/srv/irclogs.ubuntu.com/2015/11/04/#ubuntu-server.txt

tewardis it usual for a postfix server that basically acts as a 'forwarder relay' (i.e. address1@domain.net is emailed, postfix forwards it to myaddress@otherdomain.net) to get its messages flagged as 'spam' or 'Suspicious' by Google?  (mail server is mailserver.yetanotherdomain.xyz, if it matters)00:04
=== Lcawte is now known as Lcawte|Away
=== dw2 is now known as dw1
Logos01Howdy, folks. I've a bit of a mixed environment here; I'm trying to set up centralized authentication using sssd/krb against my company's AD servers.02:08
Logos01My configuration works perfectly on rhel/centos but on the ubuntu 14.04 box I'm working on, I can't seem to successfully authenticate as any domain users.02:08
Logos01The accounts get created; I can su - ${domain_user} -c "kinit" all day long.02:09
Logos01But what I *can't* do is sudo -l w/ password enabled or ssh into the user account; those sorts of things.  What am I missing?02:09
=== xar is now known as xar-
maddawg2logos do you have it set to allow AD users to login03:26
maddawg2i can't remember exactly where that is but there's a setting to allow them to login locally03:27
maddawg2let me see if my work machine is on03:27
Logos01maddawg2: I do have it set to allow AD users to login.03:27
Logos01maddawg2: It's the same configuration I'm using on CentOS/RHEL and it works perfectly there.03:28
Logos01Here, I cannot successfully perform any transactions which require the passwords from the domain users.03:28
maddawg2kinit testuser@DOMAIN.COM03:28
Logos01Works perfectly.03:28
maddawg2hmmm03:28
maddawg2strange03:28
Logos01It's only when I do password transactions through PAM that it's failing.03:28
Logos01I've turned up sss_debuglevel to see if something stands out...03:31
Logos01I've noticed "[get_and_save_tgt] (0x0100): TGT validation is disabled." which seems suspicious03:31
maddawg2have you checked the DC logs?03:35
maddawg2to see if anything is erroring there03:35
maddawg2or if it'll log invalid attempts of sorts03:35
Logos01maddawg2: Oh, I know, but I don't have access to those.03:35
maddawg2oh03:36
maddawg2well those might be more helpful03:36
Logos01... now this is interesting, considering I have caching disabled:03:37
Logos01[sss_krb5_check_ccache_princ] (0x0020): krb5_cc_get_principal failed.03:37
=== Ursinha-afk_ is now known as Ursinha
=== Ursinha is now known as Guest82331
=== inaddy is now known as tinoco
=== rsalveti_ is now known as rsalveti
=== broder_ is now known as broder
=== tgm4883_ is now known as tgm4883
=== justizin_ is now known as justizin
=== Guest82331 is now known as Ursinha
=== Ursinha is now known as ursula1234
=== Guest46854 is now known as Uptime
=== ursula1234 is now known as Ursinha
=== ggherdov`_ is now known as ggherdov`
Logos01Reporting in with success: The problem was the sssd binary version.04:36
Logos01Ubuntu 14.04 ships with 1.11.x; el7 has 1.12.x04:36
Logos01Thankfully there is a PPA ( https://launchpad.net/~sssd/+archive/ubuntu/updates ) -- associated fairly decently with reputable sources.04:37
Logos01Correction: I can authenticate as one user. The user that joined the server to the domain.04:44
Logos01Huh. I managed to somehow only upgrade one part of the sssd suite.05:00
=== dcmorton_ is now known as dcmorton
jonahhi can anyone please help. I've been trying to configure my server for a week or so and in the end got a bit fed up and ordered a static ip from my ISP. The server is working well and it was working before I got the static IP - but I wanted to add virtual hosts and use my own nameservers so I could have other domains resolve to it. Could anybody please help me to put my new static IP in there correctly? I have webmin installed too07:27
jonahmy router gives my server the ip 192.168.0.10007:28
jonahI have NOIP.com working so my main domain loads up a page from my server07:28
jonahbut I can't get any other domains to work which is why I thought I'd best order a static IP07:29
adun153I dont have a lot of time, but MIGHT be able to give you some tips. What exactly do you need?07:45
adun153How to configure static IPs?07:45
adun153jonah07:45
jonahadun153: thanks - well i have the static ip but it's just getting my server to use it correctly and set up nameservers...07:46
adun153jonah: What type of router do you have?07:47
jonahadun153: i don't want to put the static in the wrong place and overwrite the current local network settings as my router gives my server its local ip - but i want to use my isp static ip for the outside and for nameservers07:47
jonahadun153: i have an asus ac68u07:47
jonahadun153: but that is already working well and i can access my server on 198.168.0.100 and internet works etc07:48
adun153also, #networking might be able to help as well, as this is mostly a networking issue.07:48
jonahadun153: but if you look at my domain dns check http://intodns.com/hostingyorkshire.com07:48
adun153Ah, a home/office router.07:48
jonahadun153: it says my nameservers aren't set right - yeah office router07:48
adun153You need to configure your router's WAN interface to use the static IP.07:49
jonahadun153: even though it gets it ok dynamically at the moment?07:49
adun153Yes.07:49
jonahadun153: ok thanks07:49
adun153I'm assuming that the static IP and the current DHCP'ed IP are in the same network?07:50
adun153Should be07:50
jonahadun153: yes07:50
adun153So yep, what I said, you need to do that.07:50
