[00:34] <kgoetz> its installed, and has a file (+x) in /etc/cron.daily/00logwatch, but i dont get emails from it. when i run it manually i get mail from the script
[00:34] <kgoetz> s/its intalld/ i have logwatch installed
[00:35] <soren> syslog tells you when cron runs something. Does it mention it?
[00:37] <kgoetz> let me check
[00:40] <kgoetz> holy heck, how has syslog hit 32mb :S
[00:41] <kgoetz> Jan  4 09:17:01 moon CRON[13505]: Authentication service cannot retrieve authentication info
[00:42] <kgoetz> looks like syslog/cron has been broken since 27th of september
[00:48] <kgoetz> soren: looks like thats the problem :/ i'll try and work out this cron+syslog issue
[03:20] <kgoetz> turns out shadow was misformed. fixed that and cron+other stuff starts working again.
[04:18] <XiXaQ> I want to setup a shared folder on my ubuntu server so that windows clients can connect using only a password. I've been reading and reading, but I don't understand how it's possible. I don't want to duplicate all users usernames and passwords between all windows clients and ubuntu.
[04:18] <XiXaQ> can someone explain this? I've tried setting security = share, but then it isn't password protected at all..
[04:21] <XiXaQ> I wonder if irc would be as popular if everyone was required to read the irc protocol before they were allowed to run the client.. :)
[04:21] <XiXaQ> it feels like samba is doing something similar to me.
[04:27] <PanzerMKZ> well I setup my samba install
[04:27] <PanzerMKZ> and gave it one user
[04:29] <PanzerMKZ> give it a valid user = username
[04:30] <XiXaQ> I don't want to tie it to usernames. Everybody that knows the password should be able to read and write, just like in windows. Isn't that possible?
[04:31] <PanzerMKZ> I have one username
[04:31] <PanzerMKZ> panzer
[04:31] <PanzerMKZ> so that line is set to valid user = panzer
[04:31] <PanzerMKZ> and there is a password for user panzer
[04:32] <PanzerMKZ> so I go to any of my windows boxen and pop that share and log in using panzer
[04:32] <XiXaQ> ok, so if a friend comes over for tea, brings his laptop and wants to open a file, then he just has to create a new user in his system, log out and back in with that user, then connect to the share?
[04:32] <PanzerMKZ> no
[04:33] <PanzerMKZ> you come over to my pad
[04:33] <PanzerMKZ> for tea
[04:33] <PanzerMKZ> you got a windows box
[04:33] <PanzerMKZ> you log in as you on your box
[04:33] <PanzerMKZ> you go to start>run
[04:34] <PanzerMKZ> type in //companion
[04:34] <PanzerMKZ> companion in this case being my ubuntu file server running samba
[04:34] <PanzerMKZ> up pops in a user/password window
[04:35] <PanzerMKZ> and you put in the user panzer and my super secret password of lace
[04:35] <PanzerMKZ> and bam you have access to all the file shares
[04:35] <XiXaQ> so I'll have to setup one user per share?
[04:36] <PanzerMKZ> is that not what you wanted?
[04:36] <PanzerMKZ> one user
[04:36] <XiXaQ> do you know how people share files in windows xp?
[04:36] <PanzerMKZ> for all your shares?
[04:36] <PanzerMKZ> there is a ten connection limit for xp file shares
[04:38] <XiXaQ> I'd like to have a share with a password, another share with a different password. This means I have to create two different users, then share the resources as those users and give those usernames and passwords to the people who're supposed to access the shares?
[04:38] <PanzerMKZ> but smb users don't have to be system users
[04:38] <XiXaQ> they don't?
[04:38] <PanzerMKZ> no
[04:39] <XiXaQ> oh...
[04:39] <PanzerMKZ> I could have smb user fred that is no where on my system
[04:40] <XiXaQ> then how do I add this user?
[04:40] <PanzerMKZ> first answer is man samba
[04:40] <PanzerMKZ> which is what I am going to do now
[04:40] <XiXaQ> you don't think I've been doing that for weeks?
[04:41] <XiXaQ> everyone has been explaining how to install single-signon setups with directory controllers, and ldap, dhcp and god knows. I only want my damn directory to be available to those who know the password :)
[04:42] <XiXaQ> the samba configuration guide has 47 chapters.
[04:42] <PanzerMKZ> nice
[04:42] <PanzerMKZ> man smbpasswd
[04:42] <XiXaQ> well, actually, that's just the howto :)
[04:42] <PanzerMKZ> it will talk about adding users
[04:42] <XiXaQ> thanks :)
[04:42] <PanzerMKZ> and changing passwords
[04:44] <PanzerMKZ> the -a command adds a user
[04:45] <PanzerMKZ> you need example of my smb.conf file?
