Re: Debian server for backups of Windows clients

[Neal P. Murphy]

On Fri, 9 Sep 2016 23:14:30 -0500
David Wright  wrote:

> On Fri 09 Sep 2016 at 20:36:39 (-0700), David Christensen wrote:
> > On 09/09/2016 11:51 AM, Celejar wrote:
> > > On Tue, 9 Aug 2016 18:57:02 -0700
> > > David Christensen  wrote:
> > > 
> > > ...
> > > 
> > >> My laptop has 802.11 a/b/g WiFi and Fast Ethernet.  Wireless data
> > >> transfers are slow (~50 Mbps).  Wired is twice as fast (100 Mbps); still
> > >> slow.  Newer WiFi (n, ac) should be faster, but only the newest WiFi
> > >> hardware can match or beat Gigabit.
> > > 
> > > You get ~50Mbps over a/b/g? 54Mbps is the theoretical maximum, and
> > > everything I've read says that 20-24Mbps is the real-world maximum.
> > > 
> > > Celejar
> > > 
> > 
> > Benchmarking using WiFi (48 Mb/s):
> > 
> > 2016-09-09 20:18:51 dpchrist@t7400 ~
> > $ time dd if=/dev/urandom of=urandom.100M bs=1M count=100
> > 100+0 records in
> > 100+0 records out
> > 104857600 bytes (105 MB) copied, 12.6709 s, 8.3 MB/s
> > 
> > real0m12.703s
> > user0m0.000s
> > sys 0m12.481s
> > 
> > 2016-09-09 20:19:32 dpchrist@t7400 ~
> > $ time scp -p urandom.100M samba:.
> > urandom.100M
> > 
> > 
> >   100%  100MB   1.5MB/s   01:08
> > 
> > real1m16.023s
> > user0m4.548s
> > sys 0m0.744s
> > 
> > 
> > So, 1048576900 bytes * 8 bits / byte / 76.024 seconds
>  ↑
> 
> What's this 9?
> 
> Cheers,
> David.
> 

Assuming the talk is about transfer rates over the medium, not something like 
pre-compression data rates (which might be called 'marketing-speak').

Good eye! I was going to say it's not possible to get 110Mb/s over 802.11g; 
40-50 is closer tothe best I get. And 193Mb/s over 100Mb/s ethernet is right 
out; best I've ever managed is maybe 97Mb/s, and 92-95 is more typical. 
11,034,157Mb/s on W/L and 19,338,838Mb/s on wired is *much* more believable.

Unless one has a very fast multicore CPU with hardware crypto assistance, very 
fast RAM and the data to be transferred cached in RAM, one will probably never 
saturate a fastE or gigE link where one end must decrypt the data from 
disk/cache then encrypt the data to scp, and the other end must decrypt the 
data from scp then encrypt the data to disk. Even simple compression slows 
transfer down far too much.

Now if one had many CPUs, hacked scp to open as many sockets and thread/child 
procs as there are CPUs, and had each thread work on a small-ish block of data 
at a time, one *might* be able to speed up the tranfser.

Installing Lenny -- how to deal with expired repo signing keys?

[Rick Thomas]

It's a long story, but I need to install a fresh-out-of-the-box Debian 
amd64 Lenny system.


I found ftp.us.debian.org/debian-archive/debian/ which has installer 
images for old Debian releases, including Lenny.  The README file says I 
need to use

deb http://archive.debian.org/debian/ lenny main contrib
for the sources.list entry.

This works OK when I boot a l"live" cd, though it complains about the 
repo keys being expired and requires me to type "Yes" if I want to 
ignore that and install packages anyway.


So my first question is: Is there something I can do in apt preferences 
somewhere that will make it accept the expired keys by default?


After some experimentation with my "live" system, I decided that I 
really needed a fully installed system that didn't loose all my 
configuration stuff on reboots.


So I downloaded a "netinst" CD and tried to install using it.  Of 
course, I had to give it the archive repo URL manually (netinst isn't 
really happy without a network repo).  It accepted that but then it 
appeared to hang.  Looking at the -F4 screen revealed that it was 
asking the same question about whether I wanted to accept the expired 
repo keys, but this time there was no way to give it the required "Yes" 
answer.  Or at least no way that I could see.


So my second question is: Does anybody know how to give it the necessary 
answer?  Or, failing that somehing I can do in the -F2 screen that 
will prevent it from asking?


Thanks! in advance,

Rick

Re: Debian server for backups of Windows clients

[David Wright]

On Fri 09 Sep 2016 at 20:36:39 (-0700), David Christensen wrote:
> On 09/09/2016 11:51 AM, Celejar wrote:
> > On Tue, 9 Aug 2016 18:57:02 -0700
> > David Christensen  wrote:
> > 
> > ...
> > 
> >> My laptop has 802.11 a/b/g WiFi and Fast Ethernet.  Wireless data
> >> transfers are slow (~50 Mbps).  Wired is twice as fast (100 Mbps); still
> >> slow.  Newer WiFi (n, ac) should be faster, but only the newest WiFi
> >> hardware can match or beat Gigabit.
> > 
> > You get ~50Mbps over a/b/g? 54Mbps is the theoretical maximum, and
> > everything I've read says that 20-24Mbps is the real-world maximum.
> > 
> > Celejar
> > 
> 
> Benchmarking using WiFi (48 Mb/s):
> 
> 2016-09-09 20:18:51 dpchrist@t7400 ~
> $ time dd if=/dev/urandom of=urandom.100M bs=1M count=100
> 100+0 records in
> 100+0 records out
> 104857600 bytes (105 MB) copied, 12.6709 s, 8.3 MB/s
> 
> real  0m12.703s
> user  0m0.000s
> sys   0m12.481s
> 
> 2016-09-09 20:19:32 dpchrist@t7400 ~
> $ time scp -p urandom.100M samba:.
> urandom.100M
> 
> 
>   100%  100MB   1.5MB/s   01:08
> 
> real  1m16.023s
> user  0m4.548s
> sys   0m0.744s
> 
> 
> So, 1048576900 bytes * 8 bits / byte / 76.024 seconds
 ↑

What's this 9?

Cheers,
David.

Re: atualizacao

[Célio Roberto]

Fala galera, muito obrigado pelas dicas, todas foram avaliadas e foram de
grande importancia.
Como fazia: a bastante tempo tenho um pendrive com Debian, utilizo
basicamente para acesso a web e multimedia(audio), ele fica ligado direto,
a cada 5 a 7 dias, ele trava do nada, não sei se com o tempo a RAM não é
suficiente ou algo assim. Era chato reinstalar navegadores e suporte a
multimedia a cada vez que isso ocorria.

Como fiz: Segui a dica de instalar no pendrive, baixei a versão testing da
última segunda feira 05/09 e instalei nesse mesmo pendrive que tinha o
live, utilizou 3,7GB, já instalei os programas básicos que utilizo e por
enquanto está uma maravilha. Testei em 3 micros diferentes, em todos
funcionou perfeitamente, em apenas 1 precisei ativar o módulo wifi, de
resto só alegria.

Mais uma vez muito obrigado a todos que contribuiram com dicas.

Abraço

Em 8 de setembro de 2016 02:04, Gustavo S. L.  escreveu:

> Em 6 de setembro de 2016 15:02, Célio Roberto 
> escreveu:
>
>> Se eu instalar no pendrive, depois utilizar em outro micro, ele vai
>> reconhecer os componentes?
>>
>
> Se o Kernel tiver suporte tem chances de sim. Kernel é o núcleo do
> sistema. Se você achar complicado o sistema de backports que citei
> anteriormente, você pode usar uma máquina virtual para teste como citado
> por outro colega e ai usar a versão testing com tranquilidade, para
> realmente testá-la. Você pode enviar pra lista a dúvida que tiver.
> <%2B55%20%2861%29%203546%207191>
>

Re: Debian server for backups of Windows clients

[David Christensen]

On 09/09/2016 12:43 PM, Daniel Bareiro wrote:
> On 09/08/16 22:57, David Christensen wrote:
>> My laptop has 802.11 a/b/g WiFi and Fast Ethernet.  Wireless data
>> transfers are slow (~50 Mbps).  Wired is twice as fast (100 Mbps); still
>> slow.  Newer WiFi (n, ac) should be faster, but only the newest WiFi
>> hardware can match or beat Gigabit.
> 
> I think it is reasonable to expect that the wireless transfer rate is
> lower than the one obtained in a wired network. But there is a big
> difference compared to the ~50 Mpbs you mentioned. The peak obtained
> with rsync was 10 Mbps. Maybe the best is to take a metric with iperf,
> what do you think?

See the benchmark I just posted for 802.11g WiFi --  dm-crypt -> scp ->
dm-crypt, all without AES-NI --  110341671 bits/second.  Yuck.


>> My biggest problem with rsync is when I reorganize file/ directory trees
>> on my file server; especially big stuff ... I have yet to figure out an 
>> rsync incantation
>> that does the corresponding moves on the destination ...
> 
> If you make a move of files, but always within the same root filesystem
> provided to rsync, you might want to consider using --delete for get an
> identical image in the source and destination.

--delete is a different idea.  I'm thinking -y/--fuzzy.


David

Re: Debian server for backups of Windows clients

[David Christensen]

On 09/09/2016 11:51 AM, Celejar wrote:
> On Tue, 9 Aug 2016 18:57:02 -0700
> David Christensen  wrote:
> 
> ...
> 
>> My laptop has 802.11 a/b/g WiFi and Fast Ethernet.  Wireless data
>> transfers are slow (~50 Mbps).  Wired is twice as fast (100 Mbps); still
>> slow.  Newer WiFi (n, ac) should be faster, but only the newest WiFi
>> hardware can match or beat Gigabit.
> 
> You get ~50Mbps over a/b/g? 54Mbps is the theoretical maximum, and
> everything I've read says that 20-24Mbps is the real-world maximum.
> 
> Celejar
> 

Benchmarking using WiFi (48 Mb/s):

2016-09-09 20:18:51 dpchrist@t7400 ~
$ time dd if=/dev/urandom of=urandom.100M bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 12.6709 s, 8.3 MB/s

real0m12.703s
user0m0.000s
sys 0m12.481s

2016-09-09 20:19:32 dpchrist@t7400 ~
$ time scp -p urandom.100M samba:.
urandom.100M


  100%  100MB   1.5MB/s   01:08

real1m16.023s
user0m4.548s
sys 0m0.744s


So, 1048576900 bytes * 8 bits / byte / 76.024 seconds

= 110341671 bits/second


Testing again using Fast Ethernet (100 Mb/s):

2016-09-09 20:29:54 dpchrist@t7400 ~
$ time scp -p urandom.100M samba:.
urandom.100M


  100%  100MB   2.4MB/s   00:42

real0m43.377s
user0m4.476s
sys 0m0.876s


So, 1048576900 bytes * 8 bits / byte / 43.377 seconds

= 193388552. bits/second


Wow.  Even worse than I was expecting...


David

Re: [OT Consejo sobre portátil]

[ziprasidone146939...@gmail.com]

On Fri, 2016-09-09 at 22:26 -0300, divagante wrote:
> 
> El 09/09/16 a las 14:37, Angel Vicente escribió:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> >
> > Hola a todos. Espero que hayáis pasado un buen verano.
> >
> > Voy a necesitar comprar un portátil para los estudios de mi hija.
> > Necesitaría algo de menos de 15'', ligero (es para llevarlo a la
> > universidad), que ande bien de memoria, y que pueda mover sin problemas
> > una Debian, esto es muy importante, necesita instalar Google Earth.
> >
> > Ahora tenemos un Lenovo B560 de 15,6'' pero se me antoja un poco pesado
> > para trasladarlo todos los días.
> >
> > He visto en PCComponentes alguna cosa de Asus de 11'' pero no sé...
> >
> > Saludos y gracias de antemano
> 
> 
>   Hola che! Es importante que nos digas de donde sos! -tu pais de 
> procedencia-. Por ejemplo aca en Argentina, Buenos Aires, acabo de ver 
> un equipo a un exelente precio que creo que cubre tus necesidades.
> 
>   te dejo el link por las dudas:
> 
> http://tecnovortex.com/asus-x555la/

Buenas...

Si; creo que ademas es una cuestión de educación.
Por ejemplo, también soy de Argentina, y estamos en Invierno.

Un saludo, y disculpas por no aportar nada de lo que busca el OP

> 
> 
> saludos.
> >
> >
> > - --
> > Key fingerprint 01DC 0386 2B28 0A02 A270 E243 008B AABF 1822 9851
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v2
> >
> > iF4EAREIAAYFAlfS8z0ACgkQAIuqvxgimFGq0gD/R7CPil7KCRqvhcxdJbXR+2DL
> > HKxUdXlTaVrLGvd/SREA/RL4QlNf4F2kzGoe2K6AMDg0BMEwctivPO3RtON6GOmi
> > =56b6
> > -END PGP SIGNATURE-
> >

Re: [OT Consejo sobre portátil]

[divagante]

El 09/09/16 a las 14:37, Angel Vicente escribió:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


Hola a todos. Espero que hayáis pasado un buen verano.

Voy a necesitar comprar un portátil para los estudios de mi hija.
Necesitaría algo de menos de 15'', ligero (es para llevarlo a la
universidad), que ande bien de memoria, y que pueda mover sin problemas
una Debian, esto es muy importante, necesita instalar Google Earth.

Ahora tenemos un Lenovo B560 de 15,6'' pero se me antoja un poco pesado
para trasladarlo todos los días.

He visto en PCComponentes alguna cosa de Asus de 11'' pero no sé...

Saludos y gracias de antemano



 Hola che! Es importante que nos digas de donde sos! -tu pais de 
procedencia-. Por ejemplo aca en Argentina, Buenos Aires, acabo de ver 
un equipo a un exelente precio que creo que cubre tus necesidades.


 te dejo el link por las dudas:

http://tecnovortex.com/asus-x555la/


saludos.



