[00:10] <JanC> Kallis: maybe try asking in #samba also
[00:11] <pmatulis> Kallis: i have never heard of a conversion from windows to Samba. also, you might want to wait a week to use 16.04 and not 15.10
[00:30] <Kallis> pmatulis, yeah it would have just saved me resetting up all of the ACL for users, there are a lot QQ
[00:30] <Kallis> JanC, I have asked in there as well thanks JanC :D
[01:07] <devster31> do I need to specify APT::Default-Release if I want to pin packages or can I just set Package: * Pin: release a=trusty Pin-Priority: 990 ?
[05:09] <patdk-lap> something go wrong with apt-daily.timer
[05:10] <patdk-lap> it is appearing in my dmesg every few seconds :(
[05:12] <patdk-lap> but not on all of my xenial machines, and not even on two mirror imaged ones
[05:12] <patdk-lap> http://paste.ubuntu.com/15886862/
[05:17] <UserUS> anyone here have ubuntu server on there computer, and use the OS for other things as well?
[05:20] <patdk-lap> exactly how do you use an os for other things as well?
[05:20] <UserUS> irc, web browsing, making videos, skyping...etc
[05:21] <patdk-lap> you cannot do that on ubuntu-server
[05:21] <patdk-lap> you can do those on ubuntu-desktop though
[05:21] <UserUS> yes, you can?
[05:21] <UserUS> I've installed it and done so
[05:21] <patdk-lap> the difference, is nothing, though
[05:21] <UserUS> you just install gnome gui
[05:21] <patdk-lap> you can run skype without a gui?
[05:22] <UserUS> you install a gui mate
[05:22] <patdk-lap> and as soon as you did so, your using ubuntu-desktop
[05:22] <UserUS> just install ubuntu-desktop
[05:22] <UserUS> yeah, but it keeps the server and  apache
[05:22] <patdk-lap> and, the same would be true if you install ubuntu desktop, and installed apache
[05:22] <patdk-lap> I don't see your point
[05:22] <patdk-lap> the same would be the case if I installed windows 10, then installed apache
[05:22] <UserUS> my point is, does it matter if i do so
[05:23] <UserUS> run the server on the same pc
[05:23] <UserUS> or will it be deadly slow...etc
[05:23] <patdk-lap> it will be slower
[05:23] <patdk-lap> you just added a bunch more crap into ram, cpu, ...
[05:23] <UserUS> or kick users from the site for lack of bandwith
[05:23] <UserUS> its an i7 with 16gb of ram
[05:23] <UserUS> fourth gen intel
[13:48] <devster31> so I have this right now: https://bpaste.net/show/07230537e2b5 how do package dependencies behave? meaning, does nginx-common automatically get updated if theres's the requirement on the newer package?
[15:07] <Kallis> hi there, looking at moving my windows server over to a linux server and am just going about setting up samba with acl, was just wondering if there was an easy way for me to copy all current user acl's that are in place on the windows server over to the new samba linux box please or do i need to redo all acl for all users on all directories
[15:11] <RoyK> Kallis: never tried it, but if you enable ACLs in Samba and copy the files with Windows, that may be all you need
[15:11] <RoyK> Kallis: you'll have to try it out
[15:12] <Kallis> RoyK, ok cool, I mean worst that can happen is I spend a few days redoing all ACL's but if there was a faster way would have been nice
[15:12] <RoyK> Kallis: make sure the filesystem is mounted with the 'acl' option and that ACLs are enabled in the samba config
[15:12] <Kallis> RoyK, Yeah i have already enabled ACL in fstab and just about to do the Samba configs
[15:13] <RoyK> try getfacl/setfacl somewhere to test it first
[15:13] <patdk-lap> robocopy :)
[15:13] <RoyK> patdk-lap: can that do ACLs?
[15:13] <patdk-lap> hmm, ya, since like always
[15:13] <RoyK> ok
[15:13] <RoyK> Kallis: listen to patdk-lap - he seems to know this a wee better than I ;)
[15:14] <patdk-lap> the question is, do you have the users setup correctly in linux though?
[15:14] <Kallis> RoyK, cool cool, patdk-lap yeah it is LDAP
[15:14] <RoyK> same UIDs?
[15:14] <Kallis> patdk-lap, ldap is running fine with pbis
[15:14] <Kallis> RoyK, yeah
[15:14] <patdk-lap> kerberos I hope
[15:15] <Kallis> yeah kerb
[15:15] <RoyK> The Hound
[15:16] <Kallis> also wanted to ask, i keep getting hammered by various ip addresses trying to brute force SSHD , I have setup a script to block an IP permanently after 3 failed logins, but is there anything else I can do ?
[15:17] <Kallis> most of the ip's geo are china
[15:18] <RoyK> fail2ban is nice
[15:18] <RoyK> sshguard too, although it's a bit paranoid
[15:18] <Kallis> lol
[15:18] <Kallis> but reall the only option is constantly banning the ip's yeah
[15:19] <patdk-lap> you can always do security by obscurity? and move it to port ?rand?
[15:19] <patdk-lap> but that doesn't fix anything, just cuts back on log noise for awhile
[15:19] <RoyK> denyhosts is also good, although it hasn't been updated for years, so it's no longer in the repos
[15:19] <Kallis> yeah
[15:19] <RoyK> (iirc)
[15:24] <Kallis> i will probably just leave it as is then tbh, banning after 3 attempts has decreased log noise a lot
[15:25] <Kallis> maybe jusr change the port as well
[15:29] <patdk-lap> even more if you set the ban time to like 30days :)
[16:13] <baldini> Hi, when will you fix the major issue with proftpd and your releases
[16:14] <baldini> LoadModule mod_copy.c
[16:14] <baldini> I thought you guys were cutting edge?
