I have a script to remove and then relink the user folders to another location. No issues there. Note this script runs as the user, no admin access needed or desired.

But before I can relink, the Documents folder needs to have these three hidden system linked files removed.

Edit: I relieved took the screenshot after I ran the Remove-Item and it remove the junction. These three files are junctions and should have these attributes: d--hsl

Just piping that to Remove-Item fails. I did it once a couple of weeks ago, and thought I documented it, but I cannot find where I saved the note.

To do it manually, you need to show hidden and system files in the Windows Explorer GUI and then delete them. You get a UAC prompt, but they do delete.

@krzykat said in Alternative to never in stock Ubiquiti EdgeMax line:

@JaredBusch Yeah, that sucks, but I'm holding out hope. I've actually been thinking about getting back into use pfSense on Qotom.

I don't like how Netgate has handled it since they got control of it.

The open source version is still open. Just do not like Netgate's mentality.

@krzykat said in Alternative to never in stock Ubiquiti EdgeMax line:

@JaredBusch I hope they catch back up. I see they now have the ER-x in stock that hasn't been around for a while. Hoping they get the rest of their supply chain worked out. I did buy a dozen just in case though.

I need an ER-4 and an EdgeSwitc 24 POE 250
cannot find anywhere

@Dashrender said in Tenant disabling of Basic Auth cause OAUTH iPhone to break:

is it possible to know which method was used when signing in with the native client?

I signed in via the oauth web page, so basic auth should have been in solved in nothing.

This is also not the first account hit. So now, I expect something similar as MS moved through the tenants I have accounts on.

MS just disabled Basic Auth this morning on the tenant of one of my clients. Did not know and did not care, because zero things at this site use basic auth. All the users are on the current O365 version of the installed apps.

But some of the iPhone users have been spammed with the pop up to enter their Exchange password.

This pop up actually is useless on iOS, because you have to sign in to MS services with the "log in" method by going into settings (repeatedly cancelling the password pop up box) and into mail -> accounts -> then tap re-enter password to get the auth webpage.

My phone, and all the other users were correctly setup with OAUTH style "log in" for their email in the Mail app on iOS.

Disabling of Basic Auth should have done nothing.

So 2022 is almost done and Ubiquiti never has stock of EdgeMax gear.

I need to move on.

What do you all recommend today?

If I need a NGFW because “compliance” I go with Watchguard.

But for everything I have used EdgeMax for so long, I don’t have a solid grasp on options.

A manufacturer that make switches and a basic router is probably the best choice, but I am not tied to anything at this point.

@BraswellJay said in Does the end of O365 Basic Authentication mean no more app passwords:

I got caught by this last week myself. There is a one time ability to reenable basic auth through the rest of 2022 which is what I did for now. According to what I found though this is a one time grace period that will not be extended again. I took advantage though to give a little more time to find a different method.

Yeah, I wasn't even thinking about IMAP/POP regarding basic auth. I've turned Basic Auth back on only for IMAP at this client and told them to send a report to their vendor.

Customer has a LoB application called Enfocus Switch.

It has a mail retrieval function that connects via IMAP using an app password on a normal O365 email account with MFA enabled.

It stopped retrieving email on the morning of Wednesday October 12th.

Since Microsoft finally killed Basic Auth on Tuesday, I assume this is related, but I can find no information on this at all.

@Pete-S said in UFW or IPTABLES:

So I think the current recommendation is to either stick to ufw or firewall-cmd or just use nft directly.

I try to. This was the first time I've had a need to go outside the box of ufw or firewall-cmd to use direct iptables in years.

@Pete-S said in UFW or IPTABLES:

@JaredBusch
I think ufw can collide with manual rule entering because ufw handles persistantency on it's own.

UFW does add it's own chains. But, I could find no examples of how to do that same command with UFW.

Ah my lack of raw iptables skill shows.. I thought -L showed everything, but is does not.
Specifying the nat table shows it.

jbusch@BowWowRTSP:~$ sudo iptables -t nat -L 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 5443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination   

So now, that I see where it is, I used sudo iptables-save rebooted, and all good.

I setup an Ant Media server for someone last week. All working except for the iptables redirect rule not surviving a reboot.

The native tomcat (i think) server uses port 5443 for https by default. The guide says if you want to use port 443, you should not fuck with the web server settings and instead use this iptables rule.

