Bart De Vos's questions

We've built a rather large RemoteApp environment on 2012 R2, fully patched. Everything is working fine, so now comes the time to offshore and delegate tasks to the first line team.

We would like to be able to have our first line guys manage the sessions. If, for example, a session would hang (lost connection to the profile drive). They should be able to log off the session.

I've tried setting permissions like this on all servers:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "ADMIN\MyGroupWithPeopleManagingTheTS",2

But to no avail, they can't open Server Manager > Remote Desktop Services, because they can't connect to the RD Connection Brokers.

If they open up task manager and try logging off users there, they don't have the appropriate rights. This option is also not the best because it would require them to go and look on each server if the user is logged on there (auto load balanced across multiple servers and regions).

So, basically: How can members of a certain group log users off, without giving them admin permissions on the machine?

This is how I would do it on 2008, but the tools are no longer available: https://technet.microsoft.com/en-us/library/cc753032.aspx

We have a RemoteApp deployment (Web, Gateway, High Available Connection Brokers, ...). We use profile disks stored on a file share. We publish most of our applications, but from time to time, a user needs a full fletched desktop.

That's why we also published mstsc with the path to the original .rdp-file from when there were no applications published.

This all works fine, unless a user has an application open when they open the desktop. The server fails to mount their profile disk (because it's already mounted by the session providing the application and thus locked).

This causes the session host to load a temporary profile.

Is there any way around this, while still using User Profile Disks?
Is it possible to get the session that is providing the apps when opening the desktop somehow?

We are trying to acquire a new certificate/label. In order to get this certificate/label we need to monitor the creation of mailboxes in Microsoft Exchange.

We are currently using Microsoft ACS (Audit Collection Services), but if a mailbox is created we are not able to get it in the logs. There is nothing in the evntvwr.

Is there a way to log the creation of a new mailbox in Exchange 2003/2010?

I'm trying to enable SELinux on a CentOS 5.5 server with Squid 3.1.12 that handles authentication via ncsa_auth.

When I turn off SElinux everything works fine, but when I enable it, Squid crashes on the authentication-plugin, ncsa_auth.

This is the error message:

May 29 19:12:21 us squid[1458]: Squid Parent: child process 1493 started
May 29 19:12:21 us kernel: printk: 27 messages suppressed.
May 29 19:12:21 us kernel: type=1400 audit(1306696341.922:74): avc:  denied  { execute } for  pid=1494 comm="squid" name="ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
May 29 19:12:22 us (squid): The basicauthenticator helpers are crashing too rapidly, need help! 
May 29 19:12:22 us squid[1458]: Squid Parent: child process 1493 exited with status 1
May 29 19:12:22 us squid[1458]: Exiting due to repeated, frequent failures

When SELinux is permissive, these are the warnings I'm getting:

May 29 19:25:27 us kernel: type=1400 audit(1306697127.741:81): avc:  denied  { execute } for  pid=1524 comm="squid" name="ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
May 29 19:25:27 us kernel: type=1400 audit(1306697127.741:82): avc:  denied  { execute_no_trans } for  pid=1524 comm="squid" path="/opt/squid-3.1.12/helpers/basic_auth/NCSA/ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file

The ncsa-auth:

[bart@us NCSA]# ls -alZ ncsa_auth
-rwxrwxrwx  root root user_u:object_r:usr_t            ncsa_auth

I think he expects the label to be unconfined_u:system_r:squid_t:s0, but I have no idea how to set it properly. After I tried setting it with:

chcon unconfined_u:system_r:squid_t:s0 ncsa_auth

I got the following error: chcon: failed to change context of ncsa_auth to unconfined_u:system_r:squid_t:s0: Invalid argument

I'm trying to forward an FTP-server with IPTables. The FTP-Server is running on a Windows 2008 box (Cerberus).

Details Win Box:

• IP: 192.168.220.51
• FTP-Port: 21
• PASV-Ports: 11000-13000

The FTP-server works great in LAN.

The router is working fine for other clients (Serving NAT, DHCP, Firewall,...). I need to forward the FTP-service to the outside world, but I can't use ports 20-21 (already taken).

I tried this, but it didn't work:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 2121 -j DNAT --to 192.168.220.51:21

Current IPTables config:

[root@router ~]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
2    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  127.0.0.1            0.0.0.0/0           
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67 
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:68 
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1194 
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
11   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
12   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
13   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
14   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           
15   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Any help would be great :-).

