/srv/irclogs.ubuntu.com/2008/09/16/#ubuntu-server.txt

[00:21] <Goosemoose> so i installed ubuntu over the network, add to late_command to join an AD domain, the computer shows up in AD and domainjoin-cli query shows it's on the domain. But I can't login as a domain user. Any suggestions?
[01:01] <uvirtbot`> New bug: #270713 in net-snmp (main) "snmpd: error getting netmask for interface" [Undecided,New] https://launchpad.net/bugs/270713
[01:31] <uvirtbot`> New bug: #270720 in mysql-dfsg-5.0 (main) "ty" [Undecided,New] https://launchpad.net/bugs/270720
[01:38] <twb> What's the difference between the "generic" and "server" kernel flavours?
[02:18] <docta_v> anyone tried building a newer e1000 on a somewhat older kernel? (2.6.16)
[02:18] <docta_v> supposedly it's possible but i'm running into a lot of issues with missing header files and undefined symbols
[02:24] <twb> docta_v: are you referring to the kernel driver for the e1000 intel gigabit NIC?
=== PrivateVoid_ is now known as PrivateVoid
[02:31] <docta_v> twb: yes.. I need to install a newer version of the driver but it won't compile
[02:32] <twb> docta_v: I don't think you can just use a driver from a newer kernel.
[02:32] <docta_v> it's not from a newer kernel
[02:32] <docta_v> you can download the driver standalone
[02:32] <docta_v> says it supports 2.4.x and 2.6.x
[02:32] <ScottK-laptop> docta_v: What system are you running.  Ubuntu never shipped 2.6.16 in a final release.
[02:33] <docta_v> yeah this is a debian system unfortunately
[02:33] <docta_v> but i use ubuntu everywhere else
[02:33] <ScottK-laptop> Well Debian and Ubuntu kernels are completely different.
[02:33] <docta_v> we bought this nfs head product from a vendor that has a really old kernel on it
[02:33] <ScottK-laptop> So Ubuntu kernel advice is unlikely to apply.
[02:34] <twb> docta_v: you should ask #debian on OFTC (irc.debian.org)
[02:34] <docta_v> those guys never answer any questions
[02:34] <docta_v> but i'll try
=== nealmcb1 is now known as nealmcb
[05:31] <chmac> Any bright ideas on how to shred the disk of a running machine to which I only have ssh access?
[05:56] <twb> chmac: if /home is on a separate partition, it's easy.
[05:57] <chmac> twb: Yeah, no separate partitions
[05:57] <chmac> twb: Turns out my host turned off my server already, so it's no longer an issue! :)
[05:57] <twb> I guess you could do sudo find /home -type f -exec shred {} + -delete
[05:57] <twb> Oh well.
[05:57] <chmac> twb: Shred has an option to delete the file
[05:57] <chmac> shred -u I think
[05:57] <chmac> I'm not too worried though :)
[07:56] <twb> Is it a bad idea to use /etc/hosts.{allow,deny} instead of iptables rules, when setting up some basic rules like "hosts on the WAN shouldn't be allowed access to my services."
[07:57] <vk5foss> i've done it before, it's not the most secure way of doing things aiui, but it does work
[07:58] <twb> I was hoping for a blog article or suchlike that explains exactly WHY it's less secure than iptables DROP/REJECT rules, with example attack vectors.
[07:58] <vk5foss> never looked sorry.
[08:05] <twb> vk5foss: a brief google suggests that it avoids DOS attacks (if you DROP packets instead of REJECTing them), and it also guards against the case where a package isn't built with tcp-wrappers support (in which case hosts.deny would be ignored).
[08:06] <vk5foss> random question: should i recommend users use rsa or dsa keys for their ssh? i thought rsa was 'it', but i've seen dsa recommended
[08:21] <twb> Hmm, I wonder if, with "ALL: 192.168.: ALLOW" and "ALL: ALL: DENY", my server will respond to DHCP requests.
[08:23] <slangasek> tcpwrappers doesn't generally block udp traffic, no
=== vk5foss is now known as kgoetz
[08:33] <Koon> slangasek/coffeedude: did you sync on the likewise-open PAM subject ? Is my help needed in any way ?
[08:37] <Koon> kgoetz: based on recent research I'd recommend RSA now
[08:37] <Koon> kgoetz: you could ask in #ubuntu-hardened to get more experts opinions
[08:40] <kgoetz> Koon: i've gone with rsa, as thats what i seemed to recall debian now required of its devs. i was hoping for a 'comfort factor' 2nd opinion :)
[08:41] <slangasek> Koon: no, I ended up fighting with the pam-auth-update stuff all afternoon and have just now posted a patch to the bug
[08:41] <Koon> kgoetz: I'd say they are both safe, but DSA usually fails less gracefully
[08:41] <slangasek> I also suspect that likewise-open may be killing my network-manager :/
[08:41] * Koon looks
[08:43] <slangasek> Koon: I've posted a patch rather than just uploading, to get a second opinion on the change first; it's the best I can come up with at the moment, but I'm not entirely happy with it
[08:44] <Koon> slangasek: i'll test it. It may not fix the issue in the best way, but it would be nice to have it in alpha6 instead of the currently broken version we have atm
[08:45] <slangasek> Koon: well, if we decide that this is the wrong way to do it, it may become substantially harder to back out afterwards
[08:46] <Koon> slangasek: what would be your choice between patching 2956 to just fix the PAM issue and the libwbclient0 incompatibility and switching to 2982 bugfix microrelease (through a FFe ?)
