/srv/irclogs.ubuntu.com/2007/11/28/#ubuntu-server.txt

[00:52] <kgoetz> has someone gone and run s/Debian/Ubuntu in the libpam-ldap and libnss-ldap README.Debian files? is there any particular reason to have done so?
[02:00] <ScottK> Cool.  I can requeue messages without super user privileges now in Postfix.  One less reason to be root.
[02:00] <lamont> ScottK: which version?
[02:01] <lamont> or is it just having write access to deferred and friends?
[02:01] <ScottK> postqueue -i in 2.4
[02:01] * ScottK hadn't read the postqueue man page in a while.
[02:01] * lamont needs to read the nmap man page this week
[02:01] * ScottK had been using postsuper -r.
[02:07] <Burgundavia> dendrobates: you need to email fridge-devel to get your meetings listed on the fridge
[03:33] <ScottK> lamont: Speaking of which, Debian Bug# 453238 does not sound like a smart idea to me.
[03:38] <kgoetz> hi all. i'm wondering if someone can recommend a log level for openldap (slapd) to help debug a libpam_ldap problem. level 256 doesn't seem to help me much. help with libpam_ldap /libnss_ldap would be appreciated too :/
[03:47] <sommer> kgoetz: -1 will give you all available output.
[03:48] <kgoetz> -1 where? slapd?
[03:49] <sommer> kgoetz: /etc/default/slapd there's a SLAPD_OPTIONS="" try -d -1.  then restart slapd
[03:49] <sommer> so you'll have SLAPD_OPTIONS="-d -1"
[03:52] <kgoetz> sommer: should i remove the debuglevel 256 from the slapd.conf?
[03:52] <kgoetz> *loglevel
[03:52] * kgoetz sets to 0
[03:54] <sommer> actually I've never used the loglevel option
[03:54] <kgoetz> mm ok. i'll disable it entirely
[03:55] <sommer> when debugging a big issue I start slapd in a terminal with these options slapd -d -1 -h "ldap:/// ldaps:///" -f /etc/ldap/slapd.conf
[03:55] <sommer> you'll get all the output to the console... usually a lot of output.
[03:58] <kgoetz> slapd doesn't seem to be restarting, should i expect it to run in the foreground now?
[03:59] <sommer> kgoetz: I may have been wrong about the SLAPD_OPTIONS="-d -1"... try setting them back to ""
[04:01] <sommer> kgoetz: I thought that would work
[04:01] <sommer> are you getting Starting OpenLDAP: slapd and it's just kind of hanging there
[04:01] <kgoetz> sommer: slapd's running and i'm getting debug to syslog, i'm just surprised it didn't background
[04:01] <kgoetz> esp. as there's nothing going to stdout
[04:02] <sommer> did you start slapd in a console with the options I posted?
[04:03] <kgoetz> i added '-d -1' to the /etc/default/slapd file. whenever i run slapd in a console it chowns the database to root
[04:05] <sommer> apologies I may have been wrong about that file... you might try just running slapd from console
[04:06] <kgoetz> you're right in as much as it is debugging, but i'm bemused it's still foregrounded - if it's logging to syslog there's no reason for it to hold the terminal
[04:08] <sommer> ya that's strange does ctrl+c work?
[04:08] <kgoetz> ^C kills the daemon
[04:10] <sommer> mmmm... I'd just start slapd from console until you've figured out the issue then (it just feels cleaner)
[04:12] <kgoetz> hm.
[04:56] <kgoetz> hate software with no clear debugging options. pam is in that category :(
[04:56] <kgoetz> now i see some pam_debug module ... yay, another module to load and confuse :S
[05:02] <vetri> which gui best for iptables
[05:04] <ScottK> vetri: vim
[05:16] <mralphabet> gui? for a text file?
[05:56] <sommer> in DNS terms you have reverse zone files... is it correct to call the regular zone file a forward zone file?
[05:57] * ScottK has heard of reverse lookups, but never reverse zone files.
[05:57] <kgoetz> afaik so
[05:57] <ScottK> But /me knows more about DNS protocol than admining DNS servers.
[05:58] <sommer> cool just wondering
[05:59] <sommer> the data for reverse lookups is stored in a reverse zone... a file in bind9 terms
[06:00] <sommer> not sure about MS dns... reverse zones are configured in gui mode
[07:55] <_ruben> forward and reverse zones aren't really that different from each other .. except that one (reverse) has entries below in-addr.arpa. and uses PTR records, and the other (forward) has entries below . and uses A/CNAME/MX/etc records :p
[08:04] <tjaalton> uh, is the mount.nfs4 braindead or what.. it does a readlink() in the current directory, and when the server path doesn't exist there it fails
[08:04] <tjaalton> this is on hardy
[08:05] <tjaalton> anyone here using nfs/nfs4 mounts on hardy?
[08:05] <avatar_> hardy? maybe try #ubuntu+1
[08:06] <tjaalton> avatar_: nope, I'll try linux-nfs@ instead
[08:06] <avatar_> hardy is atm alpha quality and not production ready
[08:06] <kraut> moin
[08:06] <tjaalton> avatar_: I'm core-dev, I know ;)
[08:07] <avatar_> ah, okay :)
[08:08] <_ruben> heh
[08:08] <tjaalton> it wouldn't matter to me unless braindead software didn't insist on having $HOME (Mathematica)
[08:10] <_ruben> bugger .. time to investigate pf_ring on short term i guess ..
[08:10] <_ruben> Nov 28 06:41:25 ismlnx-fw07 pmacctd[7790]:  wan0: (1196228485) 962816 packets received by filter
[08:10] <_ruben> Nov 28 06:41:25 ismlnx-fw07 pmacctd[7790]: wan0: (1196228485) 0 packets dropped by kernel
[08:10] <_ruben> Nov 28 06:56:25 ismlnx-fw07 pmacctd[7790]:  wan0: (1196229385) 1032605 packets received by filter
[08:10] <_ruben> Nov 28 06:56:25 ismlnx-fw07 pmacctd[7790]: wan0: (1196229385) 13239 packets dropped by kernel
[08:57] <ivoks> hi
[08:58] <_ruben> g'day
[09:26] <Steve_____> hello - Have installed JBoss on Ubuntu server 7.04. Works fine from localhost but when I try to hit a page remotely I get "The connection was reset". Any ideas?
[09:28] <nijaba> Steve_____: isn't there a rule in JBoss that by default only allows connections from localhost?
