[11:40] <athos_> I see lots of build failures in the update excuses pages without logs from syncs in the past ~4 hours; I am retriggering some of the php ones.
=== athos_ is now known as athos
[12:54] <ahasenack> does anyone know how to use resolvectl to accomplish this: use 192.168.122.10 for the "test.lan" domain, and 192.168.122.1 for anything else, including a "vms" search domain
[12:54] <ahasenack> I'm trying to use the SNI syntax, but it just complains, even though the manpage says it should work
[12:55] <ahasenack> like "That is, the acceptable full formats are "111.222.333.444:9953%ifname#example.com" for IPv4"
[12:55] <ahasenack> root@j-dc:~# resolvectl dns 192.168.122.1:53%enp1s0#vms
[12:55] <ahasenack> Failed to resolve interface "192.168.122.1:53%enp1s0#vms": Invalid argument
[12:56] <ahasenack> even /etc/systemd/resolved.conf has that SNI example
[12:56] <ahasenack> # Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
[12:56] <ahasenack> # Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
[12:57] <ahasenack> oh, this worked: resolvectl dns enp1s0 192.168.122.1#vms
[12:57] <ahasenack> well, it didn't complain
[13:12] <sdeziel> ahasenack: the SNI thing is for DNS over TLS (DoT) or DNS over HTTPS (DoT) certificate validation (where https://1.1.1.1/ should have a cert with a CN or SAN matching "cloudflare-dns.com")
[13:13] <ahasenack> I knot SNI has a meaning in the TLS context, but here I thought it was also just a way to specify routing
[13:13] <ahasenack> that syntax, ip:port%nic#domain is also used by dnsmasq
[13:13] <ahasenack> well, not the exact same syntax
[13:13] <ahasenack> --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<interface>]
[13:14] <ahasenack> so, back to the original question, forgetting about this sni
[13:14] <ahasenack> there must be a way to use resolvectl via its command line options to do what I described?
[13:15] <ahasenack> https://pastebin.com/k2E4VN62 is my starting point, after reboot
[13:15] <sdeziel> ahasenack: `resolvectl dns enp1s0 192.168.122.1 domain vms` maybe
[13:16] <sdeziel> or possibly use `~vms` instead
[13:16] <ahasenack> this is a syntax error: resolvectl dns enp1s0 192.168.122.10 domain ~test.lan
[13:16] <ahasenack> I think each dns and domain are their own commands
[13:17] <sdeziel> ahasenack: https://linuxcontainers.org/lxd/docs/latest/howto/network_bridge_resolved/ might give you a hint
[13:17] <ahasenack> yeah, I googled that too, but so far I only have hints
[13:17] <ahasenack> not answers :)
[13:19] <sdeziel> ahasenack: I don't know why but the LXD doc does 2 calls to resolvectl, one for the dns and another for the domain so maybe that's important somehow
[13:19] <ahasenack> yeah, but I want the domain from the second call to use a different dns ip
[13:19] <ahasenack> so somehow I need to tie those together
[13:19] <ahasenack> I have two dns servers
[13:19] <ahasenack> domain vms -> 192.168.122.1
[13:19] <ahasenack> domain test.lan -> 192.168.122.10
[13:20] <sdeziel> and another default resolver?
