Hubba's Blog

Notes from a Linux/Unix Engineer

Managing AD Computer Accounts with adcli and kerberos on Linux

Posted on Mon, Jun 02, 2025 at 12:12 by Hubertus A. Haniel

When configuring Samba on Linux against Active Directory these steps are part of that as well, but you may just want to use Kerberos on its own, so these are the initial steps to get it working on RHEL 8/9.

First you need to install the krb5-workstation and adcli packages which should be available in the default repos.

Then configure /etc/krb5.conf to reflect your AD domain (mine is upnor.localnet.lan). With dns_lookup_kdc = false the KDC has to be listed explicitly under [realms]; a single kdc line is a single point of failure, so list every domain controller you have. rdns = false stops the library from canonicalising host names through reverse DNS, which is what you want.

includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = UPNOR.LOCALNET.LAN
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    UPNOR.LOCALNET.LAN = {
        kdc = 192.168.0.10
    }

Now we need to join the domain; the command is something like:

 adcli join -v --domain "upnor.localnet.lan" -U <userid> -O OU=Unix\ Samba\ Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan

Note that the OU path reads back to front compared with the Windows Active Directory GUI, where the same container shows as "\SERVERS\Unix Samba Servers": an LDAP distinguished name lists the most specific component first and the domain components last. The spaces have to be escaped with \ (or the whole DN quoted) so the shell passes it as one argument. The user given with -U needs the right to create and manage computer accounts in that OU; an account delegated just that permission is preferable to a domain admin. The command has to be run as root because it writes /etc/krb5.keytab.

The command will create the computer account in AD and write the host's keys to /etc/krb5.keytab. That keytab is the machine's long-term credential, so keep it owned by root and readable by root only (mode 0600): anyone who can read it can authenticate as the computer account.

You should now be able to get a Kerberos ticket for a domain user with "kinit <userid>", and "klist" will show it.

Now we are in a position to run further adcli commands authenticated with that Kerberos ticket (the -C option uses the credential cache instead of prompting for a password).

So we can, for example, add a service principal name (SPN) for our host (again as root, as /etc/krb5.keytab gets modified):

 adcli update --add-service-principal=cifs/alias.upnor.localnet.lan --domain "upnor.localnet.lan" -v -C

alias.upnor.localnet.lan is a DNS alias for the server running Samba, and a client that connects through that alias will ask the KDC for a ticket for cifs/alias.upnor.localnet.lan, so that SPN has to be registered on the computer account and its key has to be in the keytab. All these commands I have run in verbose mode (-v), as with this command I noticed that when the update in AD failed it still carried on updating the local keytab file. So read the verbose output rather than relying on the exit status alone, and confirm the AD side separately.

You can confirm the SPN from a Windows client with "setspn -T upnor.localnet.lan -Q */alias.upnor.localnet.lan". From the Linux side, "kvno cifs/alias.upnor.localnet.lan" run with a user ticket only succeeds if AD maps that SPN to an account, which catches exactly the case where the keytab was updated but AD was not.
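As an added example (not from the original post), here are the join and SPN steps above as a script. It builds the -O distinguished name from the path the AD GUI shows, so the reversed order is done for you, and after the join it checks the keytab permissions and proves the machine account and the SPN actually work against the KDC. The domain, OU and alias are the ones used on this page; the admin user name, the keytab checks and the verification steps are my additions.

```bash
#!/bin/bash
# Added example, not code from the original post: build the DN that adcli's -O
# option expects from the path the AD GUI shows, join, and verify what landed in
# the keytab. Domain/OU/alias follow the post; the rest is an assumption.
set -euo pipefail

DOMAIN=upnor.localnet.lan
KEYTAB=/etc/krb5.keytab

# gui_path_to_ou_dn "<GUI path>" "<DNS domain>"
#   "\SERVERS\Unix Samba Servers" -> "OU=Unix Samba Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan"
# The GUI shows the tree top-down; an LDAP DN lists the most specific RDN first,
# which is why the OU components come out in reverse order.
gui_path_to_ou_dn() {
    local gui_path=$1 domain=$2 dn="" part
    local IFS='\'
    for part in ${gui_path#\\}; do
        [ -n "$part" ] || continue
        dn="OU=${part}${dn:+,$dn}"        # prepend: deeper OUs go first
    done
    IFS='.'
    for part in $domain; do
        dn="${dn},DC=${part}"
    done
    printf '%s\n' "$dn"
}

# keytab_mode_ok <path>: the keytab holds the machine account's long-term keys,
# so refuse anything that is group- or world-readable.
keytab_mode_ok() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1")
    [ $(( 8#$mode & 8#077 )) -eq 0 ]
}

# join_and_verify "<GUI path>" <admin user>: must run as root; not executed here.
join_and_verify() {
    local ou_dn
    ou_dn=$(gui_path_to_ou_dn "$1" "$DOMAIN")
    adcli join -v --domain "$DOMAIN" -U "$2" -O "$ou_dn"
    chmod 600 "$KEYTAB"
    keytab_mode_ok "$KEYTAB"
    klist -kte "$KEYTAB"      # principals and key version numbers adcli wrote
    kinit -k                  # host/<fqdn> from the keytab: no user password involved
    klist
    kdestroy
}

# add_and_check_spn <service/alias>: add the SPN with the current user's ticket,
# then confirm AD resolves it by requesting a service ticket for it. A keytab
# entry without the SPN in AD fails at the kvno step.
add_and_check_spn() {
    adcli update -v -C --domain "$DOMAIN" --add-service-principal="$1"
    klist -kte "$KEYTAB" | grep -F "$1"    # key is in the keytab ...
    kvno "$1"                              # ... and the KDC issues tickets for it
}

# Usage (as root, after "kinit <userid>" for the second call):
#   join_and_verify '\SERVERS\Unix Samba Servers' adminuser
#   add_and_check_spn cifs/alias.upnor.localnet.lan
```

The DN builder is the part that runs anywhere; the join and SPN functions need root, a reachable domain controller and a ticket, so call them by hand once you have checked the DN it prints.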

adcli can also pre-create a computer account for another server that does not have adcli installed but that you want to join with Samba's "net ads join -U <userid>", so that the account lands in the OU you want rather than wherever the join would put it (net ads join can create accounts itself, and net(8) documents a createcomputer= option for choosing the OU, but pre-creating keeps the OU choice and the privileged credentials on one box). Note that unless you pass --one-time-password, adcli preset-computer gives the new account a predictable default password, the lowercase computer name, so anyone who knows the name could join a machine with it until the real join has reset it; set a one-time password and join promptly:

 adcli preset-computer <other server name> --domain "upnor.localnet.lan" -U <userid> -O OU=Unix\ Samba\ Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan -v -C

The only bit I can not figure out is how to edit the SPNs of a remote host like you can with setspn on Windows - I have, without success, tried various combinations to achieve the same as:

 setspn -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
   if no such SPN exists in the domain
 setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"

If you work it out - let me know and I will add it here!

Edited on: Mon, Jun 02, 2025 13:30

Posted in HowTo (RSS), System - Linux (RSS), System - Windows (RSS)

Version comparison using rpm

Posted on Thu, Feb 20, 2025 at 11:35 by Hubertus A. Haniel

I have been playing a little bit with ChatGPT and its code generators and while doing this I stumbled across this. I wrote about version comparison in a previous post, which is sort of a common thing that keeps coming up, and I have used the function that I refer to there lots of times. It seems that rpm actually has a built-in function to do this which returns result codes, so you can refer to it with a function like the one below. Obviously it will not work on other platforms, and it seems that this has not been available on all rpm versions, but I do not know when it was introduced:

compare_rpm_versions() {
    local version1="$1"
    local version2="$2"
    local result
    # Only characters that can legitimately appear in an RPM version string.
    local allowed='^[A-Za-z0-9._+~^:-]+$'

    if [[ -z "$version1" || -z "$version2" ]]; then
        printf "Error: Two versions must be provided\n" >&2
        return 1
    fi

    # The versions are pasted into Lua source below, so a quote or parenthesis
    # in the input could break out of the string and run arbitrary Lua inside rpm.
    if [[ ! "$version1" =~ $allowed || ! "$version2" =~ $allowed ]]; then
        printf "Error: Versions may only contain letters, digits and . _ + ~ ^ : -\n" >&2
        return 1
    fi

    if ! command -v rpm &>/dev/null; then
        printf "Error: rpm command not found\n" >&2
        return 2
    fi

    # rpm.vercmp returns -1, 0 or 1; run the comparison once and keep its output
    if ! result=$(rpm --eval "%{lua: print(rpm.vercmp('$version1', '$version2'))}" 2>/dev/null); then
        printf "Error: Failed to compare versions\n" >&2
        return 4
    fi

    case "$result" in
        1)  printf "%s is newer than %s\n" "$version1" "$version2"; return 0 ;;
        0)  printf "%s and %s are identical\n" "$version1" "$version2"; return 0 ;;
        -1) printf "%s is older than %s\n" "$version1" "$version2"; return 0 ;;
        *)  printf "Error: Unexpected comparison result: %s\n" "$result" >&2; return 3 ;;
    esac
}
Edited on: Wed, Jun 04, 2025 15:00

Posted in HowTo (RSS), Packaging (RPM) (RSS), Shell Scripting (RSS), System - Linux (RSS)

Large File System out of lots of small chunks of free space.....

Posted on Thu, Dec 05, 2024 at 10:03 by Hubertus A. Haniel

DON'T TRY THIS AT WORK!
Just because it is possible it does not mean it is good practice!
I would not endorse this trickery/hack in a commercial environment.

This would not be supported in an enterprise environment and is not a safe way of keeping your data, so I would not recommend it in a critical environment with critical data. It is RAID 0, so losing or filling up any one of the backing file systems takes the whole array and everything on it with it, and stacking a file system on a RAID device on loop devices on files on other file systems will cost performance. So this is just a bit of fun that may help you out with a temporary fix to get you over a hurdle. I have done this on RHEL9 but it will work in the same way on other Linux distributions.

Let's say you have a system with lots of file systems whose size does not really matter, but there are a few gigabytes free here and there. You may even be able to add NFS mounts, although if the network fails you will end up with corruption when the NFS-backed parts fail. You cannot shrink or rearrange the file systems to free up enough space to store a larger file. In this example:

/filesystem-01
/filesystem-02
/filesystem-03
/filesystem-04

It is irrelevant how big these file systems are, but let's say each has only about 25 GB free and you want to create a file in the region of 80 to 100 GB for whatever reason. So in each of these file systems we create a sparse file. (We could create a fully allocated file, but a sparse file is faster to create. After this step the space is not actually used yet, although ls -al shows the size the file could grow to. That also means the space is not reserved: if the file system fills up before the image does, writes to the array will fail.)

dd if=/dev/zero of=/filesystem-01/filestore.img bs=1 count=0 seek=25G
dd if=/dev/zero of=/filesystem-02/filestore.img bs=1 count=0 seek=25G
dd if=/dev/zero of=/filesystem-03/filestore.img bs=1 count=0 seek=25G
dd if=/dev/zero of=/filesystem-04/filestore.img bs=1 count=0 seek=25G

Next we will create loop back devices that point to these files:

losetup --show -f /filesystem-01/filestore.img
losetup --show -f /filesystem-02/filestore.img
losetup --show -f /filesystem-03/filestore.img
losetup --show -f /filesystem-04/filestore.img

These will most likely end up being /dev/loop0 through to /dev/loop3 but if you have other loop back stuff mounted it may differ. The command "losetup -a" will list them for you.

We can now create a RAID 0 device on top of these loop devices to get one contiguous device:

mdadm -C /dev/md/filestore -l 0 -n 4 /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3

You can now treat /dev/md/filestore like a normal disk device, so you can partition it or create one large file system directly on it.

When you want to take it down again (before rebooting, for example, although Linux may do it for you) the steps are:

  1. Unmount the file system
  2. Stop the RAID device ("mdadm --stop /dev/md/filestore")
  3. Remove the loop devices ("losetup -d <device>" for each device created)

To remount the device again the steps are:

  1. "losetup --show -f" for each of the image files as above
  2. "mdadm --assemble /dev/md/filestore /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3"
  3. mount the device as previously

If you are going to keep this setup for a longer time you may want to script the above to ensure it gets done on boot etc. - The same is probably achievable just with plain LVM but I have not attempted that, and I suspect it may be more intrusive as you may have to modify lvm.conf to scan the loop devices. You also run the risk of messing up your LVM metadata, so I did not want to take the risk of creating volume groups on files that are already on top of a volume group, which is the case on my system. You also would not want to extend existing logical volumes on to files, bearing in mind that you may not be able to shrink them down again when you want to remove it.
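As an added example (not from the original post), here is the bring-up and tear-down from above as a script. It does not assume the loop devices are /dev/loop0 to /dev/loop3 but records what losetup --show hands back, finds them again via their backing files when tearing down, and refuses to start if a backing file system could not hold its image fully allocated, which is the failure the sparse files invite. The image paths and the 25 GB size are from the post; the mount point and the choice of XFS are assumptions.

```bash
#!/bin/bash
# Added example, not code from the original post: bring the loop/RAID 0 stack up
# and down without hard-coding loop device names, and refuse to start if a
# backing file system could not hold its image fully allocated. Image paths and
# size follow the post; the mount point is an assumption. Nothing below runs
# until you call filestore_up / filestore_down as root.
set -euo pipefail

IMAGES=(/filesystem-01/filestore.img /filesystem-02/filestore.img
        /filesystem-03/filestore.img /filesystem-04/filestore.img)
IMAGE_SIZE_GIB=25
MD_DEV=/dev/md/filestore
MOUNTPOINT=/mnt/filestore   # assumption: the post does not name one

# bytes_available <path>: free bytes on the file system holding <path>
bytes_available() {
    local kib
    kib=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    echo $((kib * 1024))
}

# image_fits <image> <size GiB>: a sparse image only takes space as the array
# writes to it. If the backing file system has filled up by then the write
# fails, md kicks the member out, and a RAID 0 cannot survive losing a member,
# so check up front that the still-unallocated part of the image fits.
image_fits() {
    local img=$1 need have
    need=$(( $2 * 1024 * 1024 * 1024 ))
    if [ -e "$img" ]; then
        need=$(( need - $(stat -c %b "$img") * $(stat -c %B "$img") ))
    fi
    have=$(bytes_available "$(dirname "$img")")
    [ "$need" -le "$have" ]
}

# filestore_up: create missing images, attach loop devices, create the array on
# first use (no md superblock yet) or assemble it afterwards, then mount it
filestore_up() {
    local img dev devs=()
    for img in "${IMAGES[@]}"; do
        image_fits "$img" "$IMAGE_SIZE_GIB" || { echo "not enough free space for $img" >&2; return 1; }
        [ -e "$img" ] || truncate -s "${IMAGE_SIZE_GIB}G" "$img"   # same sparse file as the dd seek= trick
        dev=$(losetup --show -f "$img")
        devs+=("$dev")
    done
    if mdadm --examine "${devs[0]}" >/dev/null 2>&1; then
        mdadm --assemble "$MD_DEV" "${devs[@]}"
    else
        mdadm --create "$MD_DEV" --level=0 --raid-devices="${#devs[@]}" "${devs[@]}"
        mkfs.xfs "$MD_DEV"
    fi
    mkdir -p "$MOUNTPOINT"
    mount "$MD_DEV" "$MOUNTPOINT"
}

# filestore_down: unmount, stop the array, detach the loop devices found via
# their backing files rather than via remembered names
filestore_down() {
    local img dev
    umount "$MOUNTPOINT"
    mdadm --stop "$MD_DEV"
    for img in "${IMAGES[@]}"; do
        for dev in $(losetup -n -O NAME -j "$img"); do
            losetup -d "$dev"
        done
    done
}
```

Run filestore_up once to create the array and file system, and afterwards the same call assembles it; filestore_down is the three tear-down steps in the order given above. If image_fits refuses, free space on that backing file system first rather than starting the array and hoping it never fills.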

Edited on: Thu, Dec 05, 2024 13:42

Posted in HowTo (RSS), System - Linux (RSS)

Free up space on a Apple MAC / OSX

Posted on Fri, Mar 15, 2024 at 15:29 by Hubertus A. Haniel

Apple Mac laptops are beautiful devices, but they cost a lot of money and usually come with very limited disk space, which gets eaten up mostly by your photo library if you have an iPhone as well. This will come back to haunt you when you want to perform an update and your Mac suddenly says it does not have enough disk space. Well, here is a simple fix.

By default your Mac will download all the photos you take on your other Apple devices in full quality. So the first thing to do is go into the Photos preferences and change "Download Originals to this Mac" to "Optimize Mac Storage".

This will not free up space straight away unless you are actually running out of space. To make it happen, keep Photos open and open a couple of terminal windows. In one of them, in your home directory, start a job that fills up your available space with "dd if=/dev/zero of=bigfile.tmp". Use the other window with "df -h ." to watch your free disk space shrink and "du -sh Pictures" to watch that directory shrink. Keep an eye on it: dd runs until the volume is completely full, and a full boot volume makes macOS and its apps misbehave, so do not leave it running unattended.

Once you think you have shrunk your photo library sufficiently, kill the dd job and remove bigfile.tmp, which should then give you enough space on your drive to perform your upgrade.
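As an added example (not from the original post), a bounded version of the dd trick: it appends to the file in fixed steps and stops as soon as less than a chosen amount of free space is left, so the volume never fills completely, and it keeps going while Photos frees space in the background. The file name follows the post; the thresholds are assumptions. Only POSIX df and dd are used, so it runs the same on macOS and Linux.

```bash
#!/bin/bash
# Added example, not code from the original post: fill the disk in steps and
# stop once a chosen amount of free space is left, instead of running dd until
# the volume is completely full. Thresholds below are assumptions.
set -euo pipefail

# mib_free <dir>: free MiB on the volume holding <dir>
mib_free() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# fill_until_free <file> <keep_free_mib> [chunk_mib] [max_mib]
#   Appends zero-filled chunks to <file> while more than keep_free_mib + chunk_mib
#   MiB are free, so free space never drops below keep_free_mib. Photos evicts
#   originals as space gets tight, which frees space again, so the loop carries
#   on until either the threshold holds or max_mib (0 = no limit) has been
#   written. Prints the number of MiB written.
fill_until_free() {
    local file=$1 keep=$2 chunk=${3:-1024} max=${4:-0} written=0
    : > "$file"
    while [ "$(mib_free "$(dirname "$file")")" -gt $((keep + chunk)) ] \
          && { [ "$max" -eq 0 ] || [ "$written" -lt "$max" ]; }; do
        dd if=/dev/zero bs=1048576 count="$chunk" 2>/dev/null >> "$file"
        written=$((written + chunk))
    done
    echo "$written"
}

# Usage: keep 5 GiB free, writing in 1 GiB steps, then remove the file:
#   fill_until_free "$HOME/bigfile.tmp" 5120
#   rm "$HOME/bigfile.tmp"
```

Watch "du -sh Pictures" in the other window as before; when it has shrunk enough, stop the loop with Ctrl-C if it is still running and remove the file.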

Posted in System - Apple / OSX (RSS)

AIX 7.1 to 7.2 upgrade

Posted on Wed, Mar 13, 2024 at 15:23 by Hubertus A. Haniel

Note: This guide is not aimed as a step-by-step command reference, as systems may be configured in different ways. It is more of a reminder of the steps involved and is still a work in progress.

One should familiarize themselves with the following articles:

The assumption is that we are working on an AIX server where rootvg is mirrored across hdisk0 and hdisk1. Just to ensure that the boot partitions are up to date it is advisable to execute "bosboot -ad /dev/hdisk0" and the same for hdisk1.

It should be ensured that we have an up to date mksysb or we should create one preferably on a NIM server that we can boot of and recover this image.

We will now have to break the rootvg mirror with "unmirrorvg rootvg hdisk1", which frees up hdisk1. Before doing so, check with "lsvg -p rootvg" that both disks are active members and with "bootlist -m normal -o" that both are in the boot list.

Now we can use "alt_disk_copy -d hdisk1" to create an alternate root disk copy, which is NOT a mirror but a self-contained copy. This creates the copy and sets hdisk1 as the boot disk; "bootlist -m normal -o" shows which disk the next boot will use, so check that before rebooting.

After the copy has completed we can reboot the server and we should now see that hdisk1 has become the active rootvg and hdisk0 is in a volume group called old_rootvg.

While running on this rootvg copy we should upgrade any components that may need to be upgraded as a pre requisite to AIX 7.2 eg Veritas Filesystems if they are in use.

To do the migration to 7.2 we need to boot off the 7.2 boot media from NIM or CD/DVD, and the NIM server may need to be prepped for that by adding the NIM client for a bos_install.

Once we are successfully booting off the media (watch the LED codes so you can follow the process) we should be prompted on the console to press 1 to confirm that we are on the correct console. We may also be prompted for a language selection.

We should then be dropped into the install menu, which by default should have chosen "Migration" rather than "Full install". This can be checked in the advanced install configuration menu, where one should also make sure that the correct disk is selected: in our case hdisk1, whereas the default may go for hdisk0, which we do not want to touch.

After the migration the server should boot into AIX 7.2 from hdisk1. Once we have confirmed that everything is OK we can remove old_rootvg ("alt_rootvg_op -X old_rootvg"), add hdisk0 back and fully remirror rootvg ("extendvg rootvg hdisk0", "mirrorvg rootvg hdisk0"), not forgetting bosboot on every mirror disk so the boot logical volume is populated on each.
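As an added example (not from the original post), a pre-flight check for the unmirrorvg step above: it reads the output of "lsvg -p rootvg" and "bootlist -m normal -o" and only passes when rootvg has exactly two active physical volumes, the disk about to be freed is one of them, and both are in the boot list. The sample outputs embedded below are constructed in the format AIX prints; real disk names and PP counts will differ.

```sh
#!/bin/sh
# Added example, not code from the original post: checks to run before
# "unmirrorvg rootvg hdisk1", driven by the output of "lsvg -p rootvg" and
# "bootlist -m normal -o". Sample outputs are constructed.

# active_pvs <lsvg -p output>: physical volumes whose PV STATE is "active"
active_pvs() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "active" { print $1 }'
}

# boot_disks <bootlist output>: disks in the normal-mode boot list
boot_disks() {
    printf '%s\n' "$1" | awk 'NF { print $1 }'
}

# ready_to_unmirror <lsvg output> <bootlist output> <disk to free>
# Succeeds only when rootvg has exactly two active PVs, the disk about to be
# taken out of the mirror is one of them, and both disks are in the boot list
# (i.e. bosboot -ad has been run against each, as the post recommends).
ready_to_unmirror() {
    pvs=$(active_pvs "$1")
    [ "$(printf '%s\n' "$pvs" | grep -c .)" -eq 2 ] || return 1
    printf '%s\n' "$pvs" | grep -qx "$3" || return 1
    for d in $pvs; do
        boot_disks "$2" | grep -qx "$d" || return 1
    done
    return 0
}

# Constructed sample output; on a real system use:
#   LSVG_OUT=$(lsvg -p rootvg); BOOTLIST_OUT=$(bootlist -m normal -o)
LSVG_SAMPLE='rootvg:
PV_NAME           PV STATE          TOTAL PPs   FREE PPs    FREE DISTRIBUTION
hdisk0            active            546         100         00..00..00..00..100
hdisk1            active            546         100         00..00..00..00..100'
BOOTLIST_SAMPLE='hdisk0 blv=hd5 pathid=0
hdisk1 blv=hd5 pathid=0'

if ready_to_unmirror "$LSVG_SAMPLE" "$BOOTLIST_SAMPLE" hdisk1; then
    echo "rootvg mirrored on hdisk0/hdisk1 and both bootable: safe to unmirrorvg rootvg hdisk1"
else
    echo "precondition not met: do not unmirror yet" >&2
fi
```

If the boot list check fails, run "bosboot -ad /dev/hdiskN" for the missing disk and "bootlist -m normal hdisk0 hdisk1" before breaking the mirror, so that whichever disk you end up booting from has a valid boot image.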

Edited on: Wed, Mar 13, 2024 15:55

Posted in HowTo (RSS), System - AIX (RSS)