Tuesday, December 21, 2010

Macs, Windows 7, and SMB shares

I was recently creating an SMB share on one of my Mac 10.6 servers that acted funny. It would keep asking me to log in, even though I had the correct credentials. I accidentally discovered that a Windows 2008 R1 machine could hit it just fine... but my Windows 7 box could not. This led to a search of the internets, and I discovered a somewhat-related problem (it was actually crashing Samba on the server side)... Someone on that blog wrote that it has to do with NTLM. I figure the security permissions were changed from Windows 2008 R1 to R2, and also between Vista and Windows 7. The post says to change a bunch of stuff in the "local security policy" of the Windows box to make it work. I don't like changing a whole lot of security stuff, especially loosening it... so here is all I changed to make this work, citing "nikonz" from the site above for the original fix (with my changes):

"Control Panel --> Administrative Tools --> Local Security Policy

Local Policies --> Security Options

Network security: LAN Manager authentication level
Send LM & NTLM responses - use NTLMv2 session security if negotiated"

There, my Macs and PCs are at peace with each other once again.

Wednesday, December 8, 2010

3 hours = world's longest command line

This was on one line, thought I would share it with everyone:

msdeploy -verb:sync -source:"metakey=lm/w3svc/571459,computername=server1" -dest:"metakey=lm/w3svc/2989,computername=server2" -skip:"objectName=metaProperty,attributes.name=LogFileDirectory" -skip:"objectName=metaProperty,attributes.name=SSLStoreName" -skip:"objectName=metaProperty,attributes.name=SSLCertHash" -skip:"objectName=metaProperty,attributes.name=SSLStoreName" -skip:"objectName=metaProperty,attributes.name=ServerBindings" -skip:"objectName=metaKey,attributes.path=blahTOBlah" -skip:"objectName=metaKey,attributes.path=HTTPtoHTPPS" -skip:"objectName=metaKey,attributes.path=redirectToBLAH" -skip:"objectName=metaProperty,attributes.name=AppFriendlyName" -skip:"objectName=metaProperty,attributes.name=SecureBindings" -skip:skipAction=delete -replace:"objectName=metaProperty,match=m:\websitelocation1,replace=x:\websitelocation1" -replace:"objectName=metaProperty,targetAttributeName=value,match=apppool2\.0,replace=apppool" -replace:"objectName=dirPath,match=m:\website1,replace=x:\website" -enableLink:AppPool -disableLink:ContentExtension -whatif > msdeploysync.log


Tuesday, December 7, 2010

Microsoft finally follows its own RFC... now stuff is broken.

We have a web service that goes out and talks to other web services. Our web service and the other ones are protected by firewalls, as we don't want just anyone hitting our web services. As we move to Windows 2008 R2, we noticed something funny was happening... our connections were being blocked.
Turns out that Microsoft is finally following their own RFC and it is breaking things. Windows servers now will use the "IP address most closely matching the gateway" to decide what IP address to use as the default one. So now our web service was using the "lowest" IP address we had, which was for a site that had nothing to do with the web service.
I found out I wasn't alone being surprised by this new "feature" and found that there is a workaround.
In short, you need to:
-Download and apply the hotfix. (The MS extractor was corrupt, so I used 7zip to extract the files.)
-Reboot for the hotfix to take effect.
-Gather a list of all your IP addresses on that machine, and take out the one you want to be the "default IP." Put them in the variable $currentIps. Then you can run the script below; it will remove and add the IPs all at once with little downtime.

I forgot to remote desktop using the FQDN, so I was disconnected, but when I reconnected everything was happy.

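# IPs that should NOT be the default source address (leave the desired default IP out of this list)
$currentIps = "","","",""

foreach ($ip in $currentIps) {
    # Remove the address, then re-add it flagged so it is never picked as the outbound source
    netsh interface ip delete address "public" $ip
    Write-Host "$ip deleted"
    netsh interface ip add address "public" $ip skipassource=true
    Write-Host "$ip added"
}

Write-Host "I suggest you reboot your server now, just in case."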

Notice the "skipassource=true."  This will not work before the hotfix.  Again you do not want to run that parameter with your IP address that you DO want to be the default one.
(My Subnet mask is, if yours is different, then change it above.)
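
The example below is added here and is not the author's script or Microsoft's implementation. It is a simplified model of the selection the post describes (the address sharing the longest bit prefix with the gateway wins) and of the effect of skipassource=true, useful for checking which source IP a firewall allowlist will actually see. The addresses are constructed from the documentation range, and the lowest-address tie-break and all function names are assumptions.

```python
import ipaddress


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses share (0 to 32)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def pick_source(addresses, gateway, skip_as_source=()):
    """Model the default source IP: longest prefix match with the gateway.

    Addresses flagged skipassource are never candidates. Ties are broken
    by the numerically lowest address (an assumption of this model).
    """
    candidates = [a for a in addresses if a not in skip_as_source]
    if not candidates:
        raise ValueError("every address is flagged skipassource")
    return min(
        candidates,
        key=lambda a: (-common_prefix_len(a, gateway),
                       int(ipaddress.IPv4Address(a))),
    )


def allowlist_mismatch(addresses, gateway, allowlisted, skip_as_source=()):
    """Return the source IP the remote firewall would see if it is not the
    allowlisted one, or None when outbound traffic uses the expected IP."""
    src = pick_source(addresses, gateway, skip_as_source)
    return None if src == allowlisted else src


# Constructed sample: one NIC carrying three site IPs (RFC 5737 range).
ADDRESSES = ["192.0.2.200", "192.0.2.50", "192.0.2.10"]
GATEWAY = "192.0.2.1"
SERVICE_IP = "192.0.2.200"  # the IP the partner firewall allows

if __name__ == "__main__":
    # Before the workaround: the "lowest" IP is closest to the gateway.
    print("unexpected source:",
          allowlist_mismatch(ADDRESSES, GATEWAY, SERVICE_IP))
    # After re-adding every other IP with skipassource=true.
    skipped = [a for a in ADDRESSES if a != SERVICE_IP]
    print("unexpected source:",
          allowlist_mismatch(ADDRESSES, GATEWAY, SERVICE_IP, skipped))
```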