[00:00] i would say it's some hardware issue more like
[00:00] ugh
[00:02] _jmedina, i've been trying all sorts of howto's
[00:02] _jmedina, one query that does work: ldapsearch -xLLL -b "dc=debian,dc=lan" uid=john sn givenName cn
[00:02] <_jmedina> clusty: do you already have data on your directory?
[00:02] <_jmedina> :)
[00:02] <_jmedina> dc=debian=dc=lan?
[00:02] <_jmedina> which one is your search base?
[00:03] <_jmedina> vlazar@algorithmica:~/ldap$ ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f people_group.ldif
[00:03] _jmedina, that is what i want now
[00:03] the ldif's have all the data there
[00:03] <_jmedina> :)
[00:03] _jmedina, the one i showed you now worked
[00:03] <_jmedina> you cannot do that
[00:04] <_jmedina> Configurar un servidor Controlador de Dominio con Samba y OpenLDAP en Ubuntu Server Hardy 8.04
[00:04] _jmedina, well following this howto :D http://www.debuntu.org/ldap-server-and-linux-ldap-clients
[00:04] <_jmedina> that is the topic for my howto
[00:04] <_jmedina> in spanish
[00:04] <_jmedina> http://tuxjm.net/docs/cursos/Samba+OpenLDAP+PAM+NSS-4Ubuntu/html/
[00:05] _jmedina, that will give me mala de teta, but i will figure it out :D
[00:05] <_jmedina> clusty: if you defined dc=debian,dc=lan at configure time you cannot add entries with another search base
[00:06] <_jmedina> clusty: could you paste your people.ldif file?
[00:06] _jmedina, at install i defined the domain: debian.lan
[00:06] _jmedina, and org: algorithmica
[00:06] _jmedina, from what i read that will create dc=debian,dc=lan
[00:06] ?
[00:06] <_jmedina> yeap
[00:06] so what is cn ?
[00:07] stands for common name
[00:07] but what is IT :D
[00:07] <_jmedina> could you paste your ldif file?
[00:08] http://pastebin.com/m3e125484
[00:08] looks fishy
[00:08] :(
[00:09] <_jmedina> again
[00:09] <_jmedina> dn: ou=Group, dc=debuntu, dc=local
[00:09] <_jmedina> you need to change that to dc=debian,dc=lan
[00:09] did that
[00:09] no effect
[00:09] <_jmedina> and the same for the ldapadd command
[00:10] <_jmedina> ldapadd -x -W -D "cn=admin,dc=debian,dc=lan" -f people_group.ldif
[00:10] vlazar@algorithmica:~/ldap$ ldapadd -x -W -D "cn=admin,dc=debuntu,dc=lan" -f people_group.ldif
[00:10] Enter LDAP Password:
[00:10] ldap_bind: Invalid credentials (49)
[00:10] <_jmedina> or you can reconfigure slapd and define another search base
[00:10] <_jmedina> :)
[00:11] <_jmedina> please read my comments
[00:11] <_jmedina> I told you to change the base search for cn=admin...
[00:11] i am very sorry, i understand if you get mad
[00:11] <_jmedina> you dont have a cn=admin,dc=debuntu,dc=lan in your directory
[00:11] i am lost badly :D
[00:11] <_jmedina> invalid credentials in your case means unknown user :)
[00:13] ldapadd -x -W -D "cn=admin,dc=debuntu,dc=lan" -f people_group.ldif
[00:13] same as yours
[00:13] also changed the file
[00:13] dn: ou=People, dc=debuntu, dc=lan
[00:13] what am i missing?
[00:13] <_jmedina> I dont know
[00:14] <_jmedina> I would start over...
[00:14] <_jmedina> dpkg-reconfigure -plow slapd
[00:14] _jmedina, ok doing now
[00:14] <_jmedina> and read my document
[00:14] <_jmedina> I added some post installation checklists...
[00:15] when I auth against my mail server with anything but LOGIN and PLAIN, it fails even though postfix shows it supported them
[00:15] _jmedina, will do
[00:16] I'm using saslauthd and pam.d/smtp to perform the auth
[00:16] <_jmedina> LiraNuna: what about logs?
[00:16] _jmedina, "authentication failure"
[00:16] <_jmedina> thats all?
[00:17] yep
[00:17] it works great when I use PLAIN or LOGIN
[00:17] _jmedina, Aug 20 16:06:54 train postfix/smtpd[13284]: warning: localhost[127.0.0.1]: SASL DIGEST-MD5 authentication failed: authentication failure
[00:17] that's about it
[00:18] Alright. dhcpd3-server, is it capable of running a primary and secondary server?
[00:18] <_jmedina> Psi-Jack yeap
[00:18] Sweet.. How? LOL
[00:18] <_jmedina> is not that hard
[00:19] <_jmedina> man dhcpd.conf
[00:19] <_jmedina> that is the first place to ask...
[00:19] <_jmedina> check the DHCP FAILOVER section
[00:20] Gotcha.
[00:21] * _jmedina looks at his TODOcument list and sees dhcp slave at 50 %...
[00:21] Cool. now I just need to figure out how to use eBox's hooks to tie that in. ;)
[00:26] _jmedina, worked. i am blind, had a typo
[00:27] <_jmedina> :)
[00:27] _jmedina, new problem: http://pastebin.com/m5e6a5e91
[00:27] <_jmedina> hard to catch typos at this hour
[00:28] can you tell what is wrong with the second part of the ldif?
[00:28] <_jmedina> probably you have spaces at the end of your ldif file
[00:29] <_jmedina> or a hidden character
[00:44] _jmedina, you're the man :D
[00:44] _jmedina, imported all the damn data
[00:44] <_jmedina> clusty: ?
[00:44] <_jmedina> how?
[00:44] _jmedina, tweaking the ldifs to match my conf
[00:45] <_jmedina> :)
[00:45] and copy pasted around to fix the file issue
[00:45] starting to get the hang of this slowly
[01:05] _jmedina, reading your guide about the client side of ldap
[01:05] _jmedina, the server address you set to 127.0.0.1, but this is localhost. don't i need to specify the IP of the server?
[01:05] heh
[01:18] how can I provide smtp auth using mysql database without storing them in CLEAR TEXT?
[01:18] hi folks
[01:19] I tried using saslauthd but it only supports AUTH PLAIN and AUTH LOGIN
[01:19] I tried auxprop sql and it requires clear password in the database
[01:19] you can encrypt them in the mysql database
[01:19] KillMeNow, they are already encrypted
[01:19] then the initial transmission can be done over TLS or SSL
[01:19] using PLAIN and LOGIN ?
[01:19] pls how do i configure bind9 to respond to queries from intranet clients
[01:20] they are encrypted in my database
[01:20] KillMeNow, same here - I got AUTH LOGIN and AUTH PLAIN working, but AUTH MD5-* doesn't work
[01:20] you will need to create different "views" for your Bind9 install Troy
[01:20] queries from the server to outside using the server work but clients on the intranet seem not to be able to query the server
[01:20] let me finish typing out this email and I'll check my setup again
[01:21] troytroy, sounds like a network configuration problem, did you set the bind9 server as a DNS server in your intranet router?
[01:21] LiraNuna yes pls
[01:22] forwarders Troy
[01:22] actually yes
[01:22] if you're using your Bind server as the resolver, if the bind server doesn't have the zone file, it will need to forward the query to an upstream dns resolver
[01:23] yes i have opendns servers configured as the forwarders
[01:23] actually queries from intranet clients for other intranet clients dont return
[01:24] but if i do the queries in the server everything seems fine
[01:27] <_jmedina> clusty I mean openldap client utilities, not a linux client
[01:28] so any clues what could be going wrong
[01:28] http://ubuntu.pastebin.com/m22cbd670
[01:29] so you're doing a query for other intranet clients ?
