teward | is it usual for a postfix server that basically acts as a 'forwarder relay' (i.e. address1@domain.net is emailed, postfix forwards it to myaddress@otherdomain.net) to get its messages flagged as 'spam' or 'Suspicious' by Google? (mail server is mailserver.yetanotherdomain.xyz, if it matters) | 00:04 |
Logos01 | Howdy, folks. I've a bit of a mixed environment here; I'm trying to set up centralized authentication using sssd/krb against my company's AD servers. | 02:08 |
Logos01 | My configuration works perfectly on rhel/centos but on the ubuntu 14.04 box I'm working on, I can't seem to successfully authenticate as any domain users. | 02:08 |
Logos01 | The accounts get created; I can su - ${domain_user} -c "kinit" all day long. | 02:09 |
Logos01 | But what I *can't* do is sudo -l w/ password enabled or ssh into the user account; those sorts of things. What am I missing? | 02:09 |
maddawg2 | logos do you have it set to allow AD users to login | 03:26 |
maddawg2 | i cant remember exactly where that is but there's a setting the allow them to login locally | 03:27 |
maddawg2 | let me see if my work machine is on | 03:27 |
Logos01 | maddawg2: I do have it set to allow AD users to login. | 03:27 |
Logos01 | maddawg2: It's the same configuration I'm using on CentOS/RHEL and it works perfectly there. | 03:28 |
Logos01 | Here, I cannot successfully perform any transactions which require the passwords from the domain users. | 03:28 |
maddawg2 | kinit testuser@DOMAIN.COM | 03:28 |
Logos01 | Works perfectly. | 03:28 |
maddawg2 | hmmm | 03:28 |
maddawg2 | strange | 03:28 |
Logos01 | It's only when I do password transactions through PAM that it's failing. | 03:28 |
Logos01 | I've turned up sss_debuglevel to see if something stands out... | 03:31 |
Logos01 | I've noticed "[get_and_save_tgt] (0x0100): TGT validation is disabled." which seems suspicious | 03:31 |
maddawg2 | have you checked the DC logs? | 03:35 |
maddawg2 | to see if anything is erroring there | 03:35 |
maddawg2 | or if it'll log invalid attempts of sorts | 03:35 |
Logos01 | maddawg2: Oh, I know, but I don't have access to those. | 03:35 |
maddawg2 | oh | 03:36 |
maddawg2 | well those might be more helpful | 03:36 |
Logos01 | ... now this is interesting, considering I have caching disabled: | 03:37 |
Logos01 | [sss_krb5_check_ccache_princ] (0x0020): krb5_cc_get_principal failed. | 03:37 |
Logos01 | Reporting in with success: The problem was the sssd binary version. | 04:36 |
Logos01 | Ubuntu 14.04 ships with 1.11.x; el7 has 1.12.x | 04:36 |
Logos01 | Thankfully there is a PPA ( https://launchpad.net/~sssd/+archive/ubuntu/updates ) -- associated fairly decently with reputable sources. | 04:37 |
Logos01 | Correction: I can authenticate as one user. The user that joined the server to the domain. | 04:44 |
Logos01 | Huh. I managed to somehow only upgrade one part of the sssd suite. | 05:00 |
jonah | hi can anyone please help. I've been trying to configure my server for a week or so and in the end got a bit fed up and ordered a static ip from my ISP. The server is working well and it was working before I got the static IP - but I wanted to add virtual hosts and use my own nameservers so I could have other domains resolve to it. Could anybody please help me to put my new static IP in there correctly? I have webmin installed too | 07:27 |
jonah | my router gives my server the ip 192.168.0.100 | 07:28 |
jonah | I have NOIP.com working so my main domain loads up a page from my server | 07:28 |
jonah | but I can't get any other domains to work which is why I thought I'd best order a static IP | 07:29 |
adun153 | I dont have a lot of time, but MIGHT be able to give you some tips. What exactly do you need? | 07:45 |
adun153 | How to configure static IPs? | 07:45 |
adun153 | jonah | 07:45 |
jonah | adun153: thanks - well i have the static ip but it's just getting my server to use it correctly and set up nameservers... | 07:46 |
adun153 | jonah: What type of router do you have? | 07:47 |
jonah | adun153: i don't want to put the static in the wrong place and overwrite the current local network settings as my router gives my server it's local ip - but i want to use my isp static ip for the outside and for nameservers | 07:47 |
jonah | adun153: i have an asus ac68u | 07:47 |
jonah | adun153: but that is already working well and i can access my server on 198.168.0.100 and internet works etc | 07:48 |
adun153 | also, #networking might be able to help as well, as this is mostly a networking issue. | 07:48 |
jonah | adun153: but if you look at my domain dns check http://intodns.com/hostingyorkshire.com | 07:48 |
adun153 | Ah, a home/office router. | 07:48 |
jonah | adun153: it says my nameserves aren't set right - yeah office router | 07:48 |
adun153 | You need to configure your router's WAN interface to use the static IP. | 07:49 |
jonah | adun153: even though it gets it ok dynamically at the moment? | 07:49 |
adun153 | Yes. | 07:49 |
jonah | adun153: ok thanks | 07:49 |
adun153 | I'm assuming that the static IP and the current DHCP'ed IP are in the same network? | 07:50 |
adun153 | Should be | 07:50 |
jonah | adun153: yes | 07:50 |
adun153 | So yep, what I said, you need to do that. | 07:50 |
adun153 | Of course, your nameserver(s) are behind the router, configure the router to port forward incoming port 53 TCP and UDP to your nameservers on your internal network. | 07:51 |
jonah | adun153: ok so i'm in the router admin and can change it from automatic to static ip but then there are three boxes to fill in. ip address, subnet mask and default gateway! | 07:52 |
adun153 | You don't need ns2.hostingyorkshire.com. as well, since you only have one IP address and nameserver anyway. | 07:53 |
