/srv/irclogs.ubuntu.com/2010/07/06/#ubuntu-server.txt

[00:24] <Sorrell> Hey guys, I have a hardware question.
[00:25] <genii> !ask
[00:25] <ubottu> Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-)
[00:27] <Sorrell> I have a few servers that have a single 1gb networking adapter and I was wondering if I should buy a new NIC with a multiple RJ45 jack on it or just get one with a single RJ45 head and run it with the motherboard input and the external card input
[00:27] <Sorrell> also if you have any hardware suggestion I would love them.
[00:28] <Coder7> Sorrell: that depends on what you need the extra jacks for
[00:28] <CppIsWeird> Sorrell, really depends on what you're trying to do.
[00:28] <CppIsWeird> Sorrell, i dont think you need servers with more than one ethernet interface.
[00:29] <CppIsWeird> Sorrell, if you are desiring such functionality you should switch to a fabric infrastructure
[00:29] <Sorrell> I am setting up a DNS server. They will be in that. One will be exterior and one will be internal
[00:29] <CppIsWeird> Sorrell, make use of switches.
[00:29] <CppIsWeird> Sorrell, MUCH cheaper.
[00:32] <Coder7> Sorrell: if you are using bind, there is no need to have different physical interfaces.
[00:33] <Sorrell> really, I didn't know that.
[00:33] <Coder7> Sorrell: you can configure who gets access to which versions of the zone files based on source addresses
[00:34] <Coder7> Sorrell: all of my DNS servers have multiple views, but a single interface
[00:35] <Sorrell> I will have to look into that. Thanks Coder7 and CppIsWeird
[00:36] <CppIsWeird> yw. but i think Coder7 knew what you were talking about. :-P
[00:38] <Coder7> Sorrell: http://pastebin.com/KBF9unpp
[00:38] <Sorrell> I know it wasn't a very good explanation.
[00:39] <Coder7> that was a snippet of a bind config file
[00:39] <Sorrell> ty
[00:39] <Coder7> all 10.0.0.0/8 and 127.0.0.0/8 addresses get the inside view, everything else gets the outside view
[00:40] <Sorrell> okay
=== KenjiPops is now known as FOCer
[01:17] <CppIsWeird> im on a windows machine puttying to a linux server. can i use scp to transfer a file from one to the other?
[01:21] <qman__> CppIsWeird, use pscp.exe, it's included in the putty installation if you used that
[01:22] <CppIsWeird> ok.
[01:22] <qman__> the actions must be carried out from the windows machine, because windows does not have an SSH daemon
[01:22] <qman__> but you can transfer files in both directions using it
[01:23] <dale__> If pscp.exe isn't included in the putty installation, look for "winscp" on Google.
[01:29] <CppIsWeird> what do these things mean [ ] in bash scripting?
[01:35] <qman__> brackets are used for a number of things
[01:36] <qman__> provide some context
[01:39] <CppIsWeird> so i was just told to run ". eucarc" and someone called it "sourcing eucarc" can i get a little more explanation please?
[01:39] <qman__> it basically sets a bunch of temporary variables
[01:39] <qman__> you can also run "source eucarc" to do the same thing
[01:39] <qman__> to see what variables they are, less eucarc
[01:39] <CppIsWeird> so "sourcing" is not the same as "running" a batch file? or the eucarc is not a "batch" file, its a "source" file?
[01:40] <CppIsWeird> bah
[01:40] <qman__> well, there are no batch files
[01:40] <CppIsWeird> replace batch with bash and ignore the windows connection
[01:40] <qman__> but eucarc is not being run, so much as parsed
[01:40] <qman__> more like a configuration file than a shell script
[01:40] <CppIsWeird> okay. thanks. :-)
[01:41] <Jordan_U> CppIsWeird: Sourcing is basically equivalent to copying and pasting the contents of the file into the shell, it runs the commands in the current shell rather than spawning a new one (which means among other things that variables set in the script persist in the shell after sourcing it)
[01:41] <CppIsWeird> ahh, okay.
[01:42] <CppIsWeird> that makes more sense.
[01:43] <giovani> I wonder if there isn't a better solution to the fragmented linux distro support channels on freenode
[02:14] <debugview> hi, is it possible to install a GUI for ubuntu server if i only have SSH remote access?
[02:14] <debugview> how would i access it like remote desktop to that of windows RDP?
[02:14] <hallyn> vnc
[02:15] <hallyn> you'd start vncserver on the server, and run vncviewer on the client to connect to it.  are you sure you need a gui?
[02:15] <hallyn> (got a fast link from client to server?)
[02:16] <debugview> hallyn, yup
[02:16] <debugview> i wanted to run vmware on it etc
[02:16] <debugview> hallyn, how would the vnc recognise the system then since its CLI only?
[02:17] <Roxyhart0> hi there. somebody have any guide to install a NAT in ubuntu server?
[02:18] <debugview> Roxyhart0, try http://ubuntuforums.org/showthread.php?t=713874
[02:18] <Roxyhart0> great thanks!
[02:18] <debugview> hallyn, ping
[02:20] <debugview> i am looking at NX wonder if its good
[02:22] <hallyn> debugview: sorry, wandered away
[02:22] <hallyn> debugview: vnc works quite well, id say just give it a shot
[02:23] <debugview> ok
[02:23] <debugview> hallyn, i dont need to install X and stuff right?
[02:23] <debugview> or whatever KDE/GNome desktop etc
[02:24] <hallyn> you don't need kde/gnome, but you'll need to pick some window manager
[02:24] <hallyn> fvwm isn't a bad one...
[02:24] <hallyn> venerable
[02:24] <hallyn> so yes you do need x i suspect
[02:24] <debugview> hallyn, what are your opinions on http://www.nomachine.com?
[02:24] * hallyn takes a look
[02:25] <hallyn> debugview: ah, nx
[02:25] <hallyn> i haven't tried it, have heard good things
[02:25] <hallyn> i won't recommend against it by any means
[02:25] <hallyn> i just rarely use x remotely for anything...
[02:25] <debugview> oh okie i will try vncserver and see how it goes
[02:26] <hallyn> linux journal had a favorable article on NX, which was the first i'd heard of it i believe
[02:26] <debugview> hallyn, sometimes i just hate using CLI for anything :D
[02:26] <hallyn> :)
[02:27] <debugview> i am shifting from windows 2008 to a linux variant
[02:27] <debugview> so just trying out
[02:29] <hallyn> debugview: i think your first instinct might have been right, NX might be most like what you want
[02:29] <debugview> that leaves the installation portion to be desired :x
[02:30] <hallyn> what do you mean exactly?
[02:30] <hallyn> you want to minimize your work, or the work on the part of the servers?
[02:30] <hallyn> (just curious)
[02:31] <debugview> minimize my work
[02:31] <debugview> i dont mind working with CLI but sometime editing conf files or what
[02:31] <debugview> installing stuff
[02:31] <debugview> i rather cut down the chase
[02:32] <debugview> than trying to tinker around why X doesnt work because Y needs to be modified but Z have yet to be installed so Y cant work etc..
[02:32] <debugview> a UI would very much cut that portion down
[02:33] <debugview> of course your opinions might differ
[02:33] <hallyn> maybe i should do a short blog post on the shortest (imo) way to get a remote gui on ubuntu server...  would probably get some arguments :)
[02:33] <debugview> hallyn, please do and pm me your blog url so i can add it to my daily must read blogs list
[02:33] <debugview> better not spam me with popups :<
[02:34] <hallyn> if it were me, i would 'apt-get install tightvncserver vncviewer fvwm', start up a vncserver running fvwm (takes roughly 3 steps the first time), and then you're running
[02:34] <hallyn> lol - "caching
[02:34] <hallyn> "
[02:34] <hallyn> ca-ching that is
[02:34] <debugview> let me google what is fvwm
[02:34] <hallyn> just an old window manager
[02:35] <hallyn> installing gnome-desktop will probably give you exactly what you'd expect from a normal login screen.  so if your servers and net link can handle it, do that
[02:35] <CppIsWeird> how do i mount a cdrom?
[02:35] <hallyn> 'mount /dev/cdrom /mnt/cdrom'
[02:35] <CppIsWeird> ty
[02:36] <debugview> hallyn, heh a xeon server would handle that fine :(
[02:36] <CppIsWeird> special device /dev/cdrom does not exist?
[02:36] <hallyn> CppIsWeird: (you might need to dmesg to check which device was actually assigned)  do make sure it wasn't already auto-mounted by your desktop under /media/?
[02:36] <hallyn> dmesg | tail, it's probably /dev/sdc1 or somesuch
[02:37] <debugview> hallyn, apt-get install gnome-desktop-environment  first yeah?
[02:37] <hallyn> debugview: yup
[02:38] <hallyn> (had to check aptitude real quick)
[02:38] <debugview> hallyn, i guess it will install X dependencies if its missing?
[02:38] <CppIsWeird> never mind, would help if i was in the right ssh window >_<
[02:39] <debugview> CppIsWeird, hehe
[02:39] <CppIsWeird> too many servers! they're here to SERVE us!
[02:39] <debugview> destroy them with coffee
[02:39] * hallyn has done that...
[02:40] <hallyn> debugview: yes, all dependencies should be auto-installed
[02:40] <hallyn> debugview: mind you i've not tried it, but if not i'd call it a big bug
[02:41] <debugview> hallyn, ha..cant expect much from linux :x even windows have their quirks
[02:42] <hallyn> heh - i expect the world from it :)
[02:42] <debugview> i was trying centos the other day
[02:42] <debugview> and it was a horrible experience
[02:43] <debugview> i had all the dependencies install and yet ./configure keeps saying its not installed :(
[02:45] <hallyn> centos is based on pretty old rhel right?
[02:46] <Shapeshiftr> ok, I need some help. It's a bit specific, but I think I'll be able to explain the general idea. I need to run an .exe (with mono) on 10.04 command line, while also being able to access the user@server1:~$ command line.
[02:46] <debugview> i have got no idea seriously :x
[02:46] <Shapeshiftr> how do I go about doing this?
[02:47] <debugview> Shapeshiftr, erm open two sessions?
[02:47] <Shapeshiftr> ..?
[02:47] <Shapeshiftr> how?
[02:47] <hallyn> Shapeshiftr: run 'screen' or 'byobu' (a themed screen) i think
[02:48] <Shapeshiftr> hrm, i tried screen, but to no avail.
[02:48] <debugview> what about dtach?
[02:48] <hallyn> Shapeshiftr: the mono prog should just run persistently in the background?
[02:48] <Shapeshiftr> 1) How do I switch between screens once on the .exe's command line? 2) will it stay open once I close putty?
[02:49] <hallyn> control-a control-c to create a new screen
[02:49] <hallyn> then control-a control-d detaches the screen
[02:49] <Shapeshiftr> ctrl-c closes, right?
[02:49] <Shapeshiftr> hmm?
[02:49] <Shapeshiftr> detach?
[02:49] <hallyn> sorry, control-a c
[02:49] <hallyn> yes, so then you can log out that putty session, but the screen session keeps going,
[02:49] <hallyn> and you can log back in, and re-attach
[02:49] <hallyn> using 'screen -r'
[02:49] <debugview> yeah screen is basically the easiest to use
[02:50] <hallyn> it stops me mostly having to worry about junk like 'nohup'  :)
[02:50] <debugview> hehe
[02:50] <Shapeshiftr> I tried nohup, lol, i think it failed.
[02:51] <debugview> hallyn, btw the gnome-desktop installation is still ongoing
[02:51] <debugview> my server definitely needs bluetooth..rofl
[02:51] <debugview> i am so gonna bluetooth to my server from miles away
[02:51] <Shapeshiftr> so, I typed in screen, then I started my .exe. now what?
[02:51] <debugview> press Ctrl A
[02:51] <debugview> then Ctrl D
[02:51] <hallyn> i've just re-commissioned an 8-yr old laptop, so i'm running a very barebones 'dwm' window manager :)
[02:52] <debugview> to detach back to your command line
[02:52] <debugview> your linux commandline that is
[02:52] <debugview> to resume type screen -r
[02:52] <Shapeshiftr> ok, now to test.
[02:52] <Shapeshiftr> :D
[02:52] <debugview> if you have multiple screens you have to specify the number of the screen
[02:52] <Shapeshiftr> D:
[02:52] <debugview> screen -r 123456
[02:52] <Shapeshiftr> no, didn't work?
[02:52] <hallyn> btw you can name the session using 'screen -S myname'
[02:52] <Shapeshiftr> screen -x shows all screens, right?
[02:53] <debugview> Shapeshiftr, define not working...
[02:53] <debugview> crash? etc...
[02:53] <Shapeshiftr> one sec.
[02:53] <hallyn> Shapeshiftr: screen -list
[02:53] <hallyn> -x is something different
[02:54] <debugview> hallyn, i wish i have the time to play around with DWM...but i guess it will need lots of configuration doesnt it?
[02:55] <hallyn> debugview: i do reconfigure it, but on this laptop am using it stock, it's still very nice.
[02:55] <Shapeshiftr> There are several suitable screens on:
[02:55] <Shapeshiftr>         20853.pts-0.server1       (07/05/2010 09:50:30 PM)        (Detached)
[02:55] <Shapeshiftr>         20065.pts-0.server1       (07/02/2010 11:26:48 PM)        (Detached)
[02:55] <Shapeshiftr>         9048.pts-0.server1        (07/02/2010 10:52:47 PM)        (Detached)
[02:55] <Shapeshiftr> Type "screen [-d] -r [pid.]tty.host" to resume one of them.
[02:55] <Shapeshiftr> hmm.
[02:55] <Shapeshiftr> type what?
