[00:52] has someone gone and run s/Debian/Ubuntu in the libpam-ldap and libnss-ldap README.Debian files? is there any particular reason to have done so?
[02:00] Cool. I can requeue messages without super user privileges now in Postfix. One less reason to be root.
[02:00] ScottK: which version?
[02:01] or is it just having write access to deferred and friends?
[02:01] postqueue -i in 2.4
[02:01] * ScottK hadn't read the postqueue man page in a while.
[02:01] * lamont needs to read the nmap man page this week
[02:01] * ScottK had been using postsuper -r.
[02:07] dendrobates: you need to email fridge-devel to get your meetings listed on the fridge
[03:33] lamont: Speaking of which, Debian Bug# 453238 does not sound like a smart idea to me.
[03:38] hi all. i'm wondering if someone can recommend a log level for openldap (slapd) to help debug a libpam_ldap problem. level 256 doesnt seem to help me much. help with libpam_ldap /libnss_ldap would be appreciated too :/
[03:47] kgoetz: -1 will give you all available output.
[03:48] -1 where? slapd?
[03:49] kgoetz: /etc/default/slapd there's a SLAPD_OPTIONS="" try -d -1. then restart slapd
[03:49] so you'll have SLAPD_OPTIONS="-d -1"
[03:52] sommer: should i remove the debuglevel 256 from the slapd.conf?
[03:52] *loglevel
[03:52] * kgoetz sets to 0
[03:54] actually I've never used the loglevel option
[03:54] mm ok. i'll disable it entirely
[03:55] when debugging a big issue I start slapd in a terminal with these options slapd -d -1 -h "ldap:/// ldaps:///" -f /etc/ldap/slapd.conf
[03:55] you'll get all the output to the console... usually a lot of output.
[03:58] slapd doesnt seem to be restarting, should i expect it to run in the foreground now?
[03:59] kgoetz: I may have been wrong about the SLAPD_OPTIONS="-d -1"...
try setting them back to ""
[04:01] kgoetz: I thought that would work
[04:01] are you getting Starting OpenLDAP: slapd and it's just kind of hanging there
[04:01] sommer: slapd's running and i'm getting debug to syslog, i'm just surprised it didnt background
[04:01] esp. as theres nothing going to stdout
[04:02] did you start slapd in a console with the options I posted?
[04:03] i added '-d -1' to the /etc/default/slapd file. whenever i run slapd in a console it chowns the database to root
[04:05] apologies I may have been wrong about that file... you might try just running slapd from console
[04:06] you're right in as much as it is debugging, but i'm bemused its still foregrounded - if its logging to syslog theres no reason for it to hold the terminal
[04:08] ya that's strange does ctrl+c work?
[04:08] ^C kills the daemon
[04:10] mmmm... I'd just start slapd from console until you've figured out the issue then (it just feels cleaner)
[04:12] hm.
[04:56] hate software with no clear debugging options. pam is in that category :(
[04:56] now i see some pam_debug module ... yay, another module to load and confuse :S
[05:02] which gui best for iptables
[05:04] vetri: vim
[05:16] gui? for a text file?
[05:56] in DNS terms you have reverse zone files... is it correct to call the regular zone file a forward zone file?
[05:57] * ScottK has heard of reverse lookups, but never reverse zone files.
[05:57] afaik so
[05:57] But /me knows more about DNS protocol than admining DNS servers.
[05:58] cool just wondering
[05:59] the data for reverse lookups is stored in a reverse zone... a file in bind9 terms
[06:00] not sure about MS dns... reverse zones are configured in gui mode
[07:55] <_ruben> forward and reverse zones arent really that different from each other .. except that one (reverse) has entries below in-addr.arpa. and uses PTR records, and the other (forward) has entries below . and uses A/CNAME/MX/etc records :p
[08:04] uh, is the mount.nfs4 braindead or what..
it does a readlink() in the current directory, and when the server path doesn't exist there it fails
[08:04] this is on hardy
[08:05] anyone here using nfs/nfs4 mounts on hardy?
[08:05] hardy? maybe try #ubuntu+1
[08:06] avatar_: nope, I'll try linux-nfs@ instead
[08:06] hardy is atm alpha quality and not production ready
[08:06] moin
[08:06] avatar_: I'm core-dev, I know ;)
[08:07] ah, okay :)
[08:08] <_ruben> heh
[08:08] it wouldn't matter to me unless braindead software didn't insist on having $HOME (Mathematica)
[08:10] <_ruben> bugger .. time to investigate pf_ring on short term i guess ..
[08:10] <_ruben> Nov 28 06:41:25 ismlnx-fw07 pmacctd[7790]: wan0: (1196228485) 962816 packets received by filter
[08:10] <_ruben> Nov 28 06:41:25 ismlnx-fw07 pmacctd[7790]: wan0: (1196228485) 0 packets dropped by kernel
[08:10] <_ruben> Nov 28 06:56:25 ismlnx-fw07 pmacctd[7790]: wan0: (1196229385) 1032605 packets received by filter
[08:10] <_ruben> Nov 28 06:56:25 ismlnx-fw07 pmacctd[7790]: wan0: (1196229385) 13239 packets dropped by kernel
[08:57] hi
[08:58] <_ruben> g'day
[09:26] hello - Have installed JBoss on Ubuntu server 7.04. Works fine from localhost but when I try to hit a page remotely I get "The connection was reset". Any ideas?