[08:47] <slangasek> Koon: uhm, AFAIUI 2982 does not fix the PAM issue, suffering from the problem I pointed out in https://bugs.launchpad.net/ubuntu/intrepid/+source/likewise-open/+bug/262264/comments/13, so this isn't an either/or choice
[08:47] <uvirtbot`> Launchpad bug 262264 in likewise-open "Fails to join a domain: Unknown pam configuration" [Critical,Triaged]
[08:48] <Koon> slangasek: I mean 2982 + your patch instead of Jerry's one
[08:48] <slangasek> ok
[08:49] <slangasek> well, I haven't reviewed the upstream diff for 2982 yet, and we're into Tuesday already, so I think that for alpha-6 we ought to just patch the bugs and go
[08:49] <Koon> OK, will test that then
[08:50] <slangasek> I'm puzzled by the incompatibility issue, though, I thought ABI compatibility between the samba and likewise-open versions of libwbclient was a non-negotiable requirement for Likewise
[08:52] <Koon> slangasek: jerry said "compatible but not equivalent" and said my fix (using samba's lib) is incorrect
[08:52] <slangasek> ah - yes, the likewise-open one is meant to take precedence :)
[08:52] <Koon> probably :)
[08:53] <Koon> I agree it could be fixed in a nicer way but we are running out of time
[08:53] <slangasek> so ideally, likewise-open would Conflict/Replace/Provide libwbclient0 to satisfy the dep of other packages; but this might not work because of versioned deps, I haven't looked
[08:57] <Koon> slangasek: so basically in your patch you always enable the pam config, but it doesn't break if no domain is joined
[08:57] <slangasek> I believe so
[08:57] <slangasek> let me fix another bug in pam itself here, and I'll do a bit more testing to confirm ;)
[08:58] <Koon> when no domain is joined, does it delay before failing ? Don't want us to add 30 second timeouts ;)
[08:58] * Koon will build and test against his Windows AD test infra
[08:59] <slangasek> in my testing so far, no, there was no delay; and there shouldn't be, as I asked dendrobates earlier about whether lwi does "winbind use default domain" by default
[08:59] <slangasek> so lwi will acknowledge that any non-domain-y names are not for it
[09:00] <Koon> right
[09:06] <slangasek> ah, bug in that patch
[09:06] <slangasek> Koon: the prerm needs to call pam-auth-update --package --remove likewise-open, not --remove likewise
[09:06] <slangasek> updated patch to post shortly
[09:12] <Koon> slangasek: noted
[09:25] <Koon> slangasek: your patch is also missing the debian/control modification, I'm adding them
[09:26] <slangasek> hrm, so it is; thanks for noticing
[09:27] <slangasek> ah, domainjoin-cli *is* to blame for my desktop crashes
[09:28] <Koon> slangasek: something like bug 222224 ?
[09:28] <uvirtbot`> Launchpad bug 222224 in likewise-open "likewise-open: blows up session when joining the domain" [Undecided,New] https://launchpad.net/bugs/222224
[09:28] <slangasek> title sounds like it :)
[09:29] <Koon> slangasek: not sure the workaround in the bug applies to you
[09:33] <slangasek> Koon: the domain I'm joining to isn't a .local
[09:34] <Koon> yes, the two bugs are completely distinct
[09:34] <slangasek> then I'm not clear on what the workaround is
[09:35] <slangasek> listing dns before mdns4_minimal?
[09:35] <slangasek> that would be an inappropriate workaround (because it means misconfiguring mDNS), so I'll pass. :)
[09:36] <Koon> slangasek: I don't think there is a known workaround. The BrianDrab in the bug was confused by another bug
[09:36] <slangasek> ok
[09:36] <Koon> slangasek: I think this is the result of changing system files in the middle of a session, this still has to be investigated
[09:37] <slangasek> I'd be surprised/dismayed if glibc were that fragile
[09:37] <Koon> one problem being it doesn't /always/ crash.
=== PanzerMKZ_ is now known as panzermkz
[10:05] <Koon> slangasek: I've a segfault during domain join/leave
[10:05] <slangasek> yes, so do I
[10:05] <slangasek> but I don't think I caused it :P
[10:06] <Koon> Wasn't there before. Investigating
[10:06] * slangasek grabs a backtrace, then
[10:07] <slangasek> #0  0x00007fd713101003 in free () from /lib/libc.so.6
[10:07] <slangasek> #1  0x00007fd714431b73 in LWHandle () from /usr/lib/libcentutils.so.1
[10:07] <slangasek> inconclusive
[10:07] <slangasek> it's possible it's due to my patch, then; coffeedude would probably be able to tell easily
[10:08] <Koon> what does the LW_RAISE do ?
