Bug#881850: libc6:amd64: Intel Compiler not compatible with glibc 2.24-9 and newer

2017-11-15 Thread Bas van der Vlies 
Subject: libc6:amd64: Intel Compiler not compatible with glibc 2.24-9  and newer
Package: libc6
Version: 2.24-11+deb9u1
Tags: patch
Severity: important

Program compiled with intel compilers produce wrong results in combo with 
glibc-2.24-9 and newer, see:
 * 
https://software.intel.com/en-us/articles/intel-compiler-not-compatible-with-glibc-224-9-and-newer
 


De proposed solution with LD_BIND_NOW=1 does not work for all (hardened) 
binaries. This incompatibility between
Intel compilers and glibc causes serious problems on our clusters

There is an patch available for the 2.24 branch, see:
 * 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=609ccf8ca804e0c65afad74fe5c6d867c3552dbb
 



Regards


-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1), LANGUAGE=en_US 
(charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages libc6:amd64 depends on:
ii  libgcc1  1:6.3.0-18

libc6:amd64 recommends no packages.

Versions of packages libc6:amd64 suggests:
ii  debconf [debconf-2.0]  1.5.61
pn  glibc-doc  
ii  libc-l10n  2.24-11+deb9u1
ii  locales2.24-11+deb9u1

-- debconf information excluded

Bug#782505: libxrender

2015-04-13 Thread Bas van der Vlies 
This is an serious bug. we just hit this on our clusters and receive a lot of 
errors. We rebuild the security package and delete the offending files and put 
it in our local debian repository. So we can update the package in our systems. 
This security fix for stable should not have been released.

regards
---
Bas van der Vlies
| Operations, Support & Development | SURFsara | Science Park 140 | 1098 XG  
Amsterdam
| T +31 (0) 20 800 1300  | bas.vandervl...@surfsara.nl | www.surfsara.nl |


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#638436: autofs5-ldap: Make LDAP search level for master_map configurable

2011-08-19 Thread Bas van der Vlies 
Package: autofs5-ldap
Version: 5.0.4-3.2
Severity: normal

All our automount maps are under one dn: 
ou=automount,ou=lisa,dc=hpcv,dc=sara,dc=nl. If autofs starts it produce a lot 
of errors:
{{{
Aug 19 11:38:54 gb-r7n2 automount[5730]: Starting automounter version 5.0.4, 
master map ou=lisa,ou=automount,dc=hpcv,dc=sara,dc=nl
Aug 19 11:38:54 gb-r7n2 automount[5730]: using kernel protocol version 5.01
Aug 19 11:38:54 gb-r7n2 automount[5730]: connected to uri 
ldaps://cua.irc.sara.nl
Aug 19 11:38:54 gb-r7n2 automount[5730]: syntax error in map near [ * 
-fstype=nfs,rw,hard,intr,vers=3,noacl fs6,fs7: ]
Aug 19 11:38:54 gb-r7n2 automount[5730]: syntax error in map near [ wiltest 
-fstype=nfs,rw,vers=3,hard,intr,acl fs8: ]
Aug 19 11:38:54 gb-r7n2 automount[5730]: syntax error in map near [ victormk 
-fstype=nfs,rw,vers=3,hard,intr,acl fs8: ]A
...
}}}

The function lookup_read_maste() in modules/lookup_ldap.c use a default scope 
level:
 * scope = LDAP_SCOPE_SUBTREE;

if a change it to. The problems are gone:
 * scope = LDAP_SCOPE_ONE;

There is no way to adjust the LDAP scope level in the /etc/default/autofs.  Can 
there be an option added to adjust the SCOPE level for the master map?




-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.41-sara1 (SMP w/8 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages autofs5-ldap depends on:
ii  autofs5   5.0.4-3.2  kernel-based automounter for Linux
ii  libc6 2.11.2-10  Embedded GNU C Library: Shared lib
ii  libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries

autofs5-ldap recommends no packages.

autofs5-ldap suggests no packages.

-- Configuration Files:
/etc/autofs_ldap_auth.conf [Errno 13] Permission denied: 
u'/etc/autofs_ldap_auth.conf'

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#615960: cfengine3: processes are always restarted when cfengine daemons are started via init script

2011-03-01 Thread Bas van der Vlies 
Package: cfengine3
Version: 3.1.4~1
Severity: important
Tags: patch

When the cfengine daemon are started via the init script the process check for 
cfengine fails due the fact that
the init script sets the enviroment variable COLUMNS to 80. This setting 
truncated the ps output and cfengine
can not check the name of the processes and the checked processes are restarted 
everytime cf-agent runs.

I have added this to the init.d script:
{{{
unset TERM
unset COLUMNS
export TERM COLUMNS
}}}

After this everything works as expected, also see:
 * https://cfengine.com/bugtracker/view.php?id=495

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.28-sara1 (SMP w/8 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages cfengine3 depends on:
ii  libacl1 2.2.49-4 Access control list shared library
ii  libattr11:2.4.44-2   Extended attribute shared library
ii  libc6   2.11.2-10Embedded GNU C Library: Shared lib
ii  libdb4.84.8.30-2 Berkeley v4.8 Database Libraries [
ii  libpcre38.02-1.1 Perl 5 Compatible Regular Expressi
ii  libssl0.9.8 0.9.8o-4squeeze1 SSL shared libraries

cfengine3 recommends no packages.

cfengine3 suggests no packages.

-- Configuration Files:
/etc/default/cfengine3 changed [not included]
/etc/init.d/cfengine3 changed [not included]

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#482541: cron: major performance issue with initgroups

2010-04-23 Thread Bas van der Vlies 

Hi Christian,

 Just close it. I did some modifications to nsswitch.conf and the pam_ldap 
stack. I do not use the PADL ldap software anymore. I switch to nslcd.


Regards

On 22-04-10 23:42, Christian Kastner wrote:

Hi Bas,

Bas van der Vlies wrote:

First a brief description of our setup:
 - +/- 800 nodes installed with debian
 - more then 4000 users and each user has its own group
 - 2 LDAP servers (master/slave) setup


This is what i encountered when cron runs a script. This script is started
on each node and it does an initgroups call. This call have i huge impact
on our LDAP servers. It fetches all the groups and will find out if the
user is a member of the group. This can be useful for all users except
root.


I don't consider this a bug - cron is doing here exactly what it is
expected to do. I agree that the call to initgroups() is redundant, but
there might actually be (broken?) code relying on this.

The heart of this issue is simply performance. Are you using NSS, nscd
etc? Other bug reports mentioning performance issues with cron which
were related to a specific version of libpam-ldap, so that could be a
cause, too.


I can make a patch that is skip this check for root user or we can
add environment variable to /etc/crontab:
  SKP_INITGROUPS=root


I think this could be achieved much more easily via NSS with the
following setting in nsswitch.conf:

nss_initgroups_ignoreusers root

I don't use NSS, so I cannot vouch for this. But looking at #457200,
this approach might even be more beneficial to you than changing cron's
source.

Please let me know if you disagree with my assessment. Otherwise, I'd
like to close this bug.


Thanks,
Christian




--
************
*  Bas van der Vliese-mail: b...@sara.nl   *
*  SARA - Academic Computing Services   Amsterdam, The Netherlands *




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#573300: Report the debian patches to cfengine3 maintainers

2010-03-10 Thread Bas van der Vlies 

On 10-03-10 15:07, Antonio Radici wrote:

On Wed, Mar 10, 2010 at 02:13:05PM +0100, Bas van der Vlies wrote:

Package: cfengine3
Version: 3.0.3
Severity: wishlist

Just a remark. You have made some patches that still are not fixed in a new 
release of cfengine (3.0.4 for now). I you have fixed something why do you not 
mail it to the maintainers?



Hi,
at the moment I don't have the list of all patches but as far as I
remember all of them were submitted to the proper mailing list (except
the debian specific FHS patch).

Unfortunately upstream doesn't seem to use a bugtracking mechanism, I
will submit them again.

Cheers
Antonio


Dear Antonio,

 They have a bugtracking system and i have checked the trunk version and 
the typo's and cf-monitord.pid fix are still vaild. I just filled in a 
report in the cfengine bug system and one is already applied.


Regards

--
************
*  Bas van der Vliese-mail: b...@sara.nl   *
*  SARA - Academic Computing Services   Amsterdam, The Netherlands *




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#573300: Report the debian patches to cfengine3 maintainers

2010-03-10 Thread Bas van der Vlies 
Package: cfengine3
Version: 3.0.3
Severity: wishlist

Just a remark. You have made some patches that still are not fixed in a new 
release of cfengine (3.0.4 for now). I you have fixed something why do you not 
mail it to the maintainers?

regards



-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages cfengine3 depends on:
ii  libc6   2.7-18lenny2 GNU C Library: Shared libraries
ii  libdb4.64.6.21-11Berkeley v4.6 Database Libraries [
ii  libpcre37.6-2.1  Perl 5 Compatible Regular Expressi
ii  libssl0.9.8 0.9.8g-15+lenny6 SSL shared libraries

cfengine3 recommends no packages.

cfengine3 suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#506732: cfengine2: Package removal does not work

2008-11-24 Thread Bas van der Vlies 
Package: cfengine2
Version: 2.2.8-2
Severity: important
Tags: patch


I forgot to inform the maintainer, but packag removal does not work anymore for 
this version.
It is fixed in the trunk version of cfengine2


-- patch ---
diff -ruN cfengine-2.2.8-old/src/package.c cfengine-2.2.8/src/package.c
--- cfengine-2.2.8-old/src/package.c2008-07-13 09:33:45.0 +0200
+++ cfengine-2.2.8/src/package.c2008-11-24 10:25:39.478319896 +0100
@@ -1194,7 +1194,12 @@
 
  int DPKGPackageList (char *package, char *version, enum cmpsense cmp, struct 
Item **pkglist)
   {
   -   return 0; /* not implemented yet */
   +   /* Rather than re-checking packages, assume the package name is
   +  installed since the DPKGPackageCheck was positive.  This is
   +  possible since Cfengine+dpkg doesn't support granular version
   +  install/removes */
   +   AppendItem(pkglist,package,"");
   +   return 1;
}
 
  /*/

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27.6-sara1 (SMP w/8 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages cfengine2 depends on:
ii  debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii  debianutils   2.30   Miscellaneous utilities specific t
ii  libc6 2.7-16 GNU C Library: Shared libraries
ii  libdb4.6  4.6.21-11  Berkeley v4.6 Database Libraries [
ii  libssl0.9.8   0.9.8g-14  SSL shared libraries
ii  lsb-base  3.2-20 Linux Standard Base 3.2 init scrip
ii  perl  5.10.0-17  Larry Wall's Practical Extraction 

cfengine2 recommends no packages.

cfengine2 suggests no packages.