[01:29] thats a firewall script kindly check if that is the cause for blocked dns queries
[01:29] KillMeNow yes pls
[01:29] LiraNuna... i'm running saslauthd and courier
[01:30] are those other intranet clients in the zone file for your domain?
[01:30] KillMeNow, I took your solution, I made TLS mandatory for login, and only supported logins are PLAIN and LOGIN
[01:30] <_jmedina> KillMeNow: you can configure postfix sasl client with courier authdaemon, bypassing cyrus sasl saslauthd
[01:30] that way I'm forcing encryption and everyone's happy
[01:30] i think i found the same issue you did, and finally just require TLS to secure the password transmission
[01:31] KillMeNow, smtp auth is such a mess
[01:31] i just looked at my configs and it's same as you... PLAIN and LOGIN
[01:31] yeah, I guess it's best of both worlds :/
[01:31] <_jmedina> # cat /etc/postfix/sasl/smtpd.conf
[01:31] <_jmedina> pwcheck_method: authdaemond
[01:31] <_jmedina> log_level: 3
[01:31] <_jmedina> mech_list: plain login
[01:31] <_jmedina> authdaemond_path:/var/run/courier/authdaemon/socket
[01:31] <_jmedina> that is from jaunty server
[01:31] thanks for the clarification, KillMeNow
[01:31] _jmedina, yeah, plain and login
[01:31] over TLS
[01:31] <_jmedina> this way postfix communicates directly to authdaemon..
[01:31] <_jmedina> yes
[01:32] <_jmedina> what is wrong with that?
[01:32] nothing
[01:32] <_jmedina> if you need strong auth and encryption use kerberos
[01:32] before that I didn't have TLS
[01:32] there is supposed to be a MD5 crypt that *should* work but doesn't
[01:32] so I couldn't use cram-md5 or crypt-md5
[01:32] KillMeNow http://ubuntu.pastebin.com/m153b7093
[01:32] that is my named.local.options file
[01:32] thank you both, KillMeNow and _jmedina, finally got that thing sorted out :/
[01:33] hehe, even google has that
[01:33] AUTH LOGIN
[01:33] 530 5.7.0 Must issue a STARTTLS command first. m6sm194510wag.21
[01:33] ^ google
[01:33] LiraNuna: Error: "google" is not a valid command.
[01:33] i'm trying to remember my bind here... 0.0.0.0/0 gives recursion to anyone?
[01:34] <_jmedina> XD
[01:34] yep
[01:34] <_jmedina> KillMeNow: yeap, open relay
[01:34] <_jmedina> I never use recursion, everything is controlled by allow query
[01:34] yea, that's not necessarily a good thing if it's public facing at all
[01:34] <_jmedina> I use allow query globally, allowing only localhost and trusted subnets
[01:35] <_jmedina> and then I allow-query any for each external zone
[01:35] but anyways, Troy... if your internal clients hit the dns server, and it doesn't have any of your intranet clients in the domain zone file, it will try to forward the query to opendns
[01:35] so do you have either your intranet zone file clients appending dynamically or statically?
[01:35] KillMeNow there is a domain zone file
[01:36] KillMeNow the problem is queries on the server work perfectly
[01:36] ok so follow my logic here... lets say your domain is xyz.com
[01:36] and it's internal
[01:36] forget outside
[01:36] but it seems not to work from outside the server
[01:37] if you have client A, that tries to resolve client B, but client B doesn't have a host record in the zone file that the bind server is authoritative for, it's going to bomb
[01:38] KillMeNow hmm there are zone files and reverse zone files
[01:38] all working perfectly when queried in the server
[01:38] ok, so which is it? you said "actually queries from intranet client for other intranets clients dont return"
[01:39] e.g. host clientA server gets a hit when run from the server
[01:39] ok, so when you try to resolve from the bind server it resolves?
[01:39] but lets say nslookup clientA server returns unknown
[01:40] its like the server is rejecting queries from the intranet clients
[01:40] yes
[01:40] and client A has the bind server as its resolver? /etc/resolv.conf
[01:41] yes
[01:42] have you checked using netstat -nap | grep 53 to verify that the service is up?
[01:42] otherwise, do an iptables --flush
[01:42] take IPtables out of the equation and see if it then resolves from client A
[01:42] if it does after you flushed your iptables, then the problem is your iptables rules
[01:43] its up and running
[01:43] UDP or TCP or both?
[01:43] http://ubuntu.pastebin.com/d36aedd3b
[01:43] bot
[01:43] both
[01:43] ok
[01:43] so dump your iptables and try from client A again
[01:45] ok
[01:45] same error bro
[01:46] check your /var/log/messages
[01:46] ok
[01:49] nothing pertaining to the nameserver there
[01:50] kindly check my "iptables -S" for me
[01:51] hold on, did you flush your iptables?
[01:51] KillMeNow http://ubuntu.pastebin.com/d14541343
[01:51] prior to running the query from client A?
[01:51] yes
[01:51] yes
[01:51] then we can deduce that it's not your iptables yet
[01:51] if you do an iptables -L
[01:51] you should see nothing
[01:51] yep
[01:52] just run the script again to enable remote ssh logon
[01:52] well, i'm not seeing a UDP port for 53
[01:52] only tcp
[01:52] ok let me add that
[01:53] also i'm seeing anything coming in to eth1 to be sent to the DROP bucket
[01:54] you know, i use IPKungfu for doing all my firewall scripts
[01:54] makes life MUCH easier
[01:54] ok i am trying to setup a wireless hotspot box
[01:54] www.linuxkungfu.org
[01:55] ok, then why not use DD-WRT?
[01:55] or something similar?
[01:55] so eth1 is hooked to a switch with access points attached
[01:55] ahh
[01:55] ok
[01:56] everything is setup fine just this name resolution error
[01:56] anyways, point is...
if you flushed your iptables and ran the query from client A, then you can deduce there is something borked in your config
[01:56] ok
[01:57] i'm off work now, so i'm gonna go home
[01:57] checked /var/log/syslog no errors with respect to nameserver config
[01:57] thanks very much
[01:57] ur assistance is very much appreciated
[01:57] well, it's working from local
[01:58] so if you run a dig @localhost hostname
[01:58] you should get some type of return
[01:58] bind can be really tricky
[01:58] have fun
[02:16] any reason why update-grub wouldn't put new kernels in the list?
[02:17] mine has the latest as 2.6.28-11 in /boot/grub/menu.lst but there are about 3 updated kernels since then. manually running update-grub doesn't create the entries either.
[02:22] I still will never get why people quit a few seconds/minutes after asking a question during off-hours
[02:23] giovani, who quit?
[02:24] oh, that's my error -- I mistook Psi-Jack_ for PhotoJim
[02:24] my comment still applies in the general sense though :)
[02:25] PhotoJim: can you ls -lah /boot for us?
[02:27] hi giovani
[02:27] giovani: I actually figured it out. I had to edit the # kopt=blahblah line to include my rootdelay=70 line (needs a delay due to RAID issues) and then re-invoke update-grub. once I did that, the problem disappeared.
[02:27] giovani: thanks for offering though :)
[02:27] been battling with bind9 configuration for 12 hours now
[02:28] it just refuses to respond to queries from clients in the intranet
[02:29] PhotoJim: how does that relate to update-grub not detecting your newer kernels?
[02:30] giovani: good question. I'm not entirely sure. I think the first update-grub just updated the menu.lst configuration options but didn't include the new kernels. the second invocation added the new kernels.
[02:30] hmm, that seems unlikely
[02:30] but alright
[02:31] giovani: my first attempt had me have a kopt line without the preceding # (I thought it needed to be uncommented).
[02:31] giovani: I don't really know for certain. I just know that it worked this past time.