adun153 | Just obtain the subnet mask and default gateway values from the DHCP'ed address. | 07:53 |
jonah | adun153: i just added the second one due to my domain registrar requiring two nameservers | 07:53 |
adun153 | I see. No need to, then | 07:53 |
jonah | adun153: is there a linux command to grab those subnet mask and default gateway values? and then I guess i just put the first option of IP address as my static one? or is that the router default gateway? | 07:54 |
adun153 | Yes, the IP address is the static address | 07:55 |
adun153 | you can't see the subnet mask and gateway from the router's web interface? That should be viewable | 07:56 |
adun153 | And no, there is no command you can run from your server/desktop/laptop to check, as the NATting is transparent to your computer | 07:57 |
adun153 | only the router can really "see" the outside network. | 07:57 |
jonah | adun153: it won't let me set the default gateway... it says i can't use the IP - not sure how to find my default gateway... | 07:59 |
adun153 | jonah: Is there really no "screen" where you can see what IP address and network settings your router uses when it uses DHCP? | 08:01 |
jonah | adun153: the front router screen gives me the default gateway as the same as my static ip but when i put that in on connection settings it says they can't be the same... are you sure i need to set this up manually as the router is grabbing the static ip etc ok, i just need it to work on the server? | 08:02 |
adun153 | The default gateway and the static IP CANNOT be the same address. | 08:03 |
adun153 | The default gateway is a router managed by your ISP. | 08:03 |
adun153 | The static IP should be your router's address. That address should be on the same network as the default gateway. | 08:04 |
adun153 | If when your router uses DHCP, and uses your "static IP address" as the default gateway, then clearly, your ISP gave you a wrong address to use for your static IP. | 08:05 |
jonah | adun153: hi sorry i totally lost my internet and had to go back to automatic ip setting on the router! | 08:26 |
adun153 | jonah: I see | 08:27 |
adun153 | You should probably contact your ISP | 08:27 |
adun153 | Tell them that the Static IP they gave you is your network's gateway. | 08:27 |
jonah | adun153: thanks will do | 08:29 |
Danny2 | Hey guys, question: I have a server and I have just added a new IP to it (was provided it from my host), it is bound to eth0:0, and I have a git server on my other IP, now the new ip goes to my git server for some reason, so I was wondering how would I go about making apache listen to that IP | 09:22 |
Danny2 | ^ the server I use runs Ubuntu 14.04 | 09:24 |
Danny2 | ? | 09:28 |
hateball | Danny2: you configure that in the settings for the website in question | 09:30 |
Danny2 | hateball: what do you mean? | 09:30 |
hateball | Danny2: the virtualhost section | 09:31 |
hateball | Danny2: see https://httpd.apache.org/docs/2.2/vhosts/examples.html | 09:31 |
Danny2 | but my git server is nginx, and I want to then have apache running my website? | 09:31 |
hateball | you were the one talking about apache | 09:31 |
Danny2 | yeah I am, I have nginx running the git server on the main IP, and I want the apache server running on the new IP? | 09:32 |
hateball | I am not sure if you are asking if you want to, or if you're asking how to | 09:33 |
Danny2 | I am asking how to | 09:33 |
hateball | Yes, so you edit the config for your websites, under /etc/apache/, as per your liking | 09:37 |
hateball | replace *:80 with your.ip.here:80 or whatever you like | 09:37 |
Danny2 | hateball: see this is not in my apache2.conf file? I can't find it at all | 09:39 |
hateball | Danny2: No, the config for your website. Is this just a default install of apache? | 09:39 |
Danny2 | hateball: errr yeah it is? I just installed it and then I have a www folder to but stuff in? | 09:40 |
Danny2 | put stuff* | 09:41 |
hateball | Danny2: Well the config for the website is in /etc/apache/sites-available/ or sites-enabled | 09:41 |
hateball | most likely called 000-default or some such | 09:41 |
Danny2 | hateball: I have 2? 000-default.conf and default-ssl.conf | 09:41 |
hateball | So... you edit that, and reload apache, and it should bind to the desired interface | 09:41 |
hateball | Danny2: Yes, are you using SSL? | 09:41 |
hateball | Then you will need to edit them both | 09:42 |
Danny2 | Maybe? I am not sure, it was a while ago I added apache2 | 09:42 |
Danny2 | but I shall edit both | 09:42 |
hateball | Well, you're unlikely to have setup SSL with a fair bit of crying so it would have left scars that you'd remember | 09:42 |
hateball | Without, that is | 09:43 |
Danny2 | hateball: I just remember having to mess with it a lot, but I get this error: * Restarting web server apache2 (98)Address already in use: AH00072: make_sock: could not bind to address [::]:80 (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80 no listening sockets available, shutting down | 09:44 |
hateball | Danny2: yes, most likely because nginx is already binding to *:80 as well | 09:45 |
Danny2 | Oh, so err, how do I do that? | 09:45 |
hateball | Well you'd need to tell nginx to use a dedicated interface, and apache another | 09:45 |
hateball | I don't remember nginx config offhand, I am afraid | 09:46 |
Danny2 | hateball: I.. err.. how do I do that? | 09:46 |
Danny2 | Oh hmm | 09:46 |
Danny2 | tbh when I installed git, it was a pain getting it to work... | 09:46 |
Danny2 | Okay so my next question, is anyone good with setting up virtual hosts using nginx? | 09:56 |
Michael_p | hi | 10:44 |
locodir-user | when I execute "service xinetd restart", there was no message | 12:30 |
