[00:00] <phaidros> kgoetz: you are right ..
[00:03] <lamont> kgoetz: any luck with ldap?
[00:04] <kgoetz> lamont: fraid not, i've been busy with other work. i managed to get ldapsearch going ok ( http://pastebin.ca/801040 ) and from my reding of that i can connect to ldap
[00:05] <lamont> kgoetz: are you doing ldaps or ldap in the end?
[00:06] <kgoetz> lamont: /etc/ldap.conf -> uri ldap://127.0.0.1/ . ldapi "wasnt working " as i recall
[00:07] <lamont> you want some spamage here, or pastebin, or where?
[00:07] <kgoetz> pastebin woul be fine.
[00:08] <kgoetz> avoid turning the channel against us ;)
[00:08] <lamont> step 1 is to get ldap://127.0.0.1/ working.  Then we can worry about making a cert and getting ldaps happy
[00:08] <kgoetz> i have ldaps enabled, dont remember if i mad a cert for it or not
[00:08] <kgoetz> i just didnt see a reason to ldaps: onto localhost
[00:09] <kgoetz> in /etc/default/slapd i put SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
[00:11] <lamont> http://pastebin.ca/801110
[00:12] <lamont> in there, s/foobaz/whatever/
[00:12] <lamont> and comment out the TLS_CACERT
[00:12] <kgoetz> looking atm :)
[00:12] <lamont> TLS_REQCERT should be uh... something
[00:12] <lamont> 'never'
[00:13] <lamont> and rootbinddn should be god-of-ldap (whatever you said when you configured slapd)
[00:14] <lamont> _THEN_ ldapsearch -x -h localhost -D cn=admin,dc=foobaz,dc=com -W "(uid=kgoetz)" uid
[00:14] <lamont> that'll prompt you for the passphrase, which should be what's stored in /etc/ldap.secret
[00:15] <lamont> and if _that_ query works, then all we have to do is argue with nsswitch.conf
[00:15] <kgoetz> *starts looking for all those files/lines in files
[00:16] <lamont> kgoetz: I just finished smacking my config into usability again for gutsy
[00:16] <lamont> in the process, I fear I actually understand pam now.
[00:16] <lamont> don't tell anyone
[00:16] <lamont> :-)
[00:16] <kgoetz> hehehe. i got famiar with pam_radius and a few related bits... i wish i still rememberd :)
[00:20] <phaidros> any ideas what might be the problem with hotplug if "cat /proc/kernel/sys/hotplug" -> cat: /proc/kernel/sys/hotplug: No such file or directory (2.6.22-14-xen)
[00:20] <phaidros> ?
[00:20] <kgoetz> your file or directory isnt there?
[00:21] <phaidros> but it shoul, shouldn't it?
[00:21] <kgoetz> lamont: teh TLS_REQCERT -i dont see that in my config. can i just add it?
[00:21] <kgoetz> s/teh/the
[00:21] <lamont>  find /proc | grep plug
[00:21] <lamont> /proc/sys/kernel/hotplug
[00:22] <phaidros> uh oh o.O
[00:22] <lamont> kgoetz: I expect so.  That's almost exactly what the file looks like on my machine... worst case it just mutters about lines it doesn't understand
[00:23] <kgoetz> # here because "lamont said"
[00:23] <kgoetz> TLS_REQCERT demand
[00:24] <lamont> you want TLS_REQCERT never
[00:24] <lamont> for now
[00:24] <kgoetz> ok.
[00:24] <lamont> because we're not doing ldaps yet.  just ldap.
[00:25] <kgoetz> ok
[00:27] <kgoetz> shouldi comment out the extra lines that you dont have?
[00:29] <kgoetz> oooh. it worked :o
[00:30] <kgoetz> ls: /etc/libnss-ldap*: No such file or directory
[00:30] <kgoetz> but the query workd :)
[00:34] <lamont> libnss-ldap*  will need to be there when we say 'getent shadow |grep kgoetz'
[00:34] <lamont> which we want to see two lines from, hence the fetcheverythingandgrep solution
[00:34] <lamont> apt-get install libnss-ldap
[00:35] <lamont> and may as well install libpam-ldap too
[00:35] <kgoetz> both are already installed
[00:35] <lamont> and finger-ldap :-)
[00:35] <lamont> ah, on gutsy?
