Yves Martin's questions

I am deploying a BigIP IdP SAML virtual server in IdP initiated mode thanks to iApps template f5.saas_idp.v1.0.1rc1 based on instruction from https://www.f5.com/pdf/deployment-guides/saml-idp-saas-dg.pdf

It works well from BigIP wizard but I expect to automate and document deployment thanks to a Ansible playbook

- name: Deploy {{ idp_host }} with f5.saas_idp iApp template
  bigip_iapp_service:
    name: "saas_idp_{{ idp_host }}"
    template: f5.saas_idp.v1.0.1rc1
    parameters:
      tables:
        - name: saas_apps__saas_choice
          columnNames:
            - app_name
            - app_selection
            - app_sp
            - sp_initiated
          rows:
            - row:
                - "{{ saml_saas_name }}"
                - "/#zendesk#"
                - "{{ saml_saas_sp }}"
                - no # which means "Yes, IdP and SP"
        - name: saas_apps__saas_attributes
          # Empty
      variables:
        - name: options__advanced_mode
          value: yes
        - name: saas_virtual__addr
          value: "{{ idp_address }}"
        - name: saas_virtual__port
          value: 443
        - name: idp_encryption__cert
          value: /Common/{{ idp_host }}_saml_idp_metadata_cert.crt
        - name: idp_encryption__key
          value: /Common/{{ idp_host }}_saml_idp_metadata_cert.key
        - name: saas_virtual__vlan_listening
          value: enabled
        - name: saas_virtual__vlan_selections
          value: /Common/Internal
        - name: saas_virtual__lan_or_wan
          value: LAN
        - name: saas_virtual__tcp_lan_opt
          value: tcp-lan-optimized
        - name: saas_virtual__http
          value: http
        - name: saas_virtual__clientssl
          value: /Common/clientssl_wildcard_2017-2020
        - name: saas_virtual__chainssl
          name: "/#do_not_use#"
        - name: apm__apm_policy
          value: "/#create_new#"
        - name: apm__saml_entity_id_format
          value: url
        - name: apm__saml_entity_id
          value: https://{{ idp_host }}
        - name: apm__aaa_profile
          value: /Common/AAA_myAD
        - name: apm__logging
          value: /Common/default-log-setting
    force: no
    state: present
    strict_updates: no

But script fails requiring saas_virtual__key, saas_virtual__cert and saas_virtual__chainssl whereas they are not expected as I provides an existing saas_virtual__clientssl in Advanced mode:

message":"script did not successfully complete: (can't read "::saas_virtual__key": no such variable
    while executing
"iapp_conf create $cssl_cmd key $::saas_virtual__key cert $::saas_virtual__cert  chain none"
    invoked from within
"subst $substa_out"
    invoked from within
"if { [info exists [set substa_in]] } {
            set substa_out [subst $$substa_in]
            set substa_out [subst $substa_out]
        } else {
..."
    ("uplevel" body line 3)
    invoked from within
"uplevel {
        append ::substa_debug "
$substa_in"
        if { [info exists [set substa_in]] } {
            set substa_out [subst $$substa_in]
 ..."
    (procedure "iapp_substa" line 9)
    invoked from within
"iapp_substa client_ssl_arr($new_client_ssl,$do_chain_cert)"
    invoked from within
"iapp_conf create ltm virtual ${app}_vs  destination [iapp_destination $::saas_virtual__addr $::saas_virtual__port]  ip-protocol tcp  profiles replace-..."

Providing these variables does not help, script fails to load because of key password I cannot provide:

Error reading key PEM file /Common/wildcard_2017-2020.key
for profile /Common/saas_idp.app/saas_idp_myidphost_client-
ssl: error:0906A068:PEM routines:PEM_do_header:bad password read

So from my point of view, best option is to get template using my existing clientssl profile. How to proceed ? Is there a way to 'debug' iApps template script, at least inspecting variables ?