-- debconf information:
  cfengine2/run_cfservd: true
  cfengine2/run_cfexecd: true
  cfengine2/run_cfenvd: true



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#428829: Patch to add md5crypt password support

2008-07-11 Thread Bas van der Vlies 

I have made an patch suitable for dpatch. Can this be applied?


--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

#! /bin/sh /usr/share/dpatch/dpatch-run
## 07_md5crypt_support.dpatch by  <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad cpu-1.4.3~/src/include/util/hash.h cpu-1.4.3/src/include/util/hash.h
--- cpu-1.4.3~/src/include/util/hash.h  2003-09-27 04:27:01.0 +0200
+++ cpu-1.4.3/src/include/util/hash.h   2008-07-11 11:45:49.391685473 +0200
@@ -49,12 +49,14 @@
 #define PASSWORD_SIZE 128
   
 /* hash_t should have a one-to-one correspondence with hashes */
+/* HVB added H_MD5CRYPT */
 typedef enum {
   H_SHA1 = 0,
   H_SSHA1,
   H_MD5,
   H_SMD5,
   H_CRYPT,
+  H_MD5CRYPT,
   H_CLEAR,
   H_UNKNOWN,
 } hash_t;
diff -urNad cpu-1.4.3~/src/plugins/ldap/ld.c cpu-1.4.3/src/plugins/ldap/ld.c
--- cpu-1.4.3~/src/plugins/ldap/ld.c2004-01-12 05:47:37.0 +0100
+++ cpu-1.4.3/src/plugins/ldap/ld.c 2008-07-11 11:45:49.391685473 +0200
@@ -478,6 +478,9 @@
 case H_CRYPT:
   return ldap_hashes[H_CRYPT];
   break;
+case H_MD5CRYPT: /* HvB */
+  return ldap_hashes[H_CRYPT];
+  break;
 case H_CLEAR:
   /* FIXME: this should work so that the prefix is returned for the
  correct hash but the password doesn't get encrypted */
diff -urNad cpu-1.4.3~/src/util/hash.c cpu-1.4.3/src/util/hash.c
--- cpu-1.4.3~/src/util/hash.c  2008-07-11 11:10:12.0 +0200
+++ cpu-1.4.3/src/util/hash.c   2008-07-11 11:45:49.391685473 +0200
@@ -50,6 +50,7 @@
   "md5",
   "smd5",
   "crypt",
+  "md5crypt",
   "clear",
   NULL
 };
@@ -140,6 +141,11 @@
   char * passphrase = NULL;
   size_t plen = 0;
 
+  /*
+   * HvB
+  */
+  char md5salt[32];
+
   if ( password == NULL )
 return NULL;
 
@@ -185,9 +191,20 @@
fprintf(stderr, "Your c library is missing 'crypt'\n");
 #endif
break;
+
+  case H_MD5CRYPT: /* HvB */
+#ifdef HAVE_LIBCRYPT
+   snprintf(md5salt, sizeof(md5salt),"$1$%s", cgetSalt());
+   temp = crypt(password, md5salt);
+#else
+   fprintf(stderr, "Your c library is missing 'crypt'\n");
+#endif
+   break;
+
   case H_CLEAR:
temp = password;
break;
+
   default:
fprintf(stderr, "getHash: Unknown hash type.\n");
return NULL;
diff -urNad cpu-1.4.3~/src/util/hash.c.orig cpu-1.4.3/src/util/hash.c.orig
--- cpu-1.4.3~/src/util/hash.c.orig 1970-01-01 01:00:00.0 +0100
+++ cpu-1.4.3/src/util/hash.c.orig  2008-07-11 11:10:12.0 +0200
@@ -0,0 +1,412 @@
+/*
+ This file is part of CPU
+ (C) 2003 Blake Matheny (and other contributing authors)
+
+ CPU is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published
+ by the Free Software Foundation; either version 2, or (at your
+ option) any later version.
+
+ CPU is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with CPU; see the file COPYING.  If not, write to the
+ Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+*/
+
+/**
+ * hasing routines
+ * @author Blake Matheny
+ * @file hash.c
+ **/
+#include 
+#include 
+#include 
+#include 
+#ifdef HAVE_CRYPT_H
+#include 
+#endif
+#include "util/hash.h"
+#ifdef HAVE_CRACK_H
+#include 
+#endif
+#ifndef crypt
+extern char *crypt(const char *key, const char *salt);
+#endif
+
+char salt[] = "$1$";
+char csalt[] = "";
+const char rstring[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQR"
+  "[EMAIL PROTECTED]&*()_+{}|:\"<>?`-=[];',./";
+const double rlen = 93.00;
+
+const char * hashes[] = {
+  "sha1",
+  "ssha1",
+  "md5",
+  "smd5",
+  "crypt",
+  "clear",
+  NULL
+};
+
+char *
+CPU_getpass ( const char * prompt )
+{
+  struct termios old, new;
+  char * tmp_pass = NULL;
+  int i = 0;
+
+  fprintf(stdout,

Bug#481077: libnss-ldapd: Versions 0.6.3 has the same problem

2008-06-16 Thread Bas van der Vlies 

Again thanks for this excellent info.

Arthur de Jong wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


This behaviour is expected. The "getent group" requests result in a
combination of setgrent(), getgrent() and endgrent() calls. These calls
work with a single call to nslcd. If the supplied buffer (by Glibc) is too
small the information from the existing request is reused.

For "getent group lisa" this is a call to getgrnam() which is a single
stateless request to nslcd. In this case, if the buffer is too small the
old request is discarded and a new one is started (the function is
stateless).

So in this situation the message is harmless. From the nscd side it isn't
easy to determine whether or not the closed connection is harmless so I
don't know of a better way to handle this. One solution could be for the
client to read the rest of the response anyway.

- --
- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIVkorVYan35+NCKcRAuIWAJoDe9jag2+UEt0cUb8OSGP7cp3HbQCfSCEN
xKegyrxJxuGp2NUdopv9Vvs=
=9+0v
-END PGP SIGNATURE-



--
--

*              *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#481077: libnss-ldapd: Versions 0.6.3 has the same problem

2008-06-16 Thread Bas van der Vlies 
Package: libnss-ldapd
Version: 0.6.3
Followup-For: Bug #481077

Just installed this version on a node and still get:
 - error writing to client

The strange thing that i do not get this errors with:
 - getent group 

But if i do a :
 - getent group lisa

The error shows up, but not everything i execute this command.

{{{
nslcd: [0115be] DEBUG: connection from pid=19334 uid=31000 gid=31010
nslcd: [0115be] DEBUG: nslcd_group_byname(lisa)
nslcd: [0115be] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [0115be] DEBUG: ldap_result(): end of results
nslcd: [5ba861] DEBUG: connection from pid=19335 uid=31000 gid=31010
nslcd: [5ba861] DEBUG: nslcd_group_byname(lisa)
nslcd: [5ba861] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [5ba861] DEBUG: ldap_result(): end of results
nslcd: [398c89] DEBUG: connection from pid=19335 uid=31000 gid=31010
nslcd: [398c89] DEBUG: nslcd_group_byname(lisa)
nslcd: [398c89] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [398c89] DEBUG: ldap_result(): end of results
nslcd: [4fe9f9] DEBUG: connection from pid=19335 uid=31000 gid=31010
nslcd: [4fe9f9] DEBUG: nslcd_group_byname(lisa)
nslcd: [4fe9f9] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [4fe9f9] DEBUG: ldap_result(): end of results
nslcd: [b5af5c] DEBUG: connection from pid=19335 uid=31000 gid=31010
nslcd: [b5af5c] DEBUG: nslcd_group_byname(lisa)
nslcd: [b5af5c] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [1226bb] DEBUG: connection from pid=19335 uid=31000 gid=31010
nslcd: [1226bb] DEBUG: nslcd_group_byname(lisa)
nslcd: [1226bb] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [b5af5c] error writing to client
nslcd: [1226bb] DEBUG: ldap_result(): end of results
nslcd: [34b6a8] DEBUG: connection from pid=19336 uid=31000 gid=31010
nslcd: [34b6a8] DEBUG: nslcd_group_byname(lisa)
nslcd: [34b6a8] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [233c99] DEBUG: connection from pid=19336 uid=31000 gid=31010
nslcd: [233c99] DEBUG: nslcd_group_byname(lisa)
nslcd: [233c99] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [34b6a8] error writing to client
nslcd: [6ab60f] DEBUG: connection from pid=19336 uid=31000 gid=31010
nslcd: [233c99] error writing to client
nslcd: [6ab60f] DEBUG: nslcd_group_byname(lisa)
nslcd: [6ab60f] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [574095] DEBUG: connection from pid=19336 uid=31000 gid=31010
nslcd: [6ab60f] error writing to client
nslcd: [574095] DEBUG: nslcd_group_byname(lisa)
nslcd: [574095] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [0c57b1] DEBUG: connection from pid=19336 uid=31000 gid=31010
nslcd: [0c57b1] DEBUG: nslcd_group_byname(lisa)
nslcd: [0c57b1] DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl",
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: [574095] error writing to client
nslcd: [0c57b1] DEBUG: ldap_result(): end of results
}}}



-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.25.3-sara1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libnss-ldapd depends on:
ii  adduser3.102 Add and remove users and groups
ii  debconf [debconf-2.0]  1.5.11etch1   Debian configuration management sy
ii  libc6  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libkrb53   1.4.4-7etch5  MIT Kerberos runtime libraries
ii  libldap-2.4-2  2.4.7-6.1 OpenLDAP libraries
ii  libsasl2-2 2.1.22.dfsg1-8Authentication abstraction library

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap180-1.7   Pluggable Authentication Module al
ii  nscd   2.3.6.ds1-13etch5 GNU C Library: Name Service Cache 

-- debconf information:
  libnss-ldapd/ldap-base: dc=hpcv,dc=sara,dc=nl
  libnss-ldapd/nsswitch: shadow
  libnss-ldapd/ldap-binddn:
  libnss-ldapd/ldap-uris: ldaps://cua.irc.sara.nl ldaps://ldap.cua.sara.nl
  libnss-ldapd/ldap-rootbinddn:



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#482541: cron: major performance issue with initgroups

2008-05-23 Thread Bas van der Vlies 
Package: cron
Version: 3.0pl1-100
Severity: important


First a brief description of our setup:
 - +/- 800 nodes installed with debian
 - more then 4000 users and each user has its own group
 - 2 LDAP servers (master/slave) setup


This is what i encountered when cron runs a script. This script is started 
on each node and it does an initgroups call. This call have i huge impact 
on our LDAP servers. It fetches all the groups and will find out if the 
user is a member of the group. This can be useful for all users except 
root.