- --
Key fingerprint 01DC 0386 2B28 0A02 A270 E243 008B AABF 1822 9851
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iF4EAREIAAYFAlfS8z0ACgkQAIuqvxgimFGq0gD/R7CPil7KCRqvhcxdJbXR+2DL
HKxUdXlTaVrLGvd/SREA/RL4QlNf4F2kzGoe2K6AMDg0BMEwctivPO3RtON6GOmi
=56b6
-END PGP SIGNATURE-

<>

Re: SMTP relay issue with emails to specific domain

[Daniel Bareiro]

Hi, Joe.

Thanks for your reply.

On 09/09/16 18:06, Joe wrote:

>>> An email client connects to its SMTP smarthost using SMTP, so
>>> there's no way a given SMTP server can tell whether it's a client
>>> (MUA) or another SMTP server (MTA) trying to connect to it.  

>> That's outdated information.
>>
>> SMTP is used to exchange messages between mail servers (MTAs), but
>> a client submitting a new message to its designated relay may use
>> the "Submission" protocol on port 587 instead.  (Really old clients
>> may still use SMTP.)
>>
>> Relay control is a pretty important, nontrivial field.  

> And a separate issue in this case, where no relaying was requested. The
> protocol used is still SMTP, possibly with a few bells and whistles
> bolted on, and does not vary depending on whether a mail client or
> server is the originator. The port and authentication required vary
> according to whether local delivery or relaying is occurring, not
> according to what kind of software is on the transmitting end.
> 
> I've used a SMTP server to send authenticated mail to another server,
> as it was necessary in that time and place. The receiving server
> couldn't tell that the sender was another server. I've used a terminal
> window, a mail client by anyone's standards, to send unauthenticated
> port 25 SMTP directly to a recipient's server, something a client is
> not normally expected to do.
> 
> The issue in this case is that a SMTP server *seems* to be demanding
> authentication for local delivery. There may be more to it than that,
> but certainly there are DNS irregularities. There is no MX record for
> the domain (which, to be honest, I would have thought meant that no
> delivery was even attempted), and the domain administrators may have
> made other configuration errors. It may just be that the OP's postfix
> installation is failing to find the MX, getting confused, and returning
> an error message which is less than helpful.

Apparently, in Hostgator they don't have an MX record for this domain.
Even making the query directly to the Google DNS, it returns nothing:

---
$ dig -t mx @8.8.8.8 lkeusa.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -t mx @8.8.8.8 lkeusa.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17815
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;lkeusa.com.IN  MX

;; AUTHORITY SECTION:
.   1799IN  SOA ns6073.hostgator.com.
root.gator3037.hostgator.com. 1372031250 86400 7200 360 86400

;; Query time: 254 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 09 20:09:22 ART 2016
;; MSG SIZE  rcvd: 106
---

According to the Section 5 of RFC 5321 [1], if no MX record is present
mail servers should fall back to the A record for the domain. This is
probably what's happening in this case. Although not clarify the problem
of authentication that I am observing.

Tomorrow I'll try to make a test from the other side to see if I get the
same error.


Kind regards,
Daniel

[1] https://tools.ietf.org/html/rfc5321#section-5



signature.asc
Description: OpenPGP digital signature

Re: Fim do OpenOffice?

[Rodrigo Cunha]

Galera, o projeto pode morrer mas a herança é eterna.
A quantidade de código do openoffice que deve ter sido utilizada no
libreoffice deve ser enorme...a questão de focar em um projeto é mais
gerencial e administrativa.
Penso que todas as iniciativas de codigo aberto são um legado a humanidade.

Em 9 de setembro de 2016 12:40, Helio Loureiro 
escreveu:

> Isso é mais lenda urbana que realidade.  O projeto está morrendo for falta
> de gente capacitada pra mexer no código.  Você acha realmente que alguém
> vai pegar isso é continuar o trabalho?  Só porque é sofware livre o código
> é fácil de ler e entender? É isso?
>
> Parece a ideia de quem cria uma nova distro pra ter seu tema carregado por
> padrão no wm.
>
> ./helio
>
> -= sent via Android =-
>
> On Sep 8, 2016 05:32, "Rodrigo Cunha"  wrote:
>
>> Srs. essa ideia de fim de um projeto opensource é quase impossivel, uma
>> vez que o código é livre, qualquer um pode reiniciar, pegar o código e
>> colocar outro nome, etc, etc...
>>
>> Em 7 de setembro de 2016 16:07, Gilberto F da Silva <
>> gfs1...@mandic.com.br> escreveu:
>>
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>>
>>> On Tue, Sep 06, 2016 at 09:52:18AM -0300, jaitony souza wrote:
>>> > Bom dia
>>> > Era de se esperar com o surgimento do libre office e adoção de quase
>>> todas
>>> > as distribuições Linux por ele o OpenOffice até demorou muito pra morre
>>> >
>>> > Enviada por um dispositivo móvel
>>> >
>>> > Em 06/09/2016 09:46, "Nélio Macedo"  escreveu:
>>>
>>>   Melhor que haja somente uma suite forte para o Linux.
>>>
>>> - --
>>>
>>> Gilberto F da Silva - gfs1...@gmx.net - ICQ 136.782.571
>>> Stela dato:2.457.639,295  Loka tempo:2016-09-07 16:05:14 Merkredo
>>> - -==-
>>> Faz o que tu queres..  há de ser tudo da lei!
>>>  -- Raul Seixas
>>> -BEGIN PGP SIGNATURE-
>>> Version: GnuPG v2
>>>
>>> iEYEARECAAYFAlfQZXgACgkQJxugWtMhGw4ACQCfevEDGlnBSfVt72IBErPSoIjd
>>> 8VYAoNMrK92jDpAAvDdo5BnTJJGas098
>>> =055Q
>>> -END PGP SIGNATURE-
>>>
>>>
>>
>>
>> --
>> Atenciosamente,
>> Rodrigo da Silva Cunha
>>
>>


-- 
Atenciosamente,
Rodrigo da Silva Cunha

Re: Ayuda con helper/plugin de openvpn-auth-ldap.so

[OddieX]

El día 9 de septiembre de 2016, 19:45, OddieX  escribió:
> El día 9 de septiembre de 2016, 19:39, Maykel Franco
>  escribió:
>> El 10 sept. 2016 12:24 a. m., "OddieX"  escribió:
>>>
>>> Estimados, ante todo esta es una consulta para programadores de C, ya que
>>> basicamente el problema que tengo es de programacion del helper...
>>>
>>> Estoy teniendo un problema con el helper que viene con Debian Jessie, para
>>> autenticar OpenVPN via LDAP...
>>>
>>> El tema es el siguiente:
>>>
>>> Mi scheme de OpenLDAP, en la rama ou="group" no tiene el MemberAttribute =
>>> "memberOf" o "member", sino que tiene memberUid:
>>> Eh aqui el problema, el helper esta programado para que cuando haga una
>>> busqueda de grupos, le pase ese MemberAttribute con el %u y luego el DN Base
>>> completo...
>>>
>>> El atributo memberOf o member, toma lo siguiente: member:
>>> uid=test,ou=people,dc=domain,dc=com
>>> En cambio el atributo memberUid: toma lo siguiente: memberUid: uid=test
>>>
>>> Yo necesitaria modificar el source del helper, para que deje de pasarle
>>> luego del MemberAttribute el DN Base y pase solo el uid=%u
>>>
>>> El problema es que no tengo idea de lenguaje C, y me estoy volviendo loco,
>>> ya de movida, tengo el problema del header objc-api.h que esta deprecated a
>>> partir de la version 4.8 de gcc-objc, cambie ese header por runtime.h, pero
>>> compila barbaro y cuando pruebo el helper crashea...
>>>
>>> Y el segundo problema, es que quiero eliminar esa parte del filtro, edite
>>> el archivo auth-ldap.m y lo modifique:
>>>
>>> while ((entry = [entryIter nextObject]) != nil) {
>>> if ([ldap compareDN: [entry dn] withAttribute: [groupConfig
>>> memberAttribute] value: [ldapUser dn]]) {
>>> /* Group match! */
>>> result = groupConfig;
>>> }
>>> }
>>>
>>>
>>> Le elimine de withAttribute: en adelante quedando asi:
>>>
>>> while ((entry = [entryIter nextObject]) != nil) {
>>> if ([ldap compareDN: [entry dn] ]) {
>>> /* Group match! */
>>> result = groupConfig;
>>> }
>>> }
>>>
>>> Me gustaria saber si esta bien lo que estoy haciendo en el codigo (ya que
>>> no entiendo mucho de C)... Y si alguien la tiene clara y me dice como
>>> solucionar lo de objc-api.h, ya que creo que por ese header me crashea el
>>> binario cuando lo testeo (sin hacerle modificaciones)...
>>>
>>> Saludos
>>
>> Buenas, porque no añades el atributo memberof?
>>
>> http://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/
>>
>> Saludos.
>
>
> Tengo 3 paneles diferentes en diferentes sites, que matchean contra
> ese LDAP, deberia reprogramar los 3 paneles, las busquedas, los entrys
> todo...

Ademas hay otro tema, los scheme que yo uso en LDAP, no permiten
posixGroup y groupOfnames... Tendria que cambiar el nis por el rfc...
Pero de todos modos, eso se puede hacer, pero me dejaria de funcionar
los paneles

Re: Ayuda con helper/plugin de openvpn-auth-ldap.so

[OddieX]

El día 9 de septiembre de 2016, 19:39, Maykel Franco
 escribió:
> El 10 sept. 2016 12:24 a. m., "OddieX"  escribió:
>>
>> Estimados, ante todo esta es una consulta para programadores de C, ya que
>> basicamente el problema que tengo es de programacion del helper...
>>
>> Estoy teniendo un problema con el helper que viene con Debian Jessie, para
>> autenticar OpenVPN via LDAP...
>>
>> El tema es el siguiente:
>>
>> Mi scheme de OpenLDAP, en la rama ou="group" no tiene el MemberAttribute =
>> "memberOf" o "member", sino que tiene memberUid:
>> Eh aqui el problema, el helper esta programado para que cuando haga una
>> busqueda de grupos, le pase ese MemberAttribute con el %u y luego el DN Base
>> completo...
>>
>> El atributo memberOf o member, toma lo siguiente: member:
>> uid=test,ou=people,dc=domain,dc=com
>> En cambio el atributo memberUid: toma lo siguiente: memberUid: uid=test
>>
>> Yo necesitaria modificar el source del helper, para que deje de pasarle
>> luego del MemberAttribute el DN Base y pase solo el uid=%u
>>
>> El problema es que no tengo idea de lenguaje C, y me estoy volviendo loco,
>> ya de movida, tengo el problema del header objc-api.h que esta deprecated a
>> partir de la version 4.8 de gcc-objc, cambie ese header por runtime.h, pero
>> compila barbaro y cuando pruebo el helper crashea...
>>
>> Y el segundo problema, es que quiero eliminar esa parte del filtro, edite
>> el archivo auth-ldap.m y lo modifique:
>>
>> while ((entry = [entryIter nextObject]) != nil) {
>> if ([ldap compareDN: [entry dn] withAttribute: [groupConfig
>> memberAttribute] value: [ldapUser dn]]) {
>> /* Group match! */
>> result = groupConfig;
>> }
>> }
>>
>>
>> Le elimine de withAttribute: en adelante quedando asi:
>>
>> while ((entry = [entryIter nextObject]) != nil) {
>> if ([ldap compareDN: [entry dn] ]) {
>> /* Group match! */
>> result = groupConfig;
>> }
>> }
>>
>> Me gustaria saber si esta bien lo que estoy haciendo en el codigo (ya que
>> no entiendo mucho de C)... Y si alguien la tiene clara y me dice como
>> solucionar lo de objc-api.h, ya que creo que por ese header me crashea el
>> binario cuando lo testeo (sin hacerle modificaciones)...
>>
>> Saludos
>
> Buenas, porque no añades el atributo memberof?
>
> http://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/
>
> Saludos.


Tengo 3 paneles diferentes en diferentes sites, que matchean contra
ese LDAP, deberia reprogramar los 3 paneles, las busquedas, los entrys
todo...

Re: Ayuda con helper/plugin de openvpn-auth-ldap.so

[Maykel Franco]

El 10 sept. 2016 12:24 a. m., "OddieX"  escribió:
>
> Estimados, ante todo esta es una consulta para programadores de C, ya que
basicamente el problema que tengo es de programacion del helper...
>
> Estoy teniendo un problema con el helper que viene con Debian Jessie,
para autenticar OpenVPN via LDAP...
>
> El tema es el siguiente:
>
> Mi scheme de OpenLDAP, en la rama ou="group" no tiene el MemberAttribute
= "memberOf" o "member", sino que tiene memberUid:
> Eh aqui el problema, el helper esta programado para que cuando haga una
busqueda de grupos, le pase ese MemberAttribute con el %u y luego el DN
Base completo...
>
> El atributo memberOf o member, toma lo siguiente: member:
uid=test,ou=people,dc=domain,dc=com
> En cambio el atributo memberUid: toma lo siguiente: memberUid: uid=test
>
> Yo necesitaria modificar el source del helper, para que deje de pasarle
luego del MemberAttribute el DN Base y pase solo el uid=%u
>
> El problema es que no tengo idea de lenguaje C, y me estoy volviendo
loco, ya de movida, tengo el problema del header objc-api.h que esta
deprecated a partir de la version 4.8 de gcc-objc, cambie ese header por
runtime.h, pero compila barbaro y cuando pruebo el helper crashea...
>
> Y el segundo problema, es que quiero eliminar esa parte del filtro, edite
el archivo auth-ldap.m y lo modifique:
>
> while ((entry = [entryIter nextObject]) != nil) {
> if ([ldap compareDN: [entry dn] withAttribute: [groupConfig
memberAttribute] value: [ldapUser dn]]) {
> /* Group match! */
> result = groupConfig;
> }
> }
>
>
> Le elimine de withAttribute: en adelante quedando asi:
>
> while ((entry = [entryIter nextObject]) != nil) {
> if ([ldap compareDN: [entry dn] ]) {
> /* Group match! */
> result = groupConfig;
> }
> }
>
> Me gustaria saber si esta bien lo que estoy haciendo en el codigo (ya que
no entiendo mucho de C)... Y si alguien la tiene clara y me dice como
solucionar lo de objc-api.h, ya que creo que por ese header me crashea el
binario cuando lo testeo (sin hacerle modificaciones)...
>
> Saludos

Buenas, porque no añades el atributo memberof?

http://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/

Saludos.

