Issue #1: 64-bit Ubuntu

By default, when you install java on your 64-bit system, you get a 64-bit java. No surprise there, right? Well, Juniper’s tools don’t play nice with 64-bit java. If you attempt to start the junipernc script you’ll promptly see the “VPN has failed!” error message.

VPN has failed!

Also if you look closely in your Terminal you’ll see the text error:

Failed to load the ncui library.

This is the clue that we are dealing with the 64-bit issue.

The work around for this is to install a 32-bit java on your system. Type the following into your Terminal:

sudo apt-get install ia32-sun-java6-bin

After typing your password, a 32-bit copy of java will be installed at: /usr/lib/jvm/ia32-java-6-sun .

Now, you need to convince Juniper Network Connect to use the 32-bit java. If you don’t use java for much besides your new VPN, you may just want to make the 32-bit java your default. This can be done by typing the following into your Terminal:

update-alternatives --set java /usr/lib/jvm/ia32-java-6-sun/jre/bin/java

If you DO use java and just want to tell the VPN to use the 32-bit java, you should modify the junipernc by adding the following line right after the block of lines that start with “#”:

export JDK_HOME=/usr/lib/jvm/ia32-java-6-sun

Now, when you run junipernc, it will use 32-bit java and you should no longer have the failure due to ncui.

Issue #2: Determining Your Realm

The scripting for Network Connect asks a few questions that may not make sense to a typical user. Even a networking savvy programmer may not be certain what values to use for the “Realm” or “PIN + SecureID Code”.

Finding your realm is fairly straight forward if you don’t mind diving into some HTML. Point your web browser to your company’s VPN website: https://vpn.mycompany.com or https://connect.mycompany.com .   View the source of that page and look for a line like:

<input type="hidden" name="realm" value="REALMNAME">

The value of REALMNAME is what you’ll need to enter when prompted.  Your IT department may or may not know what this is if you ask them.

If you don’t know your “PIN + SecureID Code”, it’s simply the password you type along with your username on the VPN website to gain access. As mad scientist says, some companies use “SecurID so [they] enter a personal PIN plus the value provided by the SecurID fob,” which explains why he coded that as the prompt for the password input.

If you need help, there’s a long running thread over at the ubuntu forums where this continues to be discussed a lot: http://ubuntuforums.org/showthread.php?t=232607 . I gathered my info from both mad scientist’s page above and the thread itself.

One further note, I’ve tested this on Ubuntu 9.04 64-bit as well as 8.10 32-bit. Hope this is helpful to all you who need Juniper VPN access on 64-bit Ubuntu Linux.

So I set out to find a solution and I found a post by loudhush which described using the scutil to modify DNS network settings after connecting to a Cisco VPN. This was great, but I needed something a bit handier.

So, I cranked out the following which goes in my /Users/username/.profile:

# .profile or .bash_profile
function myvpn {
vpnclient connect VPNPROFILENAME user MYVPNUSERNAME
myworkdns
}
function myworkdns {
printf "get State:/Network/Service/com.cisco.VPN/DNS\nd.add ServerAddresses * 192.168.1.252, 192.168.1.198\nd.add SearchDomains * example.com, other.example.com\nset State:/Network/Service/com.cisco.VPN/DNS" | sudo scutil
}


These are bash functions which i run from the command line. (I also find the Client GUI Cisco to be a pain, and prefer command line)

So, obviously, you’ll need to substitute in your Cisco VPN profile name ( found in /etc/opt/cisco-vpnclient/Profiles), your VPN username, your DNS server IP addresses, and your DNS search domains to your legitimate values.

To use, run Terminal, then type myvpn. The VPN client will prompt you for your username and password. You’ll then have to hit CTRL+Z to suspend the VPN client so the script can run the DNS updates; this part uses sudo to run the command as root, so you will probably need to type your Mac password immediately after hitting CTRL+Z. If you didn’t want to bother with the command line VPN client, you could just use your GUI Cisco VPN client, then run myworkdns from Terminal, which will still probably prompt you for your Mac password.

Hope others find this useful. If I find a cleaner way, I’ll post that too.

This is not cool as, well, I NEED MY VPN TO WORK!