[13:20] <ahasenack> what's unique here probably is that it's only one nic
[13:26] <ahasenack> it's too geared towards interfaces
[13:30] <sdeziel> ahasenack: might be one for #systemd
[14:02] <ahasenack> sergiodj: ok, std join from kinetic, old sssd (2.6.3), failed with a more reasonable error
[14:02] <ahasenack>    *  (2022-06-21 14:01:56): [gpo_child[1474]] [copy_smb_file_to_gpo_cache] (0x0400): [RID#8] smb_uri: smb://j-dc.test.lan/sysvol/test.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
[14:02] <ahasenack> and
[14:02] <ahasenack>    *  (2022-06-21 14:01:56): [gpo_child[1474]] [copy_smb_file_to_gpo_cache] (0x0020): [RID#8] smbc_getFunctionOpen failed [2][No such file or directory]
[14:02] <sergiodj> OK
[14:03] <ahasenack> so it tried to fetch that gpo, which does not exist, and failed
[14:03] <ahasenack> access denied
[14:03] <sergiodj> alright, makes sense
[14:03] <ahasenack> what should I check now, create that file, or upgrade sssd? :)
[14:03] <ahasenack> I think create that file
[14:03] <sergiodj> (actually, No such file or directory)
[14:03] <sergiodj> yeah, create the file
[14:03] <sergiodj> baby steps
[14:05] <ahasenack> ok, worked
[14:05] <sergiodj> the login worked?
[14:05] <ahasenack> yes, on kinetic, sssd 2.2.x, with the inf file
[14:05] <ahasenack> so far so good
[14:05] <sergiodj> that's good
[14:05] <ahasenack> now add cráshed to GPT.INI
[14:06] <ahasenack> this drove us nuts yesterday
[14:06] <ahasenack> I'm thinking about snapshotting this vm
[14:06] <sergiodj> good idea
[14:06] <ahasenack> both are snapshotted: server and client
[14:07] <ahasenack> # echo "displayName=crásher" | iconv -f UTF-8 -t CP850 >> GPT.INI 
[14:08] <ahasenack>    *  (2022-06-21 14:07:55): [gpo_child[1585]] [perform_smb_operations] (0x0020): [RID#16] Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
[14:08] <ahasenack> failed as expected
[14:08] <ahasenack> now upgrade sssd?
[14:08] <ahasenack> this on k still
[14:08]  * ahasenack checks on the sssd migration
[14:08] <ahasenack> failed to build?
[14:09] <ahasenack> ah, the i386
[14:09] <ahasenack> time to ping vorlon
[14:09] <ahasenack> I'll grab it from the ppa
[14:09] <ahasenack> https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-bugfix/ right?
[14:10] <sergiodj> ahasenack: yes
[14:10] <sergiodj> ahasenack: I pinged vorlon yesterday.  will ping again
[14:12] <ahasenack> E: The repository 'https://ppa.launchpadcontent.net/sergiodj/sssd-bugfix/ubuntu kinetic Release' does not have a Release file.
[14:12] <sergiodj> wait, what?
[14:12] <sergiodj> I uploaded the package yesterday "just in case"
[14:12] <ahasenack> what indeed
[14:12] <ahasenack> I did the usual add-apt-repository -y -u 
[14:12] <ahasenack> and apt update again
[14:13] <ahasenack> oh, wait
[14:13] <ahasenack> you don't have a kinetic build there
[14:13] <sergiodj> don't I?
[14:13] <sergiodj> ah, right
[14:13] <ahasenack> no, was it a different ppa for the merge?
[14:13] <sergiodj> yes
[14:13] <sergiodj> should be sssd-merge
[14:13] <sergiodj> yep
[14:13] <sergiodj> https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-merge/+packages
[14:14] <ahasenack> you, sir, need to do some cleanup in your ppas :)
[14:14] <sergiodj> hah
[14:15] <ahasenack> ok, updating to 2.7.1
[14:15] <sergiodj> btw, have you done anything different when setting up the samba AD DC VM?
[14:15] <ahasenack> yes
[14:15] <sergiodj> I'm still wondering why I can't make the GptTmpl.inf trick work here
[14:16] <ahasenack> on the ad dc, just install "samba winbind"
[14:16] <sergiodj> hm
[14:16] <ahasenack> no need for libnss*, krb5-kdc
[14:16] <ahasenack> or pam
[14:16] <sergiodj> OK, that was it?
