Re: [CentOS] [CentOS-announce] CentOS Project joins forces with Red Hat

2014-01-19 Thread Ned Slider
On 19/01/14 05:41, Eddie G. O'Connor Jr. wrote:
 On 01/17/2014 03:33 PM, Les Mikesell wrote:
 On Fri, Jan 17, 2014 at 2:07 PM, Warren Young war...@etr-usa.com wrote:
 Anyway, if you want a wide-open Linux, Les, you know where to get it.
 Sigh..., It's complicated.   I want stability and reliable security
 updates. But I don't like  being dependent on any single entity to
 provide that. Maybe that goes back to relying on some AT&T unix
 systems in what seems like another life.   Even though semi-compatible
 alternatives were available, being forced to change was somewhat
 painful.   So I don't necessarily want wide-open, just a little more
 open than being married.

 I don't really think the CentOS team has an evil plan here, but they
 should take it as a compliment that I think they are smart enough to
 fool me if they did want to do something like inject a hidden backdoor
 with their builds.  But, the bigger question is where it leaves us if
 they just decide to quit after assimilating most of the related
 systems under a build ecosystem that no one else can reproduce easily.

 Maybe it might be a good idea to do some research on Debian
 systems?...and using them for file and system servers?..I'm just
 sayin' LoL!



When there is discernible evidence of a deterioration of service, maybe. 
But until then it's all just FUD.

If anything, the evidence currently points to a vastly improved picture 
since the delays of a few releases back. Back then there was cause for 
concern. At present I see far less cause for concern. Of course things 
can change, but at present I see no reason to be concerned. I've never 
been very good at predicting the future so I will stick to looking at 
what the present is telling me, and currently the CentOS team are doing 
a good job on delivering the core product in a timely fashion. That is a 
metric I can measure today and it tells me something meaningful. IF that 
changes and things observably deteriorate then there are alternatives 
but I'd rather make decisions based on what I observe today rather than 
predictions about what might happen in the future.


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] [CentOS-announce] CentOS Project joins forces with Red Hat

2014-01-19 Thread Eddie G. O'Connor Jr.
On 01/19/2014 07:33 AM, Ned Slider wrote:
 On 19/01/14 05:41, Eddie G. O'Connor Jr. wrote:
 On 01/17/2014 03:33 PM, Les Mikesell wrote:
 On Fri, Jan 17, 2014 at 2:07 PM, Warren Young war...@etr-usa.com wrote:
 Anyway, if you want a wide-open Linux, Les, you know where to get it.
 Sigh..., It's complicated.   I want stability and reliable security
 updates. But I don't like  being dependent on any single entity to
 provide that. Maybe that goes back to relying on some AT&T unix
 systems in what seems like another life.   Even though semi-compatible
 alternatives were available, being forced to change was somewhat
 painful.   So I don't necessarily want wide-open, just a little more
 open than being married.

 I don't really think the CentOS team has an evil plan here, but they
 should take it as a compliment that I think they are smart enough to
 fool me if they did want to do something like inject a hidden backdoor
 with their builds.  But, the bigger question is where it leaves us if
 they just decide to quit after assimilating most of the related
 systems under a build ecosystem that no one else can reproduce easily.

 Maybe it might be a good idea to do some research on Debian
 systems?...and using them for file and system servers?..I'm just
 sayin' LoL!


 When there is discernible evidence of a deterioration of service, maybe.
 But until then it's all just FUD.

 If anything, the evidence currently points to a vastly improved picture
 since the delays of a few releases back. Back then there was cause for
 concern. At present I see far less cause for concern. Of course things
 can change, but at present I see no reason to be concerned. I've never
 been very good at predicting the future so I will stick to looking at
 what the present is telling me, and currently the CentOS team are doing
 a good job on delivering the core product in a timely fashion. That is a
 metric I can measure today and it tells me something meaningful. IF that
 changes and things observably deteriorate then there are alternatives
 but I'd rather make decisions based on what I observe today rather than
 predictions about what might happen in the future.


Well I for one will not be jumping ship anytime in the foreseeable
future. CEntOS (wish they would change the way it appears to the
world...the e should be capitalized...as the OS is...it's the start
of a real word!...but I digress!) CEntOS has been good to me...and has
never given me problems since installing it at 6.0's release. If
anything this should solidify the fact that CEntOS is TRULY an
Enterprise Class OS available to the masses from a Community that has
the (strength?...clout?...resources?) of Red Hat Enterprise
Linux...(this might make my taking the RHCSA a bit easier
too!...(wonder if there are any CEntOS certification exams?...or
would that be an over-saturation of the market?...like...if you're
not RHCSA approved...then you go for second string CEntOS?...maybe
it's better to NOT have one then!...)


EGO II


Re: [CentOS] [CentOS-announce] CentOS Project joins forces with Red Hat

2014-01-19 Thread Logan McNaughton
Here is my take (just a CentOS user).

The communication from Red Hat/CentOS during this change has been somewhat
poor. By reading various blog posts, etc.. A lot of people are confused
about what this change actually means. When people read things like CentOS
will allow Red Hat to innovate and test new things or however they word
it, people read that to mean RHEL != CentOS.

I know to a lot of the developers CentOS is a community or something, a
collection of repositories and whatnot, but to the average person, CentOS
is a product, a clone of RHEL.

The average person wants to know this: if I download CentOS 7, and choose
Basic Server in the installation, will I get the same packages (sans
trademark) that RHEL 7 has? Will it have the same version of gcc and httpd,
etc?

This hasn't been clear. If I understand the plan properly, CentOS will
remain a RHEL clone, but there will be modified versions (variants?) of
CentOS with added functionality, and maybe some repositories with extra
goodies. If the communication was clearer, people wouldn't be as worried
about Red Hat making CentOS some sort of unstable testing grounds, and
you'd receive better press.

Logan


On Sun, Jan 19, 2014 at 6:25 AM, Eddie G. O'Connor Jr. eoconno...@gmail.com
 wrote:

 On 01/19/2014 07:33 AM, Ned Slider wrote:
  On 19/01/14 05:41, Eddie G. O'Connor Jr. wrote:
  On 01/17/2014 03:33 PM, Les Mikesell wrote:
  On Fri, Jan 17, 2014 at 2:07 PM, Warren Young war...@etr-usa.com
 wrote:
  Anyway, if you want a wide-open Linux, Les, you know where to get it.
  Sigh..., It's complicated.   I want stability and reliable security
  updates. But I don't like  being dependent on any single entity to
  provide that. Maybe that goes back to relying on some AT&T unix
  systems in what seems like another life.   Even though semi-compatible
  alternatives were available, being forced to change was somewhat
  painful.   So I don't necessarily want wide-open, just a little more
  open than being married.
 
  I don't really think the CentOS team has an evil plan here, but they
  should take it as a compliment that I think they are smart enough to
  fool me if they did want to do something like inject a hidden backdoor
  with their builds.  But, the bigger question is where it leaves us if
  they just decide to quit after assimilating most of the related
  systems under a build ecosystem that no one else can reproduce easily.
 
  Maybe it might be a good idea to do some research on Debian
  systems?...and using them for file and system servers?..I'm just
  sayin' LoL!
 
 
  When there is discernible evidence of a deterioration of service, maybe.
  But until then it's all just FUD.
 
  If anything, the evidence currently points to a vastly improved picture
  since the delays of a few releases back. Back then there was cause for
  concern. At present I see far less cause for concern. Of course things
  can change, but at present I see no reason to be concerned. I've never
  been very good at predicting the future so I will stick to looking at
  what the present is telling me, and currently the CentOS team are doing
  a good job on delivering the core product in a timely fashion. That is a
  metric I can measure today and it tells me something meaningful. IF that
  changes and things observably deteriorate then there are alternatives
  but I'd rather make decisions based on what I observe today rather than
  predictions about what might happen in the future.
 
 
 Well I for one will not be jumping ship anytime in the foreseeable
 future. CEntOS (wish they would change the way it appears to the
 world...the e should be capitalized...as the OS is...it's the start
 of a real word!...but I digress!) CEntOS has been good to me...and has
 never given me problems since installing it at 6.0's release. If
 anything this should solidify the fact that CEntOS is TRULY an
 Enterprise Class OS available to the masses from a Community that has
 the (strength?...clout?...resources?) of Red Hat Enterprise
 Linux...(this might make my taking the RHCSA a bit easier
 too!...(wonder if there are any CEntOS certification exams?...or
 would that be an over-saturation of the market?...like...if you're
 not RHCSA approved...then you go for second string CEntOS?...maybe
 it's better to NOT have one then!...)


 EGO II


Re: [CentOS] [CentOS-announce] CentOS Project joins forces with Red Hat

2014-01-19 Thread Edward M
On 1/19/2014 5:25 AM, Eddie G. O'Connor Jr. wrote:
 .(wonder if there are any CEntOS certification exams?.



  No, since Redhat does not recommend CentOS for production environments, only
  RHEL. More is mentioned in the FAQ:


http://community.redhat.com/centos-faq/#_centos_and_red_hat_enterprise_linux



[CentOS] Network card throwing messages I dont understand

2014-01-19 Thread Jason T. Slack-Moehrle
I am having an issue where eth1 is throwing some messages and stops
responding. Restarting networking doesn't work and also just bringing down
eth1 with 'ifdown' doesn't fix it. I have never seen anything like these
messages:

eth1: no IPv6 routers present
r8169 :03:00.0: eth1: rtl_counters_cond == 1 (loop: 1000, delay: 10).
r8169 :03:00.0: eth1: rtl_chipcmd_cond == 1 (loop: 100, delay: 100).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phy_reset_cond == 1 (loop: 100, delay: 1).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: rtl_phyar_cond == 1 (loop: 20, delay: 25).
r8169 :03:00.0: eth1: link up

[root@mail jtsm]# lspci | grep -i net
02:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 01)

DEVICE=eth1
HWADDR=00:0A:CD:17:07:7E
TYPE=Ethernet
UUID=800623a1-adc6-401a-a3fa-c6d1348056c8
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.254.11
PREFIX=24
#GATEWAY=10.0.254.1
DNS1=8.8.8.8
DNS2=8.8.4.4

Does anyone have any ideas, or has anyone experienced this before?

Jason


[CentOS] sudo (+ldap+kerberos) not accepting password

2014-01-19 Thread Mauricio Tavares
So I have this centos 5.10 box which authenticates network users
against ldap(authorizing)+kerberos(authentication). And I now would
like to have sudo be able to allow admins (netgroup chinbeards) to
sudo about. I am not using sssd though (yet).

Here is the output of me trying sudo (debug on):

[raub@centos5-x64 ~]$ sudo pwd
LDAP Config Summary
===
uri              ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/
ldap_version     3
sudoers_base     ou=SUDOers,dc=domain,dc=com
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   12
timelimit        120
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===
sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap search
'(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for raub:

It seems to me that it had no issues finding that I belong to the
netgroup chinbeards (allowed to sudo), and realizing I can do a
command. So, to me the sudo+ldap part of the transaction
(authorization, kind of what is mentioned in
http://www.sudo.ws/sudoers.ldap.man.html and
http://www.gratisoft.us/sudo/readme_ldap.html) seems to be fine.

But, in the next step -- it asks for password -- is when things get
interesting. At this point I would expect it to pass that to pam,
which would then authenticate me with kerberos (I wonder if it would
work by checking if I have a valid kerberos ticket. That is what
happens when I, say, do ldapsearch. But I digress). But, according to
/var/log/secure,

Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=raub

It seems to have failed to authenticate me. Would it be due to pam not
knowing about kerberos?

Reading 
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html,
should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like
this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so


[CentOS] updated certificate, but certwatch still reporting it needs to be renewed

2014-01-19 Thread Jobst Schmalenbach
Hi

I updated the ssl certificate on the 15th of Jan using the provider's update
facility.
Then I downloaded the new certificate, installed it and restarted httpd.

Then I checked with the provider's ssl installation diagnostic tool whether
everything is fine - and it is, all reported good.

Then I opened a browser, loaded the https website, checked the certificate and 
it's valid until 8/02/2017, which was reported by above, as well.

I know I could turn certwatch off, but I like the warning as I have a few certs 
on different websites, domains and machines.

How come certwatch is still complaining?



Jobst




-- 
Why do overlook and oversee mean opposite things?

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L  The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia


Re: [CentOS] updated certificate, but certwatch still reporting it needs to be renewed

2014-01-19 Thread Jobst Schmalenbach

Thanks for the reply.

I put all the different certs into different subdirectories, so I know it's 
that one, e.g.:

  /apachepath/conf.d/cert1
  /apachepath/conf.d/cert2
  /apachepath/conf.d/cert3
 
It, too, complains about the /apachepath/conf.d/cert3/domain.crt file, which 
comes from the provider anyway.
I know it's the correct/new/latest one (date,size and from tests).

Jobst


On Mon, Jan 20, 2014 at 03:01:20AM +0100, Reindl Harald 
(h.rei...@thelounge.net) wrote:
 
 
 On 20.01.2014 02:23, Jobst Schmalenbach wrote:
  I updated the ssl certificate on the 15th of Jan using the provider's
  update facility.
  Then I downloaded the new certificate, installed it and restarted httpd.
  
  Then I checked with the providers ssl installation diagnostic tool 
  whether everything is fine - and it is, all reported good.
  
  Then I opened a browser, loaded the https website, checked the certificate 
  and it's valid until 8/02/2017, which was reported by above, as well.
  
  I know I could turn certwatch off, but I like the warning as I have a few 
  certs on different websites, domains and machines.
  
  How come certwatch is still complaining?
 
 look at *what* certificate it complains about
 certwatch looks at *all* certificates and you have changed *one*
 



-- 
If proof denies faith, and uncertainty denies proof, then uncertainty is proof 
of God's existence.

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L  The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia


[CentOS] VMware restricting to 3GB RAM

2014-01-19 Thread Hersh Parikh
Hi,

I am running VMware player on CentOS 5.4 and it's working fine. However it does
not allow me to increase the RAM more than 3GB.  It keeps throwing error
stating- Requested memory size is greater than allowed maximum of 3072 MB.
Could not initiate memory hot plug.

I understand from a few threads that 32bit OS has this kind of limitation but I
am able to understand why I am seeing this issue when I am using 64bit OS and
VMware player is also for 64bit.

Regards
Hersh


Re: [CentOS] VMware restricting to 3GB RAM

2014-01-19 Thread John R Pierce
On 1/19/2014 10:17 PM, Hersh Parikh wrote:
 I am running VMware player on CentOS 5.4 and its working fine. However it 
 does not allow me to increase the RAM more than 3GB.  It keeps throwing error 
 stating- Requested memory size is greater than allowed maximum of 3072 MB. 
 Could not initiate memory hot plug.

 I understand from few threads that 32bit OS has this kind of limitation but I 
 am able to understand why I am seeing this issue when I am using 64bit OS and 
 VMware player is also for 64bit.

I'd say, use virtualbox instead of vmware player.



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] VMware restricting to 3GB RAM

2014-01-19 Thread Mihamina RKTMB
On 01/20/2014 09:17 AM, Hersh Parikh wrote:
 Hi,

Hi,

 I am running VMware player on CentOS 5.4 and its working fine.
 However it does not allow me to increase the RAM more than 3GB.  It
 keeps throwing error stating- Requested memory size is greater than
 allowed maximum of 3072 MB. Could not initiate memory hot plug.

What is your host's amount of memory?
What is your guest type?
What VMware version of VM are you trying to create?



Re: [CentOS] VMware restricting to 3GB RAM

2014-01-19 Thread Luigi Rosa
Hersh Parikh said the following on 20/01/2014 07:17:

 I am running VMware player on CentOS 5.4 and its working fine. However it
 does not allow me to increase the RAM more than 3GB.  It keeps throwing
 error stating- Requested memory size is greater than allowed maximum of
 3072 MB. Could not initiate memory hot plug.
 
 I understand from few threads that 32bit OS has this kind of limitation but
 I am able to understand why I am seeing this issue when I am using 64bit OS
 and VMware player is also for 64bit.

Check this VMware article and see if you fall within the limitations described:

Virtual machine memory limits and hardware versions (1014006)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014006



Ciao,
luigi

-- 
/
+--[Luigi Rosa]--
\

Even bytes get lonely for a little bit.


Re: [CentOS] mail tools preferences?

2014-01-19 Thread Sorin Srbu
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Gary Greene
 Sent: den 18 januari 2014 00:59
 To: CentOS mailing list
 Subject: Re: [CentOS] mail tools preferences?

 That said, I've had more issues with Evolution with it trashing the 
 datastore
 of it's messages than T-bird[...]

Thanks, I thought it was just me...

--
//Sorin


Re: [CentOS] sudo (+ldap+kerberos) not accepting password

2014-01-19 Thread Mauricio Tavares
On Sun, Jan 19, 2014 at 6:12 PM, Mauricio Tavares raubvo...@gmail.com wrote:
 So I have this centos 5.10 box which authenticates network users
 against ldap(authorizing)+kerberos(authentication). And I now would
 like to have sudo be able to allow admins (netgroup chinbeards) to
 sudo about. I am not using sssd though (yet).

 Here is the output of me trying sudo (debug on):

 [raub@centos5-x64 ~]$ sudo pwd
 LDAP Config Summary
 ===
 uri              ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/
 ldap_version     3
 sudoers_base     ou=SUDOers,dc=domain,dc=com
 binddn           (anonymous)
 bindpw           (anonymous)
 bind_timelimit   12
 timelimit        120
 ssl              start_tls
 tls_cacertdir    /etc/openldap/cacerts
 ===
 sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/)
 sudo: ldap_set_option: debug -> 0
 sudo: ldap_set_option: ldap_version -> 3
 sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
 sudo: ldap_set_option: timelimit -> 120
 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)

 sudo: ldap_start_tls_s() ok
 sudo: ldap_sasl_bind_s() ok
 sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
 sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
 sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
 sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
 sudo: ldap sudoOption: 'env_reset'
 sudo: ldap sudoOption: 'ignore_local_sudoers'
 sudo: ldap search
 '(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))'
 sudo: ldap search 'sudoUser=+*'
 sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
 sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH!
 sudo: ldap sudoHost 'ALL' ... MATCH!
 sudo: ldap sudoCommand 'ALL' ... MATCH!
 sudo: Command allowed
 sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
 sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
 sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
 sudo: ldap sudoOption: 'env_reset'
 sudo: ldap sudoOption: 'ignore_local_sudoers'
 sudo: user_matches=1
 sudo: host_matches=1
 sudo: sudo_ldap_lookup(0)=0x02
 [sudo] password for raub:

 It seems to me that it had no issues finding that I belong to the
 netgroup chinbeards (allowed to sudo), and realizing I can do a
 command. So, to me the sudo+ldap part of the transaction
 (authorization, kinda of what is mentioned in
 http://www.sudo.ws/sudoers.ldap.man.html and
 http://www.gratisoft.us/sudo/readme_ldap.html) seem to be fine.

 But, in the next step -- it asks for password -- is when things get
 interesting. At this point I would expect it to pass that to pam,
 which would then autenticate me with kerberos (I wonder if it would
 work by checking if I have a valid kerberos ticket. That is what
 happens when I, say, do ldapsearch. but I digress). But, according to
 /var/log/secure,

 Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication
 failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=
 user=raub

 It seems to have failed to authenticate me. Would it be due to pam not
 knowing about kerberos?

 Reading 
 http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html,
 should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like
 this:

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_krb5.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
 account     required      pam_permit.so

 password    requisite     pam_cracklib.so try_first_pass retry=3
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_krb5.so use_authtok
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     optional      pam_mkhomedir.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session     optional      pam_krb5.so

  Ok, I am not saying what I wrote above is proper, but the auth
entry is enough to satisfy sudo. But how do I now tell authconfig to
edit the file properly? The way I did it was

authconfig --enableldap --enableldaptls \
  --ldapserver=idir1.internal.domain.com,idir2.internal.domain.com \
  --ldapbasedn=dc=domain,dc=com --enablekrb5 --passalgo=sha512 \
  --disablemd5 --update

but that does not seem to add the line to /etc/pam.d/system-auth to
tell it that kerberos is in the house.
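Added example (not part of the posts above, and not sudo or Linux-PAM code): a simplified model of how PAM walks the auth stack, showing why a pam_unix-only stack ends at pam_deny for a user whose password exists only in Kerberos, and why the pam_krb5 line from the post changes the result. The "before" stack, the per-module outcomes and the function names are assumptions made for illustration; only the keyword controls (required, requisite, sufficient, optional) are evaluated.

```python
"""Simplified model of how Linux-PAM walks one facility of a pam.d stack."""

# Constructed input. BEFORE is an assumed pam_unix-only auth stack; AFTER
# adds the pam_krb5 auth line proposed in the post.
HEAD = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
"""
KRB5 = "auth        sufficient    pam_krb5.so use_first_pass\n"
DENY = "auth        required      pam_deny.so\n"
BEFORE = HEAD + DENY
AFTER = HEAD + KRB5 + DENY

# Assumed per-module results for a user such as raub: no local password hash
# (pam_unix fails, as in the /var/log/secure line), uid >= 500, and a correct
# Kerberos password. pam_deny always fails.
KERBEROS_ONLY_USER = {
    "pam_env.so": True,
    "pam_unix.so": False,
    "pam_succeed_if.so": True,
    "pam_krb5.so": True,
    "pam_deny.so": False,
}


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility of a pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and '#%PAM-1.0'
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        if fields[1].startswith("["):
            # Bracketed control, e.g. [default=bad success=ok ...]
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        entries.append((control, rest[0], rest[1:]))
    return entries


def evaluate(stack, outcomes):
    """Return (authenticated, deciding_module) for keyword controls only."""
    first_failure = None
    for control, module, _args in stack:
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unsupported control: %r" % control)
        ok = outcomes[module]
        if control == "requisite" and not ok:
            return False, first_failure or module   # stop immediately
        if control == "required" and not ok and first_failure is None:
            first_failure = module                  # fail, but keep going
        if control == "sufficient" and ok and first_failure is None:
            return True, module                     # stop, stack succeeds
        # a failed 'sufficient' and any 'optional' result are ignored here
    return first_failure is None, first_failure


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, evaluate(parse_stack(text), KERBEROS_ONLY_USER))
```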