[09:29] <Steve_____> Didn't think of that. Will try to find out - Currently running a slightly different version of jboss on ubuntu desktop 6.10 without problems
[09:30] <nijaba> Steve_____: I am no JBoss specialist, but google points to /usr/local/jboss/run.conf
[09:33] <Steve_____> thanks nijaba. Will feedback if I get anywhere with that
=== ivoks_ is now known as ivoks
[11:26] <Steve_____> How can I tell whether ubuntu is preventing access from remote machines to port 8080?
[11:27] <ivoks> iptables -L
[11:30] <avatar_> sudo lsof -i |grpe 8080
[11:30] <avatar_> sudo lsof -i |grep 8080
[11:30] <avatar_> on which interface is your daemon listening?
[11:30] <Steve_____> iptables shows now rules (I tried iptables -F)
[11:32] <ivoks> -F je flush
[11:33] <ivoks> so if you had -P DROP, then -F would result in total jail of your system :)
[11:33] <ivoks> sorry... -F is flush
[11:33] <Steve_____> iptables shows no rules
[11:33] <ivoks> then no one is blocking your ports
[11:34] <Steve_____> lsof -i | grep 8080 gives nothing
[11:34] <ivoks> maybe your service isn't listening on 8080
[11:34] <Steve_____> I can telnet to 8080 from localhost and HEAD
[11:34] <ivoks> you can telnet to localhost, right?
[11:34] <Steve_____> or wget localhost:8080 and wget a web page
[11:34] <Steve_____> yes
[11:34] <ivoks> checkout netstat -an | grep 8080
[11:35] <Steve_____> How do I tell which interface the daemon is listening on
[11:35] <Steve_____> tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
[11:35] <ivoks> it listens only on localhost
[11:36] <Steve_____> thanks
[14:05] <akincer> Has anyone seen instances where a NIC stops responding to external requests and only starts responding once you initiate a connection from that machine?
[14:06] <ivoks> yes
[14:06] <ivoks> you can achieve that with firewall
[14:06] <akincer> That's the firewall?
[14:07] <ivoks> could be
[14:07] <ivoks> it could also be a broken nic
[14:07] <akincer> If so, that is a policy that redefines dumb
[14:07] <ivoks> akincer: dumb?
[14:07] <ivoks> akincer: well, who is the dumb one in this story? :)
[14:08] <akincer> dumb, stupid, moronic
[14:08] <akincer> haha
[14:08] <akincer> not me
[14:08] <akincer> stock install
[14:08] <ivoks> then it's not firewall
[14:08] <akincer> On ifconfig, packets aren't even making it to the machine
[14:09] <akincer> although I can see where SOME data is coming in and out
[14:10] <ivoks> yesterday i saw a network setup where packages were coming in, but couldn't get out from server
[14:10] <ivoks> turns out that guy who is administrating network and servers doesn't have a clue about networking :)
[14:11] <akincer> haha, well I know enough about both to keep my sanity
[14:11] <akincer> I'm checking with the network guys to see if they can check the Catalyst for frame errors
[14:11] <ivoks> that guy's server didn't have a route to the rest of the network...
[14:11] <akincer> LOL
[14:12] <ivoks> maybe your machines don't have a route to your server/machine
[14:12] <akincer> If I walk into the server room and initiate a ping from the server to anything, it will start responding again
[14:12] <akincer> No, it does
[14:12] <akincer> same subnet
[14:12] <ivoks> intel nic?
[14:12] <ivoks> dapper?
[14:12] <akincer> I could have an invalid GW and it would still respond
[14:13] <akincer> Gutsy
[14:13] <akincer> Not sure about NIC. Onboard on a Dell
[14:13] <ivoks> lspci would give you a hint
[14:14] <akincer> Intel 82541GI
[14:14] <akincer> Let's see what Google says
[14:17] <ivoks> i put my money on broken network setup :)
[14:18] <akincer> Hmmm. I'll go check /etc/network/interfaces to see what it says.
[14:18] <ivoks> not on the server, but in network topology :)
[14:18] <ivoks> this sounds like all other machines don't have a clue about server's mac address
[14:19] <ivoks> and until server broadcast it, they can't find it
[14:20] <ivoks> check arp table on clients, when your server is unavailable
[14:20] <akincer> I didn't configure the network, so I can't be sure. I am pretty sure there are issues though
[14:20] <akincer> Long story, but I don't have control over the network
[14:21] <akincer> I'm a one man IT shop, but the network is outsourced at the moment
[14:28] <akincer> Trying to get a response from the network folks about that. I'm betting you're right
[14:32] <ivoks> coffeedude: hi
[14:37] <methods> hey
[14:38] <methods> is there any console based tools for detecting wireless ap ?
[14:38] <methods> or picking any available without wep ?
[14:38] <ivoks> iwconfig
[14:38] <methods> yea but that's for setting statically
[14:38] <methods> i want something to display broadcasted networks
[14:38] <ivoks> iwlist
[14:38] <ivoks> iwlist interface scan
[14:38] <methods> oh cool!
[14:39] <methods> hm i got a blank essid from that
[14:46] <methods> hm cool! it didn't pick up on its own but a scan with a essid got it!
[15:24] <Gargoyle> What factors affect how long it takes for new software revisions to make it into the repos?
[15:25] <ivoks> mathiaz: i'll check out ucf thing; i was fully unaware of such a tool :D
[15:26] <ivoks> mathiaz: and... you said you have worked on ror implementation?
[15:26] <mathiaz> ivoks: s/implementation/design/
[15:28] <ivoks> ok
[15:30] <ivoks> mathiaz: makefile is still broken :)
[15:31] <mathiaz> ivoks: you mean in tasksel ?
[15:31] <ivoks> yes
[15:32] <ivoks> it has hardcoded linking to desktop.preinst
[15:32] <ivoks> which is absurd... since it has :
[15:32] <ivoks>         for script in info/*; do \
[15:50] <methods> in gutsy can i use security as well as gutsy-security ?
[15:51] <ivoks> there's only gutsy-security
[15:51] <methods> so how do i get libgd2-dev then ?
[15:52] <ivoks> there's no such package
[15:52] <ivoks> there are libgd2-noxpm-dev and libgd2-xpm-dev
[15:52] <methods> http://packages.ubuntu.com/dapper/oldlibs/libgd2-dev
[15:53] <methods> what's the difference in those packages ?
