/srv/irclogs.ubuntu.com/2007/11/29/#ubuntu-server.txt

phaidros	kgoetz: you are right ..	00:00
lamont	kgoetz: any luck with ldap?	00:03
kgoetz	lamont: fraid not, i've been busy with other work. i managed to get ldapsearch going ok ( http://pastebin.ca/801040 ) and from my reding of that i can connect to ldap	00:04
lamont	kgoetz: are you doing ldaps or ldap in the end?	00:05
kgoetz	lamont: /etc/ldap.conf -> uri ldap://127.0.0.1/ . ldapi "wasnt working " as i recall	00:06
lamont	you want some spamage here, or pastebin, or where?	00:07
kgoetz	pastebin woul be fine.	00:07
kgoetz	avoid turning the channel against us ;)	00:08
lamont	step 1 is to get ldap://127.0.0.1/ working. Then we can worry about making a cert and getting ldaps happy	00:08
kgoetz	i have ldaps enabled, dont remember if i mad a cert for it or not	00:08
kgoetz	i just didnt see a reason to ldaps: onto localhost	00:08
kgoetz	in /etc/default/slapd i put SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"	00:09
lamont	http://pastebin.ca/801110	00:11
lamont	in there, s/foobaz/whatever/	00:12
lamont	and comment out the TLS_CACERT	00:12
kgoetz	looking atm :)	00:12
lamont	TLS_REQCERT should be uh... something	00:12
lamont	'never'	00:12
lamont	and rootbinddn should be god-of-ldap (whatever you said when you configured slapd)	00:13
lamont	_THEN_ ldapsearch -x -h localhost -D cn=admin,dc=foobaz,dc=com -W "(uid=kgoetz)" uid	00:14
lamont	that'll prompt you for the passphrase, which should be what's stored in /etc/ldap.secret	00:14
lamont	and if _that_ query works, then all we have to do is argue with nsswitch.conf	00:15
kgoetz	*starts looking for all those files/lines in files	00:15
lamont	kgoetz: I just finished smacking my config into usability again for gutsy	00:16
lamont	in the process, I fear I actually understand pam now.	00:16
lamont	don't tell anyone	00:16
lamont	:-)	00:16
kgoetz	hehehe. i got famiar with pam_radius and a few related bits... i wish i still rememberd :)	00:16
phaidros	any ideas what might be the problem with hotplug if "cat /proc/kernel/sys/hotplug" -> cat: /proc/kernel/sys/hotplug: No such file or directory (2.6.22-14-xen)	00:20
phaidros	?	00:20
kgoetz	your file or directory isnt there?	00:20
phaidros	but it shoul, shouldn't it?	00:21
kgoetz	lamont: teh TLS_REQCERT -i dont see that in my config. can i just add it?	00:21
kgoetz	s/teh/the	00:21
lamont	find /proc \| grep plug	00:21
lamont	/proc/sys/kernel/hotplug	00:21
phaidros	uh oh o.O	00:22
lamont	kgoetz: I expect so. That's almost exactly what the file looks like on my machine... worst case it just mutters about lines it doesn't understand	00:22
kgoetz	# here because "lamont said"	00:23
kgoetz	TLS_REQCERT demand	00:23
lamont	you want TLS_REQCERT never	00:24
lamont	for now	00:24
kgoetz	ok.	00:24
lamont	because we're not doing ldaps yet. just ldap.	00:24
kgoetz	ok	00:25
kgoetz	shouldi comment out the extra lines that you dont have?	00:27
kgoetz	oooh. it worked :o	00:29
kgoetz	ls: /etc/libnss-ldap*: No such file or directory	00:30
kgoetz	but the query workd :)	00:30
lamont	libnss-ldap* will need to be there when we say 'getent shadow \|grep kgoetz'	00:34
lamont	which we want to see two lines from, hence the fetcheverythingandgrep solution	00:34
lamont	apt-get install libnss-ldap	00:34
lamont	and may as well install libpam-ldap too	00:35
kgoetz	both are already installed	00:35
lamont	and finger-ldap :-)	00:35
lamont	ah, on gutsy?	00:35
kgoetz	yes.	00:35
lamont	the symlinks may or may not be needed... I'm to lazy to figure it out - they're certainly needed on dapper. :-)	00:36
lamont	and I have dapper machines, too.	00:36