[09:28] Steve_____: isn't there a rule in JBoss that by default only allows connections from localhost?
[09:29] Didn't think of that. Will try to find out - Currently running a slightly different version of jboss on ubuntu desktop 6.10 without problems
[09:30] Steve_____: I am no JBoss specialist, but google points to /usr/local/jboss/run.conf
[09:33] thanks nijaba. Will feedback if I get anywhere with that
=== ivoks_ is now known as ivoks
[11:26] How can I tell whether ubuntu is preventing access from remote machines to port 8080?
[11:27] iptables -L
[11:30] sudo lsof -i |grpe 8080
[11:30] sudo lsof -i |grep 8080
[11:30] on which interface is your daemon listening?
[11:30] iptables shows now rules (I tried iptables -F)
[11:32] -F je flush
[11:33] so if you had -P DROP, then -F would result in total jail of your system :)
[11:33] sorry... -F is flush
[11:33] iptables shows no rules
[11:33] then no one is blocking your ports
[11:34] lsof -i | grep 8080 gives nothing
[11:34] maybe your service isn't listening on 8080
[11:34] I can telnet to 8080 from localhost and HEAD
[11:34] you can telnet to localhost, right?
[11:34] or wget localhost:8080 and wget a web page
[11:34] yes
[11:34] checkout netstat -an | grep 8080
[11:35] How do I tell which interface the daemon is listening on
[11:35] tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN
[11:35] it listens only on localhost
[11:36] thanks
[14:05] Has anyone seen instances where a NIC stops responding to external requests and only starts responding once you initiate a connection from that machine?
[14:06] yes
[14:06] you can achieve that with firewall
[14:06] That's the firewall?
[14:07] could be
[14:07] it could also be a broken nic
[14:07] If so, that is a policy that redefines dumb
[14:07] akincer: dumb?
[14:07] akincer: well, who is the dumb one in this story? :)
[14:08] dump, stupid, moronic
[14:08] haha
[14:08] not me
[14:08] stock install
[14:08] then it's not firewall
[14:08] On ifconfig, packets aren't even making it to the machine
[14:09] although I can see where SOME data is coming in and out
[14:10] yesterday i saw a network setup where packages were coming in, but couldn't get out from server
[14:10] turns out that guy who is administrating network and servers doesn't have a clue about networking :)
[14:11] haha, well I know enough about both to keep my sanity
[14:11] I'm checking with the network guys to see if they can check the Catalyst for frame errors
[14:11] that guy's server didn't have a route to the rest of the network...
[14:11] LOL
[14:12] maybe your machines don't have a route to your server/machine
[14:12] If I walk into the server room and initiate a ping from the server to anything, it will start responding again
[14:12] No, it does
[14:12] same subnet
[14:12] intel nic?
[14:12] dapper?
[14:12] I could have an invalid GW and it would still respond
[14:13] Gutsy
[14:13] Not sure about NIC. Onboard on a Dell
[14:13] lspci would give you a hint
[14:14] Intel 82541GI
[14:14] Let's see what Google says
[14:17] i put my money on broken network setup :)
[14:18] Hmmm. I'll go check /etc/network/interfaces to see what it says.
[14:18] not on the server, but in network topology :)
[14:18] this sounds like all other machines don't have a clue about server's mac address
[14:19] and until server broadcast it, they can't find it
[14:20] check arp table on clients, when your server is unavailable
[14:20] I didn't configure the network, so I can't be sure. I am pretty sure there are issues though
[14:20] Long story, but I don't have control over the network
[14:21] I'm a one man IT shop, but the network is outsourced at the moment
[14:28] Trying to get a response from the network folks about that. I'm betting you're right
[14:32] coffeedude: hi
[14:37] hey
[14:38] is there any console based tools for detecting wireless ap ?
[14:38] or picking any available without wep ?
[14:38] iwconfig
[14:38] yea but thats for setting statically
[14:38] i want something to display broadcasted networks
[14:38] iwlist
[14:38] iwlist interface scan
[14:38] oh cool!
[14:39] hm i got a blank essid from that
[14:46] hm cool! it didn't pick up on its own but a scan with a essid got it!
[15:24] What factors affect how long it takes for new software revisions to make it into the repos?
[15:25] mathiaz: i'll check out ucf thing; i was fully unaware of such a tool :D
[15:26] mathiaz: and... you said you have worked on ror implementation?
[15:26] ivoks: s/implementation/design/
[15:28] ok
[15:30] mathiaz: makefile is still broken :)
[15:31] ivoks: you mean in tasksel ?
[15:31] yes
[15:32] it has hardcoded linking to desktop.preinst
[15:32] which is absurd... since it has :
[15:32] for script in info/*; do \
[15:50] in gutsy can i use security as well as gutsy-security ?
[15:51] there's only gutsy-security
[15:51] so how do i get libgd2-dev then /
[15:52] there's no such package
[15:52] there are libgd2-noxpm-dev and libgd2-xpm-dev
[15:52] http://packages.ubuntu.com/dapper/oldlibs/libgd2-dev
[15:53] whats the difference in those packages ?
[15:53] im following the nagios ubuntu quickstart and its telling me to install this stuff
[15:53] you asked about gutsy and then pasting dapper links
[15:53] oh ... well i just did a google search sorry..
[15:53] nagios quickstart in ubuntu is apt-get install angios
[15:53] nagios
[15:53] 6.10 is gutsy isn't it?