[14:16] <ahasenack> can't say
[14:16] <ahasenack> I just simplified things
[14:16] <sergiodj> I will simplify the Test Plan too
[14:16] <ahasenack> and the samba wiki says to not use the ad as a file server, so there is no need to actually install libnss-winbind and use it, afaik
[14:17] <ahasenack> I also did some things around resolved and netplan
[14:17] <ahasenack> but no rocket science, just simplifying it
[14:17] <ahasenack> and yes, we have to disable systemd-resolved
[14:17] <sergiodj> OK
[14:17] <ahasenack> samba doesn't like that it cannot bind to 0.0.0.0:53, even though resolved is only using 127.0.0.53:53
[14:18] <ahasenack> ok, sssd upgraded
[14:18] <ahasenack> login should work now, with a notice about the invalid chars in GPT.INI being replaced by "?"
[14:18] <ahasenack> nope
[14:18] <ahasenack> got "permission denied" now
[14:19] <ahasenack>    *  (2022-06-21 14:18:35): [gpo_child[3892]] [copy_smb_file_to_gpo_cache] (0x0400): [RID#5] smb_uri: smb://j-dc.test.lan/sysvol/test.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
[14:19] <ahasenack>    *  (2022-06-21 14:18:41): [gpo_child[3892]] [copy_smb_file_to_gpo_cache] (0x0020): [RID#5] smbc_getFunctionOpen failed [13][Permission denied]
[14:19] <sergiodj> that same permission denied?
[14:19] <ahasenack> this is bonkers
[14:19] <sergiodj> hm
[14:20] <sergiodj> and this is with sssd 2.7.1-2, right?
[14:20] <ahasenack> yes
[14:20] <ahasenack> maybe we should try a join with that version already
[14:20] <ahasenack> maybe it's an upgrade problem
[14:20] <sergiodj> wait
[14:20] <sergiodj> can you revert the change to GTP.INI and try again?
[14:21] <ahasenack> sure
[14:21] <sergiodj> GPT.INI*
[14:21] <ahasenack> and I just realized my "echo" from above missed a \n
[14:21] <ahasenack> the file got kind of corrupted
[14:21] <ahasenack> [General]
[14:21] <ahasenack> Version=0displayName=crsher
[14:21] <sergiodj> ah
[14:21] <sergiodj> yeah, but that shouldn't trigger a Permission Denied error
[14:22] <ahasenack> but still, it failed at parsing before, so I think the test was still valid
[14:22] <ahasenack> file restored, it's working (!)
[14:22] <sergiodj> alright!
[14:22] <ahasenack> let's reintroduce the crásher, properly
[14:22] <sergiodj> yes
[14:23] <ahasenack> worked, and I got
[14:23] <ahasenack> ^[[D(2022-06-21 14:23:33): [gpo_child[4045]] [gpo_sanitize_buffer_content] (0x3f7c0): [RID#20] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'
[14:23] <sergiodj> OK, so everything is working, then
[14:23] <ahasenack> so, hm
[14:23] <ahasenack> yeah
[14:24] <ahasenack> but I still have the .inf file I think
[14:24] <ahasenack> yeah, let me get rid of it
[14:24] <sergiodj> OK
[14:24] <ahasenack> worked again
[14:24] <sergiodj> that should still work
[14:24] <ahasenack> but I got two replacement warnings
[14:24] <ahasenack> like it fetched GPT.INI twice
[14:25] <ahasenack> maybe that's what happened before with the corruption, the first time it replaced the á with ?, and then the second time the file was really invalid due to my bad echo >
[14:25] <ahasenack> hm, no, it was probably something to do with a local cache
[14:26] <ahasenack> now I just get one parsing notice
[14:26] <sergiodj> I'm happy that you finally got everything to work, but I am puzzled about why my setup doesn't work
[14:26] <ahasenack> well, even my "all is working" might be temporary
[14:26] <ahasenack> as it was yesterday
[14:26] <sergiodj> yes, this setup is very fragile
[14:27] <ahasenack> one thing I did was just not use dhcp on the addc
[14:27] <sergiodj> I'm actually impressed at how easy it is to break it
