[CentOS] md5 passwords?

2008-01-12 Thread Scott Ehrlich
On a C4.4 system, I want to add md5 passwords for the grub boot menu to 
prevent users from making selections other than the default boot options.


I also want to add md5 passwords when attempting single user mode boots 
(may be answered by first request).


The same for C5 systems.


Thanks.

Scott
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


a quick and dirty hack to 'fix' the problem in a large scale -- RE: [CentOS] Nic order detection

2008-01-12 Thread Guolin Cheng
Les and Michael,

There are a few ways to workaround the NIC detection issue. Each has its
own advantages and limits.

The first method is: suppose you or your team have full control of
running kernel on your hundreds/thousands of boxes, you can then build
some NIC drivers statically in the kernel -- these statically built NIC
drivers will be detected as eth0 without glitches -- then leave other
different NIC types on the same box still in dynamic kernel modules
status. It works greatly if you know all the types of primary network
NIC. Typically e100, tg3, etc. and you have already standardized the 2nd
NIC on the boxes to one or two brands like e1000.

The second method is: suppose you or your team can not control
rebuilding of kernel, or at least you have no full control, but you
really know the types of primary/secondary NICs combinations on all the
Linux boxes in your kingdom. Then you can try the following hack:

 You can try to add/change lines in /lib/modules/`uname -r`/modules.dep
file according to your NICs combinations -- always load the drivers
according to your predefined order. For example:

.../e1000.ko: .../tg3.ko .../3c59x.ko .../e100.ko .../forcedeth.ko
.../forcedeth.ko: .../tg3.ko

The above means to load the module at left, system will first load
modules at right! So tg3|3c59x|e100|forcedeth always load before e1000,
and tg3 load before forcedeth. The same idea can be applied to all NIC
combination types you have and can be set only once and applied to all
your linux boxes if you set it up correctly. The side-effect is: you
waste a few hundred kilobytes of memory, but who cares?

There are also other tricks I tried before, some work and some do not. But
I think the above should probably work for most general cases.

Have a good weekend.

--Guolin


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Michael D. Kralka
Sent: Thursday, January 10, 2008 6:52 AM
To: CentOS mailing list
Subject: Re: [CentOS] Nic order detection

Les Mikesell wrote:
> I do have the ifcfg-ethX files for the 2 interfaces that are currently
> active, but since the machines were built by image copies of a master
> disk, they do not have HWADDR address entries.  A person on-site with
> access to the console adjusted them if they didn't come up right the
> first time, but they seem to shift around on each reboot.  Will adding
> the HWADDR entry nail them down even if it doesn't match the nic type
> specified in modprobe.conf?  Can someone point me to the code where this
> happens?  Until recently the machines were running centos 3.x and this
> seems to be a difference in behavior.

As already pointed out, yes adding HWADDR will "nail them down" and the
entries in modprobe.conf don't mean much. If you (or a script) execute
"modprobe eth0" it will load the appropriate module. Unfortunately, this
is not how CentOS 5 loads drivers.

With CentOS 5, udev is used to load the drivers by looking at the
"modalias" file found for each device under the /sys directory (search
for them, there are many). For PCI devices, the modalias includes the 4
16-bit PCI ID values, the PCI device type, and some other information.

Unfortunately, udev tries to be clever and loads drivers in parallel. As
a result, if there are NICs that use different drivers, the order that
the NICs are assigned ethX interfaces is left to the whim of the Linux
scheduler (i.e. is non-deterministic). Devices using the same driver
will always be assigned interface names in the same relative ordering.
If they all use the same driver, they will always be assigned the same
names, without having to fuss with the HWADDR option (this is due to how
drivers enumerate PCI devices).

In reality, HWADDR doesn't force the kernel to assign the desired
interface to each device. It simply "cleans up" after udev by renaming
the interfaces from what the kernel assigned to each NIC to the
interfaces you expect. Search for "rename_device" in ifup-eth and
network-functions, both found in the /etc/sysconfig/network-scripts
directory.

Cheers,
Michael


[CentOS] PHP 5.2.5 when ?

2008-01-12 Thread Santa Claus
Hi

>> When (some) expected rpm package for the upgrade php to version
>> 5.2.5(CentOS4)?
> ummm ... the answer is probably never.

It is not clear why Red Hat (and CentOS too) responds so weakly to changes in
important packages.
In this case the question: how to upgrade to PHP 5.2.5 correctly?

1. make ... etc.
2. or go search rpms/rpm in private repositories (for example:
http://www.jasonlitka.com/2007/11/16/upgrading-to-php-525-on-rhel-and-centos/)?

-- 
wbr


Re: [CentOS] PHP 5.2.5 when ?

2008-01-12 Thread John R Pierce

Santa Claus wrote:
> It is not clear why Red Hat (and CentOS too) responds so weakly to
> changes in important packages.
>
> In this case the question: how to upgrade to PHP 5.2.5 correctly?

If it's really not clear, you're totally missing the whole *point* of RHEL.




[CentOS] CentOS-announce Digest, Vol 35, Issue 4

2008-01-12 Thread centos-announce-request

Today's Topics:

   1. CESA-2008:0032 Important CentOS 3 i386 libxml2 - security update (Tru Huynh)
   2. CESA-2008:0032 Important CentOS 3 x86_64 libxml2 - security update (Tru Huynh)
   3. CESA-2008:0039 Moderate CentOS 3 i386 postgresql - security update (Tru Huynh)
   4. CESA-2008:0039 Moderate CentOS 3 x86_64 postgresql - security update (Tru Huynh)
   5. CESA-2008:0032 Important CentOS 3 ia64 libxml2 - security update (Pasi Pirhonen)
   6. CESA-2008:0039 Moderate CentOS 3 ia64 postgresql - security update (Pasi Pirhonen)
   7. CESA-2008:0032 Important CentOS 4 ia64 libxml2 - security update (Pasi Pirhonen)
   8. CESA-2008:0038 Moderate CentOS 4 ia64 postgresql - security update (Pasi Pirhonen)
   9. CESA-2008:0032 Important CentOS 3 s390(x) libxml2 - security update (Pasi Pirhonen)
  10. CESA-2008:0032 Important CentOS 4 s390(x) libxml2 - security update (Pasi Pirhonen)
  11. CESA-2008:0039 Moderate CentOS 3 s390(x) postgresql - security update (Pasi Pirhonen)
  12. CESA-2008:0038 Moderate CentOS 4 s390(x) postgresql - security update (Pasi Pirhonen)


--

Message: 1
Date: Fri, 11 Jan 2008 15:30:01 +0100
From: Tru Huynh <[EMAIL PROTECTED]>
Subject: [CentOS-announce] CESA-2008:0032 Important CentOS 3 i386
libxml2 -   security update
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

CentOS Errata and Security Advisory CESA-2008:0032

libxml2 security update for CentOS 3 i386:
https://rhn.redhat.com/errata/RHSA-2008-0032.html

The following updated file has been uploaded and is currently syncing to
the mirrors:

i386:
updates/i386/RPMS/libxml2-2.5.10-8.i386.rpm
updates/i386/RPMS/libxml2-devel-2.5.10-8.i386.rpm
updates/i386/RPMS/libxml2-python-2.5.10-8.i386.rpm

source:
updates/SRPMS/libxml2-2.5.10-8.src.rpm

You may update your CentOS-3 i386 installations by running the command:

yum update libxml2\*

Tru
-- 
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B

--

Message: 2
Date: Fri, 11 Jan 2008 15:31:07 +0100
From: Tru Huynh <[EMAIL PROTECTED]>
Subject: [CentOS-announce] CESA-2008:0032 Important CentOS 3 x86_64
libxml2 - security update
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

CentOS Errata and Security Advisory CESA-2008:0032

libxml2 security update for CentOS 3 x86_64:
https://rhn.redhat.com/errata/RHSA-2008-0032.html

The following updated file has been uploaded and is currently syncing to
the mirrors:

x86_64:
updates/x86_64/RPMS/libxml2-2.5.10-8.i386.rpm
updates/x86_64/RPMS/libxml2-2.5.10-8.x86_64.rpm
updates/x86_64/RPMS/libxml2-devel-2.5.10-8.x86_64.rpm
updates/x86_64/RPMS/libxml2-python-2.5.10-8.x86_64.rpm

source:
updates/SRPMS/libxml2-2.5.10-8.src.rpm

You may update your CentOS-3 x86_64 installations by running the command:

yum update libxml2

Tru
-- 
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B

--

Message: 3
Date: Fri, 11 Jan 2008 15:31:56 +0100
From: Tru Huynh <[EMAIL PROTECTED]>
Subject: [CentOS-announce] CESA-2008:0039 Moderate CentOS 3 i386
postgresql  - security update
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

CentOS Errata and Security Advisory CESA-2008:0039

postgresql security update for CentOS 3 i386:
https://rhn.redhat.com/errata/RHSA-2008-0039.html

The following updated file has been uploaded and is currently syncing to
the mirrors:

i386:
updates/i386/RPMS/rh-postgresql-7.3.21-1.i386.rpm
updates/i386/RPMS/rh-postgresql-contrib-7.3.21-1.i386.rpm
updates/i386/RPMS/rh-postgresql-devel-7.3.21-1.i386.rpm
update

Re: [CentOS] md5 passwords?

2008-01-12 Thread mups . cp
Use grub-md5-crypt to generate the md5 hash.
Afterwards, edit /boot/grub/grub.conf and insert password --md5 your_hash_here
With this option users can't edit grub options, so they can't boot in
single user mode either, because they would have to provide the password
in that case.


On Jan 12, 2008 6:01 AM, Scott Ehrlich <[EMAIL PROTECTED]> wrote:
> On a C4.4 system, I want to add md5 passwords for the grub boot menu to
> prevent users from making selections other than the default boot options.
>
> I also want to add md5 passwords when attempting single user mode boots
> (may be answered by first request).
>
> The same for C5 systems.
>
>
> Thanks.
>
> Scott
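
Added example, not part of the original thread or of GRUB itself: a shell check for the setup described in this reply. It goes slightly beyond the post by also verifying that the `password --md5` line sits in the global section (before the first `title`), where GRUB legacy applies it to menu editing, and that the file is not world-readable; `audit_grub_conf`, the sample files and the placeholder hash are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy grub.conf for the menu password setup.
# audit_grub_conf and the sample writers are illustrative names.

# audit_grub_conf FILE
#   Prints one finding per line. Returns 0 if the file is clean, 1 if there
#   are findings, 2 if the file cannot be read.
audit_grub_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    findings=$(awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        { sub(/^[ \t]*password=/, "password ") }   # accept the password= form
        $1 == "title" { in_entry = 1; next }       # global section ends here
        $1 == "password" {
            if ($2 == "--md5" && $3 ~ /^\$1\$/) {
                if (!in_entry) global = 1          # applies to the whole menu
            } else {
                print "line " NR ": password is not stored as an MD5 crypt hash"
            }
        }
        END {
            if (!global)
                print "no global password --md5 line before the first title"
        }
    ' "$conf")
    # The hash should not be readable by ordinary users (expected mode 600).
    perm_note=
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        perm_note="$conf is world-readable (expected mode 600)"
    fi
    if [ -z "$findings$perm_note" ]; then
        return 0
    fi
    [ -z "$findings" ] || printf '%s\n' "$findings"
    [ -z "$perm_note" ] || printf '%s\n' "$perm_note"
    return 1
}

# Constructed sample: password in the global section, placeholder hash.
write_sample_hardened() {
    cat > "$1" <<'EOF'
default=0
timeout=5
password --md5 $1$EXAMPLE$PLACEHOLDERHASH0000000
title CentOS (constructed sample)
        root (hd0,0)
        kernel /vmlinuz-EXAMPLE ro root=LABEL=/
        initrd /initrd-EXAMPLE.img
EOF
    chmod 600 "$1"
}

# Constructed sample: password only inside one entry, file world-readable.
write_sample_weak() {
    cat > "$1" <<'EOF'
default=0
timeout=5
title CentOS (constructed sample)
        root (hd0,0)
        password --md5 $1$EXAMPLE$PLACEHOLDERHASH0000000
        kernel /vmlinuz-EXAMPLE ro root=LABEL=/
EOF
    chmod 644 "$1"
}

# Demo on the two constructed samples.
demo_dir=$(mktemp -d)
write_sample_hardened "$demo_dir/hardened.conf"
write_sample_weak "$demo_dir/weak.conf"
for f in "$demo_dir/hardened.conf" "$demo_dir/weak.conf"; do
    if audit_grub_conf "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
rm -rf "$demo_dir"
```

On a real host the function would be pointed at /boot/grub/grub.conf and run as root.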


Re: a quick and dirty hack to 'fix' the problem in a large scale -- RE: [CentOS] Nic order detection

2008-01-12 Thread Michael D. Kralka
Guolin Cheng wrote:
> Les and Michael,

I am going to bite my tongue and not ask you to refrain from top posting.

As your subject suggests, you are proposing a quick and dirty hack to
deal with interface assignment to physical NICs. Why bother with a quick
and dirty hack when a sensible solution exists within the distribution?
I see this as bad advice and hope no one follows it.

> There are a few ways to workaround the NIC detection issue. Each has its
> own advantages and limits.
> 
> The first method is: suppose you or your team have full control of
> running kernel on your hundreds/thousands of boxes, you can then build
> some NIC drivers statically in the kernel -- these statically built NIC
> drivers will be detected as eth0 without glitches -- then leave other
> different NIC types on the same box still in dynamic kernel modules
> status. It works greatly if you know all the types of primary network
> NIC. Typically e100, tg3, etc. and you have already standardized the 2nd
> NIC on the boxes to one or two brands like e1000.

Although this may "work", I have just signed up for a lifetime of
chasing kernel versions. Every time RHEL/CentOS release a new kernel to
fix a bug or security vulnerability, I must recompile the kernel. How
does this make sense if I have hundreds/thousands of boxes to keep up
to date? I'd rather "yum update" on all the boxes (which is easy to do).

> The second method is: suppose you or your team can not control
> rebuilding of kernel, or at least you have no full control, but you
> really know the types of primary/secondary NICs combinations on all the
> Linux boxes in your kingdom. Then you can try the following hack:
> 
>  You can try to add/change lines in /lib/modules/`uname -r`/modules.dep
> file according to your NICs combinations -- always load the drivers
> according to your predefined order. For example:
> 
> .../e1000.ko: .../tg3.ko .../3c59x.ko .../e100.ko .../forcedeth.ko
> .../forcedeth.ko: .../tg3.ko

Although this may "work", it is another accident waiting to happen. This
is a generated file and it is almost never a good idea to modify a
generated file; one will get burned. I install a shiny new module that
is not delivered as part of the kernel (drbd perhaps), and the
post-install script runs "depmod -a" (a sensible thing to do); now I
have just blown away the manual changes. Or every time I install a new
kernel (whether I am foolishly[1] building my own or using the
distribution kernels), I have to remember to make this change. The worst
part about this is that the effects will not be visible until the next
time the server is rebooted (say 6 months when there is a power
failure); the network interface assignment will be wrong. Good luck
hunting down that problem in a pinch!

[1]  Don't get me wrong, there is a time and a place for building custom
kernels; this is just not one of them.

> The above means to load the module at left, system will first load
> modules at right! So tg3|3c59x|e100|forcedeth always load before e1000,
> and tg3 load before forcedeth. The same idea can be applied to all NIC
> combination types you have and can be set only once and applied to all
> your linux boxes if you set it up correctly. The side-effect is: you
> waste a few hundred kilobytes of memory, but who cares?

The problem is not the wasted memory, it's the fragility of its design.

> There are also other tricks I tried before, some work and some do not. But
> I think the above should probably work for most general cases.

Why resort to "tricks" when there is a perfectly good solution supported
by the distribution? I've learned that it never pays to be clever. When
resorting to neat little tricks to get things to work, they get
forgotten, or worse when someone else must look into a problem, they
spend most of the time trying to understand the clever way things are
set up. When stability is a main concern, boring is always better.

Cheers,
Michael



Re: a quick and dirty hack to 'fix' the problem in a large scale -- RE: [CentOS] Nic order detection

2008-01-12 Thread Les Mikesell

Michael D. Kralka wrote:

> Why resort to "tricks" when there is a perfectly good solution supported
> by the distribution? I've learned that it never pays to be clever. When
> resorting to neat little tricks to get things to work, they get
> forgotten, or worse when someone else must look into a problem, they
> spend most of the time trying to understand the clever way things are
> set up. When stability is a main concern, boring is always better.


The problem is that the disk images are made in one location and swapped 
into place in others, by someone who knows hardware, not linux, so for a 
new machine we won't know the hardware address ahead of time.  When I 
first realized that the NICs were detected in a different order I added 
a script that tried to bring them all up, look for link, assign an ip 
address and ping the associated router to figure out which 2 were in use 
and which address they should have.  However I did not realize (and I 
still don't see this documented anywhere...) that the device names would 
be non-deterministic or that they could be renamed after the kernel 
assigns a name.  I can probably tweak the script to pick up the mac 
address and include it in the ifcfg-ethX files to nail things down. 
But, I see something about adding udev rules for persistent names so 
this is probably going to change again.


--
  Les Mikesell
   [EMAIL PROTECTED]



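
Added example, not code from the thread: one way to do what Les describes, writing each NIC's MAC address into its ifcfg-ethX file as HWADDR so the rename step Michael points to can restore the expected names. It assumes the interfaces currently carry the intended names (for instance right after a probe script has sorted them out); `pin_hwaddr`, its directory arguments and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: record each interface's current MAC address as HWADDR in its
# ifcfg-ethX file. pin_hwaddr and its arguments are illustrative; on a real
# CentOS host the directories would be /sys/class/net and
# /etc/sysconfig/network-scripts.

# pin_hwaddr SYSFS_NET_DIR CFG_DIR
#   Appends HWADDR=<mac> to every ifcfg-eth* file that lacks one.
#   Prints the number of files changed; warnings go to stderr.
pin_hwaddr() {
    sysfs=$1
    cfgdir=$2
    changed=0
    for cfg in "$cfgdir"/ifcfg-eth*; do
        [ -f "$cfg" ] || continue
        dev=${cfg##*/ifcfg-}
        if [ ! -r "$sysfs/$dev/address" ]; then
            echo "skip $dev: interface not present" >&2
            continue
        fi
        # Upper-case both sides so the comparison is case-insensitive.
        mac=$(tr 'a-f' 'A-F' < "$sysfs/$dev/address")
        current=$(sed -n 's/^HWADDR=//p' "$cfg" | tr 'a-f' 'A-F')
        if [ -n "$current" ]; then
            # Already pinned: never overwrite, only report a mismatch.
            [ "$current" = "$mac" ] ||
                echo "warn $dev: HWADDR $current but device has $mac" >&2
            continue
        fi
        # Make sure the file ends with a newline before appending.
        [ -z "$(tail -c 1 "$cfg")" ] || echo >> "$cfg"
        printf 'HWADDR=%s\n' "$mac" >> "$cfg"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Constructed sample tree: two NICs present, three config files.
make_sample_tree() {
    tree=$1
    mkdir -p "$tree/sys/eth0" "$tree/sys/eth1" "$tree/cfg"
    echo "02:00:00:aa:bb:01" > "$tree/sys/eth0/address"
    echo "02:00:00:aa:bb:02" > "$tree/sys/eth1/address"
    # eth0: image-copied file without HWADDR and without a final newline
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes' > "$tree/cfg/ifcfg-eth0"
    # eth1: already pinned
    printf 'DEVICE=eth1\nHWADDR=02:00:00:AA:BB:02\nONBOOT=yes\n' \
        > "$tree/cfg/ifcfg-eth1"
    # eth2: config exists but the NIC does not
    printf 'DEVICE=eth2\nONBOOT=no\n' > "$tree/cfg/ifcfg-eth2"
}

# Demo on the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "files updated: $(pin_hwaddr "$demo/sys" "$demo/cfg")"
cat "$demo/cfg/ifcfg-eth0"
rm -rf "$demo"
```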


[CentOS] Out of disk space at 2 GB?

2008-01-12 Thread Scott Ehrlich
On an ext3 filesystem, what would cause the system to claim it is out of 
disk space for a program writing information to disk, when df -h shows 
ample GB available and the file is being written to local disk rather than 
an nfs-mounted filesystem?


I believe the hard drive is good.

Ideas welcome.

Thanks.

Scott


Re: [CentOS] Out of disk space at 2 GB?

2008-01-12 Thread mouss
Scott Ehrlich wrote:
> On an ext3 filesystem, what would cause the system to claim it is out of
> disk space for a program writing information to disk, when df -h shows
> ample GB available and the file is being written to local disk rather
> than an nfs-mounted filesystem?
> 
> I believe the hard drive is good.
> 
> Ideas welcome.


Check that it is not out of inodes.



Re: [CentOS] service nfs start hangs on CentOS 4

2008-01-12 Thread William L. Maltby
On Fri, 2008-01-11 at 20:12 +0100, Frank Büttner wrote:
> Frank Büttner wrote:
> > Milton Calnek wrote:
> >>
> >>
> >> Frank Büttner wrote:
> >>> [EMAIL PROTECTED] wrote:
> > Hello when I try to start nfs the command hangs.
> > I have found out, that the problem is, that I set an IP address at 
> > /etc/exports
> > sample:
> > /var/foo XXX.XXX.XXX(some rights)
> >

>  You might want to make sure that the portmap daemon is running.
> 
>  /etc/init.d/portmap status
> 
>   will tell you if it is running. If it is not..fire it up.
> 

> After long waiting I get an RPC timeout error

What's in your /etc/hosts.{allow | deny}? Even if portmap is running,
these files need to have the correct contents.

E.g. mine have

# hosts.allow   This file describes the names of the hosts which are
#   allowed to use the local INET services, as decided
#   by the '/usr/sbin/tcpd' server.
#
ALL: 192.168.2. 127.0.0.


# hosts.deny    This file describes the names of the hosts which are
#   *not* allowed to use the local INET services, as decided
#   by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In
# particular you should know that NFS uses portmap!
ALL: ALL

> 

HTH
-- 
Bill



Re: [CentOS] Out of disk space at 2 GB?

2008-01-12 Thread Les Mikesell

Scott Ehrlich wrote:
> On an ext3 filesystem, what would cause the system to claim it is out of
> disk space for a program writing information to disk, when df -h shows
> ample GB available and the file is being written to local disk rather
> than an nfs-mounted filesystem?
>
> I believe the hard drive is good.
>
> Ideas welcome.


If the application is old it might not have been compiled with large 
file support.


--
  Les Mikesell
   [EMAIL PROTECTED]


Re: [CentOS] [solved]service nfs start hangs on CentOS 4

2008-01-12 Thread Frank Büttner

William L. Maltby wrote:
> snip
>
> these files need to have the correct contents.
>
> E.g. mine have
>
> # hosts.allow   This file describes the names of the hosts which are
> #   allowed to use the local INET services, as decided
> #   by the '/usr/sbin/tcpd' server.
> #
> ALL: 192.168.2. 127.0.0.
>
>
> # hosts.deny    This file describes the names of the hosts which are
> #   *not* allowed to use the local INET services, as decided
> #   by the '/usr/sbin/tcpd' server.
> #
> # The portmap line is redundant, but it is left to remind you that
> # the new secure portmap uses hosts.deny and hosts.allow.  In
> # particular you should know that NFS uses portmap!
> ALL: ALL
>
> HTH

These files are both empty.

After a long try I found the problem. :)
It was a dead name server entry in /etc/resolv.conf.
After removing it, nfs works how it should.

Thanks for all help.




Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Sean Carolan



> sure, I use webmin's LDAP Users and Groups module on every network
> server that I maintain. It's perfect for my needs.

Yes, this is exactly what I'm trying to do.  It would be perfect for our
needs too.

> The first question that occurs to me is if you did all that. When you do
> 'getent passwd' does each user in LDAP show up? Remember that if you
> still have a user in /etc/passwd and in LDAP (which would be a fatal
> setup), they would actually appear twice.


Yep, each user shows up one time when I run 'getent passwd'.  I'm 
thinking that perhaps there is a problem in my /etc/ldap.conf since this 
is what it appears webmin is using to bind to the LDAP server.  Here's a 
copy of that file if it's any help.



#host 127.0.0.1
#base dc=domain,dc=com

suffix  "dc=domain,dc=com"
#rootbinddn "cn=Admin,dc=domain,dc=com"

uri ldap://127.0.0.1/
pam_password exop

ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group  ou=Group,dc=domain,dc=com
nss_base_hosts  ou=Hosts,dc=domain,dc=com

scope one



Re: [CentOS] md5 passwords?

2008-01-12 Thread Barry Brimer
> On a C4.4 system, I want to add md5 passwords for the grub boot menu to
> prevent users from making selections other than the default boot options.
>
> I also want to add md5 passwords when attempting single user mode boots (may
> be answered by first request).
>
> The same for C5 systems.




Re: [CentOS] centos command to monitor a process for exit

2008-01-12 Thread William L. Maltby
On Fri, 2008-01-11 at 16:06 -0800, Bill Campbell wrote:
> On Sat, Jan 12, 2008, mouss wrote:
> >Les Mikesell wrote:
> >> Jerry Geis wrote:
> >>> Is there a command that will monitor a process for exiting (crash or
> >>> normal exit) and
> >>> then execute another command based on the said process no longer being
> >>> active?
> >>>
> >>> Or is there a "wrapper" command that runs a process and when that
> >>> process exists
> >>> due to crashing or just exiting normally) that another process can be
> >>> run.
> >>>
> >> 
> >> Why not use a shell script as a wrapper?  If you don't put something in
> >> the background with an & on the line, the next line will execute when/if
> >> the program started on the current line exits.  There are nearly always
> >> other copies of the shell running anyway so you get shared-text
> >> efficiency.  If you just want to keep restarting the same program,
> >> something like this should run forever.
> >> 
> >> while :
> >>  do
> >>   my_program
> >>  done
> >> 
> >
> >This has two issues (at least):
> >- if the program is a daemon, it returns immediately, so the script will
> >try to start the program again and again
> >- if the script gets a signal, it will be killed. back to start.
> 
> If you use ``kill -0 pid'' it shouldn't affect the running process, and
> will return success ($? = 0) if the process is running, and fail otherwise.
> 
> A fairly standard way of checking things like this is:
> 
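> progname_pidfile=/var/run/progname.pid
> # Send signal $1 to the PID stored in the pidfile; signal 0 only tests for existence.
> progname_signal() {
>   [ -f "$progname_pidfile" ] && kill -"$1" "$(cat "$progname_pidfile")"
> }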
> if progname_signal 0
> then
>   echo is running
> else
>   echo not running
> fi
> 
> Bill

ISTM that the trap command could be quite useful in this scenario. "man
bash", under built-in commands. One can analyze various returns,
timestamp to prevent runaway restarting, etc.

I've used it in the (far distant) past to great advantage.

> 

HTH
-- 
Bill

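
Added example, not code from the thread: a wrapper that combines the suggestions above, using trap to forward a shutdown signal to the child and a timestamp check to stop runaway restarts (which also catches the daemon that returns immediately, the case mouss raises). `supervise` and its arguments are illustrative names.

```shell
#!/bin/sh
# Added example: restart wrapper with signal handling and a restart throttle.
# supervise is an illustrative name, not an existing tool.

# supervise MAX_FAST MIN_UPTIME CMD [ARGS...]
#   Runs CMD and restarts it whenever it exits.
#   A run shorter than MIN_UPTIME seconds counts as a fast exit (a crash
#   loop, or a daemon that forked into the background and returned at once).
#   After MAX_FAST consecutive fast exits the wrapper gives up and returns 1.
#   Returns 0 when it is stopped by SIGTERM or SIGINT.
supervise() {
    max_fast=$1
    min_uptime=$2
    shift 2
    fast=0
    stop=0
    child=
    # On TERM/INT: remember the request and pass TERM on to the child.
    trap 'stop=1; [ -z "$child" ] || kill -TERM "$child" 2>/dev/null || :' \
        TERM INT
    while [ "$stop" -eq 0 ]; do
        started=$(date +%s)
        "$@" &
        child=$!
        # wait returns the exit status of the child, or >128 if a trapped
        # signal interrupted the wait itself.
        wait "$child" && status=0 || status=$?
        if [ "$stop" -eq 1 ]; then
            wait "$child" 2>/dev/null || :   # reap the child we signalled
            break
        fi
        child=
        ran=$(( $(date +%s) - started ))
        if [ "$status" -gt 128 ]; then
            echo "exit: killed by signal $((status - 128)) after ${ran}s" >&2
        else
            echo "exit: status $status after ${ran}s" >&2
        fi
        if [ "$ran" -lt "$min_uptime" ]; then
            fast=$((fast + 1))
            if [ "$fast" -ge "$max_fast" ]; then
                echo "giving up after $fast fast exits in a row" >&2
                trap - TERM INT
                return 1
            fi
        else
            fast=0   # a healthy run resets the counter
        fi
    done
    trap - TERM INT
    return 0
}

# Demo: a command that fails at once is restarted twice, then abandoned.
supervise 2 1 sh -c 'exit 3' || echo "wrapper stopped restarting the command"
```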


Re: [CentOS] [solved]service nfs start hangs on CentOS 4

2008-01-12 Thread William L. Maltby
On Sat, 2008-01-12 at 16:07 +0100, Frank Büttner wrote:
> William L. Maltby wrote:
> snip
> > these files need to have the correct contents.
> > 
> > E.g. mine have
> > 
> > # hosts.allow   This file describes the names of the hosts which are
> > #   allowed to use the local INET services, as decided
> > #   by the '/usr/sbin/tcpd' server.
> > #
> > ALL: 192.168.2. 127.0.0.
> > 
> > 
> > # hosts.deny    This file describes the names of the hosts which are
> > #   *not* allowed to use the local INET services, as decided
> > #   by the '/usr/sbin/tcpd' server.
> > #
> > # The portmap line is redundant, but it is left to remind you that
> > # the new secure portmap uses hosts.deny and hosts.allow.  In
> > # particular you should know that NFS uses portmap!
> > ALL: ALL
> > 
> >> 
> > 
> > HTH
> These files are both empty.
> 
> After a long try I found the problem. :)
> It was a dead name server entry in /etc/resolv.conf.
> After removing it, nfs works how it should.

That is good to hear. If you have any exposure to the 'Net or some
untrusted users on your local net, it would be good to have some rules in
the /etc/hosts.{allow | deny}.

> 

-- 
Bill



Re: [CentOS] [solved]service nfs start hangs on CentOS 4

2008-01-12 Thread Frank Büttner

William L. Maltby wrote:

> That is good to hear. If you have any exposure to the 'Net or some
> untrusted users on your local net, it would be good to have some rules in
> the /etc/hosts.{allow | deny}.

This was done by iptables :)
Only allowed hosts can connect to the system; packages from other hosts
are simply dropped.




Re: [CentOS] Out of disk space at 2 GB?

2008-01-12 Thread Joshua Gimer
By default 5% of the disk is going to be allocated for use by the root
user. If you are seeing as a non-root user that the disk is full, but
when you become root you are able to write files, then this could be
your issue. You can change the number of blocks that are allocated for
root by using the -m switch with tune2fs.


Just a thought
Joshua Gimer

On Jan 12, 2008, at 7:49 AM, Les Mikesell wrote:

> Scott Ehrlich wrote:
>> On an ext3 filesystem, what would cause the system to claim it is
>> out of disk space for a program writing information to disk, when
>> df -h shows ample GB available and the file is being written to
>> local disk rather than an nfs-mounted filesystem?
>>
>> I believe the hard drive is good.
>> Ideas welcome.
>
> If the application is old it might not have been compiled with large
> file support.
>
> --
>  Les Mikesell
>   [EMAIL PROTECTED]


Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Craig White
On Sat, 2008-01-12 at 09:11 -0600, Sean Carolan wrote:
> > sure, I use webmin's LDAP Users and Groups module on every network
> > server that I maintain. It's perfect for my needs.
> 
> Yes, this is exactly what I'm trying to do.  It would be perfect for our 
> needs too.
> 
> > The first question that occurs to me is if you did all that. When you do
> > 'getent passwd' does each user in LDAP show up? Remember that if you
> > still have a user in /etc/passwd and in LDAP (which would be a fatal
> > setup), they would actually appear twice.
> 
> Yep, each user shows up one time when I run 'getent passwd'.  I'm 
> thinking that perhaps there is a problem in my /etc/ldap.conf since this 
> is what it appears webmin is using to bind to the LDAP server.  Here's a 
> copy of that file if it's any help.

not really, have you run system-config-authentication ? That also
configures pam & nss which are necessary items.

If each user shows only once AND they are in /etc/passwd and LDAP, then
it would be a clear indication that the underlying system isn't
configured to find users/groups/passwords in LDAP at all. If each user
has been removed from /etc/passwd, then it may very well be working.

Configuring Webmin's LDAP Users and Groups is only possible when you
have configured the underlying system first, can actually do command
line add/remove/delete ldap users and can authenticate as an LDAP user
to various systems such as ssh. At that point, Webmin's configuration
becomes obvious. It is not reasonable to expect Webmin to supply the
understanding of LDAP that the administrator cannot accomplish without
Webmin.

Craig



Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Sean Carolan

> not really, have you run system-config-authentication ? That also
> configures pam & nss which are necessary items.

Yes, I have and unfortunately when the 'ldap' tags are added to
/etc/nsswitch.conf the system won't allow me to authenticate, su or sudo
at all!

> If each user shows only once AND they are in /etc/passwd and LDAP, then
> it would be a clear indication that the underlying system isn't
> configured to find users/groups/passwords in LDAP at all. If each user
> has been removed from /etc/passwd, then it may very well be working.

I'm hesitant to remove users from /etc/passwd and rely on LDAP for
authentication before I'm sure it is working.  Can you not have the
system attempt first to authenticate users via LDAP, then fall back to
pam_unix if that doesn't work?

> Configuring Webmin's LDAP Users and Groups is only possible when you
> have configured the underlying system first, can actually do command
> line add/remove/delete ldap users and can authenticate as an LDAP user
> to various systems such as ssh. At that point, Webmin's configuration
> becomes obvious. It is not reasonable to expect Webmin to supply the
> understanding of LDAP that the administrator cannot accomplish without
> Webmin.


This is where I'm stuck.  As soon as I try to turn on the system 
authentication by editing /etc/pam.d/system_auth and /etc/nsswitch.conf 
the system becomes unusable.   Try to run "su -" and it just sits there 
and hangs.  I know it's my own fault for not configuring it right, I 
just wish the available documentation gave some detailed examples. 
There is so much incorrect and incomplete information out there on the 
web that I'm not sure what to try.



Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Craig White
On Sat, 2008-01-12 at 10:44 -0600, Sean Carolan wrote:
> > not really, have you run system-config-authentication ? That also
> > configures pam & nss which are necessary items.
> 
> Yes, I have and unfortunately when the 'ldap' tags are added to 
> /etc/nsswitch.conf the system won't allow me to authenticate, su or sudo 
> at all!
> 
> > 
> > If each user shows only once AND they are in /etc/passwd and LDAP, then
> > it would be a clear indication that the underlying system isn't
> > configured to find users/groups/passwords in LDAP at all. If each user
> > has been removed from /etc/passwd, then it may very well be working.
> 
> I'm hesitant to remove users from /etc/passwd and rely on LDAP for 
> authentication before I'm sure it is working.  Can you not have the 
> system attempt first to authenticate users via LDAP, then fall back to 
> pam_unix if that doesn't work?
> 
> > Configuring Webmin's LDAP Users and Groups is only possible when you
> > have configured the underlying system first, can actually do command
> > line add/remove/delete ldap users and can authenticate as an LDAP user
> > to various systems such as ssh. At that point, Webmin's configuration
> > becomes obvious. It is not reasonable to expect Webmin to supply the
> > understanding of LDAP that the administrator cannot accomplish without
> > Webmin.
> 
> This is where I'm stuck.  As soon as I try to turn on the system 
> authentication by editing /etc/pam.d/system_auth and /etc/nsswitch.conf 
> the system becomes unusable.   Try to run "su -" and it just sits there 
> and hangs.  I know it's my own fault for not configuring it right, I 
> just wish the available documentation gave some detailed examples. 
> There is so much incorrect and incomplete information out there on the 
> web that I'm not sure what to try.

#1 - Don't edit system-auth and nsswitch.conf by hand and also run
system-config-authentication...the processes are mutually defeating.
Just use system-config-authentication as it is designed to make the
changes to both of those files and also /etc/ldap.conf as it sees fit.
It works.

#2 - You probably need to add the following lines to /etc/ldap.conf to
smooth things...

timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap

This will solve your issues with 'su -' and the length of time it takes.

I previously gave you links to CentOS documentation (which was lifted
from RHEL) which discusses Red Hat's integration for using LDAP to
authenticate. I also gave you the link to openldap.org administrator
guide for using LDAP and I think I directed you to Gerald Carter's book
which simplifies it. There also is information on TLDP web site.

If you are dismayed by the lack of detailed information on the web, it's
only because:
- LDAP wasn't designed to do authentication in the first place
- There is no one way to do authentication via LDAP, but rather a lot of
methodologies.
- LDAP is a tool that merely seeks to provide responsive usage to an
ever increasing set of RFCs. Authentication is but one thing that
LDAP provides. The expectation that the usage of LDAP to accomplish a
task should be apparent is like expecting GIMP to make you an artist.

Start with 'test' users that don't exist in /etc/passwd until you get
confidence.

Craig
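
The /etc/ldap.conf lines in the reply above, together with the /etc/nsswitch.conf source order asked about earlier in the thread, can be checked before any local account is removed. The script below is an added example, not part of the thread or of any CentOS tool; the function names, the sample files and the rule that "files" must come first in nsswitch.conf are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit an nss_ldap/pam_ldap client for the settings discussed above.

# Print the value of the first uncommented "<directive> <value>" line in ldap.conf.
ldap_conf_value() {    # $1 = file, $2 = directive (lower case)
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print the source list of one nsswitch.conf database, e.g. "files ldap".
nss_sources() {        # $1 = file, $2 = database name
    awk -v db="$2:" '
        /^[ \t]*(#|$)/ { next }
        $1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Report findings on stdout; return 0 only when there are none.
audit_ldap_client() {  # $1 = ldap.conf, $2 = nsswitch.conf
    findings=0
    policy=$(ldap_conf_value "$1" bind_policy)
    if [ "$policy" != soft ]; then
        echo "ldap.conf: bind_policy is '${policy:-unset}', expected 'soft'"
        findings=$((findings + 1))
    fi
    for key in timelimit bind_timelimit; do
        case $(ldap_conf_value "$1" "$key") in
            ''|*[!0-9]*)
                echo "ldap.conf: $key is missing or not a number of seconds"
                findings=$((findings + 1)) ;;
        esac
    done
    case ",$(ldap_conf_value "$1" nss_initgroups_ignoreusers)," in
        *,root,*) ;;
        *)  echo "ldap.conf: root is not in nss_initgroups_ignoreusers"
            findings=$((findings + 1)) ;;
    esac
    # Assumption of this example: local accounts (root above all) should resolve
    # from the local files before LDAP is asked, so "files" must be the first source.
    for db in passwd shadow group; do
        sources=$(nss_sources "$2" "$db")
        if [ "${sources%% *}" != files ]; then
            echo "nsswitch.conf: $db sources are '${sources:-unset}', want 'files' first"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not taken from any real host).
write_samples() {      # $1 = directory to write into
    cat > "$1/ldap.conf.good" <<'EOF'
host server.domain.com
base dc=domain,dc=com
timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap
EOF
    cat > "$1/ldap.conf.bad" <<'EOF'
host server.domain.com
base dc=domain,dc=com
timelimit 30
EOF
    printf '%s\n' 'passwd: files ldap' 'shadow: files ldap' 'group: files ldap' \
        > "$1/nsswitch.conf.good"
    printf '%s\n' 'passwd: ldap files' 'shadow: files ldap' 'group: ldap' \
        > "$1/nsswitch.conf.bad"
}

# Demo run against the constructed "bad" pair.
demo=$(mktemp -d)
write_samples "$demo"
audit_ldap_client "$demo/ldap.conf.bad" "$demo/nsswitch.conf.bad" || echo "(findings listed above)"
rm -rf "$demo"
```

On a real host the two arguments would be /etc/ldap.conf and /etc/nsswitch.conf.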



Re: [CentOS] centos command to monitor a process for exit

2008-01-12 Thread Daniel de Kok
On 1/10/08, Jerry Geis <[EMAIL PROTECTED]> wrote:
> Is there a command that will monitor a process for exiting (crash or
> normal exit) and
> then execute another command based on the said process no longer being
> active?

If you want something simple, the wait(1) command can block until some
process specified by its PID terminates.

-- Daniel


[CentOS] Sendmail and the $h (solved)

2008-01-12 Thread Jason Pyeron
I feel dirty after trolling through the .cf file.

Plussed addresses will not work w/ procmail if there is a typo in the
sendmail.mc



Works:

/etc/mail/sendmaill.mc
  Addr 0 1  2 3  4 5  6 7  8 9  A B  C D  E F 0 2 4 6 8 A C E
          
0610    --0a 4645 4154 5552 4528 6d61 -.FEATURE(ma
0620  7371 7565 7261 6465 5f65 6e76 656c 6f70 squerade_envelop
0630  6529 0a--       e).-


Does not work (note the space before the new line):

/etc/mail/sendmaill.mc.bad
  Addr 0 1  2 3  4 5  6 7  8 9  A B  C D  E F 0 2 4 6 8 A C E
          
0600     0a46 4541 5455 5245 286d --.FEATURE(m
0610  6173 7175 6572 6164 655f 656e 7665 6c6f asquerade_envelo
0620  7065 2920 0a--      pe) .---

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Sr. Consultant10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
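
The only difference between the two dumps above is the 0x20 between the closing ")" and the newline. The script below is an added example, not part of the original post or of sendmail; it flags such lines in a .mc file before sendmail.cf is rebuilt, and the function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example: find macro lines in a sendmail .mc file that have blanks between
# the closing ")" (or a trailing "dnl") and the newline, as in the failing dump.

TAB=$(printf '\t')

# Print "LINENO: text" for each offending line; return 1 if any were found.
mc_trailing_ws() {         # $1 = .mc file
    awk '
        /^[ \t]*dnl([ \t]|$)/ { next }              # whole-line m4 comment
        /(\)|dnl)[ \t]+$/ { printf "%d: %s\n", NR, $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Hex bytes of one line including its newline, with no separators.
line_hex() {               # $1 = file, $2 = line number
    sed -n "${2}p" "$1" | od -An -tx1 | tr -d ' \n'
}

# Write a cleaned copy to stdout: blanks after a final ")" or "dnl" are removed.
mc_strip_trailing_ws() {   # $1 = .mc file
    sed -e "s/)[ $TAB]*\$/)/" -e "s/dnl[ $TAB]*\$/dnl/" "$1"
}

# Constructed sample: line 4 ends in ")", a blank and a newline, like the bad dump.
write_sample_mc() {        # $1 = output file
    cat > "$1" <<'EOF'
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
EOF
    printf 'FEATURE(masquerade_envelope) \n' >> "$1"
    printf 'MAILER(procmail)dnl\n' >> "$1"
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_mc "$sample"
mc_trailing_ws "$sample" || echo "fix the lines listed above, then rebuild sendmail.cf"
rm -f "$sample"
```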



Re: [CentOS] Sendmail and the $h (solved)

2008-01-12 Thread Ignacio Vazquez-Abrams
On Sat, 2008-01-12 at 13:32 -0500, Jason Pyeron wrote:
> I feel dirty after trolling through the .cf file.
> 
> Plussed addresses will not work w/ procmail if there is a typo in the
> sendmail.mc

> Does not work (note the space before the new line):

Yeah, m4 is psychotic that way.

-- 
Ignacio Vazquez-Abrams <[EMAIL PROTECTED]>

PLEASE don't CC me; I'm already subscribed


Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Sean Carolan
Thanks for your patience, Craig.   So I took your advice and started
with a fresh install of CentOS 5, and followed the instructions in the
documentation exactly as they are written.  I got this far:

[EMAIL PROTECTED] migration]# ./migrate_all_online.sh
Enter the X.500 naming context you wish to import into: [dc=domain,dc=com]
Enter the hostname of your LDAP server [ldap]: server.domain.com
Enter the manager DN: [cn=manager,dc=domain,dc=com]:
Enter the credentials to bind with:
Do you wish to generate a DUAConfigProfile [yes|no]? no

Importing into dc=domain,dc=com...

Creating naming context entries...
Migrating groups...
Migrating hosts...
Migrating networks...
Migrating users...
Migrating protocols...
Migrating rpcs...
Migrating services...
Migrating netgroups...
Migrating netgroups (by user)...
Migrating netgroups (by host)...
ldap_bind: Invalid credentials (49)
Importing into LDAP...
ldap_bind: Invalid credentials (49)
/usr/bin/ldapadd: returned non-zero exit status: saving failed LDIF to
/tmp/nis.ldif.Hh9210

I will go and read all of the links you sent me, but it's very
frustrating to follow even a simple tutorial for the OS and have it
not work.  Because I have little experience with LDAP I don't know
whether it's a problem with the documentation, or human error.


Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Craig White
On Sat, 2008-01-12 at 17:00 -0600, Sean Carolan wrote:
> Thanks for your patience, Craig.   So I took your advice and started
> with a fresh install of CentOS 5, and followed the instructions in the
> documentation exactly as they are written.  I got this far:
> 
> [EMAIL PROTECTED] migration]# ./migrate_all_online.sh
> Enter the X.500 naming context you wish to import into: [dc=domain,dc=com]
> Enter the hostname of your LDAP server [ldap]: server.domain.com
> Enter the manager DN: [cn=manager,dc=domain,dc=com]:
> Enter the credentials to bind with:
> Do you wish to generate a DUAConfigProfile [yes|no]? no
> 
> Importing into dc=domain,dc=com...
> 
> Creating naming context entries...
> Migrating groups...
> Migrating hosts...
> Migrating networks...
> Migrating users...
> Migrating protocols...
> Migrating rpcs...
> Migrating services...
> Migrating netgroups...
> Migrating netgroups (by user)...
> Migrating netgroups (by host)...
> ldap_bind: Invalid credentials (49)
> Importing into LDAP...
> ldap_bind: Invalid credentials (49)
> /usr/bin/ldapadd: returned non-zero exit status: saving failed LDIF to
> /tmp/nis.ldif.Hh9210
> 
> I will go and read all of the links you sent me, but it's very
> frustrating to follow even a simple tutorial for the OS and have it
> not work.  Because I have little experience with LDAP I don't know
> whether it's a problem with the documentation, or human error.

Just so we're clear here, you are actually trying to learn two distinct
things simultaneously, how to use LDAP and how to use LDAP to
authenticate. They are not the same thing. If you knew how to use LDAP,
adding authentication to the knowledge base would be relatively trivial.
Likewise, if you knew how to use LDAP, configuring Webmin would be
relatively trivial.

I can tell you that Gerald Carter's book makes the entire process
painless but you are going to do it your way and I respect that to a
point...but ask that you recognize that you do so at the peril of
massive frustration.

invalid credentials (error 49) is what you get when the binddn you are
using doesn't work. To do a live add, it presumes that you have already
created the password with the slappasswd command and entered that value
for the password as rootbinddn in slapd.conf and that you are telling
migrate_all_online.sh to use that exact same rootbinddn.

Make sense?

Craig



[CentOS] Is there any problem with updates repo ?????

2008-01-12 Thread Manuel Enrique Chavez Manzano
when I tried to update my centos i got this message 
why???

Setting up repositories
base                      100% |=| 1.1 kB    00:00
updates                   100% |=|  951 B    00:00
addons                    100% |=|  951 B    00:00
extras                    100% |=| 1.1 kB    00:00
Determining fastest mirrors
Reading repository metadata in from local files
primary.xml.gz            100% |=| 834 kB    00:00
## 2400/2400
primary.xml.gz            100% |=|  87 kB    00:00
http://mirror.centos.org/centos/5/updates/i386/repodata/primary.xml.gz: [Errno -1] Metadata file does not match checksum
Trying other mirror.
Error: failure: repodata/primary.xml.gz from updates: [Errno 256] No more mirrors to try.


-- 
"Our reward is found in the effort and not in the result.
A total effort is a complete victory."
Mahatma Gandhi
  (@ @)
   |--o00o-(_)-o00o--|
   |Manuel Enrique Chávez Manzano|
   |[EMAIL PROTECTED]  | 
   |[EMAIL PROTECTED] |
   |GNU/LINUX User   |
   |#424754  |
   |Using CentOS 5   |
   |---ooo--ooo--|




Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Sean Carolan
> Just so we're clear here, you are actually trying to learn two distinct
> things simultaneously, how to use LDAP and how to use LDAP to
> authenticate. They are not the same thing. If you knew how to use LDAP,
> adding authentication to the knowledge base would be relatively trivial.
> Likewise, if you knew how to use LDAP, configuring Webmin would be
> relatively trivial.

Thank you for the info.  I understand that LDAP and authentication are
not the same thing.  We use LDAP within our organization for storing
other types of data but most of the staff do not like to deal with it.
 In fact some team members were opposed to using LDAP for
authentication, now I understand why!  It seems to be a pain in the
ass to learn how to use and configure.

> I can tell you that Gerald Carter's book makes the entire process
> painless but you are going to do it your way and I respect that to a
> point...but ask that you recognize that you do so at the peril of
> massive frustration.

At this point I am leaning toward using kerberos instead.  It took me
20 minutes to get a working kerberos server installation up and
running, and I can now easily add new users and authenticate them,
manage tickets, etc.  Now I understand what you meant about LDAP not
being designed for authentication.  Thank you again for your time,
Craig.  This was a good learning experience for me.

thanks

Sean


Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Craig White
On Sat, 2008-01-12 at 17:49 -0600, Sean Carolan wrote:
> > Just so we're clear here, you are actually trying to learn two distinct
> > things simultaneously, how to use LDAP and how to use LDAP to
> > authenticate. They are not the same thing. If you knew how to use LDAP,
> > adding authentication to the knowledge base would be relatively trivial.
> > Likewise, if you knew how to use LDAP, configuring Webmin would be
> > relatively trivial.
> 
> Thank you for the info.  I understand that LDAP and authentication are
> not the same thing.  We use LDAP within our organization for storing
> other types of data but most of the staff do not like to deal with it.
>  In fact some team members were opposed to using LDAP for
> authentication, now I understand why!  It seems to be a pain in the
> ass to learn how to use and configure.
> 
> > I can tell you that Gerald Carter's book makes the entire process
> > painless but you are going to do it your way and I respect that to a
> > point...but ask that you recognize that you do so at the peril of
> > massive frustration.
> 
> At this point I am leaning toward using kerberos instead.  It took me
> 20 minutes to get a working kerberos server installation up and
> running, and I can now easily add new users and authenticate them,
> manage tickets, etc.  Now I understand what you meant about LDAP not
> being designed for authentication.  Thank you again for your time,
> Craig.  This was a good learning experience for me.

sure but for less than $20 and 2-3 hours, you can master LDAP and be the
envy of all the guys in your office and the object of affection for all
the ladies.

;-)

kerberos is actually a more secure authentication system because
passwords don't continually cross the network.

Craig



[CentOS] ERROR during HTTP install from a Centos mirror

2008-01-12 Thread fred smith
Hi!

I'm trying to install centos 5.1 as a http installation from a centos
mirror.

i've done it before with Fedora, figured I could do it with Centos, too,
but every time I try it, it goes all the way thru Anaconda to the point
of entering the root password, then I get an error about not being
able to find the repodata.

I note that the section in the "upstream" manuals about network installs
imply (without ever being extremely specific) that you would have your
own server with the files on it. Is this some limitation that prevents
us from using a centos mirror instead?

Anyway, I've tried with two mirrors. when it asked me for the system
name and the path to the directory, I entered this (for one of the
tries):

www.gtlib.gatech.edu
/pub/centos/5.1/os/i386

and for the other mirror

mirror.rhsmith.umd.edu
/pub/centos/5.1/os/i386

in the two lines of the form.

Is this right? (the manuals aren't really really terribly explicit).

Thanks!

-- 
 Fred Smith -- [EMAIL PROTECTED] -
The Lord is like a strong tower. 
 Those who do what is right can run to him for safety.
--- Proverbs 18:10 (niv) -




Re: [CentOS] ERROR during HTTP install from a Centos mirror

2008-01-12 Thread Akemi Yagi
On Jan 12, 2008 5:03 PM, fred smith <[EMAIL PROTECTED]> wrote:

> www.gtlib.gatech.edu
> /pub/centos/5.1/os/i386
>
> and for the other mirror
>
> mirror.rhsmith.umd.edu
> /pub/centos/5.1/os/i386
>
> in the two lines of the form.
>
> Is this right? (the manuals aren't really really terribly explicit).

They both look correct to me.  But you may be having some network /
connection issue to the servers.  Take a look at the mirror list and
find the one that gives you a stable and fast connection.  It may not
necessarily be physically closest to you.

http://www.centos.org/modules/tinycontent/index.php?id=13

Another thing you might want to consider as an option is to try a
minimal type install and later yum install other packages as needed.

Akemi


Re: [CentOS] ERROR during HTTP install from a Centos mirror

2008-01-12 Thread Craig White
On Sat, 2008-01-12 at 20:03 -0500, fred smith wrote:
> Hi!
> 
> I'm trying to install centos 5.1 as a http installation from a centos
> mirror.
> 
> i've done it before with Fedora, figured I could do it with Centos, too,
> but every time I try it, it goes all the way thru Anaconda to the point
> of entering the root password, then I get an error about not being
> able to find the repodata.
> 
> I note that the section in the "upstream" manuals about network installs
> imply (without ever being extremely specific) that you would have your
> own server with the files on it. Is this some limitation that prevents
> us from using a centos mirror instead?
> 
> Anyway, I've tried with two mirrors. when it asked me for the system
> name and the path to the directory, I entered this (for one of the
> tries):
> 
> www.gtlib.gatech.edu
> /pub/centos/5.1/os/i386
> 
> and for the other mirror
> 
> mirror.rhsmith.umd.edu
> /pub/centos/5.1/os/i386
> 
> in the two lines of the form.
> 
> Is this right? (the manuals aren't really really terribly explicit).

I would expect it to work as you had it though...
- I would use /pub/centos/5/os/i386
- I would use the same boot disc, i.e.

http://www.gtlib.gatech.edu/pub/centos/5/isos/i386/CentOS-5.1-i386-bin-1of6.iso
  to boot the computer

but either way, it should have worked though I thought that the Georgia
Tech web server was quite slow to respond...perhaps anaconda is just
timing out.

as with your path (5.1), the repodata directory is indeed there...

http://www.gtlib.gatech.edu/pub/centos/5/os/i386/repodata/

Craig



Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Ross S. W. Walker

In fact Kerberos and LDAP are two great tastes that go well together.

Keep user information and authorization information in LDAP while keeping user 
authentication information in Kerberos.

Later you could try to keep Kerberos authentication information in LDAP with 
Heimdel (spelling?) Kerberos (like MS AD does) though many purists feel this 
compromises the whole Kerberos security principal. Maybe it does, but it sure 
makes for easy redundancy.

-Ross


- Original Message -
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: CentOS mailing list 
Sent: Sat Jan 12 18:49:31 2008
Subject: Re: [CentOS] Howto for LDAP authentication with replication

> Just so we're clear here, you are actually trying to learn two distinct
> things simultaneously, how to use LDAP and how to use LDAP to
> authenticate. They are not the same thing. If you knew how to use LDAP,
> adding authentication to the knowledge base would be relatively trivial.
> Likewise, if you knew how to use LDAP, configuring Webmin would be
> relatively trivial.

Thank you for the info.  I understand that LDAP and authentication are
not the same thing.  We use LDAP within our organization for storing
other types of data but most of the staff do not like to deal with it.
 In fact some team members were opposed to using LDAP for
authentication, now I understand why!  It seems to be a pain in the
ass to learn how to use and configure.

> I can tell you that Gerald Carter's book makes the entire process
> painless but you are going to do it your way and I respect that to a
> point...but ask that you recognize that you do so at the peril of
> massive frustration.

At this point I am leaning toward using kerberos instead.  It took me
20 minutes to get a working kerberos server installation up and
running, and I can now easily add new users and authenticate them,
manage tickets, etc.  Now I understand what you meant about LDAP not
being designed for authentication.  Thank you again for your time,
Craig.  This was a good learning experience for me.

thanks

Sean


Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Nicolas Sahlqvist
On 1/13/08, Ross S. W. Walker <[EMAIL PROTECTED]> wrote:
>
> In fact Kerberos and LDAP are two great tastes that go well together.
>
> Keep user information and authorization information in LDAP while keeping user
> authentication information in Kerberos.
>
> Later you could try to keep Kerberos authentication information in LDAP with
> Heimdel (spelling?) Kerberos (like MS AD does) though many purists feel this
> compromises the whole Kerberos security principal. Maybe it does, but it
> sure makes for easy redundancy.
>
> -Ross
>
>
> - Original Message -
> From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> To: CentOS mailing list 
> Sent: Sat Jan 12 18:49:31 2008
> Subject: Re: [CentOS] Howto for LDAP authentication with replication
>
> > Just so we're clear here, you are actually trying to learn two distinct
> > things simultaneously, how to use LDAP and how to use LDAP to
> > authenticate. They are not the same thing. If you knew how to use LDAP,
> > adding authentication to the knowledge base would be relatively trivial.
> > Likewise, if you knew how to use LDAP, configuring Webmin would be
> > relatively trivial.
>
> Thank you for the info.  I understand that LDAP and authentication are
> not the same thing.  We use LDAP within our organization for storing
> other types of data but most of the staff do not like to deal with it.
>  In fact some team members were opposed to using LDAP for
> authentication, now I understand why!  It seems to be a pain in the
> ass to learn how to use and configure.
>
> > I can tell you that Gerald Carter's book makes the entire process
> > painless but you are going to do it your way and I respect that to a
> > point...but ask that you recognize that you do so at the peril of
> > massive frustration.
>
> At this point I am leaning toward using kerberos instead.  It took me
> 20 minutes to get a working kerberos server installation up and
> running, and I can now easily add new users and authenticate them,
> manage tickets, etc.  Now I understand what you meant about LDAP not
> being designed for authentication.  Thank you again for your time,
> Craig.  This was a good learning experience for me.
>
> thanks
>
> Sean


Re: [CentOS] Howto for LDAP authentication with replication

2008-01-12 Thread Sean Carolan
> sure but for less than $20 and 2-3 hours, you can master LDAP and be the
> envy of all the guys in your office and the object of affection for all
> the ladies.
>
> ;-)
>
> kerberos is actually a more secure authentication system because
> passwords don't continually cross the network.

I do plan to get some books and read up on this some more.  Thank you
again for all the suggestions.  The centos mailing list seems like a
good resource with some smart people on it.


[CentOS] Can TFTPD run in a chroot jail?

2008-01-12 Thread Eric B.
Hi,

I've been struggling with this problem for the last couple of hours and am 
nowhere near solving the problem.  I am trying to run a tftp server in a 
chroot jail.  Now perhaps I am being paranoid, but I would like to have it 
launched from within its own jail even if it supposedly does a chroot itself 
and runs with a parameterizable user.

I downloaded the atftp-server package and tried to set up my own tftpd jail. 
I copied over the linked libs to the proper place, the /etc/passwd, 
/etc/groups, /etc/hosts, /etc/nsswitch.conf, /etc/resolv, /etc/services 
files.  I even created the dev/null device and set up syslog to read from 
the jail/dev/log device.

However, I can't seem to launch it from within the jail.  It works fine when 
I try from the regular prompt, but when I try to launch from within the 
jail, I doesn't want to start:

[EMAIL PROTECTED] tftpd]# /usr/sbin/chroot  /chroot/tftpd/ 
 /usr/sbin/atftpd --daemon --no-fork

in /var/log/messages:
Jan 12 23:09:02 apollo atftpd[17479]: atftpd: udp/tftp, unknown service


So it apparently is unable to read my /chroot/tftpd/etc/services file.  If I 
set the port number manually:
[EMAIL PROTECTED] tftpd]# /usr/sbin/chroot  /chroot/tftpd/ 
 /usr/sbin/atftpd --daemon --no-fork --port 69 -user eric.eric

Jan 12 23:16:05 apollo atftpd[17556]: atftpd: can't change identity to 
eric.eric, exiting.


I know the tftpd daemon is able to read the /chroot/tftpd/etc/ directory as 
it is properly reading my /etc/localtime file (if i remove /etc/localtime 
the logged timestamp changes).

Can anyone point me in the right direction as to things to try?  I've tried 
everything I can think of, and even then some things, but just can't figure 
it out...

Thanks!

Eric
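
Both log messages in the post above come from name lookups made inside the jail: the service "tftp/udp" and the user "eric.eric". The script below is an added example, not part of the thread or of atftpd, that checks a jail for the files those lookups need. The libnss_files check is an assumption about the likely cause, based on glibc on CentOS 4 and 5 shipping its NSS backends as separate libnss_*.so files; the function names and the sample jail are constructed for the example.

```shell
#!/bin/sh
# Added example: check that a chroot jail holds what glibc needs to resolve the
# service name and the user/group a daemon asks for.

# Return 0 when at least one of the given paths exists (unmatched globs do not).
any_exists() {
    for path in "$@"; do
        if [ -e "$path" ]; then return 0; fi
    done
    return 1
}

# Report problems on stdout; return 0 only when there are none.
check_jail() {             # $1 = jail root, $2 = user, $3 = group
    jail=$1 problems=0
    for f in etc/passwd etc/group etc/services etc/nsswitch.conf; do
        if [ ! -r "$jail/$f" ]; then
            echo "missing /$f"; problems=$((problems + 1))
        fi
    done
    # glibc loads the "files" NSS backend with dlopen() at run time, so ldd on the
    # daemon does not list it; without it service and user lookups fail in the jail.
    if ! any_exists "$jail"/lib/libnss_files.so.* "$jail"/lib64/libnss_files.so.*; then
        echo "missing libnss_files.so.* under /lib or /lib64"
        problems=$((problems + 1))
    fi
    if [ -r "$jail/etc/services" ] &&
       ! awk '$1 == "tftp" && $2 ~ /\/udp$/ { ok = 1 } END { exit !ok }' "$jail/etc/services"
    then
        echo "no tftp/udp entry in /etc/services"; problems=$((problems + 1))
    fi
    if [ -r "$jail/etc/passwd" ] &&
       ! awk -F: -v u="$2" '$1 == u { ok = 1 } END { exit !ok }' "$jail/etc/passwd"
    then
        echo "user $2 not in /etc/passwd"; problems=$((problems + 1))
    fi
    if [ -r "$jail/etc/group" ] &&
       ! awk -F: -v g="$3" '$1 == g { ok = 1 } END { exit !ok }' "$jail/etc/group"
    then
        echo "group $3 not in /etc/group"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample jail: the group file is named as written in the post
# (etc/groups) and no NSS library has been copied in.
make_sample_jail() {       # $1 = empty directory
    mkdir -p "$1/etc" "$1/lib" "$1/usr/sbin"
    printf 'root:x:0:0:root:/root:/bin/sh\neric:x:500:500::/home/eric:/bin/sh\n' \
        > "$1/etc/passwd"
    printf 'root:x:0:\neric:x:500:\n' > "$1/etc/groups"
    printf 'tftp\t\t69/tcp\ntftp\t\t69/udp\n' > "$1/etc/services"
    printf 'passwd: files\ngroup: files\nservices: files\n' > "$1/etc/nsswitch.conf"
}

# Demo run against the constructed jail.
demo=$(mktemp -d)
make_sample_jail "$demo"
check_jail "$demo" eric eric || echo "jail is incomplete"
rm -rf "$demo"
```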





Re: [CentOS] Out of disk space at 2 GB?

2008-01-12 Thread Fajar Priyanto
On Saturday 12 January 2008 21:23:13 Scott Ehrlich wrote:
> On an ext3 filesystem, what would cause the system to claim it is out of
> disk space for a program writing information to disk, when df -h shows
> ample GB available and the file is being written to local disk rather than
> an nfs-mounted filesystem?

It's a long shot, maybe the imposing filesize limit is the program itself 
such as apache's 2GB limit?
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
10:02:09 up 1 day, 14:00, 2.6.22-14-generic GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.




Re: [CentOS] "find" switch to find files of a certain size?

2008-01-12 Thread Fajar Priyanto
On Thursday 10 January 2008 23:21:55 [EMAIL PROTECTED] wrote:
> Is there a switch in "find" (or some other command besides find) that'll
> let you find files larger than a specified size?
>
> My file system is 88% full and I'd like to see where the biggest space
> hoggers are.

I also found this on the net:
du /path/to/anywhere/* -hs | grep [0-9]M | sort -rn | head -20

It will sort the space usage of each directory.
HTH,
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 
http://linux2.arinet.org
10:15:48 up 1 day, 14:14, 2.6.22-14-generic GNU/Linux 
Let's use OpenOffice. http://www.openoffice.org
The real challenge of teaching is getting your students motivated to learn.




Re: [CentOS] ERROR during HTTP install from a Centos mirror

2008-01-12 Thread fred smith
On Sat, Jan 12, 2008 at 06:18:51PM -0700, Craig White wrote:
> On Sat, 2008-01-12 at 20:03 -0500, fred smith wrote:
> > Hi!
> > 
> > I'm trying to install centos 5.1 as a http installation from a centos
> > mirror.
> > 
> > i've done it before with Fedora, figured I could do it with Centos, too,
> > but every time I try it, it goes all the way thru Anaconda to the point
> > of entering the root password, then I get an error about not being
> > able to find the repodata.
> > 
> > I note that the section in the "upstream" manuals about network installs
> > imply (without ever being extremely specific) that you would have your
> > own server with the files on it. Is this some limitation that prevents
> > us from using a centos mirror instead?
> > 
> > Anyway, I've tried with two mirrors. when it asked me for the system
> > name and the path to the directory, I entered this (for one of the
> > tries):
> > 
> > www.gtlib.gatech.edu
> > /pub/centos/5.1/os/i386
> > 
> > and for the other mirror
> > 
> > mirror.rhsmith.umd.edu
> > /pub/centos/5.1/os/i386
> > 
> > in the two lines of the form.
> > 
> > Is this right? (the manuals aren't really really terribly explicit).
> 
> I would expect it to work as you had it though...
> - I would use /pub/centos/5/os/i386
> - I would use the same boot disc, i.e.
> 
> http://www.gtlib.gatech.edu/pub/centos/5/isos/i386/CentOS-5.1-i386-bin-1of6.iso
>   to boot the computer
> 
> but either way, it should have worked though I thought that the Georgia
> Tech web server was quite slow to respond...perhaps anaconda is just
> timing out.
> 
> as with your path (5.1), the repodata directory is indeed there...
> 
> http://www.gtlib.gatech.edu/pub/centos/5/os/i386/repodata/
> 
> Craig

Well. tried it yet again, using the  rhsmith.edu site (for not the
first time) and it's working this time. I followed your suggestion
of using centos/5 instead of centos/5.1.

Thanks!


-- 
 Fred Smith -- [EMAIL PROTECTED] -
The Lord detests the way of the wicked 
  but he loves those who pursue righteousness.
- Proverbs 15:9 (niv) -




Re: [CentOS] "find" switch to find files of a certain size?

2008-01-12 Thread Bill Campbell
On Sun, Jan 13, 2008, Fajar Priyanto wrote:
>On Thursday 10 January 2008 23:21:55 [EMAIL PROTECTED] wrote:
>> Is there a switch in "find" (or some other command besides find) that'll
>> let you find files larger than a specified size?
>>
>> My file system is 88% full and I'd like to see where the biggest space
>> hoggers are.
>
>I also found this on the net:
>du /path/to/anywhere/* -hs | grep [0-9]M | sort -rn | head -20
>

I usually use something like:

find /mountpoint -xdev -size +1 > someplacenotfull

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Our Foreign dealings are an Open Book, generally a Check Book.
Will Rogers


RE: a quick and dirty hack to 'fix' the problem in a large scale-- RE: [CentOS] Nic order detection

2008-01-12 Thread Guolin Cheng
Michael,

 There is no point in arguing about which are the best 'official' ways,
which is just like the war between vi and Emacs before. I may be stupid but
any methods that fix users' problems are the best ones. I've tried the
official 'rename' or udev ways before, but finally I gave up and ended up
with the two ways I've mentioned. Especially the second, it works perfectly
when I rerolled my CentOS 5.0 and 5.1 initrd.img files for custom
Kickstart installation in a really large scale.

Good luck and have a new year.

--Guolin




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Michael D. Kralka
Sent: Saturday, January 12, 2008 5:41 AM
To: CentOS mailing list
Subject: Re: a quick and dirty hack to 'fix' the problem in a large
scale-- RE: [CentOS] Nic order detection

Guolin Cheng wrote:
> Les and Michael,

I am going to bite my tongue and not ask you to refrain from top
posting.

As your subject suggests, you are proposing a quick and dirty hack to
deal with interface assignment to physical NICs. Why bother with a quick
and dirty hack when a sensible solution exists within the distribution?
I see this as bad advice and hope no one follows it.

> There are a few ways to workaround the NIC detection issue. Each has its
> own advantages and limits.
> 
> The first method is: suppose you or your team have full control of
> running kernel on your hundreds/thousands of boxes, you can then build
> some NIC drivers statically in the kernel -- these statically built NIC
> drivers will be detected as eth0 without glitches -- then leave other
> different NIC types on the same box still in dynamic kernel modules
> status. It works greatly if you know all the types of primary network
> NIC. Typically e100, tg3, etc. and you have already standardized the 2nd
> NIC on the boxes to one or two brands like e1000.

Although this may "work", I have just signed up for a lifetime of
chasing kernel versions. Every time RHEL/CentOS release a new kernel to
fix a bug or security vulnerability, I must recompile the kernel. How
does this make sense if I have hundreds/thousands of boxes to keep up
to date? I'd rather "yum update" on all the boxes (which is easy to do).

> The second method is: suppose you or your team can not control
> rebuilding of kernel, or at least you have no full control, but you
> really know the types of primary/secondary NICs combinations on all the
> Linux boxes in your kingdom. Then you can try the following hack:
> 
>  You can try to add/change lines in /lib/modules/`uname -r`/modules.dep
> file according to your NICs combinations -- always load the drivers
> according to your predefined order. For example:
> 
> .../e1000.ko: .../tg3.ko .../3c59x.ko .../e100.ko .../forcedeth.ko
> .../forcedeth.ko: .../tg3.ko

Although this may "work", it is another accident waiting to happen. This
is a generated file and it is almost never a good idea to modify a
generated file; one will get burned. I install a shiny new module that
is not delivered as part of the kernel (drbd perhaps), and the
post-install script runs "depmod -a" (a sensible thing to do); now I
have just blown away the manual changes. Or every time I install a new
kernel (whether I am foolishly[1] building my own or using the
distribution kernels), I have to remember to make this change. The worst
part about this is that the effects will not be visible until the next
time the server is rebooted (say 6 months when there is a power
failure); the network interface assignment will be wrong. Good luck
hunting down that problem in a pinch!

[1]  Don't get me wrong, there is a time and a place for building custom
kernels; this is just not one of them.

> The above means to load the module at left, system will first load
> modules at right! So tg3|3c59x|e100|forcedeth always load before e1000,
> and tg3 load before forcedeth. The same idea can be applied to all NIC
> combination types you have and can be set only once and applied to all
> your linux boxes if you set it up correctly. The side-effect is: you
> have wasted a few hundred kilobytes of memory, but who cares?

The problem is not the wasted memory, it's the fragility of its design.

> There are also other tricks I tried before, some work and some not. But
> I think the above should probably work for most general cases.

Why resort to "tricks" when there is a perfectly good solution supported
by the distribution? I've learned that it never pays to be clever. When
resorting to neat little tricks to get things to work, they get
forgotten, or worse when someone else must look into a problem, they
spend most of the time trying to understand the clever way things are
set up. When stability is a main concern, boring is always better.

Cheers,
Michael
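
The failure mode described above (a changed driver load order that only shows at the next reboot) can be checked for directly. This is an added example, not code from anyone in the thread; it assumes interfaces are pinned with HWADDR= lines in ifcfg-<name> files and that live MACs are readable under /sys/class/net. The function names and the MAC values in the fixture are constructed.

```shell
#!/bin/bash
# Report interfaces whose live MAC differs from the HWADDR pinned in the
# matching ifcfg-<name> file. Returns the number of problems found.
# On a real host (paths assumed for RHEL/CentOS):
#   check_nic_binding /etc/sysconfig/network-scripts /sys/class/net
check_nic_binding() {
    cfg_dir=$1 sys_dir=$2 bad=0
    for cfg in "$cfg_dir"/ifcfg-*; do
        [ -f "$cfg" ] || continue
        dev=${cfg##*/ifcfg-}
        # HWADDR may be quoted and in either case; normalise to lower case.
        want=$(sed -n 's/^HWADDR=//p' "$cfg" | tr -d "\"'" | tr 'A-F' 'a-f' | head -n 1)
        if [ -z "$want" ]; then
            # Nothing pins this name to a card, so load order decides.
            [ "$dev" = lo ] || echo "UNPINNED $dev (no HWADDR in $cfg)"
            continue
        fi
        if [ ! -r "$sys_dir/$dev/address" ]; then
            echo "MISSING $dev expected=$want"; bad=$((bad + 1)); continue
        fi
        have=$(tr 'A-F' 'a-f' < "$sys_dir/$dev/address")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $dev expected=$want actual=$have"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed fixture: eth0 and eth1 have swapped MACs, as after a changed
# driver load order; eth2 is correct. All MAC values are made up.
make_swapped_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/cfg" "$root/sys/eth0" "$root/sys/eth1" "$root/sys/eth2"
    printf 'DEVICE=eth0\nHWADDR=00:16:3E:00:00:0A\n' > "$root/cfg/ifcfg-eth0"
    printf 'DEVICE=eth1\nHWADDR="00:16:3e:00:00:0b"\n' > "$root/cfg/ifcfg-eth1"
    printf 'DEVICE=eth2\nHWADDR=00:16:3e:00:00:0c\n' > "$root/cfg/ifcfg-eth2"
    printf 'DEVICE=lo\n' > "$root/cfg/ifcfg-lo"
    echo 00:16:3e:00:00:0b > "$root/sys/eth0/address"
    echo 00:16:3e:00:00:0a > "$root/sys/eth1/address"
    echo 00:16:3e:00:00:0c > "$root/sys/eth2/address"
    echo "$root"
}
```

Run after every kernel or module install and from a boot-time job, a non-zero return flags the swap before it is found during an outage.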


[CentOS] LIMITING NUMBER OF KERNEL VERSIONS RETAINED

2008-01-12 Thread Chris Geldenhuis

Hi

Some time ago there was a discussion on the above subject. I have 
scanned the past few months' mailing list archives and cannot find the 
relevant mail(s).


Could somebody please repost the solution or point me at the correct 
resource.


I would also appreciate advice on how to do this on a RHEL4 server being 
updated with up2date.


Is it safe just to delete the old kernel and initrd files from the boot 
partition and the grub conf file?


TIA

ChrisG