Ayuda con helper/plugin de openvpn-auth-ldap.so

[OddieX]

Estimados, ante todo esta es una consulta para programadores de C, ya que
basicamente el problema que tengo es de programacion del helper...

Estoy teniendo un problema con el helper que viene con Debian Jessie, para
autenticar OpenVPN via LDAP...

El tema es el siguiente:

Mi scheme de OpenLDAP, en la rama ou="group" no tiene el MemberAttribute =
"memberOf" o "member", sino que tiene memberUid:
Eh aqui el problema, el helper esta programado para que cuando haga una
busqueda de grupos, le pase ese MemberAttribute con el %u y luego el DN
Base completo...

El atributo memberOf o member, toma lo siguiente: member:
uid=test,ou=people,dc=domain,dc=com
En cambio el atributo memberUid: toma lo siguiente: memberUid: uid=test

Yo necesitaria modificar el source del helper, para que deje de pasarle
luego del MemberAttribute el DN Base y pase solo el uid=%u

El problema es que no tengo idea de lenguaje C, y me estoy volviendo loco,
ya de movida, tengo el problema del header objc-api.h que esta deprecated a
partir de la version 4.8 de gcc-objc, cambie ese header por runtime.h, pero
compila barbaro y cuando pruebo el helper crashea...

Y el segundo problema, es que quiero eliminar esa parte del filtro, edite
el archivo auth-ldap.m y lo modifique:

while ((entry = [entryIter nextObject]) != nil) {
if ([ldap compareDN: [entry dn] withAttribute: [groupConfig
memberAttribute] value: [ldapUser dn]]) {
/* Group match! */
result = groupConfig;
}
}


Le elimine de withAttribute: en adelante quedando asi:

while ((entry = [entryIter nextObject]) != nil) {
if ([ldap compareDN: [entry dn] ]) {
/* Group match! */
result = groupConfig;
}
}

Me gustaria saber si esta bien lo que estoy haciendo en el codigo (ya que
no entiendo mucho de C)... Y si alguien la tiene clara y me dice como
solucionar lo de objc-api.h, ya que creo que por ese header me crashea el
binario cuando lo testeo (sin hacerle modificaciones)...

Saludos

Re: Debian server for backups of Windows clients

[deloptes]

Daniel Bareiro wrote:

> Still, 20-24 Mbps is more than 10 Mpbs I was seeing with rsync. There
> could be a bottleneck somewhere?

In my case it was the IO on the disk - I couldn't do more than 12Mbps even
on wired connection, because I have encrypted disk ... it took me a while
to understand why though.

Re: Debian server for backups of Windows clients

[Celejar]

On Fri, 9 Sep 2016 16:46:35 -0300
Daniel Bareiro  wrote:

> Hi, Celejar.
> 
> On 09/09/16 15:51, Celejar wrote:
> 
> >> My laptop has 802.11 a/b/g WiFi and Fast Ethernet.  Wireless data
> >> transfers are slow (~50 Mbps).  Wired is twice as fast (100 Mbps); still
> >> slow.  Newer WiFi (n, ac) should be faster, but only the newest WiFi
> >> hardware can match or beat Gigabit.
> 
> > You get ~50Mbps over a/b/g? 54Mbps is the theoretical maximum, and
> > everything I've read says that 20-24Mbps is the real-world maximum.
> 
> Still, 20-24 Mbps is more than 10 Mpbs I was seeing with rsync. There
> could be a bottleneck somewhere?

As per your own suggestion in another message, definitely benchmark
with iperf to see if that's better. And as we discussed in another
thread some time ago, (especially) if you're using wireless, benchmark
throughput in *both* directions, since the transmitter (or receiver) may
be better on one machine than on another.

Celejar

Re: SMTP relay issue with emails to specific domain

[Joe]

On Fri, 9 Sep 2016 16:13:10 -0400
Greg Wooledge  wrote:

> On Fri, Sep 09, 2016 at 08:58:15PM +0100, Joe wrote:
> > An email client connects to its SMTP smarthost using SMTP, so
> > there's no way a given SMTP server can tell whether it's a client
> > (MUA) or another SMTP server (MTA) trying to connect to it.  
> 
> That's outdated information.
> 
> SMTP is used to exchange messages between mail servers (MTAs), but
> a client submitting a new message to its designated relay may use
> the "Submission" protocol on port 587 instead.  (Really old clients
> may still use SMTP.)
> 
> Relay control is a pretty important, nontrivial field.  

And a separate issue in this case, where no relaying was requested. The
protocol used is still SMTP, possibly with a few bells and whistles
bolted on, and does not vary depending on whether a mail client or
server is the originator. The port and authentication required vary
according to whether local delivery or relaying is occurring, not
according to what kind of software is on the transmitting end.

I've used a SMTP server to send authenticated mail to another server,
as it was necessary in that time and place. The receiving server
couldn't tell that the sender was another server. I've used a terminal
window, a mail client by anyone's standards, to send unauthenticated
port 25 SMTP directly to a recipient's server, something a client is
not normally expected to do.

The issue in this case is that a SMTP server *seems* to be demanding
authentication for local delivery. There may be more to it than that,
but certainly there are DNS irregularities. There is no MX record for
the domain (which, to be honest, I would have thought meant that no
delivery was even attempted), and the domain administrators may have
made other configuration errors. It may just be that the OP's postfix
installation is failing to find the MX, getting confused, and returning
an error message which is less than helpful.

-- 
Joe

Re: Jessie & Fixed IP Address

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Sep 09, 2016 at 02:10:53PM -0500, Tim McDonough wrote:
> On 9/9/2016 4:26 AM, Cindy-Sue Causey wrote:
> >You know what, though, I did have two entries in there the other day.
> >And I found that tip because I was getting the "RTNETLINK answers:
> >File exists" error that led to that tip (k/t Raspberry Pi @
> >StackExchange). My firsthand experience is that tip leans towards
> >being true because I eliminated ALL my homespun entries and am now no
> >longer receiving *that* particular error message. *grin*
> 
> You typically (most networks) would have only one gateway specified.
> It's the IP address of the router used by your network to access the
> Internet.
> 
> I imagine there are more elaborate schemes with multiple gateways
> and could not offer advice on that, I have no experience.

You can define different gateways depending on target hosts/networks.
The default gateway "takes the rest".

Example:

  ip route add to 192.168.99/24 via 192.168.42.12

sets up host 192.168.42.12 as gateway to the subnet 192.168.99.xxx

regards
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlfTHrsACgkQBcgs9XrR2kbGbgCaAxwUHaUbxd45A/uRHlY/fjXU
3G8An1A7UWJS/kHfnjblNycPBPBMCTHH
=3Ya9
-END PGP SIGNATURE-

Re: SMTP relay issue with emails to specific domain

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Sep 09, 2016 at 04:05:28PM -0300, Daniel Bareiro wrote:
> 
> 
> On 09/09/16 15:05, Stephan Beck wrote:

[...]

> H... I do not quite understand this situation. That is, lkeusa.com
> asked to use SMTP authentication, but this would make sense if the email
> client connects directly to lkeusa.com for deliver the email. And this
> is not the case. The client connects to an intermediate server, the
> relay server, which is the one delivering the email to lkeusa.com. Or
> maybe I'm missing something?

What I miss from cursory reading of the other answers: the intermediate
server can also authenticate (playing the role of client) with the next
server. For exim, this is described in exim4_passwd_client(5)

Regards
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlfTHWIACgkQBcgs9XrR2kYsUgCfd4Mmx/oQgJDKKS22tqOc0wUr
s6cAnArPQ6cqldgmFf0esGcV/N6p2WXA
=NgmA
-END PGP SIGNATURE-

Re: SMTP relay issue with emails to specific domain

[Greg Wooledge]

On Fri, Sep 09, 2016 at 08:58:15PM +0100, Joe wrote:
> An email client connects to its SMTP smarthost using SMTP, so there's no
> way a given SMTP server can tell whether it's a client (MUA) or another
> SMTP server (MTA) trying to connect to it.

That's outdated information.

SMTP is used to exchange messages between mail servers (MTAs), but
a client submitting a new message to its designated relay may use
the "Submission" protocol on port 587 instead.  (Really old clients
may still use SMTP.)

Relay control is a pretty important, nontrivial field.  Some servers
rely on an "SMTP AUTH" protocol that involves a username and password
to authenticate the client.  A few may still use the old "POP before SMTP"
hack, in which a client that performs an authenticated POP3 retrieval
opens up permission to use SMTP for some time period.  I don't know
how widespread this practice still is; it's quite antiquated.

And of course some servers may simply whitelist their clients by IP
address.  This works extremely well in internal corporate settings,
but very poorly if you have people working from home, on the road, etc.
(I've seen the phrase "road warriors" used to refer to these clients.)

Internet service providers probably use some variant of this, magically
knowing who their customers are by IP address.  This is outside of my
experience.

DJB proposed authenticating client emails by having them be PGP-signed,
with the server holding the public keys necessary to validate the
clients' signatures.  I've never seen this actually implemented, though.

So, long story short, you have to get permission to use a given host
as your mail submission/relay.  And how you do that is up to the owner
of that host.

Re: SMTP relay issue with emails to specific domain

[Joe]

On Fri, 9 Sep 2016 16:05:28 -0300
Daniel Bareiro  wrote:

> On 09/09/16 15:05, Stephan Beck wrote:
> 
> > Hi Daniel,  
> 
> Hi, Stephan. Thanks for your reply.
> 
> >>> I recently set up an relay SMTP server on a host of Digital
> >>> Ocean, using Debian and Postfix.
> >>>
> >>> The main reason for setting up this relay is that the cPanel VPS
> >>> is hosted at Godaddy, and they force everyone to send email
> >>> through their shared SMTP relay. As expected, that shared relay
> >>> is continually being flagged for spam.
> >>>
> >>> So the outgoing emails are routed through this server. Usually
> >>> everything worked smoothly. Mails to accounts on Google, Yahoo,
> >>> Hotmail and other servers are delivered. But I found a problem
> >>> with a specific domain:
> >>>
> >>> ---
> >>> Sep  7 14:36:11 smtp postfix/smtp[8036]: 5EAA520AAD:
> >>> to=, relay=lkeusa.com[50.87.144.56]:25],
> >>> delay=13, delays=0.91/0.06/6.1/5.9, dsn=5.0.0, status=bounced
> >>> (host lkeusa.com[50.87.144.56] said: 550-Please turn on SMTP
> >>> Authentication in your mail client, or login to the 550-IMAP/POP3
> >>> server before sending your message.  smtp.server.com
> >>> 550-[x.y.z.t]:41988 is not permitted to relay through this server
> >>> 550 without authentication. (in reply to RCPT TO command))
> >>> ---
> >>>
> >>> I'm not sure why this specific domain is complaining in this
> >>> way.  
> 
> > I think it's because it requires SMTP authentication, whereas
> > apparently the other servers you mention don't (mails are
> > delivered). Have you checked if the mail client's option
> > mail.smtpserver.default.authMethod is set to 0, which means there
> > is no SMTP authentication at all. That could explain the issue.
> > For a list of methods, see (1)
> > Looking at exim's server ready 220 response below, it does not like
> > people to send spam or bulk email.
> > The 550 return code means that the mailbox you are trying to reach
> > can't be found or you are lacking access rights. In your case it's
> > the latter, as the server response indicates.
> > 
> > 
> > (1)
> > http://www.afterlogic.com/mailbee/docs/SMTP_props_AuthMethod.htm  
> 
> H... I do not quite understand this situation. That is, lkeusa.com
> asked to use SMTP authentication, but this would make sense if the
> email client connects directly to lkeusa.com for deliver the email.
> And this is not the case. The client connects to an intermediate
> server, the relay server, which is the one delivering the email to
> lkeusa.com. Or maybe I'm missing something?
> 
>
An email client connects to its SMTP smarthost using SMTP, so there's no
way a given SMTP server can tell whether it's a client (MUA) or another
SMTP server (MTA) trying to connect to it.

That said, a SMTP server should accept mail addressed to a valid
recipient of a domain for which it is authoritative, unconditionally, it
should not ask for authentication. Authentication will only be required
for relaying, i.e. expecting lkeusa to pass the message on to someone
who is not a local recipient. If this were not the case, anyone sending
email to anyone else would be expected to be able to authenticate to
the recipient's server, which is nonsense.

The error message you are seeing seems to involve relaying. Are you
definitely sending email to a valid recipient on the lkeusa.com domain?
If so, no relaying is being requested, the error message you are seeing
does not make sense ("to=, relay=lkeusa.com") and you
need to contact the postmaster for the domain to ask what is going on.

P.S. A quick dig at lkeusa.com shows no MX record, and mxtoolbox.com
confirms this. 50.87.144.56 is the IP address given by an A record for
the domain name itself, and the only other DNS records are the hosting
company's nameservers. This may have something to do with the problem.

-- 
Joe

Re: Tableau de bord Mate

[humbert . olivier . 1]

À noter qu'il y a eu pas mal de commits sur l'empaquetage de MATE aujourd'hui 
autour de 17h40 en France métropolitaine (15h40 UTC) :
http://lists.alioth.debian.org/pipermail/pkg-mate-commits/Week-of-Mon-20160905/thread.html

Merci Martin Wimpress !

