--- Log opened Thu Sep 21 00:00:24 2023
00:08 -!- Mirage [~mirage@ra.thehippo.net] has quit [Remote host closed the connection]
05:07 <@Dolemite> mr0ning, be0tches and h0ez!
06:24 < Evilpig> one of my old wow buddies is in town to see chappelle tonight at bridgestone
06:24 < Evilpig> he rented an air bnb on music row for $200 a night and thinks that's a great deal
06:30 <@Dolemite> Well it likely is based on current pricing
06:41 < Evilpig> I just looked at it as he saw something on music row and figured he was getting something good
07:39 -!- Mirage [~mirage@ra.thehippo.net] has joined #se2600
07:39 -!- mode/#se2600 [+o Mirage] by ChanServ
08:15 <@Mirage> My EdgeRouter-4 auto-updated the firmware a couple days ago and now my hairpin configuration is borked. Grrr
08:18 <@Mirage> Getting a *TON* of these errors now when hitting squirrelmail:
08:18 <@Mirage> [Thu Sep 21 08:14:30.193013 2023] [proxy_fcgi:error] [pid 33153:tid 140422923929344] (70007)The timeout specified has expired: [client 192.168.1.1:62515] AH01075: Error dispatching request to : (polling), referer: https://www.thehippo.net/mail/src/webmail.php
08:18 < PigBot> TheHippo.net - You must be logged in to access this page. (at www.thehippo.net) https://tinyurl.com/277dv4ry
08:32 <@Dolemite> Did it change the timezone?
08:34 <@Mirage> Nope. Just checked and time is correct on both
08:53 <@Dagmar> I'm about to be an outright jerk to some people we just took in
08:54 <@Dagmar> I'm pretty sure their network is in a state that can be described as "on fire" and I'm just not in the mood to play the whole "Fix our network for us" game
08:54 <@Dagmar> They're having connectivity issues reaching stuff on our side of the network, and turn around and say "Oh the VPN is down, that's why"
08:55 <@Dagmar> Meanwhile the fucking VPN has been up all the time as far as I can tell, because I've got something that would get the log entries if it actually stopped working
08:55 <@Dagmar> ...but when asked for an IP address that could be monitored, they gave me some random fucking desktop IP over there
08:55 <@Dagmar> When I asked them if that's _actually_ going to be up all the time... crickets
08:56 <@Dagmar> When I asked them why they're not just making an interface on their Meraki pingable... crickets
08:56 <@Dagmar> We made it to the last group of chowderheads that it was time to stop screwing around or I will log into their shit and just take it over
08:58 <@Dagmar> If they want to be the sole managers of their routing equipment, that's fine, but it means when their shit is broken my response is going to be "Sucks to be you guys"
08:58 <@Dagmar> God I hate redneck networking people
09:15 <@Dolemite> Heh, Lower Decks just keeps getting better and better each episode
09:22 < Evilpig> this cuntsultant is full of doublespeak and it's pissing me off
09:22 < Evilpig> Dolemite: your boss is in here too
09:27 <@Dolemite> Dionne? What's the meeting?
09:27 < Evilpig> cisco ise and 802.1x
09:28 < Evilpig> this vendor can't tell us how to make linux do it. he has some google searches that I could have done
09:28 < Evilpig> we have to get certs from windows pki, but he doesn't know how that works
09:28 <@Dolemite> heh
09:28 < Evilpig> etc
09:28 < Evilpig> it's a giant clusterfuck
09:28 <@Dagmar> "through AD"
09:28 <@Dagmar> lol
09:29 <@Dagmar> ...although I'll be the first to admit the documentation for that is shit
09:29 <@Dagmar> Like, you can even generate people's ssh keypairs in AD and distribute them that way, but the documentation for it is hilariously vague
09:33 < Evilpig> i've messed with the ssh keypairs and know what is needed for that
09:33 < Evilpig> our linux boxes are not joined to ad
09:33 <@Dagmar> You lucky dog you
09:34 < Evilpig> I have a project to document the caveats with joining them too
09:34 <@Dagmar> 1. Don't trust winbind to make good choices about how to translate Windows GUIDs to UIDs/GIDs
09:34 < Evilpig> I have been struggling on how to identify when crap like sssd / winbind just hang and stop authentication but don't produce any logged errors
09:34 <@Dagmar> 2. Don't trust winbind to stick with the mapping it decided on last week
09:34 <@Dagmar> 3. Don't fucking use winbind, use sssd.
09:34 <@Dagmar> ;)
09:35 < Evilpig> you have to use winbind if you use samba
09:35 <@Dagmar> sssctl exists
09:35 < Evilpig> we've discussed this
09:35 <@Dagmar> Winbindctl does not
09:35 <@Dagmar> No you don't
09:35 < Evilpig> most certainly did and you told me I was full of shit.