[02:55] <hallyn> but you do need to make sure you know the names of the progs you use...  often unrelated to the menu entry listing :)
[02:55] <hallyn> Shapeshiftr: screen -r 2853 i guess
[02:55] <Shapeshiftr> I want the 05 one, of course.
[02:56] <Shapeshiftr> ok, that number?
[02:56] <hallyn> Shapeshiftr: yes really i think any unique substring in the name will work
[02:56] <debugview> yeah using a name is easier
[02:56] <debugview> but i usually try one by one till i get the correct one
[02:56] <debugview> its fast anyway
[02:57] <Shapeshiftr> how do I close a screen, then?
[02:57] <debugview> just exit your application then type exit
[02:57] <qman__> exit the shell
[02:57] <debugview> just like what you normally do when you exit your console
[02:57] <qman__> exit, logout, ctrl+D, etc
[02:57] <Shapeshiftr> oh, oh, right.
[02:57] <debugview> Shapeshiftr, how's the mono support on linux already?
[02:58] <debugview> the last time i tried it was still buggy
[02:58] <Shapeshiftr> it's fine, I think.
[02:58] <Shapeshiftr> the program i'm using was developed with mono support.
[02:58] <hallyn> (you can also just do control-a K to kill the screen session)
[02:58] <debugview> maybe i might go back using mono for linux
[02:58] <hallyn> yeah mono is what i need to get netflix on linux one day right?
[02:58] <debugview> or java
[02:58] <hallyn> lol - or python :)
[02:59] <debugview> hallyn, ok i am done with apt-get  install gnome-desktop
[02:59] <qman__> I refuse to use mono on principle alone
[02:59] <debugview> what else do i need to know?
[02:59] <debugview> qman__, meh..man it up and chuck those principles aside :D
[02:59] <qman__> mono does not offer anything for me
[03:00] <qman__> besides, ignoring principles is the exact opposite of "manning up"
[03:02] <debugview> qman__, i kid :<
[03:03] <debugview> hallyn, are there any special "clients" that i need to view gnome desktop remotely after installing it via CLI?
[03:04] <qman__> you need a VNC client
[03:04] <qman__> I recommend tightVNC
[03:04] <debugview> qman__, what's the noob level on that?
[03:04] <debugview> i mean difficulty
[03:04] <qman__> I'm not qualified to gauge it
[03:05] <debugview> alright
[03:05] <qman__> since I'm the type who would never bother installing a GUI on ubuntu server
[03:05] <debugview> lucky you :(
[03:05] <debugview> i might stop using GUI once i get the hang of it
[03:05] <qman__> it really does not provide any advantages
[03:05] <debugview> tightvncserver - virtual network computing server software
[03:05] <qman__> all the services, configurations, etc will all be done from the command line anyway
[03:05] <debugview> i guess this should be the one
[03:06] <qman__> you'll just have some gnome-terminals open, doing exactly the same thing you would over SSH
[03:06] <debugview> yeah i know i am just making my life easier, less stressful
[03:06] <debugview> for starters
[03:06] <hallyn> debugview: yes, that's the server, then you'll need the client (apt-get install xtightvncviewer) on the remote end
[03:07] <qman__> GUIs have their place, but ubuntu server is not it
[03:07] <debugview> hallyn, yea but i am using windows
[03:07] <qman__> I don't understand how it could be any easier
[03:07] <debugview> so i will get the windows equivalent
[03:07] <hallyn> debugview: oh, then.  whatever is the windows vnc client :)
[03:07] <hallyn> yeah
[03:07] <debugview> qman__, yeah just for starters like i said no harm
[03:07] <qman__> well that's just it, it makes things complicated
[03:07] <debugview> in fact i am learning about CLI just by doing all this installing stuff am i? :D
[03:07] <qman__> X opens a lot of potential security issues
[03:08] <qman__> and uses considerable resources
[03:08] <debugview> hallyn, do i need to configure any files for tightvncserver after installing it?
[03:08] <qman__> the same goes for VNC
[03:08] <hallyn> debugview: since you want to run the gnome desktop, i don't think so - it should all just do what you want
[03:08] <qman__> don't use VNC over the net, at least not without an SSH tunnel
[03:09] <qman__> that's asking for trouble
[03:09] <hallyn> agreed on the ssh tunnel for vnc!  was assuming you're on a local link
[03:09] <debugview> why? its not encrypted?
[03:09] <hallyn> heh, no.
[03:09] <qman__> no
[03:09] <qman__> and the authentication is limited to an 8-character password
[03:09] <hallyn> read the original paper.  it's an academic exercise :)
[03:10] <qman__> cracking it is child's play
[03:10] <qman__> there are bots that search the net for open VNC servers
[03:10] <qman__> just like they search for SSH servers
[03:10] <debugview> lets say i installed the vncserver already
[03:10] <debugview> its using my root password to login right?
[03:10] <qman__> no
[03:10] <hallyn> debugview: so on the CLI bit - you said you wanted vmware so i think you must have GUI for that, but i'd suggest you look into libvirt CLI with kvm/qemu
[03:10] <qman__> and you should not have a root password
[03:11] <qman__> if you do, and you want to keep it, there are other things you need to change to secure your system
[03:11] * hallyn will abstain from getting into any arguments tonight about sudo vs. having a root password
[03:11] <qman__> that argument aside
[03:11] <qman__> many things are configured to allow root logins
[03:11] <qman__> that should not be
[03:11] <qman__> such as SSH
[03:11] <giovani> heh
[03:11] <debugview> qman__, yeah mine doesnt allow root login
[03:12] <debugview> i have to do a sudo once i login using another account
[03:12] <qman__> you need to disable those if you want to give root a password
[03:12] <giovani> I'd love to discuss mass server management with qman__ sometime
[03:12] <debugview> gosh tightvnc website is so freaking slow
[03:12] <debugview> cant even download their client
[03:13] <qman__> of course, using passwords at all is not really that good of an idea these days
[03:13] <qman__> but you have to draw the line between security and usability somewhere
[03:14] <giovani> well, you have protect your bios/bootloader somehow
[03:14] <giovani> I've yet to see something other than passwords implemented
[03:14] <qman__> that's really a moot point
[03:14] <qman__> if your physical security is compromised, it doesn't really matter what you do
[03:14] <giovani> neither of those is specific to physical security
[03:15] <giovani> s/is/are/
[03:15] * hallyn draws out his broadsword
[03:15] <giovani> sorry, I don't mean to hijack an otherwise mild conversation
[03:15] <debugview> but then you cant login without providing a password
[03:15] <hallyn> lol
[03:15] <giovani> we can continue this after helping debugview
[03:15] <debugview> what sort of authentication exists besides password?
[03:15] <qman__> key-based
[03:15] <debugview> but isnt that based on a password to generate the key file too
[03:16] <qman__> no
[03:16] <giovani> no
[03:16] <qman__> it is randomly generated
[03:16] <giovani> and sometimes the key is additionally encrypted with a password -- but, ultimately, the key itself is a far better method of providing remote access
[03:16] <qman__> there are other types but key-based is arguably the strongest and most convenient
[03:17] <qman__> but it's only secure as long as you keep your keys safe
[03:17] <debugview> hallyn, ok i ran the vnc client and i entered my IP and it says connection failed? how do i know if its working on the server side?
[03:17] <debugview> qman__, you mean like the german spy? :x
[03:17] <giovani> I hear russian spies are really good at encryption
[03:18] <giovani> :)
[03:18] <qman__> ps ax | grep vnc
[03:18] <debugview> 22918 pts/0    S+     0:00 grep --color=auto vnc
[03:18] <debugview> root@27AO33:/home/sysadmin#
[03:19] <qman__> well, unless the daemon does not contain 'vnc' in its name, it's not running
[03:19] <debugview> ok that makes sense..now i will need to figure out how to run this tightvncserver after installing it
[03:20] <qman__> I don't know enough about the server to say for certain, but there may be a configuration preventing it from starting in /etc/default
[03:20] <Shapeshiftr> how do I delete the contents of a directory?
[03:20] <qman__> like "IS_CONFIGURED=no"
[03:20] <debugview> rm -R ?
[03:20] <qman__> rm
[03:20] <Shapeshiftr> mmk.
[03:21] <hallyn> debugview: did you do 'vncserver' to start a server session?
[03:21] <giovani> Shapeshiftr: do you want to delete the directory AND its contents? or just its contents?
[03:21] <Shapeshiftr> And, lol, the reason why it wasn't working was because the program didn't have mono support in that revision >_<
[03:21] <Shapeshiftr> just the contents.
[03:21] <qman__> rm directory/*
[03:21] <qman__> that won't remove hidden files though
[03:21] <giovani> well, rm -r directory/*
[03:21] <giovani> in case there are subdirs
[03:21] <Shapeshiftr> that's fine, I created the directory.
[03:22] <Shapeshiftr> and there are subdirs
[03:22] <debugview> hallyn, yeah i did
[03:22] <giovani> so rm -r then
[03:22] <debugview> i did a netstat -an and there is a port listening on 5901
[03:22] <qman__> the default port for most clients is 5900
[03:22] <qman__> try specifying 5901
[03:22] <debugview> sweet, its working
[03:23] <debugview> \o/
[03:23] <debugview> i am enlightened
[03:23] <giovani> you are living dangerously ;)
[03:23] <qman__> now that you have verified that it works, I suggest you immediately turn it off
[03:23] <qman__> and use SSH tunnels instead
[03:23] <debugview> ok a question that begs to be asked, how do i turn it off? :x
[03:23] <debugview> i know its easy doing kill -9
[03:24] <debugview> but is there a better way?
[03:24] <hallyn> you can do 'vncserver -kill :1', but
[03:24] <qman__> that's the last resort way to kill processes
[03:24] <hallyn> really what you want is to just prevent access to port 5901 directly using ipfilter i assume
[03:24] <qman__> if you started it by running 'vncserver', do `ps ax | grep vncserver` to get the PID, then kill that PID
[03:24] <hallyn> you don't need to stop the server
[03:25] <qman__> really, it should be running as a daemon with an init or upstart script
[03:25] <debugview> oh yeah
[03:25] <Shapeshiftr> I can't sudo rm -r
[03:25] <Shapeshiftr> nothing happens.
[03:25] <debugview> root@27AO33:/home/sysadmin# tightvncserver -kill :1
[03:25] <debugview> Killing Xtightvnc process ID 22930
[03:25] <qman__> ShadeS, no output means it's working
[03:25] <qman__> err
[03:25] <qman__> Shapeshiftr, ^
[03:25] <giovani> Shapeshiftr: you sure you want to run it with sudo?
[03:26] <Shapeshiftr> but I looked at the directory in filezilla, and all the files are still there.
[03:26] <giovani> and, you'll of course need to supply the directory as we instructed
[03:26] <Shapeshiftr> i did.
[03:26] <qman__> make sure it refreshes
[03:26] <giovani> "rm -r /path/to/directory/*"
[03:26] <Shapeshiftr> mmhm, giovani
[03:26] <debugview> ok what is this SSH tunnel stuff? does it allows remote desktop like VNC too?
[03:26] <qman__> no
[03:26] <giovani> Shapeshiftr: trust me -- it's a simple command -- you likely didn't run it properly, or, as qman__ points out -- refresh FileZilla
[03:26] <qman__> an SSH tunnel allows you to forward your VNC connection through an encrypted, authenticated channel
[03:27] <hallyn> debugview: 'ssh -L 5951:localhost:5901 server.name' and then you can do 'vncviewer localhost:51'
[03:27] <qman__> first, configure your VNC server to only listen on localhost
[03:27] <Shapeshiftr> ah, refreshing wokrs.
[03:27] <Shapeshiftr> *works
[03:28] <giovani> sigh
[03:28] <debugview> "Probably, the best way to secure Xvnc server is to allow only loopback connections from the server machine (the -localhost option) and to use SSH tunneling" according to google...i am gonna try it
[03:28] <Shapeshiftr> yeah, really, giovani >_,
[03:29] <Shapeshiftr> I'm quite the beginner with command line OSs
[03:29] <giovani> I don't think FileZilla qualifies as a command-line tool
[03:29] <debugview> i am really surprised ubuntu doesnt have a remote desktop built in like windows RDP
[03:29] <qman__> ubuntu desktop does, it has uses VNC
[03:29] <qman__> this is ubuntu server
[03:29] <giovani> debugview: completely different target markets
[03:29] <giovani> they're not competing OSes really
[03:30] <qman__> on ubuntu server, the GUI only complicates things
[03:30] <qman__> especially if you let it install NetworkManager
[03:30] <hallyn> gah
[03:30] <qman__> then you're in for a real mess
[03:31] <hallyn> just removed that from my new xubuntu install a few hours ago
[03:32] <giovani> xfce's bloat man
[03:32] <giovani> stay away from that
[03:32] <debugview> <hallyn> debugview: 'ssh -L 5951:localhost:5901 server.name' and then you can do 'vncviewer localhost:51' <-- is this for linux only?
[03:32] <qman__> the only kind of ubuntu server that needs X is an LTSP server
[03:32] <qman__> which is a special case
[03:32] <qman__> debugview, that's the command when using the openssh client
[03:33] <qman__> if you're using putty, you have to configure it
[03:33] <hallyn> giovani: i did - removed gdm next, and am running dwm
[03:33] <hallyn> but had to start somewhere, and server doesn't have wireless
[03:33] <giovani> why did you even install xubuntu then?
