Topics created by JaredBusch

@flaxking said in Need and IIS based hosting option aside from Azure:

they could rewrite enough to upgrade to the latest .Net and not have to run on Windows.

And confirmed. They are updating to ASP.Net Core 7

So they can run everything pretty much anywhere. Time to test out Kestrel and YARP it seems.

There is a ppd you can use for cups in the Mac driver.

Primera LX900 - ColorLabelSugned - Payload~~ - Library - Printers - PPDs - Contents - Resources - CL900.ppd

@JaredBusch said in Zerotier installs but no conectivity on Fedora 38:

@syko24 said in Zerotier installs but no conectivity on Fedora 38:

@JaredBusch - I know their site says Windows, but maybe something related with the firewall rules getting messed up.

https://discuss.zerotier.com/t/attention-zerotier-on-windows-users-please-update-your-client-s-to-1-10-6-or-later/12706

I temporarily shutdown firewalld on both systems as well as disabled selinux.

While I doubt it's the issue - ZT has it's own firewall rules, any possible issue there?

@Eric-Ross said in CentOS 7 VM won't boot after migration to Proxmox:

@JaredBusch Ah, too bad that wasn't the fix.

I didn't bother at the dracut point. I likely could have recovered the system. I simply decided to stop putting off the migration of those workloads.

They were still running CentOS 7 after all.

just updated my instance to current and they still work.
1579617f-7dc9-47f9-93fa-ae1c18fed158-image.png
95300b7c-a57e-4724-bf66-ba5a25a78edf-image.png

@scottalanmiller said in Proxmox hates security:

@Pete-S said in Proxmox hates security:

@scottalanmiller said in Proxmox hates security:

@Pete-S said in Proxmox hates security:

I'm not saying Proxmox is insecure, I'm just saying it wasn't designed with security as it's primary focus.
KVM by default for instance is managed by libvirt and by default doesn't open any tcp ports at all. That gives the administrator the option to decide what level of security versus convenience they want.

Ignoring "by default" in that, ProxMox can be the same. You can close everything up and only manage however you like. You don't have to use the web interface on it, it can be totally shut down. Obviously defeating lots of the purpose, but plausible.

I spend far more time on ProxMox via command line via MeshCentral than via the web interface and the web interface, while we don't lock it down from the LAN in most cases (we run a LOT of ProxMox these days) we primarily access it from the PM host itself from a jump box running on top of it for the cases when the web interface is needed. So while we don't go to the degree of locking it off from the LAN, we could and we wouldn't notice the difference most of the time.

That's not a default, so obviously totally different. But it's a really simple setting.

That's good to know.

We don't use gui anymore either but we're moving away from pre-packaged hypervisors and to pure KVM with libvirt compatible management tools.

We have found that to be the best solution for our use case (high degree of automation and customization).

I'd like to see that for sure. There's a lot of benefit to that, potentially at least.

We're automating a lot.

But the real problem is not the automation itself. The real problem is that automation and standardization is time consuming.

@JasGot said in What to use for new Windows network domain:

No need for split DNS this way.

That is a huge reason.

As an update the solution for Windows 11 now also works for Windows 10 if you are on Windows 10 22H2 and fully updated.

3ecd352e-4e80-4d97-bb2a-742ae38d326a-image.png

@JaredBusch said in Tenant disabling of Basic Auth cause OAUTH iPhone to break:

Disabling of Basic Auth should have done nothing.

If the security setting are changed on an account it makes sense to force users to reauthenticate. It might even be best practice.

I think it works the same on other providers.

But there should be some better mechanism regarding authentication in ios and android.

@scottalanmiller said in Alternative to never in stock Ubiquiti EdgeMax line:

@Pete-S said in Alternative to never in stock Ubiquiti EdgeMax line:

I don't know if that is the case with Ubiquiti but some products in their line sure looks like it.
Looking at the number of employees working at Ubiquiti versus their revenue, also suggests that (most?) of their products are not designed in-house. That's just speculation of course.

Well the Edge line, and this is me guessing, is likely third party hardware that they buy (that's pretty easy) and they basically use an open source OS barely modified. They were half public about that when they started, so it kinda made sense with that line. No idea if they continued that with Unifi and others.

Well, they started with RF-based products so they have that expertise in-house.

It would make sense that their wifi products are developed by themselves and manufactured by OEMs while the rest are ODM products.

That's the quickest way to expand the product range. Otherwise you need a ton of employees. From the info online they're only about 1000 employees worldwide.

@scottalanmiller said in Does the end of O365 Basic Authentication mean no more app passwords:

@Pete-S said in Does the end of O365 Basic Authentication mean no more app passwords:

@JaredBusch said in Does the end of O365 Basic Authentication mean no more app passwords:

Customer has a LoB application called Enfocus Switch.

It has a mail retrieval function that connects via IMAP using an app password on a normal O365 email account with MFA enabled.

It stopped retrieving email on the morning of Wednesday October 12th.

Since Microsoft finally killed Basic Auth on Tuesday, I assume this is related, but I can find no information on this at all.

The vendor do what they do, but I noticed that most applications that need this kind of functionality uses mail forwards from customers mailboxes to their own IMAP mailboxes.

That can be a way to solve this when microsoft kills it. Redirect from customers O365 mailbox to another provider that supports IMAP with normal authentication. Have the LoB application use that inbox instead.

We have customers doing that. Setting up MailCow to get past all the primary vendor security systems.

That makes sense.

I think you could probably run a bare mailserver with just dovecot as well. Since it only needs to handle incoming email from Microsoft and be an IMAP server, there's a lot things that becomes irrelevant - like spam detection, ip reputation etc.

@JaredBusch said in UFW or IPTABLES:

@Pete-S said in UFW or IPTABLES:

So I think the current recommendation is to either stick to ufw or firewall-cmd or just use nft directly.

I try to. This was the first time I've had a need to go outside the box of ufw or firewall-cmd to use direct iptables in years.

Yes, it's only when you need more control.

I've looked into this before and it wasn't not super obvious how all these tools interact. But nowadays ufw and firewalld are services to manage nftables. nftables itself manages the netfilter packet filtering mechanism in the kernel.

The ability to use iptables are just for legacy reasons and they're converted to nftables rules behind the scenes.

Since ufw (canonical project) and firewalld (redhat project) where initiated when iptables was used, I'm not sure their existence is warranted in the same way. At least not by sysadmins.

I'm looking at setting firewall rules automatically in a project and it seems like using nftables directly makes the most sense. That said I have to learn nftables first 🙂

Tested and it works all the time by hostname instead of IP.

It finally finished..
5624900b-cb96-41ee-b8f1-29373e262692-image.png

While I was waiting, I looked at pvecm status and found out it thought I had 4 nodes (see expected votes), when I only have 2 nodes.

76a4d9f9-18ba-4fe5-af47-4ea037892bfc-image.png

I used pvecm expected 2 on both and suddenly the updates moved on and I was able to log in to the web interface immediately.
d5ecd18f-8e07-4222-afea-0b04d215775c-image.png

In the web interface, it showed a pve3 and pve4. These were some test setups I did months ago.
I deleted the nodes from the CLI and everything looks clean again.
782c49e5-1457-499d-8c58-5afbc3c2efda-image.png

As an update to this, the issue is not resolved, but I purged a couple old nextcloud user accounts, that once deleted, and got enough space to get the needed users fully sync'd again.

I'll be spinning up a new Nextcloud instance and simply manually migrating users to it I think.

I'll be spinning up a new Nextcloud instance and simply manually migrating users to it I think.

@JaredBusch
Thanks.