TrueDuality's questions

I have a web application that handles potentially sensitive information that needs to be exposed more publicly. Unfortunately it has it's own proprietary webserver built in that doesn't support SSL. Due too a software approval process I have to use Apache as the reverse proxy.

I have it almost entirely working, directly accessing any page on over SSL works perfectly but redirects sent by the webserver are not being rewritten. For example attempting to access the root URL https://frontend.example.tld:4000/ when you are not logged in should redirect you to https://frontend.example.tld:4000/login but instead it's redirecting to http://frontend.example.tld:4000/login which results in a BadRequest.

All of the Googling I've done on this have revealed outdated settings that don't seem to be available in apache2 anymore are are suggesting changing the application behind the proxy to handle it (which unfortunately isn't an option).

Here is the relevant portion of my apache config:

<IfModule mod_ssl.c>
  Listen 4000

  <VirtualHost *:4000>
    ServerAdmin webmaster@localhost
    ServerName frontend.example.tld

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    CustomLog ${APACHE_LOG_DIR}/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel info

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/frontend.crt
    SSLCertificateKeyFile /etc/ssl/private/frontend.key
    SSLCertificateChainFile  /etc/ssl/certs/gd_bundle.crt

    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
  </VirtualHost>
</IfModule> 

Elsewhere I have the proxy and proxy_http module loaded.

Update:

Here are the contents of the error message received after the attempted redirect:

Bad Request

Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Hint: https://frontend.example.tld/

I'm just starting to setup DPM 2010 in a test environment with a Domain Controller and a File Server. Everything seem to be working fairly well and I can get all of my backup jobs to succeed except for the "Computer\System Protection" backups.

Both servers are running fully up to date 64 bit Windows Server 2008 R2 Enterprise with Service Pack 1. The error that is being provided is:

DPM cannot create a backup because Windows Server Backup (WSB) on the protected computer encountered an error (WSB Event ID: 517, WSB Error Code: 0x8078001D). (ID 30229 Details: Internal error code: 0x809909FB)

This Microsoft Knowledge Base article describes the issue perfectly and provides a hotfix. I downloaded the hotfix, moved it onto the affected server, attempt to run it and receive the following error:

The update is not applicable to your computer.

I've verified that I have indeed downloaded the 64 bit version. According to this thread the hotfix got rolled into Service Pack 1, yet I'm still experiencing the issue. Both machines do have the Windows Server Backup feature installed.

Can anybody point me in the right direction? What am I missing?

After searching extensively online and on this site I haven't found an answer. I've seen other users that have 'Send As' permission issues but that is not entirely the case here...

We have an Exchange 2007 server running. Most of our users connect either via webmail or IMAPS/SMTP. Occasionally I've had a few user's report that they were unable to send mail. I'd check their 'Send As' permissions and sure enough 'NT AUTHORITY/SELF' was missing. I'd add it back in and all would be well.

What happened to my account yesterday made me think this was a symptom of an ongoing problem. I had that error happen to me went in and checked and sure enough me 'Send As' permissions didn't include 'NT AUTHORITY/SELF'. I added the permission back and went about my business. Two hours later the same thing happened and I had to re-add the permission. This morning it happened once again. My account had not locked out or otherwise been disabled though I don't think that should have any effect on the permissions anyway.

Does anyone have any idea why users would spontaneously have 'NT AUTHORITY/SELF' removed from their 'Send As' permissions?

I'm replacing our Windows 2003 print server with one running on Windows 2008 R2. I have connected and configured all of our printers and can successfully print to them from the server itself. All of the printers are shared and user's have permission to print on all of them.

Whenever one of our clients attempts to connect through the shares they receive the following error message:

Operation could not be completed (error 0x0000709). Double check the printer name and make sure that the printer is connected to the network.

No messages are generated on the client Event Log nor is anything generated on the server.

I have reinstalled the drivers as suggested by a few forum posts I came across and it didn't solve the issue. There are twelve different printer drivers and they are all experiencing this issue so I believe it is unrelated to the driver.

I have disabled UAC on both the client and server since that has caused so many headaches before, but it too did not solve this problem. Does anyone have any idea what may be causing this?

We recently upgraded our domain controllers to Windows Server 2008 R2 (Still at functional level 2003).

