[00:21] <Goosemoose> so i installed ubuntu over the network, add to late_command to join an AD domain, the computer shows up in AD and domainjoin-cli query shows it's on the domain. But I can't login as a domain user. Any suggestions?
[01:01] <uvirtbot`> New bug: #270713 in net-snmp (main) "snmpd: error getting netmask for interface" [Undecided,New] https://launchpad.net/bugs/270713
[01:31] <uvirtbot`> New bug: #270720 in mysql-dfsg-5.0 (main) "ty" [Undecided,New] https://launchpad.net/bugs/270720
[01:38] <twb> What's the difference between the "generic" and "server" kernel flavours?
[02:18] <docta_v> anyone tried building a newer e1000 on a somewhat older kernel? (2.6.16)
[02:18] <docta_v> supposedly it's possible but i'm running into a lot of issues with missing header files and undefined symbols
[02:24] <twb> docta_v: are you referring to the kernel driver for the e1000 intel gigabit NIC?
[02:31] <docta_v> twb: yes.. I need to install a newer version of the driver but it won't compile
[02:32] <twb> docta_v: I don't think you can just use a driver from a newer kernel.
[02:32] <docta_v> it's not from a newer kernel
[02:32] <docta_v> you can download the driver standalone
[02:32] <docta_v> says it supports 2.4.x and 2.6.x
[02:32] <ScottK-laptop> docta_v: What system are you running.  Ubuntu never shipped 2.6.16 in a final release.
[02:33] <docta_v> yeah this is a debian system unfortunately
[02:33] <docta_v> but i use ubuntu everywhere else
[02:33] <ScottK-laptop> Well Debian and Ubuntu kernels are completely different.
[02:33] <docta_v> we bought this nfs head product from a vendor that has a really old kernel on it
[02:33] <ScottK-laptop> So Ubuntu kernel advice is unlikely to apply.
[02:34] <twb> docta_v: you should ask #debian on OFTC (irc.debian.org)
[02:34] <docta_v> those guys never answer any questions
[02:34] <docta_v> but i'll try
[05:31] <chmac> Any bright ideas on how to shred the disk of a running machine to which I only have ssh access?
[05:56] <twb> chmac: if /home is on a separate partition, it's easy.
[05:57] <chmac> twb: Yeah, no separate partitions
[05:57] <chmac> twb: Turns out my host turned off my server already, so it's no longer an issue! :)
[05:57] <twb> I guess you could do sudo find /home -type f -exec shred {} + -delete
[05:57] <twb> Oh well.
[05:57] <chmac> twb: Shred has an option to delete the file
[05:57] <chmac> shred -u I think
[05:57] <chmac> I'm not too worried though :)
[07:56] <twb> Is it a bad idea to use /etc/hosts.{allow,deny} instead of iptables rules, when setting up some basic rules like "hosts on the WAN shouldn't be allowed access to my services."
[07:57] <vk5foss> i've done it before, it's not the most secure way of doing things aiui, but it does work
[07:58] <twb> I was hoping for a blog article or suchlike that explains exactly WHY it's less secure than iptables DROP/REJECT rules, with example attack vectors.
[07:58] <vk5foss> never looked sorry.
[08:05] <twb> vk5foss: a brief google suggests that it avoids DOS attacks (if you DROP packets instead of REJECTing them), and it also guards against the case where a package isn't built with tcp-wrappers support (in which case hosts.deny would be ignored).
[08:06] <vk5foss> random question: should i recommend users use rsa or dsa keys for their ssh? i thought rsa was 'it', but i've seen dsa recommended
[08:21] <twb> Hmm, I wonder if, with "ALL: 192.168.: ALLOW" and "ALL: ALL: DENY", my server will respond to DHCP requests.
[08:23] <slangasek> tcpwrappers doesn't generally block udp traffic, no
[08:33] <Koon> slangasek/coffeedude: did you sync on the likewise-open PAM subject ? Is my help needed in any way ?
[08:37] <Koon> kgoetz: based on recent research I'd recommend RSA now
[08:37] <Koon> kgoetz: you could ask in #ubuntu-hardened to get more experts opinions
[08:40] <kgoetz> Koon: i've gone with rsa, as that's what i seemed to recall debian now required of its devs. i was hoping for a 'comfort factor' 2nd opinion :)
[08:41] <slangasek> Koon: no, I ended up fighting with the pam-auth-update stuff all afternoon and have just now posted a patch to the bug
[08:41] <Koon> kgoetz: I'd say they are both safe, but DSA usually fails less gracefully
[08:41] <slangasek> I also suspect that likewise-open may be killing my network-manager :/
[08:41]  * Koon looks
[08:43] <slangasek> Koon: I've posted a patch rather than just uploading, to get a second opinion on the change first; it's the best I can come up with at the moment, but I'm not entirely happy with it
[08:44] <Koon> slangasek: i'll test it. It may not fix the issue in the best way, but it would be nice to have it in alpha6 instead of the currently broken version we have atm
[08:45] <slangasek> Koon: well, if we decide that this is the wrong way to do it, it may become substantially harder to back out afterwards
[08:46] <Koon> slangasek: what would be your choice between patching 2956 to just fix the PAM issue and the libwbclient0 incompatibility and switching to 2982 bugfix microrelease (through a FFe ?)
