swift stack install fails due to ssl certificate mismatch - centos

I am attempting to install the swift stack, but it fails because of an ssl verification error:
[root@localhost ~]# wget https://pypi.python.org/packages/source/s/setuptools/setuptools-0.9.8.tar.gz
- 2013-12-11 11:30:32 p.m. - https://pypi.python.org/packages/source/s/setuptools/setuptools-0.9.8.tar.gz
Resolution pypi.python.org ... 185.31.17.184, 185.31.17.185
Login to pypi.python.org | 185.31.17.184 |: 443 ... connected.
ERROR: The common name "*.a.ssl.fastly.net" certificate does not match the name of the host requested "pypi.python.org".
To connect to unsecured pypi.python.org, use `--no-check-certificate'.

Hi, please follow the SAIO guide; it will be helpful in installing OpenStack Swift: http://docs.openstack.org/developer/swift/development_saio.html
Hope it helps.
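The wget error in the question is a name comparison between the requested host and the names in the certificate. The sketch below is an added example, not code from either post: it shows how a check that only reads the common name rejects a certificate that a subjectAltName-aware check accepts. The certificate dictionary follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and its SAN list is constructed for illustration, not taken from the real server.

```python
def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' only as the whole leftmost label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False                      # a wildcard covers exactly one label
    if any("*" in label for label in p[1:]):
        return False                      # no wildcard outside the first label
    if p[0] == "*":
        # Conservative choice: require at least two fixed labels ("*.com" fails).
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in p[0] and p == h     # partial wildcards such as "f*" rejected

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def verify_host(cert, host, san_aware=True):
    """Return (ok, names_checked). SAN entries take precedence over the CN."""
    sans = dns_sans(cert) if san_aware else []
    candidates = sans or common_names(cert)
    return any(name_matches(n, host) for n in candidates), candidates

# Constructed certificate: the CN is the one in the error message above,
# the SAN list is an assumption made for this example.
CERT = {
    "subject": ((("commonName", "*.a.ssl.fastly.net"),),),
    "subjectAltName": (("DNS", "*.a.ssl.fastly.net"), ("DNS", "pypi.python.org")),
}

if __name__ == "__main__":
    for aware in (False, True):
        ok, names = verify_host(CERT, "pypi.python.org", san_aware=aware)
        print("SAN-aware" if aware else "CN-only ", "->", "match" if ok else "mismatch", names)
```

Running the comparison against the names a client actually reads tells you whether the mismatch comes from the server's certificate or from the client's verification logic, which is a better basis for a fix than `--no-check-certificate`.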

Related

Rundeck - problem with jaas LDAPS configuration

[SOLVED - answer in comments]
I've followed how-to from https://docs.rundeck.com/docs/administration/security/authentication.html#communicating-over-secure-ldap-ldaps
Authentication works great for LDAP, but when I change to LDAPS (I am only changing providerUrl="ldap://" to ldaps:// stanza in custom jaas conf), an error is returned:
ERROR jaas.JettyCachingLdapLogModule - Naming error
javax.naming.CommunicationException: simple bind failed: <AD IP>
AD is listening on port 636.
I suspect the problem may be with authenticationMethod="simple" - but when I try to change it to "tls:simple" (per https://docs.oracle.com/cd/E53394_01/html/E54912/ldapsecure-75.html) Rundeck claims there's a syntax issue.
Have you had a similar problem?
How do I switch from simple auth to TLS?

Authentication Issues (KRB5\GSS)

We are looking to migrate some systems away from MSSQL. We have our first few environments built and are currently using LDAP, which is OK but has a good number of flaws.
I followed this link to set up Kerberos\GSS for the most part: https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
Off the bat I got the below error when trying to connect:
psql: error: SSPI continuation error: The specified target is unknown or unreachable
I believe the SPN is set up properly:
setspn -S POSTGRES/server.domain.local domain\service_account
I suspect something is wrong in the keytab file, as there is an extra "\" between the server FQDN and domain:
Keytab name: FILE:/opt/pgsql/server.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 postgres@server.domain.local\@DOMAIN.LOCAL
Server side error:
2020-12-28 18:37:43.820 EST [64534] user@DOMAIN.LOCAL@postgres FATAL: GSSAPI authentication failed for user "user@DOMAIN.LOCAL"
2020-12-28 18:37:43.820 EST [64534] user@DOMAIN.LOCAL@postgres DETAIL: Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 gss"
I'd appreciate any feedback and thank you!

x509: certificate has expired or is not yet valid

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml --insecure-skip-tls-verify=true
I get the output below:
Unable to connect to the server: x509: certificate has expired or is not yet valid
kubernetes 1.14.0
When I use the command below:
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
I got the message below:
--2019-12-15 19:08:41-- https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 127.0.0.1
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|127.0.0.1|:443... connected.
ERROR: cannot verify raw.githubusercontent.com's certificate, issued by "XXXXX"
It's just because I can't use https in the terminal; it's not related to the k8s certificate.
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 127.0.0.1
You are trying to connect to localhost.
Please check what you have in your /etc/resolve.conf. The issue looks like an issue with your local certificate.
I have just attempted to reproduce it and confirm it's working as expected. I'm able to download that file.
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
--2019-12-16 11:56:54-- https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14416 (14K) [text/plain]
Saving to: ‘kube-flannel.yml’
kube-flannel.yml 100%[==============================================================================================================================>] 14.08K --.-KB/s in 0.02s
2019-12-16 11:56:54 (664 KB/s) - ‘kube-flannel.yml’ saved [14416/14416]
Hope that helps

Not able to authenticate SMTP clients on Debian+Postfix+SASL with rimap

I'm having a strange problem. I followed a few guides from the net. My goal is to create an SMTP Postfix server that will use Cyrus SASL to authenticate users, upon sending email, against a different IMAP server.
To put it more simply: I have to replace the current SMTP server with a new one, as the current one is on a public cloud and gets on blacklists pretty often.
What I managed so far is:
Working Postfix
Authentication working when using:
testsaslauthd -u user@domain.com -p password
I'm getting Ok "Success" so I assume sasl itself works.
When I invoke saslfinger -s
I'm getting:
There is no smtpd.conf that defines what SASL should do for Postfix.
SMTP AUTH can't work!
but it seems that all is fine within the configuration files:
/etc/postfix/sasls/smtp.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/postfix/main.cf:
smtpd_recipient_restrictions = reject_invalid_hostname,
permit permit_mynetworks,
permit_sasl_authenticated
disable_vrfy_command = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
/etc/default/saslauthd-postfix:
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="domain.com -r"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I'm running Postfix chroot'ed so I had to create a symlink, but like I said, it all seems to work independently; it just needs to be linked somehow.
When I try to set up the account in Outlook, I get wrong name or password.
The log on Debian says:
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL NTLM authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: SASL authentication failure: unable to canonify user and get auxprops
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL LOGIN authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: lost connection after AUTH from unknown[192.168.108.1]
May 11 23:35:43 smtp-test postfix/smtpd[741]: disconnect from unknown[192.168.108.1]
The strange thing is that it tries NTLM (not mentioned anywhere) instead of RIMAP, and it cannot make a canonical name of the user even after adding the -r switch that should combine name and realm/domain name.
I guess that is related to the first warning from saslfinger but I cannot find the cause.
All updated to newest available versions.
Any help?
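The post above lists `mech_list: PLAIN LOGIN` while the log shows failures for other mechanisms. As an added example (not part of the original post), the following compares the mechanisms seen in Postfix `smtpd` failure lines with the configured `mech_list`; the sample config and log lines are copied from the post, and the function names are hypothetical.

```python
import re

# Postfix smtpd warning written when a SASL exchange with a client fails.
FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<client>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<reason>.*)$"
)

def parse_mech_list(conf_text):
    """Return the mechanisms named by 'mech_list:' in a Cyrus SASL config."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mech_list":
            return [m.upper() for m in value.split()]
    return []

def attempted_mechanisms(log_text):
    """Mechanisms that appear in failure lines, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and m.group("mech").upper() not in seen:
            seen.append(m.group("mech").upper())
    return seen

def mechanisms_outside_config(conf_text, log_text):
    """Mechanisms the log shows that the config does not list."""
    allowed = set(parse_mech_list(conf_text))
    return [m for m in attempted_mechanisms(log_text) if m not in allowed]

# Sample input taken from the post above.
CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
LOG = """\
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL NTLM authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: SASL authentication failure: unable to canonify user and get auxprops
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL LOGIN authentication failed: authentication failure
"""

if __name__ == "__main__":
    print("configured:", parse_mech_list(CONF))
    print("attempted: ", attempted_mechanisms(LOG))
    print("not in mech_list:", mechanisms_outside_config(CONF, LOG))
```

Mechanisms in the log that are absent from `mech_list` suggest the file carrying that `mech_list` is not the configuration in effect for `smtpd`, which is consistent with the saslfinger warning quoted in the post.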

wget proxy authentication error

I get the following error when trying to connect to an http URL through a proxy using wget.
The error:
wget "http://pro.fastmarkets.com/feeds/default.aspx?usr=anzbank&pwd=587345bv98735vb2b56&feed=physicals-csv" -O /tmp/test.csv
**wget: Error in /home/acdbaqa/.wgetrc at line 3.**
--06:04:15-- http://pro.fastmarkets.com/feeds/default.aspx?usr=anzbank&pwd=587345bv98735vb2b56&feed=physicals-csv
=> `/tmp/test.csv'
Connecting to 59.154.134.109:80... connected.
Proxy request sent, awaiting response... 407 Proxy Authentication Required
06:04:15 ERROR 407: Proxy Authentication Required.
My .wgetrc file contents:
http_proxy=59.154.134.109:80
proxy_user=ACPROXYPROD
proxy_password=test
#password='Ev*luti*n0456789'
#proxy-password='Ev*luti*n0456789'
ftp_proxy=204.2.23.10:80
Line 3 is the password. Am I missing anything here? Not sure why it says error at line 3.
This was solved by changing the .wgetrc file with the below parameters
proxy-user=ACPROXYPROD
proxy-passwd=test1245
it is NOT proxy_user and proxy_password.
You are using an older wget release where the password setting used the following syntax (note the missing "or" in password):
proxy_passwd=test