
    Posts

    • RE: Restrict access to parent folder but allow child folder access

      @scottalanmiller said in Restrict access to parent folder but allow child folder access:

      What we do is we don't use mapped drives / SMB shares but instead use a modern cloud based solution (Zoho WorkDrive in our case, but they are mostly the same) and there aren't child folders only top level folders (that have perms.) It forces you to keep all perms at the top folder level (like at the share level.) Far less granular, but it is a lot cleaner. I feel we are far less likely to overlook something or give permission that we don't know about. Since only folders that someone has access to become visible, it actually works decently well.

      In Zoho you can actually set "permissions" on a lower level folder as well. Well, you can't do it by setting actual permissions. But you do it by sharing that lower level folder with whatever group or individual in your company that needs access to it.

      This would work well in a project organization where you'd only be given access to the projects you're working on. Those folders will appear under the "Shared with Me".

      posted in IT Discussion
      1
      1337
    • RE: Application error -

      @WrCombs said in Application error -:

      So being told this is a windows issue, but I'm not sure how.

      I've been beating my head against my desk with this for weeks now.
      any advice would be appreciated.

      In dotnet applications developers can build their applications against different versions of .NET.

      As we know, the gazillion .NET versions are a mess. So to alleviate the mess the applications have config files with redirect bindings so you can decide which version of .NET the application should use - even if it was intended for another version.

      Since you don't have 4.0 you can try and redirect to 4.8 instead.

      However you can also install 3.5 on Windows 11 and redirect to that, which I think maybe has a higher probability of succeeding. Since 3.5 is backwards compatible with 2.x and 3.x applications and it looks like your application originally required version 2.x.

      There is actually a good chance that just installing 3.5 will solve your problem, because there are automatic redirects going on as well. (But undo your changes to the config file).

      Links to look at:
      https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/redirect-assembly-versions
      https://docs.microsoft.com/en-us/dotnet/framework/install/on-windows-11

      posted in IT Discussion
      1
      1337
    • RE: Ubuntu Ethernet before WiFi

      @scottalanmiller said in Ubuntu Ethernet before WiFi:

      @hobbit666 said in Ubuntu Ethernet before WiFi:

      @Pete-S said in Ubuntu Ethernet before WiFi:

      @Pete-S said in Ubuntu Ethernet before WiFi:

      So I would look at:

      changing the NIC the software binds to (configuration files?)

      A quick search seems to indicate that Minecraft Server has a config file called server.properties.

      Inside that there is a setting called server-ip.

      Set that to the static IP of the computer's IP on the LAN and I'm guessing it will bind to your LAN port every time.

      Yeah will give that a try.
      For some reason you can't "bind" to a specific port. It's been a requested feature with M$ for a while now.

      Such an easy thing to do, too.

      With "port" are we talking about a NIC or a TCP/IP port? Sometimes people say port but are actually referring to a specific network interface, which can cause confusion. So to clarify, port in the text below is a TCP/IP port and not a network interface.

      The normal thing for a server application is to bind to all or one specific IP address that the server has and to a specific port. Not a specific NIC.

      As you may or may not know this comes from the low level socket api that all OSes use but originated from unix (BSD). The function that tells a socket what ip & port to use is called bind.

      Higher level functions in programming languages such as java, python or whatever are usually just wrappers for the socket api.

      From what I can see there seems to be options in the configuration files for Minecraft server to set which ports it should bind to as well. I don't have any experience with Minecraft, that info is just from a quick search.

      Normal procedure if you want more control over a server and which IP addresses it actually replies on, is to have it bind to all IPs then employ access control with the OS firewall.

      Default behavior for the bind function is to actually bind to all IPs - if you don't specify an IP. So I would expect Minecraft server to actually bind to all IPs if none are specified. But the OS firewall may not be open to accept traffic on all interfaces.

      On Linux you can check what services are bound to what ports and IPs with netstat -tulpn
      It will not show if the firewall is open or closed though (I think...) You have to check that as well.

      posted in IT Discussion
      1
      1337
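To illustrate the point in the post above about checking which IPs a service is bound to, here is an added example (not part of the thread) that parses `netstat -tulpn` output and classifies each listener by bind scope. The sample output is constructed, and the function names `parse_listeners`, `classify` and `bound_to_all` are hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -tulpn` output (not taken from the thread).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      903/postgres
tcp        0      0 192.168.1.20:25565      0.0.0.0:*               LISTEN      1420/java
tcp6       0      0 :::8080                 :::*                    LISTEN      1533/java
udp        0      0 127.0.0.53:53           0.0.0.0:*                           640/systemd-resolve
"""


def classify(host):
    """Say whether a bind address covers every IP, only loopback, or one IP."""
    if host in ("0.0.0.0", "::", "*"):
        return "all-addresses"
    addr = ipaddress.ip_address(host.split("%")[0])  # drop an IPv6 zone like %eth0
    return "loopback" if addr.is_loopback else "single-address"


def parse_listeners(text):
    """Turn netstat -tulpn lines into dicts; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        # The local address is column 4; the port follows the last colon.
        host, _, port = parts[3].rpartition(":")
        # UDP rows have no State column, so take the program from the end.
        program = parts[-1] if "/" in parts[-1] else "-"
        listeners.append({"proto": parts[0], "host": host, "port": int(port),
                          "program": program, "scope": classify(host)})
    return listeners


def bound_to_all(listeners):
    """Listeners reachable on every interface unless the firewall blocks them."""
    return [l for l in listeners if l["scope"] == "all-addresses"]


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE):
        print(f'{l["proto"]:5} {l["host"]:>15}:{l["port"]:<6} {l["scope"]:15} {l["program"]}')
```

Listeners reported as all-addresses are the ones whose exposure depends entirely on the OS firewall, which netstat does not show.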
    • RE: Windows 10 and RHEL 9 Dual Boot help.

      @scottalanmiller said in Windows 10 and RHEL 9 Dual Boot help.:

      @Saba said in Windows 10 and RHEL 9 Dual Boot help.:

      I used the RHEL installation for a few hours then rebooted to Windows 10.

      Was this starting from a boot? Is it possible that you hadn't installed yet and were just running live?

      My thought as well.

      posted in IT Discussion
      1
      1337
    • RE: Ubuntu Ethernet before WiFi

      @scottalanmiller said in Ubuntu Ethernet before WiFi:

      @hobbit666 said in Ubuntu Ethernet before WiFi:

      @scottalanmiller said in Ubuntu Ethernet before WiFi:

      Terminal should just be using OpenSSH.

      This might be the issue. Will have a play after my holidays

      In theory, Windows' OpenSSH implementation is completely identical to the one on Linux and BSD. I can't say I've tested much in Windows 11, but on 10, it's definitely identical.

      "Completely identical" is a bit of a stretch since it's a fork, so it has additions and changes and might not support everything the main project does. It's likely lagging behind the main project too.

      But "works the same" or "practically the same" or "has the same code base"...

      Microsoft only has one fork, so windows version shouldn't make any noticeable difference.
      https://github.com/PowerShell/openssh-portable

      PS. In OP's case he probably hasn't the right key in OpenSSH. OpenSSH and PuTTY don't share their SSH keys. They are in different folders.

      posted in IT Discussion
      1
      1337
    • RE: Windows 10 and RHEL 9 Dual Boot help.

      @Saba said in Windows 10 and RHEL 9 Dual Boot help.:

      @Pete-S When I rebooted from Linux, I actually selected Windows 10 from the list of available operating systems

      Sorry, I can't help you. I stopped trying to get Windows and Linux to coexist on the same drive with dual boot because Windows would often cause some problem even when it's supposed to work.

      So when I need windows and linux on the same machine I do one of three things:

      • run the secondary OS in a VM and then both OSes can run at the same time
      • install each OS on its own drive and swap drives as needed
      • have windows installed but boot linux from a USB drive without actually installing it
      posted in IT Discussion
      1
      1337
    • RE: Unable to send emails to Gmail from my domain

      @Mr-Jones said in Unable to send emails to Gmail from my domain:

      GoDaddy TXT Record:
      v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all

      This is invalid. There should be no space between ip4: and the ip address.

      Also it's common to do ~all instead of -all when starting out.
      ~ will cause a soft fail on SPF failure while - will cause a hard fail.

      posted in IT Discussion
      1
      1337
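The two points made in the reply above (the stray space after `ip4:` and the `~all` versus `-all` choice) can be checked mechanically. This is an added example, not part of the thread: a small syntax check for SPF records, run on the record as posted and on a corrected form. The function name `lint_spf` is hypothetical, and only the mechanism syntax shown here is checked.

```python
import ipaddress

# Qualifier prefix -> result a receiver records when the term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}

POSTED = "v=spf1 a:mail.contoso.com ip4: 104.200.130.82 -all"  # as quoted in the thread
FIXED = "v=spf1 a:mail.contoso.com ip4:104.200.130.82 ~all"    # space removed, softfail


def lint_spf(record):
    """Return (problems, all_result) for one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"], None
    problems, all_result = [], None
    for pos, term in enumerate(terms[1:], start=2):
        qualifier, body = "+", term
        if body[0] in QUALIFIERS:
            qualifier, body = body[0], body[1:]
        if "=" in body and body.partition("=")[0].lower() in MODIFIERS:
            continue  # redirect= and exp= modifiers are not checked here
        name, _, value = body.partition(":")
        name = name.split("/", 1)[0].lower()  # "a/24" and "mx/24" carry a CIDR
        if name not in MECHANISMS:
            # A space inside a term leaves its second half here as a bare token.
            problems.append(f"term {pos} {term!r}: not a known mechanism")
            continue
        if name in ("ip4", "ip6"):
            if not value:
                problems.append(f"term {pos} {term!r}: no address after the colon")
                continue
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"term {pos} {term!r}: invalid address or prefix")
                continue
            if net.version != int(name[2]):
                problems.append(f"term {pos} {term!r}: address family mismatch")
        elif name == "all":
            all_result = QUALIFIERS[qualifier]
    return problems, all_result


if __name__ == "__main__":
    for rec in (POSTED, FIXED):
        problems, all_result = lint_spf(rec)
        print(rec, "->", problems or "ok", "| all:", all_result)
```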
    • RE: Unable to send emails to Gmail from my domain

      @Mr-Jones said in Unable to send emails to Gmail from my domain:

      Error:
      "mx.google.com gave this error:
      Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked. "

      This doesn't say anything about SPF, DKIM or DMARC failure, but the fact that you don't have them is a sign that your message is spam.

      Also the fact that you are sending from your own IP is also a sign that it is spam. Mail servers build up IP reputation on servers that send them emails. This is different from the blacklists.

      If you haven't checked your IP against blacklists you must do so as well.

      posted in IT Discussion
      1
      1337
    • RE: Unable to send emails to Gmail from my domain

      @Mr-Jones said in Unable to send emails to Gmail from my domain:

      *I'm still waiting for Budget approval/acquisition for the DMARC stuff.

      There is nothing you need to buy to implement it.

      You should implement SPF, DKIM and DMARC.

      The only thing you might want to buy is a service that will watch your DMARC reports and generate notifications if there is a problem.

      I think this is very good and good value as well:
      https://www.uriports.com/pricing

      Use their awesome free service to test your email setup and learn more about DMARC.
      https://www.learndmarc.com/

      posted in IT Discussion
      1
      1337
    • RE: Question about fdisk

      @JaredBusch said in Question about fdisk:

      @Pete-S said in Question about fdisk:

      You're running a virtual disk under Hyper-V so physical sectors have no bearing at all.

      Of course they matter, because the guest OS doesn't know or care that it is virtual.

      Oh, so you thought partition alignment is about the OS? It's not. The OS doesn't care (and never has) about partition alignment - regardless if it runs in a VM or on bare metal.

      Partition alignment is only about optimizing the performance of the storage subsystem.

      posted in IT Discussion
      1
      1337
    • RE: Zoho Mail has new secure sending option

      @Dashrender said in Zoho Mail has new secure sending option:

      @Pete-S said in Zoho Mail has new secure sending option:

      @Dashrender Good to know.

      One purpose of the OTP is that you can't forward the email and have another person read it.

      Not directly forward - sure, but you could screen shot it and forward that to someone.

      I assume the OTP is more so that people don't have to create accounts in the Zoho system.

      It looks like Zoho had the forwarding thing specifically in mind since they mentioned that on their website. A lot of people will forward messages without thinking about the sensitive information that is usually longer down in the mail. I've seen that a lot when I get emails forwarded to me with information that is clearly not intended for me.

      In the MS system you have to create an account, same goes for Zix, even if you will only ever read this one message on that system.

      Yeah, I hate that. It's just to get more users. I love OTP though.

      I'll have to check how these secure features work with sending huge mail attachments as well. Haven't tried it yet.

      posted in IT Discussion
      1
      1337
    • RE: User Profile migration Problem AAD -> AD

      @d-cunnings said in User Profile migration Problem AAD -> AD:

      I always advise customers to go easy on cloud and see where it goes.

      I understand what you're saying but there is nothing to see really. It will only go one way. Microsoft wants you to move everything to the cloud, their cloud.

      You might not want that but Microsoft will force you with their planned obsolescence scheme, vendor lock-in and if needed with unlawful business practices. That is their MO and it has worked well since the 80s.

      Companies that are knee-deep in Microsoft solutions will never be able to wriggle themselves out of that situation. Not until it's too late and too costly and then they just have to abandon any resistance and go full cloud. Company attitude is how they ended up with MS in the first place.

      So the reason you can't find an easy way to move from AAD to AD is because Microsoft doesn't want you to. It's not astonishing negligence, it's the result of a well planned strategy.

      posted in IT Discussion
      1
      1337
    • RE: What Does the V- Stand for in Microsoft Email Addresses

      @scottalanmiller

      Could you please update the post with one or two examples of how a "scam" address would look?

      posted in IT Discussion
      1
      1337
    • RE: AP's geared toward home use?

      @scottalanmiller said in AP's geared toward home use?:

      @Pete-S said in AP's geared toward home use?:

      I agree that a controller is not needed for a few APs.

      No, not needed, just makes monitoring, support, and updates easier. I think it's extra important for consumers who will never understand or remember updates and if things stop updating, will just never know.

      Controllers are extra beneficial for home users.

      Your typical consumer can't manage any of it, regardless of controller or not.

      They're best off having someone else supporting them. Like they do with their car service and repairs and most anything else that requires a technician.

      Heck, most people don't even know the distinction between wifi and internet or sending messages over the cellular network versus internet.

      posted in IT Discussion
      1
      1337
    • RE: AP's geared toward home use?

      @scottalanmiller said in AP's geared toward home use?:

      @Pete-S said in AP's geared toward home use?:

      Your typical consumer can't manage any of it, regardless of controller or not.

      That's my point exactly. It all comes down to getting them the best, cheapest, outside support.

      I agree.
      In this case I thought it was for @Dashrender himself though. Hence no controller needed.

      In all other cases, the best option is what the ones that are going to support it want. Cloud controller, on-prem controller, whatever.

      posted in IT Discussion
      1
      1337
    • RE: Production KVM server "hardening"?

      @scottalanmiller said in Production KVM server "hardening"?:

      I get that. My point was that you'd get the same security without the private network or the VPN. They only give an illusion of additional security, but cause a lot more effort and more effort often results in work arounds.

      Yeah, I agree. Anyway, I don't want to go down the rabbit hole of network design specifics at this time. Might circle back to that later though.

      My primary concern right now is if there is any special configuration needed to run pure minimal Linux KVM virtualization hosts in production in a responsible manner.

      posted in IT Discussion
      1
      1337
    • RE: Does block level sync exist?

      @scottalanmiller said in Does block level sync exist?:

      I do backups for financial systems, for example. And we always explain "well, we can quiesce the database and ensure that database is not corrupt, but we can never know if the database has been given quiesced application data because only the developers can tell us that".... and 99% of the time, the devs don't even know themselves and never accounted for needing to make the application safe to back up at all!

      I agree. If the application isn't designed for backups in a specific manner then the only safe bet is to shut it down, snapshot the data for backup and power it up again.

      The same operations needed to shut down are a superset of the operations needed to put the database and application data in a safe known state. And most applications are designed to shut down and start up safely.

      It may be clumsy but with VMs the service interruption will usually be short. Maybe 30 seconds or so.

      posted in IT Discussion
      1
      1337
    • RE: Weird DNS resolution issue

      @Dashrender said in Weird DNS resolution issue:

      Was there something else I should have tried?

      When troubleshooting you can make DNS queries to specific DNS servers that don't use the client's DHCP-originated default DNS servers.

      For example:

      nslookup mangolassi.it 8.8.8.8

      or

      nslookup mangolassi.it 8.8.4.4

      It would be better than just pinging.

      You also have ipconfig as a tool on Windows.
      To clear the client's DNS cache

      ipconfig /flushdns

      to force DHCP renewal

      ipconfig /renew

      or to check what DNS server it has been given.

      ipconfig /all

      And look for "DNS Servers"

      posted in IT Discussion
      1
      1337
    • RE: Does block level sync exist?

      @scottalanmiller said in Does block level sync exist?:

      @Pete-S said in Does block level sync exist?:

      @scottalanmiller said in Does block level sync exist?:

      @Pete-S said in Does block level sync exist?:

      @scottalanmiller said in Does block level sync exist?:

      Duplicati

      What is Duplicati? It sounds like something you install locally on each server that will send backups to NAS/cloud/wherever. Is that correct?

      Yup, it's backup software. Does both image and file based. Can send to local, remote, or cloud destinations. It's an agent, so it installs ON Windows, MacOS or Linux.

      How do you keep track of all the backups if you have hundreds of Duplicati installations running? There is no central backup server or UI, right? All installations are independent of each other?

      Ah, excellent question. So there is no central server, that is correct. All installations are independent, also correct. But they are open source and have some APIs and messaging options. That's great when you have one or two. But with hundreds (like we will have once the conversion is done) you need something more.

      Thankfully there is a non-open source Duplicati monitoring service that we are using that is cheap and does just that. It does NOT control them, only monitors. But honestly, that's perfect. It is so easy to use MeshCentral to hop on and manage the instances when they need something. The central system just tells us that all is well or not. So while Duplicati ITSELF doesn't do that, third party tools do and that's what we are doing now.

      Also talking about building our own open source solution to do that for reasons of integration into other things (namely helpdesk) but that hasn't gone very far since the other solution is cheap and working.

      Great, thanks for clarifying. I often find myself looking at a product amazed at how badly they manage to explain what it's for and how it works. But you summed it up nicely.

      posted in IT Discussion
      1
      1337
    • Mikrotik software firewall/router?

      Does anyone have experience with Mikrotik's software firewall/routers?
      Or any opinion on their products in general, especially for business use?

      I used to think they were some kind of garage company but it turns out they're a billion dollar company.

      posted in IT Discussion
      1
      1337