locodir-user | I want see message "OK" or "FAIL" something like that | 12:30 |
locodir-user | How to resolve it ? | 12:31 |
Dulcin | Hi, I'm wondering, if I run 'hostname -f' it returns 'localhost' instead of the FQDN | 12:35 |
Dulcin | Where did I go wrong? | 12:35 |
asac | any idea where i can find the package manifests for: | 12:48 |
asac | * vanilla Ubuntu server as installed with D-I or other installers * Ubuntu images on the cloud (its not "Ubuntu Cloud" its just "Ubuntu | 12:48 |
asac | Server") * LXD images * Ubuntu installed by MAAS | 12:48 |
asac | ? | 12:48 |
asac | smoser: ? | 12:49 |
ogra_ | asac, the first one is in the seeds branch | 12:50 |
ogra_ | asac, bzr branch lp:~ubuntu-core-dev/ubuntu-seeds/ubuntu.xenial/ | 12:51 |
ogra_ | no idea about the latter two though | 12:52 |
asac | ogra_: do you highlight my nick :) ... or do you read all channels you join all the time? :) | 12:52 |
asac | ogra_: the manifest is in the seeds branch? thought would guess the seed does not include all the implicit dependencies | 12:52 |
ogra_ | i skim over the channels with activity while waiting for tasks to finish (launchpad in this case) ;) | 12:52 |
ogra_ | asac, the seed is indeed the input and doesnt show all deps, for that you can use the cdimage manifest file | 12:53 |
ogra_ | or run germinate manually to generate a table with deps | 12:53 |
asac | right. looking for the real exploded manifests | 12:54 |
asac | so i can diff them :) | 12:54 |
ogra_ | asac, so beyond cdimage there is http://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.xenial/ | 12:55 |
ogra_ | http://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.xenial/server is the base | 12:55 |
ogra_ | http://cdimage.ubuntu.com/ubuntu-server/daily/current/ has the image manifests | 12:56 |
ogra_ | the .manifest file has the actual rootfs contents for a basic server, the .list files show what's in the archive pool on the CD for additional tasks you can install | 12:57 |
asac | ogra_: ack... so the manifest is exactly what you get when you dont select more tasks? | 13:01 |
ogra_ | asac, right | 13:11 |
placeed | Hi all, I have a keystone problem in openstack on my ubuntu server. Someone can help me ? | 13:20 |
placeed | Sometime, it stay blocked on /auth/tokens? | 13:20 |
placeed | no result | 13:20 |
smoser | ogra_, i'm pretty sure that manifest is not what you get "by default" | 13:35 |
smoser | but rather what is on the cd. | 13:35 |
smoser | asac, ^ | 13:35 |
ogra_ | smoser, manifest is what the squashfs contains, the squashfs content becomes your rootfs during install | 13:36 |
smoser | the cloud images have manifests next to them. | 13:36 |
ogra_ | if you dont select anything in tasksel that is all you get | 13:36 |
ogra_ | if you use tasksel to pick additional tasks the archive pool on the CD is used to install it | 13:36 |
smoser | ogra_, thats clearly not 100% true | 13:36 |
smoser | theres no 'linux-image' in that list | 13:36 |
ogra_ | i'm pretty sure it is | 13:37 |
smoser | or grub | 13:37 |
ogra_ | no, thats d-i's job | 13:37 |
smoser | well, thats what asac is after. | 13:37 |
smoser | what gets installed | 13:37 |
ogra_ | bootloader and kernel are not part of the rootfs | 13:37 |
ogra_ | as i understand from the mail discussion he referred to above he is after plain rootfs content | 13:37 |
smoser | i dont know. | 13:38 |
smoser | i didnt see mailing list discussion. | 13:38 |
ogra_ | on snappy-devel | 13:38 |
smoser | asac, for maas images, we dont have a manifest, but we could for sure provide one of what is in the -root.gz image. | 13:39 |
smoser | https://docs.google.com/document/d/1w5EeGNXKhSrnJJ5JvXD3axiv5sGLBhEC_v1KVyba3Rg/edit# | 13:39 |
smoser | has information on what is different. maas images are cloud image + a hardware kernel installed. | 13:40 |
smoser | but similar to the iso manifest if you actually do an install, other packages might be added (like lvm or things of that nature) | 13:41 |
ogra_ | yeah, that wont help with snappy :) | 13:42 |
smoser | you have link ? | 13:43 |
smoser | to the discussion? | 13:43 |
ogra_ | https://lists.ubuntu.com/archives/snappy-devel/2015-November/001193.html | 13:43 |
ogra_ | smoser, mark wants full unification between all images it seems | 13:44 |
ogra_ | so first we need to find all the differences in a default install :) thats what asac does atm i guess | 13:44 |
smoser | ogra_, yeah. i've seen this before. | 13:45 |
smoser | very much, differences amongst them all (server iso install, "maas image", cloud image) all can be considered "hardware enablement". | 13:46 |
smoser | the changes are few. i've had problems showing that clearly in the past. | 13:46 |
ogra_ | well, i'm not sure i want a server install to drive my drone | 13:46 |
ogra_ | what i'm 100% sure about is that i dont want 2minute long boots with 50sec cloud-init doing nothing on an embedded device | 13:47 |
asac | smoser: ogra_: right. i am after the list of things that end up being installed | 14:07 |
asac | i guess | 14:07 |
asac | well, also interesting to see the list of what is in the downloadable image | 14:07 |
asac | because at best we would like to have ONE and only ONE | 14:08 |
asac | across all headless/smallish variants | 14:08 |
asac | smoser: you had problems showing the differences in the past? | 14:09 |
ogra_ | asac, yeah, that wont happen | 14:09 |
ogra_ | we can probably get down to a "most common denominator" that all of us use as base | 14:10 |
asac | so what i think would be lovely is if we could consolidate everything to start off with a single unified image | 14:10 |
asac | then if there is need to add stuff for the various variants, that could be done in a clearly defined second step | 14:10 |
