personal reminder: Convert Nikon NEF to JPG with ufraw

$ ufraw-batch --out-type=jpeg --out-path=/home/itsme/Pictures/export --compression=85 --size=1280 /media/Data/home/itsme/Pictures/MyPics/*.nef

for more details cf. http://otype.net/2008/08/convert-nikon-nef-to-jpg-with-ufraw/

howto copy CalendarServer (content) - use rdiff-backup

rsynced a complete and functional copy of CalendarServer to another drive (and to another file system). afterwards, the server started and didn't complain but iCal.app didn't show any calendar (but still logged in and didn't complain about anything - just no calendar!).

tryied rsync -aA, rsync -rlpAtgoD (long version - one never knows...), and cp -a - but all to no avail.

finally, i tried rdiff-backup -b - and this worked... why? not quite sure! ideas welcome....

personal reminder: building debian packages from source

...for future reference:

1. apt-get source (-t testing) PACKAGENAME
2. apt-get build-dep (-t testing) PACKAGENAME
   
3. cd PACKAGANAME-version
4. OPT: vi debian/rules (e.g. to activate some experimental features)
   
5. OPT: vi debian/patches/00list (to enlist a patch that should be applied)
6. OPT: vi debian/patches/... (the patch enlisted previosly)
7. dpkg-buildpackage -rfakeroot -uc -b
8. dpkg -i ../PACKAGENAME-version-etc (only the necessary packages)
   

apt-listchanges chokes on its DB (bsddb.db.DBRunRecoveryError)

in case of:

Traceback (most recent call last):
File "/usr/bin/apt-listchanges", line 229, in ?
main()
File "/usr/bin/apt-listchanges", line 150, in main
seen.close()
File "bsddb/__init__.py", line 237, in close
bsddb.db.DBRunRecoveryError: (-30974, 'DB_RUNRECOVERY: Fatal error, run database recovery -- PANIC: fatal region error detected; run recovery')

(similarly to the post below) something along the lines of:

cd /var/lib/apt
db4.6_dump listchanges.db | db4.3_load temp.db
mv temp.db listchanges.db

helps.

spamassassin (or spamd) fails while accessing bayes databases - R/O: tie failed: Transport endpoint is not connected

just found lines like these in the spamd.log (i.e. spamassassin was not able to use the bayes databases any more...)

warn: bayes: cannot open bayes databases /.../.spamassassin/bayes_* R/O: tie failed: No such file or directory
...
warn: bayes: cannot open bayes databases /.../.spamassassin/bayes_* R/O: tie failed:
warn: bayes: cannot open bayes databases /.../.spamassassin/bayes_* R/O: tie failed: Transport endpoint is not connected

the problem seemed to have been a mismatch in used versions of the BereklyDB files (don't know how exactly they got mixed up...)
anyways, the following commands helped:

for i in auto-whitelist bayes_*; do db4.6_dump ${i} | db4.3_load ${i}.db; chown Debian-exim:Debian-exim ${i}.db; chmod g-rwx ${i}.db; done;
mmv '*.db' '#1'

after that one may check/sync/rebuild the databases along the lines of:

sudo -u Debian-exim sa-learn -u USERNAME --rebuild --dbpath /.../.spamassassin/ -D

some inspiration cam from this thread: http://lists.debian.or.jp/debian-users/200601/msg00113.html

tweking perl dependencies in debian

wanted to install dkimproxy on a debian server and was happy to find that the package existed. however, installing this package would have altered quite a lot of the perl installation - including many removes (due to dependency errors...); after some manual tweaking of aptitude, apt-get, and dpkg i finally, realized that this won't work...

but then i found: http://www.debian-administration.org/articles/78 - and started with:

dh-make-perl Mail-DKIM-0.32/

...but found that more modules were needed:

dh-make-perl --cpan Crypt::OpenSSL::Random --build
dh-make-perl --cpan Crypt::OpenSSL::RSA --build
dh-make-perl --cpan Crypt::OpenSSL::Bignum --build

installation is done via regular dpkg -i. and afterwards:

sudo aptitude install --without-recommends dkimproxy/testing

worked.


References:

1. http://dkimproxy.sourceforge.net/
2. http://www.cpan.org/modules/01modules.index.html
3. https://help.ubuntu.com/community/GnuPrivacyGuardHowto (in case something like 'running debsign failed' comes up...)
   

