Re: ACL inheritance, group supervisors, rwX access
thus spoke Marc Schiffbauer [EMAIL PROTECTED] [2004.10.27.0037 +0200]:

That would indeed be a nice feature. How can I drop users CAPs on login? Are there such things as user capabilities without SELinux or GrSecurity or RSBAC?

--
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft [EMAIL PROTECTED]
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
long delays with LDAP nss/pam
We run a big cluster, managed by FAI, using LDAP and NFS to provide users with homogenous environments across all nodes. All machines run sarge, and slapd is tunnelled via SSL for security purposes. Read-only access to the passwd/group directory is anonymous. All nodes are running nscd.

While this worked beautifully last week, I returned this week to find everything taking ages. ls /home takes about 3 seconds before listing the directories (libnss apparently takes so long to map uid-login), even when there are only 10 directories at the moment (the cluster is still in beta). Furthermore, logging in takes between 2 and 10 seconds.

If I tune in to the slapd debug output, I can see it working big time and accessing millions of keys. This was not the case last week, or slapd was about 100 times faster then.

The only change I can remember was adding a new group and placing a bunch of people in there. This should not have the aforementioned effect really.

Has anyone experienced the above before? What could be the reason? How can I fix this?

Would this post have been better over at -user?

--
martin f. krafft [EMAIL PROTECTED]
Re: long delays with LDAP nss/pam
On Wed, 2004-10-27 at 17:43, martin f krafft wrote:
> [...]
> Has anyone experienced the above before? What could be the reason?
> How can I fix this?
> [...]

nscd stopped running?

Either that or your LDAP Indexes need tweaking.

--
Donovan Baarda [EMAIL PROTECTED]
http://minkirri.apana.org.au/~abo/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: long delays with LDAP nss/pam
thus spoke Donovan Baarda [EMAIL PROTECTED] [2004.10.27.0955 +0200]:
> nscd stopped running?

No, I think I verified that in all cases.

> Either that or your LDAP Indexes need tweaking.

Does anyone have a good set I could use as a basis. I am completely new to LDAP...

--
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft [EMAIL PROTECTED]
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
nscd: Was Re: long delays with LDAP nss/pam
On Wed, 2004-10-27 at 17:55, Donovan Baarda wrote:
> [...]
> nscd stopped running?

Sorry to subvert a thread like this, but has anyone else decided that nscd is pretty much essential for all systems, regardless of nss, or local nameservers?

It seems without it there is _no_ dns caching of any kind (except for apps like squid that explicitly have it). If you ping, every single ping packet triggers an nslookup. Even if you have a local caching name server, the UDP traffic on the loopback interface hurts. If you don't have a local dns cache, it really hurts.

Is there any reason why nscd should not be installed on a system?

--
Donovan Baarda [EMAIL PROTECTED]
http://minkirri.apana.org.au/~abo/
Re: nscd: Was Re: long delays with LDAP nss/pam
thus spoke Donovan Baarda [EMAIL PROTECTED] [2004.10.27.1007 +0200]:
> Is there any reason why nscd should not be installed on a system?

It's often a pain to use if you make frequent changes? It's got a weird caching policy that I can't seem to control the way I interpret it?

--
martin f. krafft [EMAIL PROTECTED]
Re: apt-get upgrade
On Mon, Oct 25, 2004 at 09:20:26AM +1300, Johnno wrote:
> dpkg package is install, any ideas?

One main suggestion: use an appropriate list, you are OT here.

--
Francesco P. Lovergine
Re: long delays with LDAP nss/pam
martin f krafft wrote:
> thus spoke Donovan Baarda [EMAIL PROTECTED] [2004.10.27.0955 +0200]:
>> nscd stopped running?
>
> No, I think I verified that in all cases.
>
>> Either that or your LDAP Indexes need tweaking.
>
> Does anyone have a good set I could use as a basis. I am completely new to LDAP...

my advice would be to check the new group you just added last week and see if there are attributes in any of those entries which are not indexed -- as a general rule of thumb, I think it's advisable to attach an index to just about every attribute that you might ever use when looking someone/something up -- here's what we've got:

    # Indexing options
    index default eq
    index uid
    index sn
    index gidNumber
    index uidNumber
    index gecos
    index loginshell
    index homeDirectory
    index cn
    index mail
    index objectClass eq

and (depending on your version of openldap) don't forget to stop the directory, run slapindex and then restart after any changes you may make to your index options

good luck,
~c
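One way to carry out the check suggested in the message above, as an added example that is not part of the thread: parse the index lines of a slapd.conf and list which attributes used in account and group lookup filters have no equality index. The filter set is an assumption (RFC 2307-style lookups; substitute the filters that appear in your own slapd debug output), and the configuration text is the index block from the message, embedded as sample input.

```python
import re

# Constructed sample input: the index block quoted in the message above.
SAMPLE_SLAPD_CONF = """\
# Indexing options
index default eq
index uid
index sn
index gidNumber
index uidNumber
index gecos
index loginshell
index homeDirectory
index cn
index mail
index objectClass eq
"""

# Assumption: typical RFC 2307 filters an NSS LDAP module sends per lookup.
ASSUMED_NSS_FILTERS = {
    "getpwnam": "(&(objectClass=posixAccount)(uid=alice))",
    "getpwuid": "(&(objectClass=posixAccount)(uidNumber=1000))",
    "getgrnam": "(&(objectClass=posixGroup)(cn=staff))",
    "getgrgid": "(&(objectClass=posixGroup)(gidNumber=100))",
    "initgroups": "(&(objectClass=posixGroup)(memberUid=alice))",
}

FILTER_ATTR = re.compile(r"\(([A-Za-z][\w;-]*)=")  # attribute of an equality term

def parse_indexes(conf_text):
    """Return {attribute (lowercase): set of index types} from slapd.conf text."""
    indexes = {"default": set()}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "index":
            continue
        # A line without index types inherits the "default" set seen so far.
        kinds = set(parts[2].lower().split(",")) if len(parts) > 2 else indexes["default"]
        for attr in parts[1].lower().split(","):
            indexes[attr] = set(kinds)
    return indexes

def unindexed(filters, indexes):
    """Map lookup name -> filter attributes that have no equality index."""
    report = {}
    for name, flt in filters.items():
        attrs = sorted(set(FILTER_ATTR.findall(flt)))
        report[name] = [a for a in attrs if "eq" not in indexes.get(a.lower(), set())]
    return {name: missing for name, missing in report.items() if missing}
```

With the assumed filters, unindexed(ASSUMED_NSS_FILTERS, parse_indexes(SAMPLE_SLAPD_CONF)) reports only memberUid, the attribute searched when resolving a user's group memberships.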
Re: nscd: Was Re: long delays with LDAP nss/pam
On Wed, 27 Oct 2004, martin f krafft wrote:
> thus spoke Donovan Baarda [EMAIL PROTECTED] [2004.10.27.1007 +0200]:
>> Is there any reason why nscd should not be installed on a system?
>
> It's often a pain to use if you make frequent changes? It's got a weird caching policy that I can't seem to control the way I interpret it?

It causes security headaches as well, because you never know when it got a stale cache?

If you don't need it, don't use it. The same goes for lwresd, and other caches. Although lwresd at least expires things in a predictable way (i.e. it follows the DNS caching times).

--
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
Re: long delays with LDAP nss/pam
thus spoke charlie derr [EMAIL PROTECTED] [2004.10.27.1519 +0200]:
> index default eq
> [...]
> index objectClass eq
                    ^^
that's the default anyway.

Thanks for your tips. It's starting to make sense.

> and (depending on your version of openldap) don't forget to stop the directory, run slapindex and then restart after any changes you may make to your index options

Oh, I did not know about slapindex. I will try this when I return to the cluster tomorrow.

--
martin f. krafft [EMAIL PROTECTED]
Reports on Postfix + Amavis + SpamAssassin
Hello everyone:

I need advice on reporting in web pages (MRTG-like) the activities of a mail system built on Postfix + Amavisd-new + SpamAssassin. Any clue? I'm using Debian Sarge.

As you can read, I'm not a native speaker. ;-)

Regards,
Federico Lazcano - Technical Support [EMAIL PROTECTED]
--
Hardtec S.R.L.
Dorrego 2406 - Rosario
TE: 0341-486
http://www.hardtec.com.ar/
Re: Reports on Postfix + Amavis + SpamAssassin
On Wed, 2004-10-27 at 14:56, Federico Lazcano wrote:
> Hello everyone:
>
> I need advice on reporting in web pages (MRTG-like) the activities of a mail system built on Postfix + Amavisd-new + SpamAssassin. Any clue? I'm using Debian Sarge.

    $ apt-cache show mailgraph
    Package: mailgraph
    Architecture: all
    Version: 1.8-1
    Depends: debconf, libfile-tail-perl, librrds-perl
    Recommends: httpd
    Filename: pool/main/m/mailgraph/mailgraph_1.8-1_all.deb
    Size: 15130
    MD5sum: aae91b2657e84379624e9ebdf9fc5503
    Description: Mail statistics RRDtool frontend for Postfix
     Mailgraph is a very simple mail statistics RRDtool frontend for Postfix
     that produces daily, weekly, monthly and yearly graphs of received/sent
     and bounced/rejected mail.

> As you can read, I'm not a native speaker. ;-)
>
> Regards,
> Federico Lazcano
Re: Reports on Postfix + Amavis + SpamAssassin
Hi Federico,

> I need advice on reporting in web pages (MRTG-like) the activities of a mail system built on Postfix + Amavisd-new + SpamAssassin. Any clue?

How about isoqlog for postfix? Not sure if a graphical version of analysis for SA and amavis-new is available.

--
Best regards,
Kilian
Re: Reports on Postfix + Amavis + SpamAssassin
I know some RRDTool graphs:

amavis-stats - Virus statistics RRDtool frontend for Amavis
couriergraph - Mail statistics RRDtool frontend for Courier-{POP,IMAP}
mailgraph - Mail statistics RRDtool frontend for Postfix

They are installable for unstable. Hope these help :)

On Wednesday, 27 October 2004 14:56, Federico Lazcano wrote:
> Hello everyone:
>
> I need advice on reporting in web pages (MRTG-like) the activities of a mail system built on Postfix + Amavisd-new + SpamAssassin. Any clue? I'm using Debian Sarge.
>
> As you can read, I'm not a native speaker. ;-)
>
> Regards,
> Federico Lazcano
Re: long delays with LDAP nss/pam
Be careful with indexing and slapindex. Slapindex is supposed to be run when the slapd daemon is down, or the db is in read-only mode.

From the 'slapindex' man page:

    LIMITATIONS
        Your slapd(8) should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database.

On 27/10/04 09:43 +0200, martin f krafft wrote:
> We run a big cluster, managed by FAI, using LDAP and NFS to provide users with homogenous environments across all nodes. All machines run sarge, and slapd is tunnelled via SSL for security purposes. Read-only access to the passwd/group directory is anonymous. All nodes are running nscd.
>
> While this worked beautifully last week, I returned this week to find everything taking ages. ls /home takes about 3 seconds before listing the directories (libnss apparently takes so long to map uid-login), even when there are only 10 directories at the moment (the cluster is still in beta). Furthermore, logging in takes between 2 and 10 seconds.
>
> If I tune in to the slapd debug output, I can see it working big time and accessing millions of keys. This was not the case last week, or slapd was about 100 times faster then.
>
> The only change I can remember was adding a new group and placing a bunch of people in there. This should not have the aforementioned effect really.
>
> Has anyone experienced the above before? What could be the reason? How can I fix this?
>
> Would this post have been better over at -user?

--
Ted Knab
Chester, Maryland 21619 USA
--
See you at LISA in Atlanta. :)
Re: long delays with LDAP nss/pam
thus spoke Theodore Knab [EMAIL PROTECTED] [2004.10.27.2100 +0200]:
> Be careful with indexing and slapindex.

Thanks for the heads-up! I will make sure that slapindex gets enough intelligence so that it will refuse to index a running database.

--
martin f. krafft [EMAIL PROTECTED]