miken32's questions

I'm having some troubles migrating a signed DNS zone to a new server. I've copied over the zone files (unsigned, signed, and journal), signing keys, and DS sets. Once in place, BIND is happy to serve the zone but it cannot be signed. This is the result when I try running rndc sign example.com:

29-Sep-2022 17:16:42.605 general: info: received control channel command 'sign example.com'
29-Sep-2022 17:16:42.605 general: debug 1: zone_settimer: zone example.com/IN: enter
29-Sep-2022 17:16:42.605 general: debug 1: zone_timer: zone example.com/IN: enter
29-Sep-2022 17:16:42.605 general: debug 1: zone_maintenance: zone example.com/IN: enter
29-Sep-2022 17:16:42.605 dnssec: info: zone example.com/IN: reconfiguring zone keys
29-Sep-2022 17:16:42.606 dnssec: warning: EVP_SignFinal failed (failure)
29-Sep-2022 17:16:42.606 dnssec: info: error:03000098:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:961:
29-Sep-2022 17:16:42.606 dnssec: error: zone example.com/IN: sign_apex:add_sigs -> failure
29-Sep-2022 17:16:42.606 dnssec: debug 3: zone example.com/IN: zone_rekey failure: failure (retry in 600 seconds)
29-Sep-2022 17:16:42.606 general: debug 1: zone_settimer: zone example.com/IN: enter

Relevant parts of the config are:

options {
    dnssec-enable yes;
    dnssec-validation auto;
};
zone "example.com" IN {
    type master;
    file "dynamic/db.example.com.signed";
    auto-dnssec allow;
    update-policy {
        grant "local-nsupdate" wildcard *;
        grant "acme-clients" subdomain example.com. TXT;
    };
    also-notify { office-routers; };
};

The new config is almost the same, just removing dnssec-enable yes; as the log tells me it's outdated now.

The old server is running BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 (Extended Support Version) <id:7107deb> on Scientific Linux 7.6 and the new one is BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f> on AlmaLinux 9.0.

Editing to add that EVP_SignFinal looks to be an OpenSSL function, so it's possible the problem isn't in BIND at all. Old version's named -V says:

compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017

and new version says:

compiled by GCC 11.2.1 20211203 (Red Hat 11.2.1-7)
compiled with OpenSSL version: OpenSSL 3.0.1 14 Dec 2021
linked to OpenSSL version: OpenSSL 3.0.1 14 Dec 2021

I had a simple ACL in place on my server that was working fine. I've decided to set up SSSD to authenticate user logins via LDAP, so I need to give more access to the SSSD bind account. In the process I've somehow blocked all access beyond the first ACL; despite the break statement at the end of ACL {0}, every search that isn't by a root-level user returns error 32 (object not found.)

The structure of the database looks roughly like this:

organization: dc=r1,dc=internal
    organizationalUnit: ou=users,dc=r1,dc=internal
        inetOrgPerson: uid=mike,ou=users,dc=r1,dc=internal
    organizationalUnit: ou=groups,dc=r1,dc=internal
        groupOfUniqueNames: cn=root,ou=groups,dc=r1,dc=internal
        posixGroup: cn=mike,ou=groups,dc=r1,dc=internal
    organizationalUnit: ou=system,dc=r1,dc=internal
        inetOrgPerson: uid=sssd,ou=system,dc=r1,dc=internal

Here is my ACL:

version: 1

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
# admin users can write anything in this subtree
# also the root SASL user (eg ldapmodify -QY EXTERNAL -H ldapi:/// ...)
# nobody else has access, but continue searching for matches below
olcAccess: {0}to dn.subtree="dc=r1,dc=internal"
  by anonymous break
  by group/groupOfUniqueNames/uniqueMember="cn=root,ou=groups,dc=r1,dc=internal" write
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by * break
# sssd user can read all user/group attributes
# other users keep looking
olcAccess: {1}to dn.onelevel="ou=users,dc=r1,dc=internal"
  by dn.exact="uid=sssd,ou=system,dc=r1,dc=internal" read
  by * break
olcAccess: {2}to dn.onelevel="ou=groups,dc=r1,dc=internal"
  by dn.exact="uid=sssd,ou=system,dc=r1,dc=internal" read
  by * break
# you can update your own password
# anonymous users can authenticate against it
# nobody else sees it
olcAccess: {3}to dn.subtree="dc=r1,dc=internal"
  attrs=userPassword
    by self write
    by anonymous auth
    by * none
# anonymous users can read select user/group attributes
olcAccess: {4}to dn.onelevel="ou=users,dc=r1,dc=internal"
  attrs=entry,cn,uid,sn,givenName,mail,telephoneNumber,mobile,memberOf
    by anonymous read
    by * break
olcAccess: {5}to dn.onelevel="ou=groups,dc=r1,dc=internal"
  attrs=entry,cn,description,uniqueMember,memberUid
    by anonymous read
    by * break
# all users can update their own records
# and see all other users' attributes
# everyone (including anonymous) can search
olcAccess: {6}to dn.onelevel="ou=users,dc=r1,dc=internal"
  by self write
  by users read
  by * search

