[CentOS] Strange symbolic link behaviour?
Hi,

I'm running CentOS 5 and running into a strange situation with symbolic links that I have never seen or noticed before. If I create the following symbolic link:

    [eric@eric-laptop ~]$ pwd
    /home/eric
    [eric@eric-laptop ~]$ ls
    Mail  draft  inbox  queue  sent  trash
    [eric@eric-laptop ~]$ ln -s Mail/inbox test
    [eric@eric-laptop ~]$ ls test
    1  2  3  4  5
    [eric@eric-laptop ~]$ cd test
    [eric@eric-laptop test]$ pwd
    /home/eric/test
    [eric@eric-laptop test]$ ls
    1  2  3  4  5
    [eric@eric-laptop test]$ ls ..
    draft  inbox  queue  sent  trash

The strange behaviour here is when listing the parent directory (..). In this case, ls .. is listing the contents of the Mail/ directory - not /home/eric. In the past, I always recall being able to use the parent identifier (..) to move up one level in the directory structure whether in a symlink or not. In this case, I would have expected ls .. to list the contents of /home/eric - not /home/eric/Mail.

Am I wrong? Am I seeing strange behaviour here? If so, is there a way to enable the behaviour I expect?

Thanks!

Eric
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
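Added example, not part of the post above: a POSIX shell script that rebuilds the layout from the post under a temporary directory (directory names constructed to mirror it) and compares what the kernel and the shell each treat as the parent of the symlinked directory. The kernel resolves .. against the directory the link points to, so a separate process such as ls sees Mail/ as the parent; the shell's cd keeps a logical path by default and only edits the $PWD string, which is why cd .. from test/ lands back in the home directory. cd -P and pwd -P give the kernel's view from the shell.

```shell
#!/bin/sh
# Added example, not part of the original post. Rebuilds the layout from the
# post under a temporary directory (names constructed to mirror it) and
# compares the kernel's view of ".." with the shell's.
set -eu

# Creates $1/Mail/inbox plus a few entries and the symlink $1/test -> Mail/inbox
make_tree() {
    mkdir -p "$1/Mail/inbox"
    touch "$1/Mail/draft" "$1/Mail/queue" "$1/Mail/inbox/1" "$1/Mail/inbox/2"
    ln -s Mail/inbox "$1/test"
}

# Parent of the symlinked directory as the kernel resolves it: cd -P follows
# the link, so ".." is Mail, not the directory holding the link.
physical_parent() {
    (cd -P "$1/test" && cd .. && pwd -P)
}

# Parent as the shell's default (logical) cd sees it: the shell only edits
# the $PWD string, so ".." drops the "test" component and lands in $1.
logical_parent() {
    (cd -L "$1/test" && cd -L .. && pwd -L)
}

# What "ls .." inside the link prints: ls is a separate process and asks the
# kernel, which answers with the physical parent (Mail).
ls_dotdot() {
    (cd "$1/test" && ls ..)
}

base=$(mktemp -d)
make_tree "$base"
echo "logical  parent of test/: $(logical_parent "$base")"
echo "physical parent of test/: $(physical_parent "$base")"
echo "ls .. from inside test/:  $(ls_dotdot "$base" | tr '\n' ' ')"
rm -rf "$base"
```

Running it prints the temp directory as the logical parent, its Mail/ subdirectory as the physical parent, and "draft inbox queue" for ls .., which is the behaviour shown in the post. set -o physical (or cd -P) makes the shell track the physical path instead, at which point cd .. and ls .. agree.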
[CentOS] CentOS 5.3 Xen installation trouble installing FUSE
Hi,

I've got CentOS 5.3 installed as a Xen client. I've recently been trying to install TrueCrypt on the VM, but am having miserable troubles with the Fuse kernel module. To date, I've installed the following packages:

    yum install truecrypt
    yum install fuse

However, to launch the fuse module, I need the dkms_autoinstaller running. However, when I try to start the dkms_autoinstaller service I get the following error messages:

    Jun 28 23:31:57 charliebrown dkms_autoinstaller: fuse (2.7.4-1.nodist.rf): Installing module on kernel 2.6.18-128.2.1.el5xen.
    Jun 28 23:31:57 charliebrown dkms_autoinstaller: Kernel headers for 2.6.18-128.2.1.el5xen are not installed. Cannot install this module.
    Jun 28 23:31:57 charliebrown dkms_autoinstaller: Try installing linux-headers-2.6.18-128.2.1.el5xen or equivalent.

Indeed, the kernel modules available in yum are for 2.6.18-194.3.1.el5. I fished around, and found a kernel-headers package for 2.6.18-128.2.1.el5 (http://137.138.246.63/cern/slc5X/x86_64/yum/updates/repoview/kernel-headers.html). I downloaded the RPM, and downgraded my kernel-headers package. So I now have the kernel-headers package for 2.6.18-128.2.1.el5 installed. However, when I try to start the dkms_autoinstaller, I still get the same error message indicating that the kernel headers for 2.6.18-128.2.1.el5xen are not installed.

Where can I find this package? They aren't on the Citrix repos. From the few threads I've read, people are suggested to download a DDK VM to build new modules, etc, but that still won't help me, as I need the headers on the actual machine to run the dkms_autoinstaller service.

I'm currently stuck / lost. Any help / suggestions would be greatly appreciated!

Thanks,

Eric
[CentOS] Resizing a PV that belongs within a Volume Group?
Hi,

I was wondering if there was a way to extend (i.e. grow) a PV that is part of a Volume Group? I currently have a partition on my HD that is being used as a PV for my Volume Group, but would like to make it larger. I have the space on my drive to extend my partition, but using standard tools (ex: gparted, Partition Magic, etc) would likely end up corrupting the data in the Logical Volumes that are housed within the VG.

I realize that I could just create a new partition on my HD and just add it to my Volume Group and extend my Volume Group, however, given that it would be two contiguous partitions on the HD, I was just wondering if there was a way of resizing the original partition within the VG without causing any problems.

I tried looking at tools like pvresize but I can't seem to understand the right arguments to use it as whatever I try never seems to resize the original partition itself. I also looked at the system-config-lvm GUI tool, but that doesn't seem to allow me to make the PV any larger.

Does anyone have any suggestions?

Thanks!

Eric
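Added example, not from the post above: a shell check that reads pvs output and reports PVs whose partition has already been grown underneath them, which is exactly the state pvresize is there to fix. pvresize itself does not touch the partition; the partition is extended first with a partition tool, keeping the same start sector, the kernel re-reads the table, and then pvresize with just the device name grows the PV metadata to fill the partition. The pvs lines fed to the check are constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Lists PVs whose backing
# device is larger than the PV itself, i.e. partitions that were grown
# but not yet picked up by LVM. Feed it the output of:
#   pvs --noheadings --nosuffix --units b -o pv_name,pv_size,dev_size
set -eu

# Reads pvs lines on stdin; prints "pv_name extra_bytes" per growable PV.
# %.0f keeps the byte counts exact in every awk, where %d may overflow.
pv_growable() {
    awk 'NF == 3 && $3 + 0 > $2 + 0 { printf "%s %.0f\n", $1, $3 - $2 }'
}

# Constructed sample (not from a real host): sda2's partition was extended
# by roughly 10 GiB in place, sdb1 still fills its partition exactly.
SAMPLE='  /dev/sda2 21470642176 32210866176
  /dev/sdb1 10733223936 10733223936'

echo "$SAMPLE" | pv_growable
# Expected: /dev/sda2 10740224000

# On the real host the order is: grow the partition with the same start
# sector, make the kernel re-read the table (partprobe), then
#   pvresize /dev/sda2
# with no size argument, which extends the PV to fill the partition.
# "pvs -o +dev_size" afterwards should show pv_size equal to dev_size, and
# "vgs" the extra free extents ready for lvextend.
```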
Re: [CentOS] Autofs cannot bind LDAP server
Kwan Lowe <kwan.l...@gmail.com> wrote in message news:b7e478370912020407p35def217td1bcf579d7bb8...@mail.gmail.com...

> On Fri, Nov 27, 2009 at 12:30 PM, Eric B. <ebe...@hotmail.com> wrote:
>> My problem, however, is that once my ldap server is back up, autofs never seems to retry to connect to it, so all my /home mounts fail. Basically, it means I have to make sure that my LDAP server is never down while another server is rebooting. I figure there must be something in the configuration file that would allow me to tweak this to indicate to autofs to recheck the ldap server periodically to see if it has come back up, but can't seem to find anything.
>
> Once the server is back up, does restarting the autofs daemon fix the behaviour?

Yes. Restarting the autofs daemon causes it to reconnect to the ldap server, and all automounts work properly at that point.

> Also, try setting the logging to debug.. Might give you a better idea of why it's not reconnecting.

I tried, but I got no additional useful information out of the automounter. Basically, it says that it failed to connect to the ldap server, and never retries. But nothing particularly more useful (to me at least) there.

Any ideas of lists or groups that I can try otherwise? I've tried posting to the kernel.autofs mailing list, but for some reason my posts never make it on. I even tried mailing the list admins but got no response back from them either.

Thanks,

Eric
Re: [CentOS] Autofs cannot bind LDAP server
Alan McKay <alan.mc...@gmail.com> wrote in message news:844129e80912011526o16aa6aen206a1cf7676a5...@mail.gmail.com...

>> I'm using Autofs and LDAP for mounting my home directories via nfs. In general, everything seems to work fine. However, I have one small problem. If I reboot my server using autofs while my LDAP server is down, I get the following error message in my logs:
>
> I can't help you - but can you help me by pointing me to the docs you used to get this far?

Holy cow. It wasn't easy... I had to do a lot of digging around to find the necessary stuff, and unfortunately, don't have all the links any more. I did a lot of searching online using LDAP and autofs as query strings. Some of the links I found were the following that helped me understand. Mind you, none were howto recipes as such.

http://www.linuxtopia.org/online_books/rhel5/rhel5_administration/rhel5_s1-nfs-client-config-autofs.html
http://www.openldap.org/faq/data/cache/599.html

In a nutshell (if memory serves properly), you needed to do the following (this is all assuming you already have a functional LDAP server up and running and properly configured in your nsswitch.conf files and your ldap.conf files, etc).

1) Add the autofs schema to your ldap server (add the following line to the slapd.conf file):

    include /etc/openldap/schema/redhat/autofs.schema

   I don't remember if I already had the autofs.schema file or not, or if I had to search for it.

2) Modify your /etc/sysconfig/autofs to uncomment:

    # MAP_OBJECT_CLASS=automountMap
    ENTRY_OBJECT_CLASS=automount
    MAP_ATTRIBUTE=ou
    ENTRY_ATTRIBUTE=cn
    VALUE_ATTRIBUTE=automountInformation

3) Create an ldif file and import it into your LDAP server to show the following. Note that my NFS server has the home directories located at /var/nfs/home/<user name>. Your mapping may be different.

    dn: ou=auto.home,dc=domain,dc=com
    objectClass: top
    objectClass: automountMap
    ou: auto.home

    dn: cn=/,ou=auto.home,dc=domain,dc=com
    objectClass: automount
    cn: /
    automountInformation: -rsize=8192,wsize=8192,intr nfs_server.domain.com:/var/nfs/home/

    dn: ou=auto.master,dc=domain,dc=com
    objectClass: top
    objectClass: automountMap
    ou: auto.master

    dn: cn=/home,ou=auto.master,dc=domain,dc=com
    objectClass: automount
    cn: /home
    automountInformation: ldap:ldap_server.domain.com:ou=auto.home,dc=domain,dc=com

4) Cross your fingers and restart your ldap server and your autofs daemon and hope it works.

I got this working on CentOS 5.3. Hope this helps. I remember having to do a lot of digging around, a lot of searching and a lot of trial and error to get it working. But hopefully the above points should at least set you off on the correct path. Keep in mind I am by far no expert - I just poked around until I got it working, and once I did, stepped away from it.

Good luck.

Eric
Re: [CentOS] Autofs cannot bind LDAP server
Todd Denniston <todd.dennis...@tsb.cranrdte.navy.mil> wrote in message news:4b168426.9030...@tsb.cranrdte.navy.mil...

> Kwan Lowe wrote, On 12/02/2009 07:07 AM:
>> On Fri, Nov 27, 2009 at 12:30 PM, Eric B. <ebe...@hotmail.com> wrote:
>>> My problem, however, is that once my ldap server is back up, autofs never seems to retry to connect to it, so all my /home mounts fail. Basically, it means I have to make sure that my LDAP server is never down while another server is rebooting. I figure there must be something in the configuration file that would allow me to tweak this to indicate to autofs to recheck the ldap server periodically to see if it has come back up, but can't seem to find anything.
>>
>> Once the server is back up, does restarting the autofs daemon fix the behaviour?
>> Also, try setting the logging to debug.. Might give you a better idea of why it's not reconnecting.
>
> Perhaps the following links from an autofs list thread will point to something for Eric:
> subject: [autofs] ldap and reloading
> http://linux.kernel.org/pipermail/autofs/2009-June/005775.html
> http://linux.kernel.org/pipermail/autofs/2009-June/005779.html
>
> BTW the 'how to' debug Autofs is at:
> http://people.redhat.com/jmoyer/

Thanks for the links. Not exactly what I need, but maybe an alley to help me down the path.

In the meantime, if anyone else has any suggestions what I can do, would love to hear about it.

Thanks,

Eric
Re: [CentOS] Autofs cannot bind LDAP server
Benjamin Donnachie <benja...@py-soft.co.uk> wrote in message news:732076a80912020835u4cc87abwb3633c40320e8...@mail.gmail.com...

> 2009/12/2 Eric B. <ebe...@hotmail.com>:
>> In the meantime, if anyone else has any suggestions what I can do, would love to hear about it.
>
> Do you just have the one LDAP server? I would probably set up a slave and add it to your client's ldap configuration.

Yes - thanks. Actually, my problem has to do with sequencing. I'm running most of my servers as Virtual Machines, so if/when a Virtual Host reboots, all the vms on it reboot as well. If any of the other vms happen to boot prior to the ldap servers, I run into this problem. So I'm trying to figure out if there is a way around this, apart from making sure never to boot both the ldaps at the same time.

Thanks,

Eric
[CentOS] Autofs cannot bind LDAP server
Hi,

I'm using Autofs and LDAP for mounting my home directories via nfs. In general, everything seems to work fine. However, I have one small problem. If I reboot my server using autofs while my LDAP server is down, I get the following error message in my logs:

    automount[3358]: bind_ldap_anonymous: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server

which is understandable, since my ldap server is temporarily down. My problem, however, is that once my ldap server is back up, autofs never seems to retry to connect to it, so all my /home mounts fail. Basically, it means I have to make sure that my LDAP server is never down while another server is rebooting. I figure there must be something in the configuration file that would allow me to tweak this to indicate to autofs to recheck the ldap server periodically to see if it has come back up, but can't seem to find anything.

My /etc/sysconfig/autofs file is pretty plain:

    # TIMEOUT - set the default mount timeout (default 600).
    # TIMEOUT=300
    # LOGGING - set default log level none, verbose or debug
    # LOGGING=verbose
    # Other common LDAP nameing
    # MAP_OBJECT_CLASS=automountMap
    ENTRY_OBJECT_CLASS=automount
    MAP_ATTRIBUTE=ou
    ENTRY_ATTRIBUTE=cn
    VALUE_ATTRIBUTE=automountInformation

Is there anything I can do to force autofs to check to see if my LDAP server is back online?

Thanks,

Eric
Re: [CentOS] LDAP useradd command?
Steve Huff <sh...@vecna.org> wrote in message news:3fa0bdab-b7d0-42b7-8615-5a7fd2f84...@vecna.org...

> On Aug 17, 2009, at 4:51 PM, Eric B. <ebe...@hotmail.com> wrote:
>> Any ideas where I might be able to find some help for it? I enabled full logging on my OpenLDAP server, and I see it failing with TLS negotiation for some reason, even when I don't want it to use TLS.
>
> 'man libuser.conf' worked well for me. from this doc you will learn that libuser requires either TLS or a ldaps:// URI.

I've read through libuser.conf and the specific for ldap server says:

    A domain name or an URI of the LDAP server. The URI can use the ldap or the ldaps protocol. When a simple domain name is used, the connection fails if TLS can not be used; an URI using the ldap protocol allows connection without TLS. Default value is ldap.

My libuser.conf reads:

    server = ldap://snoopy.domain.com/

According to the man pages, this should allow for the connection without TLS.

Thoughts?

Thanks,

Eric
Re: [CentOS] LDAP useradd command?
Craig White <craigwh...@azapple.com> wrote in message news:1250547989.4486.6.ca...@lin-workstation.azapple.com...

> On Mon, 2009-08-17 at 15:00 -0400, Eric B. wrote:
>> Hi,
>>
>> Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time. Is there not an easier / faster way?
>
> Webmin
> http://www.webmin.com
>
> Use the LDAP Users and Groups module
>
> I use this everywhere I go

I'll take a look at it. But to be honest, I tried webmin years and years ago (maybe 8 or 10 or so?) and was somewhat disappointed with it. Plus, I found it to be a serious security hole at the time. Since then, I haven't really taken a look at it. Maybe I'll give it a quick look again. But I still would want a console-based option available.

Thanks,

Eric
Re: [CentOS] LDAP useradd command?
Bill Campbell <cen...@celestial.com> wrote in message news:20090818153023.ga23...@ayn.mi.celestial.com...

>>>> Any ideas where I might be able to find some help for it? I enabled full logging on my OpenLDAP server, and I see it failing with TLS negotiation for some reason, even when I don't want it to use TLS.
>>>
>>> 'man libuser.conf' worked well for me. from this doc you will learn that libuser requires either TLS or a ldaps:// URI.
>>
>> I've read through libuser.conf and the specific for ldap server says:
>>
>>     A domain name or an URI of the LDAP server. The URI can use the ldap or the ldaps protocol. When a simple domain name is used, the connection fails if TLS can not be used; an URI using the ldap protocol allows connection without TLS. Default value is ldap.
>>
>> My libuser.conf reads:
>>
>>     server = ldap://snoopy.domain.com/
>>
>> According to the man pages, this should allow for the connection without TLS.
>
> Which man pages? As I read it, the libuser.conf file specifically says that it requires TLS which can connect to the ldap: URL, then requests a secure connection.
>
> It sounds pretty sane to me that it requires a secure LDAP connection to handle user maintenance.

The libuser.conf man page says that a URI using the ldap protocol allows connection without TLS. I specified my server to be:

    server = ldap://snoopy.domain.com./

but it still seems to fail on TLS.

So, just to be on the safe side, I generated a self-signed certificate for the OpenLDAP server (am using the default one that is installed in /etc/pki/tls/certs/). I restarted the openldap server, and tested it using Apache Directory Studio with TLS enabled. Works fine.

I then tried my luseradd command, but it still fails with the same errors negotiating the TLS certificate. I even tried modifying the /etc/ldap.conf file:

    tls_checkpeer no
    tls_reqcert never

but it still seems to fail with the same TLS error.

Any suggestions / ideas?

Thanks!

Eric
Re: [CentOS] LDAP useradd command?
Filipe Brandenburger <filbran...@gmail.com> wrote in message news:e814db780908181007g454b680ar30aaaef7ab19...@mail.gmail.com...

> Hi,
>
> On Tue, Aug 18, 2009 at 12:50, Eric B. <ebe...@hotmail.com> wrote:
>> Any suggestions / ideas?
>
> I believe you have to copy the certificate to /etc/openldap/cacerts/ in the LDAP client. The certificate file name there is special, it should be hashed from the certificate data... I believe the easiest way to install it there is using the authconfig command and specifying the certificate URL.
>
> You should also have TLS_CACERTDIR /etc/openldap/cacerts on /etc/openldap/ldap.conf (not only /etc/ldap.conf, they are different!)
>
> I also did not have much luck with self-signed certificates with LDAP, I had to create a self-signed certificate for a dummy CA, and then use that certificate to sign a certificate for the LDAP server with the server's name as a cn.
>
> I believe you should be able to test it using ldapsearch with the -Z and -ZZ options in order to require TLS and see if that works. I suggest you first get that part working fine before going on with your libuser configuration...
>
> LDAP with TLS is kind of a pain to set up... but once it is running it really works OK.

Thanks. You're a genius. I struggled a lot, but think I finally managed to get something working. I tried to follow the openldap faq at http://www.openldap.org/faq/data/cache/185.html for creating CA certificates, but my shell script is called CA not CA.sh.

I've done the following:

    # cd /etc/pki/tls/misc/
    # ./CA -newca
    (filled in all prompted information, and gave it a pwd)
    # openssl req -new -nodes -keyout newreq.pem -out newreq.pem
    (filled in all prompted information)
    # CA.sh -sign
    # cp /etc/pki/CA/cacert.pem /etc/openssl/cacerts/
    # cp newcert.pem /etc/openssl/ssl/servercrt.pem
    # cp newreq.pem /etc/openssl/ssl/serverkey.pem

Then updated my slapd.conf to show:

    TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
    TLSCertificateFile /etc/openldap/ssl/servercrt.pem
    TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem

Then updated /etc/ldap.conf to show:

    tls_cacert /etc/openldap/cacerts/cacert.pem

Finally /etc/openssl/ldap.conf:

    TLS_CACERT /etc/openldap/cacerts/cacert.pem

Restart the slapd daemon:

    # service ldap restart

And I can finally get ldapsearch to work. Although I tried tls_cacertdir for both /etc/ldap.conf and /etc/openldap/ldap.conf and it doesn't work for some odd reason. Not sure why.

    # ldapsearch -Z -x (uid=eric)

returns the ldif entry for uid=eric.

So next test was to create a new user. luseradd foo works perfectly. I find it in my ldap tree as expected. All I had to do is modify the create_modules and modules to specify ldap only (to avoid it modifying the passwd and shadow files), and everything seems to be working.

Thanks for your help!

Eric
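Added example covering the CA and certificate steps from Filipe's message and the procedure above; it is not the thread's own commands or the CA/CA.sh script. It builds a throwaway CA and a server certificate in a temporary directory with plain openssl commands, using the host name snoopy.domain.com from earlier in the thread as the server CN, installs the CA certificate under a cacerts directory with the hashed file name that a TLS_CACERTDIR lookup needs (the point Filipe made about the "special" file name, and the difference between a file copied into the directory and one the library can actually find), and verifies the server certificate against that directory. Directory layout, key size and validity period are assumptions for the demo; on a real client the directory is the one named in TLS_CACERTDIR and ldapsearch -ZZ is the end-to-end check.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway lab CA in a temp
# dir, signs a server certificate whose CN is the LDAP server's host name,
# installs the CA cert under a cacerts directory with the hashed file name
# that TLS_CACERTDIR lookups need, and verifies the chain. Host name taken
# from the thread; directory layout and key sizes are demo assumptions.
set -eu

# $1 = work dir, $2 = LDAP server host name (becomes the server cert CN)
make_lab_pki() {
    dir=$1; host=$2
    mkdir -p "$dir/cacerts" "$dir/ssl"
    # Self-signed CA; its private key stays outside the cacerts dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Lab Test CA" \
        -keyout "$dir/ca.key" -out "$dir/cacerts/cacert.pem" 2>/dev/null
    # Server key and CSR; CN must match the name clients put in the URI
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/ssl/serverkey.pem" -out "$dir/ssl/server.csr" 2>/dev/null
    # Sign the CSR with the CA
    openssl x509 -req -days 30 -in "$dir/ssl/server.csr" \
        -CA "$dir/cacerts/cacert.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/ssl/servercrt.pem" 2>/dev/null
    # A TLS_CACERTDIR lookup opens <subject-hash>.0, not cacert.pem, so the
    # hashed link is what makes the directory usable
    hash=$(openssl x509 -noout -hash -in "$dir/cacerts/cacert.pem")
    ln -sf cacert.pem "$dir/cacerts/$hash.0"
}

# Prints OK when the server cert chains to a CA found through the hashed dir
verify_server_cert() {
    if openssl verify -CApath "$1/cacerts" "$1/ssl/servercrt.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Prints the CN the server cert carries, to compare with the URI host name
server_cert_cn() {
    openssl x509 -noout -subject -in "$1/ssl/servercrt.pem" | sed 's/.*CN *= *//'
}

WORK=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
    make_lab_pki "$WORK" snoopy.domain.com
    echo "chain check: $(verify_server_cert "$WORK")"   # OK
    echo "server CN:   $(server_cert_cn "$WORK")"        # snoopy.domain.com
    ls "$WORK/cacerts"                                   # cacert.pem and <hash>.0
fi
```

The hashed link is the piece a manual copy into /etc/openldap/cacerts leaves out: with only cacert.pem in the directory, a tls_cacertdir setting finds nothing, while the single-file tls_cacert setting used above works because it names the file directly. On a CentOS 5 client, c_rehash on the directory creates the same links for every certificate in it.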
Re: [CentOS] LDAP useradd command?
Filipe Brandenburger <filbran...@gmail.com> wrote in message news:e814db780908171213h581bf267m10a95ab837be4...@mail.gmail.com...

>> Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
>
> You can try libuser, it's available in CentOS 5 (yum install libuser) and apparently has support for LDAP.
>
> libuser is an attempt to generalize the useradd/mod/del, groupadd/mod/del commands to work with generic backends. The implementation includes a module to work with an LDAP backend, I just don't know how functional/stable it is...
>
> You can start by installing the package and having a look at /etc/libuser.conf, and at the commands luseradd, lgroupadd, ... (the same ones you already use, only with the l prefix.)
>
> For more information: https://fedorahosted.org/libuser/

Thanks. I tried it out but can't seem to get it to work for me. Doesn't display any error msgs, but doesn't actually do anything to the LDAP server. I've looked at the site, but it is incredibly bare; not even any links for mailing lists, support, etc. Any ideas where I might be able to find some help for it? I enabled full logging on my OpenLDAP server, and I see it failing with TLS negotiation for some reason, even when I don't want it to use TLS.

Any thoughts where I can find more info?

Thanks,

Eric
Re: [CentOS] recent rsyslog package available for CentOS?
Kanwar Ranbir Sandhu <m3fr...@thesandhufamily.ca> wrote in message news:1247320412.22555.0.ca...@ranbir.thesandhufamily.local...

> On Sat, 2009-07-11 at 13:34 +0100, Karanbir Singh wrote:
>> I have been building and using myself much newer versions of rsyslog. Let me look at getting these into a slightly more public area.
>
> I've been doing the same. Works great, minus maintaining the package myself, but that's not a disaster.

Do you start from srpms or the tar ball? If srpm, where do you get it from? If tar balls, how do you go from a tgz to an srpm/rpm?

Thanks,

Eric
Re: [CentOS] recent rsyslog package available for CentOS?
Karanbir Singh <mail-li...@karan.org> wrote in message news:4a5886dc.9010...@karan.org...

> On 07/10/2009 09:00 PM, Eric B. wrote:
>> I'm looking for a recent version of rsyslog. The yum repositories only show me a version that is 2.0.6. According to the www.rsyslog.com site, they are up to version 5 (dev), which means that I would think/assume that there would at least be v3 or v4 available somewhere. Does anyone know if/where I can find something more recent than 2.0.6?
>
> I have been building and using myself much newer versions of rsyslog. Let me look at getting these into a slightly more public area.

That would be great. Thanks!

Eric
Re: [CentOS] LDAP/Autofs instructions are conflicting in Centos5.3
Kwan Lowe <kwan.l...@gmail.com> wrote in message news:b7e478370907092006x5340883n1ec1652fa27b5...@mail.gmail.com...

> On Thu, Jul 9, 2009 at 10:37 PM, Eric B. <ebe...@hotmail.com> wrote:
>> Hi,
>>
>> I'm not sure if I am posting this in the right place, so if this belongs more on another list, please let me know.
>
> The 389 list is a better place:
>
> 389 users mailing list
> 389-us...@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Thanks. Will try to post there for more information.

Eric
[CentOS] recent rsyslog package available for CentOS?
Hi,

I'm looking for a recent version of rsyslog. The yum repositories only show me a version that is 2.0.6. According to the www.rsyslog.com site, they are up to version 5 (dev), which means that I would think/assume that there would at least be v3 or v4 available somewhere.

Does anyone know if/where I can find something more recent than 2.0.6?

Thanks,

Eric
[CentOS] LDAP/Autofs instructions are conflicting in Centos5.3
Hi,

I'm not sure if I am posting this in the right place, so if this belongs more on another list, please let me know.

I am trying to get Autofs configured to use LDAP on CentOS5.3, but am running into an inconsistency. On CentOS5.3, the openldap server is installed with an extra schema/redhat/autofs.schema file. From what I can tell, that schema file seems to follow RFC2307bis. In the schema, it uses cn and ou. However, in all docs I can find for RHEL5, everything indicates that I should be using automountMapName and automountKey as the Map attribute and the Entry Attribute.

I am very confused. Which is the right one to use? If I follow the RHEL docs and tell autofs to use MAP_ATTRIBUTE as automountMapName, then I can't use the schema that is distributed with CentOS5.3. Should I be using the schema that is distributed with the CentOS openLdap package, or is there another one that I should be using instead?

Thanks,

Eric
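Added example, not from any of the posts: a shell function wrapping awk that checks an automount LDIF against the attribute names autofs is configured with in /etc/sysconfig/autofs (MAP_ATTRIBUTE, ENTRY_ATTRIBUTE, VALUE_ATTRIBUTE), so a mismatch between the schema actually loaded into slapd and the names autofs is told to query shows up before anything is imported or a daemon is restarted. This is the check that ties the question above to the auto.home/auto.master LDIF and sysconfig settings posted earlier in this thread. The sample input is that LDIF, with its dc=domain,dc=com placeholders; the same check run with the automountMapName/automountKey names from the RHEL docs reports a missing attribute on every entry, which is the inconsistency described above made visible.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an automount LDIF against the
# attribute names autofs is configured with, before importing it.
# LDIF continuation lines (leading space) are not folded; the sample has none.
set -u

# usage: check_automount_ldif MAP_ATTR ENTRY_ATTR VALUE_ATTR < file.ldif
# Exit status 0 when every entry carries the attributes autofs will query.
check_automount_ldif() {
    awk -v map="$1" -v ent="$2" -v val="$3" '
    function flush() {
        if (dn == "") return
        if (("automountMap" in oc) && !(map in attr)) {
            printf "MISSING %s in %s\n", map, dn; bad++
        }
        if ("automount" in oc) {
            if (!(ent in attr)) { printf "MISSING %s in %s\n", ent, dn; bad++ }
            if (!(val in attr)) { printf "MISSING %s in %s\n", val, dn; bad++ }
        }
        n++
        split("", oc); split("", attr); dn = ""
    }
    /^dn: /     { flush(); dn = substr($0, 5); next }
    /^[ \t]*$/  { flush(); next }
    /^[^ :]+: / {
        name = $1; sub(/:$/, "", name)
        value = substr($0, length(name) + 3)
        attr[name] = value
        if (name == "objectClass") oc[value] = 1
    }
    END { flush(); printf "%d entries checked, %d problems\n", n, bad; exit (bad > 0) }
    '
}

# Sample input: the auto.home / auto.master map posted earlier in the
# thread (domain components are placeholders, not a real directory).
SAMPLE_LDIF='dn: ou=auto.home,dc=domain,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=/,ou=auto.home,dc=domain,dc=com
objectClass: automount
cn: /
automountInformation: -rsize=8192,wsize=8192,intr nfs_server.domain.com:/var/nfs/home/

dn: ou=auto.master,dc=domain,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=domain,dc=com
objectClass: automount
cn: /home
automountInformation: ldap:ldap_server.domain.com:ou=auto.home,dc=domain,dc=com'

# Names matching the schema shipped as schema/redhat/autofs.schema (ou/cn)
echo "$SAMPLE_LDIF" | check_automount_ldif ou cn automountInformation
# Names from the RHEL docs (automountMapName/automountKey): 4 problems
echo "$SAMPLE_LDIF" | check_automount_ldif automountMapName automountKey automountInformation || true
```

Whichever pair of names the check passes with is the pair to put in MAP_ATTRIBUTE and ENTRY_ATTRIBUTE; the schema file loaded by slapd.conf decides which attributes the entries can carry, and the sysconfig file only has to agree with it.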
[CentOS] How to create static routes on startup with CentOS4?
Hi,

I'm working with the iproute2/iptables toolset on my CentOS4 server to create custom routing rules. However, I'm a bit at a loss how to create these permanently so that they are automatically reloaded upon reboot of the server.

I know that iptables has a config file in /etc/sysconfig/iptables that is loaded by the /etc/init.d/iptables startup script. Is there anything that works similarly for the iproute2 ruleset? I can't seem to find anything in /etc/init.d/network except for references to static routes using /sbin/route, which isn't good enough if one wants to use multiple routing tables. Nor can I find anything in /etc/init.d/ that would seem applicable to the iproute2 system.

Any ideas/suggestions? Do I have to create my own custom startup script for this? Or is there somewhere already existing I can put iproute2 commands?

Thanks!

Eric
[CentOS] Re: How to create static routes on startup with CentOS4?
Filipe Brandenburger [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> On Tue, Apr 15, 2008 at 12:36 PM, Eric B. [EMAIL PROTECTED] wrote:
>> Is there anything that works similarly for the iproute2 ruleset? I can't seem to find anything in /etc/init.d/network except for references to static routes using /sbin/route, which isn't good enough if one wants to use multiple routing tables. Nor can I find anything in /etc/init.d/ that would seem applicable to the iproute2 system.
>
> You should put it in /etc/sysconfig/network-scripts/route-eth0 (change eth0 to the name of the interface the routes apply to). For every line in this file, when the interface goes up, it will run /sbin/ip route add $line (see the /etc/sysconfig/network-scripts/ifup-routes script if you want to understand exactly what it's doing).
>
> Apparently there's also a new syntax for /etc/sysconfig/network-scripts/route-eth0, in which you specify several variables, the same you do in ifcfg-eth0, then you set something like:
>
>     ADDRESS0=1.2.3.0
>     NETMASK0=255.255.255.0
>     GATEWAY0=4.3.2.1
>
> And then you go ADDRESS1, ADDRESS2, ..., as you need more routes.
>
> There used to be a /etc/sysconfig/static-routes for this purpose but, as I understand, now the way to do it is per interface with the route-${ifname} files.
>
> To test if your file is working, do a service network restart and check if the routes are up as expected. You can also do ifdown eth0 and ifup eth0 if you want to restart only one interface (for instance if you're remotely connected through another interface).

Awesome! Thanks so much. That's exactly what I was looking for. I must have missed it when I tried to grep the directory looking for the file that handled that stuff.

The last question then is if there is a way to add ip rule rules to specify which routing table to use based on packet information. ex:

    ip rule add fwmark 3 table 3

Are any of the network scripts able to handle this as well?

Thanks again!

Eric
[CentOS] Re: Re: How to create static routes on startup with CentOS4?
Filipe Brandenburger [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> On Tue, Apr 15, 2008 at 3:48 PM, Eric B. [EMAIL PROTECTED] wrote:
>> The last question then is if there is a way to add ip rule rules to specify which routing table to use based on packet information. ex:
>>
>>     ip rule add fwmark 3 table 3
>>
>> Are any of the network scripts able to handle this as well?
>
> If you look at the end of the same script (ifup-routes), you'll see that it reads rules from file /etc/sysconfig/network-scripts/rule-eth0. For each line in that file, it will run /sbin/ip rule add $line.
>
> It's unfortunate that this isn't all better documented somewhere. But on Linux you can always... Use the source, Luke!

Really? I looked through ifup-routes but I don't see anything that searches for rule-ifname anywhere. All my ifup-routes looks for is files called route-$2. Furthermore, a quick grep rule /etc/sysconfig/network-scripts/* finds nothing.

My last two lines in ifup-routes (unless I don't know how to read them properly) are:

    # Red Hat network configuration format
    NICK=${2:-$1}
    CONFIG=/etc/sysconfig/network-scripts/$NICK.route
    [ -f $CONFIG ] && handle_file $CONFIG $1

And if I look at the handle_file method, I see all it does is call /sbin/ip route add $line.

Am I missing something obvious somewhere? Or do you have a different version of ifup-routes? I'm running CentOS4 with the latest patches.

Thanks again!

Eric
[CentOS] Re: Re: Re: How to create static routes on startup with CentOS4?
Filipe Brandenburger [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> On Tue, Apr 15, 2008 at 4:36 PM, Eric B. [EMAIL PROTECTED] wrote:
>> Am I missing something obvious somewhere? Or do you have a different version of ifup-routes? I'm running CentOS4 with the latest patches.
>
> I'm running CentOS5 here, that's probably new in CentOS5. You may consider appending the last 15 lines of ifup-routes from CentOS5 to your CentOS4 installation. It's not that beautiful but it's not that ugly either. At least it's forward compatible in a way that if you upgrade to CentOS5 later it will continue working. I'm sending the file attached to you in case you want to do it.

Awesome! That's perfect! I had kinda figured that might be what the difference was. Thanks so much. Will definitely update my ifup-routes script with this.

Eric
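Added example written for this thread, not the CentOS ifup-routes script itself: a POSIX shell re-implementation of the three behaviours discussed across the last few messages (the one-route-per-line route-<if> file, the ADDRESSn/NETMASKn/GATEWAYn variable form, and the rule-<if> file that the CentOS 5 version of the script reads), with ip replaced by echo by default so the resulting ip route add and ip rule add commands can be reviewed before anything touches the routing tables. The interface names, addresses and config files are constructed for the demo; set IP to /sbin/ip and CFG to /etc/sysconfig/network-scripts to run it against real files.

```shell
#!/bin/sh
# Added example (not the ifup-routes script from CentOS). Re-implements the
# behaviours discussed in the thread so they can be rehearsed safely:
#   route-<if>: either one "ip route add" argument line per line, or the
#               ADDRESSn/NETMASKn/GATEWAYn variable form
#   rule-<if>:  one "ip rule add" argument line per line
# IP defaults to "echo ip" (dry run); set IP=/sbin/ip to apply for real.
# CFG defaults to the directory CentOS uses; the demo points it at a temp dir.
set -eu
IP=${IP:-echo ip}
CFG=${CFG:-/etc/sysconfig/network-scripts}

# Dotted netmask -> prefix length (255.255.255.0 -> 24), counting set bits
mask_to_prefix() {
    echo "$1" | tr . '\n' | while read -r octet; do
        n=0; v=$octet
        while [ "$v" -gt 0 ]; do n=$((n + v % 2)); v=$((v / 2)); done
        echo "$n"
    done | awk '{ s += $1 } END { print s + 0 }'
}

# Runs "ip <kind> add <line>" for each non-blank, non-comment line of $1
apply_lines() {
    file=$1; kind=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        # word splitting of $line is intended: it is the argument list
        $IP "$kind" add $line
    done < "$file"
}

# ADDRESSn/NETMASKn/GATEWAYn form: one route per index until the first gap
apply_indexed_routes() {
    file=$1; dev=$2; i=0
    while addr=$(sed -n "s/^ADDRESS$i=//p" "$file"); [ -n "$addr" ]; do
        mask=$(sed -n "s/^NETMASK$i=//p" "$file")
        gw=$(sed -n "s/^GATEWAY$i=//p" "$file")
        $IP route add "$addr/$(mask_to_prefix "$mask")" via "$gw" dev "$dev"
        i=$((i + 1))
    done
}

# What ifup does for one interface: routes first, then policy rules
ifup_routes() {
    if [ -f "$CFG/route-$1" ]; then
        if grep -q '^ADDRESS[0-9]*=' "$CFG/route-$1"; then
            apply_indexed_routes "$CFG/route-$1" "$1"
        else
            apply_lines "$CFG/route-$1" route
        fi
    fi
    [ -f "$CFG/rule-$1" ] && apply_lines "$CFG/rule-$1" rule
    return 0
}

# Constructed sample files (RFC 5737 test addresses, not a real network)
write_sample_config() {
    printf '%s\n' '192.0.2.0/24 via 198.51.100.1 dev eth0' \
                  'default via 198.51.100.1 dev eth0 table 3' > "$1/route-eth0"
    printf '%s\n' '# packets carrying fwmark 3 use routing table 3' \
                  'fwmark 3 table 3' > "$1/rule-eth0"
    printf '%s\n' 'ADDRESS0=203.0.113.0' 'NETMASK0=255.255.255.0' \
                  'GATEWAY0=198.51.100.254' > "$1/route-eth1"
}

CFG=$(mktemp -d)
write_sample_config "$CFG"
ifup_routes eth0
ifup_routes eth1
```

The dry run prints the route lines for eth0 followed by the single rule, then the eth1 route assembled from the variable form. Running it with the real ip binary adds routes before rules, the same order the CentOS script uses, so a rule never points at a table that has not been populated yet.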
[CentOS] Is iptables -j CONNMARK not available in CentOS4??
Hi,

I'm running CentOS 4 with most of the latest updates, but am having trouble with iptables and the CONNMARK target. Is it available in the CentOS 4 kernel?

Running on i386:

    kernel: 2.6.9-67.0.4.ELsmp
    iptables: v1.2.11

    # iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 1
    iptables: No chain/target/match by that name

I see I do have the CONNMARK lib in /lib/iptables/libipt_CONNMARK.so. Am I doing something wrong to have access to it?

Thanks,

Eric
[CentOS] Python 2.4 on CentOS4?
Hi,

Has anyone managed to find a Python 2.4 rpm binary that can be installed on CentOS4? I'm running CentOS4.6 and an application that I want to use requires python 2.4 or greater. All the CentOS/RHEL4 python rpms that I find are all for python 2.3. I can't seem to find anything that works with CentOS4 libs.

Thanks!

Eric
[CentOS] Re: Python 2.4 on CentOS4?
Eric B. [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Hi,
>
> Has anyone managed to find a Python 2.4 rpm binary that can be installed on CentOS4? I'm running CentOS4.6 and an application that I want to use requires python 2.4 or greater. All the CentOS/RHEL4 python rpms that I find are all for python 2.3. I can't seem to find anything that works with CentOS4 libs.

Ok - I may have been a little quick to post this. I finally found Python 2.4 on python.org (don't know why I couldn't find it the first time I checked there).

http://www.python.org/download/releases/2.4/rpms/

However, it doesn't upgrade python 2.3, but installs alongside. If I try to upgrade python 2.3 to 2.4, am I just asking for trouble?

Tx,

Eric
[CentOS] alternatives package?
Hi,

In my struggle today to get python2.4 installed on my CentOS4 system, I saw that it installed a package called alternatives which is supposed to handle symbolic links to default commands in a nice, clean, structured way. However, I am having trouble understanding how this thing works. I have read the man page half a dozen times already, and yet the alternatives link for python which was installed doesn't seem to follow what is written in the man page. I am trying to modify the default behaviour for it, but am having a lot of difficulty.

Of course, with a name like alternatives, it makes searching Google, tldp.com, etc. very difficult.

Does anyone have experience with this package and/or can anyone point me in the direction of some good examples or documentation for it? Something a bit more explanatory than the man page.

Thanks!

Eric
[CentOS] Re: Re: Python 2.4 on CentOS4?
Ray Van Dolson [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> On Tue, Mar 11, 2008 at 04:01:52PM -0400, Eric B. wrote:
>> Eric B. [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>>> Hi,
>>>
>>> Has anyone managed to find a Python 2.4 rpm binary that can be installed on CentOS4? I'm running CentOS4.6 and an application that I want to use requires python 2.4 or greater. All the CentOS/RHEL4 python rpms that I find are for python 2.3. I can't seem to find anything that works with CentOS4 libs.
>>
>> Ok - I may have been a little quick to post this. I finally found Python 2.4 on python.org (don't know why I couldn't find it the first time I checked there).
>>
>> http://www.python.org/download/releases/2.4/rpms/
>>
>> However, it doesn't upgrade python 2.3, but installs alongside. If I try to upgrade python 2.3 to 2.4, am I just asking for trouble?
>
> Yeah. Just do the side-by-side thing I'd say and make your scripts reference /usr/bin/python2.4 ...

Thanks - that's what I will end up doing.

Eric
[CentOS] Re: Python 2.4 on CentOS4?
Ray Van Dolson [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> On Tue, Mar 11, 2008 at 09:06:00PM +0100, Tim Verhoeven wrote:
>> On Tue, Mar 11, 2008 at 8:58 PM, Ray Van Dolson [EMAIL PROTECTED] wrote:
>>> On Tue, Mar 11, 2008 at 03:55:06PM -0400, Eric B. wrote:
>>>> Hi,
>>>>
>>>> Has anyone managed to find a Python 2.4 rpm binary that can be installed on CentOS4? I'm running CentOS4.6 and an application that I want to use requires python 2.4 or greater. All the CentOS/RHEL4 python rpms that I find are for python 2.3. I can't seem to find anything that works with CentOS4 libs.
>>>
>>> I think pyvault (google for it) may be your best bet as far as a somewhat clean RPM-based implementation. However, I don't know how maintained it is and the docs for getting it set up correctly were pretty non-existent last time I checked.
>>>
>>> Maybe someone knows of a better way.
>>
>> I don't, but I strongly suggest that you do NOT replace the base python packages with a newer version. A lot of core tools (like yum) depend on python. So replacing the base python package with a newer one could very well break your complete system. As Eric suggests, find a way to install python 2.4 besides the core python in a separate place so you don't start mixing them.
>
> Yeah, definitely a can of worms. I will note that the pyvault RPM's do seem to have a lot of packages geared towards keeping functionality working -- including making use of 'alternatives'. I've tried it and everything appeared to work, but.. who knows? :)

Yeah - that is actually a problem I am having. I'm having trouble with the alternatives link that it has placed as /usr/bin/python. I've been struggling to use alternatives to point /usr/bin/python to /usr/bin/python2.3, but just can't seem to understand how this alternatives pkg works. Does anyone have experience with it?

Tx,

Eric
[CentOS] Re: alternatives package?
> On Tue, 2008-03-11 at 18:20 -0400, Eric B. wrote:
>> In my struggle today to get python2.4 installed on my CentOS4 system, I saw that it installed a package called alternatives which is supposed to handle symbolic links to default commands in a nice, clean, structured way. However, I am having trouble understanding how this thing works. I have read the man page half a dozen times already, and yet the alternatives link for python which was installed doesn't seem to follow what is written in the man page. I am trying to modify the default behaviour for it, but am having a lot of difficulty.
>
> As an end-user, the only important commands you need are:
>
> alternatives --display name: Show information about an alternative
> alternatives --config name: Allow selection of an alternative
> ls /var/lib/alternatives: Show valid alternatives

That's what I thought too, however, if I look in my /usr/bin directory I see the following:

# ls -l /usr/bin/pyt*
lrwxrwxrwx 1 root root   18 Mar 11 17:43 /usr/bin/python -> /etc/alternatives/links/|usr|bin|python
lrwxrwxrwx 1 root root   40 Mar 11 17:31 /usr/bin/python2 -> /etc/alternatives/links/|usr|bin|python2
-rwxr-xr-x 2 root root 5396 Dec 11 05:30 /usr/bin/python2.3
-rwxr-xr-x 1 root root 3268 Sep 28  2005 /usr/bin/python2.4

but

# alternatives --display python

returns nothing. If I look in /var/lib/alternatives, I only find print, mta and etags. So I'm not quite sure how to update / modify the python alternative to point to another location instead.

If I look in /etc/alternatives/links I see the following:

# ls -l /etc/alternatives/links/
total 12
lrwxrwxrwx 1 root root 18 Mar 11 17:31 |usr|bin|python -> /usr/bin/python2.4
lrwxrwxrwx 1 root root 15 Mar 11 17:31 |usr|bin|python2 -> /usr/bin/python
lrwxrwxrwx 1 root root 34 Mar 11 17:31 |usr|share|man|man1|python.1.gz -> /usr/share/man/man1/python2.4.1.gz

The rpm installer automatically created these links when I yum installed python24 from pyvault. (It automatically installed the alternatives pkg.)

Thanks for the help!

Eric
[CentOS] How to delete files with special characters in the name?
Hi,

I've got an odd situation here. Somehow, I find myself with two files that start with the - character.

[EMAIL PROTECTED] mysql]$ ls -l
total 93348
-rw-r--r-- 1 mysql mysql  9273344 Nov 13 19:03 -N=2007-11-08
-rw-r--r-- 1 mysql mysql 38879232 Nov 13 19:02 --newer=2007-11-08

Don't ask how they were created; something went wrong with a script at some point.

My problem is that I am trying to delete them, but can't figure out how to delete these files. Everything I try, I get the same msg:

[EMAIL PROTECTED] mysql]$ rm '-N=2007-11-08'
rm: invalid option -- N
Try `rm --help' for more information.

I have tried single quotes, double quotes, escaping it with a \ and still get the same error.

Any ideas / suggestions?

Thanks!

Eric
[CentOS] Re: How to delete files with special characters in the name?
>> My problem is that I am trying to delete them, but can't figure out how to delete these files. Everything I try, I get the same msg:
>>
>> [EMAIL PROTECTED] mysql]$ rm '-N=2007-11-08'
>> rm: invalid option -- N
>> Try `rm --help' for more information.
>>
>> I have tried single quotes, double quotes, escaping it with a \ and still get the same error.
>>
>> Any ideas / suggestions?
>
> rm -- -N=2007-11-08
>
> The -- tells (most?) programs to stop processing options.
>
> This is listed as an example in the rm man page, so you should know that, right? I mean, you *did* read the man page

Actually, yes - I have read the man page for rm many times before, but I guess I just missed / forgot that section. To be honest, I had no idea that -- will tell most programs to stop processing options. Of course, now that everyone has spelled it out for me, I went back to the man page and it was plainly obvious.

Thanks again!

Eric
[CentOS] Re: Re: Re: Re: Re: What libs req'd to resolve DNS within a chroot jail?
>>> Can you post your complete hosts.allow and hosts.deny files?
>>
>> Not much to them actually:
>>
>> /chroot/tftpd/etc/hosts.allow:
>> #
>> # hosts.allow   This file describes the names of the hosts which are
>> #               allowed to use the local INET services, as decided
>> #               by the '/usr/sbin/tcpd' server.
>> #
>> in.tftpd : eric.test.com : allow
>>
>> /chroot/tftpd/etc/hosts.deny:
>> #
>> # hosts.deny    This file describes the names of the hosts which are
>> #               *not* allowed to use the local INET services, as decided
>> #               by the '/usr/sbin/tcpd' server.
>> #
>> in.tftpd : ALL : deny
>>
>> Again, I have concerns that I might be missing something in my chroot jail, but when I change my hosts.allow file to read the following, it works fine.
>>
>> in.tftpd: 192.168.3.103 : allow
>>
>> So I am utterly and totally confused. I keep thinking that there must be something DNS related that I need in the chroot jail that I am missing. I do have a /chroot/tftpd/etc/resolv.conf with the nameserver entry that points to the DNS server, and all files in my /chroot/tftpd/etc dir are world readable. I also have a /chroot/tftpd/etc/hosts file (that is pretty much empty - just a line for 127.0.0.1).
>>
>> # ls -l /chroot/tftpd/etc
>> -rw-r--r-- 1 root root   148 Jan 14 17:53 hosts
>> -rw-r--r-- 1 root root   417 Jan 14 17:37 hosts.allow
>> -rw-r--r-- 1 root root   370 Jan 13 12:13 hosts.deny
>> -rw-r--r-- 1 root root  1267 Jan 12 21:43 localtime
>> -rw-r--r-- 1 root root  1686 Jan 12 15:50 nsswitch.conf
>> -rw-r--r-- 1 root root    86 Jan 14 17:52 resolv.conf
>> -rw-r--r-- 1 root root 20373 Jan 12 15:47 services
>>
>> Is there anything else I need that I am missing? Either config file or lib? Any suggestions of things I can try?
>>
>> Thanks,
>>
>> Eric
>
> Something I found:
>
> 15.2.3.2. Access Control
>
> Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the allow or deny directive as the final option.
>
> For instance, the following two rules allow SSH connections from client-1.example.com, but deny connections from client-2.example.com:
>
> sshd : client-1.example.com : allow
> sshd : client-2.example.com : deny
>
> By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either hosts.allow or hosts.deny. Some consider this an easier way of organizing access rules.
>
> Conceivably, you could put all rules into one file (hosts.allow maybe). See if that helps..

Just tried putting everything in the hosts.allow but it didn't make any difference. Tried also in the hosts.deny but no success either.

Where did you find that reference? What does 15.2.3.2 point to?

Any other ideas / theories?

Thanks!

Eric
[CentOS] Re: Re: Re: Re: Re: Re: What libs req'd to resolve DNS within a chroot jail?
>>>> Again, I have concerns that I might be missing something in my chroot jail, but when I change my hosts.allow file to read the following, it works fine.
>>>>
>>>> in.tftpd: 192.168.3.103 : allow
>>>>
>>>> So I am utterly and totally confused. I keep thinking that there must be something DNS related that I need in the chroot jail that I am missing. I do have a /chroot/tftpd/etc/resolv.conf with the nameserver entry that points to the DNS server, and all files in my /chroot/tftpd/etc dir are world readable. I also have a /chroot/tftpd/etc/hosts file (that is pretty much empty - just a line for 127.0.0.1).
>>>>
>>>> # ls -l /chroot/tftpd/etc
>>>> -rw-r--r-- 1 root root   148 Jan 14 17:53 hosts
>>>> -rw-r--r-- 1 root root   417 Jan 14 17:37 hosts.allow
>>>> -rw-r--r-- 1 root root   370 Jan 13 12:13 hosts.deny
>>>> -rw-r--r-- 1 root root  1267 Jan 12 21:43 localtime
>>>> -rw-r--r-- 1 root root  1686 Jan 12 15:50 nsswitch.conf
>>>> -rw-r--r-- 1 root root    86 Jan 14 17:52 resolv.conf
>>>> -rw-r--r-- 1 root root 20373 Jan 12 15:47 services
>>>>
>>>> Is there anything else I need that I am missing? Either config file or lib? Any suggestions of things I can try?
>>>>
>>>> Thanks,
>>>>
>>>> Eric
>>>
>>> Something I found:
>>>
>>> 15.2.3.2. Access Control
>>>
>>> Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the allow or deny directive as the final option.
>>>
>>> For instance, the following two rules allow SSH connections from client-1.example.com, but deny connections from client-2.example.com:
>>>
>>> sshd : client-1.example.com : allow
>>> sshd : client-2.example.com : deny
>>>
>>> By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either hosts.allow or hosts.deny. Some consider this an easier way of organizing access rules.
>>>
>>> Conceivably, you could put all rules into one file (hosts.allow maybe). See if that helps..
>>
>> Just tried putting everything in the hosts.allow but it didn't make any difference. Tried also in the hosts.deny but no success either.
>>
>> Where did you find that reference? What does 15.2.3.2 point to?
>>
>> Any other ideas / theories?
>
> - make sure tftpd is really using the in.tftpd name (you said it works with IPs?)

Yes. It works with the IPs, so I am somewhat sure that the daemon name in hosts.allow/deny is right and that I am editing the correct hosts.allow/deny files. When I change the IP in those files, I get the responses that I expect (either access allowed or denied).

> - make sure it does resolve the IP correctly. I have no idea how you could test this.

Me neither. That's the problem. I have no idea how I can test that the daemon is resolving it properly.

> but what is the benefit in managing the zone file instead of hosts.*? I mean, since you put the IP in the DNS zone file, why not put it in hosts.*?

Looks like I prob. won't have a choice after all. But I was originally thinking that it would be neater and easier to read by having the FQDN in the hosts.* file. Plus, it also means I only need to update things in one place (DNS) if/when my server changes IPs. Like this I would need to update DNS and remember to update my hosts.* files.

Tx,

Eric
[CentOS] Re: What libs req'd to resolve DNS within a chroot jail?
>> I've been working at getting a tftp server up and running in a chroot jail, and I have finally succeeded in getting almost everything working. The server itself works fine, however, it is implemented as a tcpwrapper application (ie: in.tftpd) and I am having trouble getting it to resolve DNS names.
>>
>> I copied my /etc/hosts.allow and /etc/hosts.deny in my chroot/etc folder, however, they only work properly if I provide IP addresses. If I use FQDN, they fail.
>>
>> For instance, in hosts.allow:
>> in.tfptd: 192.168.1.101 allow
>> works fine
>>
>> But the following fails
>> in.tftptd: eric.test.com allow
>>
>> I'm assuming I am missing a library/libraries in my chroot jail, but am not sure which ones. I've got all the libs req'd by ldd, but I am guessing there is something else that I am missing.
>>
>> -- End Original Message --
>
> from a security standpoint i don't think you want to control access by fqdn. the name being given access is based on the inverse-map lookup (in-addr.arpa) on the inbound ipnumber - not the forward lookup. so, this isn't controlled by the keepers of the test.com zone, rather, anyone can set up eric.test.com as an inverse entry for an ipnumber for which they control the in-addr.arpa records.
>
> i.e., putting an fqdn in the hosts.allow file only gives security by obscurity. if someone figures out the fqdns that you're giving access to, and has control of the in-addr.arpa for an ipnumber range they can connect from, they can gain access to your system.
>
> - Rick

Thanks for the feedback Rick. I didn't realize that security implication. However, I'm already running this on a machine that is heavily firewalled on a VPN so I am fairly sure that no one will be accessing this externally, but I still would like to restrict access to particular machines. Ideally, I would rather use FQDN to make life easier for me to administer.

I have created my additional reverse-dns pointer but I am still having problems with it. nslookup from the server gives me:

# nslookup 192.168.3.103
Server:         192.168.1.67
Address:        192.168.1.67#53

103.3.168.192.in-addr.arpa      name = eric.test.com.3.168.192.in-addr.arpa.

However, when I try to connect to the tftp server, my connection is still refused, and I get the following in the log msgs:

Jan 14 12:49:19 apollo atftpd[15302]: Connection refused from 192.168.103.103

I am obviously still doing something incorrect, but not sure what. Can you help point me in the right direction please? Is my reverse DNS incorrectly set up?

Thanks,

Eric
[CentOS] Re: Re: What libs req'd to resolve DNS within a chroot jail?
> Eric B. wrote:
>>>> I've been working at getting a tftp server up and running in a chroot jail, and I have finally succeeded in getting almost everything working. The server itself works fine, however, it is implemented as a tcpwrapper application (ie: in.tftpd) and I am having trouble getting it to resolve DNS names.
>>>>
>>>> I copied my /etc/hosts.allow and /etc/hosts.deny in my chroot/etc folder, however, they only work properly if I provide IP addresses. If I use FQDN, they fail.
>>>>
>>>> For instance, in hosts.allow:
>>>> in.tfptd: 192.168.1.101 allow
>>>> works fine
>>>>
>>>> But the following fails
>>>> in.tftptd: eric.test.com allow
>>>
>>> from a security standpoint i don't think you want to control access by fqdn. the name being given access is based on the inverse-map lookup (in-addr.arpa) on the inbound ipnumber - not the forward lookup. so, this isn't controlled by the keepers of the test.com zone, rather, anyone can set up eric.test.com as an inverse entry for an ipnumber for which they control the in-addr.arpa records.
>
> If hosts.allow and friends use the fqdn without reverse validation, then I consider this a huge bug. The original tcp wrappers will set the hostname to unknown if the reverse and rdns do not match (ip -> rdns -> ip must return the original IP). I am certain this is still the case in the current implementations.
>
>>> i.e., putting an fqdn in the hosts.allow file only gives security by obscurity. if someone figures out the fqdns that you're giving access to, and has control of the in-addr.arpa for an ipnumber range they can connect from, they can gain access to your system.
>>>
>>> - Rick
>>
>> Thanks for the feedback Rick. I didn't realize that security implication. However, I'm already running this on a machine that is heavily firewalled on a VPN so I am fairly sure that no one will be accessing this externally, but I still would like to restrict access to particular machines. Ideally, I would rather use FQDN to make life easier for me to administer.
>>
>> I have created my additional reverse-dns pointer but I am still having problems with it. nslookup from the server gives me:
>>
>> # nslookup 192.168.3.103
>> Server:         192.168.1.67
>> Address:        192.168.1.67#53
>>
>> 103.3.168.192.in-addr.arpa      name = eric.test.com.3.168.192.in-addr.arpa.
>
> It looks like there is a missing trailing dot in your DNS zone configuration. I doubt you are authoritative for the in-addr.arpa zone. In your zone file, you should have something like
>
> 103 IN PTR eric.test.example.
>
> (notice the last dot). Otherwise, the zone name (@ORIGIN) will be added.
>
> Make sure you have a matching reverse _and_ forward resolution. You should get something like:
>
> 192.168.3.103 = eric.test.example
> _and_
> eric.test.example = 192.168.3.103
>
> If you only have the reverse lookup, the result is untrusted and sane applications should ignore it.

Thanks for the pointer. Indeed, I was missing the trailing . after my FQDN in my reverse file. I have updated my reverse files, and nslookup is resolving better, but I'm still not further ahead.

My reverse file 3.168.192.in-addr.arpa now contains the following line:

103 IN PTR eric.test.com.

If I try nslookups now, my results are as follows:

# nslookup 192.168.3.103
Server:         192.168.1.67
Address:        192.168.1.67#53

103.103.168.192.in-addr.arpa    name = eric.test.com.

# nslookup eric.test.com
Server:         192.168.1.67
Address:        192.168.1.67#53

Name:   eric.test.com
Address: 192.168.3.103

So from that, it seems as though the DNS / rDNS are properly configured, does it not? Similarly, I have both the forward and reverse domain name on the DNS server as the nslookups show. However, I still get the same error msg:

Jan 14 17:46:50 apollo atftpd[15905]: Connection refused from 192.168.103.103

I have even tried putting a trailing dot in the hosts.allow files, but that too (as expected) made no difference. I have concluded that it isn't a firewall issue, as it works fine if I give it the full address instead of the FQDN in the hosts.allow file.

So I figure I still have something wrong with either my DNS setup and/or I am missing some critical lib in my chroot jail that I don't know about (although the app doesn't complain that I am missing any libs, and works fine given an ip address).

Any ideas what else I might be doing incorrectly?

Thanks,

Eric
[CentOS] Re: Re: Re: What libs req'd to resolve DNS within a chroot jail?
William L. Maltby [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> On Mon, 2008-01-14 at 17:53 -0500, Eric B. wrote:
>>> Eric B. wrote:
> snip
>>>> Thanks for the feedback Rick. I didn't realize that security implication. However, I'm already running this on a machine that is heavily firewalled on a VPN so I am fairly sure that no one will be accessing this externally, but I still would like to restrict access to particular machines. Ideally, I would rather use FQDN to make life easier for me to administer.
>>>>
>>>> I have created my additional reverse-dns pointer but I am still having problems with it. nslookup from the server gives me:
>>>>
>>>> # nslookup 192.168.3.103
>>>> Server:         192.168.1.67
>>>> Address:        192.168.1.67#53
>>>>
>>>> 103.3.168.192.in-addr.arpa      name = eric.test.com.3.168.192.in-addr.arpa.
>>>
>>> It looks like there is a missing trailing dot in your DNS zone configuration. I doubt you are authoritative for the in-addr.arpa zone. In your zone file, you should have something like
>>>
>>> 103 IN PTR eric.test.example.
>>>
>>> (notice the last dot). Otherwise, the zone name (@ORIGIN) will be added.
>>>
>>> Make sure you have a matching reverse _and_ forward resolution. You should get something like:
>>>
>>> 192.168.3.103 = eric.test.example
>>> _and_
>>> eric.test.example = 192.168.3.103
>>>
>>> If you only have the reverse lookup, the result is untrusted and sane applications should ignore it.
>>
>> Thanks for the pointer. Indeed, I was missing the trailing . after my FQDN in my reverse file. I have updated my reverse files, and nslookup is resolving better, but I'm still not further ahead.
>>
>> My reverse file 3.168.192.in-addr.arpa now contains the following line:
>>
>> 103 IN PTR eric.test.com.
>>
>> If I try nslookups now, my results are as follows:
>>
>> # nslookup 192.168.3.103
>> Server:         192.168.1.67
>> Address:        192.168.1.67#53
>>
>> 103.103.168.192.in-addr.arpa    name = eric.test.com.
>>
>> # nslookup eric.test.com
>> Server:         192.168.1.67
>> Address:        192.168.1.67#53
>>
>> Name:   eric.test.com
>> Address: 192.168.3.103
>>
>> So from that, it seems as though the DNS / rDNS are properly configured, does it not? Similarly, I have both the forward and reverse domain name on the DNS server as the nslookups show. However, I still get the same error msg:
>>
>> Jan 14 17:46:50 apollo atftpd[15905]: Connection refused from 192.168.103.103
>                                                                         ^^^
> Correct? --------------------------------------------------------------|||

Whoops - cut paste typo. That line is supposed to read:

Jan 14 17:46:50 apollo atftpd[15905]: Connection refused from 192.168.3.103
[CentOS] Re: Re: Re: Re: What libs req'd to resolve DNS within a chroot jail?
Mike Kercher [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>>>> Thanks for the pointer. Indeed, I was missing the trailing . after my FQDN in my reverse file. I have updated my reverse files, and nslookup is resolving better, but I'm still not further ahead.
>>>>
>>>> My reverse file 3.168.192.in-addr.arpa now contains the following line:
>>>>
>>>> 103 IN PTR eric.test.com.
>>>>
>>>> If I try nslookups now, my results are as follows:
>>>>
>>>> # nslookup 192.168.3.103
>>>> Server:         192.168.1.67
>>>> Address:        192.168.1.67#53
>>>>
>>>> 103.103.168.192.in-addr.arpa    name = eric.test.com.
>>>>
>>>> # nslookup eric.test.com
>>>> Server:         192.168.1.67
>>>> Address:        192.168.1.67#53
>>>>
>>>> Name:   eric.test.com
>>>> Address: 192.168.3.103
>>>>
>>>> So from that, it seems as though the DNS / rDNS are properly configured, does it not? Similarly, I have both the forward and reverse domain name on the DNS server as the nslookups show. However, I still get the same error msg:
>>>>
>>>> Jan 14 17:46:50 apollo atftpd[15905]: Connection refused from 192.168.103.103
>>>                                                                         ^^^
>>> Correct? --------------------------------------------------------------|||
>>
>> Whoops - cut paste typo. That line is supposed to read:
>>
>> Jan 14 17:46:50 apollo atftpd[15905]: Connection refused from 192.168.3.103
>
> Can you post your complete hosts.allow and hosts.deny files?

Not much to them actually:

/chroot/tftpd/etc/hosts.allow:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.tftpd : eric.test.com : allow

/chroot/tftpd/etc/hosts.deny:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.tftpd : ALL : deny

Again, I have concerns that I might be missing something in my chroot jail, but when I change my hosts.allow file to read the following, it works fine.

in.tftpd: 192.168.3.103 : allow

So I am utterly and totally confused. I keep thinking that there must be something DNS related that I need in the chroot jail that I am missing. I do have a /chroot/tftpd/etc/resolv.conf with the nameserver entry that points to the DNS server, and all files in my /chroot/tftpd/etc dir are world readable. I also have a /chroot/tftpd/etc/hosts file (that is pretty much empty - just a line for 127.0.0.1).

# ls -l /chroot/tftpd/etc
-rw-r--r-- 1 root root   148 Jan 14 17:53 hosts
-rw-r--r-- 1 root root   417 Jan 14 17:37 hosts.allow
-rw-r--r-- 1 root root   370 Jan 13 12:13 hosts.deny
-rw-r--r-- 1 root root  1267 Jan 12 21:43 localtime
-rw-r--r-- 1 root root  1686 Jan 12 15:50 nsswitch.conf
-rw-r--r-- 1 root root    86 Jan 14 17:52 resolv.conf
-rw-r--r-- 1 root root 20373 Jan 12 15:47 services

Is there anything else I need that I am missing? Either config file or lib? Any suggestions of things I can try?

Thanks,

Eric
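To see what tcp_wrappers should decide with the hosts.allow/hosts.deny files and the DNS records quoted in this thread, here is an added Python model of the rule evaluation together with the forward-confirmed reverse lookup described earlier in the thread (ip -> PTR -> A must lead back to the connecting address). It is not tcp_wrappers' code nor any poster's; the resolver tables are constructed from the nslookup output posted, and names such as `decide` and `client_name` are this example's own.

```python
import ipaddress

# Constructed DNS tables (from the nslookup output quoted in the thread), not a live resolver.
# A resolver here is (ptr_table, a_table): reverse name per IP, forward addresses per name.
PTR_BEFORE_FIX = {"192.168.3.103": "eric.test.com.3.168.192.in-addr.arpa"}  # zone lacked the trailing dot
PTR_AFTER_FIX = {"192.168.3.103": "eric.test.com"}
A_RECORDS = {"eric.test.com": ["192.168.3.103"]}
RESOLVER_BEFORE = (PTR_BEFORE_FIX, A_RECORDS)
RESOLVER_AFTER = (PTR_AFTER_FIX, A_RECORDS)

# The two files posted above (comment lines omitted) and the IP-based variant that worked.
HOSTS_ALLOW = "in.tftpd : eric.test.com : allow\n"
HOSTS_DENY = "in.tftpd : ALL : deny\n"
HOSTS_ALLOW_BY_IP = "in.tftpd: 192.168.3.103 : allow\n"


def client_name(ip, resolver):
    """Forward-confirmed reverse lookup, the way tcp_wrappers qualifies a client name.

    The PTR name is accepted only if one of its A records is the connecting IP.
    Otherwise the client is recorded as 'unknown' and no host-name pattern can match it,
    which is what makes a forged in-addr.arpa entry useless against a name rule.
    """
    ptr_table, a_table = resolver
    name = ptr_table.get(ip)
    if name is None or ip not in a_table.get(name, []):
        return "unknown"
    return name


def parse_rules(text):
    """Parse 'daemon_list : client_list [: allow|deny]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def client_matches(pattern, ip, name):
    """Client patterns: ALL/KNOWN/UNKNOWN, address, net/mask, '.domain' suffix,
    'n.n.' address prefix, or an exact (case-insensitive) host name."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return name != "unknown"
    if pattern == "UNKNOWN":
        return name == "unknown"
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):
        return name != "unknown" and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        # A trailing dot makes this an address-prefix pattern, so 'eric.test.com.' can never
        # match a host name; that is why adding the dot in hosts.allow changed nothing.
        return ip.startswith(pattern)
    return pattern == ip or (name != "unknown" and name.lower() == pattern.lower())


def decide(daemon, ip, hosts_allow, hosts_deny, resolver):
    """hosts.allow is searched first, then hosts.deny; the first matching rule wins.
    A trailing allow/deny option overrides the file's default, which is how the quoted
    15.2.3.2 section puts every rule in one file. No match anywhere grants access."""
    name = client_name(ip, resolver)
    for default, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for daemons, clients, option in parse_rules(text):
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if any(client_matches(p, ip, name) for p in clients):
                return option or default
    return "allow"


if __name__ == "__main__":
    for label, resolver in (("before PTR fix", RESOLVER_BEFORE), ("after PTR fix", RESOLVER_AFTER)):
        print(label, "-> client name:", client_name("192.168.3.103", resolver),
              "decision:", decide("in.tftpd", "192.168.3.103", HOSTS_ALLOW, HOSTS_DENY, resolver))
```

With the pre-fix PTR the client is 'unknown', so the name rule never matches and hosts.deny refuses the connection; the IP rule matches regardless of DNS, which reproduces the behaviour reported in the thread.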
[CentOS] Re: Can TFTPD run in a chroot jail?
>> I've been struggling with this problem for the last couple of hours and am nowhere near solving the problem. I am trying to run a tftp server in a chroot jail. Now perhaps I am being paranoid, but I would like to have it launched from within its own jail even if it supposedly does a chroot itself and runs with a parameterizable user.
>
> there is only one chroot under unix (you can't chroot from the shell then in the daemon). If a service implements chroot correctly, then it is better to use it (because it can load the necessary stuff before, so you don't need to copy a whole system to the jail).

Thanks for the info. I looked through the code and realized that it doesn't actually chroot at all; it just runs with a parameterizable user/group.

After scouring a little more, I found out I needed the /lib/libnss_* libraries. In my particular case, it was the /lib/libnss_files.so.* libs that are used by NSS (Name Service Switch) to read the /etc/passwd, group and services files.

Thanks!

Eric
[CentOS] What libs req'd to resolve DNS within a chroot jail?
Hi,

I've been working at getting a tftp server up and running in a chroot jail, and I have finally succeeded in getting almost everything working. The server itself works fine, however, it is implemented as a tcpwrapper application (ie: in.tftpd) and I am having trouble getting it to resolve DNS names.

I copied my /etc/hosts.allow and /etc/hosts.deny in my chroot/etc folder, however, they only work properly if I provide IP addresses. If I use FQDN, they fail.

For instance, in hosts.allow:
in.tfptd: 192.168.1.101 allow
works fine

But the following fails
in.tftptd: eric.test.com allow

I'm assuming I am missing a library/libraries in my chroot jail, but am not sure which ones. I've got all the libs req'd by ldd, but I am guessing there is something else that I am missing.

Any suggestions?

Thanks!

Eric
[CentOS] Can TFTPD run in a chroot jail?
Hi,

I've been struggling with this problem for the last couple of hours and am nowhere near solving the problem. I am trying to run a tftp server in a chroot jail. Now perhaps I am being paranoid, but I would like to have it launched from within its own jail even if it supposedly does a chroot itself and runs with a parameterizable user.

I downloaded the atftp-server package and tried to set up my own tftpd jail. I copied over the linked libs to the proper place, and the /etc/passwd, /etc/groups, /etc/hosts, /etc/nsswitch.conf, /etc/resolv, /etc/services files. I even created the dev/null device and set up syslog to read from the jail/dev/log device.

However, I can't seem to launch it from within the jail. It works fine when I try from the regular prompt, but when I try to launch from within the jail, it doesn't want to start:

[EMAIL PROTECTED] tftpd]# /usr/sbin/chroot /chroot/tftpd/ /usr/sbin/atftpd --daemon --no-fork

in /var/log/messages:
Jan 12 23:09:02 apollo atftpd[17479]: atftpd: udp/tftp, unknown service

So it apparently is unable to read my /chroot/tftpd/etc/services file.

If I set the port number manually:

[EMAIL PROTECTED] tftpd]# /usr/sbin/chroot /chroot/tftpd/ /usr/sbin/atftpd --daemon --no-fork --port 69 -user eric.eric

Jan 12 23:16:05 apollo atftpd[17556]: atftpd: can't change identity to eric.eric, exiting.

I know the tftpd daemon is able to read the /chroot/tftpd/etc/ directory as it is properly reading my /etc/localtime file (if I remove /etc/localtime the logged timestamp changes).

Can anyone point me in the right direction as to things to try? I've tried everything I can think of, and even then some things, but just can't figure it out...

Thanks!

Eric
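The symptoms in this thread (services, passwd/group and later DNS lookups failing inside the jail although every library ldd lists is present) come from glibc loading its libnss_* modules at run time according to nsswitch.conf, where ldd cannot see them. The following added Python helper, not from any poster or from atftp, derives the jail file list from a daemon's ldd output and the jail's nsswitch.conf; the ldd text and nsswitch.conf below are constructed samples, `libdir` defaults to /lib as in the paths quoted in the thread, and the libresolv dependency of libnss_dns is supplied from general glibc knowledge rather than from the posts.

```python
import re

# Constructed sample input: roughly what `ldd /usr/sbin/atftpd` and a jail's nsswitch.conf
# might look like on a CentOS 5 era i386 system. Not captured from a real host.
LDD_OUTPUT = """\
        linux-gate.so.1 =>  (0x00110000)
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a3b000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00c0a000)
        libc.so.6 => /lib/libc.so.6 (0x00a88000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00d1c000)
        /lib/ld-linux.so.2 (0x00a69000)
"""
NSSWITCH_CONF = """\
passwd:     files
shadow:     files
group:      files
hosts:      files dns
services:   files
"""

# An ldd line carries an absolute path followed by the load address; the vDSO entry has none.
LDD_PATH = re.compile(r"(/\S+)\s+\(0x[0-9a-f]+\)")

# Which nsswitch databases the daemon actually consults: identity change (passwd, group),
# port lookup (services) and the tcp_wrappers host-name check (hosts).
DEFAULT_DATABASES = ("passwd", "group", "hosts", "services")


def ldd_paths(ldd_text):
    """Absolute library paths from ldd output, in the order ldd printed them."""
    matches = (LDD_PATH.search(line) for line in ldd_text.splitlines())
    return [m.group(1) for m in matches if m]


def nss_modules(nsswitch_text, databases=DEFAULT_DATABASES):
    """libnss_<source>.so.2 modules glibc will dlopen for the given databases.

    ldd never lists these: NSS picks them at run time from nsswitch.conf, so a jail that
    satisfies ldd can still fail 'unknown service' or 'can't change identity'.
    """
    modules = []
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() not in databases:
            continue
        for token in sources.split():
            source = re.sub(r"\[.*\]", "", token)  # drop [NOTFOUND=return] style actions
            if source and "libnss_%s.so.2" % source not in modules:
                modules.append("libnss_%s.so.2" % source)
    return modules


def jail_file_list(ldd_text, nsswitch_text, libdir="/lib"):
    """Files to copy into the jail for linking and name-service lookups to succeed."""
    needed = ldd_paths(ldd_text)
    modules = nss_modules(nsswitch_text)
    needed += ["%s/%s" % (libdir, m) for m in modules]
    if "libnss_dns.so.2" in modules:
        # libnss_dns is itself linked against libresolv, which the daemon's ldd does not show,
        # and the dns source reads resolv.conf inside the jail.
        needed += ["%s/libresolv.so.2" % libdir, "/etc/resolv.conf"]
    if "libnss_files.so.2" in modules:
        needed += ["/etc/passwd", "/etc/group", "/etc/services", "/etc/hosts"]
    needed.append("/etc/nsswitch.conf")
    return needed


if __name__ == "__main__":
    for path in jail_file_list(LDD_OUTPUT, NSSWITCH_CONF):
        print(path)
```

Run against real `ldd` output and the jail's own nsswitch.conf, the list is what to copy under the jail root; shadow is deliberately left out because a daemon that only drops privileges never reads it.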
[CentOS] A good primer to User Administration?
Hi,

I've been running Linux as a workstation OS for years, and have been dealing with Windows networks and standalone Linux servers for a while now. However, the time has come for me to completely redo the server installation and I am looking to move to a complete CentOS install base, with only Windows workstations.

My question is the following. I've been searching online for a good reference to describe good practices when building a Linux network, but haven't really been able to find much when it comes to best practices for user administration, ACLs, optimal (or recommended) file locations, etc. For example, I know I need an LDAP server, but I'm not sure how that ties into system login, or how to use a Linux LDAP server as the basis for a primary domain controller (is it still called that given the Windows AD world?), etc. Or even how to properly create group structures and ACLs that accurately reflect group ownership/etc. The octal permissions at the file level are only good enough for a single group; I need to give multiple groups different permissions on the same files, etc.

I realize that there are a lot of questions that I need to research, but I was hoping someone could point me in the direction of some advanced admin docs with best practices, etc. Most of the stuff I find relates to how to set up a basic standalone PC, without any reference to how to network together a bunch of servers running off central authentication, etc...

Thanks for the advice!

Eric
[CentOS] Re: A good primer to User Administration?
Shibu C Varughese [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> > My question is the following. I've been searching online for a good reference to describe good practices when building a linux network, but haven't really been able to find much when it comes to best practices for user administration, ACLs, optimal (or recommended) file locations, etc. For example, I know I need an LDAP server, but not sure how that ties into system login, or how to use a Linux LDAP server as the basis for a primary domain controller (is it still called that given Windows AD world?), etc. Or even how to properly create group structures and ACLs that accurately reflect group ownership/etc. The octal permissions at the file level are only good enough for a single group; I need to give multiple groups different permissions on the same files, etc.
> >
> > I realize that there are a lot of questions that I need to research, but I was hoping someone could point me in the direction of some advanced admin docs with best practices, etc. Most of the stuff I find relates on how to set up a basic standalone PC, without any reference to how to network together a bunch of servers running off central authentication, etc...
>
> Eric, if you are thinking of setting up ldap, email, address book ...etc.. all in one go ... then you need to test out ...something like zimbra from zimbra.com

Thanks for the input; I have already looked at Zimbra, and it looks like a very interesting soln for me once I have everything else set up. I see Zimbra as a nice group-ware pkg, but not as something to help me with user-authentication to the server (for shell access), setting up file permissions, shares, SMB permissions/shares, etc, etc, etc.

Tx!
Eric
[CentOS] Re: Open Source CPanel equivalent for CentOS?
Barry Brimer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> > Hi, I was wondering if anyone knew of a solid, reliable Open Source equivalent of Cpanel/Plesk that I can run on my CentOS boxes. I've done some searching around and find a bunch of them which seem to have stopped or stalled development, but I am figuring that there has got to be a strong market / demand for something out there. Is anyone using something secure, solid and complete? I don't need something for users to sign up themselves online, but would like something to give them abilities to administer their own domains. I am more than happy to move my entire existing mail server and accounts to something new if I can give my users this ability.
>
> Webmin/Virtualmin/Usermin
> http://www.webmin.com
>
> Emu
> http://www.emusoftware.com/

Thanks for the links. I had already looked at Webmin, but after doing more research on it, ppl seemed to think it could be a security leak. I had never heard of Emu / NetDirector though, and after looking around at the site and the demos, I must say I am extremely impressed by it. I also like the fact that it is OS Java based.

My only concern, however, is that I can't seem to find any community support for it. Does that mean there is no install base? Sourceforge mailing lists have no activity and no one on them, as do the SourceForge forums. Do you know if there are other forums or mailing lists that are used by the community for this?

Thanks!
Eric
[CentOS] Open Source CPanel equivalent for CentOS?
Hi,

I was wondering if anyone knew of a solid, reliable Open Source equivalent of Cpanel/Plesk that I can run on my CentOS boxes. I've done some searching around and find a bunch of them which seem to have stopped or stalled development, but I am figuring that there has got to be a strong market / demand for something out there. Is anyone using something secure, solid and complete?

I don't need something for users to sign up themselves online, but would like something to give them abilities to administer their own domains. I am more than happy to move my entire existing mail server and accounts to something new if I can give my users this ability.

Thanks!
Eric