[00:35] <kgoetz> yes.
[00:36] <lamont> the symlinks may or may not be needed... I'm to lazy to figure it out - they're certainly needed on dapper. :-)
[00:36] <lamont> and I have dapper machines, too.
[00:36] <lamont> sudo /etc/init.d/nscd restart
[00:36] <kgoetz> they dont seem to be needed anmore ;)
[00:36] <kgoetz> *any more :)
[00:36] <lamont> actually, do a stop and then a start - restart doesn't always give me the love I want
[00:37] <lamont> and the uri in /etc/ldap.conf is ldap://127.0.0.1/, not the ldaps://ldap.foobaz.com/, right?
[00:37] <lamont>  /query lamont and paste /etc/ldap.conf :-)
[00:38] <kgoetz> i dont have an nscd
[00:39]  * kgoetz cuts out comments from config file
[00:40] <lamont> no nscd just means that you'll query the ldap server alot.  OTOH, it also means that nscd won't be stepping in the middle and LYING to you
[00:43] <kgoetz> pm flooded
[01:18] <lousygarua> did anyone ever tried `rsync` over WebDAV? does it works??
[02:16] <lamont> Nov 28 16:05:21 mmjgroup postfix/local[15044]: warning: pipe_command_read: read time limit exceeded
[02:16]  * lamont grumbles
[02:39] <danp> hi. where would i find a list (or an RSS feed) of packages that are updated in universe/multiverse?
[02:39] <danp> i have a server running edgy and perdition was updated for security fixes but i couldn't find that announced anywhere
[02:47] <Burgundavia> danp: ubuntu.nl has feeds
[02:48] <Burgundavia> danp: https://lists.ubuntu.com/archives/ubuntu-devel/2005-August/009392.html
[02:49] <danp> thanks, seems to be gone now though
[02:50] <Burgundavia> they are there still
[02:50] <Burgundavia> just moved
[02:50] <Burgundavia> just trying to find them
[02:52] <Burgundavia> danp: http://blogs.ubuntu-nl.org/dennis/2007/10/21/hardy-heron-changes-feed/
[03:07] <danp> thanks!
[03:56] <danp> Burgundavia: hmm, this still only seems to be changes to main. perdition is in universe
[04:00] <Burgundavia> danp: there have been no changes to edgy since release, as only main is security supported
[04:00] <kgoetz> any (easy) way to increase teh logging prouced by pam? i'm unable to get multiple logins over ssh using ldap backend (i also have issues with sudo)
[04:01] <Burgundavia> danp: https://lists.ubuntu.com/archives/edgy-changes/2007-November/thread.html
[04:01] <Burgundavia> danp: and why are you still running an edgy server?
[04:01] <Burgundavia> it is not supported for all that much longer (6months)
[04:02] <danp> that's still only main changes...perdition is in universe and was recently updated
[04:02] <Burgundavia> http://changelogs.ubuntu.com/changelogs/pool/universe/p/perdition/perdition_1.17-7ubuntu0.6.10.1/changelog
[04:03] <Burgundavia> hmm, wonder why they are not showing up
[04:03] <danp> and i'm still running edgy because it's supported for another 6 months :P
[04:04] <Burgundavia> at which point you need to upgrade to Feisty, for another 6 months
[04:04] <Burgundavia> and then to Gutsy and then to Hardy
[04:08] <ScottK> Burgundavia: There have been edgy-security uploads for Universe packages.  I've done a couple myself.
[04:09] <Burgundavia> ScottK: yes, but not many
[04:09] <Burgundavia> not that I would trust a production server to
[04:09] <danp> i'm on ubuntu-security and i never got a notice for perdition
[04:09] <ScottK> Well you take that risk pretty much whenever you run Universe stuff.
[04:09] <Burgundavia> because -security doesn't carry universe stuff
[04:09] <Burgundavia> this is a fairly serious issue, the lack of notification
[04:09] <ScottK> danp: Even when Universe packages get updated, they won't do a USN.
[04:10] <Burgundavia> it should at a minimum, go to -changes
[04:10] <ScottK> Agreed.
[04:10] <danp> is there at least a published list of the changes?