[03:33] <giovani> just do a minimal install
[03:33] <giovani> you mean the server kernel doesn't
[03:34] <giovani> you don't need to run the server kernel
[03:34] <hallyn> <shrug>  i've only got 5 cds available to burn and this old laptop won't boot off usb
[03:34] <giovani> dwm's pretty old-fashioned
[03:34] <hallyn> rock on
[03:34] <giovani> try a newer, more awesome tiling window manager
[03:34] <giovani> xmonad, awesome, stumpwm
[03:34] <hallyn> i use wmii once in awhile
[03:34] <hallyn> the nice thing about dwm is it's simple enough there's no thinking involved at all
[03:34] <hallyn> i have considered trying awesome
[03:35] <giovani> xmonad is pretty nice
[03:35] <qman__> I haven't tried any of those
=== amstan_ is now known as amstan
[03:35] <qman__> I used to use fluxbox back when I ran gentoo
[03:35] <giovani> qman__: what wm do you run?
[03:36] <hallyn> hah - stumpwm  - i haven't run a lisp wm since i tried gwm in 1996
[03:36] <debugview> hallyn, does the stuff i run over VNC terminate if i close the vnc session?
[03:36] <giovani> haskell is where it's at
[03:36] <hallyn> debugview: not if you terminate the client
[03:36] <hallyn> if you terminate the server, then yes - unless you run screen in each terminal under vnc :)
[03:36] <giovani> but stumpwm is pretty clean -- a few people at work use it
[03:36] <giovani> particularly the emacs folks
[03:36] <hallyn> giovani: i'm looking (obviously)
[03:36] <qman__> and I've used iceWM, which I rather liked, but it's kind of broken in ubuntu
[03:37] <giovani> hallyn: looking?
[03:37] <giovani> qman__: all the good wms are broken in ubuntu
[03:37] <qman__> on a day to day basis I just use regular ubuntu/gnome
[03:37] <giovani> that's what happens when the user community goes mainstream
[03:37] <giovani> yikes man
[03:37] <giovani> how do you function?
[03:37] <qman__> slowly
[03:37] <qman__> ;)
[03:37] <qman__> my desktop is still running karmic
[03:38] <qman__> because I don't want the mess that is the new UI
[03:38] <giovani> with lots of carpal tunnel with the mouse movement
[03:38] <giovani> xmonad is pretty broken in lucid
[03:38] <giovani> took about 15 minutes to fix it
[03:38] <hallyn> dwm works fine out of the box :)
[03:38] <debugview> hallyn, yeah ssh tunneling work too
[03:38] <debugview> connecting to localhost:5901
[03:38] <hallyn> configs are still nice, but it's not broken
[03:38] <giovani> hallyn: ratpoison worked out of the box
[03:39] <hallyn> debugview: cool
[03:39] <giovani> on lucid
[03:39] <giovani> you could try that, it's what stumpwm is based on
[03:39] <hallyn> debugview: note that the vnc session port is 5900+index, so server:1 = port 5901
[03:40] <qman__> but yeah, I just haven't had much time to mess with it
[03:40] <debugview> hallyn, roger
[03:40] <hallyn> giovani: mind you i'm happy with dwm atm :)  but i'm looking at stumpwm pages out of curiosity
[03:40] <qman__> I got gnome to a tolerable layout and just deal with the slowness
[03:40] <giovani> hallyn: dwm is lame by comparison to anything new
[03:40] <giovani> not customizable to the same level
[03:41] * hallyn chuckling
[03:42] <giovani> glad I can provide entertainment :)
[03:42] <qman__> my biggest complaint about it is firefox, though
[03:42] <qman__> it gets worse with every new version
[03:42] <giovani> qman__: what's "it" in this context?
[03:42] <qman__> firefox
[03:42] <giovani> your biggest complaint about firefox is firefox?
[03:42] <qman__> er, the first it, being the gnome setup
[03:42] <giovani> ah
[03:43] <giovani> well firefox is slow no matter what wm you run
[03:43] <qman__> everything else isn't too bad performance wise
[03:43] <hallyn> well, i was happy with vimprobable for awhile, but it broke on 64-bit so i'm using surf.  any better browser suggestions?
[03:43] <giovani> I need firefox
[03:43] <giovani> all those extensions I'm addicted to
[03:43] <qman__> yeah
[03:43] <qman__> as terribly bloated and broken as it gets
[03:43] <qman__> nothing else offers the right features
[03:43] <giovani> it's still got more functionality than any other
[03:44] <giovani> so I use it
[03:44] <hallyn> 'itsalltxt' is the only plugin i'm using these days
[03:44] <giovani> I have like 75 extensions
[03:44] <giovani> use every one of them
[03:44] <hallyn> jinkeys
[03:44] <qman__> also, it's the new fad to screw up the tab order, even firefox jumped on it
[03:44] <qman__> don't upgrade to firefox 3.6
[03:44] <giovani> tab mix plus ftw
[03:45] <qman__> I used to use tabbrowser preferences
[03:45] <qman__> but that one died off
[03:45] <giovani> tab mix plus
[03:45] <giovani> trust me
[03:46] <qman__> my system is to the point where I just have to leave flash and java disabled
[03:46] <qman__> firefox crashes every time it loads one
[03:46] <qman__> I use other browsers to view flash objects
[03:46] <giovani> that sounds abnormal
[03:46] <qman__> it used to just crash sometimes
[03:46] <giovani> try upgrading flash and firefox
[03:46] <giovani> it really works fine for me
[03:47] <giovani> once in a while a crash, yes
[03:47] <giovani> but 3.6+ includes the plugin crash handling iirc
[03:47] <qman__> I've been upgrading this same install since 7.10
[03:47] <qman__> does lucid have 3.6 in it?
[03:47] <giovani> yes
[03:47] <qman__> ok
[03:48] <giovani> you'll want to use 32-bit of course
[03:48] <qman__> yeah
[03:48] <giovani> adobe has stopped supplying 64-bit flash again
[03:48] <qman__> oddly enough, this is my only 32-bit system left
[03:49] <qman__> it's got a 64-bit processor, but support was bad three years ago
[03:49] <giovani> all of my laptops/desktops are atoms now
[03:50] <giovani> cloud computing ;)
[03:50] <debugview> hallyn, ok i had fun with the gui i guess i can remove gnome-desktop-environment now
[03:51] <debugview> is there a way to purge everything back to where it was before the install?
[03:51] <giovani> sudo apt-get remove gnome-desktop-environment && sudo apt-get autoremove should remove everything that installed as a result of that
[03:51] <giovani> but back to pristine new install condition? not that I'm aware of
[03:51] <qman__> but will leave config files
[03:51] <qman__> use purge instead of remove to delete those
[03:51] <giovani> true
[03:51] <qman__> but it'll still be changed
[03:52] <debugview> changed as in?
[03:52] <qman__> when you install that many packages, things are bound to get changed
[03:52] <Shapeshiftr> ...
[03:52] <qman__> it's a removal or a purge, not an "undo"
[03:52] <Shapeshiftr> it's still not working.
[03:52] <hallyn> debugview: so you don't need to run vmware?
[03:52] <Shapeshiftr> I can't connect to the server.
[03:52] <Shapeshiftr> I've updated to the mono-supported version.
[03:52] <Shapeshiftr> still no.
[03:53] <debugview> hallyn, i think i will skip it and i will try to install the software manually myself instead of loading windows inside ubuntu server
[03:53] <hallyn> excellent
[03:54] <Shapeshiftr> debugview, can you think why it wouldn'
[03:54] <Shapeshiftr> t be working? even out of screen?
[03:54] <debugview> Shapeshiftr, what is not working?
[03:54] <dolittle> Is there a way to perform secure dynamic dns-update with dhcp3-server on an ad-based dns-server?
[03:55] <Shapeshiftr> that server i was trying to get up.
[03:55] <qman__> dolittle, "secure dynamic updates" use AD authentication
[03:55] <qman__> that is a feature that is not implemented in any open source DNS/DHCP softwares I know of
[03:55] <hallyn> Shapeshiftr: no error msgs in the screen session?
[03:56] <Shapeshiftr> nope.
[03:56] <Shapeshiftr> I'm talking to the creator, too, to see if it's a coding issure.
[03:56] <Shapeshiftr> *issue
[03:57] * hallyn out for awhile
=== dendro-afk is now known as dendrobates
[04:15] <chrismsnz> hey guys - anybody here have some experience with supervisord?
=== dendrobates is now known as dendro-afk
[04:33] <p1l0t> So in my auth.log I have seemingly brute force attempts at getting root from shanghai China via SSH2
[04:34] <p1l0t> Is there a way to limit attempts from IP to like 2 per day...
[04:34] <qman__> yes
[04:35] <qman__> see the iptables recent module
[04:35] <qman__> if that's difficult to implement with an existing firewall, there is also fail2ban
[04:35] <qman__> of course, disabling password authentication on SSH is even better
[04:36] <p1l0t> How would one connect then?
[04:36] <qman__> key-based authentication
[04:36] <p1l0t> Oh so only my cell phone or my netbook could connect..
[04:37] <qman__> only a device containing a valid key for the user they are attempting to log in with
[05:18] <twb> Under what circumstances will 8.04's mount believe that an LVM snapshot of its root filesystem is
[05:18] <twb> mount: unknown filesystem type 'silicon_medley_raid_member'
[05:19] <twb> The nightly backup has failed that way twice in the last month.  (The other nights, it succeeded.)
[05:33] <twb> Google suggests it's a misbehaving fakeraid controller.  The fakeraid should be off, but I've told the proximal monkey to check for a "more off" option in the BIOS.
[05:55] <netwidget> New to Ubuntu, Linux, and networking.  Setting up home network on server 10.04 with all DHCP.  DSL is DHCP.  does dynamic DNS allow me to set up static  IP in server?
[06:00] <twb> netwidget: "dyndns" and similar services allow you to have a fixed DOMAIN NAME (e.g. fred.nurk.name) with a (potentially rapidly) changing IP.
[06:00] <twb> I don't know of any other "dynamic dns"
[06:03] <netwidget> So if I registered a domain of say home.lan with dyndns would I then be able to use home.lan say in Bind9 to resolve nameservers and hostnames?
[06:04] <netwidget> That is Bind9 configured on the server?
