[00:12] <qman__> ah, got it all working
[00:12] <qman__> turns out the main problem I was having was a typo in my root qdisc
[00:12] <qman__> had handle 1: instead of handle 1:0
[00:12] <qman__> mucked everything up
[00:17] <glauber> hi guys. I have 2 servers and a shared sas storage. I'd like to create a cluster between both servers to have some VMs and put its disk in the sas storage using a clustered FS. Should I use ubuntu+Xen+ ... ? Does UEC apply to my case? (I'm new to cluster stuff, sorry if I'm doing conceptual mistakes).
[00:44] <smcquay> Does UEC work?
[00:46] <smcquay> I've had horrible luck trying to install a private cloud. Currently stuck on step 4 of 7 on the UEC CDInstall instructions. It fails trying to discover nodes with some pythonic error that yields very little on google. Does anyone know what to do for this error: Failed to resolve service 'x07' of type '_eucalyptus._tcp' in domain 'local': Timeout reached ??
[00:48] <glauber> smcquay, I guess UEC is not for my case. just 2 xen dom0 in a cluster would solve my case, I guess
[00:49] <smcquay> glauber: that sounds reasonable
[01:12] <glauber> smcquay I was trying debian, but I could not get ocfs to work..
[01:15] <oh_noes> I put dir,syncdir in my / mount options in /etc/fstab ... is this enough to turn off Write Caching on the root partition?
[01:16] <oh_noes> I still get "Assuming Drive Write Cache" when 8.04.3 boots.
[01:53] <maxagaz> hi
[01:53] <maxagaz> how to change the home folder path ?
[01:53] <maxagaz> for a given user
[01:56] <oh_noes> vi /etc/passwd
[01:57] <maxagaz> ok, it has to be done manually
[01:58] <maxagaz> some people think ftp should die, but what can replace it ?
[02:07] <owh> ssh
[02:35] <twb> maxagaz: SFTP (for rw) and HTTP (for ro)
[02:54] <maxagaz> owh, ssh looks too dangerous
[02:55] <owh> maxagaz: Too dangerous for what?
[02:55] <maxagaz> owh, to dangerous to give someone rw access to one directory only
[02:56] <maxagaz> owh, but i probably don't understand it enough
[02:56] <maxagaz> owh, is possible to restrain the access to one directory ?
[02:56] <maxagaz> and its subdirs
[02:57] <twb> maxagaz: ssh receives far more security scrutiny than a typical FTP daemon
[02:57] <owh> maxagaz: That statement makes no sense. ssh is a mechanism to transport information across the Internet in an encrypted fashion. SFTP uses ssh to transport FTP commands across the net. You don't need to give shell access to a user.
[02:57] <twb> maxagaz: locking it down is very well understood, because openssh is widely used
[02:57] <twb> And as owh says, you can hand out SFTP access without giving full shell access.
[02:58] <maxagaz> twb, interesting, i didn't know that...
[03:04] <xperia2> hello to all. i am having trouble installing the newest postfixadmin from sourceforge.
[03:04] <xperia2> get downloaded it with
[03:04] <xperia2> sudo wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3_all.deb?use_mirror=garr
[03:04] <xperia2> and wanted to install it with
[03:04] <xperia2> dpkg -i postfixadmin_2.3_all.deb
[03:04] <xperia2> bit it stop with the error message
[03:04] <xperia2> dpkg: Error ....
[03:05] <xperia2> anybody know how to install the newest postfixadmin ?
[03:05] <owh> xperia2: Is this package specific to your version of Ubuntu?
[03:07] <xperia2> it is not a specific version for ubuntu. i am following this wiki help article here
[03:07] <xperia2> https://help.ubuntu.com/community/PostfixCompleteVirtualMailSystemHowto#Enhanced%20Mail%20Services
[03:07] <xperia2> that advice me to do this
[03:07] <xperia2> normally it should work as written in the wiki page
[03:11] <xperia2> too pitiy that this package is not in the ubuntu repositorys. it would be great to have this in the reps for upgrading later the system full
[03:11] <owh> Have you lodged a packaging request for it?
[03:12] <twb> xperia2: installing third-party packages is very strongly discouraged.
[03:13] <xperia2> never heared about this how to do it ! do you have a link or similar ?
[03:13] <twb> Because they are not subject to the same quality control as official Ubuntu packages.
[03:14] <xperia2> twb: i understand but from my side of view this package should be in the repositority as it is very helpfull
[03:15] <xperia2> the only possibility at the moment to use it is installing it as external package
[03:15] <twb> xperia2: the alternative would be to learn how to manage postfix directly.
[03:16] <twb> But as owh says, you can also file a Request for Package bug.
[03:17] <qman__> xperia2, that tutorial refers to a version that is considerably out of date
[03:17] <owh> xperia2: You could download the source and compile it from source, but since you didn't tell us what the actual error is, there is little we can do from here. As twb says, it's strongly discouraged to install external software - to the point where we probably won't give you actual support.
