Edward Ned Harvey's questions

On a RHEL 7.4 system, I add the salt-latest repo as follows:

yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm

Notice, amongst other things, this creates the following two GPG key files:

/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
/etc/pki/rpm-gpg/saltstack-signing-key

For later reference, notice the fingerprint of the CentOS key ends with f4a80eb5:

# gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt

pub  4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>
      Key fingerprint = 6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5

Attempt to reposync download:

mkdir /root/foobar

reposync --gpgcheck --plugins --repoid=salt-latest --download_path=/root/foobar --newest-only --downloadcomps --delete --download-metadata

It fails with errors like these:

Removing babel-0.9.6-8.el7.noarch.rpm, due to missing GPG key.
Removing libyaml-0.1.4-11.el7_0.i686.rpm, due to missing GPG key.
Removing libyaml-0.1.4-11.el7_0.x86_64.rpm, due to missing GPG key.

So I manually download all the files that failed (in a for-loop) and check the signatures of their signing keys. They are all the same, so here's just one of them for example:

wget http://repo.saltstack.com/yum/redhat/7/x86_64/latest/base/babel-0.9.6-8.el7.noarch.rpm

rpm -K babel-0.9.6-8.el7.noarch.rpm

babel-0.9.6-8.el7.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#f4a80eb5)

Notice the key PGP#f4a80eb5 matches the key referenced above, F4A8 0EB5. So why is it failing the gpg check?

Things I've tried include:

• I edited /etc/yum.repos.d/salt-latest.repo and changed the gpgkey= line. I got the same failure with all three of these variations. As far as I can tell, changing the gpgkey= line has no effect:

  gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
  gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7-Salt
  

• I tried running reposync without --gpgcheck. It works, but obviously, it's bad to use it this way.

  reposync --plugins --repoid=salt-latest --download_path=/root/foobar --newest-only --downloadcomps --delete --download-metadata
  

• I wonder if reposync is refusing to use the key because it's too weak? MD5. But I couldn't think of any way to confirm or deny this.

• I wonder if the key actually has an expiration date? But I couldn't find any way to confirm or deny this either.

I have a Windows 7 Ultimate x86_64 machine, which is failing to access a network samba server. I launch the "Run" dialog, and type in \\192.168.x.x so I am bypassing DNS and NetBIOS name resolution, and broadcast discovery, just going directly to the server IP address. I ran wireshark and found that the client is trying to connect to the server on port 80, not 445. (This of course fails because the server is not listening on 80; the server is only running samba and nmbd etc, so only port 445 and 137-139 are applicable).

I am aware of this question and I don't believe this is a duplicate, because (a) that question is over 2 years old, on Win XP, and (b) none of the answers there are helping in this case, although that other question has been marked as answered.

The error message is: Windows Cannot Access \\192.168.x.x and when I click "See Details" it says Error Code 0x800704cf The network location cannot be reached

I confirmed that Client for Microsoft Networks is present, and enabled. I even removed it (was forced to reboot) and reinstalled it. No effect.

I disabled IPv6, no effect.

I confirmed the WebClient service is not running. (It is set to Manual, and it's not Running).

I confirmed the TCP/IP NetBIOS Helper service is running. (It is set to Automatic, and it's Running.)

Of course I have rebooted and retried. (Several times and several ways).

The problem seems to exist with an old patch level, and also continues to exist after applying all Windows Updates.

Why would Windows attempt to use port 80 (webdav) instead of port 445 (samba/smb/cifs) to connect file explorer to a UNC path?

net view 192.168.x.x throws an error message on the affected client:

C:\Windows\system32>net view 192.168.x.x
System error 53 has occurred.

The network path was not found.


C:\Windows\system32>ping 192.168.x.x

Pinging 192.168.x.x with 32 bytes of data:
Reply from 192.168.x.x: bytes=32 time<1ms TTL=64
Reply from 192.168.x.x: bytes=32 time<1ms TTL=64

But works fine on another client:

C:\Users\eharvey>net view 192.168.x.x
Shared resources at 192.168.x.x

netfiles server (Samba, Ubuntu)

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
myshare     Disk           My Company data storage
The command completed successfully.

I am experimenting with bitlocker deployment via AD at work. Have googled all over the internet, but the most useful reference seems to be:

• http://technet.microsoft.com/en-us/library/cc766015(v=ws.10).aspx

Server 2012 R2, fully updated. Test client is Windows 7 Ultimate 64bit, fully updated.

For some reason, it's not working - How can I find out what's wrong? I created a GPO, linked it to an OU, joined the win7 machine onto domain, and moved the win7 machine into the OU. I would expect it (perhaps incorrect?) to simply start encrypting, and save the bitlocker recovery key into AD somewhere (not sure yet where to find that.) But it does nothing.

Checked in BIOS that the TPM is enabled. I tried '''gpupdate /force''' and rebooting the win7 machine ... But still, nothing.

• Computer / Policies / Admin Templates / System / TPM Services
  • (Disabled) Turn on TPM backup to AD
• Computer / Policies / Admin Templates / Windows Components / Bitlocker Drive encryption
  • (Enabled) Store bitlocker recovery info in AD (Server 2008 and Vista)
• Computer / Policies / Admin Templates / Windows Components / Bitlocker Drive encryption / Operating System Drives
  • (Enabled) Enforce drive encryption on operating system drives

The first thing I notice is that it only says "2008 and Vista" ... Are there supposed to be some additional settings somewhere else for Win7 and 8?

Gosh, it would be really nice to find some way of diagnosing why it's not working, rather than guessing blindly... Also, if anyone has done this successfully and documented the process?

There are lots of articles out there describing how to architect your replication toplogy, and all the reasons why, and they all boil down to conserving bandwidth, and achieving a convergence time that is acceptable for your organizaiton.

In my mind, AD replication is a tiny amount of data, and I think I would like to tweak the replication frequency to absolute maximum speed. (Which is 4 times per hour within a site, and once every 15 minutes inter-site, whereas the default is 1 time per hour within a site, and once every 180 minutes inter-site.)

I browsed around and found a list of ports & protocols used in AD replication, and there are a ton. LDAP, Kerberos, Ping (ICMP Echo), RPC, etc. Sure I can create a wireshark capture to view that traffic, but it would be a huge massive capture filter, very complex.

So my question is:

Does anybody know any way to measure the bandwidth used by AD replication? I am looking to test my assumption that it's a tiny amount of traffic, basically irrelevant in the modern age where the slowest connection is 3 Mbit.