Azure Sing in logs (Interrupted, Failure) [closed] - azure-active-directory

Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 3 months ago.
Improve this question
I cannot find any explanation to following situation. I can see 2 sign-in logs in Azure. First one has status Interrupted and the second one Failure see picture1 (in some cases I see first Failure and after several Interrupted logs).
But if I check authentication details of the first interrupted log, there is a detail Password Hash Sync - Succeeded - true (see the picture2). Should I think that the attacker knows the password of the user? Log after is Failure with Password Hash Sync False - Invalid username or pass...(picture3)
Can someone explain me the flow and why I can see Passw Hash Sync true?
picture1 picture2 picture3
checked other situations and it is still not clear, same occurrence in the logs

Related

Datastore: DatastoreFailureException: Unable to fetch global config [closed]

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 2 years ago.
Improve this question
Has anyone ever had this error before? I can't find a single shred of evidence on google that this has ever happened to anyone.
Here is the stacktrace which starts from a .delete() call on the datastore.
com.google.appengine.api.datastore.DatastoreFailureException: Unable to fetch global config
at com.google.appengine.api.datastore.DatastoreApiHelper.translateError(DatastoreApiHelper.java:71)
at com.google.appengine.api.datastore.DatastoreApiHelper$1.convertException(DatastoreApiHelper.java:129)
at com.google.appengine.api.utils.FutureWrapper.get(FutureWrapper.java:97)
at com.google.appengine.api.datastore.AsyncDatastoreServiceImpl$7.get(AsyncDatastoreServiceImpl.java:406)
at com.google.appengine.api.datastore.AsyncDatastoreServiceImpl$7.get(AsyncDatastoreServiceImpl.java:402)
at com.google.appengine.api.utils.FutureWrapper.get(FutureWrapper.java:89)
at com.google.appengine.api.utils.FutureWrapper.get(FutureWrapper.java:89)
at com.google.appengine.api.datastore.FutureHelper.getInternal(FutureHelper.java:76)
at com.google.appengine.api.datastore.FutureHelper.quietGet(FutureHelper.java:36)
at com.google.appengine.api.datastore.DatastoreServiceImpl.delete(DatastoreServiceImpl.java:76)
at com.universeprojects.cacheddatastore.CachedDatastoreService.delete(CachedDatastoreService.java:929)
We recently identified an issue with a bad instance in our infrastructure which caused timeouts for a limited number of configuration requests from AppEngine applications. The issue was resolved when the faulty instance was restarted ~6:00 AM Pacific Time 9/20/2016.
To prevent these errors in the future we are taking the following actions:
Modifying the retry behavior for configuration requests to better
handle individual bad instances.
Implementing stricter monitoring
policies around these instances to better detect these errors.
Check that the Key.getAppId portion of the key you are trying to delete is set identically to any Key.getAppId that you have read from Datastore.
I'm having this error suddenly without changes to code or models, it happens in three different apps.
As this error happens to many users, in Python and in Java, I think is due to internal google's datastore code or updates.
InternalError: Unable to fetch global config
at check_rpc_success (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/datastore/datastore_rpc.py:1373)
at __query_result_hook (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/datastore/datastore_query.py:2906)
at get_result (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/api/apiproxy_stub_map.py:613)
at _on_rpc_completion (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/ext/ndb/tasklets.py:513)
at _run_to_list (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/ext/ndb/query.py:995)
at _help_tasklet_along (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/ext/ndb/tasklets.py:427)
at get_result (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/ext/ndb/tasklets.py:383)
at fetch (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/ext/ndb/query.py:1218)
at positional_wrapper (/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/ext/ndb/utils.py:160)
I raised this error to Google Cloud Platform support team, when I have news I will post them here.