I went to make a change to one of our login scripts in the SYSVOL\{domain}\scripts\ directory, despite the account I was logged in with having Enterprise Administrator and Domain Administrator permissions it will not let me edit the scripts or add new ones.

I've tried googling around to see if I can find any information but so far I'm turning up dry. Does anyone have any idea how I could fix this?

So I am experiencing some weirdness on one of my servers. It has two on board gigabit ethernet ports on it's motherboard both of which seem to have been detected correctly (Broadcom NetXtreme II Gigabit Ethernet). Both ports are plugged into two separate managed switches on the same subnet.

I have given both eth0 and eth1 independent IP addresses on the same subnet (10.0.10.20 and 10.0.10.30 respectively). I have verified that I can ping both of them.

On the managed switches if I turn off the port that eth1 is connected too I can no longer ping 10.0.10.30 as expected. Turning the port back on resume the service. When I turn off the port that eth0 is connected to I can no longer ping either address. Turning the port back on resumes the service for both addresses.

"ifdown eth0" also takes down both interfaces (though ifconfig shows eth1 as still up)

If I put eth0 on a separate network while still being physically up I encounter the same problem of both interfaces not responding (this is my biggest issue with this problem).

There are no errors generated in the boot log or messages log, and the messages log reflects that both interfaces go completely down whenever I take eth0 off the same network as eth1 for any reason.

The only errors that I have seen what-so-ever are on ifconfig where at the very bottom of eth0 and eth1 it will show one of three messages (they are not consistent and not always there). The messages are:

Interrupt:185 Memory:ea000000-ea012800

Interrupt:17

Interrupt:18

Googling those has resulted in some vague questions, but never a solution.

We recently started leasing a small new site and part of the agreement was to have the owner of the building provide a point to point link between our main site and this building and we would purchase configure and maintain the hardware. The job fell on me to configure the two routers (1841s with CSU/DSU cards).

I unfortunately am not very Cisco savvy and I'm hoping to find some help here. I'm hoping to configure the two routers to essentially work like a standard ethernet cable. They need to be on the same subnet as one of our other departments (not NAT'd). The only examples I can find online involve both ends of the router being on separate subnets.

On our main site I have a port ready with the subnet I need. Can anyone out there provide me with some help?

I have installed the Print and Document Services role on a fresh Windows Server 2008R2 Enterprise box that is fully updated and on my domain. I have a second hard drive "E:\" that I would like to have my spooler on.

Whenever I change the spooler folder in the print server properties to "E:\" and click "Ok" it gives me the error "Unable to save server settings. Access is denied." There is no event log generated.

I am using a Domain Admin account and UAC is disabled on the server. Does anyone know why this is happening?

I just did a fresh base install of fedora 12, and did a yum install 389-ds. I went through the included setup script (setup-ds-admin.pl) and everything started fine and was working normally. I could access the directory server and login using the directory manager account created during the setup.

After a reboot I tried starting the dirsrv service using the following command:

[root@test-ds ~]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin:                                  [  OK  ]
[root@test-ds ~]# /etc/init.d/dirsrv start
Starting dirsrv: 
test-ds...
[26/Feb/2010:14:59:11 -0500] dse - The entry cn=config in file
/etc/dirsrv/slapd-test-ds/dse.ldif is invalid, error code 53
(DSA is unwilling to perform) - nsslapd-errorlog-mode: Failed to chmod
error log file to 600: errno 1 (Operation not permitted)

[26/Feb/2010:14:59:11 -0500] dse - Could not load config file [dse.ldif]
[26/Feb/2010:14:59:11 -0500] dse - Please edit the file to correct the
reported problems and then restart the server.
                                                           [FAILED]
  *** Warning: 1 instance(s) failed to start

If I turn off SELinux with "setenforce 0", it can start without any issue. There are no entries generated in /var/log/audit/audit.log like I'd normally see for an SELinux error but it's infinitely repeatable turning SELinux on and off with setenforce.

I am trying to remove a public folder database on an Exchange 2007 SP2 mailbox server so the role can be removed. I used the PowerShell script that comes with Exchange (MoveAllReplicas.ps1) to migrate the replicas to another server. I verified that they are there and removed the replicas on this server. However there are five, all seem to be related to Outlook 2003 that give me this error whenever I try and remove them:

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
Action 'Remove' could not be performed on object 'SCHEDULE+ FREE BUSY'.