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5443

The rule works perfectly. The problem is it does not survive a reboot. I used ufw to configure the firewall as this is Ubuntu 20 (Yes the appliance install uses the LTS, just went with recommended appliance in Vultr).

I assume the problem is that the manual command is not saved. I can deal with that, sudo iptables-save is built for that. But I first checked with sudo iptables -L (or -S) and I do not see the manual rule. Port 5443 is only referenced once. In the main allow.

jbusch@RTSP:~$ sudo iptables -L | grep 5443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5443
jbusch@RTSP:~$ sudo iptables -S | grep 5443
-A ufw-user-input -p tcp -m tcp --dport 5443 -j ACCEPT

So, I did not issue the save command. Any recommendations?

@bbigford said in Misc go-to FOSS options:

NoSQL DB: MongoDB went through a really shady legal bit

Still is.

@bbigford said in Misc go-to FOSS options:

TSQL: Defaulted to MySQL

MariaDB is the standard default installed DB in all operating systems now, except maybe Oracle Linux because owner...

As for what DB to use, I do not do development, so I do not choose databases. I use whatever the tool says.

@bbigford said in Misc go-to FOSS options:

Server OS: I've bounched back and forth with CentOS before Stream (the split between 6 and 7 was weird)

For me, I prefer the RHEL ecosystem, but I do not believe in the super slow updating RHEL itself. So I use Fedora server when given a choice. Most people that I have seen complain about Fedora Server are complaining because they think it is bleeding edge, which it is not.

Now that said, when I said "when given a choice," i mean that because many times I am installing some solution. Nextcloud, UniFi Controller, FreePBX, VitalPBX, Mesh Central, wtfever..

When I am installing those things, I do not force my preference. I install them on the operating system supported by the development team of the solution.

Because I am doing things in a business environment that requires I be able to get support. Sure, most of the time that support is myself and Google or a community like this. But if push comes to shove, I need to be able to pay the developers support team for support, and to do that, I need to be on the platform they support.

@WrCombs said in Blue Stacks:

Anyone use Blue Stacks for gaming?

https://www.bluestacks.com/

I use it for work but was looking to get into some more gaming in my free time.

Never used it for gaming. Only for getting android apps on a computer

@scottalanmiller said in What Are You Doing Right Now:

@Dashrender said in What Are You Doing Right Now:

@JaredBusch said in What Are You Doing Right Now:

@Dashrender said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

And of course Rogue One, was great. Andor has a lot of potential.

Yeah, it's pretty awesome so far. Sux it's Disney keeping to the ol' television dole out one episode per week.

All of the streamers do that for the biggest name stuff, even Netflix.

I've never seen Netflix do that - but I haven't watched a Netflix series in years....

I don't recall Netflix doing it, but I think that they might have. None of my NEtflix shows has, though. Stranger THings did all episodes except two, which were movie length, then those two. But that was different.

Amazon Prime is doing it with Lord of the Rings right now, though

They used to do it a lot a couple years ago. Looking at my home page now, I don't see any tagged that way.

It would be like this tag, except it would say "New Episodes Weekly"

@Dashrender said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

And of course Rogue One, was great. Andor has a lot of potential.

Yeah, it's pretty awesome so far. Sux it's Disney keeping to the ol' television dole out one episode per week.

All of the streamers do that for the biggest name stuff, even Netflix.

Blocking by user sounds like a complete fucking mess.

Why not just add TOTP based 2FA to your ssh or something? It is available on pretty much everything.

You have key based auth only access already right? How much cost are you wanting to add here? Versus how much actual risk?

I mean the only purpose of this is to protect from a compromised internal user that uses ssh. The threat level should mean something extremely targeted is already the only credible attack vector.

@siringo said in New server q's:

What do you mean by blind swap Jared? Do you mean hot swap? Remove while powered up?

Blind swap is hot.

But hot can be done without being blind.

Hot means the system is powered on. But with all software RAID and good Hardware RAID, you can manually mark a disk to be removed, swap it and then start the rebuild.

Blind means an idiot walks in, rips it out, sticks the new one in and then it rebuilds itself.

@RojoLoco said in What Are You Doing Right Now:

About to go to a wing festival in Chicago. After a hot dog of course.

Don't get shot.