[15:53] <methods> i'm following the nagios ubuntu quickstart and it's telling me to install this stuff
[15:53] <ivoks> you asked about gutsy and then pasting dapper links
[15:53] <methods> oh ... well i just did a google search sorry..
[15:53] <ivoks> nagios quickstart in ubuntu is apt-get install angios
[15:53] <ivoks> nagios
[15:53] <methods> 6.10 is gutsy isn't it?
[15:53] <ivoks> or nagios3
[15:53] <ivoks> 6.10 is edgy
[15:54] <methods> hm
[15:54] <methods> the walk through is a bit outdated
[15:54] <ivoks> it will be obsolete in 5 months
[15:54] <methods> oh wow we're on 7.10 right ?
[15:54] <ivoks> yes
[15:54] <methods> .10 ... that's why i thought it was right
[15:55] <methods> ok well i'll use the meta package
[15:55] <methods> but i wonder they didn't update this
[15:56] <methods> hm you meant nagios2 ?
[15:56] <ivoks> right
[15:57] <methods> hm see this is why i like ubuntu over pure debian
[15:59] <methods> so v3 is still unstable ?
[15:59] <methods> do you recommend i install 3 on my own or stick with 2 ?
[16:02] <ivoks> i would go with v2
[16:03] <ivoks> and, fwiw, ubuntu nagios2 package is exactly the same as debian's
[16:04] <akincer> Methods, have you looked Zenoss as an alternative to Nagios?
[16:04] <ivoks> methods: if you haven't - don't :)
[16:05] <akincer> why?
[16:06] <ivoks> cuse it creates user
[16:06] <ivoks> cause
[16:06] <ivoks> and puts it in sudoers
[16:06] <ivoks> with NOPASSWD
[16:06] <ivoks> so, that user can wipe your entire system, and you have a web service running under its privileges
[16:07] <ivoks> i can't think of worst security installation out there :)
[16:07] <methods> wtf is zenoss ?
[16:08] <ivoks> zenoss.com
[16:08] <methods> what's fwiw ?
[16:08] <ivoks> good looking nagios :)
[16:08] <akincer> I don't remember it doing that. Haven't tried it in a while
[16:08] <ivoks> akincer: i wanted to package it... i gave up very soon
[16:08] <akincer> I remember a few things being a PITA for no apparent reason, but no more than Nagios
[16:09] <ivoks> maybe it changed in last couple of months
[16:09] <akincer> I loaded up a VM appliance, so I couldn't honestly tell you what it did under the hood
[16:10] <methods> so what's zenoss ?
[16:10] <akincer> zenoss is to nagios what postfix is to sendmail (in function)
[16:10] <methods> a cheap alternative ?
[16:11] <methods> it appears to offer commercialized versions
[16:11] <methods> i'm looking to help open source movement for intelligent systems
[16:11] <methods> not proprietized jerks
[16:13] <ivoks> another problem with zenoss is that it has files without copyright
[16:13] <ivoks> that, and nopasswd things are the reasons why zenoss packages were never introduced in debian
[16:14] <ivoks> on debian guy and i wanted to package it, but we gave up after 10 minutes with that software :)
[16:14] <ivoks> s/on/one
[16:27] <methods> this package gave me no information
[16:28] <methods> and appears to have an internal server error when i go to the web site
[16:31] <akincer> Gotcha. I need to pick Nagios back up. Last time I gave it a shot, I quit after becoming extremely annoyed at how unnecessarily difficult it seemed to be to configure
[17:12] <Innatech> Hello. Having a problem with OpenVPN setup. Running the vars script that does a bunch of export fails to set the environment vars, while setting them at the command line works, and they seem to work within the script @ runtime in its echo statements. What gives?
[17:13] <Innatech> This is on 7.10 server.
[17:27] <lousygarua> hello
[17:27] <lousygarua> did anyone every use w3m-img?
[17:27] <lousygarua> s/every/ever
=== oly_ is now known as oly-
[18:57] <juliux> hi
[18:57] <juliux> does somebody know how i can run more than one ssh server on a server?
[18:58] <lousygarua> juliux, hmm you can probably run sshd with a different configuration file specifying a different listening port.
[18:58] <lousygarua> why would you want to run two ssh servers?
[18:59] <juliux> i want one for users and one for backuping
[18:59] <juliux> for the backuping i want to use sshkeys without a password
[18:59] <juliux> but this ssh server should only work on the ip of my vpn
[19:01] <lousygarua> i.e. users access from WAN and backupping is only from VPN?
[19:21] <juliux> lousygarua, yep
[19:22] <juliux> lousygarua, i have several servers and clients and they should automatically backup via rsync and ssh over the vpn
[19:23] <lousygarua> juliux, i don't have much experience with SVN but shouldn't it be transparent to the SSH clients whether they connect an external or LAN/VPN IP?
[19:23] <lousygarua> or you want the backup ssh server to accept connection *only* from LAN VPN so it's more 'secure'
[19:23] <juliux> i want for the vpn clients ssh with sshkeys without any passwords
[19:23] <lousygarua> well setting up ssh key authentication is really easy i've once done it myself for backup purposes
[19:23] <juliux> i know
[19:24] <lousygarua> no passwords
[19:24] <juliux> i only want an extra ssh server for the vpn;)
[19:24] <mralphabet> and you want passwords for the vpn connections
[19:24] <mralphabet> can't you do both?
[19:24] <juliux> mralphabet, i have keys for the vpn
[19:24] <lousygarua> juliux, man sshd shows a `-f` option for specifying a different configuration file
[19:25] <lousygarua> but still i don't see the use for two separate ssh servers
[19:26] <juliux> i don't want ssh with keys on a ssh server that is reachable from the normal wan
[19:26] <lousygarua> but if the vpn clients are unreachable from WAN there's no chance their private key to be stolen somehow
[19:27] <lousygarua> and a hacker will find it very hard to create a clone private key for connecting your servers
[19:27] <juliux> hmmm
[19:29] <lousygarua> anyway, you can probably run an additional sshd server that only listens on 192.168.xxx.yyy so it's only available to VPN hosts
[19:34] <zylmak> hello i'm trying to install ubuntu server and i need some help
[19:34] <lousygarua> zylmak, what help do you need :) be more specific
[19:35] <zylmak> the first thing i need to know is what i'm doing :) ... well what i'm trying to do is to set a test server behind a router
[19:36] <zylmak> the server doesn't need to be visible from outside the router
[19:36] <zylmak> so the first thing i need is to set my ip address so it will be fixed
[19:37] <zylmak> i found the file /etc/network/interface but don't know what is broadcast for
[19:38] <lousygarua> zylmak, broadcast is the ip address that all hosts will listen to, smt like 192.168.0.255
[19:39] <lousygarua> zylmak, because it has 255 which is binary for all 1's then the network interface on each host knows it should process the message
[19:39] <lousygarua> it's like screaming "HELLO EVERYONE" in your lan
[19:40] <zylmak> ok
[19:41] <lousygarua> anyone knows of a CLI WebDAV client?
