Usefull insigths

I used wildcard.fix-perisitent-utilities. Wenn started for the site root it crashed with a type error in line 185 (get set descriptor as argument for encodeb64). It could be started from the plone root and I manually requested to remove the gomobile interface class (the one that shows up in the error message when trying to modify extensions). Then it could be started from the site root and actually re-added that class (and some more) as a fake class.

Now suddenly everything works normal (I hope it stays that way).

Google asks to hold "volume down" and "power" to hard-reset your mobile. If the battery is realy empty. you have to:

deconnect charger

hold the keys and while holding them

reconnect charger

have a look into

<every user folder> -> AppData -> Local -> VirtualStore

many deinstallers forget data there.

Seemingly the repeater cannot tag packets. It is not possible to use several IDs on the repeater. Disable VLAN on the repeater or (almost) nothing will work. (12/22/2014, hope Zyxel fixes that)

If you want the data from the repeater put into a VLAN you have to set that ID in the SSID offered for repeating by the Root-AP on the RootAP. All packets from the repeater will receive that ID.

To remotely manage the Repeater it will need a LAN-IP Address supported by that one VLAN-ID (no VLAN meens no managment-VLAN).

The repeater does not repeat other SSIDs defined on the Root-AP. All SSIDs have to be defined locally and cannot be defined on the band used for repeating. This band is effectively "lost" for the repeater, wich is not a bug but a smart decision considering throughput.

Caveat: If you do not specify other SSIDs on the (other band of the) repeater it will offer access to the SSID used for repeating WITHOUT SECURITY; seems to be some fallback mechanism.

Otherwise if system time is too different from real time, dnssec will prevent ntp from resolving names as all certificates are outdated.

Thus NTP cannot set the time and the problem will not be resolved automatically.

This seems to be a known problem and might be fixed in the future.

using $1,$2 in rewrites that take place after map has matched something fails.

so use named parameters instead

rewrite a(.*) yolo$1

becomes

rewrite a(?<myname>.*) yolo$myname

You will _not_ have this problem if you completely reinstall everything.

Using a binary linked to libssl 1.x in an 0.9.8 environment will show all certificates as invalid. This is because the root certificates are hashed with a different hash function in 1.x.

You have to download the 1.x distro from openssl.org, Then call the included c_rehash as "c_rehash -n <the certs directory>". You must use the one from the download, not the default one AND  make sure the OPENSSL environment variable points to a 1.x openssl binary. Then -n will prevent the old links from beeing deleted, so your 0.9.8 software will continue to operate.

You are probably using trunking on on of your switches. Some switches implement "load balancing" by distributing packets to the different ports according to some hash value of the MACs involved. A part of the trunk has lost connection, so some MACs effiently are blocked.

Computers in the same broadcast domain work perfectly one used alone, but fail when used simultaneously: Check their MAC addresses! Some vendor managed it to deliver four computers with identical MACs to us. This happens when you set the MAC by software (why ever) an then clone the drives.

The symptoms are these: 3d party pinned stuff is still translated. Stuff from new packages is not translated although the content language is set correctly.

Whith Plone 4 the .po files are not automatically compiled to .mo files. You have to add this to your buildout:

To match only untagged packets in Mikrotik ingress-vlan-translation you have to set a customer-vid of 0. This cannot be done from the graphical interface in 6.32 (bug). You have to use the ssl/telnet interface.

The client is known to the outer (default) session, but the gid is only known to the inner (inner-html).

->add new dictionary entries

ATTRIBUTE williGID 3000 integer
ATTRIBUTE williAllowedGID 3001 integer

->add list of allowed gids in hints

DEFAULT NAS-IP-Address == 192.168.72.3
williAllowedGID = 1003,
williAllowedGID += 101

->get gid assigned in ldap module

control:williGID := 'gidNumber'

->check it in authorize part of inner.tunnel

if (&outer.request:williAllowedGID){

if (&outer.request:williAllowedGID[*] == &control:williGID){
noop
}
else{
reject
}

Kernel/Audit are dropping stuff.

read this:

http://blog.siphos.be/2015/05/audit-buffering-and-rate-limiting/

If you use a buffered output function like fprintf you have to flush the associated filedescriptor/stream before calling fork, otherwise the buffer will be duplicated by fork an the output is written twice.

This is about the ACL part of the switch part. This is not for general RouterOS, but as in the cheaper switches the RouterOS part is connected with 1Gb/s to the switch while the switch works at 10Gb/s per SFP+ Port, you have to use vlan/acl from this menu.

Seemingly "invert"  in the "new ACL" dialog does not only invert matching for ports (as suggested by the surroundig box) but for everything, so you mostly end up matching way more than you want,

I wanted to match all dhcp server packets not from the uplink port, but it matched all not (dhcp server packets from the uplink port) and completely locked me and everybody out. So I hat to connect to the serial port (only other choice: full reset) to fix this. 

Btw. the pinout for the serial cable on the mikrotik website is flipped. Check out pinouts for "Cisco serial" to see better descriptions. And finally: a speed of 115200 worked for me.  

-> selinux does not transition to entry-points on nosuid partitions unless the contexts are nested by typebounds. 

You will find long stories about why in the web.

In order to use a parent key with a password you have to run openssl als single command and issue the sub-commands interactively

openssl

> engine ... -pre PID:mysecret

> req ...

Anything allowed in the "lower" class must be allowed in the "upper" too, in order to be executed.

Audit2allow / Audi2why will always blame the "lower" class for this although the change needs to be done in the "upper".

filename has pre-allocated space (4096 chars)

extract etc. have not.

https://imagemagick.org/api/MagickCore/struct__ImageInfo.html

Windows associates on premise Accounts with Azure AD by comparing the ObjectGUID from the local Account to the immutableID of Azure.

The following scripts use the email address as unique identifier to rejoin local and remote accounts:

Get the ObjectGUIDs ( example on linux, can be windows too):

ldapsearch -h <host> -p 3268 -D "cn=<admin>" -b "ou=<where the users are>" -W -x -s sub sAMAccountName objectGUID > /tmp/immutables

Format and create Email-Adresses:

cat /tmp/immutables | awk '/^objectGUID/{a=$2;}/^sAMA/{print$2"@<company.com>",a}' > /tmp/match

Now we switch to a Windows computer.

Copy the /tmp/match file to that computer

Start Powershell

Install-Module -Name AzureAD

Connect-AzureAD

Login with administrator credentials

set-executionpolicy remotesigned

Create Backup of old immutableIDs (max 2000)

Get-AzureADUser -top 2000 | Select-Object userprincipalname,immutableid > C:\users\public\BackupImmutable.txt

Set new immutables:

cat <wherever match is> | ForEach-Object{$mail,$immut=$_.split("");Set-AzureADUser -ObjectId "$mail" -immutableid "$immut"}