[02:46] the first try probably failed because it was completely uncommented
[02:46] update-grub takes one-#-in lines
[02:46] that sounds right
[02:46] and when I corrected it, that let it work properly
[02:55] New bug: #416750 in samba (main) "package samba-common 2:3.2.3-1ubuntu3.5 failed to install/upgrade: subprocess post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/416750
[02:58] odd question, but has anyone here set up pygopherd? i'm trying to get it to use a hostname i specify instead of the hostname of the system, and i can't seem to get it to.
[02:58] You're running a GOPHER server?
[02:58] well, in theory. in practice, its not quite working ;p
[02:58] Cool.
[02:59] i DID say it was an odd question didn't i? ;p
[02:59] YAY FOR GOPHER!
[02:59] * faileas is running IRC (with qwebirc) and web right now. gopher looks like fun, but its rather hard to get help with it ;p
[03:06] gopher://lupinenet.co.cc
[03:06] the issue is i set the hostname to be lupinenet.co.cc in the config file. it seems to be picking up the computer's hostname instead
[03:08] hmm
[03:09] never mind. looks like my ISP blocked port 70 too
[03:09] so linking is of little use ;p
[03:19] curl: (1) Protocol gopher not supported or disabled in libcurl
[03:19] Sadness
[03:23] hello mathiaz
=== macrocosm_ is now known as macrocosm
[04:50] Okay. So, if your primary focus on making an ubuntu 9.04 server was to make it a router, would you use ufw, firestarter, or something else?
[04:50] What I'm looking for, is preferably easy maintenance, possibly a web interface for it, and presently, not eBox.
[04:51] psi-jack: take a look at untangle
[04:51] I just did.
[04:52] Fracking thing just crashed the system.
[04:52] hmm
[04:52] Uses Java crap, too.
[04:52] DNS was minimal. IPs to Names, that's it. That's not DNS, that's only 1/100th of DNS.
[04:53] thats cause routers don't handle dns, you need a DNS server separate from the router
[04:53] (softwarewise, stuff like BIND or unbound)
[04:53] Well, if the router is handling everything, why /not/ have it also handle DNS? I mean, really.
[04:53] no no
[04:53] you use the same hardware, and add a DNS server
[04:53] Right.
[04:54] Untangle didn't really offer such a capability.
[04:54] They locked it down far too much.
[04:54] untangle is ubuntu with their own custom stuff ;p
[04:54] hmm
[04:55] No, actually, it's Debian.
[04:55] But, still.
[04:55] They locked it down so you couldn't really manage it, except through their own interfaces.
[04:55] SO anyway.
[04:55] I may just write my own interfaces.
[04:56] and if its any good share em ;p. its something potentially useful
[04:56] but, I want to know, for now, what would be the better option for firewall stuff to handle NAT and port forwarding.
[04:56] ufw, to me, seemed very.... Desktop-based, not really server-based at all..
[04:56] for your safety, please remain seated or firmly grip the handrail at all times
[04:56] ya
[04:57] i think most hardcore server users would prolly use iptables straight up, and not worry about the front end
[04:57] ufw is handy for setting up iptables-restore rules while still providing a stupid thing (ufw(8)) that you can hand to ill-educated customers who want to shoot themselves in the foot.
[04:58] As opposed to a straightforward #!/usr/sbin/iptables-restore script in /etc/network/if-pre-up.d/
[04:58] Heh
[04:58] True that.
[04:58] I mean, yeah, it provides a means to use iptables restore stuff in segments.
[04:59] iptables-persistent entered sid recently, which is just an init script that runs iptables-restore on /etc/iptables/foo
[05:00] psi-jack: well, I HOPE it essentially cats them -- you can't meaningfully cat iptables-restore scripts.
And I *really*, *REALLY* hope ufw doesn't turn into like 1000 individual iptables -A rules
[05:05] hi does somebody know how i can recover the information when the superblock is broken?
[05:16] roxy__: carefully?
[05:16] roxy__: which filesystem?
[05:16] xfs
[05:17] Ahaha
[05:18] I believe the recovery process for XFS is "bend over"
[05:18] Not exactly.
[05:18] XFS is a fine filesystem.
[05:19] so, how can i recover?
[05:19] Lemme read back
[05:20] okay. superblock is broken? What told you that?
[05:22] when i try to mount
[05:22] XFS is fine unless you have no write barrier support, or run an old (read: tested) kernel, or happen to lose power unexpectedly.
[05:22] i tried to use xfs_repair but it can't find the superblock
[05:22] I see.. Are you sure it's XFS?
[05:22] twb: I've had no problems for years.
[05:23] psi-jack: how fortunate for you
[05:23] # file -sL /dev/puck/root --> Linux rev 1.0 ext3 filesystem data (needs journal recovery) (large files)
[05:23] yes
[05:23] roxy__: file -sL on the device should confirm that it's XFS
[05:24] yes, i got /dev/internal/homes: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
[05:26] roxy__: Okay, cool, run xfs_check on /dev/internal/homes
[05:26] i did and i got can't seek in filesystem at bb 181578224
[05:27] can't read block 0 for directory inode 119914522
[05:27] no . entry for directory 119914522
[05:27] Okay. xfs_repair then
[05:28] i did, but it said can't find superblock
[05:29] Okay, xfs_repair -d
[05:30] if that works, immediately reboot after it's done.
[05:30] couldn't verify primary superblock - bad magic number !!!
[05:31] attempting to find secondary superblock.
[05:31] Okay. Is it still going?
[05:34] yes
[05:34] If my server when i ssh into it says there are 16 updates don't i just do apt-get update
[05:35] Okay, good start then.
[05:35] roxy__: Just remember, when it finishes, you'll /need/ to reboot immediately, else you will cause further damage.
[05:36] roxy__: Was this your / filesystem that got damaged?
[05:36] chrislabeard: it only lists 16 updates because it has done an "apt-get update" itself
[05:36] but still doesnt find
[05:36] no
[05:36] the info, data
[05:36] twb: ahhh
[05:36] okay
[05:36] roxy__: Eh?
[05:36] chrislabeard: see /etc/cron.daily/apt
[05:36] twb: yeah well it says 19 packages can be updated
[05:36] 38 updates are security updates
[05:37] sorry i misunderstood your question...yes, i am checking the damaged partition
[05:38] Okay, is it still running the repair on it and not just dying immediately?
[05:41] chrislabeard: If you want to actually upgrade your machine to include those updated packages, do sudo apt-get upgrade
[05:42] jmarsden: is it bad to upgrade all those packages
[05:42] yes it is still looking for the superblock but doesn't find it
[05:42] unable to verify superblock, continuing...
[05:42] chrislabeard: Define bad :) Usually it is 100% fine to upgrade them, unless you set your machine to look in strange nonstandard places for updates.
[05:43] k cool
[05:43] * ball worries about updates too
[05:43] roxy__: Okay, tell me about how this came to be, and how you created this xfs drive.
[05:44] ball: In the last year, have you had an update from an official Ubuntu repository break anything important? Or is your worry mostly unfounded?
[05:45] i didn't, it was created some time ago for somebody else...one of the disks was corrupt and i took it off but it was not in raid with this one
[05:46] jmarsden: I've had so many things break it's difficult to know what causes what. If I had more experience with Ubuntu I'd be in a better position to judge.
[05:46] roxy__: Lets try this again, in English please.
[05:46] So, It /was/ in a raid, and now is not, and it was corrupted?
[05:46] istr an update to Jaunty that went badly, but it worked better when I installed from a CD
[05:47] ball: Hmm, OK. I only worry about updates from strange sources like PPAs or unofficial other repos...
can't think of anything I have broken with a 'normal' update...