[08:47] <slangasek> Koon: uhm, AFAIUI 2982 does not fix the PAM issue, suffering from the problem I pointed out in https://bugs.launchpad.net/ubuntu/intrepid/+source/likewise-open/+bug/262264/comments/13, so this isn't an either/or choice
[08:47] <uvirtbot`> Launchpad bug 262264 in likewise-open "Fails to join a domain: Unknown pam configuration" [Critical,Triaged]
[08:48] <Koon> slangasek: I mean 2982 + your patch instead of Jerry's one
[08:48] <slangasek> ok
[08:49] <slangasek> well, I haven't reviewed the upstream diff for 2982 yet, and we're into Tuesday already, so I think that for alpha-6 we ought to just patch the bugs and go
[08:49] <Koon> OK, will test that then
[08:50] <slangasek> I'm puzzled by the incompatibility issue, though, I thought ABI compatibility between the samba and likewise-open versions of libwbclient was a non-negotiable requirement for Likewise
[08:52] <Koon> slangasek: jerry said "compatible but not equivalent" and said my fix (using samba's lib) is incorrect
[08:52] <slangasek> ah - yes, the likewise-open one is meant to take precedence :)
[08:52] <Koon> probably :)
[08:53] <Koon> I agree it could be fixed in a nicer way but we are running out of time
[08:53] <slangasek> so ideally, likewise-open would Conflict/Replace/Provide libwbclient0 to satisfy the dep of other packages; but this might not work because of versioned deps, I haven't looked
[08:57] <Koon> slangasek: so basically in your patch you always enable the pam config, but it doesn't break if no domain is joined
[08:57] <slangasek> I believe so
[08:57] <slangasek> let me fix another bug in pam itself here, and I'll do a bit more testing to confirm ;)
[08:58] <Koon> when no domain is joined, does it delay before failing ? Don't want us to add 30 second timeouts ;)
[08:58]  * Koon will build and test against his Windows AD test infra
[08:59] <slangasek> in my testing so far, no, there was no delay; and there shouldn't be, as I asked dendrobates earlier about whether lwi does "winbind use default domain" by default
[08:59] <slangasek> so lwi will acknowledge that any non-domain-y names are not for it
[09:00] <Koon> right
[09:06] <slangasek> ah, bug in that patch
[09:06] <slangasek> Koon: the prerm needs to call pam-auth-update --package --remove likewise-open, not --remove likewise
[09:06] <slangasek> updated patch to post shortly
[09:12] <Koon> slangasek: noted
[09:25] <Koon> slangasek: your patch is also missing the debian/control modification, I'm adding them
[09:26] <slangasek> hrm, so it is; thanks for noticing
[09:27] <slangasek> ah, domainjoin-cli *is* to blame for my desktop crashes
[09:28] <Koon> slangasek: something like bug 222224 ?
[09:28] <uvirtbot`> Launchpad bug 222224 in likewise-open "likewise-open: blows up session when joining the domain" [Undecided,New] https://launchpad.net/bugs/222224
[09:28] <slangasek> title sounds like it :)
[09:29] <Koon> slangasek: not sure the workaround in the bug applies to you
[09:33] <slangasek> Koon: the domain I'm joining to isn't a .local
[09:34] <Koon> yes, the two bugs are completely distinct
[09:34] <slangasek> then I'm not clear on what the workaround is
[09:35] <slangasek> listing dns before mdns4_minimal?
[09:35] <slangasek> that would be an inappropriate workaround (because it means misconfiguring mDNS), so I'll pass. :)
[09:36] <Koon> slangasek: I don't think there is a known workaround. The BrianDrab in the bug was confused by another bug
[09:36] <slangasek> ok
[09:36] <Koon> slangasek: I think this is the result of changing system files in the middle of a session, this still has to be investigated
[09:37] <slangasek> I'd be surprised/dismayed if glibc were that fragile
[09:37] <Koon> one problem being it doesn't /always/ crash.
[10:05] <Koon> slangasek: I've a segfault during domain join/leave
[10:05] <slangasek> yes, so do I
[10:05] <slangasek> but I don't think I caused it :P
[10:06] <Koon> Wasn't there before. Investigating
[10:06]  * slangasek grabs a backtrace, then
[10:07] <slangasek> #0  0x00007fd713101003 in free () from /lib/libc.so.6
[10:07] <slangasek> #1  0x00007fd714431b73 in LWHandle () from /usr/lib/libcentutils.so.1
[10:07] <slangasek> inconclusive
[10:07] <slangasek> it's possible it's due to my patch, then; coffeedude would probably be able to tell easily
[10:08] <Koon> what does the LW_RAISE do ?