Mapping Active Directory Users with Postfix [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
I created an smtp mail server and it was successfully configured using postfix, dovecot, and roundcube.
Wanting to add functionality and to get active directory users to authenticate, I chose to use pbis (http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True) and found that I was able to easily add to the Active Directory domain ultimately using this command after install and completing a few prerequisites:
$ ./domainjoin-cli join TEST.LOCAL testuser
where "TEST.LOCAL" is the domain in active directory and "testuser" is a user account I set up in the active directory domain.
When logging into the account on roundcube:
I use: TEST\testuser and I am able to successfully login
This required a slight change to the dovecot configuration file /etc/dovecot/conf.d/10-auth.conf and adding the "\" to the list of characters under "auth_username_chars"
I can send an e-mail to a system linux account "user" and verify receipt of that e-mail. I have to change the outgoing e-mail address from TEST\testuser#test.local to testuser#test.local because of incorrect syntax.
What I can't seem to do is send mail to the active directory account "testuser"
I get the following error when attempting this:
SMTP Error (550): Failed to add recipient "testuser#test.local" (5.1.1 <testuser#test.local>: Recipient address rejected: User unknown in local recipient table).
This seems to correspond to alias mapping but I don't know how to do that and the guides I am finding online don't seem to quite fit what I am looking to do. No, I do not have virtual mapping. The user accounts I am trying to map to are all under this directory:
/home/local/TEST/
My question is basically this: How do I map "testuser#test.local" to "TEST\testuser#test.local" in postfix?
Actually submitted this a bit prematurely because I found my answer but had to alter it to my environment to get it to work.
Following the directions on: www.electrictoolbox.com/update-postfix-virtual-alias-map was incredibly helpful.
The exception was the /etc/postfix/virtual file had to have the windows slashes in it.
Basically what I did was
Add a line to /etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual
Created a /etc/postfix/virtual file with the following contents:
testuser#test.local TEST\\testuser
Applied the settings:
postmap /etc/postfix/virtual

how to change the unix system password automatically after every week? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
Can anyone tell me if it is possible to change the linux system password at a given time interval (ex. once every 7 days) using shell script or any other programming technique without explicitly changing it? The script should be running continuously to check if the time interval has passed and if it has, then to change the passwd to some default password mentioned in the script itself.
It may work to put on the cron job
passwd --expire username
This will expire the password for the given account immediately, forcing to change it at the second login. You can setup the job to run at any time policies you need, and (if run as root) this command will have effect on any specified user.
It is not secure to set some explicit password you later need to tell somehow to the user. It may be better to allow the user to think the password.
Use cron to schedule your script.
I agree this seems like a Bad Idea, but I don't know why you want to do this.
It is a Very Bad Idea. Without root, you are screwed for good. And messing with the relevant files by a script is a terrible idea on its own.
If you want to disallow root login at all, give it an impossible password (like * in the password field in /etc/shadow. Just make sure to have the rescue disk at hand...
Or use the "password aging", check out passwd(5) and shadow(5).

Sender address rejected: Domain not found [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I'm getting the error below when sending mail via smtp through google apps mail. Can anyone see why I get this error? As far as I can tell my domain exists!
THIS IS A WARNING MESSAGE ONLY.
YOU DO NOT NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipient has been delayed:
a.kozikowski#tutek.pl
Message will be retried for 2 more day(s)
Technical details of temporary failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain tutek.pl by mx.maxus.pl. [213.241.89.166].
The error that the other server returned was:
450 4.1.8 <aquarius#aquariusprams.co.uk>: Sender address rejected: Domain not found
this error means that the recipient mail server can not resolve the MX (and A) records of aquariusprams.co.uk. It works fine here, so its probably a generic dns problem on the recipient side or a routing issue between the recipient and your nameservers ns1.console-covers.com / ns2.console-covers.com.

