vimrc notes

Do not insert spaces for tabs when modifying debian/rules files.

au BufRead,BufNewFile,BufCreate,BufEnter */debian/rules set noexpandtab 

Voobly notes

Voobly on Wine in Linux

For some reason, one of my Voobly installations in Wine on Linux (Devuan specifically) runs like a dog. While the system is indeed really old, Voobly was running smoother on it before the OS reinstall.

After an strace, I learned it kept looking for a tzres.dll in C:\Program Files\Voobly\, and there wasn’t one. So I copied it in from the system32 directory and re-ran Voobly. It seems to operate a little better now, although it’s still not exactly a smooth experience.

cp -p ~/.wine/drive_c/windows/system32/tzres.dll ~/.wine/drive_c/Program\ Files/Voobly/

Kerberos notes and sssd Internal credentials cache error

If sssd gives you errors about being unable to connect, the host's keytab is probably out of date with the computer account password AD has. You have to reset the host account in AD, or even delete the computer account and rejoin the domain.

kdestroy -A
kinit domainadmin
msktutil -f -s host
msktutil -u -s host
kinit -k "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$@MSAD.EXAMPLE.COM"
klist -kt

The kvno value in the output of klist -kt should match the attribute “msDS-KeyVersionNumber” of the server object in AD.
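The kvno comparison above can be scripted so a rejoin is only attempted when the keytab really is stale. The following is an added example, not part of the original notes: in practice the two inputs come from `klist -kt` and from an ldapsearch for `msDS-KeyVersionNumber` on the computer object; here both are constructed sample texts (host name, realm and DN are made up) so the script runs offline.

```shell
#!/bin/sh
# Added example: compare the highest KVNO in the keytab with msDS-KeyVersionNumber
# from AD. Both inputs below are constructed samples, not output from a real host.
# Live inputs would be produced by, for example:
#   klist -kt
#   ldapsearch -LLL -O maxssf=0 '(sAMAccountName=HOST$)' msDS-KeyVersionNumber

KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   6 08/09/2018 15:20:01 HOST$@MSAD.EXAMPLE.COM
   7 08/09/2018 15:28:40 HOST$@MSAD.EXAMPLE.COM
   7 08/09/2018 15:28:40 host/host.msad.example.com@MSAD.EXAMPLE.COM'

# Constructed LDIF record matching the keytab above
LDIF_SAMPLE='dn: CN=HOST,OU=Linux,DC=msad,DC=example,DC=com
msDS-KeyVersionNumber: 7'

# Constructed LDIF record for a computer account that was reset after the last msktutil run
LDIF_STALE='dn: CN=HOST,OU=Linux,DC=msad,DC=example,DC=com
msDS-KeyVersionNumber: 9'

# keytab_max_kvno TEXT: highest value of the KVNO column among keytab entries
keytab_max_kvno() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# ad_kvno TEXT: value of msDS-KeyVersionNumber from an LDIF record
ad_kvno() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2 + 0 }'
}

# kvno_check KLIST_TEXT LDIF_TEXT: print a verdict; exit 0 only when the keytab
# is current, so the call can gate a rejoin step in a larger script
kvno_check() {
    kt=$(keytab_max_kvno "$1")
    ad=$(ad_kvno "$2")
    if [ -n "$ad" ] && [ "$kt" -eq "$ad" ]; then
        printf 'ok: keytab kvno %s matches AD\n' "$kt"
        return 0
    fi
    printf 'stale: keytab kvno %s, AD msDS-KeyVersionNumber %s\n' "$kt" "${ad:-unknown}"
    return 1
}

kvno_check "$KLIST_SAMPLE" "$LDIF_SAMPLE"
kvno_check "$KLIST_SAMPLE" "$LDIF_STALE" || true
```

A keytab normally carries the previous kvno as well as the current one, which is why the highest value is compared rather than the first line; the AD attribute is read exactly as returned, so a missing attribute counts as stale rather than as a match.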

Errors can include:

(Thu Aug  9 15:28:57 2018) [sssd[krb5_child[3177]]] [create_ccache] (0x0020): 1009: [-1765328188][Internal credentials cache error]
(Thu Aug  9 15:28:57 2018) [sssd[krb5_child[3177]]] [map_krb5_error] (0x0020): 1657: [-1765328188][Internal credentials cache error]
(Thu Aug  9 15:29:22 2018) [sssd[krb5_child[3333]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Thu Aug  9 15:29:22 2018) [sssd[krb5_child[3333]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Thu Aug  9 15:29:22 2018) [sssd[krb5_child[3333]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [bgstack15\@MSAD.EXAMPLE.COM@MSAD.EXAMPLE.COM] might not be correct.

Notes for git log

git log --graph --oneline --all
* 5240127 cladu.sh: fix the tluid=tduid check syntax
* 9a4afe3 fix comments about branch in metadata of various files
*   93893b0 Merge remote-tracking branch 'origin/master' into work1
|\  
* \   7ba8d7e Merge branch 'master' of https://gitlab.com/bgstack15/bgscripts into work1
|\ \  
* | | 476f863 add cladu and bump to 1.3-4
* | | abbb687 userinfo: add chage
* | | 3c87f21 fix work1 branch again
* | | b9caef9 update %files core in spec

Git log output

Ldapsearch notes

This post will be updated over time.

List all members of an AD group, including following the nested group membership

ldapsearch -b 'dc=example,dc=com' -s 'sub' -x -D 'CN=B Stack,OU=Domain Users,DC=example,DC=com' -W -H 'ldaps://ds5.example.com:636' '(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=complex_sample_group,OU=Linux,OU=Security Groups,DC=example,DC=com))' samaccountname | awk 'tolower($1)=="samaccountname:"{print $2;}'

AD via ldap – how can I return all ancestor groups from a query [stackoverflow.com]

List all groups of an AD user, including nested groups

ldapsearch -LLL -O maxssf=0 -o ldif-wrap=300 '(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=CN=John Doe,OU=Domain Users,DC=ad,DC=example,DC=com))' dn 2>/dev/null | sed -r -e 's/^\s*#.*//g;' -e '/^\s*$/d;'
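Both of the nested-membership queries above (members of a group, and groups of a user) paste a DN straight into the filter, which breaks as soon as a CN contains `(`, `)`, `*` or `\`. The following is an added example, not from the original notes: it builds the same two filters around the LDAP_MATCHING_RULE_IN_CHAIN OID used above, escaping the DN per RFC 4515 first. The group and user names are constructed.

```shell
#!/bin/sh
# Added example: build the transitive-membership filters used in the notes with
# RFC 4515 escaping of the DN. Names below are constructed, not real objects.

IN_CHAIN='1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN, as in the notes

# ldap_filter_escape STRING: escape the RFC 4515 special characters \ * ( )
# (backslash first, so the escapes it introduces are not escaped again)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# nested_members_filter GROUP_DN: users that are direct or transitive members of GROUP_DN
nested_members_filter() {
    printf '(&(objectClass=user)(memberof:%s:=%s))' "$IN_CHAIN" "$(ldap_filter_escape "$1")"
}

# nested_groups_filter USER_DN: groups of which USER_DN is a direct or transitive member
nested_groups_filter() {
    printf '(&(objectCategory=group)(member:%s:=%s))' "$IN_CHAIN" "$(ldap_filter_escape "$1")"
}

# Against a live directory the filter would be passed to ldapsearch as in the notes, e.g.
#   ldapsearch -LLL -O maxssf=0 -o ldif-wrap=300 "$(nested_groups_filter "$USER_DN")" dn 2>/dev/null
# A group CN with parentheses and a user CN with an escaped comma (constructed):
nested_members_filter 'CN=Sales (EMEA),OU=Security Groups,DC=example,DC=com'; echo
nested_groups_filter 'CN=Doe\, John,OU=Domain Users,DC=example,DC=com'; echo
```

The escaped comma case matters with AD: a DN of `CN=Doe\, John,...` must appear in the filter as `CN=Doe\5c, John,...`, which the sed chain produces because it handles the backslash before anything else.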

Source: Active Directory: LDAP Syntax Filters [social.technet.microsoft.com]

Multiple servers
If your ldaps servers do not use correct SANs on their certs and therefore do not present a certificate that matches the name used to connect, just provide multiple URIs in ldap.conf.

URI     ldaps://ad.example.com ldaps://dc201.ad.example.com ldaps://dc202.ad.example.com ldaps://dc101.ad.example.com ldaps://dc102.ad.example.com

Use host kerberos auth and work with AD

ldapsearch -LLL -O maxssf=0 -o ldif-wrap=300 '(cn=User Name)' memberOf 2>/dev/null | sed -r -e 's/^\s*#.*//g;' -e '/^\s*$/d;'

The maxssf=0 is needed because AD does not use a proper security setting apparently, and the ldif-wrap just fixes the output.
Source: Can’t query AD using kerberos from linux host [serverfault.com]

Notes about set-gid and sticky bits for directories

I can never remember how the set-gid and sticky bits work on directories, so I finally spent some time to re-read man (but had to resort to info) about chmod. This is my cheat sheet.

set-gid

Setgid (octal permission 2000) makes new files in the directory owned by the group that owns the directory. This is very useful for teams.

How to set

chmod g+s thisdir
chmod 2770 thisdir

How to clear

chmod g-s thisdir
chmod 00770 thisdir

sticky bit, or restricted deletion

Sticky bit (octal permission 1000) on a directory prevents Bob from deleting a file owned by Alice. Even if the directory is owned by one of Bob's groups and is writable, Bob cannot delete Alice's files. This is particularly helpful for the /tmp directory. Check it out:

$ ls -lad /tmp
drwxrwxrwt. 4 root root 120 Jan 23 09:40 /tmp

How to set sticky bit

chmod a+t thisdir
chmod 1770 thisdir

How to clear

chmod a-t thisdir
chmod 00770 thisdir

According to info coreutils chapter 27.4, "Directories and the Set-User-ID and Set-Group-ID Bits," GNU chmod needs a 5-digit octal mode to clear this bit.
Basically, if it’s worth setting set-gid, you should throw in sticky bit.

chmod 03770 thisdir
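To see the set and clear forms from this cheat sheet take effect, the following added script (not part of the original notes) walks a scratch directory through them and prints the mode after each step with GNU stat. It assumes GNU coreutils, which is what the note about 5-digit octal modes is about.

```shell
#!/bin/sh
# Added example: apply the chmod forms from the cheat sheet to a scratch directory
# and show the resulting mode, including the setgid (2) and sticky (1) digits.
# Assumes GNU coreutils (stat -c, and GNU chmod's handling of short octal modes).

# mode_of DIR: print the octal mode of DIR, special bits included (e.g. 3770)
mode_of() {
    stat -c '%a' "$1"
}

# mode_after DIR MODE...: apply each chmod MODE in turn to DIR, then print the final mode
mode_after() {
    dir=$1
    shift
    for m in "$@"; do
        chmod "$m" "$dir"
    done
    mode_of "$dir"
}

# run_demo: create a scratch directory, run the set/clear steps, print one line per step
run_demo() {
    d=$(mktemp -d) || return 1
    printf '%-22s %s\n' 'chmod 770'          "$(mode_after "$d" 770)"
    printf '%-22s %s\n' 'chmod g+s'          "$(mode_after "$d" g+s)"     # setgid on
    printf '%-22s %s\n' 'chmod a+t'          "$(mode_after "$d" a+t)"     # sticky on too: 3770
    printf '%-22s %s\n' 'chmod 0770 (4 dig)' "$(mode_after "$d" 0770)"    # GNU chmod keeps setgid on a directory here
    printf '%-22s %s\n' 'chmod 00770 (5 dig)' "$(mode_after "$d" 00770)"  # five digits clear both bits: 770
    printf '%-22s %s\n' 'chmod 03770'        "$(mode_after "$d" 03770)"   # set both in one go
    printf '%-22s %s\n' 'chmod g-s a-t'      "$(mode_after "$d" g-s a-t)" # symbolic clear
    rmdir "$d"
}

run_demo
```

The 4-digit line is the one worth watching: on a directory, GNU chmod leaves setgid in place for a mode like 0770, which is why the cheat sheet clears with 00770 or with the symbolic g-s form.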