Re: [CentOS] ipsec vpn client advice

2010-12-03 Thread Dan Burkland
Have you tried vpnc?

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] large numbers of linux system user for postfix

2010-11-08 Thread Dan Burkland
On Nov 8, 2010, at 2:30 AM, ahmad riza h nst wrote:

 Hello,
 
 I need to set up a mail server with Postfix + Dovecot + Webmin +
 Virtualmin + virtual users with Linux system users. The virtual users may
 reach thousands of users across several hundred virtual domains.
 
 What I am concerned about is the large number of Linux system users used in
 this setup; is it good or bad?
 Maybe somebody would share their experience with this setup?
 
 Any links would be good.
 
 postfix 2.6.7
 dovecot 2.0.6
 centos 5.x
 webmin + virtualmin
 
 
 Thank you.
 
 -- 
 http://blog.rizahnst.org

I run Postfix 2.6.7 in a similar fashion (virtual domains/users/etc) and it 
works fine on CentOS 5.5 (even with SELinux enabled). Dovecot on the other hand 
threw up some errors in /var/log/audit/audit.log so I had to make a custom 
SELinux module to get it to work properly. Other than that you should be set.

-Dan



[CentOS] Downgrade libgcc & gcc packages (is there a clean way)

2010-08-09 Thread Dan Burkland
Hello all,

I have been tasked with fixing one of our CentOS boxes by somehow downgrading 
the libgcc and gcc packages to a specific version (required by the Oracle Grid 
Control client). Normally I'd just remove and reinstall the packages; however, 
removing libgcc is no fun, as I found out the hard way that it breaks pretty much 
every package, including rpm & yum. Is there an elegant way to downgrade the 
currently installed libgcc & gcc packages?

Thanks,

Dan 




Re: [CentOS] Downgrade libgcc & gcc packages (is there a clean way)

2010-08-09 Thread Dan Burkland
Machine is running 5.3 and somehow both packages got updated to 
libgcc-4.1.2-48.el5 when they need to be libgcc-4.1.2-44.el5. The DBAs here 
perform the Oracle Grid Control client install; however, they said it will not 
install if it detects an incorrect package version.

Thanks again,

Dan 
 


-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Hakan Koseoglu
Sent: Monday, August 09, 2010 1:12 PM
To: CentOS mailing list
Subject: Re: [CentOS] Downgrade libgcc & gcc packages (is there a clean way)

On 9 August 2010 19:06, Dan Burkland dburk...@nmdp.org wrote:
 I have been tasked with fixing one of our CentOS boxes by somehow 
 downgrading the libgcc and gcc packages to a specific version (required by 
 the Oracle Grid Control client). Normally I'd just remove and reinstall the 
 packages; however, removing libgcc is no fun, as I found out the hard way that it 
 breaks pretty much every package, including rpm & yum. Is there an elegant way 
 to downgrade the currently installed libgcc & gcc packages?

Which specific version? Can't you get away with the compat
packages? The rest should be compatible.

-- 
Hakan (m1fcj) - http://www.hititgunesi.org


[CentOS] Disable sendmail and configure mailx to use an external Postfix server?

2010-06-14 Thread Dan Burkland
Is there any way I can disable sendmail on my various machines and configure 
mailx on them to utilize my Postfix SMTP server?

Thanks,

Dan


Re: [CentOS] operation on the client is slow when openldap servers are down

2010-06-10 Thread Dan Burkland

From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
XUFENG
Sent: Thursday, June 10, 2010 3:54 AM
To: centos@centos.org
Subject: [CentOS] operation on the client is slow when openldap servers are down

 
Hi List,
 
OS: centos5.3 x86_64
OpenLDAP is installed using yum.
 
I find that when all the LDAP servers are down and offline, operations on 
the client are slow.
When I try to do `ls` on directories on the client as root, it waits there 
for some seconds. (root is a local account, not one via LDAP.)
But when I power on the openldap servers, it is much better.
 
The configuration on the client:
 
[r...@ ~]# cat /etc/ldap.conf 
base dc=,dc=com
timelimit 1
bind_timelimit 1
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldaps://auth1.xa..com:636 ldaps://auth2.xa..com:636
ssl on
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/cacert.pem
pam_password md5
bind_policy soft
 
[r...@ ~]# cat /etc/openldap/ldap.conf 
URI ldaps://auth1.xa..com:636 ldaps://auth2.xa..com:636
BASE dc=,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
 
[r...@ ~]# cat /etc/nsswitch.conf 
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
 
 
Any suggestions?


I don't know for sure if this will help any, but have you tried nscd to cache 
results? 

-Dan


Re: [CentOS] newer (2.7) Postfix RPM packages for RH

2010-05-28 Thread Dan Burkland

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Rohan Sheth
Sent: Thursday, May 27, 2010 1:10 PM
To: CentOS mailing list
Subject: Re: [CentOS] newer (2.7) Postfix RPM packages for RH

Running postfix 2.7.0 on about 7 machines with CentOS 5.5 from source
works just fine.  Extremely happy with it serving up all sorts of
mail.  Running it with dovecot 1.2.11 and having a blast.

--Rohan
-Original Message-

Rohan,

Are you using the Dovecot RPMs supplied from http://atrpms.net/name/dovecot/? 
Also, do you have SELINUX set to enforcing on your mail server? I tried running 
that RPM and noticed several actions were blocked by SELinux. While I could 
always create my own module, I'd rather not :) 


Re: [CentOS] release of 5.5? (filesystem troubles)

2010-05-14 Thread Dan Burkland

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Karanbir Singh
Sent: Friday, May 14, 2010 6:17 AM
To: CentOS mailing list
Subject: Re: [CentOS] release of 5.5? (filesystem troubles)

On 05/14/2010 12:02 PM, Eero Volotinen wrote:
 5.5 isn't 'out' yet, we're working on getting it to a release stage by
 close of play today.

 err: looks like 5.5 image is downloadable from:


Till such time as centos/5/ points to 5.5/ we strongly discourage people 
from installing those ISOs. At the moment that switch has not happened, 
and most sensible people will hold out the next 8 - 10 hrs.

- KB

Thanks for the heads up; I'm excited to hopefully get some testing completed 
this weekend :)


Re: [CentOS] Upgrading to 2.6.32

2010-05-03 Thread Dan Burkland
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
James Pearson
Sent: Sunday, May 02, 2010 5:54 PM
To: CentOS mailing list
Subject: Re: [CentOS] Upgrading to 2.6.32

mailli...@gmail.com wrote:
   dag, thanks for the article. I'm tempted to rebuild a 2.6.18 kernel 
without
 the patches that disable fs-cache. It's hard to tell if Redhat abandoned it
 because it was unstable or because it was too much trouble to maintain
 something they thought might never make the mainline kernel.

I believe the FS-Cache code wasn't removed from the RHEL 5.x kernels - 
it was just the fsc option that was disabled in the kernel mount options 
and also disabled in nfs-utils (mount.nfs) as well.

It would be quite easy to remove this kernel patch and rebuild a kernel 
(and rebuild nfs-utils, or use a version of mount.nfs from 5.2) - 
however, the FS-Cache code in these kernels is now quite old and very 
likely to be buggy - Red Hat has not updated the kernel code to match the 
mainline kernels since 5.2.

Personally, I would wait for CentOS 6 - but even then, FS-Cache is 
currently classed as a 'preview' technology in the RHEL 6.0 beta

James Pearson


Thanks for the informative post; I was a bit puzzled at first after reading the 
previous postings regarding this topic, as I have seen the "FS-Cache: Loaded" 
message every time I log in as a user whose home directory has been automounted.


Re: [CentOS] Release 6?

2010-03-31 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Paul Stuffins
 Sent: Wednesday, March 31, 2010 12:49 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] Release 6?
 
  thus Paul Stuffins spake:
  Has RedHat even released RHEL6?
 
  Nope. But it's all over town that Red Hat might conduct one or more
  public (!) beta tests of RHEL within the next several weeks (mind Red
  Hat Summit in June).
 
 I didn't think they had, hence no CentOS6.
 
 I have actually just been reading a thread about RHEL6 on
 LinuxQuestions.org and they are saying that it is looking like a
 release of RHEL6 will turn up at the end of this year as RH are
 hammering through bugs that have, apparently, been in Fedora since
 Fedora 7.

I'd better get my RHCE taken soon then :)


Re: [CentOS] /mnt/sysimage/dev folder in rescue mode

2010-03-25 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Nicolas Thierry-Mieg
 Sent: Thursday, March 25, 2010 8:55 AM
 To: CentOS mailing list
 Subject: Re: [CentOS] /mnt/sysimage/dev folder in rescue mode
 
 Mogens Kjaer wrote:
  If I boot C5 from DVD in rescue mode,
  chroot to /mnt/sysimage, and try to do a
  grub-install /dev/sda it will fail because
  the /dev folder is empty (in the chroot environment).
 
  Until now I've then created the missing nodes manually,
  but is there a smarter way of doing this? Some devfs
  that needs to be mounted on top of /dev?
 
 
 won't this work?
 grub-install --root-directory=/mnt/sysimage

Once fully booted into the rescue environment I do the following:

a) mount /dev/sda1 /mnt/sysimage/ (replace /dev/sda1 with your root partition 
or logvol)
b) mount -o bind /dev /mnt/sysimage/dev
c) mount -o bind /sys /mnt/sysimage/sys
d) mount -o bind /proc /mnt/sysimage/proc
e) chroot /mnt/sysimage

Regards,

Dan


Re: [CentOS] generate certificate help

2010-03-25 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Miguel Medalha
 Sent: Thursday, March 25, 2010 10:57 AM
 To: CentOS mailing list
 Subject: Re: [CentOS] generate certificate help
 
 Maybe this will help:
 
 http://www.ibm.com/developerworks/lotus/library/ls-
 Certification_Authority/index.html
 

CentOS provides a wrapper script that allows a user to easily create their own 
CA. To create your own CA, perform the following steps:

1) /etc/pki/tls/misc/CA -newca (respond to all prompts)
2) Now that your CA is created, you can generate cert requests by 
running the following command: /etc/pki/tls/misc/CA -newreq 
3) With the request now created, sign it by running /etc/pki/tls/misc/CA -sign

Move the newly created key & cert files to the designated directory and 
reference their location in your app configuration.

Dan Burkland


Re: [CentOS] sed help

2010-03-09 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Paul Heinlein
 Sent: Tuesday, March 09, 2010 11:08 AM
 To: CentOS mailing list
 Subject: Re: [CentOS] sed help
 
 On Tue, 9 Mar 2010, chloe K wrote:
 
  Hi
 
  Can I know how to use sed to substitute 2 instead of 1 at the same time?
 
  eg:
 
  sed 's/pchloe.com/abc.com/ ; /192.92.123.5/10.10.0.3/g' orgfile > newfile
 
 sed \
     -e 's/pchloe\.com/abc.com/g' \
     -e 's/192\.92\.123\.5/10.10.0.3/g' \
     orgfile > newfile
 
 --
 Paul Heinlein  heinl...@madboa.com  http://www.madboa.com/

You can also use semicolons, for example:

sed 's/pchloe.com/abc.com/; s/192.92.123.5/10.10.0.3/g' orgfile > newfile

Dan


Re: [CentOS] strange su behavior

2010-03-08 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Uwe Kiewel
 Sent: Monday, March 08, 2010 2:17 PM
 To: centos@centos.org
 Subject: [CentOS] strange su behavior
 
 
 Hi,
 
 I have a strange su behavior on a CentOS 5.4 32-bit installation in a
 VMware ESXi virtualized environment:
 
 If I am root and want to change the user to a non-root user, the system
 prompts me for a password:
 
 
 [r...@halifax ~]# useradd test00
 [r...@halifax ~]# su - test00
 
 
 We trust you have received the usual lecture from the local System
 Administrator. It usually boils down to these three things:
 
 #1) Respect the privacy of others.
 #2) Think before you type.
 #3) With great power comes great responsibility.
 
 Password:
 
 [tes...@halifax ~]$ logout
 [r...@halifax ~]# su - test00
 [tes...@halifax ~]$ logout
 [r...@halifax ~]#
 
 
 In this test procedure I just hit the enter key at the password prompt.
 
 
 Do you have any idea about this behavior? I expect to do so from root to
 any account _without_ being prompted for the password.
 
 Thanks,
   Uwe

Have you tried just running su without the dash and space before the username? 
(For example: su test00). If not try that and let us know if you receive the 
same result.

Regards,

Dan


Re: [CentOS] Intrusion Detection

2010-03-05 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Nux
 Sent: Friday, March 05, 2010 1:51 PM
 To: centos@centos.org
 Subject: Re: [CentOS] Intrusion Detection
 
 On Thu, 4 Mar 2010, Dan Burkland wrote:
 
  Hello all,
 
  I have been exploring the various intrusion detection systems available
 for the Linux platform and was wondering which ones you all would
 recommend. I have used AIDE before and, while it is extremely easy to
 set up, it does not support the ability to send alerts as files are changed
 (which allows one to be aware of an intrusion almost immediately).
 
  Thank you,
 
  Dan Burkland
 
 
 
 Try OSSEC, seems nice.

Thank you all for your suggestions. I have been evaluating OSSEC so far and 
like it quite a bit. I just need to figure out how to get it to email me 
nightly reports of all modifications to the file system, like I did 
with AIDE.


[CentOS] Intrusion Detection

2010-03-04 Thread Dan Burkland
Hello all,

I have been exploring the various intrusion detection systems available for the 
Linux platform and was wondering which ones you all would recommend. I have used 
AIDE before and, while it is extremely easy to set up, it does not support the 
ability to send alerts as files are changed (which allows one to be aware of an 
intrusion almost immediately).

Thank you,

Dan Burkland
 


Re: [CentOS] LDAP Server Access Problem

2010-02-23 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Craig White
 Sent: Monday, February 22, 2010 6:25 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] LDAP Server Access Problem
 
 On Mon, 2010-02-22 at 07:47 -0600, Dan Burkland wrote:
 
 
  I can confirm that indeed ldaps still works fine as I recently
 implemented such a setup on my network a few months ago (OpenLDAP).
 
 doing a new setup using methodologies that have already been tagged as
 deprecated seems to be a really bad idea. Even though it currently
 works, you can be certain that at some point down the road, it will
 cease to work... that is what deprecated means.
 
 Craig
 
 
 

I am well aware of that; it was my first OpenLDAP setup :) Hopefully sooner 
rather than later I'll be able to migrate my systems to use TLS over 389 
instead of SSL over 636. 


Re: [CentOS] LDAP Server Access Problem

2010-02-22 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Craig White
 Sent: Monday, February 22, 2010 12:23 AM
 To: CentOS mailing list
 Subject: Re: [CentOS] LDAP Server Access Problem
 
 On Sun, 2010-02-21 at 22:48 -0700, Paul R. Ganci wrote:
  Hi All,
 
  I am at my wits end. I have a LDAP server setup on a machine (the names
  are changed to protect the innocent) example.mydomain.com running CentOS
  5.4 and LDAP version 2.3.43-3. If I issue a ldapsearch command while
  logged onto the LDAP server host I get a valid response back. For
  example:
 
   ldapsearch -x -LLL -H ldaps://example.mydomain.com:636 (uid=joker) \
   sn uid
  dn: uid=joker,ou=People,dc=mydomain,dc=com
  uid: joker
  sn: Nicholson
 
  Everything works as expected. However if I try the same command from a
  remote machine remote.mydomain.com the command just hangs. I can not
  find a log entry anywhere that indicates something is wrong. I have
  checked the obvious things I can check. For example I know that port 636
  is open:
 
   /etc/rc.d/init.d/iptables status | grep 636
  110  ACCEPT tcp  --  0.0.0.0/0  208.139.195.124  state
  NEW,ESTABLISHED tcp dpt:636
  111  ACCEPT udp  --  0.0.0.0/0  208.139.195.124  state
  NEW,ESTABLISHED udp dpt:636
 
  I have enabled access via /etc/hosts.allow:
   cat /etc/hosts.allow | grep slapd
  slapd: ALL
 
  I can see the server running and listening on port 636:
   netstat -l | grep ldaps
  tcp        0      0 *:ldaps   *:*   LISTEN
  tcp        0      0 *:ldaps   *:*   LISTEN
 
   ps auxww | grep slapd
  ldap 21865  0.0  0.2 467976  5860 ?   Ssl  19:54
  0:02 /usr/sbin/slapd -h ldap:/// ldaps:/// -u ldap
 
  I am missing something very obvious. Can anyone offer any clues? Thanks.
 
 ldap ssl is deprecated but should actually still work.
 
 Do you actually have to specify the port number? I don't think so...
 
 -H ldaps://example.mydomain.com
 should be sufficient
 
 The preferred method is TLS (via standard -h ldap://example.mydomain.com
 uri notation)
 
 Note that ldap 'client' applications like ldapsearch
 use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
 used by the 2 machines are different.
 
 add -d 256 (or even higher debug level) to the ldapsearch command for
 debugging - I'm not going to hazard any actual guesses.
 
 Craig
 
 
 
---

I can confirm that indeed ldaps still works fine, as I recently implemented such 
a setup on my network a few months ago (OpenLDAP). Make sure the clocks on both 
machines are in sync, as clock skew will cause problems with the certs (for 
example, if the cert was generated in the future). Also, what was your process 
in creating certificates for your LDAP infrastructure?


Re: [CentOS] NFS client firewall config?

2010-02-19 Thread Dan Burkland
NFSv4 support is already compiled into the CentOS kernel so no extra 
installation is necessary. To force NFSv4 on the server set the following 
options in /etc/sysconfig/nfs:

a) MOUNTD_NFS_V2=no
b) MOUNTD_NFS_V3=no
c) RPCNFSDARGS="-N 2 -N 3"

Dan


[CentOS] Clustering apache

2010-02-17 Thread Dan Burkland
I'm a greenhorn when it comes to clustering in RHEL/CentOS and recently set up 
an active/standby cluster using Apache & Heartbeat. It seems to be a good 
entry step into clustering; however, after testing it I was disappointed that 
the resource manager does not start httpd on node2 if httpd on node1 is dead 
(it only starts httpd on node2 if the heartbeat daemon on node1 is dead). Is there 
any way to achieve this setup, if not with Heartbeat then with some other HA 
solution?

Thank you!

Dan


Re: [CentOS] Clustering apache

2010-02-17 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Les Mikesell
 Sent: Wednesday, February 17, 2010 10:37 AM
 To: centos@centos.org
 Subject: Re: [CentOS] Clustering apache
 
 On 2/17/2010 10:27 AM, Dan Burkland wrote:
  I'm a greenhorn when it comes to clustering in RHEL/CentOS and recently
  set up an active/standby cluster using Apache & Heartbeat. It seems to
  be a good entry step into clustering; however, after testing it I was
  disappointed that the resource manager does not start httpd on node2
  if httpd on node1 is dead (it only starts httpd on node2 if the heartbeat
  daemon on node1 is dead). Is there any way to achieve this setup, if not
  with Heartbeat then with some other HA solution?
 
 You can write your own service test(s) that would trigger failover (or
 just restart the failed service...).  Just do a 'service heartbeat stop'
 if you want the primary to hand off to the backup quickly.
 
 --
Les Mikesell
 lesmikes...@gmail.com

Thank you all for your replies. In researching Linux clustering more, I have 
discovered several other applications out there (primarily Pacemaker, OpenAIS, 
and Corosync). While I want to use Pacemaker as my resource manager, I am 
confused about OpenAIS & Corosync. Is OpenAIS legacy and Corosync the new 
current iteration? 

Thanks again for your help!


Re: [CentOS] Anyone using Active Directory auth with Centos 5.4.....?

2010-02-10 Thread Dan Burkland
  -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of JohnS
 Sent: Wednesday, February 10, 2010 1:31 AM
 To: CentOS mailing list
 Subject: Re: [CentOS] Anyone using Active Directory auth with Centos
 5.4.?
 
 
 On Tue, 2010-02-09 at 14:21 -0700, Craig White wrote:
  On Tue, 2010-02-09 at 18:08 +, Joseph L. Casale wrote:
   This looks like the way to go, I don't like the username /pass stored
 in plain text but maybe if I create a special group that doesn't really
 have any privileges this would work, geez AD is just plain bad...lol,
 Thanks.
  
   I guess you think insecure would be better? If I understand your need,
 you want
   to make AD insecure, so please enable anonymous binds so you don't
 need a user/pass
   to make the query:)
  
   Or program your own auth backend that binds with the intended creds
 asking for auth:)
   Oh, and do this w/o tls/ssl because you want it insecure:)
  
  seems to me that permitting an anonymous bind to LDAP is inherently more
  secure than requiring a user/password combination so I don't think that
  your explanation is exactly true. In Microsoft's view, the only systems
  querying LDAP would be systems automatically passing the authentication.
 
  Craig
 
 
 Yes it is true, you have to have that for it to work correctly.
 
 John
 

I apologize if this has been mentioned before, but one option would be to use 
Apache's Kerberos module for authentication. See the module's SourceForge page 
here -- http://modauthkerb.sourceforge.net/configure.html

Regards,

Dan


Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

2010-02-09 Thread Dan Burkland
From: centos-boun...@centos.org [centos-boun...@centos.org] On Behalf Of Ross 
Walker [rswwal...@gmail.com]
Sent: Tuesday, February 09, 2010 4:08 PM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server   
2008r2)

On Tue, Feb 9, 2010 at 3:23 PM, Joseph L. Casale
jcas...@activenetwerx.com wrote:
That RID map feature of samba is great.

 Forgot about that, AFAIK, you can do that w/ SFU & pam mods.

 I have two Samba servers left that I want to get rid of:)

You can do it with SFU, but SFU doesn't create UID/GIDs for existing
users, you have to do those manually.

Then there is the whole issue of maintaining those IDs over a long
period of time.

Also with RID mapping I can map different domains into different ID ranges.

10 - 19 first domain
20 - 29 second domain

And so on.

You know you don't need the full Samba install to setup a winbind-NIS
server, just the Samba client will do.

Then have your Linux boxes using NIS+Kerberos and only 1-2 boxes need to
have a smb.conf and winbind running.

NIS is only as secure as the network it runs on. If it bumps against
public networks (unsecure wifi so on) use 802.11 authentication.

-Ross

For anybody wanting to know how to go the LDAP Route I found an interesting 
article in the linux.com archives
http://www.linux.com/archive/feed/40983

Thanks again guys for your input.

Dan


Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

2010-02-07 Thread Dan Burkland



From: centos-boun...@centos.org [centos-boun...@centos.org] On Behalf Of Jeff 
[jlar...@gmail.com]
Sent: Sunday, February 07, 2010 9:20 AM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server   
2008r2)

On Fri, Feb 5, 2010 at 6:25 PM, Joseph L. Casale
jcas...@activenetwerx.com wrote:
wbinfo -u & wbinfo -g do indeed work for me; however, getent passwd or getent 
group returns no AD users or groups. I have winbind entries in nsswitch for 
both the passwd & group entries. Joseph, I will try a newer RPM from a 
different repository and see if that resolves my issues. Did my smb.conf look 
ok?

 getent doesn't need to return data for this to work, just wbinfo.
 It's likely the issue I spoke of, aside from the winbind entries
 in smb.conf that allow local logon.

 Take my advice:
 yum erase samba == uber happiness

 Get ldap working, no interop issues with the old samba version in rhel and
 newer ms servers. Plus you will be using something forward compatible that
 a txt edit could likely fix in the event something drastic changed in the
 schema and search filters for example had to change.

+1

We've been using nss_ldap against AD for years. It's never a problem.

Jeff

Version 3.4.5 of Samba did end up resolving the issue I was having, and now AD 
users can log in to the box. I am, however, interested in going the LDAP route, 
mainly for the forward compatibility reason stated by Jeff. Is there anything 
special I need to do on the DC for the LDAP authentication to work? 

Thanks,

Dan


Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

2010-02-05 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Christopher Chan
 Sent: Thursday, February 04, 2010 10:59 PM
 To: centos@centos.org
 Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server
 2008r2)
 
 
 On Friday, February 05, 2010 12:45 PM, Dan Burkland wrote:
  I am indeed using winbind. While I am not new to CentOS, I am a greenhorn
 when it comes to Winbind. What log is considered the main Winbind log?
 (perhaps /var/log/samba/winbind.log?) Also, I have posted my smb.conf on
 pastebin: http://centos.pastebin.com/f5b4406a7
 
 
 Does either 'wbinfo -u' or 'wbinfo -g' work for you?
 
 If they do, do you have entries in nsswitch.conf for winbind?
 
  Hey All,
 
  Just wondering if any of you have been able to setup CentOS 5.4 to
 authenticate against AD on a Server 2008r2 Domain Controller. I am trying
 to complete this particular setup however I have run into some
 difficulties such as not being able to lookup domain users via getent
 passwd.
 
 
 
  Are you using winbind? What do the logs for winbind say?

wbinfo -u & wbinfo -g do indeed work for me; however, getent passwd or getent 
group returns no AD users or groups. I have winbind entries in nsswitch for 
both the passwd & group entries. Joseph, I will try a newer RPM from a 
different repository and see if that resolves my issues. Did my smb.conf look 
ok?

Thanks again guys,

Dan


[CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

2010-02-04 Thread Dan Burkland
Hey All,

Just wondering if any of you have been able to set up CentOS 5.4 to authenticate 
against AD on a Server 2008r2 Domain Controller. I am trying to complete this 
particular setup; however, I have run into some difficulties, such as not being 
able to look up domain users via getent passwd. 

Thanks for your input,

Dan


Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)

2010-02-04 Thread Dan Burkland
I am indeed using winbind. While I am not new to CentOS I am a greenhorn when 
it comes to Winbind. What log is considered the main Winbind log? (perhaps 
/var/log/samba/winbind.log?) Also. I have posted my smb.conf on pastebin: 
http://centos.pastebin.com/f5b4406a7

Thanks again for your help,

Dan

From: centos-boun...@centos.org [centos-boun...@centos.org] On Behalf Of 
Christopher Chan [christopher.c...@bradbury.edu.hk]
Sent: Thursday, February 04, 2010 10:30 PM
To: centos@centos.org
Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 
2008r2)

On Friday, February 05, 2010 12:20 PM, Dan Burkland wrote:
 Hey All,

 Just wondering if any of you have been able to setup CentOS 5.4 to 
 authenticate against AD on a Server 2008r2 Domain Controller. I am trying to 
 complete this particular setup however I have run into some difficulties such 
 as not being able to lookup domain users via getent passwd.



Are you using winbind? What do the logs for winbind say?


Re: [CentOS] Kerberos integration in directory server

2010-01-27 Thread Dan Burkland
 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of nimmerm...@chello.at
 Sent: Wednesday, January 27, 2010 6:29 AM
 To: centos@centos.org
 Subject: [CentOS] Kerberos integration in directory server
 
   -Original Message-
  From: centos-bounces at centos.org [mailto:centos-bounces at
 centos.org] On
  Behalf Of nimmermehr at chello.at
  Sent: Tuesday, January 26, 2010 6:23 AM
  To: centos at centos.org
  Subject: [CentOS] Kerberos integration in directory server
 
  Hi,
 
  Got some issues regarding Kerberos and Directory Server and hope
 someone
  can help me out.
  Used these for the configuration:
  http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-
 kerberos.html
  http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
 
  Server : CentOS 5.4 with Kerberos and Directory Server installed
  Client : CentOS 5.4
 
  I use putty to connect to the client, which authenticates against the
  server.
  Using Kerberos or LDAP worked perfectly (using system-config-
  authentication on the client for configuration)
 
  The only thing that doesn't seem to work is the kerberized version of
 the
  login via LDAP on the directory Server. Shouldn't I get a Kerberos
 ticket
  for that ? If I activate kerberos AND ldap in system-config-
 authentication
  it fails :
 
  Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass;
 user
  unknown
  Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication
  failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
  Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error
  retrieving information about user testuser
  Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user
  testuser from 192.168.0.1 port 1142 ssh2
 
  I followed the instructions here :
  http://directory.fedoraproject.org/wiki/Howto:Kerberos
 
  Maybe I just didn't get it ;)
 
  Thanks in advance,
 
  Peter
 
 My setup is a tad different than yours in that I integrated MIT Kerberos
 with OpenLDAP. While our configurations are different I'm sure you're
 trying for kerberized logins (System authenticates against Kerberos and
 pulls account information from LDAP). If so here are some items you may
 want to verify you have included in your system-auth config file.
 
 auth     sufficient  pam_krb5.so use_first_pass
 auth     sufficient  pam_unix.so nullok try_first_pass
 
 account  sufficient  pam_ldap.so
 account  required    pam_unix.so
 
 password sufficient  pam_krb5.so
 password sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 
 session  optional    pam_keyinit.so revoke
 session  optional    pam_krb5.so
 
 Dan
 
 Just to see if I understood it correctly :
 It is mandatory that every LDAP-User has a functional Kerberos-login (user
 and PW). Is it possible for such a user to access a server that only has
 ldap for authentication and checks against the LDAP-Server ?
 
 About testing : How can I check if the information is pulled out of ldap ?
 
 Thanks in advance :)
 
 Peter

If you are utilizing Kerberos on the authentication part of the process then 
you need the user to exist in LDAP also as Kerberos cannot hold Unix account 
information (UID #, GID#, etc). I'm not too certain on where Directory Server 
stores its log files but you should be able to check there for lookups for 
username around the time of attempted login.  

Dan 


Re: [CentOS] Kerberos integration in directory server

2010-01-26 Thread Dan Burkland
  -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of nimmerm...@chello.at
 Sent: Tuesday, January 26, 2010 6:23 AM
 To: centos@centos.org
 Subject: [CentOS] Kerberos integration in directory server
 
 Hi,
 
 Got some issues regarding Kerberos and Directory Server and hope someone
 can help me out.
 Used these for the configuration:
 http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
 http://www.redhat.com/docs/manuals/dir-server/8.1/install/index.html
 
 Server : CentOS 5.4 with Kerberos and Directory Server installed
 Client : CentOS 5.4
 
 I use putty to connect to the client, which authenticates against the
 server.
 Using Kerberos or LDAP worked perfectly (using system-config-
 authentication on the client for configuration)
 
 The only thing that doesn't seem to work is the kerberized version of the
 login via LDAP on the directory Server. Shouldn't I get a Kerberos ticket
 for that ? If I activate kerberos AND ldap in system-config-authentication
 it fails :
 
 Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): check pass; user
 unknown
 Jan 25 13:24:59 monarch sshd[3947]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1
 Jan 25 13:24:59 monarch sshd[3947]: pam_succeed_if(sshd:auth): error
 retrieving information about user testuser
 Jan 25 13:25:01 monarch sshd[3947]: Failed password for invalid user
 testuser from 192.168.0.1 port 1142 ssh2
 
 I followed the instructions here :
 http://directory.fedoraproject.org/wiki/Howto:Kerberos
 
 Maybe I just didn't get it ;)
 
 Thanks in advance,
 
 Peter

My setup is a tad different than yours in that I integrated MIT Kerberos with 
OpenLDAP. While our configurations are different I'm sure you're trying for 
kerberized logins (System authenticates against Kerberos and pulls account 
information from LDAP). If so here are some items you may want to verify you 
have included in your system-auth config file.

auth     sufficient  pam_krb5.so use_first_pass
auth     sufficient  pam_unix.so nullok try_first_pass

account  sufficient  pam_ldap.so
account  required    pam_unix.so

password sufficient  pam_krb5.so
password sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok

session  optional    pam_keyinit.so revoke
session  optional    pam_krb5.so

Dan


[CentOS] rsyslog v3 RPM for CentOS/RHEL

2010-01-05 Thread Dan Burkland
Hello all,

I have been doing some research on integrating rsyslog with GSSAPI 
authentication. I have discovered that the current version of rsyslog available 
in the repository does not support GSSAPI. I am wondering if any of you bright 
individuals out there have discovered an rsyslog v3 RPM. If worst comes to 
worst I can always make my own RPM however this would greatly save me some time.

Thanks all,

Dan Burkland



[CentOS] RHCE

2009-12-29 Thread Dan Burkland
I realize this is a CentOS mailing list but because it is based directly on 
RHEL, I would assume there are a few individuals who frequent the list that 
have passed the RHCE exam. I plan on taking the exam this March and was 
wondering if there are any tips you RHCEs out there could provide that may help 
me.

Thanks!

Dan



Re: [CentOS] RHCE

2009-12-29 Thread Dan Burkland
Currently I work in the helpdesk however I run a virtualized CentOS network at 
home where all my testing takes place (Apache, BIND, MIT Kerberos w/ LDAP 
integration, OpenLDAP, NFSv4 with krb auth, Puppet). I am planning on taking 
the rapid track course which sounds like an invaluable refresher. Thanks for 
all of the recommendations, I appreciate it.

Regards, 

Dan Burkland
 


 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Michel van Deventer
 Sent: Tuesday, December 29, 2009 12:55 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] RHCE
 
 On Tue, 2009-12-29 at 12:06 -0600, Dan Burkland wrote:
  I realize this is a CentOS mailing list but because it is based
  directly on RHEL, I would assume there are a few individuals who
  frequent the list that have passed the RHCE exam. I plan on taking the
  exam this March and was wondering if there are any tips you RHCEs out
  there could provide that may help me.
 Well, there's at least one RHCE (and RHCA) on this list :)
 But we (and you when you take the exam) are not allowed to talk about
 it. If you haven't booked it yet, try to get the 'rapid track' course
 with exam, it takes you through the whole system and gets you up to
 speed on a lot of subjects you might not be using everyday (I do not
 know what you are doing for a job, but I can imagine that you don't use
 every aspect of RHEL (or CentOS) on a daily basis).
 If you are VERY experienced you can try to take the exam without
 preparation, it is performance based as Red Hat calls it. See
 http://www.redhat.com/certification/rhce/ for more information and some
 prep questions.
 
   Regards,
 
   Michel (RHCE #804006422520400)
 
 
 
 


Re: [CentOS] Kerberos + NFSv4 difficulties

2009-12-03 Thread Dan Burkland
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Miguel Di Ciurcio Filho
Sent: Thursday, December 03, 2009 5:37 AM
To: CentOS mailing list
Subject: Re: [CentOS] Kerberos + NFSv4 difficulties

Dan Burkland wrote:
 
 d.   SECURE_NFS = yes
 

Uncomment these lines for much more verbose logging in 
/etc/sysconfig/nfs:

RPCGSSDARGS=-vvv
RPCSVCGSSDARGS=-vvv

 
 a.   Dec  2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in 
 gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide 
 more information - No principal in keytab matches desired name
 
 b.   Dec  2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain 
 credentials for 'nfs'
 
 c.   Dec  2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root 
 (machine) credentials
 
 d.   Dec  2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab 
 entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?
 

Double check your /etc/krb5.keytab. On the server it must have the 
nfs/server.example.net key and on the client it must have 
nfs/client.example.net.


In idmapd.conf, leave it as the default:
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch

Believe me, I've tried to understand[1] why Domain must be localdomain 
but I've not been lucky.

Regards,

Miguel

[1] http://linux-nfs.org/pipermail/nfsv4/2009-September/011369.html

I made the requested changes and when I start the nfs services (/etc/init.d/nfs 
start) I get the same error messages. I made sure that I have used kinit 
nfs/nfs.example.net -k -t /etc/krb5.keytab and verified that the principal was 
loaded by using klist. I have disabled SELinux & iptables to make sure that 
neither are interfering with this. Thanks again for the help!

Dan Burkland
NMDP Helpdesk Technician
3001 Broadway Street N. E. Suite 100, Minneapolis, MN 55413-1753 
 
Phone (612) 362-3411 Toll Free: (800) 526-7809 Ext. 8123


Re: [CentOS] Kerberos + NFSv4 difficulties

2009-12-03 Thread Dan Burkland
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Dan Burkland
Sent: Thursday, December 03, 2009 11:44 AM
To: CentOS mailing list
Subject: Re: [CentOS] Kerberos + NFSv4 difficulties


I finally figured out what the heck was causing the problem, it was the 
following line in my /etc/hosts file:
127.0.0.1   localhost localhost.localdomain nfs.example.net nfs

Once I removed the nfs.example.net & nfs entries the rpc.svcgssd service 
started fine.

Regards,

Dan
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] Kerberos + NFSv4 difficulties

2009-12-02 Thread Dan Burkland
Hey All,

I recently have been trying to setup an NFSv4 share that utilizes Kerberos. My 
experience in general with NFS is very slim however I feel like I am very close 
to getting this project completed. Currently I have the following things in 
place:
1) NFS server nfs.example.net (VM#2) - Running CentOS 5.4 with all of the 
latest updates and NFS-related packages
2) Kerberos KDC running on Kerberos.example.net (VM#1) - Running CentOS 5.4 
with all of the latest updates
3) NFS client nfs-client.example.net (VM#3) - Running CentOS 5.4 with all of 
the latest updates

Before I give you the error message I receive when I enable NFS, I'll first 
describe my setup process.

1)   Verified Kerberos works on all machines by attempting a kinit testuser 
which worked properly.
2)   Verified that the clocks on all machines represent the same time 
(synced using a local NTP server)
3)   Created a service principal for nfs.example.net by performing the 
following commands on the nfs.example.net machine: - (Performed on NFS server)
a.   kadmin (Logged in as an admin principal)
b.   addprinc -randkey nfs/nfs.example.net
c.   ktadd -e des-cbc-crc:normal nfs/nfs.example.net
d.   quit
e.   kinit nfs/nfs.example.net -k -t /etc/krb5.keytab
f. klist to verify
4)   Edited /etc/idmapd.conf with the following changes: - (Performed on 
NFS server)
a.   changed Nobody-{User,Group} to nfsnobody
b.   changed Domain to nfs.example.net
5)   Mkdir /nfs/ - (Performed on NFS server)
6)   Added the following to /etc/exports - (Performed on NFS server)
a.   /nfs gss/krb5p(rw,sync,fsid=0)
7)   exportfs -rv - (Performed on NFS server)
8)   Verified all relevant nfs services were stopped - (Performed on NFS 
server)
9)   Uncommented and made the following changes to /etc/sysconfig/nfs - 
(Performed on NFS server)
a.   MOUNTD_NFS_V1=no
b.   MOUNTD_NFS_V2=no
c.   RPCNFSDARGS=-N 2 -N 3 -U
d.   SECURE_NFS = yes
10)   /etc/init.d/portmap start; /etc/init.d/rpcidmapd start; /etc/init.d/nfs 
start - (Performed on NFS server)
11)   And I receive the following output when the nfs service starts:
a.   Starting RPC svcgssd: FAILED
b.   Starting NFS Services: OK
c.   Starting NFS quotas: OK
d.   Starting NFS daemon: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 
state recovery directory
e.   NFSD: starting 90-second grace period
f. Starting NFS mountd: OK
12)   I then checked /var/log/messages to find the following log entries:
a.   Dec  2 12:16:51 nfs rpc.svcgssd[6018]: ERROR: GSS-API: error in 
gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more 
information - No principal in keytab matches desired name
b.   Dec  2 12:16:51 nfs rpc.svcgssd[6018]: Unable to obtain credentials 
for 'nfs'
c.   Dec  2 12:16:51 nfs rpc.svcgssd[6018]: unable to obtain root (machine) 
credentials
d.   Dec  2 12:16:51 nfs rpc.svcgssd[6018]: do you have a keytab entry for 
nfs/your.host@YOUR.REALM in /etc/krb5.keytab?

I seem to be stuck at this point and would appreciate your insight.

Thank you,

Dan
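The setup steps above, together with the fix Dan later posted (nfs.example.net sitting on the 127.0.0.1 line of /etc/hosts), suggest two checks worth running before starting rpc.svcgssd. The script below is an added example, not code from the thread; it assumes a keytab listing in `klist -kt` format, uses constructed sample files, and the explanation of why the loopback entry breaks credential acquisition is my reasoning about resolver canonicalisation, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for a Kerberized
# NFSv4 server, meant to run before starting rpc.svcgssd. The hosts files and
# the klist listing built below are constructed samples; on a real server use
# /etc/hosts and the output of `klist -kt /etc/krb5.keytab`.

# Exit 0 when the server's FQDN or short name appears on a loopback line.
# The GSS library canonicalises the local hostname through the resolver; when
# /etc/hosts puts that name on the 127.0.0.1 line, the canonical name handed
# back is the first name on that line (localhost), so the credential wanted
# becomes nfs/localhost@REALM, which no keytab entry matches ("No principal
# in keytab matches desired name"). This is the likely mechanism, stated as
# an assumption.
hosts_maps_name_to_loopback() {
    hosts_file=$1
    fqdn=$2
    short=${fqdn%%.*}
    sed 's/#.*//' "$hosts_file" | awk -v f="$fqdn" -v s="$short" '
        $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == f || $i == s) bad = 1
        }
        END { if (bad) exit 0; exit 1 }'
}

# Exit 0 when a `klist -kt` listing (saved to a file) contains the principal.
# The principal is always the last field of a key line in that format.
keytab_lists_principal() {
    listing=$1
    principal=$2
    awk -v p="$principal" '$NF == p { found = 1 } END { if (found) exit 0; exit 1 }' "$listing"
}

# Run both checks; print each finding and return the number of problems
# (0 means rpc.svcgssd should be able to acquire nfs/<fqdn>@<realm>).
preflight() {
    hosts_file=$1; listing=$2; fqdn=$3; realm=$4
    problems=0
    if hosts_maps_name_to_loopback "$hosts_file" "$fqdn"; then
        echo "PROBLEM: $fqdn is on a loopback line in $hosts_file"
        problems=$((problems + 1))
    fi
    if ! keytab_lists_principal "$listing" "nfs/$fqdn@$realm"; then
        echo "PROBLEM: nfs/$fqdn@$realm is not in the keytab listing $listing"
        problems=$((problems + 1))
    fi
    return $problems
}

# --- constructed samples: the broken /etc/hosts from the thread, a fixed one,
# --- and a klist -kt listing holding only the nfs service key.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hosts.broken" <<'EOF'
127.0.0.1   localhost localhost.localdomain nfs.example.net nfs
EOF
cat > "$SAMPLE_DIR/hosts.fixed" <<'EOF'
127.0.0.1   localhost localhost.localdomain
192.0.2.10  nfs.example.net nfs    # constructed address (TEST-NET-1)
EOF
cat > "$SAMPLE_DIR/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/02/09 11:58:01 nfs/nfs.example.net@EXAMPLE.NET
EOF

for hosts in hosts.broken hosts.fixed; do
    echo "== checking $hosts =="
    if preflight "$SAMPLE_DIR/$hosts" "$SAMPLE_DIR/klist.out" nfs.example.net EXAMPLE.NET; then
        echo "OK: no problems found"
    fi
done
rm -rf "$SAMPLE_DIR"
```

The broken sample reports the loopback problem and the fixed one passes, which is the same before/after Dan described once the nfs.example.net entry left the 127.0.0.1 line.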


Re: [CentOS] Spacewalk or Puppet?

2009-11-04 Thread Dan Burkland
If you guys would be so kind would you mind emailing some examples of some 
puppet policies? It would really be beneficial to me :)

Thanks again for all the replies!

Dan Burkland
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Karanbir Singh
Sent: Wednesday, November 04, 2009 8:34 AM
To: CentOS mailing list
Subject: Re: [CentOS] Spacewalk or Puppet?

On 11/04/2009 02:18 PM, Marcus Moeller wrote:
 We had massive performance issues with Puppet < 0.25 and Mongrel/Webrick.

Right, I don't think that the default out of the box setup with Webrick 
is meant to scale much beyond 100 or so machines, but it's trivial to 
setup an nginx based proxy in front of multiple mongrels and have that 
handle the load. Anything > 500 nodes needs specific consideration, but 
then at that level you have both the time and the interest to fix the 
specific issues.

 Concerning Ruby you should at least be familiar with quoting/escaping
 and scopes.

I think the puppet DSL is slightly different from ruby in that way. Just 
working with the language guide for puppet is enough to keep things 
going. It's only when you get down to lower level embedded templates with 
erb that it might help knowing a bit of ruby, but I do honestly think 
most people can do almost everything on puppet without any ruby experience.

 There are not so many packages that need to be installed on client
 side (about 10)

How about the server side? puppet is still a single package on that end too.

 but in conclusion you will get functionalities like
 remote-commands through osad and monitoring. The package upgrades
 could be handled with errata and update management easily.

with puppet you get the ability to carry role based nagios definitions 
in sync with the role definition - which almost means zero nagios 
configuration.  So what that means is that when I define what my 
webserver-type1 should look like and what configs its needs and what 
policy it needs to implement I can also define, at the same place, what 
sort of monitoring would be needed against those components. Then when I 
apply webserver-type1 to any specific machine, I get the nagios configs 
for free.

And the fact that puppet runs in a definite manner, it can make for a 
reactive monitoring system in itself ( although I prefer to use tools 
like monit / god for that - specially for time critical services ).

 PS: Your email client is broken. Its not preserving thread sanity.
 Not a problem here.

Interestingly for your email : Message-ID: 
g1m1yig5etitfc1rxzjezwjv4x.pena...@mail.gmail.com

The headers contain no References or in-reply-to headers on the copy 
that came through to me ( your most recent one does have References set 
). So not sure what mailclient you are using, but its a bit random on 
its headers.

- KB
-- 
Karanbir Singh
London, UK| http://www.karan.org/ | twitter.com/kbsingh
ICQ: 2522219  | Yahoo IM: z00dax  | Gtalk: z00dax
GnuPG Key : http://www.karan.org/publickey.asc


Re: [CentOS] Spacewalk or Puppet?

2009-11-03 Thread Dan Burkland
Mark,

What would you recommend for a larger environment then?

Dan Burkland
NMDP Helpdesk Technician
3001 Broadway Street N. E. Suite 100, Minneapolis, MN 55413-1753 
 
Phone (612) 362-3411 Toll Free: (800) 526-7809 Ext. 8123 

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
m.r...@5-cent.us
Sent: Tuesday, November 03, 2009 1:29 PM
To: CentOS mailing list
Subject: Re: [CentOS] Spacewalk or Puppet?

 I am a little new to managing large numbers of CentOS/RHEL servers and was
 wondering what you experienced sysadmins prefer, Spacewalk or Puppet?

If you look at recent posts, you'll know my opinion of Spacewalk (not
high, for large values of not, and small values of high).

mark



[CentOS] Spacewalk or Puppet?

2009-11-03 Thread Dan Burkland
I am a little new to managing large numbers of CentOS/RHEL servers and was 
wondering what you experienced sysadmins prefer, Spacewalk or Puppet?

Thanks,

Dan Burkland



Re: [CentOS] CentOS 5.3 on X86_64: yum installs both i386 and x86_64 packages

2009-10-14 Thread Dan Burkland
I have no idea why the packages are installed along with the x86_64 ones 
however I add excludepkgs=*.i386 *.i686 to yum.conf and it takes care of that.

Dan Burkland

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Mathieu Baudier
Sent: Wednesday, October 14, 2009 3:09 AM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 5.3 on X86_64: yum installs both i386 and x86_64 
packages

Out of pure curiosity:
Does anybody know why both i386 and x86_64 are installed by default?

On other x86_64 platforms I rather tend to cherrypick the i386
packages and install them on a case by case basis.

On Wed, Oct 14, 2009 at 06:49, Vnpenguin vnpeng...@vnoss.org wrote:

 I removed all i?86 on my x86_64 servers. No problem.

 --
 http://vnoss.org


Re: [CentOS] CentOS 5.3 LDAP problem.

2009-09-29 Thread Dan Burkland
I experienced the same problem and found a solution. In your /etc/ldap.conf 
file (which I had the ldap.conf in /etc/openldap symlinked to), add the 
following line to the bottom of the file:

nss_initgroups_ignoreusers root,haldaemon,dbus,ldap,sshd (any other group that 
is locally stored and used by applications go here)

Regards,

Dan

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Benjamin Donnachie
Sent: Tuesday, September 29, 2009 10:37 AM
To: centos@centos.org
Subject: [CentOS] CentOS 5.3 LDAP problem.

I currently have about eight servers running a mixture of CentOS
x86_64 v5.2 and v5.3 but none with the very latest updates.  They all
obtain their authentication information over LDAP and to avoid the
starting message bus hang problem[1], nscd is set to soft failure.

However, yesterday I set up a new CentOS v5.3 server with the latest
updates, but it refuses to get beyond Starting message bus if I have
ldap as an option in nsswitch.conf.  The LDAP server is hosted on two
separate machines and this machine has an identical set up to the
others - including soft failure in the nscd config.

If I remove all references to ldap from nsswitch.conf I can get the
machine to boot.  I can then add those entries back, start nscd and
getent works fine.  However, when I start samba it then starts to fail
stating that it cannot find a users unix account - which is clearly
incorrect!

To compound matters, ssh now seems to be locking up; freezing after
requesting a password and eventually dropping connection.  As I am
working off-site for the rest of the week I cannot post any further
information at the moment, however, I think that the installed kernel
had a September 2009 compile date.

Does anyone know of any reason why the latest updates could be causing
this behaviour?  I have been unable to find anything relevant in the
list archives or in the forums.

I am under pressure to get this server working and I don't want to be
forced to install Windows, so any advice would be appreciated.

Many thanks,

Ben


[1] http://bugs.centos.org/view.php?id=2047


Re: [CentOS] Storing Kerberos database in OpenLDAP

2009-09-28 Thread Dan Burkland
I went ahead and gave the MIT Kerberos LDAP backed option a try. So far it 
seems to work quite well and nothing has crashed (yet :)). I'm going to run 
this setup for a couple weeks and see if I can break it.

Regards,

Dan Burkland

From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
mbneto
Sent: Monday, September 28, 2009 8:02 AM
To: CentOS mailing list
Subject: [CentOS] Any known problems with kernel-2.6.18-164.el5.x86_64 / x86_64 
/ 3ware?

Hi,

I have a server that is running centos 5.3 x86_64 that until last week was 
running fine.   With no error messages in console and in /var/log/messages the 
server simply stops responding.

After a reboot everything is fine.   The only change (that I could find) but 
that was not active before the first incident/reboot was the update of the 
kernel and friends.

The server (is this can help) is a intel quad core, 8GB RAM , 3 x 1TB disks 
(raid mirror with 2 active / 1 spare via 3ware controller)

Any known problem with the kernel-2.6.18-164.el5.x86_64? (I am assuming that 
this would be the only thing that could cause the problem due to the lack of 
other messages.

Regards.

yum.log


[CentOS] Storing Kerberos database in OpenLDAP

2009-09-24 Thread Dan Burkland
Hi all,

I have created a project for myself in that I would like to store an MIT 
Kerberos database inside LDAP (Using OpenLDAP). I have found some relevant 
results but most of them are extremely outdated and unreliable. I did however 
recently find an article for Ubuntu that was up to date however it wasn't 
focused on CentOS/Red Hat-based distros. Has anybody found something like this 
https://help.ubuntu.com/9.04/serverguide/C/kerberos-ldap.html in regards to the 
topic discussed earlier?

Thank you,

Dan Burkland
