Re: [CentOS] [WTA] Automatically blocking on failed login

2010-05-25 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>Of David Suhendrik
>Sent: Monday, May 24, 2010 6:55 PM
>To: CentOS mailing list
>Subject: [CentOS] [WTA] Automatically blocking on failed login
>
>Hello All,
>I had problems with the security server, the server is frequently attacked
>using bruteforce attacks. Is there an application that can perform automatic
>blocking when there are failed logins to the ports smtp, pop3 port, and others?

Why don't you try the Smoothwall firewall appliance and its Guardian Active 
Response (GAR)-mod, and set this up around your perimeter?

GAR is able to add temporary firewall rules to drop connection 
attempts/attacks under a configurable period of time and works in conjunction 
with Snort.

-- 
/Sorin


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] [WTA] Automatically blocking on failed login

2010-05-25 Thread Mr Gabriel
Maybe he should go with a CentOS-based solution, because moving whatever 
services are on his box to a Smoothwall instance is going to be murder!

I would still suggest fail2ban. I have hundreds of attempts against my server 
farm all day every day, and the fail2ban scripts really help to stop my services 
being tied up denying logins or crashing, because each IP only gets three 
strikes, and is out, and that's across all servers. Also, my traffic logs are 
more accurate, and my average load dropped a bit too.
---
Kind Regards,
Mr Gabriel (bberry mail)

-Original Message-
From: "Sorin Srbu" 
Date: Tue, 25 May 2010 09:22:39 
To: 'CentOS mailing list'
Subject: Re: [CentOS] [WTA] Automatically blocking on failed login



Re: [CentOS] [WTA] Automatically blocking on failed login

2010-05-25 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>Of Mr Gabriel
>Sent: Tuesday, May 25, 2010 9:34 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] [WTA] Automatically blocking on failed login
>
>Maybe he should go with Centos based solution, because moving what ever
>services are on his box to a smooth wall instance, is going to be murder!
>
>I would still suggest fail2ban, I have hundreds of attempts against my server
>farm all day everyday, and the fail2ban scripts really help to stop my services
>being tied up denying logins or crashing, because each ip only gets three
>strikes, and is out, and that's across all servers. Also, my traffic logs are
>more accurate, and my average load dropped a bit too.

That depends on what he has on the current machine(s). YMMV, as always. 8-)

-- 
/Sorin




Re: [CentOS] [WTA] Automatically blocking on failed login

2010-05-25 Thread David
Hi All,
Sorry for long answer..
I would like to use CentOS for all. I've a transparent firewall (CentOS 
+ iptables) and I want to use it as a filter.
I've been using iptables on the server machine (not in transparent 
firewall), and I want to get the job done by the firewall.
Is it possible for my firewall to do this task, while the computer being 
attacked is a different one?

--
Best regards,
David
http://blog.pnyet.web.id


On 05/25/2010 02:34 PM, Mr Gabriel wrote:
> Maybe he should go with Centos based solution, because moving what ever 
> services are on his box to a smooth wall instance, is going to be murder!
>
> I would still suggest fail2ban, I have hundreds of attempts against my server 
> farm all day everyday, and the fail2ban scripts really help to stop my 
> services being tied up denying logins or crashing, because each ip only gets 
> three strikes, and is out, and that's across all servers. Also, my traffic 
> logs are more accurate, and my average load dropped a bit too.
> ---
> Kind Regards,
> Mr Gabriel (bberry mail)
>
> -Original Message-
> From: "Sorin Srbu"
> Date: Tue, 25 May 2010 09:22:39
> To: 'CentOS mailing list'
> Subject: Re: [CentOS] [WTA] Automatically blocking on failed login
>


[CentOS] Unable to download the kickstart file ?

2010-05-25 Thread sync
Hi,all:

Today I tried installing a few machines with a kickstart file through NFS. But
somehow it didn't work and I got the error message "Unable to download the
kickstart file".


I have tested the nfs share mounting from other server and it worked fine.
But somehow trying to install a fresh machine with ks file through NFS
is giving this error message.

Please look in to this and let me know if there is something I need to
configure before starting the installation.

Thanks in advance ~


Re: [CentOS] Unable to download the kickstart file ?

2010-05-25 Thread Eero Volotinen
2010/5/25 sync :
> Hi,all:
>
> Today I tried installating few machines with kickstart file through NFS. But
> somehow it didn't worked and got error message "Unable to download the
> kickstart file".
>
>
> I have tested the nfs share mounting from other server and it worked fine.
> But somehow while trying to  install a fresh machine with ks file through
> NFS is giving this error message.
>
> Please look in to this and let me know if there is something I need to
> configure before starting the installation.

Make sure that NFS server access control is not blocking access to
file. See /etc/exports for more info.

--
Eero,
RHCE


Re: [CentOS] [WTA] Automatically blocking on failed login

2010-05-25 Thread Tom Yates
On Tue, 25 May 2010, David wrote:

> I would like to use CentOS for all. I've a transparent firewall (CentOS 
> + iptables) and I want to use it as a filter. I've been using iptables 
> on the server machine (not in transparent firewall), and I want to get 
> the job done by the firewall. Is it possible if my firewall to do this 
> task? while being attacked is different computer?

sort of, yes.  after some investigation and thought, i decided to protect 
my ssh servers with rate-limiting, using iptables.

rate-limiting doesn't care whether a login succeeded or failed, it just 
detects repeated attempts to connect from the same source address to the 
same destination port, and blocks any past the first two in a rolling 
60-second window (both parameters are of course configurable).  this makes 
it suitable for use on the firewall rather than the endpoint, and i 
suspect it can be extended to IMAP and similar services (though mail 
clients that wish to continually make new connections rather than keeping 
existing ones open and reusing them will run into problems).

for sshd, analysis of last week's logs shows that the number of connection 
attempts rejected this way each day varies from 2,200 to 82,000, while the 
number of failed logins on sshd varies daily from 2 to 25 - so you can see 
that this is somewhere between 99% and 99.997% effective at preventing 
people from getting as far as a password-guessing attack.  server load has 
*substantially* decreased.

if this is of interest to you i wrote the details up at 
http://www.teaparty.net/technotes/ssh-rate-limiting.html .


-- 

   Tom Yates  -  http://www.teaparty.net
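
The two-connections-per-60-seconds limit described in the message above, written out as iptables rules (an added example, not taken from the post or the linked technote). It assumes the `recent` match, which the post does not name; `rate_limit_rules` and the `rl_<port>` list names are illustrative, and the function only prints the rules so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example. Assumption: the limit is built on the iptables `recent`
# match; rate_limit_rules and the rl_<port> list names are illustrative.

# rate_limit_rules CHAIN PORT SECONDS ALLOWED
#   CHAIN    INPUT on the server itself, FORWARD on a firewall in front of it
#   PORT     destination TCP port to protect (22 = ssh, 143 = imap, ...)
#   SECONDS  length of the rolling window
#   ALLOWED  new connections accepted per source address within the window
# Prints the rules instead of running them, so they can be reviewed first.
rate_limit_rules() {
    chain=$1 port=$2 seconds=$3 allowed=$4

    case $chain in INPUT|FORWARD) ;; *) echo "bad chain: $chain" >&2; return 1 ;; esac
    for n in "$port" "$seconds" "$allowed"; do
        case $n in ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;; esac
    done

    list="rl_$port"
    # Rule 1 records every attempt before rule 2 counts, so the attempt
    # being judged is included: ALLOWED + 1 hits means "one too many".
    # (The module rejects a hitcount above its ip_pkt_list_tot, default 20.)
    hitcount=$((allowed + 1))
    new="-p tcp --dport $port -m state --state NEW"

    # Rule 1: remember the source address and time of each new connection.
    echo "iptables -A $chain $new -m recent --name $list --set"
    # Rule 2: drop once the source has reached the limit inside the window.
    # --update also refreshes the entry on a match, so a source that keeps
    # hammering stays blocked. Anything not dropped falls through to the
    # rest of the ruleset, whether the later login succeeds or fails.
    echo "iptables -A $chain $new -m recent --name $list --update --seconds $seconds --hitcount $hitcount -j DROP"
}

# The post's parameters: two connections per 60 seconds, enforced on the
# firewall for ssh, then a looser limit for IMAP clients that reconnect often.
rate_limit_rules FORWARD 22 60 2
rate_limit_rules FORWARD 143 60 10
```

Because the rules count connection attempts rather than failed logins, a legitimate client that opens more than ALLOWED connections per window is dropped as well, which is the mail-client caveat raised in the message.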


[CentOS] Centos 5.4 to 5.5 fails to update lvm2 (needs newer device-mapper?)

2010-05-25 Thread C R Ritson
Updating from centos 5.4 to 5.5 using an update rather than a rebuild, I get 
the following complaint from yum:-
  lvm2-2.02.56-8.el5_5.1.x86_64 from setup has depsolving problems
  --> Missing Dependency: device-mapper >= 1.02.39-1 is needed by package 
lvm2-2.02.56-8.el5_5.1.x86_64 (setup)

This is from a local mirror, so checking the upstream feed in case the 
mirroring is incomplete I see the following:-

The updates directory http://mirror.centos.org/centos-5/5/updates/x86_64/RPMS/ 
contains no device-mapper package, just:-
  lvm2-2.02.56-8.el5_5.1.x86_64.rpm

The install directory http://mirror.centos.org/centos-5/5/os/x86_64/CentOS/ 
contains newer copies of both device-mapper and lvm2 than was current 
for centos 5.4:-
  device-mapper-1.02.39-1.el5.x86_64.rpm
  lvm2-2.02.56-8.el5.x86_64.rpm

What is the right solution? To copy the missing RPM into our local mirror? 
There is a redhat bug report that may relate... 
https://rhn.redhat.com/errata/RHBA-2010-0368.html as does the earlier 
https://rhn.redhat.com/errata/RHBA-2010-0298.html report.

Chris Ritson (Computing Officer and School Safety Officer)

Room 707, Claremont Tower,         EMAIL: c.r.rit...@ncl.ac.uk
School of Computing Science,       PHONE: +44 191 222 8175
Newcastle University,              FAX  : +44 191 222 8232
Newcastle upon Tyne, UK NE1 7RU.   WEB  : http://www.cs.ncl.ac.uk/




Re: [CentOS] [WTA] Automatically blocking on failed login

2010-05-25 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>Of Tom Yates
>Sent: Tuesday, May 25, 2010 11:19 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] [WTA] Automatically blocking on failed login
>
>if this is of interest to you i wrote it the details up at
>http://www.teaparty.net/technotes/ssh-rate-limiting.html .

Nice!
-- 
/Sorin




Re: [CentOS] SATA hotswap

2010-05-25 Thread Kay Diederichs
Jakub Jedelský wrote:
> Hi all,
> 
> I changed a bad disk (automatically disabled from software raid1 and
> system for I/O error) in one of our servers and now have problem with
> adding new one to system without reboot. Does anybody have an experience
> with this? Or is it possible? :) We're using hotswap AXX6DRV3G for 6
> SATA disks from Intel connected directly to MB (S5520HC from Intel too).
> There is AHCI as driver (enabled in bios), no HW raid.
> I found, something like that
> 
> echo "0 0 0" >/sys/class/scsi_host/host/scan
> 
> but it found only sda disk which is already running..
> Using CentOS 5.5, x86_64.
> 
> Thanks for your ideas and replies ... and excuse my english please :)
> -- 
> Jakub Jedelský
> e-mail/jabber: jakub.jedel...@gmail.com
> 
> http://dev.stderr.cz
> 
> 
> 
> 

same mobo (Intel S5520HC) here, and also BIOS configured such that the
AHCI driver is being used.
I noted the same as you: hotswap does not seem to work - detecting a new
disk appears to need a cold start.
(I did not try to play with something like echo "0 0 0" >/sys/class/scsi_host/host/scan )

Hotswap does work on all my non-S5520HC mobos that have AHCI, though.

HTH,
Kay



Re: [CentOS] Centos 5.4 to 5.5 fails to update lvm2 (needs newer device-mapper?)

2010-05-25 Thread Karanbir Singh
On 05/25/2010 10:49 AM, C R Ritson wrote:
> The updates directory 
> http://mirror.centos.org/centos-5/5/updates/x86_64/RPMS/ contains no 
> device-mapper package, just:-
> The install directory http://mirror.centos.org/centos-5/5/os/x86_64/CentOS/ 
> contains contains newer copies of both device-mapper and lvm2 than was 
> current for centos 5.4:-
> What is the right solution? To copy the missing RPM into our local mirror? 
> There is a redhat bug report that may relate... 
> https://rhn.redhat.com/errata/RHBA-2010-0368.html as does the earlier 
> https://rhn.redhat.com/errata/RHBA-2010-0298.html report.


The right solution is to fix your yum configs. There are no 'install' 
and 'updates' directories. There is the 'os' repository and things that 
have updated FROM that 'os' repository in the updates repository. In 
other words, the updates is an extension to - not replacement of the 
'os' repository, if you disable your 'os' repo, your yum configs are broken.

- KB


Re: [CentOS] LSI software raid with centos 5.4

2010-05-25 Thread CList
>> I have been trying to install CentOS 5.4 on a Intel SR1530SHS, Intel S3200SH
>> mainboard.. It has a 3 x 1TB sata hotswap drives with LSI software raid
>> onboard.
>
> fake-raid alert!
>
>> I had configured the LSI to have Sata0 and Sata1 with raid 1 and the third
>> drive as a hotspare drive.
>
> Okay...
>
>> Format the harddisk and installation was a breeze. The server rebooted into
>> a blank screen and the cursor just keep blinking.
>
> Drivers for the LSI fake-raid not included in initrd maybe?
>> 
>> Please advise.
>
> Reinstall and use md raid?

Will I lose the hotswap capability?

wL



Re: [CentOS] Unable to download the kickstart file ?

2010-05-25 Thread sync
On Tue, May 25, 2010 at 5:03 PM, Eero Volotinen wrote:

> 2010/5/25 sync :
> > Hi,all:
> >
> > Today I tried installating few machines with kickstart file through NFS. But
> > somehow it didn't worked and got error message "Unable to download the
> > kickstart file".
> >
> >
> > I have tested the nfs share mounting from other server and it worked fine.
> > But somehow while trying to  install a fresh machine with ks file through
> > NFS is giving this error message.
> >
> > Please look in to this and let me know if there is something I need to
> > configure before starting the installation.
>
> Make sure that NFS server access control is not blocking access to
> file. See /etc/exports for more info.
>

Well, I tried to use the following command to check the NFS mounted
directory on the server:
r...@xxx ~: showmount -e localhost
/instsvr  *

Then I could also mount that shared directory on the server.

So I thought the NFS server access control is no problem, isn't it?

>
> --
> Eero,
> RHCE


[CentOS] Samba3x daily logged errors with Win7 clients

2010-05-25 Thread Steve Snyder
In the course of upgrading from CentOS 5.4 to CentOS 5.5 I changed from 
using the samba (v3.0.x) packages to the samba3x (v3.3.8) packages, 
mostly because the newer version was said to better support Win7.  The 
Samba server services Linux, WinXP, and Win7 clients.

Now I get many, many errors logged to the Samba logs shortly after 3:00 
AM, but only from the Win7 clients.  I get roughly 430 sets of these 
messages in a twenty-second (!) period:

[2010/05/25 03:17:36,  1] smbd/service.c:make_connection_snum(748)
   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED

These errors are never seen in the Samba logs that track the Linux and 
WinXP clients, only the Win7 clients.  I don't run virus scans or 
anything else (that I know of) on the Win7 machines in the middle of the 
night, but I do have the usual cron jobs running on the CentOS server 
around that time.  Could be related to log rotation or something like that?

I haven't seen a loss of connectivity, but then I don't use the client 
machines at 3:15AM.  If there is a brief connection failure I wouldn't 
know it.

I used my old (Samba 3.0.x) config file, user definitions and password 
database when I made the switch to the new (Samba 3.3.8) server and the 
newer code didn't seem to have any complaints with them.  The client 
shares seem to work without any problems.

Any thoughts on what could be generating all these errors?

Thanks.


[CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Jatin Davey
Hi

I have a linux box which has CentOS running in it. I logged into the box 
using root and wrote a script in the /home/proc_threads directory, saved 
the file and quit. I changed the file permissions such that any user 
could execute it using the "chmod 777 filename" command.

When I log out and log in as a non-root user I was not able to execute 
the script though.

Could someone please help in this regard. I am a newbie to linux.

Thanks
Jatin


Re: [CentOS] LSI software raid with centos 5.4

2010-05-25 Thread Chan Chung Hang Christopher
CList wrote:
>>> I have been trying to install CentOS 5.4 on a Intel SR1530SHS, Intel S3200SH
>>> mainboard.. It has a 3 x 1TB sata hotswap drives with LSI software raid
>>> onboard.
>> fake-raid alert!
>>
>>> I had configured the LSI to have Sata0 and Sata1 with raid 1 and the third
>>> drive as a hotspare drive.
>> Okay...
>>
>>> Format the harddisk and installation was a breeze. The server rebooted into
>>> a blank screen and the cursor just keep blinking.
>> Drivers for the LSI fake-raid not included in initrd maybe?
>>> Please advise.
>> Reinstall and use md raid?
> 
> Will I lose the hotswap capability?
> 

That depends on the controller and driver...

Just what LSI board is this? A 3ware board or megaraid or what?!?!


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Jakub Jedelsky
On 25.5.2010 14:27, Jatin Davey wrote:
> Hi
>
> I have a linux box which has CentOS running in it. I logged into the box 
> using root and wrote a script in the /home/proc_threads directory. saved 
> the file and quit. I changed the file permissions such that any user 
> could execute it using the "chmod 777 filename" command.
>
> When i log out and log in as a non-root user i was not able to execute 
> the script though.
>
> Could some one please help in this regard. I am a newbie to linux.
>
> Thanks
> Jatin

Hi,

do other users have access to the /home/proc_threads directory? :) Aren't you
calling any functions from the script which can be executed only by root..?
Send us the exact error which you get after executing your script as a
user.. If it is a bash script, you can debug it with the "-x" option..

Excuse my english :)

Jakub J.


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread kalinix
On Tue, 2010-05-25 at 17:57 +0530, Jatin Davey wrote:

> Hi
> 
> I have a linux box which has CentOS running in it. I logged into the box 
> using root and wrote a script in the /home/proc_threads directory. saved 
> the file and quit. I changed the file permissions such that any user 
> could execute it using the "chmod 777 filename" command.
> 
> When i log out and log in as a non-root user i was not able to execute 
> the script though.
> 
> Could some one please help in this regard. I am a newbie to linux.
> 
> Thanks
> Jatin


Maybe wrong SElinux context?




Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857

=
Like winter snow on summer lawn, time past is time gone.


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread James Hogarth
On 25 May 2010 13:27, Jatin Davey  wrote:
> Hi
>
> I have a linux box which has CentOS running in it. I logged into the box
> using root and wrote a script in the /home/proc_threads directory. saved
> the file and quit. I changed the file permissions such that any user
> could execute it using the "chmod 777 filename" command.
>
> When i log out and log in as a non-root user i was not able to execute
> the script though.
>
> Could some one please help in this regard. I am a newbie to linux.
>
> Thanks
> Jatin

1) Does the non-root user have access to the /home/proc_threads directory?
2) Is your home partition mounted noexec?

James


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Jatin Davey

On 5/25/2010 6:20 PM, Jakub Jedelsky wrote:
> On 25.5.2010 14:27, Jatin Davey wrote:
>> Hi
>>
>> I have a linux box which has CentOS running in it. I logged into the box
>> using root and wrote a script in the /home/proc_threads directory. saved
>> the file and quit. I changed the file permissions such that any user
>> could execute it using the "chmod 777 filename" command.
>>
>> When i log out and log in as a non-root user i was not able to execute
>> the script though.
>>
>> Could some one please help in this regard. I am a newbie to linux.
>>
>> Thanks
>> Jatin
>
> Hi,
>
> have another users access to /home/proc_threads directory? :) Don't
> you call any functions from script which can be executed only by root..?
> Send us the exact error which you get after execute your script as an
> user.. If it is a bash script, you can debug it with "-x" option..
>
> Excuse my english :)
>
> Jakub J.

Here is the script that i am trying to execute as a non-root user:

#!/bin/sh
ps -C java -o thcount > /home/proc_threads/tempfile
awk ' { total += $1 } END { print total } ' /home/proc_threads/tempfile

here is the output when i try to execute as a non-root user:

./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
awk: cmd. line:1: fatal: cannot open file `/home/proc_threads/tempfile' 
for reading (Permission denied)


Thanks
Jatin


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Jakub Jedelsky

On 25.5.2010 14:57, Jatin Davey wrote:
> On 5/25/2010 6:20 PM, Jakub Jedelsky wrote:
>> On 25.5.2010 14:27, Jatin Davey wrote:
>>> Hi
>>>
>>> I have a linux box which has CentOS running in it. I logged into the box 
>>> using root and wrote a script in the /home/proc_threads directory. saved 
>>> the file and quit. I changed the file permissions such that any user 
>>> could execute it using the "chmod 777 filename" command.
>>>
>>> When i log out and log in as a non-root user i was not able to execute 
>>> the script though.
>>>
>>> Could some one please help in this regard. I am a newbie to linux.
>>>
>>> Thanks
>>> Jatin
>>
>> Hi,
>>
>> have another users access to /home/proc_threads directory? :) Don't
>> you call any functions from script which can be executed only by root..?
>> Send us the exact error which you get after execute your script as an
>> user.. If it is a bash script, you can debug it with "-x" option..
>>
>> Excuse my english :)
>>
>> Jakub J.
>>
> Here is the script that i am trying to execute as a non-root user:
>
> #!/bin/sh
> ps -C java -o thcount > /home/proc_threads/tempfile
> awk ' { total += $1 } END { print total } ' /home/proc_threads/tempfile
>
> here is the output when i try to execute as a non-root user:
>
> ./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
> awk: cmd. line:1: fatal: cannot open file
> `/home/proc_threads/tempfile' for reading (Permission denied)
>
> Thanks
> Jatin
>

...and what are permissions of /home/proc_threads/tempfile? It seems,
that users can't write to it.. Try 'chmod o+w /home/proc_threads/tempfile'


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread James Bensley
How are you trying to execute the script, "./my_script" or "sh ./my_script"?

-- 
Regards,
James.

http://www.jamesbensley.co.cc/ - There are only 10 kinds of people in
the world, those who understand trinary, those who don't understand
trinary and those who don't understand trinary.


Re: [CentOS] SATA hotswap

2010-05-25 Thread Karanbir Singh
On 05/21/2010 03:12 PM, Robert Heller wrote:
> I didn't need to do anything special when inserting disks into my
> (cheap) 4x 2.5" SATA hot swap bay.  Just inserted the drive and the
> HAL/udev daemon pick it up all on its own. My motherboard is a
> nVidia-based:

What sata 4 bay cage are you using ?

- KB


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Bowie Bailey
Jatin Davey wrote:
> Here is the script that i am trying to execute as a non-root user:
>
> #!/bin/sh
> ps -C java -o thcount > /home/proc_threads/tempfile
> awk ' { total += $1 } END { print total } ' /home/proc_threads/tempfile
>
> here is the output when i try to execute as a non-root user:
>
> ./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
> awk: cmd. line:1: fatal: cannot open file
> `/home/proc_threads/tempfile' for reading (Permission denied)

The script is running, but the 'awk' line is failing to read
/home/proc_threads/tempfile.  What are the permissions on that file and
directory?


$ ls -ld /home/proc_threads

$ ls -l /home/proc_threads/tempfile

-- 
Bowie


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Jatin Davey
On 5/25/2010 6:44 PM, Bowie Bailey wrote:
> Jatin Davey wrote:
>
>> Here is the script that i am trying to execute as a non-root user:
>>
>> #!/bin/sh
>> ps -C java -o thcount > /home/proc_threads/tempfile
>> awk ' { total += $1 } END { print total } ' /home/proc_threads/tempfile
>>
>> here is the output when i try to execute as a non-root user:
>>
>> ./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
>> awk: cmd. line:1: fatal: cannot open file
>> `/home/proc_threads/tempfile' for reading (Permission denied)
>>  
> The script is running, but the 'awk' line is failing to read
> /home/proc_threads/tempfile.  What are the permissions on that file and
> directory?
>
>
>  $ ls -ld /home/proc_threads
>
>  $ ls -l /home/proc_threads/tempfile
>
>

Thanks all

I finally figured out that the tempfile that i was creating did not have 
proper permissions for the script to write into. Now i have fixed it 
using the chmod command and it is working fine.

Thanks
Jatin


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread James Hogarth
On 25 May 2010 14:14, Bowie Bailey  wrote:
> Jatin Davey wrote:
>> Here is the script that i am trying to execute as a non-root user:
>>
>> #!/bin/sh
>> ps -C java -o thcount > /home/proc_threads/tempfile
>> awk ' { total += $1 } END { print total } ' /home/proc_threads/tempfile
>>
>> here is the output when i try to execute as a non-root user:
>>
>> ./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
>> awk: cmd. line:1: fatal: cannot open file
>> `/home/proc_threads/tempfile' for reading (Permission denied)
>
> The script is running, but the 'awk' line is failing to read
> /home/proc_threads/tempfile.  What are the permissions on that file and
> directory?
>
>
>    $ ls -ld /home/proc_threads
>
>    $ ls -l /home/proc_threads/tempfile
>
> --
> Bowie

Looks like it is failing before the awk...

For that script to run the directory will need to be writeable by the
user running the script...

chmod o+w /home/proc_threads will do if you don't care for security of
the file/directory... or arrange the group of the user running the
script to be able to write to the directory instead.

James


[CentOS] Stop annoying kernel message

2010-05-25 Thread José Christian Iñiguez Bonilla


Hi Everyone!

This is my problem: I'm using the Nagios tool to monitor my servers with CentOS 5, 
and I recently added the script to check nfs. This script makes an rpc request 
to the server, but every time the script makes this request, I get this 
message in /var/log/messages: "kernel: svc: unknown version (0)"

I'm not sure if this message is only a message or a problem that I have to fix. 
Could you guys help me to stop this annoying message??

Thanks in advance!

Best Regards
  


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Les Mikesell
Bowie Bailey wrote:
> Jatin Davey wrote:
>> Here is the script that i am trying to execute as a non-root user:
>>
>> #!/bin/sh
>> ps -C java -o thcount > /home/proc_threads/tempfile
>> awk ' { total += $1 } END { print total } ' /home/proc_threads/tempfile
>>
>> here is the output when i try to execute as a non-root user:
>>
>> ./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
>> awk: cmd. line:1: fatal: cannot open file
>> `/home/proc_threads/tempfile' for reading (Permission denied)
> 
> The script is running, but the 'awk' line is failing to read
> /home/proc_threads/tempfile.  What are the permissions on that file and
> directory?
> 
> 
> $ ls -ld /home/proc_threads
> 
> $ ls -l /home/proc_threads/tempfile
> 

Unless you have some other use for the contents of tempfile, you could use a 
pipeline instead to avoid any permissions issue.

-- 
   Les Mikesell
lesmikes...@gmail.com
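
The pipeline suggested in the message above, applied to the javathreads script from this thread (an added example, not posted by anyone on the list). The function names and the sample ps output are constructed for illustration.

```shell
#!/bin/sh
# Added example: the thread-count script without a shared temp file, so
# /home/proc_threads does not have to be writable by other users.

# Sum the first column of ps output read from stdin. Lines that are not a
# plain number (such as the "THCNT" header) are skipped, and 0 is printed
# when there is no input, i.e. when no matching process is running.
sum_threads() {
    awk '$1 ~ /^[0-9]+$/ { total += $1 } END { print total + 0 }'
}

# Pipeline form: nothing is written to disk, so no file or directory
# permission is involved. "thcount=" asks ps to omit the header line.
java_thread_total() {
    ps -C java -o thcount= | sum_threads
}

# If the intermediate output is wanted for something else, keep it in a
# private file from mktemp (created for the calling user only) instead of
# a fixed path in a directory that several users must be able to write to.
java_thread_total_tmp() {
    tmp=$(mktemp) || return 1
    ps -C java -o thcount= > "$tmp"
    sum_threads < "$tmp"
    rm -f "$tmp"
}

# Constructed sample of `ps -C java -o thcount` output, header included.
sample_ps_output() {
    printf 'THCNT\n   23\n  117\n    8\n'
}

sample_ps_output | sum_threads
```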



Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 05:57:46PM +0530, Jatin Davey wrote:

> I have a linux box which has CentOS running in it. I logged into the box 
> using root and wrote a script in the /home/proc_threads directory. saved 
> the file and quit. I changed the file permissions such that any user 
> could execute it using the "chmod 777 filename" command.

What are the permissions on the directory itself?

Best,
Whit


Re: [CentOS] SATA hotswap

2010-05-25 Thread Robert Heller
At Tue, 25 May 2010 14:22:56 +0100 CentOS mailing list  
wrote:

> 
> On 05/21/2010 03:12 PM, Robert Heller wrote:
> > I didn't need to do anything special when inserting disks into my
> > (cheap) 4x 2.5" SATA hot swap bay.  Just inserted the drive and the
> > HAL/udev daemon picks it up all on its own. My motherboard is a
> > nVidia-based:
> 
> What sata 4 bay cage are you using ?

This one from NewEgg:

SNT SNT-SATA1842B 4 x 2.5" HDD in 1 x 5.25" bay SAS / SATA 2.5" Hot Swap 
Backplane RAID cage
http://www.newegg.com/Product/Product.aspx?Item=N82E16817993017

It takes up a single 5.25" bay, has a 4-pin molex power connector, and
holds 4 2.5" SATA drives, with front panel access.

I have two Seagate 180GB (ST9160827AS) drives (RAID1) and a Hitachi 120GB
(HTS54161) drive (backup disk). The 4th bay is presently empty.

(my Motherboard is this:
ASRock K10N78 AM2+/AM2 NVIDIA GeForce 8200 ATX AMD Motherboard
http://www.newegg.com/Product/Product.aspx?Item=N82E16813157159
I have a Sempron 1-core processor and 2gig of RAM.
)

Just set the BIOS to 'AHCI' mode, added irqpoll to the kernel params
(needed to get the kernel to properly talk to the controller),
and it just works, both CentOS 4.8 (32-bit [inherited from my previous
PIII system]) and CentOS 5.x (64-bit xen).

> 
> - KB

-- 
Robert Heller -- Get the Deepwoods Software FireFox Toolbar!
Deepwoods Software-- Linux Installation and Administration
http://www.deepsoft.com/  -- Web Hosting, with CGI and Database
hel...@deepsoft.com   -- Contract Programming: C/C++, Tcl/Tk

 


Re: [CentOS] Unable to download the kickstart file ?

2010-05-25 Thread Eero Volotinen
2010/5/25 sync :
>
>
> On Tue, May 25, 2010 at 5:03 PM, Eero Volotinen 
> wrote:
>>
>> 2010/5/25 sync :
>> > Hi,all:
>> >
>> > Today I tried installing a few machines with a kickstart file through NFS.
>> > But somehow it didn't work and I got the error message "Unable to download
>> > the kickstart file".
>> >
>> >
>> > I have tested the nfs share mounting from other server and it worked
>> > fine.
>> > But somehow while trying to  install a fresh machine with ks file
>> > through
>> > NFS is giving this error message.
>> >
>> > Please look in to this and let me know if there is something I need to
>> > configure before starting the installation.
>>
>> Make sure that NFS server access control is not blocking access to
>> file. See /etc/exports for more info.
>
> Well , I tried to use the following command to check that NFS mounted
> directory in the server:
> r...@xxx ~: showmount -e localhost
> /instsvr  *
>
> Then I could also mount that share directory in the server .
>
> So I thought the NFS Server access control is no  problem . isn't it ?

hard to say, since NFS is a bit problematic.

how about trying kickstart file over http ?


--
Eero,
RHCE


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Bob Beers
On Tue, May 25, 2010 at 9:42 AM, Les Mikesell  wrote:
> Bowie Bailey wrote:
>> Jatin Davey wrote:
>>> Here is the script that i am trying to execute as a non-root user:
>>>
>>> #!/bin/sh
>>> ps -C java -o thcount > /home/proc_threads/tempfile
>>> awk ' { total += $1 } END { print total } ' /home/proc_threads/tempfile
>>>
>>> here is the output when i try to execute as a non-root user:
>>>
>>> ./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
>>> awk: cmd. line:1: fatal: cannot open file
>>> `/home/proc_threads/tempfile' for reading (Permission denied)
>>
>> The script is running, but the 'awk' line is failing to read
>> /home/proc_threads/tempfile.  What are the permissions on that file and
>> directory?
>>
>>
>>     $ ls -ld /home/proc_threads
>>
>>     $ ls -l /home/proc_threads/tempfile
>>
>
> Unless you have some other use for the contents of tempfile, you could use a
> pipeline instead to avoid any permissions issue.

If you don't mind, I would like to see the pipeline equivalent. :)

I used an array in a similar situation, (to avoid creating tmp file)
 but maybe that does not scale?
For this case, maybe something like this? ...

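#!/bin/bash
# Arrays and (( )) loops are bash features, hence the bash shebang.
OLD=$IFS
IFS=$'\n' R_PS=($(ps -C java -o thcount))
IFS=$OLD
# R_PS is now an array, each element is one line of the ps output

total=0
# Start at 1: element 0 is the THCNT header line
for (( i = 1; i < ${#R_PS[@]}; i++ )) ; do
   # Sum the desired arguments
   total=$(( total + ${R_PS[i]} ))
done
echo $total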


-Bob


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Bowie Bailey
Bob Beers wrote:
> On Tue, May 25, 2010 at 9:42 AM, Les Mikesell  wrote:
>   
>> Bowie Bailey wrote:
>> 
>>> Jatin Davey wrote:
>>>   
>>>> Here is the script that i am trying to execute as a non-root user:
>>>>
>>>> #!/bin/sh
>>>> ps -C java -o thcount > /home/proc_threads/tempfile
>>>> awk ' { total += $1 } END { print total } ' /home/proc_threads/tempfile
>>>>
>>>> here is the output when i try to execute as a non-root user:
>>>>
>>>> ./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
>>>> awk: cmd. line:1: fatal: cannot open file
>>>> `/home/proc_threads/tempfile' for reading (Permission denied)
>>>>
>>> The script is running, but the 'awk' line is failing to read
>>> /home/proc_threads/tempfile.  What are the permissions on that file and
>>> directory?
>>>
>>>
>>> $ ls -ld /home/proc_threads
>>>
>>> $ ls -l /home/proc_threads/tempfile
>>>
>>>   
>> Unless you have some other use for the contents of tempfile, you could use a
>> pipeline instead to avoid any permissions issue.
>> 
>
> If you don't mind, I would like to see the pipeline equivalent. :)
>   

ps -C java -o thcount | awk ' { total += $1 } END { print total } '


-- 
Bowie


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread m . roth
Bowie wrote:
> Bob Beers wrote:
>> On Tue, May 25, 2010 at 9:42 AM, Les Mikesell 
>> wrote:
>>> Bowie Bailey wrote:
>>>> Jatin Davey wrote:
>>>>
>>>>> Here is the script that i am trying to execute as a non-root user:
>>>>>
>>>>> #!/bin/sh
>>>>> ps -C java -o thcount > /home/proc_threads/tempfile
>>>>> awk ' { total += $1 } END { print total } '
>>>>> /home/proc_threads/tempfile
>>>>>
>>>>> here is the output when i try to execute as a non-root user:
>>>>>
>>>>> ./javathreads: line 2: /home/proc_threads/tempfile: Permission denied
>>>>> awk: cmd. line:1: fatal: cannot open file
>>>>> `/home/proc_threads/tempfile' for reading (Permission denied)
>>>>>
>>>> The script is running, but the 'awk' line is failing to read
>>>> /home/proc_threads/tempfile.  What are the permissions on that file
>>>> and directory?
>>>>
>>>> $ ls -ld /home/proc_threads
>>>> $ ls -l /home/proc_threads/tempfile
>>>>
>>> Unless you have some other use for the contents of tempfile, you could
>>> use a pipeline instead to avoid any permissions issue.
>>>
>> If you don't mind, I would like to see the pipeline equivalent. :)
>>
> ps -C java -o thcount | awk ' { total += $1 } END { print total } '

Now, as dearly as I love awk,
ps -C java --no-heading | wc -l

  mark



Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Bowie Bailey
m.r...@5-cent.us wrote:
> Bowie wrote:
>   
>> ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>> 
>
> Now, as dearly as I love awk,
> ps -C java --no-heading | wc -l
>   

You are counting processes, the original is counting threads.

$ ps -C java -o thcount | awk ' { total += $1 } END { print total } '
29

$ ps -C java --no-heading | wc -l
1

-- 
Bowie


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread m . roth
> m.r...@5-cent.us wrote:
>> Bowie wrote:
>>
>>> ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>>>
>>
>> Now, as dearly as I love awk,
>> ps -C java --no-heading | wc -l
>>
>
> You are counting processes, the original is counting threads.
>
> $ ps -C java -o thcount | awk ' { total += $1 } END { print total } '
> 29
>
> $ ps -C java --no-heading | wc -l
> 1

So?
$ ps -C java -o thcount --no-heading | wc -l

mark "shorter is us"



Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread m . roth
> m.r...@5-cent.us wrote:
>> Bowie wrote:
>>
>>> ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>>>
>>
>> Now, as dearly as I love awk,
>> ps -C java --no-heading | wc -l
>>
>
> You are counting processes, the original is counting threads.
>
> $ ps -C java -o thcount | awk ' { total += $1 } END { print total } '
> 29
>
> $ ps -C java --no-heading | wc -l
> 1

Oh, I take that back - I see what's going on, and yeah, you're right.

 mark



Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Les Mikesell
On 5/25/2010 9:55 AM, m.r...@5-cent.us wrote:
>> m.r...@5-cent.us wrote:
>>> Bowie wrote:
>>>
>>>> ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>>>>
>>>
>>> Now, as dearly as I love awk,
>>> ps -C java --no-heading | wc -l
>>>
>>
>> You are counting processes, the original is counting threads.
>>
>> $ ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>> 29
>>
>> $ ps -C java --no-heading | wc -l
>> 1
>
> Oh, I take that back - I see what's going on, and yeah, you're right.
>

How about:
ps H -C java |wc -l

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread Bowie Bailey
Les Mikesell wrote:
> On 5/25/2010 9:55 AM, m.r...@5-cent.us wrote:
>   
>>> m.r...@5-cent.us wrote:
>>>   
>>>> Bowie wrote:
>>>>
>>>>> ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>>>>>
>>>> Now, as dearly as I love awk,
>>>> ps -C java --no-heading | wc -l
>>>>
>>> You are counting processes, the original is counting threads.
>>>
>>> $ ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>>> 29
>>>
>>> $ ps -C java --no-heading | wc -l
>>> 1
>>>   
>> Oh, I take that back - I see what's going on, and yeah, you're right.
>>
>> 
>
> How about:
> ps H -C java |wc -l

Almost, but you're off by one...  :)

ps H -C java --no-headers | wc -l

-- 
Bowie


Re: [CentOS] Unable to execute a script , Permission denied

2010-05-25 Thread m . roth
Les wrote:
> On 5/25/2010 9:55 AM, m.r...@5-cent.us wrote:
>>> m.r...@5-cent.us wrote:
>>>> Bowie wrote:
>>>>
>>>>> ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>>>>
>>>> Now, as dearly as I love awk,
>>>> ps -C java --no-heading | wc -l
>>>
>>> You are counting processes, the original is counting threads.
>>>
>>> $ ps -C java -o thcount | awk ' { total += $1 } END { print total } '
>>> 29
>>>
>>> $ ps -C java --no-heading | wc -l
>>> 1
>>
>> Oh, I take that back - I see what's going on, and yeah, you're right.
>
> How about:
> ps H -C java |wc -l

No joy. On one of our servers, if I do that, I show three processes, but
if I use the thread count flag, I get
THCNT
   63
   59
   62
and the original poster wanted the total threadcount.

 mark
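
The thread-count commands traded in the messages above, run side by side as an added example (not code from any poster). The `ps` output is constructed from the THCNT values 63, 59 and 62 quoted above; the PIDs and function names are assumptions.

```shell
#!/bin/sh
# Added illustration. All sample data is constructed; function names are hypothetical.

# Constructed output of `ps -C java -o thcount` for three JVMs, header included.
sample_thcount() {
    printf '%s\n' 'THCNT' '   63' '   59' '   62'
}

# Constructed output of `ps H -C java`: one header line, then one line per thread.
sample_ps_H() {
    echo '  PID TTY      STAT   TIME COMMAND'
    for spec in 2101:63 2202:59 2303:62; do    # made-up pid:threads pairs
        pid=${spec%%:*}
        n=${spec##*:}
        i=0
        while [ "$i" -lt "$n" ]; do
            printf '%5s ?        Sl     0:00 java\n' "$pid"
            i=$((i + 1))
        done
    done
}

# Sum the thread counts on stdin. Only purely numeric first fields are added,
# so the THCNT header is skipped on purpose, and "+ 0" prints 0 instead of an
# empty line when no process matched.
sum_threads() {
    awk '$1 ~ /^[0-9]+$/ { total += $1 } END { print total + 0 }'
}

# Count lines on stdin, without the padding some wc implementations add.
count_lines() {
    wc -l | tr -d ' '
}

# If the intermediate output must be kept in a file, create it with mktemp so
# it is private to the calling user, rather than writing to a fixed path in a
# directory that another account owns.
sum_via_tempfile() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/thcount.XXXXXX") || return 1
    "$@" > "$tmp"
    sum_threads < "$tmp"
    rm -f "$tmp"
}

# Live form of the pipeline; "thcount=" asks ps for the column with no header.
live_thread_total() {
    ps -C java -o thcount= | sum_threads
}

demo() {
    echo "sum of thcount column (total threads) : $(sample_thcount | sum_threads)"
    echo "lines of thcount output, no header    : $(sample_thcount | sed 1d | count_lines)"
    echo "lines of 'ps H' output with header    : $(sample_ps_H | count_lines)"
    echo "lines of 'ps H' output, header dropped: $(sample_ps_H | sed 1d | count_lines)"
}
demo
```
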



Re: [CentOS] LSI software raid with centos 5.4

2010-05-25 Thread CList
>>>> I have been trying to install CentOS 5.4 on a Intel SR1530SHS, Intel S3200SH
>>>> mainboard.. It has a 3 x 1TB sata hotswap drives with LSI software raid
>>>> onboard.
>>> fake-raid alert!
>>>
>>>> I had configured the LSI to have Sata0 and Sata1 with raid 1 and the third
>>>> drive as a hotspare drive.
>>> Okay...
>>>
>>>> Format the harddisk and installation was a breeze. The server rebooted into
>>>> a blank screen and the cursor just keep blinking.
>>> Drivers for the LSI fake-raid not included in initrd maybe?
>>>> Please advise.
>>> Reinstall and use md raid?
>> 
>> Will I lose the hotswap capability?
>> 
> That depends on the controller and driver...
>
> Just what LSI board is this? A 3ware board or megaraid or what?!?!

It should be an Intel MegaSR

Regards
wL





Re: [CentOS] OT: Strange Email Problem

2010-05-25 Thread Susan Day
On Sat, May 22, 2010 at 1:02 PM, Bart Schaefer wrote:

> On Sat, May 22, 2010 at 6:42 AM, Chris Geldenhuis
>  wrote:
> >
> > The records that Richard was talking about was not that of your actual
> > mail, but the Domain Name Service (DNS) records required to find the
> > destination server and for that server to look up your server to verify
> > that the mail comes from a valid address.
>
> Right so far ...
>
> > I recall a discussion earlier
> > this month about the root DNS servers being updated to a new version of
> > DNS software that would increase the size of the DNS records. This would
> > then take a while to filter through the "tree" of DNS servers and
> > eventually software that could not handle these larger records would
> fail.
>
> You're thinking of the DNSSEC changes to add security information to
> the packets.  That should only affect software that actually asks for
> DNSSEC packets, which presumably excludes any software that isn't
> prepared to handle those responses.
>
> I'm not familiar with the qmail bug that was previously mentioned, but
> from the description it appears to be related to CNAME records, not to
> DNSSEC.
>
>

Oops. Forgot to clean this up. The problem was that named shut down and I
didn't catch it.

Susan


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
Just a follow up note: We've got the same problem again on another fresh
install. Totally different hardware - so the hardware hypothesis bites the
dust. Since other people aren't seeing this, the remaining suspect is our
configuration files. We're using an smbpasswd backend, and in both these
cases moved configuration files over from working Redhat systems for this.

How that can explain the strange breakage (see the long discussion following
the original post for details) is still beyond me. It should break it, or it
shouldn't, and when it breaks it smbd should be able to give some message as
to why ... but it doesn't.

I wonder if the more recent X version of Samba is likely to work better, or
if the breakage here is related to using smbpasswd?

Whit

On Thu, May 20, 2010 at 09:21:28AM -0400, Whit Blauvelt wrote:

> We've got a fresh CentOS 5.4 box, and the only glitch so far is that
> /etc/init.d/smb doesn't start smbd. It claims it does - shows "[ok]" - but
> only nmbd ends up running. Even setting a higher debugging level in the smbd
> flags, nothing logs or shows on the console as to why smbd is immediately
> quitting.
> 
> To make it stranger, doing this works fine:
> 
>   . /etc/init.d/functions
>   daemon smbd -D
> 
> That's the core of how the /etc/init.d/smb file is set up to start it.
> Except from there it's not working - despite the reported "[ok]".
> 
> Anyone seen this, or have advice on how to debug it?
> 
> Thanks,
> Whit


[CentOS] Looking for Linux variant of chairgun

2010-05-25 Thread Rudi Ahlers
Hi,

Does anyone know of a good Linux alternative to Chairgun (
http://www.chairgun.com/), which is used with air rifles?

-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532


[CentOS] User Mode Linux

2010-05-25 Thread Matt
Is anyone using 'user mode linux' to create virtual centos servers
under a master centos server?  Is there a package for this?  Is xen or
something a better way to go?

Matt


Re: [CentOS] User Mode Linux

2010-05-25 Thread Eero Volotinen
2010/5/25 Matt :
> Is anyone using 'user mode linux' to create virtual centos servers
> under a master centos server?  Is there a package for this?  Is xen or
> something a better way to go?

openvz is very similar http://openvz.org

anyway, xen and kvm provide better isolation and memory protection,
but also some more overhead.



--
Eero,
RHCE


Re: [CentOS] User Mode Linux

2010-05-25 Thread Stephen Harris
On Tue, May 25, 2010 at 02:55:27PM -0500, Matt wrote:
> Is anyone using 'user mode linux' to create virtual centos servers
> under a master centos server?  Is there a package for this?  Is xen or
> something a better way to go?

I use it all the time.  I've written a tonne of my own wrapper scripts
to help manage the process and they kinda work.  I can build and deploy
a new server in minutes.  

You need to be careful of UML, though.  The kernel must _not_ allow
loadable modules, otherwise you have no host security at all.  This
may limit it for general purpose stuff.   Performance isn't necessarily
that good, either.

I actually wrote up some basic investigation a couple of months back
where I looked at
   1. RedHat (ahem, sorry, CentOS!) 5.4 64bit Xen
   2. CentOS 5.4 64bit KVM
   3. Citrix XenServer 5.5
   4. VMware ESXi 4.0
   5. VirtualBox 2.2
   6. VMware Server (version unknown)
   7. User Mode Linux (2.6.20.7 based kernel)

The writeup is at
  http://sweh.livejournal.com/362994.html


-- 

rgds
Stephen


Re: [CentOS] Looking for Linux variant of chairgun

2010-05-25 Thread Simon Billis
Hi,

> Does anyone know of a good Linux alternative to Chairgun
> (http://www.chairgun.com/), which is used with air rifles?

I don't know of a linux alternative, but you could run this under wine I
would think.

Rgds

Simon.




Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
Finally, a clue!

Upgraded from the stock smbd version from the 5.4 iso to 3.0.33-3.28.el5,
and now an error message makes it into /var/log/messages:

May 24 15:29:12 xyz smbd[2674]: [2010/05/24 15:29:12, 0] 
lib/messages.c:message_init(132) 
May 24 15:29:12 xyz smbd[2674]:   ERROR: Failed to initialise messages database 

Anyone know what that's about? It's only from the invocation attempts that
dependably fail (like "service smb start"), not from those (like "smbd -D")
that dependably work.

Regards,
Whit


Re: [CentOS] Unable to download the kickstart file ?

2010-05-25 Thread Clint Dilks

On 25/05/10 22:40, sync wrote:



On Tue, May 25, 2010 at 5:03 PM, Eero Volotinen > wrote:


2010/5/25 sync mailto:jian...@gmail.com>>:
> Hi,all:
>
> Today I tried installing a few machines with a kickstart file through NFS.
> But somehow it didn't work and I got the error message "Unable to download
> the kickstart file".
>
>
> I have tested the nfs share mounting from other server and it
worked fine.
> But somehow while trying to  install a fresh machine with ks
file through
> NFS is giving this error message.
>
> Please look in to this and let me know if there is something I
need to
> configure before starting the installation.

Make sure that NFS server access control is not blocking access to
file. See /etc/exports for more info.


Well , I tried to use the following command to check that NFS mounted 
directory in the server:

r...@xxx ~: showmount -e localhost
/instsvr  *

Then I could also mount that share directory in the server .

So I thought the NFS Server access control is no  problem . isn't it ?


--
Eero,
RHCE
   

How are you calling the kick start file, could it be a DNS issue?


Re: [CentOS] Looking for Linux variant of chairgun

2010-05-25 Thread John R Pierce
Rudi Ahlers wrote:
> Hi, 
>
> Does anyone know of a good Linux alternative to Chairgun 
> (http://www.chairgun.com/), which is used with air rifles?

should be pretty easy to reproduce the math in something like Gnu Octave.

y = y0 + x * tan(theta) - g*x^2/(2*(v*cos(theta))^2)

gives height Y at distance X for initial velocity v and firing angle 
theta.   etc etc.   there are heuristics for approximating air friction 
(ignored in the above equation), see
http://en.wikipedia.org/wiki/Ballistic_coefficient
and
http://en.wikipedia.org/wiki/Trajectory_of_a_projectile#Trajectory_of_a_projectile_with_air_resistance

for more detailed math...


[CentOS] Having trouble with LDAP Authentication...

2010-05-25 Thread Andy Akins
I've googled and searched, and have had very little luck...

I have:

1. Installed all the packages.
2. Configured and have running OpenLDAP.
3. Migrated my passwd/shadow/group/hosts files into the directory
4. Tested the directory using ldapsearch
5. Installed LAM (web interface to LDAP authentication)
6. Added a user using LAM.
7. Confirmed user is in directory.
8. Confirmed user is not in /etc/passwd
9. Confirmed using "getent passwd | grep username" that the user is listed.
10. Confirmed using "getent passwd" shows two records for each user except
ldap-only users (one for /etc/passwd, one for LDAP).

However,

"id username"

Returns unknown user

And trying to log in as username at either the terminal or ssh fails, and
upon examining the logs, the error message says unknown user.

I configured /etc/pam.d/system-auth using authconfig-tui, adding only the
pam_mkhomedir.so line (and I tried it without that line as well).

Everything seems right - but it's not working. Can anyone offer any
suggestions as to where I should be looking? If necessary, I'll post my
/etc/openldap/slapd.conf, /etc/openldap/ldap.conf, /etc/pam.d/system-auth,
and /etc/nsswitch.conf files - I just didn't want to send them if not
necessary.

Any help or suggestions would be appreciated. Thanks!

-- 
Andy Akins
Director of Development

NICUSA, Tennessee - A Partnership with Tennessee.gov
Phone: (615) 313-0305
Email: a...@egovtn.org

Visit www.tn.gov - the official website of the State of Tennessee



Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
Following up, that appears to be /var/cache/samba/messages.tdb it can't
initialize. Which sits there with the same permissions on the not-working
CentOS 5.4 systems as on the working Redhat 5.4 systems. Now what could
create a problem for that when started from "/etc/init.d/smb start" but not
from "sh /etc/init.d/smb start" or "smbd -D"?

All ideas are welcome. I'm seeing with the Google that Samba has long been
fragile about this stuff - but haven't found the fix yet.

Whit

On Tue, May 25, 2010 at 04:56:30PM -0400, Whit Blauvelt wrote:

> May 24 15:29:12 xyz smbd[2674]: [2010/05/24 15:29:12, 0] 
> lib/messages.c:message_init(132) 
> May 24 15:29:12 xyz smbd[2674]:   ERROR: Failed to initialise messages 
> database 


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Robert Heller
At Tue, 25 May 2010 15:11:45 -0400 CentOS mailing list  
wrote:

> 
> Just a follow up note: We've got the same problem again on another fresh
> install. Totally different hardware - so the hardware hypothesis bites the
> dust. Since other people aren't seeing this, the remaining suspect is our
> configuration files. We're using an smbpasswd backend, and in both these
> cases moved configuration files over from working Redhat systems for this.

Wondering aloud: were the smbpasswd *data* files copied?  If so how,
exactly? And from what version of samba were the smbpasswd *data*
created with?  And are the permissions of the smbpasswd *data* what they
should be?  Just guessing, but if there is something broken about the
smbpassword database files, this *could* explain some level of problem,
although I would more likely suspect that smbd would just never run, rather
than start and die under *some* conditions, unless those conditions
relate to something like library search paths or something odd.

> 
> How that can explain the strange breakage (see the long discussion following
> the original post for details) is still beyond me. It should break it, or it
> shouldn't, and when it breaks it smbd should be able to give some message as
> to why ... but it doesn't.
> 
> I wonder if the more recent X version of Samba is likely to work better, or
> if the breakage here is related to using smbpasswd?
> 
> Whit
> 
> On Thu, May 20, 2010 at 09:21:28AM -0400, Whit Blauvelt wrote:
> 
> > We've got a fresh CentOS 5.4 box, and the only glitch so far is that
> > /etc/init.d/smb doesn't start smbd. It claims it does - shows "[ok]" - but
> > only nmbd ends up running. Even setting a higher debugging level in the smbd
> > flags, nothing logs or shows on the console as to why smbd is immediately
> > quitting.
> > 
> > To make it stranger, doing this works fine:
> > 
> >   . /etc/init.d/functions
> >   daemon smbd -D
> > 
> > That's the core of how the /etc/init.d/smb file is set up to start it.
> > Except from there it's not working - despite the reported "[ok]".
> > 
> > Anyone seen this, or have advice on how to debug it?
> > 
> > Thanks,
> > Whit

-- 
Robert Heller -- Get the Deepwoods Software FireFox Toolbar!
Deepwoods Software-- Linux Installation and Administration
http://www.deepsoft.com/  -- Web Hosting, with CGI and Database
hel...@deepsoft.com   -- Contract Programming: C/C++, Tcl/Tk





Re: [CentOS] Having trouble with LDAP Authentication...

2010-05-25 Thread Paul Heinlein

On Tue, 25 May 2010, Andy Akins wrote:


 8. Confirmed user is not in /etc/passwd
 9. Confirmed using “getent passwd | grep username” that the user is listed.
10. Confirmed using “getent passwd” shows two records for each user except
ldap-only users (one for /etc/passwd, one for LDAP).

However,

“id username”

Returns unknown user


Before the heavy troubleshooting starts, double-check that nscd is 
installed, configured, and working. You might want to restart it to 
make sure.


Second -- and I personally hate this, though I can attest it sometimes 
works -- rebooting the machine will sometimes fix this. In particular, 
I've seen the nss_ldap stuff have trouble in TLS environments when the
server cert (or the CA that signed it) wasn't present at boot time.


The next step would be to run something like

  strace -o /tmp/getent.trace getent passwd username
  strace -o /tmp/id.trace id username

I'd identify where id is trying to locate user info and make sure it 
looks like the same place getent is using.


On my CentOS systems, I note that id uses read() to access nscd while 
getent uses recvmsg(). I'm unsure if that difference would cause the 
problem, but it might be a place to look if you've got SELinux logs 
auditing things.


--
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
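
One way to carry out the trace comparison suggested in the message above, as an added example (not code from the thread): it reduces each `strace -o` output file to the name-service files, sockets and TCP endpoints the command touched, then lists what only one of the two commands used. Both traces are constructed for illustration and are not from the poster's system; the function names, paths and the 192.0.2.10 address are assumptions.

```shell
#!/bin/sh
# Added illustration; trace contents are constructed, function names are hypothetical.

# Reduce one strace output file to the name-service sources it touched,
# one per line, as "ok <source>" or "FAIL <source>".
nss_sources() {
    LC_ALL=C awk '
    /^(open|openat|connect|stat|access)\(/ {
        src = ""
        if (match($0, /"\/[^"]*"/)) {
            # First quoted absolute path: a file or a UNIX socket
            src = substr($0, RSTART + 1, RLENGTH - 2)
        } else if (match($0, /inet_addr\("[^"]*"\)/)) {
            # TCP endpoint, e.g. the LDAP server
            addr = substr($0, RSTART + 11, RLENGTH - 13)
            port = "?"
            if (match($0, /htons\([0-9]+\)/))
                port = substr($0, RSTART + 6, RLENGTH - 7)
            src = "tcp:" addr ":" port
        }
        if (src == "") next
        # Keep only lookup-related paths; every TCP endpoint is kept
        if (src !~ /^tcp:/ && src !~ /nsswitch|libnss_|nscd|ldap|\/etc\/(passwd|group|shadow)/) next
        status = ($0 ~ /\) *= -1 /) ? "FAIL" : "ok"
        print status, src
    }' "$1" | LC_ALL=C sort -u
}

# Print the sources found in trace $1 that do not appear in trace $2.
only_in_first() {
    a=$(mktemp "${TMPDIR:-/tmp}/nssa.XXXXXX") || return 1
    b=$(mktemp "${TMPDIR:-/tmp}/nssb.XXXXXX") || { rm -f "$a"; return 1; }
    nss_sources "$1" > "$a"
    nss_sources "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Write two constructed traces into directory $1. In this made-up case getent
# walks nsswitch.conf and reaches the LDAP server, while id is answered over
# the nscd socket and never loads libnss_ldap.
write_sample_traces() {
    cat > "$1/getent.trace" <<'EOF'
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/etc/nsswitch.conf", O_RDONLY)    = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY)           = 3
open("/lib64/tls/libnss_ldap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib64/libnss_ldap.so.2", O_RDONLY) = 3
open("/etc/ldap.conf", O_RDONLY)        = 4
connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
EOF
    cat > "$1/id.trace" <<'EOF'
open("/etc/ld.so.cache", O_RDONLY)      = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 0
EOF
}

# Stand-alone run over the constructed traces
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/nssdemo.XXXXXX") || exit 1
write_sample_traces "$demo_dir"
echo "Touched by getent only:"
only_in_first "$demo_dir/getent.trace" "$demo_dir/id.trace"
echo "Touched by id only:"
only_in_first "$demo_dir/id.trace" "$demo_dir/getent.trace"
rm -rf "$demo_dir"
```

On a real host the two inputs would be the `/tmp/getent.trace` and `/tmp/id.trace` files produced by the strace commands in the message.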


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Robert Heller
At Tue, 25 May 2010 17:26:26 -0400 CentOS mailing list  
wrote:

> 
> Following up, that appears to be /var/cache/samba/messages.tdb it can't
> initialize. Which sits there with the same permissions on the not-working
> CentOS 5.4 systems as on the working Redhat 5.4 systems. Now what could
> create a problem for that when started from "/etc/init.d/smb start" but not
> from "sh /etc/init.d/smb start" or "smbd -D"?
> 
> All ideas are welcome. I'm seeing with the Google that Samba has long been
> fragile about this stuff - but haven't found the fix yet.

Was this file *copied* from the Redhat 5.4 system(s) or created fresh
under CentOS?


> 
> Whit
> 
> On Tue, May 25, 2010 at 04:56:30PM -0400, Whit Blauvelt wrote:
> 
> > May 24 15:29:12 xyz smbd[2674]: [2010/05/24 15:29:12, 0] 
> > lib/messages.c:message_init(132) 
> > May 24 15:29:12 xyz smbd[2674]:   ERROR: Failed to initialise messages 
> > database 

-- 
Robert Heller -- Get the Deepwoods Software FireFox Toolbar!
Deepwoods Software-- Linux Installation and Administration
http://www.deepsoft.com/  -- Web Hosting, with CGI and Database
hel...@deepsoft.com   -- Contract Programming: C/C++, Tcl/Tk

 


Re: [CentOS] User Mode Linux

2010-05-25 Thread Les Mikesell
On 5/25/2010 3:08 PM, Stephen Harris wrote:
> On Tue, May 25, 2010 at 02:55:27PM -0500, Matt wrote:
>> Is anyone using 'user mode linux' to create virtual centos servers
>> under a master centos server?  Is there a package for this?  Is xen or
>> something a better way to go?
>
> I use it all the time.  I've written a tonne of my own wrapper scripts
> to help manage the process and they kinda work.  I can build and deploy
> a new server in minutes.
>
> You need to be careful of UML, though.  The kernel must _not_ allow
> loadable modules, otherwise you have no host security at all.  This
> may limit it for general purpose stuff.   Performance isn't necessarily
> that good, either.
>
> I actually wrote up some basic investigation a couple of months back
> where I looked at
> 1. RedHat (ahem, sorry, CentOS!) 5.4 64bit Xen
> 2. CentOS 5.4 64bit KVM
> 3. Citrix XenServer 5.5
> 4. VMware ESXi 4.0
> 5. VirtualBox 2.2
> 6. VMware Server (version unknown)
> 7. User Mode Linux (2.6.20.7 based kernel)
>
> The writeup is at
>http://sweh.livejournal.com/362994.html

Good article, but kind of outdated already - and doesn't mention the 
free vmware converter tool to move guests from physical machines to 
vmware or between esxi/server/portable image types which is one of the 
nicer points.  If reinstalling the base OS is an option and you have a 
windows box to run the client, VMware ESXi is a good choice as the host 
even though the free version doesn't give you the nifty cloning features.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 05:38:59PM -0400, Robert Heller wrote:

> Wondering aloud: were the smbpasswd *data* files copied?  If so how,
> exactly? And from what version of samba were the smbpasswd *data*
> created with?  And are the permissions of the smbpasswd *data* what they
> should be?  Just guessing, but if there is something broken about the
> smbpassword database files, this *could* explain some level of problem,
> although I would more likely suspect that smbd would just never run, rather
> than start and die under *some* conditions, unless those conditions
> relate to something like library search paths or something odd.

Fair questions. The smbpasswd data files were copied from Redhat Samba
Version 3.0.33-3.15.el5_4 (to CentOS Samba Version 3.0.33-3.28.el5). The
UIDs in the second field were hand edited (to no discernable effect). The
users (only two) can log on fine to these systems once smbd has been started
(e.g. with "smbd -D"). 

What I'm finding in comparing a working Redhat 5.4 system is that smbd
starts up with a link through /proc/[smbd pid]/fd which then includes a
bunch of stuff including:

lrwx------ 1 root root 64 May 25 17:45 9 -> /var/cache/samba/messages.tdb

Now, when smbd is started as "smbd -D" on CentOS there is no /proc/[pid] set
up for it. There is for nmbd, from the init.d/smb file's running, a
/proc/[nmbd pid]/fd set up although that doesn't use messages.tdb.

Just where in all that the real problem is I can't say yet. Could it be in
setting up the /proc/[pid] directory for smbd? Or in connecting that
directory once set up to /var/cache/samba/messages.tdb? And what's that even
used for, if smbd runs just fine without it? 

Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 05:47:00PM -0400, Robert Heller wrote:

> Was this file *copied* from the Redhat 5.4 system(s) or created fresh
> under CentOS?

If you mean /etc/init.d/smb, it's CentOS's version. The entire difference
between the two, just for the record, is:

# diff smb /etc/init.d/smb
10a11
> echo $PATH > path.txt
37c38
< RETVAL=0
---
> echo $PATH >> path.txt
38a40
> RETVAL=0

where "smb" is RH's version and /etc/init.d/smb is Cent's. I can't quite
imagine that a difference between overwriting or appending path.txt is at
the root of what I'm seeing though.

Thanks,
Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 06:05:34PM -0400, Whit Blauvelt wrote:

> where "smb" is RH's version and /etc/init.d/smb is Cent's. I can't quite
> imagine that a difference between overwriting or appending path.txt is at
> the root of what I'm seeing though.

Correction: that wasn't a virgin version of Cent's. More in a moment.

Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 06:09:40PM -0400, Whit Blauvelt wrote:

> Correction: that wasn't a virgin version of Cent's. More in a moment.

This gets more bizarre. To a virgin version of Cent's /etc/init.d/smb - it's
a perfect match:

 # diff ./smb /etc/init.d/smb
 # 

That's right, no diff!

Yet if I run ./smb - the Redhat version, identical but for where it sits, it
starts smbd with no problem. But /etc/init.d/smb of course still fails. Both
are rwxr-xr-x 1 root root. So: same file contents, same file permissions and
ownership, same invocation, and the one in /etc/init.d fails.

On two different CentOS systems.

WTF?

Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Todd Denniston
Whit Blauvelt wrote, On 05/25/2010 06:05 PM:
> On Tue, May 25, 2010 at 05:47:00PM -0400, Robert Heller wrote:
> 
>> Was this file *copied* from the Redhat 5.4 system(s) or created fresh
>> under CentOS?
> 
> If you mean /etc/init.d/smb, it's CentOS's version. The entire difference
> between the two, just for the record, is:
> 
> # diff smb /etc/init.d/smb
> 10a11
>> echo $PATH > path.txt
> 37c38
> < RETVAL=0
> ---
>> echo $PATH >> path.txt
> 38a40
>> RETVAL=0
> 
> where "smb" is RH's version and /etc/init.d/smb is Cent's. I can't quite
> imagine that a difference between overwriting or appending path.txt is at
> the root of what I'm seeing though.
> 

I have not been following this thread closely, but perhaps Robert was pointing
at SELINUX and the need to keep the SE permissions intact as you copy/edit the
file.

i.e. you may need to:
A) restorecon /etc/init.d/smb and any other samba files that you have
   copied/edited.
B) look in one of the /var/log/ files for selinux messages when you are
   starting samba.

Good luck.
-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Rudi Ahlers
On Wed, May 26, 2010 at 12:17 AM, Whit Blauvelt  wrote:

> On Tue, May 25, 2010 at 06:09:40PM -0400, Whit Blauvelt wrote:
>
> > Correction: that wasn't a virgin version of Cent's. More in a moment.
>
> This gets more bizarre. To a virgin version of Cent's /etc/init.d/smb -
> it's
> a perfect match:
>
>  # diff ./smb /etc/init.d/smb
>  #
>
> That's right, no diff!
>
> Yet if I run ./smb - the Redhat version, identical but for where it sits,
> it
> starts smbd with no problem. But /etc/init.d/smb of course still fails.
> Both
> are rwxr-xr-x 1 root root. So: same file contents, same file permissions
> and
> ownership, same invocation, and the one in /etc/init.d fails.
>
> On two different CentOS systems.
>
> WTF?
>
> Whit
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Maybe it's on a bad inode?

-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Les Mikesell
On 5/25/2010 5:09 PM, Whit Blauvelt wrote:
> On Tue, May 25, 2010 at 06:05:34PM -0400, Whit Blauvelt wrote:
>
>> where "smb" is RH's version and /etc/init.d/smb is Cent's. I can't quite
>> imagine that a difference between overwriting or appending path.txt is at
>> the root of what I'm seeing though.
>
> Correction: that wasn't a virgin version of Cent's. More in a moment.

Try changing:
daemon smbd $SMBDOPTIONS
to
  strace -f smbd $SMBDOPTIONS
and run it in the way that fails.  If there's not enough left on the 
screen to see why it died, try
  strace -f smbd $SMBDOPTIONS 2>/tmp/smblog
and look at the file reading backwards to find a fatal error.

I'm still very curious about why it would work when run with 'sh'.

-- 
   Les Mikesell
lesmikes...@gmail.com



Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Brunner, Brian T.
WTE?
do
printenv > dot.slash.env 
add to /etc/init.d/smb
printenv > ~/init.d.smb.env
then execute /etc/init.d/smb

There has got to be a difference between the two environments causing
identical scripts to behave differently depending on how they're
executed.

unless

PATH searches . before other directories, *and* there is a file in
/etc/init.d or ~ that causes different behavior.

(hint, make sure . is last in your PATH, if it's there at all.  Security
breach can exploit a misplaced PATH . )

> -Original Message-
> From: centos-boun...@centos.org 
> [mailto:centos-boun...@centos.org] On Behalf Of Whit Blauvelt
> Sent: Tuesday, May 25, 2010 6:18 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Odd failure of smbd to start from 
> init.d - CentOS 5.4
> 
> On Tue, May 25, 2010 at 06:09:40PM -0400, Whit Blauvelt wrote:
> 
> > Correction: that wasn't a virgin version of Cent's. More in 
> a moment.
> 
> This gets more bizarre. To a virgin version of Cent's 
> /etc/init.d/smb - it's a perfect match:
> 
>  # diff ./smb /etc/init.d/smb
>  # 
> 
> That's right, no diff!
> 
> Yet if I run ./smb - the Redhat version, identical but for 
> where it sits, it starts smbd with no problem. But 
> /etc/init.d/smb of course still fails. Both are rwxr-xr-x 1 
> root root. So: same file contents, same file permissions and 
> ownership, same invocation, and the one in /etc/init.d fails.
> 
> On two different CentOS systems.
> 
> WTF?
> 
> Whit
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
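
The PATH hint in the message above can be checked mechanically. The following is an added example, not part of any poster's message; `path_audit` is a hypothetical helper name and the PATH values passed to it are constructed.

```shell
#!/bin/sh
# Added example: report PATH entries that make command lookup depend on the
# current directory, or that any local user could drop a file into.

# path_audit [PATH-string]
# Prints one finding per risky entry and nothing for a clean PATH.
# With no argument it audits the caller's own $PATH.
path_audit() {
    p=${1-$PATH}
    pos=0
    # A sentinel colon keeps a trailing empty entry ("/usr/bin:") visible.
    rest="$p:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}     # text before the first colon
        rest=${rest#*:}       # everything after the first colon
        pos=$((pos + 1))
        case $entry in
            '')
                # "::", a leading ":" or a trailing ":" all mean "current directory".
                echo "entry $pos: empty (searches the current directory)" ;;
            .)
                echo "entry $pos: . (searches the current directory)" ;;
            /*)
                # -H resolves a symlinked entry (e.g. /bin -> usr/bin) before testing it.
                if [ -n "$(find -H "$entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                    echo "entry $pos: $entry is world-writable"
                fi ;;
            *)
                echo "entry $pos: $entry is relative to the current directory" ;;
        esac
    done
}

# Constructed PATH value: "." first, an empty entry, and a relative directory.
path_audit ".:/usr/local/bin::bin"
```

Running `path_audit` with no argument as root, once from an interactive shell and once from inside the init script, shows whether either environment searches the working directory.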


Re: [CentOS] Having trouble with LDAP Authentication...

2010-05-25 Thread Ryan Manikowski

On 5/25/2010 5:16 PM, Andy Akins wrote:

I've googled and searched, and have had very little luck...

I have:

   1. Installed all the packages.
   2. Configured and have running OpenLDAP.
   3. Migrated my passwd/shadow/group/hosts files into the directory
   4. Tested the directory using ldapsearch
   5. Installed LAM (web interface to LDAP authentication)
   6. Added a user using LAM.
   7. Confirmed user is in directory.
   8. Confirmed user is not in /etc/passwd
   9. Confirmed using "getent passwd | grep username" that the user is
  listed.
  10. Confirmed using "getent passwd" shows two records for each user
  /except/ ldap-only users (one for /etc/passwd, one for LDAP).


However,

"id username"

Returns unknown user

And trying to log in as username at either the terminal or ssh fails, 
and upon examining the logs, the error message says unknown user.


I configured /etc/pam.d/system-auth using authconfig-tui, adding only 
the pam_mkhomedir.so line (and I tried it without that line as well).


Everything /seems/ right -- but it's not working. Can anyone offer any 
suggestions as to where I should be looking? If necessary, I'll post 
my /etc/openldap/slapd.conf, /etc/openldap/ldap.conf, 
/etc/pam.d/system-auth, and /etc/nsswitch.conf files -- I just didn't 
want to send them if not necessary.


Any help or suggestions would be appreciated. Thanks!

--
Andy Akins
Director of Development

NICUSA, Tennessee -- A Partnership with Tennessee.gov
Phone: (615) 313-0305
Email: a...@egovtn.org

Visit www.tn.gov - the official website of the State of Tennessee

   


We'll assume you've properly configured your OpenLDAP server and can 
query the directory and whatever user/group accounts you have created 
are valid.


Now, you make no statements regarding the system that you are attempting 
to authenticate from. Run 'authconfig-tui' from the console/terminal and 
ensure the ldap server is specified.


See this page 
(http://beginlinux.com/server_training/server-managment-topics/1316-set-up-ldap-client) 
and concern yourself with the 2 screenshots for now. You can tweak the 
manual settings to your heart's content but ONLY need to set the options 
contained in the screenshots to at least get LDAP auth working.


Make sure you leave an '*' next to 'Local authentication is sufficient' 
as well so the system continues to auth local accounts. Placing a '*' 
next to 'Cache Information' will enable nscd.




Ryan Manikowski


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
Hi Brian,

I've been all over the environment comparisons before, I think. The question
currently is:

What can be the difference between 

"/home/smb restart" - which works, and
"/etc/init.d/smb restart" - which fails

when a diff between the two smb files shows no difference? 

This is with both of them run from the same (bash) root shell, by hand.
Those should have _exactly_ the same environments aside from the PWD envar,
right? - unless there's something magical about how init.d scripts run just
if they find themselves run from /etc/init.d rather than elsewhere. Maybe
there is.

The smb file sources /etc/init.d/functions, but I can't find anything there
that obviously cares whether the smb file sourcing it is run from
/etc/init.d. Am I missing something? Also sourced are /etc/sysconfig/samba -
which is the same in any case, and the same on working RH systems; and
/etc/sysconfig/network - which differs in machine name, and in that ipv6 is
set "on" for CentOS but not RH - but that shouldn't make a script care if
it's started from /etc/init.d or elsewhere. 

Best,
Whit

On Tue, May 25, 2010 at 06:24:43PM -0400, Brunner, Brian T. wrote:
> WTE?
> do
> printenv > dot.slash.env 
> add to /etc/init.d/smb
> printenv > ~/init.d.smb.env
> then execute /etc/init.d/smb
> 
> There has got to be a difference between the two environments causing
> identical scripts to behave differently depending on how they're
> executed.
> 
> unless
> 
> PATH searches . before other directories, *and* there is a file in
> /etc/init.d or ~ that causes different behavior.
> 
> (hint, make sure . is last in your PATH, if it's there at all.  Security
> breach can exploit a misplaced PATH . )


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Jerry Franz
On 05/25/2010 04:11 PM, Whit Blauvelt wrote:
> Hi Brian,
>
> I've been all over the environment comparisons before, I think. The question
> currently is:
>
> What can be the difference between
>
> "/home/smb restart" - which works, and
> "/etc/init.d/smb restart" - which fails
>
> when a diff between the two smb files shows no difference?
>

Are you running with SELinux on?

-- 
Benjamin Franz


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
Les,

At risk of clogging mail boxes, see below, and note this line in the middle:

open("/var/cache/samba/messages.tdb", O_RDWR|O_CREAT, 0600) = -1 EACCES (Permission denied)

Now, if I copy that modified smb file elsewhere and run it, for one
difference output stops without returning to prompt at:

[pid  5525] fcntl(20, F_GETFL)  = 0 (flags O_RDONLY)
[pid  5525] fcntl(20, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
[pid  5525] fcntl(21, F_GETFL)  = 0x1 (flags O_WRONLY)
[pid  5525] fcntl(21, F_SETFL, O_WRONLY|O_NONBLOCK) = 0
[pid  5525] select(21, [19 20], NULL, NULL, NULL

and if I ctrl-C it there I get:

 
strace: ptrace(PTRACE_CONT,1,133): Input/output error
Process 5526 detached
strace: ptrace(PTRACE_CONT,1,133): Input/output error
Process 5525 detached

but smbd is then running. 

Also running it from outside /etc/init.d gives a _lot_ of lines which aren't
in the output below, which look like:

fcntl(14, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=404, len=1}) = 0
fcntl(14, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=404, len=1}) = 0
fcntl(14, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=404, len=1}) = 0
fcntl(14, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=404, len=1}) = 0
fcntl(14, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=404, len=1}) = 0
fcntl(14, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=404, len=1}) = 0
fcntl(14, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=456, len=1}) = 0
fcntl(14, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=456, len=1}) = 0
fcntl(14, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=512, len=1}) = 0

So there is something about how the same file, from the same root shell,
behaves from a different location in the file tree. As for the permissions
on /var/cache/samba/, they are the same on the CentOS 5.4 and Redhat 5.4:

drwxr-xr-x 5 root root

The messages.tdb file there is -rw------- 1 root root on both Redhat and
CentOS, and changing it to be more permissive does not fix the problem.

Here's the strace starting it from /etc/init.d/smb:

# ./smb restart
Shutting down SMB services:[FAILED] ( 
-- wasn't running )
Shutting down NMB services:[  OK  ]

Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 06:23:02PM -0400, Todd Denniston wrote:
> I have not been following this thread closely, but perhaps Robert was 
> pointing at SELINUX and the
> need to keep the SE permissions intact as you copy/edit the file.
> 
> i.e. you may need to:
> A) restorecon /etc/init.d/smb and any other samba files that you have 
> copied/edited.

It doesn't work with the smb file which is virgin, as installed by CentOS.

> B) look in one of the /var/log/ files for selinux messages when you are 
> starting samba.

There are no lines in any log file with both "selinux" combined with either
"mbd" or "samba". Plus selinux is just in advisory mode if not specifically
configured to be in the way, isn't it?

> Good luck.

I'll take it if I can. Thanks.

Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 04:33:53PM -0700, Jerry Franz wrote:

> Are you running with SELinux on?

Now there's a good question, it turns out. I'd assumed CentOS followed the
pattern of most distros in having it not be in strictest mode
out-of-the-box, but in /etc/selinux/config:

SELINUX=enforcing

I can see where to turn it off in /etc/selinux/config. But what's the step
to get it to restart, other than rebooting the system? Reload a module?

And I'd point out that _nothing_ about smbd was being logged previously,
until upgrading samba from the CentOS 5.4 version to the current version
started throwing this error:

May 25 19:22:26 xyz smbd[5455]: [2010/05/25 19:22:26, 0] lib/messages.c:message_init(132) 
May 25 19:22:26 xyz smbd[5455]:   ERROR: Failed to initialise messages database 

Isn't selinux supposed to be competent enough to log events that it
presents? There's nothing from it in anything under /var/log. So if selinux
is causing this whole problem, it's pretty incompetent at it. Anything worth
blocking is certainly worth logging, right?

Whit




Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Robert Heller
At Tue, 25 May 2010 18:05:34 -0400 CentOS mailing list  
wrote:

> 
> On Tue, May 25, 2010 at 05:47:00PM -0400, Robert Heller wrote:
> 
> > Was this file *copied* from the Redhat 5.4 system(s) or created fresh
> > under CentOS?
> 
> If you mean /etc/init.d/smb, it's CentOS's version. The entire difference
> between the two, just for the record, is:
> 
> # diff smb /etc/init.d/smb
> 10a11
> > echo $PATH > path.txt
> 37c38
> < RETVAL=0
> ---
> > echo $PATH >> path.txt
> 38a40
> > RETVAL=0
> 
> where "smb" is RH's version and /etc/init.d/smb is Cent's. I can't quite
> imagine that a difference between overwriting or appending path.txt is at
> the root of what I'm seeing though.

I meant the .tlb (or whatever it is file) under /var/

> 
> Thanks,
> Whit
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
>   
>   

-- 
Robert Heller -- Get the Deepwoods Software FireFox Toolbar!
Deepwoods Software-- Linux Installation and Administration
http://www.deepsoft.com/  -- Web Hosting, with CGI and Database
hel...@deepsoft.com   -- Contract Programming: C/C++, Tcl/Tk

 


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 07:55:12PM -0400, Whit Blauvelt wrote:
> On Tue, May 25, 2010 at 04:33:53PM -0700, Jerry Franz wrote:
> 
> > Are you running with SELinux on?

You were right Jerry! 

echo 0 > /selinux/enforce

and then /etc/init.d/smb restart works! Thank you much Jerry!

Now why doesn't that fine piece of government work, selinux, do something
standard and useful like log when it's instituting breakage?? I get that
it's doing it "for your own good," but what good is it if it doesn't tell
you what it's doing? The _first place_ I looked when we ran into this
problem was the logs. Nada. Zilch.

Programs that try to be smarter than the root user are annoying enough.
Programs that do that and don't try to educate the root user while they're
doing it are worse. There are standards for logging. Selinux is ignoring
them. If it's going to be breaking stuff by default, and failing to log the
breakage by default, that's not remotely good. Yet that's how CentOS
installs it. Are we downstream of some Redhat brilliance here?

Pardon my English,
Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Les Mikesell
Whit Blauvelt wrote:
> On Tue, May 25, 2010 at 07:55:12PM -0400, Whit Blauvelt wrote:
>> On Tue, May 25, 2010 at 04:33:53PM -0700, Jerry Franz wrote:
>>
>>> Are you running with SELinux on?
> 
> You were right Jerry! 
> 
> echo 0 > /selinux/enforce
> 
> and then /etc/init.d/smb restart works! Thank you much Jerry!
> 
> Now why doesn't that fine piece of government work, selinux, do something
> standard and useful like log when it's instituting breakage?? I get that
> it's doing it "for your own good," but what good is it if it doesn't tell
> you what it's doing? The _first place_ I looked when we ran into this
> problem was the logs. Nada. Zilch.
> 
> Programs that try to be smarter than the root user are annoying enough.
> Programs that do that and don't try to educate the root user while they're
> doing it are worse. There are standards for logging. Selinux is ignoring
> them. If it's going to be breaking stuff by default, and failing to log the
> breakage by default, that's not remotely good. Yet that's how CentOS
> installs it. Are we downstream of some Redhat brilliance here?

I would have looked at selinux first for any "odd failure", but I thought it
related to the process itself and couldn't see any way that the process would
be different when started as "sh /etc/init.d/smb restart" than simply
/etc/init.d/smb restart.  Is it?

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Ross Walker
On May 25, 2010, at 8:25 PM, Whit Blauvelt  wrote:

> On Tue, May 25, 2010 at 07:55:12PM -0400, Whit Blauvelt wrote:
>> On Tue, May 25, 2010 at 04:33:53PM -0700, Jerry Franz wrote:
>>
>>> Are you running with SELinux on?
>
> You were right Jerry!
>
> echo 0 > /selinux/enforce
>
> and then /etc/init.d/smb restart works! Thank you much Jerry!
>
> Now why doesn't that fine piece of government work, selinux, do  
> something
> standard and useful like log when it's instituting breakage?? I get  
> that
> it's doing it "for your own good," but what good is it if it doesn't  
> tell
> you what it's doing? The _first place_ I looked when we ran into this
> problem was the logs. Nada. Zilch.
>
> Programs that try to be smarter than the root user are annoying  
> enough.
> Programs that do that and don't try to educate the root user while  
> they're
> doing it are worse. There are standards for logging. Selinux is  
> ignoring
> them. If it's going to be breaking stuff by default, and failing to  
> log the
> breakage by default, that's not remotely good. Yet that's how CentOS
> installs it. Are we downstream of some Redhat brilliance here?

Selinux alerts are in /var/log/audit/audit.log

The problem is if smbd doesn't create the messages.tdb file then it  
won't have the selinux rights.

That file can be deleted and will be recreated on smbd start, it's  
just a cache file.

-Ross
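
Reading the audit log named in the message above, as an added example that is not part of any poster's message: the function groups `type=AVC` denial records by command, permission, object and the two SELinux contexts involved. The function names and the sample records, including their labels, are constructed for illustration; the thread does not show the real records.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials from audit.log by what was blocked.

# CONSTRUCTED sample records in the audit.log AVC format. The labels are
# illustrative only; they are not taken from the systems discussed here.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1274829746.101:311): avc:  denied  { read write } for  pid=5455 comm="smbd" name="messages.tdb" dev=dm-0 ino=1311045 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1274829746.101:311): arch=c000003e syscall=2 success=no exit=-13 ppid=5454 pid=5455 uid=0 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1274829801.220:318): avc:  denied  { read write } for  pid=5502 comm="smbd" name="messages.tdb" dev=dm-0 ino=1311045 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1274829900.007:325): avc:  denied  { getattr } for  pid=5600 comm="httpd" path="/srv/www/index.html" dev=dm-0 ino=2200017 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:default_t:s0 tclass=file
EOF
}

# avc_denials [COMM] < audit.log
# Prints "<count>x <comm> <perms> <tclass> <object> <scontext> -> <tcontext>"
# for each distinct denial, in first-seen order. With COMM given, only
# denials for that command name are reported.
avc_denials() {
    awk -v want="$1" '
    /^type=AVC / && / denied / {
        perms = ""; comm = ""; obj = ""; scon = ""; tcon = ""; cls = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            # The denied permissions sit between "{" and "}".
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perms = (perms == "" ? $i : perms "," $i); continue }
            # Everything else of interest is a key=value field.
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            gsub(/"/, "", v)
            if      (k == "comm")                obj_comm = comm = v
            else if (k == "name" || k == "path") obj  = v
            else if (k == "scontext")            scon = v
            else if (k == "tcontext")            tcon = v
            else if (k == "tclass")              cls  = v
        }
        if (want != "" && comm != want) next
        key = comm " " perms " " cls " " obj " " scon " -> " tcon
        if (!(key in n)) order[++cnt] = key
        n[key]++
    }
    END { for (j = 1; j <= cnt; j++) print n[order[j]] "x " order[j] }
    '
}

# Demonstration on the constructed records.
sample_audit_log | avc_denials smbd
```

On a live system, run `avc_denials smbd < /var/log/audit/audit.log` as root; the source and target contexts in each line show which label the denied process ran under and which label the file carried.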



Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 07:46:56PM -0500, Les Mikesell wrote:

> I would have looked at selinux first for any "odd failure", but I thought it 
> related to the process itself and couldn't see any way that the process would 
> be 
> different when started as "sh /etc/init.d/smb restart" than simply 
> /etc/init.d/smb restart.  Is it?

That selinux would prevent a normal init.d startup of a common daemon like
smbd, but allow the same startup in several other ways ... okay, I've never
studied selinux. I usually run Ubuntu on servers. I've pretty much literally
inherited a bunch of RH-based servers to admin (coworker sadly died), and
we're adding more to run in parallel, so CentOS was obvious (RH-the-firm
being so badly run it took staff days over the phone just to buy a single
new license from them). Of course AppArmor can also get in the way, but at
least it logs such actions, so it's obvious if you need to reconfig or turn
it off.

I'm solidly impressed with this list. Nothing like it for Ubuntu, and back
when Gentoo was my preferred server distro there was more noise surrounding
that too. It shows that the interest in CentOS is entirely professional. So
that's a strong upside.

But if someone can tell me why selinux thinks it's sane to block
"/etc/init.d/smb start" while leaving "sh /etc/init.d/smb start" and even
"/some/random/dir/smb start" wide open ... I just can't believe some happy
hacker at NSA thought that would count as a security scheme. Really, I'd
like to know how this is supposed to be useful.

Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 08:52:58PM -0400, Ross Walker wrote:

> Selinux alerts are in /var/log/audit/audit.log

Thank you for that. Cryptic, but there it is.

> The problem is if smbd doesn't create the messages.tdb file then it  
> won't have the selinux rights.

I don't follow you. What else could have ever created the messages.tdb file?
These were virgin OS installs. Whatever's in /var/cache/samba, at the time
that smbd wouldn't run - which is right off the bat or at least as soon as it
mattered to us, after our config was in place - is there only because either
the CentOS install, or samba itself in trying to start it from
/etc/init.d/smb, put it there. What else could have ever created
messages.tdb than smbd?

If selinux's real complaint is that it doesn't like the files in /etc/samba
being copied in from another system, that would make some sense - except
that I'm not finding any mention of any of those files in the audit logs.
And that still doesn't say why it starts having a problem with
/var/cache/samba/messages.tdb. Does it?

> That file can be deleted and will be recreated on smbd start, it's  
> just a cache file.

So in theory if I'd nuked that file smbd would have been happy?

Then why was it also happy with "sh /etc/init.d/smb start" but not
"/etc/init.d/smb start"? I'm happy to become more educated on this. But if
invoking a major daemon startup that selinux wants to block is as easy as
that, selinux is window dressing, not security.

What am I missing about how that's anything like useful?

Regards,
Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Jason Pyeron
 

> -Original Message-
> From: centos-boun...@centos.org 
> [mailto:centos-boun...@centos.org] On Behalf Of Whit Blauvelt
> Sent: Tuesday, May 25, 2010 21:27
> To: CentOS mailing list
> Subject: Re: [CentOS] Odd failure of smbd to start from 
> init.d - CentOS 5.4 - it's that fine SELinux
> 
> On Tue, May 25, 2010 at 07:46:56PM -0500, Les Mikesell wrote:
> 
> > I would have looked at selinux first for any "odd failure", but I 
> > thought it related to the process itself and couldn't see 
> any way that 
> > the process would be different when started as "sh /etc/init.d/smb 
> > restart" than simply /etc/init.d/smb restart.  Is it?
> 
> That selinux would prevent a normal init.d startup of a 
> common daemon like smbd, but allow the same startup in 
> several other ways ... okay, I've never studied selinux. I 
> usually run Ubuntu on servers. I've pretty much literally 
> inherited a bunch of RH-based servers to admin (coworker 
> sadly died), and we're adding more to run in parallel, so 
> CentOS was obvious (RH-the-firm being so badly run it took 
> staff days over the phone just to buy a single new license 
> from them). Of course AppArmor can also get in the way, but 
> at least it logs such actions, so it's obvious if you need to 
> reconfig or turn it off.
> 
> I'm solidly impressed with this list. Nothing like it for 
> Ubuntu, and back when Gentoo was my preferred server distro 
> there was more noise surrounding that too. It shows that the 
> interest in CentOS is entirely professional. So that's a 
> strong upside.
> 
> But if someone can tell me why selinux thinks it's sane to 
> block "/etc/init.d/smb start" while leaving "sh 
> /etc/init.d/smb start" and even "/some/random/dir/smb start" 
> wide open ... I just can't believe some happy hacker at NSA 

If you look at it as the two different commands, then they may have different
permissions, owners, contexts, etc...

/bin/sh vs /etc/init.d/smb

I am just logically guessing here but ...

> thought that would count as a security scheme. Really, I'd 
> like to know how this is supposed to be useful.
> 
> Whit

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.



Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Jay Leafey

Whit Blauvelt wrote:

> Then why was it also happy with "sh /etc/init.d/smb start" but not
> "/etc/init.d/smb start". I'm happy to become more educated on this. But if
> invoking a major daemon startup that selinux wants to block is as easy as
> that, selinux is window dressing, not security.
>
> What am I missing about how that's anything like useful?

As I understand it, the two different methods of invocation could 
involve different SELinux contexts.  Under one of them the process could 
be less constrained than the other.  If you want details, you'll have to 
look elsewhere, I'm just another seeker!


I've found that running the SELinux troubleshooter has been very helpful. 
SELinux can be a royal pain, particularly with software not written 
with it in mind (cough*Oracle*cough).  I try to discourage the "just 
turn off SELinux" mindset... it sorta reminds me of the excuses for NOT 
using seat belts.


In your case, there should have been AVC errors showing up in the audit 
log related to smbd.  Using restorecon to fix up the security context on 
the files in /etc/samba might have resolved the issue quickly... but I 
guess the trick is having run across it before, eh?


"The best cure for mistakes is experience.
The best source of experience is mistakes." - YMMV
--
Jay Leafey - jay.lea...@mindless.com
Memphis, TN




Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Ross Walker
On May 25, 2010, at 9:44 PM, Whit Blauvelt  wrote:

> On Tue, May 25, 2010 at 08:52:58PM -0400, Ross Walker wrote:
>
>> Selinux alerts are in /var/log/audit/audit.log
>
> Thank you for that. Cryptic, but there it is.
>
>> The problem is if smbd doesn't create the messages.tdb file then it
>> won't have the selinux rights.
>
> I don't follow you. What else could have ever created the messages.tdb file?
> These were virgin OS installs. Whatever's in /var/cache/samba, at the time
> that smbd wouldn't run - which is right off the bat or at least as soon as it
> mattered to us, after our config was in place - is there only because either
> the CentOS install, or samba itself in trying to start it from
> /etc/init.d/smb, put it there. What else could have ever created
> messages.tdb than smbd?

I was under the impression that the config might have been copied in  
including what might be in /var/cache/samba, but if it wasn't then  
maybe it was the joining the machine to the domain, which also creates  
a messages.tdb file.

> If selinux's real complaint is that it doesn't like the files in /etc/samba
> being copied in from another system, that would make some sense - except
> that I'm not finding any mention of any of those files in the audit logs.
> And that still doesn't say why it starts having a problem with
> /var/cache/samba/messages.tdb. Does it?

Best guess is joining the machine to the domain under root context  
caused the cache files to be created under the root context.

>> That file can be deleted and will be recreated on smbd start, it's
>> just a cache file.
>
> So in theory if I'd nuked that file smbd would have been happy?

Yup, in fact I don't know why the cache files that don't need to  
persist aren't removed on service shutdown.

> Then why was it also happy with "sh /etc/init.d/smb start" but not
> "/etc/init.d/smb start". I'm happy to become more educated on this. But if
> invoking a major daemon startup that selinux wants to block is as easy as
> that, selinux is window dressing, not security.

When passing the script into a shell run under root context the script  
was actually run under root context; when executing the script  
directly (invoking the shell indirectly) it ran under smbd context.

Selinux is there to help prevent what happens within a security  
context, but running things as root can accidentally elevate a  
program's context.

Maybe sudo can help here?

> What am I missing about how that's anything like useful?

Selinux is a strange beast, but it's one of those things once you set  
it right you can pretty much forget it.

-Ross



Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 10:03:38PM -0400, Jason Pyeron wrote:

> If you look at it as the two different commands, then they may have different
> permissions, owners, contexts, etc...
> 
> /bin/sh vs /etc/init.d/smb
> 
> I am just logically guessing here but ...

Let me follow your logic here. So the extra selinux labels differentiate
what /bin/sh, as a shell, calling the /etc/init.d/smb script, can do from
what /etc/init.d/smb, which in its first line invokes /bin/sh to run it, can
do. Okay, that sort of makes sense.

So with selinux, in general any script that selinux would stop from running
due to the script's own extra selinux file tags can be run if Evil Intruder
simply invokes the same script with its shell first - sh or perl or python
or whatever? That counts as security? Through what? The obscurity of this
devious workaround?

Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Todd Denniston
Whit Blauvelt wrote, On 05/25/2010 11:09 PM:
> On Tue, May 25, 2010 at 10:03:38PM -0400, Jason Pyeron wrote:
> 
>> If you look at it as the two different commands, then they may have different
>> permissions, owners, contexts, etc...
>>
>> /bin/sh vs /etc/init.d/smb
>>
>> I am just logically guessing here but ...
> 
> Let me follow your logic here. So the extra selinux labels differentiate
> what /bin/sh, as a shell, calling the /etc/init.d/smb script, can do from
> what /etc/init.d/smb, which in its first line invokes /bin/sh to run it, can
> do. Okay, that sort of makes sense.
> 
> So with selinux, in general any script that selinux would stop from running
> due to the script's own extra selinux file tags can be run if Evil Intruder
> simply invokes the same script with its shell first - sh or perl or python
> or whatever? That counts as security? Through what? The obscurity of this
> devious workaround?
> 

At least for some of us, delving into what and how selinux is working is a recipe
for brain explosions. :)
But there are some, like Daniel J Walsh & Stephen Smalley, who seem to be able to
manage the deep diving into that system.
I am not sure if it is proper to ask RHEL/CentOS questions in the fedora list,
but there is a selinux list hosted for fedora where some of the folks with the
non-exploding brains hang out:
https://admin.fedoraproject.org/mailman/listinfo/selinux
You could at least ask there about a RHEL-specific list; I don't see a list
specific to CentOS:
http://www.centos.org/modules/tinycontent/index.php?id=16

I see Daniel's emails on fedora users and fedora test lists quite often, and he
is reasonably personable in his suggestions, solutions and explanations (at
least in my opinion).

If you get an answer that helps, please drop a URL pointer line back on this
thread.
-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Whit Blauvelt
On Tue, May 25, 2010 at 09:09:33PM -0500, Jay Leafey wrote:

> In your case, there should have been AVC errors showing up in the
> audit log related to smbd.  Using restorecon to fix up the security
> context on the files in /etc/samba might have resolved the issue
> quickly... but I guess the trick is having run across it before, eh?

Thoughtful advice. Thanks. Is there some method to duplicate basic
configuration files across selinux servers without running restorecon for
each set of files that's copied over - that is, to copy them with their
selinux labels intact? 

From this limited example, it looks like selinux gets in the way of standard
administrative tasks, yet wouldn't be in the way at all of anyone who'd
acquired a shell within which they could run another shell and with that
call whatever program they like.

I was just reading a review by Freeman Dyson of physicist Steven Weinberg's
new book, Lake Views. Dyson is impressed by Weinberg's argument that for
defense we often go to "glorified technologies" which don't really do for us
what we expect. For example, mounted knights, which were the expensive high
tech approach to war of their time, more often than not lost to peasants
with pikes. The list goes on from there, right up to the present.

In its modest way, selinux would fit right into that record. It's complex
and shiny and expensive to maintain (hell, its competitor is even called
"AppArmor" - armor?). But is it as essentially useless in real combat as
mounted knights were against a line of men with spears? Or as today's
wishful and extravagant missile defense?

Best,
Whit


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4

2010-05-25 Thread Gordon Messmer
On 05/25/2010 04:39 PM, Whit Blauvelt wrote:
> On Tue, May 25, 2010 at 06:23:02PM -0400, Todd Denniston wrote:
>> i.e. you may need to:
>> A) restorecon /etc/init.d/smb and any other samba files that you have 
>> copied/edited.
>
> It doesn't work with the smb file which is virgin, as installed by CentOS.

"restorecon" fixes the SELinux context of the file.  Most other forms of 
repair (short of removing and reinstalling the package) will not do 
that.  If the context is correct, you should not get the errors that you 
saw.

"restorecon -v" is instructive in telling you whether or not anything 
needed to be fixed.  "ls -lZ" will show you the context which is 
currently set.

>> B) look in one of the /var/log/ files for selinux messages when you are 
>> starting samba.
>
> There are no lines in any log file with both "selinux" combined with either
> "mbd" or "samba". Plus selinux is just in advisory mode if not specifically
> configured to be in the way, isn't it?

Look in /var/log/audit/audit.log.  Specifically, watch for lines 
containing "AVC".
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
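
Reading the AVC records mentioned in the message above, as an added example that is not part of the original thread: this Python groups denials from audit.log by the domain the process ran in and the type on the file it was refused, which is the pair that `ls -lZ` and `restorecon -v` then let you check. The log lines are constructed samples, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format. The contexts, pids and inode numbers
# are invented for illustration and are not taken from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1274837220.101:412): avc:  denied  { read write } for  pid=2901 comm="smbd" name="messages.tdb" dev=dm-0 ino=98311 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1274837220.101:412): arch=40000003 syscall=5 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1274837220.214:413): avc:  denied  { read } for  pid=2901 comm="smbd" name="smb.conf" dev=dm-0 ino=65702 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274837221.007:414): avc:  denied  { read write } for  pid=2903 comm="smbd" name="messages.tdb" dev=dm-0 ino=98311 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=USER_AUTH msg=audit(1274837300.000:415): user pid=3000 uid=0 msg='PAM: authentication acct="root"'
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    # A context is user:role:type[:level]; policy decisions key on the type.
    src = fields.get("scontext", "").split(":")
    tgt = fields.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3 or "tclass" not in fields:
        return None  # truncated or malformed record
    fields.update(perms=m.group(1).split(), sdomain=src[2], ttype=tgt[2])
    return fields


def summarise(log_text):
    """Group denials by (comm, process domain, file name, file type, class)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("comm", "?"), rec["sdomain"],
               rec.get("name", "?"), rec["ttype"], rec["tclass"])
        groups[key]["count"] += 1
        groups[key]["perms"].update(rec["perms"])
    return dict(groups)


def report(log_text):
    """One readable line per distinct denial, most frequent first."""
    rows = sorted(summarise(log_text).items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{comm} running as {dom} denied {{{' '.join(sorted(g['perms']))}}} "
        f"on {cls} {name!r} labelled {ttype} ({g['count']}x)"
        for (comm, dom, name, ttype, cls), g in rows
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_AUDIT_LOG):
        print(row)
```

The `name=` field in an AVC record is only the last path component, so the full path still has to be located before comparing its label with `ls -lZ` or `restorecon -v`.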


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Gordon Messmer
On 05/25/2010 06:44 PM, Whit Blauvelt wrote:
>
> And that still doesn't say why it starts having a problem with
> /var/cache/samba/messages.tbd. Does it?

That's simply the first file which was denied by policy.  If that one 
had been removed, the next one would have caused problems.

>> That file can be deleted and will be recreated on smbd start, it's
>> just a cache file.
>
> So in theory if I'd nuked that file smbd would have been happy?

No.  With that file removed, smbd probably wouldn't have been able to 
write to the directory.  If it was able to, it probably would have run 
into trouble with the next file.  If smbd started up in the context 
which was configured for it, everything would work normally.  If smbd 
started up in the "unconfined" context, everything would work normally 
(but not benefit from SELinux security).  The problem appears to be that 
smbd was starting in some other context, which you haven't shared.

> Then why was it also happy with "sh /etc/init.d/smb start" but not
> "/etc/init.d/smb start". I'm happy to become more educated on this. But if
> invoking a major daemon startup that selinux wants to block is as easy as
> that, selinux is window dressing, not security.

Your misunderstanding seems to be that SELinux is not intended to 
prevent an attacker who has root privileges on your system from starting 
smbd.  Instead, it is intended to confine the smbd that the system's 
administrator is running from taking actions which are not allowed by 
policy.

That is to say that SELinux does not "want" to block smbd from running. 
  SELinux is intended to describe the access that system daemons like 
smbd should have in greater detail than mere filesystem access, and to 
confine smbd to that behavior.  Whatever you did caused smbd to start up 
in some other context (but not unconfined), and was thus confining smbd 
to the behavior that was appropriate for some other process.  It should 
be obvious why that would cause problems.


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Gordon Messmer
On 05/25/2010 08:36 PM, Whit Blauvelt wrote:
>
> Thoughtful advice. Thanks. Is there some method to duplicate basic
> configuration files across selinux servers without running restorecon for
> each set of files that's copied over - that is, to copy them with their
> selinux labels intact?

Usually if you copy them directly to their destination, they'll have the 
correct context.  If you copy it to a different location first (like 
/home/) and then move it into place, it'll have the context that it got 
when it was created (like user_home_t).

I use bcfg2 to manage configuration files, for instance, and I don't 
believe that any SELinux contexts are broken as a result.

> From this limited example, it looks like selinux gets in the way of standard
> administrative tasks, yet wouldn't be in the way at all of anyone who'd
> acquired a shell within which they could run another shell and with that
> call whatever program they like.

No, it wouldn't, and it's not intended to.  It is intended to confine 
your system daemons so that an attacker cannot overflow a buffer and 
execute arbitrary shell code (for instance).


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Gordon Messmer
On 05/25/2010 08:09 PM, Whit Blauvelt wrote:
>
> So with selinux, in general any script that selinux would stop from running
> due to the script's own extra selinux file tags can be run if Evil Intruder
> simply invokes the same script with its shell first - sh or perl or python
> or whatever? That counts as security? Through what? The obscurity of this
> devious workaround?

Similarly, suppose I have a script (/usr/local/bin/example) with 
permission 0700.  Now, if Evil Intruder simply copies the script 
elsewhere and changes its permissions, he can read and execute the script!

Similarly, if I have Firefox running as userA, then userB cannot read 
its memory.  However, if userB runs Firefox, he can read that process' 
memory!

You're being silly.  SELinux confines the daemons that the administrator 
starts so that they don't take actions that aren't allowed by policy. 
If an attacker gains access to the system with a higher set of 
privileges than the confined daemon, OF COURSE he can run the daemon 
with higher privileges.  That doesn't negate the value of YOUR ability 
to DECREASE the privileges available to the daemons that run on your 
systems.


Re: [CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

2010-05-25 Thread Les Mikesell
Gordon Messmer wrote:
> 
> No.  With that file removed, smbd probably wouldn't have been able to 
> write to the directory.  If it was able to, it probably would have run 
> into trouble with the next file.  If smbd started up in the context 
> which was configured for it, everything would work normally.  If smbd 
> started up in the "unconfined" context, everything would work normally 
> (but not benefit from SELinux security).  The problem appears to be that 
> smbd was starting in some other context, which you haven't shared.
> 
>> Then why was it also happy with "sh /etc/init.d/smb start" but not
>> "/etc/init.d/smb start". I'm happy to become more educated on this. But if
>> invoking a major daemon startup that selinux wants to block is as easy as
>> that, selinux is window dressing, not security.
> 
> Your misunderstanding seems to be that SELinux is not intended to 
> prevent an attacker who has root privileges on your system from starting 
> smbd.  Instead, it is intended to confine the smbd that the system's 
> administrator is running from taking actions which are not allowed by 
> policy.

That still doesn't explain why there is a difference in smbd's context when its 
parent is an explicitly started shell vs. the implicit one that starts when the 
script file is executed.  Isn't the context associated with the program itself, 
not its parent?  Is this documented anywhere?

> That is to say that SELinux does not "want" to block smbd from running. 
>   SELinux is intended to describe the access that system daemons like 
> smbd should have in greater detail than mere filesystem access, and to 
> confine smbd to that behavior.  Whatever you did caused smbd to start up 
> in some other context (but not unconfined), and was thus confining smbd 
> to the behavior that was appropriate for some other process.  It should 
> be obvious why that would cause problems.

From what he has posted so far the "whatever he did" was starting smbd directly
from a root command line or running the init script with 'sh' or 'bash'.   Why
would that give a different context than running the init script with the sh.

-- 
   Les Mikesell
lesmikes...@gmail.com