Wednesday, January 12, 2022

Recent Questions - Server Fault

How to configure wildcard subdomains together with some fixed names in NGINX?

Posted: 12 Jan 2022 12:16 AM PST

I have example.com and the following use cases:

  • SSL only
  • www. will be redirected to example.com (no www.)
  • example.com will reverse proxy to :3000
  • fix1.example.com will reverse proxy to :3001
  • fix2.example.com will reverse proxy to :3002
  • ...
  • *.example.com will reverse proxy to :4000
  • *.example.com/admin will reverse proxy to :5000
    • example.com/admin, fix1.example.com, fix2.example.com,... will not have /admin and must not reverse proxy to :5000

In my current configuration I have the following files in my sites-available / sites-enabled:

  • example.com
  • fix1.example.com
  • fix2.example.com
  • ...
  • wild.example.com

Each file configures its own part as if there were no other files. But I end up with duplicate or conflicting configurations, so I'm thinking there must be a better approach in one file that handles the entire domain with all use cases.

The SSL only and no www part is easy:

    server {
        if ($host = www.example.com) {
            return 301 https://$host$request_uri;
        }
        server_name www.example.com;
        return 301 $scheme://example.com$request_uri;
    }

    server {
        if ($host = example.com) {
            return 301 https://$host$request_uri;
        }
        listen 80;
        server_name example.com;
        return 301 http://$server_name$request_uri;
    }

But how do I set up the fixed subdomains and the wild card subdomain together with the /admin path?

This is the block I use for the example.com proxy:

    server {
        listen 443 ssl http2;
        server_name example.com;

        location / {
            proxy_pass http://localhost:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }

        ssl_certificate     # ...
        ssl_certificate_key # ...
    }
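One way to do all of it in a single site file, as an added example and not code from the question: it relies on nginx's server_name precedence (an exact name is chosen before a wildcard, whatever the order in the file), so example.com, fix1 and fix2 never land in the *.example.com block, and the /admin location exists only in that block. The script writes the site file and a shared proxy snippet to a directory of your choice. The Let's Encrypt paths, the 127.0.0.1 backends and the assumption that one certificate covers example.com, www.example.com and *.example.com are mine, not the poster's.

```shell
#!/bin/sh
# Added example, not code from the original post: one sites-available file
# covering the apex, the fixed names and the wildcard. nginx picks the exact
# server_name before a wildcard, so fix1/fix2 and the apex never fall into the
# *.example.com block, and /admin exists only there. Assumptions: Let's Encrypt
# paths, backends on 127.0.0.1, a certificate valid for example.com,
# www.example.com and *.example.com.
set -eu

# write_site_config <dir>  -> <dir>/sites-available/example.com and <dir>/snippets/proxy-common.conf
write_site_config() {
    root=${1:?output directory}
    mkdir -p "$root/snippets" "$root/sites-available"

    # Proxy settings shared by every location (WebSocket-aware).
    cat >"$root/snippets/proxy-common.conf" <<'EOF'
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
EOF

    cat >"$root/sites-available/example.com" <<'EOF'
# This file is included inside http{}, so these are inherited by every server{}.
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

map $http_upgrade $connection_upgrade { default upgrade; '' close; }

# Fold www onto the apex so the port-80 redirect needs only one hop.
map $host $canonical_host { default $host; www.example.com example.com; }

# SSL only: every plain-HTTP request on any name goes to HTTPS.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$canonical_host$request_uri;
}

# HTTPS www -> apex (no www.).
server {
    listen 443 ssl http2;
    server_name www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;
    location / { proxy_pass http://127.0.0.1:3000; include snippets/proxy-common.conf; }
}

# Exact names win over the wildcard regardless of file order.
server {
    listen 443 ssl http2;
    server_name fix1.example.com;
    location / { proxy_pass http://127.0.0.1:3001; include snippets/proxy-common.conf; }
}

server {
    listen 443 ssl http2;
    server_name fix2.example.com;
    location / { proxy_pass http://127.0.0.1:3002; include snippets/proxy-common.conf; }
}

# Everything else under example.com; /admin lives only here.
server {
    listen 443 ssl http2;
    server_name *.example.com;
    location = /admin { return 301 /admin/; }
    location /admin/ { proxy_pass http://127.0.0.1:5000; include snippets/proxy-common.conf; }
    location /       { proxy_pass http://127.0.0.1:4000; include snippets/proxy-common.conf; }
}
EOF
}
```

Copy the two files under /etc/nginx, symlink the site into sites-enabled, remove the per-subdomain files that conflict with it, then `nginx -t && systemctl reload nginx`. Two things to check before relying on it: `location /admin/` (with the slash) keeps `/administrator` on the :4000 backend, which a bare `location /admin` would not, and a `*.example.com` certificate does not cover `example.com` itself, so the certificate needs both names.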

OpenVPN: cannot open domain webpages in browser

Posted: 11 Jan 2022 11:36 PM PST

strange problem here!

I am using VPN to connect to my work network (openvpn, hosted by my institution, I'm managing it, so I can make changes). Everything works fine, meaning that all traffic is routed through the VPN as it should (at least it seems so), I have internet access, I can access restricted services (e.g. git, shared folders) that require me to be on the same network etc.

The problem is that with browsers (tried Safari, Firefox and Chrome), I cannot access webpages that are hosted within the institution's local network. All other web pages work fine (I am posting this connected to the VPN).

Let's assume our domain is domain.com. Anything hosted under domain.com cannot be accessed via browser, e.g. webserver1.domain.com won't open in the browser. Safari states:

    Safari can't connect to the server
    Safari can't open the page domain.com because Safari can't connect to server domain.com

In terminal webserver1.domain.com is resolved without issues (nslookup), I can ping it, and traceroute seems ok.

If I try to checkout a git repo under webserver1.domain.com (from terminal), it works fine.
If I try to mount a shared folder (using Finder and the url), also ok

All other services work fine (I can mount shared drives, send/receive mails, even use printers). As far as I can tell, everything but browser access works fine. The same VPN configurations work fine in iOS (iOS safari can open domain.com pages when connected to the VPN just fine)

I'm on macOS 12.0.1 and using Tunnelblick 3.8.7a to connect to the VPN.

I can also access some webpages using the IP address and not the URL (getting the security warning as SSL does not work). As mentioned, DNS is ok and resolves everything.

My server.conf is below:

    server 192.168.255.0 255.255.255.0
    verb 3
    key /etc/openvpn/pki/private/xxxxxxx.key
    ca /etc/openvpn/pki/ca.crt
    cert /etc/openvpn/pki/issued/xxxxxxx.crt
    dh /etc/openvpn/pki/dh.pem
    tls-auth /etc/openvpn/pki/ta.key
    key-direction 0
    keepalive 10 60
    persist-key
    persist-tun
    topology subnet

    proto udp
    # Rely on Docker to do port mapping, internally always 1194
    port 1194
    dev tun0
    status /tmp/openvpn-status.log

    user nobody
    group nogroup
    comp-lzo no

    ### Route Configurations Below
    route 192.168.254.0 255.255.255.0

    ### Push Configurations Below
    push "comp-lzo no"
    push "redirect-gateway def1 bypass-dhcp"

Any ideas?

SSH Connection refused from RAC1 SCAN IP to RAC2's PUBLIC IP during Oracle19c DB setup at verification step after successful GI setup on RHEL8

Posted: 11 Jan 2022 11:21 PM PST

The weird situation starts during Oracle (19.3.0.0) DB setup, after a successful GI setup on RHEL8, at the verification step. (I cannot upload an image due to insufficient reputation.)

The "Details" shows TCP connectivity from node rac1 10.12.67.17(SCAN-IP) to rac2 10.12.67.29 (PUBLIC-IP) test failed.

Hosts file config (same on both nodes):

    10.12.67.28 rac1
    10.12.67.29 rac2
    10.12.67.18 rac1-vip
    10.12.67.19 rac2-vip
    192.168.67.28 rac1-prv
    192.168.67.29 rac2-prv
    10.12.67.17 rac-scan

ifconfig RAC1:

    ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.12.67.28  netmask 255.255.255.0  broadcast 10.12.67.255
            inet6 fe80::250:56ff:feb0:9e2a  prefixlen 64  scopeid 0x20<link>
            ether 00:50:56:b0:9e:2a  txqueuelen 1000  (Ethernet)
            ...

    ens192:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.12.67.18  netmask 255.255.255.0  broadcast 10.12.67.255
            ether 00:50:56:b0:9e:2a  txqueuelen 1000  (Ethernet)

    ens192:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.12.67.17  netmask 255.255.255.0  broadcast 10.12.67.255
            ether 00:50:56:b0:9e:2a  txqueuelen 1000  (Ethernet)

    ens192:3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.12.67.16  netmask 255.255.255.0  broadcast 10.12.67.255
            ether 00:50:56:b0:9e:2a  txqueuelen 1000  (Ethernet)

    ens256: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.67.28  netmask 255.255.255.0  broadcast 192.168.67.255
            inet6 fe80::250:56ff:feb0:e1bf  prefixlen 64  scopeid 0x20<link>
            ether 00:50:56:b0:e1:bf  txqueuelen 1000  (Ethernet)
            ...

    ens256:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 169.254.17.89  netmask 255.255.224.0  broadcast 169.254.31.255
            ether 00:50:56:b0:e1:bf  txqueuelen 1000  (Ethernet)

    lo: ...
    virbr0: ...

ifconfig RAC2:

    ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.12.67.29  netmask 255.255.255.0  broadcast 10.12.67.255
            inet6 fe80::250:56ff:feb0:a62c  prefixlen 64  scopeid 0x20<link>
            ether 00:50:56:b0:a6:2c  txqueuelen 1000  (Ethernet)
            RX packets 4528426  bytes 368814839 (351.7 MiB)
            RX errors 0  dropped 306  overruns 0  frame 0
            TX packets 6745571  bytes 1717233204 (1.5 GiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ens192:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.12.67.19  netmask 255.255.255.0  broadcast 10.12.67.255
            ether 00:50:56:b0:a6:2c  txqueuelen 1000  (Ethernet)

    ens256: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.67.29  netmask 255.255.255.0  broadcast 192.168.67.255
            inet6 fe80::250:56ff:feb0:5dfe  prefixlen 64  scopeid 0x20<link>
            ether 00:50:56:b0:5d:fe  txqueuelen 1000  (Ethernet)
            ...

    ens256:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 169.254.8.154  netmask 255.255.224.0  broadcast 169.254.31.255
            ether 00:50:56:b0:5d:fe  txqueuelen 1000  (Ethernet)

    lo: ...
    virbr0: ...

In order to know what's happening, I did the following SSH connection tests:

on node RAC1 (only failed from ens192:2[10.12.67.17] to RAC2's primary IP[10.12.67.29]):

    ssh -B ens192:2 10.12.67.29 date -> ssh: connect to host rac2 port 22: Connection refused
    ssh -B ens192:2 10.12.67.19 date -> Wed Jan 12 13:20:19 CST 2022
    ssh -B ens192:1 10.12.67.29 date -> Wed Jan 12 13:20:19 CST 2022
    ssh -B ens192:1 10.12.67.19 date -> Wed Jan 12 13:20:19 CST 2022
    ssh -B ens192 10.12.67.29 date -> Wed Jan 12 13:20:19 CST 2022
    ssh -B ens192 10.12.67.19 date -> Wed Jan 12 13:20:19 CST 2022

on node RAC2 (all OK to RAC1):

    ssh -B ens192:2 10.12.67.28 date -> Wed Jan 12 13:26:04 CST 2022
    ssh -B ens192:2 10.12.67.18 date -> Wed Jan 12 13:26:04 CST 2022
    ssh -B ens192:2 10.12.67.17 date -> Wed Jan 12 13:26:04 CST 2022
    ssh -B ens192 10.12.67.28 date -> Wed Jan 12 13:26:04 CST 2022
    ssh -B ens192 10.12.67.18 date -> Wed Jan 12 13:26:04 CST 2022
    ssh -B ens192 10.12.67.17 date -> Wed Jan 12 13:26:04 CST 2022

Then I created a new IP alias on RAC1, namely ens192:3 [10.12.67.16]; surprisingly this IP acts exactly like ens192:2 [10.12.67.17].

Note: I also noticed that ens192:2 [10.12.67.17] is an alias seemingly maintained by Grid Infrastructure, for if I remove it with "ifconfig 10.12.67.17 down", it is created automatically on the other node by some daemon program (since GI is successfully installed and running).

on node RAC1 (failed only from ens192:3[10.12.67.16] to RAC2's primary IP):

    ssh -B ens192:3 10.12.67.29 date -> ssh: connect to host rac2 port 22: Connection refused
    ssh -B ens192:3 10.12.67.19 date -> Wed Jan 12 13:20:19 CST 2022

However, from RAC1:

    ping -I 10.12.67.17 10.12.67.29
    ping -I 10.12.67.16 10.12.67.29

are both OK!

Can someone give an explanation and a solution to make ssh from ens192:2 [10.12.67.17] to RAC2's primary IP [10.12.67.29] work?

Linux: what is the best way to fix disks that are mounted read-only?

Posted: 11 Jan 2022 10:01 PM PST

I wrote the following procedure in order to fix disks that are mounted read-only and are not the OS disk.

For example, we have a machine with the physical disks sdb, sdc and sde.

On sdc we notice that it is mounted ro (read-only, from mount | grep sdc):

    mount | grep sdc
    /dev/sdc on /grid/sdc type ext4 (ro,noatime,stripe=128,data=ordered)

So I wrote the following fix:

  1. Stop the services that write data to disks such as sdc
  2. lsof /grid/sdc, and kill all PIDs that access /grid/sdc
  3. umount /grid/sdc
  4. fsck -y /dev/sdc
  5. mount /dev/sdc

Verify from dmesg that the sdc disk is healthy.

Any additional notes will be helpful.
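The five steps above as a script, added here as an example rather than taken from the question, with the checks I would add around them: read dmesg before touching the disk (ext4 flips itself read-only after I/O errors, and a disk that is dying is not repaired by fsck), treat e2fsck's exit codes properly (0 is clean, 1 is errors fixed, anything else means stop), remount through fstab so the original options such as noatime and stripe=128 come back, and refuse to report success if the filesystem is still read-only afterwards. It assumes ext4 directly on the block device (no LVM or md underneath), an fstab entry for the mount point, and systemd units as the writers; the /proc/mounts parsing is separated out so it can be checked on constructed input.

```shell
#!/bin/sh
# Added example, not from the original post: the poster's five steps as a
# script with the checks a practitioner adds. Assumptions: ext4 directly on the
# block device (no LVM/md), an fstab entry for the mount point, systemd units
# as the writers.
set -eu

# Print the mount options of device $1 from /proc/mounts-style text on stdin.
mount_opts_for() { awk -v dev="$1" '$1 == dev { print $4; exit }'; }

# 0 if the option list contains "ro" as a whole option (errors=remount-ro is not ro).
is_readonly_opts() {
    case ",$1," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# remount_fix <device> <mountpoint> [service ...]
remount_fix() {
    dev=${1:?device}; mnt=${2:?mount point}; shift 2
    opts=$(mount_opts_for "$dev" </proc/mounts)
    [ -n "$opts" ] || { echo "$dev is not mounted" >&2; return 1; }
    if ! is_readonly_opts "$opts"; then echo "$dev is already rw"; return 0; fi

    # Before touching it: why did the kernel flip it read-only? ext4 remounts
    # ro after I/O errors, and a dying disk is not fixed by fsck.
    dmesg | grep -iE "$(basename "$dev")|remount.*read-only" | tail -n 20 || true
    command -v smartctl >/dev/null 2>&1 && smartctl -H "$dev" || true

    # Steps 1-2: stop the writers, then whatever still holds the mount.
    for svc in "$@"; do systemctl stop "$svc"; done
    fuser -km "$mnt" || true
    sleep 1

    # Steps 3-4: unmount and repair. e2fsck exit 0 = clean, 1 = errors fixed;
    # anything else means errors remain or a reboot is needed.
    umount "$mnt"
    rc=0; e2fsck -fy "$dev" || rc=$?
    case $rc in
        0|1) ;;
        *) echo "e2fsck exit $rc on $dev: do not remount rw" >&2; return 1 ;;
    esac

    # Step 5: mount via fstab so noatime/stripe=... come back, then verify.
    mount "$mnt"
    opts=$(mount_opts_for "$dev" </proc/mounts)
    if is_readonly_opts "$opts"; then
        echo "$dev still ro after e2fsck: check dmesg, replace the disk" >&2
        return 1
    fi
    echo "$dev mounted rw at $mnt"
}

# Usage (as root): remount_fix /dev/sdc /grid/sdc my-writer.service
```

If the disk has gone read-only more than once, or dmesg shows I/O errors rather than a journal complaint, the useful step is the replacement, not another fsck.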

How do I run some commands when linux boots for the first time

Posted: 11 Jan 2022 08:58 PM PST

I want to run some system initialization commands if and only if the system is booting for the first time. Specifically, I want to generate identity keys and submit a CSR for signing. I want to do this only once so the identity cert will remain valid through reboots. I don't want to simply check the filesystem to see if the cert has already been created because if an attacker could write their own cert and keys to the boot image file(s) they could install their own identity.

My question is, How do I determine if Linux is booting for the first time?

Thanks,
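One answer systemd already provides, shown here as an added example and not as the poster's setup: ConditionFirstBoot= runs a unit only when /etc/machine-id was absent or still read "uninitialized" when the system started; after that first boot systemd commits a real machine-id and the condition is false forever. The function below reproduces that decision so it can be tested on constructed files, and the unit runs an enrollment script under it. The paths, the CN and the CSR submission are assumptions. The caveat for this question's threat model: the machine-id is filesystem state too, so whoever can edit the image can pre-set it and drop their own certificate; what actually stops that is the CA refusing CSRs that do not arrive with a one-time enrollment token or a TPM-backed attestation, which this example does not implement.

```shell
#!/bin/sh
# Added example, not from the original post. systemd's ConditionFirstBoot=
# gates a unit on whether /etc/machine-id was absent, empty or "uninitialized"
# when the system started; after the first boot systemd commits a machine-id
# and the condition is false. is_first_boot() reproduces that decision so it
# can be tested offline. Paths, the CN and the CSR destination are assumptions.
set -eu

# 0 = first boot (machine-id missing, empty or "uninitialized"), 1 = not.
is_first_boot() {
    f=${1:-/etc/machine-id}
    [ ! -s "$f" ] && return 0
    [ "$(head -n 1 "$f")" = "uninitialized" ] && return 0
    return 1
}

# Generate the identity key and a CSR for CN=$2 under $1 (key created 0600).
make_identity_csr() {
    dir=${1:?dir}; cn=${2:?cn}
    mkdir -p "$dir"
    ( umask 077
      openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
          -subj "/CN=$cn" -keyout "$dir/identity.key" -out "$dir/identity.csr" )
    # Submitting the CSR is site-specific, e.g. (assumed endpoint):
    # curl --fail --data-binary @"$dir/identity.csr" https://ca.example/enroll
}

# Unit that runs the enrollment script only on the first boot.
install_firstboot_unit() {
    cat >"${1:-/etc/systemd/system}/enroll-identity.service" <<'EOF'
[Unit]
Description=Generate identity key and submit CSR (first boot only)
ConditionFirstBoot=yes
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# assumed path; the script calls make_identity_csr and submits the CSR
ExecStart=/usr/local/sbin/enroll-identity.sh

[Install]
WantedBy=multi-user.target
EOF
}
```

To ship this in an image, the image must contain no /etc/machine-id (or one that reads "uninitialized") and the unit must be enabled; `systemctl status enroll-identity` on a second boot then shows the unit skipped with its condition unmet.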

ModSecurity 403, COMODO WAF detects XSS while trying to access phpMyAdmin

Posted: 11 Jan 2022 08:49 PM PST

I have a copy of phpMyAdmin on one of my servers, in a subdomain 'pma' and inside a directory in it named 'app' (manually installed from a zip archive, not via yum), which I use for DB-related management, and it was working ok for a couple of months. A couple of days ago my local IP got blocked while trying to log in there, and after much digging the following log was found in /var/log/apache2/error_log (replaced my local IP and server domain with <PLACEHOLDER_TEXT> for obvious reasons):

    [Fri Jan 07 11:37:54.198143 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\x22'\\\\/`]on[a-z]{1,}?\\\\/{0,}=" at REQUEST_COOKIES:pmaAuth-1. [file "/var/cpanel/cwaf/rules/07_XSS_XSS.conf"] [line "162"] [id "212760"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.pma.<DOMAIN_NAME>|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.pma.<DOMAIN_NAME>"] [uri "/app/themes/pmahomme/img/ajax_clock_small.gif"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
    [Fri Jan 07 11:37:54.198701 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\x22'\\\\/`]on[a-z]{1,}?\\\\/{0,}=" at REQUEST_COOKIES:pmaAuth-1. [file "/var/cpanel/cwaf/rules/07_XSS_XSS.conf"] [line "162"] [id "212760"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.pma.<DOMAIN_NAME>|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.pma.<DOMAIN_NAME>"] [uri "/app/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
    [Fri Jan 07 11:37:54.215776 2022] [core:error] [pid 60361] [client <IP_ADDRESS>:60532] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
    [Fri Jan 07 11:37:54.235059 2022] [core:error] [pid 60364] [client <IP_ADDRESS>:60535] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
    [Fri Jan 07 11:37:54.238782 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
    [Fri Jan 07 11:37:54.238830 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
    [Fri Jan 07 11:37:54.244507 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
    [Fri Jan 07 11:37:54.244559 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1

While I'm ok with SSH and CLI, I'm not a core server admin, and it took me some time and help from both ISP and Hosting Provider to figure out the IP ban issue in CSF/LFD, but I'm trying to understand the actual issue so it can be avoided in future. Can anyone decipher the reason? thanks!
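What the log actually says, worked through as an added example (not part of the question): rule 212760 matched the pattern `[\x22'\/`]on[a-z]{1,}?\/{0,}=` against REQUEST_COOKIES:pmaAuth-1, phpMyAdmin's login cookie, on two ordinary requests (a theme GIF and index.php). That cookie is an opaque base64-style blob, and the pattern fires on any value containing `/on` followed by lowercase letters and `=`, which base64 text can contain by chance, so the block is a false positive, not an attack. The AH00124 and audit-log mutex lines carry the same pids and client ports as the two blocked requests, so they are consequences of handling those requests, not separate events. The script below reproduces the match on constructed cookie values and writes the ModSecurity exclusion that takes that one cookie out of that one rule; the target file path is an assumption, and the live rule may apply transformations the log does not show, so the reproduction is case-sensitive as logged.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the CWAF rule 212760
# pattern from the log against cookie values, and write the ModSecurity
# directive that excludes phpMyAdmin's auth cookie from that single rule.
# Cookie values below are constructed; the pattern is copied from the log.
set -eu

# PCRE from the log: [\x22'\/`]on[a-z]{1,}?\/{0,}=
# Same thing as POSIX ERE for grep (the lazy {1,}? only changes which match
# is reported, not whether one exists). The rule may also apply
# transformations (e.g. lowercase) that the log line does not show.
CWAF_212760_ERE='["'"'"'/`]on[a-z]+/*='

# 0 if the value would be flagged, 1 otherwise.
cwaf_212760_matches() {
    printf '%s' "$1" | grep -Eq "$CWAF_212760_ERE"
}

# Check a whole Cookie header value; print the names of offending cookies.
flag_cookies() {
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r pair; do
        name=${pair%%=*}; name=${name# }      # text before the first '='
        value=${pair#*=}                       # everything after it, '=' padding included
        cwaf_212760_matches "$value" && printf '%s\n' "$name" || true
    done
}

# Exclusion for a file that ModSecurity loads after the CWAF rule set
# (path assumed): keep the rule, but stop it inspecting this one cookie.
write_exclusion() {
    cat >"${1:?file}" <<'EOF'
# Rule 212760 false-positives on phpMyAdmin's encrypted auth cookie.
SecRuleUpdateTargetById 212760 "!REQUEST_COOKIES:pmaAuth-1"
EOF
}
```

After adding the exclusion and restarting Apache, the IP still has to be removed from the CSF/LFD deny list; the 403s are what fed the ban in the first place. The "Failed to lock global mutex: Permission denied" lines are a separate file-permission problem with the audit log, which is why it holds no detail for these blocks.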

Difference of Dynamic DNS and Change Zone Automatically by Program

Posted: 11 Jan 2022 11:15 PM PST

I know DDNS translates a dynamic IP (an IP that always changes on a device) to a domain, but I don't know the story behind it, or how it works.

I'm using bind9 as DNS server; we know that in bind9 there is a zone file containing the records. Then what is the difference if I program the zone file, like mydomain.com.db, which contains many records, so that a program modifies (reads/writes) that file?

Basically my program does the same as when we manually change records in the zone files with a text editor (nano or vim).

Also, what is the difference between Dynamic DNS and a dynamic zone in bind9?
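The difference in concrete terms, as an added example rather than anything from the question: a BIND "dynamic zone" is one that accepts RFC 2136 UPDATE messages (allow-update or update-policy), and a Dynamic DNS client sends exactly such a message, signed with a TSIG key. named applies the change to the zone it holds in memory and records it in the zone's .jnl journal, rewriting the zone file itself later. A program that edits mydomain.com.db directly is invisible to the running named until a reload and, on a dynamic zone, collides with the journal. The zone name, server address, key name and file locations below are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Dynamic DNS = RFC 2136 UPDATE
# messages, signed with a TSIG key, sent to the running named; editing the
# zone file by hand is a different mechanism and must not be mixed with it on
# the same zone without freezing it. Zone, server and key name are assumptions.
set -eu

ZONE=mydomain.com
SERVER=127.0.0.1
KEYFILE=/etc/bind/keys/ddns.key    # assumed; created with: tsig-keygen ddns > ddns.key

# Build the nsupdate script that replaces the A record of $1 with $2 (TTL $3).
nsupdate_script() {
    host=${1:?host}; ip=${2:?ip}; ttl=${3:-60}
    cat <<EOF
server $SERVER
zone $ZONE.
update delete $host.$ZONE. A
update add $host.$ZONE. $ttl A $ip
send
EOF
}

# What a DDNS client does: send the signed update to the running server.
ddns_update() { nsupdate_script "$@" | nsupdate -k "$KEYFILE"; }

# named.conf fragment (assumed location): the key may change only A/AAAA
# records of names inside the zone, never the SOA or NS records.
zone_config() {
    cat <<EOF
include "$KEYFILE";
zone "$ZONE" {
    type master;
    file "/var/lib/bind/$ZONE.db";
    update-policy { grant ddns zonesub A AAAA; };
};
EOF
}

# The only safe way to hand-edit the file of a dynamic zone: stop journaling,
# edit (and bump the serial), then resume.
edit_dynamic_zone_file() {
    rndc freeze "$ZONE"
    "${EDITOR:-vi}" "/var/lib/bind/$ZONE.db"
    rndc thaw "$ZONE"
}
```

The update-policy is the security-relevant part: a program that rewrites the zone file runs with write access to everything in it, whereas a TSIG-scoped policy lets a client change one record type under one zone and nothing else, and named logs every signed update it accepts.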

How to forward all ports from Debian to Windows with OpenVPN

Posted: 11 Jan 2022 11:39 PM PST

My Setup:
Debian 10 from Azure
Windows 10 from Azure

Debian 10 is a clean new server from Azure with only OpenVPN installed and set up using the script from this Repository.

Windows 10 is full of programs and has Xampp running on it and I can connect to Debian 10 from Windows 10 with both OpenVPN and SSH.

Issue:
I don't want to give away my Windows 10 IP address but I want people to access the website on Xampp using the Debian 10 IP.

Goal:
I can port forward or tunnel all the requests made to the Debian IP TCP ports (80, 443, 3000, 8080) to the Windows 10 ports through OpenVPN, or via SSH if it can be done that way.

Progress:
I have set up OpenVPN on Debian with the script from here and it's successful and my Windows 10 connects with the OpenVPN.

Windows 10 firewall is disabled.

I tried using C2S with Bitvise SSH to forward ports; it only works locally.

There is a topic on the OpenVPN forum that tries to do this, but it is not comprehensive enough. This is the link

Please, if anyone can forward all ports or those specific ports from Linux to Windows, using any method please let me know how I can do it. Thank you so much in advance.

How to find out DNS Server IP of other ISPs

Posted: 12 Jan 2022 12:14 AM PST

I am currently building a tool that needs the response from multiple different DNS Servers. The programming part is all done but I am currently lacking the IP Addresses of major ISP DNS Servers. All I can find are, what I assume, old ones that don't work anymore. When entering my local DNS Server or Public DNS Servers (Google, Cloudflare, etc.) I get the expected result. So my question is, is there a list or way to find the DNS Servers from those ISPs? (Specifically, ISPs located in Germany)

Unable to connect to a site over HTTPS (SSL_ERROR_SYSCALL)

Posted: 11 Jan 2022 08:13 PM PST

I've got a server running Debian 8. Yes, a pretty old one. But there's something really strange about it. I can't connect to it over HTTPS:

    $ curl -sSLv https://example.com
    *   Trying xx.yyy.xx.yyy:443...
    * Connected to example.com (xx.yyy.xx.yyy) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: none
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443

    $ sslscan example.com
    Version: 2.0.11
    OpenSSL 1.1.1m  14 Dec 2021

    Connected to xx.yyy.xx.yyy

    Testing SSL server example.com on port 443 using SNI name example.com

      SSL/TLS Protocols:
    SSLv2     disabled
    SSLv3     disabled
    TLSv1.0   disabled
    TLSv1.1   disabled
    TLSv1.2   disabled
    TLSv1.3   disabled

      TLS Fallback SCSV:
    Connection failed - unable to determine TLS Fallback SCSV support

      TLS renegotiation:
    Session renegotiation not supported

      TLS Compression:
    OpenSSL version does not support compression
    Rebuild with zlib1g-dev package for zlib support

      Heartbleed:

      Supported Server Cipher(s):
    Certificate information cannot be retrieved.

    $ dpkg -l | grep openssl
    ii  openssl       1.0.1t-1+deb8u12   amd64   Secure Sockets Layer toolkit - cryptographic utility

    $ cat /etc/nginx/nginx.conf | grep ssl
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

    $ dpkg -l | grep nginx
    ii  nginx         1.6.2-5   all     small, powerful, scalable web/proxy server
    ii  nginx-common  1.6.2-5   all     small, powerful, scalable web/proxy server - common files
    ii  nginx-full    1.6.2-5   amd64   nginx web/proxy server (standard version)

To compare it to another Debian 8 server:

    $ sslscan example2.com
    Version: 2.0.11
    OpenSSL 1.1.1m  14 Dec 2021

    Connected to xx.xxx.xx.xxx

    Testing SSL server example2.com on port 443 using SNI name example2.com

      SSL/TLS Protocols:
    SSLv2     disabled
    SSLv3     disabled
    TLSv1.0   enabled
    TLSv1.1   enabled
    TLSv1.2   enabled
    TLSv1.3   disabled

      TLS Fallback SCSV:
    Server supports TLS Fallback SCSV

      TLS renegotiation:
    Secure session renegotiation supported

      TLS Compression:
    OpenSSL version does not support compression
    Rebuild with zlib1g-dev package for zlib support

      Heartbleed:
    TLSv1.2 not vulnerable to heartbleed
    TLSv1.1 not vulnerable to heartbleed
    TLSv1.0 not vulnerable to heartbleed

      Supported Server Cipher(s):
    Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
    Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
    Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
    Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
    Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
    Accepted  TLSv1.2  256 bits  AES256-SHA256
    Accepted  TLSv1.2  256 bits  AES256-SHA
    Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
    Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
    Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
    Accepted  TLSv1.2  128 bits  AES128-SHA256
    Accepted  TLSv1.2  128 bits  AES128-SHA
    Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA
    Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
    Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
    Accepted  TLSv1.1  256 bits  AES256-SHA
    Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
    Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
    Accepted  TLSv1.1  128 bits  AES128-SHA
    Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA
    Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
    Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits
    Accepted  TLSv1.0  256 bits  AES256-SHA
    Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
    Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits
    Accepted  TLSv1.0  128 bits  AES128-SHA
    Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA

      Server Key Exchange Group(s):
    TLSv1.2  128 bits  secp256r1 (NIST P-256)

      SSL Certificate:
    Signature Algorithm: sha256WithRSAEncryption
    RSA Key Strength:    4096

    Subject:  example2.com
    Altnames: DNS:example2.com
    Issuer:   R3

    Not valid before: Dec 17 21:00:13 2021 GMT
    Not valid after:  Mar 17 21:00:12 2022 GMT

    $ dpkg -l | grep openssl
    ii  openssl       1.0.1k-3+deb8u2   amd64   Secure Sockets Layer toolkit - cryptographic utility

    $ cat /etc/nginx/nginx.conf | grep ssl
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

    $ dpkg -l | grep nginx
    ii  nginx         1.6.2-5   all     small, powerful, scalable web/proxy server
    ii  nginx-common  1.6.2-5   all     small, powerful, scalable web/proxy server - common files
    ii  nginx-full    1.6.2-5   amd64   nginx web/proxy server (standard version)

What's wrong with the first server? How do I make https work?

How to replicate the configuration of a self-signed certificate with OpenSSL?

Posted: 11 Jan 2022 11:10 PM PST

I have a load balancer that requires a certificate with a specific configuration, unfortunately those who created the first certificates did not document this configuration and I only have a list of commands that is not complete either.

I have these two files: example_ca.crt and example.crt

And using this OpenSSL command:

openssl x509 -in file_name.crt -text -noout  

These are its properties (I will omit non-relevant information):

example_ca.crt

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                cb:0f:b8:78:38:9a:a9:da
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = example.org
            Validity
                Not Before: Jun 10 10:33:06 2020 GMT
                Not After : May 17 10:33:06 2120 GMT
            Subject: CN = example.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        [...]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD
                X509v3 Authority Key Identifier:
                    keyid:81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD

                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             [...]

example.crt

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                80:1d:bb:9e:9f:2c:4e:ce
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN = example.org
            Validity
                Not Before: Jun 10 10:33:44 2020 GMT
                Not After : May 17 10:33:44 2120 GMT
            Subject: CN = example.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        [...]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication
                X509v3 Authority Key Identifier:
                    keyid:81:FE:D0:6D:DE:0A:CC:10:1D:B3:74:EA:4B:C8:F3:43:37:B4:D1:FD

                X509v3 Subject Key Identifier:
                    B1:2C:74:04:EE:03:84:C9:F7:92:35:CE:6E:20:EF:C6:FE:B8:23:A7
        Signature Algorithm: sha256WithRSAEncryption
             [...]

I managed to replicate example_ca.crt with these commands and configuration (the expiration date is not relevant):

    openssl genrsa -out example_ca.key 2048
    openssl req -new -x509 -days 365 -key example_ca.key -out example_ca.crt -config root.cnf

root.cnf

    # OpenSSL configuration for Root CA

    [ req ]

    prompt             = no
    string_mask        = default

    default_bits       = 2048
    distinguished_name = req_distinguished_name
    x509_extensions    = x509_ext

    [ req_distinguished_name ]
    commonName = example.org

    [ x509_ext ]
    extendedKeyUsage = clientAuth, serverAuth
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid
    basicConstraints=CA:true

My problem comes at this point, when I can't replicate example.crt. I have tried so many possibilities in the server.cnf and openssl.cnf files and I don't get any closer to the desired result.

For the last steps I have used these commands:

    openssl genrsa -out example.key 2048
    openssl req -new -out example.csr -key example.key -config server.cnf

    echo extendedKeyUsage = clientAuth > openssl.cnf
    openssl x509 -req -in example.csr -out example.crt -signkey example.key -CA example_ca.crt -CAkey example_ca.key -CAcreateserial -days 365 -extfile openssl.cnf

I will skip the contents of server.cnf because that is where I need help. But basically I always miss the "X509v3 extensions" section of example.crt.

Feel free to force the use of a password if necessary, or to correct my replication of example_ca.crt; I have simply explained the fundamentals.

UPDATE:

server.cnf

    # OpenSSL configuration for end-entity cert

    [ req ]
    prompt             = no
    string_mask        = default

    default_bits       = 2048
    distinguished_name = req_distinguished_name

    x509_extensions    = x509_ext

    [ req_distinguished_name ]
    commonName = example.org

    [ x509_ext ]
    keyUsage=critical,digitalSignature,keyAgreement

    subjectAltName = @alt_names

    # Multiple Alternate Names are possible
    [alt_names]
    DNS.1 = example.org
    IP.1 = 127.0.0.1
    # DNS.2 = altName.example.com
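Two things in the commands shown keep the extensions out of example.crt, worked through here as an added example (not the poster's own solution): `openssl x509 -req` ignores any extensions carried in the CSR and any [req] section of a config file, taking extensions only from `-extfile`; and `-signkey example.key` alongside `-CA` produces a self-signed certificate rather than one signed by example_ca. The extfile below reproduces exactly the three extensions shown for example.crt (Extended Key Usage, Authority Key Identifier, Subject Key Identifier). The CA section matches what example_ca.crt actually shows, which has no Extended Key Usage, so that line from root.cnf is dropped. The output directory and the 365-day validity are assumptions; the filenames match the question.

```shell
#!/bin/sh
# Added example, not from the original post. "openssl x509 -req" takes
# extensions only from -extfile, and -signkey would make the leaf self-signed,
# so the extfile carries the three extensions shown for example.crt and
# -signkey is left out. Directory argument and 365-day validity are assumed.
set -eu

# Root CA config: same as the post's root.cnf minus extendedKeyUsage, which
# the real example_ca.crt does not carry.
ca_config() {
    cat <<'EOF'
[ req ]
prompt             = no
string_mask        = default
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = x509_ext
[ req_distinguished_name ]
commonName = example.org
[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = CA:true
EOF
}

# Extensions for the end-entity cert, in the order example.crt shows them.
leaf_extfile() {
    cat <<'EOF'
extendedKeyUsage       = clientAuth, serverAuth
authorityKeyIdentifier = keyid
subjectKeyIdentifier   = hash
EOF
}

# make_certs <dir>: writes example_ca.{key,crt} and example.{key,csr,crt}
make_certs() {
    d=${1:?dir}; mkdir -p "$d"; cd "$d"
    ca_config    >root.cnf
    leaf_extfile >leaf.ext
    openssl genrsa -out example_ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key example_ca.key -out example_ca.crt -config root.cnf
    openssl genrsa -out example.key 2048 2>/dev/null
    # The CSR only needs the name; the extensions come from leaf.ext at signing.
    openssl req -new -key example.key -subj '/CN=example.org' -out example.csr
    openssl x509 -req -in example.csr -CA example_ca.crt -CAkey example_ca.key \
        -CAcreateserial -days 365 -extfile leaf.ext -out example.crt 2>/dev/null
}

# Names of the X509v3 extensions present in a certificate, one per line.
cert_extensions() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *X509v3 \(.*\):.*$/\1/p'
}
```

Run `make_certs /tmp/pki` and compare `openssl x509 -in /tmp/pki/example.crt -noout -text` with the original; `openssl verify -CAfile example_ca.crt example.crt` confirms the chain, which the `-signkey` variant would fail. Two properties of the originals are worth a second look before copying them: a validity of 100 years, and a CA and a leaf that share the same CN, which some validators treat as a self-issued certificate.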

Make autodiscover work for second Exchange domain

Posted: 11 Jan 2022 06:19 PM PST

We have Active Directory, Domain Controller and Exchange server 2019 for abc.com. They are all behind NAT and all services (Autodiscover, ActiveSync, OWA, ...) work properly.

We also need to have email service for xyz.com too, so this is what we've done so far:

External DNS

mail and autodiscover of xyz.com point to the same public IP address of abc.com.

Internal DNS

mail and autodiscover of xyz.com point to the same Exchange server as of abc.com.

Active Directory

xyz.com is defined as alternative UPN suffix in the properties of Active Directory Domains and Trusts.

Exchange Server

xyz.com is defined in the Accepted Domains of Exchange Server -> Mail Flow. Some email accounts are created with @xyz.com.

However, Autodiscover is not working for xyz.com email accounts. All clients we have tried fail to detect the server settings.

Again, Autodiscover works fine for main domain which is abc.com.

Is what we are trying to do even possible?

Should server be hidden behind a VPN for the SSH access?

Posted: 11 Jan 2022 06:17 PM PST

We have three server instances, Nginx/PHP, PostgreSQL, and ELK stack. My idea is that the PHP server would allow public access for ports 22, 80, and 443, ELK server would have open port 5601 for public access, but all other intercommunication is only allowed through their private IP addresses.

Do I need to hide them all behind a VPN as well? What are the benefits of that? VPN would have no other purpose, it is not company-wide or something like that, it is only for securing those servers.

Access Kubernetes Dashboard Via HTTP Instead of HTTPS

Posted: 11 Jan 2022 09:36 PM PST

Question

How can I enable HTTP requests? I have a primary web server that is a proxy and sends HTTP requests to the MicroK8S server but cannot due to the HTTP error.

Install command used:

sudo snap install microk8s --classic --channel=1.23/stable  

Infrastructure

Self-Hosted on a virtual machine locally  

Problem

I have a MicroK8S server setup using this command: microk8s enable dashboard dns registry istio

I have also edited the dashboard service as follows (replaced ClusterIP with NodePort):

kubernetes-dashboard service


Result

I can navigate to the kubernetes-dashboard by going to https://IP:30051/ of the server (yes, requests using SSL work). However if I try to use HTTP instead of HTTPS I get the following error message.

Client sent an HTTP request to an HTTPS server.

Postfix: Untrusted TLS connection established - How to solve this error?

Posted: 11 Jan 2022 11:11 PM PST

I use Postfix in combination with Lets Encrypt to transmit TLS encrypted e-mails.

The following parameters in /etc/postfix/main.cf are relevant:

smtp_tls_key_file = /etc/letsencrypt/live/foo.bar/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/foo.bar/fullchain.pem
smtp_tls_CAfile = /etc/letsencrypt/live/foo.bar/fullchain.pem

I can send e-mails without problems, but I get the warning message that Postfix cannot verify the certificate of the receiving site:

postfix/smtp[10736]: Untrusted TLS connection established to example.com[xxx.xxx.xxx.xxx]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)  

I suspect this is because Postfix is not able to access its certificate store with this parameter:

smtp_tls_CAfile = /etc/letsencrypt/live/foo.bar/fullchain.pem  

A change to smtp_tls_CAfile = /etc/ssl/certs will break my entire TLS-Configuration.

What do I have to configure so that Postfix is able to send encrypted messages via Lets Encrypt and to check the certificate on the recipient side?
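As an added example (my code, not from the post or from Postfix), the script below tallies the four trust levels that Postfix logs for outbound TLS sessions and lists every peer whose certificate chain did not verify (Untrusted or Anonymous). It also parses a main.cf fragment and reports when smtp_tls_CAfile points at the server's own chain rather than a CA bundle, and when the configured smtp_tls_security_level is opportunistic. The log lines and the main.cf text are constructed sample input; it uses only the standard library.

```python
"""Classify Postfix outbound TLS log lines and sanity-check main.cf TLS keys.

Added example, not code from the post. Standard library only; the log lines
and the main.cf fragment below are constructed for the demonstration.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# postfix/smtp logs one of four trust levels when a TLS session is set up.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

LEVEL_MEANING = {
    "Anonymous": "peer presented no certificate",
    "Untrusted": "peer certificate did not chain to a CA in smtp_tls_CAfile/CApath",
    "Trusted": "peer certificate chain verified",
    "Verified": "chain verified and the name matched (secure/verify levels)",
}

# Constructed sample log (documentation IP ranges, fictitious hosts).
SAMPLE_LOG = """\
Jan 11 23:11:02 mx postfix/smtp[10736]: Untrusted TLS connection established to example.com[203.0.113.5]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 11 23:11:09 mx postfix/smtp[10740]: Trusted TLS connection established to mail.example.net[198.51.100.7]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 11 23:11:15 mx postfix/smtp[10744]: Anonymous TLS connection established to relay.example.org[192.0.2.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 11 23:11:20 mx postfix/smtp[10751]: Verified TLS connection established to smtp.example.edu[203.0.113.77]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Jan 11 23:11:25 mx postfix/smtp[10760]: 4A1B2C3D4E: to=<bob@example.com>, relay=example.com[203.0.113.5]:25, status=sent (250 2.0.0 OK)
"""

# Constructed main.cf fragment mirroring the three keys quoted in the post.
SAMPLE_MAIN_CF = """\
smtp_tls_key_file = /etc/letsencrypt/live/foo.bar/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/foo.bar/fullchain.pem
smtp_tls_CAfile = /etc/letsencrypt/live/foo.bar/fullchain.pem
"""


def parse_tls_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a 'TLS connection established' line, or None."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    for key in ("port", "bits", "algbits"):
        rec[key] = int(rec[key])
    rec["chain_verified"] = rec["level"] in ("Trusted", "Verified")
    rec["meaning"] = LEVEL_MEANING[rec["level"]]
    return rec


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count trust levels and collect peers whose chain did not verify."""
    counts: Counter = Counter()
    unverified = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue  # delivery status lines etc. are not TLS handshakes
        counts[rec["level"]] += 1
        if not rec["chain_verified"]:
            unverified.append((rec["host"], rec["level"]))
    return {"counts": dict(counts), "unverified_peers": unverified}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal 'key = value' parser for a main.cf fragment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def tls_config_findings(settings: Dict[str, str]) -> List[str]:
    """Point out TLS settings that explain 'Untrusted' log lines."""
    findings = []
    ca_file = settings.get("smtp_tls_CAfile")
    if ca_file and ca_file == settings.get("smtp_tls_cert_file"):
        findings.append("smtp_tls_CAfile is the server's own certificate chain; "
                        "it is meant to hold the CA certificates trusted for peers")
    level = settings.get("smtp_tls_security_level", "none")  # Postfix default
    if level in ("none", "may"):
        findings.append(f"smtp_tls_security_level={level}: an unverifiable peer "
                        "certificate is only logged, delivery still proceeds")
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
    for finding in tls_config_findings(parse_main_cf(SAMPLE_MAIN_CF)):
        print("finding:", finding)
```

Run it against the real log with `summarize(open("/var/log/mail.log").read().splitlines())`; the unverified_peers list is the set of destinations to look at when deciding which chains the server is expected to trust.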

Port Forward through wireguard tunnel

Posted: 11 Jan 2022 10:08 PM PST

I have a raspi connected to the Internet with a wireguard roadwarrior tunnel to the office. The raspi should forward traffic at the "raspi Intranet" to the office net to a specific server. Also raspi has access to the specific server at port 3000.

"other clients in Raspi Net (port 3000)" ->"raspi:3000"-> Tunnel->office->Server:3000

As an example: the Raspi intranet interface eth0 has 192.168.13.201, the tunnel address on wg0 is 10.10.10.15, and the office server daemon for port 3000 listens on 192.168.1.5:3000.

I have tried this without success:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.1.5:3000
iptables -A FORWARD -p tcp -d 192.168.1.5 --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

How to issue a windows machine cert for a non-domain joined computer?

Posted: 11 Jan 2022 07:03 PM PST

I have a Windows Server 2012 AD/CA and domain joined computers automatically receive the CA public cert and also get a computer certificate generated and pushed using GPO auto-enrollment. All of this is used for 802.1X and works fine.

Now I need to generate a certificate for a non-domain joined win10 computer, so that it can also authenticate via 802.1X.

This is proving quite difficult. I've come across this post that describes two ways to accomplish this:

option 1

Export the certificate from a domain joined computer. I've tested and this works, but as explained in that post the drawback is that all the non-domain joined computers will share the same certificate.

option 2 (preferred)

  1. Create an account in AD
  2. Issue a certificate from a template that allows the private key to be exported
  3. Using name mappings, attach the certificate to the account
  4. Create an SPN that matches the SAN on the certificate, i.e. if the SAN is computer.domain.com, you need to create an SPN on the account host/computer.domain.com
  5. Install certificate on to target workstation/device

This follow-up comment seems to suggest that the five steps above can be reduced to the following:

  1. Create computer AD account
  2. Issue a computer certificate for the non-domain computer adding SAN:UPN=<hostname>$@<domain.tld>
  3. Install computer certificate on client

You can make the hard option a little easier and reduce a couple of the steps by using a SAN entry in the certificate with a format of SAN:UPN=<hostname>$@<domain.tld>. This results in a certificate that has an NT Principal Name of <hostname>$@<domain.tld> in the SAN field which is then appropriate for authentication to the NPS as a pure computer object. The only dependency is then the creation of a computer account in Active Directory and adding it to the respective groups for AuthZ.

I've created a Computer AD account with the hostname win10test but I don't understand how to generate the certificate and how to add the SAN:UPN=<hostname>$@<domain.tld> to the certificate.

Do I need to create a CSR on the non-domain computer?

Can someone please elaborate on the instructions from the MS forum post. Thank you.

UPDATE

I created a csr request.inf that looks like this:

[NewRequest]
Subject="CN=win10test"
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
SMIME = FALSE

[RequestAttributes]
CertificateTemplate="NonDomainWorkstations"
SAN="upn=win10test@test.local"

I then copied it to the CA and submitted the request. The cert for win10test was issued but it doesn't contain the SAN field. I don't understand why.

UPDATE 2

New CSR request with correct SAN attribute as Crypt32 pointed out.

[NewRequest]
Subject="CN=win10test"
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
SMIME = FALSE

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=win10test@test.local"

[RequestAttributes]
CertificateTemplate="NonDomainWorkstations"

The issue that remains is that the cert above does not seem to associate with the win10test AD computer account.

UPDATE 3

  1. Created AD computer account win10test
  2. Modified dNSHostname to win10test.test.local
  3. Create CSR on win10test using the following request.inf:

[NewRequest]
Subject="CN=win10test"
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
SMIME = FALSE

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=win10test.test.local"

[RequestAttributes]
CertificateTemplate="NonDomainWorkstations"

  4. Run certreq -new request.inf win10test.req on win10test
  5. Copy win10test.req to CA server and submit request
  6. Copy win10test.cer to win10test and install to local machine.

Can't 802.1x auth. Get the following error in NPS:

Event 6273
host/win10test.test.local
TEST
TEST\host/win10test.test.local

The specified user account does not exist.
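The thread turns on what the 2.5.29.17 (subjectAltName) extension actually carries once the CA has processed the `upn=` and `dns=` entries from the INF file. As an added example (my code, not from the post, the forum thread it cites, or Microsoft), the script below hand-encodes and decodes that extension in DER so an issued certificate's SAN bytes can be compared with the names the computer account is expected to match on: the dNSName, and the otherName of type 1.3.6.1.4.1.311.20.2.3 (Microsoft's NT Principal Name OID) holding `<hostname>$@<domain>`, the form the quoted comment describes. The `missing_names` check and the win10test/test.local values are taken from the post; it uses only the standard library.

```python
"""Encode/decode an X.509 subjectAltName (OID 2.5.29.17) with UPN and DNS names.

Added example, not from the post. Shows the DER that a certreq [Extensions]
section like   2.5.29.17 = "{text}" / _continue_ = "upn=...&dns=..."   asks
the CA to emit, and checks an SAN against the names expected for a computer
account (hostname$@domain UPN and hostname.domain DNS). Standard library only.
"""
from typing import List, Tuple

# Microsoft's otherName type for a UPN inside a SAN (szOID_NT_PRINCIPAL_NAME).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_san(names: List[Tuple[str, str]]) -> bytes:
    """[("dns", host), ("upn", name@realm)] -> DER GeneralNames SEQUENCE."""
    items = []
    for kind, value in names:
        if kind == "dns":
            # dNSName is GeneralName choice [2], IA5String, implicit tag 0x82.
            items.append(_tlv(0x82, value.encode("ascii")))
        elif kind == "upn":
            # otherName is choice [0] (constructed, 0xA0) wrapping
            # SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }.
            inner = _tlv(0x06, encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, value.encode("utf-8")))
            items.append(_tlv(0xA0, inner))
        else:
            raise ValueError(f"unsupported SAN kind: {kind}")
    return _tlv(0x30, b"".join(items))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_san(der: bytes) -> List[Tuple[str, str]]:
    """DER GeneralNames -> [(kind, value)], kind in dns/upn/other:<oid>/tag:0xNN."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            names.append(("dns", val.decode("ascii")))
        elif tag == 0xA0:
            _, oid, after_oid = _read_tlv(val, 0)       # type-id
            _, explicit, _ = _read_tlv(val, after_oid)  # [0] EXPLICIT wrapper
            _, text, _ = _read_tlv(explicit, 0)         # UTF8String inside
            oid_str = decode_oid(oid)
            names.append(("upn" if oid_str == UPN_OID else f"other:{oid_str}", text.decode("utf-8")))
        else:
            names.append((f"tag:0x{tag:02x}", val.hex()))
    return names


def expected_computer_names(hostname: str, domain: str) -> List[Tuple[str, str]]:
    """Names a computer-account certificate is expected to carry."""
    return [("upn", f"{hostname}$@{domain}"), ("dns", f"{hostname}.{domain}")]


def missing_names(san_der: bytes, hostname: str, domain: str) -> List[Tuple[str, str]]:
    """Which of the expected names are absent from this SAN (case-insensitive)."""
    present = {(k, v.lower()) for k, v in decode_san(san_der)}
    return [n for n in expected_computer_names(hostname, domain) if (n[0], n[1].lower()) not in present]


if __name__ == "__main__":
    san = encode_san(expected_computer_names("win10test", "test.local"))
    print(san.hex())
    print(decode_san(san))
    print("missing:", missing_names(encode_san([("dns", "win10test.test.local")]), "win10test", "test.local"))
```

To check a real certificate, extract the 2.5.29.17 extension value (for example with certutil or OpenSSL's asn1parse) and pass those bytes to `decode_san`; a result that lists only a dns entry for a certificate meant to carry a UPN is the same symptom the post's first UPDATE describes.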

Error installing Active Directory Certificate Services

Posted: 11 Jan 2022 07:03 PM PST

I'm trying to install Active Directory Certificate Services on a Windows Server 2016 Standard Core VM where I logged in with the Administrator account.

I ran the following Powershell cmdlet:

ps> Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
ps> Install-AdcsCertificateAuthority -CAType EnterpriseRootCA

The first cmdlet succeeded, but then the second command fails with the following error message:

> Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values.

GCP HTTP Load Balancers With SSL Certificates for Multiple Websites

Posted: 11 Jan 2022 11:43 PM PST

I'm trying to setup an HTTPS Load Balancer on GCP (Google Cloud Platform) for my Virtual Machine (VM) Instances.

The documentation shows that you can only have a maximum of 10 SSL Certificates per Load Balancer.

How can I use an HTTPS Load Balancer on GCP with more than 10 domains? I've got way more than 10 websites. All of these websites require an SSL connection. All HTTP connections will be redirected to HTTPS connections.

How can I provide an SSL connection to all of my websites using an HTTPS Load Balancer on GCP? I've got it figured out for non-secure connections but I need them to all be secure. What should I do here?

Do I create a separate unique SSL Certificate specifically for the Load Balancer, and then put the SSL Certificates for each website on the VM Instances?

Scheduled Task in Windows Server 2016, run by non-admin Users

Posted: 11 Jan 2022 06:03 PM PST

In earlier Windows Server versions (prior to 2016) it was possible to grant non-admin users the permission to run a scheduled task by doing the following steps:

  1. Scheduled Task: run under system, execute script
  2. Give user read and execute rights on specific task under C:\Windows\System32\Tasks\

Now in server 2016 this doesn't work anymore. Do you know how to do it?

Thank you

related post, which didn't get answered, neither helped: Allow non-admin user to run scheduled task in Windows Server 2016

SFTP is periodically extremely slow for no reason

Posted: 11 Jan 2022 10:08 PM PST

I am transferring a bunch of gigabyte-sized files using SFTP over a fairly fast connection, between two servers running Ubuntu Linux, with not much CPU load.

I am usually able to reach 5.0 MB transfer speeds (around 40 megabit/sec), though we have 90 megabit of bandwidth available and it doesn't seem to want to go any higher.

Running at 5.0 MB:

  • The source machine has a CPU load of no more than 2.7% for ssh
  • The target machine has a CPU load of no more than 13.3% for sshd and 3.0% for sftp-server

I can't get it to go any faster. If I open a second SFTP session, the two never exceed 5.0 MB combined.

 

And now for the actual question. Occasionally SFTP will transfer incredibly slowly for no apparent reason. Both machines are not busy, and the Internet connection is empty, yet the transfer plods along at around 120 KB/s.

  • Interrupt SFTP, reconnect. Still 120 or so KB/s
  • Interrupt SFTP, reconnect. Still 120 or so KB/s
  • Interrupt SFTP, reconnect. Still 120 or so KB/s
  • Interrupt SFTP, reconnect. This time it starts out slow but works its way back up to 5.0 MB/s

What the heck is going on?

I know there is some sort of mechanism to keep SFTP from overloading a slow SSH connection, but that mechanism appears to be broken and unreliable.

Started task in z/OS lacks RACF privileges

Posted: 11 Jan 2022 08:03 PM PST

I wish to test a JDBC server implementation running under z/OS. The usual approach would be to define a JCL procedure and run this as a started task. The started task requires a user ID under which it would run. The JDBC jars are placed in a ZFS file system which has been mounted in OMVS.

The user for the started task requires certain RACF privileges. This was provided with the following JCL:

//RUNRACF  EXEC PGM=IKJEFT01
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
AU JDBCUSR NAME('JDBC STC USER') PASSWORD(JDBCUSR) -
    OWNER(IBMUSER) DFLTGRP(STCGROUP) -
    UACC(READ)
OMVS(HOME(/u/zfs4svr) PROGRAM(/bin/sh) UID(3005) -
FILEPROCMAX(131072))

RDEFINE STARTED SVRPROC.** STDATA(USER(JDBCUSR) GROUP(STCGROUP) -
TRUSTED(NO))

SETROPTS CLASSACT(STARTED)
SETROPTS RACLIST(STARTED) REFRESH

PERMIT BPX.SERVER ACCESS(READ) CLASS(FACILITY) -
  ID(JDBCUSR)

SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH

When I start the task the following error message turns up in SYSOUT:

JVMJZBL1001N JZOS batch Launcher Version: 2.4.4 2013-05-07
JVMJZBL1002N (C) Copyright IBM Corp. 2005, 2012
JVMJZBL1009E Child shell process exited without printing environment; //STDENV should not contain 'exit' JVMJZBL1042E JZOS batch launcher failed, return code=101

After looking this up and reading what the IBM support documentation had to say, I and my colleagues were pretty confused. I then tried starting the server as a straight forward job. The user for the job had system administrator privileges. This works and we can test the JDBC server. Trying to run the job with the user for the procedure results in the same error as shown above.

It's obvious that JDBCUSR lacks some privilege or other. To run the server as a started task I need to know what privileges are lacking. We certainly don't wish to give the started task user system admin rights.

Is there some way to find out what is missing? This is very frustrating.

Edit 11.10.2016

The following JCL is the JOB that does work when <user> has system admin privileges:

//V4JSRV   JOB USER=<user>,PASSWORD=<password>,REGION=200M
//*
//*******************************************************************
//* Call the server as a job
//*******************************************************************
//PROCS    JCLLIB ORDER=(ACHIM.JDBCSRV.CNTL)
//SRV      EXEC PROC=SRVPROC
//STDENV   DD DISP=SHR,DSN=ACHIM.JDBCSRV.CNTL(SRVENV)
//STRCTREP DD DISP=SHR,DSN=ACHIM.JDBCSRV.STRCTREP

The procedure looks like this:

//JDBCPROC  PROC JAVACLS='de.ubs.du.jdbcserver.Server',
//   ARGS='-p 5431 LOG-LEVEL=FINE',
//   LEPARM='',
//   LOGLVL='+T'
//JAVAJVM  EXEC PGM=JVMLDM70,REGION=200M,
//   PARM='&LEPARM/&LOGLVL &JAVACLS &ARGS'
//*JDBCPROC  PROC
//*JAVAJVM  EXEC PGM=JVMLDM70,REGION=200M,
//*   PARM='de.ubs.du.jdbcserver.Server -p 5431 LOG-LEVEL=FINE'
//STEPLIB  DD DSN=JVA700.SIEALNKE,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//CEEDUMP  DD SYSOUT=*
//ABNLIGNR DD DUMMY

As you can see the job does nothing more than run the procedure. When <user> is the username for the started procedure, the error above is produced, when it's an admin user, then the job runs normally. Obviously, to start it as a started task, the proc is copied to a public proc library (USER.PROCLIB to be precise).

There's nothing especially spectacular about any of this. In fact it is pretty banal. This is why we suspect that it's a RACF problem.

Edit (2) 11.10.2016

It's not a solution as yet, but I have managed to localize the problem. The started procedure functions if it is assigned the TRUSTED attribute. This effectively means the started task is treated as a "super user" in z/OS Unix (in other words it has root privileges). So now it is a matter of determining just what our server needs, that to date is only available when run by a super user. When I find out, I'll post a solution.

Edit (3) 12.12.2016

After adding the trace (see modified proc above), the following error occurs:

JVMJZBL2999T ->invokeMain()
JVMJZBL2999T javaClassName: 'de.ubs.du.jdbcserver.Server'
JVMJZBL2999T Arg 1='-p'
JVMJZBL2999T Arg 2='5431'
JVMJZBL2999T Arg 3='LOG-LEVEL=FINE'
JVMJZBL1023N Invoking de.ubs.du.jdbcserver.Server.main()...
JVMJZBL1056I Arguments to main...
JVMJZBL1057I -p
JVMJZBL1057I 5431
JVMJZBL1057I LOG-LEVEL=FINE
JVMJZBL2999T -> JniUtil.convert()
JVMJZBL2999T <- JniUtil.convert()
JVMJZBL2008E Could not find or load class: de.ubs.du.jdbcserver.Server
JVMJZBL2999T -> JniUtil.writeStackTrace()
JVMJZBL2007E Stack trace follows:
java.lang.NoClassDefFoundError: de.ubs.du.jdbcserver.Server
Caused by: java.lang.ClassNotFoundException: de.ubs.du.jdbcserver.Server
.at java.net.URLClassLoader.findClass(URLClassLoader.java:588)
.at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:756)
.at java.lang.ClassLoader.loadClass(ClassLoader.java:724)
.at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:313)
.at java.lang.ClassLoader.loadClass(ClassLoader.java:703)
JVMJZBL2999T <- JniUtil.writeStackTrace()
JVMJZBL2999T <- invokeMain()
JVMJZBL2999T <- run()
JVMJZBL2999T -> cleanup()
JVMJZBL1014I Waiting for non-deamon Java threads to finish before exiting...
JVMJZBL2999T JvmExitHook entered with exitCode=0, javaMainReturnedOrThrewException=0
JVMJZBL1042E JZOS batch launcher failed, return code=100
JVMJZBL2999T DestroyJavaVM elapsed time=0.031311 seconds, cpu time=0.021000 seconds
JVMJZBL2999I JZOS batch launcher elapsed time=7 seconds, cpu time=5.090000 seconds
JVMJZBL1047W JZOS batch launcher completed with Java exception, return code=100
JVMJZBL2999T <- cleanup()

Just why we're getting this run time error is unclear. At this stage it no longer looks like a permissions problem.

Dovecot Authentication failed if trying login with @domain

Posted: 11 Jan 2022 09:01 PM PST

When I try to test my IMAP server functionality using telnet I encounter the following error.

If during the test I omit the @domain.ex, everything works fine (as you can see below):

a login user password
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in

If I try using username@domain.ex, I receive the following error:

a login user@domain.ex password
a NO [AUTHENTICATIONFAILED] Authentication failed.

Does someone know where I'm going wrong?

The output of dovecot -n

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-openvz-042stab090.5-amd64 x86_64 CentOS Linux release 7.0.1406 (Core)
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
service auth {
  unix_listener auth-userdb {
    group = postfix
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

DISM inject drivers into WIM gives error 2

Posted: 11 Jan 2022 09:01 PM PST

I have just installed a reference windows 7 x64 machine, sysprep-ed it, went into WinPE mode and captured boot.wim image using ImageX.

I then moved the boot.wim to my local PC under c:\wim, and tried to inject drivers into it, before I deploy the new boot.wim to other machines. However I got an error 2: Unable to access the image.

The commands I am running are (run as administrator):

Dism /Get-WimInfo /WimFile:c:\wim\boot.wim
DISM /Mount-Wim /wimfile:c:\wim\boot.wim /index:1 /MountDir:c:\mount
Dism /Image:c:\mount /Add-Driver /Driver:c:\drivers\latitude /Recurse

I have successfully injected drivers using DISM into a WinPE boot image, using the same steps. So what is wrong?!!! PS: in terms of permissions, I have full-control permission over the boot.wim file and the c:\wim folder. I am really puzzled and stuck; any input is welcome.

--update--

I just looked at the log file as suggested by DISM in the command prompt. It says the image session has been closed. How come? How can I overcome this problem?

2013-05-21 12:27:24, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: WimManager
2013-05-21 12:27:24, Info                  DISM   DISM.EXE: Succesfully registered commands for the provider: WimManager.
2013-05-21 12:27:24, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: FolderManager
2013-05-21 12:27:24, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: DISM Log Provider
2013-05-21 12:27:24, Info                  DISM   DISM.EXE: Attempting to add the commands from provider: Compatibility Manager
2013-05-21 12:27:24, Info                  DISM   DISM.EXE: Succesfully registered commands for the provider: Compatibility Manager.
2013-05-21 12:27:24, Error                 DISM   DISM.EXE: Failed to access the image folder or image's windows folder.
2013-05-21 12:27:24, Info                  DISM   DISM.EXE: Image session has been closed. Reboot required=no.

--update--

To list the boot.wim info, I run the Dism command and the result seems good:

C:\Windows\system32>Dism /Get-WimInfo /WimFile:c:\wim\boot.wim

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Details for image : c:\wim\boot.wim

Index : 1
Name : Win7 Ent64
Description : <undefined>
Size : 14,986,334 bytes

The operation completed successfully.

How to refer to current iteration of hash loop in puppet

Posted: 12 Jan 2022 12:05 AM PST

I have a hash like so

net::ip { '':
  ip => {
    ip1 => {
      addr   => '192.168.10.1',
      device => 'eth0',
    },
    ip2 => {
      addr   => '192.168.50.10',
      device => 'eth10',
    },
  }
}

In my manifest I call like so

define net::ip (
  $ip = {},
) {
  ...
}

My question is how do I refer to the current loop of the hash iteration. I want to be able to use the "dev" field in this manifest, but since the hash has ip1, ip2 I can't tell what number it's on.

Thanks Dan

Obtain device driver version and associated GUID using PowerShell?

Posted: 11 Jan 2022 06:03 PM PST

Right now, I am getting two separate objects

  1. A Win32_NetworkAdapter WMI object
  2. A Win32_PnpSignedDriver WMI object

In my previous scripts, I've made sure I was calling separate objects, and relating them by the GUID

$mydev = Get-WmiObject -class Win32_NetworkAdapter | Where-Object {$_.pnpdeviceid -like "*VEN_0000&DEV_00AA*"}

If ($mydev.GUID -eq $relatedobj.ParentID)
{
    action
}

But there is no GUID/ParentID/etc. property for a Win32_PnpSignedDriver object. Is there another way to obtain information about a device's drivers (specifically, the driver version), and also obtain the GUID of the device? Is it possible to do this with the Win32_PnpSignedDriver, and I'm just not seeing it?

How does Heartbeat determine when to switch to the secondary? Can you force it to switch?

Posted: 12 Jan 2022 12:05 AM PST

I've been trying to understand exactly how Heartbeat works - I understand how when one server dies, it switches to the backup. But, for me, it also switches when the primary has a large increase in workload. But, it doesn't always switch at the same value. There doesn't seem to much information on the web about how it works. The best I've found is this article.

How does Heartbeat determine when to switch to the secondary, and how does it determine when it switches back to the primary? Is this an editable setting, and can I force it to switch between one and the other? Sometimes when Heartbeat switches to the secondary, it takes a few days or I've even seen two weeks before it switches back to the primary. This is well after the primary traffic has gone down.

I'm currently using BlueOnyx, and my Heartbeat settings are:

Auto Failback: on
Keepalive: 1 seconds
Warntime: 10 seconds
Deadtime: 20 seconds
Initdead: 30 seconds

AD custom attribute of type numerical string crashes MMC when updated

Posted: 11 Jan 2022 10:52 PM PST

I am using Windows Server 2008. I have a domain with one domain controller (this is a dev environment). I edited the AD schema and created a custom attribute called TestAttribute2 (the LDAP name is testAttribute2) with a syntax of numerical string, single valued, with no minimum or maximum. The attribute's OID was 1.3.6.1.4.1.39668.21769.1.1.1. I also created another test attribute with a Microsoft-issued OID of 1.2.840.113556.1.8000.2554.37861.10620.51629.17372.38569.15288078.14709744.1.2. The attribute is nonindexed, active, not replicated to the GC, not copied when duplicating, and not indexed for containerized searches. I then added this attribute to the person class.

Whenever I try to set either of those custom attributes using the attribute editor function of the AD Users and Computers MMC, or ADSI Edit, MMC crashes, and the attribute remains unset. However, other custom attributes with similar OIDs but with other syntaxes (CI string and Unicode string) can be set with no crash. What am I doing wrong?

Forward SSH through SSH tunnel

Posted: 11 Jan 2022 08:09 PM PST

My situation :

Me(localhost) -> Server A(ip:100.100.100.100) =>(server B(ip:192.168.25.100),server....)

I'm able to SSH into server A since it has a public IP. If I then want to connect to server B, I would SSH into server B with its IP (192.168.25.100).

example:

from my pc:

ssh user@100.100.100.100  

then in 100.100.100.100,

ssh user@192.168.25.100  

This would get me to server B via SSH.

What if I want to connect to server B directly? How can I do that?

example:

from my PC:

ssh@192.168.25.100  

I have tried the following:

ssh -L 22:localhost:22 user@100.100.100.100  

without success

How to track down connectivity drops

Posted: 11 Jan 2022 08:03 PM PST

My company just replaced its old firewall (Zyxel ZyWALL 70) with a new one (Zyxel ZyWALL USG 300).

Everything seems to be working fine but sometimes, in a non-periodic span of time, connectivity seems to drop.
Web navigation stops, ftp uploads get interrupted and email checking fails.

EDIT: The interruption lasts 10-15 seconds.

Everything works if we plug in the old firewall, so we are trying to understand what might cause the problem.
The connection is not dial-up through the firewall but via Ethernet to an external modem (unchanged from the previous configuration).

According to the log, the WAN interface is never shut down.

How can we track down the issue?

Please post a comment to this question if you need any further information.
