Re: Network config
On 08/02/2017 06:56 PM, Zenaan Harkness wrote: > > I've preferred a static networking config for years, and resolvconf > works well in this situation - but once resolvconf is configured, > I've always put the dns setting in /etc/networks/interfaces I agree with this as well. If you want to use static configuration and want resolvconf installed, you need to use the dns-* options in /etc/network/interfaces. resolvconf will then update your /etc/resolv.conf file with those options. If you change /etc/resolv.conf manually, resolvconf will override those settings periodically. The alternative is to simply uninstall resolvconf and set your DNS settings manually. > - the > only time I put an entry in /etc/resolv.conf is when I'm testing > stuff or doing a quick hack. > > Static network configs are quicker and give that sense of control - > if the gui is down I can still fix things, and my knowledge applies > in both gui and console scanerios. Configuration in /etc/network/interfaces only works when NetworkManager isn't installed, which it typically is in GUI environments. If you don't have it installed in your GUI environment then yes, it works in both. If NetworkManager is installed then the nmcli command should be used and you shouldn't do any configuration in /etc/network/interfaces (although loopback is typically still controlled through this file). Thanks, Joshua Schaeffer
Re: DHCP isn't updating DNS
> You should consider moving towards "standard", but "interim"'s not a > problem for now. > https://deepthought.isc.org/article/AA-01091/0/ISC-DHCP-support-for-Standard-DDNS.html I've actually made a few changes since I've posted this in trying to figure this out and I did change to standard. This appears to have not made any difference. DNS is still not getting updated, but I will definitely keep the setting at standard. > >> allowclient-updates; > > I would recommend denying client-updates. This tells clients that they > can do the DNS update themselves. Given that you're trying TSIGs below, > that would mean deploying keys to all the clients etc etc. Better to > "deny client-updates" and centralise the work through the DHCP server. This was also a change I made. I definitely do not want (and do not allow) clients to update DNS, so I changed this to deny. > > > Some other options I have are "update-static-leases on" (Make sure DNS > is updated even for hosts with a static address) "update-optimization > on" (Actually, for debugging purposes, I had that off for a while. If > it's off the DNS will be updated every time. If it's on, then the DNS > won't be updated if the lease hasn't changed. If you're changing from > 'interim' to 'standard' you definitely want this off to ensure the > records get changed). I saw these as well when I reread through the dhcpd.conf man page, but haven't tried them yet. I'll give that a go. > > I'm assuming you've cut something out of your config here, but given the > config above, there's nothing that applies the DDNS settings to hosts. > The ddns-* settings should apply to everything in their current scope > and below (so, if you've put them in your subnet6 block, for example, > that should be fine). Yes I didn't include my entire conf file as it is a little long. Here is my subnet6 declaration that I've been focusing on: subnet6 2620:5:e000:201e::/64 { default-lease-time2419200; max-lease-time2419200; # LDAP Servers. pool6 { allow members of "ldap_servers"; range6 2620:5:e000:201e:0:1::/96; } # Kerberos Servers. pool6 { allow members of "krb5_servers"; range6 2620:5:e000:201e:0:2::/96; } # DHCP Servers. pool6 { allow members of "dhcp_servers"; range6 2620:5:e000:201e:0:3::/96; } # Puppet Servers. pool6 { allow members of "puppet_servers"; range6 2620:5:e000:201e:0:4::/96; } # DNS Servers. pool6 { allow members of "dns_servers"; range6 2620:5:e000:201e:0:5::/96; } # Catch-all DHCP group. pool6 { range6 2620:5:e000:201e:0:d::/96; } } In particular I've been testing with a client that gets added to the "dhcp_servers" class. I know the classification works as the client actually gets an IP address in the the range specified, I just can't get DHCP to update the DNS servers with the and PTR records. Since all my subnet's use the same ddns-* settings I don't specify this at the subnet or pool level, I just leave it in the top scope. Thanks for your response, Joshua Schaeffer
DHCP isn't updating DNS
I'm having trouble getting my DHCPv6 server to update DNS and I'm not sure what I'm missing. From what I can tell I have everything setup and have tried numerous changes to the config file without success. Here is my named.conf.local file. I've tried allowing updates with both the update-policy and allow-update commands as well as through a key and just by IP address, but as far as I can tell the DHCP server isn't even attempting to communicate with the DNS server: root@blldns01:~# cat /etc/bind/named.conf.local // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization include "/etc/bind/zones.rfc1918"; include "/etc/bind/Kddns--rrs.+157+1.private"; include "/etc/bind/Kddns-ptr-rrs.+157+1.private"; key DHCP_UPDATER { algorithm HMAC-MD5.SIG-ALG.REG.INT; secret "=="; }; zone "appendata.net" in { type master; notify yes; file "/var/lib/bind/db.appendata.net"; allow-update { 2620:5:e000:201e::4:1; }; #allow-update { key DHCP_UPDATER; }; #update-policy { #grant "ddns--rrs" self * TXT DHCID; #}; }; zone "0.0.0.e.5.0.0.0.0.2.6.2.IP6.ARPA" in { type master; notify yes; file "/var/lib/bind/db.2620.5.e000"; allow-update { 2620:5:e000:201e::4:1; }; #allow-update { key DHCP_UPDATER; }; #update-policy { #grant "ddns-ptr-rrs" self * PTR TXT DHCID; #}; }; In my dhcpd6.conf file I have my zones specified and have tried including the key file, declaring the key directly in the file, and simply not using the keys and just using IP based authentication. None of it has worked so far. I've also tried using primary and primary6 with the actual IP address in my zone declarations, but this hasn't made any difference: # # DDNS SETTINGS # # # The ddns-updates-style parameter controls whether or not the server will # attempt to do a DNS update when a lease is confirmed. We default to the # behavior of the version 2 packages ('none', since DHCP v2 didn't # have support for DDNS.) ddns-updateson; ddns-update-styleinterim; allowclient-updates; ddns-domainname"appendata.net."; ddns-rev-domainname"ip6.arpa."; do-forward-updateson; # Include keys used to securely communicate with the DNS server. include"/etc/keys/Kddns--rrs.+157+1.private"; include"/etc/keys/Kddns-ptr-rrs.+157+1.private"; key DHCP_UPDATER { algorithmHMAC-MD5.SIG-ALG.REG.INT; secret"XXX=="; }; # Configuring zones for ddns-updates. zone appendata.net. { primaryns1-int.appendata.net; #primary62620:5:e000::a1; #keyDHCP_UPDATER;# DNS key for RR's. } zone 0.0.0.e.5.0.0.0.0.2.6.2.ip6.arpa. { primaryns1-int.appendata.net; #primary62620:5:e000::a1; #keyDHCP_UPDATER;# PTR DNS key for RR's. } I've tried putting various options and declarations in different scopes, but none of it has worked. The DHCP server gives out an IP address just fine, but it doesn't look like it is even trying to update the and PTR records. Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Solicit message from fe80::216:3eff:fe32:2d49 port 546, transaction ID 0x9D08B00 Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Picking pool address 2620:5:e000:201e:0:1:b41e:f2fe Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Advertise NA: address 2620:5:e000:201e:0:1:b41e:f2fe to client with duid 00:01:00:01:21:0a:2b:43:00:16:3e:32:2d:49 iaid = 1043475785 valid for 2419200 seconds Jul 25 10:22:56 blldhcp01 dhcpd[1489]: Sending Advertise to fe80::216:3eff:fe32:2d49 port 546 Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Request message from fe80::216:3eff:fe32:2d49 port 546, transaction ID 0x6C757900 Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Reply NA: address 2620:5:e000:201e:0:1:b41e:f2fe to client with duid 00:01:00:01:21:0a:2b:43:00:16:3e:32:2d:49 iaid = 1043475785 valid for 2419200 seconds Jul 25 10:22:57 blldhcp01 dhcpd[1489]: Sending Reply to fe80::216:3eff:fe32:2d49 port 546 And there is nothing in DNS's logs, even when set to DEBUG. Can anybody see what I'm missing. If I sniff the wire I can see that there isn't any communication between my DHCP and DNS servers, so I don't think its a firewall setting as its not even getting that far. Thanks, Joshua Schaeffer
dhclient doesn't send DHCP options