adun153Of course, your nameserver(s) are behind the router, configure the router to port forward incoming port 53 TCP and UDP to your nameservers on your internal network.07:51
jonahadun153: ok so i'm in the router admin and can change it from automatic to static ip but then there are three boxes to fill in. ip address, subnet mask and default gateway!07:52
adun153You don't need ns2.hostingyorkshire.com. as well, since you only have one IP address and nameserver anyway.07:53
adun153Just obtain the subnet mask and default gateway values from the DHCP'ed address.07:53
jonahadun153: i just added the second one due to my domain registrar requiring two nameservers07:53
adun153I see. No need to, then07:53
jonahadun153: is there a linux command to grab those subnet mask and default gateway values? and then I guess i just put the first option of IP address as my static one? or is that the router default gateway?07:54
adun153Yes, the IP address is the static address07:55
adun153you can't see the subnet mask and gateway from the router's web interface? That should be viewable07:56
adun153And no, there is no command you can run from your server/desktop/laptop to check, as the NATting is transparent to your computer07:57
adun153only the router can really "see" the outside network.07:57
jonahadun153: it won't let me set the default gateway... it says i can't use the IP - not sure how to find my default gateway...07:59
adun153jonah: Is there really no "screen" where you can see what IP address and network settings your router uses when it uses DHCP?08:01
jonahadun153: the front router screen gives me the default gateway as the same as my static ip but when i put that in on connection settings it says they can't be the same... are you sure i need to set this up manually as the router is grabbing the static ip etc ok, i just need it to work on the server?08:02
adun153The default gateway and the static IP CANNOT be the same address.08:03
adun153The default gateway is a router managed by your ISP.08:03
adun153The static IP should be your router's address. That address should be on the same network as the default gateway.08:04
adun153If when your router uses DHCP, and uses your "static IP address" as the default gateway, then clearly, your ISP gave you a wrong address to use for your static IP.08:05
jonahadun153: hi sorry i totally lost my internet and had to go back to automatic ip setting on the router!08:26
adun153jonah: I see08:27
adun153You should probably contact your ISP08:27
adun153Tell them that the Static IP they gave you is your network's gateway.08:27
jonahadun153: thanks will do08:29
Danny2Hey guys, question: I have a server and I have just added a new IP to it (it was provided by my host), it is bound to eth0:0, and I have a git server on my other IP, now the new ip goes to my git server for some reason, so I was wondering how would I go about making apache listen to that IP09:22
Danny2^ the server I use runs Ubuntu 14.0409:24
Danny2?09:28
hateballDanny2: you configure that in the settings for the website in question09:30
Danny2hateball: what do you mean?09:30
hateballDanny2: the virtualhost section09:31
hateballDanny2: see https://httpd.apache.org/docs/2.2/vhosts/examples.html09:31
Danny2but my git server is nginx, and I want to then have apache running my website?09:31
hateballyou were the one talking about apache09:31
Danny2yeah I am, I have nginx running the git server on the main IP, and I want the apache server running on the new IP?09:32
hateballI am not sure if you are asking if you want to, or if you're asking how to09:33
Danny2I am asking how to09:33
=== Lcawte|Away is now known as Lcawte
hateballYes, so you edit the config for your websites, under /etc/apache/, as per your liking09:37
hateballreplace *:80 with your.ip.here:80 or whatever you like09:37
Danny2hateball: see this is not in my apache2.conf file? I can't find it at all09:39
hateballDanny2: No, the config for your website. Is this just a default install of apache?09:39
Danny2hateball: errr yeah it is? I just installed it and then I have a www folder to but stuff in?09:40
Danny2put stuff*09:41
hateballDanny2: Well the config for the website is in /etc/apache/sites-available/ or sites-enabled09:41
hateballmost likely called 000-default or some such09:41
Danny2hateball: I have 2? 000-default.conf and default-ssl.conf09:41
hateballSo... you edit that, and reload apache, and it should bind to the desired interface09:41
hateballDanny2: Yes, are you using SSL?09:41
hateballThen you will need to edit them both09:42
Danny2Maybe? I am not sure, it was a while ago I added apache209:42
Danny2but I shall edit both09:42
hateballWell, you're unlikely to have setup SSL with a fair bit of crying so it would have left scars that you'd remember09:42
hateballWithout, that is09:43
Danny2hateball: I just remember having to mess with it a lot, but I get this error:  * Restarting web server apache2                                                (98)Address already in use: AH00072: make_sock: could not bind to address [::]:80 (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80 no listening sockets available, shutting down09:44
hateballDanny2: yes, most likely because nginx is already binding to *:80 as well09:45
Danny2Oh, so err, how do I do that?09:45
hateballWell you'd need to tell nginx to use a dedicated interface, and apache another09:45
