Re: [CentOS] No suspend after update
On Wed, Feb 21, 2024 at 10:40 PM Michel Lind wrote:
> > Rebooted back into 388 and it's running fine again.
> >
> > So it looks like my stability is getting worse for me with each update ...
> >
> > I'm getting worried about hanging onto 388.
>
> The currently booted kernel will never get swapped out when you are
> updating, so this should not be a concern. Have you reported your issues
> on JIRA though?

Well it just happened with 388 too. Coming out of suspend (power button),
the network didn't come up. Tried gracefully closing terminals and logging
out but it hung. After about 5 minutes Wayland did log out but then it got
really hard stuck (no mouse or keyboard) on some kind of half-baked gdm
screen. Had to hold the power button down for a while. Came up ok back
into 388.

Here's /var/log/messages starting from the previous suspend. Trouble
starts around the first 15:50:05 timestamp.

https://www.ioplex.com/~miallen/CentOSSuspendFailLenovoT14-03-15-2024.txt

Names have been changed to protect the guilty. I'm going to remove this
after a day or so, so download it now if you're interested.

Hopefully it helps someone figure out what's going on. I'm not doing
anything exotic. I don't have lots of crap installed. I'm not watching
videos or listening to tunes. Just coding Java over NFS in terminators.

Do you have a link to instructions for posting to Jira? I've been writing
C and Java since the 1900's so I might actually be able to get the
diagnostics you really want.

Mike

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] No suspend after update
On Fri, Jan 12, 2024 at 10:57 PM Michael B Allen wrote:
> Done. Thanks. Hopefully whatever the bug is will get worked out at
> some point ...

Just FYI I updated to 5.14.0-410. The login screen appeared for 2 seconds
and then it dropped to console with:

Failed to start: Crash recovery kernel arming

Tried to reboot but it hung on the splash screen. The console shows
"Failed to start ..." for all services like ModemManager and so on.

Rebooted back into 388 and it's running fine again.

So it looks like my stability is getting worse for me with each update ...

I'm getting worried about hanging onto 388.

Mike
Re: [CentOS] No suspend after update
On Fri, Jan 12, 2024 at 4:53 PM Bill Gee wrote:
>
> I have two suggestions about how to keep - for a while - the 388 kernel.
>
> First - Use DNF to remove the bad kernels. Then when a new one comes in
> it will take one of those slots.
>
> Second - Increase the number of installed kernels. That change is in
> yum.conf.

Done. Thanks. Hopefully whatever the bug is will get worked out at
some point ...

Mike
Re: [CentOS] No suspend after update
On Wed, Jan 10, 2024 at 11:57 PM Michael B Allen wrote:
>
> Just updated CentOS 9 Stream on a Lenovo T17 Gen 4 Intel and now it
> won't suspend with the following error:
...
> [ 72.805437] Freezing of tasks failed after 20.006 seconds (1 tasks
> refusing to freeze, wq_busy=0):
> [ 72.805450] task:NFSv4 callback state:I stack:0 pid:2191
> ppid:2 flags:0x4000

FYI After reverting to 5.14.0-388 yesterday, stability is restored. I can
consistently suspend and resume without issues.

In hindsight, kernel 391 was also giving me issues. My wired network would
sporadically fail to come up after suspend. No amount of fiddling would
restore. Only rebooting. I have not seen that behavior with 388 either.
This would suggest an issue with networking / suspend between 388 and 391.

Q: If I update, am I going to lose kernel 388? How can I persist that one
specific kernel indefinitely and still be able to update the rest of the
system?

Mike

# grubby --info=ALL | grep ^kernel
kernel="/boot/vmlinuz-5.14.0-404.el9.x86_64"
kernel="/boot/vmlinuz-5.14.0-391.el9.x86_64"
kernel="/boot/vmlinuz-5.14.0-388.el9.x86_64"
kernel="/boot/vmlinuz-0-rescue-aaab5fbe787947ec94b3c7574b9d41e6"

# grubby --default-kernel
/boot/vmlinuz-5.14.0-388.el9.x86_64
[CentOS] No suspend after update
Just updated CentOS 9 Stream on a Lenovo T17 Gen 4 Intel and now it
won't suspend with the following error:

[ 52.604998] Restarting kernel threads ... done.
[ 52.605111] OOM killer enabled.
[ 52.605111] Restarting tasks ... done.
[ 52.606604] random: crng reseeded on system resumption
[ 52.616014] thermal thermal_zone9: failed to read out thermal zone (-61)
[ 52.791625] PM: suspend exit
[ 52.791733] PM: suspend entry (s2idle)
[ 52.797260] Filesystems sync: 0.005 seconds
[ 52.797579] Freezing user space processes ... (elapsed 0.001 seconds) done.
[ 52.799127] OOM killer disabled.
[ 52.799128] Freezing remaining freezable tasks ...
[ 72.805437] Freezing of tasks failed after 20.006 seconds (1 tasks refusing to freeze, wq_busy=0):
[ 72.805450] task:NFSv4 callback state:I stack:0 pid:2191 ppid:2 flags:0x4000
[ 72.805453] Call Trace:
[ 72.805454]
[ 72.805456] __schedule+0x21b/0x550
[ 72.805463] schedule+0x2d/0x70
[ 72.805466] nfs41_callback_svc+0x186/0x190 [nfsv4]
[ 72.805508] ? __pfx_autoremove_wake_function+0x10/0x10
[ 72.805512] ? __pfx_nfs41_callback_svc+0x10/0x10 [nfsv4]
[ 72.805536] kthread+0xdd/0x100
[ 72.805538] ? __pfx_kthread+0x10/0x10
[ 72.805539] ret_from_fork+0x29/0x50
[ 72.805543]

Kernel: 5.14.0-404.el9.x86_64

How do I boot the previous kernel? Holding Shift down does nothing.
Pressing escape brings up some kind of emergency screen that has no
options other than to "Press any key to exit".

Is CentOS 9 Stream considered stable enough to use as an everyday desktop?

Mike
Re: [CentOS] Apps moving to laptop display when switching KVM
UPDATE: Apparently this is a long-standing and pervasive issue in the
mutter package:

https://gitlab.gnome.org/GNOME/mutter/-/issues/1419
https://gitlab.gnome.org/GNOME/mutter/-/issues/230#note_1551972
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2092
https://gitlab.gnome.org/GNOME/mutter/-/issues/1418
https://bugs.launchpad.net/ubuntu/+source/mutter/+bug/1778983
https://bugs.launchpad.net/ubuntu/+source/compiz/+bug/1574251
https://bugs.launchpad.net/ubuntu/+source/mutter/+bug/1927948

The second link has an explanation that sounds plausible. The issue can
occur under a wide range of circumstances, from suspend-resume (which I
have since witnessed) or just locking the screen, and not just when
switching a KVM. Unfortunately there is zero activity on the issue.

Mike

On Sun, Nov 26, 2023 at 9:44 PM Michael B Allen wrote:
>
> So I installed CentOS Stream 9 on a new Lenovo T14 Gen 4 Intel.
>
> I have a 4x1 HDMI KVM with external monitor.
>
> When switching the KVM, apps move between displays / workspaces in erratic
> ways.
>
> More specifically, when switching out, apps on the external display
> usually move to the laptop display.
>
> This sorta makes sense for a laptop with an external display.
> When the external display is disconnected, you want to have access to the
> apps.
>
> But for a KVM, the desired behavior is that the apps do NOT move.
> When switching back, I want all apps (terminals) to be where they were
> when I switched out.
>
> After much searching, I have found NO discussion of this issue.
>
> Is this a scenario that is even supposed to work?
>
> The KVM worked perfectly with the Windows 11 install that came with
> the machine (apps on the external display did not move when switching
> the KVM).
>
> Questions:
>
> Is there a GNOME window manager configuration that does not move apps
> when it senses the HDMI connection has changed?
>
> I actually had this mostly working with a Dell laptop running a RHEL 9
> clone and selecting Xorg on the GDM screen.
> Apps were not moved when switching out (although depending on
> particular circumstances they could when switching back).
>
> Where should I be asking about this?
> A freedesktop.org list?
>
> Where is the code that moves windows in reaction to a change in displays?
>
> Currently the only way to reliably switch the KVM without all of the
> apps losing their positions is to just suspend the machine before and
> resume after.
[CentOS] Apps moving to laptop display when switching KVM
So I installed CentOS Stream 9 on a new Lenovo T14 Gen 4 Intel.

I have a 4x1 HDMI KVM with external monitor.

When switching the KVM, apps move between displays / workspaces in erratic
ways.

More specifically, when switching out, apps on the external display
usually move to the laptop display.

This sorta makes sense for a laptop with an external display. When the
external display is disconnected, you want to have access to the apps.

But for a KVM, the desired behavior is that the apps do NOT move. When
switching back, I want all apps (terminals) to be where they were when I
switched out.

After much searching, I have found NO discussion of this issue.

Is this a scenario that is even supposed to work?

The KVM worked perfectly with the Windows 11 install that came with the
machine (apps on the external display did not move when switching the
KVM).

Questions:

Is there a GNOME window manager configuration that does not move apps
when it senses the HDMI connection has changed?

I actually had this mostly working with a Dell laptop running a RHEL 9
clone and selecting Xorg on the GDM screen. Apps were not moved when
switching out (although depending on particular circumstances they could
when switching back).

Where should I be asking about this? A freedesktop.org list?

Where is the code that moves windows in reaction to a change in displays?

Currently the only way to reliably switch the KVM without all of the apps
losing their positions is to just suspend the machine before and resume
after.

Mike
Re: [CentOS] Desktop Over NFS Home Blocked By Firewalld
On Sun, Nov 22, 2020 at 7:34 AM Jonathan Billings wrote:
>
> On Nov 20, 2020, at 14:31, Michael B Allen wrote:
> >
> > Well I've managed to resolve the issue but I'm not entirely satisfied
> > with the solution. Apparently firewalld and iptables are at least
> > partially mutually exclusive such that changes to iptable have no
> > effect.
>
> That's not strictly true, at least with firewalld and iptables. You added
> the iptables rule with -A (append). The firewalld rules add jump rules to
> the input table and your rule simply was never reached, because traffic was
> blocked in one of the earlier rules. This would be the case in any complex
> iptables config too. Had you really wanted to test something with iptables,
> use -I (insert) which puts it at the front of the rules. Obviously, the best
> thing to do is to use firewalld tools with firewalld.

Ah, very interesting. Despite using Linux for as long as I have I don't
recall ever realizing that. Very good to know.

Thanks,
Mike
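To make the -A versus -I point in Jonathan's reply checkable offline, here is an added example (not code from the thread or from firewalld): a small first-match chain walker loaded with a simplified, constructed sketch of the chains firewalld builds on CentOS 7. The `Ruleset`, `Rule` and `Packet` names and the exact chain layout are my own approximation, not firewalld's real rule text.

```python
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                                # ACCEPT/DROP/REJECT/RETURN, or a chain to jump to
    match: dict = field(default_factory=dict)  # packet attributes that must all be equal
    note: str = ""                             # label shown in the trace


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    ctstate: str = "NEW"
    iface: str = "enp4s0"


def rule_matches(rule, pkt):
    return all(getattr(pkt, key) == val for key, val in rule.match.items())


class Ruleset:
    """Minimal first-match chain walker; hypothetical helper, not iptables itself."""

    def __init__(self):
        self.chains = {}

    def append(self, chain, rule):            # behaves like `iptables -A CHAIN ...`
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain, rule, pos=1):     # behaves like `iptables -I CHAIN [pos] ...`
        self.chains.setdefault(chain, []).insert(pos - 1, rule)

    def verdict(self, chain, pkt, trace):
        """Walk `chain` top to bottom. Jumps recurse; RETURN or falling off the
        end of a user chain hands control back to the caller (None)."""
        for i, rule in enumerate(self.chains.get(chain, []), start=1):
            if not rule_matches(rule, pkt):
                continue
            trace.append(f"{chain}[{i}] {rule.note or rule.target}")
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            result = self.verdict(rule.target, pkt, trace)
            if result is not None:
                return result
        return None


def firewalld_like_ruleset():
    """Constructed, simplified sketch of the chains firewalld builds on CentOS 7:
    INPUT jumps into per-zone chains and ends with an unconditional REJECT
    (the FINAL_REJECT log rule sits just above that REJECT)."""
    rs = Ruleset()
    rs.append("INPUT", Rule("ACCEPT", {"ctstate": "ESTABLISHED"}, "ctstate RELATED,ESTABLISHED"))
    rs.append("INPUT", Rule("ACCEPT", {"iface": "lo"}, "-i lo"))
    rs.append("INPUT", Rule("INPUT_direct", note="-j INPUT_direct"))
    rs.append("INPUT", Rule("INPUT_ZONES", note="-j INPUT_ZONES"))
    rs.append("INPUT", Rule("DROP", {"ctstate": "INVALID"}, "ctstate INVALID"))
    rs.append("INPUT", Rule("REJECT", note="final REJECT --reject-with icmp-host-prohibited"))
    rs.append("INPUT_ZONES", Rule("IN_public", {"iface": "enp4s0"}, "-i enp4s0 -j IN_public"))
    rs.append("IN_public", Rule("IN_public_allow", note="-j IN_public_allow"))
    rs.append("IN_public_allow", Rule("ACCEPT", {"proto": "tcp", "dport": 22}, "ssh service"))
    return rs


# The flow the firewalld log in this thread rejected: TCP src port 760 -> dst port 41285.
REJECTED_FLOW = Packet("tcp", sport=760, dport=41285)
SPORT_760_ACCEPT = {"proto": "tcp", "sport": 760}


def verdict_with_appended_rule():
    """`iptables -A INPUT ... --sport 760 -j ACCEPT`: lands below the final REJECT."""
    rs = firewalld_like_ruleset()
    rs.append("INPUT", Rule("ACCEPT", SPORT_760_ACCEPT, "-A INPUT --sport 760"))
    trace = []
    return rs.verdict("INPUT", REJECTED_FLOW, trace), trace


def verdict_with_inserted_rule():
    """`iptables -I INPUT ... --sport 760 -j ACCEPT`: evaluated first, so it matches."""
    rs = firewalld_like_ruleset()
    rs.insert("INPUT", Rule("ACCEPT", SPORT_760_ACCEPT, "-I INPUT --sport 760"))
    trace = []
    return rs.verdict("INPUT", REJECTED_FLOW, trace), trace


def verdict_with_zone_allow():
    """What a firewall-cmd service/port allow amounts to: the rule goes into the
    zone's allow chain, which INPUT reaches before its final REJECT, and it keys
    on the destination port rather than a source port (dport here is constructed)."""
    rs = firewalld_like_ruleset()
    rs.append("IN_public_allow", Rule("ACCEPT", {"proto": "tcp", "dport": 41285}, "zone allow"))
    trace = []
    return rs.verdict("INPUT", REJECTED_FLOW, trace), trace


if __name__ == "__main__":
    for fn in (verdict_with_appended_rule, verdict_with_inserted_rule, verdict_with_zone_allow):
        verdict, trace = fn()
        print(f"{fn.__name__}: {verdict}  via {' -> '.join(trace)}")
```

The appended rule is at INPUT position 7 but the walk terminates at position 6, which is why it never shows up in the trace.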
Re: [CentOS] Desktop Over NFS Home Blocked By Firewalld
On Fri, Nov 20, 2020 at 6:37 PM Gordon Messmer wrote:
>
> On 11/20/20 1:26 PM, Michael B Allen wrote:
> > Thanks for the inputs but my problem has nothing to do with NFS.
>
> Do you think that because you saw "krbupdate" in /etc/services?
>
> The problem you've described is definitely an NFSv3 problem. The
> connections causing the client to hang are portmap connections. They're
> dynamic, and don't necessarily conform to /etc/services.
>
> The lesson to learn, here, is that /etc/services maps names to numbers,
> but it does NOT map numbers to names. Port numbers aren't reserved
> simply because there is a mapping to them in /etc/services.

Hi Gordon,

You're right! My mistake. I removed the Source Port rule and did the
following instead:

# firewall-cmd --add-service=nfs3 --permanent
# firewall-cmd --reload

This fixed the hanging issue (and probably other stuff I haven't run into
yet).

So even though NFS worked fine just doing the usual file related ops in a
terminal, apparently my client is old enough that it's still doing NFSv3
whereas CentOS 7 has moved on to NFSv4 and that incompatibility was
responsible for the desktop / libreoffice hanging issue.

Much thanks.

Mike
Re: [CentOS] Desktop Over NFS Home Blocked By Firewalld
On Fri, Nov 20, 2020 at 2:52 PM Chris Schanzle wrote:
>
> On 11/20/20 2:31 PM, Michael B Allen wrote:
> > On Fri, Nov 20, 2020 at 2:06 PM Michael B Allen wrote:
> >> Apparently I don't know how to do "that" because this:
> >>
> >> # iptables -A INPUT -p tcp --sport 760 -m conntrack --ctstate
> >> NEW,ESTABLISHED -j ACCEPT
> >>
> >> still doesn't allow the traffic through (not that I would want to
> >> allow an --sport rule anyway but I'd just like to confirm that this
> >> traffic is indeed responsible). What am I doing wrong here? I've also
> >> tried simpler rules without conntrack or cstate but it's still not
> >> getting through.
> >>
> >> Incidentally I added kerberos and kadmin firewalld services without
> >> effect either.
> >
> > Well I've managed to resolve the issue but I'm not entirely satisfied
> > with the solution. Apparently firewalld and iptables are at least
> > partially mutually exclusive such that changes to iptable have no
> > effect. If I add a Source Port rule using the Firewalld GUI to allow
> > source port 760, it resolves the issue. But it seems pretty dubious to
> > allow traffic from any particular source port. The service using port
> > 760 is krbupdate but there isn't a lot of information about it on the
> > net. It doesn't look like destination ports are a range because they
> > have changed from 41285 and 46167. There must be something on the
> > CentOS 7 side broadcasting info about what ports to use. What a PITA.
> > I can't log into a desktop with an nfs home dir without punching a
> > reverse hole in my firewall? That shouldn't be. 99% of people will
> > just drop the pants on their machine.
> >
> > Mike
>
> You didn't state what version of NFS you're using. We're still on nfsv3.
> What you're describing looks like an issue with locked.

Thanks for the inputs but my problem has nothing to do with NFS.

Mike
Re: [CentOS] Desktop Over NFS Home Blocked By Firewalld
On Fri, Nov 20, 2020 at 2:06 PM Michael B Allen wrote:
> Apparently I don't know how to do "that" because this:
>
> # iptables -A INPUT -p tcp --sport 760 -m conntrack --ctstate
> NEW,ESTABLISHED -j ACCEPT
>
> still doesn't allow the traffic through (not that I would want to
> allow an --sport rule anyway but I'd just like to confirm that this
> traffic is indeed responsible). What am I doing wrong here? I've also
> tried simpler rules without conntrack or cstate but it's still not
> getting through.
>
> Incidentally I added kerberos and kadmin firewalld services without
> effect either.

Well I've managed to resolve the issue but I'm not entirely satisfied
with the solution. Apparently firewalld and iptables are at least
partially mutually exclusive such that changes to iptable have no effect.
If I add a Source Port rule using the Firewalld GUI to allow source port
760, it resolves the issue. But it seems pretty dubious to allow traffic
from any particular source port. The service using port 760 is krbupdate
but there isn't a lot of information about it on the net. It doesn't look
like destination ports are a range because they have changed from 41285
and 46167. There must be something on the CentOS 7 side broadcasting info
about what ports to use. What a PITA. I can't log into a desktop with an
nfs home dir without punching a reverse hole in my firewall? That
shouldn't be. 99% of people will just drop the pants on their machine.

Mike
Re: [CentOS] Desktop Over NFS Home Blocked By Firewalld
On Fri, Nov 20, 2020 at 12:18 PM Frank Cox wrote:
>
> On Fri, 20 Nov 2020 12:07:40 -0500
> Michael B Allen wrote:
>
> > So TCP src 760 to 41285. What's that?
>
> Apparently "that" is what you need to allow in order for your desktop to work.
>
> What it is actually doing, I'm not sure. Google tells me that port 760 has
> something to do with Kerberos registration.

Apparently I don't know how to do "that" because this:

# iptables -A INPUT -p tcp --sport 760 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

still doesn't allow the traffic through (not that I would want to allow an
--sport rule anyway but I'd just like to confirm that this traffic is
indeed responsible). What am I doing wrong here? I've also tried simpler
rules without conntrack or cstate but it's still not getting through.

Incidentally I added kerberos and kadmin firewalld services without effect
either.

Mike
Re: [CentOS] Desktop Over NFS Home Blocked By Firewalld
On Fri, Nov 20, 2020 at 11:19 AM Frank Cox wrote:
> > So firewalld is blocking something that the Fedora desktop needs. What
> > is it? What services do I need to add to firewalls?
>
> https://www.cyberciti.biz/faq/enable-firewalld-logging-for-denied-packets-on-linux/

Hi Frank,

Thanks for that tip. Here's what I get:

Nov 20 12:03:15 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48746 DF PROTO=TCP SPT=760 DPT=41285 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 12:03:18 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55190 DF PROTO=TCP SPT=760 DPT=41285 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 12:03:21 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31389 DF PROTO=TCP SPT=760 DPT=41285 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 12:03:24 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21119 DF PROTO=TCP SPT=760 DPT=41285 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 12:03:26 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63694 DF PROTO=TCP SPT=760 DPT=41285 WINDOW=29200 RES=0x00 SYN URGP=0

So TCP src 760 to 41285. What's that?

Mike
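As an added example (not code from the thread), a small parser that turns FINAL_REJECT lines like the ones above into per-flow counts and flags the unusual privileged-source-port shape, which is the triage step behind "what's that?". The sample log is constructed (three lines taken from the post, the UDP, 46167 and systemd lines made up to exercise the parser) and the helper names and the ephemeral-port threshold are my own assumptions.

```python
from collections import Counter

# Constructed sample in the shape of firewalld's FINAL_REJECT kernel log lines
# (MAC redacted as in the original post). The UDP/111, 46167 and systemd lines
# are made up so the parser has something other than one repeated flow to chew on.
SAMPLE_LOG = """\
Nov 20 12:03:15 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48746 DF PROTO=TCP SPT=760 DPT=41285 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 12:03:18 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55190 DF PROTO=TCP SPT=760 DPT=41285 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 12:03:21 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31389 DF PROTO=TCP SPT=760 DPT=41285 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 12:03:30 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=10001 DF PROTO=UDP SPT=48000 DPT=111 LEN=48
Nov 20 12:03:31 goose kernel: FINAL_REJECT: IN=enp4s0 OUT= MAC=c8:1snip8:00 SRC=192.168.1.46 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10002 DF PROTO=TCP SPT=760 DPT=46167 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 12:03:35 goose systemd[1]: Started Session 12 of user mike.
"""

MARKER = "FINAL_REJECT:"
EPHEMERAL_START = 32768   # assumption: lower bound of the Linux default ip_local_port_range


def parse_reject_line(line):
    """Return the key=value fields of one FINAL_REJECT line (plus a FLAGS set for
    bare tokens such as DF and SYN), or None for lines that are not firewalld rejects."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    rec, flags = {}, set()
    for tok in line[idx + len(MARKER):].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)   # keep the first LEN= (IP length); UDP appends its own
        else:
            flags.add(tok)
    rec["FLAGS"] = flags
    return rec


def flow_key(rec):
    return (rec.get("PROTO"), rec.get("SRC"), rec.get("DST"),
            int(rec.get("SPT", 0)), int(rec.get("DPT", 0)))


def summarize_rejects(log_text):
    """Aggregate rejected packets into (proto, src, dst, sport, dport) flows,
    most frequent first, so SYN retries of one connection show up as one entry."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_reject_line(line)
        if rec and "PROTO" in rec:
            counts[flow_key(rec)] += 1
    return counts.most_common()


def looks_like_privileged_source_flow(flow):
    """Flag the pattern seen in this thread: a privileged (<1024) *source* port
    hitting an ephemeral destination port. Ordinary client connections are the
    other way round; this shape is what the thread later traces to NFSv3-era
    RPC traffic, so it deserves an explanation before any source-port allow rule."""
    proto, _src, _dst, sport, dport = flow
    return proto in ("TCP", "UDP") and sport < 1024 and dport >= EPHEMERAL_START


if __name__ == "__main__":
    for flow, n in summarize_rejects(SAMPLE_LOG):
        proto, src, dst, sport, dport = flow
        tag = "  <-- privileged source port" if looks_like_privileged_source_flow(flow) else ""
        print(f"{n:3d}x {proto} {src}:{sport} -> {dst}:{dport}{tag}")
```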
[CentOS] Desktop Over NFS Home Blocked By Firewalld
Hi,

Just installed CentOS 7 that serves a home dir automounted over nfs.
SELinux is disabled.

If I go to the client (oldish version of Fedora), doing su - username
works fine and the nfs export is mounted and I can see all files and
everything seems well.

But trying to actually login to the desktop from the client machine does
not work. It starts to login but then just hangs with a black screen.
Trying to just launch libreoffice --writer from a terminal as the nfs
mounted user also hangs on the splash screen.

If I then go to the server and 'systemctl stop firewalld', the desktop
instantly logs in fine and libreoffice works from the term.

So firewalld is blocking something that the Fedora desktop needs. What is
it? What services do I need to add to firewalld?

Thanks,
Mike
Re: [CentOS] Fwd: CentOS on new Dell
Just to follow through, I installed Fedora F24 on this new Dell E7470 and
after dnf upgrade everything works. Originally the Fedora Live testdrive
did not work completely (wireless choked and the external HDMI connection
would hang the machine) but after installing to disk and updating (kernel
went from 4.5 to 4.8) everything just worked. External display was
recognised correctly and it installed my printer and printed a test page
no problem.

So Dell E7470 works great with F24.
[CentOS] Fwd: CentOS on new Dell
On Mon, Oct 24, 2016 at 8:11 PM, Milos Blazevic wrote:
> I've seen the thread(s) you started on CentOS mailing list about Dell and
> ThinkPad laptops and running Centos on 'em.
>
> Not sure if you've seen my question, but I'm considering to purchase a
> laptop, run EL7 on it, and I'm weighing between the Thinkpad and Latitude, so:
>
> What was it to make you opt for E7470 over, say, Carbon X1? According to
> RedHat's Hardware compatibility list Carbon models are certified,
> while none of the Dell's aren't.
>
> Also, have you given up on CentOS over Fedora? I'd love to hear how's CentOS
> 7 support for E7470 hardware.

Hi Milos,

The Thinkpad T series and Latitude are *very* similar computers. They are
both business "ultrabooks" with a 1600x1080 display option, nice keyboards
(not "chicklet" style), a trackpoint and trackpad and RJ-45 builtin.

I bought a Dell Latitude E7470 over the Lenovo for several reasons. One is
this comment which is worth mentioning again:

On Fri, Sep 30, 2016 at 11:58 PM, Gordon Messmer wrote:
> It's worth mentioning again that Dell is one of the companies doing the
> development for the bits that don't work, and that those drivers are often
> the ones that get Lenovo equipment going, too. Lenovo does not, to the best
> of my knowledge, do any Linux development.

Another reason is that I have heard about people having problems with
Lenovo. Not just with software but with hardware malfunctions. I spoke to
someone on the phone that had hardware problems with their new Thinkpad
(although I suspect some of the problems could have been misdiagnosis by
the user). After describing how nice the E7470 is, they're thinking about
dumping their 1yo X250 and getting a Dell.

As for the Carbon, that is a very different computer. The Carbon is an
ultralight / thin Macbook-like machine with Windows so I have no advice
for you there.

I have not tried CentOS on the E7470 but I'm quite certain it would not
work because I have tried the latest Fedora Live which is about 100 kernel
revisions newer and even that doesn't completely work. Specifically, if I
plug in an external display it freezes. My feeling is I need a newer
display driver (and thus newer kernel). The only other issue I noticed was
that wireless didn't work but it seems more like a glue issue and not
necessarily a driver. Otherwise, suspend and everything else worked near
as I can tell which is actually pretty impressive for a brand new machine.

So, I am doing other things while this new E7470 ages like a fine wine. Or
maybe I'll lose patience and just install Fedora and try a "vanilla"
kernel package. Then maybe after a year or two CentOS 8 or whatever will
run on it and then I can just run steady for 4+ years without getting
pummeled by stupid updates and feature creep that you get with Fedora and
Ubuntu or whatever the latest hot distro is.

The E7470 is obviously a laptop of choice for business people. And that is
the type of machine developers use. So chances of good compatibility are
very high. You just have to give it time. I was watching Daredevil season
1 and they use Latitudes that look exactly like mine. And that was
probably filmed in 2014. So the form factor at least has been around for a
while which is good. Unfortunately I can't say the same thing about the
show.

Mike
Re: [CentOS] CentOS on new Dell
On Thu, Oct 13, 2016 at 10:39 PM, John R Pierce wrote:
> On 10/13/2016 7:10 PM, Rob Kampen wrote:
>>>
>>> Mmn, that didn't work. I dd'd the latest Fedora Live iso onto a USB
>>> drive, put it into a brand spanking new Dell Latitude E7470, hit F12
>>> at Dell logo and got "Selected boot device failed". Do I need to make
>>> it bootable using fdisk or some such?
>>
>> Not that I recall - a simple dd of the iso onto a usb stick just works see
>> https://wiki.centos.org/HowTos/InstallFromUSBkey
>
> some USB sticks don't seem to like to be boot devices, and I've never
> figured out why. Sandisk stuff generally seems to work, and most all my
> current USB sticks are Sandisk Ultra Fit (the really tiny ones, typically in
> 16GB or 32GB).

That was it. I was able to boot Fedora. I was using a 128GB USB 3.0 drive.
I tried a lowly 8GB drive and it worked.

Thanks,
Mike
Re: [CentOS] CentOS on new Dell
On Thu, Sep 29, 2016 at 9:18 PM, John R Pierce wrote:
> On 9/29/2016 5:55 PM, Michael B Allen wrote:
>>
>> It seems optical drives are gone. Do I boot the iso from USB or what's
>> the procedure now?
>
> yup, put iso on USB, go to town.

Mmn, that didn't work. I dd'd the latest Fedora Live iso onto a USB drive,
put it into a brand spanking new Dell Latitude E7470, hit F12 at Dell logo
and got "Selected boot device failed". Do I need to make it bootable using
fdisk or some such?

Mike
Re: [CentOS] CentOS on new Thinkpads
On Fri, Sep 30, 2016 at 11:58 PM, Gordon Messmer wrote:
> It's worth mentioning again that Dell is one of the companies doing the
> development for the bits that don't work, and that those drivers are often
> the ones that get Lenovo equipment going, too. Lenovo does not, to the best
> of my knowledge, do any Linux development.

Well then that does it! I just ordered a Dell Latitude E7470.

Thanks,
Mike
Re: [CentOS] CentOS on new Thinkpads
Ok, I see a lot of nice answers here so I would like to try to refine this
a little.

After some research I was going to skip Lenovo. People are clearly having
problems running Linux on Lenovos. I spoke with one person that had a
really hard time with their X250. However, I think a lot of problems are
caused by bleeding edge hardware. My feeling is it takes at least 1 year
before the kernels have the necessary updates. Also, searching the
Internet forums for problems is dubious because people who don't have
problems don't say so on forums. But asking "is model XYZ known to work"
is a good test as evidenced by these great responses.

So I will ask again with some more specific details. The key features for
me are:

* 1080 display or 900 would be acceptable but definitely not 768 (this
  rules out Toshiba)
* Good keyboard with mouse buttons (Lenovo has always had superior
  keyboards and fortunately they have recently resurrected mouse buttons,
  yeah!)
* RJ-45 (this rules out a LOT of laptops including Dell)
* Intel graphics / hardware

The Lenovo T series meets these requirements. My only concern would be
issues mentioned on this list and bleeding-edge issues. I know people have
had a lot of problems with the trackpad, screen flickering and other
things. But I think most of this can be blamed on bleeding-edge hardware
compatibility. For example, I think the synaptics driver is almost always
broken in the latest models (move the mouse and it deletes everything
you've typed!) but if you uninstall it and use libinput it can work.

So my thought is instead of getting the latest which would be T460, I
could get the previous model which would be the T450. These are sold out
on lenovo.com but they can still be had elsewhere (not sure about warranty
which is hugely important though).

So does anyone have any specific knowledge of the T450, T450s, T450p?

I really appreciate all the answers. Hopefully this helps other folks too.

Mike
Re: [CentOS] CentOS on new Thinkpads
On Fri, Sep 30, 2016 at 12:02 PM, Michael B Allen wrote:
> * RJ-45 (this rules out a LOT of laptops including Dell)

Correction. The Dell Latitude 14 7000 has RJ-45 on the back. It is very
comparable to the Lenovo T460 actually.

Anyone run CentOS successfully on either of these?

Mike
[CentOS] CentOS on new Thinkpads
Is anyone running CentOS on a newish Thinkpad?

I have been using Linux as my primary workstation since about 97 and it
seems like using Linux as a desktop has slipped over the years. After the
Gnome desktop dumb-down, I have been nursing CentOS 6.8 on a 5 yo Toshiba.
So I was hoping that someone has some recent real-world experience with
new Thinkpads.

So is anyone running a new Thinkpad? What model? Any problems with
wireless or suspend or the touchpad?

It seems optical drives are gone. Do I boot the iso from USB or what's the
procedure now?

Generally seeking new laptop advice. If Lenovo is not good is anyone using
Toshiba?

Mike
[CentOS] Google Chrome
I have been using CentOS on my laptop for a few days now and it works
great! Great work-around for the Fedora GNOME 3 debacle.

But I'm starting to miss Google Chrome pretty seriously. Firefox is just
not what it once was. It's slow. Spell check is weak. Sometimes it
straight up fails to display pages after going "back". There are numerous
details like this that just make FF almost intolerable. And based on
current browser usage statistics I don't think I'm the only one who sees
the difference which means the problem is only going to get worse.

Unfortunately Chrome is not available for CentOS 6.4:

Error: Package: google-chrome-stable-31.0.1650.57-1.x86_64 (google-chrome)
Requires: libstdc++.so.6(GLIBCXX_3.4.15)(64bit)

This page [http://www.muktware.com/2013/02/google-says-red-hat-enterprise-linux-6-is-obsolete-updated/3970] claims:

"Chrome, the browser in question here, is based on the open source project
Chromium. Chromium developers seems to prefer the new C++11 for the obvious
security reasons and ease of maintenance but it also means adopting a new
toolchain and upgrading to GCC 4.6. This makes it hard to support those
operating systems that ship with older C++ standard libraries. RHEL 6,
among many others, is one such operating system."

What is the safest path out of this problem? I am not particularly excited
about running a package from a small third party. Particularly a browser.

Is this situation really that bad?

Mike
Re: [CentOS] Saving Workspace State
Wait! It does work. I tried it before and it did not. Not sure if it was
checking said option or $ gnome-session-save on the commandline but it
just worked.

Mike

On Sun, Nov 17, 2013 at 3:05 PM, Michael B Allen wrote:
> Is there a way to save the position and workspace locations of at
> least terminals on logout?
>
> I want to have many workspaces with 2-3 terminals each for editing
> code and scripts and ssh and so on.
>
> The System > Preferences > Startup Applications > Options >
> Automatically remember running applications when logged out doesn't
> work. And gnome-session-save doesn't work either.
>
> I used to use Fedora 14 and it saved the session state fine. But now I
> cannot recall how to do it. I know GNOME 3 removed that code (the
> GNOME developers now believe that the applications should remember
> their own state) but I was hoping CentOS still has this capability.
>
> Is it possible to save GNOME desktop session state in CentOS 6?
>
> Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
[CentOS] Saving Workspace State
Is there a way to save the position and workspace locations of at least
terminals on logout?

I want to have many workspaces with 2-3 terminals each for editing code
and scripts and ssh and so on.

The System > Preferences > Startup Applications > Options > Automatically
remember running applications when logged out doesn't work. And
gnome-session-save doesn't work either.

I used to use Fedora 14 and it saved the session state fine. But now I
cannot recall how to do it. I know GNOME 3 removed that code (the GNOME
developers now believe that the applications should remember their own
state) but I was hoping CentOS still has this capability.

Is it possible to save GNOME desktop session state in CentOS 6?

Mike
Re: [CentOS] [SOLVED] Suspend Failure on Toshiba Portege R935
On Sun, Nov 17, 2013 at 2:12 AM, Michael B Allen wrote:
> The problem is USB. I have an external keyboard+mouse connected by USB and if I remove it I can successfully suspend and resume. If I plug in a USB MIDI keyboard, again, I cannot suspend. So it seems any USB connection breaks suspend.

It seems I have fixed the problem! If I disable the following things in the BIOS, suspend / resume works:

USB Legacy Emulation: disabled
Bluetooth: disabled
Web Camera: disabled
Internal USB3.0 Controller: disabled

I don't know which one was responsible. My guess would be USB 3.0. But it's 3 AM and I have to give up and declare victory.

Hopefully someone finds this useful. Otherwise, sorry for the noise.

Mike
Re: [CentOS] Suspend Failure on Toshiba Portege R935
The problem is USB. I have an external keyboard+mouse connected by USB and if I remove it I can successfully suspend and resume. If I plug in a USB MIDI keyboard, again, I cannot suspend. So it seems any USB connection breaks suspend.

And when I plug in the USB keyboard+mouse I get errors and neither the keyboard nor the mouse works:

usb 3-1: new high speed USB device number 16 using xhci_hcd
usb 3-1: New USB device found, idVendor=0409, idProduct=005a
usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 3-1: configuration #1 chosen from 1 choice
hub 3-1:1.0: USB hub found
hub 3-1:1.0: 4 ports detected
usb 3-1.4: new full speed USB device number 17 using xhci_hcd
usb 3-1.4: New USB device found, idVendor=0557, idProduct=8021
usb 3-1.4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 3-1.4: configuration #1 chosen from 1 choice
usb 3-1.4: ep 0x81 - rounding interval to 1024 microframes, ep desc says 2040 microframes
xhci_hcd :00:14.0: Not enough bandwidth on HS bus for newly activated TT.
xhci_hcd :00:14.0: Not enough bandwidth
usb 3-1.4: can't set config #1, error -12
xhci_hcd :00:14.0: WARN Event TRB for slot 15 ep 0 with no TDs queued?

So it seems I've at least isolated the issue a little. Any ideas as to how to go about fixing it?

Mike
Re: [CentOS] Suspend Failure on Toshiba Portege R935
On Sun, Nov 17, 2013 at 1:10 AM, Michael B Allen wrote:
> On Sat, Nov 16, 2013 at 11:14 PM, EGO.II-1 wrote:
>> On 11/16/2013 10:04 PM, Michael B Allen wrote:
>>> Broke affinity for irq 27
>> Found this online, don't know if it pertains to your issue, but check it out.
>>
>> https://www.centos.org/forums/viewtopic.php?t=3941
>
> Unfortunately updating the BIOS did not fix the problem (even though the problem is exactly as described in the post cited and the BIOS was quite a few revisions behind).
>
> Note that suspend worked fine on this machine with the previous install (Fedora 19).
>
> dmesg shows the same sequence of "now offline" and then immediately "switching to UP code":
>
> sd 0:0:0:0: [sda] Stopping disk
> sdhci-pci :01:00.0: PCI INT A disabled
> ehci_hcd :00:1d.0: PCI INT A disabled
> snd_hda_intel :00:1b.0: PCI INT A disabled
> ehci_hcd :00:1a.0: PCI INT A disabled
> e1000e :00:19.0: PCI INT A disabled
> e1000e :00:19.0: PME# enabled
> e1000e :00:19.0: wake-up capability enabled by ACPI
> i915 :00:02.0: power state changed by ACPI to D3
> ACPI: Preparing to enter system sleep state S3
> Disabling non-boot CPUs ...
> Broke affinity for irq 25
> CPU 1 is now offline
> Broke affinity for irq 26
> CPU 2 is now offline
> Broke affinity for irq 27
> Broke affinity for irq 30
> Broke affinity for irq 31
> CPU 3 is now offline
> SMP alternatives: switching to UP code
>
> Are the "Broke affinity for irq" messages wrong or bad in some way?

I have found something interesting. If I do:

# init 1

so that virtually nothing is running, I can successfully suspend with:

# echo mem > /sys/power/state

So it seems something running is maybe stopping the suspend?

I also noticed these error messages during suspend:

btusb_bulk_complete: hci0 urb 88022a230200 failed to resubmit (19)
btusb_intr_complete: hci0 urb 88022a2302c0 failed to resubmit (19)

and then during resume:

btusb 1-1.2:1.1: no reset_resume for driver btusb?

It looks like the Bluetooth USB driver is touchy.

I don't use Bluetooth. How do I go about disabling Bluetooth entirely w/ CentOS? It's been a long time since I've messed with modprobe.conf.

Mike
[CentOS] Suspend Failure on Toshiba Portege R935
On Sat, Nov 16, 2013 at 11:14 PM, EGO.II-1 wrote:
> On 11/16/2013 10:04 PM, Michael B Allen wrote:
>> Broke affinity for irq 27
> Found this online, don't know if it pertains to your issue, but check it out.
>
> https://www.centos.org/forums/viewtopic.php?t=3941

Unfortunately updating the BIOS did not fix the problem (even though the problem is exactly as described in the post cited and the BIOS was quite a few revisions behind).

Note that suspend worked fine on this machine with the previous install (Fedora 19).

dmesg shows the same sequence of "now offline" and then immediately "switching to UP code":

sd 0:0:0:0: [sda] Stopping disk
sdhci-pci :01:00.0: PCI INT A disabled
ehci_hcd :00:1d.0: PCI INT A disabled
snd_hda_intel :00:1b.0: PCI INT A disabled
ehci_hcd :00:1a.0: PCI INT A disabled
e1000e :00:19.0: PCI INT A disabled
e1000e :00:19.0: PME# enabled
e1000e :00:19.0: wake-up capability enabled by ACPI
i915 :00:02.0: power state changed by ACPI to D3
ACPI: Preparing to enter system sleep state S3
Disabling non-boot CPUs ...
Broke affinity for irq 25
CPU 1 is now offline
Broke affinity for irq 26
CPU 2 is now offline
Broke affinity for irq 27
Broke affinity for irq 30
Broke affinity for irq 31
CPU 3 is now offline
SMP alternatives: switching to UP code

Are the "Broke affinity for irq" messages wrong or bad in some way?

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Re: [CentOS] CentOS as Development Laptop?
I'm in CentOS on the laptop now! But suspend doesn't work. Actually it looks like it works but it just immediately resumes. The log goes from CPU X is now offline straight into switching to UP ...

Nov 16 21:54:53 boson kernel: CPU 1 is now offline
Nov 16 21:54:53 boson kernel: Broke affinity for irq 26
Nov 16 21:54:53 boson kernel: CPU 2 is now offline
Nov 16 21:54:53 boson kernel: Broke affinity for irq 27
Nov 16 21:54:53 boson kernel: CPU 3 is now offline
Nov 16 21:54:53 boson kernel: SMP alternatives: switching to UP code
Nov 16 21:54:53 boson kernel: microcode: CPU0 updated to revision 0x13, date = 2012-07-16
Nov 16 21:54:53 boson kernel: Enabling non-boot CPUs ...
Nov 16 21:54:53 boson kernel: SMP alternatives: switching to SMP code
Nov 16 21:54:53 boson kernel: Booting Node 0 Processor 1 APIC 0x1
Nov 16 21:54:53 boson kernel: microcode: CPU1 updated to revision 0x13, date = 2012-07-16
Nov 16 21:54:53 boson kernel: CPU1 is up
Nov 16 21:54:53 boson kernel: Booting Node 0 Processor 2 APIC 0x2
Nov 16 21:54:53 boson kernel: microcode: CPU2 updated to revision 0x13, date = 2012-07-16
Nov 16 21:54:53 boson kernel: CPU2 is up
Nov 16 21:54:53 boson kernel: Booting Node 0 Processor 3 APIC 0x3
Nov 16 21:54:53 boson kernel: microcode: CPU3 updated to revision 0x13, date = 2012-07-16
Nov 16 21:54:53 boson kernel: CPU3 is up
Nov 16 21:54:53 boson kernel: ACPI: Waking up from system sleep state S3

How do I fix this?

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
[CentOS] CentOS as Development Laptop?
Hi,

Is CentOS good for a desktop machine? I have been using Fedora but the whole GNOME 3 debacle has me scrambling for something else. I have a few "minimal" CentOS servers but does anyone here use CentOS on their laptop? Does wireless and suspend work ok? Are there packages for the usual desktop stuff like libreoffice, sylpheed and so on?

Machine is Toshiba Portege R935. It's about a year old so it's properly "aged".

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Re: [CentOS] Apache/Active Directory authentication
On Wed, Mar 23, 2011 at 2:35 PM, John Hodrien wrote:
> On Wed, 23 Mar 2011, Michael B Allen wrote:
>
>>> Yes, but using the machine principal you're able to request any number of service principals that are SERVICENAME/. For this to work in a virtual hosting environment, you need multiple machine names (since we're talking about making a number of HTTP/ principals). Whilst I accept
>>
>> The "" of the principal does NOT have to match the actual machine name. You could create a User object called "alice" with servicePrincipalName values of HTTP/as1.busicorp.local, HTTP/mycomputer.net and HTTP/test1 and requesting tickets for any of those names will work just fine. AD just searches for an account with a servicePrincipalName value that matches the principal requested for the service ticket.
>>
>> Pedantic note: If you have the same servicePrincipalName value on more than one account, AD will actually choke and not return a ticket at all (because the request is ambiguous), there is no constraint in AD to stop people from accidentally adding the same SPN to multiple accounts and AD will not return any kind of meaningful error about it.
>
> Sure, but if you're not a domain admin, you've only got a machine principal, and your own principal (which I can use to join machines to the domain). Given those, and *not* a domain admin credential, how do you create those principals?

You do kinit -k with the keytab for the machine account and then an ldap_modify to add servicePrincipalName values for the desired principals. The machine account has permission sufficient to modify itself.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Re: [CentOS] Apache/Active Directory authentication
On Tue, Mar 22, 2011 at 5:55 AM, John Hodrien wrote:
> On Tue, 22 Mar 2011, Michael B Allen wrote:
>
>> Hi John,
>>
>> You would not have to create "dummy" machine records. The servicePrincipalName attribute on an AD account is multi-valued and clients can request and get a ticket for ANY principal in that list. So you only need one account.
>>
>> And you do not need special permissions if you have an existing keytab because you can use the keytab to authenticate with AD and add servicePrincipalName values to the account itself. At least in theory you can. I don't know if Samba's routine for adding HTTP SPNs is smart enough to know that it needs to not just add servicePrincipalName values but that it will also need to rebuild the keytab.
>
> Yes, but using the machine principal you're able to request any number of service principals that are SERVICENAME/. For this to work in a virtual hosting environment, you need multiple machine names (since we're talking about making a number of HTTP/ principals). Whilst I accept

The "" of the principal does NOT have to match the actual machine name. You could create a User object called "alice" with servicePrincipalName values of HTTP/as1.busicorp.local, HTTP/mycomputer.net and HTTP/test1 and requesting tickets for any of those names will work just fine. AD just searches for an account with a servicePrincipalName value that matches the principal requested for the service ticket.

Pedantic note: If you have the same servicePrincipalName value on more than one account, AD will actually choke and not return a ticket at all (because the request is ambiguous), there is no constraint in AD to stop people from accidentally adding the same SPN to multiple accounts and AD will not return any kind of meaningful error about it.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
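The steps Mike gives in this thread (kinit -k with the machine keytab, then an LDAP modify that adds servicePrincipalName values to the account itself) and his note that AD does nothing to stop the same SPN landing on two accounts can be turned into one pre-flight script. The Python below is an added example, not code from this thread or from Plexcel. It assumes a snapshot of the SPNs already in the domain, which a real run would fetch with ldapsearch; the DNs, hostnames and realm in it are made up for the example. It refuses to emit the LDIF if a requested SPN is already on another account and skips values the target account already carries.

```python
"""Pre-flight check and LDIF generation for adding HTTP SPNs to an AD account.

Added example, not from the mailing-list thread.  All names are constructed.
Intended flow on the web server (not executed here):

    kinit -k -t /etc/krb5.keytab 'MYSERVER$'
    ldapmodify -Y GSSAPI -H ldap://dc1.core.host.edu -f add-spns.ldif
"""

# Constructed snapshot of servicePrincipalName values already in the domain,
# keyed by account DN.  A real run fills this from an ldapsearch for
# (servicePrincipalName=*) returning the servicePrincipalName attribute.
DIRECTORY_SPNS = {
    "CN=MYSERVER,CN=Computers,DC=core,DC=host,DC=edu": [
        "host/myserver.core.host.edu",
        "host/MYSERVER",
    ],
    "CN=webfarm,CN=Users,DC=core,DC=host,DC=edu": [
        "HTTP/intranet.core.host.edu",
    ],
}


def http_spns(*hostnames):
    """HTTP/<name> SPNs for every name a browser might use.

    AD matches the whole SPN string, so the FQDN and the short name are
    different SPNs and both are registered.
    """
    spns = []
    for name in hostnames:
        name = name.rstrip(".")
        spns.append("HTTP/%s" % name)
        short = name.split(".")[0]
        if short != name:
            spns.append("HTTP/%s" % short)
    return spns


def spn_index(directory):
    """Invert the snapshot: lower-cased SPN -> list of account DNs that carry it."""
    index = {}
    for dn, spns in directory.items():
        for spn in spns:
            index.setdefault(spn.lower(), []).append(dn)
    return index


def check_collisions(target_dn, new_spns, directory):
    """Return [(spn, [other DNs])] for SPNs already held by another account.

    AD does not enforce SPN uniqueness, and a duplicate makes the KDC refuse
    to issue a ticket for that SPN with no useful error, so check first.
    """
    index = spn_index(directory)
    clashes = []
    for spn in new_spns:
        owners = [dn for dn in index.get(spn.lower(), []) if dn != target_dn]
        if owners:
            clashes.append((spn, owners))
    return clashes


def add_spn_ldif(target_dn, new_spns, directory):
    """LDIF for an 'add: servicePrincipalName' modify on target_dn.

    Values already on the target are dropped (re-adding an existing value
    fails with attributeOrValueExists); a collision elsewhere raises.
    """
    clashes = check_collisions(target_dn, new_spns, directory)
    if clashes:
        detail = "; ".join("%s already on %s" % (spn, ", ".join(o)) for spn, o in clashes)
        raise ValueError("SPN collision: " + detail)
    existing = {s.lower() for s in directory.get(target_dn, [])}
    values = [s for s in new_spns if s.lower() not in existing]
    lines = ["dn: " + target_dn, "changetype: modify", "add: servicePrincipalName"]
    lines += ["servicePrincipalName: " + s for s in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    target = "CN=MYSERVER,CN=Computers,DC=core,DC=host,DC=edu"
    print(add_spn_ldif(target, http_spns("myserver.core.host.edu"), DIRECTORY_SPNS))
```

The printed LDIF is what ldapmodify applies once kinit -k has obtained the machine account's ticket (the -Y GSSAPI option makes it use that ticket), and the collision check is the part worth keeping: the KDC's failure on a duplicate SPN gives no hint that a second account is the cause.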
Re: [CentOS] Affordable KVM over IP switch
On Tue, Mar 22, 2011 at 10:34 AM, Devin Reade wrote:
> Michael B Allen wrote:
>
>> Are there any KVM over IP switches that are not thousands of dollars? Ideally a 3-4 port switch for a few hundred seems reasonable to me.
>
> I can attest that the Adderlink iPEPS and iPEPS-DA are excellent units. They're both in the 500-1000 range. They're intended for a single machine, but as long as your access policies allow for it, putting an electronic KVM switch (~$200) between multiple servers and the iPEPS works well.
>
> You're not going to find much that is usable under that price range. Some of the lower end solutions from other vendors are windows-IE-only. The iPEPS uses encrypted VNC.

Hi Devin,

This is interesting. But can you switch consoles remotely using special keystrokes? Or do you need to physically walk over and switch the conventional non-IP unit?

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
[CentOS] Affordable KVM over IP switch
Hello,

Are there any KVM over IP switches that are not thousands of dollars? Ideally a 3-4 port switch for a few hundred seems reasonable to me.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Re: [CentOS] Apache/Active Directory authentication
On Sat, Mar 19, 2011 at 4:28 AM, John Hodrien wrote:
>> An HTTP client can authenticate with any principal in the service keytab and only one of their hostnames is going to have a PTR record. So I'm not sure I understand your claim here.
>
> Two A records, with PTR record pointing to the A record that didn't have a service principal defined. MIT client tries to use valid A record, MIT client rejects the connection as it can't get a service principal for the PTR directed A record. I'm not saying it *should* do this...
>
> In AD, the machine's only going to have service principals for the FQDN that matches the machine name it was joined to the domain with. Creating these additional service principals I think is something you can't trivially do without being a domain admin, or perhaps creating dummy machine records. If you're using AD for DNS as well, I think that could end up being a bit exciting.

Hi John,

You would not have to create "dummy" machine records. The servicePrincipalName attribute on an AD account is multi-valued and clients can request and get a ticket for ANY principal in that list. So you only need one account.

And you do not need special permissions if you have an existing keytab because you can use the keytab to authenticate with AD and add servicePrincipalName values to the account itself. At least in theory you can. I don't know if Samba's routine for adding HTTP SPNs is smart enough to know that it needs to not just add servicePrincipalName values but that it will also need to rebuild the keytab. And of course you do not have to use the Samba keytab at all really.

In fact, if you're doing a lot of HTTP virtual hosting (which is really what we're talking about) you're probably better off just creating a separate service account, adding SPNs using setspn.exe and then building a keytab with principals for all of the SPNs with some tool like ktutil (ktpass.exe will not work though because it only sets one HTTP principal last I checked - it's a useless program).

In our Plexcel product we have a routine that just queries AD for the latest KVNO and servicePrincipalName attribute and then generates a keytab with an entry for each servicePrincipalName value:

http://www.ioplex.com/api/plexcel_gen_service_keytab.html

This is largely used by the "setup" program of the Plexcel software for itself but it would be no less useful for just about anything that needs a keytab from AD.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
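The routine Mike describes (one keytab holding an entry for every servicePrincipalName value at the account's current KVNO) can be written directly against the MIT keytab file layout. The Python below is an added example, not Plexcel's code, and it does not talk to AD: the SPN list and KVNO are inputs, the realm BUSICORP.LOCAL is assumed for the hostnames quoted in this thread, and the 32-byte key is a placeholder. In a real deployment the key must be the one AD holds for the account (what ktutil derives from the password and the account's salt) and the KVNO must be current, otherwise the server tries the wrong key. A reader parses the result the way klist -k would, so the output can be checked without Kerberos libraries.

```python
"""Write an MIT-format keytab with one entry per SPN at a single KVNO.

Added example, not from the thread and not Plexcel's implementation.
Layout (all integers big-endian):
  uint16 0x0502, then entries of
    int32 size (bytes after this field; negative = deleted slot)
    uint16 num_components, counted realm, counted components...
    uint32 name_type, uint32 timestamp, uint8 vno8,
    uint16 enctype, counted key, [uint32 vno]
"""
import struct
import time

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _take(blob, pos):
    """Read a counted_octet_string at pos; return (data, new_pos)."""
    n, = struct.unpack(">H", blob[pos:pos + 2])
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def keytab_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialise one entry.  'HTTP/host' becomes components ['HTTP', 'host'];
    the case of the service part is kept because MIT matches it exactly."""
    components = principal.split("/")
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">II", KRB5_NT_PRINCIPAL, timestamp)
    body += struct.pack(">B", kvno & 0xFF)          # legacy 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                 # 32-bit vno; wins when present
    return struct.pack(">i", len(body)) + body


def build_keytab(spns, realm, kvno, enctype, key, timestamp=None):
    """Keytab bytes with one entry per SPN, all sharing kvno and key."""
    ts = int(time.time()) if timestamp is None else timestamp
    out = struct.pack(">H", KEYTAB_VERSION)
    for spn in spns:
        out += keytab_entry(spn, realm, kvno, enctype, key, ts)
    return out


def read_keytab(blob):
    """Parse keytab bytes into (kvno, principal@REALM, enctype), like klist -k."""
    version, = struct.unpack(">H", blob[:2])
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        size, = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size <= 0:                     # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        realm, pos = _take(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(blob, pos)
            comps.append(c.decode())
        pos += 8                          # name_type and timestamp
        vno = blob[pos]
        pos += 1
        enctype, = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        _key, pos = _take(blob, pos)      # key material is not returned
        if end - pos >= 4:
            vno, = struct.unpack(">I", blob[pos:pos + 4])
        pos = end
        entries.append((vno, "/".join(comps) + "@" + realm.decode(), enctype))
    return entries


if __name__ == "__main__":
    # Constructed inputs: SPNs quoted in the thread, placeholder realm and key.
    blob = build_keytab(["HTTP/as1.busicorp.local", "HTTP/mycomputer.net", "HTTP/test1"],
                        "BUSICORP.LOCAL", 7, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32))
    with open("service.keytab", "wb") as f:
        f.write(blob)
    for vno, princ, etype in read_keytab(blob):
        print(vno, princ, etype)
```

Keep the service name in the case the browser will send it: MIT matches the keytab principal exactly, so an entry for http/host does not satisfy a request for HTTP/host, and that mismatch is one cause of the "No principal in keytab matches desired name" error quoted by Asya in this thread.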
Re: [CentOS] Apache/Active Directory authentication
On Fri, Mar 18, 2011 at 2:58 PM, R P Herrold wrote:
> On Fri, 18 Mar 2011, Michael B Allen wrote:
>
>> True. You cannot have multiple PTR records for an IP. I did not mean to suggest that you could.
>
> Not saying you are wrong here, but have you an RFC reference to this effect? We previously held this belief from our prior practice, but cannot find a clear prohibition of such. As such our DNS zonefile management code does not enforce such a limitation presently
>
> Considering the issue from the other side, there is nothing that requires simplicity if implementation of a client that says it can accept only a single PTR, rather than an array of replies and then walking the reverses

Hello R,

No, I do not have a citation and theoretically having multiple PTR records for an IP might actually be quite reasonable. However, I would imagine it would be fairly limited to things like clusters or servers that should have the outward appearance of being identical. For something like kerberos with HTTP servers doing virtual hosting (like what John and I have been discussing in this thread), I suspect multiple PTRs for the web server would create quite a mess.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Re: [CentOS] Apache/Active Directory authentication
On Fri, Mar 18, 2011 at 6:25 AM, John Hodrien wrote:
> On Fri, 18 Mar 2011, Michael B Allen wrote:
>
>> Hi John,
>>
>> Arguably it's not the end-of-the-world to go through CNAMEs. If it works for you, then don't let me deter you.
>
> Indeed it does, and it was the only way I could see you /could/ do this. Especially if you're not a domain admin. I'm still not clear your method /can/ work. Are you saying you've done it this way and it does? With multiple A records if I do:
>
> ssh 10.0.0.1
>
> Which kerberos credential will the remote side use?
>
> With the CNAME approach, there's no ambiguity.
>
>> But you do realize that it requires the client to have logic to see "ah, the record returned is a CNAME so let's use this name to build the principal instead"?
>
> MIT kerberos suggests it uses this to figure out the SPN:
>
> gethostbyaddr(gethostbyname(host))

Hi John,

Actually I think this practice is now considered poor behavior. I look at a lot of packet captures and I don't recall seeing PTR lookups. At least not from Windows clients. Also I recall there was a discussion about this on the Kerberos list and the verdict from one of the MIT chaps was that it was actually not desirable to use PTR lookups.

> Surely that wouldn't care how I'd done it? That requires the PTR record, and that it points back to the name of the principal you want to use. With multiple PTR records to the same IP I can't work out how this is going to end. Will it round-robin and simply work because the remote end has all of them?

True. You cannot have multiple PTR records for an IP. I did not mean to suggest that you could.

> Clearly sometimes there's not even a domain name to start with. You can quite merrily do "ssh 10.0.0.1" and get a kerberised login. With multiple PTRs to a single IP, I can only assume you'll round-robin through the credentials. So when you add an A and PTR record and forget to add the principal, kerberos logins will fail 1/N of the time.

Well you should not use an IP at all really because IPs change. But if the client is remotely sophisticated it should be able to do a PTR lookup and try that name.

>> And I would not be surprised to see some scenario where the client actually tried to get a ticket with the supplied name and then fell back to using the CNAME in which case you have extra DNS and Kerberos traffic. If at some point someone wants to use another HTTP client from a cron job or some Java app, is that client going to handle the CNAME correctly?
>
> As far as I can tell, the client will be blissfully unaware.
>
>> What happens if the client application needs the original principal name for some reason? It will get what the CNAME points to. That could be weird for the app or a developer. And then if you move the website to another server the principal name is now suddenly different?
>
> Yes. But why would the developer care about the service principal name? It's not often you're that introspective, you're normally more interested in the client's principal.

For very simple scenarios you probably would not care. But there could be numerous reasons for wanting to know the name of the service you're talking to.

>> CNAMEs in general are dubious. And not just for Kerberos.
>
> I think that's a little harsh. CNAMEs seem to be unloved for reasons I'm not fully convinced by. What is so bad about CNAMEs?
>
>> Also short names are dubious. Is it a NetBIOS name or does the client have a proper DNS search suffix configured? And in the latter case it takes extra DNS queries to get the name.
>
> AD always creates both short and FQDN forms of principals, I assume it's as you guessed because of a NetBIOSism, or because it's a cruft that can often fix broken setups. I don't know, I only ever use the FQDN form.
>
>> Why have all this extra indirection on top of an already fickle protocol?
>
> I haven't actually found kerberos to be too fickle at all.

Kerberos requires that clients have access to the KDC, it depends heavily on DNS, stale tickets can cause cryptic errors until clients purge credential caches, etc. It's a great protocol conceptually. But in practice it's not super robust. It can be difficult to track down the source of issues. We had a customer who couldn't figure out a Kerberos issue for days. They had checked the time on the machine and thought it was correct but it was actually off by exactly 12 hours. Meaning it was set to like 2:43 AM when it was really 2:43 PM.

>> Regarding PTR records, I don't think ke
Re: [CentOS] Apache/Active Directory authentication
On Thu, Mar 17, 2011 at 6:18 AM, John Hodrien wrote:
> On Wed, 16 Mar 2011, Michael B Allen wrote:
>> I don't know what the official view is on going through a CNAME but I think that is probably a dubious practice. The proper way to handle this scenario would be to add another servicePrincipalName value for HTTP/www.friendly and a corresponding keytab entry for HTTP/www.friendly@KRB-REALM.
>
> Dubious why? If I go with your method at the very least I now need more records in AD for machines that don't exist, and I'm guessing I'll be creating them by being a domain administrator, which is inconvenient in large organisations.
>
> I'm assuming I'll also be needing to add A records for these domains. Kerberos surely won't be a fan of there not being a PTR record, so I assume you'd need multiple PTR records. Is this really the path you're suggesting going down? I'm genuinely interested here, I'm not having a dig.

Hi John,

Arguably it's not the end-of-the-world to go through CNAMEs. If it works for you, then don't let me deter you.

But you do realize that it requires the client to have logic to see "ah, the record returned is a CNAME so let's use this name to build the principal instead"? And I would not be surprised to see some scenario where the client actually tried to get a ticket with the supplied name and then fell back to using the CNAME in which case you have extra DNS and Kerberos traffic. If at some point someone wants to use another HTTP client from a cron job or some Java app, is that client going to handle the CNAME correctly?

What happens if the client application needs the original principal name for some reason? It will get what the CNAME points to. That could be weird for the app or a developer. And then if you move the website to another server the principal name is now suddenly different?

CNAMEs in general are dubious. And not just for Kerberos. Also short names are dubious. Is it a NetBIOS name or does the client have a proper DNS search suffix configured? And in the latter case it takes extra DNS queries to get the name.

Why have all this extra indirection on top of an already fickle protocol?

Regarding PTR records, I don't think kerberos would have any problem without them. Actually I seem to recall that once upon a time old Kerberos clients used to automatically try PTR lookups to get the primary hostname first but that practice has long since been ruled bad and clients no longer do it. That might be what you're thinking of.

If you're going to have users trying to use a site with a certain hostname, IMO you should just have proper A and PTR records. Yeah, it can work without. But not always and it can be a burden for users to figure out the problem and for admins to add the necessary SPN, A and PTR records, get rid of the CNAME, wait for the cache to clear, purge all the old tickets, etc.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
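The disagreement in this thread about CNAMEs, PTR lookups and gethostbyaddr(gethostbyname(host)) comes down to which name the client uses to build the HTTP/ principal, and whether that principal is in the server's keytab. The Python below is an added example, not from the thread. It models a constructed zone (two A records for one address, a CNAME, one PTR) and a keytab that holds only the server's real name, then evaluates three client behaviours: using the name as typed, forward canonicalisation through the CNAME, and reverse lookup of the address as an MIT client does with rdns enabled. The realm EXAMPLE.ORG and the hostnames are invented.

```python
"""Which HTTP/ principal a Kerberos client asks for, under three
canonicalisation behaviours, against a constructed DNS zone and keytab.

Added example, not from the thread.  Zone, realm and keytab are invented.
"""

REALM = "EXAMPLE.ORG"

# Constructed zone: two A records for one address, one CNAME, one PTR.
ZONE = {
    "A": {"real.example.org": "10.0.0.1", "friendly.example.org": "10.0.0.1"},
    "CNAME": {"www.friendly.example.org": "real.example.org"},
    "PTR": {"10.0.0.1": "real.example.org"},
}

# Constructed keytab: the server only has the principal for its real name.
KEYTAB = {"HTTP/real.example.org@" + REALM}

MODES = ("as-typed", "cname", "rdns")


def _is_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def canonical_name(host, zone, max_hops=8):
    """Follow CNAMEs to the name that owns the A record (gethostbyname's h_name)."""
    hops = 0
    while host in zone["CNAME"]:
        host = zone["CNAME"][host]
        hops += 1
        if hops > max_hops:
            raise ValueError("CNAME chain too long at %s" % host)
    return host


def resolve(host, zone):
    """Address for host after CNAMEs; an IP literal resolves to itself; else None."""
    if _is_ip(host):
        return host
    return zone["A"].get(canonical_name(host, zone))


def service_principal(host, zone, mode):
    """HTTP/<name>@REALM that a client in the given mode requests from the KDC.

    as-typed: the name the user supplied (the Windows client behaviour)
    cname:    forward canonicalisation only (follow CNAME, keep the A name)
    rdns:     gethostbyaddr(gethostbyname(host)): the PTR name when one exists
    """
    if mode == "as-typed":
        name = host
    elif mode == "cname":
        name = canonical_name(host, zone)
    elif mode == "rdns":
        addr = resolve(host, zone)
        name = zone["PTR"].get(addr) if addr else None
        if name is None:                  # no PTR: fall back to the forward name
            name = canonical_name(host, zone)
    else:
        raise ValueError("unknown mode %r" % mode)
    return "HTTP/%s@%s" % (name, REALM)


def can_authenticate(host, zone, keytab, mode):
    """True when the server's keytab holds the principal this client will request."""
    return service_principal(host, zone, mode) in keytab


def matrix(host, zone, keytab):
    """Per-mode outcome for one hostname; handy for seeing why a login fails."""
    return {m: can_authenticate(host, zone, keytab, m) for m in MODES}


if __name__ == "__main__":
    for h in ("real.example.org", "www.friendly.example.org",
              "friendly.example.org", "10.0.0.1"):
        print("%-26s %s" % (h, matrix(h, ZONE, KEYTAB)))
```

Running it shows the cases argued over above: the CNAME name works only for clients that canonicalise; the second A record works only for clients that do the PTR lookup; and when the PTR points at a name with no SPN, the reverse-looking client fails even though the name typed was right. Registering the extra SPN and keytab entry, as Mike suggests, is the only configuration in which every mode succeeds.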
Re: [CentOS] Apache/Active Directory authentication
On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien wrote:
> On Mon, 14 Mar 2011, Michael B Allen wrote:
>
>> Hi Asya,
>>
>> You must set the servicePrincipalName attribute on the service account (MYSERVER$ in this case) to include all of the hostnames that will be used to access the web server which in this case would be at least "HTTP/myserver.server.com". One way to do this would be to use setspn.exe on a Windows client but if you really have no access to the Windows side as you say, you could use the Samba keytab to acquire credentials for doing the necessary LDAP add operation using some tool (maybe there is a Samba utility for this, I don't know) or program.
>
> That's not true, and I'm not even sure it's possible from samba (at least, I'm not sure it *should* be possible).

What's not true? That you can use the Samba keytab to acquire a ticket and perform an LDAP operation on its own Computer account? It certainly is true. In fact Samba uses the keytab to authenticate with and at least query AD services on a regular basis to perform normal day-to-day operations.

But from looking at your other response I wonder if "net ads keytab ADD HTTP" adds servicePrincipalName attribute values (I don't use Samba like that so I don't know). If it is supposed to, and the AD account does not have them, then I agree, something is wrong and he should start over. It could be a replication issue.

> I have a machine with an A record that matches the keytab entry ("real"). The PTR record for the IP goes back to that hostname. There's then a CNAME record for the name used in reality for the web server ("friendly").
>
> A client will access:
>
> https://www.friendly/kerberised
>
> Client correctly pulls down HTTP/real@KRB-REALM, and the authentication works just fine.

I don't know what the official view is on going through a CNAME but I think that is probably a dubious practice. The proper way to handle this scenario would be to add another servicePrincipalName value for HTTP/www.friendly and a corresponding keytab entry for HTTP/www.friendly@KRB-REALM.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Re: [CentOS] Apache/Active Directory authentication
On Fri, Mar 11, 2011 at 3:50 PM, Dvorkin, Asya wrote:
> [root@myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>
> --
> 2 host/myserver.server@core.host.edu
> 2 host/rmyserver.server@core.host.edu
> 2 host/myserver.server@core.host.edu
> 2 host/myser...@core.host.edu
> 2 host/myser...@core.host.edu
> 2 host/myser...@core.host.edu
> 2 MYSERVER$@CORE.HOST.EDU
> 2 MYSERVER$@CORE.HOST.EDU
> 2 MYSERVER$@CORE.HOST.EDU
> 2 http/myserver.server@core.host.edu
> 2 http/myserver.server@core.host.edu
> 2 http/myserver.server.com@CORE.HOSTEDU
> 2 http/myser...@core.host.edu
> 2 http/myser...@core.host.edu
> 2 http/myser...@core.host.edu
>
> My problem is that I am getting an error message in apache logs:
>
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
>
> I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).

Hi Asya,

You must set the servicePrincipalName attribute on the service account (MYSERVER$ in this case) to include all of the hostnames that will be used to access the web server which in this case would be at least "HTTP/myserver.server.com". One way to do this would be to use setspn.exe on a Windows client but if you really have no access to the Windows side as you say, you could use the Samba keytab to acquire credentials for doing the necessary LDAP add operation using some tool (maybe there is a Samba utility for this, I don't know) or program.

Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?
On Sun, Feb 20, 2011 at 6:58 PM, Ian Forde wrote:
> On Fri, 2011-02-18 at 15:09 -0500, Michael B Allen wrote:
>> Are you talking about the SAQC? I run all CC transactions through one CentOS VPS webserver (actually I have two servers that I periodically wipe out and alternate between every year or two). So I don't have POS terminals or any Windows PCs in the mix. We don't save any card holder data at all. So my SAQC was a breeze. I just had to add N/A for questions like the "do you run anti-virus software" and explain that everything goes through the one Linux machine for which no anti-virus software exists or is necessary.
>
> You're going to want to go to www.pcisecuritystandards.org for the full scoop. I'd advise you to have your counsel examine the PCI DSS documents. IANAL, but I recall from version 2.0 of the doc found at https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (click-through agreement required) that, and I quote from page 7: "PCI DSS applies wherever account data is stored, processed or transmitted".
>
> So it's not about saving data per se. Just the act of having it transmitted to your systems may (again, IANAL) make PCI DSS apply.

Hi Ian,

Right. But a lot of the questions in the SAQC are like "9.7.a Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data?". But if you don't save cardholder data, this simply does not apply to me. I think a lot of retailers probably have many employees using PCs to look at transaction details like names, the last 4 digits of the card number and so on. In this case, the methods for doing so need to be secured and the PCs being used need anti-virus updated regularly, etc. Since my webserver only sees CC data for the few seconds it takes for Authorize.Net to respond to the POST to their server, none of section 9 even applies.

If you're a retailer with 10 stores and 30 POS terminals, yeah, PCI compliance is a bigger job. If my CC transactions go through one webserver and no data is stored, I don't suspect this will be too difficult to handle myself. Although I'm not compliant yet. We'll see. I have to pass the scan first and right now it's complaining about things like SMTP listening on 2525, ssl cipher strength and blah, blah, blah. Presumably I just have to go through each and explain that something was backported, that running on 2525 is quite deliberate and fix things like permitted ciphers.

Mike
Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?
On Fri, Feb 18, 2011 at 2:36 PM, wrote:
> Hi, there,
>
> Michael B Allen wrote:
>>
>> Can someone recommend a good vulnerability scanning service? I just
>> need the minimum for PCI compliance (it's a sort of credit card
>> processing certification).
>
> "Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK.

Hi Mark,

Hackerguardian is a commercial service (it's actually "COMODO CA Limited"). Their scan looks thorough. Obviously they're just matching up version numbers with CVE notices but I have a feeling most of these guys are going to be doing the same thing. I was just hoping one would be more sophisticated about the fact that ALL of their "Fail" items I've checked so far are things that were backported or fixed by Redhat.

> The
> *minimum* qualifications, I believe, are a 60 or 63 item questionnaire; for
> full PCI-DSS, it's something like 243 questions, and you need a full IT
> dept.

Are you talking about the SAQC? I run all CC transactions through one CentOS VPS webserver (actually I have two servers that I periodically wipe out and alternate between every year or two). So I don't have POS terminals or any Windows PCs in the mix. We don't save any card holder data at all. So my SAQC was a breeze. I just had to add N/A for questions like the "do you run anti-virus software" and explain that everything goes through the one Linux machine for which no anti-virus software exists or is necessary.

> I would *very* strongly recommend that you talk to the bank or agency
> that's asking you for this, and ask them for recommendations.

If you mean my merchant account service, they claim to be the largest Authorize.Net reseller, they sanity checked my SAQC and thought I would be ready for approval as soon as I get a good scan.

So trustwave and Qualys ... I'll check them out.

Thanks,
Mike
[CentOS] Recommendation for a Good Vulnerability Scanning Service?
Hi,

Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification). I got a free scan from https://www.hackerguardian.com/ and their scan reported a number of "Fail" results. I haven't checked them all yet but most seem to be things for which fixes were backported looong ago by The Upstream Vendor. I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?

Thanks,
Mike
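The version-number matching Mike describes in his reply, and the backported fixes behind the "Fail" results in this original question, can be checked against the package's RPM changelog, where the vendor records the CVE ids each backport addresses. The script below is an added example written for this thread, not code from any poster; the changelog text, package version and CVE ids are constructed placeholders, and on a real CentOS host the changelog would come from "rpm -q --changelog PACKAGE".

```shell
#!/bin/sh
# Added example, not code from the thread. Cross-checks the CVE ids a scanner
# flagged against the CVE ids recorded in a package's RPM changelog, which is
# where a backported fix is documented on CentOS. On a real host the changelog
# text would come from:  rpm -q --changelog PACKAGE
# Everything below (package version, maintainer, dates, CVE ids) is a
# constructed placeholder so the script runs offline.

SAMPLE_CHANGELOG='* Mon Jan 03 2011 Placeholder Maintainer <maint@example.invalid> - 1.0.0-5.el5_5.2
- fix CVE-0000-0001, CVE-0000-0002 (backported from upstream 1.0.3)
* Fri Dec 03 2010 Placeholder Maintainer <maint@example.invalid> - 1.0.0-5.el5_5.1
- fix CVE-0000-0003
'

# cves_in_changelog: print each distinct CVE id found on stdin, one per line
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# triage_findings CHANGELOG "CVE ... CVE": for each CVE a scanner flagged,
# print "<cve> backported" when the changelog documents a fix, else "<cve> open"
triage_findings() {
    fixed=$(printf '%s' "$1" | cves_in_changelog)
    for cve in $2; do
        if printf '%s\n' "$fixed" | grep -qxF -- "$cve"; then
            printf '%s backported\n' "$cve"
        else
            printf '%s open\n' "$cve"
        fi
    done
}

# count_open CHANGELOG "CVE ...": how many flagged CVEs still lack changelog
# evidence (these are the ones that need real attention, not a dispute)
count_open() {
    triage_findings "$1" "$2" | grep -c ' open$' || true
}

# Constructed scanner finding list; the third id has no changelog entry
triage_findings "$SAMPLE_CHANGELOG" "CVE-0000-0001 CVE-0000-0003 CVE-0000-0004"
```

The "backported" lines are the evidence to attach when disputing a scanner's version-based finding; the "open" lines are what remains to fix.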