Re: Debian server for backups of Windows clients

[Daniel Bareiro]

Hi, Celejar.

On 09/09/16 15:51, Celejar wrote:

>> My laptop has 802.11 a/b/g WiFi and Fast Ethernet.  Wireless data
>> transfers are slow (~50 Mbps).  Wired is twice as fast (100 Mbps); still
>> slow.  Newer WiFi (n, ac) should be faster, but only the newest WiFi
>> hardware can match or beat Gigabit.

> You get ~50Mbps over a/b/g? 54Mbps is the theoretical maximum, and
> everything I've read says that 20-24Mbps is the real-world maximum.

Still, 20-24 Mbps is more than 10 Mpbs I was seeing with rsync. There
could be a bottleneck somewhere?


Kind regards,
Daniel



signature.asc
Description: OpenPGP digital signature

Re: Debian server for backups of Windows clients

[Daniel Bareiro]

Hi, David.

Thanks for your reply.

On 09/08/16 22:57, David Christensen wrote:

>> As you can see, the transfer was over than 3 GB and it were not hung. I
>> did several tests and all were without problems.
>>
>> I wonder if in the mentioned episodes of hangs you remember whether the
>> transferred volume was higher or lower than in this case (or it hung
>> randomly).

> Script it and run it every night for a week.  If it works every time,
> try again for 30 days.  Then 90.  Then 365.

Yes, I have to start testing on a daily basis. Anyway, the mentioned
test results were quite satisfactory.

>> As a side note, the larger file (disk01.img) took more than 40 minutes
>> to be transferred. So the rsync was running quite some time without
>> hanging. While it does not have to do with the topic of this thread, in
>> rsync progress data we can see that the average transfer rate was 10
>> Mbps. I guess it will have to do with that I'm going through a wireless
>> network. In this testing the Debian computer is a notebook connected to
>> the wireless router and the KVM Windows is on the wired network. May it
>> be so large the decrease in transfer speed? The wireless router is
>> TPLink WDR3600 with OpenWRT.

> My laptop has 802.11 a/b/g WiFi and Fast Ethernet.  Wireless data
> transfers are slow (~50 Mbps).  Wired is twice as fast (100 Mbps); still
> slow.  Newer WiFi (n, ac) should be faster, but only the newest WiFi
> hardware can match or beat Gigabit.

I think it is reasonable to expect that the wireless transfer rate is
lower than the one obtained in a wired network. But there is a big
difference compared to the ~50 Mpbs you mentioned. The peak obtained
with rsync was 10 Mbps. Maybe the best is to take a metric with iperf,
what do you think?

> For the initial full backup, I have found that scp is faster than rsync.

It is likely, since rsync adds control information used by rsync
algorithm to track the synchronization.

> When I know that I've added a bunch of new and/or large files on the
> sender, I sometimes try the rsync 'whole-file' option.  As I haven't
> benchmarked it, I don't know if/when it is helping.
>
> My biggest problem with rsync is when I reorganize file/ directory trees
> on my file server; especially big stuff -- raw video, movies, disk
> images, ISO images, etc..  I have yet to figure out an rsync incantation
> that does the corresponding moves on the destination, rather than
> mindlessly copying and deleting 100's of GB.  I have often considered
> writing an rsync prelude script for just this case.

If you make a move of files, but always within the same root filesystem
provided to rsync, you might want to consider using --delete for get an
identical image in the source and destination.


Kind regards,
Daniel



signature.asc
Description: OpenPGP digital signature

Re: Tableau de bord Mate

[Haricophile]

Le Fri, 9 Sep 2016 10:59:22 +0200,
Frédéric MASSOT  a écrit :

> MATE sur Debian est passé à GTK3 depuis la version 1.14, ici il s'agit
> d'incompatibilité et d'API cassée entre les versions de GTK 3.

La grande spécialité des dev de vers chez Gnome ces derniers temps, il
me semble.

-- 
haricoph...@aranha.fr 

Re: Jessie & Fixed IP Address

[Tim McDonough]

On 9/9/2016 4:26 AM, Cindy-Sue Causey wrote:

You know what, though, I did have two entries in there the other day.
And I found that tip because I was getting the "RTNETLINK answers:
File exists" error that led to that tip (k/t Raspberry Pi @
StackExchange). My firsthand experience is that tip leans towards
being true because I eliminated ALL my homespun entries and am now no
longer receiving *that* particular error message. *grin*


You typically (most networks) would have only one gateway specified. 
It's the IP address of the router used by your network to access the 
Internet.


I imagine there are more elaborate schemes with multiple gateways and 
could not offer advice on that, I have no experience.


Tim

Re: SMTP relay issue with emails to specific domain

[Daniel Bareiro]

On 09/09/16 15:05, Stephan Beck wrote:

> Hi Daniel,

Hi, Stephan. Thanks for your reply.

>>> I recently set up an relay SMTP server on a host of Digital Ocean, using
>>> Debian and Postfix.
>>>
>>> The main reason for setting up this relay is that the cPanel VPS is
>>> hosted at Godaddy, and they force everyone to send email through their
>>> shared SMTP relay. As expected, that shared relay is continually being
>>> flagged for spam.
>>>
>>> So the outgoing emails are routed through this server. Usually
>>> everything worked smoothly. Mails to accounts on Google, Yahoo, Hotmail
>>> and other servers are delivered. But I found a problem with a specific
>>> domain:
>>>
>>> ---
>>> Sep  7 14:36:11 smtp postfix/smtp[8036]: 5EAA520AAD:
>>> to=, relay=lkeusa.com[50.87.144.56]:25], delay=13,
>>> delays=0.91/0.06/6.1/5.9, dsn=5.0.0, status=bounced (host
>>> lkeusa.com[50.87.144.56] said: 550-Please turn on SMTP Authentication in
>>> your mail client, or login to the 550-IMAP/POP3 server before sending
>>> your message.  smtp.server.com 550-[x.y.z.t]:41988 is not permitted to
>>> relay through this server 550 without authentication. (in reply to RCPT
>>> TO command))
>>> ---
>>>
>>> I'm not sure why this specific domain is complaining in this way.

> I think it's because it requires SMTP authentication, whereas apparently
> the other servers you mention don't (mails are delivered). Have you
> checked if the mail client's option mail.smtpserver.default.authMethod
> is set to 0, which means there is no SMTP authentication at all. That
> could explain the issue.
> For a list of methods, see (1)
> Looking at exim's server ready 220 response below, it does not like
> people to send spam or bulk email.
> The 550 return code means that the mailbox you are trying to reach can't
> be found or you are lacking access rights. In your case it's the latter,
> as the server response indicates.
> 
> 
> (1) http://www.afterlogic.com/mailbee/docs/SMTP_props_AuthMethod.htm

H... I do not quite understand this situation. That is, lkeusa.com
asked to use SMTP authentication, but this would make sense if the email
client connects directly to lkeusa.com for deliver the email. And this
is not the case. The client connects to an intermediate server, the
relay server, which is the one delivering the email to lkeusa.com. Or
maybe I'm missing something?


Kind regards,
Daniel



signature.asc
Description: OpenPGP digital signature

Re: Debian server for backups of Windows clients

[Celejar]

On Tue, 9 Aug 2016 18:57:02 -0700
David Christensen  wrote:

...

> My laptop has 802.11 a/b/g WiFi and Fast Ethernet.  Wireless data
> transfers are slow (~50 Mbps).  Wired is twice as fast (100 Mbps); still
> slow.  Newer WiFi (n, ac) should be faster, but only the newest WiFi
> hardware can match or beat Gigabit.

You get ~50Mbps over a/b/g? 54Mbps is the theoretical maximum, and
everything I've read says that 20-24Mbps is the real-world maximum.

Celejar

Re: Using serial console as a poor mans IP kvm?

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, Sep 09, 2016 at 09:03:33PM +0300, Jarle Aase wrote:
> Hi,
> 
> I was just about to order some usb2serial hardware when I read this.
[...]
> I'll try it when I get the first server assembled. Thanks a lot!

Hey, glad to help :-)

- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlfTBAQACgkQBcgs9XrR2kb2oQCfXciqNGw+duZSi0+j293y9X26
mFcAnRJFuhTP641mbXmJ9YS0l5VZnd6j
=3unC
-END PGP SIGNATURE-

gdm3 doesn't work any more after the upgrade from Wheezy to Jessie 8.5

[Jean-Paul Bouchet]

Hello,

We used during 2 years Gnome and gdm3 on a server with Debian Wheezy to 
let users work from their Windows PC via Cygwin and xlaunch (xdmcp). It 
worked well till the upgrade to Jessie, for these Windows PC, as for the 
system console, a very simple terminal.


The migration has been done a few days ago after a last upgrade of 
Wheezy and a verification that our server was OK, including connection 
features. The dist-upgrade has not been perfect: here are the last lines 
of the process:

...
update-initramfs: Generating /boot/initrd.img-3.16.0-4-amd64
W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3
Traitement des actions différées (« triggers ») pour sgml-base 
(1.26+nmu4) ...

Traitement des actions différées (« triggers ») pour menu (2.1.47) ...
Des erreurs ont été rencontrées pendant l'exécution :
 tex-common
E: Sub-process /usr/bin/dpkg returned an error code (1)

dpkg --audit gives me a list of 149 packages with the half-configurated 
status. Among them: libpam-ldap:amd64, libpam-mount, xorg, xserver-xorg.
I have launched manually 'dpk -configure' for all of them and 
reinstalled tex-common.


Now dpkg --audit returns nothing. I have not yet done apt-get autoremove 
to eliminate the packages the have become useless.


During the upgrade I have installed the new version of 
/etc/gdm3/daemon.conf, /etc/init.d/gdm3 and got [ ok ] Scheduling reload 
of GNOME Display Manager configuration: gdm3.


After the migration it has been possible during the 3 first days to open 
sometimes a gnome session but with many problems, several minutes to get 
the users' list, and again a long time, up to 10 minutes, to get the 
gnome window. Once displayed, the desk was fully functional, but the 
whole process, from the launch of cygwin was much too long and uncertain 
(we could also never get the connexion window with the list of users). 
It has never been possible to lock or close properly a session and to 
get again the connection window.


I have reinstalled some packages, including gdm3, searched similar 
situations on the web, verified the configuration in /etc/gdm3 or 
/etc/pam.d, compared with the files we had with Wheezy, rebooted the 
server, as carefully and cautiously as I could, but without the least 
improvement. On the contrary, we are now unable to get the connexion 
window.


Now, what we get, for the system console, as for the windows PCs with 
Cygwin, is what I supposed to be the splash window, a blue background 
screen with the time, the date and at the left bottom 'Debian 8' and no 
button.


systemctl -l status gdm.service
● gdm.service - GNOME Display Manager
   Loaded: loaded (/lib/systemd/system/gdm.service; enabled)
   Active: active (running) since ven. 2016-09-09 13:47:15 CEST; 6h ago
  Process: 1729 ExecStartPre=/usr/share/gdm/generate-config 
(code=exited, status=0/SUCCESS)
  Process: 1721 ExecStartPre=/bin/sh -c [ "$(cat 
/etc/X11/default-display-manager 2>/dev/null)" = "/usr/sbin/gdm3" ] 
(code=exited, status=0/SUCCESS)

 Main PID: 1801 (gdm3)
   CGroup: /system.slice/gdm.service
   ├─1801 /usr/sbin/gdm3
   ├─1814 /usr/bin/Xorg :0 -novtswitch -background none 
-noreset -verbose 3 -auth 
/var/run/gdm3/auth-for-Debian-gdm-wEWSh7/database -seat seat0 vt7

   ├─2065 gdm-session-worker [pam/gdm-launch-environment]
   ├─2194 /usr/bin/gnome-session --autostart 
/usr/share/gdm/greeter/autostart
   ├─2204 /usr/bin/dbus-launch --exit-with-session 
/usr/bin/gnome-session --autostart /usr/share/gdm/greeter/autostart
   ├─2243 /usr/bin/dbus-daemon --fork --print-pid 5 
--print-address 7 --session

   ├─2252 /usr/lib/at-spi2-core/at-spi-bus-launcher
   ├─2256 /usr/bin/dbus-daemon 
--config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
   ├─2259 /usr/lib/at-spi2-core/at-spi2-registryd 
--use-gnome-session

   ├─2289 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
   ├─2376 gnome-shell --mode=gdm
   ├─2455 /usr/bin/pulseaudio --start --log-target=syslog
   ├─2629 /usr/lib/dconf/dconf-service
   ├─3096 gdm-session-worker [pam/gdm-launch-environment]
   ├─3101 /usr/bin/gnome-session --autostart 
/usr/share/gdm/greeter/autostart
   ├─3104 /usr/bin/dbus-launch --exit-with-session 
/usr/bin/gnome-session --autostart /usr/share/gdm/greeter/autostart
   ├─3105 /usr/bin/dbus-daemon --fork --print-pid 5 
--print-address 7 --session

   ├─3108 /usr/lib/at-spi2-core/at-spi-bus-launcher
   ├─3112 /usr/bin/dbus-daemon 
--config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
   ├─3115 /usr/lib/at-spi2-core/at-spi2-registryd 
--use-gnome-session

   ├─3138 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
   ├─3148 

Re: How to get Jessie to run at boot time

[Andrew M.A. Cater]

On Fri, Sep 09, 2016 at 01:58:03PM -0400, Alan McConnell wrote:
> This one should be _real_ easy!
> 
> Two days ago, my hard drive on my (now) discarded computer gave up the ghost.
> After consideration, and advice from friends, I went out to Staples and bought
> a Dell, with  Windoze installed.  I hooked up everything and Windoze 
> boots
> OK, my sound works, etc.
> 
> This morning I installed Jessie, and this time the install went well.  I could
> put in partitions for / , /usr/, /boot, /var, /tmp, and put in a big swap
> partition.  When I rebooted at the end of the install, I got my Windows 
> again, which
> pleased me, since I'd left it in, giving it 50 gig of my terabyte drive.
> 
> But I don't know how to get my new Jessie to boot!  Back when I had one of my
> first Linuxes and MS-DOS on my system, one got a prompt: "L or M" as soon as
> one turned on the computer.  Things are now more subtle I'm sure, and they are
> too subtle for me!
> 
> So can someone who also has a dual-bootable system(with Windows 10 and Jessie)
> please tell me how you choose, at boot-time, which of your systems you wish to
> boot?
> 
> TIA
> 
> Alan McConnell
> 

Boot your install medium - enter rescue mode - reinstall grub?