Here is a log extract with extra ACL logging:

Aug 26 13:04:10 lemongrab slapd[3991]: => access_allowed: search access to "ou=users,dc=r1,dc=internal" "entry" requested
Aug 26 13:04:10 lemongrab slapd[3991]: => dn: [1] dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: => acl_get: [1] matched
Aug 26 13:04:10 lemongrab slapd[3991]: => acl_get: [1] attr entry
Aug 26 13:04:10 lemongrab slapd[3991]: => acl_mask: access to entry "ou=users,dc=r1,dc=internal", attr "entry" requested
Aug 26 13:04:10 lemongrab slapd[3991]: => acl_mask: to all values by "uid=sssd,ou=system,dc=r1,dc=internal", (=0)
Aug 26 13:04:10 lemongrab slapd[3991]: <= check a_dn_pat: anonymous
Aug 26 13:04:10 lemongrab slapd[3991]: <= check a_dn_pat: cn=admin,dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: <= check a_group_pat: cn=root,ou=groups,dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: => mdb_entry_get: found entry: "cn=root,ou=groups,dc=r1,dc=internal"
Aug 26 13:04:10 lemongrab slapd[3991]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Aug 26 13:04:10 lemongrab slapd[3991]: <= check a_dn_pat: *
Aug 26 13:04:10 lemongrab slapd[3991]: <= acl_mask: [5] applying +0 (break)
Aug 26 13:04:10 lemongrab slapd[3991]: <= acl_mask: [5] mask: =0
Aug 26 13:04:10 lemongrab slapd[3991]: => dn: [2] ou=users,dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: => dn: [3] ou=groups,dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: => dn: [4] dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: => acl_get: [4] matched
Aug 26 13:04:10 lemongrab slapd[3991]: => dn: [5] ou=users,dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: => dn: [6] ou=groups,dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: => dn: [7] ou=users,dc=r1,dc=internal
Aug 26 13:04:10 lemongrab slapd[3991]: <= acl_get: done.
Aug 26 13:04:10 lemongrab slapd[3991]: => slap_access_allowed: no more rules
Aug 26 13:04:10 lemongrab slapd[3991]: => access_allowed: no more rules

The log entries confirm my suspicion that nothing much is being done after the first rule. Why, for example, does it jump from rule 1 to rule 4? From my understanding, rule 2 should be considered next.

I've tried both onelevel and children scopes in the ACL with the same effect. If I change the ACL to olcAccess: {1}to dn.subtree="dc=r1,dc=internal" it seems to work, but there are other OUs besides users and groups that I don't want to grant access to. Am I misunderstanding how the scope works?

I can't find anything specifically saying they're not supported, and I thought ECDSA keys were old enough technology that it wouldn't be a problem.

However, when creating a cert I'm unable to install it using the vSphere Client. The error message I get after uploading the cert, key, and CA (there are no intermediates) is:

Error occurred while fetching tls: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Integer

Seems to be a generic Java error, and I couldn't find anything specific to VMWare.

Trying it from the command line with /usr/lib/vmware-vmca/bin/certificate-manager the response was even less helpful:

2022-08-23T19:47:27.742Z INFO certificate-manager Create a entry using Key and File generated earlier
2022-08-23T19:47:27.742Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmafd/bin/vecs-cli', 'entry', 'create', '--store', 'MACHINE_SSL_CERT', '--alias', '__MACHINE_CERT', '--cert', '/root/vcenter.crt', '--key', '/root/vcenter.key']
2022-08-23T19:47:27.756Z INFO certificate-manager Command output :-

2022-08-23T19:47:27.756Z ERROR certificate-manager
2022-08-23T19:47:27.756Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2022-08-23T19:47:27.757Z ERROR certificate-manager {
    "detail": [
        {
            "id": "install.ciscommon.command.errinvoke",
            "translatable": "An error occurred while invoking external command : '%(0)s'",
            "args": [
                ""
            ],
            "localized": "An error occurred while invoking external command : ''"
        },
        "Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT."
    ],
    "componentKey": null,
    "problemId": null,
    "resolution": null
}

I tried pre-installing the CA as a trusted root, and also provided the machine cert as just the cert and also concatenated with the CA. No luck.