[04:45] <XiXaQ> that would be nice.
[04:48] <PanzerMKZ> http://pastebin.com/d6421821c
[04:48] <PanzerMKZ> is for a iso share I have
[04:50] <XiXaQ> that's the kind of share I want to setup. :)
[04:51] <XiXaQ> but panzer is a real user, right?
[04:51] <PanzerMKZ> well on that box yes
[04:51] <XiXaQ> panzer can login using ssh with that password, for instance?
[04:51] <PanzerMKZ> but the passwd for panzer on smb is different than the system
[04:52] <PanzerMKZ> so the answer is no
[04:52] <XiXaQ> how do I do that?
[04:53] <PanzerMKZ> setup the share
[04:53] <PanzerMKZ> and then work your magic with smbpasswd
[04:53] <XiXaQ> oh.. Ok. Normal user doesn't automatically have access to their own shares? You must use smbpasswd first?
[04:53] <PanzerMKZ> to add users and passwords
[04:53] <PanzerMKZ> yea
[04:53] <XiXaQ> aha..
[04:54] <XiXaQ> does that make sense in anyway?
[04:54] <PanzerMKZ> yea
[04:55] <PanzerMKZ> basically you are asking if you have a samba server up
[04:55] <XiXaQ> pardon?!
[04:55] <PanzerMKZ> and you add a new user to the system does the system users home dir get shared out automatically
[04:56] <XiXaQ> no. If I make normal user. I then add that users home directory as a share in /etc/samba/smb.conf. That users password will be invalid, because I haven't set a sambapassword for him yet?
[04:56] <PanzerMKZ> yea
[04:58] <XiXaQ> ok.. Is that a requirement, or is it possible to use pam instead?
[04:59] <PanzerMKZ> you can set it up different ways by changing the smb.conf
[04:59] <PanzerMKZ> there should be things you uncomment
[05:01] <XiXaQ> ok, that's fine for my setup. However, if I wanted to let other unix users share their folders at will.. I really don't want to make all admins?
[05:02] <XiXaQ> it seems to me strange that shares should be specified in the main configuration file?
[05:02] <PanzerMKZ> there is parts for users to add
[05:08] <XiXaQ> By default, \\server\username shares can be connected to by anyone with access to the samba server.  Un-comment the following parameter to make sure that only "username" can connect to \\server\username This might need tweaking when using external authentication schemes
[05:08] <XiXaQ>    ;valid users = %S
[05:09] <XiXaQ> does this mean that by default, all users can read from and write to other users homes?
[05:17] <XiXaQ> PanzerMKZ, thanks. I think I got it.
[05:17] <XiXaQ> it's the documentation that confused me. help.ubuntu.com's samba documentation seems to explain more about how Active Directory works and what LDAP is than how to setup a share.
[05:18] <XiXaQ> think maybe I'll write a simpler guide when I get this right.
[05:22] <c1|freaky> does anyone know if theres a tool for windows which can knock on port? because i want to secure ssh using knockd
[05:23] <c1|freaky> and is there any good firewall solution for ubuntu server?
[05:23] <c1|freaky> i mean, configuration, standard mechanisms etc.?
[05:30] <c1|freaky> I also need some intrusion detection software ...
[05:38] <ScottK> iptables is built into the kernel.  That's your firewall.
[05:39] <c1|freaky> ok
[05:39] <ScottK> Is it just you connecting via SSH?
[05:39] <c1|freaky> no
[05:40] <ScottK> OK.  I generally just rate limit SSH connections via iptables, but it doesn't scale well for lots of users.
[05:41] <c1|freaky> i want to secure ssh logins using knockd ... but i dont know if theres any software for windows which can knock on ports
[05:41] <c1|freaky> like knock does
[05:46]  * ScottK doesn't use Windows.  Sorry.  Can't help on that.
[05:56] <c1|freaky> ok thanks
[05:57] <c1|freaky> im waiting for my new server :D
[05:58] <c1|freaky> 6GB DDR2, 2 750GB SATA II HDDs, AMD Athlon 64 X2 DualCore :D
[06:20] <normanm> hi all
[06:22] <normanm> We use ubuntu on some servers here. We need to support php4 because of some old CRM. I saw feisty dropped the php4 support. Any idea if there are some sources where we can get the needed debs ?
[06:26] <ScottK> Run Dapper would be my suggestion.
[06:26] <normanm> ScottK, dapper is really out of date :-/
[06:26] <ScottK> Yes, but you want to run PHP4.
[06:27] <ScottK> I'm typing this on a Dapper desktop because it basically does what I need.
[06:28] <ScottK> Debian is, I think, also dumping PHP4, so it's a losing battle I think.
