changing the source address of an ICMP TTL exceeded message

2004-02-09 Thread Guy Antony Halse
Hi

I've got two FreeBSD routers that act as redundant backups of each other
using VRRP.  Both these machines bind their own interfaces for
administration purposes and the VRRP handles which one binds the gateway
address.

My problem is that, because the admin interface is bound before the gateway
one, when I traceroute through the router I see the address of the admin
interface rather than the gateway.

So what I need to do is change the source address in the ICMP TTL exceeded
messages that get sent out from the router to the gateway address.  vrrpd
lets me execute arbitrary scripts when it becomes master/slave, so this
shouldn't be a problem.

The question is how do I actually change the source address?

Thanks,
- Guy
-- 
Systems Manager, IT Division, Rhodes University, Grahamstown, South Africa
Email: [EMAIL PROTECTED]   Web: http://mombe.org/  IRC: [EMAIL PROTECTED]
*** ANSI Standard Disclaimer ***   J.A.P.H

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


DHCP and multiple vlans

2004-01-22 Thread Guy Antony Halse
I'm trying to configure a FreeBSD 5.1-RELEASE system to act as the default
gateway for several virtual lans.  I've got two NICs in the box, one which
supplies the uplink, and one which has about 40 vlan(4) vlans on it.

I was trying to run isc-dhcp3's dhcrelay to relay DHCP messages to our DHCP
server when I ran into a problem.  Only the first ten vlans (vlan0 through
vlan9) are serviced by dhcrelay.

I originally thought that this was a dhcrelay limitation, so I tried using
the wide-dhcp relay as well.  The same problem occurs, but with a useful
error message if I try and configure more than ten vlans:

 [EMAIL PROTECTED]:~# relay -d vlan1 vlan2 vlan3 vlan4 vlan5 vlan6 vlan7 vlan8 vlan9
 ^C
 [EMAIL PROTECTED]:~# relay -d vlan1 vlan2 vlan3 vlan4 vlan5 vlan6 vlan7 vlan8 vlan9 vlan10
 relay[15320]: can't open bpf in open_if()
 [EMAIL PROTECTED]:~#

It appears to me that there is a limit of ten bpf devices somewhere.  This
is backed up by what I see in dhcrelay.

So the question is how do I overcome this limitation?

In FreeBSD 4.x you used to specify the number of BPF devices in the kernel
configuration pseudo-device line.  That doesn't appear to be the case now.

I tried creating more BPF devices in /dev - I now have 80 /dev/bpf* entries,
but that didn't help.

Any assistance would be appreciated.

- Guy
-- 
Systems Manager, IT Division, Rhodes University, Grahamstown, South Africa
Email: [EMAIL PROTECTED]   Web: http://mombe.org/  IRC: [EMAIL PROTECTED]
*** ANSI Standard Disclaimer ***   J.A.P.H


FreeBSD + winbindd + PAM

2003-06-04 Thread Guy Antony Halse

I've been trying for a couple of weeks to get FreeBSD + winbindd + PAM
working, without success.  I'm hoping that someone here has bumped into my
problem before and has some advice to give.

My current setup is winbindd from Samba 2.8.8a on both FreeBSD 4.8-RELEASE
and 5.1-BETA.  I've configured Samba with the following options: syslog,
nocups, utmp, msdfs, quota, recycle, audit, winbind, wbauth.  On the
5.1-BETA box, I've also added the WITH_WINBIND_NSS=yes option.

My smb.conf has the following entries:

[global]
  workgroup = ICT
  netbios name = VARK
  security = domain
  password server = MADAM EVE
  encrypt passwords = yes
  winbind separator = .
  winbind uid = 1-2
  winbind gid = 1-2
  winbind enum users = yes
  winbind enum groups = yes
  template shell = /usr/local/bin/ftponly
  template homedir = /tmp/raid/%D.%U


I run winbindd, and set a domain admin password using wbinfo -A.  With this
I can successfully enumerate the domain's users and groups:

[EMAIL PROTECTED]:~$ wbinfo -u | wc -l
 675

On the 5.1-BETA box, I've edited nsswitch.conf to include winbindd and can
see winbindd users with pw(8).

[EMAIL PROTECTED]:~$ pw usershow ICT.admingah
ICT.admingah:*:10004:10013::0:0:Guy Antony Halse:/tmp/raid/ICT.admingah:/usr/local/bin/ftponly

I realise this won't work on anything prior to the commitment of the new
nsswitch implementation by Jacques A. Vidrine, so I haven't bothered to try
this on the 4.8-RELEASE box.

So far, so good.  Everything works as I want it to, so I moved on to trying
to get PAM authentication working.

The first thing I noticed was that the pam_winbind.so from the port was not
installed (I checked the Makefile for PAM-related options and saw none), so
I manually copied this file into /usr/local/lib/compat and ran ldconfig(8). 
I have subsequently tried /usr/lib/compat too, but that shouldn't matter.

I edited {pam.conf,pam.d/ftpd} to create entries for my FTP server, that
looked like:

auth     required    pam_nologin.so      no_warn
auth     sufficient  pam_opie.so         no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so   no_warn allow_local
auth     sufficient  pam_winbind.so      debug try_first_pass
auth     required    pam_unix.so         no_warn try_first_pass
account  sufficient  pam_winbind.so      debug
account  required    pam_unix.so
session  required    pam_permit.so

This is where things start falling apart for me.  Authentication always
fails, and I get the following in my logs:

Jun  4 09:07:07 vark ftpd[97485]: connection from omniscient (146.231.120.1)
Jun  4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
Jun  4 09:07:15 vark kernel: Jun  4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
Jun  4 09:07:15 vark ftpd[97485]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 20
Jun  4 09:07:15 vark kernel: Jun  4 09:07:15 vark ftpd[97485]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 20
Jun  4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient
Jun  4 09:07:15 vark kernel: Jun  4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient
Jun  4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient, ICT.admingah

This problem isn't just restricted to FTP.  If I try and set up PAM for
the login service, I get the same _openpam_check_error_code() error.

I've tried reducing my PAM config so that it was completely minimal,
consisting of only required pam_winbind.so lines, but this doesn't appear to
make a difference.

Using winbindd -i -d3, I've watched for connections to winbindd while PAM
authentication is happening, and no connections are ever logged by it. 
(They are when nsswitch is in use, and when I use wbinfo).

I've also tried recompiling the Samba suite with no optimizations (and
various stages of optimizations) as suggested by the pkg-message.  None of
this seems to make any difference to my problem whatsoever.


Anyone have any ideas as to how I can get this to work?

- Guy
-- 
Dept of Computer Science, Rhodes University, Grahamstown, South Africa
Email: [EMAIL PROTECTED]  Web: http://mombe.org/  IRC: [EMAIL PROTECTED]
*** ANSI Standard Disclaimer ***   J.A.P.H
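An added simulation (constructed for this page, not code from OpenPAM, Samba or the poster) of how OpenPAM walks the pam.d/ftpd "auth" stack above: it applies the return-code check behind the `_openpam_check_error_code()` log line and shows why the `sufficient pam_winbind.so` entry never admits the user. The numeric codes are OpenPAM's pam_constants.h values (20 is PAM_AUTHTOK_ERR, which pam_sm_authenticate() is not allowed to return); the per-module outcomes for ICT.admingah are assumptions.

```python
# Constructed simulation of OpenPAM's auth-chain dispatch (not OpenPAM's own
# code); module outcomes below are assumed for a winbind domain user.
PAM_SUCCESS, PAM_SERVICE_ERR, PAM_BUF_ERR, PAM_CONV_ERR = 0, 3, 5, 6
PAM_PERM_DENIED, PAM_MAXTRIES, PAM_AUTH_ERR, PAM_CRED_INSUFFICIENT = 7, 8, 9, 11
PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN, PAM_AUTHTOK_ERR, PAM_ABORT = 12, 13, 20, 26
# Codes pam_sm_authenticate() may legally return; OpenPAM logs
# "unexpected return value N" for anything else and substitutes PAM_SERVICE_ERR.
AUTH_ALLOWED = {PAM_SUCCESS, PAM_SERVICE_ERR, PAM_BUF_ERR, PAM_CONV_ERR,
                PAM_PERM_DENIED, PAM_ABORT, PAM_AUTH_ERR, PAM_CRED_INSUFFICIENT,
                PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN, PAM_MAXTRIES}
# The "auth" stack from the post's pam.d/ftpd, as (control, module) pairs.
FTPD_AUTH = [("required", "pam_nologin.so"), ("sufficient", "pam_opie.so"),
             ("requisite", "pam_opieaccess.so"), ("sufficient", "pam_winbind.so"),
             ("required", "pam_unix.so")]
# Assumed outcomes for ICT.admingah: no OPIE key, pam_winbind returning the
# PAM_AUTHTOK_ERR (20) seen in the log, pam_unix rejecting the '*' password.
DOMAIN_USER = {"pam_nologin.so": PAM_SUCCESS, "pam_opie.so": PAM_AUTH_ERR,
               "pam_opieaccess.so": PAM_SUCCESS, "pam_winbind.so": PAM_AUTHTOK_ERR,
               "pam_unix.so": PAM_AUTH_ERR}

def check_error_code(r, log):
    """Mirror _openpam_check_error_code() for the authenticate primitive."""
    if r in AUTH_ALLOWED:
        return r
    log.append(f"pam_sm_authenticate(): unexpected return value {r}")
    return PAM_SERVICE_ERR

def run_auth_chain(chain, results, log):
    """Approximate OpenPAM stacking: the first required/requisite failure
    decides; a succeeding 'sufficient' ends the chain if nothing failed yet."""
    err, fail = PAM_SUCCESS, False
    for control, module in chain:
        r = check_error_code(results[module], log)
        if r == PAM_SUCCESS:
            if control == "sufficient" and not fail:
                break
            continue
        if err == PAM_SUCCESS:
            err = r                  # remember the first failure of any kind
        if control == "required" and not fail:
            fail, err = True, r      # a required failure overrides it
        if control == "requisite":
            fail = True
            break                    # requisite failure stops the chain
    return err if fail else PAM_SUCCESS

def ftpd_login(results=DOMAIN_USER, chain=FTPD_AUTH):
    # Returns (final PAM code, OpenPAM-style log lines) for one login attempt.
    log = []
    return run_auth_chain(chain, results, log), log
```

With the assumed outcomes the stack ends in PAM_AUTH_ERR from pam_unix, and the one-line "required pam_winbind.so" variant ends in PAM_SERVICE_ERR, which is why neither configuration logs a winbindd connection yet both fail.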