eng3's questions

My org is running Active Directory which uses Kerberos for authentication. I have a group of linux computers that are not permitted to be joined to AD. For user authentication, I setup kerberos and pam to point to the AD server. After adding the user to the system, I can login using my AD username and password. After logging in, I have a ticket. This is a great convenience as I don't need to maintain a separate set of credentials for users.

Now I'd like to setup ticket forwarding between my group of computers so I don't have to retype my password every time. This doesnt work.

Example scenario: AD client ssh to server1 in my group of computers not in AD. I can use my username and password to login. After login I have a ticket. I now want to login to server1 in my group of computers not in AD. This prompts me for a password again. Ideally, since I already have a ticket on the AD client, I shouldn't need to enter my password for either login.

Based on my rudimentary understanding of kerberos, I think this is failing on the "TGS-REQ" step where the client tries to get a host (server) service ticket from kdc. Since my host isn't registered/added/joined, I assume the KDC/AD can't provide one and that step fails.

My questions?

1. Am I correct, is this the cause of my issues?
2. Is there any way around this to achieve my single sign-on using AD creds goal?
3. What if I setup my own local KDC/AD/IDM. Is there a way to point that to the main AD?

I'm tryin to setup Gmail send-as to send email via my SMTP server over TLS and I get "tls negotiation failed the certificate doesn't match the host" ever since I renewed my lets encrypt cert.

Background: I have a server with a dedicated IP sharing a few domain names. I'm using virutalmin/webmin. I had issues on renewal so I ran certbot manually verifying via TXT records. I created certs with CN=domain.com and SANS=domain.com,www.domain.com,mail.domain.com. mail.domain.com is an A record setup with cloudflare pointing directly to the IP (without being proxied). Note, everything worked fine before. The server shares multiple domains. The primary domain has no issues with email. It previously stopped working for dovecot and postfix because my cert did not renew with the mail.domain.com in the SANS list. It worked after fixing that. I have a second domain that has stopped working with sending. POP3/IMAP is not use as emails are just forwarded.

let's encrypt generated its files. I setup postfix SNI map to point to the cert files.

When I run openssl x509 -text on the files, I can see the CN and SANS. When I run openssl s_client -connect mail.domain.com:25 -starttls smtp, it only shows the CN not the SANS.

Sending emails with the primary domain works fine. Sending emails with the second domain gives the error. openssl gives the same result. Reading the file shows the CN=domain.com and SANS=domain.com,www.domain.com,mail.domain.com. Connecting to the smtp server only shows the CN for the respective domain.

I'm not sure what gmail is comparing to when it says "certificate doesn't match the host" I thought it was just the CN and SANS to the server name but maybe its something else?

I am running RHEL8 in a virtualbox trying to run reposync to store into a shared folder (on a windows host)

I get the following error:

Error: Cannot rename directory "/repository/rhel8/baseos/rhel-8-for-x86_64-baseos-rpms/tmpdir.sZIHje/repodata" to "/repository/rhel8/baseos/rhel-8-for-x86_64-baseos-rpms/repodata": cannot create directory /repository/rhel8/baseos/rhel-8-for-x86_64-baseos-rpms/repodata: File exists

If I try using 'mv' in the shell, I don't get any error.

Using chmod, I accidentally changed everything in a bin folder and now sudo/su doesn't work.

I know rpm -q --whatprovides can provide which RPM provides a specific file. and rpm --setperms can restore everything provided by a RPM.

Is there a way to restore the permissions of all the files in a folder using rpm?

