Join AD domain after installing sssd without reboot

The problem

My team has a known issue: after installing the domain-joining packages (primarily sssd and realmd), we had to reboot before we could actually join the domain.

If you install the rpms and then, without a reboot, try to join the domain with realm, you get a failure.

# /usr/sbin/realm join --computer-ou="OU=Linux,OU=Resources" --user="linuxdomainjoin" "ad.example.com" timeout=30
realm: Couldn't connect to realm service: Error calling StartServiceByName for org.freedesktop.realmd: Timeout was reached

The journalctl output gives a little more detail: realmd starts, connects to the bus, and then cannot claim its well-known name; about 90 seconds later systemd kills it on the start timeout.

Jan 14 09:15:44 host73.ad.example.com realmd[75184]: couldn't claim service name on DBus bus: org.freedesktop.realmd
Jan 14 09:15:44 host73.ad.example.com realmd[75184]: couldn't claim service name on DBus bus: org.freedesktop.realmd
Jan 14 09:16:09 host73.ad.example.com dbus[3222]: [system] Failed to activate service 'org.freedesktop.realmd': timed out

Jan 14 09:19:13 host73.ad.example.com realmd[75942]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf
Jan 14 09:19:13 host73.ad.example.com realmd[75942]: holding daemon: startup
Jan 14 09:19:13 host73.ad.example.com realmd[75942]: starting service
Jan 14 09:19:13 host73.ad.example.com realmd[75942]: connected to bus
Jan 14 09:19:13 host73.ad.example.com realmd[75942]: released daemon: startup
Jan 14 09:19:13 host73.ad.example.com realmd[75942]: couldn't claim service name on DBus bus: org.freedesktop.realmd
Jan 14 09:19:13 host73.ad.example.com realmd[75942]: couldn't claim service name on DBus bus: org.freedesktop.realmd
Jan 14 09:20:01 host73.ad.example.com CROND[76060]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 14 09:20:43 host73.ad.example.com systemd[1]: realmd.service start operation timed out. Terminating.
Jan 14 09:20:43 host73.ad.example.com realmd[75942]: stopping service
Jan 14 09:20:43 host73.ad.example.com systemd[1]: Failed to start Realm and Domain Configuration.
Jan 14 09:20:43 host73.ad.example.com systemd[1]: Unit realmd.service entered failed state.
Jan 14 09:20:43 host73.ad.example.com systemd[1]: realmd.service failed.

The solution

Restart dbus!

sudo systemctl restart dbus

The log line that matters is "couldn't claim service name on DBus bus": the system bus refused realmd's request to own org.freedesktop.realmd. The default system bus policy denies owning any name, and the exception for realmd comes from the policy file the realmd package drops into the D-Bus configuration directory, so it is the bus, not realmd, that needs to re-read its configuration. The less disruptive thing to try first is a reload (systemctl reload dbus), which makes the running bus re-read its configuration through the unit's ExecReload without dropping any connection; a full restart drops every existing bus connection, including those held by long-running services such as systemd-logind, which is why it is normally only done at boot.

WARNING! Because I haven’t done a lot of reading on the dbus topic, I cannot say that this is a safe procedure if you have existing workloads. My environment was a new build, so possibly blipping services was not a problem there.
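The pre-flight check I would script around this, as an added example that is not part of the original post: try to reach realmd over the bus with a short timeout instead of waiting for realm's 25-second failure, confirm from the journal that the bus refused realmd its name, and then reload dbus before falling back to a restart. It assumes dbus-send (dbus-tools on RHEL and Fedora), that dbus.service carries the upstream ExecReload, and root. The journal samples are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not from the original post.
set -u

# Try to activate realmd over the system bus and fail fast (5 s) instead
# of after the default 25 s reply timeout realm itself runs into.
ping_realmd() {
    dbus-send --system --print-reply --reply-timeout=5000 \
        --dest=org.freedesktop.realmd /org/freedesktop/realmd \
        org.freedesktop.DBus.Peer.Ping >/dev/null 2>&1
}

# 0 if the journal text on stdin shows the bus refusing realmd its name.
name_claim_refused() {
    grep -q "couldn't claim service name on DBus bus: org.freedesktop.realmd"
}

# Reload first (keeps every bus connection); restart only as a last resort.
preflight() {
    if ping_realmd; then
        echo "ok: realmd answers on the system bus"
        return 0
    fi
    if journalctl -u realmd -b --no-pager | name_claim_refused; then
        echo "bus refused realmd its name: reloading dbus configuration" >&2
        systemctl reload dbus
        ping_realmd && return 0
        echo "still refused after reload; restarting dbus (drops every bus connection)" >&2
        systemctl restart dbus
        ping_realmd
    else
        echo "realmd did not answer for another reason; see journalctl -u realmd" >&2
        return 1
    fi
}

# Constructed journal excerpts for exercising name_claim_refused offline.
SAMPLE_JOURNAL_BROKEN="Jan 14 09:19:13 host73 realmd[75942]: connected to bus
Jan 14 09:19:13 host73 realmd[75942]: couldn't claim service name on DBus bus: org.freedesktop.realmd
Jan 14 09:20:43 host73 systemd[1]: realmd.service start operation timed out. Terminating."
SAMPLE_JOURNAL_OK="Jan 14 09:25:02 host73 realmd[76201]: connected to bus
Jan 14 09:25:02 host73 realmd[76201]: released daemon: startup"

# Only act on the live system when explicitly asked, so the file can be sourced.
if [ "${REALMD_PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

Run it as root with REALMD_PREFLIGHT=1 before realm join; when it prints "ok", the bus has the policy loaded and the join will not hang on the service start.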

A case study in wholistic computer system support

A user emailed me directly asking me to look at why his webapp wasn't starting. He was having trouble even looking at the logs with journalctl.

I had built the servers for the user, so he always tries to shortcut the support process of opening a ticket in the team queue and just assigns it directly to me. I emailed the user back saying, "I've assigned it to the team queue for you."

Well, within 5 minutes the level 1 support guy reached out to me saying he couldn't find anything wrong. And yes, while nothing was wrong at the OS and filesystem level, the app still wasn't starting.

The user, in the meantime, had remembered the service account that runs the app, so he switched to that user and read the logs. It didn't have permission on the parent directories, on the NFS mount point.

I set aside the tasks I had scheduled for the afternoon and took a look. Aside from setgid on the parent directory without g+rx, nothing looked amiss. The directory was owned by root.root, which didn't seem different from the other contents of the filesystem.

My manager approved just fixing the problem and sorting out what caused it later. So the user and I ran chown -R appuser.appuser /mnt/appdir/subdir1, and then the application could start again.

The investigation

I checked the sudo history on the two application servers to see whether any user had run sudo chown or sudo chmod, even though sudo was locked down enough to prevent that. No sudo activity looked related, so I turned to the filesystem itself.

It is NFS, so it could be affected by other systems. Using mount | grep /mnt/appdir and showmount -e $SERVERNAME | grep $EXPORTNAME, I had a list of the IP addresses that have access to this export from the NFS server.

I did reverse DNS lookups to get the hostnames, because those are obviously easier to recognize than a whole series of IP addresses. Immediately I recognized the systems as the other container proof of concept.

Before I even started checking bash history on those hosts, I reached out to the container research guy and told him I thought a reckless chown had affected an NFS mount point, which in turn affected the app running on the original servers. He said yes, it was him; he "was trying to set the permissions on the logs directory, but the container mounted the entire nfs."

I thanked him for being honest and reminded him that chown -R is serious business. He claimed that this is a further reason for having his own NFS mount point. Additionally, Kubernetes has a known security flaw where mounting just a path of a volume into a container can make the entire mount available.

This second user made another rookie mistake last week when he changed network settings on a system over the network connection before confirming he had console access. Of course, it went offline and he had to get assistance fixing it.

Conclusion

Be very, very careful when you execute a chown -R! And you probably shouldn't be doing that inside a container with any bind mounts at all: the directory you see inside the container may be the root of a much larger export, and every file under it changes owner on every host that mounts it…
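A guarded stand-in for a bare chown -R, as an added example that is not part of the original post: it refuses the root directory, refuses to start at a mount point (inside a container, a bind-mounted directory is exactly that, and was the trap in the incident above), never descends into other mounts, warns when the tree sits on a network filesystem that other hosts share, and only lists what it would touch unless you pass --apply. It assumes GNU stat and find.

```shell
#!/bin/sh
# Added example, not from the original post.
set -u

# 0 if DIR is the root of a mount: its device number differs from its parent's.
is_mountpoint() {
    [ "$(stat -c %d "$1")" != "$(stat -c %d "$1/..")" ]
}

# Filesystem type name as GNU stat reports it (nfs, ext2/ext3, tmpfs, ...).
fs_type() {
    stat -f -c %T "$1"
}

# scoped_chown OWNER[:GROUP] DIR [--apply]
# Without --apply it prints the paths it would change and touches nothing.
scoped_chown() {
    owner=$1 dir=${2%/} mode=${3:-}
    if [ -z "$dir" ]; then
        echo "refusing to chown the root directory" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    if is_mountpoint "$dir"; then
        echo "refusing: $dir is a mount point; you may be looking at a whole export" >&2
        return 2
    fi
    case $(fs_type "$dir") in
        nfs*|cifs|smb*)
            echo "warning: $dir is on a network filesystem; other hosts share it" >&2 ;;
    esac
    if [ "$mode" = --apply ]; then
        # -xdev: never cross into another mount; -h: do not follow symlinks.
        find "$dir" -xdev -exec chown -h -- "$owner" {} +
    else
        find "$dir" -xdev -print
    fi
}
```

Run it once without --apply and read the list; if it is longer than you expected, you are probably not where you think you are.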

Voobly notes

Voobly on Wine in Linux

For some reason, one of my Voobly installations in Wine on Linux (Devuan specifically) runs like a dog. While the system is indeed really old, Voobly was running more smoothly on it before the OS reinstall.

After an strace, I learned it kept looking for a tzres.dll in C:\Program Files\Voobly\, and there wasn’t one. So I copied it in from the system32 directory and re-ran Voobly. It seems to operate a little better now, although it’s still not exactly a smooth experience.

cp -p ~/.wine/drive_c/windows/system32/tzres.dll ~/.wine/drive_c/Program\ Files/Voobly/

Connect to wireless network from command line, for wicd

In my personal life, I’m endeavoring to use less and less systemd and its derivatives and relatives and any other *ives (and I’m not even being figurative!).

So, for the Devuan installs on my laptop fleet, I'm trying to automate all my installs and configs, because that is what I do for work. Part of my documented workflow is to "Add to the wicd interface settings screen device 'wlan0' for the wireless nic," so I wanted to learn how to connect to my wireless network from the command line.

After some research, I discovered a brief way to do it. I hope this helps somebody.

MYNETWORK=myssidname
MYPASSPHRASE="mypassphrase"
nid="$( wicd-cli -ySl | awk -v "n=${MYNETWORK}" '$NF==n {print $1}' )"
wicd-cli -y -n"${nid}" -p apsk -s "${MYPASSPHRASE}"
wicd-cli -y -n"${nid}" -c

I will explain a few parts briefly, but for more details you should check out the references below. Note that the awk in the lookup compares the last whitespace-separated column with the SSID, so an SSID that contains spaces will never match and nid stays empty.
-y use wireless connection.
-S scan
-l list cached results, so what we just learned from the scan
-n use this network id, which is a number internal to wicd to keep track of the networks it has seen.
-p display a property
-s value, so with a -p SOMETHING and -s VALUE combo, it will set the property for you instead of display it.
-c connect.

In my tests, I was unable to supply the saved password with the connect command itself. So it takes multiple invocations of wicd-cli, but I can live with that.
For some reason this took me far less time to research for wicd than it did for nmcli in the past.
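The same lookup-set-connect sequence wrapped in a function, as an added example that is not part of the original post: it matches the ESSID as everything after the third column so names with spaces work, and it stops with an error instead of calling wicd-cli with an empty network id. It assumes the wicd-cli -l layout of "#  BSSID  Channel  ESSID"; the scan listing used for the offline check is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
set -u

# find_network_id SSID < wicd-cli-list-output
# Prints the wicd network id of SSID; exit 1 if it is not in the list.
find_network_id() {
    awk -v n="$1" '
        NR == 1 && $1 == "#" { next }        # header line
        {
            essid = $0
            sub(/^[ \t]+/, "", essid)
            # drop id, BSSID and channel; whatever is left is the ESSID, spaces included
            sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", essid)
            if (essid == n) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# wicd_connect SSID PASSPHRASE: scan, look the id up, store the key, connect.
wicd_connect() {
    ssid=$1 pass=$2
    nid=$(wicd-cli -ySl | find_network_id "$ssid") || {
        echo "wicd: network '$ssid' not found in scan results" >&2
        return 1
    }
    wicd-cli -y -n"$nid" -p apsk -s "$pass" >/dev/null &&
    wicd-cli -y -n"$nid" -c
}

# Constructed scan listing (not real output) in the assumed column layout.
SAMPLE_SCAN='#   BSSID               Channel  ESSID
0   00:11:22:33:44:55   6        Home Net
1   66:77:88:99:aa:bb   11       myssidname'
```

Usage from the automation script: wicd_connect "Home Net" "mypassphrase". Because the passphrase is a command-line argument it is visible in ps for the duration of the call, the same exposure the original three-line version has.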

References

Weblinks

  1. Wicd tutorial [www.gadgetdaily.xyz] (helped me minimally)
  2. README.cli [github.com]: what enlightened me about -p SOMETHING -s VALUE as opposed to -s 'SOMETHING=VALUE', which I tried at first
  3. Linux: Can I get the wicd daemon to disconnect my wireless network from the command line? [superuser.com]: how I found wicd-cli in the first place

Web searches used

  1. wicd-cli connect example [google]
  2. wicd set wireless network from command line

man pages

  1. wicd-cli(8)
  2. wicd(1)

Alternatives and other reading

  1. How to connect and disconnect to a network manually in terminal? [askubuntu.com]

Fedora and scanners

If you are running Fedora and you want to use a scanner, you probably already have sane (backends at least) and simple-scan installed.

What is incredibly frustrating is when scanimage -L shows you the scanner, but simple-scan does not list it.

What you are missing is

sudo dnf install libnsl

This package is different from libnsl2, which is probably already installed: libnsl provides the legacy libnsl.so.1, while libnsl2 provides libnsl.so.2 and does not satisfy a dependency on the old soname. Some parts of the scanning stack still link against libnsl.so.1 (in the referenced thread it was a Brother driver), and the result is a scanner that scanimage -L can list but simple-scan cannot use. Thanks to suspiciousmilk of Ask Fedora.
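A way to confirm the diagnosis before (and after) installing anything, as an added example that is not part of the original post: run ldd over the installed SANE backends and report which backend is missing which shared library. The parser reads ldd output on stdin so it can be checked against constructed text; the backend directory defaults to /usr/lib64/sane, which is an assumption for Fedora x86_64.

```shell
#!/bin/sh
# Added example, not from the original post.
set -u

SANE_BACKEND_DIR=${SANE_BACKEND_DIR:-/usr/lib64/sane}

# Print the sonames that ldd output (on stdin) reports as "not found".
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# For every installed backend, print "<backend>: <missing soname>".
# Prints nothing when every backend resolves all of its libraries.
scan_backends() {
    for lib in "$SANE_BACKEND_DIR"/libsane-*.so*; do
        [ -e "$lib" ] || continue
        ldd "$lib" 2>/dev/null | missing_from_ldd |
            while read -r so; do
                printf '%s: %s\n' "$(basename "$lib")" "$so"
            done
    done
}

# Constructed ldd output (not captured from a real system) for the offline check.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd3a1f0000)
	libnsl.so.1 => not found
	libsane.so.1 => /lib64/libsane.so.1 (0x00007f1c2a400000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1c2a000000)'
```

If scan_backends names libnsl.so.1, dnf install libnsl is the fix; if it names something else, that is the package to chase instead of guessing.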

References

Weblinks

  1. Brother scanner driver don’t work [ask.fedoraproject.org]

PolicyKit rule for admins to automatically mount iso files in file manager

If you use a graphical file manager and want to take advantage of automatically mounting .iso files, you might be prompted to authenticate as an authorized user. This interrupts the workflow, and for an administrator it should not have to happen.

XFCE PolicyKit Agent warning about authentication required to perform an action
Workflow interruption detected! A Linux guru is needed if you want to automate this.

Here is a polkit rule you can create and place in /usr/share/polkit-1/rules.d (polkit also reads /etc/polkit-1/rules.d, which is the conventional place for a local override). I don't think FreeIPA has PolicyKit abilities, so you have to apply this file locally on every system that needs it. Two things to check before you do: the rule answers YES for any member of wheel, admins or cdrom, and on Debian-derived systems cdrom is handed to ordinary desktop users at install time, so confirm who is actually in those groups first; and the indexOf(...) == 0 tests are prefix matches, so an exact comparison on action.id is the safer form.
https://gitlab.com/snippets/1793736

// File: /usr/share/polkit-1/rules.d/mount-iso.rules
// Author: bgstack15
// Startdate: 2018-12-29 19:18
// Title: PolicyKit Rules for Allowing FreeIPA admins to mount loop devices for ISO files
// History:
// Usage:
// Reference:
//    https://www.freeipa.org/page/Howto/FreeIPA_PolicyKit
//    lightdm.rules
//    https://askubuntu.com/questions/536405/location-of-policykit-log-output/536432#536432
// Documentation: comments are C-style
polkit.addRule(function(action, subject) {
    if ( (action.id.indexOf("org.freedesktop.udisks2.filesystem-mount-system") == 0) || 
         (action.id.indexOf("org.freedesktop.udisks2.loop-modify-others") == 0) ) {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
        if (subject.isInGroup ("wheel") || subject.isInGroup("admins") || subject.isInGroup("cdrom")) {
            return polkit.Result.YES;
        }
    }
});

I realize the logic is crude so if you have any improvements, please share them!
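The group check mentioned above, as an added example that is not part of the original post: list every account the rule would grant, including accounts whose primary group is one of the allowed ones, which getent group does not show. The function takes the two database dumps as files so it can be exercised with constructed data; the group and passwd contents below are made up.

```shell
#!/bin/sh
# Added example, not from the original post.
set -u

# rule_beneficiaries GROUP_FILE PASSWD_FILE GROUP...
# Prints, sorted, every user who is a listed member of one of GROUP...
# in GROUP_FILE or whose primary gid in PASSWD_FILE belongs to one of them.
rule_beneficiaries() {
    gfile=$1 pfile=$2
    shift 2
    awk -F: -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        FNR == NR {                         # first file: group database
            if ($1 in wanted) {
                gid[$3] = 1
                m = split($4, u, ",")
                for (i = 1; i <= m; i++) if (u[i] != "") users[u[i]] = 1
            }
            next
        }
        ($4 in gid) { users[$1] = 1 }       # second file: primary-group members
        END { for (x in users) print x }' "$gfile" "$pfile" | sort
}

# Constructed group and passwd data for the offline check.
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
cdrom:x:24:alice,bob
admins:x:2001:
users:x:100:'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:2001:Carol:/home/carol:/bin/bash'
```

On a live system, feed it getent: getent group > g; getent passwd > p; rule_beneficiaries g p wheel admins cdrom. With FreeIPA users that also covers the groups sssd resolves, which a look at /etc/group alone would miss.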

X11 change application titlebar and icon in window manager panel

If you are trying to change how a running application is listed in the window list, regardless of whether you're running XFCE, Cinnamon or another desktop environment, you might want to go down the same line of research I did.

In an upcoming article, I will talk exactly about how I run a game in DOSBox with a wrapping shell script and batch file. But today, this article is about how I rename the window and change its icon.

First, I run the application, and I know what its titlebar looks like. I have to learn the window ID in order to set the icon.

Then I set the window title to the preferred name, use that name to find the window again, and run a series of commands that change the class and redraw the window so the panel learns the correct name.

# ICONFILE is the path to the icon image to apply; the grep pattern is the
# titlebar text of the running application.
tid="$( xwininfo -root -children -all | grep -iE "dosbox.*STARTREK" | awk '{print $1}' )"
echo "modifying id ${tid}"
xseticon -id "${tid}" "${ICONFILE}"
xdotool set_window --name "STARTREK" "${tid}"
# chained: find by the new name, set class/classname, then unmap and map
# so the panel re-reads the window's properties
xdotool search --name "STARTREK" set_window --classname "STARTREK" --class "STARTREK" windowunmap windowmap

I researched on the Internet to discover how to change the application icon. I had to compile a nifty little tool written in C (xseticon), so I bundled it into an rpm. It does exactly what its description says.
Changing what appears on my Cinnamon panel was a different story, however.
I eventually remembered using xdotool for something in the past and decided to read its man page. After a lot of experimentation, I got the classname and class adjusted. But it still didn't do any good.
So I finally tried the windowunmap command, which was recommended after doing some other change. And then I had to hurriedly windowmap it again so I could see the window. Unmapping doesn't minimize the application; it removes it from the panel and the display entirely, even though the process is still running. After the windowmap, it showed the custom icon and the exact title I wanted!
I then learned how to chain the commands together into fewer invocations.
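The same retag sequence as a function, as an added example that is not part of the original post: because the game is launched in the background, the window is usually not there yet when the script reaches this step, so the function polls for it, and it refuses to guess when the pattern matches more than one window instead of silently retagging the first. The id parser reads xwininfo -root -children -all output on stdin so it can be checked against constructed lines; retag_window itself needs a running X session with xwininfo, xseticon and xdotool.

```shell
#!/bin/sh
# Added example, not from the original post.
set -u

# window_ids PATTERN < xwininfo-output
# Prints the ids of windows whose xwininfo line matches PATTERN (case-insensitive).
window_ids() {
    grep -iE "$1" | awk '$1 ~ /^0x[0-9a-fA-F]+$/ { print $1 }'
}

# retag_window PATTERN TITLE ICONFILE [TIMEOUT_SECONDS]
retag_window() {
    pattern=$1 title=$2 icon=$3 timeout=${4:-20}
    tries=0
    while :; do
        ids=$(xwininfo -root -children -all | window_ids "$pattern")
        case $(printf '%s\n' "$ids" | grep -c .) in
            0)  tries=$((tries + 1))
                if [ "$tries" -ge "$timeout" ]; then
                    echo "no window matches '$pattern' after ${timeout}s" >&2
                    return 1
                fi
                sleep 1 ;;
            1)  break ;;
            *)  echo "pattern '$pattern' is ambiguous, matches:" >&2
                printf '%s\n' "$ids" >&2
                return 1 ;;
        esac
    done
    echo "modifying id $ids"
    xseticon -id "$ids" "$icon"
    xdotool set_window --name "$title" "$ids"
    xdotool set_window --classname "$title" --class "$title" "$ids"
    # unmap + map makes the panel re-read the window's name, class and icon
    xdotool windowunmap "$ids"
    xdotool windowmap "$ids"
}

# Constructed xwininfo -root -children -all lines for the offline check.
SAMPLE_XWININFO='     0x3800003 "DOSBox 0.74-3, CPU speed: 3000 cycles, Frameskip 0, Program: STARTREK": ("dosbox" "dosbox")  640x400+0+0  +0+0
     0x2a00004 "Terminal - user@host": ("xfce4-terminal" "Xfce4-terminal")  800x600+10+10  +10+10'
```

In the wrapper script that launches the game this becomes: dosbox startrek.conf & then retag_window 'dosbox.*STARTREK' STARTREK "$ICONFILE".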

References

Web links

link to xseticon https://unix.stackexchange.com/questions/179174/change-icon-for-an-application-form-command-line
compiling xseticon https://forum.xfce.org/viewtopic.php?id=11116
xseticon source http://www.leonerd.org.uk/code/xseticon/
rpm spec https://gitlab.com/bgstack15/stackrpms/tree/master/xseticon
xseticon rpm in copr https://copr.fedorainfracloud.org/coprs/bgstack15/stackrpms/package/xseticon/

Further reading

https://stackoverflow.com/questions/36650865/set-wm-class-with-wnck-xprop-or-something-else

Internet searches

xprop change icon of running application

Man pages

xdotool(1)