CalDAV support in Google Calendar

neat, Google Calendar can be used with iCal.app and Mozilla Sunbird/Lightning:  http://www.google.com/support/calendar/bin/answer.py?answer=99355

oo documents in svn

short summary of how to get oo documents into svn (content aware...) - well, it doesn't really work. but, at least, some idea: http://www.oooforum.org/forum/viewtopic.phtml?t=51797&postdays=0&postorder=asc&start=0 which goes along the lines of:

unzip -oq [filename] -d [directory]
zip -rq9DX [filename] *

Apple Calendar Server and memcached

the apple calendar server (in r2002) seems to 'forget' to make libevent - it works hard to download, compile and install - available for the executable...

[memcached] memcached: error while loading shared libraries: libevent-1.4.so.2: cannot open shared object file: No such file or director

/usr/local/share/libevent-1.4.4-stable/_root/lib holds the files (per default) - cf. man ldconfig and ld.so to proceed from there...

OpenVPN and fail2ban

wanted to combine Shorewall and fail2ban for SSH and OpenVPN - but found no OpenVPN filters, hence, added http://www.fail2ban.org/wiki/index.php/OpenVPN.

How many days in the current month?

echo `cal | wc -w ` - 9 | bc

Shorewall and Limit: how to reset a Limit counter

...i have still no ide how to reset the counter in /proc/net/ipt_recent/

but found a way to circumvent the blocking of an address for some time:

1. sudo iptables -L | grep -e "Chain.*%Limit\([0-9]\+\)\? "
 - this lists all the Limit Chains
2. sudo iptables -I %Limit -m recent --name SSHA --remove -s IPADDRESS
 - in case the Chain is calld %Limit and the name for the recent module is SSHA

References:

• http://www.shorewall.net/Actions.html
  

OS X Leopard (>= 10.5.4 + Security Update 2008-005) - 'Add Printer' for non-admin users

funnily enough the latest Security Update seems to have outdated this hack.

now the Add Printers... dialogue shows all broadcasted cups printers. however, users cannot add them without authenticating as an Administrator of the computer.

a possible solution seems to be to edit a different part of the cupsd.conf file. look for this section and change it accordingly...

  # All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
  # AuthType Default
  # Require user @SYSTEM
  Require valid-user
  Order deny,allow
</Limit>

Referenes:

• http://discussions.apple.com/thread.jspa?threadID=1373822&tstart=173

Change OS X 10.5 Leopard Dock from 3D to 2D

a quick reminder for myself (because i'd rather like the two lines than downloading a software...)

defaults write com.apple.dock no-glass -boolean YES
killall Dock

references:

• http://osxdaily.com/2007/12/24/change-the-105-leopard-dock-from-3d-to-2d/
  

Flushing DNS Cache

mac os x:

lookupd -flushcache

win:

ipconfig /flushdns

linux:

/etc/init.d/ncsd restart

flashplugin-nonfree on Debian GNU/Linux amd64

installation of flashplugin-nonfree resulted in:

*** NSPlugin Viewer *** preloader not found
nspluginwrapper: no appropriate viewer found for /usr/lib/flashplugin-nonfree/libflashplayer.so

debugging went along the lines of

ldd /usr/lib/nspluginwrapper/i386/linux/npviewer.bin

and finding that some libs were missing...
(in between i also found that linux32 should be installed - but wasn't. strace -f was helpful...)
...what helped in the end:

aptitude install -t testing linux32 ia32-libs ia32-libs-gtk flashplugin-nonfree/unstable

references:

1. https://bugs.launchpad.net/ubuntu/+source/nspluginwrapper/+bug/235946
2. https://bugs.launchpad.net/ubuntu/+source/flashplugin-nonfree/+bug/182013
   

svn-finder integration for (very) basic use cases

was about to write some tiny scripts to get some basic svn commands integrated into Finder.app - luckily, came first across: http://svn-finder.sourceforge.net/

backup: notification instead of polling

realized that my machine needs an awful lot amount of time to walk through a directory to check whether anything has changed and, hence, need to go into a backup. instead, i thought, it would be neat to use e.g. inotify. 

current idea: use iwatch to monitor for file system events, record the files, feed the list to the backup...

- will keep you posted...

change language in "grammar and spelling" on OS X

in case you want to change the language in the "grammar and spelling" dialog box the short cut 

CMD+SHIFT+: comes very handy...

well, but then you are stuck with a floating windows - grab the mouse and change the setting. now,

CTRL+F6 comes handy - this should focus the floating window.

after the first switch the 

SHIFT+TAB comes handy to switch to the language field. when leaving the dialog box open, now, the language is pre selected...

cleaning house in osx

- use xslimmer or monolingual to strip down languages and unneeded architectures

- for all those compiling left overs of macports
sudo port clean --all -vf installed

- and mostly not needed inactive ports
sudo port -f uninstall inactive

- get rid of all the gui developer files (don't do this if you yourself develop applications on that machine, it will delete all designable.nib files)
sudo find / -iname "designable.nib" -exec rm "{}" \;

future reminder: FreeBSD for dummies, aka. linux users...

don't ask - but i might need this in the near future...