[15:53] or nagios3
[15:53] 6.10 is edgy
[15:54] hm
[15:54] the walk through is a bit outdated
[15:54] it will be obsolete in 5 months
[15:54] oh wow were on 7.10 right ?
[15:54] yes
[15:54] .10 ... thats why i thought it was right
[15:55] ok well ill use the meta package
[15:55] but i wonder they didn't update this
[15:56] hm you meant nagios2 ?
[15:56] right
[15:57] hm see this is why i like ubuntu over pure debian
[15:59] so v3 is still unstable ?
[15:59] do you recommend i install 3 on my own or stick with 2 ?
[16:02] i would go with v2
[16:03] and, fwiw, ubuntu nagios2 package is exactly the same as debian's
[16:04] Methods, have you looked Zenoss as an alternative to Nagios?
[16:04] methods: if you haven't - don't :)
[16:05] why?
[16:06] cuse it creates user
[16:06] cause
[16:06] and puts it in sudoers
[16:06] with NOPASSWD
[16:06] so, that user can wipe your entire system, and you have a web service running under it's privileges
[16:07] i can't think of worst security installation out there :)
[16:07] wtf is zenoss ?
[16:08] zenoss.com
[16:08] whats fwiw ?
[16:08] good looking nagios :)
[16:08] I don't remember it doing that. Haven't tried it in a while
[16:08] akincer: i wanted to package it... i gave up very soon
[16:08] I remember a few things being a PITA for no apparent reason, but no more than Nagios
[16:09] maybe it changed in last couple of months
[16:09] I loaded up a VM appliance, so I couldn't honestly tell you what it did under the hood
[16:10] so whats zenoss ?
[16:10] zenoss is to nagios what postfix is to sendmail (in function)
[16:10] a cheap alternative ?
[16:11] it appears to offer commercialized versions
[16:11] im looking to help open source movement for intelligent systems
[16:11] not propritized jerks
[16:13] another problem with zenoss is that it has files without copyright
[16:13] that, and nopasswd things are the reasons why zenoss packages were never introduced in debian
[16:14] on debian guy and i wanted to package it, but we gave up after 10 minutes with that software :)
[16:14] s/on/one
[16:27] this package gave me no information
[16:28] and appears to have an internal server error when i go to the web site
[16:31] Gotcha. I need to pick Nagios back up. Last time I gave it a shot, I quit after becoming extremely annoyed at how unnecessarily difficult it seemed to be to configure
[17:12] Hello. Having a problem with OpenVPN setup. Running the vars script that does a bunch of export fails to set the environment vars, while setting them at the command line works, and they seem to work within the script @ runtime in its echo statements. What gives?
[17:13] This is on 7.10 server.
[17:27] hello
[17:27] did anyone every use w3m-img?
[17:27] s/every/ever
=== oly_ is now known as oly-
[18:57] hi
[18:57] does somebody knows how can i run more than one ssh server on a server?
[18:58] juliux, hmm you can probably run sshd with a different configuration file specifying a different listening port.
[18:58] why would you want to run two ssh servers?
[18:59] i want one for users and one for backuping
[18:59] for the backuping i want to use sshkeys without a password
[18:59] but this ssh server should only work on the ip of my vpn
[19:01] i.e. users access from WAN and backupping is only from VPN?
[19:21] lousygarua, yep
[19:22] lousygarua, i have several servers and clients and they should automatically backup via rsync and ssh over the vpn
[19:23] juliux, i don't have much experience with SVN but shouldn't it be transparent to the SSH clients whether they connect an external or LAN/VPN IP?
[19:23] or you want the backup ssh server to accept connection *only* from LAN VPN so it's more 'secure'
[19:23] i want for the vpn clients ssh with sshkeys without any passwords
[19:23] well setting up ssh key authentication is really easy i've once done it myself for backup purposes
[19:23] i know
[19:24] no passwords
[19:24] i only want an extra ssh server for the vpn;)
[19:24] and you want passwords for the vpn connections
[19:24] can't you do both?
[19:24] mralphabet, i have keys for the vpn
[19:24] juliux, man sshd shows a `-f` option for specifying a different configuration file
[19:25] but still i don't see the use for two separate ssh servers
[19:26] i don't want ssh with keys on a ssh server that is reachable from the normal wan
[19:26] but if the vpn clients are unreachable from WAN there's no chance their private key to be stolen somehow
[19:27] and a hacker will find it very hard to create a clone private key for connecting your servers
[19:27] hmmm
[19:29] anyway, you can probably run an additional sshd server that only listens on 192.168.xxx.yyy so it's only available to VPN hosts
[19:34] hello im trying to install ubuntu server and i need some help
[19:34] zylmak, what help do you need :) be more specific
[19:35] the first thing i need to know is what im doing :) ...
well what im trying to do is to set a test server behind a router
[19:36] the server doesnt need to be visible from outside the router
[19:36] so the first thing i need is to set my ip address so it will be fix
[19:37] i found the file /etc/network/interface but dont know what is broadcast for
[19:38] zylmak, broadcast is the ip address that all hosts will listen to, smt like 192.168.0.255
[19:39] zylmak, because it has 255 which is binary for all 1's then the network interface on each host knows it should process the message
[19:39] it's like screaming "HELLO EVERYONE" in your lan
[19:40] ok
[19:41] anyone knows of a CLI WebDaV client?
