The Life of a Sysadmin

Carousel is a lie!

Entries tagged "toptip".

Memo to myself
Wed Jul 16 08:47:41 PDT 2008

How to quiet noisy cron entries that send far too much to STDERR:

exec 3>&1 ; /path/to/script 2>&1 >&3 3>&- | egrep -v 'useless|junk' ; exec 3>&-

I've been very busy of late, but the biggest news is that I've started a 3-month temporary part-time assignment here. It's a neat place, and feels a lot like a software startup. Even though it's a small group, they've got certain hardware requirements that are a lot bigger than what I've worked with before; it'll be interesting, to say the least.

Tags: toptip, work.
Two random tips
Wed Jul 23 10:28:53 PDT 2008

dig +short porttest.dns-oarc.net TXT

and watch the skies.

Tags: toptip.
Thing I should have already known #46394
Tue Oct 21 15:30:40 PDT 2008

You can configure OpenSSH's ~/.ssh/authorized_keys file to restrict the commands that key is allowed to run via SSH...thus, say, restricting a particular key to running rsync or dump. You can also restrict it to connections only from certain hosts; as the manual points out, this means that "name servers and/or routers would have to be compromised in addition to just the key."
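
An added example (not from the original post) of both restrictions together: an authorized_keys line that pins a key to one source host and a forced command, plus the wrapper that forced command runs. The host name backup.example.org, the wrapper path /usr/local/bin/rsync-only, the /srv/backup tree, the key placeholder and the function name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Matching authorized_keys line
# (host name, wrapper path and key material are placeholders):
#   from="backup.example.org",command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding ssh-ed25519 AAAA...placeholder backup-pull
# sshd runs this wrapper instead of whatever the client asked for and passes
# the client's request in SSH_ORIGINAL_COMMAND.

ALLOWED_ROOT=/srv/backup   # assumption: the only tree this key may read

# check_forced_command REQUEST: status 0 only for a read-only pull of the form
# "rsync --server --sender <short opts> . <paths under ALLOWED_ROOT>".
check_forced_command() {
    case $1 in
        # Allow-list of characters: no quotes, globs, ';', '|', '$', newlines.
        # Also refuse ".." so a path cannot climb out of ALLOWED_ROOT.
        *[!A-Za-z0-9\ ._/=,-]*|*..*) return 1 ;;
    esac
    set -- $1                      # split on whitespace; no glob chars remain
    [ "$1 $2 $3" = "rsync --server --sender" ] || return 1
    shift 3
    seen_dot=0 paths=0
    for arg in "$@"; do
        if [ "$seen_dot" -eq 0 ]; then
            case $arg in
                .) seen_dot=1 ;;   # separator between options and paths
                -[!-]*) ;;         # bundled short options only, no --long ones
                *) return 1 ;;
            esac
        else
            case $arg in
                "$ALLOWED_ROOT"/*) paths=$((paths + 1)) ;;
                *) return 1 ;;
            esac
        fi
    done
    [ "$paths" -ge 1 ]
}

# With no requested command (an interactive login attempt) nothing is run.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if check_forced_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # unquoted on purpose: argv split, never eval
    fi
    echo "rsync-only: request denied" >&2
    exit 1
fi
```

rsync ships a fuller wrapper of this kind, rrsync; the sketch above only shows the mechanism for a pull-only key.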

Tags: toptip.
Bacula over TLS at last!
Fri Apr 24 11:17:08 PDT 2009

I'm testing Bacula 3; the new release has just come out, and I'm very much looking forward to rolling it out here.

One of the things I've been doing is trying to get TLS working, which I utterly failed at in my last job. I must've failed to see these pages, which a) point out that the otherwise-excellent Bacula manual is (ahem) sparing when it comes to TLS, and b) explain that you need to put the cert files in places that strike me as unexpected.

Thus, in bacula-dir.conf you put the directives listing the director's cert/key in the client section — IOW, you say "and use this key/cert combo when connecting to client foo." Meanwhile, on client foo, you add the client's cert/key directives in the director section ("and use this key/cert when talking to the director"), along with things like the CA cert and required CNs.

Oh, and did you know that you can debug SSL handshakes with openssl? True story.

Tags: backups, toptip.
maillog
Thu Nov 26 09:18:40 PST 2009

Just came across maillog, which looks very cool. From TFM:

Maillog is a powerful tool for selecting and formatting entries from a
sendmail or postfix log. When a message is selected, it collects all
the mailer entries related to that message's queue id and formats them
in a more readable fashion. By default, the log fields that are
printed are: date, from, to, ctladdr, stat, and notes.

This is much better than my cobbled-together multiple-grep scripts. Rather surprised to not find it in Debian...

Tags: handytool, postfix, toptip.
NFS dotfiles
Fri Feb 5 10:40:12 PST 2010

Reminder to myself: Got a file called .nfs.*? Here's what's going on:

# These files are created by NFS clients when an open file is
# removed. To preserve some semblance of Unix semantics the client
# renames the file to a unique name so that the file appears to have
# been removed from the directory, but is still usable by the process
# that has the file open.

That quote is from /usr/lib/fs/nfs/nfsfind, a shell script on Solaris 10 that's run once a week from root's crontab. Some references:

Tags: networking, opensolaris, solaris, toptip, unix.
