Fish shell MOTD with lolcat and cowsay

Setting fish shell message of the day with all the crazy stuff you need for a daily work:

function fish_greeting
     set -l toon (random choice {default,bud-frogs,dragon,dragon-and-cow,elephant,moose,stegosaurus,tux,vader})
         fortune -s | cowsay -f $toon | lolcat
 end

Full version: https://gist.github.com/angstbear/a0499e955ecf282c06c4a7dd9cb8bd35

Extract PEM certificates and keys from a shared NSS DB

$ certutil -L -d .

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

FreeIPA CA CT,C,C

$ certutil -L -d . -a -n ‘FreeIPA CA’ > freeipa.crt

The PEM certificate should now be stored in free-ipa.crt.

To extract the PEM key from key3.db use certutil, pk12util and openssl.

$ certutil -K -d . -a
$ pk12util -o keys.p12 -n ‘FreeIPA Key’ -d .
$ openssl pkcs12 -in keys.p12 -out freeipa.key -nodes

Google Accounts engine problem and Gnome 3

I have login.keychain corrupted in my Gnome 3 enabled workplace due to the recent Google Accounts engine problem. For some reason it has become completely unusable, Gnome Keychain was unable to unlock it, Google Chrome stopped loading sites, goa-daemon died (as usual) and Evolution has stopped getting mail.

Goog Friday morning frustration.

OOM-killer fun

Recently I had installed RHEL 7 FreeIPA test lab on my workplace. I have made virtual host with default 1GB RAM, installed the system, enrolled it into the IPA domain OK, then tried ipa-replica-install. Turns out that 1GB is not enough and OOM-killer tries to solve the problem by killing processes that ipa-replica-install had spawned. Surprisingly turns out that for some reason the script is not detecting errors caused and you have strangely configured replica as the result.

AD + SSSD

If you have host in the AD with the SSSD then your root user can be any user from the domain. So

%groupname ALL=(ALL) NOPASSWD:ALL

would actually give permissions to all users from the “groupname” to become any AD user they want, and if they’re SSH’ng the localhost then, they would have Kerberos ticket as well. It is not actually that evident, but Active Directory is an identity provider, so if you are superuser on the host — you can be AD user on the host.