Anybody seen this issue where dhclient does not send the user-class option in it's solicit message. I have a minimal dhclient.conf file and when I start dhclient I can see that option 15 isn't sent: root@blldhcptest01:~# cat /etc/dhcp/dhclient.conf senduser-class"dhcp server"; requesttime-offset, host-name, dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn; do-forward-updatesoff; root@blldhcptest01:~# dhclient -6 -pf /run/dhclient6.eth0.pid -I eth0 -d -v -cf /etc/dhcp/dhclient.conf Internet Systems Consortium DHCP Client 4.3.3 Copyright 2004-2015 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Listening on Socket/eth0 Sending on Socket/eth0 PRC: Soliciting for leases (INIT). XMT: Forming Solicit, 0 ms elapsed. XMT: X-- IA_NA 3e:1e:cd:ff XMT: | X-- Request renew in +3600 XMT: | X-- Request rebind in +5400 XMT: Solicit on eth0, interval 1030ms. RCV: Advertise message on eth0 from fe80::216:3eff:fe11:10ab. RCV: X-- IA_NA 3e:1e:cd:ff RCV: | X-- starts 1500753449 RCV: | X-- t1 - renew +0 RCV: | X-- t2 - rebind +0 RCV: | X-- [Options] RCV: X-- Server ID: 00:01:00:01:21:04:51:d0:00:16:3e:11:10:ab IA_NA status code NoAddrsAvail: "No addresses available for this interface." And I don't see the option in the packet: No. TimeSourceDestination Protocol Length Info 2 1.640863fe80::216:3eff:fe1e:cdff ff02::1:2 DHCPv6 116Solicit XID: 0x7ea155 CID: 00010001210664ed00163e1ecdff Frame 2: 116 bytes on wire (928 bits), 116 bytes captured (928 bits) Ethernet II, Src: Xensourc_1e:cd:ff (00:16:3e:1e:cd:ff), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02) Internet Protocol Version 6, Src: fe80::216:3eff:fe1e:cdff (fe80::216:3eff:fe1e:cdff), Dst: ff02::1:2 (ff02::1:2) User Datagram Protocol, Src Port: 546 (546), Dst Port: 547 (547) DHCPv6 Message type: Solicit (1) Transaction ID: 0x7ea155 Client Identifier Option: Client Identifier (1) Length: 14 Value: 00010001210664ed00163e1ecdff DUID: 00010001210664ed00163e1ecdff DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jul 22, 2017 13:33:01.0 MDT Link-layer address: 00:16:3e:1e:cd:ff Option Request Option: Option Request (6) Length: 6 Value: 001700180027 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24) Requested Option code: Fully Qualified Domain Name (39) Elapsed time Option: Elapsed time (8) Length: 2 Value: Elapsed time: 0 ms Identity Association for Non-temporary Address Option: Identity Association for Non-temporary Address (3) Length: 12 Value: 3e1ecdff0e101518 IAID: 3e1ecdff T1: 3600 T2: 5400 I have classes defined on my DHCP server that requires the user-class option and because it isn't being sent it can't match the client to any class and as such returns a NoAddrsAvail status code is returned. Anybody encountered this before and know how to fix it? Thanks, Joshua Schaeffer
Re: NTP.conf pool vs server
On Wed, Jun 7, 2017 at 9:06 AM, Greg Wooledge <wool...@eeg.ccf.org> wrote: > I largely agree with Gene. The man pages are incredibly silly. They > don't tell you how to do the Most Basic Common Thing. Instead they > talk about "type s and r addresses" and "a preemptable association > is mobilized" and "mobilizes a persistent symmetric-active mode > association" and "type b and m addresses" and other such gibberish. > That is one of the ideas behind the info pages. Man pages have always been technically oriented and are generally very focused. They don't really offer context. Now, I'm not saying that info pages accomplish this (some do, some don't), but that was one of the original ideas behind info pages, is to be more real world and comprehensive. There are trade offs to both approaches. You typically get a dichotomy of groups about man pages and documentation in general. Some people prefer the more technical nature of the man pages, while others find it frustrating. Can be further exacerbated by the fact that people tell other people to RTFM, but even reading a man page top to bottom doesn't help when it actually comes to setting up a piece of software (as you probably experienced yourself). In general man pages are more helpful when you already understand the software in question and are looking for specific information. Thanks, Joshua Schaeffer
Re: Debian hardware compatibility
I don't think you'll have any issue with that set of hardware. If you've never done water cooling before then you'll be very happy with your H80i purchase. I have a Corsair Hydro H100i in both my Linux and Windows boxes and absolutely love them. I'll never do anything but CPU water cooling anymore. Also I would recommend the 850 Evo vs the 850 Pro. The pro's are typically more expensive and only offer slightly better write performance [1]. I've bought over 10 850 Evo's over the last few years and never been dissatisfied with any of them. Just my personal opinion, but thought I would mention it. Thanks, Joshua Schaeffer [1] http://ssd.userbenchmark.com/Compare/Samsung-850-Pro-256GB-vs-Samsung-850-Evo-250GB/2385vs2977 On Wed, Apr 19, 2017 at 3:57 AM, Dan Purgert <d...@djph.net> wrote: > John Elliot V wrote: > > This is a multi-part message in MIME format. > > --50ECA958FA859516FB3191E9 > > Content-Type: text/plain; charset=utf-8 > > Content-Transfer-Encoding: 7bit > > > > I'm getting a new workstation. Proposed specs are here: > > > > https://au.pcpartpicker.com/list/7MCfjc > > > > I tried to find out if my new hardware would run Debian stable, but > > couldn't confirm. > > > > CPU is Intel Core i7-7700K on an Asus STRIX Z270F mobo. I'm planning to > > drive two monitors from the onboard graphics controller, one via DVI the > > other via HDMI. > > > > Will Debian (w/ KDE Plasma) run on my new kit, does anybody know? > > > > I don't see anything that screams "linux incompatibility" on that list. > Might have some "fun" with the graphics, but then I've not kept up on > Intel's offerings in that regard. > > > -- > |_|O|_| Registered Linux user #585947 > |_|_|O| Github: https://github.com/dpurgert > |O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281 > >
Re: Encrypted RAID1 for storage with Debian Jessie
As already stated LUKS and mdadm are a good combination. I too use these in all my recent systems. I Create RAID volumes, then LVM, then cryptsetup: = + mdamd + + | + +LVM + + | + + LUKS + + | + +ext4+ = I can't speak to your system being on USB, but in general you can just do something like the following: $mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda /dev/sdb $mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdc /dev/sdd $mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sde /dev/sdf If you want to use LVM then you create the PV, VG, and LV: $pvcreate /dev/md0 $pvcreate /dev/md1 $pvcreate /dev/md2 $vgcreate vg_data1 /dev/md0 $vgcreate vg_data2 /dev/md1 $vgcreate vg_data3 /dev/md2 $lvcreate vg_data1 -n lv_data1 -L $lvcreate vg_data2 -n lv_data2 -L $lvcreate vg_data3 -n lv_data3 -L Then create your LUKS partition: $cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data1 vg_data1-lv_data1_crypt $cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data2 vg_data2-lv_data2_crypt $cryptsetup -v --verify-passphrase luksFormat /dev/mapper/lv_data3 vg_data3-lv_data3_crypt Then create your filesystem and mount them: $mkfs.ext4 /dev/mapper/vg_data1-lv_data1_crypt $mkfs.ext4 /dev/mapper/vg_data2-lv_data2_crypt $mkfs.ext4 /dev/mapper/vg_data3-lv_data3_crypt $mount -t ext4 /dev/mapper/vg_data1-lv_data1_crypt /mnt/data1 $mount -t ext4 /dev/mapper/vg_data2-lv_data2_crypt /mnt/data2 $mount -t ext4 /dev/mapper/vg_data3-lv_data3_crypt /mnt/data3 One of my systems looks like this. On this particular system I only encrypt home and swap: $jschaeffer@zipmaster07 ~ $ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:00 111.8G 0 disk \sda1 8:10 100M 0 part /boot/efi \sda2 8:20 250M 0 part \md0 9:00 250M 0 raid1 /boot \sda3 8:30 111.5G 0 part \md1 9:10 111.4G 0 raid1 \vg_sys1-lv_var1 (dm-1) 252:1055G 0 lvm /var \vg_sys1-lv_tmp1 (dm-2) 252:20 4G 0 lvm /tmp \vg_sys1-lv_swap1 (dm-3) 252:30 6G 0 lvm \vg_sys1-lv_swap1_crypt (dm-5) 252:50 6G 0 crypt [SWAP] \vg_sys1-lv_root1 (dm-4) 252:40 46.4G 0 lvm / sdb 8:16 0 111.8G 0 disk \sdb1 8:17 0 100M 0 part \sdb2 8:18 0 250M 0 part \md0 9:00 250M 0 raid1 /boot \sdb3 8:19 0 111.5G 0 part \md1 9:10 111.4G 0 raid1 \vg_sys1-lv_var1 (dm-1) 252:1055G 0 lvm /var \vg_sys1-lv_tmp1 (dm-2) 252:20 4G 0 lvm /tmp \vg_sys1-lv_swap1 (dm-3) 252:30 6G 0 lvm \vg_sys1-lv_swap1_crypt (dm-5) 252:50 6G 0 crypt [SWAP] \vg_sys1-lv_root1 (dm-4) 252:40 46.4G 0 lvm / sdc 8:32 0 931.5G 0 disk \sdc1 8:33 0 100M 0 part \sdc2 8:34 0 931.4G 0 part \vg_home1-lv_home1 (dm-0) 252:00 850G 0 lvm \vg_home1-lv_home1_crypt (dm-6) 252:60 850G 0 crypt /home sr011:01 3.8G 0 rom Thanks, Joshua Schaeffer On Wed, Apr 19, 2017 at 3:11 AM, tv.deb...@googlemail.com < tv.deb...@googlemail.com> wrote: > On 19/04/2017 05:06, commentsab...@riseup.net wrote: > >> Hello, >> >> Is there an easy way to attach several pair of RAID1 disks (with full >> disk encryption) to a Debian Jessie system? >> >> Here is a picture of what I'm trying to achieve: http://imgur.com/vF7IqX2 >> >> I am building a home backup system, I have different type of data to >> backup (work, family, random stuff - hence the three pairs in the >> picture). The system (Debian Jessie) will be on a USB key. >> >> It's a backup system on a budget that I'd like to have up and running >> within a couple of weeks, I know that ZFS (with FreeNAS for instance) >> can achieve similar goals but it's out of budget ; I also know that work >> is being done on BTRFS about encryption but it's not ready for prime >> time yet. >> >> Always state the obvious so : >> >> - the idea behind having the SYSTEM on a independent USB drive is to >> ha
Other's opinions about best/safest method to migrate LUN's while online
Howdy all, We are planning on migrating several LUN's we have on an oracle box to a new NetApp all flash storage backend. We've gone through a few tests ourselves to ensure that we don't cause impact to the box and everything has been successful so far. The server will remain up during the migration and we are not planning on bring down any services. I just wanted to see if others had any similar experience and wouldn't mind sharing. Particularly, does anyone see any steps that might cause impact, halt the box, or cause path's to fail where the storage itself becomes unavailable. This is our current high level steps: 1. Zone the host to include the new HA NetApp pair *[no impact, no server changes, only SAN fabric additions (very safe)]* 2. Create a volume on the destination HA NetApp pair *[no impact, no server changes (very safe)]* 3. Validate the portset on NetApp to include the destination HA pair *[no impact, no changes, verification only (very safe)]* 4. Add reporting nodes to LUN *[no impact, no server changes, NetApp additions only (very safe)]* 5. LUN scan each HBA individually ($echo "- - -" > /sys/class/scsi_host/host3/scan && sleep 5 && echo "- - -" > /sys/class/scsi_host/host4/scan) *[Should not cause impact (generally safe)]* 6. Validate that 8 new non-optimized paths now appear on the server ($multipath -ll) *[no impact, command does not make changes (very safe)]* 7. Validate the new paths are secondary ($sanlun lun show -p -v) *[no impact, command does not make changes (very safe)]* 8. Perform the NetApp LUN move *[no impact, no server changes (very safe)]* 9. Remove the reporting nodes from LUN *[no impact, no server changes, NetApp deletion only (generally safe)]* 10. Validate the 8 original paths are now failed ($multipath -ll) *[no impact, command does not make changes (very safe)]* 11. Validate that Linux automatically sees 4 optimized paths among the 8 new paths ($sanlun lun show -p -v) *[no impact, command does not make changes (very safe)]* 12. Delete the failed paths (echo 1 > /sys/block/sdX/device/delete) *[Should not cause impact (generally safe)]* My only concern is related to part of some Red Hat documentation I came across [1] that states the following: "interconnect scanning is not recommended when the system is under memory pressure. To determine the level of memory pressure, run the command vmstat 1 100; interconnect scanning is not recommended if free memory is less than 5% of the total memory in more than 10 samples per 100. It is also not recommended if swapping is active (non-zero si and so columns in the vmstat output). The command free can also display the total memory." These oracle boxes typically have all their memory used (I see the cached 39G). [root@oraspace01 ~]# free -g total used free sharedbuffers cached Mem: 188187 1 0 0 39 -/+ buffers/cache:147 41 Swap: 79 0 79 I'm not an oracle DBA so I don't know a lot of specifics about their inter-workings, but from what I understand some oracle systems/processes can use all the memory a machine has, no matter how much you give it. I've seen ZFS and VMWare do this as well. They claim a large amount of memory, but aren't using it until they actually need it. It's more efficient and allows for higher throughput and processing. So the fact that free thinks the machine is low on memory isn't really an issue for me, I'm just concerned with the documentation shown earlier. Does anyone know if running a scan on the SCSI bus while the system thinks there isn't much available memory would cause issues? Has anyone done similar types of migrations (doesn't have to be with NetApp). In essence all we are doing is presenting additional paths temporarily, moving the storage, then deleting the old paths. Is there a better way to delete paths? A rescan of the SCSI bus only adds paths (at least from what I found and read). Anybody have some nifty or cleaver step to add that makes things easier/safer/better/faster/etc? Thanks, Joshua Schaeffer [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Online_Storage_Reconfiguration_Guide/scanning-storage-interconnects.html
Re: How to change where PXE booting looks for files with UEFI
On Fri, Apr 7, 2017 at 12:31 PM, David Niklaswrote: > As someone who is curious about PXE, did you ever figure this out? > > Unfortunately I was not able to spend too much time on this and have not yet figured out how to set UEFI PXE booting options like where to look for files. If I figure this out I will post a reply to the list. Thanks, Joshua
Re: GPU advice for Debian stretch?
I've used the following cards over the years without any issues in my Linux boxes. They are typically higher end (at least at the time the series was relevant) because I buy them for my Windows gaming machine, then when I upgrade the graphic card I put the now old card in my main Linux workstation: - Geforce GTX 680 - Radeon HD 6970 - Radeon HD 4670 However, Almost any discrete, modern, mainline card (Geforce or ATI) will work. If you want to use proprietary drives then just check the manufacturers website if that particular card has a Linux driver for download. I haven't video card shopped in a bit, but last I checked Geforce typcially provides good drivers for their cards on Linux and FreeBSD. I believe ATI typically works closer with the opensource community and sends their changes to the appropriate groups, but also has drivers available for direct download. There are also a lot of sites that offer compatibility databases. One of these might be useful to you: - https://wiki.debian.org/Hardware - http://www.linux-drivers.org/ If you are looking for an exact answer of "Card *XYZ* works in Debian Stretch with package *ABC*" then I don't have an answer for you. Could you provide a little more detail about your requirements, like what you plan to use the card for. Do you do any video editing, gaming, movie playback, multi-monitor support, etc? Also, what is your price range? Are you sold on using AMD? Any physical size requirements of the card? Personally, right now, I use Geforce, not because they are necessarily better or worst then ATI, but mostly for their shadow play technology, and I feel their Linux support is better. There was a time when ATI was better at multi-monitor support, but I think Geforce is pretty adequate at the moment for up to 4 monitors. Anyway, without more information I would recommend one of the following: - Radeon R7 250 - Radeon R7 350 or 360 - GTX 950 or 960 In my limited searching I also saw the Radeon 7750 come up, but disclaimer, I know nothing about this card, so can't really recommend it. Looked decent though. Once you find a card then perhaps somebody can tell you if that exact card has any issue with Debian Stretch. Thanks, Joshua Schaeffer On Wed, Apr 5, 2017 at 6:51 AM, Martin Read <zen75...@zen.co.uk> wrote: > I'm currently using an AMD "APU" system with integrated Radeon HD6530D > graphics (yes, that's a component from 2011; the computer still works > fine). This is kind of awkward when considering moving to stretch: > > * The DKMS-support package for the fglrx proprietary driver will not be > available for stretch. > * The radeon free driver *still* isn't on par with fglrx on my hardware. > fglrx gave me OpenGL 4.4; radeon gives me 3.3 and visibly inferior > performance. > * The amdgpu free driver (which I'm guessing won't be in stretch except > via backports anyway) doesn't support my hardware. > > I don't have the money to replace my computer right now, so I'm looking at > the number-and-letter soup of PCI Express discrete graphics cards. Any > recommendations? Not looking for some all-singing all-dancing thing with > seventeen fans, just something that - with the drivers available for > stretch - will get me at least as much performance and capability as my > current chip achieves with its proprietary driver. > >
Re: Systemd services (was Re: If Linux Is About Choice, Why Then ...)