[14:27] <ahasenack> specified everything manually
[14:27] <ahasenack> ip, nameserver, default route
[14:27] <ahasenack> also specified myself as a dns server, and .1
[14:27] <ahasenack> and in smb.conf, there is a forwarder to .1
[14:27] <ahasenack> the provisioning tool adds a forwarder to 127.0.0.53
[14:28] <sergiodj> you know, yesterday I was really suspicious of my DNS setup here
[14:28] <ahasenack> trying to cope with systemd-resolved I gues
[14:28] <ahasenack> now, let's try jammy
[14:28] <sergiodj> OK
[14:29] <sergiodj> heh, this is all part of the MP review
[14:29] <ahasenack> sssd/samba/winbind/allthatstack is definitely not simple
[14:29] <ahasenack> it can be 1h or 1d
[14:29] <ahasenack> imagine taking care of this in production
[14:30] <ahasenack> even maintaining the packages and coping with all scenarios would require a team over here
[14:30] <sergiodj> one can say that 2 people are already a team ;)
[14:31] <ahasenack> yeah, calling is a coupld would be weird
[14:31] <ahasenack> :D
[14:31] <ahasenack> couple*
[14:31] <ahasenack> duo
[14:31] <sergiodj> but I do agree, this is all complex and requires a lot of time to setup
[14:32] <ahasenack> on the + side, this works, no need to specify the samba ip: # realm discover -v test.lan
[14:32] <ahasenack> just the domain
[14:32] <ahasenack> once this client machine is using the samba addc as its dns server
[14:33] <sergiodj> I think it's the DNS that fixed it
[14:33] <sergiodj> if you're available, I'd like to compare notes after the standup
[14:33] <ahasenack> right after I can't, family lunch
[14:33] <ahasenack> but I can now
[14:33] <sergiodj> OK
[14:33] <sergiodj> meet you there
[15:47] <rbasak> athos: https://code.launchpad.net/~bryce/ubuntu/+source/nginx/+git/nginx/+merge/424337 has an empty comment from you and I think you grabbed the slot. Is this intentional?
[16:07] <athos> rbasak: I picked the slot but tried to restore it at some point. I thought I did it.
[16:08] <athos> given the size of the merge, it would be nice to have someone who did touch nginx before to review that one
[16:08] <athos> rbasak: I guess I could not re-assign that slop
[16:08] <athos> slot*
[16:09] <Soni> when do they make 22.04.1?
[16:09] <lotuspsychje> Soni: around august
[16:13] <rbasak> athos: no problem I'll review, thanks.
[16:13] <rbasak> (not sure I'll finish today though)
[16:22] <athos> thanks, rbasak :)
[16:29] <Maik> Soni: if you're already running 22.04 it will automatically become 22.04.1 just by keeping it up to date
[16:29] <Maik> no need to re-install
[20:31] <ahasenack> sergiodj: does this just need a retry click? https://launchpad.net/ubuntu/+source/sssd/2.7.1-2ubuntu1/+build/24097136
[20:32] <sergiodj> ahasenack: https://launchpad.net/ubuntu/+source/jose/11-2/+build/24097239 -- jose's build is still pending
[20:32] <sergiodj> has been like this for hours and hours
[20:32] <ahasenack> "start in 42min"
[20:34] <sergiodj> sometimes I think someone should write a crawler to parse the build page and use this estimate as a random number generator
[20:36] <ahasenack> did you trigger that build, or it's been like this since yesterday perhaps?
[20:37] <ahasenack> if you cancel it, can you retry it?
[20:37] <sergiodj> ahasenack: vorlon triggered that build
[20:37] <sergiodj> yesterday, when he added jose to i386
[20:38] <sergiodj> I can try cancelling it, but I don't know if this will have any undesired consequences or not
[20:41] <sergiodj> I'll wait a bit more.  if it doesn't start building by my EOD, I'll cancel and retry