[19:42] * lousygarua will be back soon
[19:47] cadaver maybe?
[20:11] how do I stop ubuntu from asking me to continue when it says it cannot verify the security (aka it can't access the internet) during a kickstart installation?
[20:11] also what is the kickstart syntax for a swap partition for ubuntu? the 'regular' way isn't working
[20:11] my next question is: do i need dhcp and bind, since my isp give the ip address to my router
[20:14] oops time to go to a reunion will come back later
[20:24] hello
[20:25] anyone has anything against maildir by default in mail-server task?
[20:27] nevermind I figured out the second question
[20:28] man it's hard finding anyone in ubuntu that actually KNOWS ubuntu
[20:28] lol
[20:28] hm
[20:28] and by ubuntu you mean kickstart
[20:31] no I mean ubuntu
[20:32] kickstart is the same protocol, ubuntu decided to accept or not accept various parameters
[20:32] kickstart isn't a protocol
[20:32] for example in ubuntu server 6.10 you can't use --noipv6
[20:32] that's not kickstart, that's ubuntu
[20:32] i repeat, kickstart is not a protocol, it's a file
[20:33] also you have to use part swap --size 2048 instead of part --fstype swap --size 2048 because of ubuntu
[20:33] kickstart is a file that follows the kickstart protocol to feed selections to anaconda, the red hat installer
[20:34] kickstart is a file, used to load some settings into anaconda
[20:34] in ubuntu, sane people, use it just to get to preseeding
[20:35] preseeding, otoh, has much more power than kickstart
[20:35] if an OS doesn't accept an option it's not because kickstart is somehow different for that OS, it's because that OS has arbitrarily changed their anaconda (or other) input mechanisms
[20:35] therefore it's ubuntu not kickstart
[20:35] i'm not sure who told you that ubuntu supports all options in kickstart...
[20:35] but it doesn't
[20:35] and that's not a secret
[20:36] hi
[20:36] i can't log into webmin as root anymore.
[20:36] proprietarysucks, what is kickstart either way
[20:36] all I asked was how to get ubuntu to stop the automatic installation to ask me a question
[20:36] i get: Nov 28 21:32:17 localhost webmin[7500]: Invalid login as root from 127.0.0.1
[20:36] I know ubuntu doesn't support all the options
[20:37] i wonder why?! Since ssh works with root
[20:37] then why complain?
[20:37] spiekey: you mentioned anymore? does that mean at one time you were able to login as root?
[20:37] spiekey: so you enabled root?
[20:37] jjesse: for the last 2 years, yes
[20:37] oversudden it does not work anymore, and i dont think i updated the machines in the last few month either.
[20:38] webmin uses the pam infos (user/pass) to auth, right?
[20:38] that's weird that all of the sudden it changed
[20:38] i think so, someone might be able to correct me
[20:38] been awhile since i used webmin
[20:38] oh, he?!
[20:39] I just installed ubuntu 6.10, using kickstart and it has stopped the automatic installation to ask me if it's ok to proceed after not being able to reach security.ubuntu.com. How do I automatically say yes here? It's not a kickstart question because red hat linux doesn't do this. It's a ubuntu question because it is obviously wanting some custom argument, and the ubuntu documentation on this particular issue is
[20:39] the old password works!
[20:39] jjesse: its the password from 2006!
[20:39] wtf?!
[20:39] proprietarysucks: preseeding
[20:39] look for debian preseeding
[20:40] learn it and then come back saying 'omg, i didn't know kickstart is so lame'
[20:40] :)
[20:40] spiekey: sorry, don't mean to be rude, but does google help?
[20:41] jjesse: not with the error messages i get in my logs
[20:41] our system automatically detects and configures all configurations of hard drives, nics, packages and everything we need, not sure how much better it can be
[20:41] the only thing that's not working right now is that ubuntu stops and complains about not being able to call home
[20:41] webmin must have its own passwd file or something..?!
[20:41] i give up
[20:42] spiekey: thats what i meant when i asked about google can you google webmin password file or something, sorry a little busy with work
[20:42] anyone know someone who actually knows ubuntu
[20:42] i know ivoks
[20:43] proprietarysucks, Whats the issue?
[20:43] jjesse: i feel so dumb now :-/
[20:43] spiekey: did it?
[20:43] I just want to know what kickstart option ubuntu is waiting for to allow it to not stop and ask if it's ok to proceed when it can't contact security.ubuntu.com
[20:43] spiekey: don't worry i do stupid things all the time
[20:44] or what i feel are stupid things
[20:44] proprietarysucks: kickstart doesn't support these things, preseed does
[20:44] jjesse: you are a sysadmin, right? :D
[20:44] !webmin @ spiekey
[20:44] we don't support webmin
[20:44] ivoks: kickstart is a text file, it supports anything you can type
[20:45] bah
[20:45] !webmin
[20:45] webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system
[20:45] spiekey: not right now, full time consultant but used to be a sys admin
[20:45] proprietarysucks: it doesn't support answering to questions, preseed does
[20:45] proprietarysucks: preseed will intercept question and provide an answer
[20:45] kickstart doesn't do that
[20:46] kickstart doesn't do anything
[20:46] kickstart has limited number of functions
[20:46] it's a text file
[20:46] perhaps you are thinking of anaconda?