hateballI don't remember nginx config offhand, I am afraid09:46
Danny2hateball: I.. err.. how do I do that?09:46
Danny2Oh hmm09:46
Danny2tbh when I installed git, it was a pain getting it to work...09:46
Danny2Okay so my next question, is anyone good with setting up virtual hosts using nginx?09:56
Michael_phi10:44
=== Lcawte is now known as Lcawte|Away
=== Lcawte|Away is now known as Lcawte
=== Piper-Off is now known as Monthrect
=== Monthrect is now known as Piper-Off
=== Piper-Off is now known as Monthrect
locodir-userwhen I execute "service xinetd restart", there was no message12:30
locodir-userI want to see a message "OK" or "FAIL" something like that12:30
locodir-userHow to resolve it?12:31
DulcinHi, I'm wondering, if I run 'hostname -f' it returns 'localhost' instead of the FQDN12:35
DulcinWhere did I go wrong?12:35
asacany idea where i can find the package manifests for:12:48
asac* vanilla Ubuntu server as installed with D-I or other installers * Ubuntu images on the cloud (it's not "Ubuntu Cloud" it's just "Ubuntu12:48
asacServer") * LXD images * Ubuntu installed by MAAS12:48
asac?12:48
asacsmoser: ?12:49
ogra_asac, the first one is in the seeds branch12:50
ogra_asac, bzr branch lp:~ubuntu-core-dev/ubuntu-seeds/ubuntu.xenial/12:51
ogra_no idea about the latter two though12:52
asacogra_: do you highlight my nick :) ... or do you read all channels you join all the time? :)12:52
asacogra_: the manifest is in the seeds branch? thought would guess the seed does not include all the implicit dependencies12:52
ogra_i skim over the channels with activity while waiting for tasks to finish (launchpad in this case) ;)12:52
ogra_asac, the seed is indeed the input and doesn't show all deps, for that you can use the cdimage manifest file12:53
ogra_or run germinate manually to generate a table with deps12:53
asacright. looking for the real exploded manifests12:54
asacso i can diff them :)12:54
ogra_asac, so beyond cdimage there is http://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.xenial/12:55
ogra_http://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.xenial/server is the base12:55
ogra_http://cdimage.ubuntu.com/ubuntu-server/daily/current/ has the image manifests12:56
ogra_the .manifest file has the actual rootfs contents for a basic server, the .list files show what's in the archive pool on the CD for additional tasks you can install12:57
asacogra_: ack... so the manifest is exactly what you get when you don't select more tasks?13:01
ogra_asac, right13:11
placeedHi all, I have a keystone problem in openstack on my ubuntu server. Can someone help me?13:20
placeedSometimes, it stays blocked on /auth/tokens?13:20
placeedno result13:20
=== niedbalski_ is now known as niedbalski
smoserogra_, i'm pretty sure that manifest is not what you get "by default"13:35
smoserbut rather what is on the cd.13:35
smoserasac, ^13:35
ogra_smoser, manifest is what the squashfs contains, the squashfs content becomes your rootfs during install13:36
smoserthe cloud images have manifests next to them.13:36
ogra_if you don't select anything in tasksel that is all you get13:36
ogra_if you use tasksel to pick additional tasks the archive pool on the CD is used to install it13:36
smoserogra_, that's clearly not 100% true13:36
smoserthere's no 'linux-image' in that list13:36
ogra_i'm pretty sure it is13:37
smoseror grub13:37
ogra_no, that's d-i's job13:37
smoserwell, that's what asac is after.13:37
smoserwhat gets installed13:37
ogra_bootloader and kernel are not part of the rootfs13:37
ogra_as i understand from the mail discussion he referred to above he is after plain rootfs content13:37
smoseri don't know.13:38
smoseri didn't see the mailing list discussion.13:38
ogra_on snappy-devel13:38
smoserasac, for maas images, we dont have a manifest, but we could for sure provide one of what is in the -root.gz image.13:39
smoserhttps://docs.google.com/document/d/1w5EeGNXKhSrnJJ5JvXD3axiv5sGLBhEC_v1KVyba3Rg/edit#13:39
smoserhas information on what is different. maas images are cloud image + a hardware kernel installed.13:40
smoserbut similar to the iso manifest if you actually do an install, other packages might be added (like lvm or things of that nature)13:41
ogra_yeah, that wont help with snappy :)13:42
smoseryou have link ?13:43
smoserto the discussion?13:43
ogra_https://lists.ubuntu.com/archives/snappy-devel/2015-November/001193.html13:43
ogra_smoser, mark wants full unification between all images it seems13:44
ogra_so first we need to find all the differences in a default install :) that's what asac does atm i guess13:44
smoserogra_, yeah.  i've seen this before.13:45
smoservery much, differences amongst them all (server iso install, "maas image", cloud image) all can be considered "hardware enablement".13:46
smoserthe changes are few. i've had problems showing that clearly in the past.13:46
ogra_well, i'm not sure i want a server install to drive my drone13:46
ogra_what i'm 100% sure about is that i don't want 2-minute long boots with 50sec cloud-init doing nothing on an embedded device13:47
asacsmoser: ogra_: right. i am after the list of things that end up being installed14:07
asaci guess14:07
asacwell, also interesting to see the list of what is in the downloadable image14:07
asacbecause at best we would like to have ONE and only ONE14:08
asacacross all headless/smallish variants14:08
asacsmoser: you had problems showing the differences in the past?14:09