I can make a patch that is skip this check for root user or we can 
add environment variable to /etc/crontab:
 SKP_INITGROUPS=root

Regards


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.14-sara1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages cron depends on:
ii  adduser3.102 Add and remove users and groups
ii  debianutils2.17  Miscellaneous utilities specific t
ii  libc6  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libpam0g   0.79-5Pluggable Authentication Modules l
ii  libselinux11.32-3SELinux shared libraries
ii  lsb-base   3.1-23.2etch1 Linux Standard Base 3.1 init scrip

Versions of packages cron recommends:
ii  postfix [mail-transport-agent 2.3.8-2+b1 A high-performance mail transport 

-- no debconf information



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#481076: libnss-ldapd: Can not contact LDAP servers messages

2008-05-22 Thread Bas van der Vlies 
BTW it give always problems with the failover line. I have defined two 
openldap servers in nss-ldapd.conf:

 uri ldaps://cua.irc.sara.nl
 uri ldaps://ldap.cua.sara.nl


--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#481076: libnss-ldapd: Can not contact LDAP servers messages

2008-05-19 Thread Bas van der Vlies 

Arthur de Jong wrote:

On Wed, 2008-03-19 at 15:47 +0100, Bas van der Vlies wrote:

We have installed nslcd on out 800 node cluster and once in a while we
get these message from some nodes:

Mar 19 15:17:47 gb-r3n8 nslcd[3236]: failed to bind to LDAP server
ldaps://ldap.cua.sara.nl: Can't contact LDAP server: Operation now in
progress


The problem is most likely that calling connect() to the LDAP server
failed with the error EINPROGRESS (Operation now in progress). Probably
because the number of connection to the server is too large.

If you have a large cluster, having too many connections to the LDAP
server may be a problem. If that is the case this problem may be
mitigated by using the threads keyword introduced in release 0.6.2
(setting it to something lower than the default 5).


I have made a calculation and and have increased the open files to
8192 and we have 2 server for this cluster. So 5 * 800 = 4000 is only
2000 connections per server. Must be enough


The error itself is a bit weird because this should only happen when the
socket is in non-blocking mode. Since OpenLDAP has control over the
socket I suspect this may be a bug in OpenLDAP. You also appear to be
using OpenLDAP from stable which is much older than the current version
in unstable/testing.

Again thanks for the explanation. This error mostly occurs we i restart the 
slapd servers. Then i client tries forever to connect to a slapd-server. We 
have Round Robin DNS  setup. The only way to stop this is to restart the 
nslcd daemon.


Do you mean the client libraries or the slapd version?



Versions of packages libnss-ldapd depends on:
ii  grap   1.39-2program for typesetting graphs


Btw, I'm a bit puzzled how this dependency ended up in libnss-ldapd.


When i compiled it on our debian system it was needed for the man page.



--
--

*      *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#481077: nslcd: error writing to client

2008-05-16 Thread Bas van der Vlies 


On May 16, 2008, at 3:02 PM, Arthur de Jong wrote:


On Fri, 2008-05-16 at 10:01 +0200, Bas van der Vlies wrote:

Just a thought i have read the changelog and news for version 0.6.2
and it says it has a fix for groups with a lot members. but is that
for groupOfUniqueNames with uniqueMembers?


Some of the fixes are for both uniqueMember and memberUid attributes
(some general improvements) but most of the improvements were for
the uniqueMember attribute.


Thanks for the explanation


On Fri, 2008-05-16 at 13:28 +0200, Petter Reinholdtsen wrote:
I have a similar problem, and this patch bring the read buffer in nss
up to the same size as the write buffer in nslcd.  No idea why it
helps.


The reason that the read buffer in the NSS part needs to be so big is
because it has to be able to contain one whole group entry (with all
members). This is because of the retry mechanism in NSS (if the read
buffer is full, retries will fail). The default buffer size in 0.6.2  
is

32k, enough for about 2500 members (not having too many too long
usernames).

I had thought that this was a good enough upper limit but apparently
there are environments out there with many more users per group. What
would be a reasonable upper limit?

can this be configurable in nss-ldapd.conf. I assume if you increase  
more memory is used and it is only needed in environments where there  
are many group members




On Fri, 2008-05-16 at 10:01 +0200, Bas van der Vlies wrote:

I also get a lot of these messages in my slapd.log:
 - May 16 09:57:50 slave2 slapd[32681]: <= bdb_equality_candidates:
(uniqueMember) not indexed

That is strange because i do not use this attribute at all.


By default nss-ldapd will try to look up both the uniqueMember and
memberUid attributes and use those in searches. To disable
the uniqueMember attribute in nss-ldapd, currently the best solution
is to map it to something unknown, e.g.:
 map group uniqueMember disabled



Another solution would be to just create the index in slapd.conf:
 index groupOfUniqueNames uniqueMember
(rerun slapdindex and fix ownership of database files)



Again thanks for you explanation. I will use the one for nslcd. The  
other one is more complicated to implement on our LDAP-cluster ;)




--
Bas van der Vlies
[EMAIL PROTECTED]






--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#481077: nslcd: error writing to client

2008-05-16 Thread Bas van der Vlies 


On May 16, 2008, at 1:28 PM, Petter Reinholdtsen wrote:



Does this patch help?

thanks, Have just installed the patch and did some testing. The  
strange thing is that it is now fixed for the root user. I only saw it  
once. When i run it without the patch i get it every time when i do  
the command:

 - getent group lisa


When i run it as ordinary user, eg bas. I still get the error message.  
I have check ulimits but could not find anything weird


--
Bas van der Vlies
[EMAIL PROTECTED]






--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#481077: Acknowledgement (nslcd: error writing to client)

2008-05-16 Thread Bas van der Vlies 
Just a thought i have read the changelog and news for version 0.6.2 and it 
says it has a fix for groups with a lot members. but is that for 
groupOfUniqueNames with uniqueMembers?


In our situation we use posixGroup with memberUID.

I also get a lot of these messages in my slapd.log:
 - May 16 09:57:50 slave2 slapd[32681]: <= bdb_equality_candidates: 
(uniqueMember) not indexed



That is strange because i do not use this attribute at all.




--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#481077: nslcd: error writing to client

2008-05-13 Thread Bas van der Vlies 
Package: libnss-ldapd
Version: 0.6.2
Severity: normal


We have unix groups with a lot of members > 1300.  The follwoing command 
produce the error message:
 - getent group lisa

nslcd -d:
{{{
nslcd: DEBUG: connection from pid=20530 uid=31000 gid=31010
nslcd: DEBUG: nslcd_group_byname(lisa)
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", 
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: DEBUG: connection from pid=20530 uid=31000 gid=31010
nslcd: DEBUG: nslcd_group_byname(lisa)
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", 
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: error writing to client
nslcd: DEBUG: connection from pid=20530 uid=31000 gid=31010
nslcd: DEBUG: nslcd_group_byname(lisa)
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", 
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: error writing to client
nslcd: DEBUG: connection from pid=20530 uid=31000 gid=31010
nslcd: DEBUG: nslcd_group_byname(lisa)
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", 
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: error writing to client
nslcd: DEBUG: connection from pid=20530 uid=31000 gid=31010
nslcd: DEBUG: nslcd_group_byname(lisa)
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", 
filter="(&(objectClass=posixGroup)(cn=lisa))")
nslcd: error writing to client
nslcd: DEBUG: ldap_result(): end of results
}}}


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.14-sara1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libnss-ldapd depends on:
ii  debconf [debconf-2.0]  1.5.11etch1   Debian configuration management sy
ii  libc6  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libkrb53   1.4.4-7etch5  MIT Kerberos runtime libraries
ii  libldap2   2.1.30-13.3   OpenLDAP libraries
ii  libsasl2-2 2.1.22.dfsg1-8Authentication abstraction library

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap   180-1.7Pluggable Authentication Module al
pn  nscd   (no description available)

-- debconf information:
* libnss-ldapd/ldap-base: dc=hpcv,dc=sara,dc=nl
* libnss-ldapd/nsswitch: passwd, group, shadow, netgroup
  libnss-ldapd/ldap-binddn:
  libnss-ldapd/ldap-rootbinddn:
* libnss-ldapd/ldap-uris: ldaps://cua.irc.sara.nl



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#481076: libnss-ldapd: Can not contact LDAP servers messages

2008-05-13 Thread Bas van der Vlies 
Package: libnss-ldapd
Version: 0.6
Severity: important

We have installed nslcd on out 800 node cluster and once in a while we get 
these message from some nodes:
{{{
Mar 19 15:17:47 gb-r3n8 nslcd[3236]: failed to bind to LDAP server 
ldaps://ldap.cua.sara.nl: Can't contact LDAP server: Operation now in progress 
Mar 19 15:17:47 gb-r3n8 nslcd[3236]: no available LDAP server found, sleeping 4 
seconds 
Mar 19 15:17:49 gb-r3n8 nslcd[3236]: failed to bind to LDAP server 
ldaps://cua.irc.sara.nl: Can't contact LDAP server: Operation now in progress 
Mar 19 15:17:49 gb-r3n8 nslcd[3236]: failed to bind to LDAP server 
ldaps://ldap.cua.sara.nl: Can't contact LDAP server: Operation now in progress 
Mar 19 15:17:49 gb-r3n8 nslcd[3236]: no available LDAP server found 
Mar 19 15:17:51 gb-r3n8 nslcd[3236]: failed to bind to LDAP server 
ldaps://cua.irc.sara.nl: Can't contact LDAP server: Operation now in progress 
Mar 19 15:17:51 gb-r3n8 nslcd[3236]: failed to bind to LDAP server 
ldaps://ldap.cua.sara.nl: Can't contact LDAP server: Operation now in progress 
Mar 19 15:17:51 gb-r3n8 nslcd[3236]: no available LDAP server found 
}}}

It will fail forever till i restart the nslcd daemon:
{{{
Mar 19 15:17:56 gb-r3n8 nslcd[3236]: caught signal SIGTERM (15), shutting down 
Mar 19 15:17:56 gb-r3n8 nslcd[3236]: version 0.6 bailing out 
Mar 19 15:17:56 gb-r3n8 nslcd[32672]: version 0.6 starting 
Mar 19 15:17:56 gb-r3n8 nslcd[32672]: accepting connections 
Mar 19 15:18:00 gb-r3n8 nslcd[32672]: connected to LDAP server 
ldaps://cua.irc.sara.nl 
Mar 19 15:18:00 gb-r3n8 nslcd[32672]: connected to LDAP server 
ldaps://cua.irc.sara.nl 
Mar 19 15:18:00 gb-r3n8 nslcd[32672]: connected to LDAP server 
ldaps://cua.irc.sara.nl 
Mar 19 15:18:00 gb-r3n8 nslcd[32672]: connected to LDAP server 
ldaps://cua.irc.sara.nl 
Mar 19 15:18:00 gb-r3n8 nslcd[32672]: connected to LDAP server 
ldaps://cua.irc.sara.nl 
}}}

Is this a known problem? It does not occur often.