I tried with a traditional RSA key and while it also didn't work from the web client (no error, just acted like I didn't do anything) it worked fine from CLI. And my LDAP server has an ECDSA key on its certificate and vCenter connects to it just fine, so it definitely supports them as a client.

So my question is just whether or not ECDSA keys are supported at all? It seems not, but I just started building out a new infrastructure and it's my first time moving away from RSA so I'm doubting myself.

I've followed (I believe) all the right steps to install a trusted certificate on my ASA firewall:

• install company root authority into ASA as a CA
• issue a certificate for the ASA's hostname
• install the certificate into ASA as an identity certificate
• apply the certificate to the outside interface

However, I continue to get this error in the browser when trying to connect:

Secure Connection Failed

An error occurred during a connection to asa.xxx.internal. SSL was unable to extract the public key from the peer’s certificate.

Error code: SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE

I've verified with show crypto certificates that the certificate has been imported correctly and shows as associated with the imported CA.

The only thing I'm doing here that isn't 100% familiar to me is working with EC certificates instead of RSA, but it doesn't seem like that should have any bearing.

Relevant parts of show run:

hostname asa
domain-name xxx.internal
http server enable
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 validation-usage ipsec-client ssl-client ssl-server
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 keypair ASDM_TrustPoint1
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 4e7bf88d72c08d4efa48d3ec658e5a3281b2c6aa
    3082028e 30820233 a0030201 0202144e 7bf88d72 b08d4efa 48d3ec65 8e5a3281 
    ...
 quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate c47d26f97ee247a9
    308203d8 3082037e a0030201 02020900 c47d26f9 7ee247a7 300a0608 2a8648ce 
    ...
  quit
 certificate ca 4e7bf88d72c08d4efa48d3ec658e5a3281b2c6aa
    3082028e 30820233 a0030201 0202144e 7bf88d72 b08d4efa 48d3ec65 8e5a3281 
  quit
ssl server-version tlsv1.2
ssl trust-point ASDM_TrustPoint1 outside

My monitoring system is using data from SNMP polls to build graphs. This works fine with a few dozen RHEL 6 and 7 hosts, but graphs for all my new CentOS 8 hosts are not working correctly. I've done some checking and the problem is with the ifSpeed MIB returning zero for all interfaces except lo:

$ snmpwalk -v 3 rhel6.foo.internal 1.3.6.1.2.1.2.2.1.5
IF-MIB::ifSpeed.1 10000000
IF-MIB::ifSpeed.2 1000000000
IF-MIB::ifSpeed.3 1000000000

$ snmpwalk -v 3 centos8.foo.internal 1.3.6.1.2.1.2.2.1.5
IF-MIB::ifSpeed.1 10000000
IF-MIB::ifSpeed.2 0
IF-MIB::ifSpeed.3 0

My snmpd.conf on both boxes is identical, the older systems are running net-snmp 5.7.2 versus 5.8.0 on the new ones. Is there any way I can configure the system to properly return an interface speed?

Thanks to the answers to this question, I've been happily generating Kickstart files for Scientific Linux 6 and 7 for the past 5 years. However, we're now starting to build out some test systems with CentOS 8 and running into some issues.

Despite using the same method for generating hashes (or indeed, reusing the very same hashes) the passwords for the users are not being set correctly. I've been unable to find any documentation suggesting there's been a change between EL 7 and 8.

Here's a test user I'm creating in the Kickstart file:

user --homedir=/var/ftp --name=A3857275828 --password=$6$J52QJaSjIt8GGqRS$4YyusOJ5EtpikCdwgXJrorW7XyiLRCT.jjRZsHLv04ZV7ng8wTdrwFUF2u5QXGWiEmDgu/g9RpXxLKPoRD4Kh0 --iscrypted --shell=/usr/sbin/nologin --uid=5001 --gid=5001

The password should be 9282759601013452 but logins are failing until I manually change the password using the passwd utility. I'm seeing the same failures on all non-privileged accounts created but the root password works fine. Password-based logins have been tested using both SSH and FTP (vsftpd backed by PAM.)

