Re: need a newline between paragraphs....
Gary Kline wrote:
> PS: is there any one-liner to add back one newline between
> paragraphs?

That depends a lot on how you define paragraph. If they all start with
tabs, something like:

    sed '/^<^VTAB>/ i\
    \<^VTAB>
    ' myfile

Where you use ^VTAB to insert some literal tabs on the commandline. I
couldn't seem to convince sed to insert an empty line, but I didn't play
around with it all that long.

If you need more sophisticated paragraph detection (like based on the
previous line not being some number of characters or some kind of period
to capital letter thing or something), you're going to spend a lot more
time mucking through it.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: need a newline between paragraphs....
Gary Kline wrote:
> some several weeks ago, i got the appended perl code sent that
> takes a very long txt file and diving by ``Chapter NN'' puts
> the long file into separate files, 01 to 66. trouble is that
> it is hard to read by eyes without a space between paragraphs.
>
> it's easy for grep to remove all newlines. How do i add them
> back?
[...]
> # We've read at least one chapter heading.
> while (<>) {
>   chomp;
>   $fh = newchapter($1) if /$regex/;
>   next if /^#/;

It looks like this line of code is killing the blank lines. If you
delete the line and re-run the program, you should be good to go. If you
don't have the original anymore, it'll be a lot harder and much less
accurate.

>   print $fh "$_";
> }

Good luck,

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: ldap and pam-mkhomedir, anyone know how to set directory ownership to the ldap user logging in ??
Craig Butler wrote:
> Currently I have got pam authenticating against ldap and mkhomedir
> creating the home directories, but they are created owned as root:wheel
> and the user can't write to their own home directory -- I have read the
> man page for pam_mkhomedir, the only way I see it working at the moment
> is setting an insecure umask in the pam definition
>
> Any ideas on how I can get them owned by the ldap user signing in ?

It should "Just Work". Do you have the accounts properly configured in
/etc/nsswitch.conf? If you:

    getent passwd USER

For the account whose home directory isn't being created correctly? Do
you see the entry?

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: FBSD 7.2 - ports blocked but no firewall
Gene wrote:
> I'm running 7.2 GENERIC and installed the unrealirc port. I've started it up
> and can connect from localhost just fine. But when attempting to connect from
> the outside world (eg. from another box on the lan) I get connection refused.
>
> I've tried both with and without ipfilter running (with appropriate rule).
> Other ports are reachable including a non-standard port used for ssh.
>
> The question: Could there be any reason that port 6667 might be blocked?
> (Unrealircd questions can be taken up elsewhere).

It's possible you've configured Unrealircd to only listen on localhost
and not on "*". Look for something like:

| listen *:6697
| {
|   ...
| };

And make sure it's "*" and not "127.0.0.1".

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: passing options thru '/etc/rc.d/foo start'
Tom Worster wrote:
> thanks, Mel, that's good to know.
>
> i think your suggestion of modifying rc.conf will turn out to be a tidy
> solution for me.

You could also just put:

    sshd_flags="-o X11Forwarding=no"

into your /etc/rc.conf file. Pretty much all of the rc.d scripts support
the use of NAME_flags being defined in /etc/rc.conf, which are passed as
extra commandline arguments to the daemon. You should generally check
/etc/defaults/rc.conf to see what you might be clobbering. A small
number of scripts may override this feature from the library, breaking
this method, but it's pretty widely supported.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: sudo script not executing
bsd wrote:
> I have an sh script that is called by the "www" process which has a
> shell that defaults to /sbin/nologin
>
> I have configured the sudoers file with these settings:
>
> www ALL=(www) NOPASSWD: /usr/local/bin/postfixadmin-domain-
> postdeletion.sh
>
>
> And It does not seem to be able to execute?
>
> > Sorry, user www is not allowed to execute '/usr/local/bin/
> > postfixadmin-mailbox-postdeletion.sh y...@test.com test.com' as www on
> > newmail.rmm.fr
> > .
>
> The file I am trying to delete is also owned by a non privileged
> user? ??

The user www is www, so you shouldn't need to sudo to run as that
account. Did you mean to setup the rule for the postfix user? Or a
postfix target account?

That said, I think what you typed should have worked. You shouldn't have
seen "www is not allowed to execute ... as www", because your sudoers
file says otherwise.

Assuming your account has full sudo, what do you see if you type:

    $ sudo -u www sudo -l

Hopefully, because of the NOPASSWD in there, you won't have to produce
www's password.

Is your script (postfixadmin-domain-postdeletion.sh) readable and
executable by user www?

Do you have any trailing characters or something on the line with your
sudo rule which might make sudo think you've typed a literal command
with arguments instead of a command that can be run with arbitrary
arguments?

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: script to send out a dozen letters?
Gary Kline wrote:
> if there are tools to do this, please point me at them, but i
> want to send out a snail and/or email|HTML|whatever to a handful
> of companies that i hope to find online.
>
> I'm guessing the inside address would me something like
>
> Company Name
> Address
> Company Email
>
> Attn Mr. Smith:
>
> [my canned letter]
>
>
> i forget if the inside address is before the recipient
> address--I *think* so. is there a way of having date output
> the format "15 August, 2009" rather than my usual, 15aug09?
>
> I am pretty sure these people are most accustomed to GUI/html
> mail, so is there a way of invoking evo with html capability?
>
> if there are web pointers on this, puleeze clue me in!

Here's a script I whipped up a year or two ago that sends out e-mails.
You could definitely tweak it to find/replace a LaTeX template and send
it directly to the printer (circa the `| sendmail` line).

See the included readme (excuse the twiki formatting). While it was
written for bash, it may run under /bin/sh (but I make no claims). It's
really straightforward.

I would die a little inside if it were used to send HTML e-mail, but
there's nothing to stop you from writing HTML (by hand) into the
template (or saving a message out of your GUI MUA of choice into a flat
file and using that as your template).

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

#! /bin/bash

if [ -z "$1" ] || [ -z "$2" ] || [ "x$1" == "x--help" ]; then
    printf "Usage:\n\t%s data_file template_file [cc1 [cc2 ... ]]\n" "$0"
    exit 1
fi

data="$1"
shift
template="$1"
shift

# Read the data file on stdin from here on.
exec 0<"${data}"

# The first line holds the semicolon-separated field titles.
read -r line
FIELDS="$(echo "$line" | tr ';' ' ')"

while read -r line ; do
    column=1
    SCRIPT=""
    email=""
    # Build one sed substitution per column: s:TITLE:value:
    for field_title in $FIELDS ; do
        datum=$(echo "$line" | cut '-d;' "-f${column}")
        SCRIPT="${SCRIPT:+${SCRIPT};}s:$field_title:$datum:"
        column=$(($column + 1))
        if [ "$field_title" = "EMAIL" ] ; then
            email="$datum"
        fi
    done
    printf "Mailing %s... " "$email"
    # Pass the recipient and each extra address as separate arguments.
    sed "$SCRIPT" "$template" | sendmail "$email" "$@" ||
        { echo "Something error happened" ; continue; }
    printf "Success!\n"
done

---+ Overview

The =automail= script allows you to send templated e-mails to a list of
recipients. This is particularly useful during hiring.

---+ Usage

The =automail= script is installed on hal.

---++ The Data File

You must prepare a file with the data that will be used to fill in the
templates. The first line of this file includes the case-sensitive field
names, separated by semi-colons. Each subsequent line is a data record.
One e-mail will be sent for each data record in the file.

*Example:*

    EMAIL;LNAME;FNAME;FOOD
    ccow...@rescomp.berkeley.edu;Cowart;Chris;Bananas
    keen...@rescomp.berkeley.edu;Keenan;Parms;Ice Cream
    jerem...@rescomp.berkeley.edu;Jeremy;Weinstein;Rabbit Food

Call this file ~/email_data.

*Note:* The only column title with special meaning is "EMAIL" and it
*must* appear in the data file. All other columns follow brain-dead
substitutions and do not affect the behavior of the automailer.

---++ The Template File

Here, you compose your e-mail. Note you must conform to RFC822 (Here's a
summary of the relevant points):

   * You must include the To, From, Cc, and Subject headers.
   * Headers must be properly formatted (=Name: Contents Can Have Spaces=)
   * The headers end with a blank line. There must be a blank line before
     you begin your message.

*Example:*

    From: The Party Planning Committee
    To: FNAME LNAME
    Subject: The Potluck

    Hello FNAME,

    Please remember to bring FOOD to the potluck.

    Thanks,
    The Party Planning Committee

Call this file ~/email_template.

*Note:*

   * Column titles (see The Data File section) will be substituted with
     the current record's column contents. The address in the EMAIL
     column will receive a copy of the message.
   * Including a Cc or Bcc header in the template will *NOT* affect who
     receives a copy of the message.

*Warning:* The recipient will receive the message AS-IS. __Bcc Headers
will not be filtered__.

---++ Sending the Message

After you declare the data file and template file (in that order), you
may add e-mail addresses to the command line (e.g.,
hir...@rescomp.berkeley.edu). Note that other than the recipient
address, no addresses (Bcc or Cc) are parsed from your message's
headers. As such, if you have cc or bcc recipients, you must declare
them here. Note also that declaring recipients here does *not* affect
the To/From/Cc/Bcc headers in the actual e-mail message.

=automail ~/email_data ~/email_template cc_address1 bcc_address2=

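The automail script above pastes each datum straight into a sed `s:TITLE:value:` command, so a `:`, `&` or `\` in the data file changes what sed does with that record. A hardened version of that substitution step, added here as an example and not part of the original script (the function names are hypothetical; it reads the template on stdin):

```shell
#!/bin/sh
# Hardened field substitution for an automail-style mail merge.
# All function names here are hypothetical, chosen for this example.

# Escape a value for the REPLACEMENT half of sed's s:PATTERN:REPLACEMENT:
# backslash, "&" (expands to the whole match) and the ":" delimiter.
sed_escape_replacement() {
    printf '%s\n' "$1" | sed -e 's/[\\&:]/\\&/g'
}

# build_sed_script HEADER RECORD
# Prints one "s:TITLE:value:" command per column. Titles are limited to
# letters, digits and "_" so they cannot act as regex or glob patterns.
build_sed_script() {
    bs_header=$1
    bs_record=$2
    if [ -z "$bs_header" ] ||
       [ -n "$(printf '%s' "$bs_header" | tr -d 'A-Za-z0-9_;')" ]; then
        echo "build_sed_script: unexpected character in field titles" >&2
        return 1
    fi
    bs_col=1
    for bs_title in $(printf '%s' "$bs_header" | tr ';' ' '); do
        bs_datum=$(printf '%s\n' "$bs_record" | cut -d';' -f"$bs_col")
        printf 's:%s:%s:\n' "$bs_title" "$(sed_escape_replacement "$bs_datum")"
        bs_col=$((bs_col + 1))
    done
}

# valid_recipient ADDRESS
# Refuses values sendmail would read as an option (leading "-"), values
# containing a space, and values without an "@".
valid_recipient() {
    case $1 in
        ''|-*|*' '*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# render_record HEADER RECORD < template
# Fills in the template read from stdin; fails instead of mailing a
# half-substituted message when the header line is not acceptable.
render_record() {
    rr_script=$(build_sed_script "$1" "$2") || return 1
    sed "$rr_script"
}

# In the mail loop this would replace the sed | sendmail line:
#   valid_recipient "$email" || continue
#   render_record "$header" "$line" < "$template" | sendmail -- "$email" "$@"
```

The `--` before the recipients stops option parsing, so an address can never be taken as a sendmail flag even if the validation is loosened later.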
Re: limit to number of files seen by ls?
John Almberg wrote:
> Which is why I'm starting to think that (a) my problem is different
> or (b) I'm so clueless that there isn't any problem at all, and I'm
> just not understanding something (most likely scenario!)

It looks to me like the thread began assuming that you must be typing
`ls *` in order to run into problems. I think we'll have better luck
helping you if you tell us exactly what it is you're typing when you
observe the problem.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

torrents.freebsd.org
Hello,

I'm currently trying to setup a bittorrent tracker to distribute files,
such as patches, to users when they're stuck behind our captive portal.
My experience over the last several weeks is that the software is flaky,
the documentation is poor, and no projects are being actively maintained
(or at least, projects in the FreeBSD ports tree). I'm getting the
feeling that you need to be a member of an elite, invitation-only group
that performs heavy customizations every time a tracker is installed.

I found net-p2p/bnbt and I thought it was the way to go. I somehow
managed to get it setup in the dev environment, load some torrents to be
tracked, and away we went. When I tried to reproduce this success in our
testing environment, I failed miserably. I can no longer figure out what
I did to get bnbt to load the torrents (apparently it was more
complicated than just dropping them off in the allowed_dir). I
discovered from a ktrace that bnbt is indeed scanning my allowed_dir on
startup and periodically after that, but it won't list the torrents in
the web interface, and it tells clients "requested download is not
authorized for use with this tracker".

I'm hoping to find somebody who's successfully running bnbt for some
pointers. If nothing else, I'd love to get in touch with the operators
of torrents.freebsd.org to find out what they're doing.

Thanks for any help,

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: An adage for gmirror users
Reid Linnemann wrote:
> Written by Wojciech Puchar on 06/03/09 15:58>>
> > i simply have in crontab a script running once per hour:
> >
> > #!/bin/sh
> > /sbin/gmirror status|grep -q DEGRADED && \
> > mail -s "gmirror failure" myphonenum...@mygsmoperator.pl
> Surely you jest! You presume that I have access to cheap, unrestrictive
> communications technology ;) In the US, ISPs prevent clients routing
> their own mail and text messages are outrageously expensive with our
> cell carriers! Seriously though, that's a good idea. Maybe I could have
> it wall the message and/or put it in /etc/motd to get my attention.

Or simply put

    daily_status_gmirror_enable="YES"

in /etc/periodic.conf and watch your dailies.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: Is this a gmirror bug?
Wojciech Puchar wrote:
> > I've seen this kind of thing appear in my df output:
> > linprocfs                 4       4         0  100%  /proc
> > /dev/mirror/gm0d    4058062 -377792   4111210  -10%  /tmp
> > /dev/mirror/gm0e   15231278 -113942  14126718   -1%  /var
> > /dev/ad10s3e      121487580       4 111768570    0%  /v3
> > /dev/ad8s3e       121487580       4 111768570    0%  /v2
> > /dev/ad6s3e       121487580       4 111768570    0%  /v1
> > /dev/ad4s3e       121487580       4 111768570    0%  /v0
> >
> > It's showing that two partitions in my gm0 partition are below 0%
> > capacity. This is clearly wrong, but what does it mean?
> >
> it has nothing to do with gmirror - no matter if it's virtual disk (gm0
> that case) or physical, partition or not, it's just block device to UFS.
>
> definitely it is some problem but with UFS here.
>
> unmount this filesystems and do fsck_ffs -y on them

Nothing is wrong. 10% of the disk space is reserved for the superuser.
The 10% free mark is what shows as 0% in df. If you're negative, it
means you've tapped into the super-user reserve. This is not good,
because it means you've lost a lot of the FS-level optimizations from
UFS.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: Why so many ports have run-dependencies on non-system gcc versions?
Yuri wrote:
> When I tried to delete gcc-4.3.4_20090517 I got this message:
> pkg_delete: package 'gcc-4.3.4_20090517' is required by these other packages
> and may not be deinstalled:
> blas-1.0_3
> cgnslib-2.5.3_1
> fftw3-3.2
> fftw3-float-3.2_1
> fr-med-2.3.5
> getdp-1.2.1_7
> gmsh-2.3.1
> lapack-3.2.1
> libofa-0.9.3_3
> libsamplerate-0.1.7_1
> octave-3.0.5_1
> suitesparse-3.3.0
>
> When I tried to delete gcc-4.2.5_20090325 I got this:
> pkg_delete: package 'gcc-4.2.5_20090325' is required by these other packages
> and may not be deinstalled:
> pdftk-1.41
>
> Why all these ports depend on gcc?
> They may want to compile with different gcc therefore incurring the
> build-dependency.
> But why I can't now uninstall those gccs? Looks like they are all
> run-dependency.

gcc provides a shared library that some applications link to. Take for
example:

ccowart dev-aux bin $ ldd sabcmd
sabcmd:
        libsablot.so.70 => /usr/local/lib/libsablot.so.70 (0x2807f000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28148000)
        libexpat.so.6 => /usr/local/lib/libexpat.so.6 (0x2823d000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x2825d000)
        libm.so.5 => /lib/libm.so.5 (0x28352000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x28367000)
        libc.so.7 => /lib/libc.so.7 (0x28372000)

I can see this as being a real reason why a particular gcc needs to be
around at runtime. Look at the dynamic linking information with ldd. If
it doesn't depend on a file provided by those versions of gcc, it's
probably an inaccuracy in the port's dependency list.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: PAM/ldap_pam/NFSv4: How let users of a speicific group log into a specific box?
[dropping -current from CC]

O. Hartmann wrote:
> A simple capability of selecting users into a specific group. Members of
> such a group should then log into a set of specific hosts.
> Infrastructure is FreeBSD 8.0-CURRENT/amd64 and some 7.2-STABLE boxes
> (acting as server) as well as OpenLDAP backend.
[...]
> Can anybody help or do have hints?
>
> Please remember I do not belong to the 'questions' list, so please put
> me into your mail-cc.

I use the pam_require module from ports for this purpose.

| account sufficient /usr/local/lib/pam_require.so root @mygroup
| account required   /usr/local/lib/pam_ldap.so

This allows the user root and members of mygroup to have accounts on the
box. Control falls through to pam_ldap, which is configured with
"pam_check_host_attr yes", which also grants accounts to any user with a
matching "Host: " attribute in their entry.

If I have a machine mybox.example.com, and
uid=ccowart,ou=People,dc=example,dc=com has the attribute:

    Host: mybox.example.com

Then the user ccowart can login to the box without being in mygroup.
Regardless of the host attributes, mygroup members can login.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

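An access-review helper for the two account lines in the message above, added here as an example and not taken from the original post: it reads an LDIF export and lists who that stack would admit on a given host, and why. It assumes group membership is stored as posixGroup memberUid values, ignores LDIF line folding and base64 values, and the sample entries are constructed.

```shell
#!/bin/sh
# who_can_login HOST GROUP < export.ldif
# Prints "uid<TAB>reason" for every account the stack would admit on HOST:
#   - root and members of GROUP   (pam_require, "sufficient")
#   - entries whose host attribute names HOST
#     (pam_ldap with pam_check_host_attr yes, "required")
who_can_login() {
    awk -v host="$1" -v group="$2" '
        BEGIN { RS = ""; FS = "\n"; allowed["root"] = "pam_require user" }
        {
            uid = ""; cn = ""; is_group = 0; nmembers = 0; host_ok = 0
            for (i = 1; i <= NF; i++) {
                colon = index($i, ":")
                if (colon == 0) continue
                # LDAP attribute names are case-insensitive
                attr = tolower(substr($i, 1, colon - 1))
                val = substr($i, colon + 1)
                sub(/^ +/, "", val)
                if (attr == "uid") uid = val
                else if (attr == "cn") cn = val
                else if (attr == "objectclass" && tolower(val) == "posixgroup")
                    is_group = 1
                else if (attr == "memberuid") members[++nmembers] = val
                else if (attr == "host" && tolower(val) == tolower(host))
                    host_ok = 1
            }
            if (is_group && cn == group) {
                # Group membership wins: pam_require is evaluated first
                for (i = 1; i <= nmembers; i++)
                    allowed[members[i]] = "pam_require @" group
            } else if (!is_group && uid != "" && host_ok && !(uid in allowed)) {
                allowed[uid] = "pam_ldap host attribute"
            }
        }
        END { for (u in allowed) print u "\t" allowed[u] }
    ' | LC_ALL=C sort
}

# Constructed sample directory export (not real data).
sample_ldif() {
    cat <<'EOF'
dn: uid=ccowart,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: ccowart
Host: mybox.example.com

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: dave
host: otherbox.example.com

dn: cn=mygroup,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: mygroup
memberUid: alice
EOF
}

# Example: sample_ldif | who_can_login mybox.example.com mygroup
```

Running it per host makes stale host attributes and over-broad groups visible before they show up as an unexpected login.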
Re: RES: Cant setup carp as BACKUP
Ricardo Augusto de Souza wrote:
> Anyone know how do i 'force' a carp to be backup?
> I set a advskew higher than the master but it comes up as master.

Is there a host-based or network-based firewall blocking the carp
protocol?

In ipfw, you would need:

    /sbin/ipfw add allow carp from $SOME_IP to 224.0.0.18 in via $SOME_INT

For me:

| ccowart wifi-aux-1 / $ ifconfig vlan91
| vlan91: flags=8943 metric 0 mtu 1500
|         options=3
|         ether 00:1d:09:29:a7:f5
|         inet 10.9.64.2 netmask 0xf000 broadcast 10.9.79.255
|         media: Ethernet autoselect (1000baseTX )
|         status: active
|         vlan: 91 parent interface: bce1
| ccowart wifi-aux-1 / $ ifconfig carp11
| carp11: flags=49 metric 0 mtu 1500
|         inet 10.9.64.1 netmask 0x
|         carp: BACKUP vhid 11 advbase 1 advskew 100
| ccowart wifi-aux-1 / $ ifconfig carp21
| carp21: flags=49 metric 0 mtu 1500
|         inet 10.9.64.1 netmask 0x
|         carp: MASTER vhid 21 advbase 1 advskew 0
| ccowart wifi-aux-1 / $ sudo tcpdump -i vlan91 proto carp
| tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
| listening on vlan91, link-type EN10MB (Ethernet), capture size 96 bytes
| 14:06:36.009984 IP 10.9.64.3 > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid
| 11, prio 0, authtype none, intvl 1s, length 36
| 14:06:36.143937 IP 10.9.64.2 > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid
| 21, prio 0, authtype none, intvl 1s, length 36
| 14:06:37.012025 IP 10.9.64.3 > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid
| 11, prio 0, authtype none, intvl 1s, length 36
| 14:06:37.146003 IP 10.9.64.2 > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid
| 21, prio 0, authtype none, intvl 1s, length 36

Use tcpdump on your parent interfaces to see if you're seeing the
multicast traffic. Make sure your firewalls allow this traffic.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: Run script on boot, as ordinary user
Nerius Landys wrote:
> So there's cron. Is there anything that lets an ordinary user start
> his/her programs at bootup of the system? And then run a script when
> the system is shutting down? I'm familiar with /etc/rc.d/, but that's
> not really what I'm looking for. I gave my friends access to my
> FreeBSD server and I want to let them start for example Apache and/or
> MySQL on higher ports running as their own user.

Each user could create an entry in their crontab using the @reboot
keyword.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: how to deceive programs as if I were a local user?
Ruben de Groot wrote:
> On Thu, Apr 23, 2009 at 04:32:29PM +0900, Kouichiro Iwao typed:
> > Hi.
> >
> > I'm going to connect to the remote server with nxclient.
> > But, net/linux-nx-client doesn't work with non-local (NIS or LDAP) account.
> >
> > Connecting the remote server, nxclient says "connection error" and
> > I found out that it caused by nxssh.
> >
> > If nxssh was executed by a NIS account, nxssh says,
> > [m...@trueno ~]$ nxssh
> > You don't exist, go away!
> >
> > How to deceive programs as if I were a user in /etc/master.passwd?
>
> I don't know anything of nxssh, but it sounds like a pam issue.

This error means the program tried to look up some name information for
your UID number and failed.

You need to configure the data source in /etc/nsswitch.conf:

    group: files cache ldap
    passwd: files cache ldap

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: IPFW/Dummynet/Bridging with VLAN trunks?
Howard Jones wrote:
> I'm trying to use Dummynet+IPFW and bridging to make a packet shaper
> that runs across multiple VLANs. So my intended set up is:
>
> [users]->[Aggregate Switch]=>[FreeBSD]=>[Upstream Switch (with IP
> interfaces for each vlan)]->The World
>
> where -> is a single VLAN, and => is a tagged dot1q trunk. The aim is to
> drop the FreeBSD box in the middle, in one trunked uplink, and cover all
> the VLANs downstream of that.
>
> Should this work?
>
> In practice, the bridging seems to work OK, but as soon as I add rules
> to match traffic passing through and apply it to pipes, everything
> stops. I can use tcpdump's vlan option to filter traffic on em0, em1 or
> bridge0 and it does show only traffic for that vlan, so tags are being
> preserved...
>
> Ideally, I'd like to use the dot1q tag in ipfw rules directly, and avoid
> ip ranges, but I don't think that's possible. Is there some special
> incantation to make ipfw vlan-aware?
>
> Has anyone else done this successfully?

This is how I do it:

    ipfw add pipe 1 all from any to any in via vlan20
    ipfw add pipe 2 all from any to any in via vlan40

But in my configuration, bridge0 has members vlan20 and vlan40. I would
create a separate bridge with vlan21 and vlan41.

I don't think ipfw can filter on dot1q tags yet, though. There was a lot
of layer 2 filtering capability in a patch floating around for
8-CURRENT, but I'm not sure of its status, nor whether dot1q filtering
was implemented.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: IPFW missing feature
KES wrote:
> , Lowell.
>
> ?? ?? 16 ?? 2009 ?., 15:22:31:
>
> LG> KES writes:
>
>>> The tablearg feature provides the ability to use a value, looked up in
>>> the table, as the argument for a rule action, action parameter or rule
>>> option. This can significantly reduce number of rules in some
>>> configurations. If two tables are used in a rule, the result of the
>>> second (destination) is used. The tablearg argument can be used with
>>> the following
>>> actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
>>> action parameters: tag, untag, rule options: limit, tagged.
>>>
>>>
>>> Why tablearg cannot be used with setfib?
>
> LG> Because tables are a feature of IPFW, and the FIB isn't.
>
> setfib is also feature of ipfw. see man:
>
> setfib fibnum
>     The packet is tagged so as to use the FIB (routing table) fibnum
>     in any subsequent forwarding decisions. Initially this is limited
>     to the values 0 through 15. See setfib(8). Processing continues
>     at the next rule.
>
> There is no any difficulties to use 'tablearg' as 'fibnum'
>
> ipfw add 3 setfib 2 all from 192.168.0.0/16 to any in recv
> ipfw add 3 setfib tablearg all from table() to any in recv
>
> but now this is not mistake to write 'setfib tablearg'. IPFW just
> replace tablearg in rule with 0
> It seems like a bug. because of it MUST work in proper way or DO NOT
> work at all. IMHO

I use tablearg with netgraph. For example,

    ipfw add netgraph tablearg all from 'table(9)' to any in

When I run ipfw show, I see:

    02380 408 60358 netgraph tablearg ip from any to table(9) in

KES, do you mean to say that when you run `ipfw show' the rule is echoed
back to you as:

    setfib 0 all from table() to any in recv

instead of tablearg?

If that's the case, it sounds like ipfw is parsing the rule incorrectly.
If tablearg isn't supported by setfib, I would expect a syntax error to
be thrown and not a different rule being inserted into your ruleset.

If this is the behavior you're seeing, you should run it by the folks on
the -net mailing list. That would also be a good place to ask about
future plans to support this feature.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: Logcheck dependency hell
n j wrote:
> could anyone help me what command should I use to find out which
> logcheck-required port _exactly_ is trying to install half of the X
> libraries?

The Makefile says:

| BUILD_DEPENDS= docbook-to-man:${PORTSDIR}/textproc/docbook-to-man
| RUN_DEPENDS=   lockfile:${PORTSDIR}/mail/procmail \
|                bash:${PORTSDIR}/shells/bash

So I'll bet some money that it's docbook. Does it improve if you add
these to /etc/make.conf:

| NO_GUI=YES
| WITHOUT_GUI=YES
| WITHOUT_X11=YES
| WITHOUT_XPM=YES

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: nss_ldap SSL/TLS problems..
Arjun Singh wrote:
> I'm trying to set up an ldap server on FreeBSD 7.1-RELEASE.
>
> I installed all of the latest versions of openldap24-server,
> openldap24-client, nss_ldap, and pam_ldap.
>
> When I do any sort of ldapsearch or 'getent passwd' or anything, everything
> works perfectly. The only time I have trouble is when I'm logging in via
> SSH..then it gets really weird.
>
> 1.) When I log in as a user in LDAP only and give the incorrect password
> first and then supply the correct password, everything works fine. If the
> user is in wheel, I can sudo.
> 2.) When I log in as the same user and give only the correct password the
> first time, it hangs for roughly 45 seconds and then lets me in. Even though
> this user is in wheel, it says that the user is not in the sudoers file.
>
> Here are the log messages I get in auth.log that correspond to the events
> above:
>
> sshd[54031]: pam_ldap: error trying to bind as user "uid=user..(cut)..."
> (Invalid credentials) # This is the incorrect pw
> sshd[54029]: error: PAM: authentication error for user from localhost
> #Incorrect pw
> sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable
> # correct pw
> sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port
> 32935 ssh2 #correct pw
>
> When I enter just the right password, the first time, I get this in the log:
>
> sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port
> 51972 ssh2
> sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server
>
> Again, when SSL/TLS are disabled, I get normal log output and none of the
> weird stuff above..
>
> I turned on debugging in nss_ldap.conf and found that each time I gave only
> the correct password (corresponding with the 45 second hang) I found this in
> the debug output:
>
> ...bunch of normal looking output...
> ldap_chkResponseList ld 0x801b31480 msgid 5 all 0
> ldap_chkResponseList returns ld 0x801b31480 NULL
> ldap_int_select
> read1msg: ld 0x801b31480 msgid 5 all 0
> ber_get_next
> TLS trace: SSL3 alert write:fatal:bad record mac <--- what is the cause of
> this?
> ldap_free_connection 1 0
> ldap_free_connection: actually freed
> ldap_err2string
> ldap_result ld 0x801b31480 msgid 5
> wait4msg ld 0x801b31480 msgid 5 (timeout 3000 usec)
> wait4msg continue ld 0x801b31480 msgid 5 all 0
> ** ld 0x801b31480 Connections:
> ** ld 0x801b31480 Outstanding Requests:
>    Empty
> ld 0x801b31480 request count 0 (abandoned 0)
> ** ld 0x801b31480 Response Queue:
>    Empty
>
> I get the above regardless of whether I'm using start_tls or ssl.
>
> If you have any insight, it'd be really useful. I've spent tons of time
> scouring lists for help and haven't found anything yet..

I don't have any more insight into the problem other than to say we've
had some similar issues in our environment. Initial password-based
logins do not have groups initialized, but SSH key logins and /bin/login
logins have groups initialized successfully.

We were piloting nscd on some of our 7.0 boxes. It turns out that
enabling nscd was a successful workaround. We have since enabled it on
the rest of our 7.0 installations.

Anyone out there have ideas?

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

Re: How to do ping really quiet?
KES wrote:
> Thx. This help, but seems ugly. Because of I can miss other maybe
> useful errors ((
> ping -q ya.ru 2>/dev/null
>
> Any other suggestions?

    ping -q ya.ru 2>&1 1>/dev/null | grep -v 'ping: sendto: No route to host' >&2

Send ping stderr to stdout, throw away ping stdout, use grep to suppress
the error you don't care about, and optionally, write any other error
messages to stderr (mostly useful if this is wrapped up in some kind of
function that may or may not have its stdout redirected).

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

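The one-liner in the message above, wrapped as a function that also hands back the command's own exit status, which the bare pipeline replaces with grep's. This is an added example, not part of the original message; `drop_known_err` and the `fake_ping` stand-in are hypothetical names, and the stand-in's output is constructed.

```shell
#!/bin/sh
# drop_known_err PATTERN CMD [ARGS...]
# Runs CMD, discards its stdout, drops stderr lines containing the fixed
# string PATTERN, forwards every other stderr line to our stderr, and
# returns CMD's exit status.
drop_known_err() {
    dk_pattern=$1
    shift
    dk_status=$(
        {
            {
                dk_rc=0
                # 2>&1 first points stderr at the pipe; 1>/dev/null then
                # re-points only stdout. The reverse order would send both
                # streams to /dev/null. fd 3 is closed for CMD itself.
                "$@" 2>&1 1>/dev/null 3>&- || dk_rc=$?
                # Report the status on fd 3, outside the filtered stream.
                echo "$dk_rc" >&3
            } | grep -v -F -- "$dk_pattern" >&2 || true
            # "|| true": grep exits 1 when every line was filtered out.
        } 3>&1
    )
    return "$dk_status"
}

# Constructed stand-in for ping so the function can be tried offline.
fake_ping() {
    echo "PING constructed output on stdout"
    echo "ping: sendto: No route to host" >&2
    echo "fake_ping: constructed unrelated error" >&2
    echo "ping: sendto: No route to host" >&2
    return 2
}

# Real use, with the message from the thread:
#   drop_known_err 'ping: sendto: No route to host' ping -q ya.ru
```

`grep -F` matches the message as a literal string, so dots and other characters in it are not treated as a regular expression.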
Re: Secondary DNS or BSD Server space
[dropping -questions as a Cc]

Gary Kline wrote:
> On Fri, Dec 19, 2008 at 10:23:55AM +0700, Outback Dingo wrote:
>> i have space on a freebsd system in the states, i could do secondary for
>> anybody, and we could create a new service, with a web based management
>> facility
>> its plainly a dns backup for us and a backup secondary failover web site for
>> extremely low traffic, if you guys want to pitch in, we can bring something
>> together
>
> Count me in. i'll do whatever i can with my servers.

I'm running an authoritative nameserver and a webserver out of a
datacenter in Fremont, CA, US for personal use. I'd be interested in
getting in on this too.

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley