Notes Windows Manager
wmctrl
Launch an application in a specific workspace
apt-get install wmctrl
Off-Screen Window Restore
Source : https://github.com/mezga0153/offscreen-window-restore
A simple shell script that moves off-screen windows back.
This script was made to fix a bug in unity where if you have multiple monitors, when they wake up after being off some windows move off-screen.
sudo apt-get install wmctrl x11-xserver-utils
offscreen-window-restore.sh
#!/bin/bash
#
# This script moves back windows that have been moved off screen
#
# Author: Tine Mezgec tine.mezgec@gmail.com
#

width=`xrandr | grep current | awk {'print $8'}`

wmctrl -l -G | awk -v w=$width '{
    if ($8 != "unity-dash" && $8 != "Hud") {
        if ($3 >= w || $3 < 0) {
            system("wmctrl -i -r " $1 " -e 0," sqrt($3*$3) % w ",-1,-1,-1");
        }
    }
}'

height=`xrandr | grep current | awk {'print $10'} | cut -d ',' -f1`

wmctrl -l -G | awk -v h=$height '{
    if ($8 != "unity-dash" && $8 != "Hud") {
        if ($4 >= h || $4 < 0) {
            system("wmctrl -i -r " $1 " -e 0,-1," sqrt($4*$4) % h ",-1,-1");
        }
    }
}'

# restart unity to avoid problems with restored windows (unclickable areas)
unity
Poezio XMPP client
Poezio does not (to date) support BOSH (XMPP over HTTPS); use SSH and Corkscrew instead, for example.
SSH tunnel over HTTPS
Thanks to the team at https://jappix.com/?r=poezio@muc.poez.io
Installation
git clone git://git.poez.io/poezio
cd poezio/
python3 setup.py install --user
Install OTR http://doc.poez.io/0.9/plugins/otr.html
git clone https://github.com/afflux/pure-python-otr.git
cd pure-python-otr
python3 setup.py install --user
Automatically load the plugin at startup
~/.config/poezio/poezio.cfg
# Colon-separated list of plugins to load on startup
plugins_autoload = otr:tell
Launch
~/.local/bin/poezio
~/.config/poezio/poezio.cfg
jid = jean@acme.fr
# Server address. Normally not needed, since it is resolved via DNS
custom_host = 192.168.2.100
Error log file: ~/.local/share/poezio/logs/errors.log
Notes windows - Active Directory AD - Kerberos - WinRM
See:
- Prerequisites_for_ad_to_support_sssd_id_mapping
AD WinRM network flows
The following ports are used:
- 5985/tcp (cleartext)
- 5986/tcp (TLS)
Check listening ports
netstat -an | findstr "5985 5986"
netsh http show iplisten
Get-Service WinRM
Problem: Connection refused
This problem occurs because one or more of the following conditions are true:
- The application is experiencing problems or is not running?
- The user does not have Remote PowerShell Enabled status.
- Windows Remote Management (WinRM) is configured incorrectly on the server.
Test with curl
source : https://gist.github.com/g3rhard/b8a829b4932be9c3e8854656945f32d9
check_winrm.sh
#!/bin/bash

if [ $# -eq 0 ]; then
    echo "please provide hostname or ip address"
    exit 1
fi

url=$1

# Unauthenticated WS-Management Identify request (XML attribute values must be quoted)
output=$(curl -s -f -k -m 10 \
    --header "Content-Type: application/soap+xml;charset=UTF-8" \
    --header "WSMANIDENTIFY: unauthenticated" \
    "http://${url}:5985/wsman" \
    --data '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>' || true)

if [[ $output == *"IdentifyResponse"* ]]; then
    echo "Online"
else
    echo "Offline"
fi
Testing domains / domain controllers
winrm_check_domains.sh
#! /bin/bash

set -uo pipefail

echo "DOMAIN;IS_AD;FLUX_TCP88"

#for DOMAIN in $(grep -v -e '^#' domains.txt)
while read -r DOMAIN
do
    # A domain with no _kerberos SRV record under dc._msdcs is not treated as AD
    if [[ $(dig +short SRV _kerberos._tcp.dc._msdcs."${DOMAIN}" | wc -l) -eq 0 ]]
    then
        IS_DOM_AD=N
        TCP=na
    else
        IS_DOM_AD=Y
        declare -i DOM_TCP_ERR=0
        for SRV in $(getent hosts "$DOMAIN" | awk '{ print $1 }')
        do
            echo "$SRV" >> plop.txt
            timeout 2 curl -s --connect-timeout 1 telnet://"${SRV}":88 </dev/null
            # Exit status 124 means timeout killed curl, i.e. the TCP connection
            # to port 88 stayed open; any other status is counted as an error
            if [[ "$?" -ne 124 ]]
            then
                DOM_TCP_ERR=$(( DOM_TCP_ERR + 1))
            fi
        done
        if [[ "$DOM_TCP_ERR" -eq 0 ]]
        then
            TCP=OK
        else
            TCP=NOK
        fi
    fi
    echo "$DOMAIN;$IS_DOM_AD;${TCP}"
# done
done < domains.txt
WinRM connection from GNU/Linux
sudo apt-get install winrm
winrm-go -hostname 192.168.237.29 -username Administrator -password "P@ssw0rd" cmd

sudo apt-get install txwinrm
winrm --remote 192.168.237.29 --username "Administrator" --password "P@ssw0rd" -f "select * from Win32_NetworkAdapter"
winrm --remote 192.168.237.29 --username "Administrator" --password "P@ssw0rd"
Ansible
sudo apt-get install python-pip
sudo pip install pywinrm
ansible -u Administrator -i 192.168.237.29, -m win_ping --connection=winrm -e ansible_winrm_server_cert_validation=ignore -k all
ansible -u Administrator -i 192.168.237.29, -m setup --connection=winrm -e ansible_winrm_server_cert_validation=ignore -k all
The ansible.windows collection is required.
play-test-ping-win.yml
#! /usr/bin/env ansible-playbook
---

- name: ping win
  hosts: all
  #gather_facts: no
  vars:
    #ansible_ssh_user: 'Administrator'
    ansible_winrm_user: 'Administrator'
    #ansible_ssh_pass: 'P@ssw0rd'
    #ansible_winrm_transport: basic
    #ansible_ssh_port: 5985
    ansible_winrm_port: 5985
    ansible_connection: winrm
    ansible_winrm_server_cert_validation: ignore

  tasks:
    - name: ping
      win_ping:
./play-test-ping-win.yml -i 192.168.237.29, -k
WinRM with Kerberos
- in the credentials used: write the Kerberos realm in uppercase (example: USER1@DOMAIN.LOCAL)
- in the inventory, modify the target by giving it the following characteristics:
  - as the hostname, use the FQDN: the host srv1 becomes srv1.acme.local
# dig any +short _kerberos._tcp.dc._msdcs.acme.local
dig srv +short _kerberos._tcp.dc._msdcs.acme.local
nslookup
set type=all
_kerberos._tcp.acme.local
_kerberos._tcp.dc._msdcs.acme.local
In the host variables
ansible_connection: winrm
ansible_winrm_host: srv1.acme.local
ansible_winrm_server_cert_validation: ignore
#ansible_winrm_port: 5986
#ansible_winrm_transport: kerberos
To validate the Kerberos connection, from an execution node:
kinit USER1@ACME.LOCAL
A password is requested.
Then, to display the associated ticket:
klist
Ansible error messages
| Name or service not known | The name is incorrect or is not an FQDN |
| Max retries exceeded with url.*timed out | Network flows not open |
| Server not found in Kerberos database.*timed out | The server is not known to the AD (workgroup?) |
| Cannot contact any KDC for realm (unless Max retries exceeded) | The domain is not an AD forest |
| Specified credentials were rejected by the server | Wrong password, or account locked / expired |
Problems
Problem: wrong account name or password
$ winrm-go -hostname 192.168.237.29 -username Administrator -password "P@ssw0rd" cmd
http error: 401 -
Wrong account name or password
Problem: credentials have been revoked while getting initial credentials
Kerberos auth failure for principal SRV_APP_PLOP@ACME.LOCAL with pexpect: Client's credentials have been revoked while getting initial credentials
The account is locked.
See: Windows - Active Directory - Check whether an AD account is locked
Err - Cannot contact any KDC for realm
Ansible win_ping WinRM error
{ "unreachable": true, "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), (\"Cannot contact any KDC for realm 'ACME.LOCAL'\", -1765328228)), ssl: the specified credentials were rejected by the server", "changed": false }
$ dig A +short acme.local
192.168.18.172
172.16.1.248
172.16.1.246
172.16.1.249
172.16.1.247
Only one server answers ping (routing problem)
$ dig A +short acme.local |xargs -P5 -I '{}' bash -c 'ping -c 1 -W 2 {} >/dev/null 2>&1 && echo {}'
192.168.18.172
The KDCs are unreachable, except one.
Fortunately, we have one KDC reachable via another route or on another VLAN.
Workaround
$ echo "192.168.18.172 acme.local acme.local." | sudo tee -a /etc/hosts
$ dig SRV _ldap._tcp.dc._msdcs.acme.local +short |awk '{print $4}' |xargs -L1 -I'{}' bash -c 'echo 192.168.18.172 {}' | sudo tee -a /etc/hosts
192.168.18.172 dc1.acme.local.
192.168.18.172 dc2.acme.local.
192.168.18.172 dc3.acme.local.
192.168.18.172 dc4.acme.local.
Other
Ansible requires PowerShell v3.0 or newer
Notes Wifi WPA wpa_supplicant
Simple example
See https://www.raspberrypi.org/documentation/configuration/wireless/wireless-cli.md
/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=FR

network={
    ssid="Livebox-2930"
    psk="FFFFFFFFFFFFFFFFFFFFFFFFFF"
}
wpa_passphrase "Livebox-2930" | sudo tee -a /etc/wpa_supplicant/wpa_supplicant.conf
PKI with RADIUS
/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

auto wlp12s0
iface wlp12s0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
#fast_reauth=1

network={
    ssid="acme-wifi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    eap=TLS
    identity="acme-wifi@acme.com"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/acme-wifi.pem"
    private_key="/etc/cert/acme-wifi.key"
    private_key_passwd="secret"
}
Debug
wpa_supplicant -Dnl80211 -iwlo1 -c /etc/wpa_supplicant/wpa_supplicant.conf
wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -iwlp12s0 -d -f debug.log
Notes Weboob
Traveloob
RER example
traveloob departures CHATELET-LES-HALLES@transilien LA-DEFENSE-GRANDE-ARCHE@transilien
SNCF train example
traveloob departures paris nancy 2015-04-02 09:00
Wetboobs
alias meteo="wetboobs forecasts 75001@meteofrance ; echo ; wetboobs forecasts 615702@yahoo"
meteo
Videoob
videoob search groland
Problem
Currently no longer works for Caisse d'Épargne
Problem
weboob-config update
$ boobank -d list
2015-12-08 09:27:17,600:DEBUG:modules:1.0:modules.py:161:load_module Loaded module "caissedepargne" from /home/jibe/.local/share/weboob/modules/1.0/caissedepargne
2015-12-08 09:27:17,601:DEBUG:backend:1.0:modules.py:98:create_instance Created backend "caissedepargne" for module "caissedepargne"
Account Balance Coming
---------------------------------------------------------+----------+----------
2015-12-08 09:27:17,612:DEBUG:bcall:1.0:bcall.py:81:backend_process <Backend 'caissedepargne'>: Calling function <bound method Boobank._do_complete of <weboob.applications.boobank.boobank.Boobank object at 0x7feaa247b850>>
2015-12-08 09:27:17,946:DEBUG:backend.caissedepargne.browser:1.0:browser.py:405:lowsslcheck Found 9a5af08c31a22a0dbc2724cec14ce9b1f8e297571c046c2210a16fa3a9f8fc2e as certificate hash
2015-12-08 09:27:17,946:DEBUG:bcall:1.0:bcall.py:87:backend_process <Backend 'caissedepargne'>: Called function <bound method Boobank._do_complete of <weboob.applications.boobank.boobank.Boobank object at 0x7feaa247b850>> raised an error: BrowserSSLError()
Error(caissedepargne): website is unavailable.
---------------------------------------------------------+----------+----------
Total 0.00 0.00
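Solution:
import ssl
from hashlib import sha256

domain = 'www.caisse-epargne.fr'
# get_server_certificate() returns the PEM text; encode it to bytes before hashing (Python 3)
sha256(ssl.get_server_certificate((domain, 443)).encode('ascii')).hexdigest()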
'9a5af08c31a22a0dbc2724cec14ce9b1f8e297571c046c2210a16fa3a9f8fc2e'
/home/jean/.local/share/weboob/modules/1.0/caissedepargne/browser.py
class CaisseEpargne(Browser):
    DOMAIN = 'www.caisse-epargne.fr'
    PROTOCOL = 'https'
    CERTHASH = ['dfff27d6db1fcdf1cea3ab8e3c1ca4f97c971262e95be49f3385b40c97fe640c',
                '9894ab2088630f341de821a09f1286c525f854f62ac186bd442368b4692c5969',
                '0e0fa585a8901c206c4ebbc7ee33e00e17809d7086f224e1b226c46165a4b5ac',
                '74FBF3380D32F4C01137CE37FDC19CBC3B560058EED653B5B27EA3260E42C2F6',
                '9a5af08c31a22a0dbc2724cec14ce9b1f8e297571c046c2210a16fa3a9f8fc2e']
Test
openssl s_client -connect www.caisse-epargne.fr:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ce.pem
openssl x509 -noout -in ce.pem -fingerprint -sha256
SHA256 Fingerprint=74:FB:F3:38:0D:32:F4:C0:11:37:CE:37:FD:C1:9C:BC:3B:56:00:58:EE:D6:53:B5:B2:7E:A3:26:0E:42:C2:F6
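The Python snippet above hashes the PEM text returned by ssl.get_server_certificate, while openssl x509 -fingerprint hashes the DER encoding, so one certificate yields two different SHA-256 values. The following is an added example, not weboob code: it computes both forms and reports which one a pin list contains. The function names and the sample PEM (armour around placeholder bytes) are constructed for illustration, and the case-insensitive comparison is this example's choice.

```python
import hashlib
import ssl


def normalize_pin(pin: str) -> str:
    """Lower-case a hex digest and drop the colons that openssl prints."""
    return pin.replace(":", "").strip().lower()


def pin_forms(pem: str) -> dict:
    """Return both SHA-256 digests commonly called 'the certificate hash'."""
    # PEM_cert_to_DER_cert strips the BEGIN/END armour and base64-decodes.
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {
        # Digest of the PEM text itself: depends on the exact armour and newlines.
        "pem-text": hashlib.sha256(pem.encode("ascii")).hexdigest(),
        # Digest of the DER bytes: what `openssl x509 -fingerprint -sha256` shows.
        "der": hashlib.sha256(der).hexdigest(),
    }


def openssl_style(hex_digest: str) -> str:
    """Format a hex digest as upper-case, colon-separated byte pairs."""
    h = hex_digest.upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def match_pin(pem: str, pins: list) -> list:
    """List which digest forms of this certificate appear in the pin list."""
    wanted = {normalize_pin(p) for p in pins}
    return [form for form, digest in pin_forms(pem).items() if digest in wanted]


# Constructed sample: PEM armour around placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate " * 4
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    forms = pin_forms(SAMPLE_PEM)
    print("sha256(PEM text):", forms["pem-text"])
    print("sha256(DER)     :", openssl_style(forms["der"]))
    # A pin list that holds only the openssl-style fingerprint matches the DER form.
    print("matched forms   :", match_pin(SAMPLE_PEM, [openssl_style(forms["der"])]))
```

To compare against a live server, pass the string returned by ssl.get_server_certificate((domain, 443)) as the pem argument.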