[03:17] <qman__> did you check universe/multiverse to see if it's been packaged?
[03:18] <twb> http://hpaste.org/fastcgi/hpaste.fcgi/view?id=12449#a12449
[03:18] <twb> Not nearly as bad as webmin's third-party .deb, but it's still clear that they don't really know what they're doing.
[03:19] <twb> qman__: I did; it hasn't.  It's a PHP/MySQL web app for managing postfix/main.cf, so it's hardly surprising that nobody wants to package it.
[03:19] <qman__> ah
[03:30] <xperia2> well postfix looks really very helpfull especially when it comes to mysql backed postfix solution.
[03:30] <xperia2> http://postfixadmin.sourceforge.net/
[03:30] <xperia2> have installed now the older version as i need it.
[03:30] <xperia2> will look to create a package request for this application if nobody till yet has created
[03:31] <xperia2> first however i need to update the wiki page as the version is heavy outdated
[03:38] <twb> I have hosts with heterogeneous disk sizes.
[03:39] <twb> I wish to lvextend /dev/mapper/foo-bar on all these hosts, to use up all remaining PFree
[03:39] <twb> Can I specify --size in terms of pfree?
[03:41] <twb> Ah, --extents 100%FREE
[03:47] <maxagaz> twb, how to make restriction with ssh so that a user can only browse its folder ?
[03:48] <twb> maxagaz: talk to #openssh
[03:48] <maxagaz> twb, ok
[03:48] <twb> maxagaz: it should mostly be covered by the sshd_config manpage
[04:07] <xperia2> okay gug is now allso filled up at launchpad !
[04:07] <xperia2> https://bugs.launchpad.net/ubuntu/+bug/485645
[04:10] <xperia2> :-)
[05:04] <spirits-sight> OK, I have two user account I would like them to control the directory that are connect to their domain, how would I do this?
[05:50] <qman__> I can't get my traffic shaping to work right--upload throttling is working, but download throttling isn't. Here's my script: http://pastebin.com/m42db8842
[05:51] <qman__> output of tc show commands indicate no packets are being sent to the 1:10 class
[06:19] <maxagaz> how to allow a user to browse only his folder ?
[06:26] <twb> maxagaz: in what?
[06:28] <maxagaz> twb, in his home folder
[06:28] <twb> maxagaz: I mean, in what service?
[06:28] <maxagaz> twb, i'm still on my ssh problem, but it seems it's not a ssh problem
[06:29] <twb> maxagaz: in SFTP, then?  Or full ssh?
[06:29] <twb> maxagaz: did you ask the #openssh people about it?
[06:29] <maxagaz> twb, i just want to allow this user to scp or ssh to his folder but I don't want him to see anything else
[06:30] <twb> So you *do* want to allow full SSH, not just SFTP
[06:38] <maxagaz> twb, i don't really understand sftp
[06:38] <maxagaz> twb, do i have to install something else than openssh-server to do sftp ?
[06:39] <twb> openssh-server includes sftp
[06:40] <maxagaz> twb, actually i need someone to send some files on my server regularly, that's all
[06:40] <maxagaz> so, sftp looks the good solution if it allows this only
[06:40] <twb> maxagaz: do you need normal ssh to work, too?
[06:41] <maxagaz> no
[06:41] <twb> That is, does any user (including yourself) need to ssh into the box?
[06:41] <maxagaz> not those users
[06:41] <maxagaz> i need to ssh into the box
[06:41] <twb> OK
[06:42] <maxagaz> but some users (all belonging to the same group) can only send files to the server
[06:42] <qman__> I tackled that situation by creating a jail for those users with jailkit
[06:42] <twb> You need to write a Match block in your sshd_config, which has ForceCommand internal-sftp and ChrootDirectory /srv/pub or /home/fred or similar
[06:43] <maxagaz> I put them in: /opt/my_special_users/
[06:43] <twb> qman__: openssh-server handles the jailing internally -- and best of all, requires no libraries or anything inside the chroot
[06:43] <maxagaz> i mean their home folder
[06:43] <qman__> nice
[06:43] <twb> qman__: apparently this is a relatively recent development in openssh-server
[06:43] <qman__> yeah, it certainly didn't exist when I was addressing it
[06:44] <qman__> hence the somewhat complex jailkit setup
[06:46] <qman__> ah
[06:46] <qman__> it was added circa april 2008
[06:46] <qman__> last time I did it was in 2007
[06:46] <maxagaz> twb, i'm in the sshd_config file, can you please teach me how to do this for the group ? i'm not sure to understand...
[06:46] <twb> maxagaz: you want (at the bottom of the file) something like (untested): Match User fred \n ForceCommand internal-sftp \n ChrootDirectory /srv/pub
[06:47] <twb> qman__: if your sshd_config mentions internal-sftp, you should have it.
