[00:12] <qman__> ah, got it all working
[00:12] <qman__> turns out the main problem I was having was a typo in my root qdisc
[00:12] <qman__> had handle 1: instead of handle 1:0
[00:12] <qman__> mucked everything up
[00:17] <glauber> hi guys. I have 2 servers and a shared SAS storage. I'd like to create a cluster between both servers to have some VMs and put their disks in the SAS storage using a clustered FS. Should I use ubuntu+Xen+ ... ? Does UEC apply to my case? (I'm new to cluster stuff, sorry if I'm making conceptual mistakes).
[00:44] <smcquay> Does UEC work?
[00:46] <smcquay> I've had horrible luck trying to install a private cloud. Currently stuck on step 4 of 7 on the UEC CDInstall instructions. It fails trying to discover nodes with some pythonic error that yields very little on google. Does anyone know what to do for this error: Failed to resolve service 'x07' of type '_eucalyptus._tcp' in domain 'local': Timeout reached ??
[00:48] <glauber> smcquay, I guess UEC is not for my case. just 2 xen dom0 in a cluster would solve my case, I guess
[00:49] <smcquay> glauber: that sounds reasonable
[01:12] <glauber> smcquay I was trying debian, but I could not get ocfs to work..
[01:15] <oh_noes> I put dir,syncdir in my / mount options in /etc/fstab ... is this enough to turn off Write Caching on the root partition?
[01:16] <oh_noes> I still get "Assuming Drive Write Cache" when 8.04.3 boots.
[01:53] <maxagaz> how to change the home folder path ?
[01:53] <maxagaz> for a given user
[01:56] <oh_noes> vi /etc/passwd
[01:57] <maxagaz> ok, it has to be done manually
[01:58] <maxagaz> some people think ftp should die, but what can replace it ?
[02:35] <twb> maxagaz: SFTP (for rw) and HTTP (for ro)
[02:54] <maxagaz> owh, ssh looks too dangerous
[02:55] <owh> maxagaz: Too dangerous for what?
[02:55] <maxagaz> owh, too dangerous to give someone rw access to one directory only
[02:56] <maxagaz> owh, but i probably don't understand it enough
[02:56] <maxagaz> owh, is it possible to restrict the access to one directory ?
[02:56] <maxagaz> and its subdirs
[02:57] <twb> maxagaz: ssh receives far more security scrutiny than a typical FTP daemon
[02:57] <owh> maxagaz: That statement makes no sense. ssh is a mechanism to transport information across the Internet in an encrypted fashion. SFTP uses ssh to transport FTP commands across the net. You don't need to give shell access to a user.
[02:57] <twb> maxagaz: locking it down is very well understood, because openssh is widely used
[02:57] <twb> And as owh says, you can hand out SFTP access without giving full shell access.
[02:58] <maxagaz> twb, interesting, i didn't know that...
[03:04] <xperia2> hello to all. i am having trouble installing the newest postfixadmin from sourceforge.
[03:04] <xperia2> i downloaded it with
[03:04] <xperia2> sudo wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3_all.deb?use_mirror=garr
[03:04] <xperia2> and wanted to install it with
[03:04] <xperia2> dpkg -i postfixadmin_2.3_all.deb
[03:04] <xperia2> but it stops with the error message
[03:04] <xperia2> dpkg: Error ....
[03:05] <xperia2> anybody know how to install the newest postfixadmin ?
[03:05] <owh> xperia2: Is this package specific to your version of Ubuntu?
[03:07] <xperia2> it is not a version specific to ubuntu. i am following this wiki help article here
[03:07] <xperia2> that advises me to do this
[03:07] <xperia2> normally it should work as written in the wiki page
[03:11] <xperia2> a pity that this package is not in the ubuntu repositories. it would be great to have this in the repos for upgrading the whole system later
[03:11] <owh> Have you lodged a packaging request for it?
[03:12] <twb> xperia2: installing third-party packages is very strongly discouraged.
[03:13] <xperia2> never heard about this, how do I do it? do you have a link or similar ?
[03:13] <twb> Because they are not subject to the same quality control as official Ubuntu packages.
[03:14] <xperia2> twb: i understand but from my point of view this package should be in the repository as it is very helpful
[03:15] <xperia2> the only possibility at the moment to use it is installing it as an external package
[03:15] <twb> xperia2: the alternative would be to learn how to manage postfix directly.
[03:16] <twb> But as owh says, you can also file a Request for Package bug.
[03:17] <qman__> xperia2, that tutorial refers to a version that is considerably out of date
[03:17] <owh> xperia2: You could download the source and compile it from source, but since you didn't tell us what the actual error is, there is little we can do from here. As twb says, it's strongly discouraged to install external software - to the point where we probably won't give you actual support.