ogra_ | which theoretically was always supposed to be "ubuntu-minimal" | 14:10 |
smoser | asac, i've had problems describing differences. | 14:10 |
smoser | running 'dpkg-query --show' and comparing output from amd64+uefi+lvm to amd64+mbr to arm64+uboot to lxd just is not useful. | 14:11 |
urthmover | I have created 4 servers using 14.04. Each server has two NICs statically assigned (one NIC for public and the other for private). 3 of the 4 can ping each other and one cannot ping the other three. The other NIC on each server is pingable to/from all 4 servers. Will someone take a moment to help me triage this. route -n on each server is identical. The static ip assignments on the problematic server look accurate | 14:22 |
urthmover | http://hastebin.com/usotarajob.hs | 14:22 |
teward | urthmover: suggestion: stick to one channel, and have patience, don't crosspost. | 14:25 |
urthmover | teward: do you think that my issue is better suited for server or vanilla ubuntu? | 14:25 |
urthmover | teward: Do you think there is a udev issue? udev seems strange in 14.04 | 14:25 |
teward | why would you assume it's a udev issue? I don't see anything here that suggests udev is at fault. I believe that this is better suited for *this* channel | 14:26 |
teward | since you're working with server installations and such | 14:26 |
teward | have patience for someone who can help out to come along :) | 14:26 |
urthmover | teward: I'm trying not to assume anything. In the past I had strange network issues when udev was involved...that's why I brought it up | 14:27 |
* urthmover kicking back | 14:27 | |
TJ- | urthmover: shame hastebin require google Javascript to show the content | 14:27 |
urthmover | teward: do you think I provided enough information at this point? | 14:28 |
teward | urthmover: I think you should first consider using our pastebin instead. paste.ubuntu.com | 14:28 |
urthmover | TJ-: hmm which paste service do you like to use? I'll gladly use something else | 14:28 |
teward | and then have patience, TJ- might be able to help though | 14:28 |
* teward goes back to kicking nginx code | 14:28 | |
urthmover | TJ-: http://pastebin.com/LSwMAaxV | 14:30 |
TJ- | urthmover: I dunno! I just get sick of a simple text paste requiring javascript to display anything, especially when there's also obvious activity tracking as a side-effect. http://paste.ubuntu.com is well-behaved I think :) | 14:31 |
TJ- | urthmover: The first thing I'd do is on the server you're pinging, run "tcpdump -ni eth1 icmp" and check if it receives the pings, and if it sends replies. Then I'd look at the firewall rules on both. | 14:32 |
urthmover | TJ-: good suggestion...trying that now...in the meantime I've included an updated pastebin with another server that can ping istack2 http://pastebin.com/4JDzny6p | 14:35 |
urthmover | I'm having trouble pinging 10.43.201.0/24 out of istack1. So I believe that I should be running "tcpdump -ni eth0 icmp" ? | 14:36 |
TJ- | urthmover: are these servers all connected to the same switch/VLAN ? | 14:36 |
urthmover | TJ-: yes | 14:36 |
TJ- | urthmover: there is no such address as 10.43.201.0/24 | 14:36 |
urthmover | TJ-: that is true. I am pinging 10.43.201.12 | 14:37 |
TJ- | urthmover: can istack1 "ping -nc 5 4.4.4.4" ? | 14:37 |
urthmover | I get no output using 'sudo tcpdump -ni eth0 icmp' on istack1 | 14:38 |
TJ- | urthmover: no, you'd run it on the *target* server, and set the '-i eth0' to be the LAN interface | 14:38 |
TJ- | urthmover: and 4.4.4.4 is dud! use 8.8.8.8 | 14:39 |
urthmover | TJ-: ah ok...tcpdump is a capture tool...thanks for the suggestion...trying tcpdump on istack2 and then pinging from istack1 again | 14:39 |
urthmover | TJ-: yeah I got nothing on 4.4.4.4 (I haven't tried that ip in quite a while :)) | 14:40 |
TJ- | urthmover: more importantly, can istack1 "ping -nc 5 8.8.8.8" ? | 14:40 |
urthmover | istack1 CAN ping 8.8.8.8 so its public NIC is working....I'm also ssh'ing into it | 14:40 |
urthmover | TJ-: trying the tcpdump | 14:40 |
TJ- | urthmover: OK, so not got the ports mixed up :) | 14:40 |
RoyK | 8.8.8.8 and 8.8.4.4 work well | 14:41 |
TJ- | urthmover: if istack2 sees no packets: check istack1 with iptables. if sees ICMP but doesn't reply: check istack2 route/iptables. if istack2 replies check istack1 iptables | 14:42 |
urthmover | TJ-: tcpdump on istack2 is not picking up any icmp packets arriving from istack1 when I ping it from istack1. istack2 DOES capture icmp when I ping istack2 from istack3 though...so I know tcpdump is working | 14:43 |
urthmover | TJ-: ok I'll start tcpdump on istack1 and ping it from istack2 | 14:43 |
TJ- | urthmover: right, so iptables on istack1. And also check the NIC itself is active/alive | 14:43 |
urthmover | istack1 shows no captured packets when I ping it from istack2 | 14:44 |
urthmover | TJ-: so packets do not appear to be arriving either way between istack1 and istack2 | 14:45 |
TJ- | urthmover: any firewall rules/policy set on istack1 ? | 14:45 |
urthmover | TJ-: packets do arrive between istack2 and istack3 so this points to an issue solely on istack1 possibly | 14:45 |
TJ- | urthmover: yes, I concur. istack1 is/has the problem. | 14:46 |
urthmover | TJ-: when I disable ufw on istack1 , I am not capturing any incoming icmp packets from istack2 | 14:47 |
urthmover | TJ-: I just double checked that I AM on the same portgroup vlan as istack2 | 14:47 |
urthmover | TJ-: although I am not opposed to rebuilding istack1 from a default 14.04 install, I just did yesterday wanting to start with a fresh build today | 14:48 |
TJ- | urthmover: ignore UFW! use "sudo iptables -nvL" and check the default table policies even if there are no specific rules | 14:49 |
urthmover | TJ-: pm | 14:51 |