[06:07] <twb> dyndns replaces running your own bind
[06:08] <twb> You shouldn't be running bind on a home network unless you're a bearded unix veteran who can't see his toes for the beer gut
=== gallifrey is now known as alco-ninja
=== alco-ninja is now known as v
netwidgettwb - Thx for the imagery.  So if I set up DDNS with domain of home.lan and my servers hostname is servermain, how do I get host computers to find home.lan.servermain?06:20
jmarsdenYou don't, it would be called servermail.home.lan :)06:22
twbNote that ".lan" is not (yet) a valid top-level domain, so that'd only be for internal, not public, use.06:24
netwidgetjmarsden - I assume you meant servermain.home.lan?06:24
jmarsdenIndeed.06:25
netwidgettwb - Yes it would only be for private LAN.  I am trying to simply keep the LAN talking on the client/server level using resolved naming without assigning in ip addresses06:26
twbnetwidget: well, if it's for internal use, dyndns doesn't make sense.06:27
twbSince you're using .lan, I guess you have an OpenWRT router?06:27
netwidgetNot sure what the OpenWRT router is but the .lan was just an example.  My uses for the home LAN are file server, printer server, web development server (testing).  No public access just private access to net.  How do I get client computers to see server (by name) and vice versa to mount drives and create mount-points?06:32
jmarsdentwb: I think netwidget wants a DHCP server to assign IP addresses "dynamically", and to have the host A records auto-added to DNS by the DHCP server.06:33
=== MTecknology is now known as MTeck
twbjmarsden: yeah.  That's why I asked about OpenWRT, because it runs dnsmasq and it Just Does That06:38
twbjmarsden: so all he'd have had to do is edit /etc/hosts and /etc/ethers on the router and/or configure dhclient3 to have: send host-name "servermain";06:39
netwidgettwb, jmarsden, - I have a basic DSL account (non static), I have a Netopia 3347 modem/router from ISP set to DHCP for WAN and LAN sides. Wireless is turned off because I have a second Linksys WRT300N router sending wireless and is used as a switch for cabled ether.  Server is cabled to Linksys.  Linksys is also set to DHCP both sides.06:39
jmarsdentwb: OK.  Without it, he'll need to set up dnsmasq or some equivalent on the server, instead.06:39
twbRight06:40
twbIt's not hard to set up dnsmasq, I just didn't feel like going through it06:40
twbjmarsden: the main point is that because dnsmasq serves both DNS and DHCP, it automatically knows how to integrate them -- cf. isc dhcp + bind06:41
jmarsdenMakes sense.06:41
=== EvilTrek is now known as Mithos
rahmanHi,  I installed openldap on 9.10 server but when I do "slapadd -l example.ldif"   I get this: "Available database(s) do not allow slapadd"  here is ldap.conf : http://pastebin.com/fzZPZbcL06:43
netwidgetWas planning on moving server to DSL router (direct cable) and run the Linksys as a nested lan from the server.  Don'06:44
netwidgetDon't know if that will require port forwarding on the DSL router and whether that will interfere in the dnsmasq?06:45
jmarsdennetwidget: Your internal machine naming and name resolution are only within your LAN, so the router shouldn't need to care about them.06:47
twbBasically your internal DHCP and DNS servers need to care06:49
twbBut if they're on your all-in-one appliance router, then you're probably screwed06:49
jmarsdentwb: Well, so you disable them in the router and add them to your server.  But yes.06:50
twbYeah.06:51
twbWhere "screwed" means "do it a different way"06:51
netwidgetSo then I should install the dnsmasq services on the server and set dhcp range in /etc/dnsmasq.conf?  other than configuring the nameservers and resolving hostnames in conf files on server do I just the DHCP ranges of the routers for no conflicts?07:08
jmarsdenTurn off the DHCP server in the router completely.07:10
huatsmorning07:11
netwidgetAre you referring to the DSL router (connection to ISP)?07:15
netwidgetjmarsden:  Since the Linksys wireless is going to provide wireless connectivity to the LAN, I assume that it needs to have a static IP address from the server and have DHCP turned on for the nested LAN.07:25
jmarsdennetwidget: Probably; if you can put it into "Access Point Mode" and then set its LAN IP manually, that should be fine.  You don't want it doing any routing, if I am understanding you correctly.07:27
* jmarsden is off to bed...07:28
netwidgetjmarsden, twb: Thanks for the help.07:33
jmarsdenYou're welcome.07:33
taneligrub not finding hdd's; only grub rescue prompt is shown08:06
twbtaneli: are the disks in a software RAID array?08:07
taneliyep08:07
twbGrub doesn't support that properly08:07
twbYou need to boot a live CD or similar, and reinstall the grub MBR08:08
twbYou MAY be able to get it working by swapping the order of disks in the array08:08
twbBasically, what happens is that grub is very stupid and records the disk number (according to the BIOS), so when the first disk fails, and the BIOS renumbers the disks, grub MBR loads of /dev/sdb, which is now /dev/sda, and the MBR tries to bootstrap /dev/sdb, which no longer exists.08:09
tanelinice08:10
twb(I'm assuming you're having the same problem as me.)08:10
taneliprobable08:10
twbIt happens to me about once a month with servers I have in South Africa and Israel, which is a bloody nightmare to fix08:11
tanelinothing helps to get it stable?08:11
twbFortunately, extlinux doesn't have this problem!08:11
twbtaneli: like I said, swapping the disk order or putting a blank drive in the first SATA slot *might* help.08:12
twbtaneli: it depends on how "clever" the BIOS is08:12
uvirtbotNew bug: #602155 in samba (main) "sambadidn't install" [Undecided,New] https://launchpad.net/bugs/60215508:36
tanelitwb: how can i tell grub, that my / mountpoint is on lvm-partition09:56
twbYou don't tell grub that10:02
twbYou tell your RAMDISK that.10:02
twbTypically something like root=/dev/mapper/VGraid-LVroot10:02
RoyKtaneli: iirc you can't boot off lvm, I think you need a separate /boot partition to use lvm as root10:21
twbgrub2 *can* boot with /boot on LVM.10:21
twbBut it's probably a dumb thing to do10:22
twbs/probably/usually/10:22
=== lifeless_ is now known as lifeless
twbI'm netbooting a 10.04 image, using casper to merge the read-only NFS root filesystem with a tmpfs ramdisk11:57
twbMost of it's working, but /home (a read-write NFS mount) isn't ever mounted during boot.11:58
twbHow do I debug upstart enough to find out what's wrong?11:58
twb(I suspect it's because an event like "net-device-up" is never generated, because it's up BEFORE init starts.)11:59
=== jussi is now known as Guest7125
=== oubiwann is now known as oubiwann-away
alvintwb: Are you talking about lucid or karmic?12:15
alvinIn Lucid, my NFS mounted home is up 'late' after boot. I just have to wait a bit before logging in.12:16
twblucid12:20
twbalvin: I *need* it to come up before gdm12:20
alvinAh, did you use the undocumented 'bootwait' option?12:20
twbI don't *think* it comes up at all, let me check.  It's hard to tell because plymouth eats /dev/console when gdm starts12:20
alvinYou can check mountall in /var/log/boot.log See bug 50422412:23
uvirtbotLaunchpad bug 504224 in mountall "NFS mounts at boot time prevent boot or print spurious errors" [Medium,Fix released] https://launchpad.net/bugs/50422412:23
twbThe last thing in boot.log is init-bottom (from the ramdisk)12:25
twbI'll try nobootwait, anyway.  I'll also stick a single in there and disable /etc/init/gdm.conf, so I have a bit more visibility about what's happening12:27
twbI *was* getting the 504224 in some other builds, but I don't think I'm getting them now12:28
=== dendro-afk is now known as dendrobates
twbalvin: even with nobootwait, I see it bitching about rpc.statd not running12:31
=== jussi01 is now known as jussi
alvinMight be bug 48420912:32
uvirtbotLaunchpad bug 484209 in nfs-utils "/etc/init/statd.conf: race with portmap startup" [Medium,Fix released] https://launchpad.net/bugs/48420912:32
twbIn this current boot, rpc.statd is definitely running when I look for it, and at that time "mount -a" gets me a /home12:32
twbI'm running lucid with all patches from -security applied, so hopefully bugs marked as "fixed" shouldn't affect me...12:33
=== oubiwann-away is now known as oubiwann
alvinI don't think 'fixed' means that there is an actual fix in the repositories. All these bugs apply to me too. NFS has been flaky for some releases now.12:39
* twb rants12:40
twbThe point of avoiding non-LTS releases is that Ubuntu fixes stuff like this by the time I get here12:40
alvinWell, in my experience, Lucid IS more stable than the two previous releases, but most certainly not more stable than hardy. Technologies like mdadm, lvm and NFS show regressions. Maybe I'm ranting too, but I'm not sure about the direction ubuntu is taking.12:43
twbThe direction of "annoy twb"12:43
twbJust because it's a desktop distro they think it's OK to put desktop users first...12:43
tanelitwb: btw, the problem was a lvm-snapshot. after removing the snapshot the server got back up as expected12:45
twbtaneli: oh, not that bloody issue12:46
pmatulisthat's pretty much fixed12:46
twbtaneli: anything that looks for a UUID will see both snapshot and origin as matching.12:46
twbMaybe grub was too dumb to prefer the origin12:46
tanelitwb: the funny part is: it wasn't a snapshot of my Volgroup-root, but totally different lv12:47
twbtaneli: OK, then I don't know12:47
pmatulisthe snapshot/grub2 problem exists in debian as well and a fix has been released.  please see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=57486312:54
uvirtbotDebian bug 574863 in grub-pc "grub-pc: grub-probe unable to find mapping for /boot on LVM with a snapshot LV" [Grave,Fixed]12:54
twbpmatulis: ty12:57
twbOK, if I patch all the upstart jobs to dump their scriptlets to /var/log, I can see mountall.conf invoking mountall --daemon, which is what appears to run mount and appears to be bitching about rpc.statd not running.13:04
twbmountall-net.conf looks for the mountall daemon in order to send a -USR1 to it, but by that time there's no such process -- mountall --daemon has already exited.13:04
twbLet's try patching a spinlock into mountall-net...13:05
twbNo joy; "status mountall" doesn't give a nonzero status for "I've already finished".13:08
twbAnd "status mountall" did completely the wrong thing; it started plymouth (despite "splash" being absent from the boot parameters) and similar nonsense.13:09
pmatulistwb: i'm not following what you're doing but is there a bug about it?13:17
twbpmatulis: there's no bug report13:20
pmatulistwb: why don't you file one?13:21
twbBecause it's a massive pain in the arse to use launchpad, so I only do it when there's no alternative13:21
twbi.e. when I've found and solved the problem and it's ubuntu-specific and now I just need my patch accepted into the archive.13:21
twbI'm booting with boot=casper and netboot=nfs, which works in 10.04 as it did in 8.04, except that my -olock,rw NFS mounts /home and /srv filesystems aren't mounted.  They're mounted if I manually invoke "mount -a" after booting with single.  They're listed in fstab immediately after it's generated, at boot, in /usr/share/initramfs-tools/casper-bottom/12fstab13:23
twbs/listed/appended to/13:23
twbIf I prevent gdm starting, on vt7 I can see complaints about rpc.statd not running (which is needed for NFS locking), and tracing /etc/init/mountall-net.conf shows that when it starts, the mountall(8) program isn't running.13:25
=== luist__ is now known as luist
pmatulistwb: you seem to have a good grip on the matter.  i'm still not sure why you think reporting the last few comments on LP is such a big deal13:26
twbBecause it wants me to either use a browser and "log in", or to manually compose the email (cf. reportbug).13:27
twbBasically, I don't want to reward Ubuntu for breaking reportbug on their distro13:28
* twb RTFS' mountall(8)13:30
twbOr, I would, if it was part of upstart...13:31
twbAh, mountall is its own package, and isn't in Debian.13:32
twbHm, what's the technique for making /tmp a tmpfs in 10.04?13:39
twbNever mind, looks like it was /etc/fstab before, so changes to the init process won't affect that13:39
apwkirkland, about ?13:45
kirklandapw: yup13:45
zulsmoser: ping debian has a newer python-boto fyi13:45
apwi have a lucid system which i am trying to start existing VM's (qemu/kvm) and am getting an apparmour error all of a sudden13:45
apwkirkland, any ideas what the heck causes that ?13:46
apw'error: error calling aa_change_profile()13:46
apwfrom libvirt13:46
kirklandjdstrand: ^13:46
zulwild stab in the dark... apparmor? :)13:46
apwzul, heh .. yeah ... but  .... yeah ... but ... yeah ... but ... no13:46
kirklandapw: jdstrand will be able to answer you effortlessly;  i'll play 20 questions to get there13:46
apwshame he is not on my timezone13:47
twbHuh, I read aa as libcaca13:47
twbapparmor makes much more sense :-)13:48
twb"#include <nih/macros.h>"13:49
twbIs that "nih" as in "not invented here"?13:49
apwkirkland, crap cannot make new VMs either13:49
* apw is going to reboot just in case13:49
twbHa, it is.13:49
twbLooks like another glib-esque "I like C but I wish it had [...]"13:50
twb21:20 <alvin> Ah, did you use the undocumented 'bootwait' option?13:53
twbalvin: reading mountall.c, I think I misread you.  Are you talking about a mount option (as opposed to a /proc/cmdline option)?13:53
informatix1hello13:53
informatix1hello13:54
alvintwb: Yes, _netdev doesn't work and I used bootwait, because otherwise the boot will stall and/or /home will not be there when I want to log on.13:54
alvintwb: It's a mount option13:54
* twb tries13:54
informatix1have setup up a website on ubuntu but can't get to the site from outside the local network13:55
uvirtbotNew bug: #601501 in apache2 (main) "Apache should tap into the shared-mime-info database" [Undecided,New] https://launchpad.net/bugs/60150113:55
panfisti've been trying to get openldap up and running unsuccessfully following the server guide13:56
panfisti'm trying to start over, so i did aptitude remove --purge slapd ldap-utils13:56
panfisti noticed that there were still files in /etc/ldap , so i removed the directory manually13:56
panfistafter re-installing the packages according to the guide, it seems i'm missing some usually included schema files; my /etc/ldap/schema is empty13:57
Jeeves_panfist: isn't that in schema.d?13:58
Jeeves_Oh, no.13:58
Jeeves_It isn't13:58
sommergood morning all13:58
panfistgood morning13:59
panfistok now i'm scared...because dpkg -S cosine says that the package slapd contains /etc/ldap/schema/cosine.ldif and cosine.schema , but when i do sudo apt-get install slapd ... those files are not installed14:00
apwkirkland, ok seems its a 2.6.35 issue ... would you expect kvm lucid userspace to work with 2.6.35 kernels14:01