[06:55] <maxagaz> twb, what if I want to do it with two users ? Just add another block ? Nothing tells ssh when the block ends ?
[06:55] <twb> As sshd_config says, the match block ends at the end of the file, or at the start of a new Match block
[06:56] <twb> It looks like you can say "Match User alice, bob" or something, but I haven't checked.
[06:57] <twb> Obviously you will test this before placing it in production...
[06:58] <kaushal> hi
[06:58] <kaushal> i get Nov 19 22:55:22 host0104 kernel: [19938.001554] program smartctl is using a deprecated SCSI ioctl, please convert it to SG_IO
[06:58] <kaushal> Nov 19 22:55:22 host0104 kernel: [19938.002814] 3w-9xxx: scsi0: ERROR: (0x03:0x0101): Invalid command opcode:opcode=0x80.
[06:58] <kaushal> on ubuntu hardy server
[06:59] <kaushal> Any clue ?
[06:59] <twb> kaushal: safe to ignore, I think
[07:00] <qman__> kaushal, if you're not experiencing any problems, the errors are safe to ignore
[07:00] <qman__> make sure that smartctl is doing what you want
[07:00] <kaushal> ok
[07:01] <kaushal> but the system is unstable
[07:01] <kaushal> qman__: how do i use smartctl to fix the above issue ?
[07:02] <qman__> the first error is regarding smartctl; if smartctl is working properly, it can be safely ignored
[07:02] <qman__> the second is likely an error with the configuration or drivers of your 3-ware RAID controller, or the hardware is failing
[07:03] <qman__> the thing about the second error is, if everything works, it can be ignored
[07:03] <qman__> but if there's a problem, it might point you in the right direction
[07:03] <twb> Oh sorry, I only looked at the first message
[07:04] <kaushal> smartctl -a -d ata /dev/sda
[07:04] <kaushal> Smartctl: Device Read Identity Failed (not an ATA/ATAPI device)
[07:05] <qman__> that one's pretty self explanatory, /dev/sda is not an ata device, you need a different -d option
[07:06] <qman__> usually omitting the -d option will let it autodetect the correct one
[07:06] <qman__> but it doesn't always work, check the manual for the other options
[07:07] <twb> -d ata is for SATA drives
[07:07] <twb> But since you're using 3-ware, you probably need something vendor-specific like -d 3ware
[07:11] <kaushal> 03:03.0 RAID bus controller: 3ware Inc 9xxx-series SATA-RAID
[07:12] <twb> kaushal: the error means smartd CAN'T talk SATA to the drives in your hardware raid
[07:19] <kaushal> bit confused here
[07:20] <maxagaz> twb, thanks a lot
[07:20] <kaushal> what needs to be done exactly to sort out this issue ?
[07:21] <twb> kaushal: read the smartd manpage?
[07:21] <kaushal> yeah
[07:22] <twb> Find out which -d you need
[07:22] <twb> 18:07 <twb> But since you're using 3-ware, you probably need something vendor-specific like -d 3ware
[07:22] <kaushal> Device: AMCC     9500S-4LP  DISK  Version: 2.08
[07:22] <kaushal> please try adding '-d 3ware,N'
[07:22] <kaushal> you may also need to change device to /dev/twaN or /dev/tweN
[07:22] <kaushal> when i run smartctl -a -d scsi /dev/sda
[07:23] <twb> kaushal: and did you try that?
[07:23] <kaushal> smartctl -a -d 3ware,0 /dev/sda
[07:24] <kaushal> WARNING - NO DEVICE FOUND ON 3WARE CONTROLLER (disk 0)
[07:24] <twb> I'm not familiar with 3ware, so the only other thing I can suggest is you contact your hardware vendor and ask them.
[07:26] <kaushal> twb: so i have to use smartctl to fix the issue? am i understanding you correctly ?
[07:26] <qman__> kaushal, you haven't said what the issue is
[07:27] <kaushal> the issue is the machine gets freezed and becomes unstable
[07:27] <twb> kaushal: well, nothing you do in smartctl will fix that
[07:27] <qman__> yeah
[07:27] <twb> smartctl/smartd just reports hardware errors in your disks
[07:28] <kaushal> understood
[07:28] <kaushal> Thanks
[07:28] <qman__> since you have another error regarding your 3ware controller, that's one thing that could be causing the problem
[07:29] <kaushal> so i have to run the smartctl to look for hardware errors on my disk
[07:29] <qman__> check for driver conflicts, misconfiguration, or hardware failure
[07:31] <magatz> Hi all i've got a question/problem using ecryptfs with dovect maildir on my home (encrypted filesuystem)
[07:31] <twb> I hate hardware raid for that reason
[07:31] <magatz> specifically, everything works correctly when i am logged via ssh into the server
[07:32] <magatz> but i log-off maildrop doesn't uses may ~/Maildir but the /var/mail maildir
[07:33] <magatz> i think the problem comes from the home encrypted filesystem that is not mounted when i logoff from the server
[07:33] <qman__> that's correct
[07:33] <magatz> any hint?