[10:08] <slangasek> probably something it shouldn't ;)
[10:09] <Koon> rebuilding with it commented
[10:09] <Koon> slangasek: shouldn't you be sleeping ?
[10:09] <slangasek> yes
[10:10] <slangasek> the LW_RAISE() was what you get if you take apart LW_CLEANUP_CTERR(), which I wasn't using because the cleanup: label was commented out
[10:10] <slangasek> but even that may not be needed, since we never have any errors
[10:16] <ghaleb> hello, I have scheduled a cron task with the config */4 * *  * * root  /bin/updateStatus.sh > /home/log.log  but it's not working
[10:25] <slangasek> Koon: right, now instead of a segfault I just get "Error: Module not configured".  So I'm missing something about how the return handling is supposed to work.
[10:25] <Koon> I'm on it
[10:25] <slangasek> I'll leave you to it, then; if you get it figured out and need an upload, I'll be back in ~6h :)
[10:26] <Koon> slangasek: sounds like a plan
[10:26] <Koon> sleep well (and fast)
=== freaky[t] is now known as fReAkY[t]
=== fReAkY[t] is now known as freaky[t]
=== siretart_ is now known as siretart
[11:16] <ghaleb> hello, how can I be sure that a shell script executed successfully
[11:22] <ScottK-laptop> ghaleb: Use set -e
[11:22] <ghaleb> ScottK-laptop: hmm .. how do I call the script then ?
[11:23] <ScottK-laptop> Add set -e to the script so that it will exit if it encounters any errors.
[11:23] <NCommander> ScottK-laptop: isn't set -e a bashism?
[11:24] <ScottK-laptop> NCommander: No.
[11:24] <NCommander> ok
[11:24] * NCommander returns to his quiet hole in the wall
=== freaky[t] is now known as fReAkY[t]
=== fReAkY[t] is now known as freaky[t]
=== freaky[t] is now known as fReAkY[t]
=== fReAkY[t] is now known as freaky[t]
[12:43] <\sh> hmm..something is wrong with the bonding network stuff...
[12:44] <\sh> auto bond0 \n iface bond0 inet static \n address...\n slaves eth0 eth1 \n bond-mode 0 \n ... works as expected
[12:44] <\sh> auto bond1 \n iface bond1 inet static \n ... doesn't work...
[12:45] <\sh> is there some magic step to tell modprobe somehow to use modprobe -o bond0 bonding \n modprobe -o bond1 bonding ? because with the second modprobe statement bond1 comes up
[12:46] <\sh> (and yes, modprobe.d/aliases -> alias bond1 bonding is in place, but doesn't get recognized anymore it seems
[13:07] <Koon> slangasek/coffeedude: please see patch @ https://bugs.launchpad.net/ubuntu/intrepid/+source/likewise-open/+bug/262264/comments/19
[13:07] <uvirtbot`> Launchpad bug 262264 in likewise-open "Fails to join a domain: Unknown pam configuration" [Critical,In progress]
[13:37] <\sh> damnit.-..
[13:37] <\sh> with alias and options inside /etc/modprobe.d/ it doesn't work...and the old line "install /sbin/modprobe --ignore-install bonding ..." works
[14:42] <Pizarro> Hi everyone
[14:42] <Pizarro> I have two issues: the first one is that I would like to perform a daily backup of some folders to a CD-RW, is there any way?
[14:43] <Pizarro> I want to erase and burn a cd everyday for example at midnight, is there any way to do so under Ubuntu Server?
[14:44] <sommer> Pizarro: you can probably script cdrdao or another utility... I've never done it myself though
[14:45] <Pizarro> sommer, what I want to do is very simple in other server platforms
[14:45] <Pizarro> What is cdrdao?
[14:45] <Deeps> !backup | Pizarro
[14:45] <ubottu> Pizarro: There are many ways to back your system up. Here's a few: https://help.ubuntu.com/community/BackupYourSystem , https://help.ubuntu.com/community/DuplicityBackupHowto , https://wiki.ubuntu.com/HomeUserBackup , https://help.ubuntu.com/community/MondoMindi - See also !sbackup and !cloning
[14:46] <Pizarro> Deeps, I've seen all those links but unfortunately all are talking about tar files
[14:46] <Pizarro> my problem is how to erase a CDRW and burn it daily with the backup files
[14:46] <Pizarro> the cd will stay always in the recorder, so everyday we have a hardcopy of our data
[14:46] <Deeps> might wanna read up on command line cd recording utilities, such as cdrdao i guess
[14:47] <Pizarro> Deeps, yes, I am now looking at cdrdao web site
[14:47] <Deeps> good luck!
[14:47] <Pizarro> so I think I can put this into a cron script right?
