January 15, 2009: Getting Into the Post Holiday Groove

“The impact of the impossible is often rather small.”

Boy is it a cold day today.  I am so thankful that it is so much warmer here than so many other places that I have lived in the past.  We got down to around fifteen degrees in the middle of the day but the sun was out and I was still able to walk Oreo in my pajamas and fleece jacket and no gloves, hat, scarf, winter coat, etc.  Oreo was wearing his t-shirt and fuzzy sweater.  He did fine though.  He was not nearly as cold as he gets when the snow is deep and wet.  That is the worst for him.

The basement is extremely cold today.  My feet feel like they are going to fall off.  It would be very cost prohibitive to attempt to keep the basement warm.  There is no point, really, it is just me down here.  Oreo chooses to remain in the living room with the warm people when it gets this cold down here.

Today was an extremely busy day at the office.  Probably the busiest yet this year.  Dominica really needed some help with Liesl this afternoon, but I was so busy that I couldn’t leave the basement.

It was late by the time that I was able to go upstairs and join Dominica for dinner.  We ate butternut squash pasta and watched some of the second season of The Dick Van Dyke Show.  Then, after dinner, Dominica decided that she felt like reading so she read a book and I took the opportunity to play some Oblivion on the PS3.

This was my first time playing Oblivion on the new television and I can honestly say that the 720p cap output on that game from the PS3 really shows on the 1080p LCD.  It doesn’t really look any better than the old television did (bigger, but not really better) while the upgrade to Fable 2 was tremendous.  Anyone who says that you can’t see the difference between 720p and 1080p needs to be declared legally blind.  It is a significant difference that you should notice immediately.  I don’t have very good eyesight and it was glaringly obvious the moment that the game started that there were scaling issues and that the scenes were pixelated in comparison to Fable 2.  Now I am quite envious of Andy who played Oblivion on the PC with much higher resolution than my version and full 3d (with polarized glasses.)  Really makes the console version look sad.

Today was a really rough day for Liesl. She was quite unhappy all day long.  We don’t know if she just had a tummy ache or what but the entire day she was quite distraught.  We are all glad that today is finally over.

Managing Apache and Subversion Through Active Directory (Part 1 – Authentication)

In my previous article, Installing Subversion on RHEL5, we went over how to install the Subversion server and how to make it accessible through the Apache web server.  This solution is great but leaves us without any user authorization and authentication.  For most Subversion instances these are features that we will want to have.  We have many choices for our A/A solution and I have decided to integrate my example repository with a Microsoft Active Directory (AD) system running on Windows 2003.  This, I feel, is probably the most commonly desired scenario for enterprise shops although a non-AD based LDAP and Kerberos system may also be very popular.  We will start by addressing authentication via Kerberos in this article.

In addition to using Kerberos for secure authentication, we are also switching our transport from plain HTTP to HTTP over SSL.  After applying the Apache configuration file shown here you will need to access your Subversion directory with HTTPS rather than HTTP and, unless otherwise configured, you will need to open your firewall both locally and remotely to allow port 443 traffic out instead of (or in addition to) port 80 traffic.

Installing Necessary Components

As with anything else in the Red Hat world, most of the heavy lifting is done by our friends at Red Hat engineering and we just need to leverage what they have already done for us.  We need to install the modules for SSL transport and Kerberos authentication in Apache:

yum -y install mod_ssl mod_auth_kerb

This will automatically install the file /etc/httpd/conf.d/auth_kerb.conf which will take care of loading the Kerberos module into Apache and will provide a sample configuration if you want to learn more about Kerberos authentication in Apache.

Setting Up the Apache KeyTab File

Now we need to set up our Apache to Kerberos authentication table.  The Red Hat standard for this file is to be located at /etc/httpd/conf/keytab although you control its location through your Apache configuration.  We will not deviate from the standard here.

This file needs to contain

echo HTTP/[email protected] >> /etc/httpd/conf/keytab
chown apache:apache /etc/httpd/conf/keytab

Setting Access Control

The traditional examples will generally tell you to use the .htaccess file to manage your authentication mechanisms.  For most cases it is better to avoid the use of the .htaccess file and to switch to configuring these details within your <Location> section in your Apache configuration files.  This is better for performance reasons as well as for ease of security management.  Now you only need to worry about specifying your security information in a single location and Apache need not traverse the entire directory structure seeking out .htaccess files for each access attempt.

I use the file /etc/httpd/conf.d/subversion.conf for the configuration of my Subversion repository.  Here are its contents:

   <Location /svn>
     DAV svn
     SVNPath /var/projects/svn/
     AuthName "Active Directory Login"
     AuthType Kerberos
     Krb5Keytab /etc/httpd/conf/keytab
     KrbAuthRealm EXAMPLE.COM
     KrbMethodNegotiate Off
     KrbSaveCredentials off
     KrbVerifyKDC off
     Require valid-user
     SSLRequireSSL
   </Location>
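
A check a reviewer could run over a configuration like the one above, added here as an example and not part of the original article.  It flags Kerberos-protected <Location> blocks that lack SSLRequireSSL or that set KrbVerifyKDC off (mod_auth_kerb then does not verify the KDC's reply against the keytab), and tests that a keytab is private to its owner.  The function names and the /svn-test block are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original article.

# audit_krb_locations [FILE]
# Reads Apache config (file or stdin) and prints one "<path>: <finding>"
# line for each weak setting in a <Location> block that uses AuthType Kerberos.
audit_krb_locations() {
    awk '
        function report(msg) { printf "%s: %s\n", loc, msg }
        /^[ \t]*<Location[ \t]/ {
            loc = $2; sub(/>$/, "", loc)
            inblk = 1; krb = 0; ssl = 0; verify = "on"   # mod_auth_kerb default is On
            next
        }
        inblk && /^[ \t]*<\/Location>/ {
            if (krb && !ssl)
                report("no SSLRequireSSL, Basic-auth passwords can cross plain HTTP")
            if (krb && verify == "off")
                report("KrbVerifyKDC off, KDC replies are not verified against the keytab")
            inblk = 0
            next
        }
        inblk {
            d = tolower($1); v = tolower($2)
            if (d == "authtype" && v == "kerberos") krb = 1
            else if (d == "sslrequiressl") ssl = 1
            else if (d == "krbverifykdc") verify = v
        }
    ' "$@"
}

# keytab_private FILE
# Succeeds only when group and other have no permission bits on FILE.
keytab_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample: the article's /svn block (trimmed) plus a hypothetical
# /svn-test block that omits SSLRequireSSL.
sample_conf() {
    cat <<'EOF'
<Location /svn>
  AuthType Kerberos
  Krb5Keytab /etc/httpd/conf/keytab
  KrbMethodNegotiate Off
  KrbVerifyKDC off
  Require valid-user
  SSLRequireSSL
</Location>
<Location /svn-test>
  AuthType Kerberos
  Krb5Keytab /etc/httpd/conf/keytab
  Require valid-user
</Location>
EOF
}

sample_conf | audit_krb_locations
```

To audit a real file, pass its path as the argument, for example the subversion.conf used in this article.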

Configuration of Kerberos

Kerberos is configured in Red Hat Linux in the /etc/krb5.conf file.  Obviously replace EXAMPLE.COM and ad.example.com with the name of your Domain and your KDC.  This file should have been created for you using almost exactly these settings by the RPM installer so there is very little here that needs to be changed.

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = ad.example.com:88
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Enable HTTPS Access Through Firewall

Use the Red Hat management tool to enable HTTPS connection through your host firewall.

system-config-securitylevel-tui

Restart Apache

Now, all that we need to do is to restart the web server to have it pick up the changes that we have made and voila, Kerberos authentication to Active Directory should be working.

/etc/init.d/httpd restart

Testing Your Connection

In order to test your connection you can use a web browser or use the Subversion command line client as below:

svn list https://localhost/svn/

Error Notes:

If you set KrbMethodNegotiate On then, in my experience, you will see Firefox work just fine but Internet Explorer (IE) and Chrome will fail with a 500 error.  In the logs I discovered the following entry:

gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 213)

References:

Providing Active Directory Authentication via Kerberos Protocol in Apache by Alex Yu, MVP, Microsoft Support

January 14, 2009: Dominica’s Shopping Day

It is pretty chilly here in the Hudson Valley this week but apparently what we are experiencing is nothing compared to what I have been hearing about from family back home or Twitter friends across the country.  Cold but not unreasonable.  It is times like this that I really appreciate living in downstate New York rather than Upstate.  I love Upstate but in January through March there is no comparison to the lower Hudson’s balmy climate.

We have been in desperate need of some shopping to be done so once I had a lull at work around lunch time Dominica decided to take off and spend about two hours running some errands.  We needed some basic stuff like some plastic file folder bins and file folders from Staples (which turned out to be on sale), some earplugs, new waste baskets and other miscellany such as that.  She decided to take Oreo with her so that he could visit PetsMart where he got his nails trimmed and his ears cleaned.  He doesn’t like getting his nails trimmed, but he is much more happy about having them do it than having us do it.  He does enjoy getting his ears cleaned.  They are so soft after a good cleaning.

Leaving me alone with Liesl for two hours would normally not be a big deal but she was screaming and very unhappy from the moment that Dominica walked out the door.  I had to wear earplugs the entire time as my head was swimming from the pain of my blown eardrums.  I am really scared that I am going to go deaf.  I really have to start wearing earplugs pretty much all of the time.

Liesl needed to be changed (really changed, like different outfits) immediately and needed to be fed, got sick and then I needed to be changed and a lot of laundry needed to be done.  It was a good thing that Oreo was not here since there was no way for me to have been taking care of him as well.  Liesl finally ate a bottle and was asking for another just as Dominica arrived home.

We had dinner and watched more of The Dick Van Dyke Show including watching the original pilot from 1958 with Carl Reiner playing the lead instead of Dick Van Dyke (the show was originally to be called “Head of the Family”.)  I love Carl Reiner but that pilot was awful.  It is amazing that the later show was ever made after seeing that.  It is also amazing how much better the show made in 1962 looked than the one from 1958.  Shows from 1988 and 1992 look identical but there were a lot of advances made in television filming at that point, I guess.  One was blurry and had no contrast and the other is an example of how good monochrome television could look.

After dinner, Dominica decided that Liesl was sleeping early and that this was going to be her one chance to run to the grocery store to do the week’s shopping.  So Liesl, Oreo and I stayed home alone while Dominica went out again.  Leaving me alone with Liesl twice in one day – this is a first, and for a total of over three hours!  That is just crazy.

Liesl slept pretty much the entire time that Dominica was gone but Oreo needed to be walked and given a lot of attention while she was out.  Once Oreo calmed down and settled in to chewing a dingo bone I fired up Fable 2 and spent some time wandering Knothole Island looking for Volume 2 of the history of Knothole Island which somehow I missed on my first pass through the quests.

It wasn’t until after Dominica got home that we finally found the final book and I acquired the Bibliophile achievement in Fable 2.  That is 25 additional gamer points.  Tomorrow I am hoping to get all of the items from the curiosity shop to complete every possible task in Knothole Island.  That should not take long at all.

My big project for today was wrapping up some Subversion via Apache with Active Directory via Kerberos integration.  It took some doing but I have it working really well now.  Using AD as an SSO solution works really well but setup is not always the easiest.  I am really glad to have that working now.

After Dominica was home and we located the final book we put on Hulu and I started carrying up paperwork from the basement that needed to be sorted through.  Dominica picked up those bins today so that we could sort through all of the paperwork that has amassed throughout the house and sort it into bins that can be stored someplace useful – like in the attic maybe.  Almost all of the paperwork is long-term storage “just in case” kind of stuff and nothing that we plan to ever need to go through again but hate to just throw away.

I sorted through several large piles of paperwork before calling it a night.  We are doing this now, with a high priority, because we realized that we have misplaced the American Express card.  It came in a stack of mail recently and we expect it is lost in the piles and piles of paperwork all over the house.  So we are trying to dig it out.  There is so much, though, that it is going to be a challenge.

January 13, 2009: Knothole Island Releases

Today is the release day for the Knothole Island Downloadable Content (DLC) for Fable 2 on the XBOX 360.  This was supposed to have released around Christmas but was delayed so those of us who have been waiting for it have been on pins and needles waiting to be able to play it for ourselves.

Liesl turned over again today, twice in a row!  She still surprises herself when she does it and is not happy.  She always cries after flipping herself over.

Work was pretty busy this morning.  Then at lunch I took over the television in the living room and started playing Knothole Island!  I played all through my lunch and then got a chance here and there during the afternoon to play for a few minutes and then at the end of the day was able to wrap up the final quest.  One afternoon, two and a half hours of in-game time, and the Knothole Island quests are complete.  I still have one of the ten hidden books yet to find and I just need a little time to go out and look for it.

I enjoyed the new content but am disappointed in how short it is overall.  I wish that the area was a little larger, had more buildings, maybe had quests that kick in after playing for a while longer or only for the more advanced players or something.  All of the material in it is pretty simple and does not include very much storyline.  It seems like some more could have been done with it.  Perhaps there will be a future expansion that will add more to this region.  As it is it really does feel like an addendum to the rest of the game and does not integrate too cleanly with it.

After work was over, Dominica and I spent the evening taking care of Liesl and Oreo while watching the end of the first season of the Dick Van Dyke Show. What a classic show that is.  Liesl starts her fussy time around six thirty or so, around the time that I finish working, so we spend most of the evening trying to keep her happy.  I come up from the basement and we put on some family viewing (Dominica watches the shows that I don’t like to watch during the day while I work like Bones, Dead Like Me, etc. – mostly shows about dead people actually) and then she starts dinner which always seems to take two or three hours because either Liesl or Oreo needs attention almost continuously all evening so she can never spend more than ten minutes on anything in particular.

We had been hoping to be able to run to the store to get some paper storage bins (plastic bins designed to store organized paper) but never had a chance to do it.  So Dominica is thinking that she is going to make an attempt to go do that tomorrow around lunch time when Liesl takes her early nap.

We have our mail keys in our possession now.  We are now able to check our own mail again.  Now we just need to actually do it.

Knothole Island

The Knothole Island downloadable content expansion for Fable 2 on the XBOX 360 released today.  This is the first additional content available for Fable 2.

Knothole Island contains one new region for Fable 2 expanding the game from thirteen to fourteen regions.  The region contains three new quests and many new items for the player to collect.  Knothole Island does not contain any additional gargoyles or silver keys but it does have its own collectable item, Knothole Island History books of which there are ten to find throughout the region.  Knothole Island also adds one hundred additional achievement points bringing the game total to eleven hundred.  The additional achievement points come in the form of three distinct achievements: fifty points for completing all three Knothole Island themed quests, twenty-five for collecting all ten books and twenty-five for obtaining all of the curiosities in the specialty shop in town.  The village of Knothole Island also has several additional houses and shops in which you are free to invest as well.

I began playing Knothole Island almost as soon as the download became available.  The additional content took me approximately two and a half hours to complete so the size is rather disappointing for the ten dollar price of admission, but for desperate Fable fans it is a highly anticipated addition.

Knothole Island is definitely a beautiful addition to the world of Albion.  My favourite feature of the new content is the innovative weather control system at the center of the plot driving the new quests.  The addition of the weather patterns adds a unique way of expanding the layout of the single region to feel larger.  It also adds more “scenery” than you would normally experience in the single region.  Exploring the Knothole Island region under drought, flood and freezing conditions is very interesting and extremely well done.  The planning that went into the layout of the region is quite impressive.

Each Knothole Island quest involves its own unique dungeon.  The dungeons are not really as impressive as many of the dungeons in the core Fable 2 quests.  The overuse of the lock-disc mechanism as the key to forward momentum at almost every moment within the dungeons is frustrating and boring.  Some additional variety would have been nice.  Some of the lock-disc tasks are extremely simple to figure out but difficult to execute.  Not a fun combination.

Overall the new content is enjoyable and a nice addition to the existing content.  I feel that the new content will work best for players who have not yet completed the main quest in Fable 2 or for players who have not yet started playing Fable 2.  Having the additional content mixed in with the rest of the game would make for a nice break from the rest of the game from time to time and give the player time to make use of the additional items that are only available in Knothole Island.

Playing these quests after having completed Fable 2, though, makes them extremely easy.  The new plot and content does not feel connected to the rest of Albion and almost feels as if you have left the game to go into a separate mini-game somewhere.  This effect is magnified by playing all of Knothole Island at one time without mixing it into the rest of the content.

Knothole Island contains some neat innovations, beautiful scenery and some interesting new content.  The downsides are that it is short, some of the dungeons are tedious and the integration into the Fable 2 universe is not as good as it might have been.  Serious Fable 2 fans definitely want to partake of the content but more casual players may want to save their money until Knothole Island is made part of the standard content (similar to Fable: The Lost Chapters) as it is bound to do in the future.

I am looking forward to additional downloadable content from Lionhead Studios for Fable II.  I really hope that future content will involve expansions to the main storyline or an interesting arc that expands the known Albion regions.