[07:33] <qman__> it can't access ~/Maildir when it's encrypted and not mounted
[07:34] <qman__> however, I don't know what you need to do to work around that
[07:34] <qman__> probably set it up to store your mail in a temporary folder while logged off, then move it when you log on
[07:34] <magatz> ok, but how can i keep it mounted when i'm logging off
[07:34] <qman__> or something like that
[07:35] <magatz> already works this way, but it's a pain in a multi-user environment....
[07:36] <magatz> I'd like to keep the home filesystem always mounted
[07:37] <qman__> that's outside my knowledge and a quick google isn't helping, sorry
[07:37] <magatz> thanks anyway :)
[07:43] <maxagaz> twb, where is the doc you were referring about for the Match block ?
[07:45] <twb> maxagaz: man sshd_config
[07:46] <maxagaz> twb, thanks
[07:51] <kaushal> qman__: shall i pastebin the observation ?
[07:53] <dayo> how do i lock the account of a user on an nfs server? i'm using openldap to authenticate them.
[07:53] <kaushal> twb: shall i pastebin the observation ?
[07:57] <maxagaz> twb, it seems i can't do it on hardy => http://www.debian-administration.org/articles/590
[07:58] <maxagaz> twb, how should i update openssh-server on a production machine ?
[08:03] <twb> maxagaz: unless it's in hardy-backports, you shoudln't
[08:04] <maxagaz> Unbuntu-Package search looks to be down...
[08:09] <maxagaz> twb, unfortunately, it's not... 1:4.7p1-8ubuntu1
[08:11] <twb> Since 4.7 doesn't have this feature, you'll have to make a chroot environment and run a second ssh daemon in there -- super sucky
[08:12] <twb> So it might be reasonable to add intrepid entries to your sources.list and write some pins into apt.conf, though that's a bit of a hassle
[08:49] <a_ok> Ubuntu 8.04 hans after saying Activating Swap [OK], No messages in log and not telling what it is doing. Any idea whats going on here?
[08:51] <twb> I'd say it's hanging immediately after activating swap.
[08:58] <a_ok> twb: it seems that activating swap is the last action of S35mountall.sh i doubt it hangs there
[09:00] <twb> a_ok: so what is the next script after that?
[09:04] <maxagaz> how to sort by size with ls ?
[09:06] <\sh> maxagaz, man ls ; ls -S
[09:13] <a_ok> S36mountall-bootclean.sh
[09:13] <a_ok> twb: I think this might be the problem script
[09:15] <twb> a_ok: so put set -x at the top of it and try again
[09:15] <twb> a_ok: be sure to boot without usplash, if you have that installed
[09:19] <a_ok> twb: well its a production server so not reboting it anytime soon what does set -x do btw?
[09:20] <twb> It turns on tracing
[09:21] <a_ok> twb: are there servers using usplash?
[09:21] <twb> a_ok: stupid ones, yes
[09:21] <twb> There are lots of stupid people in this channel, so I have to check
[09:22] <twb> Even my boss makes me put gnome on servers, "because customers are used to Microsoft TS and SBS, which has a local display"
[09:30] <a_ok> twb: wtf you should fire your boss
[09:31] <a_ok> unless your run it for thinclient stuff
[09:31] <twb> Why would it matter if the server serves thinclients?
[09:32] <a_ok> does it not need to run X with gnome libs etc?
[09:32] <twb> Oh, right.  It needs it installed, but not running on the server.
[09:32] <Gorlist> Morning, quick question
[09:33] <Gorlist> I restarted fail2ban
[09:33] <Gorlist> but it failed because the .sock was still present
[09:33] <Gorlist> so I removed the /var/run/fail2ban directory and now getting "
[09:33] <Gorlist> start-stop-daemon: Unable to set gid to 0 (Operation not permitted)" when I try to restart
[09:34] <twb> Gorlist: you're not running it as root
[09:34] <Gorlist> just launch under sudo?
[09:34] <Gorlist> right its running, thanks
[09:34] <twb> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
[09:35] <twb> -m recent is more elegant than that userspace fail2ban crap
[09:35] <Gorlist> right, will read through it
[09:35] <Gorlist> thanks
[09:35] <twb> Better, of course, is to remove password-based authentication from ssh
[09:36] <twb> That article isn't really up with best practices, but it's the least worst I could find on short notice.  Check up with #netfilter if you decide to go with iptables
[09:36] <Gorlist> its not ssh
[09:36] <Gorlist> im having problems with ftp and mail
[09:37] <twb> It should work for other services, too
[09:38] <Gorlist> will take a look, use to use denyhosts but decided to try fail2ban this time around
[09:38] <twb> Of course, FTP is a stupid protocol and requires an extra bit of magic -- but SFTP (rw) or HTTP (ro) is a better idea anyway
[09:46] <Jeeves_> Who should I bother about the -virtual kernel config?