ogra_asac, yeah, that wont happen14:09
ogra_we can probably get down to a "most common denominator" that all of us use as base14:10
asacso what i think would be lovely is if we could consolidate everything to start off with a single unified image14:10
asacthen if there is need to add stuff for the various variants, that could be done in a clearly defined second step14:10
ogra_which theoretically was always supposed to be "ubuntu-minimal"14:10
smoserasac, i've had problems describing differences.14:10
smoserrunning 'dpkg-query --show' and comparing output from amd64+uefi+lvm to amd64+mbr to arm64+uboot to lxd just is not useful.14:11
urthmoverI have created 4 servers using 14.04.  Each server has two NICs statically assigned (one NIC for public and the other for private). 3 of the 4 can ping each other and one cannot ping the other three.  The other NIC on each server is pingable to/from all 4 servers.  Will someone take a moment to help me triage this?  route -n on each server is identical.  The static ip assignments on the problematic server look accurate14:22
urthmoverhttp://hastebin.com/usotarajob.hs14:22
tewardurthmover: suggestion: stick to one channel, and have patience, don't crosspost.14:25
urthmoverteward: do you think that my issue is better suited for server or vanilla ubuntu?14:25
urthmoverteward: Do you think there is a udev issue?  udev seems strange in 14.0414:25
tewardwhy would you assume it's a udev issue?  I don't see anything here that suggests udev is at fault.  I believe that this is better suited for *this* channel14:26
tewardsince you're working with server installations and such14:26
tewardhave patience for someone who can help out to come along :)14:26
urthmoverteward: I'm trying not to assume anything.  In the past I had strange network issues when udev was involved...that's why I brought it up14:27
* urthmover kicking back14:27
TJ-urthmover: shame hastebin requires google Javascript to show the content14:27
urthmoverteward: do you think I provided enough information at this point?14:28
tewardurthmover: I think you should first consider using our pastebin instead.  paste.ubuntu.com14:28
urthmoverTJ-: hmm which paste service do you like to use?  I'll gladly use something else14:28
tewardand then have patience, TJ- might be able to help though14:28
* teward goes back to kicking nginx code14:28
urthmoverTJ-: http://pastebin.com/LSwMAaxV14:30
TJ-urthmover: I dunno! I just get sick of a simple text paste requiring javascript to display anything, especially when there's also obvious activity tracking as a side-effect. http:/paste.ubuntu.com is well-behaved I think :)14:31
TJ-urthmover: The first thing I'd do is on the server you're pinging, run "tcpdump -ni eth1 icmp" and check if it receives the pings, and if it sends replies. Then I'd look at the firewall rules on both.14:32
urthmoverTJ-: good suggestion...trying that now...in the meantime I've included an updated pastebin with another server that can ping istack2 http://pastebin.com/4JDzny6p14:35
urthmoverI'm having trouble pinging 10.43.201.0/24 out of istack1.  So I believe that I should be running "tcpdump -ni eth0 icmp" ?14:36
TJ-urthmover: are these servers all connected to the same switch/VLAN ?14:36
urthmoverTJ-: yes14:36
TJ-urthmover: there is no such address as 10.43.201.0/2414:36
=== arcsky_ is now known as arcsky
urthmoverTJ-: that is true.  I am pinging 10.43.201.1214:37
TJ-urthmover: can istack1 "ping -nc 5 4.4.4.4" ?14:37
urthmoverI get no output using 'sudo tcpdump -ni eth0 icmp' on istack114:38
TJ-urthmover: no, you'd run it on the *target* server, and set the '-i eth0' to be the LAN interface14:38
TJ-urthmover: and 4.4.4.4 is dud! use 8.8.8.814:39
urthmoverTJ-: ah ok...tcpdump is a capture tool...thanks for the suggestion...trying tcpdump on istack2 and then pinging from istack1 again14:39
urthmoverTJ-: yeah I got nothing on 4.4.4.4 (I haven't tried that ip in quite a while :))14:40
TJ-urthmover: more importantly, can istack1 "ping -nc 5 8.8.8.8" ?14:40
urthmoveristack1 CAN ping 8.8.8.8  so its public NIC is working....I'm also ssh'ing into it14:40
urthmoverTJ-: trying the tcpdump14:40
TJ-urthmover: OK, so not got the ports mixed up :)14:40
RoyK8.8.8.8 and 8.8.4.4 work well14:41
TJ-urthmover: if istack2 sees no packets: check istack1 with iptables. if sees ICMP but doesn't reply: check istack2 route/iptables. if istack2 replies check istack1 iptables14:42
urthmoverTJ-: tcpdump on istack2 is not picking up any icmp packets arriving from istack1 when I ping it from istack1.  istack2 DOES capture icmp when I ping istack2 from istack3 though...so I know tcpdump is working14:43
urthmoverTJ-: ok I'll start tcpdump on istack1 and ping it from istack214:43
TJ-urthmover: right, so iptables on istack1. And also check the NIC itself is active/alive14:43
urthmoveristack1 shows no captured packets when I ping it from istack214:44
urthmoverTJ-: so packets do not appear to be arriving either way between istack1 and istack214:45
TJ-urthmover: any firewall rules/policy set on istack1 ?14:45
urthmoverTJ-: packets do arrive between istack2 and istack3  so this points to an issue solely on istack1  possibly14:45
TJ-urthmover: yes, I concur. istack1 is/has the problem.14:46
urthmoverTJ-: when I disable ufw on istack1 , I am not capturing any incoming icmp packets from istack214:47