[10:08] <slangasek> probably something it shouldn't ;)
[10:09] <Koon> rebuilding with it commented
[10:09] <Koon> slangasek: shouldn't you be sleeping ?
[10:09] <slangasek> yes
[10:10] <slangasek> the LW_RAISE() was what you get if you take apart LW_CLEANUP_CTERR(), which I wasn't using because the cleanup: label was commented out
[10:10] <slangasek> but even that may not be needed, since we never have any errors
[10:16] <ghaleb> hello, I have scheduled a cron task with the config */4 * *  * * root  /bin/updateStatus.sh > /home/log.log  but it's not working
[10:25] <slangasek> Koon: right, now instead of a segfault I just get "Error: Module not configured".  So I'm missing something about how the return handling is supposed to work.
[10:25] <Koon> I'm on it
[10:25] <slangasek> I'll leave you to it, then; if you get it figured out and need an upload, I'll be back in ~6h :)
[10:26] <Koon> slangasek: sounds like a plan
[10:26] <Koon> sleep well (and fast)
[11:16] <ghaleb> hello, how can I be sure that a shell script executed successfully
[11:22] <ScottK-laptop> ghaleb: Use set -e
[11:22] <ghaleb> ScottK-laptop: hmm .. how do I call the script then ?
[11:23] <ScottK-laptop> Add set -e to the script so that it will exit if it encounters any errors.
[11:23] <NCommander> ScottK-laptop: isn't set -e a bashism?
[11:24] <ScottK-laptop> NCommander: No.
[11:24] <NCommander> ok
[11:24]  * NCommander returns to his quiet hole in the wall
[12:43] <\sh> hmm..something is wrong with the bonding network stuff...
[12:44] <\sh> auto bond0 \n iface bond0 inet static \n address...\n slaves eth0 eth1 \n bond-mode 0 \n ... works as expected
[12:44] <\sh> auto bond1 \n iface bond1 inet static \n ... doesn't work...
[12:45] <\sh> is there some magic step to tell modprobe somehow to use modprobe -o bond0 bonding \n modprobe -o bond1 bonding ? because with the second modprobe statement bond1 comes up
[12:46] <\sh> (and yes, modprobe.d/aliases -> alias bond1 bonding is in place, but doesn't get recognized anymore it seems
[13:07] <Koon> slangasek/coffeedude: please see patch @ https://bugs.launchpad.net/ubuntu/intrepid/+source/likewise-open/+bug/262264/comments/19
[13:07] <uvirtbot`> Launchpad bug 262264 in likewise-open "Fails to join a domain: Unknown pam configuration" [Critical,In progress]
[13:37] <\sh> damnit.-..
[13:37] <\sh> with alias and options inside /etc/modprobe.d/ it doesn't work...and the old line "install /sbin/modprobe --ignore-install bonding ..." works
[14:42] <Pizarro> Hi everyone
[14:42] <Pizarro> I have two issues: the first one is that I would like to perform a daily backup of some folders to a CD-RW, is there any way?
[14:43] <Pizarro> I want to erase and burn a cd everyday for example at midnight, is there any way to do so under Ubuntu Server?
[14:44] <sommer> Pizarro: you can probably script cdrdao or another utility... I've never done it myself though
[14:45] <Pizarro> sommer, what I want to do is very simple in other server platforms
[14:45] <Pizarro> What is cdrdao?
[14:45] <Deeps> !backup | Pizarro
[14:46] <Pizarro> Deeps, I've seen all those links but unfortunately all are talking about tar files
[14:46] <Pizarro> my problem is how to erase a CDRW and burn it daily with the back up files
[14:46] <Pizarro> the cd will stay always in the recorder, so everyday we have a hardcopy of our data
[14:46] <Deeps> might wanna read up on command line cd recording utilities, such as cdrdao i guess
[14:47] <Pizarro> Deeps, yes, I am now looking at cdrdao web site
[14:47] <Deeps> good luck!
[14:47] <Pizarro> so I think I can put this into a cron script right?
[14:48] <Pizarro> First obstacle:
[14:48] <Pizarro> Cdrdao records audio or data CD-Rs in disk-at-once (DAO) mode based on a textual description of the CD contents
[14:48] <Pizarro> CD-R
[14:48] <Pizarro> so no disk erase
[14:49] <Pizarro> It's strange, no one wanted to do this before?? This is a server!!, the data should be stored periodically
[14:49] <Deeps> cdrtools
[14:49] <Deeps> cdrecord -blank=fast -force
[14:49] <Deeps> first hit on google for "erase cdrw command line"
[14:50] <Deeps> and heh, you might find few people trust their backups to cdrws
[14:51] <Pizarro> Deeps, my concern is for example the HD gets damaged,...so what??