/var/log/anaconda/journal.log shows nothing interesting during the setup process:

Jun 26 20:52:17 test.test.local anaconda[1946]: program: Running... useradd -R /mnt/sysimage -g 5001 -d /var/ftp -M -s /usr/sbin/nologin -u 5001 A3857275828
Jun 26 20:52:17 test.test.local useradd[35591]: new user: name=A3857275828, UID=5001, GID=5001, home=/var/ftp, shell=/usr/sbin/nologin

The entry in /etc/shadow has the same hash specified in the Kickstart file:

A3857275828:$6$J52QJaSjIt8GGqRS$4YyusOJ5EtpikCdwgXJrorW7XyiLRCT.jjRZsHLv04ZV7ng8wTdrwFUF2u5QXGWiEmDgu/g9RpXxLKPoRD4Kh0::0:99999:7:::

And after updating with passwd, it's still a valid SHA-512 hash:

A3857275828:$6$SP6IoLdZemXHZbxp$E3/Owe7mciCkeuHdiX4ZnZDUWmTz3nDqa885Rnc3rHMZcPharyX0QSdsUTq3gMneSNsmD1V.FmRf5HCY.uZqH0:18452:0:99999:7:::

The only other file that's touched during a password update is /var/lib/sss/mc/passwd. However, I'm not using authselect in my Kickstart file and authselect current says "No existing configuration detected." From what I've read, this should mean that sssd is out of the picture (anyway, as far as I can see, it's only used for external authentication.)

PAM config is untouched from the default, and I've added the debug option to pam_unix.so but am not getting much verbosity out of it:

Jul 10 17:00:06 pbxtest login[972]: pam_unix(login:auth): username [admin] obtained
Jul 10 17:00:08 pbxtest login[972]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=admin
Jul 10 17:00:10 pbxtest login[972]: FAILED LOGIN 1 FROM tty1 FOR admin, Authentication failure

In the event I'm misunderstanding SSSD, here is /etc/nsswitch.conf:

passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd
hosts:      files dns myhostname
services:   files sss
netgroup:   sss
automount:  files sss
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

(Which, now that I look at it, seems like sssd is getting in the way of things.) There are no files under /etc/sssd/ and the status looks like this:

● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-10-22 17:16:49 EDT; 6 days ago
 Main PID: 899 (sssd)
    Tasks: 3 (limit: 4428)
   Memory: 6.4M
   CGroup: /system.slice/sssd.service
           ├─899 /usr/sbin/sssd -i --logger=files
           ├─940 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
           └─944 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

Any thoughts on why I'm unable to log in with the expected password until setting it with passwd?

I'm doing a CentOS 8 automated install. I've previously had no problem creating a single user and adding it to a group like so:

user --name=othername --password=big_long_hash --iscrypted --groups=myname --homedir=/var/ftp --shell=/sbin/nologin

Despite documentation saying the group has to exist already, I've never had any issues.

Now I want to add multiple users to this group, so I add another line to my file

user --name=myname --groups=myname --homedir=/var/ftp --shell=/sbin/nologin
user --name=othername --password=big_long_hash --iscrypted --groups=myname --homedir=/var/ftp --shell=/sbin/nologin

And I get an error:

anaconda[1842]: program: Running... useradd -R /mnt/sysimage -U -G myname -d /var/ftp -m -s /sbin/nologin myname
useradd[25852]: failed adding user 'myname', exit code: 9
anaconda[1842]: program: useradd: group myname exists - if you want to add this user to that group, use -g.
anaconda[1842]: program: Return code: 9
anaconda[1842]: anaconda: kickstart.kickstart.user: User myname already exists

So I tried adding the line to create the group:

group --name=myname
user --name=myname --groups=myname --homedir=/var/ftp --shell=/sbin/nologin
user --name=othername --password=big_long_hash --iscrypted --groups=myname --homedir=/var/ftp --shell=/sbin/nologin

But no change. Tried not specifying the group:

group --name=myname
user --name=myname --homedir=/var/ftp --shell=/sbin/nologin
user --name=othername --password=big_long_hash --iscrypted --groups=myname --homedir=/var/ftp --shell=/sbin/nologin

This time the useradd command doesn't have the group in it, but still fails with the same error. I think I'm just going to work around it by calling usermod from the post-install script, but wanted to check if there's something I'm not understanding about adding groups and users in the Kickstart file.