HTH,

Andy C 

Re: SMTP relay issue with emails to specific domain

[Stephan Beck]

Hi Daniel,

Daniel Bareiro:
> 
> On 08/09/16 13:56, Daniel Bareiro wrote:
> 
>> I recently set up an relay SMTP server on a host of Digital Ocean, using
>> Debian and Postfix.
>>
>> The main reason for setting up this relay is that the cPanel VPS is
>> hosted at Godaddy, and they force everyone to send email through their
>> shared SMTP relay. As expected, that shared relay is continually being
>> flagged for spam.
>>
>> So the outgoing emails are routed through this server. Usually
>> everything worked smoothly. Mails to accounts on Google, Yahoo, Hotmail
>> and other servers are delivered. But I found a problem with a specific
>> domain:
>>
>> ---
>> Sep  7 14:36:11 smtp postfix/smtp[8036]: 5EAA520AAD:
>> to=, relay=lkeusa.com[50.87.144.56]:25], delay=13,
>> delays=0.91/0.06/6.1/5.9, dsn=5.0.0, status=bounced (host
>> lkeusa.com[50.87.144.56] said: 550-Please turn on SMTP Authentication in
>> your mail client, or login to the 550-IMAP/POP3 server before sending
>> your message.  smtp.server.com 550-[x.y.z.t]:41988 is not permitted to
>> relay through this server 550 without authentication. (in reply to RCPT
>> TO command))
>> ---
>>
>> I'm not sure why this specific domain is complaining in this way.

I think it's because it requires SMTP authentication, whereas apparently
the other servers you mention don't (mails are delivered). Have you
checked if the mail client's option mail.smtpserver.default.authMethod
is set to 0, which means there is no SMTP authentication at all. That
could explain the issue.
For a list of methods, see (1)
Looking at exim's server ready 220 response below, it does not like
people to send spam or bulk email.
The 550 return code means that the mailbox you are trying to reach can't
be found or you are lacking access rights. In your case it's the latter,
as the server response indicates.


(1) http://www.afterlogic.com/mailbee/docs/SMTP_props_AuthMethod.htm

Stephan

[...]
> 
> Well, it seems that in the absence of an MX record, Postfix uses the A
> record that it find by querying that domain and in that IP address an
> Exim server responds:
> 
> ---
> # telnet lkeusa.com 25
> Trying 50.87.144.56...
> Connected to lkeusa.com.
> Escape character is '^]'.
> 220-gator3037.hostgator.com ESMTP Exim 4.86_1 #1 Thu, 08 Sep 2016
> 12:15:19 -0500
> 220-We do not authorize the use of this system to transport unsolicited,
> 220 and/or bulk e-mail.
> ---
> 

Re: How to get Jessie to run at boot time

[Felix Miata]

Alan McConnell composed on 2016-09-09 13:58 (UTC-0400):


Two days ago, my hard drive on my (now) discarded computer gave up the ghost.
After consideration, and advice from friends, I went out to Staples and bought
a Dell, with  Windoze installed.  I hooked up everything and Windoze boots
OK, my sound works, etc.



This morning I installed Jessie, and this time the install went well.  I could
put in partitions for / , /usr/, /boot, /var, /tmp, and put in a big swap
partition.  When I rebooted at the end of the install, I got my Windows again, 
which
pleased me, since I'd left it in, giving it 50 gig of my terabyte drive.



But I don't know how to get my new Jessie to boot!  Back when I had one of my
first Linuxes and MS-DOS on my system, one got a prompt: "L or M" as soon as
one turned on the computer.  Things are now more subtle I'm sure, and they are
too subtle for me!



So can someone who also has a dual-bootable system(with Windows 10 and Jessie)
please tell me how you choose, at boot-time, which of your systems you wish to
boot?


Booting Linux from W10's own boot menu might be the simplest:
http://neosmart.net/EasyBCD/
--
"The wise are known for their understanding, and pleasant
words are persuasive." Proverbs 16:21 (New Living Translation)

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata  ***  http://fm.no-ip.com/

Re: Using serial console as a poor mans IP kvm?

[Jarle Aase]

Hi,

I was just about to order some usb2serial hardware when I read this. 
Your suggestion will give fewer "moving parts" and is actually very 
simple to implement. I will loose the ability to do a cold boot, but it 
will probably not matter too much in my case, at least not for now.


I'll try it when I get the first server assembled. Thanks a lot!

Jarle

Den 09. sep. 2016 10:31, skrev to...@tuxteam.de:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, Sep 08, 2016 at 10:26:59PM +0300, Jarle Aase wrote:

I want to set up a few servers at home. Unfortunately, as I live in
Bulgaria at the moment, the electric power is gone pretty often for
longer periods than my UPS'es can deal with. So my servers will have
to be started at least a few times every quarter.

[...]


That means that I need to reboot the servers relatively often, and
provide the luks passwords every time. Some times I am far away when
this happens [...]

An interesting alternative to the serial console thing is baking
in an SSH server into the initramfs. There are small SSH servers
built for that, like Dropbear.

Upside is that you don't need any additional hardware and it's
pretty well integrated into Debian. Downside is that you need
BIOS, the bootloader and initramfs working (with the serial you
at least get a chance to fix the bootloader remotely).

https://packages.debian.org/sid/dropbear-initramfs
https://wiki.debian.org/RescueInitramfs
https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/

Might be worth a try.

Regards
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlfSZVMACgkQBcgs9XrR2kZGNgCfZhrMlouUceQSVJgzimE+b2YG
GokAn0PpEqnw2lgmFiGTu554OQtpt9Wa
=AKQd
-END PGP SIGNATURE-

How to get Jessie to run at boot time

[Alan McConnell]

This one should be _real_ easy!

Two days ago, my hard drive on my (now) discarded computer gave up the ghost.
After consideration, and advice from friends, I went out to Staples and bought
a Dell, with  Windoze installed.  I hooked up everything and Windoze boots
OK, my sound works, etc.

This morning I installed Jessie, and this time the install went well.  I could
put in partitions for / , /usr/, /boot, /var, /tmp, and put in a big swap
partition.  When I rebooted at the end of the install, I got my Windows again, 
which
pleased me, since I'd left it in, giving it 50 gig of my terabyte drive.

But I don't know how to get my new Jessie to boot!  Back when I had one of my
first Linuxes and MS-DOS on my system, one got a prompt: "L or M" as soon as
one turned on the computer.  Things are now more subtle I'm sure, and they are
too subtle for me!

So can someone who also has a dual-bootable system(with Windows 10 and Jessie)
please tell me how you choose, at boot-time, which of your systems you wish to
boot?

TIA

Alan McConnell
 

Re: Is nagle disabled?

[Rob van der Putten]

Hi there


On 09/09/16 18:19, Stefan Monnier wrote:


I suggest you re-read https://en.wikipedia.org/wiki/Nagle's_algorithm
Nagle only kicks in when there are un-acknowledged packets.  So on the
first packet, there is no delay.  There will be a delay on the *second*
packet if it's small and we haven't yet received confirmation that the
first packet was received.


I thought I overlooked something. And this is it.
Thanks!


Regards,
Rob

[OT Consejo sobre portátil]

[Angel Vicente]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


Hola a todos. Espero que hayáis pasado un buen verano.

Voy a necesitar comprar un portátil para los estudios de mi hija.
Necesitaría algo de menos de 15'', ligero (es para llevarlo a la
universidad), que ande bien de memoria, y que pueda mover sin problemas
una Debian, esto es muy importante, necesita instalar Google Earth.

Ahora tenemos un Lenovo B560 de 15,6'' pero se me antoja un poco pesado
para trasladarlo todos los días.

He visto en PCComponentes alguna cosa de Asus de 11'' pero no sé...

Saludos y gracias de antemano


- -- 
Key fingerprint 01DC 0386 2B28 0A02 A270 E243 008B AABF 1822 9851
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iF4EAREIAAYFAlfS8z0ACgkQAIuqvxgimFGq0gD/R7CPil7KCRqvhcxdJbXR+2DL
HKxUdXlTaVrLGvd/SREA/RL4QlNf4F2kzGoe2K6AMDg0BMEwctivPO3RtON6GOmi
=56b6
-END PGP SIGNATURE-

Re: [resolved] FireFox broken,

[Mark Allums]

On 09/08/2016 01:54 PM, Brian wrote:

On Thu 08 Sep 2016 at 09:30:54 -0500, Mark Allums wrote:


On 09/07/2016 05:23 PM, Gene Heskett wrote:


Maybe this is related to libns3 that someone mention, but we have to get
it from unstable? On wheezy, how?

Thanks.

Cheers, Gene Heskett



Installing libnss3 from sid/unstable solved the problem of web sites
unavailable with a security-related error message for me.


As you say "My problem is not YouTube, that was just an example."

An example of what? A relationship between a "next" button not working
with PayPal and video viewing? Have we left the world of Flash?

Maybe you could post the URLs of two or three web sites which are now
available to you without security-related error messages which you had
trouble with before. Jessie users would be interested whether they too
have to install libnss3 from unstable.


[Good technical advice snipped].



It's not flash.  YouTube doesn't use Flash by default anymore.

One other example is:

https://apprenticealf.wordpress.com/

Mark Allums

Re: How to diagnose an "apt-get instal"l problem

[Greg Wooledge]

On Fri, Sep 09, 2016 at 10:18:22AM -0500, Richard Owlett wrote:
> As root I attempted to do
>   apt-get install mate-desktop-environment-core
> It began normally but terminated with a file not found message 
> before coming to the confirm installation step.

And the error message said...?

> To narrow down the problem source(s) I attempted to install a 
> different program.

Instead of reading the error.  *sigh*

> How can I diagnose what went wrong when I attempted "apt-get 
> install"?

By reading the error.

There is not enough information here to tell whether it was trying to
install a package that isn't physically included on your DVD, or
installing a package that exists but has an error in it, etc.

Re: Is nagle disabled?

[Stefan Monnier]

> I'm experimenting with TCP to see how long it takes to send a small amount
> of data from A to B. One would expect a latency of a few hundred
> milliseconds, but it's a few hundred microseconds instead. It is as if
> Nagle's algorithm has been disabled.

I suggest you re-read https://en.wikipedia.org/wiki/Nagle's_algorithm
Nagle only kicks in when there are un-acknowledged packets.  So on the
first packet, there is no delay.  There will be a delay on the *second*
packet if it's small and we haven't yet received confirmation that the
first packet was received.


Stefan

Re: [OT] Flash Player para linux "strikes back"

[Altair Linux]

Exactamente, son empresas que van por precio, es decir que quien
acepte cobrar mas barato es quien se lleva el trabajo. Y luego nos
encontramos con los desastres que nos encontramos.

Solo les importa lo que da dinero inmediato, sacrificando todo lo demas.

Aunque sepamos que el futuro esta en el uso de ciertas tecnologias,
quieren cosas que funcionen (y que funcionen ya). Tienen una forma de
pensar muy diferente (dan mucha importancia a cosas equivocadas) y
tienen nulo interes en evolucionar.

Re: Fim do OpenOffice?

[Helio Loureiro]

Isso é mais lenda urbana que realidade.  O projeto está morrendo for falta
de gente capacitada pra mexer no código.  Você acha realmente que alguém
vai pegar isso é continuar o trabalho?  Só porque é sofware livre o código
é fácil de ler e entender? É isso?

Parece a ideia de quem cria uma nova distro pra ter seu tema carregado por
padrão no wm.

./helio

-= sent via Android =-

On Sep 8, 2016 05:32, "Rodrigo Cunha"  wrote:

> Srs. essa ideia de fim de um projeto opensource é quase impossivel, uma
> vez que o código é livre, qualquer um pode reiniciar, pegar o código e
> colocar outro nome, etc, etc...
>
> Em 7 de setembro de 2016 16:07, Gilberto F da Silva  > escreveu:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On Tue, Sep 06, 2016 at 09:52:18AM -0300, jaitony souza wrote:
>> > Bom dia
>> > Era de se esperar com o surgimento do libre office e adoção de quase
>> todas
>> > as distribuições Linux por ele o OpenOffice até demorou muito pra morre
>> >
>> > Enviada por um dispositivo móvel
>> >
>> > Em 06/09/2016 09:46, "Nélio Macedo"  escreveu:
>>
>>   Melhor que haja somente uma suite forte para o Linux.
>>
>> - --
>>
>> Gilberto F da Silva - gfs1...@gmx.net - ICQ 136.782.571
>> Stela dato:2.457.639,295  Loka tempo:2016-09-07 16:05:14 Merkredo
>> - -==-
>> Faz o que tu queres..  há de ser tudo da lei!
>>  -- Raul Seixas
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v2
>>
>> iEYEARECAAYFAlfQZXgACgkQJxugWtMhGw4ACQCfevEDGlnBSfVt72IBErPSoIjd
>> 8VYAoNMrK92jDpAAvDdo5BnTJJGas098
>> =055Q
>> -END PGP SIGNATURE-
>>
>>
>
>
> --
> Atenciosamente,
> Rodrigo da Silva Cunha
>
>

How to diagnose an "apt-get instal"l problem

[Richard Owlett]

I was experimenting with a custom minimal install.
[ALL installs are from purchased DVDs as I have minimal 
connectivity.]
I installed Jessie (8.0.0) using expert mode on a machine set 
aside for experiments.
I explicitly chose no desktop environment. The install proceeded 
normally.