Regards

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.14-sara1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libnss-ldapd depends on:
ii  debconf [debconf-2.0]  1.5.11etch1   Debian configuration management sy
ii  grap   1.39-2program for typesetting graphs
ii  libc6  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libkrb53   1.4.4-7etch5  MIT Kerberos runtime libraries
ii  libldap2   2.1.30-13.3   OpenLDAP libraries
ii  libsasl2-2 2.1.22.dfsg1-8Authentication abstraction library

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap   180-1.7Pluggable Authentication Module al
pn  nscd   (no description available)

-- debconf information:
* libnss-ldapd/ldap-base: dc=hpcv,dc=sara,dc=nl
* libnss-ldapd/nsswitch: passwd, group, shadow, netgroup
  libnss-ldapd/ldap-binddn:
  libnss-ldapd/ldap-rootbinddn:
* libnss-ldapd/ldap-uris: ldaps://cua2.irc.sara.nl ldaps://cua1.irc.sara.nl



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#479770: libnss-ldapd: can not use netgroup names in /etc/passwd file

2008-05-08 Thread Bas van der Vlies 

Arthur de Jong wrote:

On Thu, 2008-05-08 at 08:43 +0200, Bas van der Vlies wrote:
I have found the problem.  I am using 'memberNisNetgroup' atrribute. If i 
use the 'nisNetgroupTriple' attribute it is working.  In NIS you can 
specifiy groups and triples to nisnetgroup. So the padl nss-ldap library 
handles this correctly and nss-ldapd/netgroup utility  only parses the 
'nisNetgroupTriple' attribute.


Actually, the way I read rfc2307, a nisNetgroup object has the following
possible member-like attributes:
  nisNetgroupTriple
which may only contain (user, host, domain) triples
  memberNisNetgroup
which contain references to other netgroups that are a part of this
netgroup
nss-ldapd should parse entries like this. So having triples in the
memberNisNetgroup attribute isn't supported.

If you also have the triples in the memberNisNetgroup (and you really
want to keep that), you could add
  map netgroup nisNetgroupTriple memberNisNetgroup
to /etc/nss-ldapd.conf. This is a bit of a hack and not really
recommended. It's better to fix the contents of the directory.

This setup may give you warnings about unparseable triples (where
references to other netgroups are entered) and will result in more LDAP
lookups that you would expect (for each triplet it will also try a
lookup as netgroup).


Arthur,

 Thanks for the explanation. I have  ported memberNisNetgroup to 
nisNetgroupTriple. In NIS you can mix those and i did not read the rfc's 
and libnss-ldap is also misleading that is support this setup.


regards


--
--

*                  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#479770: libnss-ldapd: can not use netgroup names in /etc/passwd file

2008-05-07 Thread Bas van der Vlies 

Arthur de Jong wrote:

On Tue, 2008-05-06 at 19:05 +0200, Bas van der Vlies wrote:

Just found out there is a 'netgroup'' command here is the info:

# netgroup -u bas
#
no output

nslcd: DEBUG: connection from pid=5383 uid=0 gid=0
nslcd: DEBUG: nslcd_netgroup_byname(bas)
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", filter="(& 
(objectClass=nisNetgroup)(cn=bas))")

nslcd: DEBUG: connection from pid=5383 uid=0 gid=0
nslcd: DEBUG: nslcd_netgroup_byname((-,bas,-))
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", filter="(& 
(objectClass=nisNetgroup)(cn=\28-,bas,-\29))")


I guess this is a bug in nss-ldapd. It seems the getnetgrent() function
is used for more than just looking up a netgroup by name (or perhaps the
NSS internal function by that name is overloaded). I'll try to dig into
this a little.

Just to get everything clear, sorry_lisa is a name of a netgroup on
your system? Also, could you send me your /etc/nsswitch.conf and
indicate where the bas user is configured (LDAP, /etc/passwd
otherwise)?

Yes 'sorry_lisa' is a netgroup on my systeem and  a rather big one. So i 
also create a netgroup 'bas' with some test some users.


I have found the problem.  I am using 'memberNisNetgroup' atrribute. If i 
use the 'nisNetgroupTriple' attribute it is working.  In NIS you can 
specifiy groups and triples to nisnetgroup. So the padl nss-ldap library 
handles this correctly and nss-ldapd/netgroup utility  only parses the 
'nisNetgroupTriple' attribute.







--
--
****************
*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#479770: Info received (libnss-ldapd: can not use netgroup names in /etc/passwd file)

2008-05-07 Thread Bas van der Vlies 

Just tried versions 0.6.2 and still encounter the same problems.

--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#479770: libnss-ldapd: can not use netgroup names in /etc/passwd file

2008-05-06 Thread Bas van der Vlies 

Just found out there is a 'netgroup'' command here is the info:

# netgroup -u bas
#
no output

nslcd: DEBUG: connection from pid=5383 uid=0 gid=0
nslcd: DEBUG: nslcd_netgroup_byname(bas)
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", filter="(& 
(objectClass=nisNetgroup)(cn=bas))")

nslcd: DEBUG: connection from pid=5383 uid=0 gid=0
nslcd: DEBUG: nslcd_netgroup_byname((-,bas,-))
nslcd: DEBUG: myldap_search(base="dc=hpcv,dc=sara,dc=nl", filter="(& 
(objectClass=nisNetgroup)(cn=\28-,bas,-\29))")


Regards


--
Bas van der Vlies
[EMAIL PROTECTED]






--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#479770: libnss-ldapd: can not use netgroup names in /etc/passwd file

2008-05-06 Thread Bas van der Vlies 
Package: libnss-ldapd
Version: 0.6.2
Severity: important


in the passwd file i have the following entry:
[EMAIL PROTECTED]::/usr/sara/bin/sorry.sh

When an user is added to this nis group it gets a messag that he must
contact our helpdesk.

If i add my loginname to this group:
 finger bas

testtm.irc.sara.nl:/etc 
root# finger bas
Login: bas  Name: Bas van der Vlies
Directory: /home/basShell: /bin/bash
On since Tue May  6 17:24 (CEST) on pts/1 from fun.ka.sara.nl (messages
off)
No mail.
No Plan.

this incorrect it must display Shell: /usr/sara/bin/sorry.sh

When i install libnss-ldap it is correct:
{{{
testm.irc.sara.nl:/etc 
root# finger -m bas   
Login: bas  Name: Bas van der Vlies
Directory: /home/basShell: /usr/sara/bin/sorry.sh
On since Tue May  6 17:24 (CEST) on pts/1 from fun.ka.sara.nl (messages
off)
No mail.
No Plan.
}}}

Is this a bug or is my configuration wrong?

Regards


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.8-sara2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libnss-ldapd depends on:
ii  debconf [debconf-2.0]  1.5.11etch1   Debian configuration management sy
ii  libc6  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libkrb53   1.4.4-7etch5  MIT Kerberos runtime libraries
ii  libldap2   2.1.30-13.3   OpenLDAP libraries
ii  libsasl2-2 2.1.22.dfsg1-8Authentication abstraction library

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap   180-1.7Pluggable Authentication Module al
pn  nscd   (no description available)

-- debconf information:
  libnss-ldapd/ldap-bindpw: (password omitted)
  libnss-ldapd/ldap-rootbindpw: (password omitted)
  libnss-ldapd/ldap-base: dc=hpcv,dc=sara,dc=nl
  libnss-ldapd/nsswitch: netgroup
  libnss-ldapd/ldap-binddn:
  libnss-ldapd/ldap-rootbinddn:
  libnss-ldapd/ldap-uris: ldaps://cua.irc.sara.nl ldaps://ldap.cua.sara.nl



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#465586: cfengine2: Bug in the Debian cfengine package section

2008-02-14 Thread Bas van der Vlies 

Morten Werner Forsbring wrote:

Bas van der Vlies <[EMAIL PROTECTED]> writes:


When i want to install deb packages with cfengine2 it will always install
the package with statements like:

package:
  ipython action=install


Can you please elaborate a bit? What do you expect and what does
happen / not happen?



ofcourse

I just want that the ipython package is installed. It will install the 
package, but with out this patch it will install everytime cfengine is run:


dpkg -l ipython:
 ii  ipython0.7.2-5enhanced interactive Python shell

now i run cfagent:
*
 Main Tree Sched: packages pass 1 @ Thu Feb 14 09:05:58 2008
*

Package: ipython
Something impossible happened... ('grep' exited abnormally).
Package manager will be invoked as /etc/cfengine/global/debian/install_pkg
BuildCommandLine(): Adding package 'ipython' to the list.
cfengine:ldapn1: Installing package(s) using 
'/etc/cfengine/global/debian/install_pkg ipython'



This patch fixes 3 things we do not get this line anymore:
 - Something impossible happened... ('grep' exited abnormally).
 - And does try to install the package again
 - i can now also remove packages without specifying a version
   packages:
ipython action=remove

   gives an error:
package: ipython
Something impossible happened... ('grep' exited abnormally).


Just to make clear this line must be added:
 - if ((pp = cfpopen_sh(VBUFF, "r")) == NULL)



fix included:
-/*
- * HvB : Changed cfopen to cfopen_sh
-*/
-if ((pp = cfpopen_sh(VBUFF, "r")) == NULL)
+if ((pp = cfpopen (VBUFF, "r")) == NULL)
{
Verbose ("Could not execute APT-command (apt-cache policy).\n");
return 0;
@@ -768,7 +765,6 @@


In the next email to this bug you say:


The patch must be cfpopen must be replace by cfpopen_sh ;-)


So what you want is the following,

| diff -ruN cfengine-2.2.3.orig/src/package.c
| cfengine-2.2.3/src/package.c
| --- cfengine-2.2.3.orig/src/package.c   2007-11-21 18:20:01.0 +0100
| +++ cfengine-2.2.3/src/package.c2008-02-13 23:13:13.0 +0100
| @@ -734,7 +734,7 @@
|  snprintf (VBUFF, CF_BUFSIZE, "/usr/bin/apt-cache policy %s 2>&1 | grep -v " \
|"\"W: Unable to locate package \"", package);
|
| -if ((pp = cfpopen_sh(VBUFF, "r")) == NULL)
| +if ((pp = cfpopen (VBUFF, "r")) == NULL)
| {
| Verbose ("Could not execute APT-command (apt-cache).\n");
| return 0;

right?


- Werner



--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#465586: The patch is wrong

2008-02-13 Thread Bas van der Vlies 

Hello,

 The patch must be cfpopen must be replace by cfpopen_sh ;-)

Sorry for the confusion.