[09:55] <twb> Is there an #ubuntu-kernel?
[09:56] <twb> Jeeves_: plan B is launchpad
[09:57] <Jeeves_> twb: I'm trying #ubuntu-virt now, but they all seem to be asleep :)
[10:16] <magatz> hi, any suggestion on how turn-off encrypted home directory, on 9.10?
[10:17] <magatz> this feature is giving me a lot of problem with nfs and dovecot
[10:20]  * twb boggles
[10:20] <twb> It's on by default?
[10:20] <magatz> i've installed it on 9.04 and after upgrade to 9.10 stilll there
[10:20] <magatz> yes in on by default
[10:20] <twb> Good grief
[10:21] <twb> I'm glad I stick to LTS
[10:21] <twb> (And Debian, for my own stuff ;-)
[10:21] <Jeeves_> It's not on by default, afaik?
[10:22] <maswan> I got asked a question about it, I don't remember which was the default choice though..
[10:22] <twb> maswan: ah, so it probably isn't the default
[10:46] <teddymills> 9.10 server with sshd..is like 5 to 7 seconds from grub to login
[10:55] <magatz> found! here the link: http://ubuntu-ky.ubuntuforums.org/showthread.php?t=1134121
[11:02] <\sh> maswan, the default is "no"...
[11:02] <\sh> maswan, btw...didn't you had some strange syslog entries like diskio.c: don't know how to handle 9 request somehow?
[11:02] <\sh> (HP + SmartArrray)
[11:03] <maswan> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/413070
[11:05] <\sh> hmmm...since jaunty I have now the message I pasted above...I wonder what that is
[11:05] <\sh> and karmic does it still
[11:06] <maswan> Ah, seems to be a different one then. I haven't seen that.
[11:07] <incorrect> i am building some http cache servers using varnish, I am debating about not creating any swap
[11:08] <incorrect> there used to be a performance hit if you built a system with no cache
[11:08] <incorrect> err swap
[11:40] <a_ok> incorrect: well I ran my linux box for years without swap and no performance issues at all, do note that when you run out of memory linux locks up instandly (way faster that is) compared to when you have a swap file
[11:41] <incorrect> there used to be issues with not having swap
[11:41] <incorrect> a box locking up is ok
[11:41] <a_ok> no its not lol
[11:41] <a_ok> incorrect: was it ubuntu speciffic?
[11:42] <incorrect> maybe kernel 2.2 days
[11:43] <a_ok> ow thats way back. linux memorymanagement is quite different now
[11:47] <incorrect> i just wanted to ask
[11:52] <dvrcoder> hi, question: after update my console is not 80x25 anymore. how do i get this back?
[11:56] <a_ok> dvrcoder: frame buffer?
[11:56] <dvrcoder> a_ok: i set vga=normal in menu.lst
[11:56] <dvrcoder> (and i'm still using the old grub)
[11:58] <dvrcoder> ah, i obviously did it wrong :D
[11:58] <epinky> dvrcoder: check the table here http://crunchbang.org/archives/2007/10/10/changing-bootup-and-console-screen-resolutions/
[11:59] <dvrcoder> epinky: thx
[11:59] <a_ok> dvrcoder: nothing to do with grup furtunately kernel params
[11:59] <qman__> no VGA line should make it 80x25, 640x480 makes it 80x30
[12:00] <qman__> I prefer 80x30, more lines, just as readable
[12:01] <a_ok> I prefere higher resolutions logfiles tend to have longer lines
[12:01] <qman__> well, I do too, but for my one box I actually have the console up with, I prefer the low res so I can read it without my glasses
[12:02] <a_ok> qman__: yeah it does depend on what monitor you have lol
[12:02] <qman__> all the other ones I just ssh from this desktop
[12:02] <dvrcoder> well right now it's at about 60 lines. i don't know, i just like good old 80x25 on the console (since i have the same over ssh)
[12:02] <qman__> dvrcoder, well, you can set the vga mode in the kopt= line, then run 'sudo update-grub' to apply it
[12:03] <qman__> that's for grub 1, no idea about grub 2
[12:03] <qman__> I also generally remove the 'quiet splash' from it too
[12:03] <qman__> that way when something goes wrong you can actually see what it is
[12:03] <qman__> but that's just personal preference
[12:05] <qman__> a_ok, it's a 17" CRT, plenty big enough, I just have very poor vision without my glasses ;)
[12:10] <a_ok> qman__: didn't know you had to do an update-grub when you adjust menu.lst
[12:10] <epinky> dvrcoder: try with "vga=ask" ?