[05:47] * ball nods
[05:48] I've found a few Ubuntu bugs, but I don't think any of them were in the Server variant
[05:49] I've probably *created* one or two Ubuntu bugs (minor packaging bugs) and then fixed them :)
[05:49] roxy__: I don't want to wait 5+ minutes for each answer to each of my questions I ask you, if that's how it's going to be, I'll be bored and non-responsive.
[05:50] im so sorry ..
[05:50] i just had some user come here for a problem
[05:51] still dont get superblock
[05:52] i have a LVM with 3 disks on raid and 1 more individual, the disk alone was corrupted
[05:53] roxy__: Okay. So, what drive is this XFS filesystem on?
[05:53] roxy__: that's what they call "Sod's Law"
[05:53] all of them
[05:53] roxy__: So, it's part of a raid array?
[05:54] yes
[05:54] * ball is confused
[05:54] What type?
[05:54] "1 more individual" != RAID, surely?
[05:55] raid 1
[05:55] roxy__: you had a three disk RAID-1 array?
[05:55] 2 disks in raid 1
[05:55] sorry 3 disks
[05:55] So a mirror raid? I see. And you mentioned LVM as well?
[05:55] yes
[05:55] Ah, two mirrored disks and a third on its own (as a standby?)
[05:56] and one lv is corrupt
[05:56] the format xfs was done for each lv
[05:56] What type of LVM is on the partition?
[05:57] lvm2
[05:57] Linear or Striped?
=== chrislabeard is now known as chrisLAbeard
[05:57] i am not sure, how can i know that?
[06:03] Well, First of all.
[06:03] vgdisplay -v shows your volumes, correct?
[06:05] that shows me the VG and the LVs, but I just have one LV with a problem and the rest are ok
[06:06] Okay. Fine, but does it show the volume that's not okay?
[06:06] everything is in the array of disks with raid 1
[06:07] no
[06:07] Okay then, there's your problem!
[06:07] show me is ok
[06:08] The LVM for it isn't okay, hence why the XFS has no superblock, cause lvm hasn't activated it.
[06:09] I installed mediawiki on ubuntu using aptitude, but when I open http://localhost/mediawiki I get a download...initially I thought php wasn't parsing, but I just tested with phpinfo() and it worked
[06:09] I've also added the alias mediawiki in /etc/mediawiki1.10/apache.conf
[06:09] so? what can i do?
[06:10] What can be the problem? what are the possible problems?
[06:12] roxy__: First of all, vgchange -a y to activate the volumes, all of them.
[06:14] i did
[06:14] Now, does lvdisplay -v show your faulty volume?
[06:16] still the problem
[06:17] Not showing up?
[06:17] no
[06:18] Okay. What's the /dev/* for the drive with issues?
[06:18] all are active but i can read one of the lv
[06:19] dev/internal/homes where internal is the VG and homes the LV
[06:19] No
[06:19] The ACTUAL device for the hard disk itself, not the mapped name from LVM.
[06:20] Like /dev/sda
[06:20] This is probably a really stupid question ... if i am using everydns name servers as slaves do i need to add a slave record to bind
[06:21] chrisLAbeard: No, That's for actual slave dns servers.
[06:22] Psi-Jack__: alright ... in my master zone longhornpc.com i have them listed there as NS
[06:22] and told that record to allow transfers to the name servers' Ip address
[06:24] roxy__: Here.. Use this website. I apologize, but your responses are just too slow for me to not be falling asleep for. http://www.linuxjournal.com/article/8874
[06:25] You need to recover the raid, then lvm, THEN you can get to the XFS properly.
[06:25] that is the lv
[06:26] is /dev/md1
[06:27] the raid is working, it's just this lv that has the problem
[06:29] Yeah, and yet, I ASKED for the actual device node, not the md#, not the lv name, the DEVICE node.
[06:29] So, next time you ask for help, and are asked specific questions, answer them. I'm done for now.
[06:29] I need sleep.
[06:29] Use the website I referred you to.
[06:34] Yes i can see that...thanks
[06:36] 8.04 appears to have apparmor turned on and in "enforce" mode by default. Is that still the case in current releases?
[06:45] hi, i'm trying to set up mod_proxy for a web site.
[06:46] http://cardinaleducation.thirdreplicator.com/
[06:46] on port 11000
[06:48] http://pastie.org/590782
[06:48] that's my apache conf file
[06:58] twb: think so.. it only enforces for apps that have profiles afaik
[06:58] #Apparmor on OFTC is helping me
[06:58] see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles
[07:28] where does postfix run chrooted?
[07:29] /var/run/postfix doesn't seem to be it
[07:33] LiraNuna: /var/spool/postfix I think... but it doesn't chroot by default, at least as far as I can tell. Read the /etc/init.d/postfix init script for the details.
[07:34] jmarsden, thanks that's exactly it
[07:34] and it does chroot for me ...
[07:35] and I don't remember configuring it not to
[07:35] OK. i read the script and it seems to check for the chroot field in /etc/postfix/master.cf, and that is not set to y in my (very default) config here.
[07:35] thanks for the path, that's exactly it
[07:37] OK... and I misread the script, - means yes in that column of the config file, so it does chroot by default :)
[07:37] yeah, I had a few annoyances to understand it does chroot by default
[07:37] like can't use mysql socket, must use tcp
[07:39] OK... well, you could probably put a socket under /var/spool/postfix somewhere and make it work if you really need to :)
[07:40] I think mysql can listen on multiple sockets at the same time... not sure though.
[07:49] twb: you're welcome, glad I could help (over in #apparmor)
[07:49] sbeattie: heh
[08:40] ttx: i've uploaded corosync with requested changes and explained why we can't just sync from debian :)
[08:41] ivoks: will have a look... but not before Monday. Ping mathiaz or zul about it if you need it faster.
[08:41] ok
[08:42] will do, since we need it asap
[08:42] we need to build other tools on top of corosync
[08:42] yes, that's why I warned you :)
[08:48] good morning
[08:50] one CSR is only valid for the computer that generates it? or is it valid for more than one computer?
[09:15] hi, i'm trying to setup unattended dist-upgrades with cron-apt. I'm only worried about what happens to packages' configuration files. Example: i have my personal configuration of postfix and don't want an update to modify it. Can I be sure configuration files are not touched?
[09:18] <_ruben> well .. dont do unattended upgrades then
[09:20] what are the advantages of having a mail server?
[09:21] <_ruben> being able to send and receive mail perhaps?
[09:21] _ruben: just looking for an apt-get option which by default leaves configuration files untouched without prompting
[09:22] as opposed to like using gmail apps
[09:22] <_ruben> imchrislabeard: having full control over it
[09:22] i can set up email for a subdomain can't i
[09:23] <_ruben> imchrislabeard: i can, not sure if you can ;)
[09:23] haha
[09:23] _ruben: i would have to create a mail.sub.example.com
[09:24] mx record
[09:24] in my example.com hosts file
[09:26] more precisely i would like to hav apt-get "hold" configurations...
[09:26] *have
[09:26] <_ruben> imchrislabeard: you'd create a mx record for sub.example.com pointing to whatever mailserver you want to use for it, eg: mail.sub.example.com
[09:27] <_ruben> and configure said mailserver to accept mail for sub.example.com
[09:29] what is the best mailserver
[09:30] in your opinion
[09:32] postfix
[09:32] + courier-imap
[09:37] <_ruben> postfix (+ dovecot for pop3/imap/sasl)
[09:38] dovecot-postfix :)
[09:53] i found a 'dpkg' option which is called 'confold'. so is there a way to pass arguments to dpkg itself?
[10:04] so good morning,
[10:06] <\sh> maswan: moins...do you have btw iscsi storage running under ubuntu/debian somehow?
