Categories
Fixes for Windows

Fix Server Manager data retrieval failures (WS-Management Envelope Size)

tl;dr

Admin PowerShell (one line): Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192

Sometimes in Server Manager you’ll get an error where you can’t get information from other servers.

Manageability: Online – Data retrieval failures occurred

When you click to get more information about the error you get:

servername : Configuration refresh failed with the following error: The WS-Management server cannot process the request. The computed response packet size (519883) exceeds the maximum envelope size that is allowed (512000).

A reasonable person would assume something is wrong with the remote server (servername in the example above) and head straight there looking for the fault. The wording has an accusatory tone: the response packet exceeds the maximum envelope size, so surely the remote side must be made to send something smaller. It makes sense.

But this is Microsoft software, nothing makes sense. Nothing is straightforward.

Before you go and screw up your remote server, open an Administrative PowerShell on the local server (the one running Server Manager) and execute Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192. The limit that matters is the one the local WinRM client advertises with each request, which is why the remote server refuses to build a bigger reply; 512000 bytes is the 500 KB default, so 8192 KB leaves plenty of headroom without removing the limit altogether.

It behaves like BASH, meaning: if it didn’t print anything, it went through correctly. Refresh Server Manager and the information should be pulled correctly now.

Most of the time I use PowerShell because it can also run standard Command Prompt commands. Sometimes an elevated session (Administrator-level user, administrative) isn’t even needed, but if it isn’t needed it can’t hurt, so I go with that.

When Microsoft decided to distract people with PowerShell instead of doing a good GUI, they assigned new names to the old commands and gave them aliases using their old names, plus aliases using what the matching command would be in BASH.

For instance, move is now Move-Item, or mv in BASH. dir is now Get-ChildItem, or ls in BASH.

The Envelope setting can also be changed with the older winrm tool; if you’d rather use a Command Prompt window (cmd.exe), run the following:

To get the current envelope size: winrm get winrm/config. You’ll get a lot of output, so make your window taller or scroll up; the value is in the first few lines of the Config section.

To set a working value: winrm set winrm/config @{MaxEnvelopeSizekb="8192"}
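The same procedure as a script, an added example rather than code from the original post: it records the current client-side limit, raises it, verifies that the change stuck (a non-elevated session silently fails here), cross-checks with the winrm tool, and then applies the same value to any other consoles that run Server Manager. The console names are placeholders and the remote step assumes WinRM access with an administrative account.

```powershell
# Added example (not from the original post): read, raise and verify MaxEnvelopeSizeKb.
$path = 'WSMan:\localhost\MaxEnvelopeSizeKb'
$before = (Get-Item -Path $path).Value
"Current limit: $before KB"          # 500 is the default; 512000 bytes in the error = 500 * 1024

# Raise the limit that this client advertises to remote WS-Management servers.
# 8192 KB is generous but still a limit; do not set it to the maximum "just in case",
# every concurrent request may hold a buffer this large.
Set-Item -Path $path -Value 8192

$after = (Get-Item -Path $path).Value
if ([int]$after -ne 8192) {
    throw "MaxEnvelopeSizeKb is still $after KB; the change did not stick (not an elevated session?)"
}

# The CMD-era tool reads the same configuration, so both must agree.
winrm get winrm/config | Select-String MaxEnvelopeSizekb

# Server Manager consoles on other machines have their own client limit.
# Placeholder names; assumes WinRM is reachable and the current account is an admin there.
$consoles = 'mgmt01.example.tld', 'mgmt02.example.tld'
Invoke-Command -ComputerName $consoles -ScriptBlock {
    Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192
    [pscustomobject]@{
        Console          = $env:COMPUTERNAME
        MaxEnvelopeSizeKb = (Get-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb).Value
    }
}
```

Run it on the machine where Server Manager shows the error, not on the server named in the error. If the value reads back unchanged, the session was not elevated; the WSMan: drive does not complain, it just ignores the write.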

Categories
LostInThought/SlightRanting

Nextcloud as NAS replacement

Today for the second time in a few weeks I noticed my computer’s fans were at high speed when I had no other app open than one for remoting into somewhere else. Immediately I knew this must be Nextcloud doing its CPU-heavy syncing, which I confirmed by opening Activity Monitor on my Mac.

Nextcloud for some reason trips up and deletes all of my files without warning. I know there’s a setting to actually warn if I’m syncing more than X at a time, but when many of the files I frequently use are more than X, and every other file fits under X, there’s no point checking it.

Luckily, in addition to syncing to Nextcloud, I’m also using a Synology unit which has a version explorer that allows me to recover deleted and/or modified files. This has saved me for the second time this month and has just made me think twice about continuing using Nextcloud.

Here’s why:

Synology’s DSM offers access over NFS, SMBv1-v3 and AFP; compared to Nextcloud’s complicated WebDAV link, Synology’s is much easier to remember. Windows computers in the domain will even automatically mount users’ home folders on A:\ and a shared resource on B:, both on the Synology unit, using a single address, and the same share becomes available on the web GUI and in several other places, including Nextcloud itself. While it’s true you can access the system hosting Nextcloud over any of these protocols, there’s no telling what’s going to happen if you do, even if you manage to do it correctly over the right shares, with the right permissions, with the right everything. There are too many variables and not enough documentation.

Synology’s client syncs fast. My personal files aren’t that big, maybe 15GB. Synology Drive takes a few minutes to complete synchronization. Nextcloud takes days.

As far as I know, Nextcloud has no way to recover deleted files.

Nextcloud has an impressive set of apps that keeps growing fast, but so does Synology. It’s not as impressive as Nextcloud’s, but somehow theirs feel much more cohesive, faster and more reliable. Case in point: my Nextcloud database is hosted on a Synology unit.

I’d like to point out many more but frankly there’s only one that I think matters the most and I think is the only consideration those looking into Nextcloud should take: Synology’s DiskStation Manager handles disks, Nextcloud is unaware of disks.

As such, if you want to keep your data on redundant storage (I’m not talking backup, just redundancy) you must know about Linux disk administration, and be proficient at managing things like LVM and whatnot, which I think are horribly complicated things to manage. Even ZFS is much easier, and I’m saying this as someone who only has a vague idea about ZFS. All of this makes Nextcloud better suited to run as a VM, not as an independent system. Running Nextcloud on a VM lets you have redundancy and HA at the hypervisor level, assuming you have the tools. It isn’t cheap, but it’s easier than the first-party option.

Running Nextcloud as a VM comes with many of the same issues too. First of all, unless it’s run as a Docker instance in a RAID-aware system that has easy disk administration, like unRAID, you will still have storage issues. For instance: being a VM means its virtual disks must be given something like a dedicated datastore with managed redundant disks to thick provision it and be done with it. If it’s thin provisioned, it’s likely to be migrated from time to time to reallocate resources. This won’t be an easy feat because of the very nature of Nextcloud storing files: disks are expected to be huge. A word on containers; containers are harder to understand, harder to manage and harder to configure than VMs. Good luck deploying DNS-based LetsEncrypt on a container if you’re behind a proxy that won’t allow you to get HTTP validations.

Being a VM disk also makes for huge potential data waste. For instance, if a Nextcloud user decided to voluntarily (versus spontaneously vanishing data) take his/her things off of Nextcloud, suddenly a big chunk of space would become available on the VM but not on the storage backend, because VM disks cannot be shrunk once they grow, at least not on the most popular virtualization platforms, like vSphere and Hyper-V.

Nextcloud’s data could be stored on a remotely mounted filesystem on the Nextcloud host, but that’s a lot of the same again: you must be a Linux filesystems/permissions wiz to know how to correctly do it. Perhaps be joined to a directory to have UIDs/GIDs in sync, IDK.

So, assuming you’re OK with randomly losing data and having your computer partly frozen because of a sync zeroing in your lost files, and then partly frozen from the sync from reuploading your files (assuming you have a way to recover, which should’ve been Nextcloud’s role in the first place), if you have no user-friendly disk management, none of Nextcloud features matter.

Lastly there’s the workaround option: mounting external storage directly in Nextcloud. The best method is probably SMB: if you sign in directly on Nextcloud, it’ll use Kerberos –provided it’s configured correctly– to authenticate with the storage server, which in turn does its own authentication to let your users in so they won’t need a password. That’s the best case scenario though. If you’re using some form of Single Sign-On like ADFS, authentication claims don’t get mapped into Kerberos tickets, so you’ll have to reauthenticate to the external storage. You can let your users do it on their own and save the passwords for later, but when it’s time to change passwords they wouldn’t know what to do. Finally WebDAV. Very slow. The real question here would be: if you’re using another server to store stuff that probably has tricks of its own, Synology Office (or whatever it’s called) for instance is a very robust suite, what’s the point of Nextcloud?

So, what are the options? First, Nextcloud Enterprise.

My first thought, but it starts at EUR1900. It’s astronomically high and you must have at least 50 users, which I do not; even SMBs don’t. You can get a NAS unit for that, which comes with inclusive support for the life of the unit. A EUR1900 NAS unit can definitely support more than 50 users and can even do virtualization, and not only support domain-joining but being an actual Active Directory domain controller—not LDAP, full-fledged Active Directory. And you’d still be left with about EUR1200-1400 to get some disks and a couple of cache NVMe sticks to put in your unit. For EUR1900 you could even get a rack-mounted unit and worry about the disks later, since it will be able to rebalance them on the fly as you need to add space. I’m speaking of Synology here because it’s the only widely available NAS product I have first-hand experience with, but I hear offerings from brands such as QNAP and whatever-Asus-NAS-line-is-called can offer more flexibility, though not as robust support.

Fun fact: middle tier and up Synology products can run Docker and host websites complete with reverse-proxy both serving HTTP/2 sites, so technically you can run Nextcloud on DiskStation Manager–twice.

Secondly, what exactly are they willing to support? Nextcloud is something you install on the Linux variant of your choice, so will they walk you through every possible setting? Or will they do it remotely like the people at Synology do?

I once had an issue with a Synology unit (power outage at the wrong moment) where the partition tables got screwed up. It was only one wrong move away from complete data loss. I got in contact with Synology through the built-in tools (because the system still managed to boot) and remotely they recovered access to the data, temporarily mounting the filesystems so I could copy files off the unit and rebuild the array.

You can even activate an agent that will facilitate them tunneling in with a temporary key you give them if you don’t know your way around your firewall. Unlike Nextcloud, Synology’s tools are not open source, well… most aren’t. But they are very upfront and transparent about what their goals are and they are generally trustworthy. They also have a steep entrance price.

I’ve also come across a few instances where I have noticed documentation for Nextcloud purposely hidden, yet the open source work is still taken from user input. Configuration of SAML is one of these, another is High Availability and/or Clustering. As an open source organization, hiding away documentation to me seems shady. Highly. But, I want to believe in Nextcloud so I’ll leave it at that.

What if Nextcloud was distributed with an OS? I’m not saying to lock it down and scare away developers and innovation, nothing like that. I’m saying distribute it in such a way that Nextcloud isn’t just a web app but disk-aware system, that has guidelines for something like a superocc (from the file occ, for lack of a more imaginative name) a daemon or framework or whatever you call it that dictates/manages how the things should behave reconfiguring/fixing common areas essential for the system’s proper function and scalability either up (e.g; running bare-metal, adding a disk to its array and have Nextcloud manage it and/or create/rebalance disk array) or down (e.g; running virtual, letting the hypervisor know it’s using so much disk space and it’s OK to shrink, perhaps work in tandem with hypervisor to redistribute blocks if needed) and how easy this should be for non-tech savvy users who have never touched a CLI.

So here’s an idea. How about having an entrance fee that isn’t a yearly EUR1900. I’m not saying start charging per feature (even those thought to be only needed in the biggest of the Enterprise sector, like SAML, HA, branding/theming) or to keep our private clouds “with the latest updates”, two of the most cringeworthy statements that public cloud providers seemingly think are their selling points when it’s usually the least appealing thing they could advertise, and something that could definitely harm open source contributions to Nextcloud; becoming controlled, especially remotely, by forcing updates. I’m talking about having a low entrance fee, something symbolic that maybe would be worthless by the count of one user alone, but if all of us contribute to it, it becomes… IDK, how big is the reported installed base, millions?

Probably enough to have Nextcloud delivered as a whole package that’s installable bare-metal, as a VM or (by having “superocc” guidelines) ported into another base distribution that still lets your users locally or lets Nextcloud Support remote in to fix things easily because they will always know what to expect.

You’d still have Nextcloud Enterprise Support, hopefully at a much more palatable price, and it would be more like a mission critical scenario, while the rest of us would have (low) incident-based pricing. Since Nextcloud systems would be deployed to specifications, it would be trivial to support them and hence maintain a low pricing; it could even be automated.

By keeping a symbolic price, guidelines for system recovery and an open base system (where users can dnf, apt or xyz at their leisure), users wouldn’t feel alienated and stop contributing to Nextcloud; and to keep pricing low, have superocc warn the user or the aspiring developer/super tinkerer that continuing with a certain modification would break superocc guidelines, resulting in its inability to recover therefrom and impeding the Nextcloud instance from continuing to receive support.

You could still post in an article ways to recover manually, and have superocc go through a checklist of all its needed permissions and files so not all is lost for the user. Both parties win: you don’t completely lose revenue from low-cost incidents, and the users may feel 1, a little empowered fixing something on their own yet not too much and 2; grateful towards Nextcloud for supporting them. I know I’ve felt this several times using Synology’s support, and each time I can feel it strengthen my brand loyalty for them when they make what I deem impossible happen.

I think this would allow users to continue to trust Nextcloud as all of these preventions would work in-system yet they would not block the user to fuck up the system if he/she chooses to ignore a warning. The system, despite being delivered as a whole by Nextcloud, would be still the users’ to tinker with.

Nextcloud could make a little money from everyone without appearing as an untrustworthy motherfucker company to the little users and the developers, possibly delivering even superior support to enterprises to which the same support tools would apply. Since this imaginary superocc would be like the configuration mastermind it could be made not only system-aware but also cluster-aware and ease support in the Enterprise sector…or home users with one too many arrays.

The one thing I have not thought through is how this could be charged, I certainly wouldn’t recommend activation nor per-instance pricing as I mentioned earlier, many rely on hypervisor-based HA in the absence of native clustering documentation, even if our instances’ user count is 3 with 1 of those 3 being the local admin account. Although if it’s truly a symbolic pricing, this should not matter.

Categories
Fixes for Windows

Change the default Organizational Unit where machine accounts drop

This is an easy one.

If you want to change your directory’s default location for newly-joined machine accounts (those that don’t specify an OU when they join), it’s a single command with one argument. The default Computers container can’t have Group Policy linked to it, so redirecting new machines into a real OU is also the way to make sure a freshly joined computer picks up a baseline policy from its first boot.

As is the norm with these tasks, launch an Administrative PowerShell (on a domain controller, or a machine with the AD RSAT tools, using a Domain Admin account) and run redircmp OU=Devices,OU=MyDomain,DC=example,DC=tld. If there are spaces in the distinguished name of your LDAP tree, wrap the LDAP string in "", e.g; redircmp "OU=Awaiting Placement,OU=My Domain,DC=example,DC=tld". Windows is very forgiving with whitespace but it’s best to be sure. Microsoft is not known for consistency.

Remember, Domain Controllers go into their own OU (Domain Controllers) and are not affected by this. Leave them alone as much as you can, and if you change too many things at once, force replication (repadmin /syncall) so every DC sees the new default.
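The same change with the checks around it, as an added example (not the original post’s code): it reads where computers currently land, refuses to redirect to an OU that doesn’t exist, warns if that OU has no Group Policy linked (otherwise the redirect buys you nothing security-wise), runs redircmp, forces replication and reads the new default back. The OU name is a placeholder; the script assumes the ActiveDirectory module (RSAT) and a Domain Admin session, and treats a non-zero exit code from redircmp as failure.

```powershell
# Added example (not from the original post): redirect the default computer container safely.
Import-Module ActiveDirectory

$target = 'OU=Awaiting Placement,OU=My Domain,DC=example,DC=tld'   # placeholder OU
$domain = Get-ADDomain
"New computers currently land in: $($domain.ComputersContainer)"

# 1. The OU must exist; redircmp would fail anyway, but fail early with a clear message.
try {
    $ou = Get-ADOrganizationalUnit -Identity $target -Properties gPLink -ErrorAction Stop
} catch {
    throw "Target OU '$target' does not exist. Create it first, then link a baseline GPO to it."
}

# 2. The point of using an OU instead of the Computers container is Group Policy.
if ([string]::IsNullOrEmpty($ou.gPLink)) {
    Write-Warning "'$target' has no GPO linked; new machines will join with no baseline policy applied."
}

# 3. Redirect (requires Domain Admin; the domain must be at Windows Server 2003 level or higher).
redircmp "$target"
if ($LASTEXITCODE -ne 0) { throw "redircmp returned exit code $LASTEXITCODE" }

# 4. Push the change to every DC so no one joins against a stale default.
repadmin /syncall /AdeP | Out-Null

# 5. Read it back from the directory rather than trusting the tool's output.
$after = (Get-ADDomain).ComputersContainer
if ($after -ne $target) { throw "Default container is '$after', expected '$target'" }
"New computers now land in: $after"

# The matching change for user accounts (redirusr) works the same way if you need it.
```

The check in step 2 is the one people skip: a machine parked in an OU with nothing linked to it is no better protected than one in the Computers container, it just has a nicer address.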

Categories
Fixes for Windows

Repair computer’s relationship with domain

Sometimes you go on a cleanse and decide it’s fine to move computers around in your directory, or perhaps forgot to disconnect the network from a VM clone, causing a conflict in the directory.

Power losses, bad time, and machine (or machine password) resets are a few of the other things that can cause a computer’s relationship with the domain to break. Under the hood it’s the secure channel: the machine account password the computer uses to talk to a domain controller no longer matches what the directory has.

Forcing the machine to leave the broken relationship and rejoin the domain will fix this, but it may also cause loss of data, from the lingering files of a roaming user profile, for instance.

This is also not an option if the machine happens to be an Enterprise Certificate Authority. CAs cannot be unbound from AD while they hold the role.

To test that a machine has a valid relationship with the domain, launch an Administrative PowerShell and run Test-ComputerSecureChannel; right away you’ll get a True or False.

If it’s False, fix it with Test-ComputerSecureChannel -Repair -Credential user@example.tld, where the account is one allowed to reset the computer account’s password.

BTW, it’s fine if you try to repair where it’s not broken.

If you run this on a domain controller, you’ll get a huge error; DCs don’t have a secure channel to themselves to repair.

You’ll need to use an account with privileges to domain-join; you’ll be fine using a Domain Admin’s or an Enterprise Admin’s account.

A new window will pop up to enter the account’s password; the user account will be prepopulated. Despite the apparent redundancy, the -Credential switch is needed in the PowerShell syntax.
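The test-then-repair flow as one script, an added example rather than code from the original post: it bails out on domain controllers (where the cmdlet throws) and on machines that aren’t domain-joined, only prompts for a credential when the channel is actually broken, and confirms the repair with nltest, which talks to a DC independently of the cmdlet. The account name and domain are placeholders; the script assumes an elevated session on the affected machine.

```powershell
# Added example (not from the original post): check and repair the secure channel.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# DomainRole: 0/1 = standalone/member workstation, 2/3 = standalone/member server, 4/5 = DC
if ($cs.DomainRole -ge 4) {
    Write-Warning 'This is a domain controller; there is no secure channel to repair here.'
    return
}
if (-not $cs.PartOfDomain) {
    Write-Warning 'This machine is not domain-joined; nothing to test.'
    return
}

$domain = $cs.Domain
if (Test-ComputerSecureChannel -Verbose) {
    "Secure channel to $domain is healthy; nothing to do."
} else {
    # Prompt only now; the account must be allowed to reset this computer's account password.
    $cred = Get-Credential -UserName 'user@example.tld' `
                           -Message "Account allowed to reset $($cs.Name)'s computer account in $domain"

    if (-not (Test-ComputerSecureChannel -Repair -Credential $cred -Verbose)) {
        throw "Repair failed. Check that $($cs.Name)`$ still exists in AD and is not disabled."
    }

    # Second opinion from a different code path: nltest asks a DC to verify the channel.
    nltest /sc_verify:$domain
    if ($LASTEXITCODE -ne 0) { throw "nltest could not verify the secure channel to $domain" }
    "Secure channel to $domain repaired and verified."
}
```

If the repair keeps failing, look at the computer object before rejoining: a deleted or disabled account, or a duplicate left behind by a cloned VM, shows up in the directory long before the machine itself tells you anything useful.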

Categories
Fixes for Windows

Install Telnet (client) on Windows

Back when my mind was becoming slightly untethered trying to route email directly from my server, I came across one email relay that was willing to forward my email from their servers for free, but I had to guarantee things were in working order; which is completely fair of course.

It was then that I learned that a Telnet client, besides its outdated SSH-like remote login function (plaintext, so never use it for that), also works to check on open SMTP ports: connect to port 25 and you should see the server’s 220 banner. Telnet, though not immediately obvious, still comes with Windows.

Windows Server

In the Server family, it’s available as one of Windows’ Features. To install it use Server Manager and add the feature to the server you wish.

The faster way is with an Administrative PowerShell window; execute Install-WindowsFeature -Name Telnet-Client

Non-Server Windows

Yep… With each passing moment Microsoft and Apple lock things down more and make it more difficult to find settings that might reduce telemetry, or to install things where they don’t get a cut because the purchase wasn’t made through their stores, for your security. On the client SKUs the Telnet client is an optional feature rather than a Server Manager feature, so it has to be enabled as one.
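An added example, not from the original post, that does both halves of the job: it enables the Telnet client with the command appropriate to the SKU (Enable-WindowsOptionalFeature on client Windows, Install-WindowsFeature on Server), and then does the SMTP check without Telnet at all, by opening the socket from PowerShell, reading the 220 banner, sending EHLO and reporting whether the relay advertises STARTTLS. That last bit is the part worth knowing before you hand mail to a relay over port 25. The host name is a placeholder.

```powershell
# Added example (not from the original post): install the Telnet client, then probe SMTP directly.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1) {          # 1 = workstation; 2 = DC; 3 = server
    Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart | Out-Null
} else {
    Install-WindowsFeature -Name Telnet-Client | Out-Null
}

function Get-SmtpBanner {
    # Opens a TCP connection, reads the greeting, sends EHLO and returns what the server offers.
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "No connection to ${Server}:${Port} within $TimeoutMs ms (filtered or closed)"
        }
        $client.EndConnect($async)

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"     # SMTP lines end in CRLF
        $writer.AutoFlush = $true

        $banner = $reader.ReadLine()    # e.g. "220 mx.example.tld ESMTP ready"
        $writer.WriteLine('EHLO probe.example.tld')

        # Multi-line replies use "250-" for all but the last line, which uses "250 ".
        $ehlo = @()
        do {
            $line = $reader.ReadLine()
            $ehlo += $line
        } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')

        $writer.WriteLine('QUIT')
        [pscustomobject]@{
            Server     = $Server
            Port       = $Port
            Banner     = $banner
            StartTls   = [bool]($ehlo -match '^250[ -]STARTTLS')
            Extensions = $ehlo
        }
    } finally {
        $client.Close()
    }
}

Get-SmtpBanner -Server 'mx.example.tld' -Port 25 | Format-List
```

Test-NetConnection -ComputerName mx.example.tld -Port 25 answers the narrower question of whether the port is open; the function above also tells you what is listening and whether it will let you upgrade to TLS, which is what a relay operator asking you to “guarantee things are in working order” actually cares about.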

Categories
Fixes for Windows

Fixes for Windows

When I say Windows, I really mean anything done by Microsoft. If you’re deploying/using a product made by Microsoft and the magical migration doesn’t go as planned. Even purchasing is a nightmare, and they sell you direct. Don’t be too hard on yourself. Microsoft’s products never work as advertised; they’re sort of geniuses at that actually–if only they’d applied their smarts to doing something half-assedlessly. You probably wouldn’t be here, I guess.

A recurring thought of mine for years has been: Microsoft never disappoints at disappointing.

Fix Macs’ scrolling in Windows

Useful for those times you wipe macOS on a whim and remember about the Boot Camp drivers too late, when you try to scroll down Windows’ EULA and it goes the other way. The command below flips the wheel direction (the FlipFlopWheel value) for every HID device that has one.

Open an Administrative PowerShell and run:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Enum\HID\*\*\Device` Parameters FlipFlopWheel -EA 0 | ForEach-Object { Set-ItemProperty $_.PSPath FlipFlopWheel 1 }

I have witnessed some weird behavior here if you don’t restart the system immediately. Either do what you need to do and then execute the command, or execute the command, restart, and continue after the restart. From PowerShell you can execute Restart-Computer -Force to more or less guarantee the system won’t hiccup while restarting. Though this is Windows: no guarantees. Plain Restart-Computer does a normal restart.
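The same registry change with a record of what it touched, as an added example (not the original post’s one-liner): it walks the HID tree, shows each device’s description and its FlipFlopWheel value before the change, and only writes where the value isn’t already 1, so you can see which devices (mouse, trackpad, something unexpected) were flipped. It assumes an elevated session; the -WhatIf flag on Set-ItemProperty can be added for a dry run.

```powershell
# Added example (not from the original post): flip the scroll direction and report what changed.
$keys = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\HID' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'Device Parameters' }

$report = foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key.PSPath -Name FlipFlopWheel -ErrorAction SilentlyContinue).FlipFlopWheel
    if ($null -eq $value) { continue }          # device has no wheel setting; leave it alone

    # The device description lives one level up, on the instance key.
    $desc = (Get-ItemProperty -Path $key.PSParentPath -Name DeviceDesc -ErrorAction SilentlyContinue).DeviceDesc
    if ($value -ne 1) {
        Set-ItemProperty -Path $key.PSPath -Name FlipFlopWheel -Value 1 -Type DWord
    }
    [pscustomobject]@{
        Device = $desc
        Before = $value
        After  = (Get-ItemProperty -Path $key.PSPath -Name FlipFlopWheel).FlipFlopWheel
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Before -ne $_.After }) {
    'Scroll direction changed; restart now (Restart-Computer -Force) before doing anything else.'
}
```

Devices that aren’t present when you run this are still in the registry and get flipped too, which is the intended outcome for a mouse you plug in later and a surprise if you ever plug a regular PC mouse into the machine.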

Categories
Guide/HowTo

Set up Telnyx SMS notifications on Synology DSM 6

Before you proceed, consult the tariff tables and consider setting up rates so you don’t kill your Telnyx balance. This can be done both on Telnyx and on DSM.

Since I first got DiskStation Manager, I’ve been itching to set SMS notifications, not that I strictly needed them or anything but it is nevertheless an awesome feature from the system.

Synology makes amazing products with excellent support but sometimes leaves things very loosely defined and makes some weird choices that take forever to be fixed or improved. Among these there are the federation options/choices and SMS notifications.

For a while I used an Android phone SMS gateway with a SIM card to do this, but it was a prepaid card and I always kept forgetting to go top up its balance so it could send texts. Where I live, unlimited messages are the norm even on prepaid lines, except that the catch is that you have to be topping up the line’s balance every month. It only costs like USD5 to have unlimited messaging for the month. Another option is getting a voice plan that also includes unlimited texting, but that costs double that–the upside is that you can be charged automatically to some card or pay over the phone or the carrier’s app, and if you forget about it, it takes a while before your service is cut off. You’re on a contract after all, so you get some leeway.

Telnyx is a great trunking provider with good pricing. It seems to be really big, so big in fact that the number I ported to Telnyx from my previous provider, was actually a Telnyx number already; the old provider was reselling the number.

Setup

Requirements

  • A Synology unit with DSM 6+
  • An SMS-enabled Telnyx phone number
  • Admin access everywhere

Good to have

  • A text editor like TextWrangler, Notepad++, VS Code, or TextEdit without formatting (menu Format > Make Plain Text)
  • A terminal window and curl (if your machine doesn’t have curl and you can’t install it there, you may SSH to another computer that has it)

Create (or edit) a messaging profile

If you already have an associated messaging profile and are not using it, just change its API version to API 1 and click on Save. You can leave its name as is if you wish.

If you haven’t already, on Telnyx Mission Control (their user dashboard) go to Messaging on the sidebar and click on Add new profile.

Set a generic name for it (e.g; Automated) change to API v1 and scroll all the way down to click Save.

Open the profile you just created and scroll down to get the API V1 Profile Secret under Outbound Settings. Paste the code somewhere temporary; no need to save it, and treat it like a password: anyone holding it can send texts billed to your account.

Associate a phone number with messaging profile

In Telnyx Mission Control go to Numbers on the sidebar and locate the number you want to use from the list.

On the Messaging Profile column, click the dropdown menu to select the messaging profile you created. Changes here cost money, which is why, if your phone number already had a messaging profile associated, it’s a better idea to edit that one instead so you’re not charged.

Be careful, because if the number already has a profile associated it will not show the dropdown anymore; it will disassociate it straight away, no questions asked. Re-associating it will incur a fee.

On the Telnyx side this is basically it. Login to DSM with any admin account.

Add SMS Service Provider in DSM

In the Control Panel app go to Notifications on the sidebar, click on the SMS tab and finally click on the Add SMS service provider button.

Enter Telnyx on Provider name. Select POST as HTTP Method and on SMS URL enter https://sms.telnyx.com/messages

Click Next to define the headers.

Click Add to define the first header set. The values here are placeholders that DSM substitutes with the real ones in the next steps, so unless specified, copy them exactly as they are:

Parameter          Value
Content-Type       application/json
X-Profile-Secret   api_id

Click Next to define the body sections.

Parameter   Value
from        sender
to          phone
body        hello world

Click Next to match values.

Using the dropdowns in the next section, match the values as follows:

Click Apply to return to main window.

In the main window fill the following:

SMS service provider: Telnyx

Sender: your phone number in +E.164 format, e.g;
+15554351127
+528459654265

API key: the Profile Secret copied before, e.g;
DGkrru1yvM34KmMnNoid9DL5

Primary phone number: same format as before, in +E.164, a number to receive (and test) texting. The first box is the + sign, the second is the country code, the third is the number.

Click Apply and click Send a test SMS message to send a test to the specified number. Adding secondary phone number means you’ll send double the texts for each notification.

Give it some moments, if it arrives, you’re done.

Testing delivery with cURL

Texts are sent via REST calls, which are basically requests to a web server like the ones you make when you use a web browser, but instead of delivering something like an image or a page, the code running on the web server interprets the request as an order to do something.

cURL lets you do that minus the browser.

curl -X POST "https://sms.telnyx.com/messages" \
  -H "Content-Type: application/json" \
  -H "X-Profile-Secret: YOUR_MESSAGING_PROFILE_SECRET" \
  -d '{
    "from": "+13125550001",
    "to": "+13129450002",
    "body": "Hello!"
}'

The \ symbol continues the command onto the next line so the formatting is easier to read; in reality that command is a single line. The shell splits the command on unquoted spaces, which is why each header is wrapped in "" and the JSON body is wrapped in ''. Inside the JSON, the message body may contain spaces, but the phone numbers must not: they have to be bare +E.164 numbers. Also keep in mind that the profile secret on the command line ends up in your shell history and is visible to other users of the machine in the process list; read it from a file (curl’s -H @file or -d @file) or an environment variable if the machine is shared.

If something is wrong you’ll get some clues in a response. If it goes through you’ll also get a response that it was sent.

Example error
Example success

Note that a successful delivery here means that it was successfully delivered from Telnyx to the carrier of the destination number. It does not mean the carrier has delivered the message to the user.
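The same test from an Administrative PowerShell instead of curl, as an added example (not from the original post or from Telnyx): it reads the profile secret from an environment variable rather than the command line, refuses numbers that aren’t E.164 before spending any balance, makes the same POST to https://sms.telnyx.com/messages that DSM makes, and prints the body of an error response (which is where Telnyx explains what it rejected) instead of just the HTTP status. The phone numbers are the same placeholders as in the curl example.

```powershell
# Added example (not from the original post): send one Telnyx v1 test message from PowerShell.
$secret = $env:TELNYX_PROFILE_SECRET
if (-not $secret) {
    throw 'Set TELNYX_PROFILE_SECRET first (the API V1 Profile Secret from Mission Control).'
}

function Send-TelnyxSms {
    param(
        [Parameter(Mandatory)][string]$From,     # +E.164, no spaces
        [Parameter(Mandatory)][string]$To,       # +E.164, no spaces
        [Parameter(Mandatory)][string]$Body,
        [Parameter(Mandatory)][string]$Secret
    )
    # E.164: a plus sign, a non-zero first digit, at most 15 digits in total.
    foreach ($number in @($From, $To)) {
        if ($number -notmatch '^\+[1-9]\d{6,14}$') { throw "Not an E.164 number: '$number'" }
    }

    $payload = @{ from = $From; to = $To; body = $Body } | ConvertTo-Json -Compress
    try {
        Invoke-RestMethod -Method Post -Uri 'https://sms.telnyx.com/messages' `
            -Headers @{ 'X-Profile-Secret' = $Secret } `
            -ContentType 'application/json' `
            -Body $payload
    } catch {
        # Telnyx puts the reason in the response body; ErrorDetails carries it on both
        # Windows PowerShell 5.1 and PowerShell 7.
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        throw "Telnyx rejected the request: $detail"
    }
}

$result = Send-TelnyxSms -From '+13125550001' -To '+13129450002' -Body 'Hello!' -Secret $secret
$result | Format-List
```

As with the curl version, a success response only means Telnyx accepted the message for the destination carrier; it says nothing about the handset. If PowerShell complains about the TLS handshake on an older Windows box, enable TLS 1.2 for the session with [Net.ServicePointManager]::SecurityProtocol = 'Tls12' before calling the function.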

Other providers

Though the use of REST APIs is very common, the APIs themselves are not standardized. A header such as X-Profile-Secret could be Authorization or Auth-ID at another provider, and the same goes for every other parameter: each provider makes up its own. This is why at the end you must tell DSM which of your parameters means what, so it can substitute the real values; it’s also why you leave some marked as other: DSM might not need them, but your provider does.

I recommend you avoid the big name providers like Twilio. They were smart to let themselves be known when these technologies were catching on and they made partnerships (basically, advertising) with a lot of providers early on, but now they’re just marketing. They aren’t easier to set up than any other and have a pretty high price mark-up.

Example pricing to the major mobile carriers in Mexico:

Carrier     Twilio       Telnyx
AT&T        USD 0.0490   USD 0.0116-0.0169
Movistar    USD 0.0490   USD 0.0143
Telcel      USD 0.0490   USD 0.0163

While writing this I found even cheaper carriers than Telnyx. For instance, Flowroute at 0.004 vs Twilio at 0.0075 for texts to the US. Both come with a surcharge for some carriers, but sadly that’s to be expected from dealing with US-based corporations. Telnyx starts at 0.0059 per message, up to 0.0358 for T-Mobile and some other carriers’ numbers in the US, but it has little to no fine print for their service. They’re upfront and honest about it, which is increasingly harder to find in a sea of misleading advertising.