Univ426's questions

We have a Tomcat application from a vendor running with Apache in front of it, but we don't have access to the application code. We have our own single sign on wrapped around the application, so if a user clicks "Log Out" in the application, the user is taken to an unused "Login" screen. We would like to redirect that Login screen to the default Tomcat page, but I can't seem to get the syntax right.

I've tried a number of adjustments with no luck (escaping the /'s, etc). Does anyone have any ideas? I already have an HTTP to HTTPS redirect working (included in the directives below).

The "Logout" link goes through a few redirects, ultimately ending on: http://ourserver.com/abc/login

To keep things simple, we'd like to redirect any request for the login page to: http://ourserver.com/

<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
RewriteRule ^/abc/login$ / [L]
</VirtualHost>

I posted this on IT Security but thought it may be more appropriate here. I'm still not sure about cross posting etiquette, so anyone with high enough rep, please feel free to migrate this question

I have a basic to moderate understanding of VLAN's and their pros and cons as they relate to network segmentation but I'm wondering where to start as one moves into virtualized environments.

From a security perspective, how does traditional VLAN segmentation stand up to products/solutions focused on virtual environments, such as VMWare's vCloud Networking and Security product? When you're working with collocated VM's what strategies/technologies do you rely on to segment VM traffic?

I know this may be overly broad, but any starting points would be extremely helpful. For the sake a specific question though, perhaps a good way to put it would be - Do you consider virtual network security products to be at least as good as tradition VLAN's for the purpose of segmenting network traffic?

As volumes larger than 16TB became more common, it was recognized that the 32 bit value used to report disk size and usage within the standard "HOST-RESOURCES" MIB in SNMP was not large enough to report the proper disk size.

Net-SNMP seems to have addressed this issue by simply manipulating the value of "AllocationUnits" to maintain a 32 bit value for disk utilization (since total disk size/usage is equal to the 32 bit space value times the allocation unit), to allow for the calculation of a volume larger than 8/16TB. Presuming you don't have any reporting interest in the allocation unit, and are ok with a small level of inaccuracy. this seems like an elegant solution.

https://bugzilla.redhat.com/show_bug.cgi?id=654384

Window's built in SNMP service, however, seems to continue to suffer from this error, simply reporting the modulo of the used/assigned disk space, resulting in inaccurate disk size reporting.

Is there a way to enable Windows to correctly report disk usage for volumes over 16TB? We attempted to simply install Net-SNMP 5.5 x64 and disable Windows SNMP service entirely, however this unfortunately did not fix our issue.

When using the NetSNMP extensions, the information we collect for the particular disk we're interested in is as follows:

These results are the same regardless of whether we're using the vanilla Windows SNMP service, or NetSNMP.

I've seen people in the Cacti community mention simply scripting out a solution. Unfortunately, we're using Observium for quick and basic systems monitoring. If the issue can't be corrected on the Window's side, can Observium be made to report custom MIBs?

--Update--

Looking into the bug report's mention of adding "realStorageUnits" to the snmpd.conf file, we experienced the following problem when setting that directive:

--Update 2--

Well, after much tinkering, it doesn't look like any of the Windows versions of Net-SNMP like the "realStorageUnits" directive. Including the directive results in a warning when starting SNMP. We tried on version 5.5, 5.6, and 5.7. Has anyone has here ever figured out how to get SNMP to report out 16+ TB volumes on Windows?

I'm working with kernel module parameters, and I've found myself a bit confused.

In particular, I'm attempting to enable posix ACL support for XFS file systems. This requires the XFS module to be loaded with the parameter XFS_POSIX_ACL set to yes. Without it, attempts to set ACL's with "setfacl" result in "Operation not supported" errors.

In a test environment, I ran the command "modprobe -v xfs XFS_POSIX_ACL=y". Despite now knowing that you need to first remove a module before you can set parameters, this command appeared to have worked. After running it, I was successfully able to run "setfacl", set some ACL's and test them with full functionality.

Moving over to production though, it appears - not surprisingly - that simply running "modprobe -v xfs XFS_POSIX_ACL=y" doesn't seem to enable ACL support, likely due to the fact that I haven't unloaded the module first. Running the command produces no output, and attempts to set an ACL result in "Operation not supported" errors.

