Charlweed's questions

I want a particular user to recursively change owner and group of all the contents of a particular directory, and only that directory. The directory is a kind of "inbox", where a service writes files, and subdirectories.

Currently, I have an administrator sudo chown, but I would prefer the destination owner to do it themselves, without that user having any more permissions then required. Let's say the original owner is "headsman", and the final owner should be "audience". Neither user is in the same group.

sudo chown -R audience:watchers /usr/files/pathofdir Is not quite right, because I don’t want audience to have unlimited authority to use chown. My first guess was to try to add "audience" to /etc/ sudoers with permission to /usr/bin/chown and /usr/bin/chgrp. But that is too much authority.

I thought of writing a script exclusively for audience, but I don’t know how to make that script have the correct permissions and no more.

What is a good way to do this?

I have Windows 10 pro, with NTFS. I think the filesystem is fully case-sensitive. I can have the file Bill_and_Ted.txt in a directory, and write scripts that won't mistake it for bill_and_ted.txt. Linux WSL apps accessing NTFS directories are fully case-sensitive. But it seems that Windows utilities get confused.

So NTFS is probably case sensitive, but perhaps Windows is not. Is it possible in Windows to create two files in the same directory that only differ in ASCII case?

For various software development reasons, I would like to have the files Bill_and_Ted.txt and bill_and_ted.txt in the same directory, and then change the content. But so far, Powershell Copy-Item and Windows xcopy refuse to copy to the same directory when the filenames differ only in case. They fail with "File cannot be copied onto itself"

Is there a built-in Windows way to copy to the same directory and only change the case of the filename?

I am trying to debug why Windows does not accept the responses from my OCSP responder as valid. I am using the command CertUtil -downloadOcsp .\certs .\ocsp_responses downloadonce A single p7b certificate is in the certs directory. I read the log of my openssl 1.1.1f OCSP responder in real-time, and I can see that the connection is made. And the output from certutil looks like it downloads the response. But certutil reports an error, and no ocsp response is saved in .\ocsp_responses

The output from certutil is:

7/6/2021 2:43 PM 14.488s :: Check certificate files in directory <certs>
7/6/2021 2:43 PM 14.488s :: Open OCSP subject certificate file -- saratoga.candy-land.name_exchange_20210630145440_exchange.p7b
7/6/2021 2:43 PM 14.498s :: Add OCSP response file -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>
7/6/2021 2:43 PM 14.498s :: Waiting for 1 download OCSP reponses to complete

====  Downloaded OCSP Responses  ====
7/6/2021 2:43 PM 14.498s :: Error => Pending OCSP response download -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>

Total: 1 Downloaded: 0 Warnings: 0 Pending: 1 Errors: 0 Maximum Thread Count: 2

CertUtil: -downloadOcsp command completed successfully.

I get the same behavior on Windows 10 Pro, and Windows Server 2019. The OCSP responder is openssl 1.1.1f

What might the problem be, and How can I correct it?

TL;DR; How to discover what is wrong with OCSP response on Windows?

I am trying to install a new certificate in on-premises Exchange Server 2019. But Exchange always reports that the new certificate fails the revocation check and will not use it. The new certificate has a chain of trust from the new cert, through an intermediate CA to my root ca. When I open the new cert in certmgr.msc, I see that that chain, and all certificates are reported as OK in certmgr. I have installed my root CA into the “Trusted Root Certification Authorities” store. I have installed the intermediate CA into the “Intermediate Certification Authorities” store.

The new cert’s Authority Info Access URL specifies my own OCSP responder. I know this is not a connection nor proxy problem, because I watch the OCSP logs real-time, and I know the connection is made, and my OCSP responder sends cert “OK”. I have tested with openssl-ocsp on a linux host, and that validation succeeds, when I use this openssl command:

   openssl ocsp 
      -issuer "$ca_sub_cert_file" 
      -cert "$exchangeCert" 
      -resp_text 
      -CApath "$CA_ROOTS_HASHES_DIR" 
      -url "http://$hostNameFull:$ocsp_port/"

Please note that the above openssl command explicitly refers to the issuer, and the CApath, and that enables trust upon the intermediate CA. On Windows, I expected that installing the root-ca and the intermediate CA would similarly enable trust for the OCSP response. But I do not know how to test this.

It should not be necessary, but I also “installed” a certificate for the ocsp-responder. I allowed the wizard to choose the store automatically, and I can not find where it was put. It does not appear when I search for it in certmgr.msc. I have not installed it manually, because I do not know which store I should use.

I suspect that the response from my openssl OCSP responder is wrong for Exchange Server 2019. My theories are:

• A trust chain cannot be built from the new certificate to my root CA
• The chain is built, but one of the certificates for ocsp-responder, the intermediate-ca, or root-ca is not trusted. Even though intermediate-ca, and root-ca are installed.
• The openSSL response is incompatible with Windows and or Exchange Server 2019

How can I test the above theories? I searched the windows event logs but they do not contain any mention of OCSP or revocation.

I have an ip4 192.168.0.0 subnet, with a few dozen hosts, and 6 or so servers with static IPs. I use bind 9 (On Centos 7) internally to service ip4 DNS requests. For years, I've disabled ip6, because I did not need it, and because there is no ip6 infrastructure, it would not work anyway. But now I have some applications where ip6 would be useful. I know basically nothing about ip6, but I need to provide ip6 addresses for at least my servers and provide name resolution.