I have a lambda function that I have setup to start an instance:

import boto3
ec2 = boto3.client('ec2')
response = ec2.start_instances(
    InstanceIds=['i-xxx']
)
print(response)

The response looks good, showing it going to pending from stopped:

START RequestId: 26c0cf5e-6d70-4701-b0bd-68276b06d30d Version: $LATEST
{
    "StartingInstances": [
        {
            "CurrentState": {"Code": 0, "Name": "pending"},
            "InstanceId": "i-xxxxxx",
            "PreviousState": {"Code": 80, "Name": "stopped"},
        }
    ],
    "ResponseMetadata": {
        "RequestId": "fdab5818-0536-457f-a19e-17fea60100f4",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amzn-requestid": "fdab5818-0536-457f-a19e-17fea60100f4",
            "content-type": "text/xml;charset=UTF-8",
            "content-length": "579",
            "date": "Wed, 16 Dec 2020 18:38:57 GMT",
            "server": "AmazonEC2",
        },
        "RetryAttempts": 0,
    },
}
END RequestId: f2ed2be9-e2f2-4beb-a69b-4cddee35bef4
REPORT RequestId: f2ed2be9-e2f2-4beb-a69b-4cddee35bef4  Duration: 1381.48 ms    Billed Duration: 1382 ms    Memory Size: 256 MB Max Memory Used: 97 MB  Init Duration: 688.96 ms    

However, when I look at the console, it still shows as stopped and never starts.

It doesnt seem like it failed to start:

                "StateReason": {
                    "Code": "Client.UserInitiatedShutdown",
                    "Message": "Client.UserInitiatedShutdown: User initiated shutdown",
                },

Execution Based Policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "xxxxxxx",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "xxxxxxFunction",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "xxxxxxxx"
        }
      }
    }
  ]
}

It seems like it didn't really try to start. I've used this code to start other instances. I'm wondering if it is a permissions issue, but there is no error. The lambda function execution role has EC2fullaccess.

Note, another datapoint. I have tried further code that uses ssm send command to send a command once its running (after manually starting). If I try that while it's running it succeeds.

In order to get a mount to work I have to first set the http_proxy environment variable before I run s3fs.

export https_proxy=<proxy address>
s3fs -d <bucket> mount-point -o url=https://s3.us-gov-west-1.amazonaws.com -o use_path_request_style

I'd like to mount my S3 bucket on boot but I am behind a proxy. I can add it to fstab, but it doesnt work because it doesnt know about the proxy.

I'm trying to avoid IP conflicts with wireguard VPN and would like to select the least used private IPV4 address block.

Are there any statistics published on usage of private IPV4 address space? Or perhaps some studies?

Background:

On an isolated network. Multiple RHEL6 Linux systems connected to a Windows 2012R2 DC. Systems joined to domain and authenticating with DC. Using IDMAP_RID. No known changes to windows or linux configuration files. Everything has worked for several years and only recently stopped. There have been changes in the windows side in terms of security configuration but those changes are not well tracked. I would have to ask those admins something specific to look at. RH support has not been very useful.

ISSUE:

Some time in the past month most users no longer show the correct group information. All users are automatically a member of "Domain Users" as this is the default windows group. Nearly all users are in a AD security group named "Program Users" that I created. When I execute "id" or "groups" for all accounts only shows membership in "Domain Users" and none of the other groups. For the "id" command, sometimes it shows the group more than once.

id returns:

uid=###(username) gid=###(domain user) groups=###(domain user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

wbinfo -u and wbinfo -g returns the correct listing of all users and groups

getent group Program\ Users (and wbinfo --group-info) returns:

Program users:*:GID#:comma separated list of users

the list of users is correct and includes the users with missing data.

wbinfo -r does not return the correct list.

I've tried clearing /var/lib/samba/*.tdb but that does not help.

