@JaredBusch said in Replace your Netgear router if you have one.:

@Dashrender said in Replace your Netgear router if you have one.:

@travisdh1 said in Replace your Netgear router if you have one.:

I've moved my family to ER-X+UPA-AC-XXX now, forget that consumer grade crud.

ug, can't recall, these do not have an option for auto updating... assuming they don't, not really good for consumers.

WTF? You quoted the part about Ubiquiti. No UniFi or EdgeMax gear has auto updates. It is not for consumers.

Unifi offers it now.

@JaredBusch Might take another look then... My FTTH comes in as a tagged VLAN and it wouldn't pick up a dhcp lease on v2, even after a few reboots but once I downgraded to v1 it picked up the lease from the ISP right away.

Yeah this is bread and butter for config management tools. You'd either use a template for the config or the lineinfile module for Ansible.

Your template would have something like this:

PermitRootLogin {{ root_login_enabled }}

In it and then you can control which servers allow root login with the root_login_enabled variable.

@Obsolesce said in Searching for text in file:

@dafyre said in Searching for text in file:

@Pete-S said in Searching for text in file:

If you have a text file that looks like this:

start_folder='/folder1/abc.txt' iterations='123' passphrase='xyz' last_command='invoke' return_value='0'

How can you pick out just xyz when looking for "passphrase"?

I know grep will get me the line but what should I use if I want just a part of the line?
Can it be done in one command or do I have to pipe several together?

If you the text has a character that would be a good delimiter, you can pipe grep to cut... ie:

cat myfile.txt|grep "iterations"|cut -d '=' -f 2 Output: '123'

the -f # is which column you want.

There may be other ways to do it, but that's the first way I can think of.

You can specify a file with grep, no need to pipe in from cat.

This is true! I always seem to get it backwards when I do that, so i just cat $thefile | grep | blah ... Cuts down on frustration, ha ha.

@Pete-S said in Utility to change raw data?:

I think I might have a solution with dd and printf.

printf "8718\r\n0x23abc\0x00" | dd of=raw.bin seek=2345 oflag=seek_bytes

Something like that.

Interesting. Makes sense though.

@openit said in Building your own lab:

@scottalanmiller @Pete-S
Do we have any complete post or article on ML which describes how to build a Lab with design, like server, switch etc. arrangement.

Really appreciate, if someone can provide any links, which gives complete lab design, to prepare me as a good Windows System Administrator, which should include all tasks, activities a typical SysAdmin requires.

https://www.servethehome.com/

Some tasks would be setting up a monitoring alert system that alerts you of reboots, account lockouts, high CPU usage, disk usage, network, etc. Get familiar with using PowerShell to manage your Windows systems. Setting up a Dev or test to in order test your Windows or 3rd party applications before deploying to production.

@Pete-S said in Is certbot the best way to handle Let's Encrypt certs?:

@stacksofplates said in Is certbot the best way to handle Let's Encrypt certs?:

Lego is another good one from what I've seen. It does all 3 challenge types.

https://go-acme.github.io/lego/

Thanks, might have a look at it next time.

I went with certbot this time because it was very clear what needed to be done. Debian has a package for it's all you need to do is have a http server up and running and then:

# apt-get install certbot python-certbot-apache # certbot --apache

It will do everything for you - create & install the certificate, set up redirection from http to https, set up a job that updates the cert etc.

The site has instructions for every common OS (redhat, ubuntu etc) and http daemon (apache, nginx etc) combination.
https://certbot.eff.org/lets-encrypt/debianbuster-apache

Yeah certbot is the easiest. Lego is just more flexible and you only need the binary. Def start with the easiest for now.

I ran some test on a VM and created some groups and added some top-level directories for those groups.

Changed the group on each top-level directories and files below recursively with chown -R.

Set directories to permission 2770 and files to 0660 with chmod -R.

Changed smb.conf and added create mask=0660 and directory mask=2770.

Now new files and directories created on the share have the right permission and belongs to the right group automatically, simply depending on what group the top-level directory belongs to.

If you're not a member of a group, you will not even see the directories or files that belongs to that group.

I think this is a good interim solution without too much work. Then moving to onedrive or whatever can be done in the future on a department to department basis.

Only admin required for adding users is to add them to linux/samba and make sure they become members of the right groups.

It's also very simple to make a separate share out of the top-level folders if you wanted.

@Pete-S said in What's behind the scenes of Windows network discovery?:

Just found out with some network sniffing that Win 10 is not using DNS to find the IP for hostnames. It's using multicast queries. WTF.

First something called LLMNR (Link-local Multicast Name Resolution). If you ping xyz, it will ask for xyz.

Secondly it will use mDNS (multicast DNS). If you ping xyz, it will ask for xyz.local.