[14:48] <Pizarro> First obstacle:
[14:48] <Pizarro> Cdrdao records audio or data CD-Rs in disk-at-once (DAO) mode based on a textual description of the CD contents
[14:48] <Pizarro> CD-R
[14:48] <Pizarro> so no disk erase
[14:49] <Pizarro> It's strange, no one wanted to do this before?? This is a server!!, the data should be stored periodically
[14:49] <Deeps> cdrtools
[14:49] <Deeps> cdrecord -blank=fast -force
[14:49] <Deeps> first hit on google for "erase cdrw command line"
[14:50] <Deeps> and heh, you might find few people trust their backups to cdrws
[14:51] <Pizarro> Deeps, my concern is for example the HD gets damaged,...so what??'
[14:51] <Pizarro> all the stuff lost
[14:51] <Pizarro> even if we use a replicant HD, 2 or 3
[14:51] <Deeps> backup to another hd, backup to another machine
[14:51] <Pizarro> you are still having a risk
[14:51] <Deeps> backup over net offsite
[14:51] <Deeps> tape drives
[14:51] <Pizarro> tape drives? aren't DVDs more flexible and stable?
[14:52] <Deeps> well DVDs certainly do bend easier
[14:52] <Deeps> but i've dropped a tape on its side and not suffered any damage
[14:52] <Deeps> ive dropped a cd and a dvd on its side and the dye's run
[14:53] <Pizarro> I am probably wrong, but what I wanted to do is to keep always a CDRW or DVDRW into the server, and every night store to it the most relevant info
[14:53] <Deeps> the reliability of a cdrw tends to get pretty poor after a few uses too
[14:53] <Pizarro> and what about DVDs?
[14:53] <Deeps> dvdrw seems to be similar
[14:53] <Deeps> i haven't used them as much as i did cdrws, mostly for not wanting to take the risk
[14:54] <Deeps> that and i invested in a couple of NAS units instead
[14:54] <Pizarro> are they expensive?
[14:54] <Deeps> depends on what you consider expensive
[14:55] <Deeps> qnap 409pro is a pretty nice 4disk nas enclosure, good for small businesses, costs about $600
[14:55] <Pizarro> that's expensive now for us, we are a very small business just started 6 months ago (3 people)
[14:56] <Deeps> well, if you're looking to scrape the bottom of the barrel, i'd recommend backing data up from your server to your desktops (and vice versa i guess)
[14:56] <uvirtbot`> New bug: #270899 in apache2 (main) "apache doesn't come back up after weekly logrotate restart" [Undecided,Incomplete] https://launchpad.net/bugs/270899
[14:56] <Deeps> along with cdr and dvdr backups every week or so
[14:57] <Deeps> if you insist on cdrw/dvdrw i'd bin the disk and replace it every 2-3 weeks
[14:57] <Deeps> well, 20-30 burn cycles, anyway
[14:57] <Deeps> all depends on how valuable the data is and the cost of recovery in the event of disaster
[14:57] <Pizarro> ok, we probably will go like that for 4 - 6 month until the budgets lets us go for a best equipment
[14:58] <Pizarro> however cdrtools is not present in apt-cache
[14:59] <Pizarro> cdrw-taper - taper replacement for amanda to support backups to CD-RW or DVD+RW
[14:59] <Pizarro> What about that?
[15:33] <Pizarro> Hi,
[15:33] <Pizarro> How can I mount the dvdrw on my ubuntu server? I am trying "mount /dev/dvdrw" but I get an error
[15:59] <Koon> kirkland: about service --status-all, I think we need some way to distinguish in /etc/init.d between scripts that just do an action at startup/shutdown and daemon initscripts that really (should) have a status. The current filename-based filter in service doesn't catch them correctly
[16:02] <kirkland> Koon: i think that's a great idea
[16:03] <Koon> or maybe making sure they have a status action before calling them, which somehow solves it too
[16:05] <Koon> kirkland: we can also beautify the output using status's $?, allowing to have a nice table output (in the ideal world where all status return correct values)
[16:05] <kirkland> Koon: let's continue this after the meeting ;-)   i'd love to flesh this out some more
[16:06] <Koon> kirkland: sure :)
[16:52] <uvirtbot`> New bug: #270961 in net-snmp (main) "snmpd isn't stopped before postinst tries to start it" [Undecided,New] https://launchpad.net/bugs/270961
[16:56] <Fenix|work> Greetings
[16:56] <Fenix|work> quick question on file systems
[16:56] <RediXe> Just installed the mailserver, where/how do I setup accounts?
[16:56] <Fenix|work> I'm setting up a web proxy... and would like to get the best performing file system for the task... any recommendations?
[17:18] <Koon> coffeedude: ping
[17:22] <Koon> slangasek/coffeedude: will be back in a couple of hours if you want to discuss https://bugs.launchpad.net/ubuntu/intrepid/+source/likewise-open/+bug/262264/comments/19
[17:22] <uvirtbot`> Launchpad bug 262264 in likewise-open "Fails to join a domain: Unknown pam configuration" [Critical,In progress]
[17:23] <Pizarro> This:
[17:23] <Pizarro> genisoimage -V"mis datos" -R -hide-rr-moved -J -joliet-long /home/share/ | wodim -v -eject dev=/dev/scd0
[17:23] <Pizarro> doesn't work
[17:24] <coffeedude> Koon: sounds good.
