Saturday, May 22, 2021

Recent Questions - Server Fault



How to setup a proxy radius server (FreeRadius 3)

Posted: 22 May 2021 04:27 PM PDT

I am trying to setup a proxy Freeradius server that forwards all requests to another Freeradius server.

For reference see the following picture:

Proxy radius server via VPN

The reason for this setup is that I want users to be able to connect to the local LAN via VPN, but the local site is not accessible due to NAT implemented at the ISP.

I am however able to make a site2site VPN connection from local LAN to the VPN server, so I want users to be able to make a VPN connection to the local network via the public VPN server, provided they are a valid user on the local net.

I have a Freeradius server running on the local LAN that validates users against a database - and that part is working fine.

Configuration VPN server side

As far as I understand the only thing I need to modify on the server is the file proxy.conf.

Assuming usernames logging onto the VPN are of the form users@example.com, then I would only need to add the following entry to proxy.conf:

realm example.com {
    type = radius
    secret = VeryS3cretPassw0rd
    authhost = local-radius.example.com:1812
    accthost = local-radius.example.com:1813
    nostrip
}

The nostrip entry makes sure that the proxied request does not remove the @-postfix from the username.

I would also need to add the following to /etc/hosts:

# VPN Address of local-radius.example.com
192.168.100.2   local-radius.example.com

Configuration local radius server side

On the local radius server I need to update client.conf so that any queries to the local radius server originating from the VPN IP address are permitted. For instance, this entry:

client vpn-net {
    # Allow requests originating from VPN subnet.
    ipaddr = 192.168.100.0/24
    secret = VeryS3cretPassw0rd
}

Running the following command on the VPN server works as expected:

radtest -t mschap user@example.com SecretPassword local-radius.example.com:1812 0 VeryS3cretPassw0rd

I get the following response back:

Sent Access-Request Id 108 from 0.0.0.0:47466 to 192.168.100.2:1812 length 148
        User-Name = "user@example.com"
        MS-CHAP-Password = "SecretPassword "
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "SecretPassword"
        MS-CHAP-Challenge = ....
        MS-CHAP-Response = ...
Received Access-Accept Id 108 from 192.168.100.2:1812 to 192.168.100.1:47466 length 84
        MS-CHAP-MPPE-Keys = ...
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4

However running the following command on the VPN server fails:

radtest -t mschap user@example.com SecretPassword localhost:18120 0 testing123

The output from the command is:

Sent Access-Request Id 104 from 0.0.0.0:39558 to 127.0.0.1:18120 length 148
        User-Name = "user@example.com"
        MS-CHAP-Password = "SecretPassword"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "SecretPassword"
        MS-CHAP-Challenge = ...
        MS-CHAP-Response = ...
Received Access-Reject Id 104 from 127.0.0.1:18120 to 127.0.0.1:39558 length 20
(0) -: Expected Access-Accept got Access-Reject

Running the command freeradius -X on the VPN server gives, among other things, this output:

(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.com" for User-Name = "user@example.com"
(0) suffix: Found realm "example.com"
(0) suffix: Adding Realm = "example.com"
(0) suffix: Proxying request from user user@example.com to realm example.com
(0) suffix: Preparing to proxy authentication request to realm "example.com"
(0)     [suffix] = updated
(0) ntdomain: Request already has destination realm set.  Ignoring
(0)     [ntdomain] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = updated
(0) There was no response configured: rejecting request

Monitoring freeradius on the local net indicates that the server was never called from the VPN server, so what am I missing?

How do I find my server?

Posted: 22 May 2021 06:31 PM PDT

I have a private NuGet server that I've been using for several years. I need to debug an issue on the server; the trouble is I can't find any record of it, and I don't know where this site is hosted. I thought it would be on Azure, but it's not listed there. How can I find the host?

Cron Job to move files not running

Posted: 22 May 2021 10:22 PM PDT

I added this command to my crontab, but it's not working. I saved it in both my user and root crontab, but neither is working.

* * * * * [ $(ls -al /media/cyper/evo_1tb | grep plot | wc -l) -gt 0 ] && [ $(ps aux | grep mv | grep -v grep | wc -l) -eq 0 ] && mv /media/cyper/evo_1tb/*.plot /media/cyper/Farm5

grep CRON /var/log/syslog

shows it is being executed, but no files are being copied.

May 22 23:53:01 Plotter CRON[1010104]: (root) CMD ([ $(ls -al /media/cyper/evo_1tb | grep plot | wc -l) -gt 0 ] && [ $(ps aux | grep mv | grep -v grep | wc -l) -eq 0 ] && mv /media/cyper/evo_1tb/*.plot /media/cyper/Farm5)
May 22 23:53:01 Plotter CRON[1010105]: (cyper) CMD ([ $(ls -al /media/cyper/evo_1tb | grep plot | wc -l) -gt 0 ] && [ $(ps aux | grep mv | grep -v grep | wc -l) -eq 0 ] && mv /media/cyper/evo_1tb/*.plot /media/cyper/Farm5)
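As an added example (not the poster's crontab entry and not an answer from the thread), here is the same move written as a cron-safe shell function. Two properties of the original one-liner are worth avoiding: the `ps aux | grep mv` guard also matches the `sh -c '... mv ...'` process that cron itself starts to run the command line, so that condition is never true under cron; and an unmatched `*.plot` glob is passed to `mv` as a literal name. The function below uses an atomic `mkdir` lock instead of process grepping, tests each glob match before moving it, and returns the number of files moved. The source, destination and lock paths are parameters so the logic can be exercised against a constructed temporary tree; the default lock path is a hypothetical choice.

```shell
#!/bin/sh
# Added example (not the poster's crontab entry): move *.plot files from SRC to DST
# in a way that is safe to run every minute from cron.
#   $1 = source directory, $2 = destination directory,
#   $3 = lock directory (hypothetical default; any private path works)
move_plots() {
    src="$1"
    dst="$2"
    lockdir="${3:-/tmp/move_plots.lock}"

    # mkdir is atomic, so it doubles as a lock: a second instance fails here.
    # This replaces grepping ps(1), which also matches cron's own
    # "sh -c ... mv ..." process and therefore never lets the move run.
    if ! mkdir "$lockdir" 2>/dev/null; then
        echo "move_plots: another instance holds $lockdir" >&2
        return 2
    fi

    moved=0
    for f in "$src"/*.plot; do
        # An unmatched glob stays the literal string "*.plot"; skip it
        # instead of handing a non-existent path to mv.
        [ -e "$f" ] || continue
        mv -- "$f" "$dst"/ && moved=$((moved + 1))
    done

    rmdir "$lockdir"
    echo "$moved"
}

# When run as a script (not sourced), act on the arguments given, e.g. from crontab
# with absolute paths (cron's PATH is minimal) and output captured for inspection:
# * * * * * /usr/local/bin/move_plots.sh /media/cyper/evo_1tb /media/cyper/Farm5 >>/var/log/move_plots.log 2>&1
if [ "$#" -ge 2 ]; then
    move_plots "$@"
fi
```

Because every branch reports through its exit status and a count on stdout, a failing run leaves a visible trace in the redirected log rather than silently doing nothing, which is the debugging gap the question describes.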

Minimum and maximum number of packets to figure out all routes for a network with distance-vector routing

Posted: 22 May 2021 01:56 PM PDT

What is the minimum and maximum number of packets needed to figure out all routes in a network with 8 nodes and distance-vector routing, such that no two nodes are separated from each other by more than 4 nodes? Which topologies do these numbers suggest? Please explain the process by which the answer is reached.

postfix/sasl/pam (mysql) auth error

Posted: 22 May 2021 05:01 PM PDT

I've followed the tutorial at http://flurdy.com/docs/postfix/ to set up an email server, and most of it works (after switching from Courier to Dovecot). Just not sending email through SMTP. Sending with sendmail works.

This is what I see in /var/log/auth.log when I try to send an email with Thunderbird:

May 22 18:45:59 myserver postfix/submission/smtpd[16560]: sql auxprop plugin using mysql
May 22 18:45:59 myserver saslauthd[16141]: pam_unix(smtp:auth): check pass; user unknown
May 22 18:45:59 myserver saslauthd[16141]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 22 18:46:01 myserver saslauthd[16141]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
May 22 18:46:01 myserver saslauthd[16141]:                 : auth failure: [user=user1] [service=smtp] [realm=myserver.nl] [mech=pam] [reason=PAM auth error]
May 22 18:46:01 myserver saslauthd[16142]: pam_unix(smtp:auth): check pass; user unknown
May 22 18:46:01 myserver saslauthd[16142]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 22 18:46:04 myserver saslauthd[16142]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
May 22 18:46:04 myserver saslauthd[16142]:                 : auth failure: [user=user1] [service=smtp] [realm=myserver.nl] [mech=pam] [reason=PAM auth error]

(I'm logged in as user1@myserver.nl, and IMAP works.)

And I can see something query mysql for user user1@myserver.nl, but there are so many processes, daemons and configs working together that I have no idea which part fails.

A summary:

  • postfix is set up to use sasl (in /etc/postfix/main.cf and /etc/postfix/sasl/smtpd.conf)
  • saslauthd is set up to use pam (in /etc/default/saslauthd)
  • pam smtp is set up to use mysql for its user db (but it never seems to?) (in /etc/pam.d/smtp)

The sql_select from /etc/postfix/sasl/smtpd.conf is used to query for user1. I can see changes there in the mysql log.

The configured table and columns in /etc/pam.d/smtp are never used. Changes there don't do anything.

testsaslauthd only 'works' for me if I add -f /var/spool/postfix/var/run/saslauthd/mux, but it ALWAYS returns a NO "authentication failed" and NEVER queries mysql, so I've no idea how that could ever work. But the auth.log output is very similar to the output from Thunderbird's real request (that does trigger a mysql query/lookup):

May 22 18:59:56 myserver saslauthd[16756]: pam_unix(imap:auth): check pass; user unknown
May 22 18:59:56 myserver saslauthd[16756]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 22 18:59:58 myserver saslauthd[16756]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
May 22 18:59:58 myserver saslauthd[16756]:                 : auth failure: [user=user1@myserver.nl] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

And then there's the password hash. I've set up Dovecot to only accept SSL and use the plaintext password (users.clear). I don't know if the hashed password (users.crypt) is correct, or if it's even used by Postfix. I've tried all combinations in all config files. The auth.log output is always the same. No details.

Thunderbird tells me it can't send the message, and then shows a kind of error message: ... "unexpected error 80004005" ... "could not be sent for an unknown reason". That doesn't seem like a wrong password error, but an internal server error somewhere. But no horrible error messages in the logs...

After adding some debug level somewhere (sorry I can't remember, so many config files!!) the syslog contains more on the smtp connection:

May 22 19:10:45 myserver postfix/submission/smtpd[16779]: SSL_accept:SSLv3/TLS read finished
...
May 22 19:10:45 myserver postfix/submission/smtpd[16779]: Anonymous TLS connection established from ip-1.2.3.4.ip.myisp.net[4.3.2.1]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
...
May 22 19:10:45 myserver postfix/submission/smtpd[16779]: Read 22 chars: EHLO [192.168.0.101]??
...
May 22 19:10:45 myserver postfix/submission/smtpd[16779]: Read 49 chars: AUTH PLAIN AHVzZXIxQG15c2VydmVyLm5sAHBp
May 22 19:10:48 myserver postfix/submission/smtpd[16779]: warning: SASL authentication failure: Password verification failed
May 22 19:10:48 myserver postfix/submission/smtpd[16779]: warning: ip-1.2.3.4.ip.myisp.net[4.3.2.1]: SASL PLAIN authentication failed: authentication failure
May 22 19:10:48 myserver postfix/submission/smtpd[16779]: Write 64 chars: 535 5.7.8 Error: authentication failed:
...
May 22 19:10:48 myserver postfix/submission/smtpd[16779]: Read 12 chars: AUTH LOGIN??
May 22 19:10:48 myserver postfix/submission/smtpd[16779]: Write 18 chars: 334 VXNlcm5hbWU6??
...
May 22 19:10:50 myserver postfix/submission/smtpd[16779]: warning: ip-1.2.3.4.ip.myisp.net[4.3.2.1]: SASL LOGIN authentication failed: authentication failure
May 22 19:10:50 myserver postfix/submission/smtpd[16779]: Write 64 chars: 535 5.7.8 Error: authentication failed:
...
May 22 19:10:52 myserver postfix/submission/smtpd[16779]: disconnect from ip-1.2.3.4.ip.myisp.net[4.3.2.1] ehlo=2 starttls=1 auth=0/2 quit=1 commands=4/6

The EHLO + AUTH PLAIN ... are interesting... The EHLO isn't myserver? The logged base64 is cut off? And then "Password verification failed", but no details on which part failed.

I can't find any more debugging than this. syslog, mail log, auth log, mysql log. All the config files are huge, so I didn't add most. I followed http://flurdy.com/docs/postfix/ pretty exactly, and verified every step several times, so that's what I got. EXCEPT clear vs crypt, I've changed that around a few times.

Any brilliant ideas?

License cost of the AWS windows community machine images

Posted: 22 May 2021 10:25 PM PDT

When we use Windows Server 2012 R2 community machine images in AWS EC2 instances, are we being charged for the license cost by AWS? From a legal standpoint, are we allowed to use community machine images for commercial purposes? When I checked the AWS documentation I could not find a place where they explicitly discuss community-based machine images (AMIs). In contrast to community AMIs, when we get an AMI from the AWS Marketplace we are asked to pay separately or bring a license separately. Can someone please explain?

Change an active slave of Linux network bonding interface without ifenslave command

Posted: 22 May 2021 01:40 PM PDT

Linux supports bonding of multiple Ethernet network interfaces for extra reliability or load balancing.

The bonding driver used to be configured via the ifenslave command, which has been deprecated (superseded by the ip command from the iproute2 toolkit), so ifenslave was removed from the kernel sources.

One particular feature of the deprecated command for which I can't find a modern equivalent is changing the active slave of a bonding interface (assuming the bonding interface is operating in active-backup mode).

For example, the following commands set the eth0 network card as the active slave of the bond0 interface:

# ifenslave -c bond0 eth0

# ifenslave --change-active bond0 eth0

Is there a way to change the active slave of a Linux bonding interface using the ip command from the iproute2 toolkit or, alternatively, via sysfs?
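As an added example, not from the question or its answers: the bonding driver exposes the active slave through sysfs as `/sys/class/net/<bond>/bonding/active_slave`, and the shell function below writes it with the sanity checks the old ifenslave wrapper performed (the interface is a bond, it is in active-backup mode, and the requested slave is actually enslaved). The sysfs root is a parameter purely so the logic can be exercised against a constructed directory tree without root or a real bond; on a live system it defaults to `/sys`.

```shell
#!/bin/sh
# Added example (not from the question): switch the active slave of a bond through
# sysfs, with the checks ifenslave -c used to do for you.
#   bond_set_active BOND SLAVE [SYSFS_ROOT]
# SYSFS_ROOT defaults to /sys; it is a parameter only so the logic can be run
# against a constructed directory tree without root or a real bond.
bond_set_active() {
    bond="$1"; slave="$2"; root="${3:-/sys}"
    bdir="$root/class/net/$bond/bonding"

    # Only bonding masters have a "bonding" attribute directory.
    if [ ! -d "$bdir" ]; then
        echo "$bond: not a bonding interface" >&2
        return 1
    fi
    # "mode" reads e.g. "active-backup 1"; an active slave is only meaningful there.
    case "$(cat "$bdir/mode")" in
        active-backup*) ;;
        *) echo "$bond: not in active-backup mode" >&2; return 1 ;;
    esac
    # "slaves" is a space-separated list; refuse interfaces that are not enslaved
    # (the kernel would reject the write anyway, but the error is clearer here).
    case " $(cat "$bdir/slaves") " in
        *" $slave "*) ;;
        *) echo "$slave: not a slave of $bond" >&2; return 1 ;;
    esac
    printf '%s\n' "$slave" > "$bdir/active_slave"
}

# Report the current active slave of BOND (same optional SYSFS_ROOT as above).
bond_active_slave() {
    root="${2:-/sys}"
    cat "$root/class/net/$1/bonding/active_slave"
}

# Usage on a live system, as root:
#   bond_set_active bond0 eth1 && bond_active_slave bond0
```

The iproute2 equivalent of the write is `ip link set dev bond0 type bond active_slave eth1`; reading `bond_active_slave` afterwards confirms that the kernel accepted the change, which matters because a failover immediately after the write (link loss on the new slave) silently moves it back.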

Ubuntu server won't boot after reboot on google cloud console

Posted: 22 May 2021 01:25 PM PDT

Ubuntu server won't boot after reboot on google cloud console. After rebooting, I noticed that there is 0 disk space, but I cannot expand it since the server is starting ((( Error in the screenshot. Please help.

I created a new snapshot of the disk of this VM and created a VM from this snapshot, but the errors are the same.

DHCPDISCOVER requests from off-by-one MAC addresses

Posted: 22 May 2021 07:11 PM PDT

Recently I was doing some Wireshark capture and tcpdump in an isolated local network. I noticed unusual DHCP traffic from MAC addresses that are 1 off from the existing MAC addresses of the network interfaces.

wireshark capture of dhcp traffic from machine 1

wireshark capture of dhcp traffic from machine 2

machine 1 mac addresses

machine 2 mac addresses

I searched for solutions such as how to stop dhcp and dhcpdiscover off by 1 and verified

  1. /etc/dhcp/dhclient.conf doesn't exist
  2. dhcpd and dhclient are not running
  3. There is no explicit IPMI setting in BIOS. I'm not sure if it's phrased differently in my case.
  4. lshw tool is not available on the machines. lspci and dmidecode do not show any hidden network interfaces
  5. lsmod shows ipmi_ssif and ipmi_devintf and ipmi_msghandler

It is strongly discouraged to install any third-party software on the two machines for security reasons, so I have to make use of only what's available. What is the cause of such DHCP traffic and how should I go about disabling them?

Port unavailable in Kubernetes pod

Posted: 22 May 2021 10:13 PM PDT

I have a three node Kubernetes cluster and a deployment with 5 replicas. Each pod of the deployment exposes port :3401 and :4000 (one for debugging, and one for the application). I have two services (one for each port the pods expose). I have an ingress controller, and a single ingress for the application that is exposed by the application service.

Three of my pods are able to start while the other two log the following error:

main: error: server error: listen tcp :3401: bind: address already in use

Is it possible to have more pods than nodes listening on a single port using Kubernetes? If so, where would I go about debugging this issue?

Nginx with only TLS1.3 cipher suites

Posted: 22 May 2021 07:02 PM PDT

I am trying to configure Nginx to use only TLS1.3 with 2 ciphers: TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256.

So, I tried this configuration:

ssl_protocols TLSv1.3;
ssl_ciphers TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256;

But nginx -s reload errors out with

nginx: [emerg] SSL_CTX_set_cipher_list("TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)", "operationName": "Default", "category": "Default"}  

Looks like I need to append at least one non-TLS1.3 cipher to make the config work. I tried various such combinations and they worked. One of them is:

TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384  

Why is it so? I think it's happening because OpenSSL itself doesn't accept the original ciphersuite string. I am using OpenSSL-1.1.1g.

root@2ed6cae6e062:/azure/appgw# openssl ciphers -v TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256
Error in cipher list
140686067873536:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2558:

There are some useful links I came across but couldn't figure out how to achieve what I want - using only TLS1.3 ciphersuites.

https://forum.nginx.org/read.php?2,284909,284914#msg-284914
https://trac.nginx.org/nginx/ticket/1529
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
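An added check that is not part of the question: in OpenSSL 1.1.1 the TLS 1.3 suites live in a separate list set through `SSL_CTX_set_ciphersuites` (the `-ciphersuites` option of `openssl ciphers`), and their names use underscores (`TLS_AES_256_GCM_SHA384`). Handing them to the legacy cipher-list API, which is what nginx's `ssl_ciphers` does, matches nothing, and an empty list is rejected; appending any TLS 1.2 cipher makes the list non-empty, which is why the poster's workaround "works". The shell functions below validate both lists against the local OpenSSL the way nginx would apply them; they assume only that the `openssl` binary is on the path.

```shell
#!/bin/sh
# Added example (not from the question): check a legacy cipher list and a TLS 1.3
# ciphersuite list against the local OpenSSL before putting them in nginx.
#   check_tls_lists CIPHERLIST CIPHERSUITES
# CIPHERLIST   -> what nginx passes to SSL_CTX_set_cipher_list (ssl_ciphers)
# CIPHERSUITES -> what SSL_CTX_set_ciphersuites expects (TLS 1.3 names, underscores)
check_tls_lists() {
    cipherlist="$1"
    suites="$2"
    # -s lists only suites usable with the selected protocol; -tls1_3 selects it.
    # An unknown name in either list makes openssl exit non-zero, as nginx does.
    openssl ciphers -s -tls1_3 -ciphersuites "$suites" "$cipherlist" >/dev/null 2>&1
}

# Count the TLS 1.3 suites OpenSSL will actually offer for a ciphersuite string
# (the legacy list is irrelevant once TLSv1.3 is the only enabled protocol).
tls13_suite_count() {
    openssl ciphers -s -tls1_3 -ciphersuites "$1" 'DEFAULT' 2>/dev/null \
        | tr ':' '\n' | grep -c .
}

# Usage:
#   check_tls_lists 'ECDHE-RSA-AES256-GCM-SHA384' \
#       'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256' && echo "config ok"
```

On the nginx side the TLS 1.3 list is set with `ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;` (available since nginx 1.19.4, which postdates the OpenSSL 1.1.1g build in the question); `ssl_ciphers` still has to name at least one valid legacy cipher so that the context is accepted, but with `ssl_protocols TLSv1.3;` none of those legacy ciphers can be negotiated.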

Is authentication mandatory when setting up a reverse proxy?

Posted: 22 May 2021 06:51 PM PDT

I have never deployed a reverse proxy before, and I was wondering if it is mandatory, from a security perspective, to ensure only authenticated requests reach my web application server past the DMZ?

My web application server, which runs a Linux Tomcat stack, has all the mandatory security and firewall infrastructure and can authenticate its own requests. We just don't want to host it in the DMZ since it does not always run the latest OS or Tomcat instance.

Googling "reverse proxy best practices" or "reverse proxy security best practices" did not turn up any recommendations to mandatorily enable authentication at the proxy.

What are the guidelines on this and what is generally practiced in the field? I would appreciate all answers, and especially so from folks who have actually deployed reverse proxies in a security-conscious environment like banks etc...

Thanks in advance.

UEFI Enabled; unable to get IP address from DHCP, WDS

Posted: 22 May 2021 04:07 PM PDT

I'm trying to boot PCs from a Windows 2012R2 WDS server in UEFI mode. It works fine in BIOS mode, but I want to boot in UEFI mode.

I have changed the boot setting to UEFI mode; secure boot in BIOS.

I am using Dell laptops, and when I try to boot from NIC IPv4 under UEFI, the boot shows as below.

Checking Media Presence........... Media Present... Start PXE over IPv4.  

========================================================================

Then it holds for a while to get an IP address from the DHCP server, then fails and prompts to reboot the laptop.

Add multiple header field matches to Exchange rule

Posted: 22 May 2021 04:07 PM PDT

I can't seem to find it so perhaps there isn't a way but does anyone know how (or if) to add multiple header field matches to an Exchange Online rule?

I'm talking about when you create a rule and select "A message header matches these text patterns". Is there any way to add the predicate multiple times? What if I wanted to match an email based on two or three different header fields. Once you've selected that option you cannot add it again and it only seems to support one value for the header field name.


How to enable email relay in Zimbra in same domain, sent from O365

Posted: 22 May 2021 10:01 PM PDT

So I have to use a shared domain during migration from Zimbra to O365.

MX points to Zimbra, but it is also configured to enable outgoing emails from O365 to the world in the same domain. I've configured a connector on O365 to Zimbra (it works), and created contacts for not-yet-migrated users.

The plan is, that during migration, the incoming mail comes to zimbra and is redirected to O365 to onmicrosoft domain, for migrated users.

When I send email from O365 to anywhere (except my domain) it works correctly. When I send to anyone within the company who is still on Zimbra, I get either of the errors:

550 5.7.1 ... Relaying denied
553 5.7.1 : Sender address rejected: not logged in

Zimbra clearly blocks my user, as it already exists within its server, but I don't know where to start to unlock it. I've done similar things with other services before, but most didn't care about that.

Best way to run python 3.7 on Ubuntu 16.04 which comes with python 3.5

Posted: 22 May 2021 08:57 PM PDT

I would like to avoid backports, they always seem to mess up my packages.

So I was thinking tools like conda / virtualenv / maybe even docker can help. What's the simplest / cleanest way to work with python 3.7 on my system?

How do you add an existing "microsoft account" to an Azure subscription

Posted: 22 May 2021 08:07 PM PDT

We have an existing subscription that we'd like to give a user access to with their existing Microsoft Account. When we go into the Azure subscription's access control and add the user, the only option we see is "Azure AD user, group, or application", which creates an Azure AD user. We want to add a Microsoft Account. We have an existing user that is added like this already, and they can switch between subscriptions easily in the top right Azure menu. We just can't figure out how to do it again.

Here is what it looks like with an MS Account added...

vs. an AD user.

Failed to fully start up daemon: Connection timed out

Posted: 22 May 2021 07:02 PM PDT

After a few Ubuntu updates this started happening. Whenever logging into this server, either by using the LDAP client or a local user, it takes a long time to get authenticated and log in.

/var/log/auth.log:

Jan 14 06:19:16 norwich systemd-logind[18114]: Failed to fully start up daemon: Connection timed out
Jan 14 06:19:41 norwich systemd-logind[18225]: Failed to enable subscription: Connection timed out
Jan 14 06:19:41 norwich systemd-logind[18225]: Failed to fully start up daemon: Connection timed out
Jan 14 06:19:41 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 14 06:20:06 norwich systemd-logind[18329]: Failed to enable subscription: Connection timed out
Jan 14 06:20:06 norwich systemd-logind[18329]: Failed to fully start up daemon: Connection timed out
Jan 14 06:20:06 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 14 06:20:31 norwich systemd-logind[18441]: Failed to enable subscription: Connection timed out
Jan 14 06:20:31 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 14 06:20:31 norwich systemd-logind[18441]: Failed to fully start up daemon: Connection timed out
Jan 14 06:20:56 norwich systemd-logind[18552]: Failed to enable subscription: Connection timed out
Jan 14 06:20:56 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 14 06:20:56 norwich systemd-logind[18552]: Failed to fully start up daemon: Connection timed out
Jan 14 06:21:21 norwich systemd-logind[18665]: Failed to enable subscription: Connection timed out
Jan 14 06:21:21 norwich systemd-logind[18665]: Failed to fully start up daemon: Connection timed out
Jan 14 06:21:21 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out

The server is using Ubuntu 16.04 LTS and:

Linux norwich 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux  

I have already restarted the server with no effect.

Here's the journal log:

Jan 15 13:01:03 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 15 13:01:03 norwich systemd[1]: systemd-logind.service: Main process exited, code=exited, status=1/FAILURE
Jan 15 13:01:03 norwich systemd[1]: Failed to start Login Service.
Jan 15 13:01:03 norwich systemd[1]: systemd-logind.service: Unit entered failed state.
Jan 15 13:01:03 norwich systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Jan 15 13:01:03 norwich systemd[1]: systemd-logind.service: Service has no hold-off time, scheduling restart.
Jan 15 13:01:03 norwich systemd[1]: Stopped Login Service.
Jan 15 13:01:03 norwich systemd[1]: Starting Login Service...
Jan 15 13:01:03 norwich systemd[1]: Failed to forward Released message: No buffer space available
Jan 15 13:01:03 norwich systemd[1]: Failed to forward Released message: No buffer space available
Jan 15 13:01:28 norwich systemd-logind[11142]: Failed to enable subscription: Connection timed out
Jan 15 13:01:28 norwich systemd-logind[11142]: Failed to fully start up daemon: Connection timed out
Jan 15 13:01:28 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 15 13:01:28 norwich systemd[1]: systemd-logind.service: Main process exited, code=exited, status=1/FAILURE
Jan 15 13:01:28 norwich systemd[1]: Failed to start Login Service.
Jan 15 13:01:28 norwich systemd[1]: systemd-logind.service: Unit entered failed state.
Jan 15 13:01:28 norwich systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Jan 15 13:01:28 norwich systemd[1]: systemd-logind.service: Service has no hold-off time, scheduling restart.
Jan 15 13:01:28 norwich systemd[1]: Stopped Login Service.
Jan 15 13:01:28 norwich systemd[1]: Starting Login Service...
Jan 15 13:01:28 norwich systemd[1]: Failed to forward Released message: No buffer space available
Jan 15 13:01:53 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 15 13:01:53 norwich systemd-logind[11146]: Failed to enable subscription: Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 15 13:01:53 norwich systemd-logind[11146]: Failed to fully start up daemon: Connection timed out
Jan 15 13:01:53 norwich systemd[1]: systemd-logind.service: Main process exited, code=exited, status=1/FAILURE
Jan 15 13:01:53 norwich systemd[1]: Failed to start Login Service.
Jan 15 13:01:53 norwich systemd[1]: systemd-logind.service: Unit entered failed state.
Jan 15 13:01:53 norwich systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Jan 15 13:01:53 norwich systemd[1]: systemd-logind.service: Service has no hold-off time, scheduling restart.
Jan 15 13:01:53 norwich systemd[1]: Stopped Login Service.
Jan 15 13:01:53 norwich systemd[1]: Starting Login Service...
Jan 15 13:01:53 norwich systemd[1]: Failed to forward Released message: No buffer space available
Jan 15 13:02:18 norwich systemd-logind[11150]: Failed to enable subscription: Connection timed out
Jan 15 13:02:18 norwich dbus[929]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 15 13:02:18 norwich systemd-logind[11150]: Failed to fully start up daemon: Connection timed out
Jan 15 13:02:18 norwich systemd[1]: systemd-logind.service: Main process exited, code=exited, status=1/FAILURE
Jan 15 13:02:18 norwich systemd[1]: Failed to start Login Service.

FreeRadius, login not working when using mschap

Posted: 22 May 2021 08:07 PM PDT

I've been trying to make RADIUS work with Zentyal without success, I've tried logging in with an Android phone and a Windows 10 PC but none of them worked. Joining the domain using LAN works fine, using radtest without mschap works fine too, the problem here seems to be mschap, I've searched the web for hours but nothing worked for me.

When I tried to log in using my phone or PC I used an Ubiquiti Access Point that seems to be configured correctly; requests are handled by FreeRADIUS. The AP is not the problem since radtest doesn't work either, but anyway here is how I'm connecting using my phone.

EAP Method: PEAP
Phase 2 Authentication: None
CA Certificate: Don't validate
Identity: Elia
Password: stackoverflow

Radtest works fine when not using mschap

root@zenelia:~# radtest -x  Elia stackoverflow localhost 0 secret
Sending Access-Request of id 211 to 127.0.0.1 port 1812
    User-Name = "Elia"
    User-Password = "stackoverflow"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=211, length=20

freeradius -X output of the previous command

rad_recv: Access-Request packet from host 127.0.0.1 port 52877, id=91, length=74
        User-Name = "Elia"
        User-Password = "stackoverflow"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x0cca55945b14f3caf1f8f1ab3374df4c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
[ldap] performing user authorization for Elia
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> Elia
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=Elia)
[ldap]  expand: DC=zentyal-domain,DC=lan -> DC=zentyal-domain,DC=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap://127.0.0.1, authentication 0
  [ldap] bind as CN=zentyal-radius-zenelia,CN=Users,DC=zentyal-domain,DC=lan/ELEwgGNcoFmjQ@Yj5oJS to ldap://127.0.0.1
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in DC=zentyal-domain,DC=lan, with filter (sAMAccountName=Elia)
  [ldap] rebind to URL ldap://zentyal-domain.lan/CN=Configuration,DC=zentyal-domain,DC=lan
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group LDAP {
[ldap] login attempt by "Elia" with password "stackoverflow"
[ldap] user DN: CN=Elia Perantoni,CN=Users,DC=zentyal-domain,DC=lan
  [ldap] (re)connect to ldap://127.0.0.1, authentication 1
  [ldap] bind as CN=Elia Perantoni,CN=Users,DC=zentyal-domain,DC=lan/stackoverflow to ldap://127.0.0.1
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user Elia authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
Login OK: [Elia] (from client 127.0.0.1/32 port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 91 to 127.0.0.1 port 52877
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 91 with timestamp +8
Ready to process requests.

This doesn't; note that I'm using mschap here.

root@zenelia:~# radtest -x -t mschap  Elia stackoverflow localhost 0 secret
Sending Access-Request of id 183 to 127.0.0.1 port 1812
    User-Name = "Elia"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
    MS-CHAP-Challenge = 0xf7a1a65b013d5d6b
    MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f024d5b89a20308d6a54dffacb2c4bb6ca20a6deedaebf71
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=183, length=38
    MS-CHAP-Error = "\000E=691 R=1"

Output of freeradius -X when executing the previous command:

rad_recv: Access-Request packet from host 127.0.0.1 port 59549, id=63, length=130
        User-Name = "Elia"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0xb28350b23c97bdfc9d9bac99504dcd4a
        MS-CHAP-Challenge = 0xadac5f0fddda582f
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
[ldap] performing user authorization for Elia
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> Elia
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=Elia)
[ldap]  expand: DC=zentyal-domain,DC=lan -> DC=zentyal-domain,DC=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap://127.0.0.1, authentication 0
  [ldap] bind as CN=zentyal-radius-zenelia,CN=Users,DC=zentyal-domain,DC=lan/ELEwgGNcoFmjQ@Yj5oJS to ldap://127.0.0.1
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in DC=zentyal-domain,DC=lan, with filter (sAMAccountName=Elia)
  [ldap] rebind to URL ldap://zentyal-domain.lan/CN=Configuration,DC=zentyal-domain,DC=lan
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group MS-CHAP {
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap]        ... expanding second conditional
[mschap]        expand: %{User-Name} -> Elia
[mschap]        expand: %{%{User-Name}:-None} -> Elia
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=Elia
[mschap]  mschap1: ad
[mschap]        expand: %{mschap:Challenge} -> adac5f0fddda582f
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=adac5f0fddda582f
[mschap]        expand: %{mschap:NT-Response} -> b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=b4a9b44b238efc1cc4fbaf934c8e8b47fc72ebf43104a100
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap] Exec: program returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] = reject
+} # group MS-CHAP = reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure (0xc000006d)): [Elia] (from client 127.0.0.1/32 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> Elia
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 63 to 127.0.0.1 port 59549
        MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 63 with timestamp +9
Ready to process requests.

/var/log/freeradius/radius.log

Fri Jun  9 16:11:52 2017 : Auth: Login OK: [Elia] (from client 127.0.0.1/32 port 1812)
Fri Jun  9 16:11:58 2017 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [Elia] (from client 127.0.0.1/32 port 1812)

NTLM seems to be working

root@zenelia:~# ntlm_auth --username=Elia --password=stackoverflow
NT_STATUS_OK: Success (0x0)

Searching online, I found out that a common problem resulting in the same error, MS-CHAP-Error = "\000E=691 R=1", is not giving the user freerad read access to /var/lib/samba/winbindd_privileged, but that doesn't seem to be my case.

root@zenelia:/var/lib/samba# ls -l
total 1404
-rw-------   1 root root          421888 mag 31 17:03 account_policy.tdb
-rw-------   1 root root             696 mag 31 17:03 group_mapping.tdb
drwxr-x---   2 root ntp             4096 giu  9 15:21 ntp_signd
drwxr-xr-x  10 root root            4096 mag 31 17:02 printers
drwxr-xr-x   8 root root            4096 giu  9 16:26 private
-rw-------   1 root root          528384 mag 31 17:03 registry.tdb
-rw-------   1 root root          421888 mag 31 17:03 share_info.tdb
drwxrwx---+  3 root adm             4096 mag 31 17:07 sysvol
drwxrwx--T   2 root sambashare      4096 mag 31 17:03 usershares
-rw-------   1 root root           32768 giu  9 16:24 winbindd_cache.tdb
drwxr-x---   2 root winbindd_priv   4096 giu  9 15:21 winbindd_privileged

root@zenelia:/var/lib/samba# grep '^winbindd_priv:' /etc/group
winbindd_priv:x:118:freerad

winbindd_privileged is owned by group winbindd_priv, which freerad is part of.

Some users online suggest adding users manually in /etc/freeradius/users:

Elia Cleartext-Password := "stackoverflow", MS-CHAP-Use-NTLM-Auth := No  

which does work, but the next one doesn't:

Elia Cleartext-Password := "stackoverflow"  

Now, I cannot afford to add each user manually; I need FreeRADIUS to gather users from the domain, but I thought it worth pointing out that disabling NTLM works, even though I don't know how to disable it for every user.

Is there a way to make FreeRADIUS work with Zentyal without having to add users manually?
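The radius.log lines quoted above are the record a defender actually has of these rejects once debugging is switched off. As an added example (not from the question, and not part of FreeRADIUS), here is a small POSIX shell/awk summariser for that "Auth:" log format: it counts Login OK and Login incorrect lines per user and per reject reason, and lists users whose reject count reaches a threshold. The sample log is constructed inline; its first two lines are the ones from the question, the rest are made up to exercise the no-reason variant of the message.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS.
# Summarise FreeRADIUS radius.log "Auth:" lines per user and reject reason.
# Assumes the default log format shown in the question and a POSIX awk.

# radius_auth_summary FILE
# Prints one line per (user, outcome, reason): "user<TAB>OK|REJECT<TAB>reason<TAB>count", sorted.
radius_auth_summary() {
    awk '
        / : Auth: Login OK: \[/ {
            user = $0
            sub(/.*Login OK: \[/, "", user); sub(/\].*/, "", user)
            ok[user]++
            next
        }
        / : Auth: Login incorrect/ {
            line = $0
            if (line ~ /Login incorrect \(/) {
                # "Login incorrect (reason): [user] (from client ...)"
                reason = line
                sub(/.*Login incorrect \(/, "", reason); sub(/\): \[.*/, "", reason)
                user = line
                sub(/.*\): \[/, "", user); sub(/\].*/, "", user)
            } else {
                # "Login incorrect: [user] (from client ...)" carries no reason
                reason = "-"
                user = line
                sub(/.*Login incorrect: \[/, "", user); sub(/\].*/, "", user)
            }
            bad[user "\t" reason]++
        }
        END {
            for (u in ok) printf "%s\tOK\t-\t%d\n", u, ok[u]
            for (k in bad)
                printf "%s\tREJECT\t%s\t%d\n", substr(k, 1, index(k, "\t") - 1), substr(k, index(k, "\t") + 1), bad[k]
        }
    ' "$1" | LC_ALL=C sort
}

# radius_failed_users FILE THRESHOLD
# Prints users with at least THRESHOLD rejects, regardless of reason.
radius_failed_users() {
    radius_auth_summary "$1" | awk -F '\t' -v t="$2" '
        $2 == "REJECT" { n[$1] += $4 }
        END { for (u in n) if (n[u] >= t) print u }
    ' | LC_ALL=C sort
}

# Constructed sample log: the first two lines are from the question, the
# remaining two were made up to show a repeated reject and a reject without a reason.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Fri Jun  9 16:11:52 2017 : Auth: Login OK: [Elia] (from client 127.0.0.1/32 port 1812)
Fri Jun  9 16:11:58 2017 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [Elia] (from client 127.0.0.1/32 port 1812)
Fri Jun  9 16:12:03 2017 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [Elia] (from client 127.0.0.1/32 port 1812)
Fri Jun  9 16:12:10 2017 : Auth: Login incorrect: [bob] (from client 127.0.0.1/32 port 1812)
EOF

radius_auth_summary "$SAMPLE_LOG"
echo "--- users with 2 or more rejects:"
radius_failed_users "$SAMPLE_LOG" 2
```

Run against the real file with `radius_auth_summary /var/log/freeradius/radius.log`; the reason column separates backend failures such as the ntlm_auth "Logon failure (0xc000006d)" seen here from ordinary wrong-password rejects, which is what you want before deciding whether a spike is a misconfiguration or a guessing attempt.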

Does anyone know a better way to scan for IPMI devices?

Posted: 22 May 2021 06:01 PM PDT

I am using a simple nmap scan on the IPMI/BMC port 623/tcp. Is this enough, or is there anything more I need to be aware of when using nmap?

nmap -p 623 IP-IPEND  

Enabling ChrootDirectory breaks my SFTP on AWS, gives error for wrong dir

Posted: 22 May 2021 05:02 PM PDT

I'm trying to set up an SFTP server on AWS that multiple customers can use to upload data securely. It is important that they are not able to see the data of any other customer, and to do that I need to jail the directories with ChrootDirectory in

My sshd_config has the following:

Subsystem sftp internal-sftp
Match Group sftponly
        ChrootDirectory /home/chroot/ftptest/
        AllowTcpForwarding no
        ForceCommand internal-sftp

If I comment out the ChrootDirectory line everything works fine, except that you can see all the files on the system. I configured everything based on the instructions here using vsftpd, and I am using ssh keys to control access to each of the customer accounts, as per Amazon's instructions. I am using the Amazon AMI.

Edit: I changed the chroot directory to /home/chroot/ftptest/ and created directories with the following permissions:

ls -ld / /home /home/chroot /home/chroot/ftptest/
dr-xr-xr-x 25 root    root    4096 Feb 23 03:28 /
drwxr-xr-x  6 root    root    4096 Feb 23 20:26 /home
drwx--x--x  3 root    root    4096 Feb 23 20:27 /home/chroot
drwxr-xr-x  2 ftptest ftptest 4096 Feb 23 20:27 /home/chroot/ftptest/

It's still not working. In /var/log/secure I see

Authentication refused: bad ownership or modes for directory /home/ftptest  

even though /home/ftptest isn't the directory I am trying to chroot to. Why would it be throwing an error for that directory? Could this be an issue with the ~/.ssh directory?
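Two separate sshd checks are in play in this question. ChrootDirectory requires every component of the chroot path to be owned by root and not writable by group or others (the listing above shows the last component owned by ftptest, which that rule does not allow), and StrictModes requires the user's home directory, ~/.ssh and authorized_keys to be owned by the user or root and likewise not group/other writable; "Authentication refused: bad ownership or modes for directory" is the message sshd logs when the second check fails on the home directory that holds the key file. As an added example (not from the question or from OpenSSH), here is a POSIX shell script that applies both rule sets to a path so the offending component is named before sshd has to refuse the login. It assumes GNU coreutils stat(1); the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH.
# Check the ownership/mode rules sshd applies to ChrootDirectory paths and,
# under StrictModes, to the home directory holding authorized_keys.
# Assumes GNU coreutils stat(1) (Linux).

# mode_ok PATH: true when PATH is not writable by group or others.
mode_ok() {
    perms=$(stat -c '%A' "$1") || return 2
    case "$perms" in
        ?????w*|????????w*) return 1 ;;   # 'w' at position 6 (group) or 9 (others)
    esac
    return 0
}

# owned_by PATH UID: true when PATH's owner uid equals UID.
owned_by() {
    [ "$(stat -c '%u' "$1")" = "$2" ]
}

# walk_check PATH STOP UID: check PATH and each parent up to and including STOP.
# Every component must be owned by UID and pass mode_ok. Prints offenders, returns 1 if any.
walk_check() {
    dir=${1%/}; stop=${2%/}; uid=$3; rc=0
    [ -n "$dir" ] || dir=/
    [ -n "$stop" ] || stop=/
    while :; do
        if ! owned_by "$dir" "$uid"; then
            echo "bad owner: $dir (want uid $uid)"; rc=1
        fi
        if ! mode_ok "$dir"; then
            echo "group/other writable: $dir"; rc=1
        fi
        [ "$dir" = "$stop" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_chroot DIR: sshd requires every component of ChrootDirectory, up to /,
# to be root-owned and not group/other writable.
check_chroot() {
    walk_check "$1" / 0
}

# check_keys_home HOME UID: StrictModes requires HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys to be owned by the user (or root) and not
# group/other writable. Checks whichever of them exist.
check_keys_home() {
    home=${1%/}; uid=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if ! owned_by "$p" "$uid" && ! owned_by "$p" 0; then
            echo "bad owner: $p (want uid $uid or 0)"; rc=1
        fi
        if ! mode_ok "$p"; then
            echo "group/other writable: $p"; rc=1
        fi
    done
    return $rc
}

# Usage on the paths from the question (prints offenders, exit status 1 if any):
#   check_chroot /home/chroot/ftptest
#   check_keys_home /home/ftptest "$(id -u ftptest)"
```

Because the chroot directory must be root-owned, the writable area for each customer is a root-owned chroot with a user-owned subdirectory inside it, which is what keeps one customer's jail from doubling as a writable parent of another's.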

How do I configure apache2 to serve static assets from server root subdirectory?

Posted: 22 May 2021 05:02 PM PDT

Front end developer here - I just inherited a server (Mac Pro) to host my prototypes within our network. There's already an apache server set up on it, but I don't know much about its config. This is a shared server, so while the server root is set up at /Users/Shared, I only have permissions to place my prototypes at

/Shared/mydiv/mydept/prototypes

I build my site with webpack and it places static assets in a dist directory. The server configuration is working; users can browse to sharedserver.url.com/mydiv/mydept/prototypes and the index.html is served correctly.

The problem is that index.html references scripts.js, also located within the dist directory, but the web server is looking for them in the server root at sharedserver.url.com, which obviously returns a 404.

I'm referencing scripts in index.html like this:

<script src="scripts.js"></script>  

Likewise, I need to reference some fonts located in dist/fonts.

sharedserver.url.com/   <-- APACHE TRYING TO ACCESS STATIC ASSETS HERE
|_mydiv/
   |_ mydept/
      |_ prototypes/
         |_ _ dist/
                |_ index.html
                |_ scripts.js  <-- REALLY WISH APACHE LOOK FOR STATIC ASSETS HERE
                | _ _fonts/
                       |_.eof,.ttf,etc.

I've read a little about using vhosts but the module is not already loaded in httpd.conf (commented out) and I don't want to cause a conflict with existing configuration, which I don't yet fully have my head around. I've also read about .htaccess files but AllowOverride is set to None in httpd.conf - I could change it and then start learning about .htaccess but I wonder if there's another way as I am inexperienced setting up this sort of thing.

Are there any other (easyish) ways to get apache to look for my static assets in my directory?

Powershell - how can I list both username and group membership for users of a named group?

Posted: 22 May 2021 02:08 PM PDT

I am relatively new to powershell and I have two statements on the cmd line:

get-adgroupmember <group name> | select-object name,samaccountname

To produce a nicely formatted table with two columns of a person's real name and their username.

get-adgroupmember <group name> | get-adprincipalgroupmembership | select-object name

To produce a list of groups that each user in a named group belongs to.

I would like to combine these so that I have a users real name + username and then the groups they belong to for each user e.g.

name                samaccountname          memberof
----                --------------          --------
joe bloggs          jbloggs                 group1
                                            group2
                                            groupq

bob laithwaite      blaithwaite             group2
                                            groupm
                                            groupp
                                            groupq

or maybe

joe bloggs          jbloggs
group1
group2
groupq

bob laithwaite      blaithwaite
group2
groupm
groupp
groupq

Is there any simple way to create this? I am not overly concerned about it being beautiful.

If there is no simple way can anyone give me any pointers to how I can create this a difficult way? If there is only a difficult way then whilst a working answer would be nice I would sooner have pointers to start with to see if I can produce something myself. I am still learning after all.

My original Google search found https://gallery.technet.microsoft.com/scriptcenter/Powershell-Get-users-who-b0420fe1 but I could not get it to work on the cmd line by replacing variables with hard-coded strings. This is what I ultimately want to achieve, but with just 2 groups; however, in the first instance I want to start with something like the output above.

I also found How can I generate a list of the security groups a set of users belong to? in the process of writing this question, but this just appears to produce a similar list to the one I created with the 2nd cmd line, the one that uses get-adprincipalgroupmembership.

Cpu overuse replicating a Gluster Volume

Posted: 22 May 2021 06:01 PM PDT

I've this scenario:

srv01 srv02 srv03

There is a gluster volume "vol1" running on srv03, and all the servers can use it for I/O. vol1 contains a lot of mixed-size images, ranging from a few kbs to 3-4Mb. The total amount is about 1.5TB.

Gluster version is 3.6.2

It's not a silver bullet and needs some tuning, but it works pretty well.

Now I've to replicate srv03's brick to the other servers.

The problem is that srv03's cpu skyrockets to 100% and cannot serve normal requests. Net traffic is low.

Options are:

cluster.data-self-heal-algorithm: full

cluster.self-heal-daemon: off

performance.cache-size: 1gb

I have to keep the service running while the replication is running. Your suggestions are welcome.

OpenSSL connection Error called stream_socket_enable_crypto()

Posted: 22 May 2021 09:06 PM PDT

In my PHP code I have the following line, which is used by the Swift Mailer class:

if(!stream_socket_enable_crypto($this->smtp_conn, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
    return false;
}

However, rarely (not always) I get the following PHP error:

stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I am not sure where the problem is, or whether I should ignore this, as it happens only once in a while.

Xen USB pass through

Posted: 22 May 2021 02:08 PM PDT

Running Xen (Debian). I want to access the iKey USB dongle from a Windows DomU. I have 2 PCI devices:

lspci:
00:14.0 USB controller: Intel Corporation Lynx Point USB xHCI Host Controller (rev 04)
00:1a.0 USB controller: Intel Corporation Lynx Point USB Enhanced Host Controller #2 (rev 04)

After using pciback, I am able to pass the USB to the guest.

DomU.log:
register_real_device: Real physical device 00:14.0 registered successfuly!
register_real_device: Real physical device 00:1a.0 registered successfuly!

In the machine, USB and USB-SS ports are available, but even after installing the Xen drivers in the DomU, I can see only 1a.0 and not 14.0. When I start the DomU, I get the following error for 14.a: The kernel doesn't support reset from sysfs for PCI device.

Any tips??

How do I set an open_basedir with PHP using fastcgi/apache2 on Linux?

Posted: 22 May 2021 10:01 PM PDT

I tried to add this line to my virtual hosts in Apache, but failed:

php_admin_value open_basedir "/var/www/users/test"  

My installation:

root# apt-get install apache2 apache2-suexec libapache2-mod-fcgid php5-cgi  

Any ideas?

Something I noticed in the PHP manual that worried me enough (http://www.php.net/manual/en/ini.list.php): open_basedir is marked as PHP_INI_ALL, meaning "Entry can be set anywhere", so even at run-time a user can change it, or am I getting this wrong?*

(*: confirmed, user can NOT change it at run-time)

Ubuntu 12.04 open port 80 inside VLAN

Posted: 22 May 2021 09:06 PM PDT

I have an nginx server running on ubuntu 12.04 that serves http through port 80 and https through port 443.

Everything works fine if I access it from the same computer via localhost, 127.0.0.1 or the local IP 192.168.0.11. If I try to access the server from another computer in the same VLAN it does not work for http; it works for https. I have changed my nginx configuration to also listen to port 8000 for http; I can then access http from the other computer in the same VLAN via "http://192.168.0.11:8000".

I also have a web server running on port 80 on a windows machine and can access it from another device in the same VLAN, therefore the router is not blocking incoming http traffic.

The nginx process is run by root. I have used tcpdump and I see that packets are arriving at Ubuntu: 192.168.0.16.49735 > 192.168.0.11.80 and that some response is being given: 192.168.0.11.80 > 192.168.0.16.49735 (I do not know what the response is, though). There is no request arriving at the nginx web server (I have checked the access log).

My iptables are empty. I have unsuccessfully tried for a long time to find a solution to this; it has now become a matter of happiness or bitterness :).

'ALTER table' for all tables in a database

Posted: 22 May 2021 07:47 PM PDT

How can I run the following for every table in a database:

ALTER table [table_name] type=innodb;  

I don't want to have to manually run it for each table, but rather run it for all tables in a database. As an aside, if you're curious as to why I am running this: http://bugs.mysql.com/bug.php?id=1341 & http://bugs.mysql.com/bug.php?id=1287
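The per-table statement above can be generated from information_schema rather than typed once per table. As an added example (not from the question or from MySQL's own tooling), here is a POSIX shell script that lists the schema's base tables that are not already InnoDB, emits one ALTER TABLE per table with identifiers backtick-quoted, and pipes the batch into a single mysql session. It uses ENGINE=InnoDB, the current spelling of the TYPE= clause used in the question (TYPE= was the pre-5.5 syntax). The function names are mine; the schema name "shop" and the table list in the offline demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from MySQL.
# Generate and run ALTER TABLE ... ENGINE=InnoDB for every non-InnoDB base table
# in one schema. Assumes the mysql client is on PATH and can authenticate
# (for example via ~/.my.cnf) when convert_schema is actually run.

# quote_ident NAME: backtick-quote an identifier, doubling any embedded backtick
# so a table name cannot break out of the quoted identifier.
quote_ident() {
    printf '`%s`' "$(printf '%s' "$1" | sed 's/`/``/g')"
}

# gen_alter_statements SCHEMA: read table names (one per line) on stdin and
# print one ALTER TABLE statement per table.
gen_alter_statements() {
    schema=$1
    while IFS= read -r table; do
        [ -n "$table" ] || continue
        printf 'ALTER TABLE %s.%s ENGINE=InnoDB;\n' \
            "$(quote_ident "$schema")" "$(quote_ident "$table")"
    done
}

# list_non_innodb_tables SCHEMA: ask information_schema for base tables of
# SCHEMA whose engine is not InnoDB (views have a NULL engine and are excluded
# by table_type). SCHEMA is interpolated into the query, so pass only a name
# you control, not user input.
list_non_innodb_tables() {
    mysql -N -B -e "SELECT table_name FROM information_schema.tables
                    WHERE table_schema = '$1'
                      AND table_type = 'BASE TABLE'
                      AND engine <> 'InnoDB'"
}

# convert_schema SCHEMA: generate the statements and run them in one session.
# Review the output of the first two stages before wiring in the third; an
# engine change rewrites every table and is not something to run blind.
convert_schema() {
    list_non_innodb_tables "$1" | gen_alter_statements "$1" | mysql "$1"
}

# Offline demonstration with a constructed table list (no server needed):
printf 'users\norders\nweird`name\n' | gen_alter_statements shop
```

To see what would run without touching anything, use `list_non_innodb_tables mydb | gen_alter_statements mydb` on its own; the quoting step matters because table names taken from information_schema are data, not code, and a name containing a backtick must not be allowed to terminate the identifier early.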

Directory in /var/run gets deleted after hard reboot

Posted: 22 May 2021 07:18 PM PDT

I keep my sphinx pid in /var/run/sphinx/searchd.pid, but every time I hard reboot the directory /var/run/sphinx disappears and sphinx fails to start. Is there a way to make that directory stick or have it automatically created? How do people usually handle this situation? I use Ubuntu Hardy.