[20:46] preseed can be used to set up debconf entries
[20:46] we are not talking about anaconda here, since we don't use anaconda
[20:47] you are a very confused person about this
[20:47] kickstart is a text file, there's no functions
[20:47] the program, called anaconda, reads this file and interprets the info
[20:47] really?
[20:47] so... which anaconda reads that file in ubuntu?
[20:47] cause we don't have it
[20:47] ubuntu also has decided to read these files, taking it's own CUSTOM text files
[20:47] so use preseed
[20:48] ubuntu also has decided to read these files, taking it's own CUSTOM text commands
[20:48] proprietarysucks: then use redhat, where's the problem?
[20:48] such as this one, you may recall: user --disable
[20:48] that's in the kickstart file and *ubuntu* recognizes it as meaning something
[20:49] I'm asking if anyone anywhere knows what other custom commands like this ubuntu has applied to the normal kickstart template
[20:49] this guy reminds me on one my ex professors
[20:50] ivoks: I think maildir by default is an excellent plan.
[20:50] ScottK: i agree
[20:50] :)
[20:50] Just saying so if anyone complains you can say it wasn't just you deciding to do it.
[20:51] :)
[20:52] ivoks: I'm started on the amavisd-new MIR. While it's still in Universe and I can upload changes, is there anything else you think we should do to the package?
[20:53] hm...
[20:54] we could provide some stuff during tasksel install
[20:54] No rush. It'll be sometime next week before I get the MIR done.
[20:54] amavis has amavis.d, so that would be much easier than with dovecot :)
[20:55] we will just drop configs for mail-server task there, and that will be it
[20:55] Our diff from Debian is pretty small right now. If there's anything else we want to change, I'd like to send it all up to them at once.
[20:55] OK
[20:55] we will not change amavis package
[20:55] we will leave it default...
[20:55] mail server task from tasksel will drop special stuff we decide to have
[20:56] so... apt-get install postfix dovecot-imapd amavisd-new gives you default installation
[20:56] sudo tasksel install mail-server gives you all that + ubuntu server team goodies
[20:56] Does anyone know the complete list of custom commands like user --disabled ubuntu has applied to the default kickstart template?
[20:57] proprietarysucks: maybe looking at the source might help
[21:07] ScottK: any objections to:
[21:07] smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated
[21:07] ?
[21:11] ivoks: reject_invalid_hostname should be reject_invalid_helo_hostname if we want it.
[21:12] The use case here is for an all in one mail server for sending and receiving mail for a domain, right?
[21:12] If that's the case then reject_invalid_hostname is something we don't want as MUAs often have a bogus HELO name.
[21:13] ivoks: Let me think about this one for a bit.
[21:13] well, bad clients would get 501
[21:14] ok, maybe we shouldn't go so tight...
[21:15] What I'm thinking is we should have 465 (for smtps) and 587 enabled with the looser restrictions and keep port 25 tight for receiving mail.
[21:16] Gotta run out for a bit.
[21:21] oh, you would enable 587?
[21:36] hello, i have a script, which dd's a few bytes every 5 seconds from an external usb-disk and mounts and rsync every 15 minutes
[21:36] sometimes the mount -t ntfs-3g just hangs
[21:37] an strace -p ... shows that the mount tries to: read(4,
[21:37] do you have an idea, why this could happen? How to avoid it?
[21:37] check what file has an ID 4
[21:37] and this is not server related question
[21:37] ivoks: Yes. If we're supporting sending and receiving. That's really how it ought to be done. There's even a recent RFC (BCP actually) about it.
[21:38] it's the server kernel, that's why i thought i should ask here
[21:38] ScottK: then we should do that by default in postfix, right?
[21:39] ivoks: For an appropriate debconf choice, yes.
[21:39] close2__: look for open ("/some/file", O_RDONLY|)_RWRITE) = 4
[21:39] ScottK: MTAs also frequently have bogus hostnames
[21:40] little companies like IBM, last I ran into it.
[21:40] (the ehlo hostname resolves in their _INTERNAL_ dns...)
[21:43] lamont: Agreed.
[21:44] lamont: I'd have to look the name up but there's now a test you can do just for rDNS existence that I think is a reasonable default.
[21:45] ok. the IBM host was NXDOMAIN...
OTOH, that was a few years back, maybe they finally agreed that it was stupid
[21:46] IBM currently has PTR names like e1.ny.us.ibm.com. I don't have ready access to HELO names.
[21:46] AOL requires rDNS, so I think it's safe for our default to require it.
=== MenZano is now known as MenZa
[21:48] ok.
[21:48] rDNS == reverse dns, yes?
[21:48] Yes
[21:48] As in PTR for the IP.
[21:48] right
[21:48] just making sure there wasn't some new TLA I was missing
[21:48] * ScottK notes in passing that it had 4 letters ...
[21:49] yeah... but FLA isn't self-referencing
[21:49] But it sounds naughtier.
[21:54] ok, uploading new patch
[21:55] done
[21:56] please, do comment, suggest, etc...
[21:56] patch to?
[21:56] bug 164837
[21:56] Launchpad bug 164837 in dovecot "Dovecot SASL for postfix" [Low,In progress] https://launchpad.net/bugs/164837
[21:56] patch for tasksel
[21:57] through, for future ref
[21:58] what more are we doing in postfix to finish lighting up sasl?
[21:58] and where is it authenticating against?
[21:58] oh...