[19:42] * lousygarua will be back soon
[19:47] <zul> cadaver maybe?
[20:11] <proprietarysucks> how do I stop ubuntu from asking me to continue when it says it cannot verify the security (aka it can't access the internet) during a kickstart installation?
[20:11] <proprietarysucks> also what is the kickstart syntax for a swap partition for ubuntu? the 'regular' way isn't working
[20:11] <zylmak> my next question is: do i need dhcp and bind, since my isp gives the ip address to my router
[20:14] <zylmak> oops time to go to a reunion will come back later
[20:24] <ivoks> hello
[20:25] <ivoks> anyone has anything against maildir by default in mail-server task?
[20:27] <proprietarysucks> nevermind I figured out the second question
[20:28] <proprietarysucks> man it's hard finding anyone in ubuntu that actually KNOWS ubuntu
[20:28] <somerville32> lol
[20:28] <ivoks> hm
[20:28] <mralphabet> and by ubuntu you mean kickstart
[20:31] <proprietarysucks> no I mean ubuntu
[20:32] <proprietarysucks> kickstart is the same protocol, ubuntu decided to accept or not accept various parameters
[20:32] <ivoks> kickstart isn't a protocol
[20:32] <proprietarysucks> for example in ubuntu server 6.10 you can't use --noipv6
[20:32] <proprietarysucks> that's not kickstart, that's ubuntu
[20:32] <ivoks> i repeat, kickstart is not a protocol, it's a file
[20:33] <proprietarysucks> also you have to use part swap --size 2048 instead of part --fstype swap --size 2048 because of ubuntu
[20:33] <proprietarysucks> kickstart is a file that follows the kickstart protocol to feed selections to anaconda, the red hat installer
[20:34] <ivoks> kickstart is a file, used to load some settings into anaconda
[20:34] <ivoks> in ubuntu, sane people, use it just to get to preseeding
[20:35] <ivoks> preseeding, otoh, has much more power than kickstart
[20:35] <proprietarysucks> if an OS doesn't accept an option it's not because kickstart is somehow different for that OS, it's because that OS has arbitrarily changed their anaconda (or other) input mechanisms
[20:35] <proprietarysucks> therefore it's ubuntu not kickstart
[20:35] <ivoks> i'm not sure who told you that ubuntu supports all options in kickstart...
[20:35] <ivoks> but it doesn't
[20:35] <ivoks> and that's not a secret
[20:36] <spiekey> hi
[20:36] <spiekey> i can't log into webmin as root anymore.
[20:36] <lousygarua> proprietarysucks, what is kickstart either way
[20:36] <proprietarysucks> all I asked was how to get ubuntu to stop the automatic installation to ask me a question
[20:36] <spiekey> i get: Nov 28 21:32:17 localhost webmin[7500]: Invalid login as root from 127.0.0.1
[20:36] <proprietarysucks> I know ubuntu doesn't support all the options
[20:37] <spiekey> i wonder why?! Since ssh works with root
[20:37] <zul> then why complain?
[20:37] <jjesse> spiekey: you mentioned anymore? does that mean at one time you were able to login as root?
[20:37] <jjesse> spiekey: so you enabled root?
[20:37] <spiekey> jjesse: for the last 2 years, yes
[20:37] <spiekey> oversudden it does not work anymore, and i don't think i updated the machines in the last few months either.
[20:38] <spiekey> webmin uses the pam infos (user/pass) to auth, right?
[20:38] <jjesse> that's weird that all of the sudden it changed
[20:38] <jjesse> i think so, someone might be able to correct me
[20:38] <jjesse> been awhile since i used webmin
[20:38] <spiekey> oh, he?!
[20:39] <proprietarysucks> I just installed ubuntu 6.10, using kickstart and it has stopped the automatic installation to ask me if it's ok to proceed after not being able to reach security.ubuntu.com. How do I automatically say yes here? It's not a kickstart question because red hat linux doesn't do this. It's a ubuntu question because it is obviously wanting some custom argument, and the ubuntu documentation on this particular issue is
[20:39] <spiekey> the old password works!
[20:39] <spiekey> jjesse: it's the password from 2006!
[20:39] <spiekey> wtf?!
[20:39] <ivoks> proprietarysucks: preseeding
[20:39] <ivoks> look for debian preseeding
[20:40] <ivoks> learn it and then come back saying 'omg, i didn't know kickstart is so lame'
[20:40] <ivoks> :)
[20:40] <jjesse> spiekey: sorry, don't mean to be rude, but does google help?
[20:41] <spiekey> jjesse: not with the error messages i get in my logs
[20:41] <proprietarysucks> our system automatically detects and configures all configurations of hard drives, nics, packages and everything we need, not sure how much better it can be
[20:41] <proprietarysucks> the only thing that's not working right now is that ubuntu stops and complains about not being able to call home
[20:41] <spiekey> webmin must have its own passwd file or something..?!
[20:41] <ivoks> i give up
[20:42] <jjesse> spiekey: that's what i meant when i asked about google can you google webmin password file or something, sorry a little busy with work
[20:42] <proprietarysucks> anyone know someone who actually knows ubuntu
[20:42] <jjesse> i know ivoks
[20:43] <somerville32> proprietarysucks, What's the issue?
[20:43] <spiekey> jjesse: i feel so dumb now :-/
[20:43] <jjesse> spiekey: did it?