[03:17] <qman__> did you check universe/multiverse to see if it's been packaged?
[03:18] <twb> Not nearly as bad as webmin's third-party .deb, but it's still clear that they don't really know what they're doing.
[03:19] <twb> qman__: I did; it hasn't.  It's a PHP/MySQL web app for managing postfix/main.cf, so it's hardly surprising that nobody wants to package it.
[03:30] <xperia2> well postfix looks really very helpful especially when it comes to a mysql backed postfix solution.
[03:30] <xperia2> have installed the older version now as i need it.
[03:30] <xperia2> will look to create a package request for this application if nobody has created one yet
[03:31] <xperia2> first however i need to update the wiki page as the version is heavily outdated
[03:38] <twb> I have hosts with heterogeneous disk sizes.
[03:39] <twb> I wish to lvextend /dev/mapper/foo-bar on all these hosts, to use up all remaining PFree
[03:39] <twb> Can I specify --size in terms of pfree?
[03:41] <twb> Ah, --extents 100%FREE
[03:47] <maxagaz> twb, how to make a restriction with ssh so that a user can only browse its folder ?
[03:48] <twb> maxagaz: talk to #openssh
[03:48] <maxagaz> twb, ok
[03:48] <twb> maxagaz: it should mostly be covered by the sshd_config manpage
[04:07] <xperia2> okay, bug is now also filed at launchpad !
[05:04] <spirits-sight> OK, I have two user accounts. I would like them to control the directories that are connected to their domains, how would I do this?
[05:50] <qman__> I can't get my traffic shaping to work right--upload throttling is working, but download throttling isn't. Here's my script: http://pastebin.com/m42db8842
[05:51] <qman__> output of tc show commands indicate no packets are being sent to the 1:10 class
[06:19] <maxagaz> how to allow a user to browse only his folder ?
[06:26] <twb> maxagaz: in what?
[06:28] <maxagaz> twb, in his home folder
[06:28] <twb> maxagaz: I mean, in what service?
[06:28] <maxagaz> twb, i'm still on my ssh problem, but it seems it's not an ssh problem
[06:29] <twb> maxagaz: in SFTP, then?  Or full ssh?
[06:29] <twb> maxagaz: did you ask the #openssh people about it?
[06:29] <maxagaz> twb, i just want to allow this user to scp or ssh to his folder but I don't want him to see anything else
[06:30] <twb> So you *do* want to allow full SSH, not just SFTP
[06:38] <maxagaz> twb, i don't really understand sftp
[06:38] <maxagaz> twb, do i have to install something else than openssh-server to do sftp ?
[06:39] <twb> openssh-server includes sftp
[06:40] <maxagaz> twb, actually i need someone to send some files to my server regularly, that's all
[06:40] <maxagaz> so, sftp looks like the good solution if it allows this only
[06:40] <twb> maxagaz: do you need normal ssh to work, too?
[06:41] <twb> That is, does any user (including yourself) need to ssh into the box?
[06:41] <maxagaz> not those users
[06:41] <maxagaz> i need to ssh into the box
[06:42] <maxagaz> but some users (all belonging to the same group) can only send files to the server
[06:42] <qman__> I tackled that situation by creating a jail for those users with jailkit
[06:42] <twb> You need to write a Match block in your sshd_config, which has ForceCommand internal-sftp and ChrootDirectory /srv/pub or /home/fred or similar
[06:43] <maxagaz> I put them in: /opt/my_special_users/
[06:43] <twb> qman__: openssh-server handles the jailing internally -- and best of all, requires no libraries or anything inside the chroot
[06:43] <maxagaz> i mean their home folder
[06:43] <twb> qman__: apparently this is a relatively recent development in openssh-server
[06:43] <qman__> yeah, it certainly didn't exist when I was addressing it
[06:44] <qman__> hence the somewhat complex jailkit setup
[06:46] <qman__> it was added circa april 2008
[06:46] <qman__> last time I did it was in 2007
[06:46] <maxagaz> twb, i'm in the sshd_config file, can you please teach me how to do this for the group ? i'm not sure I understand...
[06:46] <twb> maxagaz: you want (at the bottom of the file) something like (untested): Match User fred \n ForceCommand internal-sftp \n ChrootDirectory /srv/pub
[06:47] <twb> qman__: if your sshd_config mentions internal-sftp, you should have it.
[06:55] <maxagaz> twb, what if I want to do it with two users ? Just add another block ? Nothing tells ssh when the block ends ?
[06:55] <twb> As sshd_config says, the match block ends at the end of the file, or at the start of a new Match block
[06:56] <twb> It looks like you can say "Match User alice, bob" or something, but I haven't checked.
