Citrix SSL Error 61 – “GlobalSign Root CA”

After a long period of not having issues with Citrix, this old chestnut popped up again.

You have not chosen to trust “GlobalSign Root CA”, the issuer of the server;s security certificate (SSL error 61)


I checked back and we had this one before way back in 2012. The problem is that the cert is not in the plugin directory that wfica uses. So the solution is to get it and put it in the correct place.

At the time Firefox had removed the option to export certificates but fortunately it has bee restored.

Firefox F10 > Edit > Preferences > Advanced > Certificates > View Certificates

Scroll down and click on “GlobalSign Root CA” (under GlobalSign nv-sa), and then press Export.


Save it somewhere.


Then copy it into the correct directory.

sudo cp ~/tmp/cert/GlobalSignRootCA.crt /opt/Citrix/ICAClient/keystore/cacerts/

Posted in citrix | 2 Comments

I am trying to mount a cifs share aka smaba/smb/windows share, from a Debian server so I can access log files when needed. To do this automatically I create two mounts, one which is read only and is automatically mounted and another that is read/write which is not mounted. The /etc/fstab file looks a bit like this:

// /mnt/server-d cifs auto,rw,credentials=/root/.ssh/server.credentials,domain= 0 0
// /mnt/server-d-rw cifs noauto,ro,credentials=/root/.ssh/server.credentials,domain= 0 0

To mount all the drives with “auto” in the /etc/fstab file you can use the “-a, –all” option . From the man page, Mount all filesystems (of the given types) mentioned in fstab (except for those whose line contains the noauto keyword). The filesystems are mounted following their order in fstab.

However when I ran the command I get:

root@server:~# mount -a
mount: wrong fs type, bad option, bad superblock on //,
missing codepage or helper program, or other error
(for several filesystems (e.g. nfs, cifs) you might
need a /sbin/mount. helper program)

In some cases useful info is found in syslog - try
dmesg | tail or so.

Well it turns out that Debian is no longer shipping cifs as a default option. It can be added easyly enough using the command:

root@server:~# aptitude install cifs-utils

Now mount -a works fine

root@server:~# mount -a
Posted in General | Leave a comment

Adding SQLite as a datasource to SQLeo

An audio version of this post is available on Hacker Public Radio.

I have been looking for a tool that will graphically and programmatically track identifiers as they pass through systems. I could have done this in Inkscape after following the excellent tutorials on, however I also wanted to be able to describe the relationships programmatically.

This got me to thinking about graphical query builders for databases. The idea is to show each system as a table block and then draw lines between them to show how “Field_X” in “System_A” will map to “Field_Y” in “System_B”. Many of the proprietary and some free database solutions allow this type of view. However I also want to easily package the entire thing up, so that someone else could access it without needing to pay for or install any specialized software. That limited the choice of database to SQLite, which is small, supported on many platforms and is released into the Public Domain.

SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine. The code for SQLite is in the public domain and is thus free for use for any purpose, commercial or private. SQLite is the most widely deployed database in the world with more applications than we can count, including several high-profile projects.

Please follow the instructions on the SQLite site for information on how you can install it on your system. For me on Fedora it’s simple to install via dnf/yum. You might also want to install some GUI managers if that’s your thing.

dnf install sqlite sqlitebrowser sqliteman

I created a small database for demonstration purposes, consisting of two tables and one field in each.

Next step is to download SQLeo Visual Query Builder which has support for a graphical query builder.

A powerful SQL tool to transform or reverse complex queries (generated by OBIEE, Microstrategy, Cognos, Hyperion, Pentaho …) into diagrams to ease visualization and analysis. A graphical query builder that permits to create complex SQL queries easily. The GUI with multi-connections supports virtually all JDBC drivers, including ODBC bridge, Oracle, MySQL, PostgreSQL, Firebird, HSQLDB, H2, CsvJdbc, SQLite. And top of that, everything is open-source!