[17:24] <Koon> coffeedude: the patch, or discussing it in two hours ?
[17:26] <coffeedude> discussing.  Sorry.  was wresting with git :-)
[17:27] <Koon> coffeedude: great, see you in two hours then
[17:46] <RediXe> How do I add a user to postfix?
[17:50] <slangasek> Koon: your mod looks good / makes sense to me
[18:07] <Koon> slangasek: feel free to upload it if coffeedude is OK with it
[18:07] <slangasek> coffeedude: have any time to discuss sooner? :)
[18:19] <no0tic> hi, I'm trying to configure postfix with smtp authentication via sasl+mysql but it doesn't work. logs and probably other useful information here: http://pastebin.ca/1204482
[18:19] <no0tic> I'm using this guide http://flurdy.com/docs/postfix/
[18:19] <no0tic> anyone can help me out?
[18:22] <ScottK> no0tic: Did you look at the Ubuntu Server Guide?
[18:23] <spiekey> hi
[18:23] <no0tic> ScottK, not yet..
[18:25] <ScottK> no0tic: OK.  I'd look at that.
[18:26] <spiekey> hey...anyone here with xen experience?
[18:26] <spiekey> soren seems to be away
[18:27] <soren> wazzup?
[18:30] * soren will be back later
[18:41] <no0tic> ScottK, it uses completely another method :) good to know
[18:42] <ScottK> no0tic: That's the approach you're most likely to get help with here.
[18:42] <no0tic> ScottK, I'll follow your advices, as always
[18:43] <spiekey> if i do a dumpe2fs /dev/lvm/HOST_A and /dev/lvm/HOST_B then i get the same Filesystem UUID. (this is LVM and ext3)
[18:43] <Pizarro> Hi everybody
[18:43] <spiekey> is this normal?
[18:43] <Pizarro> I have installed Ubuntu server plus OpenVPN which seems is UP, but I don't know how to go further to set up my VPN network, can anyone help me please?
[18:44] <Pizarro> I mean, I don't know if something is still needed to make it to work, or it is already configured, etc..????
[18:47] <RediXe> is there a way to do mail.internalip ? ... mail.domain.com isn't up so I have to use the server's ip address but can't figure out how to do it
[18:48] <Pizarro> Nobody made a vpn server????
[18:57] <Goosemoose> anyone with experience with likewise? I have it joining the domain via preseed.cfg over the network. The installer logs show it's successfully. domainjoin-cli query shows it's joined, AD shows it's joined, but I can't log in to the domain. If I leave and rejoin it works fine. Any ideas on why that would be?
[18:59] <spiekey> how do i exit an xen console?
[19:02] <sommer> kirkland: pong
[19:03] <no0tic> ScottK, the postfix guide in the ubuntu server guide sets up a server that authenticates mail users against system users, not against a properly populated mysql table.. Authenticating against real system users can constitute a security threat...
[19:04] <ScottK-laptop> OK.  Virtual is another way to do it.  In my experience if you're doing a non-trivial installation of Postfix, having a copy of "The Book of Postfix" on your desk when you do it is a very good idea.
[19:05] <no0tic> ScottK, I have one in pdf right here :)
[19:06] <ScottK-laptop> no0tic: OK.  With the one exception that Debian/Ubuntu have postfix in chroot by default, all the stuff in that book should work.
[19:16] <danielm_mc> gah!  i keep getting stuck in ubuntu-read-topic when i try and join #ubuntu - anyone know what's up with this?  i'm behind a NAT, but it looks like there's some issue in there
[19:16] <danielm_mc> whats up with that?
[19:18] <danielm_mc> !help
[19:18] <ubottu> Hi! I'm #ubuntu-server's favorite infobot, you can search my brain yourself at http://tinyurl.com/5zfb6t - Usage info: http://wiki.ubuntu.com/UbuntuBots
[19:18] <danielm_mc> !#ubuntu
[19:18] <ubottu> Ubuntu is a complete Linux-based operating system, freely available with both community and professional support. It is developed by a large community and we invite you to participate too! - Also see http://www.ubuntu.com
[19:18] <danielm_mc> stupid bot
[19:20] <no0tic> hi RoAkSoAx ;)
[19:21] <RoAkSoAx> hi no0tic long time no see :)
[19:23] <RoAkSoAx> no0tic, what have you been up to
[19:23] <no0tic> RoAkSoAx, I'm desperately trying to set up a mail server :)
[19:25] <RoAkSoAx> no0tic, have you tried: http://www.howtoforge.com/perfect-server-ubuntu8.04-lts-p5 ?
[19:26] <Goosemoose> is there some way to 'push' programs to ubuntu workstations like there is in windows?
[19:29] <sommer> Goosemoose: ssh
[19:30] <Goosemoose> no fun when you have 500 machines
[19:30] <sommer> Goosemoose: actually I think apps like cfengine and puppet can do that, and maybe landscape...