[21:58] sorry... damn
[21:58] forgot the first part :D
[21:58] lmtp_sasl_type = cyrus
[21:58] smtp_sasl_type = cyrus
[21:58] smtpd_sasl_type = cyrus
[21:58] and those prolly need to change, no?
[21:59] yeah...
[21:59] lamont: The immediate question was do we enable port 587 by default for submission (I'd say yes for any debconf option that supports internet submission).
[21:59] lamont: Details.
[21:59] ivoks: Are there any reasons why those settings shouldn't be the default?
[22:00] because, ideally, I'd like to just have sasl configured by default in postfix (modulo debconf, of course)
[22:00] ivoks: Most (all?) of the settings in dovecot.conf look sane even outside of the postfix sasl stuff.
[22:01] ivoks: All the more reason to make it the *actual* default, and not only the default when you've installed dovecot in a particular way.
[22:01] ScottK: I'm OK with enabling 587 by default any time postfix is listening on port 25
[22:01] * lamont reviews his templates
[22:01] lamont: How about 465 for smtps too then?
[22:02] ScottK: any time that we turn on ssl, yes.
[22:02] :-)
[22:02] It's needed for non-starttls MUAs (notably Outlook Express and Outlook < 2007)
[22:02] OK
[22:02] soren: no sane reasons :)
[22:02] i would be happier to do this by default
[22:02] lamont: Are you good with that for Debian too?
[22:03] ivoks: I'd much prefer that to any post-installation rewriting of config files. If there are saner defaults, we should apply them globally.
[22:03] ScottK: there is only one postfix. :0
[22:03] lamont: Good. Just making sure we stay that way.
[22:04] I only have one forked package (util-linux), and that's purely because of build-deps
[22:04] which I can't do at run time
[22:04] we went with tasksel cause we don't want to override stuff for old users
[22:05] ivoks: Well just have to deal with that some other way.
[22:05] ivoks: I need to not muck with conffiles except as I get told by new debconf answers.
[22:05] and make the default install do the right thing
[22:05] ivoks: Apart from the Maildir change, all the settings could be (relatively) safely applied to existing configurations.
[22:05] lamont: it's not a conffile (in the dpkg sense)
[22:06] i'm trying to recall why we wanted to do it this way...
[22:06] lamont: and even if it were, it wouldn't be kosher to fiddle with it regardless of debconf.
[22:06] soren: there are nuances.
[22:07] anyway... doing it by default is what i prefer...
[22:07] postfix doesn't list master.cf and main.cf as conffiles simply because the questions from dpkg about who wins, me or the admin, are confusing to most endusers.
[22:07] aka admins
[22:07] ah, i know!
[22:08] when postfix asks a question in debconf, it has met the policy requirement of getting permission before mucking.
When it's required to muck, preinst does the asking, and aborts the upgrade if you say 'no'.
[22:08] it's because we can't force these changes into debian, and we would like delta to be as small as it can
[22:09] adding a new question for home_mailbox kinda needs can do interesting things with the defaults based on existing/not-existing configs, but ultimately, changing it from upstream's default means that I need to make it at least medium pri
[22:09] cause they don't prefer postfix over exim, and/or dovecot over cyrus
[22:09] ivoks: I'd much rather maintain a delta in the default config file than the tasksel change.
[22:09] ivoks: I think we're going to upload a default-mail-transport-agent package to debian, and then start the discussion about having people start Depending on that....
[22:10] ivoks: having the default be different between debian/ubuntu is not an issue... postfix already knows what it's building for...
[22:10] lamont: I've got that package on my laptop, by the way. I just need to extract it and send it your way.
[22:10] soren: please
[22:11] soren: if we're going to do it as a debian package, how do you feel about housing it in git.debian.org?
[22:11] lamont: git and I are not friends.
[22:12] soren: git 1.5? or unusably ancient 1.4?
[22:12] lamont: But... um.. certain other things force me to use git real soon anyway, so I might as well.
[22:12] lamont: No idea.
[22:12] so... we are giving up on tasksel? :)
[22:13] soren: go to git.debian.org and create yourself a guest account... then let me know I'll see about getting us a joint-development gid to assign so that we can share one repo instead of two.
[22:13] ivoks: If we implement your postconf changes from that patch into default postfix, and there's dovecot around, what will happen?
[22:13] ivoks: tasksel probably still has _some_ work to do.
[22:13] that's not an issue...
[22:13] issue is if someone has saslauthd
[22:14] lamont: Like what?
[22:14] ivoks: What will happen then?
[22:14] I expect that the change will wind up being that postfix will Recommend cyrus (debian) or dovecot (ubuntu), and then set things up if it's a fresh install
[22:15] soren: we are binding postfix to dovecot here, but not everybody has dovecot for imap/pop
[22:15] tasksel needs to at least pull in dovecot... I think it wants to be a suggests maybe?
[22:15] for postfix, that is
[22:15] well... wais a sec...
[22:15] wait...
[22:15] dovecot-common isn't imap/pop
[22:15] ivoks: what I was hoping to do for postfix was to ...
[22:15] ivoks: Precisely.
[22:16] so we can have dovecot-common and cyrus at the same time
[22:16] brb
[22:16] at postfix configure time, if we haven't done it before, ask the admin if he wants to set up sasl, pointing at dovecot or cyrus as appropriate (depending on what's installed, maybe).
[22:16] the default answer would be where we'd bind postfix to $SASL
[22:16] right
[22:16] which could vary between distros
[22:17] +postconf -e "broken_sasl_auth_clients = yes"
[22:17] ew
[22:17] could we 'preseed' debconf value for that question in ubuntu?
