Tuesday, January 4, 2022

Recent Questions - Server Fault

How to define a common location once in NGINX and share it across multiple server blocks?

Posted: 04 Jan 2022 04:04 AM PST

I have several server blocks, each one corresponds to a different domain. All of them share a common location that has the purpose of renewing SSH certificates (for those familiar with this, it's the .well-known route that Letsencrypt uses for that purpose, just in case someone out here already solved this ;) ).

I'd like to define this location once and share it across each different server block, but I can't seem to find an appropriate directive in the documentation. Any pointers are deeply appreciated :)
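One way to do this, added here as an example that is not from the question or any answer: put the shared location in a snippet file and include it from each server block. The file paths, the webroot and the host names are assumptions.

```nginx
# /etc/nginx/snippets/acme-challenge.conf   (assumed path; added example)
# Serves the ACME HTTP-01 challenge from one shared webroot, so every vhost
# that includes this file answers /.well-known/acme-challenge/ identically.
# "^~" makes this prefix match win over any regex locations in the same
# server block (e.g. a "\.txt$" static-files rule), so the token is never
# handled by the application or a caching rule.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;    # assumed webroot: certbot --webroot -w /var/www/letsencrypt
    default_type "text/plain";
    try_files $uri =404;          # unknown tokens get 404, not a fallthrough to the app
}

# /etc/nginx/sites-available/a.example.com.conf   (assumed path)
# The relative include path is resolved against nginx's configuration prefix
# (/etc/nginx on Debian/Ubuntu), the same way the stock snippets/ files are used.
server {
    listen 80;
    server_name a.example.com;
    include snippets/acme-challenge.conf;

    location / {
        return 301 https://$host$request_uri;   # everything except the challenge goes to HTTPS
    }
}

# /etc/nginx/sites-available/b.example.com.conf   (assumed path)
server {
    listen 80;
    server_name b.example.com;
    include snippets/acme-challenge.conf;

    location / {
        return 301 https://$host$request_uri;
    }
}
```

Run nginx -t after editing: a syntax error in the shared snippet breaks every vhost that includes it, which is the one downside of sharing.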

Azure NSG Flow Logs not logging as expected

Posted: 04 Jan 2022 03:43 AM PST

incorrect post. Will delete soon.

Blocking API requests from unknown "Origins"

Posted: 04 Jan 2022 03:00 AM PST

I have an API that I'd like to block from unknown origins in production. CORS would work when the API is accessed by a website/browser, but how can I prevent it from being accessed from other servers, or curl, or some script running on localhost?

Thank you!

SSL authentication failed with 403.7 on Windows Server 2022

Posted: 04 Jan 2022 02:32 AM PST

We have a set of web services and a WCF project [Sslprotocols.TLS12 hardcoded] configured with self-signed certificates, which are deployed in IIS, and we are able to access the web services successfully on other Windows servers, i.e. Windows Server 2016, 2012, etc.

But on Windows Server 2022 [v21H2 OS build 20348.230] with IIS [v10.0.20348.1], we get 403.7 forbidden with an access denied error when accessing the URL via IE on the Windows server.

and

the exceptions when accessing "https://localhost:8083/adminservice/admin.svc" via HttpClient are:

Dec-15-2021 02:10:33.002 UTC  [EXCEPTION]     One or more errors occurred.
     at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
     at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
     at System.Threading.Tasks.Task.Wait()
     at Common.HttpClientInstance.GetWithClientCert(String uri, HttpContent content, String& getResponse, String ClientCertThumbprint)
Dec-15-2021 02:10:33.002 UTC  [EXCEPTION]     InnerException : System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
     at System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
     at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
     --- End of inner exception stack trace ---
     at System.Net.Security._SslStream.EndRead(IAsyncResult asyncResult)
     at System.Net.TlsStream.EndRead(IAsyncResult asyncResult)
     at System.Net.PooledStream.EndRead(IAsyncResult asyncResult)
     at System.Net.Connection.ReadCallback(IAsyncResult asyncResult)
     --- End of inner exception stack trace ---
     at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
     at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
     --- End of inner exception stack trace ---

As MSDN states, TLS 1.3 is enabled by default, but the server should be compatible with the older versions if the client requests TLS 1.2. Also, there is no registry key for the protocols [TLS 1.2, TLS 1.3] when checking the registry keys under SCHANNEL.

I added the TLS 1.2 registry key [client/server] manually and am able to access the URL over HTTPS successfully, and I am wondering why I get this error when accessing "https://localhost:8083/adminservice/admin.svc" [without having the TLS 1.2 registry key enabled].

Could you please provide suggestions or solutions?

ssmtp doesn't work and doesn't log

Posted: 04 Jan 2022 02:14 AM PST

I've configured SSMTP to send mail, but the problem is that I can't send mail from my webserver and there are no logs in /var/log. Sometimes I get Sender mismatch in the Apache logs.

My setup: Debian 11, with the webserver in a Docker container.

This is my SSMTP config:

hostname=domain.fr
root=no-reply@domain.fr
mailhub=mail.infomaniak.com:587
AuthUser=no-reply@domain.fr
AuthPass=PASS
UseTLS=YES
UseSTARTTLS=YES
Debug=YES

In revaliases I have:

www-data:no-reply@domain.fr:mail.infomaniak.com:587
root:no-reply@domain.fr:mail.infomaniak.com:587

EDIT: This is the part of my Dockerfile where I install and configure SSMTP:

&& apt -y install ssmtp mailutils \
&& echo "hostname=domain.fr" > /etc/ssmtp/ssmtp.conf \
&& echo "root=no-reply@domain.fr" >> /etc/ssmtp/ssmtp.conf \
&& echo "mailhub=mail.infomaniak.com:587" >> /etc/ssmtp/ssmtp.conf \
&& echo "AuthUser=no-reply@domain.fr" >> /etc/ssmtp/ssmtp.conf \
&& echo "AuthPass=" >> /etc/ssmtp/ssmtp.conf \
&& echo "UseTLS=YES" >> /etc/ssmtp/ssmtp.conf \
&& echo "UseSTARTTLS=YES" >> /etc/ssmtp/ssmtp.conf \
&& echo "Debug=YES" >> /etc/ssmtp/ssmtp.conf \
&& echo "www-data:no-reply@domain.fr:mail.infomaniak.com:587" >> /etc/ssmtp/revaliases

For information, from the CLI I can send emails while on the root account.

What could my problem be?

Thanks for your help!

Create new SubCA certificate fails with NTE_PROV_TYPE_NOT_DEF

Posted: 04 Jan 2022 01:45 AM PST

I am trying to manually create a key and CSR for a new Windows AD CS Enterprise Subordinate CA (Windows Server 2019).

I'd like to store the key in the modern Microsoft Software Key Storage Provider.

It fails with Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF).

The command I use is: certreq.exe -new C:\requestconfig.inf C:\certificate.req

The C:\requestconfig.inf file is this:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN=My Subordinate CA"

HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 2048

ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Subordinate CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = PKCS10
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)"

[RequestAttributes]
CertificateTemplate = SubCA

[Extensions]
2.5.29.15 = "{critical}{hex}03020186" ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = "{critical}{text}ca=1&pathlength=1" ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = "{hex}020100" ; CA Version V0.0

Troubleshooting Steps

I checked that the CSP is valid by running certutil -csplist:

[...]
Provider Name: Microsoft Strong Cryptographic Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Software Key Storage Provider

Provider Name: Microsoft Passport Key Storage Provider
[...]

It does not have a provider type, but nonetheless I added ProviderType = 0 and ProviderType = 1 to the config, to no avail.

I was able to use a very similar config to create my root certificate:

[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN=My Root CA"

HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 4096
;KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE

ProviderName = "Microsoft Software Key Storage Provider"
KeyContainer = "My Root CA"
ExportableEncrypted = true
MachineKeySet = true
RequestType = Cert
SuppressDefaults = true
SecurityDescriptor = "D:P(A;OICI;0xd01f01ff;;;BA)(A;OICI;0xd01f01ff;;;SY)"

[Extensions]
2.5.29.15 = {critical}{hex}03020186 ; Key Usage (critical): Digital Signature, Certificate Signing, CRL Signing
2.5.29.19 = {critical}{text}ca=1&pathlength=None ; Basic Constraints (critical)
1.3.6.1.4.1.311.21.1 = {hex}020100 ; CA Version V0.0

The main difference is that with this config I create a key and certificate instead of a key and CSR. The differences are: RequestType is Cert and not PKCS10, and it does not have the RequestAttributes section. This config did not fail with NTE_PROV_TYPE_NOT_DEF.

What is causing the sudden failure with the config for my sub CA?

"random" subdomain is shown for an invalid subdomain instead of an error page [duplicate]

Posted: 04 Jan 2022 12:29 AM PST

So, for example, if I enter a non-existing qwerty.mydomain.com, the content of actual.mydomain.com is shown. I would expect an error page (or a redirect to mydomain.com).

Does the try_files clause play a role, and does it matter at which point it stands (order)?

mydomain conf:

server {
    listen 443 ssl; # managed by Certbot
    listen 8448 ssl http2;
    server_name mydomain.com ;
    root /var/www/mydomain;
    index index.html index.htm index.php index.nginx-debian.html;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        include includes/headers.ngx;
        include conf.d/myheaders.conf;

        location ~* "\.(?:css|js)$" {
            include     includes/headers.ngx;
            include     conf.d/myheaders.conf;
            include     includes/.static-files-one-year.ngx;
        }
        location ~* "(?:^/(?:browserconfig|crossdomain)\.xml|\.(?:3gp|cur|eot|gif|htc|ico|jng|jpe?g|mp(?:3|4)|og(?:g|v)|otf|png|svgz?|swf|tiff?|ttc|ttf|txt|wav|web(?:m|p)|woff2?))$" {
            include     includes/headers.ngx;
            include     conf.d/myheaders.conf;
            include     includes/.static-files-one-month.ngx;
        }
        location ~* "\.(?:rss|atom)$" {
            include     includes/headers.ngx;
            include     conf.d/myheaders.conf;
            include     includes/.static-files-one-hour.ngx;
        }
        location ~* "\.(?:manifest|appcache|html?|xml|json)$" {
            add_header Cache-Control "no-cache, must-revalidate";
            include     includes/headers.ngx;
            include     conf.d/myheaders.conf;
            include     includes/.static-files-none.ngx;
        }
        location /_matrix {
            proxy_pass http://127.0.0.1:8008;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
        }
        location /.well-known/matrix/server {
            return 200 '{"m.server": "enterthematrix.mydomain.com:443"}';
            add_header Content-Type application/json;
        }
        location /.well-known/matrix/client {
            return 200 '{"m.homeserver": {"base_url": "https://enterthematrix.mydomain.com"},"m.identity_server": {"base_url": "https://vector.im"}}';
            add_header Content-Type application/json;
            add_header "Access-Control-Allow-Origin" *;
        }

        include /etc/nginx/bots.d/ddos.conf;
        include /etc/nginx/bots.d/blockbots.conf;

        sub_filter_once off;
        sub_filter ijasdi4ijjiadaioq $request_id;

        try_files $uri $uri/ =404;
    }
}

subdomain conf:

server {
    server_name dimension.mydomain.in.net ;
    root /var/www/mydomain/matrix-dimension;
    index index.html;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8184;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;
}

I have multiple subdomains configured, but this is the one shown when an invalid one is used.
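Added here as an example that is not from the question or any answer: nginx hands a request whose Host (or SNI) name matches no server_name to the default server for that listen port, which is the first server block defined for the port unless one is marked default_server. That is why some unrelated vhost answers for qwerty.mydomain.com. An explicit catch-all makes the behaviour deliberate; the certificate paths below are assumptions.

```nginx
# Explicit catch-all for unknown Host names on every port the site listens on.
# Without one, nginx silently serves the first server{} defined for that port.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    listen 8448 ssl http2 default_server;
    server_name _;                   # never matches a real name; chosen only as the default

    # The TLS handshake needs a certificate before nginx can act on Host/SNI, so the
    # catch-all must carry one: the site's own cert (assumed path) or a self-signed one.
    # On nginx 1.19.4 or newer, "ssl_reject_handshake on;" can replace these two lines
    # and abort the handshake for unknown SNI names instead.
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    # 444 closes the connection without sending a response. Use "return 404;"
    # for an error page, or "return 301 https://mydomain.com$request_uri;"
    # if a redirect to the main site is preferred.
    return 444;
}
```

Check with nginx -T that no other server block still claims default_server on the same port, since only one per port can.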

check_kvm_support script failed to start error when attempting to create a VM

Posted: 03 Jan 2022 11:54 PM PST

When I attempt to initialise a VM on a Debian 10 instance I get an error:

multipass launch --name kube-master --cpus 1 --mem 1024M --disk 3G
launch failed: The check_kvm_support script failed to start. Ensure it is in multipassd's PATH.

I checked virtualization parameters and the instance has Microsoft virtualization (not kvm):

lscpu
CPU family:          6
Model:               63
Model name:          Intel(R) Xeon(R) CPU E5-2690 v3 @ 2.60GHz
Stepping:            2
CPU MHz:             2596.991
BogoMIPS:            5193.98
Hypervisor vendor:   Microsoft
Virtualization type: full

I have attempted to enable virtualization as per the suggestions, but it appears that since I have Microsoft I cannot:

kvm-ok
INFO: Your CPU does not support KVM extensions
KVM acceleration can NOT be used

I have tried the suggested fix command:

sudo modprobe kvm intel  

and retried initializing the VM, but I'm still getting the same error.

My question: how do I enable virtualization when my underlying virtualization provider is of type Microsoft (and not KVM)?

These are my system details:

Icon name: computer-vm
Chassis: vm
Machine ID: 2096d4c088f84a09bcf4e4f7bb730aac
Boot ID: 27760bc0b01848a182d7e53f00acad9e
Virtualization: microsoft
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 5.10.0-0.bpo.9-amd64
Architecture: x86-64

Do you Secure my VPS Server? [closed]

Posted: 03 Jan 2022 11:44 PM PST

9 Ways To Keep Your VPS Secure

These days, the content of web hosting security seems to be everyplace, a concern not only discussed among big companies but also individualities with an online presence. And for good reason. With stolen particular and financial information, client data loss, and destroyed website content, cyber pitfalls are veritably real and shouldn't be taken smoothly. In this composition, we'll specifically address security measures regarding VPS Hosting, where we've linked ways to keep yours redundant secure.

1. Change Your Default SSH Login

Multiple VPS users use SSH or Secure Shell, a system for remote computer-to-computer connection, to log in to their servers. Still, there's a threat of becoming a victim of a brute-force attack if you use an SSH system to log in to your server. When a "brute-force attack" occurs, this generally means someone tries to log in to your SSH using a variety of common passwords. Keep in mind, still, that when you disable root logins without assigning authorized access already, you may lock yourself out of your VPS.

2. Use The Latest Software Versions

It goes without saying that the older the software version, the more vulnerable your VPS becomes. Luckily, all it takes is a few clicks of your mouse to run the necessary updates for your operating system (OS). You may also want to consider automating this process. And depending on the OS you use, you'll most likely use apt-get for Debian and Ubuntu or yum/rpm for CentOS to perform system updates. This can be automated by cron jobs, a Linux-based utility that schedules a command or script on your VPS to run at a specified time and date or through your control panel.

3. Cover Your VPS Server Logs

Managing your server logs helps you to stay in control over what's passing with your VPS. By tracking your VPS systems and software, you'll be more set if any issues rear their unattractive heads. When you laboriously cover events, resource operation, business situations, stoner exertion, and software-generated errors, you're better set to handle the issues at hand. Whether that's precluding or resolving, being apprehensive of what issues are at hand can only help to break them briskly. A helpful tip? Set up dispatch announcements for any warnings and errors so you can follow the events in real time.

4. Set Up Your Firewall

You don't want unwanted business, right? That's why a firewall matters. Most Linux-predicated operating systems have pre-installed firewalls (suppose iptables, firewalld, ufw, DebianFirewall). This firewall architecture script works to give better security for your VPS while giving you a developed, intuitive interface for managing your firewall settings.

5. Make Sure Your Server Is Malware-defended

In addition to setting up a firewall that guards incoming business, you also need to consider covering the lines that have formerly been and are being uploaded to your VPS, just in case any vulnerabilities do. This is also a good way to descry any suspicious exertion and helps you to counterblockade unwanted lines. Luckily, there are plenitude of anti-malware software operations available, the most popular bones being ClamAV and CXS. Sure, there might be some false positive cases, but as the saying goes, it's far better to be safe than sorry.

6. Cover Against Critter-force Attacks

As we mentioned preliminarily, brute-force attacks occur when hackers discover weak passwords, giving the bushwhacker full access to your VPS. Unfortunately, it's not enough presently just to have a strong password. You also need tools that can help you descry brute-force attacks and block unwanted logins from passing. cPhulk, a point that's integrated within cPanel, is a perfect illustration. cPhulk helps block logins after several failed login attempts and blocks not only cPanel logins but also WHM, FTP, and dispatch-grounded bones.

7. Control User access

In the search for VPS security, you may decide how you'd like control to be distributed. In other words, the fields where your users can operate. Besides setting the different file warrants, you might want to consider taking a look at tools like SELinux (available with Red Hat Enterprise), which allows you to control process initializations, network interfaces, lines, and file systems along with stoner-operation access.

8. Keep Calm And Perform Backups

Not just for VPS Hosting, backups (or better yet, automatic backups) are crucial for every type of hosting. Immaculately, backups should be performed outside the server, just in case commodity goes wrong with your server. Although some providers vend provisory functionality as a fresh service, Namecheap offers server backups for all types of management. However, we recommend Full Operation for VPS Hosting if you're interested in offsite storehouse.

9. Use SSL Certificates For Everything

SSL certificates help you produce a translated channel between the server and customer to insure that nothing disrupts your sequestration. In order to keep your sensitive data safe, SSL certificates are pivotal to every type of hosting, whether that's transmitting lines, transferring emails or entering your login details. To rightly apply SSL certificates, still, some specialized know-style is needed. In this case, it's worth it to hire a system director to arrange everything for you and give you added peace of mind.

What is the easiest way to create an image of an existing running Windows 10 or Windows Server system?

Posted: 04 Jan 2022 12:16 AM PST

For the purposes of, let's say, moving it to a cloud location?

I do recall doing it for a client, transplanting them to Azure, but I don't recall how they created an image. Azure simply had an interface to create an OS from an image we were supplying.

Windows 10, Windows Server or even Windows 7 - each option would be interesting.

Frontend HTTPS access to HTTP backend in nginx

Posted: 04 Jan 2022 02:03 AM PST

I have a frontend in Angular which supports HTTPS, while I have a backend on port 10080 which supports HTTP. I tried a few ways of reverse proxying in the nginx configuration file, but it still faces the same issues.

When I try this method I always get the error "Access to XMLHttpRequest at 'https://example.com:30080/api/remoteControl/getactiveusers' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."

server {
    listen 443 ssl;
    server_name  _;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    root   /usr/share/nginx/html;
    index  index.html index.htm;
    include /etc/nginx/mime.types;

    gzip on;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    ssl_certificate "xxx.crt";
    ssl_certificate_key "xxx.key";
    ssl_session_timeout 1d;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling off;

    location / {
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
            add_header Content-Type text/plain;
            add_header Content-Length 0;
            return 204;
        }
        add_header 'Access-Control-Allow-Origin' *;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

        try_files $uri $uri/ /index.html;
    }
    location ~* \.(eot|ttf|woff|woff2)$ {
        add_header Access-Control-Allow-Origin *;
    }
}
server {
    listen       10080 ssl http2;
    server_name  _;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_certificate "xxxx.crt";
    ssl_certificate_key "xxx.key";
    ssl_session_timeout 1d;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    location / {
        proxy_pass "http://backend:80" ;
        proxy_set_header Connection Keep-alive;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
#       proxy_set_header X-Forwarded-Host $host;
#       proxy_hide_header X-Frame-Options;
        proxy_buffers 4 256k;
        proxy_buffer_size 128k;
        proxy_busy_buffers_size 256k;
    }
}

Does anyone know how to solve this?

Thanks

Local Security Authority Process lsass.exe high cpu - not freeing cpu. windows server 2019 [closed]

Posted: 04 Jan 2022 01:17 AM PST

Thanks for the reception. Why did you people vote it down? If something is wrong with my answer, please help me and tell me what it is....

Local Security Authority Process lsass.exe high cpu - not freeing cpu.

Windows server 2019.

.NET 4.5 that uses the advapi32.dll LogonUser method to perform an impersonated task...

In our Server 2016 everything is working fine! (screenshot: left 2016 server, right 2019 server)

After some time the server crashes!

And after we recycle the pools in IIS we can see in Event Viewer a lot of "Audit Success Logoff" events and the CPU is freed.

Any idea??? HELP!

Thanks.

VMware OVFtool export fails with error "Failed to create directory"

Posted: 04 Jan 2022 03:58 AM PST

I am trying to export a VM using OVFtool running on a Windows server:

ovftool.exe --allowExtraConfig  --noImageFiles --noSSLVerify "vi://xx.xx.xx.xx/myVM"    "c:\myPath"
Enter login information for source vi://xx.xx.xx.xx/
Username: myid
Password: ************
Opening VI source: vi://myid@xx.xx.xx.xx:443/myVM
Opening OVF target: "C:\mypath"
Error: Failed to create directory: "c:\myPath"
Warning:
 - ExtraConfig option 'nvram' is not allowed, will skip it.
 - ExtraConfig options exists in source.

I interrogated vi://myid@xx.xx.xx.xx with

ovftool.exe --noSSLVerify "vi://xx.xx.xx.xx/"

and determined that the source path "vi://myid@xx.xx.xx.xx:443/myVM" is valid.

I have permissions to create the target path.

I tried all conceivable OVFtool options (--noSSLVerify --allowAllExtraConfig --noImageFiles) without much avail.

I also ensured there aren't any CD drives on my VMs pointing to images.

How do I debug this?

Any inputs welcome

Thanks

Yogesh

Samba/Winbind domain member authentication issue

Posted: 04 Jan 2022 02:31 AM PST

In setting up a new Linux Samba fileserver as an AD member I keep running into an issue with authentication.

It appears to be triggered by running with SELinux in Enforcing mode after joining AD, but it doesn't go away if I turn off SELinux with setenforce 0 or reboot with SELINUX=permissive in the SELinux config, at least not for an hour or so.

On the first test VM I set up with the same distro, setup steps and updates, it has been working OK consistently, but right now I'm running into this auth issue on and off on the server I'm setting up for production use.

This is on Rocky Linux 8.5 and Samba 4.14.5.

smb.conf mostly has default settings in [global], and I set up a public [testshare]:

[global]
security = ads
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = no
cups options = raw
kerberos method = secrets and keytab
template homedir = /home/%U@%D
template shell = /bin/bash
idmap config ADOMAIN : range = 2000000-2999999
idmap config ADOMAIN : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes

# Allow guest access for public share without password
map to guest = bad user

# these should be set to no for prod use
winbind enum groups = yes
winbind enum users = yes

# Mac tweaks for ACLs
map acl inherit = Yes
store dos attributes = Yes

# Mac tweaks for Apple Resource forks
vfs objects = fruit streams_xattr
fruit:aapl = yes
fruit:time machine = no
fruit:resource = xattr
fruit:nfs_aces = no
fruit:model = MacSamba
workgroup = ADOMAIN
realm = ADOMAIN.LAN

[testshare]
path = /mnt/data01/smb/testshare
browsable = yes
writable = yes
guest ok = yes
read only = no

The domain join was done with:

realm join --membership-software=samba --client-software=winbind adomain.lan

Kerberos auth keeps working OK:

wbinfo -K user  

This one also works:

getent passwd ADOMAIN\\user  

But the following fail:

smbclient -L localhost -U guest%
wbinfo -a user
smbclient -d 3 //localhost/testshare -U user

The last one spits out this:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface ens192 ip=10.18.100.102 bcast=10.18.103.255 netmask=255.255.252.0
Client started (version 4.14.5).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Enter ADOMAIN\user's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GSE to 'localhost' does not make sense
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED

The audit log normally does not show any AVC denied errors. I tried turning off the dontaudit rules and allowed the AVC denied messages that turned up but that didn't help.

Do I need to give up on SELinux to get this stable? Any other tips?

Azure Stack REST APIs

Posted: 04 Jan 2022 02:09 AM PST

We are looking for Azure Stack resource REST APIs. We want to handle Azure Stack resources like resource groups, virtual machines, VNets, subnets, etc. using REST APIs. Can anyone point us to a link or document where we can get all these APIs?

How to send notifications to Teams using an Azure DevOps pipeline?

Posted: 04 Jan 2022 02:12 AM PST

I saw there is a Teams app for Azure Pipelines, and while adding it, it asks for complete pipeline access for the group we add it to.

Instead of using this, I just want to send a notification to a Teams group or individual users that a build has succeeded or failed.

Can anyone please guide me on how to do that?

Maybe a pipeline step at the end would also be feasible.

Managing Firewall Rules for Azure Analysis Services

Posted: 04 Jan 2022 03:39 AM PST

My customer (a legal firm) has an Azure Analysis Services database. Access to the model is tightly controlled to prevent leakage of confidential data. Employees who need to access the model whilst working from home can only do so if their public IP address has been whitelisted by adding a firewall rule to the server. However, the company VPN software (which is always on and cannot be disabled by users) assigns a new IP address each time they log on, which means the firewall rules need constant updating.

Is there an easier way to maintain/update the firewall rules in such a scenario? I don't know the specifics of the VPN software, so I'm not sure to what extent it can assign the same IP address to each user.

Enable SSL/LDAPS in openLDAP 2.4 on Ubuntu 16.04.5 LTS - ldap_result: Can't contact LDAP server (-1)

Posted: 04 Jan 2022 03:06 AM PST

I have the following problem and have been googling for weeks now. Because I've really no clue where the problem is, I'm asking my question here in the hope of finding some LDAP or SSL genius :)

I have a working OpenLDAP server with a stand-alone client machine (both running Ubuntu 16.04.5). The connection works fine. Now I'd like to secure the connection using LDAPS.

First I've changed SLAPD_SERVICES in /etc/default/slapd from

ldap:/// ldapi:///

to

ldap:/// ldaps:/// ldapi:///

Then I've created my own CA with a self-signed certificate and an LDAP server key, CSR and CRT (signed by the CA I've built).

I've added my own ca.crt to the trusted certs by copying it to

/usr/local/share/ca-certificates/

and executing this command:

sudo update-ca-certificates

I've copied the ca.crt, the ldap.key and the ldap.crt to /etc/ldap/ssl/files and made them owned by openldap (chown & chgrp).

After I'd done this I followed the tutorial (https://www.server-world.info/en/note?os=Debian_9&p=openldap&f=4) to create a mod_ssl.ldif:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/files/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/files/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/files/ldap.key

After creating the LDIF I wanted to add it to my config using this command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif

The output of this command is:

root@ldap-server:/etc/ldap/schema# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_result: Can't contact LDAP server (-1)


After this command my slapd was dead. (--> I checked open ports with netstat -tulpan before executing this command and after executing it.)

I restarted slapd with /etc/init.d/slapd restart.

I enabled logging of slapd with loglevel -1.

To my understanding the logs are totally clean and show no issues.

tail -f /var/log/syslog

Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: slap_listener_activate(11):
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 busy
Oct 19 08:59:17 ldap-server slapd[1464]: >>> slap_listener(ldapi:///)
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: listen=11, new connection on 16
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: added 16r (active) listener=(nil)
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 fd=16 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 2 descriptors
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:  16r
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: read active on 16
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16)
Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16): got connid=1001
Oct 19 08:59:17 ldap-server slapd[1464]: connection_read(16): checking for input on id=1001
Oct 19 08:59:17 ldap-server slapd[1464]: op tag 0x60, time 1539932357
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 do_bind
Oct 19 08:59:17 ldap-server slapd[1464]: >>> dnPrettyNormal: <>
Oct 19 08:59:17 ldap-server slapd[1464]: <<< dnPrettyNormal: <>, <>
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="" method=163
Oct 19 08:59:17 ldap-server slapd[1464]: do_bind: dn () SASL mech EXTERNAL
Oct 19 08:59:17 ldap-server slapd[1464]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
Oct 19 08:59:17 ldap-server slapd[1464]: SASL Canonicalize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Oct 19 08:59:17 ldap-server slapd[1464]: slap_sasl_getdn: conn 1001 id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55]
Oct 19 08:59:17 ldap-server slapd[1464]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
Oct 19 08:59:17 ldap-server slapd[1464]: <==slap_sasl2dn: Converted SASL name to <nothing>
Oct 19 08:59:17 ldap-server slapd[1464]: SASL Canonicalize [conn=1001]: slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Oct 19 08:59:17 ldap-server slapd[1464]: SASL proxy authorize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Oct 19 08:59:17 ldap-server slapd[1464]: SASL Authorize [conn=1001]:  proxy authorization allowed authzDN=""
Oct 19 08:59:17 ldap-server slapd[1464]: send_ldap_sasl: err=0 len=-1
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
Oct 19 08:59:17 ldap-server slapd[1464]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
Oct 19 08:59:17 ldap-server slapd[1464]: send_ldap_response: msgid=1 tag=97 err=0
Oct 19 08:59:17 ldap-server kernel: [ 1801.480222] slapd[1468]: segfault at 35 ip 00007f1093e55360 sp 00007f104bffc268 error 4 in libgmp.so.10.3.0[7f1093e41000+7f000]
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 RESULT tag=97 err=0 text=
Oct 19 08:59:17 ldap-server slapd[1464]: <== slap_sasl_bind: rc=0
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:  16r
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: read active on 16
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16)
Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16): got connid=1001
Oct 19 08:59:17 ldap-server slapd[1464]: connection_read(16): checking for input on id=1001
Oct 19 08:59:17 ldap-server slapd[1464]: op tag 0x66, time 1539932357
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 do_modify
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 do_modify: dn (cn=config)
Oct 19 08:59:17 ldap-server slapd[1464]: >>> dnPrettyNormal: <cn=config>
Oct 19 08:59:17 ldap-server slapd[1464]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 modifications:
Oct 19 08:59:17 ldap-server slapd[1464]: #011add: olcTLSCACertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 33
Oct 19 08:59:17 ldap-server slapd[1464]: #011replace: olcTLSCertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 35
Oct 19 08:59:17 ldap-server slapd[1464]: #011replace: olcTLSCertificateKeyFile
Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 35
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD dn="cn=config"
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCACertificateFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCACertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCACertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access to "cn=config" "olcTLSCertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to all values by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: delete access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateKeyFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access to "cn=config" "olcTLSCertificateKeyFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateKeyFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to all values by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: delete access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateKeyFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCertificateKeyFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateKeyFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: slap_queue_csn: queueing 0x7f104bffc340 20181019065917.048487Z#000000#000#000000
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "objectClass"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "cn"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcArgsFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcLogLevel"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcPidFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcToolThreads"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "structuralObjectClass"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "entryUUID"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "creatorsName"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "createTimestamp"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCACertificateFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCertificateFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCertificateKeyFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "entryCSN"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "modifiersName"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "modifyTimestamp"
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero

And last but not least, here is the output of my

netstat -tulpan

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1535/slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1535/slapd

UPDATE: I configured my ldap-client machine to use ldaps (before configuring ldaps everything worked fine via ldap :389):

  1. Added the CA.crt from the LDAP server and trusted it as described above
  2. Changed /etc/ldap/ldap.conf and added the path to the new trusted CA.crt
  3. Changed /etc/ldap.conf to use ldaps and uncommented the line ssl start_tls
  4. Changed the LDAP URI by executing the command sudo dpkg-reconfigure ldap-auth-config

I restarted the client machine and opened a tcpdump on my LDAP server listening for the IP of the client and all connections in the port range 389-636:

10:00:27.149772 IP ldap-client.52803 > ldap-server.ldaps: Flags [S], seq 1684570111, win 29200, options [mss 1460,sackOK,TS val 4294902186 ecr 0,nop,wscale 7], length 0
10:00:27.149813 IP ldap-server.ldaps > ldap-client.52803: Flags [S.], seq 3586026827, ack 1684570112, win 28960, options [mss 1460,sackOK,TS val 1292850 ecr 4294902186,nop,wscale 7], length 0
10:00:27.149924 IP ldap-client.52803 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902186 ecr 1292850], length 0
10:00:27.151549 IP ldap-client.52803 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902186 ecr 1292850], length 117
10:00:27.151567 IP ldap-server.ldaps > ldap-client.52803: Flags [.], ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902186], length 0
10:00:27.151949 IP ldap-server.ldaps > ldap-client.52803: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902186], length 0
10:00:27.152095 IP ldap-client.52803 > ldap-server.ldaps: Flags [.], ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
10:00:27.152157 IP ldap-client.52803 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
10:00:27.152174 IP ldap-server.ldaps > ldap-client.52803: Flags [.], ack 119, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
10:00:27.152288 IP ldap-client.52804 > ldap-server.ldaps: Flags [S], seq 1697088540, win 29200, options [mss 1460,sackOK,TS val 4294902187 ecr 0,nop,wscale 7], length 0
10:00:27.152305 IP ldap-server.ldaps > ldap-client.52804: Flags [S.], seq 2792459463, ack 1697088541, win 28960, options [mss 1460,sackOK,TS val 1292850 ecr 4294902187,nop,wscale 7], length 0
10:00:27.152360 IP ldap-client.52804 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
10:00:27.152502 IP ldap-client.52804 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 117
10:00:27.152512 IP ldap-server.ldaps > ldap-client.52804: Flags [.], ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
10:00:27.152909 IP ldap-server.ldaps > ldap-client.52804: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
10:00:27.152998 IP ldap-client.52804 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
10:00:27.153010 IP ldap-server.ldaps > ldap-client.52804: Flags [.], ack 119, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
10:00:28.153396 IP ldap-client.52805 > ldap-server.ldaps: Flags [S], seq 592612370, win 29200, options [mss 1460,sackOK,TS val 4294902437 ecr 0,nop,wscale 7], length 0
10:00:28.153437 IP ldap-server.ldaps > ldap-client.52805: Flags [S.], seq 1983710944, ack 592612371, win 28960, options [mss 1460,sackOK,TS val 1293101 ecr 4294902437,nop,wscale 7], length 0
10:00:28.153580 IP ldap-client.52805 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 0
10:00:28.153759 IP ldap-client.52805 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 117
10:00:28.153767 IP ldap-server.ldaps > ldap-client.52805: Flags [.], ack 118, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
10:00:28.154285 IP ldap-server.ldaps > ldap-client.52805: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
10:00:28.154413 IP ldap-client.52805 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 0
10:00:28.154423 IP ldap-server.ldaps > ldap-client.52805: Flags [.], ack 119, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
^C
513 packets captured
513 packets received by filter
0 packets dropped by kernel
61 packets dropped by interface

I hope someone knows my problem and can help me :) Kind regards, Tabby
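A loglevel -1 slapd trace is long enough that a single line from a different process (the kernel) is easy to overlook while reading the daemon's own chatter. As an added example, not part of the post above and not the asker's tooling, here is a small Python triage script that reads a syslog stream, extracts every kernel segfault line for a slapd process, and reports the last LDAP operation slapd logged before it together with the cn=config attributes each connection modified. The sample lines are copied from the excerpt above; the hundreds of daemon/epoll/acl lines between them are left out.

```python
"""Triage a verbose (loglevel -1) slapd syslog stream for crash evidence.

Added example, not the asker's tooling: it pulls any kernel segfault line for a
slapd process out of the noise and pairs it with the last LDAP operation logged
before it, plus the cn=config attributes each connection modified."""
import re
from collections import defaultdict

# kernel: [ 1801.480222] slapd[1468]: segfault at 35 ip ... error 4 in libgmp.so.10.3.0[...]
KERNEL_SEGFAULT = re.compile(
    r"kernel: \[\s*[\d.]+\] slapd\[(?P<pid>\d+)\]: segfault at (?P<addr>\S+) "
    r"ip \S+ sp \S+ error (?P<err>\d+) in (?P<lib>[^\[]+)\["
)
# slapd[1464]: conn=1001 op=0 BIND dn="" method=163
OPERATION = re.compile(
    r"slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"(?P<kind>BIND|MOD|ADD|DEL|SRCH|RESULT|UNBIND)(?P<rest>.*)$"
)
# slapd[1464]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile ...
MOD_ATTRS = re.compile(r"conn=(?P<conn>\d+) op=\d+ MOD attr=(?P<attrs>.+)$")

# Sample input: a handful of lines copied from the syslog excerpt in the post.
SAMPLE_SYSLOG = """\
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 fd=16 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="" method=163
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
Oct 19 08:59:17 ldap-server kernel: [ 1801.480222] slapd[1468]: segfault at 35 ip 00007f1093e55360 sp 00007f104bffc268 error 4 in libgmp.so.10.3.0[7f1093e41000+7f000]
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 RESULT tag=97 err=0 text=
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD dn="cn=config"
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
""".splitlines()


def find_crashes(lines):
    """Return one record per kernel segfault line for slapd, each carrying the
    last conn/op/kind slapd logged before the crash (None if there was none)."""
    crashes = []
    last_op = None
    for line in lines:
        op = OPERATION.search(line)
        if op:
            last_op = {"conn": op["conn"], "op": op["op"],
                       "kind": op["kind"], "detail": op["rest"].strip()}
            continue
        crash = KERNEL_SEGFAULT.search(line)
        if crash:
            crashes.append({"pid": crash["pid"], "lib": crash["lib"],
                            "addr": crash["addr"], "last_op": last_op})
    return crashes


def config_modifications(lines):
    """Map connection id -> attributes changed by MOD operations on that connection."""
    changes = defaultdict(list)
    for line in lines:
        m = MOD_ATTRS.search(line)
        if m:
            changes[m["conn"]].extend(m["attrs"].split())
    return dict(changes)


if __name__ == "__main__":
    for c in find_crashes(SAMPLE_SYSLOG):
        print(f"slapd pid {c['pid']} segfaulted in {c['lib']} (fault addr {c['addr']}); "
              f"last operation before the crash: {c['last_op']}")
    print("attributes modified per connection:", config_modifications(SAMPLE_SYSLOG))
```

Run it against a saved copy of /var/log/syslog (`find_crashes(open(path).readlines())`) rather than against the live tail; the point of the script is that the crash line belongs to a worker thread's PID (1468 in the excerpt), not to the main daemon PID (1464) that the rest of the trace is filtered on, so a grep on the daemon PID alone never shows it.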

Office 365 In-Place Hold preventing me from deleting user

Posted: 04 Jan 2022 02:00 AM PST

I am using AD Connect to synchronize my on-premises Active Directory to our Office 365 tenant. I tried disabling a user from on-premises and then synchronizing to O365. However, it seems to have broken everything because nothing is synchronizing any longer and the user still exists in O365.

When I open the user properties in O365 admin, I see the following error:

Exchange: An unknown error has occurred. Refer to correlation ID: 769ccf2f-bd09-4651-801e-983aaeaace7f;

If I try to run Get-MsolUser I get the following error:

Exchange can't disable the mailbox "ZZZZ.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/domain.onmicrosoft.com/UserName" because it is on In-Place Hold.

I can't find any In-Place Hold policy active and I can't seem to be able to delete this user. I even tried running Remove-MailUser and got the error:

The operation couldn't be performed because object 'user@domain.com' couldn't be found on 'YYYY.ZZZZ.PROD.OUTLOOK.COM'.

Apache HTTPd 2.2 is ignoring LocationMatch regex

Posted: 04 Jan 2022 01:03 AM PST

I am trying to create a reverse proxy that matches every URL except one in Apache 2.2. It works on Apache 2.4 (CentOS 7), but not in Apache 2.2 (CentOS 6.6) ...

# Do not modify this
<LocationMatch "^/my-website-2">
        ProxyPass http://X.X.X.X:PORT/my-website-2
        ProxyPassReverse http://X.X.X.X:PORT/my-website-2
        (...)
</LocationMatch>

# Match every URL except the one finishing with /redirect
<LocationMatch "^/my-website(?!/redirect)">
        ProxyPass http://X.X.X.X:PORT/my-website
        ProxyPassReverse http://X.X.X.X:PORT/my-website
        AuthType XXX
        RequestHeader set XXX YYY
        (...)
</LocationMatch>

# Apply other directives to this URL only, the one finishing with /redirect
<Location "/my-website/redirect">
        AuthType XXX
        (...)
</Location>

My server is looking for /var/www/html/my-website (that doesn't exist) when I type https://my-server.com/my-website because the regex doesn't match ^/my-website(?!/redirect)

I know that Apache 2.2 doesn't understand every negative PCRE regex but it seems that some tricks exist... See :

Then I tried a simple regex:

<LocationMatch "/my-website(.*)">  

... and it appears that it is not even interpreted as PCRE ... With this configuration, if I type /my-website(.*) literally in the URL, it works.

Same behaviour with (From http://httpd.apache.org/docs/2.2/en//mod/core.html#locationmatch) :

<LocationMatch "/(extra|special)/data">  

... I need to type http://my-server.com/(extra|special)/data in the URL bar of the browser.

Does Apache HTTPd 2.2 need an additional package to understand PCRE in LocationMatch?

Installed packages:

httpd.x86_64            2.2.15-60.el6.centos.6
apr.x86_64              1.3.9-5.el6_9.1 @Default_Organization_CentOS_6_CentOS_6_Update_x86_64
apr-util.x86_64         1.3.9-3.el6_0.1 @in-std
pcre.x86_64             7.8-7.el6       @Default_Organization_CentOS_6_CentOS_6_Base_x86_64
pcre-devel.x86_64       7.8-7.el6       @Default_Organization_CentOS_6_CentOS_6_Base_x86_64

Weird ...

Thanks

Connecting to remote server failed with the following error message : The user name or password is incorrect

Posted: 04 Jan 2022 04:05 AM PST

I am trying to connect PowerShell remotely to an Exchange server. This is to a separate AD Domain. (Connecting domainA to domainB) I can connect from domainA to servers on other domains just fine. I receive the following error:

PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred
New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : The user name or password is incorrect. For more
information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : LogonFailure,PSSessionOpenFailed

This isn't specific to this server, I get the same results to two other servers in the same domain.

My username is in UPN format, me@domainB.tld. If I use domainB\me I get the following error:

PS Y:\Personal\scripts> $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server1.domainB.tld/PowerShell/ -Authentication Kerberos -Credential $cred
New-PSSession : [server1.domainB.tld] Connecting to remote server server1.domainB.tld failed with the following error message : WinRM cannot process the request. The following
error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri ht ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed

I've also tried connecting to domainB from other domains and receive the same results. I assume there is a permission somewhere that needs to be set, but I'm not sure what.

wsman:\localhost\client\trustedhosts is set to the correct values

I can RDP in with the same credentials no problem, so I know my credentials are valid. I'm also a domain admin. Servers are Windows 2012 R2.

PSRemoting is enabled

[PS] D:\>Enable-PSRemoting -Force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.

PSSessionConfiguration

Name          : microsoft.powershell
PSVersion     : 4.0
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell.workflow
PSVersion     : 4.0
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell32
PSVersion     : 4.0
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.windows.servermanagerworkflows
PSVersion     : 3.0
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

In addition, I tried remoting from a server in domainB to server1.domainB and it works fine. So it has something to do with connecting from outside of the domain.

Test auth in IIS works fine

Removing -Authentication Kerberos or using Negotiate also results in errors

wsman trustedhosts - Added FQDN of client to server. Added FQDN and IP of server to client. No change.

What do I need to fix to be able to remote in here?

SSH issue - Disconnecting: Received data for nonexistent channel 0

Posted: 04 Jan 2022 02:44 AM PST

The log below is from the SSHD server when the SSH client is trying to connect. I'm sure that I have the correct SSH key. I just compared two RHEL5 servers. As I read it, this means that the server closed the connection for some reason. But any suggestions on how to solve the issue and find the root cause?

Jul 29 20:12:11 sshd[13259]: subsystem request for sftp
Jul 29 20:12:11 sshd[13259]: channel_by_id: 0: bad id: channel free
Jul 29 20:12:11 sshd[13259]: Disconnecting: Received data for nonexistent channel 0.

OS: RHEL 5.11, SSHD service: default

Moving a lot of files with robocopy and 7zip

Posted: 04 Jan 2022 02:00 AM PST

With the help of StackOverflow and a number of other places I've created the following script. The purpose is to look at a folder and its subdirectories; if the files are older than 32 days, move them to another folder and zip that folder. If the zipped folder is older than 366 days, delete it.

I believe the script works well on a smaller scale with a couple hundred files, but the issue I'm facing is that there's now 12 months' worth of data in these directories that I need to analyse. There are about 8 folders with an average of 500,000 files in each, all around 1 KB to 2 KB in size.

Additionally I'm expecting to have an issue where all the files from the last 12 months will be added to the same archive, rather than an individual archive for each date.

What are my options for optimising this? I understand I have probably done this incorrectly.

Script below:

@echo off
if not exist c:\7za920\7za.exe goto end
SET LOGS=C:\logs
SET TEMP=C:\temp
SET ARCHIVE=C:\archive
SET DELETEDARCHIVE=C:\deletedarchive
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
For /f "tokens=1-2 delims=/:" %%a in ('time /t') do (set mytime=%%a%%b)
ROBOCOPY %LOGS% %TEMP% /move /minage:32 /MT:32
for  %%X in (%TEMP%\*.*) do "c:\7za920\7za.exe" a -tzip "%ARCHIVE%\%mydate%_%mytime%_ARCHIVE.zip" "%%X"
ROBOCOPY %ARCHIVE% %DELETEDARCHIVE% /move /minage:366
del %DELETEDARCHIVE% /q
:end
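The script above spawns one 7za process per file and names the archive after the run date rather than the file date, which is why a backlog lands in a single zip. As an added example, not the asker's script and not a drop-in replacement for it, here is a Python (stdlib only) version of the same two-step job that groups aged files by their own modification date, writes one zip per day with a single ZipFile handle, deletes the sources only after that day's archive is closed, and then expires archives older than the retention period. The directory layout, the 32/366-day thresholds and the `run_demo` sample tree are assumptions; `run_demo` builds constructed files in a temporary directory so the whole flow can be exercised without touching real logs.

```python
"""Archive files older than N days into one zip per modification date, then
expire old archives. Added example with assumed paths and thresholds; stdlib only."""
import os
import tempfile
import time
import zipfile
from datetime import datetime
from pathlib import Path

MOVE_AFTER_DAYS = 32      # same threshold as /minage:32 in the batch script
DELETE_AFTER_DAYS = 366   # same threshold as /minage:366
DAY = 86400


def archive_old_files(logs_dir, archive_dir, now=None, min_age_days=MOVE_AFTER_DAYS):
    """Move every file under logs_dir (recursively) older than min_age_days into
    archive_dir/<YYYY-MM-DD>_ARCHIVE.zip, keyed by the file's own modification date.
    Returns {archive_name: number_of_files_added}."""
    now = time.time() if now is None else now
    cutoff = now - min_age_days * DAY
    logs_dir, archive_dir = Path(logs_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    by_day = {}
    for path in logs_dir.rglob("*"):
        if path.is_file() and path.stat().st_mtime < cutoff:
            day = datetime.fromtimestamp(path.stat().st_mtime).strftime("%Y-%m-%d")
            by_day.setdefault(day, []).append(path)
    added = {}
    for day, paths in sorted(by_day.items()):
        zip_path = archive_dir / f"{day}_ARCHIVE.zip"
        # one ZipFile handle per day instead of one 7za process per file;
        # append mode lets a re-run add to the existing day's archive
        with zipfile.ZipFile(zip_path, "a", compression=zipfile.ZIP_DEFLATED) as zf:
            for p in paths:
                zf.write(p, arcname=p.relative_to(logs_dir).as_posix())
        # delete the sources only after the archive is closed and complete on disk
        for p in paths:
            p.unlink()
        added[zip_path.name] = len(paths)
    return added


def expire_archives(archive_dir, now=None, max_age_days=DELETE_AFTER_DAYS):
    """Delete *_ARCHIVE.zip files older than max_age_days; return their names."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    deleted = []
    for zip_path in Path(archive_dir).glob("*_ARCHIVE.zip"):
        if zip_path.stat().st_mtime < cutoff:
            zip_path.unlink()
            deleted.append(zip_path.name)
    return sorted(deleted)


def run_demo():
    """Exercise both steps on a constructed tree in a temp dir (sample data, not real logs)."""
    now = time.time()
    root = Path(tempfile.mkdtemp(prefix="archive-demo-"))
    logs, archive = root / "logs", root / "archive"
    (logs / "app").mkdir(parents=True)
    archive.mkdir()
    samples = {"app/a.log": 40, "app/b.log": 40, "c.log": 45, "fresh.log": 1}  # age in days
    for rel, age in samples.items():
        f = logs / rel
        f.write_text("constructed sample\n")
        os.utime(f, (now - age * DAY, now - age * DAY))
    old_zip = archive / "2020-01-01_ARCHIVE.zip"   # constructed archive past retention
    with zipfile.ZipFile(old_zip, "w"):
        pass
    os.utime(old_zip, (now - 400 * DAY, now - 400 * DAY))

    added = archive_old_files(logs, archive, now=now)
    deleted = expire_archives(archive, now=now)
    remaining = sorted(p.name for p in logs.rglob("*") if p.is_file())
    return {
        "archives_created": len(added),
        "files_per_archive": sorted(added.values()),
        "remaining": remaining,
        "deleted": deleted,
    }


if __name__ == "__main__":
    print(run_demo())
```

For the 8 x 500,000-file volume in the question the win is that each day's files are streamed into one archive in a single pass, and that a crash mid-run leaves the sources in place rather than half-moved into a temp folder.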

Test whether mod_security is actually working

Posted: 04 Jan 2022 02:39 AM PST

I'm running this on my staging server for the first time and I think I did everything correctly. I can see entries in modsec_audit.log when I run nikto2 against it, but for the life of me I can't manually make mod_security block anything. I've dropped SQL into URLs, into forms, etc., and I just got our typical user-friendly HTML 404 page, not a block from mod_security, which should be a 403 error or an outright block.

I'm worried that it's only detecting and not stopping. I've checked my config and it's definitely set to stop attacks, not just detect them. Any idea how I can verify this thing is actually blocking attacks? Does anyone have a test URL or something I can do that will prove to me that it's actually working?

Draytek SSL VPN connection incorrect subnet mask and gateway

Posted: 04 Jan 2022 01:03 AM PST

I have a remote machine connecting to our office LAN through a Draytek 2930 router in our office with a fixed IP (FW 3.3.0). I have set it up to use SSL VPN with the Draytek SmartVPN client software on the remote machine, connecting with a username and password. SmartVPN connects successfully to the router, giving a green VPN light and status "connected" on the client. The router shows the connection as well. ipconfig /all on the remote machine is below.

The question is: why can I not ping any other work machine other than the router 192.168.10.1? Ultimately I want to connect to intranets and via Samba to local shares, but let's start with ping. I suspect it is to do with the subnet mask and default gateway being incorrect on the DraySSLTunnel adapter, but I don't know where to set them. The IP address comes from the router's inbuilt DHCP server, but I can't see where to specify the subnet mask or gateway for VPN connections.

Thanks, Adrian


>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : george
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

PPP adapter DraySSLTunnel:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : DraySSLTunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.102(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-FC-38-2E-7E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : A0-B3-CC-E0-0F-09
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e826:4ba1:372f:3c53%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.75(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 245412812
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-E0-C7-A9-A0-B3-CC-E0-0F-09
   DNS Servers . . . . . . . . . . . : fe80::9e97:26ff:fe22:5ef2%11
                                       192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{7CB34103-4A28-490C-B49E-97A61AA607A0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:10fb:1320:3f57:f599(Preferred)
   Link-local IPv6 Address . . . . . : fe80::10fb:1320:3f57:f599%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{FC382E7E-EA41-4983-8BD7-A75FD0081F41}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{C7E8EB1B-A1CC-4442-8806-9D444AEDFB5F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Can not switch drbd to secondary

Posted: 04 Jan 2022 01:18 AM PST

I'm running drbd83 with ocfs2 on CentOS 5 and planning to use Pacemaker with them. After some time, I'm facing a DRBD split-brain problem.

version: 8.3.13 (api:88/proto:86-96)
GIT-hash: 83ca112086600faacab2f157bc5a9324f7bd7f77 build by mockbuild@builder10.centos.org, 2012-05-07 11:56:36

 1: cs:StandAlone ro:Primary/Unknown ds:UpToDate/DUnknown   r-----
    ns:0 nr:0 dw:112281991 dr:797551 al:99 bm:6401 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:60

I can't switch my drbd to secondary.

drbdadm secondary r0
1: State change failed: (-12) Device is held open by someone
Command 'drbdsetup 1 secondary' terminated with exit code 11

My drbd resource config:

resource r0 {
        syncer {
                rate 1000M;
                verify-alg sha1;
        }

        disk {
                on-io-error detach;
        }

        handlers {
                pri-lost-after-sb "/usr/lib/drbd/notify-split-brain.sh root";
        }

        net {
                allow-two-primaries;
                after-sb-0pri discard-younger-primary;
                after-sb-1pri call-pri-lost-after-sb;
                after-sb-2pri call-pri-lost-after-sb;
        }
        startup { become-primary-on both; }

        on serving_4130 {
                device          /dev/drbd1;
                disk            /dev/sdb1;
                address         192.168.4.130:7789;
                meta-disk       internal;
        }
        on MT305-3182 {
                device          /dev/drbd1;
                disk            /dev/xvdb1;
                address         192.168.3.182:7789;
                meta-disk       internal;
        }
}

Status of ocfs2:

service ocfs2 status
Configured OCFS2 mountpoints:  /data

lsof shows that there is one process related to drbd.

lsof | grep drbd
COMMAND     PID      USER   FD      TYPE             DEVICE     SIZE       NODE NAME
drbd1_wor  7782      root  cwd       DIR              253,0     4096          2 /
drbd1_wor  7782      root  rtd       DIR              253,0     4096          2 /
drbd1_wor  7782      root  txt   unknown                                        /proc/7782/exe

And it's a dead symlink:

# ls -l /proc/7782/exe
ls: cannot read symbolic link /proc/7782/exe: No such file or directory
lrwxrwxrwx 1 root root 0 May  4 09:56 /proc/7782/exe

# ps -ef | awk '$2 == "7782" { print $0 }'
root      7782     1  0 Apr22 ?        00:00:20 [drbd1_worker]

Notice that this process is wrapped in square brackets:

man ps:

args       COMMAND  command with all its arguments as a string. Modifications to the arguments may be shown. The
                    output in this column may contain spaces. A process marked <defunct> is partly dead, waiting to
                    be fully destroyed by its parent. Sometimes the process args will be unavailable; when this
                    happens, ps will instead print the executable name in brackets.

So, the final question is: how can we manually recover DRBD in this case without rebooting?


Reply to @andreask:

My partition table:

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       35G  6.9G   27G  21% /
/dev/xvda1             99M   20M   74M  22% /boot
tmpfs                 1.0G     0  1.0G   0% /dev/shm
/dev/drbd1            100G  902M  100G   1% /data

The device names:

# dmsetup ls --tree -o inverted
 (202:2)
 ├─VolGroup00-LogVol01 (253:1)
 └─VolGroup00-LogVol00 (253:0)

Pay attention to the block device (253:0); it is the same as in the output of lsof:

# lvdisplay
  --- Logical volume ---
  LV Name                /dev/VolGroup00/LogVol00
  VG Name                VolGroup00
  LV UUID                vCd152-amVZ-GaPo-H9Zs-TIS0-KI6j-ej8kYi
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                35.97 GB
  Current LE             1151
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0

Reply to @Doug:

# vgdisplay
  --- Volume group ---
  VG Name               VolGroup00
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  3
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                2
  Open LV               2
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               39.88 GB
  PE Size               32.00 MB
  Total PE              1276
  Alloc PE / Size       1276 / 39.88 GB
  Free  PE / Size       0 / 0
  VG UUID               OTwzII-AP5H-nIbH-k2UA-H9nw-juBv-wcvmBq

UPDATE Fri May 17 16:08:16 ICT 2013

Here are some ideas from Lars Ellenberg:

if the filesystem is still mounted ... oh well. unmount it. not lazy, but really.

I'm sure, OCFS2 was already unmounted.

If nfs was involved, try

killall -9 nfsd
killall -9 lockd
echo 0 > /proc/fs/nfsd/threads

No, NFS was not involved.

if lvm/dmsetup/kpartx/multipath/udev is involved, try

dmsetup ls --tree -o inverted  

and check if there are dependencies from drbd.

As you can see from my output above, LVM isn't related to DRBD:

pvdisplay -m

  --- Physical volume ---
  PV Name               /dev/xvda2
  VG Name               VolGroup00
  PV Size               39.90 GB / not usable 20.79 MB
  Allocatable           yes (but full)
  PE Size (KByte)       32768
  Total PE              1276
  Free PE               0
  Allocated PE          1276
  PV UUID               1t4hkB-p43c-ABex-stfQ-XaRt-9H4i-51gSTD

  --- Physical Segments ---
  Physical extent 0 to 1148:
    Logical volume      /dev/VolGroup00/LogVol00
    Logical extents     0 to 1148
  Physical extent 1149 to 1275:
    Logical volume      /dev/VolGroup00/LogVol01
    Logical extents     0 to 126

fdisk -l

Disk /dev/xvda: 42.9 GB, 42949672960 bytes
255 heads, 63 sectors/track, 5221 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

    Device Boot      Start         End      Blocks   Id  System
/dev/xvda1   *           1          13      104391   83  Linux
/dev/xvda2              14        5221    41833260   8e  Linux LVM

Disk /dev/xvdb: 107.3 GB, 107374182400 bytes
255 heads, 63 sectors/track, 13054 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

    Device Boot      Start         End      Blocks   Id  System
/dev/xvdb1               1       13054   104856223+  83  Linux

if loop/cryptoloop/etc is involved, check if one of those is still accessing them.

if some virtualization technique is in use, shut down/destroy all containers/VMs that may have been accessing that drbd during their lifetime.

No, it isn't.

Sometimes it is just udev or equivalent doing a race.

I have disabled the multipath rule and even stopped udevd, and nothing changed.

Sometimes it is a unix domain socket or similar still held open (won't necessarily show up in lsof/fuser).

If so, how can we find out this unix socket?


UPDATE Wed May 22 22:10:41 ICT 2013

Here is the stacktrace of DRBD worker process when dumping via magic SysRq key:

kernel: drbd1_worker  S ffff81007ae21820     0  7782      1          7795  7038 (L-TLB)
kernel:  ffff810055d89e00 0000000000000046 000573a8befba2d6 ffffffff8008e82f
kernel:  00078d18577c6114 0000000000000009 ffff81007ae21820 ffff81007fcae040
kernel:  00078d18577ca893 00000000000002b1 ffff81007ae21a08 000000017a590180
kernel: Call Trace:
kernel:  [<ffffffff8008e82f>] enqueue_task+0x41/0x56
kernel:  [<ffffffff80063002>] thread_return+0x62/0xfe
kernel:  [<ffffffff80064905>] __down_interruptible+0xbf/0x112
kernel:  [<ffffffff8008ee84>] default_wake_function+0x0/0xe
kernel:  [<ffffffff80064713>] __down_failed_interruptible+0x35/0x3a
kernel:  [<ffffffff885d461a>] :drbd:.text.lock.drbd_worker+0x2d/0x43
kernel:  [<ffffffff885eca37>] :drbd:drbd_thread_setup+0x127/0x1e1
kernel:  [<ffffffff800bab82>] audit_syscall_exit+0x329/0x344
kernel:  [<ffffffff8005dfb1>] child_rip+0xa/0x11
kernel:  [<ffffffff885ec910>] :drbd:drbd_thread_setup+0x0/0x1e1
kernel:  [<ffffffff8005dfa7>] child_rip+0x0/0x11

I'm not sure if this OCFS2 heartbeat region is preventing DRBD from switching to secondary:

kernel: o2hb-C3E41CA2 S ffff810002536420     0  9251     31                3690 (L-TLB)
kernel:  ffff810004af7d20 0000000000000046 ffff810004af7d30 ffffffff80063002
kernel:  1400000004000000 000000000000000a ffff81007ec307a0 ffffffff80319b60
kernel:  000935c260ad6764 0000000000000fcd ffff81007ec30988 0000000000027e86
kernel: Call Trace:
kernel:  [<ffffffff80063002>] thread_return+0x62/0xfe
kernel:  [<ffffffff8006389f>] schedule_timeout+0x8a/0xad
kernel:  [<ffffffff8009a41d>] process_timeout+0x0/0x5
kernel:  [<ffffffff8009a97c>] msleep_interruptible+0x21/0x42
kernel:  [<ffffffff884b3b0b>] :ocfs2_nodemanager:o2hb_thread+0xd2c/0x10d6
kernel:  [<ffffffff80063002>] thread_return+0x62/0xfe
kernel:  [<ffffffff800a329f>] keventd_create_kthread+0x0/0xc4
kernel:  [<ffffffff884b2ddf>] :ocfs2_nodemanager:o2hb_thread+0x0/0x10d6
kernel:  [<ffffffff800a329f>] keventd_create_kthread+0x0/0xc4
kernel:  [<ffffffff80032632>] kthread+0xfe/0x132
kernel:  [<ffffffff8005dfb1>] child_rip+0xa/0x11
kernel:  [<ffffffff800a329f>] keventd_create_kthread+0x0/0xc4
kernel:  [<ffffffff80032534>] kthread+0x0/0x132
kernel:  [<ffffffff8005dfa7>] child_rip+0x0/0x11
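The checklist above (lsof/fuser, then dmsetup for stacked devices) corresponds to the three places user space can see a reference to a block device: open file descriptors, memory mappings, and sysfs "holders" for devices layered on top of it. The following is an added example, not from the question or from DRBD, that checks all three for a device path; it runs offline against a constructed /proc and /sys tree (hypothetical PID 4242 and holder dm-0), and on a real host it needs root to read other processes' fd tables. A kernel thread like the drbd1_worker here owns no fds and no mappings, so it is exactly the "won't show up in lsof/fuser" case.

```python
import os
import tempfile

def device_holders(device, proc_root="/proc", sys_root="/sys"):
    """Report what references a block device such as /dev/drbd1: open file
    descriptors, memory mappings and sysfs 'holders' (block devices stacked on
    top of it, e.g. an LVM/dm volume).  Kernel-internal references never appear."""
    found = {"fds": [], "maps": [], "sysfs_holders": []}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        pdir = os.path.join(proc_root, pid)
        # /proc/<pid>/fd/<n> is a symlink whose target is the opened path.
        try:
            for fd in os.listdir(os.path.join(pdir, "fd")):
                try:
                    if os.readlink(os.path.join(pdir, "fd", fd)) == device:
                        found["fds"].append((int(pid), int(fd)))
                except OSError:
                    pass  # fd closed meanwhile, or not permitted
        except OSError:
            pass  # not permitted, or the process exited
        # An mmap of the device shows its path in column 6 of /proc/<pid>/maps.
        try:
            with open(os.path.join(pdir, "maps")) as f:
                for line in f:
                    parts = line.split()
                    if len(parts) >= 6 and parts[5] == device:
                        found["maps"].append(int(pid))
                        break
        except OSError:
            pass
    # /sys/block/<dev>/holders lists block devices built on top of this one.
    holders = os.path.join(sys_root, "block", os.path.basename(device), "holders")
    try:
        found["sysfs_holders"] = sorted(os.listdir(holders))
    except OSError:
        pass
    return found

def build_fake_tree():
    """Constructed /proc and /sys layout so the demo runs offline and unprivileged
    (hypothetical PID 4242 and holder dm-0, not taken from any real system)."""
    root = tempfile.mkdtemp()
    proc, sysfs = os.path.join(root, "proc"), os.path.join(root, "sys")
    os.makedirs(os.path.join(proc, "4242", "fd"))
    os.symlink("/dev/drbd1", os.path.join(proc, "4242", "fd", "3"))  # fd held open
    with open(os.path.join(proc, "4242", "maps"), "w") as f:
        f.write("7f0000000000-7f0000001000 r--s 00000000 93:01 0 /dev/drbd1\n")
    os.makedirs(os.path.join(sysfs, "block", "drbd1", "holders", "dm-0"))  # LVM on top
    return proc, sysfs

if __name__ == "__main__":
    proc, sysfs = build_fake_tree()
    print(device_holders("/dev/drbd1", proc_root=proc, sys_root=sysfs))
```

Call device_holders("/dev/drbd1") with the defaults as root to run it against the live system; an empty result for all three keys while drbdadm still reports "held open" points at a kernel-side reference, which is what the stack traces above show.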

Is it safe to set validateIntegratedModeConfiguration=false in order to continue using identity impersonate=true?

Posted: 04 Jan 2022 03:06 AM PST

We have upgraded an ASP.NET web application from IIS6 to IIS7 integrated mode. Our application uses:

<identity impersonate="true"/>  

and therefore we have had to set:

<validation validateIntegratedModeConfiguration="false" />  

Is this sensible? My instincts say not, but searching on Google for this issue, this "workaround" is suggested on every page visited.

Is impersonation no longer a good practice in IIS7 integrated, and should we abandon it and come up with a different solution?

Execute local (bash|python) script with mysql SQL

Posted: 04 Jan 2022 04:05 AM PST

I want to create a trigger so that when a field is updated it kicks off a local bash script (or python...whatever) to kick off a workflow (emails, work requests, etc). Is it possible to execute local system scripts/executables from mysql SQL? My google searches have been unsuccessful.

backup solution for media company (large files)

Posted: 04 Jan 2022 03:39 AM PST

I am working as a web developer in a media company (around 25 employees) and I am not very happy with our current backup solution. I am no expert on this, but I am pretty sure the current setup is BS.

What is our current setup? Well, we have a fileserver with a 500 GB HD (sic!). If one remembers, one manually makes a .zip file and puts it on that server. That's about it. Apart from the very small HD, nobody bothers making backups, maybe once a month. I think my boss has not backed up her data for maybe 3 months...

I would very much like to have an automated solution that creates a backup from all important files at night and... stores it somewhere.

The problem is: the backups can be quite large. As a developer I mainly work with text-based stuff, so my backup including email etc. is around 7 GB. But the designers working in that company have backups of 50 - 100 GB (already zipped). And there are at least 5 - 10 of these large backups.

Because of data loss recently I am pretty sure management would be willing to spend some $$$ on this if someone could come up with a good plan.

So, what would be a viable solution for a company of that size? Everybody in the company is working on OS X, if the operating system matters.

Cheap full-featured .NET 3.5 hosting in India?

Posted: 04 Jan 2022 02:40 AM PST

Anyone aware of good full-featured .NET 2.0, 3.x hosting on Windows Server 2008 in India?

Links would be appreciated. Suggestions for either co-located / dedicated hosting welcome.