[06:57] <twb> Obviously you will test this before placing it in production...
[06:58] <kaushal> i get Nov 19 22:55:22 host0104 kernel: [19938.001554] program smartctl is using a deprecated SCSI ioctl, please convert it to SG_IO
[06:58] <kaushal> Nov 19 22:55:22 host0104 kernel: [19938.002814] 3w-9xxx: scsi0: ERROR: (0x03:0x0101): Invalid command opcode:opcode=0x80.
[06:58] <kaushal> on ubuntu hardy server
[06:59] <kaushal> Any clue ?
[06:59] <twb> kaushal: safe to ignore, I think
[07:00] <qman__> kaushal, if you're not experiencing any problems, the errors are safe to ignore
[07:00] <qman__> make sure that smartctl is doing what you want
[07:01] <kaushal> but the system is unstable
[07:01] <kaushal> qman__: how do i use smartctl to fix the above issue ?
[07:02] <qman__> the first error is regarding smartctl; if smartctl is working properly, it can be safely ignored
[07:02] <qman__> the second is likely an error with the configuration or drivers of your 3-ware RAID controller, or the hardware is failing
[07:03] <qman__> the thing about the second error is, if everything works, it can be ignored
[07:03] <qman__> but if there's a problem, it might point you in the right direction
[07:03] <twb> Oh sorry, I only looked at the first message
[07:04] <kaushal> smartctl -a -d ata /dev/sda
[07:04] <kaushal> Smartctl: Device Read Identity Failed (not an ATA/ATAPI device)
[07:05] <qman__> that one's pretty self explanatory, /dev/sda is not an ata device, you need a different -d option
[07:06] <qman__> usually omitting the -d option will let it autodetect the correct one
[07:06] <qman__> but it doesn't always work, check the manual for the other options
[07:07] <twb> -d ata is for SATA drives
[07:07] <twb> But since you're using 3-ware, you probably need something vendor-specific like -d 3ware
[07:11] <kaushal> 03:03.0 RAID bus controller: 3ware Inc 9xxx-series SATA-RAID
[07:12] <twb> kaushal: the error means smartd CAN'T talk SATA to the drives in your hardware raid
[07:19] <kaushal> bit confused here
[07:20] <maxagaz> twb, thanks a lot
[07:20] <kaushal> what needs to be done exactly to sort out this issue ?
[07:21] <twb> kaushal: read the smartd manpage?
[07:22] <twb> Find out which -d you need
[07:22] <twb> 18:07 <twb> But since you're using 3-ware, you probably need something vendor-specific like -d 3ware
[07:22] <kaushal> Device: AMCC     9500S-4LP  DISK  Version: 2.08
[07:22] <kaushal> please try adding '-d 3ware,N'
[07:22] <kaushal> you may also need to change device to /dev/twaN or /dev/tweN
[07:22] <kaushal> when i run smartctl -a -d scsi /dev/sda
[07:23] <twb> kaushal: and did you try that?
[07:23] <kaushal> smartctl -a -d 3ware,0 /dev/sda
[07:24] <twb> I'm not familiar with 3ware, so the only other thing I can suggest is you contact your hardware vendor and ask them.
[07:26] <kaushal> twb: so i have to use smartctl to fix the issue? am i understanding you correctly ?
[07:26] <qman__> kaushal, you haven't said what the issue is
[07:27] <kaushal> the issue is the machine freezes and becomes unstable
[07:27] <twb> kaushal: well, nothing you do in smartctl will fix that
[07:27] <twb> smartctl/smartd just reports hardware errors in your disks
[07:28] <qman__> since you have another error regarding your 3ware controller, that's one thing that could be causing the problem
[07:29] <kaushal> so i have to run smartctl to look for hardware errors on my disk
[07:29] <qman__> check for driver conflicts, misconfiguration, or hardware failure
[07:31] <magatz> Hi all, i've got a question/problem using ecryptfs with dovecot maildir in my home (encrypted filesystem)
[07:31] <twb> I hate hardware raid for that reason
[07:31] <magatz> specifically, everything works correctly when i am logged into the server via ssh
[07:32] <magatz> but when i log off, maildrop doesn't use my ~/Maildir but the /var/mail maildir
[07:33] <magatz> i think the problem comes from the home encrypted filesystem that is not mounted when i log off from the server
[07:33] <qman__> that's correct
[07:33] <magatz> any hint?
[07:33] <qman__> it can't access ~/Maildir when it's encrypted and not mounted
[07:34] <qman__> however, I don't know what you need to do to work around that
[07:34] <qman__> probably set it up to store your mail in a temporary folder while logged off, then move it when you log on
[07:34] <magatz> ok, but how can i keep it mounted when i'm logged off
[07:34] <qman__> or something like that
[07:35] <magatz> already works this way, but it's a pain in a multi-user environment....
