VMWare ESXi 4.0: Adding user fails

Trying to add a user in ESXi 4.0 using the vSphere Client, always gave me this error:

A general system error occurred: passwd: Authentication token manipulation error passwd:

The solution is extremely simple. The problem is the error message. It seems to tell us there’s a problem with authentication, but actually, all that is happening is the password is too short or too simple. Making it at least 8 characters is length did the trick for me.

Grandstream ATA ultimate dial plan string

Unlike plain old telephone service, the ATA that links your home phone to the VoIP provider must know when you’re done before attempting to dial the numbers you’ve entered. Therefore, all ATAs have a setting called “Dial Plan” (or somethings Dial String) in order to analyze the digits typed, and make the appropriate decisions for dialing.

By default, an ATA will simply wait until the user doesn’t add new numbers for a few seconds, and then dial that. There’s a few problems with that:

  • Always have to wait for that timeout period before actually making the call.
  • If you make a pause mid-typing, it will try to dial that, and then you have to start over.
  • All special numbers (311, 511, 811…) won’t work. Even 911 might not work if the VoIP provider did not implement it.

For all those reasons, I have spent some time to create a very practical dial plan. It’s particularly helpful for residents of Quebec (and Montreal) because certain services (x-1-1) are rerouted to the actual phone number of these services. Therefore, with this dial plan, I can reach:

  • 311: Montreal City
  • 411: A free phone directory service (800-555-1212)
  • 511: Quebec 511 line (transports)
  • 811: Health Line (Info-Santé)

Note that I’m using this with FreePhoneLine, so they already cover the 911 services. If your provider doesn’t link emergency services to 911, you can add a section to call your local emergency services. To get the number, just call your local police station at their non-emergency line, and simply ask for a number to reach them from “internet telephone” or something. They might have to search for it as it is quite unusual.

For GrandStream ATA devices:
For Linksys ATA devices:
Explanation of this dial string:
  • 911S0| Emergency service provided by my VoIP provider. Dial immediately.
  • <311:5148720311>S0| Montreal’s information line, dial immediately.
  • <411:18005551212>S0| Phone directory services, dial immediately.
  • <511:18883550511>S0| Quebec 511 service, dial immediately.
  • <811:18003613977>S0| Quebec Info-Santé, dial immediately.
  • x11S0| Any other x-1-1 number not covered above will be dialed anyway, so that if my VoIP provider implements them in the future, they’ll work.
  • *xxS0| All star-x-x numbers are dialed. Obvious case is voicemail *98, but certain features could be supported too.
  • [2-9]xxxxxxxxxS0| All north american ‘”local” numbers, dialed immediately. This covers all free areas where my line has access to.
  • 1xxxxxxxxxxS0| All of north america in long-distance (+1). Make sure you have a long distance plan to call those!
  • 011xxxxxxxxxxxx.| International calls. Requires a minimum of 12 digits, preceded by 011. No immediate dial because the length is unknown.
  • 1900x.!| BLOCK all 1-900 pay numbers.
  • 1976x!| BLOCK all 1-976 numbers.
Important details:
Grandstream uses the caret (^) for blocking, Linksys uses the exclamation (!)
Grandstream uses the equal (=) for remapping numbers, Linksys uses colon (:)
Linksys supports immediate dial (S0), Grandstream does not.
Grandstream uses accolades around the string { } while Linksys uses parenthesis ( )
Many thanks to Netphone Directory for a their explanations on Dial Plan constructions.

Installing Grandstream HT502 ATA with FreePhoneLine.ca SIP account

I recently discovered the great services over at freephoneline.ca. As their name implies, it’s a free phone line. The trick? It’s a voice-over-IP provider that pays for its service via extras to the service, like multiple phone numbers, international long distance plans, etc. The base phone service, however, is free. Free after you pay for initial setup, of course, but free after that.

Once the account activated, I found an inexpensive ATA (Analog Telephone Adapter) to bring this internet telephone service to my actual telephones in my house, in order to fully replace Bell (bye bye Bell!) This set me off another 45$, or barely more than a month of Bell service anyway. The one I got is Grandstream HT502, for 45$. I’ve been told this is one of the most stable and reliable units. Furthermore, this unit can actually manage 2 lines simultaneously, so if I ever want a second SIP account, this device would support it directly.

Here’s a mini-install guide, or rather, the steps I just took to install a brand new Grandstream HT502 ATA with my FreePhoneLine account.