1. http://h3g3m0n.wordpress.com/2008/03/03/freebsd-review-and-howtos-from-a-linux-user/
2. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
   

nss signtool, xulrunner, firefox 3 add-ons and things i don't want to mention - currently on a debian system

in the very unlikely case someone wants to write an add-on for firefox - and let's assume this add-on should run with the new ff3... and the add-on should not be hosted on mozilla.org... well, this is going to be a tough one (and i dont't even want to go into that).

furthermore, let's assume (now, that it's obvious that this add-on needs to be signed) the signing is supposed to take place on a current debian system...

...and, last but no least, this system should also run a xulrunner in ver.> 1.8.1

these constraints will lead (among others) to the following packages:
libnss3-1d, 3.12.0~rc3-1
libnss3-tools, 3.12.0~rc3-1

in case the signtool refuses to do part of its job (and complains about missing libraries) this might help:

ln -s /usr/lib/nss/libsoftokn3.so /usr/lib/libsoftokn3.so
ln -s /usr/lib/nss/libnssdbm3.so /usr/lib/libnssdbm3.so

related:

1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483774
   

How to Twitter from Skype

cf. http://www.pacificit.ca/article/319

OpenVPN, Tunnelblick, bridged network (tap device), mDNSResponder, and daapd on OS X - Part 2

• i found the following sh-script (executed with administrator privileges) does help most of the time (cf. http://iiegn.blogspot.com/2008/03/openvpn-tunnelblick-bridged-network-tap.html for the problem...)
  

#!/usr/bin/env bash

killall openvpn
sleep 1

launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

sleep 3
kextunload /Library/Extensions/tun.kext
kextunload /Library/Extensions/tap.kext
sleep 5
kextload /Library/Extensions/tap.kext
kextload /Library/Extensions/tun.kext
sleep 5
kextunload /Library/Extensions/tun.kext
kextunload /Library/Extensions/tap.kext

launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

in order to get this sh-script executed the following lines of AppleScript might be helpful (saved as an Application Bundle with the above script inside the bundle):

set myPath to POSIX path of (path to me as string)

do shell script myPath & "/Contents/Resources/Scripts/upndowntaptun.command" with administrator privileges

display dialog "You may now restart your Tunnelblick Connecrtion." buttons {"OK"} default button 1

references:

1. http://developer.apple.com/technotes/tn2002/tn2065.html
2. http://lists.apple.com/archives/Applescript-users/2007/Apr/msg00232.html

Static Lib contents

It is written at the top of the ar manpage, but I seem to miss it every time: to print all symbols contained in a static archive, emit

nm --print-armap [archive]

really simple.

firefox and system-wide installation/deployment of certificates

wanted to add CACert.org Root Certificate in firefox for all users on a system. it seems as if this were not possible...
(but see: http://wiki.cacert.org/wiki/NSSLib and https://bugzilla.mozilla.org/show_bug.cgi?id=215243)

however, one can use certutil to create a cert8.db and deploy that with the default profile - of course, that doesn't help with users who already have profiles...

certutil -N -d . 

certutil -A -n "SomeName" -t "C,C,C" -i some.crt -d .
and then copy cert8.db, key3.db and secmod.db to Firefox-Root-Dir/defaults/profile.

references:

1. http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
2. http://kb.mozillazine.org/Profile_folder_-_Firefox
3. http://straxus.javadevelopersjournal.com/creating_a_mozillafirefox_drag_and_drop_file_upload_script_p_1.htm
4. http://open.itworld.com/5037/book_050425firefoxhacks/page_1.html
   

VIM: Punch the Mode Line

mode line: lines at top or bottom of source code files that contain options for configuring the editor, c.f.:

:help modeline

(of course, in emacs 'mode line' denotes a entirely different concept...)

OpenVPN, Tunnelblick, bridged network (tap device), mDNSResponder, and daapd on OS X

tried to get the music library from a server running firefly to a mac via an OpenVPN tunnel 

- where the same server is also the OpenVPN server and is using a tap device and

- the mac was using Tunnelblick 

though this setup seemed to work for my linux machine it didn't quite do the job on the mac: there the mdns information was only used occasionally (though ethereal aka. wireshark confirmed that it was being transmitted).

currently i think that the mDNSResponder is behaving - at least - strange and a possible work-around seems to be 

- install the tun/tap-driver separately from Tunnelblick (so the driver is loaded at boot time and mDNSResponder is not 'surprised' by its late appearance...)