urthmoverTJ-: I just double checked that I AM on the same portgroup vlan as istack214:47
urthmoverTJ-: although I am not opposed to rebuilding istack1 from a default 14.04 install, I just did yesterday wanting to start with a fresh build today14:48
TJ-urthmover: ignore UFW! use "sudo iptables -nvL" and check the default table policies even if there are no specific rules14:49
urthmoverTJ-: pm14:51
urthmoverTJ-: trying sudo iptables -nvL14:51
TJ-urthmover: I have PMs disabled :)14:51
urthmoverTJ-: heh ok...well I was hoping to send to login creds14:52
tewardurthmover: Security 101: Don't give people you don't personally know or trust logon credentials14:53
tewardever14:53
urthmoverteward: this is an isolated environment on a server network that I'm willing to burn down14:53
urthmoverteward: usually I would agree but this is a special case14:53
TJ-urthmover: as istack2 wasn't seeing anything inbound, you'd have to assume any istack1 netfilter rule would be on the OUTPUT table14:54
urthmoverTJ-: http://pastebin.com/KATMe7Am14:54
TJ-urthmover: nothing there; but the packet counters are indicating some traffic14:57
urthmoverTJ-: http://pastebin.com/bEiQbcPU14:57
urthmoverTJ-: wtf now I can ping istack1 from istack214:58
TJ-which system were those 2 pastes from?14:58
urthmoverTJ-: oddly only in one direction are packets flowing istack2 -> istack114:58
urthmoverTJ-: same system...first paste was with ufw disabled second paste was with ufw enabled14:59
urthmoverTJ-: whoops I'm wrong.  so sorry15:00
urthmoverTJ-: I was pinging itself because I moved my panes around15:00
urthmoverno ping either way istack1 <-> istack 215:01
TJ-urthmover: I suspect the hardware15:03
urthmoverTJ-: I have begun continuous pings from istack1 -> istack2 and tcpdump on each server pointing at each other15:03
TJ-urthmover: can you port-mirror istack1 LAN port on the switch to another system and check if istack1 is sending anything?15:04
urthmoverTJ-: ok I think you are right...but I wanted to exhaust everything possible.  The strange part is that I have 2 other dev servers using the exact same vlans, same os, similar static networks...15:04
urthmoverTJ-: unfortunately I don't have any visibility on the switching layer.  This is a partially hosted environment.  All I get to do is specify the vlan that each nic uses :(15:05
TJ-urthmover: find out what the NIC chipset is; maybe use ethtool to check it isn't in a power-save state15:07
urthmoverTJ-: I'm using the paravirtualized driver for all the servers called vmxnet3  when I compare ethtool between the istack2,3,4 and istack1 they are the same15:11
TJ-urthmover: OH! these are all VM guests?15:11
urthmoverTJ-: yes....do you have any others thoughts about things I can check?15:12
urthmoverTJ-: esx 5.515:12
TJ-urthmover: For some reason I thought you said / indicated they were bare-metal. In which case check the hypervisor network config!15:12
TJ-urthmover: I bet the LAN interface hasn't been connected to the LAN/VLAN bridge15:13
urthmoverTJ-: I have limited access to that ....it's a bastardized power user into vcenter.  the hypervisor shows link up on that vlan.15:13
urthmoverTJ-: I like your thinking with that....I have confirmed that it is link UP on that vlan15:13
TJ-urthmover: well there doesn't seem much else you can do without control of the 'physical' layer15:13
tewardurthmover: diagnosing is going to be tricky if you don't have 'root' on the Vmware ESXi hypervisor - I'd check with the sysadmin that does have access to that to check the network stuff15:15
urthmoverTJ-: holy sh*t......so I built another server istack5  and it CAN ping 10.43.201.11 but cannot ping 10.43.201.12,13,14  do you think there is some strange switching problems going on behind the scenes?15:15
TJ-^^hardware a.k.a hypervisor15:17
urthmoverTJ-: ok thank you I'll reach out to the network team in charge of that environment.  Thanks for all your help15:18
urthmovernetwork issues are so frustrating when you are blind15:19
tewardTJ-: blah, i forgot hardware and hypervisor aren't equated to each other :)15:20
* teward beats his head against the dictionary of tech jargon15:20
=== Monthrect is now known as Piper-Off
TJ-urthmover: makes me think someone changed the port association.  I wouldn't be surprised if you could ping istack1's LAN port from istack2's WAN port - with suitable changes to istack2's route table15:23
urthmoverTJ-: trying that now15:24
urthmoverTJ-: what would the route add statement look like?  route add 10.43.201.0/24 eth0 ?15:25
urthmoverTJ-: googling syntax  don't bother yourself please15:26
TJ-urthmover: something like "ip route add 10.43.201.12/32 dev eth0" - use istack1's LAN IP and the correct (WAN) interface name,15:27
sarnoldiproute2 packages finally have documentation these days, check out the ip-route manpage15:27
urthmoverTJ-: I CAN ping 10.43.201.11 from istack2 when I added this route on istack 2 'ip route add 10.43.201.0/255.255.255.0 dev eth0'15:28
* urthmover shakes head15:28
urthmoverTJ-: so do you mind explaining more what you think is going on here so that I can relay this more specifically to the network team?15:29
TJ-urthmover: OK, and .11 is istack1 is it?15:29
urthmoveryes 10.43.201.11 = istack115:29
TJ-urthmover: like I said earlier; the port is connected to the wrong bridge, it's on the WAN bridge, not the LAN15:29
urthmoverTJ-: ok thank you I'll explain our findings to them15:29