[12:11] <twb> vga=normal is 80x25
[12:12] <twb> For grub2, you want to edit /etc/default/grub, particularly on x86-like systems to disable as fb there as it tells you to
[12:12] <qman__> a_ok, you don't if you just modify the actual boot lines, but in ubuntu, the proper way is to modify the kopt= line in the top section, then run update-grub
[12:12] <qman__> that also makes it stick for kernel updates and such
[12:16] <a_ok> hmm good to know, I'm more of a manual man myself that is probalby why I still have gentoo at home. Since ubuntu failed me once with an upgrade I never trusted it
[12:18] <twb> Personally, I prefer video=vesafb:1600x1200-32
[12:18] <twb> (Or uvesafb for widescreens, but that's a huge pain in the arse.)
[12:21] <dvrcoder> re
[12:22] <dvrcoder> btw, can i just unselect the pae kernel in aptitude if i don't need it?
[12:23] <twb> I don't see why not
[12:23] <Adrian1> Hello. Can you please help me install ebox ?
[12:25] <epinky> Adrian1: ebox server?
[12:25] <Adrian1> Ebox..... https://help.ubuntu.com/9.04/serverguide/C/ebox.html
[12:26] <Adrian1> That how to doesn't work.
[12:29] <epinky> Adrian1: I don't use ebox, but what Ubuntu version are you using?
[12:30] <Adrian1> 8.01
[12:30] <Adrian1> Or smth like that.
[12:32] <Adrian1> 8.10
[12:33] <Adrian1> invoke-rc.d: initscript ebox, action "apache" failed.
[12:33] <epinky> if it's 8.10 then bad news
[12:34] <epinky> Adrian: https://bugs.launchpad.net/ubuntu/+source/ebox/+bug/255368
[12:35] <Adrian1> Well... I installed it, let's see if it works.
[12:35] <Adrian1> Aaaa noap.
[12:36] <twb> wasn't ebox totally broken in 8.04 and/or 8.10?
[12:36] <twb> I remember someone saying that in here, though obviously I stay the hell away from web UIs
[12:37] <epinky> twb: you're right, it tells that here https://help.ubuntu.com/community/eBox
[13:18] <\sh> twb, /me is always saying that
[13:31] <dvr> is there an irc channel with openldap support?
[13:32] <epinky> dvr: #openldap ?
[13:33] <dvr> epinky: oh cool, there really is :D
[14:45] <a_ok> what is the goal of /etc/init.d/bootclean
[14:45] <a_ok>  ?
[14:46] <a_ok> I thought that tmp could just be emptied instead of dicected and cleaned
[15:56] <incorrect> is it possible to force a pxe install to always prompt for manual network config
[16:13] <KurtKraut> Should I rely more on BIOS fan control or should I set up fancontrol daemon on Ubuntu?
[17:42] <LanceHaig_wrk> Key
[17:42] <LanceHaig_wrk> I am wondering if there is a patch and config management tool for multiple ubuntu servers?
[17:43] <kaushal> hi
[17:43] <LanceHaig_wrk> I have 100 that need to be managed and I can't seem tot find anything by searching the net
[17:43] <mushroomblue> so, when configuring a server to authenticate to LDAP, I disabled all other methods of authentication. I was able to auth as an LDAP user. after reboot, it's not authenticating, and not accepting system users. is there another way to log into this machine, other than chroot?
[17:43] <kaushal> anyone closing following my issue on ubuntu-server mailing list ?
[17:44] <mushroomblue> cos I'm 2000 miles away, and I don't want to lead a monkey through a chroot. especially because I'
[17:44] <mushroomblue> 'm not sure what partition it is, etc.
[17:45] <kaushal> about 3w-9xxx: scsi0: ERROR
[17:51] <mushroomblue> nevermind. I forgot single user mode was an option.
[18:08] <kaushal> checking in again for my query ?
[18:15] <cyphermox> kaushal, running memtest86 for a couple of hours should tell you whether your memory is good for that server.
[18:17] <kaushal> cyphermox, so its sure shot a memory issue ?
[18:17] <kaushal> I mean sympton
[18:17] <cyphermox> kaushal, it's a common cause of lockups.
[18:17] <kaushal> ok
[18:17] <kaushal> can memtest86 run on 64bit architecture
[18:18] <kaushal> ?
[18:18] <cyphermox> kaushal, you should check whether there are other errors in syslog, and perhaps post them up on in the mailing list thread, for the benefit of everyone in the thread
[18:18] <cyphermox> i think so, yes
[18:18] <kaushal> cyphermox, i have done it already
[18:19] <cyphermox> nothing other than the errors for 3w-9xxx?
[18:20] <kaushal> yeah
[18:21] <cyphermox> kaushal, or even including an excerpt of your syslog from say, that error message, up until the time you get a freeze, that could help.
[18:22] <kaushal> ok
[18:38] <unique> why is my mail server rejecting all the emails telling them "Relaying denied [RCPT_TO]" im using sendmail and courier-imap
[18:40] <ivoks> kaushal: yes :)
[18:59] <teddymills> can i add mdadm to an existing single drive ubuntu-8041-server?