[04:10] <Burgundavia> let me put it on the tech board agenda
[04:10] <Burgundavia> danp: there is the mailing list. I have no idea why this upload did no make it there
[04:10] <ScottK> LP developers dropped security from -changes because the fact that it was there before was a 'bug' and not by design.
[04:10] <Burgundavia> ugh, that is dump
[04:10] <Burgundavia> dumb, rather
[04:10] <ScottK> They've been thrashed and promise to put it back Real Soon Now.
[04:11] <ScottK> Well it's LP.  That's redundant
[04:11] <Burgundavia> I am very strongly of the opinion that LP is mostly just a giant non-free rathole
[04:11] <danp> this is just an example, but in a more general sense i'm looking for a way to get notified/informed of *any* changes to whatever release i'm using
[04:12] <Burgundavia> this is one of those holes
[04:12] <ScottK> Burgundavia: Agreed.
[04:12] <danp> is my best bet right now to track the package list files?
[04:12] <ScottK> When I asked, "If it's a bug, where's the spec that describes how it's supposed to work?"
[04:12] <ScottK> Answer I got was, "will you help us write one"
[04:13] <Burgundavia> danp: -changes should have everything. This is a bug
[04:13] <Burgundavia> https://wiki.ubuntu.com/TechnicalBoardAgenda
[04:13] <Burgundavia> added both items to the next TB meeting
[04:14] <ScottK> https://wiki.ubuntu.com/UbuntuDevelopment/PackageArchive/SoyuzUserDocumentationDraft is what now exists for documentation. it's a bit, um, thin.
[04:14] <danp> thanks!
[04:15] <ScottK> My larger answer on the help write the spec issue is that I have a consulting rate for proprietary system development work.
[04:15] <ScottK> Which is where the non-free bit kicks in.
[04:15] <danp> so at the moment what is going to -changes?
[04:15] <ScottK> For Edgy, you would get edgy-updates.
[04:16] <ScottK> Backports too, I think.
[04:20] <danp> cool
[04:27] <lamont> Burgundavia: bzgrep ^Package: ubuntu/dists/gutsy-security/universe/binary-i386/Packages.bz2 |wc -l
[04:27] <lamont> 55
[04:28] <lamont> universe gets security updates, it's just not something that canonical funds doing, other than best-effort by keescook et al.
[04:29] <ScottK> The larger point that Burgundavia makes is valid though.  There's no announcement mechanism.
[04:29] <Burgundavia> lamont: yep, I get that. This is more about making certain what updates do get done get notifications created
[04:29] <lamont> "notification" == advisory?
[04:29] <danp> not necessarily
[04:30] <ScottK> I've don't -security updates for packages that were in Universe in some releases and in Main in others and the USN just talked about the Main ones (leaving one to reasonably infer the other releases weren't affected when they were(
[04:30] <ScottK> (/)
[04:30] <lamont> Burgundavia: and launchpad has nothing to do with -security packages getting built.
[04:30] <danp> i personally just want a way to be notified of every possible change to a release
[04:30] <Burgundavia> lamont: I didn't say it did
[04:30] <Burgundavia> I was talking about mailing lists
[04:30] <danp> hopefully not as low-level as reviewing changes to the Packages files myself
[04:31] <lamont> most of the stuff that builds in -security is built while it's embargoed.  hence no notice to -changes.  the embargo is also the root cause of LP not being involved.
[04:31] <Burgundavia> but that is a bug that can be fixed
[04:31] <lamont> since launchpadlibrarian has no concept of read restrictions
[04:31] <lamont> Burgundavia: fixed how?
[04:31] <lamont> I can't send you a notification when i build it.
[04:31] <Burgundavia> lamont: by sending the notification only when it is unembargoed
[04:32] <ScottK> lamont: At some point LP learns of the change.  Then.
[04:32] <lamont> I _can_ send you a notification when its unembargoed.  I've only seen that notification in the form of a security advisory.
[04:32] <lamont> for _any_ software distro
[04:32] <lamont> LP learns of the change once it's unembargoed
[04:32] <lamont> I think.
[04:33] <lamont> it must be importing -secuity back from the dak archive
[04:33] <Burgundavia> right, I am not arguing implementation at the moment
[04:33] <lamont> so at the point that LP imports the -security bits from dak, it could generate a -changes mail
[04:33]  * lamont is speculating on that bit of process.
