Facebook Twitter
Linkedin LJ
Git Instagram

I write mostly about security, mail, web and linux. My contacts are: me@andreybondarenko.com, Telegram, FB chat, WhatsApp, +420-773-591-443. I am not using abondarenko@gmail.com and +7-903-7929724 anymore and you will not find me in Moscow, Russia. My CV. This site can use cookies.

17QxrNyk9BCrP6LGUbqCNnXCzu4oeoYKaH (btc) 0x57500960FBC986225209E597D5B97065A9A10043 (eth)

Later Ctrl + ↑


If you have host in the AD with the SSSD then your root user can be any user from the domain. So


would actually give permissions to all users from the “groupname” to become any AD user they want, and if they’re SSH’ng the localhost then, they would have Kerberos ticket as well. It is not actually that evident, but Active Directory is an identity provider, so if you are superuser on the host – you can be AD user on the host.

2017   IT   linux   sssd

Debugging IDM

One of the most frequent cases I have is that “sometimes” and “somewhere” user is not getting authenticated. Trying to SSH to the host works for some users not always, “id username” returns errors sometimes – it’s all the same problem in the environment with LDAP replication. It does not actually matter what kind of the LDAP server or domain controller is being used, always check:

  1. enable debug log on the client. If the client is SSSD, add “debug_level = 9” to the /etc/sssd/sssd.conf and then restart it. Invalidate it’s cache if possible.
  2. repeat the test so you would see the error.
  3. collect the log file from the client. You would see what server it has queried to get the information.
  4. check server’s log. Most likely there is no requested information on this LDAP instance due to replication issues.

This would help to identify and fix the problem.

2017   idm   IT   ldap   linux   sssd

Parsing sssd debug log

Lol, hope to add more in furure

grep -v "timed event" |grep -v "timer event"|grep -v "Requesting"|grep -v "SBUS"|grep -v "callback"|grep -v "dispatch"|grep -v "a sysbus message"|grep -v "No sub-attributes for" |grep -v "reusing cached connection" |grep -v "nesting:"|grep -v "sbus_remove_watch"|grep -v "be_client_destructor"|grep -v "sdap_process_result"|grep -v "Comparing LDAP with LDAP" |grep -v "Message type:"|grep -v "unenforced gpo skipped"
2017   IT   linux   sssd

More .bashrc improvements

I need to see long path and host name. And not to lose command line space at the same time:

BOLD="\[$($TTY  && /usr/bin/tput bold)\]"
COLOR_BLACK="\[$($TTY  && /usr/bin/tput setaf 0)\]"
COLOR_RED="\[$($TTY  && /usr/bin/tput setaf 1)\]"
COLOR_GREEN="\[$($TTY  && /usr/bin/tput setaf 2)\]"
COLOR_YELLOW="\[$($TTY && /usr/bin/tput setaf 3)\]"
COLOR_BLUE="\[$($TTY  && /usr/bin/tput setaf 4)\]"
COLOR_MAGENTA="\[$($TTY  && /usr/bin/tput setaf 5)\]"
COLOR_CYAN="\[$($TTY  && /usr/bin/tput setaf 6)\]"
COLOR_WHITE="\[$($TTY  && /usr/bin/tput setaf 7)\]"
COLOR_GRAY="\[$($TTY  && /usr/bin/tput setaf 8)\]"
RESET="\[$($TTY  && /usr/bin/tput sgr0)\]"

function prompt_command  {     
    local TIMESTAMP="${BOLD}${COLOR_GRAY}\D{%d/%m %H:%M:%S}${RESET}"
    local CURPWD="${BOLD}${COLOR_BLUE}${PWD/#${HOME}/~}${RESET}"

    PS1=${PS1}"└─"${TIMESTAMP}${BOLD}"-> "


2017   bash   IT   linux
2017   life

Opera Neon

Funny browser: mouse multitouch, gestures, extensions, settings import, vpn, turbo, profile login – that’s all does not work. No Linux version. But tab management is really neat!

Strange things: there are 3 search engines pre-configured: google, Yandes and mail.ru. I am not located in the Russia though!

2017   desktop   mac   opera   opera neon

Google group calendars in Evolution Mail

If your organization uses Google Apps as mail service but you are using Evolution, there is no evident way to view and edit shared group calendars until recent versions. To add group calendar you need:

  1. go to calendar settings on web
  2. Calendar Address: -> ID (somenting like example.com_1d32345331343234213832@resource.calendar.google.com)
  3. Evolution -> New Calendar -> Google
  4. User name -> this ID
  5. Auth with usual name-pass or other means you use (Kerberos, OTP) in the window appear.
  6. Allow Evolution to use the Google’s resources.
2017   desktop   IT   linux


Recently I have checked my messages headers of the mail that comes from the andreybondarenko.com MX and found that Google shows that my DKIM signature is invalid:

Authentication-Results: mx.google.com; dkim=temperror (no key for
 signature) header.i=@andreybondarenko.com;

In the spam score section:


However the header itself is present:

DKIM-Filter: OpenDKIM Filter v2.10.3 andreybondrenko.com CE25780BAC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=andreybondarenko.com; s=default; t=1483634085;

I have found that it’s quite common configuration error of the OpenDKIM, the selector you choose to store key can be chosen randomly, but the TXT record should match /etc/opendkim.conf. In my case:

##  Defines the name of the selector to be used when signing messages.
Selector   default

But the DNS record:

[user@andreybondarenko ~]$ dig TXT mail._domainkey.andreybondarenko.com

mail._domainkey.andreybondarenko.com. 1800 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdGRWtWPPZVIg0fy7Pr0+rsBsoL6Imt1GBE/QRd3X5Izv1iAJFUsOtea

Changing ‘Selector’ to ‘mail’ and restating opendkim (it’s faster then change DNS):

Authentication-Results: mx.google.com; dkim=pass

In the spam score section:

2017   dkim   linux   mail   security

Let’s encrypt cert updates

Let’s encrypt is wonderful, but certificate are getting expired every 3 months. Since it’s a first time I need to renew them, I have done it manually. The tool authenticates you (by default) with special file created in the .well-know/acme-challenge directory of the root, so the blog engine should not interfere or rewrite anything and should not return it’s own 404 page. Historically my nginx.conf has lots of existing redirects and rules, I am too lazy to correct and simplify it, so simple

localtion ~ .well-known {
        allow all;

does not work. And I am too lazy to figure out why it is so (bad for me). So the most simple way to renew certs for me is to switch to minimal config. Putting it here for the future reference.

user  nginx;  
worker_processes  1;
error_log  /var/log/nginx/error.log;
pid        /run/nginx.pid;
events {
    worker_connections  1024;
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    server_names_hash_bucket_size 128;
    index   index.html index.htm;
    server { listen 80;
        listen [::]:80;
        server_name andreybondarenko.com;
location / {
                 root   /var/www/;

2016   IT   linux   nginx
Earlier Ctrl + ↓