urthmover | TJ-: trying sudo iptables -nvL | 14:51 |
TJ- | urthmover: I have PMs disabled :) | 14:51 |
urthmover | TJ-: heh ok...well I was hoping to send to login creds | 14:52 |
teward | urthmover: Security 101: Don't give people you don't personally know or trust logon credentials | 14:53 |
teward | ever | 14:53 |
urthmover | teward: this is an isolated environment on a server network that I'm willing to burn down | 14:53 |
urthmover | teward: usually I would agree but this is a special case | 14:53 |
TJ- | urthmover: as istack2 wasn't seeing anything inbound, you'd have to assume any istack1 netfilters rule would be on the OUTPUT table | 14:54 |
urthmover | TJ-: http://pastebin.com/KATMe7Am | 14:54 |
TJ- | urthmover: nothing there; but the packet counters are indicating some traffic | 14:57 |
urthmover | TJ-: http://pastebin.com/bEiQbcPU | 14:57 |
urthmover | TJ-: wtf now I can ping istack1 from istack2 | 14:58 |
TJ- | which system were those 2 pastes from? | 14:58 |
urthmover | TJ-: oddly only in one direction are packets flowing istack2 -> istack1 | 14:58 |
urthmover | TJ-: same system...first paste was with ufw disabled second paste was with ufw enabled | 14:59 |
urthmover | TJ-: whoops I'm wrong. so sorry | 15:00 |
urthmover | TJ-: I was pinging itself because I moved my panes around | 15:00 |
urthmover | no ping either way istack1 <-> istack 2 | 15:01 |
TJ- | urthmover: I suspect the hardware | 15:03 |
urthmover | TJ-: I have begun continuous pings from istack1 -> istack2 and tcpdump on each server pointing at each other | 15:03 |
TJ- | urthmover: can you port-mirror istack1 LAN port on the switch to another system and check if istack1 is sending anything? | 15:04 |
urthmover | TJ-: ok I think you are right...but I wanted to exhaust everything possible. The strange part is that I have 2 other dev servers using the exact same vlans, same os, similar static networks... | 15:04 |
urthmover | TJ-: unfortunately I don't have any visibility on the switching layer. This is a partially hosted environment. All I get to do is specify the vlan that each nic uses :( | 15:05 |
TJ- | urthmover: find out what the NIC chipset is; maybe use ethtool to check it isn't in a power-save state | 15:07 |
urthmover | TJ-: I'm using the paravirtualized driver for all the servers called vmxnet3 when I compare ethtool between the istack2,3,4 and istack1 they are the same | 15:11 |
TJ- | urthmover: OH! these are all VM guests? | 15:11 |
urthmover | TJ-: yes....do you have any other thoughts about things I can check? | 15:12 |
urthmover | TJ-: esx 5.5 | 15:12 |
TJ- | urthmover: For some reason I thought you said / indicated they were bare-metal. In which case check the hypervisor network config! | 15:12 |
TJ- | urthmover: I bet the LAN interface hasn't been connected to the LAN/VLAN bridge | 15:13 |
urthmover | TJ-: I have limited access to that ....it's a bastardized power user into vcenter. the hypervisor shows link up on that vlan. | 15:13 |
urthmover | TJ-: I like your thinking with that....I have confirmed that it is link UP on that vlan | 15:13 |
TJ- | urthmover: well there doesn't seem much else you can do without control of the 'physical' layer | 15:13 |
teward | urthmover: diagnosing is going to be tricky if you don't have 'root' on the Vmware ESXi hypervisor - I'd check with the sysadmin that does have access to that to check the network stuff | 15:15 |
urthmover | TJ-: holy sh*t......so I built another server istack5 and it CAN ping 10.43.201.11 but cannot ping 10.43.201.12,13,14 do you think there is some strange switching problems going on behind the scenes? | 15:15 |
TJ- | ^^hardware a.k.a hypervisor | 15:17 |
urthmover | TJ-: ok thank you I'll reach out to the network team in charge of that environment. Thanks for all your help | 15:18 |
urthmover | network issues are so frustrating when you are blind | 15:19 |
teward | TJ-: blah, i forgot hardware and hypervisor aren't equated to each other :) | 15:20 |
* teward beats his head against the dictionary of tech jargon | 15:20 | |
TJ- | urthmover: makes me think someone changed the port association. I wouldn't be surprised if you could ping istack1's LAN port from istack2's WAN port - with suitable changes to istack2's route table | 15:23 |
urthmover | TJ-: trying that now | 15:24 |
urthmover | TJ-: what would the route add statement look like? route add 10.43.201.0/24 eth0 ? | 15:25 |
urthmover | TJ-: googling syntax don't bother yourself please | 15:26 |
TJ- | urthmover: something like "ip route add 10.43.201.12/32 dev eth0" - use istack1's LAN IP and the correct (WAN) interface name. | 15:27 |
sarnold | iproute2 packages finally have documentation these days, check out the ip-route manpage | 15:27 |
urthmover | TJ-: I CAN ping 10.43.201.11 from istack2 when I added this route on istack 2 'ip route add 10.43.201.0/255.255.255.0 dev eth0' | 15:28 |
* urthmover shakes head | 15:28 | |
urthmover | TJ-: so do you mind explaining more what you think is going on here so that I can relay this more specifically to the network team? | 15:29 |
TJ- | urthmover: OK, and .11 is istack1 is it? | 15:29 |
urthmover | yes 10.43.201.11 = istack1 | 15:29 |
TJ- | urthmover: like I said earlier; the port is connected to the wrong bridge, it's on the WAN bridge, not the LAN | 15:29 |
urthmover | TJ-: ok thank you I'll explain our findings to them | 15:29 |
bmullan_ | @sarnold - I've found this iproute2 cheat sheet really useful... http://baturin.org/docs/iproute2/ | 15:30 |
TJ- | you're now routing from the WAN side of istack2 to the LAN side of istack2 | 15:30 |
TJ- | you're now routing from the WAN side of istack2 to the LAN side of istack1 | 15:30 |
urthmover | TJ-: right | 15:30 |
