Re: [CentOS] Strange Kernel for Centos 5.5

2011-02-12 Thread Natxo Asenjo
On Sat, Feb 12, 2011 at 3:38 AM, Drew  wrote:
>> RHEL and CentOS have much, much tighter basic privilege handling. The
>> complexity of the NTFS ACL structure, for example, is so frequently
>> mishandled that it's often ignored and simply dealt with as
>> "Administrator". The result is privilege escalation chaos.
>
> And how is the user-group-world permissions system any better?
>
> I work daily with both *nix & NTFS ACL's and given the choice I prefer
> NTFS' for the finer grained control.
>
> You want to create a folder in which user A & B have access to but
> nobody else? In *nix you create a group that both those users belong
> to and set the folder to use that group's permissions. In NTFS you set
> the ACL's so those two users have (almost) full access to the folder.
> Simple enough.

in unix you can use acls as well. See getacl/setacl. No sweat.

Anyway, neither in windows nor in unix/linux you want to specify
permissions on a per user level. Always groups. If the user leaves the
company and the permissions are on a per user level you need to start
all over again. If on a per group level, just disable/remove the user
from the group and it keeps working for the rest of members.

Bonus points if you enable your helpdesk group to administer the groups
and the children folders so you no longer have to waste any time with
this boring stuff.

-- 
natxo
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Strange Kernel for Centos 5.5

2011-02-12 Thread Natxo Asenjo
On Sat, Feb 12, 2011 at 2:09 PM, Christopher Chan
 wrote:
> On Saturday, February 12, 2011 09:02 PM, Natxo Asenjo wrote:

>> Anyway, neither in windows nor in unix/linux you want to specify
>> permissions on a per user level. Always groups. If the user leaves the
>> company and the permissions are on a per user level you need to start
>> all over again. If on a per group level, just disable/remove the user
>> from the group and it keeps working for the rest of members.
>
> And what do you do when you have cases that a user needs access to these
> set of files/directories but not all the files/directories the group has
> access to?

If you are in such a scenario, then you have not planned your folder
structure well enough :-)

What do you do when you have thousands of users in your company? Do
you keep individual permissions or do you use group permissions?

I know what I'd rather do, especially if I need to audit that folder
structure.

-- 
natxo
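
The point made in this message and in the earlier one in the thread (grant through groups, and keep the tree auditable), as an added example that is not part of the original posts: a filter over `getfacl` output that lists every ACL entry granted to a named user instead of a group. The directory names, users, groups and the ACL dump are constructed sample data.

```shell
#!/bin/sh
# Added example: find ACL entries granted to individual users rather than groups.
# Input is the text printed by getfacl; the dump below is constructed sample data.

# Constructed getfacl-style dump: "alpha" has per-user entries, "beta" is group-only.
sample_getfacl_output() {
    cat <<'EOF'
# file: srv/projects/alpha
# owner: root
# group: alpha
user::rwx
user:alice:rwx                  #effective:r-x
group::r-x
group:alpha:r-x
mask::r-x
other::---
default:user::rwx
default:user:bob:rw-
default:group::r-x
default:group:alpha:r-x
default:mask::rwx
default:other::---

# file: srv/projects/beta
# owner: root
# group: beta
user::rwx
group::r-x
group:beta:rwx
group:helpdesk:rwx
mask::rwx
other::---
EOF
}

# Read a getfacl dump on stdin, print "path<TAB>entry" for every named-user
# entry, including inherited defaults ("default:user:NAME:perms").
named_user_acl_entries() {
    awk '
        /^# file: /  { path = substr($0, 9); next }   # remember the current object
        /^#/ || /^$/ { next }                         # owner/group comments, separators
        {
            entry = $1                                # drops any "#effective:" column
            split(entry, f, ":")
            off = (f[1] == "default") ? 1 : 0
            # "user::rwx" is the owner entry; only a non-empty name is a per-user grant
            if (f[1 + off] == "user" && f[2 + off] != "")
                printf "%s\t%s\n", path, entry
        }'
}

# Distinct user names holding direct grants: the list to revisit when someone leaves.
users_with_direct_grants() {
    named_user_acl_entries | awk -F'\t' '{ n = split($2, f, ":"); print f[n - 1] }' | sort -u
}

# Succeeds only when the dump on stdin contains no per-user grants.
acl_dump_is_group_only() {
    [ -z "$(named_user_acl_entries)" ]
}

# Demo on the constructed dump. On a real tree the input would come from
# something like: getfacl -R -p /srv/projects
sample_getfacl_output | named_user_acl_entries
```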


[CentOS] network bound disk encryption bond interface not working

2021-12-15 Thread Natxo Asenjo
hi,

running 8.5 I cannot get to automatically unlock the luks container on a
dell poweredge 740.

This is the setup. The clevis client has bound a tang server:

# clevis luks list  -d /dev/sdb2
1: tang '{"url":"http://10.x.x.200"}'

This sdb2 is the boot device.

dracut config:

kernel_cmdline="bond=bond0:eno1,eno2:mode=4,miimon=100 ip=10.xx.x.1::10.xx.x.254:255.255.255.0::bond0:none  "
omit_dracutmodules+="ifcfg"

After a reboot, I see that the tang server receives a post from this ip,
and sends a 200 back:

16:45:02.247838 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
TCP (6), length 60)
10.xx.x.200.80 > 10.xx.x.1.46374: Flags [S.], cksum 0x391b
(incorrect -> 0x0686), seq 2182485757, ack 3195393805, win 28960,
options [mss 1460,sackOK,TS val 329378980 ecr 3156670178,nop,wscale
7], length 0
16:45:02.248057 IP (tos 0x0, ttl 63, id 8950, offset 0, flags [DF],
proto TCP (6), length 52)
10.xx.x.1.46374 > 10.xx.x.200.80: Flags [.], cksum 0xa58d
(correct), ack 1, win 229, options [nop,nop,TS val 3156670178 ecr
329378980], length 0
16:45:02.248191 IP (tos 0x0, ttl 63, id 8951, offset 0, flags [DF],
proto TCP (6), length 448)
10.xx.xx.1.46374 > 10.xx.x.200.80: Flags [P.], cksum 0x134d
(correct), seq 1:397, ack 1, win 229, options [nop,nop,TS val
3156670178 ecr 329378980], length 396: HTTP, length: 396
POST /rec/BMZ0nj7Ecn79Au8t24041JoChXk HTTP/1.1
Host: 10.xx.x.200
User-Agent: curl/7.61.1
Accept: */*
Content-Type: application/jwk+json
Content-Length: 230


{"alg":"ECMR","crv":"P-521","kty":"EC","x":"ARUMMnBG_wm8o3KuHk9qnEPbft1M7SMSlHkFHiSD0dDZSegvIZARe8U1V6lsaYZGSJ8mPBvI-NlUUc4yrdF3naaz","y":"ANQwwFFAEzl6UWiDrv37Pr8yTuWdwlDwq_QR0Q9TNP34_fsJAZ-y3oJv0uIoat6KLhPylWTjAY_jJIblOzWhQZpW"}
16:45:02.248215 IP (tos 0x0, ttl 64, id 58644, offset 0, flags [DF],
proto TCP (6), length 52)
10.xxx.xx.200.80 > 10.xx.x.1.46374: Flags [.], cksum 0x3913
(incorrect -> 0xa3fb), ack 397, win 235, options [nop,nop,TS val
329378980 ecr 3156670178], length 0
16:45:02.282326 IP (tos 0x0, ttl 64, id 58645, offset 0, flags [DF],
proto TCP (6), length 69)
10.xx.x.200.80 > 10.x.x.1.46374: Flags [P.], cksum 0x3924
(incorrect -> 0xe3fa), seq 1:18, ack 397, win 235, options [nop,nop,TS
val 329379014 ecr 3156670178], length 17: HTTP, length: 17
HTTP/1.1 200 OK


So basically, it should unlock, but it's not unlocking.

Does anyone have experience with bond interfaces and nbde on 8/9?

TIA.

-- 
regards,
Natxo


Re: [CentOS] cfengine vs. puppet

2010-08-27 Thread Natxo Asenjo
On Fri, Aug 27, 2010 at 5:15 PM, Les Mikesell  wrote:
> cfengine has a bit more cross-platform capability, but note that CentOS
> supplies a 2.x release where the project has moved on to 3.x with wildly
> different syntax, and a native windows build is only available in the
> commercial version.

cfengine 2.x will be with us for years to come. It works great, it's
easy to deploy, easy to use and has few dependencies.

Cfengine3 is interesting, but I'll wait until Campi and Bauer write the
3rd edition of "Automating Linux and Unix System Administration" ;-)
(the $40 I spent on Automating Linux and Unix System Administration,
Second Edition by Campi and Bauer have made my life so much easier:
thanks guys!).

As to the windows build: no-one prevents you from building it yourself
and running it, it is not that difficult:
http://blog.zzamboni.org/installing-cfengine-on-windows-7-under-cygwin.
You could even (gasp) consider buying the commercial version, Windows
shops are used to paying for software anyways ;-)

No experience with puppet, though. I am happy with cfengine already :-)

-- 
natxo


Re: [CentOS] Interpreting logwatch

2010-09-08 Thread Natxo Asenjo
On Wed, Sep 8, 2010 at 6:17 PM, Bill Campbell  wrote:

> I think it's a mistake to discount any attacks involving php as
> the vast majority of the systems I have had to clean up after
> cracks have been compromised through php vulnerabilities, usually
> in conjunction with weak user level passwords.
>
> IMHO, admin tools like phpMyAdmin, webmin, and usermin should be
> carefully restricted, preferably only accessible via a private
> LAN, not from the public internet.  Use a VPN to access from the
> public internet if necessary.  We don't install usermin in most
> cases as I have seen it used to exploit security bugs on old SuSE
> systems that permit root access.

Last time I checked, webmin and usermin were written in Perl ;-), no php there.

If you're running a web app with a known vulnerability and it's
available from the internet, then you're in trouble, that's for sure.

--
natxo


Re: [CentOS] looking for cool, post-install things to do on a centos 5.5 system

2010-09-17 Thread Natxo Asenjo
On Fri, Sep 17, 2010 at 9:39 AM, Robert P. J. Day  wrote:
>
>
>  logging utilities?  intrusion detection?  monitoring?  anything that
> leaps to mind that i can use to fill up a few more hours.  i'm already
> thinking of showing how to build and boot a new kernel.  other ideas?
> thanks.

sysadmins should now really know about configuration management tools.
So show them how to bootstrap an infrastructure with kickstart and
cfengine (or puppet or chef or ...)

-- 
natxo


Re: [CentOS] excel parser (preferably perl)?

2010-10-20 Thread Natxo Asenjo
On Tue, Oct 19, 2010 at 12:13 AM, Les Mikesell  wrote:
> I'm getting tired of converting spreadsheets that someone else updates
> to csv so my perl scripts can push the data into a mysql database.  Is
> there a better way?  I haven't had much luck with
> perl-Spreadsheet-ParseExcel (and find it odd that yum prefers the .32
> version from epel over .57 from rpmforge anyway).  Is the current CPAN
> version better?  Or the equivalent java tools?  Or maybe a scripted
> OpenOffice conversion would be possible.

No idea about the csv from excel, but I have had good experiences with
Text::CSV_XS.

-- 
natxo


Re: [CentOS] Centos and Bridging

2010-11-27 Thread Natxo Asenjo
On Sat, Nov 27, 2010 at 6:23 AM, Nico Kadel-Garcia  wrote:
> On Fri, Nov 26, 2010 at 3:00 PM, Alan Hodgson  wrote:
>> On November 26, 2010 11:25:06 am Nico Kadel-Garcia wrote:
>>> KVM, itself, was unusable in my testing due to the "bridged network"
>>> mishandling and its complete lack of a concept of failover for network
>>> issues, particularly pair bonding for the server itself. PXE for the
>>> clients was unusable, and it ran like a dyslexic on too many opiates,
>>> slow, twitchy, and unpredictable.
>>
>> The UI in RHEL 5/CentOS 5 is definitely very limited, but KVM does work with
>> all these things under the hood. In particular KVM seems to run fine on top of
>> a simple host bridge, which can in turn rely on a bonded interface. I have had
>> no problems with boot support, although I confess I don't use PXE - DHCP and
>> kickstart over the LAN work fine, though.
>
> It is not merely "limited".
>
> PXE is very common for server installations of brand new hardware, or
> for remote KVM managed hardware, to avoid having to pop a CD in it.
> It's well understood, and I got nowhere, even with it for KVM. (VMWare
> and Xen worked fine.)

interesting. I have a working home lab with KVM and I bootstrap all my
vm's from pxe, both win and lin. So I know it works fine. Not managed
from the virtual machine manager, though. Next year I will be evaluating
it, and it has better support pxe :)

-- 
natxo


Re: [CentOS] OT: programming language for morons (newbie friendly language in Open Source world)

2010-12-14 Thread Natxo Asenjo
On Mon, Dec 13, 2010 at 11:02 PM, Adam Tauno Williams
 wrote:
> On Mon, 2010-12-13 at 14:49 -0700, Warren Young wrote:
>> On 12/13/2010 9:37 AM, Les Mikesell wrote:
>> > On 12/13/2010 10:14 AM, Sven Aluoor wrote:



>> > Perl is probably the easiest next step for someone who has shell
>> > scripting experience.
>> Seconded.
>
> -1 Perl is a withering dinosaur.

Comments like this one show you know nothing about modern Perl.

>> Don't be distracted by the Perl 6 noise.  Perl 6 has been "coming" for a
>> decade now,
>
> +1
>
> I expect by the time P6 arrives very few people will care;  Perl has
> been fading for a long time.

http://blog.timbunce.org/2008/03/08/perl-myths/

now, are we done spreading FUD about Perl yet? If you do not like it,
do not use it. A lot more people like it than you think possible,
shocking ain't it.

-- 
natxo


Re: [CentOS] OT: programming language for morons (newbie friendly language in Open Source world)

2010-12-14 Thread Natxo Asenjo
On Tue, Dec 14, 2010 at 11:18 AM, David Sommerseth
 wrote:
> On 13/12/10 17:32, Lamar Owen wrote:
>> On Monday, December 13, 2010 11:14:24 am Sven Aluoor wrote:
>>> What programming language should I learn?
>>
>> Python.  You can find useful examples of python code throughout CentOS,
>> beginning with yum itself.  Get yourself a copy of 'Dive into Python' (can be
>> had as a free download, legally) and, well, dive into python!
>
> I completely agree!  Python is really worth looking at.  And a lot of
> the tools on RHEL/CentOS are written in Python.
>
> 
>
> I see quite some people suggest Perl.  I've been in that camp as well,
> but I personally find Python much more intuitive than Perl, and also a
> lot more consistent.  Perl is truly like paint, you can splash the
> colours around just like you want.  The learning curve for Perl is quite
> higher than Python in my experience.

Did you learn Perl first? Then learning something else on top of that
is easier. Programming languages share lots of concepts.

>
> "Dive into Python" helped me to really get started, and it went fast
> with this book.

Modern Perl: http://www.onyxneon.com/books/modern_perl/ is also free
to download as a pdf file. Great book to get started.

> Python enforces you to be more consistent, which is not a bad thing if
> you want to understand better what you are doing in the very beginning.
>  Later on Perl, Ruby, C#, Java, C/C++ might be good alternatives, as
> they probably are much stronger in a lot of fields for more complex tasks.

use strict;
use warnings;

if you write Perl and do not use that, you will have problems, yes.

> But remember each tool has its own use case.  You don't need a hammer
> when you have screws.  It's the same with programming languages.  And
> Python and Perl are often used as the "Swiss Army Knife".  Useful for a
> lot of ad-hoc and not too heavy routine tasks, but you won't rely on it
> when going hunting in the wilderness.

well, Perl helps me daily in the wilderness of my job. I do not
understand the analogy, but it probably is my fault ;-)

>
> kind regards,
>
> David Sommerseth

-- 
regards,
natxo


Re: [CentOS] OT: programming language for morons (newbie friendly language in Open Source world)

2010-12-14 Thread Natxo Asenjo
On Tue, Dec 14, 2010 at 9:55 PM, Kwan Lowe  wrote:
> On Tue, Dec 14, 2010 at 2:41 PM, Les Mikesell  wrote:
>> On 12/14/2010 1:16 PM, Adam Tauno Williams wrote:
>>>
>>>
>>> Personally I've banned Perl from the network primarily because of the
>>> maintenance disaster that is CPAN.
>>
>> And your perfectly maintained public source of equivalent functionality
>> is in what language?
>>
>> But, you should rarely if ever use CPAN code directly in Centos for the
>> same reasons you wouldn't drop a stock upstream kernel every few days.
>> Most of what you are likely to need are packaged - and maintained - in
>> EPEL or rpmforge.
>
> :)
> Thank goodness for CPAN2RPM.  I use it quite often for the occasional
> package that is not in the default repos.

shhh, do not spoil the ideas that Perl and the CPAN are dreadful beasts
and horrible to maintain ;-)

http://www.slideshare.net/davorg/perl-in-rpmland-presentation

As to debian based distributions, the Perl support there is excellent
and if a module is not available from the repositories, creating your
own package is quite trivial with dh-make-perl.

It kind of gets boring to see Perl attacked for no reason. The problem
is: if you do not counter the claims, they show up in Google and then
people will think Perl is bad. So this is why one has to set it
straight.

It is quite funny that when pythonistas come across 'bad python', they
say: oh, they *clearly* do not understand the language, that is why this
code is bad. So: why would it be different in any other language?

> As to Perl.. though it still is my preferred language for getting
> things done (mainly because I understand it that I first think out
> problems in Perl then convert to other languages), I have seen some
> bad, really bad Perl code..

of course. Have you seen really bad (C|Python|Visual Basic|shell|.*)? I
guess so too. Will that have to do with the coder or with the language?

-- 
natxo


Re: [CentOS] automated remote cloning

2011-01-05 Thread Natxo Asenjo
On Mon, Jan 3, 2011 at 1:55 PM, Kwan Lowe  wrote:
> On Sat, Jan 1, 2011 at 6:50 AM, Geoff Galitz  wrote:

[snip]

>> Any pointers to good automated solutions?
>
> Do you use cfengine or puppet in your environment?  If you install the
> base packages via post installation scripts, you can use cfengine to
> layer on specific host identities (hostname, IP, configuration,
> packages, etc.).  With either of these tools you can import
> configurations from a running host and then layer them back to a new
> host.  There is some considerable setup to get it to that point, but
> lots of scripts available online so much of the work is done.

+1 on cfengine. (Kickstart|Jumpstart|Fai) + cfengine = admin nirvana.

This also applies to puppet/chef/whatever. Just use management software.

-- 
natxo


Re: [CentOS] Adding Update repository at install time

2012-12-04 Thread Natxo Asenjo
On Tue, Dec 4, 2012 at 9:50 PM, Robert Moskowitz  wrote:
> This is easy with Fedora, as the various 'common' repos are listed and
> all I have to do is change the URL
>
> Anyway, I am doing a netinstall of Centos 6.3 i386 from my local repo.
> I also have the updates repo.  How can I add the updates repo so that I
> get it up to snuff right away (like I have been doing with Fedora for
> quite some time)?

You can use the --cost option in the repo section
(http://fedoraproject.org/wiki/Anaconda/Kickstart#repo).

This works for me:

repo --name="Centos" --baseurl=http://host/mrepo/centos6-i386/RPMS.os --cost=100
repo --name="Centos updates" --baseurl=http://host/mrepo/centos6-i386/RPMS.updates --cost=100

-- 
regards,
natxo


Re: [CentOS] Adding Update repository at install time

2012-12-04 Thread Natxo Asenjo
On Tue, Dec 4, 2012 at 10:42 PM, Robert Moskowitz  wrote:
>
> On 12/04/2012 04:27 PM, Natxo Asenjo wrote:

>>> Anyway, I am doing a netinstall of Centos 6.3 i386 from my local repo.
>>> I also have the updates repo.  How can I add the updates repo so that I
>>> get it up to snuff right away (like I have been doing with Fedora for
>>> quite some time)?
>>
>> You can use the --cost option in the repo section
>> (http://fedoraproject.org/wiki/Anaconda/Kickstart#repo).
>>
>> This works for me:
>>
>> repo --name="Centos" --baseurl=http://host/mrepo/centos6-i386/RPMS.os
>> --cost=100
>> repo --name="Centos updates"
>> --baseurl=http://host/mrepo/centos6-i386/RPMS.updates --cost=100
>
>
> I am in the install at the selection of which type of install (I chose Web
> Server). So 'Add Additional software repositories' does not have any cost
> item in the dialog box.
>
> Do I just name the repo "Centos updates" and point to my URL?

I'm sorry, I am afraid I misunderstood the question. I thought you
wanted to modify a kickstart file, my mistake (for me netinstalls
equal pxe and unattended, but it does not have to be).

-- 
regards,
natxo


Re: [CentOS] Questions on making a kickstart cfg

2012-12-07 Thread Natxo Asenjo
On Fri, Dec 7, 2012 at 8:28 PM, Robert Moskowitz  wrote:
> So I took the anaconda cfg, commented out the partition/disk pieces and
> ran it off my repo server and it almost worked.
>
> Little things like not including things I had done on network setup.  No
> first boot  :)
>
> So now I am reading up on building a kickstart cfg
>
> http://wiki.centos.org/TipsAndTricks/KickStart
> http://www.centos.org/docs/5/html/5.2/Installation_Guide/s1-kickstart2-howuse.html

those sites are a bit outdated. This one is much more actual:

http://fedoraproject.org/wiki/Anaconda/Kickstart

-- 
regards,
natxo


Re: [CentOS] home directory server performance issues

2012-12-10 Thread Natxo Asenjo
On Mon, Dec 10, 2012 at 6:37 PM, Matt Garman  wrote:
> I’m looking for advice and considerations on how to optimally setup
> and deploy an NFS-based home directory server.  In particular: (1) how
> to determine hardware requirements, and (2) how to best setup and
> configure the server.  We actually have a system in place, but the
> performance is pretty bad---the users often experience a fair amount
> of lag (1--5 seconds) when doing anything on their home directories,
> including an “ls” or writing a small text file.

I know this is the centos forum, however, if you are still in a
testing phase, then I can recommend you try solaris derivatives like
nexenta or omnios. The NFS server performance in linux is simply not
the same as on those using the same hardware. You also get true acls
(no posix, but nfsv4 acls, comparable to those in ntfs),
deduplication, compression, and snapshots (ZFS!).

Nexenta is free as in beer up to 18TB and has a great web interface,
omnios is just free but you need to know how to use solaris.

If you stay with the linux nfs servers, look into the io scheduler
setting of the disks. I managed to double the performance of a
proliant raid controller (don't remember which model, sorry) by
changing the standard cfq to noop. Shortly after that I came across
nexenta and moved all our NFS loads there. Later we got a netapp
cluster, but the nexenta filers are still kicking around.

-- 
regards,
natxo


Re: [CentOS] fixing partition alignment ?

2012-12-13 Thread Natxo Asenjo
On Wed, Dec 12, 2012 at 4:36 PM, Laurent Wandrebeck
 wrote:
> Hi there,
>
> I've discovered that most of the hard drives used in our cluster got
> misaligned partitions, thus crippling perfs. Is there any way to fix
> that without having to delete/recreate properly aligned partitions, then
> format it and refill disks ?
> I'd be glad not to have to toy with moving several 10s of TB disk by
> disk :D (most disks are JBOD as we're using a fault tolerant network
> FS, moosefs not to name it).
>  wasn't helpful, unfortunately.
> Drives are ext4, driven by C6 x86_64.

boot the server with a gparted livecd / pxe ; move the partitions
around with an offset of 1MB at the start of the disk/volume. I do not
know if this trick will work with lvm, in this case you need to move
the data around and recreate the volumes with the correct offset.

Have fun!

-- 
regards,
natxo


Re: [CentOS] Off-Topic: Low Power Hardware

2013-01-14 Thread Natxo Asenjo
On Mon, Jan 14, 2013 at 10:03 PM, John R Pierce  wrote:
> On 1/14/2013 7:24 AM, Phil Dobbin wrote:
>> Looking at the specs for N40Ls though put me off because they're rated
>> at 150W. Or am I missing something here?
>
> that may be the PSU rating, but 55W active is more typical, and that's
> with 4 3TB 7200rpm SATA drives.
>
> btw, those AMD Neo CPUs are no slouches, they seem quite a bit faster
> than the equivalent Intel Atom processors.
>
> I have a N40L with 8GB ram and 4 x 3TB running FreeNAS off a 4GB USB
> stick (internal), runs quite nicely.   8.1TB (binary) usable with ZFS
> raidz...   it's functioning as my home SMB and Media server, I get a
> consistent 80MB/second reading/writing large files from a windows
> desktop -> freeNAS using windows file sharing over gigE, that's about as
> good as it gets (the SATA drive on my desktop formatted NTFS probably
> isn't much faster).

+1 on the setup. I have it with 10GB ram (I found out that this ram
block: Corsair XMS3 CMX8GX3M1A1333C9 also works in the HP N40L, so in
theory you could go to 16GB ram, 8GB cost me €30).

-- 
natxo


Re: [CentOS] Off-Topic: Low Power Hardware

2013-01-15 Thread Natxo Asenjo
On Tue, Jan 15, 2013 at 12:30 AM, John R Pierce  wrote:
> On 1/14/2013 2:54 PM, Natxo Asenjo wrote:
>> +1 on the setup. I have it with 10GB ram (I found out that this ram
>> block: Corsair XMS3 CMX8GX3M1A1333C9 also works in the HP N40L, so in
>> theory you could go to 16GB ram, 8GB cost me €30).
>
> yeah, I found out they could take 2 x 8GB about 30 hours after I'd
> placed my order for 2x4GB 
>
> hmm, that PN isn't ECC, did you use non-ECC memory?   I'm kind of a
> stickler for using ECC on servers, helps prevent bit errors from
> creeping in.

for a home server I'm willing to take the chance ...

--
natxo


Re: [CentOS] weird issue with qemu-kvm network...

2013-02-04 Thread Natxo Asenjo
On Sat, Feb 2, 2013 at 2:12 AM, James Hogarth  wrote:

> If you need bonding or vlans it becomes more complicated ;-)

LOL. We have been testing this (bonding *and* vlans).

Once you understand how it works it makes sense, but you need to
understand it first and most people researching this are probably used
to the fantastic vmware tooling that keeps it all hidden.

-- 
natxo


[CentOS] routing problem?

2013-02-08 Thread Natxo Asenjo
hi,

at home I have setup a kvm virtualization lab. I have a layer 3
switch, a host with 3 nics and centos 6.3.

In the layer 3 switch I have setup a couple of vlans: vlan 1
(default), 5 (quarantine) and 10 (out-of-band-management).

nic0 is configured in the switch as a trunk interface that sees all
vlans. nic2 is an access port on vlan 5 and nic1 is not yet in the
picture ;-)

eth0 is bridged to br0. It also has the host default gateway. I have
also created eth0.5, br0.5, eth0.10 and br0.10 interfaces to add vm's
to vlan 5 and 10 and that works, I can successfully create vms and
assign them to br0.5 or br0.10 and they get ip's from a dhcp server in
the correct network and their traffic is correctly routed in the
switch (inter vlan routing works). I can access the vms from my
workstation on vlan 1.

Now I configure eth2 with an ip address in the range of vlan 5 (in the
switch it is an access port in vlan 5). This is the ifcfg-eth2 file:

DEVICE="eth2"
HWADDR="00:15:17:51:B8:AB"
IPV6INIT="no"
BOOTPROTO=none
MTU="1500"
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR=192.168.5.10
NETMASK=255.255.255.0
# GATEWAY=192.168.5.254

The GATEWAY parameter is now commented out, but it does not matter.

The interface on the virtualization host comes up all right. But I
cannot access it from my workstation on vlan 1 when accessing it to
vlan 5.

From the virtualization host I can reach the switch vlan 5 interface
which is its gateway. From the switch I can also ping the interface
eth2.

The routing table on the virt host:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     1016   0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     1018   0        0 br_v10
169.254.0.0     0.0.0.0         255.255.0.0     U     1020   0        0 br_v5
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 br0

Do you have any tips on how to reach vlan 5 on the virt host from vlan 1?
--
Regards,
natxo


Re: [CentOS] routing problem?

2013-02-15 Thread Natxo Asenjo
On Sun, Feb 10, 2013 at 11:51 PM, Gordon Messmer  wrote:
> On 02/08/2013 07:39 AM, Natxo Asenjo wrote:
>> Do you have any tips on how to reach vlan 5 on the virt host from vlan 1?
>
> Not without the configuration from your switch.
>
> The most likely problem is this:  Your workstation is sending traffic to
> 192.168.5.10.  The switch sends it through VLAN 5 to eth2 on your
> virtualization host.  The host replies to that traffic using the correct
> address, but through interface eth0, since that is the only interface
> with a route to the workstation.  Those packets would go to the default
> gateway.  Either your switch or your default gateway may be doing
> ingress filtering, or reverse path filtering, or stateful firewalling.
> Any of those would block the reply traffic, and at least one of them is
> very likely in place by default on either an L3 switch or a router.
>
> What you're attempting to do is called multi-homing, and it's fairly
> complicated to do on Linux.  You need to have multiple default routes,
> and you need the kernel to select the default route based on the
> addresses of the packets that it sends.  That involves making multiple
> routing tables, tagging packets pre-routing, and using ip rules to
> select the appropriate routing table.  Shorewall will simplify this if
> you use it to build your firewall rules.

thanks for the tips. Indeed, multi-homing needs 'advanced routing'
(yeah right) so I needed to add vlan info to the rt_tables file and
then create a rules-eth2 and route-eth2 files.

Now I can reach both nics from my workstation (finally ;-) ).

-- 
natxo
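
What the two messages above describe (a separate routing table for eth2, selected by source address, so replies leave through the NIC the request came in on), sketched as an added example that is not from the original posts. Addresses are the ones quoted in the thread; the table id and name (`5 vlan5`), the staging directory, and the file names `route-eth2` and `rule-eth2` (the names the CentOS 6 initscripts read) are assumptions.

```shell
#!/bin/sh
# Added example: stage source-based routing files for a second, multi-homed NIC.
# Addresses come from the thread (eth2 = 192.168.5.10/24, gateway 192.168.5.254);
# table id/name and the staging root are assumptions.

# network_of ADDR PREFIX: print the IPv4 network address, fail on malformed input.
network_of() {
    _addr=$1; _prefix=$2
    case $_addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case $_prefix in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$_prefix" -le 32 ] || return 1
    _ifs=$IFS; IFS=.
    set -- $_addr
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in 0?*) return 1 ;; esac      # a leading zero would be read as octal
        [ "$_o" -le 255 ] || return 1
    done
    _ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    _net=$(( _ip & ((4294967295 << (32 - _prefix)) & 4294967295) ))
    echo "$(( (_net >> 24) & 255 )).$(( (_net >> 16) & 255 )).$(( (_net >> 8) & 255 )).$(( _net & 255 ))"
}

# write_policy_routing ROOT DEV ADDR PREFIX GATEWAY TABLE_ID TABLE_NAME
write_policy_routing() {
    root=$1; dev=$2; addr=$3; prefix=$4; gw=$5; tid=$6; tname=$7
    net=$(network_of "$addr" "$prefix") || { echo "bad address $addr/$prefix" >&2; return 1; }
    gwnet=$(network_of "$gw" "$prefix") || { echo "bad gateway $gw" >&2; return 1; }
    # The per-table default route must point at a gateway on this NIC's own
    # subnet; otherwise replies still leave through the main table's interface.
    [ "$gwnet" = "$net" ] || { echo "gateway $gw is not in $net/$prefix" >&2; return 1; }

    scripts=$root/etc/sysconfig/network-scripts
    tables=$root/etc/iproute2/rt_tables
    mkdir -p "$scripts" "$root/etc/iproute2"

    # Name the extra table once (idempotent on re-run).
    grep -qs "^$tid[[:space:]]" "$tables" || printf '%s\t%s\n' "$tid" "$tname" >> "$tables"

    # Routes that live only in the extra table: the connected subnet and a
    # default route via the VLAN gateway.
    {
        echo "$net/$prefix dev $dev src $addr table $tname"
        echo "default via $gw dev $dev table $tname"
    } > "$scripts/route-$dev"

    # Rule: traffic sourced from this NIC's address is looked up in that table,
    # so replies leave the interface the request arrived on.
    echo "from $addr/32 table $tname" > "$scripts/rule-$dev"
}

# Demo: stage into a scratch directory, show the result for review, clean up.
stage=$(mktemp -d)
write_policy_routing "$stage" eth2 192.168.5.10 24 192.168.5.254 5 vlan5
( cd "$stage" && grep -r . etc )
rm -rf "$stage"
```

After review, the staged files go to the same paths under `/` and the interface is restarted; `ip rule show` and `ip route show table vlan5` then confirm the rule and the per-table routes.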


Re: [CentOS] More on Re: Really changing the hostname

2013-02-15 Thread Natxo Asenjo
hi,

On Fri, Feb 15, 2013 at 8:34 PM,   wrote:

> Here's another question: you're building it via kickstart - are you
> getting the hostname via dhcp?
>
> We've got a perl script to create a ks file dynamically, depending on what
> option we want (server, desktop, etc), and we get the name via dhcp, and
> put that in.

would you mind sharing that script? Just made me curious.

Thanks,

-- 
regards,
natxo


[CentOS] add CA to centos clients

2013-02-17 Thread Natxo Asenjo
hi,

I need to deploy an internal CA to our hosts. Fedora is planning
something I could use now
http://fedoraproject.org/wiki/Features/SharedSystemCertificates but it
is not there yet ;-)

I already have a deploying infrastructure (cfengine), so my question
is: what files do I need to move around for a systemwide installation?

The obvious start point will be /etc/PKI/ but in there in a random
client I already see some problems:

ls -l /etc/pki/
total 28
drwxr-xr-x. 6 root root 4096 Aug 23 06:55 CA
drwxr-xr-x. 4 root root 4096 Mar 13  2012 dovecot
drwxr-xr-x. 2 root root 4096 Mar 11  2012 java
drwxr-xr-x. 2 root root 4096 Feb  8 10:46 nssdb
drwxr-xr-x. 2 root root 4096 Oct 25 23:06 rpm-gpg
drwx------. 2 root root 4096 Jun 22  2012 rsyslog
drwxr-xr-x. 5 root root 4096 Oct 25 23:07 tls

For ldap queries, I need to add it in /etc/openldap/certs and run
cacertdir_rehash.

But there are lots of other apps that have their own configuration.

I guess I am not the first to have to do this, but google found little
info about this. Have you guys gone through such a project and would
you care sharing your solutions?

Thanks!
--
Regards,
natxo


Re: [CentOS] add CA to centos clients

2013-02-17 Thread Natxo Asenjo
On Sun, Feb 17, 2013 at 10:13 PM, John R Pierce  wrote:
> On 2/17/2013 11:00 AM, Natxo Asenjo wrote:
>> I need to deploy an internal CA to our hosts.
>
> you say a CA, then you talk about PKI, and finally LDAP which is a
> Directory Server.   these things are all interrelated, but remain three
> separate entities.

sure, still to use stuff all the apps need to have the right CA cert info.

> For a fullblown LDAP directory server, you might want to look at the 389
> project, http://port389.org/wiki/Main_Page ... this is available for
> CentOS6 via the EPEL repository.  389 started as a fork of the old
> Netscape Directory Server.
>
> 389 has been integrated with the "Dogtag" CA system as FreeIPA but I
> believe this is more focused towards being a Windows Active Directory
> replacement.

thanks, I think I did not express myself well enough.

We already have an ipa realm for our centos hosts and it indeed has a
built-in CA (dogtag).

The problem is we have other hosts *not* in the realm and they need to
use services with this internal CA. And they need to use them without
warnings about how unsafe this unknown CA is.

So for ldap clients, you drop the ca-cert in a directory and the ldap
tools do not complain. The same goes for java tools,
mozilla/thunderbird, chrome, ...

So the question is: where do you add the CA information in
centos/redhat servers for those kinds of applications?

-- 
natxo


Re: [CentOS] Not installing avahi in a kickstart install

2013-03-03 Thread Natxo Asenjo
On Sun, Mar 3, 2013 at 10:52 PM, Robert Moskowitz  wrote:
>
> On 03/03/2013 04:39 PM, Reindl Harald wrote:
>>
>> On 03.03.2013 22:35, Robert Moskowitz wrote:
>>> In the packages section of my kickstart I have:
>>>
>>> -avahi
>>>
>>> and I am still getting avahi and all of its rpms installed.  I don't
>>> want avahi on my servers, how do I specify in a kickstart to NOT install it?
>> do not install packages which requires avahi?
>> which they are?
>>
>> try "yum remove avahi" and see what it lists after install
>>
> The list is too long.  It includes firstboot!  Easier just to disable it
> after install as I have been doing.  Just thought I could prevent it
> from installing in the first place.  I can put a %post in to turn it off
> at least.

yes, that was my conclusion too. If you run a centos desktop (like I
do), it simply wants to remove the whole gnome ;-).

So we have cfengine stop the avahi-daemon service plus if the
avahi-daemon process is running for whatever reason it gets stopped.

-- 
natxo


[CentOS] kickstart %pre vda/sda troubles

2013-03-09 Thread Natxo Asenjo
hi,

The problem: for kvm/qemu disks are /dev/vdx devices when using the
virtio driver. For vmware, drives are /dev/sdx devices. For hp
servers, /dev/cciss/whatever (sorry, no proliant with an array
controller handy to check it).

in order to just have one kickstart script to maintain I am trying to
use the %pre section but getting a bit stuck. This is what I have:

%pre
if [ -b /dev/sda ]
then
zerombr
clearpart --all
bootloader --location=mbr --timeout=0 --driveorder=sda
--append="crashkernel=auto rhgb quiet"
part /boot --fstype=ext4 --size=500
part pv.008002 --grow --size=1
volgroup vg_host --pesize=4096 pv.008002
logvol / --fstype=ext4 --name=lv_root --vgname=vg_host --grow
--size=1024 --maxsize=51200
logvol swap --name=lv_swap --vgname=vg_host --grow --size=512 --maxsize=1024
fi
elif [ -b /dev/vda ]
then
zerombr
clearpart --all
bootloader --location=mbr --timeout=0 --driveorder=vda
--append="crashkernel=auto rhgb quiet"
clearpart --linux --drives=vda
part /boot --fstype=ext4 --size=500 --ondisk=vda
part pv.008002 --grow --size=1 --ondisk=vda
volgroup vg_host --pesize=4096 pv.008002
logvol / --fstype=ext4 --name=lv_root --vgname=vg_host --grow
--size=1024 --recommended
logvol swap --name=lv_swap --vgname=vg_host --grow --size=512 --maxsize=1024
fi
else
echo unknown disk
fi

But when kickstarting a guest on a kvm host, I get this error:

the kickstart configuration file is missing required information that
anaconda cannot prompt for. Please add the following sections and try
again: Bootloader configuration.

If I switch to another virtual terminal, I see this: Device vda not
found. But it's there, I can see it with ls -l, it is a block device

Has anybody implemented something like this and is willing to share it?

TIA,
--
Groeten,
natxo


Re: [CentOS] kickstart %pre vda/sda troubles

2013-03-10 Thread Natxo Asenjo
let's reply to myself then ;-)

%pre
#!/bin/bash

# Write the storage commands for whichever disk type is present to
# /tmp/diskinfo; the command section of the kickstart file then has to
# pull them in with: %include /tmp/diskinfo
if [ -b /dev/vda ] ; then
echo "bootloader --location=mbr --timeout=0 --driveorder=vda --append=\"crashkernel=auto rhgb quiet\"" > /tmp/diskinfo
echo "clearpart --linux --drives=vda" >> /tmp/diskinfo
echo "part /boot --fstype=ext4 --size=500" >> /tmp/diskinfo
echo "part pv.008002 --grow --size=1" >> /tmp/diskinfo
echo "volgroup vg_host --pesize=4096 pv.008002" >> /tmp/diskinfo
echo "logvol / --fstype=ext4 --name=lv_root --vgname=vg_host --grow --size=1024 --recommended" >> /tmp/diskinfo
echo "logvol swap --name=lv_swap --vgname=vg_host --grow --size=512 --maxsize=1024" >> /tmp/diskinfo

elif [ -b /dev/sda ] ; then
echo "bootloader --location=mbr --timeout=0 --driveorder=sda --append=\"crashkernel=auto rhgb quiet\"" > /tmp/diskinfo
echo "clearpart --linux --drives=sda" >> /tmp/diskinfo
echo "part /boot --fstype=ext4 --size=500" >> /tmp/diskinfo
echo "part pv.008002 --grow --size=1" >> /tmp/diskinfo
echo "volgroup vg_host --pesize=4096 pv.008002" >> /tmp/diskinfo
echo "logvol / --fstype=ext4 --name=lv_root --vgname=vg_host --grow --size=1024 --recommended" >> /tmp/diskinfo
echo "logvol swap --name=lv_swap --vgname=vg_host --grow --size=512 --maxsize=1024" >> /tmp/diskinfo
fi

%end

as seen in 
http://fedoraproject.org/wiki/Anaconda/Kickstart#Chapter_4._Pre-installation_Script
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
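
The %pre approach from the two messages above, written as one parameterised script; this is an added example, not part of the original posts. It goes beyond the vda/sda case to the HP cciss naming mentioned in the first message and uses a here-document so the quoted --append value needs no escaping. The function names, the /sys/block lookup and the cciss/c0d0 device name are assumptions.

```shell
#!/bin/sh
# Added example (constructed): body of a kickstart %pre script.

# Candidate install disks in order of preference, as kernel device names.
# vda = virtio (kvm/qemu), sda = SCSI/SATA (vmware), cciss/c0d0 = HP Smart
# Array (assumed name of the first logical drive on the first controller).
CANDIDATES="vda sda cciss/c0d0"

# pick_disk [SYSBLOCK_DIR]
# Prints the first candidate that exists; returns 1 if none does.
# sysfs replaces "/" in device names with "!", so cciss/c0d0 shows up
# as /sys/block/cciss!c0d0.
pick_disk() {
    sysblock=${1:-/sys/block}
    for disk in $CANDIDATES; do
        entry=$(printf '%s' "$disk" | tr '/' '!')
        if [ -d "$sysblock/$entry" ]; then
            printf '%s\n' "$disk"
            return 0
        fi
    done
    return 1
}

# write_diskinfo DISK OUTFILE
# Writes the storage commands for DISK. The here-document keeps the inner
# double quotes of --append intact, which nested echo "..." quoting does not.
write_diskinfo() {
    disk=$1
    out=$2
    cat > "$out" <<EOF
bootloader --location=mbr --timeout=0 --driveorder=$disk --append="crashkernel=auto rhgb quiet"
clearpart --linux --drives=$disk
part /boot --fstype=ext4 --size=500 --ondisk=$disk
part pv.008002 --grow --size=1 --ondisk=$disk
volgroup vg_host --pesize=4096 pv.008002
logvol / --fstype=ext4 --name=lv_root --vgname=vg_host --grow --size=1024 --maxsize=51200
logvol swap --name=lv_swap --vgname=vg_host --grow --size=512 --maxsize=1024
EOF
}

# make_diskinfo [SYSBLOCK_DIR] [OUTFILE]
# What the %pre section runs. On failure it removes any stale include file,
# so the installer stops on the missing %include instead of using old data.
make_diskinfo() {
    sysblock=${1:-/sys/block}
    out=${2:-/tmp/diskinfo}
    if disk=$(pick_disk "$sysblock"); then
        write_diskinfo "$disk" "$out"
    else
        rm -f "$out"
        echo "no known install disk found under $sysblock" >&2
        return 1
    fi
}

# In the kickstart file the %pre section ends with a call to make_diskinfo,
# and the command section contains: %include /tmp/diskinfo
```

Storage commands placed directly inside %pre, as in the first attempt, are run as shell commands and never reach the installer, which is why it reported missing bootloader configuration.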


Re: [CentOS] kickstart %pre vda/sda troubles

2013-03-11 Thread Natxo Asenjo
On Mon, Mar 11, 2013 at 12:45 AM, Gordon Messmer  wrote:
> On 03/10/2013 08:14 AM, Natxo Asenjo wrote:
>> lets reply to myself then ;-)
>
> I missed your first message.  I've put a copy of my centos 6 kickstart
> here in case there are any ideas you think are good ones:
> http://pastebin.com/rJEnsdvw

nice examples with bash functions ;-)

Thanks!

-- 
natxo


[CentOS] freenx not working with newly installed centos 6.4

2013-04-03 Thread Natxo Asenjo
hi,

this is not the same as http://bugs.centos.org/view.php?id=6298

I can login with ssh but not with freenx

With 6.3 this worked, I just spinned some new servers and now I can no
longer use freenx.

in /var/log/messages:

pr  3 22:05:11 testthuis nxserver[3435]: (nx) Failed login for user=admin
from IP=192.168.0.160
Apr  3 22:06:01 testthuis nxserver[3619]: (nx) Failed login for user=admin
from IP=192.168.0.160
Apr  3 22:06:52 testthuis nxserver[3818]: (nx) Failed login for user=admin
from IP=192.168.0.160

in /var/log/nx/nxserver.log:

-- NX SERVER START: -c /usr/bin/nxserver - ORIG_COMMAND=
-- NX SERVER START:  - ORIG_COMMAND=
Info: Using fds #4 and #3 for communication with nxnode.
HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)
NX> 105 hello NXCLIENT - Version 3.2.0
NX> 134 Accepted protocol: 3.2.0
NX> 105 SET SHELL_MODE SHELL
NX> 105 SET AUTH_MODE PASSWORD
NX> 105 login
NX> 101 User: admin
NX> 102 Password:
Info: Closing connection to slave with pid 3761.
NX> 404 ERROR: wrong password or login
NX> 999 Bye

My node.conf file is a copy of the node.conf.sample file, nothing changed.
I do not want to use the nx database authentication but our ldap (ipa)
authentication, this has always worked until now.

I have temporarily set selinux in permissive mode but no difference.

Can anyone else reproduce this? At work we have a mirror, so I tried at
home with a manually installed centos and internet upgrades. No difference.

TIA,
--
Groeten,
natxo


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-04-03 Thread Natxo Asenjo
hi,

Thanks for taking the time to reply.

As stated in my message I can log in from ssh. And yes, the password is the
same, I have verified it numerous times.

So no, that is not the problem. And as I wrote in my first message, this
has always worked until 6.4. That is why I was asking if anyone else is
having this same problem with a new installed 6.4.

nx is unfortunately very difficult to debug.

--
Groeten,
natxo


On Wed, Apr 3, 2013 at 10:26 PM, Craig White  wrote:

>
> On Apr 3, 2013, at 1:16 PM, Natxo Asnjo wrote:
>
> > hi,
> >
> > this is not the same as http://bugs.centos.org/view.php?id=6298
> >
> > I can login with ssh but not with freenx
> >
> > With 6.3 this worked, I just spinned some new servers and now I can no
> > longer use freenx.
> >
> > in /var/log/messages:
> >
> > pr  3 22:05:11 testthuis nxserver[3435]: (nx) Failed login for user=admin
> > from IP=192.168.0.160
> > Apr  3 22:06:01 testthuis nxserver[3619]: (nx) Failed login for
> user=admin
> > from IP=192.168.0.160
> > Apr  3 22:06:52 testthuis nxserver[3818]: (nx) Failed login for
> user=admin
> > from IP=192.168.0.160
> >
> > in /var/log/nx/nxserver.log:
> >
> > -- NX SERVER START: -c /usr/bin/nxserver - ORIG_COMMAND=
> > -- NX SERVER START:  - ORIG_COMMAND=
> > Info: Using fds #4 and #3 for communication with nxnode.
> > HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not
> detected)
> > NX> 105 hello NXCLIENT - Version 3.2.0
> > NX> 134 Accepted protocol: 3.2.0
> > NX> 105 SET SHELL_MODE SHELL
> > NX> 105 SET AUTH_MODE PASSWORD
> > NX> 105 login
> > NX> 101 User: admin
> > NX> 102 Password:
> > Info: Closing connection to slave with pid 3761.
> > NX> 404 ERROR: wrong password or login
> > NX> 999 Bye
> >
> > My node.conf file is a copy of the node.conf.sample file, nothing
> changed.
> > I do not want to use the nx database authentication but our ldap (ipa)
> > authentication., this has always worked until now.
> >
> > I have temporarily set selinux in permissive mode but no difference.
> >
> > Can anyone else reproduce this? At work we have a mirror, so I tried at
> > home with a manually installed centos and internet upgrades. No
> difference.
> 
> seems pretty obvious that the issue is here…
>
> > NX> 404 ERROR: wrong password or login
>
> So the first question is can you SSH into the NX server system as user
> 'admin' with the same password? If you can then the problem is in
> /etc/pam.d/ but my money is that you can't and the issue isn't nx at all.
>
> Craig


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-04-03 Thread Natxo Asenjo
I have bumped the logging to debug level:

HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)
NX> 105 hello NXCLIENT - Version 3.2.0
NX> 134 Accepted protocol: 3.2.0
NX> 105 SET SHELL_MODE SHELL
NX> 105 SET AUTH_MODE PASSWORD
NX> 105 login
NX> 101 User: admin
NX> 102 Password:
Info: Auth method: ssh NXSERVER - Version 3.2.0-74-SVN OS (GPL, using
backend: not detected)
Usage: nxserver 
--passwd: Change password
ssh_exchange_identification: Connection closed by remote host
expect: spawn id exp5 not open
while executing
"expect {
"Are you sure you want to continue connecting (yes/no)?" { send "yes\r" }
"assword*:"  { sleep 0.3; send -- "$password\r" }
"Permission..."
("while" body line 2)
invoked from within
"while {1} {
expect {
"Are you sure you want to continue connecting (yes/no)?" { send "yes\r" }
"assword*:"  { sleep 0.3; send -- "$password\r" }
..."
(file "/usr/bin/nxnode-login" line 69)
FREENX> 716 Slave mode failed to start.
Info: Closing connection to slave with pid 6358.

NX> 404 ERROR: wrong password or login
NX> 999 Bye

Is it asking me to change the password?

--
Groeten,
natxo


On Wed, Apr 3, 2013 at 10:34 PM, Natxo Asenjo wrote:

> hi,
>
> Thanks for taking the time to reply.
>
> As stated in my message I can log in from ssh. And yes, the password is
> the same, I have verified it numerous times.
>
> So no, that is not the problem. And as I wrote in my first message, this
> has always worked until 6.4. That is why I was asking if anyone else is
> having this same problem with a new installed 6.4.
>
> nx is unfortunately very difficult to debug.
>
> --
> Groeten,
> natxo
>
>
> On Wed, Apr 3, 2013 at 10:26 PM, Craig White wrote:
>
>>
>> On Apr 3, 2013, at 1:16 PM, Natxo Asnjo wrote:
>>
>> > hi,
>> >
>> > this is not the same as http://bugs.centos.org/view.php?id=6298
>> >
>> > I can login with ssh but not with freenx
>> >
>> > With 6.3 this worked, I just spinned some new servers and now I can no
>> > longer use freenx.
>> >
>> > in /var/log/messages:
>> >
>> > pr  3 22:05:11 testthuis nxserver[3435]: (nx) Failed login for
>> user=admin
>> > from IP=192.168.0.160
>> > Apr  3 22:06:01 testthuis nxserver[3619]: (nx) Failed login for
>> user=admin
>> > from IP=192.168.0.160
>> > Apr  3 22:06:52 testthuis nxserver[3818]: (nx) Failed login for
>> user=admin
>> > from IP=192.168.0.160
>> >
>> > in /var/log/nx/nxserver.log:
>> >
>> > -- NX SERVER START: -c /usr/bin/nxserver - ORIG_COMMAND=
>> > -- NX SERVER START:  - ORIG_COMMAND=
>> > Info: Using fds #4 and #3 for communication with nxnode.
>> > HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not
>> detected)
>> > NX> 105 hello NXCLIENT - Version 3.2.0
>> > NX> 134 Accepted protocol: 3.2.0
>> > NX> 105 SET SHELL_MODE SHELL
>> > NX> 105 SET AUTH_MODE PASSWORD
>> > NX> 105 login
>> > NX> 101 User: admin
>> > NX> 102 Password:
>> > Info: Closing connection to slave with pid 3761.
>> > NX> 404 ERROR: wrong password or login
>> > NX> 999 Bye
>> >
>> > My node.conf file is a copy of the node.conf.sample file, nothing
>> changed.
>> > I do not want to use the nx database authentication but our ldap (ipa)
>> > authentication., this has always worked until now.
>> >
>> > I have temporarily set selinux in permissive mode but no difference.
>> >
>> > Can anyone else reproduce this? At work we have a mirror, so I tried at
>> > home with a manually installed centos and internet upgrades. No
>> difference.
>> 
>> seems pretty obvious that the issue is here…
>>
>> > NX> 404 ERROR: wrong password or login
>>
>> So the first question is can you SSH into the NX server system as user
>> 'admin' with the same password? If you can then the problem is in
>> /etc/pam.d/ but my money is that you can't and the issue isn't nx at all.
>>
>> Craig


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-04-03 Thread Natxo Asenjo
I have removed nx and freenx, installed the nomachine packages and
everything *just works*.

I very much would prefer to use freenx, though.
--
Groeten,
natxo


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-04-03 Thread Natxo Asenjo
hi,

thanks for taking the time to reply.

Yes, I copied the client key. I have followed the wiki instructions except

ENABLE_PASSDB_AUTHENTICATION="1"

and adding the users to it with nxserver --adduser

because we are not interested in that, we use ldap users and that has
worked since like for ever, I no longer remember.


--
Groeten,
natxo


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-04-03 Thread Natxo Asenjo
hi,

thanks for replying.

I live in The Netherlands, so I suppose the mirror was automatically chosen
in Europe at least. Sorry, I did not pay attention to that. Is there a
logfile where I can look that up? in yum.log I can only see that packages
get installed/removed.

--
Groeten,
natxo


On Wed, Apr 3, 2013 at 11:26 PM,  wrote:

> Natxo Asenjo wrote:
> > I have removed nx and freenx, installed the nomachine packages and
> > everything *just works*.
> >
> > I very much would prefer to use freenx, though.
> > --
> Could there have been some crypto as the problem? Where did you install
> from (remembering US idiot crypto export regs).
>
>   mark
>


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-04-03 Thread Natxo Asenjo
1st hit on google centos freenx: http://wiki.centos.org/HowTos/FreeNX

in /var/log/secure I just see this:

Apr  3 23:58:55 testthuis sshd[3803]: Accepted publickey for nx from
192.168.0.160 port 57095 ssh2
Apr  3 23:58:55 testthuis sshd[3803]: pam_unix(sshd:session): session
opened for user nx by (uid=0)
Apr  3 23:58:59 testthuis sshd[3803]: pam_unix(sshd:session): session
closed for user nx


--
Groeten,
natxo


On Wed, Apr 3, 2013 at 11:43 PM, Les Mikesell  wrote:

> On Wed, Apr 3, 2013 at 4:35 PM, Natxo Asenjo 
> wrote:
> >
> > thanks for taking the time to reply.
> >
> > Yes, I copied the client key. I have followed the wiki instructions
> except
> >
> > ENABLE_PASSDB_AUTHENTICATION="1"
> >
> > and adding the users to it with nxserver --adduser
> >
> > because we are not interested in that, we use ldap users and that has
> > worked since like for ever, I no longer remember.
>
> What wiki instructions?   I just 'yum install freenx'  and copy the
> key to the client.   I assumed the real  logins (after the
> key-authenticated nx user) went through pam.   Are you seeing anything
> failing in /var/log/secure?
>
> --
>Les Mikesell
>   lesmikes...@gmail.com


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-04-05 Thread Natxo Asenjo
hi,

is it possible for someone to spin a new vm with centos 6.4 and the gnome
desktop environment, then install freenx and nx and confirm that it works
or that it does (or does not) work?

That would be very helpful.

--
Groeten,
natxo


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-04-05 Thread Natxo Asenjo
thanks for your input

--
Groeten,
natxo


On Fri, Apr 5, 2013 at 1:43 PM, Scot P. Floess  wrote:

>
> All,
>
> As a side note, I just spun up a bare metal box and it is running FreeNX
> just fine against KDE for me...  I hadn't tried GNOME - but seems to work
> for me...
>
> On Fri, 5 Apr 2013, Natxo Asenjo wrote:
>
> > hi,
> >
> > is it possible for someone to spin a new vm with centos 6.4 and the gnome
> > desktop environment, then install freenx and nx and confirm that it works
> > or that it does (or does not) work?
> >
> > That would be very helpful.
> >
> > --
> > Groeten,
> > natxo
>
> Scot P. Floess RHCT  (Certificate Number 605010084735240)
> Chief Architect FlossWare  http://sourceforge.net/projects/flossware
> http://flossware.sourceforge.net
> https://github.com/organizations/FlossWare


Re: [CentOS] Directory Server vs just plain old LDAP server

2013-04-28 Thread Natxo Asenjo
On Sun, Apr 28, 2013 at 12:55 PM, James Hogarth wrote:

> Look at IPA for your directory services...
>
> Makes management very simple and adds kerberos capabilities as well :)
>  On 27 Apr 2013 19:09, "aurfalien"  wrote:
>
>
+1

--
groet,
natxo


Re: [CentOS] freenx not working with newly installed centos 6.4

2013-05-22 Thread Natxo Asenjo
On Wed, Apr 3, 2013 at 10:16 PM, Natxo Asenjo wrote:

Following up a bit late on this, I found out the issue with the failing
freenx sessions on centos 6.4.

We have a growing freeipa infrastructure (http://freeipa.org), using the
identity management solution delivered by RHEL. A colleague installed a
host and before joining it to the domain, installed freenx. It worked. So
that made me think that the problem was not with freenx but with freeipa.

Indeed, a joined host to a freeipa domain gets a few options on its ssh
client and server config files:

# diff ssh_config ssh_config.ipa
48a49,52
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
> PubkeyAuthentication yes
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h


# diff sshd_config sshd_config.ipa
81d80
< GSSAPIAuthentication yes
97d95
< UsePAM yes
139a138,143
> KerberosAuthentication no
> PubkeyAuthentication yes
> UsePAM yes
> GSSAPIAuthentication yes
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

If we revert the ssh_config and sshd_config files and join the hosts,
freenx works again.

We lose the known_hosts integration but we already were doing that with
cfengine. For other environments this could be an issue.

I will contact the freeipa guys about this issue, but provided freenx is
not a part of RHEL, I do not think they will see this as their problem.

We'll see.

-- 
groet,
natxo
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
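
A check for the sssd-related directives shown in the two diffs above, as an added example that is not part of the original post or of FreeIPA: it lists which of them are active in a given ssh_config or sshd_config, so a host can be compared before and after joining the domain. The function names and the sample config are constructed; the directive names and paths are the ones in the diffs.

```shell
#!/bin/sh
# Added example (constructed): report the sssd helper directives from the
# diffs in the post that are active in an ssh_config or sshd_config file.

# sss_ssh_directives FILE
# Prints "lineno: directive" for every active match.
# Returns 0 if at least one was found, 1 if none.
sss_ssh_directives() {
    awk '
        # Blank lines and comments are not active configuration.
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Keywords are case-insensitive; the value may follow after
            # blanks or after "=".
            key = tolower(line)
            sub(/[ \t=].*$/, "", key)
            hit = 0
            if (key == "globalknownhostsfile" && line ~ /\/var\/lib\/sss\//)
                hit = 1
            else if (key == "proxycommand" && line ~ /sss_ssh_knownhostsproxy/)
                hit = 1
            else if (key == "authorizedkeyscommand" && line ~ /sss_ssh_authorizedkeys/)
                hit = 1
            if (hit) { printf "%d: %s\n", NR, line; found++ }
        }
        END { exit (found > 0 ? 0 : 1) }
    ' "$1"
}

# Constructed sample: an ssh_config fragment carrying the lines from the
# first diff, with one ProxyCommand commented out and one indented and
# written in lower case.
sample_ssh_config() {
    cat <<'EOF'
Host *
    GSSAPIAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
PubkeyAuthentication yes
#ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
  proxycommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
EOF
}
```

Run against /etc/ssh/ssh_config and /etc/ssh/sshd_config, an empty result with exit status 1 means the file carries none of the directives from the diffs.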


Re: [CentOS] Installing Nomachine

2013-06-20 Thread Natxo Asenjo
2013/6/21 Ian :
> Sorry about the language.

this list is in English. Do not post in Spanish here.

> I am trying to install Nomachine on a CentOS 6.4 and I cannot manage it, I have
> problems with the authentication. Do you know of a clear and concise manual?
> Many thanks

http://www.nomachine.com/installation.php

Be aware the free version will only let you use 3 sessions. If you
require more, you need to either pay for the complete version or use
freenx:

http://wiki.centos.org/HowTos/FreeNX

hth,

--
groet,
natxo


Re: [CentOS] DL380g8 - smart array B320i - CentOS 6.4

2013-07-01 Thread natxo asenjo
On 06/26/2013 10:29 PM, Marcelo Roccasalva wrote:

> You need a license from HP to access your hard disks... Stupid, but real...

wow, just, wow. If this is true I will advise against buying any HP 
server kit whenever we need to buy new servers.

-- 
groet,
natxo




Re: [CentOS] DL380g8 - smart array B320i - CentOS 6.4

2013-07-01 Thread natxo asenjo
On 07/01/2013 10:30 PM, Nathan Duehr wrote:

> I wish you good tidings, and may you always be the smartest person with the 
> "Best l33t GOLD level VAR EVAR !!1!"

LOL

-- 
groet,
natxo


Re: [CentOS] change sudoers remotely

2013-07-09 Thread natxo asenjo
On 07/08/2013 10:32 PM, Tim Dunphy wrote:
> hello list,
>
>   I've been asked to give someone sudo rights across an entire environment
> without the benefit of something like puppet or chef or cfengine et al.

another option is using ldap, so you can specify who can do what in the 
ldap tree.

The IPA project (included in centos as ipa-server and ipa-client) fixes 
all this for you:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/sudo.html

Having said this, the question to manage an environment without 
management tools is peculiar. You need to have a way to introduce 
changes in a safe, tested, repetitive way. Denying you the possibility 
of doing this is not best practice and you should point this out as a risk 
in your project.

-- 
groet,
natxo



Re: [CentOS] samba: check password with AD without joining domain?

2013-08-15 Thread Natxo Asenjo
Do you require samba or do you just want linux users to authenticate to AD?

Samba when configured to work in a domain must be joined to the AD
domain. By the way, unless the admins have changed the defaults, any
authenticated user can join up to 10 hosts to an AD domain (search
ms-DS-MachineAccountQuota on your favorite search engine).

If you want your linux hosts to login using AD credentials, I haven't
tried it yet, but using sssd with msktutil should work with some trial
and error:

http://theblitzbit.com/2013/04/08/make-red-hat-talk-to-windows/

instead of using the samba bits, use msktutil, works much better (rpms
in repoforge). The rest should be the same.
--
Groeten,
natxo


On Thu, Aug 15, 2013 at 7:00 PM, Les Mikesell  wrote:
> Is there a way to get samba to authenticate against an AD without
> having to join that domain (which needs admin credentials)?  I don't
> want any of the automatic user creation or mapping stuff from winbind,
> just a password check instead of having to maintain a local password.
>
> I can get that effect via kerberos for normal linux logins by using
> authconfig-tui, checking kerberos, and filling in the domain/kdc
> details.  Local users still have to be added to the linux system,
> but where the user names match they can authenticate with their domain
> password.   But, samba doesn't work that way.  Even though the
> authconfig program modifies the smb.conf file, it doesn't seem to work
> without joining the domain.  Is it possible to make it just
> authenticate via kerberos but otherwise use the local account details
> for the matching user?
>
> --
>Les Mikesell
>  lesmikes...@gmail.com


Re: [CentOS] LVM RAID0 and SSD discards/TRIM

2013-08-21 Thread natxo asenjo
On 08/21/2013 11:42 PM, Joakim Ziegler wrote:
> So, can anyone confirm that discards work on ext4 a LVM RAID0 of two
> SSDs with CentOS 6.4 or the latest ElRepo kernel for Centos 5.8?
>
> This should be a fairly simple question, either it works or it doesn't...
>

hi,

First hit: https://www.google.com/search?q=ssd%20rhel

-- 
groet,
natxo


Re: [CentOS] nfs4, idmapd, users with same name, different uid?

2013-08-28 Thread natxo asenjo
On 08/27/2013 12:01 AM, Les Mikesell wrote:
> Is idmapd supposed to work where users have different uid numbers on
> the nfsv4 server and client? It seems to show the right names for
> ownership on the client side, but if I automount a home directory,
> that user doesn't have permission to enter it, and if I change
> permission to allow access and create a new file, it shows on the
> server as owned by the uid number for the user on the client (and
> wrong on the server).
>
> Everything works like it would on nfs v3  where the uid numbers are
> the same on the client and server, but what's the point of the
> rpcidmapd daemon if it doesn't actually map the ids?
>

for nfsv4 it is my understanding you need a central user store like ldap 
or nis (but don't use nis) or synchronize your password file to 
eternity. I do not have a centos nfs server (or a linux one, for that 
matter, what I want from nfsv4 are mainly the extended acls and those 
are not there until somebody wakes up and merges the richacl patch into 
the mainstream kernel), only clients, but they work fine using nfsv4 to 
both netapp  as zfs (omnios) filers.

Both the clients as the filers are configured to look up users in ldap 
(ipa in our case).

I have no experience with idmapd in linux, but in solaris and netapp it 
gets ugly quite easily :-)

-- 
groet,
natxo






Re: [CentOS] nfs4, idmapd, users with same name, different uid?

2013-08-28 Thread natxo asenjo
On 08/28/2013 06:04 PM, Barbara Krasovec wrote:
> On 8/28/13 11:29 AM, natxo asenjo wrote:

>> for nfsv4 it is my understanding you need a central user store like ldap
>> or nis (but don't use nis) or synchronize your password file to
>> eternity. I do not have a centos nfs server (or a linux one, for that
>> matter, what I want from nfsv4 are mainly the extended acls and those
>> are not there until somebody wakes up and merges the richacl patch into
>> the mainstream kernel), only clients, but they work fine using nfsv4 to
>> both netapp  as zfs (omnios) filers.
>>
>> Both the clients as the filers are configured to look up users in ldap
>> (ipa in our case).
>>
>> I have no experience with idmapd in linux, but in solaris and netapp it
>> gets ugly quite easily :-)
>>
> It also works with same UID-s on server/client, just setting the
> domainname in idmapd.conf. Ldap is not obligatory.

that's why I wrote 'synchronize your password file to eternity' ;-)

But really, don't do that, use a central store. Much easier unless you 
have a very very tiny network (but those tend to grow unexpectedly).

-- 
groet,
natxo


Re: [CentOS] nfs4, idmapd, users with same name, different uid?

2013-08-28 Thread natxo asenjo
On 08/28/2013 08:24 PM, Les Mikesell wrote:

> This is a very tiny subset (mostly) of a corporate network where the
> larger things are handled by active directory.  But, for various
> non-technical reasons I don't want these machines to have to  'join'
> AD.  Kerberos will sort-of work without joining, but doesn't seem
> usable for exporting samba shares - and then anyone added locally
> wouldn't work without the uid matching anyway.   Is there a way to set
> up an LDAP server with a few local users but that mostly does a proxy
> to AD?   And if I did, would users be able to map their home
> directories as samba shares with the authentication it provides
> without joining AD?

you could install the IdM solution and create a cross realm trust
between both domains. Not trivial, but would do what you want to
accomplish.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/

You would need cooperation from your AD admins though. That might be a
problem in some environments.

It is quite a big project, though.


-- 
groet,
natxo


Re: [CentOS] Setting up postfix under CentOS-6

2013-09-12 Thread natxo asenjo
On 09/12/2013 12:03 PM, Timothy Murphy wrote:
> I recently, perhaps foolishly, changed over a remote server
> from sendmail/procmail to postfix/amavis/spamassassin/clamd ,
> and I'm finding it difficult to configure this setup.

migrating is always a pain.

> The CentOS document 
> explicitly says that its instructions may not work in CentOS-6.
> Does anyone know of reasonably simple postfix documentation
> for CentOS-6?

no. Maybe you can write one after you figure it out :-)

> I've been amazed how bad the postfix documentation is.
> It actually seems to be worse than sendmail documentation,
> which I thought established a record for this sort of thing.
> The official documentation at
> 
> is ludicrously wordy, with every conceivable option
> listed in random order.

let me disagree with you.

Postfix's target audience is not the average joe user but e-mail 
administrators. It is assumed you know some stuff about how smtp e-mail 
works.

With that in mind, its documentation is simple, to the point and accurate.

For simple scenarios, you go to the 'General configuration' bullet 
points. In there you even have standard configuration examples:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html

Once you have that figured out, then you can go on to other configs, 
like the content inspection, integration with other data sources, 
performance problems, etc. It does make sense once you approach it with 
an e-mail admin hat on.

If what you want is an appliance that handles this stuff but hides it 
all under the hood from you, maybe you should be looking at commercial 
offerings like barracuda. It is nothing to be ashamed of to buy stuff 
that works and has support when something goes wrong. Handling e-mail 
for a company without understanding how it works internally can be 
stressing.

Also, the postfix mailing list is the best place to ask postfix questions

-- 
Groet,
natxo


Re: [CentOS] Setting up postfix under CentOS-6

2013-09-12 Thread natxo asenjo
On 09/12/2013 11:39 PM, Timothy Murphy wrote:
> Patrick Lists wrote:
>
>> Read "Postfix: The Definitive Guide" or "The Book of Postfix". Years ago
>> I read the first and used it to setup multiple domains with virtual
>> accounts. Works perfectly to this day. Also heard good things about the
>> 2nd book. Both should give you ample knowledge how to setup Postfix.
>
> I'm sure you are right.
> But I don't really want to _learn_ about postfix,
> I just want to use it.

I am sure you can find consultants where you live willing to help you do 
just that.

If you do not want to RTFM, then you'll have to pay someone to do it for 
you :-)

-- 
groet,
natxo



Re: [CentOS] Setting up postfix under CentOS-6

2013-09-13 Thread natxo asenjo
On 09/13/2013 12:56 PM, Timothy Murphy wrote:

> If you upgrade from CentOS-5 to CentOS-6,
> which I imagine the vast majority of people did,
> then sendmail remains the current MTA.

that's a lot to assume. Most people I know professionally do not upgrade 
their rhel/centos servers. The debian crowd does, but they do have much 
shorter release cycles :-)

> However, this is only a tiny point,
> since the document mentions "yum remove sendmail" as an alternative.
>
>>> Firstly, after following the instructions meticulously,
>>> I found that I could not send out mail
>>> because (according to /var/log/maillog)
>>> the From address was
>>> tim@localhost.localdomain , and this was
>>> rejected by the recipient host or rather his ISP.
>>> ---
>>>   MAIL FROM domain
>>> does not exist
>>> (in reply to MAIL FROM command)
>>> ---
>>> I cured this by adding
>>> tim t...@gayleard.eu
>>> to /etc/hosts .
>>> I don't know if this is the best way to go about it?

That is a very odd hosts file entry :-). From man 5 hosts, section EXAMPLES:

127.0.0.1       localhost
192.168.1.10    foo.mydomain.org   foo
192.168.1.13    bar.mydomain.org   bar

>> This is typically caused by having your hostname set to localhost (or
>> localhost.localdomain). Your hostname should reflect your fqdn.
>
> If you mean $myhostname in /etc/postfix/main.cf then that is not the cause;
> it was set to my fqdn.
> Also it is set in /etc/sysconfig/network.
> And it is the name given by "uname -a".
> I'm not sure where else it can be given?

unless your fqdn is in DNS or in your hosts file, postfix does not know 
about that:

http://www.postfix.org/postconf.5.html#myhostname

So in order to find out what postfix thinks $myhostname is in its 
default settings, try this:

# postconf -d | grep myhostname

If you set a fqdn in myhostname, then you will not have that problem.

>>> After correcting this, I found my email was still rejected,
>>> with the message "Blacklisted by Spamhaus"!
>>> I read in 
>>> that 'the reason is simply that you need to turn on "SMTP
>>> Authentication"'
>
>> The bit at the top of the Spamhaus link says it all really - as a matter
>> of *policy*, Spamhaus and/or your ISP has decided that you shouldn't be
>> sending email direct from that IP address as it's residential / dynamic
>> / whatever. Either way, as a result 90% of the internet is going to
>> reject your mail. You will need to relay all outbound email through your
>> ISPs smarthost to achieve any sort of deliverability.
>
> Exactly.
> So perhaps this should be mentioned in the CentOS document
> ?
>

that is nothing postfix/centos specific, IMO. Trying to run an MTA on a 
dial-up host is an exercise in futility. You may agree or disagree
whether this is fair, but it is a fact. So if someone adds a warning in 
the wiki about that, fine, but it has nothing to do with centos or postfix.

If you want to have a test postfix server with an acceptable IP address, 
get yourself a vm on any cloud provider. Then you will not be blocked 
unless you start spamming :-) . Those vm's are very affordable (from 
5$/month on).

-- 
groet,
natxo


Re: [CentOS] Setting up postfix under CentOS-6

2013-09-13 Thread natxo asenjo
On 09/13/2013 01:37 PM, Timothy Murphy wrote:
> natxo asenjo wrote:
>
>> Postfix's target audience is not the average joe user but e-mail
>> administrators. It is assumed you know some stuff about how smtp e-mail
>> works.
>
> I wonder if that is, or should be, any longer the case?
> I would have guessed that many, perhaps the majority, of CentOS users
> are now running home networks rather than commercial sites.
> I realise that RedHat may not be particularly interested in these people,
> but I would have thought CentOS should be.

this is certainly not my case. I do run centos (even in my laptop) but
my main use is professional. And frankly, I do not know anyone in my
personal environment with a linux computer (tablets/phones don't count).

>> Once you have that figured out, then you can go on to other configs,
>> like the content inspection, integration with other data sources,
>> performance problems, etc. It does make sense once you approach it with
>> an e-mail admin hat on.
>
> I'm not an "email admin" except by necessity.
> If in fact it takes say two days of reading to setup postfix
> then I would revert to sendmail,
> which has been working perfectly for me for years.
> (Incidentally, having now setup postfix/amavis/clamd/spamassassin
> it does not seem to me to have any advantages - at least in my case -
> over sendmail/procmail/spamassassin .
> I've been told it is much better, but nobody has told me why.)

maybe you should not have switched then. The main advantage of postfix
above sendmail is that it is now more common. Sendmail has this
reputation of being hard, so no one wants to start using it now. The
pool of sendmail admins is dwindling fast.

>> maybe you should be looking at commercial
>> offerings like barracuda. It is nothing to be ashamed of to buy stuff
>> that works and has support when something goes wrong. Handling e-mail
>> for a company without understanding how it works internally can be
>> stressing.
>
> As I have said, I am not a company.
> I think I run a fairly typical home network,
> a setup that I would guess is going to become steadily more popular
> as the number of devices on a local network in the average household grows:
> laptops, TVs, smart phones, printers, etc.

somehow I doubt that most families will start installing a centos server
to handle their e-mail. Everybody is happy to hand it off to gmail
nowadays, so they just configure that. As to the other devices, they
just need network connectivity, and the access points take care of that.

Most people I know are happy to get a NAS device to keep their stuff centrally
and for downloading stuff from newsgroups/bittorrent. They are not in
the least interested in a mail server. But maybe the people you know are
:-)

>> Also, the postfix mailing list is the best place to ask postfix questions
>
> I did ask the same two questions on that newsgroup/mailing-list
> and got no response.
> As you say, it seems to be the haunt of commercial or company email admins.

well, yes, those are the people using postfix after all :-)

I went to check what you posted there, and I can see the problem with
myhostname:

myhostname = alfred.gayleard.eu

but that host does not exist:

$ host alfred.gayleard.eu
Host alfred.gayleard.eu not found: 3(NXDOMAIN)

This means it does not exist in dns. My guess is it does not exist in
your hosts file either.

-- 
groet,
natxo



Re: [CentOS] Setting up postfix under CentOS-6

2013-09-13 Thread natxo asenjo
On 09/13/2013 03:59 PM, Timothy Murphy wrote:
> natxo asenjo wrote:

> If you mean myhostname in /etc/postfix/main.cf
> then as I just said it is set to the fqdn.
> Also I should point out that sendmail has been working perfectly there,
> without any such messages in /var/log/maillog .

obviously sendmail is not postfix, is it? Or does sendmail have a config
on /etc/postfix/main.cf?

>> Trying to run an MTA on a
>> dial-up host is an exercise in futility. You may agree or disagree
>> whether this is fair, but it is a fact.
>
> It may be a fact, but it is a totally irrelevant one in this context,
> since I am not "running an MTA on a dial-up host".
> I have a perfectly standard broadband connection
> (admittedly a little flaky in Italy).

Broadband consumer connections are 'dial-up'.

That is why it was blocked by spamhaus policy.

>> If you want to have a test postfix server with an acceptable IP address,
>> get yourself a vm on any cloud provider. Then you will not be blocked
>> unless you start spamming :-) . Those vm's are very affordable (from
>> 5$/month on).
>
> This suggestion, like others along the same lines,
> seems more or less crazy to me.
> Why on earth should I want to get a VM on a cloud provider?
> I have perfectly good internal and external IP addresses
> (the latter thanks to dyndns).

obviously not to send email directly which is what you were trying to
do. When having such an ip no mx server will accept messages from you
directly. That is why you need to relay to your e-mail provider.

The fact that you state you use dyndns proves you do not understand how smtp
servers work. No mx server will talk to your dyndns mta directly
*except* your isp's mta.

> As I have said, I have postfix/amavis working perfectly now.
> But it was much more time-consuming than it should have been,
> due in my opinion to very bad documentation,
> or possibly lack of documentation for someone setting up a home network.

or lack of knowledge on your part on how smtp servers work. Everything
is possible.


Re: [CentOS] Setting up postfix under CentOS-6

2013-09-13 Thread natxo asenjo
On 09/13/2013 04:34 PM, Timothy Murphy wrote:
> natxo asenjo wrote:
>
>> I do run centos (even in my laptop) but
>> my main use is professional. And frankly, I do not know anyone in my
>> personal environment with a linux computer (tablets/phones don't count).
>
> I can't parse this.
> You are saying you are running centos on a laptop,
> but don't know anyone running a "linux" computer.

on my personal environment, no. On my professional life, all the time.

> Do you mean that all the people you know are running Windows or MacOS?
> Or do you mean you don't know anyone with a laptop?

o god.

> Incidentally, I'm not running CentOS on a laptop,
> if that was your implication.
> I run Fedora (and Windows) on all the laptops I own.
>
> Most people I know have laptops and smart phones;
> only the youngest use their smart phones for email.
>
>> The main advantage of postfix
>> above sendmail is that it is now more common. Sendmail has this
>> reputation of being hard, so no one wants to start using it now. The
>> pool of sendmail admins is dwindling fast.
>
> Possibly.
> I changed because CentOS-6 changed to postfix as default,
> and I would generally follow the default on any system I was using.
> That does not alter the fact that the changeover was more difficult
> or at least more time-consuming than it should have been,
> due in my opinion to bad documentation.

The fact you do not understand the documentation does not mean it is
bad. The default postfix in centos does basically nothing. Because there
is no standard setting for postfix (it is too versatile), e-mail
administrators are expected to know what they are doing. If you do not
want to spend the time learning that, just use your isp e-mail or one of
the free and numerous cloud e-mail providers.

> I don't agree with everything in
> <http://stevelosh.com/blog/2013/09/teach-dont-tell/>
> but I certainly think he is on the right side of the fence.
>
>> somehow I doubt that most families will start installing a centos server
>> to handle their e-mail. Everybody is happy to hand it off to gmail
>> nowadays, so they just configure that.
>
> Are they?
> I would say that most people I know have misgivings about gmail.
>
>> Most people I know are happy to get a NAS device to keep their stuff
>> centrally
>> and for downloading stuff from newsgroups/bittorrent. They are not in
>> the least interested in a mail server. But maybe the people you know are
>> :-)
>
> Yes, we obviously live in different universes.
> I don't know anyone who downloads newsgroups to a NAS device.

you obviously have never heard of nzb. Never mind.

>>>> Also, the postfix mailing list is the best place to ask postfix
>>>> questions
>>>
>>> I did ask the same two questions on that newsgroup/mailing-list
>>> and got no response.
>>> As you say, it seems to be the haunt of commercial or company email
>>> admins.
>>
>> well, yes, those are the people using postfix after all :-)
>>
>> I went to check what you posted there, and I can see the problem with
>> myhostname:
>>
>> myhostname = alfred.gayleard.eu
>>
>> but that host does not exist:
>>
>> $ host alfred.gayleard.eu
>> Host alfred.gayleard.eu not found: 3(NXDOMAIN)
> ---
> [tim@rose ~]$ dig gayleard.eu
>
> ;; ANSWER SECTION:
> gayleard.eu.    3600    IN    A    79.51.59.112

that is the host *gayleard.eu*, not *alfred.gayleard.eu* which incidentally
was your myhostname declaration.

Do you see the difference? Your host alfred.gayleard.eu does NOT exist.
And your mx record is mail.gayleard.eu, why don't you use that in your
myhostname declaration?

-- 
groet,
natxo



Re: [CentOS] Setting up postfix under CentOS-6

2013-09-13 Thread Natxo Asenjo
On Sep 13, 2013 7:02 PM, "Les Mikesell"  wrote:
>
> On Fri, Sep 13, 2013 at 10:18 AM, natxo asenjo wrote:
> >
> > The fact you do not understand the documentation does not mean it is
> > bad.
>
> It is pretty good evidence that swapping it as the default because
> 'sendmail is hard' was misguided, though.  Sendmail works and isn't
> particularly hard if you stick to the sendmail.mc settings and
> milters.

Hardly.

Postfix works and isn't particularly hard if you take the time to read and
understand the docs.

The point is, an mta is something you need to set up. Be it sendmail, exim,
postfix or exchange.

> >The default postfix in centos does basically nothing. Because there
> > is no standard setting for postfix (it is too versatile), e-mail
> > administrators are expected to know what they are doing.
>
> Everyone needs to send mail.  Lots of unix/linux programs are
> configured to hand off to sendmail whether you do it personally or
> not.  Postfix comes with enough sendmail emulation to accept that
> mail, but then what?

then you set it up. Nothing shocking here. This is a normal step in
provisioning a host. It's like not specifying an alias for the local root
account to send system messages somewhere else where they get read, and the
local root account accumulates messages nobody reads. Then you login to run
some maintenance and the first thing you see is 2 unread messages.

> > If you do not
> > want to spend the time learning that, just use your isp e-mail or one of
> > the free and numerous cloud e-mail providers.
>
> Exactly.  But where is the concise how-to to make that work?

RTFM :-)

It is not that hard:
http://www.postfix.org/BASIC_CONFIGURATION_README.html 'What delivery
method: direct or indirect'.

Or http://lmgtfy.com/?q=postfix+how+to+send+mail+through+isp if you think
the docs are hard to find, then you get a link to the postfix.org site
http://www.postfix.org/SOHO_README.html where you can read 'Enabling SASL
authentication in the Postfix SMTP/LMTP client' to relay e-mail to another
server with authentication enabled. Very easily explained.

Of course you can always find an obscure howto somewhere on the net and
then complain that it does not work. I prefer to stick with the official
docs.

Running an internet facing smtp server is another matter. But running
postfix with a smarthost is a piece of cake.

-- 
groet,
natxo

I mean, simpler than

relayhost = yourispmta.domain.tld

 is hard to find, isn't it?
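
The two checks this thread keeps coming back to (a `myhostname` that actually resolves, and relaying through the ISP smarthost with SASL authentication as in SOHO_README), as an added example that is not part of the original posts or of Postfix itself: a Python audit of a `main.cf`. The parameter names are real Postfix ones; the sample configs, host names, stub resolver and function names are constructed for illustration.

```python
import socket

# TLS levels that still allow an unencrypted session to the relay.
# Per-destination smtp_tls_policy_maps overrides are not considered here.
WEAK_TLS = {"", "none", "may"}

def parse_main_cf(text):
    """Parse main.cf text into a dict; the last assignment of a name wins."""
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace():              # leading whitespace continues a line
            if current is not None:
                params[current] = (params[current] + " " + stripped).strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params

def resolves(name):
    """True if the name resolves through DNS or the hosts file."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def audit(params, resolver=resolves):
    """Return a list of findings for a relay-through-smarthost setup."""
    findings = []
    host = params.get("myhostname")
    if host is None:
        findings.append("myhostname not set: Postfix derives it from the system hostname")
    elif "." not in host or host.startswith("localhost"):
        findings.append(f"myhostname {host!r} is not a fully qualified name")
    elif not resolver(host):
        findings.append(f"myhostname {host!r} does not resolve")
    if not params.get("relayhost"):
        findings.append("relayhost empty: mail is sent directly to recipient MX hosts")
    if params.get("smtp_sasl_auth_enable", "no").lower() == "yes":
        if not params.get("smtp_sasl_password_maps"):
            findings.append("SASL enabled but smtp_sasl_password_maps is not set")
        opts = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
        opts = set(opts.replace(",", " ").split())
        tls = params.get("smtp_tls_security_level", "")
        if "noplaintext" not in opts and tls in WEAK_TLS:
            findings.append("plaintext SASL allowed without mandatory TLS")
    return findings

# Constructed samples (not taken from the thread).
FAKE_DNS = {"mail.example.org"}

def stub_resolver(name):
    return name in FAKE_DNS

BAD_CF = """\
myhostname = alfred.example.org
relayhost = [smtp.isp.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
"""

GOOD_CF = """\
# relay everything through the provider, credentials only over TLS
myhostname = mail.example.org
relayhost = [smtp.isp.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
    noanonymous
smtp_tls_security_level = encrypt
"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_CF), ("good", GOOD_CF)):
        print(label, audit(parse_main_cf(text), stub_resolver))
```

On a real host, pass the contents of `/etc/postfix/main.cf` and leave `resolver` at its default so the lookup goes through the system resolver.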


Re: [CentOS] Setting up postfix under CentOS-6

2013-09-14 Thread natxo asenjo
On 09/13/2013 11:52 PM, Les Mikesell wrote:
> On Fri, Sep 13, 2013 at 1:19 PM, Natxo Asenjo  wrote:
>>>>>
>>>> The fact you do not understand the documentation does not mean it is
>>>> bad.
>>>
>>> It is pretty good evidence that swapping it as the default because
>>> 'sendmail is hard' was misguided, though.  Sendmail works and isn't
>>> particularly hard if you stick to the sendmail.mc settings and
>>> milters.
>>
>> Hardly.
>>
>> Postfix works and isn't particularly hard if you take the time to read and
>> understand the docs.
>
> Neither was sendmail.
>
>> I mean, simpler than
>>
>> relayhost = yourispmta.domain.tld
>>
>>   is hard to find, isn't it?
>
> No, but it won't work with gmail...

and where is in the centos wiki or in the redhat documentation or in the 
sendmail documentation the info to accomplish that? Do you care to give 
me a url to those (un)official sources? In the sendmail doc I can find 
how to use tls and certificates, but so can I in the postfix docs. There 
is no copy paste settings for gmail to accept my email.

> I don't think it would even work  with Comcast any more.

I do not use comcast but the above method works perfectly on my 
broadband cable connection in The Netherlands (UPC). In fact, I do not 
even have to authenticate because I am allowed to simply relay from my 
home ip.




Re: [CentOS] Setting up postfix under CentOS-6

2013-09-14 Thread natxo asenjo
On 09/14/2013 09:08 AM, John R Pierce wrote:
> On 9/14/2013 12:00 AM, natxo asenjo wrote:
>> and where is in the centos wiki or in the redhat documentation or in the
>> sendmail documentation the info to accomplish that? Do you care to give
>> me a url to those (un)official sources? In the sendmail doc I can find
>> how to use tls and certificates, but so can I in the postfix docs. There
>> is no copy paste settings for gmail to accept my email.
>
> you'll probably find that info in the gmail help site.

exactly, not in the postfix docs.

I was not really asking for the info :-), just pointing out that it is 
not something postfix/sendmail specific.

Thanks anyway.

-- 
groet,
natxo



[CentOS] dracut ipv6 fixed ip

2019-04-01 Thread Natxo Asenjo
hi,

we have successfully implemented a tang/clevis environment for
automatically entering luks keys and booting hosts without operator
intervention.

Now we would like to use this as well on ipv6 networks, but I do not seem
to get it to work.

I have already posted this issue to the dracut devs github issue tracker (
https://github.com/dracutdevs/dracut/issues/554) but no response so far.
Maybe here I will get an answer.

I have tried these combinations but none works
(/etc/dracut.conf.d/1_static.conf)

kernel_cmdline="ip=[fd0c:fc8a::xx::2] netmask=64
gateway=[fd0c:fc8a::xx::1] nameserver=[fd7a:f141::xx::11]"
omit_dracutmodules+="ifcfg"

kernel_cmdline="ip=[fd0c:fc8a::xx::2] netmask=/64
gateway=[fd0c:fc8a::xx::1] nameserver=[fd7a:f141::xx::11]"
omit_dracutmodules+="ifcfg"

kernel_cmdline="ip=[fd0c:fc8a::xx::2]::[fd0c:fc8a:xxx:xx::1]:64:::none::[mac:address]
nameserver=[fd7a:f141::xx::11]"

kernel_cmdline="ip=[fd0c:fc8a::xx::2]::[fd0c:fc8a::xx::1]:64::eno1:none
nameserver=[fd7a:f141::xxx::11]"

With the first two I get an unbootable system (system halted) (sorry, I did
not take a photo of the error), the last two do boot but never contact the
tang server so I need to manually enter the luks key.

On the ipv6 gateway there comes no ipv6 traffic from the dracut client
while on the luks password prompt. Once the system is booted, I can decrypt
fine using the clevis tools and ipv6 (no firewall issue).
We are working around the issue booting clevis in dracut with a ipv4
address and natting the http client to the tang servers on the gateway, but
this is suboptimal and makes us maintain an ipv4 presence we neither need
nor want.

Am I missing something obvious in the dracut conf file maybe? Anyone
experience with something similar?

Thanks in advance.

--
regards,
Natxo


Re: [CentOS] dracut ipv6 fixed ip

2019-04-12 Thread Natxo Asenjo
On Mon, Apr 1, 2019 at 11:12 AM Natxo Asenjo  wrote:

> kernel_cmdline="ip=[fd0c:fc8a::xx::2]::[fd0c:fc8a:xxx:xx::1]:64:::none::[mac:address]
> nameserver=[fd7a:f141::xx::11]"
>

for future reference,  maybe:

kernel_cmdline="ip=[fd0c:fc8a::xx::2]::[fd0c:fc8a:xxx:xx::1]:64:::none::[mac:address]
nameserver=fd7a:f141::xx::11"

Coherent, not so much, but it works. One thing less running in ipv4.

--
Groeten,
natxo
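
The colon-separated static `ip=` value from this thread, as an added example that is not part of the original posts or dracut's own code: a Python parser that keeps bracketed IPv6 addresses whole while splitting the fields, then validates them before the initramfs is rebuilt. The addresses and MAC are constructed; the field order and the autoconf keyword set follow the static form in dracut.cmdline(7) and are an assumption to check against your release.

```python
import ipaddress

# Field order of the static form (assumption: per dracut.cmdline(7)).
FIELDS = ("client", "peer", "gateway", "netmask", "hostname", "interface", "autoconf")
# Autoconf keywords this example accepts (assumption; check your release).
AUTOCONF = {"none", "off", "dhcp", "on", "any", "dhcp6", "auto6", "ibft"}

def split_fields(value):
    """Split on ':' while keeping a bracketed group such as [fd00::2] whole."""
    fields, buf, depth = [], [], 0
    for ch in value:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("']' without matching '['")
        if ch == ":" and depth == 0:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if depth:
        raise ValueError("'[' without matching ']'")
    fields.append("".join(buf))
    return fields

def parse_address(field, what):
    """Accept a bare IPv4 address or a bracketed IPv6 address."""
    inner = field[1:-1] if field.startswith("[") and field.endswith("]") else field
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        raise ValueError(f"{what} {field!r} is not a valid address "
                         "(IPv6 must be bracketed and contain at most one '::')")

def parse_static_ip(value):
    """Parse the value of a static ip= argument into a dict of named fields."""
    fields = split_fields(value)
    if len(fields) < len(FIELDS):
        raise ValueError(f"static form needs {len(FIELDS)} fields, got {len(fields)}")
    cfg = dict(zip(FIELDS, fields))
    cfg["extra"] = fields[len(FIELDS):]   # trailing optional fields, kept as-is
    client = parse_address(cfg["client"], "client-IP")
    try:
        network = ipaddress.ip_network(f"{client}/{cfg['netmask']}", strict=False)
    except ValueError:
        raise ValueError(f"netmask {cfg['netmask']!r} does not fit {client}")
    cfg["network"] = str(network)
    if cfg["gateway"]:
        gateway = parse_address(cfg["gateway"], "gateway-IP")
        if gateway.version != client.version:
            raise ValueError("client and gateway use different IP versions")
        cfg["gateway_on_link"] = gateway in network
    if cfg["autoconf"] not in AUTOCONF:
        raise ValueError(f"unknown autoconf method {cfg['autoconf']!r}")
    return cfg

def explain(value):
    """Return 'ok' or a one-line reason why the value would not parse."""
    try:
        parse_static_ip(value)
        return "ok"
    except ValueError as exc:
        return f"error: {exc}"

# Constructed samples mirroring the shapes tried in the thread.
SAMPLE_OK = "[fd00:1234:5678:1::2]::[fd00:1234:5678:1::1]:64:::none::[52:54:00:12:34:56]"
SAMPLE_ADDR_ONLY = "[fd00:1234:5678:1::2]"
SAMPLE_UNBRACKETED = "fd00:1234:5678:1::2::fd00:1234:5678:1::1:64:::none"
SAMPLE_DOUBLE_COLON = "[fd00:1234::5678::2]::[fd00:1234:5678:1::1]:64:::none"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_ADDR_ONLY, SAMPLE_UNBRACKETED, SAMPLE_DOUBLE_COLON):
        print(f"{explain(sample):<8.8}  ip={sample}")
```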


Re: [CentOS] NetworkManager on servers

2020-02-15 Thread Natxo Asenjo
hi,


On Mon, Feb 10, 2020 at 8:55 AM Nicolas Kovacs  wrote:

> Hi,
>
> 
> On servers though, one of the first post-installation steps I performed was
> to get rid of Network-Manager and all its components. The servers I'm
> working on are relatively small-scale and have from one to four network
> interfaces. Each interface has a corresponding configuration in
> /etc/sysconfig/network-scripts, and that's it. From there, I rarely - if
> ever - touch it. In all my setups, NetworkManager is merely a useless layer
> of abstraction, and I like sticking to the KISS principle and shave off
> useless layers.
>

Interesting philosophical discussion but using centos means you need to go
with whatever red hat decides, so if they say so, then you have few options.

I must admit I have long refused to use networkmanager, but since centos 7
it has been rock solid. And as we use config tools (salt right now, but it
is the same with the rest of the competition) I do not really care what
they use to abstract the network configuration as long as it works. And
work it does, so everybody is happy.

Another huge selling point is that it is what cockpit uses to configure the
network interfaces, and cockpit is really nice for less advanced users. So
our more junior people can get their feet wet using cockpit, and we can
automate everything using configuration management, and both tools use the
same api so nobody gets left behind.

Tab completion makes it easy to use, too ;-)

In the end, my take is: whoever comes after me needs to understand whatever
we were doing, so let's just stick with what the vendor provides (regarding
the operating system) and use best of breed tooling to manage it (which may
or may not be what the OS vendor recommends, but can fit better the
business's requirements).

--
regards from the sunny Netherlands,
natxo


[CentOS] centos 6.2 mirror no yum grouplist

2012-06-18 Thread Natxo Asenjo
hi,

I have created a 6.2 local repository in our lan and it works fine for
packages.

However, when trying to use the yum groups, I get this:

# yum grouplist
Loaded plugins: fastestmirror, security
Setting up Group Process
Loading mirror speeds from cached hostfile
Error: No group data available for configured repositories

I have tried downloading one comps.xml file (I have tried both with
http://mirror.centos.org/centos/6.2/os/i386/repodata/e9226c33fcd943a60c7a631c67895c01e61f4e62577c37e971cfe61de32239ff-c6-i386-comps.xml
and with
http://mirror.centos.org/centos/6.2/os/i386/repodata/cffddde71947e5fe5a7ce5b77b36decb71afe14b09e3160eba4b4acdd90daa9f-c6-i386-comps.xml.gz)
and rebuilding the repo with createrepo -g /path/to/xml /path/to/rpms, but
after cleaning the yum cache and remaking the cache on the client I still
have the same error.

I am obviously doing something wrong, but I do not see what. Any hints
greatly appreciated

The repos are created with mrepo, in case this is important.

Any hints greatly appreciated.
--
Groeten,
natxo


Re: [CentOS] FreeIPA on Centos 6

2012-06-27 Thread Natxo Asenjo
On Wed, Jun 27, 2012 at 8:39 AM, James Hogarth wrote:

> > Named segfaulted here and there, and when the master instance failed,
> > takeover didn't work for whatever reason.
> >
>
> I have four IPAs replicating together across two DCs with full DNS and CA
> integration plus using it for sudo management as well fully stable.
>
> Have never seen the behaviour you describe and there is no 'master' to take
> over from since it is multi master so no take over even exists much
> less is required
>

+1.

IPA is a very nice addition to the linux environment. And getting better
all the time :-)

Finally we can deploy a secure, trusted network without having to hack 20
different software pieces together. TUV has really nailed this one.

-- 
groet,
natxo


Re: [CentOS] FreeIPA on Centos 6

2012-06-27 Thread Natxo Asenjo
On Wed, Jun 27, 2012 at 11:15 AM, Boris Epstein wrote:

> On Wed, Jun 27, 2012 at 2:39 AM, James Hogarth wrote:
>
> > > Named segfaulted here and there, and when the master instance failed,
> > > takeover didn't work for whatever reason.
> > >
> >
> > I have four IPAs replicating together across two DCs with full DNS and CA
> > integration plus using it for sudo management as well fully stable.
> >
> > Have never seen the behaviour you describe and there is no 'master' to
> > take over from since it is multi master so no take over even exists much
> > less is required
> > ___
> > CentOS mailing list
> > CentOS@centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
> Thanks. What's DC in this context?
>
> Boris.
>

datacenters?

--
groeten,
natxo


Re: [CentOS] libre office

2012-07-11 Thread Natxo Asenjo
On Wed, Jul 11, 2012 at 11:50 AM, Fernando Cassia  wrote:

> On Wed, Jul 11, 2012 at 1:25 AM, John R Pierce 
> wrote:
> > LibreOffice was created when Oracle bought Sun, a bunch of the core
> > developers quit and started their own project,
>
> BS if you ask me...
> Oracle bought Sun in APRIL 2009.
>

[snip oracle/sun contributions to OSS projects]

As far as I am concerned, any OSS project can be forked. This has happened
here and TUV is just eating its own dogfood using LO instead of OO.org.

Nothing shocking, really. Most informed people know how much Oracle has
contributed to OSS, but also how it has tried to 'monetize' other stuff
(thinking java here, with the recent android controversy). They routinely
profit from other people's work (their unbreakable linux distribution is
not truly theirs, is it?).

Sometimes it makes more sense to open source stuff, sometimes it doesn't.
You win some, you lose some. Business as usual.

Mr Shuttleworth has obviously his own agenda on the discussion. He is the
first one to have stuff forked for no (apparently) good reason (unity)
instead of cooperating with upstream.

just my 2 cents.

-- 
groet,
natxo