[22:17] I suppose, though.
[22:17] Can't we just make all the saslauth provides put their socket in the same place and not care?
[22:18] ivoks: we already have places where the source conditionally compiles around ubuntu vs debian... no need to go playing with preseeds... :0)
[22:18] We have a lower default priority for debconf questions.
[22:18] soren: No. I really don't think so.
[22:18] ScottK: Because?
[22:18] Because they work differently.
[22:18] soren: and the port25 banner is different
[22:18] we have to know which it is.
[22:19] Even in Cyrus you have to decide on sasldb versus auxprop and that affect a bunch of stuff.
[22:19] and the options are "cyrus" "dovecot" and "die, hellspawn"
[22:19] er, "no'
[22:19] :-)
[22:19] * ScottK will review the source before trying that last one.
[22:19] Ok, I wasn't aware.
[22:19] i thought they had some sort of well defined protocol.
[22:19] soren: this conversation is teaching me much wrt SASL... [22:19] Man, typing is hard! [22:20] it's been on my "I should figure this out sometime" list for about 5 years or so now. [22:20] soren: i gave up on typing... it's 23:30 :) [22:20] and hardy is a perfect time to fix it. [22:20] lamont: So the protocol with which you communicate is dependant on the server at the other end? [22:20] yes [22:20] yes [22:20] postfix supports two [22:20] craptastic [22:20] dovecot and cyrus [22:20] iirc [22:21] soren: hence the *_sasl_type variables [22:21] Like completely different as in there's no specification or are people just interpreting them in different ways? [22:21] like dbus and dcop :) [22:21] two separate implementations of two separate designs. [22:21] no common spec. [22:21] Fantastic. [22:21] there's no 'standard' [22:22] brb [22:22] soren: think windoze vs linux. :-) [22:22] only this time both suck. differently. [22:22] ivoks: btw, good to run into you again - haven't had any good chance to chat since Mataro, wasn't it? [22:23] mataro? [22:23] soren: SASL is defined, but that's on the wire. The MTA to SASL implementation API is implementation specific [22:23] * ivoks is kind of slow atm [22:23] ivoks: I somehow got the impression that we'd maybe met in Mataro. [22:23] @UDS [22:24] i was only on last uds at cambridge [22:24] mataro sounds spanish :) [22:24] ah. I guess more than one person lives in .hr :) [22:24] :) [22:24] ivoks: that's because it's in spain. :) [22:25] i don't know who else would be there from .hr... [22:25] I'd like to go to the next UDS or the next one after that [22:25] lamont was at the last UDS too, so maybe you two actually did meet there. [22:25] hm... maybe :) [22:25] quite possibl [22:25] e [22:26] * ScottK recalls meeting both of you. [22:26] hi all... anyone willing to look at some openldap debuging output? http://pastebin.ca/801011 i have two users in ldap, i belive both have valid passwords. 
on user (kgoetz) has a local account as well. only kgoetz can log in, the other (kim) cops an error. suggestions about how to go about debuggin this woul be good too :/ [22:27] ScottK: i remembre you on package review session; we agreed on amavis :) [22:28] Yep. [22:28] typos... [22:28] kgoetz: does ldapsearch find the user? and what about when you bind with the rootdn? [22:29] so, postfix preinst should check sasl method and then, if none, set dovecot :) [22:29] if there is /etc/dovecot/dovecot.conf :) [22:29] ivoks: I don't think setting type hurts us in any case... [22:30] and it'd be postinst that did it. config that decided the default.. [22:30] right, not preinst... [22:31] i know that dovecot will not start if /var/spool/postfix/private/auth doesn't exist [22:31] so, postfix must be installed before dovecot-common [22:31] this is why it's so easy to do it in tasksel.postinst :) [22:32] lamont: just checking [22:32] ldapsearch is whining about sasl :\ [22:32] kgoetz: I have to go fetch kids, but I have a mixed local and ldap world that I can help walk you through fixing your issue once I get back online... what TZ are you? [22:32] ah. [22:32] trivial. [22:33] lamont: AUS, ~+10.30. its 9am atm. [22:33] does ldapsearch -x work? [22:33] cat <<EOF >>/etc/ldap.conf [22:33] use_sasl no [22:33] rootuse_sasl no [22:33] EOF [22:33] and no, that's not documented anywhere I could find [22:33] ah. -x [22:33] s/that's/that was/ [22:34] ok. 'twould suck more if you were in europe somewhere... it'll take me somewhere around 1.5-2 hours before I'll be back online, once I leave in < 5 min [22:34] thanks for the pointer, i'll have a hack [22:34] np. [22:40] and I'm gone [22:41] later [22:41] bye [22:41] 'night all [22:41] :) === Drazha130 is now known as Drazha [22:51] hi, I have a problem with apt. http://pastebin.ca/801042 [22:52] I have xen-common installed, and can neither update, remove nor reinstall it :( [22:52] any ideas? [22:53] are you root? (did you run it with sudo?)