How verbose should validation output be? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
I have an application that reads a database and outputs alerts to any dependencies that are not being met. My thinking on this issue is "Give the minimum information that points the user to the issue." I have been told by a co-worker that I should be as verbose as possible, printing out the values of the database fields for each field I mention verses giving the minimum message that "field one needs to be less then field two".
I know that there must be some convention or standard for this issue as it reminds me of compiler errors and warnings. Does anyone know how a compiler messages are are chosen?
What suggestion does the community have for this issue?
When writing, know your audience.
If you're logging warning/error messages for your own consumption, then it's fairly easy: what do you need to know when something goes wrong?
If you're logging warning/error messages for someone else, then things get tricky. What do they know? What does their mental model of the system look like? What sorts of problems can they solve, and what information do they need to solve them?
Pushing every last scrap of data into a message is punting - at best, the reader will have to wade through irrelevant information in order to find what they need; at worst, they'll become confused and end up making decisions based on the wrong data.
The compiler analogy is apt: think how annoying it would be if the entire symbol table was dumped along with every warning...
I think the key is to be concise. Put as much detail as is required for the reason for the warning to be communicated and nothing more.
For normal, day-to-day operation, I give a data validation message that gives enough information that the user can fix the problem, so that the data validates. For example, if I have two fields (fieldA and fieldB) and one of them have to be greater than the other, then I would state that on the validation output, specifying which field is the offending field.
For example, if A has to be greater than B, and they supply an answer less than B, then the message would be "fieldA needs to be higher than fieldB"
That said, I also program a debug mode into my applications (especially the web-applications) which has a verbose mode, telling exactly what's happening with everything. If that's turned on you would see two messages, the user-friendly error, and then "FieldA=XX and FieldB=YY: XX is not greater than YY".
That's simplified, but it's the general idea.
I would suggest that you should implement both modes. During normal operation you need a useful but short message. But sometimes things could go wrong and in this case a 'dump' mode which gives the user all possible information is a life saver.
I think there are 3 levels of the details of an error message for the 3 typical user groups:
The end user. This is a surfer on a web site or an user of a desktop application. He should receive an error message if the problem can not be compensate. It should include the minimum of information. The end user should not receive any information over the system like current configuration and file paths. The end user should contact the administrator. A continuous error id can be helpful that the administrator can find more informations.
The administrator need more helpful information to solve the problem self. It can include information like table xy not fount or login to database failed.
The developer: If the administrator can not solve the problem then it will contact the software vendor. In this case the administrator should be able to send a log file that the developer can solve it also if he can not reproduce the problem.
The specifics of the content of a log can be discussed, but it is my experience that the level of verbosity will quickly determined during stress test.
If the system can not function properly, it is because you just:
get either too verbose with your logs, or
did log too often (actually, I believe Jeff himself had a similar problem)
Atwood: We were logging in such a way that the log.... during the log call was triggering another log call. Which is normally okay, but with the load that we have, eventually they would happen so close together that there's also a lock. So, there's two locks going on there.
Spolsky: [...] you have a tendency to wanna log everything. But then you just get logs that are, you know, a hundred megabyte per user and you get thirty of them a minute and it can't possibly be analyzed or stored in any reasonable way. So the next thing you have to do is to start culling your logs or just have different levels of debugging, where it's like in high debug mode everything is logged and in low debug mode nothing is logged. And... it's kind of hard to figure out what you really want in a log.
Atwood: I mean that, ironically, to troubleshoot this hang, which turned out to be because of logging, we were adding more logging.
Spolsky: [laughs]
Atwood: The joke just writes itself! The joke just writes itself, right...
So my point is, when you will run your system in a production-like environment, you should quickly be able to determine if the level of verbosity you choose is sustainable.
Dealing with errors Vs. warnings first: An error should be for something which violates the standard. A warning should be for something which is allowed, but quite likely isn't what the author intended.
For example, the W3C Markup Validator will warn about the use of the syntax <br /> in an HTML document. In XHTML this means "A line break", but in an HTML document, while being allowed, actually means "A line break followed by a greater than sign" (even if most browsers don't respect this).
As for verbosity, what is best does depend on who is using the system. Some users would be better with brief messages that they can skim through, while other users (perhaps those less advanced) would find the additional information useful. Without knowing more about who they are, I'd tend towards using a flag (-v is traditional) to let the user select which version they prefer.

Resources