Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:07.pf

2006-01-25 Thread Brian A. Seklecki



III. Impact

By sending carefully crafted sequence of IP packet fragments, a remote
attacker can cause a system running pf with a ruleset containing a
'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.

IV.  Workaround

Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules
on systems running pf.  In most cases, such rules can be replaced by
'scrub fragment reassemble' rules; see the pf.conf(5) manual page for


All:

Just to clarify on the syntax, since it's not actually mentioned in 
pf.conf(5):


Per the PF FAQ, a rule:

"scrub in all" or "scrub all"

Implies "scrub in all fragment reassemble" as a default argument/flags to 
"scrub" when none are specified, and none of the other scrubbing options 
(no-df, random-id, etc.).  This per observation of "pfctl -s all":


$ sudo grep -i scrub /etc/pf.conf
scrub in all
$ sudo pfctl -s all | grep -i scrub
scrub in all fragment reassemble

Correct?

To the credit of the FAQ Author, it does state "This is the default 
behavior when no fragment option is specified." ... but that still begs 
the question: "What are the default scrubbing options, other than fragment 
reassembly, when none are specified?"


Might be useful to mention these things in the FAQ and the advisory.

TIA,
~lava


more details.

Systems which do not use pf, or use pf but do not use the aforementioned
rules, are not affected by this issue.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
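
A check for the two rule types the advisory names, as an added example that is not part of the advisory or of the post above. It classifies every scrub rule in `pfctl -s all` output (or raw pf.conf text) by fragment mode, treating a rule with no fragment option as reassemble per the FAQ statement quoted above; the function names and sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example: find pf scrub rules affected by FreeBSD-SA-06:07.pf.
# Function names and the sample ruleset are constructed for illustration.

# classify_scrub_rules: read rules on stdin (pfctl -s all output or pf.conf
# text) and print "<fragment-mode><TAB><rule>" for every scrub rule.
# Returns 1 if any rule uses 'fragment crop' or 'fragment drop-ovl'.
classify_scrub_rules() {
    awk '
        # Join pf.conf continuation lines (trailing backslash) first.
        /\\$/ { sub(/\\$/, ""); pending = pending $0 " "; next }
        { line = pending $0; pending = "" }
        {
            sub(/#.*/, "", line)              # strip comments
            n = split(line, f, /[ \t]+/)
            start = (f[1] == "") ? 2 : 1      # skip leading whitespace
            if (f[start] != "scrub") next
            mode = "reassemble"               # default when no fragment option
            for (i = start; i < n; i++)
                if (f[i] == "fragment") mode = f[i + 1]
            if (mode == "crop" || mode == "drop-ovl") affected = 1
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            printf "%s\t%s\n", mode, line
        }
        END { exit (affected ? 1 : 0) }
    '
}

# affected_scrub_rules: print only the rules that need replacing with
# 'fragment reassemble' (the workaround given in the advisory).
affected_scrub_rules() {
    classify_scrub_rules | awk -F '\t' '$1 == "crop" || $1 == "drop-ovl" { print $2 }'
}

# Constructed sample: rules in the normalized form `pfctl -s all` prints.
sample_ruleset() {
    cat <<'EOF'
scrub in all fragment reassemble
scrub in on em0 all fragment crop
scrub out on em1 all random-id fragment drop-ovl
pass in all
EOF
}

# On a live system: pfctl -s all | affected_scrub_rules
sample_ruleset | affected_scrub_rules
```

Prefer the loaded ruleset from `pfctl -s all` over pf.conf as input, since macros are already expanded there.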


Syslog-NG at Boot (WAS: Re: cvs commit: ports/sysutils/syslog-ng Makefile distinfo pkg-plist)

2006-02-13 Thread Brian A. Seklecki



might expect to talk to it.  I assume you put syslogng_enable="YES" into
/etc/rc.conf? as well as syslogd_enable="NO".  (Or, it might work just to
change syslogd_program="/path/to/syslogngd" and not bother with changing
anything else).

--Alex



Just to clarify, even the latest src/etc/rc.d/syslogd at:

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/syslogd?rev=1.11&content-type=text/x-cvsweb-markup

Specially hard-codes /usr/sbin/$program as the executable, thus setting:

syslogd_program="/usr/local/sbin/syslog-ng"
syslogd_flags="-p /var/run/syslog.pid"
syslogd_enable="YES"

Has no effect at startup.  It starts the system syslogd(8).

*HOWEVER*, after the boot process is complete, /etc/rc.d/syslogd begins to 
honor syslogd_program="" (start, stop, status).


It's very strange.  Perhaps a more rc(8) compliant syslog-ng.sh.example 
should be packaged up?


~lava

On Thu, 7 Jul 2005, Roman Bogorodskiy wrote:


novel   2005-07-07 18:57:24 UTC

 FreeBSD ports repository

 Modified files:
   sysutils/syslog-ng   Makefile distinfo pkg-plist
 Log:
 - Update to 1.6.8 that fixes some bugs
 - Fix potential broke as authors move old versions to old/ directory
 - Make NOPORTDOCS work

 PR:             83102
 Submitted by:   Vsevolod Stakhov <[EMAIL PROTECTED]>
 Approved by:    Vince Valenti (maintainer)

 Revision  Changes    Path
 1.27      +3 -2      ports/sysutils/syslog-ng/Makefile
 1.19      +2 -2      ports/sysutils/syslog-ng/distinfo
 1.3       +14 -14    ports/sysutils/syslog-ng/pkg-plist
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-ports
To unsubscribe, send any mail to "[EMAIL PROTECTED]"



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


Re: NAS advice?

2006-02-14 Thread Brian A. Seklecki

On Tue, 14 Feb 2006, DAve wrote:

(I am cross posting to FreeBSD questions and Bacula Users, I will not be 
cross posting replies)


I've been crying for four years that we needed a decent backup system and I 
always got put off. "It's on order", "can you resubmit an updated equipment 
list". Yea, checks in the mail.


So yesterday I am told that we have some equipment we got in another deal and 
I can have it to backup my NOC. I plan to run Bacula which I already have on 
some individual machines. I want to have Bacula clients on all my machines 
talking to a single machine running the Bacula director, hopefully using the 
NAS machines for storage.


This is the equipment they threw at me, it is old, but amazingly, unused.

One Dell Poweredge 750, 2.8ghz CPU, 1gb ram, 2 500gb SATA Maxtor 
drives(yuk!), CERC SATA controller.


Be very careful here.  I run OpenBSD with CMU RAIDFrame RAID-1 mirrors and 
FreeBSD 5.3 with GEOM/GMirror RAID-1 on this platform for embedded devices. 
It's rock-solid, except Dell phased the 750 for the 850 and went from ICH6 
to ICH7 Intel Chipsets?  Also, they're now OEM'ing Broadcom bge(4) based 
NICs instead of Intel em(4), so consider yourself lucky in a sense >:}. 
The point is that the 850 will only run the very latest FreeBSD 6.1-BETA1 
snapshots, which contain support for the newer chips.


~lava


Re: ng_one2many v.s. AFT (NIC Fault Tolerance/Fail Over/Redundancy Revisited)

2006-02-15 Thread Brian A. Seklecki


FYI, to bring this thread back to the list

-- Forwarded message --
Date: Wed, 15 Feb 2006 20:53:59 -0500 (EST)
From: Brian A. Seklecki <[EMAIL PROTECTED]>
To: Jonathan Donaldson <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], Brian J. Creasy <[EMAIL PROTECTED]>,
Chad Ziccardi <[EMAIL PROTECTED]>, Danny Howard <[EMAIL PROTECTED]>,
Brad Bendy <[EMAIL PROTECTED]>
Subject: Re: ng_one2many v.s. AFT (NIC Fault Tolerance/Fail Over/Redundancy
Revisited) (fwd)

On Wed, 15 Feb 2006, Jonathan Donaldson wrote:


Take a look here:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=607312+0+/usr/local/www/db/text/2004/cvs-all/20041128.cvs-all



Yea, I see it now.  Sorry.  I'm CC'ing the developer who committed the changes, 
and the MFC.


The man page needs to be updated, and it should mention your caveat.

I got caught by your caveat with the one-link-down-at-boot.

However, the code begins to work after bringing up the down link, as if it 
would if they were both active at boot, which is good.


Where I got tripped up was that I thought that quote: "The node listens to flow 
control message from many hooks, and considers link failed if NGM_LINK_IS_DOWN 
is received.",


Where "Flow Control Messages" I interpreted that as something on the wire like a 
STP/802.1q BPDU.


Apparently, it's really an In-Kernel event related to the new ethernet 
link-state code in 6.x, or maybe just glorified poll()'ing.


Either way, it works well.  Sorry for jumping the gun.

~lava

P.S., in 7.0-CURRENT, there appears to be an import of the OpenBSD bridge(4) to 
relate the old-school "options BRIDGE" code.  This one being 802.1q STP aware. 
When 7.x becomes release production, I suspect I'll end up using that instead 
since it works so well with NetBSD/OpenBSD for HA ethernet, plus I'd rather 
have a PVST+ Cisco switch make the packet forwarding decisions >:}


~lava



and then look here:

http://fxr.watson.org/fxr/source/netgraph/ng_one2many.h?v=RELENG6


/* Algorithms for detecting link failure (XXX only one so far) */
#define NG_ONE2MANY_FAIL_MANUAL 1   /* use enabledLinks[] array */
#define NG_ONE2MANY_FAIL_NOTIFY 2   /* listen to flow control msgs */



so set your fail alg to 2 and see if you see the messages and failover...



On Feb 15, 2006, at 8:11 PM, Brian A. Seklecki wrote:


On Thu, 12 Jan 2006, Brian J. Creasy wrote:



Brian A. Seklecki wrote:
|
| Johnathan's comments suggest that we may need to move to 6.x on the
| production cluster.
|
| 6.x has been upgraded from a technology release to stable, and our goal
| is stability.
|
| Brian:  What are your thoughts so far on the 6.x experience?

no complaints here.. though, i have it running only on my laptop and


Okay.

 |  As of Freebsd 6_0 (which is at RC1 now), the NG_ONE2MANY does
 | support the failure of a link which does not end up with 50% packet
 | loss. There is new code in the One2Many module that xmits a layer 2 "I'm
 | alive" broadcast out all links, as long as this is picked up on the
 | other links, then all interfaces are considered alive. If one of the
 | packets is not received, then after 2 x heartbeat duration that link is
 | considered "down". I have tested this in the 6.0 code and it works with
 | one caveat. When the server is brought up, both interfaces must be
 | connected and live, or for some reason, the failure algorithm never
 | seems to kick in. I saw exactly what you saw in 5.4 and newer with
 | regards to the 50% packet loss.

Jonathan:

I'm not sure where you got the info about this.  According to the
NG_ONE2MANY(4) page in CVS -rHEAD (-CURRENT):

"Currently, the valid settings for the xmitAlg field are
NG_ONE2MANY_XMIT_ROUNDROBIN (default) or NG_ONE2MANY_XMIT_ALL.  The only
valid setting for failAlg is NG_ONE2MANY_FAIL_MANUAL; this is also the
default setting."

I have 6.1-BETA1 on a box right now and I've got my config setup for
NG_ONE2MANY_XMIT_ROUNDROBIN + NG_ONE2MANY_FAIL_NOTIFY and I don't see any
layer2 heartbeat related traffic (watching via tcpdump(8) on another
machine in the same segment)

Can you share what you saw?

~lava


|> mission critical environment).
|> - Xmit-All causes twice as much load on to be placed on the switch
|> /fabric and switch CPU.
|>
|
|  As of Freebsd 6_0 (which is at RC1 now), the NG_ONE2MANY does
| support the failure of a link which does not end up with 50% packet
| loss. There is new code in the One2Many module that xmits a layer 2 "I'm
| alive" broadcast out all links, as long as this is picked up on the
| other links, then all interfaces are considered alive. If one of the
| packets is not received, then after 2 x heartbeat duration that link is
| considered "down&q

Re: ng_one2many v.s. AFT (NIC Fault Tolerance/Fail Over/Redundancy Revisited) (fwd)

2006-02-15 Thread Brian A. Seklecki


-- Forwarded message --
Date: Wed, 15 Feb 2006 20:11:49 -0500 (EST)
From: Brian A. Seklecki <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], Jonathan Donaldson <[EMAIL PROTECTED]>,
Brian J. Creasy <[EMAIL PROTECTED]>
Cc: Chad Ziccardi <[EMAIL PROTECTED]>,
Danny Howard <[EMAIL PROTECTED]>, Brad Bendy <[EMAIL PROTECTED]>
Subject: Re: ng_one2many v.s. AFT (NIC Fault Tolerance/Fail Over/Redundancy
Revisited) (fwd)

On Thu, 12 Jan 2006, Brian J. Creasy wrote:



Brian A. Seklecki wrote:
|
| Johnathan's comments suggest that we may need to move to 6.x on the
| production cluster.
|
| 6.x has been upgraded from a technology release to stable, and our goal
| is stability.
|
| Brian:  What are your thoughts so far on the 6.x experience?

no complaints here.. though, i have it running only on my laptop and


Okay.

 |  As of Freebsd 6_0 (which is at RC1 now), the NG_ONE2MANY does
 | support the failure of a link which does not end up with 50% packet
 | loss. There is new code in the One2Many module that xmits a layer 2 "I'm
 | alive" broadcast out all links, as long as this is picked up on the
 | other links, then all interfaces are considered alive. If one of the
 | packets is not received, then after 2 x heartbeat duration that link is
 | considered "down". I have tested this in the 6.0 code and it works with
 | one caveat. When the server is brought up, both interfaces must be
 | connected and live, or for some reason, the failure algorithm never
 | seems to kick in. I saw exactly what you saw in 5.4 and newer with
 | regards to the 50% packet loss.

Jonathan:

I'm not sure where you got the info about this.  According to the NG_ONE2MANY(4) 
page in CVS -rHEAD (-CURRENT):


"Currently, the valid settings for the xmitAlg field are 
NG_ONE2MANY_XMIT_ROUNDROBIN (default) or NG_ONE2MANY_XMIT_ALL.  The only valid 
setting for failAlg is NG_ONE2MANY_FAIL_MANUAL; this is also the default 
setting."


I have 6.1-BETA1 on a box right now and I've got my config setup for 
NG_ONE2MANY_XMIT_ROUNDROBIN + NG_ONE2MANY_FAIL_NOTIFY and I don't see any 
layer2 heartbeat related traffic (watching via tcpdump(8) on another machine in 
the same segment)


Can you share what you saw?

~lava


|> mission critical environment).
|> - Xmit-All causes twice as much load on to be placed on the switch
|> /fabric and switch CPU.
|>
|
|  As of Freebsd 6_0 (which is at RC1 now), the NG_ONE2MANY does
| support the failure of a link which does not end up with 50% packet
| loss. There is new code in the One2Many module that xmits a layer 2 "I'm
| alive" broadcast out all links, as long as this is picked up on the
| other links, then all interfaces are considered alive. If one of the
| packets is not received, then after 2 x heartbeat duration that link is
| considered "down". I have tested this in the 6.0 code and it works with
| one caveat. When the server is brought up, both interfaces must be
| connected and live, or for some reason, the failure algorithm never
| seems to kick in. I saw exactly what you saw in 5.4 and newer with
| regards to the 50% packet loss.
|
|
|> What ng_one2many needs is a "Active-Standy" XMIT algorithm (STP BOFH's
|> will think BLOCKING/FORWARDING).  It could even be used on top of
|> other NetGraph nodes like ng_fec or possibly (hopefully) ng_802.3ad >:}
|>
|

- --
Brian J. Creasy
Collaborative Fusion, Inc.
412.422.3463 x4020   [EMAIL PROTECTED]

pgp public key:
~  http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5F94E004




Dell Powervault 120T / ADIC FastStor DLT D116

2005-07-25 Thread Brian A. Seklecki


I just connected a Dell Powervault 120T to an Adaptec AHA-2944 HVD ("High 
Voltage Differential") controller and the resulting dmesg indicates what 
is probed by my RELENG_5_3 kernel:


ahc0:  port 0xe400-0xe4ff mem 0xe9001000-0xe9001fff irq 5 at device 11.0 on pci0

sa1 at ahc1 bus 0 target 4 lun 0
sa1:  Removable Sequential Access SCSI-3 device
sa1: 40.000MB/s transfers (40.000MHz, offset 32)
pass0 at ahc0 bus 0 target 0 lun 0
pass0:  Removable Changer SCSI-2 device
pass0: 3.300MB/s transfers


For some reason, the tape changer is probing as pass(4) instead of ch(4).


Any ideas why?  SCSI devices have a "device class" designation, IIRC. 
However, I can't get useful debugging out of camcontrol(8) w/ recompiling 
the kernel w/ DEBUG options.


I'm going to do that now, but any ideas would be appreciated.


l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


Re: Dell Powervault 120T / ADIC FastStor DLT D116

2005-07-26 Thread Brian A. Seklecki

On Mon, 25 Jul 2005, Brian A. Seklecki wrote:


For some reason, the tape changer is probing as pass(4) instead of ch(4).


Any ideas why?  SCSI devices have a "device class" designation, IIRC.


Nevermind, someone had removed "device ch" from the kernel config (as 
well as uk(4), which explains pass(4) attachment)


ch1 at ahc0 bus 0 target 0 lun 0
ch1:  Removable Changer SCSI-2 device
ch1: 3.300MB/s transfers
ch1: 7 slots, 1 drive, 1 picker, 0 portals

sa0 at ahc0 bus 0 target 1 lun 0
sa0:  Removable Sequential Access SCSI-2 device
sa0: 20.000MB/s transfers (10.000MHz, offset 8, 16bit)

# amtapetype -f /dev/sa0
Writing 256 Mbyte   compresseable data:  25 sec
Writing 256 Mbyte uncompresseable data:  207 sec
WARNING: Tape drive has hardware compression enabled
Estimated time to write 2 * 1024 Mbyte: 1656 sec = 0 h 27 min
wrote 454530 32Kb blocks in 1390 files in 13494 seconds (short write)
[interrupt]

...more complete output amtapetype(1) to amanda-users@amanda.org


FreeBSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls()

2005-09-02 Thread Brian A. Seklecki
sql-5.0.3_2  The mysql shared extension for php
php5-odbc-5.0.4_2   The odbc shared extension for php
php5-openssl-5.0.3_2 The openssl shared extension for php
php5-pcre-5.0.3_2   The pcre shared extension for php
php5-pear-5.0.3_2   PEAR framework for PHP
php5-pgsql-5.0.3_2  The pgsql shared extension for php
php5-posix-5.0.3_2  The posix shared extension for php
php5-session-5.0.3_2 The session shared extension for php
php5-simplexml-5.0.3_2 The simplexml shared extension for php
php5-soap-5.0.3_2   The soap shared extension for php
php5-sqlite-5.0.3_2 The sqlite shared extension for php
php5-sysvmsg-5.0.3_2 The sysvmsg shared extension for php
php5-sysvsem-5.0.3_2 The sysvsem shared extension for php
php5-sysvshm-5.0.3_2 The sysvshm shared extension for php
php5-tokenizer-5.0.3_2 The tokenizer shared extension for php
php5-xml-5.0.3_2    The xml shared extension for php
php5-zlib-5.0.3_2   The zlib shared extension for php

php4box# php public_html/functions.php -e ldap
ldap_connect
ldap_close
ldap_bind
ldap_unbind
ldap_read
ldap_list
ldap_search
ldap_free_result
ldap_count_entries
ldap_first_entry
ldap_next_entry
ldap_get_entries
ldap_first_attribute
ldap_next_attribute
ldap_get_attributes
ldap_get_values
ldap_get_values_len
ldap_get_dn
ldap_explode_dn
ldap_dn2ufn
ldap_add
ldap_delete
ldap_modify
ldap_mod_add
ldap_mod_replace
ldap_mod_del
ldap_errno
ldap_err2str
ldap_error
ldap_compare
ldap_sort
ldap_rename
ldap_get_option
ldap_set_option
ldap_first_reference
ldap_next_reference
ldap_set_rebind_proc


php5 box$ php functions.php -e ldap
ldap_connect
ldap_close
ldap_bind
ldap_unbind
ldap_read
ldap_list
ldap_search
ldap_free_result
ldap_count_entries
ldap_first_entry
ldap_next_entry
ldap_get_entries
ldap_first_attribute
ldap_next_attribute
ldap_get_attributes
ldap_get_values
ldap_get_values_len
ldap_get_dn
ldap_explode_dn
ldap_dn2ufn
ldap_add
ldap_delete
ldap_modify
ldap_mod_add
ldap_mod_replace
ldap_mod_del
ldap_errno
ldap_err2str
ldap_error
ldap_compare
ldap_sort
ldap_get_option
ldap_set_option
ldap_parse_result
ldap_first_reference
ldap_next_reference
ldap_rename
ldap_set_rebind_proc

--
~ TIA,

Brian A. Seklecki
Collaborative Fusion, Inc.
[EMAIL PROTECTED]
412-422-3463 x 4018
1710 Murray Avenue, Suite 320
Pittsburgh, PA 15217

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


Re: [PHP] FreeBSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls()

2005-09-03 Thread Brian A. Seklecki
result: -r
configure:5684: checking for BSD-compatible nm
configure:5720: result: nm
configure:5723: checking for a sed that does not truncate output
configure:5805: result: /usr/bin/sed
configure:5808: checking whether ln -s works
configure:5812: result: yes
configure:5819: checking how to recognise dependent libraries
configure:6001: result: pass_all
configure:6013: checking command to parse nm output
configure:6097: cc -c -O -pipe -march=pentium3  conftest.c >&5
configure:6100: $? = 0
configure:6104: nm conftest.o \| sed -n -e 's/^.*[ ]\([ABCDGISTW][ABCDGISTW]*\)[   ][  ]*\(\)\([_A-Za-z][_A-Za-z0-9]*\)$/\1 \2\3 \3/p' \> conftest.nm
configure:6107: $? = 0
configure:6159: cc -o conftest -O -pipe -march=pentium3   conftest.c conftstm.o >&5
configure:6162: $? = 0
configure:6206: result: ok
configure:6215: checking how to run the C preprocessor
configure:6241: cc -E  conftest.c
configure:6247: $? = 0
configure:6274: cc -E  conftest.c
configure:6271:28: ac_nonexistent.h: No such file or directory
configure:6280: $? = 1
configure: failed program was:
#line 6270 "configure"
#include "confdefs.h"
#include <ac_nonexistent.h>
configure:6317: result: cc -E
configure:6332: cc -E  conftest.c
configure:6338: $? = 0
configure:6365: cc -E  conftest.c
configure:6362:28: ac_nonexistent.h: No such file or directory
configure:6371: $? = 1
configure: failed program was:
#line 6361 "configure"
#include "confdefs.h"
#include <ac_nonexistent.h>
configure:6411: checking for ANSI C header files
configure:6425: cc -E  conftest.c
configure:6431: $? = 0
configure:6518: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
configure:6521: $? = 0

ac_cv_func_ldap_start_tls_s=no


From php_ldap.h:

#if LDAP_API_VERSION > 2000
PHP_FUNCTION(ldap_start_tls);
#endif

From ldap.c:

#ifdef HAVE_LDAP_START_TLS_S
PHP_FE(ldap_start_tls, NULL)
#endif

#ifdef HAVE_LDAP_START_TLS_S
/* {{{ proto bool ldap_start_tls(resource link)
   Start TLS */
PHP_FUNCTION(ldap_start_tls)
{
    zval **link;
    ldap_linkdata *ld;
    int rc, protocol = LDAP_VERSION3;

    if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &link) == FAILURE) {
        WRONG_PARAM_COUNT;
    }

    ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, link, -1, "ldap link", le_link);

    if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) ||
        ((rc = ldap_start_tls_s(ld->link, NULL, NULL)) != LDAP_SUCCESS)
    ) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING,"Unable to start TLS: %s", ldap_err2string(rc));
        RETURN_FALSE;
    } else {
        RETURN_TRUE;
    }
}
/* }}} */
#endif



On Fri, 2 Sep 2005, Rasmus Lerdorf wrote:


Brian A. Seklecki wrote:

Firstly, sorry if this is the wrong list.  There are thousands of forums
and PHP5 related MLs, but nothing FBSD specific.

Second, I wouldn't post if this wasn't happening on two completely
different FBSD boxes.

For whatever reason, the php4 and php5 from FreeBSD ports refuses to
properly configure SSL/TLS support for the LDAP module.


Can't you just build from the PHP tarball instead?  Seems like a messed
up port to me.  I use FreeBSD all day, every day and haven't seen this
problem.  But I also don't use the ports.

-Rasmus



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


Re: [PHP] FreeBSD php{4,5} w/ LDAP + SSL/TLS ldap_start_tls()

2005-09-03 Thread Brian A. Seklecki


Okay, problem fixed:

1) cd /usr/{ports,pkgsrc}/{net/php5-ldap,databases/php-ldap} on 
{Free,Net}BSD respectively


2) sudo make configure

3) sudo vim
On FreeBSD
work/php-5.0.4/ext/ldap/config.h or..
work/php-4.4.0/ext/ldap/config.h

on NetBSD:
work/php-5.0.4/ext/ldap/config.h

4) Change:
/* Define to 1 if you have the `ldap_start_tls_s' function. */
/* #undef HAVE_LDAP_START_TLS_S */

   To:

#define HAVE_LDAP_START_TLS_S 1

5) sudo make install

6) carry on pretending that your employee data is secure

$ cat ~/public_html/testtls.php


[0] [EMAIL PROTECTED]:/$ php ~/public_html/testtls.php
I see it!

7) ...sit around on your day off and try to determine how the following 
piece of code from configure.sh was [ever] supposed to determine if 
ldap_start_tls_s() was a valid function w/o including arguments 
-I/usr/local/include, -L/usr/local/lib to gcc(1) or #including ldap.h or 
lber.h, and wonder who is responsible >:}


*cough*

http://chora.php.net/diff.php/php-src/ext/ldap/config.m4?php=3c934ff67902f7c5ce419c901b82c77e&r1=1.23&r2=1.24&ty=h&num=10

*cough* ... 8-) ...i dunno, maybe it "just works(r)" on Linux >:}


| /* confdefs.h.  */
|
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define COMPILE_DL_LDAP 1
| #define HAVE_LDAP 1
| #define HAVE_3ARG_SETREBINDPROC 1
| /* end confdefs.h.  */
| /* Define ldap_start_tls_s to an innocuous variant, in case <limits.h> declares ldap_start_tls_s.
|    For example, HP-UX 11i <limits.h> declares gettimeofday.  */
| #define ldap_start_tls_s innocuous_ldap_start_tls_s
| /* System header to define __stub macros and hopefully few prototypes,
|     which can conflict with char ldap_start_tls_s (); below.
|     Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
|     <limits.h> exists even on freestanding compilers.  */
|
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
|
| #undef ldap_start_tls_s
|
| /* Override any gcc2 internal prototype to avoid an error.  */
| #ifdef __cplusplus
| extern "C"
| {
| #endif
| /* We use char because int might match the return type of a gcc2
|builtin and then its argument prototype would still apply.  */
| char ldap_start_tls_s ();
| /* The GNU C library defines this for functions which it implements
| to always fail with ENOSYS.  Some functions are actually named
| something starting with __ and the normal name is an alias.  */
| #if defined (__stub_ldap_start_tls_s) || defined (__stub___ldap_start_tls_s)
| choke me
| #else
| char (*f) () = ldap_start_tls_s;
| #endif
| #ifdef __cplusplus
| }
| #endif
|
| int
| main ()
| {
| return f != ldap_start_tls_s;
|   ;
|   return 0;
| }



~BAS

On Sat, 3 Sep 2005, Brian A. Seklecki wrote:



Rasmus / all:

I'll revert to that as path of last resort.  The FreeBSD port mechanism for 
installing php extensions is administratively superior to maintaining source 
installations manually.  Apache/PHP/LDAP/SSL/SQL cocktails on anything other 
than Linux are way too convoluted to not be using Ports, especially with the 
number of security advisories that come out.  Without the XML vulnerability 
checklist from 'portaudit', you might as well grab your ankles.


Anyway, It's not FreeBSD ports.  The damn configure script in 
php{4,5}???/ext/ldap/ per the following:


Update:  The problem persists elsewhere than FreeBSD 5.3/i386.  It's also
happening on a NetBSD/i386 host with a -current (cvs -rHEAD)
pkgsrc/databases/{,php-ldap-}openldap/

Okay, I traced it down:

in /usr/ports/net/php5-ldap/work/php-5.0.4/ext/ldap/configure ->
conftest -> ldap_start_tls_s();
ldap_start_tls_s return false -> ac_cv_func_ldap_start_tls_s=no in config.log
config.log -> ldap.h -> #undef HAVE_LDAP_START_TLS_S
config.c -> HAVE_LDAP_START_TLS_S -> PHP_FE(ldap_start_tls, NULL)

...therefore ldap_start_tls isn't registered.  The question is why the 
conftest.c in GNU autoconf is failing with:


configure:5048: cc -o conftest -O -pipe -march=pentium3   conftest.c  >&5
/var/tmp//cc63HySI.o(.text+0x12): In function `main':
: undefined reference to `ldap_start_tls_s'

...Which is odd since:


php4$ grep -ir ldap_start_tls_s lib/*
Binary file lib/libldap-2.2.so matches
Binary file lib/libldap-2.2.so.7 matches
Binary file lib/libldap.a matches
Binary file lib/libldap.so matches
Binary file lib/libldap_r-2.2.so matches
Binary file lib/libldap_r-2.2.so.7 matches
Binary file lib/libldap_r.a matches
Binary file lib/libldap_r.so matches
Binary file lib/pam_ldap.so matches

php4$ grep -ir ldap_start_tls_s include/*
include/ldap.h:ldap_start_tls_s LDAP_P((
include/php/main/php_config.h:/* Define if you have the ldap_start_tls_s function.  */
include/php/main/php_config.h:/* #undef HAVE_LDAP_START_TLS_S */


$ nm lib/libldap-2.2.so.7|grep -i start_tls
0002b770 T ldap_start_tls_s

and...

ph
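
The trace followed in this thread (config.log, then config.h, then nm on libldap) written as a repeatable build check. This is an added example, not code from the thread or from PHP; the function names, verdict strings and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: detect the misdetection traced in this thread, where libldap
# exports ldap_start_tls_s but configure left HAVE_LDAP_START_TLS_S undefined,
# so PHP never registers ldap_start_tls(). Function names, verdict words and
# the sample files are this example's own.

# macro_defined CONFIG_H: true if HAVE_LDAP_START_TLS_S is really #defined
# (the commented-out "/* #undef ... */" form does not count).
macro_defined() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_LDAP_START_TLS_S([[:space:]]|$)' "$1"
}

# symbol_exported NM_OUTPUT: true if nm lists ldap_start_tls_s as a defined
# text or weak symbol ("<addr> T <name>"). Undefined references are printed
# as "U <name>" with only two fields and therefore do not match.
symbol_exported() {
    awk 'NF == 3 && $2 ~ /^[TW]$/ && $3 == "ldap_start_tls_s" { ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# probe_link_failed CONFIG_LOG: true if configure's test program failed to
# link, which is the failure quoted from config.log in this thread.
probe_link_failed() {
    grep -q "undefined reference to .ldap_start_tls_s" "$1"
}

# audit_ldap_starttls CONFIG_H NM_OUTPUT [CONFIG_LOG]
# Prints one verdict and returns 0 only for "ok":
#   ok            macro defined, library exports the symbol
#   misdetected   library exports the symbol, configure said no
#   unavailable   library lacks the symbol, macro undefined
#   inconsistent  macro defined, library lacks the symbol
audit_ldap_starttls() {
    if macro_defined "$1"; then m=yes; else m=no; fi
    if symbol_exported "$2"; then s=yes; else s=no; fi
    case "$m:$s" in
        yes:yes) echo ok; return 0 ;;
        yes:no)  echo inconsistent ;;
        no:no)   echo unavailable ;;
        no:yes)
            if [ -n "${3:-}" ] && probe_link_failed "$3"; then
                echo misdetected-link-probe-failed
            else
                echo misdetected
            fi ;;
    esac
    return 1
}

# Constructed sample inputs modelled on the lines quoted in this thread.
demo_ldap_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/* #undef HAVE_LDAP_START_TLS_S */' > "$d/config.h"
    printf '%s\n' '0002b770 T ldap_start_tls_s' > "$d/nm.txt"
    printf '%s\n' ": undefined reference to \`ldap_start_tls_s'" > "$d/config.log"
    audit_ldap_starttls "$d/config.h" "$d/nm.txt" "$d/config.log" || true
    rm -rf "$d"
}

# Real inputs (paths are assumptions based on the thread):
#   work/php-*/ext/ldap/config.h and config.log from the port's work directory
#   nm /usr/local/lib/libldap.so > nm.txt   (nm -D if the library is stripped)
demo_ldap_audit
```

Running this after `make configure` and before `make install` catches a build that would silently ship without ldap_start_tls().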

Re: mgsql periodic script? running vacuumdb?

2005-09-20 Thread Brian A. Seklecki

On Thu, 9 Jun 2005, Lane wrote:


Hello,

I recently installed postgresql 8.0 on FreeBSD 5.4 and I've noticed the
following message in the "daily run output":

vacuuming...
Password:
vacuumdb: could not connect to database template1: fe_sendauth: no password


I'm assuming you found /usr/local/etc/periodic/daily

Just going through the lists looking for something and saw that no one 
ever answered you ... sux ... >:{


Anyway, "pkg_info -L postgres*" would have helped you, too.

~BAS


supplied

Errors were reported during vacuum.

I know how to fix the problem (i.e. ~/.pgpass) but what I don't understand is
who or what is invoking vacuumdb.

The message appears in the output generated from the scripts
at /etc/periodic/daily but there is no reference to vacuumdb in any of those
scripts.

Who's doing this?

Thanks,

Lane



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


periodic(8) / daily bsdlabel / fdisk / softraid*

2005-09-20 Thread Brian A. Seklecki


All:

I just realized that the stock periodic scripts don't backup 
fdisk/disklabel output.  I'm taken back a bit; NetBSD and OpenBSD have 
always done this (archive to /var/backup).  We backup the password and 
group files, but not system info.


Obviously, RAID can mitigate the need for this, but imagine a DRP scenario 
where you have to recover a host to an offsite warm/cold failover facility 
from off-site tape backups.  You can get your vendor to provide identical 
hardware, but without disk partition/slice info, how are you going to 
recover your disks?


It's bad enough we don't have a unified way to talk to RAID controllers 
yet...the least we can do is try.


We should probably also backup gmirror/gvinum config outputs...

*sigh*

~BAS


220.backup-bsdlabels (WAS: Re: periodic(8) / daily bsdlabel / fdisk / softraid*)

2005-09-20 Thread Brian A. Seklecki


Here's a basic script to accomplish this.  No support for checking 
geom/gmirror/vinum configurations.  RAIDFrame's raidctl(8) has a nice 
"-G" flag:


 "-G dev  Generate the configuration of the RAIDframe device in a
format suitable for use with the -c or -C options."

Maybe someone more intimate with these 3 RAID APIs on FBSD can offer some 
insight.


Obviously, this script will need to be re-written to do sanity checks 
especially with secure file operations.  NetBSD has a nice function in 
/etc/security called migrate_file() {...} for safely rotating.  And lines 
42 and 44 are just ugly.


Also, do non-i386/amd64 platforms support fdisk(8)?  I know NetBSD uses 
sunlabel(8)+disklabel(8) on Sparc64?


But this does what I need it to do.  Given a solid off-site tape backup of 
/var, I can recover /var/backup/(fdisk|disklabel) to a temp machine, and 
recover my slices.


In the event of a complete system loss, I can use fdisk(8) output to 
verify that the number of sectors on my hardware or software RAID 
meta-device match as they were previously on the newly created RAID.


PR is misc/86388!

http://digitalfreaks.org/~lavalamp/220.backup-bsdlabels

Thanks all!

~BAS


-

#!/bin/sh
#
# $FreeBSD: src/etc/periodic/daily/220.backup-bsdlablels**
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

case "$daily_backup_bsdlabels_enable" in
    [Yy][Ee][Ss])

    bak=/var/backups
    rc=0

    # names of all disks probed by the kernel
    disks=`sysctl -n kern.disks`

    if [ -z "$disks" ]; then
        echo '$daily_backup_bsdlabels_enable is set but no disk probed by kernel.' \
            "perhaps NFS diskless client."
        rc=2
    else

        for i in $disks; do

            # first order of business is to check for an existing backup-backup
            if [ -f $bak/fdisk.$i.bak ] ; then
                rc=1
                echo "rotating $bak/fdisk.$i.bak"
                cp -p $bak/fdisk.$i.bak $bak/fdisk.$i.bak2 || rc=3
            fi

            echo "backing up fdisk for $i"

            fdisk $i > "$bak/fdisk.$i.bak" 2>/dev/null || rc=3

            # again, except now we have to get a list of partitions/slices
            # sparc64 can have...9 hopefully slices on a sunlabel?
            part_slices=$(echo /dev/${i}s[0-9])

            # strip every /dev/ prefix (g flag), not just the first one
            for j in $(echo "$part_slices" | sed 's/\/dev\///g'); do
                # an unmatched glob stays literal; skip it
                [ -e /dev/${j} ] || continue

                if [ -f $bak/disklabel.${j}.bak ] ; then
                    rc=1
                    echo "rotating $bak/disklabel.${j}.bak"
                    cp -p $bak/disklabel.${j}.bak $bak/disklabel.${j}.bak2 || rc=3
                fi

                echo "backing up disklabel for ${j}"
                disklabel /dev/${j} > "$bak/disklabel.${j}.bak" 2>/dev/null || rc=3
            done
        done
    fi;;

    *)  rc=0;;
esac

# report the result to periodic(8)
exit $rc

On Tue, 20 Sep 2005, Brian A. Seklecki wrote:



All:

I just realized that the stock periodic scripts don't backup fdisk/disklabel 
output.  I'm taken back a bit; NetBSD and OpenBSD have always done this 
(archive to /var/backup).  We backup the password and group files, but not 
system info.


Obviously, RAID can mitigate the need for this, but imagine a DRP scenario 
where you have to recover a host to an offsite warm/cold failover facility 
from off-site tape backups.  You can get your vendor to provide identical 
hardware, but without disk partition/slice info, how are you going to recover 
your disks?


It's bad enough we don't have a unified way to talk to RAID controllers 
yet...the least we can do is try.


We should probably also backup gmirror/gvinum config outputs...

*sigh*

~BAS



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
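
The post above notes that the script still needs sanity checks and safer file handling. The following is an added example, not part of the original post and not NetBSD's migrate_file(): one way to capture a command's output into the fdisk.*.bak / *.bak2 files without leaving partial files, rotating on every run, or writing through a symlink. The function name save_output and its return codes (modelled on the rc values in the script) are assumptions.

```shell
#!/bin/sh
# Added example: safer capture-and-rotate for the backup files the
# periodic script writes.  Hypothetical helper, not from the post.
#
# save_output DEST CMD [ARGS...]
#   0 = output identical to DEST, nothing touched
#   1 = DEST created, or old DEST rotated to DEST2 and replaced
#   3 = failure (command failed, symlink found, cannot write)
#
# Intended use inside the loop of the script:
#   save_output "$bak/fdisk.$i.bak" fdisk "$i"
save_output() {
    dest=$1
    shift
    prev="${dest}2"                 # matches the .bak / .bak2 naming
    dir=$(dirname "$dest")

    # Sanity check: never read or replace through a symlink that
    # somebody planted where the backup is expected.
    if [ -L "$dest" ] || [ -L "$prev" ]; then
        echo "refusing to touch symlink at $dest" >&2
        return 3
    fi

    # mktemp creates the file with mode 0600 and an unpredictable name,
    # in the same directory so the final mv is a rename.
    tmp=$(mktemp "$dir/.save_output.XXXXXX") || return 3

    # If the command fails, drop the partial output and keep the
    # previous generation untouched.
    if ! "$@" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 3
    fi

    # Unchanged output: do not rotate, so DEST2 keeps the last
    # genuinely different layout instead of a copy of yesterday.
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        return 0
    fi

    # Rotate the old generation, then move the new one into place.
    if [ -f "$dest" ]; then
        if ! mv -f "$dest" "$prev"; then
            rm -f "$tmp"
            return 3
        fi
    fi
    if ! mv -f "$tmp" "$dest"; then
        rm -f "$tmp"
        return 3
    fi
    return 1
}
```

Because the new file is only renamed into place after the command succeeded, a failed fdisk or disklabel run can no longer truncate the one good copy.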


Dell PowerEdge w/ Intel AFT / Broadcom BASP

2005-10-05 Thread Brian A. Seklecki

All:

This may be better for freebsd-cluster@freebsd.org, but that list is kind 
of ghost town, and this question is more a standards-based:


Does anyone deploy Dell Poweredge in a HA configuration utilizing these 
features?


http://www.intel.com/network/connectivity/resources/technologies/load_balancing.htm
http://www1.us.dell.com/content/topics/global.aspx/power/en/ps1q03_bhutani?c=us&cs=555&l=en&s=biz
http://www.broadcom.com/drivers/faq_drivers.php#55

Do we know what underlying standards and protocols compose these 
"technologies"? 802.3ad, Cisco FEC?


Intel AFT claims to provide redundancy over a "team" of NICs.  ALB claims 
link aggregation; but they don't specify if they're doing it in hardware 
or software (see below)


Broadcom BASP claims the same, given different terminology and vendor.

I'm looking for a "fault tolerant" configuration for a HA cluster.  "Load 
balancing" and/or "link aggregation" is not required.  I need to be able 
to "team" two NICs into one Virtual NIC.  Each NIC connects to two 
redundant managed switches, on which the connecting switch ports exist in 
the same VLAN (which is then ISL/802.1q trunked between them).  Essentially 
the same ethernet segment.

I see ng_one2many(4), but the man page doesn't really state what standard 
that uses.  It seems to be all in-kernel magic (LACP and 802.3.ad aren't 
mentioned in the man page); will this meet the above requirements?


There were some ng_one2many(4) patches a while back to add more 
intelligence, (FEC/802.3ad heartbeat like control protocol)


http://marc.theaimsgroup.com/?t=10769597742&r=1&w=2
...but no mention of them ever being committed.

I see ng_fec(4) also, but I don't think that Cisco Ethernet Channel can 
occur between two switches and one server (correct me if I'm wrong).


I question the Hardware v.s. Software issue on the Intel NICs because the 
Dell PowerEdge Servers that happen to have Intel NIC Chipsets using em(4) 
(many have Broadcom), seem to automatically try to "team" NICs when 
they're connected to unmanaged PowerConnect switches, breaking ng_one2many 
logic.  They constantly alternate MAC addresses between the primary 
ethernet, the secondary ethernet, and a 3rd 1-byte-off Virtual MAC.


This automatic attempt to team seems like a hardware feature.  If it was a 
software feature, in theory it wouldn't try to team w/o being instructed 
to?


On the other hand, *managed* Dell PowerConnect switches feature something 
called "LAG", which the docs describe as 802.3ad / LACP.


I haven't tried ng_one2many on non-Dell or Dell Managed switches to see if 
the MAC address "bouncing" problem persists, but I'll try that today.


So the big question:

 *) Is the Windows/Linux-only software for configuring "teams" of NICs,
described in the URLs below, designed to configure a hardware level
feature that might have more intelligent link failure detection than
ng_many2one? (I.e., other than just lost carrier, say, STP storm
detection or excessive packet error thresholds).  Or is it software?

 *) If it is a hardware feature, could our em(4) driver be adapted or
could it possibly be configured using OpenManage via the Intel
IPMI/DMI/SMI whatever?

 *) Can Cisco FEC or 802.3ad provide redundancy between two switches and
one server w/ two NICs?  Will NetGraph ever have a 802.3ad module?

 *) What combination of Switch and NIC related teaming / failover technology
are known to be compatible with FreeBSD ?

TIA,
~BAS


Re: fxp0 problem with 6Beta?

2005-10-05 Thread Brian A. Seklecki


What do the outputs of "ifconfig fxp0", "arp -an", "tcpdump -i fxp0 -n" 
and "netstat -s" look like?


~BAS


On Wed, 5 Oct 2005, Bdrawyah wrote:


I have a small LAN at home consisting of 192.168.0.5 (a single PIII) which runs 
5.4 stable and 192.168.
0.7 (a dual PIII) which runs 6Beta4 connected with a Netgear router at 
192.168.0.1.
192.168.0.7 has nothing on it, no firewall even, aside from 6Beta (with 
debugging turned off in the
kernel) and cvsup.

From 192.168.0.7 I can find and login to 192.168.0.5 and external computers 
using ssh.
From 192.168.0.5 I can login to external computers using ssh but there is no 
sign of 192.168.0.7,

pinging fails and the Netgear router can't see it.
Any suggestions?

Below is dmesg for 192.168.0.7


Re: fxp0 problem with 6Beta?

2005-10-05 Thread Brian A. Seklecki

On Wed, 5 Oct 2005, Bdrawyah wrote:





What do the outputs of "ifconfig fxp0", "arp -an", "tcpdump -i fxp0 -n"
and "netstat -s" look like?

~BAS



arp -an
? (192.168.0.1) at 00:0f:b5:16:dd:b6 on fxp0 [ethernet]


You should see an ARP entry for .07 from .05 and vice versa when you ping 
each other (regardless if the ICMP makes it or not)




tcpdump -i fxp0 -n
tcpdump: (no devices found) /dev/bpf0: Permission denied



This command will produce much more interesting results if you run it as 
root or via sudo(8).  ...unless that error indicates that you compiled w/o 
BPF.


~BAS


Re: fxp0 problem with 6Beta?

2005-10-05 Thread Brian A. Seklecki

--

Should have read man tcpdump prior to running it!
As root:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
23:10:40.704329 802.1d config 8000.00:0f:b5:16:dd:b6.8001 root 8000.00:0f:b5:16:


What you want to do is run this on one machine while you try to ping that 
machine (on which are running) from another machine.


Something strange going on in your network if your clients aren't ARP'ing 
each other.


What kind of router did you say? Maybe reset to defaults if the problem 
persists?


~BAS



dd:b6 pathcost 0 age 0 max 6 hello 2 fdelay 0
23:10:42.704385 802.1d config 8000.00:0f:b5:16:dd:b6.8001 root 8000.00:0f:b5:16:
dd:b6 pathcost 0 age 0 max 6 hello 2 fdelay 0
23:10:44.704501 802.1d config 8000.00:0f:b5:16:dd:b6.8001 root 8000.00:0f:b5:16:
dd:b6 pathcost 0 age 0 max 6 hello 2 fdelay 0
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel







Re: Dell PowerEdge w/ Intel AFT / Broadcom BASP

2005-10-06 Thread Brian A. Seklecki


For the record on this, Dell claims that AFT/ALB is entirely software 
based.





LDAP + PAM + pam_groupdn (revisited)

2005-10-06 Thread Brian A. Seklecki


Did anyone ever get this combination working?

Is 'pam_member_attribute' supposed to be uniqueMember or memberUid?

When you look at a posixGroup entity, the multi-value attribute is 
memberUid!


Is there *any* way at all to get debugging information out of PAM libraries, 
or is it just so insanely esoteric that it's not an option?


My favorite thing about PADL's documentation by far is the lack of 
examples.


~BAS >:}




Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)

2005-10-06 Thread Brian A. Seklecki


This should be so insanely easy.  I'm relatively certain this is a 
FreeBSD PAM specific issue.  From "LDAP system administration [electronic 
resource] / Gerald Carter. 1st ed.  Beijing ; Sebastopol, CA : O'Reilly, 
c2003."


in ldap.conf and nss_ldap.conf

--

# Group to enforce membership of
pam_groupdn cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com

# Group member attribute
pam_member_attribute memberUid

---

...and then in LDAP, have an object, *ANY* object will function as a 
"group", as long as it supports a multi-value attribute, in this case 
memberUid such as a posixGroup:


# groupName, posixGroups, priv, root, dn
dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
cn: cfdev
objectClass: posixGroup
objectClass: top
gidNumber: 65532
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
memberUid: user6


...this result returned by the same search I'm asking PAM to do:

$ ldapsearch -D "cn=bofh,dc=root,dc=com" -b dc=root,dc=com -H ldap://ldapserver -Z -W "(objectClass=posixGroup)"


Then adjust for PAM in SSHD:


# auth
auth      required    pam_nologin.so      no_warn
auth      sufficient  pam_opie.so         no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so   no_warn allow_local
#auth     sufficient  pam_krb5.so         no_warn try_first_pass
#auth     sufficient  pam_ssh.so          no_warn try_first_pass
auth      sufficient  /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth      required    pam_unix.so         no_warn try_first_pass

# account
#account  required    pam_krb5.so
account   required    pam_login_access.so
account   required    /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account   required    pam_unix.so

# session
#session  optional    pam_ssh.so
session   required    pam_permit.so
#session  sufficient  /usr/local/lib/pam_ldap.so no_warn try_first_pass

# password
#password sufficient  pam_krb5.so         no_warn try_first_pass
password  required    pam_unix.so         no_warn try_first_pass
#password required    /usr/local/lib/pam_ldap.so no_warn try_first_pass



...when I change "account ..pam_ldap.so" to sufficient, it allows users in 
who aren't in the required group (as it should if the check fails).  When 
I change it to required, it doesn't let them in, but there isn't a single 
useful debugging error message.


How could something so widely used as PAM make it into the wild without 
hooks for debugging?


~BAS



Re: [ldap] Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)

2005-10-06 Thread Brian A. Seklecki


right!

...from pam_ldap(5):

PAM CONFIGURATION

   It is possible to configure some aspects of pam_ldap on a per-service
   basis, in the PAM configuration file (this is usually /etc/pam.conf;
   for PAM implementations based on Linux-PAM, per-service files in
   /etc/pam.d are also supported).

[..]


 debug:  This option is recognized by pam_ldap but is presently ignored.

~bas


On Thu, 6 Oct 2005, Jeff Saxton wrote:


you can run pam modules in debug mode:

"The last option listed in a PAM configuration line supplies any additional 
arguments that should be passed to the module upon invocation.


debug
 Enables generation of debugging information either to standard output or 
via the syslogd daemon"


Good luck


--
Jeff Saxton
SenSage, Inc.
55 Hawthorne Street Suite 700
San Francisco, CA 94105
Phone:  415.808.5900
Fax:415.371.1385
Direct: 415-808-5921
Cell:   415-640-6392
mailto:[EMAIL PROTECTED]


Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)

2005-10-06 Thread Brian A. Seklecki


Ahhh.  Cheeky bastards.  You sit around and think "group" for 18 hours 
with regard to POSIX Groups.  Then it comes time to sit down and configure 
"group membership" login restriction.  But really, they are entirely 
unrelated concepts.  It even says in the man page:


"Specifies the distinguished name of a group to which a user must belong 
for logon authorization to succeed."


Right? Right?

But...

"pam_groupdn" has absolutely nothing to do with whether the DN/RDN of the 
user trying to authenticate contains an attribute "uid=user1", which 
matches a "memberUid" multi-value attribute in any object type 
"posixGroup".


This is simply not what the code checks.  That would make too much sense 
to use the semantics of UNIX / POSIX to make this determination.  I.e.,


"You're in that UNIX group, you can login."

Instead, it checks to see if the entire DN of authenticating user/DN is in 
SOME/ANY multi-value attribute defined by "pam_member_attribute".


That explains why the authors of "LDAP System Administration" go to the 
trouble of creating an entirely different "ou=Hosts" (which, once again, 
is an entirely ambiguous name) for containing "host/group" objects (which 
are really supposed to be used for DNS!)  with "member:" attributes for 
this purpose.


What's more, the values of your "pam_member_attribute", in this case 
"memberUid", but really should be, "memberDN", must be the entire DN and 
not an RDN.


For example:

memberDN: cn=Keyser Soze,ou=People,o=priv,dc=root,dc=com

but this won't work (RDN?):

memberDN: uid=ksoze,ou=People,o=priv,dc=root,dc=com

[snip]

$ ldapsearch blah blah

# dev, posixGroups, priv, root, com
dn: cn=dev,ou=posixGroups,o=priv,dc=root,dc=com
cn: dev
objectClass: posixGroup
objectClass: top
gidNumber: 65532
memberUid: cn=Keyser Soze,ou=People,o=priv,dc=root,dc=com
memberUid: cn=Am Biguity,ou=People,o=priv,dc=root,dc=com

Of course, this isn't explained anywhere in the man page and has probably 
led to unfathomable amounts of similar confusion previously.  One would 
naturally think "Oh, excellent, POSIX groups as ACLs for restricting 
access to groups of machines", but no >:}


A better name would be "Cluster ACL" or "Host ACL" or "ACL Group" 
"HostGroup Object".


Another option would be some kind of ldap.conf(5) style regular expression 
you could use to convert/match a POSIX ACL into a "pam_groupdn".  That 
would be nice and dirty and would keep par.


Good times, good times.

And now to go submit a send-pr(1) to the FreeBSD port maintainer with a 
patch to pam_ldap.5, pray it gets committed back upstream, and then drink 
myself blind in the left eye so I can never read another LDAP man page.


~BAS
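
The membership test described in the message above, as an added example that is not part of the original post and not pam_ldap's code: an offline check of whether a user's full DN appears as a value of pam_member_attribute in the pam_groupdn entry. The function names, the sample LDIF (abridged from the two entries quoted in the thread) and the uid=user1 DN are assumptions; the real comparison is done by the LDAP server, and here it is approximated by lowercasing and trimming spaces around commas.

```shell
#!/bin/sh
# Added example: pre-flight check for a pam_groupdn restriction.
# Constructed sample data, abridged from the entries quoted in the thread.
sample_ldif() {
    cat <<'EOF'
# first attempt: memberUid holds bare login names
dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
cn: cfdev
objectClass: posixGroup
gidNumber: 65532
memberUid: user1
memberUid: user2

# working variant: memberUid holds full user DNs
dn: cn=dev,ou=posixGroups,o=priv,dc=root,dc=com
cn: dev
objectClass: posixGroup
gidNumber: 65532
memberUid: cn=Keyser Soze,ou=People,o=priv,dc=root,dc=com
memberUid: cn=Am Biguity,ou=People,o=priv,dc=root,dc=com
EOF
}

# group_check LDIF GROUP_DN MEMBER_ATTR USER_DN
#   LDIF may be a file name or "-" for standard input.
#   Returns 0 when USER_DN is a value of MEMBER_ATTR in entry GROUP_DN,
#   1 otherwise.  Values are passed through the environment so that
#   backslashes in DNs are not interpreted by awk.
group_check() {
    GDN="$2" ATTR="$3" UDN="$4" awk '
        # Approximate DN comparison: case-insensitive, spaces around
        # commas ignored.  A directory server applies the matching rule
        # of the attribute instead.
        function norm(s) {
            s = tolower(s)
            gsub(/[ \t]*,[ \t]*/, ",", s)
            sub(/^[ \t]+/, "", s)
            sub(/[ \t\r]+$/, "", s)
            return s
        }
        BEGIN {
            gdn  = norm(ENVIRON["GDN"])
            udn  = norm(ENVIRON["UDN"])
            attr = tolower(ENVIRON["ATTR"])
        }
        /^[ \t\r]*$/ { in_group = 0; next }   # blank line ends an entry
        /^#/         { next }                 # LDIF comment
        {
            colon = index($0, ":")
            if (colon == 0) next
            name  = tolower(substr($0, 1, colon - 1))
            value = norm(substr($0, colon + 1))
            if (name == "dn") { in_group = (value == gdn); next }
            # Only values inside the pam_groupdn entry count, and the
            # whole user DN has to match, not just the login name.
            if (in_group && name == attr && value == udn) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Demonstration on the constructed data: the same group accepts the DN
# it lists and rejects a different DN for the same person.
for user in "cn=Keyser Soze,ou=People,o=priv,dc=root,dc=com" \
            "uid=ksoze,ou=People,o=priv,dc=root,dc=com"; do
    if sample_ldif | group_check - \
        "cn=dev,ou=posixGroups,o=priv,dc=root,dc=com" memberUid "$user"
    then echo "allow  $user"
    else echo "deny   $user"
    fi
done
```

Running such a check before switching the account line from sufficient to required shows whether the group entry holds login names or DNs, which is the mismatch that otherwise fails without any log output.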


Re: Acroread7 with Firefox

2005-10-07 Thread Brian A. Seklecki
On Thu, 2005-10-06 at 19:56, Beecher Rintoul wrote:
> Has anyone gotten acroread to work with Firefox? I have linuxpluginwrapper 
> and 
> acroread7 installed. In addition both Java and Flash are installed and work. 

Did you configure libmap?  Once you install linuxpluginwrapper, you have
to cp(1) one of the following:

%%EXAMPLESDIR%%/libmap.conf-FreeBSD6
%%EXAMPLESDIR%%/libmap.conf-FreeBSD5-stable
%%EXAMPLESDIR%%/libmap.conf-FreeBSD5-current
%%EXAMPLESDIR%%/libmap.conf-FreeBSD4.x

...to /etc

Then restart mozilla/firefox/galeon/epiphany.  Then in the URL check
"about:plugins"

What version of FreeBSD? Firefox? Linux Emul/Compat? are you using.

~BAS

> I have tried both the plugin install script and symlinking the plugin to 
> browser plugins, but when I do about:plugins in Firefox it doesn't show up. I 
> tried google but I couldn't find anything helpful.  Acroread7 does work as a 
> standalone. Am I missing something?
> 
> TIA,
> 
> Beech



Re: Stale dependency problem

2005-10-07 Thread Brian A. Seklecki




[EMAIL PROTECTED] pkgdb -F
--->  Checking the package registry database
Stale dependency: php4-overload-4.3.10_2 -> php4-4.3.10_2 (lang/php4):
cannot convert nil into String
New dependency? (? to help):



Backup your /var/db/pkg if you wish.  tar(1) it up.  Blow away the 
dependency with control D, then answer "Yes" to all.


You can always re-force-create the dependencies later with the pkg tools 
"-f" flags.


You really can't break anything here.

~BAS


When I do '?', I get this:

New dependency? (? to help): ?
[Enter] to skip, [Ctrl]+[D] to delete,  [.][Enter] to abort, [Tab] to 
complete


Now I'm lost.  Can anyone give me a hint to start with?

Regards,
--
Ugo

-> Please don't send a copy of your reply by e-mail.  I read the list.
-> Please avoid top-posting, long signatures and HTML, and cut the irrelevant 
parts in your replies.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


Re: Security risk associated with a NIC's promiscuous mode?

2005-10-07 Thread Brian A. Seklecki

On Fri, 7 Oct 2005, John Conover wrote:



Is there any security risk associated with a NIC's promiscuous mode


If you're on a switched LAN, you'll only see traffic destined for MACs 
that the switch has learned on your port (your NICs), plus 
multi/broadcast.


Unless you configure switch "mirroring" or trunking.

~BAS


while running tcpdump and/or arpwatch?

 Thanks,

 John

--

John Conover, [EMAIL PROTECTED], http://www.johncon.com/



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


pam_rootok(8) + pam.d/sudo symlink to pam.d/su

2005-10-07 Thread Brian A. Seklecki


Every reference(1) to configuring PAM and sudo(8) (in my case, for LDAP), 
suggests just symlinking [/usr/local/]etc/pam.d/sudo to /etc/pam.d/su


However, when I do that, all wheel-group users are automatically passing 
auth requirements due to:


auth            sufficient      pam_rootok.so           no_warn

...which I assume is happening because sudo(8) is running SUID root?

---s--x--x  2 root  wheel  105264 Aug 19 12:36 /usr/local/bin/sudo*

...the problem is, that confuses the visudo(8), sudoers(5) policy by 
effectively adding:


%wheel  ALL=(ALL)   NOPASSWD: ALL

Is this correct? If so, the docs should probably be updated.

1.:
http://sudo.rtin.bz/sudo/install.html
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/pam-config.html
http://netbsd.org/guide/en/chap-pam.html


Re: pam_rootok(8) + pam.d/sudo symlink to pam.d/su

2005-10-07 Thread Brian A. Seklecki


sudo-1.6.8.9 via Ports.

Is there any way to set PAM to trace/debug its decision-making process?

~BAS

On Fri, 7 Oct 2005, Dag-Erling Smørgrav wrote:


"Brian A. Seklecki" <[EMAIL PROTECTED]> writes:

However, when I do that, all wheel-group users are automatically
passing auth requirements due to:

auth            sufficient      pam_rootok.so           no_warn

...which I assume is happening because sudo(8) is running SUID root?


No, unless sudo is broken.  What sudo implementation are you using?

DES
--
Dag-Erling Smørgrav - [EMAIL PROTECTED]




l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8

Re: pam_rootok(8) + pam.d/sudo symlink to pam.d/su

2005-10-07 Thread Brian A. Seklecki

On Fri, 7 Oct 2005, Dag-Erling Smørgrav wrote:


No, unless sudo is broken.  What sudo implementation are you using?


PAM doesn't cache authentication information, does it?  This 
"use_first_pass" argument to modules couldn't be getting in the way?


You know, this would be solved by including pam.d/* templates in the 
pam_ldap/nss_ldap package or maintaining a web repository.


Anyway, aside from ranting, Here's the deal:

[EMAIL PROTECTED]:/root# rm -rf /var/run/sudo/*

...then:

client$ ssh [EMAIL PROTECTED]
Password:
Welcome to FreeBSD!
[EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ su -
Password:
[EMAIL PROTECTED]:~# ^D
[EMAIL PROTECTED]:~$ sudo bash
[EMAIL PROTECTED]:~# ^D

...not good.

Now, /usr/local/etc/pam.d/sudo is a symlink to /etc/pam.d/su

/etc/pam.d/su is stock, which "includes" /etc/pam.d/system, which 
basically mirrors /etc/pam.d/sshd (which is ideal, because SUDO isn't 
going to check the root password, it's going to check the user's 
password):


# auth
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_ldap.so             try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      pam_ldap.so             ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail
session         sufficient      pam_ldap.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass



~BAS



DES
--
Dag-Erling Smørgrav - [EMAIL PROTECTED]




l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
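
An added example, not part of the thread and not code from sudo or FreeBSD: a small Python audit that resolves a pam.d service the way this thread describes it (a symlink to su, which in turn includes system) and reports any auth entry where pam_rootok.so is marked sufficient or binding, so that its success alone ends the auth stack. The file contents are constructed from the lines quoted in the thread; the service name sudo_dedicated and all function names are hypothetical.

```python
import os
import tempfile

# Constructed sample files, modelled on the lines quoted in the thread.
SAMPLE = {
    "su": "# auth\n"
          "auth\tsufficient\tpam_rootok.so\tno_warn\n"
          "auth\tinclude\tsystem\n",
    "system": "auth\tsufficient\tpam_ldap.so\ttry_first_pass\n"
              "auth\trequired\tpam_unix.so\tno_warn try_first_pass nullok\n",
    # Hypothetical alternative: a sudo file that includes system directly.
    "sudo_dedicated": "auth\tinclude\tsystem\n",
}


def parse_service(path):
    """Yield (facility, control, module-or-target) from one service file."""
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if len(fields) >= 3:
                yield fields[0], fields[1], fields[2]


def auth_chain(pam_dir, service, ancestors=frozenset()):
    """Flatten the auth stack of a service, following symlinks and includes.

    Each entry is (control, module, file that contributed the line).
    """
    path = os.path.realpath(os.path.join(pam_dir, service))
    if path in ancestors:          # guard against include loops
        return []
    chain = []
    for facility, control, target in parse_service(path):
        if facility != "auth":
            continue
        if control == "include":
            chain.extend(auth_chain(pam_dir, target, ancestors | {path}))
        else:
            chain.append((control, os.path.basename(target),
                          os.path.basename(path)))
    return chain


def rootok_shortcuts(pam_dir, service):
    """Entries where a successful pam_rootok ends the auth stack by itself."""
    return [entry for entry in auth_chain(pam_dir, service)
            if entry[1] == "pam_rootok.so"
            and entry[0] in ("sufficient", "binding")]


def demo():
    """Build the sample tree, with sudo symlinked to su, and audit it."""
    with tempfile.TemporaryDirectory() as pam_dir:
        for name, body in SAMPLE.items():
            with open(os.path.join(pam_dir, name), "w") as fh:
                fh.write(body)
        os.symlink("su", os.path.join(pam_dir, "sudo"))
        return {svc: rootok_shortcuts(pam_dir, svc)
                for svc in ("su", "sudo", "sudo_dedicated")}


if __name__ == "__main__":
    for svc, findings in demo().items():
        print(svc, findings or "no pam_rootok shortcut")
```

The third field of each finding names the file that contributed the line, which shows that the symlinked sudo service inherits the entry from su.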

Re: fxp0 problem with 6Beta?

2005-10-09 Thread Brian A. Seklecki
Be sure to CC: the list on these responses.  Someone else may have
ideas.

Your results below are indeed of concern.

What you need to do is have two terminals open on either machine.  One
for ping'ing, one for watching tcpdump(8) on.  You want to look for ARP
"who-has" and "is-at" packets on either side.

Process of elimination:

Q: On the same hardware this problem doesn't occur with an older
version, correct?

Q: Can you eliminate the router/switch combo as a variable by using a
cross-over cable, temporarily?

~BAS

On Sun, 2005-10-09 at 11:09, Bdrawyah wrote:
> On Thu Oct  6  1:22 , 'Brian A. Seklecki' <[EMAIL PROTECTED]> sent:
> 
> >Something strange going on in your network if your clients aren't ARP'ing 
> >each other.
> >
> 
> Sorry to trouble you again but I have been experimenting with arp -an and it 
> seems to me that after 
> boot up both 192.168.0.5 and 192.168.0.7 can only see the router 192.168.0.1.
> When I ping from 192.168.0.7 to 0.1 arp -an sees only 0.1 but when I ping to 
> 0.5 and then arp -an I see 
> 0.5 correctly as well. 
> Isn't so successful pinging from 0.5 to 0.7 though; output from 0.5 below.
> Does this suggest anything to you?
> Thanks,
> Bruce
> 
> 501: $ arp -an
> ? (192.168.0.1) at 00:0f:b5:16:dd:b6 on rl0 [ethernet]
> [EMAIL PROTECTED]  /usr/home/bruceh
> 502: $ ping 192.168.0.1
> PING 192.168.0.1 (192.168.0.1): 56 data bytes
> 64 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.865 ms
> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.771 ms
> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.768 ms
> ^C
> --- 192.168.0.1 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.768/0.801/0.865/0.045 ms
> [EMAIL PROTECTED]  /usr/home/bruceh
> 503: $ arp -an
> ? (192.168.0.1) at 00:0f:b5:16:dd:b6 on rl0 [ethernet]
> [EMAIL PROTECTED]  /usr/home/bruceh
> 504: $ ping 192.168.0.7
> PING 192.168.0.7 (192.168.0.7): 56 data bytes
> ping: sendto: Host is down
> ping: sendto: Host is down
> ^C
> --- 192.168.0.7 ping statistics ---
> 8 packets transmitted, 0 packets received, 100% packet loss
> [EMAIL PROTECTED]  /usr/home/bruceh
> 505: $ arp -an
> ? (192.168.0.1) at 00:0f:b5:16:dd:b6 on rl0 [ethernet]
> ? (192.168.0.7) at (incomplete) on rl0 [ethernet]
> 
> 



Re: openssl vulnerability

2005-10-11 Thread Brian A. Seklecki


And more importantly, does anyone care to start an informal list of quote 
"any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled."


~BAS

On Tue, 11 Oct 2005, DW wrote:


Hi,

Does anybody know a command to tell which options I have compiled into my 
openssl?


Is there a way to tell if I have SSL_OP_MSIE_SSLV2_RSA_PADDING in there 
before I go unnecessarily rebuilding and reinstall world on all my servers?


Thanks,

DW



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


ng_one2many v.s. AFT (NIC Fault Tolerance/Fail Over/Redundancy Revisited)

2005-10-15 Thread Brian A. Seklecki
Re: 
http://lists.freebsd.org/pipermail/freebsd-questions/2005-October/100623.html


First: This is all very preliminary from some testing over the weekend.

Dell's response was that Intel's AFT/ALB was entirely software based.

That left me with few options:
1) Try userland layer 3 failover (ugly)
2) Use ng_one2many

However, ng_one2many only permits for two algorithms: 
NG_ONE2MANY_XMIT_ROUNDROBIN and NG_ONE2MANY_XMIT_ALL.


However, none of these meet the need:
- Round-Robin results in 50% packet loss if a hook/interface is lost (not 
acceptable in any mission critical environment).
- Xmit-All causes twice as much load to be placed on the switch/fabric 
and switch CPU.


What ng_one2many needs is an "Active-Standby" XMIT algorithm (STP BOFH's 
will think BLOCKING/FORWARDING).  It could even be used on top of other 
NetGraph nodes like ng_fec or possibly (hopefully) ng_802.3ad >:}


Essentially, a single layer 3 IP address needs to be visible in a "switch 
fault tolerant" or "adapter fault tolerant" configuration.  A 
userland-level daemon could be scripted, and it has been done before:


http://lists.freebsd.org/pipermail/freebsd-isp/2003-November/001314.html

So when a fail-over occurs, the layer 3 IP address moves from one layer 2 
MAC address to another layer 2 MAC address on the same machine (and same 
subnet, same ethernet segment, just a different interface).  TCP sockets 
should not be affected due to layer abstraction.


This got me thinking about HSRP/VRRP.  That protocol is designed strictly 
to move a layer 3 address between two different hosts.   Excellent 
applications are Router/Firewall and VPN concentrator, as OpenBSD's 
carp(4) has implemented with the help of pfsync.  I was experimenting with 
the OpenBSD variant and I realized that client hosts weren't seeing the 
usual warnings about MAC address changes.


As of 3.7, OpenBSD's CARP shares a virtual MAC address between the hosts, 
Cisco's HSRP does not.


Then I was thinking about the OpenBSD/NetBSD bridge(4) interface.  If the 
host acting as the bridge wishes to, it can participate in the bridged 
networks by assigning a layer 3 address.  The address isn't ifconfig(8)'d 
to the "bridge0" interface.  Instead, it's assigned to the first interface 
included in the "bridge[0-9]", say fxp0.


Furthermore, regardless of what network segment/port a host participating 
in a bridge(4)'d network resides, the ARP'd IP address of the 
OpenBSD/NetBSD host is persistently the MAC of the first physical interface 
ifconfig(8)'d with the IP.


Plus OpenBSD/NetBSD bridge(4) supports 802.1d spanning tree >:}

This is important.  Spanning Tree as an algorithm could provide Intel AFT 
"Fault Tolerance" intelligence if the persistent layer 2 address of a host 
was unchanged with the NIC interface change.  The function of STP is to 
provide a loop free path to every layer 2 MAC in a segment.  But an STP 
enabled bridge(4) with an IP address assigned has a persistent MAC address 
associated with a layer 3 address!


Therefore, the solution has been there all along.  The attached diagram 
explains in greater detail.


http://digitalfreaks.org/~lavalamp/OpenBSD_Bridge_AFT.png

In this diagram, switch 0 is configured manually as the spanning tree root 
and switch 1 is the backup spanning tree root.  By default, rl0 will be in 
BLOCKING and rl1 will be FORWARDING.  However, as tcpdump(8) 
illustrates, regardless of which interface is the root port, ARP replies 
will always return the MAC of the bridge(4) member interface ifconfig(8)'d 
with the IP.


rl0: flags=8943 mtu 1500
address: 00:50:fc:9d:24:d6
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.100.1 netmask 0xff00 broadcast 192.168.100.255

rl1: flags=8943 mtu 1500
address: 00:50:fc:9d:08:cd
media: Ethernet autoselect (100baseTX full-duplex)
status: active

---

bridge0: flags=41
Configuration:
priority 32768 hellotime 2 fwddelay 15 maxage 20
Interfaces:
rl1 flags=b
port 2 ifpriority 128 ifcost 55 forwarding
rl0 flags=b
port 1 ifpriority 128 ifcost 55 blocking
Addresses (max cache: 100, timeout: 240):
00:01:63:bb:f7:c9 rl1 1 flags=0<>
00:0f:1f:c1:f2:b7 rl1 1 flags=0<>
-
# tcpdump -i rl1 -n arp
12:38:17.806885 arp who-has 192.168.100.1 tell 192.168.100.254
12:38:17.806951 arp reply 192.168.100.1 is-at 0:50:fc:9d:24:d6
12:38:17.806966 arp reply 192.168.100.1 is-at 0:50:fc:9d:24:d6

bs0#sh spanning-tree vlan 11 interface fa0/9

Spanning tree 11 is executing the IEEE compatible Spanning Tree protocol
  Bridge Identifier has priority 100, address 0001.63bb.f7c2
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set, changes 54
  Times:  hold 1, topology change 35, notification 2
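
An added example, not part of the original post: a Python check that ties the ifconfig(8) and tcpdump(8) output above together, confirming that every ARP reply for the bridge's IP carries the MAC of the member interface that holds the address, whichever port is forwarding. The first capture is copied from the post; the second is constructed to show what a reply from the other member's MAC would look like. Function names are hypothetical, and the parser assumes the "address:" and "is-at" line formats shown in the post.

```python
import re

# Interface listing as shown in the post (trimmed to the fields used here).
IFCONFIG_FROM_POST = """\
rl0: flags=8943 mtu 1500
address: 00:50:fc:9d:24:d6
inet 192.168.100.1 netmask 0xff00 broadcast 192.168.100.255
rl1: flags=8943 mtu 1500
address: 00:50:fc:9d:08:cd
"""

# tcpdump lines as shown in the post (captured on rl1).
CAPTURE_FROM_POST = [
    "12:38:17.806885 arp who-has 192.168.100.1 tell 192.168.100.254",
    "12:38:17.806951 arp reply 192.168.100.1 is-at 0:50:fc:9d:24:d6",
    "12:38:17.806966 arp reply 192.168.100.1 is-at 0:50:fc:9d:24:d6",
]

# Constructed counter-example: the reply carries rl1's MAC instead.
CAPTURE_CONSTRUCTED = [
    "12:40:02.000001 arp who-has 192.168.100.1 tell 192.168.100.254",
    "12:40:02.000090 arp reply 192.168.100.1 is-at 0:50:fc:9d:8:cd",
]

ARP_REPLY = re.compile(r"arp reply (\S+) is-at ([0-9A-Fa-f:]+)")


def norm_mac(mac):
    """tcpdump drops leading zeros in each octet; ifconfig does not."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def parse_ifconfig(text):
    """Return {ifname: {"mac": str or None, "inet": [ip, ...]}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^(\w+): flags=", line)
        if header:
            current = ifaces.setdefault(header.group(1),
                                        {"mac": None, "inet": []})
        elif current is not None and line.startswith("address:"):
            current["mac"] = norm_mac(line.split()[1])
        elif current is not None and line.startswith("inet "):
            current["inet"].append(line.split()[1])
    return ifaces


def check_replies(lines, ifaces):
    """For each ARP reply about a local IP: (ip, mac, matches_owner)."""
    owner_mac = {ip: info["mac"]
                 for info in ifaces.values() for ip in info["inet"]}
    results = []
    for line in lines:
        reply = ARP_REPLY.search(line)
        if reply and reply.group(1) in owner_mac:
            mac = norm_mac(reply.group(2))
            results.append((reply.group(1), mac,
                            mac == owner_mac[reply.group(1)]))
    return results


if __name__ == "__main__":
    ifaces = parse_ifconfig(IFCONFIG_FROM_POST)
    for capture in (CAPTURE_FROM_POST, CAPTURE_CONSTRUCTED):
        print(check_replies(capture, ifaces))
```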
  

Re: ZFS Boot Support from Installer

2009-08-14 Thread Brian A. Seklecki
On Mon, 2009-08-03 at 09:48 -0700, Tim Gustafson wrote:
> Hi,
> 
> I was wondering if there was a plan or time line in place to support
> ZFS boot partitions in the installer.


No one has gone near that stuff in years.  We don't even have gmirror(8)
creation support in there.

Best not to use sysinst.  The livefs image has all of the tools that you
need to bootstrap a system.

 ~BAS




Re: ZFS Boot Support from Installer

2009-08-14 Thread Brian A. Seklecki
On Fri, 2009-08-14 at 08:58 -0700, Tim Gustafson wrote:
> then there's no reason that the functionality couldn't or shouldn't be
> built into the installer.

With a few machines, yes.  Once you get to 5 or 6, start building your
own custom internal ISOs, and maintain your configuration templates in
SVN or use Puppet.

I make the suggestions because you're asking about an advanced topic, so
I gave you an honest answer.

~BAS




Re: bwi driver

2009-08-14 Thread Brian A. Seklecki
On Fri, 2009-08-14 at 12:41 +, Eitan Adler wrote:
> I have a Lenovo G530 laptop with a broadcom wireless card.
> I downloaded the drivers referenced here:

If the driver didn't attach because IBM chose some exotic OEM PCI ID,
then the grep won't find it.

You really should post the full pciconf(8) and dmesg(8) for us, as well
as kldstat(8) -v.

uname(1) -a would also be helpful.

~BAS

> However pciconf -lv|grep bwi produces no output and ifconfig does not
> mention any wireless cards.
> 
> What should I try now?
> 
> 




Re: Trying to make a mirror for a disconnected lab

2009-08-28 Thread Brian A. Seklecki
On Tue, 2009-08-25 at 22:20 -0400, Duncan Hutty wrote:
> 
> Q. ports/distfiles contains tarballs of multiple versions of each 
> software; I assume that I only need one version of each tarball. And 
> since this mirror as described comes to ~100GiB, how can I modify my 

For this you want portsclean(8) "-D" argument.  Prunes out
unused/unneeded distfiles.

There's probably a way to do it with rsync based on date or whatnot; but
it gets tricky.  Every iteration of your sync script will bring back
what you prune out.

  Q. ports/distfiles contains tarballs of multiple versions of each 
  software; I assume that I only need one version of each tarball. 
  And since this mirror as described comes to ~100GiB, how can I modify
  my rsync filter so I don't get anything more than either the latest
  tarball for each software package in distfiles or whichever version
   accords to the Makefiles provided by ports.tgz


~BAS

> rsync filter so I don't get anything more than either the latest
> tarball for each software package in distfiles or whichever version
> accords to 
> the Makefiles provided by ports.tgz
> 




Re: mfi(4) lockups and the adapter event log

2009-11-09 Thread Brian A. Seklecki
> with linux-megacli showed TONS of messages.  Trying to clear them using 
> linux-megacli seemed to cause a similar lockup, filled with command 
> timeouts, but no fatal firmware error.


Also, does anyone know if the mfiutil(8) util in RELENG_8 has the
ability to purge the event log?  

Man page 'clear' command nukes the volume configuration >:}

We don't have RELENG_8 on a PowerEdge system yet.

~BAS



Re: Default list of exported variables in sh(1) - $HOSTNAME

2008-12-29 Thread Brian A. Seklecki

> > SSH_CONNECTION
> > FTP_PASSIVE_MODE
> > EDITOR
> 
> I suspect linux to set them from .profile files (even /etc/profile) and not 
> hardcoded in a shell or login program. The default skeletons 

Mel:

 You were right to some extent.  However, the problem is more
complicated (or less complicated, depending).

First, FreeBSD's default php.ini doesn't have:

$variables_order = "EGPCS", so $ENV[] array wasn't getting populated at
all.

Second, Apache FreeBSD RC scripts inherit the user environment from
sudo(8) unless you pass -H or -i flag/args

E.x.:,

 % sudo -H -i -u root /usr/local/etc/rc.d/apache22 restart

Compared to:

 $ su -
 Password:
 $ /usr/local/etc/rc.d/apache22 restart

Result in completely different results in PHP's $_ENV[]

Additionally, the results of "$ su -" differ completely from the shell
environment that executes when rc(8) is first run at boot time.

I may be better off using getenv() in PHP directly.
  
~BAS



> in /usr/share/skel on FreeBSD does not set them. Neither 
> does /etc/login.conf. 


> I would set it in /etc/profile.
> 
-- 
Brian A. Seklecki 
Collaborative Fusion, Inc.




Re: Default list of exported variables in sh(1) - $HOSTNAME

2008-12-29 Thread Brian A. Seklecki
On Mon, 2008-12-29 at 12:05 -0900, Mel wrote:
> 
> > I may be better off using getenv() in PHP directly.
> 
> For portability yes, since it doesn't rely on EGPCS, but otherwise
> they give the same results.

Another option would be to pay the PHP people to add POSIX 1003.1-2001
gethostname(2).  I'll ask on the lists.

-- 
Brian A. Seklecki 
Collaborative Fusion, Inc.




Re: FreeBSD 7.0 reboots on Dell 2950

2009-01-27 Thread Brian A. Seklecki

> mail# cd /usr/ports/sysutils/megarc
> mail# make install clean
> ===>  megarc-1.51 is marked as broken: Running megarc seems to cause 
> memory corruption.


We have a PR open on that  - 
ports/130326:

http://groups.google.com/group/lucky.freebsd.ports.bugs/browse_thread/thread/14c7c3b8261e8be7/f8cd79bbd9404609?lnk=raot&pli=1


~BAS


> *** Error code 1
> 
> Stop in /usr/ports/sysutils/megarc.
> mail#
> 
> Hm. Do I really need it? :-)







Re: weird permissions on directories when installing ports through sudo

2009-02-25 Thread Brian A. Seklecki

> lowering the umask of the person running sudo.
> 
> This had the effect of truly screwing up many installed ports for me 

Maybe try "sudo -H -u root [command]"   NetBSD Pkgsrc is nice in this
respect because it has sudo(8) integration in the MKs. ~BAS




Re: weird permissions on directories when installing ports through sudo

2009-02-25 Thread Brian A. Seklecki

> I didn't think this would do much, but gave it a try anyway
> And it doesn't help.  :/

I think I meant '-i' -- but I'd have to look at the patch's interaction.

I can't recreate the problem in the 1.6.x we're running in our internal
release engineering.

1.7.x, and its associated backport, created the local brouhaha with
groups credential crashing.  Perhaps next time a -dev extension of the
port should roll for a few months (6-9), especially given the history of
sudo releng.

~BAS






Re: FreeBSD 7.1 on Dell PowerEdge 850

2009-03-19 Thread Brian A. Seklecki
On Wed, 2009-03-18 at 14:10 -0500, Dean Weimer wrote:
> Just wondering if anyone is running FreeBSD 7.1 on a Dell PowerEdge 850
> with SATA raid, I have 5.4 installed on one now, because there was a
> problem with the Intel ich5 sata chipset on 6.x branch at the time I


RAID on the 850 is rare, since the drives are fixed position non-hotswap
(and the unit doesn't have a single other redundant component)

Check the NYCBSDUG dmesg(8):

http://www.nycbug.org/

If not there, then post it after you try.

~BAS

PS.  It's software assisted RAID, right, not some AMI/LSI/QLogic hack?




ubsec(4) and geli(4) Benchmarks (WAS: Re: freebsd encrypted hard disk? (fwd))

2009-04-01 Thread Brian A. Seklecki

All:

 Has anyone bench-marked the performance improvements associated with
 various ubsec models in conjunction with OpenSSL cryptodev acceleration
 of geli(4) in the kernel?

 I have a sneaking suspicion that I'm a pilgrim on unholy land here.

 I'm precluding hifn(4), padlock(4), and gblx(4), which are nice for
 offsetting low power CPUs on embedded platforms, from my question, and
 assuming that the only supported SSL accelerator that will actually
 'complement', as opposed to 'hinder' a multi-core Xeon system, when
 offloaded, is ubsec(4)?

 Thoughts?


 ~BAS



-- Forwarded message --
Date: Thu, 15 Jan 2009 18:33:30 +0100 (CET)
From: Wojciech Puchar 
To: Roland Smith 
Cc: RW , freebsd-questions@freebsd.org
Subject: Re: freebsd encrypted hard disk?

>
> It turns out that on a multi-core machine a geli thread is started on
> each core for each disk (4 cores, two disks):

and it is actually used when many transfers are done in parallel.

my core2duo saturates (both cores 100% load) at about 100MB/s disk I/O


Re: jail stop

2009-04-06 Thread Brian A. Seklecki
On Mon, 2009-04-06 at 15:27 -0400, alexus wrote:
>  cannot stop jail mx. No jail id in /var/run

$ uname -a 

There were problems with TTY code in older versions that would cause
processes to get stuck, ghosting jails.





Re: 6.2 STABLE to 6.2 RELEASE problem

2009-04-13 Thread Brian A. Seklecki
On Mon, 2009-04-13 at 16:29 -0230, Philip van Ulden wrote:
> One other weird thing is that it seems to mount /dev/md0 on
> /var as well which doesn't look right.  

That code happens for some reason in /etc/rc.d/var.  That's all I have
for you.  

Your downgrade plan sounds very Linux/Windows'y.  Binary upgrades in
general.  

-- 
Brian A. Seklecki 
Collaborative Fusion, Inc.




Re: Configuring an IPv6 router to assign addresses

2009-05-08 Thread Brian A. Seklecki
On Wed, 2009-05-06 at 14:30 +, af300...@gmail.com wrote:
> Hi,
> 
> I've found in the handbook how to start up a v6 router and some other  
> helpful links on this topic at the FreeBSD diary. However, I'm wondering,  

You want the rtadvd(8) daemon.

$ sudo grep -i rtadvd /etc/defaults/rc.conf 
rtadvd_enable="NO"  # Set to YES to enable an IPv6 router
rtadvd_interfaces=""# Interfaces rtadvd sends RA packets.

To hand out DNS servers, you'll want DHCPv6, but most folks are okay
with the DNS servers they're getting via IPv4 static/dhcp.

I recommend purchasing ipvbook.ca.  Great read.

~BAS

> how do I configure the router to assign addresses to hosts.
> 
> Thanks,
> Andy




Re: filesystem: 12h to delete 32GB of data

2009-05-08 Thread Brian A. Seklecki
On Wed, 2009-05-06 at 13:54 +0200, Olivier Mueller wrote:
> -> it took about 12 hours to delete these 30GB of files and
> sub-directories (smarty cache files: many small files in many dirs).

Haven't you ever had the pleasure of running Sendmail on Solaris? :)

Move this data store to a separate partition.  When it comes time to
burn the queue, stop the service, unmount the partition, newfs it,
remount, restart svc.

Long live Pisces v2.  ~BAS



Re: HyperThreading

2009-05-08 Thread Brian A. Seklecki
On Wed, 2009-05-06 at 02:20 -0400, APseudoUtopia wrote:
> Am I correct to assume that the above means that HTT is enabled?
> There is nothing in my loader.conf, sysctl.conf, or kernel config file
> related to hyperthreading.

Yes, you are correct.  Try:

% sudo ps gauxww 

Or 

% sudo top

You can see the currently assigned CPU for each proc/thread.

~BAS



Re: FreeBSD on VMware ESXi

2009-05-08 Thread Brian A. Seklecki
On Wed, 2009-05-06 at 13:44 +0300, Daniels Vanags wrote:
> We moved Hard Disk Drives from HP ProLiant DL 385 G2 with 4GB RAM, AMD
> Opteron processor to HP ProLiant DL 380 G5, 4GB RAM, Intel Xeon
> processor.
> 
> Disks contain FreeBSD Virtual Machines running in VMware ESXi Server.
> When trying to boot, getting error: BTX halted.
> 
> Please explain, how to start FreeBSD on different hardware.

Well, assuming that HFUX's RAID, VMWare and Linux doesn't totally shit
the bed from the hypervisor CPU type change, the VMs are controllable
from the spiffy AJAX/.Net20 VMWare management console.

There's plenty of debugging available from there.

Presumably all of the virtual hardware presented to the VM will be the
same, except the CPU details.

~BAS



Re: Sun E250

2009-05-11 Thread Brian A. Seklecki
On Mon, 2009-05-11 at 10:27 +0100, RAUL H C LOPES wrote:
> Hello,
> 
> We've got a Sun server E250 with a disk array Storedge A1000. We'd like 
> to

Try a LiveCD on it?  Also, does the Storedge A1000 require a special
RAID controller or does it appear on the onboard HBA as a logical
volume?

In my experience, Sun has a limited set of RAID cards, but most RAIDs
are DAS with a management interface (Ethernet mostly) 

~BAS



Re: Sun E250

2009-05-15 Thread Brian A. Seklecki
On Mon, 2009-05-11 at 16:19 +0100, RAUL H C LOPES wrote:
> Hi,
> 
> No. the A1000 does not require any special RAID controller.
> 
> Freebsd 7.2 is freezing after message:
>  Jumping to kernel entry at 0xc0078000

Okay, this erroneous behavior is happening much earlier than before the
RAID controller probe.

I would recommend asking about E250 support on
freebsd-spar...@freebsd.org (CC'd)

Make sure that you try this with a serial console attached to the unit.

~BAS

> 
> I tried boot both with "bootonly" and "install" CDs.
> 
> raul



Re: FreeBSD 7.1 opencrypto --> kern.cryptodevallowsoft

2009-05-15 Thread Brian A. Seklecki
On Tue, 2009-05-12 at 19:14 +0100, Brendan Kennedy wrote:
> Hi All,
> 
> I'm trying to test a hardware crypto driver, but want to run my tests
> through the software driver first (and possibly use the software
> driver to validate results).
> I have set the following in my GENERIC conf file:
> 

What does kldstat(8) / openssl(1) return?

% sudo openssl engine 
(dynamic) Dynamic engine loading support

$ openssl engine
(cryptodev) BSD cryptodev engine
(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support

$ kldstat |egrep -i 'cry|ub'
 33 0xc0e06000 25b78crypto.ko
 71 0xc64c9000 4000 cryptodev.ko
 81 0xc6546000 a000 ubsec.ko


Return?

~BAS


> device  crypto
> device  enc
> options IPSEC
> 
> I have rebuilt the kernel, rebooted and set the
> kern.cryptodevallowsoft kernel variable to 1:
> 
> FreeBSD_26# sysctl -a | grep crypto
> kern.cryptodevallowsoft: 1
> 
> However, when I try a test, I get the following:
> 
> FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va 3des
> cipher 3des keylen 24
> CIOCGSESSION: Invalid argument
> FreeBSD_26# /usr/src/tools/tools/crypto/cryptotest -va des
> cipher des keylen 8
> CIOCGSESSION: Invalid argument
> 
> It seems the software crypto device is not available. Do I need to do
> any other steps to enable it? Is there another config option that
> makes sure it is build as part of Opencrypto framework? Do I need to
> build some other software driver instead?
> 
> Best Regards,
> Brendan



Re: Legato Client for freeBSD 7

2009-06-11 Thread Brian A. Seklecki
On Thu, 2009-06-11 at 10:29 +0200, Gian Paolo Buono wrote:
> Hi,
> I have a server running freeBSD7  that needs the legato backup client

Legato is no more.  Legato and RSA are now EMC.  

Time to upgrade to Bacula!

~BAS





Re: fsck

2009-06-16 Thread Brian A. Seklecki
On Tue, 2009-06-16 at 22:36 +0300, Peter wrote:
> When power goes down and file system gets corrupted and system becomes
> unbootable I need to login to the machine via console and run

APC upsd(8) can auto-run 'shutdown -hp now' for you when your UPS is
almost discharged.

Then you can set your ACPI settings to default to power on state when
power is restored.  You can get an APC Backups 350 for ~ $50 retail.

-- 
Brian A. Seklecki 
Collaborative Fusion, Inc.




Re: SSO solution in ports?

2009-07-17 Thread Brian A. Seklecki
On Thu, 2009-07-16 at 10:52 -0400, John Almberg wrote:
> I am trying to build a set of web applications that are accessed  
> through a web portal that uses a Single Sign On (SSO) solution.  

Combine your SSO (LDAP mostly, Kerberos is a waking nightmare) with a
2FA/TFA (Second Factor Authentication) solution such as grid cards,
FOBs, or an OTP password list.

I recommend Entrust IdentityGuard.   Our pam_radius works fine with it,
and web application can run NSS functionality out of LDAP and PAM
functionality out of Entrust's SOAP-XML Authentication API. 

 ~BAS




Restarting network & vlan interface = kernel memory corruption (if_vlan / conf/63700 redux)

2010-11-19 Thread Brian A. Seklecki
[Originally from freebsd-hackers@ / Feb 2008; freebsd-net Jun 2010]

 All:
  
 PR conf/63700 got the ball rolling on fixing cloned/VLAN 
 interface management with rc.d/netif, but a very specific problem
 still remains.

 For example, adding an alias to a VLAN and running:
 /etc/rc.d/netif restart && /etc/rc.d/routing restart 
 is a failure.

---

Take the following rc.conf(4) config:

hostname="sexdrugsandunix"
cloned_interfaces="vlan14"
ifconfig_em0="up media 100baseTX mediaopt full-duplex -tso"
ifconfig_vlan14="inet 1.2.3.4 netmask 255.255.255.128 vlan 14 vlandev em0 up"
ifconfig_vlan14_alias0="inet 1.2.3.5 netmask 255.255.255.255"

Change it to include a second alias without a reboot, instead run
'rc.d/netif restart', as works on a physical interface:

hostname="sexdrugsandunix"
cloned_interfaces="vlan14"
ifconfig_em0="up media 100baseTX mediaopt full-duplex -tso"
ifconfig_vlan14="inet 1.2.3.4 netmask 255.255.255.128 vlan 14 vlandev em0 up"
ifconfig_vlan14_alias0="inet 1.2.3.5 netmask 255.255.255.255"
ifconfig_vlan14_alias1="inet 1.2.3.6 netmask 255.255.255.255"

The result will be:

% ifconfig vlan14
[bsekle...@sureshot ~]$ ifconfig vlan14
vlan14: flags=8843 metric 0 mtu 
inet 1.2.3.6 netmask 0x broadcast 192.168.158.152
inet 1.2.3.5 netmask 0x broadcast 192.168.158.255


1) I'm not sure where the .152 broadcast comes from. ?!
2) The new _alias1= data is now in the primary IP slot
3) The primary IP is lost, there is no routable IP
4) The original _alias0= data is now in the 1st alias slot
5) rc.d/routing fails because the interface lacks a routable
   IP with a valid netmask/broadcast combination.

 ---

 Problem #1: rc.d/netif::network_stop()

 The core problem is that rc.d/netif::network_stop() never calls
 network.subr::clone_down() in the same way that
 rc.d/netif::network_start() calls network.subr::cloned_up()

 I'd speculate that this is a design decision not to destroy 
 network interfaces that certain userland daemons (DHCP, RTADVD, 
 BPF) may be strictly bound to; I disagree.

 Even if you explicitly pass your VLAN interface to rc.d/netif,
 a stop doesn't call 'ifconfig [VL] destroy', and, when 'rc.d/netif start'
 is called later, SIOCSETVLAN results.

 jail-host-80:/home/bseklecki% sudo ifconfig vlan666 destroy
 jail-host-80:/home/bseklecki% sudo ifconfig vlan666 
 create inet 1.2.3.4 netmask 255.255.255.0 vlan 666 vlandev em0
 jail-host-80:/home/bseklecki% sudo ifconfig vlan666 
 create inet 1.2.3.4 netmask 255.255.255.0 vlan 666 vlandev em0
 ifconfig: create: bad value

 A simple rc.d/network_stop() patch could fix this problem if 
 we can avoid bikeshedding.

--


 Problem #2: VLAN interface kernel data structures maintain configuration 
 data after being destroyed and re-created

%ifconfig vlan666
vlan666: flags=8843 metric 0 mtu
1500
options=3
ether 00:0c:29:a1:4b:9d
inet 192.168.15.54 netmask 0xff00 broadcast 192.168.15.255
media: Ethernet 1000baseT 
status: active
vlan: 666 parent interface: em0
%sudo ifconfig vlan666 destroy
%sudo ifconfig vlan666 create
%ifconfig vlan666
vlan666: flags=8843 metric 0 mtu
1500
options=3
ether 00:0c:29:a1:4b:9d
!!**>>  inet 192.168.15.54 netmask 0xff00 broadcast 192.168.15.255 <<**!!
media: Ethernet 1000baseT 
status: active
vlan: 666 parent interface: em0

Now, that's something you don't see every day!!


NOTE: I can't get that persistent IP data problem to happen
consistently, but it's highly reproducible.

I also have no idea on the fixes, I'll check this weekend, but I have a
work-around.

To avoid destroying your routing table after adding an alias to a VLAN
interface in rc.conf(5), simply run:

 $ sudo /etc/rc.d/netif [VLAN] start

 DO NOT RESTART, and you should be okay.

~BAS

References:

http://lists.freebsd.org/pipermail/freebsd-hackers/2008-February/023440.html
http://www.freebsd.org/cgi/query-pr.cgi?pr=63700&cat=  (Circa 2004)
http://lists.freebsd.org/pipermail/freebsd-net/2007-September/015447.html
http://lists.freebsd.org/pipermail/freebsd-net/2010-June/025514.html


-- 
Brian A. Seklecki 
Collaborative Fusion, Inc.






Re: Exabyte VXA tape drives - anyone using?

2007-09-27 Thread Brian A. Seklecki
Run it through strace(1) and ktrace(1) in Linux and see what devices it
talks to in /dev and see if they can be emulated.  It's probably talking
to /dev/ns{r,a}0 and /dev/ch0, depending on udev/autodev/
foo-bar-latest-greatest linux framework.

You might also check the Amanda/Bacula list archives.

~BAS

On Wed, 2007-06-27 at 12:09 -0400, Rob wrote:
> Linux emulation on FreeBSD?  It's just a simple utility for operating
> & running



Re: GEOM, Vinum difference

2007-09-27 Thread Brian A. Seklecki
On Wed, 2007-08-22 at 08:51 +0400, Rakhesh Sasidharan wrote:
> Lowell Gilbert wrote:
> 
> > Rakhesh Sasidharan <[EMAIL PROTECTED]> writes:
> >
> >> I see that if I want to do disk striping/ concating/ mirroring,
> >> FreeBSD offers the GEOM utilities and the Vinum LVM (which fits into
> >> the GEOM architecture). Why do we have two different ways of doing the

...

> definitely a difference. Thanks!
> 
> Another (related) question: both gvinum and the geom utilities like 
> gmirror and gstripe etc provide for RAID0, RAID1, and RAID3. Any 
> advantages/ disadvantages of using one instead of the other?

It depends greatly upon your application and needs.  A common practice
in a common 6-disk capable server is to use a RAID1 set of smaller
capacity, faster speed/RPM disks for RAID1 for the "system" file
systems, while using a combination of larger, slower disks in a RAID1
set, then RAID0'd together for both space, performance, and redundancy.
RAID1+0.

~BAS



Re: OT: how to increase RAID space

2007-09-27 Thread Brian A. Seklecki
UFS/FFS probably won't deal well with the underlying "logical"-physical
disk size changing (bytes/section, number of sectors, etc.).  Even if it
was pure concatenation.

No, an LVM2/VxFS is needed.

Also, shops that can afford SAN and high end RAID tend to be able to
provision temp space to store media while they expand and re-create
volumes.

~BAS

On Wed, 2007-06-27 at 20:21 +1000, Norberto Meijome wrote:
> On Wed, 27 Jun 2007 17:07:32 +0700 (ICT)
> Olivier Nicole <[EMAIL PROTECTED]> wrote:
> 
> > > that's what a volume manager (such as LVM2 in linux, Veritas Vol Mgr , and
> > > vinum (I think) in FBSD 4 ) do  - they abstract the hardware storage 
> > > layer.
> > 
> > That is hardware RAID.
> 
> yes, i realise you mentioned it . You'd imagine some raid card manufacturers
> would have something as flexible as LVM built into their cards by now... maybe
> someone does already.. ?
> 
> _
> {Beto|Norberto|Numard} Meijome
> 
> "Those who do not remember the past are condemned to repeat it."
>George Santayana
> 
> I speak for myself, not my employer. Contents may be hot. Slippery when wet.
> Reading disclaimers makes you go blind. Writing them is worse. You have been
> Warned.


Re: gmirror

2007-09-27 Thread Brian A. Seklecki
The size column can be human readable number (ex, "5g") and the offset
can be the name of the previous partition.  For the offset and size of
the first and last partitions respectively use "*".  Read the
disklabel(8) man page for more details -- it is actually a real well
written one.

I wouldn't worry about exact replication -- the sector sizes and total
sectors of the logical gmirror volume and the underlying physical disk
will always be different -- that's the nature of LVM.

Just make them relatively close and match up the letters.

~~BAS

On Wed, 2007-06-27 at 14:16 -0400, [EMAIL PROTECTED] wrote:
> Quick question, I am configuring gmirror to mirror certain slices on my
> hard drives.. I want to mirror /dev/ad0s1 (700M) to another drive.. I am
> fine with configuring gmirror and getting it running but I am unsure of
> how I create the BSD slices with bsdlabel -e..
> 
> When I do a bsdlabel -e /dev/ad0s1 I get:
> 
> # /dev/ad0s1:
> 8 partitions:
> #        size   offset    fstype   [fsize bsize bps/cpg]
>   a:   409600        0    4.2BSD     2048 16384 25608
>   c:  1429722        0    unused        0     0         # "raw" part, don't edit
>   d:  1020122   409600    4.2BSD     2048 16384 63760
> 
> When I initially create the mirror on the backup disk, I run a bsdlabel -e
> /dev/mirror/gm0s1 and this is what it shows:
> 
> # /dev/mirror/gm0s1:
> 8 partitions:
> #        size   offset    fstype   [fsize bsize bps/cpg]
>   a:  1429705       16    unused        0     0
>   c:  1429721        0    unused        0     0         # "raw" part, don't edit
> 
> My initial instinct was to mirror the bsdlabel output from ad0s1 but with
> just the 16 offset for the 'a' slice coming out with:
> 
> # /dev/mirror/gm0s1:
> 8 partitions:
> #        size   offset    fstype   [fsize bsize bps/cpg]
>   a:   409584       16    4.2BSD     2048 16384 25608
>   c:  1429721        0    unused        0     0         # "raw" part, don't edit
>   d:  1020122   409584    4.2BSD     2048 16384 63760
> 
> Is my assumption correct?  Or am I missing something here?
> 
> 
> 


Re: CPU Monitoring Software

2007-09-28 Thread Brian A. Seklecki
And for visual historical data, use MRTG.

~BAS

On Fri, 2007-09-28 at 15:30 +0200, Dominique Goncalves wrote:
> Hi,
> 
> On 9/28/07, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> > I was wanting to see what my servers utilize as far as memory, disk, cpu,
> > etc. over a certain time period.  Is there some software that I can use?
> > I guess something like the 'top' command that gives an average output over
> > a certain time.
> >
> > I downloaded sysstat for my linux boxes, but it does not want to compile
> > under freebsd.
> 
> What about using systat(1) ? :-)
> It's already in the base system.
> 
> HTH,
> Regards.
> 
> > Thanks.
> >
> > --
> > Scott Mayo
> > System Administrator
> > Bloomfield Schools
> >
> > Gun Control: Belief that violent predators willing to ignore laws against
> > robbery, kidnapping, rape, and murder will obey a law telling them that
> > they cannot do so with a gun.
> >


Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?

2007-09-28 Thread Brian A. Seklecki
FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
(PKI).  

All other services (RADIUS, Apache ((mod_ldap, mod_pam_auth), PHP,
interactive shell, SFTP, etc.) can be tied into LDAP either directly or
via PAM.

As for password change, I don't know if anyone has a passwd(1) binary
that properly changes the LDAP password attribute -- if there is and it's
out there, it requires ACL insanity.  Like Oracle, you can either
understand OpenLDAP ACLs, or you have real work to do  >:}

Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
-- set to "debug 1" to get debugging info.  Feel free to share
error messages.

~BAS

On Fri, 2007-09-28 at 10:54 +, O. Hartmann wrote:
> Hello out there,
> I have a problem with setting up an FreeBSD box as OpenLDAP server with 
> several services, like SAMBA, NFS.
> 
> The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also 
> acting as OpenLDAP server. So far. OpenLDAP is up and running, using 
> TLS/SSL certificate. SAMBA is also up and running - but it never 
> connects to the OpenLDAP server due to an connection error, but this 
> shouldn't be the subject here, I have more basic questions about what 
> FreeBSD already has and what to install additionally.
> 
> I want customers to log in on the FBSD box, so they should log in 
> (authenticated via OpenLDAP), change their passwords and shells and 
> those user specifica should be updated on the LDAP server.
> 
> I already installed pam_ldap-port but ran into trouble because FreeBSD's 
> nss obviously does not have a tag 'ldap' to refer to an OpenLDAP server 
> (and not files).
> Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff, 
> especially if SSL/TLS come into play and I would like to ask those 
> herein administering those setups, especially within a hybrid NFS/SAMBA 
> fileservicing environment, where to find up to date 
> information/howto/tips.
> 
> Most websites and HowTo's I found were Linux related or, if related to 
> FreeBSD, outdated.
> 
> Sorry for being so unspecific, but the problem is complex (to me) so I 
> would better ask for those who are willing to help or give hints and tips.
> 
> Thanks in advance and for your patience,
> Oliver
> 


Re: 6.2 amd64 ufs_dirbad

2007-09-29 Thread Brian A. Seklecki
Can you post your dmesg(8) from /var/run/dmesg(8) so that we can see
your SATA controller information?

Can you try loading /usr/obj and /usr/src onto an alternate disk to see
if the problem is controller/HBA/sata cable/disk related?

~BAS

On Fri, 2007-09-28 at 10:33 -0700, Eric Osterweil wrote:
> 
> 
> 
> I've been chasing my tail with a problem for a few days now and I'm  
> about to throw in the towel.  I have a Tyan Thunder K8SR w/ 2  
> amd64's, 6GB of mem, and a 250 GB SATA drive.
> 
> I've been trying to get FreeBSD 6.2 amd64 on it.  When I do the  
> install, if I try to put the ports on, it reliably crashes with a  
> ufs_dirbad.  I can install w/o the ports.  I found a ref to booting  
> with:
> set hw.physmem="4G"
> and that gets me through (w/ the ports).
> 
> When I buildworld, I eventually get the same ufs_dirbad.
> 
> I have swapped out the drive and tried a new one (same problem).   
> WHenever I reboot (at all) if I fsck I see lots of filesystem  
> errors.  I just did a memtest86 over night, and found no problems.
> 
> Can anyone help me out here?  I can provide any other info that would  
> help.
> 
> Thanks,
> 
> Eric


Re: How to restart a freezed tty?

2007-09-29 Thread Brian A. Seklecki


On Sat, 2007-09-29 at 13:16 +0330, Bahman M. wrote:
> Hi all,
> 
> For some reason all the ttys are frozen up; I can switch between X and
> them back and forth but not between the ttys themselves using ALT+Fn.

Can you start new xterms?  When you say 'frozen', do they "not accept
keyboard input"?  Is it possible scroll-lock is enabled?  What about the
TTY that you started Xorg from?

Is this temporal? When did it start happening?  

Is there anything in /var/log/messages?

Did you try: $ sudo pkill -HUP init ?

~BAS

> I tried killing them; they terminate and restart but still
> frozen.  I don't believe the only way out is to restart the system.
> 
> How to make ttys behave normally?  I'd appreciate any idea.
> FreeBSD 6.2-RELEASE-p7 
> xorg-7.2
> fluxbox-1.0rc3_3
> 
> TIA,
> 
> Bahman


Re: using the date command

2007-09-29 Thread Brian A. Seklecki
To set time:

$ sudo /usr/sbin/ntpdate pool.ntp.org
29 Sep 23:48:31 ntpdate[9404]: adjust time server 66.250.45.2 offset
0.001289 sec

To date info about your timezone settings:

$ zdump /etc/localtime 
/etc/localtime  Sat Sep 29 23:49:19 2007 EDT

Options:

$ ls -l /usr/share/zoneinfo/ | egrep -v "^d"
total 78
-rw-r--r--   1 root  wheel755 Aug 22 11:11 CET
-rw-r--r--   1 root  wheel837 Aug 22 11:11 CST6CDT
-rw-r--r--   1 root  wheel679 Aug 22 11:11 EET
-rw-r--r--   1 root  wheel 56 Aug 22 11:11 EST
-rw-r--r--   1 root  wheel837 Aug 22 11:11 EST5EDT
[...]

To set timezone:

$ ln -s /usr/share/zoneinfo/$WHATEVER /etc/localtime

For you probably PST8PDT.

For your best NTP experience, use OpenNTP from
ports: /usr/ports/net/openntpd/

~BAS



On Sat, 2007-09-29 at 20:33 -0700, jekillen wrote:
> Hello all;
> I have built 4 machines and installed FreeBSD 6.0 in one and 6.2
> in the other three. They are all using the wrong date and time.
> The last one (v6.2 on ecs mb with AMD64) is the worst. It is telling
> me today is Jan 3 2003 PST (I am on the west coast and it is still PDT).
> These machines are all web servers. So up until now this has not been
> a big issue but a configuration of software is complaining that the 
> files
> it creates have an older date than the files in the software bundle,
> it is time to do something about it. So I am looking at man date and as
> I interpret the instructions #date ccyymmddHHMM.ss  (20079282027.00 or
> 200709282027.00 for instance) is supposed to set the
> clock to the current date. But when I run a command with the
> current date and time in the above format I get the complaint that
> the format string is wrong.
> Can anyone be kind enough to give me a quick tutorial on this?
> I will be looking seriously into using NTP, but for now I need to
> get the date straight. I have entries in apache error log generated
> by php scripts that are supposed to use its date command.
> Thanks in advance for assistance.
> Jeff K
> 


Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?

2007-09-29 Thread Brian A. Seklecki


There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc . 
You need to set a variety of settings there.  What do they look like?


Remember: pkg_info -L pam_ldap nss_ldap!

Also, not sure about the TCP FIN_2 issue -- probably just the usual shakes 
and bangs with -current.  ~BAS



On Fri, 28 Sep 2007, O. Hartmann wrote:


Thank you for responding.
So, I'll feel free reporting my bad luck. This is a reference page I 
consulted for some hints, but without success:


http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html

First, OS is the most recent FreeBSD 7.0.
OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or 
anything else apart from default

PAM_LDAP
NSS_LDAP

I renamed cached.conf to nscd.conf as suggested (for your information).
In /etc/nsswitch.conf I changed
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I also changed /etc/pam.d/sshd to this:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


Both configuration files for nss_ldap and pam_ldap respective got linked to 
/usr/local/etc/openldap/ldap.conf, which looks like this:


#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE            dc=foo,dc=org
#URI            ldapi:///
URI             ldapi://%2fvar%2frun%2fopenldap%2fldapi/

#SSL start_tls

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERT
#TLS_CERT
#TLS_KEY
#TLS_REQCERT    allow
#TLS_REQCERT    demand
#TLS_CHECKPEER  yes

My /etc/rc.conf.local file has the following OpenLDAP specific entry:

###
### OpenLDAP Server ###
###
slapd_enable="YES"
#slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210"'

slapd_sockets="/var/run/openldap/ldapi"


My OpenLDAP config file has SSL-certificates disabled.

After the installation of nss_ldap the slapd server takes several decades of 
seconds to start. But it starts well and after it has initiated itself, I can 
do on the server a simple 'slapcat' and receive.


But I can't access the LDAP server. Doing an 'id testuser' results in 'id not 
found'.


On the console, I receive massively errors like this:

TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18; 
tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending 
RST and removing tcpcb


Well, I checked sockstat for a listening slapd and I found slapd listening on 
both loopback, local NIC and on both ports 389 and 636.


So what is wrong ?

Regards,
a desperate Oliver




Brian A. Seklecki wrote:

FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
(PKI). 
All other services (RADIUS, Apache ((mod_ldap, mod_pam_auth), PHP,

interactive shell, SFTP, etc.) can be tied into LDAP either directly or
via PAM.

As for password change, I don't know if anyone has a passwd(1) binary
that properly changes the LDAP password attribute -- if there is and it's
out there, it requires ACL insanity.  Like Oracle, you can either
understand OpenLDAP ACLs, or you have real work to do  >:}

Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
-- set to "debug 1" to get debugging info.  Feel free to share
error messages.

~BAS

On Fri, 2007-09-28 at 10:54 +, O. Hartmann wrote:


Re: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)

2007-10-01 Thread Brian A. Seklecki


Does it log in as the LDAP user or the PAM super-user to do the attribute 
change?  I'll check out the source...but that's great news.  ~BAS



On Mon, 1 Oct 2007, Jonathan McKeown wrote:


On Friday 28 September 2007 16:29, Brian A. Seklecki wrote:

FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
(PKI).

All other services (RADIUS, Apache ((mod_ldap, mod_pam_auth), PHP,
interactive shell, SFTP, etc.) can be tied into LDAP either directly or
via PAM.

As for password change, I don't know if anyone has a passwd(1) binary
that properly changes the LDAP password attribute -- if there is and it's
out there, it requires ACL insanity.


The passwd(1) program was rewritten some time ago to use PAM, but a test was
left in which prevents it doing so. I have asked, both on this list and on
freebsd-hackers in the last few weeks, whether there is any reason other than
historical to leave this test in, and been deafened by the silence. There are
a couple of PRs either open or suspended regarding this issue.

I diked out the whole switch statement and replaced it with a single printf,
and it works for changing LDAP passwords. I haven't thoroughly tested to see
if it causes any other problems.

Jonathan



l8*
    -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan



Re: Fibre Channel Card Detection

2007-10-03 Thread Brian A. Seklecki
We need to see your dmesg(8) output from /var/run/dmesg.boot and/or the
output of "pciconf -v" / "scanpci" / "lspci" ~BAS

~BAS

On Wed, 2007-10-03 at 11:34 -0700, Sean Murphy wrote:
> I have a Qlogic PCIe Fibre Channel card installed in my FreeBSD 6.2 
> Release server.  I do not see it listed on boot up of the server.  I 
> have also run dmesg with no luck.  How do I find out if it is detected 
> and how would it be listed as.
> 
> Thanks


Re: Strange df

2007-10-05 Thread Brian A. Seklecki
The math is off because some space is reserved for UID 0 / root.  Read
these two man pages:

~BAS

NEWFS(8)   FreeBSD System Manager's Manual   NEWFS(8)

NAME
 newfs -- construct a new UFS1/UFS2 file system

 -m free-space
  The percentage of space reserved from normal users; the minimum
  free space threshold.  The default value used is defined by
  MINFREE from , currently 8%.  See tunefs(8) for
  more details on how to set this option.



TUNEFS(8)   NetBSD System Manager's ManualTUNEFS(8)

NAME
 tunefs -- tune up an existing file system

  -m minfree

  This value specifies the percentage of space held back from
  normal users; the minimum free space threshold.  The default value
  is set during creation of the filesystem, see newfs(8).  This
  value can be set to zero, however up to a factor of three in
  throughput will be lost over the performance obtained at a 5%
  threshold.  Note that if the value is raised above the current
  usage level, users will be unable to allocate files until enough
  files have been deleted to get under the higher threshold.



On Fri, 2007-10-05 at 12:12 +0200, Albert Shih wrote:
> Hi all
> 
> What's that mean ? 
> 
> Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
> /dev/ad4s1a    507630    69050   397970    15%    /
> devfs               1        1        0   100%    /dev
> /dev/ad4s1g  78017664 55539220 16237032    77%    /home
> /dev/ad4s1e    507630    -8960   475980    -2%    /tmp
>                             ^^
> 
> Regards.
> 
> 
> 
> 
> --
> Albert SHIH
> Observatoire de Paris Meudon
> SIO batiment 15
> Heure local/Local time:
> Ven 5 oct 2007 12:11:30 CEST


Re: Bind configuration in FreeBSD

2007-10-05 Thread Brian A. Seklecki
You need to enable the service:

$ sudo vi /etc/rc.conf

>>
named_enable="YES"

:wq 

$ sudo /etc/rc.d/named restart

The bind in-tree is 9.3.4 and the chroot is already setup for you by
default.  You don't want to go installing a bitrot version from Ports.

~BAS

On Fri, 2007-10-05 at 12:08 +, dhaneshk k wrote:
> but no message that it is starting or not .



Re: Strange df

2007-10-05 Thread Brian A. Seklecki
On Fri, 2007-10-05 at 13:11 +0300, Ivailo Tanusheff wrote:
> This seems as a wrong label info.
> Check: bsdlabel /dev/ad4s1

Oh wow, yea, I misread.

That's really scary -- normally the kernel would panic.  I'm very
surprised bsdlabel(8) let you write that to the disk.

Does fsck(8) function?  Did sysinstall do this?

You probably want /tmp to be MFS anyway -- it's almost never a disk
partition.

Especially since you don't have /var on its own file system (/var/tmp)
~BAS






Re: BASH as root shell (static linking)

2007-10-05 Thread Brian A. Seklecki


On Sat, 2007-10-06 at 04:54 +1000, Jerahmy Pocott wrote:
> Hello,
> 
> I'm wanting to use BASH as my root shell, so I compiled a statically linked
> version then tried to log in with only / mounted. But I was locked out because
> elf.ld.so could not be found..

JP:

Did:

$ ldd /bin/bash 

Return anything? It should not.

~BAS



Re: Building a SAN using FreeBSD

2007-10-07 Thread Brian A. Seklecki
On Sat, 2007-10-06 at 14:00 -0700, Don O'Neil wrote:
> Anyone have any resources for building a FreeBSD based SAN device? IE, how
> can I create an extendable file system using networked drives in multiple

  Spinnaker Networks, (spinnakernet.com), of Pittsburgh, Pennsylvania,
  a hardware company which builds network attached storage (NAS)
  servers.

But they got gobbled up by NetApp =/

~BAS

> boxes without paying a billion dollars for someone's expensive drive arrays.
> 
> TIA!



Re: sudo doesn't log anything

2007-10-10 Thread Brian A. Seklecki



On Wed, 2007-10-10 at 18:38 +0200, Nicolas Letellier wrote:
> Pieter de Goeje wrote:
> > Sudo by default logs with facility 'local2' and priority 'notice'. Neither
> > one is specified in your syslog.conf.
> >

To set the facility in sudoers(5):

   Defaults syslog=auth

Or local0-7 if you have a lot of action.

~BAS

> Yes, it fix my problem !
> 
> Thanks very much !
> 
> Nicolas
> 
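
The routing problem discussed in this thread, as an added example that is not part of the original posts: a POSIX sh/awk function that reports which syslog.conf lines would receive a message of a given facility and priority. The sample configuration is constructed, the function names are hypothetical, and the matcher is a simplified model of syslog.conf(5) that handles `*`, comma lists, `none`, `=level` and `!program` blocks only.

```shell
#!/bin/sh
# Added example. Answers "where would syslogd put this message?" for one
# facility/priority pair, e.g. the local2.notice named in the thread above.
# Simplified model of syslog.conf(5): host blocks and the other comparison
# flags are not modelled.

# syslog_routes FACILITY PRIORITY [PROGRAM] < syslog.conf
# Prints the action field of every line that would receive the message.
syslog_routes() {
    awk -v fac="$1" -v pri="$2" -v prog="${3:-sudo}" '
    BEGIN {
        # 1 = most severe; "facility.level" means that level or worse.
        n = split("emerg alert crit err warning notice info debug", name, " ")
        for (i = 1; i <= n; i++) sev[name[i]] = i
        block = "*"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^!/ { block = substr($1, 2); next }   # "!prog" opens a block, "!*" closes it
    /^[+-]/ { next }                       # host blocks: not modelled
    {
        if (block != "*" && block != prog) next
        hit = 0
        ns = split($1, sel, ";")
        for (s = 1; s <= ns; s++) {        # later selectors override earlier ones
            dot = index(sel[s], ".")
            if (dot == 0) continue
            lvl = substr(sel[s], dot + 1)
            nf = split(substr(sel[s], 1, dot - 1), f, ",")
            match_fac = 0
            for (k = 1; k <= nf; k++)
                if (f[k] == "*" || f[k] == fac) match_fac = 1
            if (!match_fac) continue
            if (lvl == "none") hit = 0
            else if (lvl == "*") hit = 1
            else if (substr(lvl, 1, 1) == "=") { if (substr(lvl, 2) == pri) hit = 1 }
            else if ((lvl in sev) && sev[pri] <= sev[lvl]) hit = 1
        }
        if (hit) print $2
    }'
}

# Constructed sample: no selector covers local2 at notice level.
sample_conf() {
    cat <<'EOF'
# constructed syslog.conf sample (fields separated by spaces here)
*.err;kern.debug;auth.notice;mail.crit  /dev/console
auth.info;authpriv.info                 /var/log/auth.log
mail.info                               /var/log/maillog
!ppp
*.*                                     /var/log/ppp.log
!*
EOF
}

# describe FACILITY PRIORITY: one-line verdict against the sample above.
describe() {
    routes=$(sample_conf | syslog_routes "$1" "$2" | tr '\n' ' ')
    if [ -n "$routes" ]; then
        echo "$1.$2 -> $routes"
    else
        echo "$1.$2 -> dropped (no matching selector)"
    fi
}

describe local2 notice   # facility/priority named in the thread
describe auth notice     # after "Defaults syslog=auth" in sudoers(5)
```

Feeding the real /etc/syslog.conf to `syslog_routes` on stdin gives the same answer for a live host, within the limits of the simplified matcher.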




Re: Install on new INTEL motherboard, can't find ATA devices

2007-10-23 Thread Brian A. Seklecki
On Mon, 2007-10-22 at 15:13 -0400, Thomas David Rivers wrote:
> I just got a new INTEL motherboard - chock full of these new-fangled
> SATA connectors... and one "legacy" ATA connector.  I moved a disk
> drive from an older box to this new one..
> 
> The machine can boot from the disk drive, but then after the kernel
> is up-and-running - it can't find the drive to mount the root file
> system.

Can you paste your complete /var/run/dmesg.boot from the boot kernel?
Did you try a 7-PRERELEASE snapshot?  Are there any modes to toggle in
the BIOS?

~BAS



Re: Live video streaming on FreeBSD?

2007-10-24 Thread Brian A. Seklecki

> /usr/ports/multimedia/mencoder can encode/recode videos to many
> different formats, including wmv9 and H.264.
> 
> /usr/ports/multimedia/vlc contains a streaming server, IIRC.

Do any of these support multicast?  Cisco is pushing this big time with
AVVID.
-- 
Brian A. Seklecki <[EMAIL PROTECTED]>


Re: Live video streaming on FreeBSD?

2007-10-24 Thread Brian A. Seklecki
On Wed, 24 Oct 2007 17:35:34 +0300
Nikos Vassiliadis <[EMAIL PROTECTED]> wrote:

> On Wednesday 24 October 2007 17:03:57 Brian A. Seklecki wrote:
> > > /usr/ports/multimedia/mencoder can encode/recode videos to many
> > > differen

Well, no, it's just that 99% of the managed switches & routers out
there are going to ("need to") support multicast video delivery
the way they want.

~BAS





release(8) environmental variables

2007-10-30 Thread Brian A. Seklecki


As far as building goes, the variables in play are:

  DESTDIR, MAKEOBJDIRPREFIX, RELEASEDIR, CHROOTDIR, CVSROOT,
  EXTSRCDIR, EXTDOCDIR, BUILDNAME, RELEASETAG, NODOC, NOPORTS,
  WORLD_FLAGS, LOCAL_SCRIPT

For stage one of the release process, the following seem relevant:

  DESTDIR, MAKEOBJDIRPREFIX, RELEASEDIR

For stage two:

  CHROOTDIR, CVSROOT, EXTSRCDIR, EXTDOCDIR, BUILDNAME, RELEASETAG, NODOC,
  NOPORTS, WORLD_FLAGS, LOCAL_SCRIPT


Do you guys prefer to set these in make.conf(5) or as exported 
environmental variables in the shell that spawns make(1) ?


~BAS


Re: ncftpput & ncftpget

2007-10-31 Thread Brian A. Seklecki
To find out:

$ cd /usr/ports && egrep -i ncftp* {ftp,net}/*/PLIST*

~BAS

On Tue, 2007-10-30 at 08:48 -0400, Bill Banks wrote:
> What port should I make to get ncftpput?
> 



Re: Virtualization

2007-10-31 Thread Brian A. Seklecki
On Tue, 2007-10-30 at 09:03 -0400, Bart Silverstrim wrote:
> I was curious with the information coming out regarding FreeBSD 7 what 
> option are available for virtualizing other OS's using FreeBSD as a host.

Just jail(8) atm.  VMWare won't issue keys for the last known-working of
VMWare server/WS that ran on FreeBSD under Linux emulation.

Their loss.

~BAS

P.S. I'm considering using my bsd-appliance project to do an ultra-thin
Xen hypervisor based on a NetBSD host.  A kernel with IP, iSCSI, NFS
etc.  It can probably be done using less RAM than the ATI framebuffer
robs.

~BAS




Re: Xorg and WSXGA

2007-10-31 Thread Brian A. Seklecki
On Mon, 2007-10-29 at 23:36 -0700, Crist J. Clark wrote:
> I finally dumped the CRT and bought a ridiculously cheap 20"
> LCD monitor. Works great except I'm having problems getting it
> to go widescreen and use the full display area.
> 
> I followed the instruction

xinit -- -verbose 9 -logverbose 9

It should print out a list of modes that it _will_ validate.

~BAS



Re: release(8) environmental variables

2007-10-31 Thread Brian A. Seklecki
On Wed, 2007-10-31 at 13:54 +0200, Giorgos Keramidas wrote:
> On 2007-10-30 18:02, "Brian A. Seklecki" <[EMAIL PROTECTED]> wrote:
> >
> > As far as building goes, the variables in play are:
> >
> >   DESTDIR, MAKEOBJDIRPREFIX, RELEASEDIR, CHROOTDIR, CVSROOT,
> >   EXTSRCDIR, EXTDOCDIR, BUILDNAME, RELEASETAG, NODOC, NOPORTS,
> >   WORLD_FLAGS, LOCAL_SCRIPT
> >
> > For stage one of the release process, the following seem relevant:
> >
> >   DESTDIR, MAKEOBJDIRPREFIX, RELEASEDIR
> >
> > For stage two:
> >
> >   CHROOTDIR, CVSROOT, EXTSRCDIR, EXTDOCDIR, BUILDNAME, RELEASETAG, NODOC,
> >   NOPORTS, WORLD_FLAGS, LOCAL_SCRIPT
> >
> > Do you guys prefer to set these in make.conf(5) or as exported
> > environmental variables in the shell that spawns make(1) ?

I ask because I noticed that the following variables do not get honored
by "make release" that occurs inside the chroot() as spawned by "make
release" (presumably during release.5)

DESTDIR, MAKEOBJDIRPREFIX, RELEASEDIR 

For example, OBJs get sent right into $CHROOTDIR/usr/obj/, which really
sucks.

~BAS

> 
> make.conf is too invasive.  I just set them in a shell script called
> `bldenv.sh' and saved in the release-checkout area :)
> 



Re: release(8) environmental variables

2007-10-31 Thread Brian A. Seklecki

> > really sucks.
>
> I believe that's intentional, so re-running "make release" with
> different CHROOTDIR values will produce consistently "similar" binaries.

I use LOCAL_SCRIPT to copy /etc/make.conf (well, /etc/src.conf) into place 
inside the jail for the rebuild so that I can build a custom internal 
release w/o certain subsystems (IPv6 or CSH, for example)

Is there a better way to do it?






l8*
    -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty.


iso.1 target and release(8) in RELENG_7 (WAS: Re: release(8) environmental variables)

2007-11-01 Thread Brian A. Seklecki
Here's some fun -- I'm pretty sure this worked in RELENG_6:

"make release" in /usr/src/release into RELEASEDIR=/opt/releasedir

The rebuild completes (release.1 -> release.8), the kernels are built,
the file system layout is prepared (ftp.1 -> cdrom.3), then (I think)
the iso.1 target is called and the images are zero-bytes.  Log excerpts
below...

Either I'm confused, I have my environmental variables set wrong, or
this is broken. :)

1) My $LOCAL_SCRIPT properly copies mkisofs(1) and mkhybrid(1) into
place in the $CHROOTDIR/usr/bin

   $ ls -al  /opt/relchroot/usr/bin/mkisofs
   -r-xr-xr-x  1 root  wheel  510712 Nov  1 02:13 /opt/relchroot/usr/bin/mkisofs

2) On the root of the system, I have to make /R a symlink
   to /opt/relchroot/R to make "make iso.1" succeed :

   # ls -al /R 
   lrwxr-xr-x  1 root  wheel  16 Oct 29 23:20 /R -> /opt/relchroot/R


Otherwise:

 [EMAIL PROTECTED] /usr/src/release]# make iso.1
   Creating ISO images...
   mkisofs: No such file or directory. Invalid node - /R/cdrom/bootonly
   *** Error code 2
   Stop in /usr/src/release.


3) I don't see how $CHROOTDIR is used in /usr/src/release/Makefile at:

   iso.1: 
   [...]

  Unless, when not run as a manual target outside of the chroot(), it
  runs in the chroot and /R is relative to $CHROOTDIR?.  That would make
  sense of the error in the log excerpt below matched what I encounter
  on the command line as a manual run.

I'm setting:

 # applies to build
 export DESTDIR=/opt/dest
 export MAKEOBJDIRPREFIX=/opt/obj
 export RELEASEDIR=/opt/release
 export CHROOTDIR=/opt/relchroot

This is a shell script that runs nightly -- it worked in RELENG_6.

~BAS

[...]
Created /R/stage/floppies/boot.flp
touch floppies.1
touch floppies.3
Setting up FTP distribution area
0 blocks  
0 blocks
touch ftp.1
Building CDROM live filesystem image
0 blocks
0 blocks
0 blocks  
0 blocks
0 blocks
0 blocks
0 blocks
0 blocks
0 blocks
Copy GENERIC kernel to boot area
Setting up CDROM boot area
touch cdrom.1
Building CDROM disc1 filesystem image
0 blocks
0 blocks
Building CDROM disc2 filesystem image
touch cdrom.2
Building bootonly CDROM filesystem image  
touch cdrom.3
Release done
[...]


On Wed, 2007-10-31 at 19:45 +0200, Giorgos Keramidas wrote:
> On 2007-10-31 13:26, "Brian A. Seklecki" <[EMAIL PROTECTED]> wrote:
> >>> really sucks.
> >> 
> >> I believe that's intentional, so re-running "make release" with
> >> different CHROOTDIR values will produce consistently "similar" binaries.
> > 
> > I use LOCAL_SCRIPT to copy /etc/make.conf (well, /etc/src.conf) into place 
> > inside the jail for the rebuild so that I can build a custom internal 
> > release w/o certain subsystems (IPv6 or CSH, for example)
> > 
> > Is there a better way to do it?
> 
> LOCAL_SCRIPT sounds fine to me :)
> 



Re: rc: not working as expected? (round 2)

2008-10-10 Thread Brian A. Seklecki

You can do a dry run as a non root user:

$ rcorder /etc/rc.d/* /usr/local/etc/rc.d/* 2>&1 | more

~BAS

On Fri, 2008-10-10 at 12:19 -0300, Paul Halliday wrote:
> (I mistakenly sent the last msg before finishing..)
> 
> Or maybe an interpretation issue.
> 
> I have a few startup scripts in rc.d and I am experiencing timing
> issues. i.e. I need xyz to start before abc.
> 
> Within xyz I tried:
> 
> # REQUIRE: abc
> 
> This didn't work so I tried:
> 
> 100.xyz
> 900.abc
> 
> which doesn't appear to work either.
> 
> What am I missing?
> 
> Thanks.
-- 
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.






Re: cvsup.uk.freebsd.org down

2008-10-10 Thread Brian A. Seklecki



Did it ever come back?

Someone with good BGP views should probably put all of the CVS/FTP/Rsync 
mirrors in Nagios (with something reasonable like a 6 hour check interval) 
and send reports to freebsd-www@ or so.


~BAS

On Mon, 8 Sep 2008, Paul Macdonald wrote:

> I just noticed this cvs server is down
>
> I've switched to cvsup2 which seems fine for now, I presume any updates to 2
> are not dependent on cvsup.uk.freebsd being up?
>
> thanks
> Paul.



l8*
    -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan



Re: cvsup mirrors

2008-10-10 Thread Brian A. Seklecki


Or...contact the maintainer:

http://www.dslreports.com/profile/191119

$ host cvsup1.ca.FreeBSD.org
cvsup1.ca.FreeBSD.org is an alias for less.cogeco.net.
less.cogeco.net has address 24.226.6.67

http://less.cogeco.net/

Many broken URLS.

~BAS


On Fri, 12 Sep 2008, Michael P. Soulier wrote:

> I found this
> http://www.freebsd.org/doc/en/books/handbook/cvsup.html#CVSUP-MIRRORS
>
> and it lists one for me in Canada.
>
> cvsup1.ca.freebsd.org
>
> Unfortunately, it doesn't have RELENG_6 on it. cvsup says it's not there.
>
> Does the mirrors list need an update?
>
> Thanks,
> Mike
> --
> Michael P. Soulier <[EMAIL PROTECTED]>
> "Any intelligent fool can make things bigger and more complex... It takes a
> touch of genius - and a lot of courage to move in the opposite direction."
> --Albert Einstein



l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan



Re: core Dumb during CVSUP

2008-10-10 Thread Brian A. Seklecki

use csup, but at this stage, i'll wait until portupgrade has finished to see
if anything changes in that regards.


Well, you could ktrace(8) the binary and/or rebuild it with debugging 
symbols and bt the coredump ~BAS


~BAS


Check_CVSUp / PServer - Nagios Plugins?

2008-10-10 Thread Brian A. Seklecki


Hey all:

One of the big pitfalls of running a public CVS/CVSup/FTP mirror seems to 
be poor reporting on failed updates.


I'd like to add some Nagios monitoring to our project.

For FTP and CVSUP rsyncs, I can have my cron(8)'d update scripts touch(1) 
a file if [ $? = 0 ]; then check them with libexec/nagios/check_file_age 
for mtime/utime.


However, I'd also like to monitor the CVSup and PServer services as well 
at the protocol level.


There do not seem to be any plugins in the public domain.

Ideas:

CVSUp:
  - php/perl/python bindings/libraries to talk cvsup protocol and maybe
query a list of collections, plus the protocol version negotiated?

  - Is there maybe a way to exec() the cvsup(1)/csup(1) client in "list"
mode?  Does the protocol have a list operation?

CVS Pserver:
  - Maybe just do a "cvs log src/Makefile" -- verifies that the protocol
is active.

SSH:
  - Duh

FTP/RSYNC:
  - Yea


Thoughts?  Discussion?

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan
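
The freshness check proposed in the post above, as an added example that is not part of the original message: a cron wrapper that touches a stamp file only when the mirror update exits 0, and a check that maps the stamp's age to Nagios plugin exit codes. The function names, stamp path and thresholds are assumptions, and `find -mmin` stands in for check_file_age.

```shell
#!/bin/sh
# Added example: function names, paths and thresholds are hypothetical.

# run_and_stamp STAMP CMD [ARGS...]
# Runs the update command and refreshes STAMP only if it exited 0, so a
# failing job lets the stamp go stale instead of hiding the failure.
run_and_stamp() {
    stamp=$1; shift
    if "$@"; then
        touch "$stamp"
    else
        rc=$?
        echo "update failed (exit $rc); $stamp left untouched" >&2
        return "$rc"
    fi
}

# check_stamp_age STAMP WARN_MIN CRIT_MIN
# Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_stamp_age() {
    stamp=$1; warn=$2; crit=$3
    for n in "$warn" "$crit"; do
        case "$n" in
            ''|*[!0-9]*) echo "UNKNOWN: thresholds must be whole minutes"; return 3 ;;
        esac
    done
    # A stamp that was never written means the job has never succeeded.
    if [ ! -e "$stamp" ]; then
        echo "CRITICAL: $stamp missing (update has never succeeded)"; return 2
    fi
    # find prints the path only when the mtime is older than the threshold.
    if [ -n "$(find "$stamp" -mmin +"$crit")" ]; then
        echo "CRITICAL: last good update more than $crit min ago"; return 2
    fi
    if [ -n "$(find "$stamp" -mmin +"$warn")" ]; then
        echo "WARNING: last good update more than $warn min ago"; return 1
    fi
    echo "OK: last good update within $warn min"; return 0
}

# Demo with constructed "updates": false stands in for a failed sync,
# true for a successful one.
demo() {
    dir=$(mktemp -d) || return 1
    run_and_stamp "$dir/cvsup.ok" false 2>/dev/null || true
    check_stamp_age "$dir/cvsup.ok" 360 720 || true
    run_and_stamp "$dir/cvsup.ok" true
    check_stamp_age "$dir/cvsup.ok" 360 720 || true
    rm -rf "$dir"
}
demo
```

This covers only the "did the last sync succeed" half of the post; the protocol-level CVSup and pserver probes it asks about are not modelled here.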



Re: Errors found in Freebsd

2008-10-22 Thread Brian A. Seklecki
On Wed, 2008-10-22 at 13:04 +0200, Leon Swanepoel - MWEB wrote:
> 2650 machines that are constantly running Ierrs. The bce,em,xl or any

Yea -- call Dell and ask them why they started shipping crappy chips in
the 9th gen.  Probably to sell lots of PCI-E dual port addon cards,
which is my suggestion to anyone who lives or dies by PowerEdge.

-- 
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.






Re: Any help about FreeBSD & Dell's Troubleshooting Tool DSET

2008-11-12 Thread Brian A. Seklecki
On Wed, 2008-11-12 at 16:01 +0100, VeeJay wrote:
> There seemed to be a problem related to RAID controller on
> one server. 

Screw Dell's diagnostics tools.

Those are there to help psychology majors who got their MCSE and RHCE
after they realized that all you can do with a psychology degree is
teach psychology or serve coffee.

Send us your screenshot.  Nothing was attached.

-- 
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.






Re: Any help about FreeBSD & Dell's Troubleshooting Tool DSET

2008-11-12 Thread Brian A. Seklecki
On Wed, 2008-11-12 at 19:39 +0100, VeeJay wrote:
> Hi Brian
>  
> Thanks. I sent the attachment but FreeBSD List would not allow me to

First order of business is to _not_ send it as a BMP.  Use PNG instead,
and post the URL and not the actual file:

http://digitalfreaks.org/~lavalamp/20081023_server3_screen_dump.png

---

Second order of business:

"Unexpected sense code" on a PD (Physical Disk) suggests that one of
your disks is bad / becoming bad.  Check the enclosure -- likely it is
flashing.

Install MegaCli from ports, if you can. You can always reboot and use
the BIOS menu to check the event log.

If it's not a bad disk, then something bizarre is happening.   We'll want
to know what firmware revision you're running on the controller, and on
the disks (Dell disk firmware updates run from DOS)

~~BAS

>  send email of more than 200K in size. So, here it is...
>  
> I hope you can figure out how to solve this issue...
>  
> With best wishes
>  
> VJ
> 
> 
> On Wed, Nov 12, 2008 at 4:25 PM, Brian A. Seklecki
> <[EMAIL PROTECTED]> wrote:
> On Wed, 2008-11-12 at 16:01 +0100, VeeJay wrote:
> > There seemed to be a problem related to RAID controller on
> > one server.
> 
> Screw Dell's diagnostics tools.
> 
> Those are there to help psychology majors who got their MCSE
> and RHCE
> after they realized that all you can do with a psychology
> degree is
> teach psychology or serve coffee.
> 
> Send us your screenshot.  Nothing was attached.
> 
> --
> Brian A. Seklecki <[EMAIL PROTECTED]>
> Collaborative Fusion, Inc.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> -- 
> Thanks!
> 
> BR / vj
-- 
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.






PXE Boot - Silent kernel dmesg output

2008-11-21 Thread Brian A. Seklecki
All:

Has anyone experienced a PXE boot problem on amd64 (Dell PowerEdge 850,
1850, DRAC4, DRAC5) where kernel dmesg output is suppressed on VGA
Console?

I've tried kernels, mfsroot, and pxeboot from 6.4-RC2, 6.3-PLX, 7.1-B2
builds.

I've verified stock /boot/device.hints, /defaults/loader.conf,
and /boot/loader.conf are in place on my NFS export.

Here's a slightly ambiguous screenshot:
  http://people.collaborativefusion.com/~seklecki/pxe_lock.jpg


  Note: It's hard to tell, but the spindle has already become a block
cursor.

We used to see this in early 6.x days and assumed it was a bum bPXE
configuration on the server-side; eventually mfsroot would get loaded
and sysinstall(8) welcome would be the first thing displayed after the
2nd stage boot loader.

Breaking out of the loader reveals: 
  console="vidconsole"

Very very strange...

I'm going to have a look at tcpdump(8) on NFS reads to my export and
determine if it is indeed actually reading loader.conf(5).

However, the system-wide defaults w/o loader.conf + loader.rc +
boot.conf shouldn't prohibit kernel VGA console output.

-- 
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.







Re: No /boot/kernel/kernel

2008-12-05 Thread Brian A. Seklecki
> FreeBSD/i386 boot
> Default 0:ad(0,a)/boot/kernel/kernel
> boot:
> No /boot/kernel/kernel
> 
> the same reappeared after i typed /boot/kernel.old/kernel.
> WHAT DID WENT WRONG??? Any ideas?
> _


Ugh 2nd stage boot loader should be given:

  Default: 0:ad(0,a)/boot/loader

~BAS







Re: Snow in my Server

2008-12-19 Thread Brian A. Seklecki
On Fri, 2008-12-19 at 11:15 -0800, Casey Scott wrote:
> Obviously downgrade to 6.0 on snow affected servers.

Or rebuild all of your ports and melt the snow away.

~BAS

-- 
Brian A. Seklecki 
Collaborative Fusion, Inc.




Re: Snow in my Server

2008-12-22 Thread Brian A. Seklecki
On Fri, 2008-12-19 at 22:46 +0300, Jeff Laine wrote:
> Just mv teh snowflakes to /dev/null ^_-

$ sudo pkill -9 xsnow

~BAS

-- 
Brian A. Seklecki 
Collaborative Fusion, Inc.




Default list of exported variables in sh(1) - $HOSTNAME

2008-12-24 Thread Brian A. Seklecki
All:

I've got a fun problem ...

I'm having trouble tracking down where the default list of exported
variables is set for sh(1).

I've got a piece of PHP code that runs on GNU/Linux but not FreeBSD
because (I think) $HOSTNAME is exported by default.  

The PHP CLI calls $_ENV["HOSTNAME"], which under GNU/Linux returns:

$ php -r 'print gethostbyaddr(gethostbyname($_ENV["HOSTNAME"]))'
soundwave.wscollaborativefusion.com

In HTTP/CGI mode, I can call $_SERVER[]. But $_ENV[] should work in both
CLI and HTTP mode. 

However, because Apache is spawned from sh(1) from rc(8) and in FreeBSD
6.x, $HOSTNAME is not exported by default, which is what $_ENV[] uses
(getenv()):

$ uname -a
FreeBSD bdb00 6.3-RELEASE-p2
$ export
SSH_CLIENT
USER
MAIL
HOME
SSH_TTY
PAGER
ENV
LOGNAME
BLOCKSIZE
TERM
PATH
SHELL
SSH_CONNECTION
FTP_PASSIVE_MODE
EDITOR

---
Compare to:

linux$ uname -a
Linux soundwave 2.6.25.14-108.fc9.x86_64 
linux$ bash --version
GNU bash, version 3.2.33(1)-release (x86_64-redhat-linux-gnu)
linux$ export|wc -l
52
linux$ export|grep -i host
declare -x HOSTNAME="soundwave"



It could be set in the sources for sh(1) or shells/bash, login(1),
possibly somehow related to PAM.
 
src/usr.bin/login/login.c has :

static int export(const char *s) {

 * - Do not export certain variables.  This list was taken from the
 *   Solaris pam_putenv(3) man page.
 * Then export it.
static const char *noexport[] = {
  "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
  "IFS", "PATH", NULL

}..

$HOSTNAME not listed here

---

src/bin/sh/var.c has environment(){} and at least one other call to
getnamebyaddr()



Bash has set_machine_vars() in variables.c:
  temp_var = set_if_not ("HOSTNAME", current_host_name);

-

There are also about 500 calls to getenv() in the PHP source code under
main/, however none explicitly for $HOSTNAME.  

This is similar to bash, so unless the Redhat people are maintaining
lots of SRPM patches to Bash _and_ PHP, I'm prepared to isolate the
problem to FreeBSD and sh(1)/login(1)

Thoughts?  (Happy holidays all!)

~BAS

-- 
Brian A. Seklecki 
Collaborative Fusion, Inc.




pxeboot(8) NFS code breaks PIX/ASA policy

2006-09-05 Thread Brian A. Seklecki


I'm PXE booting systems using the "dhcprelay" feature on a PIX 525 running 
7.1(2).  The TFTP process of retrieval of /tftpboot/pxeboot works fine, 
however once loaded NFS mount requests to the server fail per the 
following messages.  In my config, all layer 4->7 packet "inspection" 
features are turned off.


Any ideas why pxeboot would set the destination UDP port number to 0?  It 
should be UDP/111 and UDP/2049, but alas TCPdump on the server shows 
nothing coming through.


My work-around right now is to recompile pxeboot w/o NFS support and use 
TFTP file retrieval...which...sort of works.


TIA,
~BAS

--

Sep 05 2006 17:38:15: %PIX-4-54: Invalid transport field for 
protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0


Sep 05 2006 17:38:19: %PIX-4-54: Invalid transport field for 
protocol=UDP, from 192.168.129.130/1023 to 192.168.128.40/0



According to Cisco:

%PIX-4-54: Invalid transport field for protocol=protocol, from 
src_addr/src_port to dest_addr/dest_port


Explanation   This message appears when there is an invalid transport 
number, in which the source or destination port number for a protocol is 
zero. The protocol field is 6 for TCP and 17 for UDP.


---



l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."


Re: PERC 5/E SAS RAID in Dell PowerEdge 1950/2950

2006-09-07 Thread Brian A. Seklecki



On Sun, 11 Jun 2006, Brian A. Seklecki wrote:

> All:
>
> Does anyone have details about the new PERC 5/E SAS RAID controller Dell
> is (or will soon be) shipping in the 1950/2950?


For the record, this is mfi(4).

Yay!

~BAS


Re: PERC 5/E SAS RAID in Dell PowerEdge 1950/2950

2006-09-09 Thread Brian A. Seklecki
On Thu, 2006-09-07 at 20:07, ke han wrote:
> On Sep 8, 2006, at 12:49 AM, Brian A. Seklecki wrote:
> 
> >
> >
> > On Sun, 11 Jun 2006, Brian A. Seklecki wrote:
> >
> >> All:
> >>
> >> Does anyone have details about the new PERC 5/E SAS RAID  
> >> controller Dell
> >> is (or will soon be) shipping in the 1950/2950?
> >>
> >
> > For the record, this is mfi(4).
> 
> Have you done an install of FreeBSD 6.1 on a 1950/2950?  Does the  
> install kernel automatically recognize RAID arrays you have setup  

It finds the RAID controller fine.  However, we're very concerned about
the lack of a management CLI like ports/sysutils/megarc.

It's the DRAC5 virtual USB keyboard that requires you sacrifice your
moral integrity to obtain.  A small price to pay, considering the client
requires ActiveX and Java.

Also I had some problems with if_bce.c < rev1.7.  Media state confusion.

~BAS

> with the PERC 5 bios?  IOW, do I have to manually load some updated  
> module outside of the default 6.1 install and config?
> 
> thanks, ke han
> 
> >
> > Yay!
> >
> > ~BAS
> 