urthmover | out eth0 (public) on istack2 into eth1 (private) on istack1 | 15:30 |
TJ- | urthmover: which implies istack1 LAN and WAN are on the same bridge; I assume that new instance you spun up is likewise, which was why it could ping istack1 | 15:31 |
urthmover | TJ-: ok | 15:31 |
TJ- | urthmover: "arp -n" on them all might make it a bit clearer | 15:31 |
urthmover | TJ-: good suggestion I'll do that and include my findings | 15:32 |
sarnold | bmullan_: looks great, thanks :) | 15:33 |
wehde | has any here migrated m$ AD to openldap or apacheds? | 16:27 |
hallyn | jdstrand: jjohansen: 'network ipv6' is a valid apparmor rule all the way back to trusty? | 17:04 |
hallyn | (is there a table somewhere that shows what is valid where?) | 17:05 |
sarnold | hallyn: "network inet6," -- and it does work in trusty | 17:08 |
sarnold | hallyn: it should be the case that all AF_.... works with the AF_ stripped off and lower-cased | 17:08 |
hallyn | sarnold: ok, thx. | 17:12 |
urthmover | is there a way to clear the whole arp cache in one command? | 17:32 |
urthmover | arp -d * ? | 17:32 |
PryMar56 | I have a vivid server (no X11). Any suggestions for a font list which is good enough to run kvm/qemu? | 17:56 |
PryMar56 | or geany editor? | 17:56 |
PryMar56 | I have only 1 freetype font now | 17:57 |
sarnold | how do fonts figure into things? | 17:58 |
sarnold | fwiw I quite like the terminus font | 17:58 |
PryMar56 | sarnold, I still forward X, so some fonts are needed.. I know it seems strange | 18:06 |
sarnold | oh! | 18:06 |
sarnold | and you forward .. the qemu display or something? rather than ssh to that guest? | 18:06 |
PryMar56 | sarnold, yes | 18:06 |
Lord255 | hello. | 18:14 |
Lord255 | i have followed this tutorial: https://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-ubuntu-14.04-lts | 18:14 |
PryMar56 | I have ubuntu desktop to mine a font list from, or I would do that | 18:14 |
PryMar56 | ^^ no desktop | 18:14 |
Lord255 | but when i try to login to squirrelmail i got an imap error and in the mail.log i can see that it says no such file or directory | 18:14 |
Lord255 | i saw many comments about this on the net but i dont know how to fix :\ | 18:14 |
kriskropd_ | Does anyone here use rssh? I set up a user with -s /usr/bin/rssh and they are blocked from logging in to a shell, but when I try to sftp I receive exit code 1 and when I try to scp a single file from /tmp I receive the "This account is restricted by rssh." response | 18:52 |
kriskropd_ | s/b tu/but/ | 18:52 |
jonah | Hi in the end I just got fed up with trying to get the dynamic IP working with webmin/virtualmin on my Ubuntu Server 14.04.3 - so I've now managed to get a static IP from my ISP. I just wondered if anyone knows what I need to change in webmin/virtual min to get this working? My domain currently isn't resolving with the nameservers I've tried to create: http://intodns.com/hostingyorkshire.com | 19:14 |
jonah | the domain did work with the dynamic IP before, but I was using NOIP.com nameservers and their dynamic dns service. Since trying to add my own nameservers myself I can't get it to work! | 19:15 |
jonah | any help really appreciated. Thanks | 19:16 |
kriskropd_ | to my issue with rssh - never mind - it was easily remedied by modifying the rssh.conf | 19:28 |
TJ- | jonah: it looks like the authoritative name servers for the domain aren't registered | 19:32 |
jonah | TJ-: thanks TJ, I don't suppose you'd know how I get them setup or you could check my settings sound ok for me? | 19:33 |
jonah | TJ-: i spoke to you last week I think and you helped me back then as my printer wasn't working on the server - at that point the domain was resolving on the dynamic IP but it seems there is always something wrong with my settings!! | 19:34 |
TJ- | jonah: check with your domain registrar. your domain lists {ns1,ns2}.hostingyorkshire.com as the name servers, but those won't resolve because the registrar doesn't have their IP addresses configured. | 19:34 |
jonah | TJ-: ah I see thank you I will ask them! | 19:35 |
TJ- | jonah: when the same domain hosts its own authoritative nameservers, you/the registrar has to ensure the IP addresses of those hosts are independently entered in the TLD operators' DNS | 19:36 |
TJ- | jonah: usually those are hosted on a different domain/server especially if you only have a single server instance for the domain | 19:37 |
jonah | TJ-: thanks - is there a way I can update them or do you have to be a registrar to have access to that? | 19:39 |
TJ- | jonah: most registrars have a facility in their domain management tools to do it | 19:39 |
jonah | TJ-: thanks I can't find a tool in their control panel but I've submitted a support ticket so hopefully they'll get it sorted for me soon. really appreciate you helping me out. thanks | 19:43 |
acro458 | i have : grep -o -P '(?<=5490val">).*(?=<span)' output.txt This gives me: 100</span> NOW HOW TO GET RID OF </span> | 19:53 |
TJ- | acro458: please stop spamming multiple channels with the same question. Stick to ##linux | 19:56 |
sarnold | can you use a real html or sgml parser instead? parsing html with regex is a pain that's bound to lean to more pain. | 19:56 |
acro458 | can you recommend one? | 19:59 |
sarnold | acro458: off this list https://en.wikipedia.org/wiki/Comparison_of_HTML_parsers i | 20:02 |
sarnold | acro458: i've heard good things about beautiful soup, html::parser, and nokogiri | 20:02 |
sarnold | acro458: libxml2 seems to get a lot of use for xml, but i don't hear about it doing html often. it might still be good.. | 20:03 |