[19:30] <Deeps> ssh in a script?
[19:30] <Goosemoose> deeps, yeah but still a pain tracking all the computer names
[19:30] <Goosemoose> ill check out the programs sommer mentioned
[19:30] <Goosemoose> ive never used any of them
[19:31] <no0tic> RoAkSoAx, as I said before you joined.. I need virtual mailboxes :)
[19:31] <no0tic> RoAkSoAx, thanks anyway
[19:31] <danielm_mc> yah, cfengine and puppet are stock, puppet kind of sucks, and cfengine really sucks
[19:31] <RoAkSoAx> no0tic, oh i see... browse there in howtoforge.. i think i've seen how to set up virtual mailboxes :)
[19:31] <danielm_mc> why are you asking about basic system administration in #ubuntu-server though?
[19:31] <Deeps> Goosemoose: they're not all stored in a db/ldap/something else?
[19:32] <danielm_mc> deeps: yeah no kidding, i'm just working on my own thang like that
[19:33] <Goosemoose> deeps, yes but i have a mix of windows & linux machines
[19:33] <Goosemoose> it's a school
[19:33] <Goosemoose> i should make my login script add the computers to a ubuntu group, hmm
=== no0tic is now known as no0`ra
=== no0`ra is now known as no0tic
[19:37] <Pizarro> can someone please give me a hand setting up a VPN network, please, I beg you
[19:44] <Pizarro> Can anyone PLEASE help me with a VPN server on Ubuntu Server????????
[19:46] <Pizarro> I NEED HELP!!!!!
[19:46] <danielm_mc> yeah
[19:46] <danielm_mc> whats up pizarro
[19:47] <danielm_mc> you need help with vpn?
[19:47] <danielm_mc> what is the problem
[19:47] <Pizarro> danielm_mc, thanks for your attention,
[19:47] <danielm_mc> whats up
[19:47] <Pizarro> I am trying to set up a VPN server in Ubuntu server
[19:47] <danielm_mc> which vpn server
[19:47] <Pizarro> OpenVpn is already installed
[19:47] <danielm_mc> okay, whats the problem
[19:47] <Pizarro> I followed https://help.ubuntu.com/community/VPNServer
[19:47] <Pizarro> but when I try to start the server it fails
[19:48] <Pizarro> I followed exactly what the wiki say
[19:48] <danielm_mc> did you read: http://openvpn.net/index.php/documentation/howto.html
[19:48] <danielm_mc> that's an old doc on ubuntu wiki
[19:48] <Pizarro> a little
[19:48] <danielm_mc> should go straight to the distribution wiki
[19:49] <Pizarro> that document is huge!
[19:49] <danielm_mc> i've had bad experiences with tun+ (bridged networking in openvpn)
[19:49] <danielm_mc> welcome to sysadmin hell
[19:49] <danielm_mc> anyways, use the tap+ interfaces, not tun+
[19:49] <danielm_mc> it's much easier, and it's SSL + PKI
[19:49] <Pizarro> puff
[19:49] <danielm_mc> puff puff, you need help i served
[19:49] <Pizarro> I appreciate it
[19:50] <Pizarro> and I thank you
[19:50] <danielm_mc> no prob, have fun reading
[19:50] <danielm_mc> just make sure you switch to the tap+ ; don't do bridged ethernet
[19:50] <Pizarro> but frankly spoken, that's a nightmare to set up a simple VPN network
[19:50] <danielm_mc> no no, it's really _not_
[19:50] <_ruben> danielm_mc: tap+ is bridging, tun+ is routing
[19:50] <danielm_mc> ehhh
[19:51] <Pizarro> well, the only time I set a vpn server was in Xp, and was 6 clicks
[19:51] <danielm_mc> tap is SASL/TLS -
[19:51] <Pizarro> and it is still working fine since 2 years ago
[19:51] <danielm_mc> try setting up FreeSWAN
[19:51] <_ruben> freeswan's dead .. openswan is pretty much a breeze to setup really
[19:51] <Pizarro> what's that?
[19:52] <_ruben> openswan is ipsec vpn software
[19:52] <Pizarro> ok, so I will start reading,
[19:52] <Pizarro> you said bridged vpn right?
[19:52] <_ruben> (openvpn is ssl vpn software)
[19:53] <danielm_mc> http://openvpn.net/index.php/documentation/howto.html#vpntype
[19:53] <_ruben> with bridged vpn your vpn clients will be part of (logical) subnet/network of the server .. with routed vpn your vpn clients will be in a dedicated subnet
[19:53] <_ruben> off to watch a movie .. g'luck
[19:54] <danielm_mc> ... i'm off to build some python modules ...
[19:55] <Pizarro> ok, thanks
w8tahi am setting up keypair auth on my firewall - i created my keys there -- the pub key stays on the firewall -- where do i put my private key on my laptop that i'll use to connect to it?20:04
[20:11] <ScottK-laptop> leonel: Any progress on clamav patches?