[07:36] <magatz> I'd like to keep the home filesystem always mounted
[07:37] <qman__> that's outside my knowledge and a quick google isn't helping, sorry
[07:37] <magatz> thanks anyway :)
[07:43] <maxagaz> twb, where is the doc you were referring to for the Match block ?
[07:45] <twb> maxagaz: man sshd_config
[07:46] <maxagaz> twb, thanks
[07:51] <kaushal> qman__: shall i pastebin the observation ?
[07:53] <dayo> how do i lock the account of a user on an nfs server? i'm using openldap to authenticate them.
[07:53] <kaushal> twb: shall i pastebin the observation ?
[07:57] <maxagaz> twb, it seems i can't do it on hardy => http://www.debian-administration.org/articles/590
[07:58] <maxagaz> twb, how should i update openssh-server on a production machine ?
[08:03] <twb> maxagaz: unless it's in hardy-backports, you shouldn't
[08:04] <maxagaz> Ubuntu package search looks to be down...
[08:09] <maxagaz> twb, unfortunately, it's not... 1:4.7p1-8ubuntu1
[08:11] <twb> Since 4.7 doesn't have this feature, you'll have to make a chroot environment and run a second ssh daemon in there -- super sucky
[08:12] <twb> So it might be reasonable to add intrepid entries to your sources.list and write some pins into apt.conf, though that's a bit of a hassle
[08:49] <a_ok> Ubuntu 8.04 hangs after saying Activating Swap [OK], no messages in log and not telling what it is doing. Any idea what's going on here?
[08:51] <twb> I'd say it's hanging immediately after activating swap.
[08:58] <a_ok> twb: it seems that activating swap is the last action of S35mountall.sh, i doubt it hangs there
[09:00] <twb> a_ok: so what is the next script after that?
[09:04] <maxagaz> how to sort by size with ls ?
[09:06] <\sh> maxagaz, man ls ; ls -S
[09:13] <a_ok> twb: I think this might be the problem script
[09:15] <twb> a_ok: so put set -x at the top of it and try again
[09:15] <twb> a_ok: be sure to boot without usplash, if you have that installed
[09:19] <a_ok> twb: well it's a production server so not rebooting it anytime soon. what does set -x do btw?
[09:20] <twb> It turns on tracing
[09:21] <a_ok> twb: are there servers using usplash?
[09:21] <twb> a_ok: stupid ones, yes
[09:21] <twb> There are lots of stupid people in this channel, so I have to check
[09:22] <twb> Even my boss makes me put gnome on servers, "because customers are used to Microsoft TS and SBS, which has a local display"
[09:30] <a_ok> twb: wtf, you should fire your boss
[09:31] <a_ok> unless you run it for thinclient stuff
[09:31] <twb> Why would it matter if the server serves thinclients?
[09:32] <a_ok> does it not need to run X with gnome libs etc?
[09:32] <twb> Oh, right.  It needs it installed, but not running on the server.
[09:32] <Gorlist> Morning, quick question
[09:33] <Gorlist> I restarted fail2ban
[09:33] <Gorlist> but it failed because the .sock was still present
[09:33] <Gorlist> so I removed the /var/run/fail2ban directory and now getting "start-stop-daemon: Unable to set gid to 0 (Operation not permitted)" when I try to restart
[09:34] <twb> Gorlist: you're not running it as root
[09:34] <Gorlist> just launch under sudo?
[09:34] <Gorlist> right it's running, thanks
[09:35] <twb> -m recent is more elegant than that userspace fail2ban crap
[09:35] <Gorlist> right, will read through it
[09:35] <twb> Better, of course, is to remove password-based authentication from ssh
[09:36] <twb> That article isn't really up with best practices, but it's the least worst I could find on short notice.  Check up with #netfilter if you decide to go with iptables
[09:36] <Gorlist> it's not ssh
[09:36] <Gorlist> I'm having problems with ftp and mail
[09:37] <twb> It should work for other services, too
[09:38] <Gorlist> will take a look, used to use denyhosts but decided to try fail2ban this time around
[09:38] <twb> Of course, FTP is a stupid protocol and requires an extra bit of magic -- but SFTP (rw) or HTTP (ro) is a better idea anyway
[09:46] <Jeeves_> Who should I bother about the -virtual kernel config?
[09:55] <twb> Is there an #ubuntu-kernel?
[09:56] <twb> Jeeves_: plan B is launchpad
[09:57] <Jeeves_> twb: I'm trying #ubuntu-virt now, but they all seem to be asleep :)
[10:16] <magatz> hi, any suggestion on how to turn off encrypted home directory, on 9.10?