lamont	sudo /etc/init.d/nscd restart	00:36
kgoetz	they dont seem to be needed anmore ;)	00:36
kgoetz	*any more :)	00:36
lamont	actually, do a stop and then a start - restart doesn't always give me the love I want	00:36
lamont	and the uri in /etc/ldap.conf is ldap://127.0.0.1/, not the ldaps://ldap.foobaz.com/, right?	00:37
lamont	/query lamont and paste /etc/ldap.conf :-)	00:37
kgoetz	i dont have an nscd	00:38
* kgoetz cuts out comments from config file		00:39
lamont	no nscd just means that you'll query the ldap server alot. OTOH, it also means that nscd won't be stepping in the middle and LYING to you	00:40
kgoetz	pm flooded	00:43
lousygarua	did anyone ever tried `rsync` over WebDAV? does it works??	01:18
lamont	Nov 28 16:05:21 mmjgroup postfix/local[15044]: warning: pipe_command_read: read time limit exceeded	02:16
* lamont grumbles		02:16
danp	hi. where would i find a list (or an RSS feed) of packages that are updated in universe/multiverse?	02:39
danp	i have a server running edgy and perdition was updated for security fixes but i couldn't find that announced anywhere	02:39
Burgundavia	danp: ubuntu.nl has feeds	02:47
Burgundavia	danp: https://lists.ubuntu.com/archives/ubuntu-devel/2005-August/009392.html	02:48
danp	thanks, seems to be gone now though	02:49
Burgundavia	they are there still	02:50
Burgundavia	just moved	02:50
Burgundavia	just trying to find them	02:50
Burgundavia	danp: http://blogs.ubuntu-nl.org/dennis/2007/10/21/hardy-heron-changes-feed/	02:52
danp	thanks!	03:07
danp	Burgundavia: hmm, this still only seems to be changes to main. perdition is in universe	03:56
Burgundavia	danp: there have been no changes to edgy since release, as only main is security supported	04:00
kgoetz	any (easy) way to increase teh logging prouced by pam? i'm unable to get multiple logins over ssh using ldap backend (i also have issues with sudo)	04:00
Burgundavia	danp: https://lists.ubuntu.com/archives/edgy-changes/2007-November/thread.html	04:01
Burgundavia	danp: and why are you still running an edgy server?	04:01
Burgundavia	it is not supported for all that much longer (6months)	04:01
danp	that's still only main changes...perdition is in universe and was recently updated	04:02
Burgundavia	http://changelogs.ubuntu.com/changelogs/pool/universe/p/perdition/perdition_1.17-7ubuntu0.6.10.1/changelog	04:02
Burgundavia	hmm, wonder why they are not showing up	04:03
danp	and i'm still running edgy because it's supported for another 6 months :P	04:03
Burgundavia	at which point you need to upgrade to Feisty, for another 6 months	04:04
Burgundavia	and then to Gutsy and then to Hardy	04:04
ScottK	Burgundavia: There have been edgy-security uploads for Universe packages. I've done a couple myself.	04:08
Burgundavia	ScottK: yes, but not many	04:09
Burgundavia	not that I would trust a production server to	04:09
danp	i'm on ubuntu-security and i never got a notice for perdition	04:09
ScottK	Well you take that risk pretty much whenever you run Universe stuff.	04:09
Burgundavia	because -security doesn't carry universe stuff	04:09
Burgundavia	this is a fairly serious issue, the lack of notification	04:09
ScottK	danp: Even when Universe packages get updated, they won't do a USN.	04:09
Burgundavia	it should at a minimum, go to -changes	04:10
ScottK	Agreed.	04:10
danp	is there at least a published list of the changes?	04:10
Burgundavia	let me put it on the tech board agenda	04:10
Burgundavia	danp: there is the mailing list. I have no idea why this upload did no make it there	04:10
ScottK	LP developers dropped security from -changes because the fact that it was there before was a 'bug' and not by design.	04:10