From the Description in Packages.gz, 
mate-desktop-environment-core appeared to be appropriate for my 
needs.


As root I attempted to do
  apt-get install mate-desktop-environment-core
It began normally but terminated with a file not found message 
before coming to the confirm installation step.


To narrow down the problem source(s) I attempted to install a 
different program. It proceeded normally to the confirm install 
question.


Suspecting a damaged/defective DVD I then attempted a fresh 
install to the same partition. This time I chose the lxde 
desktop. Installation proceeded to a fully functioning install.


I then used Synaptic to install mate-desktop-environment-core.
It apparently completed normally. [I've not researched what I 
have to do to switch desktops.]


How can I diagnose what went wrong when I attempted "apt-get 
install"?


TIA

icedove: failed to connect server x...@gmail.com

[mudongliang]

Dear all,

recently I suddenly failed to update my gmail account in 
icedove. When I tried to get messages from gmail account in icedove, it 
poped up one window : "Failled to connect server x...@gmail.com". There 
is no error for my other email, for example, hotmail, outlook.


How could I solve this problem?

--
My best regards to you.

 No System Is Safe!
 Dongliang Mu

Re: [OT] Flash Player para linux "strikes back"

[Camaleón]

El Fri, 09 Sep 2016 09:46:32 -0400, Miguel Matos escribió:

> El viernes, 9 de septiembre de 2016, Camaleón 
> escribió:

(...)

>> Pues cada vez se lo están poniendo más difícil a los complementos
>> (java, flash player) y me alegro porque son un coladero de bichos y no
>> hay nada que no se pueda hacer sin ellos. Antes se podía tirar de
>> Javascript pero ahora con html5, AJAX y demás churrimangas¹ ya no hay
>> excusa para hacer las cosas bien.
>>
>> De hecho, en España tenemos un problema gordo con la firma de
>> certificados vía web ya que la mayoría de administraciones usa una
>> aplicación cliente desarrollada en java (@firma²) y java ahora mismo
>> sólo funciona (a duras penas y si logras habilitarlo) con Firefox.
>> Espero que ya le estén buscando un sustituto :-)
>>
>> ¹Palabreja inventada
>> ²http://administracionelectronica.gob.es/es/ctt/clienteafirma
>>
> ¿Y qué hacen los informáticos que no presionan para hacer una
> actualización de dichas aplicaciones? Después de todo, el futuro de la
> Internet está en el grupo llamado HTML5/CSS3/JS5?

Desgraciadamente el grueso de los informáticos (al menos en España) 
pertenecen al sector de las "cárnicas" (grandes consultoras que trabajan 
para empresas que trabajan para la administración) a las que lo que menos 
les importa son los estándares pero "matan" por ahorrarse unos céntimos 
en un paquete de clips. Y claro, te puedes imaginar que quienes trabajan 
para semejante "animalico" muestre el mismo interés (es decir, ninguno) 
en hacer las cosas bien.

> Ah claro, ya olvidé de dónde escriben eso... no me extraña, lo que hace
> el cochino capital. No importa cuánto lo hagan, si les dicen que eso
> cuesta,
> ni de chiste pondrán una puya marrón. (algo así como 1 céntimo).

Exacto :-)

Saludos,

-- 
Camaleón

Re: [OT] Errores 400 en Squid3

[Camaleón]

El Fri, 09 Sep 2016 11:27:52 +0200, Laura Marzà Porcar escribió:

> Hola, como voy un poco perdida con estas incidencias, he probado a
> activar el modulo SSL por si iban por ahílos tiros, creo que lo he hecho
> bien porque ahora me aparece squid3 asi ('--enable-ssl'
> '--with-open-ssl=/etc/ssl/openssl.cnf'):
> 
> Squid Cache: Version 3.4.8 Debian linux configure options: 

(...)

Regla nº 1: no actives lo que no necesites :-)

Es decir, si no vas a usar (porque no necesitas que el tráfico cifrado 
pase por tu proxy) no lo actives, pero eso sólo lo puedes saber tú que 
eres la administradora del proxy.  

http://wiki.squid-cache.org/Features/HTTPS

> por suerte para mi todo siqgue funcionando, la mala noticia es que los
> errores siguen igual, y lo que no tengo claro es, una vez recompilado
> squid3 para habilitar SSL, si tengo que seguir con algun paso adicional
> para crear certificados o similar

Si no necesitas habilitar el tráfico seguro en tu proxy no lo hagas, y 
menos aún antes de tenerlo funcionando al 100% con el tráfico sin cifrar. 
Es mejor que primero resuelvas el problema sencillo y luego, si quieres o 
lo necesitas, te pongas con el tráfico cifrado.

Saludos,

-- 
Camaleón

Re: [OT] Errores 400 en Squid3

[Camaleón]

El Fri, 09 Sep 2016 11:46:38 +0200, Laura Marzà Porcar escribió:

Laura, tu cliente de correo no respeta las citas de los mensajes a los 
que responder, considera usar otro para usarlo en las listas de correos.

> el problema es que con este error, no carga las paginas, 

Peor no carga "algunas" páginas, es decir, no sucede con todas ¿no? :-?

> probé a eliminar las cookies de estas paginas con estos errores porque
> por algun foro lei que eso les solucionaba el problema, pero a mi no.. 
>:(.., además si salgo directa me carga bien la pagina, y lo que me
> inquieta mas, a través de una verison anterior de squid que tenia
> montada desde años me funciona:
> 
> Squid Cache: Version 2.7.STABLE9 configure options:  

(...)

Compara, por si te diera alguna pista, las opciones de compilación de la 
versión anterior con la que tienes actualmente. Si tienes instalado el 
binario de Debian podrás verlo en las fuentes del .deb.

Por otra parte, si has pasado de una versión anterior a una nueva, revisa 
los cambios entre las versiones porque se han introducido novedades:

http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#s5

Y también deberías revisar el registro de errores de squid 
(principalmente el "access.log") y considera aumentar el nivel de detalle 
de los registros internos del proxy por si te dieran más información.

> no, no es un proxy transparente (lo configuro a través de wpad,
> entiendo que asi no es transparente, no?),

Si tu proxy no realiza modificaciones en las respuestas / solicitudes que 
realizan los clientes, entonces actúa en modo transparente. El hecho de 
que uses un archivo de autonfiguración en los clientes para que no tengan 
que introducir datos de configuración y autentificación manualmente 
apunta hacia este tipo de configuraciones pero no tiene por qué estar 
vinculado su uso con un proxy transparente.

> respecto a lo de no cachear el trafico cifrado, he hecho mal activando
> el modulo SSL? Como puedo asegurarme si se está cacheando o no? o es
> porque me falta añadir certificados?

Ni mal ni bien, simplemente (y sólo si lo necesitas) tendrás que 
configurarlo correctamente porque squid no lo habilita de serie.

> pero no lo entiendo, yo he hecho una instalación mas o menos
> estándar, el resto del mundo no tiene problemas con estos errores? :)
> Muchas gracias por tu ayuda Saludos, Laura <--

Creo que aún no has comentado qué paquete has instalado, si el de Debian 
o lo has compilado manualmente de la web de squid :-)

Saludos,

-- 
Camaleón

Is nagle disabled?

[Rob van der Putten]

Hi there


I'm experimenting with TCP to see how long it takes to send a small 
amount of data from A to B. One would expect a latency of a few hundred 
milliseconds, but it's a few hundred microseconds instead. It is as if 
Nagle's algorithm has been disabled.



Regards,
Rob

[OT] Flash Player para linux "strikes back"

[Miguel Matos]

El viernes, 9 de septiembre de 2016, Camaleón  escribió:
> El Thu, 08 Sep 2016 17:50:08 -0400, Miguel Matos escribió:
>
>> El 6 de septiembre de 2016, 17:13, Eduardo Rios 
>> escribió:
>>
>>> El 05/09/16 a las 17:26, Camaleón escribió:
>
> (...)
>
 Pues mira, te cuento una anécdota de ayer mismo.
>
> (...)
>
>>> A mi me pasó algo parecido. Desinstalé flashplugin-nonfree... y probé
>>> ciertas páginas... Y al ver que me funcionaban sin él (ya usaban
>>> HTML5),
>>> pues lo dejé desinstalado :-)
>>>
>>> A ver si pronto con el Java puedo hacer lo mismo. :)
>
>> Pues mucho temo decir que con Java no podrán "hacer lo mismo". Puesto
>> que
>> Flash es mantenido por una sola empresa (y aunque Java también), la
>> diferencia es que la segunda lo necesitan empresas multivariantes: desde
>> negocios medianos hasta hospitales, bancos, empresas del gobierno, y
>> más. Y si ven un sitio que termina en .jsp cuando realizan una operación
>> con su usuario, ya sabrán de lo que hablo.
>
> (...)
>
> Pues cada vez se lo están poniendo más difícil a los complementos (java,
> flash player) y me alegro porque son un coladero de bichos y no hay nada
> que no se pueda hacer sin ellos. Antes se podía tirar de Javascript pero
> ahora con html5, AJAX y demás churrimangas¹ ya no hay excusa para hacer
> las cosas bien.
>
> De hecho, en España tenemos un problema gordo con la firma de
> certificados vía web ya que la mayoría de administraciones usa una
> aplicación cliente desarrollada en java (@firma²) y java ahora mismo sólo
> funciona (a duras penas y si logras habilitarlo) con Firefox. Espero que
> ya le estén buscando un sustituto :-)
>
> ¹Palabreja inventada
> ²http://administracionelectronica.gob.es/es/ctt/clienteafirma
>
> Saludos,
>
> --
> Camaleón
>
>
¿Y qué hacen los informáticos que no presionan para hacer una actualización
de dichas aplicaciones? Después de todo, el futuro de la Internet está en
el grupo llamado HTML5/CSS3/JS5?

Ah claro, ya olvidé de dónde escriben eso... no me extraña, lo que hace el
cochino capital. No importa cuánto lo hagan, si les dicen que eso cuesta,
ni de chiste pondrán una puya marrón. (algo así como 1 céntimo).

-- 
Ayuda para hacer preguntas inteligentes: http://is.gd/NJIwRz

Re: [OT] Flash Player para linux "strikes back"

[Camaleón]

El Thu, 08 Sep 2016 17:50:08 -0400, Miguel Matos escribió:

> El 6 de septiembre de 2016, 17:13, Eduardo Rios 
> escribió:
> 
>> El 05/09/16 a las 17:26, Camaleón escribió:

(...)

>>> Pues mira, te cuento una anécdota de ayer mismo.

(...)

>> A mi me pasó algo parecido. Desinstalé flashplugin-nonfree... y probé
>> ciertas páginas... Y al ver que me funcionaban sin él (ya usaban
>> HTML5),
>> pues lo dejé desinstalado :-)
>>
>> A ver si pronto con el Java puedo hacer lo mismo. :)

> Pues mucho temo decir que con Java no podrán "hacer lo mismo". Puesto
> que
> Flash es mantenido por una sola empresa (y aunque Java también), la
> diferencia es que la segunda lo necesitan empresas multivariantes: desde
> negocios medianos hasta hospitales, bancos, empresas del gobierno, y
> más. Y si ven un sitio que termina en .jsp cuando realizan una operación
> con su usuario, ya sabrán de lo que hablo.

(...)

Pues cada vez se lo están poniendo más difícil a los complementos (java, 
flash player) y me alegro porque son un coladero de bichos y no hay nada 
que no se pueda hacer sin ellos. Antes se podía tirar de Javascript pero 
ahora con html5, AJAX y demás churrimangas¹ ya no hay excusa para hacer 
las cosas bien.

De hecho, en España tenemos un problema gordo con la firma de 
certificados vía web ya que la mayoría de administraciones usa una 
aplicación cliente desarrollada en java (@firma²) y java ahora mismo sólo 
funciona (a duras penas y si logras habilitarlo) con Firefox. Espero que 
ya le estén buscando un sustituto :-)

¹Palabreja inventada
²http://administracionelectronica.gob.es/es/ctt/clienteafirma

Saludos,

-- 
Camaleón

Alquiler de Grúas Telescópicas - Servicios a Nivel Nacional

[Gerencia - Transporte Progaven]

estimados srs.

subscriber

queremos presentarle nuestra organización y tener la posibilidad de 
convertirnos en proveedores de logística de su empresa.

durante los ultimos 3 años hemos trabajado de la con la constructora norberto 
odebrecht y queriamos presentarles algunas de las imagenes y los casos de exito 
que hemos tenido.

  alquiler de 10 grúas telescópicas
proyecto: tren guarenas a caracas
[1]

  transporte extradimensionada vagones metro cable
proyecto: metrocable petare
[2]

  adicionalmente hemos trabajado realizando operaciones con odebrecht en los 
proyectos:
  linea de metro de caracas los teques tercer puente sobre el río orinoco 
segundo puente sobre el lago de maracaibo mantenimiento pista aereopuerto 
maiquetia

  nuestros principales servicios son:
  alquiler de grúas telescópicas coordinación logística a nivel nacional e 
internacional en gandolas contenedores desde los 4 principales puertos. 
alquiler de maquinas para la construcción  el siguiente es un vínculo por el 
cual puede proceder a descargar la presentación de nuestra empresa
  [3] logisven-presentacion-comercial.pdf

esperando su pronta respuesta y así crear un vínculo comercial de largo plazo 
entre nuestras organizaciones.un cordial saludo,

luis gonzalez
presidente  [4] merca...@logisven.com
  [5] www.logisven.com

logisven - coordinación logística y gruas
caracas, maracaibo, barquisimeto, san cristóbal, pto. cabello,
valencia, maracay, valles del tuy, la guaira, pto. la cruz,
guanta, pto. ordaz , san antonio, paraguachón

  nuestros servicios

  [6] [7]
  ¿ quienes somos?  somos una empresa con gran experiencia y trayectoria en 
logística en venezuela

  contáctenos  [8] www.logisven.com

merca...@logisven.com

  vinculos [9] misión y visión

  [10] nuestro modelo de negocio

  [11] cobertura geográfica[12] solicitud de cotización


 References:

1. u=5dd5b66
2. u=5dd5b67
3. u=5dd5b68
4. mailto:merca...@logisven.com
5. u=5dd5b69
6. u=5dd5b6a
7. u=5dd5b6b
8. u=5dd5b6c
9. u=5dd5b6d
10. u=5dd5b6e
11. u=5dd5b6f
12. u=5dd5b70

Re: Using serial console as a poor mans IP kvm?

