Sysadmin Mega Thread

That’s usually my hint to keep going. I wanna double the number and assert my dominance over the megathread.


At work the company I support just rolled out a half-baked MFA solution.

Apparently, they thought it was so bulletproof that there wouldn’t need to be a resolver group in case there were any issues.

So of course on Day 1 they turn it on, and ‘accidentally’ added an extra 850 end users to that first day of the rollout and our Service Desk got slammed with 150% more volume than we can handle and it was a bloody mess.

So now I’ve got an extra 80 tickets in my queue with nowhere to go because the internal support teams can’t figure out who should take credit.

face desk


Happy Friday!


For real. Who deploys stuff on a Friday?!?!


I’ve known this is possible but never had the time to figure it out…
Does someone have a quick rundown on how to do it?

I know about the sudoers.d directory

One of our VMware guys decided to clear out Veeam replication this morning and somehow deleted a production install of 38 separate VMs for a Fortune 100 client. The DR, also updated by Veeam, hadn’t been updated since June 28th. Luckily the backups worked. Good times.

Not a fan of Veeam.


Not my choice of words, but happy to keep it loose until someone takes issue…

I am happy with how it’s going so far. Thanks for the good conversation, everyone.


Yeah, I didn’t mean off topic with sysadmins, I just meant conversational with sysadmins lol


It’s not, I’m being lazy. I need to get some people on the ball.




They died again?

Nah, they never died, just recalled.

Have to see if there’s anything useful I can do with the old ones… I’m not sure there’s any function that isn’t crippled by bad randomness.


Oh, yeah, FIPS basically means “we don’t want to make changes unless we’re called out”

This is because certification testing is expensive.

Hardware key for LUKS? That might be okay, plus, if it’s not that important, you could get away with it on your non-business machines.


Yeah. At the time I bought them, I was really interested in OpenSCAP and DISA STIG specifically. Not because I have any ties to government, but because I thought it was a good way to learn about hardening Linux.

Naturally, it’s all FIPS, so I bought these. Later I realized this:

That’s a good idea. Basically just use it as a password on a stick.


More like MFA for your FDE. I’m gonna look into it on my test laptop if I have time this week. It’s been on my list, especially with my YubiKey getting less and less use lately.

Does anyone have a preferred registrar/DNS service for use with Let’s Encrypt DNS challenges? Currently, I have most of mine in Google Domains out of convenience, but they don’t have an API suitable for the Let’s Encrypt DNS challenges.

Here’s a list of the supported ones:

I’d prefer not to self-host my own public name servers…
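As an added illustration of what the registrar API actually has to let a client do (this is not code from the thread or from any ACME client): a DNS-01 challenge is passed by publishing a TXT record at `_acme-challenge.<domain>` whose value is derived from the CA's challenge token and the ACME account key's JWK thumbprint (RFC 8555 §8.4, RFC 7638). The function names below are my own, the public key is the RFC 7638 example key, and the token is a constructed sample.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required public members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (TXT record name, TXT value) the CA will query for a DNS-01 challenge.

    A wildcard identifier '*.example.com' is validated at _acme-challenge.example.com,
    which is why DNS-01 is the only challenge type that can issue wildcard certificates.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


# RFC 7638 section 3.1 example RSA public key (public members only; no private material).
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}

# Constructed sample token; a real one comes from the CA's challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, RFC7638_JWK)
    # This is the record the registrar API must create (and later delete) on the client's behalf.
    print(f'{name}. IN TXT "{value}"')
```

The registrar integration is nothing more than create-TXT and delete-TXT calls for that name, so the API token you hand to the ACME client should be scoped to exactly that (one zone, TXT records only) where the provider supports it.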

I use Linode. I also use Traefik for everything local though, so…


Might try cloudflare out first. I need to set up an account with them anyway.

I want to try and generate Let’s Encrypt certificates to use with LDAPS on a domain controller, so it’s not something I can solve with a proxy. Traefik looks cool though. I haven’t encountered it before.

I’m not super sure of all of its capabilities, but I use it as an auto-configuring reverse proxy for Docker containers and auto-SSL-upgrader.


Namecheap + Digital Ocean, Linode, or AWS Route53 baby :wink:
