Bug#1066094: squidguard: Squidguard does not work with default squid apparmor profile

[Marco Gaiarin]

> I think we need an apparmor config file for squidguard.

I suppose the same. Surely better then adding squidguard data to the squid
apparmor profiles, as suggested by ubuntu bug.


> I never have
> written such a config, but perhaps you have an example of such a config
> file?

No, sorry: never done nothing on apparmor before this; to disable the
profile i've simply followed the debian wiki:

https://wiki.debian.org/AppArmor/HowToUse


> Otherwise I need some time for testing to resolve this problem.

If you provide some test apparmor profile i can try it and provide feedback.

Thanks to you!

Bug#1066094: squidguard: Squidguard does not work with default squid apparmor profile

[Marco Gaiarin]

Package: squidguard
Version: 1.6.0-2
Severity: normal

Dear Maintainer,

i've tried to use as 'usual' squidguard in my squid configuration, but squid 
simply
start filling logs (syslog and squid's cache.log) with:

2024/03/01 14:22:59 kid1| Starting new helpers
2024/03/01 14:22:59 kid1| helperOpenServers: Starting 1/10 'squidGuard' 
processes
2024/03/01 14:22:59 kid2| ipcCreate: /usr/bin/squidGuard: (13) 
Permission denied
2024/03/01 14:22:59 kid2| WARNING: redirector #Hlpr175 exited

after fiddling a bit, i've found that the guilty is apparmor squid profile (so,
i've not clear if this is a squidguard or a squid bug, indeed ;-).


I've simply done:

aa-disable /etc/apparmor.d/usr.sbin.squid

and now squid (and squidguard) run as expected.


I've also looked around and seems that there's an ubuntu bug opened:

https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1787409


Thanks.

-- System Information:
Debian Release: 11.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-28-amd64 (SMP w/2 CPU threads)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages squidguard depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  libc6  2.31-13+deb11u8
ii  libdb5.3   5.3.28+dfsg1-0.8
ii  libldap-2.4-2  2.4.57+dfsg-3+deb11u1

Versions of packages squidguard recommends:
ii  liburi-perl  5.08-1
ii  libwww-perl  6.52-1
ii  squid4.13-10+deb11u3

Versions of packages squidguard suggests:
pn  ldap-utils  
pn  squidguard-doc  

-- Configuration Files:
/etc/squidguard/squidGuard.conf.default [Errno 2] File o directory non 
esistente: '/etc/squidguard/squidGuard.conf.default'

-- debconf information:
  squidguard/dbreload: true

Bug#913310: nfs-common: Systemd does not correctly read /etc/default/nfs-common

[Marco Gaiarin]

Mandi! Ben Hutchings
  In chel di` si favelave...

> What is the actual problem you are trying to solve?

digging harder on my email folders... in october 2018 i was trying to
make NFSv4 work in a Samba/AD/Kerberos environment.

Probably after that i've found a way to circumvent the need, probably
switching to CIFS.

Some more hint on samba mailing list thread starting at:

https://lists.samba.org/archive/samba/2018-October/218969.html
https://lists.samba.org/archive/samba/2018-November/219218.html


Sorry, i don't remember more...

Bug#983633: debian-installer: Debian installer (also doc) misses info about that is using screen in serial terminal installation, and info about shortcut keys...

[Marco Gaiarin]

Package: debian-installer
Severity: minor


I've recently installed an ARM system via serial terminal (but i suppose
this is not ARM specific, all serial installation as OOB system is the same)
and was unable to switch 'virtual console' that are listed on the first row
of the screen.

After looking and asking around i've finally found that installer in serial
terminal mode use 'screen', and so it was sufficient to use screen keybind.

But this is NOT reported on debian-installer manual, nor on a 'welcome'
screen.

Could be added? Thanks.

Bug#978395: sympa: Debconf upgrade script does not take into account on mounted arc subdir

[Marco Gaiarin]

Package: sympa
Version: 6.2.40~dfsg-1+deb10u1
Severity: normal

Dear Maintainer,

I've tried to upgrade sympa, and lead to debocnf error because i've mounted a 
filesystem
for 'arc' subdir:

 root@mail:~# df -h
 File system Dim. Usati Dispon. Uso% Montato su
 /dev/loop1  2,9G  1,9G904M  68% /
 /dev/loop11 9,8G  744M8,6G   8% /home
 /dev/loop12 4,9G  1,6G3,1G  35% /var/lib/sympa/arc

and debconf complain that cannot chown 'lost+found' dir (and indeed is true).

I've tried to modify the postinst script, and at last i've commented the guilty 
find,
let debconf to end:

 --- /var/lib/dpkg/info/sympa.postinst.dist 2020-12-10 14:39:54.0 
+0100
 +++ /var/lib/dpkg/info/sympa.postinst  2020-12-26 23:01:15.342509840 +0100
 @@ -221,9 +221,9 @@
  
  # It's better to search files and directories with wrong owner/group and fix
  # them instead of recursively doing it, even if it's not needed (see #630384)
 -find /var/spool/sympa /var/lib/sympa \
 -\( -not -user sympa -or -not -group sympa \) \
 --exec chown sympa:sympa {} \;
 +#find /var/spool/sympa /var/lib/sympa \
 +#\( -not -user sympa -or -not -group sympa \) -not -name 'lost+found' \
 +#-exec chown sympa:sympa {} \;
  
  # Fix permissions on CGI wrappers
  chown sympa:sympa /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi \

I think a better find have to be setup, but i was not able to do that...


Thanks.

-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.18-14-pve (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sympa depends on:
ii  adduser3.118
ii  ca-certificates20200601~deb10u1
ii  dbconfig-common2.0.11+deb10u1
ii  debconf [debconf-2.0]  1.5.71
ii  exim4-daemon-heavy [mail-transport-agent]  4.92-8+deb10u4
ii  fonts-font-awesome 5.0.10+really4.7.0~dfsg-1
ii  libarchive-zip-perl1.64-1
ii  libc6  2.28-10
ii  libcgi-fast-perl   1:2.13-1
ii  libcgi-pm-perl 4.40-1
ii  libclass-singleton-perl1.5-1
ii  libcrypt-eksblowfish-perl  0.009-2+b5
ii  libcrypt-openssl-x509-perl 1.8.12-1
ii  libcrypt-smime-perl0.25-1+b1
ii  libdatetime-format-mail-perl   0.4030-1
ii  libdbd-csv-perl0.5300-1
ii  libdbd-mysql-perl  4.050-2
ii  libdbd-pg-perl 3.7.4-3
ii  libdbd-sqlite3-perl1.62-3
ii  libdbi-perl1.642-1+deb10u1
ii  libfcgi-perl   0.78-2+b3
ii  libfile-copy-recursive-perl0.44-1
ii  libfile-nfslock-perl   1.29-1
ii  libhtml-format-perl2.12-1
ii  libhtml-stripscripts-parser-perl   1.03-2
ii  libhtml-tree-perl  5.07-2
ii  libintl-perl   1.26-2
ii  libio-stringy-perl 2.111-3
ii  libjs-jquery   3.3.1~dfsg-3
ii  libjs-jquery-migrate-1 1.4.1-1
ii  libjs-jquery-minicolors2.2.6+dfsg-3
ii  libjs-jquery-ui1.12.1+dfsg-5
ii  libmail-dkim-perl  0.54-1
ii  libmailtools-perl  2.18-1
ii  libmime-charset-perl   1.012.2-1
ii  libmime-encwords-perl  1.014.3-2
ii  libmime-lite-html-perl 1.24-3
ii  libmime-tools-perl 5.509-1
ii  libnet-cidr-perl   0.19-1
ii  libnet-dns-perl1.19-1
ii  libnet-ldap-perl   1:0.6500+dfsg-1
ii  libnet-netmask-perl1.9104-1
ii  libregexp-common-perl  2017060201-1
ii  libsoap-lite-perl  1.27-1
ii  libtemplate-perl   2.27-1+b1
ii  libterm-progressbar-perl   2.22-1
ii  libunicode-linebreak-perl  0.0.20190101-1
ii  libxml-libxml-perl 2.0134+dfsg-1
ii  lsb-base   10.2019051400
ii  mhonarc2.6.19-2
ii  perl   5.28.1-6+deb10u1
ii  rsyslog [system-log-daemon]8.1901.0-1
ii  sqlite33.27.2-3+deb10u1

Versions of packages sympa recommends:
ii  apache2-suexec-custom [apache2-suexec]  2.4.38-3+deb10u4
ii  

Bug#971090: asterisk: syslog logging print double linees, one with colouring escapes...

[Marco Gaiarin]

Package: asterisk
Version: 1:16.2.1~dfsg-1+deb10u2
Severity: minor

Dear Maintainer,

I've just installed asterisk in buster, and i've enabled syslog logging, 
adding/decommenting
in 'logger.conf' the row:

syslog.local0 => notice,warning,error   

After that, i found in syslog the asterisk row (as expected), but most of the 
row are
dupes, and one of them have ANSI colour escaping code, an example:

Sep 27 09:02:06 vpbxlpb1 asterisk[363]: NOTICE[1337]: chan_sip.c:24888 
in handle_response_peerpoke: Peer '213' is now Reachable. (92ms / 200ms)
Sep 27 09:02:06 vpbxlpb1 asterisk[363]: [Sep 27 09:02:06] 
#033[1;33mNOTICE#033[0m[1337]: 
#033[1;37mchan_sip.c#033[0m:#033[1;37m24888#033[0m 
#033[1;37mhandle_response_peerpoke#033[0m: Peer '213' is now Reachable. (92ms / 
200ms)

I've removed 'notice' from syslog row, and now double lines seems not appear 
anymore,
but probably because i've not so frequent warnings and errors. ;-)


Could be that these lines come from systemd? Anyway, using ANSI colour code in 
syslog is
really a bad thing. ;-)

Thanks.

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-11-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages asterisk depends on:
ii  adduser  3.118
ii  asterisk-config  1:16.2.1~dfsg-1+deb10u2
ii  asterisk-core-sounds-en  1.6.1-1
ii  asterisk-modules 1:16.2.1~dfsg-1+deb10u2
ii  libc62.28-10
ii  libcap2  1:2.25-2
ii  libedit2 3.1-20181209-1
ii  libjansson4  2.12-1
ii  libpopt0 1.16-12
ii  libsqlite3-0 3.27.2-3
ii  libssl1.11.1.1d-0+deb10u3
ii  libsystemd0  241-7~deb10u4
ii  liburiparser10.9.1-1
ii  libuuid1 2.33.1-0.1
ii  libxml2  2.9.4+dfsg1-7+b3
ii  libxslt1.1   1.1.32-2.2~deb10u1
ii  lsb-base 10.2019051400

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm 2.03-1
ii  asterisk-voicemail [asterisk-voicemail-storage]  1:16.2.1~dfsg-1+deb10u2
ii  sox  14.4.2+git20190427-1

Versions of packages asterisk suggests:
pn  asterisk-dahdi   
ii  asterisk-dev 1:16.2.1~dfsg-1+deb10u2
pn  asterisk-doc 
pn  asterisk-ooh323  
pn  asterisk-opus
pn  asterisk-vpb 

-- no debconf information

Bug#946829: Patch works!

[Marco Gaiarin]

I can confirm that patch works as expected.

Patch does not apply cleanly on my SA (3.4.2-1~deb9u2) but only for
cosmetic differences, attached a patch that wok on SA 3.4.2-1~deb9u2.


Thanks!

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''  http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
--- Greylisting.pm.orig	2019-12-19 11:27:35.535866138 +0100
+++ Greylisting.pm	2019-12-19 11:30:59.132703809 +0100
@@ -21,6 +21,7 @@
 
 use strict;
 use Mail::SpamAssassin::Plugin;
+use Mail::SpamAssassin::Util qw(untaint_var);
 use NetAddr::IP;
 use File::Path qw(mkpath);
 our @ISA = qw(Mail::SpamAssassin::Plugin);
@@ -71,9 +72,25 @@
 }
 Mail::SpamAssassin::Plugin::dbg("GREYLISTING: called function");
 
-$optionhash  =~ s/;/,/g;
+#$optionhash  =~ s/;/,/g;
 # This is safe, right? (users shouldn't be able to set it in their config)
-%option=eval $optionhash;
+#%option=eval $optionhash;
+
+# ... no, evaling random strings is not safe!!!
+# Ditch eval and parse hash string manually to maintain backwards compatibility
+$optionhash =~ s/^\s*\(\s*//;
+$optionhash =~ s/\s*\)\s*$//;
+foreach my $opt (split(/\s*;\s*/, $optionhash)) {
+   my @vals = split(/\s*=>\s*/, $opt, 2);
+   next unless defined $vals[1];
+   # Sanitize away quotes and any unneeded characters, then untaint
+   foreach (@vals) {
+   s/[^\w\/-]//gs;
+   $_ = untaint_var($_);
+   }
+   $option{$vals[0]} = $vals[1];
+}
+
 $self->{'rangreylisting'}=1;
 
 foreach my $reqoption (qw ( method greylistsecs dontgreylistthreshold

Bug#946829: Added upstream.

[Marco Gaiarin]

https://sourceforge.net/p/sa-exim/bugs/3/

Bug#946829: sa-exim: After upgrade SA: GREYLIST_ISWHITE skipped, insecure dependencies

[Marco Gaiarin]

Package: sa-exim
Version: 4.2.1-16
Severity: normal

Dear Maintainer,

After upgrading SA (security update, 3.4.2-1~deb9u2) i got on logs a flood of:

 Dec 16 10:04:53 vdmpp1 spamd[15196]: rules: failed to run GREYLIST_ISWHITE 
test, skipping:
 Dec 16 10:04:53 vdmpp1 spamd[15196]:  (Insecure dependency in eval while 
running with -T switch at 
/usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm line 76.
 Dec 16 10:04:53 vdmpp1 spamd[15196]: )

probably, the security changes added into the upgraded SA 'broke' something on 
sa-exim.

-- System Information:
Debian Release: 9.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sa-exim depends on:
ii  debconf [debconf-2.0]1.5.61
ii  exim4-daemon-heavy [exim4-localscanapi-2.0]  4.89-2+deb9u6
ii  libc62.24-11+deb9u4
ii  libnetaddr-ip-perl   4.079+dfsg-1+b1
ii  spamc3.4.2-1~deb9u2

Versions of packages sa-exim recommends:
ii  perl  5.24.1-3+deb9u5

Versions of packages sa-exim suggests:
ii  spamassassin  3.4.2-1~deb9u2

-- debconf information:
  sa-exim/purge_spool: false

Bug#942172: clamav-daemon: After upgrade, clamd cannon create /var/run/clamav/clamd.ctl and stop.

[Marco Gaiarin]

Mandi! Hugo Lefeuvre
  In chel di` si favelave...

> thanks for your time. I have done some more tests myself and went ahead
> with the upload, I hope everything will be fine now. Sorry for the trouble.

I canconfirm that now the bug is solved.


Thanks!

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''  http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Bug#928647: Solved...

[Marco Gaiarin]

Looking at similar traouble with OpenVPN, i've found:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876979

and a similar solution seems to work also for arpwatch, eg it is needed
to create the file:

/etc/systemd/system/arpwatch.service.d/after-network-online.conf

With the content:

[Unit]
After=network-online.target
Wants=network-online.target

Bug#928647: arpwatch: systemd start arpwatch before interfaces...

[Marco Gaiarin]

Package: arpwatch
Version: 2.1a15-2+b1
Severity: normal

Dear Maintainer,

I've just upgraded some little servers used as firewalls to stretch.

On reboot 'arpwatch' does not start up, and on logs i catch:

 May  7 18:32:41 fouc arpwatch: bad interface eth0: eth0: no IPv4 address 
assigned - assuming unconfigured interface
 May  7 18:32:41 fouc arpwatch[556]: Starting Ethernet/FDDI station monitor 
daemon: (chown arpwatch /var/lib/arpwatch/eth0.dat) arpwatch-eth0.
 May  7 18:32:41 fouc arpwatch: pcap open eth0: eth0: That device is not up
 May  7 18:32:42 fouc arpwatch: bad interface eth0.3: SIOCGIFADDR: eth0.3: No 
such device - assuming unconfigured interface
 May  7 18:32:42 fouc arpwatch[556]: Starting Ethernet/FDDI station monitor 
daemon: (chown arpwatch /var/lib/arpwatch/eth0.3.dat) arpwatch-eth0.3.
 May  7 18:32:42 fouc arpwatch: bad interface vlan99: SIOCGIFADDR: vlan99: No 
such device - assuming unconfigured interface
 May  7 18:32:42 fouc arpwatch[556]: Starting Ethernet/FDDI station monitor 
daemon: (chown arpwatch /var/lib/arpwatch/vlan99.dat) arpwatch-vlan99.
 May  7 18:32:42 fouc arpwatch: bad interface vlan11: SIOCGIFADDR: vlan11: No 
such device - assuming unconfigured interface
 May  7 18:32:42 fouc arpwatch[556]: Starting Ethernet/FDDI station monitor 
daemon: (chown arpwatch /var/lib/arpwatch/vlan11.dat) arpwatch-vlan11.
 May  7 18:32:42 fouc arpwatch: bad interface vlan22: SIOCGIFADDR: vlan22: No 
such device - assuming unconfigured interface
 May  7 18:32:42 fouc arpwatch[556]: Starting Ethernet/FDDI station monitor 
daemon: (chown arpwatch /var/lib/arpwatch/vlan22.dat) arpwatch-vlan22.
 May  7 18:32:42 fouc arpwatch: bad interface vlan191: SIOCGIFADDR: vlan191: No 
such device - assuming unconfigured interface
 May  7 18:32:42 fouc arpwatch[556]: Starting Ethernet/FDDI station monitor 
daemon: (chown arpwatch /var/lib/arpwatch/vlan191.dat) arpwatch-vlan191.
 May  7 18:32:42 fouc arpwatch: pcap open eth0.3: eth0.3: No such device exists 
(SIOCGIFHWADDR: No such device)
 May  7 18:32:42 fouc arpwatch: pcap open vlan99: vlan99: No such device exists 
(SIOCGIFHWADDR: No such device)
 May  7 18:32:42 fouc arpwatch: pcap open vlan11: vlan11: No such device exists 
(SIOCGIFHWADDR: No such device)
 May  7 18:32:42 fouc arpwatch: pcap open vlan22: vlan22: No such device exists 
(SIOCGIFHWADDR: No such device)
 May  7 18:32:42 fouc arpwatch: pcap open vlan191: vlan191: No such device 
exists (SIOCGIFHWADDR: No such device)

Seems to me simply that 'arpwatch' get started by systemd *BEFORE* interfaces 
get bought up, so simply does not find it.

After system booted, a:

systemctl restart arpwatch

make arpwatch work again.


For now, i've added that on /etc/rc.local.


Thanks.

-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages arpwatch depends on:
ii  adduser 3.115
ii  libc6   2.24-11+deb9u4
ii  libpcap0.8  1.8.1-3

arpwatch recommends no packages.

arpwatch suggests no packages.

-- Configuration Files:
/etc/arpwatch.conf changed:
eth0-Q
eth0.3  -Q
vlan99  -m root
vlan11  -m root
vlan22  -m root
vlan191 -m root


-- no debconf information

Bug#660223: Reproducible?

[Marco Gaiarin]

> Are you able to reproduce this bug on latest jessie
> (2:4.2.14+dfsg-0+deb8u11) or latest stretch (2:4.5.16+dfsg-1)? This
> would be good if you tested it on latest buster (2:4.9.4+dfsg-3, -2 is ok).

Ahem, no, sorry.

I've switched all the infrastructure to AD (using debian/samba! ;-), so
no more openldap here...

Bug#914536: lua-cyrussasl: Package built only for lua 5.1

[Marco Gaiarin]

Package: lua-cyrussasl
Version: 1.0.0-6
Severity: important

Dear Maintainer,

your package seems built only for lua 5.1, so does not work with lua 5.2.

Please, rebuild it also for lua 5.2 (and lua 5.3, indeed), or at least
rename it 'lua5.1-cyrussasl'.

Thanks.

-- System Information:
Debian Release: 8.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lua-cyrussasl depends on:
ii  libc6  2.19-18+deb8u10
ii  libsasl2-2 2.1.26.dfsg1-13+deb8u1
ii  multiarch-support  2.19-18+deb8u10

lua-cyrussasl recommends no packages.

lua-cyrussasl suggests no packages.

-- no debconf information

Bug#913310: nfs-common: Systemd does not correctly read /etc/default/nfs-common

[Marco Gaiarin]

Package: nfs-common
Version: 1:1.3.4-2.1
Severity: important

Dear Maintainer,

I'm trying to play with NFSv4 with my just-installed or just-upgraded stretch 
system.

I've found that:

a) is impossible to set daemons flags in /etc/default/nfs-common, because 
systemd does not read it.

b) it is not possible to restart nfs common daemon, because nfs-common is 
disabled (and this seems intended)
 and nfs-client is a target, so seems can be run only at boot.
 [probably this is a consequence of a)]

For a), seems that the 'nfs-config' systemd stanza correctly build up 
'/run/sysconfig/nfs-utils' environment files, but
then, there's no 'EnvironmentFile=' row in 'nfs-client' and 'nfs-server' so 
environment varialbles are not read.


Thanks.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
104   tcp111  portmapper
103   tcp111  portmapper
102   tcp111  portmapper
104   udp111  portmapper
103   udp111  portmapper
102   udp111  portmapper
1000111   udp996  rquotad
1000112   udp996  rquotad
1000111   tcp996  rquotad
1000112   tcp996  rquotad
151   udp  41830  mountd
151   tcp  34919  mountd
152   udp  55161  mountd
152   tcp  35583  mountd
153   udp  40521  mountd
153   tcp  59835  mountd
133   tcp   2049  nfs
134   tcp   2049  nfs
1002273   tcp   2049
133   udp   2049  nfs
134   udp   2049  nfs
1002273   udp   2049
1000211   udp  46276  nlockmgr
1000213   udp  46276  nlockmgr
1000214   udp  46276  nlockmgr
1000211   tcp  35009  nlockmgr
1000213   tcp  35009  nlockmgr
1000214   tcp  35009  nlockmgr
-- /etc/default/nfs-common --
NEED_STATD=no
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
RPCGSSDOPTS="-v"
-- /etc/idmapd.conf --
[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
Domain = ad.fvg.lnf.it
Local-Realm = AD.FVG.LNF.IT
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch,static
GSS-Methods = nsswitch,static
[Static]
vdmpp1$@AD.FVG.LNF.IT = root
-- /etc/fstab --

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nfs-common depends on:
ii  adduser  3.115
ii  init-system-helpers  1.48
ii  keyutils 1.5.9-9
ii  libc62.24-11+deb9u3
ii  libcap2  1:2.25-1
ii  libcomerr2   1.43.4-2
ii  libdevmapper1.02.1   2:1.02.137-2
ii  libevent-2.0-5   2.0.21-stable-3
ii  libgssapi-krb5-2 1.15-1+deb9u1
ii  libk5crypto3 1.15-1+deb9u1
ii  libkeyutils1 1.5.9-9
ii  libkrb5-31.15-1+deb9u1
ii  libmount12.29.2-1+deb9u1
ii  libnfsidmap2 0.25-5.1
ii  libtirpc10.2.5-1.2
ii  libwrap0 7.6.q-26
ii  lsb-base 9.20161125
ii  rpcbind  0.2.3-0.6
ii  ucf  3.0036

Versions of packages nfs-common recommends:
ii  python  2.7.13-2

Versions of packages nfs-common suggests:
pn  open-iscsi  
pn  watchdog

Versions of packages nfs-kernel-server depends on:
ii  init-system-helpers  1.48
ii  keyutils 1.5.9-9
ii  libblkid12.29.2-1+deb9u1
ii  libc62.24-11+deb9u3
ii  libcap2  1:2.25-1
ii  libsqlite3-0 3.16.2-5+deb9u1
ii  libtirpc10.2.5-1.2
ii  libwrap0 7.6.q-26
ii  lsb-base 9.20161125
ii  netbase  5.4
ii  ucf  3.0036

-- Configuration Files:
/etc/default/nfs-common changed:
NEED_STATD=no
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
RPCGSSDOPTS="-v"


-- no debconf information

Bug#901529: cups: SystemGroup options cannot work with account/group NSS providers if don't enumerate groups

[Marco Gaiarin]

Package: cups
Version: 1.7.5-11+deb8u2
Severity: normal

Dear Maintainer,

I've found that setting 'SystemGroup' opton in cups-files.conf does not work
if the NSS provider does not enumerate group (eg, 'getent group '
does not return the list of users).

Some examples:

a) using winbind nss providers. My user is correctly in 'printops' group:

root@vdmsv1:~# id gaio
uid=1(gaio) gid=10513(domain users) gruppi=10513(domain 
users),11001(sir),10999(unixadm),10998(printops),5001(BUILTIN\users),5000(BUILTIN\administrators)

but if i check 'printops' groups there's no 'gaio' users:

root@vdmsv1:~# getent group printops
printops:x:10998:

and this is normal, Samba team suggest to disable users and group
enumeration for performance reasons.


b) using pam_groups (eg /etc/security/group.conf) to assign some local
 groups to users:

gaio@vdmsv1:~$ id
uid=1(gaio) gid=10513(domain users) gruppi=10513(domain 
users),4(adm),20(dialout),24(cdrom),25(floppy),46(plugdev),5000(BUILTIN\administrators),5001(BUILTIN\users),10998(printops),10999(unixadm),11001(sir)

but still no group enumeration:

gaio@vdmsv1:~$ getent group lpadmin
lpadmin:x:119:

and this is again normal, pam_groups add group membership dynamically on
logon (pam auth context).


In both way, eg, trying to use 'printops' group or 'lpadmin' group as
SystemGroup does not work, eg i can login to CUPS web interface with user
gaio, but without '@SYSTEM' privileges.

-- System Information:
Debian Release: 8.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cups depends on:
ii  cups-client1.7.5-11+deb8u2
ii  cups-common1.7.5-11+deb8u2
ii  cups-core-drivers  1.7.5-11+deb8u2
ii  cups-daemon1.7.5-11+deb8u2
ii  cups-filters   1.0.61-5+deb8u3
ii  cups-ppdc  1.7.5-11+deb8u2
ii  cups-server-common 1.7.5-11+deb8u2
ii  debconf [debconf-2.0]  1.5.56+deb8u1
ii  ghostscript9.06~dfsg-2+deb8u6
ii  libavahi-client3   0.6.31-5
ii  libavahi-common3   0.6.31-5
ii  libc-bin   2.19-18+deb8u10
ii  libc6  2.19-18+deb8u10
ii  libcups2   1.7.5-11+deb8u2
ii  libcupscgi11.7.5-11+deb8u2
ii  libcupsimage2  1.7.5-11+deb8u2
ii  libcupsmime1   1.7.5-11+deb8u2
ii  libcupsppdc1   1.7.5-11+deb8u2
ii  libgcc11:4.9.2-10+deb8u1
ii  libstdc++6 4.9.2-10+deb8u1
ii  libusb-1.0-0   2:1.0.19-1
ii  lsb-base   4.1+Debian13+nmu1
ii  poppler-utils  0.26.5-2+deb8u4
ii  procps 2:3.3.9-9+deb8u1

Versions of packages cups recommends:
ii  avahi-daemon 0.6.31-5
ii  colord   1.2.1-1+b2
ii  cups-filters [ghostscript-cups]  1.0.61-5+deb8u3
ii  printer-driver-gutenprint5.2.10-3

Versions of packages cups suggests:
pn  cups-bsd   
pn  cups-pdf   
pn  foomatic-db-compressed-ppds | foomatic-db  
ii  hplip  3.14.6-1+deb8u1
ii  printer-driver-hpcups  3.14.6-1+deb8u1
ii  smbclient  2:4.5.12+dfsg-2+deb9u2~bpo8+1
ii  udev   215-17+deb8u7

-- debconf information:
* cupsys/backend: lpd, socket, usb, snmp, dnssd
* cupsys/raw-print: true

Bug#888512: clamav-daemon: Clamd suddenly eat up all file descriptors, 'Too many open files' error

[Marco Gaiarin]

> This is an issue in daily.cld 24256+ (released around this morning).

I've searched extensively with google, but found nothing apart some old
similar trouble dated 2015 or later... sorry...


> A workaround is described here:
> http://lists.clamav.net/pipermail/clamav-users/2018-January/005715.html

I confirm, workaround works. Thanks.

Bug#888512: clamav-daemon: Clamd suddenly eat up all file descriptors, 'Too many open files' error

[Marco Gaiarin]

Package: clamav-daemon
Version: 0.99.2+dfsg-0+deb8u2
Severity: important

Dear Maintainer,

Today, in my servers (at least 3 servers), starting from circa 9.00 local
time (Europe/Rome) clamav stop working, like:

 Jan 26 12:57:02 lupus freshclam[2423]: Received signal: wake up
 Jan 26 12:57:02 lupus freshclam[2423]: ClamAV update process started at Fri 
Jan 26 12:57:02 2018
 Jan 26 12:57:02 lupus freshclam[2423]: WARNING: Your ClamAV installation is 
OUTDATED!
 Jan 26 12:57:02 lupus freshclam[2423]: WARNING: Local version: 0.99.2 
Recommended version: 0.99.3
 Jan 26 12:57:02 lupus freshclam[2423]: DON'T PANIC! Read 
http://www.clamav.net/documents/upgrading-clamav
 Jan 26 12:57:02 lupus freshclam[2423]: main.cld is up to  date (version: 
58,sigs: 4566249, f-level: 60, builder: sigmgr)
 Jan 26 12:57:02 lupus freshclam[2423]: daily.cld is up to date (version: 
24257, sigs: 1835982, f-level: 63, builder: neo)
 Jan 26 12:57:02 lupus freshclam[2423]: bytecode.cld is up to date (version: 
319, sigs: 75, f-level: 63, builder: neo)
 Jan 26 13:01:23 lupus clamd[2479]: ERROR: accept() failed:
 Jan 26 13:01:23 lupus clamd[2479]: ERROR: accept() failed:
 [...]
 Jan 26 13:01:23 lupus clamd[2479]: ERROR: accept() failed:
 Jan 26 13:01:23 lupus clamd[2479]: LibClamAV Error: cli_gentempfd: Can't 
create temporary file /tmp/clamav-6587ca997bc2adfefc247ee13543538e.tmp: Too 
many open files

Doing repetedly (after a restart):

 root@lupus:~# ls -1 /proc/$(pidof clamd)/fd/ |wc -l
 159

it is clear that clamav does not close anymore file descriptors, and sooner
or later eats all of that.

I've tried to cleanup database, but nothing changed.

See also:
https://bugzilla.clamav.net/show_bug.cgi?id=12017


Thanks.

-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
---
LogFile = "/var/log/clamav/clamav.log"
StatsHostID = "auto"
StatsEnabled disabled
StatsPEDisabled = "yes"
StatsTimeout = "10"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups disabled
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "6"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "1"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "1"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
ScanOnAccess disabled
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled

Bug#819717: ntopng crash and restart with error *** stack smashing detected ***

[Marco Gaiarin]

Ciao Ludovico.

> If you are still experiencing the issue, would you be able to provide me with 
> a
> traffic capture that would cause the issue when replayed on an network
> interface?
> And/or maybe install ntopng-dbgsym, capture the failure inside gdb, and send 
> me
> a stack trace? (command: "thread apply all bt") 

Ahem, i've completely forgot about this bug report. ;(


In the meantime i've changed hardware that run my firewalls (and also
ntopng) and probably many more things.
Now ntopng run flawlessy...

When i've fired up that bug, i've just upgraded my firewalls from
wheezy to jessie, and from ntop to ntopng. I don't know if both the
tools share some files/dirs/database/... and so this can be the source
of trouble.


Anyway, sorry. I think you can safely close the bug. Thanks.

Bug#869182: php-common: Trouble running phpsessionclean.service on a LXC Container...

[Marco Gaiarin]

Package: php-common
Version: 1:49
Severity: normal


I've setup a LXC stretch container in a Proxmox virtualization cluster, and
after installing apache/PHP i've start to have in logs of the container rows
like:

 Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Failed to reset 
devices.list: Operation not permitted
 Jul 21 10:09:14 vglpi systemd[24929]: phpsessionclean.service: Failed at step 
NETWORK spawning /usr/lib/php/sessionclean: Permission denied
 Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Main process 
exited, code=exited, status=225/NETWORK
 Jul 21 10:09:14 vglpi systemd[1]: Failed to start Clean php session files.
 Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Unit entered failed 
state.
 Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Failed with result 
'exit-code'.
 Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Failed to reset 
devices.list: Operation not permitted
 Jul 21 10:39:14 vglpi systemd[24948]: phpsessionclean.service: Failed at step 
NETWORK spawning /usr/lib/php/sessionclean: Permission denied
 Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Main process 
exited, code=exited, status=225/NETWORK
 Jul 21 10:39:14 vglpi systemd[1]: Failed to start Clean php session files.
 Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Unit entered failed 
state.
 Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Failed with result 
'exit-code'.

and, on the same time, on the host that run the container:

 Jul 21 10:09:14 tessier kernel: [22515856.189072] audit: type=1400 
audit(1500624554.627:384): apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" 
sock_type="dgram" protocol=0 addr=none
 Jul 21 10:09:14 tessier kernel: [22515856.189077] audit: type=1400 
audit(1500624554.627:385): apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" 
sock_type="dgram" protocol=0 addr=none
 Jul 21 10:09:14 tessier kernel: [22515856.189082] audit: type=1400 
audit(1500624554.627:386): apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" 
sock_type="dgram" protocol=0 addr=none
 Jul 21 10:09:14 tessier kernel: [22515856.189085] audit: type=1400 
audit(1500624554.627:387): apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" 
sock_type="dgram" protocol=0 addr=none
 Jul 21 10:39:14 tessier kernel: [22517656.161803] audit: type=1400 
audit(1500626354.625:388): apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" 
sock_type="dgram" protocol=0 addr=none
 Jul 21 10:39:14 tessier kernel: [22517656.161808] audit: type=1400 
audit(1500626354.625:389): apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" 
sock_type="dgram" protocol=0 addr=none
 Jul 21 10:39:14 tessier kernel: [22517656.161812] audit: type=1400 
audit(1500626354.625:390): apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" 
sock_type="dgram" protocol=0 addr=none
 Jul 21 10:39:14 tessier kernel: [22517656.161815] audit: type=1400 
audit(1500626354.625:391): apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" 
sock_type="dgram" protocol=0 addr=none

I've tried to run the script by hand, as root, and no error appears
(on container and on host).

For now, i've disabled the service:

root@vglpi:~# systemctl disable phpsessionclean


Thanks.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.21-1-pve (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages php-common depends on:
ii  init-system-helpers  1.48
ii  psmisc   22.21-2.1+b2
ii  sed  4.4-1

php-common recommends no packages.

php-common suggests no packages.

-- no debconf information

Bug#772154: closed by Mathieu Parent <math.par...@gmail.com> (Re: Bug#772154: process_usershare_file: stat of/var/lib/samba/usershares/netlogo failed. No such file or directory)

[Marco Gaiarin]

> > I missing the first time :  Can't find include file /etc/samba/smb.conf.
> > whats loading, uh.. whats not loading there.

Sorry, forgot to specify: in smb.conf i've a:

include = /etc/samba/smb.conf.%m

that i use to enable debugging for specific host: eg, for 'testparm' %m
is '', and the file tipically does not exist at all.


> > But if this Marco, is the Marco Gaiarin with GPG : 240A3D66  ;-)  then i say
> > close.  i know its you Marco :-p
> > Marco hase moved to debian stretch.  ;-)

I confirm. Bug closed, or better, ignored. ;-)

Bug#687149: Still here in jessie!

[Marco Gaiarin]

> Because it is not a bug in spamassassin and due to the age of the
> report I am reassigning this ticket to the sa-exim package.

OK.

Looking at the bug (i think i've missed some old messages, or probably
i've simply forgot about them...) seems that there's a more specific
bug in sa-exim fired up, with patch and marked as solved:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760860

so i think this bug can be marked duplicate of #760860 and closed.


Sorry for the fuss.

Bug#687149: Still here in jessie!

[Marco Gaiarin]

Control: reopen -1
Tags: jessie
Version: 3.4.0-6


Ahem, this little annoying bug is still here in jessie.

Attached current patch for jessie.
--- /tmp/spamassassin	2015-01-31 00:00:00.0 +0100
+++ /etc/cron.daily/spamassassin	2017-01-04 09:40:08.701957763 +0100
@@ -36,7 +36,7 @@
 if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile ]; then
 env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
 --chuid debian-spamd:debian-spamd --start \
---exec /usr/bin/sa-compile -- --quiet
+--exec /usr/bin/sa-compile -- --quiet > /dev/null 2>&1
 
 # Fixup perms -- group and other should be able to
 # read and execute, but never write.  Works around
@@ -78,7 +78,7 @@
 # got updates!
 env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
 --chuid debian-spamd:debian-spamd --start \
---exec /usr/bin/spamassassin -- --lint 2>&1 || die_with_lint
+--exec /usr/bin/spamassassin -- --lint > /dev/null 2>&1 || die_with_lint
 do_compile
 reload
 ;;

Bug#754339: Bug confirmation...

[Marco Gaiarin]

I've just upgraded to jessie, (samba/winbind 2:4.2.14+dfsg-0+deb8u2),
and i can confirm the bug.

Directory (on TMPFS) /run/samba/winbindd_privileged have correct
permission but is empty:

 root@rita:~# ls -la /run/samba/winbindd_privileged/
 totale 0
 drwxr-x--- 2 root winbindd_priv  40 gen  3 12:43 .
 drwxr-xr-x 6 root root  480 gen  5 15:15 ..

while directory /var/lib/samba/winbindd_privileged have incorrect
permission, and the pipe get created within:

 root@rita:~# ls -la /var/lib/samba/winbindd_privileged/
 totale 8
 drwxr-x--- 2 root root 4096 gen  5 15:15 .
 drwxr-xr-x 7 root root 4096 gen 11 15:18 ..
 srwxrwxrwx 1 root root0 gen  5 15:15 pipe


Fixing the permission solves the trouble, of course.


Thanks.

Bug#821811: Still bug present... and 'client ipc signing' reported as not valid option...

[Marco Gaiarin]

I've tried to update to latest version, 2:3.6.6-6+deb7u10, but as
previous version after some hours/days all client refuse to
authenticate users, seems to me because was not able to update the
machine account password (so join get invalid).

Also, a note, as stated in subject, testparm say me that 'client ipc
signing' is a invalid option, and this sound strange to me, because
that option are cited in changelog.


Anyway, rolled back to 2:3.6.6-6+deb7u7 (pre-badlock), now all work as
expected.


Thanks.

Bug#821811: Another confirmation...

[Marco Gaiarin]

I manage some samba 3.6 network on wheezy, and i can confirm this bug:
i was forced to rollback to pre-badlock samba version, because, sooner
or later, all clients (windows 7 pro) refuse the user logon.

Error it is not everitime the same. I get (sorry for italian... damned
microsoft that translate log messages!):

 May  5 16:31:16 GIUSEPPE microsoft-windows-security-auditing[failure] 4625 
Accesso di un account non riuscito.Soggetto:#011ID 
sicurezza:#011#011S-1-5-18#011Nome account:#011#011GIUSEPPE$#011Dominio 
account:#011#011ACPN#011ID accesso:#011#0110x3e7Tipo di 
accesso:#011#011#0117Account il cui accesso non  riuscito:#011ID 
sicurezza:#011#011S-1-0-0#011Nome account:#011#011ramona#011Dominio 
account:#011#011ACPNInformazioni sull'errore:#011Motivo 
dell'errore:#011#011%2304#011Stato:#011#011#0110xc18d#011Stato 
secondario:#011#0110x0Informazioni sul processo:#011ID processo 
chiamante:#0110x228#011Nome processo 
chiamante:C:\Windows\System32\lsass.exeInformazioni di rete:#011Nome 
workstation:#011GIUSEPPE#011Indirizzo di rete di origine:#011-#011Porta di 
origine:#011#011-Informazioni di autenticazione dettagliate:#011Processo di 
accesso:#011#011Negotiat#011Pacchetto di 
autenticazione:#011Negotiate#011Servizi transitati:#011-#011Nome pacchetto 
(solo NTLM):#011-#011Lunghezza chiave:#011#0110Questo evento viene generato 
quando una richiesta diaccesso non ha esito positivo. Viene generato nel 
computerin cui  stato tentato l'accesso.Il campo Soggetto indica l'account 
nel sistema l
 May  5 16:31:16 GIUSEPPE netlogon[error] 3210 Autenticazione non riuscita con 
\\RITA, un controller didominio di Windows per il dominio ACPN, pertanto 
possibile che le richieste di accesso vengano negate.L<92>impossibilit 
di autenticare pu essere dovuta al mancatoriconoscimento di un altro 
computer connesso alla stessarete tramite lo stesso nome o la stessa password 
perl<92>account di questo computer. Se questo messaggio vienevisualizzato di 
nuovo, contattare l'amministratore disistema.