_chris__heja14:01
_chris__i added a crontab , can i somehow see if it was executed ?14:02
_chris__syslog ?14:02
kirklandapw: um, yeah, it damn well better ... hallyn, do you know anything about this?14:02
kirklandhallyn: have you tried kvm in 2.6.35?14:02
Pici_chris__: Check /var/log/auth.log14:03
_chris__Pici, ah ok i see thanks14:04
panfisti've installed slapd every which way but i'm not getting files that are supposed to be included according to this http://packages.ubuntu.com/lucid/amd64/slapd/filelist14:06
=== dendrobates is now known as dendro-afk
twbalvin: OK, so if I add bootwait, the system just hangs around forever and I never get a root shell14:13
joschipanfist: does `dpkg -L slapd` produce any output?14:15
twbjoschi: it's openldap-server, IIRC14:16
panfistyes. actually, dpkg -L slapd|grep schema shows exactly the files that are not on my system14:16
twbpanfist: install debsums and/or cruft and ask them if your package is tits-up?14:16
alvintwb: unfortunately, that doesn't surprise me. There is a bug in karmic (should be fixed in lucid) that prevented booting when NFS mounts were not mounted fast enough (due to network, etc,...) That's bug 47077614:17
uvirtbotLaunchpad bug 470776 in mountall "retry remote devices when parent is ready after SIGUSR1" [Medium,Fix released] https://launchpad.net/bugs/47077614:17
panfistwell...it shows the files that i want14:17
twbOh, my mistake.  Apparently it is "slapd".14:17
joschitwb: you probably mixed that up with openldap-utils14:17
twbalvin: hmm, maybe I should put my spinlock back into mountall-net (which generates the SIGUSR1)?14:18
alvintwb: another (fixed in lucid) one is that you can't mount NFS drives at boot when you have a static network configuration. I switched all servers to DHCP and haven't switched back yet.14:18
twbalvin: it's all fixed DHCP here14:18
alvintwb: I don't know much about the internal workings, sorry. Just experiencing a lot of trouble and looking for workarounds.14:18
twb(That is, dnsmasq only responds if you're whitelisted in /etc/ethers)14:19
alvintwb: here also14:19
twbalvin: no worries; you've been a lot of help already, I was a bit too obtuse to catch on14:19
joschipanfist: are the files still missing when you reinstall slapd?14:20
panfistyes14:20
twbjoschi: a reinstall won't replace conffiles, at least14:20
twbThe other stuff should come back14:20
joschipanfist: `aptitude purge slapd && aptitude install slapd` should do the trick14:20
panfistspecifically, i purged it before and saw there were still files in /etc/ldap so i manually removed the dir, now reinstalling doesn't seem to be complete14:21
joschiI had a similar problem with postgresql some time ago14:22
twbjoschi: you should check that he has a backup before recommending something that radical14:22
twbe.g. maybe he's logging in with LDAP still14:22
joschitwb: hm, I don't think slapd works correctly when the schema files are missing14:22
twbMaybe it hasn't restarted since14:23
twbJust saying: be paranoid14:23
joschitwb: at least some base files like core.schema/core.ldif *must* exist14:23
panfistjoschi how the hell did you know that would work? i could have sworn i have executed those commands over and over, not in that exact order i guess14:24
twbRepeat grumble about having to realign the LCD's ADC all the time due to "helpful" framebuffer console14:24
joschipanfist: educated guess ;)14:24
joschipanfist: aptitude will (well, in most of the cases) reinstall config files after a package was purged14:24
panfistso apt-get skips those after a package was purged? isn't that a bug?14:25
joschipanfist: you've probably run `apt-get remove slapd` instead of `apt-get remove --purge slapd` which will also remove the config files14:26
twbalvin: hum, 470776 claims to be fixed in mountall 2.0, and I have 2.1414:26
joschioh, I see there's a "purge" action in apt-get too. so forget my last comment, panfist14:26
panfisti can verify in my history, i did `sudo aptitude remove --purge`14:27
panfisti dunno if that's the same as `aptitude purge`14:28
incorrecthi, what is the magic key press to get the grub menu these days?14:28
twbhold shift during boot14:30
twbHope that your USB keyboard is initialized before GRUB, etc.14:31
incorrecthmm shift not working,14:31
twbNo, wait, the problem I was having was that the USB keyboard definitely WASN'T enabled in the bios, and the onboard keyboard was nearly dead14:31
incorrectthis is via a RAC14:32
incorrectoh grief i hate grub214:32
twbTell me about it14:32
panfisti'm stuck on the initial configuration of ldap according to the server guide https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html14:33
twbLike os-prober's "oh hai, you updated your kernel while your USB rescue key was inserted, so I have added its boot entries to the list"14:33
panfisti've done a find and replace of dc=example with dc=myexample and dc=com with dc=lan ;14:33
incorrectah /etc/default14:33
panfistwhen i get to the part where i add frontend.example.com.ldif , i get a `ldap_add: Naming violation (64)`14:33
panfisthmmmmmmm could my mistake be in not changing the file names from example.com to my domain name? i don't see how the file names would be relevant in this part of the configuration14:34
alvintwb: I presume you are looking at the mountall source. Isn't bug 470776 fixed in your version? I thought it was. It was a major problem for me. It still is in karmic, but it's gone in Lucid.14:34
uvirtbotLaunchpad bug 470776 in mountall "retry remote devices when parent is ready after SIGUSR1" [Medium,Fix released] https://launchpad.net/bugs/47077614:34
joschipanfist: no, the file names do not matter. their content does on the other hand ;)14:34
panfisti've pasted the contents here14:35
panfisthttp://dpaste.com/215112/14:35
twbalvin: I'm not sure if it's fixed14:35
twbJust because a patch is made doesn't mean the patch fixes the problem ;-)14:35
joschipanfist: have you created the backend configuration?14:35
joschie.g. created dn: olcDatabase=hdb,cn=config14:36
panfistyeah, the command to add the backend completed successfully14:36
panfist`sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif`14:37
panfistnevermind....i executed the wrong command that takes the frontend ldif file as the argument14:37
twbOK, how does mountall(8) know it needs rpc.statd for /home...14:38
twbRather: s/how//14:38
panfistnevermind my nevermind....i executed the correct command and i get the same error message, a naming violation14:38
=== dendro-afk is now known as dendrobates
hallynkirkland: no i have not14:41
alvintwb: Interesting question. I think bug 547139 describes that issue.14:42
uvirtbotLaunchpad bug 547139 in nfs-utils "mountall tries to mount NFS filesystem before statd starts" [Undecided,Won't fix] https://launchpad.net/bugs/54713914:42
kirklandhallyn: jdstrand: apw is reporting some kvm/libvirt/apparmor issues with 2.6.3514:42
twbalvin: that was the third hit :-)14:42
hallynwait what is stock maverick kernel?14:42
joschipanfist: check the configuration DIT (cn=config...) with ldapsearch14:42
apwkirkland, hallyn, jdstrand, yep booting same machine back to the latest lucid kernel resolves the issues14:43
kirklandapw: what's Maverick's target kernel version?14:43
kirklandapw: 2.6.35 i presume/14:43
twb"Since you say the NFS filesystem does eventually get mounted"14:43
apwkirkland, indeed so14:43
twbalvin: I don't have that behaviour14:43
hallynwell then yeah, i've used kvm there14:44
twbUnless "eventually" means hours, not minutes14:44
apwkirkland, this of course gives us interesting issues with the lts backports kernel for server14:44
hallynwith no problems14:44
alvinI do. I have to wait a while, but eventually the NFS filesystem gets mounted. Mind you, in Karmic it was much worse. booting without manual intervention was impossible.14:44
hallynkirkland: apw: is there a bug with more details?14:44
alvinyou could try the undocumented 'nobootwait' option14:44
kirklandhallyn: well, i presume apw is testing a preview kernel that's not in Maverick yet14:44
hallynright, i can d/l kernel and bisect so long as it's in maverick git tree14:45
apwhallyn, not as yet14:45
alvintwb: nobootwait should start your system and eventually, your mounts will be there. The downside is, that services that depend on the mount points being there will fail.14:45
twbalvin: presumably nobootwait *or* bootwait is the default, right?14:46
alvinI think so14:46
twbI tried with neither, and with "bootwait"14:46
alvinHmm, nobootwait is probably the default14:46
twbIn the first case, I get a shell and /home isn't mounted after an hour; in the latter case it hangs, I get no shell, and it isn't back after at least five minutes.14:47
alvinman mount only lists _netdev14:47
twbalvin: probably because mount(8) was written by util-linux or Debian, and bootwait is some Ubuntu nonsense14:47
alvinWell, I've read that debian will eventually adopt upstart, so they'll probably change the manual :-). upstart is doing a good job on my phone, but on ubuntu-server, I have to wrestle with it.14:48
twbI doubt it14:49
alvintwb: Is /var/log/boot.log saying something about /home ?14:49
panfistjoschi ldapsearch with no arguments returns something like #filter: (objectclass=*); search: 2; result: 32 No such object14:49
twbalvin: with -obootwait, I don't get a shell, so I can't check14:50
panfistldapsearch cn=config returns the same results except #filter: cn=config14:50
twb(There are volatile units, so /var/log isn't preserved after a boot.)14:50
alvintwb: Hmm, a console that shows boot messages would be nice too.14:50
twbWell, I got that by throwing out gdm for a while14:50
alvinand it's saying nothing about NFS mounts?14:51
alvinStuff like: mount error(101): Network is unreachable14:51
twbIt's bitching about rpc.statd not being ready14:51
twbLike always14:51
alvinNot even "mountall: mount /home [951] terminated with status 32"?14:52
twbLemme reproduce it again14:52
alvinI don't see the rpc.statd errors in boot.log here. Let me check some other machines14:52
twbmount /home [675] failed with status 3214:53
alvinHmm, 'failed'. Not 'terminated'14:54
twbLemme check again14:54
twbI'm transcribing because the machine's way over >there<14:54
alvinMy logs are full with 'terminated' messages, but the filesystems do get mounted14:54
twbmountall: mount /home [675] terminated with status 3214:55
twbI get *one*14:55
twbThen it sits there forever spinning its nipple-nuts14:55
* Pici blinks14:55
alvinAha, there is a difference. I get each 'terminated' message twice (besides DNS resolution errors)14:55
alvinHmmm, false alarm. I just checked a lot of other machines. The messages appear between 1 and 3 times for each NFS filesystem.14:58
alvinbut no rpc errors14:58
joschipanfist: http://www.zytrax.com/books/ldap/ch6/slapd-config.html is a good introduction IMHO14:58
joschipanfist: http://www.zytrax.com/books/ldap/ in general14:59
twbalvin: sticking --verbose in boot (per #upstart) shows me what events are arriving, which should help significantly14:59
panfistthank you joschi... brb, reading15:00
twbOK, why isn't netconsole working?15:04
twbnetconsole=@/,@10.128.0.1/15:04
twbARGH, because it's compiled as a module and probably modules can't be accessed before mountall goes stupid15:09
twbI'll just roll a new ramdisk with that manually insmodding....15:11
twbOK, that'll work15:12
smt-mobilhi, im running a (hardy) server with multiple vhosts, i have one vhost (a subdomain) proxied to another machine, which works fine for http, but: how can i proxy ftp request to that subdomain too?15:13
smt-mobiltried mod-proxy-ftp but the ftp server on the server seems to fetch all ftp requests15:14
smt-mobil1 ip only15:14
joschismt-mobil: that's because there's no mod_proxy_ftp in apache httpd ;)15:15
joschismt-mobil: http://www.ftpproxy.org/ should help. there's also a package for this in hardy15:15
twbhttp://mywiki.wooledge.org/FtpMustDie15:15
joschismt-mobil: but remember that FTP doesn't know a Host header like HTTP/1.115:16
smt-mobili know that, if it would know it, it would be quite easy, and there is a module called mod_proxy_ftp15:17
smt-mobilhmm i guess i will have to use another port for that and forward it right away to the other machine15:19
twbjoschi: but FTP can act as an open relay15:21
twbjoschi: so you'd just set up a local FTP server that acted as an open relay from the LAN to the internet, but not vice-versa15:21
joschitwb: ?15:22
twbEr, yeah, ignore that.  It'd require the FTP client to be clever15:23
=== Guest16812 is now known as lau
lauis it possible to use ec2-bundle-vol in order to create an ubuntu ami image of a current ubuntu running machine ?15:30
lauor do I need first an ami running machine ?15:31
Jeeves_Does anyone know why my libvirtd would consume this much memory?16:04
Jeeves_ 1599 root      20   0 1139m 847m 2948 S    0 10.6   8:06.92 /usr/sbin/libvirtd -d16:04
hallynhm, yes, having odd apparmor refusal trying to create a VM with virt-manager16:07
hallyn(in maverick)16:07
* hallyn installs auditd to help himself out16:07
jdstrandhallyn: is this a getattr denial?16:09
blackxoredhey guys16:09
blackxoredpasting16:09
blackxored i'm becoming lame, i used to know how to do this, but obviously i'm doing it wrong, i want this setup i want my machine to work as a gateway for my phone, i want all traffic originating from my phone to be proxied by the tor and polipo setup i've got, i want to make some iptables rules to make dports 80 and 443 coming from <phone source ip> to be i believe redirected to the 8118 port and i want to take responses aka secondary connectio16:09
blackxoredns or an16:09
blackxored<blackxored> ything back to my phone, how can i achieve thi16:09
hallynjdstrand: i think so, but i realized i haven't upgraded in a few days, so am waiting on upgrade, will reboot and re-test16:12
hallynjdstrand: btw, 0.8.2 should be tagged now16:13
hallyn(haven't seen much activity about how it's going)16:13
jdstrandhallyn: if you see a getattr denial, that is a known issue... I think fixed in the latest maverick kernels16:13
=== dendrobates is now known as dendro-afk
hallynjdstrand: ok cool then after reboot it should just work :)16:13
jdstrandhallyn: oh, you asked about me merging 0.8.2. I haven't thought about it at all. if it is required, we can look at it16:13
blackxoredanyone? i've tried iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8118 didn't work, and also iptables -t nat -A POSTROUTING -s <phone_ip> -p tcp --dport 80 -j DNAT <mypc_ip>:8118,. either16:13
apwhallyn, kirkland, finally got booted back into that kernel ... bug filed:16:15
apwhttps://bugs.edge.launchpad.net/ubuntu/+source/virt-manager/+bug/60230816:15
uvirtbotLaunchpad bug 602308 in virt-manager "virt-manager cannot start VMs on lucid with v2.6.35 maverick kernel" [Undecided,New]16:16
kirklandapw: thanks16:16
kirklandjdstrand: ^ looks to be apparmor/libvirt issues16:16