[10:12] \sh: nope, no iscsi
[10:13] \sh: we prefer internal storage to external. :)
[10:27] \sh: We have
[10:38] <\sh> Jeeves_: cool...how do you mount your iscsi devices automatically, I hope you have bond and vlan setups which come up very late during the boot up sequence
[10:39] \sh: We don't
[10:39] that doesn't work too well
[10:41] <\sh> Jeeves_: well..that's one of my problems...somehow /etc/init.d/open-iscsi is called for every ifup but it doesn't work...I have to setup the iscsi device as _netdev in fstab with 0 0 , and then call mount -a -O _netdev in /etc/rc.local that's the only way I got that setup running
[10:43] <_ruben> wonder why hooking into ifup wouldnt work
[10:45] <\sh> _ruben: I need to investigate, but looks like open-iscsi starttargets should be called, I wonder why it doesn't work
[10:46] <\sh> in /etc/rc.S/S25open-iscsi that's where the open-iscsi stuff is started and tries for the first time to login into the iscsi portal (in my case a msa2012i)
[11:24] what is a zombie process ?
[11:25] one with an affinity for brains ;)
[11:25] http://en.wikipedia.org/wiki/Zombie_process
[12:33] is there a way to monitor hardware of an ibm eserver from linux? like temperature, fan speed ?
[12:33] from ubuntu*
[12:34] snmp?
[12:34] ipmi?
[12:37] cemc: sure ... if the sensors are available locally on the machine -- you can do anything you want with them
[13:55] Psi-Jack__: the ufw cli command is focused on host-based firewalls. it will work fine on a server. the ufw framework supports anything iptables can
[13:55] Psi-Jack__: and it works just fine on servers
[13:55] Yeah..
[13:55] oh, I said that :)
[13:56] but still, it's not as convenient as straight up iptables commands, iptables-save, iptables-restore.
[13:57] Psi-Jack__: I would have to completely disagree
[13:57] Psi-Jack__: ufw allow OpenSSH ; ufw enable
[13:58] Psi-Jack__: with two commands you have a completely configured firewall
[13:58] Okay, show me a ufw command to port forward.
[13:58] Show me a ufw command to trigger a block if too many connections come into a single port a second.
[13:58] Psi-Jack__: ah, but that is not what you said! 'host-based' implicitly means 'non-routing'
[13:58] Show me a ufw command to enable NAT. :)
[13:59] Precisely!
[13:59] Psi-Jack__: ufw does have a limit command
[13:59] but the timeout is currently not configurable
[14:00] So, you see..
[14:00] For over simplicity for HOST-based, it's less useful than simply defining your rules in iptables directly and saving and restoring, like Gentoo, for example, uses.
[14:00] Psi-Jack__: I said that initially. your statement was a blanket statement, mine was a precise statement
[14:01] <_ruben> the use of ufw doesnt require knowledge of iptables
[14:01] Psi-Jack__: if you are comfortable setting up your own iptables firewall, ufw won't get in your way and you can write your script
[14:01] Psi-Jack__: if you want to quickly setup a host-based firewall, ufw is hard to beat
=== ivoks_ is now known as ivoks
[14:02] Psi-Jack__: if you want to combine host-based rules and NAT, forwarding, etc-- ufw can help
[14:03] first my laptop died, and now there's no electricity in my area... i just can't work anymore :/
[14:03] I dunno.. I'm thinking about ripping gentoo's iptables script and modifying it to work with ubuntu personally. heh
[14:04] zul: are you here?
[14:04] ivoks: yeap
[14:05] zul: could you please look at the only open bug for corosync
[14:05] ?
[14:05] bug number?
[14:05] my cell phone battery is low...
[14:05] Psi-Jack__: not everyone knows iptables like the back of their hand. not to mention a complicated iptables script is hard to audit. ufw helps make sure you get things right, is easy to read and allows you to do all the complicated stuff. I'm in no way telling you what to use, of course.
[14:05] don't know (i'm ircing over nokia) [14:06] it's the only one [14:06] there was a time when iptables had an restore init script, but it was ripped out cause it caused too many problems. maybe gentoo's is better (I don't know) [14:06] sync request from ppa [14:06] s/an/a/ [14:06] ivoks: k just need to upload it right? [14:07] right, from ubuntu-ha-maintainers ppa [14:07] gotcha [14:07] ok, will be back as soon as possible [14:07] ivoks: corosync (1.0.0-4ubuntu2) karmic; urgency=low [14:07] <-- this one right? [14:08] yes [14:08] k [14:08] gimme a sec and I'll do it [14:08] i don't have it; battery very low [14:08] :) [14:08] sheesh doing it now :) [14:09] there's no bug report, but we'll need openais sync too [14:11] zul: thank you! [14:11] ivoks: its...um... === Nightlurs is now known as Nightlurker [14:35] jdstrand, It is. It actually works. [14:36] jdstrand, See, all it really does, is use the standard iptables commands to save and restore. Done right, it's really simple. [14:36] Done wrong, obviously, will result in bad anomalies. [15:01] Good morning. Can anybody recommend a good script/app for doing some basic QoS? Basically I'm trying to make SIP traffic a priority [15:04] kpettit: yeah, QoS in linux isn't a simple "script"/"app" [15:05] I understand, I've done it before. But it's been a few years so I'm trying to see what's out there. [15:05] New bug: #416958 in openssh (main) "GSSAPI Cascading Credentials support" [Undecided,New] https://launchpad.net/bugs/416958 [15:08] RoAkSoAx: you were saying? [15:08] ivoks, could you please endorse my MOTU Application: http://wiki.ubuntu.com/4nDr3s/MOTUApplication ? Thanks :) [15:12] sure [15:22] ivoks, thanks :) === _jmedina is now known as jmedina [15:40] nice... [15:40] nokia is ditching s90 [15:40] s60, lol [15:42] hi ivoks [15:42] hi [16:11] zul: it's me again :) [16:12] ivoks: with more battery power? 
[16:12] whole power plant :) [16:13] zul: bug 416970 [16:13] Launchpad bug 416970 in openais "Please sync openais 1.0.0-3 (main) from Debian experimental" [Undecided,New] https://launchpad.net/bugs/416970 [16:13] if it's not so hard... [16:13] :) [16:14] ivoks: if the ubuntu changes can be dropped just subscribe ubuntu-archive and they can sync it from debian [16:15] ok [16:15] next? :) [16:15] that's all :) [16:15] next time - beers on me :) [16:20] bears on me... GET THEM OFF! [16:20] :-o [16:20] :-) === johe_ is now known as johe [16:30] Curious. Anyone here use firestarter? [16:31] firestarter requires a GUI, ubuntu doesn't support GUIs [16:32] I consider firestarter a personal desktop firewall [16:32] Heh [16:32] They consider it useful for desktops and servers. [16:32] And it doesn't /require/ a GUI, it just has one, if I see this right. [16:33] * jmedina used firestarter 6 years ago, then used my own script, and now shorewall installed on about 30 servers [16:33] They have a client/server interface for it, which would make anything able to work with it/ [16:33] well firestarter won't fit my requirements [16:33] "ubuntu doesn't support GUIs" -- huh? [16:33] ubuntu server [16:33] So you use shorewall, eh? [16:33] yeap [16:34] been working with shorewall team for a few years [16:34] Ahhh [16:34] Cool. So, is there a quickstart guide to shorewall? [16:34] Every time I look into it, it looks even more painful to use than just straight iptables. [16:34] psi sure [16:35] there are quickstart guides for single interface, two interfaces, three interfaces, multi-isp [16:35] And this is usually on my router, where if it's not routing, I'm using links for browsing which makes it worse [16:35] I need multi-interface with ip-masquerading, at the minimum. 