[16:16] <baldini> It leaves all servers using Ubuntu to a very serious hack
[16:16] <baldini> SERIOUS
[16:17] <baldini> other distros have apparently sorted it
[16:26] <baldini1> :)
[16:26] <baldini1> sort it guys
[16:27] <baldini1> I just lost a client with 5 dedies because of this
[16:28] <baldini1> one server fell foul and about 70 sites affected, then he closed his other servers
[16:28] <baldini1> all Ubuntu
[16:29] <baldini1> Ubuntu plz get your head out of your ass on this
[16:37] <cowboydodo> hi guys, trying to setup an ldap authentication having a a posixAccount in "cn=Test Appsiting,ou=benutzer,dc=example,dc=com"
[16:37] <cowboydodo>  and its gid is "appsiting", which in turn is "cn=appsiting,ou=gruppen,dc=example,dc=com" . My apache configurtation is: https://www.refheap.com/117749 but when trying to login with "testappsiting" I get a "invalid credentials, why is that?"
[16:41] <tarpman> cowboydodo: for a start, "ou=benutzer" != "ou=benutzer,dc=example,dc=com"
[16:42] <tarpman> cowboydodo: hard to do more than guess, since you haven't shown any debug logs, neither from apache nor the ldap server
[16:43] <tarpman> cowboydodo: since you said posixAccount, I also want to check - are you using LDAP groups (groupOfNames or groupOfUniqueNames) or RFC2307 groups (posixGroup)? 'Require ldap-group' is going to require the former
[16:43] <tarpman> cowboydodo: per https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#reqgroup
[16:51] <cowboydodo> tarpman: The apache2 log says user testappsiting: authorization failure for "/", the slapd i cant find, there is no /var/log/slapd.log, oh and cn=appsiting is a posixGroup. I'll change it
[16:52] <baldini>  LoadModule mod_copy.c  when you going to fix this guys
[16:52] <baldini> anytime in the last year would have been fine
[16:52] <tarpman> baldini: it looks like bug 1462311 is just waiting for someone to propose a patch (debdiff) for review; maybe you could do that?
[16:53] <baldini> lol
[16:53] <baldini> wtf
[16:53] <tarpman> baldini: as the first comment on the bug says, proftpd is in universe, so not supported by the security team
[16:53] <baldini> tarpman:  please give me a break
[16:54] <baldini> just dump the crap if its not secure
[16:54] <cowboydodo> tarpman: groupOfNames  would be fine as well, right?
[16:54] <tarpman> cowboydodo: yes
[16:54] <tarpman> baldini: just to be clear - i'm not affiliated with ubuntu in any way. just trying to be helpful in a constructive way
[16:55] <baldini> np, I appreciated your input
[16:55] <baldini> but really
[16:55] <tarpman> baldini: if you want help from the security team, asking nicely in #ubuntu-security might get more attention
[16:55] <baldini> I do
[16:55] <baldini> for the last 6 months
[16:55] <baldini> but id proftpd is not secure it should be dropped
[16:55] <baldini> if sry
[16:56] <tarpman> not sure how you "drop" something that many users (apparently including yourself) have already installed
[16:56] <baldini> how many people using proftpd on Ubuntu at the moment and totally unaware they are totally hackackable
[16:57] <baldini> its a major security risk
[16:57] <tarpman> cowboydodo: slapd log -> https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-server-logging -- 'stats' would be a good log level to start with (logs every query)
[16:57] <cowboydodo> tarpman: getting closer, instead of a "user not found" i now get a "authorization failure"
[16:57] <tarpman> baldini: proftpd is far from the only package in universe with glaring security problems
[16:58] <baldini> tarpman: agreed
[16:58] <baldini> but that just affected me
[16:58] <baldini> maybe its tile for Ubuntu to pack it in?
[16:58] <baldini> time
[16:58] <tarpman> baldini: if you want to make sure you only run security-supported packages, you have to remove universe from sources.list altogether
[16:58] <baldini> tarpman:  noted
[16:59] <baldini> all my installs are minimal
[16:59] <tarpman> baldini: or consider debian - the entire archive gets security support (in theory... in practice the security team there is also overworked)
[16:59] <baldini> I know about overworked
[16:59] <baldini> its all imploding
[17:00] <tarpman> baldini: but for the immediate problem you're working on (proftpd): the shortest path to a good solution for you and all the other proftpd users is for someone to propose a debdiff for review
[17:00] <tarpman> anyway, i'm going in circles now, i'll shut up :)
[17:00] <baldini> hehe
[17:00] <baldini> easy fix is # the module
[17:03] <cowboydodo> oh my god i got it, thanks tarpan
[17:03] <cowboydodo> had to use the full dn
[17:03] <cowboydodo> after require ldap-group
[17:46] <profall> Is it worth it to move to 16.04 yet?
[17:50] <tarpman> profall: for evaluation/pre-production use, or if you consider yourself an "early adopter", certainly
[17:50] <profall> Well, it will be used in a production environment. Just worried about setting up things on 14.04 and then having to move everything over 6 months from now...
[17:51] <tarpman> profall: for production use, depends on your risk tolerance; you might want to wait a month or two for the bugs found by initial adopters to be fixed
[17:51] <profall> true
[17:51] <profall> I think ill just wait, plus it gives me a job in the future :P
[17:51] <tarpman> profall: if you're just starting a project now, I'd say 16.04 is a better choice than 15.10
[17:53] <profall> How long is 14.04 supported for?>
[17:54] <tarpman> https://wiki.ubuntu.com/Releases -> April 2019
[17:54] <patdk-lap> generally it's best to wait till 16.04.1
[17:54] <patdk-lap> that is normally aug time frame
[17:54] <profall> yea