Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

Windows CLI – find groups you are a member of

I knew of doing a gpresult /v and finding the group membership. An even better (and faster) way is whoami /groups.

Other useful whoami switches.
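As an added example (not from the original post), here is `whoami /groups` turned into objects so a script can flag membership in well-known privileged groups. The privileged SIDs and RIDs are standard Windows constants; everything else runs as the current user with no extra modules.

```powershell
# Added example (not from the original post): parse `whoami /groups /fo csv` into
# objects and flag membership in well-known high-privilege groups.

function Get-TokenGroups {
    # /fo csv emits a header row: "Group Name","Type","SID","Attributes"
    whoami /groups /fo csv | ConvertFrom-Csv
}

# Well-known SIDs (built-in groups) and RIDs (domain groups) that mark privileged membership
$PrivilegedSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-548' = 'BUILTIN\Account Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}
$PrivilegedRids = @{
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
}

function Find-PrivilegedGroups {
    param([Parameter(ValueFromPipeline)]$Group)
    process {
        $sid = $Group.SID
        $rid = ($sid -split '-')[-1]
        $label = $null
        if ($PrivilegedSids.ContainsKey($sid)) {
            $label = $PrivilegedSids[$sid]
        } elseif ($sid -like 'S-1-5-21-*' -and $PrivilegedRids.ContainsKey($rid)) {
            $label = $PrivilegedRids[$rid]
        }
        if ($label) {
            [pscustomobject]@{
                Group    = $Group.'Group Name'
                SID      = $sid
                Role     = $label
                # With UAC, a non-elevated token lists Administrators as "Group used for
                # deny only": the membership exists but grants nothing in this token.
                DenyOnly = [bool]($Group.Attributes -match 'deny only')
            }
        }
    }
}

Get-TokenGroups | Find-PrivilegedGroups | Format-Table -AutoSize
```

Run it once from a normal prompt and once elevated: the same Administrators membership shows `DenyOnly = True` in the first and `False` in the second, which is the difference `whoami /groups` is really telling you about.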

[Aside] Misc ADFS links

Update: To test ADFS as an end-user, go to https://<adfsfqdn>/adfs/ls/IdpInitiatedSignon.aspx. Should get a page where you can sign in and select what trusts are present.

Bored :)

Watching “Cosmos: A Space Time Odyssey” nowadays. 

Also completed “The Leftovers” Season 1 yesterday. Great show, especially the last few episodes where there’s a lot of talk about purpose and such – which is still in my head. 

Now sitting at a restaurant, bored, eating chicken kababs. Thinking: life is so easy for humans now. Ages ago we had to hunt for food. Each day was an unknown – whether we would get something or not. Life itself was unsure. Survival during hunting for instance. But now – here I am, a chubby spectacled nerd who probably wouldn’t have survived at all during the hunter days, sitting here eating a piece of chicken with a fork. How things have changed. 

I guess that’s why we have no sense of purpose now. Back then we had a purpose – survival; fight against nature. Now we have troubles but most of it isn’t of the survival kind. So there’s no sense of purpose – there’s an emptiness. Nothing to do. Work is what we try to find purpose in. But that’s not really purpose. Mostly it’s a means to earn money. And it’s filled with politics and whatnot. It’s not purely about “your” purpose – it’s about the company and the people in it etc. 

Ok time to go, cutting this short! :)

[Aside] AD Sites, Subnets, Trusts, etc.

  • How Domain Controllers are Located Across Trusts – this is a delightful article. I don’t know why, but I simply loved the way the author presented the information. Very logically written. Wish I could write blog posts with such clarity.
    • Praise aside, it is a good article on how subnet and site definitions are used to find a Domain Controller closest to you, and especially how it works across forest trusts.
  • Using Catch-All subnets in AD – Wanted to know how catch-all subnets in AD Sites will interact with specific ones. This one explained it. The specific one takes precedence. Which is exactly what you want. :)

[Aside] NetScaler tracing, telnet, etc.

It is not possible to do a telnet from the NetScaler to a server to troubleshoot connectivity issues. The telnet may or may not succeed, but it doesn’t mean anything, as the telnet is initiated from the NSIP whereas all NetScaler communication with its services happens from the SNIP. The only option in such cases is to create a service bound to that port and protocol, and monitor that.

At work, for instance, we had STA issues. So I created an HTTP service, bound to port 80, for each Delivery Controller. Then I created a new HTTP monitor that checks for /Scripts/CtxSta.dll and expects return code 406. This also lets me create an nstrace against this service itself to see what’s happening.

  • nstrace reference
    • Set the packet size to 0 and file size to 0.
    • Expression will be something like CONNECTION.SVCNAME.EQ("mySTA_svc_name")
  • There’s also nstcpdump.sh, which is a lighter version of nstrace. Less details, but quicker to get up and running. I prefer nstrace. :)
  • A blog post with examples of both.

PowerShell – Find all AD users with ACL inheritance disabled

Quick one-liner to find all AD user objects with ACL inheritance disabled:

Another one:
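As an added example (these are not the post’s own one-liners), two ways of finding user objects whose DACL has inheritance blocked. Both rely on the ActiveDirectory module from RSAT; `AreAccessRulesProtected` is the .NET property that reports whether inheritance is disabled.

```powershell
# Added example (not the one-liners from the original post): list AD user objects
# whose ACL has inheritance disabled. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-UsersWithInheritanceDisabled {
    # Variant 1: read the security descriptor straight off the object.
    # AreAccessRulesProtected is TRUE when inheritance is blocked on the DACL.
    # adminCount is included because AdminSDHolder sets it to 1 on protected accounts
    # and blocks inheritance on them, which is the usual legitimate cause.
    Get-ADUser -Filter * -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, adminCount
}

function Get-UsersWithInheritanceDisabledViaAcl {
    # Variant 2: the same check through the AD: PSDrive and Get-Acl.
    Get-ADUser -Filter * | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        if ($acl.AreAccessRulesProtected) { $_ }
    }
}

Get-UsersWithInheritanceDisabled | Format-Table -AutoSize
```

When reviewing the output, accounts with `adminCount = 1` that are no longer in any protected group are worth a second look: AdminSDHolder does not undo its changes when an account leaves the group, so inheritance stays blocked and later delegation changes never reach them.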


ADFS errors and WID

Spent a bit of time today tracking down an ADFS/ WID issue. Turned out to be a silly one in the end (silly on my part actually, should have spotted the cause right away!) but it was a good learning exercise in the end. 

The issue was that ADFS refused to launch after a server reboot. The console gave an error that it couldn’t connect to the configuration database. The ADFS service refused to start and the event logs were filled with errors such as these:

The Federation Service configuration could not be loaded correctly from the AD FS configuration database.

Additional Data
Error:
ADMIN0012: OperationFault

There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
System.ServiceModel.FaultException`1[Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault]: ADMIN0012: OperationFault (Fault Detail is equal to Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault).

A SQL operation in the AD FS configuration database with connection string Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True failed.

Additional Data

Exception details:
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 – Could not open a connection to SQL Server)

The last one repeated many times. 

I hadn’t installed the ADFS server in our firm so I had no clue how it was set up. Importantly, I didn’t know it used the Windows Internal Database (WID), which you can see in the error messages above. It is possible to have ADFS work with SQL for a larger setup but that wasn’t the case here. Following some blog posts on the Internet (this and this) I downloaded SQL Server Management Studio (SSMS) and tried connecting to the WID at the path given in the error (\\.\pipe\microsoft##wid\tsql\query). That didn’t work for me – it just gave me some errors that the SQL server was unreachable. 

BTW, according to one of the blog posts it is better to launch SSMS as the user who has rights to connect to the WID database (the service account under which your ADFS service runs for instance). That didn’t help in my case (not saying the advice is incorrect, my issue was something else). Found a Microsoft blog post too that confirmed I was connecting to the correct server name – \\.\pipe\microsoft##wid\tsql\query for Windows 2012 and above; \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query for Windows 2003 & 2008 – but no go. 

That’s when I realized the WID has its own service. I had missed this initially. Trying to start that gave an error that it couldn’t start due to a login failure. This service runs under the account NT SERVICE\MSSQL$MICROSOFT##WID, and it looked like that account didn’t have the “Log on as a service” right. It looks like someone had played around with our GPOs (or moved this server to a different OU) and this account had lost its rights. 

The fix is simple – just give this account the right via GPO (or exclude the server from whatever GPO is fiddling with the “Log on as a service” right; or move this server to some other OU). Since NT SERVICE\MSSQL$MICROSOFT##WID is not a regular domain account, you can’t add it to the GPO from just any server (the account is local and only exists where WID is installed). So I opened GPMC on my ADFS server and modified the GPO to give this account the “Log on as a service” right. 
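An added example (not from the original post) that checks this condition directly on the ADFS server: it reads the WID service state and then exports the effective local security policy with `secedit` to see whether the WID virtual account holds SeServiceLogonRight. It assumes it is run elevated on a host where WID is installed, so the `NT SERVICE\MSSQL$MICROSOFT##WID` account can be resolved to a SID.

```powershell
# Added example (not from the original post): verify that the WID service account
# still holds the "Log on as a service" right (SeServiceLogonRight) on this server.
# Assumes an elevated session on a host with WID installed.

$WidServiceName = 'MSSQL$MICROSOFT##WID'          # single quotes: the $ must not expand
$WidAccount     = 'NT SERVICE\' + $WidServiceName

function Get-WidServiceState {
    # State and logon account as the Service Control Manager sees them.
    $svc = Get-CimInstance Win32_Service -Filter "Name='MSSQL`$MICROSOFT##WID'"
    if (-not $svc) { throw "Service $WidServiceName not found; is WID installed?" }
    [pscustomobject]@{ Name = $svc.Name; State = $svc.State; RunsAs = $svc.StartName }
}

function Get-ServiceLogonRightHolders {
    # Export the effective local policy (GPO-applied settings included) and read
    # the SeServiceLogonRight line from the [Privilege Rights] section.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Right-hand side is comma separated; SIDs are written as *S-1-..., names as-is.
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
}

function Test-WidHasServiceLogonRight {
    $nt  = New-Object System.Security.Principal.NTAccount($WidAccount)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $holders = Get-ServiceLogonRightHolders
    ($holders -contains "*$sid") -or ($holders -contains $WidAccount)
}

Get-WidServiceState
if (Test-WidHasServiceLogonRight) {
    'WID account holds SeServiceLogonRight'
} else {
    'WID account lacks SeServiceLogonRight: grant it under User Rights Assignment in the GPO, or move the server out of the restricting GPO scope'
}
```

Because `secedit /export` reports the merged result of local policy and applied GPOs, this is the quickest way to see what the server actually ended up with after a GPO or OU change, before opening GPMC.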

Generating certificates with SAN in NetScaler (to make it work with Chrome and other browsers)

I want to create a certificate for my NetScaler and get it working in Chrome. Creating a certificate is easy – there are Citrix docs etc for it – but Chrome keeps complaining about a missing subjectAlternativeName. This is because Chrome 58 and later ignore the Common Name (CN) field in a certificate and only check the Subject Alternative Names (SAN) field. Other browsers too might ignore the CN field if the SAN field is present (they are supposed to at least); so as a best practice it’s a good idea to fill the SAN field in my NetScaler certificate and put all the names (including the CN) in this field. 

Problem is the NetScaler web UI doesn’t have an option for specifying the SAN field. Windows CA (which is what I use internally) supports SAN when making requests, but since the CSR is usually created on the NetScaler and that doesn’t have a way of mentioning SAN, I need an alternative approach. 

Here’s one approach from a Citrix blog post. Typically the CLI loving geek in me would have taken that route and stopped at that, but today I feel like exploring GUI options. :)

So I came across the DigiCert Certificate Utility and a guide on how to generate a CSR using that. I don’t need to use the guide entirely as my CA is internal, but the tool (download link) is useful. So I downloaded it and created a certificate request. 

A bit of background on the above. I have two NetScalers: ns105-01.rockylabs.zero (IP 10.10.1.150) and ns105-02.rockylabs.zero (IP 10.10.1.160) in an HA pair. For management purposes I have a SNIP 10.10.1.170 (DNS name ns105.rockylabs.zero) which I can connect to without bothering about which one is the current primary. So I want to create a certificate that will be valid for all three DNS names and IP addresses. Hence in the Subject Alternative Names field I fill in all three names and IP addresses – note: all three names, including the one I put in the common name, since Chrome ignores that field (and other browsers are supposed to ignore the CN if SAN is present).

I click Generate and the tool generates a new CSR. I save this someplace. 

Now I need to use this CSR to generate a certificate. Typically I would have gone with the WebServer template in my internal CA, but the thing is, eventually I’ll have to import this CSR, the generated certificate, and the private key of that certificate into the NetScaler – and the default WebServer template does not allow key exporting. 

So I make a new template on my CA. This is just a copy of the default “Web Server” template, but I make a change to allow exporting of the private key (see checkbox below).

Then I create a certificate on my CA using this CSR. 

“WebServer_withKey” is the template name (as opposed to the display name). The certreq command needs the template name, not the display name. 

This will create the certificate and save it at a location I specify. 

At this point I have the CSR and the certificate. I can’t import these into the NetScaler as that also requires the private key. The DigiCert tool generates the private key automatically and keeps it with itself, so we need to import this certificate into the tool and export with key from there. This exports the certificate, along with key, into a PFX format. 
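The same CSR → certificate → PFX flow, as an added example (not from the post) done with `certreq` and an INF file instead of the DigiCert GUI tool. The SAN extension (OID 2.5.29.17) carries every DNS name and IP address, including the one in the CN; `Exportable = TRUE` makes the locally generated key exportable so the PFX can be built. The lab names and IPs are the post’s; the working folder `C:\certs`, the CA config string and the PFX password prompt are assumptions, and `WebServer_withKey` is the template name from the post.

```powershell
# Added example (not from the original post): request a SAN certificate with certreq,
# submit it to an internal CA, then export it with its key as PFX for the NetScaler.
# Assumptions: C:\certs working folder; $CaConfig is a placeholder for your CA.

$Work       = 'C:\certs'
$CaConfig   = 'CAHOST\CA-NAME'            # placeholder: "certutil -dump" shows the real value
$Template   = 'WebServer_withKey'
$CommonName = 'ns105.rockylabs.zero'
$DnsNames   = 'ns105.rockylabs.zero', 'ns105-01.rockylabs.zero', 'ns105-02.rockylabs.zero'
$IpAddrs    = '10.10.1.170', '10.10.1.150', '10.10.1.160'

function New-SanRequestInf {
    param([string]$Path)
    # certreq concatenates the _continue_ lines into one SAN value.
    $san = @($DnsNames | ForEach-Object { "dns=$_&" }) + @($IpAddrs | ForEach-Object { "ipaddress=$_&" })
    $lines = @(
        '[Version]', 'Signature="$Windows NT$"',
        '[NewRequest]',
        "Subject = `"CN=$CommonName`"",
        'KeyLength = 2048', 'KeySpec = 1', 'KeyUsage = 0xA0',
        'Exportable = TRUE',              # the key must be exportable to build the PFX later
        'MachineKeySet = TRUE',
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        'RequestType = PKCS10', 'HashAlgorithm = sha256',
        '[EnhancedKeyUsageExtension]', 'OID = 1.3.6.1.5.5.7.3.1',   # Server Authentication
        '[Extensions]', '2.5.29.17 = "{text}"'
    ) + ($san | ForEach-Object { "_continue_ = `"$_`"" })
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

function Request-SanCertificate {
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    $inf = Join-Path $Work 'ns105.inf'
    $csr = Join-Path $Work 'ns105.csr'
    $cer = Join-Path $Work 'ns105.cer'
    New-SanRequestInf -Path $inf
    certreq -new $inf $csr                                                 # generates the key locally
    certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $csr $cer
    certreq -accept $cer                                                   # binds the cert to its key
    $cer
}

function Export-PfxForNetScaler {
    param([string]$CerPath, [string]$PfxPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $pwd   = Read-Host -AsSecureString 'PFX password'
    Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" |
        Export-PfxCertificate -FilePath $PfxPath -Password $pwd | Out-Null
    $PfxPath
}

function Test-SanCoversAllNames {
    # Confirm every name and IP we care about is in the issued certificate's SAN extension.
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    $missing = @($DnsNames | Where-Object { $san -notmatch [regex]::Escape($_) }) +
               @($IpAddrs  | Where-Object { $san -notmatch [regex]::Escape($_) })
    [pscustomobject]@{ SAN = $san; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

$cer = Request-SanCertificate
Test-SanCoversAllNames -CerPath $cer
Export-PfxForNetScaler -CerPath $cer -PfxPath (Join-Path $Work 'ns105.pfx')
```

`Test-SanCoversAllNames` is the check worth keeping even if you stay with the GUI tool: it reads the SAN extension back out of the issued certificate, so a name that was dropped by the template or mistyped in the request shows up before the PFX reaches the appliance.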

This Citrix article is a good reference on the various certificate formats. It also gives instructions on how to import a PFX certificate into NetScaler.

Before proceeding however, a quick summary of the certificate formats from the same article for my own reference:

  • PFX is a format for storing a server certificate or any intermediate certificate along with private key in one encrypted file. 
    • PFX == PKCS#12 (i.e. both terms can be used interchangeably). 
  • PEM is another format. And a very common one actually. It can contain both certificates and keys, or only either separately. 
    • These are Base64 encoded ASCII files and have extensions such as .pem, .crt, .cer, or .key. 
  • DER is the binary counterpart of PEM (a PEM file is a Base64 encoding of the DER structure, so PEM can be opened in Notepad as a text file while DER cannot). 
    • These are binary files. Have extensions such as .cer and .der. (Note: .cer can be a PEM format too).

So I go ahead and import the PFX file.

And then I install a new certificate created from this imported PFX file. 

Note: After taking the screenshot I changed the first field (certificate-key pair name) to “ns105_rockylabs_zero_withKey” just to make it clear to my future self that this certificate includes the key with itself and that I won’t find a separate key file as is usually the case. The second field is the name of the PEM file that was previously created and is already on the appliance.

The certificate is successfully installed:

The next step is to go ahead and replace the default NetScaler certificate with this one. This can be done via GUI or CLI as in this Citrix article. The GUI is a bit of a chore here, so I went the CLI way. 

And that’s it! Now I can access my NetScalers over SSL using Chrome, with no issues. 

[Aside] SPNs

Trying to get people at work to clean up duplicate SPNs, and came across some links while reading about this topic. 

From the official MSDN article: A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

Basically, when a client application tries to authenticate with a service instance and the domain controller needs to issue it Kerberos tickets, the domain controller needs to know whose password to use for the service instance – is it that of the server where this instance runs, or of a service account responsible for it? This mapping of service -> service account/ computer account is an SPN. It’s of the format service/host:port and is associated with the AD account of the service account or computer account (stored in the servicePrincipalName attribute, actually).
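As an added example (not from the original post), a script that finds SPNs registered on more than one account, which is what the clean-up above is about: the KDC cannot decide whose key to encrypt the service ticket with, and authentication fails. `setspn -X` reports the same condition; this version shows which accounts collide. It needs the ActiveDirectory module, and the sample input at the end is constructed so the logic can be tried without a domain.

```powershell
# Added example (not from the original post): find SPNs registered on more than one
# AD account. Needs the ActiveDirectory module (RSAT) for the live query.
Import-Module ActiveDirectory

function Find-DuplicateSpns {
    param(
        # Objects exposing sAMAccountName and servicePrincipalName; defaults to all of AD
        [object[]]$Objects = (Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, sAMAccountName)
    )
    $owners = @{}
    foreach ($o in $Objects) {
        foreach ($spn in $o.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()          # SPN matching is case-insensitive
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object System.Collections.Generic.List[string]
            }
            $owners[$key].Add($o.sAMAccountName)
        }
    }
    foreach ($k in $owners.Keys) {
        if ($owners[$k].Count -gt 1) {
            [pscustomobject]@{ SPN = $k; Accounts = ($owners[$k] -join ', ') }
        }
    }
}

# Constructed sample: a computer account and a service account both claiming the HTTP SPN
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'WEB01$';  servicePrincipalName = @('HTTP/web01.corp.example', 'HOST/web01.corp.example') }
    [pscustomobject]@{ sAMAccountName = 'svc_web'; servicePrincipalName = @('http/web01.corp.example') }
)
Find-DuplicateSpns -Objects $sample | Format-Table -AutoSize

# Live run against the domain:
# Find-DuplicateSpns | Format-Table -AutoSize
```

The usual resolution is to decide which account the service really runs under and remove the SPN from the other one; the report above tells you which pair to look at.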

That’s all!

[Aside] DFSR links

Just putting these here as bookmarks to myself.

One of our DCs at work had the following DFSR warnings in the DFS Replication logs:

The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Additional Information:
Volume: C:
GUID: 56234A2C-C156-11E2-93E8-806E6F6E6111

Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="56234A2C-C156-11E2-93E8-806E6F6E6111" call ResumeReplication

For more information, see http://support.microsoft.com/kb/2663685.

Sounded like an easy fix, so I went ahead and tried resuming replication as directed. That didn’t work though. Got the following:

The DFS Replication service stopped replication on the folder with the following local path: D:\SYSVOL_DFSR\domain. This server has been disconnected from other partners for 154 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.

To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group.

Additional Information:
Error: 9061 (The replicated folder has been offline for too long.)
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: xxxxx
Replication Group Name: Domain System Volume
Replication Group ID: xxxxxx
Member ID: xxxxx

Yeah, bummer!

Check out this Microsoft blog post for content freshness and the MaxOfflineTimeInDays parameter. You can’t simply remove SYSVOL from DFSR replication groups via the GUI as it is a special folder, so you have to work around it. I found some forum posts and blog posts that suggested simply raising this parameter for the broken server to a number larger than the number of days it has currently been offline (154 in the above case) and then resuming replication. I wasn’t too comfortable with that. What if older changes from this server now replicate to the other servers? That could cause more damage than it’s worth. I don’t think this will happen, but why take a risk. What I really want is to force a replication onto this server from some other server. Do a non-authoritative replication, basically. So I followed the steps in this article and that worked.
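An added example (not from the original post) for looking at the DFSR state behind these two events before choosing between ResumeReplication and a non-authoritative sync. It uses the DFSR WMI provider in `root\MicrosoftDFS` (the same namespace as the `wmic` call in the first event), and parses the day counts out of the event text so the “offline too long” condition can be scripted; the message at the end is the one quoted above, used as constructed input.

```powershell
# Added example (not from the original post): inspect DFSR state and the
# "offline too long" condition on a DC. Run elevated on the affected server.

$Ns = 'root\MicrosoftDFS'

function Get-DfsrOfflineLimit {
    # The MaxOfflineTimeInDays value the event above compares against (default 60)
    (Get-CimInstance -Namespace $Ns -ClassName DfsrMachineConfig).MaxOfflineTimeInDays
}

function Get-DfsrFolderStates {
    # State codes as the provider reports them
    $names = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync';
                3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }
    Get-CimInstance -Namespace $Ns -ClassName DfsrReplicatedFolderInfo |
        Select-Object ReplicatedFolderName, ReplicationGroupName,
                      @{ n = 'State'; e = { $names[[int]$_.State] } }
}

function Get-DaysOfflineFromEvent {
    # Pull "disconnected ... for N days" and the configured limit out of the event text.
    param([string]$Message)
    if ($Message -match 'disconnected from other partners for (\d+) days.*MaxOfflineTimeInDays parameter \((\d+)\)') {
        $days = [int]$Matches[1]; $limit = [int]$Matches[2]
        [pscustomobject]@{ DaysOffline = $days; Limit = $limit; Stale = ($days -gt $limit) }
    }
}

function Get-StaleFolderEvents {
    # Scan the DFS Replication log for the condition, matched on message text rather than event ID
    Get-WinEvent -LogName 'DFS Replication' -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MaxOfflineTimeInDays' } |
        ForEach-Object { Get-DaysOfflineFromEvent -Message $_.Message }
}

function Resume-DfsrVolume {
    # PowerShell equivalent of the wmic call in the first event; only for the
    # JET/auto-recovery case, not for a folder that is stale.
    param([string]$VolumeGuid)
    $vol = Get-CimInstance -Namespace $Ns -ClassName DfsrVolumeConfig -Filter "VolumeGuid='$VolumeGuid'"
    Invoke-CimMethod -InputObject $vol -MethodName ResumeReplication
}

# Constructed check against the message text quoted in the post
Get-DaysOfflineFromEvent -Message 'This server has been disconnected from other partners for 154 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60).'
Get-DfsrOfflineLimit
Get-DfsrFolderStates | Format-Table -AutoSize
```

A folder that `Get-DfsrFolderStates` shows as `In Error` together with a `Stale = True` result is the case described above, where resuming the volume alone does nothing and the member has to be re-initialised from a partner.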

A non-authoritative sync is like a regular sync, just that it is rigged to let the source win. :p So all the existing files on the destination server are preserved. The event log gets filled with entries like these:

The DFS Replication service detected that a file was changed on multiple servers. A conflict resolution algorithm was used to determine the winning file. The losing file was moved to the Conflict and Deleted folder.

Additional Information:
Original File Path: D:\SYSVOL_DFSR\domain\Policies\{F4A04331-3C62-474A-A1CE-517F17914111}\GPT.INI
New Name in Conflict Folder: GPT-{4B7F4510-3C34-4A8A-A397-BC736AE5D9B6}-v55459.INI
Replicated Folder Root: D:\SYSVOL_DFSR\domain
File ID: {8189DA2F-DCBE-4755-A042-72154B648111}-v949
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 05ECDBE0-A0E6-4A9A-B5BE-7C404E323600
Replication Group Name: Domain System Volume
Replication Group ID: 46C8DB83-463F-459F-8785-DCB19231C52B
Member ID: 7A0E2DA6-4841-40A1-B02D-F5F341345B98
Partner Member ID: 7851F335-6824-4B0D-9978-5A5520ECD547

If you want to see where these files are now moved to check out this blog post. That post has a lot more useful info.

Thoughts on leaving things midway

When I was a kid I used to always finish whatever book I was reading. Once I reached college and was generally lost in life my reading habit took a turn for the worse and many a time I didn’t manage to finish what I began reading. I took this as a negative thing and much later when I became relatively less lost in life I started reading avidly again and tried to finish whatever I started. I didn’t read every book I bought – mostly because I was still sort of lost in life, but also because the books I started reading since college were mostly non-fiction and I just never got to reading them all due to changing interests. However, if I started a book, I did my best to complete it especially if it was fiction. 

I don’t know if this is a good decision though. I don’t have an answer either way – I am just unsure. The reason why I take this habit of “not finishing a book” as bad is coz that’s what gets drilled into your head. If you start something but don’t complete it, it’s generally frowned upon. Plus I read this essay as a child where the author said that young people do more coz they don’t have a choice – they are forced to do things by school or parents etc and so they do what they are told even if they don’t like it, and generally manage to make something of it – but as we grow older we have choices and so become spoilt/ pampered and just give up the first time something doesn’t go our way. 

I get these points but nowadays I also feel that maybe wasting time finishing something just coz we have to finish it is probably just a waste of time. Yes it’s an accomplishment that you don’t leave things half way, but maybe it’s better to just restrict this philosophy to stuff that matters? Like say if you are a person who does a half job of everything – then yes, not good! But maybe you try and do a good job of most things, and mostly succeed too, so perhaps it is ok to ignore it when it comes to some areas (such as reading)? I don’t know. 

If I am watching a TV show or movie and leave it midway I don’t chide myself. But I do when it comes to reading a book. That’s because reading a book is more effort than watching something, but end of the day both are entertainment after all. If the objective is to be entertained then why must I give more importance and suffering when it comes to reading?

One reason why I am thinking all this now is due to Audible. They have their Great Listen guarantee wherein if you don’t like an audiobook you can return it. That’s amazing coz sometimes I just don’t like an audiobook – not coz of the narrator or narration or quality etc, I just don’t like it. But since Audible is giving me permission to return it back I don’t have any guilt that oh I bought something and will be wasting money not listening to it. If I am not enjoying it, I can return it – period. There’s nothing Bad involved. Wish similar programs existed for eBooks too!

Recently for instance I started reading two books. “The 100 Year Old Man Who Climbed Out Of The Window and Disappeared” and also “The Winter Fortress”. 

“The 100 Year” is great in movie form, and sort of interesting in reading form. I guess coz that sort of content translates well to a movie structure with good score and camera work etc; while if you are reading it all the coincidences and luck get trite after a while. 

“The Winter Fortress” is a great non-fiction book about the efforts during World War II to destroy a factory in Norway that produced heavy water (used in making nuclear bombs). I read about a third of it and it was a great read. I didn’t know most of it. Then I got side tracked with some other stuff (father in law passing away) and I lost the flow. Now I am trying to get back into it and not in the mood coz I simply have lost the flow. I tried to cheat by purchasing the audiobook version but a) I am still not managing to get into the mood and b) the narrator wasn’t that great (I didn’t like his voice). But I was able to return the audiobook thanks to Audible and so felt no guilt, but I had a heavy heart deciding what to do about the eBooks. Finally I decided it was pointless wasting more time with these two books and so decided to move on. And thought I’d write this post too putting my thoughts down. :)

Part of me feels bad at leaving these two books midway. But (a larger) part of me is relieved at moving on coz I would just have been depressed trying to get “entertained” with these books and not getting anywhere. 

Recently I also finished hearing James Franco’s narration of Stephen King’s “The Dark Zone”. This book was nothing like I expected – coz it was quite detailed and the overall plot was simple but what mattered was the details and descriptions and thoughts etc – and while I struggled to finish through it, I didn’t let go because it was manageable. I knew it was only a case of me expecting something else, but the book was well written and narrated and I could hold on till the end. Sometimes it’s worth it; sometimes (like now) it isn’t. Just got to make a case by case decision I think rather than some overarching “policy”. 

TV Updates

Think it’s been a while since I posted any TV watching updates. :)

Broadchurch – Season 3

An amazing season and a wonderful end to a great show. Everything about this season was great. The plot, the characters, the music, just everything … you will be missed!

Medici: Masters of Florence

Happened to see this on Netflix and checked it out. Nothing great, but worth a watch if you have nothing else to do. The actor who played the main chap (Cosimo) had a dead look about himself. Not sure if that’s intentional. The music is great, including the opening title sequence (which is there on Apple Music). The stories were enlightening in that I wasn’t aware of how much interaction there was between the Church and banks. The show started slowly but became better as it progressed. I remember binge watching the last few episodes coz I was curious what would happen. 

Peaky Blinders

On the last episode of Season 1 currently. A good show so far – enjoying it. Not too fast but not too slow either. Good characters, great set/ lighting/ camera work. Good music. I began watching it coz it’s created by Steven Knight, who directed “Locke” which was an amazing movie. Cillian Murphy & Sam Neill are great. Looking forward to Tom Hardy in the next season. 

Baahubali

Wanted to put this somewhere and didn’t seem to be worth a blog post of its own. I re-watched “Baahubali: The Beginning” a few days ago – mainly to refresh myself and also for the benefit of my daughter who hadn’t seen it. Then saw “Baahubali: The Conclusion” yesterday. Both movies are filled with typical South Indian heroism where the hero can do just about anything and everyone else just watches in awe; and all the women are mesmerized by the hero, with the heroine usually being a strong/ arrogant character until she meets the hero after which he manages to “break” her (kind of like how you’d break a bull) and then she too is all smitten by him. The latter had an overdose of heroism, which frankly I couldn’t bear, but has a lot more special effects and some amazing scenes. Definitely watch it for these. Whatever I feel about the heroism, the director S.S. Rajamouli is a genius for envisioning this sort of stuff.

I guess I hate these heroism kind of movies coz I grew up watching these in Hindi and Tamil movies which were filled with these, and to my child mind that seemed to be how the world is – where if you are a good person you are a hero and have special powers and can do good and move mountains, and everyone looks up to you – but as I grew up and reality hit, I realized that the world isn’t like this. So my mind sort of revolts at this misinformation. I have nothing against super hero movies coz these usually have an origin story or something that explains why the heroes are “super”; I am only against movies where regular heroes are just able to do super things for no reason except that they are a hero and this is a movie. That gets to me. I know movies are unreal and movies such as Baahubali are fantasy – but when it becomes too fantastical my mind is unable to digest it and I lose interest in the movie. 

Self-learning; picking up new stuff

I realize over time that I am not good at learning things. As in, if I have to pick up something because say it’s a new topic and I must read about it, or maybe there’s an exam/ certification I want to clear and so must study for it – I just can’t do these kinds of tasks. I am also not good at just picking up stuff by doing it – like say maybe learn Linux by installing a distro and spending some time with it. I just don’t work that way. 

I knew this from before but used to consider this a negative quality of mine, mixed with fears that maybe I am not good enough. But nowadays I realize that while it still is not a good way to be, that’s just how I am and there’s no point overly thinking about it. Just have to take it in the stride. 

Like now for instance – I attended a Citrix course some months back and want to do its certification. Thought I’d get the list of objectives and course material and read through it and prepare myself. But I am just unable to focus. Knowing this nature of mine I had previously tried setting up a Citrix lab to get a hang of stuff. While that was a better success than this current idea of reading, that too didn’t get to the point I want to because I am not good at creating my own objectives – especially when I know it’s a “fake” one. It’s sort of like how I enjoy walking, but ask me to do a treadmill or just walk outdoors for exercise and I can’t do it. I’ll walk if there’s a need to – I don’t hate walking, in fact I love walking and think I am quite good at it – but I am not going to go for walks just for kicks. Weather and mood permitting I might for a walk just to listen to some podcast or an audio book; but that wouldn’t be coz I want to walk, it would be coz I want to listen to something and walking will let me do it peacefully. 

This is a difficult situation to be in when you are an IT professional. If your workplace is one where there’s plenty of new projects happening or things to do, it is a good state coz I know I will jump into these and quickly pick stuff up and do wonders; but if your workplace is not of that sort then I will get bored and get into a rut soon – stagnating and becoming pretty useless. This nature leaves me at the mercy of my environment than letting me be a self-driven person. That sucks!

Anyways, time to go back and read Citrix. Enough distractions via blogging. :)

[Aside] Citrix VDI Best Practices for XenApp and XenDesktop 7.6 LTSR

This is an amazing document! Skimming through the PDF version and I am blown away. Some day when I have to make Citrix related decisions, this is the document I will be turning to. (Came across it via the Citrix blog, so thank you!)

There’s also a XenDesktop handbook but I haven’t read it yet. 

Rakshadhikari Baiju Oppu – a slice of life

Saw the mallu movie “Rakshadhikari Baiju Oppu” today. It was a delightful watch. Slightly long and the ending was kind of sad; but I loved it. It’s the sort of movie that doesn’t really have any story. It’s like the director/ story writers just captured a slice of life in a village and its characters (centered around a chap called Baiju, played by Biju Menon). The movie reminded me of Adam Sandler’s “Grown Ups”. They are not the same but very similar. Both movies, to me, have a similar feel – as if someone dipped into the water of and bottled a bit of it for us to see and enjoy. 

“Rakshadhikari” touches on many things. Friendship, sports, studies, life, love, failed love, new gen, old gen, happiness, sadness … and Baiju is sort of the central character in all of this. He is not the hero or main person or anything like that. He’s not a Rajnikanth :) just someone who is there and whom everyone looks up to, makes fun of, can depend upon … As one of his friends said before the intermission he is a lucky man who’s happy. People run around trying to find happiness – Baiju just is happy. It’s not like he is doing anything to gain respect or be happy – he just does what he likes and is. 

The movie isn’t preachy. Nor tries to take a side in old vs new or nature vs technology etc. It makes fun of FB and relationships over FB but at the same time highlights the benefits of social apps like WhatsApp that let two old friends keep in touch. Even the hospital that takes over the playground in the end isn’t portrayed in a negative light. Hospitals are useful and that is subtly mentioned in a scene. And the only message the movie ends with in the end is that all this progress and running towards wealth and career and ambition etc is good but we must not forget playgrounds and chilling out.. simple. The movie doesn’t even end on a high note like a typical “movie” might do – with some forced happy ending. Life isn’t always happy; it’s more sadness than happiness, one might say, but it moves on and you take it in that (sportsman) spirit and go along with it… and that’s how the movie too ends. 

Check it out! I liked it.