So, I've got a server running Scientific Linux 6.9 that I want to install 7 on. Upgrades are apparently not supported, so I need to do a clean install, which is fine.

I installed the SL6 server using Kickstart, with these options:

...
zerombr
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb vga=788"
clearpart --all --drives=sda
part /boot --fstype=ext4 --size=500
part pv.008002 --grow --size=1
volgroup vg_main --pesize=4096 pv.008002
logvol / --fstype=ext4 --name=lv_root --vgname=vg_main --size=8192
logvol /home --fstype=ext4 --name=lv_home --vgname=vg_main  --fsoptions="usrquota" --size=8192 --grow
logvol swap --name=lv_swap --vgname=vg_main --size=1024
...

I only want to preserve only the /home LV during the new install. I've read about the --noformat option in the documentation, but it can be applied to the partition, volume group, and logical volume configurations. I'm not clear on which level I should use it and, more importantly, how it will identify the structures in question.

Thankfully this is a VM, so I have snapshots to fall back on, but I'd rather not waste too much time on that. So, what options should I use for the SL7 install to ensure that /home is untouched?

Output of fdisk -l if it's helpful:

Disk /dev/sda: 268.4 GB, 268435456000 bytes
255 heads, 63 sectors/track, 32635 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000852f6

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          64      512000   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              64       32636   261630976   8e  Linux LVM

Disk /dev/mapper/vg_main-lv_root: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000


Disk /dev/mapper/vg_main-lv_swap: 1073 MB, 1073741824 bytes
255 heads, 63 sectors/track, 130 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000


Disk /dev/mapper/vg_main-lv_home: 258.2 GB, 258243297280 bytes
255 heads, 63 sectors/track, 31396 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

And output of vgdisplay -v:

    Using volume group(s) on command line.
  --- Volume group ---
  VG Name               vg_main
  System ID             
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  4
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                3
  Open LV               3
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               249.51 GiB
  PE Size               4.00 MiB
  Total PE              63874
  Alloc PE / Size       63874 / 249.51 GiB
  Free  PE / Size       0 / 0   
  VG UUID               T03S3I-cgaj-A2OY-1e9d-FBiQ-8xpJ-NN3hUo

  --- Logical volume ---
  LV Path                /dev/vg_main/lv_root
  LV Name                lv_root
  VG Name                vg_main
  LV UUID                FPXNoA-pqjg-Krbx-O5Sn-jFzg-GGsb-Ual7ww
  LV Write Access        read/write
  LV Creation host, time rainicorn.domain.internal, 2014-06-05 14:12:41 -0400
  LV Status              available
  # open                 1
  LV Size                8.00 GiB
  Current LE             2048
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0

  --- Logical volume ---
  LV Path                /dev/vg_main/lv_home
  LV Name                lv_home
  VG Name                vg_main
  LV UUID                E38kVe-nxYm-rKop-Gwka-80Lh-T2VF-vGUkHE
  LV Write Access        read/write
  LV Creation host, time rainicorn.domain.internal, 2014-06-05 14:12:44 -0400
  LV Status              available
  # open                 1
  LV Size                240.51 GiB
  Current LE             61570
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2

  --- Logical volume ---
  LV Path                /dev/vg_main/lv_swap
  LV Name                lv_swap
  VG Name                vg_main
  LV UUID                HoZ84h-eXye-lgNw-ggTN-YIEc-X0fZ-ZLcRCo
  LV Write Access        read/write
  LV Creation host, time rainicorn.domain.internal, 2014-06-05 14:13:07 -0400
  LV Status              available
  # open                 1
  LV Size                1.00 GiB
  Current LE             256
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:1

  --- Physical volumes ---
  PV Name               /dev/sda2     
  PV UUID               shdyY0-fhMC-c7kB-LoKG-Jlk8-qN81-14toG3
  PV Status             allocatable
  Total PE / Free PE    63874 / 0

I'm dealing with a known issue in RHEL 7 whereby services that specify an address to bind to will not start correctly. I've found a number of similar reports, many say they have been resolved with updates to systemd but I still face this problem. This affects all the services on my box (sshd, sshd, vsftpd, nginx) that don't just bind to 0.0.0.0.

I've found all sorts of supposed workarounds but none of them work for me consistently. Taking sshd as an example, config looks like this:

Port 22
ListenAddress 192.168.242.225
...

