Thursday, July 14, 2022

Recent Questions - Server Fault

Repository of regular expressions for logs

Posted: 14 Jul 2022 11:22 AM PDT

Does a public repository of regular expressions exist for parsing out the dynamic fields of common logs on Linux machines? SSH logins, kernel faults, etc.
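As an added illustration (not part of the question, and not pointing at any particular repository), this is what such regexes look like for two of the log types mentioned: sshd authentication results and kernel segfault lines, with each dynamic field captured as a named group. The sample lines, host name, users and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd and the kernel write to syslog
# (/var/log/auth.log and /var/log/kern.log on Debian/Ubuntu). Not from any real host.
SAMPLE_LOG = """\
Jul 14 10:02:11 host1 sshd[2140]: Accepted publickey for alice from 10.0.0.5 port 51522 ssh2: ED25519 SHA256:abcd
Jul 14 10:02:40 host1 sshd[2150]: Failed password for invalid user admin from 203.0.113.7 port 41012 ssh2
Jul 14 10:02:41 host1 sshd[2150]: Failed password for invalid user admin from 203.0.113.7 port 41012 ssh2
Jul 14 10:03:02 host1 sshd[2161]: Failed password for bob from 203.0.113.7 port 41020 ssh2
Jul 14 10:03:30 host1 sshd[2170]: Accepted password for bob from 192.0.2.9 port 50001 ssh2
Jul 14 10:04:00 host1 kernel: [12345.678901] worker[3001]: segfault at 0 ip 00007f1a2b3c4d5e sp 00007ffd1234abcd error 4 in libfoo.so[7f1a2b3c0000+5000]
"""

# Classic syslog prefix "Mon DD HH:MM:SS hostname "; the dynamic fields are named groups.
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "

SSHD_AUTH = re.compile(
    SYSLOG_PREFIX
    + r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    + r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# In the kernel line "ip" is the instruction pointer, not an address on the network.
KERNEL_SEGFAULT = re.compile(
    SYSLOG_PREFIX
    + r"kernel: \[\s*(?P<uptime>[\d.]+)\] (?P<proc>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    + r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<obj>\S+)"
)


def parse_line(line):
    """Return the line's dynamic fields plus a 'kind' tag, or None for unknown lines."""
    m = SSHD_AUTH.match(line)
    if m:
        event = m.groupdict()
        event["kind"] = "ssh_auth"
        # "invalid user" means the account does not exist; keep that as a boolean.
        event["invalid_user"] = event.pop("invalid") is not None
        return event
    m = KERNEL_SEGFAULT.match(line)
    if m:
        event = m.groupdict()
        event["kind"] = "kernel_segfault"
        return event
    return None


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def failed_logins_by_source(events):
    """Count failed SSH authentications per source address (a brute-force indicator)."""
    return Counter(e["ip"] for e in events if e["kind"] == "ssh_auth" and e["result"] == "Failed")


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for event in parsed:
        print(event["kind"], {k: v for k, v in event.items() if k not in ("kind", "ts", "host")})
    print("failed logins by source:", dict(failed_logins_by_source(parsed)))
```

The prefix regex assumes the traditional syslog timestamp; rsyslog's high-precision (RFC 3339) format or journald output needs a different prefix, which is one reason such regexes are hard to share verbatim between distributions.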

Managing WSUS with Powershell. How to remove an automatic approval rule?

Posted: 14 Jul 2022 10:30 AM PDT

I'm writing Powershell scripts to manage WSUS. One script can create, read, and update automatic approval rules. But it can't delete rules.

WSUS allows admins to make rules with duplicate names. If there are multiple rules with the same name, the script needs to remove the duplicates before proceeding. I can't find a method to do that.

I'm pulling a lot of information from Microsoft's documentation on the WSUS Class Library (https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms744624(v=vs.85))

The script I have needs to set an automatic update approval rule to the right settings.

    $myServer = Get-WsusServer
    $rule = $myServer.GetInstallApprovalRules() | Where-Object {$_.Name -eq 'WSUS Automation Rule'}
    #This returns data type Microsoft.UpdatesServices.Internal.BaseApi.AutomaticUpdateApprovalRule

    #********************************* Need code here****************
    if ($rule.count -gt 1){
        #If there is more than one rule named 'WSUS Automation Rule', delete the duplicates.
        }
    #********************************* Need code here****************

    # Comparison, not assignment: "$rule = $null" would silently clear $rule.
    if ($null -eq $rule){
        #If there is no rule with that name, make one.
        $rule = $myServer.CreateInstallApprovalRule('WSUS Automation Rule')
        }

    #Snipped code. Create a list of update classifications in $classifications.
    #Snipped code. Create a list of update categories in $categories.

    $rule.SetUpdateClassifications($classifications)
    $rule.SetCategories($categories)
    $rule.Save()
    $rule.Apply()

How is my DNSSEC enabled domain still serving a tiny number of NXDOMAIN response codes?

Posted: 14 Jul 2022 11:03 AM PDT

I enabled DNSSEC on my primary domain about a week ago. It's not a major website or anything -- just my personal domain name that I use for email and the like (TLD: com; DNSSEC algorithm 13; authoritative DNS provider: Cloudflare).

Over the last 24 hours, the domain has received 15,605 queries. In response, it has dished out 15,601 NOERROR response codes and a total of 4 NXDOMAIN response codes.

How are NXDOMAIN responses still possible? What could be generating them?

Personally I cannot trigger one no matter what query I attempt, and my understanding is that DNSSEC should, at least in theory, eliminate this response code entirely.

Am I incorrect?

Outlook not expanding M365 Groups

Posted: 14 Jul 2022 08:48 AM PDT

Good morning Folks. I am having some issues and I am going to try and explain this to the best of my ability.

I am reorganizing our Azure environment, and part of that is converting mail-enabled security groups to dynamic M365 groups. There are about 1600 groups. My PowerShell script to do this has been created and is working as expected. I have not made these changes to all 1600 groups; my D-DAY is the 22nd.

This brings me to my issue. When I created my test groups and pulled the new group into the "To" field in Outlook (from the GAL, not using autocomplete), I noticed that when I hover over the new group email in the "To" field I get a pop-up saying there are no members in that group. I checked in Azure and O365 and I have all 10 of my users in there, pulled in using my dynamic rule syntax. I do not know why it is showing no members. Being able to see who is in those groups will be well used by our users, and something like this will generate a whole bunch of support calls/tickets.

When I try to expand the group, I get an error saying "Cannot perform the requested operation. The command selected in not valid for this recipient. The operation failed"

If anyone has any ideas I would love to hear them.

Thank you Johan

Linux monthly network usage for virtual interfaces

Posted: 14 Jul 2022 08:43 AM PDT

I'm looking for something to keep track of network usage (rx and tx) for all virtual interfaces, not just the main interface.

I tried vnstat, but it only recognizes the main interface.

Any help is appreciated!

Can php-fpm and swoole coexist on the same virtual host /server block

Posted: 14 Jul 2022 08:04 AM PDT

I have been searching for days, and apart from this unanswered question on Stack Overflow, no info whatsoever has appeared, a big zero.

So I wonder if the wise people around here might know of a working nginx or apache configuration where swoole and php-fpm can coexist.

Best way to do 301 redirects

Posted: 14 Jul 2022 08:04 AM PDT

Which is the best way to do 301 redirects (for whole domains and also for specific pages/directories)? Using Apache virtual blocks, .htaccess or other solutions?

"Best" for me probably means the fastest and most SEO-friendly option, but maybe there are other important factors (security, easier to configure and maintain...).

Right now I'm using Apache, but for example for https it apparently always checks the certificate of the old domain before redirecting to the new one, so maybe there are faster solutions? (I don't really know much about this subject, just asking.)

Thanks!

If I have multiple versions of Postgres installed, how do I use a version specific tool?

Posted: 14 Jul 2022 07:58 AM PDT

For development reasons I have both Postgres 12 and 14 installed on my local machine. However, often I also need to use the pg_dump utility to create backups.

pg_dump 12 won't connect to a Postgres 14 database and vice versa.

If I simply run pg_dump, Ubuntu will use the one in /bin by default which is pg_dump@12.

If I want to run version 14 I have to manually type:

/usr/lib/postgresql/14/bin/pg_dump  

Is there any way I can quickly switch between them?

Something like:

pg_dump@14  

Are on-prem Windows Virtual Desktop servers still a thing?

Posted: 14 Jul 2022 07:40 AM PDT

My supervisor wants me to look into a virtual Windows 10/11 desktop solution leveraging our on-prem VMware cluster. Luckily, our cluster hardware has plenty of CPU/RAM/storage to accomplish the scope of the solution. The issue I'm running into is finding tutorials on how to set this up using Windows Server 2022-era products. All the solutions I can find seem to require an Azure tenant. I would have no issues recommending an Azure-integrated solution, except for the kicker: My company's Azure tenant is managed by a non-US corporation, to which we have no administrative access and getting an Azure VDI solution in place is so convoluted as to be effectively impossible. I know Windows Virtual Desktop is old tech and I totally understand why Microsoft is pushing Azure cloud services instead of on-prem solutions, but my situation dictates that I come up with an on-prem solution that will have the potential to last the next 3-5 years without Microsoft killing it with EoL support and security update cancellations.

My question is two-fold:

  1. Is Microsoft Virtual Desktop still a thing, and if so, where can I find some tutorials (preferably video-based, like YouTube) on setting it up?
  2. Is an on-prem, Windows-based VDI solution viable (even if you wouldn't recommend it over Azure, Horizon VDI, or Citrix) for the next 3-5 years (until my company gets with the times and moves to the cloud)?

Is a valid SSL certificate important when accessing a localhost URL via SSH tunnel?

Posted: 14 Jul 2022 08:24 AM PDT

I've got a PHPMyAdmin installation set up, but accessible only via localhost. This means that to access the URL, I need to set up an SSH tunnel before I access the URL.

When I do so, however, I get a warning saying that the SSL connection is unsafe because the certificate is not valid (my domain has a valid certificate). Is it safe to bypass this, considering I have many users who will be accessing the URL via SSH tunnel?

If it is not, what do I have to do to rectify this issue?

Finding the ESX/ESXi host in vSphere cluster on which a virtual machine is running programmatically via REST API

Posted: 14 Jul 2022 07:14 AM PDT

For any powered-on VM in a given folder I want to retrieve its IP address and the ESXi host it's running on. I'm having problems finding a REST API endpoint to retrieve the ESXi host a VM is running on, although I'm able to retrieve the IP addresses of the VMs like so:

1. Get Session ID

    curl -X "POST" "https://vsphere.company.tld/rest/com/vmware/cis/session" \
         -H 'vmware-use-header-authn: test' \
         -u 'username:password'

Output

    {
      "value": "random-session-id"
    }

2. Get all VMs from a folder

    curl "https://vsphere.company.tld/rest/vcenter/vm?filter.power_states=POWERED_ON&filter.folders=group-v40515" \
         -H 'vmware-api-session-id: random-session-id' \
         -H 'Accept: application/json'

Output

    {
      "value": [
        {
          "memory_size_MiB": 4096,
          "vm": "vm-40572",
          "name": "runner-br2z81xk-1657760400-7de8fc3e",
          "power_state": "POWERED_ON",
          "cpu_count": 2
        },
        {
          "memory_size_MiB": 4096,
          "vm": "vm-40573",
          "name": "runner-br2z81xk-1657760400-a2d27360",
          "power_state": "POWERED_ON",
          "cpu_count": 2
        }
      ]
    }

3. Get details (IP address) of VM

    curl "https://vsphere.company.tld/rest/vcenter/vm/vm-40572/guest/identity" \
         -H 'vmware-api-session-id: random-session-id' \
         -H 'Accept: application/json'

Output

    {
      "value": {
        "full_name": {
          "args": [],
          "default_message": "Other 4.x or later Linux (64-bit)",
          "id": "vmsg.guestos.other4xLinux64Guest.label"
        },
        "name": "OTHER_4X_LINUX_64",
        "ip_address": "192.168.14.19",
        "family": "LINUX",
        "host_name": "runner-br2z81xk-1657760400-7de8fc3e"
      }
    }

Does anyone know a way to retrieve the ESXi host for a given VM? I can see the ESXi host easily from the vSphere web UI, but I don't find a suitable API endpoint in the vCenter API documentation.
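The three curl calls above as one small Python client, added here as an illustration and not code from the question or from VMware. The HTTP layer is injectable, so the exchange (session header on the request side, JSON `value` envelope on the response side) runs offline against canned responses; the vCenter address, the ESXi host ids and names and the second VM's IP are made up. The host lookup goes beyond what the question shows: it assumes `GET /rest/vcenter/host` lists hosts and that the VM list endpoint accepts `filter.hosts=<host id>`, as the vSphere Automation API documents them; check both against your vCenter's API explorer before relying on it.

```python
import base64
import json
import urllib.request

# Hypothetical vCenter address; the host name from the post is not used here.
BASE_URL = "https://vsphere.example.invalid"


class VsphereRest:
    """Client for the vCenter REST calls in the question.

    `transport(method, url, headers)` does one HTTP request and returns the
    decoded JSON body; it is injectable so the flow runs offline against canned
    responses. The default uses urllib, which verifies the TLS certificate.
    """

    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.transport = transport or self._urllib_transport
        self.session_id = None

    @staticmethod
    def _urllib_transport(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def login(self, username, password):
        # Same exchange as `curl -u user:pass -X POST .../rest/com/vmware/cis/session`.
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        body = self.transport("POST", self.base_url + "/rest/com/vmware/cis/session",
                              {"Authorization": "Basic " + token,
                               "vmware-use-header-authn": "test"})
        self.session_id = body["value"]
        return self.session_id

    def _get(self, path):
        if self.session_id is None:
            raise RuntimeError("call login() first")
        body = self.transport("GET", self.base_url + path,
                              {"vmware-api-session-id": self.session_id,
                               "Accept": "application/json"})
        return body["value"]

    def powered_on_vms(self, folder):
        return self._get(f"/rest/vcenter/vm?filter.power_states=POWERED_ON&filter.folders={folder}")

    def guest_ip(self, vm):
        return self._get(f"/rest/vcenter/vm/{vm}/guest/identity").get("ip_address")

    def host_by_vm(self):
        """Map VM id -> ESXi host name by listing each host's VMs.

        Assumption, not something the post shows: GET /rest/vcenter/host lists
        hosts and the VM list endpoint accepts filter.hosts=<host id>.
        """
        mapping = {}
        for host in self._get("/rest/vcenter/host"):
            for vm in self._get(f"/rest/vcenter/vm?filter.hosts={host['host']}"):
                mapping[vm["vm"]] = host["name"]
        return mapping

    def inventory(self, folder):
        """{vm id: (name, guest ip, host name)} for powered-on VMs in `folder`."""
        hosts = self.host_by_vm()
        return {vm["vm"]: (vm["name"], self.guest_ip(vm["vm"]), hosts.get(vm["vm"]))
                for vm in self.powered_on_vms(folder)}


# Canned server responses (constructed). VM ids, names, folder id and the first
# IP are the values from the post; host ids/names and the second IP are made up.
CANNED = {
    ("POST", "/rest/com/vmware/cis/session"): {"value": "random-session-id"},
    ("GET", "/rest/vcenter/vm?filter.power_states=POWERED_ON&filter.folders=group-v40515"): {
        "value": [{"vm": "vm-40572", "name": "runner-br2z81xk-1657760400-7de8fc3e", "power_state": "POWERED_ON"},
                  {"vm": "vm-40573", "name": "runner-br2z81xk-1657760400-a2d27360", "power_state": "POWERED_ON"}]},
    ("GET", "/rest/vcenter/vm/vm-40572/guest/identity"): {"value": {"ip_address": "192.168.14.19", "family": "LINUX"}},
    ("GET", "/rest/vcenter/vm/vm-40573/guest/identity"): {"value": {"ip_address": "192.168.14.20", "family": "LINUX"}},
    ("GET", "/rest/vcenter/host"): {"value": [{"host": "host-10", "name": "esxi-a.example.invalid"},
                                              {"host": "host-11", "name": "esxi-b.example.invalid"}]},
    ("GET", "/rest/vcenter/vm?filter.hosts=host-10"): {"value": [{"vm": "vm-40572"}]},
    ("GET", "/rest/vcenter/vm?filter.hosts=host-11"): {"value": [{"vm": "vm-40573"}]},
}


def fake_transport(method, url, headers):
    """Stand-in for vCenter: enforces the auth headers the real API requires."""
    if method == "POST":
        assert headers.get("Authorization", "").startswith("Basic ")
    else:
        assert headers.get("vmware-api-session-id") == "random-session-id"
    return CANNED[(method, url[len(BASE_URL):])]


def demo():
    client = VsphereRest(BASE_URL, transport=fake_transport)
    client.login("username", "password")
    return client.inventory("group-v40515")


if __name__ == "__main__":
    for vm_id, (name, ip, host) in demo().items():
        print(vm_id, name, ip, host)
```

Against a real vCenter, pass no `transport` and the urllib default is used; keep certificate verification on rather than working around a self-signed vCenter certificate, since the session id in the header is a bearer credential for everything the account can do.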

Where sieve file must be located if dovecot runs with virtual_mailbox_maps

Posted: 14 Jul 2022 07:33 AM PDT

I have a postfix + dovecot install that uses virtual_mailbox_maps.

I want to use sieve for specific users. Where should I put the sieve file, since there are no user directories?

In dovecot configuration I have this:

    plugin {
        sieve_extensions                    = +editheader
        sieve_editheader_max_header_size    = 1k

        # Protected special headers
        sieve_editheader_forbid_add         = X-Verified
        sieve_editheader_forbid_delete      = X-Verified X-Seen

        sieve_redirect_envelope_from        = recipient

        sieve                               = /etc/dovecot/sieve/default.sieve
    }

However, I do not want to use default.sieve; I want an additional sieve file for specific users.

Create proxy server from home modem

Posted: 14 Jul 2022 07:15 AM PDT

I live in New Delhi, India. I have virtual machines at Hetzner Cloud (Finland, Helsinki). Each VM has a static IP address from Finland, Helsinki. I run some applications on the VM. How do I make the IP address of my internet connection at my home location act as the proxy IP of my VM? So that:

  1. The real ip from Finland is hidden
  2. All requests from VM go through the ip address of my internet connection at home
  3. All requests are forwarded to the VM

Files can't be uploaded on Google cloud after deleting user folder

Posted: 14 Jul 2022 11:15 AM PDT

I'm using CentOS 7 on Google Cloud. I accidentally deleted the folder with my username, /home/username; that folder was used for uploading files via Google SSH. I've created a folder with the same name, but now I can't upload any files. Is there something else I have to configure?

If 'dnssec-enable' is obsolete and must be removed, what is the alternative when creating a DNS server on BIND 9?

Posted: 14 Jul 2022 07:10 AM PDT

I'm trying to set up a Forwarding DNS server, using this tutorial https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-16-04. I've followed all the steps and inserted the lines

    dnssec-enable yes;
    dnssec-validation yes;

However, when running:

    sudo named-checkconf

It's telling me that

    option 'dnssec-enable' is obsolete and should be removed

Therefore, what's the alternative? I've tried to search for it on Google and take a quick look at the BIND 9 docs, but they don't say anything about it. I'd really appreciate your help.

qemu commandline can't see /dev/net/tun

Posted: 14 Jul 2022 08:40 AM PDT

I am a newbie with qemu and libvirt. I hit an issue with virsh and qemu, especially with tun interface setup. Once I run

    qemu-system-x86_64 \
        -nographic -enable-kvm \
        -cpu host -m 2048 \
        -serial mon:stdio \
        -netdev tap,id=et0,ifname=tap0,script=no -device e1000,netdev=et0

It works without problem, and it also creates a tap0 interface on the host machine. The problem comes up when I try to create a VM using libvirt XML:

    <domain type="kvm" xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
      <name>testttt</name>
      <uuid>21ddfabd-1312-45ad-aced-cf7a10257d83</uuid>
      <memory unit="MB">2048</memory>
      <currentMemory unit="MB">2048</currentMemory>
      <vcpu placement="static">1</vcpu>
      <os>
        <type arch="x86_64" machine="pc-i440fx-6.2">hvm</type>
        <boot dev="hd"/>
      </os>
      <features>
        <acpi/>
        <apic/>
        <vmport state="off"/>
      </features>
      <cpu mode="host-passthrough" check="none" migratable="on"/>
      <clock offset="utc">
        <timer name="rtc" tickpolicy="catchup"/>
        <timer name="pit" tickpolicy="delay"/>
        <timer name="hpet" present="no"/>
      </clock>
      <on_poweroff>destroy</on_poweroff>
      <on_reboot>restart</on_reboot>
      <on_crash>destroy</on_crash>
      <pm>
        <suspend-to-mem enabled="no"/>
        <suspend-to-disk enabled="no"/>
      </pm>
      <devices>
        <emulator>/usr/bin/qemu-system-x86_64</emulator>
        <disk type="file" device="disk">
          <driver name="qemu" type="vdi"/>
          <source file="..."/>
          <target dev="hda" bus="ide"/>
          <address type="drive" controller="0" bus="0" target="0" unit="0"/>
        </disk>
        <controller type="usb" index="0" model="ich9-ehci1">
          <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x7"/>
        </controller>
        <controller type="usb" index="0" model="ich9-uhci1">
          <master startport="0"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x0" multifunction="on"/>
        </controller>
        <controller type="usb" index="0" model="ich9-uhci2">
          <master startport="2"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x1"/>
        </controller>
        <controller type="usb" index="0" model="ich9-uhci3">
          <master startport="4"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x2"/>
        </controller>
        <controller type="pci" index="0" model="pci-root"/>
        <controller type="ide" index="0">
          <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x1"/>
        </controller>
        <controller type="virtio-serial" index="0">
          <address type="pci" domain="0x0000" bus="0x00" slot="0x05" function="0x0"/>
        </controller>
        <serial type="pty">
          <target type="isa-serial" port="0">
            <model name="isa-serial"/>
          </target>
        </serial>
        <console type="pty">
          <target type="serial" port="0"/>
        </console>
        <channel type="spicevmc">
          <target type="virtio" name="com.redhat.spice.0"/>
          <address type="virtio-serial" controller="0" bus="0" port="1"/>
        </channel>
        <input type="mouse" bus="ps2"/>
        <input type="keyboard" bus="ps2"/>
        <graphics type="vnc" port="-1" autoport="yes">
          <listen type="address"/>
        </graphics>
        <video>
          <model type="qxl" ram="65536" vram="65536" vgamem="16384" heads="1" primary="yes"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0"/>
        </video>
        <redirdev bus="usb" type="spicevmc">
          <address type="usb" bus="0" port="2"/>
        </redirdev>
        <redirdev bus="usb" type="spicevmc">
          <address type="usb" bus="0" port="3"/>
        </redirdev>
        <memballoon model="virtio">
          <address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/>
        </memballoon>
        <rng model="virtio">
          <backend model="random">/dev/urandom</backend>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0"/>
        </rng>
      </devices>
      <qemu:commandline>
        <qemu:arg value='-serial'/>
        <qemu:arg value='mon:stdio'/>
        <qemu:arg value='-device'/>
        <qemu:arg value='e1000,netdev=et0'/>
        <qemu:arg value='-netdev'/>
        <qemu:arg value='tap,id=et0,script=no,downscript=no,ifname=tap0'/>
      </qemu:commandline>
    </domain>

The machine gets created, but once I try to run it I get the following error:

    internal error: qemu unexpectedly closed the monitor:
    2022-07-13T12:12:59.151035Z qemu-system-x86_64: -netdev tap,id=et0,script=no,downscript=no,ifname=tap0:
    could not open /dev/net/tun: No such file or directory

I think, there is something wrong with:

    <qemu:commandline>
      <qemu:arg value='-serial'/>
      <qemu:arg value='mon:stdio'/>
      <qemu:arg value='-device'/>
      <qemu:arg value='e1000,netdev=et0'/>
      <qemu:arg value='-netdev'/>
      <qemu:arg value='tap,id=et0,script=no,downscript=no,ifname=tap0'/>
    </qemu:commandline>

I ran cat /dev/net/tun and got cat: /dev/net/tun: File descriptor in bad state, so the tun should be OK; it also works when I run qemu-system-x86_64 directly.

Using Office 365 now, can we pilot intune MDM on just 1-2 users or devices?

Posted: 14 Jul 2022 10:51 AM PDT

We have Microsoft hosting for exchange, office 365, defender for endpoint and are using the Office 365 MDM for device management. We only have Azure AD basic not premium.

I've started an intune trial, created a Windows 10 VM as a device, added AD-based user, added the device and user to an intune group with policy and installed the company store app from the Windows store. In that app, settings > sync runs without errors.

The device shows up in the intune device list and is compliant, but managed apps never sync. They are stuck at "Waiting for install status".

My guess is this is because our MDM is Office 365, but I don't see any way in the admin panel or in any docs I've found to change that for just this test user, or the test device, or the intune group.

Is there some way to force intune to be the MDM for just this user, device, group?

Additional information:

On the device, Settings > Accounts > Access Work or School shows the device as "Connected to (company) MDM" (which will be the office 365 MDM?) and "Connected to (company)'s Azure AD"

In intune, DESKTOP-xxxxxx | Enrollment table shows "no results" for the device

Is that significant? Joining AD and installing the company portal are both supposed to enroll the user or device if I'm reading the docs right.

nginx reverse proxy - proxy_pass leads to 503 service unavailable

Posted: 14 Jul 2022 08:37 AM PDT

I have the following configuration:

    server {
        listen 8080;    # "listen: 8080;" is a syntax error; no colon after the directive name

        location / {
            proxy_pass           https://somehost.abc.xyz;
            proxy_redirect       off;
            proxy_set_header     Host somehost.abc.xyz;
            # Client-address headers carry the caller's address, not the upstream's name
            proxy_set_header     X-Real-IP $remote_addr;
            proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header     X-Forwarded-Host $host;
            proxy_set_header     HELLO pizza;
        }
    }

Whenever I hit the proxy, let's say I go to http://localhost:8080/home, I get 503 Service Unavailable (not from the nginx service, but from the app I'm trying to reach at https://somehost.abc.xyz/home).

But if I just go to https://somehost.abc.xyz/home or do a redirect (return 301 https://somehost.abc.xyz/home;), it's all good and I get to the app. Although this doesn't help me, because I want to get there through the proxy so I can add a request header to every request that goes through.

Any ideas what could possibly cause this and how to solve it?

GCP - Shared VPC vs VPC Peering among projects - main differences?

Posted: 14 Jul 2022 08:52 AM PDT

I'm testing various GCP features and I've been faced with the question in the title. After a little bit of experimentation I think the following should hold:

  • 2 peered VPCs cannot share the same subnet ranges, while VPC sharing is sharing the same subnets: if we want instances to communicate and we adjust firewall (FW) rules, does this make any practical difference?
  • Shared VPC creates a hierarchical relation where one end is the manager of the network and FW rules and therefore can dictate all service projects' abilities and can revoke shares; this also means that the host part must have access to service projects to pick them and allow them to use the host project's VPCs. Anyway, VPC peering requires a certain level of access to projects if one wants to peer them, but the 2 projects are on par (both ends must allow the peering): this is an administrative/auth difference.
  • Shared VPC allows for a simplified FW setup, as you have only one central point to set up your FW rules: you have the same set of subnets shared; while peering, like VPNs, requires setting up rules on both ends: this is a management simplification.
  • Shared VPC can exhaust its resources (IPv4 ranges) faster, but this means you have a ton of instances connected...
  • VPC peering can do passthrough (daisy chain) up to 1 level: I have 1 connection from VPC A to VPC B and one from VPC B to VPC C. VPC A and C cannot communicate, but VPC B can communicate with both. On the opposite, in a shared scenario a project can only be either a host or a service at the same time, but I can create a scenario with multiple projects sharing the same subnet and talking to each other transitively... this is probably the most relevant difference I've seen.

Let's say we have N different projects with N different administrators; if all parties agree on having some sort of network connection among instances, are there any other pros/cons in choosing peering over shared?

Edit

  • maybe this is really the biggest difference: if a service project uses a shared VPC and you later want to remove it, you need first to create a new VPC (or use the service project's default), reassign a new NIC to all the instances which are currently using the shared VPC, let this new NIC use the project's own VPC, redo the FW rules and check for correct connectivity of all instances before detaching them from the shared VPC.
  • additionally, VPC peering can be used within the same project to increase the isolation between workloads while letting a few selected VMs communicate.

Edit 2

  • As of now (2021-01) a shared VPC can be used on a second NIC, but it is a beta feature
  • also, one cannot add more than 25 peerings to a network, therefore it is quite common to let projects communicate via shared VPC in so-called hub-and-spoke designs.
  • Just discovered that VPC peering can be applied even between different organizations!

Edit 3

While not strictly a network architecture, Google now also offers Private Service Access: a way to proxy external services (including those in other projects/VPCs) via a proxy in your VPC.

Thank you

SFTP users can't remove files

Posted: 14 Jul 2022 10:05 AM PDT

I've set up a simple SFTP server on Ubuntu 18.04. I have 10 users that should only have access to the files in their home directories and they should not be able to get out of their home directory.

We have an API that is writing files to their home directories.

So far, so good.

The users can login, retrieve the files, and are constrained to their own directories. They cannot, however, remove the files. Any 'rm' command returns a permissions error: Couldn't delete file: Permission denied.

The user/group for the folder is root:www-data. If I change it to user:www-data, SFTP breaks - they can't login. I created a group 'sftp', but again, if I add the user to the sftp group and change the home directory to user:sftp, they can't login.

Here's what the home folder looks like:

    drwxr-xr-x 2 root   www-data 172032 Feb  6 14:19 29
    drwxr-xr-x 2 root   www-data 135168 Feb  6 14:17 52
    drwxr-xr-x 4 root   www-data  69632 Feb  6 14:15 44
    drwxr-xr-x 2 root   www-data  36864 Feb  6 14:14 68

My sftp config from /etc/ssh/sshd_config is:

    Match group sftp
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

My users are set up like this:

    29:x:1002:1001::/home/26:/bin/sh
    44:x:1003:1003::/home/44:/bin/sh
    52:x:1004:1004::/home/52:/bin/sh
    68:x:1005:1005::/home/29:/bin/sh

My sftp group is:

    sftp:x:1001:26,44
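Two rules collide in this setup, and the added example below (constructed for this page, not from the question or from OpenSSH) encodes both as a checker over `ls -l` lines: sshd only accepts a ChrootDirectory that is root-owned and not group- or world-writable, and deleting a file needs write and execute permission on the directory that contains it. The first entry is the directory from the question for user 29 (primary group sftp); the chowned variant and the `files` subdirectory are made up.

```python
import stat

# Two rules collide in the question:
#  * sshd_config(5): a ChrootDirectory (and every path component above it) must be
#    owned by root and must not be group- or world-writable.
#  * POSIX: unlinking a file needs write + execute permission on the directory that
#    contains the file, not on the file itself.


def parse_ls_entry(line):
    """Parse one `ls -l` line into mode bits, owner, group and name."""
    fields = line.split()
    perms, owner, group, name = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    for i, ch in enumerate(perms[1:10]):   # rwxrwxrwx, left to right
        if ch in "rwxst":                  # lower-case s/t imply the x bit; S/T do not
            mode |= 1 << (8 - i)
    return {"mode": mode, "owner": owner, "group": group, "name": name}


def ok_as_chroot_dir(entry):
    """Would sshd accept this directory as ChrootDirectory?"""
    return entry["owner"] == "root" and not entry["mode"] & (stat.S_IWGRP | stat.S_IWOTH)


def user_can_delete_inside(entry, user, user_groups):
    """Can `user` unlink entries in this directory? Checks the class that applies."""
    if entry["owner"] == user:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif entry["group"] in user_groups:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return entry["mode"] & need == need


def diagnose(line, user, user_groups):
    entry = parse_ls_entry(line)
    return {"ok_as_chroot_dir": ok_as_chroot_dir(entry),
            "user_can_delete_inside": user_can_delete_inside(entry, user, user_groups)}


# First line is the home directory of user 29 from the question (primary group
# sftp, gid 1001). The other two are constructed: the same directory chowned to
# the user, and a user-owned subdirectory meant to sit under a root-owned chroot.
AS_POSTED  = "drwxr-xr-x 2 root   www-data 172032 Feb  6 14:19 29"
CHOWNED    = "drwxr-xr-x 2 29     www-data 172032 Feb  6 14:19 29"
UPLOAD_DIR = "drwxr-x--- 2 29     www-data   4096 Jul 14 09:00 files"


def demo():
    groups = {"sftp"}
    return {"as_posted": diagnose(AS_POSTED, "29", groups),
            "chown_to_user": diagnose(CHOWNED, "29", groups),
            "upload_subdir": diagnose(UPLOAD_DIR, "29", groups)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14s} {result}")
```

No single directory satisfies both checks at once, which is why the usual layout is a root-owned, 755 chroot (`/home/29`) with a user-owned subdirectory beneath it (`/home/29/files`) where the API writes and the user deletes.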

Slow DNS resolution inside docker container

Posted: 14 Jul 2022 11:04 AM PDT

I'm stuck with a problem of very slow DNS resolution inside a docker container. A simple GET to 'google.com' takes about 4s to finish, while the same request on the host takes 0.052 ms. Also, the request works perfectly if I send it to an IP address; that's why I suspected a DNS problem. I've searched for an answer; most of them were about setting DNS servers in /etc/docker/daemon.json, which I did, but that didn't help my problem. The server runs on Ubuntu 16.04. I also have a dev server which runs the same configuration, but it works fine.

Host:

    time curl -g 'google.com'

    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="http://www.google.com/">here</A>.
    </BODY></HTML>

    real    0m0.052s
    user    0m0.004s
    sys     0m0.004s

    time nslookup google.com

    Server:     188.93.16.19
    Address:    188.93.16.19#53

    Non-authoritative answer:
    Name:   google.com
    Address: 173.194.73.102
    Name:   google.com
    Address: 173.194.73.139
    Name:   google.com
    Address: 173.194.73.100
    Name:   google.com
    Address: 173.194.73.113
    Name:   google.com
    Address: 173.194.73.138
    Name:   google.com
    Address: 173.194.73.101

    real    0m0.013s
    user    0m0.004s
    sys     0m0.004s

Container:

    time curl -g https://google.com

    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="https://www.google.com/">here</A>.
    </BODY></HTML>

    real    0m4.592s
    user    0m0.004s
    sys     0m0.012s

    time nslookup google.com

    Server:     127.0.0.11
    Address:    127.0.0.11#53

    Non-authoritative answer:
    Name:   google.com
    Address: 64.233.165.139
    Name:   google.com
    Address: 64.233.165.101
    Name:   google.com
    Address: 64.233.165.102
    Name:   google.com
    Address: 64.233.165.113
    Name:   google.com
    Address: 64.233.165.100
    Name:   google.com
    Address: 64.233.165.138

    real    0m4.029s
    user    0m0.008s
    sys     0m0.004s

daemon.json:

    {
        "dns": ["188.93.16.19", "188.93.17.19", "8.8.8.8", "8.8.8.4"]
    }

GCP Equivalent for AWS Landing zone solution

Posted: 14 Jul 2022 07:13 AM PDT

AWS provides a solution called Landing Zone to jumpstart cloud adoption for an enterprise. This solution is based on AWS best practices. It provides a starting point by auto-creating multiple accounts and configuring shared services such as logging, monitoring, etc. Is there an equivalent solution for GCP?

Azure RDS HTML5 Web Client Unable to Access Gateway

Posted: 14 Jul 2022 10:05 AM PDT

We have a RDS (Remote Desktop Services) deployment, and recently went through the process of installing the HTML5 web client as per the directions at:

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin

Our deployment is hosted on domain A, which has an Active Directory instance. There is also domain B with its own Active Directory instance; there is a two-way trust between the two.

The problem we are having is that the traditional RD Web Access works fine for all users, but when users from domain B log on to the HTML5 web client and try to open an app, they get a message "We couldn't connect to the gateway because of an error". At the same time the browser console shows the following error:

Connection(ERR): The connection generated an internal exception with disconnect code=GatewayProtocolError(52), extended code=, reason=Gateway tunnel authorization failed with error code=2147965403

During troubleshooting we've tried:

  • Verified that required ports are open.
  • Disabled all firewalls between gateways, brokers, and session hosts – same error.
  • Re-applied the publicly trusted cert to the HTML5 client (via Import-RDWebClientBrokerCert) – same error
  • Verified that the proper cert was bound to the HTML5 client – same error.
  • Enabled NTLM by setting the GPO: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network Security: Restrict NTLM: NTLM Authentication in this domain. To "Disable" (within same domain as RDP) – same error.
  • Ran regsvr32 wksprtps.dll (dll was already registered, but tried it anyway)
  • Verified that the required KB4025334 from July of last year was installed or not necessary (OS was up to date)

Any ideas on other areas we can look at?

Uninstall Symantec Endpoint Protection 12.1 (with uninstall password) using PowerShell?

Posted: 14 Jul 2022 07:07 AM PDT

We just acquired 400 or so computers during a buyout and they have this installed.

So I tried pushing out

(Get-WmiObject -Class Win32_Product -Filter "Name='Symantec Endpoint Protection'" -ComputerName . ).Uninstall()  

as per https://support.symantec.com/en_US/article.TECH102470.html which unsurprisingly doesn't work. I was getting ReturnValue 1602 and not ReturnValue 0.

Tried uninstalling it manually on a client using Add/Remove Programs and it needs a password which I've now managed to get from the old company.

Any idea how we can use PowerShell to uninstall this with a password?

It's SEP 12.1.

squid proxy on ubuntu refuses connections

Posted: 14 Jul 2022 07:07 AM PDT

I have just installed squid on my Ubuntu server. However, when I try to connect, I receive connection refused messages from my local computer (in the firewalls I have added permits for my local IP).

Below you can find the squid configuration and the cache.log. Any support will be appreciated.

/etc/squid/squid.conf

    acl mylocalip xxx.xxx.xxx.xxx/32

    acl SSL_ports port 443
    acl Safe_ports port 80      # http
    acl Safe_ports port 21      # ftp
    acl Safe_ports port 443     # https
    acl Safe_ports port 70      # gopher
    acl Safe_ports port 210     # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280     # http-mgmt
    acl Safe_ports port 488     # gss-http
    acl Safe_ports port 591     # filemaker
    acl Safe_ports port 777     # multiling http

    acl CONNECT method CONNECT

    http_access allow mylocalip
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localhost
    http_access deny all

    http_port 19228

    coredump_dir /var/spool/squid

    refresh_pattern ^ftp:       1440    20% 10080
    refresh_pattern ^gopher:    1440    0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
    refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
    refresh_pattern .       0   20% 4320

/var/log/squid/cache.log

2017/09/16 10:07:07 kid1| Set Current Directory to /var/spool/squid
2017/09/16 10:07:07 kid1| Starting Squid Cache version 3.5.23 for x86_64-pc-linux-gnu...
2017/09/16 10:07:07 kid1| Service Name: squid
2017/09/16 10:07:07 kid1| Process ID 9499
2017/09/16 10:07:07 kid1| Process Roles: worker
2017/09/16 10:07:07 kid1| With 65535 file descriptors available
2017/09/16 10:07:07 kid1| Initializing IP Cache...
2017/09/16 10:07:07 kid1| DNS Socket created at [::], FD 6
2017/09/16 10:07:07 kid1| DNS Socket created at 0.0.0.0, FD 8
2017/09/16 10:07:07 kid1| Adding nameserver 169.254.169.254 from /etc/resolv.conf
2017/09/16 10:07:07 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2017/09/16 10:07:07 kid1| Adding domain c.bibipcom-174407.internal from /etc/resolv.conf
2017/09/16 10:07:07 kid1| Adding domain google.internal from /etc/resolv.conf
2017/09/16 10:07:07 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2017/09/16 10:07:07 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2017/09/16 10:07:07 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/09/16 10:07:07 kid1| Store logging disabled
2017/09/16 10:07:07 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2017/09/16 10:07:07 kid1| Target number of buckets: 1008
2017/09/16 10:07:07 kid1| Using 8192 Store buckets
2017/09/16 10:07:07 kid1| Max Mem  size: 262144 KB
2017/09/16 10:07:07 kid1| Max Swap size: 0 KB
2017/09/16 10:07:07 kid1| Using Least Load store dir selection
2017/09/16 10:07:07 kid1| Set Current Directory to /var/spool/squid
2017/09/16 10:07:07 kid1| Finished loading MIME types and icons.
2017/09/16 10:07:07 kid1| HTCP Disabled.
2017/09/16 10:07:07 kid1| Pinger socket opened on FD 13
2017/09/16 10:07:07 kid1| Squid plugin modules loaded: 0
2017/09/16 10:07:07 kid1| Adaptation support is off.
2017/09/16 10:07:07 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 11 flags=9
2017/09/16 10:07:07| pinger: Initialising ICMP pinger ...
2017/09/16 10:07:07| pinger: ICMP socket opened.
2017/09/16 10:07:07| pinger: ICMPv6 socket opened
2017/09/16 10:07:08 kid1| storeLateRelease: released 0 objects
2017/09/16 10:18:33 kid1| Preparing for shutdown after 0 requests
2017/09/16 10:18:33 kid1| Waiting 30 seconds for active connections to finish
2017/09/16 10:18:33 kid1| Closing HTTP port [::]:3128
2017/09/16 10:18:33 kid1| Closing Pinger socket on FD 13
2017/09/16 10:18:48| Pinger exiting.
2017/09/16 10:19:04 kid1| Shutdown: NTLM authentication.
2017/09/16 10:19:04 kid1| Shutdown: Negotiate authentication.
2017/09/16 10:19:04 kid1| Shutdown: Digest authentication.
2017/09/16 10:19:04 kid1| Shutdown: Basic authentication.
2017/09/16 10:19:04 kid1| Shutting down...
2017/09/16 10:19:04 kid1| storeDirWriteCleanLogs: Starting...
2017/09/16 10:19:04 kid1|   Finished.  Wrote 0 entries.
2017/09/16 10:19:04 kid1|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.064 seconds = 0.060 user + 0.004 sys
Maximum Resident Size: 106000 KB
Page faults with physical i/o: 0
2017/09/16 10:19:04 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2017/09/16 10:19:04 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2017/09/16 10:19:04 kid1| Open FD UNSTARTED     6 DNS Socket IPv6
2017/09/16 10:19:04 kid1| Open FD UNSTARTED     8 DNS Socket IPv4
2017/09/16 10:19:04 kid1| Open FD UNSTARTED     9 IPC UNIX STREAM Parent
2017/09/16 10:19:04 kid1| Squid Cache (Version 3.5.23): Exiting normally.
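An added example (not code from the question or from Squid) that replays the posted http_access list with Squid's first-match evaluation, so the effect of rule order can be checked before deploying the config. The redacted xxx.xxx.xxx.xxx/32 is replaced by a constructed address, and the built-in localhost, manager and all ACLs are modelled as assumptions.

```python
import ipaddress

# Constructed stand-in for the redacted xxx.xxx.xxx.xxx/32 in the posted config.
MYLOCALIP = ipaddress.ip_network("203.0.113.10/32")
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]

# One predicate per ACL name from the config; each takes a request dict.
# "localhost", "manager" and "all" are Squid built-ins, modelled here as assumptions.
ACLS = {
    "mylocalip": lambda r: ipaddress.ip_address(r["src"]) in MYLOCALIP,
    "localhost": lambda r: ipaddress.ip_address(r["src"]).is_loopback,
    "SSL_ports": lambda r: r["port"] == 443,
    "Safe_ports": lambda r: any(lo <= r["port"] <= hi for lo, hi in SAFE_PORTS),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "manager": lambda r: r.get("manager", False),
    "all": lambda r: True,
}

# The http_access lines from the posted config, in their original order.
HTTP_ACCESS = [
    ("allow", ["mylocalip"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

def evaluate(request):
    """Squid semantics: every ACL on a line must match (a leading '!' negates);
    the first matching line decides. If nothing matches, the opposite of the
    last line's action applies."""
    for action, terms in HTTP_ACCESS:
        if all(ACLS[t.lstrip("!")](request) != t.startswith("!") for t in terms):
            return action
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    # Because "allow mylocalip" precedes the Safe_ports/CONNECT denies, that
    # address may CONNECT to any port; localhost is still limited to 443.
    print(evaluate({"src": "203.0.113.10", "method": "CONNECT", "port": 8080}))  # allow
    print(evaluate({"src": "127.0.0.1", "method": "CONNECT", "port": 8080}))     # deny
    print(evaluate({"src": "127.0.0.1", "method": "CONNECT", "port": 443}))      # allow
    print(evaluate({"src": "198.51.100.7", "method": "GET", "port": 80}))        # deny
```

Moving the mylocalip line below the two deny lines keeps the Safe_ports and CONNECT restrictions in force for that address as well.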

SMTP network ACL on AWS

Posted: 14 Jul 2022 11:04 AM PDT

I have a very restricted ACL for my VPC. We have a public subnet and a private subnet, each subnet has its own individual ACL.

What I don't understand is why the following ACL works for sending email over port 465 via Amazon SES.

public:

  • inbound: src 0.0.0.0/0, port 465
  • outbound: dest 0.0.0.0/0, port 465

private:

  • inbound: N/A
  • outbound: dest 0.0.0.0/0, port 465

I get both outbound rules, but the inbound rule for public doesn't make any sense. Where in the SMTP RFC does it say the SMTP server (SES, a relay) will connect back to the client on port 465? I would expect the client to pick a high port, as shown in the following netstat:

tcp      104      0 ip-10-0-1-75.ec:36836 ec2-54-243-225-221.:urd CLOSE_WAIT
tcp        0      0 ip-10-0-1-75.ec:50903 ec2-54-243-161-229.:urd ESTABLISHED

urd is 465 from what I understand. So my instance in the private subnet routes the request to the NAT instance, and the NAT (in public subnet) sends the packets to the remote server. So why is 465 needed inbound anyway?
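An added example (not from the question) that models how a stateless network ACL judges each packet of the two connections in the netstat above: by direction and destination port, so the inbound 465 rule covers packets addressed to port 465 on the instance, not the replies to the client's ephemeral ports. The service-name table and the 1024-65535 ephemeral range are assumptions.

```python
import re

# Constructed from the two netstat lines in the question; "urd" is 465/tcp in /etc/services.
NETSTAT = """tcp      104      0 ip-10-0-1-75.ec:36836 ec2-54-243-225-221.:urd CLOSE_WAIT
tcp        0      0 ip-10-0-1-75.ec:50903 ec2-54-243-161-229.:urd ESTABLISHED"""
SERVICES = {"urd": 465, "smtp": 25, "submission": 587}  # assumed name table
LINE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)$")

def parse_netstat(text):
    """Return [(local_port, remote_port, state)] with service names resolved."""
    port = lambda s: int(s) if s.isdigit() else SERVICES[s]
    return [(port(m.group(2)), port(m.group(4)), m.group(5))
            for m in map(LINE.match, text.splitlines()) if m]

# A network ACL as (direction, port_lo, port_hi). The ACL is stateless: each
# packet is judged on its own, against the rules for the direction it travels,
# by its destination port (the "port range" of an AWS NACL rule).
ACL_FROM_QUESTION = [("inbound", 465, 465), ("outbound", 465, 465)]
ACL_WITH_EPHEMERAL = ACL_FROM_QUESTION + [("inbound", 1024, 65535)]  # assumed range

def packet_allowed(acl, direction, dst_port):
    return any(d == direction and lo <= dst_port <= hi for d, lo, hi in acl)

def connection_verdict(acl, local_port, remote_port):
    """Client-side view of one TCP connection: requests go outbound to the
    server port, replies come inbound to the client's ephemeral port."""
    return {"request": packet_allowed(acl, "outbound", remote_port),
            "reply": packet_allowed(acl, "inbound", local_port)}

if __name__ == "__main__":
    for lport, rport, state in parse_netstat(NETSTAT):
        print(lport, rport, state,
              connection_verdict(ACL_FROM_QUESTION, lport, rport),
              connection_verdict(ACL_WITH_EPHEMERAL, lport, rport))
    # What the inbound 465 rule does admit: a fresh connection from anywhere to :465.
    print(packet_allowed(ACL_FROM_QUESTION, "inbound", 465))  # True
```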

Sendmail and Gmail

Posted: 14 Jul 2022 08:36 AM PDT

I'm trying to send email with sendmail. I followed this how-to: http://linuxconfig.org/configuring-gmail-as-sendmail-email-relay

I tried to send the email over console:

echo "Just testing my sendmail gmail relay" | mail -v -s "Sendmail gmail Relay - New Server" user@gmailcom  

The output of the command is:

WARNING: local host name (server01) is not qualified; see cf/README: WHO AM I?
user@gmail.com... Connecting to [127.0.0.1] via relay...
220 server01 ESMTP Sendmail 8.14.4/8.14.4; Thu, 10 Dec 2015 18:05:36 -0200
>>> EHLO server01
250-server01 Hello server1 [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> MAIL From:<root@server01> SIZE=279
250 2.1.0 <root@server01>... Sender ok
>>> RCPT To:<user@gmail.com>
>>> DATA
250 2.1.5 <user@gmail.com>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 tBAK5aGc015664 Message accepted for delivery
user@gmail.com... Sent (tBAK5aGc015664 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server01 closing connection

But the e-mail never arrives. Can you guys help me?

Logs:

Dec 10 19:03:31 server01 sendmail[16310]: tBAL3Uua016310: from=root, size=279, class=0, nrcpts=1, msgid=<201512102103.tBAL3Uua016310@server01>, relay=root@localhost
Dec 10 19:03:31 server01 sendmail[16311]: tBAL3VCu016311: from=<root@server01>, size=524, class=0, nrcpts=1, msgid=<201512102103.tBAL3Uua016310@server01>, proto=ESMTP, daemon=MTA, relay=corp-poa-pabx1 [127.0.0.1]
Dec 10 19:03:31 server01 sendmail[16310]: tBAL3Uua016310: to=user@gmail.com, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30279, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (tBAL3VCu016311 Message accepted for delivery)
Dec 10 19:03:32 server01 sendmail[16313]: STARTTLS=client, relay=gmail-smtp-msa.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Dec 10 19:03:33 server01 sendmail[16313]: tBAL3VCu016311: to=<user@gmail.com>, ctladdr=<root@server01> (0/0), delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=120524, relay=gmail-smtp-msa.l.google.com. [64.233.190.108], dsn=5.0.0, stat=Service unavailable
Dec 10 19:03:33 server01 sendmail[16313]: tBAL3VCu016311: tBAL3XCu016313: DSN: Service unavailable
Dec 10 19:03:33 server01 sendmail[16313]: tBAL3XCu016313: to=<root@server01>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31757, dsn=2.0.0, stat=Sent

Thanks in advance.

Unable to bind OSX 10.9 to Active Directory 2008

Posted: 14 Jul 2022 09:00 AM PDT

I am struggling to bind OSX 10.9 to a 2008 r2 Active Directory. I can join the domain fine when I boot into Windows from the same machine. From OSX I can find the domain controller successfully and have verified consistency of Active Directory service records (using dig -t SRV _service._tcp.fqdn.example.com to check _ldap, _kerberos, _kpasswd or _gc) but I cannot bind to the domain. I am attempting to join a small network with only one DC.

I receive the message: "Authentication Sever could not be contacted. (5200)"

This is the case whatever method I attempt to use (Join from the Users and Groups pref pane, Bind from the Open Directory utility, using dsconfigad from terminal).

I don't think it is a problem with system time as the time on the client and DC are the same.

Any other suggestions as to the problem or direction as to what to look out for in the log files?

kvm guest can not connect to outside of host, vice versa

Posted: 14 Jul 2022 09:00 AM PDT

I have a VMware VM running Ubuntu 12.04 server (name=vmhost), with the network bridged and full access to the internet.

This vmhost is using the KVM hypervisor and is running a VM (CentOS 6.4), network bridged as well.

The vmhost can access internet and can also access its vm, and the vm can access the vmhost. The vm cannot access the internet, nor can I ping/ssh into it from another pc on my subnet.

I have a bridge for the vmhost/its VM and have checked the iptables/routes but haven't found anything. Also I have ip_forwarding. Running tcpdump I see that vmhost can see the packets but does nothing with them. I have also tried disabling ufw but it didn't help.

Info for VMHOST route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    100    0        0 virbr0
192.168.0.0     *               255.255.255.0   U     0      0        0 virbr0

The vmhost iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Interface file:

auto lo
iface lo inet loopback

auto virbr0
iface virbr0 inet static
        address 192.168.0.21
        network 192.168.0.0
        netmask 255.255.255.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        dns-nameservers 192.168.0.1
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

Brctl show:

bridge name     bridge id           STP enabled     interfaces
virbr0          8000.000c29f8f8e4   yes             eth0 vnet1
vnet0           8000.000000000000   no

THE VM

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:c0:a8:00:20 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.32/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::c0ff:fea8:20/64 scope link
       valid_lft forever preferred_lft forever

ip route

192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.32
default via 192.168.0.1 dev eth0

I will post tcpdump results shortly.

It is also worth mentioning that I am running opennebula with vmhost as my vm host, but I don't think this is the problem.

Mount network drive as physical drive

Posted: 14 Jul 2022 08:43 AM PDT

Is there a way to mount a network location so that it appears as a local physical disk? e.g. \\computer\share as D: (not a network drive)
