IPsec and PMTU problems

This post has a very good explanation of the problems I’ve been suffering with my IPsec tunnels recently:

MTU woes in IPsec tunnels and how you can fix it

Two things have fixed my stalled transmissions over IPsec tunnels:

  1. Clamping the MSS of the IPsec connections to 1280
  2. Setting the sysctl net.ipv4.tcp_mtu_probing=1
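The following sh script is an added example, not code from the original post, that applies both fixes in one place: it clamps the MSS on TCP SYN packets that enter or leave an IPsec policy (iptables `policy` match plus the `TCPMSS` target), turns on `net.ipv4.tcp_mtu_probing`, and refuses an implausible MSS before touching the firewall. The function names, the `DRY_RUN` switch and the `apply` argument are assumptions of this example; applying the rules needs root and an iptables build with the `policy` match.

```shell
#!/bin/sh
# Added example: apply the two IPsec PMTU fixes from the post.
# Usage: ipsec-mss.sh apply        (as root)
#        DRY_RUN=1 ipsec-mss.sh apply   (only print the commands)
set -eu

CLAMP_MSS="${CLAMP_MSS:-1280}"   # the value used in the post
DRY_RUN="${DRY_RUN:-0}"

# Return 0 if the MSS is plausible: not below the 536 bytes IPv4 guarantees,
# and not above what fits beside IP+TCP headers in a 1500-byte frame.
valid_mss() {
    mss="$1"
    case "$mss" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$mss" -ge 536 ] && [ "$mss" -le 1460 ]
}

# Emit the iptables rules that clamp the MSS of SYN packets which will be
# encrypted (--dir out) or were just decrypted (--dir in) by an IPsec policy,
# both for forwarded traffic and for connections originated on this host.
mss_clamp_rules() {
    mss="$1"
    printf '%s\n' \
      "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m policy --dir out --pol ipsec -j TCPMSS --set-mss $mss" \
      "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m policy --dir in --pol ipsec -j TCPMSS --set-mss $mss" \
      "iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -m policy --dir out --pol ipsec -j TCPMSS --set-mss $mss"
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$1"
    else
        sh -c "$1"
    fi
}

apply_fixes() {
    valid_mss "$CLAMP_MSS" || { echo "implausible MSS: $CLAMP_MSS" >&2; return 1; }
    # Fix 1: MSS clamping on IPsec traffic
    mss_clamp_rules "$CLAMP_MSS" | while IFS= read -r rule; do run "$rule"; done
    # Fix 2: packetization-layer PMTU discovery, then read the value back
    run "sysctl -w net.ipv4.tcp_mtu_probing=1"
    run "sysctl -n net.ipv4.tcp_mtu_probing"
}

case "${1:-}" in
    apply) apply_fixes ;;
esac
```

Clamping only packets that match an IPsec policy, rather than every SYN in FORWARD, keeps the smaller segment size confined to the tunnel and leaves the rest of the traffic at its normal MSS.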

As seen in this post, the values of net.ipv4.tcp_mtu_probing are:

[Read More]

Configure a single ssh-agent and gpg-agent and use them everywhere

Using this recipe you'll get a single ssh-agent and a single gpg-agent running for your user, and the correct environment variables will be set everywhere. Just add this code to your ~/.bashrc:

[code lang="bash"]
# GPG Agent: start one gpg-agent per user if none is running, then import
# its environment from the file the agent writes.
if command -v gpg-agent >/dev/null 2>&1 && [ -d "${HOME}/.gnupg" ]; then
    # Create the env file with mode 0600 so other users cannot read the socket path
    oldumask=$(umask)
    umask 0077
    pgrep -U "$LOGNAME" gpg-agent >/dev/null 2>&1 || \
        gpg-agent --daemon --write-env-file "${HOME}/.gnupg/gpg-agent-info" >/dev/null 2>&1
    umask "$oldumask"
    # Tell pinentry which terminal to use
    GPG_TTY=$(tty)
    export GPG_TTY
    # Pick up GPG_AGENT_INFO from the agent that is already running
    if [ -r "${HOME}/.gnupg/gpg-agent-info" ]; then
        . "${HOME}/.gnupg/gpg-agent-info"
        export GPG_AGENT_INFO
    fi
fi
[/code]
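The ssh-agent half of the recipe is behind the link. What follows is an added example of the same idea, not the author's code: one ssh-agent per user, its environment cached in a file (assumed to be ~/.ssh/agent.env, created with mode 0600) that every new shell sources, and a probe with `ssh-add -l` that tells a live agent apart from a stale socket before deciding to start a new one. The function names are assumptions of this example.

```shell
# Added example: reuse one ssh-agent per user across shells.
# Assumed cache file for the agent's environment (not from the original post).
SSH_AGENT_ENV="${SSH_AGENT_ENV:-$HOME/.ssh/agent.env}"

# Map the exit status of `ssh-add -l` to a state name:
# 0 = agent reachable and holds keys, 1 = agent reachable but has no keys,
# 2 = no agent reachable (no socket, or a stale one left by a dead agent).
agent_state_from_rc() {
    case "$1" in
        0) echo keys ;;
        1) echo nokeys ;;
        *) echo noagent ;;
    esac
}

# Probe the agent named by SSH_AUTH_SOCK in the current environment.
agent_state() {
    ssh-add -l >/dev/null 2>&1
    agent_state_from_rc $?
}

# Start one agent and cache its environment, readable only by this user.
start_agent() {
    oldumask=$(umask)
    umask 0077
    mkdir -p "${SSH_AGENT_ENV%/*}"
    # Drop the "echo Agent pid ..." line so sourcing the file stays silent
    ssh-agent -s | grep -v '^echo' > "$SSH_AGENT_ENV"
    umask "$oldumask"
    . "$SSH_AGENT_ENV" >/dev/null
}

# Entry point for ~/.bashrc: prefer an agent already in the environment
# (for example one forwarded over ssh), then the cached one, and start a
# new agent only if neither answers.
ensure_ssh_agent() {
    [ "$(agent_state)" != noagent ] && return 0
    if [ -r "$SSH_AGENT_ENV" ]; then
        . "$SSH_AGENT_ENV" >/dev/null
        [ "$(agent_state)" != noagent ] && return 0
    fi
    start_agent
}

# In ~/.bashrc:   . ~/.ssh/agent.sh && ensure_ssh_agent
```

Probing with `ssh-add -l` instead of checking the PID avoids the common failure where the cached file still points at a socket whose agent died, and the order of checks means a forwarded agent is never shadowed by a local one.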

[Read More]

Remove stored credentials in Windows

Today a user wasn't able to log in from his Windows machine to a shared folder on Samba. He was told that his user name (from Active Directory) could not be found, and the system log was recording the security Kerberos event ID 14.

After some digging, I found this thread with the solution:

rundll32 keymgr.dll,KRShowKeyMgr

This opens a credential manager window, where the problematic credentials can be deleted. After doing this, the user logged in without problems.

Restore EFI boot entry

After clearing the CMOS in a computer, the EFI boot entry of my Fedora installation disappeared. To restore it, I booted a Live CD and registered it again:

# efibootmgr -c -w -d /dev/sda -l '\EFI\fedora\shim.efi' -L "Fedora"


One-liner to get all the members of an AD group

With this one-liner you get all the users of an Active Directory group recursively, so any nested group is expanded. The result is also exported to a CSV file.

[code lang="powershell" light="true"]
Get-ADGroupMember -Identity 'GroupName' -Recursive |
    Get-ADUser -Properties '*' |
    Select-Object samAccountName, name, givenName, sn, mail, l |
    Export-Csv -Encoding UTF8 -Delimiter ';' -Path '.\users.csv'
[/code]

Static DHCPv6 leases in OpenWrt

I've updated my router's firmware to the latest version of OpenWrt, and there are great improvements everywhere. The one I like most is the overhaul of the IPv6 configuration, with the new daemon odhcpd and automatic prefix delegation. You can consult the details in the wiki.

However, I've found one caveat when trying to configure a client with a static DHCPv6 lease. After asking in the forums, I found the solution: first, the client has to obtain an address via DHCPv6, so that the client's DUID gets registered in /var/hosts/odhcpd. Then, the DUID has to be added to /etc/config/dhcp.

[Read More]

Export Exchange recipients to Postfix server

When you have an Exchange server in your organization and you also use a Postfix server as gateway, you need the list of all valid recipients of your organization at your gateway. This way you can reject mail for invalid recipients at the gateway and, more importantly, when the sender address is forged you don't spam innocent people with undeliverable emails.

I use this script in Exchange 2003 to generate all addresses.
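The Exchange script itself is behind the link. As an added example, not the author's script, here is the Postfix side of the setup: a POSIX sh/awk filter that turns an exported list of Exchange proxy addresses (the sample lines below are constructed) into a relay_recipient_maps table, keeping only SMTP addresses, lowercasing and deduplicating them and dropping malformed entries, followed by the main.cf settings that make the gateway reject every recipient not in the table. The function names, the table path and the domain example.com are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a Postfix relay_recipient_maps table from exported
# Exchange proxy addresses. Not the original post's script.
set -eu

# Constructed sample export: one proxy address per line, in the form
# Exchange stores them (the primary SMTP address is the upper-case "SMTP:" one).
SAMPLE_EXPORT='SMTP:Alice.Smith@Example.com
smtp:alice@example.com
X400:c=us;a= ;p=Example;o=Exchange;s=Smith;g=Alice;
SMTP:bob@example.com
smtp:Bob@example.com
SIP:bob@example.com
SMTP:bad address@example.com'

# Read proxy addresses on stdin, write "address OK" lines on stdout.
# Keeps smtp: entries only (case-insensitive), lowercases them, drops anything
# that is not a plain local@domain (no spaces, exactly one "@"), and removes
# the duplicates that arise from case differences.
build_relay_map() {
    awk -F: 'tolower($1) == "smtp" {
                 addr = tolower($2)
                 if (addr ~ /^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]+$/) print addr " OK"
             }' | LC_ALL=C sort -u
}

# Write the table and compile it (postmap creates relay_recipients.db next to it).
install_relay_map() {
    table="${1:-/etc/postfix/relay_recipients}"
    build_relay_map > "$table"
    postmap "$table"
}

# main.cf settings for the gateway (assumed relay domain example.com):
#   relay_domains        = example.com
#   relay_recipient_maps = hash:/etc/postfix/relay_recipients
# With relay_recipient_maps set, Postfix rejects unlisted recipients in
# relay_domains at RCPT TO (smtpd_reject_unlisted_recipient defaults to yes),
# so the mail is refused before it can bounce to a forged sender.

case "${1:-}" in
    install) printf '%s\n' "$SAMPLE_EXPORT" | install_relay_map "${2:-}" ;;
    *)       printf '%s\n' "$SAMPLE_EXPORT" | build_relay_map ;;
esac
```

Run without arguments it prints the table built from the sample; `install` writes and compiles it. Rejecting at RCPT TO is what removes the backscatter problem the paragraph above describes: a message for an unknown recipient is never accepted, so there is nothing to bounce.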

[Read More]

fail2ban 0.9

With the recent release of fail2ban 0.9 there are very important improvements to the journal and firewalld integration. With these simple configurations, I get fail2ban working in Fedora 20 without a syslog daemon and without being DoSed by a local user.

/etc/fail2ban/fail2ban.local

[Definition]
loglevel = INFO
logtarget = SYSLOG

In /etc/fail2ban/jail.local we set the backend to systemd, so the journal is monitored directly; we also choose firewallcmd-ipset as the default ban action, so the rules are inserted with firewall-cmd and use the ipset facility. Finally, all the jails we need are enabled.

[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
bantime = 3600

[sshd]
enabled = true

[postfix]
enabled = true

[dovecot]
enabled = true

[Read More]