[14:51] <Pizarro> all the stuff lost
[14:51] <Pizarro> even if we use a replicant HD, 2 or 3
[14:51] <Deeps> backup to another hd, backup to another machine
[14:51] <Pizarro> you are still having a risk
[14:51] <Deeps> backup over net offsite
[14:51] <Deeps> tape drives
[14:51] <Pizarro> tape drives? aren't DVDs more flexible and stable?
[14:52] <Deeps> well DVDs certainly do bend easier
[14:52] <Deeps> but i've dropped a tape on its side and not suffered any damage
[14:52] <Deeps> i've dropped a cd and a dvd on its side and the dye's run
[14:53] <Pizarro> I am probably wrong, but what I wanted to do is to keep always a CDRW or DVDRW into the server, and every night store to it the most relevant info
[14:53] <Deeps> the reliability of a cdrw tends to get pretty poor after a few uses too
[14:53] <Pizarro> and what about DVDs?
[14:53] <Deeps> dvdrw seems to be similar
[14:53] <Deeps> i haven't used them as much as i did cdrws, mostly for not wanting to take the risk
[14:54] <Deeps> that and i invested in a couple of NAS units instead
[14:54] <Pizarro> are they expensive?
[14:54] <Deeps> depends on what you consider expensive
[14:55] <Deeps> qnap 409pro is a pretty nice 4disk nas enclosure, good for small businesses, costs about $600
[14:55] <Pizarro> that's expensive now for us, we are a very small business just started 6 months ago (3 people)
[14:56] <Deeps> well, if you're looking to scrape the bottom of the barrel, i'd recommend backing data up from your server to your desktops (and vice versa i guess)
[14:56] <uvirtbot`> New bug: #270899 in apache2 (main) "apache doesn't come back up after weekly logrotate restart" [Undecided,Incomplete] https://launchpad.net/bugs/270899
[14:56] <Deeps> along with cdr and dvdr backups every week or so
[14:57] <Deeps> if you insist on cdrw/dvdrw i'd bin the disk and replace it every 2-3 weeks
[14:57] <Deeps> well, 20-30 burn cycles, anyway
[14:57] <Deeps> all depends on how valuable the data is and the cost of recovery in the event of disaster
[14:57] <Pizarro> ok, we probably will go like that for 4 - 6 months until the budget lets us go for better equipment
[14:58] <Pizarro> however cdrtools is not present in apt-cache
[14:59] <Pizarro> cdrw-taper - taper replacement for amanda to support backups to CD-RW or DVD+RW
[14:59] <Pizarro> What about that?
[15:33] <Pizarro> Hi,
[15:33] <Pizarro> How can I mount the dvdrw on my ubuntu server? I am trying "mount /dev/dvdrw" but I get an error
[15:59] <Koon> kirkland: about service --status-all, I think we need some way to distinguish in /etc/init.d between scripts that just do an action at startup/shutdown and daemon initscripts that really (should) have a status. The current filename-based filter in service doesn't catch them correctly
[16:02] <kirkland> Koon: i think that's a great idea
[16:03] <Koon> or maybe making sure they have a status action before calling them, which somehow solves it too
[16:05] <Koon> kirkland: we can also beautify the output using status's $?, allowing to have a nice table output (in the ideal world where all status return correct values)
[16:05] <kirkland> Koon: let's continue this after the meeting ;-)   i'd love to flesh this out some more
[16:06] <Koon> kirkland: sure :)
[16:52] <uvirtbot`> New bug: #270961 in net-snmp (main) "snmpd isn't stopped before postinst tries to start it" [Undecided,New] https://launchpad.net/bugs/270961
[16:56] <Fenix|work> Greetings
[16:56] <Fenix|work> quick question on file systems
[16:56] <RediXe> Just installed the mailserver, where/how do I setup accounts?
[16:56] <Fenix|work> I'm setting up a web proxy... and would like to get the best performing file system for the task... any recommendations?
[17:18] <Koon> coffeedude: ping
[17:22] <Koon> slangasek/coffeedude: will be back in a couple of hours if you want to discuss https://bugs.launchpad.net/ubuntu/intrepid/+source/likewise-open/+bug/262264/comments/19
[17:22] <uvirtbot`> Launchpad bug 262264 in likewise-open "Fails to join a domain: Unknown pam configuration" [Critical,In progress]
[17:23] <Pizarro> This:
[17:23] <Pizarro> genisoimage -V"mis datos" -R -hide-rr-moved -J -joliet-long /home/share/ | wodim -v -eject dev=/dev/scd0
[17:23] <Pizarro> doesn't work
[17:24] <coffeedude> Koon: sounds good.
[17:24] <Koon> coffeedude: the patch, or discussing it in two hours ?