[10:17] <magatz> this feature is giving me a lot of problems with nfs and dovecot
[10:20] * twb boggles
[10:20] <twb> It's on by default?
[10:20] <magatz> i've installed it on 9.04 and after upgrade to 9.10 still there
[10:20] <magatz> yes it's on by default
[10:20] <twb> Good grief
[10:21] <twb> I'm glad I stick to LTS
[10:21] <twb> (And Debian, for my own stuff ;-)
[10:21] <Jeeves_> It's not on by default, afaik?
[10:22] <maswan> I got asked a question about it, I don't remember which was the default choice though..
[10:22] <twb> maswan: ah, so it probably isn't the default
[10:46] <teddymills> 9.10 server with sshd..is like 5 to 7 seconds from grub to login
[10:55] <magatz> found! here the link: http://ubuntu-ky.ubuntuforums.org/showthread.php?t=1134121
[11:02] <\sh> maswan, the default is "no"...
[11:02] <\sh> maswan, btw...didn't you have some strange syslog entries like diskio.c: don't know how to handle 9 request somehow?
[11:02] <\sh> (HP + SmartArray)
[11:05] <\sh> hmmm...since jaunty I have now the message I pasted above...I wonder what that is
[11:05] <\sh> and karmic still does it
[11:06] <maswan> Ah, seems to be a different one then. I haven't seen that.
[11:07] <incorrect> i am building some http cache servers using varnish, I am debating about not creating any swap
[11:08] <incorrect> there used to be a performance hit if you built a system with no cache
[11:08] <incorrect> err swap
[11:40] <a_ok> incorrect: well I ran my linux box for years without swap and no performance issues at all, do note that when you run out of memory linux locks up instantly (way faster that is) compared to when you have a swap file
[11:41] <incorrect> there used to be issues with not having swap
[11:41] <incorrect> a box locking up is ok
[11:41] <a_ok> no it's not lol
[11:41] <a_ok> incorrect: was it ubuntu specific?
[11:42] <incorrect> maybe kernel 2.2 days
[11:43] <a_ok> oh that's way back. linux memory management is quite different now
[11:47] <incorrect> i just wanted to ask
[11:52] <dvrcoder> hi, question: after update my console is not 80x25 anymore. how do i get this back?
[11:56] <a_ok> dvrcoder: frame buffer?
[11:56] <dvrcoder> a_ok: i set vga=normal in menu.lst
[11:56] <dvrcoder> (and i'm still using the old grub)
[11:58] <dvrcoder> ah, i obviously did it wrong :D
[11:58] <epinky> dvrcoder: check the table here http://crunchbang.org/archives/2007/10/10/changing-bootup-and-console-screen-resolutions/
[11:59] <dvrcoder> epinky: thx
[11:59] <a_ok> dvrcoder: nothing to do with grub fortunately, kernel params
[11:59] <qman__> no VGA line should make it 80x25, 640x480 makes it 80x30
[12:00] <qman__> I prefer 80x30, more lines, just as readable
[12:01] <a_ok> I prefer higher resolutions, logfiles tend to have longer lines
[12:01] <qman__> well, I do too, but for my one box I actually have the console up with, I prefer the low res so I can read it without my glasses
[12:02] <a_ok> qman__: yeah it does depend on what monitor you have lol
[12:02] <qman__> all the other ones I just ssh from this desktop
[12:02] <dvrcoder> well right now it's at about 60 lines. i don't know, i just like good old 80x25 on the console (since i have the same over ssh)
[12:02] <qman__> dvrcoder, well, you can set the vga mode in the kopt= line, then run 'sudo update-grub' to apply it
[12:03] <qman__> that's for grub 1, no idea about grub 2
[12:03] <qman__> I also generally remove the 'quiet splash' from it too
[12:03] <qman__> that way when something goes wrong you can actually see what it is
[12:03] <qman__> but that's just personal preference
[12:05] <qman__> a_ok, it's a 17" CRT, plenty big enough, I just have very poor vision without my glasses ;)
[12:10] <a_ok> qman__: didn't know you had to do an update-grub when you adjust menu.lst
[12:10] <epinky> dvrcoder: try with "vga=ask" ?
[12:11] <twb> vga=normal is 80x25
[12:12] <twb> For grub2, you want to edit /etc/default/grub, particularly on x86-like systems to disable the fb there as it tells you to
[12:12] <qman__> a_ok, you don't if you just modify the actual boot lines, but in ubuntu, the proper way is to modify the kopt= line in the top section, then run update-grub
[12:12] <qman__> that also makes it stick for kernel updates and such
[12:16] <a_ok> hmm good to know, I'm more of a manual man myself, that is probably why I still have gentoo at home. Since ubuntu failed me once with an upgrade I never trusted it
[12:18] <twb> Personally, I prefer video=vesafb:1600x1200-32
[12:18] <twb> (Or uvesafb for widescreens, but that's a huge pain in the arse.)