[04:34] <Burgundavia> right, those are details I don't know, nor do I really specifically care, given I am not an LP dev
[04:38] <ScottK> The key bit is that it used to be there and was removed.  What man has once accomplished he can aspire to achieve again.
[04:40] <lousygarua> wow, it's cold in here and i've just put a nice heat-blower straight on my feet!
[04:40]  * lousygarua is delighted
[04:40] <kgoetz> i just found my ldap is far more broken then i thought
[04:40]  * kgoetz is upset
[04:41] <lousygarua> how can an ldap get broken?
[04:41] <danp> Burgundavia and ScottK, thanks for the tips. i look forward to -changes being my answer soon :)
[04:42] <kgoetz> my lookups arnt working properly somehow. I have no name!@newmoon:/root$
[04:42] <Burgundavia> danp: no worries. Sorry we cannot help you in the imm.
[04:43] <danp> it's cool. i can make do with looking at Packages in the mean time. but i'm sure other people would appreciate that information if it was readily available
[04:44] <kgoetz> lamont: you aroud? i cant seem to figure out some issues
[04:44] <lamont> heh
[04:44] <kgoetz> :(
[04:44] <lamont> fire away
[04:45]  * lamont waits for "how do we find the girl?  If we do find the girl, how do we get away?"
[04:46] <kgoetz> i can run 'id $USERNAME' and it lists out the users IDs, but bash/anything else cant map the IDs
[04:46] <kgoetz> i can ssh in as the user, but it seems only once at a time
[04:46] <lamont> make life easier: apt-get install nscd
[04:47] <lamont> which, amusingly, shouldn't change anything
[04:47] <kgoetz> intalling now
[04:48] <kgoetz> reasonably small config file
[04:48] <lamont> it has a config file?
[04:48] <lamont> :-)
[04:49] <kgoetz> yes... dont i need it? :\
[04:49] <lamont> I expect so.
[04:49] <lamont> I never even noticed
[04:49] <lamont> as in, it won't need any edits
[04:49] <kgoetz> ok
[04:49] <lamont> how is bash trying to map the id?
[04:50] <lamont> (as in, what do you mean that it can't?  what's your testcase?)
[04:51] <kgoetz> installing that makes a difference o
[04:51] <kgoetz> s/ o//
[04:51] <kgoetz> lamont: i typed in 'bash'
[04:51] <kgoetz> and got "I have no name!@newmoon:/root$" back
[04:51] <lamont> is /etc/ldap.conf readable by mortals?
[04:51] <kgoetz> now i get "kim@newmoon:/etc/pam.d$
[04:51] <kgoetz> "
[04:52] <lamont>  /etc/nsswitch.conf?
[04:52] <lamont> (/etc/ldap.secret should be root:root, 600
[04:52] <kgoetz> yes they are.
[04:52] <lamont> the others, should be 644
[04:52] <kgoetz> yep
[04:52] <lamont> so installing nscd fixed it?
[04:53] <kgoetz> yes
[04:53] <lamont> if you figure out why, I'd love to know
[04:53] <kgoetz> you are a genius :)
[04:53] <lamont> thanks
[04:54] <lamont> I should really put the whole mess into a howto on the wiki sometime
[04:56] <kgoetz> i was goign to work on one/two as well. getting it working became a higher priority then writing about it though ;)
[04:56] <lamont> I wonder if it's because nscd runs as root
[04:56]  * lamont automated ssh key replication to clients from ldap
[04:57]  * lamont is lazy
[04:58] <kgoetz> .... your writing the guide :P
[05:05] <lamont> heh
[05:12] <kgoetz> hm. root@newmoon:~# ldapaddgroup kgoetz 1179
[05:12] <kgoetz> grep: /etc/pam_ldap.conf: No such file or directory
[05:12] <kgoetz> is pam_ldap.conf still in use? iirc i read its been retired
[05:13] <lamont> if it's being used, it should be a symlink to /etc/ldap.conf
[05:13] <lamont> _I_ have it. :0)(
[05:15] <kgoetz> reading /usr/share/doc/libpam-ldap/README.Debian is interesting
[05:16] <lamont> yeah.  that and the manpage for pam.conf were very eye opening on monday night
[05:17] <kgoetz> stupid pam
[05:18] <lamont> heh.  pam is love, man.