Thankfully google came to my rescue. The solution is to execute the following in Terminal:

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

Thanks for the answer, VirtuallyShocking.com.

In my last post I outlined how I followed others’ directions to enable netatalk on Linux and Time Machine backups to a shared AFP folder. Originally, I also described how to put all your shares on netatalk. I suppose if only have Mac clients or you REALLY want to use AFP, you can do so. As I worked with files over AFP shares, I started noticing that the performance seemed to be quite bad. No, I didn’t benchmark, but copying large video files to a shared folder over my gigabit network was substantially slower over AFP (netatalk) than over CIFS/SMB (samba). I use my network shares pretty heavily, so this was a concern. Also, netatalk tries very hard to replicate an HFS filesystem complete with resource fork support. This means that your shared directories end up with lots of extra folders named “.AppleDouble”(and a few others) containing Mac specific info. (Note: even on CIFS you’ll get the “.AppleDB” folders unless you disable a setting in Finder. I can deal with .AppleDB better than .AppleDouble AND .AppleDB) So, because of these two issues I decided to try using CIFS and samba again.

My first experiment was to try sharing a “time_machine” folder via CIFS, and using the “defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1″ hack on the previous post, I was able to get Time Machine to perform a backup. It worked, but in the end I decided that if I need to restore from this backup, I want my resource forks intact. To do that, I need AFP and netatalk. So, I removed all AFP shares except the one for Time Machine backup share. Now my Time Machine would backup and restore happily, and I could again use my Samba shares.

One of the cool things about having used AFP/netatalk was that my server and folders were showing up in my finder window. Well, that’s not a feature of AFP or netatalk, its actually avahi/Bonjour doing that. So, all I had to do was advertise the services. If you followed my previous posts, you’ve already created a service for AFP/netatalk on your server; it’s simple to create more, just add more service files. I’ll paste in all of my service files here:

/etc/avahi/services/aftp.service/

afpd.service
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h AFP</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
</service-group>

apache.service
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h HTTP</name>
<service>
<type>_http._tcp</type>
<port>80</port>
</service>
</service-group>

rfb.service
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h VNC</name>
<service>
<type>_rfb._tcp</type>
<port>5901</port>
</service>
</service-group>

samba.service
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>139</port>
</service>
</service-group>

sftp.service
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h SFTP</name>
<service>
<type>_sftp-ssh._tcp</type>
<port>22</port>
</service>
</service-group>

ssh.service
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h SSH</name>
<service>
<type>_ssh._tcp</type>
<port>22</port>
</service>
</service-group>


So, you can see that I’m announcing Samba/CIFS file, AFP file, Apache HTTPd, VNC (RFB) Remote Desktop, SSH and SFTP services. Leopard’s Finder only displays the CIFS, AFP and RFB services, but other applications with Bonjour support will see the other services. By default Finder opens “Screen Sharing” when you use the advertised service, but Chicken of the VNC can also browse for Bonjour enabled VNC servers. Below are screen shots of my Finder showing the shared services.

No restarts are needed for anything at this point. The services should automatically be picked up by the Linux avahi daemon, but if you really need to, you may execute /etc/init.d/avahi-daemon restart .

I recently completed an upgrade of these two core services on a network I manage. We had been running outdated (but functional) BIND v8 and OpenLDAP v2.0 instances for of DNS and LDAP servers. Also, throw a Windows Server 2003 into the mix, which, as an Active Directory domain controller has to run its own DNS and LDAP (AD is tweaked LDAP) servers.

First, the DNS upgrade was substantial, not just because we upgrade to a more modern BIND v9.x installation, but because we implemented a split view configuration. Previously, our local users operated on a sub-domain of “local.example.com” such that each computer was named “host.local.example.com”. The main public services utilized the proper full-domain of “example.com”. This was fine in the beginning, as when we set this up, few users had laptops, so we didn’t use individual client VPN or have road warriors with laptops out trying to access “local” services from home or a customer locations. Also, some services we started deploying (eg, our XMPP chat server, Openfire) preferred to be bound to one host name (like, im.example.com). Internally, that host name still resolved to our public IP address which then needed some interesting firewall rules in order to support the routing or traffic. But this issue was already present with mail services; if I wanted a laptop user to use “mail.example.com” for his server while out of the office, while on VPN that user would have to change to “mail” or “mail.local.example.com” because the VPN essentially made the user part of the local network.