[12:22] <dvrcoder> btw, can i just unselect the pae kernel in aptitude if i don't need it?
[12:23] <twb> I don't see why not
[12:23] <Adrian1> Hello. Can you please help me install ebox ?
[12:25] <epinky> Adrian1: ebox server?
[12:25] <Adrian1> Ebox..... https://help.ubuntu.com/9.04/serverguide/C/ebox.html
[12:26] <Adrian1> That how to doesn't work.
[12:29] <epinky> Adrian1: I don't use ebox, but what Ubuntu version are you using?
[12:30] <Adrian1> Or smth like that.
[12:33] <Adrian1> invoke-rc.d: initscript ebox, action "apache" failed.
[12:33] <epinky> if it's 8.10 then bad news
[12:34] <epinky> Adrian: https://bugs.launchpad.net/ubuntu/+source/ebox/+bug/255368
[12:35] <Adrian1> Well... I installed it, let's see if it works.
[12:35] <Adrian1> Aaaa noap.
[12:36] <twb> wasn't ebox totally broken in 8.04 and/or 8.10?
[12:36] <twb> I remember someone saying that in here, though obviously I stay the hell away from web UIs
[12:37] <epinky> twb: you're right, it tells that here https://help.ubuntu.com/community/eBox
[13:18] <\sh> twb, /me is always saying that
[13:31] <dvr> is there an irc channel with openldap support?
[13:32] <epinky> dvr: #openldap ?
[13:33] <dvr> epinky: oh cool, there really is :D
=== chuck_ is now known as zul
[14:45] <a_ok> what is the goal of /etc/init.d/bootclean ?
[14:46] <a_ok> I thought that tmp could just be emptied instead of dissected and cleaned
[15:46] <uvirtbot> New bug: #485873 in logwatch (universe) "logwatch should report apparmor events" [Undecided,New] https://launchpad.net/bugs/485873
[16:11] <uvirtbot> New bug: #485799 in postfix (main) "package postfix (not installed) failed to install/upgrade: subprocess new pre-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/485799
[16:13] <KurtKraut> Should I rely more on BIOS fan control or should I set up fancontrol daemon on Ubuntu?
[17:42] <LanceHaig_wrk> I am wondering if there is a patch and config management tool for multiple ubuntu servers?
[17:43] <LanceHaig_wrk> I have 100 that need to be managed and I can't seem to find anything by searching the net
[17:43] <mushroomblue> so, when configuring a server to authenticate to LDAP, I disabled all other methods of authentication. I was able to auth as an LDAP user. after reboot, it's not authenticating, and not accepting system users. is there another way to log into this machine, other than chroot?
[17:43] <kaushal> anyone closely following my issue on ubuntu-server mailing list ?
[17:44] <mushroomblue> cos I'm 2000 miles away, and I don't want to lead a monkey through a chroot. especially because I'm not sure what partition it is, etc.
[17:45] <kaushal> about 3w-9xxx: scsi0: ERROR
[17:51] <mushroomblue> nevermind. I forgot single user mode was an option.
[18:08] <kaushal> checking in again for my query ?
[18:15] <cyphermox> kaushal, running memtest86 for a couple of hours should tell you whether your memory is good for that server.
[18:17] <kaushal> cyphermox, so it's a sure shot memory issue ?
[18:17] <kaushal> I mean symptom
[18:17] <cyphermox> kaushal, it's a common cause of lockups.
[18:17] <kaushal> can memtest86 run on 64bit architecture
[18:18] <cyphermox> kaushal, you should check whether there are other errors in syslog, and perhaps post them up in the mailing list thread, for the benefit of everyone in the thread
[18:18] <cyphermox> i think so, yes
[18:18] <kaushal> cyphermox, i have done it already
[18:19] <cyphermox> nothing other than the errors for 3w-9xxx?
[18:21] <cyphermox> kaushal, or even including an excerpt of your syslog from say, that error message, up until the time you get a freeze, that could help.
[18:38] <unique> why is my mail server rejecting all the emails telling them "Relaying denied [RCPT_TO]"? I'm using sendmail and courier-imap
[18:40] <ivoks> kaushal: yes :)
[18:59] <teddymills> can i add mdadm to an existing single drive ubuntu-8041-server?
