Nate Silva

Apr 12 2012

Installing the HP LaserJet Pro 400 Color MFP M475dn

The printer


The HP LaserJet Pro 400 Color MFP M475dn is a laser printer with all the bells and whistles: it scans, faxes and duplexes. Instead of a tiny LCD that says PC LOAD LETTER, it has an easy-to-use touch screen.

(Be sure to update the firmware. Ours came with older firmware that didn’t support the scan-to-email[1] and scan-to-network features.)

Hardware-wise, it’s a really great all-in-one device. One of the best I’ve seen in years. The Windows driver software, on the other hand, maintains HP’s (ahem) well-established reputation.

After plugging it in to the network, here’s how to install it.

On a Mac

  1. Open System Preferences.
  2. Click Print & Scan.
  3. Click the “+” button to add a printer.
  4. Select the printer from the list and click “Add”.
  5. Click the “+” button again.
  6. Select the printer’s fax profile from the list and click “Add”.

Result: You can now print, scan from your Mac, and send faxes with an optional cover page from any app.

On Windows

  1. Open the printer’s web page (you will need to know its name or IP address).
  2. Go to the HP Smart Install tab.
  3. Download and run the 72 MB installer.
  4. Sit in front of the PC for 5 or 10 minutes, answering the prompts that come up at random times.
    • Be sure to un-check the browser toolbar and other unwanted software it offers.
      • Like the thing that pops up every time you print asking you to “authenticate” the toner cartridges. (It continues to pop up even after you “authenticate”. At least it did for me.) I’m guessing this was the item called “HP Printer Status and Alerts”, but it could also be “Device Experience Support”. Just uncheck everything you don’t need.
      • For this reason, you may want to avoid installing “HP Update”. Who knows what shovelware it will try to foist on your users in the future.
      • On several of our PCs the installer crashed at the end of the process. This doesn’t seem to matter.
  5. You can now print and fax, but you won’t know which you are doing, because:
    1. The printer name is very long, for example: “HP LJ300-400 color MFP M375-M475 PCL 6”
    2. And the fax name is very long, for example: “HP LJ300-400 color MFP M375-M475 Series Fax”
    3. And when you print, the Windows print dialog only shows the first part of the printer or fax name, so it’s hard to tell the two apart.
  6. Try to solve the above problem by renaming the printer to something like “Copier”.

Result: You cannot fax. Once you’ve renamed the printer driver, faxing no longer works.

  1. Rename the printer back to its original name.
  2. This time, rename the fax driver, not the printer driver.

Result: You can now print, scan, and send faxes, but cover pages do not appear to be supported at this time.

It turns out you can rename the printer, as long as the new name contains the complete phrase “HP LJ300-400 color MFP M375-M475 PCL 6”. For example, you could call it “Copier - HP LJ300-400 color MFP M375-M475 PCL 6” and faxing will still work.

Although it’s a network printer, you can’t share the fax portion of it from your Windows Server (which would enable automatic installation at the client). You can only share the printer portion from your server.

In order to get fax support, you must install the 72 MB package, including printer driver, at each client. You can’t install just the fax driver. Thus, it’s pointless to use this as a Windows shared printer unless you don’t need network faxing support. Hope you didn’t plan to manage it via Active Directory.


[1] This is a brand new feature. The user guide talks about a feature where you scan to your local PC and then send it via Outlook. Rest assured, with the new firmware, you can scan-to-email directly from the printer, with no PC or Mac involved. It also adds a scan-to-network feature that saves directly to a network share. Very nice.

Aug 30 2011

In CentOS Linux 6.0, you can’t SSH using authorized_keys

The problem

Using CentOS Linux 6.0, you’ve created a ~/.ssh/authorized_keys file on the host and placed your RSA key in that file.

However, when you ssh to the host, you are still prompted for your password. If you enable debug logging on the server, you might see something like this:

Aug 30 21:31:37 mysql sshd[4331]: debug1: userauth-request for user nate service ssh-connection method publickey
Aug 30 21:31:37 mysql sshd[4331]: debug1: attempt 1 failures 0
Aug 30 21:31:37 mysql sshd[4331]: debug1: test whether pkalg/pkblob are acceptable
Aug 30 21:31:37 mysql sshd[4330]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Aug 30 21:31:37 mysql sshd[4330]: debug1: trying public key file /home/nate/.ssh/authorized_keys
Aug 30 21:31:37 mysql sshd[4330]: debug1: restore_uid: 0/0
Aug 30 21:31:37 mysql sshd[4330]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Aug 30 21:31:37 mysql sshd[4330]: debug1: trying public key file /home/nate/.ssh/authorized_keys2
Aug 30 21:31:37 mysql sshd[4330]: debug1: restore_uid: 0/0
Aug 30 21:31:37 mysql sshd[4330]: Failed publickey for nate from 10.33.204.4 port 49454 ssh2

Cause and solutions

This problem may be caused by the SELinux security layer in CentOS. SELinux is not allowing the SSH daemon to read files in your ~/.ssh directory.
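To confirm that SELinux is the cause before changing anything, look for AVC denials against sshd in the audit log. The script below is an added example, not from the original post; the log lines are constructed, and the expected label ssh_home_t and the function names are assumptions.

```shell
#!/bin/sh
# Added example: find SELinux AVC denials against sshd in audit records.

# Constructed audit.log excerpt; pids, inodes and timestamps are made up.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1314761497.101:812): avc:  denied  { read } for  pid=4330 comm="sshd" name="authorized_keys" dev=dm-0 ino=393250 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1314761502.007:815): avc:  denied  { getattr } for  pid=2011 comm="httpd" name="index.html" dev=dm-0 ino=5521 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=USER_LOGIN msg=audit(1314761497.110:813): user pid=4330 uid=0 auid=4294967295 msg='acct="nate" exe="/usr/sbin/sshd" res=failed'
EOF
}

# Emit "permission<TAB>file name<TAB>target type" for every AVC denial
# where the denied process was sshd.
sshd_denials() {
  awk '
    /^type=AVC / && / denied / && /comm="sshd"/ {
      perm = name = ttype = ""
      if (match($0, /[{] [^}]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
        if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ttype = ctx[3] }
      }
      printf "%s\t%s\t%s\n", perm, name, ttype
    }'
}

# Report files whose label is not the type sshd is allowed to read.
# Assumption: ssh_home_t is the expected type (override with $1).
mislabelled_for_sshd() {
  sshd_denials | awk -F'\t' -v want="${1:-ssh_home_t}" \
    '$3 != want { print $2 " is labelled " $3 ", expected " want }'
}

# Run against the constructed sample when executed directly.
sample_audit | mislabelled_for_sshd
```

On a real host, pipe /var/log/audit/audit.log into mislabelled_for_sshd and compare the result with the labels shown by ls -Z ~/.ssh.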

There’s more than one way to solve it.

Solution 1 (the “right” way)

Tell SELinux to “label” your ~/.ssh directory such that the SSH daemon is allowed to see it. The following command will re-label everything under /home, including user .ssh directories, with labels as defined in your security policy:

restorecon -R -v /home

In addition, SELinux provides a daemon that is supposed to monitor the filesystem and automatically set the correct labels, so this problem might not happen in the first place. The daemon is called restorecond. You can enable it in the usual manner (for example, chkconfig restorecond on followed by service restorecond start).

Solution 2 (the “wrong” way)

An alternate solution is to put SELinux in permissive mode, where it warns about rule violations but does not enforce them. Be aware that this effectively disables a key security layer! To do this temporarily (until reboot), type:

setenforce Permissive

To make this permanent, edit /etc/selinux/config and change the SELINUX line to SELINUX=permissive.


May 06 2011

How to preview a Markdown document in Vim

I write a lot of stuff in Markdown using TextMate. Now I’m using Vim, but I need a way to preview what the Markdown will look like.

There are several Vim plug-ins that can do this, but all have limitations. For example, this one is nice, but it requires Ruby and doesn’t properly deal with embedded Unicode characters.

So I wrote my own Vim plug-in that previews Markdown documents. It is tested on Mac OS X and Windows (and should work on Linux, though I don’t have a GUI-based Linux box to test on). It works even if your document contains Unicode text.

The only prerequisite is that you have a markdown command installed (Discount, python-markdown, or John Gruber’s original are good choices).

https://gist.github.com/960015


Apr 18 2011

A fix for slow connections to SMB file shares on Mac OS X Snow Leopard

In Mac OS X 10.6 Snow Leopard, I found it takes a long time (30 seconds or more) to connect to a shared folder on my Windows server.

Once connected, everything works fine, but the initial delay is a big hassle.

Please note: There is a different problem where the actual file sharing is slow (or browsing between folders is slow). I have not had that problem so I don’t know the solution. The problem I am fixing is that the initial connection to the SMB share takes a long time.

The Solution

Ignore what I wrote before. I have found the definitive solution (for my network, at least).

The solution is: don’t use a .local name for your Windows domain. .local for your Windows domain is evil. Use a real domain name that you control.

Yes, I know that the example documentation shows domains named company.local. I know it can be a major pain-in-the-tuchus to change the Active Directory domain name (and may not even be possible if you’re using Exchange Server).

But after changing our AD domain name from company.local to hq.company.com, our Macs were miraculously faster at mounting network shares, browsing the network, and joining the domain.

Note that hq.company.com is a DNS subdomain of our real DNS domain name (obviously replace company.com with the company name that I work for). It is only resolvable by our internal AD DNS servers, so there’s no chance of exposing internal hostnames to the world.

The solution (for me) was to create a file called /Library/Preferences/edu.mit.Kerberos with the following contents:

[libdefaults]
default_realm = your-domain.local
dns_fallback = no

Replace your-domain.local with your Windows/Active Directory domain name.

After saving the file, the fix takes effect immediately. Connecting to the share dropped from about 30 seconds to about 5 seconds.

Some notes:

  • The server is Windows Server 2008 R2.
  • The Mac is not joined to the domain. (I am authenticating as a domain user, of course.)

I originally found this information on MacWindows. There is an extremely long thread there and this was one of the solutions that came up.

Update

At some point under 10.6 this stopped working. I am now running 10.7 Lion and this solution no longer works. I am back to slow connections.


If the Mac App Store is slow, it’s probably because of your Keychain CRL setting

Recently I had an issue where the Mac App Store became almost unusably slow. It took more than a minute to start up. During that time it would appear completely frozen.

This was caused by enabling a security setting called “certificate revocation list,” or CRL, in Keychain Access.

You can disable this feature and the Mac App Store will become much faster. However—and this is a big one—the CRL is a security feature that you may not want to disable.

A CRL helps your system to detect fraudulent TLS certificates (also known as SSL certificates). While this type of fraud is rare[1], a recent security breach allowed a criminal in Iran to generate these certificates (news story) and enabling the CRL protects you against this.

The Keychain Access CRL feature is disabled by default, but several recent Mac blog articles suggested that you enable it. Here’s one such article.

If you still want to disable it:

  1. Open the Keychain Access app.
  2. From the menu, choose Keychain Access > Preferences.
  3. On the Certificates tab, change the CRL setting to “Off.” (You can leave the other settings as-is.)

[1] Fraudulent certificates may not be so rare (they can be injected using man-in-the-middle attacks), but this type of fraudulent certificate—signed by a legitimate root authority—is rare.


Apr 10 2011

How to upgrade CentOS Linux running under Hyper-V

When CentOS Linux, running under Hyper-V, is upgraded to a new kernel, it will probably fail to reboot. Open Hyper-V Manager and look at the CentOS server’s screen. Most likely you will see the following error:

switchroot: mount failed: No such file or directory
Kernel panic - not syncing: Attempted to kill init!

Cause

The error is caused by the Microsoft Hyper-V Linux Integration Components not loading properly under the new kernel.

Solution

  1. From the Hyper-V Manager, reboot the server. At the moment when it says “Booting CentOS in 3…2…1…,” press any key. You’ll see several kernels listed, including the newest one and the previous one.
    • Make a note of the full, exact version number of the newest kernel.
    • Select the previous kernel and press Enter. It should boot successfully under the old kernel.
  2. Log in as root.
  3. Use Hyper-V Manager to attach the Microsoft Linux Integration Components CD (LinuxIC v21.iso, available from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=eee39325-898b-4522-9b4c-f4b5b9b64551).
  4. Mount and copy it to the Linux server.
    1. mkdir -p /mnt/cdrom
    2. mount /dev/cdrom /mnt/cdrom
    3. cp -rp /mnt/cdrom /opt/linux_ic
    4. umount /mnt/cdrom
  5. By default the Linux IC will build for the currently-running kernel. We want to build for the newer kernel instead. Make this happen:
    1. cd /opt/linux_ic
    2. [substitute the new kernel’s version in the following command]
      grep -ilR uname * | xargs sed -i 's/uname \-r/echo "2.6.18-238.5.1.el5"/g'
    3. make && make install
    4. reboot

Your server should now boot under the new kernel.

(Found in this message thread on the CentOS user forums.)

Mar 25 2011

In Sophos Control Center, all computers are greyed out or have hourglass icons

I recently ran across this issue when installing Sophos Control Center on Windows Server 2008 R2, and the corresponding Sophos Endpoint Security on various client PCs.

After installing the Control Center, the PCs would never receive the central configuration from the server, and they never showed up as active in the Control Center. They were able to update, but used default configurations.

The solution was to open the following ports on the server’s firewall:

  • TCP 8192
  • TCP 8193
  • TCP 8194

After opening the ports, the clients will begin to show up in the Control Center after 5-10 minutes.

For some reason the Sophos Control Center installer doesn’t open the ports for you. Also, this was my first Sophos installation on Windows Server 2008 R2, which has a fairly rigorous built-in firewall. The previous installation was on a Server 2003 system with a deactivated firewall, so we never encountered the issue.

A full list of ports for all Sophos products is available here:

http://www.sophos.com/support/knowledgebase/article/38385.html

Dec 28 2010

Using ping6 on Mac OS X or Linux

The problem

In experimenting with IPv6, one of the first things I tried was to ping computers on my LAN using the ping6 command. For example, this pings the loopback interface (equivalent of 127.0.0.1):

ping6 ::1

To see your IPv6 address(es), go to a Terminal prompt and type ifconfig. If you try to ping6 any address—even your own link-local address that starts with fe80::—you’ll get the following error:

ping6: UDP connect: No route to host

Or on Linux:

connect: Invalid argument

The solution

The solution is to pass the -I command-line argument. Give it the name of the interface you want to ping from. For example, the first ethernet port on Linux is usually called eth0. On a Mac, it’s usually en0 or en1.

ping6 -I en1 fe80::…

Windows

Note that Windows doesn’t have this problem. On Windows, you use the regular ping command for both IPv4 and IPv6 addresses, and it automatically detects which interface to use.

Firewall issue

If you continue to have problems, make sure you can ping6 your own IPv6 address. This is the address that starts with fe80:: and can be seen by typing ifconfig. Try to ping that from the same interface that the address is assigned to (you’ll see the interface name, usually en0 or en1, shown in ifconfig).

And make sure your firewall is not blocking ping requests. The Mac OS X firewall will not respond to pings if “Stealth Mode” is turned on.

Nov 22 2010

How to install a Rocketfish Bluetooth keyboard in Windows 7

I’m posting this here because every time I re-install my OS I forget how to do it. I originally found this in a comment by KAMOTEQ here.

  • Problem: Rocketfish (Best Buy) Bluetooth keyboard, model RF-BTKB2, doesn’t work in Windows 7. When you try to pair it, nothing happens and eventually it times out or tells you “Device driver software was not successfully installed.”
  • Solution:
    1. Go to “Add a device”
    2. Right-click on “Rocketfish Bluetooth Keyboard” and choose “Properties…”
    3. Check the box that says “Drivers for keyboard, mice, etc. (HID).”
    4. Click OK and your keyboard will be recognized.

Jun 03 2010

How to destroy your database in two clicks using Querious

Open your database in Querious. Then:

  1. Click “Users.”
  2. Say to yourself, “I wonder what the button with two squares on it does.” Please don’t click the button. Because the instant you do, all of your rights are revoked and there is no way to recover them.

I hope you have another admin login. Otherwise you’re screwed.

Yes, I did this on an Amazon RDS instance. Thank goodness it was a test database and I was just experimenting with Querious. I never imagined such a dangerous operation would happen without warning.

Why on Earth doesn’t Querious have a warning or an “Apply” button so the change doesn’t happen instantly?

See the equivalent screen in Sequel Pro, which has an “Apply” button, making it much safer.

(I suspect you could also screw up your database by un-checking some of the other boxes. Again, there is no “Apply” button in Querious, so you will instantly change your rights.)

Don’t click this button in Querious
