To make Windows server 2016 time service unreliable to make it reliable

I was trying to resolve How do I force sync the time on Windows Workstation or Server?, and surprise! You need to make it “unreliable”!

Let’s make sure the w32time service is already configure to use external NTP. If not, run following to configure w32time:

w32tm.exe /config /manualpeerlist:”ntp1.example.net ntp2.example.net” /syncfromflags:manual /update

Also follows the article setting NTP server on Windows machine using PowerShell if you also want your control panel in-sync.

Most solutions do not work if the host is a Windows Server 2016 Active Directory Domain Controller (ADDC), as it treats itself as a “reliable” source that cannot make big time change.

w32tm /resync /force does not work, because the /force does not appear in server 2016.

net time /SET /Y does not work either, because it would have asked:

Do you want to set the local computer’s time to match the time at
\AD.example.net? (Y/N) [Y]

Of course, it won’t work if you are on AD.example.net, /Y just hides the question.

The steps work for me using PowerShell:

1. Set w32time service as unreliable

w32tm /config /reliable:no /syncfromflags:manual /update

Option /syncfromflags:manual means sync with NTP listed in peer list (i.e. external NTP), /update for notifying the time service the configuration have changed.

2. Restart the w32time

Stop-Service w32time
Start-Service w32time

3. sync

w32tm /resync

This should work.

4. If you DO need ADDC as a reliable time source, make it reliable again:

w32tm /config /reliable:yes /update
Stop-Service w32time
Start-Service w32time

How to Join an Active Directory Domain in Windows 10?

Short answer: the using the Run as Administrator PowerShell command line like

Add-Computer -domain example.net

Benefits are:

1. Command line is less likely to change. Most of the GUI steps I found do not apply to my Windows 10
2. You got more clue (i.e. debug message). GUI just tell me “Something is wrong, ask your administrator…”, but I am the administrator, who should I ask?

Command line reveals me the true cause: “The user is disabled”. After I enable the user on the server side with

dsmod user <UserDN> -disabled no

Things are worked as expected.

The “Proper” Way to Use Microsoft Word Master Document

Long story short, don’t use it, use field IncludeText instead.

As a DevOps/software engineer, I prefer to keep my files (even the MS word documents) consistent and synchronised.

I am looking for jobs and sending my resume to two kinds of organisations: public sector and industry. Public sector jobs usually require referees, while in industry, referees are not mandatory. So I have two types of resumes: with or without referees.

Why don’t I just use the one with referees? Some international recruiters are not aware of time differences and just call you in the most inconvenient time. I have received a call at 4:30 am, when all of my family are sleeping. So that’s why I am reluctant to include referees in my industry resume.

To keep both branches in sync, I though the master document was a good idea, until I saved and opened the master document, and I see mess, just as describe in Why Master Documents corrupt. And I saw an interesting quote:

There are two kinds of Master Documents: Those that are corrupt and those that will be corrupt soon. – John McGhie

I have also tried auto text in “building block”. The main problem of that is: I have hard time to locate them. I cannot remember whether I save it in normal.dot or buildingblock.dot . When I need to update contacts several months later, I will probably forget they are in auto text.

Eventually, I found that the field IncludeText actually helps. But there are CATCHES:

1. The insert field command is also not easy to find in UI. Search “Insert field” is more reliable. (The search field is at “Tell me what you want to do”)
2. You need to manually input the filename, there are NO file dialog for you to choose.
3. If the document is on OneDrive, the full path in local drive WON’T WORK. You need related path to OneDrive\Documents. For example. If the sub document, referees.docx is in the directory OneDrive\Job and your main document is also at OneDrive\Job, you need to insert ../Job/referees.doc to the field IncludeText in your main document.
4. URLs in sub documents need to be well-formatted. In other words, for email addresses, user@example.com WON’T work, you need mailto:user@example.com
5. Even if you do enter the correct URLs, MS Word like to show them as it pleases. It is up to MS Word to decide whether to show the URL as URL or plain text.

I uses Office 365, so version-wise it supposes to be always the latest. Perhaps I should have written the sub-documents as HTML+CSS and version control them.