I can install dhcp6, but I have already seen a client fail to start because it could not resolve a hostname to an ip6 address. I imagine I could create an ip6 zone in my bind 9 server, but I expect that I can't just choose any ip6 addresses I want.

What is the best way for my modest needs? Thanks!

I have CentOS 7, and I want lvm mirrors on my root logical volume.

I had some panic after I used "lvconvert -m3 cl_excalibur/root" to create two mirrors, and it would not boot. The logical volume does not activate at boot when it is raid1. I booted from a liveUSB, and used "lvconvert -m0" to convert it back to un-mirrored, and all seems well. But I'm back to square one. I expect I must use dracut -f --add<-drivers?> <name of the lvm raid kernel module>, but I don't know the exact arguments I need.

During a failed boot, in the dracut lvm tool, I tried lvchange -ay cl_excalibur/root, but lvm complained that the module "dm-raid" was not in the kernel. So that's what I think I need to install.

I found the file /usr/lib/modules/3.10.0-1062.1.1.el7.x86_64/kernel/drivers/md/dm-raid.ko.xz. However, I don't know which add flag to use, nor how to go from the filename above to the argument dracut requires.

This host is important to our infrastructure, so I have not yet tried anything. I've now built a virtual CentOS 7 server so I can hack around with dracut and grub2, but I'll appreciate any help :)

On Linux, I want to replace a bash script with powershell. The script needs to test a file to determine if it is a symbolic link. In bash, one can use the -L operator:

if [[ -L "/tmp/mysteryfile" ]] ; then ; echo "It is a link" ; fi

How can I do the same in powershell on Linux?

I have Centos 7+ systems, and they all use systemd. Sometimes the best way to proceed after an important system change is to restart each currently running service. If I restart each service one-at-a-time, then the system generally stays online, and it is very easy to see service problems as they appear. So I hacked out this little bash script, which restarts each running systemd service, EXCEPT certain named services which I think are core to keeping the box online.

#!/bin/bash
set -e
set -u
running=$(systemctl list-units --type service | grep running \
    | grep -iv audit \
    | grep -iv disk \
    | grep -iv drive \
    | grep -iv getty \
    | grep -iv irq \
    | grep -iv libstoragemgt \
    | grep -iv lvm \
    | grep -iv multipath \
    | grep -iv polkit \
    | grep -iv storage \
    | cut -d' ' -f1)

for service in $running ; do
    echo "$service"
    systemctl restart "$service"
done

There are several things I wish were better:

• Grepping for "running" is a crude way to filter for running tasks, and the multiple pipes are pretty expensive.
• Using cut is really brittle, and breaks when the output format of systemd changes.
• systemctl restart does not set a return code on start failure, so the script keeps going even if a service fails to stop or start.

What may be some better ways to to this?

I have a Samba 4.6.2 samba ActiveDirectory member server. Every month or so, all clients lose the ability to connect to all the shares. I can work around the issue by leaving the domain, deleting the machine account, and re-joining the domain, but it is obviously wrong that I have to do this every few weeks. I thought that it was a machine account password expiration issue, but running adcli update does not help. I tried changing the Group Policy for machine password expiration, but that did not help either.

• Centos 7.4.1708
• Samba 4.6.2
• sssd-krb5-1.15.2
• SSSD 1.15.2-50
• realmd-0.16.1-9

The error message on the client side is

"\\cheetoes is not accessible. You might not have permissions to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Login Failure: The target account name is incorrect"

On the server side, at startup, log.smbd contains:

[2018/05/09 12:03:41.622878,  0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password [email protected] failed: Preauthentication failed
[2018/05/09 12:03:41.622923,  1] ../source3/libads/sasl.c:821(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/true-companion.hymesruzicka.org with user[CHEETOES$] realm=[HYMESRUZICKA.ORG]: Preauthentication failed

And the per-client log shows:

[2018/05/09 12:06:58.259646,  1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/[email protected] not found in keytab (ticket kvno 3)]
[2018/05/09 12:06:59.099902,  1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/[email protected] not found in keytab (ticket kvno 3)]

Immediately after I rejoin, I do not get the client failures, nor the "Preauthentication failed" error in the log.smbd. I'm particularly puzzled why rejoining works, but only for a while.

My openvpn server running on CentOS 7, I've got 20 or so users with modern IOS devices half with iOS 11. We generate .ovpn scripts with python, and used iTunes to configure the IOS OpenVPN client, until Apple broke it.

As of iTunes 12.7, all features for managing apps have been removed. In particular, users cannot use iTunes to load files into particular apps. These was the recommended way to install ovpn files into OpenVPN for iOS. Older versions of iTunes retain this functionality, but it is not compatible with devices newer than iPhone 5, iPad Air. So now what do I do? I'm going try to serve via apache http, because I saw a post that hinted that you can configure MIME metadata to get iOS safari to open a file in OpenVPN. I've never seen that work, so I'm skeptical.

Any other ideas?

We have a minor disaster on a Centos7 system. A bug in a config script recursively set /, /bin, and /usr/bin, to 400 permissions. This means that basic commands like, chmod, mount, and almost everything else is un-executable. I'm pretty confident I can fix this by booting from a live-usb, but I'd have to make one. Also, the damaged machine is our router, so when it goes down, we lose our internet access.

I have another box with linux x64 binaries for chmod, bash, mount and the rest, is there some clever way to execute them from a usb (or the network or whatever) without rebooting?