[06:28] <normanm> ScottK, Dapper does not work on the x4100 servers with the "supported" kernel
[06:28] <normanm> ScottK, well I don't want... I need :-/
[06:28] <ScottK> Ah.
[06:29] <ScottK> I don't know enough about PHP to have a useful opinion then.
[06:29] <normanm> The company I'm working for is using a self-developed crm which only supports php4
[06:29] <normanm> btw.. Is dapper still getting security updates ?
[06:35] <lamont> hrm... do I want to turn on IDN support in bind9, I wonder?
[06:35] <lamont> normanm: only until june of 2011 (for ubuntu-standard portions), or June of 2009 (for desktop stuff)
[06:35] <lamont> :-)
[06:36] <normanm> lamont, hmm thats not bad..
[06:36] <normanm> So now i need to think about if i want to use dapper drake or i want to use freebsd
[06:36] <normanm> on the webservers
[06:40] <lamont> normanm: or stall until april and put hardy on, which will have server security support until april of 2013 :-)
[06:41] <normanm> lamont, ;-)
[06:41] <lamont> or I suppose you could just dist-upgrade from dapper to hardy once it's out. (That'll be tested/supported)
[06:41] <normanm> lamont, well i don't think hardy will support php4
[06:42] <lamont> ah, there is that.
[06:42] <normanm> lamont, :-P
[06:42] <lamont> you do know that it stands for "Please Hack Promptly", right?
[06:42] <normanm> I already upgraded all servers except the webservers to gutsy
[06:43] <normanm> lamont, tell me something new... But what should i do if my boss wants it :-P
[06:43] <lamont> normanm: short term?  do it.  longer term?  resume.
[06:43] <normanm> lamont, yes.
[06:44] <normanm> BTW, do you know if there is something like kernel security level planned for ubuntu ?
[06:44] <lamont> ijiot circumstances require change... :-)
[06:44] <lamont> as in C2 or B1 or such?
[06:44] <lamont> orange-book levels?
[06:44] <lamont> no clue on that one.
[06:44] <lamont> security fixes? already happens
[06:45] <normanm> Something like in freebsd which prevents modules from being loaded. Don't allow the time to be set more than 1 second in the past/future. Don't allow raw access to block devices etc
[06:47] <lamont> ah.  one could use selinux to do that, quite possibly could use apparmor (which is there by default in gutsy...)
[06:47]  * lamont prefers selinux, wasn't consulted wrt what got turned on in gutsy's kernel
[06:50] <lamont> time to sleep
[08:57] <kraut> moin
[08:57] <_ruben> mornin
[15:44] <ScatterBrain> By default the snmp daemon runs as user "snmp".  How can I give that user permissions to read the log files in /var/log?
[15:44] <ScatterBrain> I've tried adding it to the "adm"group, but that doesn't seem to work.
[15:45] <Kamping_Kaiser> why do you want them to?
[15:45] <ScatterBrain> I need to run a script that greps the logs via snmp'd "pass" functionality so I can keep stats with Cacti.
[15:46] <Kamping_Kaiser> unsure. night mate
[15:46] <ScatterBrain> at this point, I'm looking to keep track of Postfix and Amavis.
[15:47] <lamont> ScatterBrain: group adm should be sufficient.  OTOH, it probably requires restarting the daemon
[15:48] <ScatterBrain> lamont, yeah did that.
[15:48] <ScatterBrain> I'm still getting permission denied trying to read /var/log/mail.log
[15:48] <ScatterBrain> even with 644 permissions.
[15:48] <ScatterBrain> Go figure.
[15:49] <lamont> and what are the perms on /var/log :-)
[15:51] <jetole> hey guys, I need to know how badly I have just fsck'd myself
[15:51] <ScatterBrain> lamont: by default they are 640, with root/adm user/group ownership.
[15:51] <jetole> root didn't look twice before hitting enter and did a rm -f /var/log
[15:51] <ScatterBrain> When I change then 644, the script works.
[15:52]  * jetole is currently waiting for the server to reboot
[15:52] <lamont> ScatterBrain: ls -ld /var/log :)
[15:52] <lamont> it's not 640 by default
[15:52] <jetole> hmmm, it looks like most the files recreated themselves upon reboot... I think
[15:53] <lamont> jetole: mkdir /var/log; chmod 755 /var/log; chown root:root /var/log
[15:53] <lamont> (or reboot and everything should just do the right thing)
[15:53] <ScatterBrain> lamont: mine was.
[15:53] <lamont> except maybe /var/log/ would wind up 555 instead of 755...
[15:53] <lamont> ScatterBrain: the directory had no execute permissions?
[15:53] <lamont> that would explain why you couldn't open any file under it...
[15:53] <lamont> (since exec is needed to open a file...)
[15:54] <ScatterBrain> oh, the lod directory itself.