[20:43] <proprietarysucks> I just want to know what kickstart option ubuntu is waiting for to allow it to not stop and ask if it's ok to proceed when it can't contact security.ubuntu.com
[20:43] <jjesse> spiekey: don't worry i do stupid things all the time
[20:44] <jjesse> or what i feel are stupid things
[20:44] <ivoks> proprietarysucks: kickstart doesn't support these things, preseed does
[20:44] <spiekey> jjesse: you are a sysadmin, right? :D
[20:44] <mralphabet> !webmin @ spiekey
[20:44] <ivoks> we don't support webmin
[20:44] <proprietarysucks> ivoks: kickstart is a text file, it supports anything you can type
[20:45] <mralphabet> bah
[20:45] <mralphabet> !webmin
[20:45] <ubotu> webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system
[20:45] <jjesse> spiekey: not right now, full time consultant but used to be a sys admin
[20:45] <ivoks> proprietarysucks: it doesn't support answering to questions, preseed does
[20:45] <ivoks> proprietarysucks: preseed will intercept question and provide an answer
[20:45] <ivoks> kickstart doesn't do that
[20:46] <proprietarysucks> kickstart doesn't do anything
[20:46] <ivoks> kickstart has limited number of functions
[20:46] <proprietarysucks> it's a text file
[20:46] <proprietarysucks> perhaps you are thinking of anaconda?
[20:46] <ivoks> preseed can be used to set up debconf entries
[20:46] <ivoks> we are not talking about anaconda here, since we don't use anaconda
[20:47] <proprietarysucks> you are a very confused person about this
[20:47] <proprietarysucks> kickstart is a text file, there's no functions
[20:47] <proprietarysucks> the program, called anaconda, reads this file and interprets the info
[20:47] <ivoks> really?
[20:47] <ivoks> so... which anaconda reads that file in ubuntu?
[20:47] <ivoks> cause we don't have it
[20:47] <proprietarysucks> ubuntu also has decided to read these files, taking its own CUSTOM text files
[20:47] <jjesse> so use preseed
[20:48] <proprietarysucks> ubuntu also has decided to read these files, taking its own CUSTOM text commands
[20:48] <ivoks> proprietarysucks: then use redhat, where's the problem?
[20:48] <proprietarysucks> such as this one, you may recall:        user --disable
[20:48] <proprietarysucks> that's in the kickstart file and *ubuntu* recognizes it as meaning something
[20:49] <proprietarysucks> I'm asking if anyone anywhere knows what other custom commands like this ubuntu has applied to the normal kickstart template
[20:49] <ivoks> this guy reminds me of one of my ex professors
[20:50] <ScottK> ivoks: I think maildir by default is an excellent plan.
[20:50] <ivoks> ScottK: i agree
[20:50] <ivoks> :)
[20:50] <ScottK> Just saying so if anyone complains you can say it wasn't just you deciding to do it.
[20:51] <ivoks> :)
[20:52] <ScottK> ivoks: I'm started on the amavisd-new MIR.  While it's still in Universe and I can upload changes, is there anything else you think we should do to the package?
[20:53] <ivoks> hm...
[20:54] <ivoks> we could provide some stuff during tasksel install
[20:54] <ScottK> No rush.  It'll be sometime next week before I get the MIR done.
[20:54] <ivoks> amavis has amavis.d, so that would be much easier than with dovecot :)
[20:55] <ivoks> we will just drop configs for mail-server task there, and that will be it
[20:55] <ScottK> Our diff from Debian is pretty small right now.  If there's anything else we want to change, I'd like to send it all up to them at once.
[20:55] <ScottK> OK
[20:55] <ivoks> we will not change amavis package
[20:55] <ivoks> we will leave it default...
[20:55] <ivoks> mail server task from tasksel will drop special stuff we decide to have
[20:56] <ivoks> so... apt-get install postfix dovecot-imapd amavisd-new gives you default installation
[20:56] <ivoks> sudo tasksel install mail-server gives you all that + ubuntu server team goodies
[20:56] <proprietarysucks> Does anyone know the complete list of custom commands like user --disabled ubuntu has applied to the default kickstart template?
[20:57] <zul> proprietarysucks: maybe looking at the source might help
[21:07] <ivoks> ScottK: any objections to:
[21:07] <ivoks> smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated
[21:07] <ivoks> ?
[21:11] <ScottK> ivoks: reject_invalid_hostname should be reject_invalid_helo_hostname if we want it.
[21:12] <ScottK> The use case here is for an all in one mail server for sending and receiving mail for a domain, right?
[21:12] <ScottK> If that's the case then reject_invalid_hostname is something we don't want as MUAs often have a bogus HELO name.
[21:13] <ScottK> ivoks: Let me think about this one for a bit.
[21:13] <ivoks> well, bad clients would get 501
[21:14] <ivoks> ok, maybe we shouldn't go so tight...
[21:15] <ScottK> What I'm thinking is we should have 465 (for smtps) and 587 enabled with the looser restrictions and keep port 25 tight for receiving mail.
[21:16] <ScottK> Gotta run out for a bit.
[21:21] <ivoks> oh, you would enable 587?
[21:36] <close2__> hello, i have a script, which dd's a few bytes every 5 seconds from an external usb-disk and mounts and rsync every 15 minutes
[21:36] <close2__> sometimes the mount -t ntfs-3g  just hangs
[21:37] <close2__> an strace -p ...    shows that the mount tries to: read(4,  <unfinished ...>
[21:37] <close2__> do you have an idea, why this could happen?  How to avoid it?
[21:37] <ivoks> check what file has an ID 4
[21:37] <ivoks> and this is not server related question
[21:37] <ScottK> ivoks: Yes.  If we're supporting sending and receiving.  That's really how it ought to be done.  There's even a recent RFC (BCP actually) about it.
[21:38] <close2__> it's the server kernel, that's why i thought i should ask here
[21:38] <ivoks> ScottK: then we should do that by default in postfix, right?
[21:39] <ScottK> ivoks: For an appropriate debconf choice, yes.
[21:39] <ivoks> close2__: look for open ("/some/file", O_RDONLY|)_RWRITE) = 4
[21:39] <lamont> ScottK: MTAs also frequently have bogus hostnames
[21:40] <lamont> little companies like IBM, last I ran into it.
[21:40] <lamont> (the ehlo hostname resolves in their _INTERNAL_ dns...)
[21:43] <ScottK> lamont: Agreed.
[21:44] <ScottK> lamont: I'd have to look the name up but there's now a test you can do just for rDNS existence that I think is a reasonable default.
[21:45] <lamont> ok.  the IBM host was NXDOMAIN...  OTOH, that was a few years back, maybe they finally agreed that it was stupid
[21:46] <ScottK> IBM currently has PTR names like e1.ny.us.ibm.com.  I don't have ready access to HELO names.