[17:26] <coffeedude> discussing.  Sorry.  was wrestling with git :-)
[17:27] <Koon> coffeedude: great, see you in two hours then
[17:46] <RediXe> How do I add a user to postfix?
[17:50] <slangasek> Koon: your mod looks good / makes sense to me
[18:07] <Koon> slangasek: feel free to upload it if coffeedude is OK with it
[18:07] <slangasek> coffeedude: have any time to discuss sooner? :)
[18:19] <no0tic> hi, I'm trying to configure postfix with smtp authentication via sasl+mysql but it doesn't work. logs and probably other useful information here: http://pastebin.ca/1204482
[18:19] <no0tic> I'm using this guide http://flurdy.com/docs/postfix/
[18:19] <no0tic> anyone can help me out?
[18:22] <ScottK> no0tic: Did you look at the Ubuntu Server Guide?
[18:23] <spiekey> hi
[18:23] <no0tic> ScottK, not yet..
[18:25] <ScottK> no0tic: OK.  I'd look at that.
[18:26] <spiekey> hey...anyone here with xen experience?
[18:26] <spiekey> soren seems to be away
[18:27] <soren> wazzup?
[18:30]  * soren will be back later
[18:41] <no0tic> ScottK, it uses completely another method :) good to know
[18:42] <ScottK> no0tic: That's the approach you're most likely to get help with here.
[18:42] <no0tic> ScottK, I'll follow your advice, as always
[18:43] <spiekey> if i do a dumpe2fs /dev/lvm/HOST_A and /dev/lvm/HOST_B then i get the same Filesystem UUID. (this is LVM and ext3)
[18:43] <Pizarro> Hi everybody
[18:43] <spiekey> is this normal?
[18:43] <Pizarro> I have installed Ubuntu server plus OpenVPN which seems is UP, but I don't know how to go further to set up my VPN network, can anyone help me please?
[18:44] <Pizarro> I mean, I don't know if something is still needed to make it to work, or it is already configured, etc..????
[18:47] <RediXe> is there a way to do mail.internalip ? ... mail.domain.com isn't up so I have to use the server's ip address but can't figure out how to do it
[18:48] <Pizarro> Nobody made a vpn server????
[18:57] <Goosemoose> anyone with experience with likewise? I have it joining the domain via preseed.cfg over the network. The installer logs show it's successful. domainjoin-cli query shows it's joined, AD shows it's joined, but I can't log in to the domain. If I leave and rejoin it works fine. Any ideas on why that would be?
[18:59] <spiekey> how do i exit an xen console?
[19:02] <sommer> kirkland: pong
[19:03] <no0tic> ScottK, the postfix guide in the ubuntu server guide sets up a server that authenticates mail users against system users, not against a properly populated mysql table.. Authenticating against real system users can constitute a security threat...
[19:04] <ScottK-laptop> OK.  Virtual is another way to do it.  In my experience if you're doing a non-trivial installation of Postfix, having a copy of "The Book of Postfix" on your desk when you do it is a very good idea.
[19:05] <no0tic> ScottK, I have one in pdf right here :)
[19:06] <ScottK-laptop> no0tic: OK.  With the one exception that Debian/Ubuntu have postfix in chroot by default, all the stuff in that book should work.
[19:16] <danielm_mc> gah!  i keep getting stuck in ubuntu-read-topic when i try and join #ubuntu - anyone know what's up with this?  i'm behind a NAT, but it looks like there's some issue in there
[19:16] <danielm_mc> whats up with that?
[19:18] <danielm_mc> !help
[19:18] <danielm_mc> !#ubuntu
[19:18] <danielm_mc> stupid bot
[19:20] <no0tic> hi RoAkSoAx ;)
[19:21] <RoAkSoAx> hi no0tic long time no see :)
[19:23] <RoAkSoAx> no0tic, what have you been up to
[19:23] <no0tic> RoAkSoAx, I'm desperately trying to set up a mail server :)
[19:25] <RoAkSoAx> no0tic, have you tried: http://www.howtoforge.com/perfect-server-ubuntu8.04-lts-p5 ?
[19:26] <Goosemoose> is there some way to 'push' programs to ubuntu workstations like there is in windows?
[19:29] <sommer> Goosemoose: ssh
[19:30] <Goosemoose> no fun when you have 500 machines
[19:30] <sommer> Goosemoose: actually I think apps like cfengine and puppet can do that, and maybe landscape...
[19:30] <Deeps> ssh in a script?
[19:30] <Goosemoose> deeps, yeah but still a pain tracking all the computer names
[19:30] <Goosemoose> ill check out the programs sommer mentioned
[19:30] <Goosemoose> ive never used any of them
[19:31] <no0tic> RoAkSoAx, as I said before you joined.. I need virtual mailboxes :)
[19:31] <no0tic> RoAkSoAx, thanks anyway
[19:31] <danielm_mc> yah, cfengine and puppet are stock, puppet kind of sucks, and cfengine really sucks
[19:31] <RoAkSoAx> no0tic, oh i see... browse there in howtoforge.. i think i've seen how to set up virtual mailboxes :)
[19:31] <danielm_mc> why are you asking about basic system administration in #ubuntu-server though?