apwan hour for the fsck after a crash held me up16:16
lauI tried the ec2-bundle-vol with the --no-inherit option but get rsync execution failed any idea ?16:19
lauI am trying to create an ami image from a kvm running machine16:19
=== dendro-afk is now known as dendrobates
blackxoredany of you, knows how to setup those iptables rules???16:22
uvirtbotNew bug: #602308 in virt-manager (main) "virt-manager cannot start VMs on lucid with v2.6.35 maverick kernel" [Undecided,New] https://launchpad.net/bugs/60230816:24
hallynjdstrand: after upgrade i still have the problem (checking apw's bug to see if it is the same)16:26
hallynyup, same thing!16:26
hallyn(so i marked it confirmed)16:27
hallynjdstrand: i'm leaving soon for lunch, but i'll look at bug 6023808 in detail this afternoon if you don't get a chance or want to16:27
apwhallyn, fun!16:28
jdstrandhallyn: you might ask jj about it if it is a kernel bug16:29
hallynwill do (though he seems to be out)16:36
* hallyn back later16:36
mdeslaurhallyn, jdstrand: libvirt bug is a dupe of #59945016:55
jdstrandmdeslaur: I asked that initially, but thought it was fixed in the latest kernel? I guess by your bug's status it is not16:57
jdstrandkirkland: that is most likely a kernel issue16:57
jdstrandkirkland: (which is known)16:57
kirklandjdstrand: k -- reassign the bug to the kernel package?16:57
kirklandjdstrand: cool16:57
kirklandjdstrand: it's apw reporting it16:57
jdstrandkirkland: we need hallyn to confirm it is a dupe of #59945016:58
LowValueTargetis the sun-java-jre in the ubuntu repos the server version?17:07
falktxhi guys17:35
falktxcan someone help me with a tomcat thing?17:35
falktxjust need to set ip restrictions17:35
falktxfrom what I read on the net,17:36
falktxI need to edit /etc/tomcat6/context.xml17:36
falktxand set ...valves.RemoteAddrValve17:36
falktxallow="x.x.x.x"17:37
falktxthe thing is even when I set it to allow my ip, i'm still blocked17:37
falktxi'm currently testing the block="x.x.x.x", just to check if tomcat is working properly17:38
falktx(using ubuntu 10.04 btw)17:38
hggdhjiboumans, ttx: I may be late today to the meeting, have to get to my bank and work out a fraud against my bank account17:42
jiboumanshggdh: ack - we'll push the agenda item back if need be17:42
jiboumansgood luck17:42
hggdhjiboumans: thank you, I will need luck :-(17:43
Krazyderekcan someone walk through a printer install and share over a local network with me?17:48
shtylmandoes anyone know if you have to do anything special to get a netboot(ed) ubuntu to output to an ILO console? I have console=ttyS1,115200n8 in the pxe cfg default file17:53
shtylmanbut there is no output on the ILO terminal17:53
panfisti'm trying to set up openldap server according to the server guide here... https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html17:55
LowValueTargetcan someone recommend a good irc server?17:57
LowValueTargetto host an internal one17:57
panfisti can set it up fine if i use dc=example,dc=com like in the docs, but as soon as i replace that with dc=foo,dc=bar i can't get past the 6th command in the guide (sudo ldapadd ... frontend.ldif)17:57
=== dendrobates is now known as dendro-afk
falktxhe, no one is able to help...18:08
giovaniLowValueTarget: can you elaborate on the purpose?18:10
LowValueTargetgiovani: I want a secure, internal means of a "chatroom" for our support engineers. Figured IRC on an internal network would be best.18:11
LowValueTargetthere may be better solutions18:11
cloakablejabber18:15
LowValueTargetcloakable: jabber allow group chat?18:18
=== dendro-afk is now known as dendrobates
cloakableLowValueTarget: yes18:20
Krazyderekprinters anyone?18:23
Krazyderekthe problem i'm having is that the guide on https://help.ubuntu.com/10.04/serverguide/C/cups.html doesn't match up with what i'm seeing after i install cups18:32
SpamapSKrazyderek: it may need an update18:36
Krazydereki just installed it though18:36
SpamapSKrazyderek: can you be specific? It makes it easier if you phrase things in the form of an open ended question.18:36
Krazyderekafter i sudo apt-get install cups everything goes fine, then i use nano to add the serveradmin email address18:37
Krazyderekthere is no line for it so i just create one in the .conf file18:37
luistwhen i start apache i get this warning: * Restarting web server apache2     [Tue Jul 06 17:36:46 2010] [warn] NameVirtualHost *:80 has no VirtualHosts   is it something to worry about?18:39
SpamapSluist: do you mean for there to be name-based virtual hosts on your server?18:39
luistSpamapS, hm... i think so... im running gitorious18:40
SpamapSluist: do you have <VirtualHost xxx> tags in your configs?18:43
hallynmdeslaur: kirkland: it looks mostly the same.  only diff is that on my system all the failures were for '/', not for longer pathnames.18:43
hallynmdeslaur: kirkland: apw: oh, yeah there are a very few other pathnames in mine, so confirmed it's a dupe18:44
panfisti'm trying to set up openldap server according to the server guide here... https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html18:44
panfisti can set it up fine if i use dc=example,dc=com like in the docs, but as soon as i replace that with dc=foo,dc=bar i can't get past the 6th command in the guide (sudo ldapadd ... frontend.ldif)18:44
apwhallyn, sounds good feel free to dup it over18:44
luistSpamapS, yes...18:45
hallyndone18:45
cloakablepanfist: Are you editing that file correctly? it contains references to dc=example,dc=com18:45
panfisti saved the html, did a global replace for dc=example -> dc=foo, dc=com -> dc=bar, and example.com -> foo.bar18:46
panfistthen i loaded the edited html back in my browser and worked from there18:46
cloakableHmmm18:46
panfisti thought such a global find and replace would be pretty much fool proof18:46
* cloakable bites tongue18:47
luistSpamapS, http://pastie.org/1033012 this is it18:47
cloakableDon't be lazy, have a look through the ldif, and learn how it works :P18:47
panfisti dunno how much you know about openldap, but if i did an aptitude purge slapd, rm -R /etc/ldap and start over, would that get rid of any configuration from the last go-around?18:48
panfisti.e. would that truly be starting from scratch?18:48
panfisti've gone over both the backend and frontend ldifs, and while i wouldn't say i really know what's going on, i don't see anything that would raise any flags. i'm also reading this http://www.zytrax.com/books/ldap/ in the meantime18:49
Krazyderekif man cups says browsing options are yes and no, and the default is off, then is no = off?18:49
cloakablepanfist: also, rm -r /var/lib/ldap18:49
panfisti'll try that18:49
cloakablepanfist: depending on if you want to get rid of the database too18:50
laumy /etc/apt/preferences looks like http://paste.ubuntu.com/459929/18:50
lausudo apt-cache policy returns lxc -> 0.6.5-1 (the lucid version)18:51
SpamapSluist: the bits after VirtualHost have to match the bits after NameVirtualHost18:51
laubut I want to keep lxc -> 0.6.3-1 (the karmic version)18:51
SpamapSluist: so you need to either change it to NameVirtualHost *, or VirtualHost *:8018:51
lauwhen I sudo aptitude full-upgrade , lxc prompt for upgrade18:51
lauwhat did I miss ?18:52
luistSpamapS, ok... *:80 fixed it :)18:54
SpamapSluist: ^518:55
=== dendrobates is now known as dendro-afk
zuldamn i should update mysql-cluster19:08
uvirtbotNew bug: #602379 in openssh (main) "package openssh-server 1:5.3p1-3ubuntu4 failed to install/upgrade: subprocess new pre-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/60237919:11
mathiazjjohansen: running the maverick kernel on lucid is a good idea?19:23
jjohansenyeah19:23
jjohansenit is going to be supported, there is a backports ppa give me a minute to find it19:24
mathiazttx: o/ - how is bordeaux doing?19:30
ttxIt's doing well !19:30
ttxCity center is nice on those summer days19:30
mathiazttx: :)19:31
zulhi ttx19:37
ttxzul: o/19:37
smoserjdstrand, are you around?19:41
smoseri19:41
jdstrandsmoser: yes19:41
smoseri'm looking for some crypto understanding19:41
hallynrot13 ftw19:43
smoserjdstrand, are you at all familiar with what a eucalyptus/ec2 manifest looks like or contains ?19:44
smoserhttp://pastebin.com/Q55wxrq119:44
jdstrandsmoser: I'm not, no, but I am looking at it19:45
smoserwell, here's an overview of what i understand/know.19:45
smoseryou create a tarfile (generically payload).19:45
=== dendro-afk is now known as dendrobates
smoserthen ec2-bundle-image, which tars, chunks, and encrypts it19:46
smoseri think it stores the key and initialization vector for decryption in the manifest file19:47
smoserencrypted with both the user's key and amazon's public key19:47
smoserso, now my question19:47
smoserwe upload these things, and they only contain our filesystem images.19:47
smoseri want to share those filesystem images.19:48
smosersince i'm already storing this in s3, i'd like to re-use those bundled files.19:48
smoser(does my understanding above make sense  ?)19:48
ShadeSwho hollered my name19:51
smoserjdstrand, ^19:52
jdstrandsmoser: yeah, I was looking at it19:52
smoser:)19:53
smosersorry. sorry to nag19:53
hggdhdarn, it was difficult even to get money at the branch :-(19:53
jdstrandsmoser: I don't feel like I understand what they are doing well enough. you hinted at public key crypto, but I see AES-128-CBC which aiui is used in symmetric key setups (ie, shared secret)19:54
jdstrandkees, mdeslaur, sbeattie: are you guys familiar with the eucalyptus encryption stuff ^19:55
mdeslaurnot really, but I'm taking a look19:56
smoserfwiw, most of what i've learned is from reading euca2ools source19:56
mdeslaursmoser: what's your question?19:58
smoserok. my question is19:59
smosera.) would there be security consequences to making our manifests and payload data public19:59
smoser (i'm fairly sure the answer is 'no', as ec2-upload-bundle has a '--acl public-read' flag)20:00
smoserb.) given what is there, is there a way that I could re-use the published manifests (such as that pastebin) to allow users other than Canonical user and amazon to read the payload.20:01
mdeslaursmoser: I hope not, since the first thing google gives me when searching for "ec2_encrypted_key" is the manifest you pasted an hour ago :)20:02
smoserawesome.20:02
smoserin fear of that i randomly changed some of the encrypted_key and encrypted_iv data20:03
mdeslaursmoser: to answer that, I would need to know why they're encrypted in the first place. I can't answer your question.20:04
smoserour images themselves have no reason to be encrypted20:04
mdeslaursmoser: they are only encrypted in case the image contains confidential data?20:04
smoserbut you can publish private AMIs that would then live in S3.20:04
smoseri think so, yes.20:04
mdeslaursmoser: where does the manifest file live?20:05
smosernext to the parts in s320:05
smoserbucket20:05
smoserie: bucket/name.manifest.xml bucket/name.part.0020:05
smoser...20:05
mdeslaurand the AES key used to decrypt the image is itself encrypted using your key and amazon's public key?20:06
smoserwhich, by default, is set only to be readable by the owner and 'za-read' , which is the EC2 user that then provisions the system.20:06
smosermdeslaur, thats what i think, yeah.20:06
erichammondmdeslaur: Yes.  Either the author or the Amazon system can decrypt the image.20:06
smoserone way or another, there are 2 parties privy to the data there. you, and amazon.20:06
erichammondwith their corresponding private keys.20:07
erichammondsmoser: There was a presentation at a security conference a year or two ago which talked about possible attacks on ssh host keys if the EC2 image is publicly available.  I chatted for a while with the authors to make sure that my AMIs were not affected (the images were not public) but I don't know if it is an issue for the AMIs published by Canonical.20:07
smosererichammond, you have any  more information on that ?20:07
mdeslaursmoser: so, how were you expecting to share this with other if the AES key is encrypted with your host key?20:07
erichammondsmoser: Looking20:08
smoseri cant see how that would be the case.20:08
smoserbut, as obvious to most, i'm quite illiterate20:08
smosermdeslaur, i could share the key, or use a constant key.20:08
smoseri dont care about the contents of the payload. i *want* to make them public (i think)20:09
mdeslaursmoser: but then everyone's payload is encrypted with the same key20:09
mdeslaursmoser: that might be an issue20:09
erichammondsmoser: It had to do with knowing the starting state of the machine and the general time at which the system started.  Given this, they thought that it might be possible to substantially reduce the key space.20:09
smoser"everyone's payload" ?20:09
mdeslaursmoser: also, you would have to remove the AES key that is encrypted with your host key20:09
mdeslaursmoser: well, what would people be doing with these images?20:10
smoserok. maybe better explanation.20:10
smoserright now, we upload these images to ec2 as "bundles" (with manifest ... encrypted as described above).20:11
smoserwe also publish (on uec-images.ubuntu.com) the image so people can download them.20:11
smoserbut, we're already paying for storage in 4 regions (in order to create amis that people can run) on EC2.20:12
smoseri'd like to just let people get at that data so they can "download" that way20:12
smoseralso, i would use them in the publication of our EBS images.20:12
p1l0tOk so I am getting repeat brute-force attacks on my server trying to guess the root password... I want to set up RSA key identification. I'm kind of new to this though... I have to run ssh-keygen on the server right? and then copy one of the keys to any client machine that wants to connect right?20:13
CppIsWeirdi just tried installing ubuntu-xen-server and it says it cant be installed because one of its dependencies cannot be found, xen-tools.20:14
erichammondsmoser: http://www.slideshare.net/astamos/cloud-computing-security around pages 62-68.20:14
erichammondsmoser: The authors were accessible and may have done further research.20:15
jdstranderichammond: I haven't read that, but if it is anything like the blackhat one I saw last year, this is a different problem. ie, with an EC2 image, the instances are all identical and often starting on the same host, without anything special going on with the rng20:16
smoserhmm..20:17
smoserslide 6620:17
smoser"random.seed"20:17
smoserwhat is that ?20:17
jdstrandoh, hehe20:18
jdstrandthat was the one I saw at blackhat ;)20:18
p1l0t!rsa20:19
jdstrandsmoser: it is the seed file used to reseed the system after a reboot20:22
jdstrandsmoser: err... s/system/rng/20:22
smoserpath ?20:22
smoseroh. i see20:22
jdstrandsmoser: in lucid it is /var/lib/urandom/random-seed20:22
jdstrandsmoser: which is used by /etc/init.d/urandom20:22