kriskropd_ | acro458: I don't personally know of any good xml parsers - nearly all of them are picky about headers and will ignore any html parsing you give it - if you only need to parse html in batch only one time and are comfortable with regex, I suggest using awk - it's still terrible to use regex to parse html in the long run, but for quick, one-time jobs that's what I would do - after that I choose to use | 20:04 |
kriskropd_ | python | 20:04 |
TJ- | In Python https://docs.python.org/2/library/xml.dom.minidom.html | 20:05 |
Semiarty | hello, so I am root on my server, but I get permission denied when trying to get into for example /etc/login.defs, what could I be doing wrong? | 20:54 |
sarnold | what does it mean to "get into" a file? | 20:55 |
Semiarty | well | 20:56 |
Semiarty | I guess not into a file then | 20:56 |
Semiarty | im trying to access that particular | 20:56 |
Semiarty | "section" | 20:56 |
Pici | Semiarty: how are you trying to access it? | 20:57 |
jonah | TJ-: hi sorry to bother you but support replied and said I've got port 53 closed which is why my nameservers aren't working... I've tried to port forward it on my router but it still doesn't work. Do I have to do something else for bind to pick it up? | 21:08 |
sarnold | be sure to forward both tcp and udp for port 53 if that's what you're doing | 21:09 |
jonah | sarnold: yes forwarded them on my router as BOTH | 21:09 |
jonah | sarnold: but I think I need BIND server to also listen on the port somehow? | 21:10 |
sarnold | bind does need to listen to whatever ports you forwarded to | 21:10 |
jonah | sarnold: trying to Google it but my named.conf file seems different due to using webmin, do you know how I can get it to listen to the port? | 21:10 |
TJ- | jonah: are you trying to host the domain at home, behind a NATing router? | 21:11 |
jonah | TJ-: yes that's right | 21:11 |
jonah | TJ-: tech support at my registrar just said to get port 53 unblocked as when they try ping it they can see that port is blocked... | 21:12 |
jonah | TJ-: now i've forwarded the port on my router but it still doesn't seem to be working | 21:12 |
jonah | TJ-: but i think i also need to do something with BIND... | 21:13 |
jonah | I've just got to take the dog for a walk so hope to be back in a bit if you have any ideas. Thanks TJ! and Sarnold! | 21:13 |
TJ- | jonah: Yes, you'll need a named with a zone file that is SOA for the domain | 21:13 |
sarnold | yay happy dog walk time :) | 21:14 |
jonah | TJ-: well I have a master zone file | 21:14 |
sarnold | fwiw i'd be hesitant to host dns behind a NAT.. can you get a few cheap cloud instances somewhere? | 21:14 |
jonah | haha love to walk the dog! | 21:14 |
patdk-wk | what is *router*? | 21:14 |
patdk-wk | is it one of these home things? | 21:15 |
patdk-wk | a lot of those can't handle udp packets correctly | 21:15 |
tarpman | don't most registrars provide a nameserver or two? i'm surprised at needing to host a nameserver at home... | 21:15 |
patdk-wk | you did forward udp and tcp both right? | 21:15 |
jonah | patdk-wk: well it is a decent one. AC68U asus | 21:15 |
jonah | tarpman: it's just so I can pick up various domains with different providers and have them resolve back to my server on virtual hosts for different sites and cms stuff like owncloud etc | 21:16 |
jonah | ok dog is barking so i'm off for now thanks | 21:16 |
sarnold | teward: hey, we've been talking at our sprint about http2, we're not feeling like it's time to turn on http2 support just yet | 21:47 |
sarnold | teward: I know you were looking forward to turning it on for your next upload, but we'd really like it kept off for xenial. we can always sru it back to xenial after a few more releases has knocked out the worst of its issues | 21:48 |
jonah | ok back from the dog walk, was a good one! | 21:52 |
jonah | TJ-: any ideas how I can get this master zone listening on port 53? | 21:53 |
TJ- | jonah: just a regular bind config: configure zone files, test config, enable named service, start it | 21:54 |
jonah | TJ-: haha is that all | 21:55 |
jonah | TJ-: i have named.conf.default-zones named.conf.options and named.conf.local in my /etc/bind folder... | 21:57 |
TJ- | jonah: have you started the service? is it currently running? | 21:58 |
jonah | TJ-: when i do netstat -an | grep "LISTEN " i can see some port 53 stuff going on with LISTEN in red... | 21:59 |
TJ- | jonah: "sudo netstat -ulnp | grep 53" | 22:00 |
jonah | TJ-: 127.0.0.1:53 0.0.0.0:* LISTEN for example | 22:00 |
jonah | TJ-: http://pastebin.com/iduwEbVS | 22:00 |
TJ- | jonah: Haha! you've only got the daemon listening on localhost - it needs to listen on ALL interfaces to be accessible from the network | 22:01 |
jonah | TJ-: oh dear | 22:01 |
jonah | TJ-: how can i fix it? | 22:02 |
sarnold | find the listen or bind or whatever line in the configs and tell it to listen to 0.0.0.0 or whatever specific address it should listen on | 22:02 |
TJ- | jonah: "sudo grep listen-on /etc/bind/*" might help | 22:03 |
jonah | sarnold: well I have various named.conf files I can edit in bind on webmin but just not sure which one I should add to and what I'm adding! | 22:04 |
sarnold | grep is your friend, it'll show the one that's currently configured :) | 22:04 |
jonah | sarnold: http://pastebin.com/iduwEbVS | 22:05 |
jonah | TJ-: http://pastebin.com/QGC49puf | 22:06 |
TJ- | OH! it IS listening on the other interfaces, named individually | 22:06 |
jonah | sarnold: sorry i meant the last paste i just sent TJ | 22:06 |
sarnold | eww, how is named and dnsmasq both listening on 192.168.122.1:53?? something's gonna hate that :) | 22:06 |
TJ- | how the heck are both dnsmasq and named on the same socket? | 22:06 |
jonah | TJ-: but there is no mention of my static IP that my nameserver uses which is 87.81.172.179 | 22:07 |
jonah | sarnold: is that bad? | 22:07 |
