Alliterate Addict
Jul 10, 2012

dreaming of that face again

it's bright and blue and shimmering

grinning wide and comforting me with its three warm and wild eyes

poo poo that pisses me off: If I'm not listening to music while working, I'll occasionally find the spawn Lum's unholy DJ work flitting around my brain.

I don't have brain bleach potent enough for this.


Qtotonibudinibudet
Nov 7, 2011



Half-wit from Omsk, tell me, are you a junkie? I just live somewhere around there too, we could do drugs together

anthonypants posted:

Some outside vendor is trying to SSH in, but they're getting blocked and don't know why. According to our UNIX/Linux guy, incoming connections are limited during tax season, that they'll just have to keep trying, and there's nothing we can do about it.

Errr... What?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

fivre posted:

Errr... What?

Yep.

Maneki Neko
Oct 27, 2000

Good news everybody!

quote:

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems

http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html

Thanks Ants
May 21, 2004

#essereFerrari


So not only are they awful at writing software (specifically installers), they also appear to be unable to keep a website secure. Nice going Adobe.

baquerd
Jul 2, 2007

by FactsAreUseless

But it's not tax season?

Alliterate Addict
Jul 10, 2012

dreaming of that face again

it's bright and blue and shimmering

grinning wide and comforting me with its three warm and wild eyes

baquerd posted:

But it's not tax season?

Actually, it's almost always tax season-- apparently this time of year is the tax time for people who put off their stuff in April.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

baquerd posted:

But it's not tax season?

I'm not a tax guy, but it is about six months after, so maybe six-month extensions need to be filed in a couple weeks? But between the "tax season" thing and the "limiting incoming connections while incoming connections are important" thing, I think the second thing is much worse.

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

roflsaurus posted:

I figured this was one of the better threads to ask, but feel free to redirect me if I'm wrong.

I'm a CJ / developer for my small company. We have two Hyper-V hosts that have a few Win2k3 VMs that we haven't gotten around to upgrading (ain't broke, don't fix, etc, etc).

I'm now ready to replace our main virtual file server from 2k3 to 2012 (for a number of reasons). Rather than deal with the butthurt of people's UNC shortcuts changing and mapped drives breaking, can I do an in-place switch over a weekend and keep the same hostname (let's call it fs01)?

I'd rather do a fresh install of 2012 rather than in place upgrade. Lots of cruft on that 2003 box....

i.e.

- Create new 2012 VM but don't join to domain
- Kick everyone off on a Friday night
- Remove 2003 machine from AD and shutdown
- Rename 2012 machine to the new hostname (fs01).
- Join 2012 VM to AD
- Attach VHD from 2003 machine to 2012 machine as readonly (temporarily)
- Copy files to new VHD on 2012 machine
- Re-share all the folders

voila....everything works on Monday? \\fs01\butts will work the same?

Or is there some AD / kerberos stuff I'm not aware of and it will all blow up in my face when people can't get to their butts?


The way I've done file server migrations (P2V, P2P, V2V) without mucking with VHDs:

- Create new 2012 VM and join it to the domain as Server2
- Robocopy all data from Server1 to Server2 preserving all security attributes (with the /SEC or /COPYALL flag)
- Use this registry export/import technique to copy the share information from Server1 to Server2
- Kick everyone off on a Friday night
- Remove server1 from AD and shut it down
- wait until AD change has propagated
- Rename Server2 to Server1
- restart the lanmanserver service on the new Server1



Protip: You should master this technique by building a test 2003 file server and a test 2012 server and practice with some scratch data on a few test shares.

Agrikk fucked around with this message at 22:13 on Oct 3, 2013

guppy
Sep 21, 2004

sting like a byob

Well, that's consistent with the level of work quality I've come to expect from Adobe.

the littlest prince
Sep 23, 2006


Yet another security system compromised. Same poo poo different day.

I swear it's nearly guaranteed to happen to every company at some point. At least the numbers were encrypted. They didn't say anything about passwords so I guess it's just sales data?

Maneki Neko
Oct 27, 2000

the littlest prince posted:

Yet another security system compromised. Same poo poo different day.

I swear it's nearly guaranteed to happen to every company at some point. At least the numbers were encrypted. They didn't say anything about passwords so I guess it's just sales data?

No, they got encrypted passwords too.

rolleyes
Nov 16, 2006

Sometimes you have to roll the hard... two?

Maneki Neko posted:

No, they got encrypted passwords too.

Here's what I worry about: with all of the revelations about what the megalomaniacs at the NSA have been up to (potential backdoors inserted into industry standard NIST algorithms, or even deliberately compromising the design from the outset, etc) exactly how long is it going to be until someone figures out how to exploit those same weaknesses? I reckon there's going to be a point in the next couple of years where anything encrypted with one of those algorithms today might as well be in plain text.

I know someone's going to say "but password encryption should be one way only" (i.e. hashed) and I agree, it should, but this is Adobe we're talking about so it probably isn't. Plus the credit card numbers definitely won't be.

wintermuteCF
Dec 9, 2006

LIEK HAI2U!

anthonypants posted:

I'm not a tax guy, but it is about six months after, so maybe six-month extensions need to be filed in a couple weeks? But between the "tax season" thing and the "limiting incoming connections while incoming connections are important" thing, I think the second thing is much worse.

I used to do IT at a tax consulting firm that handled corporate taxes (and some businesses like partnerships and sole proprietorships that go on the individual's taxes). You've got it right.

Corporate tax = 3/15
Individual tax = 4/15
Corporate tax extensions = 9/15
Individual tax extensions = 10/15

"Tax season" for us was pretty much February 1 through April 15, and August 1 through October 15. Meant there were about five months out of the year that vacations and whatnot were frozen out :(

guppy
Sep 21, 2004

sting like a byob

You can also optionally file quarterly, I believe, which would mean around now.

Inspector_666
Oct 7, 2003

benny with the good hair

rolleyes posted:

Here's what I worry about: with all of the revelations about what the megalomaniacs at the NSA have been up to (potential backdoors inserted into industry standard NIST algorithms, or even deliberately compromising the design from the outset, etc) exactly how long is it going to be until someone figures out how to exploit those same weaknesses? I reckon there's going to be a point in the next couple of years where anything encrypted with one of those algorithms today might as well be in plain text.

I know someone's going to say "but password encryption should be one way only" (i.e. hashed) and I agree, it should, but this is Adobe we're talking about so it probably isn't. Plus the credit card numbers definitely won't be.

I don't think the problem is as bad as you make it out to be. I mean, AES has been studied and poked and prodded for over a decade now and still can't be reliably cracked.

There is a good block of text about this from GigaOM via Businessweek about this exact issue in the context of Silent Circle changing their crypto. I am by no means any sort of crypto expert though, so I'm just relying on Professor Alan Woodward knowing his poo poo in this case.

Sirotan
Oct 17, 2006

Sirotan is a seal.



I didn't think it was possible to hate Adobe more than I do already, but there you have it.

GargleBlaster
Mar 17, 2008

Stupid Narutard

Maneki Neko posted:

Good news everybody!

Couldn't you have said "everyone"? You caused me to start hearing that in Professor Farnsworth's voice, and then it kind of squeaked out into a body. I demand a refund on my hearing-this-in-my-voice experience, please do the needful.

roflsaurus
Jun 5, 2004

GAOooooooh!! RAOR!!!

Agrikk posted:

The way I've done file server migrations (P2V, P2P, V2V) without mucking with VHDs:

- Create new 2012 VM and join it to the domain as Server2
- Robocopy all data from Server1 to Server2 preserving all security attributes (with the /SEC or /COPYALL flag)
- Use this registry export/import technique to copy the share information from Server1 to Server2
- Kick everyone off on a Friday night
- Remove server1 from AD and shut it down
- wait until AD change has propagated
- Rename Server2 to Server1
- restart the lanmanserver service on the new Server1



Protip: You should master this technique by building a test 2003 file server and a test 2012 server and practice with some scratch data on a few test shares.

Thanks!

Share information and permissions are not particularly important, there's only two shares (which I can recreate). And permissions I can reapply manually if need be.

I just wasn't sure how gracefully AD handles a new server with the same name as an old (albeit removed) server.

SyNack Sassimov
May 4, 2006

Let the robot win.
            --Captain James T. Vader


incoherent posted:

I'd rather take the poo poo and get the org on a DFS share with a move to 2012 than continue the same infrastructure. Theoretically, you should be ok. Here is to hoping nothing is calling on the specific SID of that server!

Absolutely this. Set up DFS, add the current server to it, switch everyone to use the DFS shares (which should just be as easy as changing GPO mappings - if it isn't.....fix that). Then set up the 2012 server, add it to the DFS shares, replicate, turn off old server.

I've done about four or five complete overhauls this way of clients' fileserving infrastructure. By this I mean upgrades of fileservers in multiple locations, with absolutely no downtime whatsoever. None.

DFS has its faults, but what it does it does really well, when it works. These days I'll set it up even at clients where there's only one fileserver and there'll only ever BE one fileserver, specifically so that when they need to upgrade, they can just set up the new server, let DFS replicate, enable referrals to the new server, and turn off referrals to the old server.

Only issue is Macs - they supposedly added DFS support in 10.7, but it's janky and unreliable to say the least. So far we've been testing DAVE from Thursby Software, and it seems to solve most of the issues.

Edit: also, you should hold off until Oct 18 if you can so you can use Server 2012 R2. So far in my testing of it, they seem to have done some of the same thing they did with Server 2008 R2, where it had the final level of polish on top of Server 2008 so it was actually usable (i.e. ask me about wiggling a mouse in the lower right hand corner of a GODDAMN RDP WINDOW MICROSOFT YOU FUCKS. YES I KNOW I CAN HIT ALT-HOME, THAT'S STILL RETARDED). Ahem, what I'm saying is that a start button, if it still takes me to Metro, is loving useful as poo poo. gently caress hot corners. And you can set it to boot to desktop without third party software, etc.

SyNack Sassimov fucked around with this message at 06:22 on Oct 4, 2013

nitrogen
May 21, 2004

Oh, what's a 217°C difference between friends?

The following was inspired by things I had my customers either demand I allow on their boxes, or things I've had to fix after they've broken them.


I'm a bad admin (I don't care)
(to the tune of "I'm so bad, baby I don't care")


I telnet to the box as root
I pull the power to reboot

I run my cables above the lights
I give my users admin rights

no ids, no virus scan
I edit passwd file by hand

I cat files with a pipe to more
I store my passwords in a drawer

AD's broke, profiles roam
rm -rf on /home

I'd like to think i'm a bofh
but i'm a bad admin, I don't care

Gwaihir
Dec 8, 2009
Hair Elf

Guarantee this is because someone at adobe didn't update flash, and had their machine compromised.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

anthonypants posted:

Some outside vendor is trying to SSH in, but they're getting blocked and don't know why. According to our UNIX/Linux guy, incoming connections are limited during tax season, that they'll just have to keep trying, and there's nothing we can do about it.

quote:

The [tax] systems are currently unavailable due to required backups being run for the current tax processing season.

The systems should be available within approximately the last hour.

Just before this e-mail went out they called to let us know we might get calls from the vendors about it. This is a cool and good place to work.

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

roflsaurus posted:

I just wasn't sure how gracefully AD handles a new server with the same name as an old (albeit removed) server.

Just as long as you give AD time to replicate changes between steps you'll be fine.

I did a migration like this in a hurry one time and things got a little hinky for a while because I didn't give AD enough time to propagate the "delete old server info" step before the "create new server as old server name" step.

Replication finally sorted itself out after a little bit, but during that time there were authenticated user access issues.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

nitrogen posted:

I edit passwd file by hand

Does that include vipw? Because I use that to edit passwd daily....

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Agrikk posted:

Just as long as you give AD time to replicate changes between steps you'll be fine.

I did a migration like this in a hurry one time and things got a little hinky for a while because I didn't give AD enough time to propagate the "delete old server info" step before the "create new server as old server name" step.

Replication finally sorted itself out after a little bit, but during that time there were authenticated user access issues.

code:
repadmin /syncall

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

This happens maybe 75% of the time when a new user account is created:


  • The user logs in with their temporary password as instructed. Everything is fine, nothing is broken.
  • The user is never prompted to change their password, but they are able to get to the desktop.
  • The account's "grace login" counter goes to zero, and needs to be reset by the helpdesk before the user will be able to log in again.
  • If the user logs off or locks their computer, they will be unable to log back in. They will be given an error message saying that they are out of grace logins, and to call the helpdesk.
  • Setting the user's grace logins to 1 and allowing the user to attempt another login will prompt the user to change their password.
  • If the user's computer was locked, they will not be able to reset their password. The helpdesk must give them a temporary password and have them unlock their computer first. They will be able to change their password from the Ctrl+Alt+Del screen once they are at the desktop.

I don't know how or why this happens, I just know it happens to new accounts the most. Sometimes it happens to existing employees.

nitrogen
May 21, 2004

Oh, what's a 217°C difference between friends?

feld posted:

Does that include vipw? Because I use that to edit passwd daily....

Nah, vipw is cool, just like visudo is. It won't let you save it if you gently caress up.

I had someone try to comment out an entry in the passwd file to disable a user once...

MrMoo
Sep 14, 2000


That's a nice UX horror.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

MrMoo posted:

That's a nice UX horror.

Copyright (c) 1997-2007 Novell, Inc.

Zhentar
Sep 28, 2003

Brilliant Master Genius

rolleyes posted:

Here's what I worry about: with all of the revelations about what the megalomaniacs at the NSA have been up to (potential backdoors inserted into industry standard NIST algorithms, or even deliberately compromising the design from the outset, etc) exactly how long is it going to be until someone figures out how to exploit those same weaknesses? I reckon there's going to be a point in the next couple of years where anything encrypted with one of those algorithms today might as well be in plain text.

I know someone's going to say "but password encryption should be one way only" (i.e. hashed) and I agree, it should, but this is Adobe we're talking about so it probably isn't. Plus the credit card numbers definitely won't be.

People pretty much always use inappropriate algorithms to hash/encrypt passwords anyway. If you've got a long, completely random password, you might be okay, but 90% of those passwords might as well be plaintext.
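
The posts above argue that stored passwords should be one-way and that the algorithms usually picked for the job are inappropriate. As an added example (not part of any post in this thread), this Python code stores constructed sample accounts with an unsalted fast hash and with a salted, iterated KDF, then compares what each stored set reveals; the account names, passwords, iteration count and record format are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # illustrative work factor (assumption); tune for your hardware

# Constructed sample accounts; two of them share a password on purpose.
SAMPLE_USERS = {
    "alice": "Summer2013",
    "bob": "Summer2013",
    "carol": "correct horse battery staple",
    "dave": "qwerty123",
}


def store_fast_unsalted(password):
    """Weak scheme: a single SHA-256 call, no salt. Same password, same record."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_kdf(password, iterations=ITERATIONS):
    """Hardened scheme: random per-account salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_kdf(password, record):
    """Re-derive with the stored salt and count, then compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_record_groups(records):
    """Count stored values that occur for more than one account.

    Each such group tells anyone holding the dump that those users picked the
    same password, before any guessing has happened.
    """
    return sum(1 for n in Counter(records.values()).values() if n > 1)


def work_to_test(wordlist_size, accounts, salted, iterations=1):
    """Rough work units (one hash call or one KDF iteration) to try every
    candidate against every account: unsalted candidates are hashed once for
    all records, salted ones are re-derived per account."""
    per_candidate = accounts if salted else 1
    return wordlist_size * per_candidate * iterations


def audit():
    """Store the sample accounts under both schemes and summarise the exposure."""
    fast = {u: store_fast_unsalted(p) for u, p in SAMPLE_USERS.items()}
    slow = {u: store_salted_kdf(p) for u, p in SAMPLE_USERS.items()}
    return {
        "fast_shared_groups": shared_record_groups(fast),
        "kdf_shared_groups": shared_record_groups(slow),
        "fast_work": work_to_test(1_000_000, len(fast), salted=False),
        "kdf_work": work_to_test(1_000_000, len(slow), salted=True,
                                 iterations=ITERATIONS),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

With the unsalted hash the two accounts that share a password are visibly identical in storage; with per-account salts no two records match, and the work to test a candidate list scales with the number of accounts and the iteration count.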

Scikar
Nov 20, 2005

5? Seriously?

anthonypants posted:

Copyright (c) 1997-2007 Novell, Inc.

That's also your answer to why it happens.

diremonk
Jun 17, 2008

Started a new job last week and the change from working in the private sector to working at the county admin building has been a shock. Like having to use Groupwise for everything. I understand legacy systems, entrenched, etc. but isn't Exchange somewhat a standard?

Adding to that, what the job listing and what I was told in my interview is just a tiny bit different than what I'm actually going to be doing. I thought it was a maintenance position and would be assisting someone else while the county TV station upgrades to HD. Turns out, I'm in charge of everything having to do with the station. I'm still trying to wrap my brain around that since I had no power/position at my old station and I considered myself a glorified helper monkey.

"Here's a list that a consultant made four years ago with recommended items. He's working on another one that we will actually use for the purchasing plan."
:hehe: "Great, I'll look it over." I don't recognize any of these brands and they all look way overpriced.

"Hey, we used to get the Pentagon channel a couple years ago on the sat dish but it's gone now. Could you find it again?"
:hehe: "OK, let me find a page that translates the acronyms that the dish controller uses into actual sat names. Found one, damn I didn't know tripod still existed."
20 minutes later
:hehe: "Cool, got the signal. Dammit, they aren't broadcasting due to the shutdown of the federal government."

But I'm trying to look at it in a positive way. I'm going to be in charge of every aspect, from systems to buy to the color of individual wires. So I'm gonna be documenting the hell out of everything; labels, Visio, MS Project, etc. I figure I do good here and I can write my ticket elsewhere.

ihafarm
Aug 12, 2004

anthonypants posted:

This happens maybe 75% of the time when a new user account is created:


  • The user logs in with their temporary password as instructed. Everything is fine, nothing is broken.
  • The user is never prompted to change their password, but they are able to get to the desktop.
  • The account's "grace login" counter goes to zero, and needs to be reset by the helpdesk before the user will be able to log in again.
  • If the user logs off or locks their computer, they will be unable to log back in. They will be given an error message saying that they are out of grace logins, and to call the helpdesk.
  • Setting the user's grace logins to 1 and allowing the user to attempt another login will prompt the user to change their password.
  • If the user's computer was locked, they will not be able to reset their password. The helpdesk must give them a temporary password and have them unlock their computer first. They will be able to change their password from the Ctrl+Alt+Del screen once they are at the desktop.

I don't know how or why this happens, I just know it happens to new accounts the most. Sometimes it happens to existing employees.

Does your org have Universal Passwords enabled? If so, you have to ignore that entire page in ConsoleOne as UP supersedes netware/simple passwords; use iManager to set their password. It sounds to me as if some of your admins/account creators aren't aware that UP is enabled and that isn't being taken into account when the users are set up.

What version of the client are you using on the desktop; is it configured for passive logon (aka "non-novell credential provider")?

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

diremonk posted:

Adding to that, what the job listing and what I was told in my interview is just a tiny bit different than what I'm actually going to be doing.

Do your title and pay reflect your new found responsibilities?

wilfredmerriweathr
Jul 11, 2005

Volmarias posted:

Do your title and pay reflect your new found responsibilities?

What, do you think he's a business major or something?

:whip:

Motronic
Nov 6, 2009

diremonk posted:

Like having to use Groupwise for everything. I understand legacy systems, entrenched, etc. but isn't Exchange somewhat a standard?

No.....not really. Especially in older organizations.


This sounds like a fantastic opportunity, not something that should piss you off.

diremonk
Jun 17, 2008

Motronic posted:

This sounds like a fantastic opportunity, not something that should piss you off.

It really doesn't piss me off too much. I'm actually excited by the opportunity. I just wish I had known that I would be what is basically a chief engineer instead of just a grunt. Plus I wish I was getting paid a bit better too for this, it's still very good but less than what I know other people with the same sort of responsibility get.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

diremonk posted:

It really doesn't piss me off too much. I'm actually excited by the opportunity. I just wish I had known that I would be what is basically a chief engineer instead of just a grunt. Plus I wish I was getting paid a bit better too for this, it's still very good but less than what I know other people with the same sort of responsibility get.

Let's double-schedule everything. First in Outlook and then again in Podio or whatever collaboration tool we're using this week. Bonus points if the time/dates/location aren't the same between two identical events.


GargleBlaster
Mar 17, 2008

Stupid Narutard

Haha, our place can be so petty.

They're spending goodness knows how many tens of thousands of pounds doing a refurb job, but in the canteen are notices that the drinks facilities are for staff only, not for the contractors. Sorry builder boys, you're gonna have to sort out your own goddam tea! A mug of that stuff costs us like £0.10, we're not made of money!


To add actual IT content, erm..
unpredictable backups-to-tape running on an ancient version of Backup Exec on ancient unpredictable hardware. Will it take 4 hours today or 8? Only way to find out is wait for the results!