On Mon, Apr 3, 2017 at 10:14 AM, Kevin O'Gormanwrote: > >> To see a list of your available targets (assuming no major local changes), >> use this command: >> >> $ find /lib/systemd/ -name '*.target' >> >> > Are you sure? On my system, this produces nothing at all. But the > directory > exists and is populated. > What version of systemd do you have installed? #systemd --version
Re: Wan/Lan problem
I'm going to join the fray and take a crack at this. I'll try to help as best I can to resolve the situation in your current setup, but I would like to say that I agree with what others have posted and would say that this is a little (but not too much) unorthodox. Typically desktop, server, application, and personal machines are put behind the router in the IPv4 paradigm. We then use NATing to allow multiple machines onto the interwebs. However I only say it is somewhat unorthodox, as dedicated network equipment is often given external IP addresses. It just look like you are using your Linux box as network equipment and as a personal machine. I'm going to focus on questions concerning when both NIC's are up, seeing as this is probably the desired end result. On Wed, Mar 29, 2017 at 9:51 AM, Mike McClain <mike.junk...@copper.net> wrote: > > > > When eth0 is up and eth1 up, > > > the Linux box can not access the web. > > > the Win2K box can access the web. > > > the Linux box can not access the Win2K shares. > > > 'ping ATTrouter' fails. > > > 'ping -Ieth0 ATTrouter' works. > > 1. What does a traceroute show on the Windows box? 2. What does a tcpdump or wireshark output of a ping to 99.188.244.1 show on both Linux and Windows? 3. What happens when you remove the 192.168.1/24 route? Does the Linux box then have internet access? Does the Windows box lose internet access? 4. A quick way to start to narrow down where the problem or problems exist is to completely disable your firewall and perform your tests again. If any of them succeed then you know it has something to do with netfilter. I'll try to look at your config more and see if I can spot anything in particular. Thanks, Joshua Schaeffer
Re: UID mismatch across systems
On 03/26/2017 06:27 PM, Ross Boylan wrote: The main practical problem is with backups, restores and copies that use numeric ids instead of names. This includes taking a disk that was used on one system and using it in another. Beyond that, I had a general sense that the mismatched ids could cause trouble. You're right, I'm not likely to be doing things like ssh'ing after having assumed a system account id or sharing files owned by system ids over NFS. So it may be just the backup/copying that's an issue. Yes, I hadn't thought about backing up a system and then restoring on another system. Just a suggestion, but in the case of backups that are restored on another system you would probably *not* want backup the numeric ids. Rsync actually behaves like this by default and falls back to numeric ids. You have to specify the --numeric-ids flag in order for it to preserve all IDs. From rsync(1) man page: --numeric-ids With this option rsync will transfer numeric group and user IDs rather than using user and group names and mapping them at both ends. By default rsync will use the username and groupname to determine what ownership to give files. The special uid 0 and the special group 0 are never mapped via user/group names even if the --numeric-ids option is not specified. If a user or group has no name on the source system or it has no match on the destination system, then the numeric ID from the source sys‐ tem is used instead. Rsync also has capabilities to map users and groups with the --usermap and --groupmap options. See the man page for details of these options as well. So by default rsync may be doing what you are looking for (or at least map the ids for you so that you don't have to go through the hassle of synchronizing all your systems) by backing up the system and attempting to restore it to the correct user by name first then by ID. Of course this assumes you are using rsync. Other backup programs (and there are aplenty) may do the opposite by default. I was planning on using kerberos. Partly that's because I thought NFSv4 needed it anyway. It is required if you use sec=krb5, krb5i, or krb5p. sec=sys doesn't do any integrity checking, authentication, or encryption and Kerberos is not required for these exports. Right now I use LDAP and Kerberos for authentication and authorization (authn/authz). Kerberos handles the authn portion and actually uses LDAP as its backend. LDAP handles authz portion. I'm also in the process of setting up my NFSv4 server with krb5p security. Let me know if you have any questions on that. I mean ids < 1000. 1000+ seems to be for users on my systems. On my systems it's 100-124 that have the problems. Sorry, typo, I did in fact mean ids less than 1000. Are you saying there is a way to change the uid/gid of a process that is already running from the outside? Does usermod do that if you change the uid? My concern is that if I change file uids existing processes will gag and, worst case, the system becomes non-functional even on reboot.* This seems particularly acute with systemd. I know I can shutdown most services, change ids, and restart them. But I have the impression that the ones associated with systemd, and maybe some others like messagebus, are essential and have to be left running. And I am accessing the systems via ssh, and so changing the ssh u/gid seems especially dicey. *It just occurred to me I could temporarily make permissions more permissive, or add group permissions, to avoid getting locked out. Ross No, I was just saying to create a new account in LDAP (this would be the new synchronized account) and then just change ownership of the files owned by the old account with chown. Your concerns are valid for accounts like systemd and daemon, and unfortunately I don't have any experience with this as I don't synchronize these types of accounts. Thanks, Joshua Schaeffer
Re: Thin Client
On 03/26/2017 12:29 PM, Brian wrote: Off of Ebay. Doesn't everyone? :) I think the statement has been changed or is changing to: "Off of Amazon. Doesn't everyone?" :> (no wars please just a joke).