SCHEDULE+ FREE BUSY
Failed
Error:
The folder '\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY' or some of its subfolder(s) encountered errors and could not be deleted.

MapiExceptionPartialCompletion: Unable to delete folder. (hr=0x40680, ec=0)
Diagnostic context:
    Lid: 18969   EcDoRpcExt2 called [length=54]
    Lid: 27161   EcDoRpcExt2 returned [ec=0x0][length=85][latency=0]
    Lid: 23226   --- ROP Parse Start ---
    Lid: 27962   ROP: ropDeleteFolder [29]
    Lid: 17082   ROP Error: 0x80070005
    Lid: 19297  
    Lid: 21921   StoreEc: 0x80070005
    Lid: 27962   ROP: ropNone [0]
    Lid: 26881  
    Lid: 21817   ROP Failure: 0x80070005
    Lid: 24721  
    Lid: 20625   StoreEc: 0x80070005

I am under a time constraint so I'm hoping someone out there will be able to help me.

I've run into an issue with a piece of third party software that creates it's own alias file to be used by sendmail. Looking through the configuration options, google, and the man pages it seems like I can only define one alias file which means either I only get all the software's addresses or all of the local aliases.

I have tried appending my own entries to the software's alias file but it gets rebuilt everytime there is a change of addresses and my entries get blown away.

My question is, is there a way to define addional alias files in sendmail.mc or to include additional addresses from another file?

A critical security update came out a while ago, that I have been unable to install. I've spent the better part of today trying to figure this one out and I'm stumped. I've tried using the automatic update, as well as manually downloading the update from the Microsoft website.

My systems are running Windows Server 2008 Enterprise x64. This same update is failing on three independent and isolated servers (the only Windows Server 2008 servers I have access to).

Whenever the system attempts the update I get the following error:

Installer encountered an error: 0x8007000d The data is invalid.

And it creates an companion event log seen below:

- System 

  - Provider 

   [ Name]  Microsoft-Windows-WUSA 
   [ Guid]  {09608c12-c1da-4104-a6fe-b959cf57560a} 

   EventID 3 

   Version 0 

   Level 2 

   Task 0 

   Opcode 0 

   Keywords 0x8000000000000000 

  - TimeCreated 

   [ SystemTime]  2009-10-26T18:00:08.659Z 

   EventRecordID 11 

   Correlation 

  - Execution 

   [ ProcessID]  6732 
   [ ThreadID]  6592 

   Channel Setup 

   Computer server.example.com 

  - Security 

   [ UserID]  S-1-5-21-1868723478-1673120740-2095933981-27156 


- EventData 

  UpdateTitle  
  ErrorCode 2147942413 
  ErrorString The data is invalid. 
  CommandLine "C:\Windows\system32\wusa.exe" "C:\Users\admin\Desktop\Windows6.0-KB967723-x64.msu"

Does anyone have any ideas?

Something changed today. I can't seem to track down what, but one of our 3750s decided that it was going to forward all the multicast traffic it saw from the ghost server across every VLAN it has.

I've tried writing a simple access group that consists of the following:

access-list 100 deny ip any 224.0.0.10 0.0.0.255
access-list 100 permit ip any any

I apparently mistakenly assumed that once applied to an interface that it would block all of the multicast traffic on that interface regardless of VLAN.

I do not want any multicast traffic flowing through this particular switch to any VLAN or even to stay on the same VLAN beyond this switch. Does anyone have any ideas?

We are currently in the beginning stages of migrating from Exchange 2003 to Exchange 2007. We have got to the point where internal mail between the two systems is working perfectly with all of our testing accounts, the problem is now that Exchange 2007 is not able to send email to external domains.

Seems like an easy enough problem, I've googled it read many articles that have all said the same thing. Create an Internet Send Connector with an address space of '*' and a cost of '1', use domain name system '(MX)' records to route mail automatically.

After reading through that on so many different sites including technet I finally went ahead and did just that. I sent an email to an external address from one of the testing accounts and it didn't make it. I went and checked the mail queues on the hub server and the Unreachable queue had several hundred other messages in it! All email destined for the Internet from the Exchange 2003 side started trying to get out through the Send Connector which still couldn't send to the internet.

