LocalLost

After enabling AD authentication on a server you might end up with a « huge » /var/log/lastlog file that in my case did not played nice with my BackupPC with rsync xfer method: it resulted in a 300 GB lastlog file!

The reason is that this /var/log/lastlog file is a « pre-allocated database » file that stores the login activity for all the users UIDs on the server, and being connected to a Samba AD DC, I now have users with UIDs well above 1 billion! This « pre-allocation » uses the sparse feature and allows to have a 300 GB file allocated using only 28 KB of real disk space:

# ls -lh /var/log/lastlog
-rw-rw-r-- 1 root utmp 279G oct.  31 12:35 /var/log/lastlog

# ls -sh /var/log/lastlog
28K /var/log/lastlog

Handy feature. However, when you start backuping a host like this, you might end up with disk-usage problems when all your backup chain is not « sparse-aware » and is not able to treat sparse files efficiently.

This showed up with BackupPC using the rsync transfer method, when dumping this new host blew up my disk space.

The problem here is that the BackupPC’s rsync transfer do not handle sparse file « efficiently » resulting in effectively retrieving and storing 300 GB of data before compressing it to its cpool.

Warning : do not try to add the --sparse flags to the rsync transfer method as the BackupPC’s rsync receiver is not compatible with it or you might end up with corrupted files in your backup.

So, the only safe solution for the moment is to exclude the /var/log/lastlog from backup.

P.S.: here is a quick one-liner to detect sparse files, ordered by increasing ratio of real-data-size / total-sparse-size (lower means a huge sparse file with few data in it):

find / -type f -printf "%S\t%h/%f\n" 2>/dev/null | grep -v '^0[[:space:]]' | sort -k1g | head

Testing Gzip and Gnupg throughput for compressing and encrypting large files on-the-fly on Intel Core i5-6200U @2.30 GHz.

gzip vs. pigs:

• gzip --best : 23,8 MB/s
• pigz -p 2 --best : 51 MB/s
• pigs -p 4 --best : 60 MB/s

gpg vs. gpg2:

• gpg --encrypt : 19,5 MB/s

• gpg2 --encrypt : 22,5 MB/s

• gpg --encrypt --compress-level 0 : 56,5 MB/s

• gpg2 --encrypt --compress-level 0 : 98,5 MB/s

Summary :

• Gzip compression (with --best level) is the limiting factor: use pigz to parallelize and maximize compression throughput.
• Gnupg performs by default a compression which is redundant if you feed him already compressed files: use pigz to parallelize and maximize the throughput AND disable Gnupg’s compression (--compress-level 0). Also, if you leave Gnupg’s compression on, it might not be able to parallelize it as pigz does, hence the benefit of performing the compression separately with pigz to maximize throughput.
• gpg2 is almost two time faster than gpg when performing AES256 encryption: use gpg2 to maximize throughput.
• The overall best « combo » for compressing and encrypting large files on-the-fly might be: pigz --best | gpg2 --encrypt --compress-level 0

Trying to join an AD domain (Sama 4 AD DC) from a specific (Ubuntu 20.04) server would fail with a « Server not found in Kerberos database » error:

# realm join -U john.doe -v AD_EXAMPLE_NET
 * Resolving: _ldap._tcp.ad.example.net
 * Performing LDAP DSE lookup on: 10.100.100.2
 * Successfully discovered: ad.example.net
Password for john.doe:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.example.net --domain-realm AD.EXAMPLE.NET --domain-controller 10.100.100.2 --login-type user --login-user john.doe --stdin-password
 * Using domain name: ad.example.net
 * Calculated computer account name from fqdn: SRV
 * Using domain realm: ad.example.net
 * Sending NetLogon ping to domain controller: 10.100.100.2
 * Received NetLogon info from: smb.ad.example.net                                                                                                      
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-dN4Dz2/krb5.d/adcli-krb5-conf-JLqdZ0
 * Authenticated as user: john.doe@AD.EXAMPLE.NET
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to ad.example.net domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain

It turns out that this problem was that the IP address of the AD controller would not resolve back in reverse to it’s original DNS name!

The explanation of this problem (and solution) was found in the following post: https://aws.nz/best-practice/ad-join/

The solution is either to:

• set a correct DNS reverse PTR that points back to the DNS name of the AD controller
• or add the option rnds = false in the [libdefaults] setion in `/etc/krb5.conf`

After a DSL/network outage, I launched a tcpdump on the ethernet interface to see if pppd was renegotiating the PPPoE session, and I saw all these LCP Term-Request frames that seems to come from other customers’ equipments (given the various source MAC addresses) and destined to a Siara Systems equipment (which I guess is a DSLAM, or core router, on which all these equipments are connected).

Is this an expected behavior to receive all these LCP Term-Request frames?

Here is a sample of unique/sorted frames captured during the DSL/network outage:

Continuer la lecture →