Re: SSH Access Issue
On 03/26/2017 08:30 AM, Cindy-Sue Causey wrote: In the case I'm thinking, it's about manually adding multiple lines to a file that I'm not completely remembering just now. Gut is saying it's /etc/network/interfaces. Mine's almost empty so I don't have an example to confirm that. Typically user's put a second gateway option in the /etc/network/interface file (which you talk about in the next paragraph). This usually results in not understanding what the gateway does. What I encountered wasn't about declaring different values for gateway, either. For whatever reasons due to innate [functionality], it becomes a fail even if you declare the same gateway value for that line within each new, separate block of declarations. Success is found by declaring it once then omitting that line within any other new blocks added over time. While I've never put duplicate gateway information in /etc/network/interfaces I, at one point when learning about networking and setting it up in Debian, had put a gateway for each subnet in the interfaces file (which is incorrect and resulted in an error). A gateway, often called a "gateway of last resort" tells the system how to reach subnets that it is not attached to. That is the point of the gateway; it is the one place the system can send packets to when it doesn't know where to go. If you defined two gateways (meaning if this was allowed) you would be back to square one, the system wouldn't know which gateway to send the packet to. Defining two gateways could be an incorrect way of saying you are defining two routes (most likely static routes). Between my setup and cognition, I've never had anything stable enough to test if it matters which block that gateway is declared. I've wondered if it matters that it be in the first block, or if it just needs to show up somewhere in that file. I was consciously putting it in the first block because that seemed to be the *logical* thing to do k/t having touched on programming 20 years ago at a local tech school. I hadn't really thought about this myself. I've always defined the gateway under the interface that is attached to the subnet where the gateway resides. A.K.A. if I have two networks: auto eth0 iface inet eth0 static address 192.168.0.2/24 auto eth1 iface inet eth1 static address 10.1.10.2/24 And my gateway of last resort was on the 192.168.0 subnet then I would define the gateway under that interface auto eth0 iface inet eth0 static address 192.168.0.2/24 gateway 192.168.0.1 It never occurred to me to see if it could be put anywhere in the file. My hunch is it can and I guess I could take the 60 seconds to test it, but I'll leave that to more adventurous people. Thanks, Joshua Schaeffer
Re: UID mismatch across systems
On 03/25/2017 03:03 PM, Boylan, Ross wrote: The problem is that I can't convert to using a shared directory when different systems assign different uids to the same named user. In other words, to get to the shared accounts solution I must already have solved the problem of mismatching ids. Not entirely true, NFSv4 has the ability to map uid/gid between systems with the rpc.idmapd program, which uses the idmapd.conf configuration files. The problems are mostly with system users, and I've seen some advice indicating such users don't normally go in LDAP. So excluding would reduce the problem, for LDAP, but also leave lots of unsynchronized ids. What is the issue of unsynchronized system ids? Are you allowing login of these system ids? Are they also sharing a filesystem (NFS, CIFS, etc) for these system ids? My assumption is that when you say shared directory you are talking about $HOME for a normal user. If that's not the case then it sounds like you are using an old technique where many systems mount shared filesystems to /usr, /usr/share, /opt, etc. I haven't seen that in years as disks are quite large enough to handle the space needed for these directories. I'm not sure how much a problem it the mismatches are for NFSv4; I believe it allows user/kerberos based authentication, but I'm not sure what that means for the uids of the files. Mismatched ids in NFSv4 will result in a uid/gid of -1, which translates to something like 4294967295 (I don't think that's the exact number but it's close to 2^32) when you run an ls -l on the NFS mount point. LDAP is my go to solution for synchronized authorization and central account management (I do not use it for authentication, but that is my own personal preference). I advocate it, but I know some people prefer simpler solutions depending on the situation. A company of 10 systems can easily avoid all of the management, hardware, upkeep, etc of LDAP and use something like NIS, Puppet, etc or use no central management at all. I guess I'm not understanding the core problem. I never put system ids (including root) into LDAP, only user's ids. Typing this out, it occurred to me that I am assuming you mean a system id is an id of >1000 (in Debian). If you are talking about some generic account that is not an actual system ID, but is not used by a specific user, then yes you have to find a way to synchronize and/or transfer the account. I would simply create the account in LDAP and then transfer all ownership of processes and files to that new account (as you already stated). Thanks, Joshua Schaeffer
Re: Samba domain provisioning tools issues provisioning error on clean Jessie install
The observation: It does seem like maybe that file shouldn't exist at the beginning if it's causing that kind of thing where the immediate, successful fix is to delete it. Like I said, though.. that's an "uneducated" observation. Perhaps there's a necessary evil of it pre-existing. Perhaps maybe (maybe not) there's a conscious intention that it's easier to delete that file per that error message *if* that error occurs versus the headaches that might result if that file was not in place for most other users universally. *?* :) This is certainly reasonable. The file exists because you install the Samba package which installs a default smb.conf file. My initial assumption is that it would indeed cause more issues to not be there, then to be there and require to delete it before provisioning a new domain. Perhaps a more complex/time consuming solution would be to enhance the guess function that is performed when a domain is provisioned. I've never been involved with Samba development so I have no clue what effort this would take. ERROR(): Provision failed - *ProvisioningError: guess_names*: 'server role=standalone server' in /etc/samba/smb.conf must match chosen server role 'active directory domain controller'! Please remove the smb.conf file and let provision generate it That is also an upstream issue versus a Debian issue. The question: If I get a wild hair later and get a chance to attempt this, do you mind if I "borrow" your domain name there? I don't have anything to test with otherwise. I've attempted samba in the past, but I don't think it's installed right now so this would be attempted from a clean install. Sure, feel free use the domain for testing. I do own the rights to the name and the domain itself so you wouldn't be able to do anything public with it :).
Samba domain provisioning tools issues provisioning error on clean Jessie install