=== MarwolTuk_ is now known as MarwolTuk
[20:24] <jerrcs> Hi guys.. I downloaded the ubuntu server iso ages ago, burned it on a cd.. now it's corrupt.. but it still boots.. just some files are missing.. anyway to do a netinstall from that same disc?
[20:44] <aberhow> ok, so i just installed, and the only package i chose on install was the openbsd ssh server
[20:44] <aberhow> on boot at the console the server starts
[20:44] <aberhow> then it restarts
[20:44] <aberhow> what's the deal?
[20:45] <KurtKraut> aberhow, the server is restarting by itself?
[20:45] <aberhow> yup, on boot it is
[20:45] <aberhow> or it seems that way
[20:47] <ziesemer> Anything mentioned in the log files?
[20:50] <aberhow> not other than the server is listening
[20:50] <aberhow> then a few seconds later after the restart it says the server is listening again
[20:50] <aberhow> on 22
[20:50] <ziesemer> Is it not listening on :22 the first time?  If not, it sounds like it might be restarting to rebind to a new network interface.
[20:51] <aberhow> that could be it, the computer is set to dhcp
[20:52] <aberhow> i would think it would have its ip by then though
[20:57] <ziesemer> dhclient should show up in your logs, too.  Should be easy enough to check.
[21:19] <ziesemer> OK, I think I have OpenLDAP all set up and working, as well as basic FreeRADIUS.  Now the part I don't exactly understand:  How are client certificates associated with a user account - or are they even?
[21:40] <ivoks> ziesemer: i might say lots of nonsense cause i haven't slept for quite a while
[21:40] <ziesemer> I know the feeling.  :-)
[21:40] <ziesemer> So basically, I'm sure I could get FreeRADIUS to allow authentication using the same user/pass combinations as for local access, etc.
[21:41] <ziesemer> Client -> user/pass -> FreeRADIUS -> OpenLDAP
[21:41] <ziesemer> I'd like to use certificates instead.  Client -> X509 cert -> FreeRADIUS -> OpenLDAP
[21:41] <ivoks> never played with that :/
[21:42] <ziesemer> Under Microsoft AD, for example, the public keys for any issued certs are stored with the user's entry in AD (LDAP).  If it doesn't exist there or if the user isn't active, login denied.
[21:42] <ziesemer> Seems that FreeRADIUS will work the same.  If the public key isn't in the CA or is revoked, access denied.
[21:43] <ziesemer> I was just wondering if it still ties into user authentication when moving from user/pass to certificates.
[21:43] <ziesemer> All I can seem to find online is a reference to the "named client" in the WPA_HOWTO at http://wiki.freeradius.org/WPA_HOWTO .
[21:44] <ziesemer> So I guess I'll just have to test, but am hoping / assuming that the cn (common name) passed in the certificate is still used to check against the username.  (Is account still enabled, etc.?)
[21:46] <ivoks> something like that...?
[21:48] <ivoks> this is for sure something to test and explore
[21:48] <ivoks> i never tried it
[21:48] <ziesemer> I'll experiment and post back.
[21:48] <ivoks> a write up would be great
[21:48] <ziesemer> Will probably end up becoming a blog entry at blogger.ziesemer.com .
[21:49] <ziesemer> Thanks!  Get some sleep!!
[21:49] <epinky> ziesemer: http://zone.ni.com/cms/images/devzone/tut/8021X.png
[21:49] <ivoks> note that freeradius is built without openssl in ubuntu and debian
[21:49] <ivoks> at least last time i checked :)
[21:50] <ziesemer> epinky:  OK.  I'm looking at the image, and don't see how it applies.
[21:50] <ziesemer> If I'm authenticating with a certificate rather than a user/pass, (how) does FreeRADIUS determine and authorize the username, beyond just validating that the client certificate is valid?
[21:51] <ivoks>                 --without-openssl \
[21:51] <ivoks>                 --without-rlm_eap_tls \
[21:51] <ivoks>                 --without-rlm_eap_ttls \
[21:51] <epinky> ziesemer: http://www.interlinknetworks.com/whitepapers/Intro_802_1X_for_Wireless_LAN_clip_image002.jpg
[21:52] <ziesemer> epinky: Another good image, but I'm not seeing the relevance to the question. (?)
[21:53] <epinky> ziesemer: then sry, I can't help you :(
[21:53] <ziesemer> k, thx
[21:58] <ziesemer> http://freeradius.org/doc/EAPTLS.pdf may be my answer.  Didn't find it before due to it being a PDF.  It shows a log file of a user authenticating with a certificate.  It appears to pull the username out of the certificate.  I'd guess from the common name (cn) field.  Will have to test later.
[22:02] <Mike_lifeguard> Hi, how can I stop pam_motd in libpam-modules from changing my /etc/motd?