SQLeo is a Java Tool and there is a limited version available on the web site which is limited to 3 tables per graph and 100 rows. Now as the program is released under the GPLv2.0, you could download the code and remove the restrictions. You can also support the project to the tune of €10 and you will get the full version ready to rock.

Unzip the file and enter the newly created directory, and run the program as follows:

java -Dfile.encoding=UTF-8 -jar SQLeoVQB.jar

One slightly confusing thing, and the reason for this post, is that I could not find support for SQLite listed in the list of databases to connect to. A quick search on the support forum and I found the question “Connection to SQLite DB“. I found the answer a bit cryptic until I read the manual related to JDBC Drivers, which told me how to add the sqlite library.

SQLeo uses a standard Java sqlite library that is released under the Apache Software License, Version 2.0. You can download it from the SQLite JDBC MVNRepository and save it into the same directory as SQLeo.

Right Click in the Metadata explorer window and select new driver.


Click “add library

SQLeo_SQLite_02Enter the following information
Name: SQLite JDBC
Driver: org.sqlite.JDBC
Example: jdbc:sqlite:~/yourdb.db


Next right click on the newly created driver and select “new datasource


The name can be anything you like, but the url needs to start with jdbc:sqlite: and then the path to the sqlite database you created earlier. I selected auto-connect and pressed connect as well.


Now you can press the Query Designer button and drag the tables into the view. Once there you can then join up the fields.


That covers the graphical representation, and we can tackle the programmatic implementation by pressing the save button. Which gives the structure as defined by SQL.

ON System_B.Field_Y = System_A.Field_X


So now I can check the SQL into git and have a nice image for adding to documentation any time I like.

Posted in General, Podcasts | 2 Comments

not a dynamic executable

I sometimes have issues running a 32bit program under Linux X64.

When you run ldd it reports that it’s not a dynamic executable

# ldd /usr/bin/snx
not a dynamic executable

However if you run file, you do see that it is.

# file /usr/bin/snx
/usr/bin/snx: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped

You can confirm that you are running 64 bit Linux

# uname -i

To fix this you need to install 32 bit libraries. On Fedora you can install them using

dnf install /lib/

And on Debian

apt-get update
apt-get install lib32z1 lib32ncurses5 libstdc++5:i386

Worked for me.

Posted in General | 1 Comment

I was installing Oracle VirtualBox 5.0 as per

I ran into the following issue.

Stopping VirtualBox kernel modules [ OK ]
Uninstalling old VirtualBox DKMS kernel modulesError! There are no instances of module: vboxhost
5.0.4 located in the DKMS tree. [ OK ]
Trying to register the VirtualBox kernel modules using DKMS[ OK ]
Starting VirtualBox kernel modules [FAILED]
(modprobe vboxdrv failed. Please use ‘dmesg’ to find out why)

It took me ages to find the solution but it turned out to be that changing the kernel is not allowed by secure boot. Stands to reason I guess but it would have been nice if there was more information about that. I disabled secure boot and it works. Not ideal.

Posted in General | Leave a comment

CheckPoint SNX install instructions for major Linux distributions

I decided to do a round up of how to install the software needed on GNU/Linux to enable access through a CheckPoint firewall. My focus was on distributions whose ISO downloads supported UEFI boot, and hard disk encryption out of the box. This explains why Debian is not in this list. These requirements may not apply to you so feel free to add the instructions for your distro of choice to the comments below.

As of build 800007075 Checkpoint no longer support using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop when we were able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender“. This is a major pain as it requires (from my experience) X server, Oracle Java, and the FireFox browser to run.  Chrome gives this helpful message on the Java website:

The Chrome browser does not support NPAPI plug-ins and therefore will not run all Java content. Switch to a different browser (Firefox, Internet Explorer or Safari on Mac) to run the Java plug-in.

Despite all this, it still uses the native client but with the “unsupported” -Z option.  Ah well.

With all the distributions I did the following:

  • downloaded the most prominent ISO on offer at the projects main page
  • used dd to transfer the image to usb stick
  • installed using full disk encryption
  • applied all the patch fixes
  • installed openssh-server.

Let me tell you now that your future is full of warnings like, This Connection is Untrusted, I understand the Risks, Add Exception, Confirm Security Exception, allow, allow remember, continue, run, allow, trust server, etc etc. I found it useful to browse to the Verify Java Version site in Firefox to verify that java is working.

You will also need to know the url, username and password for your own checkpoint login site. It should be something like.:

These instructions are going to be terse but the links provided should give you more information if needed.

Ubuntu 15.04 Vivid Vervet

We’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Pressing connect will open an xterm window that downloads and runs the native client script. You will need to enter the root password you set earlier, sudo will not work.

Now finally try the Connect > Continue > Accept Key and you should get connected.

Linux Mint 17.2 “Rafaela”

Very similar to Ubuntu, we’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Unlike Ubuntu however the install via the browser did not work for me. You will need to go to your own login site:

Then select Settings > Edit Native Applications Settings > Download installation for Linux

Open a terminal and then run the command from wherever you downloaded it.

# sh +x ~/Downloads/
Installation successfull

Now when you go back to the web site, your Connect button should work.

openSUSE 13.2

This is a distribution I haven’t used too much before but decided to give it a try. Again additional libraries were necessary to get snx to run. I also followed these instructions to install java.

zypper install  libX11-6-32bit libXau6-32bit libxcb1-32bit glibc-devel libstdc++-devel libstdc++48-devel linux-glibc-devel
rpm -ivh ./libstdc++33-3.3.3-29.2.i586.rpm

Then is was just a case of connecting to the website and pressing Connect

Fedora 22

We have covered installing under Fedora 21 before and the biggest problem was installing Oracle Java. Get the latest from and I copied it to /usr/local/src. You’ll need to adjust accordingly.

dnf update
dnf install libcanberra-gtk2.i686 pkgconfig.i686 /usr/local/src/jre-8u60-linux-x64.rpm
alternatives --install /usr/bin/java java /usr/java/latest/bin/java 200000
alternatives --install /usr/lib64/mozilla/plugins/ /usr/java/latest/lib/amd64/ 200000
alternatives --config java


I’m sorry if I haven’t covered your distribution in this round up. As I said at the beginning my requirements were pretty specific, but my time was limited. If you browse through the snx series here, you should be able to find out how you can get it running on your own distribution easily enough. This is what I had to do with openSUSE, for which I was a novice user. If not you can always drop me a line.

Having to run such a bloated and convoluted tool chain just to end up running the same application is very disappointing. I am also concerned that such an essential piece of business software is built using such old libraries, and that there is no 64 bit version.

I would like to hear if there is a way to get this plugin to run from the command line, or at least run without having a browser window open. If you have suggestions please comment below.

Posted in General, snx | 38 Comments

Stopping mplayer from displaying Album Art on Music or Podcasts

I use mplayer as my media player of choice. If it discovers embedded album art in the media files, it will display them as a popup window. To prevent this from happening you can use the switch -vo null which will tell it to ignore video output. For example.

mplayer -vo null /mnt/SANZA_KEN/PODCASTS/TuxJam_44.ogg

Posted in General | 2 Comments

Unable to access SharePoint in Firefox but it is possible in Chrome

Thanks to the the-edmeister  for giving a solution to this issue

That type of message might be related to Insecure NTLM (pre-NTLMv2) authentication being disabled in Firefox 30.

Type about:config in the URL bar and hit Enter. Accept the warning. Type NTLM in the Search bar at the top. Right-click network.negotiate-auth.allow-insecure-ntlm-v1 and select Toggle. Then close Firefox and restart.

See if you can access that SharePoint website without getting that 401 message.


Posted in General | Leave a comment

Can’t locate in @INC

Had a strange one while installing my new work laptop. I was migrating from one system to another, so I did a clean install of Fedora 21 and copied my data over. After that I could no longer open cpan, getting the error:

$ echo o conf | perl -MCPAN -e shell
Can't locate in @INC (you may need to install the CPAN module)

Followed by a list of paths that did not even exist.