Here's what I've tried, alone and in combinations:

From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c4 (I've also tried sys-subsystem-net-devices-eth1.device in place of network-online.target but I suspect this doesn't wait for addressing to happen.)

mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
After=network-online.target
EOF

From https://bugzilla.redhat.com/show_bug.cgi?id=1352214#c11

mkdir /etc/systemd/system/sshd.service.d
tee /etc/systemd/system/sshd.service.d/wait.conf << 'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF

From https://bugzilla.redhat.com/show_bug.cgi?id=1438749#c0

systemctl add-wants multi-user.target network.target

From somewhere

mkdir /etc/systemd/system/sshd.service.requires
ln -s /usr/lib/systemd/system/network-online.target /etc/systemd/system/sshd.service.requires/

No matter what I try, I usually end up with "error: bind to port 22 on 192.168.242.125 failed: Cannot assign requested address". Sometimes, everything starts up perfectly, which I am guessing is down to a timing issue.

Running Scientific Linux (RHEL) 7.5 and network manager is enabled, all IP addressing is static. If there are any other details that might help, please let me know. Here is the output of journalctl after a failed startup, with After=network-online.target in the sshd unit file. Relevant stuff starts down around line 1700. Hoping someone has come across this issue and solved it successfully!

I added an attribute to my LDAP database by running

ldapmodify -QY EXTERNAL -H ldapi:/// -f openssh-lpk.schema

as root, where openssh-lpk.schema contains this:

# Author: Eric AUGE <[email protected]>
#
# Based on the proposal of : Mark Ruijter
#
version: 1

dn: cn=openssh-lpk,cn=schema,cn=config
changetype: add
cn: openssh-lpk
objectClass: olcSchemaConfig
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'OpenSSH LPK objectclass'
  MUST uid
  MAY sshPublicKey )

dn: cn={5}inetorgperson,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RF
 C2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL
 MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayNam
 e $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddre
 ss $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ page
 r $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIden
 tifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 $ sshPublicK
 ey ) )

This works great – I'm able to modify users to add their public key details to their record, and then read that data from other clients.

Problems pop up when I try to back up the database using slapcat though:

5b044b38 olcObjectClasses: value #0 olcObjectClasses: AttributeType not found: "sshPublicKey"
5b044b38 config error processing cn={5}inetorgperson,cn=schema,cn=config: olcObjectClasses: AttributeType not found: "sshPublicKey"
slapcat: bad configuration file!

What have I done wrong that slapcat isn't able to see the definition for sshPublicKey?

Investigating some call quality issues (0.5 – 1 second dead spots in calls) I took a packet capture of a phone call between two extensions on the same PBX. Since I was capturing from the PBX, I was rather surprised to see Wireshark reporting a huge spike in jitter that synced up with a dead spot in the call:

My understanding was that jitter is caused by packet loss and/or latency in transit, and that the RTP stream leaving the PBX should be relatively pristine. But this spike showed up in all four RTP streams (office 1 to PBX, office 2 to PBX, PBX to office 1, PBX to office 2) so it seems like the packets are already in poor shape by the time they leave the server.

The PBX is Asterisk 13 on Scientific Linux (RHEL) 6.9 (running on a VMWare ESXi 5.5 guest with newly updated tools and VMXNET3 adapters.) The CPU sits pretty steadily around 5-15% usage, and network traffic is minimal. Where can I look to troubleshoot this issue? Are there any common causes for this sort of problem? I'm assuming since the problems are there on the server that I can rule out problems on the external network side?

To make a long story short, a client phone was compromised and used to make illicit calls. An investigation revealed a port forwarding entry to the phone's web UI, which is "protected" by a 6 digit numeric password. We're assuming this was compromised, and are now trying to figure out how they got an extension password from there (it's not available to the UI, nor is it contained in the config file backups you can retrieve from the web UI.) One thing they can do via the web UI is change the registration server.

I know the password is never sent in clear text, but I think the main purpose of the challenge/response authentication is to ensure that the client is who they say they are, for the server's protection. I don't know how much protection is afforded to the client. So, my question: if an endpoint attempts registration against a malicious SIP server, can that server obtain the SIP credentials?

