Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread Michael B Allen
On Thu, Mar 17, 2011 at 6:18 AM, John Hodrien  wrote:
> On Wed, 16 Mar 2011, Michael B Allen wrote:
>> I don't know what the official view is on going through a CNAME but I
>> think that is probably a dubious practice. The proper way to handle
>> this scenario would be to add another servicePrincipalName value for
>> HTTP/www.friendly and a corresponding keytab entry for
>> HTTP/www.friendly@KRB-REALM.
>
> Dubious why?  If I go with your method at the very least I now need more
> records in AD for machines that don't exist, and I'm guessing I'll be creating
> them by being a domain administrator, which is inconvenient in large
> organisations.
>
> I'm assuming I'll also be needing to add A records for these domains.
> Kerberos surely won't be a fan of there not being a PTR record, so I assume
> you'd need multiple PTR records.  Is this really the path you're suggesting
> going down?  I'm genuinely interested here, I'm not having a dig.

Hi John,

Arguably it's not the end of the world to go through CNAMEs. If it
works for you, then don't let me deter you.

But you do realize that it requires the client to have logic to see
"ah, the record returned is a CNAME so let's use this name to build
the principal instead"? And I would not be surprised to see some
scenario where the client actually tried to get a ticket with the
supplied name and then fell back to using the CNAME, in which case you
have extra DNS and Kerberos traffic. If at some point someone wants to
use another HTTP client from a cron job or some Java app, is that
client going to handle the CNAME correctly?

What happens if the client application needs the original principal
name for some reason? It will get what the CNAME points to. That could
be weird for the app or a developer. And then if you move the website
to another server the principal name is now suddenly different?

CNAMEs in general are dubious. And not just for Kerberos.

Also short names are dubious. Is it a NetBIOS name or does the client
have a proper DNS search suffix configured? And in the latter case it
takes extra DNS queries to get the name.

Why have all this extra indirection on top of an already fickle protocol?

Regarding PTR records, I don't think kerberos would have any problem
without them. Actually I seem to recall that once upon a time old
Kerberos clients used to automatically try PTR lookups to get the
primary hostname first but that practice has long since been ruled bad
and clients no longer do it. That might be what you're thinking of.

If you're going to have users trying to use a site with a certain
hostname, IMO you should just have proper A and PTR records. Yeah,
it can work without. But not always, and it can be a burden for users
to figure out the problem and for admins to add the necessary SPN, A
and PTR records, get rid of the CNAME, wait for the cache to clear,
purge all the old tickets, etc.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] security updates?

2011-03-18 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>Of Timothy Murphy
>Sent: Friday, March 18, 2011 1:33 AM
>To: centos@centos.org
>Subject: Re: [CentOS] security updates?
>
>However, I don't think people who ask reasonable questions politely
>should be castigated for doing so.

To my eyes it looked very much like a "when will it be done"-post yet again.
Maybe I was too harsh, maybe not. I'll just ignore those posts in the future.
Let's leave it at that.

-- 
/Sorin




Re: [CentOS] security updates?

2011-03-18 Thread Alain Péan
On 18/03/2011 01:32, Timothy Murphy wrote:
> I don't think the OP did ask when 5.6 would be ready.
> What he/she said, IIRC, was that Karanbir had suggested
> that 5.6 would be out last week,
> and he/she was asking if there had been a problem.

This is exactly the point. I can add that all my CentOS servers are on
an internal network that I consider secure, so the release of 5.6 is
not critical for me. I can wait for next week, or the week after, or
even later, no problem for me.
But indeed, as Karanbir suggested that the release of 5.6 was almost
ready, I was just asking for news a week later.

> This seems a perfectly reasonable question to me.

To me too...

> However, I don't think people who ask reasonable questions politely
> should be castigated for doing so.

Yes. And my opinion is that a "Community project" should inform its
community on a regular basis, at least once a week. I don't ask for news
every hour.

Alain

-- 
==
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==



Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread John Hodrien
On Fri, 18 Mar 2011, Michael B Allen wrote:

> Hi John,
>
> Arguably it's not the end of the world to go through CNAMEs. If it
> works for you, then don't let me deter you.

Indeed it does, and it was the only way I could see you /could/ do this.
Especially if you're not a domain admin.  I'm still not clear your method
/can/ work.  Are you saying you've done it this way and it does?  With
multiple A records if I do:

ssh 10.0.0.1

Which kerberos credential will the remote side use?

With the CNAME approach, there's no ambiguity.

> But you do realize that it requires the client to have logic to see
> "ah, the record returned is a CNAME so let's use this name to build
> the principal instead"?

MIT kerberos suggests it uses this to figure out the SPN:

gethostbyaddr(gethostbyname(host))

Surely that wouldn't care how I'd done it?  That requires the PTR record, and
that it points back to the name of the principal you want to use.  With
multiple PTR records to the same IP I can't work out how this is going to end.
Will it round-robin and simply work because the remote end has all of them?

Clearly sometimes there's not even a domain name to start with.  You can quite
merrily do "ssh 10.0.0.1" and get a kerberised login.  With multiple PTRs to a
single IP, I can only assume you'll round-robin through the credentials.  So
when you add an A and PTR record and forget to add the principal, kerberos
logins will fail 1/N of the time.

> And I would not be surprised to see some scenario where the client actually
> tried to get a ticket with the supplied name and then fell back to using the
> CNAME, in which case you have extra DNS and Kerberos traffic. If at some
> point someone wants to use another HTTP client from a cron job or some Java
> app, is that client going to handle the CNAME correctly?

As far as I can tell, the client will be blissfully unaware.

> What happens if the client application needs the original principal
> name for some reason? It will get what the CNAME points to. That could
> be weird for the app or a developer. And then if you move the website
> to another server the principal name is now suddenly different?

Yes.  But why would the developer care about the service principal name?  It's
not often you're that introspective, you're normally more interested in the
client's principal.

> CNAMEs in general are dubious. And not just for Kerberos.

I think that's a little harsh.  CNAMEs seem to be unloved for reasons I'm not
fully convinced by.  What is so bad about CNAMEs?

> Also short names are dubious. Is it a NetBIOS name or does the client
> have a proper DNS search suffix configured? And in the latter case it
> takes extra DNS queries to get the name.

AD always creates both short and FQDN forms of principals, I assume it's as
you guessed because of a NetBIOSism, or because it's a cruft that can often
fix broken setups.  I don't know, I only ever use the FQDN form.

> Why have all this extra indirection on top of an already fickle protocol?

I haven't actually found kerberos to be too fickle at all.

> Regarding PTR records, I don't think kerberos would have any problem
> without them.

As far as I knew MIT kerberos doesn't work at all without them, due to the way
it calculates service principals.  Certainly if you have a pair of A records
for the same IP, and the PTR record points to the name that doesn't match the
service principal it all will not work.

> Actually I seem to recall that once upon a time old Kerberos clients used to
> automatically try PTR lookups to get the primary hostname first but that
> practice has long since been ruled bad and clients no longer do it. That
> might be what you're thinking of.

AD 2003 doesn't work correctly if the PTR record doesn't match the service
principal, even if there's also an A record that does.  As far as I'm aware
the same is true for MIT kerberos.

> If you're going to have user's trying to use a site with a certain
> hostname, IMO you should just have a proper A and PTR records. Yeah,
> it can work without. But not always and it can be a burden for users
> to figure out the problem and for admins to add the necessary SPN, A
> and PTR records, get rid of the CNAME, wait for the cache to clear,
> purge all the old tickets, etc.

But are you suggesting multiple PTR records for the same IP?  That's normally
considered bad DNS practice isn't it, never mind kerberos practice?

I'm just not sure I see any advantage in using multiple A and PTR records.

Thanks for the discussion though, it's really not something I'd overly thought
about before.  There never seems to be enough googlable advice on using
kerberos out there.

jh
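As an added illustration of the gethostbyaddr(gethostbyname(host)) rule John quotes (this is a toy model written for this digest, not code from MIT Kerberos or from anyone on the list), the script below swaps the resolver for constructed zone data and shows why the CNAME setup yields a single principal while two PTRs for one address yield two candidates, one of which has no keytab entry. The realm EXAMPLE.COM, the hostnames and the 10.0.0.x addresses are all invented for the example.

```python
"""Toy model of reverse-DNS canonicalisation of a Kerberos service principal:
the client resolves the name it was given, then takes the PTR name(s) of that
address as the host part of the principal. All DNS data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

REALM = "EXAMPLE.COM"  # assumed realm name for the example


@dataclass
class FakeDns:
    """Static zone data: alias -> target, name -> IPv4, IPv4 -> PTR names."""
    cname: Dict[str, str]
    a: Dict[str, str]
    ptr: Dict[str, List[str]]

    def gethostbyname(self, host: str) -> str:
        """Follow CNAMEs to an A record; an IPv4 literal resolves to itself
        (the 'ssh 10.0.0.1' case: there is no forward name at all)."""
        if host.count(".") == 3 and all(p.isdigit() for p in host.split(".")):
            return host
        seen = set()
        while host in self.cname:
            if host in seen:
                raise LookupError(f"CNAME loop at {host}")
            seen.add(host)
            host = self.cname[host]
        if host not in self.a:
            raise LookupError(f"no A record for {host}")
        return self.a[host]

    def gethostbyaddr(self, ip: str) -> List[str]:
        """Return every PTR name for the address, in zone order."""
        names = self.ptr.get(ip)
        if not names:
            raise LookupError(f"no PTR record for {ip}")
        return names


def candidate_spns(service: str, host: str, dns: FakeDns) -> List[str]:
    """Every principal a reverse-canonicalising client might ask the KDC for.
    One PTR gives one answer; N PTRs on the same address give N candidates,
    and which one a real client picks depends on the order the resolver
    happens to return them."""
    ip = dns.gethostbyname(host)
    return [f"{service}/{name}@{REALM}" for name in dns.gethostbyaddr(ip)]


def unserved_fraction(service: str, host: str, dns: FakeDns,
                      keytab: Set[str]) -> float:
    """Share of candidate principals that have no matching keytab entry,
    i.e. how often a ticket for this host would be unusable by the service."""
    cands = candidate_spns(service, host, dns)
    return sum(1 for spn in cands if spn not in keytab) / len(cands)


# Scenario A: the CNAME setup. Whatever name the user types, the client ends
# up at the single PTR name, so one SPN and one keytab entry suffice.
DNS_CNAME = FakeDns(
    cname={"www.friendly.example.com": "web01.example.com"},
    a={"web01.example.com": "10.0.0.1"},
    ptr={"10.0.0.1": ["web01.example.com"]},
)
KEYTAB_A = {f"HTTP/web01.example.com@{REALM}"}

# Scenario B: two A records and two PTRs for one address, but only one SPN
# registered. Reverse lookup may hand back either name, so a client that is
# given the unregistered one fails: the "1/N of the time" case in the thread.
DNS_MULTI = FakeDns(
    cname={},
    a={"web02.example.com": "10.0.0.2", "www.friendly.example.com": "10.0.0.2"},
    ptr={"10.0.0.2": ["web02.example.com", "www.friendly.example.com"]},
)
KEYTAB_B = {f"host/web02.example.com@{REALM}"}

if __name__ == "__main__":
    print(candidate_spns("HTTP", "www.friendly.example.com", DNS_CNAME))
    print(candidate_spns("host", "10.0.0.2", DNS_MULTI))
    print(unserved_fraction("host", "10.0.0.2", DNS_MULTI, KEYTAB_B))  # 0.5
```

Real MIT clients can be told to skip the reverse step with `rdns = false` in the [libdefaults] section of krb5.conf, which removes the PTR dependence the thread is arguing about at the cost of making the forward name the one that has to carry the SPN.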


[CentOS] creating a htpasswd file for certain urls

2011-03-18 Thread Agnello George
Hi All

I am in a kind of fix: I have a website (beta.somesite.com) that needs to be
password protected; however, there are two URLs that should be allowed to all
without password access. On a CentOS 5.5 box I am running Apache.

The entire site needs password protection except for the URLs below.

http://beta.somesite.com/wp-content/uploads/2011/03/large_1990782-e1299229617964.jpg

http://beta.somesite.com/?cat=592&feed=rss2


Your advice will be of great help

--
Regards
Agnello D'souza


[CentOS] Add repo for xfig package

2011-03-18 Thread hersh parikh
Hi All

We want to install packages like xfig and transfig on CentOS 5.5. We found rpms
available for them, but it seems there are a lot of dependencies for these
packages. So we would like to set up a yum repo for this. Can anyone suggest a
trusted baseurl for a yum repo?

Regards
Hersh




Re: [CentOS] IPV6 - request for info

2011-03-18 Thread Adam Tauno Williams
On Fri, 2011-03-18 at 08:18 +0530, Rajagopal Swaminathan wrote:
> Greetings,
> I am trying to wrap my head around on this topic.
> Was wondering: just as there is some scope for mapping IPv4 directly
> into IPv6 space, has a MAC ID or some kind of WWID also been taken
> into consideration?





[CentOS] Replace NIS by Active Directory

2011-03-18 Thread MOKRANI Rachid
Hi,

I'm looking for a wiki or shared experience on replacing NIS authentication
with an existing Active Directory server (W2003). The problem is the
management of id and gid.

How to move 1000 current NIS users to AD?
How to keep the same id and gid for these 1000 users?
What happens with the Linux NFS server and access by gid and/or id?
Use the same user/password for Linux and Windows client
authentication?
 

We tested a solution which works very well: the Centrify commercial software
http://www.centrify.com/directcontrol/overview.asp . But we are looking for
a freeware solution (kerberos? openldap? pam? ...).

Has someone already successfully replaced NIS by AD authentication
with a freeware solution?
 
Regards.


Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread John Hodrien
On Fri, 18 Mar 2011, MOKRANI Rachid wrote:

> Hi,
>
> I'm looking for a wiki or shared experience on replacing NIS authentication
> with an existing Active Directory server (W2003). The problem is the
> management of id and gid.
>
> How to move 1000 current NIS users to AD?

Create matching accounts in AD.  This is standard Active Directory stuff,
there really aren't any gotchas I can think of.

> How to keep the same id and gid for these 1000 users?

Make sure the SFU attributes have the correct values.  You can do all this
through LDAP as far as I know.  Alternatively remap all your UIDs/GIDs and
switch to a RID mapping scheme instead.  You need to think about how you're
planning on working in the future.

> What happens with the Linux NFS server and access by gid and/or id?

It works exactly the same as it does now.

> Use the same user/password for Linux and Windows client
> authentication?

Feel free to use winbind or pam_krb5 for authentication, both easy to set up.
You'll need nss_ldap with pam_krb5, but winbind can do the whole bag.

> Has someone already successfully replaced NIS by AD authentication
> with a freeware solution?

Probably the easiest is to use winbind, but we use nss_ldap and pam_krb5.
There's plenty of documentation on how to do this out there.

jh


Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread Alain Péan
On 18/03/2011 13:31, MOKRANI Rachid wrote:
> Hi,
>
> I'm looking for a wiki or shared experience on replacing NIS authentication
> with an existing Active Directory server (W2003). The problem is the
> management of id and gid.

Here is a very good blog, Scott Lowe's, where I found precise
information on how to set up LDAP/Kerberos authentication against
Active Directory:
http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

If you have Windows 2003 R2, the schema already has POSIX-compliant Unix
attributes (id, gid, user's home...).
You have to add the Windows component 'Unix identity management', no
more SFU. A tab for 'Unix attributes' will appear in user properties
(Users and Computers management console).

> How to move 1000 current NIS users to AD?
> How to keep the same id and gid for these 1000 users?
> What happens with the Linux NFS server and access by gid and/or id?
> Use the same user/password for Linux and Windows client
> authentication?

NFS will work if you add the Windows component 'Microsoft Services for
NFS'. If you still have NIS accounts on Linux servers, the accounts
should indeed be the same, with the same id/gid.

To create your 1000 accounts, you can use VBS scripts. See for example
the very good O'Reilly book 'Active Directory', or 'Active Directory
Cookbook' by the same author (Allen). It is something along the lines of:

    objUser.msSFU30NisDomain = "AD_domain"
    objUser.uidNumber = intUid
    objUser.gidNumber = intGid
    objUser.loginShell = strShell
    objUser.homeDirectory = strHome

    objUser.SetInfo

> We tested a solution which works very well: the Centrify commercial software
> http://www.centrify.com/directcontrol/overview.asp . But we are looking for
> a freeware solution (kerberos? openldap? pam? ...).

The solution outlined in Scott Lowe's blog is both standard and free (it
uses both Kerberos and LDAP + Samba).

>
> Has someone already successfully replaced NIS by AD authentication
> with a freeware solution?

Yes, I did on CentOS.

Regards,
Alain
>
> Regards.
>





Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread Dvorkin, Asya
Hi,

Check out Likewise open.  I think this is what you are looking for.

http://www.likewise.com/products/likewise_open/

" Likewise Open is the open source foundation for Likewise Enterprise that 
joins Linux, UNIX, and Mac OS systems to Microsoft Active Directory to securely 
authenticate non-Windows users with AD credentials."

Asya

On Mar 18, 2011, at 8:31 AM, MOKRANI Rachid wrote:

Hi,

I'm looking for a wiki or shared experience on replacing NIS authentication
with an existing Active Directory server (W2003). The problem is the
management of id and gid.

How to move 1000 current NIS users to AD?
How to keep the same id and gid for these 1000 users?
What happens with the Linux NFS server and access by gid and/or id?
Use the same user/password for Linux and Windows client
authentication?


We tested a solution which works very well: the Centrify commercial software
http://www.centrify.com/directcontrol/overview.asp . But we are looking for
a freeware solution (kerberos? openldap? pam? ...).

Has someone already successfully replaced NIS by AD authentication
with a freeware solution?

Regards.


Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread Alain Péan

On 18/03/2011 14:06, Dvorkin, Asya wrote:

Hi,

Check out Likewise open.  I think this is what you are looking for.

http://www.likewise.com/products/likewise_open/

" Likewise Open is the open source foundation for Likewise Enterprise 
that joins Linux, UNIX, and Mac OS systems to Microsoft Active 
Directory to securely authenticate non-Windows users with AD credentials."


Asya



But the free edition uses a hash to generate id and gid, not the POSIX-
compliant id and gid already included in 2003 R2. The non-free version
does. It is not, in my opinion, the solution you would like to use...


Alain



Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread Nico Kadel-Garcia
On Fri, Mar 18, 2011 at 8:31 AM, MOKRANI Rachid  wrote:
> Hi,
>
> I'm looking for a wiki or shared experience on replacing NIS authentication
> with an existing Active Directory server (W2003). The problem is the
> management of id and gid.
>
> How to move 1000 current NIS users to AD?
> How to keep the same id and gid for these 1000 users?
> What happens with the Linux NFS server and access by gid and/or id?
> Use the same user/password for Linux and Windows client
> authentication?

> We tested a solution which works very well: the Centrify commercial software
> http://www.centrify.com/directcontrol/overview.asp . But we are looking for
> a freeware solution (kerberos? openldap? pam? ...).
>
> Has someone already successfully replaced NIS by AD authentication
> with a freeware solution?

The amount of time burned setting up the migration, which is otherwise
done manually to configure uids and gids consistently, very much
justifies the purchase of a single Centrify license for an "adnisd"
server. Get *that* running, switch your NIS to point to that, and
you've done all the hard integration work. That more than justifies
the cost of a license or a pair of licenses.

It can otherwise be done manually, but the data entry time wasted for
your engineers well justifies the price of a Centrify license or two.


Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread Ross Walker
On Mar 18, 2011, at 8:31 AM, "MOKRANI Rachid"  wrote:

> Hi,
> 
> I'm looking for a wiki or shared experience on replacing NIS authentication
> with an existing Active Directory server (W2003). The problem is the
> management of id and gid.
> 
> How to move 1000 current NIS users to AD?
> How to keep the same id and gid for these 1000 users?
> What happens with the Linux NFS server and access by gid and/or id?
> Use the same user/password for Linux and Windows client
> authentication?
> 
> 
> We tested a solution which works very well: the Centrify commercial software
> http://www.centrify.com/directcontrol/overview.asp . But we are looking for
> a freeware solution (kerberos? openldap? pam? ...).
> 
> Has someone already successfully replaced NIS by AD authentication
> with a freeware solution?

Instead of replacing NIS I extended it.

I set up a winbind box that did RID mapping from AD and exported those into NIS 
maps, sans passwords.

I then set up Kerberos on all boxes to authenticate against AD; samba managed 
the keytab files.

With this I got auto UID/GID generation, my AD users and groups automatically 
appear and disappear from the NIS maps and I can use those maps for multiple 
platforms.

Simple, yet effective.

-Ross



Re: [CentOS] Add repo for xfig package

2011-03-18 Thread Nicolas Thierry-Mieg
hersh parikh wrote:
> Hi All
>
> We want to install packages like xfig and transfig on CentOS 5.5. We
> found rpms available for them, but it seems there are a lot of dependencies
> for these packages. So we would like to set up a yum repo for this. Can
> anyone suggest a trusted baseurl for a yum repo?

xfig and transfig are in centos 5, why don't you just use the regular 
centos repo?


[CentOS] rpm split

2011-03-18 Thread Janez Kosmrlj
Hi,
I have a custom rpm for our application. The problem is that it grew old and
fat. It's about 30 MB. So I would like to split it into two parts. One big
part that almost never changes and one smaller part that is changed more
frequently. But I don't know how to write the spec file so a simple yum
update will install both packages and it won't create any problems.

Any suggestions?


Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread John Hodrien
On Fri, 18 Mar 2011, Nico Kadel-Garcia wrote:

> It can otherwise be done manually, but the data entry time wasted for
> your engineers well justifies the price of a Centrify license or two.

What do you mean by manually?  Can't this all be done with ypcat, ldapmodify
and a shell script?  After which, you are entirely liberated from NIS.

jh


Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread Nico Kadel-Garcia
On Fri, Mar 18, 2011 at 10:42 AM, John Hodrien  wrote:
> On Fri, 18 Mar 2011, Nico Kadel-Garcia wrote:
>
>> It can otherwise be done manually, but the data entry time wasted for
>> your engineers well justifies the price of a Centrify license or two.
>
> What do you mean by manually?  Can't this all be done with ypcat, ldapmodify
> and a shell script?  After which, you are entirely liberated from NIS.
>
> jh

In theory, yes. In practice I've done that. Getting the buy-in
from the Active Directory owners to manually run ldapmodify against
their hosts can be politically painful. The nice GUI from Centrify,
that has the NIS import facility, does a pretty good job, and can be
very helpful to remind you that mixed case groups and usernames are
problematic, that some systems don't deal well with non-alphanumeric
characters such as '_' or '-', that the default maximum group or
username is 8 characters, that there's a maximum number of characters
in an NIS or POSIX compatible line such as a group membership list and
they need to be split up to multiple entries with the same gid, etc.,
etc., etc.

It gets very expensive in engineering time, very fast, especially if
people have been "clever" and already created correspondence between
AD groups and NIS groups or users of various sorts, but weren't
consistent about their naming schemes.


Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread Alain Péan
On 18/03/2011 16:07, Nico Kadel-Garcia wrote:


... that the default maximum group or username is 8 characters,...


It was the case with Solaris, but fortunately not on Linux. I don't 
remember what the maximum length is, but I think it could be up to 128 
characters...

Alain


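John's ypcat/ldapmodify route and the naming pitfalls Nico lists, as one added example that is not code from anyone on the thread: it parses constructed `ypcat passwd` output, warns about login names that will cause trouble, and emits an LDIF for `ldapmodify` that sets the SFU/RFC 2307 attributes (including the msSFU30NisDomain attribute from Alain's VBScript fragment) on existing AD user objects. The NIS domain name, the AD container and the assumption that each object's CN equals the NIS login name are invented for the example and must be adapted to your directory.

```python
"""Generate an ldapmodify LDIF from NIS passwd map lines and lint the login
names for the migration pitfalls discussed in the thread. Added example; the
sample map, NIS domain name and AD container are constructed, not real."""
import base64
import re
from typing import Dict, List

NIS_DOMAIN = "labnet"                            # assumed NIS domain name
USER_BASE = "OU=Users,DC=ad,DC=example,DC=com"   # assumed AD container
LEGACY_NAME_LIMIT = 8                            # old 8-character login limit

# Constructed stand-in for `ypcat passwd` output.
NIS_PASSWD = """\
alice:x:1001:100:Alice Liddell:/home/alice:/bin/bash
Bob_Smith:x:1002:100:Bob Smith:/home/bsmith:/bin/tcsh
charlesdickens:x:1003:101:Charles Dickens:/home/cdickens:/bin/bash
jnunez:x:1004:101:José Núñez:/home/jnunez:/bin/bash
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd(5)-style lines into field dicts; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            raise ValueError(f"non-numeric uid/gid in {line!r}")
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def lint_name(name: str) -> List[str]:
    """Flag the naming traps raised in the thread: mixed case, punctuation,
    and names past the legacy 8-character limit (harmless on Linux, but
    worth knowing if other platforms will read the same maps)."""
    problems = []
    if name != name.lower():
        problems.append("mixed case")
    if not re.fullmatch(r"[a-z0-9]+", name.lower()):
        problems.append("non-alphanumeric characters")
    if len(name) > LEGACY_NAME_LIMIT:
        problems.append(f"longer than {LEGACY_NAME_LIMIT} characters")
    return problems


def ldif_line(attr: str, value: str) -> str:
    """LDIF needs base64 ('::') for non-ASCII values and for values that
    start with space, ':' or '<' or end with a space (RFC 2849)."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def ldif_for(entry: Dict[str, str]) -> str:
    """One 'changetype: modify' record per user. 'replace' creates the
    attribute if it is absent, so the file is safe to re-run. Assumes the
    AD object's CN equals the NIS login name (adjust for your naming)."""
    dn = f"CN={entry['name']},{USER_BASE}"
    attrs = [("msSFU30NisDomain", NIS_DOMAIN),
             ("uidNumber", entry["uid"]),
             ("gidNumber", entry["gid"]),
             ("loginShell", entry["shell"]),
             ("unixHomeDirectory", entry["home"]),
             ("gecos", entry["gecos"])]
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in attrs:
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


def build_ldif(text: str) -> str:
    """Whole LDIF file: one record per passwd line, records blank-separated."""
    return "\n".join(ldif_for(e) for e in parse_passwd(text))


def lint_all(text: str) -> Dict[str, List[str]]:
    """Map login name -> problems, for every name that has any."""
    report = {}
    for entry in parse_passwd(text):
        problems = lint_name(entry["name"])
        if problems:
            report[entry["name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in lint_all(NIS_PASSWD).items():
        print(f"# WARNING {name}: {', '.join(problems)}")
    print(build_ldif(NIS_PASSWD))
```

Feed real `ypcat passwd` output in place of the constructed sample, review the warnings before anything is written, and pipe the LDIF into ldapmodify over LDAPS with an account that is allowed to edit those attributes.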


Re: [CentOS] creating a htpasswd file for certain urls

2011-03-18 Thread Jason Slack-Moehrle

>I am in a kind of fix: I have a website (beta.somesite.com) that needs to be
>password protected; however, there are two URLs that should be allowed to all
>without password access. On a CentOS 5.5 box I am running Apache.
>
>The entire site needs password protection except for the URLs below.
>
>
>http://beta.somesite.com/wp-content/uploads/2011/03/large_1990782-e1299229
>617964.jpg
>
>http://beta.somesite.com/?cat=592&feed=rss2

With my limited knowledge could a ReWrite rule work here?

Maybe if these 2 URLs are requested, ReWrite to a URL that isn't password
protected that can get you to the same place these 2 could?

Anything else, Rewrite to a URL that is password protected that could get
you to a central point?

I am just thinking out loud conceptually. Maybe others could shed some
light as well.

-Jason




Re: [CentOS] creating a htpasswd file for certain urls

2011-03-18 Thread James Hogarth
>>The entire site needs password protection except for the URLs below.
>>
>>http://beta.somesite.com/wp-content/uploads/2011/03/large_1990782-e1299229
>>617964.jpg
>>
>>http://beta.somesite.com/?cat=592&feed=rss2
>
> With my limited knowledge could a ReWrite rule work here?
>

Take a look at the  element in the apache configuration documentation.

James
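One way to do what James points at, written for this digest as an added example rather than taken from the thread: a single <Location /> puts the whole vhost behind the htpasswd file, the image path gets its own <Location> with `Satisfy Any`, and because <Location> never matches the query string, the feed URL is tagged by mod_rewrite and let through with `Allow from env=`. It assumes Apache 2.2 (the httpd shipped with CentOS 5.5), placement inside the beta.somesite.com <VirtualHost>, and an htpasswd file at /etc/httpd/conf/beta.htpasswd.

```apache
# Added example for Apache 2.2 (httpd in CentOS 5.x); put it in the
# beta.somesite.com <VirtualHost>. httpd.conf does not allow trailing
# comments, so every comment sits on its own line.

# The feed URL differs from "/" only by its query string, which <Location>
# cannot see. Tag such requests with an environment variable instead; the
# "-" substitution leaves the URL untouched, so no internal redirect occurs.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^cat=592&feed=rss2$
RewriteRule ^/$ - [E=PUBLIC_FEED:1]

# Everything under the document root requires a valid htpasswd user unless
# the request carries the tag set above. "Satisfy Any" means a request
# passes if EITHER the host/env rules OR the authentication succeeds.
<Location />
    AuthType Basic
    AuthName "beta.somesite.com (staging)"
    # assumed path; create it with: htpasswd -c /etc/httpd/conf/beta.htpasswd <user>
    AuthUserFile /etc/httpd/conf/beta.htpasswd
    Require valid-user
    Satisfy Any
    Order Deny,Allow
    Deny from all
    Allow from env=PUBLIC_FEED
</Location>

# The image is a fixed path, so a more specific <Location> can simply open it.
<Location /wp-content/uploads/2011/03/large_1990782-e1299229617964.jpg>
    Satisfy Any
    Order Allow,Deny
    Allow from all
</Location>
```

The RewriteCond matches the query string exactly as posted, so a reordered or extended query string (for example feed=rss2&cat=592) stays behind the password. On Apache 2.4 the same intent is expressed with `Require all granted` and `<If>` instead of Satisfy/Order/Allow.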


[CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread Adrian Sevcenco

Hi! I am trying to load a module that is found in the current
/lib/modules/`uname -r` tree ...

root@sevcenco: ~ # ls -l /lib/modules/`uname -r`/kernel/drivers/crypto/padlock-*
-rwxr--r-- 1 root root 14296 Mar 16 19:37 /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko
-rwxr--r-- 1 root root 10808 Mar 16 19:37 /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-sha.ko

but if I try:
root@sevcenco: ~ # modprobe -v padlock-aes.ko
FATAL: Module padlock_aes.ko not found.

Notice the change from - to _.
Any idea about this?
Or, more abstractly: has anyone succeeded in using PadLock (VIA) hardware
with OpenSSL (or other software) in CentOS?


Thanks,
Adrian





Re: [CentOS] creating a htpasswd file for certain urls

2011-03-18 Thread Jerry McAllister
On Fri, Mar 18, 2011 at 08:25:24AM -0700, Jason Slack-Moehrle wrote:

> 
> >I am in a kind of fix: I have a website (beta.somesite.com) that needs to be
> >password protected; however, there are two URLs that should be allowed to all
> >without password access. On a CentOS 5.5 box I am running Apache.
> >
> >The entire site needs password protection except for the URLs below.
> >
> >
> >http://beta.somesite.com/wp-content/uploads/2011/03/large_1990782-e1299229
> >617964.jpg
> >
> >http://beta.somesite.com/?cat=592&feed=rss2
> 
> With my limited knowledge could a ReWrite rule work here?
> 
> Maybe if these 2 URLs are requested, ReWrite to a URL that isn't password
> protected that can get you to the same place these 2 could?
> 
> Anything else, Rewrite to a URL that is password protected that could get
> you to a central point?

I don't think it needs to be so tricky.   Just put the stuff that
requires no password outside of the directory tree of the stuff
that does have a password requirement.

You may need an additional link to make it easy for your viewers
to find it.

Something like this directory tree:

                            Doc Root
                           /        \
                          /          \
 htpasswd in here ->  password required      no password required
                            |                         |
               other pw required stuff     other no pw required stuff

You don't have to have your whole Document_Root tree password controlled.
Just decide what needs to go in where.

jerry
>   
> I am just thinking out loud conceptually. Maybe others could shed some
> light as well.
> 
> -Jason
> 
> 


Re: [CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread Brunner, Brian T.
centos-boun...@centos.org wrote:
> Hi! I try to load a module that is found in the current
> /lib/modules/`uname -r` tree ...
> root@sevcenco: ~ # ls -l /lib/modules/`uname
> -r`/kernel/drivers/crypto/padlock-*
> -rwxr--r-- 1 root root 14296 Mar 16 19:37
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko
> -rwxr--r-- 1 root root 10808 Mar 16 19:37
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-sha.ko
> 
> but if i try :
> root@sevcenco: ~ # modprobe -v padlock-aes.ko
> FATAL: Module padlock_aes.ko not found.
> 
> notice the change from - to _
> Any idea about this?
> or more abstract:
> has anyone succeeded in using padlock (VIA) hardware with openssl (or
> other software) in CentOS?
> 
> Thanks,
> Adrian

Thought: Link your padlock-aes.ko to also exist as padlock_aes.ko
Does modprobe now find the files?

Are there aliases in modprobe.conf that (in effect) map - to _ in module
names?

Insert spiffy .sig here:
Life is complex: it has both real and imaginary parts.

//me



Re: [CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread Nicolas Thierry-Mieg
Adrian Sevcenco wrote:
> Hi! I try to load a module that is found in the current
> /lib/modules/`uname -r` tree ...
> root@sevcenco: ~ # ls -l /lib/modules/`uname
> -r`/kernel/drivers/crypto/padlock-*
> -rwxr--r-- 1 root root 14296 Mar 16 19:37
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko
> -rwxr--r-- 1 root root 10808 Mar 16 19:37
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-sha.ko

I notice you're using the elrepo-provided ml kernel, not the centos one.

> but if i try :
> root@sevcenco: ~ # modprobe -v padlock-aes.ko
> FATAL: Module padlock_aes.ko not found.
>
> notice the change from - to _
> Any idea about this?

I don't think that's relevant.
man modprobe says:
note that for convenience, there is  no  difference  between  _ and - in 
module names.

Do you get anything in dmesg after the failure?


> or more abstract:
> has anyone succeeded in using padlock (VIA) hardware with openssl (or other
> software) in CentOS?


Re: [CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread Akemi Yagi
On Fri, Mar 18, 2011 at 9:03 AM, Adrian Sevcenco
 wrote:
> Hi! I try to load a module that is found in the current
> /lib/modules/`uname -r` tree ...
> root@sevcenco: ~ # ls -l /lib/modules/`uname
> -r`/kernel/drivers/crypto/padlock-*
> -rwxr--r-- 1 root root 14296 Mar 16 19:37
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko
> -rwxr--r-- 1 root root 10808 Mar 16 19:37
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-sha.ko
>
> but if i try :
> root@sevcenco: ~ # modprobe -v padlock-aes.ko
> FATAL: Module padlock_aes.ko not found.

When using the modprobe command, you need to omit the ".ko" part.

Akemi


Re: [CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread James Pearson
Adrian Sevcenco wrote:
> Hi! I try to load a module that is found in the current
> /lib/modules/`uname -r` tree ...
> root@sevcenco: ~ # ls -l /lib/modules/`uname 
> -r`/kernel/drivers/crypto/padlock-*
> -rwxr--r-- 1 root root 14296 Mar 16 19:37 
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko
> -rwxr--r-- 1 root root 10808 Mar 16 19:37 
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-sha.ko
> 
> but if i try :
> root@sevcenco: ~ # modprobe -v padlock-aes.ko
> FATAL: Module padlock_aes.ko not found.
> 
> notice the change from - to _
> Any idea about this?
> or more abstract:
> has anyone succeeded in using padlock (VIA) hardware with openssl (or other
> software) in CentOS?

Have you run 'modprobe -a' since installing the modules?

James Pearson


Re: [CentOS] Replace NIS by Active Directory

2011-03-18 Thread Nico Kadel-Garcia
On Fri, Mar 18, 2011 at 11:19 AM, Alain Péan
 wrote:
> Le 18/03/2011 16:07, Nico Kadel-Garcia a écrit :
>
> 
> ... that the default maximum group or username is 8 characters,...
> 
>
> It was the case with Solaris, but fortunately not on Linux. I don't
> remember what the maximum length is, but I think it could be up to 128
> characters...
>
> Alain

Well, yes. Centrify reasonably says "are you sure about this" when
you try to set such long names, and can even mangle the names into the
shorter structure for you. (I don't recommend this.)

The booby traps arise when someone's login in Active Directory is, for
example, "NKadel", and you have your NIS/LDAP/whatever mapping think
that your home directory and username is "NKadel", but your old NIS
setup thought your login name was "nkadel".

This way lies mixed case support madness, which is why "just write a
shell script with ldapmodify" gets nastier than you might
realize.


Re: [CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread Stephen Harris
On Fri, Mar 18, 2011 at 04:23:18PM +, James Pearson wrote:
> Have you run 'modprobe -a' since installing the modules?

ITYM "depmod -a"

-- 

rgds
Stephen


Re: [CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread Adrian Sevcenco

On 03/18/2011 06:22 PM, Akemi Yagi wrote:
> On Fri, Mar 18, 2011 at 9:03 AM, Adrian Sevcenco
>   wrote:
>
>> Hi! I try to load a module that is found in the current
>> /lib/modules/`uname -r` tree ...
>> root@sevcenco: ~ # ls -l /lib/modules/`uname
>> -r`/kernel/drivers/crypto/padlock-*
>> -rwxr--r-- 1 root root 14296 Mar 16 19:37
>> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko
>> -rwxr--r-- 1 root root 10808 Mar 16 19:37
>> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-sha.ko
>>
>> but if i try :
>> root@sevcenco: ~ # modprobe -v padlock-aes.ko
>> FATAL: Module padlock_aes.ko not found.
>
> When using the modprobe command, you need to omit the ".ko" part.

Ufff ... I just copy-pasted the file name :((
root@sevcenco: ~ # modprobe -v padlock-aes
insmod /lib/modules/2.6.38-0.el5.elrepo/kernel/crypto/aes_generic.ko
insmod /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko

Thanks for help :)
Adrian





Re: [CentOS] creating a htpasswd file for certain urls

2011-03-18 Thread John Doe
From: Jason Slack-Moehrle 

>> I am in a kind of fix, I got a website (beta.somesite.com) that
>> needs to be password protected, however there are two URLs that
>> should be allowed to all without password access. On a CentOS box 5.5
>> I am running Apache.
>> The entire site needs password protection except for the below URLs.

Google ("apache protect pages except page") says:
http://snipplr.com/view/28785/htaccess-password-protect-your-entire-site-except-certain-pages/


JD




Re: [CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread m . roth
Adrian Sevcenco wrote:
> Hi! I try to load a module that is found in the current
> /lib/modules/`uname -r` tree ...
> root@sevcenco: ~ # ls -l /lib/modules/`uname
> -r`/kernel/drivers/crypto/padlock-*
> -rwxr--r-- 1 root root 14296 Mar 16 19:37
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko
> -rwxr--r-- 1 root root 10808 Mar 16 19:37
> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-sha.ko
>
> but if i try :
> root@sevcenco: ~ # modprobe -v padlock-aes.ko
> FATAL: Module padlock_aes.ko not found.

Here's a question: what kernel are you running? The most current CentOS
5.5 is 2.6.18-194.32.1.el5, while you're pointing to 2.6.38-0, unless I
misunderstand how the elrepo modules are installed.

 mark



Re: [CentOS] creating a htpasswd file for certain urls

2011-03-18 Thread Agnello George
On Fri, Mar 18, 2011 at 10:07 PM, John Doe  wrote:
> From: Jason Slack-Moehrle 
>
>>> I am in a kind of fix, I got a website (beta.somesite.com) that
>>> needs to be password protected, however there are two URLs that
>>> should be allowed to all without password access. On a CentOS box 5.5
>>> I am running Apache.
>>> The entire site needs password protection except for the below URLs.
>
> Google ("apache protect pages except page") says:
> http://snipplr.com/view/28785/htaccess-password-protect-your-entire-site-except-certain-pages/
>
>



I think the above link would have worked, but I was able to fix the
first part of my problem:



DirectoryIndex index.php
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Basic
AuthName "beta.somesite.com "
AuthUserFile /var/www/html/projects/beta.somesite.com/.htpasswd
Require valid-user
SetEnvIf request_uri "/wp-content" allow_all   #  this works perfectly
#SetEnvIf request_uriregex '/?cat=592&feed=rss2' allow_all
## this does not work ??!!
Satisfy any
Order allow,deny
Allow from env=allow_all



But the other part of my problem (
http://beta.somesite.com/?cat=592&feed=rss2 ), which is basically
params, I am unable to allow for RSS feeds.




-- 
Regards
Agnello D'souza


Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread Michael B Allen
On Fri, Mar 18, 2011 at 6:25 AM, John Hodrien  wrote:
> On Fri, 18 Mar 2011, Michael B Allen wrote:
>
>> Hi John,
>>
>> Arguably it's not the end-of-the-world to go through CNAMEs. If it
>> works for you, then don't let me deter you.
>
> Indeed it does, and it was the only way I could see you /could/ do this.
> Especially if you're not a domain admin.  I'm still not clear your method
> /can/ work.  Are you saying you've done it this way and it does?  With
> multiple A records if I do:
>
> ssh 10.0.0.1
>
> Which kerberos credential will the remote side use?
>
> With the CNAME approach, there's no ambiguity.
>
>> But you do realize that it requires the client to have logic to see
>> "ah, the record returned is a CNAME so let's use this name to build
>> the principal instead"?
>
> MIT kerberos suggests it uses this to figure out the SPN:
>
> gethostbyaddr(gethostbyname(host))

Hi John,

Actually I think this practice is now considered poor behavior. I look
at a lot of packet captures and I don't recall seeing PTR lookups. At
least not from Windows clients. Also I recall there was a discussion
about this on the Kerberos list and the verdict from one of the MIT
chaps was that it was actually not desirable to use PTR lookups.

> Surely that wouldn't care how I'd done it?  That requires the PTR record, and
> that it points back to the name of the principal you want to use.  With
> multiple PTR records to the same IP I can't work out how this is going to end.
> Will it round-robin and simply work because the remote end has all of them?

True. You cannot have multiple PTR records for an IP. I did not mean
to suggest that you could.

> Clearly sometimes there's not even a domain name to start with.  You can quite
> merrily do "ssh 10.0.0.1" and get a kerberised login.  With multiple PTRs to a
> single IP, I can only assume you'll round-robin through the credentials.  So
> when you add an A and PTR record and forget to add the principal, kerberos
> logins will fail 1/N of the time.

Well you should not use an IP at all really because IPs change. But if
the client is remotely sophisticated it should be able to do a PTR
lookup and try that name.

>
>> And I would not be surprised to see some scenario where the client actually
>> tried to get a ticket with the supplied name and then fell back to using the
>> CNAME in which case you have extra DNS and Kerberos traffic. If at some
>> point someone wants to use another HTTP client from a cron job or some Java
>> app, is that client going to handle the CNAME correctly?
>
> As far as I can tell, the client will be blissfully unaware.
>
>> What happens if the client application needs the original principal
>> name for some reason? It will get what the CNAME points to. That could
>> be weird for the app or a developer. And then if you move the website
>> to another server the principal name is now suddenly different?
>
> Yes.  But why would the developer care about the service principal name?  It's
> not often you're that introspective, you're normally more interested in the
> client's principal.

For very simple scenarios you probably would not care. But there could
be numerous reasons for wanting to know the name of the service you're
talking to.

>> CNAMEs in general are dubious. And not just for Kerberos.
>
> I think that's a little harsh.  CNAMEs seem to be unloved for reasons I'm not
> fully convinced by.  What is so bad about CNAMEs?
>
>> Also short names are dubious. Is it a NetBIOS name or does the client
>> have a proper DNS search suffix configured? And in the latter case it
>> takes extra DNS queries to get the name.
>
> AD always creates both short and FQDN forms of principals, I assume it's as
> you guessed because of a NetBIOSism, or because it's a cruft that can often
> fix broken setups.  I don't know, I only ever use the FQDN form.
>
>> Why have all this extra indirection on top of an already fickle protocol?
>
> I haven't actually found kerberos to be too fickle at all.

Kerberos requires that clients have access to the KDC, it depends
heavily on DNS, stale tickets can cause cryptic errors until clients
purge credential caches, etc. It's a great protocol conceptually. But
in practice it's not super robust. It can be difficult to track down
the source of issues. We had a customer who couldn't figure out a Kerberos
issue for days. They had checked the time on the machine and thought
it was correct but it was actually off by exactly 12 hours. Meaning it
was set to like 2:43 AM when it was really 2:43 PM.

>> Regarding PTR records, I don't think kerberos would have any problem
>> without them.
>
> As far as I knew MIT kerberos doesn't work at all without them, due to the way
> it calculates service principals.  Certainly if you have a pair of A records
> for the same IP, and the PTR record points to the name that doesn't match the
> service principal it all will not work.

My business is all about integrating non-Windows systems into Windows
environments so I don't look 

[CentOS] Apache/Active Directory authentication

2011-03-18 Thread R P Herrold
On Fri, 18 Mar 2011, Michael B Allen wrote:

> True. You cannot have multiple PTR records for an IP. I did not mean
> to suggest that you could.

Not saying you are wrong here, but have you an RFC reference 
to this effect?  We previously held this belief from our prior 
practice, but cannot find a clear prohibition of such.  As 
such our DNS zonefile management code does not enforce such a 
limitation presently.

Considering the issue from the other side, there is nothing 
that requires simplicity of implementation of a client that 
says it can accept only a single PTR, rather than an array of 
replies and then walking the reverses.

-- Russ herrold


Re: [CentOS] modprobe :: not finding existing .ko

2011-03-18 Thread Ned Slider
On 18/03/11 16:49, m.r...@5-cent.us wrote:
> Adrian Sevcenco wrote:
>> Hi! I try to load a module that is found in the current
>> /lib/modules/`uname -r` tree ...
>> root@sevcenco: ~ # ls -l /lib/modules/`uname
>> -r`/kernel/drivers/crypto/padlock-*
>> -rwxr--r-- 1 root root 14296 Mar 16 19:37
>> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-aes.ko
>> -rwxr--r-- 1 root root 10808 Mar 16 19:37
>> /lib/modules/2.6.38-0.el5.elrepo/kernel/drivers/crypto/padlock-sha.ko
>>
>> but if i try :
>> root@sevcenco: ~ # modprobe -v padlock-aes.ko
>> FATAL: Module padlock_aes.ko not found.
> 
> Here's a question: what kernel are you running? The most current CentOS
> 5.5 is 2.6.18-194.32.1.el5, while you're pointing to 2.6.38-0, unless I
> misunderstand how the elrepo modules are installed.
>

That's not an elrepo kmod, it's an elrepo kernel (kernel-ml) he is running:

http://elrepo.org/tiki/kernel-ml
http://elrepo.org/linux/kernel/el5/

Elrepo also provide the latest stable (currently 2.6.38) and latest long 
term (2.6.35.11) kernels from upstream built and packaged for RHEL5. 
These aren't recommended for production use but may prove useful for 
testing hardware and/or troubleshooting purposes.




Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread Michael B Allen
On Fri, Mar 18, 2011 at 2:58 PM, R P Herrold  wrote:
> On Fri, 18 Mar 2011, Michael B Allen wrote:
>
>> True. You cannot have multiple PTR records for an IP. I did not mean
>> to suggest that you could.
>
> Not saying you are wrong here, but have you an RFC reference
> to this effect?  We previously held this belief from our prior
> practice, but cannot find a clear prohibition of such.  As
> such our DNS zonefile management code does not enforce such a
> limitation presently.
>
> Considering the issue from the other side, there is nothing
> that requires simplicity of implementation of a client that
> says it can accept only a single PTR, rather than an array of
> replies and then walking the reverses.

Hello R,

No, I do not have a citation and theoretically having multiple PTR
records for an IP might actually be quite reasonable. However, I would
imagine it would be fairly limited to things like clusters or servers
that should have the outward appearance of being identical. For
something like kerberos with HTTP servers doing virtual hosting (like
what John and I have been discussing in this thread), I suspect
multiple PTRs for the web server would create quite a mess.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/


Re: [CentOS] rpm split

2011-03-18 Thread Joseph L. Casale
Tried sending this a while ago, but looks like mailman blocked it?

>But I don't know how to write the spec file so a simple yum update will
>install both packages and it won't create any problems.

A few options here, create a %{name} .spec with:

# This is part one, or the main component
%description
%files
...

%package part_two
Requires: %{name}
...
%description part_two
Smaller part of %{name}
%files part_two
...

Check an example out, one I was using recently to build another was:
https://git.icinga.org/?p=icinga-core.git;a=blob_plain;f=icinga.spec;hb=HEAD

Hth,
jlc



[CentOS] Safe/sane tempfile creation?

2011-03-18 Thread Dr. Ed Morbius
I'm used to Debian-based distros which have a tempfile(1) utility for
safely and sanely creating temporary files.

There isn't a comparable utility for RHEL/CentOS systems.

I've been exercising Google-fu looking for a good robust tempfile
generation idiom, but haven't turned one up yet.

Hence this appeal to the lazyweb.

-- 
Dr. Ed Morbius, Chief Scientist /|
  Robot Wrangler / Staff Psychologist| When you seek unlimited power
Krell Power Systems Unlimited|  Go to Krell!


Re: [CentOS] Safe/sane tempfile creation?

2011-03-18 Thread John R. Dennison
On Fri, Mar 18, 2011 at 06:33:14PM -0700, Dr. Ed Morbius wrote:
> I'm used to Debian-based distros which have a tempfile(1) utility for
> safely and sanely creating temporary files.
> 
> There isn't a comparable utility for RHEL/CentOS systems.

Sure there is.  mktemp; contained within the package with the
same name.



John

-- 
 trying to play sturgeon while it's under attack is apparently not fun.


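Since the thread settles on mktemp as the RHEL/CentOS replacement for Debian's tempfile(1), here is an added example (not from either poster) of the race-free idiom the original question asked for, as a POSIX shell script; the names make_tmpfile, make_tmpdir and demo_tmpfile_roundtrip are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: the mktemp(1) idiom that replaces
# Debian's tempfile(1) on RHEL/CentOS (mktemp ships in the package of
# the same name). Function names are hypothetical.

# Create a private temporary file and print its path.
# mktemp opens the file with O_CREAT|O_EXCL and mode 0600, so a name
# guessed from $$ or a symlink planted in /tmp cannot be hijacked; the
# trailing X's of the template are replaced with random characters.
make_tmpfile() {
    prefix=${1:-scratch}
    dir=${TMPDIR:-/tmp}
    f=$(mktemp "$dir/$prefix.XXXXXXXXXX") || return 1
    # Belt and braces: mktemp already guarantees this, but confirm the
    # result is a plain file, owned by us, mode 0600, before using it.
    if [ -z "$(find "$f" -type f -user "$(id -un)" -perm 600 -print 2>/dev/null)" ]; then
        rm -f -- "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Same idea for a private scratch directory (mode 0700), the right choice
# when a job needs several temp files rather than one.
make_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/${1:-scratch}.XXXXXXXXXX") || return 1
    [ -n "$(find "$d" -type d -user "$(id -un)" -perm 700 -print 2>/dev/null)" ] \
        || { rmdir "$d"; return 1; }
    printf '%s\n' "$d"
}

# Typical use: create, register cleanup on every exit path, then use it.
# Prints the number of lines written (1 for the constructed sample below).
demo_tmpfile_roundtrip() {
    tmp=$(make_tmpfile demo) || return 1
    # Remove the file whether we finish normally, fail, or get interrupted.
    trap 'rm -f -- "$tmp"' EXIT HUP INT TERM
    printf 'constructed sample line\n' > "$tmp"
    wc -l < "$tmp" | tr -d ' '
}
```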


Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread Nico Kadel-Garcia
On Fri, Mar 18, 2011 at 2:36 PM, Michael B Allen  wrote:
> On Fri, Mar 18, 2011 at 6:25 AM, John Hodrien  wrote:

>> Surely that wouldn't care how I'd done it?  That requires the PTR record, and
>> that it points back to the name of the principal you want to use.  With
>> multiple PTR records to the same IP I can't work out how this is going to 
>> end.
>> Will it round-robin and simply work because the remote end has all of them?
>
> True. You cannot have multiple PTR records for an IP. I did not mean
> to suggest that you could.

You *shouldn't*. But there's nothing in Bind or the other common DNS
architectures that enforces this practice, and I'm afraid that it's
quite common for poorly configured systems that support dynamic DNS to
permit this. It's why I give admins of Active Directory based systems
such a hard time and try to insist that they allow me at least one
location that I can do actual zone transfers, to detect multiple PTR's
for one IP address, or the same hostname having multiple PTR's that
point to it.

The old "mkrdns" tool used to be fabulous for detecting, configuring,
and correctly handling multiple A records and notifying you of their
existence: I still appreciate its simplicity and robustness.

 Nico Kadel-Garcia 

>>> Actually I seem to recall that once upon a time old Kerberos clients used to
>>> automatically try PTR lookups to get the primary hostname 

Re: [CentOS] Cannot %include in CentOS 5.5 kickstart

2011-03-18 Thread whitivery
whitivery  wrote:

>whitivery  wrote:
>
>>whitivery  wrote:
>>
>>>Patrick Lists
>>> wrote:
>>>
On 03/10/2011 08:14 AM, whitivery wrote:
> # This does not work
> %include /tmp/drvdisk
>
> # This works
> #driverdisk
> --source=nfs:10.0.4.157:/srv/cobbler/RHEL5.5_x86_402_409_410_DD.img
>
>
> %packages
> @base
> @core
>
> %pre --erroronfail
>
> echo "driverdisk
> --source=nfs:10.0.4.157:/srv/cobbler/RHEL5.5_x86_402_409_410_DD.img">
> /tmp/drvdisk

Although lacking a good caffeine fix the only difference I notice with 
some examples is that they do this:

%include /tmp/drvdisk.sh
.
.
.
%pre
echo "driverdisk --source=nfs:10.1.2.3:/foo/image.img" > /tmp/drvdisk.sh

Notice the usage of ".sh" in the drvdisk.sh filename?
>>>
>>>Thanks for the idea - but it didn't make any difference.  I even did chmod
>>>+x on the created file.  I'm suspecting it's something specific to the
>>>driverdisk command, I'll play around if I get a chance and see if
>>>including other things works as expected - in my previous 4.4 work I never
>>>used a driver disk.
>>
>>Today I tried including something other than driverdisk (I put the
>>partitioning commands in an include file), and it works fine.  So it's
>>something specific to the driverdisk command.
>
>Today I tried HTTP instead of NFS for driver disk access.  It made no
>difference - works fine when directly in the kickstart file, fails when
>attempt to %include it.

Today I found out that this has never worked, and will not be changed in
any existing RHEL/CentOS version.  See:
http://www.redhat.com/archives/kickstart-list/2011-March/msg8.html




Re: [CentOS] Safe/sane tempfile creation?

2011-03-18 Thread Dr. Ed Morbius
on 20:35 Fri 18 Mar, John R. Dennison (j...@gerdesas.com) wrote:
> On Fri, Mar 18, 2011 at 06:33:14PM -0700, Dr. Ed Morbius wrote:
> > I'm used to Debian-based distros which have a tempfile(1) utility for
> > safely and sanely creating temporary files.
> > 
> > There isn't a comparable utility for RHEL/CentOS systems.
> 
>   Sure there is.  mktemp; contained within the package with the
>   same name.

My error.

Thank you.

-- 
Dr. Ed Morbius, Chief Scientist /|
  Robot Wrangler / Staff Psychologist| When you seek unlimited power
Krell Power Systems Unlimited|  Go to Krell!

