Vinícius Ferrão's questions

After upgrading some servers from RHEL8 to RHEL9 using the Leapp utility there's some warnings after the upgrade in dnf and rpm: warning: Signature not supported. Hash algorithm SHA1 not available.

Every time that I ran any of those commands I got this warnings:

[root@web ~]# rpm -q kernel
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
kernel-5.14.0-362.18.1.el9_3.x86_64
kernel-5.14.0-427.18.1.el9_4.x86_64
kernel-5.14.0-427.20.1.el9_4.x86_64

[root@web ~]# dnf repolist
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
Updating Subscription Management repositories.
repo id                          repo name
rhel-9-for-x86_64-appstream-rpms Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
rhel-9-for-x86_64-baseos-rpms    Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)

I don't know from which package or what trigger this issue. The majority of the solution available on the web involves reenabling SHA1, which is not effectively a solution.

Also all the packages are tagged with el9 except for some gpg-pubkey packages, so I think there's nothing from RHEL9 around.

[root@web ~]# rpm -qa | grep -v el9
warning: Signature not supported. Hash algorithm SHA1 not available.
warning: Signature not supported. Hash algorithm SHA1 not available.
gpg-pubkey-fd431d51-4ae0493b
gpg-pubkey-a14fe591-578876fd
gpg-pubkey-d4082792-5b32db75

How can I trace the real issue to get rid of this warnings?

I'm trying to use nmap to check which services are running on a given network but it cannot start just because nmap issues ARP Ping Scans on IPv4 network, and on a Infiniband Network, as far as I know, there's no ARP, because broadcasting is not supported, but you have IP addressing if you're using IPoIB (IP over Infiniband).

I can confirm that IP network is working since I can do normal ping, ssh and everything else, but nmap fails.

Here's the output:

# nmap 172.27.0.1-21 -v

Starting Nmap 6.40 ( http://nmap.org ) at 2023-02-04 13:32 -03
Initiating ARP Ping Scan at 13:32
Scanning 21 hosts [1 port/host]
Completed ARP Ping Scan at 13:32, 1.23s elapsed (21 total hosts)
Nmap scan report for 172.27.0.1 [host down]
Nmap scan report for 172.27.0.2 [host down]
Nmap scan report for 172.27.0.3 [host down]
Nmap scan report for 172.27.0.4 [host down]
Nmap scan report for 172.27.0.5 [host down]
Nmap scan report for 172.27.0.6 [host down]
Nmap scan report for 172.27.0.7 [host down]
Nmap scan report for 172.27.0.8 [host down]
Nmap scan report for 172.27.0.9 [host down]
Nmap scan report for 172.27.0.10 [host down]
Nmap scan report for 172.27.0.11 [host down]
Nmap scan report for 172.27.0.12 [host down]
Nmap scan report for 172.27.0.13 [host down]
Nmap scan report for 172.27.0.14 [host down]
Nmap scan report for 172.27.0.15 [host down]
Nmap scan report for 172.27.0.16 [host down]
Nmap scan report for 172.27.0.17 [host down]
Nmap scan report for 172.27.0.18 [host down]
Nmap scan report for 172.27.0.19 [host down]
Nmap scan report for 172.27.0.20 [host down]
Nmap scan report for 172.27.0.21 [host down]
Read data files from: /usr/bin/../share/nmap
Nmap done: 21 IP addresses (0 hosts up) scanned in 1.30 seconds
           Raw packets sent: 42 (1.176KB) | Rcvd: 0 (0B)

Confirm that network is working:

ping 172.27.0.10
PING 172.27.0.10 (172.27.0.10) 56(84) bytes of data.
64 bytes from 172.27.0.10: icmp_seq=1 ttl=64 time=0.101 ms
64 bytes from 172.27.0.10: icmp_seq=2 ttl=64 time=0.067 ms
64 bytes from 172.27.0.10: icmp_seq=3 ttl=64 time=0.061 ms
64 bytes from 172.27.0.10: icmp_seq=4 ttl=64 time=0.105 ms
^C
--- 172.27.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.061/0.083/0.105/0.021 ms

And also TCP:

# ssh 172.27.0.10
Last login: Sat Feb  4 12:28:26 2023 from xxxxxxx
[root@n10 ~]# hostname
n10

How can I use nmap on a IPoIB network?

