Repairing the Domain Trust Relationship

If a computer is restored from an old restore point or a snapshot that was created before the computer’s password was changed in AD, the machine password in the snapshot will differ from the AD computer object password.

When the trust relationship between a workstation and the Active Directory domain is broken, you will encounter errors such as:

The trust relationship between this workstation and the primary domain failed.

or

The security database on the server does not have a computer account for this workstation trust relationship.

To restore trust between the machine and the domain, you must log on to the computer locally using an account with local administrator privileges. Open an elevated terminal session and check whether you have a valid trust relationship with the AD domain using the following PowerShell command:

Test-ComputerSecureChannel -Verbose

If the result looks something like this:

VERBOSE: The secure channel between the local computer and the domain <DOMAIN> is broken.

You can fix it by running the repair command:

Test-ComputerSecureChannel -Repair -Credential <DOMAIN>\<ADMINUSER> -Verbose

The result should look like this:

VERBOSE: The secure channel between the local computer and the domain <DOMAIN> was successfully repaired.

No reboot and no delete/re-add of the computer in AD is needed.

Enable EXT4 quotas on root partition

Enabling quotas handled by EXT4 on a root partition is not doable, as it needs the device to be unmounted and can only be done when booted from a live disk or the like… Yeah, whoever made that decision needs to be punished. I found a script which tunes the FS before it gets mounted at boot time. Here is the script:

#!/bin/bash

# Boot-time script: runs from the initramfs before the root filesystem is mounted.
cat > /etc/initramfs-tools/scripts/init-premount/ext4_quota <<"EOF"
#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac


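# If tune2fs finds no filesystem features on ${ROOT}, stop here. Braces instead of
# a subshell, so that "exit 0" ends this script rather than only the subshell.
/sbin/tune2fs -l "${ROOT}" | grep -q features || { echo "no ext4 found in ${ROOT}"; exit 0; }
echo "Enabling ext4 quota on ${ROOT}"
/sbin/tune2fs -O quota "${ROOT}" || echo "tune2fs: $?"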
EOF

chmod 0755 /etc/initramfs-tools/scripts/init-premount/ext4_quota

# Hook: copies tune2fs into the initramfs image when the image is built.
cat >/etc/initramfs-tools/hooks/tune2fs <<"EOF"
#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/tune2fs /sbin
EOF

chmod 0755 /etc/initramfs-tools/hooks/tune2fs

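# Rebuild the initramfs of every installed kernel so it contains both files.
update-initramfs -k all -u
# Remove the source files again, so later initramfs rebuilds no longer include them.
rm -v /etc/initramfs-tools/scripts/init-premount/ext4_quota /etc/initramfs-tools/hooks/tune2fs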

I found the script over here:

https://anton.dollmaier.name/2024/10/enable-native-filesystem-quotas-in-ext4

Thank you a ton dear Anton!

How to create full chain certificates

Full chain certificates can be created relatively easily. Just use the cat command, or copy and paste the contents of the files into a new file in this specific order:

$ cat server.crt server.key intermediate.crt ca.crt > fullchain.pem

As already said, mind the order:

  1. Server certificate
  2. Server Private Key (optional if loaded separately)
  3. Intermediate certificate(s)
  4. CA Root certificate
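
The following added example (not from the original post) lints a bundle against this order and, because item 2 puts the private key into the same file, also rejects a key-bearing bundle that group or others can access. The function names and the placeholder sample are assumptions made for the illustration; only block types, their order and the file mode are checked, not the certificates' contents.

```shell
#!/bin/sh
# Added example: lint a PEM bundle against the order listed above.
# It checks block types, their order and the file mode; it does not parse
# the certificates, so it cannot tell an intermediate from a root.

# Print the PEM block labels of a file in order, spaces replaced by "_".
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | tr ' ' '_'
}

# Return 0 if the bundle is: certificate, optional private key, then only
# certificates. Problems are reported on stderr.
check_fullchain() {
    file=$1 pos=0 has_key=0 rc=0
    for label in $(pem_labels "$file"); do
        pos=$((pos + 1))
        case "$label" in
            CERTIFICATE) ;;
            *PRIVATE_KEY)
                has_key=1
                [ "$pos" -eq 2 ] || { echo "$file: private key at position $pos, expected 2" >&2; rc=1; } ;;
            *) echo "$file: unexpected block $label at position $pos" >&2; rc=1 ;;
        esac
    done
    [ "$(pem_labels "$file" | head -n 1)" = CERTIFICATE ] ||
        { echo "$file: first block must be the server certificate" >&2; rc=1; }
    # A bundle that carries the key must not be accessible to group or others.
    if [ "$has_key" -eq 1 ] && [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: contains a private key but mode allows group/other access" >&2; rc=1
    fi
    return "$rc"
}

# Write one PEM block with a placeholder body (constructed, not real material).
pem_block() { printf '%s\n' "-----BEGIN $1-----" "AAAA" "-----END $1-----"; }

# Constructed sample in the page's order: server cert, key, intermediate, root.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077
      { pem_block CERTIFICATE; pem_block "PRIVATE KEY"
        pem_block CERTIFICATE; pem_block CERTIFICATE; } > "$dir/fullchain.pem" )
    check_fullchain "$dir/fullchain.pem" && echo "fullchain.pem: order and mode OK"
    rm -rf "$dir"
}
demo
```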