Sunday, April 25, 2021

Recent Questions - Server Fault

authenticate ASP.Net App on Azure WS2019 against Azure SQL via AAD - Access token could not be acquired No mapping between account names and securi

Posted: 25 Apr 2021 10:38 PM PDT

I am trying to reconfigure our ASP.Net app (.Net Framework 4.7.2) from SQL username/password authentication to token-based Azure Active Directory authentication, using the system-assigned managed identity of the VM running the web site.

I started with https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell

  • Enabled AD Admin on SQL Server
  • created an AAD group, in which I added the SMI of the VM
  • created a user in SQL for each database with "FROM EXTERNAL PROVIDER"

and I can log on to the SQL Server with SSMS using the AAD MFA authentication.

On the VM I installed https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication & https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/ by copying the DLLs to the bin directory of the website.

In web.config I added the two SqlAuthenticationProviders sections with the public key token and a reconfigured connection string:

    <add name="Master" connectionString="server=tcp:xxxxdb01.privatelink.database.windows.net,1433;Initial Catalog=master_dev;UID=app;Authentication=Active Directory Interactive;TrustServerCertificate=True" providerName="System.Data.SqlClient" />

IIS, after several errors about not being able to find the DLLs, finally gave this error:

    Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: https://login.windows.net/97293BC6-059A-4DCB-9520-7FF64761E91E. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Failed to get user name from the operating system.Inner Exception : No mapping between account names and security IDs was done.

I thought about the link between the "System assigned managed identity", which is authorized on the database, and the ASP.Net app running on the VM. How does IIS get the managed identity to authenticate against SQL?

Postfix Can't Receive Internet Email - warning: SASL: Connect to /var/spool/postfix/private/auth failed

Posted: 25 Apr 2021 10:26 PM PDT

Using CentOS 8, I've set up dovecot and postfix and tested that:

  • I can sign in as an authenticated user
  • Read email (IMAP)
  • Send email to the same/different account on the server
  • Send email outbound, to an internet mail server
  • Server does not act as an open relay

I can't receive email from an outside (internet) email server. I can clearly see attempts made to deliver email.

Inside /var/log/maillog I see the following lines (replacing the host name with <emailserver>):

    Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: warning: SASL: Connect to /var/spool/postfix/private/auth failed: No such file or directory
    Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: fatal: no SASL authentication mechanisms

A larger scope of the log (with debugging turned on; 00.00.0.000 is my email server's internet IP):

    Apr 25 22:27:23 <emailserver> postfix/submission/smtpd[565409]: connect from unknown[00.00.0.000]
    Apr 25 22:27:23 <emailserver> postfix/submission/smtpd[565409]: disconnect from unknown[00.00.0.000] ehlo=1 mail=0/1 quit=1 commands=2/3
    Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: connect from unknown[00.00.0.000]
    Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: Anonymous TLS connection established from unknown[00.00.0.000]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: warning: SASL: Connect to /var/spool/postfix/private/auth failed: No such file or directory
    Apr 25 22:27:48 <emailserver> postfix/submission/smtpd[565409]: fatal: no SASL authentication mechanisms
    Apr 25 22:27:49 <emailserver> postfix/master[404333]: warning: process /usr/libexec/postfix/smtpd pid 565409 exit status 1
    Apr 25 22:30:32 <emailserver> postfix/smtpd[565512]: connect from <emailserver>.<tld>[00.00.0.000]
    Apr 25 22:30:40 <emailserver> postfix/smtpd[565512]: SSL_accept error from <emailserver>.<tld>[00.00.0.000]: lost connection
    Apr 25 22:30:40 <emailserver> postfix/smtpd[565512]: lost connection after CONNECT from <emailserver>.<tld>[00.00.0.000]
    Apr 25 22:30:40 <emailserver> postfix/smtpd[565512]: disconnect from <emailserver>.<tld>[00.00.0.000] commands=0/0
    Apr 25 22:32:02 <emailserver> postfix/smtpd[565532]: warning: hostname zg-0416a-115.stretchoid.com does not resolve to address 192.241.214.121: Name or service not known
    Apr 25 22:32:02 <emailserver> postfix/smtpd[565532]: connect from unknown[192.241.214.121]
    Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
    Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
    Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    Apr 25 22:32:02 <emailserver> postfix/smtpd[565532]: fatal: no SASL authentication mechanisms
    Apr 25 22:32:02 <emailserver> dovecot[403811]: auth: Debug: auth client connected (pid=0)
    Apr 25 22:32:03 <emailserver> postfix/master[404333]: warning: process /usr/libexec/postfix/smtpd pid 565532 exit status 1
    Apr 25 22:32:03 <emailserver> postfix/master[404333]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    Apr 25 22:33:43 <emailserver> postfix/anvil[565533]: statistics: max connection rate 1/60s for (smtp:192.241.214.121) at Apr 25 22:32:02
    Apr 25 22:33:43 <emailserver> postfix/anvil[565533]: statistics: max connection count 1 for (smtp:192.241.214.121) at Apr 25 22:32:02
    Apr 25 22:33:43 <emailserver> postfix/anvil[565533]: statistics: max cache size 1 at Apr 25 22:32:02
    Apr 25 22:37:32 <emailserver> postfix/smtpd[565650]: connect from unknown[37.49.225.144]
    Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
    Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
    Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    Apr 25 22:37:32 <emailserver> dovecot[403811]: auth: Debug: auth client connected (pid=0)
    Apr 25 22:37:32 <emailserver> postfix/smtpd[565650]: fatal: no SASL authentication mechanisms
    Apr 25 22:37:33 <emailserver> postfix/master[404333]: warning: process /usr/libexec/postfix/smtpd pid 565650 exit status 1
    Apr 25 22:37:33 <emailserver> postfix/master[404333]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    Apr 25 22:38:33 <emailserver> postfix/smtpd[565666]: connect from unknown[00.00.0.000]
    Apr 25 22:38:33 <emailserver> postfix/smtpd[565666]: fatal: no SASL authentication mechanisms
    Apr 25 22:38:33 <emailserver> dovecot[403811]: auth: Debug: auth client connected (pid=0)
    Apr 25 22:38:34 <emailserver> postfix/master[404333]: warning: process /usr/libexec/postfix/smtpd pid 565666 exit status 1
    Apr 25 22:38:34 <emailserver> postfix/master[404333]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
    Apr 25 22:39:35 <emailserver> postfix/smtpd[565697]: connect from unknown[185.220.205.196]

I can clearly see the directory exists:

    [root@emailserver ~]# ls -lZ /var/spool/postfix/private/auth
    srw-rw----. 1 postfix postfix system_u:object_r:postfix_private_t:s0 0 Apr 18 23:58 /var/spool/postfix/private/auth

Also no SELinux denials/errors...

    [root@emailserver ~]# grep "denied" /var/log/audit/audit.log
    [root@emailserver ~]# grep "SELinux is preventing" /var/log/messages
    [root@emailserver ~]#

The dovecot config, checked against "Connect to private/auth failed: No such file or directory":

    [root@<emailserver> ~]# dovecot -n
    # 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
    # OS: Linux 4.18.0 x86_64 CentOS Linux release
    # Hostname: <emailserver>.<tld>
    auth_debug = yes
    auth_debug_passwords = yes
    auth_mechanisms = plain login
    auth_username_format = %n
    first_valid_uid = 1000
    mail_location = maildir:~/Maildir
    mail_privileged_group = mail
    mbox_write_locks = fcntl
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        auto = create
        special_use = \Drafts
      }
      mailbox Junk {
        auto = create
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        auto = create
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      driver = pam
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
      unix_listener auth-userdb {
        group = postfix
        mode = 0666
        user = postfix
      }
    }
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
      }
    }
    ssl_ca = </etc/pki/tls/certs/<emailserver>.<tld>.ca-bundle
    ssl_cert = </etc/pki/tls/certs/<emailserver>_<tld>.crt
    ssl_cipher_list = PROFILE=SYSTEM
    ssl_key = # hidden, use -P to show it
    userdb {
      driver = passwd
    }
    protocol lmtp {
      hostname = <emailserver>.<tld>
      postmaster_address = postmaster@<emailserver>.<tld>
    }

The postfix config (I assume the 'noanonymous' has something to do with my problem?):

    [root@<emailserver> ~]# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    command_directory = /usr/sbin
    compatibility_level = 2
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    html_directory = no
    inet_interfaces = all
    inet_protocols = all
    mail_owner = postfix
    mailbox_transport = lmtp:unix:private/dovecot-lmtp
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    meta_directory = /etc/postfix
    mydestination = <emailserver>.<tld>, $myhostname, localhost.$mydomain, localhost
    mydomain = <emailserver>.<tld>
    myorigin = <emailserver>.<tld>
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix/README_FILES
    sample_directory = /usr/share/doc/postfix/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    shlib_directory = /usr/lib64/postfix
    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
    smtp_tls_CApath = /etc/pki/tls/certs/
    smtp_tls_loglevel = 1
    smtp_tls_security_level = may
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = /var/spool/postfix/private/auth
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_cert_file = /etc/pki/tls/certs/<emailserver>.<tld>.crt
    smtpd_tls_key_file = /etc/pki/tls/private/<emailserver>_<tld>.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_security_level = may
    smtputf8_enable = no
    unknown_local_recipient_reject_code = 550
    virtual_transport = dovecot
    [root@<emailserver> ~]#

The /etc/postfix/master.cf file:

    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (no)    (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      #-o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
      -o smtpd_sasl_path=/var/spool/postfix/private/auth
    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      -o smtpd_tls_wrappermode=yes
      #-o smtpd_recipient_restrictions=reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
      -o smtpd_sasl_path=/var/spool/postfix/private/auth
    #smtp      inet  n       -       n       -       1       postscreen
    #smtpd     pass  -       -       n       -       -       smtpd
    #dnsblog   unix  -       -       n       -       0       dnsblog
    tlsproxy  unix  -       -       n       -       0       tlsproxy
    submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      #-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
      -o smtpd_sender_restrictions=reject_sender_login_mismatch
      # -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_type=dovecot
      #-o smtpd_sasl_path=private/auth
    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       n       -       -       qmqpd
    pickup    unix  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr

As per another SF question the sasl package is installed:

    [root@emailserver ~]# dnf install cyrus-sasl-plain
    Last metadata expiration check: 0:59:13 ago on ... PM CDT.
    Package cyrus-sasl-plain-2.1.27-5.el8.x86_64 is already installed.
    Dependencies resolved.
    Nothing to do.
    Complete!
    [root@emailserver ~]#

Any help resolving this would be greatly appreciated.
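As an added illustration (not part of the question), the POSIX shell audit below applies two rules from the Postfix SASL documentation to the configuration quoted above: with chroot=y in master.cf every path, including smtpd_sasl_path, is resolved relative to queue_directory, and smtpd_sasl_security_options=noplaintext removes PLAIN and LOGIN from the mechanisms Dovecot offers. The master.cf sample is constructed from the question's file; QUEUE_DIRECTORY, MAIN_SASL_PATH and DOVECOT_SOCKET are copied from the postconf -n and dovecot -n output, and the function names are mine.

```shell
#!/bin/sh
# Added audit helper, not from the question. Applies two documented Postfix
# rules to the configuration quoted above:
#  1. master.cf chroot=y makes smtpd resolve smtpd_sasl_path relative to
#     queue_directory, so an absolute path no longer points at the socket;
#  2. smtpd_sasl_security_options=noplaintext removes PLAIN and LOGIN from the
#     mechanisms Dovecot offers (noanonymous removes ANONYMOUS).

QUEUE_DIRECTORY=/var/spool/postfix              # postconf -n: queue_directory
MAIN_SASL_PATH=/var/spool/postfix/private/auth   # postconf -n: smtpd_sasl_path
DOVECOT_SOCKET=/var/spool/postfix/private/auth   # dovecot -n: unix_listener path

# Constructed sample modelled on the master.cf in the question. Columns:
# service type private unpriv chroot wakeup maxproc command ('-' = default, no chroot).
MASTER_CF_SAMPLE='smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_path=/var/spool/postfix/private/auth
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  #-o smtpd_sasl_path=private/auth
pickup    unix  n       -       n       60      1       pickup'

# audit_sasl_sockets [master.cf text]: one line per inet smtpd service,
# "service chroot real_socket_path", real_socket_path being what smtpd opens.
audit_sasl_sockets() {
  printf '%s\n' "${1:-$MASTER_CF_SAMPLE}" |
  awk -v main_path="$MAIN_SASL_PATH" -v qdir="$QUEUE_DIRECTORY" '
    function emit(  path, real) {
      if (svc == "") return
      path = (ovr != "") ? ovr : main_path          # per-service -o wins over main.cf
      if (chroot == "y") {                          # chrooted: relative to queue_directory
        real = qdir "/" ((path ~ /^\//) ? substr(path, 2) : path)
      } else if (path ~ /^\//) {                    # not chrooted: absolute path as given
        real = path
      } else {                                      # not chrooted: daemon cwd is queue_directory
        real = qdir "/" path
      }
      print svc, chroot, real
    }
    /^[^ \t#]/ {                                    # service definition line
      emit(); svc = ""; ovr = ""
      if ($2 == "inet" && $8 == "smtpd") { svc = $1; chroot = ($5 == "y") ? "y" : "n" }
      next
    }
    svc != "" && $1 == "-o" && $2 ~ /^smtpd_sasl_path=/ { ovr = substr($2, 17) }
    END { emit() }'
}

# sasl_socket_for <service>: the resolved socket path for one service
sasl_socket_for() {
  audit_sasl_sockets | awk -v s="$1" '$1 == s { print $3 }'
}

# misrouted_services: services whose resolved path is not the Dovecot listener
misrouted_services() {
  audit_sasl_sockets | awk -v want="$DOVECOT_SOCKET" '$3 != want { print $1 }'
}

# allowed_mechanisms "<dovecot auth_mechanisms>" "<smtpd_sasl_security_options>"
# Prints the mechanisms Postfix still advertises after filtering, upper-cased.
allowed_mechanisms() {
  opts=$(printf '%s' "$2" | tr -d ' ')
  out=""
  for m in $1; do
    u=$(printf '%s' "$m" | tr '[:lower:]' '[:upper:]')
    case ",$opts," in
      *,noplaintext,*) case $u in PLAIN|LOGIN) continue ;; esac ;;
    esac
    case ",$opts," in
      *,noanonymous,*) if [ "$u" = ANONYMOUS ]; then continue; fi ;;
    esac
    out="$out $u"
  done
  printf '%s\n' "${out# }"
}

printf 'service chroot resolved_socket\n'
audit_sasl_sockets
printf 'misrouted: %s\n' "$(misrouted_services)"
printf 'port 25 without TLS (noanonymous, noplaintext): [%s]\n' \
  "$(allowed_mechanisms 'plain login' 'noanonymous, noplaintext')"
printf 'after STARTTLS (noanonymous only):              [%s]\n' \
  "$(allowed_mechanisms 'plain login' 'noanonymous')"
```

Run it as-is to see the constructed sample evaluated, or feed a real file with `audit_sasl_sockets "$(cat /etc/postfix/master.cf)"` after adjusting the three variables to `postconf -h queue_directory` / `postconf -h smtpd_sasl_path` on the host.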

difference between creating server via nova and heat

Posted: 25 Apr 2021 09:19 PM PDT

What are the pros and cons of creating a server via nova versus a heat stack?

When should we use nova, and when should we use heat?

Find VFAT Partition on USB bus

Posted: 25 Apr 2021 09:15 PM PDT

I have to find a way to mount the first "external" vfat partition on 250 different headless hosts via shell. It could be sdb sdb1 sdc sdc1 etc. I need the device name to mount it with ansible for further processing.

Normally I would go like

    lsblk -lno PATH,HOTPLUG,FSTYPE | awk '/sd.*1.*vfat/{print $1}'

but:

  • Some of the hosts don't have lsblk; they are too old (util-linux-2.17)
  • Some of the sticks are FAT16, some FAT32
  • The partitions don't have a special label or UUID
  • Sometimes it is even the whole device instead of a partition
  • It has to run in ansible, so preferably no loops

Any ideas?

Thanks in advance.

New Kubernetes IngressClass resource and only specifying IngressClassName (nginx ingress controller)

Posted: 25 Apr 2021 08:59 PM PDT

Summary

I am specifying an IngressClassName without a corresponding IngressClass resource and it is unexpectedly working fine; my understanding was you need to define the IngressClass resource as well. Previously we were using the annotation based approach, kubernetes.io/ingress.class, so I am migrating to the new way.

Details

My reading of the above doc makes me think if you set IngressClassName as follows

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
      labels:
        app: example-service.example.com
        manager: nginx-ingress-controller
      name: example
    spec:
      ingressClassName: example-com-public
      rules:
      - host: example-service.example.com
        http:
          paths:
          - backend:
              serviceName: example-service
              servicePort: 8080
            path: /

Then there needs to be an IngressClass with name example-com-public. However, in our cluster this is not the case, since we are migrating from the old annotation-only approach. Yet everything works. It seems we may not need to create IngressClass resources?

How to control AWS EC2 live from a web app

Posted: 25 Apr 2021 08:57 PM PDT

We are building some penetration testing stations (both attack & target) for a hackathon in AWS VPC and I need a way to control the following in a live setting:

  • VPN connection access: if someone does something bad, or misbehaves in the forums, we need a way to revoke their access immediately

  • EC2 state reset (we will probably use Ansible for this)

What I envision is a nice clean dashboard with squares for each user and a kill switch. The app itself is outside scope of the Q but you get my idea.

Is there a way to control AWS like this from a web app? Is CDK capable of handling this? It doesn't appear as though Terraform is suitable.

ssh tunnel for https SOAP web service

Posted: 25 Apr 2021 08:19 PM PDT

I need to consume a web service from my local computer, but the web service allows only predefined IPs, so I need to consume the service via a middle host which has an IP allowed to reach the web service host. So I need to do something like ssh tunnel hopping:

    Local computer(mac) ---> middle host(ubuntu) ---> https soap web service
                        <---                     <---

My local computer is a mac, middle host is ubuntu linux and the service is a https service.

First I want to ask: is this a possible scenario?

Then, what I've tried and what I've achieved:

I initiated a tunnel with ssh command:

    ssh -L 8443:service_url:443 -Nf root@middle_host_ip

I'm using the SoapUI app to test the connection, but I got a javax.net.ssl.SSLException connection reset error.

On the ssh connection side I got a "channel 2: open failed: connect failed: Name or service not known" error.

The URLs I tried in the SoapUI application are https://localhost:8443 and https://127.0.0.1:8443

I also updated the /etc/host file, to check if the problem was about it, as:

    127.0.0.1       service_url
    255.255.255.255 broadcasthost
    ::1             localhost

But I still got the same error.

Is there an easier way to test the connection, and is there an obvious mistake I'm making?

Thanks.

How to ignore destroy and recreate operation on AWS with Terraform?

Posted: 25 Apr 2021 07:59 PM PDT

Since I did an AWS provider version upgrade earlier, the current AWS RDS option groups have gone from 1 to 2. Maybe Terraform did it (created a new one and will delete the old one). But the old option group is in use, so it can't be deleted in AWS.

Now, running terraform plan again, I get:

svc1

    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      - destroy

    Terraform will perform the following actions:

      # module.db.module.db_option_group.aws_db_option_group.this[0] (deposed object 012390131) will be destroyed
      - resource "aws_db_option_group" "this" {
          - arn                      = "arn:aws:rds:us-east-1:02312091831:og:svc-mysql-20210102020102020202" -> null
          - engine_name              = "mysql" -> null
          - id                       = "svc-mysql-20210102020102020202" -> null
          - name                     = "svc-mysql-20210102020102020202" -> null
          - name_prefix              = "svc-mysql-" -> null
          - option_group_description = "Option group for svc-mysql" -> null

          - timeouts {
              - delete = "15m" -> null
            }
        }

    Plan: 0 to add, 0 to change, 1 to destroy.

It will delete the old group.

svc2

    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      ~ update in-place
      - destroy
    +/- create replacement and then destroy

    Terraform will perform the following actions:

      # module.db.module.db_instance.aws_db_instance.this[0] will be updated in-place
      ~ resource "aws_db_instance" "this" {
          ~ apply_immediately                     = true -> false
            id                                    = "svc2-mariadb"
            name                                  = "svc2"
          ~ option_group_name                     = "svc2-mariadb-202102020101002020320-2021030202020101010" -> (known after apply)
            # (44 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }

      # module.db.module.db_option_group.aws_db_option_group.this[0] must be replaced
    +/- resource "aws_db_option_group" "this" {
          ~ arn                      = "arn:aws:rds:us-east-1:02312091831:og:svc2-mariadb-202102020101002020320-2021030202020101010" -> (known after apply)
          ~ id                       = "svc2-mariadb-202102020101002020320-2021030202020101010" -> (known after apply)
          ~ name                     = "svc2-mariadb-202102020101002020320-2021030202020101010" -> (known after apply)
          ~ name_prefix              = "svc2-mariadb-202102020101002020320-" -> "svc2-mariadb-" # forces replacement
          ~ tags                     = {
              ~ "Name"        = "svc2-mariadb-202102020101002020320" -> "svc2-mariadb"
                # (2 unchanged elements hidden)
            }
            # (3 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }

      # module.db.module.db_option_group.aws_db_option_group.this[0] (deposed object 46f85f7a) will be destroyed
      - resource "aws_db_option_group" "this" {
          - arn                      = "arn:aws:rds:us-east-1:02312091831:og:svc2-mariadb-202102020101002020320" -> null
          - engine_name              = "mariadb" -> null
          - id                       = "svc2-mariadb-202102020101002020320" -> null
          - name                     = "svc2-mariadb-202102020101002020320" -> null
          - name_prefix              = "svc2-mariadb-" -> null
          - option_group_description = "Option group for svc2-mariadb" -> null

          - timeouts {
              - delete = "15m" -> null
            }
        }

    Plan: 1 to add, 1 to change, 2 to destroy.

It will create a new one and delete the old group.

How to ignore these operations with Terraform? Neither of them is what we want to do.

The db module in our service uses the aws rds module. Even if I download this module locally and add a lifecycle ignore in its db_option_group module resource, how do I avoid these 2 services' changes?

Apache 2.4 mod_ldap "Require ldap-group" not working

Posted: 25 Apr 2021 07:53 PM PDT

I have a RHEL 7 server running Apache 2.4 with multiple vhosts. I am having an issue with basic auth using mod_ldap to authenticate against Active Directory. My vhost config looks like this

    <AuthnProviderAlias ldap FDUAD-SAM>
        AuthLDAPUrl "ldaps://adserver.fdu.edu:3269/DC=fdu,DC=edu?sAMAccountName?sub"
        AuthLDAPBindDN CN=ad-user,DC=fdu,DC=edu
        AuthLDAPBindPassword "P@ssW0rd"
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap FDUAD-UPN>
        AuthLDAPUrl "ldaps://adserver.fdu.edu:3269/DC=fdu,DC=edu?userPrincipalName?sub"
        AuthLDAPBindDN CN=ad-user,DC=fdu,DC=edu
        AuthLDAPBindPassword "P@ssW0rd"
    </AuthnProviderAlias>

    <Directory "/var/www/html">
        Options Indexes FollowSymLinks MultiViews
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPGroupAttribute member

        AuthLDAPMaxSubGroupDepth 0
        AuthLDAPSubGroupAttribute member
        AuthLDAPSubGroupClass group

        AllowOverride AuthConfig
        AuthType Basic
        AuthName "For FDU personnel only (use FDU NetID and password to login)"
        AuthBasicProvider FDUAD-SAM FDUAD-UPN
        <RequireAll>
            Require method GET
            <RequireAny>
                Require ldap-group CN=group1,OU=Users,DC=fdu,DC=edu
                Require ldap-group CN=group2,OU=Users,DC=fdu,DC=edu
                Require ldap-group CN=group3,OU=Users,DC=fdu,DC=edu
                Require ldap-group CN=group4,OU=Users,DC=fdu,DC=edu
                Require ldap-group CN=group5,OU=Users,DC=fdu,DC=edu
                Require ldap-group CN=group6,OU=Users,DC=fdu,DC=edu
                Require ldap-group CN=group7,OU=Users,DC=fdu,DC=edu
            </RequireAny>
        </RequireAll>
    </Directory>

Here's what I see in the logs

If I do "Require valid-user" everything works fine. I don't believe Apache is retrieving attributes. I have tried dumping the AUTHENTICATE_ and AUTHORIZE_ variables. The only one I see set is AUTHENTICATE_SAMACCOUNTNAME.

    [Sun Apr 25 21:54:19.171000 2021] [socache_shmcb:debug] [pid 23967:tid 140333123143424] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x98 -> subcache 24)
    [Sun Apr 25 21:54:19.171637 2021] [socache_shmcb:debug] [pid 23967:tid 140333123143424] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
    [Sun Apr 25 21:54:19.171648 2021] [socache_shmcb:debug] [pid 23967:tid 140333123143424] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/194
    [Sun Apr 25 21:54:19.171660 2021] [socache_shmcb:debug] [pid 23967:tid 140333123143424] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
    [Sun Apr 25 21:54:19.171816 2021] [ssl:debug] [pid 23967:tid 140333123143424] ssl_engine_kernel.c(377): [client x.x.x.x:57752] AH02034: Initial (No.1) HTTPS request received for child 129 (server dev-server.fdu.edu:443)
    [Sun Apr 25 21:54:19.171830 2021] [mod_shib:debug] [pid 23967:tid 140333123143424] mod_shib.cpp(369): [client x.x.x.x:57752] get_request_config created per-request structure
    [Sun Apr 25 21:54:19.172026 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of Require method GET: granted
    [Sun Apr 25 21:54:19.172050 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of Require ldap-group CN=group1,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172057 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of Require ldap-group CN=group2,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172063 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of Require ldap-group CN=group3,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172069 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of Require ldap-group CN=group4,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172075 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of Require ldap-group CN=group5,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172081 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of Require ldap-group CN=group6,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172086 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of Require ldap-group CN=group7,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172092 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172096 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
    [Sun Apr 25 21:54:19.172101 2021] [authz_core:debug] [pid 23967:tid 140333123143424] mod_authz_core.c(820): [client x.x.x.x:57752] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Sun Apr 25 21:54:24.173455 2021] [ssl:debug] [pid 23967:tid 140333106358016] ssl_engine_io.c(1103): [client x.x.x.x:57752] AH02001: Connection closed to child 131 with standard shutdown (server dev-server.fdu.edu:443)
    [Sun Apr 25 21:54:31.858538 2021] [socache_shmcb:debug] [pid 23965:tid 140333131536128] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0xb5 -> subcache 21)
    [Sun Apr 25 21:54:31.858624 2021] [socache_shmcb:debug] [pid 23965:tid 140333131536128] mod_socache_shmcb.c(849): AH00847: insert happened at idx=1, data=(180:212)
    [Sun Apr 25 21:54:31.858633 2021] [socache_shmcb:debug] [pid 23965:tid 140333131536128] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/2, data_pos/data_used=0/374
    [Sun Apr 25 21:54:31.858644 2021] [socache_shmcb:debug] [pid 23965:tid 140333131536128] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
    [Sun Apr 25 21:54:31.859476 2021] [ssl:debug] [pid 23965:tid 140333131536128] ssl_engine_kernel.c(377): [client x.x.x.x:58070] AH02034: Initial (No.1) HTTPS request received for child 0 (server dev-server.fdu.edu:443)
    [Sun Apr 25 21:54:31.859526 2021] [mod_shib:debug] [pid 23965:tid 140333131536128] mod_shib.cpp(369): [client x.x.x.x:58070] get_request_config created per-request structure
    [Sun Apr 25 21:54:31.859893 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require method GET: granted
    [Sun Apr 25 21:54:31.859923 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group1,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859946 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group2,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859952 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group3,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859959 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group4,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859965 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group5,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859971 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group6,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859976 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group7,OU=Users,DC=fdu,DC=edu: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859982 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859987 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.859992 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Sun Apr 25 21:54:31.860111 2021] [authnz_ldap:debug] [pid 23965:tid 140333131536128] mod_authnz_ldap.c(523): [client x.x.x.x:58070] AH01691: auth_ldap authenticate: using URL ldaps://adserver.fdu.edu:3269/DC=fdu,DC=edu?sAMAccountName?sub
    [Sun Apr 25 21:54:33.604924 2021] [authnz_ldap:debug] [pid 23965:tid 140333131536128] mod_authnz_ldap.c(620): [client
x.x.x.x:58070] AH01697: auth_ldap authenticate: accepting testuser  [Sun Apr 25 21:54:33.604986 2021] [mod_shib:debug] [pid 23965:tid 140333131536128] mod_shib.cpp(934): [client x.x.x.x:58070] shib_auth_checker entered in pid (23965)  [Sun Apr 25 21:54:33.605137 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require method GET: granted  [Sun Apr 25 21:54:33.605152 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group1,OU=Users,DC=fdu,DC=edu: denied  [Sun Apr 25 21:54:33.605158 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group2,OU=Users,DC=fdu,DC=edu: denied  [Sun Apr 25 21:54:33.605164 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group3,OU=Users,DC=fdu,DC=edu: denied  [Sun Apr 25 21:54:33.605170 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group4,OU=Users,DC=fdu,DC=edu: denied  [Sun Apr 25 21:54:33.605176 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group5,OU=Users,DC=fdu,DC=edu: denied  [Sun Apr 25 21:54:33.605181 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group6,OU=Users,DC=fdu,DC=edu: denied  [Sun Apr 25 21:54:33.605187 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of Require ldap-group CN=group7,OU=Users,DC=fdu,DC=edu: 
denied  [Sun Apr 25 21:54:33.605192 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of <RequireAny>: denied  [Sun Apr 25 21:54:33.605196 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of <RequireAll>: denied  [Sun Apr 25 21:54:33.605201 2021] [authz_core:debug] [pid 23965:tid 140333131536128] mod_authz_core.c(820): [client x.x.x.x:58070] AH01626: authorization result of <RequireAny>: denied  [Sun Apr 25 21:54:33.605205 2021] [authz_core:error] [pid 23965:tid 140333131536128] [client x.x.x.x:58070] AH01631: user testuser: authorization failure for "/":  
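The debug log above is hard to read by eye because mod_authz_core evaluates every Require directive twice: once before any credentials are checked (every "denied (no authenticated user yet)" line is that expected pre-auth pass) and once after mod_authnz_ldap has accepted the user. The following triage script is an added example, not from the question; it groups the log by client socket and reports only the clients whose LDAP bind succeeded (AH01697) but who then failed every Require ldap-group directive, which isolates the group-membership check as the failing step. The sample lines are constructed in the page's log format with shortened pid/tid values.

```python
import re
from collections import defaultdict

# Messages of interest in the mod_authz_core / mod_authnz_ldap debug log.
AUTHZ_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH01626: authorization result of "
    r"(?P<directive>.+?): (?P<result>granted|denied)"
    r"(?P<preauth> \(no authenticated user yet\))?$"
)
ACCEPT_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH01697: auth_ldap authenticate: accepting (?P<user>\S+)"
)
FAIL_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] AH01631: user (?P<user>\S+): '
    r'authorization failure for "(?P<uri>[^"]*)"'
)


def triage(lines):
    """Group the log by client socket: the authenticated user, the pre-auth
    denials (expected: authz runs once before credentials are checked) and
    the post-auth verdict per Require directive."""
    report = defaultdict(lambda: {"user": None, "pre_auth_denials": [],
                                  "post_auth": {}, "failure": None})
    for line in lines:
        if m := ACCEPT_RE.search(line):
            report[m["client"]]["user"] = m["user"]
        elif m := FAIL_RE.search(line):
            report[m["client"]]["failure"] = m["uri"]
        elif m := AUTHZ_RE.search(line):
            entry = report[m["client"]]
            if m["preauth"]:
                entry["pre_auth_denials"].append(m["directive"])
            else:
                entry["post_auth"][m["directive"]] = m["result"]
    return dict(report)


def ldap_group_failures(report):
    """Clients whose user authenticated (AH01697) but then failed every
    Require ldap-group directive: the group lookup, not the bind, fails."""
    out = {}
    for client, entry in report.items():
        if entry["user"] is None or entry["failure"] is None:
            continue  # never authenticated, or never actually denied
        denied_groups = []
        for directive, result in entry["post_auth"].items():
            m = re.match(r"Require ldap-group (\S+)", directive)
            if m and result == "denied":
                denied_groups.append(m.group(1))
        if denied_groups:
            out[client] = {"user": entry["user"], "groups": denied_groups,
                           "uri": entry["failure"]}
    return out


def _dbg(ts, client, msg):
    """Constructed authz_core debug line in the page's format (pid/tid shortened)."""
    return (f"[Sun Apr 25 {ts} 2021] [authz_core:debug] [pid 23965:tid 1] "
            f"mod_authz_core.c(820): [client {client}] {msg}")


GROUP = "Require ldap-group CN=group{}.OU=Users,DC=fdu,DC=edu".replace(".", ",", 1)
SAMPLE_LOG = [  # constructed sample, mirrors the question's log
    _dbg("21:54:19.172069", "x.x.x.x:57752", f"AH01626: authorization result of {GROUP.format(1)}: denied (no authenticated user yet)"),
    _dbg("21:54:19.172092", "x.x.x.x:57752", "AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)"),
    _dbg("21:54:31.859893", "x.x.x.x:58070", "AH01626: authorization result of Require method GET: granted"),
    _dbg("21:54:31.859923", "x.x.x.x:58070", f"AH01626: authorization result of {GROUP.format(1)}: denied (no authenticated user yet)"),
    "[Sun Apr 25 21:54:31.860111 2021] [authnz_ldap:debug] [pid 23965:tid 1] mod_authnz_ldap.c(523): [client x.x.x.x:58070] AH01691: auth_ldap authenticate: using URL ldaps://adserver.fdu.edu:3269/DC=fdu,DC=edu?sAMAccountName?sub",
    "[Sun Apr 25 21:54:33.604924 2021] [authnz_ldap:debug] [pid 23965:tid 1] mod_authnz_ldap.c(620): [client x.x.x.x:58070] AH01697: auth_ldap authenticate: accepting testuser",
    _dbg("21:54:33.605137", "x.x.x.x:58070", "AH01626: authorization result of Require method GET: granted"),
    _dbg("21:54:33.605152", "x.x.x.x:58070", f"AH01626: authorization result of {GROUP.format(1)}: denied"),
    _dbg("21:54:33.605158", "x.x.x.x:58070", f"AH01626: authorization result of {GROUP.format(2)}: denied"),
    _dbg("21:54:33.605192", "x.x.x.x:58070", "AH01626: authorization result of <RequireAny>: denied"),
    '[Sun Apr 25 21:54:33.605205 2021] [authz_core:error] [pid 23965:tid 1] [client x.x.x.x:58070] AH01631: user testuser: authorization failure for "/":',
]

if __name__ == "__main__":
    for client, f in ldap_group_failures(triage(SAMPLE_LOG)).items():
        print(f"{client}: {f['user']} authenticated via LDAP but is in none of "
              f"{len(f['groups'])} required groups -> denied {f['uri']}")
```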

Hello friends, I have an issue with my Kali Linux network

Posted: 25 Apr 2021 07:41 PM PDT


I'm connecting using a wireless Ralink 802.11n WLAN adapter. I made a screenshot of service network manager status and here are the results. Any help appreciated.

Can I use IIS 10 on Windows Server 2012 R2 to serve pages over HTTP/2?

Posted: 25 Apr 2021 07:12 PM PDT

My server is Windows Server 2012 R2.

Currently running an ASP.NET 4.8 web site with IIS 8.5.

I want to be able to serve HTTP/2.

Can I just install IIS 10 Express and start serving my websites?

Anyone have experience?

I plan to test on a Hyper-V machine, but I would appreciate your experience and feedback.

I am using Let's Encrypt SSL

These are my current settings


escalation.sh returns `RTNETLINK answers: Cannot assign requested address` in EC2

Posted: 25 Apr 2021 06:18 PM PDT

I'm creating a database cluster with PostgreSQL 11 and Pgpool-II v4.2.2 on CentOS 8 on EC2.
Both PostgreSQL and Pgpool-II are on the same server, and the cluster consists of 3 servers.
I set it up as in https://www.pgpool.net/docs/latest/en/html/example-cluster.html, but when I start the pgpool service, the status of all the secondary servers is unused in the show pool_nodes command. In the pgpool log I found RTNETLINK answers: Cannot assign requested address, so I think this is the cause, but I don't know how to fix it. Can anyone help me? Or should I use an Elastic IP?
Thanks

Why are random reads on NVME SSD slower than sequential reads?

Posted: 25 Apr 2021 05:23 PM PDT

NVME flash SSDs can operate on data in parallel. So why is it that random IO is still slower than sequential IO on SSDs?

How to open a socket on EC2 instance?

Posted: 25 Apr 2021 05:47 PM PDT

I want to send webcam video from my laptop to an AWS EC2 instance.

I'm trying to follow suggestions from here and code from here.

The issue I'm facing is that I do not know how to open a socket and listen for incoming traffic on EC2. My EC2 is an Amazon Linux free tier instance. No matter what I try I can't get it to work.

I added an inbound rule to allow TCP traffic on the port I want to listen to.

If it helps, binding to a port doesn't seem to be an issue but it seems that the code gets stuck on socket.accept() line of code from link 2.

I would appreciate if somebody showed me how to do this properly.

Deploying WordPress with Portainer and editing afterwards

Posted: 25 Apr 2021 07:05 PM PDT

I have deployed a WordPress container through Portainer and all is well with the container actually working. However, when I try to find the files locally to edit, I cannot. Did I miss a step? What do I need to do to put the data on my local Mac file system or create symlinks during the deployment of the container?

When I use docker compose up -d to deploy the stack, I can see the files start to appear in my VS Code workspace.

I know I can docker exec -it name bash into the container, but I cannot see and edit that locally within my macOS file system.

Thanks community!

Domain registrar says I need to provide at least two DNS servers

Posted: 25 Apr 2021 09:21 PM PDT

I'm trying to build a home server: example.com should be bound to my global IP 123.xx.xx.456 through the dynamic DNS setting of my Wi-Fi router (a TP-Link router).

But the problem is that the domain registrar says I need to provide at least two DNS servers for some reason, whereas the router setting only allows a single server, e.g. myhostname.tplinkdns.com, but not two, e.g. myhostname.tplinkdns.com and myhostname02.tplinkdns.com.

So, is there any way to workaround this issue?

What makes an SELinux-caused EACCES not get logged in audit?

Posted: 25 Apr 2021 10:28 PM PDT

I've got a system with Samba running with the standard targeted policy for Fedora.

At some point Samba tries to access a directory tagged unconfined_u:object_r:unlabeled_t:s0 and fails. Through strace I can see:

lstat("/data", 0x7ffcabcad570) = -1 EACCES (Permission denied)   

I expected this to get logged in audit with other policy violations, but it was not. What can prevent the report in this case?

firewalld rich rules don't drop incoming traffic (CentOS 8 behind a NAT)

Posted: 25 Apr 2021 07:06 PM PDT

G'day,

I've got a small development server at my home with ports 80 and 443 forwarded from my modem.

To restate the title in the form of a question for the down-voter:

Why doesn't the firewall drop the incoming traffic from the IPv4 addresses that are listed in the rich rules?

Background: As you would expect, 'bots and baddies' ™ are looking for various things that a) don't exist, and b) would be bad if they got into. So I have a script that pulls IP addresses from logs, which then end up in the firewall.

However, the firewall isn't dropping the connections. Addresses that are added on previous days are present in the new rules to be added and the logs again on subsequent days.

Details: The command that puts in the rich rules is this:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='165.227.87.0/24' reject"  

However some rules were entered manually, and have extra info:

rule family="ipv4" source address="74.120.14.0/24" log prefix="Censys Scanner" reject  

While the newer ones are simply

rule family="ipv4" source address="42.224.165.0/24" reject  

(those last two are rules copied from the output of firewall-cmd --list-all)

The active zone is public, which isn't explicitly noted in the rule, as I read that without it specified the rule applies to the active zone.

While researching this, I realised that I might be in an unexpected situation with the modem port-forwarding to the machine, rather than having it in a DMZ or hosted externally. The Apache logs show the internet-facing IP addresses of the http/s client machines, and I've been assuming that these are the addresses presented to the firewall.

(netstat -tn does show a current connection to an external IPv4 address, but I can't establish if that's inbound or outbound.)

Other things to note:

  • The firewall is reloaded after adding new rules
  • The server reboots every night
  • This server was CentOS Stream, but I converted it to CentOS 8
  • The firewall is active, enabled and functional (firewall-cmd --state returns 'running')
  • I've just executed firewall-cmd --complete-reload for the first time as I wrote this.

Any ideas?

-- Edit (1) --

I've only had a short time to observe this, but it appears that executing firewall-cmd --complete-reload may have had some positive effect. The processing of the rules has not found any duplicates.
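The question's script scrapes client addresses from the logs and feeds them into rich rules, and the symptom is that the same addresses come back the next day. An added example (not the question's script): before emitting a new rule, check each logged address against the rich rules already present, using the two rules quoted above as the existing set. An address that is already covered by a rule yet still shows up in the web log is evidence that the existing rule is not matching the packets as they reach the host; re-adding it changes nothing, so that is where to look. The logged client addresses here are constructed from documentation ranges, and the /24 aggregation and IPv4-only assumption mirror the question's own command.

```python
import ipaddress
import re

# One firewalld rich rule as printed by `firewall-cmd --list-rich-rules`, or as
# passed to --add-rich-rule (single or double quotes).
RICH_RE = re.compile(
    r"""rule family=["'](?P<family>ipv4|ipv6)["'] source address=["'](?P<addr>[^"']+)["']"""
    r""".*?\b(?P<action>accept|reject|drop)\b"""
)


def parse_rich_rules(text):
    """Return [(network, action)] for every source-address rich rule in text."""
    rules = []
    for line in text.splitlines():
        m = RICH_RE.search(line.strip())
        if m:
            rules.append((ipaddress.ip_network(m["addr"], strict=False), m["action"]))
    return rules


def covering_rule(rules, ip):
    """First rule whose source range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return net, action
    return None


def plan(rules, logged_ips, prefixlen=24):
    """Split web-log client IPs into already-covered addresses and new /24s.

    A covered address that still appears in the web log means the existing
    rule is not matching the packets as they reach the host; adding the same
    rule again (the duplicates described in the question) cannot change that.
    Assumes IPv4 addresses, as the question's command does."""
    covered, to_add = {}, []
    for ip in logged_ips:
        hit = covering_rule(rules, ip)
        if hit:
            covered[ip] = str(hit[0])
            continue
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        if net not in to_add:
            to_add.append(net)
    return covered, to_add


def firewall_cmds(nets):
    """Commands in the same form the question's script uses."""
    return [
        f"firewall-cmd --permanent --add-rich-rule=\"rule family='ipv{net.version}' "
        f"source address='{net}' reject\""
        for net in nets
    ]


# Existing rules, copied from the question's `firewall-cmd --list-all` output.
EXISTING_RULES = """
rule family="ipv4" source address="74.120.14.0/24" log prefix="Censys Scanner" reject
rule family="ipv4" source address="42.224.165.0/24" reject
"""

# Constructed client addresses as a log-scraping script would extract them
# (two fall inside the existing rules, two share one new /24, one is alone).
LOGGED_IPS = ["74.120.14.33", "198.51.100.7", "42.224.165.9",
              "198.51.100.200", "203.0.113.5"]

if __name__ == "__main__":
    rules = parse_rich_rules(EXISTING_RULES)
    covered, to_add = plan(rules, LOGGED_IPS)
    for ip, net in covered.items():
        print(f"{ip}: already covered by {net}; check why that rule is not taking effect")
    for cmd in firewall_cmds(to_add):
        print(cmd)
```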

Best way to install cfn-bootstrap utilities on CentOS 8

Posted: 25 Apr 2021 05:17 PM PDT

I'm working on a CentOS 8 based instance/launch configuration in AWS and would like to use cfn-init to manage some of the setup/provisioning steps.

However, I'm finding that the provided RPM does not deploy, since the way Python2 and Python3 have been packaged up differs enough that the AWS supplied RPM can't find its dependencies.

The command I'm using to install is: yum install -y https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.amzn1.noarch.rpm

This is resulting in the following error:

Error:
 Problem: conflicting requests
  - nothing provides python >= 2.6 needed by aws-cfn-bootstrap-1.4-34.noarch
  - nothing provides python-setuptools needed by aws-cfn-bootstrap-1.4-34.noarch
  - nothing provides python-daemon needed by aws-cfn-bootstrap-1.4-34.noarch
  - nothing provides pystache needed by aws-cfn-bootstrap-1.4-34.noarch

Which I suspect is because what was python in CentOS <= 7 is now python2 in CentOS 8.

What would be the best way to install these tools in this instance?

How do I specify disk size for new machine instance for Azure?

Posted: 25 Apr 2021 09:34 PM PDT

I want to create a new NC6 instance (for my GPU and ML work). A few days ago I created my first NC6 instance; it was a 150 GB standard SSD one, which was too much for me, so I tried to change the disk to a lower-priced one, but I noticed you cannot shrink the disk or swap it for a smaller or HDD one. So I ended up deleting the instance and am now trying to create a new one, but here there seems to be no way to change the disk size: it seems you can change "OS disk type" from SSD to HDD, but not the disk size, e.g. from 150 GB to 32 GB. So, how do I specify the disk size for a new machine instance on Azure? Thanks.

https://yuis.xsrv.jp/images/ss/ShareX_ScreenShot_f2220036-99c5-49c1-abad-ee0caf8c4bd3.png

Can Linux kernel support RSTP (802.1w)?

Posted: 25 Apr 2021 09:59 PM PDT

Last week, I ran Spanning Tree Protocol (STP) in Linux kernel successfully.

Now, I am trying to support Rapid Spanning Tree Protocol (RSTP) in Linux kernel.

I also found some solutions in user space such as mstpd (https://github.com/mstpd/mstpd). However, I want to find a solution in the kernel.

I searched for patches on the internet but can't find anything. Is there any limitation that prevents the Linux kernel from supporting RSTP?

When do you have to use quotes in Nginx configuration?

Posted: 25 Apr 2021 10:01 PM PDT

I've seen people use excessive quotes:

add_header 'Access-Control-Allow-Origin' '*';  

I've seen people use no quotes:

add_header Access-Control-Allow-Origin *;  

Both work fine as far as I know, so when do you actually have to use quotes?

Can an Exchange Online distribution group be configured to forward mail to its users' alternate email?

Posted: 25 Apr 2021 07:07 PM PDT

I've been trying to figure out how to create a distribution list containing personal email addresses for all our staff. This could be done by adding each staff member as a mail contact with their personal email address and adding those mail contacts to a distribution group, but it seems silly to have both a user and a mail contact for each staff member.

Active Directory Online has a field for "alternative email address". Is there a way to use either that or a custom user field to populate a distribution group and then have email sent to that group forwarded to its members' alternate address, or to the address in a custom field for each user?

mount(2): Stale file handle NFS after update server to Debian 8

Posted: 25 Apr 2021 07:07 PM PDT

I've got several servers that mount NFS from a remote backup server.

Everything worked until I did an update on the NFS server to Debian Jessie.

Now some machines work and others do not.

I tried several docs on the internet about the problem and did not get a solution.

mount -t nfs -vv stor01.KIKO.net:/srv/storage/backup/srv107/backupremote /backupremote2/
final mount options: '(null)'
mount.nfs: timeout set for Thu Jun 23 15:22:54 2016
mount.nfs: trying text-based options 'vers=4,addr=195.154.xx.xx,clientaddr=5.135.xx.xx'
mount.nfs: mount(2): Stale file handle
mount.nfs: trying text-based options 'vers=4,addr=195.154.xx.xx,clientaddr=5.135.xx.xx'
mount.nfs: mount(2): Stale file handle
mount.nfs: trying text-based options 'vers=4,addr=195.154.xx.xxx,clientaddr=5.135.xx.xx'
mount.nfs: mount(2): Stale file handle

Server

/etc/exports
/srv/storage/backup/srv105    176.31.XX.xx(sync,no_root_squash,rw,nohide)  # WORK FINE
/srv/storage/backup/srv107    5.135.XX.xx(sync,no_root_squash,rw,nohide)  # NOT WORK

The two clients have the same CentOS 7 version.

Tried rebooting server and clients... nothing... some clients work, others don't.

SOLVED

The problem is not a trivial one. I had updated my systems to XFS and put in a large disk (20TB).

I found this question, Big XFS filesystem NFS export mount fails with stale nfs handle, and read XFS & Inode64 to understand the concept.

After this, I removed the disk and reformatted it with the older ext4 filesystem ;-)

How do big companies like YouTube load balance traffic with only one IP? [duplicate]

Posted: 25 Apr 2021 05:25 PM PDT

Examining the A records for youtube.com (for example), I see only one IP address.

How can this be possible, given the volume of traffic they handle?

Do they use anycast with load balancers behind it?

OpsCenter 5.1 add existing cluster

Posted: 25 Apr 2021 08:12 PM PDT

I have recently removed the old OpsCenter and installed the new OpsCenter 5.1. When I try to add an existing cluster to OpsCenter I keep getting the error "Error creating cluster: Timeout while adding cluster. Please check the log for details on the problem."

The OpsCenter logs:

2015-03-06 21:37:56+0000 []  WARN: Unable to find a matching cluster for node with IP        [u'xx.xxx.x.177', u'fe80:0:0:0:8d1:ff:fe01:a40e%2', u'0:0:0:0:0:0:0:1%1', u'127.0.0.1'];  the message was [u'5.1.0', u'/1540438085/conf'].   This usually indicates that an OpsCenter agent is still running on an old node that was decommissioned or is part of a cluster that OpsCenter is no longer monitoring.  

This message keeps repeating

The DataStax agent logs:

ERROR [Initialization] 2015-03-06 21:41:42,414 Can't connect to Cassandra, retrying
com.datastax.driver.core.exceptions.NoHostAvailableException: All host(s) tried for query failed (tried: /127.0.0.1:9042 (com.datastax.driver.core.TransportException: [/127.0.0.1:9042] Cannot connect))
    at com.datastax.driver.core.ControlConnection.reconnectInternal(ControlConnection.java:220

Although the agent says it's not able to connect to Cassandra, I am able to connect to the cluster using DevCenter. The nodetool status looks good.

I tried restarting the agents and opscenter without any success

The previous OpsCenter version was working fine before upgrading to OpsCenter 5.1. DataStax Cassandra version being used: 4.0.1

Thanks, Murali

SQL error log can't create/write to file

Posted: 25 Apr 2021 08:12 PM PDT

I'm quite new to server administration but a keen learner, so if I miss anything or you need any extra info let me know and I'll do my best to provide it ASAP :)

I'm running WordPress on a developer plan VPS over at Media Temple (meaning I have root access, everything is managed by me, etc.). My OS is Fedora, Apache is the latest version, and I am using MariaDB for MySQL.

When trying to read/write menus from the WP admin panel Apache writes this to its error log:

[Fri Dec 13 04:28:59.296672 2013] [:error] [pid 11195] [client (my IP, omitted)] WordPress database error Can't create/write to file '/var/tmp/#sql_1ff_0.MAI' (Errcode: 2) for query (**lots of different queries**)  

This error repeats for about 20 different queries, and I've checked with perror that error code 2 for SQL means "No such file or directory".

I would contact my host about this problem, but as I said I'm on a developer plan meaning they won't help me with anything. Generally from Googling around I can find an answer or solution but in this case I've come up with nothing.

Nginx/Apache not accessible from outside, SSH is accessible. Firewall disabled

Posted: 25 Apr 2021 09:08 PM PDT

I have ports 37000-37100 redirected to my computer. SSH is accessible when listening on any of these ports (by default I'm using 37022, but I tried 37080 and it's OK).

I can only access Nginx on a local IP (example: http://192.168.49.198:37080), though. When I try to connect from outside (http://our_network's_ip:37080), the browser times out after a while. PLEASE READ UPDATE BELOW. I installed Apache just to make sure and it's the same. Stock install, only the ports are changed.

UFW is disabled.

I've done this a hundred times on various home networks and it always worked. This time it's an office network and I'm not the person who configures the router. I'd say the problem's there, but SSH is working...

Ubuntu 12.10.

Any ideas?

UPDATE: actually I can access my computer from outside networks, I only can't access my computer FROM my own network when I use my network's "external" IP.

Allow SFTP but disallow SSH?

Posted: 25 Apr 2021 09:16 PM PDT

I'm starting a very small hosting company for a few friends and small clients, nothing big.

I want to give my "clients" the right to manage their files on the server. I hate FTP as it is not secure and is, in my opinion, obsolete.

So I'd like to allow my users to connect through SFTP but not allow them to connect through SSH. (I know, I know, SFTP is using SSH). But I was just wondering, is it possible?

So I wouldn't have to install a FTP service on the server and everything would be awesome!

nginx regex characters that require quoting?

Posted: 25 Apr 2021 09:08 PM PDT

So I was configuring nginx today and I hit a weird problem. I was trying to match a location like this:

location ~ ^/([0-9]+)/(.*) {
    # do proxy redirects
}

...for URLs like "http://my.domain.com/0001/index.html".

This rule was never matching, despite the fact that by all rights it should. It took me a while to figure out, based on this documentation, that some characters in regexes need to be quoted. The problem is, the documentation is for rewrites, and it specifically calls out curly braces, not square brackets. After a fair bit of experimentation that involved a lot of swearing, I discovered that I could fix the problem by quoting the regex like so:

location ~ "^/([0-9]+)/(.*)" {
    # do proxy redirects
}

Is there a list somewhere of characters that nginx requires quoting regexes with? Or could there be something else going on here that I'm totally missing? This is my first nginx configuration job, so it's very possible I've misunderstood something...