[19:31] <Deeps> Goosemoose: they're not all stored in a db/ldap/something else?
[19:32] <danielm_mc> deeps: yeah no kidding, i'm just working on my own thang like that
[19:33] <Goosemoose> deeps, yes but i have a mix of windows & linux machines
[19:33] <Goosemoose> it's a school
[19:33] <Goosemoose> i should make my login script add the computers to a ubuntu group, hmm
[19:37] <Pizarro> can someone please give me a hand setting up a VPN network, please, I beg you
[19:44] <Pizarro> Can anyone PLEASE help me with a VPN server on Ubuntu Server????????
[19:46] <Pizarro> I NEED HELP!!!!!
[19:46] <danielm_mc> yeah
[19:46] <danielm_mc> whats up pizarro
[19:47] <danielm_mc> you need help with vpn?
[19:47] <danielm_mc> what is the problem
[19:47] <Pizarro> danielm_mc, thanks for your attention,
[19:47] <danielm_mc> whats up
[19:47] <Pizarro> I am trying to set up a VPN server in Ubuntu server
[19:47] <danielm_mc> which vpn server
[19:47] <Pizarro> OpenVpn is already installed
[19:47] <danielm_mc> okay, whats the problem
[19:47] <Pizarro> I followed https://help.ubuntu.com/community/VPNServer
[19:47] <Pizarro> but when I try to start the server it fails
[19:48] <Pizarro> I followed exactly what the wiki says
[19:48] <danielm_mc> did you read: http://openvpn.net/index.php/documentation/howto.html
[19:48] <danielm_mc> that's an old doc on ubuntu wiki
[19:48] <Pizarro> a little
[19:48] <danielm_mc> should go straight to the distribution wiki
[19:49] <Pizarro> that document is huge!
[19:49] <danielm_mc> i've had bad experiences with tun+ (bridged networking in openvpn)
[19:49] <danielm_mc> welcome to sysadmin hell
[19:49] <danielm_mc> anyways, use the tap+ interfaces, not tun+
[19:49] <danielm_mc> it's much easier, and it's SSL + PKI
[19:49] <Pizarro> puff
[19:49] <danielm_mc> puff puff, you need help i served
[19:49] <Pizarro> I appreciate it
[19:50] <Pizarro> and I thank you
[19:50] <danielm_mc> no prob, have fun reading
[19:50] <danielm_mc> just make sure you switch to the tap+ ; don't do bridged ethernet
[19:50] <Pizarro> but frankly spoken, that's a nightmare to set up a simple VPN network
[19:50] <danielm_mc> no no, it's really _not_
[19:50] <_ruben> danielm_mc: tap+ is bridging, tun+ is routing
[19:50] <danielm_mc> ehhh
[19:51] <Pizarro> well, the only time I set a vpn server was in Xp, and was 6 clicks
[19:51] <danielm_mc> tap is SASL/TLS -
[19:51] <Pizarro> and it is still working fine since 2 years ago
[19:51] <danielm_mc> try setting up FreeSWAN
[19:51] <_ruben> freeswan's dead .. openswan is pretty much a breeze to setup really
[19:51] <Pizarro> what's that?
[19:52] <_ruben> openswan is ipsec vpn software
[19:52] <Pizarro> ok, so I will start reading,
[19:52] <Pizarro> you said bridged vpn right?
[19:52] <_ruben> (openvpn is ssl vpn software)
[19:53] <danielm_mc> http://openvpn.net/index.php/documentation/howto.html#vpntype
[19:53] <_ruben> with bridged vpn your vpn clients will be part of (logical) subnet/network of the server .. with routed vpn your vpn clients will be in a dedicated subnet
[19:53] <_ruben> off to watch a movie .. g'luck
[19:54] <danielm_mc> ... i'm off to build some python modules ...
[19:55] <Pizarro> ok, thanks
[20:04] <w8tah> i am setting up keypair auth on my firewall - i created my keys there -- the pub key stays on the firewall -- where do i put my private key on my laptop that i'll use to connect to it?
[20:11] <ScottK-laptop> leonel: Any progress on clamav patches?
[21:04] <sommer> kirkland: bing
[21:05] <kirkland> sommer: hey
[21:05] <kirkland> sommer: okay...  the server guide ;-)
[21:05] <sommer> kirkland: have a chance yet?
[21:05] <kirkland> sommer: doing it now
[21:05] <sommer> kirkland: ah, cool
[21:07] <kirkland> sommer: serverguide/C/installation.xml?