jdstrandthe point in the paper is that between the seed always being the same in an image, and the hardware being identical, and the same host being used on multiple guests, your entropy pool is reduced20:23
jdstrandafaik, it is still a theoretical attack, but makes sense20:23
p1l0tCan I suggest adding https://help.ubuntu.com/community/SSH/OpenSSH/Keys to ubottu under !rsa20:24
SpamapSvery interesting about the random generation20:25
jdstrand(fyi, 'man random' talks about how the seed is used)20:26
erichammondsmoser, jdstrand: It seems that potential security risks could be reduced by setting the random-seed (randomly) when the public image is copied to create a new AMI.  Then the contents of that AMI should not be available to the public.  The random-seed will be changed once the system boots and the user is able to access it.20:29
erichammondThere may still be some issues with EBS boot as users might be able to "stop" the instance before it finishes booting (not sure if this is possible) and look at the contents of the EBS volume.20:30
=== dendrobates is now known as dendro-afk
=== dendro-afk is now known as dendrobates
SpamapSerichammond: ultimately without good local random number support, you have to assume you are at a moderate level of communication security.20:37
panfisti'm trying to set up openldap server according to the server guide here... https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html20:39
panfisti can set it up fine if i use dc=example,dc=com like in the docs, but as soon as i replace that with dc=foo,dc=bar i can't get past the 6th command in the guide (sudo ldapadd ... frontend.ldif)20:39
giovanipanfist: can you pastebin exactly what commands you're running, and the output?20:45
panfistis it possible to copy the stuff that's already entered into my terminal into a text file? (not just history but the output too?)20:46
giovaniyes20:47
giovaniselect and copy20:47
panfisttext console20:47
panfistselect how?20:47
giovanimeaning not an xterm/ssh session from an xterm?20:47
panfistthere is no x20:47
CppIsWeirdi just tried installing ubuntu-xen-server and it says it cant be installed because one of its dependencies cannot be found, xen-tools.20:47
giovanithen no20:47
giovaniyou should be sshing in20:47
giovanifrom a desktop20:47
giovaniso you have control over the terminal20:47
panfisti see20:48
panfistlet me see what i can do20:48
panfistwhat about gnu screen copy mode? i'm looking into it20:49
smosererichammond, i surely want to get to the point where our images are publicly available (as we do with the uec-images.ubuntu.com)20:51
smoserand, jdstrand , erichammond , fwiw:20:52
smoser$ ls /mnt//var/lib/urandom/random-seed20:52
smoserls: cannot access /mnt//var/lib/urandom/random-seed: No such file or directory20:52
smoserwhere /mnt is an image from uec-images20:53
erichammondsmoser: Right, it's not installed on the default image which is just as much a known starting point as having a large, fixed set of data on a public image.20:54
smoseri'm not sure that i understand the attack.20:54
erichammondIt is generated during boot time using theoretically non-random information and then that is used to generate the ssh host key.20:55
smoserthat random seed initially be created by a (possibly bad) random number generator20:55
erichammondIf an attacker can guess the ssh host key, then there is a mitm attack and ssh sessions are no longer secure.20:55
smoserah. so if that non-random information is bad enough, the seed could be guessed.20:56
smoserwhich could reduce the space from which the host key was generated.20:56
erichammondsmoser: exactly.20:56
erichammondsmoser: If, when you build the AMI for EC2, you start with the uec image and then set a random-seed which only you know before registering the AMI, then Ubuntu on EC2 would be more secure.20:57
=== io is now known as steffan
smoseri dont follow that20:58
erichammondsmoser: But this requires that you not let the public download the contents of the AMIs.  The public should only be allowed to run them.20:58
smoseras, if there is no random seed in the image, it is at least partially unknown. i'm guessing created by timestamp or something.20:59
smoserso that, given X instances, only some portion of them will have a given random-seed.20:59
smoserbut, if i create the same random-seed file in all our images, then *all* will have that.20:59
erichammondsmoser: Even when there is a random seed, it is modified by the boot time info.21:00
erichammondNo random seed = known public random seed.21:00
erichammondPrivate random seed is secure.21:00
erichammondEr, I hesitate to say anything is completely secure, but based on my understanding it is *more* secure :-)21:02
smoserhm... right. there is obviously a reason its being kept21:02
erichammondwhat is being kept?21:02
smoserwell, random-seed is being kept. in "normal operation" to seed the random number generator21:03
smoseras putting some random-ish value there is better than essentially '0' at boot time all the time.21:03
erichammondThe more sources of randomness you can inject into the system, the more random the result.  It is kept between boots so that some randomness from the last time the system was run can be included into the current boot.21:04
smoserright21:04
smoserthats what i was saying.21:04
erichammondUnfortunately, if it is known then it does not help add any randomness, so the only source of randomness available to the instance is the boot time.21:04
smoserits being kept, because its considered better to keep it.21:04
smoserright.21:04
erichammondYou've got far better security experts at your disposal than me.  I just raise this point for it to be investigated and thought about for improving the EC2 images.21:05
erichammondAlso as it might affect your decision to make the AMIs downloadable.21:05
smoseryeah. it is affecting my decision. :)21:05
smoserbut i would really like for them to be downloadable.21:06
smoserbasically, i was going through, and trying to reduce my "publish to ec2" time.21:06
erichammondI'm happy with the availability of the UEC images for use with EC2.21:06
smoserwhich consists of instance-store and ebs volume publish.21:06
smoserthe ebs volume was pulling from the uec-images, which is horrifically in ap-southeast-121:07
erichammondOnce you sort out the security issues you might publish a best practice document describing how folks can generate their own random-seed before registering an AMI (if it turns out that is the best option).21:07
smoserand i thought "Wait, i've already *got* the data over there in the form of the instance-store bundle"21:07
SpamapSI wonder if EGD would be useful in this case21:08
erichammondsmoser: Since it's your account, you can download and decrypt the AMI bundle.21:08
erichammondsmoser: See ec2-download-bundle and ec2-unbundle21:09
smoseryes, by pushing my key to the instance21:09
erichammondtrue21:09
smoserwhich is worse :)21:09
SpamapSthis affects puppet too21:09
SpamapSpuppet instances have to generate unique client certs to auth to the puppet master21:09
erichammondGlad to hear you're sensitive about protecting the Ubuntu AWS keys those as they affect the entire user base if compromised.21:10
smoserSpamapS, why would egd be any better than /dev/random ?21:10
SpamapSsmoser: it pulls from sources that are at least a little less predictable than the virtual interrupts cited as problematic in the slide deck linked earlier21:11
SpamapSthe problem with egd is the system really has to be busy21:11
smoserbut early in first boot, there would be no randomness21:11
smoserie 'w' and 'last' and 'vmstat' would be very un-random at that point.21:12
SpamapSso its fine if your AMI starts up your web app and starts serving traffic, but not so much if you need to start out by ssh'ing in and doing something. ;)21:12
smoseri must be missing something.21:12
smoserwhy would EGD be superior to /dev/random21:13
SpamapSanother source of randomness which sounds nuts but its not is to join the tor network. ;)21:13
smoserunless /dev/random was known-broken (and harder to service)21:13
=== erichammond1 is now known as erichammond
SpamapSsmoser: the jitter on a virtual instance IRQ is probably a lot more uniform than the IRQ's from an actual system booting up21:14
smoserah. ok. so you could be seeding the EGD with possibly higher level sources of randomness than the kernel would have.21:14
SpamapShttp://true-random.com/  lets ask Amazon to put some of these in their dom0's ;)21:14
SpamapSsmoser: Rackspace could offer that as a value add. :)21:14
smoserfwiw, there was a thread on lkml (i think) suggesting the use of network data would reduce the randomness21:15
smoseras it could be then seeded by someone throwing well defined network traffic at the instance.21:15
smoseranyway21:15
smoserthis is all well over my head , or what i care to learn at the moment.21:15
SpamapSthis has been a problem on all kinds of devices21:17
smoseri suggested once (maybe someone would point out a reason that it would be a bad idea) was a virt-random module that basically passed through /dev/random requests in a guest to the host.21:17
SpamapSI don't know how smart phones are doing it now, but Palm Treo's would always warn you that their crypto sucked.21:17
smoserso that the idea of "the guest has no suitable randomness" would be false21:17
smoserand that you could install whatever source of "more real random" you wanted in the host21:17
SpamapSyou just need to have something locally that will get you 4kbit of "better than average" randomness.21:18
SpamapSanother way to do it is to use perfect forward secrecy methods of communication to use the bad key only for the purposes of obtaining a higher quality key..21:19
panfistgiovani here's my success with dc=example,dc=com http://dpaste.com/215242/21:19
SpamapSbut that won't protect you if there is a permanent man in the middle.21:19
* SpamapS really hates the security rabbit hole sometimes21:20
panfistgiovani and here's my failure with dc=foo,dc=bar http://dpaste.com/215243/21:20
panfistsorry if it's ugly21:20
SpamapSsort of mitigates it completely if you just restrict SSH in your default profile though.21:21
panfistboth examples show me purging the package, removing /var/lib/ldap, reinstalling and following the guide through to ldapadd ... frontend.ldif21:21
giovanipanfist: well, you'll need to pastebin your ldifs as well -- because that's likely where the problem is21:23
giovanibackend/frontend*.ldif, that is21:23
panfistthe ldifs are copy-pasted directly from the site, and you can see it works at first, then in the second i have included in the pastebin the sed command i used to change the files from dc=example,dc=com to dc=foo,dc=bar21:24
panfisti can pastebin the actual files...1 sec21:24
panfistbackend.foo.bar.ldif http://dpaste.com/215246/21:26
panfistfrontend http://dpaste.com/215247/21:27
* cloakable has found your problem21:28
cloakabledn: cn=example,ou=groups,dc=foo,dc=bar21:28
cloakableobjectClass: posixGroup21:28
cloakablecn: example21:28
cloakablegidNumber: 100021:28
cloakableActually, hmm.21:29
cloakableNo, that seems to be correct21:29
* cloakable misread the dn21:29
panfisti thought there might be a problem with my choice of dc...one of my original DCs was over 8 characters but i repeated my experiment actually using dc=foo,dc=bar with the same problem21:30
panfistthen i went to go read the RFC that describes the rules for domain names in LDAP and i didn't see anything wrong there21:30
panfistRFC 2247 and RFC 237721:35
panfistsooo where should i go to 'escalate' this? the forums? file a bug report?21:40
peeps[work]anyone here using an offsite backup service?21:47
CppIsWeirdi just tried installing ubuntu-xen-server and it says it cant be installed because one of its dependencies cannot be found, xen-tools.21:47
giovanipeeps[work]: yes21:47
peeps[work]giovani, which one do you use, and how do you like it?21:47
giovanipeeps[work]: I'm using s3 at home -- it works fine, it's cheap given the replication you're getting21:48
giovanino minimum fees -- so when I have like 1GB to back up, it costs me a few cents a month21:48
panfistgiovani so i guess you gave up on my problem? any advice where I can go from here?21:49
giovanipanfist: I didn't 'give up' -- just swamped at work -- I didn't see anything wrong, although I've never tried using "invalid" TLDs in an LDAP dc -- it's probably fine, but, it would be worth trying with dc=foo,dc=com21:50
giovaniother than that, I don't know -- sorry21:50
panfisti appreciate your time. i'll give that a try next.21:50
giovanipanfist: yeah, sorry to make you jump through hoops only to give you a non-answer :\21:51
giovaniI searched a bit to see if anyone was using 'invalid' tlds in production21:51
giovanibut couldn't find anything but examples, which aren't necessarily being used21:52
panfistwell i already have the dc=foo,dc=com files, it will only take me a moment21:52
giovanitrue21:52
panfistthis ldap server is going to be for a sneakernet so i didn't even think about using a valid TLD21:52
giovanipanfist: yeah, I don't think it's likely to be the issue -- but it's worth trying21:53
panfistdidn't work21:56
panfistis there a particular forum you'd recommend that I post this on? i posted the issue before, but without very detailed terminal output with no results on the ubuntu server board21:56
giovanipanfist: well I'd recommend heading to the ldap channels on freenode21:57
giovaniwhere you'll get ldap experts21:57
giovanirather than people who have just used ldap as a small part of their job21:57
panfisttwice i have ventured in there and the advice i get is "don't follow the how-to, learn ldap from scratch"21:57
giovaniah21:58
panfisti'll try again and see what happens. again, thank you very much for your time21:58
giovanisorry I couldn't be of more help21:58
giovanior any, really21:58
panfistat least now i have the proper output to show exactly what my problem is21:58
giovanipanfist: it's likely that these scripts, or something specific to the howto is to blame21:59
giovaniso they're probably right about learning it from scratch21:59
serverhorrorpanfist:  the ldap base dn doesn't have any (whatsoever) implications regarding being a TLD or not...21:59
=== steffan is now known as io
micahganyone run zabbix-server-mysql?22:06
p1l0tDoes ssh-copy-id copy the public key or the private key? I assume the public key...22:15
p1l0tn/m i guess it copies whichever one you tell it to :P22:16
p1l0tq22:17
erichammondp1l0t: According to the manpage ssh-copy-id does not copy the private key.22:19
erichammondI wasn't aware of that command.  I've been using one I wrote a very long time ago which I named "ssh-trustme" :)22:20
p1l0tlol a great name22:20
CppIsWeirdi just tried installing ubuntu-xen-server and it says it cant be installed because one of its dependencies cannot be found, xen-tools. if i install xen-tools from source will the ubuntu-xen-server package see this and install?22:35