I've joined a FreeNAS 11.3 in an Active Directory and everything works as expected. But one feature that I'm really missing is some kind of override on mapped home directories for users.

By default the directories are with the following template expansion: template homedir = /home/%D/%U

I want to change it to something like: /mnt/pool0/home/%U

There's no way on the web interface to do this, and I don't know if changing it directly on /usr/local/etc/smb4.conf is a good idea.

What would be the recommended solution?

I want to enable NTFS compression on a specific folder, in my case: C:\inetpub\logs.

This is easily done in Windows Server with Desktop Experience, but in Server Core how this can be achieved?

To be precise I just want the equivalent of checking the box "Compress contents to save disk space".

I'm deploying an IKEv2 VPN authenticating against a RADIUS service within a pfSense 2.3-RELEASE box. But I'm afraid of the complications of this approach when the RADIUS server is down.

Since the RADIUS is behind the pfSense box, in an event of a failure, I'll lose the ability to connect to the IKEv2 VPN and left without any option to enter the LAN.

I could do a simple workaround with some fallback mode with a local user account within the pfSense box, but the problem is this "fallback mode". This even exist?

What are the options in this case?

I'm building a log analyser service to start monitoring mainly our pfSense Firewalls, XenServer Hypervisors, FreeBSD/Linux servers and Windows servers.

There's a lot of documentation on the internet about the ELK stack and how to make it work nicely. But I would like to use it in a different manner, but I don't know if it's a good solution or just a waste of time/disk space.

I already have a FreeBSD 10.2 machine acting as a remote syslog server, and my ideia is to simply concentrate all the logs on this machine and them the syslog server forwards the logs with logstash-forwarder to the ELK server.

It's clear to me that this approach will raise the disk requirements for this setup, but in other hand I will have only one machine with the logstash-forwarder daemon installed, which seems good to me.

But talking about problems. The logstash parser matches [host] with the hostname of the server sending the log messages, and in this approach there's only on "server" show on ELK, the remote syslog server.

I'm aware that I can customize the settings on the logstash configuration files but I don't know (and I don't have the experience to know) if this is just a simple setting on the parsers of it if will compromise the entire ELK experience.

In the end I just want some advices about my logging architecture and if it will work, or if I should go without other option.

Thanks in advance,

I'm facing an issue with an huge mail.que file on the folder C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue.

One of our users created an redirect loop and the mailbox blow with more than 100k bounce messages, and this file ended up filling the whole C: drive.

I was reading on the web what this file do, and it appears to keep some old queued messages, but I'm not sure if the information is correct.

As stated here it's safe to delete the file, with the following algorithm:

1. Run “Get-Queue” and take a look at the count of messages in HUB01
2. Goto services.msc and Pause the Microsoft Exchange Transport service
3. Again, run “Get-Queue” and ensure all pending messages are “zeroed” out
4. Once messages pending becomes zero, stop the Transport service
5. Move the mail.que file and all others to a new folder in the same location
6. Start the Transport service

I would like to know if this is really the right procedure, since the information on the link appears to apply for Exchange 2010.

Thanks in advance,

In one of our slave DNS servers BIND, version bind910-9.10.0P2_3, constantly get killed with the following message in /var/log/messages:

Jul 30 01:00:10 cinnabar kernel: pid 602 (named), uid 53, was killed: out of swap space

This service runs on a FreeBSD 10.0 VM in XenServer 6.2, it has 512MB of system memory.

At this moment pstat -m -s return this:

Device          1M-blocks     Used    Avail Capacity
/dev/ada0p3           512        9      502     2%

I don't think it's a swap problem, it appears to be memory leakage, but I'm unsure.

EDIT: Access information.

This is one of two slave DNS servers, they only store the zones from the authoritative server and act as a recursive server for the internal users to the outside world. The number of clients is something between 700-1500 simultaneous users. Since we have a /21 internal space and a /23 public IPv4 space and there's no queries from the outside world, the port 53 is even blocked on the firewall to those machines.

I've a BIND9 server with a lot of zones and I need to increase the serial number of the zone files by one. Some zones are using the YYYYMMDDXX format but other zones just increase it by one, as they are dynamic DNS zones, so updating all by one would do the job for me.