The HT502, when left unchecked, wants to become your network router. It could replace our typical Linksys routers and whatnot, but honestly, I want my devices to do the thing they’re built for only, and have each do its own job. Therefore, I will not use mt 502 as a router or NAT, which changes a few things from how they explain it in the manual.

  1. I connected the WAN port to my network, like any other device in my home. I will not use the LAN port.
  2. I plugged in a phone in port #1, dialed * * *, and then followed the guide to put the unit in DHCP so that my router controls the IP allocation, and to get the MAC address. Nota: Since it’s not really a switch with 2 ports, the 502 has actually two network cards in it, and therefore, two MAC addresses. The LAN port has the MAC address that is printed on the label, and is the same as you get form the voice menus. The WAN port has the MAC address of the LAN one, +1. If it’s a letter, then it goes up one (A -> B, etc). Since they’re given in pairs, LAN will have an odd ending one (or A, C, E) and WAN will have even number (or B, D, F).
  3. After turning DHCP on, I logged into my Linksys (with Tomato firmware) and setup a DHCP static IP for this device. Go in Basic, then Static DHCP. Use the MAC address from the +1 strategy explained in the nota above because we want the MAC of the WAN port.
  4. While I’m in the Tomato firmware, let’s also forward ALL ports that may be used by the VoIP adapter. Go in Port Forwarding, then Basic.
  5. There’s Quality of Service we could setup here to guarantee that the VoIP application has upmost priority for traffic on my internet line, but we’ll do that in another post.
  6. Reboot the HT502 adapter, and open a browser to the configuration page: (the IP I gave it). Default password is “admin”
  7. Go in Basic Seetings. Only thing to change here is to set Device Mode to Bridge. Why? This will disable all NAT functions of this router, and will prevent it from trying to reroute traffic left and right.
  8. Go in Advanced Settings and write a new admin password. This device controls your phone and, as such an important part of your house/life, shouldn’t be left with default “please hack me” passwords.
  9. Go in FXS port 1, and set it up just like this (don’t forget your own account number and password, of course):

Well, that’s it! I made calls, used DTMF to check my voicemail and confirm the tones work. I received a call as well (from my cellphone). Everything works out fine.

Note that, above, I picked codec G729 which is the indicated choice of FPL. Also the Dial Plan (call string) cannot be read completely in the screenshot, but it’s what’s been said several times in this thread, which is:


Hope this helps someone!

Note that I’ve shared this guide with the customer forums at FreePhoneLine.ca

Edit: I’ve tweaked the Dial Plan in this post.

Postfix SMTP relay broken, MX host not found.

Yesterday, all outgoing emails started to accumulate in the Postfix queue with this error:

Jun 29 13:35:02 intranet postfix/smtp[15330]: 88AE28C839: to=, relay=none, delay=8921, delays=8897/4/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=myprovider.isp.hosting type=MX: Host not found, try again)

First thing I did, nslookup and dig tests, yep the host can be found, although there is no MX record. Could it be that Postfix absolutely requires the MX record?

As it turns out: no. What actually happened is that I changed DNS settings for this server. I went into /etc/resolv.conf and updated the settings, as a new DNS server was installed and replaced and agin one.

What I didn’t know is that Postfix keeps a cached copy of this resolv.conf in a mini-chroot jail located in /var/spool/postfix/etc/resolv.conf

That file had the old DNS server settings! I changed it for the correct servers, and issued

postfix reload
postqueue -p


FIX: VPN server on 2008, no data goes through

This post isn’t a regular “fix” in the sense that I point out a problem that is often overlooked or badly documented. It’s just that after spending so many hours chasing this problem, I felt compelled to share it in case it can help, even though it makes little sense.

The setup: I want to add VPN access to my corporate network, consisting of a few servers behind a Linksys/Tomato router. Most servers are Windows 2008 virtualized on VmWare ESX4i servers (but that doesn’t really make any difference.) The VPN server will be placed on a windows 2008 machine that currently serves WSUS (updates) and anti-virus deployment. DNS, DHCP, domain controller, that’s all on other machines.

I followed the guides I could find on the net, but every time I would be able to log my user on to the VPN, but not access anything (not ping any host).

Finally, I resolved this by uninstalling the role from the Server Admin page, rebooting that box, re-installing the role and re-installing the feature.

It worked right away!

6 weeks in advance, my allergies begin :(

Thanks to a surprisingly warm spring, my allergies are starting no less than 6 weeks earlier this year than they did last year.

Dammit!  :(


Cat + tissue box (the revenge)

Howto: Changing the installed language of any Windows 7

Windows 7 Ultimate has the ability to change its own installed language to any of the supported languages. This feature did not make the cut for the Home versions of the OS.