Burgundavia	ugh, that is dump	04:10
Burgundavia	dumb, rather	04:10
ScottK	They've been thrashed and promise to put it back Real Soon Now.	04:10
ScottK	Well it's LP. That's redundant	04:11
Burgundavia	I am very strongly of the opinion that LP is mostly just a giant non-free rathole	04:11
danp	this is just an example, but in a more general sense i'm looking for a way to get notified/informed of any changes to whatever release i'm using	04:11
Burgundavia	this is one of those holes	04:12
ScottK	Burgundavia: Agreed.	04:12
danp	is my best bet right now to track the package list files?	04:12
ScottK	When I asked, "If it's a bug, where's the spec that describes how it's supposed to work?"	04:12
ScottK	Answer I got was, "will you help us write one"	04:12
Burgundavia	danp: -changes should have everything. This is a bug	04:13
Burgundavia	https://wiki.ubuntu.com/TechnicalBoardAgenda	04:13
Burgundavia	added both items to the next TB meeting	04:13
ScottK	https://wiki.ubuntu.com/UbuntuDevelopment/PackageArchive/SoyuzUserDocumentationDraft is what now exists for documentation. it's a bit, um, thin.	04:14
danp	thanks!	04:14
ScottK	My larger answer on the help write the spec issue is that I have a consulting rate for proprietary system development work.	04:15
ScottK	Which is where the non-free bit kicks in.	04:15
danp	so at the moment what is going to -changes?	04:15
ScottK	For Edgy, you would get edgy-updates.	04:15
ScottK	Backports too, I think.	04:16
danp	cool	04:20
lamont	Burgundavia: bzgrep ^Package: ubuntu/dists/gutsy-security/universe/binary-i386/Packages.bz2 \|wc -l	04:27
lamont	55	04:27
lamont	universe gets security updates, it's just not something that canonical funds doing, other than best-effort by keescook et al.	04:28
ScottK	The larger point that Burgundavia makes is valid though. There's no announcement mechanism.	04:29
Burgundavia	lamont: yep, I get that. This is more about making certain what updates do get done get notifications created	04:29
lamont	"notification" == advisory?	04:29
danp	not necessarily	04:29
ScottK	I've don't -security updates for packages that were in Universe in some releases and in Main in others and the USN just talked about the Main ones (leaving one to reasonably infer the other releases weren't affected when they were(	04:30
ScottK	(/)	04:30
lamont	Burgundavia: and launchpad has nothing to do with -security packages getting built.	04:30
danp	i personally just want a way to be notified of every possible change to a release	04:30
Burgundavia	lamont: I didn't say it did	04:30
Burgundavia	I was talking about mailing lists	04:30
danp	hopefully not as low-level as reviewing changes to the Packages files myself	04:30
lamont	most of the stuff that builds in -security is built while it's embargoed. hence no notice to -changes. the embargo is also the root cause of LP not being involved.	04:31
Burgundavia	but that is a bug that can be fixed	04:31
lamont	since launchpadlibrarian has no concept of read restrictions	04:31
lamont	Burgundavia: fixed how?	04:31
lamont	I can't send you a notification when i build it.	04:31
Burgundavia	lamont: by sending the notification only when it is unembargoed	04:31
ScottK	lamont: At some point LP learns of the change. Then.	04:32
lamont	I _can_ send you a notification when its unembargoed. I've only seen that notification in the form of a security advisory.	04:32
lamont	for _any_ software distro	04:32
lamont	LP learns of the change once it's unembargoed	04:32
lamont	I think.	04:32
lamont	it must be importing -secuity back from the dak archive	04:33
