rhavenn

I felt like i was taking crazy pills

Posted by Thegoodstormtrooper@reddit | talesfromtechsupport | View on Reddit | 62 comments

rhavenn@reddit

Sure, but that’s 16.7 million IPs of which they were using 32. I think that’s fair. I’ve never heard of it being a problem for a /24 or smaller, and if you’re really using it then no one bothers you. We own 2 /16s and a handful of /24s and it’s never been an issue. They are still heavily used both publicly and internally.

I felt like i was taking crazy pills

Posted by Thegoodstormtrooper@reddit | talesfromtechsupport | View on Reddit | 62 comments

rhavenn@reddit

It works, and as long as they do NAT on the outside AND never actually need to talk to those IPs on the public side it’s totally “fine” from a pure networking / routing perspective. More or less, the person who set it up didn’t know what they were doing / was a newb. I did it for a while when I was getting my feet wet in the 90s doing SMB work and didn’t know any better.

Pour One Out for Capital One Admins

Posted by sysad82@reddit | sysadmin | View on Reddit | 220 comments

rhavenn@reddit

A service of this level shouldn’t be taken out by a hardware failure. You should be running hot in multiple data centers. The real problem is a lot of financial shit is controlled by a looot of red tape and 50-year-old COBOL code at the root that no one wants to touch.

Pour One Out for Capital One Admins

Posted by sysad82@reddit | sysadmin | View on Reddit | 220 comments

rhavenn@reddit

A service at this level should be running hot / hot data centers. There is no way they don’t have the money for it. An LB DNS entry that just drops their down data center for the front end and some config changes “under the hood” to disable the backend connections.

Zoom removing their free 40min tier for businesses.

Posted by hueguass@reddit | sysadmin | View on Reddit | 393 comments

rhavenn@reddit

To each their own. I don’t use the Linux Zoom client…browser only…but I’ve had to file a bug report or 2 for Zoom over the years. It wouldn’t change your audio output…well, the UI would let you select one…but it never changed. It was like that for months. Yes, the Linux Electron Teams client was ass, but no long-term complaints about the browser version. Does it have bugs and breakages? Yeap…but most don’t last more than a few hours or days. The same can be said about any of the MS portals or “clients” or really anything.

Zoom removing their free 40min tier for businesses.

Posted by hueguass@reddit | sysadmin | View on Reddit | 393 comments

rhavenn@reddit

Teams works fine in all browsers. Teams Voice works fine in Edge and Chrome / Chromium. I run Linux only. Zero issues doing anything in Teams browser. Occasional bugs / hiccups, but no worse than anything else. No client needed.

How to Keep SSH Sessions Alive on AlmaLinux 9? Seeking Advice!"

Posted by Salt-Championship867@reddit | linuxadmin | View on Reddit | 88 comments

rhavenn@reddit

You need to go touch some grass and let go of some of the anger in your life. It does: https://www.cyberciti.biz/faq/linux-tmout-shell-autologout-variable/ Also, bash and the shell certainly have the concept of a login vs. just a "shell" script call or something.

Repeat after me - Running Prod SQL server on a Windows 11 Pro is a really bad idea! Right(?

Posted by VNiqkco@reddit | sysadmin | View on Reddit | 273 comments

rhavenn@reddit

Appreciate the details. Yeah, I know MS SQL on Linux and MS SQL on Windows are totally not in feature parity. Personally, I wouldn't consider SSAS / SSRS to be part of the "database engine" core anyway. They're more add-on services that you can do with something else just as easily. We use Azure Arc a lot, but I've never come across any discussion about it providing OS-level authentication. Do you have any links to that? I know it'll create a "machine object" / "managed identity" in Azure and allow a Linux machine to have an "identity" as an Azure object, but I didn't think it provided anything inside the OS for authentication at the user level to Entra ID. We SSSD-join all our Linux machines to AD for AD auth and user management, but I hadn't come across allowing them to be "Entra ID" auth enabled.

Repeat after me - Running Prod SQL server on a Windows 11 Pro is a really bad idea! Right(?

Posted by VNiqkco@reddit | sysadmin | View on Reddit | 273 comments

rhavenn@reddit

Fair enough. I'm not a Windows clustering expert either. I totally get that MS would mesh "SQL clustering" with "Windows clustering" to provide a more cohesive package, and that's fine, and if it works and is solid, great. It doesn't, however, mean it's the end-all, be-all of SQL clustering, and that "MS SQL clustering" on Linux not working is somehow a fault of or a negative towards Linux. It just is what it is.

Repeat after me - Running Prod SQL server on a Windows 11 Pro is a really bad idea! Right(?

Posted by VNiqkco@reddit | sysadmin | View on Reddit | 273 comments

rhavenn@reddit

lol. You didn’t explain anything. You word-vomited some large and technical-sounding words and hoped I wouldn’t understand. Oracle Linux is a literal RHEL clone. They didn’t write shit. They just recompiled it, slapped an Oracle logo on it and then charged you for it. https://en.m.wikipedia.org/wiki/Oracle_Linux

Repeat after me - Running Prod SQL server on a Windows 11 Pro is a really bad idea! Right(?

Posted by VNiqkco@reddit | sysadmin | View on Reddit | 273 comments

rhavenn@reddit

Please expound on why I’m wrong. A SQL cluster has nothing to do with the OS. If Microsoft can’t figure out how to make clustering work on Linux then that’s on Microsoft. PostgreSQL, MariaDB / MySQL and Oracle have no problem doing DB clusters on Linux.

Repeat after me - Running Prod SQL server on a Windows 11 Pro is a really bad idea! Right(?

Posted by VNiqkco@reddit | sysadmin | View on Reddit | 273 comments

rhavenn@reddit

Wow. Tell me you have no idea what you’re talking about without telling me you have no clue. SQL clustering has nothing to do with the OS, and if it sucks on Linux that’s still a SQL Server problem. Linux can’t fix that. Kerberos works fine. MIT or Heimdal. Take your pick. SSSD also works fine. Entra ID? You mean SAML auth? If not…MS hasn’t published the specs for it…but it’s more or less LDAP auth. Just use LDAPS to an LDAP cluster. Done. SAML auth isn’t meant for an OS login. There are, however, 3rd-party tools that will do it via PAM if you really want to. SMT is either on or off. It’s a BIOS / UEFI level setting. If it’s on then Linux will use those extra “cores” just like Windows. Honestly, you’re one of the first people in a long time who claims Windows performs better than Linux. “Performance” is usually not the reason you choose Windows. As for Turbo Boost, it seems it’s mostly an “is it on or off” issue from years ago, but I will admit I’ve never ever worried about it on Windows or otherwise.

Strange cronjob entry found on Debian 12 server

Posted by NoDoze-@reddit | linuxadmin | View on Reddit | 118 comments

rhavenn@reddit

Well, it’s running a base64 encoded string through a decode and piping it through bash. So, decode the string and see what it says.

host an nginx site from single configuration file on internal / external networks at the same time

Posted by merpkz@reddit | linuxadmin | View on Reddit | 14 comments

rhavenn@reddit

If you're setting up a zone "example.com" on the local server as authoritative you will also need to match your public zone entries, otherwise your local clients will get SERVFAIL responses when they look up, for example, the MX record for "example.com", as the local server is authoritative for it and it's now not defined. Any DNS server I'm familiar with requires you to set a "zone" and then add a host entry, ie: wiki.example.com is a host entry in the example.com zone. You could, I suppose, set the zone to be "wiki.example.com", but then you're limited to an A record only for the root zone record. Personally, you should keep your zones 100% separate. In this case, using nginx with a proxy setup and a proxy response rewrite should take care of any Host rewrites DokuWiki is doing for external clients, and internal clients just use wiki.local.

host an nginx site from single configuration file on internal / external networks at the same time

Posted by merpkz@reddit | linuxadmin | View on Reddit | 14 comments

rhavenn@reddit

Just do 2 and do Host rewrites. Your DokuWiki shouldn't even know about "wiki.example.com". nginx rewrites wiki.example.com to wiki.local and does a proxy_pass to the "wiki.local" site. Take any responses and rewrite the Host back to wiki.example.com via the proxy_redirect directive.
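The proxy and Host-rewrite setup described in the comment above, written out as an added nginx example (this is not config from the thread or from DokuWiki); the hostnames wiki.example.com and wiki.local, the certificate paths and the listen port are assumed placeholders:

```nginx
# Added example, not from the thread. Public-facing vhost for wiki.example.com
# that proxies to the internal wiki.local site and rewrites the Host header on
# the way in and redirect headers on the way out. Names and paths are assumed.
server {
    listen 443 ssl;
    server_name wiki.example.com;

    ssl_certificate     /etc/nginx/certs/wiki.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/wiki.example.com.key;   # assumed path

    location / {
        # Forward to the internal site, presenting the only name it knows.
        proxy_pass http://wiki.local;
        proxy_set_header Host wiki.local;

        # Keep the real client address and scheme visible in the backend's logs.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Backend redirects point at wiki.local; rewrite them to the public
        # name so external clients are never sent to an internal hostname.
        proxy_redirect http://wiki.local/ https://wiki.example.com/;
    }
}
```

proxy_redirect only rewrites the Location and Refresh response headers; absolute links the wiki embeds in page bodies are not touched, so the wiki should still be configured to emit relative URLs.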

host an nginx site from single configuration file on internal / external networks at the same time

Posted by merpkz@reddit | linuxadmin | View on Reddit | 14 comments

rhavenn@reddit

This is a bitch to manage though, since you'll have to duplicate any other DNS settings in 2 places so stuff like email works, etc... This is really only a good idea if you're dual-homing your DNS servers and run DNS locally for both external and internal queries.

What is the best way to send emails from linux system?

Posted by merpkz@reddit | linuxadmin | View on Reddit | 24 comments

rhavenn@reddit

Postfix, sendmail, exim, etc... all would work fine, but overall they're way too "fat" for what you're trying to do. Look for something more like DMA (DragonFly Mail Agent) or a much simpler MTA that is designed to just listen on localhost:25 / the sendmail "binary" call. Alternatively, use a syslog service or a logging agent and something like Graylog on your central host. This has the added benefit of being able to add alerting and parsing rules, etc... to your log stream. So, instead of sending email, your local services would talk to the local syslog. Since what you mostly seem to be looking for is "centralized logging", doing it via email seems like a "hack" when you have tools available to do "logging". That being said...if it works for you...hack away and have fun / learn something.

Microsoft bringing sudo to Windows

Posted by leetsheep@reddit | sysadmin | View on Reddit | 418 comments

rhavenn@reddit

Well, if it works anything like the UNIX / Linux one it will run a command as the other user, and if you look in Task Manager or something it’ll show as the elevated user. However, it allows limits on what can be run. So, you can allow someone sudo rights to restart the SQL Server service, but that’s all they can do as that upper-level or alternate role, for example. As long as there is a correlation log or some evidence it’s good.

Am I racist? Is there a politically correct way to describe my feelings?

Posted by Kangaloosh@reddit | sysadmin | View on Reddit | 513 comments

rhavenn@reddit

Haha. I run Linux. Talking to a Dell rep about some work on my laptop back in the day when Dell had zero Linux support. “Sorry sir…we don’t support that OS, you’ll need to be running Windows”. Took me about 15 seconds to install it and “ooohhh…wouldn’t you know, it has the same problem”. I forget… it was something about the BIOS not even getting to the boot loader...I think the drive was toast. It’s been a good many years. They replaced it once “I was running Windows” and it all worked fine running Linux until the cat spilled a bottle of water on the open keyboard while it was on.

Am I racist? Is there a politically correct way to describe my feelings?

Posted by Kangaloosh@reddit | sysadmin | View on Reddit | 513 comments

rhavenn@reddit

Yeah, this. If you get to the backend teams at MS you often will still run into accents, but they normally understand your problem, can be extremely technical and know their shit. The problem is it can take you a month+ to convince the initial script monkeys that it is an MS problem. The amount of hoops you have to jump through and reiterate and explain and argue is insane. 90% of the time it’s not worth it. Just figure it out yourself or ask on Reddit. You’ll usually get better answers. Sucks when your managers blame you for why it’s not working though.

I am a Windows Admin but privately own zero Windows machines

Posted by fff333ddd@reddit | sysadmin | View on Reddit | 250 comments

rhavenn@reddit

Egh…if it doesn’t work right away or has issues in Linux I just ask for a refund. Nothing worth playing is worth running Windows.

Why windows admins don't make good linux admins

Posted by zeckz@reddit | talesfromtechsupport | View on Reddit | 33 comments

rhavenn@reddit

That’s not what that hosts entry means. It just means that www.company.com and company.com will resolve to 127.0.0.1, aka localhost, and skip a DNS lookup. You can put any number of host names on the 1 line. Your problem was more likely that a lot of Linux mail servers will send out email using the host name, and a lot of Linuxes will use the 127.0.0.1 / localhost entry for their host name if one isn’t defined explicitly elsewhere. So, the system was just sending mail out as user@defaulthostname. You could have reconfigured the mail server too to use whatever domain you wanted. But lol...no DNS lookups. The server was never updated then either, unless they had hosts entries for the update servers.

Why do Linux Server mgmt tools not support SAML?

Posted by Cooleb09@reddit | linuxadmin | View on Reddit | 22 comments

rhavenn@reddit

I like SAML just fine and we use it a lot and even pass in extra info in the AAD claims tokens for devs to use, but trying to hack a "CLI login" out of it just left me frustrated that it didn't have some simple API endpoints to just GET / PUT / POST to. All the tools I could find are doing some hacky web scraping to pull out the various GUIDs / tokens they need and basically just replicating a "browser".

Why do Linux Server mgmt tools not support SAML?

Posted by Cooleb09@reddit | linuxadmin | View on Reddit | 22 comments

rhavenn@reddit

Yeap, SAML is an absolute PITA of a protocol. I think MS or whoever championed it purposely made it obtuse to make it harder to work with. There is no reason they couldn't have made a simple REST API for it. After all, you end up just typing in a username and password plus your MFA stuff and then sharing tokens (cookies). It's just in a web UI. If your device can talk LDAP it's "on the network" and could easily be set up to hit an HTTP proxy server to talk to a SAML provider, etc... and a PAM module should be able to do a username, password and then an MFA response as a prompt and input before deciding on an "allowed / not allowed" to login. The problem is more that SAML in and of itself relies on data in the token. It doesn't tie you to a "directory" per se. ie: Once you log in with the SAML token information (your home path, UID, etc...) it's done and there is no "checking for updates" or anything like what an LDAP provider can do. You're essentially disconnected from the "directory". You can refresh the token, etc...but all in all...it's just a different flow. That being said, being able to tie a Linux login to a SAML provider or AAD with Conditional Access policies and MFA would be really nice.

Company wants to forcibly include headshots in email signatures

Posted by bond2121@reddit | sysadmin | View on Reddit | 853 comments

rhavenn@reddit

Mine is one of the Minions. I'm on Teams meetings where the CTO is also present semi-regularly, and the first time I was in an in-person meeting with him I don't think he knew who I was. I introduced myself and he said "oh..you're the minion" :) Luckily, our org is pretty lax. Some people have face shots and others have Mandalorian helmets or the cover of a Journey album. As long as it's not lewd or disrespectful or whatever, no one cares. My first job out of college (ISP server room grunt) I used to have "God? Root? What is difference?" as an email quote and a customer actually complained that it was an affront to God and my boss asked me to change it.