(eg, roughly 'trust relationshipt not valid'), but also:

 May  5 17:42:27 GIUSEPPE netlogon[error] 5783 L'installazione della sessione 
sul controller di dominio diWindows NT o di Windows 2000 \\RITA per il dominio 
ACPN nonrisponde.  La chiamata RPC corrente effettuata da Netlogonsu \\GIUSEPPE 
a \\RITA  stata annullata.

(eg, roughly 'domain not found').


Note that if i remove the trust relationship on the workstation, and then i
rejoin it, the join work. But still there's no auth at subsequent
reboot (eg, join works but is ineffective).

I've tried all combination of:

ntlm auth = 
server signing = 
client signing = 
client ipc signing = 

but nothing work.


Thanks.

Bug#820982: Trouble with joined win7pro client...

[Marco Gaiarin]

I've updated some of my wheezy/samba3 networks, hit the 'i cannot talk
to myself' bug, and so added:

client ipc signing = no

to solve. But after some days, as stated by Vladislav Kurz, i've
started to get errors about trust relationships failed or domain
controller not avaliable.

I've testet *ALL* combination of:

ntlm auth = 
server signing = 
client signing = 
client ipc signing = 

and i've done may time the unjoin and rejoin operation of the client,
nothing changed.

I've reverted to old package:

apt-get install samba=2:3.6.6-6+deb7u7 samba-common=2:3.6.6-6+deb7u7 
winbind=2:3.6.6-6+deb7u7 libwbclient0=2:3.6.6-6+deb7u7 
smbclient=2:3.6.6-6+deb7u7 libnss-winbind=2:3.6.6-6+deb7u7 
libpam-winbind=2:3.6.6-6+deb7u7 samba-common-bin=2:3.6.6-6+deb7u7 
samba-doc=2:3.6.6-6+deb7u7

and samba get back at work as expected.


I hope on u10... but as Vladislav say, i'm asking if there's also some
registry tweaks to update client-side...


Thanks.

Bug#821069: samba: Client and server side signing mismatches after upgrade...

[Marco Gaiarin]

Package: samba
Version: 2:3.6.6-6+deb7u9
Followup-For: Bug #821069

I prefere to reply to this bug, but also client cannot logon to the domain
so clearly this is a duplicate of bug #820982.

As stated in #820982, the culprit came from a mismatch in ''signing''
between clent and server. Some command line sessions:


BEFORE UPGRADE:

root@lupus:~# net rpc testjoin
Join to 'SVCORSI' is OK

root@lupus:~# testparm > /tmp/smb.conf.before
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "enable privileges" option is deprecated
Can't find include file /etc/samba/smb.conf.
Processing section "[printers]"
Processing section "[baleno]"
Processing section "[print$]"
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[wpkg]"
Processing section "[larpch]"
Processing section "[Users]"
Processing section "[Media]"
Processing section "[Software]"
Processing section "[web]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions


AFTER UPGRADE:

root@lupus:~# net rpc testjoin
Connection failed: NT_STATUS_ACCESS_DENIED
Join to domain 'SVCORSI' is not valid: NT_STATUS_ACCESS_DENIED
root@lupus:~# net -d 10 rpc testjoin
INFO: Current debug levels:
  all: 10
[...]
Connecting to 10.5.7.1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 16384
SO_RCVBUF = 16384
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
Substituting charset 'UTF-8' for LOCALE
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Cannot connect to server (anonymously).  Error was NT_STATUS_ACCESS_DENIED
lang_tdb_init: /usr/share/samba/it_IT.UTF-8.msg: File o directory non esistente
Connection failed: NT_STATUS_ACCESS_DENIED
Join to domain 'SVCORSI' is not valid: NT_STATUS_ACCESS_DENIED
return code = -1

Note the 'cli_negprot: SMB signing is mandatory and the server doesn't
support it.'.
But also note that, whitout notice, a default opton changed:


root@lupus:~# testparm > /tmp/smb.conf.after
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "enable privileges" option is deprecated
Can't find include file /etc/samba/smb.conf.
Processing section "[printers]"
Processing section "[baleno]"
Processing section "[print$]"
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[wpkg]"
Processing section "[larpch]"
Processing section "[Users]"
Processing section "[Media]"
Processing section "[Software]"
Processing section "[web]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

root@lupus:~# diff -ud /tmp/smb.conf.before /tmp/smb.conf.after
--- /tmp/smb.conf.before2016-04-15 17:32:57.062343755 +0200
+++ /tmp/smb.conf.after 2016-04-15 17:35:46.310718374 +0200
@@ -9,6 +9,7 @@
syslog = 0
log file = /var/log/samba/log.%m
time server = Yes
+   client signing = required
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
add user script = /usr/sbin/smbldap-useradd "%u"


eg, now 'client signing = required'.


Instead of adding 'client signing = no' as stated in bug #820982, i've
added:
server signing = auto

for now, and all works as expected; but i've to experiment a bit with the
suggested:

server signing = mandatory
ntlm auth = no

before implementing it.


A little note: debconf of the samba3 upgrade does not warn about the upgrade
as the samba4 upgrade in jessie, so users can get even more confused about.

Thanks.

-- System Information:
Debian Release: 7.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages samba depends on:
ii  adduser3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg   1.16.17
ii  libacl12.2.51-8
ii  libattr1   1:2.4.46-8
ii  libc6  2.13-38+deb7u10
ii  libcap21:2.22-1.2
ii  libcomerr2 1.42.5-1.1+deb7u1
ii  libcups2   1.5.3-5+deb7u6
ii  libgssapi-krb5-2   1.10.1+dfsg-5+deb7u7
ii  libk5crypto3   1.10.1+dfsg-5+deb7u7
ii  libkrb5-3  1.10.1+dfsg-5+deb7u7
ii  libldap-2.4-2  

Bug#625796: Bug still here...

[Marco Gaiarin]

Just upgraded to jessie:

 tank:~# apt-cache show arpwatch | grep ^Version:
 Version: 2.1a15-1.3

Bug is still here.

Bug#819717: ntopng crash and restart with error *** stack smashing detected ***

[Marco Gaiarin]

Package: ntopng
Version: 1.2.1+dfsg1-1.1
Severity: normal

Dear Maintainer,

I've just installed 'ntopng', but roughly 4-6 times/hour, the daemon bombs
out with the error at subject.

I've tried to limit the number of interfaces to listen to, but nothing
changed.

Attached, an excerption of syslog.

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ntopng depends on:
ii  init-system-helpers  1.22
ii  libc62.19-18+deb8u3
ii  libgcc1  1:4.9.2-10
ii  libgeoip11.6.2-4
ii  libhiredis0.10   0.11.0-4
ii  libjson-c2   0.11-4
ii  libluajit-5.1-2  2.0.3+dfsg-3
ii  libndpi1a1.5.0-1
ii  libpcap0.8   1.6.2-2
ii  librrd4  1.4.8-1.2
ii  libsqlite3-0 3.8.7.1-1+deb8u1
ii  libstdc++6   4.9.2-10
ii  libzmq3  4.0.5+dfsg-2+deb8u1
ii  ntopng-data  1.2.1+dfsg1-1.1
ii  redis-server 2:2.8.17-1+deb8u3

ntopng recommends no packages.

Versions of packages ntopng suggests:
ii  geoip-database-contrib  1.17+nmu1

-- Configuration Files:
/etc/default/ntopng changed:
INTERFACES="eth0 eth0.3"
HTTP_PORT=3000
ADD_ARGS=""


-- no debconf information
Apr  1 12:30:01 tank sh[27592]: *** stack smashing detected ***: 
/usr/sbin/ntopng terminated
Apr  1 12:30:01 tank sh[27592]: === Backtrace: =
Apr  1 12:30:01 tank sh[27592]: 
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb712b773]
Apr  1 12:30:01 tank sh[27592]: 
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb71bbb85]
Apr  1 12:30:01 tank sh[27592]: 
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfcb3a)[0xb71bbb3a]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(_fini+0x0)[0xb770e174]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(+0xf61c)[0xb76da61c]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(+0x18f54)[0xb76e3f54]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(+0x27347)[0xb76f2347]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(+0x2efd2)[0xb76f9fd2]
Apr  1 12:30:01 tank sh[27592]: 
/usr/lib/i386-linux-gnu/libluajit-5.1.so.2(+0x65ff)[0xb75bb5ff]
Apr  1 12:30:01 tank sh[27592]: 
/usr/lib/i386-linux-gnu/libluajit-5.1.so.2(lua_pcall+0x44)[0xb75fed24]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(+0x33015)[0xb76fe015]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(+0x10413)[0xb76db413]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(+0x106c3)[0xb76db6c3]
Apr  1 12:30:01 tank sh[27592]: /usr/sbin/ntopng(+0x106fc)[0xb76db6fc]
Apr  1 12:30:01 tank sh[27592]: 
/lib/i386-linux-gnu/i686/cmov/libpthread.so.0(+0x6efb)[0xb73c8efb]
Apr  1 12:30:01 tank sh[27592]: 
/lib/i386-linux-gnu/i686/cmov/libc.so.6(clone+0x5e)[0xb71aaede]
Apr  1 12:30:01 tank sh[27592]: === Memory map: 
Apr  1 12:30:01 tank sh[27592]: ae50-ae59 rw-p  00:00 0
Apr  1 12:30:01 tank sh[27592]: ae59-ae60 ---p  00:00 0
Apr  1 12:30:01 tank sh[27592]: ae70-ae90 rw-p  00:00 0
Apr  1 12:30:01 tank sh[27592]: ae90-aea0 rw-p  00:00 0
Apr  1 12:30:01 tank sh[27592]: aeafe000-aeaff000 ---p  00:00 0
Apr  1 12:30:01 tank sh[27592]: aeaff000-af2ff000 rwxp  00:00 0 
 [stack:27610]
Apr  1 12:30:01 tank sh[27592]: af2ff000-af30 ---p  00:00 0
Apr  1 12:30:01 tank sh[27592]: af30-afb0 rwxp  00:00 0 
 [stack:27609]
Apr  1 12:30:01 tank sh[27592]: afb0-afb25000 rw-p  00:00 0
Apr  1 12:30:01 tank sh[27592]: afb25000-afc0 ---p  00:00 0
Apr  1 12:30:01 tank sh[27592]: afc3e000-afcfe000 rw-p  00:00 0
Apr  1 12:30:01 tank sh[27592]: afcfe000-afcff000 ---p  00:00 0
Apr  1 12:30:01 tank sh[27592]: afcff000-b04ff000 rwxp  00:00 0 
 [stack:27605]
Apr  1 12:30:01 tank sh[27592]: b04ff000-b050 ---p  00:00 0
Apr  1 12:30:01 tank sh[27592]: b050-b0d0 rwxp  00:00 0 
 [stack:27604]
Apr  1 12:30:01 tank sh[27592]: b0d0-b0e0 rw-p  00:00 0
Apr  1 12:30:01 tank sh[27592]: b0e09000-b0ee9000 rw-p  00:00 0
Apr  1 12:30:01 tank kernel: [63254.162285] device eth0.3 left promiscuous mode
Apr  1 12:30:01 tank sh[27592]: b0ee9000-b0efc000 r-xp  08:01 146471
 /lib/i386-linux-gnu/i686/cmov/libresolv-2.19.so
Apr  1 12:30:01 tank sh[27592]: b0efc000-b0efd000 r--p 00012000 08:01 146471
 /lib/i386-linux-gnu/i686/cmov/libresolv-2.19.so
Apr  1 12:30:01 tank sh[27592]: b0efd000-b0efe000 rw-p 00013000 08:01 146471
 /lib/i386-linux-gnu/i686/cmov/libresolv-2.19.so
Apr  1 12:30:01 tank sh[27592]: b0efe000-b0f0 rw-p  00:00 0
Apr  1 12:30:01 tank sh[27592]: b0f0-b0f25000 rw-p  00:00 0
Apr  1 12:30:01 tank sh[27592]: 

Bug#760393: Some feedback...

[Marco Gaiarin]

> > Machine survive with wheezy kernel for a week, so seems to me that
> > firmware upgrade (and/or wheezy kernel upgrades ;) cure the trouble.

> It'd be appreciated if you can inform the version of running kernel
> and version of upgraded firmware.
> This may be helpful to those having the same hardware.

It is true, i was sure i've just post on that bug the info, but...
clearly no.

The controller was (is):

 Smart Array 641 in Slot 3
   Bus Interface: PCI
   Slot: 3
   Serial Number: P92270P9SSC1BM
   RAID 6 (ADG) Status: Disabled
   Controller Status: OK
   Hardware Revision: B
   Firmware Version: 2.34
   Rebuild Priority: Low
   Expand Priority: Low
   Surface Scan Delay: 15 secs
   Surface Scan Mode: Idle
   Post Prompt Timeout: 0 secs
   Cache Board Present: True
   Cache Status: OK
   Cache Ratio: 100% Read / 0% Write
   Total Cache Size: 64 MB
   Total Cache Memory Available: 32 MB
   No-Battery Write Cache: Disabled
   Battery/Capacitor Count: 0
   SATA NCQ Supported: False

so was firmware 2.34, now upgraded to latest (2.84).


Kernel was (is) linux-image-3.2.0-4-686-pae, version 3.2.68-1+deb7u4.

Bug#760393: Some feedback...

[Marco Gaiarin]

I've finally decomissioned the server, so i've get some time (and
courage ;) to upgrade controller firmware to latest version (2.84) and
do some test (server was off network, but with service online and with
clamscan running on a loop continuously).

Machine survive with wheezy kernel for a week, so seems to me that
firmware upgrade (and/or wheezy kernel upgrades ;) cure the trouble.

Probably the server will be trashed, anyway...

Bug#816601: squid3: After last LTS upgrade, squid crash with 'assertion failed: forward.cc:298: "fd == server_fd"' error

[Marco Gaiarin]

Package: squid3
Version: 3.1.6-1.2+squeeze6
Severity: important


After applying the last 'squeeze-lts' update, eg upgrading to,
3.1.6-1.2+squeeze6, squid3 start to complain about the error on subject:

'assertion failed: forward.cc:298: "fd == server_fd"

in cache.log; normally squid ''resume'' from that error (probably,
restarting), but sooner or later die.

No other error happen on cache.log, nor there's change in configuration
before and after the upgrade.


Thanks.

-- System Information:
Debian Release: 6.0.10
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable-updates'), (500, 
'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages squid3 depends on:
ii  adduser   3.112+nmu2 add and remove users and groups
ii  libc6 2.11.3-4+deb6u11   Embedded GNU C Library: Shared lib
ii  libcap2   1:2.19-3   support for getting/setting POSIX.
ii  libcomerr21.41.12-4+deb6u2   common error description library
ii  libdb4.8  4.8.30-2   Berkeley v4.8 Database Libraries [
ii  libexpat1 2.0.1-7+squeeze2   XML parsing C library - runtime li
ii  libgcc1   1:4.4.5-8  GCC support library
ii  libgssapi-krb5-2  1.8.3+dfsg-4squeeze11  MIT Kerberos runtime libraries - k
ii  libk5crypto3  1.8.3+dfsg-4squeeze11  MIT Kerberos runtime libraries - C
ii  libkrb5-3 1.8.3+dfsg-4squeeze11  MIT Kerberos runtime libraries
ii  libldap-2.4-2 2.4.23-7.3+deb6u2  OpenLDAP libraries
ii  libltdl7  2.2.6b-2   A system independent dlopen wrappe
ii  libpam0g  1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii  libsasl2-22.1.23.dfsg1-7 Cyrus SASL - authentication abstra
ii  libstdc++64.4.5-8The GNU Standard C++ Library v3
ii  libxml2   2.7.8.dfsg-2+squeeze16 GNOME XML library
ii  logrotate 3.7.8-6Log rotation utility
ii  lsb-base  3.2-23.2squeeze1   Linux Standard Base 3.2 init scrip
ii  netbase   4.45   Basic TCP/IP networking system
ii  squid3-common 3.1.6-1.2+squeeze6 A full featured Web Proxy cache (H

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf (no description available)
ii  smbclient2:3.5.6~dfsg-3squeeze13 command-line SMB/CIFS clients for 
pn  squid-cgi  (no description available)
ii  squidclient  3.1.6-1.2+squeeze6  A full featured Web Proxy cache (H

-- Configuration Files:
/etc/squid3/squid.conf changed [not included]

-- no debconf information

Bug#811402: isc-dhcp-server: dhcpd now look at /etc/dhcpd.conf for config file...

[Marco Gaiarin]

Package: isc-dhcp-server
Version: 4.1.1-P1-15+squeeze9
Severity: important


I've upgraded the package using squeeze-lts, but the newer version does not
start, complaining about:

Jan 15 08:21:55 opitergium dhcpd: Can't open /etc/dhcpd.conf: No such 
file or directory

Seems to me a packaging error, the config file is on /etc/dhcp/dhcpd.conf!

I've quickly fixed with a simbolic link, but i thing that need to be
repackaged...

-- System Information:
Debian Release: 6.0.10
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable-updates'), (500, 
'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages isc-dhcp-server depends on:
ii  debconf [debconf-2. 1.5.36.1 Debian configuration management sy
ii  debianutils 3.4  Miscellaneous utilities specific t
ii  isc-dhcp-common 4.1.1-P1-15+squeeze9 common files used by all the isc-d
ii  libc6   2.11.3-4+deb6u8  Embedded GNU C Library: Shared lib
ii  lsb-base3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip

isc-dhcp-server recommends no packages.

Versions of packages isc-dhcp-server suggests:
pn  isc-dhcp-server-ldap   (no description available)

-- Configuration Files:
/etc/dhcp/dhcpd.conf changed [not included]

-- debconf information:
  isc-dhcp-server/config_warn:
  isc-dhcp-server/interfaces: eth0

Bug#658120: Applied RH patch and works!!!

[Marco Gaiarin]

I've tried Ubuntu patch but does not apply cleanly, probably is old...

I've applied insted the RH one (plain patch on:


http://pkgs.fedoraproject.org/cgit/cdrkit.git/plain/cdrkit-1.1.9-efi-boot.patch

) and recompiled cdrkit 1.1.11-3 sources: compile flawlessy and works as 
expected.


Please, add this patch!!!

Bug#658120: Another patch source...

[Marco Gaiarin]

I'm asking too to add EFI boot support; another patch (but, probably
the same) came from RH-based distro:


http://pkgs.fedoraproject.org/cgit/cdrkit.git/tree/cdrkit-1.1.9-efi-boot.patch

Please, add EFI boot support! Thanks.

Bug#799259: cups-filters: Messy dependencies between cups-filters and foomatic-filters...

[Marco Gaiarin]

Mandi! Till Kamppeter
  In chel di` si favelave...

Only two note.

> 2. beh with standard permissions only works with backends with
> standard permissions. root-only backends (with executable bit only
> for root) only work through beh if one assigns the same root-only
> permissions to beh, making also normal backends used through beh
> running as root. Any suggestions for handling this permission
> problem are welcome.

This ''permission mess'' on cups backend is another story, and another
bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702227

really, i've not understood why there's permission restriction, and how
circumvent it.
I admit that using ''chained backend'' is not a common setup, but cups
support it, while seems that breaks their ''security model''.

It is at least not clear. Probably is an upstream thing, but...


> As a quick solution on the side of the distribution I would split
> the binary packages of foomatic-filters to have one containing
> foomatic-rip (for the rare non-CUPS printing system users) and one
> containing beh (for the rare cups+beh users).

Consider also to simply add a row on README.Debian or something like
that: 'beh' is a very simply perl script, with no exotic perl deps, so
probably some row that explain how to download and install perl will
suffices, at least for now.


Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/25/index.php/component/k2/item/123
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Bug#799259: cups-filters: Messy dependencies between cups-filters and foomatic-filters...

[Marco Gaiarin]

> Indeed, it seems that you can't. I can confirm that cups and
> foomatic-filters are not coinstallable, at least since jessie.

Many thanks for the info.

> Till: should 'beh' be shipped in cups-filters too, or is there an
> alternative to it between cups and cups-filters. Alternatively, should
> we split 'beh' off foomatic-filters?

And also for that, whatever option you choose. ;-)

Bug#799259: cups-filters: Messy depenedencies between cups-filters and foomatic-filters...

[Marco Gaiarin]

Package: cups-filters
Version: 1.0.61-5+deb8u1
Severity: normal

Dear Maintainer,

i've just installed my first 'jessue' server, and trying to configure CUPS
i've it a trouble.

Little note: i've found in past year (and debian version) some trouble
handling some printer: it is normally due to firmware or driver (windows
driver) bugs, but in some case i use the 'beh' backend (backend error
handler, 
http://www.linuxfoundation.org/collaborate/workgroups/openprinting/database/backenderrorhandler)
to cure or at least circumvent that trouble.

Normally, on older debian revision, beh get installed by default. Not on
jessie.

Looking on file search:


https://packages.debian.org/search?searchon=contents=beh=path=stable=any

i've found that the 'beh' backend is in the 'foomatic-filters' package.
Good.

But:
 root@brucaliffo:/tmp/mailto# LANG=C apt-get install foomatic-filters
 Reading package lists... Done
 Building dependency tree   
 Reading state information... Done
 The following packages will be REMOVED:
   cups cups-filters printer-driver-gutenprint
 The following NEW packages will be installed:
   foomatic-filters
 0 upgraded, 1 newly installed, 3 to remove and 0 not upgraded.
 Need to get 159 kB of archives.
 After this operation, 2673 kB disk space will be freed.
 Do you want to continue? [Y/n] 

Not so good. The trouble seems to come from a dependency mess, eg:

 root@brucaliffo:/tmp/mailto# apt-cache show cups | egrep 
"^(Depends|Recommends|Conflicts):"
 Depends: libavahi-client3 (>= 0.6.16), libavahi-common3 (>= 0.6.16), libc6 (>= 
2.16), libcups2 (= 1.7.5-11+deb8u1), libcupscgi1 (>= 1.4.2), libcupsimage2 (>= 
1.4.0), libcupsmime1 (>= 1.4.0), libcupsppdc1 (>= 1.4.0), libgcc1 (>= 1:4.1.1), 
libstdc++6 (>= 4.1.1), libusb-1.0-0 (>= 2:1.0.8), debconf (>= 1.2.9) | 
debconf-2.0, libc-bin (>= 2.13), cups-core-drivers (>= 1.7.5-11+deb8u1), 
cups-daemon (>= 1.7.5-11+deb8u1), poppler-utils (>= 0.12), procps, ghostscript 
(>= 9.02~), lsb-base (>= 3.2-14~), cups-common (>= 1.7.5-11+deb8u1), 
cups-server-common (>= 1.7.5-11+deb8u1), cups-client (>= 1.7.5-11+deb8u1), 
cups-ppdc, cups-filters (>= 1.0.24-3~)
 Recommends: avahi-daemon, colord, cups-filters (>= 1.0.42) | foomatic-filters 
(>= 4.0), printer-driver-gutenprint, cups-filters (>= 1.0.36) | 
ghostscript-cups (>= 9.02~)
 root@brucaliffo:/tmp/mailto# apt-cache show cups-filters | egrep 
"^(Depends|Recommends|Conflicts):"
 Depends: libc6 (>= 2.15), libcups2 (>= 1.7.0), libcupsfilters1 (>= 1.0.58), 
libcupsimage2 (>= 1.4.0), libfontconfig1 (>= 2.11), libfontembed1 (>= 1.0.31), 
libgcc1 (>= 1:4.1.1), libijs-0.35 (>= 0.35), liblcms2-2 (>= 2.2+git20110628), 
libpoppler46 (>= 0.26.5), libqpdf13 (>> 5.0.0~), libstdc++6 (>= 4.1.1), 
cups-filters-core-drivers (>= 1.0.61-5+deb8u1), bc, ghostscript (>= 9.02~)
 Recommends: colord
 Conflicts: foomatic-filters, ghostscript-cups
 root@brucaliffo:/tmp/mailto# apt-cache show foomatic-filters | egrep 
"^(Depends|Recommends|Conflicts):"
 Depends: libc6 (>= 2.14), libdbus-1-3 (>= 1.0.2), debconf (>= 0.5) | 
debconf-2.0, ucf (>= 0.30)
 Recommends: cups-client | lpr | lprng | rlpr, ghostscript, cups | enscript | 
a2ps | mpage, poppler-utils (>= 0.11.2), colord

eg, cups both depends and recommend 'cups-filters', cups-filters conflicts
with foomatic-filters and foomatic-filters recommends cups.


Seems so strange to me... how can i install the 'beh' backend?


Thanks.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cups-filters depends on:
ii  bc 1.06.95-9
ii  cups-filters-core-drivers  1.0.61-5+deb8u1
ii  ghostscript9.06~dfsg-2+deb8u1
ii  libc6  2.19-18+deb8u1
ii  libcups2   1.7.5-11+deb8u1
ii  libcupsfilters11.0.61-5+deb8u1
ii  libcupsimage2  1.7.5-11+deb8u1
ii  libfontconfig1 2.11.0-6.3
ii  libfontembed1  1.0.61-5+deb8u1
ii  libgcc11:4.9.2-10
ii  libijs-0.350.35-10
ii  liblcms2-2 2.6-3+b3
ii  libpoppler46   0.26.5-2
ii  libqpdf13  5.1.2-2
ii  libstdc++6 4.9.2-10

Versions of packages cups-filters recommends:
ii  colord  1.2.1-1+b2

Versions of packages cups-filters suggests:
pn  foomatic-db-compressed-ppds | foomatic-db  

-- no debconf information

Bug#659261: linux: Re: [linux-headers-3.2.0-1-common] Dangling symlink to Kbuild

[Marco Gaiarin]

 The 'scripts' symlinks break if you make /usr/src a symlink to
 somewhere else.  Don't do that.

AARRGGHH! Sorry!!! I've really not minded about the /usr/src link,
that, it is true, i do on /var/src.

Again, sorry... ;(((

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/25/index.php/component/k2/item/123
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#760303: squid3: squid 3.3.8-1.2 segfaults during initscript start/restart

[Marco Gaiarin]

Package: squid3
Version: 3.4.8-6
Followup-For: Bug #760303

Dear Maintainer,

I confirm mee too the bug, using c-ical 0.3.5 and squidclamav
recompiled/repackaged from latest source:

 root@brucaliffo:~# dpkg -l | grep icap
 ii  c-icap 1:0.3.5-0gaio1   
amd64ICAP server implementation
 ii  libc-icap-mod-squidclamav  6.12-0gaio1  
amd64ICAP Antivirus Service for c-icap
 ii  libicapapi-dev 1:0.3.5-0gaio1   
amd64ICAP API library development files
 ii  libicapapi31:0.3.5-0gaio1   
amd64ICAP API library

my current relevant squid configuration:

 root@brucaliffo:~# grep -v ^# /etc/squid3/conf.d/80extension.conf | grep -v ^$
 url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/guard/squidGuard.conf
 url_rewrite_children 10
 icap_enableon
 adaptation_send_client_ip  on
 adaptation_send_username   on
 icap_preview_enableon
 icap_preview_size  5 MB
 icap_service   service_av_req reqmod_precache bypass=1 
icap://localhost:1344/squidclamav
 icap_service   service_av_resp respmod_precache bypass=1 
icap://localhost:1344/squidclamav
 adaptation_service_set class_av_req service_av_req
 adaptation_service_set class_av_resp service_av_resp
 adaptation_access  class_av_req deny CONNECT
 adaptation_access  class_av_req allow all
 adaptation_access  class_av_resp deny CONNECT
 adaptation_access  class_av_resp allow all

I hope also i on a point release with the patch that solve this trouble.

Thanks.

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages squid3 depends on:
ii  adduser  3.113+nmu3
ii  libc62.19-18
ii  libcap2  1:2.24-8
ii  libcomerr2   1.42.12-1.1
ii  libdb5.3 5.3.28-9
ii  libecap2 0.2.0-3
ii  libexpat12.1.0-6+b3
ii  libgcc1  1:4.9.2-10
ii  libgssapi-krb5-2 1.12.1+dfsg-19
ii  libk5crypto3 1.12.1+dfsg-19
ii  libkrb5-31.12.1+dfsg-19
ii  libldap-2.4-22.4.40+dfsg-1
ii  libltdl7 2.4.2-1.11
ii  libnetfilter-conntrack3  1.0.4-1
ii  libnettle4   2.7.1-5
ii  libpam0g 1.1.8-3.1
ii  libsasl2-2   2.1.26.dfsg1-13
ii  libstdc++6   4.9.2-10
ii  libxml2  2.9.1+dfsg1-5
ii  logrotate3.8.7-1+b1
ii  lsb-base 4.1+Debian13+nmu1
ii  netbase  5.3
ii  squid3-common3.4.8-6

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf   none
ii  smbclient2:4.1.17+dfsg-2
pn  squid-cginone
pn  squid-purge  none
ii  squidclient  3.4.8-6
pn  ufw  none
pn  winbindd none

-- Configuration Files:
/etc/squid3/squid.conf changed [not included]

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#659261: linux: Re: [linux-headers-3.2.0-1-common] Dangling symlink to Kbuild

[Marco Gaiarin]

Package: linux-headers-3.16.0-4-common
Version: 3.16.7-ckt11-1
Followup-For: Bug #659261

Dear Maintainer,

I've still found that trouble on current kernel version for jessie.

Seems to me that relative links is the culprit. I've quickly fixed with:

cd /usr/src/linux-headers-3.16.0-4-common
rm scripts; ln -s /usr/lib/linux-kbuild-3.16/scripts .

cd /usr/src/linux-headers-3.16.0-4-amd64
rm scripts; ln -s /usr/lib/linux-kbuild-3.16/scripts .

(yes, the bug apply also to linux-headers-3.16.0-4-amd64).


After that, my modules (Oracle VirtualBox debian packages) compile
flawlessy.


Thanks.

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#793196: squidguard: /usr/sbin/update-squidguard does not run, now the shell of the 'proxy' user is invalid

[Marco Gaiarin]

Package: squidguard
Version: 1.5-4
Severity: important

Dear Maintainer,

I've installed and configured squidguard, adding some loca custom lists and
some lists from common repository.

But squidguard does not run, and squid3 ''crash'' because of repeated
failures of the redirector.

After fiddling a bit, i've found that database get not built, because the
script /usr/sbin/update-squidguard cannot run the update process:

 root@brucaliffo:~# bash -x /usr/sbin/update-squidguard 
 + set -e
 + '[' 0 -gt 0 ']'
 + CONFDIR=/etc/squidguard
 + CONFOLD=/etc/squid
 + CONFFILE=squidGuard.conf
 + DATADIR=
 + DBVFILE=
 + DB_ACT=
 + DB_OLD=
 + REBUILD=y
 + INITRUN=
 + test '!' -e /etc/squidguard/squidGuard.conf
 + '[' '!' -z ']'
 + test -d /etc/squidguard
 + test '!' -e /etc/squidguard/squidGuard.conf
 + chown proxy:proxy /etc/squidguard/squidGuard.conf
 + chmod 0640 /etc/squidguard/squidGuard.conf
 ++ grep '^dbhome' /etc/squidguard/squidGuard.conf
 ++ cut '-d ' -f2
 + DATADIR=/var/lib/squidguard/db
 + DBVFILE=/var/lib/squidguard/db/../dbversion
 + '[' '!' -z ']'
 + test -d /var/lib/squidguard/db
 ++ ls -1 /var/lib/squidguard/db
 ++ wc -l
 + '[' 4 -eq 0 ']'
 + chown -R proxy:proxy /var/lib/squidguard/db
 + find /var/lib/squidguard/db -type d
 + xargs chmod 2750
 + '[' '!' -z ']'
 ++ squidGuard -v
 ++ sed 's/.*DB\ \(.*\):.*/\1/'
 + DB_ACT=5.3.28
 + '[' '!' -z ']'
 + '[' y = y ']'
 + echo 'Rebuild SquidGuard database - this can take a while.'
 Rebuild SquidGuard database - this can take a while.
 + su - proxy -c 'squidGuard  -C all'
 This account is currently not available.

After fiddling a bit, i've found the culprit: now the shell of the 'proxy'
user is invalid:

 root@brucaliffo:~# getent passwd proxy
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

A simple patch solves the trouble. Attached.

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages squidguard depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  libc6  2.19-18
ii  libdb5.3   5.3.28-9
ii  libldap-2.4-2  2.4.40+dfsg-1

Versions of packages squidguard recommends:
ii  liburi-perl  1.64-1
ii  libwww-perl  6.08-1
ii  squid3   3.4.8-6

Versions of packages squidguard suggests:
ii  ldap-utils  2.4.40+dfsg-1
pn  squidguard-doc  none

-- Configuration Files:
/etc/squidguard/squidGuard.conf.default [Errno 13] Permesso negato: 
u'/etc/squidguard/squidGuard.conf.default'

-- debconf information:
  squidguard/dbreload: true
--- /usr/sbin/update-squidguard.orig	2015-07-22 11:59:24.239042429 +0200
+++ /usr/sbin/update-squidguard	2015-07-22 12:00:19.403036392 +0200
@@ -91,7 +91,7 @@
 # rebuild database if needed
 if [ $REBUILD = y ]; then
   echo Rebuild SquidGuard database - this can take a while.  2
-  su - proxy -c squidGuard ${VBPAR} -C all
+  su -s /bin/sh -c 'squidGuard ${VBPAR} -C all' - proxy
   # update info file with Berkeley DB version
   echo ${DB_ACT}  ${DBVFILE}
   [ ! -z $VERBOSE ]  echo Rebuild done.  2

Bug#785130: Newer version available, new upstream mantainer

[Marco Gaiarin]

Package: clamav-unofficial-sigs
Version: 3.7.2-2

As announced in sanesecurity_announce list:


https://www.freelists.org/post/sanesecurity_announce/Download-Script-eXtremeSHOK,1

project got a new mantainer and got version 4:

https://github.com/extremeshok/clamav-unofficial-sigs


Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#779133: Ok, solved, but still a strange thing...

[Marco Gaiarin]

After updating also the NFS server, after fiddling a bit with NFS
parameters, after hitting my head around the room... i've found a
solution.

AFAIK NFSv3 use a ''nonstandard'' ACL mechanism that works well only
for POSIX ACL, while NFSv4 use a more complex one, suited to take into
account different ACL schemas.
I use POSIX ACL, so NFSv3 is well suited for me.

Simply i've had in /etc/fstab:

dixie:/srv/wviola/sources /srv/wviola/sources nfs acl   0   0

and worked perfeclty[1] just before rebooting the NFS client machine.
Now i was forced to put instead:

dixie:/srv/wviola/sources /srv/wviola/sources nfs nfsvers=3,acl 0   0

so seems to me that ''something'' changed the default NFS version from
3 to 4.


Trying to downgrade lead me to the suspect that the guilty is not the
kernel; but really i've gone back on upgrade history and found nothing
related to NFS of mount upgraded recently...


Boh...


[1]: i was sure because i've a cron script that hourly try to mangle ACLs,
 and never complained about missing ACL before the reboot...


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#779133: linux-image-3.2.0-4-amd64: After latest security upgrade, acl on NFS exported share stop working

[Marco Gaiarin]

Package: src:linux
Version: 3.2.65-1+deb7u2
Severity: important

Dear Maintainer,

I've just upgrade this server with the lates security packages, most notably 
the latest kernel. This server act as a NFS *client*
mounting nfs shares with ACL.

After rebooting the box, shares get mounted but without ACL, and whithout any 
error/warning.

On source server (also a debian wheezy) and filesystem nothing changed, and ACL 
are correctly there.


Thanks.

-- Package-specific info:
** Version:
Linux version 3.2.0-4-amd64 (debian-ker...@lists.debian.org) (gcc version 4.6.3 
(Debian 4.6.3-14) ) #1 SMP Debian 3.2.65-1+deb7u2

** Command line:
BOOT_IMAGE=/boot/vmlinuz-3.2.0-4-amd64 
root=UUID=b9da6c4b-9450-4a85-9ff3-30210ce219cd ro quiet

** Tainted: O (4096)
 * Out-of-tree module has been loaded.

** Kernel log:
[5.460114] [TTM] Initializing DMA pool allocator
[5.460139] [drm] radeon: 16M of VRAM memory ready
[5.460141] [drm] radeon: 512M of GTT memory ready.
[5.460166] [drm] GART: num cpu pages 131072, num gpu pages 131072
[5.461029] [drm] radeon: ib pool ready.
[5.481520] [drm] PCIE GART of 512M enabled (table at 0x3708).
[5.481554] radeon :0f:02.0: WB disabled
[5.481558] [drm] fence driver on ring 0 use gpu addr 0xb000 and cpu 
addr 0x880037034000
[5.481562] [drm] Supports vblank timestamp caching Rev 1 (10.10.2010).
[5.481564] [drm] Driver supports precise vblank timestamp query.
[5.481580] [drm] radeon: irq initialized.
[5.481650] [drm] Loading R100 Microcode
[5.522851] platform radeon_cp.0: firmware: agent loaded radeon/R100_cp.bin 
into memory
[5.523391] [drm] radeon: ring at 0xB0001000
[5.523414] [drm] ring test succeeded in 1 usecs
[5.523832] [drm] ib test succeeded in 0 usecs
[5.524069] [drm] No TV DAC info found in BIOS
[5.524072] [drm] No valid Ext TMDS info found in BIOS
[5.524111] [drm] Radeon Display Connectors
[5.524113] [drm] Connector 0:
[5.524115] [drm]   VGA
[5.524117] [drm]   DDC: 0x60 0x60 0x60 0x60 0x60 0x60 0x60 0x60
[5.524119] [drm]   Encoders:
[5.524121] [drm] CRT1: INTERNAL_DAC1
[5.524123] [drm] Connector 1:
[5.524124] [drm]   DVI-I
[5.524126] [drm]   HPD2
[5.524128] [drm]   DDC: 0x6c 0x6c 0x6c 0x6c 0x6c 0x6c 0x6c 0x6c
[5.524130] [drm]   Encoders:
[5.524131] [drm] CRT2: INTERNAL_DAC2
[5.524133] [drm] DFP2: INTERNAL_DVO1
[5.561093] [drm] fb mappable at 0xD004
[5.561095] [drm] vram apper at 0xD000
[5.561097] [drm] size 786432
[5.561098] [drm] fb depth is 8
[5.561100] [drm]pitch is 1024
[5.561177] fbcon: radeondrmfb (fb0) is primary device
[6.039650] Console: switching to colour frame buffer device 128x48
[6.047151] fb0: radeondrmfb frame buffer device
[6.047153] drm: registered panic notifier
[6.047159] [drm] Initialized radeon 2.16.0 20080528 for :0f:02.0 on 
minor 0
[6.551594] EXT3-fs (md0): using internal journal
[6.764051] loop: module loaded
[7.320640] it87: Found IT8718F chip at 0x290, revision 1
[7.320650] it87: VID is disabled (pins used for GPIO)
[7.320824] it87 it87.656: Detected broken BIOS defaults, disabling PWM 
interface
[7.332092] md: md1 stopped.
[7.354889] md: bindsdb2
[7.368900] md: bindsda2
[7.370264] md/raid1:md1: active with 2 out of 2 mirrors
[7.370290] md1: detected capacity change from 0 to 10001842176
[7.385703]  md1: unknown partition table
[7.532131] md: md2 stopped.
[7.533581] md: bindsdb5
[7.533728] md: bindsda5
[7.567358] md/raid1:md2: active with 2 out of 2 mirrors
[7.567386] md2: detected capacity change from 0 to 50001346560
[7.581088]  md2: unknown partition table
[7.846632] md: md3 stopped.
[7.848571] md: bindsdb6
[7.848753] md: bindsda6
[7.883843] md/raid1:md3: active with 2 out of 2 mirrors
[7.883867] md3: detected capacity change from 0 to 500082
[7.885668]  md3: unknown partition table
[8.115196] md: md4 stopped.
[8.116543] md: bindsdb7
[8.116716] md: bindsda7
[8.208678] md/raid1:md4: active with 2 out of 2 mirrors
[8.208706] md4: detected capacity change from 0 to 184048746496
[8.210441]  md4: unknown partition table
[8.828770] Adding 4883644k swap on /dev/md3.  Priority:-1 extents:1 
across:4883644k 
[9.374570] kjournald starting.  Commit interval 5 seconds
[9.374593] EXT3-fs (md1): mounted filesystem with ordered data mode
[9.444277] SGI XFS with ACLs, security attributes, realtime, large 
block/inode numbers, no debug enabled
[9.444608] SGI XFS Quota Management subsystem
[9.463478] XFS (md2): Mounting Filesystem
[9.560922] XFS (md2): Ending clean mount
[9.604153] XFS (md4): Mounting Filesystem
[9.750919] XFS (md4): Ending clean mount
[   10.964268] e1000e :04:00.0: irq 68 for MSI/MSI-X
[   11.068055] e1000e :04:00.0: irq 68 for MSI/MSI-X
[   11.069273] 

Bug#779133: Reverted back, still NO ACL... Boh...