[15:54] <lamont> er..
[15:54] <ScatterBrain> not the file.
[15:54] <ScatterBrain> s/lod/log
[15:54] <lamont> exec permission on a directory is needed to open files in the directory
[15:54] <lamont> ScatterBrain: yes.
[15:54] <jetole> lamont: rm -f /var/log/
[15:54] <lamont> jetole: that shouldn't do anything, should it?
[15:54] <jetole> doesn't delete the directory or any subdirs
[15:54] <jetole> just all flat files in /var/log
[15:55] <lamont> mkdir x; rm -f x
[15:55] <lamont> rm: cannot remove `x': Is a directory
[15:55] <jetole> right, well I wasn't sure if all logs recreated themselves or not
[15:55] <ScatterBrain> lamont: blue tmp # ls -ld /var/log
[15:55] <ScatterBrain> drwxr-xr-x 8 root root 2048 2008-01-04 10:37 /var/log
[15:55] <lamont> ScatterBrain: which is what it should be.
[15:55] <jetole> since I know logrotate has options for logs that need to be touched after an old one is moved
[15:55] <ScatterBrain> so If I change the directory so that root/adm owns it will that be OK?
[15:56] <lamont> ScatterBrain: anyone in the world is allowed to open files in that directory, depending on the permissions
[15:56] <lamont> is apparmor bitching about anything?
[15:57] <jetole> I have an apparmor dir in var/log so I am not sure why I would change perms on var/log for a file that has it's own var/log/apparmor
[15:57] <lamont> jetole: if there are any logs that don't rebuild after a restart of the daemon (so that a reboot of the system is sufficient....), then it's a bug in the daemon
[15:57] <jetole> lamont: any known bugs in server common packages that I may need to be aware of? ;)
[15:58] <lamont> apparmor does all kinds of neat funky stuff with permissions totally independent of the filesystem permissions
[15:58] <lamont> jetole: not personally, no
[15:59] <jetole> alright, well thanks for the help
[15:59] <lamont> ScatterBrain: if the file is mode 644 and you can read it but the snmp daemon can't, then it's something outside of FS permissions
[15:59]  * lamont finally heads off to get to work for the day
[15:59] <ScatterBrain> lamont: like what?
[15:59] <lamont> like apparmor
[15:59] <lamont> or selinux
[15:59] <ScatterBrain> the script works as root and if I set the perm to 644.
[15:59] <ScatterBrain> on a dapper box?
[16:00] <lamont> root skips all kinds of perm checks
[16:00] <lamont> dapper.
[16:00] <lamont> if the daemon can't open it, I
[16:00] <lamont> 'm pretty sure it's FS perms somewhere.
[16:00] <lamont> anyway, gotta run
[16:00] <ScatterBrain> lamont: OK, I'll keep looking.
[16:01] <ScatterBrain> thanks.
[18:19] <sergevn> Does anyone have any experience with denyhosts?
[19:21] <nealmcb> sergevn: what's your question?
[22:14] <hangthedj> i just upgraded to hardy, how do i change the shell to say hardy instead of gutsy 7.10 Tribe 3?
[22:22] <delphiuk> can someone help me with a 6.06 upgrade problem? I have an output if you need to see it?
[22:35] <Kamping_Kaiser> delphiuk, what is the problem?
[22:35] <Kamping_Kaiser> hangthedj, not sure, try /etc/issue, but be sure you know what you're doing before messing with stuff like that
[22:37] <hangthedj> ok thanks
[22:46] <delphiuk> Kamping_Kaiser: http://paste.ubuntu-nl.org/50774/
[22:54] <Kamping_Kaiser> delphiuk, hm
[22:54] <Kamping_Kaiser> are you using official repositories?
[22:54] <delphiuk> Kamping_Kaiser: Oh yes, nothing is "non standard"
[22:55] <Kamping_Kaiser> BTW, try running `export LANG=C` to get rid of those locale/perl errors (makes things easier to read)
[22:57] <Kamping_Kaiser> delphiuk, try `export LANG=C && apt-get -f install`
[22:57] <Kamping_Kaiser> tell me what that outputs
[22:58] <delphiuk> richard@sugar:~$ sudo export LANG=C && apt-get -f install
[22:58] <delphiuk> sudo: export: command not found
[23:03] <Kamping_Kaiser> `export LANG=C && sudo apt-get -f install`
[23:03] <Kamping_Kaiser> export is a shell built in (see help export in the shell if you want to see more)
[23:05] <delphiuk> Kamping_Kaiser: http://paste.ubuntu-nl.org/50778/
[23:07] <Kamping_Kaiser> try `sudo apt-get --purge remove apache2-utils` (it may remove a bunch of stuff, i'm not sure)