--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#465586: cfengine2: Bug in the Debian cfengine package section

2008-02-13 Thread Bas van der Vlies 
Package: cfengine2
Version: 2.2.3-2
Severity: important
Tags: patch



When i want to install deb packages with cfengine2 it will always install
the package with statements like:

package:
ipython action=install


fix included:
-/*
- * HvB : Changed cfopen to cfopen_sh
-*/
-if ((pp = cfpopen_sh(VBUFF, "r")) == NULL)
+if ((pp = cfpopen (VBUFF, "r")) == NULL)
{
Verbose ("Could not execute APT-command (apt-cache policy).\n");
return 0;
@@ -768,7 +765,6 @@


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.22.5-sara1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages cfengine2 depends on:
ii  debconf [debconf-2.0] 1.4.30.13  Debian configuration management sy
ii  debianutils   2.8.4  Miscellaneous utilities specific t
ii  libc6 2.3.2.ds1-22sarge6 GNU C Library: Shared libraries an
ii  libdb4.2  4.2.52-18  Berkeley v4.2 Database Libraries [
ii  libssl0.9.7   0.9.7e-3sarge5 SSL shared libraries
ii  perl  5.8.4-8sarge6  Larry Wall's Practical Extraction 

-- debconf information:
  cfengine2/run_cfservd: true
  cfengine2/run_cfexecd: true
  cfengine2/run_cfenvd: true



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#422242: /usr/bin/qprof has shell syntax errors

2007-05-04 Thread Bas van der Vlies 
Package: qprof
Version: 0.5.2-4
Severity: important
Tags: patch


the shell script /usr/bin/qprof has syntax erros from some options. It
has a space what is not allowed in shell syntax, eg:
 QPROF_BUFFER_SIZE= ${OPTARG}

--- /usr/bin/qprof  2006-10-29 04:12:35.0 +0100
+++ qprof   2007-05-04 15:28:28.0 +0200
@@ -26,7 +26,7 @@
   r) export QPROF_REAL=1 ;;
   v) export QPROF_VIRTUAL=1 ;;
   i) export QPROF_INTERVAL=${OPTARG} ;;
-  b) export QPROF_BUFFER_SIZE= ${OPTARG} ;;
+  b) export QPROF_BUFFER_SIZE=${OPTARG} ;;
   g) 
  case ${OPTARG} in
  function|line|instruction) export QPROF_GRANULARITY=${OPTARG};;
@@ -41,7 +41,7 @@
   e) export QPROF_HW_EVENT=${OPTARG} ;;
   o) export QPROF_FILE=${OPTARG} ;;
   s) export QPROF_STACK=1 ;;
-  q) export QDIR= ${OPTARG} ;;
+  q) export QDIR=${OPTARG} ;;
   *) echo "Invalid option."
 exit 1;;
   esac


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.11-sara1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages qprof depends on:
ii  libc6   2.3.6.ds1-13 GNU C Library: Shared libraries

qprof recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#401048: The version of systemconfigurator is out dated

2006-11-30 Thread Bas van der Vlies 


On Nov 30, 2006, at 5:20 PM, dann frazier wrote:


severity 401048 wishlist
thanks

On Thu, Nov 30, 2006 at 03:40:00PM +0100, Bas van der Vlies wrote:

Package: systemconfigurator
Version: 2.0.10-1
Severity: important


requests for version updates are wishlist


oke


This version is being replaced by 2.2.2 and that version is released
in march 2005. Can this old version be updated to this release?


Though this version difference looks large, it actually isn't very
significant - 2.2.0 & 2.2.1 were never released, and the 2.0.10
debian package included the few debian-specific changes that were
added in upstream 2.2.2.

Thanks for the info. I did not check that. I only saw the version  
mismatch ;-)




--
Bas van der Vlies
[EMAIL PROTECTED]





--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#401048: The version of systemconfigurator is out dated

2006-11-30 Thread Bas van der Vlies 
Package: systemconfigurator
Version: 2.0.10-1
Severity: important

This version is being replaced by 2.2.2 and that version is released
in march 2005. Can this old version be updated to this release?


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.29-xen-sara3
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages systemconfigurator depends on:
ii  libappconfig-perl 1.56-2 Perl module for configuration file
ii  libnet-netmask-perl   1.9012-2   parse, manipulate and lookup IP ne
ii  perl  5.8.8-6.1  Larry Wall's Practical Extraction 

systemconfigurator recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#397882: cpu: Enhancement to support inetOrgPerson Schema

2006-11-10 Thread Bas van der Vlies 
Package: cpu
Version: 1.4.3-8
Severity: wishlist
Tags: patch


I use the following classes for a user:
 USER_OBJECT_CLASS  = inetOrgPerson,posixAccount,top
 USER_CN_STRING = cn


We use also phpldapadmin package for creating users. So we have
a command line utility and graphical one. 

Standard cpu uses the unix account name (uid) as RDN. This works as
desired if we also set USER_CN_STRING to uid.

At our site we use 'cn' as RDN and then cpu fails because it use the unix
account name to add/modify/delete the user.

I have added an extra option to cpu:
 -C /--cn_value=

When set use this value voor cn,, eg:
cpu usermod -cn_value "Bas van der Vlies" bas

Now it uses cn="Bas van der Vlies" insetad of cn="bas" as RDN.

Here are the patches:
Index: trunk/cpu/src/include/plugins/ldap/ldap.h
===
--- trunk/cpu/src/include/plugins/ldap/ldap.h (revision 2393)
+++ trunk/cpu/src/include/plugins/ldap/ldap.h (revision 2397)
@@ -91,4 +91,5 @@
   char *  dn;
   char *  cn;
+  char *  cn_value;  /* HvB hack use this value for cn */
   char *  gid;
   char *  exec;  /* post {un}install exec script */
Index: trunk/cpu/src/plugins/ldap/commandline.c
===
--- trunk/cpu/src/plugins/ldap/commandline.c (revision 2396)
+++ trunk/cpu/src/plugins/ldap/commandline.c (revision 2397)
@@ -42,4 +42,5 @@
 {"addfile", 1, 0, 'a'},
 {"cn", 1, 0, 'A'},
+{"cn_value", 1, 0, 'C'},
 {"userbase", 1, 0, 'b'},
 {"groupbase", 1, 0, 'B'},
@@ -328,4 +329,6 @@
  break;
  case 'C':
+ globalLdap->cn_value = strdup (optarg);
+ break;
  case 'M':
  default:
@@ -761,6 +764,17 @@
 }
   if (operation != CAT)
+{
+/* HvB 
 globalLdap->dn = buildDn ((operation > 2) ? GROUPADD : USERADD,
  globalLdap->passent->pw_name);
+*/
+globalLdap->dn = buildDn ((operation > 2) ? GROUPADD : USERADD, 
+   ldapGetCn());
+
+/* HvB */
+#if DEBUG
+printf("HvB globalLdap->dn = %s\n", globalLdap->dn);
+#endif
+}
 
   if (globalLdap->add_file != NULL)
@@ -878,5 +892,6 @@
   "\t-2, -2   : If specified, use LDAPv2\n"
   "\t-a addfile, --addfile=file   : File to use for additional 
attrs\n"
-  "\t-A cn, --cn=cn   : Comman Name Prefix\n"
+  "\t-A cn, --cn=cn   : Comman Name Prefix (cn)\n"
+  "\t-C , --cn_value=value  : Use this value in LDAP 
query cn=value\n"
   "\t-b base, --userbase=base : Base DN for users\n"
   "\t-B group_base, --groupbase=base  : Base DN for groups\n"
Index: trunk/cpu/src/plugins/ldap/ld.c
===
--- trunk/cpu/src/plugins/ldap/ld.c (revision 2393)
+++ trunk/cpu/src/plugins/ldap/ld.c (revision 2397)
@@ -438,5 +438,9 @@
   char *temp;
 
-  if (globalLdap->first_name && globalLdap->last_name)
+  if (globalLdap->cn_value)
+{
+  temp = globalLdap->cn_value;
+}
+  else if (globalLdap->first_name && globalLdap->last_name)
 {
   slen =
@@ -456,4 +460,7 @@
 temp = globalLdap->passent->pw_name;
 
+#ifdef DEBUG
+  printf("HvB ldapGetCn value = %s\n", temp);
+#endif
   return temp;
 }
Index: trunk/cpu/src/plugins/ldap/user.c
===
--- trunk/cpu/src/plugins/ldap/user.c (revision 2393)
+++ trunk/cpu/src/plugins/ldap/user.c (revision 2397)
@@ -33,4 +33,7 @@
 ldapUserAdd (LDAP * ld)
 {
+#ifdef DEBUG
+  fprintf(stderr, "HvB dn = %s\n", globalLdap->dn); 
+#endif
   if (ldapUserCheck (LDAP_MOD_ADD, ld) < 0)
 {
@@ -38,4 +41,5 @@
   return -1;
 }
+
   if (ldap_add_s (ld, globalLdap->dn, userMod) != LDAP_SUCCESS)
 {
@@ -66,4 +70,7 @@
 {
   newdn = buildDn (USERMOD, globalLdap->new_username);
+  /*
+  printf("HvB newdn = %s\n", newdn);
+  */
   if (newdn == NULL)
return -1;
@@ -80,4 +87,7 @@
   globalLdap->passent->pw_name = globalLdap->new_username;
   newdn = buildDn (USERADD, globalLdap->new_username);
+  /*
+  printf("HvB newdn = %s\n", newdn);
+  */
   globalLdap->dn = newdn;
 }



-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.13.2-sara1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#331639: portmap: Command line options suggestions

2005-10-04 Thread Bas van der Vlies 
Package: portmap
Version: 5-9
Severity: wishlist

Portmap can handle the '-i' option. You have to specify an address.
Personally i want to specify an interface instead of an ip-address, eg:
 -i eth0

You can only specifiy one address. It is more convieniant to specify 
multiple addresses or interfaces:
 -i eth0 -i lo0

So that it easily yo setup an NIS-server that only listents to those
interfaces and not others.

Another handy option is the '-x' to exclude interfaces/ip-address for
binding:
-x eth1


Regards

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.13.2-fs
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages portmap depends on:
ii  libc6   2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libwrap07.6.dbs-8Wietse Venema's TCP wrappers libra

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#329371: acknowledged by developer (Re: Bug#329371: nis: ypbind/ypserv and broadcast option)

2005-09-27 Thread Bas van der Vlies 

Mark Brown wrote:

On Mon, Sep 26, 2005 at 07:43:07PM +0200, Bas van der Vlies wrote:





Could you try configuring hosts.{allow,deny} for portmap to prevent
access to portmap via the infiniband network (if that is possible).
Doing something like:

   portmap: 192.168.

in hosts.allow and

   pormap: ALL

in hosts.deny on the servers should I think do the trick (again,
untested so this may not work).



