Sunday, September 19, 2021

Recent Questions - Server Fault

Block Symlink and Junction creation for a Directory

Posted: 19 Sep 2021 10:23 PM PDT

I want to block the creation of Symbolic Links and Junctions for a particular Windows directory for security reasons. So is it possible to do this and, if yes, which Windows API should I use?

I went through lots of articles and blogs but couldn't find any solution.
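An added example, not part of the question above, from the detective side of the same problem: a periodic audit that walks a protected directory without following links and reports every symlink (and, on Windows with Python 3.12+, every junction) whose resolved target lies outside that directory. The fixture it builds under a temporary directory is constructed; nothing else is assumed.

```python
"""Audit a directory tree for symlinks and junctions that escape it.

Added example: there is no single Windows API that forbids link creation
inside a directory, so this script reports reparse points whose target
lies outside the protected root. Runs on Linux and Windows; junction
detection uses os.path.isjunction (Python 3.12+) when available and is
skipped otherwise.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def _is_junction(path: str) -> bool:
    """True for an NTFS junction; False where the check is unavailable."""
    isjunction = getattr(os.path, "isjunction", None)   # Python 3.12+
    return bool(isjunction and isjunction(path))


def find_escaping_links(root: str) -> List[Tuple[str, str]]:
    """Walk `root` without following links and return (link, target) pairs
    whose fully resolved target is outside `root`."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not (os.path.islink(full) or _is_junction(full)):
                continue
            target = os.path.realpath(full)        # follows the whole chain
            # inside only if the target is the root itself or a descendant
            inside = target == root_real or target.startswith(root_real + os.sep)
            if not inside:
                findings.append((full, target))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed fixture: one link that stays inside the protected tree
    and one that points outside it; only the second is reported."""
    base = tempfile.mkdtemp()
    protected = Path(base, "protected")
    (protected / "data").mkdir(parents=True)
    (protected / "data" / "file.txt").write_text("ok")
    outside = Path(base, "outside")
    outside.mkdir()
    os.symlink(protected / "data" / "file.txt", protected / "inside_link")
    os.symlink(outside, protected / "escape_link")
    return find_escaping_links(str(protected))


if __name__ == "__main__":
    for link, target in demo():
        print(f"ESCAPES ROOT: {link} -> {target}")
```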

Dig only able to do zone transfers when +nocookie flag is enabled

Posted: 19 Sep 2021 09:42 PM PDT

I am learning about DNS enumeration and I am working on a lab exercise at the moment. To do a zone transfer, I entered the following:

dig @10.83.185.5 example.com AXFR  

the result is

;; global options: +cmd
; Transfer failed.

However, when I add the +nocookie flag, i.e.:

dig @10.83.185.5 example.com AXFR +nocookie  

The zone transfer is successful. While I know that +nocookie forces not sending cookies, what I want to know is why does sending cookies result in a blank response, and should I be checking both sending with and without cookies whenever I'm enumerating DNS servers?

Also, is there a way to disable cookies with nslookup?
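An added example, not part of the question above, showing what +nocookie actually removes from the query: it builds two AXFR queries for example.com in DNS wire format, one carrying the EDNS(0) COOKIE option (RFC 7873, option code 10) that dig sends by default and one without it, then parses the OPT pseudo-record back. The query id and the 8-byte client cookie are constructed sample values; nothing is sent on the network.

```python
"""Build and inspect the EDNS(0) COOKIE option (RFC 7873, option code 10),
which dig adds to its queries by default and leaves out with +nocookie.

Added example, not from the original question: two AXFR queries in wire
format, with and without a client cookie, and a parser that shows the
difference a server sees. Sample values are constructed.
"""
import struct
from typing import Optional, Tuple

EDNS_OPTION_COOKIE = 10   # option code assigned by RFC 7873
QTYPE_OPT = 41
QTYPE_AXFR = 252
QCLASS_IN = 1
UDP_PAYLOAD_SIZE = 4096


def _encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int, client_cookie: Optional[bytes],
                qid: int = 0x1234) -> bytes:
    """Header + one question + an OPT RR; the OPT RR carries a COOKIE
    option (client part only, 8 bytes) when client_cookie is given."""
    if client_cookie is not None and len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, ARCOUNT=1
    question = _encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    rdata = b""
    if client_cookie is not None:
        rdata = struct.pack("!HH", EDNS_OPTION_COOKIE, len(client_cookie)) + client_cookie
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, UDP_PAYLOAD_SIZE, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a possibly compressed name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def extract_cookie(msg: bytes) -> Optional[bytes]:
    """Return the COOKIE option payload from the OPT record, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != QTYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):          # walk the option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == EDNS_OPTION_COOKIE:
                return rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
    return None


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Cookie found in the default-style query, None in the +nocookie-style one."""
    cookie = bytes.fromhex("0011223344556677")          # constructed sample
    with_cookie = build_query("example.com", QTYPE_AXFR, cookie)
    without = build_query("example.com", QTYPE_AXFR, None)
    return extract_cookie(with_cookie), extract_cookie(without)


if __name__ == "__main__":
    found, missing = demo()
    print("default query cookie  :", found.hex() if found else None)
    print("+nocookie query cookie:", missing)
```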

ICMP/Ping works even after adding iptables drop rule

Posted: 19 Sep 2021 08:28 PM PDT

We have an application which configures the network interface as well as iptables rules based on user configuration. Please find below the iptables rules after configuring with the application.

[image: iptables rules]

Even after adding this rule we are still able to ping 10.10.10.10 from the test PC. Why does iptables fail to drop ICMP?

Is there a way to find out what files are being moved by rsync and when and where it's scheduled?

Posted: 19 Sep 2021 07:57 PM PDT

Is there a way to find out what files are being moved by rsync and when and where it's scheduled? I was told by the senior administrator that there was an rsync process that allowed us to back up the data from server A to server B. Is there a way to see from server B where the rsync process is called and how it's scheduled? I know it's scheduled on server A, but I would like to know whether, from server B, I can find out what is moved, how it's moved, and the full command that's being run on server A.

http_ssl_module failed to install when compile from source code of nginx

Posted: 19 Sep 2021 07:27 PM PDT

I am trying to set up https using certbot, so I need to recompile ngx adding '--with-http_ssl_module'. Here are the complete steps:

 - sudo make clean
 - sudo ./auto/configure --prefix=/var/www/html --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --with-pcre --with-http_ssl_module --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --modules-path=/etc/nginx/modules
 - check Makefile, I can see 'http_ssl_module' added in objs/Makefile
 - ./auto/configure
   sudo make
   sudo make install

After completing all the steps above (no error observed) I checked 'ngx_modules.o' (still missing the ssl module) and ran the command below:

sudo certbot --nginx -d feedme.pub
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Nginx build is missing SSL module (--with-http_ssl_module).')

Also, I checked my ssl lib; libssl is installed:

ldconfig -p | grep libssl
    libssl3.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl3.so
    libssl.so.1.1 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl.so.1.1
    libssl.so.1.0.0 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
    libssl.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl.so

Can anyone help answer why I am not able to build '--with-http_ssl_module' in?

Troubleshooting SATA/SAS reverse breakout cable

Posted: 19 Sep 2021 06:43 PM PDT

For a new server build, I'm trying to connect a SAS HDD backplane (SFF-8643) to a SATA motherboard. From my research, this should be possible using reverse breakout cables.

I bought and installed two "SFF-8643 to 4x SATA" reverse breakout cables, but when I start the machine it does not recognize any of the disks (all SATA) on the backplane. As a spot test, I connected one of the disks directly to the mobo and it worked fine.

Is my understanding correct that this configuration should work? What other troubleshooting can I do?

how to limit git bash to use https url alone and to use only one git platform to push the code to private repo?

Posted: 19 Sep 2021 05:44 PM PDT

We want to set up security for the gitbash CLI on our shared Windows 10 virtual desktop. Non-admin users should use only https URLs (example: https://gitlab///). Using personal access tokens & SSH keys should be blocked. Also, we want to use Windows Credential Manager to authenticate to our remote repo using gitbash. The scenario we want to achieve is: we want our contractor developers to use only our company's git repo to push code. Pushing code from the git bash CLI to outside our company's repo should be blocked. We are fine with pulling code from other repos which are not company related, but commit & push should be done only to our company's repo. Note: we do use SSO for our company's GitHub & GitLab (yes, we use both Git platforms with Single Sign-On (SSO)). Please suggest how to achieve this.
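An added example, not part of the question above, of one client-side guard rail for the push restriction it describes: a Git pre-push hook (Git passes it the remote name and remote URL) that refuses ssh:// and scp-style remotes, credentials embedded in the URL, and any https remote outside an allowlist of company hosts and organisation paths. The host names and the organisation prefix are placeholders. Because a hook lives in the working copy and can be deleted by its owner, the server-side SSO and repository permissions remain the enforcement point; the hook only stops accidental pushes on a managed desktop.

```python
"""Pre-push policy hook: only https pushes to approved company repositories.

Added example, not from the original question. Git runs .git/hooks/pre-push
with <remote-name> <remote-url> as arguments and aborts the push when the
hook exits non-zero. Hosts and organisation prefix below are placeholders.
"""
import sys
from typing import Tuple
from urllib.parse import urlsplit

# host -> path prefixes that may be pushed to ("/" means any repo on the host)
ALLOWED_PUSH_TARGETS = {
    "gitlab.example.com": ("/",),          # placeholder company GitLab
    "github.com": ("/acme-corp/",),        # placeholder company org on GitHub
}


def parse_remote(url: str) -> Tuple[str, str, str, bool]:
    """Return (scheme, host, path, has_embedded_credentials) for a remote URL."""
    if "://" in url:
        parts = urlsplit(url)
        creds = bool(parts.username or parts.password)
        return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path, creds
    head, sep, tail = url.partition(":")
    if sep and "/" not in head:            # scp-like syntax: [user@]host:path
        return "ssh", head.rpartition("@")[2].lower(), "/" + tail, False
    return "file", "", url, False          # local path


def push_allowed(remote_url: str, targets=ALLOWED_PUSH_TARGETS) -> Tuple[bool, str]:
    """Decide whether a push to remote_url is permitted; return (ok, reason)."""
    scheme, host, path, creds = parse_remote(remote_url)
    if scheme != "https":
        return False, f"push refused: remote must use https, got {scheme}"
    if creds:
        return False, "push refused: credentials embedded in URL; use the credential manager"
    prefixes = targets.get(host)
    if prefixes is None:
        return False, f"push refused: {host} is not an approved company host"
    if not any(path.startswith(p) for p in prefixes):
        return False, f"push refused: {path} is outside the approved repositories"
    return True, "ok"


def main(argv) -> int:
    """Entry point when installed as .git/hooks/pre-push."""
    if len(argv) < 3:
        print("usage: pre-push <remote-name> <remote-url>", file=sys.stderr)
        return 2
    ok, reason = push_allowed(argv[2])
    if not ok:
        print(reason, file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```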

Remove missing sub-LVs from LVM2 raid1 array

Posted: 19 Sep 2021 04:55 PM PDT

I have a two drive LVM2 RAID1 array where I've handled two HDD failures. It still works now, but when I examine my logical volume I can see it contains sub LVs for the physical volumes that are no longer there.

root@desktop ~ # lvs -a -o name,devices
LV                   Devices
hdd_raid1            hdd_raid1_rimage_0(0),hdd_raid1_rimage_1(0),hdd_raid1_rimage_2(0),hdd_raid1_rimage_3(0
[hdd_raid1_rimage_0] /dev/sdb1(1)
[hdd_raid1_rimage_1]
[hdd_raid1_rimage_2]
[hdd_raid1_rimage_3] /dev/sda1(1)
[hdd_raid1_rmeta_0]  /dev/sdb1(0)
[hdd_raid1_rmeta_1]
[hdd_raid1_rmeta_2]
[hdd_raid1_rmeta_3]  /dev/sda1(0)

How do I remove hdd_raid1_r{image,meta}_{1,2}?

How to restrict users from uploading files from Azure Virtual Desktop(AVD) to personal or public sites?

Posted: 19 Sep 2021 04:49 PM PDT

How to restrict users from uploading files from Azure Virtual Desktop (AVD) to personal or public sites like Gmail, Google Drive, personal OneDrive, personal Office 365 accounts, Dropbox, Box, GitHub, GitLab, Bitbucket, Azure Git, etc.? Basically we want to restrict users from uploading files to any website via browser or CLI. The only exception should be the sites which we want to allow. How to achieve this? Please help. Note: we don't have anything on-premise; our AVD is in the Azure cloud only.

AWS cdk environment strategy: one per branch, one per developer, or only dev/staging/prod?

Posted: 19 Sep 2021 03:46 PM PDT

We're currently set up with dev, staging, and prod environments on AWS. We're finding it hard to do QA properly, since often many commits happen in a short span of time and are all included in one CodePipeline build, which makes it hard to associate failures with a specific commit.

We were looking into spinning up one environment per feature branch, in a manner similar to what this AWS quickstart example is doing:

[image: AWS quickstart per-branch environment diagram]

However, I'm finding it hard to justify spinning up our entire backend (which is huge) to test, in some cases, a single apigateway->lambda->dynamodb route. Furthermore, this can work for serverless services, but we also use an Elasticsearch server. In such a case, it doesn't even seem possible to spin up an ES server just for testing a new feature branch. But if we point our feature branch to, say, staging's ES server, how do we make sure not to pollute it in case of bugs?

How do people usually go about solving this problem?

rsync does not respect exclude parameter copying from remote server

Posted: 19 Sep 2021 03:39 PM PDT

I am using rsync like below to copy the whole filesystem of the remote server with the hostname "beton" to a local directory. I would like to exclude virtual directories like proc, but even if I use the exclude parameter, it is still copied!

sudo rsync -aAXv root@beton:/ --exclude={/dev*,/lost+found*,/media*,/proc*,/run*,/sys*,/tmp*}  /mnt/big/beton_backup  

I also tried other possibilities, but the excluded directories always get copied!

--exclude='/sys/*' --exclude='/tmp/*' --exclude='/dev/*' --exclude='/proc/*'   

or

--exclude={/dev,/lost+found,/media,/mnt,/proc,/run,/sys,/tmp}   

It's a problem because /proc is like 64TB, and I don't want to copy it!

nslookup, dig, and host only return half of my TXT records

Posted: 19 Sep 2021 03:46 PM PDT

nslookup, dig, and host only return half of my TXT records:

host -t txt machelpnashville.com 8.8.8.8

nslookup -type=txt machelpnashville.com 8.8.8.8

dig machelpnashville.com TXT 8.8.8.8

They return the four records that have the name @ but ignore the other four records that are there. Is there a way to pull ALL TXT records using a wildcard?

how to determine if I have the latest security update or not by powershell?

Posted: 19 Sep 2021 07:54 PM PDT

I'm a beginner with Exchange Server and PowerShell. I'm working on Exchange Server (on-premise); how can I determine, by PowerShell, whether I have the latest updates, security updates and versions of Windows Server (Core) and Exchange Server, or whether I have to update?

Thanks in advance

NET SESSION Doesn't show real domain account username

Posted: 19 Sep 2021 05:11 PM PDT

I'm using Windows Server 2012 R2 as AD and file share. I have trouble auditing the file log because some PCs show the account name as Administrator instead of their real domain username. Any help? Thank you.

EDIT (More information): I have enabled auditing of file access on my shared folder to check who deletes, edits or accesses files. When I check Event Viewer, some log activity is fine: it shows the real account name (domain joined) that accessed the file, but some logs show the account name as Administrator instead. I have used the NET SESSION command, and for some computers it shows Administrator as the username too. Hope this information clarifies my situation. Thank you.

Add multiple header field matches to Exchange rule

Posted: 19 Sep 2021 07:02 PM PDT

I can't seem to find it so perhaps there isn't a way but does anyone know how (or if) to add multiple header field matches to an Exchange Online rule?

I'm talking about when you create a rule and select "A message header matches these text patterns". Is there any way to add the predicate multiple times? What if I wanted to match an email based on two or three different header fields? Once you've selected that option you cannot add it again, and it only seems to support one value for the header field name.

[image: Exchange Online rule editor]

Could not chdir to home directory /home/Me: No such file or directory

Posted: 19 Sep 2021 08:02 PM PDT

On a daily basis, I interact with tens of production servers which do not, and should not, have a home directory for my personal user.

Every SSH session is met with the same error message:

Could not chdir to home directory /home/Me: No such file or directory
Killed by signal 1.

Is there a way to prevent SSH from trying to cd me into /home/Me, or is there any other way to suppress this message?

How do you add an existing "microsoft account" to a azure subscription

Posted: 19 Sep 2021 10:01 PM PDT

We have an existing subscription that we'd like to give a user access to with their existing Microsoft Account. When we go into the Azure subscription's access control and add the user, the only option we see is "Azure AD user, group, or application", which creates an Azure AD user. We want to add a Microsoft Account. We have an existing user that is added like this already, and they can switch between subscriptions easily in the top right Azure menu. We just can't figure out how to do it again.

Here is what it looks like with a MS Account added...

[image: access control entry for a Microsoft Account user]

VS an AD user.

[image: access control entry for an Azure AD user]

putty software caused network abort

Posted: 19 Sep 2021 05:04 PM PDT

I have had this problem on my laptop for months. If I connect from any other computers (local or remote) I have no problems with the same user.

THE PROBLEM:

Using PuTTY on Windows 10, I can connect to the server and put in the username. As soon as I hit enter I see the prompt for the password, but I also get a message:

"Network error. Software caused connection abort"

When I click ok the window goes inactive.

This happens in PuTTY. It also happens when trying to connect with WinSCP on the same PC. If I try on my desktop there is no issue. This happens every single time I try to connect.

WHAT I TRIED:

  • New IP address
  • Reinstall PuTTY and WinSCP
  • Reset Router
  • Checked server logs ("groot sshd[10669]: Connection reset by 192.168.1.1 port 54916")

    That is the only line that comes up in the log when I try to connect.

EDIT:

I recently put in a WiFi access point in another location than our main one. I decided to try this and it worked. It must be something to do with the WiFi router. I think it also happens when sending keys, because I tried connecting to a different server and as soon as I clicked yes on confirming a new key the window went inactive with the same error.

EDIT 2: Event log drop

2017-07-05 15:53:58 Connecting to 192.168.1.191 port 22
2017-07-05 15:53:58 We claim version: SSH-2.0-PuTTY_Release_0.69
2017-07-05 15:53:58 Server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
2017-07-05 15:53:58 Using SSH protocol version 2
2017-07-05 15:53:58 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
2017-07-05 15:53:58 Server also has ssh-ed25519/ecdsa-sha2-nistp256 host keys, but we don't know any of them
2017-07-05 15:53:58 Host key fingerprint is:
2017-07-05 15:53:58 ssh-rsa 2048 b4:e3:25:2f:b5:01:1a:96:28:6d:c1:2c:e4:fd:7d:de
2017-07-05 15:53:58 Initialised AES-256 SDCTR client->server encryption
2017-07-05 15:53:58 Initialised HMAC-SHA-256 client->server MAC algorithm
2017-07-05 15:53:58 Initialised AES-256 SDCTR server->client encryption
2017-07-05 15:53:58 Initialised HMAC-SHA-256 server->client MAC algorithm
2017-07-05 15:54:13 Network error: Software caused connection abort

Varnish cache headers to browser

Posted: 19 Sep 2021 06:01 PM PDT

Is it possible for Varnish to send the "Cache-Control: no-cache, no-store, must-revalidate" cache control response header to the browser, while Varnish itself caches the response?

Scenario is like this.

  • Backend sends the cache control header: Cache-Control: no-cache, no-store, must-revalidate
  • Varnish should cache the response.
  • The browser should not cache the contents, so the response from Varnish to the browser should show "Cache-Control: no-cache, no-store, must-revalidate"

I have tried using Cache-Control: no-cache, no-store, must-revalidate in set beresp.http.Cache-Control, but this causes varnish not to cache the responses.

Given below is the vcl_backend_response used.

sub vcl_backend_response {
    if (bereq.url == "/") {
        unset beresp.http.expires;
        unset beresp.http.set-cookie;
        set beresp.ttl = 3600s;
        set beresp.http.Cache-Control = "max-age=0";
        if (beresp.status >= 400 && beresp.status <= 599) {
            set beresp.ttl = 0s;
        }
    }
}

Any help is highly appreciated.

OpenVPN over UDP stopped working for some clients

Posted: 19 Sep 2021 10:01 PM PDT

I have had a frustrating OpenVPN TLS error problem for a few days, where some clients can connect to my OpenVPN server and some cannot. It's running on Windows using UDP/1194 and all the clients have exactly the same settings. I am attaching a server log at log level 6 for a working client and for one that is not working. I don't have access to the non-working client's log (it's remote).

In addition, this exact setup used to work for a long time (more than a year) until it stopped three days ago.

It seems like the client can reach the server but the server cannot reply back to the client. BUT this only happens for some of the clients, even ones that belong to the same telco network (in remote areas). So I cannot imagine how it could be a firewall error.

Minimal server.conf

dev tun
proto udp
port 1194
ca ...
cert ...
key ...
dh ...
server 10.8.0.0 255.255.0.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

Server log for client not connecting

Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 Re-using SSL/TLS context
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 LZO compression initialized
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 Local Options hash (VER=V4): 'a8f55717'
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 Expected Remote Options hash (VER=V4): '22188c5b'
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 UDPv4 READ [14] from [AF_INET]bad_client:49003: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 TLS: Initial packet from [AF_INET]bad_client:49003, sid=7ea5008f ee298f22
Fri Apr 07 09:51:38 2017 us=278366 bad_client:49003 UDPv4 WRITE [26] to [AF_INET]bad_client:49003: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Fri Apr 07 09:51:40 2017 us=310517 bad_client:49003 UDPv4 WRITE [14] to [AF_INET]bad_client:49003: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 09:51:44 2017 us=374822 bad_client:49003 UDPv4 WRITE [14] to [AF_INET]bad_client:49003: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 09:51:52 2017 us=503448 bad_client:49003 UDPv4 WRITE [14] to [AF_INET]bad_client:49003: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 09:52:08 2017 us=791909 bad_client:49003 UDPv4 WRITE [14] to [AF_INET]bad_client:49003: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 09:52:39 2017 us=87018 bad_client:49003 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Apr 07 09:52:39 2017 us=87018 bad_client:49003 TLS Error: TLS handshake failed
Fri Apr 07 09:52:39 2017 us=87018 bad_client:49003 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Apr 07 09:52:39 2017 us=399300 MULTI: multi_create_instance called
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 Re-using SSL/TLS context
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 LZO compression initialized
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 Local Options hash (VER=V4): 'a8f55717'
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 Expected Remote Options hash (VER=V4): '22188c5b'
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 UDPv4 READ [14] from [AF_INET]bad_client:49004: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 TLS: Initial packet from [AF_INET]bad_client:49004, sid=3850de6b eadae20a
Fri Apr 07 09:52:39 2017 us=399300 bad_client:49004 UDPv4 WRITE [26] to [AF_INET]bad_client:49004: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Fri Apr 07 09:52:41 2017 us=775314 bad_client:49004 UDPv4 WRITE [14] to [AF_INET]bad_client:49004: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 09:52:45 2017 us=292476 bad_client:49004 UDPv4 WRITE [14] to [AF_INET]bad_client:49004: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0

Server log for client connecting

Fri Apr 07 09:51:46 2017 us=109968 MULTI: multi_create_instance called
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 Re-using SSL/TLS context
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 LZO compression initialized
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 Local Options hash (VER=V4): 'a8f55717'
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 Expected Remote Options hash (VER=V4): '22188c5b'
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 UDPv4 READ [14] from [AF_INET]good_client:62320: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 TLS: Initial packet from [AF_INET]good_client:62320, sid=0a4a2388 525f8203
Fri Apr 07 09:51:46 2017 us=109968 good_client:62320 UDPv4 WRITE [26] to [AF_INET]good_client:62320: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Fri Apr 07 09:51:46 2017 us=156863 good_client:62320 UDPv4 READ [22] from [AF_INET]good_client:62320: P_ACK_V1 kid=0 [ 0 ]
Fri Apr 07 09:51:46 2017 us=156863 good_client:62320 UDPv4 READ [114] from [AF_INET]good_client:62320: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Fri Apr 07 09:51:46 2017 us=156863 good_client:62320 UDPv4 WRITE [22] to [AF_INET]good_client:62320: P_ACK_V1 kid=0 [ 1 ]
Fri Apr 07 09:51:46 2017 us=156863 good_client:62320 UDPv4 READ [114] from [AF_INET]good_client:62320: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
Fri Apr 07 09:51:46 2017 us=156863 good_client:62320 UDPv4 WRITE [22] to [AF_INET]good_client:62320: P_ACK_V1 kid=0 [ 2 ]

As you can see, the P_ACK_V1 that the second client sends back to the server is never sent by the first client. So it tries to complete the handshake forever...

I realize this TLS error is a quite common issue, but with some of the clients working and some not? I have checked the server firewall and also tried some different configurations like the following, to no avail.

local xxx.xxx.xxx.xxx (public server IP address)

Any ideas how to troubleshoot this? Could it be a networking/routing problem? Thanks so much for reading through!

Edit: Added client log for a connecting client. As expected, it matches the server log, acknowledging the packets. I don't have a log for a not-connecting client, since I could not replicate the issue with any client from my home network, and those ones are already remote...

Fri Apr 07 17:13:25 2017 us=228914 UDPv4 link local: [undef]
Fri Apr 07 17:13:25 2017 us=228914 UDPv4 link remote: [AF_INET]vpn_server:1194
Fri Apr 07 17:13:25 2017 us=228914 MANAGEMENT: >STATE:1491578005,WAIT,,,
Fri Apr 07 17:13:25 2017 us=228914 UDPv4 WRITE [14] to [AF_INET]vpn_server:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Apr 07 17:13:25 2017 us=229914 UDPv4 READ [0] from [undef]: DATA UNDEF len=-1
Fri Apr 07 17:13:25 2017 us=272916 UDPv4 READ [26] from [AF_INET]vpn_server:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Fri Apr 07 17:13:25 2017 us=272916 MANAGEMENT: >STATE:1491578005,AUTH,,,
Fri Apr 07 17:13:25 2017 us=272916 TLS: Initial packet from [AF_INET]vpn_server:1194, sid=ba8f04dc 7b6b2ffb
Fri Apr 07 17:13:25 2017 us=273916 UDPv4 WRITE [22] to [AF_INET]vpn_server:1194: P_ACK_V1 kid=0 [ 0 ]
Fri Apr 07 17:13:25 2017 us=273916 UDPv4 WRITE [114] to [AF_INET]vpn_server:1194: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Fri Apr 07 17:13:25 2017 us=273916 UDPv4 WRITE [114] to [AF_INET]vpn_server:1194: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
Fri Apr 07 17:13:25 2017 us=273916 UDPv4 WRITE [15] to [AF_INET]vpn_server:1194: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1
Fri Apr 07 17:13:25 2017 us=314919 UDPv4 READ [22] from [AF_INET]vpn_server:1194: P_ACK_V1 kid=0 [ 1 ]
Fri Apr 07 17:13:25 2017 us=315919 UDPv4 READ [22] from [AF_INET]vpn_server:1194: P_ACK_V1 kid=0 [ 2 ]
Fri Apr 07 17:13:25 2017 us=323919 UDPv4 READ [126] from [AF_INET]vpn_server:1194: P_CONTROL_V1 kid=0 [ 3 ] pid=1 DATA len=100
Fri Apr 07 17:13:25 2017 us=324919 UDPv4 WRITE [22] to [AF_INET]vpn_server:1194: P_ACK_V1 kid=0 [ 1 ]

how to limit Dovecot.index.cache size

Posted: 19 Sep 2021 04:01 PM PDT

On my server I have various email accounts with a very large dovecot.index.cache file,

e.g.

-rw-r----- 1 user user 72506540 Sep 16 20:20 dovecot.index.cache

Is there any way to limit the size of the dovecot.index files, especially dovecot.index.cache?

Thank you

Can Only SSH After Ping

Posted: 19 Sep 2021 09:09 PM PDT

I have a virtual machine running RHEL 6, which I can only access after pinging it.

[user@localhost ~]$ ssh remotehost
Connection timed out.
[user@localhost ~]$ ping remotehost
PING remotehost.example.com (10.1.60.93) 56(84) bytes of data.
64 bytes from remotehost.example.com (10.1.60.93): icmp_seq=1 ttl=61 time=1.65 ms
^C
--- remotehost.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 622ms
rtt min/avg/max/mdev = 1.656/1.656/1.656/0.000 ms
[user@localhost ~]$ ssh remotehost
user@remotehost's password:

Everything else seems to be working fine with no problem, but I still couldn't get to the root of this issue. What might be causing this behavior?

Automatic unlock bitlocker to go (usb stick) on domain computer

Posted: 19 Sep 2021 09:06 PM PDT

Is there a way to automatically unlock BitLocker-encrypted USB sticks on Windows computers that are domain joined (8.1 Enterprise)? (e.g., based on the "BitLocker identification field"?)

The scenario I'm thinking of is that the IT department encrypts the sticks and hands them out to the user without telling them the password; the user plugs them into their domain computer, the key is unlocked automatically and the user can work with it.

We are aware that the user cannot work with this USB stick in another (non-our-domain joined) computer, but that is actually the goal...

Access to “Windows Security” logs for “eventlog” group

Posted: 19 Sep 2021 04:01 PM PDT

Security logs are not available to users in the eventlog group. I've checked this down to the security event log file; the eventlog group has all permissions on it.

Unfortunately I cannot add my user to Administrators group.

Which local or domain policy can block this?

nginx: Multiple cross-domain 301 redirects with different page addresses

Posted: 19 Sep 2021 05:04 PM PDT

I'm moving my old site over to a new domain, and with that new domain comes new naming conventions. I'm trying to figure out what would be the simplest way of accomplishing the following for roughly 8 different pages:

  1. http to https
  2. Different domain
  3. Redirect (1) old www and (2) old non-www addresses, plus (3) new non-www address to new www address

Here are two old pages from the old domain:

Portfolio:
http://dcturanoinc.com/?dct=portfolio_expediting
http://www.dcturanoinc.com/?dct=portfolio_expediting

Services:
http://dcturanoinc.com/?dct=services_expediting
http://www.dcturanoinc.com/?dct=services_expediting

Here are two new pages from the new domain:

Services:
https://dcturano.com/services/
https://www.dcturano.com/services/

Portfolio:
https://dcturano.com/portfolio/
https://www.dcturano.com/portfolio/

EDIT: This is my nginx.conf file as it currently stands.

server {
    listen 80;
    listen [::]:80;
    listen 443 default_server ssl;

    server_name dcturano.com www.dcturano.com;

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}

Bind9 DNS resolves full domain to localhost

Posted: 19 Sep 2021 08:02 PM PDT

I have set up a Bind9 DNS server on my development VM, which is running Debian Wheezy. My addresses resolve from my host machine (Win7) to my dev VM, and I can ping from there. Internally on the VM, I can ping my names (www, share, my_name, etc.) and they resolve to the correct IP (11.11.11.11). But when I ping my full FQDN (www.app.dev), it resolves to localhost. This is not true for my_name.app.dev, only for the CNAME entries in my db.app.dev file in my /etc/bind/ folder. So if I ping www, it resolves to 11.11.11.11; www.app.dev resolves to 127.0.0.1. Pinging www.app.dev or just www from outside the DNS VM resolves fine. Is this expected behavior or am I missing something?

Here are the files I think you want. I added resolv.conf in case there's something wrong there.

/etc/bind/zones/db.app.dev

$TTL    604800
@   IN  SOA app.dev. root.app.dev. (
                 15     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
app.dev.   IN NS my_name.app.dev.
app.dev.   IN A 11.11.11.11
;@  IN  A   127.0.0.1
;@  IN  AAAA    ::1
my_name     IN A 11.11.11.11
gateway     IN A 11.11.11.2
vmhost      IN A 11.11.11.1
www         IN CNAME app.dev.
stream      IN CNAME app.dev.

/etc/bind/named.conf.local

include "/etc/bind/zones.rfc1918";

zone "app.dev" {
    type master;
    file "/etc/bind/zones/db.app.dev";
};

zone "11.11.11.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.11";
};

/etc/resolv.conf

domain app.dev
search app.dev
nameserver 11.11.11.11

Here is the hosts file /etc/hosts

127.0.0.1                       localhost
11.11.11.11 my_name.app.dev     my_name

# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters

Here is what dig www.app.dev any provided:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.app.dev any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51223
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.app.dev.           IN  ANY

;; ANSWER SECTION:
www.app.dev.        604800  IN  CNAME   app.dev.

;; AUTHORITY SECTION:
app.dev.        604800  IN  NS  my_name.app.dev.

;; ADDITIONAL SECTION:
my_name.app.dev.        604800  IN  A   11.11.11.11

;; Query time: 2 msec
;; SERVER: 11.11.11.11#53(11.11.11.11)
;; WHEN: Wed Aug 13 12:48:15 2014
;; MSG SIZE  rcvd: 78

Here is the ping (ping www.app.dev):

PING www.app.dev (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.035 ms
64 bytes from localhost (127.0.0.1): icmp_req=2 ttl=64 time=0.032 ms
64 bytes from localhost (127.0.0.1): icmp_req=3 ttl=64 time=0.038 ms
^C
--- www.app.dev ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.032/0.035/0.038/0.002 ms

Is the Kerberos SPN FQDN significant to the server, or is the keytab enough?

Posted: 19 Sep 2021 06:01 PM PDT

I spend most of my time as a developer, so I'm not familiar with all the details...

I have a service running on a Linux host. I want to use Kerberos to transmit identity information to the service. Some of my clients are Windows clients attached to AD, so they already have a ticket. I understand how to use kinit to get a ticket on my *nix clients, and have verified that I can do so. I have an /etc/krb5.conf file that seems to work on my *nix clients.

I understand I need to do the following...

  1. Ask the AD admin to generate a keytab for a particular SPN.
  2. Place the keytab on my server in a place where the service can find it.
  3. Configure the clients to use the ticket and the SPN to get a token from the Kerberos infrastructure.
  4. Configure the service to receive the token and decode it using the keytab.

Here is my issue...

The SPN is usually in the form of service_name/FQDN@domain_name. My clients, however, don't construct the SPN using the host name of the service. Instead the SPN is set in a configuration file. It would be easiest for me if I could create a single SPN and use it on each instance of my server.

So I would then do the following...

  1. Create an SPN of the form service_name/some_dummy_name@domain_name.
  2. Generate the keytab and copy it to svr1.mycompany.mydomain, svr2.mycompany.mydomain, ..., svrX.mycompany.mydomain.
  3. Configure my clients with the single SPN.

I seem to think that this will work, in that the same SPN/keytab can be used on several servers with different host names when servers are clustered.

To boil it down - is the FQDN part of an SPN significant to the server, or is it just there so that typical clients can generate the proper SPN? If several servers have the same keytab, can they receive and validate the same tokens, or is something else required?

Just to emphasize, the service is a Java app on Linux, the clients are Java apps on Windows and *nix. AD would provide the Kerberos server infrastructure.
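Added here as an example, not code from the post: a reader and writer for the MIT keytab file format (the 0x0502 layout that ktpass, kadmin and ktutil produce), used to show what a service actually matches when it validates a ticket. Each keytab entry is a (principal, kvno, enctype, key) tuple; a service ticket names a server principal, kvno and enctype, and the acceptor looks up the entry with that same principal to decrypt it. The hostname of the machine the file sits on does not enter into that lookup, which is the mechanism behind the "same SPN and keytab on several servers" setup the question describes. The principal and realm names below are placeholders and the keys are random test bytes.

```python
# Added example (not from the post). Principal/realm names are placeholders,
# keys are random test bytes; the file layout is the standard v2 keytab format.
import os
import struct
import time

KEYTAB_V2 = b"\x05\x02"          # file format version 0x0502
KRB5_NT_PRINCIPAL = 1            # name type for service/host@REALM
AES256_CTS_HMAC_SHA1_96 = 18     # enctype number used in the demo

def _counted(data):
    """uint16 length followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):
    """entries: (principal, kvno, enctype, key bytes) tuples -> keytab bytes."""
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)        # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Yield one dict per live entry: principal, kvno, enctype, key, timestamp."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version 2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                           # deleted slot: skip |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                     # optional 32-bit kvno overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        yield {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
               "enctype": enctype, "key": key, "timestamp": timestamp}

def lookup_key(keytab, server_principal, enctype, kvno):
    """The acceptor's lookup: the ticket names a server principal, kvno and
    enctype; the matching entry's key decrypts it. Nothing here depends on the
    hostname of the machine the keytab file happens to sit on."""
    for e in parse_keytab(keytab):
        if (e["principal"], e["enctype"], e["kvno"]) == (server_principal, enctype, kvno):
            return e["key"]
    return None

def demo():
    """Same file on every server: each accepts tickets for the shared SPN,
    none accepts tickets for a host-specific SPN that is not in the file."""
    spn = "HTTP/svc-alias.mycompany.mydomain@MYDOMAIN"      # placeholder SPN
    key = os.urandom(32)
    kt = build_keytab([(spn, 3, AES256_CTS_HMAC_SHA1_96, key)])
    shared_ok = lookup_key(kt, spn, AES256_CTS_HMAC_SHA1_96, 3) == key
    host_spn = "HTTP/svr1.mycompany.mydomain@MYDOMAIN"       # placeholder
    host_rejected = lookup_key(kt, host_spn, AES256_CTS_HMAC_SHA1_96, 3) is None
    return shared_ok, host_rejected

if __name__ == "__main__":
    print(demo())   # (True, True)
```

Two operational consequences follow from the lookup being keyed on the principal name: the clients must ask the KDC for a ticket for exactly that principal (AD will only issue it if the SPN is registered on the account the keytab was generated from), and every server holding a copy of the file holds the same long-term key, so a compromise of any one of them exposes the SPN for all of them, and rotating the key (a new kvno) means redistributing the file to every server at once.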

Reset Mac OS X Workstation After Logout

Posted: 19 Sep 2021 07:02 PM PDT

I'm setting up a computer lab in a private school. All the students have LDAP login credentials and they store all their files on separate shared servers. After the student logs out, I would like the workstation to "reset". That includes:

  • User generated files
  • Downloaded files
  • Modified settings (background, icon placement, etc)
  • Browser history

Pretty much, reset it completely.

I have a Windows LDAP server and Mac OS X Server. Is there a built-in feature to do this?

No network after hyper v power outage

Posted: 19 Sep 2021 09:06 PM PDT

So I had a power outage yesterday and it was longer than my UPS's battery (over an hour).

Anyhow, the Hyper-V server power went out. After the power outage I booted it up, but the networking (external) on any of the NICs does not work anymore. I have 3 NICs in it, one for the host and one each for 2 VMs. I should say networking does not work over the NICs anymore. Can't ping to the server from outside, nor ping from the server.

If I go into sconfig it shows the host's NIC, as usual, plus a test internal network NIC I had not yet removed. Using coreconfig I can see those NICs as well; they show enabled and connected. Also the switch I plug into shows that they are connected (lights on, 1 Gbit connection). All networking parameters are as they should be (IP, subnet, etc.).

Using the coreconfig VM section, both VMs are up and running.

I have tried restarting, powering off completely and restarting, enabling/disabling the NIC, plugging into different switch ports, and trying a different switch. All my other servers are running fine, including two VM servers, so it's unlikely to be external to the server.

At this point I really have no idea what to try next. I don't have any spare NICs to try, but I doubt it's the NICs, considering all 3 are not functional (or, better to say, the network is not running over any of the 3 NICs).

Any suggestions as to some things I can try?

Thanks

how to use xauth to run graphical application via other user on linux

Posted: 19 Sep 2021 05:04 PM PDT

My regular user account is, let's say, user1. I created a separate user2 for some X application that I would like to run while being logged into X as user1, but in a way that will prevent it from having read/write access to user1's data. I thought that I could use xauth and sudo/su to user2 from user1 to run this application. How do I do this? I'm not sure how to configure xauth.
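Added here as an example, not code from the post: a small Python wrapper around the usual xauth/sudo hand-off. The cookie for the current display is exported from user1's authority file with `xauth extract`, merged into user2's own ~/.Xauthority with `xauth merge` (a copy of one cookie, not shared access to user1's file), and the program is then started as user2 with DISPLAY set explicitly. It assumes user2 already exists and that sudoers lets user1 run commands as user2; "user2" and "xterm" are placeholders.

```python
# Added example (not from the post). Assumes user2 exists and sudoers allows
# user1 -> user2; "user2" and "xterm" are placeholders.
import os
import subprocess

def handoff_commands(target_user, display):
    """Two stages of a pipeline: export only this display's cookie from the
    caller's authority file, and merge it into the target user's own file.
    Merging a copy (rather than sharing the file) keeps user1's file private."""
    export = ["xauth", "extract", "-", display]
    merge = ["sudo", "-u", target_user, "-H", "xauth", "merge", "-"]
    return export, merge

def launch_command(target_user, display, argv):
    """Run argv as the target user. -H sets HOME to that user's home, so xauth's
    default authority file (~/.Xauthority) is the one the cookie was merged
    into; DISPLAY is passed explicitly because sudo's env_reset may drop it."""
    return ["sudo", "-u", target_user, "-H", "env", f"DISPLAY={display}", *argv]

def run_as_x_user(target_user, argv, display=None):
    """Perform the hand-off, then launch; returns the program's exit status."""
    if display is None:
        display = os.environ.get("DISPLAY")
    if not display:
        raise RuntimeError("DISPLAY is not set; run this from inside the X session")
    export, merge = handoff_commands(target_user, display)
    cookie = subprocess.run(export, check=True, capture_output=True).stdout
    subprocess.run(merge, input=cookie, check=True)
    return subprocess.run(launch_command(target_user, display, argv)).returncode

if __name__ == "__main__":
    import sys
    sys.exit(run_as_x_user("user2", sys.argv[1:] or ["xterm"]))
```

What this does and does not isolate: user2's process is confined by ordinary file permissions, so it cannot read user1's files unless they are world-readable, but a cookie gives a client full access to the X display, and X11 does not isolate clients from one another (another client on the same display can observe input and window contents). If that matters, run the application on a nested X server such as Xephyr with its own cookie, or under a Wayland compositor. When the application is no longer needed, `sudo -u user2 -H xauth remove :0` (with the real display name) drops the copied cookie again.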