I have the following commands in a Kickstart post-install script:

firewall-offline-cmd --new-zone=management
firewall-offline-cmd --zone=management --add-service=ssh --add-service=snmp
firewall-offline-cmd --zone=management --change-interface=eth1
nmcli device modify eth1 connection.zone management

From my reading it seems that firewalld can't make these changes when NetworkManager is in the picture, so I added in the nmcli command to change the zone. But it is not taking effect. After the install is complete and the server reboots, the interface remains in the default zone. After that I can then run the nmcli command and it will take effect.

I can't find anything online about this problem, except maybe this article, but it's behind a paywall.

I have the following files on my web server:

/var/www/html/--+
                |
                +-misc--+
                |       |
                |       +-misc1--+
                |       |        |
                |       |        +-index.html
                |       |
                |       +-misc2--+
                |       |        |
                |       |        +-index.php
                |       |
                |       +-misc3.php
                |
                +-wordpress--+
                             |
                             +-index.php

I have Nginx set up such that http://example.com/ goes to my Wordpress install. On my previous (Apache) setup I was able to easily create aliases to point to the items in misc but I'm unsure how to do this in Nginx.

    index index.php index.html;
    root /var/www/html/wordpress;

    location ~ [^/]\.php(/|$) {
        limit_except GET POST {}
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_buffer_size 16k;
        fastcgi_buffers 16 16k;

        fastcgi_param    SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param    PATH_INFO          $fastcgi_path_info;
        fastcgi_param    PATH_TRANSLATED    $document_root$fastcgi_path_info;
        fastcgi_param    SERVER_NAME        $host;
        fastcgi_param    HTTP_PROXY         "";

        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~* \.(?:css|js|jpg|jpeg|gif|png|mp4)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

    location / {
        try_files $uri $uri/ /index.php;
        limit_except GET {}
    }

What I'd like is:

• http://example.com/ loads /var/www/html/wordpress/index.php
• http://example.com/misc1 loads /var/www/html/misc/misc1/index.html
• http://example.com/misc2 loads /var/www/html/misc/misc2/index.php
• http://example.com/misc3.php loads /var/www/html/misc/misc3.php

What I've tried:

# http://example.com/misc1 shows index.html but anything else in the folder is 404
location /misc1 {
    alias /var/www/html/misc/misc1;
}

# http://example.com/misc1 gives 403, http://example.com/misc1/index.html gives 404
location /misc1/ {
    alias /var/www/html/misc/misc1;
}

# shows Wordpress 404 page
location /misc1/* {
    alias /var/www/html/misc/misc1;
}

# gives 403 error
location ~ /misc1 {
    alias /var/www/html/misc/misc1;
}

Nothing I've tried has had any effect on PHP, it does not work.

We've got two Dell R720 hosts running the Dell customized version of ESXi 5.5 they were installed with in 2014. I'd like to get these up to the latest patch level but am unsure how to do so. We are strictly a Linux environment, so are not able to run VMWare Update Manager. I've found some instructions for doing this update using esxcli that look something like this:

esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20161204001-standard

But if I understand correctly this will take me to a "vanilla" install without Dell's custom features.

I like to think I'm a pretty competent Linux system and network admin, but I have little experience managing ESXi — these servers were set up and installed by outside consultants — and there's a lot of jargon around this process. So, hoping someone who's done this before can provide a step-by-step list. Thanks!

Trying my first Kickstart with Scientific Linux 7, and have ironed out most of the bugs with migrating my scripts from SL6, but one remains.

I boot the VM on DHCP to pull the Kickstart file from an HTTP server, by adding the following at the boot loader prompt:

net.ifnames=0 ip=eth1:dhcp inst.ks=http://server/ks.cfg

This works fine, and the file is downloaded and processed successfully.

Kickstart config:

…
network --bootproto=static --device=eth0 --ip=192.168.242.224 --netmask=255.255.255.0 --gateway 192.168.242.1 --nameserver 192.168.242.200
network --bootproto=static --device=eth1 --ip=10.10.242.224 --netmask=255.255.255.0 --nodns
…

After installation and reboot, eth1 is fine. However, eth0 stays on DHCP. Checking in /etc/sysconfig/network-scripts/ I find both ifcfg-eth0 with the static IP information, but also ifcfg-eth0-1 with a DHCP config.