I re-installed again and confirmed that perl and cpan were working fine. Then I restored my data, only to find that the same thing happened again. That ruled out a system issue and then I finally did a

which perl
which cpan

Only to find out that they were both pointing to binaries in my home directory. At some stage I must have made a copy of perl and cpan to my ~/bin/ instead of making a symlink. I confirmed that there was a version of cpan in /bin/cpan, and then I deleted the old version from ~/bin/cpan

Posted in General | Leave a comment

Windows Remote Desktop on GNU/Linux

This is the accompanying shownotes for a Hacker Public Radio podcast episode.

I wrote a bash script to connect to various different windows servers from my GNU/Linux desktops. I had a few different requirements:

  • I should be able to call it based on hostname.
  • All windows should be 90% smaller than my screen.
  • It should map my keyboard.
  • It should map my local disk.
  • It should quickly timeout if the port is not available.

You can get the full script here, but let’s walk through it:

The first line calls bash and then gets the server name from the symlink that is calling the script. The port is set as “3389”, but you can change that if you like.

SERVER=`basename $0`

The next few lines finds the smallest vertical and horizontal sizes, even if you are running multiple screens. Then it calculates 90% of that to use as the size.

h=$(echo "scale=0;(($(xrandr | grep '*+' | sed 's/x/ /g' | awk '{print $1}' | sort -n | head -1 )/100)*90)" | bc)
v=$(echo "scale=0;(($(xrandr | grep '*+' | sed 's/x/ /g' | awk '{print $2}' | sort -n | head -1 )/100)*90)" | bc)

Next we set the default username and password. I have it ask me for my password but I put it in here as an example.


In some cases the credentials may be different, so I have a case statement that will cycle through the servers and apply the differences. Depending on your naming schemes you may be able to use regular expressions here to filter out groups of servers.

case "${SERVER}" in
  *server*) echo "Server ${SERVER}"

  *colo*) echo "Server ${SERVER}"
  some_server ) echo "Server ${SERVER}"
  *) echo "No match for ${SERVER}, using defaults"

Next we use an inbuilt bash command to see if a remote port is open and timeout after one second.

timeout 1 bash -c "echo >/dev/tcp/${SERVER}/${PORT}"

I used to connect to rdp using the program rdesktop, but it is now of limited value due to the fact that there are many open bugs that are not getting fixed. Bugs such as Bug 1075697 rdesktop cannot connect to systems using RDP version 6 or newer  and Bug 1002978 Failed to negotiate protocol, retrying with plain RDP . I then switch to using xfreerdp. This is the client that is behind remmina.

You can use xfreerdp /kbd-list to get a list of the available keyboard layouts.

if [ $? -eq 0 ]; then
  echo "${SERVER}:${PORT} is open"
  xfreerdp /v:${SERVER} /size:${SIZE} /kbd-type:0x00000409 /t:${SERVER} /d:${WORKGROUP} /u:${USERNAME} /p:${PASSWORD} /a:drive,pc,/ /cert-ignore &
  echo "${SERVER}:${PORT} is closed"

Next you will need to be sure that your host names are available, either in dns or in your /etc/hosts/ file. For example: server1 server2 server3 coloserver1 coloserver2 coloserver3 some_server

Edit the script to your liking and then put it into your a directory in your path, possibly /usr/local/bash or ~/bin/. You can then make symbolic links to the servers to the bash script, also in a directory in your path, using the command:

ln -s /usr/local/bash/rdp.bash ~/bin/some_server
chmod +x ~/bin/some_server

Which links the global rdp.bash script to your personal symlink, and makes it executable.

All that you need to do then is type the name of the server and a rdp screen should pop up.

In our example:

$ some_server

From there your Windows Server session should pop up.

Posted in General, Podcasts | 1 Comment