The problem I'm having, is that after going back to my test environment and attempting to "flip the parameters switch properly," running modprobe -r xfs followed by "modprobe -v xfs XFS_POSIX_ACL=n" doesn't turn off ACL support. I've run modprobe -r in verbose mode, and the module is in fact unloaded (rmmod /lib/modules/...xfs.ko) , but reloading it with the ACL parameter set to NO has no effect.

Any ideas what I might be doing wrong?

RHEL 4.9, 2.6.9-89

Update

It looks like I have the parameter wrong. Looking at dmesg after running modprobe xfs XFS_POSIX_ACL=N:

xfs: Unknown parameter `XFS_POSIX_ACL'
SGI XFS with ACLs, security attributes, large block/inode numbers, no debug enabled
SGI XFS Quota Management subsystem

I found the ACL parameter here: http://how-to.wikia.com/wiki/How_to_configure_the_Linux_kernel/fs/xfs

Any idea what the proper parameter might be? modinfo -p xfs returns nothing and I'm having a heck of a time finding it online.

This may be a canonical question, and it may simply be a function of my inexperience, but I'm curious to know if there are best practices aimed at avoiding dependency hell when you find yourself in an environment with limited access to common, open repositories.

In our specific case, our struggle is working within the context of a large corporation with security policies that severely diminish the ability to access outside repos for packages when installing various software.

How do you balance security with the need for access to public repos? Is there a way to limit the dependance on external repos without making the installation of Linux software impossible? What kind of arguments can be made for the security and reliability of yum or apt-get repos?

A broad question I know - I hope it's appropriate here - but I'm very curious to see what other people's experience in this area has been.

I'm looking for help with what I'm sure is an age old question. I've found myself in a situation of yearning to understand network throughput more clearly, but I can't seem to find information that makes it "click"

We have a few servers distributed geographically, running various versions of Windows. Assuming we always use one host (a desktop) as the source, when copying data from that host to other servers across the country, we see a high variance in speed. In some cases, we can copy data at 12MB/s consistently, in others, we're seeing 0.8 MB/s. It should be noted, after testing 8 destinations, we always seem to be at either 0.6-0.8MB/s or 11-12 MB/s. In the building we're primarily concerned with, we have an OC-3 connection to our ISP.

I know there are a lot of variables at play, but I guess I was hoping the experts here could help answer a few basic questions to help bolster my understanding.

1.) For older machines, running Windows XP, server 2003, etc, with a 100Mbps Ethernet card and 72 ms typical latency, does 0.8 MB/s sound at all reasonable? Or do you think that slow enough to indicate a problem?

2.) The classic "mathematical fastest speed" of "throughput = TCP window / latency," is, in our case, calculated to 0.8 MB/s (64Kb / 72 ms). My understanding is that is an upper bounds; that you would never expect to reach (due to overhead) let alone surpass that speed. In some cases though, we're seeing speeds of 12.3 MB/s. There are Steelhead accelerators scattered around the network, could those account for such a higher transfer rate?

3.) It's been suggested that the use SMB vs. SMB2 could explain the differences in speed. Indeed, as expected, packet captures show both being used depending on the OS versions in play, as we would expect. I understand what determines SMB2 being used or not, but I'm curious to know what kind of performance gain you can expect with SMB2.

My problem simply seems to be a lack of experience, and more importantly, perspective, in terms of what are and are not reasonable network speeds. Could anyone help impart come context/perspective?

We have a windows domain that also has a RHEL member server in it. All the servers have a primary network connection to the LAN, but some servers also have private dedicated links to the RHEL server, which serves as a head to our SAN storage.

This particular server is running Samba 3.5.15, and is running in ADS authentication mode.

Users can access shares on this server without a problem over the LAN connection from our Windows servers, but if a user tries to access the shares over the private link (i.e. a 192.168.1.2 address to the RHEL server) users get an error "The trust relationship between this workstation and the primary domain failed."

When I watch the logs, I get a lot of errors that you'll see everywhere online - one of those situations where nothing fits my situation specifically. Nonetheless here they are, maybe someone will see something I don't:

I get these two errors together three times:

Failed to get schannel session key from server DC for domain DOMAIN

connect_to_domain_password_server: unable to open the domain client session to machine DC - NT_STATUS_ACCESS_DENIED

Then I get these two errors:

domain_client_validate: Domain password server not available

check_ntlm_password: Authentication for user <the user trying to access the share> FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

This set of errors then repeates three times each for each access attempt.