Thanks for all the info. With this the client messages are gone. So your 
idea about the portmap daemon is true ;-) Is this an feature or a bug in 
the pormap daemon? The portmap daemon hsa an option to listen to an 
interface but you can only list one interface ;-(


I now only get the ypserv: refused connect from 10.0.17.130 this i can 
not prevent because this is a NIS-server and in the ypbind.conf:

 ypserver localhost

Is this also related to portmap or does ypbind secretly an broadcast 
what triggers the same bug/feature as above.


Regards







--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#329371: acknowledged by developer (Re: Bug#329371: nis: ypbind/ypserv and broadcast option)

2005-09-26 Thread Bas van der Vlies 

Mark Brown wrote:

On Fri, Sep 23, 2005 at 09:04:19AM +0200, Bas van der Vlies wrote:


After reading your mail i have now configured both ypserv files: (see 
attachments)



OK, I'm stumped.  Your securenets configuration looks like it will do
what you're looking for and the ypserv logs you provided in the other
report appear to show it doing just what you asked for.  Would it be
possible for you to capture trace of ypbind finding the wrong server?

After an day of debugging and restarting some servers. I have a strace 
of binding to the wrong server. Hopefully t is enough.


gb-r8n1# ypwhich
ib-r7n15.irc.sara.nl
gb-r8n1# ypcat passwd
No such map passwd.byname. Reason: Internal NIS error


ypserv.securenets:
# Always allow access for localhost
255.0.0.0   127.0.0.0

# Only 192.168.160.0 network
#
255.255.252.0   192.168.16.0
~

ypserv.conf:
# This is the default - restrict access to the shadow password file,
# allow access to all others.
*: *   : shadow.byname: port
*: *   : passwd.adjunct.byname : port

# Default access is allow everybody on each interface
#*: *   : *: none

# New SARA syntax from Debian NIS maintainer, BvdV thanks
#
127.0.0.1   : * : * : none
192.168.16.0/255.255.252.0  : * : * : none
#10.0.16.0/255.255.252.0: * : * : none

# This an bug in ypbind localhost, so list all ypservers
#
10.0.17.130 : * : * : none
145.100.29.212  : * : * : none
145.100.29.214  : * : * : none

# Deny the rest
#
*   : * : * : deny


Regards



--
--

*      *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

Pinging all active server.
[{fd=4, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND, 
revents=POLLIN|POLLRDNORM}, {fd=5, 
events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 2, -1) = 1
recvmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(845), 
sin_addr=inet_addr("127.0.0.1")}, 
msg_iov(1)=[{"}\321UV\0\0\0\0\0\0\0\2\0\1\206\247\0\0\0\2\0\0\0\1\0\0"..., 
8800}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, ...}, 
msg_flags=0}, 0) = 52
write(2, "ypbindproc_domain_2_svc (elsacaf"..., 34ypbindproc_domain_2_svc 
(elsacafe)) = 34
write(2, "\n", 1
)   = 1
write(2, "Pinging all active server.", 26Pinging all active server.) = 26
write(2, "\n", 1
)   = 1
sendto(7, "%$e\202\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0\1\0\0"..., 52, 0, 
{sa_family=AF_INET, sin_port=htons(666), sin_addr=inet_addr("192.168.16.19")}, 
16) = 52
poll([{fd=7, events=POLLIN, revents=POLLERR}], 1, 1000) = 1
recvmsg(7, {msg_name(16)={sa_family=AF_INET, sin_port=htons(666), 
sin_addr=inet_addr("192.168.16.19")}, 
msg_iov(1)=[{"%$e\202\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0\1\0\0"..., 
52}], msg_controllen=44, {cmsg_len=44, cmsg_level=SOL_IP, cmsg_type=, ...}, 
msg_flags=MSG_ERRQUEUE}, MSG_ERRQUEUE) = 52
write(2, "Server for domain \'elsacafe\' doe"..., 44Server for domain 
'elsacafe' doesn't answer.) = 44
write(2, "\n", 1
)   = 1
close(7)= 0
write(2, "do_broadcast() for domain \'elsac"..., 46do_broadcast() for domain 
'elsacafe' is called) = 46
write(2, "\n", 1
)   = 1
uname({sys="Linux", node="ib-r8n1.irc.sara.nl", ...}) = 0
geteuid32() = 0
getegid32() = 0
getgroups32(32, [0])= 1
gettimeofday({1127756111, 931571}, NULL) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 6
setsockopt(6, SOL_SOCKET, SO_BROADCAST, [1], 4) = 0
ioctl(6, SIOCGIFCONF, {96, {{"lo", {AF_INET, inet_addr("127.0.0.1")}}, {"ib0", 
{AF_INET, inet_addr("10.0.17.135")}}, {"eth0", {AF_INET, 
inet_addr("192.168.17.135")) = 0
ioctl(6, SIOCGIFFLAGS, 0xbfd08f1c)  = 0
ioctl(6, SIOCGIFFLAGS, 0xbfd08f1c)  = 0
ioctl(6, SIOCGIFBRDADDR, 0xbfd08f1c)= 0
ioctl(6, SIOCGIFFLAGS, 0xbfd08f1c)  = 0
ioctl(6, SIOCGIFBRDADDR, 0xbfd08f1c)= 0
sendto(6, "_\256\177o\0\0\0\0\0\0\0\2\0\1\206\240\0\0\0\2\0\0\0\5"..., 112, 0,

Bug#329382: nis: ypbind and honor ypserver localhost

2005-09-26 Thread Bas van der Vlies 

Mark Brown wrote:

On Fri, Sep 23, 2005 at 08:49:31AM +0200, Bas van der Vlies wrote:


I have run ypserv in debug mode: Personally i find the securenet line 
strange.



There was a bug in the logging which I believe has since been fixed.



ypproc_domain_nonack("elsacafe") [From: 10.0.17.130:3127]
refused connect from 10.0.17.130
   -> OK.



This is the ypbind process on the local machine looking for a server as
far as I can tell rather than something that the server is doing for
itself.  This is perfectly normal behaviour if it is configured to
broadcast for a server except that once it's found a server it's really
not supposed to broadcast again (though if you stop and start ypserv to
turn on debugging it is of course possible for this to happen).

In an earlier mail you wrote:



This is the ib0 interface. I have also tried the "-local-only" flag for
ypbind but that did not stop the messages.



-local-only affects the RPC services offered by ypbind rather than how
it communicates with the server.

The upshot of all this is that as far as I can see ypserv itself is
doing what's asked of it: it's knocking back discovery attempts from a
broadcasting ypbind as asked.  The only question I can see is why ypbind
is trying to discover a server.



This is an trace about the yserver/ybind localhost:

syslog:
  Sep 26 15:02:19 gb-r7n15 ypserv[3416]: refused connect from
  10.0.17.130:1056 to procedure ypproc_domain_nonack (elsacafe,;0)

If i stop ypbind it does not show this message. Just to make sure it is 
ypbind.


ypserv (strace -p 3416 2>&1 | grep 10.0.17.120)
 sendmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1056), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"8\362S-\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1"..., 
28}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 28
recvmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1056), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"i\326\352\372\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0"..., 
8800}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 92
sendmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1056), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"i\326\352\372\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
28}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 28
recvmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1056), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"w\301\230\36\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0"..., 
8800}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 96
sendmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1056), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"w\301\230\36\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
28}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 28
recvmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1057), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"kH\254\202\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0\2"..., 
8800}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 96
sendmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1057), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"kH\254\202\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
28}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 28
recvmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1057), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"1$\27F\0\0\0\0\0\0\0\2\0\1\206\244\0\0\0\2\0\0\0\2\0\0"..., 
8800}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 92
sendmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(1057), 
sin_addr=inet_addr("10.0.17.130")}, 
msg_iov(1)=[{"1$\27F\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1"..., 
28}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, 
...}, msg_flags=0}, 0) = 28


ypbind:
  see attachement



--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

execve("/usr/sbin/ypbind", ["ypbind&quo

Bug#329371: acknowledged by developer (Re: Bug#329371: nis: ypbind/ypserv and broadcast option)

2005-09-23 Thread Bas van der Vlies 

Mark Brown wrote:

On Thu, Sep 22, 2005 at 02:49:10PM +0200, Bas van der Vlies wrote:


It is still an bug and maybe it is correlated with the other one. Or can 
nis not handle two interfaces  with broadcast mode?



Could you please describe your entire current configuration, including
the ypserv.conf and ypserv.securenets from the server and the
ypbind.conf from the client?  Feel free to send them by private e-mail
if you are concerned about having the entire configuration appear in the
bug log.

Oke we have an cluster of 275 nodes and all nodes has two internal 
networks:

 eth0 -  system administration network
 ib0  - infiniband network for MPI-programs

I have serveral NIS-servers and it is dynamic, we can add or remove 
servers. That is why i want the broadcast option.


The eth0 (192.168.16.0) is allowed to connect to the NIS-servers and ib0 
( 10.0.168.0 ) not.


The hostname of the machine is the ib-interface.

After reading your mail i have now configured both ypserv files: (see 
attachments)

 - ypserv.conf
 - ypserv.securenets



To be honest, you're probably better off explicitly configuring the
server or servers to use on the clients than trying to use the broadcast
option.  This is especially true given that you're running on stable and
something like this is unlikely to be addressed in the stable release
(though of course if we can work out what's going on it will be looked
at for the next release).

 I will consider it. As the remark about Debian stable we usually 
backport programs from testing/unstable to Sarge if it fixes errors or 
improves functionality.


Regards


PS) I have run in ypserv in debug mode zie bug Bug#329382



--
--

*          *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

#
# ypserv.conf   In this file you can set certain options for the NIS server,
#   and you can deny or restrict access to certain maps based
#   on the originating host.
#
#   See ypserv.conf(5) for a description of the syntax.
#

# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.

