LinuxAdmin: Expanding Linux SysAdmin knowledge


Some problems creating a two-way trust between IPA and AD

4 hours 55 min ago


So I've been having problems trying to create a two-way trust between IPA and AD. As far as I can tell, the trust is only one way; the AD says it can't verify the IPA. I've been following this guide: One exception is that I didn't configure DNS on the IPA since I'd like my AD to take care of that. Is that something that's just not possible? BTW my IPA domain is a subdomain of the AD domain.

submitted by /u/PopularWatch

Ubuntu 16.04.4 LTS 4.4.0-108+ hangs when sssd is enabled

Fri, 03/16/2018 - 18:17

Guest OS: Ubuntu 16.04.4 LTS (kernel versions 4.4.0-108 to current 116)

Virtualization env: VMWare ESXi 6.0

Host hardware: Dell R720

Using SSSD to bind linux servers to the AD domain for authentication. This was working fine right up to 4.4.0-104. After the update to -108,-109,-112, or -116, if sssd is enabled OR if it is disabled but then started after a successful boot and you perform a lookup (i.e. id some_domain_user), the entire system will freeze, and you have to force a reboot. There's even a blip in the syslog when it happens.

I increased loglevel to 9 in the sssd.conf file in all the sections, and then started SSSD and tried to lookup a user. The most meaningful things I've been able to pull out are:


(Fri Mar 16 13:06:03 2018) [sssd] [service_send_ping] (0x2000): Pinging
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_add_timeout] (0x2000): 0x88a9d0
(Fri Mar 16 13:06:03 2018) [sssd] [service_send_ping] (0x2000): Pinging nss
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_add_timeout] (0x2000): 0x8904c0
(Fri Mar 16 13:06:03 2018) [sssd] [service_send_ping] (0x2000): Pinging pam
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_add_timeout] (0x2000): 0x88ede0
(Fri Mar 16 13:06:03 2018) [sssd] [service_send_ping] (0x2000): Pinging ssh
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_add_timeout] (0x2000): 0x889710
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x88a9d0
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x888c10
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Fri Mar 16 13:06:03 2018) [sssd] [ping_check] (0x2000): Service replied to ping
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x88ede0
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x890e00
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Fri Mar 16 13:06:03 2018) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x889710
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x88d5f0
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Fri Mar 16 13:06:03 2018) [sssd] [ping_check] (0x2000): Service ssh replied to ping
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x8904c0
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x88eae0
(Fri Mar 16 13:06:03 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Fri Mar 16 13:06:03 2018) [sssd] [ping_check] (0x2000): Service nss replied to ping


(Fri Mar 16 13:05:06 2018) [sssd[nss]] [id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]

(Fri Mar 16 13:05:13 2018) [sssd[be[]]] [sbus_message_handler] (0x2000): Received SBUS method on path /org/freedesktop/sssd/service
(Fri Mar 16 13:05:13 2018) [sssd[be[]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Mar 16 13:05:23 2018) [sssd[be[]]] [sbus_dispatch] (0x4000): dbus conn: 0xf1e840
(Fri Mar 16 13:05:23 2018) [sssd[be[]]] [sbus_dispatch] (0x4000): Dispatching.


(Fri Mar 16 13:06:53 2018) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x1817880
(Fri Mar 16 13:06:53 2018) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Mar 16 13:06:53 2018) [sssd[ssh]] [sbus_message_handler] (0x2000): Received SBUS method on path /org/freedesktop/sssd/service
(Fri Mar 16 13:06:53 2018) [sssd[ssh]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

Trying to capture boot time logs wasn't successful (with sssd enabled with systemd). Just a big gap in kernel.log and syslog. Watching the boot process shows that it hangs at:

Started D-Bus System Messaging Bus

Which appears to corroborate the problems being indicated in the sssd logs. Some kinda problem with sssd sending dbus messages, right? If I revert to -104, all good. Anything above that version, sadness.

What is weird is that I do not have these problems on a test system using VirtualBox on my MacBook Pro running the same version of Ubuntu 16.04.4 LTS. I'm wondering if this might be a Meltdown related issue, as it happened with the kernel version that was initially released to address it (-108). We applied updates to our physical hosts, ESXi and the fixes for the guest OS. I haven't seen any notices or errata on the sssd mailing list, or anything related in recent Google searches. I'm afraid it is a weird confluence of host+vmware+guest OS problems.

So far, I've tried installing sssd-dbus (which is oddly not a dependency), and in conjunction with that setting sssd's system unit file to start sssd after dbus.service, and finally started it last (i.e. No dice.

Any insight or help appreciated! Thanks!

submitted by /u/Groinkie

Guide for Samba on Ubuntu 16.04 with Windows ACL

Fri, 03/16/2018 - 17:22

I built a test server over a year ago and I'm trying to replicate the process. I have no clue what guide I used, but I got it to work before. I've been using the following as guides this time around but keep having to start over after failing:

Can anyone point me in the direction of a good thorough guide for this?

I keep getting so close but then missing the mark.

submitted by /u/insanerwayner

Building a server for practicing.

Fri, 03/16/2018 - 04:54

Hi guys, I've been learning Linux for the past 4 months, mostly by myself. I thought that if I want to go into the job market I have to have some practical experience I can show in job interviews,

so I thought about making a project out of my old laptop and turning it into a running CentOS-based server.

I mostly learned about how to operate Linux and less about servers, so I would like to hear some ideas of which kind of services I should put on my server (web/data/w\e)... I mean, what is nice to work with and stuff like this.

Any other related tips would be great!

submitted by /u/shai50

Looking for a shell that will audit user actions and remain completely hidden.

Fri, 03/16/2018 - 01:08

Essentially, if a staff member hops onto one of our servers and begins meddling in things they shouldn't, I'd like a log of this.

I'd also like to do something like display a falsified authorized_keys file in case they wish to see what shell they're being sent into.

submitted by /u/autotom

When a process dies, a port it owned is unavailable for about 60 seconds

Thu, 03/15/2018 - 14:44

Hey /r/linuxadmin,

I have a dotnet core project that interacts with some python processes locally on a linux box on port 5555 (I recognize we could use socket files... don't ask). When I restart all processes, dotnet complains that port 5555 is already in use for about a minute, and that it cannot claim the port. While things are running, netstat shows that all is well, and 5555 is owned by dotnet:

# netstat -pantl | grep 5555
tcp 0 0* LISTEN 12600/dotnet
tcp 0 0 ESTABLISHED 12600/dotnet
tcp 0 0 ESTABLISHED 12665/python

When the dotnet and python processes (12600 and 12665 above) are killed off, netstat still shows that 5555 is active, but no process is associated with it.

# netstat -pantl | grep 5555
tcp 0 0 TIME_WAIT -

If I wait 60 seconds, that connection drops out, and I can successfully start up the dotnet and python processes again; dotnet is able to claim 5555.

Any idea why I need to wait a minute before I can grab that port? If I restart apache2 or something, it'll release ports 80 or 443 immediately, so it can reclaim them if it starts back up, but it seems like the OS is doing something weird when I restart dotnet. Is there something I can set in config so that ports are released immediately when a process dies?


submitted by /u/Kayco2002
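The TIME_WAIT behaviour this post describes, reproduced as an added example (my own code, not the poster's): a small Python script opens a listener, lets the server side close the accepted connection first so its socket lands in TIME_WAIT, and then tries to bind the same port again, once without and once with SO_REUSEADDR set before bind(). It assumes a Linux host with a working loopback interface; the function name rebind_after_close is hypothetical.

```python
import errno
import socket
import time


def rebind_after_close(reuse: bool, host: str = "127.0.0.1") -> bool:
    """Open a listener, accept one connection, close it from the server
    side (so the server's socket enters TIME_WAIT), then try to bind a
    fresh socket to the same port. Returns True if the rebind succeeds."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuse:
        # Must be set before bind(); accepted sockets inherit the flag,
        # so the TIME_WAIT entry they leave behind carries it too.
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    cli = socket.create_connection((host, port))
    conn, _ = srv.accept()
    conn.close()                 # server closes first: the active closer
    cli.close()                  # peer's FIN completes the four-way close
    srv.close()                  # the listener itself is gone, as after a kill
    time.sleep(0.2)              # let the loopback FIN/ACK exchange settle

    # This is the "restart": a brand-new process-equivalent socket asks
    # for the same port while the old connection still sits in TIME_WAIT.
    fresh = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuse:
        fresh.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        fresh.bind((host, port))
        return True
    except OSError as e:
        if e.errno != errno.EADDRINUSE:
            raise
        return False             # "address already in use" for up to ~60 s
    finally:
        fresh.close()


if __name__ == "__main__":
    print("rebind without SO_REUSEADDR:", rebind_after_close(False))
    print("rebind with SO_REUSEADDR:   ", rebind_after_close(True))
```

Apache sets this same option on its listening sockets, which is why it can take ports 80 and 443 back immediately after a restart while a plain listener has to wait out TIME_WAIT.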

Windows is starting to grow on me

Thu, 03/15/2018 - 13:55

Had terrible experiences with Windows growing up and early in my career, and Linux was a love at first sight thing, so I naturally disliked anything Windows.

But I've been playing around with Powershell, Hyper-V, and exploring the Windows OS and I hate to say it, but I'm really starting to love it.

I'm slowly starting to like it more than Linux, am I being crazy here?

submitted by /u/livintx

Help with Centos7, SSSD, and SSHD

Thu, 03/15/2018 - 13:06

I am trying to configure AD authentication on a host of Centos7 boxes and hit a bit of a snag with ssh access...everything works great until I set AllowGroups to an AD group. To join the domain I did the following:

yum install sssd realmd oddjob oddjob-mkhomedir samba samba-common
realm join --verbose --user=domainusername

There were no errors, warnings or anything displayed.

realm list returns:

type: kerberos
realm-name: AD.MYDOMAIN.COM
domain-name:
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats:
login-policy: allow-realm-logins

I have two AD groups, one called sudo_users and one called ssh_users. I added sudo_users to the sudoers file and everything worked great. I can sudo now with the AD accounts in the group. When I add AllowGroups ssh_users to the end of /etc/ssh/sshd_config it gives the following error when trying to ssh with any domain user, even ones in the group:

sshd[6070]: User domainusername from not allowed because none of user's groups are listed in AllowGroups.

If I type id domainusername it shows me the groups I expected to see:

uid=409801107(domainusername) gid=409800513(domain users) groups=409800513(domain users),409801110(sudo_users),409801103(ssh_users)

I tried AllowGroups 409801103 and AllowGroups DOMAIN/ssh_users and AllowGroups and none of those work either. Any help would be appreciated!

submitted by /u/hobbymaster001

How to authenticate PhpLdapAdmin page and Apache home page using LDAP?

Thu, 03/15/2018 - 09:46

Hey there, I have a VirtualBox host with two guest OSes running on it, both Ubuntu 16.04: one is the configured LDAP server and the second is the configured LDAP client. Now I want that if I hit the server's IP address it should ask for credentials, and after providing the credentials it should authenticate using the LDAP server. Is this possible? Please help, I have been working on this for the past two days.

submitted by /u/VincentHasReddit

Gitlab Ldap tab not showing up

Thu, 03/15/2018 - 09:46

Did an install of gitlab-ce and was trying to hook it up to my FreeIPA server install for authentication. I edited the gitlab.rb file accordingly:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
main:
  label: 'LDAP'
  host: 'myldap.localdomain.loc'
  port: 389
  uid: 'uid'
  method: 'plain'
  bind_dn: 'uid=svc-readonly,cn=users,cn=accounts,dc=localdomain,dc=loc'
  password: '...'
  timeout: 10
  active_directory: false
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'cn=users,cn=accounts,dc=localdomain,dc=loc'
  user_filter: '(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=localdomain,dc=loc)'
  attributes:
    username: ['uid', 'userid', 'sAMAccountName']
    email: ['mail', 'email', 'userPrincipalName']
    name: 'cn'
    first_name: 'givenName'
    last_name: 'sn'
EOS

For testing purposes, I ran the gitlab-rake command and it polls the FreeIPA server and returns the users in the gitlab-users group; however, when I browse to the page there's no "LDAP" tab and therefore I cannot log in via LDAP. Anyone encountered this issue before? I submitted an issue on the gitlabhq site but figured I would poke here as well.

submitted by /u/bfrown

Good encryption software/methods for data used in collaborations?

Thu, 03/15/2018 - 00:37

Hiya! I have a lot of data with PII that needs to be encrypted while it exists on my servers but can be decrypted when we want to run scripts on it. There will be multiple users who interact with it so I'm wondering if there's a good encryption program we can use with collaborators to decrypt things when we need them.

submitted by /u/polkaron

Read-only fs errors, but inconsistent

Wed, 03/14/2018 - 14:24

I get various operations that try to write to the file system failing with "Read-only file system", however it isn't consistent. For example, I open a (Libreoffice) spreadsheet at the console of a KVM VM as user xxx, and it opens fine. But when opened from a shell window in an Xpra desktop, it opens read-only. Write operations in that same shell also fail. Also fail when su'd in as root. However, in another shell window in the same Xpra desktop, inside a Byobu session, writing works fine. All as the same user.

This is in a Fedora VM (on Debian/Proxmox KVM) running on ZFS. No fs errors (or any relevant-looking) errors in /var/log/messages. Fscks are clean. No ZFS errors. The ZFS did have some errors at some point, but is clean now. I'd initially rsync'd directories to this VM from another machine which has different UIDs (so user xxx had UID aaa on the VM and UID bbb on the source) but the error persists after chmod -R aaa:aaa.

Is this a user ID problem, or filesystem error, or what?

submitted by /u/JSW_TDI

How to authenticate Ubuntu users login using LDAP?

Wed, 03/14/2018 - 10:02

Hey there, I have configured an LDAP server on Ubuntu 16.4 which is running in a virtual machine, and I have also installed Ubuntu 16.4 in another virtual machine. That means I have a VirtualBox host with two instances: one with the LDAP server configured on it and one with basic Ubuntu. I want my basic Ubuntu to authenticate logins using LDAP. Is this possible?

submitted by /u/VincentHasReddit

PF Need Help - pf.conf issues

Wed, 03/14/2018 - 00:51

We have a site-to-site VPN setup for our remote office in China. I am having an issue with our firewall blocking the connection and do not know enough about pf to configure it properly.

This is the tcpdump from our fw:

rule 3/(match) block in on em1: >

For reference, turning off pf fixes the issue, I just do not know how to write the command to isolate this IP only.

Thanks in advance. I will update this post if I come across the answer.

submitted by /u/Octavios314

Apache SSL certificates

Tue, 03/13/2018 - 20:06

Hi all,

Centos 7.4 x86_64
Server version: Apache/2.4.6

Our SSL certificates got canned in the recent Digicert/Trustico mess (for those not in the know, more here).

So. New certificates.

I've setup SSL in a server with a certificate and an intermediate certificate, along the lines of:

Listen 443 https
SSLCertificateFile /usr/share/ssl/certs/my_cert.crt
SSLCertificateKeyFile /usr/share/ssl/certs/my_cert.key
SSLCertificateChainFile /usr/share/ssl/certs/chain.crt
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:...etc
SSLHonorCipherOrder on

That's cert file, key file, chain file.

Something I haven't come across before is the following setup:

SSL Cert:


== Private info ===


(call that my_cert.crt)

Intermediate CA Certs:


== Private info ===


(call that my_int_1.crt)


== Private info ===


(call that my_int_2.crt)


== Private info ===


(call that my_int_3.crt)

(or, alternatively, wrap them all up inside my_int.crt)



== Private info ===


(call that my_cert.key)

That's three intermediate certificates. Just wondering what my SSL setup should be now. Presumably the SSLCertificateFile and the SSLCertificateKeyFile remain the same (with updated contents, obviously), but how do I cope with the three intermediates?



submitted by /u/Laurielounge

Anyone have experience with Samba / Winbind across multiple AD domains (forest trust)?

Tue, 03/13/2018 - 18:14

Hello, I am currently having issues authenticating users via Winbind (CentOS 7) and cross-forest trusted domains. I can join DomainA and authenticate no problem. From DomainA, I can see DomainB (wbinfo -m, etc.) but cannot authenticate a user account to it or see any data from it. DomainA and DomainB are separate Microsoft AD domain forests, but maintain a two-way forest trust between them. If I run "wbinfo --online-status", it shows DomainB as offline, even though I know the domain is up and have defined a KDC for the domain in /etc/krb5.conf. There are also appropriate SRV records in DNS for domain controllers for DomainA and DomainB.

Any ideas where to look or begin? If you view the link below, it shows what most of my config files look like.


submitted by /u/tylerhipp

Setting NGiNX to Cache Static Objects

Mon, 03/12/2018 - 13:54

So I have a server with Nextcloud running behind an NGiNX web server, but I wanted to see if I can set up my reverse proxy to cache static objects such as images and serve them much faster.

This is the config I have for the reverse proxy:

submitted by /u/psych0ticmonk