There's a way to do this? I tried with sed but I'm lacking knowledge to do this automatically.

I've a Supermicro server, out of warranty, and it suicided in the last month. Yes, exactly. During a AMIBIOS update process the BIOS Watchdog has been tripped and the motherboard reseted during the flash. We ended up with a non functional motherboard.

Since the BIOS chip isn't socketed, I've got a SOIC8 clip adapter and a TL866 EEPROM programmer to fix the motherboard, but problems started here.

When I try to flash the BIOS chip it complains about over-voltage protection and it can't even read from the chip. I've got a working board and tried the same: read the EEPROM chip, and the same problem happens.

The question is: someone managed to reflash a Supermicro BIOS chip? There are circuit lockouts the blocks custom programmers to write on the chip without removing the chip from the board?

Thanks in advance,

I've some Supermicro servers with IPMI running, and as described in this blog (http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras) there's a critical vulnerability to get plaintext admin passwords from any remote location.

How to check if my server motherboard is compromised?

What are the required steps to authenticate users from an Active Directory running on Windows Server 2012 R2 in FreeBSD 10.0 using sssd with the AD backend with Kerberos TGT working?

I want to use realmd to join an Active Directory domain from Ubuntu 14.04 LTS.

To do that I just installed realmd and some dependencies with this command: aptitude install realmd sssd sssd-tools samba-common krb5-user.

After the installation I tried to join my domain with the command realm --verbose join ad.example.com -U Administrator it asked for the Administrator password but them crashed with this output:

 * Resolving: _ldap._tcp.ad.example.com
 * Performing LDAP DSE lookup on: 10.7.0.2
 * Successfully discovered: ad.example.com
Password for Administrator: 
 * Unconditionally checking packages
 * Resolving required packages
 * Installing necessary packages: samba-common-bin
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QARGGX -U Administrator ads join ad.example.com
Enter Administrator's password:DNS update failed: NT_STATUS_INVALID_PARAMETER

Using short domain name -- AD-EXAMPLE
Joined 'REALMD-TEST' to dns domain 'ad.example.com'
No DNS domain configured for realmd-test. Unable to perform DNS Update.
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QARGGX -U Administrator ads keytab create
Enter Administrator's password:
realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)

After those erros realmd does not even work, any command issued with realmd returns:

realm: Couldn't connect to realm service: Error calling StartServiceByName for 
org.freedesktop.realmd: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildSignaled: 
Process /usr/lib/dbus-1.0/dbus-daemon-launch-helper received signal 11

The file /etc/sssd/sssd.conf appears to be created correctly and /etc/nsswitch.conf modified accordingly. But this isn't sufficient to successfully join the domain.

I'm trying to understand what's behaving errantly on my PAM configuration on FreeBSD 10.0

The machine is configured with two different authentication realms, one is the default Unix authentication and the other one is using the System Security Services Daemon (sssd).

At this moment I'm using this configuration in /etc/pam.d/sshd since I just want to allow sssd logins from ssh.

auth            sufficient      pam_opie.so                  no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so            no_warn allow_local
auth            sufficient      /usr/local/lib/pam_sss.so
#auth           sufficient      pam_krb5.so                  no_warn try_first_pass
#auth           sufficient      pam_ssh.so                   no_warn try_first_pass
auth            required        pam_unix.so                  no_warn use_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_sss.so    ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so                   want_agent
session         optional        /usr/local/lib/pam_sss.so
session         optional        /usr/local/lib/pam_mkhomedir.so      mode=0700
session         required        pam_permit.so

# password
password        sufficient      /usr/local/lib/pam_sss.so    use_authtok
#password       sufficient      pam_krb5.so                  no_warn try_first_pass
password        required        pam_unix.so                  no_warn try_first_pass

If I understood correctly, when a sssd user logs on the machine it will hit the auth sufficient /usr/local/lib/pam_sss.so line and since this is sufficientit will login without any problems. When a local user account tries to login it will fail in the sssd check but will succeed in pam_unix.so using the password entered for the first time, without asking for the password again.