[16:35] I don't know any other firewall configuration with that extensive documentation [16:35] perhaps you also could take a look on "firehol" [16:35] but shorewall is also very good ;) [16:36] Psi-Jack just take a look at shorewall.net and the documentation section [16:36] Will so. [16:36] do [16:37] they document almost everything, with active development, I think last year shorewall was promoted to the best supported open source project or something [16:37] Just trying to figure out which version comes with ubuntu 9.04 package repos [16:38] it is easy to install by hand [16:38] or you can use shorewall packages, shorewall debian maintainer is part of the shorewall core team [16:39] heh [16:46] I'm not seeing a simple quickstart guide. [16:49] Well okaaay now, Ubuntu only comes with shorewall 4.0 [16:49] Psi-Jack in the front page "Getting started with shorewall" then New to Shorewall? Download the current Stable version (see above) then select the QuickStart Guide that most closely matches your environment and follow the step by step instructions. [16:49] :) [16:50] you need to read quickstart guides [16:50] Ahh there it is [16:50] it is [16:50] I have my own quickstart guide in spanish, which I use for every firewall implementation [16:50] hehe [16:51] Psi-Jack, read the quickstart guides [16:51] if you have problems please read the shorewall support guide [16:51] http://shorewall.net/support.htm [16:51] Well, that's cool. I could easily do the 3-NIC method, except that I only have 3 gigabit switch. ;) [16:52] err, a , not 3 [16:52] I have a firewall with 6 interfaces [16:52] 3 WAN links, a DMZ and two separate lans [16:52] it is really flexible [16:53] heh [16:53] and for more help you can search mail archives or contact shorewall developers and volunteers at #shorewall [16:54] Yeah, I'm a hands on kinda man myself. [16:54] I can't stand mailing lists. [16:55] * jmedina loves lurking on mailing lists.. 
[16:55] I learn more from mailing lists than other sources.. [16:55] real problems [16:55] Guess I'll just have to get me another gigabit switch. ;) [16:56] So I can properly DMZ off my servers from my workstations, media stations, and house control servers. [17:00] Psi-Jack_: or just one with vlans ... [17:00] Hmmm [17:01] I suppose I could, but I prefer a physical DMZ zone, and have the router hand out the proper routing methods internally as well as externally. [17:01] much more secure that way. [17:02] and more physical space, more cables, more energy waste, more administration... [17:02] heh [17:03] I don't know why VLANs change routing ... but ok [17:03] * ball wonders if Psi-Jack_ is using DMZ to mean what it usually means. [17:03] granted, virtual security shouldn't be used in areas where security is a big concern -- it's unlikely your home DMZ is one of those [17:05] * ball doesn't use a DMZ [17:05] ...not entirely sure I believe in them. [17:12] I'm not entirely sure what "believing" in them entails [17:12] I'm not sure how separation of duties would ever be a bad thing security-wise [17:13] internet-facing systems shouldn't have the same trust level as non-internet facing systems [17:13] ball: Yes, a separated physical network for servers away from the personal workstations. [17:14] there's nothing "physical" about a DMZ [17:14] Psi-Jack__: that's not a DMZ [17:14] At least, not a definition of a DMZ that I've ever seen [17:15] ball: it's his real-world application of a DMZ [17:15] his servers will sit in a separate, firewalled/routed network [17:15] that's precisely what a DMZ amounts to [17:15] That makes sense, but I've not seen "DMZ" used in that context. Fair enough though. [17:16] you haven't? [17:16] what context have you heard of DMZs in then? [17:17] Yep. [17:17] Servers that sit basically outside the Firewall, or at least behind just the first firewall with ports forwarded to them. 
[17:18] ball: that's precisely the same concept [17:18] Separate route, separate physical hardware between them, a switch for the DMZ area, a switch for the rest of the network, both connected to one firewall (or more) [17:18] with more details provided [17:18] Psi-Jack_: no, there's nothing inherently physical about a DMZ [17:18] Hmm... okay. [17:19] giovani: Is a switch separately connecting the DMZ server network not physical? :p [17:19] Psi-Jack__: that's not related to the definition of a DMZ [17:19] if you'd like to make it physical ... go ahead [17:19] but that's not required to achieve the concept of a DMZ [17:19] Psi-Jack__: depends on the switch, presumably. [17:19] I've said this multiple times now [17:20] ball: Okay, I'd like to see a switch made out of thin air. ;) [17:20] Zero mass. ;) [17:20] ... [17:21] heh === ScottK2 is now known as ScottK [17:22] Psi-Jack__: I was thinking more in terms of virtualisation, but a managed switch might be divisible into separate ethernets. [17:22] * Psi-Jack__ nods. [17:23] might be? [17:23] that's what vlans are [17:23] any modern, non-dumb switch does vlans [17:23] and yes, virtualized switches clearly accomplish this as well [17:24] * ball is tempted to buy a modern dumb switch [17:24] why? [17:25] To replace a non-modern 100baseT hub. [17:25] It has worked well for us, but we've run out of ports on it. [17:25] haha, hubs [17:25] I suppose I could get one of these newfangled managed switches [17:25] ...but I'm wary of complexity [17:25] Trying to keep things simple there. [17:26] it's only as complex as you make it [17:26] I've never seen a managed switch not work out of the box as a simple switch [17:26] * ball nods [17:27] I suppose VLANs might be handy for things like VoIP, which I'd like to roll out eventually [17:27] I'll need a PoE switch for that anyway [17:27] Oh that reminds me! 
[17:27] ...so it may as well be physical [17:27] I was going to look into that Zoom Skype device, to see if it was Linux capable. ;) [17:29] Psi-Jack__: I don't know what that is. I was thinking more of Asterisk or FreeSwitch [17:29] ...and SIP phones on people's desks [17:29] Heh. I have no need for that at home. ;) [17:29] ball: uh, VLANs are essential for any large office that wants to separate networks ... you're just not going to be able to use separate physical switches without a ton of waste, and not very much flexibility [17:30] you should be vlaning all different types of machines [17:30] printers, desktops, servers, phones, etc [17:30] giovani: It's a small LAN. [17:30] and games. [17:30] :) [17:31] ball: even in a small office -- it'd be the right thing to do, although not nearly as necessary [17:31] * ball nods [17:31] and porn servers [17:31] Perhaps I'll find a switch that offers a few PoE ports [17:31] ...and a few that aren't. [17:31] yep, plenty of those exist [17:31] I have a hell of a job finding a switch with the features I want anyway. [17:32] what features are those? [17:32] * ball thinks for a moment [17:32] 24 (or perhaps 32) port 100baseTX with at least one 1000baseT port. [17:33] uh [17:33] Preferably two [17:33] I can name like 10 switches that meet that requirement [17:33] that's ... very common [17:33] giovani: Ah good. Do any of them have 8 PoE ports? [17:33] just ask your hardware store... [17:33] yep [17:33] ball: what's your budget? [17:34] I use Linksys for PoE, they are affordable [17:34] giovani: I'm not sure. [17:34] jmedina: Our other network gear is Linksys, so that might work for us. [17:34] linksys makes crap switches [17:34] but, they are indeed cheap [17:34] I have one [17:35] giovani: do HP make non-crap ones? 