Ahoy all, I'm experiencing an issue when installing Samba on a fresh Debian Jessie install and looking to see if others have encountered this issue, if there is an obvious fix/dependency I'm missing, or if a bug should be reported. *Problem description* After a clean install of Debian Jessie and making sure all packages are updated, I installed samba and then ran the samba-tool to provision a new domain. I get the following error: root@firebat-vm:~# samba-tool domain provision --use-rfc2307 --interactive Realm [HARMONYWAVE.COM]: HARMONYWAVE.COM Domain [HARMONYWAVE]: harmonywave Server Role (dc, member, standalone) [dc]: dc DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL DNS forwarder IP address (write 'none' to disable forwarding) [10.1.30.2]: 10.1.30.2 Administrator password: Retype password: *ERROR(): Provision failed - ProvisioningError: guess_names: 'realm =' was not specified in supplied /etc/samba/smb.conf. Please remove the smb.conf file and let provision generate it* File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 434, in run nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2022, in provision sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS)) File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 603, in guess_names raise ProvisioningError("guess_names: 'realm =' was not specified in supplied %s. Please remove the smb.conf file and let provision generate it" % lp.configfile) I remove the /etc/samba/smb.conf file as the error suggests and then run the exact same command again and it provisions successfully. I just think that a clean install of Jessie should not throw this error the first time it is run. I've Googled and found a few pages and both Ubuntu and Debian bugs related to this exact error message, but it seems that most of them are related to upgrading the Samba package or after reboots, not when running the samba-tool utility. After some further testing I found that I can just remove the /etc/samba/smb.conf file immediately after installing Samba and before running the samba-tool utility. It appears that the mere fact that an smb.conf file exists is the issue. Obviously this issue isn't that critical as the error tells you the problem and even how to fix it, it just seems odd that after a fresh install a provision does not work correctly, especially since it specifically asks for the realm. *Steps to reproduce* 1. Install a clean OS of Debian Jessie 2. Upgrade all packages (apt-get update && apt-get -y dist-upgrade) 3. Install samba (apt-get install samba) 4. Run the samba-tool utility (samba-tool domain provision --use-rfc2307 --interactive) and answer the questions asked by the script. *TL;DR* I guess the main question is: "Is a user expected to remove the smb.conf file before running the samba-tool utility to provision a domain? If so, I have not seen this in any documentation (Debian, Samba, Ubuntu or otherwise). Should this be considered a bug? The domain provision process expects that if the smb.conf file exists it is already setup for the domain being provisioned." Thanks, Joshua Schaeffer
How to change where PXE booting looks for files with UEFI
Ahoy, I've been learning how to setup PXE booting to install an OS image on a 100% UEFI system (CSM completely disabled). I use Debian 8 as my DHCP server (ISC DHCP) and as my TFTP server (tftpd-hpa). I also use the Debian netboot installer to provide the PXE environment including the bootnetx64.efi file (I use it to serve pxelinux.0 as well). I'm able to get to menu screens with PXE on UEFI and BIOS, but I have to have specific files in certain directories for UEFI and I don't know how to change the defaults. With BIOS I'm able to control the directories and files that are served by changing the pxelinux.cfg/default file. For BIOS I put my debian-installer directory (which contains the boot screen, menus, etc) under gtk. So I just have lines like this in my pxelinux.cfg/default file: path gtk/debian-installer/amd64/boot-screens/ default gtk/debian-installer/amd64/boot-screens/vesamenu.c32 However, I can't figure out how to tell UEFI to look in specific directories. Instead I've been left with just having to create a symlink from the default directory that bootnetx64.efi looks in to point to the actual directory that my GRUB files exist. How do you configure UEFI PXE booting to use different directories then the defaults? Let me try to explain what I'm seeing a little better: This is my TFTP server. The base directory is /srv/tftp: root@broodwar:/srv/tftp/pxeboot# ls -l total 48208 -rw-r--r-- 1 tftp tftp 435712 Mar 15 10:38 bootnetx64.efi drwxr-xr-x 1 tftp tftp4 Sep 28 11:10 centos drwxr-xr-x 1 tftp tftp4 Sep 28 11:10 debian drwxr-xr-x 1 tftp tftp8 Sep 28 11:16 fedora drwxr-xr-x 1 tftp tftp 120 Sep 17 10:04 gtk -rw-r--r-- 1 tftp tftp 116624 Sep 28 09:30 ldlinux.c32 -rw-r--r-- 1 tftp tftp25372 Sep 30 10:40 memdisk -rw-r--r-- 1 tftp tftp 29360128 Sep 13 2016 mini.iso -rw-r--r-- 1 tftp tftp 19370928 Sep 13 2016 netboot.tar.gz drwxr-xr-x 1 tftp tftp 16 Sep 28 11:17 opensuse -rw-r--r-- 1 tftp tftp42988 Sep 13 2016 pxelinux.0 drwxr-xr-x 1 tftp tftp 248 Sep 30 10:31 pxelinux.cfg drwxr-xr-x 1 tftp tftp 20 Sep 28 11:17 ubuntu drwxr-xr-x 1 tftp tftp 32 Sep 30 09:40 windows drwxr-xr-x 1 tftp tftp 52 Sep 17 10:04 xen You can see that under the base directory I have a pxeboot directory which can serve both pxelinux.0 and bootnetx64.efi. I also have a gtk folder which is where the debian-installer folder resides under (this has items like my boot screens and menus as well as GRUB related files for UEFI). So, when booting via BIOS I tell my pxelinux.cfg file to look under the gtk folder as shown above. bootnetx64.efi however is looking for the following files: - debian-installer/amd64/grub/x86_64-efi/command.lst - debian-installer/amd64/grub/x86_64-efi/fs.lst - debian-installer/amd64/grub/x86_64-efi/crypto.lst - debian-installer/amd64/grub/x86_64-efi/terminal.lst - debian-installer/amd64/grub/grub.cfg I know this because this is what is reported in the tftp log files. I have to have a symlink called debian-installer in my root directory (/srv/tftp/debian-installer) pointing to my gtk folder (srv/tftp/pxeboot/gtk/debian-installer). root@broodwar:/srv/tftp/pxeboot# ls -l .. total 4 drwxr-xrwx 1 tftp tftp 128 Jan 23 15:24 cisco_config lrwxrwxrwx 1 root root 29 Mar 15 12:34 debian-installer -> pxeboot/gtk/debian-installer/ drwxr-xr-x 1 tftp tftp 242 Mar 15 12:33 pxeboot How do I tell bootnetx64.efi to just look directly in that folder instead of looking at the default location? Thanks, Joshua
Re: good LDAP resources
LDAP can be very difficult to learn if you are just starting out with it, but also very powerful. There may be other faster solutions then a manual setup, but I found that I learned the most by doing all of it manually. On Red Hat based systems, I believe their IPA solution is quite good. It uses LDAP and Kerberos and does most of the leg work for you. I have no idea if any of that is compatible with Debian based systems (I don't think it is). Anyway here are a lot of the resources I used when learning, configuring, and setting up my authentication system: * * http://debian-handbook.info/browse/wheezy/sect.ldap-directory.html * http://ubuntuforums.org/showthread.php?t=1421998 * http://www.openldap.org/lists/openldap-technical/201401/msg00140.html * https://help.ubuntu.com/community/GnuTLS * https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/115967 * help.ubuntu.com/community/OpenLDAPServer <https://help.ubuntu.com/community/OpenLDAPServer> * http://www.openldap.org/doc/admin24/guide.html * https://help.ubuntu.com/community/Kerberos * http://www.openldap.org/lists/openldap-technical/201201/msg00140.html * slapd-config(5) * *http://www.zytrax.com/books/ldap/* <http://www.zytrax.com/books/ldap/ch6/#security> * http://www.zytrax.com/books/ldap/ch7/#overview * http://www.zytrax.com/books/ldap/ape/config.html#olcsyncprovconfig * http://www.cyberciti.biz/faq/how-do-i-rotate-log-files/ * https://www.ietf.org/rfc/rfc2307.txt * https://tools.ietf.org/id/draft-howard-rfc2307bis-02.txt * There's plenty more out there as well. If you want I can send you my own setup guide, which I built over the years from all these resources (and probably many more I never recorded), just keep in mind that doc is specific to myself and my business and it involves setting up OpenLDAP not just for authentication but for almost anything. I also don't use OpenLDAP for authentication only authorization. I use MIT Kerberos for auth (which uses OpenLDAP as its backend). To be more specific to your question of "good resources" I would say as a subset of all the links above the below are the best ones to start with: *http://debian-handbook.info/browse/wheezy/sect.ldap-directory.html ***help.ubuntu.com/community/OpenLDAPServer <https://help.ubuntu.com/community/OpenLDAPServer> **http://www.zytrax.com/books/ldap/ As one last suggestion/comment/remark, I would suggest setting up OpenLDAP as your implementation of LDAP and would use PPolicy to authn/authz over TLS. If you don't want to send passwords over the wire then use Kerberos for the authentication component. Thanks, Joshua Schaeffer On 02/25/2017 03:16 PM, bri...@aracnet.com wrote: I need to set-up some sort of password server for a small network so that i don't have to set-up accounts on every machine. It looks like LDAP is the best way to do that. Is it ? I've been looking at the LDAP how-to's and even tried to turn things on using one of them, but I can't quite get things working. Can someone point me to a good resource as to how to make it work ? Thanks!
