Archive for the ‘Troubleshooting’ Category

How-To fix Sophos Central Endpoint “Installation Failed” on macOS Sierra

Tuesday, October 17th, 2017

“Installation Failed. Contact your computer system administrator or Sophos Technical Support for further assistance.”

If you get this error while trying to (re)install Sophos Endpoint or even Sophos Home and in /var/log/install.log you see something like:

2017-10-17 10:47:56-06 hulk Sophos Bootstrap[5051]: [SMESophosBootstrapAppDelegate.m:1656] System verified
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEInstallController.m:237] Installing saas version 9.6.5
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEInstallController.m:857] Upgrading the "saas" product
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.prepare.stopProcesses" success: YES
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMERemoveFilesStrategy.m:110] Removing files belonging to components: [prepare]
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.prepare.removeComponents" success: YES
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.prepare.removeKeychains" success: YES
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEReceiptClient.m:199] Failed to launch receipt at /Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer. launch path not accessible
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEReceiptClient.m:56] Failed to launch receipt.
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEReceiptClient.m:199] Failed to launch receipt at /Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer. launch path not accessible
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEReceiptClient.m:73] Failed to launch receipt.
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEBuildInstallPlanStrategy.m:115] Failed to connect with receipt
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.localPayload.buildPlan" success: NO
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.localPayload.cacheManifestComponents" success: NO
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.localPayload.remoteRemove" success: NO
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.localPayload.createUsersAndGroups" success: NO
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.localPayload.installComponents" success: NO
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.localPayload.processStart" success: NO
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.localPayload.distributeNotifications" success: NO
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEAggregateInstallStrategy.m:93] "installer.writeReceipt" success: NO
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEInstallController.m:467] "installer" success: NO
2017-10-17 10:48:36-06 hulk Sophos Bootstrap[5051]: [SMESophosBootstrapAppDelegate.m:1131] Received failure notification: (1)
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEInstallController.m:347] Successfully sent the installer telemetry
2017-10-17 10:48:37-06 hulk Sophos Installer[5087]: [SGCServerAuthenticator.m:159] Server connection successfully validated
2017-10-17 10:48:38-06 hulk Sophos Installer[5087]: [SGCCDFSBroker.m:306] Feedback json file was successfully uploaded (status code: 201).
2017-10-17 10:48:38-06 hulk Sophos Installer[5087]: [SMEInstallController.m:377] Failed to update saas to 9.6.5
2017-10-17 10:48:38-06 hulk Sophos Installer[5087]: [SophosDistantObject.m:219] An exception was encountered while messaging the server: SophosNilProxyException.

A possible cause is that the permissions on the file "/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" are incorrect and the file is not marked as executable, as per the cause described on Sophos’ Community blog: https://community.sophos.com/products/sophos-home/f/sophos-home-for-mac/89938/sophos-home-not-working-unable-to-uninstall—trapped-by-sophos-what-to-do/326016#326016

To fix the issue, run the following commands from the command line:

cd /Library/Application\ Support/Sophos/saas/Installer.app/Contents/MacOS/tools/
sudo chmod a+x InstallationDeployer

Then run the Sophos Antivirus installer again and the process should complete successfully.
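A read-only check to run before the chmod, as an added example (not part of the original post and not Sophos code): it extracts every path that the install log reports as "launch path not accessible" and tells whether the file is missing or merely lacks the execute bit. The temporary directory tree and the log lines at the bottom are constructed sample data standing in for /var/log/install.log.

```shell
#!/bin/sh
# Added example: confirm the cause in the install log before changing modes.

# Print each distinct path from lines of the form
#   "... Failed to launch receipt at <path>. launch path not accessible"
failed_launch_paths() {
    sed -n 's/.*Failed to launch receipt at \(.*\)\. launch path not accessible.*/\1/p' "$1" | sort -u
}

# Report whether a path is missing, lacks every execute bit, or is executable.
launch_path_state() {
    if [ ! -e "$1" ]; then
        echo missing
        return 0
    fi
    # Columns 2-10 of "ls -ld" are the nine permission characters.
    case "$(ls -ld "$1" | cut -c2-10)" in
        *[xs]*) echo executable ;;
        *)      echo not-executable ;;
    esac
}

# One "<state><TAB><path>" line per failing launch path (paths may contain spaces).
triage_install_log() {
    failed_launch_paths "$1" | while IFS= read -r p; do
        printf '%s\t%s\n' "$(launch_path_state "$p")" "$p"
    done
}

# Constructed sample: a temp tree stands in for /Library/Application Support/...
demo_root=$(mktemp -d)
demo_tool="$demo_root/Application Support/tools/InstallationDeployer"
mkdir -p "$demo_root/Application Support/tools"
: > "$demo_tool"
chmod 644 "$demo_tool"          # reproduce the missing execute bit
demo_log="$demo_root/install.log"
cat > "$demo_log" <<EOF
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEReceiptClient.m:199] Failed to launch receipt at $demo_tool. launch path not accessible
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEReceiptClient.m:56] Failed to launch receipt.
2017-10-17 10:48:36-06 hulk Sophos Installer[5087]: [SMEReceiptClient.m:199] Failed to launch receipt at $demo_tool. launch path not accessible
EOF

triage_install_log "$demo_log"
```

On a real machine, pass /var/log/install.log to triage_install_log; a "missing" result points to a different problem than the permissions fix above.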

How-To unlock MAGIC-SIM stuck in DUAL-MODE (007) on an iPhone 6

Monday, January 12th, 2015

The MAGIC-SIM DUAL-MODE (aka 007 mode) is not working well on any iPhone model.
Once activated it will take away the `STK menu` from your SIM Applications list with no apparent way to roll back to normality. At this point the MAGIC-SIM is practically useless.

The only way to restore the STK menu without the need to use a non-Apple mobile is very simple, but surely not intuitive (especially because it is not documented anywhere):

  1. Go to iPhone’s ‘Settings’ application
  2. Enter the ‘Phone’ settings
  3. Edit the ‘My Number’ option: type there 007
  4. The MAGIC-SIM will receive the input and immediately restore the STK menu in the SIM Application list

Enjoy!

 

 

How-To Remove The Password From a SSL Certificate Key File

Tuesday, September 11th, 2012

In case you find yourself with an SSL Certificate for your domain and need to use it in systems where automatic processes will restart the web server (i.e. Apache 2), I guess you have discovered that a serious problem arises: the web server will not restart properly until you provide the password for the certificate key.

As long as you consider the system secure against theft of the certificate, a workaround to this problem is to generate a copy of the SSL Certificate Key stripped of the password. You can achieve that by executing the following command:

~$ sudo openssl rsa -in my_domain_certificate_with_password.com.key -out my_domain_certificate_without_password.com.key

At this point you just need to update the virtualhost configuration on your webserver to use the new key file (or remove the key file protected by password overwriting it with the key file NOT protected by password).

This information has been sourced from:
http://chrisschuld.com/2008/08/removing-the-password-on-an-apache-ssl-certificate/

Any comments and advice are welcome, as always.
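For the passphrase-removal post above, an added example (not from the original post or its source): it performs the same `openssl rsa` conversion but creates the unprotected copy readable by its owner only, refuses to overwrite an existing file, and verifies that both files hold the same key. The function names, the throwaway key and its passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: remove the passphrase from an RSA key without exposing the copy.

# True when a PEM key is passphrase-protected. Matches the traditional format
# ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# strip_passphrase <encrypted.key> <plain.key> <passin>
# <passin> uses openssl's pass-phrase syntax (file:PATH, env:VAR, pass:TEXT).
# Runs in a subshell so the umask change does not leak to the caller.
strip_passphrase() (
    # An existing file would keep its old, possibly wider, mode: refuse.
    [ ! -e "$2" ] || { echo "refusing to overwrite $2" >&2; exit 1; }
    umask 077    # the new file is created as 0600
    openssl rsa -in "$1" -passin "$3" -out "$2" 2>/dev/null || {
        rm -f "$2"    # wrong passphrase or bad input: leave nothing behind
        exit 1
    }
)

# True when both files hold the same RSA key (equal modulus).
same_rsa_key() {
    a=$(openssl rsa -in "$1" -passin "$2" -noout -modulus 2>/dev/null) || return 1
    b=$(openssl rsa -in "$3" -noout -modulus 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when only the owner can read or write the file.
owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed demo: a throwaway key, so pass: on the command line is acceptable
# here; for a real key use file: or the interactive prompt.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    demo_pass='pass:constructed-demo-passphrase'
    demo_in="$demo_dir/my_domain_certificate_with_password.com.key"
    demo_out="$demo_dir/my_domain_certificate_without_password.com.key"
    openssl genrsa -aes256 -passout "$demo_pass" -out "$demo_in" 2048 2>/dev/null
    strip_passphrase "$demo_in" "$demo_out" "$demo_pass"
    if same_rsa_key "$demo_in" "$demo_pass" "$demo_out" && owner_only "$demo_out"; then
        echo "stripped copy matches the original and is owner-only"
    fi
fi
```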

It’s time to change passwords after LinkedIn and Last.fm have been hacked

Thursday, June 14th, 2012

A few days ago the LinkedIn service was hacked and many users’ passwords were compromised.

Here is an article from the Guardian about that: http://www.guardian.co.uk/money/work-blog/2012/jun/07/linkedin-hacking-internet-security

This is a link to a tool from LastPass.com to check if your LinkedIn password is among the ones that have been disclosed by the crackers: https://lastpass.com/linkedin/ 

It is advisable to check if your LinkedIn password is among the published ones.
It’s possible that your password has not been compromised, BUT there is no way to be sure that crackers are not holding it for future use, so I advise changing it anyway.

ADDITIONALLY, in the unfortunate case that you use your LinkedIn password for other services too, it is important that you change the password on each of those services.

It is easy for a cracker who holds one of your passwords to guess on which services you have probably been using it: i.e. Facebook, Flickr, Instagram, Hotmail, Gmail etc…

How-To Fix a Bricked OS X Lion System After Thunderbolt Software Update Causes Boot Failure?

Thursday, June 14th, 2012

Following the WWDC 2012, Apple has released some new system and application updates for OS X Lion 10.7; one of them is an update for the Thunderbolt port, and unfortunately it brings with it a serious bug that may badly corrupt your system, generating a Kernel Panic as soon as it starts loading the system.

As reported on many tech blogs (like iClarified http://www.iclarified.com/entry/index.php?enid=22556), many users have not been able to re-boot their systems properly after the update, reporting Kernel Panics or simply being unable to get past the boot menu. Basically the system got stuck, or more precisely BRICKED!

If you possess a MacBook Pro or MacBook Air purchased during the year 2011 or later, or in any case if your Mac has a Thunderbolt port, it is advisable not to install the Thunderbolt Software Update for now; hopefully Apple will release a newer and safer update.

In case you have installed the update and your system is bricked, reinstalling the whole system is NOT the only solution to fix the problem.

If you are lucky enough to have a second Mac computer with a FireWire port, you can follow these steps to restore your system with minimal effort:

  1. Start the bricked Mac into TARGET MODE (pressing ‘T’ before the start-up chime).
  2. On a spare Mac, download from Apple website the latest Combo System Update for Lion 10.7.4.
  3. Run the Combo System Update installation, specifying as target the mounted volume of the bricked Mac. <== VERY IMPORTANT

That will fix the installation on the unfortunate Mac.

Side Effects: Reinstalling the Combo System Update for Lion 10.7.4 will overwrite all the Apple updates released after the 9th of May 2012 and you will have to re-run the Software Update application to reinstall them (don’t forget to skip the Thunderbolt Software Update).

I hope this has been helpful for many of you as much as it has been for me.

How-To Redirect PATHINFO (Almost Pretty) Permalinks To Pretty Permalinks

Wednesday, March 21st, 2012

This post is about supporting your former PATHINFO Permalinks structure (a.k.a. Almost-Pretty-Permalinks), on your new web-site using Pretty-Permalinks.

 Redirect 301 /index.php/ http://www.yoursite.com/
 RewriteRule . /index.php [L]

These are the lines of Apache’s configuration that must be present in the website’s main .htaccess file:

 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 Redirect 301 /index.php/ http://www.yoursite.com/
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 </IfModule>

This case applies to those websites formerly configured to use PATHINFO Permalinks and for which all the old posts and pages have been indexed by the Web Search Engines (Google, Yahoo, Bing, etc) using the former structure that included the HORRIBLE! “/index.php” string in their URIs, i.e.:

https://www.marcomc.com/index.php/tech/

When these sites finally migrate to the Pretty-Permalink structure, the one that does NOT include the horrifying “/index.php” piece, i.e.:

https://www.marcomc.com/tech/

it happens that all the search engines’ indexes will suddenly become outdated, and that will penalise the sites in at least two ways:

  1. It will cause a loss of visits because the back-links to the sites that are present on other blogs, in people’s favourites and bookmarks, or in the search engines’ indexes will be ‘broken’ (old), and people will be unable to access the pages or posts unless they browse from the homepage.
  2. It will cause a loss of ranking in the search engines’ databases (S.E.O. perspective) because the sites will appear ‘broken’ (inaccessible), and in some cases may even appear to be sites with duplicated content, because the search engines’ spiders will index the pages as NEW pages (due to their new URIs) and the content will match the caches indexed with the old URIs (at least until the caches expire).

To prevent such mayhem you need to put in place a 301 (permanent) redirection that will tell the search engines that all the requests to URIs containing the ‘/index.php’ bit have to be redirected to similar URIs not containing it, i.e.:

Redirect 301 /index.php/ https://www.marcomc.com/

This string gives instructions to the web server about what to communicate to the Search Engines when a PATHINFO request is received.

Most importantly, the 301 redirection will instruct the search engines that the URIs containing “/index.php” have to be considered deprecated and that, from now on, the site will not use them anymore. This is fundamental to prevent the search engines from considering the content of the site as duplicated content.

Secondly you will need to put in place also a generic rewrite instruction that will tell the local web server (Apache) to accept all the incoming requests to URIs with a PATHINFO format and return the content of the new and purged URIs:

RewriteRule . /index.php [L]

This string gives instructions to the web server on what it must do when a PATHINFO request is received.

I did use these redirection settings for my WordPress blog when I did migrate to a full L.A.M.P. server (GNU/Linux, Apache, MySQL, PHP) from the former Windows Server hosting service running Microsoft IIS and that did not support ‘.htaccess’ files but exclusively PATHINFO directives and for which I did not have access to the server’s core configurations, therefore I was forced to use “/index.php” in my permalinks.


I took inspiration for this post from the following thread:

http://www.wptavern.com/forum/troubleshooting/489-mod_rewrite-make-pretty-permalinks-prettier.html

How-To Set Up a Continuous Synchronization in The Background With Windows 7 and The Group Policy Editor

Saturday, September 3rd, 2011

Using the Offline Files in Windows Vista or Windows 7 is not always a smooth process and can cause a lot of Offline Folders And Files Synchronization Errors.

Offline Files synchronization errors

I found the latest generation of Windows to be very sensitive when keeping the Offline Files and folders copy synchronized with the remote share.

Depending on the quality of the network you rely on or the quality of the link to the share, the Windows 7 (or VISTA) clients may think that the share is temporarily unavailable and stop synchronizing the Offline Folder while leaving temporary files on the server.
That may confuse some applications, especially Microsoft Office, making them believe that a file you just edited and closed is still opened by another application, and they will refuse to open such a file again.

E.g. I have a very inadvisable configuration where a Linux server is providing an NFS share to a Mac OS X Snow Leopard server, and that server is then re-sharing that share via SMB and AFP to Windows and Mac OS X clients. I have experienced problems with Windows clients that stop synchronizing files without any reasonable motivation.

I understood that an obvious delay in the communication from the Windows client through the Mac OS X server (via SMB) to the Linux server (via NFS) would make the Windows client believe that the share was offline, with many uncomfortable consequences.

I have found a workaround to this problem playing a little with the Windows’s Group Policy Editor.

As I don’t have a Windows Domain in place I couldn’t generate a policy file to be pushed once and for all to all the clients, so I had to manually start and configure the Group Policy Editor on each single Windows VISTA and Windows 7 machine.

This is how to set up a continuous synchronization in the background with the Local Group Policy Editor:

  1. Start the Local Group Policy Editor
  2. Expand the Computer Configuration policies to ‘Network -> Offline Files’
  3. Access the ‘Configure Background Sync’ option to enable the background sync
  4. Activate the ‘Enable Transparent Caching’ option
  5. Access the ‘Configure slow-link mode’ option to enable the support for slow-link networks
  6. Access the ‘Configure slow-link speed’ option to configure the latency level used to detect whether the connection has become slow.
    Follow the suggestions shown in the LGPE to calculate the appropriate value.

These settings should avoid many of your problems and so far they did not create any additional issue.

Please comment and post your experience about any problems with the use of Offline Files and Folders.

How-To fix pGina: “Warning: Current plugin selected could not be loaded!”

Thursday, September 1st, 2011

After installing pGina and the chosen plugins (i.e. LDAP Auth, LDAP Group, RADIUS) on Windows Vista or Windows 7, it may happen that trying to access the plugin configuration fails to load the plugin, with the following error message being returned:

"Warning: Current plugin selected could not be loaded!
You may not be able to login using pGina!"

The most common reasons for such error are:

 

  1. The installed plugin is for a different architecture: according to your system you must choose to install the x86 (32 bits) or x64 (64 bits) version of the plugin.
    Some plugins may be released in a single version, but this doesn’t imply that it will work for both architectures.
  2. Otherwise, most probably you are missing the installation of the Visual C++ 9.0 (2008) runtime libraries (VC90.CRT 2008): in this case you simply need to download the Microsoft Installer package from Microsoft’s site at

    x86: http://www.microsoft.com/download/en/details.aspx?id=5582
    x64: http://www.microsoft.com/download/en/details.aspx?id=2092

Applying one of these two fixes should resolve your problem; otherwise, consider checking the file permissions on the plugin files.

 

Mac OS X Server 10.6 Open Directory Replica: “Kerberos is: Stopped”

Friday, March 18th, 2011

It is common that the configuration process of a Mac OS X Snow Leopard Server 10.6 as an Open Directory Replica for your Open Directory Master comes with some problematic issues: it’s very common that the Kerberos service is not initialized properly and will appear in the ‘Server Admin’ Open Directory’s Overview panel as ‘Kerberos is: Stopped’.

Googling about this problem I found that the most common reason that breaks the configuration of the Kerberos service is a fault in the DNS name resolution, which prevents the Open Directory Replica server from being recognized and associated with the proper FQDN (Fully Qualified Domain Name).

The fix to this problem is not complicated but will force us to carefully perform these operations:

  1. First things first: although this is a recommended option for local domain naming, make sure that your domain name does NOT end in ‘.local’.
    In Mac OS X by default the ‘.local’ domains are resolved by the Bonjour service, with priority over the DNS service.
    I recommend choosing a non-public domain name like ‘.private’, ‘.lcl’, ‘.my’, ‘.office’… and so on.
  2. After that, make sure your DNS is PERFECTLY configured to serve FQDN names (i.e. replica.mynetwork.private.) and that one of these names fully matches the replica’s hostname (with the exception of the trailing ‘.’).
  3. Also check that the DHCP service, if activated, is delivering the correct search domain and the IP address of the DNS server able to resolve the names of your Open Directory Master and Replica servers.
  4. Adjust the Replica server’s hostname according to the DNS settings. You can modify the hostname of your replica server with the ‘scutil’ command:
    # scutil --set HostName replica.mynetwork.private
  5. Now decommission the replica server to a standalone directory using the Open Directory Assistant to change the server’s role.

Now the most important operations are done.
Now I recommend a reboot of the system and a double-check of the DNS and hostname configuration using the following commands:

# hostname

The ‘hostname’ command will show the hostname that should appear like the FQDN configured in the DNS service.

# changeip --checkhostname

The ‘changeip’ command will perform a more accurate check on the hostname, using the system calls used by the other system processes and applications.

# nslookup replica.mynetwork.private

The ‘nslookup’ command will check that the DNS server is returning the appropriate IP for the requested domain name.

Now it’s time to re-configure the server as an Open Directory Replica; you can use the Open Directory Assistant again. Provide the requested information and when the process has finished, if you’re lucky enough, the problem will be fixed and the ‘Server Admin’ will show ‘Kerberos is: running’.

Unfortunately I’ve not been so lucky when I encountered this problem my first time: for my replica server the Kerberos service was still in ‘Stopped’ status.

After a couple of headaches and a lot of wasted time I figured out that one of the main Kerberos’ configuration files ‘/Library/Preferences/edu.mit.Kerberos’ was missing. This was proof that for some reason the ‘kdcsetup’ process hasn’t been executed.

To fix this issue it is necessary to perform the manual procedure to configure and initialize the kerberos process that actually is the last portion of the manual procedure to join a Replica to an existing Open Directory domain, consisting of:

# /usr/sbin/kdcsetup -c /LDAPv3/127.0.0.1 -a diradmin -p -v 1

This command will create the file /Library/Preferences/edu.mit.Kerberos.

# /usr/sbin/kdb5_util -r

The ‘kdb5_util’ will load information from the initial.dump file from the previous step into the REALM.

# kdcsetup -e

The ‘kdcsetup’ command will enable kdcmond and kadmind in the configuration for launchd.

Now the Kerberos services should have been started on the replica server.

Reboot the system to make sure it’s started automatically at the system initialization.

How-To configure unattended clients with TeamViewer for Mac (simulating TeamViewer Host)

Friday, February 25th, 2011

09/09/2011 – UPDATE
The TeamViewer team has recently released a new host version for Mac OS X
TeamViewer for Unattended Servers: TeamViewer Host

Despite the name it can be used in any Mac OS X installation (clients and servers)

http://www.teamviewer.com/download/TeamViewerHost.dmg

http://www.teamviewer.com/en/download/index.aspx

Original post:

Because there is no TeamViewer Host for Mac yet, I’ve been chatting with the support team at TeamViewer GmbH about an official workaround to create a TeamViewer unattended client for Mac OS X. This is what they advised to do:

  1. You would have to predefine a permanent password on TeamViewer for Mac.
  2. A standard user should be logged in.
  3. TeamViewer should be part of the auto starting programs.
  4. The Mac should not go in sleep mode.

The main glitch of this solution is that if the user logs out, returning to the Login screen, then the TeamViewer software quits and the connection is lost.

An additional workaround that would help us maintain the connection to the Mac even when the main user is logged out is:

  1. Create an ‘autologin’ user
  2. Install and configure TeamViewer as suggested in the previous steps to be part of the auto starting programs for the ‘autologin’ user.
  3. Immediately auto-lock the account and return to the Login screen using Lock My Mac or MacLoc, configuring one of them as part of the auto starting programs.

At this point, with a slightly longer system initialization, the user of the Mac will work as usual while a ‘hidden’ account is running TeamViewer for us.

The catch of this solution is that when the user wants to shut down the system he will be prompted with an alert message notifying him that other users are logged in to the system and that if he wants to continue with the shutdown process all open documents and data will be lost. Maybe we can find a way to disable this alert… suggestions are welcome 🙂