# Host   : Domain  : Map  : Security
#
# *  : *   : passwd.byname: port/mangle   
# *  : *   : passwd.byuid : port/mangle   

# This is the default - restrict access to the shadow password file,
# allow access to all others.
*: *   : shadow.byname: port
*: *   : passwd.adjunct.byname : port

# Default access is allow everybody on each interface
#*: *   : *: none

# New SARA syntax from Debian NIS maintainer, BvdV thanks
#
127.0.0.1   : * : * : none
192.168.16.0/255.255.252.0  : * : * : none
#10.0.16.0/255.255.252.0: * : * : none

# This an bug in ypbind localhost, so list all ypservers
#
#10.0.17.130: * : * : none
145.100.29.212  : * : * : none
145.100.29.214  : * : * : none

# Deny the rest
#
*   : * : * : deny
#
# securenetsThis file defines the access rights to your NIS server
#   for NIS clients (and slave servers - ypxfrd uses this
#   file too). This file contains netmask/network pairs.
#   A clients IP address needs to match with at least one
#   of those.
#
#   One can use the word "host" instead of a netmask of
#   255.255.255.255. Only IP addresses are allowed in this
#   file, not hostnames.
#
# USE ypserv.conf this file does NOT work for US BvdV 22/Sep/2005
#
# Always allow access for localhost
255.0.0.0   127.0.0.0

# And the eth0 network
#
255.255.252.0   192.168.16.0

Bug#329371: acknowledged by developer (Re: Bug#329371: nis: ypbind/ypserv and broadcast option)

2005-09-22 Thread Bas van der Vlies 

Mark,



 I have switched from ypserv.securenets to ypserv.conf and the problem 
still exists ;-( The ypbind broadcast clients gets once in an while the 
wrong nis server name and uses an interface that is not allowed in the 
ypserv.conf, eg:


gb-r7n15 (192.168.17.130) and ib-r7n15 (10.0.17.130)
# New SARA syntax from Debian NIS maintainer, BvdV thanks
#
127.0.0.1   : * : * : none
192.168.16.0/255.255.252.0  : * : * : none

# Deny the rest
#
*   : * : * : deny

--- client broadcast, yp.conf:
domain elsacafe broadcast

On gb-r8n1 (192.168.17.135) en ib-r8n1 (10.0.17.135)

# /etc/init.d/nis restart
# ypwhich
ib-r7n15  <- This not allowed!!


Sylog gb-r7n15:
 Sep 22 14:40:01 gb-r7n15 ypserv[23579]: refused connect from
 10.0.17.135:997 to procedure ypproc_all (elsacafe,group.byname;-1)


It is still an bug and maybe it is correlated with the other one. Or can 
nis not handle two interfaces  with broadcast mode?



Regards
--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#329371: acknowledged by developer (Re: Bug#329371: nis: ypbind/ypserv and broadcast option)

2005-09-22 Thread Bas van der Vlies 

Debian Bug Tracking System wrote:



On our NIS servers we only allow binding to eth0 interface, ypserv.conf:
 # Always allow access for localhost
 255.0.0.0   127.0.0.0
 255.255.252.0   192.168.16.0 (eth0)



That's not the documented format for ypserv.conf.  It should say
something more like (untested, so it may need some modification):

  127.0.0.0/8:*:*:none
  192.168.16.0/255.255.252.0:*:*:none
  *:*:*:deny

for what you seem to be looking for.  Please see the manual page for
ypserv.conf or look at the commented entries in the default ypserv.conf
for examples.



The example you sent me works ;-) The only change is this line:
127.0.0.0/8:*:*:none must be 127.0.0.1:*:*:none

Thanks a lot it is an bit confusing that there are two config files 
where we can specify access rules. In one config it works as desired an 
in the other not. Will the ypserv.securenets file be obsoleted in the 
future?




Thanks a lot for the info
--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#329371: acknowledged by developer (Re: Bug#329371: nis: ypbind/ypserv and broadcast option)

2005-09-22 Thread Bas van der Vlies 

Debian Bug Tracking System wrote:


On Wed, Sep 21, 2005 at 02:53:54PM +0200, root wrote:



On our NIS servers we only allow binding to eth0 interface, ypserv.conf:
 # Always allow access for localhost
 255.0.0.0   127.0.0.0
 255.255.252.0   192.168.16.0 (eth0)



That's not the documented format for ypserv.conf.  It should say
something more like (untested, so it may need some modification):

  127.0.0.0/8:*:*:none
  192.168.16.0/255.255.252.0:*:*:none
  *:*:*:deny

for what you seem to be looking for.  Please see the manual page for
ypserv.conf or look at the commented entries in the default ypserv.conf
for examples.



Sorry but mentioned the wrong file i use 'ypserv.securenets'. I shall 
try your suggestion. For this file it is the right format but does not work.


Thanks


--
--

*          *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#329382: nis: ypbind and honor ypserver localhost

2005-09-21 Thread Bas van der Vlies 
Package: nis
Version: 3.13-2
Severity: normal

These host has also 2 network interfaces:
  eth0 192.168.17.130
  ib0  10.0.17.130
 
In /etc/yp.conf i have the following line
ypserver localhost

In ypserv.securenets:
 # Always allow access for localhost
  255.0.0.0   127.0.0.0

 # eth0 network 
 255.255.252.0   192.168.16.0


It binds to the localhost:
 # ypwhich
 localhost

In the syslog file i get a lot of message that i do not expect:
  Sep 21 15:45:05 gb-r7n15 ypserv[20744]: refused connect from
  10.0.17.130:2164 to procedure ypproc_domain_nonack (elsacafe,;0)

This is the ib0 interface. I have also tried the "-local-only" flag for
ypbind but that did not stop the messages.

-- Package-specific info:

NIS domain: elsacafe 


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11.11-sarahypt2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages nis depends on:
ii  debconf 1.4.30.13Debian configuration management sy
ii  libc6   2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libgdbm31.8.3-2  GNU dbm database routines (runtime
ii  libslp1 1.0.11a-2OpenSLP libraries
ii  make3.80-9   The GNU version of the "make" util
ii  netbase 4.21 Basic TCP/IP networking system
ii  portmap 5-9  The RPC portmapper
ii  sysvinit2.86.ds1-1   System-V like init

-- debconf information:
* nis/not-yet-configured:
* nis/domain: testcafe


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#302363: Can not update debian packages via cfrun/cfservd

2005-04-01 Thread Bas van der Vlies 
This ithe fix that i received from the cfengine mailing list. It is in 
the cfengine subversion  tree.

Diff for /trunk/src/popen.c between version 12 and 44
--- trunk/src/popen.c   2005/02/01 18:24:32 12
+++ trunk/src/popen.c   2005/03/10 21:07:35 44
@@ -75,6 +75,8 @@
 {
 return NULL;
 }
+
+ signal(SIGCHLD,SIG_DFL);
  if (pid == 0)
 {
--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#302363: Can not update debian packages via cfrun/cfservd

2005-04-01 Thread Bas van der Vlies 
I have found the problem in cfservd.c:
(i use kernel 2.6)
signal(SIGCHLD,SIG_IGN);
replaced it by:
/* HvB && WdJ */
signal(SIGCHLD,SIG_DFL);
Now i can update the packages on the node via cfrun/cfservd
--
--

*      *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#302363: cfengine2: Can not update debian packages via cfrun/cfservd

2005-03-31 Thread Bas van der Vlies 
Package: cfengine2
Version: 2.1.13-1
Severity: important


I am running an debian-testing cluster and i update the cluster with the
following commands on the client


control:
#cfrunCommand = ( "/usr/sbin/cfagent" )
cfrunCommand = ( "/etc/cfengine/cfagent.sh" )

An script Upgrade_debian:
 #!/bin/sh

 export DEBIAN_FRONTEND="noninteractive"

 apt-get update
 apt-get -y dist-upgrade
 apt-get clean




On the master node:
cfrun_nodes -DUPGRADE

This used to work with cfengine2 version 2.10. Now 2.13 is installed i
get the following errors:
::ade_debian: Get:33 ftp://ftp.sara.nl sarge/main xpdf 3.00-13 [1276B]
cfengine::ade_debian: Get:34 ftp://ftp.sara.nl sarge/main xpdf-utils 3.00-13 
[1239kB]
cfengine::ade_debian: Get:35 ftp://ftp.sara.nl sarge/main xpdf-reader 3.00-13 
[656kB]
cfengine::ade_debian: Get:36 ftp://ftp.sara.nl sarge/main xpdf-common 3.00-13 
[56.2kB]
cfengine::ade_debian: Get:37 ftp://ftp.sara.nl sarge/main udev 0.056-1 [244kB]
cfengine::ade_debian: Can't ignore signal CHLD, forcing to default.
cfengine::ade_debian: E: Waited, for /usr/sbin/dpkg-preconfigure --apt but it 
wasn't there
cfengine::ade_debian: E: Failure running script /usr/sbin/dpkg-preconfigure 
--apt
cfengine::ade_debian: Fetched 25.5MB in 4s (6270kB/s)
cfengine:: Finished script /etc/cfengine/cf_files/scripts/Upgrade_debian


For the completness the error is:  
Can't ignore signal CHLD, forcing to default


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.6-sara1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages cfengine2 depends on:
ii  debconf 1.4.30.11Debian configuration management sy
ii  debianutils 2.8.4Miscellaneous utilities specific t
ii  libc6   2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libdb4.24.2.52-18Berkeley v4.2 Database Libraries [
ii  libssl0.9.7 0.9.7e-2 SSL shared libraries
ii  perl5.8.4-8  Larry Wall's Practical Extraction 

-- debconf information:
  cfengine2/run_cfservd: true
  cfengine2/run_cfexecd: true
  cfengine2/run_cfenvd: true


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#296870: acknowledged by developer (Bug#296870: fixed in cfengine2 2.1.13-1)

2005-03-21 Thread Bas van der Vlies 
Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report
#296870: cfengine2: can not handle files greater then 2GB,
which was filed against the cfengine2 package.
It has been closed by one of the developers, namely
Morten Werner Olsen <[EMAIL PROTECTED]>.
Their explanation is attached below.  If this explanation is
unsatisfactory and you have not received a better one in a separate
message then please contact the developer, by replying to this email.
Debian bug tracking system administrator
(administrator, Debian Bugs database)
Received: (at 296870-close) by bugs.debian.org; 21 Mar 2005 17:08:14 +
From [EMAIL PROTECTED] Mon Mar 21 09:08:14 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DDQNy-0002ak-00; Mon, 21 Mar 2005 09:08:14 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DDQI5-0005dy-00; Mon, 21 Mar 2005 12:02:09 -0500
From: Morten Werner Olsen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#296870: fixed in cfengine2 2.1.13-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 21 Mar 2005 12:02:09 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: cfengine2
Source-Version: 2.1.13-1
We believe that the bug you reported is fixed in the latest version of
cfengine2, which is due to be installed in the Debian FTP archive:
cfengine2-doc_2.1.13-1_all.deb
  to pool/main/c/cfengine2/cfengine2-doc_2.1.13-1_all.deb
cfengine2_2.1.13-1.diff.gz
  to pool/main/c/cfengine2/cfengine2_2.1.13-1.diff.gz
cfengine2_2.1.13-1.dsc
  to pool/main/c/cfengine2/cfengine2_2.1.13-1.dsc
cfengine2_2.1.13-1_i386.deb
  to pool/main/c/cfengine2/cfengine2_2.1.13-1_i386.deb
cfengine2_2.1.13.orig.tar.gz
  to pool/main/c/cfengine2/cfengine2_2.1.13.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Morten Werner Olsen <[EMAIL PROTECTED]> (supplier of updated cfengine2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Format: 1.7
Date: Mon, 21 Mar 2005 16:29:15 +0100
Source: cfengine2
Binary: cfengine2-doc cfengine2
Architecture: source i386 all
Version: 2.1.13-1
Distribution: unstable
Urgency: medium
Maintainer: Andrew Stribblehill <[EMAIL PROTECTED]>
Changed-By: Morten Werner Olsen <[EMAIL PROTECTED]>
Description: 
 cfengine2  - Tool for configuring and maintaining network machines
 cfengine2-doc - HTML and Info documentation for cfengine2
Closes: 290943 296870
Changes: 
 cfengine2 (2.1.13-1) unstable; urgency=medium
 .
   * New upstream release.
  * Fixes cfagent problem with missing update.conf. Closes: #290943
   * Removed patches/100_strlcpy_create.
   * Now compiling with the -D_FILE_OFFSET_BITS=64. Closes: #296870
   * Changed build-depends from automake1.8 to automake1.9.
Just to inform you the HostRange bug is also fixed by 2.1.13.
Bug #291986 can be closed
--
--

*                  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#296870: cfengine2: can not handle files greater then 2GB

2005-03-02 Thread Bas van der Vlies 
Andrew Stribblehill wrote:
Quoting Bas van der Vlies <[EMAIL PROTECTED]> (2005-02-25 10:55:41 GMT):
Package: cfengine2
Version: 2.1.11-1
Severity: important
In our environment we tidy up directories after the completion of an
job. This fails because we have files  greater then 2GB. We get these
error message:
can't stat 8gr8_add.prededisp 
  (/scratch/bws-data/200404792/8gr8/124/125/8gr8_add.prededisp)

This can be solved by recompiling cfengine with LARGE_FILE_SUPPORT:
-D_FILE_OFFSET_BITS=64
Can this be fixed?