[05:19] <kgoetz> polletheme pam :\
[05:19] <kgoetz> win 32
[07:08] <zero-9376> is there a metapackage for the lamp server that you install from the server cd
[08:11] <kraut> moin
[08:22] <_ruben> mornin
[08:37] <soren> zero-9376: No, but if you had bothered to stick around for more than 27 seconds, someone might have told you what to do..
[08:46] <_ruben> ;)
[08:47] <_ruben> well .. 6 minutes a bit longer than 27 secs .. but still :-)
[09:18] <Burgundavia> soren: I see him being in channel for 5 minutes at least
[09:20] <soren> Burgundavia: Potato, potato.
[09:20] <soren> Doesn't really work in writing, does it?
[09:20] <soren> Burgundavia: 5 minutes is still an annoyingly short time to stick around for when you've asked a question.
[11:50] <joycetick> ive just installed ubuntu-server 7.10 on a laptop but its wireless pcmcia card is being recognised (i think, it shows up in iwconfig at eth2) but returns errors when trying to connect to the network (this card was working before in xubuntu 7.04)
=== Pumpernickle is now known as Pumpernickel
[13:22] <kraut> joycetick: why do you install ubuntu-server on a laptop?
[13:23] <joycetick> its a 800Mhz machine so i wanted to install fluxbox or similar on it
[13:24] <firecrotch> joycetick: what about Xubuntu?
[13:24] <joycetick> and my isp mirrored the iso so it was easier to get than fluxbuntu (which i just found through google)
[13:25] <joycetick> i was using that before i installed ubuntu-server, might have to go back to it
[14:11] <phaidros> any xen expert around ?
[14:19] <avatar_> !ask
[14:19] <ubotu> Don't ask to ask a question. Just ask your question :)
[14:19] <avatar_> i'm not an expert
[14:20] <henrix> or try #ubuntu-xen ;)
[15:36] <Gargoyle> libc6 is what is commonly known as glib isn't it?
[15:36] <Gargoyle> *glibc
[15:57] <spiekey> how can you force ubuntu to write directly onto usb stick, without caching?
[15:57] <spiekey> is this a mount option?
[16:24] <soren> spiekey: I don't remember if "flush" works?
[16:24] <soren> spiekey: mount -o flush -t vfat /dev/whatever /media/whereever
[16:24] <soren> spiekey: Otherwise, "-o sync" is what you're looking for.
[16:25] <soren> spiekey: It'll kill your usb stick, though.
[16:25] <soren> spiekey: They're only built to handle a certain amount of writes to them. If you mount it with sync, and you have a particularly stupid application write to it, just writing a single file to it can cause it to be written to several thousand times.
=== dendrobates is now known as dendro-away
[17:14] <darrend> hi all
[17:15] <darrend> I have a cron job in /etc/cron.hourly that fails when cron executes it ("Exec Bad Format" or similar message).  If I execute it manually, it runs fine.  Any ideas?
[17:15] <darrend> script is at http://pastebin.com/d13dc62ab
[17:25] <mralphabet> darrend: that looks right . . . the bad format is from syslog?
[17:31] <darrend> mralphabet: the message was being added to the email that cron was sending (which was ending up in ~/dead.letter but is now being accepted by the remote mail server and ending up in a black hole
[17:31] <darrend> let me try to disable the mail output so I see the messages again.
[17:31] <lamont> keescook: are you the apparmor guy?
[17:32] <lamont> Nov 29 10:01:22 mix kernel: [739593.226765] audit(1196355682.459:35):  type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/ldap/ldap.conf" pid=16512 profile="/usr/sbin/cupsd"
[17:32] <lamont> how do I tell it that it's OK?
[17:32] <keescook> lamont: well, mathiaz and I both work on it
[17:32] <keescook> why is cups trying to read ldap.conf?  but anyway, sudo vi /etc/apparmor.d/*cups
[17:32] <keescook> add:   /etc/ldap/ldap.conf  r,
[17:33] <keescook> then sudo /etc/init.d/apparmor reload
[17:33] <lamont> and then restart cups
[17:33] <keescook> nope
[17:33] <lamont> well,  I did the first two steps...