[Eike Lantzsch]

On Freitag, 9. September 2016 08:15:37 PYT Tixy wrote:
> On Fri, 2016-09-09 at 08:46 +0300, Lars Noodén wrote:
> > I've used USB-to-serial adapters with the Prolific chipset.  They've
> > worked fine for me, in various models.  (I haven't tried FTDI and am
> > suspicious of them.)
> 
> And my experience is the opposite. I have genuine (there's apparently a
> lot of fakes) FTDI devices in pretty much daily use for many years
> without problems. This is using ser2net on a local network for accessing
> serial consoles on ARM based development boards. ser2net will be
> insecure telnet or raw port forwarding but if it's not exposed to the
> internet and you can ssh tunnel into the local network then that's a lot
> better. I've done that method for carrying on working with my boards
> whilst across the other side of the world. Of course, a means of power
> cycling devices is also essential.

I second that. I had many weird problems with PL2303 but never any on any OS* 
with FTDI FT232 chips.

[*] Debian-Linux, OpenBSD, OSX and MS-Windows 
-- 
Eike Lantzsch ZP6CGE

Re: libnss3, currently in testing

[Gene Heskett]

On Thursday 08 September 2016 19:02:31 Henrique de Moraes Holschuh wrote:

> On Thu, 08 Sep 2016, Gene Heskett wrote:
> > Has anyone an idea of a schedule of when that will put this security
> > update into the wheezy repo's?
>
> https://wiki.debian.org/LTS
>
> Please contact the Debian LTS people, and if this fix is not already
> in the priority queue, you could offer to sponsor the work required or
> something.
>
> > I believe this is why I cannot use the paypal account I just opened.
>
> Gene, may I humbly suggest you should get a new box for non-Linux-CNC
> work, and keep that wheezy box you use for Linux-CNC off the grid so
> that it doesn't become a liability in the future?

Liability?  Only if its destroyed on purpose by a malicious update. I 
have a router with dd-wrt reflashed into it.  No back doors.  And it 
stops _all_ the unfunny stuff. And according to the error message I get 
when I run firefox-esr from a terminal, SSL is missing.  But its not, FF 
just can't find it. IMO firefox-esr is a disaster despite the hype.

> You will be happier in the medium/long term after the investment in
> the new box pays itself off, Debian jessie should work much better
> overall for you for desktopish things (i.e. not Linux-CNC), and the
> rest of us will be happier even sooner because we will have less
> support requests related to oldstable to attend to[1] ;-)
>
> Paypal works just fine with firefox in a standard Debian 8.6 install.
>
> [1] Any work done for stable and unstable/testing _usually_ helps a
> lot more people than work done for oldstable.

I can appreciate that, but wheezy is supposed to have security support 
until sometime in 2018, but this gradual destruction of a formerly 
working system just to get folks to update smells an awful lot like 
fedora, and that rebuild your system every 30 days got old, very fast, 
so I bailed to mandrake all those years ago.  And now its happening 
again.  All I want is a system that Just Works(TM) and now it isn't.

Sometime today I'll see if I can figure out how to install the real 
mozilla firefox 48.something tarball.  Maybe even make it use the new 
flashplayer.so, now at major version 23 something. I already have them 
downloaded.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 

Re: Re: System in broken state after dpkg upgrade

[Laurent Bigonville]

Don Armstrong wrote:

That's basically because the policy wasn't fixed in time for the jessie
release (see #756729 and #771484). If you're using selinux on Debian, it
would probably be good to participate in the development of the default
policy and refpolicy packages.


Yes please

RE: [OT] Errores 400 en Squid3

[Laura Marzà Porcar]

> 
> "Your browser sent a request that this server could not understand.
> Request header field is missing ':' separator."
> 
> p.e.:
> http://www.sri.gob.ec/
> TCP_MISS/400 747 GET http://www.sri.gob.ec/ lmarza
> HIER_DIRECT/201.234.223.197 text/html

Este error podría no tener relación con el otro, más que nada por el 
"TCP_MISS/400" que se corresponde con el mensaje que recibes en el navegador. 
Podría ser un problema con el servidor remoto, que tenga alguna configuración 
concreta de cookies que no sabe gestionar squid y registra ese hecho pero si la 
página carga bien y se puede acceder al sitio, no le daría importancia. 

--> el problema es que con este error, no carga las paginas, probé a eliminar 
las cookies de estas paginas con estos errores porque por algun foro lei que 
eso les solucionaba el problema, pero a mi no.. :(.., además si salgo directa 
me carga bien la pagina, y lo que me inquieta mas, a través de una verison 
anterior de squid que tenia montada desde años me funciona:

Squid Cache: Version 2.7.STABLE9
configure options:  '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' 
'--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' 
'--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' 
'--enable-async-io' '--with-pthreads' 
'--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' 
'--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' 
'--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' 
'--enable-underscores' '--enable-referer-log' '--enable-useragent-log' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-carp' 
'--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' 
'i386-debian-linux' 'build_alias=i386-debian-linux' 
'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux' 'CFLAGS=-Wall 
-g -O2' 'LDFLAGS=' 'CPPFLAGS='
<--

> En otras:
> 
> "Bad Request - Invalid Header
> 
> HTTP Error 400. The request has an invalid header name."
> 
> Cuando me aparece este tipo de error, busco a donde lleva la pagina y 
> accedo directamente al https (en el ejemplo se ve mejor lo que quiero
> decir)

(...)

Normalmente los proxys no cachean el tráfico cifrado y squid no es una 
excepción. Asegúrate de que lo tienes bien configurado para esa configuración y 
si además se trata de un proxy transparente (los clientes no saben que salen a 
través de proxy) tendrás que hacer pasos adicionales (instalación de paquetes 
de certificados, redirecciones de iptables...).

--> no, no es un proxy transparente (lo configuro a través de wpad, entiendo 
que asi no es transparente, no?), respecto a lo de no cachear el trafico 
cifrado, he hecho mal activando el modulo SSL? Como puedo asegurarme si se está 
cacheando o no? o es porque me falta añadir certificados? 
<--

> He leído muchos posts de gente, pero no he conseguido localizar una 
> solución que me valga, algunos datos que creo que puedan interesar:
> 
> Debian:
> #lsb_release -a No LSB modules are available.
> Distributor ID: Debian Description:Debian GNU/Linux 8.4 (jessie)
> Release:8.4 Codename:   jessie
> 
> Apache (lei algo relacionado con este problema sobre apache y los 
> certificados, pero yo no tengo paginas alojadas en mi servidor) # 
> apache2ctl -v Server version: Apache/2.4.10 (Debian)
> Server built:   Jul 20 2016 07:07:13

Supongo que lo que dicen esos artículos es que necesitas los paquetes y 
bibliotecas de certificados si quieres que Squid gestione tráfico cifrado.

--> pero no lo entiendo, yo he hecho una instalación mas o menos estándar, el 
resto del mundo no tiene problemas con estos errores? :)
Muchas gracias por tu ayuda
Saludos, Laura
<--

Saludos,

--
Camaleón

RE: [OT] Errores 400 en Squid3

[Laura Marzà Porcar]

Hola Camaleón, no se por que pero no había visto tu respuesta hasta ahora, me 
pongo a revisar todo lo que me dices, gracias


Laura 



-Mensaje original-
De: Camaleón [mailto:noela...@gmail.com] 
Enviado el: jueves, 08 de septiembre de 2016 16:01
Para: debian-user-spanish@lists.debian.org
Asunto: Re: [OT] Errores 400 en Squid3

El Thu, 08 Sep 2016 09:33:02 +0200, Laura Marzà Porcar escribió:

> Buenos días,
> Monte un squid/3.4.8 en una Debian Jessie, en general funciona 
> correctamente, pero hay algo que se me escapa, ya que en algunas 
> páginas me dice "Bad Request", creo que están todos relacionados con 
> el mismo problema y con algo referente a seguridad, por el tipo de 
> contenido de las paginas que me dan errores.
> 
> en ocasiones el error es:
> 
> "Your browser sent a request that this server could not understand.
> Request header field is missing ':' separator."
> 
> p.e.:
> http://www.sri.gob.ec/
> TCP_MISS/400 747 GET http://www.sri.gob.ec/ lmarza
> HIER_DIRECT/201.234.223.197 text/html

Este error podría no tener relación con el otro, más que nada por el 
"TCP_MISS/400" que se corresponde con el mensaje que recibes en el navegador. 
Podría ser un problema con el servidor remoto, que tenga alguna configuración 
concreta de cookies que no sabe gestionar squid y registra ese hecho pero si la 
página carga bien y se puede acceder al sitio, no le daría importancia. 

> En otras:
> 
> "Bad Request - Invalid Header
> 
> HTTP Error 400. The request has an invalid header name."
> 
> Cuando me aparece este tipo de error, busco a donde lleva la pagina y 
> accedo directamente al https (en el ejemplo se ve mejor lo que quiero
> decir)

(...)

Normalmente los proxys no cachean el tráfico cifrado y squid no es una 
excepción. Asegúrate de que lo tienes bien configurado para esa configuración y 
si además se trata de un proxy transparente (los clientes no saben que salen a 
través de proxy) tendrás que hacer pasos adicionales (instalación de paquetes 
de certificados, redirecciones de iptables...).

> He leído muchos posts de gente, pero no he conseguido localizar una 
> solución que me valga, algunos datos que creo que puedan interesar:
> 
> Debian:
> #lsb_release -a No LSB modules are available.
> Distributor ID: Debian Description:Debian GNU/Linux 8.4 (jessie)
> Release:8.4 Codename:   jessie
> 
> Apache (lei algo relacionado con este problema sobre apache y los 
> certificados, pero yo no tengo paginas alojadas en mi servidor) # 
> apache2ctl -v Server version: Apache/2.4.10 (Debian)
> Server built:   Jul 20 2016 07:07:13

Supongo que lo que dicen esos artículos es que necesitas los paquetes y 
bibliotecas de certificados si quieres que Squid gestione tráfico cifrado.

Saludos,

--
Camaleón

RE: [OT] Errores 400 en Squid3

[Laura Marzà Porcar]

Hola, como voy un poco perdida con estas incidencias, he probado a activar el 
modulo SSL por si iban por ahílos tiros, creo que lo he hecho bien porque ahora 
me aparece squid3 asi ('--enable-ssl' '--with-open-ssl=/etc/ssl/openssl.cnf'):

Squid Cache: Version 3.4.8
Debian linux
configure options:  '--build=i586-linux-gnu' '--prefix=/usr' 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' 
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' 
'--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' 
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' 
'--enable-removal-policies=lru,heap' '--enable-delay-pools' 
'--enable-cache-digests' '--enable-icap-client' 
'--enable-follow-x-forwarded-for' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
 '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
'--enable-auth-ntlm=fake,smb_lm' 
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
 '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--enable-ssl' 
'--with-open-ssl=/etc/ssl/openssl.cnf' '--disable-translation' 
'--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' 
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' 
'--with-large-files' '--with-default-user=proxy' '--enable-build-info=Debian 
linux' '--enable-linux-netfilter' 'build_alias=i586-linux-gnu' 'CFLAGS=-g -O2 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 
'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat 
-Werror=format-security'

por suerte para mi todo siqgue funcionando, la mala noticia es que los errores 
siguen igual, y lo que no tengo claro es, una vez recompilado squid3 para 
habilitar SSL, si tengo que seguir con algun paso adicional para crear 
certificados o similar

si alguien me puede orientar lo agadezco

Saludos, Laura 

-Mensaje original-
De: Laura Marzà Porcar [mailto:laura.ma...@servidir.es] 
Enviado el: jueves, 08 de septiembre de 2016 9:33
Para: debian-user-spanish@lists.debian.org
Asunto: [OT] Errores 400 en Squid3


Buenos días,
Monte un squid/3.4.8 en una Debian Jessie, en general funciona correctamente, 
pero hay algo que se me escapa, ya que en algunas páginas me dice "Bad 
Request", creo que están todos relacionados con el mismo problema y con algo 
referente a seguridad, por el tipo de contenido de las paginas que me dan 
errores.

en ocasiones el error es: 

"Your browser sent a request that this server could not understand.
Request header field is missing ':' separator."

p.e.:
http://www.sri.gob.ec/
TCP_MISS/400 747 GET http://www.sri.gob.ec/ lmarza HIER_DIRECT/201.234.223.197 
text/html


En otras:

"Bad Request - Invalid Header

HTTP Error 400. The request has an invalid header name."