[21:46] <ScottK> AOL requires rDNS, so I think it's safe for our default to require it.
=== MenZano is now known as MenZa
[21:48] <lamont> ok.
[21:48] <lamont> rDNS == reverse dns, yes?
[21:48] <ScottK> Yes
[21:48] <ScottK> As in PTR for the IP.
[21:48] <lamont> right
[21:48] <lamont> just making sure there wasn't some new TLA I was missing
[21:48] * ScottK notes in passing that it had 4 letters ...
[21:49] <lamont> yeah... but FLA isn't self-referencing
[21:49] <ScottK> But it sounds naughtier.
[21:54] <ivoks> ok, uploading new patch
[21:55] <ivoks> done
[21:56] <ivoks> please, do comment, suggest, etc...
[21:56] <lamont> patch to?
[21:56] <ivoks> bug 164837
[21:56] <ubotu> Launchpad bug 164837 in dovecot "Dovecot SASL for postfix" [Low,In progress] https://launchpad.net/bugs/164837
[21:56] <ivoks> patch for tasksel
[21:57] <lamont> through, for future ref
[21:58] <lamont> what more are we doing in postfix to finish lighting up sasl?
[21:58] <lamont> and where is it authenticating against?
[21:58] <ivoks> oh...
[21:58] <ivoks> sorry... damn
[21:58] <ivoks> forgot the first part :D
[21:58] <lamont> lmtp_sasl_type = cyrus
[21:58] <lamont> smtp_sasl_type = cyrus
[21:58] <lamont> smtpd_sasl_type = cyrus
[21:58] <lamont> and those prolly need to change, no?
[21:59] <ivoks> yeah...
[21:59] <ScottK> lamont: The immediate question was do we enable port 587 by default for submission (I'd say yes for any debconf option that supports internet submission).
[21:59] <ScottK> lamont: Details.
sorenivoks: Are there any reasons why those settings shouldn't be the default?21:59
lamontbecause, ideally, I'd like to just have sasl configured by default in postfix (modulo debconf, of course)22:00
sorenivoks: Most (all?) of the settings in dovcecot.conf look sane even outside of the postfix sasl stuff.22:00
sorenivoks: All the more reason to make it the *actual* default, and not only the default when you've installed dovecot in a particular way.22:01
lamontScottK: I'm OK with enabling 587 by default any time postfix is listening on port 2522:01
* lamont reviews his templates22:01
ScottKlamont: How about 465 for smtps too then?22:01
lamontScottK: any time that we turn on ssl, yes.22:02
lamont:-)22:02
ScottKIt's needed for non-starttls MUAs (notably Outlook Express and Outlook < 2007)22:02
ScottKOK22:02
ivokssoren: no sane reasons :)22:02
ivoksi would be happier to do this by default22:02
ScottKlamont: Are you good with that for Debian too?22:02
sorenivoks: I'd much prefer that to any post-installation rewriting of config files. If there are saner defaults, we should apply them globally.22:03
lamontScottK: there is only one postfix. :022:03
ScottKlamont: Good.  Just making sure we stay that way.22:03
lamontI only have one forked package (util-linux), and that's purely because of build-deps22:04
lamontwhich I can't do at run time22:04
ivokswe went with tasksel cause we don't want to override stuff for old users22:04
sorenivoks: Well just have to deal with that some other way.22:05
lamontivoks: I need to not muck with conffiles except as I get told by new debconf answers.22:05
lamontand make the default install do the right hting22:05
sorenivoks: Apart from the Maildir change, all the settings could be (relatively) safely applied to existing configurations.22:05
sorenlamont: it's not a conffile (in the dpkg sense)22:05
ivoksi'm trying to recall why we wanted to do it this way...22:06
sorenlamont: and even if it were, it wouldn't be kosher to fiddle with it regardless of debconf.22:06
lamontsoren: there are nuances.22:06
ivoksanyway... doing it by default is what i prefere...22:07
lamontpostfix doesn't list master.cf and main.cf as conffiles simply because the questions from dpkg about who wins, me or the admin, are confusing to most endusers.22:07
lamontaka admins22:07
ivoksah, i know!22:07
lamontwhen postfix asks a question in debconf, it has met the policy requirement of getting permission before mucking.  When it's required to muck, preinst does the asking, and aborts the upgrade if you say 'no'.22:08
ivoksit's because we can't force these changes into debian, and we would like delta to be as small as it can22:08
lamontadding a new question for home_mailbox kinda needs can do interesting things with the defaults based on existing/not-existing configs, but ultimately, changing it from upstream's default means that I need to make it at least medium pri22:09
ivokscause they don't prefer postfix over exim, and/or dovecot over cyrus22:09
sorenivoks: I'd much rather maintain a delta in the default config file than the tasksel change.22:09
lamontivoks: I think we're going to upload a default-mail-transport-agent package to debian, and then start the discussion about having people start Depending on that....22:09
lamontivoks: having the default be different between debian/ubuntu is not an issue... postfix already knows what it's building for...22:10
sorenlamont: I've got that package on my laptop, by the way. I just need to extract it and send it your way.22:10
lamontsoren: please22:10
lamontsoren: if we're going to do it as a debian package, how do you feel about housing it in git.debian.org?22:11
sorenlamont: git and I are not friends.22:11
lamontsoren: git 1.5?  or unusably ancient 1.4?22:12
sorenlamont: But... um.. certain other things force me to use git real soon anyway, so I might as well.22:12
sorenlamont: No idea.22:12
ivoksso... we are giving up on tasksel? :)22:12
lamontsoren: go to git.debian.org and create yourself a guest account... then let me know I'll see about getting us a joint-development gid to assign so that we can share one repo instead of two.22:13
sorenivoks: If we implement your postconf changes from that patch into default postfix, and there's dovecot around, what will happen?22:13
lamontivoks: tasksel probably still has _some_ work to do.22:13
ivoksthat's not an issue...22:13
ivoksissue is if someone has saslauthd22:13
sorenlamont: Like what?22:14
sorenivoks: What will happen then?22:14
lamontI expect that the change will wind up being that postfix will Recommend cyrus (debian) or dovecot (ubuntu), and then set things up if it's a fresh install22:14