But it's not what's happening. To successfully login as a local account, I must remove use_first_pass from pam_unix.so optiions in auth realm and when the user logins, the system first asks for the sssd account, failing since the local users doesn't exists in the external authentication service. Then the system asks again for the same password, but authenticating on the pam_unix.so module. And finally the access is granted.

As example, it behaves in this manner:

ssh sssd-test.example.com -l local-user-account
Password: 
Password for [email protected]:
Last login: Sat May 24 16:22:40 2014 from 192.168.1.100
FreeBSD 10.0-RELEASE-p1 (GENERIC) #0: Tue Apr  8 06:45:06 UTC 2014

Welcome to FreeBSD!

$

I don't exactly why this happens or if it has something to do with the account session. As for my understand about PAM, the configuration should be right.

Thanks in advance,

I'm trying to setup authentication from Active Directory in FreeBSD 10.0 using nslcd (nss-pam-ldapd-sasl package) and would like to allow both sAMAccountName and userPrincipalName as valid login attributes in the server.

I don't know if it's possible to use this specific configuration.

Here are my actual mappings in /usr/loca/etc/nslcd.conf

# Do not allow uids lower than 1000 to login (aka Administrator)
nss_min_uid 1000
# Disallow disabled accounts to login
pam_authz_search (!(userAccountControl:1.2.840.113556.1.4.803:=2))

#filter passwd (&(objectClass=user)(!(objectClass=computer)))
#map passwd uid sAMAccountName
filter passwd (&(objectClass=user)(userPrincipalName=*)(!(objectClass=computer)))
map passwd uid                  userPrincipalName
map passwd uidNumber            objectSid:S-1-5-21-NULL-NULL-NULL
map passwd gidNumber            primaryGroupID
map passwd gecos                displayName
map passwd homeDirectory        "${unixHomeDirectory:-/home/$sAMAccountName}"
map passwd loginShell           "${loginShell:-/bin/tcsh}"

filter group (objectClass=group)
map group cn                    sAMAccountName
map group gidNumber             objectSid:S-1-5-21-NULL-NULL-NULL

I'm not sure if I should modify nslcd or what I'm looking should be achieved with pam.

Thanks in advance.

Is there a better way to install only the required dependencies of a package, instead of installing it directly with apt-get (or any other frontend of dpkg) and then immediately removing it, leaving out its dependencies?

I'm trying to install a Scientific Linux CERN 6 guest on XenServer 6.2 through the network with PXE Booting but it hangs in the message:

mounting /tmp as tmpfs... done

I'm not using the most equivalent template (the CentOS 6 template) to install this VM, since we want to install it through our PXE Server, because it gets our kickstart file and create the VM with our necessities, and using the template there's no option to boot from the network. So the "Other Install Media" template was used.

I've tried other RHEL based distros, like clean Scientific Linux 6 (not the CERN flavour) and CentOS 6. All of the three got same problem.

Other distros, like Debian and Ubuntu installs fine with this method, and even the older 5.x version of Scientific Linux installs fine.

I think there's something related with the Xen Support removal from the profitable company on the upstream to force their virtualization solution. But I can't confirm if this is really the issue.

I would like to remove the DNS feature of Windows Domain Controllers and point the DNS servers to our BIND9 servers.

I know it's possible to setup coexistence but this requires a number of extra Windows DNS Servers equals to the number of Domain Controllers in the network.

Active Directory expects the _msdcs zone and other things like _tcp, _udp; etc.

The main question is: how to make BIND9 takes care of all this AD specific data? And with dynamic updating to make AD even more happier.

Thanks,

PS: Making BIND9 points to the Windows DNS Servers to resolve the Active Directory specific zones isn't an option. We already do this...

EDIT: As today, I'm running without Windows DNS. I'm writing up a guide on how to do this, and I'll update this topic.

Is there a real importance in this, except to publish the email address of the person responsible for some DNS zone?

In our BIND configuration, we put a mailling list as the responsible for our domain, but we are usure if this is good practice or not.

Area there any kind of services that rely on this email address? In the worse case, can an invalid email in this field compromise our DNS authority?

I would like to create a dynamic group with users from a specific OU in my Active Directory. I can do this perfectly using Exchange Dynamic Distribution List, but of course, Ex DDL's are only for mail.

There's any way to create this? I've found some guides using System Center to handle this, but System Center isn't an option.

Thanks in advance,