Cuando me aparece este tipo de error, busco a donde lleva la pagina y accedo 
directamente al https (en el ejemplo se ve mejor lo que quiero decir)

p.e:
http://bancopopular.es/  --> pero aquí accedo correctamente: 
https://www2.bancopopular.es/empresasN o 
https://www2.bancopopular.es/particularesN
TCP_MISS/400 731 GET http://bancopopular.es/favicon.ico lmarza 
HIER_DIRECT/195.55.131.69 text/html

Tambien:
"400 - Bad Request"

p.e.
http://portal.lacaixa.es/ --> pero así accedo perfectamente: 
https://portal.lacaixa.es/ TCP_MISS/400 811 GET http://portal.lacaixa.es/ 
lmarza HIER_DIRECT/192.229.182.219 
text/html,application/xhtml+xml,application/xml

Otro:
"Bad request
Your browser sent a query this server could not understand. "

p.e:
http://www.ruralvia.com/
TCP_MISS/400 728 GET http://www.ruralvia.com/ lmarza HIER_DIRECT/195.53.82.136 
text/html


La configuración de SQUID3 es la siguiente le he eliminado los comentarios y 
algunas restricciones de acceso que no afectan en este caso para resumir 
líneas):

##

http_port 3128
tcp_outgoing_address [IP_SQUID]
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm 
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp 
--domain=MARINA --kerberos /usr/local/bin/squid_kerb_auth -d -s GSS_C_NO_NAME 
auth_param ntlm children 30 auth_param ntlm keep_alive off auth_param basic 
children 30 auth_param basic realm Servidor Proxy Dominio MARINA.LOCAL 
auth_param basic credentialsttl 2 hours acl SSL_ports port 443 acl SSL_ports 
port 8100
acl Safe_ports port 80  # http
acl Safe_ports port 20 21   # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl 

Re: Jessie & Fixed IP Address

[Cindy-Sue Causey]

On 9/8/16, Greg Wooledge  wrote:
> On Thu, Sep 08, 2016 at 06:08:04PM +0100, David wrote:
>> I am working with a Raspberry PI running Jessie and I'm not happy about
>> the solutions I found to change it from DHCP to a fixed IP address.
>>
>> Can I go back to the old method of editing /etc/network/interfaces
>
> If it's Debian Jessie, then yes, you can edit /etc/network/interfaces.
> Change the line that says something like "iface eth0 inet dhcp" to
> "iface eth0 inet static", and add indented lines below that for the
> address, netmask and gateway.  Then configure your /etc/resolv.conf
> file to point to some valid nameservers.
>
> If it's Raspbian Jessie, which is not the same as Debian Jessie, then
> all bets are off.


This is too cool. The whole deal with my... battling Wi-Fi and
Bluetooth right now just paid off again. Yesterday I learned something
appropriate for this that.. *DISCLAIMER*... may or may not be true.

What I read out on the Net said that, if you have two or more similar
entries in /etc/network/interfaces, you only declare "gateway" _one
time_ or you run into problems.** Rightly or wrongly, I currently
presume that declaration would be made in the first (top) block
(module) of declarations.

Additionally I'm not experienced enough at this to know if there are
instances where that declaration would be a different [number]. If
that situation exists, I could see that being an instance where you
WOULD make two declarations because they don't clash and would be
necessary declarations.

My purpose in jumping in here is to help prevent someone from hitting
unnecessary hair pulling roadblocks in the event anyone goes playing
around with these settings while they're being discussed. And again,
that may or may *not* be true, but it does sound reasonable enough to
share out loud.. :)

You know what, though, I did have two entries in there the other day.
And I found that tip because I was getting the "RTNETLINK answers:
File exists" error that led to that tip (k/t Raspberry Pi @
StackExchange). My firsthand experience is that tip leans towards
being true because I eliminated ALL my homespun entries and am now no
longer receiving *that* particular error message. *grin*

Cindy

-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *

Re: Tableau de bord Mate

[Frédéric MASSOT]

Le 09/09/2016 à 08:35, Txo a écrit :
> Bonjour,
> 
> En ce moment Mate en Sid fait des siennes et chaque jour on perd quelque 
> chose. Caja depuis 2 jours est au abonnés absents. Passage à GTK3 
> serait responsable de tout ça.

MATE sur Debian est passé à GTK3 depuis la version 1.14, ici il s'agit
d'incompatibilité et d'API cassée entre les versions de GTK 3.

La version 1.15.4 de Caja corrige beaucoup de problème avec GTK 3.21 :

http://git.mate-desktop.org/caja/log/

https://github.com/mate-desktop/caja/issues/604
https://github.com/mate-desktop/caja/issues/627
https://github.com/mate-desktop/caja/issues/482

Les développeurs de Caja proposaient de pousser la version 1.15 dans
Debian, le mainteneur Debian préfère attendre la version 1.16


> Mon message n'est pas pour s’apitoyer sur le sort de ceux qui sont en 
> Sid (et l'ont bien cherché).

Debian passe à GTK 3.21, et il semble que GTK 3.21 soit le summum dans
la casse des API. Il n'y a pas que MATE de touché, j'ai un bug de copier
coller dans LibreOffice, j'ai vu aussi des rapports de bug qui touche
Firefox.

La roadmap de MATE pour la version 1.16 va en prendre un coup, les
développeurs passent leur temps à courir après les modifs de GTK3.

D'après les développeurs de GTK, la prochaine version stable sera la 3.22 :

https://blog.gtk.org/2016/09/01/versioning-and-long-term-stability-promise-in-gtk/



-- 
==
|  FRÉDÉRIC MASSOT   |
| http://www.juliana-multimedia.com  |
|   mailto:frede...@juliana-multimedia.com   |
| +33.(0)2.97.54.77.94  +33.(0)6.67.19.95.69 |
===Debian=GNU/Linux===

Re: Jessie & Fixed IP Address

[Joe]

On Fri, 09 Sep 2016 09:12:14 +0100
David  wrote:


> 
> Firstly an apology, I did not realise there was a Debian Jessie and a
> Raspbian Jessie.
> 
> I'm working with Raspbian Jessie.
> 

Debian is the root of many other distributions such as Knoppix and
Ubuntu, and many less famous.

Raspbian is one that rings bells because it is based on the ARM, which
probably no full-sized computer is these days (the Acorn Archimedes
series used it almost thirty years ago). The range of Debian packages
ported to the ARM RISC architecture is significantly smaller than those
for i386 and amd64, so some things have to be done differently. The
limitations of the system-on-chip which composes almost all of the Pi
hardware imposes further limitations, compared to general-purpose
desktop hardware or even laptop hardware. The relatively small storage
space available again imposes restrictions.

So Raspbian may well be quite different to a stock amd64 Jessie,
utilising many of the tricks of older days of computing to make the
best of limited hardware.

-- 
Joe

Re: Problems communicating with and between servers after upgrade - correction

[Clive Menzies]

Please ignore this last message about dovecot - my brain was scrambled. 
I hadn't installed it yet.



On 09/09/16 09:16, Clive Menzies wrote:

On 08/09/16 23:50, Clive Menzies wrote:

On 08/09/16 23:07, Clive Menzies wrote:
This nightmare of expanding problems has been going on for three 
days, since Monday afternoon. Never before have I questioned the 
decision to base our business (and our lives) on Debian and I remain 
a firm advocate. I also recognise that over successive releases, 
accommodating a plethora of configurations becomes harder and that 
at some point a step changes in the foundations of the system are 
required. I'm presuming that the transition to systemd from 
sysv-init was an essential step and understand that backwards 
compatibility becomes more challenging as time goes on.


Just when I thought life couldn't get anymore bizarre, dovecot-imapd 
and core have disappeared off server_M this morning along with the 
config files which had the cert info in. The mail on server_U is 
working fine. I've looked in the apt-log and there's no indication it 
was uninstalled which is not surprising because it was working fine in 
the early hours of this morning.




--
Clive Menzies
http://freecriticalthinking.org

Re: Problems communicating with and between servers after upgrade - correction

[Clive Menzies]

On 08/09/16 23:50, Clive Menzies wrote:

On 08/09/16 23:07, Clive Menzies wrote:
This nightmare of expanding problems has been going on for three 
days, since Monday afternoon. Never before have I questioned the 
decision to base our business (and our lives) on Debian and I remain 
a firm advocate. I also recognise that over successive releases, 
accommodating a plethora of configurations becomes harder and that at 
some point a step changes in the foundations of the system are 
required. I'm presuming that the transition to systemd from sysv-init 
was an essential step and understand that backwards compatibility 
becomes more challenging as time goes on.


Just when I thought life couldn't get anymore bizarre, dovecot-imapd and 
core have disappeared off server_M this morning along with the config 
files which had the cert info in. The mail on server_U is working fine. 
I've looked in the apt-log and there's no indication it was uninstalled 
which is not surprising because it was working fine in the early hours 
of this morning.


--
Clive Menzies
http://freecriticalthinking.org

Re: Jessie & Fixed IP Address

[David]

On Thu, 2016-09-08 at 12:42 -0500, Tim McDonough wrote:
> On 9/8/2016 12:08 PM, David wrote:
> > 
> > I am working with a Raspberry PI running Jessie and I'm not happy
> > about
> > the solutions I found to change it from DHCP to a fixed IP address.
> > 
> > Editing the file /etc/dhcpcd.conf does not seem to work correctly.
> > 
> > Can I go back to the old method of editing /etc/network/interfaces
> > 
> > Or is there a better way of setting a fixed IP on Jessie?
> 
> Raspbian Jessie (not Debian Jessie) uses systemd by default. I found
> the 
> following instructions worked well on my R-Pi 3 board:
> 
>  rry-pi/>
> 
> I too found it really confusing that many of the files we formerly
> used 
> to configure networking are still present but have no effect. I do
> not 
> know what all is involved in re-configuring to not use this newer
> method.
> 
> Tim
> 
Thank you for the replies.

Firstly an apology, I did not realise there was a Debian Jessie and a
Raspbian Jessie.

I'm working with Raspbian Jessie.

Having seen Tim's email I did some further searching and found some
suggestions which are to remove the daemon dhcpcd and edit the
/etc/network/interfaces file.

David.

Re: Using serial console as a poor mans IP kvm?

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, Sep 08, 2016 at 10:26:59PM +0300, Jarle Aase wrote:
> I want to set up a few servers at home. Unfortunately, as I live in
> Bulgaria at the moment, the electric power is gone pretty often for
> longer periods than my UPS'es can deal with. So my servers will have
> to be started at least a few times every quarter.

[...]

> That means that I need to reboot the servers relatively often, and
> provide the luks passwords every time. Some times I am far away when
> this happens [...]

An interesting alternative to the serial console thing is baking
in an SSH server into the initramfs. There are small SSH servers
built for that, like Dropbear.

Upside is that you don't need any additional hardware and it's
pretty well integrated into Debian. Downside is that you need
BIOS, the bootloader and initramfs working (with the serial you
at least get a chance to fix the bootloader remotely).

https://packages.debian.org/sid/dropbear-initramfs
https://wiki.debian.org/RescueInitramfs
https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/

Might be worth a try.

Regards
- -- t
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlfSZVMACgkQBcgs9XrR2kZGNgCfZhrMlouUceQSVJgzimE+b2YG
GokAn0PpEqnw2lgmFiGTu554OQtpt9Wa
=AKQd
-END PGP SIGNATURE-

Re: Using serial console as a poor mans IP kvm?

[Tixy]

On Fri, 2016-09-09 at 08:46 +0300, Lars Noodén wrote:
> I've used USB-to-serial adapters with the Prolific chipset.  They've
> worked fine for me, in various models.  (I haven't tried FTDI and am
> suspicious of them.)

And my experience is the opposite. I have genuine (there's apparently a
lot of fakes) FTDI devices in pretty much daily use for many years
without problems. This is using ser2net on a local network for accessing
serial consoles on ARM based development boards. ser2net will be
insecure telnet or raw port forwarding but if it's not exposed to the
internet and you can ssh tunnel into the local network then that's a lot
better. I've done that method for carrying on working with my boards
whilst across the other side of the world. Of course, a means of power
cycling devices is also essential.

-- 
Tixy

Tableau de bord Mate

[Txo]

Bonjour,

En ce moment Mate en Sid fait des siennes et chaque jour on perd quelque 
chose. Caja depuis 2 jours est au abonnés absents. Passage à GTK3 
serait responsable de tout ça.

Mon message n'est pas pour s’apitoyer sur le sort de ceux qui sont en 
Sid (et l'ont bien cherché).

J'ai dans mon tableau de bord (barre des tâches) des cercles avec un 
chiffre à l'intérieur. J'ai tôt vu ceux en rouge mais je viens de voir 
qu'il y en avait aussi en blanc peu visibles.

Le rouge a un 9 et ne varie pas, les blancs un 1 et un A (je sais, ce 
n'est pas un chiffre).

Si on clique dessus, aucun menu avec n'importe quel bouton de la souris. 
Pas plus avec un double-clic, rien ne se passe. 

Un matephile convaincu peut-il donner la clé de ce mystère ?

Merci.

-- 
-+-  Dominique Marin http://txodom.free.fr -+-
«Celui qui veut tout comprendre, risque de mourir de colère.»
-+- Proverbe arabe -+-

Re: Applet MATÉ

[Txo]

Le 02/09/2016 à 18:07, Yannick a écrit :
> Bonsoir,
> 
> Depuis environ 2 semaines j'ai mon applet "Bulletin météo 1.8.1" qui ne
> fonctionne plus.
> 
> Je suis sous Debian 8 bureau MATÉ Desktop environment 1.8.1
> 
> Ce que j'ai essayé
> Réinitialisation de l'applet (propriété et ou changement de lieu)
> Suppression et rajout
> 
> Qui peut me dire pourquoi cela ne marche plus subitement et
> éventuellement par quoi le remplacer.
> 
> Amitiés
> 
En Sid j'ai retrouvé les données au bout de quelques jours, il semble 
que c'est au niveau du serveur utilisé pour les données qu'il y ait 
eu une interruption.

-- 
-+-  Dominique Marin http://txodom.free.fr -+-
«Celui qui veut tout comprendre, risque de mourir de colère.»
-+- Proverbe arabe -+-