[17:33] <keescook> the aa reload will just update the running process's confinement
[17:34] <keescook> you can do   sudo aa-status   to see what aa thinks of the world
[17:34] <keescook> if you did apparmor stop/start you're SOL, and you need to restart cups
[17:34] <lamont> aalib is part of apparmor? :-)
[17:34] <keescook> that would rule
[17:34] <keescook> "I'm pwning you in ASCII!"
[17:35] <lamont> I might have done /etc/init.d/apparmor restart
[17:35] <lamont> mind you, I'd rather see us make selinux happier
[17:35] <keescook> restart == reload so that's okay
[17:35] <keescook> lamont: sure, we're just waiting on some upstream patches to roll out for that
[17:36] <keescook> lamont: where does aa-status report cupsd?
[17:36] <lamont> 2 profiles are in enforce mode.
[17:36] <lamont>    /usr/sbin/cupsd
[17:36] <lamont>    /usr/lib/cups/backend/cups-pdf
[17:36] <lamont> 1 processes are in enforce mode :
[17:36] <lamont>    /usr/sbin/cupsd (18409)
[17:36] <darrend> mralphabet: error message is.. "run-parts: failed to exec /etc/cron.hourly/00backup: Exec format error"
[17:37] <keescook> (also, you added the ldap.conf to the cupds section not the cups-pdf section of /etc/apparmor.d/*cupsd ?
[17:37] <lamont> Nov 29 10:36:12 mix kernel: [741679.573259] audit(1196357772.436:39):  type=1503 operation="inode_permission" requested_mask="r" denied_mask="r" name="/etc/ldap/ldap.conf" pid=18573 profile="/usr/sbin/cupsd"
[17:37] <lamont> no.
[17:37] <lamont> abstractions/cups-client
[17:37]  * lamont does the right file
[17:38] <keescook> ah, yeah, the cups-client is for stuff trying to talk to the cups server, etc.
[17:39] <darrend> mralphabet: I think google may know the answer.. looks like I need /bin/sh and not /bin/bash
[17:39] <lamont> yeah!  helps to fix the right file.
[17:39] <lamont> thansk
[17:40] <mralphabet> darrend: heh
[17:40] <darrend> hmm.. no - still fails
[17:41] <darrend> brb
[17:43] <mralphabet> ;(
[17:45] <rodpod> would it be better if i used iptables to forward GRE and port 1723 to access a RRAS VPN (PPTP) server, or just setup the VPN stuff on my ubuntu server and use LDAP for authenticating...what would be the best package with ldap support for doing this?
[17:51]  * nealmcb congratulates jdstrand on Ubuntu Membership :-)
[17:52] <jdstrand> thanks again nealmcb! :)
=== gamble6x is now known as gamble|mission
[18:28] <AlexJTanner> i have a question
[18:29] <AlexJTanner> anyone there?
[18:30] <somerville32> !ask
[18:30] <ubotu> Don't ask to ask a question. Just ask your question :)
[18:30] <AlexJTanner> well here's my question "everytime I use apt-get install on my ubuntu servers they want me to put in the DVD, how can I get it to instead of taking the packages from the DVD to take them fromt the reprostories
[18:34] <AlexJTanner> I have SSH acess to both of them
[18:34] <ember> how may have it source.list to get it from dvd i think
[18:35] <rodpod> nano /etc/apt/sources.list
[18:35] <rodpod> take out the cdrom entries
[18:35] <AlexJTanner> k thanks
[18:35] <AlexJTanner> I feel a bit of a newb asking this question
[18:36] <AlexJTanner> this is just my first time running ubuntu without gnome
[18:38] <AlexJTanner> i am working on getting both of them ready to go into my basement, and part of that is not having to run down and put a DVD in everytime I need to install something
=== gamble|mission is now known as gamble6x
=== macd_ is now known as macd
[22:43] <ScottK> lamont: I think Bug #172925 is worth you having a look at.
[22:43] <ubotu> Launchpad bug 172925 in postfix "postfix upgrade does not add 'retry' service" [Medium,Confirmed] https://launchpad.net/bugs/172925
[22:58] <lamont> gah.
[22:58] <lamont> will do