[20:24] <jerrcs> Hi guys.. I downloaded the ubuntu server iso ages ago, burned it on a cd.. now it's corrupt.. but it still boots.. just some files are missing.. anyway to do a netinstall from that same disc?
[20:44] <aberhow> ok, so i just installed, and the only package i choose on install was the openbsd ssh server
[20:44] <aberhow> on boot at the console the server starts
[20:44] <aberhow> then it restarts
[20:44] <aberhow> what's the deal?
[20:45] <KurtKraut> aberhow, the server is restarting by itself?
[20:45] <aberhow> yup, on boot it is
[20:45] <aberhow> or it seems that way
[20:47] <ziesemer> Anything mentioned in the log files?
[20:50] <aberhow> not other than the server is listening
[20:50] <aberhow> then a few seconds later after the restart it says the server is listening again
[20:50] <aberhow> on 22
[20:50] <ziesemer> Is it not listening on :22 the first time?  If not, it sounds like it might be restarting to rebind to a new network interface.
[20:51] <aberhow> that could be it, the computer is set to dhcp
[20:52] <aberhow> i would thit it would have its ip by then though
[20:57] <ziesemer> dhclient should show up in your logs, too.  Should be easy enough to check.
[21:19] <ziesemer> OK, I think I have OpenLDAP all setup and working, as well as basic FreeRADIUS.  Now the part I don't exactly understand:  How are client certificates associated with a user account - or are they even?
[21:40] <ivoks> ziesemer: i might say lots of nonsense cause i haven't slept for quite a while
[21:40] <ziesemer> I know the feeling.  :-)
[21:40] <ziesemer> So basically, I'm sure I could get FreeRADIUS to allow authentication using the same user/pass combinations as for local access, etc.
[21:41] <ziesemer> Client -> user/pass -> FreeRADIUS -> OpenLDAP
[21:41] <ivoks> ok
[21:41] <ziesemer> I'd like to use certificates instead.  Client -> X509 cert -> FreeRADIUS -> OpenLDAP
[21:41] <ivoks> never played with that :/
[21:42] <ziesemer> Under Microsoft AD, for example, the public keys for any issued certs are stored with the user's entry in AD (LDAP).  If it doesn't exist there or if the user isn't active, login denied.
[21:42] <ziesemer> Seems that FreeRADIUS will work the same.  If the public key isn't in the CA or is revoked, access denied.
[21:43] <ziesemer> I was just wondering if it still ties into user authentication when moving from user/pass to certificates.
[21:43] <ziesemer> All I can seem to find online is a reference to the "named client" in the WPA_HOWTO at http://wiki.freeradius.org/WPA_HOWTO .
[21:44] <ziesemer> So I guess I'll just have to test, but an hoping / assuming that the cn (common name) passed in the certificate is still used to check against the username.  (Is account still enabled, etc.?)
[21:44] <ivoks> http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5
[21:46] <ivoks> something like that...?
[21:48] <ivoks> this is for sure something to test and explore
[21:48] <ivoks> i never tried it
[21:48] <ziesemer> I'll experiment and post back.
[21:48] <ivoks> a write up would be great
[21:48] <ziesemer> Will probably end up becoming a blog entry at blogger.ziesemer.com .
[21:48] <ivoks> great
[21:49] <ziesemer> Thanks!  Get some sleep!!
[21:49] <epinky> ziesemer: http://zone.ni.com/cms/images/devzone/tut/8021X.png
[21:49] <ivoks> note that freeradius is built without openssl in ubuntu and debian
[21:49] <ivoks> at least last time i checked :)
[21:50] <ziesemer> epinky:  OK.  I'm looking at the image, and don't see how it applies.
[21:50] <ziesemer> If I'm authenticating with a certificate rather than a user/pass, (how) does FreeRADIUS determine and authorize the username, beyond just validating that the client certificate is valid?
[21:51] <ivoks> right
[21:51] <ivoks>                 --without-openssl \
[21:51] <ivoks>                 --without-rlm_eap_tls \
[21:51] <ivoks>                 --without-rlm_eap_ttls \
[21:51] <ivoks> :)
[21:51] <epinky> ziesemer: http://www.interlinknetworks.com/whitepapers/Intro_802_1X_for_Wireless_LAN_clip_image002.jpg
[21:52] <ziesemer> epinky: Another good image, but I'm not seeing the relevance to the question. (?)
[21:53] <epinky> ziesemer: then sry, I can't help you :(
[21:53] <ziesemer> k, thx
[21:58] <ziesemer> http://freeradius.org/doc/EAPTLS.pdf may be my answer.  Didn't find it before due to it being a PDF.  It shows a log file of a user authenticating with a certificate.  It appears to pull the username out of the certificate.  I'd guess from the common name (cn) field.  Will have to test later.
[22:02] <Mike_lifeguard> Hi, how can I stop pam_motd in libpam-modules from changing my /etc/motd?