HOWTO: sign dkms kernel module for UEFI secure boot

If you are stuck with UEFI secure boot, and desperately need to build and install a custom kernel module, then you need to know how to sign your kernel module.

To sign a dkms custom kernel, please refer my Git repository: dkms-module-util

Fix NTFS “unsupported reparse point”

Reparse point is an application-defined data that associate with a file or directory.  So it can be anything from symbolic link to mount point, and many more.

A comment in ntfs: unsupported reparse point says that plugins from Advanced NTFS-3G Features fix the problem. My own experience: systcomp.zip works, but binary provided in onedrive.zip is not.

HOWTO: Unwatch packages in Fedora package source (src.fedoraproject.org)

If you don’t want to get messages from certain Fedora packages:

1. Login  to https://src.fedoraproject.org
2. Click Watchlist
3. Click the package you want to unwatch, this will bring you to package Overview page
4. There is an Unwatch  pull down which looks like the below picture. Click it and select Unwatch. 

Note that you CANNOT unwatch the packages you maintained.

Legacy Python str.format() gotcha

In Python 2.7, str.format() works with empty string like:

python -c "print '{}'.format('')"

However, in Python < 2.6,  you will see:

ValueError: zero length field name in format

Workaround? Use %-formatting like:

python -c "print '%s' % ''"

 

Indent in Fedora-Flavored Markdown

I cannot find any documents about the indent in Fedora-Flavored Markdown. Yet I figure out following:

You need 4 spaces to indent. The rest is same with this Markdown Cheatsheet.

For example

- Upstream update to 1.10.0
    + Bug fixes:
        - Log to file defaults to unwritable location
        - Losing GUI config when restarting the OS

    + Enhancements:
        - CLI argument to control screen lock feature
        - Customizable size limit on clipboard sharing

- BuildRequires qt5-qtbase-devel

Becomes:

• Upstream update to 1.10.0
  • Bug fixes:
    • Log to file defaults to unwritable location
    • Losing GUI config when restarting the OS
  • Enhancements:
    • CLI argument to control screen lock feature
    • Customizable size limit on clipboard sharing
• BuildRequires qt5-qtbase-devel

See https://bodhi.fedoraproject.org/updates/synergy-1.10.0-1.el7 for the actual result.

Debugging Customizable Kickstart File

Kickstart file automates the installation Linux system. It does not provide a convenient way to pass parameters. Luckily,  passing kernel parameters to %pre installation section works. This method requires you to write your kickstart generation script in %pre section, then in the command section, you call the generated kickstart file.

Unfortunately, this mean it is more likely to fail if the parameters are not correct. How to debug? If you can at lease reach the installer, this document may point you direction.

1. Get the shell access

After anaconda the installer starts,  there are several console tabs, the ones that are useful are:

• main: the main information screen (Alt-F1 or Ctrl-Alt-F1)
• Shell: the shell access (Alt-F2 or Ctrl-Alt-F2)
• GUI: show the install progress if graphical mode is not disabled (Alt-F6 or Ctrl-Alt-F6)

For now, shell access is the focus. Switch to Shell tab by pressing Alt-F2 or Crt-Alt-F2.

2. Inspect parameters by looking at /proc/cmdfile

Just cat /proc/cmdfile to inspect whether the parameters looks right. Personally, I do not want to write complex parser, thus I use quote_plus() from python to encode tricky characters like space, line feed, $ and so on.

3. Inspect the generated scripts and log files

The first thing to check is generated kickstart file. Then check following interesting files in /tmp

• ks-script-XXX: The script in  section %pre  will be here. Inspect it, and even run it to see how it works or not
• *.log: various of log files

Enjoy the debugging. 🙂

Solved: nginx module incompatible

I encountered when I run nginx -t:

nginx: [emerg] module
"/usr/lib64/nginx/modules/ngx_http_auth_spnego_module.so"
version x instead of y in 
/usr/share/nginx/modules/mod-spnego-http-auth-nginx-module.conf:1

It indicated that the module version is incompatible.
If nginx was installed using yum or dnf, use following command to set the version:

yum downgrade nginx{,-all-modules,-filesystem,-mod-*}-[version]-[release]