bmullan_@sarnold - I've found this iproute2 cheat sheet really useful... http://baturin.org/docs/iproute2/15:30
TJ-you're now routing from the WAN side of istack2 to the LAN side of istack215:30
TJ-you're now routing from the WAN side of istack2 to the LAN side of istack115:30
urthmoverTJ-: right15:30
urthmoverout eth0 (public) on istack2 into eth1 (private) on istack115:30
TJ-urthmover: which implies istack1 LAN and WAN are on the same bridge; I assume that new instance you spun up is likewise, which was why it could ping istack115:31
urthmoverTJ-: ok15:31
TJ-urthmover: "arp -n" on them all might make it a bit clearer15:31
urthmoverTJ-:  good suggestion I'll do that and include my findings15:32
sarnoldbmullan_: looks great, thanks :)15:33
wehdehas any here migrated m$ AD to openldap or apacheds?16:27
=== wmp is now known as Guest77113
=== Guest77113 is now known as wiuempe
hallynjdstrand: jjohansen: 'network ipv6' is a valid apparmor rule all the way back to trusty?17:04
hallyn(is there a table somewhere that shows what is valid where?)17:05
sarnoldhallyn: "network inet6," -- and it does work in trusty17:08
sarnoldhallyn: it should be the case that all AF_.... works with the AF_ stripped off and lower-cased17:08
hallynsarnold: ok, thx.17:12
urthmoveris there a way to clear the whole arp cache in one command?17:32
urthmoverarp -d * ?17:32
=== goosfraba2 is now known as goosfraba
PryMar56I have a vivid server (no X11). Any suggestions for a font list which is good enough to run kvm/qemu?17:56
PryMar56or geany editor?17:56
PryMar56I have only 1 freetype font now17:57
sarnoldhow do fonts figure into things?17:58
sarnoldfwiw I quite like the terminus font17:58
PryMar56sarnold, I still forward X, so some fonts are needed.. I know it seems strange18:06
sarnoldoh!18:06
sarnoldand you forward .. the qemu display or something? rather than ssh to that guest?18:06
PryMar56sarnold, yes18:06
Lord255hello.18:14
Lord255i have followed this tutorial: https://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-ubuntu-14.04-lts18:14
PryMar56I have ubuntu desktop to mine a font list from, or I would do that18:14
PryMar56^^ no desktop18:14
Lord255but when i try to login to squirrelmail i got an imap error and in the mail.log i can see that it says no such file or directory18:14
Lord255i saw many comments about this on the net but i don't know how to fix :\18:14
kriskropd_Does anyone here use rssh? I set up a user with -s /usr/bin/rssh and they are blocked from logging in to a shell,b tu when I try to sftp I receive exit code 1 and when I try to scp a single file from /tmp I receive the "This account is restricted by rssh." response18:52
kriskropd_s/b tu/but/18:52
jonahHi in the end I just got fed up with trying to get the dynamic IP working with webmin/virtualmin on my Ubuntu Server 14.04.3 - so I've now managed to get a static IP from my ISP. I just wondered if anyone knows what I need to change in webmin/virtual min to get this working? My domain currently isn't resolving with the nameservers I've tried to create: http://intodns.com/hostingyorkshire.com19:14
jonahthe domain did work with the dynamic IP before, but I was using NOIP.com nameservers and their dynamic dns service. Since trying to add my own nameservers myself I can't get it to work!19:15
jonahany help really appreciated. Thanks19:16
kriskropd_to my issue with rssh - never mind - it was easily remedied by modifying the rssh.conf19:28
TJ-jonah: it looks like the authoritative name servers for the domain aren't registered19:32
jonahTJ-: thanks TJ, I don't suppose you'd know how I get them setup or you could check my settings sound ok for me?19:33
jonahTJ-: i spoke to you last week I think and you helped me back then as my printer wasn't working on the server - at that point the domain was resolving on the dynamic IP but it seems there is always something wrong with my settings!!19:34
TJ-jonah: check with your domain registrar. your domain lists {ns1,ns2}.hostingyorkshire.com as the name servers, but those won't resolve because the registrar doesn't have their IP addresses configured.19:34
jonahTJ-: ah I see thank you I will ask them!19:35
TJ-jonah: when the same domain hosts its own authoritative nameservers, you/the registrar has to ensure the IP addresses of those hosts are independently entered in the TLD operators' DNS19:36
TJ-jonah: usually those are hosted on a different domain/server especially if you only have a single server instance for the domain19:37
jonahTJ-: thanks - is there a way I can update them or do you have to be a registrar to have access to that?19:39
TJ-jonah: most registrars have a facility in their domain management tools to do it19:39
jonahTJ-: thanks I can't find a tool in their control panel but I've submitted a support ticket so hopefully they'll get it sorted for me soon. really appreciate you helping me out. thanks19:43
acro458i have :  grep -o -P '(?<=5490val">).*(?=<span)' output.txt            This gives me:   100</span>              NOW HOW TO GET RID OF </span>19:53
TJ-acro458: please stop spamming multiple channels with the same question. Stick to ##linux19:56
sarnoldcan you use a real html or sgml parser instead? parsing html with regex is a pain that's bound to lead to more pain.19:56
acro458can you recommend one?19:59
sarnoldacro458: off this list https://en.wikipedia.org/wiki/Comparison_of_HTML_parsers  i20:02
sarnoldacro458: i've heard good things about beautiful soup, html::parser, and nokogiri20:02
