Tuesday, August 22, 2017

Fixing the annoying popup in FreeIPA

I love FreeIPA except for one thing: That annoying popup when using Chrome:

This popup confuses the hell out of my users when they can't log in. So what is it? One nice feature of FreeIPA is its ability to do single sign-on via Kerberos. The problem is that not all browsers support this, and configuring it on the client side has a high bar of entry - I'm not even sure you can get it working in Chrome. So when a user goes to the FreeIPA page, which supports Kerberos logins, and sees this popup, they (understandably) think they need to log in there. Since the browser is not configured for Kerberos, this inevitably fails. Worse, unauthenticated users are prompted to log in twice. So this can quickly turn into a service call or ticket when a user "can't log in." The workaround is to click Cancel twice to be taken to the forms-based login. But instead, why don't we just suppress the popup?

Since the FreeIPA documentation is notoriously abysmal, I'll provide my solution to the problem here. Simply do the following:

Log in to your host
Edit /etc/httpd/conf.d/ipa-rewrite.conf
Add the following to the end of the file:

# The following disables the annoying Kerberos popup for Chrome.
# Only unauthenticated requests (no ipa_session cookie) that come from the
# web UI (Referer ends in /ipa/ui/) get a bare 401. The "-" substitution
# leaves the URL untouched and L stops further rewriting.
RewriteCond %{HTTP_COOKIE} !ipa_session
RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
RewriteRule ^/ipa/session/json$ - [R=401,L]
# The Kerberos login endpoint is always answered with a bare 401.
RedirectMatch 401 ^/ipa/session/login_kerberos

And that's it! Restart your web server (systemctl restart httpd on a stock install) and the popup should go away. One caveat: FreeIPA generates ipa-rewrite.conf itself and may regenerate it on upgrade, so keep a copy of the addition and check the file after running ipa-server-upgrade. So what does it do?

The first three lines set very specific conditions for triggering a 401 response for /ipa/session/json. The web UI talks to the IPA server over this JSON-RPC endpoint, so we only want to send the 401 if there is no ipa_session cookie (which is set on login) and the request comes from the UI page, not, say, from someone making their own JSON call from the command line. Otherwise we risk inadvertently breaking something. Note that the Referer condition is there only to scope the change: the header is supplied by the client, so it is not a security boundary, and nothing about authentication is loosened by it - the rule only denies earlier than the server otherwise would.

It is worth noting that in older versions of FreeIPA, this path was /ipa/session/xml, but it was renamed. If you are on an old version of IPA either upgrade or adjust your configuration appropriately.

The last line returns a 401 when someone tries to access the Kerberos login endpoint. These two endpoints are the ones that send the HTTP authentication challenge (the WWW-Authenticate header), and it is that challenge which makes the browser open its login dialog. By returning a 401 immediately, before the server gets to challenge, the browser never sees a WWW-Authenticate header, so it shows no dialog and the UI falls through to the forms-based login. Strictly speaking a 401 without a WWW-Authenticate header is not what RFC 7235 prescribes; browsers and the web UI handle it fine, but if you have non-browser clients that rely on the Negotiate challenge from these endpoints, test them after making the change.
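To confirm the rules behave as intended, and that you have not changed what other clients see, it helps to look at the raw response headers rather than at the browser. The script below is an added example and not part of the original post; the host name is a placeholder, and it assumes curl, a POSIX shell, and the IPA CA certificate at /etc/ipa/ca.crt. It classifies a response by whether it is a 401 that still carries a WWW-Authenticate challenge (which is what makes a browser open its login dialog) or a bare 401 (which does not), and probes the two endpoints the rules cover, once the way the web UI does (Referer set, no session cookie) and once the way an API client would (no Referer).

```shell
#!/bin/sh
# Added example (not from the post): classify what an IPA endpoint answers
# to a browser-style request versus a plain API-style request.
# IPA_HOST is a placeholder; set it to your server.
IPA_HOST="${IPA_HOST:-ipa.example.com}"
# CA that signed the IPA web certificate (written by ipa-server-install /
# ipa-client-install); override if yours lives elsewhere.
CACERT="${CACERT:-/etc/ipa/ca.crt}"

# Read response headers on stdin (as printed by `curl -D -`) and print:
#   prompt - 401 carrying a WWW-Authenticate header: the browser will show
#            its login dialog (this is the popup the post is about)
#   silent - 401 without WWW-Authenticate: no challenge, so no dialog
#   other  - anything else (200, 3xx, 403, ...)
classify_challenge() {
    awk '
        NR == 1 && $2 == "401"                 { status401 = 1 }
        tolower($0) ~ /^www-authenticate:/     { challenge = 1 }
        END {
            if (!status401)     print "other"
            else if (challenge) print "prompt"
            else                print "silent"
        }'
}

# probe PATH [REFERER]: fetch only the headers of an endpoint, optionally
# with a Referer header, and classify them. No cookie is sent, so this is
# what an unauthenticated client sees.
probe() {
    url="https://$IPA_HOST$1"
    if [ -n "${2:-}" ]; then
        curl -sS -o /dev/null -D - --cacert "$CACERT" -H "Referer: $2" "$url" | classify_challenge
    else
        curl -sS -o /dev/null -D - --cacert "$CACERT" "$url" | classify_challenge
    fi
}

# The three requests worth comparing after editing ipa-rewrite.conf.
check_ipa() {
    echo "UI-style request to /ipa/session/json (Referer, no cookie): $(probe /ipa/session/json "https://$IPA_HOST/ipa/ui/")"
    echo "API-style request to /ipa/session/json (no Referer):        $(probe /ipa/session/json)"
    echo "Request to /ipa/session/login_kerberos:                    $(probe /ipa/session/login_kerberos)"
}

# Only talk to the network when explicitly asked, so the functions above
# can be sourced and used on their own.
if [ "${1:-}" = "--run" ]; then
    check_ipa
fi
```

Run it as `IPA_HOST=ipa.example.com sh ipa-popup-check.sh --run`. With the rules in place, the UI-style request to /ipa/session/json and the request to /ipa/session/login_kerberos should report silent; the API-style request reports whatever the stock configuration returns for an unauthenticated client, which the Referer condition deliberately leaves untouched. If you see prompt for the UI-style request, the Referer or cookie conditions are not matching what the browser actually sends, and the browser's network tab will show you the headers to compare against.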

Wednesday, December 28, 2016

11 questions IT people should ask in an interview

Job seekers are frequently advised that an interview is not just for prospective employers to see if you, the interviewee, are the right fit, but also for you to see if the prospective employer is the right fit. Every prospective employer should give the interviewee the opportunity to ask any questions they might have. You should be leery of any interview in which you are not given sufficient time to ask questions. Clearly, prospective employers who do not make time for you now certainly aren't going to be more considerate after you are hired. In fact, companies will never treat you as well as when they are looking to hire you. Generally, the better you are treated during an interview, the better you will be treated during your employment. As such, be sure to leverage the opportunity during your interview to get answers to the following 11 questions:

  1. What is your background? Were you promoted from a technical role, or a business role?

     For some reason, there is a pervasive myth that if you are an expert in a given field, you are qualified to manage others in that field. Nothing could be farther from the truth. It is not a manager's job to be an expert in their field (that is the role of a Subject Matter Expert [SME]); instead it is a manager's job to be an expert in personnel management. Management should be seen as a role parallel to engineering, not a role above engineering to which one is promoted.

     This leads to two types of companies: companies that understand that personnel management is an entirely different discipline than engineering, and companies that do not. You want to be working for the former. This is because a manager who was hired for his or her people skills and expertise in organizational management will be far more pleasant to work for than one who was promoted for their technical expertise.

     By inquiring as to the background of your interviewer (who is presumably your prospective manager) you can determine the management philosophy of the company and of the individual you are interviewing with. If you are not interviewing with your future manager, this should be cause for concern. While it is not uncommon to first interview with a hiring manager or an HR person, at some point during your interview process you should be interviewing with your future manager. If you do not, this is cause for alarm, as you have no idea whether you will get along with your future manager and you may not be a good fit for the team that they run.

     If you find that a manager has been promoted for their technical expertise, before you write them off completely ask:

  2. Do you have a favorite book about technology and/or management?

     Asking this question will tell you a lot about your future manager. You want to be sure that your manager is an expert in management and has considered their management philosophy. This helps to avoid authoritarian managers who motivate and manage by fear. Far better are those managers who motivate and manage through loyalty. Managers who have not even taken the time to ponder this very basic question about management style are far more likely to be the former type of manager than the latter. Managers who motivate employees and manage through loyalty are often far more capable of introspection.

     This question also allows you to determine whether your future manager knows anything about management. For example, a manager who has read books like "The Mythical Man-Month" or Gene Kim's "The Phoenix Project" and responds with one of these as their favorite tells you a great deal: they know that adding people to a project does not necessarily speed up that project, they know the importance of measuring work and determining where their bottlenecks are, and they know the Three Ways of DevOps. Managers like these are a rare unicorn, possessing both technical expertise and capabilities in personnel management. These kinds of managers have probably made a career shift from a technical role to a managerial one - perhaps getting a master's in business by taking night classes.

     On the other hand, if your prospective manager responds with something like Kōnosuke Matsushita's "The Path" or Ken Blanchard and Sheldon Bowles' "Raving Fans" or a similar tome, this tells you something completely different: this manager probably has formal training in management or business, but probably does not have much experience with the challenges of management within the technology field. While they know how to work with and motivate people, they may have very little understanding of or sympathy for the difficulties of technology. Explanations of issues or outages may sound like technical jargon or mumbo-jumbo to this person, which they may in some cases see as a means of masking excuses for poor performance.

     Or, if your interviewer responds with a book from the O'Reilly series, "Beginning Linux Programming" or the "TCP/IP Bible", this tells you that this individual was most likely promoted out of the field and has little experience in management. They may have made very little effort to try to improve as a manager or to understand the role that they have been placed into. Instead of managing, this person may demonstrate very little ambition for betterment in their new role and attempt to continue doing the duties of their previous role, leaving their employees without direction and without anyone shielding them from upper management.

  3. What ticketing system(s) do you use?

     While ticketing systems can seem like a drag and a mechanism for "the man" to control every little detail of your time and make sure that they are squeezing every ounce of productivity out of you, believe it or not, ticketing systems are your friend. While tracking your Time-On-Task can seem ominous, it is important that managers keep track of how much of their employees' time is used in order to maintain an optimal Pareto efficiency. Good managers will know that you can't achieve 100% or more utilization without suffering productivity decreases from their employees, and will instead target around 90%.

     But without tracking your time, your manager can't do that. If they don't know that 8 employees are having to achieve 97% utilization and the backlog of tickets is still growing, they don't know it's time to hire. Simply put, tracking your work helps achieve a good work-life balance for you if your manager is using this data correctly.

     Asking what ticketing system is used tells you a lot. First, if they use 3 ticketing systems as one employer I worked for did, then they are using none of them properly. Conversely, if they have no ticketing system and work out of E-mail, then you can be confident that they don't have it together enough to be able to tell how much work they have and manage their workforce appropriately, and in either of these cases your work-life balance will suffer. Finally, a good ticketing system will have the ability to track time against a requester and against the systems impacted. You want to be able to trend which server is constantly breaking, or which annoying user is always putting in tickets and wasting team time. This allows you to identify and remediate trouble areas within your organization or find areas of growth which may need resources directed towards them. Similarly, a good ticketing system will have team queues and allow teams to have a digital Kanban board for managing their workflow.

  4. Do you have a formal Disaster Recovery (DR) plan?

     Few things are as important within an IT organization as scalability and redundancy. Scalability ensures that an organization has thought not just at the small scale, but at a large scale as well. As things scale out, they sometimes encounter architectural challenges, particularly when scaling geographically. Companies that need to think at large scale generally indicate they have seen growth and are healthy. There is nothing worse than an app hitting a brick wall in terms of scalability and having to pull long hours in order to re-architect an application and overcome design challenges that could have been prevented by simply doing the job right in the first place.

     Similarly, redundancy ensures that in the middle of the night, when a server's disk does fill up and the server goes offline or a power outage occurs, you are not receiving phone calls at 3 AM. It guarantees that the application and hardware fabric is robust enough to elegantly handle failures without causing an emergency. This also ensures minimal outages, which can be stressful even during business hours, let alone during the middle of the night or during the holidays.

     Asking about a disaster recovery plan is a great way to ensure that a company has scalability and redundancy. Ideally, their DR plan will be tested periodically using a DR exercise. I once worked for a company that moved offices and during the office move, they simply simulated a disaster. Everyone went home and telecommuted for the week while a moving company moved the entire office. One week later we all started showing up at the new office and during this time, our customers didn't even notice. They had built a solid enough architecture with enough scalability and redundancy to be able to accommodate that. Not all organizations have.

     A company that has planned for DR is a company that A) has redundancy and B) can scale their redundant environment in an emergency to make sure systems stay online.

  5. How often do you perform test restores?

     Oftentimes, backup procedures are not followed - and this is more common than you might think. Asking about test restores ensures that a company has it together enough to A) have backups and B) have the luxury of enough funding and time to actually validate those backups from time to time and ensure they can be restored with minimal-to-no downtime. Backups are like insurance. No one plans for data loss, so this is often the first thing to suffer when staffing gets tight or a team gets overloaded. This can be a canary in a coal mine in terms of how well management has it together. When test restores go out the window, you know that an IT team is beginning to face challenges in either organization or time available to service workload.

  6. What is your inclement weather policy?

     While not very important if you live in California, for those who may live in snowy climates or other areas with extreme weather (like hurricanes and tropical storms) it is important to know whether your employer is considering your safety. In the IT field, we have the ability to work from home for a day or two. In fact, some studies show we may even be more productive when working from home.

     Weather-related accidents contribute to 7000 deaths, 800,000 injuries and 45 million dollars of damage each year. An employer who is considering this and tells you to stay home for your safety and work from home instead of coming into the office is bound to be a good employer. This kind of employer sees you as a person, instead of just a mechanism for generating revenue.

  7. Why are you looking to hire? Are you back-filling this position, or is this position new due to growth?

     This question is a great way to suss out whether a former employee left due to discontent with the position. Ideally a company will be hiring due to growth instead of the loss of a dissatisfied employee. If the previous employee was unhappy, there is a chance that you will be too. If the employer cannot answer this question due to their HR policies, the most likely cause is that the previous employee was fired for performance-related issues.

  8. What does your unit testing and QA procedure look like?

     Inevitably, most IT organizations do at least some amount of in-house development. For some, this is their revenue source. Ensuring that groups follow a full battery of automated testing which validates that all features and functions operate as expected is a mark of a healthy IT department. For those companies that develop a software-based product, this kind of testing and Quality Assurance is essential so that the service the IT team provides is less likely to see outages and bugs.

  9. Do you have a change management process? What does that look like?

     While change management may seem like mundane and unnecessary paperwork, it is important to make sure that changes 1) do not collide and 2) happen within convenient time-frames. Unmanaged changes can often happen at times which mean that if there is a problem with a change, you will be woken up at a very inconvenient time once a problem is finally discovered, or you may end up working late or during a holiday or vacation due to a failed change. A well-defined change management process will go a long way towards ensuring a good work-life balance for employees. The best change management will integrate automated unit testing results and human checks to prevent mistakes. In fact, automated configuration management systems like Puppet or Chef are the single biggest way to prevent mistakes. Machines don't make mistakes; humans do.

  10. What role does this position serve in the company?

     Knowing what role your position will serve within a company is very important. Roles that fall under cost centers and expenses within an organization will often be squeezed to reduce expenses and maximize profits. This can often result in sub-par equipment or deployments, which ensures that there will be more time spent maintaining and supporting the environment. Conversely, IT departments which are associated with profit centers are responsible for the success and revenue generated by a company. While this can be stressful during outages which will directly impact the bottom line, it also helps to ensure that when IT requests resources that are sincerely needed, these are not denied in a cost-saving bid. Furthermore, organizations which silo into Operations, Networking and Development teams can often become embroiled in turf wars. When these teams are consolidated and operate in concert, success for one is success for all groups, while headaches for one become headaches for all.

  11. What does your patch management cycle look like?

     Good organizations should have a patch management system. Great organizations will patch monthly and will ensure that patches go into a QA or staging environment first, where systems are checked for issues. Only then should these patches be promoted to production. Typically, you will find that unhealthy organizations do not find the time to keep up on this monthly maintenance task.

Hopefully with these questions, you will be able to find an organization which is a good fit for you and will result in a life-long and happy pairing with a company at which you can retire.

Did I miss any questions? Do you have any criticisms of the above questions or additional suggestions? Leave your thoughts in the comments below.

Sunday, November 3, 2013

How I obtained Stock ROMs

The first and most important step to obtaining the stock system ROM is to figure out your partitioning scheme so that you know what you need to back up and what you should not. To figure this out, you will need to view your Partition Information Table (PIT), Samsung's own description of the NAND flash's logical layout; it is the table that download mode (Odin, Heimdall) works from, and it sits alongside the GPT that the running kernel reads. For the most authoritative source of information that I have found regarding the partitioning on Android phones, check out the El Grande Partition thread over at xda-developers.com. To get a good sense of your partitioning, you will need both the block device names (used by the mount command) and the actual partition names. This translates roughly into: you need the output of /proc/partitions and parted. Once you have root, getting /proc/partitions is easy. Simply type "cat /proc/partitions":

app_128@android:/ $ su
root@android:/ # cat /proc/partitions

This results in the following output:

major    minor    #blocks        name

Getting the output from parted requires a little more skill, as parted is not present on most phones by default and is not included with busybox. Thanks to the guys over at droidforum, however, you can download this from here. Once you have unzipped this file and uploaded it to your device - by putting the phone into disk mode, using adb push, or by taking out the microSD card and putting it into your computer - copy it somewhere it can be executed and use it to print the partition table of the eMMC:

app_128@android:/ $ su
root@android:/ # cp /mnt/extSdCard/parted /data/local/tmp/   # any writable, executable location will do
root@android:/ # chmod 755 /data/local/tmp/parted
root@android:/ # /data/local/tmp/parted /dev/block/mmcblk0 print
Number  Start  End  Size  File system  Name  Flags

Each partition is then dumped by number (the block device name) to a file named after its partition name, so the image can be matched back to the table later:

dd if=/dev/block/mmcblk0p1 of=/sdcard/modem.bin        # modem firmware
dd if=/dev/block/mmcblk0p2 of=/sdcard/sbl1.mbn         # secondary bootloader, stages 1-3
dd if=/dev/block/mmcblk0p3 of=/sdcard/sbl2.mbn
dd if=/dev/block/mmcblk0p4 of=/sdcard/sbl3.mbn
dd if=/dev/block/mmcblk0p5 of=/sdcard/aboot.mbn        # application bootloader
dd if=/dev/block/mmcblk0p6 of=/sdcard/rpm.mbn          # resource/power manager firmware
dd if=/dev/block/mmcblk0p7 of=/sdcard/boot.img         # kernel + ramdisk
dd if=/dev/block/mmcblk0p8 of=/sdcard/tz.mbn           # TrustZone firmware
dd if=/dev/block/mmcblk0p9 of=/sdcard/pad.mbn
dd if=/dev/block/mmcblk0p10 of=/sdcard/param.mbn
dd if=/dev/block/mmcblk0p12 of=/sdcard/modemst1.bin    # modem NV data: device-specific, do not share or restore to another phone
dd if=/dev/block/mmcblk0p13 of=/sdcard/modemst2.bin
dd if=/dev/block/mmcblk0p16 of=/sdcard/persist.ext4
dd if=/dev/block/mmcblk0p18 of=/sdcard/recovery.img
dd if=/dev/block/mmcblk0p21 of=/sdcard/fsg.mbn         # "golden" backup copy of the modem NV data
dd if=/dev/block/mmcblk0p23 of=/sdcard/grow.mbn
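A hand-written list like the one above is easy to get wrong: a typo in a partition number silently dumps the wrong thing, and dd does not complain about a short read. The script below is an added example, not part of the original post, that generates the dump commands from the partition table itself. It assumes the Android parted build accepts -m (machine-readable output) and that `parted -m /dev/block/mmcblk0 unit B print` has been saved to a file; the sample table embedded in it is constructed for the example (partition names from the list above, sizes made up), and the default SKIP list is an assumption about which partitions hold user data rather than the ROM.

```shell
#!/bin/sh
# Added example (not from the post): turn machine-readable parted output
# into a backup script that dumps each partition by name, checks that the
# dump is exactly as large as the table says, and records an md5sum.

# Constructed sample of `parted -m /dev/block/mmcblk0 unit B print`
# (names taken from the dd list above; sizes are invented for the example).
SAMPLE_PARTED='BYT;
/dev/block/mmcblk0:7818182656B:sd/mmc:512:512:gpt:MMC;
1:4194304B:71303167B:67108864B::modem:;
2:71303168B:71434239B:131072B::sbl1:;
7:104857600B:115343359B:10485760B::boot:;
16:209715200B:218103807B:8388608B:ext4:persist:;
18:218103808B:230686719B:12582912B::recovery:;
22:234881024B:7818182655B:7583301632B:ext4:userdata:;'

DEVICE="${DEVICE:-/dev/block/mmcblk0}"
# Assumption: these partitions hold user data, not the ROM, so skip them.
SKIP="${SKIP:-userdata cache}"

# partition_size TABLE_FILE NAME -> size in bytes (nothing if NAME is absent)
# Fields of a -m line are number:start:end:size:filesystem:name:flags.
partition_size() {
    awk -F: -v want="$2" '/^[0-9]+:/ && $6 == want { sub(/B$/, "", $4); print $4 }' "$1"
}

# gen_dump_script TABLE_FILE OUTDIR -> prints a shell script on stdout
gen_dump_script() {
    table=$1; outdir=$2
    echo "set -e"
    echo "mkdir -p '$outdir'"
    awk -F: -v dev="$DEVICE" -v outdir="$outdir" -v skip=" $SKIP " '
        /^[0-9]+:/ {
            num = $1; size = $4; name = $6
            sub(/B$/, "", size)
            if (index(skip, " " name " ")) { print "# skipping " name; next }
            out = outdir "/" name ".img"
            printf "dd if=%sp%s of=%s bs=4096\n", dev, num, out
            # a short read (bad block, wrong device) must stop the backup
            printf "[ \"$(wc -c < %s)\" -eq %s ] || { echo \"size mismatch: %s\" >&2; exit 1; }\n", out, size, name
            printf "md5sum %s >> %s/md5sums.txt\n", out, outdir
        }' "$table"
}

# When run with a table file and an output directory, emit the script.
if [ $# -eq 2 ]; then
    gen_dump_script "$1" "$2"
fi
```

Usage: `sh gen-dump.sh table.txt /sdcard/backup > dump.sh`, then run dump.sh as root on the phone. Every dd is followed by a size check against the table and an md5sum entry, so a truncated or mis-numbered dump stops the script instead of leaving you with a backup that will not restore; the md5sums.txt file is what you compare against later, the same way the md5 hashes are listed for the bootloader images below.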

Restoring the Stratosphere II (SCH-I415) to stock/Unrooting and ROMs, Etc.

To Unroot your phone or restore it to stock, simply follow this post which walks you through rooting but use the images below. On this page, you will find all files relevant to your Stratosphere II (SCH-I415)

Android Version 4.1.2 (MA3)

Stock ROM
Cyanogen Mod
My custom ROM

Android Version 4.0.4 (LJ2)

Stock ROM

PIT file (Partition Information Table)


Please note that the PIT file for 4.1.2 and 4.0.4 are the same. The md5 hash of a PIT file dumped from both versions shows that the table is identical on both versions. For a human readable output of the PIT, Check out this page

Boot files
5e6f0d436f3a266aa9a2a448b526465a I415LJ2_aboot_p5.img
bc6859071a8da0d9fbe9ddf2045a1ce5 aboot.mbn

Note that the USB jig works only on the LJ2 (4.0.4) Bootloader. The MA3 (4.1.2) bootloader appears to be an ICS bootloader. I highly recommend using the LJ2 bootloader as it allows for both ClockworkMod recovery and using the USB jig. The MA3 bootloader allows neither.

Tuesday, September 17, 2013

Stratosphere II (SCH-I415) Teardown

After trying to unlock the SIM on my phone, I managed to brick it. In order to attempt a repair, I needed to take it apart, but to date, I haven't found any teardowns for it, so I figured I might as well be the first. For the record, the USB jig does not seem to work with this model of phone.

Disassembling the back of the phone
This yields the motherboard, keyboard, camera and SD/SIM slot.

Step 1: Remove the battery cover and battery to expose the battery compartment. Also remove any SIM cards and SD cards.

(Click to enlarge)

Step 2: Remove the 7 screws that hold the back bezel and the front bezel together

(Click to enlarge)

Step 3: Open the keyboard and gently begin prying between the keyboard and back bezel

(Click to enlarge)

The back bezel should pull away and the keyboard will come loose. It is not screwed down. In this picture the keyboard is actually lying upside down in the keyboard tray. To re-install it properly, you would need to flip it over.

(Click to enlarge)

Step 4: Remove the screws securing the motherboard to the digitizer and hinge and pry up the connector on the right side of the phone.

(Click to enlarge)

Step 5: To remove the heat sink, access the front of the motherboard or replace the SIM/SD slot, pry the connector at the top of the phone up and pry at the four corners of the heat sink.

Board Analysis
In this section, we go over the chips and features of the motherboard. For the digitizer, skip to the next section

At this point, the phone should be in several pieces:

(Click to enlarge)

Back view of the board:

(Click to enlarge)

In the above, you can clearly see the contacts for the keyboard.

Front view of the motherboard:

(Click to enlarge)

Another view:

(Click to enlarge)

Sorry, these are the highest resolution photos I have. If you need some numbers off a specific chip, E-mail me and I'll see if I can get them for you. Also see the Galaxy S Relay below

(Click to enlarge)
  1. RTR8600 - Qualcomm multi-band/mode RF transceiver WEDGE

  2. RTR8605 - Qualcomm IntelliCeiver transceiver for cellular RF management

  3. KLM8G2FE3B-B001 - Samsung eMMC 8 GB NAND flash

  4. K3PE7e700D-XGC2 - Samsung 8 Gb (1 GB) 500 MHz LPDDR2 RAM, 1.2 V, 2 channels x32 per channel, 220-FBGA 14x14 PoP, DDP, 128M x 32 x 2

    MSM8960 - 1.5 GHz Snapdragon S4 Plus 28 nm ARMv7 processor with integrated Bluetooth 4.0 and 802.11n (2.4/5 GHz)
    L0: 2x4 KB; L1: 2x16 KB; L2: 1 MB

    The RAM is stacked on top of the CPU as a package-on-package (PoP), which is why the two appear as a single chip on the board.
    For a schematic of the above, see this PDF. For a full "hack pack" for this chip, check out this link.

  5. PM8921 - Qualcomm PM8921 is a power management IC

This board appears to be extremely similar to the SGH-T699 aka Galaxy S Relay 4G (See this)

Additional information about the SGH-T699:

Other devices built around the same SoC (the MSM8960) are:
Asus Transformer Pad Infinity (3G/4G version), BlackBerry Z10, HTC Droid Incredible 4G LTE, HTC Evo 4G LTE, HTC One X (North America), HTC One XL, HTC Windows Phone 8X, LG Mach, Motorola Atrix HD, Motorola Droid Razr M, Motorola Droid Razr HD, Motorola Razr HD, Motorola Droid Razr Maxx HD, Nokia Lumia 820, Nokia Lumia 920, Nokia Lumia 925, Nokia Lumia 1020, Panasonic Eluga Power, Samsung Galaxy S III (select versions), Galaxy S Relay 4G, Samsung Photon Q 4G, Sharp Aquos Phone sv (SH-10D), Sharp Aquos Phone Zeta (SH-09D), Sony Xperia GX, Sony Xperia TL, Sony Xperia SX, Sony Xperia V, Toshiba Regza Phone (T-02D), ZTE Grand Era LTE, ZTE Grand X LTE, ZTE V96, Pantech Vega Racer 2 IM-A830L

Digitizer/screen replacement
This is incomplete since I didn't need to replace my digitizer or screen. I didn't go any further than this because I didn't want to have to.

(Click to enlarge)

Step 1: Slide the hinge halfway open to reveal all 6 screws on the back of the screen and remove the screws

(Click to enlarge)

Step 2: Begin prying the back of the LCD off.

(Click to enlarge)

Step 3: Flip up the hinge on the connector to allow you to disconnect the ribbon cable. This is the only hinged connector on the phone. The others just snap together. This connector is similar in style to the ones pictured here.

Note: Reassembly of the LCD is very tricky, as you have to slide the hinge halfway between open and closed in order to leave enough ribbon cable to reconnect to the LCD. In the picture below, I will have to flip my hand over and keep the hinge in its current position (and try to keep my thumb out of the way) and then try to reattach the connector by reaching my fingers through the space in the sliding hinge to flip the ribbon connector closed. I definitely needed about 5 hands to do this and I didn't get the cable as securely attached as it had been initially. I suspect this cable will be the cause of a lot of failed displays. Here is a picture of me halfway through this process:

(Click to enlarge)

So, a few miscellaneous notes:
  • I think I found the JTAG interface. If you can identify the pinouts circled in the graphic above, please E-mail me so I can update this teardown