Burgundavia	right, I am not arguing implementation at the moment	04:33
lamont	so at the point that LP imports the -security bits from dak, it could generate a -changes mail	04:33
* lamont is speculating on that bit of process.		04:33
Burgundavia	right, those are details I don't know, nor do I really specifically care, given I am not an LP dev	04:34
ScottK	The key bit is that it used to be there and was removed. What man has once accomplished he can aspire to achieve again.	04:38
lousygarua	wow, it's cold in here and i've just put a nice heat-blower straight on my feet!	04:40
* lousygarua is delighted		04:40
kgoetz	i just found my ldap is far more broken then i thought	04:40
* kgoetz is upset		04:40
lousygarua	how can an ldap get broken?	04:41
danp	Burgundavia and ScottK, thanks for the tips. i look forward to -changes being my answer soon :)	04:41
kgoetz	my lookups arnt working properly somehow. I have no name!@newmoon:/root$	04:42
Burgundavia	danp: no worries. Sorry we cannot help you in the imm.	04:42
danp	it's cool. i can make do with looking at Packages in the mean time. but i'm sure other people would appreciate that information if it was readily available	04:43
kgoetz	lamont: you aroud? i cant seem to figure out some issues	04:44
lamont	heh	04:44
kgoetz	:(	04:44
lamont	fire away	04:44
* lamont waits for "how do we find the girl? If we do find the girl, how do we get away?"		04:45
kgoetz	i can run 'id $USERNAME' and it lists out the users IDs, but bash/anything else cant map the IDs	04:46
kgoetz	i can ssh in as the user, but it seems only once at a time	04:46
lamont	make life easier: apt-get install nscd	04:46
lamont	which, amusingly, shouldn't change anything	04:47
kgoetz	intalling now	04:47
kgoetz	reasonably small config file	04:48
lamont	it has a config file?	04:48
lamont	:-)	04:48
kgoetz	yes... dont i need it? :\	04:49
lamont	I expect so.	04:49
lamont	I never even noticed	04:49
lamont	as in, it won't need any edits	04:49
kgoetz	ok	04:49
lamont	how is bash trying to map the id?	04:49
lamont	(as in, what do you mean that it can't? what's your testcase?)	04:50
kgoetz	installing that makes a difference o	04:51
kgoetz	s/ o//	04:51
kgoetz	lamont: i typed in 'bash'	04:51
kgoetz	and got "I have no name!@newmoon:/root$" back	04:51
lamont	is /etc/ldap.conf readable by mortals?	04:51
kgoetz	now i get "kim@newmoon:/etc/pam.d$	04:51
kgoetz	"	04:51
lamont	/etc/nsswitch.conf?	04:52
lamont	(/etc/ldap.secret should be root:root, 600	04:52
kgoetz	yes they are.	04:52
lamont	the others, should be 644	04:52
kgoetz	yep	04:52
lamont	so installing nscd fixed it?	04:52
kgoetz	yes	04:53
lamont	if you figure out why, I'd love to know	04:53
kgoetz	you are a genius :)	04:53
lamont	thanks	04:53
lamont	I should really put the whole mess into a howto on the wiki sometime	04:54
kgoetz	i was goign to work on one/two as well. getting it working became a higher priority then writing about it though ;)	04:56
lamont	I wonder if it's because nscd runs as root	04:56
* lamont automated ssh key replication to clients from ldap		04:56
* lamont is lazy		04:57
kgoetz	.... your writing the guide :P	04:58
lamont	heh	05:05
kgoetz	hm. root@newmoon:~# ldapaddgroup kgoetz 1179	05:12
kgoetz	grep: /etc/pam_ldap.conf: No such file or directory	05:12
kgoetz	is pam_ldap.conf still in use? iirc i read its been retired	05:12
lamont	if it's being used, it should be a symlink to /etc/ldap.conf	05:13
lamont	_I_ have it. :0)(	05:13
kgoetz	reading /usr/share/doc/libpam-ldap/README.Debian is interesting	05:15
lamont	yeah. that and the manpage for pam.conf were very eye opening on monday night	05:16