sarnoldacro458: libxml2 seems to get a lot of use for xml, but i don't hear about it doing html often. it might still be good..20:03
kriskropd_acro458: I don't personally know of any good xml parsers - nearly all of them are picky about headers and will ignore any html parsing you give it - if you only need to parse html in batch only one time and are comfortable with regex, I suggest using awk - it's still terrible to use regex to parse html in the long run, but for quick, one-time jobs that's what I would do - after that I choose to use20:04
kriskropd_python20:04
TJ-In Python https://docs.python.org/2/library/xml.dom.minidom.html20:05
Semiartyhello, so I am root on my server, but I get permission denied when trying to get into for example /etc/login.defs, what could I be doing wrong?20:54
sarnoldwhat does it mean to "get into" a file?20:55
Semiartywell20:56
SemiartyI guess not into a file then20:56
Semiartyim trying to access that particular20:56
Semiarty"section"20:56
PiciSemiarty: how are you trying to access it?20:57
jonahTJ-: hi sorry to bother you but support replied and said I've got port 53 closed which is why my nameservers aren't working... I've tried to port forward it on my router but it still doesn't work. Do I have to do something else for bind to pick it up?21:08
sarnoldbe sure to forward both tcp and udp for port 53 if that's what you're doing21:09
jonahsarnold: yes forwarded them on my router as BOTH21:09
jonahsarnold: but I think I need BIND server to also listen on the port somehow?21:10
sarnoldbind does need to listen to whatever ports you forwarded to21:10
jonahsarnold: trying to Google it but my named.conf file seems different due to using webmin, do you know how I can get it to listen to the port?21:10
TJ-jonah: are you trying to host the domain at home, behind a NATing router?21:11
jonahTJ-: yes that's right21:11
jonahTJ-: tech support at my registrar just said to get port 53 unblocked as when they try ping it they can see that port it blocked...21:12
jonahTJ-: now i've forwarded the port on my router but it still doesn't seem to be working21:12
jonahTJ-: but i think i also need ot do something with BIND...21:13
jonahI've just got to take the dog for a walk so hope to be back in a bit if you have any ideas. Thanks TJ! and Sarnold!21:13
TJ-jonah: Yes, you'll need a named with a zone file that is SOA for the domain21:13
sarnoldyay happy dog walk time :)21:14
jonahTJ-: well I have a master zone file21:14
sarnoldfwiw i'd be hesitant to host dns behind a NAT.. can you get a few cheap cloud instances somewhere?21:14
jonahhaha love to walk the dog!21:14
patdk-wkwhat is *router*?21:14
patdk-wkis it one of these home things?21:15
patdk-wka lot of those can't handle udp packets correctly21:15
tarpmandon't most registrars provide a nameserver or two? i'm surprised at needing to host a nameserver at home...21:15
patdk-wkyou did forward udp and tcp both right?21:15
jonahpatdk-wk: well it is a decent one. AC68U asus21:15
jonahtarpman: it's just so I can pick up various domains with different providers and have them resolve back to my server on virtual hosts for different sites and cms stuff like owncloud etc21:16
jonahok dog is barking so i'm off for now thanks21:16
sarnoldteward: hey, we've been talking at our sprint about http2, we're not feeling like it's time to turn on http2 support just yet21:47
sarnoldteward: I know you were looking forward to turning it on for your next upload, but we'd really like it kept off for xenial. we can always sru it back to xenial after a few more releases have knocked out the worst of its issues21:48
jonahok back from the dog walk, was a good one!21:52
jonahTJ-: any ideas how I can get this master zone listening on port 53?21:53
TJ-jonah: just a regular bind config: configure zone files, test config, enable named service, start it21:54
jonahTJ-: haha is that all21:55
jonahTJ-: i have named.conf.default-zones named.conf.options and named.conf.local in my /etc/bind folder...21:57
TJ-jonah: have you started the service? is it currently running?21:58
jonahTJ-: when i do netstat -an | grep "LISTEN " i can see some port 53 stuff going on with LISTEN in red...21:59
TJ-jonah: "sudo netstat -ulnp | grep 53"22:00
jonahTJ-: 127.0.0.1:53   0.0.0.0:* LISTEN for example22:00
jonahTJ-: http://pastebin.com/iduwEbVS22:00
TJ-jonah: Haha! you've only got the daemon listening on localhost - it needs to listen on ALL interfaces to be accessible from the network22:01
jonahTJ-: oh dear22:01
jonahTJ-: how can i fix it?22:02
sarnoldfind the listen or bind or whatever line in the configs and tell it to listen to 0.0.0.0 or whatever specific address it should listen on22:02
TJ-jonah: "sudo grep listen-on /etc/bind/*" might help22:03
jonahsarnold: well I have various named.conf files I can edit in bind on webmin but just not sure which one I should add to and what I'm adding!22:04
sarnoldgrep is your friend, it'll show the one that's currently configured :)22:04
jonahsarnold: http://pastebin.com/iduwEbVS22:05
jonahTJ-: http://pastebin.com/QGC49puf22:06
TJ-OH! it IS listening on the other interfaces, named individually22:06
jonahsarnold: sorry i meant the last paste i just sent TJ22:06
sarnoldeww, how is named and dnsmasq both listening on 192.168.122.1:53?? something's gonna hate that :)22:06
TJ-how the heck are both dnsmasq and named on the same socket?22:06
