Nextcloud, Collabora and 404s

Running your own docker based Collabora Online server? Getting 404s after an update with these log entries:

https://.../browser/.../cool.html?WOPISrc=...

Seems like some URLs where changed:

Seems like /loleaflet has been renamed to /browser and lool to cool in latest collabora version.

See #1904 and Proxy Settings.

MariaDB and lost+found

Having /var/lib/mysql on a separate partition? MariaDB thinks lost+found is a Database? Create /etc/mysql/conf.d/ignore.cnf with

[mysqld]
ignore-db-dir=lost+found

Restart MariaDB and drop the database:

drop database `lost+found`;

Focal and Black Screen

Performing a minimal Ubuntu 20.04 install on a server? Black screen after rebooting? Switch to console via ALT+F1 and change in /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_TERMINAL=console

Run update-grub and reboot.

Powershell and Certificate Chain

On Windows, and need to generate a certificate chain to a server? This script creates one file per certificate in the chain:

$destination = 'foo'

$webRequest = [Net.WebRequest]::Create(https:// + $destination)
$webRequest.AllowAutoRedirect = $FALSE
$webRequest.Method = 'HEAD'
$webRequest.Timeout = 1000

try {
    "Connecting to $destination... " | Write-Host -NoNewline
    $webRequest.GetResponse().HResult | Write-Host
}
catch [System.Net.WebException] {
    $_.Exception.Status | Write-Host

    if ( $_.Exception.Status -ne 'Timeout' ) {
        throw $_
    }
}

"Building certificate chain..." | Write-Host
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.build( $webRequest.ServicePoint.Certificate ) | Out-Null

$contentType = [Security.Cryptography.X509Certificates.X509ContentType]::Cert

"Saving..." | Write-Host
# Skip server certificate
$chain.ChainElements.Certificate | Select-Object -Skip 1 | ForEach-Object {
    set-content `
        -value $( $_.Export( $contentType  ) ) `
        -path "$pwd\$( $_.Thumbprint ).cer" `
        -encoding byte

    $_
} | Format-Table | Out-String | Write-Host

FreeIPA, Firefox and SSL

Playing with FreeIPA? Recreating the CA? Firefox complaining about SEC_ERROR_REUSED_ISSUER_AND_SERIAL? Can’t find the certificate via Preferences / Privacy & Security / Certificates?

Try deleting it via CLI:

certutil -L -d <folder/to/cert8.db> | grep -i ipa
certutil -D -d <folder/to/cert8.db> -n <nickname>

MySQL, MariaDB and Ubuntu

Migrating from MySQL to MariaDB on Ubuntu? MariaDB not starting? There may be an old AppArmor Profile in the way. Or mysql.service and mariadb.service may both be enabled.

Active Directory, LDAP, Kerberos and SSL

Trying to talk to AD via ldaps:// and -Y GSSAPI? Getting

sb_sasl_generic_pkt_length: received illegal packet length of 813957120 bytes

According to Microsofts Open Specification: 5.1.1.1.2 SASL Authentication:

While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection.

Also passing -O "maxssf=0,minssf=0" to ldapsearch works for me.

See redhat:4661861, lp:#1015819, cyrus-sasl:#419, cyrus-sasl:#603.

Jenkins, Kerberos and Python

Trying to talk to Jenkins while authenticating with Kerberos and getting

GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept

Using requests_gssapi and specifying SPNEGO:

import gssapi
import requests
from requests_gssapi import HTTPSPNEGOAuth

login = 'http://jenkins/login'
job = 'http://jenkins/view/.../job/.../'

# GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
spnego = gssapi.mechs.Mechanism.from_sasl_name("SPNEGO")

s = requests.Session()

rl = s.get( login, auth=HTTPSPNEGOAuth( mech=spnego ) )
rj = s.get( job )

works for me.

ldapsearch, Kerberos and Active Directory

Trying to use -Y GSSAPI when ldapsearching Active Directory and getting:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)

Does the host’s IP address you try to connect to not resolve back to it’s name, for example:

ldapsearch -H ldap://gc.local/

gc.local has address 192.168.0.1
1.0.168.192.in-addr.arpa domain name pointer foo.local.
foo.local has address 192.168.0.1

Try using the other name: ldapsearch -H ldap://foo.local/