[17:35] giovani: yeap [17:35] * jmedina is fighting with a linksys print server right now :S [17:35] http://www.netgear.com/Products/Switches/SmartSwitches/FS726TP.aspx [17:35] so there's a 24 port 10/100 switch with 2 gigabit, and 12 of the 24 are PoE [17:36] I don't think I can buy a managed switch from Netgear. I had some bad experiences with their routers. [17:36] *bad* experiences. [17:36] well unless your budget is $1000+ [17:36] you only have a few companies to choose from [17:36] netgear being the best of the bunch [17:36] giovani: if $1,000 is what it costs for what we need, that's fair enough. [17:36] awesome [17:37] go cisco then [17:37] clearly netgear's switch at $250 street price is not going to compete with a $1500 cisco switch [17:37] Only reason I mentioned HP was that we seem to be coalescing around HP gear, especially since we bought the HP server. [17:38] yeah, procurve switches are another option [17:38] they're a bit less than cisco [17:38] but not significantly so [17:38] ...and if I can give them one company to contract support from when I leave, that's a good thing [17:38] and you'll find far more people ready to work on, with experience on cisco [17:38] yeah, I'd not get focused on finding a single company to buy everything from [17:38] that usually leads to buying the wrong products [17:40] is there a security hole in php5 ? [17:40] one? [17:40] thousands [17:42] :) [17:43] Now I have to consider L2 managed vs. unmanaged. [17:50] I can't find any good info on some linux-friendly wifi card based on ExpressCard 54mm type slot. Any suggestions? [17:51] genii: if you find one please tell me [17:51] genii: I'd just google [17:51] In fact I have never seen an express card here in mexico [17:51] I just bought a new laptop and it still includes pcmcia [17:52] jmedina: My new laptop came with expresscard only :( . 
There seems so little info available on them as well (linux based) [17:52] there are very few expresscards on the market anyhow [17:52] so this isn't really a linux thing [17:53] genii: we sell hardware and none of the suppliers know about expresscard :) [17:54] given the lack of a real market [17:54] I'd choose USB over ExpressCard [17:56] New bug: #417030 in samba (main) "instalacion interrumpida" [Undecided,New] https://launchpad.net/bugs/417030 [18:08] Okay, so there's a deb package for shorewall 4.4 available for Ubuntu, yes? [18:10] Ah yes, cool I see it. [18:26] New bug: #417045 in lsb (main) "lsb_release crashed with ImportError in () (dup-of: 383697)" [Undecided,New] https://launchpad.net/bugs/417045 [18:42] jmedina, The ubuntu package, shorewall, won't automatically try starting it upon install, will it? [18:42] The ones from the shorewall repository managed by Benjamin? [18:44] Psi-Jack_: probably, why? [18:44] Cause I wouldn't want it to right off the bat. I'm installing this remotely. [18:44] why would installing it be a problem? [18:45] does it have default rules? that would be stupid [18:45] I dunno. Good questions. ;) [18:45] Better safe than sorry though, right? [18:45] don't use a crappy "firewall manager" then [18:45] * Psi-Jack_ grumbles. [18:45] well you should always have an out-of-band management system [18:45] One thing I hate most, is people telling you what and what not to use when it's nothing to do with them. :p [18:46] Not to mention, rude as heck. [18:46] hate it all you want [18:46] Was about as bad as telling someone to throw their "junk" away, because it's totally unrelated to the question asked. [18:46] except that this is volunteer help [18:47] so it doesn't come with a shut-your-mouth the-customer-is-always-right attitude [18:47] So fracking what? Common decency, common courtesy, common fracking sense. 
[18:47] if you want that, I'm sure canonical is willing to provide it [18:48] I can help someone fix something, or help decide on something, and give all points of view related to it, without barking down at them and saying do it this way only. [18:49] all I said was that if you're concerned about this problem, you shouldn't use it [18:49] I didn't say you can "only do it this way" [18:50] No, you said, don't use a crappy firewall manager then. I asked one simple question. Does it start at install, cause a lot of packages for servers do try initially to start up right during installation of it. [18:50] For firewalls, that's a very bad idea, but better safe, than sorry. [18:51] safe would be not using it, is what I'm saying [18:51] or safe would be having an out-of-band management tool [18:51] Safe, would be knowing where you leap from and where you'll land. [18:52] Not not doing it in the first place. [18:52] 'knowing' with certainty isn't always possible [18:52] Sure it is. [18:52] It's /always/ possible. [18:52] giovani: I ordered this, http://is.gd/2sada [18:52] shorewall doesn't start automatically. you have to configure it first. [18:52] Psi-Jack, no it is on the howto [18:52] giovani: will be replacing my Atom based NAS box [18:53] jmedina, Cool. So it just installs, but doesn't enable itself out of the install? Good. [18:53] so make sure port 22 is open, so you can ssh in, before you enable it. and when you enable it, test it by starting a new ssh connection first. [18:53] luckyone: with? [18:53] the link [18:53] ah, didn't see link [18:53] ;) [18:53] Psi-Jack in the quickstart guide there is a WARNING: Note to Debian and Ubuntu Users [18:53] luckyone: definitely not $200 [18:54] yeah, 2x that much [18:54] jmedina, Oh! Yep. Sure is! 
[18:54] giovani: pretty sweet device though [18:54] giovani: has access to ipkg repos [18:54] giovani: very low power arch [18:55] giovani: and I will repurpose my Atom box for a bedroom media center [18:55] if you want to secure your system when shorewall is stopped and you still want to allow remote access check routestopped file [18:55] Heh. Well, that's just great. Cause I'm looking into shorewall for setting up a routing and load balancing server for work as well, but all our servers are housed across the country. [18:56] Psi-Jack, when you are doing remote changes and if you are not sure about new rules (probably they can reject remote access) always use [18:56] But, likely, those servers will be gentoo, and nothing starts default on gentoo. [18:56] shorewall safe-restart [18:56] Right. [18:56] if you don't accept new changes, shorewall will go back to the previous configuration after 60 seconds [18:56] just like cisco [18:56] jmedina, It's the initial install that bothers me, that tells me that it installs, runs and locks down the system right away. [18:57] Psi-Jack o_O [18:57] shorewall is not configured by default [18:57] you need to create your ruleset from scratch [18:57] jmedina, Heh. [18:57] Psi-Jack_: if you have console access, that's a backup too, in case you muck stuff up. [18:58] you need to edit zones, interfaces, policy, rules and probably shorewall.conf [18:58] PhotoJim, We haven't got a KVM-IP switch yet. ;) [18:58] you can't start shorewall without those files [18:58] Psi-Jack_: get one. :) but it's not hard to get a basic shorewall configuration set up. [18:58] jmarsden, Okay, So JUST installation with apt-get, won't initiate anything or try to run it? That's all I was asking. [18:58] Psi-Jack_: you have to specifically enable it. there is no harm to installing it. [18:59] Psi-Jack_: there's a specific config setting that needs changing to permit it to actually start. [18:59] PhotoJim, That's.. Unfortunately.. 
Not up to me, but I'm sure I can convince my bosses we need it. [18:59] PhotoJim, Perfect. That's what I wanted to make sure of. ;) [18:59] Psi-Jack_: tell them it's really useful in case of failure. really quite essential unless you have techs with physical access. [18:59] Psi-Jack_: NP. [18:59] As is, I'm just using a very very basic ufw ruleset to enable NAT and ssh ports. [18:59] gotta run an errand, bbl. feel free to PM if you have Qs. [19:00] PhotoJim, That's it. We don't have physical access at all. It's housed in a tier-4 shop [19:00] jmedina, Curious on another point for shorewall.. [19:01] Psi-Jack, if you want ask in #shorewall [19:01] Good idea.. [19:01] I can't help, but this is not shorewall's channel [19:01] * Psi-Jack_ nods. [19:02] Psi-Jack_: I'll advise you to do 'ufw disable' before enabling shorewall (but I'm sure you know that, since you already enabled it :) [19:03] Right. ;) [19:05] jmedina, Okay, one thing you can help me with, I checked out the apt-sources deb lines, but it still seems to only have 4.0, I'd have figured they'd be 4.4 at least, no? [19:06] Psi-Jack, sorry I always use tar files [19:06] I don't use debs [19:06] you can use elcubano repos [19:07] elcubano? heh [19:07] he is the shorewall maintainer, a little busy these days [19:07] jo jojo, wrong channel [19:07] :) [19:10] Psi-Jack, omache is shorewall developer [19:11] he works as software architect at hp [19:11] if you have more questions, use mailing lists, so he can help offline... [19:38] anyone hosting guests in ubuntu server with virtualbox? [19:39] i need help with bridged networking [19:39] and vbox 3.04 [20:02] Psi-Jack_: yes, definitely arrange to get console access. in your situation it's really quite crucial. [20:03] Yo! Have my ubuntu-server 8.4 that I upgraded to 8.10 and then to 9.04 yesterday. After the upgrades I can't get my virt systems to run again. 