Re: hotpluggable member of a bridge
Interesting, thanks for the explanation. On Thu, Jan 5, 2017 at 9:32 AM, Reco <recovery...@gmail.com> wrote: > Hi. > > On Thu, 5 Jan 2017 09:19:35 -0700 > Joshua Schaeffer <jschaeffer0...@gmail.com> wrote: > > > > > > > > > > A sample configuration would be: > > > > > > allow-ovs br0 > > > iface br0 inet4 static > > > address … > > > netmask … > > > ovs_type OVSBridge > > > > > > allow-br0 eth0 > > > iface eth0 inet6 auto > > > ovs_type OVSPort > > > ovs_bridge br0 > > > > > > allow-hotplug usb0 > > > iface usb0 inet6 auto > > > ovs_type OVSPort > > > ovs_bridge br0 > > > > > > Reco > > > > > > > > Pardon my ignorance, can you explain why you set an IPv4 address on your > > bridge and an IPv6 address on your bridge interfaces? I've never seen > this > > before and would like to know what this accomplishes. Perhaps its a typo > as > > I thought IPv4 was just set with "inet" and IPv6 was set with "inet6". > > It's simple, although isn't obvious from this abridged example. > I need a single IPv4 for both interfaces, so I set it on a bridge. > I don't need distinct IPv4 on ports, so I don't set it there. > > Bridged interfaces retain their MACs, so they would get different IPv6 > ULAs, which are provided by radvd from the different host. > And I don't need these IPv6 either. > > So, I can do: > > allow-br0 eth0 > iface eth0 inet manual > ovs_type OVSPort > ovs_bridge br0 > > And get myself all kinds of unneeded trouble, or I can do: > > allow-br0 eth0 > iface eth0 inet6 auto > autoconf 0 > accept_ra 0 > ovs_type OVSPort > ovs_bridge br0 > > Barring this IPv4/IPv6 difference, there should be no noticeable > outcome between 'inet manual' and 'inet6 auto'. > > Reco > >
Re: hotpluggable member of a bridge
> > > A sample configuration would be: > > allow-ovs br0 > iface br0 inet4 static > address … > netmask … > ovs_type OVSBridge > > allow-br0 eth0 > iface eth0 inet6 auto > ovs_type OVSPort > ovs_bridge br0 > > allow-hotplug usb0 > iface usb0 inet6 auto > ovs_type OVSPort > ovs_bridge br0 > > Reco > > Pardon my ignorance, can you explain why you set an IPv4 address on your bridge and an IPv6 address on your bridge interfaces? I've never seen this before and would like to know what this accomplishes. Perhaps its a typo as I thought IPv4 was just set with "inet" and IPv6 was set with "inet6". Thanks, Joshua Schaeffer
Re: Rebuilding Debian package from source
> > > I doubt it's possible to make build paths containing spaces work correctly > in the general case, even if the original poster does manage to hack > it up this one time. My advice would be to stop attempting to use a > directory with a space in its name as part of a build setup. It's doomed. > > Go to know. I will not use spaces in the future. I was able to get the package rebuilt by following this guide: https://wiki.debian.org/BuildingAPackage Which, incidentally, does not use spaces in its base directory. Thanks, Joshua Schaeffer
Re: Rebuilding Debian package from source
Test... "Build Test" is the directory I downloaded everything into (a.k.a. it was the directory I was in when I ran apt-get source nginx-extras) jschaeffer@mutalisk:~/Build Test$ pwd /home/jschaeffer/Build Test jschaeffer@mutalisk:~/Build Test$ ls -l total 2004 drwxr-xr-x 1 jschaeffer jschaeffer154 Sep 18 19:02 nginx-1.6.2-5+deb8u2 -rw-r--r-- 1 jschaeffer jschaeffer 609344 Jun 1 12:36 nginx_1.6.2-5+deb8u2.debian.tar.xz -rw-r--r-- 1 jschaeffer jschaeffer 2873 Jun 1 12:36 nginx_1.6.2-5+deb8u2.dsc -rw-r--r-- 1 jschaeffer jschaeffer 3692 Sep 18 19:14 nginx_1.6.2-5+deb8u2-harm_amd64.build -rw-r--r-- 1 jschaeffer jschaeffer 621532 Sep 18 19:14 nginx_1.6.2-5+deb8u2-harm.debian.tar.xz -rw-r--r-- 1 jschaeffer jschaeffer 2051 Sep 18 19:14 nginx_1.6.2-5+deb8u2-harm.dsc -rw-r--r-- 1 jschaeffer jschaeffer 804164 Sep 17 2014 nginx_1.6.2-5+deb8u2.orig.tar.gz jschaeffer@mutalisk:~/Build Test$ ls -l nginx-1.6.2-5+deb8u2/ total 596 drwxr-xr-x 1 jschaeffer jschaeffer246 Sep 18 19:11 auto -rw-r--r-- 1 jschaeffer jschaeffer 236013 Sep 16 2014 CHANGES -rw-r--r-- 1 jschaeffer jschaeffer 359556 Sep 16 2014 CHANGES.ru drwxr-xr-x 1 jschaeffer jschaeffer180 Sep 18 18:50 conf -rwxr-xr-x 1 jschaeffer jschaeffer 2369 Sep 16 2014 configure drwxr-xr-x 1 jschaeffer jschaeffer 68 Sep 18 18:50 contrib drwxr-xr-x 1 jschaeffer jschaeffer 1476 Sep 18 18:59 debian drwxr-xr-x 1 jschaeffer jschaeffer 36 Sep 18 18:50 html -rw-r--r-- 1 jschaeffer jschaeffer 1397 Sep 16 2014 LICENSE drwxr-xr-x 1 jschaeffer jschaeffer 14 Sep 18 18:50 man -rw-r--r-- 1 jschaeffer jschaeffer 49 Sep 16 2014 README drwxr-xr-x 1 jschaeffer jschaeffer 46 Sep 18 18:50 src drwxr-xr-x 1 jschaeffer jschaeffer 40 Sep 18 19:02 Test jschaeffer@mutalisk:~/Build Test$ ls -l nginx-1.6.2-5+deb8u2/Test/ total 0 drwxr-xr-x 1 jschaeffer jschaeffer 12 Sep 18 19:13 nginx-1.6.2-5+deb8u2 jschaeffer@mutalisk:~/Build Test$ ls -l nginx-1.6.2-5+deb8u2/Test/nginx-1.6.2-5+deb8u2/ total 0 drwxr-xr-x 1 jschaeffer jschaeffer 20 Sep 18 19:14 debian On Mon, Sep 19, 2016 at 4:59 AM, Zoltán Hermann <zoltan...@gmail.com> wrote: > Hello, > > "cp: cannot stat ‘Test/nginx-1.6.2-5+deb8u2/auto’: No such file or > directory" > > Test or Build Test ? > > Greetings > Zoltán > > > > > Joshua Schaeffer <jschaeffer0...@gmail.com> ezt írta (2016. szeptember > 19., hétfő): > > I'm trying to rebuild the nginx-extras package from Jessie and I'm > running into an error when I run debuild. I want to add a module to Nginx. > I've just been following this to rebuild the package: > https://raphaelhertzog.com/2010/12/15/howto-to-rebuild-debian-packages/ > > > > Here is what I've done: > > > > Downloaded the source using apt. > > > > apt-get source nginx-extras > > > > Built the dependencies for the package > > > > apt-get build-dep nginx-extras > > > > Updated the debian/rules file to include my module > > Added my module to the debian/modules directory > > Ran debuild to compile the package. > > > > debuild -us -uc > > > > When I run the debuild command I get an error about no > Test/nginx-1.6.2-5_deb8u2/auto directory existing. As the error suggests it > doesn't exist, but I'm not sure how to fix it. Creating the directory just > leads to another error. Would anybody be able to tell me why I'm getting > this error and how to fix it. I do have devscripts installed on the machine. > > > > jschaeffer@mutalisk:~/Build Test/nginx-1.6.2-5+deb8u2$ debuild -us -uc > > ... > > make[1]: Entering directory '/home/jschaeffer/Build > Test/nginx-1.6.2-5+deb8u2' > > dh_testdir > > mkdir -p /home/jschaeffer/Build Test/nginx-1.6.2-5+deb8u2/ > debian/build-full > > cp -Pa /home/jschaeffer/Build Test/nginx-1.6.2-5+deb8u2/auto > /home/jschaeffer/Build Test/nginx-1.6.2-5+deb8u2/debian/build-full/ > > cp: cannot stat ‘Test/nginx-1.6.2-5+deb8u2/auto’: No such file or > directory > > cp: will not create hard link > > ‘Test/nginx-1.6.2-5+deb8u2/debian/build-full/Build’ > to directory ‘Test/nginx-1.6.2-5+deb8u2/debian/build-full/Build’ > > debian/rules:141: recipe for target 'config.arch.full' failed > > make[1]: *** [config.arch.full] Error 1 > > make[1]: Leaving directory '/home/jschaeffer/Build > Test/nginx-1.6.2-5+deb8u2' > > debian/rules:117: recipe for target 'build' failed > > make: *** [build] Error 2 > > dpkg-buildpackage: error: debian/rules build gave error exit status 2 > > debuild: fatal error at line 1376: > > dpkg-buildpackage -rfakeroot -D -us -uc failed >
Rebuilding Debian package from source