[Marco Gaiarin]

I've downloaded, installed by hand the previous kernel, and rebooted the
server.

After that:

 invernomuto:~# uname -a
 Linux invernomuto 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64 GNU/Linux

so i'm using the old kernel, but still ACL on NFS does not work...


So i've downloaded from snapshot the kernel that run the NFS server,
and now:

 invernomuto:~# uname -a
 Linux invernomuto 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u2 x86_64 GNU/Linux

but still with that kernel ACL is missing... i'm confused...


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#740718: rkhunter: i18n db update of lang en keyword NETWORK_PROMISC_NO_IP missing

[Marco Gaiarin]

Package: rkhunter
Version: 1.4.0-1
Followup-For: Bug #740718

Dear Maintainer,

just upgraded to wheezy, i can confirm the bug, at every daily run i get:

 Error: Invalid display - keyword cannot be found: Display line: display --to 
LOG --type INFO NETWORK_PORTS_DISABLE_PATHS
 Error: Invalid display - keyword cannot be found: Display line: display --to 
LOG --type INFO NETWORK_PORTS_DISABLE_PATHS

I've simply fixed that adding to /var/lib/rkhunter/db/i18n/en something
like:

NETWORK_PORTS_DISABLE_PATHS:Don't bother me.

Thanks.

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rkhunter depends on:
ii  binutils   2.22-8+deb7u2
ii  debconf [debconf-2.0]  1.5.49
ii  file   5.11-2+deb7u7
ii  net-tools  1.60-24.2
ii  perl   5.14.2-21+deb7u2
ii  ucf3.0025+nmu3

Versions of packages rkhunter recommends:
ii  exim4-daemon-light [mail-transport-agent]  4.80-7+deb7u1
ii  iproute1:3.16.0-2~bpo70+1
pn  lsof   none
ii  lynx   2.8.8dev.12-2
ii  unhide 20110113-4
ii  wget   1.13.4-3+deb7u2

Versions of packages rkhunter suggests:
ii  bsd-mailx [mailx] 8.1.2-0.2006cvs-1+deb7u1
pn  libdigest-whirlpool-perl  none
ii  liburi-perl   1.60-1
ii  libwww-perl   6.04-1
ii  mailx 1:20071201-3
pn  powermgmt-basenone
pn  tripwire  none

-- Configuration Files:
/etc/default/rkhunter changed [not included]

-- debconf information:
  rkhunter/apt_autogen:
  rkhunter/cron_daily_run: yes
  rkhunter/cron_db_update: yes


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#775939: ntop: segfault in libntop-4.99.3

[Marco Gaiarin]

Package: ntop
Version: 3:4.99.3+ndpi5517+dfsg3-1
Severity: normal

Caro Ludovico,

I've just upgraded a firewall from squeeze (using ntop from backports) to
wheezy, and now (keeping the same config) ntop run for about a minute, then
sigsev (even not accessing at all the web interface):

  Jan 21 11:12:15 tank kernel: [59862.329359] ntop[11288]: segfault at 30 ip 
b755d440 sp b1707e10 error 6 in libntop-4.99.3.so[b7529000+7d000]

Say me if more info are needed. Thanks.

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ntop depends on:
ii  adduser3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6  2.13-38+deb7u6
ii  libgdbm3   1.8.3-11
ii  libgeoip1  1.4.8+dfsg-3
ii  libpcap0.8 1.3.0-1
ii  libpython2.7   2.7.3-6+deb7u2
ii  librrd41.4.7-2
ii  net-tools  1.60-24.2
ii  ntop-data  3:4.99.3+ndpi5517+dfsg3-1
ii  passwd 1:4.1.5.1-1
ii  python-mako0.7.0-1.1
ii  zlib1g 1:1.2.7.dfsg-13

ntop recommends no packages.

Versions of packages ntop suggests:
pn  graphviz  none
ii  gsfonts   1:8.11+urwcyr1.0.7~pre44-4.2

-- Configuration Files:
/etc/default/ntop changed:
ENABLED=1
GETOPT=-n 0 --no-interface-merge \
--http-server 10.5.1.254:3000 --refresh-time 300

/etc/ntop/protocol.list changed:
FTP=ftp|ftp-data,PROXY=3128|8080,HTTP=http|www|https,DNS=name|domain,Mail=pop-2|pop-3|kpop|pop3s|smtp|imap|imap2|imaps,SNMP=snmp|snmp-trap,SSH=ssh,RDP=3389,ICA=1494|1604,VNC=5800-5806|5900-5906,DB=mysql|postgresql|1521,SecureLOG=720,Messenger=1863|5000|5001|5190-5193,Jabber=5222|5223


-- debconf information:
  ntop/admin_password_again: (password omitted)
  ntop/admin_password: (password omitted)
  ntop/password_mismatch:
* ntop/user: ntop
  ntop/password_empty:
* ntop/password_reset: false
* ntop/interfaces: eth0,eth0.3


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#695004: squid3: segfault on external_acl, i can confirm it!

[Marco Gaiarin]

Package: squid3
Version: 3.1.20-2.2+deb7u2
Followup-For: Bug #695004

Caro Luigi,

I've had previously commented bug #486211, and i don't know if they are the
same, but surely the trouble came from 'external_acl'.
In that comment i say that in two similar system depicted the trouble, the
other no: clearly, only on the troubling one i've defined my 'skype' ACL...


I've in use an ACL to prevent skype use, apart some hosts (with fixed IP) or
by some users (some group membership).

My configuration is:

  auth_param ntlm program /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp --domain=SANVITO 
--require-membership-of=SANVITO\\domusers
  auth_param ntlm children 5

  external_acl_type check_ntgroup %LOGIN /usr/lib/squid3/wbinfo_group.pl
  acl auth_required proxy_auth REQUIRED
  acl CONNECT method CONNECT
  acl block_skype url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  acl users_skype external check_ntgroup ispac ced dirammre
  acl skype src /etc/squid3/lists/skype.list
  acl apertura time MTWHF 08:00-18:00

  http_access allow CONNECT block_skype apertura skype
  http_access allow CONNECT block_skype apertura auth_required users_skype
  http_access deny CONNECT block_skype apertura

With this setup, everytime i try to access Skype (or, indeed, an https site
using ip literal) squid require me auth, seems to accept it but refuse to
connect.

After testing all pieces of tools (eg, /usr/bin/ntlm_auth and
/usr/lib/squid3/wbinfo_group.pl) and found it working, i've finally
correlated the missing access with the sigsev, founding it fully
reproducible.

So, i've tried substituting ACL:
  http_access allow CONNECT block_skype apertura auth_required users_skype
with:
  http_access allow CONNECT block_skype apertura auth_required

and now skype works, ans squid does not sigsev.


Setting debug to 9 for external ACL i can see in cache.log:

 2015/01/21 16:41:07.920| aclMatchExternal: acl=check_ntgroup
 2015/01/21 16:41:07.920| aclMatchExternal: check_ntgroup(gaio ispac ced 
dirammre) = lookup needed
 2015/01/21 16:41:07.920| aclMatchExternal: gaio ispac ced dirammre: 
entry=@0, age=0
 2015/01/21 16:41:07.920| aclMatchExternal: gaio ispac ced dirammre: queueing 
a call.
 2015/01/21 16:41:07.920| aclMatchExternal: gaio ispac ced dirammre: return 
-1.
 2015/01/21 16:41:07.920| externalAclLookup: lookup in 'check_ntgroup' for 
'gaio ispac ced dirammre'
 2015/01/21 16:41:07.920| externalAclLookup: looking up for 'gaio ispac ced 
dirammre' in 'check_ntgroup'.
 2015/01/21 16:41:07.920| externalAclLookup: will wait for the result of 'gaio 
ispac ced dirammre' in 'check_ntgroup' (ch=0x7fc85b0128c8).
 2015/01/21 16:41:07.997| externalAclHandleReply: reply=OK
 2015/01/21 16:41:07.997| external_acl_cache_add: Adding 'gaio ispac ced 
dirammre' = 1
 2015/01/21 16:41:07.997| aclMatchExternal: acl=check_ntgroup
 2015/01/21 16:41:07.997| aclMatchExternal: check_ntgroup = 1
 2015/01/21 16:41:11| Starting Squid Cache version 3.1.20 for 
x86_64-pc-linux-gnu...

so, squid run correctly the external ACL script and only AFTER that hang.

Trying to put all ACL in debug mode, i've hit:

 2015/01/21 17:24:05.849| ACL::FindByName 'users_skype'
 2015/01/21 17:24:05.849| ACLChecklist::asyncInProgress: 0x7f330a6df098 async 
set to 1
 2015/01/21 17:24:05.849| aclmatchAclList: async=1 nodeMatched=0 
async_in_progress=1 lastACLResult() = 0 finished() = 0
 2015/01/21 17:24:05.926| ACLChecklist::asyncInProgress: 0x7f330a6df098 async 
set to 0
 2015/01/21 17:24:05.926| ACLChecklist::preCheck: 0x7f330a6df098 checking 
'http_access allow CONNECT block_skype apertura auth_required users_skype'
 2015/01/21 17:24:05.926| ACLList::matches: checking CONNECT
 2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'CONNECT'
 2015/01/21 17:24:05.926| ACL::ChecklistMatches: result for 'CONNECT' is 1
 2015/01/21 17:24:05.926| ACLList::matches: result is true
 2015/01/21 17:24:05.926| ACLList::matches: checking block_skype
 2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'block_skype'
 2015/01/21 17:24:05.926| aclRegexData::match: checking '151.49.25.89:443'
 2015/01/21 17:24:05.926| aclRegexData::match: looking for 
'^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
 2015/01/21 17:24:05.926| aclRegexData::match: match 
'^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' found in '151.49.25.89:443'
 2015/01/21 17:24:05.926| ACL::ChecklistMatches: result for 'block_skype' is 1
 2015/01/21 17:24:05.926| ACLList::matches: result is true
 2015/01/21 17:24:05.926| ACLList::matches: checking apertura
 2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'apertura'
 2015/01/21 17:24:05.926| aclMatchTime: checking 1044 in 0-0, weekbits=0
 2015/01/21 17:24:05.926| aclMatchTime: checking 1044 in 480-1080, weekbits=3e
 2015/01/21 17:24:05.926| ACL::ChecklistMatches: result for 'apertura' is 1
 2015/01/21 17:24:05.926| ACLList::matches: result is true
 2015/01/21 17:24:05.926| ACLList::matches: checking auth_required
 2015/01/21 17:24:05.926| ACL::checklistMatches: checking 'auth_required'
 

Bug#772154: process_usershare_file: stat of /var/lib/samba/usershares/netlogo failed. No such file or directory

[Marco Gaiarin]

Package: samba
Version: 2:3.6.6-6+deb7u4
Severity: minor


After upgrading from debian squeeze to debian wheezy (samba version
3.6.6-6+deb7u4; but i get the same thing on a newly installed debian wheezy
server), i can see on the logs many row like:

 [2014/11/29 09:29:07.026230,  0] param/loadparm.c:9114(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/netlogo failed. No 
such file or directory

note that:

1) i've no 'usershares' defined in smb.conf:

 root@armitage:~# testparm | grep usershare
 Load smb config files from /etc/samba/smb.conf
 rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
 Can't find include file /etc/samba/smb.conf.
 Processing section [printers]
 Processing section [print$]
 Processing section [netlogon]
 Processing section [larpch]
 Processing section [homes]
 Processing section [profiles]
 Processing section [wpkg]
 Processing section [Users]
 Loaded services file OK.
 Server role: ROLE_DOMAIN_BDC
 Press enter to see a dump of your service definitions

2) note the missing last character, eg '/var/lib/samba/usershares/netlogo'
and not '/var/lib/samba/usershares/netlogon'.

Apart log flood, all works as expected, it is only annoying.

Thanks.

(reported upstream as https://bugzilla.samba.org/show_bug.cgi?id=10987)

-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages samba depends on:
ii  adduser3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg   1.16.15
ii  libacl12.2.51-8
ii  libattr1   1:2.4.46-8
ii  libc6  2.13-38+deb7u6
ii  libcap21:2.22-1.2
ii  libcomerr2 1.42.5-1.1
ii  libcups2   1.5.3-5+deb7u4
ii  libgssapi-krb5-2   1.10.1+dfsg-5+deb7u2
ii  libk5crypto3   1.10.1+dfsg-5+deb7u2
ii  libkrb5-3  1.10.1+dfsg-5+deb7u2
ii  libldap-2.4-2  2.4.31-1+nmu2
ii  libpam-modules 1.1.3-7.1
ii  libpam-runtime 1.1.3-7.1
ii  libpam0g   1.1.3-7.1
ii  libpopt0   1.16-7
ii  libtalloc2 2.0.7+git20120207-1
ii  libtdb11.2.10-2
ii  libwbclient0   2:3.6.6-6+deb7u4
ii  lsb-base   4.1+Debian8+deb7u1
ii  procps 1:3.3.3-3
ii  samba-common   2:3.6.6-6+deb7u4
ii  update-inetd   4.43
ii  zlib1g 1:1.2.7.dfsg-13

Versions of packages samba recommends:
ii  logrotate  3.8.1-4
ii  tdb-tools  1.2.10-2

Versions of packages samba suggests:
pn  ctdb  none
pn  ldb-tools none
ii  openbsd-inetd [inet-superserver]  0.20091229-2
ii  smbldap-tools 0.9.10-0gaio3.1

-- debconf information:
  samba/run_mode: daemons
  samba-common/title:


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#658707: samba: NTLM CRAP authentication for workstation fails with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

[Marco Gaiarin]

Package: winbind
Version: 2:3.6.6-6+deb7u4
Followup-For: Bug #658707


I can confirm that this bug is present on wheezy, i've just upgraded from
squeeze to wheezy and hit that.

Googling around about that lead me to:
[1] http://www.packetfence.org/bugs/view.php?id=1318
and so to:
[2] https://lists.samba.org/archive/samba/2011-September/163991.html

but i've tried to dig around samba git repository to found the patch that
[1] say supposed fixed in 3.6.8, but i've not found it.


Someone can help me? Thanks.


-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages winbind depends on:
ii  adduser   3.113+nmu3
ii  dpkg  1.16.15
ii  libc6 2.13-38+deb7u6
ii  libcap2   1:2.22-1.2
ii  libcomerr21.42.5-1.1
ii  libgssapi-krb5-2  1.10.1+dfsg-5+deb7u2
ii  libk5crypto3  1.10.1+dfsg-5+deb7u2
ii  libkrb5-3 1.10.1+dfsg-5+deb7u2
ii  libldap-2.4-2 2.4.31-1+nmu2
ii  libpam0g  1.1.3-7.1
ii  libpopt0  1.16-7
ii  libtalloc22.0.7+git20120207-1
ii  libtdb1   1.2.10-2
ii  libwbclient0  2:3.6.6-6+deb7u4
ii  lsb-base  4.1+Debian8+deb7u1
ii  samba-common  2:3.6.6-6+deb7u4
ii  zlib1g1:1.2.7.dfsg-13

Versions of packages winbind recommends:
pn  libnss-winbind  none
pn  libpam-winbind  none

winbind suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#760754: Debian freeradius consider all files in modules/ folder, also *.dpkg-* ones...

[Marco Gaiarin]

Package: freeradius
Version: 2.1.12+dfsg-1.2

I've just upgrade from squeeze to wheezy, and after upgrading
freeradius the service does not start.

After fiddling a bit with log and '-X' mode, i've found the culprit:
the upgrade process create two *.dpkg-dist files on modules/ subfolder,
file that i've modify to suit my needs.
But the daemon read *all* the file in modules/ dir, also the *.dpkg-*
ones, and this clearly can be a bit confusing for freeradius
(specifically: there was an ldap file and a ldap.dkpg-dist with wrong
parameters).

I think, as other debian package, only files with a specific extension
have to be read (*.conf?), or at least that sources of trouble have to
be added to debian documentation (README.Debian and something like
that).

Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#760393: Kernel 3.2 hang on a HP ProLiant ML350 G4p, Smart Array 641 controller

[Marco Gaiarin]

Package: linux-image-3.2.0-4-686-pae
Version: 3.2.60-1+deb7u3


I've just upgrade a server as in subject from squeeze to wheezy: the
server run squeeze for years, without troubles or unexpected
reboots/failures.

Upgrade went well, but after rebooting to the new kernel system became
instable and hang ''randomly'' after some hours or some days (2-3 max).

Clearly, the server is in production and on a remote location. ;(

I've managed to reboot it on the old 2.6 kernel, and the server is now
stable as before, so i suppose is a kernel trouble.

Some sparse info:

1) server hang because /var ''desappear''; i've managed to go on
 console, and what i see is only some gereric error like:

task : blocked for more than 120 seconds.
echo 0  /proc/sgs/kernel/hung_task_timeout_secs disables this 
message.

no PANIC or something like that.

2) /var is a XFS filesystem.

3) because my log is on /var, i've no more info to provide...


Attached the boot log of the two kernels; the only strage thing i note
is:
 Aug 12 13:59:03 rita kernel: [1.231468] HP CISS Driver (v 3.6.26)
 Aug 12 13:59:03 rita kernel: [1.231583] cciss :09:02.0: PCI IRQ 72 - 
rerouted to legacy IRQ 16
 Aug 12 13:59:03 rita kernel: [1.231665] cciss :09:02.0: Controller 
reports max supported commands of 0, an obvious lie. Using 16.  Ensure that 
firmware is up to date.

But i don't know if is related.


Say me if more info are needed. Thanks.


rita-2.6-good.klog.gz
Description: Binary data


rita-3.2-bad.klog.gz
Description: Binary data

Bug#751484: c-icap: installing a recompiled c-icap on debian wheezy ends in a broken system

[Marco Gaiarin]

Mandi! Mathieu Parent
  In chel di` si favelave...

  Seems to me a dupe of #743202 ...
 No this is a regression of #743202. This comes from the bashism
 IFS=$'\n'. I have not found a solution yet. Patch welcome (a workaound
 is to use #!/bin/bash as shebang).

Ok; anyway the culprit came from:

for variable in `egrep -v '^[[:space:]]*(#|$)' $CONFFILE | 
awk '{print $1}'`; do
value=`grep ^$variable $CONFFILE | head -n1 | awk 
'{print $2}'`

if [ -n $value ]; then
export config_$variable=$value
fi
done

but, effectively the only config options used as a avariables are 
config_PidFile,
config_CommandsSocket, config_User and config_Group, that does not make 
trouble, 
because the value is clearly have no space.

Why not simply substitute with:

for variable in PidFile CommandsSocket User Group; do
value=`grep ^$variable $CONFFILE | head -n1 | awk 
'{print $2}'`

if [ -n $value ]; then
export config_$variable=$value
fi
done

?! I think can fix and simplify all the stuff.


PS: also, i suppose that c-icap.conf is caseless on options name, so
probably it is safe to put all the variable in lower or UPPER case, eg:

for variable in PIDFILE COMMANDSSOCKET USER GROUP; do
value=`grep -i ^$variable $CONFFILE | head -n1 | awk 
'{print $2}'`

if [ -n $value ]; then
export config_$variable=$value
fi
done

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#743202: c-icap: /etc/init.d/c-icap does not work if there's an option in c-icap.conf with a dot

[Marco Gaiarin]

Package: c-icap
Version: 1:0.3.3-0gaio1
Severity: important

I've recompiled c-icap in wheezy, without further modification.