Unfortunately sometimes, when purchasing computers, there may be a mixup in the desired language for the OS. Today, I received a computer for one of my clients with Windows 7 in English instead of French. Could be my mistake, could be Dell’s, but the problem remains.

Thankfully, someone (which name I could not find) created an extremely useful little software called Vistalizator that forces Microsoft’s own language packs to be installed. In a matter of 5 minutes, I switched this Windows 7 Home Premium from English to French.

Merci au codeur masqué!

Howto: Grocery list shopping with ToodleDo on iPhone

It’s been asked numerous times in the support forums of Toodledo, people want a way to have a grocery list. In essence, the requirements are simple. I need to have a list with 3-state items in it:

  • Not needed.
  • Needed for next grocery shopping.
  • Item is in shopping cart.

This becomes extremely useful because before going to the market, I can review the list of everything I’m ever purchased (the “Not needed” items), and check what I’d like to add to my list today. Then as I make the purchases, I cross those out until I’m done shopping.

The customer support of ToodleDo said that they did not wish to program this functionality in ToodleDo because they feel it would make the application too complex. While I normally agree with such decisions to keep software simple and efficient, this is just dumb. 3-state items doesn’t bring complexity in the program. SplashShopping has been doing it for years and the application is simple.

I’ve come up with a way to do something very close to that with ToodleDo on my iPhone. Here’s how.

  1. Go to Folders, and tap Add Folder, name it “Groceries”.
  2. Go in the Groceries folder, tap the Sort button.
  3. “First sort”, select “Star”
  4. “Then sort”, select “Alphabetical”

Add a few items (Milk, eggs, etc) to make up an initial list of items to purchase.

Whenever you want to make a list for shopping, go to that folder, and add a Star to everything you need to buy. Just bo back to Folders, and then back into your Groceries folder to re-sort the items. Every starred item with be on the top. This is your shopping list.

As you make your purchases, check the box.

When you’re done shopping, it takes only a few seconds to remove all the stars. The resulting list of checked items with no stars becomes your list of previous items for next shopping trips. Just uncheck and star the ones you want for the next trip, and so on.

I realize this is far from perfect, but it does the job for me just fine, so I thought I’d share it.

VMware ESX4i packet loss with VMs

I’ve just finished building this ESX4i server with a few VMs in it and as I plug it into the serve space and into the network switch, I notice that the vSphere console is laggy, to the point of being really annoying.

I ping the server from a workstation, a few packets get lost in transit. I grew the ping packets to 60 kilobytes, and sure enough, about 10% packet loss. I tried pinging the hypervisor management interface, still from my workstation, and I get a slightly lower, but still significant amount of packet loss.

After checking all my cables and trying another network switch, I finally saw that the switch was not illuminating the “Full duplex” light, indicating it was, instead, half-duplex.

Going back into vSphere client, clicking my host in the left menu, then going in the configuration tab, then Networking, then Properties. Second tab “Network Adapters”, then Edit. In there, the Status of my physical NIC was set at 100 mbit Full Duplex (so it should have worked.) I changed it to Auto Negociate and now everything works perfectly. 1800 ping packets transmitted, 0 loss.

Activating permanent SSH server in ESX4i

VMWare ESX4i comes with a built-in (but hidden) shell console that is extremely useful to move around vm files and hard disks. Accessing it is easy:

  1. Press ALT-F1 to switch terminal to the unsupported console.
  2. Type “unsupported” (there will be no feedback on the screen), press enter.
  3. It will ask for “Password:” so type in your root password, press enter.

You’re now in the shell. It’s quite limited (mostly BusyBox tools), but very useful nonetheless.

Then, you can enable SSH so that you can access this shell remotely:

  1. Type:  vi /etc/inetd.conf
  2. Use the down arrow to reach the first like that starts with #ssh
  3. Type the letter i to enable editing.
  4. Use the right arrow to move the cursor to the letter s
  5. Press backspace to erase the # symbol.
  6. Press escape to exit editing mode.
  7. Type :wq to write the file and quit.

Now this is the part that other posts on the web about this subject did not include, so I’m adding it in case it helps out anyone.

To enable the SSH server immediately, without rebooting, and without restarting all the services (thus disconnecting all open consoles):

  1. Type ps | grep inetd and note the first number
  2. Type kill -HUP (number)


~ # ps | grep inetd
5080 5080 busybox              inetd
~ # kill -HUP 5080