Sure. Can you send me a patch, just to show me precisely where to
apply this -D flag?
Thanks.
Here it is:
 Using LFS
For using LFS in user programs, the programs have to use the LFS API. 
This involves recompilation and changes of programs. The API is 
documented in the glibc manual (the libc info pages) which can be read 
with e.g. "info libc".

In a nutshell for using LFS you can choose either of the following:
* Compile your programs with "gcc -D_FILE_OFFSET_BITS=64". This 
forces all file access calls to use the 64 bit variants. Several types 
change also, e.g. off_t becomes off64_t. It's therefore important to 
always use the correct types and to not use e.g. int instead of off_t. 
For portability with other platforms you should use getconf LFS_CFLAGS 
which will return -D_FILE_OFFSET_BITS=64 on Linux platforms but might 
return something else on e.g. Solaris. For linking, you should use the 
link flags that are reported via getconf LFS_LDFLAGS. On Linux systems, 
you do not need special link flags.
* Define _LARGEFILE_SOURCE and _LARGEFILE64_SOURCE. With these 
defines you can use the LFS functions like open64 directly.
* Use the O_LARGEFILE flag with open to operate on large files.

And here s an link to the documentation:
http://www.suse.de/~aj/linux_lfs.html
--
--

*                  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#296870: cfengine2: can not handle files greater then 2GB

2005-02-25 Thread Bas van der Vlies 
Package: cfengine2
Version: 2.1.11-1
Severity: important


In our environment we tidy up directories after the completion of an
job. This fails because we have files  greater then 2GB. We get these
error message:
can't stat 8gr8_add.prededisp 
   (/scratch/bws-data/200404792/8gr8/124/125/8gr8_add.prededisp)

This can be solved by recompiling cfengine with LARGE_FILE_SUPPORT:
-D_FILE_OFFSET_BITS=64

Can this be fixed?

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-dell9
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages cfengine2 depends on:
ii  debconf 1.4.30.11Debian configuration management sy
ii  debianutils 2.8.4Miscellaneous utilities specific t
ii  libc6   2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libdb4.24.2.52-18Berkeley v4.2 Database Libraries [
ii  libssl0.9.7 0.9.7e-2 SSL shared libraries
ii  perl5.8.4-6  Larry Wall's Practical Extraction 

-- debconf information:
  cfengine2/run_cfservd: true
  cfengine2/run_cfexecd: true
  cfengine2/run_cfenvd: true


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#294032: debconf: Cannot install/update packages via cfrun/cfengine

2005-02-08 Thread Bas van der Vlies 
I have fixed it cfservd was running directly the binary 
/usr/sbin/cfagent. I have replace this by an shellscript:
  /etc/cfengine/cfagent.sh

This works because the shellscript has its own file descriptors.
Regards
--
--

*  *
*  Bas van der Vlies e-mail: [EMAIL PROTECTED]  *
*  SARA - Academic Computing Servicesphone:  +31 20 592 8012   *
*  Kruislaan 415 fax:+31 20 6683167*
*  1098 SJ Amsterdam   *
*  *

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#294032: debconf: Cannot install/update packages via cfrun/cfengine2

2005-02-07 Thread Bas van der Vlies 
Package: debconf
Version: 1.4.30.11
Severity: important


I currently run an 275 node debian cluster and i cannot install/upgrade
packages on the iwhole system anymore. The way i do it is via cfengine/cfrun.
So there is no tty's attached to the session. When i login on a node 
via ssh everything works as expected.

The following command was enough to update the whole cluster (Used by us
for several years):
   cfrun_nodes -DUPGRADE

UPGRADE is translated to this script:
  export DEBIAN_FRONTEND="noninteractive"
  apt-get update
  apt-get -y dist-upgrade
  apt-get clean

This fails with the following error message: (cfrun_nodes one
-DUPGRADE):
 cfengine::ade_debian: D02: fork/exec 
/var/lib/dpkg/info/flex.postinst ( )
 cfengine::ade_debian: ++ '[' '!' 1 ']'
 cfengine::ade_debian: ++ '[' -z 1 ']'
 cfengine::ade_debian: + db_capb
 cfengine::ade_debian: + _db_cmd 'CAPB '
 cfengine::ade_debian: + echo 'CAPB '
 cfengine::ade_debian: /var/lib/dpkg/info/flex.postinst: line 35: 3: Bad
   file descriptor


I have adjusted the upgrade script and add this line:
  unset DEBCONF_REDIR

Then this error is displayed:
cfengine::ade_debian: D02: fork/exec
 /var/lib/dpkg/info/flex.postinst ( )
 cfengine::ade_debian: ++ '[' '!' 1 ']'
 cfengine::ade_debian: ++ '[' -z '' ']'
 cfengine::ade_debian: ++ exec
 cfengine::ade_debian: ++ DEBCONF_REDIR=1
 cfengine::ade_debian: ++ export DEBCONF_REDIR
 cfengine::ade_debian: + db_capb
 cfengine::ade_debian: + _db_cmd 'CAPB '
 cfengine::ade_debian: + echo 'CAPB '
 cfengine::ade_debian: CAPB
 cfengine::ade_debian: + local 'IFS=
 cfengine::ade_debian: '
 cfengine::ade_debian: + local _LINE
 cfengine::ade_debian: + read -r _LINE
 cfengine::ade_debian: dpkg: error while cleaning up:
 cfengine::ade_debian:  subprocess post-installation script returned
error exit status 1

This hangs in the read -r _LINE. I have these errors for all the
packages that used debconf.  Is this an bug or did i miss something?

Regards



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-dell9
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages debconf depends on:
ii  debconf-i18n  1.4.30.11  full internationalization support 
ii  perl-base 5.8.4-5The Pathologically Eclectic Rubbis

-- debconf information:
* debconf/frontend: Noninteractive
* debconf/priority: critical


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#291986: cfengine2: HostRange bug

2005-01-24 Thread Bas van der Vlies 
Package: cfengine2
Version: 2.1.10-2
Severity: normal


HostRange fails with multiple digits in hostname, eg: gb-r7n15

groups:
TEST_CLUSTER = HostRange(gb-r7n,15-19) )


control:
actionsequence = ( shellcommands )


shellcommands:
TEST_CLUSTER::
"/bin/echo yes"


-

On host gb-r7n15 it will fail because the function FuzzyHostMatch
determines the wrong basename for this host: gb-r instead of gb-r7n.

This causes the function to exit and not set the class TEST_CLUSTER.

Here is the patch that solves the problem:

diff -ruN cfengine-2.1.10-old/src/item.c cfengine-2.1.10/src/item.c
--- cfengine-2.1.10-old/src/item.c  2004-08-13 10:59:52.0 +0200
+++ cfengine-2.1.10/src/item.c  2005-01-24 14:06:18.0 +0100
@@ -1039,6 +1039,7 @@
   Debug("SRDEBUG in FuzzyHostMatch(): %s vs %s\n",s2,s1);
   args = SplitStringAsItemList(s1,',');
   sp = s2;
+  char host_basename[CF_MAXVARSIZE];
   
   for (sp = s2+strlen(s2)-1; sp > s2; sp--)
  {
@@ -1060,40 +1061,34 @@
  }
   sscanf(sp,"%ld",&cmp);
   Debug("SRDEBUG extracted int %d\n",cmp,sp);
-  
+
+  /* HvB basename is */
+  strncpy(host_basename, s2, strlen(s2) - strlen(sp));
+  Debug("SRDEBUG host basename is  %s\n",host_basename,sp);
+
   if ( cmp < 0 )
  { 
  Debug("SRDEBUG FuzzyHostMatch() failed: %s doesn't have an int in it's 
domain name\n",s2);
  return 1;
  }
+
   sscanf(args->next->name,"%ld-%ld",&start,&end);
-  
   if ( cmp < start || cmp > end )
  { 
  Debug("SRDEBUG FuzzyHostMatch() failed: %ld is not in 
(%ld..%ld)\n",cmp,start,end);
  return 1;
  }
-  
   Debug("SRDEBUG FuzzyHostMatch() %s is in (%ld..%ld)\n",s2,start,end);
-  
-  for (sp = s2; sp < s2+strlen(s2); sp++ )
- {
- if ( isdigit((int)*sp) )
-{
-*sp = '\0';
-break;
-}
- }
-  Debug("SRDEBUG extracted basename %s\n",s2);
-  Debug("SRDEBUG basename check: %s vs %s...\n",s2,args->name);
-  
-  if ( strcmp(s2,args->name) != 0 )
+
+
+  Debug("SRDEBUG host basename check: %s vs %s...\n",host_basename,args->name);
+  if ( strcmp(host_basename,args->name) != 0 )
  {
  Debug("SRDEBUG FuzzyHostMatch() failed: basename %s does not match 
%s\n",s2,args->name);
  return 1;
  }
-
   Debug("SRDEBUG basename matches\n");
+
   Debug("SRDEBUG FuzzyHostMatch() succeeded\n");
   return 0;
 }



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1-dell9
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages cfengine2 depends on:
ii  debconf 1.4.30.11Debian configuration management sy
ii  debianutils 2.8.4Miscellaneous utilities specific t
ii  libc6   2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libdb4.24.2.52-17Berkeley v4.2 Database Libraries [
ii  libssl0.9.7 0.9.7e-2 SSL shared libraries
ii  perl5.8.4-5  Larry Wall's Practical Extraction 

-- debconf information excluded


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]