I've also compiled and i'm using 'squidclamav', and i've hit a little
trouble (too verbose log), that squidclamav author say me to insert in
c-icap.conf, right after the squidclamav module load, the entry:

squidclamav.PreviewSize 1024

but when i tried to restart the service i got:

root@lupus:~# /etc/init.d/c-icap start
/etc/init.d/c-icap: 65: export: config_squidclamav.PreviewSize: bad 
variable name

After fiddling a bit, i've understood that the trouble came from the
/etc/init.d/c-icap script, that try to export some variables bult from
c-icap.conf file, and fail with the new one (presumibly for the dot).

I've done a simple modification to the script:

root@lupus:~# diff -ud /etc/init.d/c-icap~ /etc/init.d/c-icap
--- /etc/init.d/c-icap~ 2014-03-12 08:07:27.0 +0100
+++ /etc/init.d/c-icap  2014-03-31 14:40:57.0 +0200
@@ -58,7 +58,7 @@
config_Group=c-icap
 
if [ -f $CONFFILE ]; then
-   for variable in `egrep -v '^[[:space:]]*(#|$)' $CONFFILE | 
awk '{print $1}'`; do
+   for variable in `egrep -v '^[[:space:]]*(#|$)' $CONFFILE | 
awk '{print $1}' | egrep -v '\.'`; do
value=`grep ^$variable $CONFFILE | head -n1 | awk 
'{print $2}'`
 
if [ -n $value ]; then

and clearly now works, but i don't know if there's a better way...


More info on:

https://github.com/darold/squidclamav/issues/17


Thanks.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages c-icap depends on:
ii  adduser  3.113+nmu3
ii  libc62.13-38+deb7u1
ii  libdb5.1 5.1.29-5
ii  libicapapi3  1:0.3.3-0gaio1
ii  lsb-base 4.1+Debian8+deb7u1

c-icap recommends no packages.

Versions of packages c-icap suggests:
pn  libc-icap-module  none
ii  squid33.1.20-2.2

-- Configuration Files:
/etc/c-icap/c-icap.conf changed [not included]
/etc/default/c-icap changed [not included]
/etc/init.d/c-icap changed [not included]

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#486211: Squid3 crashed with Segfault

[Marco Gaiarin]

Package: squid3
Version: 3.1.20-2.2
Followup-For: Bug #486211


I've just upgraded two servers from squeeze to wheezy, and i've hit this
bug in one of that. I repeatedlt receive:

 Mar 25 12:33:02 kaa kernel: [943353.343797] squid3[16919]: segfault at 58 ip 
7fd34cea2396 sp 7fff192e1b60 error 4 in squid3[7fd34ccaf000+301000]
 Mar 25 12:33:02 kaa squid[40048]: Squid Parent: child process 16919 exited due 
to signal 11 with status 0

roughly 5-10 time at distance of some minutes, then nothing for hour... and
happens roughly 10-50 times at day.

Both server (kaa and lupus) are 64bit debian wheezy. lupus seems does not
have that trouble; configuration are roughly the same.

The only difference between kaa and lupus, is that kaa is a
medium-heavy-loaded server, while lupus does little job, so seems
''load-related''.


Say me if more info are needed... thanks.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages squid3 depends on:
ii  adduser   3.113+nmu3
ii  libc6 2.13-38+deb7u1
ii  libcap2   1:2.22-1.2
ii  libcomerr21.42.5-1.1
ii  libdb5.1  5.1.29-5
ii  libexpat1 2.1.0-1+deb7u1
ii  libgcc1   1:4.7.2-5
ii  libgssapi-krb5-2  1.10.1+dfsg-5+deb7u1
ii  libk5crypto3  1.10.1+dfsg-5+deb7u1
ii  libkrb5-3 1.10.1+dfsg-5+deb7u1
ii  libldap-2.4-2 2.4.31-1+nmu2
ii  libltdl7  2.4.2-1.1
ii  libpam0g  1.1.3-7.1
ii  libsasl2-22.1.25.dfsg1-6+deb7u1
ii  libstdc++64.7.2-5
ii  libxml2   2.8.0+dfsg1-7+nmu2
ii  logrotate 3.8.1-4
ii  lsb-base  4.1+Debian8+deb7u1
ii  netbase   5.0
ii  squid3-common 3.1.20-2.2

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf   none
ii  smbclient2:3.6.6-6+deb7u2
pn  squid-cginone
ii  squidclient  3.1.20-2.2
pn  ufw  none

-- Configuration Files:
/etc/squid3/squid.conf changed [not included]

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#741979: sympa: Missing it.mo file

[Marco Gaiarin]

Package: sympa
Version: 6.1.11~dfsg-5
Severity: normal


Simply i've found that in (at lewast this) version of sympa the 'it.mo'
message catalog file is missing from the archive, eg the file:

/usr/lib/sympa/locale/it/LC_MESSAGES/sympa.mo

does not exist in the .deb archive, so italian translation does not
''work''.

Thanks.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sympa depends on:
ii  adduser3.113+nmu3
ii  ca-certificates20130119
ii  dbconfig-common1.8.47+nmu1
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg   1.16.12
ii  exim4-daemon-heavy [mail-transport-agent]  4.80-7
ii  libarchive-zip-perl1.30-6
ii  libc6  2.13-38+deb7u1
ii  libcgi-fast-perl   5.14.2-21+deb7u1
ii  libcgi-pm-perl 3.61-2
ii  libdbd-mysql-perl  4.021-1+b1
ii  libdbd-pg-perl 2.19.2-2
ii  libdbd-sqlite3-perl1.37-1
ii  libdbd-sybase-perl 1.14-1
ii  libdbi-perl1.622-1
ii  libfcgi-perl   0.74-1+b1
ii  libfile-copy-recursive-perl0.38-1
ii  libhtml-format-perl2.10-1
ii  libhtml-stripscripts-parser-perl   1.03-1
ii  libhtml-tree-perl  5.02-1
ii  libintl-perl   1.20-1
ii  libio-stringy-perl 2.110-5
ii  libmailtools-perl  2.09-1
ii  libmime-charset-perl   1.009.2-1
ii  libmime-encwords-perl  1.012.4-1
ii  libmime-lite-html-perl 1.23-1.1
ii  libmime-tools-perl 5.503-1
ii  libmsgcat-perl 1.03-5+b2
ii  libnet-ldap-perl   1:0.4400-1
ii  libnet-netmask-perl1.9016-1
ii  libregexp-common-perl  2011121001-1
ii  libtemplate-perl   2.24-1
ii  libterm-progressbar-perl   2.13-1
ii  libunicode-linebreak-perl  0.0.20120401-1
ii  libxml-libxml-perl 2.0001+dfsg-1
ii  lsb-base   4.1+Debian8+deb7u1
ii  mhonarc2.6.18-2
ii  perl   5.14.2-21+deb7u1
ii  perl-modules [libcgi-pm-perl]  5.14.2-21+deb7u1
ii  rsyslog [system-log-daemon]5.8.11-3
ii  sqlite33.7.13-1+deb7u1

Versions of packages sympa recommends:
ii  apache2-suexec 2.2.22-13+deb7u1
pn  doc-base   none
ii  libapache2-mod-fcgid   1:2.3.6-1.2+deb7u1
ii  libcrypt-ciphersaber-perl  0.61-4
ii  libfile-nfslock-perl   1.21-1
ii  libio-socket-ssl-perl  1.76-2
ii  libmail-dkim-perl  0.39-1
ii  libsoap-lite-perl  0.714-1
ii  locales2.13-38+deb7u1
ii  logrotate  3.8.1-4
ii  mysql-server   5.5.35+dfsg-0+wheezy1

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd-cgi]  2.2.22-13+deb7u1
pn  libauthcas-perl  none
pn  libdbd-oracle-perl   none
pn  libtext-wrap-perlnone
ii  openssl  1.0.1e-2+deb7u4

-- Configuration Files:
/etc/sympa/topics.conf changed [not included]

-- debconf information excluded


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#741019: php5-ffmpeg: module emit '[NULL @ 0x1f02280] Value 4707126720094797824.000000 for parameter 'probesize' out of range' errors and sigsev

[Marco Gaiarin]

Package: php5-ffmpeg
Version: 0.6.0-2.2
Severity: important


I've just updated two of my servers that run a webapp, WViola:

http://code.google.com/p/wviola/

after upgrading, a php script (cli) that use heavily php5-ffmpeg start to
sigsev:

 Mar  7 13:30:44 baloo kernel: [ 6954.637368] php[25138]: segfault at 8 ip 
7f815e00a14d sp 7fff8e24b190 error 4 in ffmpeg.so[7f815e006000+9000]
 Mar  7 14:00:44 baloo kernel: [ 8754.083901] php[31779]: segfault at 8 ip 
7f65c8ada14d sp 7fff7dc27870 error 4 in ffmpeg.so[7f65c8ad6000+9000]

and produce the output:

 [NULL @ 0x2d6c080] Value 4707126720094797824.00 for parameter 'probesize' 
out of range
 [NULL @ 0x2d6c080] Value 4707126720094797824.00 for parameter 
'analyzeduration' out of range
 [NULL @ 0x2d6c080] Value 4697254411347427328.00 for parameter 'indexmem' 
out of range
 [NULL @ 0x2d6c080] Value 4703785510416416768.00 for parameter 'rtbufsize' 
out of range
 [NULL @ 0x2d6c080] Value -4616189618054758400.00 for parameter 
'fpsprobesize' out of range
 [NULL @ 0x2d6c080] Value 4607182418800017408.00 for parameter 
'f_err_detect' out of range
 [NULL @ 0x2d6c080] Value 4607182418800017408.00 for parameter 'err_detect' 
out of range
 [NULL @ 0x2d6cba0] Value 4686111960511545344.00 for parameter 'b' out of 
range
 [NULL @ 0x2d6cba0] Value 4683532506232782848.00 for parameter 'ab' out of 
range
 [NULL @ 0x2d6cba0] Value 4705844345939427328.00 for parameter 'bt' out of 
range
 [NULL @ 0x2d6cba0] Value 4617315517961601024.00 for parameter 'me_method' 
out of range
 [NULL @ 0x2d6cba0] Value 4622945017495814144.00 for parameter 'g' out of 
range
 [NULL @ 0x2d6cba0] Value 4611686018427387904.00 for parameter 'qmin' out 
of range
 [NULL @ 0x2d6cba0] Value 4629418941960159232.00 for parameter 'qmax' out 
of range
 [NULL @ 0x2d6cba0] Value 4613937818241073152.00 for parameter 'qdiff' out 
of range
 [NULL @ 0x2d6cba0] Value -4616189618054758400.00 for parameter 'wpredp' 
out of range
 [NULL @ 0x2d6cba0] Value 4607182418800017408.00 for parameter 'bug' out of 
range
 [...]

the only thing i make a note is that i use 'debian multimedia' repository.

Thanks.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5-ffmpeg depends on:
ii  libapache2-mod-php5 [phpapi-20100525]  5.4.4-14+deb7u8
ii  libavcodec53   7:0.10.3-dmo1
ii  libavformat53  7:0.10.3-dmo1
ii  libc6  2.13-38+deb7u1
ii  libswscale28:1.0.8-dmo1
ii  php5-cli [phpapi-20100525] 5.4.4-14+deb7u8

Versions of packages php5-ffmpeg recommends:
ii  php5-gd  5.4.4-14+deb7u8

php5-ffmpeg suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#738588: closed by Jeremy Lainé jeremy.la...@m4x.org (Bug#738588: fixed in asterisk 1:11.8.0~dfsg-1)

[Marco Gaiarin]

 Source: asterisk
 Source-Version: 1:11.8.0~dfsg-1
 We believe that the bug you reported is fixed in the latest version of
 asterisk, which is due to be installed in the Debian FTP archive.

...some hope that this fix will backported to wheezy, eg on some next
point release?

Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#687149: cron.daily maintenance/upgrade script emit warnings...

[Marco Gaiarin]

 I will tag this ticket as squeeze since it seems to only apply to
 the Squeeze 6 version.

This is true.

Sorry but i'm a bit late in debian versions, so i've started in these
days the upgrate to wheezy, and still no one with a SA setup.

I've only do some test and noted that newer SA use a dedicated users,
not 'nobody'.


So, please, wait some time and i will comment this bug, and adding a
specific one for the 'SA_UPDATE_OPTS' variable to manage
plugin/external repository.

Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#740729: rkhunder cron.daily emit errors: Error: Invalid display - keyword cannot be found: Display line: display --to LOG --type INFO NETWORK_PORTS_DISABLE_PATHS

[Marco Gaiarin]

Package: rkhunter
Version: 1.4.0-1

By some days, rkhunter daily cron script emit a mail like:

 Date: Tue, 04 Mar 2014 14:04:54 +0100
 From: root root@localdomain
 To: root@localdomain
 Subject: [rkhunter] eraldo.localdomain - Daily report

 Error: Invalid display - keyword cannot be found: Display line: display --to 
LOG --type INFO NETWORK_PORTS_DISABLE_PATHS
 Error: Invalid display - keyword cannot be found: Display line: display --to 
LOG --type INFO NETWORK_PORTS_DISABLE_PATHS

looking around with google, seems that there's a ''incompatibilities''
between the db (updated by cron scripts) and the language file (AFAIK,
provided by package).

I'm seeking some feedback... thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#687149: cron.daily maintenance/upgrade script emit warnings...

[Marco Gaiarin]

  Sep 10 11:34:23.133 [15754] warn: Couldn't get Connecting IP header 
  X-SA-Exim-Connect-IP for message 1347269660@lint_rules, skipping 
  greylisting call
 Is this still a problem for you?  There have been a number of package

Ahem, i'm still mostly on squeeze, and all of my spamassassin
installation ws not just migrated to wheezy.
So... i cannot reply. ;-)


 the bug should be reassigned to exim4 as an exim problem.

No, it is not exim4 trouble, better a sa-exim trouble, but i think it
is generic, so robably other SA plugin (not only sa-exim) could trigger
that...


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#738588: 'smsq' SMS helper missing from Asterisk 1.8 till sid: missing dependencies?

[Marco Gaiarin]

Package: asterisk
Version: 1:1.8.13.1~dfsg1-3+deb7u3

I've upgraded my squeeze home server to wheezy, and after some weeks
i've noted that SMS in asterisk stop working.

After some fiddling, i've found that simply the 'smsq' SMS queue helper
is missing from the packages; i've tried using 'packages.debian.org'
and seems missing from wheezy (asterisk 1.8) till unstable, while is
present in asterisk 1.6 (squeeze).

I've simply done:

 apt-get source asterisk
 apt-get build-dep asterisk

then:

 cd asterisk-1.8.13.1~dfsg1/utils/
  some trial and error, and some googling ... 
 POPT_LIB=-lpopt make smsq
 strip smsq
 cp smsq /usr/sbin/

and smsq compile and run as expected; clearly i've had (previously,
indeed) installed libpopt-dev package, so seems to me that simply
asterisk got a missing dependencies on libpopt-dev, and so smsq does
not compile.


Considering the easy fix, could be backported to stable and so forth?


Thanks


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#708615: Smokeping email's date are in current locale

[Marco Gaiarin]

Package: smokeping
Version: 2.3.6-5+squeeze1


Smokeping email about network trouble start with the 'Date:' files
written in current locale, eg (in italian):

 Date: ven,  5 apr 2013 14:57:10 +0200

(ven(erdì) = friday, apr(ile) = april).

This confuse most MUA, and indeed is a RFC violation, AFAIK.


Thanks.


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)

[Marco Gaiarin]

  Ok for 'jasmine', but 'beh' is a rather ''standard'' backend, that i
  use extensively for some ''broken'' printers or print servers... very
  useful if you don't want to be called on saturday morning at home...
 Is 'beh' not working correctly when used as printer backend?

?! Sorry, i've really not understood your question...

'beh' (in package foomatic-filters) it is a simple perl script that
change the behaviour of the cups queue management: some printers
(mostly USB, but also some networked one) are broken, reply to cups
backend in some strange way and cups (correctly) disable the queue (put
the printer queue in pause).
'beh' simply ignore backend error, do some retry, and then discard the
print.

It is some sort of ''last resort'' for  some situation, but because
restarting a printer queue is a privileged operation, it is very handy
in a 'non-personal computing' setup.


 Quoting Till on that one:
  access (files, network resources). Opening up the permissions so that lp
  can run the backends makes the backends stop working. What alwyas works
  would be setting the wrapper backends 750 root.root, but this can lead to
  some non-root backends being run as root.

also 'jasmine' backend is a perl script, but to make it run i do:

cd /usr/lib/cups/backend-available
chown .lp dnssd http ipp lpd serial usb
chmod 751 dnssd http ipp lpd
chmod 554 serial usb

and all the printer, eg:

neuromante:~# grep jasmine /etc/cups/printers.conf
DeviceURI jasmine:ipp://arcdisanmarc/ipp
DeviceURI jasmine:ipp://arcoiris/ipp
DeviceURI jasmine:socket://i3pps-1:9102
DeviceURI jasmine:ipp://elladan/printer
DeviceURI jasmine:ipp://elrohir/printer
DeviceURI jasmine:socket://hp4000
DeviceURI jasmine:socket://hpljp2055-1
DeviceURI jasmine:socket://hpljp2055-2
DeviceURI jasmine:socket://hpljp3015-1
DeviceURI jasmine:ipp://kmmc4650dn/ipp
DeviceURI jasmine:socket://i3pps-1:9103
DeviceURI jasmine:socket://10.5.1.235
DeviceURI jasmine:ipp://sscx4833fd-1/printer

works like a charme. My currently permission setup is:

neuromante:~# ls -la /usr/lib/cups/backend
totale 400
drwxr-xr-x  2 root root  4096  3 mar 20.23 .
drwxr-xr-x 10 root root  4096 22 dic  2009 ..
-rwxr-xr-x  1 root root  7250  6 mar  2012 beh
-rwx--  1 root root 22320 18 giu  2010 cups-pdf
-rwxr-x--x  2 root lp   18352 12 gen 18.11 dnssd
-rwxr-xr-x  1 root root 16968  3 dic  2011 hp
-rwxr-xr-x  1 root root  8393  3 dic  2011 hpfax
-rwxr-x--x  3 root lp   48160 12 gen 18.11 http
-rwxr-x--x  3 root lp   48160 12 gen 18.11 ipp
-rwxr-x---  1 root lp   20395  5 nov 12.01 jasmine
-rwxr-x--x  2 root lp   44056 12 gen 18.11 lpd
-rwxr-xr-x  1 root root  4988  2 nov 19.14 mailto
-r-xr-xr-x  2 root root 30728 12 gen 18.11 parallel
lrwxrwxrwx  1 root root21  5 feb 20.28 smb - ../../../bin/smbspool
-r-xr-xr-x  2 root root 26544 12 gen 18.11 snmp
-r-xr-xr-x  2 root root 34824 12 gen 18.11 socket
-r-xr-xr--  2 root lp   43016 12 gen 18.11 usb

'jasmine' cointain the password for the mysql db, so it is 750.


 So, as I would rather not try to fix something not broken for most standard 
 Debian uses, and as I haven't been convinced that fixing that is an 
 improvement over the current situation, I'm hereby tagging this bug as 
 wontfix.

Probably i'm missing something. But i'm only trying to understand...


PS: there's some sort of doc, manual, HOWTO, REDAME... that explain
 backend permission setup?


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#702248: Non-optimal boot priority/dependency of service 'cups'

[Marco Gaiarin]

 One-line patch attached.

Many thanks.


I've not reboot the server (and so, test your fix) but i've checked the
boot dependencies before and afer running the 'insserv -v' command, and
they are correctly taken into account. So should work.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)

[Marco Gaiarin]

 As far as I can tell, all chained configurations that go through cups are 
 working correctly, so that's definitely a minor issue for standard use cases.

Ok for 'jasmine', but 'beh' is a rather ''standard'' backend, that i
use extensively for some ''broken'' printers or print servers... very
useful if you don't want to be called on saturday morning at home...


 @Till: do you have an opinion on this bug ? I tend to think that as the 
 default chaining through cups works, it's not worth fixing, but I'd welcome 
 your input there.

I've a question: why (for example...) the 'ipp' backend have
permission:

gaio@eraldo:~$ ls -la /usr/lib/cups/backend/ipp
-rwxr--r-- 3 root root 43328 15 gen 04.08 /usr/lib/cups/backend/ipp

744 root.root? It really brake the CUPS security model to have it
root.lp, 754 (or 750)?

Probably i don't know CUPS (and indeed it is true ;), but i don't
understood why the 'lp' group have to not execute the backend... while
for example the 'socket' backend:

gaio@eraldo:~$ ls -la /usr/lib/cups/backend/socket 
-r-xr-xr-x 2 root root 29988 15 gen 04.08 /usr/lib/cups/backend/socket

it is even executable by everyone?