CppIsWeirdif i install xen-tools from source will the ubuntu-xen-server package see this and install?22:39
=== lifeless_ is now known as lifeless
qman__CppIsWeird, not unless you compile it into a package, name the package xen-tools, and give it a version number the ubuntu-xen-server depends on22:46
qman__if you must compile from source, you're better off installing the distribution package first, and then installing the source version to /usr/local or /opt or something22:48
giovaniCppIsWeird: my understanding is that xen support has been almost dropped from ubuntu22:49
giovaniin favor of KVM22:49
jmedinawhat happens with xen?22:50
* jmedina uses xen everyday in ubuntu server22:50
giovanijmedina: it's not actively supported anymore, it appears22:50
giovanihttps://bugs.launchpad.net/ubuntu/+source/xen-tools/+bug/53891722:50
uvirtbotLaunchpad bug 538917 in xen-tools "xen-tools is not available in lucid" [Undecided,New]22:50
giovanithat was from months ago22:51
giovaniand xen-tools still isn't in lucid22:51
qman__it gets left up to universe/multiverse, I guess22:51
qman__if someone wants to update the packages, they'll update, otherwise nothing will happen22:51
jmedinabut it is so easy to install xen-tools, you dont even need to compile, they are only bash and perl scripts22:51
jmedinahere the steps22:52
jmedinahttp://tuxjm.net/docs/Administracion_de_Servidores_Virtuales_con_Xen_y_GNU_Linux/html-multiples/ch04s06.html#id60824022:52
jmedinait works in hardy and lucid22:52
giovanijmedina: well, the fact that it's a depend, and missing implies that support is dropping22:52
qman__yeah22:52
giovaniand that it may be completely untested, since you can't even properly install it through apt-get22:52
qman__the fact that the package is missing means that you can't just apt-get install it22:52
jmedinaah ok I understand22:53
jmedinafor lucid I prefer to compile xen 4.0.x and kernel 2.6.31.13 with PVOPS22:53
jmedinait is not that hard22:53
jmedinaI always compiled xen by hand, since dapper22:54
giovaniyeah, the point is simply this: working != supported22:54
jmedinabut I never was, well only by community22:54
peeps[work]giovani, i'm still looking into amazon s3.  are there any particular tools you use to keep your data synced up, or do you upload files manually or what?22:54
jmedinafor this "unsupported" things I prefer to go upstream22:55
jmedinaI like KVM but my customers still have a lot of servers without hardware virt support22:55
serverhorrorpeeps[work]:  there's an rsync based tool. but I forgot the name (of course). It'll encrypt your backups and all (incremental, full, differential - if scripted properly from the command line...)22:59
serverhorrorpeeps[work]:  duplicity :)23:01
serverhorrorpeeps[work]:  (if you want to look into an alternative from S3 you might want to use rackspace and their cloudfiles storage. Not quite as cheap but your trust level might be better with them - and no, I'm not an employee nor affiliate of rackspace...)23:02
p1l0tSo RSA authentication now works... All I have to do is turn off password authentication for SSH23:15
p1l0tsomewhere in sshd_config I imagine...23:17
p1l0tPasswordAuthentication no /*without the # maybe*/23:19
serverhorrorp1l0t:  sudo grep -ri password /etc/ssh/sshd_config23:19
p1l0tserverhorror: thanks23:19
serverhorroror rather without sudo. sshd_config is IIRC world readable. Though I have no idea why that actually is the default...23:20
KeyBoardx86Hello everyone23:20
=== serverhorror is now known as everyone
everyonehello KeyBoardx8623:20
=== everyone is now known as serverhorror
KeyBoardx86Is anyone here that might help me with a good tutorial to setup a Ubuntu Server as a PDC, right now I'm using a Windows 2008 server running DHCP Server, DNS Server and Active Directory , and I would like to change to Ubuntu server with the same services23:22
qman__KeyBoardx86, good luck with that23:22
qman__samba 3 is on a hybrid windows NT/2003 level23:22
serverhorrorKeyBoardx86:  impossible, samba can't act as an AD yet23:22
qman__wait for samba 423:23
p1l0tDoes it really need to be a PDC? You could do all the other things anyway23:23
serverhorrorPDC _is_ perfectly fine. What you can't get from it is the actual AD stuff.... (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id2564237)23:24
qman__yeah23:25
qman__basically, it runs Windows NT style domains23:25
KeyBoardx86Well what I would like to do is a server that can act as Windows 2008 server23:25
qman__but supports all the other features on a level with 2003/200823:25
serverhorrorKeyBoardx86:  define "Windows 2008 Server"23:25
KeyBoardx86'cuz right now I have 3 server, 1 is running Untangle, the other 2 runs Windows. (one is a PDC server and the other one is a File Server)23:26
qman__you need to specify what features you need, specifically23:26
p1l0tKeyBoardx86: You can do dhcp, dns and share folders and whatnot23:26
serverhorrorKeyBoardx86:  are you referring to a file/print server? if so. Just install samba point it to the "real" windows server to handle authNZ and be done. Otherwise: impossible...23:26
qman__if you use group policy at all, you're SOL23:26
KeyBoardx86ok , let me try to specify, sorry for my english .. I'm from Colombia23:26
KeyBoardx86in the first server (Windows 2008 that is acting as PDC server ) I'm running, Active Directory, DHCP Server and DNS Server...23:27
p1l0tYour english is fine23:27
qman__yes, but what are you using AD for? what features do you need?23:27
KeyBoardx86that's the one that I want to replace with Ubuntu Server but I'm afraid that I will not able to add the second Windows Server (that is acting as File Server)23:28
serverhorrorKeyBoardx86:  (My Opinion) Honestly, if you do have Active Directory in place with Windows stay with that for the AD/DNS part. Use Samba for file/printer/whatnot sharing. But keep the Active Directory on Windows - that'll save you a lot of headaches (and possibly your job)23:28
KeyBoardx86I'm using AD to create the organizations and users23:28
qman__then, the short answer is, it can't be replaced with linux (yet)23:28
KeyBoardx86serverhorror, thx for the advice23:28
KeyBoardx86mmm Ok... gotta23:29
qman__samba 4 will be able to do that23:29
qman__but it's still in alpha stages23:29
qman__incomplete, buggy, unsupported23:29
KeyBoardx86samba 4 will be able to act as AD?23:29
jjohansenmathiaz: https://launchpad.net/~kernel-ppa/+archive/ppa23:29
qman__yes23:30
KeyBoardx86cool, well so I believe I have to wait for that23:30
KeyBoardx86has anyone here heard about eBox?23:30
p1l0t!ebox23:31
ubottuebox is a web-based GUI interface for administering a server. It is designed to work with Ubuntu/Debian style configuration management. See https://help.ubuntu.com/community/eBox23:31
KeyBoardx86so eBox and webmind will be the same almost?23:31
KeyBoardx86!webmind23:32
qman__!webmin23:33
ubottuwebmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system. See !ebox instead.23:33
serverhorrorKeyBoardx86:  only mention I found is in the ubuntu server guide. But I don't have an especially high opinion on those GUI interfaces to manage a server....seems all so cpanel like. I rather go with puppet and the recipes crafted to the requirements _I_ (read: my company has) have...23:33
KeyBoardx86Does Ubuntu-server come with its own GUI Interface?23:34
qman__yes, I am also not fond of these types of systems23:34
qman__no23:34
clustyhey23:34
serverhorrorqman__:  no?23:34
qman__you can install one, but there is no point23:34
KeyBoardx86Ok, well guys thx anyway for all the information...23:34
serverhorrorqman__:  well...that depends :)23:34
KeyBoardx86so I might need to wait for Samba 423:35
clustyi cannot access my smb share (bad password). do i still need to set a separate smb psswd?23:35
clustyi thought these days it used the unix password23:35
qman__serverhorror, he asked if it comes with one, and it does not23:35
serverhorrorclusty:  depending on your configuration, (smb passdb backend - but the way you phrase your question the answer for your problem is probably yes, see "man smbpasswd")23:36
qman__clusty, you have to set one with smbpasswd23:36
qman__it synchronizes it with the unix password23:36
qman__but it doesn't automatically create it23:36
serverhorrorqman__:  right, but the server doesn't come with ldap/krb either :)23:36
clustyqman__: as in if smbpasswd will change my unix password23:36
clusty?23:36
p1l0tno23:36
qman__once an smbpasswd is set23:37
qman__every time you change your unix password, it will change your smbpasswd too23:37
clustythanks23:38
clustythat was it23:38
clustyqman__: does it do it through PAM?23:38
qman__libpamsmbpass23:38
qman__is what provides the feature23:38
clustygreat23:39
clustythanks23:39
serverhorrorsmbpasswd...it does that? I guess I really need to (a) streamline our server OSs and (b) reread all the (config) manpages. *sigh* again it's been only 2 or 3 years since I last updated the basic stuff :)23:39
jmedinait is possible to build an AD-like solution with lucid23:40
qman__truthfully, I'm surprised we still have this problem23:40
qman__but it won't create an smb password for you23:40
qman__it will only update one23:40
jmedinayou can integrate samba+openldap for domain controller using NTLM (almost deprecated in win7) and then you run kerberos to do SSO23:40
jmedinaalmost everything is in the server guide23:41
qman__it is actually deprecated23:41
qman__you have to change some security settings in the policy and registry23:41
jmedinaif you want something easier try zivios23:41
serverhorrorqman__:  probably because it wouldn't make any sense to initially set a password for uses having a hash in /etc/shadow upon installing samba23:41
serverhorrors/uses/users23:41
jmedinaqman__: yeap, I have some squid3+AD systems, and they all use AD integration using samba+winbind+kerberos23:42
qman__serverhorror, that's true, but users added after the fact don't get smb passwords, or at least didn't last time I set one up23:42
serverhorrorqman__:  can't comment on that. I can't even remember whether our ldap server initially was woody or sarge :) (yeah, sorry it's debian I'm looking for a corner to hide in our office...) :)23:43
qman__jmedina, yeah, I had a windows 2000 printer server because I couldn't get samba to make the magic print$ share work right, and soon as I got a windows 7 client, it was an event getting it to play nice23:44
serverhorrorqman__:  hmmm I've recently tried to write an article for linuxgazette.com. And I have a print$ config (with all the whizzbang Printer Config Windows Wizard in XP/Vista/7 working....)23:45
serverhorrorqman__:  but it's 0045am here. If you want me to I could send you a paste of the config parts plus some comments "tomorrow" depending on the time zone of course :)23:45
qman__I think it had more to do with the specific printer drivers than the share configuration23:45
clustydo you guys have experience with making samba advertise its shares via avahi?23:46
serverhorrornope sorry23:47
qman__I don't really know anything about avahi23:47
clustymade it advertise AFP23:47
jmedinaI just know how to disable it23:47
clusty:D23:47
qman__mine all just show up as windows shares23:47
clustyfor once i need avahi23:47
serverhorrorI just know that I usually kill everything I use with .local (or .localdomain or something like that)23:47
clustyonly thing to do, is to figure out how to make my DNS zone file proper :D23:48
clustythanks for your help23:48
qman__I once had to get a windows AD DNS zone up on a BIND server, because the windows server crashed23:49
qman__the zone was invalid, had to fix a few records23:49
serverhorrorhmmm why would I even want to deal with "if the primary (or unique) key does not exist: insert the new row _or_ if the primary (or unique) key does exist: do nothing" <- couldn't i just insert, and if it chokes ignore that stuff? (sorry some blog post just came up)23:49
qman__only if you can be certain that an invalid insert won't change anything23:50
qman__now, and forever into the foreseeable future23:50
clustyserverhorror: guess it's uncool not handling an error23:51
clustycause your insert could choke cause server is down23:51
serverhorrorqman__:  the way I read those 2 requirements, the second could never happen, since it would violate a unique constraint. Thus throwing some error back to the application. So I simply insert and if my database tells me constraint violation I'll just catch that exception and do whatever is appropriate...23:51
serverhorrorclusty:  what happened to "it's better to ask for forgiveness than for permission" (something like that - not a native english speaker so I might as well misquote)23:52
serverhorrorclusty:  and hopefully any sane language will let me (somehow) differentiate between a host unreachable, port unreachable, no route and/or uniq constraint violation....23:53
serverhorror<rant>don't know about PHP though...</rant> :)23:54
clustyserverhorror: well if we are speaking hypothetical, you could run a big fat sql script23:54
clustyyou don't want it choking in the middle23:54
serverhorrorhmm yeah right that's a point :)23:54
serverhorrorbut I have rollbacks and transactions :)23:54
oettingerHi23:55
clustyi know for a fact PG can ignore errors and just go on23:55
oettingerDoes anyone have time for a dist upgrade question?23:55
=== serverhorror is now known as anyone
anyoneoettinger:  definitely maybe23:55
=== anyone is now known as serverhorror
oettinger:) sounds good.23:56
oettingerI just did a "sudo do-release-upgrade" on our web/database server23:56
oettingerIt looks like everything went well (so Yay ubuntu). But...23:56
serverhorror.oO(drumroll)23:57
oettingerI was hoping that my php would be upgraded to 5.3.x23:57
oettingerbut a phpinfo() and "$ php -version" still shows 5.2.x23:57
serverhorrorapt-cache policy php5 php # will tell you where it installs from. And apache needs to _restart_ to get the new php version23:58
qman__my one server running lucid is on php 5.3.223:58
qman__and that was upgraded from hardy23:58
oettingerjacob@trabant:~$ apt-cache policy php523:59
oettingerphp5:23:59
oettinger  Installed: (none)23:59
oettinger  Candidate: 5.2.10.dfsg.1-2ubuntu6.423:59
oettinger  Version table:23:59
oettinger     5.2.10.dfsg.1-2ubuntu6.4 023:59
oettinger        500 ftp://mirror.hetzner.de karmic-updates/main Packages23:59
oettinger        500 ftp://mirror.hetzner.de karmic-security/main Packages23:59
oettinger     5.2.10.dfsg.1-2ubuntu6 023:59
oettinger        500 ftp://mirror.hetzner.de karmic/main Packages23:59
p1l0t!flood | oettinger23:59
ubottuoettinger: For posting multi-line texts into the channel, please use http://paste.ubuntu.com | To post !screenshots use http://tinyurl.com/imagebin | !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic.23:59
clustyno flood kick?23:59
oettingernope. But a warning i think :) (irc noob)23:59