Categories
Uncategorized

Sick as a Dog

A few weeks back we went mountain biking, taking our dog with us. It’s a bit hard taking him in summer, as he’s a long haired dog, built for living in the snow. He still wants to come, but he has to get told No, you’re not coming today. He doesn’t understand, so just looks morose, staring longingly at the gate.

But it’s winter here, so he can run along with us, and not die of heatstroke. He sees the bikes getting loaded onto the car, and he’s very happy when he gets the call to jump in. He’s in like a flash, in case we change our mind.

Woodhill Mountain Bike Park is about 45 minutes drive from home, out in the Woodhill forest to the west of Auckland. As soon as we got there, Samson leaps out of the car, and does a runny poo right next to someone else’s car. Hmm, that’s not good. At least it’s not as bad as someone else’s dog that crapped under the picnic tables.

We head out for a good ride, stopping at a stream along the way, where Samson lies in the water, drinking it up. Later he also stops in a small pool of muddy water, drinking some of that too.

Back at the carpark, we wash the bikes down, and give him a bit of rinse off. He drinks up a bit more water. The sign says the water’s not suitable for drinking, but that doesn’t apply to dogs, right?

We get the bikes loaded up, dog installed in the back of the car, and start to pull out. Wait a second. Samson makes a bit of a funny noise, and we turn around to see he’s gone and thrown up an enormous amount of liquid. He’s a big dog, and it turns out he can hold quite a bit…looks like half of his volume has been expelled, and is covering him and the back of the car.

Luckily there’s always a blanket and a tarpaulin that he sits on in the back of the car. Very useful when he’s been at the beach. Just didn’t think it would be needed for him throwing up. Not much actually got on the car, it was mostly him that got it. Poor old fellow. He got rinsed off again before we set off. Didn’t seem to worry him much!

We then had to drive back, on a warmish day, with a lovely dog-sick aroma in the car. I managed to make myself scarce when we got home, doing something with the bikes, while Anna cleaned it up. When he’s good, he’s my/our dog, other times he’s very much Anna’s dog.


Back of a Bus

The other day I was following a bus, which had a large picture of a typical tropical island covering the back of the bus, and the words “The Cook Islands would be nice about now.” Given that it’s well into winter here, with weather pretty similar to late spring in Scotland, the Cook Islands did indeed sound appealing. It’s been cool here, and going for a run in the morning is a lot tougher in the dark. Trying to find and pick up the dog’s poo is tough when the sun hasn’t come up yet. Usually you need to find it by smell.

Well, I am happy to be able to report that the Cook Islands is indeed nice about now. Blair, a friend of mine from university days, was getting married to the lovely Tara, and we had been invited. Unfortunately Anna and I are a bit short of time at the moment, with work, university and CCIE study, but we were able to take a 4 day weekend, arriving the day before the wedding.

We had both been working far too hard, so the idea of a break was perfect. We were a bit worried that it was going to be a big flashy resort, but it turned out to be anything but. Just a nice relaxed island, a few dogs and chickens running around, easy-going locals, everything we wanted really. Someone had tried to build a flashy Sheraton resort about 2km from where we were staying, but it turned out to be a bit of a debacle – see this video for some idea about what happened.

We were staying at Are Moe, a nice little self-contained studio, about 50m down the road from where Blair, Tara and most of the rest of the wedding guests were staying. We didn’t really know what the details of the wedding were, other than what day it was, and the name of the place they were staying at. But we knew we were staying just down the road, so we figured it would all work out.

We got a shared van from the airport, and as it got down to us and one other couple left, we got chatting. Turned out they were on the island for a wedding. Apparently their grandson was getting married to an American girl. Oh yes, this sounds familiar…well now we’d made contact with at least one other couple, and we knew we weren’t the only ones who didn’t know exactly what the details were going to be.

So we settled in, enjoyed a bottle of wine, went out to dinner, had a couple more drinks, thinking we would have a quiet night…and then Tara found us at dinner time. Apparently the bachelor and bachelorette parties were underway, and we had to go and join them. Oh dear. If you’re going to have a stag do/hen’s night, there’s a very good reason why you should not do it the day before the wedding. I’m not really sure what happened, we didn’t even stay up all that late…but there’s a reason that Anna looks like she’s in serious pain/near death in some of the photos from the wedding. Poor old Tara was worse, and she couldn’t just hide in the background like we did. Anna and I spent most of the morning staying horizontal, that seemed to help. We can also report that they make a good meat pie on Rarotonga. We forgot to check the chocolate milk situation, that would have been a sure-fire hangover restorative. We were mostly revived by afternoon, but we couldn’t stay up late. A bit after 9pm we slipped away. We weren’t the first to go either!

The ceremony itself was a very nice affair, held on the beach near where we were staying. It had been raining off and on all morning, but just on 3pm, the pastor walked out onto the beach, looked up at the sky, and it stopped raining. Lasted just long enough for the ceremony and photos too.

We had been hoping to do some diving while in Rarotonga, but we hadn’t gotten around to organising anything. We needed the rest, so we made a late decision to just have a day off following the wedding. I had plenty of reading to do – just picked up “Dance with Dragons” – and we needed to just chill out, and relax. Turned out to be a good decision, as it rained fairly heavily for much of the morning, and the seas were pretty rough. No problem, our place had everything we needed.

Here’s a couple of shots from the weekend:


There But for the Grace of God

Last time I made mention of Peter Gostelow, it was about a rather unfortunate incident in Africa, where he had been attacked with a machete, and sustained some nasty injuries. Well, over a year later, he’s still on the road in Africa, and had some more bad luck.

This time he wasn’t physically injured, but pretty much everything of value has been stolen, including his last 6 months of photos, stored on an external hard drive. He’s feeling pretty low about it, and trying to work out how to replace the laptop and camera. He doesn’t need much to pay for his day to day expenses, but a new camera and laptop is hard to manage.

Peter was one of the cyclists who inspired me, years ago. Reading his website when he was touring around Asia was one of the things that gave me impetus to make my own long haul trip. If you’ve come across his blogs, and maybe been a bit inspired, he’d probably appreciate it if you could send a few dollars his way.

I know what it’s like to lose stuff, and not just the expensive kit, but all your photos. Somehow I’m still not as disciplined as I should be with backups, but seriously, if you’re out on the road, take Pete’s advice: BACKUP BACKUP BACKUP


Social Co-ordination

Left to my own devices, I could probably be quite happy working, studying in the evening, going for a bike ride in the weekend, occasionally traveling around the world, basically keeping to myself.

Those that know my fiancée will of course realize that keeping to one’s self is not Anna’s style at all. Although her social circle is not as out of control as it once was, she still works hard at maintaining contact with a wide group of people. One of the ways she does this is through regular social events, one of which is the annual “Mid-winter Christmas” dinner. My northern hemisphere readers will wonder why I feel the need to specify mid-winter along with Christmas, but trust me, they don’t go together here.

Here, we use the theme of mid winter Christmas as an excuse for a party in the depths of winter. Brutal it is too, only 10 hours of sunlight a day, and temperatures almost down to single digits. We gather for a not quite informal seated dinner, for 20. Not many people could host a dinner party for 20, but with a bit of rearranging of the house, we somehow manage.

With a limit of 20 or so, competition is fierce for places, but Anna has her favourites. I must ask her why Arden is still on the list, since he doesn’t get cheap booze any more. Wouldn’t be the same without him of course.

So the usual suspects gathered for a huge meal and light entertainment. Luckily we had outsourced the main meat cooking to two of the guests – no chance of fitting a leg of lamb and an enormous piece of pork in our oven. It was barely coping with all the vegetables.

Lots of hard work by Anna and the girls, and the party was the usual success. Every year, Anna declares that “this is the last one ever” – and yet the day after, while cleaning up, she says “well it wasn’t too bad, maybe we could have one more.”

Next year it will be just Anna and I, living in a small house. I have no idea how we’ll manage it again…

Dave didn’t like the little plastic hat, he thought it worked better as a tie:


Squid with Dynamic SSL Cert and Kerberos Authentication

I know, this is not the usual sort of thing I cover here, but it’s something I’ve been working on the last few weeks, and I couldn’t find it documented decently anywhere, at least not for my particular setup. So I thought I’d put it here for Google to index. Maybe it will help someone else out.

Environment:

  • Squid proxy server running on RedHat EL 5.x
  • Clients using Firefox and Safari, on Macs and Linux
  • Mac OS X Server providing authentication services
  • ICAP A/V scanning

Previously we were using NTLM authentication with Squid, but it is a pretty poor experience. NTLM authentication on Mac OS X is unstable if you’re also doing Time Machine backups, and users get far too many authentication popups. I’ve been planning on moving to Kerberos authentication for a long time, but never quite got around to it. We also wanted to enable SSL Interception, using DynamicSslCert, so we can properly log and scan SSL traffic.

The default Squid package that ships with RHEL 5.x is 2.6.x. This is getting a bit long in the tooth. DynamicSslCert has recently gone into the 3.1.12.x RC series, so it’s very close to mainstream. Here are the steps I followed to get SSL interception and Kerberos authentication working:

  • Create a binary RPM from Squid 3.1.12.2. Squid-3.1.12.3 does not compile with ICAP enabled. You will probably want to get the Squid spec file used for Fedora, and use that as a base. Add “--enable-ssl-crtd” to the configure options and build the package.
  • On your Mac OS X Server, create the required Kerberos principal, and export it to a keytab file:

    sudo kadmin.local -q "add_principal -randkey HTTP/<fqdn of proxy server>"
    sudo kadmin.local -q "ktadd -k squid.keytab -norandkey HTTP/<fqdn of proxy server>"

    <fqdn of proxy server> is the fully qualified hostname of your proxy server
  • Install your new Squid RPM on the Proxy server
  • Copy your squid.keytab file to /etc/squid/squid.keytab. Ensure it is readable by the squid user
  • Edit /etc/init.d/squid, to add this chunk near the top:
    KRB5_KTNAME=/etc/squid/squid.keytab
    export KRB5_KTNAME
  • Create the SSL cert DB with “/usr/lib64/squid/ssl_crtd -c -s /var/spool/squid/ssl_crtd/”. Ensure that directory, and those below it, are owned by the squid user. The directory you give to -s here must be the same one you later pass to sslcrtd_program in squid.conf, otherwise Squid will try to use a DB that was never initialised.
  • Create an intermediate CA certificate on your root CA. I’ve used the Mac OS X CA, but you can use whatever CA you have. Copy the key and certificate to /etc/squid/ssl_cert/ – you’ll need to create that directory. Ensure squid can read the cert and keys.
  • Update /etc/krb5.conf. Ensure it has your realm set to your Mac Server.
  • If you want to do NTLM fallback, enable the winbind service, and use “net join -W -S -U ” to join the domain.
  • Configure authentication in squid.conf with something like this – this will use Kerberos/Negotiate first, with an NTLM fallback:
    auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/<fqdn of proxy>
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=<domain> <domain>\<fqdn on mac os server>
    auth_param ntlm children 12
    acl auth proxy_auth REQUIRED

    Your http_access rules must now reference the “auth” ACL
  • Enable icap with:
    icap_enable on
    icap_service service_avscan_resp respmod_precache bypass=0 icap://127.0.0.1:1344/av_scan
    adaptation_access service_avscan_resp allow all
  • Configure SSL Dynamic cert generation with config like this:

    acl sslbumpbypass dstdomain "/etc/squid/whitelist.https"
    sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB
    sslcrtd_children 5
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/ key=/etc/squid/ssl_cert/
    always_direct allow all
    ssl_bump deny sslbumpbypass
    ssl_bump allow all
    sslproxy_cert_error deny all

    Any domains listed in /etc/squid/whitelist.https will NOT have their SSL intercepted. You probably want to put banking sites in here. Note that the deny rule must come before “ssl_bump allow all”, as Squid uses the first matching rule.
  • Modify SELinux. You’ll need to run “semanage port -a -t http_port_t -p tcp 1344” to allow Squid to connect to ICAP. You’ll also need to configure a local SELinux policy to allow Squid to read/write the temporary files that squid_kerb_auth puts into /tmp. Use audit2allow, and your audit logs, to work out what you need here.
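Because Squid takes the first matching ssl_bump and http_access rule, a whitelist deny placed after “ssl_bump allow all” silently never fires, and a cert DB path that differs between the ssl_crtd -c step and sslcrtd_program leaves Squid pointing at an uninitialised DB. The following checker is an added example, not part of the original post or of Squid; it assumes the Squid 3.1 allow/deny ssl_bump syntax used above and runs over a constructed config fragment.

```python
"""Sanity-check the ssl_bump and auth directives of a squid.conf fragment (Squid 3.1 syntax)."""

# Constructed sample mirroring the settings above; not a real production config.
SAMPLE_CONF = """\
acl auth proxy_auth REQUIRED
acl sslbumpbypass dstdomain "/etc/squid/whitelist.https"
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB
http_access allow auth
http_access deny all
ssl_bump deny sslbumpbypass
ssl_bump allow all
sslproxy_cert_error deny all
"""

def parse(conf):
    """Yield (directive, args) pairs, ignoring comments and blank lines."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]

def check_conf(conf, crtd_db="/var/spool/squid/ssl_db"):
    """Return a list of problems; an empty list means the fragment looks sane."""
    rules = list(parse(conf))
    problems = []
    acls = {a[0] for d, a in rules if d == "acl" and a} | {"all"}
    bumps = [a for d, a in rules if d == "ssl_bump"]
    for a in bumps:  # every ssl_bump rule must name a defined ACL
        for name in a[1:]:
            if name.lstrip("!") not in acls:
                problems.append("ssl_bump references undefined acl %s" % name)
    # first match wins: the whitelist deny has to precede the catch-all allow
    deny = next((i for i, a in enumerate(bumps) if a[:2] == ["deny", "sslbumpbypass"]), None)
    allow = next((i for i, a in enumerate(bumps) if a[:2] == ["allow", "all"]), None)
    if deny is None:
        problems.append("no 'ssl_bump deny sslbumpbypass': whitelist never applied")
    elif allow is not None and allow < deny:
        problems.append("'ssl_bump allow all' precedes the bypass deny: whitelist never applied")
    if not any(d == "http_access" and "auth" in a for d, a in rules):
        problems.append("http_access does not reference the 'auth' acl")
    if not any(d == "sslproxy_cert_error" and a[:2] == ["deny", "all"] for d, a in rules):
        problems.append("missing 'sslproxy_cert_error deny all'")
    for d, a in rules:  # the DB given to -s must be the one initialised with ssl_crtd -c
        if d == "sslcrtd_program" and "-s" in a:
            path = a[a.index("-s") + 1].rstrip("/")
            if path != crtd_db.rstrip("/"):
                problems.append("sslcrtd_program -s %s differs from initialised db %s" % (path, crtd_db))
    return problems
```

Pass the directory you used with ssl_crtd -c as crtd_db; the hypothetical check_conf returns an empty list when the fragment is consistent.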

You will need to configure both Firefox, and the System Keychain on your Macs, to trust the Intermediate CA used by Squid. Unfortunately it doesn’t send the whole certificate chain, including the root CA, so just trusting the root CA is not enough. Hopefully the ability to send the chain will come in later releases.

I don’t want to publish full configs, but this should be enough to get you started. Any specific questions, fire them this way, and I’ll try to help.

Note: Safari and Mail.app do not support Kerberos authentication. They fall back to NTLM happily enough.


First stage complete

That’s the easy part out of the way – I’ve passed CCIE written. I worked my way through the huge stack of books I’ve got, managed to get enough to soak in, and got the written exam out of the way.

It wasn’t too flash, but a pass is a pass, so now I can book the lab. The aim will be to sit it late this year, before my wedding. It takes an average of 2.7 attempts to pass, so I’ll be happy to pass it in 2 attempts. The nearest location for me is Sydney. Not too bad, although it would be nicer to do it at home.

I need to do some research over the next few days, comparing and pricing workbooks, study material and rack rentals from INE, IPexpert and Cisco 360. Unfortunately it’s all very expensive (thousands of $US), so I need to do a bit of analysis before spending the cash. They have a range of different learning options, payment methods and approaches. I’ll probably go with INE, but add in a few bits and pieces from the other vendors.

Guess it was never going to be cheap studying for CCIE.

Other good news: I’ve ordered an iPad, and it should arrive next week! Purely purchased for…ah…study purposes. Yes that’s it.