[21:07] <sommer> kirkland: yep, or http://doc.ubuntu.com/ubuntu/serverguide/C/advanced-installation.html
[21:07] <kirkland> sommer: i just pulled the source
[21:07] <sommer> kirkland: that works too :)
[21:08] <Goosemoose> dendrobates Are you around? I'm having a likewise issue. I have it join the domain in a late_command while installing over the network and the logs show it installed fine. If I run domainjoin-cli query it shows I'm joined. If I look in AD the computer is listed, but I get an error if I log in as a domain user. If I then leave then rejoin everything works fine.
[21:09] <kirkland> sommer: hmm, i think step 6, "#Choose "bootable flag" setting it to "on". Then select the "Done setting up the partition" option." might need to be removed
[21:09] <dendrobates> Goosemoose: in hardy or intrepid?
[21:09] <kirkland> sommer: i can test again, but I'm not sure if that works or not
[21:09] <kirkland> sommer: i know it works if it's NOT selected
[21:09] <kirkland> sommer: there may be a bug, when selecting it
[21:10] <sommer> kirkland: okay, I'll update that... it also should mention the degraded question somewhere
[21:10] <kirkland> sommer: yeah, i'm getting to that
[21:10] <kirkland> sommer: after step 5, Finally, select "Finish partitioning and write changes to disk".
[21:11] <kirkland> sommer: i'll paste the exact text in a pastebin....
[21:11] <sommer> kirkland: cool
[21:12] <kirkland> sommer: the screen will look something like this:
[21:12] <kirkland> sommer: http://pastebin.ubuntu.com/47562/
[21:12] <Goosemoose> dendrobates, in hardy
[21:13] <Goosemoose> dendrobates, the installer logs show a successful join, as does domainjoin-cli query, that's the weird thing
[21:13] <kirkland> sommer: add maybe just that last line as step 6
[21:13] <dendrobates> Goosemoose: it is a bug.  The likewise daemon isn't starting.
[21:13] <kirkland> sommer: this paragraph should be updated.... "By default Ubuntu Server Edition will not boot using to a degraded RAID device, due to the chance of data corruption This may or may not be the desired behavior you want, especially if the machine is in a remote location. "
[21:14] <sommer> kirkland: gotcha will do
[21:14] <kirkland> sommer: we should probably define the Dapper - Hardy behavior, and then also the Intrepid+ behavior
[21:14] <Goosemoose> dendrobates, ok, suggested fix then? i added this to my late_command script before joining: /etc/init.d/likewise-open start
[21:14] <Goosemoose> just to make sure it was started
[21:14] <kirkland> sommer: ie, what you've said there is true up to and including Hardy
[21:15] <dendrobates> Goosemoose: sudo update-rc.d defaults
[21:15] <Goosemoose> dendrobates, add that to my late script?
[21:16] <dendrobates> Goosemoose: no run it once.
[21:16] <Goosemoose> dendrobates, on the server? or run it manually on the workstation
[21:16] <sommer> kirkland: mentioning previous releases may be better suited to the wiki... at least in the past the serverguide has been focussed on the current release
[21:16] <kirkland> sommer: for Intrepid and beyond, the BOOT_DEGRADED question will appear in the installer, and if the user wants to change this at a later time, they should run "dpkg-reconfigure mdadm"
[21:16] <kirkland> sommer: fair enough.....
[21:16] <dendrobates> Goosemoose: the workstation that is trying to connect using likewise-open
[21:17] <Goosemoose> dendrobates, i can just leave the domain and join it again and that works fine too
[21:17] <kirkland> sommer: as for the kernel option, i don't think that's necessary to mention, though it doesn't hurt
[21:17] <Goosemoose> dendrobates: sudo update-rc.d defaults also isn't valid
[21:17] <kirkland> sommer: the key thing is that the user will also get an interactive prompt
[21:17] <Goosemoose> dendrobates: i get the help screen
[21:17] <kirkland> sommer: if their raid has become degraded and they haven't chosen to boot degraded
[21:18] <kirkland> sommer: after the 30 second timeout looking for disks, the initramfs will prompt, saying:
[21:18] <Goosemoose> dendrobates: problem is im about to roll out to 500 computers and dont want to manually rejoin domains
[21:18] <dendrobates> Goosemoose: oops.   sudo update-rc.d likewise-open defaults
[21:19] <kirkland> sommer: http://pastebin.ubuntu.com/47564/
[21:19] <kirkland> sommer: that question is on a 15 second timeout
[21:19] <sommer> kirkland: good call I'll mention the prompt
[21:20] <kirkland> sommer: i figure if someone has interactive access to the console, that prompt is more useful than the kernel param
[21:20] <sommer> kirkland: ya that makes sense, plus if they know about the option they'll probably edit the file
[21:20] <kirkland> sommer: right
[21:20] <kirkland> sommer: i guess the kernel param *might* be useful to override, though
[21:20] <kirkland> sommer: it's your call
[21:21] <kirkland> sommer: i don't mind it there, and you've written it up already
[21:21] <kirkland> sommer: i'd just ask you to make the dpkg-reconfigure and the interactive prompt more prominent than the kernel parameter bit
[21:21] <sommer> kirkland: I'll take another high level look after the updates you mentioned and make sure it still fits
[21:22] <kirkland> sommer: are you making these changes that I mentioned, or are you expecting a diff from me?
