NixOS, dhcpcd, and NAMESPACING

Using DHCP on a bridge with NixOS 24.11? No longer getting an IP? dhcpcd.service failing to start? Worked with 24.05?

dhcpcd.service: Failed to set up mount namespacing: /proc/sys/net/ipv6: No such file or directory
dhcpcd.service: Failed at step NAMESPACE spawning ... No such file or directory

Seems to fail with

boot.kernelParams = ["ipv6.disable=1"];

See also #355450.

Solr, ZooKeeper and OPTS

Does your SolrCloud successfully talk to ZooKeeper over TLS? But bin/solr zk ls fails?

In order to set custom System Properties when running any Solr utility other than start (e.g. stop, create, auth, status, api), the SOLR_TOOL_OPTS environment variable should be used.

See Setting Java System Properties.

smbclient, Workgroup, Kerberos and NT_STATUS_NOT_SUPPORTED

Trying to list the shares of a Windows machine with

smbclient -W WORKGROUP -U user -L //server.domain/
Password for [WORKGROUP\user]:
session setup failed: NT_STATUS_NOT_SUPPORTED

and failing?

Running with -d 10

Kinit for user@WORKGROUP to access server.domain failed: Cannot find KDC for requested realm
...
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
...
Starting GENSEC submechanism ntlmssp

and seeing it falling back to NTLM?

Using the REALM instead of WORKGROUP helped:

smbclient -W REALM -U user -L //server.domain/

SSH key and invalid format

Is ssh reporting Load key ... invalid format when trying to use a private key? The file might be missing a newline at EOF.

Mojolicious, TagHelpers and nesting

TIL, the Mojolicious tag helper can be nested. This

<ul class="navigation">
%= tag 'li', tag 'a', href => "#$_", $_ foreach qw/foo bar baz/
</ul>

becomes

<ul class="navigation">
  <li>
    <a href="#foo">foo</a>
  </li>
  <li>
    <a href="#bar">bar</a>
  </li>
  <li>
    <a href="#baz">baz</a>
  </li>
</ul>

FreeIPA, dogtag, Rocky 9 and ipa-replica-install

Trying to install a replica on Rocky 9? Failing while setting up the CA or KRA at the "creating installation admin user" step:

[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
Unable to log in as uid=admin-ipa2.$domain,ou=people,o=ipaca on ldap://ipa1.$domain:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-ipa2.$domain,ou=people,o=ipaca did not replicate to ldap://ipa1.$domain:389

Seems like there is a problem with password setting/synchronisation.

On the new replica, patch dogtaginstance.py:

--- dogtaginstance.py   2024-09-18 13:07:59.800133397 +0000
+++ /usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py        2024-09-18 13:08:24.763219686 +0000
@@ -676,6 +676,7 @@

         # add user
         password = ipautil.ipa_generate_password()
+        logger.debug( "FOOBAR " + password )
         entry = api.Backend.ldap2.make_entry(
             dn,
             objectclass=[
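Review bot: the added logger.debug line writes the freshly generated installation admin password in clear text to the install log. That is the point of this workaround (the password is read back from /var/log/ipareplica-install.log), but the patch should be reverted and the FOOBAR line scrubbed from the log once the password has been set on the existing master, otherwise a valid credential for uid=admin-ipa2.$domain stays on disk. Minor style point: logger.debug("FOOBAR %s", password) is the idiomatic logging call, and the spaces inside the parentheses are not PEP 8.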

Start ipa-replica-install

Watch /var/log/ipareplica-install.log for the FOOBAR line.

On an existing machine, set the password:

ldappasswd -D 'cn=Directory Manager' -W -S uid=admin-ipa2.$domain,ou=people,o=ipaca

Needs to be done once for CA and once for KRA.

FreeIPA, kinit, e-text and ENOSUCH

Trying to get a Kerberos ticket for a user on a master? Getting

kinit: Generic error (see e-text) while getting initial credentials

Log shows

ipa1.$domain krb5kdc... AS_REQ ... HANDLE_AUTHDATA: $user@$realm ... No such file or directory

Did you forget to add SIDs on upgrade/replica install?

This helped:

ipa config-mod --enable-sid --add-sids

FreeIPA and KRA connector has already been defined for this CA

Trying to install an additional KRA and getting

KRA connector has already been defined for this CA

Has your KRA transport certificate rolled over since the original installation? If yes, /etc/pki/pki-tomcat/ca/CS.cfg on the machine you try to sync from might still have the old certificate in ca.connector.KRA.transportCert.

Since ipa-replica-install ... --setup-kra copies that file, the new replica tries to add itself with the wrong certificate, which leads to the above error.

  • Get the current transport certificate:

      pki -u admin ca-kraconnector-show
    
      Host: ipa1.$domain:443
          ...
          Transport Cert:
    
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          ...
    
  • On the machine you sync from, replace the base64 encoded value for ca.connector.KRA.transportCert in /etc/pki/pki-tomcat/ca/CS.cfg

  • Reload Tomcat.
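As an added example (not part of the original notes), a small Python helper that pulls the base64 transport certificate out of the pki ca-kraconnector-show output and swaps it into the ca.connector.KRA.transportCert line of a CS.cfg text. The output layout, hostnames and certificate bytes are constructed assumptions, so compare against the real output before pointing it at /etc/pki/pki-tomcat/ca/CS.cfg.

```python
import base64
import re

# Constructed sample data (not a real certificate or real hosts).
CERT_LINES = ["MIIBsample" + "A" * 54, "B" * 64, "QUJD"]
SAMPLE_SHOW_OUTPUT = (
    "  Host: ipa1.example.test:443\n"
    "      Transport Cert:\n\n"
    + "".join(f"      {line}\n" for line in CERT_LINES)
    + "      ...\n"
)
SAMPLE_CS_CFG = (
    "ca.connector.KRA.enable=true\n"
    "ca.connector.KRA.host=ipa1.example.test\n"
    "ca.connector.KRA.transportCert=OLDSTALECERTVALUE==\n"
    "ca.connector.KRA.uri=/kra/agent/kra/connector\n"
)
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
KEY = "ca.connector.KRA.transportCert"


def extract_transport_cert(show_output: str) -> str:
    """Collect the base64 lines under 'Transport Cert:' into one string."""
    lines = iter(show_output.splitlines())
    for line in lines:
        if line.strip() == "Transport Cert:":
            break
    else:
        raise ValueError("no 'Transport Cert:' section in output")
    chunks = []
    for line in lines:
        stripped = line.strip()
        if not stripped:
            if chunks:
                break  # blank line after the block ends it
            continue  # blank line before the block is skipped
        if not B64_LINE.match(stripped):
            break  # anything that is not base64 (e.g. '...') ends the block
        chunks.append(stripped)
    cert = "".join(chunks)
    base64.b64decode(cert, validate=True)  # raise early on a mangled value
    return cert


def update_cs_cfg(cfg_text: str, cert_b64: str) -> str:
    """Replace the transportCert value in CS.cfg text, keeping other keys."""
    out, replaced = [], False
    for line in cfg_text.splitlines():
        if line.startswith(KEY + "="):
            line, replaced = f"{KEY}={cert_b64}", True
        out.append(line)
    if not replaced:
        raise ValueError(f"{KEY} not present in CS.cfg")
    return "\n".join(out) + "\n"
```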

FreeIPA, dogtag, KRA and install token

To generate an install token, used in e.g.

pki ca-kraconnector-add --install-token ...

Run

curl -u admin \
    "https://$( hostname -f )/ca/rest/securityDomain/installToken?hostname=$( hostname -f )&subsystem=KRA"

enter the directory manager password, save the content of <token> to a file, and use that for --install-token.