I disabled both the Windows Firewall and the Anti-virus in case one of them was preventing the mail from getting sent, and the Unreachable queue kept growing. I deleted the Send Connector and after a few minutes mail started routing out to the Internet as normal.

There was only two other thing that I thought might be going wrong. I checked using nslookup that the domain were resolvable by the server, and manually connected to the remote SMTP servers from the server using telnet to verify that the connections could be opened, both worked.

The diagnostic tools built into Exchange 2007 told me nothing more than 'A matching connector can not be found' even with the * connector. I'm stumped can anybody help me?

In our old Exchange 2003 setup, we had two Exchange servers. Neither one was a front-end server so people on server1 would need to go to https://server1.example.com/Exchange and people on server2 would need to go to https://server2.example.com/Exchange to check their mail (we had friendlier redirects setup). We require SSL on both instances of the webmail.

We are now beginning a transition to Exchange 2007 and a cleaner more user-friendly setup. We currently have the CAS server setup, and everything looks like its working so far at this point except for one little detail. When a legacy user attempts to logon to the CAS server, the CAS server is supposed to automagically switch them over to their appropriate mailbox server. This works to a point...

When a legacy user logs into the CAS server (for example sake the user's mailbox is on server1) the CAS server redirects them after a successful logon to http://server1.example.com/Exchange (note the lack of https). They then get presented with a not so friendly error telling them to use an https connection.

I can't seem to find documentation anywhere on this. Does anyone have any ideas?

Edit: As a clarification I would like the CAS server to correctly redirect to the https page. Could this be a setting on the 2003 servers?

I'm just starting the migration from Exchange 2003 to Exchange 2007. Almost immediately I stumbled across this problem. I have performed the ForestPrep and DomainPrep and started installing the Hub Transport Role.

During the prerequisite check it give me the following warning:

Warning: Setup cannot detect an SMTP or Send connector with an address space of '*'. Mail flow to the internet may not work properly.

Needless to say I want my mail flow to the internet to work properly...

This thought occured to me and while not an actual problem I'm curious to know. When a virtual machine syncs it's clock with the hardware clock does that sync the hardware clock of the host? Change to software clock of the host? Does the time difference between the host and software get stored in a VM's file? Does nothing at all happen?

I know this is a random and seemingly meaningless question but I like to understand what goes on under the hood of all my systems. The direct use case for me is NTPD's SYNC_HWCLOCK in a linux Xen VM but I'm curious about other virtualization platforms as well since they all operate differently.

After installing and configuring both MySQL and rsyslog with the mysql extensions I get the following error in /var/log/messages:

rsyslogd:db error (2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)

I can connect through the socket using the mysql client by specifying '--socket=/var/lib/mysql/mysql.sock'.

I have narrowed the problem down to selinux permissions. The /var/log/audit/audit.log file has this to say:

type=AVC msg=audit(1244654592.150:320): avc: denied { search } for pid=6382 comm="rsyslogd" name="mysql" dev=xvda3 ino=1369538 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

Turning selinux in permissive mode does solve the problem. This is going to be production server and leaving selinux in permissive mode is not an option.

Running restorecon on /var/lib/mysql/mysql.sock also does not solve the problem. Can anyone out there give me a hand?

Edit:

So my quest continues, heres an update. I ended up creating an semodule to explicitly allow this behavior. To do this I did the following (as root):

# cd /var/log/audit/
# grep mysql audit.log | audit2allow

It outputed this:

#============= syslogd_t ==============
allow syslogd_t mysqld_db_t:dir search;
allow syslogd_t mysqld_var_run_t:sock_file write;
allow syslogd_t mysqld_t:unix_stream_socket connectto;

Those were indeed the permissions I wanted to grant to rsyslog... so I compiled it into a module according to RedHat's instructions and installed it using the semodule command.

After attempting to restart the rsyslog service the error continues and there are no new 'denied' messages in the audit log. Anybody have any ideas?

In the past with Windows Server 2003 I was able to ship the event logs to a central network syslog server using evtsys (https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys). It does not mention support for Server 2008 but does mention problems with sending Windows Vista logs.

Are there any good services/utilities or even PowerShell scripts (preferably one of the other ones as this wouldn't be continuous) that could send the event logs to a central syslog server?