ivokssoren: we are binding postfix to dovecot here, but not everybody has dovecot for imap/pop22:15
lamonttasksel needs to at least pull in dovecot... I think it wants to be a suggests maybe?22:15
lamontfor postfix, that is22:15
ivokswell... wais a sec...22:15
ivokswait...22:15
ivoksdovecot-common isn't imap/pop22:15
lamontivoks: what I was hoping to do for postfix was to ...22:15
sorenivoks: Precisely.22:15
ivoksso we can have dovecot-common and cyrus at the same time22:16
sorenbrb22:16
lamontat postfix configure time, if we haven't done it before, ask the admin if he wants to set up sasl, pointing at dovecot or cyrus as appropriate (depending on what's installed, maybe).22:16
lamontthe default answer would be where we'd bind postfix to $SASL22:16
ivoksright22:16
lamontwhich could vary between distros22:16
lamont+postconf -e "broken_sasl_auth_clients = yes"22:17
lamontew22:17
ivokscould we 'preseed' debconf value for that question in ubuntu?22:17
lamontI suppose, though.22:17
sorenCan't we just make all the saslauth provides put their socket in the same place and not care?22:17
lamontivoks: we already have places where the source conditionally compiles around ubuntu vs debian... no need to go playing with preseeds... :0)22:18
sorenWe have a lower default priority for debconf questions.22:18
ScottKsoren: No.  I really don't think so.22:18
sorenScottK: Because?22:18
ScottKBecause they work differently.22:18
lamontsoren: and the port25 banner is different22:18
lamontwe have to know which it is.22:18
ScottKEven in Cyrus you have to decide on sasldb versus auxprop and that affects a bunch of stuff.22:19
lamontand the options are "cyrus" "dovecot" and "die, hellspawn"22:19
lamonter, "no'22:19
lamont:-)22:19
* ScottK will review the source before trying that last one.22:19
sorenOk, I wasn't aware.22:19
soreni though they had some sort of well defined protocol.22:19
lamontsoren: this conversation is teaching me much wrt SASL...22:19
sorenMan, typing is hard!22:19
lamontit's been on my "I should figure this out sometime" list for about 5 years or so now.22:20
ivokssoren: i gave up on typing... it's 23:30 :)22:20
lamontand hardy is a perfect time to fix it.22:20
sorenlamont: So the protocol with which you communicate is dependent on the server at the other end?22:20
lamontyes22:20
ivoksyes22:20
ivokspostfix supports two22:20
sorencraptastic22:20
ivoksdovecot and cyrus22:20
ivoksiirc22:20
lamontsoren: hence the *_sasl_type variables22:21
sorenLike completely different as in there's no specification or are people just interpreting them in different ways?22:21
ivokslike dbus and dcop :)22:21
lamonttwo separate implementations of two separate designs.22:21
lamontno common spec.22:21
sorenFantastic.22:21
ivoksthere's no 'standard'22:21
sorenbrb22:22
lamontsoren: think windoze vs linux. :-)22:22
lamontonly this time both suck.  differently.22:22
lamontivoks: btw, good to run into you again - haven't had any good chance to chat since Mataro, wasn't it?22:22
ivoksmataro?22:23
ScottKsoren: SASL is defined, but that's on the wire.  The MTA to SASL implementation API is implementation specific22:23
* ivoks is kind of slow atm22:23
lamontivoks: I somehow got the impression that we'd maybe met in Mataro.22:23
lamont@UDS22:23
ivoksi was only on last uds at cambridge22:24
ivoksmataro sounds spanish :)22:24
lamontah.  I guess more than one person lives in .hr :)22:24
ivoks:)22:24
lamontivoks: that's because it's in spain. :)22:24
ivoksi don't know who else would be there from .hr...22:25
somerville32I'd like to go to the next UDS or the next one after that22:25
ScottKlamont was at the last UDS too, so maybe you two actually did meet there.22:25
ivokshm... maybe :)22:25
lamontquite possibl22:25
lamonte22:25
* ScottK recalls meeting both of you.22:26
kgoetzhi all... anyone willing to look at some openldap debugging output? http://pastebin.ca/801011 i have two users in ldap, i believe both have valid passwords. one user (kgoetz) has a local account as well. only kgoetz can log in, the other (kim) cops an error. suggestions about how to go about debugging this would be good too :/22:26
ivoksScottK: i remembre you on package review session; we agreed on amavis :)22:27
ScottKYep.22:28
ivokstypos...22:28
lamontkgoetz: does ldapsearch find the user?  and what about when you bind with the rootdn?22:28
ivoksso, postfix preinst should check sasl method and then, if none, set dovecot :)22:29
ivoksif there is /etc/dovecot/dovecot.conf :)22:29
lamontivoks: I don't think setting type hurts us in any case...22:29
lamontand it'd be postinst that did it.  config that decided the default..22:30
ivoksright, not preinst...22:30
ivoksi know that dovecot will not start if /var/spool/postfix/private/auth doesn't exist22:31
ivoksso, postfix must be installed before dovecot-common22:31
ivoksthis is why it's so easy to do it in tasksel.postinst :)22:31
kgoetzlamont: just checking22:32
kgoetzldapsearch is whining about sasl :\22:32
lamontkgoetz: I have to go fetch kids, but I have a mixed local and ldap world that I can help walk you through fixing your issue once I get back online...  what TZ are you?22:32
lamontah.22:32
lamonttrivia.l22:32
kgoetzlamont: AUS, ~+10.30. its 9am atm.22:33
lamontdoes ldapsearch -x work?22:33
lamontcat <<EOF>>/etc/ldap.conf22:33
lamontuse_sasl no22:33
lamontrootuse_sasl no22:33
lamontEOF22:33
lamontand no, that's not documented anywhere I could find22:33
kgoetzah. -x22:33
lamonts/that's/that was/22:33
lamontok. 'twould suck more if you were in europe somewhere... it'll take me somewhere around 1.5-2 hours before I'll be back online, once I leave in < 5 min22:34
kgoetzthanks for the pointer, i'll have a hack22:34
kgoetznp.22:34
lamontand I'm gone22:40
kgoetzlater22:41
ivoksbye22:41
ivoks'night all22:41
ivoks:)22:41
=== Drazha130 is now known as Drazha
phaidroshi, I have a problem with apt. http://pastebin.ca/801042 22:51
phaidrosI have xen-common installed, and can neither update, remove nor reinstall it :(22:52
phaidrosany ideas?22:52
kgoetzare you root? (did you run it with sudo?)22:53
phaidrosI am root22:54