/etc/sysconfig/network-scripts/ifcfg-eth0

# Generated by parse-kickstart
UUID=9db01644-e98d-4260-a13e-96d26b251297
DNS1=192.168.242.200
IPADDR=192.168.242.224
GATEWAY=192.168.242.1
DEFROUTE=yes
IPV6_AUTOCONF=no
NETMASK=255.255.255.0
BOOTPROTO=static
DEVICE=eth0
ONBOOT=no
IPV6INIT=yes

/etc/sysconfig/network-scripts/ifcfg-eth0-1

HWADDR=00:50:56:93:D0:AA
TYPE=Ethernet
BOOTPROTO=dhcp
DNS1=192.168.242.200
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV4_ROUTE_METRIC=0
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=eth0
UUID=73ef022d-ff28-404e-9326-cb2240ba78c1
DEVICE=eth0
ONBOOT=yes

It appears the second configuration is taking precedence; what can I do to prevent this behaviour?

(If it's relevant, I've disabled "consistent" interface names because they are anything but on virtual hardware. I specify net.ifnames=0 on the boot loader and then remove the biosdevname package in my Kickstart.)

Looking at taking over management of an old network that was done in 2004. Surprisingly, for the time, it is category 6 cable. About 200 ports in each of 5 IDFs, all running PoE.

But I'm worried the cross-connects are unusable for a modern network. The switches are connected to standard patch panels. The cable from there is terminated into a punch down block (BIX.) The cabling coming in from the edge is also terminated into punch down blocks. The connection between the two punch down blocks is made with UTP cables of up to a metre long that have had the jacket removed.

So, can that setup handle gigabit speeds? I'm inclined to say no, but maybe I am just being overly cautious.

A bigger version of the photo.

Specifically, I need to add ORDERING caseIgnoreOrderingMatch to the givenName and surname attributes. I had hoped there was some way to do this using ldapmodify but the following is not working for me (maybe the core schema is read only, but it's giving me a syntax error):

$ ldapmodify -QY EXTERNAL -H ldapi:/// <<EOF
dn: cn=Subschema
changetype: modify
delete: attributetypes
attributetypes: ( 2.5.4.42 NAME ( 'givenName' 'gn' ) DESC 'RFC2256: first name
 (s) for which the entity is known by' SUP name )
-
add: attributetypes
attributetypes: ( 2.5.4.42 NAME ( 'givenName' 'gn' ) DESC 'RFC2256: first name
 (s) for which the entity is known by' SUP name ORDERING caseIgnoreOrderingMatch )
-
delete: attributetypes
attributetypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (family)
  name(s) for which the entity is known by' SUP name )
-
add: attributetypes
attributetypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (family)
  name(s) for which the entity is known by' SUP name ORDERING caseIgnoreOrderingMatch )
EOF

modifying entry "cn=Subschema"
ldap_modify: Invalid syntax (21)
    additional info: attributetypes: value #0 invalid per syntax
$

I've seen some suggestions to edit the schema files directly which I didn't want to do, but that (stop slapd, edit /etc/openldap/schema/core.ldif, restart slapd) seems to have no effect.

Any pointers to how this can be done? My LDAP knowledge is tenuous at best, so any help is appreciated! Thanks.

I have an Expect script that works fine if I run it manually, but fails when run as an action from Fail2ban. The error message is as follows:

spawn /usr/bin/telnet 192.168.242.1
The system has no more ptys.  Ask your system administrator to create more.
    while executing
"spawn /usr/bin/telnet $hostname"

With the corresponding message in audit.log:

type=AVC msg=audit(1407894085.867:54862): avc:  denied  { read write } for  pid=14748 comm="ciscoacl.exp" name="ptmx" dev=devtmpfs ino=5288 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file

The script is running as root (confirmed by running whoami from the script) so I expected not to have any issues. What, if anything, can I do to fix this? (No, I don't want to disable SELinux!)

I don't think the script itself makes a difference here, but I can post it if needed.

I've tried a few different methods of generating an encrypted password on SL 6.5, but nothing seems to work for me. I'm not finding any errors anywhere in the various /var/log/anaconda* files, but I can't log in so it's obviously not working.

The original auto-created file at /root/anaconda-ks.cfg I used as a template looked like this:

rootpw  --iscrypted $6$...(about 100 characters)
authconfig --enableshadow --passalgo=sha512

Next I tried openssl passwd -1 which gave me:

rootpw  --iscrypted $1$...(about 30 characters)
authconfig --enableshadow --passalgo=sha512

I realized that wasn't SHA-512 so I tried a Python one-liner I found repeated in a few places:

rootpw  --iscrypted $6...(about 10 characters)
authconfig --enableshadow --passalgo=sha512

Nothing works; I can't log in and I end up having to reset the root password in single-user mode.