jonahTJ-: but there is no mention of my static IP that my nameserver uses which is  87.81.172.17922:07
jonahsarnold: is that bad?22:07
sarnoldjonah: yeah; it's very nearly catastrophic for a dns server :)22:07
sarnolddns servers probably shouldn't have dnsmasq anywhere nearby, nor avahi.22:07
TJ-jonah: I really don't think you're equipped with the knowledge or skills to run your own DNS/servers; you're headed for disaster, possible compromise, at this rate22:08
sarnoldjonah: because you're port-forwarding, your NAT firewall will re-write the packets to actually be destined to whatever IP you configured in the forwarding..22:08
jonahTJ-: that's bad! just trying to learn and thought webmin would be good as I'm used to cpanel22:08
sarnoldjonah: .. so you'd need to make sure that IP address is configured in bind22:09
sarnoldjonah: you'd do yourself a favor to stop using webmin and cpanel and the like22:09
TJ-jonah: nothing to do with webmin; you are opening your PC up to public access and you don't have the knowledge to protect yourself right now22:09
sarnoldjonah: after brute-forced ssh passwords, cpanel and webmin and the like are the most likely source of being hacked. those things tend to be terrible.22:10
TJ-Only if publicly exposed; which in this case it isn't (would need a port-forward rule)22:11
jonahTJ-: gotta go for now but will check back tomorrow if i can. thanks!22:11
jonahok sorry guys just gotta go now. will be back!22:11
jonahthanks22:11
TJ-jonah: if you're running a local server with a web-server on, that's an exploit target22:11
Logos01Is there any chance that anyone here has set up ejabberd w/ PAM authentication? I've got a curious case -- my PAM auth fails for local accounts but *NOT* for accounts provided by SSSD.22:40
TJ-Logos01: what does auth.log report?22:40
* Logos01 is grabbing and anonymizing a relevant log snippet22:42
TJ-Are you seeing "check pass; user unknown"22:42
Logos01unix_chkpwd[XXXXX]: check pass; user unknown22:43
Logos01Yes.22:43
TJ-SNAP!22:43
TJ-OK, check /etc/passwd to ensure the user exists, and is in /etc/shadow too.22:43
TJ-Assuming the user IS there, check /etc/passwd to see if there is a duplicate entry using the same UID of that user22:44
Logos01It is definitely the correct user, there is definitely no duplicate entry.22:44
Logos01I even created a unique user specifically to rule that out.22:44
TJ-OK, well, we've had a few reports of this recently, and I was hit by it today too - could log-in the GUI but the screenlock-greeter would report Access Denied, and it led to that in auth.log22:45
TJ-In my case, it was a duplicate UID (I have 2 users with the same UID) and the /sbin/unix_chkpwd tool was looking up the (first) username in /etc/passwd that matched the UID, THEN comparing that username with the one the greeter passed, and they didn't match22:46
sarnoldinteresting22:47
TJ-I solved it by moving the entries around :)22:47
Logos01http://fpaste.org/287032/44667717/22:47
Logos01Definitely no duplicate UIDs.22:47
TJ-The other reports seem to start after a recent libpam update22:47
sarnoldtime was you'd stick a 'toor' account in your passwd/shadow with a statically linked recovery shell...22:47
TJ-Logos01: 'logos' is UID 114? I'm wondering if that being < 1000 could be an issue; there's some strange stuff in the patches we're carrying to support this22:49
Logos01So yeah -- definitely in /etc/shadow. Definitely no duplicate entries. Definitely able to log in as the accounts (since I'm talking to you from one of them right now)22:49
Logos01TJ-: No, 'logos' is uid 100022:49
TJ-Logos01: is ejabberd 114 then?22:49
Logos01uid 114 gid 12222:49
TJ-Ahhh, that makes more sense, although it doesn't help. Unfortunately there's no additional debug logging available for this22:50
Logos01Yeah...22:50
TJ-In my case it was:22:52
TJ-pam_unix(kde:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=t22:52
TJ-j22:52
TJ-it's coming from that dratted "debian/patches-applied/extrausers.patch" again, too22:54
TJ-Logos01: this is the code: http://paste.ubuntu.com/13107573/22:55
TJ-Logos01: this is better; the first one lost context http://paste.ubuntu.com/13107593/22:56
Logos01I suppose this isn't really a big deal since as long as I've got my AD users (via SSSD) I'm content.22:58
TJ-Logos01: which has called into: http://paste.ubuntu.com/13107637/22:59
TJ-that seems to suggest either the hash or salt are null on return from get_pwd_hash()22:59
TJ-sorry, *password* or salt23:00
coreycbbeisner, jamespage: testing is complete for UCA kilo-proposed and should be ready to promote to kilo-updates tomorrow (just waiting on vivid-proposed to land in vivid-updates)23:00
=== Piper-Off is now known as Monthrect
dannfhallyn: is there an existing pattern for teach libvirt that qemu has a backported capability? here's what i'm trying http://paste.ubuntu.com/13107961/23:33
dannfthat works, but wanted to follow existing convention if there is one23:33
hallyndannf: urg, no.  you've only backported one capability so we can't just bump the version # right?23:37
hallynthat's fugly, but i think we have to do what you're doing23:37
sarnolddannf: "Package" vs "package" ?23:38
dannfsarnold: oh - yeah, i fixed that - hadn't hit quilt refresh yet23:46
dannfhallyn: yeah - and it might be the only new cap so far - but 2.4.50 is dynamic, and that could change23:47

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!