The solution I came up with, as mentioned above, was to use BIND views, and get rid of a “local” DNS sub-domain. All our servers and host names would be part of the base “example.com” domain, thus, local, VPN, or public users would only have one host name for accessing services like mail (mail.example.com) or chat (im.example.com). BIND views essentially provide a different view to your DNS based on the host IP address you are using to access the server. So, if users are at the office, im.example.com resolves to a private RFC 1918 address, same as it resolves if they are connected via VPN, but if they are on the public internet, im.example.com resolves to a publicly routable address assigned to our organization.

Are there any tricks or gotchas when making a change like this in your organization’s DNS? The biggest trick is BE METICULOUS! Seriously, if your organization was like ours, you had a mix of both FQDNs and non FQDNs in your intranet & application URLs, user documentation, etc. Undertaking a naming change like this could be very daunting given a large enough organization. You may find that you can only migrate those services which really need to have split view DNS. In my case, most of the time spent prepping for this transition was spent searching out where the “local.” part of FQDNs was used and switching to non-qualified host names or making a note so I could change it to the new FQDN after the migration. All in all, this proved to be a fairly painless migration for this smaller organization.

The LDAP transition initially concerned me more than the change to DNS, but in the end, proved to be less painful. However, it did require more new knowledge to transition to a totally new server instead of simply upgrading and reconfiguring. OpenLDAP had served us well, but some other admins in the group had been playing with Fedora Directory Server (FDS) and had it installed in other production environments. A few key things prompted us to migrate. First, multi-master replication is a SNAP with FDS. Having that is key part of having redundant and available directory services. Yes, it can be done with OpenLDAP now (as of v2.4 or so), but it wasn’t there when we put our first FDS server into play. Also FDS has nice built-in facilities for account password expiration and password policies and account lockouts. Also, we’d used a bit of hack to push password updates to OpenLDAP from Windows Server for users who had both Windows and Unix accounts, but FDS prvoides a very complete two-way password synchronizer for Windows. Again, I’ll emphasize that replication is a SNAP with FDS. This is largely due to its very useful and easy to use Java based GUI management interface. This is a stand-alone client which runs on your desktop and connects to FDS’s admin server. Fear not, command-line junkies, everything that can be done in the GUI is available on the command-line and via ldapadd LDIF commands, etc. The management interface not only lets you configure the server, options, ACLs (FDS calls them ACIs), etc, but this tool is also a data management tool for all your LDAP data. This was plus for us as we’d never been thrilled with our data management options in OpenLDAP. We used multiple tools to managed accounts in OpenLDAP, but in the end, the best all around tool we had used was phpLDAPdmin. I’m sue the tool has matured A LOT since we last upgraded, and it was pretty nice, we may even install it again with FDS, but the built in GUI from FDS is just a nice touch.

The actual work of transitioning from OpenLDAP to FDS was not as hard as I’d expected. First, I installed FDS on the new server. The installation process was pretty straight forward if you’ve used OpenLDAP before and done your resarch ahead of time. A slapcat of the old OpenLDAP database created an LDIF dump of my old data. From there, I experimented with importing the data into FDS using ldapadd. There were a few schema changes required, but not many. In my case, the LDIF lines that FDS didn’t like were not required (eg, “struturalObjectClass” was dumped by OpenLDAP but required by FDS) and I simply ran my LDIF dump through a series of “grep -v” filters to remove the unwanted lines. One other concern was the format of the userPassword fields. I’d been storing passwords as MD5 hashes; FDS supports this, but the storage format of the hashes was not compatible. FDS’s website has links to user contributed scripts to solve this, but they didn’t seem to work for me. Again, having a small organization was useful, as I was able to change the default storage type to something more compatible (eg, SHA, SHA1, CRYPT, etc) and have my users update their passwords. Voila! Updated password formats. Once all this was completed, I simply pointed LDAP clients to the FDS instead of the old OpenLDAP and everything just worked!

Overall, my migrations were pretty smooth. Your mileage may vary, but if you need the features, or just yearn to run on updated software, the migration is well worth it.