I restate: i'm an ignorant, but seems to me that simply backend
permission is a mess... ;-)))


Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#702227: Permission of the backend too strict for a backend chain (beh, jasmine)

[Marco Gaiarin]

Package: cups
Version: 1.4.4-7+squeeze2

If i need to chain some backend, eg because i need the Backend Error
Handler (beh, in the package 'foomatic-filters') or the 'jasmine'
backend (http://jasmine.berlios.de/dokuwiki/doku.php, non packaged)
i've found that the second backend cannot be launched.

Seems to me that cups drop privilege running the first backend as user
'lp', but some of the backend (eg, ipp) are set as 750 root.root, so
cannot get executed.

I've simply done (trying to disrupt original permission as little as
possible, so probably these permission are still wrong):

cd /usr/lib/cups/backend-available
chown .lp dnssd http ipp lpd serial usb
chmod 751 dnssd http ipp lpd
chmod 554 serial usb

but at every cups upgrade owner and mode of the backend get restored,
and chained backend stop to work.


I hope that this things can be fixed, or at least explained a bit in a
README.Debian.


Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#702248: Non-optimal boot priority/dependency of service 'cups'

[Marco Gaiarin]

Package: cups
Version: 1.4.4-7+squeeze2


To permit an effective management of the printer queue, i've setup in
/etc/cups/cups-files.conf a line like:

SystemGroup printops

where 'printops' is a group in my LDAP setup (slapd,
libnss/libpam-ldapd).

Every time i reboot a server, cups complain in error_log about:

E [25/Feb/2013:18:24:28 +0100] Unknown SystemGroup printops on line 
17 of /etc/cups/cups-files.conf.

and start in an ''half-working'' way, eg daemon run but does not work;
i have to restart cups to get it back.

So, i think that cups service have to boot-depend on slapd/nslcd
services.


Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#687149: Again new patch...

[Marco Gaiarin]

 I would not be opposed to an *option* to ignore all errors.  But it
 should not be the default.

Only a little note, to say that after some more test seems that the
''offending'' command that have to be redirected are only two:

gaio@lily:~/conf/spamassassin$ diff -ud spamassassin.squeeze spamassassin
--- spamassassin.squeeze2012-12-03 18:05:41.516864040 +0100
+++ spamassassin2012-12-03 18:05:25.540863905 +0100
@@ -29,7 +29,7 @@
 # Compile, if rules have previously been compiled, and it's possible
 if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
 -a -d /var/lib/spamassassin/compiled ]; then
-sa-compile --quiet
+sa-compile --quiet  /dev/null 21
 # Fixup perms -- group and other should be able to
 # read and execute, but never write.  Works around
 # sa-compile's failure to obey umask.
@@ -61,12 +61,12 @@
 
 # Update
 umask 022
-sa-update
+sa-update $SA_UPDATE_OPTS
 
 case $? in
 0)
 # got updates!
-spamassassin --lint || die_with_lint
+spamassassin --lint  /dev/null 21 || die_with_lint
 do_compile
reload
 ;;


'spamassassin --lint  /dev/null 21 || die_with_lint' i think it is
plausible, because if 'spamassassin --lint', they are recalled without
any redirection, so sysadmin got the info.

'sa-compile --quiet  /dev/null 21' probably have to be digged
better, and handled with more care (also the exit status...).


Not related, see the 'sa-update $SA_UPDATE_OPTS', where
'$SA_UPDATE_OPTS' are defined on /etc/default/spamassassin to load
additional rules (rulesemporium, but does not care).


Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#693981: smb_acl_to_posix: ACL is invalid for set (Invalid argument)

[Marco Gaiarin]

Package: samba
Version: 2:3.5.6~dfsg-3squeeze8


After migrate some server from lenny to squeeze (better later then
ever...) i've hit this bug:

https://bugzilla.samba.org/show_bug.cgi?id=7509

it is very annoying, an so i'll hope the patch will be added to the
next squeeze point release.


Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#692480: pam-auth-config, lib(pam|nss)-ldapd broke again 'pam' authentication in postgres.

[Marco Gaiarin]

Package: postgresql-common
Version: 113+squeeze1

An old issue come back, see:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217891


I've just migrated from lenny to squeeze (better later then ever... ;),
and so moved from lib(pam|nss)-ldap and custom /etc/pam.d/common-*
files to lib(pam|nss)-ldapd, nslcd and pam-auth-update.

After doing that, pam, auth does not work anymore in postgres, i got:

Nov  5 09:00:00 dixie unix_chkpwd[28119]: check pass; user unknown
Nov  5 09:00:00 dixie unix_chkpwd[28119]: password check failed for 
user (aleggi)
Nov  5 09:00:00 dixie .5.2.219(1308) authentication: 
pam_unix(postgresql:auth): authentication failure; logname= uid=110 euid=110 
tty= ruser= rhost=  user=aleggi
Nov  5 09:00:00 dixie unix_chkpwd[28120]: could not obtain user info 
(aleggi)

After fiddling a bit, i've created /etc/pam.d/postgresql with inside:

auth required   pam_ldap.so minimum_uid=1000
account requiredpam_ldap.so minimum_uid=1000
password required   pam_deny.so
session requiredpam_permit.so

I don't need/use /etc/(passwd|shadow) auth, so i've used only ldap, and
i've disabled session because i don't need session management in
postgres, and because the culprit seems to come from here.


Feel free to ask more feedback, it was a production server and so... i
need a quick fix. ;)


Thanks.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#687149: Again new patch...

[Marco Gaiarin]

Mandi! Bob Proulx
  In chel di` si favelave...

 Please, one thread for each bug.  This is a different problem and it
 should have a different bug ticket.

I consider the ''bug'' as: «squeeze /etc/cron.daily/spamassassin is a
bit more verbose/annoying then lenny one», and sa-exim only a ''side
effect'' of that.


   http: GET http://daryl.dostech.ca/sa-update/asf/1387911.tar.gz request 
  failed: 404 Not Found: !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN 
  htmlhead title404 Not Found/title /headbody h1Not Found/h1 
  pThe requested URL /sa-update/asf/1387911.tar.gz was not found on this 
  server./p hr addressApache/2.2.6 (Fedora) Server at daryl.dostech.ca 
  Port 80/address /body/html
 But it is an error.  It should not be silenced simply by redirecting
 errors to /dev/null.  Instead the root cause of the problem should be
 addressed and fixed.

Probably i've understimated this, but i think that cronjobs have (to
try) to be as quiter as possible, because are mostly unreadable and
confusing.


 Therefore I am opposed to this patch being included.  It doesn't fix
 the problem but is just ignoring it.

Mine was only a proposal.

AFAI've understood the script, it try insted to ''pass over'' to catch
errors, and if an error occur, restart the update with ''--lint'' to
make a better informative ''log''.
All my ''example patch'' say that, other than error, there's also some
warnings (or not so understood errors ;).


I don't know very well SA, so i don't know if the error handling are
excellent or poor, and so, if the warning can be safely ignored (as
i've done in my patch) or taken into account.


For me, give to the users the choice to ignore warnings or send them,
eg, redirecting all output of scripts to a file, check if it was empty
and eventually send to the user (better, filtering with a regexp).

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#687149: Again new patch...

[Marco Gaiarin]

One more redirection, by some day, the update script emit:

 http: GET http://daryl.dostech.ca/sa-update/asf/1387911.tar.gz request failed: 
404 Not Found: !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead 
title404 Not Found/title /headbody h1Not Found/h1 pThe requested 
URL /sa-update/asf/1387911.tar.gz was not found on this server./p hr 
addressApache/2.2.6 (Fedora) Server at daryl.dostech.ca Port 80/address 
/body/html

generated by sa-update.

PS: $SA_UPDATE_OPTS is a variable i've defined on
 /etc/default/spamassassin.
--- /tmp/spamassassin	2012-09-10 11:46:09.597794514 +0200
+++ /etc/cron.daily/spamassassin	2012-09-21 12:14:23.0 +0200
@@ -29,7 +29,7 @@
 # Compile, if rules have previously been compiled, and it's possible
 if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
 -a -d /var/lib/spamassassin/compiled ]; then
-sa-compile --quiet
+sa-compile --quiet  /dev/null 21
 # Fixup perms -- group and other should be able to
 # read and execute, but never write.  Works around
 # sa-compile's failure to obey umask.
@@ -43,9 +43,9 @@
 reload() {
 # Reload
 if which invoke-rc.d /dev/null 21; then
-	invoke-rc.d spamassassin reload  /dev/null
+	invoke-rc.d spamassassin reload  /dev/null 21
 else
-	/etc/init.d/spamassassin reload  /dev/null
+	/etc/init.d/spamassassin reload  /dev/null 21
 fi
 if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
 run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
@@ -61,12 +61,12 @@
 
 # Update
 umask 022
-sa-update $SA_UPDATE_OPTS
+sa-update $SA_UPDATE_OPTS  /dev/null 21
 
 case $? in
 0)
 # got updates!
-spamassassin --lint || die_with_lint
+spamassassin --lint  /dev/null 21 || die_with_lint
 do_compile
 	reload
 ;;

Bug#687149: New patch.

[Marco Gaiarin]

Ops, i've forgot a redirect also for sa-compile.

Attached a new patch.
--- /tmp/spamassassin	2012-09-10 11:46:09.597794514 +0200
+++ /etc/cron.daily/spamassassin	2012-09-13 12:14:33.0 +0200
@@ -29,7 +29,7 @@
 # Compile, if rules have previously been compiled, and it's possible
 if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
 -a -d /var/lib/spamassassin/compiled ]; then
-sa-compile --quiet
+sa-compile --quiet  /dev/null 21
 # Fixup perms -- group and other should be able to
 # read and execute, but never write.  Works around
 # sa-compile's failure to obey umask.
@@ -43,9 +43,9 @@
 reload() {
 # Reload
 if which invoke-rc.d /dev/null 21; then
-	invoke-rc.d spamassassin reload  /dev/null
+	invoke-rc.d spamassassin reload  /dev/null 21
 else
-	/etc/init.d/spamassassin reload  /dev/null
+	/etc/init.d/spamassassin reload  /dev/null 21
 fi
 if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
 run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
@@ -66,7 +66,7 @@
 case $? in
 0)
 # got updates!
-spamassassin --lint || die_with_lint
+spamassassin --lint  /dev/null 21 || die_with_lint
 do_compile
 	reload
 ;;

Bug#687149: cron.daily maintenance/upgrade script emit warnings...

[Marco Gaiarin]

Package: spamassassin
Version: 3.3.1-1


Really, i don't know if this is a SA bug or a sa-exim bug, so feel free
to move de bug where appropriate.

Indeed, i don't know if this is a real bug... ;)
sa-exim plugin, at every spamassassin restart, print a row like:

Sep 10 11:34:23.133 [15754] warn: Couldn't get Connecting IP header 
X-SA-Exim-Connect-IP for message 1347269660@lint_rules, skipping greylisting 
call

AFAI've understood, this is a side effect of how the sa-exim module are
initialized, not a bug.

Anyway, migrating from lenny to squeeze, /etc/cron.daily/spamassassin
script start to complain every day about that; looking at lenny script,
seems to me that all restart command to SA are redirected to /dev/null
(STDOUT and STDERR).
Squeeze version have one more, SA call, with --lint.

Anyway, this little patch solve all the trouble.

Hope this help, thanks.

--- /tmp/spamassassin	2012-09-10 11:46:09.597794514 +0200
+++ /etc/cron.daily/spamassassin	2012-09-10 11:36:22.0 +0200
@@ -43,9 +43,9 @@
 reload() {
 # Reload
 if which invoke-rc.d /dev/null 21; then
-	invoke-rc.d spamassassin reload  /dev/null
+	invoke-rc.d spamassassin reload  /dev/null 21
 else
-	/etc/init.d/spamassassin reload  /dev/null
+	/etc/init.d/spamassassin reload  /dev/null 21
 fi
 if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
 run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
@@ -66,7 +66,7 @@
 case $? in
 0)
 # got updates!
-spamassassin --lint || die_with_lint
+spamassassin --lint  /dev/null 21 || die_with_lint
 do_compile
 	reload
 ;;

Bug#660223: Confirmation, but probably need to be reassigned...

[Marco Gaiarin]

 Since the original bug was reported against the squeeze version of nslcd
 it probably affects winbind 2:3.5.6~dfsg-3squeeze7. Marco, can you
 confirm the version of winbind?

Ops, sorry, i've forgot to wrote it down. 2:3.5.6~dfsg-3squeeze7, yes.

Tnx.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#669235: Incorrect/unoptimal ACL prevent nss/shadow to work with anonymous bind

[Marco Gaiarin]

Package: slapd
Version: 2.4.23-7.2

[I still use the slapd.conf file, not cn=schema, but i think that it is
the same...]

The default configuration file slapd.conf (supplied/handled by debconf
on /etc/ldap/, or provided as example on 
/usr/share/doc/slapd/examples/slapd.conf)
usa an unoptimal ACL:

 access to attrs=userPassword,shadowLastChange
by dn=@ADMIN@ write
by anonymous auth
by self write
by * none

this ACL prevent the anonymous (read) access to 'shadowLastChange',
preventing nss (i've tested libnss-ldap and libnss-ldaps/nslcd, it is
the same), if configured to use anonymous bind, to correctly handle
password expiration saved on LDAP.
With libnss-ldap, you can set 'rootbinddn', with libnss-ldaps/nslcd you
are forced to bind with sufficient privileges.

I think that 'shadowLastChange' is an information that does't need more
privacy then others Shadow* ones, so i propose this new ACL:

 access to attrs=userPassword
by dn=@ADMIN@ write
by anonymous auth
by self write
by * none
 access to attrs=shadowLastChange
by dn=@ADMIN@ write
by self write
by * read

Thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#643970: Confirmation, but probably need to be reassigned...

[Marco Gaiarin]

I can confirm this, i've also the logs hogged by error like these.
I can confirm also that seems a ''client'' problem, not server one.

But after some test, and after blame the wrong client (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660223), i've stopped
'winbind' daemon and error desappeared. Restarted, and come back.

So, for me this bug can be merged with #660223, and reassigned to
winbind.

Thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#625796: Bug confirmation, was not on lenny, added by squeeze

[Marco Gaiarin]

I can confirm this bug, and i can confirm that was not present on
lenny's arpwatch version, appeared only on squeeze (2.1a15-1.1).

As possible, i've worked out the trouble at switch level, modifying the
configuration and removing at the source unwanted traffic.

But there's no possible to do that generally, and i've had to disable
arpwatch on some server to prevent logfile hog, because i've a ''duble
LAN configuration, one on a phisical interface (eth0) and one on a vlan
over that (eth0.666).


I hope it will be fixed soon.


I don't know if there's some iptables rule that are able to filter
VLAN-ed ARP request on the main interface, without breaking all the ARP
resolution protocol. ;-)

Thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#432701: Some inconsistencies in pam configuration...

[Marco Gaiarin]

Mandi! Christoph Berg
  In chel di` si favelave...

 The solution here might be to ship /etc/pam.d/postgresql in
 postgresql-common. Otoh, there is an other file that should take
 care of pam entries in pg_hba.conf. pam auth works here without the
 extra file, but it might make sense to provide it anyway. I'll do some
 research and report back here.

Oh, i've forget about this bug, really.

I'm now on lenny, switching to squeeze, and seems to me that
/etc/pam.d/postgresql are no more needed.

But probably because i've found that it is true that pam_unix are ''nss
enabled'', but some things (eg, password expiration) does not work, so
i've switched on using pam_ldap on every context.

Really, now i use 'pam-auth-update' on squeeze.


For me, you can safely close this issue. Sorry, i completely forgot
about them. ;(



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#660223: Nonfatal connection trouble with ldapi:///

[Marco Gaiarin]

Mandi! Arthur de Jong
  In chel di` si favelave...

 Can you provide some more details on your nslcd.conf? Also, can you

 uid nslcd
 gid nslcd
 uri ldapi:///
 base dc=corsi,dc=sv,dc=lnf,dc=it
 binddn cn=admin,dc=corsi,dc=sv,dc=lnf,dc=it
 bindpw ops! ;)


 include the output of nslcd -d while this is happening?

It is hard to match debug output and syslog, because the debug output
are not timestamped, but i've got on debug:

 nslcd: [138641] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [138641] DEBUG: nslcd_passwd_byname(assemblaggio1)
 nslcd: [138641] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=assemblaggio1)))
 nslcd: [138641] DEBUG: ldap_result(): end of results
 nslcd: [7ff521] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [7ff521] DEBUG: nslcd_passwd_byname(autonomia1)
 nslcd: [7ff521] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=autonomia1)))
 nslcd: [7ff521] DEBUG: ldap_result(): end of results
 nslcd: [3dbd3d] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [3dbd3d] DEBUG: nslcd_passwd_byname(monica)
 nslcd: [3dbd3d] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=monica)))
 nslcd: [3dbd3d] DEBUG: ldap_result(): end of results
 nslcd: [7b8ddc] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [7b8ddc] DEBUG: nslcd_passwd_byname(oggettistica)
 nslcd: [7b8ddc] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=oggettistica)))
 nslcd: [7b8ddc] DEBUG: ldap_result(): end of results
 nslcd: [eaf087] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [eaf087] DEBUG: nslcd_passwd_byname(ceramica)
 nslcd: [eaf087] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=ceramica)))
 nslcd: [eaf087] DEBUG: ldap_result(): end of results
 nslcd: [221a70] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [221a70] DEBUG: nslcd_passwd_byname(cultura1)
 nslcd: [221a70] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=cultura1)))
 nslcd: [221a70] DEBUG: ldap_result(): end of results
 nslcd: [16dde9] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [16dde9] DEBUG: nslcd_passwd_byname(monet)
 nslcd: [16dde9] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=monet)))
 nslcd: [16dde9] DEBUG: ldap_result(): end of results
 nslcd: [06c83e] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [06c83e] DEBUG: nslcd_passwd_byname(giotto)
 nslcd: [06c83e] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=giotto)))
 nslcd: [06c83e] DEBUG: ldap_result(): end of results
 nslcd: [4fd4a1] DEBUG: connection from pid=1508 uid=0 gid=0
 nslcd: [4fd4a1] DEBUG: nslcd_passwd_byname(botticelli)
 nslcd: [4fd4a1] DEBUG: myldap_search(base=dc=corsi,dc=sv,dc=lnf,dc=it, 
filter=((objectClass=posixAccount)(uid=botticelli)))
 nslcd: [4fd4a1] DEBUG: ldap_result(): end of results

(that, indeed, seems to me normal) and on syslog the infamous:

 Apr 16 17:26:42 mouse slapd[1869]: connection_read(46): no connection! 
 Apr 16 17:27:44 mouse slapd[1869]: connection_read(43): no connection! 
 Apr 16 17:27:44 mouse slapd[1869]: connection_read(43): no connection! 


After updating my (last) i386 server, i can confirm this on amd64 and
i386 architecture; the amd64 was fresh installed, i386 upgraded from
lenny.

Thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#660223: Nonfatal connection trouble with ldapi:///

[Marco Gaiarin]

Package: nslcd
Version: 0.7.15+squeeze1

I'm moving from debian lenny to debian squeeze, and from lib(pam|nss)-ldap
to lib(pam|nss)-ldapd.

I've configured nslcd.conf using:

uri ldapi:///

and authentication access (binddn/bindpw) and now i've the logs flowed
by message like:

 Feb 17 14:51:16 kaa slapd[1846]: connection_read(17): no connection!
 Feb 17 14:51:16 kaa slapd[1846]: connection_read(17): no connection!
 Feb 17 14:51:17 kaa slapd[1846]: connection_read(17): no connection!
 Feb 17 14:51:17 kaa slapd[1846]: connection_read(17): no connection!
 Feb 17 14:51:21 kaa nslcd[1901]: [4b7f08] error writing to client: Broken pipe
 Feb 17 14:51:25 kaa slapd[1846]: connection_read(40): no connection!
 Feb 17 14:51:25 kaa slapd[1846]: connection_read(40): no connection!

looking on google for the slapd message, lead me to, for esample, to:

http://www.openldap.org/lists/openldap-software/200811/msg00079.html

so seems that nslcd do the wrong thing not unbinding before
disconnection; i thnk, i hope, that the 'error writing to client:
Broken pipe' of nslcd is a consequence of that.