kgoetz	stupid pam	05:17
lamont	heh. pam is love, man.	05:18
kgoetz	polletheme pam :\	05:19
kgoetz	win 32	05:19
zero-9376	is there a metapackage for the lamp server that you install from the server cd	07:08
kraut	moin	08:11
_ruben	mornin	08:22
soren	zero-9376: No, but if you had bothered to stick around for more than 27 seconds, someone might have told you what to do..	08:37
_ruben	;)	08:46
_ruben	well .. 6 minutes a bit longer than 27 secs .. but still :-)	08:47
Burgundavia	soren: I see him being in channel for 5 minutes at least	09:18
soren	Burgundavia: Potato, potato.	09:20
soren	Doesn't really work in writing, does it?	09:20
soren	Burgundavia: 5 minutes is still an annoyingly short time to stick around for when you've asked a question.	09:20
joycetick	ive just installed ubuntu-server 7.10 on a laptop but its wireless pcmcia card is being recognised (i think, it shows up in iwconfig at eth2) but returns errors when trying to connect to the network (this card was working before in xubuntu 7.04)	11:50
=== Pumpernickle is now known as Pumpernickel
kraut	joycetick: why do you install ubuntu-server on a laptop?	13:22
joycetick	its a 800Mhz machine so i wanted to install fluxbox or similar on it	13:23
firecrotch	joycetick: what about Xubuntu?	13:24
joycetick	and my isp mirrored the iso so it was easier to get than fluxbuntu (which i just found through google)	13:24
joycetick	i was using that before i installed ubuntu-server, might have to go back to it	13:25
phaidros	any xen expert around ?	14:11
avatar_	!ask	14:19
ubotu	Don't ask to ask a question. Just ask your question :)	14:19
avatar_	i'm not an expert	14:19
henrix	or try #ubuntu-xen ;)	14:20
Gargoyle	libc6 is what is commonly known as glib isn't it?	15:36
Gargoyle	*glibc	15:36
spiekey	how can you force ubuntu to write directly onto usb stick, without caching?	15:57
spiekey	is this a mount option?	15:57
soren	spiekey: I don't remember if "flush" works?	16:24
soren	spiekey: mount -o flush -t vfat /dev/whatever /media/whereever	16:24
soren	spiekey: Otherwise, "-o sync" is what you're looking for.	16:24
soren	spiekey: It'll kill your usb stick, though.	16:25
soren	spiekey: They're only built to handle a certain amount of writes to them. If you mount it with sync, and you have a particularly stupid application write to it, just writing a single file to it can cause it to be written to several thousand times.	16:25
=== dendrobates is now known as dendro-away
darrend	hi all	17:14
darrend	I have a cron job in /etc/cron.hourly that fails when cron executes it ("Exec Bad Format" or similar message). If I execute it manually, it runs fine. Any ideas?	17:15
darrend	script is at http://pastebin.com/d13dc62ab	17:15
mralphabet	darrend: that looks right . . . the bad format is from syslog?	17:25
darrend	mralphabet: the message was being added to the email that cron was sending (which was ending up in ~/dead.letter but is now being accepted by the remote mail server and ending up in a black hole	17:31
darrend	let me try to disable the mail output so I see the messages again.	17:31
lamont	keescook: are you the apparmor guy?	17:31
lamont	Nov 29 10:01:22 mix kernel: [739593.226765] audit(1196355682.459:35): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/ldap/ldap.conf" pid=16512 profile="/usr/sbin/cupsd"	17:32
lamont	how do I tell it that it's OK?	17:32
keescook	lamont: well, mathiaz and I both work on it	17:32
keescook	why is cups trying to read ldap.conf? but anyway, sudo vi /etc/apparmor.d/*cups	17:32
keescook	add: /etc/ldap/ldap.conf r,	17:32
keescook	then sudo /etc/init.d/apparmor reload	17:33