[20:03] Virsh complains that "error: failed to connect to the hypervisor" [20:03] I have no idea what it can be, does anyone happen to perhaps know what might be wrong? [20:04] PhotoJim, Heh yeah.. I also need to get MegaCLI working, cause we haven't had anything at all to watch over the fricken RAID stuff, all this time. [20:04] loa: there is no xen support for jaunty [20:04] you are on your own [20:04] I'm using kvm [20:04] ohh [20:04] then I don't know.... [20:05] it's weird.. yes... [20:06] I don't really know how this stuff works.. [20:06] major version upgrades are rarely a good idea :) [20:06] but what I understand is that libvirt is using qemu to sort out kvm machines right? [20:07] anyhow the virt-machines that are set to auto-boot are on and working.. [20:07] but I can't manage them with either virsh or virt-manager [20:07] giovani: well didn't really feel like reinstalling it either [20:07] giovani: but I agree [20:08] loa: yep, but, this kind of breakage is pretty typical [20:08] best solution would be to reinstall it aye? [20:09] I'm using software raids.. I figure the installer doesn't find them automagically? [20:09] backup, use test machine, test and pray [20:09] jmedina: too late now isn't it :P [20:09] loa: you don't have backups? [20:09] not on the system itself no [20:10] you just don't migrate production systems without extensive testing where I'm from [20:10] loa: what do you mean "on the system"? [20:10] who said I'm working on Microsoft? [20:10] Microsoft? what? [20:10] you're not being clear [20:10] it's not like it's dangerous that my system is down [20:10] just a hassle [20:11] and no I don't have backups on the system as I'm only using it as a kvm host [20:11] so reinstalling just takes time.. 
[20:11] I just thought someone here might have been into the same problem as I have and might have suggestions on stuff to check up [20:16] when I start virsh it says "Connecting to uri: qemu:///session [20:16] halDeviceMonitorStartup: dbus_bus_get failed org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory" [20:34] I have an Ubuntu 6.06 installation - don't ask; no, I can't upgrade :-) - and there are no "twm", "icewm" or "squeak-vm" packages. It seems the repositories have been massively stripped down. Is there an archive of the full repositories? [20:35] <_ruben> you're in luck .. ubuntu server doesn't have any window managers due to lack of X ;) [20:36] <_ruben> and only 'main' is LTS, perhaps universe and multiverse get stripped, though doubt that [20:36] _ruben: umm, ..., [20:36] there is the x server [20:36] i know this because i installed i [20:36] t [20:37] <_ruben> yeah .. but it's not really supported (by the server team) .. as it pretty much turns your server into a desktop [20:38] well, I installed Ubuntu Server because I didn't want the default environment [20:38] Hmm, here's an issue I am having. [20:38] ehird_: you're mistaken -- the repositories are identical between server and desktop versions -- they're the exact same location [20:39] i don't think i disputed that, i think _ruben did though saying it didn't have x [20:39] I have an external USB 2.0 Seagate 500GB SSD drive, and it's got XFS on it, but oftentimes, when I try to access it, it's inaccessible. This is after having not used it in a while, I ls /mnt where I have fstab keeping it mounted at boot time, and it shows up in red. Fixing it, I have to umount it then mount it again and it's fine, and the directory for it in /mnt is blue like a directory again. 
[20:39] ehird_: you said it seems the repositories have been stripped down -- this isn't the case [20:39] giovani: I find it odd then that numerous packages are missing [20:39] ehird_: they're not missing [20:39] or were twm, icewm and squeak really not in 6.06? [20:39] hmm, oh [20:40] universe is commented out by default [20:40] how embarrassing :) sorry [20:40] it always has been [20:40] thanks [20:40] twm has always been in universe [20:40] you'll probably want to switch to the non -server kernel [20:40] hmm, why? [20:40] and then you won't be getting support from here (as you'll be running a desktop) [20:40] because you probably don't want any of the compiled options the server kernel has [20:40] i don't need any more support :) [20:41] I think I'll just reinstall from the alternate CD [20:41] thanks [20:41] <_ruben> and yes, by "does not have", i actually meant "does not support" :) [20:41] ok, thanks :) [20:47] oh well, going to sleep. Reinstalling the box tomorrow. Thanks for the help anyway giovani [20:58] _ruben: did you discover why your ssh connections were dropping? [20:59] <_ruben> pmatulis: i don't recall any of my ssh conns dropping .. perhaps mixing me up with someone else? :) [21:00] _ruben: yeah, it was "ruben23", sorry [21:00] <_ruben> no problem :) [21:01] <_ruben> it's what one gets for using firstname as nick ;) [21:22] hi how do i change my date from IST to EDT...? [21:24] ruben23: you just want to change the timezone? [21:26] ruben23: https://help.ubuntu.com/community/UbuntuTime should help :-) [21:34] ruben23: http://www.linuxsa.org.au/tips/time.html for the non-gui solution [21:37] sgsax: ^^^ has the CLI instructions too :-) [21:38] guntbert: heh, that's even easier :) [21:39] sgsax: ;-) [21:54] mathiaz: you around? [21:54] Sam-I-Am: yes [21:54] been messing with ld_debug... missing symbol in nssov.so... which somehow becomes 'file not found' in openldap [21:56] Sam-I-Am: oh cool. 
I've looked at this but didn't go anywhere [21:56] gonna see if hyc might know what's causing that... hopefully it's not any of the ubuntu patches [21:56] how long has it been fried? [21:56] Sam-I-Am: which symbol? [21:57] ber_bvmatch [21:57] Sam-I-Am: I've seen similar error when libtld had been updated [21:57] Sam-I-Am: 2.4.15 was working correctly [21:57] i know ltdl changed names in karmic [21:57] kinda simplified versioning i think [21:58] Sam-I-Am: right [21:58] Sam-I-Am: there may be a new version too [21:58] hyc claims nssov works in 17... might try compiling upstream in karmic and see if it still breaks [21:58] Sam-I-Am: what is strange though is that all other shared libraries load correctly [21:58] yeah [21:59] Sam-I-Am: 17 saw the addition of pam. I thought maybe something is missing there. [21:59] hmm... [21:59] Sam-I-Am: it may also be related to the toolchain in Ubuntu [21:59] true [21:59] Sam-I-Am: and the way the nssov is built [21:59] Sam-I-Am: I'd run the nssov-build patch by hyc [21:59] well, compiling upstream might answer some of those questions [21:59] yeah, will do [22:00] just waiting for him to return [22:00] meanwhile, i think i should finally file this as a bug [22:01] Sam-I-Am: I would definitely show the nssov-build patch to hyc - it may be an issue there [22:01] yeah i was looking at that [22:02] doesn't seem too intrusive though === ircd is now known as samferry [22:13] you know, looking at ld_debug, there's quite a few undefined symbols... not just in nssov [22:40] hello [22:46] mathiaz: filed bug 417163 [22:46] Launchpad bug 417163 in openldap "NSS overlay (nssov) fails to load" [Undecided,New] https://launchpad.net/bugs/417163 [22:58] I love pam.d [23:01] why do you love pam.d? [23:02] * jmedina doesn't feel love for a directory [23:39] KillMeNow, it's so easy to set up stuff [23:39] and anything plugs into it [23:42] Heh. bleh. [23:42] gah! every day around this time I'm ready for a nap [23:43] Heh