Bounty-Edit: I have not been able to figure this out, any help would be greatly appreciated.

EDIT2

I'm able to telnet into my FTP-server now, after running there commands:

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 2121 -j DNAT --to 192.168.220.51:21

I'm starting to get there... I think I just need to get my PASV-Ports working now...

EDIT3: Extra Info

[root@router ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 3251 packets, 154K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  540 48534 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
4270K 5625M ACCEPT     all  --  *      *       192.168.220.0/24     0.0.0.0/0           
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:68 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1194 
   65  8487 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
    8   404 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
63870   81M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  974  224K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  638 34956 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 

Chain FORWARD (policy ACCEPT 3578K packets, 3355M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2275K packets, 703M bytes)
 pkts bytes target     prot opt in     out     source               destination  



[root@router ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 33954 packets, 2595K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2121 to:192.168.220.51:21 

Chain POSTROUTING (policy ACCEPT 5925 packets, 699K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
27170 1785K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 5777 packets, 457K bytes)
 pkts bytes target     prot opt in     out     source               destination  

Solution

This is how I did it, might not be very pretty, but it works.

[root@router ~]# iptables -t nat -I PREROUTING -p tcp --dport 2121 -j DNAT --to 192.168.220.51:2121
[root@router ~]# iptables -I FORWARD -p tcp -d 192.168.220.51 --dport 2121 -j ACCEPT
[root@router ~]# iptables -t nat -I PREROUTING -p tcp --dport 11000:13000 -j DNAT --to 192.168.220.51:11000-13000
[root@router ~]# iptables -I FORWARD -p tcp -d 192.168.220.51 --dport 11000:13000 -j ACCEPT

Some extra notes: The FTP-server is listening on bot 21 an 2121 and the PASV-range is set from 11000 to 13000

We have a backup application that runs once every 12 hours.

Multiple servers, desktops, and laptops connect to an EC2-instance and push a backup via SFTP using their own log-in credentials.

If they need to recover a file, they can browse files via a simple SFTP-Client and restore their files. This has been running very well for the last 8 months.

I would like to know how many data is transferred on a monthly basis, per user via SSH. I don't need the logs for the past 8 months, but something that would record it starting now would be great.

Is there anything that allows me to do this?

OS: Ubuntu 10.10

I need to create the network below:

Facts:

• The router is a Linux box (don't care about the flavor), it has 2 NIC's.
• The switch is unable to support VLAN's.
• The servers need a WAN-IP. NAT is not an option.
• This is all I get to work with (yeey budget-cuts).

How do I go about building this router (that isn't always a router)? Some of the servers need an IP that is assigned by the ISP based upon the MAC-address but the DNS-discovery doesn't travel over the router. Is there any way I can tell dhcpd to pass these requests to the ISP? Will I have a problem with routing?

I've looked into virtual nics but couldn't find a solution for my problem. I'm open to all suggestions at this point.

I'm looking for a (or multiple if needed) system with web interface to monitor a number of remote networks. All of these networks contain multiple clients, servers, routers, switches, printers, ...

Some info we would like to gather is the remaining ink supply in printers (via SMNP), checking the status of clients (remote assistance via VNC, RDP,... is a plus), monitor network load, check if services are still up, be notified if anything goes down... You get the picture.

The servers are mixed Windows and Linux (CentOS and Ubuntu), clients are mostly Windows.
So far, I have already investigated some possible solutions:

• Nagios (Monitor services)
• Cacti (Monitor server/network)
• OCS (Monitor clients)

Can anyone recommend one of these or suggest something else? Does anyone know of a good implementation for Nagios (like Centreon)?

One solution for all of these problems would be great.

I know Apple's article about SSH. I know the video about how to log in to Mac by SSH.

I have the following settings in MacBookA

I am trying to connect to it by the command in the picture in MacBookB

ssh <username>@<address>

where and are my appropriate username and address, respectively.

I get the following error message

[1448]ssh <username>@<address> 
ssh: connect to host <address> port 22: Operation timed out
[1448]

I have MacbookA on. I put the user of MacbookA online and offline by MacbookA, then tried to log in MacbookB's terminal with Operation timed out -error.

How can you connect to your remote Mac by SSH in terminal?