Category: System Administration

December 6, 2025

Expanding a qcow2-backed system disk (host + guest)

Expanding a qcow2-backed system disk (host + guest) — guest volume is lvm and xfs file system

HOST (resize qcow2)

Optional backup:
cp –reflink=auto /vms/fedora02.qcow2 /vms/fedora02.qcow2.bak
Offline resize (VM stopped):
qemu-img resize /vms/fedora02.qcow2 +5G
# Start the VM after resizing.

GUEST (grow partition, PV, LV, filesystem)

Confirm the disk shows the larger size:
lsblk -o NAME,SIZE,TYPE,MOUNTPOINT
#If needed:
#partprobe /dev/sda
Grow the LVM partition (sda2) to the end of the disk:
dnf install -y cloud-utils-growpart
growpart /dev/sda 2
partprobe /dev/sda
Resize the LVM PV and extend the root LV:
pvresize /dev/sda2
lvextend -l +100%FREE /dev/fedora/root
Grow the filesystem:
xfs_growfs /
Verify:
lsblk -o NAME,SIZE,TYPE,MOUNTPOINT
df -h /

December 3, 2025

Exchange SMTP – Sender Reputation DB

Our Exchange server was refusing mail

451 4.7.0 Temporary server error. Please try again later. PRX5

Attempts to send mail would connect, send data, and then hang for a few seconds before returning the tempfail error.

Looks like there’s “sender reputation” data stored at .\Exchange Server\V15\TransportRoles\data\SenderReputation that is used. Since I’m not actually doing filtering on the Exchange server, stopping the transport services, moving the files out of the folder, and then re-starting the services rebuilt the data and allowed mail to send again.

December 2, 2025

LSOF Scoped To Multiple PIDs

You can run lsof -p with a comma-delimited list of PIDs — but you can also transform the pidof output into a comma separated list of PIDs. Which means you can run lsof for all of the PIDs associated with a specific program. In my case, it’s rsync …

lsof -p “$(pidof rsync | tr ‘ ‘ ‘,’)”

November 29, 2025

Linux: Getting Drive Serial Number

[lisa@FVD01 /mnt/lisa/]# smartctl -i /dev/sdc
smartctl 7.5 2025-04-30 r5714 [x86_64-linux-6.15.7-200.fc42.x86_64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family: Western Digital Red (CMR)
Device Model: WDC WD40EFRX-68N32N0
Serial Number: WD-WCC7K4HY5TKD
LU WWN Device Id: 5 0014ee 2b9a3d0c5
Firmware Version: 82.00A82
User Capacity: 4,000,787,030,016 bytes [4.00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 3.5 inches
Device is: In smartctl database 7.5/5706
ATA Version is: ACS-3 T13/2161-D revision 5
SATA Version is: SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Tue Dec 2 17:24:27 2025 EST
SMART support is: Available – device has SMART capability.
SMART support is: Enabled

2025-12-02 17:24:27 [root@FPP01 /mnt/MythAndZoneminder/]# smartctl -i /dev/sda
smartctl 7.5 2025-04-30 r5714 [x86_64-linux-6.15.7-200.fc42.x86_64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Model Family: Western Digital Red (CMR)
Device Model: WDC WD40EFRX-68N32N0
Serial Number: WD-WCC7K7JZSZ0E
LU WWN Device Id: 5 0014ee 264576d5e
Firmware Version: 82.00A82
User Capacity: 4,000,787,030,016 bytes [4.00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 3.5 inches
Device is: In smartctl database 7.5/5706
ATA Version is: ACS-3 T13/2161-D revision 5
SATA Version is: SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Tue Dec 2 17:24:38 2025 EST
SMART support is: Available – device has SMART capability.
SMART support is: Enabled

October 30, 2025

Getting Cert Info From Host

An OpenSSL command to retrieve the cert chain from a host and parse out the CN and expiry info

[lisa@linux05 ~]# openssl s_client -connect 10.5.5.75:443 -servername lisa.rushworth.us -showcerts </dev/null 2>/dev/null | sed -n ‘/BEGIN CERTIFICATE/,/END CERTIFICATE/p’ | openssl x509 -noout -subject -startdate -enddate -nameopt RFC2253
subject=CN=lisa.rushworth.us
notBefore=Sep 2 03:28:34 2025 GMT
notAfter=Dec 1 03:28:33 2025 GMT

August 19, 2025

PingFederate – OGNL Customization of AuthnContext

After a recent merger, we have added federated authentication in our PingFederate environment that allows the incoming company to continue to use their Entra (ADFS) logon process to authenticate through PingFederate. All of the IDs exist in our directory, and contract attributes are populated based on the local account. But the authentication is handled by their existing system. It’s really cool, and works for 99.9% of the applications. One, however, was not happy with the resultant attribute contract. It worked fine for me, logging in directly with PingFederate. Anyone who authenticated through Entra, however, got a very specific error:

AuthenticatingAuthority array contains a value which is not a wellformed absolute uri

And, yes, I concur – there is absolutely an element in the AuthenticatingAuthority array that is not a well-formed absolute URI

Luckily, there appears to be a solution. On the ACS URL tab, select “Show Advanced Customizations”

Use the drop-down to select the message type of “AssertionType” and the expression provided at https://support.pingidentity.com/s/article/OGNL-Examples-Message-Customization#rm-authauthority to remove authenticating authority values when multiple are present (which also works when only one is present)

Now I no longer have authenticating authorities but the AuthnContextClassRef is “urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony” … so, in the assertion creation, we need to add SAML_AUTHN_CTX to the attribute contract

In the attribute contract fulfillment, map this to a static TEXT string – I am using “urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified” which is used as the default in PingFederate

Final Answer! I have an AuthnContext that does not contain any invalid URI strings and a AuthnContextClassRef that is expected.