I'm trying to rebuild the nginx-extras package from Jessie and I'm running into an error when I run debuild. I want to add a module to Nginx. I've just been following this to rebuild the package: https://raphaelhertzog.com/2010/12/15/howto-to-rebuild-debian-packages/ Here is what I've done: 1. Downloaded the source using apt. * apt-get source nginx-extras 2. Built the dependencies for the package * apt-get build-dep nginx-extras 3. Updated the debian/rules file to include my module 4. Added my module to the debian/modules directory 5. Ran debuild to compile the package. * debuild -us -uc When I run the debuild command I get an error about no Test/nginx-1.6.2-5_deb8u2/auto directory existing. As the error suggests it doesn't exist, but I'm not sure how to fix it. Creating the directory just leads to another error. Would anybody be able to tell me why I'm getting this error and how to fix it. I do have devscripts installed on the machine. jschaeffer@mutalisk:~/Build Test/nginx-1.6.2-5+deb8u2$ debuild -us -uc ... make[1]: Entering directory '/home/jschaeffer/Build Test/nginx-1.6.2-5+deb8u2' dh_testdir mkdir -p /home/jschaeffer/Build Test/nginx-1.6.2-5+deb8u2/debian/build-full cp -Pa /home/jschaeffer/Build Test/nginx-1.6.2-5+deb8u2/auto /home/jschaeffer/Build Test/nginx-1.6.2-5+deb8u2/debian/build-full/ *cp: cannot stat ‘Test/nginx-1.6.2-5+deb8u2/auto’: No such file or directory* cp: will not create hard link ‘Test/nginx-1.6.2-5+deb8u2/debian/build-full/Build’ to directory ‘Test/nginx-1.6.2-5+deb8u2/debian/build-full/Build’ debian/rules:141: recipe for target 'config.arch.full' failed make[1]: *** [config.arch.full] Error 1 make[1]: Leaving directory '/home/jschaeffer/Build Test/nginx-1.6.2-5+deb8u2' debian/rules:117: recipe for target 'build' failed make: *** [build] Error 2 dpkg-buildpackage: error: debian/rules build gave error exit status 2 debuild: fatal error at line 1376: dpkg-buildpackage -rfakeroot -D -us -uc failed
Re: sssd can't find sudo users
I figured this out. Found this in slapd's log: Feb 20 23:27:19 baneling slapd[22588]: conn=1058 op=0 BIND dn="" method=128 Feb 20 23:27:19 baneling slapd[22588]: conn=1058 op=0 RESULT tag=97 err=0 text= Feb 20 23:27:19 baneling slapd[22588]: conn=1058 op=1 SRCH base="ou=SUDOers,dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(objectClass=sudoRole)(cn=defaults))" Feb 20 23:27:19 baneling slapd[22588]: conn=1058 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required Feb 20 23:27:19 baneling slapd[22588]: conn=1058 op=2 SRCH base="ou=SUDOers,dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(objectClass=sudoRole)(|(sudoUser=jschaeffer)(sudoUser=%jschaeffer)(sudoUser=%#5000)(sudoUser=%administrator)(sudoUser=%sftp-users)(sudoUser=%wheel)(sudoUser=%#4000)(sudoUser=%#4001)(sudoUser=%#4002)(sudoUser=ALL)))" Feb 20 23:27:19 baneling slapd[22588]: conn=1058 op=2 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required Feb 20 23:27:19 baneling slapd[22588]: conn=1058 op=3 SRCH base="ou=SUDOers,dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))" Feb 20 23:27:19 baneling slapd[22588]: conn=1058 op=3 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required I didn't have my /etc/ldap/ldap.conf file using start_tls so it wouldn't connect with TLS. I updated the URI parameter in the file to: URI ldap://baneling.harmonywave.com/starttls And it works now. Thanks, Joshua
Re: sssd can't find sudo users
Opps, typo in the subject. On 02/20/2016 09:47 PM, Joshua Schaeffer wrote: I setup an SSO environment using Debian 8 systems. I have a Kerberos server which uses LDAP as its backend. I have users and groups created in OpenLDAP. The SSO environment seems to be working correctly. I installed SASL, GSSAPI, and SSSD on a test client. I can see my users and groups using getent from my test client and I can log into the server (locally and through SSH). I also have sudo-ldap installed and I'm trying to get SSSD to lookup my sudo users in LDAP, but I can seem to get this to work. I keep getting a "user is not in the sudoers file. This incident will be reported." error. My configuration for the test client is below: root@korhal: cat /etc/sssd/sssd.conf [sssd] config_file_version= 2 services= nss,pam domains= HARMONYWAVE [nss] debug_level= 5 filter_users= root filter_groups= root #fallback_homedir= /home/%u [pam] [domain/HARMONYWAVE] debug_level= 5 auth_provider= krb5 chpass_provider= krb5 krb5_server= immortal.harmonywave.com krb5_realm= HARMONYWAVE.COM cache_credentials= false access_provider= simple id_provider= ldap ldap_uri= ldap://baneling.harmonywave.com ldap_tls_reqcert= demand ldap_tls_cacert= /etc/ssl/certs/ca.harmonywave.com.pem ldap_search_base= dc=harmonywave,dc=com ldap_id_use_start_tls= true ldap_sasl_mech= GSSAPI ldap_user_search_base= ou=People,dc=harmonywave,dc=com ldap_group_search_base= ou=Group,dc=harmonywave,dc=com ldap_user_object_class= posixAccount ldap_user_name= uid ldap_fullname= cn ldap_user_home_directory= homeDirectory ldap_group_object_class= posixGroup ldap_group_name= cn ldap_sudo_search_base= ou=SUDOers,dc=harmonywave,dc=com sudo_provider= ldap Getent shows that it can find me, my group, and that I am part of the wheel group: root@korhal:/home/jschaeffer# getent passwd jschaeffer jschaeffer:*:5000:5000:Joshua Schaeffer:/home/jschaeffer:/bin/bash root@korhal:/home/jschaeffer# getent group jschaeffer jschaeffer:*:5000:jschaeffer root@korhal:/home/jschaeffer# getent group wheel wheel:*:4002:jschaeffer I have the wheel group in OpenLDAP: root@korhal:/home/jschaeffer# ldapsearch -LLL -Y GSSAPI -H ldap://baneling.harmonywave.com -b ou=SUDOers,dc=harmonywave,dc=com SASL/GSSAPI authentication started SASL username: jschaef...@harmonywave.com SASL SSF: 56 SASL data security layer installed. dn: ou=SUDOers,dc=harmonywave,dc=com objectClass: top objectClass: organizationalUnit ou: SUDOers dn: cn=%wheel,ou=SUDOers,dc=harmonywave,dc=com objectClass: top objectClass: sudoRole cn: %wheel sudoUser: %wheel sudoHost: ALL sudoCommand: ALL dn: cn=defaults,ou=SUDOers,dc=harmonywave,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Add default sudoOptions's here When I try to run any command with sudo it fails: jschaeffer@korhal:~$ sudo ls [sudo] password for jschaeffer: jschaeffer is not in the sudoers file. This incident will be reported. Any help would be appreciated. Thanks, Joshua
sssd can't fine sudo users
I setup an SSO environment using Debian 8 systems. I have a Kerberos server which uses LDAP as its backend. I have users and groups created in OpenLDAP. The SSO environment seems to be working correctly. I installed SASL, GSSAPI, and SSSD on a test client. I can see my users and groups using getent from my test client and I can log into the server (locally and through SSH). I also have sudo-ldap installed and I'm trying to get SSSD to lookup my sudo users in LDAP, but I can seem to get this to work. I keep getting a "user is not in the sudoers file. This incident will be reported." error. My configuration for the test client is below: root@korhal: cat /etc/sssd/sssd.conf [sssd] config_file_version = 2 services= nss,pam domains = HARMONYWAVE [nss] debug_level = 5 filter_users= root filter_groups = root #fallback_homedir = /home/%u [pam] [domain/HARMONYWAVE] debug_level = 5 auth_provider = krb5 chpass_provider = krb5 krb5_server = immortal.harmonywave.com krb5_realm = HARMONYWAVE.COM cache_credentials = false access_provider = simple id_provider = ldap ldap_uri= ldap://baneling.harmonywave.com ldap_tls_reqcert= demand ldap_tls_cacert = /etc/ssl/certs/ca.harmonywave.com.pem ldap_search_base= dc=harmonywave,dc=com ldap_id_use_start_tls = true ldap_sasl_mech = GSSAPI ldap_user_search_base = ou=People,dc=harmonywave,dc=com ldap_group_search_base = ou=Group,dc=harmonywave,dc=com ldap_user_object_class = posixAccount ldap_user_name = uid ldap_fullname = cn ldap_user_home_directory= homeDirectory ldap_group_object_class = posixGroup ldap_group_name = cn ldap_sudo_search_base = ou=SUDOers,dc=harmonywave,dc=com sudo_provider = ldap Getent shows that it can find me, my group, and that I am part of the wheel group: root@korhal:/home/jschaeffer# getent passwd jschaeffer jschaeffer:*:5000:5000:Joshua Schaeffer:/home/jschaeffer:/bin/bash root@korhal:/home/jschaeffer# getent group jschaeffer jschaeffer:*:5000:jschaeffer root@korhal:/home/jschaeffer# getent group wheel wheel:*:4002:jschaeffer I have the wheel group in OpenLDAP: root@korhal:/home/jschaeffer# ldapsearch -LLL -Y GSSAPI -H ldap://baneling.harmonywave.com -b ou=SUDOers,dc=harmonywave,dc=com SASL/GSSAPI authentication started SASL username: jschaef...@harmonywave.com SASL SSF: 56 SASL data security layer installed. dn: ou=SUDOers,dc=harmonywave,dc=com objectClass: top objectClass: organizationalUnit ou: SUDOers dn: cn=%wheel,ou=SUDOers,dc=harmonywave,dc=com objectClass: top objectClass: sudoRole cn: %wheel sudoUser: %wheel sudoHost: ALL sudoCommand: ALL dn: cn=defaults,ou=SUDOers,dc=harmonywave,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Add default sudoOptions's here When I try to run any command with sudo it fails: jschaeffer@korhal:~$ sudo ls [sudo] password for jschaeffer: jschaeffer is not in the sudoers file. This incident will be reported. Any help would be appreciated. Thanks, Joshua