Anyway, all seems to work well. Thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#614786: A different solution/approach...

[Marco Gaiarin]

I've hit the same issue switching from lenny/asterisk1.6 from backport
to squeeze/asterisk1.6 ''mainline'', but i've found a different
solution, i think.

Digging around the web, i've found a page (sorry, i've lost the link)
that, roughly, say that the newer bluetooth daemon plugin setup are
loosely configured and bluetoothd load plugin that are not so useful,
plugin that tend to confuse/complicate the setup.

Anyway (i really understand very little of that things...), i've follow
the advice to disable unused modules, adding to
/etc/bluetooth/main.conf:

DisablePlugins = network,input,pnat

(probably even better DisablePlugins = network,input,pnat,hal), i've
restarted bluetoothd and... asterisk connect to the phone flawlessy.


Just i'm here, i make another little note.
I've seen that on machine reboot, asterisk have no chan_mobile loaded;
if i restart asterisk, the module are loaded fine.
I've supposed that, on boot sequence, asterisk start before bluetoothd,
so probably chan_mobile refuse to load.

I've added 'bluetooth' to 'Should-Start:' on /etc/init.d/asterisk,
really i've not rebooted the box after that, so probably i've not fixed
this issue.


Thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#512590: Newer set of italian voices out

[Marco Gaiarin]

Here:

http://www.voip.ammdomus.it/index.php?option=com_contentview=articleid=9:vociasterisk142220110907catid=3:set-voci-asterisk-1-4-xItemid=4

http://www.voip.ammdomus.it/voci-italiane-asterisk/voci-rel-1-4/10-download-voci-asterisk-extra-1-4-11-20110915

(in italian) can be found the newer set of italian voices for asterisk.

I hope can be repackaged for debian. Thanks.

PS: see also bug #553399 .



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#315035: I this that this bug can be safely closed...

[Marco Gaiarin]

...i use ldapi:/// in smbldap-tools in lenny, with no trouble at all,
so i think that this bug can be safely closed.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#617798: Securiteinfo databases changed, script are no more compatible, package on lenny-backports need update

[Marco Gaiarin]

Package: clamav-unofficial-sigs
Version: 3.3-2~bpo50+1


I'm using clamav-unofficial-sigs on lenny, from lenny-backports, and
triying to use the newer lists from SecuritèInfo:


http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml

I've tried to use the new lists, adding to
/etc/clamav-unofficial-sigs.conf the lists:

si_dbs=
   honeynet.hdb
   securiteinfoelf.hdb   
   securiteinfosh.hdb
   securiteinfopdf.hdb   
   securiteinfooffice.hdb
   securiteinfohtml.hdb
   securiteinfodos.hdb
   securiteinfobat.hdb
   securiteinfo.hdb


as the link above suggest, but i get only:

 Clamscan reports SecuriteInfo securiteinfoelf.hdb database integrity tested 
BAD - SKIPPING
 Clamscan reports SecuriteInfo securiteinfosh.hdb database integrity tested BAD 
- SKIPPING
 Clamscan reports SecuriteInfo securiteinfopdf.hdb database integrity tested 
BAD - SKIPPING
 Clamscan reports SecuriteInfo securiteinfooffice.hdb database integrity tested 
BAD - SKIPPING
 Clamscan reports SecuriteInfo securiteinfohtml.hdb database integrity tested 
BAD - SKIPPING
 Clamscan reports SecuriteInfo securiteinfodos.hdb database integrity tested 
BAD - SKIPPING
 Clamscan reports SecuriteInfo securiteinfobat.hdb database integrity tested 
BAD - SKIPPING

Asking feedback from SecuritèInfo staff, i've had the reply:

  that's not good, script is too old. Please update it from
  http://www.sanesecurity.com/download_scripts_linux.htm

So i'm firing this bug. Thanks.



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#609440: madwifi-source: Debian Lenny Madwifi and Hostapd stability issues

[Marco Gaiarin]

 used in future. Unfortunately ath5k doesn't yet work in accesspoint
 mode, but that is apparently coming soon.

I can confirm this bug.

But i've switched, roughly one year ago, to the kernel in backport
(linux-image-2.6.32-bpo.5-686) and i've recompiled hostapd from testing
(1:0.6.10-2), switching to ath5k and all works flawlessy, no more
stability troubles.

I suggest to do that, or switch directly to squeeze.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#599908: [Pkg-clamav-devel] Bug#599908: clamav return errors on corrupted PDF

[Marco Gaiarin]

Mandi! Michael Tautschnig
  In chel di` si favelave...

 Thanks for reporting this issue; from your report I guess that this is 
 perfectly
 reproducible and you can probably just use clamscan to reproduce the problem.
 Could you do a clamscan --debug YOUR_FILE and send the output? I think this
 should not disclose and private information.

Really, really, strange.

I've buld up a script that weekly scan most of my disk space with
clamav, and move on quarantine infected files.

The script lastly execute:

 nice -20 clamscan --quiet --infected --stdout --no-summary --recursive \
--max-filesize=50M --max-scansize=250M --exclude=/.inbox
--exclude-dir=/srv/users/.cestino --exclude-dir=/srv/media/.cestino
--log=/tmp/sysscan.log.HOOPjNpC --max-dir-recursion=1000 /home
/srv/users /srv/media

and check return code, if different from 0 or 1 bump an error.


But if i try to scan manually the file:

 mouse:~# clamscan --stdout --no-summary --recursive --max-filesize=50M 
--max-scansize=250M /srv/users/OVCI/cose vecchie/Recupero pc Ale Giardina dopo 
furto/normale/842-98_SP500_GE.pdf; echo $?
 /srv/users/OVCI/cose vecchie/Recupero pc Ale Giardina dopo 
furto/normale/842-98_SP500_GE.pdf: OK
 0

work well. Boh.


Anyway i attach the ''debug run'', hoping will be useful.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)


clamdebug.log.gz
Description: Binary data

Bug#599908: clamav return errors on corrupted PDF

[Marco Gaiarin]

Package: clamav
Version: 0.96.3+dfsg-2~volatile1


After upgrading to 0.96.3+dfsg-1~volatile1 (and same thing for this
0.96.3+dfsg-2~volatile1) from volatile repository on a debian lenny,
clamav start to exit with and error status (not 0 or 1) and print some
warning:

 LibClamAV Error: cli_writen: write error: Bad address
 LibClamAV Error: cli_pdf: failed to write output file
 /srv/users/OVCI/cose vecchie/Recupero pc Ale Giardina dopo 
furto/normale/842-98_SP500_GE.pdf: Can't write to file ERROR
 /srv/users/OVCI/cose vecchie/Recupero pc Ale Giardina dopo 
furto/normale/842-98_SP500_GE.pdf:Zone.Identifier: OK

Looking at the file seems to that is simply a corrupted PDF:

 g...@lily:~$ evince 842-98_SP500_GE.pdf
 Error: PDF file is damaged - attempting to reconstruct xref table...
 Error: Top-level pages object is wrong type (null)
 Error: Couldn't read page catalog
 Error: PDF file is damaged - attempting to reconstruct xref table...
 Error: Top-level pages object is wrong type (null)
 Error: Couldn't read page catalog

This is an example of one server, but have some half-dozen servers, some i386,
some amd64, all with this trouble.

Probably something changed in libclamav in the PDF area, but i think it
is wrong to return error for a corrupted file.


I'm looking around in my server to find a .pdf that i'm sure does not
contain sensitive data, but for now i've not found it.

If the offending pdf are needed, please say me and i'll send in
private.


Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#589019: Ok, added upstream.

[Marco Gaiarin]

https://sourceforge.net/tracker/?func=detailaid=3037155group_id=6663atid=106663

Many thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#589019: pam_group does not support NSS groups...

[Marco Gaiarin]

Mandi! Steve Langasek
  In chel di` si favelave...

 Ah - have read the upstream post now, and understand that this is about
 adding users to groups based on whether they're already a member of another
 group.

Yes.


 That doesn't make sense to me, frankly; I think it makes more sense to grant
 the *original* group access to the resources on the system.  So I'm not

I've tried to setup pam_group on some server debian-based i manage.
On some of these i need to lend log-watching permission (eg, group
''adm'') to some unrestricted user, possibly without using complex sudo
setups (they have to read, not execute something).

pam_group works, but i've to list explicitly all users i need, insted
of using the LDAP/Samba group they belong to.
This is and error-prone task, and i can easily forgot some users in
pam_group list...


Also... AFAI've understood, pam_group support add local group to
nisgroup because as the time was written the NIS technology was the
''leader'' in complex networks setup, lead position now gone.
I think that adding network group users to a local group is a perfectly
good option, as was for netgroups.


 inclined to take this patch before it's been applied upstream.

Ok, the best way is:

http://sourceforge.net/tracker/?group_id=6663atid=106663

or there's a better one?


Many thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#589019: pam_group does not support NSS groups...

[Marco Gaiarin]

Package: libpam-modules
Version: 1.0.1-5+lenny1
Severity: wishlist
Tags: patch

pam_group support NIS netgroups to assign (local) group to (indeed)
netgroups.
But today NIS setup are really uncommon, and enable the NIS netgroup
''layer'' (objectclasses) and stuffs in LDAP only to manage this...

Please, consider patching pam_group debian package to include support
for NSS group.
Googling around i've found these patches (that seems to me the same):

https://bugs.launchpad.net/ubuntu/+source/pam/+bug/297408
http://www.redhat.com/archives/pam-list/2009-December/msg0.html

Thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#442214: [Pkg-aide-maintainers] Bug#442214: Still this on lenny...

[Marco Gaiarin]

Mandi! Hannes von Haugwitz
  In chel di` si favelave...

 Marc has recently uploaded the latest version to lenny-backports.
 Please try this version and provide feedback if that solves your problem.

I've simply updated to the backport version, and let the weekend pass.

No, same problem, i hit modifications on syslog and exim logs, as
before.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#578861: -T option incorrectly split parameters

[Marco Gaiarin]

Package: smbldap-tools
Version: 0.9.4-1


The '-T' parameter suffer some bugs, by the way of how smbldap-tools
handle parsing.

1) help and manpage say that -T parameter can have a list of email
 comma separated, but:

smbldap-usermod -T cristina,someaccount...@gmail.com cristina
failed to modify entry: mailRoutingAddress: multiple values provided at 
/usr/sbin/smbldap-usermod line 617.

2) if i have to reset the email forwarding, i have to use:

smbldap-usermod -T , cristina

 if i use -T  does nothing.


Both trouble arise from the fact that mailRoutingAddress are
single-valued, so have to take a string and not an array as input.


Quick patch/hack attached, that probably have to be adapted also for
smbldap-useradd (i've not tested).
--- smbldap-usermod.orig	2010-04-23 10:02:56.0 +0200
+++ smbldap-usermod	2010-04-23 10:09:11.0 +0200
@@ -398,9 +398,10 @@
 $mailobj = 1;
 }
 
-if ($tmp= $Options{'T'}) {
+if (defined($tmp= $Options{'T'})) {
 my $action= '';
 my @old;
+my $suserMailTo;
 # action si + or - for adding or deleting an entry
 if ($tmp =~ s/^([+-])+\s*//) {
 	$action= $1;
@@ -414,7 +415,8 @@
 } elsif ($action eq '-') {
 	@userMailTo = list_minus(\...@old, \...@usermailto);
 }
-push(@mods, 'mailRoutingAddress', [ @userMailTo ]);
+$suserMailTo = join(',', @userMailTo);
+push(@mods, 'mailRoutingAddress' = $suserMailTo );
 $mailobj = 1;
 }
 if ($mailobj) {

Bug#442214: Still this on lenny...

[Marco Gaiarin]

I'm hitting this bug on lenny, aide 0.13.1-10.

Clearly i've:

COMMAND=update
COPYNEWDB=ifnochange

But still sporadically i got:

 ---
 Added files:
 ---
 added: /var/log/exim4/mainlog.2.gz
 added: /var/log/exim4/rejectlog.2.gz
 added: /var/log/syslog.2.gz
 added: /var/log/user.log.2.gz

 ---
 Removed files:
 ---
 removed: /var/log/ntop/access.log.4.gz
 removed: /var/log/exim4/mainlog.10.gz
 removed: /var/log/exim4/rejectlog.10.gz
 removed: /var/log/user.log.4.gz

 ---
 Changed files:
 ---
 changed: /var/log/exim4/mainlog
 changed: /var/log/exim4/rejectlog
 changed: /var/log/exim4/mainlog.1
 changed: /var/log/exim4/rejectlog.1
 changed: /var/log/syslog
 changed: /var/log/syslog.1
 changed: /var/log/user.log.1
 changed: /var/log/user.log
 changed: /var/log/syslog.7.gz


But if i look at /var/log/exim4 now (after some hours...):

 tank:~# ls -la /var/log/exim4/
 totale 2784
 drwxr-s---  2 Debian-exim adm4096  8 apr 06:34 .
 drwxr-xr-x 13 rootroot   4096  8 apr 06:34 ..
 -rw-r-  1 Debian-exim adm   87293  8 apr 09:22 mainlog
 -rw-r-  1 Debian-exim adm  552522  8 apr 06:34 mainlog.1
 -rw-r-  1 Debian-exim adm   88305 30 mar 06:34 mainlog.10.gz
 -rw-r-  1 Debian-exim adm  101723  7 apr 06:33 mainlog.2.gz
 -rw-r-  1 Debian-exim adm   66851  6 apr 06:33 mainlog.3.gz
 -rw-r-  1 Debian-exim adm   79894  5 apr 06:33 mainlog.4.gz
 -rw-r-  1 Debian-exim adm   75787  4 apr 06:34 mainlog.5.gz
 -rw-r-  1 Debian-exim adm   85616  3 apr 06:34 mainlog.6.gz
 -rw-r-  1 Debian-exim adm  118557  2 apr 06:34 mainlog.7.gz
 -rw-r-  1 Debian-exim adm  104152  1 apr 06:34 mainlog.8.gz
 -rw-r-  1 Debian-exim adm  112329 31 mar 06:34 mainlog.9.gz
 -rw-r-  1 Debian-exim adm   0  5 feb 17:41 paniclog
 -rw-r-  1 Debian-exim adm   87683  8 apr 09:22 rejectlog
 -rw-r-  1 Debian-exim adm  458763  8 apr 06:27 rejectlog.1
 -rw-r-  1 Debian-exim adm   77745 30 mar 06:33 rejectlog.10.gz
 -rw-r-  1 Debian-exim adm   87661  7 apr 06:30 rejectlog.2.gz
 -rw-r-  1 Debian-exim adm   56135  6 apr 06:31 rejectlog.3.gz
 -rw-r-  1 Debian-exim adm   65614  5 apr 06:29 rejectlog.4.gz
 -rw-r-  1 Debian-exim adm   59657  4 apr 06:33 rejectlog.5.gz
 -rw-r-  1 Debian-exim adm   77438  3 apr 06:30 rejectlog.6.gz
 -rw-r-  1 Debian-exim adm   91157  2 apr 06:30 rejectlog.7.gz
 -rw-r-  1 Debian-exim adm   79454  1 apr 06:33 rejectlog.8.gz
 -rw-r-  1 Debian-exim adm   97203 31 mar 06:25 rejectlog.9.gz

/var/log/exim4/mainlog.10.gz are there, could be simply that last run
of aide (not this night, but last night) got scheduled between log
rotation?

Speaking clearly: seems to me that the trouble here arise when aide got
scheduled not before, not after but *between* a log rotation task.
This mangle the ANF and ARF rules, and next run bump this message.
I got these aide messages mostly on weekends (where weekly rotation
occur and probably load on machine is bigger), but also appears
randomly on workdays.
Note that i use aide on my firewalls, old (PII/PIII) box with not so
much horsepower, so probably on 'modern' and performant hardware this
could be very tricky to trigger.


/etc/cron.daily/aide seems too complicated for my scripting skills,
there's an easy way to make sure aide does not run between log
rotation?


Many thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#568855: Proposed configuration of sa-exim exclusions/overrides can get better...

[Marco Gaiarin]

Package: sa-exim
Version: 4.2.1-11

In /usr/share/doc/sa-exim/README.gz the readme correctly proposed to
add some exclusions/overrides that prevent spamassassin run against
locally generated or 'trusted' senders.

I was caming from an old, mosly sarge based setup, and i moved from the
header-type exclusion to acl variable exclusion, but found that what
proposed on file above, section:

EXIM4 INTEGRATION / NOT SCANNING YOUR OWN MAILS

does not work very well, scan every local generated email.

After some exim documentation reeding (ok, and a bit of google ;) i've
added in main section of exim4.conf:

acl_not_smtp = acl_check_local_mail

and on acl section:

acl_check_local_mail:
  warn
set acl_m0  = do-not-scan

  accept

With this setup again sa-exim stop to check ocal submitted email.

Also this remove the flooding of:

Can only handle IPv4 addresses; skipping greylisting call for message

from spamd, because seems that the only source of ipv6 traffic, at
least in italy, are localhost. ;-)


Many thanks.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#568259: Race condition in smbldap-tools when stopping nscd

[Marco Gaiarin]

Package: smbldap-tools
Version: 0.9.4-1


Description of the bug and proposed patch upstream.

https://gna.org/bugs/?13098



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#519551: Confirmation and patch.

[Marco Gaiarin]

I an confirm the bug, moving from etch to lenny really confuse me, and
i think this can be really considered a security bug.
[if i reset a password to a shared/simple one i suppose using '-B' that the
user will change it, but they are not forced to do so...]

Easy patch, i hope will be integrated soon.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797

Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
--- smbldap-passwd.orig	2010-02-01 15:25:45.0 +0100
+++ smbldap-passwd	2010-02-01 15:22:03.0 +0100
@@ -222,13 +222,13 @@
 	}
 	}
 	if ($force_update_samba_passwd == 1) {
-		# To force a user to change his password:
-		# . the attribut sambaPwdLastSet must be != 0
+		# To force a user to change his password (in samba = 3.2):
+		# . the attribut sambaPwdLastSet must be == 0
 		# . the attribut sambaAcctFlags must not match the 'X' flag
 		my $winmagic = 2147483647;
 		my $valacctflags = [U];
 		push(@mods, 'sambaPwdMustChange' = 0);
-		push(@mods, 'sambaPwdLastSet' = $winmagic);
+		push(@mods, 'sambaPwdLastSet' = 0);
 		push(@mods, 'sambaAcctFlags' = $valacctflags);
 		}
 	# Let's change nt/lm passwords
--- smbldap-useradd.orig	2010-02-01 15:16:40.0 +0100
+++ smbldap-useradd	2010-02-01 15:22:16.0 +0100
@@ -429,10 +429,10 @@
 	if (defined($tmp = $Options{'B'})) {
 	if ($tmp != 0) {
 		$valpwdmustchange = 0;
-		# To force a user to change his password:
-		# . the attribut sambaPwdLastSet must be != 0
+		# To force a user to change his password (in samba = 3.2):
+		# . the attribut sambaPwdLastSet must be == 0
 		# . the attribut sambaAcctFlags must not match the 'X' flag
-		$valpwdlastset=$winmagic;
+		$valpwdlastset= 0;
 		$valacctflags = [U];
 	} else {
 		$valpwdmustchange = $winmagic;
--- smbldap-usermod.orig	2010-02-01 15:01:02.0 +0100
+++ smbldap-usermod	2010-02-01 15:08:28.0 +0100
@@ -494,8 +494,8 @@
 if ($samba == 1) {
 	if ($tmp != 0) {
 	$_sambaPwdMustChange=0;
-	# To force a user to change his password:
-	# . the attribut sambaPwdLastSet must be != 0
+	# To force a user to change his password (in samba = 3.2):
+	# . the attribut sambaPwdLastSet must be == 0
 	# . the attribut sambaAcctFlags must not match the 'X' flag
 	my $_sambaAcctFlags;
 	my $flags = $user_entry-get_value('sambaAcctFlags');
@@ -509,8 +509,8 @@
 		push(@mods, 'sambaAcctFlags' = $_sambaAcctFlags);
 	}
 	my $_sambaPwdLastSet = $user_entry-get_value('sambaPwdLastSet');
-	if ($_sambaPwdLastSet == 0) {
-		push(@mods, 'sambaPwdLastSet' = $winmagic);
+	if ($_sambaPwdLastSet != 0) {
+		push(@mods, 'sambaPwdLastSet' = 0);
 	}
 	} else {
 	$_sambaPwdMustChange=$winmagic;