Bug Alert - ANSIBLE
Posted on Fri, Aug 29, 2025 at 17:40 by Hubertus A. Haniel
Just came across something weird modifying some of my roles so I can play with RHEL10:
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version >= '9'
The above statement does not seem to be including RHEL10 in fact if I test it the other way with "<=9" it will actually include 10 - I am not sure why but I think I have a bug.
This is with Ansible 2.16.14 and python 3.12 running from a RHEL8 machine targeting a RHEL10
Pretty weird HUH?
Edited on: Fri, Aug 29, 2025 17:47
Posted in Automation (RSS)
LIFX device onboarding on iPhone
Posted on Sun, Aug 17, 2025 at 10:11 by Hubertus A. Haniel
I have several of these LIFX bulbs around my house and they are pretty cool and reliable most of the time but sometimes one of them will drop of the network and refuses to reconnect to the WiFi. This happens only on very rare occasions hence I am writing this note as when it happens it takes me hours trying to figure out how to get it removed and on boarded again searching the web for documentation.
The standard way of first on boarding it into HomeKit does not seem to always work for me as my phone does not seem to find the light or the light ends up on the wrong WiFi because I have multiple WiFi in the house that serve different use cases and I am trying to separate stuff for security reasons.
Before you start you should ensure your iPhone is not connected to any VPN etc but your proper WiFi network - I have Wire Guard configured to come on when I am not connected to my normal WiFi to enable me to connect back into my network when I am out and about.
So first I remove the light from HomeKit and the LIFX app completely and reset it by turning on and back of 5 times. On the 5th time it should cycle through all the colors meaning it is reset and in pairing mode.
Then I use the manual way so I wait for 15 minutes for it to come out of "HomeKit mode" so the device in my WiFi selection of the iPhone will not be in the "Set up new device" but it will show in "Other Networks". - If it shows under "My Networks" because you have done this before, you should forget the device from your settings as you will not be able to tell what mode it is in. When it is in "Other Networks " you can connect to it and then use the LIFX app to manually add it to the WiFi you want.
Now this is the part which always gets me - How do you get it to show up in home kit as well now? - When you go into your Light Settings in the LIFX for that bulb in the HomeKit section it will just say not in HomeKit and you used to be able to pair it to HomeKit from there. - To enable that step you have to physically turn the light off for a couple of minutes and turn it back on. If you now got back into the settings it should present you with a button to pair to HomeKit and you just follow those steps to get it fully up and running.
Hope this helps!
Posted in Toys and Gadgets (RSS)
Managing AD Computer Accounts with adcli and kerberos on Linux
Posted on Mon, Jun 02, 2025 at 12:12 by Hubertus A. Haniel
When configuring Samba on Linux against active directory these steps are part of this as well but you may just want to use kerberos on its own so these are the initial streps to get it working on RHEL8/9
First you need to install the krb5-workstation and adcli packages which should be available in the default repos.
Then you need to configure /etc/krb5.conf to reflect your AD domain (mine is upnor.localnet.lan)
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = UPNOR.LOCALNET.LAN
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
UPNOR.LOCALNET.LAN = {
kdc = 192.168.0.10
}
Now we need to join the domain and for this the command is something like:
adcli join -v --domain "upnor.localnet.lan" -U <userid> -O OU=Unix\ Samba\ Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan
Note that the OU stuff seems back to front to what it shows in the Windows Active Directory GUI where my OU or path is "\SERVERS\Unix Samba Servers" and you obviously have to escape the spaces with \ - The userid needs to be somebody that has the rights to manage computer accounts in that OU. - This has to be run as root.
The command will create the computer account and the /etc/krb5.keytab file.
You should now be able to get a kerberos ticket with "kinit <userid>"
Now we are in a position to run other commands and we can authenticate against AD with the kerberos ticket (-C option)
So we can for example create a SPN for our host (again as root as /etc/krb5.keytab will get modified)
adcli update --add-service-principal=cifs/alias.upnor.localnet.lan --domain "upnor.localnet.lan" -v -C
alias.localnet.lan is an alias to my server running samba and we may need this to authenticate against samba on this server using this alias. - All these commands I have run in verbose mode (-v) as with this command I noticed that while adding an SPN where the update in AD failed but it still carried on updating the local keytab file.
We should be able to query the SPN from a windows client using "setspn -T upnor.localnet.lan -Q */alias.upnor.localnet.lan"
We can also pre-set a computer account for another server that may not have adcli installed but we want to join the domain using samba with "net ads join -U <userid>" because samba for some reason does not create computer accounts and certainly can not create them in a specific OU:
adcli preset-computer <other server name> -domain "upnor.localnet.lan" -U <userid> -O OU=Unix\ Samba\ Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan -v -C
The only bit I can not figure out is how to edit the SPN's for a remote
host like you can with setspn in windows - I have, without success,
tried various combinations to archive the same as:
setspn -S http/daserver daserver1
It will register SPN "http/daserver" for computer "daserver1"
if no such SPN exists in the domain
setspn -D http/daserver daserver1
It will delete SPN "http/daserver" for computer "daserver1"
If you work it out - let me know and I will add it here!