lamont	and then restart cups	17:33
keescook	nope	17:33
lamont	well, I did the first two steps...	17:33
keescook	the aa reload will just update the running process's confinement	17:33
keescook	you can do sudo aa-status to see what aa thinks of the world	17:34
keescook	if you did apparmor stop/start you're SOL, and you need to restart cups	17:34
lamont	aalib is part of apparmor? :-)	17:34
keescook	that would rule	17:34
keescook	"I'm pwning you in ASCII!"	17:34
lamont	I might have done /etc/init.d/apparmor restart	17:35
lamont	mind you, I'd rather see us make selinux happier	17:35
keescook	restart == reload so that's okay	17:35
keescook	lamont: sure, we're just waiting on some upstream patches to roll out for that	17:35
keescook	lamont: where does aa-status report cupsd?	17:36
lamont	2 profiles are in enforce mode.	17:36
lamont	/usr/sbin/cupsd	17:36
lamont	/usr/lib/cups/backend/cups-pdf	17:36
lamont	1 processes are in enforce mode :	17:36
lamont	/usr/sbin/cupsd (18409)	17:36
darrend	mralphabet: error message is.. "run-parts: failed to exec /etc/cron.hourly/00backup: Exec format error"	17:36
keescook	(also, you added the ldap.conf to the cupds section not the cups-pdf section of /etc/apparmor.d/*cupsd ?	17:37
lamont	Nov 29 10:36:12 mix kernel: [741679.573259] audit(1196357772.436:39): type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/ldap/ldap.conf" pid=18573 profile="/usr/sbin/cupsd"	17:37
lamont	no.	17:37
lamont	abstractions/cups-client	17:37
* lamont does the right file		17:37
keescook	ah, yeah, the cups-client is for stuff trying to talk to the cups server, etc.	17:38
darrend	mralphabet: I think google may know the answer.. looks like I need /bin/sh and not /bin/bash	17:39
lamont	yeah! helps to fix the right file.	17:39
lamont	thansk	17:39
mralphabet	darrend: heh	17:40
darrend	hmm.. no - still fails	17:40
darrend	brb	17:41
mralphabet	;(	17:43
rodpod	would it be better if i used iptables to forward GRE and port 1723 to access a RRAS VPN (PPTP) server, or just setup the VPN stuff on my ubuntu server and use LDAP for authenticating...what would be the best package with ldap support for doing this?	17:45
* nealmcb congratulates jdstrand on Ubuntu Membership :-)		17:51
jdstrand	thanks again nealmcb! :)	17:52
=== gamble6x is now known as gamble\|mission
AlexJTanner	i have a question	18:28
AlexJTanner	anyone there?	18:29
somerville32	!ask	18:30
ubotu	Don't ask to ask a question. Just ask your question :)	18:30
AlexJTanner	well here's my question "everytime I use apt-get install on my ubuntu servers they want me to put in the DVD, how can I get it to instead of taking the packages from the DVD to take them fromt the reprostories	18:30
AlexJTanner	I have SSH acess to both of them	18:34
ember	how may have it source.list to get it from dvd i think	18:34
rodpod	nano /etc/apt/sources.list	18:35
rodpod	take out the cdrom entries	18:35
AlexJTanner	k thanks	18:35
AlexJTanner	I feel a bit of a newb asking this question	18:35
AlexJTanner	this is just my first time running ubuntu without gnome	18:36
AlexJTanner	i am working on getting both of them ready to go into my basement, and part of that is not having to run down and put a DVD in everytime I need to install something	18:38
=== gamble\|mission is now known as gamble6x
=== macd_ is now known as macd
ScottK	lamont: I think Bug #172925 is worth you having a look at.	22:43
ubotu	Launchpad bug 172925 in postfix "postfix upgrade does not add 'retry' service" [Medium,Confirmed] https://launchpad.net/bugs/172925	22:43
lamont	gah.	22:58
lamont	will do	22:58

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!