Well, I found out why.

If you don't have a DNS suffix in the network settings, Win10 will use multicasting to try to resolve a hostname that doesn't have a top-level domain suffix (such as xyz).

If you have a DNS suffix in your settings, it will use standard DNS.

@coliver said in How to download Win 10 Enterprise ISO.:

@JaredBusch said in How to download Win 10 Enterprise ISO.:

@Dashrender said in How to download Win 10 Enterprise ISO.:

or you could just download it from VLSC.

But the gets around having to deal with signing in to VLSC which sucks balls most days.

If it even works in a modern browser.

If it even works. Full stop.

@JaredBusch

Nevermind - never knew that was an option

Problem solved:
822F2316-4113-4C17-BADF-7EF235C1012A.jpeg

You’re welcome.

I have my name and title and I think my cell phone in my outlook signature. We have 450,000 employees so there's times when I get emailed or email someone and they have no idea who I am. I don't have a signature on my phone.

We are using Teams and Slack so it has been working fine. Too many chat applications that are free and available...

@stacksofplates said in Password manager for ordinary users?:

I'm not sure what there is to 'release' though. Chromium works natively on Linux right now, I don't see what they would have to do.

All their extras and stuff. There's already a beta insider for linux and Mac released in may. They have an Android version (and I assume iOS too)

I guess the beta isn't open yet.. but I can download it when logged in to my insiders account.

https://www.microsoftedgeinsider.com/en-us/

Another advantage to application containers is integrations with things like VSCode. Your whole dev environment for a project can live in the container. It makes entry to helping with projects much easier. For example you can include a Dockerfile in your project and VSCode will build the container according to your Dockerfile. Then you can have VSCode spin up the container and attach to it and you can do the development inside of the container. That way the contributors don't need to install anything on their systems to work with your project. It's a really nice work flow.

@StorageNinja said in RAID rebuild times 16TB drive:

@scottalanmiller said in RAID rebuild times 16TB drive:

Its a system, not an IO, bottleneck typically. Especially with RAID 6. Its math that runs on a single thread.

Distributed storage systems with per object raid FTW here. If I have every VMDK running it's own rebuild process (vSAN) or every individual LUN/CPG (how Compellent or 3PAR do it) then a given drive failing is a giant party across all of the drives in the cluster/system. (Also how the fancy erasure code array systems run this).

Yeah, that's RAIN and that basically solves everything 🙂

Yes, email providers will send you reports when they get emails from your domain.

You do not necessarily have to ever go from quarantine to reject, some mail providers, like O365, treat them the same. But you would want to wait for reports to come in to see if there might be stuff that might be failing the the business would want to go through.

@black3dynamite said in Is it possibe to remove local admin on Windows Server?:

@dbeato said in Is it possibe to remove local admin on Windows Server?:

@Grey said in Is it possibe to remove local admin on Windows Server?:

@dbeato said in Is it possibe to remove local admin on Windows Server?:

@Grey said in Is it possibe to remove local admin on Windows Server?:

@pmoncho said in Is it possibe to remove local admin on Windows Server?:

@dbeato said in Is it possibe to remove local admin on Windows Server?:

@Pete-S said in Is it possibe to remove local admin on Windows Server?:

ve the local admin account on Windows Server that belongs to a domain? Or prevent logins.
Or is always possible to login as local admin (if you know the name/passwd)?

I wouldn't disable the local admin of a server, it would come handy if you need to restore stuff or remove and add from the domain. LAPS works but beware 🙂

I agree with @dbeato. When sh$% hits the fan with the server, no networking or no cached credentials, you will long for a local admin account.

I do disable the Administrator account after creating my own local admin with 20+ char strong password. Less worries on both the security and DR front.

Yes, but if you have physical or kvm access, even virtual, you can use linux ntpass to turn on the admin account and reset the password. This would be the last resort if you really lost the admin access, which is rare.

Not since UEFI... At least it doesn't work with Windows 10 and subsequent kernels.

I can imagine you had problems because of bitlocker or something similar, but not UEFI, unless the system was locked out to only boot a certain way through config. Maybe you could test a UEFI boot with a Hiren's USB boot just for fun?

I have tried with the latest Hiren's Boot drive and still doesn't work for Windows 10 for some reason in UEFI... Even if it was bitlocker I could always decrypt and then use it if worked properly. At least the old ntpasswd didn't work (this one https://pogostick.net/~pnh/ntpasswd/) With WIndows 10. Just for giggles I will try it on a VM today with this https://www.hirensbootcd.org/howtos/

You just use Ubuntu, enable the repo that provides chntpw package to make changes to Windows accounts?

Yeah, I have used that.