[21:04] <sommer> kirkland: bing
[21:05] <kirkland> sommer: hey
[21:05] <kirkland> sommer: okay...  the server guide ;-)
[21:05] <sommer> kirkland: have a chance yet?
[21:05] <kirkland> sommer: doing it now
[21:05] <sommer> kirkland: ah, cool
[21:07] <kirkland> sommer: serverguide/C/installation.xml?
[21:07] <sommer> kirkland: yep, or http://doc.ubuntu.com/ubuntu/serverguide/C/advanced-installation.html
[21:07] <kirkland> sommer: i just pulled the source
[21:07] <sommer> kirkland: that works too :)
[21:08] <Goosemoose> dendrobates Are you around? Im having a likewise issue. I have it join the domain in a late_command while installing over the network and the logs show it installed fine. If I run domainjoin-cli query is shows I'm joined. If I look in AD the computer is listed, but I get an error if I log in as a domain user. If I then leave then rejoin everything works fine.
[21:09] <kirkland> sommer: hmm, i think step 6, "#Choose "bootable flag" setting it to "on". Then select the "Done setting up the partition" option." might need to be removed
[21:09] <dendrobates> Goosemoose: in hardy or intrepid?
[21:09] <kirkland> sommer: i can test again, but I'm not sure if that works or not
[21:09] <kirkland> sommer: i know it works if it's NOT selected
[21:09] <kirkland> sommer: there may be a bug, when selecting it
[21:10] <sommer> kirkland: okay, I'll update that... it also should mention the degraded question somewhere
[21:10] <kirkland> sommer: yeah, i'm getting to that
[21:10] <kirkland> sommer: after step 5, Finally, select "Finish partitioning and write changes to disk".
[21:11] <kirkland> sommer: i'll paste the exact text in a pastebin....
[21:11] <sommer> kirkland: cool
[21:12] <kirkland> sommer: the screen will look something like this:
[21:12] <kirkland> sommer: http://pastebin.ubuntu.com/47562/
[21:12] <Goosemoose> dendrobates, in hardy
[21:13] <Goosemoose> dendrobates, the installer logs show a successful join, as does domainjoin-cli query, that's the weird thing
[21:13] <kirkland> sommer: add maybe just that last line as step 6
[21:13] <dendrobates> Goosemoose: it is a bug.  The likewise daemon isn't starting.
[21:13] <kirkland> sommer: this paragraph should be updated.... "By default Ubuntu Server Edition will not boot using to a degraded RAID device, due to the chance of data corruption This may or may not be the desired behavior you want, especially if the machine is in a remote location. "
[21:14] <sommer> kirkland: gotcha will do
[21:14] <kirkland> sommer: we should probably define the Dapper - Hardy behavior, and then also the Intrepid+ behavior
[21:14] <Goosemoose> dendrobates, ok, suggested fix then? i added this to my late_command script before joining: /etc/init.d/likewise-open start
[21:14] <Goosemoose> just to make sure it was started
[21:14] <kirkland> sommer: ie, what you've said there is true up to and including Hardy
[21:15] <dendrobates> Goosemoose: sudo update-rc.d defaults
[21:15] <Goosemoose> dendrobates, add that to my late script?
[21:16] <dendrobates> Goosemoose: no run it once.
[21:16] <Goosemoose> dendrobates, on the server? or run it manually on the workstation
[21:16] <sommer> kirkland: mentioning previous releases may be better suited to the wiki... at least in the past the serverguide has been focussed on the current release
[21:16] <kirkland> sommer: for Intrepid and beyond, the BOOT_DEGRADED question will appear in the installer, and if the user wants to change this at a later time, they should run "dpkg-reconfigure mdadm"
[21:16] <kirkland> sommer: fair enough.....
[21:16] <dendrobates> Goosemoose: the workstation that is trying to connect using likewise-open
[21:17] <Goosemoose> dendrobates, i can just leave the doing and join it again and that works fine too
[21:17] <kirkland> sommer: as for the kernel option, i don't think that's necessary to mention, though it doesn't hurt
[21:17] <Goosemoose> dendrobates: sudo update-rc.d defaults also isn't valid
[21:17] <kirkland> sommer: the key thing is that the user will also get an interactive prompt
[21:17] <Goosemoose> dendrobates: i get the help screen
[21:17] <kirkland> sommer: if their raid has become degraded and they haven't chosen to boot degraded
[21:18] <kirkland> sommer: after the 30 second timeout looking for disks, the initramfs will prompt, saying:
[21:18] <Goosemoose> dendrobates: problem is im about to roll out to 500 computers and dont want to manually rejoin domains
[21:18] <dendrobates> Goosemoose: oops.   sudo update-rc.d likewise-open defaults
[21:19] <kirkland> sommer: http://pastebin.ubuntu.com/47564/
[21:19] <kirkland> sommer: that question is on a 15 second timeout
[21:19] <sommer> kirkland: good call I'll mention the prompt
[21:20] <kirkland> sommer: i figure if someone has interactive access to the console, that prompt is more useful than the kernel param
[21:20] <sommer> kirkland: ya that makes sense, plus if they know about the option they'll probably edit the file
[21:20] <kirkland> sommer: right
=== mcasadevall is now known as NCommander
[21:20] <kirkland> sommer: i guess the kernel param *might* be useful to override, though
[21:20] <kirkland> sommer: it's your call
[21:21] <kirkland> sommer: i don't mind it there, and you've written it up already
[21:21] <kirkland> sommer: i'd just ask you to make the dpkg-reconfigure and the interactive prompt more prominent than the kernel parameter bit
[21:21] <sommer> kirkland: I'll take another high level look after the updates you mentioned and make sure it still fits
[21:22] <kirkland> sommer: are you making these changes that I mentioned, or are you expecting a diff from me?