[21:23] <sommer> kirkland: I'll just make them, I've been taking notes, shouldn't take long
[21:23] <sommer> kirkland: I appreciate the feedback
[21:23] <kirkland> sommer: awesome
[21:24] <Goosemoose> dendrobates, ok doing that and then rebooting worked. can i just add that to my late command script?
[21:24] <kirkland> sommer: i think that's it
[21:24] <sommer> kirkland: cool, should have it updated this evening
[21:24] <kirkland> sommer: awesome, you da man!
[21:31] <dendrobates> Goosemoose: It is only needed when you first join a domain, and it is fixed in intrepid.
[21:32] <Goosemoose> ok i'll add it in then. lol, i just got around to reinstalling from feisty to hardy
[21:51] <LMJ> hi
[21:51] <LMJ> is there a way with find to look for *.jpg OR *.GIF ?
[21:52] <LMJ> yes, with -or ;)
[21:54] <leonel> ScottK-laptop: Those patches were non-critical when they released 0.94 but now checking cve looks scary ..
[21:54] <ScottK-laptop> leonel: OK.  Please get us some debdiffs.
[21:55] <leonel> ScottK-laptop:  there are for   cve-2008-3914 cve-2008-3913 cve-2008-3912
[21:55] <uvirtbot`> leonel: Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknown impact and attack vectors related to file descriptor leaks on the "error path" in (1) libclamav/others.c and (2) libclamav/sis.c. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3914)
[21:55] <Goosemoose> dendrobates, is something broken in hardy with using sudo as well if you enable root via the preseed.cfg?
[21:55] <uvirtbot`> leonel: Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94 might allow attackers to cause a denial of service (memory consumption) via unspecified vectors related to the "error path." (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3913)
[21:55] <uvirtbot`> leonel: libclamav in ClamAV before 0.94 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an out-of-memory condition. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3912)
[21:56] <dendrobates> Goosemoose: not that I am aware.
[21:59] <Goosemoose> hmm
[21:59] <Goosemoose> can't sudo i get an error that the current user isn't in sudoers
[22:00] <leonel> http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/2008-September/000049.html  <--  ScottK-laptop  reading the thread looks that the only  worry would be  for cve-3914
[22:01] <ScottK-laptop> Yes.
[22:01] <Goosemoose> hmmm, might be a conflict between the root user in AD
[22:01] <ScottK-laptop> I think that's the most important one.  Preferably I'd like to close them all if it's reasonable to do so.
[22:06] <danielm_mc> anyone know what's up with #ubuntu today?  i can't join
[22:08] <Goosemoose> probably the 1350 people in there
[22:14] <danielm_mc> yeah that's not too bad, usually around 1500
[22:14] <danielm_mc> i keep getting something about the DCC exploit, but wtf
[23:35] <ScottK> Wahoo.  FWIW openchange has landed in Intrepid.
[23:48] <mathiaz> !help cve
[23:48] <mathiaz> CVE-2007-2727
[23:48] <uvirtbot`> mathiaz: The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2727)
[23:49] <mathiaz> kees: jdstrand: how do I know if this one ^^ has been fixed ?
[23:50] <mathiaz> kees: jdstrand: nm - I've found it on LP
[23:50] <jdstrand> mathiaz: can also use http://people.ubuntu.com/~ubuntu-security/cve/2007/CVE-2007-2727.html
[23:50] <uvirtbot`> jdstrand: The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2727)
[23:52] <mathiaz> jdstrand: ah - that's muchhh better
[23:52] <mathiaz> jdstrand: you should add this to the FAQ/Knowledge
[23:52] <mathiaz> jdstrand: I've been looking around for this url
[23:52] <jdstrand> mathiaz: you can also just use http://people.ubuntu.com/~ubuntu-security/cve/CVE-2007-2727.html which is helpful with firefox keywords
[23:52] <uvirtbot`> jdstrand: The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2727)
[23:53]  * jdstrand kicks uvirtbot` 
[23:53] <jdstrand> uvirtbot`: just simmer down already :P
[23:53] <uvirtbot`> jdstrand: Error: "just" is not a valid command.
[23:53] <mathiaz> uvirtbot`: chussh
[23:53] <uvirtbot`> mathiaz: Error: "chussh" is not a valid command.
[23:53] <jdstrand> mathiaz: (that last url omits the '2007' part of the url)
[23:56] <jdstrand> mathiaz: kees and I are planning to make that public once things are finalized on that