Edited on: Mon, Jun 02, 2025 13:30Posted in HowTo (RSS), System - Linux (RSS), System - Windows (RSS)
Version comparison using rpm
Posted on Thu, Feb 20, 2025 at 11:35 by Hubertus A. Haniel
I have been playing a little bit with ChatGPT and its code generators and while doing this I stumbled across this. I wrote about versiion comparison in a previos post which is sort of a common thing that keeps coming up and I have used the function that I refer to there lots of times. It seems that rpm actually has a build in function to do this which returns result codes so you can refer to this with a function like this but obviously it will not work on other platforms and it seems that this has not been available on all rpm versions but I do not know when it was introduced:
compare_rpm_versions() {
local version1="$1"
local version2="$2"
if [[ -z "$version1" || -z "$version2" ]]; then
printf "Error: Two versions must be provided\n" >&2
return 1
fi
if ! command -v rpm &>/dev/null; then
printf "Error: rpm command not found\n" >&2
return 2
fi
if rpm --eval "%{lua: print(rpm.vercmp('$version1', '$version2'))}" &>/dev/null; then
local result; result=$(rpm --eval "%{lua: print(rpm.vercmp('$version1', '$version2'))}")
case "$result" in
1) printf "%s is newer than %s\n" "$version1" "$version2"; return 0 ;;
0) printf "%s and %s are identical\n" "$version1" "$version2"; return 0 ;;
-1) printf "%s is older than %s\n" "$version1" "$version2"; return 0 ;;
*) printf "Error: Unexpected comparison result: %s\n" "$result" >&2; return 3 ;;
esac
else
printf "Error: Failed to compare versions\n" >&2
return 4
fi
}
Edited on: Wed, Jun 04, 2025 15:00Posted in HowTo (RSS), Packaging (RPM) (RSS), Shell Scripting (RSS), System - Linux (RSS)
Large File System out of lots of small chunks of free space.....
Posted on Thu, Dec 05, 2024 at 10:03 by Hubertus A. Haniel
DON'T TRY THIS AT WORK!
Just because it is possible it does
not mean it is good practice!
I would not endorse this
trickery/hack in a commercial environment.
This would not be supported in an enterprise environment and is probably not the safest way of keeping your data so I would not recommend this in a critical environment with critical data. On top of this not being the safest way to store your data it will also not be very efficient and I would expect a performance impact as a result of this. So this is just a bit of fun and may just help you out with a temporary fix to get you over a hurdle. I have done this on RHEL9 but it will work in the same way on other Linux distributions
Lets say you have a system with lots of file systems of which the size does not really matter but there are a few gigabytes here and there and you may even be able to add NFS mounted stuff although if there is a network failure you may end up with corruptions when the NFS parts fail. You can not shrink or rearrange the file systems to free up enough to store a larger file. In this example:
/filesystem-01
/filesystem-02
/filesystem-03
/filesystem-04
It is irrelevant of how big these file systems are but let say each of these have only about 25gb free but you want to create a file that is in the region of 80gb to 100gb for what ever reason. So lets go ahead and in each of these file systems we will create a sparse file (We can just create a full size file but a sparse file is faster to create. You will find that after that step the real space is not actually being used yet but with ls -al you will see the file size is shown as what it could grow to.)
dd if=/dev/zero of=/filesystem-01/filestore.img bs=1 count=0 seek=25G
dd if=/dev/zero of=/filesystem-02/filestore.img bs=1 count=0 seek=25G
dd if=/dev/zero of=/filesystem-03/filestore.img bs=1 count=0 seek=25G
dd if=/dev/zero of=/filesystem-04/filestore.img bs=1 count=0 seek=25G
Next we will create loop back devices that point to these files:
losetup --show -f /filesystem-01/filestore.img
losetup --show -f /filesystem-02/filestore.img
losetup --show -f /filesystem-03/filestore.img
losetup --show -f /filesystem-04/filestore.img
These will most likely end up being /dev/loop0 through to /dev/loop3 but if you have other loop back stuff mounted it may differ. The command "losetup -a" will list them for you.
We can now create a raid device on top of these loop devices with level raid 0 to have on continuous device:
mdadm -C /dev/md/filestore -l 0 -n 4 /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
You can now treat /dev/md/filestore like a normal disk device. So you can partition it create one large filesystem on it.
When you want to unmount it (before rebooting for example although Linux may do it for you the steps are:
- Unmount the file system
- Stop the raid device ("mdadm --stop /dev/md/filestore"
- Remove the loop devices ("losetup -d <for each device created>")
To remount the device again the steps are:
- "losetup --show -f" for each of the image files as above
- "mdadm --assemble /dev/md/filestore /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3"
- mount the device as previously
If you are going to keep this setup for a longer time you may want to script the above to ensure it gets done on boot etc. - The same is probably archievable just with plain LVM but I have not attempted that and I suspect it may be more intrusive as you may have to modify lvm.conf to scan the loop devices. You also run in the danger of messing up your lvm meta data so I did not want to take the risk on creating volume groups on files that are already on top of a volume group which is the case on my system. You also would not want to extend existing logical volumes on to files bearing in mind that you may not be able to shrink stuff down when you want to remove it again.
Edited on: Thu, Dec 05, 2024 13:42Posted in HowTo (RSS), System - Linux (RSS)