[22:06] <epinky> Mike_lifeguard: look for /etc/pam.d/ssh, look for a line "session optional pam_motd.so" and comment it out
[22:07] <axisys> i have two ethernet ports on my server .. how do I do network load balance and failover ? right now i am using only one ethernet port ..
[22:08] <Mike_lifeguard> epinky: /etc/pam.d/ssh doesn't exist
[22:08] <ziesemer> axisys - what are you connected to in terms of a network switch?
[22:09] <ziesemer> Ideally, you'd just trunk to a compatible network switch, which would handle both load balancing and failover.
[22:09] <Mike_lifeguard> ah, there is login ... let's see if that's it
[22:10] <axisys> ziesemer: i am connected to a switch .. i think cat 5500 .. let me double check
[22:10] <ziesemer> Otherwise, you could set a 2nd IP on the 2nd port, and use DNS balancing to hand out alternating IPs for each request to a given hostname.
[22:11] <Mike_lifeguard> epinky: That line appears in /etc/pam.d/login -- however the description is that it "prints the motd upon successful login" (I still want to show the motd, I just want pam_motd to stop changing it from what I've set.)
[22:11] <axisys> ziesemer: cisco cat 4000
[22:12] <ziesemer> That doesn't mean much to me, except that it is a Cisco Catalyst, which I'm sure supports just about everything.  :-)
[22:12] <axisys> ziesemer: how do I do the DNS balancing ?
[22:12] <ziesemer> Given that you have a supporting switch, I'd just use that instead.
[22:13] <ziesemer> I just did a quick Google search.  It's a little dated (for 6.10), but still appears applicable:  http://www.howtoforge.com/network_bonding_ubuntu_6.10
[22:14] <epinky> Mike_lifeguard: "session  optional  pam_motd.so  motd=/etc/motd"
[22:14] <axisys> ziesemer: thanks.. i want to do the bonding instead.. since i have to depend on network guys for my config ..
[22:15] <ziesemer> Even better:  https://wiki.ubuntu.com/LinkAggregation
[22:16] <axisys> ziesemer: thanks a lot :-)
[22:16] <axisys> ziesemer: i did not know what to google search... i only used IPMP and dladm on solaris
[22:19] <Mike_lifeguard> epinky: That seems to have no effect :\
[22:19] <axisys> ziesemer: Prerequisite: Ethtool support in the base drivers for retrieving the speed of each slave
[22:19] <axisys> ziesemer: how do I know my card supports that ^ ?
[22:20] <epinky> Mike_lifeguard: then PAM is not changing your motd
[22:21] <axisys> ziesemer: i see ethtool gets me the speed .. so i guess i am good w/ prereqs
[22:29] <axisys> how do I make sure /var/log/messages file is readable by hobbit always.. i think some rotate job reverts it.. what's the recommended way to make the change so hobbit can read messages file ?
[22:29] <axisys> do I have to add hobbit to adm group ?
[22:30] <ivoks> note that that will give it access to all logs
[22:30] <Mike_lifeguard> epinky: Do you know of anything else that would be doing it?
[22:31] <axisys> ivoks: hmm.. that gives hobbit too much privilege.. i guess i need to ask hobbit guys on how to make changes in the app so hobbit can read the file using sudo instead
[22:31] <ivoks> it can only read logs
[22:31] <ivoks> that's not perfect, for sure...
[22:31] <axisys> so adm group has no other priv than just reading logs ?
[22:32] <axisys> ivoks: oh ok.. then it's fine.. it's simpler than anything else.. i guess
[22:32] <axisys> adduser hobbit adm will add hobbit as part of adm group.. but will it remove its association w/ other groups with that command ?
[22:32] <Mike_lifeguard> Is there a list of the groups and what privileges they confer? Some are quite cryptic :\
[22:33] <axisys> let me read the man
[22:33] <ivoks> it just adds it to the group
[22:33] <axisys> ivoks: oh! u r fast .. thanks
[22:33] <ivoks> each user can be a member of multiple groups
[22:33] <epinky> Mike_lifeguard: not really, sry :(
[22:34] <axisys> ivoks: yep.. i just don't remember the command to do it through cli..
[22:34] <ivoks> adduser user group
[22:34] <axisys> ivoks: i came from solaris env.. that's why
[22:35] <Mike_lifeguard> epinky: oh well. thanks for the help anyways
[22:36] <epinky> ivoks: just use usermod -G <group> <youruser>
[22:36] <ivoks> or that
[22:36] <ivoks> adduser username group is faster :p
[22:37] <axisys> epinky: like in solaris
[22:38] <aberhow> make sure you use -a too in that usermod command so it appends the groups
[22:39] <aberhow> usermod -a -G adm hobbit