Monday, September 6, 2021

Recent Questions - Server Fault

Windows 2019 and IIS Virtual SMTP Virtual Relay (Office 365)

Posted: 06 Sep 2021 09:04 PM PDT

I have hit a wall with this setup and I can't for the life of me figure it out, despite having set up a few other virtual SMTP servers in the past. Maybe something has changed in 2019?

I will provide as much info as possible to help you help me :)

I have installed the SMTP Server and Telnet Client features on my 2019 server, and I have followed guides and rechecked my settings to ensure all is set up correctly.

[General]

  • I have all unassigned IP addresses allowed

[Access]

  • Authentication set to 'Anonymous'
  • TLS Greyed out
  • Connection control and relay restrictions set to allow all with a blank list below.

[Messages]

  • All left as default

[Delivery]

Outbound Security

  • Basic Authentication with the Office 365 username and password set.

Outbound connection

  • TCP Port: 587

Advanced Delivery

  • Smart host is set to: smtp.office365.com

[LDAP] and [Security] tabs are default.

The Office 365 user is set to SMTP auth enabled and I have confirmed this via powershell.

telnet 127.0.0.1 25, shows:

220 mydomain.com Microsoft ESMTP MAIL Service, Version: 10.0.17763.1697 ready at Tue, 7 Sep 2021 13:53:35 +1000

However, when trying to send an email via this relay it stays in the C:\inetpub\mailroot\Queue directory and I get the below in the event log:

Message delivery to the host 'X.X.X.X' failed while delivering to the remote domain 'recipientsdomain.com' for the following reason: The remote SMTP service rejected AUTH negotiation.

I will probably kick myself once I figure this out, but I must be going mad.

edit forgot to add...

I can also telnet from the network to smtp.office365.com on port 587 and have also configured a connector in Office 365 for WAN IPs which are in use on my network.

Thanks! Bil
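The Office 365 submission endpoint on port 587 accepts AUTH only inside a TLS session: its EHLO reply before STARTTLS does not list AUTH, and a client that sends AUTH on the cleartext connection is refused. In the IIS SMTP service the outbound STARTTLS switch is the "TLS encryption" box under Delivery > Outbound Security, which needs a certificate in the machine store. The script below is an added example, not code from the post: a minimal Python submission client that performs the sequence a submission server expects (EHLO, STARTTLS, EHLO again, AUTH, then the message) and refuses to send credentials without TLS. The EHLO replies embedded for the offline check are constructed and abbreviated, and the host name, mailbox and password are placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage


def parse_ehlo(reply: bytes) -> dict:
    """Turn the text of a 250 EHLO reply (as smtplib.ehlo() returns it) into
    {EXTENSION: [parameters]}. The first line is the server's own name and is skipped."""
    exts = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            exts[parts[0].upper()] = parts[1:]
    return exts


def auth_mechanisms(exts: dict) -> set:
    """SASL mechanisms the server advertised, e.g. {'LOGIN', 'XOAUTH2'}."""
    return {m.upper() for m in exts.get("AUTH", [])}


# Constructed EHLO replies (not captures), modelled on a port-587 submission server
# that, like smtp.office365.com, advertises AUTH only once TLS is up.
EHLO_BEFORE_TLS = (b"mx.example.com Hello [203.0.113.5]\nSIZE 157286400\nPIPELINING\n"
                   b"STARTTLS\n8BITMIME\nSMTPUTF8")
EHLO_AFTER_TLS = (b"mx.example.com Hello [203.0.113.5]\nSIZE 157286400\nPIPELINING\n"
                  b"AUTH LOGIN XOAUTH2\n8BITMIME\nSMTPUTF8")


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def submit(host: str, port: int, user: str, password: str, msg: EmailMessage, timeout: float = 30.0):
    """EHLO -> STARTTLS -> EHLO -> AUTH -> send. Never falls back to cleartext AUTH."""
    ctx = ssl.create_default_context()            # verifies the server certificate and host name
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _, reply = s.ehlo()
        if "STARTTLS" not in parse_ehlo(reply):
            raise RuntimeError("server did not offer STARTTLS; not sending credentials in the clear")
        s.starttls(context=ctx)
        _, reply = s.ehlo()                       # capabilities change after TLS; EHLO again
        mechs = auth_mechanisms(parse_ehlo(reply))
        if "LOGIN" not in mechs:
            raise RuntimeError(f"AUTH LOGIN not offered after STARTTLS (offered: {sorted(mechs)})")
        s.login(user, password)                   # smtplib picks an advertised mechanism
        s.send_message(msg)


if __name__ == "__main__":
    # Placeholders: the Office 365 mailbox must have SMTP AUTH enabled, as in the post.
    submit("smtp.office365.com", 587, "relay@example.com", "app-password",
           build_message("relay@example.com", "someone@example.org", "relay test", "hello"))
```

Running this from the same Windows box (with the placeholders replaced) tells you whether the mailbox, password and tenant connector are fine independently of the IIS SMTP service; if it succeeds while the IIS queue still stalls, the difference is in how IIS negotiates the outbound session rather than in the account.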

neg. lookahead not working for postfix header

Posted: 06 Sep 2021 08:50 PM PDT

I'm trying to exclude all emails not received from a mainstream domain. The full Postfix regex in /etc/postfix/header_checks is:

/Received:(?!.*\.((net|com|edu|gov|org|info)))/m DISCARD

But the negative lookahead is failing to match longer header strings. These longer header strings are seen in emails that are automatically forwarded from a Gmail account (in the example below, forwarded from rocketman600@gmail.com to hello@mydomain.com):

Received: by 2002:a05:651c:98a:: with SMTP id b10mr2387341ljq.280.1630748063910;?        Sat, 04 Sep 2021 02:34:23 -0700 (PDT) from mail-lj1-f176.google.com[209.85.208.176]; from=<rocketman600+caf_=hello=mydomain.com@gmail.com> to=<hello@mydomain.com> proto=ESMTP helo=<mail-lj1-f176.google.com>  

Is it something to do with the ;? part of the string? I have no idea why it's failing. Thanks, MD
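To see what the rule actually does, here is an added test harness (not from the post) that runs the posted pattern over constructed logical header lines with Python's re, which for this pattern behaves like the PCRE engine Postfix uses when the table is declared as pcre: (a regexp: table is POSIX and has no lookahead at all). Postfix joins folded continuation lines before matching, so the lookahead's leading .* scans the whole Received line: a .com anywhere, including in the receiving host or the envelope addresses, makes the negative lookahead fail and the line is not discarded. The second pattern is an assumption added here; it restricts the test to the host named after "from".

```python
import re

# The pattern from the post. In a pcre: table /m only changes ^ and $, so re.M is equivalent.
POSTED = re.compile(r"Received:(?!.*\.((net|com|edu|gov|org|info)))", re.M)

# Added variant: test only the host that follows the first "from " (the sending relay),
# and require a word boundary after the TLD so ".community" does not count as ".com".
BY_SENDING_HOST = re.compile(
    r"^Received:.*?\bfrom\s+(?![\w.-]*\.(?:net|com|edu|gov|org|info)\b)", re.M)

# Constructed logical header lines (continuations already joined, as Postfix does).
HEADERS = {
    "non-mainstream sender, internal receiver":
        "Received: from relay.example.xyz (relay.example.xyz [198.51.100.7]) by mx.mydomain.internal",
    ".com sender, internal receiver":
        "Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.mydomain.internal",
    "forwarded Gmail header from the post":
        "Received: by 2002:a05:651c:98a:: with SMTP id b10mr2387341ljq.280.1630748063910; "
        "Sat, 04 Sep 2021 02:34:23 -0700 (PDT) from mail-lj1-f176.google.com[209.85.208.176]; "
        "from=<rocketman600+caf_=hello=mydomain.com@gmail.com> to=<hello@mydomain.com> "
        "proto=ESMTP helo=<mail-lj1-f176.google.com>",
    "non-mainstream sender, but the receiving host is a .com":
        "Received: from relay.example.xyz (relay.example.xyz [198.51.100.7]) by mx.mydomain.com",
}


def discards(pattern: re.Pattern, header: str) -> bool:
    """True when a header_checks rule with this pattern would fire (DISCARD) on the line."""
    return pattern.search(header) is not None


def compare(headers: dict = HEADERS) -> dict:
    """{label: (posted rule discards?, sending-host rule discards?)} for every sample."""
    return {label: (discards(POSTED, h), discards(BY_SENDING_HOST, h)) for label, h in headers.items()}


if __name__ == "__main__":
    for label, (posted, strict) in compare().items():
        print(f"{posted!s:5} {strict!s:5}  {label}")
```

The last sample is the one to look at: the sender is not on the TLD list, yet the posted rule does not discard it because ".com" occurs later in the same line. Whichever way the rule is written, DISCARD on a Received header is a blunt instrument, and a pcre: table with `postmap -q "…" pcre:/etc/postfix/header_checks` lets you test a line before mail is silently dropped.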

How can I migrate soft raid array made by mdadm to new server and new OS?

Posted: 06 Sep 2021 08:43 PM PDT

I have a RAID array whose level is raid0, made by mdadm, on my old server. The members of this array are 6 NVMe SSDs, and I created the array with the command below:

sudo mdadm -C /dev/md0 -l 0 -n 6 /dev/nvme0n1 /dev/nvme1n1 /dev/nvme2n1 /dev/nvme3n1 /dev/nvme4n1 /dev/nvme5n1  

Last week my old server's OS disk (not this array) broke. Since the old server's IPMI has some hardware problem, I installed a new OS on a new server and plugged all 6 NVMe SSDs into the new server. After rebooting the server, I found that the device /dev/dm0 does not exist. Then I tried executing the command below:

~$ sudo mdadm --assemble --scan
mdadm: No arrays found in config file or automatically

I wonder how I can get my soft RAID disk back?
Thank you in advance.
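Before reassembling a RAID0 set on a new OS it is worth confirming that all six members still carry matching superblocks, since with RAID0 a single missing or foreign member means there is nothing to recover. The following is an added example, not from the post: it parses the text that mdadm --examine prints for each member, checks that Array UUID, metadata version, level and device count agree and that every device role 0..N-1 is present, and only then emits the explicit mdadm --assemble command and the ARRAY line for mdadm.conf. The mdadm output embedded here is constructed to look like the poster's six-device array; the UUID and host name are invented.

```python
import re


def sample_examine(roles=range(6)) -> str:
    """Constructed stand-in for `mdadm --examine /dev/nvme[0-5]n1` output (not real data)."""
    blocks = []
    for i in roles:
        blocks.append(
            f"/dev/nvme{i}n1:\n"
            "          Magic : a92b4efc\n"
            "        Version : 1.2\n"
            "     Array UUID : 1f2a3b4c:5d6e7f80:91a2b3c4:d5e6f708\n"
            "           Name : oldserver:0\n"
            "     Raid Level : raid0\n"
            "   Raid Devices : 6\n"
            f"    Device Role : Active device {i}\n")
    return "\n".join(blocks)


def parse_examine(text: str) -> dict:
    """{device: {field: value}} from concatenated `mdadm --examine` blocks.
    Only the first colon splits a line, so values such as the UUID keep their colons."""
    members, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(/dev/\S+):\s*$", line)
        if header:
            current = members.setdefault(header.group(1), {})
            continue
        if current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return members


def plan_assembly(members: dict, md: str = "/dev/md0") -> dict:
    """Cross-check the superblocks; return the assemble command and config line, or the problems."""
    problems = []

    def agreed(field):
        values = {m.get(field) for m in members.values()}
        if len(values) != 1:
            problems.append(f"{field} differs across members: {sorted(map(str, values))}")
            return None
        return values.pop()

    uuid, level, version, count = (agreed(f) for f in ("Array UUID", "Raid Level", "Version", "Raid Devices"))
    roles = {}
    for dev, m in members.items():
        role = re.fullmatch(r"Active device (\d+)", m.get("Device Role", ""))
        if role:
            roles[int(role.group(1))] = dev
        else:
            problems.append(f"{dev}: Device Role is {m.get('Device Role')!r}, not an active member")
    if count is not None:
        missing = set(range(int(count))) - set(roles)
        if missing:
            problems.append(f"missing member role(s) {sorted(missing)}; a {level} array cannot start without them")
    if problems:
        return {"problems": problems, "assemble": None, "config": None}
    devices = " ".join(roles[i] for i in sorted(roles))   # explicit list, in role order
    return {"problems": [],
            "assemble": f"mdadm --assemble {md} {devices}",
            "config": f"ARRAY {md} metadata={version} UUID={uuid}"}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_examine()
    plan = plan_assembly(parse_examine(text))
    print("\n".join(plan["problems"]) or f"{plan['assemble']}\n{plan['config']}")
```

Save the real output with `mdadm --examine /dev/nvme[0-5]n1 > examine.txt` and pass the file name. Assembling by explicit device list sidesteps the empty mdadm.conf on the fresh install; once the array is up, `mdadm --detail --scan` gives the line to append to mdadm.conf (/etc/mdadm/mdadm.conf on Debian-family, /etc/mdadm.conf on Red Hat-family) so it comes back after the next boot.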

Why does Windows Server 2008 R2 send/forward strong DNS requests or data?

Posted: 06 Sep 2021 09:09 PM PDT

My server guy has COVID-19 and cannot work because of this, so I'm sorry if this is a simple question.

I was checking my server (Windows Server 2008 R2) and found that there is a high sending bit rate but no receiving (it is always zero) to URLs/websites like the ones below:

99-74-190-20.lightspeed.iplsin.sbcglobal.net
047-234-166-054.res.spectrum.com

It seems to be related to the DNS role (installed on my server), and when I stop this service, all the data being sent to the hosts shown in the screenshot stops.

Is this normal or not, and should I stop/block them? And how?

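A DNS service that sends far more than it receives, to residential addresses it has no business with, is worth checking for open recursion: a server that answers recursive queries for anyone can be used to bounce large replies at spoofed victim addresses, and the spoofed queries are small while the replies are not. The script below is an added example, not from the post: a stdlib-only probe that sends one recursive query to a server and reports whether it recursed and the reply-to-query size ratio. Run it from a host outside your network against the server's public address; the two replies embedded for the offline check are constructed, not captures. On Server 2008 R2, if the server only needs to serve its own zones, recursion is turned off with `dnscmd /Config /NoRecursion 1`; if it must recurse for internal clients, UDP/TCP 53 from the internet should be limited to those clients at the firewall.

```python
import secrets
import socket
import struct


def build_query(qname: str, qtype: int = 1, recursion_desired: bool = True):
    """Minimal DNS query (header + one question, no EDNS). Returns (transaction id, packet)."""
    tid = secrets.randbits(16)
    flags = 0x0100 if recursion_desired else 0x0000        # RD bit
    header = struct.pack(">HHHHHH", tid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return tid, header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header into the fields an open-resolver check needs."""
    tid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": tid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": an}


def assess(resp: bytes, query_len: int) -> dict:
    """Did the server recurse for us, and how much bigger was the reply than the query?"""
    r = parse_header(resp)
    r["recursed_for_us"] = r["qr"] and r["ra"] and r["rcode"] == 0 and r["answers"] > 0
    r["amplification"] = round(len(resp) / query_len, 2)
    return r


def probe(server: str, qname: str = "example.com", port: int = 53, timeout: float = 3.0) -> dict:
    """Send one recursive query to `server` and assess the reply. Use a name the server is
    not authoritative for, otherwise it answers from its own zone without recursing."""
    tid, pkt = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        data, _ = s.recvfrom(4096)
    if len(data) < 12 or parse_header(data)["id"] != tid:
        raise ValueError("short reply or transaction id mismatch")
    return assess(data, len(pkt))


# Constructed replies (not captures) to the example.com A query built above: one from a
# server that recursed and answered 192.0.2.1 with a 3600s TTL, one that refused (RCODE 5).
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
REPLY_RECURSED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                  + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
REPLY_REFUSED = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))        # e.g. python probe.py 203.0.113.10
```

A reply with `recursed_for_us` true from an address that should have no relationship with the server is the finding; the `amplification` figure is small for a bare A query but grows quickly with ANY or large TXT records, which is what reflection abuse asks for.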

How to debug the cause of my suddenly extremely slow running database backups maintenance plan?

Posted: 06 Sep 2021 07:20 PM PDT

(Originally posted on DBA.StackExchange.com but closed, hopefully more relevant here.)

Alexander and the Terrible, Horrible, No Good, Very Bad...backups.

The Setup:

I have an on-premises SQL Server 2016 Standard Edition instance running on a virtual machine from VMWare.

@@Version:

Microsoft SQL Server 2016 (SP2-CU17) (KB5001092) - 13.0.5888.11 (X64) Mar 19 2021 19:41:38 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows Server 2016 Datacenter 10.0 (Build 14393: ) (Hypervisor)

The server itself is currently allocated 8 virtual processors, has 32 GB of memory, and all the disks are NVMes which get around 1 GB/sec of I/O. The databases themselves live on the G: drive, and the backups are separately stored on the P: drive. The total size across all of the databases is about 500 GB (before being compressed into the backup files themselves).

The maintenance plan runs once a night (around 10:30 PM) to do a full backup of every database on the server. Nothing else out of the ordinary is running on the server, nor is anything else running at that time in particular. The Power Plan of the server is set to "Balanced" (and "Turn off hard disk after" is set to 0 minutes, aka never turn it off).

What Happened:

For the last year or so, the total runtime for the maintenance plan job took about 15 minutes total to complete. Since last week, it has skyrocketed to taking about 40x as long, about 15 hours to complete.

The only thing I'm aware of changing on the same day the maintenance plan slowed down was the following Windows updates were installed on the machine prior to the maintenance plan running:

Windows Updates

  1. KB890830
  2. KB5004752
  3. KB5005043
  4. VMWare - SCSIAdapter - 1.3.17.0
  5. VMWare - Display - 8.17.2.14

We also have another similarly provisioned SQL Server instance on another VM that underwent the same Windows updates, and then subsequently experienced slower backups as well after. Thinking the Windows updates were directly the cause, we rolled them back completely, and the backups maintenance plan still runs extremely slow anyway. Weirdly, restoring the backups for a given database happens very quickly, and uses almost the full 1 GB/sec of I/O on the NVMes.

Things I've Tried:

When using Adam Machanic's sp_whoisactive, I've identified that the Last Wait Types of the backup processes are always indicative of a disk performance issue. I always see BACKUPBUFFER and BACKUPIO wait types, in addition to ASYNC_IO_COMPLETION:

sp_whoisactive

When looking at the Resource Monitor on the server itself, during the backups, the Disk I/O section shows that the total I/O being utilized is only about 14 MB/sec (the most I've ever seen since this issue occurred is 30 MB/sec):

Resource Monitor

After stumbling on this helpful Brent Ozar article on using DiskSpd, I tried running it myself under similar parameters (only lowering the number of threads to 8 since I have 8 virtual processors on the server and setting the writes to 50%). This is the exact command diskspd.exe -b2M -d60 -o32 -h -L -t8 -W -w50 "C:\Users\...\Desktop\Microsoft DiskSpd\Test\LargeFile.txt". I used a text file I manually generated that's just under 1 GB big. I believe the I/O it measured seems OK, but the disk latencies were showing some ludicrous numbers:

DiskSpd Results 1

DiskSpd Results 2

The DiskSpd results seem literally unbelievable. After further reading, I stumbled on a query from Paul Randal that returns disk latency metrics per database. These were the results:

Paul Randal - Disk Latency Metrics

The worst Write Latency was 63 milliseconds and the worst Read Latency was 6 milliseconds, so that seems to be a big variance from DiskSpd, and doesn't seem terrible enough to be the root cause of my issue. Cross-checking things further, I ran a few PerfMon counters on the server itself, per this Microsoft article, and these were the results:

PerfMon Results

Nothing extraordinary here, the max value of all the counters I measured was 0.007 (which I believe is milliseconds?). Finally, I had my Infrastructure team check the disk latency metrics that VMWare was logging during the backups job and these were the results:

VMWare Disk Latency and I/O Logs

Seems like at worst, there was a spike of latency of about 200 milliseconds around midnight, and the highest I/O was 600 KB/sec (which I don't really understand since the Resource Monitor is showing that the backups are at least using around 14 MB/sec of I/O).

Other Things I've Tried:

I just tried restoring one of the larger databases (it's about 250 GB) and it only took about 8 minutes total to restore. Then I tried running DBCC CHECKDB on it and that took a total of 16 minutes to run (not sure if this is normal) but Resource Monitor showed similar I/O problems (the most I/O it ever utilized was 100 MB/s), with nothing else running:

Resource Monitor for DBCC CHECKDB

Here is sp_whoisactive results when I first ran DBCC CHECKDB and then after it was 5% complete, notice the Estimated Time Remaining increased about 5 minutes even after it was already 5% done.

Start: sp_whoisactive DBCC CHECKDB Start

5% Done: sp_whoisactive DBCC CHECKDB 5% Done

I'm guessing this is normal with it just being an estimate, and 16 minutes doesn't seem too bad for a 250 GB database (though I'm not sure if that's normal) but again the I/O was only maxing out at about 10% of the drive's capabilities, with nothing else running on the server or the SQL instance.

These are the results of DBCC CHECKDB, no errors reported.

I also have been experiencing weird slowness issues with the SHRINK command. I just tried to SHRINK the database which had 5% space to release (about 14 GB). It only took about 1 minute for it to complete 90% of the SHRINK:

Shrink Quickly At 90%

About 5 minutes later, and it's still stuck at the same percent complete, and my Transaction Log Backups (that usually finish in 1-2 seconds) have been under contention for about 30 seconds:

Shrink Stuck at 90%

15 minutes later and the SHRINK just finishes, while the Transaction Log Backups are still under contention for about 6 minutes now, and only 50% complete. I believe they immediately finished right after that since the SHRINK finished. The whole time the Resource Monitor showed the I/O sucking still:

Shrink Finished

Resource Monitor for Shrink

Then I got an error with the SHRINK command when it finished:

Shrink Error

I retried SHRINK again and it resulted in the same exact outcome as above.

Then I tried manually scripting a T-SQL backup to a file on the P: drive and that ran slow just like the maintenance plan backup job:

T-SQL Manual Backup

I ended up cancelling it after about 3 minutes, and it immediately rolled back.

Summary:

Coincidentally, the backups maintenance plan job got about 40x slower (from 15 minutes to 15 hours) every night, right after Windows updates were installed. Rolling back those Windows updates didn't fix the issue. SQL Server Wait Types, Resource Monitor, and Microsoft DiskSpd indicate a disk problem (I/O in particular), but all other measurements from Paul Randal's query, PerfMon, and VMWare Logs don't report any issues with the disks. Restoring the backups for a particular database is quick and uses almost the full 1 GB/sec I/O. I'm scratching my head...

Accessing dict subelement value

Posted: 06 Sep 2021 07:17 PM PDT

Here's my playbook

- name: Host's luns
  debug:
    msg: "{{ luns }}"
  vars:
    luns: "{{ ansible_facts.lvm.pvs }}"

And the output for this is

TASK [Luns del vg] ************************************************************
ok: [awxworker_rhel6] => {
    "msg": {
        "/dev/sda2": {
            "free_g": "20.72",
            "size_g": "79.72",
            "vg": "vg00"
        },
        "/dev/sdb1": {
            "free_g": "3.99",
            "size_g": "4.99",
            "vg": "vg01"
        },
        "/dev/sdc1": {
            "free_g": "0.99",
            "size_g": "4.99",
            "vg": "vg02"
        },
        "/dev/sdd1": {
            "free_g": "4.99",
            "size_g": "4.99",
            "vg": "vg01"
        }
    }
}

I need to get the luns of a matched vg

E.g.: "The vg01 luns are: /dev/sdb1 /dev/sdd1"

I have tried this, among other ways:

- name: Luns del VG
  set_fact:
    vg_luns: "{{ item }}"
  with_items: "{{ ansible_facts.lvm.pvs }}"
  vars:
    VGname: "{{ VG }}"
  when: ansible_facts.lvm.pvs.vg_luns.vg == VGname

- name: Print VG's luns
  debug:
    msg:
      - "The {{ VGname }} luns are: {{ vg_luns }}"

VG is an extravariable where I put the matched VGname

$ ansible-playbook -i proyects/Inventory/awx_hosts -l testhost getvgluns.yml -e VG=vg01  

Hope you can help

Thanks in advance!  

Blocking a location in apache reverse proxy with require directives not working correctly

Posted: 06 Sep 2021 06:03 PM PDT

So I have a virtual host reverse proxy pointing to a service at servicesubdoamin.mydomain.com, and that service has an admin page at servicesubdoamin.mydomain.com/admin. I want to block access to the admin page and only allow it from local IPs. I've tried a couple of different things that should work; however, when I try to access the page from outside my local network it gets served with no issue.

This is what I currently have:

<VirtualHost *:443>
    SSLEngine on
    ServerName servicesubdoamin.mydomain.com
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

    ProxyPreserveHost On
    ProxyRequests off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    <Location "/admin">
        <RequireAll>
            Require ip 192.168.1
        </RequireAll>
    </Location>

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://127.0.0.1:3012/$1 [P,L]
    ProxyPass / http://127.0.0.1:888/
    ProxyPassReverse / http://127.0.0.1:888/

    ErrorLog ${APACHE_LOG_DIR}/service-error.log
    CustomLog ${APACHE_LOG_DIR}/service-access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

but I have also tried

<Location /admin>
    <RequireAll>
        Require ip 192.168.1
    </RequireAll>
</Location>

<Location /admin>
    Require ip 192.168.1
</Location>

and also placing the <Location> directive with all the different variations under the ReWriteEngine block to get

<VirtualHost *:443>
    SSLEngine on
    ServerName servicesubdoamin.mydomain.com
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

    ProxyPreserveHost On
    ProxyRequests off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /notifications/hub(.*) ws://127.0.0.1:3012/$1 [P,L]
    ProxyPass / http://127.0.0.1:888/
    ProxyPassReverse / http://127.0.0.1:888/

    <Location "/admin">
        <RequireAll>
            Require ip 192.168.1
        </RequireAll>
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/service-error.log
    CustomLog ${APACHE_LOG_DIR}/service-access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

But nothing works. I can't seem to block this page; any and all help is greatly appreciated.

How to host encrypted users' files in a way that I won't be able to read them?

Posted: 06 Sep 2021 08:40 PM PDT

I am making plans for a new project and looking for a way to allow users to upload their files and keep them encrypted and accessible only by them, but at the same time I need their contacts to be able to access the files too.

To explain a little bit more:

  • User uploads the file(s) on my server via a web application.
  • I (the server) should not have access to the files' contents.
  • Contacts of the user should be able to have access to the files, IF the user decides to share the files with them.

Is something like that even possible?
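It is possible, and the usual shape is client-side encryption with a random key per file that is then wrapped to each authorised user's public key, so the server stores only ciphertext and wrapped keys and never holds a private key. Sharing means the owner re-wraps the file key for the contact; the file itself is not re-uploaded. The code below is an added example written for this page, not code from the poster's project: it uses the cryptography package (X25519 key agreement, HKDF, AES-256-GCM), and the user names, the Server and Client classes, the HKDF label and the envelope layout (ephemeral public key, nonce, AES-GCM ciphertext) are choices made for the example rather than any standard.

```python
import os
from dataclasses import dataclass, field

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

WRAP_INFO = b"example-file-key-wrap-v1"  # assumed context label for this example, not a standard value


def _kek(shared_secret: bytes) -> bytes:
    """Derive a 256-bit key-encryption key from an X25519 shared secret."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=WRAP_INFO).derive(shared_secret)


def wrap_key(file_key: bytes, recipient_pub: X25519PublicKey) -> bytes:
    """Encrypt file_key to recipient_pub (ephemeral X25519 + HKDF + AES-256-GCM).
    Envelope layout chosen for this example: ephemeral pubkey (32) || nonce (12) || ciphertext."""
    eph = X25519PrivateKey.generate()
    eph_pub = eph.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    nonce = os.urandom(12)
    return eph_pub + nonce + AESGCM(_kek(eph.exchange(recipient_pub))).encrypt(nonce, file_key, eph_pub)


def unwrap_key(envelope: bytes, recipient_priv: X25519PrivateKey) -> bytes:
    """Inverse of wrap_key; raises InvalidTag when recipient_priv is not the matching key."""
    eph_pub, nonce, ct = envelope[:32], envelope[32:44], envelope[44:]
    shared = recipient_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    return AESGCM(_kek(shared)).decrypt(nonce, ct, eph_pub)


@dataclass
class StoredFile:
    ciphertext: bytes                              # nonce || AES-GCM ciphertext of the file body
    envelopes: dict = field(default_factory=dict)  # user name -> wrapped file key


class Server:
    """What the operator runs: public keys, ciphertext and wrapped keys, never a private key or plaintext."""

    def __init__(self):
        self.pubkeys, self.files = {}, {}

    def register(self, user, pub):
        self.pubkeys[user] = pub

    def put(self, owner, ciphertext, envelope):
        file_id = os.urandom(8).hex()
        self.files[file_id] = StoredFile(ciphertext, {owner: envelope})
        return file_id

    def add_envelope(self, file_id, user, envelope):
        self.files[file_id].envelopes[user] = envelope

    def get(self, file_id, user):
        f = self.files[file_id]
        return f.ciphertext, f.envelopes[user]     # KeyError: never shared with this user


class Client:
    """Runs in the user's browser or app; the private key is generated here and never uploaded."""

    def __init__(self, name, server):
        self.name, self.server, self.priv = name, server, X25519PrivateKey.generate()
        server.register(name, self.priv.public_key())

    def upload(self, data: bytes) -> str:
        file_key = AESGCM.generate_key(bit_length=256)          # fresh random key per file
        nonce = os.urandom(12)
        ciphertext = nonce + AESGCM(file_key).encrypt(nonce, data, None)
        return self.server.put(self.name, ciphertext, wrap_key(file_key, self.priv.public_key()))

    def _file_key(self, file_id):
        return unwrap_key(self.server.get(file_id, self.name)[1], self.priv)

    def download(self, file_id) -> bytes:
        ciphertext = self.server.get(file_id, self.name)[0]
        return AESGCM(self._file_key(file_id)).decrypt(ciphertext[:12], ciphertext[12:], None)

    def share(self, file_id, contact):
        """Re-wrap the file key for the contact's public key; the file itself is not re-uploaded."""
        self.server.add_envelope(file_id, contact, wrap_key(self._file_key(file_id), self.server.pubkeys[contact]))


def wrong_key_rejected() -> bool:
    """An envelope wrapped for one key must fail authentication under any other key."""
    a, b = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    envelope = wrap_key(b"\x01" * 32, a.public_key())
    assert unwrap_key(envelope, a) == b"\x01" * 32
    try:
        unwrap_key(envelope, b)
    except InvalidTag:
        return True
    return False


def demo():
    """Owner uploads and shares with one contact; returns (owner_ok, contact_ok, server_sees_plaintext, stranger_ok)."""
    server = Server()
    alice, bob, mallory = Client("alice", server), Client("bob", server), Client("mallory", server)
    secret = b"constructed sample content: quarterly numbers"
    file_id = alice.upload(secret)
    alice.share(file_id, "bob")
    server_sees_plaintext = secret in server.files[file_id].ciphertext
    try:
        mallory.download(file_id)
        stranger_ok = True
    except KeyError:
        stranger_ok = False
    return alice.download(file_id) == secret, bob.download(file_id) == secret, server_sees_plaintext, stranger_ok
```

What this does not solve is trust and recovery: the server hands out the contacts' public keys, so a malicious or compromised operator can substitute its own key for a contact's unless users verify keys out of band or against a transparency log; the user's private key has to live somewhere that survives a lost device (password-derived, or escrowed in a form the server cannot open); and unsharing is only real if the file is re-encrypted under a new key, because a contact who once held the file key keeps it. The server also still sees metadata: sizes, timestamps and who shares with whom.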

Obtaining the CPU L2 shared memory percentage of usage on a Linux machine

Posted: 06 Sep 2021 04:52 PM PDT

On Linux-based systems, how can I estimate or maybe read the CPU L2 shared memory percentage of usage?

How should I set my nginx configuration to use subdomains with CNAME host record?

Posted: 06 Sep 2021 06:06 PM PDT

Running Debian 11.

How should I add my subdomain to my site using my CNAME DNS records? My website directory is located at /var/www/ and I'm wondering if I can make a subdirectory for the subdomain within that directory.

i.e. /var/www/domain-dir/subdomain-dir

Can I add the subdomain server_name right in my sites-available config file?

I don't want to create tons of A/AAAA records to point to my subdomain as it could become messy as I'll likely create more subdomains later, blog.example.com, git.example.com, etc..

Sorry if this post is long, I'm new to this and don't know how to make it more concise!

Can I learn for the RHCSA on EC2?

Posted: 06 Sep 2021 05:41 PM PDT

I have a MacBook with an M1 processor and I want to study for the RHCSA exam. There are no ARM distributions yet and I can't create a local environment; would it be OK to provision an EC2 CentOS instance? I'm just afraid that I won't be able to recreate some test cases.

Configuring IPv6 to expose local device(s) to the internet

Posted: 06 Sep 2021 08:58 PM PDT

I am trying to expose a local client to the net to host a website. I am struggling to understand IPv6.

Current setup:

ISP --> bridged ISP router --> TP-Link router --> LAN  

I've configured the TP-Link router to use IPv6. In the router's menu I see:

The "global address" under "IPv6/WAN" is

XXXX:YYY:ZZZ:aaa:RRRR:TTTT:UUUU:VVVV  

The "LAN IPv6 address" under "IPv6/LAN" is

XXXX:YYE:ZZZ:aaa:<some local address>  

My questions:

  • What is the difference? I thought XXXX:YYY:ZZZ was assigned to my own network. The "LAN" subtitle says "Configure the LAN IPv6 address of the router." What is a LAN address? Why is it almost, but not quite, the same as the router address? Compare YYY with YYE. I expected it to be the same since the router's address is the entry point to my local network.
  • I am not sure if my devices are already exposed or not. If not, what do I have to do to expose a single device? I have also not seen any port-related setting, but then how do I publish only one app (listening on, say, port 8080) and not everything on the device?

Nginx Reverse proxy excluding files

Posted: 06 Sep 2021 09:02 PM PDT

I have a landing page built with WordPress hosted on example.com, and an app running on app.example.com on an external URL. When a user tries to access WordPress files, they should be served from example.com, and if that URL or folder is not available the URL must be masked and go to the remote URL as example.com/$1. I've tried using an nginx reverse proxy but it is not working.

location / {
    try_files $uri $uri/ /index.php?$query_string @proxy;
}

location @proxy {
    proxy_pass https://example.com/$1;
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Why and how is Postfix automatically reading main.cf file?

Posted: 06 Sep 2021 05:19 PM PDT

Today I changed the TLS cert paths in the Postfix main.cf file. Those paths turned out to be broken.

Within a few minutes, Postfix had read those changed paths and my TLS connections broke (because of the broken paths).

Question 1: Why does Postfix automatically read changes from the main.cf file? Is it documented? I can't find any information about it.

Question 2: Can I turn off this behaviour? I expected Postfix to replace certs after reload of the service, not on the fly.

Thanks

rdiff-backup on Windows: source from volume root, ignore $recycle.bin and "System Volume Information"

Posted: 06 Sep 2021 05:10 PM PDT

I'm trying to use rdiff-backup in Windows, using the root of a local disk as a source and a local folder on a different local disk as a destination.

rdiff-backup keeps crashing when it tries reading the "System Volume Information" folder; I am trying to discover what syntax may cause it to ignore that one, and "$RECYCLE.BIN" as well; I tried giving an ignore file with those absolute paths in it, with paths with those prefixed with ** to try and match any files like that, ran an experiment to see if it would ignore those if I created them in a test folder (which succeeded), etc.

So, is there a syntax that will cause rdiff-backup to ignore those in the root of a mounted drive?

As a starting point I tried:

rdiff-backup backup --ignore 'y:/$RECYCLE.BIN' --ignore 'y:/System Volume Information' y:/ z:/backup-y  

but had no joy.

How do I disable Bitlocker Encryption settings using Intune?

Posted: 06 Sep 2021 05:34 PM PDT

We've activated Intune Bitlocker encryption and configured it needs a password to unlock.

Since we don't want our users to change the Bitlocker pin, we want to disable the Settings below.

Bitlocker Encryption settings

For all non-Germans, it's under:

Control Panel\System and Security\BitLocker Drive Encryption  

Thanks for any help! :)

OpenVPN fails to reconnect with wake-on-LAN after long sleep

Posted: 06 Sep 2021 09:06 PM PDT

I have a Raspberry Pi at my parents' house with PiVPN set up and configured to provide a personal VPN service for me and a few friends. This VPN has worked flawlessly since the beginning; I have used it with my PC and never got an error.

I recently set up another computer with Windows 10 at my parents' house to act as a server for various purposes (in case it is related to this issue, I use it as a home multimedia server with Plex Media Server and also as a Git repository for personal use). I need it to connect automatically to the VPN, so I did the following:

  1. I configured PiVPN to generate the corresponding .ovpn file, installed the OpenVPN GUI client on the new server machine and imported the .ovpn file. As a matter of fact, I configured static IPs for all the connections to my VPN as I want them to always have the same IPs.
  2. I configured OpenVPN to connect automatically at server startup. I achieved this by placing a shortcut to OpenVPN GUI in the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, and that shortcut had this argument: "C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --connect ServerW10.ovpn
  3. I configured the server BIOS to boot automatically whenever AC power comes back (so the server boots up again after a power cut) and I also configured it to log in automatically to the user I created when installing Win10. With this, the server is hopefully always logged in whenever it is powered on.

  4. As I am concerned about power consumption on my parents' house, I configured this server to sleep after 3h of inactivity (Windows 10 settings) and to sleep always (with a batch script) when reaching 2AM

  5. Due to the automatic sleep stuff, I configured the BIOS to accept Wake-on-LAN packets to wake up the server. I tested this several times and it worked nicely. This way I could wake up the server whenever I needed to for 3h (enough for my purposes).

  6. I spent a few days testing the server: putting it to sleep manually, letting it sleep after 3h of inactivity, forcing shutdown, etc, and OpenVPN always worked nice and reconnected without issues.

Now the problem appeared when I tested the VPN connection to the server after the "2AM sleep". I woke up the server and then tried to ping it as usual on its static VPN IP, but I couldn't reach it. I logged in through TeamViewer to check what was happening, and when I opened OpenVPN's GUI I found that it was stuck in a loop like this:

Thu Mar 01 10:26:28 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Thu Mar 01 10:26:28 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Mar 01 10:26:28 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Thu Mar 01 10:26:29 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Mar 01 10:26:29 2018 TCP/UDP: Preserving recently used remote address: [AF_INET](my ip):(my port)
Thu Mar 01 10:26:29 2018 UDP link local: (not bound)
Thu Mar 01 10:26:29 2018 UDP link remote: [AF_INET](my ip):(my port)
Thu Mar 01 10:27:29 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 01 10:27:29 2018 TLS Error: TLS handshake failed
Thu Mar 01 10:27:29 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 01 10:27:34 2018 TCP/UDP: Preserving recently used remote address: [AF_INET](my ip):(my port)
Thu Mar 01 10:27:34 2018 UDP link local: (not bound)
Thu Mar 01 10:27:34 2018 UDP link remote: [AF_INET](my ip):(my port)
Thu Mar 01 10:28:34 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 01 10:28:34 2018 TLS Error: TLS handshake failed
etc...

I tested the VPN with my PC and it works nicely as usual, so my best bet is that it's the server's fault.

I personally think that it may have something to do with the batch script I made and scheduled to run at 2AM to put the PC to sleep, because I had no problems with the other sleep methods (manual sleep and inactivity sleep). The batch script looks like this:

rundll32.exe powrprof.dll,SetSuspendState 0,1,0  

I used this script because I saw a tutorial on how to write a batch script for this. As that tutorial said, I also ran the following command in order to sleep instead of hibernate:

Powercfg -H OFF  

What could be the problem?

Windows 10 Group Policy Preferences Drive Maps failing over Wireless

Posted: 06 Sep 2021 08:08 PM PDT

I'm struggling getting Group Policy Preferences Drive Mapping to work over wireless (WPA2-Enterprise using Certificates) from our Windows 10 Surface Pro 4s. The Active Directory user account's Home Folder drive map also does not appear. All of these paths use DFS (Server 2008 R2).

Shortly after login, a manual Gpupdate will cause the mapped drives to appear. Waiting 30 seconds before login also works.

We've had the "Always wait for the network at computer startup and logon" enabled since XP days. I tried setting the "Specify startup policy processing wait time" to 60 but this made no difference (nor did it lengthen boot). The wireless NIC does not appear to have a "Wait For Link" type setting to enable.

Event logs show Event ID 4098 with source "Group Policy Drive Maps" saying the preference item "failed with error code '0x80070035 The network path was not found.'"

I had wondered if the underlying problem might be the new UNC Hardening feature but even adding an exception for "\\DomainNetBIOSname" did not help. (See here: Windows 10: Group Policy fails to apply directly after boot, succeeds later)

The only significant clue to what's going on is that when I changed my user account home folder to a direct UNC path to the server rather than via DFS, my home drive was able to appear correctly. The DFS Client service (as seen in regedit) already has a Start type signifying "System".

I'm not sure where to go from here. Does anyone have any ideas? Thanks!

Credential Manager has been disabled by Administrator and cannot re-enable

Posted: 06 Sep 2021 06:03 PM PDT

I'm having trouble getting a Windows 7 work computer to keep credentials for a mapped drive. Whenever I load Credential Manager, I get "Windows Credentials have been disabled by your Administrator." I'm logged into an Administrator account (but not the built-in account), and haven't had much luck removing this restriction.

The computer is not on a domain, so there is no domain policy enforcing this. I checked gpedit.msc, and looked under:

Computer > Windows Settings > Security Settings > Local Policies > Security Options

I found the option Network Access: Do not allow storage of passwords and credentials for network authentication, but it is already disabled. I performed this check on both the server and user computer.

I made sure it is in the same work group as all of the other computers. I tried CCleaner to see if maybe there was a registry issue, but it just found missing .DLLs and unnecessary file types.

I was trying VaultCMD in Command Prompt, and created a new Vault, but I don't have the proper option to store the credentials for the server.

Any suggestions? Thanks in advance.

What's the easiest way to integrate Authy (two-factor) authentication with Apache httpd?

Posted: 06 Sep 2021 07:06 PM PDT

EDIT: Something similar to Authy would work too, if that service was i) hosted/SaaS and ii) able to send SMS messages.

  • Most examples advocate RADIUS for two-factor authentication but I'm already using OpenLDAP for centralized authentication and would rather not add another local service to administer (but I'm happy calling out to Authy).
  • The app itself that I want to two-factor authenticate is a Tomcat app which has its own internal form-based authentication, which will serve as the second type of authentication (see below).
    • Apache httpd* is used to reverse proxy the app (as we do for all our Tomcat apps) so I can protect the resource at that point (as I've done occasionally w/LDAP). Once httpd grants access, the Tomcat authentication will proceed.
    • I didn't see any mod_auth_authy or the like on their developer site https://www.authy.com/developers -- just mostly libraries for languages, so I'm not sure how best to implement this.

(*Apache httpd may be replaced by NGINX at some point, so ideally the solution suggested would carry over, but please don't refrain from suggesting Apache httpd-only solutions!)

Cisco IOS, Multiple WAN & Port Forwards (Outside -> Inside PAT)

Posted: 06 Sep 2021 04:04 PM PDT

I have been trying to work out how to accomplish PATing from Outside to Inside on a Cisco IOS router, in this case specifically a Cisco 2901 running IOS Version 15.1(4)M1.

Firstly, the problem I am trying to solve is that we'd like external port forwards to work regardless of which connection is the default gateway.
On this particular router we have two WAN connections. One is on the built in Gig0/0 interface and the other by an EHWIC card exposing Gig0/0/0.

An example port forward rule in this device:
ip nat inside source static tcp 192.168.1.10 3389 x.x.x.x 3389 extendable

Where x.x.x.x is the IP address of interface Gig0/0/0.

This works fine if Gig0/0/0 is the default gateway for the router, however if Gig0/0 is the default gateway the port forward breaks.

It's also worth noting that the Gig0/1 interface is the default gateway for all LAN computers and servers, and is designated ip nat inside where Gig0/0 and Gig0/0/0 are both ip nat outside.

I am performing my standard Inside to Outside PAT by using route-map items which matches my NAT ACL with the interface.

I know I can mess around with ip nat outside and NAT pools, but is there a cleaner way I can achieve what I want? Even if I'm going about it the complete wrong way and NAT/PAT isn't the solution to my problem, pointing me in the right direction would be a major help!

The only reason why I think this is my best bet is the fact that every firewall device I've used has functionality in its policies to perform source NAT translation to the IP address of the egress interface, and it is so simple to turn on!

Edit: Watered down config


interface GigabitEthernet0/0   description ----WAN_INTERFACE_PRI----   mtu 1596   ip address x.x.x.x 255.255.255.248   ip access-group SECURE-IN in   ip flow ingress   ip nat outside   ip virtual-reassembly in   duplex full   speed 1000   no cdp enable   service-policy output EthernetAccessService  !  interface GigabitEthernet0/1   description ----INTERNAL----   ip address 192.168.1.1 255.255.255.0   ip access-group OUT-FILTER in   no ip redirects   no ip proxy-arp   ip flow ingress   ip nat inside   ip virtual-reassembly in   duplex auto   speed auto  !  interface GigabitEthernet0/0/0   description ----WAN_INTERFACE_BACK----   ip address y.y.y.y 255.255.254.0   no ip redirects   no ip proxy-arp   ip nat outside   ip virtual-reassembly in   duplex auto   speed auto  !  !  ip forward-protocol nd  !  no ip http server  no ip http secure-server  !  ip nat inside source static tcp 192.168.1.10 3389 interface GigabitEthernet0/0/0 3389  ip nat inside source route-map BACK_WAN interface GigabitEthernet0/0/0 overload no-payload  ip nat inside source route-map PRI_WAN interface GigabitEthernet0/0 overload no-payload  ! <Many port forwards cut>  ip route 0.0.0.0 0.0.0.0 (x.x.x.x Gateway) permanent  ip route 0.0.0.0 0.0.0.0 (y.y.y.y Gateway) 10 permanent  !  ip access-list extended NAT-ACL   permit ip 192.168.1.0 0.0.0.255 any   deny   ip any any  ip access-list extended OUT-FILTER   permit icmp any any   permit ip object-group Unrestricted-Access-Group any   deny   ip 192.168.1.0 0.0.0.255 any   deny   ip any any  ip access-list extended SECURE-IN   permit ip host <allowed telnet/ssh addresses> any   deny   tcp any any eq telnet log   deny   tcp any any eq 22 log   permit ip any any  !  no cdp run  !  !  !  route-map PRI_WAN permit 10   match ip address NAT-ACL   match interface GigabitEthernet0/0  !  route-map BACK_WAN permit 10   match ip address NAT-ACL   match interface GigabitEthernet0/0/0  

Random machine hangs with NFSv4 on CentOS/RHEL 6.5

Posted: 06 Sep 2021 08:08 PM PDT

We have an in-house "compute farm" with about 100 CentOS (free re-distribution of RHEL) 5.7 and 6.5 x86_64 servers. (We are in the process of upgrading all the 5.7 boxes to 6.5.) All these machines do two NFSv4 mounts (with sec=krb5p) to two CentOS 6.5 servers. One NFS server is for user home directories, the other contains various data for user processes.

Randomly, one of the client machines will get into a bad state such that any access to the NFSv4 mount hangs ("ls" for example). This means no one (except root) can log in, and all user processes that require access to the shares get stuck. In other words, so far this is non-deterministic and cannot be replicated.

I have very verbose NFS logging enabled in both the clients and servers, but never get any errors. However, when this state is triggered, I do get these kernel trace errors on the client machines:

Mar 25 00:49:48 servername kernel: INFO: task ProcessName:8230 blocked for more than 120 seconds.
Mar 25 00:49:48 servername kernel:      Not tainted 2.6.32-431.el6.x86_64 #1
Mar 25 00:49:48 servername kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Mar 25 00:49:48 servername kernel: ProcessName D 0000000000000000     0  8230   8229 0x00000000
Mar 25 00:49:48 servername kernel: ffff8804792cdb68 0000000000000046 ffff8804792cdae8 ffffffffa0251940
Mar 25 00:49:48 servername kernel: ffff88010cdc8080 ffff8804792cdb18 ffff88010cdc8130 ffff88010ea5c208
Mar 25 00:49:48 servername kernel: ffff88047b011058 ffff8804792cdfd8 000000000000fbc8 ffff88047b011058
Mar 25 00:49:48 servername kernel: Call Trace:
Mar 25 00:49:48 servername kernel: [<ffffffffa0251940>] ? rpc_execute+0x50/0xa0 [sunrpc]
Mar 25 00:49:48 servername kernel: [<ffffffff810a70a1>] ? ktime_get_ts+0xb1/0xf0
Mar 25 00:49:48 servername kernel: [<ffffffff8111f930>] ? sync_page+0x0/0x50
Mar 25 00:49:48 servername kernel: [<ffffffff815280a3>] io_schedule+0x73/0xc0
Mar 25 00:49:48 servername kernel: [<ffffffff8111f96d>] sync_page+0x3d/0x50
Mar 25 00:49:48 servername kernel: [<ffffffff81528b6f>] __wait_on_bit+0x5f/0x90
Mar 25 00:49:48 servername kernel: [<ffffffff8111fba3>] wait_on_page_bit+0x73/0x80
Mar 25 00:49:48 servername kernel: [<ffffffff8109b320>] ? wake_bit_function+0x0/0x50
Mar 25 00:49:48 servername kernel: [<ffffffff81135bf5>] ? pagevec_lookup_tag+0x25/0x40
Mar 25 00:49:48 servername kernel: [<ffffffff8111ffcb>] wait_on_page_writeback_range+0xfb/0x190
Mar 25 00:49:48 servername kernel: [<ffffffff81120198>] filemap_write_and_wait_range+0x78/0x90
Mar 25 00:49:48 servername kernel: [<ffffffff811baa3e>] vfs_fsync_range+0x7e/0x100
Mar 25 00:49:48 servername kernel: [<ffffffff811bab2d>] vfs_fsync+0x1d/0x20
Mar 25 00:49:48 servername kernel: [<ffffffffa02cf8b0>] nfs_file_flush+0x70/0xa0 [nfs]
Mar 25 00:49:48 servername kernel: [<ffffffff81185b6c>] filp_close+0x3c/0x90
Mar 25 00:49:48 servername kernel: [<ffffffff81074e0f>] put_files_struct+0x7f/0xf0
Mar 25 00:49:48 servername kernel: [<ffffffff81074ed3>] exit_files+0x53/0x70
Mar 25 00:49:48 servername kernel: [<ffffffff81076f4d>] do_exit+0x18d/0x870
Mar 25 00:49:48 servername kernel: [<ffffffff81077688>] do_group_exit+0x58/0xd0
Mar 25 00:49:48 servername kernel: [<ffffffff81077717>] sys_exit_group+0x17/0x20
Mar 25 00:49:48 servername kernel: [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b

At this point, the only reliable way to make the machine usable again is to reboot it. (And even that requires a hard power cycle, since the software reboot hangs when it tries to unmount the NFS filesystems.)

It seems like this problem is correlated with a process that malfunctions and starts writing data like crazy. For example, a segfault that generates a huge core file, or a bug with a tight print loop.

However, I've tried to duplicate this problem in a lab environment with multiple "dd" processes hammering away at the NFS server, but all machines chug along happily.

ssh tunnel refusing connections with "channel 2: open failed"

Posted: 06 Sep 2021 07:31 PM PDT

All of a sudden (read: without changing any parameters) my NetBSD virtual machine started acting oddly. The symptoms concern ssh tunneling.

From my laptop I launch:

$ ssh -L 7000:localhost:7000 user@host -N -v  

Then, in another shell:

$ irssi -c localhost -p 7000  

The ssh debug says:

debug1: Connection to port 7000 forwarding to localhost port 7000 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection refused
debug1: channel 2: free: direct-tcpip: listening port 7000 for localhost port 7000, connect from 127.0.0.1 port 53954, nchannels 3

I tried also with localhost:80 to connect to the (remote) web server, with identical results.

The remote host runs NetBSD:

bash-4.2# uname -a
NetBSD host 5.1_STABLE NetBSD 5.1_STABLE (XEN3PAE_DOMU) #6: Fri Nov  4 16:56:31 MET 2011  root@youll-thank-me-later:/m/obj/m/src/sys/arch/i386/compile/XEN3PAE_DOMU i386

I am a bit lost. I tried running tcpdump on the remote host, and I spotted these 'bad chksum':

09:25:55.823849 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 67, bad cksum 0 (->3cb3)!) 127.0.0.1.54381 > 127.0.0.1.7000: P, cksum 0xfe37 (incorrect (-> 0xa801), 1622402406:1622402421(15) ack 1635127887 win 4096 <nop,nop,timestamp 5002727 5002603>  

I tried restarting the ssh daemon to no avail. I haven't rebooted yet - perhaps somebody here can suggest other diagnostics. I think it might either be the virtual network card driver, or somebody rooted our ssh.

Ideas..?

Assign static IP to Users that access using Terminal Services (Remote Desktop)

Posted: 06 Sep 2021 05:00 PM PDT

For a project I'm working on I'm looking for the ability to assign a specific IP to users when they start a terminal services session.

I'm using Windows Server 2008 R2 SP1 and I tried using Remote Desktop IP Virtualization, but as far as I understand it only lets me enable the ability to assign a random IP to a session when the user connects, with or without DHCP (by changing some registry keys).

I need this to set up filtering rules per user on the project firewall.

EDIT

From what I understand there are a couple of DLLs that handle the IP assignment (in "fake DHCP" mode, by changing the registry keys). If assigning a static IP to a user isn't actually supported, can a library be built from scratch to handle this situation and, if yes, where can I find some MS docs about these libraries? (I refer to TSVIPool.dll and the second one that can be assigned to the key Control in the same registry path; I can't find the name.)

Nginx config reload without downtime

Posted: 06 Sep 2021 06:20 PM PDT

I use nginx as a reverse proxy. Whenever I update the config for it using

sudo "cp -r #{nginx_config_path}* /etc/nginx/sites-enabled/"
sudo "kill -s HUP `cat /var/run/nginx.pid`"

I face a brief downtime. How can I avoid that?
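An added example, not from the question: a POSIX sh wrapper around the same copy-then-HUP sequence that runs the configuration test before signalling the master and restores the previous sites-enabled contents when the test fails. It assumes the nginx binary is on PATH (or named in NGINX_BIN) and that its main config includes the directory being replaced.

```shell
#!/bin/sh
# Added example, not from the question: validate a staged config before
# reloading nginx, so a broken file never reaches the running master.
# Assumes "$NGINX_BIN -t" (default: nginx on PATH) tests the main config
# that includes the sites-enabled directory being replaced.

# safe_reload SRC_DIR DST_DIR PIDFILE
# Copies SRC_DIR/* into DST_DIR, runs the config test, and sends SIGHUP
# to the pid in PIDFILE only if the test passes. On failure the previous
# DST_DIR contents are restored and 1 is returned.
safe_reload() {
    src="$1"; dst="$2"; pidfile="$3"
    backup="${dst%/}.bak.$$"

    # Snapshot the live directory so a bad update can be rolled back.
    rm -rf "$backup"
    cp -r "$dst" "$backup" || return 1
    cp -r "$src"/* "$dst"/ || { rm -rf "$backup"; return 1; }

    # Test before signalling; the master also rejects a broken config on
    # HUP and keeps the old one, but testing first makes the failure
    # visible to the operator instead of only in the error log.
    if ! "${NGINX_BIN:-nginx}" -t >/dev/null 2>&1; then
        rm -rf "$dst" && mv "$backup" "$dst"
        echo "config test failed; previous config restored" >&2
        return 1
    fi
    rm -rf "$backup"

    # SIGHUP makes the master re-read its config and start new workers
    # while the old workers finish their in-flight connections.
    kill -s HUP "$(cat "$pidfile")"
}
```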

Empty rewrite.log on Windows, RewriteLogLevel is in httpd.conf

Posted: 06 Sep 2021 06:03 PM PDT

I am using mod_rewrite on Apache 2.2, Windows 7, and it is working ... except I don't see any logging information.

I added these lines to the end of my httpd.conf:

RewriteLog "c:\wamp\logs\rewrite.log"
RewriteLogLevel 9

The log file is created when Apache starts (so it's not a permission problem), but it remains empty. I thought there might be a conflicting RewriteLogLevel statement somewhere, but I checked and there isn't.

What else could cause this?

Could this be caused by Apache not flushing the log file? (I closed it by hitting CTRL-C on the httpd.exe command ... this caused the access logs to be flushed to disk, but still nothing in rewrite.log)

My (partial) httpd-vhosts.conf:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName my.domain.com
    DocumentRoot c:\wamp\www\folder

    <Directory c:\wamp\www\folder>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /

            RewriteRule . everything-redirects-to-this.php [L]
        </IfModule>
    </Directory>
</VirtualHost>

Cancel/Kill SQL-Server BACKUP in SUSPENDED state (WRITELOG)

Posted: 06 Sep 2021 04:04 PM PDT

I have a SQL 2008 R2 Express on which backups are made by executing sqlmaint from the Windows task planner.

Several backups ran into an error and got stuck in state SUSPENDED with wait type WRITELOG.

How can I get these backup processes to stop so they release resources?

Simply killing the processes doesn't work. The process will stay in KILL/ROLL for a long time. This didn't change for several hours.

Watchguard config, drop-in or mixed-routing mode?

Posted: 06 Sep 2021 05:00 PM PDT

I have a Watchguard XTM 2 that is currently acting as a firewall and a router for my business network. I currently have the WG set up in mixed-routing mode and am happy with the current configuration. The reason I am curious about drop-in mode is that I would like to use all the interfaces on the back of the Watchguard for the same subnet.

My understanding is that drop-in mode will put them all on the same subnet, but it is unclear from the manual whether the routing/firewall/VPN will still work as expected.

This WG is right behind a DSL modem that is set up in bridge mode, so the WG is handling all PPPoE auth and routing for the network.

How to set guest user password on SAMBA server?

Posted: 06 Sep 2021 07:06 PM PDT

I'd be generally OK with guest and an empty password, as I don't need any access rights management among my users. But the server is a remote, internet-accessed machine, so I'd prefer to set a good password for it. What's the simplest way? Can I just specify a password in samba.conf, or do I absolutely need to use LDAP or add users to the server system?