I try to setup DRBD on a raw disk device /dev/sdb without partition table, nor LVM stack PV/VG/LV

As this disk is virtual and hypervisor I use allow on-the-fly disk extension, I do not want to bother with LVM operations or re-partitioning when comes time to extend my DRBD file system

My resource definition cannot be simpler

resource data {
  device  /dev/drbd1;
  meta-disk internal;
  disk    /dev/sdb;
  on node1 {
    address 10.10.10.16:7789;
  }
  on node2 {
    address 10.10.10.17:7789;
  }
}

Create metadata works

# drbdadm create-md data
initializing activity log
NOT initializing bitmap
Writing meta data...
New drbd meta data block successfully created.

But attach operation fails

 # drbdadm attach data
 1: Failure: (127) Device minor not allocated
 additional info from kernel:
 unknown minor
 Command 'drbdsetup-84 attach 1 /dev/sdb /dev/sdb internal' terminated with exit code 10

Error message really sounds like command expect a partition table index as device minor code.

How should I attach a raw device to DRBD resource ?

On a Debian system, my ViewVC database still refers to no longer accessible Subversion repositories (archived, moved to another server...)

Because it hosts a large number of repositories, I cannot delete and rebuild for all repositories.... it would be far to long, disk and CPU intensive. 1 Gb MySQL ViewVC database for 90 Gb of repositories.

So how to remove a repository selectively from a ViewVC database ?

VMware allows to extend the size of a virtual disk online - when the VM is running. The next expected steps for Linux system are:

1. extend the partition: delete and create a larger one with fdisk
2. extend the PV size with pvresize
3. use free extents for lvresize operations
4. and then resize2fs for file system

But I am stuck on the first step: fdisk and sfdisk still display the old size for the disk.

My disk is a SCSI virtual disk connected thanks to the virtual LSI Logic controller.

How to refresh the virtual disk size and partition table information available in Linux kernel without reboot ?

As far as I know all that steps are possible for a running Windows, without reboot and even without any user actions thanks to VMWare tools. On Linux, I expects to do all steps online too and I already know steps 2, 3 and 4 work online. But the first one - change partition size declared in the partition table (still) seems to require a reboot.

Update: My system is a Debian Lenny with kernel 2.6.26 and the disk I have extended is the main disk with a large PV containing the "root" LV for "/".

I am configuring Kerberos authentication for Alfresco CIFS protocol fully implemented in Java (JLAN project). That is not the first time, I used to set it up right in a single shot.

In the same network, with an ActiveDirectory Windows 2008R2 and the same procedure, I have already done successfully the setup for two environments but the production environment give me troubles.

The production keytab was generated by ktpass on ActiveDirectory with RC4-HMAC like for other environments. The account AlfrescoCifsP is dedicated for production and for this only service:

ktpass -princ cifs/[email protected]
       -mapuser MYDOMAIN\AlfrescoCifsP -pass <password>
       -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\prod.keytab

Now I try to use it on RedHat 5.8 with MIT Kerberos libraries and utilities in version 1.6.1-70-el4 and I got the following error:

$ kinit -k -t prod.keytab cifs/myserver.mydomain.com
kinit(v5): Key table entry not found while getting initial credentials

Here are what I have checked (many times):

• My krb5.conf is OK with default realm set
• I can open prod.keytab with ktutil and list the slot for cifs/myserver.mydomain.com
• I can authenticate with password and command kinit cifs/myserver.mydomain.com
• kvno cifs/myserver.mydomain.com returns the same key number than from the keytab entry
• I also deleted the ActiveDirectory account and does the stuff again. Still the same result.

So everything has been done to succeed. It was successfully for two service accounts and failed for the third one. The only difference may be the SPN length which is a bit longer than for others but far less than the SPN limit of 260 characters.

I have straced the kinit -k -t prod.keytab cifs/... command and I just saw the read operation on keytab file and just behind the output of the error message to stderr.

Is there any known issue matching my trouble in a similar environment ?

How to diagnose the source cause of this issue ?

What may be the main reasons for such a failure ?

What should I try in the hope to find a way out ?