09:35 < Evilpig> lol
09:35 <@Dagmar> I've got a box at the office that I literally just migrated _off_ of fucking winbind
09:35 < Evilpig> if you run samba, sssd will shit the bed
09:36 <@Dagmar> ...because at one point that shit wouldn't work, and then winbind magically decided to use a wholly different set of ids to map to and immediately fucked everything
09:36 < Evilpig> 100,000% it will happen. docs from red hat and working with their dipshit techs have it documented. you have to use winbind if you're running samba
09:36 <@Dagmar> ...and I went back and set it up with sssd, and it hasn't been an issue since
09:38 <@Dagmar> I literally had to write a perl script to scape the /srv filesystem, lookup every uid/gid it sees through winbind, then query for that user/group through sssd, and go chown/chgrp everything to make that happen
09:38 <@Dagmar> s/scrape/scrape/
09:39 <@Dagmar> The last I saw about what Redhat's people knew was that they were having problems with sssd and had just arbitrarily switched back to "recommending" winbind, and my thinking is "You're the fuckers who are supposed to fix this shit because it's _your shit_"
09:40 < Evilpig> i'll find the docs. it's listed in their system with one of those dumb call out boxes that you skip over when working through stuff
09:40 <@Dagmar> ...but I'm definitely using sssd with samba
09:40 < Evilpig> we did too at vandy. until sssd started hanging systems
09:40 <@Dagmar> I had to turn up vfs auditing on that Samba instance too because one of those groups of users has some idiots who can't reliably not click and move their damn folders into each other, and will blame the fileserver when the files turn up "missing"
09:41 < Evilpig> and it wasn't for using cifs to connect to crap either. it was directly hosting a share that was the trigger
09:41 <@Dagmar> Yeah well that's Vanderbilt's AD which was being run by dipshits who couldn't figure out how x509 certs work
09:42 <@Dagmar> I wrote them off when they _swore_ in a meeting that all the AD servers were operating and synching correctly and securely
09:43 <@Dagmar> Meanwhile, I'm literally looking at a script that just finished checking their certs
09:43 <@Dagmar> One was self-signed bullshit.
09:43 <@Dagmar> Two were expired.
09:44 <@Dagmar> This is also the same group of assholes who had an _obvious syntax error_ in their startup script for nslapd, because some dumbfuck copypasted something from Stack Overflow that contained _smart quotes_ instead of chr$(34), IIRC
09:44 <@Dagmar> ...and they insisted that EAI "adopt responsibility for maintenance" of said init script if we wanted it changed to, you know, ACTUALLY FUCKING START THE DAEMON
09:44 <@Dagmar> Fuck those guys
09:45 <@Dagmar> I am no longer under any obligation whatsoever to not speak the truth about them, so... sucks to be those assholes.
09:46 <@Dagmar> Mirage can back me up on that
09:47 <@Dagmar> That shit was literally _the_ reason they were always so really insistent that they be called if the LDAP servers ever rebooted, so they could "make sure the server came back up correctly"
09:47 <@Dagmar> It was because that stupid noob-ass error meant the system _never_ resumed operation after a reboot
09:47 <@Dagmar> ...and the four of them together were apparently too incompetent to fix it
09:51 < Evilpig> bah. i've spent too much time looking for this old note. all I found was this one support doc referencing it.
09:51 < Evilpig> Root Cause
09:51 < Evilpig> As of Samba 4.8, Winbind is necessary to handle the connection to the Active Directory Domain Controllers.
09:51 < Evilpig> https://access.redhat.com/solutions/3802321
09:51 < PigBot> How to configure a Samba server with SSSD in RHEL with Winbind handling AD Join - Red Hat Customer Portal (at access.redhat.com) https://tinyurl.com/27zu62fc
09:51 < Evilpig> I know it is in the rhel os docs. I thought I had put a note to the specific one where I had noted the change way back when. but I didn't
09:51 <@Dagmar> Oh that's great news
09:51 <@Dagmar> I can't wait for winbind to change how it maps the uids again
09:53 < Evilpig> from a single system standpoint it's not supposed to matter because the id translation is supposed to be done at the system level. the issues come when you have a san that uses one mapping and your system another and the two aren't using names and are just using ids
09:53 < Evilpig> you'd really need to get everything over to nfsv4 with kerb or something to do the name mapping correctly, but that's an ideal world not where we are
09:53 <@Dagmar> Yeah well, it definitely does matter when one day your user account is uid 99080612 and the next day AD resolves it to 1000612
09:54 <@Dagmar> Homedir no exist, u no login. U no own any fileses.
09:55 <@Dagmar> It seriously broke the shit out of this machine after it had been in production for a month
09:56 <@Dagmar> I was a wee bit furious about that because I was trying to convince a group to actually _use it_ instead of continuing to use the piece of shit Buffalo NAS they were on
10:02 <@Dagmar> ...and come to think of it, although it's been a bit, I was reasonably sure that at least the edu's side of things was just using LDAP directly
10:03 <@Dagmar> I never really looked at the Samba stuff that much except for one box where the stupid gits wanted us to make files available to certain "Special People" that no one else could see
10:03 <@Dagmar> ...which somehow included us but they wouldn't say it outright
10:04 <@Dagmar> ...which I'm pretty sure were the results of those external audits they paid such ludicrous sums for so they could ignore professionals telling them their major problems are that they're collecting assholes who don't know how to do their own jobs and chase everyone who can away
10:15 -!- Mirage [~mirage@ra.thehippo.net] has quit [Remote host closed the connection]
10:16 -!- Mirage [~mirage@ra.thehippo.net] has joined #se2600
10:16 -!- mode/#se2600 [+o Mirage] by ChanServ
10:19 -!- Mirage [~mirage@ra.thehippo.net] has quit [Remote host closed the connection]
10:25 -!- Mirage [~mirage@ra.thehippo.net] has joined #se2600
10:25 -!- mode/#se2600 [+o Mirage] by ChanServ
10:26 <@Mirage> ok this new "proxy" problem is annoying the shit out of me. I'm getting the same bullshit hitting the server directly now too. wtf.
15:35 <@Mirage> Trying out Starfield. So far it reminds me of Mass Effect
17:04 -!- Mirage [~mirage@ra.thehippo.net] has quit [Read error: Connection reset by peer]
17:08 -!- Mirage [~mirage@ra.thehippo.net] has joined #se2600
17:08 -!- mode/#se2600 [+o Mirage] by ChanServ
--- Log closed Fri Sep 22 00:00:26 2023