Tuesday, June 21, 2022

Recent Questions - Server Fault


Billing Dashboard for Multi-Cloud Platform

Posted: 21 Jun 2022 07:21 AM PDT

Our cloud platform is about 90% AWS based, with the rest on GCP and Azure. The finance department is requesting that we make a consolidated dashboard that details the monthly cost of each cloud platform.

Do you have any recommendations for a billing dashboard that includes billing information from multiple cloud platforms?

Thank you.

How can I redirect a range of ports from a server to another LAN device using iptables

Posted: 21 Jun 2022 07:17 AM PDT

I have a server and a few LAN devices that are hosting custom services on custom ports. All of the devices use Linux. Only the server is exposed to the internet (ports are forwarded).

I'm trying to redirect all traffic on a range of ports to a range of ports on device 1, for example:

server_ip: 192.168.5.5

device 1 ip: 10.0.0.1

A request on 192.168.5.5:4001 should be redirected to device 1 (10.0.0.1) on port 2001

I'm trying to redirect any traffic on the port range 4001:4050 to device1 on ports 2001:2050 and external ports should match internal ports (4001 -> 2001, 4002 -> 2002 ..etc)

I used the following iptables rules, and they worked fine for single-port redirection, but for the port range the ports do not match (4001 sometimes connects to 2005 where it should connect to 2001):

iptables rules:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 4000:4050 -j DNAT --to-destination Device_1_IP:2000-2050
iptables -t nat -A POSTROUTING -d device1_ip -p tcp --dport 2000:2050 -j SNAT --to-source Server public ip

I've also tried using rinetd but couldn't figure out how to redirect a whole port range.

Kind regards
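Added example, not part of the question above: with `--to-destination 10.0.0.1:2001-2050` the kernel selects a destination port from that range per connection and does not preserve the offset from the original port, which is exactly the 4001-to-2005 behaviour described. The script below emits one DNAT rule per port so the mapping is strictly 1:1, plus the FORWARD and SNAT rules for the return path. The interface names `eth0`/`eth1` and the server's device-facing address `192.168.5.5` are assumptions; adjust them to the real topology.

```sh
#!/bin/sh
# Added example (not from the post): strict 1:1 port-range forwarding with iptables.
# One DNAT rule per port, because a single rule with --to-destination IP:2001-2050
# picks a port from that range per connection instead of preserving the offset.
#
# Assumptions, not taken from the post: the internet-facing interface is $WAN_IF,
# the device at $DEVICE_IP is reached via $LAN_IF where this host has $LAN_ADDR.
# Set DRY_RUN=1 to print the commands instead of executing them.

DEVICE_IP="${DEVICE_IP:-10.0.0.1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_ADDR="${LAN_ADDR:-192.168.5.5}"

# Run or print one iptables command.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# portmap FIRST_EXT LAST_EXT FIRST_INT
# External port N -> DEVICE_IP:(N - FIRST_EXT + FIRST_INT), one rule each.
portmap() {
    ext="$1"; last="$2"; int="$3"
    while [ "$ext" -le "$last" ]; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$ext" \
            -j DNAT --to-destination "$DEVICE_IP:$int"
        ext=$((ext + 1)); int=$((int + 1))
    done
}

# forward_rules FIRST_INT LAST_INT
# Allow the forwarded connections and their replies, and SNAT them to this
# host's LAN address so the device answers via this host even when this host
# is not the device's default gateway.
forward_rules() {
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$DEVICE_IP" -p tcp \
        --dport "$1:$2" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$DEVICE_IP" -p tcp \
        --sport "$1:$2" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$DEVICE_IP" -p tcp \
        --dport "$1:$2" -j SNAT --to-source "$LAN_ADDR"
}

# Number of DNAT rules portmap would emit for a range (sanity check).
portmap_count() { ( DRY_RUN=1; portmap "$@" ) | grep -c -- '-j DNAT'; }

# The post's case: external 4001-4050 -> device ports 2001-2050.
apply_all() {
    [ -n "${DRY_RUN:-}" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
    portmap 4001 4050 2001
    forward_rules 2001 2050
}
# usage: DRY_RUN=1; . ./portmap.sh; apply_all   (drop DRY_RUN and run as root to apply)
```

The SNAT goes to the server's LAN-side address rather than its public IP, so the device's replies return to an address it can reach directly; if the device already uses the server as its default gateway, the SNAT rule can be dropped. Recent iptables releases also document a `/baseport` suffix on `--to-destination` for shifted ranges; confirm it is present in `man iptables-extensions` for your version before relying on it.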

Configure postfix to relay e-mails to G Suite without password

Posted: 21 Jun 2022 06:09 AM PDT

I am trying to configure Postfix to relay e-mails to our G Suite, but I am failing to do so. First of all, I have configured G Suite to route outgoing SMTP relay messages, as described here: Route outgoing SMTP relay messages through Google

Secondly, I installed CyberPanel (to ease the creation of local mailboxes), created an example domain with a mailbox, and tried to send e-mails. Obviously, that did not work, as I received the following error:

relay=smtp-relay.gmail.com[173.194.76.28]:587, delay=0.44, delays=0.1/0.01/0.28/0.05, dsn=5.7.1, status=bounced (host smtp-relay.gmail.com[173.194.76.28] said: 550-5.7.1 Invalid credentials for relay [My Public IP]. The IP address you've 550-5.7.1 registered in your G Suite SMTP Relay service doesn't match domain of 550-5.7.1 the account this email is being sent from. If you are trying to relay 550-5.7.1 mail from a domain that isn't registered under your G Suite account 550-5.7.1 or has empty envelope-from, you must configure your mail server 550-5.7.1 either to use SMTP AUTH to identify the sending domain or to present 550-5.7.1 one of your domain names in the HELO or EHLO command. For more 550-5.7.1 information, please visit 550 5.7.1 https://support.google.com/a/answer/6140680#invalidcred i127-20020a1c3b85000000b0039c371a8a66sm212039wma.23 - gsmtp (in reply to MAIL FROM command))

I then tried to force Postfix to send HELO as the primary domain in our G Suite:

# Force EHLO
smtp_always_send_ehlo = yes
smtp_helo_name = primarydomain.com

Other than that, Postfix's configuration is the default one. I have seen a lot of threads and posts regarding Postfix and Gmail/G Suite, but in all of them they achieve the relay through user authentication. I was wondering, since I am whitelisting the IP in G Suite, couldn't I achieve the same result without having to authenticate?

Any help/tips I would greatly appreciate.

Thank you.
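Added example, not part of the question above. The bounce text itself lists the three ways an IP-authenticated relay is accepted: the envelope-from domain is registered in the G Suite account, or the server uses SMTP AUTH, or it presents one of the account's domains in HELO/EHLO. The HELO setting in the question covers the third, so the remaining things to verify are `postconf -n smtp_helo_name` on the running instance and whether the CyberPanel test domain is actually registered in the account (and whether the relay's "Allowed senders" setting is restricted to your domains). This main.cf fragment shows a complete IP-authenticated relay setup without SASL; `primarydomain.com` stands for the registered domain, the CA bundle path is the Debian/Ubuntu one, and the sender rewrite is only for mailboxes in an unregistered local domain.

```ini
# /etc/postfix/main.cf  (added example fragment, not the poster's configuration)
relayhost = [smtp-relay.gmail.com]:587
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_always_send_ehlo = yes
smtp_helo_name = primarydomain.com
# No smtp_sasl_* settings: the relay authenticates this server by the public IP
# registered in the G Suite SMTP relay service, so outbound mail must leave from
# exactly that IP (watch NAT and IPv6).

# Only if the local mailbox domain is NOT registered in the G Suite account:
# rewrite the envelope sender into the registered domain before relaying.
sender_canonical_classes = envelope_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
# /etc/postfix/sender_canonical would contain, e.g.:
#   /^(.*)@cyberpanel-test\.example$/   ${1}@primarydomain.com
```

After editing, run `postfix reload` and watch `/var/log/mail.log` for the next `relay=smtp-relay.gmail.com` line; a `status=sent` there confirms the relay accepted the envelope sender.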

kube-apiserver logs that certificate has expired but it's not

Posted: 21 Jun 2022 06:31 AM PDT

The kube-apiserver pod prints the following log:

authentication.go:104] Unable to authenticate the request due to an error: x509: certificate has expired or is not yet valid

I already renewed all certs (renew certs).

admin.conf was copied to ~/.kube/config.
I deleted kubelet.conf and the files from /var/lib/kubelet/pki and then created new ones. After that, kubelet was restarted. I also restarted the apiserver pod, but it still prints the log that the certificate is expired.
The interesting thing is that I don't see any problems with the cluster. kubectl works as always.
I use version v1.17.6. My cluster has 2 master and 8 worker nodes. Any ideas?
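Added example, not part of the question above. The apiserver message is about a client presenting an expired certificate, so the remaining expired cert lives on whichever component still connects with old credentials: on v1.17 `kubeadm alpha certs renew all` rewrites the certificates and kubeconfigs on the node it runs on, but does not restart the controller-manager and scheduler static pods (which keep their old in-memory credentials), does not touch the second master, and does not renew kubelet client certs on the workers; `kubeadm alpha certs check-expiration` only covers the control-plane files. The script below lists the remaining lifetime of every certificate a kubeadm node presents, including those embedded in kubeconfigs, so it can be run on each master and worker. It assumes standard kubeadm paths and GNU date/coreutils plus openssl on a Linux host.

```sh
#!/bin/sh
# Added example (not from the post): list the expiry of every certificate a
# kubeadm node presents as a TLS client, including those embedded in kubeconfigs.
# Assumes standard kubeadm paths and GNU coreutils/openssl on a Linux host.

# notAfter of a PEM certificate, e.g. "Jun 21 06:31:00 2023 GMT"
cert_not_after() {
    out=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    echo "${out#notAfter=}"
}

# Seconds until the certificate in FILE expires; negative when already expired.
cert_seconds_left() {
    end=$(cert_not_after "$1") || return 1
    echo $(( $(date -d "$end" +%s) - $(date +%s) ))
}

# Same for the client certificate embedded in a kubeconfig
# (the base64 PEM under client-certificate-data:).
kubeconfig_cert_seconds_left() {
    tmp=$(mktemp) || return 1
    grep 'client-certificate-data:' "$1" | head -n1 | awk '{print $2}' | base64 -d > "$tmp"
    cert_seconds_left "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Report for one node; run on every master and worker.
report_node_certs() {
    for f in /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/etcd/*.crt \
             /var/lib/kubelet/pki/kubelet-client-current.pem; do
        [ -f "$f" ] || continue
        s=$(cert_seconds_left "$f") || { echo "$f: not a readable certificate"; continue; }
        printf '%-55s %6d days\n' "$f" $(( s / 86400 ))
    done
    for k in /etc/kubernetes/admin.conf /etc/kubernetes/controller-manager.conf \
             /etc/kubernetes/scheduler.conf /etc/kubernetes/kubelet.conf; do
        [ -f "$k" ] || continue
        s=$(kubeconfig_cert_seconds_left "$k") || { echo "$k: no embedded client cert (uses client-certificate: file?)"; continue; }
        printf '%-55s %6d days\n' "$k" $(( s / 86400 ))
    done
}
# usage (as root): report_node_certs
```

Any file reported with a negative or zero day count is a candidate for the failing client; after fixing it, restart the component that reads it (for the static pods, move the manifest out of /etc/kubernetes/manifests and back, or restart kubelet).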

WireGuard is losing connection for no reason. No connection issues

Posted: 21 Jun 2022 07:06 AM PDT

I really need some advice, cause I just don't know how to deal with my problem.

So, I have a WG "server" on Ubuntu 18.04.6 LTS, hosted in the Oracle free tier. I installed WireGuard using the well-known https://github.com/angristan/wireguard-install script. Then I generated several configs for my desktops, phones, etc. It connects and runs perfectly, but sometimes it just freezes for no reason. There are no connectivity issues or anything like that. The logs on the client side say something like this:

2022-06-21 03:01:01.845: [TUN] [win] Keypair 17 created for peer 1
2022-06-21 03:01:01.846: [TUN] [win] Sending keepalive packet to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:03:01.822: [TUN] [win] Sending handshake initiation to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:03:01.884: [TUN] [win] Receiving handshake response from peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:03:01.884: [TUN] [win] Keypair 16 destroyed for peer 1
2022-06-21 03:03:01.884: [TUN] [win] Keypair 18 created for peer 1
2022-06-21 03:03:01.884: [TUN] [win] Sending keepalive packet to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:05:02.058: [TUN] [win] Sending handshake initiation to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:05:02.106: [TUN] [win] Receiving handshake response from peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:05:02.106: [TUN] [win] Keypair 17 destroyed for peer 1
2022-06-21 03:05:02.106: [TUN] [win] Keypair 19 created for peer 1
2022-06-21 03:05:02.106: [TUN] [win] Sending keepalive packet to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:06:21.302: [TUN] [win] Retrying handshake with peer 1 (SERVER_IP:SERVER_PORT) because we stopped hearing back after 15 seconds
2022-06-21 03:06:21.302: [TUN] [win] Sending handshake initiation to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:06:26.423: [TUN] [win] Handshake for peer 1 (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying (try 2)
2022-06-21 03:06:26.423: [TUN] [win] Sending handshake initiation to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:06:31.471: [TUN] [win] Handshake for peer 1 (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying (try 3)
2022-06-21 03:06:31.473: [TUN] [win] Sending handshake initiation to peer 1 (SERVER_IP:SERVER_PORT)
2022-06-21 03:06:36.517: [TUN] [win] Handshake for peer 1 (SERVER_IP:SERVER_PORT) did not complete after 5 seconds, retrying (try 4)

If I reconnect WG client, it immediately connects and everything is ok.

Any advice? I tried experimenting with the PersistentKeepalive parameter (on both sides!), but that doesn't change anything.

My server cfg:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = SERVER_PORT
PrivateKey = M?????Uyg4r3mo=
PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -I FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -I INPUT -i ens3 -p udp --dport SERVER_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -D INPUT -i ens3 -p udp --dport SERVER_PORT -m state --state NEW,ESTABLISHED -j ACCEPT

### Client iphone
[Peer]
PublicKey = 0+V???????4HnM=
PresharedKey = s???????amJCxJyqcE=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

### Client mac
[Peer]
PublicKey = Tet4??????mI=
PresharedKey = Ld???r8=
AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128

My client cfg

[Interface]
PrivateKey = 4Bp????=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 8.8.8.8,1.1.1.1

[Peer]
PublicKey = 5R?????c=
PresharedKey = sY????E=
Endpoint = SERVER_IP:SERVER_PORT
AllowedIPs = 0.0.0.0/0,::/0

Some stats:

root@oraclevpn:~# wg show all
interface: wg0
  public key: 5R?????c=
  private key: (hidden)
  listening port: SERVER_PORT

peer: 0+?????nM=
  preshared key: (hidden)
  endpoint: 666.666.666.666:11111
  allowed ips: 10.66.66.2/32, fd42:42:42::2/128
  latest handshake: 2 minutes, 2 seconds ago
  transfer: 533.52 MiB received, 5.18 GiB sent
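Added example, not part of the question above. The client log shows the normal two-minute rekeys (keypairs 17, 18, 19) succeeding until 03:06:21, after which handshake initiations get no response until the client is reconnected, while `wg show` on the server only says the last handshake was two minutes ago. To correlate the two sides you need a server-side record of when each peer was last heard, which is what the check below produces from `wg show <iface> latest-handshakes` (one line per peer: public key, tab, Unix time; 0 means never). The 180-second threshold (the 120-second rekey timer plus a margin) is an assumption, and the sample input is constructed with placeholder keys.

```sh
#!/bin/sh
# Added example (not from the post): flag WireGuard peers whose last handshake is
# older than the rekey interval, from `wg show <iface> latest-handshakes`
# (one "<peer-public-key><TAB><unix-time>" line per peer, 0 = never).
# Run it from cron on the server with a timestamp in the output and match the
# timestamps against the client-side "stopped hearing back" entries.
STALE_AFTER="${STALE_AFTER:-180}"   # 120 s rekey timer plus margin (assumption)

# stale_peers NOW_EPOCH   (reads the wg output on stdin)
# prints "<pubkey> never" or "<pubkey> <age>s" for each stale peer
stale_peers() {
    awk -F '\t' -v now="$1" -v limit="$STALE_AFTER" '
        $2 == 0          { print $1 " never"; next }
        now - $2 > limit { print $1 " " (now - $2) "s" }
    '
}

# Constructed sample; the keys are placeholders, not real WireGuard keys.
SAMPLE_WG=$(printf 'peerA=\t1655790000\npeerB=\t1655789000\npeerC=\t0\n')
# live use:   wg show wg0 latest-handshakes | stale_peers "$(date +%s)"
# sample use: printf '%s\n' "$SAMPLE_WG" | stale_peers 1655790122
```

When a peer shows up as stale at the same moment the client logs its retries, compare the endpoint reported by `wg show wg0 endpoints` with the client's real public address and port: a changed port means the NAT mapping was replaced, and the server will only re-learn it from a packet the client manages to get through.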

How to log the port details in the nginx access log?

Posted: 21 Jun 2022 05:33 AM PDT

I maintain nginx as the load balancer for our servers. I am now keeping the access logs, and I need the details of the port on which I am receiving requests from the external servers.

For example, if any external server calls my server, I get the IP details in the access log; I also need the port through which the external server is calling my server.

How do I customize the log format in order to log the port number, like 8080 or 443?
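Added example, not part of the question above. nginx exposes both ports the question could mean as built-in variables: `$server_port` is the local port the request arrived on (80, 443, 8080), and `$remote_port` is the source port the calling server used. This fragment defines a log format that records both next to the addresses and attaches it to a listener; the file paths and port are placeholders.

```nginx
# added example fragment for nginx.conf (http context), not from the post
# $server_port = local port the request arrived on (80, 443, 8080 ...)
# $remote_port = source port on the calling server
log_format with_ports '$remote_addr:$remote_port -> $server_addr:$server_port '
                      '- $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

server {
    listen 8080;
    access_log /var/log/nginx/access.log with_ports;

    location / {
        proxy_pass http://backend_pool;   # placeholder upstream
    }
}
```

If another proxy or load balancer sits in front of this nginx, `$remote_addr:$remote_port` is that proxy's socket, not the original caller's; in that case the original port is only available if the front proxy forwards it (for example via the PROXY protocol and `$proxy_protocol_port`).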

Linux: telnet arrives to target but no response

Posted: 21 Jun 2022 05:14 AM PDT

We have a server in AWS that is trying to connect over TCP to an application on an on-premise server but fails. Initially we thought it might be a routing/firewall issue, so we tried to connect to that application using telnet on the specific port it's running on while running tcpdump on the on-premise server.

What we (think we) see is that we get the telnet connection request but nothing is sent back:

On the AWS server we run: telnet ON_PREMISE_IP PORT

On the On-Premise server we run tcpdump -i INTERFACE -n port PORT

And we see:

15:02:49.785795 IP AWS_IP.RANDOM_PORT > ON_PREMISE_IP.int-rcv-cntrl: Flags [S], seq 3124225083, win 62727, options [mss 1350,sackOK,TS val 576158266 ecr 0,nop,wscale 7], length 0

And on the AWS side we get: telnet: Unable to connect to remote host: No route to host

I've verified that we're listening on that port by running netstat:

sudo netstat -ltnp | grep PORT
tcp        0      0 ON_PREMISE_IP:PORT    0.0.0.0:*               LISTEN      PID/java

In addition to that we're able to establish connection from the on premise server to that same AWS server.

The on premise server is running CentOS 8 with kernel 4.18.0-305.19.1.el8_4.x86_64

I've no idea how to continue from here :/
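Added example, not part of the question above. telnet's "No route to host" is EHOSTUNREACH, which a Linux client reports when an ICMP host-unreachable (including the "admin prohibited" code) comes back in answer to its SYN. Since the SYN did reach the on-premise interface, the route exists; the usual source of that ICMP on a CentOS 8 host is firewalld's default REJECT, and a capture filter of `port PORT` never shows it because ICMP carries no port. The script below captures with ICMP included and classifies what happened to the SYN; the sample lines are constructed in tcpdump's text format using documentation address ranges.

```sh
#!/bin/sh
# Added example (not from the post): classify a tcpdump capture of a failing TCP connect.
# Capture on the listener WITH ICMP, because a firewall REJECT answers the SYN with an
# ICMP unreachable rather than a TCP segment, and a "port PORT" filter never shows it:
#     tcpdump -nni INTERFACE 'tcp port PORT or icmp' > capture.txt
#     classify_capture < capture.txt

classify_capture() {
    awk '
        / Flags \[S\],/                           { syn++ }
        / Flags \[S\.\],/                         { synack++ }
        / Flags \[R/                              { rst++ }
        / ICMP .*unreachable - admin prohibited/  { prohibited++ }
        / ICMP .*unreachable/                     { unreach++ }
        END {
            if (syn && synack)          v = "SYN answered with SYN-ACK: TCP is fine, look at the application/TLS layer"
            else if (syn && prohibited) v = "SYN rejected by a host firewall (REJECT with admin-prohibited): allow the port in firewalld/iptables"
            else if (syn && rst)        v = "SYN answered with RST: nothing listening on that address:port (check the bind address)"
            else if (syn && unreach)    v = "ICMP unreachable returned: routing/firewall on the listener or its gateway"
            else if (syn)               v = "SYN seen but never answered: DROP rule, rp_filter, or asymmetric return path"
            else                        v = "no SYN seen: traffic is not reaching this interface"
            printf "syn=%d synack=%d rst=%d icmp_unreach=%d admin_prohibited=%d\n%s\n",
                   syn, synack, rst, unreach, prohibited, v
        }'
}

# Constructed sample (documentation addresses): the SYN arrives and the listener's
# own firewall answers with admin-prohibited, which the client reports as
# "No route to host".
SAMPLE_REJECT='15:02:49.785795 IP 198.51.100.20.44722 > 192.0.2.15.9000: Flags [S], seq 3124225083, win 62727, options [mss 1350,sackOK,TS val 576158266 ecr 0,nop,wscale 7], length 0
15:02:49.785902 IP 192.0.2.15 > 198.51.100.20: ICMP host 192.0.2.15 unreachable - admin prohibited, length 68'

# The same SYN with no answer at all (silent DROP).
SAMPLE_DROP='15:02:49.785795 IP 198.51.100.20.44722 > 192.0.2.15.9000: Flags [S], seq 3124225083, win 62727, length 0'
# usage: printf '%s\n' "$SAMPLE_REJECT" | classify_capture
```

If the capture shows the admin-prohibited reply, `firewall-cmd --list-all` on the on-premise host will not list the port; `firewall-cmd --permanent --add-port=PORT/tcp && firewall-cmd --reload` opens it in the active zone. The fact that the reverse direction works is consistent with this, since outbound connections are allowed by default.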

Run cron without timelimit

Posted: 21 Jun 2022 05:10 AM PDT

I have a website where I need to run a cron job that writes a lot of data into the database. The problem is that the web host limits cron jobs to 5 minutes each, and the script needs to check a large database and then insert missing data or update existing data, which is not enough time for me. My plan is to rent a VPS to run these cron jobs continuously until the script finishes, but before that I want to test on a CentOS virtual machine and see whether this actually works.

How can I do this?

Unable to connect to SFTP neither using Filezilla nor PuTTY (client_loop: send disconnect: Broken pipe)

Posted: 21 Jun 2022 05:13 AM PDT

Everything was working this morning, but maybe I broke something with my SFTP user. In FileZilla, I was unable to download a file from my VirtualBox VM, so I decided to restart my FileZilla client, and then I was unable to reconnect.

Here are my configurations for /etc/ssh/sshd_config:

Subsystem       sftp    /usr/lib/openssh/sftp-server
Match group sftp
    ChrootDirectory /var/www
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

FileZilla output:

Status: Connecting to 127.0.0.1...
Status: Using username "sftpuser".
Command: Pass: **********
Error: Could not connect to server
Status: Waiting to retry...
Status: Connecting to 127.0.0.1...
Response: fzSftp started, protocol_version=11
Command: open "sftpuser@127.0.0.1" 22
Status: Using username "sftpuser".
Command: Pass: **********
Error: Could not connect to server

PuTTY output:

$ sftp sftpuser@127.0.0.1
client_loop: send disconnect: Broken pipe
Connection closed

SSH output:

$ ls -lua
total 28
drwxr-xr-x  5 www-data www-data  4096 june  21 00:00 .
drwxr-xr-x 15 root     root      4096 june  21 00:00 ..
drwxr-xr-x 27 www-data www-data 12288 june  21 00:00 foo
drwxrwxr-x 30 www-data www-data  4096 june  21 00:00 bar
drwxrwxr-x 27 www-data www-data  4096 june  21 00:00 baz

SSH log using journalctl -u ssh | tail -n 12:

june 21 00:00:00 developer sshd[14508]: Accepted password for sftpuser from 10.0.2.2 port 54811 ssh2
june 21 00:00:00 developer sshd[14508]: pam_unix(sshd:session): session opened for user sftpuser(uid=1001) by (uid=0)
june 21 00:00:00 developer sshd[14508]: pam_unix(sshd:session): session closed for user sftpuser
june 21 00:00:00 developer sshd[14653]: Accepted password for sftpuser from 10.0.2.2 port 54816 ssh2
june 21 00:00:00 developer sshd[14653]: pam_unix(sshd:session): session opened for user sftpuser(uid=1001) by (uid=0)
june 21 00:00:00 developer sshd[14653]: pam_unix(sshd:session): session closed for user sftpuser
june 21 00:00:00 developer sshd[15041]: Accepted password for sftpuser from 10.0.2.2 port 54817 ssh2
june 21 00:00:00 developer sshd[15041]: pam_unix(sshd:session): session opened for user sftpuser(uid=1001) by (uid=0)
june 21 00:00:00 developer sshd[15041]: pam_unix(sshd:session): session closed for user sftpuser
june 21 00:00:00 developer sshd[15119]: Accepted password for sftpuser from 127.0.0.1 port 54046 ssh2
june 21 00:00:00 developer sshd[15119]: pam_unix(sshd:session): session opened for user sftpuser(uid=1001) by (uid=0)
june 21 00:00:00 developer sshd[15119]: pam_unix(sshd:session): session closed for user sftpuser

I think it's a permission issue, but I don't know where I would have to look. Do you have any ideas?

Edit: I didn't mention it because it was obvious to me, but connecting with any other user over SSH works in PuTTY.

Thank you !

Disable connection tracking

Posted: 21 Jun 2022 04:44 AM PDT

I'm on Ubuntu 22.04 and I would like to disable connection tracking for UDP port 123, so I tried:

firewall-cmd --direct --add-rule ipv4 raw PREROUTING 1 -p udp --dport 123 -j NOTRACK
firewall-cmd --direct --add-rule ipv4 raw OUTPUT 1 -p udp --sport 123 -j NOTRACK

but this causes all traffic on that port to be blocked somehow. Can it be that it does not work because my firewalld uses nftables instead of iptables as the backend?

I also tried:

firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0 -p udp --dport 123 -j CT --notrack
firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0 -p udp --sport 123 -j CT --notrack
firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -p udp --dport 123 -j CT --notrack
firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -p udp --sport 123 -j CT --notrack
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 123 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --sport 123 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p udp --dport 123 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p udp --sport 123 -j ACCEPT

But it had the same result. What would be the right rules to use?

How to properly define ip6tables rule in ansible

Posted: 21 Jun 2022 04:36 AM PDT

On current system I have this rule for ip6tables

-A INPUT -d <ip6address> -p udp -m udp --dport <port> -m state --state NEW -j ACCEPT  

For new system I wrote an ansible playbook:

- name: Allow someport for ipv6
  ansible.builtin.iptables:
    chain: INPUT
    protocol: udp
    match: udp
    ip_version: ipv6
    ctstate: NEW
    destination_port: 'port'
    destination: 'ip6address'
    jump: ACCEPT
  tags:
    - iptables6

But when I try to play this I get an error:

{... "stderr_lines": ["ip6tables v1.8.7 (nf_tables): unknown option \"--destination-port\"", "Try `ip6tables -h' or 'ip6tables --help' for more information."], "stdout": "", "stdout_lines": []}  
  • Ansible 2.10.8
  • Debian 11

How to properly define this rule?

Office 365 and powershell: is there a way to get the list of devices where the user has signed in

Posted: 21 Jun 2022 06:16 AM PDT

Since we're already in 2022, I'm wondering if there's a PowerShell solution for getting a list of devices where the user has installed/activated Office 365. The only references I've found seem to indicate that the operation can't be done through PowerShell, but I'd like to confirm this.

Thanks.

Ansible dual log format

Posted: 21 Jun 2022 05:55 AM PDT

In the Ansible config I can set whether the output log should be human-readable or JSON. The human-readable format is displayed task by task as it runs, and JSON only after the play ends.

Is it possible to output the human-readable format to stdout and also create a log file in JSON format?

Usernames with spaces unable to login to Ubuntu machine joined to Windows AD domain

Posted: 21 Jun 2022 04:54 AM PDT

We have an Ubuntu 20.04 LTS (server) machine which has been joined to a Windows AD domain. The machine is able to fetch the list of all users in the AD domain using the 'getent passwd' command, and our hosts file is configured as below:

127.0.0.1 localhost
127.0.0.1 OurDomainName
(our Domain controller address) OurDomainName.in

However, users with a space in their Windows account usernames (for example, 'Charles B') are not able to log in to the Ubuntu machine, even after modifying NAME_REGEX to allow 'bad usernames'. There is no issue for users who do not have a space in their usernames; they are able to log in normally. We get the impression that even after adding the Ubuntu machine to the Windows domain, the Linux policy is somehow overriding the Windows domain policy, which has no problem with spaces in usernames.

Is there any way users with space in their Windows usernames can login to an Ubuntu machine joined to a Windows AD domain?

edit:

We have tried enclosing the usernames in double quotes ("), single quotes, and adding an escape sequence instead of the space, but it did not work.

EDIT 2: We have now tried using 'DOMAIN\Firstname Lastname' and "DOMAIN\Firstname Lastname" as well, but that did not work either.

CONFIGURATION:
Our configuration is as below:
Netplan: (DC address) along with Google DNS
AD: Kerberos authentication enabled.
We have set up automatic home directory creation for new users on the Ubuntu machine.
Our LDAP config is as below:
BASE dc=(our DC name),dc=in
URI ldap=//(DC IP address)
Windows AD server: we have enabled the setting 'Trust this computer for delegation to any service'.
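Added example, not part of the question above. `NAME_REGEX` only governs what `adduser` accepts when creating local accounts; it has no effect on domain logins. When the host resolves AD users through SSSD (which is what `realm join` sets up), the supported way to handle a space in `sAMAccountName` is the `override_space` option in the `[sssd]` section, which substitutes a chosen character so the user logs in as `charles_b` instead of `Charles B`. The fragment below assumes an SSSD-based join and uses the domain name from the hosts file above as a placeholder; the replacement character must be one that never occurs in real account names.

```ini
# /etc/sssd/sssd.conf  (added example, not the poster's file; assumes SSSD with the AD provider)
[sssd]
config_file_version = 2
services = nss, pam
domains = ourdomainname.in
# Replace the space in AD user and group names with "_" for Linux:
# "Charles B" is looked up and logs in as "charles_b".
override_space = _

[domain/ourdomainname.in]
id_provider = ad
access_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
```

After editing, run `systemctl restart sssd`, clear the cache with `sss_cache -E`, and confirm with `getent passwd charles_b` before testing a login; if the host uses winbind instead of SSSD, this option does not apply.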

GSSAPI Error: KDC has no support for encryption type on RHEL 8 joined to multi-domain AD forest

Posted: 21 Jun 2022 05:55 AM PDT

I have a simple M AD DS multi-domain forest setup with a parent domain and one sub-domain. I joined a RHEL 8 server successfully to the sub-domain by following this official documentation. All OSs have been set up using as many defaults as possible. I can successfully SSH into the RHEL server using an AD account of the sub-domain. But when I try to use an account of the parent domain, the login fails. As soon as I submit the username of the parent domain, journalctl reports the following error:

sssd_be[...]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)  

I checked the DCs of each domain and can confirm that all DCs support the same three default encryption types (which are stored in the msDS-SupportedEncryptionTypes attribute of each DC computer account):

  • RC4_HMAC_MD5
  • AES128_CTS_HMAC_SHA1_96
  • AES256_CTS_HMAC_SHA1_96

I also confirmed that RHEL 8 offers suitable encryption types (/etc/crypto-policies/back-ends/krb5.config):

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac

So, there should be two matches: aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96. As I already stated, it is working fine for the sub-domain. So, why is there no suitable encryption type for the parent domain?

Google Cloud Project with No Owner

Posted: 21 Jun 2022 05:53 AM PDT

We have a Google Cloud project on my team and the owner has since left the organization.

We still have access to the project because someone on my team is an editor, but editors cannot give others access. She is leaving the team and we are trying to give someone else access.

If there is no owner listed and the editor can't give access, does that mean there is no way to give anyone else access or assign a new owner? I have included a screenshot of the permissions page.

permission denied publickey using rsync with GCP

Posted: 21 Jun 2022 05:00 AM PDT

I'm trying to connect with rsync to a GCP vm. Whenever I do, I'm getting weird errors related to permissions.

I've checked that my username is part of the sudoers group, so I can't really see where the issue is coming from. I logged in to my GCP instance, which created a user dir under /home following my macOS username format.

Here are the commands I've been trying, and the results...

C02YT3UDLVDL:proj-name j.lname$ ssh -i ~/.ssh/google_compute_engine j.lname@xx.xxx.xxx.xx
The authenticity of host 'xx.xxx.xxx.xx (xx.xxx.xxx.xx)' can't be established.
ECDSA key fingerprint is SHA256:JW7VfidHTsAtq8JjF9bEkdfIjdskIAadfs80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xx.xxx.xxx.xx' (ECDSA) to the list of known hosts.

After which I try moving a test dir...

rsync -Pavz testDir/* xx.xxx.xxx.xx:/home/j.lname  

And get

ssh_exchange_identification: Connection closed by remote host
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(226) [sender=3.1.2]

Trying it one more time get:

$ rsync -Pavz testDir/* xx.xxx.xxx.xx:/home/j.lname/
The authenticity of host 'xx.xxx.xxx.xx (xx.xxx.xxx.xx)' can't be established.
ECDSA key fingerprint is SHA256:Q8kqWi3iyLno3Q8kqWi3iyLno3Q8kqWi3iyLno3.
ECDSA key fingerprint is MD5:ff:56:c3:21:cc:f1:a7:62:1b:72:bc:54:8e:f7:c8:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xx.xx.xx.xx' (ECDSA) to the list of known hosts.
Permission denied (publickey).

Edited:

At the advice of someone on here also tried

rsync -Pavz -e "ssh -i ~/.ssh/google_compute_engine" testDir/* j.lname@xx.xxx.xxx.xx:/home/j.lname/

And that time got:

bash: rsync: command not found
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(226) [sender=3.1.3]

SSSD+Samba+SSH GSSAPI authentication issues

Posted: 21 Jun 2022 07:02 AM PDT

I am configuring SSSD+Samba+SSH on CentOS 7.6. So far I have managed to get all three at least working. SSSD is configured and joined using realm join. Samba is configured and connected to AD via net ads join. However, for some reason I cannot get GSSAPI authentication to work with this combination. SSH constantly complains about a keytab/ticket issue. First, I noticed the kvno number became out of sync. SSH is attempting to use kvno 2, whereas the server has kvno 4. This causes GSSAPI authentication to fail and fall back to password login, which works.

secure.log

Apr 13 01:33:17 test-server sshd[10827]: debug1: Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/test-server.example.com@EXAMPLE.COM kvno 2 not found in keytab; ticket is likely out of date\n  

klist -kt

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM

I determined that this was because I did not delete the computer object from AD, though I don't know why SSH does not try to match the current kvno. I verified that AD is returning the correct number. After deleting the computer object, I repeated the steps to join. It re-created the computer object and reset the kvno to 2. However, now SSH complains that the keytab entry is encrypted using aes256-cts and it cannot decrypt the ticket.

secure.log

Apr 13 02:01:35 test-server sshd[13788]: debug1: Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/test-server.example.com@EXAMPLE.COM kvno 2 enctype aes256-cts found i   n keytab but cannot decrypt ticket\n  

klist -kt -e

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)

So what exactly am I doing wrong here? Is SSH supposed to always use kvno 2? What encryption is the keytab entry supposed to be for SSH to be able to read it? And how do I configure the encryption?
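A keytab like the one above is worth auditing before debugging the GSSAPI failure, because two things in it matter to a server: a ticket can only be decrypted if the keytab holds an entry with the same principal, kvno and enctype the KDC used, and any single-DES or RC4 (arcfour) entries are keys a defender should plan to retire. The following is an added example, not code from the question; it parses `klist -k` output, reports per principal which kvnos and enctypes are present, and checks whether a specific (principal, kvno, enctype) key exists. The excerpt it parses is a constructed subset of the listing above, and the weak-enctype list is my own choice for the example.

```python
import re
from collections import defaultdict

# Enctypes a defender should treat as weak: single DES and RC4 (arcfour).
# This list is an assumption made for the example, not something from the question.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-exp"}

# Constructed excerpt of the `klist -k` listing shown in the question (entries copied from it).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry as `klist -k` (MIT, with enctypes shown) prints it.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


def parse_klist(text):
    """Parse `klist -k` output into a list of (kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["principal"], m["enctype"]))
    return entries


def has_key(entries, principal, kvno, enctype):
    """A service can decrypt a ticket only if the keytab holds the key with the same
    principal, kvno and enctype the KDC used when it issued that ticket."""
    return (kvno, principal, enctype) in entries


def audit_keytab(entries):
    """Per principal: kvnos present, the current (highest) kvno, weak enctypes, AES present."""
    by_principal = defaultdict(lambda: {"kvnos": set(), "enctypes": set()})
    for kvno, principal, enctype in entries:
        by_principal[principal]["kvnos"].add(kvno)
        by_principal[principal]["enctypes"].add(enctype)
    report = {}
    for principal, info in by_principal.items():
        report[principal] = {
            "kvnos": sorted(info["kvnos"]),
            "current_kvno": max(info["kvnos"]),
            # More than one kvno means older keys are still in the file.
            "stale_kvnos": len(info["kvnos"]) > 1,
            "weak_enctypes": sorted(info["enctypes"] & WEAK_ENCTYPES),
            "has_aes": any(e.startswith("aes") for e in info["enctypes"]),
        }
    return report


if __name__ == "__main__":
    keys = parse_klist(SAMPLE_KLIST)
    for principal, info in audit_keytab(keys).items():
        print(principal, info)
```

On the listing in the question this reports both kvno 2 and kvno 3 for every principal, which is consistent with the keytab having been generated twice sixteen seconds apart (in AD the kvno is the account's msDS-KeyVersionNumber, which increments on each password reset). The `has_key` check is the one to run with the kvno and enctype from the client's `KRB5_TRACE` output or from the service ticket in `klist -e`: if that triple is absent, no amount of other configuration makes the server able to read the ticket.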

Why am I only achieving 2.5Gbps over a 10Gbe direct connection between 2 machines?

Posted: 21 Jun 2022 04:50 AM PDT

I have 2 machines directly connected to each other with a 7 foot Cat6a ethernet cable (included in the box of the NIC cards). The PCIe x4 NIC I bought and installed in both machines is this: https://www.amazon.com/gp/product/B07CW2C2J1

I'm trying to debug why I'm getting almost exactly 2500Mbps transfer between these 2 machines. Any tips or obvious errors I'm overlooking to achieve closer to 10Gbps?

Here is what I've tested:


Configuration (Machine A)

Machine A ifconfig:

enp7s0    Link encap:Ethernet  HWaddr 24:5e:be:2c:c1:53
          inet addr:2.0.0.20  Bcast:2.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::265e:beff:fe2c:c153/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17225416 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7021731 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:25712055299 (25.7 GB)  TX bytes:9701557546 (9.7 GB)

Machine A ip link:

3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 24:5e:be:2c:c1:53 brd ff:ff:ff:ff:ff:ff

Machine A ethtool enp7s0:

Settings for enp7s0:
    Supported ports: [ TP ]
    Supported link modes:   100baseT/Full
                            1000baseT/Full
                            10000baseT/Full
    Supported pause frame use: Symmetric
    Supports auto-negotiation: Yes
    Advertised link modes:  100baseT/Full
                            1000baseT/Full
                            10000baseT/Full
    Advertised pause frame use: Symmetric
    Advertised auto-negotiation: Yes
    Speed: 10000Mb/s
    Duplex: Full
    Port: Twisted Pair
    PHYAD: 0
    Transceiver: external
    Auto-negotiation: on
    MDI-X: Unknown
    Supports Wake-on: g
    Wake-on: g
    Link detected: yes

Configuration (Machine B)

Machine B ifconfig:

enp101s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 2.0.0.10  netmask 255.255.255.0  broadcast 2.0.0.255
        inet6 fe80::265e:beff:fe2c:c0dc  prefixlen 64  scopeid 0x20<link>
        ether 24:5e:be:2c:c0:dc  txqueuelen 1000  (Ethernet)
        RX packets 2332894765  bytes 3532248694886 (3.5 TB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 107128853  bytes 32005739542 (32.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Machine B ip link:

3: enp101s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 24:5e:be:2c:c0:dc brd ff:ff:ff:ff:ff:ff

Machine B ethtool enp101s0:

Settings for enp101s0:
    Supported ports: [ TP ]
    Supported link modes:   100baseT/Full
                            1000baseT/Full
                            10000baseT/Full
                            2500baseT/Full
                            5000baseT/Full
    Supported pause frame use: Symmetric
    Supports auto-negotiation: Yes
    Supported FEC modes: Not reported
    Advertised link modes:  100baseT/Full
                            1000baseT/Full
                            10000baseT/Full
                            2500baseT/Full
                            5000baseT/Full
    Advertised pause frame use: Symmetric
    Advertised auto-negotiation: Yes
    Advertised FEC modes: Not reported
    Speed: 10000Mb/s
    Duplex: Full
    Port: Twisted Pair
    PHYAD: 0
    Transceiver: internal
    Auto-negotiation: on
    MDI-X: Unknown
    Link detected: yes

Debug Steps So Far

I did a netcat on /dev/zero on one machine to /dev/null on the other (B -> A):

3.15GiB 0:00:09 [ 353MiB/s]  

I also ran iperf with 2 window sizes (the default 64k and the below 256k) and saw identical results:

iperf -s -w 256k
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size:  416 KByte (WARNING: requested  250 KByte)
------------------------------------------------------------
[  4] local 2.0.0.10 port 5001 connected with 2.0.0.20 port 55364
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  2.85 GBytes  2.45 Gbits/sec

Just to test to make sure and remove the network variable in the transfer:

cat /dev/zero | pv > /dev/null
21.0GiB 0:00:04 [5.18GiB/s]

Exchange 2013 ContentIndex State Failed

Posted: 21 Jun 2022 05:00 AM PDT

I have a two node Exchange 2013 (CU15) DAG. The mailbox servers are performing well except that you cannot search in Outlook client or OWA. Most articles I find are from 2013 and discuss a ContentSubmitters group in AD. I'm not certain, but I don't think that is relevant to CU15. I just migrated from Exchange 2010 in March-April.

The services, Exchange Search and Exchange Search Host Controller start. I have stopped these services, deleted the GUID.Single folders and restarted the services, but no new GUID folders were created. I rebooted the server and problem persists.

[PS] C:\Windows\system32>Get-MailboxDatabaseCopyStatus

Name                                          Status          CopyQueue ReplayQueue LastInspectedLogTime   ContentIndex
                                                              Length    Length                             State
----                                          ------          --------- ----------- --------------------   ------------
DB05\MBX01                                    Healthy         0         1           6/22/2017 9:54:53 AM   Failed
DB04\MBX01                                    Healthy         0         0           6/22/2017 9:53:50 AM   Failed
DB03\MBX01                                    Healthy         0         0           6/22/2017 9:53:45 AM   Failed
DB02\MBX01                                    Healthy         0         0           6/22/2017 9:53:44 AM   Failed
DB01\MBX01                                    Healthy         0         0           6/22/2017 9:52:15 AM   Failed

[PS] C:\Windows\system32>Get-MailboxDatabaseCopyStatus | FL conte*

ContentIndexState            : Failed
ContentIndexErrorMessage     : The database has been dismounted.
ContentIndexErrorCode        : 4
ContentIndexVersion          :
ContentIndexBacklog          :
ContentIndexRetryQueueSize   :
ContentIndexMailboxesToCrawl :
ContentIndexSeedingPercent   :
ContentIndexSeedingSource    :
ContentIndexServerSource     :

[PS] C:\Windows\system32>Update-MailboxDatabaseCopy -identity db01\mbx01 -CatalogOnly

Confirm
Are you sure you want to perform this action?
Seeding database copy "DB01\MBX01".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Seeding of content index catalog for database 'DB01' failed. Please verify that the Microsoft Search
(Exchange) and the Host Controller service for Exchange services are running and try the operation again.
Error: There was no endpoint listening at
net.tcp://localhost:3863/Management/SeedingAgent-4FEA91B2-FD60-4743-B03A-08B319F04DB312/Single that could accept the
message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more
details..

And finally, in CMD I checked the tcp port status.

netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3863           0.0.0.0:0              LISTENING       3076

Slab reclaimable memory is not freed when needed

Posted: 21 Jun 2022 06:07 AM PDT

Correct me if I am wrong, but to my understanding slab reclaimable holds cached kernel objects which can be freed if needed. So if an application needs to allocate more space, even if the 'free' memory is low, the OS will drop some pages from slab reclaimable and provide the application with the requested amount of memory (unless it's not possible).

This is how my memory looks: Mem graph and /proc/meminfo output:

MemTotal:        8171852 kB
MemFree:          825892 kB
MemAvailable:    6273852 kB
Buffers:          227448 kB
Cached:          1261944 kB
SwapCached:        15324 kB
Active:          2582260 kB
Inactive:         499232 kB
Active(anon):    1460764 kB
Inactive(anon):   131340 kB
Active(file):    1121496 kB
Inactive(file):   367892 kB
Unevictable:          32 kB
Mlocked:              32 kB
SwapTotal:        524284 kB
SwapFree:         440372 kB
Dirty:               372 kB
Writeback:             0 kB
AnonPages:       1579556 kB
Mapped:            40500 kB
Shmem:                 4 kB
Slab:            4113080 kB
SReclaimable:    4061308 kB
SUnreclaim:        51772 kB
KernelStack:        6992 kB
PageTables:        70692 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:     4610208 kB
Committed_AS:    2644508 kB
VmallocTotal:   34359738367 kB
VmallocUsed:           0 kB
VmallocChunk:          0 kB
DirectMap4k:       14200 kB
DirectMap2M:     2082816 kB
DirectMap1G:     8388608 kB

First thing I noticed is that the slab and cache are an exact copy of memory used, meaning it is constant.

To the problem:

Sometimes when free memory reaches values around 100 MB, the OOM-killer is invoked, killing vital processes (php, clamd, ...). How is that possible? Shouldn't the OS free slab reclaimable before invoking OOM?

Things I tried

I tried setting

vm.vfs_cache_pressure=10000  

thinking it will force the kernel to drop more caches, but the graph didn't change, even after 24H.

Perhaps it's a bug in the kernel itself: https://bugzilla.kernel.org/buglist.cgi?quicksearch=oom&list_id=904801
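The accounting behind the question is easy to get wrong when reading /proc/meminfo by eye, so here is an added example (not from the question) that parses the file and shows how MemFree, MemAvailable and SReclaimable relate. The kernel's own MemAvailable estimate already counts the reclaimable slab and most of the page cache, which is why a monitor or an OOM alert should key on MemAvailable rather than MemFree. The sample below is a constructed excerpt of the /proc/meminfo shown above; whether the reclaim actually happens in time under pressure is the open question in the post, and the example only gets the bookkeeping right, it does not answer that.

```python
import re

# Constructed excerpt of the /proc/meminfo from the question (values copied from it).
SAMPLE_MEMINFO = """\
MemTotal:        8171852 kB
MemFree:          825892 kB
MemAvailable:    6273852 kB
Buffers:          227448 kB
Cached:          1261944 kB
SwapCached:        15324 kB
Shmem:                 4 kB
Slab:            4113080 kB
SReclaimable:    4061308 kB
SUnreclaim:        51772 kB
VmallocTotal:   34359738367 kB
"""

# Field lines look like "Name:   <number> kB"; a few (HugePages_*) have no unit.
FIELD_RE = re.compile(r"^(\S+):\s+(\d+)(?:\s+kB)?\s*$")


def parse_meminfo(text):
    """Parse /proc/meminfo text into {field: value_in_kB}."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def reclaim_summary(info):
    """Relate free, available and reclaimable-slab figures to MemTotal."""
    total = info["MemTotal"]
    free = info["MemFree"]
    available = info["MemAvailable"]
    sreclaimable = info["SReclaimable"]
    page_cache = info["Cached"] + info["Buffers"]
    # A naive "could be freed" sum; the kernel's MemAvailable is lower because it
    # keeps back the low watermarks and pagecache it will not drop (e.g. Shmem).
    naive_reclaimable = free + page_cache + sreclaimable
    return {
        "free_pct": round(100 * free / total, 1),
        "available_pct": round(100 * available / total, 1),
        "sreclaimable_pct": round(100 * sreclaimable / total, 1),
        "unreclaimable_slab_kb": info["SUnreclaim"],
        "held_back_kb": naive_reclaimable - available,
    }


def should_alert(info, min_available_pct=10.0):
    """Alert on MemAvailable, not MemFree: low MemFree with high MemAvailable is normal
    on a box whose kernel caches are doing their job."""
    return 100 * info["MemAvailable"] / info["MemTotal"] < min_available_pct


if __name__ == "__main__":
    info = parse_meminfo(SAMPLE_MEMINFO)
    print(reclaim_summary(info))
    print("alert:", should_alert(info))
```

For the numbers in the post this gives roughly 10% free, 77% available and half of RAM in reclaimable slab, i.e. the kernel itself considers that slab reclaimable. When an OOM event nevertheless fires, the kernel's OOM report in dmesg (with its per-zone free/min/low counts and the slab_reclaimable line) is the thing to capture, because it shows what the allocator saw at that instant rather than the steady-state picture in /proc/meminfo.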

Forwarding Application Logs using nxlog

Posted: 21 Jun 2022 04:05 AM PDT

I want to parse the Request URL field in the message of application Event Logs by nxlog to Kibana, but I am not able to parse it as a separate field.

Please suggest what to do in it.

Is the Kerberos SPN FQDN significant to the server, or is the keytab enough?

Posted: 21 Jun 2022 04:05 AM PDT

I spend most of my time as a developer, so I'm not familiar with all the details...

I have a service running on a Linux host. I want to use Kerberos to transmit identity information to the service. Some of my clients are Windows clients attached to AD, so they already have a ticket. I understand how to use kinit to get a ticket on my *nix clients, and have verified that I can do so. I have an /etc/krb5.conf file that seems to work on my *nix clients.

I understand I need to do the following...

  1. Ask the AD admin to generate a keytab for a particular SPN.
  2. Place the keytab on my server in a place where the service can find it.
  3. Configure the clients to use the ticket and the SPN to get a token from the Kerberos infrastructure.
  4. Configure the service to receive the token and decode it using the keytab.

Here is my issue...

The SPN is usually in the form of service_name/FQDN@domain_name. My clients, however, don't construct the SPN using the host name of the service. Instead the SPN is set in a configuration file. It would be easiest for me if I could create a single SPN and use it on each instance of my server.

So I would then do the following...

  1. Create an SPN of the form service_name/some_dummy_name@domain_name.
  2. Generate the keytab and copy it to svr1.mycompany.mydomain, svr2.mycompany.mydomain, ..., svrX.mycompany.mydomain.
  3. Configure my clients with the single SPN.

I seem to think that this will work, in that the same SPN/keytab can be used on several servers with different host names when servers are clustered.

To boil it down - is the FQDN part of an SPN significant to the server, or is it just there so that typical clients can generate the proper SPN? If several servers have the same keytab, can they receive and validate the same tokens, or is something else required?

Just to emphasize, the service is a Java app on Linux, the clients are Java apps on Windows and *nix. AD would provide the Kerberos server infrastructure.

Restore (or re-add) SharePoint - 80 Website that was deleted from IIS6

Posted: 21 Jun 2022 06:07 AM PDT

In the IIS Manager the website SharePoint - 80 was deleted.

What is the best way to restore the site settings? I tried to add it manually and point it at the folder, but that doesn't seem to work. Are there special settings that need to be added?

** EDIT **

I was able to get a copy of the MetaBase.xml file from IIS, can this file be replaced or the missing section just be added back in?

Where is the host file located on OpenVMS systems?

Posted: 21 Jun 2022 06:55 AM PDT

Hosts (file) entry on Wikipedia has a table listing the location name of the hosts file (which maps hostnames to IP addresses) on various systems. Where is this info stored on OpenVMS systems?

Can ping, can establish SSH connection in one way but not on other way

Posted: 21 Jun 2022 07:02 AM PDT

First of all, sorry for my English.

We're facing a very strange problem with SSH connection between two specific servers.

Let's say we have X1, X2 and Y servers, where X1 and X2 are behind the same firewall, have the same operating system installed, and use the same configuration for everything that's possibly related to the situation.

We don't have any iptables rule set on server Y to allow or block only certain IPs or anything like that, but anyway... X1 and X2 communicate with the outside using the same IP address.

PROBLEM: Server X1 cannot connect to server Y via SSH. It gets a response on ping, but nothing else, no other service on any other port succeeds to connect.

X2 or any other server can connect to X1, and X1 can connect to any other server except Y1.

[root@X1]# ssh -v root@Y1
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to Y1 [Y1] port 22.
** It stalls here **

We've restarted both servers and firewalls.

We've tested connecting from X1 to Y on a different port without configuring that port, and instead of stalling we get connection refused. If we configure the Y1 SSH daemon to accept connections on that port and do the same test again... it stalls on that newly configured port too.

Does SQL Server Express 2008 R2 eliminate the need to install MS SQL Server 2008 Express then SP1?

Posted: 21 Jun 2022 04:31 AM PDT

To install SQL Server 2008 plus SP1 on Win 7 machines, you have the following options:

  1. install the deployment (runtime only - no management tools) version with SP1 built in

  2. install the pre-SP1 version (with tools), then upgrade to SP1 (either by downloading SP1, or running windows update -- in either case a 262 MB download, because SP1 is for all editions of SQL server, not just the express edition)

Discussed in this article: social.msdn.microsoft.com/Forums/en-US/sqlexpress/thread/6b31a657-fe8a-4d72-a82f-b795f8b1daa3

"Microsoft Update experience far superior to having to run through the installer (again) and recommend using this approach rather than downloading and running the SP manually."

...except that it is 262 MB a pop.

  1. I then found a SP1 download here: Link

Does SQL Server Express 2008 R2 eliminate the need for this process?

DKIM error: dkim=neutral (bad version) header.i=

Posted: 21 Jun 2022 07:40 AM PDT

I've been struggling the last couple of hours with setting up DKIM on my Postfix/CentOS 5.3 server.

It finally sends and signs the emails, but apparently Google still does not like it. The errors I'm getting are:

dkim=neutral (bad version) header.i=@mydomain.com.au

from Google's "show original" interface.

This is what my DKIM-Signature header looks like:

v=1; a=rsa-sha1; c=simple/simple; d=mydomain.com.au; s=default; t=1267326852; bh=0wHpkjkf7ZEiP2VZXAse+46PC1c=; h=Date:From:Message-Id:To:Subject; b=IFBaqfXmFjEojWXI/WQk4OzqglNjBWYk3jlFC8sHLLRAcADj6ScX3bzd+No7zos6i KppG9ifwYmvrudgEF+n1VviBnel7vcVT6dg5cxOTu7y31kUApR59dRU5nPR/to0E9l dXMaBoYPG8edyiM+soXo7rYNtlzk+0wd5glgFP1I=

Very appreciative of any suggestions as to how I can solve this problem!

Btw, here is exactly how I installed dkim-milter in CentOS 5.3 for postfix, if anyone is interested (based on this guide):

mkdir dkim-milter
cd dkim-milter

wget http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.3-1.x86_64.rpm
======S======
Newest version: http://www.topdog-software.com/oss/dkim-milter/
======E======

rpm -Uvh dkim-milter-2.8.3-1.x86_64.rpm
/usr/bin/dkim-genkey -r -d mydomain.com.au

======S======
add contents of default.txt to DNS as TXT
_ssp._domainkey TXT dkim=unknown
_adsp._domainkey TXT dkim=unknown
default._domainkey TXT v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GWETBNiQKBgQC5KT1eN2lqCRQGDX+20I4liM2mktrtjWkV6mW9WX7q46cZAYgNrus53vgfl2z1Y/95mBv6Bx9WOS56OAVBQw62+ksXPT5cRUAUN9GkENPdOoPdpvrU1KdAMW5c3zmGOvEOa4jAlB4/wYTV5RkLq/1XLxXfTKNy58v+CKETLQS/eQIDAQAB
======E======

mv default.private default
mkdir /etc/mail/dkim/keys/mydomain.com.au
mv default /etc/mail/dkim/keys/mydomain.com.au
chmod 600 /etc/mail/dkim/keys/mydomain.com.au/default
chown dkim-milt.dkim-milt /etc/mail/dkim/keys/mydomain.com.au/default

vim /etc/dkim-filter.conf
======S======
ADSPDiscard             yes
ADSPNoSuchDomain        yes
AllowSHA1Only           no
AlwaysAddARHeader       no
AutoRestart             yes
AutoRestartRate         10/1h
BaseDirectory           /var/run/dkim-milter
Canonicalization        simple/simple
Domain                  mydomain.com.au #add all your domains here and separate them with comma
ExternalIgnoreList      /etc/mail/dkim/trusted-hosts
InternalHosts           /etc/mail/dkim/trusted-hosts
KeyList                 /etc/mail/dkim/keylist
LocalADSP               /etc/mail/dkim/local-adsp-rules
Mode                    sv
MTA                     MSA
On-Default              reject
On-BadSignature         reject
On-DNSError             tempfail
On-InternalError        accept
On-NoSignature          accept
On-Security             discard
PidFile                 /var/run/dkim-milter/dkim-milter.pid
QueryCache              yes
RemoveOldSignatures     yes
Selector                default
SignatureAlgorithm      rsa-sha1
Socket                  inet:20209@localhost
Syslog                  yes
SyslogSuccess           yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  dkim-milt:dkim-milt
X-Header                yes
======E======

vim /etc/mail/dkim/keylist
======S======
*@mydomain.com.au:mydomain.com.au:/etc/mail/dkim/keys/mydomain.com.au/default
======E======

vim /etc/postfix/main.cf
======S====== Add:
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_protocol = 2
milter_default_action = accept
======E======

vim /etc/mail/dkim/trusted-hosts
======S======
localhost
127.0.0.1
======E======

/etc/mail/local-host-names
======S======
localhost
127.0.0.1
======E======

/sbin/chkconfig dkim-milter on
/etc/init.d/dkim-milter start
/etc/init.d/postfix restart
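Both the DKIM-Signature header and the selector TXT record are tag=value lists (RFC 6376 section 3.2), and a "bad version" style verdict is easiest to narrow down by checking those lists mechanically before touching the milter. The following is an added example, not code from the question or from dkim-milter: a small parser for tag lists, a check of the required signature tags and the `v=1` value, and a check of the key record (`v=DKIM1` must be the first tag if present, `p=` must be non-empty). It also flags `a=rsa-sha1`, which RFC 8301 has since removed from DKIM; that is a fact about current verifiers, not something the question establishes. The two samples are copied from the header and the DNS record shown above.

```python
import re

SIG_REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")

# Constructed samples: the DKIM-Signature value and the default._domainkey TXT value from
# the question above (the b= value keeps the folding whitespace it arrived with).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha1; c=simple/simple; d=mydomain.com.au; s=default; t=1267326852; "
    "bh=0wHpkjkf7ZEiP2VZXAse+46PC1c=; h=Date:From:Message-Id:To:Subject; "
    "b=IFBaqfXmFjEojWXI/WQk4OzqglNjBWYk3jlFC8sHLLRAcADj6ScX3bzd+No7zos6i "
    "KppG9ifwYmvrudgEF+n1VviBnel7vcVT6dg5cxOTu7y31kUApR59dRU5nPR/to0E9l "
    "dXMaBoYPG8edyiM+soXo7rYNtlzk+0wd5glgFP1I="
)
SAMPLE_KEY_RECORD = (
    "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GWETBNiQKBgQC5KT1eN2lqCRQGDX+20I4liM2"
    "mktrtjWkV6mW9WX7q46cZAYgNrus53vgfl2z1Y/95mBv6Bx9WOS56OAVBQw62+ksXPT5cRUAUN9GkENPdOoPdp"
    "vrU1KdAMW5c3zmGOvEOa4jAlB4/wYTV5RkLq/1XLxXfTKNy58v+CKETLQS/eQIDAQAB"
)


def parse_tag_list(value):
    """Parse a DKIM tag=value list into an ordered list of (tag, value) pairs.
    Folding whitespace inside a value (typical for b=) is removed; duplicate tags are
    kept so the caller can detect them. A trailing ';' is permitted."""
    tags = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        tag, val = item.split("=", 1)
        tags.append((tag.strip(), re.sub(r"\s+", "", val)))
    return tags


def check_signature(header_value):
    """Return a list of problems with a DKIM-Signature header value ([] = well formed)."""
    tags = parse_tag_list(header_value)
    d = dict(tags)
    problems = []
    if len(d) != len(tags):
        problems.append("duplicate tag")
    for tag in SIG_REQUIRED_TAGS:
        if tag not in d:
            problems.append(f"missing required tag {tag}=")
    if d.get("v") != "1":
        problems.append(f"bad version: v={d.get('v')!r} (must be 1)")
    if d.get("a") == "rsa-sha1":
        problems.append("a=rsa-sha1 is no longer accepted (RFC 8301); use rsa-sha256")
    # RFC 6376 requires the From header to be covered by the signature.
    signed = [h.lower() for h in d.get("h", "").split(":") if h]
    if "from" not in signed:
        problems.append("h= must include From")
    return problems


def check_key_record(txt_value):
    """Return a list of problems with a selector (_domainkey) TXT record ([] = looks valid)."""
    tags = parse_tag_list(txt_value)
    d = dict(tags)
    problems = []
    if "v" in d and tags[0][0] != "v":
        problems.append("v= must be the first tag")
    if "v" in d and d["v"] != "DKIM1":
        problems.append(f"bad version: v={d['v']!r} (must be DKIM1)")
    if d.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={d['k']!r}")
    if not d.get("p"):
        # An empty p= is the RFC's way of saying the key is revoked.
        problems.append("missing or empty p= (revoked or broken key)")
    return problems


if __name__ == "__main__":
    print("signature:", check_signature(SAMPLE_SIGNATURE) or "ok")
    print("key record:", check_key_record(SAMPLE_KEY_RECORD) or "ok")
```

Run against the header in the post, the only finding is the rsa-sha1 algorithm; the tag syntax and `v=1` are fine, and the DNS record passes. That narrows a "bad version" verdict to what the verifier actually fetched from DNS (a TXT record split or quoted differently from what is on disk, or a stale cached record), which `dig +short TXT default._domainkey.mydomain.com.au` shows directly.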

How can I proxy multiple LDAP servers, and still have grouping of users on the proxy?

Posted: 21 Jun 2022 05:55 AM PDT

I have 2 problems that I'm hoping to find a common solution to.

First, I need to find a way to have multiple LDAP servers (Windows ADs across multiple domains) feed into a single source for authentication. This is also needed to get applications that can't natively talk to more than one LDAP server to work. I've read this can be done with OpenLDAP. Are there other solutions?

Second, I need to be able to add those users to groups without being able to make any changes to the LDAP servers I'm proxying.

Lastly, this all needs to work on Windows Server 2003/2008.

I work for a very large organization, and to create multiple groups and have large numbers of users added to, moved between, and removed from them is no small task. This normally requires tons of paperwork and a lot of time. Time is the one thing we don't normally have; dodging the paperwork is just a plus.

I have very limited experience in all this, so I'm not even sure what I'm asking will make sense. Atlassian Crowd comes close to what we need, but falls short of having its own LDAP front end. Can anyone provide any advice or product names?

Thanks for any help you can provide.