- turn the interface of the internet connection (the one tunnelblick uses to connect to the server - not the tap one...) off and on 

Use Time Machine (OS X) with a (samba) Network Drive

sudo defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

...but cf. http://pastebin.com/f47499d34 after update to 10.5.2.

references:

1. http://www.2putts4par.com/2007/11/10/use-time-machine-with-a-network-drive/
   

quick reminder: Getting X11 forwarding through ssh working after running su

$ xauth list $DISPLAY
You'll get something like

somehost.somedomain:10 mit-magic-cookie-1 4d22408a71a55b41ccd1657d377923ae

Then, after having done su, tell the new user what the cookie is:

$ xauth add somehost.somedomain:10 MIT-MAGIC-COOKIE-1 4d22408a71a55b41ccd1657d377923ae

(just copy'n-paste the output of the above 'xauth list' onto 'xauth add') That's it. Now, you _should_ be able to start any X application.


references:

1. http://www.debian-administration.org/articles/494

related:

1. http://www.windowsecurity.com/whitepapers/Improving_XWindows_security.html
   

Setup Samba for Bonjour networking with OS X 10.5 Leopard

put the following into /etc/avahi/services/[somename].service on a linux machine running samba and avahi-daemon:

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->

<!DOCTYPE service-group SYSTEM "avahi-service.dtd">

<service-group>
<name replace-wildcards="yes">%h filer</name>
<service>
   <type>_smb._tcp</type>

   <port>139</port>
   <host-name>zaphod.bn.dev</host-name>
</service>
</service-group>

references:

1. http://www.askbjoernhansen.com/2007/10/27/setup_samba_for_bonjour_networking_with_os_x_105_l.html

related:

1. http://www.sanityinc.com/articles/mac-screen-sharing-with-linux
   

Negate find results

Find files that do not match expression and dostuff on them:

find ./ [expressions] -prune -or [dostuff]

Example:

find ./ -name '.svn' -prune -or -type f -print

finds all non-svn files and prints their paths on stdout

Zero Config User Initiated Cross Platfrom Remote Desktop Assistance

Use Case
you frequently give remote assistance to users in very heterogeneous environments

Problem
user-side firewalling makes it impossible to just start up e.g. a vnc server.

Solution
let the user initiate a ssh tunnel from his machine to yours, forwarding his local vnc server port.

Rationale
it is way easier for you to allow for incoming traffic once than it is to do the same on every user's machine.

Implementation
Server
enable your sshd and create a dedicated help user with shell /bin/false
Client
use a shell script to start the vnc server and the ssh tunnel. this is only non-trivial for windows, so I shall outline that below.
Extensions

• use a private/public key pair for ssh authentication
• use a different server user for each supported user
  
• automatically react on incoming ssh sessions

Esp. the last one is interesting: you can tell people to "just click on the support button when you need help" and you will get instant notification with direct access to their desktop.

Appendix: Client on Windows

1. Download the tightvnc zip distribution, unzip
2. Download plink (the putty ssh command line client) and save it into the vnc folder
3. start winvnc.exe
4. enter a password (you will use this later when using your vnc client to connect to the user's machines), fix the port to 5900, quit the application
5. startup regedit
6. add a dword key "AllowLoopback" with value 1 to LOCAL_MACHINE\Software\ORL\WinVNC3
7. export LOCAL_MACHINE and CURRENT_USER\Software\ORL to vnc.reg and vnc2.reg in your vnc folder
8. close regedit
9. create the batch file and zip the whole directory for distribution:
   

create a file run.bat in your vnc directory that contains the following lines:

reg import vnc.reg
reg import vnc2.reg
taskkill /F /IM winvnc.exe
start winvnc -run -shareall
plink helpaccount@my.dns.org -pw helppassword -N -R 5900:localhost:5900

where helpaccount and helppassword match the local account you created on your server and my.dns.org is your server's hostname.
after running this script, you should be able use a vnc viewer to connect to localhost on your server and see the client's screen. you will want to set -compress 9 -encoding tight explicitly to tune the connection.

top (unix command) with two samples in logging mode - but only the second matters

i wanted to use the unix top command with GeekTools and found that this wasn't as straight forward as i had expected...

anyways, the following bundle does the trick:

top -o cpu -l 2 -u -S | sed -e '2,/^Processes:/ d'

use Quick Look (OS X) from command line

qlmanage -p FILE
qlmanage -p FILE >& /dev/null &