phaidroshi kgoetz :) I ve seen your name in the gobuntu list alot22:54
kgoetzah oh :)22:55
phaidrosI am root with sudo -s22:55
kgoetztry running `apt-get -f install`22:55
phaidrosE: The package xen-utils-3.0 needs to be reinstalled, but I can't find an archive for it.22:56
phaidrosI'll put it in /var/cache/apt/.. but I believe its the same then like dpkg ..22:56
phaidrosit even doesn't recognize the package in /var/cache/apt/archives22:57
=== paul____ is now known as pschulz01
kgoetzphaidros: try `apt-get update` then `apt-get install --reinstall <yourpackag>`22:58
kgoetzor whatever the aptitude equivalent is :)22:58
phaidrosaptitude samesame apt-get (usually)22:59
kgoetzi know aptitude has a 'reinstall' instead of 'install --reinstall' *wants apt to not need stupid extra switch*23:00
phaidrosno way. ok further the problem is, that I am currently trying to dist-upgrade, therefore there shouldn't be the same version in the tree.23:01
phaidrosbut even if I put the package with the same version in /var/cache/apt/archives/ it doesn't fly :/23:01
kgoetzdid you download the package separately?23:02
phaidrosyes.23:02
phaidrosit is an edgy install, trying to upgrade to feisty / gutsy (tried both)23:02
phaidrosgot the edgy packages. the dist-upgrade got the feisty (and gutsy) package already as well ..23:03
kgoetzah... this could get interesting.23:03
kgoetzbut brb23:03
phaidrosok23:03
phaidroskgoetz: force might be the only way ..23:08
kgoetzphaidros: yes, forcing will be required.23:11
phaidroseven --force-remove-reinstreq doesn't solve :(23:11
kgoetzphaidros: you'll have to try to go from whatever state your system is in now, to a feisty system.23:11
kgoetzthen move from there.23:11
phaidroshow?23:11
phaidrosI am blocked :)23:11
phaidrosmaybe force-all .. which I generally try to avoid23:12
kgoetzchange sources list, update, try to dist-upgrade, see where it bails. force packages to install as needed23:12
phaidroswell, thats were I hang .. exactly the xen-utils .. I found no way around that yet.23:13
phaidrosall apt-get / aptitude / dpkg fail on that package .. I'll have a look in the var/lib/dpkg/info/xen-utils-3.0.postinst23:14
kgoetzfind the package this is in xen.xend.server (and by extentio the file), make sure its tehre23:14
phaidrossry, extentio ?23:16
kgoetz*extention23:16
phaidroswhich dpkg switch helps me finding that package?23:18
kgoetz-S23:18
kgoetziirc23:18
phaidrosno way to fing :/23:23
phaidrosfind23:23
sorenWhat's the problem?23:24
phaidrosxen-utils cannot get updated, removed, reinstalled .. tried all common tricks (force-all, apt-get install -f)23:25
phaidroshttp://pastebin.ca/801042 23:25
=== Drazha436 is now known as Drazha
sorensudo dpkg -P --force-remove-reinstreq xen-utils-3.0 =23:25
sorenEr.. no "=" at the end.23:25
sorenOr -r if you don't want to purge the config files.23:26
phaidrossamesame .. http://pastebin.ca/801064 23:26
phaidrosyeah, and thats the tricky part now :)23:26
phaidrosany ideas where to tinker?23:28
sorenYes, I'm just trying to find the cleanest way.23:29
sorenphaidros: Not to worry, we'll get it removed in a minute.23:30
phaidroshehe, I got it: replacing /usr/bin/xend with a bashscript saying only "exit 0" helped!!23:31
sorenWell, something's clearly botched, so if you can live with it might not cleaning up a conffile here or there...23:31
sorenYes, that's one way. :)23:31
phaidroswhat would have been an alternative?23:31
sorenSomething along the same lines.23:31
* phaidros proud23:31
sorenI'd have edited the preinst script, but the effect would be precisely the same.23:31
phaidros:)23:31
phaidroscool!23:31
phaidrosthanx alot soren & kgoetz !23:32
sorenIt's really not the right way to go about it, but.. yeah, well.23:32
phaidrosyeah, but if any standard ways fail .. well, no options given the crude way wins the beauty contest23:33
phaidros:)23:33
phaidrosah something else: how to blacklist packages (eg all xserver related on a server)23:34
phaidros(because I finally got X packages in on one machine, and cannot see which dependency might have caused this)23:35
sorenphaidros: If you try to remove them with apt-get, any package that depends on them will be removed.23:35
sorenphaidros: ...so you can see if anything looks familiar.23:36
phaidrosyeah I believe it is some gdlib or graphviz or such for php23:36
phaidrosbut anyhow, is there a clean way to block a group of packages under any circumstances/23:37
phaidros?23:37
sorenWell, yes, but it really shouldn't  be necessary.23:37
phaidroshehe, not in an ideal world ;)23:38
sorenIf you install a package that needs some x libraries, well... it needs some x libraries.23:38
phaidrosbut as we've just seen .. world tends to non-idealism. I usually call that an entropic issue23:38
sorenphaidros: Can you give me a use case for it?23:38
phaidrosuhm, I need a package like imagemagick for php or cli/scripting purposes on my server, and that package depends somehow (because it is mainly a desktop distro) on X .. I don't want X on a server23:39
sorenWell, do you need imagemagick or don't you?23:40
phaidrosI do, but no X23:40
sorenIt's not installing X.23:40
sorenIt's probably installing a few x libraries.23:40
phaidrosyeah, it was in old debian days. and there are surely packages around which have same strange dependencies nowadays23:41
sorenSeriously.. If a package in Ubuntu depends on another package... It *really* depends on it. It won't work without it.23:41
phaidrosoh, ok23:41
sorenAnd installing imagemagick won't install an X server.23:41
phaidrosso, as soon as my xen instance is back alie i can go and check which dependency caused this23:41
phaidrosalive23:42
sorenX libraries are not uncommon on servers, I believe.23:42
phaidrosreally? I have always a strange feeling if I see X packages on servers23:42
phaidrosthats imho a bad redhat&friends habit23:43
phaidrosuh oh, now I get segfaults on dist upgrade edgy->gutsy23:44
phaidrosis it safe to reboot if module-init-tools are not installed properly (there is the segfault)23:46
phaidros?23:46
phaidrosit is23:50
phaidrosok, libc6-xen is the solution for the segfaulting upgrade23:55
kgoetzedgy -> gutsy == bad upgrade path23:57