[22:06] <epinky> Mike_lifeguard: look for /etc/pam.d/ssh look for a line "session optional pam_motd.so" and comment it out
[22:07] <axisys> i have two ethernet ports on my server .. how do I do network load balance and failover ? right now i am using only one ethernet port ..
[22:08] <Mike_lifeguard> epinky: /etc/pam.d/ssh doesn't exist
[22:08] <ziesemer> axisys - what are you connected to in terms of a network switch?
[22:09] <ziesemer> Ideally, you'd just trunk to a compatible network switch, which would handle both load balancing and failover.
[22:09] <Mike_lifeguard> ah, there is login ... let's see if that's it
[22:10] <axisys> ziesemer: i am connected to a switch .. i think cat 5500 .. let me double check
[22:10] <ziesemer> Otherwise, you could set a 2nd IP on the 2nd port, and use DNS balancing to hand out alternating IPs for each request to a given hostname.
[22:11] <Mike_lifeguard> epinky: That line appears in /etc/pam.d/login -- however the description is that it "prints the motd upon successful login" (I still want to show the motd, I just want pam_motd to stop changing it from what I've set.
[22:11] <axisys> ziesemer: cisco cat 4000
[22:12] <ziesemer> That doesn't mean much to me, except that it is a Cisco Catalyst, which I'm sure supports just about everything.  :-)
[22:12] <axisys> ziesemer: how do I do the DNS balancing ?
[22:12] <ziesemer> Given that you have a supporting switch, I'd just use that instead.
[22:13] <ziesemer> I just did a quick Google search.  It's a little dated (for 6.10), but still appears applicable:  http://www.howtoforge.com/network_bonding_ubuntu_6.10
[22:14] <epinky> Mike_lifeguard: "session  optional  pam_motd.so  motd=/etc/motd"
[22:14] <axisys> ziesemer: thanks.. i want to do the bonding instead.. since i have to depend on network guys for my config ..
[22:15] <ziesemer> Even better:  https://wiki.ubuntu.com/LinkAggregation
[22:16] <axisys> ziesemer: thanks a lot :-)
[22:16] <axisys> ziesemer: i did not know what to google search... i only used IPMP and dladm on solaris
[22:19] <Mike_lifeguard> epinky: That seems to have no effect :\
[22:19] <axisys> ziesemer: Prerequisite: Ethtool support in the base drivers for retrieving the speed of each slave
[22:19] <axisys> ziesemer: how do I know my card supports that ^ ?
[22:20] <epinky> Mike_lifeguard: then PAM is not changing your motd
[22:21] <axisys> ziesemer: i see ethtool gets me the speed .. so i guess i am good w/ prereqa
[22:21] <axisys> prereqs*
[22:29] <axisys> how do I make sure /var/log/messages file is readable by hobbit always.. i think some rotate job reverts it.. whats the recommended way to make the change so hobbit can read messages file ?
[22:29] <axisys> do I have to add hobbit to adm group ?
[22:30] <ivoks> yep
[22:30] <ivoks> note that that will give it access to all logs
[22:30] <Mike_lifeguard> epinky: Do you know of anything else that would be doing it?
[22:30] <ivoks> read-only
[22:31] <axisys> ivoks: hmm.. that gives hobbit too much privilege.. i guess i need to ask hobbit guys on how to make changes in the app so hobbit can read the file using sudo instead
[22:31] <ivoks> why?
[22:31] <ivoks> it can only read logs
[22:31] <ivoks> that's not perfect, for sure...
[22:31] <axisys> so adm group has no other priv than just reading logs ?
[22:31] <ivoks> right
[22:32] <axisys> ivoks: oh ok.. then its fine.. its simpler than anything else.. i guess
[22:32] <axisys> adduser hobbit adm will add the hobbit as part of adm group.. but will it remove its assosication w/ other group with that command ?
[22:32] <Mike_lifeguard> Is there a list of the groups what what privileges they confer? Some are quite cryptic :\
[22:33] <ivoks> no
[22:33] <axisys> let me read the man
[22:33] <ivoks> it just adds it to the group
[22:33] <axisys> ivoks: oh! u r fast .. thanks
[22:33] <ivoks> each user can be a member of multiple groups
[22:33] <epinky> Mike_lifeguard: not really, sry :(
[22:34] <axisys> ivoks: yep.. i just dont remember the command to do it throuh cli..
[22:34] <ivoks> adduser user group
[22:34] <axisys> ivoks: i can from solaris env.. that's why
[22:34] <ivoks> :)
[22:34] <axisys> s/can/came/
[22:35] <Mike_lifeguard> epinky: oh well. thanks for the help anyways
[22:36] <epinky> ivoks: just use usermod -G <group> <youruser>
[22:36] <ivoks> or that
[22:36] <ivoks> adduser username group is faster :p
[22:37] <axisys> epinky: like in solaris
[22:38] <aberhow> make sure you use -a too in that usermod command so it appends the groups
[22:39] <aberhow> usermode -a -G adm hobbit