Archive for the ‘Information Technology’ Category

Outlook 2003 crashes on startup

Friday, April 18th, 2008

This morning Outlook gave me a big scare. Nope, it didn’t deliver a particularly nasty email, but it crashed as soon as it started. Here’s a look at the nasty error message:

Outlook crash screen dump

No amount of begging and coaxing would make Outlook start normally, so I started Outlook in Safe Mode and, after it managed to start without error, ended it in the hope that it would fix whatever was wrong when the program quit. And guess what? It did.

So, for anyone who encounters the above error, the first thing you can do, before trying the myriad of troubleshooting suggestions found on the internet, is to give Outlook a chance to fix itself by starting it in Safe Mode. To start Outlook in Safe Mode, go to Start -> Run and type:
outlook /safe

Installing Windows XP drivers for Compaq C749TU

Friday, March 21st, 2008

I recently purchased a Compaq C749TU via the Citibank Malaysia Shell Card promotion (stated as HP Compaq PC700 Notebook on their promotion). It came with FreeDOS and since I have an unused version of Windows XP, I decided to install it on this machine.

Hardware specification:
Processor - Intel Celeron M Processor 540 - 1.86GHz
Memory (std/max) - 512MB 667MHz
Hard Disk Drive - 80GB
Optical Drive - DVD/CDRW Combo Drive
Bluetooth/Wireless network - No
Operating System - FreeDOS
Intel Chipset - Intel® GM965
Graphic Chipset - Intel® Graphics Media Accelerator x3100
Audio - 2 Altec Lansing Stereo Speakers
Fax / Modem speeds - High speed 56K
Network Interface - Integrated 10Mbps, 100Mbps
Input Devices - 101 key compatible, 1 Quick Launch Button and Touch Pad
Other media - 5 in 1 integrated digital media reader slot

The first hurdle is the lack of SATA hard disk support in the Windows XP installation. I burned a new copy of the Windows XP CD with SATA drivers integrated in it (you can refer to this blog post on how to do this).

After successfully installing Windows XP, I was horrified to find that there are no Windows XP drivers provided by Compaq (they only officially support Windows Vista). After searching around and trying out solutions, I’ve compiled a list of drivers that will eliminate all the yellow question marks in the Windows device manager list (Right click on My Computer -> Properties -> Hardware -> Device Manager). Install the following drivers/software in sequence and you should be fine:

Audio driver
Download and install Microsoft Universal Audio Architecture Driver
Download Conexant High-Definition Audio Driver. Run it to extract the contents to a directory. To install the Conexant High-Definition Audio Driver, you have to do the following:
1. Click on Start and select Run. Now type devmgmt.msc and press enter.
2. Right click on Audio device on High Definition Audio Bus and click Update driver.
3. Select “Install from a list or specific location”
4. Click Next. Then select “Don’t search, I will choose the driver to install”
5. Click Next and then select “Sound, video and game controller” from the list.
6. Click Next and then click Have Disk.
7. Then browse to the directory that contains the previously extracted files.

Modem driver
Download Conexant HDAUDIO Soft Data Fax Modem with SmartCP Driver. Run the program to extract it to a temporary folder. Then follow the same steps as for the Conexant High-Definition Audio Driver to install this driver. This driver is to update Audio device on High Definition Audio Modem (or something like that).

Video Driver
Download and run Intel® Chipset Graphics Driver Software.

Chipset Driver
Download and run Intel Chipset Installation Utility.

Network Interface Card (LAN)
Download and run Realtek RTL8100CL/RTL8110Sb NIC (LAN) Driver.

Input Devices
Download and run Quick Launch Button Driver.
Download and run Synaptics Touchpad Drivers.

Multiple listeners for multiple SID in Oracle database

Friday, March 21st, 2008

Scenario: You have one Oracle database with 3 different SIDs for different purposes: DR (disaster recovery), UAT (User Acceptance Testing) and SIT (System Integration Testing). You are tasked to configure the database to open one port for each of the SIDs to control access. Piece of cake: you only need to edit two Oracle configuration files to achieve it.

Technical details: The following configuration has been tested on Oracle 10GR2 that was installed on AIX 5.3ML6.

Assumptions: The three SIDs in the Oracle database are named DRDB, UATDB and SITDB. Host name (machine name) is ORACLEDB01 and Global Database name is ORACLEDB. We will create 3 listeners with the following configuration:
Listener name: LISTENER
Port: 1521 (default listener port)
SID: DRDB
Listener name: LISTENER1
Port: 1522
SID: UATDB
Listener name: LISTENER2
Port: 1523
SID: SITDB

First of all, back up the two files in case we need to restore the original configuration.

The next step is to stop the running listener. Get into your oracle shell (in my case, I need to su - oracle) and stop the activated listener by typing lsnrctl stop.

Now, you will need to locate two files with the names tnsnames.ora and listener.ora. If you are using unix like me, you can type in:
find / -name "*.ora"
In my case, the relevant files are located at:
/u01/app/oracle/product/10.2.0/db_1/network/admin/tnsnames.ora
/u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora

Next, edit tnsnames.ora and it should look something like this:
# tnsnames.ora Network Configuration File: /u01/app/oracle/product/10.2.0/db_1/network/admin/tnsnames.ora
# Generated by Oracle configuration tools.

DRDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ORACLEDB01)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = drdb)
    )
  )

UATDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ORACLEDB01)(PORT = 1522))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = uatdb)
    )
  )

SITDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ORACLEDB01)(PORT = 1523))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = sitdb)
    )
  )

EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )

The next step is to edit listener.ora and it should look something like this:
# listener.ora Network Configuration File: /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
      (PROGRAM = extproc)
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = ORACLEDB01)(PORT = 1521))
    )
  )

SID_LIST_LISTENER1 =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME=ORACLEDB)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
      (SID_NAME=uatdb)
    )
  )

LISTENER1 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ORACLEDB01)(PORT = 1522))
    )
  )

SID_LIST_LISTENER2 =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME=ORACLEDB)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
      (SID_NAME=sitdb)
    )
  )

LISTENER2 =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ORACLEDB01)(PORT = 1523))
    )
  )

After editing the files, your new listeners are ready for action. If everything is done correctly, you can start each listener on its own by typing:
lsnrctl start listener
lsnrctl start listener1
lsnrctl start listener2
You can stop them individually by typing:
lsnrctl stop listener
lsnrctl stop listener1
lsnrctl stop listener2
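
A check for the goal stated in the scenario (one port per SID), as an added example that is not part of the original post: it lists each listener in listener.ora with its TCP port and statically registered SIDs, and fails when a listener serves more than one SID or two listeners share a port. The function names and the compact sample input are constructed for illustration, and only the static SID_LIST entries in the file are examined.

```sh
# Added example: map each listener in listener.ora to its TCP port and static SIDs.
# Constructed sample: LISTENER1 and LISTENER2 from the post, written compactly.
sample_ok() {
cat <<'EOF'
SID_LIST_LISTENER1 = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME=ORACLEDB)(SID_NAME=uatdb)))
LISTENER1 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = ORACLEDB01)(PORT = 1522)))
SID_LIST_LISTENER2 =
  (SID_LIST = (SID_DESC = (GLOBAL_DBNAME=ORACLEDB)(SID_NAME=sitdb)))
LISTENER2 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = ORACLEDB01)(PORT = 1523)))
EOF
}
# Constructed misconfiguration: sitdb is also added to LISTENER1 (port 1522).
sample_bad() { sample_ok | sed 's/(SID_NAME=uatdb)))/(SID_NAME=uatdb))(SID_DESC=(SID_NAME=sitdb)))/'; }

# Print one line per listener: "<listener> <tcp-port> <sid[,sid...]>".
listener_map() {
  awk '
    /^[A-Za-z]/ {                  # a name in column 1 starts a new parameter
      cur = $1; sub(/=.*/, "", cur); issid = (cur ~ /^SID_LIST_/)
      lsn = issid ? substr(cur, 10) : cur
      if (!(lsn in seen)) { seen[lsn] = 1; order[++n] = lsn }
    }
    !issid && /PROTOCOL[ \t]*=[ \t]*TCP/ && match($0, /PORT[ \t]*=[ \t]*[0-9]+/) {
      p = substr($0, RSTART, RLENGTH); sub(/.*=[ \t]*/, "", p); port[lsn] = p
    }
    issid {                        # collect every SID_NAME on the line
      rest = $0
      while (match(rest, /SID_NAME[ \t]*=[ \t]*[A-Za-z0-9_]+/)) {
        s = substr(rest, RSTART, RLENGTH); sub(/.*=[ \t]*/, "", s)
        sids[lsn] = sids[lsn] (sids[lsn] == "" ? "" : ",") s
        rest = substr(rest, RSTART + RLENGTH)
      }
    }
    END { for (i = 1; i <= n; i++) { l = order[i]
          print l, (port[l] == "" ? "-" : port[l]), (sids[l] == "" ? "-" : sids[l]) } }
  '
}

# Return 1 if a listener serves several SIDs or two listeners share a port.
check_isolation() {
  listener_map | awk '
    $3 ~ /,/ { print "FAIL: " $1 " serves multiple SIDs: " $3; bad = 1 }
    $2 != "-" && ($2 in owner) { print "FAIL: port " $2 " is shared by " owner[$2] " and " $1; bad = 1 }
    { owner[$2] = $1 } END { exit bad + 0 }
  '
}
sample_ok | listener_map; sample_bad | check_isolation || true
```

To run it against a real file, pipe the file in: `check_isolation < listener.ora`.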

Set up rssh with chroot jail on AIX 5.3

Friday, March 21st, 2008

Scenario: Your AIX server has OpenSSH installed and sFTP configured. How do you restrict sFTP users from accessing other shells (like ksh, bash, csh, scp, ftp, etc)? How do you prevent them from traversing through your directories and potentially doing all sorts of damage?

The answer: Set up rssh with chroot jail. Restricted shell (rssh) is a replacement for the standard shell (in AIX’s case, ksh) to be used with OpenSSH that lets you restrict shell access to only sftp and scp. It supports chroot jail which is a method to sandbox users and programs in a specific directory.

How do you set it up? Russell Martin wrote an excellent article with detailed explanations and instructions on the subject. I recommend that you read the article to understand what we’re trying to achieve.

Ok, why am I writing this post then? Well, even with the abundance of information from Russell’s article, it still took me a long time to set it up on an AIX 5.3ML6 server running OpenSSH 4.3p2. So, I’m writing down everything that I’ve done just in case someone got stuck like me.

(1) Installing rssh

  1. If you do not have gcc or any other compiler installed on your system, head on to IBM AIX Toolbox for Linux Applications download page and grab the gcc 4.0.0(5.3) RPM. To install the gcc rpm, just copy it into your server and issue the command:
    rpm --install gcc-4.0.0-1.aix5.3.ppc.rpm
  2. Download rssh 2.3.2 source tarball from http://www.pizzashack.org/rssh/ and copy it into a temporary directory in your server.
  3. Unzip and untar the archive:
    gunzip -d rssh-2.3.2.tar.gz
    tar xvf rssh-2.3.2.tar
  4. The included INSTALL file provides instructions to configure, compile and install rssh. However, there isn’t a GNU libc compatible malloc present in AIX 5.3 and this will cause the configuration script to configure the Makefile erroneously (read about this problem here), so you will have to issue the following command before attempting to follow the instructions:
    export ac_cv_func_malloc_0_nonnull=yes
    Now we can start to run the commands:
    ./configure
    make
    su root
    make install
    However, in my case sftp-server is located in the /usr/sbin directory, so for the first command, I have to do this instead:
    ./configure --with-sftp-server=/usr/sbin/sftp-server

(2) Creating a user and chroot jail

  1. First of all, I’ll explain how I’ll be configuring my chroot jail. In my environment, I’ll be creating a special user called sftpuser for sFTP access. I will “jail” the user in the /var/file_transfer directory and the home directory for sftpuser will be /var/file_transfer/sftpuser. So in effect, when sftpuser logs in, he will land in the /var/file_transfer/sftpuser directory of the server but it will appear as /sftpuser directory to him. If he issues a cd / command, he will arrive in the /var/file_transfer directory of the server, but to him, he is already in the root directory.
  2. The first step is to create the user in the system. I’m using smit, so I’ll explain using that method. Type in:
    smit user
    Select the option Add a User.
    Key in sftpuser as the User NAME.
    Key in /var/file_transfer/sftpuser as the HOME directory.
    Key in /usr/bin/ksh as the Initial PROGRAM for now.
    Then, proceed and create the user.
  3. After creating the user, we need to set a password for it. Type in:
    smit user
    Select the option Change a User’s Password and set a password for it. After that, try to log in using telnet or SSH and you will be prompted to change the user password.
  4. Now, we have to set the user’s shell to rssh so that the user will be controlled by it. Type in:
    smit user
    Select the option Change / Show Characteristics of a User
    Key in sftpuser as the User NAME and proceed.
    Key in /usr/bin/rssh as the Initial PROGRAM and proceed to save the changes. Now, we’re done creating the user in our system.
  5. To set up the chroot jail, I modified the script downloaded from Russell’s article to cater for AIX 5.3. You can download the script here. Upload this to any directory on your server and chmod to make it executable:
    chmod 755 chroot.sh
    Before you run the script, create the chroot directory first:
    cd /var
    mkdir file_transfer
    Then, edit the paths in the script:
    CHROOTPATH=/var/file_transfer #defines the path of your chroot directory (the directory where you want to confine users to).
    USER_HOME_DIR=sftpuser #defines the path of the user's home relative to the CHROOTPATH
    USER_NAME=sftpuser #defines the user name
    GROUP_NAME=staff #defines the user group
    SFTP_PATH=/usr/sbin/sftp-server
    SCP_PATH=/usr/bin/scp
    RSSH_PATH=/usr/bin/rssh
    CHROOT_HELPER_PATH=/usr/local/libexec/rssh_chroot_helper
    LDD_PATH=/usr/bin/ldd
    KSH_PATH1=/usr/bin/ksh93
    KSH_PATH2=/usr/bin/ksh
    PWD_PATH1=/bin/pwd
    PWD_PATH2=/usr/bin/pwd
    LIB_CRYPTO_PATH=/opt/freeware/lib/libcrypto.a
    LIB_C_PATH=/usr/lib/libc.a
    LIB_CRYPT_PATH=/usr/lib/libcrypt.a

    After changing the paths, run the script:
    ./chroot.sh

  6. The next step is to edit the rssh configuration file (mine resides in /etc/rssh/rssh.cfg). The comments in the configuration file are pretty self-explanatory. The resulting file should have the following uncommented lines:
    logfacility = LOG_USER
    allowsftp
    umask = 022
    chrootpath = "/var/file_transfer"

Congratulations! You have finished setting up rssh with chroot jail. Now you can sFTP in and see if all works fine.

If you run into any problems like the dreadful Connection Closed, you will have to check the syslog to see what the problem is.
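
A way to confirm the end state of section (2) before handing out the account, as an added example that is not part of the original post or of rssh: it reads rssh.cfg text and the user's passwd entry and reports when the login shell is not rssh, the home directory lies outside chrootpath, or anything other than sftp is enabled. The function names are hypothetical, and the passwd entry (uid, gid) is constructed from the values used in the steps above.

```sh
# Added example: verify rssh shell, jailed home directory and sftp-only access.
# Constructed inputs: rssh.cfg lines from step 6; passwd entry with made-up uid/gid.
sample_cfg() {
cat <<'EOF'
# constructed comment line
logfacility = LOG_USER
allowsftp
umask = 022
chrootpath = "/var/file_transfer"
EOF
}
sample_passwd='sftpuser:!:205:1::/var/file_transfer/sftpuser:/usr/bin/rssh'

# cfg_value KEY: value of "KEY = value" from rssh.cfg text on stdin, quotes stripped.
cfg_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | sed 's/^"//; s/"[[:space:]]*$//' | head -n 1
}
# allowed_protocols: space-separated list of enabled allow* keywords (sftp, scp, ...).
allowed_protocols() {
  awk '/^[ \t]*allow[a-z]+[ \t]*$/ { sub(/^[ \t]*allow/, ""); gsub(/[ \t]/, "")
       out = out (out == "" ? "" : " ") $0 } END { print out }'
}

# check_jail CFG_TEXT PASSWD_ENTRY: print each finding, return 1 if there is any.
check_jail() {
  cfg=$1; entry=$2; rc=0
  home=$(printf '%s\n' "$entry" | cut -d: -f6)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  jail=$(printf '%s\n' "$cfg" | cfg_value chrootpath)
  protos=$(printf '%s\n' "$cfg" | allowed_protocols)
  [ "${shell##*/}" = rssh ] || { echo "login shell is $shell, not rssh"; rc=1; }
  [ -n "$jail" ] || { echo "chrootpath is not set: no jail"; rc=1; }
  case "$home/" in
    "${jail%/}"/*) ;;                       # home is inside the jail
    *) echo "home $home is outside chrootpath $jail"; rc=1 ;;
  esac
  [ "$protos" = sftp ] || { echo "enabled: ${protos:-none}, expected sftp only"; rc=1; }
  return "$rc"
}

check_jail "$(sample_cfg)" "$sample_passwd" && echo "jail settings match the post"
```

On the server itself, the same check would be fed the real files: `check_jail "$(cat /etc/rssh/rssh.cfg)" "$(grep '^sftpuser:' /etc/passwd)"`.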