Google GCE VM - how to kill VMs if startup script fails Posted: 05 May 2022 09:00 AM PDT We launch workloads in GCE using Managed Instance Groups (MIG), which oversee the lifecycle and health of these VMs. New VMs are provisioned with a startup script (bash), which, on rare occasions, fails in some way. However, the VM is still able to start, launch its workload, and pass its health checks. Is there some setting in GCE / MIGs that says "if the init script does not execute successfully, kill the VM, and recreate it"? I could shut down if an error is trapped, e.g.:
...
exception() {
  echo 'startup script error; shutting down!'
  shutdown -h now
}
trap 'exception' ERR
...
But I was hoping there was a more managed option. |
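The shutdown-on-error idea from the post, carried through as a complete fail-closed startup script. This is an added example, not code from the original post: a half-provisioned VM that passes its health check is a fail-open condition (whatever the script was supposed to harden or configure is missing, yet the instance serves traffic), so the safe default is to power the VM off and let the group replace it. ON_FAILURE_CMD, STATE_FILE and the three step functions are hypothetical names chosen for illustration; the metadata-server URL is the standard GCE one.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a fail-closed startup script.
# Each provisioning step must succeed; the first failure is recorded and
# the VM powers itself off, so a half-configured instance never gets as far
# as passing the MIG health check and serving traffic.
#
# Assumptions (hypothetical, for illustration only):
#   ON_FAILURE_CMD  action taken on failure (default: shutdown -h now)
#   STATE_FILE      where the outcome is recorded for later inspection
#   the three step functions stand in for the real provisioning work
ON_FAILURE_CMD="${ON_FAILURE_CMD:-shutdown -h now}"
STATE_FILE="${STATE_FILE:-/var/run/startup-guard.state}"

# Persist "ok" or "failed:<step>" so the reason survives the repair.
record_state() { printf '%s\n' "$1" > "$STATE_FILE"; }

# Run the named steps in order inside a subshell. Returns 0 if every step
# succeeded; otherwise records the failing step, runs ON_FAILURE_CMD and
# returns 1.
run_startup() {
  local failed_step
  failed_step=$(
    for step in "$@"; do
      if ! "$step" > /dev/null 2>&1; then
        printf '%s' "$step"
        exit 1
      fi
    done
  ) && { record_state ok; return 0; }
  record_state "failed:${failed_step}"
  logger -t startup-guard "step ${failed_step} failed; powering off so the MIG replaces this VM" 2>/dev/null || true
  $ON_FAILURE_CMD
  return 1
}

# Example steps (hypothetical). Real ones would install packages, fetch
# config from the metadata server, apply host firewall rules, and so on.
fetch_app_config() {
  curl -fsS -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/attributes/app-config' \
    -o /etc/app/config
}
apply_host_firewall() { command -v nft > /dev/null && nft -f /etc/nftables.conf; }
start_workload() { systemctl start app.service; }

# Only run the steps when invoked as `startup-guard.sh run`; sourcing the
# file, or running it without the argument, just defines the functions.
if [ "${1:-}" = "run" ]; then
  run_startup fetch_app_config apply_host_firewall start_workload
fi
```

The MIG treats a VM that has stopped as one to repair, which is what makes powering off an acceptable "kill and recreate" signal. A stronger variant is to make the health-check endpoint itself depend on the "ok" marker, so that a VM whose script never finished is never marked healthy in the first place.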
How to get items from a DynamoDB table using CDK Posted: 05 May 2022 08:57 AM PDT I am creating a Stack using CDK, and I store my user data in DynamoDB. What I want to do is to create some resources for each user using CDK. After a quick search I found out about AwsCustomResource. Here is what I tried:
const customResource = new cdk.custom_resources.AwsCustomResource(this, 'aws-custom', {
  onCreate: {
    service: 'DynamoDB',
    action: 'scan',
    parameters: { TableName: 'Users' },
    physicalResourceId: cdk.custom_resources.PhysicalResourceId.of('Users' + '_scan'),
  },
  policy: cdk.custom_resources.AwsCustomResourcePolicy.fromSdkCalls({
    resources: cdk.custom_resources.AwsCustomResourcePolicy.ANY_RESOURCE,
  })
});
const data = customResource.getResponseField("Items");
console.log(data)
I also tried Token.asList and Token.asString but nothing worked. Any ideas on the best way to get data from DynamoDB using CDK? |
Windows 10 random timeouts Posted: 05 May 2022 08:31 AM PDT I recently started experiencing the issue that my internet just randomly "cuts out". At home I have a DSL router and a repeater, all from the same brand (Fritz!). The repeater is wirelessly connected to the router and added to a mesh. I am locally connected to my repeater with an RJ45 cable, directly connected to my motherboard NIC. I started experiencing the problem about a week ago, and what I did to try to fix it was the following:
- I restarted both the router and the repeater (simple, thought it might help, it didn't).
- Then I looked on both my repeater and my router for strange behavior (web GUI) and checked whether I had any duplicates in my network (I don't know how that could be possible because I only have one DHCP server, but I checked just to be sure). That wasn't the case.
- I reinstalled the firmware update on my repeater; I thought it might have been broken, but no.
- I restored factory settings on my repeater and configured it manually.
- Tried different NICs on my computer just to check if it was a broken NIC; it wasn't, no network card worked properly.
- Tried the good old Windows troubleshooter, but it didn't show me anything.
- Finally reinstalled Windows 10 and noticed that it got better, but I still get random timeouts when pinging (also random freezes when playing, watching a stream, etc.).
- I also tried doing the same ping on Ubuntu; it didn't work, so it wasn't the OS's fault.
- The funny thing about it was that after disconnecting my computer completely from the network and waiting for the router to notice it, I then connected the external NIC to my laptop and tried pinging my router (which didn't work on my desktop PC) and everything worked just fine, so I don't think the repeater is broken. The Wi-Fi provided by the repeater is also working, but not on my desktop PC. I have a Realtek 8821AE wireless card in my computer and some kind of Realtek PCIe GbE controller; tried updating the drivers, disabling it, uninstalling, etc. Nothing worked.
Do you guys have any idea what could cause this strange problem? I tried so many things I don't know what else I could do. |
TCP slow start and duplicate ACKs Posted: 05 May 2022 08:21 AM PDT In TCP slow start, what happens when 3 duplicate ACKs are received? I am aware of the recovery process in congestion avoidance; however, I read a blog post saying that if 3 duplicate ACKs are received in slow start, TCP performs fast recovery. I was under the impression that whether it is an RTO or 3 dup ACKs, in slow start TCP falls back to the initial cwnd value. "The final way in which slow start can end is if three duplicate ACKs are detected, in which case TCP performs a fast retransmit and enters the fast recovery state." |
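The two loss reactions the question contrasts, written out as the RFC 5681 formulas so the difference shows up in numbers rather than prose. This is an added example, not part of the original post or the blog it quotes; the SMSS of 1460 bytes and the walk-through starting at an initial window of 3 segments are constructed values.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the RFC 5681 reaction to the
# two loss signals, so the difference the question asks about can be read
# off concrete numbers. Each function prints "cwnd ssthresh" in bytes.
# SMSS is assumed to be 1460 bytes (constructed, typical for IPv4/Ethernet).
SMSS=${SMSS:-1460}

max() { [ "$1" -gt "$2" ] && echo "$1" || echo "$2"; }

# Slow start: every ACK that covers new data grows cwnd by up to SMSS.
# Prints the new cwnd only (ssthresh is unchanged while growing).
slow_start_ack() {            # $1 = current cwnd
  echo $(( $1 + SMSS ))
}

# Retransmission timeout (RFC 5681 section 3.1): ssthresh becomes
# max(FlightSize/2, 2*SMSS), cwnd collapses to the loss window of one
# segment, and slow start begins again from there.
on_rto() {                    # $1 = flight size in bytes
  local ssthresh
  ssthresh=$(max $(( $1 / 2 )) $(( 2 * SMSS )))
  echo "$SMSS $ssthresh"
}

# Three duplicate ACKs (section 3.2): fast retransmit, then fast recovery.
# ssthresh is halved the same way, but cwnd is set to ssthresh + 3*SMSS,
# because the three dup ACKs prove three segments have left the network,
# and the sender keeps transmitting instead of dropping to one segment.
# This applies whether the sender was in slow start or congestion avoidance.
on_three_dupacks() {          # $1 = flight size in bytes
  local ssthresh
  ssthresh=$(max $(( $1 / 2 )) $(( 2 * SMSS )))
  echo "$(( ssthresh + 3 * SMSS )) $ssthresh"
}

# Leaving fast recovery when the retransmission is acknowledged:
# cwnd is deflated to ssthresh and congestion avoidance takes over.
after_recovery() {            # $1 = ssthresh
  echo "$1 $1"
}

# Walk-through: IW = 3*SMSS, four ACKs of slow start, then each loss signal.
walkthrough() {
  local cwnd n
  cwnd=$(( 3 * SMSS )); n=0
  while [ "$n" -lt 4 ]; do cwnd=$(slow_start_ack "$cwnd"); n=$(( n + 1 )); done
  echo "slow start after 4 ACKs:  cwnd=$cwnd"
  echo "RTO        (flight=$cwnd): cwnd ssthresh = $(on_rto "$cwnd")"
  echo "3 dup ACKs (flight=$cwnd): cwnd ssthresh = $(on_three_dupacks "$cwnd")"
}
```

With a flight of 7 segments the RTO path restarts at one segment while the dup-ACK path continues at roughly half the window plus three segments, which is the whole point of fast recovery: the sender knows the network is still delivering, so it does not throw the window away.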
General Processing Error IKEv2 on Windows 10 Posted: 05 May 2022 08:08 AM PDT General Processing Error IKEv2 on Windows 10 Will not establish VPN connection. |
mTLS configuration in NGINX - upstream chain validation Posted: 05 May 2022 07:54 AM PDT I have several questions regarding the mTLS configuration in NGINX: When configuring with ngx_http_proxy_module, to verify the upstream certificate, does the upstream's TLS chain have to be stored in the cert file used in the proxy_ssl_trusted_certificate property? Or just the root CA certificate? Or intermediate and root? The server's TLS chain looks approximately like this:
0 - A cert for a company's domain, issued by Digicert Global CA G2
1 - Digicert Global CA G2, issued by Digicert Global Root G2
Does NGINX validate the signatures on all certs in the upstream TLS chain? If not, how do I enable it? |
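An added configuration example (not from the original post) showing the upstream-verification directives of ngx_http_proxy_module together, with the chain from the post in mind. The directive names are nginx's own; the location, upstream name, hostname and file paths are assumptions.

```nginx
# Added example, not from the original post. Paths, the upstream name and
# api.example.com are placeholders.
location /api/ {
    proxy_pass https://api-backend;

    # Off by default: without this nginx accepts any certificate the
    # upstream presents, so mTLS on the client side buys nothing.
    proxy_ssl_verify        on;

    # Trust anchors for the upstream chain. When the upstream sends its
    # intermediate (Digicert Global CA G2) in the handshake, only the root
    # (Digicert Global Root G2) has to be in this file. If the upstream
    # sends the leaf alone, append the intermediate here as well, since
    # nginx cannot fetch it.
    proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-roots.pem;

    # leaf -> intermediate -> root is depth 2; the default of 1 makes
    # verification fail even with the right roots in the file.
    proxy_ssl_verify_depth  2;

    # Name to check the upstream certificate against (and to send as SNI).
    # Defaults to the proxy_pass host, which is the upstream group name here.
    proxy_ssl_name          api.example.com;
    proxy_ssl_server_name   on;

    proxy_ssl_protocols     TLSv1.2 TLSv1.3;

    # nginx's own client certificate for the mTLS half of the exchange.
    proxy_ssl_certificate       /etc/nginx/tls/proxy-client.pem;
    proxy_ssl_certificate_key   /etc/nginx/tls/proxy-client.key;
}
```

With proxy_ssl_verify on, nginx hands the presented chain to OpenSSL, which checks every signature up to a certificate in the trusted file, so the answer to "does it validate all the signatures" is yes once verification is enabled. To confirm the file is sufficient before reloading nginx, capture the chain with `openssl s_client -connect host:443 -servername host -showcerts` and run `openssl verify -CAfile upstream-roots.pem` against the leaf (adding `-untrusted intermediate.pem` when the intermediate is not in the trusted file).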
Group Policy scheduled task for running .bat file applies, but task does not create Posted: 05 May 2022 07:52 AM PDT I am trying to add a scheduled task to run a batch file that updates / installs software. I created a GPO to create the task, using these settings: [screenshots: Task settings 1, 2 and 3] For one of them, I am using item-level targeting to only apply to one group. But this issue is happening with both. I have also tried using both User Configuration and Computer Configuration, with the same settings as above. The other thing that I have changed is the 'Start in' setting, which I have set to C:\ and C:\Windows to test, and still had the same issue. On the endpoints, I run gpresult and see the policy has applied successfully, but there is no task. I turned on the logging and tracing option in Group Policy and saw this in the resulting file: 2022-05-03 10:49:26.732 [pid=0x604c,tid=0x54ec] Entering ProcessGroupPolicyExSchedTasks() 2022-05-03 10:49:26.734 [pid=0x604c,tid=0x54ec] SOFTWARE\Policies\Microsoft\Windows\Group Policy\{AADCED64-746C-4633-A97C-D61349046527} 2022-05-03 10:49:26.734 [pid=0x604c,tid=0x54ec] BackgroundPriorityLevel ( 7 ) 2022-05-03 10:49:26.734 [pid=0x604c,tid=0x54ec] DisableRSoP ( 0 ) 2022-05-03 10:49:26.734 [pid=0x604c,tid=0x54ec] LogLevel ( 2 ) 2022-05-03 10:49:26.734 [pid=0x604c,tid=0x54ec] Command subsystem initialized. 
[SUCCEEDED(S_FALSE)] 2022-05-03 10:49:26.814 [pid=0x604c,tid=0x54ec] ----- Parameters 2022-05-03 10:49:26.814 [pid=0x604c,tid=0x54ec] CSE GUID : {AADCED64-746C-4633-A97C-D61349046527} 2022-05-03 10:49:26.814 [pid=0x604c,tid=0x54ec] Flags : ( X ) GPO_INFO_FLAG_MACHINE - Apply machine policy rather than user policy 2022-05-03 10:49:26.814 [pid=0x604c,tid=0x54ec] ( X ) GPO_INFO_FLAG_BACKGROUND - Background refresh of policy (ok to do slow stuff) 2022-05-03 10:49:26.814 [pid=0x604c,tid=0x54ec] ( ) GPO_INFO_FLAG_SLOWLINK - Policy is being applied across a slow link 2022-05-03 10:49:26.815 [pid=0x604c,tid=0x54ec] ( ) GPO_INFO_FLAG_VERBOSE - Verbose output to the eventlog 2022-05-03 10:49:26.815 [pid=0x604c,tid=0x54ec] ( ) GPO_INFO_FLAG_NOCHANGES - No changes were detected to the Group Policy Objects 2022-05-03 10:49:26.815 [pid=0x604c,tid=0x54ec] ( ) GPO_INFO_FLAG_LINKTRANSITION - A change in link speed was detected between previous policy application and current policy application 2022-05-03 10:49:26.815 [pid=0x604c,tid=0x54ec] ( ) GPO_INFO_FLAG_LOGRSOP_TRANSITION - A change in RSoP logging was detected between the application of the previous policy and the application of the current policy. 2022-05-03 10:49:26.815 [pid=0x604c,tid=0x54ec] ( X ) GPO_INFO_FLAG_FORCED_REFRESH - Forced Refresh is being applied. redo policies. 
2022-05-03 10:49:26.815 [pid=0x604c,tid=0x54ec] ( ) GPO_INFO_FLAG_SAFEMODE_BOOT - windows safe mode boot flag 2022-05-03 10:49:26.815 [pid=0x604c,tid=0x54ec] ( ) GPO_INFO_FLAG_ASYNC_FOREGROUND - Asynchronous foreground refresh of policy 2022-05-03 10:49:26.816 [pid=0x604c,tid=0x54ec] Token (computer or user SID): S-1-5-18 2022-05-03 10:49:26.816 [pid=0x604c,tid=0x54ec] Abort Flag : Yes (0xa3c28330) 2022-05-03 10:49:26.816 [pid=0x604c,tid=0x54ec] HKey Root : Yes (0x80000002) 2022-05-03 10:49:26.816 [pid=0x604c,tid=0x54ec] Deleted GPO List : No 2022-05-03 10:49:26.816 [pid=0x604c,tid=0x54ec] Changed GPO List : Yes 2022-05-03 10:49:26.816 [pid=0x604c,tid=0x54ec] Asynchronous Processing : Yes 2022-05-03 10:49:26.817 [pid=0x604c,tid=0x54ec] Status Callback : No (0x00000000) 2022-05-03 10:49:26.817 [pid=0x604c,tid=0x54ec] WMI namespace : Yes (0xa3cb7380) 2022-05-03 10:49:26.817 [pid=0x604c,tid=0x54ec] RSoP Status : Yes (0x61e7e970) 2022-05-03 10:49:26.817 [pid=0x604c,tid=0x54ec] Planning Mode Site : (none) 2022-05-03 10:49:26.817 [pid=0x604c,tid=0x54ec] Computer Target : No (0x00000000) 2022-05-03 10:49:26.817 [pid=0x604c,tid=0x54ec] User Target : No (0x00000000) 2022-05-03 10:49:26.818 [pid=0x604c,tid=0x54ec] Calculated list relevance. [SUCCEEDED(S_FALSE)] 2022-05-03 10:49:26.818 [pid=0x604c,tid=0x54ec] ----- Changed - 0 2022-05-03 10:49:26.818 [pid=0x604c,tid=0x54ec] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled. 2022-05-03 10:49:26.818 [pid=0x604c,tid=0x54ec] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO. 
2022-05-03 10:49:26.818 [pid=0x604c,tid=0x54ec] Options (raw) : 0x00000000 2022-05-03 10:49:26.818 [pid=0x604c,tid=0x54ec] Version : 524296 (0x00080008) 2022-05-03 10:49:26.819 [pid=0x604c,tid=0x54ec] GPC : LDAP://CN=Machine,cn={8CD56729-C9ED-4281-91B7-E2ADADE058B3},cn=policies,cn=system,DC=ad,DC=domain,DC=com 2022-05-03 10:49:26.819 [pid=0x604c,tid=0x54ec] GPT : \\ad.domain.com\SysVol\ad.domain.com\Policies\{8CD56729-C9ED-4281-91B7-E2ADADE058B3}\Machine 2022-05-03 10:49:26.819 [pid=0x604c,tid=0x54ec] GPO Display Name : Office 365 Update / Install Task 2022-05-03 10:49:26.819 [pid=0x604c,tid=0x54ec] GPO Name : {8CD56729-C9ED-4281-91B7-E2ADADE058B3} 2022-05-03 10:49:26.819 [pid=0x604c,tid=0x54ec] GPO Link : ( ) GPLinkUnknown - No link information is available. 2022-05-03 10:49:26.819 [pid=0x604c,tid=0x54ec] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote). 2022-05-03 10:49:26.820 [pid=0x604c,tid=0x54ec] ( ) GPLinkSite - The GPO is linked to a site. 2022-05-03 10:49:26.820 [pid=0x604c,tid=0x54ec] ( X ) GPLinkDomain - The GPO is linked to a domain. 2022-05-03 10:49:26.820 [pid=0x604c,tid=0x54ec] ( ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit. 2022-05-03 10:49:26.820 [pid=0x604c,tid=0x54ec] ( ) GP Link Error 2022-05-03 10:49:26.820 [pid=0x604c,tid=0x54ec] lParam : 0x00000000 2022-05-03 10:49:26.820 [pid=0x604c,tid=0x54ec] Prev GPO : No 2022-05-03 10:49:26.820 [pid=0x604c,tid=0x54ec] Next GPO : Yes 2022-05-03 10:49:26.821 [pid=0x604c,tid=0x54ec] Extensions : [{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}] 2022-05-03 10:49:26.821 [pid=0x604c,tid=0x54ec] lParam2 : 0xa4a03778 2022-05-03 10:49:26.821 [pid=0x604c,tid=0x54ec] Link : LDAP://DC=ad,DC=domain,DC=com 2022-05-03 10:49:26.821 [pid=0x604c,tid=0x54ec] Completed get GPH path. 
[SUCCEEDED(S_FALSE)] 2022-05-03 10:49:26.822 [pid=0x604c,tid=0x54ec] Completed remove GPH. [SUCCEEDED(S_FALSE)] 2022-05-03 10:49:26.917 [pid=0x604c,tid=0x54ec] Read GPE XML data file (953 bytes total). 2022-05-03 10:49:26.917 [pid=0x604c,tid=0x54ec] Starting filter [AND NOT FilterOrgUnit]. 2022-05-03 10:49:26.917 [pid=0x604c,tid=0x54ec] Properties handled. [ hr = 0x80070057 "The parameter is incorrect." ] 2022-05-03 10:49:26.918 [pid=0x604c,tid=0x54ec] There was a failure so the run once filter was rolled back. [ hr = 0x80070057 "The parameter is incorrect." ] 2022-05-03 10:49:26.918 [pid=0x604c,tid=0x54ec] Error suppressed. [ hr = 0x80070057 "The parameter is incorrect." ] 2022-05-03 10:49:26.918 [pid=0x604c,tid=0x54ec] ----- Changed - 1 2022-05-03 10:49:26.918 [pid=0x604c,tid=0x54ec] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled. 2022-05-03 10:49:26.918 [pid=0x604c,tid=0x54ec] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO. 2022-05-03 10:49:26.919 [pid=0x604c,tid=0x54ec] Options (raw) : 0x00000000 2022-05-03 10:49:26.919 [pid=0x604c,tid=0x54ec] Version : 1966110 (0x001e001e) 2022-05-03 10:49:26.919 [pid=0x604c,tid=0x54ec] GPC : LDAP://CN=Machine,cn={7427C20A-C7B7-4E72-8CFA-C08AD7F69FDE},cn=policies,cn=system,DC=ad,DC=domain,DC=com 2022-05-03 10:49:26.919 [pid=0x604c,tid=0x54ec] GPT : \\ad.domain.com\SysVol\ad.domain.com\Policies\{7427C20A-C7B7-4E72-8CFA-C08AD7F69FDE}\Machine 2022-05-03 10:49:26.919 [pid=0x604c,tid=0x54ec] GPO Display Name : AutoDesk Deployment Task 2022-05-03 10:49:26.920 [pid=0x604c,tid=0x54ec] GPO Name : {7427C20A-C7B7-4E72-8CFA-C08AD7F69FDE} 2022-05-03 10:49:26.920 [pid=0x604c,tid=0x54ec] GPO Link : ( ) GPLinkUnknown - No link information is available. 2022-05-03 10:49:26.920 [pid=0x604c,tid=0x54ec] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote). 2022-05-03 10:49:26.920 [pid=0x604c,tid=0x54ec] ( ) GPLinkSite - The GPO is linked to a site. 
2022-05-03 10:49:26.920 [pid=0x604c,tid=0x54ec] ( X ) GPLinkDomain - The GPO is linked to a domain. 2022-05-03 10:49:26.920 [pid=0x604c,tid=0x54ec] ( ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit. 2022-05-03 10:49:26.920 [pid=0x604c,tid=0x54ec] ( ) GP Link Error 2022-05-03 10:49:26.921 [pid=0x604c,tid=0x54ec] lParam : 0x00000000 2022-05-03 10:49:26.921 [pid=0x604c,tid=0x54ec] Prev GPO : Yes 2022-05-03 10:49:26.921 [pid=0x604c,tid=0x54ec] Next GPO : No 2022-05-03 10:49:26.922 [pid=0x604c,tid=0x54ec] Extensions : [{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}] 2022-05-03 10:49:26.922 [pid=0x604c,tid=0x54ec] lParam2 : 0xa4c7d008 2022-05-03 10:49:26.922 [pid=0x604c,tid=0x54ec] Link : LDAP://DC=ad,DC=domain,DC=com 2022-05-03 10:49:26.922 [pid=0x604c,tid=0x54ec] Completed get GPH path. [SUCCEEDED(S_FALSE)] 2022-05-03 10:49:26.923 [pid=0x604c,tid=0x54ec] Completed remove GPH. [SUCCEEDED(S_FALSE)] 2022-05-03 10:49:27.032 [pid=0x604c,tid=0x54ec] Read GPE XML data file (1002 bytes total). 2022-05-03 10:49:27.033 [pid=0x604c,tid=0x54ec] Starting filter [AND FilterGroup]. 2022-05-03 10:49:27.034 [pid=0x604c,tid=0x54ec] Preliminary filter processing (status may be adjusted). [SUCCEEDED(S_FALSE)] 2022-05-03 10:49:27.034 [pid=0x604c,tid=0x54ec] A filter failed to pass so the run once filter was rolled back. [SUCCEEDED(S_FALSE)] 2022-05-03 10:49:27.034 [pid=0x604c,tid=0x54ec] Completed get next GPO. [SUCCEEDED(S_FALSE)] 2022-05-03 10:49:27.035 [pid=0x604c,tid=0x54ec] Logging 0 new RSoP entries. 2022-05-03 10:49:27.035 [pid=0x604c,tid=0x54ec] Completed get GPO list. 
[SUCCEEDED(S_FALSE)] 2022-05-03 10:49:27.035 [pid=0x604c,tid=0x54ec] IsRsopPlanningMode() [SUCCEEDED(S_FALSE)] 2022-05-03 10:49:27.292 [pid=0x604c,tid=0x54ec] Leaving ProcessGroupPolicyExSchedTasks() returned 0x00000000 The DC is Server 2019 and the endpoints are all Windows 10. Any ideas on why this is happening? |
What is the difference between 0.0.0.0/0 and 0.0.0.0/1 Posted: 05 May 2022 08:59 AM PDT Historically, I have mostly used 0.0.0.0/0 for "match every IP address". Recently, I saw a 0.0.0.0/1 subnet filter. What is the difference between 0.0.0.0/0 and 0.0.0.0/1, and what's the practical use of 0.0.0.0/1? |
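Prefix matching written out in plain shell arithmetic, as an added example that is not part of the original post. 0.0.0.0/0 has a zero-bit mask and matches every address; 0.0.0.0/1 keeps one bit and matches only the half whose first bit is 0 (0.0.0.0 to 127.255.255.255), with 128.0.0.0/1 covering the other half. That pairing is the practical use: two /1 routes cover the same space as a default route but are more specific, so they win over an existing 0.0.0.0/0 without anyone having to delete it (VPN clients use exactly this to capture all traffic). The functions below are illustrative helpers, not from any tool.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: dotted-quad prefix matching
# with no external tools, to show what /0 and /1 actually cover.

# a.b.c.d -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for prefix length 0..32, as a 32-bit integer. /0 is special:
# a 32-bit left shift is undefined, and the answer is simply "no bits".
prefix_mask() {
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  fi
}

# in_cidr IP NETWORK/LEN -> true (0) when IP falls inside the prefix.
# Only the masked bits are compared, so 0.0.0.0/0 compares nothing and
# matches everything, while 0.0.0.0/1 compares just the top bit.
in_cidr() {
  local ip net len mask
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  len=${2#*/}
  mask=$(prefix_mask "$len")
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Number of addresses a prefix covers: 2^(32-len).
cidr_size() {
  echo $(( 1 << (32 - ${1#*/}) ))
}

# Routing consequence: the longest matching prefix wins, so a /1 beats a /0.
best_prefix() {               # $1 = IP, remaining args = candidate prefixes
  local ip best bestlen
  ip=$1; shift; best=""; bestlen=-1
  for p in "$@"; do
    if in_cidr "$ip" "$p" && [ "${p#*/}" -gt "$bestlen" ]; then
      best=$p; bestlen=${p#*/}
    fi
  done
  echo "$best"
}
```

Note that a firewall rule written with 0.0.0.0/1 is not a typo-free "any": it silently ignores every address from 128.0.0.0 upwards, which is most of the public Internet.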
How to access an IP address in a different network through a middle computer? Posted: 05 May 2022 07:00 AM PDT I have a computer A connected to a network with computer B. Computer B is also connected to another network, not visible directly by computer A. Computer B, therefore, can access IP X on that second network. Imagine that IP X is a website on the local network and B can access that website using IP X through a web browser. How can I make computer A able to access that website through its browser, since computer A can talk with computer B through their mutual network? |
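One way to do this with nothing but SSH, as an added example that is not part of the original post: an SSH local forward on A through B makes port 80 on X appear on A's loopback, and the browser is pointed at http://127.0.0.1:8080/. The assumptions are that B runs sshd, A can log in to it as "user", and X serves plain HTTP on port 80; the helper names are hypothetical, and the sample `ss -ltn` output in the audit helper is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: reach the web site at X from
# computer A by tunnelling through computer B with an SSH local forward.
# Assumptions (hypothetical): B runs sshd, A can log in as "user", X serves
# HTTP on port 80. DRY_RUN=1 prints the ssh command instead of running it.

# build_forward LOCAL_PORT TARGET_IP TARGET_PORT USER@JUMP
# The listener is bound to 127.0.0.1 on purpose: binding it to 0.0.0.0
# would expose X to everyone who can reach A, turning A into an open relay
# into B's other network. ExitOnForwardFailure stops ssh from sitting there
# "connected" while the forward silently failed.
build_forward() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

start_forward() {
  if [ "${DRY_RUN:-0}" = 1 ]; then build_forward "$@"; return; fi
  ssh -N -o ExitOnForwardFailure=yes -L "127.0.0.1:$1:$2:$3" "$4"
}

# Audit helper: given `ss -ltn` output on stdin, print every listening
# socket bound to a wildcard address (0.0.0.0, * or [::]). A tunnel
# listener should never show up here.
wildcard_listeners() {
  awk 'NR > 1 && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):/ { print $4 }'
}

# Constructed sample of `ss -ltn` output, for demonstration only.
sample_ss_output() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       4096    0.0.0.0:8081        0.0.0.0:*
EOF
}
```

Usage on A: `DRY_RUN=1 start_forward 8080 X 80 user@B` to see the command, then the same without DRY_RUN to open the tunnel. If several sites behind B are needed, `ssh -D 127.0.0.1:1080 user@B` with the browser's SOCKS proxy set to that port avoids one `-L` per target.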
RAID10 performance on newer hardware slower than RAID5 performance on older hardware? Posted: 05 May 2022 08:01 AM PDT I am currently trying to figure out a performance issue with a new server compared to an old server. Performance should be better but it's not, and I'm having trouble figuring out why. Old server is a Dell R640 (2x Xeon Gold 5218, 128GB RAM) with a PERC H740P Mini and 8GB cache; 6x Samsung PM1645 1.6TB 12Gb/s SAS mixed-use enterprise SSDs in a RAID 5 virtual disk. New server is a Dell R650 (2x Xeon Gold 6330, 256GB RAM) with a PERC H755 and 8GB cache; 6x Seagate Nytro 2532 1.92TB 12Gb/s SAS mixed-use enterprise SSDs in a RAID 10 virtual disk. The new drives are physically slower in both reads and writes, but going from a 6-drive RAID5 array to a 6-drive RAID10 I thought that would make up a good deal of that. The old drives are rated at 1GB/s sequential read and 1.2GB/s sequential write, while the new drives are at 840MB/s and 650MB/s. In a simple test creating a new 200GB vhdx on both machines: the old server creates the file in about 46 seconds, the new server takes 102 seconds. Should it really take twice as long even with the performance gain of the newer RAID? How is the old RAID5 doing it so quickly, or am I just not understanding something? |
Routing all traffic through a VPN node while accepting incoming WAN connections Posted: 05 May 2022 06:40 AM PDT I want to route all traffic through another VPN node, while:
- keeping the connection to the VPN server active (already works),
- still accepting WAN connections on that client.
My client node configuration:
# 35.1.1.1:   WAN IP of the VPN server
# 192.168.8.1: WAN gateway of the client
# 10.25.0.1:  internal VPN server IP (not used below)
# 10.25.0.3:  VPN gateway for the client (the gateway itself is also a client)
ip route add 35.1.1.1/32 via 192.168.8.1   # protect the route to the VPN server
ip route del default via 192.168.8.1       # remove the original default route
ip route add default via 10.25.0.3         # redirect to another VPN node
When running these commands, the gateway works: all traffic from the client node is routed through the VPN gateway (10.25.0.3), while keeping the connection to the server (35.1.1.1/10.25.0.1) intact. The only problem is that the client will not accept connections anymore. I read something about fwmark and source-based policy rules, but I do not understand what I really need and which commands I need to enter. |
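The source-based policy routing the post mentions, spelled out as an added example that is not part of the original post. The reason inbound WAN connections stop working is that their replies are sent from the client's WAN address but, after the change, follow the main table's default route into the VPN node, so they leave through the wrong path. A second routing table with a plain WAN default route, selected by a rule keyed on the WAN source address, sends those replies back the way they came while everything else still defaults to 10.25.0.3. The client's own WAN address (192.168.8.20), its interface name (eth0) and the table number are hypothetical; the other addresses are the ones from the post. DRY_RUN=1 prints the commands instead of executing them, since the real ones need root.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: source-based policy routing so
# that replies to connections arriving on the WAN address leave via the WAN
# gateway, while everything else still defaults to the VPN node.
#
# Assumptions (hypothetical): the client's own WAN address is 192.168.8.20 on
# eth0; 192.168.8.1, 35.1.1.1 and 10.25.0.3 are the addresses from the post.
# DRY_RUN=1 prints the commands instead of executing them (needs root otherwise).
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-192.168.8.20}
WAN_GW=${WAN_GW:-192.168.8.1}
VPN_SERVER=${VPN_SERVER:-35.1.1.1}
VPN_GW=${VPN_GW:-10.25.0.3}
WAN_TABLE=${WAN_TABLE:-100}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_routes() {
  # 1. Keep the tunnel endpoint itself reachable via the WAN gateway
  #    (the post's first command, made idempotent with "replace").
  run ip route replace "$VPN_SERVER/32" via "$WAN_GW" dev "$WAN_IF"
  # 2. Secondary table: a plain default route via the WAN gateway.
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$WAN_TABLE"
  # 3. Packets whose source is the WAN address (replies to inbound WAN
  #    connections) consult that table first. Locally originated traffic
  #    picks its source address from the main table's default route, i.e.
  #    the VPN side, so it never matches this rule and stays in the tunnel.
  #    "ip rule add" is not idempotent; remove_routes clears it first.
  run ip rule add from "$WAN_IP" lookup "$WAN_TABLE" priority 1000
  # 4. Main table: default via the VPN node, as in the post.
  run ip route replace default via "$VPN_GW"
}

# Rollback: drop the rule and the secondary table, restore the WAN default.
remove_routes() {
  run ip rule del from "$WAN_IP" lookup "$WAN_TABLE" priority 1000
  run ip route flush table "$WAN_TABLE"
  run ip route replace default via "$WAN_GW" dev "$WAN_IF"
}
```

After applying, `ip rule show` should list the new rule above the main table and `ip route get 8.8.8.8 from 192.168.8.20` should resolve via 192.168.8.1, while `ip route get 8.8.8.8` (no source) should resolve via 10.25.0.3. If replies still vanish, check reverse-path filtering: strict mode (net.ipv4.conf.all.rp_filter=1) can drop asymmetric traffic, and loose mode (2) is the usual setting on a host with two routing paths.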
Only federate some users in Azure AD and not a whole domain Posted: 05 May 2022 06:34 AM PDT We want to test a new IdP in our organization (this IdP is an in-house SAML-compatible IdP). We are using Azure AD. If we federate a new domain, we can test the authentication, and it works (xxx@NewDomain.Com). Now, we want to select some real users from our main domain (User1@MainDomain.com) and federate only these users so that they can start testing the IdP without interrupting all the other users. Is this possible? Can we federate only some users to use an IdP in Azure AD, or must it always be a whole domain? Our goal is to achieve a gradual migration of the users, so that we can fix any initial bugs with minimal impact. |
Why is my Kubernetes service not working? Firefox can't establish a connection to the server Posted: 05 May 2022 06:26 AM PDT On my Ubuntu machine, I have minikube installed and working.
minikube ip
192.168.49.2
I am trying to reach my Kubernetes service.
Name:              fleetman-queue
Namespace:         default
Labels:            <none>
Annotations:       <none>
Selector:          mylabelname=queue,release=0
Type:              NodePort
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.96.155.15
IPs:               10.96.155.15
Port:              http  8161/TCP
TargetPort:        8161/TCP
NodePort:          http  30010/TCP
Endpoints:         <none>
In my browser at http://192.168.49.2:30010/, I got:
Unable to connect
Firefox can't establish a connection to the server at 192.168.49.2:30010.
Why? I checked minikube dashboard |
How to get Kafka consumer metrics with JMX exporter for Prometheus? Posted: 05 May 2022 05:59 AM PDT Kafka version: 3.1. I didn't find a way to get the Kafka consumer metrics described in the Kafka documentation from my Kafka servers. Even if I leave the "rules" section empty in the config of the JMX exporter, there are no "kafka_consumer_*" metrics available. Is there a setting I need to change in my Kafka cluster? I run Kafka as one systemd service on each member of the cluster. |
Chromium-based browsers do not remember cookies on a domain-joined server Posted: 05 May 2022 05:41 AM PDT We have a problem that Chromium-based browsers do not remember cookies on a domain-joined server. Can anyone point us in the right direction? What did we do:
- We freshly installed the server (2019 or 2022) from the VLSC ISO.
- Created a local user and immediately logged in as that user.
- Set up the proxy in the browser and checked whether it remembers cookies when we browse to a site. Cookies are stored and we do not get an annoying popup for cookie preferences when we visit a site. ^^^ so this step is the wanted behavior.
- In AD we created a new Test OU with no policies and disabled inheritance.
- We put the computer name in the Test OU.
- We made the server a member of AD and it is in the Test OU.
- We checked the server with "gpresult /h /test.html" and rsop.msc for any loaded policies, and this is not the case.
- We logged in to the server with a domain account (regular or DA does not matter for the end result) and browsed to the same site we used as the local test user.
- We get a popup to set our cookie preferences. When we close the browser and go back to the site we get the prompt again. <-- unwanted behavior
When we check whether the cookies file is changed, this is not the case. It is 20KB and does not change. If we remove the file and start the browser, the file is recreated with the same size but it is never updated afterwards.
Cookie location: C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default\Network
We have tested and can replicate this behavior in Chromium-based browsers: Chrome Enterprise, Edge. Firefox is OK. |
How would you troubleshoot / fix Samba AD DC DNS errors Posted: 05 May 2022 06:25 AM PDT I set up 2 Samba AD DCs on Ubuntu Server 21.10 in a heterogeneous environment and came across some errors trying to remotely back up the DB of DC01 to DC02 via samba-tool. I hit up the mailing list and ended up rejoining the second DC, which must've messed up some DNS records. Clients of DC02 get the "no internet" globe in the taskbar, which, after some tests, means a DNS problem to me. I was thinking about completely removing site 2, implementing DC02 in site 1 and setting it up again after checking functionality, but I'm worried I'll end up worse than right now. DC02 is currently on site 2.
ipconfig DC01
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses:
        - 192.168.50.11/24
      nameservers:
        addresses: [192.168.50.11, 10.0.1.9, 192.168.50.1]
      routes:
        - to: default
          via: 192.168.50.1
ipconfig DC02
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses:
        - 10.0.1.9/24
      nameservers:
        addresses: [192.168.50.11, 10.0.1.9]
      routes:
        - to: default
          via: 10.0.1.253
smb.conf DC01
# Global parameters
[global]
min protocol = NT1
dns forwarder = 8.8.8.8
netbios name = dc01
realm = my.domain
server role = active directory domain controller
workgroup = my
idmap_ldb:use rfc2307 = yes
map to guest = Bad User
log file = /var/log/samba/%m
log level = 3
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/my.domain/scripts
read only = No
#--------------------location1----------------------------
[U2-X]
path = /var/lib/samba/shares/location1/U2/X
read only = no
[U1-X]
path = /var/lib/samba/shares/location1/U1/X
read only = no
[U1-Y]
path = /var/lib/samba/shares/location1/U1/Y
read only = no
[U1-Fetview]
path = /var/lib/samba/shares/location1/U1/Fetview
read only = no
[Z]
path = /var/lib/samba/shares/location1/Z
read only = no
[Scan]
path = /var/lib/samba/shares/location1/Scan
read only = no
smb.conf DC02
# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = dc02
realm = my.domain
server role = active directory domain controller
workgroup = my
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/my.domain/scripts
read only = No
dcdiag (output translated from German)
C:\Users\Administrator.my>dcdiag /test:dns /e /s:dc02.my.domain
Directory Server Diagnosis
Performing initial setup:
* Identified AD Forest.
LDAP search capability attribute search failed on server dc02, return value = 81
Error: failed to check whether the domain controller uses FRS or DFSR. Error: Win32 Error 81
The VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.
Done gathering initial info.
Doing initial required tests
Testing server: Location1\dc01
Starting test: Connectivity
......................... dc01 passed test Connectivity
Testing server: Location2\dc02
Starting test: Connectivity
The host 72041d70-edc8-4609-ba97-caf97ed84c23._msdcs.my.domain could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... dc02 failed test Connectivity
Doing primary tests
Testing server: Location1\dc01
Testing server: Location2\dc02
Starting test: DNS
Starting test: DNS
DNS tests are running and not hung. Please wait a few minutes...
......................... dc01 failed test DNS
......................... dc02 failed test DNS
Running partition tests on: my
Running partition tests on: Schema
Running partition tests on: ForestDnsZones
Running partition tests on: Configuration
Running partition tests on: DomainDnsZones
Running enterprise tests on: my.domain
Starting test: DNS
Test results for domain controllers:
DC: dc02.my.domain
Domain: my.domain
TEST: Basic (Basc)
Error: No LDAP connectivity
Error: No WMI connectivity
No host records (A or AAAA) were found for this DC
DC: dc01.my.domain
Domain: my.domain
TEST: Basic (Basc)
Error: No WMI connectivity
No host records (A or AAAA) were found for this DC
Summary of DNS test results:
              Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: my.domain
   dc02       PASS FAIL n/a  n/a  n/a  n/a  n/a
   dc01       PASS FAIL n/a  n/a  n/a  n/a  n/a
......................... my.domain failed test DNS
RSAT-DNS: If I check the DNS entries now it all seems right.
my.domain mcdns dnsupdate IPs: ['10.0.1.9']
force update: A dc01.my.domain 10.0.1.9
force update: CNAME a452ed54-667a-43d3-9182-21d84a4919a4._msdcs.my.domain dc01.my.domain
force update: NS my.domain dc01.my.domain
force update: NS _msdcs.my.domain dc01.my.domain
force update: A my.domain 10.0.1.9
force update: SRV _ldap._tcp.my.domain dc01.my.domain 389
force update: SRV _ldap._tcp.dc._msdcs.my.domain dc01.my.domain 389
force update: SRV _ldap._tcp.32052c12-4458-47f7-adb0-95f7c16fc694.domains._msdcs.my.domain dc01.my.domain 389
force update: SRV _kerberos._tcp.my.domain dc01.my.domain 88
force update: SRV _kerberos._udp.my.domain dc01.my.domain 88
force update: SRV _kerberos._tcp.dc._msdcs.my.domain dc01.my.domain 88
force update: SRV _kpasswd._tcp.my.domain dc01.my.domain 464
force update: SRV _kpasswd._udp.my.domain dc01.my.domain 464
force update: SRV _ldap._tcp.Location1._sites.my.domain dc01.my.domain 389
force update: SRV _ldap._tcp.Location1._sites.dc._msdcs.my.domain dc01.my.domain 389
force update: SRV _kerberos._tcp.Location1._sites.my.domain dc01.my.domain 88
force update: SRV _kerberos._tcp.Location1._sites.dc._msdcs.my.domain dc01.my.domain 88
force update: SRV _ldap._tcp.pdc._msdcs.my.domain dc01.my.domain 389
force update: A gc._msdcs.my.domain 10.0.1.9
force update: SRV _gc._tcp.my.domain dc01.my.domain 3268
force update: SRV _ldap._tcp.gc._msdcs.my.domain dc01.my.domain 3268
force update: SRV _gc._tcp.Location1._sites.my.domain dc01.my.domain 3268
force update: SRV _ldap._tcp.Location1._sites.gc._msdcs.my.domain dc01.my.domain 3268
force update: A DomainDnsZones.my.domain 10.0.1.9
force update: SRV _ldap._tcp.DomainDnsZones.my.domain dc01.my.domain 389
force update: SRV _ldap._tcp.Location1._sites.DomainDnsZones.my.domain dc01.my.domain 389
force update: A ForestDnsZones.my.domain 10.0.1.9
force update: SRV _ldap._tcp.ForestDnsZones.my.domain dc01.my.domain 389
force update: SRV _ldap._tcp.Location1._sites.ForestDnsZones.my.domain dc01.my.domain 389
29 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
update(nsupdate): A dc01.my.domain 10.0.1.9
Calling nsupdate for A dc01.my.domain 10.0.1.9 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc01.my.domain. 900 IN A 10.0.1.9
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): CNAME a452ed54-667a-43d3-9182-21d84a4919a4._msdcs.my.domain dc01.my.domain
Calling nsupdate for CNAME a452ed54-667a-43d3-9182-21d84a4919a4._msdcs.my.domain dc01.my.domain (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a452ed54-667a-43d3-9182-21d84a4919a4._msdcs.my.domain. 900 IN CNAME dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS my.domain dc01.my.domain
Calling nsupdate for NS my.domain dc01.my.domain (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
my.domain. 900 IN NS dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS _msdcs.my.domain dc01.my.domain
Calling nsupdate for NS _msdcs.my.domain dc01.my.domain (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.my.domain. 900 IN NS dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A my.domain 10.0.1.9
Calling nsupdate for A my.domain 10.0.1.9 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
my.domain. 900 IN A 10.0.1.9
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.my.domain dc01.my.domain 389
Calling nsupdate for SRV _ldap._tcp.my.domain dc01.my.domain 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.my.domain. 900 IN SRV 0 100 389 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.dc._msdcs.my.domain dc01.my.domain 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain dc01.my.domain 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.my.domain. 900 IN SRV 0 100 389 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.32052c12-4458-47f7-adb0-95f7c16fc694.domains._msdcs.my.domain dc01.my.domain 389
Calling nsupdate for SRV _ldap._tcp.32052c12-4458-47f7-adb0-95f7c16fc694.domains._msdcs.my.domain dc01.my.domain 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.32052c12-4458-47f7-adb0-95f7c16fc694.domains._msdcs.my.domain. 900 IN SRV 0 100 389 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.my.domain dc01.my.domain 88
Calling nsupdate for SRV _kerberos._tcp.my.domain dc01.my.domain 88 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.my.domain. 900 IN SRV 0 100 88 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._udp.my.domain dc01.my.domain 88
Calling nsupdate for SRV _kerberos._udp.my.domain dc01.my.domain 88 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.my.domain. 900 IN SRV 0 100 88 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.dc._msdcs.my.domain dc01.my.domain 88
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain dc01.my.domain 88 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.my.domain. 900 IN SRV 0 100 88 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kpasswd._tcp.my.domain dc01.my.domain 464
Calling nsupdate for SRV _kpasswd._tcp.my.domain dc01.my.domain 464 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.my.domain. 900 IN SRV 0 100 464 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kpasswd._udp.my.domain dc01.my.domain 464
Calling nsupdate for SRV _kpasswd._udp.my.domain dc01.my.domain 464 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.my.domain. 900 IN SRV 0 100 464 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Location1._sites.my.domain dc01.my.domain 389
Calling nsupdate for SRV _ldap._tcp.Location1._sites.my.domain dc01.my.domain 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Location1._sites.my.domain. 900 IN SRV 0 100 389 dc01.my.domain.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Location1._sites.dc._msdcs.my.domain dc01.my.domain 389
Calling nsupdate for SRV _ldap._tcp.Location1._sites.dc._msdcs.my.domain dc01.my.domain 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Location1._sites.dc._msdcs.my.domain. 900 IN SRV 0 100 389 dc01.my.domain.
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kerberos._tcp.Location1._sites.my.domain dc01.my.inte rn 88 Calling nsupdate for SRV _kerberos._tcp.Location1._sites.my.domain dc01.my.i ntern 88 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kerberos._tcp.Location1._sites.my.domain. 900 IN SRV 0 100 88 dc01.my.inter n. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kerberos._tcp.Location1._sites.dc._msdcs.my.domain dadc0 1.my.domain 88 Calling nsupdate for SRV _kerberos._tcp.Location1._sites.dc._msdcs.my.domain da dc01.my.domain 88 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kerberos._tcp.Location1._sites.dc._msdcs.my.domain. 900 IN SRV 0 100 88 dc01 .my.domain. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.pdc._msdcs.my.domain dc01.my.domain 389 Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.my.domain dc01.my.domain 389 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.pdc._msdcs.my.domain. 900 IN SRV 0 100 389 dc01.my.domain. 
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): A gc._msdcs.my.domain 10.0.1.9 Calling nsupdate for A gc._msdcs.my.domain 10.0.1.9 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: gc._msdcs.my.domain. 900 IN A 10.0.1.9 ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _gc._tcp.my.domain dc01.my.domain 3268 Calling nsupdate for SRV _gc._tcp.my.domain dc01.my.domain 3268 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _gc._tcp.my.domain. 900 IN SRV 0 100 3268 dc01.my.domain. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.gc._msdcs.my.domain dc01.my.domain 3268 Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain dc01.my.domain 3268 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.gc._msdcs.my.domain. 900 IN SRV 0 100 3268 dc01.my.domain. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _gc._tcp.Location1._sites.my.domain dc01.my.domain 326 8 Calling nsupdate for SRV _gc._tcp.Location1._sites.my.domain dc01.my.domain 3268 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _gc._tcp.Location1._sites.my.domain. 900 IN SRV 0 100 3268 dc01.my.domain. 
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Location1._sites.gc._msdcs.my.domain dc01.mv z.domain 3268 Calling nsupdate for SRV _ldap._tcp.Location1._sites.gc._msdcs.my.domain dc01 .my.domain 3268 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.Location1._sites.gc._msdcs.my.domain. 900 IN SRV 0 100 3268 dc01.m vz.domain. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): A DomainDnsZones.my.domain 10.0.1.9 Calling nsupdate for A DomainDnsZones.my.domain 10.0.1.9 (add) Successfully obtained Kerberos ticket to DNS/dc01.my.domain as dc02$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: DomainDnsZones.my.domain. 900 IN A 10.0.1.9 ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.DomainDnsZones.my.domain dc01.my.domain 389 Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain dc01.my.domain ; TSIG error with server: tsig verify failure Failed nsupdate: 2 Failed update of 29 entries What came to my attention is, the duplicate 10...* IP with the DC01 as Host. I tried deleting duplicate or wrong pointed records but they appear again after refreshing - using samba-tool as well as rsat && The entries of the second site Location2 are also pointing to DC01. Will setting these correctly fix the dns issues? Can someone tell what is wrong? I'm worried rejoining will only mess them up even more. How would you troubleshoot this? |
Can postfix log source ports for inbound SMTP connections? Posted: 05 May 2022 05:57 AM PDT At the moment, postfix logs inbound connections like this: May 4 11:15:01 hostname postfix/smtpd[161025]: connect from unknown[192.0.2.1] This isn't enough information for hosting providers to respond to abuse reports where they use CGNAT. They need the source port to identify the offending customer. Is there any way to make postfix log the source port? Something like this would be ideal: May 4 11:15:01 hostname postfix/smtpd[161025]: connect from unknown[192.0.2.1:12345] |
VPN overlapping with network that provides access to internet Posted: 05 May 2022 06:54 AM PDT I have a computer which is connected to Network A with IP range 10.0.0.0/24. This network provides access to the internet and that's the only thing I need from Network A. My corporate VPN (Network B) is using IP range 10.0.0.0/8. I was thinking about somehow setting up NAT and route tables to translate Network B to 11.0.0.0/8. Is there a chance to do that? |
Shell script to check resolv.conf Posted: 05 May 2022 05:36 AM PDT I need to write a shell script which checks the contents of resolv.conf Eg domain example.com search abc.com abc.org abc.net nameserver 1.1.2.2 nameserver 3.3.4.4 abc.com /abc.org /abc.net can appear in any order nameserver line can appear in any order There could be spaces between the parameters. What is the logic that can be used to check the config Eg If abc.com is missing, it should highlight abc.com is missing |
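One way to implement the check the post above asks for, as an added example rather than code from the original post: a POSIX shell script that normalises resolv.conf (comments stripped, runs of blanks squeezed to one space), then verifies the expected domain, each expected search suffix and each expected nameserver independently of their order and spacing, printing one MISSING line per absent item. The expected values and the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a resolv.conf carries the
# expected domain, search list and nameservers, whatever their order and however
# the tokens are spaced, and name each missing item. Expected values are constructed.
EXPECTED_DOMAIN="example.com"
EXPECTED_SEARCH="abc.com abc.org abc.net"
EXPECTED_NS="1.1.2.2 3.3.4.4"

# normalize_resolv FILE: strip comments, squeeze blank runs to one space,
# trim both ends and drop empty lines, so later matching can be exact.
normalize_resolv() {
    sed -e 's/[#;].*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$'
}

# check_resolv FILE: prints one "MISSING <keyword> <value>" line per absent
# item and returns 0 only when everything expected is present.
check_resolv() {
    norm=$(normalize_resolv "$1")
    rc=0

    # domain: exactly one token after the keyword
    if ! printf '%s\n' "$norm" | awk -v d="$EXPECTED_DOMAIN" \
            '$1 == "domain" && $2 == d { found = 1 } END { exit !found }'; then
        echo "MISSING domain $EXPECTED_DOMAIN"
        rc=1
    fi

    # search: collect every token after the keyword, from any search line
    have_search=$(printf '%s\n' "$norm" | awk '$1 == "search" { for (i = 2; i <= NF; i++) print $i }')
    for s in $EXPECTED_SEARCH; do
        if ! printf '%s\n' "$have_search" | grep -qxF "$s"; then
            echo "MISSING search $s"
            rc=1
        fi
    done

    # nameserver: one address per line, any order
    have_ns=$(printf '%s\n' "$norm" | awk '$1 == "nameserver" { print $2 }')
    for n in $EXPECTED_NS; do
        if ! printf '%s\n' "$have_ns" | grep -qxF "$n"; then
            echo "MISSING nameserver $n"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs: one complete file and one missing abc.com and 3.3.4.4.
GOOD_RESOLV=$(mktemp)
BAD_RESOLV=$(mktemp)
trap 'rm -f "$GOOD_RESOLV" "$BAD_RESOLV"' EXIT
printf 'domain   example.com\nsearch abc.net   abc.com abc.org\nnameserver 3.3.4.4\nnameserver   1.1.2.2\n' > "$GOOD_RESOLV"
printf 'domain example.com\nsearch abc.net abc.org\nnameserver 1.1.2.2\n' > "$BAD_RESOLV"

check_resolv "$GOOD_RESOLV" && echo "good file: OK"
check_resolv "$BAD_RESOLV" || echo "bad file: problems found"
```

Point the script at `/etc/resolv.conf` instead of the constructed files to use it on a host; the non-zero return code lets a configuration-management or monitoring job fail the check without parsing the output.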
Powershell Cygwin copy data with Rsync remote as variable Posted: 05 May 2022 06:50 AM PDT I have a problem with Cygwin's rsync. With a Powershell script I am trying to transfer directories from a Novell server to a Windows server. The path for the source is a variable that comes from a CSV file.
Function CopyRsync ([string]$source,[string]$dest){
    $sourceRoot = "root@"+$source +"/"
    $dest = "/cygdrive/g/Shares/" +$dest
    cmd.exe /C "e:\cwRsync\bin\rsync.exe" -vrts --progress --whole-file --no-compress --no-checksum -e "/cygdrive/e/CWrsync/bin/ssh" $sourceRoot $dest --delete-before
}
$novel = 'server.domaine.local:/media/nss/rep01/Com/Com dir Soins info'
$dfs = "C:\temp\Rsync"
CopyRsync -source $novel -dest $dfs
If the source path in the variable does not contain a white space the script runs correctly, but if the path contains a white space the content of the variable will be parsed with quotes and the script stops running, because the SSH session receives "root@... as the user, with quotes at the beginning of the user root, like this:
"E:\cwRsync\bin\rsync.exe" -vrts --progress --whole-file --no-compress --no-checksum -e /cygdrive/e/CWrsync/bin/ssh "root@server.domaine.local:/media/nss/rep01/Com/Com dir Soins info/" /cygdrive/g/Shares/C:\temp\Rsync --delete-before
How can I parse a variable to ignore the quote from the script variable? |
SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: Posted: 05 May 2022 08:15 AM PDT A few months ago I started getting complaints from dozens of users about getting errors when connecting to my site. When I look into the error.log of nginx I see daily SSL errors: I have no idea what could cause this issue since 99% of users are getting through and I can't seem to replicate it myself. One user said that switching to a VPN fixed the issue for him. Other posts on stackoverflow suggested that this occurs with malicious requests from the same ip but that is not the case here. Does anyone know a fix to this? (I have not made any changes to this server/config in months.) The webserver is running on Ubuntu 20.10
Nginx error.log
2022/04/16 04:40:19 [crit] 809329#809329: *13542487 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 138.197.194.139, server: 0.0.0.0:443
2022/04/16 04:40:32 [crit] 809329#809329: *13542919 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 38.132.118.76, server: 0.0.0.0:443
2022/04/16 04:58:54 [crit] 809329#809329: *13564742 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 165.227.227.95, server: 0.0.0.0:443
2022/04/16 05:10:29 [crit] 809329#809329: *13578753 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 138.197.194.139, server: 0.0.0.0:443
2022/04/16 05:59:32 [crit] 809329#809329: *13638601 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 178.73.215.171, server: 0.0.0.0:443
2022/04/16 07:16:27 [crit] 809330#809330: *13730741 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 65.49.20.67, server: 0.0.0.0:443
2022/04/16 07:18:19 [crit] 809330#809330: *13733448 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 192.241.223.231, server: 0.0.0.0:443
2022/04/16 09:51:15 [crit] 809330#809330: *13937194 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 165.227.227.95, server: 0.0.0.0:443
Nginx config
server {
    server_name api.rekonise.com www.api.rekonise.com;
    location / {
        proxy_pass http://localhost:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/api.rekonise.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api.rekonise.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.api.rekonise.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = api.rekonise.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name api.rekonise.com www.api.rekonise.com;
    return 404; # managed by Certbot
} |
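When a handful of clients trip `tls_parse_ctos_key_share:bad key share` (OpenSSL rejecting the key_share extension of a ClientHello it cannot use) while most users connect fine, the first triage step is to see whether the failures concentrate on a few source addresses, as they do in the log above. The following is an added example, not code from the original post: shell functions that count nginx handshake failures per client address and per OpenSSL reason string and list repeat sources; the sample log is constructed from the error.log lines quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: triage nginx "SSL_do_handshake() failed"
# entries by client address and by OpenSSL reason, to tell one misbehaving client or
# scanner apart from a site-wide TLS problem. The sample is constructed from the
# error.log lines quoted in the post above.
SAMPLE_LOG=$(cat <<'EOF'
2022/04/16 04:40:19 [crit] 809329#809329: *13542487 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 138.197.194.139, server: 0.0.0.0:443
2022/04/16 04:40:32 [crit] 809329#809329: *13542919 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 38.132.118.76, server: 0.0.0.0:443
2022/04/16 04:58:54 [crit] 809329#809329: *13564742 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 165.227.227.95, server: 0.0.0.0:443
2022/04/16 05:10:29 [crit] 809329#809329: *13578753 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 138.197.194.139, server: 0.0.0.0:443
2022/04/16 05:59:32 [crit] 809329#809329: *13638601 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 178.73.215.171, server: 0.0.0.0:443
2022/04/16 07:16:27 [crit] 809330#809330: *13730741 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 65.49.20.67, server: 0.0.0.0:443
2022/04/16 07:18:19 [crit] 809330#809330: *13733448 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 192.241.223.231, server: 0.0.0.0:443
2022/04/16 09:51:15 [crit] 809330#809330: *13937194 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 165.227.227.95, server: 0.0.0.0:443
EOF
)

# handshake_failures_by_client: read error.log lines on stdin, print
# "<count> <client>" for each client address, most failures first.
handshake_failures_by_client() {
    grep 'SSL_do_handshake() failed' |
        sed -n 's/.*client: \([^,]*\),.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# handshake_reasons: print "<count> <reason>" for each OpenSSL reason string,
# e.g. "bad key share", so a single malformed-ClientHello pattern stands out.
handshake_reasons() {
    grep 'SSL_do_handshake() failed' |
        sed -n 's/.*SSL routines:[^:]*:\([^)]*\)).*/\1/p' |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# repeat_clients THRESHOLD: addresses with at least THRESHOLD failures, sorted.
repeat_clients() {
    handshake_failures_by_client | awk -v t="$1" '$1 >= t { print $2 }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | handshake_failures_by_client
printf '%s\n' "$SAMPLE_LOG" | handshake_reasons
printf '%s\n' "$SAMPLE_LOG" | repeat_clients 2
```

On a live host, feed `/var/log/nginx/error.log` to the functions instead of `$SAMPLE_LOG`; a small set of repeat addresses with one reason string points at specific clients (or scanners) rather than at the server's TLS configuration, which is what the access logs for those same addresses would confirm.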
AWS ElasticBeanstalk: Early termination of worker [puma] Loading development - gems? Posted: 05 May 2022 06:24 AM PDT I'm currently upgrading rails from 6 to 7 and so had to upgrade my eb platform-version as well (to run ruby-3.0). Now puma isn't able to start and is always looping through:
[13033] + Gemfile in context: /var/app/current/Gemfile
[13033] ! Unable to start worker
[13033] /opt/rubies/ruby-3.0.3/lib/ruby/site_ruby/3.0.0/bundler/runtime.rb:309:in `check_for_activated_spec!'
[13033] Early termination of worker
[13035] + Gemfile in context: /var/app/current/Gemfile
[13035] ! Unable to start worker
[13035] /opt/rubies/ruby-3.0.3/lib/ruby/site_ruby/3.0.0/bundler/runtime.rb:309:in `check_for_activated_spec!'
[13035] Early termination of worker
[13037] + Gemfile in context: /var/app/current/Gemfile
When I try to start manually, it is trying to load all the gems from the development-group (which of course aren't available) BUT WHY?!
$ bundle exec puma -p 3000 -e production
Could not find byebug-11.1.3, rspec-rails-3.9.1, graphiql-rails-1.8.0, spring-2.1.1, spring-watcher-listen-2.0.1, rack-cors-1.1.1, annotate-3.2.0, letter_opener-1.8.0, rspec-core-3.9.3, rspec-expectations-3.9.4, rspec-mocks-3.9.1, rspec-support-3.9.4, sprockets-rails-3.4.2, listen-3.7.1, launchy-2.5.0, diff-lcs-1.5.0, sprockets-4.0.3, rb-fsevent-0.11.1, rb-inotify-0.10.1, addressable-2.8.0, public_suffix-4.0.6 in any of the sources
Run `bundle install` to install missing gems.
RAILS_ENV/RACK_ENV are set to production for sure... Any ideas? :) UPDATE: The environment variables (properly set via aws-eb console) aren't available in the shell-session (eb ssh). Is that normal behavior? |
Is it possible, with Envoy Proxy, to apply an HTTP filter based on the URL? Posted: 05 May 2022 05:50 AM PDT As the title says, I would like an HTTP filter to apply only if the request is for certain URL path. Doing this at the route level is not possible, because my route is defined like this: - match: prefix: "/api/" route: cluster: some_backend_service prefix_rewrite: "/" But I would like to apply different (security related) filters for /api/foo than for /api/bar . I can't seem to find a way to do this looking at the documentation, is it even possible? Thanks. |
Trying to get windows scheduled task state in zabbix Posted: 05 May 2022 08:08 AM PDT I've just started using the following template to monitor my windows scheduled tasks: https://share.zabbix.com/operating-s...hes-planifiees So it works perfectly, but the only problem is it doesn't pull the scheduled task state (Disabled or Enabled). Now, I tried to edit the PowerShell script associated with the template myself and added the following lines:
switch ($ITEM) {
    "TaskStatus" {
        [string] $name = $ID
        $name1 = $name.replace('â','â').replace('à','à ').replace('ç','ç').replace('é','é').replace('è','è').replace('ê','ê')
        $pathtask = Get-ScheduledTask -TaskPath "*" -TaskName "$name1"
        $pathtask1 = $pathtask.Taskpath
        $taskResult = Get-ScheduledTask -TaskPath "$pathtask1" -TaskName "$name1" | Select State
        Write-Output ($taskResult.Status)
But it doesn't seem to work; I get the error below when I try to execute the item: Value of type "string" is not suitable for value type "Numeric (unsigned)". Value "" I get an empty value for some reason. Can anyone here help me please? :P Thank you! |
What options do I have if I need a firewall behind AWS network load balancer? Posted: 05 May 2022 07:17 AM PDT Today we're using WAF for Application Load Balancer and it's great, but WAF does not support Network Load Balancer. So we need a solution that will protect us behind or after the NLB. For example: 1. Firewall->NLB->App (best option for us) 2. NLB->Firewall->App Just to be clear, we must use NLB and not ALB because we need to use TCP and not HTTP/HTTPS, because we have many domains for which we provide SSL on our servers (using CaddyServer), so if we use ALB the SSL for these domain names will not work. Thanks for the help |
mount: wrong fs type, bad option, bad superblock on /dev/xvdf1, missing codepage or helper program, or other error Posted: 05 May 2022 08:25 AM PDT I am unable to mount more than one EBS volume in an EC2 instance. I have 3 EBS volumes which are 'root-volume' leftovers from previously terminated EC2 instances (named: /dev/xvdf1, /dev/xvdg1, /dev/xvde1). I was successfully able to mount /dev/xvde1 using the following command:
#mount /dev/xvde1 /home/ec2-user/xvde1
But when I repeat this procedure for xvdf1 and xvdg1 I am getting this error:
ec2-user]# mount -t xfs /dev/xvdf1 /home/ec2-user/xvdf1
**mount: wrong fs type, bad option, bad superblock on /dev/xvdf1, missing codepage or helper program, or other error
In some cases useful info is found in syslog - try dmesg | tail or so.**
Supporting outputs:
1) ec2-user]# lsblk
NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda    202:0   0   8G  0 disk
└─xvda1 202:1   0   8G  0 part /
xvdf    202:80  0   8G  0 disk
└─xvdf1 202:81  0   8G  0 part
xvdg    202:96  0   8G  0 disk
└─xvdg1 202:97  0   8G  0 part
xvde    202:64  0   8G  0 disk
└─xvde1 202:65  0   8G  0 part /home/ec2-user/xvde1* **-->I was able to mount this one successfully.**
ec2-user]# blkid
/dev/xvda1: LABEL="/" UUID="f25f5092-0401-4edb-9fac-c57f3c673803" TYPE="ext4" PARTLABEL="Linux" PARTUUID="893c59db-bd86-4d67-b40f-221bc82c14c8"
/dev/xvdf1: LABEL="/" UUID="f5bd1ae0-85b5-4686-85ff-ed8deb328c92" TYPE="xfs" PARTLABEL="Linux" PARTUUID="870dbb7e-9386-480b-a946-4d0f7ab5c405"
/dev/xvdg1: LABEL="/" UUID="f5bd1ae0-85b5-4686-85ff-ed8deb328c92" TYPE="xfs" PARTLABEL="Linux" PARTUUID="870dbb7e-9386-480b-a946-4d0f7ab5c405"
/dev/xvde1: LABEL="/" UUID="f5bd1ae0-85b5-4686-85ff-ed8deb328c92" TYPE="xfs" PARTLABEL="Linux" PARTUUID="870dbb7e-9386-480b-a946-4d0f7ab5c405"
ec2-user]# file -s /dev/xvdf1
*/dev/xvdf1: SGI XFS filesystem data (blksz 4096, inosz 512, v2 dirs)*
ec2-user]# file -s /dev/xvdg1
*/dev/xvdg1: SGI XFS filesystem data (blksz 4096, inosz 512, v2 dirs)*
ec2-user]# file -s /dev/xvde1
*/dev/xvde1: SGI XFS filesystem data (blksz 4096, inosz 512, v2 dirs)*
ec2-user]# mkfs -t xfs /dev/xvdf1 //Tried formatting xvdf1
*mkfs.xfs: No such file or directory* |
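The blkid output above shows /dev/xvdf1, /dev/xvdg1 and /dev/xvde1 carrying the same filesystem UUID, which is exactly the condition a quick check should surface before anyone reaches for mkfs. The following is an added example, not code from the original post: a shell function that reads blkid output and lists every UUID shared by more than one device, run here on a sample constructed from the lines quoted in the post. XFS will not mount a filesystem whose UUID matches one that is already mounted and reports the duplicate in dmesg; `mount -o nouuid` skips that check for a one-off mount, and `xfs_admin -U generate` gives a volume a fresh UUID.

```shell
#!/bin/sh
# Added example, not from the original post: report filesystem UUIDs shared by more
# than one block device, reading blkid output. The sample is constructed from the
# blkid lines quoted in the post.
SAMPLE_BLKID=$(cat <<'EOF'
/dev/xvda1: LABEL="/" UUID="f25f5092-0401-4edb-9fac-c57f3c673803" TYPE="ext4" PARTLABEL="Linux" PARTUUID="893c59db-bd86-4d67-b40f-221bc82c14c8"
/dev/xvdf1: LABEL="/" UUID="f5bd1ae0-85b5-4686-85ff-ed8deb328c92" TYPE="xfs" PARTLABEL="Linux" PARTUUID="870dbb7e-9386-480b-a946-4d0f7ab5c405"
/dev/xvdg1: LABEL="/" UUID="f5bd1ae0-85b5-4686-85ff-ed8deb328c92" TYPE="xfs" PARTLABEL="Linux" PARTUUID="870dbb7e-9386-480b-a946-4d0f7ab5c405"
/dev/xvde1: LABEL="/" UUID="f5bd1ae0-85b5-4686-85ff-ed8deb328c92" TYPE="xfs" PARTLABEL="Linux" PARTUUID="870dbb7e-9386-480b-a946-4d0f7ab5c405"
EOF
)

# duplicate_uuids: read blkid output on stdin; for every filesystem UUID that
# appears on more than one device print "<uuid> <dev> <dev> ...".
# The leading space in the pattern keeps PARTUUID= from being taken for UUID=.
duplicate_uuids() {
    awk '
        {
            dev = $1
            sub(/:$/, "", dev)
            if (match($0, / UUID="[^"]*"/)) {
                uuid = substr($0, RSTART + 7, RLENGTH - 8)
                count[uuid]++
                if (uuid in devs) devs[uuid] = devs[uuid] " " dev
                else devs[uuid] = dev
            }
        }
        END { for (u in count) if (count[u] > 1) print u, devs[u] }
    ' | sort
}

# On a live host run: blkid | duplicate_uuids
printf '%s\n' "$SAMPLE_BLKID" | duplicate_uuids
```

Cloned root volumes are the usual source of such collisions, so the check is worth running whenever volumes restored from snapshots or detached from other instances are attached to a host that already has one of them mounted.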
Send mail service start error Posted: 05 May 2022 08:08 AM PDT I installed sendmail on CentOS based on some tutorial. When I start sendmail, it shows a sendmail failed error. Here is the result of the following command:
systemctl status sendmail
sendmail.service - Sendmail Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/sendmail.service; enabled)
   Active: failed (Result: exit-code) since Sun 2015-08-23 10:57:25 EDT; 12min ago
Aug 23 10:57:25 test systemd[1]: Starting Sendmail Mail Transport Agent...
Aug 23 10:57:25 test systemd[1]: sendmail.service: control process exited, code=exited status=203
Aug 23 10:57:25 test systemd[1]: Failed to start Sendmail Mail Transport Agent.
Aug 23 10:57:25 test systemd[1]: Unit sendmail.service entered failed state. |
What are the space requirements for vm snapshots in Citrix XenServer 6.2? Posted: 05 May 2022 07:04 AM PDT As I understand it, the only way to do a live backup of a vm in XenServer is to make a snapshot, convert the snapshot to a template, then export the template (to another server), then delete the snapshot. What I can't find anywhere are the specs for how much space a snapshot takes, or how they work, plus I've had conflicting results from my trials so far (more on that below if anyone is interested). Are they supposed to be full copies right from the start? Or do they work on some sort of copy-on-write algorithm? Meaning they start at 0 size, and then grow over time (so if I delete them immediately after the export, I really won't need much disk space at all). That's my question - how much free space do I need to leave on a host in order to do backups of the VMs this way? Some more details on why I'm so confused (other than by the complete lack of documentation by Citrix on this topic): Our issue is that space is at a premium - our disks are not huge on the hosts - only a little over 200GB each (using SSDs). On one host, I get an error "The specified storage repository has insufficient space" when trying to take a snapshot of a 20G vm ... this host has 4 VMs currently on it (100+20+20+20=160). Yet on another host, with 2 x 100G VMs, I was able to take a snapshot of one of the VMs. I just noticed something odd in the storage tab on XenCenter:
Name / Type / Shared / Usage / Size / Virtual Allocation
Server1 / LVM / No / 98% (205.4 GB Used) / 207.6 GB / 200.4 GB
Server2 / Ext3 / No / 59% (120.9 GB Used) / 204.3 GB / 300 GB
I should note, there are no snapshots of any other VMs than what I mentioned. So the first server has got 40G too much in 'virtual allocation' ... the 2nd server allowed 300 to be allocated out of the 204 available? And only says 120 is used? |
Is it possible to add root ssh keys to /etc/ssh/keys-root/authorized_keys on ESX hosts without having to log into every box? Posted: 05 May 2022 07:04 AM PDT I have close to 70 ESX hosts that need to have the root SSH keys added to them. Is there a way to do this through vsphere or powercli, or will I have to manually SSH into each box and add the line to each file? |
sync a directory between OSX and Ubuntu Posted: 05 May 2022 07:42 AM PDT I need a good way to sync a directory between my OSX 10.6 laptop and my Ubuntu Desktop. Dropbox would obviously be a great choice, however the directory I need to sync is owned by root on both machines and fixing the permissions would screw up the situation I have going. I was considering just writing my own script using rsync (which would indeed be fun) but I'm wondering if perhaps there is something a bit more robust out there. I've heard of Unison, but I don't know very much about it. Would that be a good option for me, or can you come up with something better? Thanks! |