SBS creates a group called Power Users. The default SBS installation puts all users into this group. I could not log in to ssh with a normal userid but I could log in with the Administrator userid. I finally found that power users were denied “local log in” in the default Domain controllers policy.
I did not have this problem with Samba when I was running W2K but evidently I cannot use Samba’s version of SMB with Windows 2003 server. I get the following message:
cli_negprot: SMB signing is mandatory and we have disabled it.
26595: protocol negotiation failed
SMB connection failed
Evidently Andrew feels this is a problem with SMBFS, http://lists.samba.org/archive/samba/2003-December/076388.html, and we should move to CIFS. The bad news is that CIFS is supported in the 2.4 kernel via a patch. The 2.6 kernel supports CIFS. I guess I will put this project off until Fedora Core 2 is released. I have other options if this becomes an issue.
Today I spent a lot of time playing with NIS and Samba. I am trying to finalize my connectivity between Fedora and W2K3. I have Unix Services installed on the Windows Server and it offers NIS. After playing with it and learning a lot more about it, I have decided not to use it. The key is Samba and Kerberos. If I get Samba and Kerberos correctly configured, then NIS would be redundant. The best resource I have found is http://www.wlug.org.nz/ActiveDirectorySamba but I do not have it working yet. The login and mount is not working even though I have joined the computer to the domain and modified the login pam. I am still researching the problem(s).
I installed Services for Unix 3.5 today. The idea is to authenticate my Redhat box against the Active Directory. I spent most of the time downloading and testing the tools from http://www.interopsystems.com/tools/. Those nice folks have ported over a nice set of open source tools. I downloaded Bash and ssh. I was very pleased to find they had ported over ssh and even more pleased to find that it works. I have been reading the ssh mailing list for almost a year so I have seen a lot of problems with the cygwin version of ssh on 2003. I believe I have NIS set up correctly on the server but I won’t get around to setting up the Redhat box until tomorrow.
Today I found Sig Weber’s Playground and his xslt files for reading and formatting an RSS feed using a XML webpart. This is pretty simple stuff except for the XSLT stuff and is equivalent to Leadit’s version. I prefer the format of Leadit’s version but would prefer to have the ability to customize the feed display with xslt. Hmm…
I decided to write a description of my firewall policy today. I have been tweaking it again to get the RSS Reader webpart to work. I think if I write it out I will better be able to see any logic errors.
General Firewall Policy Description
- Allow computers in the local domain complete access to other computers in the local domain.
- Deny inbound access from the internet.
- Allow computers in the local domain anonymous outbound access to the internet with the following protocols:
- Windows integrated authentication for IP protocols other than the ones listed above.
- Minimize the downloading of advertising and sexual content.
Rules and Implementation
- Direct Access Rule – Direct access to computers in the local domain is granted via the proxy client configuration for the web browser.
- Default Inbound Access Rule – Inbound access from the Internet is denied by the ISA firewall by default.
- Protocol rule #1 – If the client is from the local domain, anonymous outbound access is granted to the Internet for the normal protocol set: HTTP, HTTPS, FTP, POP3, SMTP, and NTP. Almost all internet access will go through this rule.
- Protocol rule #2 – If a client requires access to an IP protocol outside of the normal protocol set, that client must be authenticated using Windows integrated authentication.
- Site and content rule #1 – Deny content from known advertising websites listed in the No Ads destination set and redirect the link to a local web page. This rule frees up bandwidth by reducing the amount of unnecessary content being downloaded from the internet.
- Site and content rule #2 – Deny content from known sexual websites listed in the No Sex destination set and redirect the link to a local policy web page.
- Site and content rule #3 – Allow clients from the local domain access to all domains that have not been explicitly denied.
- Do not authenticate outbound listener. I think this is a temporary fix to get the RSS reader webpart to work and requires that the web.config have a
statement. This is opposite of what the folks at www.isaserver.org recommend but their recommendation does not work for my server. All http connections end up being anonymous but I don’t care.
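Since the point of writing the policy out was to spot logic errors, here is the rule set above as a small evaluator run over a handful of constructed requests. This is an added example, not the author's ISA configuration: the local domain name, the hosts in the No Ads and No Sex destination sets, and the sample requests are all assumptions, and the evaluation order (direct access, inbound default, content rules, then protocol rules) is the order the rules are listed in, not an ISA internal.

```python
"""Evaluate the general firewall policy described above against sample requests.

Added example; rule names mirror the list above, everything else is constructed.
"""
from dataclasses import dataclass
from typing import Tuple

LOCAL_DOMAIN = "corp.local"                                   # hypothetical local domain
NORMAL_PROTOCOLS = {"HTTP", "HTTPS", "FTP", "POP3", "SMTP", "NTP"}  # protocol rule #1 set
NO_ADS = {"ads.example.invalid"}       # stand-in for the 'No Ads' destination set
NO_SEX = {"adult.example.invalid"}     # stand-in for the 'No Sex' destination set


@dataclass
class Request:
    src: str                    # source host, fully qualified
    dst: str                    # destination host
    protocol: str               # e.g. "HTTP"
    authenticated: bool = False  # Windows integrated authentication supplied?


def is_local(host: str) -> bool:
    """A host is 'in the local domain' if its name ends with the domain suffix."""
    return host.endswith("." + LOCAL_DOMAIN)


def evaluate(req: Request) -> Tuple[str, str]:
    """Return (decision, rule): decision is 'allow', 'deny' or 'redirect'."""
    # Direct Access Rule: local-to-local traffic bypasses the proxy entirely.
    if is_local(req.src) and is_local(req.dst):
        return "allow", "direct access"
    # Default Inbound Access Rule: nothing from outside gets in.
    if not is_local(req.src):
        return "deny", "default inbound"
    # Site and content rules #1 and #2: known ad / adult hosts are redirected.
    if req.dst in NO_ADS:
        return "redirect", "site and content #1 (No Ads)"
    if req.dst in NO_SEX:
        return "redirect", "site and content #2 (No Sex)"
    # Protocol rule #1: normal protocol set is allowed anonymously.
    if req.protocol.upper() in NORMAL_PROTOCOLS:
        return "allow", "protocol #1 (site and content #3)"
    # Protocol rule #2: anything else needs integrated authentication.
    if req.authenticated:
        return "allow", "protocol #2 (site and content #3)"
    return "deny", "protocol #2 (authentication required)"


# Constructed sample traffic covering each branch of the policy.
SAMPLE = [
    Request("pc1.corp.local", "files.corp.local", "SMB"),
    Request("203.0.113.9", "mail.corp.local", "SMTP"),
    Request("pc1.corp.local", "www.example.com", "HTTP"),
    Request("pc1.corp.local", "ads.example.invalid", "HTTP"),
    Request("pc1.corp.local", "www.example.com", "RDP"),
    Request("pc1.corp.local", "www.example.com", "RDP", authenticated=True),
]


def report(requests=SAMPLE):
    """Evaluate every sample request and return the list of (decision, rule)."""
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for r, (decision, rule) in zip(SAMPLE, report()):
        print(f"{r.src:>16} -> {r.dst:<22} {r.protocol:<5} {decision:<8} [{rule}]")
```

Note that the unauthenticated RDP request is denied by protocol rule #2 while the same request with integrated authentication is allowed, and that a destination in the No Ads set is redirected before any protocol rule is consulted. If the rule order in the real firewall differs, the evaluator is where that difference would show up.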
I got an email from Jan asking me to comment on his Essentials webparts on his weblog. I really like them because they show what I have been working on. I set up a quick and dirty homepage to use them as a simple status report. I used a default template and just dropped the Navigation webpart, the Whats New webpart, and the RSSReader webpart on to the left side. Simple but satisfying!
Since I had recently reinstalled Sharepoint to fix an unrelated problem, I had to reinstall the webparts. So I made sure I had the latest versions and started off with the RSSReader. It looked easy. It had an installer! The bad news is that it finishes with an error.
========= WPPackager install log started 3/26/2004 11:18:39 AM =========
3/26/2004 11:18:58 AM: Error: Config file: 'd:\inetpub\wwwroot\web.config' for virtual server 'http://companyweb/' is missing or appears invalid. Could not apply required CAS settings to this server.
3/26/2004 11:18:58 AM: Error: Could not apply required CAS settings to virtual server 'http://companyweb/' during installation of 'Lead-it SharePoint RSSReader Webpart'
3/26/2004 11:18:59 AM: Success: Installation Successfully Completed
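The log above ends with "Installation Successfully Completed" even though two Error lines precede it, so the final status line alone is not a reliable signal. The following added example (not part of the original post or of the WPPackager tool) parses the log lines in that format and flags a run whose last status is Success while earlier lines reported errors; the sample log is constructed from the lines quoted above.

```python
"""Parse a WPPackager-style install log and flag 'success despite errors'.

Added example. The line format is inferred from the log quoted above; the
sample text below is constructed from those same lines.
"""
import re
from typing import Dict, List

# Timestamp, then a level keyword, then the message. Header/footer lines do not match.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M): "
    r"(?P<level>Error|Warning|Success): (?P<msg>.*)$"
)

SAMPLE_LOG = """\
========= WPPackager install log started 3/26/2004 11:18:39 AM =========
3/26/2004 11:18:58 AM: Error: Config file: 'd:\\inetpub\\wwwroot\\web.config' for virtual server 'http://companyweb/' is missing or appears invalid. Could not apply required CAS settings to this server.
3/26/2004 11:18:58 AM: Error: Could not apply required CAS settings to virtual server 'http://companyweb/' during installation of 'Lead-it SharePoint RSSReader Webpart'
3/26/2004 11:18:59 AM: Success: Installation Successfully Completed
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised status line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Count levels and report whether a final Success masks earlier Errors."""
    errors = [e for e in entries if e["level"] == "Error"]
    final = entries[-1]["level"] if entries else None
    return {
        "errors": len(errors),
        "warnings": sum(1 for e in entries if e["level"] == "Warning"),
        "final_status": final,
        # The case in the post: installer says Success but Errors came first.
        "success_despite_errors": final == "Success" and bool(errors),
        "error_messages": [e["msg"] for e in errors],
    }


def check_log(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Convenience wrapper: parse and summarize in one call."""
    return summarize(parse_log(text))


if __name__ == "__main__":
    result = check_log()
    print(f"final status: {result['final_status']}, errors: {result['errors']}")
    if result["success_despite_errors"]:
        print("WARNING: installer reported Success after Error lines; verify manually:")
        for msg in result["error_messages"]:
            print("  -", msg)
```

The manual verification the post goes on to describe (dll in the GAC, web.config updated, webpart in the wpcatalog) is exactly what the flag is meant to prompt.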
The good news is that the error does not matter!? The dll is in the GAC. The web.config is configured. The webpart is in the wpcatalog. Once you figure out how to configure your firewall you are set. That was actually quite hard. I decided to put my findings in a second post on my weblog since it is specific to ISA.
The installation of Essentials was quite easy if you knew the locations of your wpcatalog, web.config, and GAC. I found that I only needed to restart the sharepoint server to start using them.
Yesterday I renewed my mail account on Yahoo and upgraded to Mail Plus. This adds more disk space, a spam learning feature, and virus protection. Today I installed the latest version of Mailwasher Pro and turned on its spam learning feature. Both these products show a remarkable amount of agreement on which mail is spam. I am hoping these two products will help me get rid of spam and avoid false positive mishaps. I think the use of Yahoo and other web mail providers is a viable strategy for small businesses. Although my setup is probably overkill it is not costly or time consuming. Email that makes it to my PC probably goes through three or four spam detectors and at least two virus checkers. I averaged 156 deleted emails per day with MailWasher. The bulk of these obviously were spam. It is interesting to note that the latest average for the week is only 126. Maybe this is a trend.
Today I finally got Sharepoint installed and working. Here was the plan.
- Stop the Sharepoint database with NET STOP mssql$sharepoint.
- From the Add or Remove Programs, remove Sharepoint.
- From the Add or Remove Programs, remove the MSDE instance of sharepoint.
- Install a new instance of SQL Server called SHAREPOINT using the Premium cdrom. When it asks, change the default disk location. Ignore warning message about SQL and Windows 2003.
- Apply SQL Service Pack 3a to the new instance.
- Start the database.
- Run STSV2 and pick the server farm option. It tells you that you will have to manually extend the site after the installation completes. I got an error at the end complaining about FrontPage extensions on the default server.
- Go into Sharepoint Central Administration and extend the companyweb site. I used the DefaultAppPool with Network Service.
- Pick a site template.
I verified my installation by saving a document into Sharepoint and then bringing it back up. It knew who I was and did not ask me for a logon.
I finally gave up on trying to tweak Sharepoint to work and started the process of re-installing. Guess what! The reinstall fails. It doesn’t create the two databases. Maybe I am missing something? So I have downloaded STSV2. I think I will try to stuff it directly into a new SQL Server instance rather than go through MSDE first. I want to put the sharepoint databases on a separate partition.
Along the way I downloaded the web version of SQL Enterprise Manager. To get it to not ask me for my userid I had to give NETWORK SERVICE full access to the Microsoft.NET\Framework\v1.1.4322 directory. I was trying to view my MSDE instances. It didn’t help. My problem was that I wasn’t entering the server name correctly.
I modified my Sharepoint intranet site to use a couple of webparts from Leadit.SharePoint.Essentials. Jan Tielens did a nice job on everything except the instructions on how to install it. I think the Whatsnew and Navigation webparts on my main page are really handy. My intranet site is getting a little more useful than the ordinary file system it replaces.