sarnold | jonah: yeah; it's very nearly catastrophic for a dns server :) | 22:07 |
sarnold | dns servers probably shouldn't have dnsmasq anywhere nearby, nor avahi. | 22:07 |
TJ- | jonah: I really don't think you're equipped with the knowledge or skills to run your own DNS/servers; you're headed for disaster, possible compromise, at this rate | 22:08 |
sarnold | jonah: because you're port-forwarding, your NAT firewall will re-write the packets to actually be destined to whatever IP you configured in the forwarding.. | 22:08 |
jonah | TJ-: that's bad! just trying to learn and thought webmin would be good as I'm used to cpanel | 22:08 |
sarnold | jonah: .. so you'd need to make sure that IP address is configured in bind | 22:09 |
sarnold | jonah: you'd do yourself a favor to stop using webmin and cpanel and the like | 22:09 |
TJ- | jonah: nothing to do with webmin; you are opening your PC up to public access and you don't have the knowledge to protect yourself right now | 22:09 |
sarnold | jonah: after brute-forced ssh passwords, cpanel and webmin and the like are the most likely source of being hacked. those things tend to be terrible. | 22:10 |
TJ- | Only if publicly exposed; which in this case it isn't (would need a port-forward rule) | 22:11 |
jonah | TJ-: gotta go for now but will check back tomorrow if i can. thanks! | 22:11 |
jonah | ok sorry guys just gotta go now. will be back! | 22:11 |
jonah | thanks | 22:11 |
TJ- | jonah: if you're running a local server with a web-server on, that's an exploit target | 22:11 |
Logos01 | Is there any chance that anyone here has set up ejabberd w/ PAM authentication? I've got a curious case -- my PAM auth fails for local accounts but *NOT* for accounts provided by SSSD. | 22:40 |
TJ- | Logos01: what does auth.log report? | 22:40 |
* Logos01 is grabbing and anonymizing a relevant log snippet | 22:42 | |
TJ- | Are you seeing "check pass; user unknown" | 22:42 |
Logos01 | unix_chkpwd[XXXXX]: check pass; user unknown | 22:43 |
Logos01 | Yes. | 22:43 |
TJ- | SNAP! | 22:43 |
TJ- | OK, check /etc/passwd to ensure the user exists, and is in /etc/shadow too. | 22:43 |
TJ- | Assuming the user IS there, check /etc/passwd to see if there is a duplicate entry using the same UID of that user | 22:44 |
Logos01 | It is definitely the correct user, there is definitely no duplicate entry. | 22:44 |
Logos01 | I even created a unique user specifically to rule that out. | 22:44 |
TJ- | OK, well, we've had a few reports of this recently, and I was hit by it today too - could log-in the GUI but the screenlock-greeter would report Access Denied, and it led to that in auth.log | 22:45 |
TJ- | In my case, it was a duplicate UID (I have 2 users with the same UID) and the /sbin/unix_chkpwd tool was looking up the (first) username in /etc/passwd that matched the UID, THEN comparing that username with the one the greeter passed, and they didn't match | 22:46 |
sarnold | interesting | 22:47 |
TJ- | I solved it by moving the entries around :) | 22:47 |
Logos01 | http://fpaste.org/287032/44667717/ | 22:47 |
Logos01 | Definitely no duplicate UIDs. | 22:47 |
TJ- | The other reports seem to start after a recent libpam update | 22:47 |
sarnold | time was you'd stick a 'toor' account in your passwd/shadow with a statically linked recovery shell... | 22:47 |
TJ- | Logos01: 'logos' is UID 114? I'm wondering if that being < 1000 could be an issue; there's some strange stuff in the patches we're carrying to support this | 22:49 |
Logos01 | So yeah -- definitely in /etc/shadow. Definitely no duplicate entries. Definitely able to log in as the accounts (since I'm talking to you from one of them right now) | 22:49 |
Logos01 | TJ-: No, 'logos' is uid 1000 | 22:49 |
TJ- | Logos01: is ejabberd 114 then? | 22:49 |
Logos01 | uid 114 gid 122 | 22:49 |
TJ- | Ahhh, that makes more sense, although it doesn't help. Unfortunately there's no additional debug logging available for this | 22:50 |
Logos01 | Yeah... | 22:50 |
TJ- | In my case it was: | 22:52 |
TJ- | pam_unix(kde:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost= user=tj | 22:52 |
TJ- | it's coming from that dratted "debian/patches-applied/extrausers.patch" again, too | 22:54 |
TJ- | Logos01: this is the code: http://paste.ubuntu.com/13107573/ | 22:55 |
TJ- | Logos01: this is better; the first one lost context http://paste.ubuntu.com/13107593/ | 22:56 |
Logos01 | I suppose this isn't really a big deal since as long as I've got my AD users (via SSSD) I'm content. | 22:58 |
TJ- | Logos01: which has called into: http://paste.ubuntu.com/13107637/ | 22:59 |
TJ- | that seems to suggest either the hash or salt are null on return from get_pwd_hash() | 22:59 |
TJ- | sorry, *password* or salt | 23:00 |
coreycb | beisner, jamespage: testing is complete for UCA kilo-proposed and should be ready to promote to kilo-updates tomorrow (just waiting on vivid-proposed to land in vivid-updates) | 23:00 |
=== Piper-Off is now known as Monthrect | ||
dannf | hallyn: is there an existing pattern for teach libvirt that qemu has a backported capability? here's what i'm trying http://paste.ubuntu.com/13107961/ | 23:33 |
dannf | that works, but wanted to follow existing convention if there is one | 23:33 |
hallyn | dannf: urg, no. you've only backported one capability so we can't just bump the version # right? | 23:37 |
hallyn | that's fugly, but i think we have to do what you're doing | 23:37 |
sarnold | dannf: "Package" vs "package" ? | 23:38 |
dannf | sarnold: oh - yeah, i fixed that - hadn't hit quilt refresh yet | 23:46 |
dannf | hallyn: yeah - and it might be the only new cap so far - but 2.4.50 is dynamic, and that could change | 23:47 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!