[21:23] <sommer> kirkland: I'll just make them, I've been taking notes, shouldn't take long
[21:23] <sommer> kirkland: I appreciate the feedback
[21:23] <kirkland> sommer: awesome
[21:24] <Goosemoose> dendrobates, ok doing that and then rebooting worked. can i just add that to my late command script?
[21:24] <kirkland> sommer: i think that's it
[21:24] <sommer> kirkland: cool, should have it updated this evening
[21:24] <kirkland> sommer: awesome, you da man!
[21:31] <dendrobates> Goosemoose: It is only needed when you first join a domain, and it is fixed in intrepid.
[21:32] <Goosemoose> ok ill add it in then. lol, i just got around to reinstalling from feisty to hardy
[21:51] <LMJ> hi
[21:51] <LMJ> is there a way with find to look for *.jpg OR *.GIF ?
[21:52] <LMJ> yes, with -or ;)
[21:54] <leonel> ScottK-laptop: Those patches  were non critical when they released  0.94  but now checking  cve  looks  scary ..
[21:54] <ScottK-laptop> leonel: OK.  Please get us some debdiffs.
[21:55] <leonel> ScottK-laptop:  there are for   cve-2008-3914 cve-2008-3913 cve-2008-3912
[21:55] <uvirtbot`> leonel: Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknown impact and attack vectors related to file descriptor leaks on the "error path" in (1) libclamav/others.c and (2) libclamav/sis.c. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914)
[21:55] <Goosemoose> dendrobates, is something broken in hardy with using sudo as well if you enable root via the preseed.cfg?
[21:55] <uvirtbot`> leonel: Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94 might allow attackers to cause a denial of service (memory consumption) via unspecified vectors related to the "error path." (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913)
[21:55] <uvirtbot`> leonel: libclamav in ClamAV before 0.94 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an out-of-memory condition. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912)
[21:56] <dendrobates> Goosemoose: not that I am aware.
[21:59] <Goosemoose> hmm
[21:59] <Goosemoose> can't sudo i get an error that the current user isn't in sudoers
[22:00] <leonel> http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/2008-September/000049.html  <--  ScottK-laptop  reading the thread looks that the only  worry would be  for cve-3914
[22:01] <ScottK-laptop> Yes.
[22:01] <Goosemoose> hmmm, might be a conflict between the root user in AD
[22:01] <ScottK-laptop> I think that's the most important one.  Preferably I'd like to close them all if it's reasonable to do so.
[22:06] <danielm_mc> anyone know whats up with #ubuntu today?  i can't join
[22:08] <Goosemoose> probably the 1350 people in there
[22:14] <danielm_mc> yeah thats not too bad, usually around 1500
[22:14] <danielm_mc> i keep getting something about the DCC exploit, but wtf
=== andreas__ is now known as ahasenack
ScottKWahoo.  FWIW openchange has landed in Intrepid.23:35
mathiaz!help cve23:48
ubottuSorry, I don't know anything about help cve23:48
mathiazCVE-2007-272723:48
uvirtbot`mathiaz: The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2727)23:48
mathiazkees: jdstrand: how do I know if this one ^^ has been fixed ?23:49
mathiazkees: jdstrand: nm - I've found it on LP23:50
jdstrandmathiaz: can also use http://people.ubuntu.com/~ubuntu-security/cve/2007/CVE-2007-2727.html23:50
uvirtbot`jdstrand: The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2727)23:50
mathiazjdstrand: ah - that's muchhh better23:52
mathiazjdstrand: you should add this to the FAQ/Knowledge23:52
mathiazjdstrand: I've been looking around for this url23:52
jdstrandmathiaz: you can also just use http://people.ubuntu.com/~ubuntu-security/cve/CVE-2007-2727.html which is helpful with firefox keywords23:52
uvirtbot`jdstrand: The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2727)23:52
* jdstrand kicks uvirtbot` 23:53
jdstranduvirtbot`: just simmer down already :P23:53
uvirtbot`jdstrand: Error: "just" is not a valid command.23:53
mathiazuvirtbot`: chussh23:53
uvirtbot`mathiaz: Error: "chussh" is not a valid command.23:53
jdstrandmathiaz: (that last url omits the '2007' part of the url)23:53
jdstrandmathiaz: kees and I are planning to make that public once things are finalized on that23:56