[22:54] I am root [22:54] hi kgoetz :) I've seen your name in the gobuntu list a lot [22:55] ah oh :) [22:55] I am root with sudo -s [22:55] try running `apt-get -f install` [22:56] E: The package xen-utils-3.0 needs to be reinstalled, but I can't find an archive for it. [22:56] I'll put it in /var/cache/apt/.. but I believe it's the same then like dpkg .. [22:57] it even doesn't recognize the package in /var/cache/apt/archives === paul____ is now known as pschulz01 [22:58] phaidros: try `apt-get update` then `apt-get install --reinstall ` [22:58] or whatever the aptitude equivalent is :) [22:59] aptitude samesame apt-get (usually) [23:00] i know aptitude has a 'reinstall' instead of 'install --reinstall' *wants apt to not need stupid extra switch* [23:01] no way. ok further the problem is, that I am currently trying to dist-upgrade, therefore there shouldn't be the same version in the tree. [23:01] but even if I put the package with the same version in /var/cache/apt/archives/ it doesn't fly :/ [23:02] did you download the package separately? [23:02] yes. [23:02] it is an edgy install, trying to upgrade to feisty / gutsy (tried both) [23:03] got the edgy packages. the dist-upgrade got the feisty (and gutsy) package already as well .. [23:03] ah... this could get interesting. [23:03] but brb [23:03] ok [23:08] kgoetz: force might be the only way .. [23:11] phaidros: yes, forcing will be required. [23:11] even --force-remove-reinstreq doesn't solve :( [23:11] phaidros: you'll have to try to go from whatever state your system is in now, to a feisty system. [23:11] then move from there. [23:11] how? [23:11] I am blocked :) [23:12] maybe force-all .. which I generally try to avoid [23:12] change sources list, update, try to dist-upgrade, see where it bails. force packages to install as needed [23:13] well, that's where I hang .. exactly the xen-utils .. I found no way around that yet. [23:14] all apt-get / aptitude / dpkg fail on that package ..
I'll have a look in the var/lib/dpkg/info/xen-utils-3.0.postinst [23:14] find the package this is in xen.xend.server (and by extentio the file), make sure it's there [23:16] sry, extentio ? [23:16] *extention [23:18] which dpkg switch helps me finding that package? [23:18] -S [23:18] iirc [23:23] no way to fing :/ [23:23] find [23:24] What's the problem? [23:25] xen-utils cannot get updated, removed, reinstalled .. tried all common tricks (force-all, apt-get install -f) [23:25] http://pastebin.ca/801042 === Drazha436 is now known as Drazha [23:25] sudo dpkg -P --force-remove-reinstreq xen-utils-3.0 = [23:25] Er.. no "=" at the end. [23:26] Or -r if you don't want to purge the config files. [23:26] samesame .. http://pastebin.ca/801064 [23:26] yeah, and that's the tricky part now :) [23:28] any ideas where to tinker? [23:29] Yes, I'm just trying to find the cleanest way. [23:30] phaidros: Not to worry, we'll get it removed in a minute. [23:31] hehe, I got it: replacing /usr/bin/xend with a bashscript saying only "exit 0" helped!! [23:31] Well, something's clearly botched, so if you can live with it might not cleaning up a conffile here or there... [23:31] Yes, that's one way. :) [23:31] what would have been an alternative? [23:31] Something along the same lines. [23:31] * phaidros proud [23:31] I'd have edited the preinst script, but the effect would be precisely the same. [23:31] :) [23:31] cool! [23:32] thanx a lot soren & kgoetz ! [23:32] It's really not the right way to go about it, but.. yeah, well. [23:33] yeah, but if any standard ways fail .. well, no options given the crude way wins the beauty contest [23:33] :) [23:34] ah something else: how to blacklist packages (eg all xserver related on a server) [23:35] (because I finally got X packages in on one machine, and cannot see which dependency might have caused this) [23:35] phaidros: If you try to remove them with apt-get, any package that depends on them will be removed.
[23:36] phaidros: ...so you can see if anything looks familiar. [23:36] yeah I believe it is some gdlib or graphviz or such for php [23:37] but anyhow, is there a clean way to block a group of packages under any circumstances/ [23:37] ? [23:37] Well, yes, but it really shouldn't be necessary. [23:38] hehe, not in an ideal world ;) [23:38] If you install a package that needs some x libraries, well... it needs some x libraries. [23:38] but as we've just seen .. world tends to non-idealism. I usually call that an entropic issue [23:38] phaidros: Can you give me a use case for it? [23:39] uhm, I need a package like imagemagick for php or cli/scripting purposes on my server, and that package depends somehow (because it is mainly a desktop distro) on X .. I don't want X on a server [23:40] Well, do you need imagemagick or don't you? [23:40] I do, but no X [23:40] It's not installing X. [23:40] It's probably installing a few x libraries. [23:41] yeah, it was in old debian days. and there are surely packages around which have same strange dependencies nowadays [23:41] Seriously.. If a package in Ubuntu depends on another package... It *really* depends on it. It won't work without it. [23:41] oh, ok [23:41] And installing imagemagick won't install an X server. [23:41] so, as soon as my xen instance is back alie i can go and check which dependency caused this [23:42] alive [23:42] X libraries are not uncommon on servers, I believe. [23:42] really? I have always a strange feeling if I see X packages on servers [23:43] that's imho a bad redhat&friends habit [23:44] uh oh, now I get segfaults on dist upgrade edgy->gutsy [23:46] is it safe to reboot if module-init-tools are not installed properly (there is the segfault) [23:46] ? [23:50] it is [23:55] ok, libc6-xen is the solution for the segfaulting upgrade [23:57] edgy -> gutsy == bad upgrade path