Some configuration data:

SMB.CONF:
[global]
   workgroup = DOMAIN0
   password server = server0.DOMAIN0.LOCAL
   realm = DOMAIN0.LOCAL
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 300000-399999
   idmap config DOMAIN0:backend = rid
   idmap config DOMAIN0:range = 100000-199999
   idmap config DOMAIN0:base_rid = 0
   template shell = /bin/bash
   winbind enum users = no
   winbind enum groups = no
   winbind separator = +
   winbind use default domain = yes
   winbind offline logon = false
   kerberos method = secrets and keytab
   client signing = mandatory
   server signing = mandatory

NSSWITCH.CONF:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns

SYSTEM-AUTH:
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 remember=24 maxrepeat=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_lastlog.so showfailed
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

REQUEST-KEY.CONF
#OP     TYPE    DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create  user    debug:*         negate          /bin/keyctl negate %k 30 %S
create  user    debug:loop:*    *               |/bin/cat
create  user    debug:*         *               /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate  *       *               *               /bin/keyctl negate %k 30 %S
create  cifs.spnego  *          *               /usr/sbin/cifs.upcall %k
create  cifs.idmap      *       *               /usr/sbin/cifs.idmap %k
create  dns_resolver  *         *               /usr/sbin/cifs.upcall %k

KRB5.CONF
[libdefaults]
 default_realm = DOMAIN0.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN0.LOCAL = {
  kdc = server0.DOMAIN0.LOCAL
 }

Background: I have a RHEL6 storage server (lots of HDs) and a RHEL6 Application server (little storage, lots of CPU/memory). They are currently connected to a 1GB Catalyst 2960-X switch. There is also a windows server and 15 client windows computers that pretty much act as terminals also connected. The storage server contains all the data and is linked to the application server via a single NFS4 mount.

Usage: Users SSH (with X11) to the application server to run jobs. Users have the option to run jobs on the storage server as well (because in the past, all we had was the storage server). The storage server will backup all of its data to the windows server nightly.

Question: Since there will be alot of network traffic between the application and storage server, is there a better way to connect the two? For example, I could connect a direct line between the two and mount the NFS4 mount on that dedicated interface. Would it better to use Channel Bonding (I have 4 NICS on each server)? Would that actually help since I'm only using a single NFS mount? Improved fault tolerance is not a concern on this system considering we are only using one line right now. Alternatively, I can used the 2nd NIC on each server for a separate VLAN. That would at least separate the SSH/X11 client traffic from the NFS4/CIFS traffic.

I have two Dell R730 systems which have an identical hardware configuration purchased at the same time. Both are running RHEL6.9 where were imaged from the same image. It was imaged in January. I update the packages from the repository once a month so in general everything on the system should be "nearly" identical. (ie. any software or setting I change on one system gets changed on the other but since it is a manual process, there could be something missed)

I have noticed the performance on one system is 2.5X slower than the other. The jobs I am testing are single threaded CPU intensive. Reading some data files but very low disk io utilization according to iostat. Top shows the process is constantly pegged at 100% but the system has 88 threads and the load average is only approx 1. Very little memory utilization. No network utilization. (All files that it uses are local) One is a complex python script, another is a proprietary software program, both are running much slower on one system versus the other.

/proc/cpuinfo is identical. BIOS settings are identical. Only one user on the system. The faster system is connected to the internet, the slower one is on a standalone network.

In my investigations I've only found two differences. 1. The faster system is running BIOS version 2.25 the slower system is running BIOS version 2.43 2. The slower system has auditd running. However there is zero activity in the audit log during the process.

I realize this is difficult to debug but I am running out of ideas of what to look for. Are there some builtin software tools I can use to give more insight on what might be going on?

I'd like rsnapshot to not create a second copy of all my files and instead just have hardlinks to the original files and only save a copy of changes.

I have a windows and linux server. I would like to have backups of my linux system stored onto the windows system. However I'd also like to have snapshots available for users.

I am running rsnapshot on linux in order to have snapshots. I cannot place the snapshot root on windows since I cannot preserve the file attributes on the different file system, therefore the snapshot resides on linux. This means now my files are using double the space (original and snapshot)

Since a snapshot is not a backup, I create a backup by zipping up my files and sending the zip file over to windows.

The issue is that since I am creating a separate backup, I have no need to keep two copies of the same file on linux. Therefore I'd like rsnapshot to not create a second copy of all my files and instead just have hardlinks to the original files.

Can I simply manually create the first retain/interval folder with all hardlinks? (cp -al)