Is ssh reporting Load key ... invalid format when trying to use a private key? The file might be missing a newline at EOF.

TIL, the Mojolicious tag helper can be nested. This

<ul class="navigation">
%= tag 'li', tag 'a', href => "#$_", $_ foreach qw/foo bar baz/
</ul>

becomes

<ul class="navigation">
  <li>
    <a href="#foo">foo</a>
  </li>
  <li>
    <a href="#bar">bar</a>
  </li>
  <li>
    <a href="#baz">baz</a>
  </li>
</ul>

Trying to install a replica on Rocky 9? Failing when setting up CA or KRA with creating installation admin user:

[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
Unable to log in as uid=admin-ipa2.$domain,ou=people,o=ipaca on ldap://ipa1.$domain:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-ipa2.$domain,ou=people,o=ipaca did not replicate to ldap://ipa1.$domain:389

Seems like there is a problem with password setting/synchronisation.

On the new replica, patch dogtaginstance.py:

--- dogtaginstance.py   2024-09-18 13:07:59.800133397 +0000
+++ /usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py        2024-09-18 13:08:24.763219686 +0000
@@ -676,6 +676,7 @@

         # add user
         password = ipautil.ipa_generate_password()
+        logger.debug( "FOOBAR " + password )
         entry = api.Backend.ldap2.make_entry(
             dn,
             objectclass=[

Start ipa-replica-install

Watch /var/log/ipareplica-install.log for the FOOBAR line.

On an existing machine, set password:

ldappasswd -D 'cn=Directory Manager' -W -S uid=admin-ipa2.$domain,ou=people,o=ipaca

Needs to be done once for CA and once for KRA.

Trying to get a Kerberos ticket for a user on a master? Getting

kinit: Generic error (see e-text) while getting initial credentials

Log shows

ipa1.$domain krb5kdc... AS_REQ ... HANDLE_AUTHDATA: $user@$realm ... No such file or directory

Did you forget to add SIDs on upgrade/replica install?

This helped:

ipa config-mod --enable-sid --add-sids

Trying to install an additional KRA and getting

KRA connector has already been defined for this CA

Has your KRA transport certificate rolled over since the original installation? If yes, /etc/pki/pki-tomcat/ca/CS.cfg on the machine you try to sync from might still have the old certificate in ca.connector.KRA.transportCert.

Since ipa-replica-install ... --setup-kra copies that file, it will try to add itself with the wrong certificate leading to the above error.

• Get the current transport certificate:

    pki -u admin ca-kraconnector-show
  
    Host: ipa1.$domain:443
        ...
        Transport Cert:
  
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        ...
  

• On the machine you sync from, replace the base64 encoded value for ca.connector.KRA.transportCert in /etc/pki/pki-tomcat/ca/CS.cfg

• reload tomcat.

To generate an install token used in f.e.

pki ca-kraconnector-add --install-token ...

Run

curl -u admin
    "https://$( hostname -f )/ca/rest/securityDomain/installToken\
    ?hostname=$( hostname -f)&subsystem=KRA"

enter the directory manager password, save the content of <token> to a file, and use that for --install-token.

Trying to debug some early boot failures? Passing systemd.debug-shell=1 to the kernel command line? Running ip a to inspect network interfaces, and getting no output? Try

ip a | cat

Useful use of cat.

Is NixOS not creating your bridges on sudo nixos-rebuild switch?

Try running sudo systemctl restart network-setup.service.

Also, see #50208 and #42828.

Upgraded to bookworm and containers started with podman-compose can no longer resolve names?

Switching to the netavark networkBackend helped, f.e. by reseting:

podman system reset --force

It will delete all your stuff, though.

Looking to dump all properties of a certificate with $SERIAL:

Get-ChildItem -Path Cert: -Recurse `
| Where-Object -Property SerialNumber -Value $SERIAL -eq `
| Select-Object -Property *