July 7, 2025

Quickref: tmux

Our newer servers don’t have screen – and you cannot install it – so I’ve had to start using tmux:

# list running sessions
tmux ls

# Start a new session or reattach to an existing session named LJR
tmux new-session -A -s LJR

# In session, detach
ctrl+b d Detach

# attach to an existing session named LJR
tmux attach-session -t LJR

June 23, 2025

Did you know … you can import accounts into Cyberark?

Adding one account to CyberArk takes about a dozen clicks. Adding fourteen was going to take me half the day!

Luckily, I discovered that the “Add account” button is actually a drop-down menu that also offers the ability to Add accounts from file

Create a CSV file with the following columns:

userName	address	safeName	platformID	secret	automaticManagementEnabled	manualManagementReason	groupName	logonDomain
user1	server1	OURSAFE	Generic Unmanaged	abc123	FALSE	Platform does not support automatic password management
user2	server2	OURSAFE	Generic Unmanaged	bcd234	FALSE	Platform does not support automatic password management
user3	server3	OURSAFE	Generic Unmanaged	cde345	FALSE	Platform does not support automatic password management
user4	server4	OURSAFE	Generic Unmanaged	def456	FALSE	Platform does not support automatic password management
user5	server5	OURSAFE	Generic Unmanaged	efg567	FALSE	Platform does not support automatic password management

Then browse to select the CSV file. It will show you how many accounts are included in the file – 6 here

Click “Upload”. The accounts will be created, and you will see a banner at the top of the site

June 18, 2025

Did you know … you can view just your favorite accounts in CyberArk?

Is your CyberArk account view an overwhelming list of accounts? You are constantly using “Search for accounts” to find one of the three accounts you regularly use because they are buried somewhere in this list?

There’s a better way! The star at the left-hand side of each line allows you to mark an account as a “Favorite”. There’s a link under “Views” to just display your favorite accounts. Even better, though, if you click on the ellipsis button to the right of the “Favorites” link, you can select “Set as default”.

Now, when you log into CyberArk, you immediately see your curated list of accounts instead of all of them!

April 22, 2025

Authenticating WebLogic Admin Console with SAML 2.0 and PingID

Log into your console. Navigate to “Security Realms” and click on your admin console’s realm – here “myrealm”

From the first row of tabs, select “Providers”. On the second row of tabs, ensure you are on “Authentication”. Click “New” to create a new identity asserter.

Provide a name – here, it is called SAML_IA – and ensure the type is “SAML2IdentityAsserter”

Click OK to create the item. Then click the “New” button again to create a new SAML Authenticator

Restart the WebLogic server, then navigate to “Environment” => “Servers” and select the AdminServer

On the first row of tabs, select “Configuration”, on the second row of tabs, select “Federation Servies”, and on the third row of tabs select “SAML 2.0 General”

The published site URL will be your WebLogic host base followed by /saml2

Provide a unique entity ID that needs to match up with what we configure in PingID. Here, I used “LJRWebLogic”

Save the changes and then use the “Publish Metadata” button to save a metadata file that I will use with PingID. You will be saving an XML file

Now select the “SAML 2.0 Service Provider” tab on the third row of tabs. Click “Enabled” to enable the service provider. POST binding should be enabled, but we do not need Artifact binding enabled. Click “Save” to save the changes.

Navigate back to “Security Realms” and select your realm. On the first row of tabs, select “Providers”; on the second row of tabs, select “Authentication”. Click the hyperlink for “SAML_IA”

Click the “Management” tab

You will be provided a metadata file from PingID. Place that somewhere on your server (I used /tmp). Click “New” and then select “New Web Single Sign-On Identity Provider Partner”

Navigate to the metadata file and select it. Provide a name for the identity provider – here, I used PingID. Cilck “OK” to import the PingID details.

Click on the new entry to configure it

Click “Enabled” to enable the Identity Provider. The redirect URIs should be /console/*

Finally, on the WebLogic Server Admin Console, navigate to the domain name -> [Configuration] -> [General] and expand the [Advanced] link

Update cookie name in WLS admin console to be JSESSIONID.

Save the changes and restart the WebLogic server. Navigating to the console, here https://docker.rushworth.us:7001/console, will direct the user to PingID for authentication and then redirect the user’s browser back to the WebLogic server. Looking in the upper right corner of the screen, they will see they are logged in with their directory ID.

Note: You can still access the local authentication dialog by navigating directly to console/login/LoginForm.jsp – e.g. http://docker.rushworth.us:7001/console/login/LoginForm.jsp — but the “normal” URL will redirect users to PingID

Note Also: There needs to be some step here to map PingID users to a role in WebLogic

Failing to do so, you will complete the PingID authentication but be denied access to the WebLogic Admin Console: