passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)

2007-09-30 Thread Jonathan McKeown
On Friday 28 September 2007 16:29, Brian A. Seklecki wrote:
> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
> (PKI).
>
> All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP,
> interactive shell, SFTP, etc.) can be tied into LDAP either directly or
> via PAM.
>
> As for password change, I don't know if anyone has a passwd(1) binary
> that properly changes the LDAP password attribute -- if there is and it's
> out there, it requires ACL insanity.

The passwd(1) program was rewritten some time ago to use PAM, but a test was 
left in which prevents it doing so. I have asked, both on this list and on 
freebsd-hackers in the last few weeks, whether there is any reason other than 
historical to leave this test in, and been deafened by the silence. There are 
a couple of PRs either open or suspended regarding this issue.

I diked out the whole switch statement and replaced it with a single printf, 
and it works for changing LDAP passwords. I haven't thoroughly tested to see 
if it causes any other problems.

Jonathan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: usb serial convertor

2007-10-01 Thread Jonathan McKeown
On Monday 01 October 2007 03:41, The Longs wrote:
> I'm trying to get Greg's temperature controlled fridge to work, but the
> catch is that the laptop I'm using doesn't have a serial port. I'm hoping I
> can use a usb to serial convertor and tell the program to look at the usb
> port for the temperature probes, but I am lost as to how to do this.

A supported USB-to-serial converter will appear as a serial port. For example 
I use a Bafo BF-810 converter which is driven by uplcom(4), and in turn 
ucom(4) which presents /dev/cuaU0 and /dev/ttyU0.

Jonathan


Re: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)

2007-10-01 Thread Jonathan McKeown
On Monday 01 October 2007 20:29, Brian A. Seklecki wrote:
> On Mon, 1 Oct 2007, Jonathan McKeown wrote:
> > The passwd(1) program was rewritten some time ago to use PAM, but a test
> > was left in which prevents it doing so. I have asked, both on this list
> > and on freebsd-hackers in the last few weeks, whether there is any reason
> > other than historical to leave this test in, and been deafened by the
> > silence. There are a couple of PRs either open or suspended regarding
> > this issue.
> >
> > I diked out the whole switch statement and replaced it with a single
> > printf, and it works for changing LDAP passwords. I haven't thoroughly
> > tested to see if it causes any other problems.
>
> Does it log in as the LDAP user or the PAM super-user to do the attribute
> change?  I'll check out the source...but that's great news.  ~BAS

From what I remember you have to add some additional configuration in the 
pam_ldap config file - pam_password exop seems to ring a bell - which tells 
pam_ldap to use the RFC3062 Password Modify extended operation. I think it 
does it as the user who owns the password so you need something like

access to attrs=userPassword
        by self write
        by * auth

in slapd.conf.

I was actually fiddling with this to try and get pam_pGINA working: if anyone 
has had any joy with that I'd be interested to hear about it.

Jonathan


Re: Separating Mail from Security Output and Daily Run Output

2007-10-19 Thread Jonathan McKeown
On Friday 19 October 2007 03:24, Michael K. Smith - Adhost wrote:
> Hello All:
>
> Is there a way on the server side to have the output from the Security
> Run and the Daily Run to go to separate email addresses?  We have a
> gihugic number of servers sending everything to a single address and I'd
> like to be able to parse out the Security reports by "from" address
> rather than using other, less reliable filters in my various email
> clients.

Set

daily_output="daily_user"
daily_status_security_output="security_user"

in /etc/periodic.conf (replacing daily_user and security_user with the 
respective email addresses).

Jonathan


Re: tar Ignoring out-of-order file What Does that Mean?

2007-11-04 Thread Jonathan McKeown
On Tuesday 30 October 2007 16:02, Martin McCormick wrote:
>   I need to modify the first installation image for a
> headless installation of Freebsd6.2. The file in question is:
>
> 6.2-RELEASE-i386-disc1.iso
>
>   Thanks to a helpful member of the list

[that was me - I'm glad I was of some help]

>   I found out that tar works on unpacking these images and it
> mostly does on this one, but there is a complaint I get from tar
> that I haven't found on other images. If I do a
>
> tar tvf 6.2-RELEASE-i386-disc1.iso
>
> Here is what happens while looking at the contents list:
>
> 0   44232 Jan 12  2007 RELNOTES.HTM lr-xr-xr-x  1 0  0
> 0 Jan 12  2007 stand -> /rescue lr-xr-xr-x  1 0  0   0
> Jan 12  2007 sys -> usr/src/systar: Ignoring out-of-order file
>
> -r--r--r--  1 0  0   22916 Jan 12  2007 RELNOTES.TXT

I haven't taken any steps at all to verify this, but just looking at
the error message it would appear that it's ignoring sys, which is a
symlink to usr/src/sys. I wonder if it's encountering sys, trying to
create the soft link and finding that usr/src/sys doesn't exist to be
linked to because it hasn't been unpacked yet? That may be the meaning
of the message about an out-of-order file.

> It appears that the entire image unpacks except for the
> ignored file. If one tries the extraction with
>
> tar xf 6.2-RELEASE-i386-disc1.iso
>
> The complaint about the out-of-order file is the only indication
> that anything is wrong.

If it is indeed sys that's not being created, it's a symlink to a
directory rather than a file or link to a file. If the root of the CD
doesn't contain a directory called sys which softlinks to usr/src/sys,
it should be possible to correct the error by doing

ln -s usr/src/sys sys

in the root of the unpacked CD filesystem.

>   In looking at the man page for tar, nothing jumps out at
> me  as to how to end up with the proper file structure that
> mkisofs can put back in to an image to put on a CDROM.
>
>   My thanks for any suggestions as I may be needing to do
> one of these installs in a day or so and it would be nice to
> know that all the image is there.

I may have missed your deadline in that case - sorry, I've been on
holiday.

Jonathan


Re: shell programming

2007-11-09 Thread Jonathan McKeown
On Friday 09 November 2007 20:02, Eric Crist wrote:
> On Nov 9, 2007, at 11:46 AM, Bill Banks wrote:
> > I'm  writing a backup script. I need to get the day of the week into
> > a variable. How can I do it?
>
> Well, it depends on what you're using.  If you're using sh, see `man
> date`.  If you're using perl, it's quite complicated.

Not really:

use POSIX 'strftime';
my $day_of_week = strftime '%A', localtime;

POSIX has always been a core module. To see this in action from a commandline,

perl -MPOSIX=strftime -le 'print strftime q/%A/, localtime'

Jonathan


Re: Ports with GUI configs

2007-11-12 Thread Jonathan McKeown
On Monday 12 November 2007 17:48, Erik Trulsson wrote:
> On Mon, Nov 12, 2007 at 03:26:00PM +, Ashley Moran wrote:
>> I've lost count of the number of times I've come back to a big
>> install to find it hanging on a config screen.  Possibly I'm missing
>> something.
[snip]
>> What is the best way to pre-configure GUI-configured ports?  For example, 
>> if I want to script an installation of several ports.
>
> 'make config-recursive' to pop up all the config-dialogs before you
> start building[...]

I discovered this recently. My big irritation, having decent bandwidth at work 
and a dialup at home, was fetching ``all'' the required sources for an 
overnight build on my laptop, finding in the morning that a dialog had popped 
up during the night and stopped the build, selecting a non-standard option 
and restarting only to find that it brought in a bunch more dependencies - 
over my phone line.

I now run make config-recursive repeatedly until dialogs stop appearing, then 
fetch, then build. This recently cut down a build of X.org and KDE from a 
week (wall time) to less than 24 hours - from memory I ran make 
config-recursive three or four times on x11/kde3 alone.

(Oh, I also got ADSL which helped with the downloads).

Jonathan


apache port knobs - WITH_APACHE2 deprecated?

2007-11-15 Thread Jonathan McKeown
This is (I hope) a quick and easy question.

I want to ensure that any ports which depend on Apache will depend on 2.0 
rather than try to bring in 1.3.

I used to do this by putting WITH_APACHE2 in /etc/make.conf.

bsd.apache.mk says WITH_APACHE2 is deprecated.

What is it deprecated in favour of, or is that a secret?

(Sorry for the snarky tone but I've spent most of today trying to find a clear 
answer).

Jonathan


Re: apache port knobs - WITH_APACHE2 deprecated?

2007-11-15 Thread Jonathan McKeown
On Thursday 15 November 2007 19:39, Philip M. Gollucci wrote:
> Jonathan McKeown wrote:
> > This is (I hope) a quick and easy question.
> >
> > I want to ensure that any ports which depend on Apache will depend on 2.0
> > rather than try to bring in 1.3.
> >
> > I used to do this by putting WITH_APACHE2 in /etc/make.conf.
> >
> > bsd.apache.mk says WITH_APACHE2 is deprecated.
>
> $ grep apache /etc/make.conf
> APACHE_PORT=www/apache22

Thanks. I wondered about that while looking through bsd.apache.mk but wasn't 
confident enough (nor did I have enough spare time) to experiment. I must 
offer a patch to the makefile/documentation.

Jonathan


Re: Ports with GUI configs

2007-11-18 Thread Jonathan McKeown
On Saturday 17 November 2007 02:06, Chad Perrin wrote:
> On Fri, Nov 16, 2007 at 02:11:57PM -0500, Chuck Robey wrote:
> > prominently display the actual meaning of the word being set.  The only
> > reason to make the list binary is to force everyone to use the
> > (basically database technology) tool to manipulate the keywords, thus
> > stopping folks from misconstruing the meanings.  That's my only reason
> > for that, and there are certainly other ways to go about it, so as long
> > as whatever is suggested requires folks to see the commonly accepted
> > definition when they set the list, I don't care how it's done.  The list
> > could as easily be encrypted, I guess, that would also cause the same
> > work flow, in somewhat the same reasoning as we use for forcing folks to
> > use "vipw" to change the password list.

I haven't read the discussion on -ports, but I hope the rest of your (Chuck 
Robey's) arguments are better founded than this one.

No-one forces anyone to use vipw(8). You can, for example, edit
/etc/master.passwd or a copy of it with any editor you like, and then run 
pwd_mkdb(8) to install your changes. vipw just gives you file locking (plus 
sanity checks and an automatic call to pwd_mkdb).

> I think "forcing" anyone to anything is a *bad idea*.  Period.  You're
> talking about placing arbitrary limits on what the user can see if he or
> she wants to understand what's going on "under the hood".  With that kind
> of treatment, I would never have learned as much about FreeBSD as I know
> as quickly as I did.

I agree.

> I, for one, would probably refuse to use such a system once I learned
> enough about the basics to want to know what it's doing.  The moment I
> figured out it was designed specifically to obscure some aspect of its
> operation from the user, I'd look for something else to use instead.
> There are very good reasons for this -- reasons like security, curiosity,
> and just plain good manners.
>
> > Please consider that we'll get another chance to argue this out when I
> > have the software ready, so we don't need to settle it now.  I don't
> > want this to continue to pollute the -questions list.

I'm not at all sure what problem you're trying to solve here. If I know I need 
to change the defaults on a port, I generally know why and what the 
implications are; if I don't, the defaults are generally what I need anyway.

As far as I can see, you want to remove a deal of flexibility from the ports 
system, in favour of introducing a compulsory scheme of configuration hints. 
You say you want to move ports configuration from port install time to system 
compile time - which in itself is, in my view, an unrealistic objective: it 
will break the first time a new port has an option which can't be determined 
on the basis of an existing keyword. Not only that, but it means that as soon 
as I install a single port (Perl, for example), I would have to run the 
complete ports-tree configuration routine.

I'm sorry to leap on board and prolong the agony at this late stage, but I 
wanted to add another datum point, particularly given the rather dismissive

> > I personally felt we'd sufficiently discussed this to death, but
> > now there's 2 different folks who want to tear it apart some more.
> > If you're bored of this, tell me, and I will drag these folks
> > either into private discussions, or maybe onto the ports list.
> > Tell me if you've heard enough of this .

Jonathan


Re: One Laptop Per Child

2007-11-19 Thread Jonathan McKeown
[Ted Mittelstaedt's words, heavily edited for brevity. Ted, please shout if I 
haven't caught the sense of what you're saying]

> Well, I know it's been a week since this came up but I'll toss in my
> $0.02 here.  I've been against this project since I heard about it.
> Fortunately, it appears to be failing.

> IMHO what these kids need are connections to the Internet and the
> knowledge store on the Internet, not a laptop. What a laptop that
> isn't networked to the Internet is going to do to help them I cannot
> guess.

> The idea of this project seems to have been to just dump a lot of
> laptops into these kids hands and trust that the network fairies
> will magically fly out and connect all of them to something they can
> use.

> The other problem of course is that laptops are more fragile than a
> desktop that is fixed, and very subject to theft, much more than a
> desktop.

> I suppose they figure ... the kid will be able to come up with the
> $10-$20 monthly equivalent to keep the internet connection to the
> thing going?  Assuming they even have a phone at all?

As I understand it, the OLPC project has produced an extremely robust laptop 
which can be human-powered. A group of these laptops will automatically form 
a wireless mesh network and make use, collectively, of any Internet 
connectivity that's available to any one of them. In sub-Saharan Africa, that 
may well be through cellular data. (Satellite is available too, but a lot 
more expensive).

Look at  to see a social 
project by a cellular provider in South Africa which is putting telephone 
access within reach (both geographically and financially) of traditional 
rural communities. Note the statistic that Vodacom's cellular network covers 
93% of South Africa's population. Note also that this is being done, not as a 
free handout, but by creating a (slightly subsidised) business opportunity 
for local people, which is being seized with both hands. People don't need to 
be handed everything on a plate.

Now consider what a community can do when it can pool the cost of Internet 
connectivity - or what a force multiplier this is for government, 
non-governmental or even business intervention: this potentially reduces the 
problem of providing decent bandwidth to every farm and hut in rural Africa 
(or any other developing area) to a much simpler matter of wiring a few 
central points and letting the mesh networks take over the distribution.

> It would have been better to try creating a project that would
> produce a turnkey Internet network deployment that would be able to
> be dropped into any school anywhere, even if such a school consisted
> of a hut in the middle of a desert with a hole out back as the
> bathroom, no electricity, no running water, no telephone lines
> within 100 miles.

As far as I can see, the only bit of this equation OLPC isn't achieving is 
providing the Internet connectivity - and to be honest, I think that bit has 
to depend on local circumstances anyway. I think it deserves to succeed.

Jonathan (a sysadmin in urban South Africa)


Re: FreeBSD 7/OpenLDAP: Howto change passwords

2007-11-26 Thread Jonathan McKeown
On Monday 26 November 2007 17:11, O. Hartmann wrote:
> Hello,
>
> trying to change passwords on a client machine for a LDAP authenticated
> user always fails due to the original passwd() command is not capable of
> changing passwords remotely.
> There is a suggested patch, but is there an "official" way to do?

Hi Oliver

I've asked this question several times, here and on -hackers, with no very 
helpful response. I checked for PRs and several have been filed at various 
times and are in various different states.

As far as I can tell, the changes necessary to make passwd(1) work with the 
PAM infrastructure were made some years ago, but were diked out by a switch 
statement which appears to prevent a change to anything but /etc/passwd or 
NIS/YP. This switch relies on a set of constants which are themselves 
commented in the source as being ``bogus''.

The answer to our question may well be something like ``historical reasons'' 
or ``Principle of Least Astonishment'', but please, someone...

Is there a sound reason not to remove this guard statement and allow passwd(1) 
to change passwords in accordance with a PAM policy, as it is coded to do?

I've already offered to submit a patch if necessary: it hardly even needs a 
knowledge of C to fix this one - simply remove a switch statement and replace 
it with a simple printf.

Jonathan


Re: looking for online text editor

2007-12-04 Thread Jonathan McKeown
On Tuesday 04 December 2007 22:14, David Banning wrote:
> >  running the java filemanager - same goes for attempting to run
> >  mindterm-ssh. Is there some plain text editor program
> >  out there that will allow me to simply login and edit my files in
> >  plain text - (not a gui html editor) ?
> >
> >I use putty to ssh to remote servers and use vi to edit files once
> >logged in to the server.
>
> But putty has to be installed on the machine you are working on, right?

Not necessarily. When you go to the download site for putty and click on 
the .exe (), 
Windows will ask you whether you want to download the program or run it. Tell 
Windows to run it. It may give you the odd warning but eventually it should 
start up a putty window. (It's possible even this can be locked down tight on 
a Windows box - but usually it isn't blocked).

Jonathan


Re: Where is the next uid from adduser pulled from?

2007-12-13 Thread Jonathan McKeown
On Wednesday 12 December 2007 20:04, Andrew Pantyukhin wrote:
> On Wed, Dec 12, 2007 at 12:00:06PM -0500, Francisco Reyes wrote:
> > I have scripts to add new users. However, after that any port that
> > installs a user creates it with a UID after the ones I made.
> >
> > For example I want all employees to have uids starting at 5000, but I
> > would like too port installed uids to be 2000 and up. After I add some
> > users (ie say last user is 5008), the next port that installs a user and
> > doesn't specify uid.. then will get 5009.
> >
> > Tried looking for the adduser program, but could not find adduser.c
>
> It's pw(8) that selects default uids and it just takes the last
> one (numerically) and uses the next one.
>
> Create a placeholder user with uid 5000 and let ports use uids
> 5000+, but when creating new users, specify uids manually (both
> pw and adduser allow that).

Alternatively, create/edit /etc/pw.conf including

minuid 2000
maxuid 4999
reuseuids yes

This will cause automatic uses of pw(8) (such as port installations) to use 
uids between 2000 and 4999, and to ``fill in the gaps''.

When adding a user by hand, use

pw -C /dev/null

to tell pw to ignore pw.conf(5) and get the default behaviour (which is to use 
the uid one higher than the highest ever used).

adduser(8) should just DTRT, but you can make sure by adding to the flags -u 
uid_start which will use the next available uid after uid_start (which it 
identifies by testing each uid in turn for existence, not by just using pw 
usernext).

Jonathan


Re: kde3 build problems

2008-09-10 Thread Jonathan McKeown
On Wednesday 10 September 2008 06:55:18 joeb wrote:
> I believe kde3 is obsolete.  I Just did kde4 and it worked.
>

That's most definitely not the case. KDE4 is still for early adopters, and 
KDE3 will continue to be supported as the ``conservative'' stable version for 
a while, according to .

Jonathan


Re: Netprint perl script from Handbook doesn't work

2008-09-25 Thread Jonathan McKeown
On Wednesday 24 September 2008 17:12:36 Dan Nelson wrote:
> In the last episode (Sep 24), Andy Kosela said:
> > The netprint perl script provided in the Handbook (9.4.3.2) is not
> > working.. or am I missing something:
> >
> > plotinus:~> cat new.txt | lp.sh
> > Can't contact 10.10.21.12: Address family not supported by protocol
> > family at /usr/local/libexec/netprint line 21.
>
> Can you telnet to that ip address ("telnet 10.10.21.12 9100", or
> whatever port you're using)?
>
> > plotinus:> cat /usr/local/libexec/netprint
> > #!/usr/bin/perl
> > #
> > #  netprint - Text filter for printer attached to network
> > #  Installed in /usr/local/libexec/netprint
> > #
> > $#ARGV eq 1 || die "Usage: $0 <printer-hostname> <port-number>";
> >
> > $printer_host = $ARGV[0];
> > $printer_port = $ARGV[1];
> >
> > require 'sys/socket.ph';
> >
> > ($ignore, $ignore, $protocol) = getprotobyname('tcp');
> > ($ignore, $ignore, $ignore, $ignore, $address)
> >     = gethostbyname($printer_host);
> >
> > $sockaddr = pack('S n a4 x8', &AF_INET, $printer_port, $address);
> >
> > socket(PRINTER, &PF_INET, &SOCK_STREAM, $protocol)
> >     || die "Can't create TCP/IP stream socket: $!";
> >
> > connect(PRINTER, $sockaddr) || die "Can't contact $printer_host: $!";
> > while (<STDIN>) { print PRINTER; }
> > exit 0;
>
> Wow.  That's a really complicated way to say
>
>   #! /bin/sh
>   nc $1 $2

It's also ugly (and very old-fashioned) Perl. Starting at (and replacing) the 
require 'sys/socket.ph' line (which is Perl 4, I think), it should look more 
like this (with appropriate error-checking added):

use Socket;
my $proto = getprotobyname('tcp');
socket(my $socket, PF_INET, SOCK_STREAM, $proto);
my $sock_in = sockaddr_in($printer_port, inet_aton($printer_host));
connect($socket, $sock_in);

Although this rewrite removes the need, if you want in general to ignore some 
of the return values of a function returning a list, the usual way is to 
assign to undef:

(undef, undef, undef, undef, $address) = gethostbyname($printer_host);

Although when you're throwing away that many, it makes more sense to index the 
returned list in the same way you would index an array:

$address = (gethostbyname($printer_host))[4] # returns 5th element

I really should submit a doc patch for this (incorporating Dan's sterling 
suggestion of nc $1 $2).

Jonathan


Re: Cannot create custom FreeBSD 7.0 install CD for serial console

2008-10-02 Thread Jonathan McKeown
On Wednesday 01 October 2008 22:25:21 Carl wrote:
> Jeremy Chadwick wrote:
> > On Wed, Oct 01, 2008 at 02:41:03AM -0700, Carl wrote:
> >> I've been trying to create a modified FreeBSD 7.0 install CD that will
> >> allow me to do installations entirely via the serial console on a
> >> headless system. Lots of digging on the Internet, reading the handbook,
> >> and I've gotten nowhere fast.
> >
> > Try this:
> >
> > http://jdc.parodius.com/freebsd/pxeboot_serial_install.html
>
> I was already aware of that solution, but it's not for me. There are
> times when I need to do the install and setting up a DHCP server et al
> is not viable. Installing FreeBSD via the network has no benefits for me
> and I will not be trying to install remotely. All I need is to be able
> to do a simple install using the local serial console because a keyboard
> and monitor is not practical in the situation. Can anyone tell me where
> the mistake is in my process?

Look back through the list archives: Martin McCormick and I had a long 
discussion about this about a year ago (I think at least some of it ended up 
on this list).

Here's an extract from one of the messages:

On a system running 6.2-RELEASE, with a 6.2-RELEASE Disc 1 in the CD drive but 
not mounted:

mkdir serialcd

tar xvfC /dev/acd0 serialcd

These two commands created a directory tree in serialcd containing most of the 
contents of the CD. There was a ``tar ignoring out-of-order file'' error, and 
when I mounted the CD and ran

diff -qr  /cdrom serialcd

it reported that RELNOTES.TXT differed - in fact the version in the serialcd 
directory turned out to have zero length. [I suspect you could probably do 
this comparison quicker with mtree, and I never did bother to fix it or find 
out why it was happening]

I edited serialcd/boot/loader.conf to include the line

console="comconsole"

I then ran

mkisofs -J -r -b boot/cdboot -no-emul-boot -o serialcd.iso serialcd

and got an ISO image, serial.iso, which is about 600MB.

The only drawback with this method is that the serial console only cuts in 
just before the boot menu. I suspect that if you wanted to have a serial 
console for every stage of the boot you would need to mess about with the 
ramdisk image on the CD.

HTH
Jonathan


Re: mysql rc script failure - correction: most installed rc scripts not running manually

2008-10-02 Thread Jonathan McKeown
On Thursday 02 October 2008 01:59:18 Da Rock wrote:
> On Wed, 2008-10-01 at 12:53 +0200, Erik Trulsson wrote:
> > On Wed, Oct 01, 2008 at 08:39:47PM +1000, Da Rock wrote:
> > >
> > > So are you saying I can't start a script manually without enabling it
> > > in rc.conf? I was not under that impression... I thought it could be
> > > started manually for testing before setting it for automatic startup-
> > > based on my reading in the handbook and man pages.
> >
> > Yes, you can.  Use forcestart/forcestop instead of start/stop when
> > running the rc script if you do not have it enabled in rc.conf.  This is
> > documented in rc(8) (and is very easily overlooked if you don't know what
> > you are looking for.)
>
> Well thank you both for that piece of information, I had overlooked
> that. I did end up using it that way, but I was still unaware that it
> was mandatory.

The problem with forcestart is that it ignores any errors that may occur. The 
better option for a manual start is onestart, which simply bypasses the test 
for the option being enabled but still fails on any other error (missing 
dependencies, startup problems etc).

Jonathan


Re: root | su

2008-10-25 Thread Jonathan McKeown
On Friday 24 October 2008 23:59, Jos Chrispijn wrote:
> [Jeremy Chadwick said]
> > You're trying to solve a social (possibly personal?) problem with
> > technology.  Simply put, this is a bad idea.
>
> Yep, I think that is .true.
>
> > I would highly recommend you either talk to "the idiot" and explain to
> > him why what he's doing is improper or foolish, or simply pull his root
> > access entirely.  If this is a work-related incident, talk to your boss
> > about it if at all possible (but see below).  If you call the shots,
> > simply yank their access.
>
> The idiot is the boss himself and acts like an unguided missile.
> Just investigating before I give him a wake-up call. And that is exactly
> what I will do...
>
> > Food for thought.  Cheers!
>
> Love it, thanks for sharing (everyone)!

I'm coming to this discussion a bit late, and in general it's true that you 
can't limit root's ability to read files, execute programs, fiddle with 
settings etc. What you can do, which has limited usefulness but might fit 
your specific case, is temporarily prevent root from using su to log in as 
another user without knowing their password.

If you comment out (or remove entirely, which may slow down the other user 
even more, if they're unfamiliar with pam) the line

auth            sufficient      pam_rootok.so           no_warn

in /etc/pam.d/su, root has to meet the same requirements as any other user  
before using su.

Of course there's nothing to stop someone with root access from editing this 
file, but now the problem user has to actively subvert a measure that's been 
taken by another sysadmin - which may provide a better starting-point for a 
conversation about what they're up to.

Jonathan
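
One way to notice when the pam_rootok line discussed above has been put back, as an added example that is not part of the original message: the script classifies a pam.d-style service file by the state of its `auth sufficient pam_rootok` rule. The function names and the sample files are constructed for illustration, and it assumes the one-rule-per-line /etc/pam.d format.

```shell
#!/bin/sh
# Added example: classify the pam_rootok rule in a pam.d-style service file.
# Assumes one rule per line: <facility> <control> <module> [options].

# rootok_state FILE -> prints enabled | commented | absent
#   enabled   : an active "auth sufficient pam_rootok" rule exists
#   commented : the rule is present only behind a '#'
#   absent    : no such rule anywhere in the file
rootok_state() {
    [ -r "$1" ] || return 2
    awk '
        BEGIN { mod = "(^|/)pam_rootok(\\.so(\\.[0-9]+)?)?$" }
        { sub(/^[ \t]+/, "") }              # indentation must not hide a rule
        /^#/ {                              # a rule parked behind a comment mark
            line = $0
            sub(/^#+[ \t]*/, "", line)
            n = split(line, f)
            if (n >= 3 && f[1] == "auth" && f[2] == "sufficient" && f[3] ~ mod)
                commented = 1
            next
        }
        $1 == "auth" && $2 == "sufficient" && $3 ~ mod { active = 1 }
        END {
            if (active)         print "enabled"
            else if (commented) print "commented"
            else                print "absent"
        }
    ' "$1"
}

# audit_su_policy FILE
#   returns 0 if root must authenticate like any other user,
#           1 if the pam_rootok shortcut is active,
#           2 if FILE cannot be read
audit_su_policy() {
    state=$(rootok_state "$1") || { echo "error: cannot read $1" >&2; return 2; }
    case $state in
        enabled)
            echo "ALERT: $1: pam_rootok is active, root can su without a password"
            return 1 ;;
        *)
            echo "ok: $1: pam_rootok is $state"
            return 0 ;;
    esac
}

# Constructed sample files standing in for /etc/pam.d/su in three states.
write_samples() {
    cat > "$1/su.stock" <<'EOF'
# constructed sample: shortcut in force
auth      sufficient  pam_rootok.so  no_warn
auth      include     system
EOF
    cat > "$1/su.hardened" <<'EOF'
# constructed sample: shortcut commented out
#auth     sufficient  pam_rootok.so  no_warn
auth      include     system
EOF
    cat > "$1/su.removed" <<'EOF'
# constructed sample: shortcut deleted
auth      include     system
EOF
}

# With file arguments, audit those files; with none, run the constructed samples.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do audit_su_policy "$f" || rc=1; done
    exit "$rc"
else
    demo_dir=$(mktemp -d) && write_samples "$demo_dir"
    for s in stock hardened removed; do
        audit_su_policy "$demo_dir/su.$s" || true
    done
    rm -rf "$demo_dir"
fi
```

Run from cron or a periodic(8) job against the live file, a non-zero exit is the cue to ask who re-enabled the rule.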


Re: OT: Shell Script using Awk

2008-11-02 Thread Jonathan McKeown
On Sunday 02 November 2008 03:21:55 David Allen wrote:
> My apologies for asking on this list, but I'm stuck without Perl and need
> to use awk to generate a report.
>
> I'm working with a large data set spread across multiple files, but to
> keep things simple, say I have A Very Long String that containing records,
> each delimited by a single space.  I need to print those records in
> columnar format, but with only 7 columns per line:
>
> record1  record2  record3  record4  record5  record6  record7
> record08 record09 record10 record11 record12 record13 record14

Are you dead set on using awk(1)?

Because my first thought would be rs(1).

cat inputfile | rs 0 7

To turn your space-separated entries into 7 columns. You may need some 
fiddling about (to avoid running out of memory, space on the line, etc).

This is one of my top three sadly-neglected BSD commands everyone should know 
more about, along with lam(1) and jot(1).

Jonathan


Broken quoting (was Re: XFCE4)

2008-11-02 Thread Jonathan McKeown
On Monday 03 November 2008 08:38:07 joeb wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> FBSD1 wrote:
> > What port names need to be installed to create a XFCE4 desktop
>
> environment?
>
> > I was looking for a mega port like kde3 has but could not identify one.
> > Thanks in advance.
>
> I'm going to take a random guess: x11-wm/xfce4 ?
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to [EMAIL PROTECTED]
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Eitan Adler
> Sent: Monday, November 03, 2008 12:14 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED] ORG
> Subject: Re: XFCE4
>
> Thank you for your random guess, but research of the ports system seem to
> indicate a whole suite of ports are needed to build a complete working
> environment.
> Waiting for a real user to fill in the details of what combination of ports
> they used to build their XFCE4 desktop.

I don't know whether it's you or your email client, but your quoting is 
hideously broken. Please fix it.


Re: Broken quoting (was Re: XFCE4)

2008-11-03 Thread Jonathan McKeown
On Monday 03 November 2008 16:17:20 Bob McConnell wrote:

[Jonathan to joeb via freebsd-questions]
> > I don't know whether it's you or your email client, but your quoting
> > is hideously broken. Please fix it.
>
> It's his email client. Microsoft Lookout will no longer do standard
> quoting and forces top posting of replies. I am also required to use it
> by our IT department policies and have to manually reformat each message
> I reply to. There used to be an option that could be set to get angle
> bracket quoting, but that disappeared in the update from MS-Office 2000
> to 2003.
>
> The top line, "-Original Message-", is the clue that he is using
> the Microsoft client. That is its standard separator for all replies.
> Yes, it is a major pain. I really do prefer Thunderbird.

I'm used to seeing the original message starting with its headers in the 
Outlook style - that's not what's confusing me here.

joeb, I don't mean to be rude but I find your posts hard to read (and I've 
seen others comment so as well), because instead you somehow end up with the 
original headers AFTER the original message, which is unexpected, and your 
response after that again - looking as though it belongs to the original 
header block.


Re: eps to jpg conversion - which program?

2008-11-08 Thread Jonathan McKeown
On Friday 07 November 2008 21:19, Polytropon wrote:
> On Fri, 07 Nov 2008 13:36:51 +0100, Laszlo Nagy <[EMAIL PROTECTED]> wrote:

> A batch solution is simple:
>
>   #!/bin/sh
>   for f in *eps; do
>   convert ${f} `basename ${f} .eps`.jpg
>   done

You can also save yourself repeated calls to basename by using

for f in *eps; do
    # ${f%.eps} is $f with the trailing .eps removed
    convert "${f}" "${f%.eps}.jpg"
done

Look under parameter expansion in the manpage for sh(1) (or bash(1) if you 
have bash installed). As far as I can tell csh/tcsh doesn't support this 
useful feature.

Essentially, a Bourne-type shell with parameter expansion expands 
${variable#prefix} or ${variable%suffix} to $variable with the prefix or 
suffix, respectively, removed.

Jonathan


Re: recommendation word processer for xfce

2008-11-08 Thread Jonathan McKeown
On Saturday 08 November 2008 13:55, Jerry wrote:
> On Fri, 7 Nov 2008 16:28:00 -0700
>
> Chad Perrin <[EMAIL PROTECTED]> wrote:
> >. . . or, as someone else pointed out, one could just learn to scroll
> >to the end before typing.  It's not that difficult -- even in Outlook.
>
>  works like a charm also. It is amazing what people will
> bitch at. The same people who will spend days attempting to get a video
> card fully functional will find placing the cursor at the end of an
> email message too daunting of a task.

The best response to the issue of Outlook and top-posting I've seen recently 
was on the London Perlmongers mailing list - although I should warn that some 
may find this offensive.


...
...
...
...
...
...
...
...
...
...


"The last I checked, cursor keys worked in Outlook just fine without any
third-party hacks, so there is no reason for top-posting just because the
cursor happens to be there. It's a bit like crapping in your pants because
that's where your arse happens to be." -- Peter Corlett, london.pm

Jonathan


Re: scripting text replacement

2008-11-09 Thread Jonathan McKeown
On Sunday 09 November 2008 00:02:11 Giorgos Keramidas wrote:
> On Sat, 8 Nov 2008 19:43:52 +0100, bsd <[EMAIL PROTECTED]> wrote:
>
> > I have a file containing a list of items like that:
> >
> > line1item1 line1item2 line1item3
> > line2item1 line2item2 line2item3
> > …400 times
> >
> > I need to insert this into another text file using printf() items should
> > be converted into variable looping… like that:
> >
> > printf "Bla bla bla $1 bla bla $2 bla bla $3 bla bla $2"

> A little more detail about the "Bla bla" part may be important in our
> effort to help you effectively.  What you seem to describe above may be
> trivial to do with awk(1):

More detail definitely needed. When you say insert into another text file, do 
you mean you want to create an output file in which each line is identical 
bar the four parameters from the first file (in other words your bla bla bla 
is the same for every input line) (in which case a simple awk '{printf}' will 
meet the need), or are you actually doing a merge of two files where bla bla 
bla represents the text from the next line of the other input file and 
changes from line to line?

Jonathan


Release schedules

2008-11-12 Thread Jonathan McKeown
I've been biting my tongue about this because I'm not sure that I can offer 
any help or useful suggestions, but here goes...

What on earth is going on with release scheduling?

FreeBSD 7.1-RELEASE, according to the scheduling page at www.freebsd.org, 
should have had a Release Candidate published two months ago, on 13 
September. Instead we're still on a Beta - BETA-2, which isn't mentioned in 
the original schedule. The todo list which has appeared on the website in 
previous releases isn't available this time, so I can't even get a feel for 
the likely cause of the holdup.

As I said, I hate to stand on the sidelines and heckle when I'm not doing 
anything to contribute to the release, but the timetable has slipped badly 
and I don't feel I can find information about the reasons or the revised 
timings. What exactly is going on, and is there anything a busy sysadmin, 
poor in time, bandwidth and C skills, can do to help with either the release 
itself or the apparent scheduling/communication issues?

(I've sent this to -questions rather than -stable because it seems to be an 
ongoing problem with the timetabling of releases.)

Jonathan


Re: Release schedules

2008-11-12 Thread Jonathan McKeown
On Wednesday 12 November 2008 14:01:47 Roland Smith wrote:
> On Wed, Nov 12, 2008 at 12:59:24PM +0200, Jonathan McKeown wrote:
> > I've been biting my tongue about this because I'm not sure that I can
> > offer any help or useful suggestions, but here goes...
> >
> > What on earth is going on with release scheduling?
>
> Two words: volunteer project

Oh, I fully understand that, which is why I also asked whether there's 
anything I can do to help, with my meagre abilities and resources. This 
wasn't intended to demean the efforts of the release team at all; it was more 
a plea for better communication when delays start to accumulate.

> I would propose to do away with the release schedule altogether, or make
> it very succinct;
>
>   next release: when it's done.

Yes - but is it not possible to estimate (and as a long-suffering sysadmin, I 
know I'm on shaky ground here after some of the estimated schedules I've 
given my management and my users!) roughly how far off we are? Even the old 
todo list on the website offered some guide.


Re: host based authetication with OpenLDAP and FreeBSD

2008-11-17 Thread Jonathan McKeown
On Friday 14 November 2008 14:32, O. Hartmann wrote:
> Hello,
> I have a OT question and maybe some of the FreeBSD server admins here
> can help me out.
[snip]
> Having nss_ldap and pam_ldap installed on every single FreeBSD
> server/box which is capable of being accessed I found in etc/ldap.conf
> the tags 'pam_filter' and  'pam_check_host_attr'. Setting latter to
> 'yes' implies having the 'host' attribute in each user's object located
> in OpenLDAP's DIT for the specific domain. But objectClass=account seems
> to conflict with objectClass=organizationalPeople which is a must in our
> configuration, so the host attribute is not of any further investigation.

Did you not like the answer I gave you in April when you asked essentially the 
same question?

http://lists.freebsd.org/pipermail/freebsd-questions/2008-April/174152.html

For posterity (again) the extensibleObject auxiliary objectClass was 
introduced for precisely this reason - so that you could add any attribute 
the server knows about to an existing object which otherwise couldn't hold 
it.


Re: php5 Only IE Users can View Pages.

2008-11-17 Thread Jonathan McKeown
On Friday 14 November 2008 19:36, Martin McCormick wrote:
>   I inherited a mrtg application that now is running on a
> FreeBSD6.3 system. Clients report that one can see the php pages
> when using Internet Explorer but not other browsers that should
> display the pages. Those customers see raw code.
>
>   Any suggestion as to what I should be looking for?

Hi Martin

Bear in mind I'm answering off the top of my head, so you may need to do some 
digging.

I have a feeling that Internet Explorer ignores the Content-Type header from 
the server and displays what it thinks you should see. If the server is not 
configured with a MIME type for .php, the default with Apache is to send the 
pages with a MIME type of text/plain.

Internet Explorer will ignore this, interpret the page as HTML and display it, 
whereas almost every other browser will obey the server's instruction and 
therefore display the raw HTML as plain text without any interpretation.

Check whether Apache has an

AddType application/x-httpd-php .php

line or similar in the config file.

Jonathan


Re: ascii text format

2008-11-21 Thread Jonathan McKeown
On Friday 21 November 2008 12:49:16 pwn wrote:
> although this is not a freebsd specific text, i need to format some texts
> under freebsd for they appear in the center of the page when opened in a
> browser, but i don't want to use HTML for format them, i just want to add
> tabulation to my *.txt.
> what software/tool can i use for format my *.txt? there is command on
> VIM like "set textwidth" but this is not suitable for me. any help i
> appreciate.
> i add an example on a temporary host for make sure all understand.
> (i need to format the text for he appear like the example good.txt)
> http://one.xthost.info/temphost/good.txt
> http://one.xthost.info/temphost/bad.txt

You seem to be fighting against your tools rather than working with them - the 
browser will strip out your whitespace and reflow your text anyway unless you 
prevent it somehow ( tags?) so you might be better off just using 
HTML/CSS to control the format.

However, you could look at various tools for processing text, depending 
exactly what you're trying to do: the manpages for fmt, groff, and pr might 
all offer some ideas.

Jonathan


Re: process always running

2008-11-27 Thread Jonathan McKeown
On Thursday 27 November 2008 15:46:58 Dominik Meister wrote:
> Hi
>
> Gian Paolo Buono [Thu, Nov 27, 2008 at 02:05:44PM +0100]:
> > there is a method in freebsd for  restart process whenever it terminates
> > ? I use in linux respawn in inittab...
>
> One possibility that comes to mind is using daemontools [0]. Should be
> in ports but there are probably easier ways to achieve this.

I've never tried it, but according to the manpage for init(8) you can get the 
same effect as a respawn entry in a sysV inittab by putting the command 
in /etc/ttys. Perhaps someone who's done it could comment?

Jonathan


Re: NTP Client synchronization with a Windows 2003/2008

2009-10-14 Thread Jonathan McKeown
On Tuesday 13 October 2009 18:44:57 Jon Radel wrote:
> Jacques Henry wrote:
> > I commented the commands involved and nothing changed... (with only 10
> > minutes of time difference)
>
> The 19 minutes between when I sent my suggestions and you responded is
> hardly enough time to see if ntpd was slewing the time.  Slewing 587
> seconds takes days.
>
> > I even tried to "force" the sync:
> >
> > U450XA0A0800650>nstop ntp
> > U450XA0A0800650>ntpd -x -n -q -c /var/ntp.conf
> > U450XA0A0800650>nstart ntp
>
> Are you sure that -x in there, telling ntpd to not step unless the
> offset is over 600 sec, doesn't override what you're trying to do with
> the -q?  How about you try simple:
>
> ntpdate the_windows_server
>
> and see what that does?  After that look in /var/log/messages.
>
> >  In fact I am still quite convinced that the MS implementation isn't
> > totally compliant with the client...
>
> Could be, but ntpq was showing that your ntpd was accepting time data
> from the Windows server at least on some level.

Alternatively, from the commandline try

ntpd -g -q -c /etc/ntp.conf

The -g flag allows ntpd to set the clock once regardless of the offset and 
the -q causes it to quit after setting the time.

In /etc/rc.conf, all you should need is

ntpd_enable="YES"
ntpd_sync_on_start="YES"

The second option adds -g to the ntpd flags, allowing it to set the clock at 
startup and continue running.

Jonathan


Re: NTP Client synchronization with a Windows 2003/2008

2009-10-14 Thread Jonathan McKeown
On Wednesday 14 October 2009 18:04:41 Jacques Henry wrote:

> > Alternatively, from the commandline try
> >
> > ntpd -g -q -c /etc/ntp.conf
> >
> > The -g flag allows ntpd to set the clock once regardless of the offset
> > and the -q causes it to quit after setting the time.
>
> I tried this command without success...  I can see the NTP packets (client
> and server) but the clock is never set

Are you running with an elevated securelevel?


Re: Why is sendmail is part of the system and not a package?

2009-10-27 Thread Jonathan McKeown
On Monday 26 October 2009 21:29:27 Yuri wrote:
> It's in /usr/sbin/sendmail.
>
> How many people actually use it? Very few.
> Why isn't it moved to ports?

What is this anti-sendmail obsession people have?

Almost everyone I've ever spoken to about why they dislike sendmail trots out 
a bunch of cliches based on sendmail 8.8. People, we're up to sendmail 8.14 
now. Get over it!

Just as a matter of interest, if you want to rip sendmail out of the base 
system, which MTA would you like to replace it with? Or are you suggesting 
the system ship with no way to handle mail?

Jonathan


Re: Merging Related Information from 2 Tables

2009-10-30 Thread Jonathan McKeown
On Thursday 29 October 2009 20:44:12 Martin McCormick wrote:
> Giorgos Keramidas writes:
> > You should use a Perl or Python script, and a hash...
> >
> > If you show us a few sample lines from the input file and how you want
> > the output to look, it shouldn't be too hard to quickly hack one of those
> > together.

The alternative is to use join(1).

>   A records look like:
>
> hydrogen.cis.osu. 43200   IN  A   192.168.2.123
>
> Text or TXT records look similar [...]
>
> hydrogen.cis.osu. 5   IN  TXT "cordell-north,009,192.168.2.123"

This will work well since the default join field is the first field in the 
line.

Jonathan
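
An added example, not part of the original post: the join(1) approach applied to records shaped like the two quoted above. The function name merge_records and all sample lines other than the hydrogen.cis.osu. entries are constructed; it assumes the TXT data contains no blanks, since join splits fields on whitespace.

```shell
#!/bin/sh
# Added example: merge A and TXT records on the host name with join(1).
# join needs both inputs sorted on the join field under the same collation,
# so both files are sorted under LC_ALL=C first.
#
# Output per host: name, address, TXT data ("-" when there is no TXT record).
merge_records() {
    work=$(mktemp -d) || return 1
    LC_ALL=C sort -k1,1 "$1" > "$work/a.sorted"
    LC_ALL=C sort -k1,1 "$2" > "$work/txt.sorted"
    # -a 1  keep A records that have no TXT partner
    # -e -  fill the missing TXT field with "-"
    # -o    print the join field, then field 5 of each file
    LC_ALL=C join -a 1 -e '-' -o 0,1.5,2.5 "$work/a.sorted" "$work/txt.sorted"
    status=$?
    rm -rf "$work"
    return "$status"
}

# Constructed sample zone data, deliberately unsorted.
DNS_SAMPLES=$(mktemp -d) || exit 1
trap 'rm -rf "$DNS_SAMPLES"' EXIT

cat > "$DNS_SAMPLES/a.txt" <<'EOF'
oxygen.cis.osu. 43200   IN  A   192.168.2.125
hydrogen.cis.osu. 43200   IN  A   192.168.2.123
helium.cis.osu. 43200   IN  A   192.168.2.124
EOF

cat > "$DNS_SAMPLES/txt.txt" <<'EOF'
oxygen.cis.osu. 5   IN  TXT "cordell-south,012,192.168.2.125"
hydrogen.cis.osu. 5   IN  TXT "cordell-north,009,192.168.2.123"
EOF

merge_records "$DNS_SAMPLES/a.txt" "$DNS_SAMPLES/txt.txt"
```

Unsorted input is the usual reason join silently drops matches, which is why the function sorts both files itself.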


Re: Why is sendmail is part of the system and not a package?

2009-10-30 Thread Jonathan McKeown
On Thursday 29 October 2009 21:58:54 Lars Eighner wrote:
> On Thu, 29 Oct 2009, Ruben de Groot wrote:
> > sendmail is NOT a legacy application. It's actively being developed
> > ON FreeBSD. Actually, the maintainer(s) are doing a great job
>
> Bullshit.
>
> Why does sendmail call up the internet during boot?  If it needs to know
> who it is, why can't it look in hosts?  Since it cannot be trusted to send
> mail, what does it need to know from the internet?  It has been horribly
> broken for the 15 years or so that I have run FBSD, and this m4 stuff is a
> pile of crap.  There is no documentation whatsoever.  Unless you buy a book
> from O'Reilly and line the pockets of the "maintainer(s)."  Why can't it be
> a option to configure the system without it?  Not any money in that, is
> there?

This is exactly the sort of ill-informed religious rant that always comes up 
when sendmail is discussed, and makes me wonder why some people are so 
vehemently anti-sendmail that they feel the need to say things which are only 
marginally true if that.

My laptop boots quite happily without an Internet connection, so it's simply 
not true to say that sendmail always calls the Internet during boot.

Have a look at /usr/share/sendmail/cf/README, and 
at /usr/src/contrib/sendmail/doc/op (where you can make the sendmail 
operations guide in a variety of formats including pdf) and you'll realise 
that your claim that there's no documentation is also flat-out false. I've 
got the Bat book (in fact I've got *looks at bookshelf* the 2nd and 3rd 
editions). I almost never look at them any more because I can find what I 
need in the documentation provided with sendmail.

No-one is asking you to use sendmail, or even to like it, but please don't lie 
about it; and if you don't want sendmail in the base system, do as several 
people have suggested, pull your finger out and do the work to fix it.

Jonathan
(Just in case, I should probably point out explicitly that, as usual, I don't 
speak for my employer: this is an entirely personal opinion).


Re: [] confession...

2009-11-23 Thread Jonathan McKeown
On Tuesday 24 November 2009 09:15:43 Gary Kline wrote:
>   it's time to come clean and admit that i have never taken
>   advantage of the option that lets you press [???], then press
>   other keys in order so the result is like pressing multiple
>   keys at once.
>
>   i have never made a big deal over having but one useful hand
>   simply because in my line as a hacker, one hand was enough.
>   programming at 95mph was never the goal.  everybody on this
>   list has learned that forethought and planning beat typing
>   speed!  ---still, when my shoulder began to dislocate in 1999,
>   typing the number-shift keys [like '*', '&', '^', and the rest]
>   became harder [*].  i'm ready to set up the multi-key stuff that's
>   built in to at least KDE.
>
>   appreciate a  pointer to a url or tutorial on this...  and/or
>   to know what this feature is even called.  it's time to get
>   practical.  i am stubborn, just not particularly stupid.  maybe
>   "slow" :_)

If you're using KDE3.5, look for Regional and Accessibility|accessibility 
under the Control Centre.

There are two options, and I think the one you need is called sticky-keys, 
which makes the modifier keys (shift, alt, ctrl) ``stay pressed'' until you 
press another key. In other words, you can type the old three-fingered salute 
by pressing and releasing ctrl, pressing and releasing alt, and then pressing 
and releasing del.

There's also an option called ``lock sticky keys''. If you choose this, the 
sequence of separate press-releases:

shift a b

results in Ab (the shift only applies to the next key pressed)

whereas the sequence

shift shift a b c shift d

results in ABCd (double-shift locks shift key on until it's pressed again).

(The other options, slow keys and bounce keys, apply if muscle control is 
impaired and cause a key to have to be held for a set time before it 
registers, and released for a certain time before registering a second 
key-press).

Jonathan


Re: upgraded to 8, no mouse is broken

2009-12-11 Thread Jonathan McKeown
On Friday 11 December 2009 08:17:06 Polytropon wrote:
> On Thu, 10 Dec 2009 21:38:04 -0700 (MST), Warren Block wrote:
> > Please
> > see the Handbook section on X11 configuration instead:
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x-config.html
>
> Just a side question: 5.4.2 Note 2 § 5 states:
>
>   You will have to reboot your machine to force
>   hald to read this file.
>
> which refers to /usr/local/etc/hal/fdi/policy/x11-input.fdi
> that re-enables Ctrl+Alt+Backspace to kill X.
>
> Is it really, really needed to reboot the machine? Can't
> HAL just be restarted? I always thought "reboot to make
> a minor setting work" was the domain of "Windows"...

At the risk of me-tooing, I also wondered about this.

It seems insane to have to restart the OS and hardware to reread a config 
file.


Re: 8.0: OpenSSL stat()'s NLS 500+ times causing extreme system load

2009-12-16 Thread Jonathan McKeown
On Tuesday 15 December 2009 23:24:16 Linda Messerschmidt wrote:
> On Tue, Dec 15, 2009 at 12:53 PM, Dan Nelson wrote:
> > It's defined in src/lib/libc/Makefile, so you should be able to remove
> > that line, rebuild libc and reinstall, and see whether your performance
> > issue goes away.
>
> I tried that and as you predicted, all the bogus stat calls went away.
>
> Unfortunately the performance issue did not. :(  Back to the drawing
> board for me!
>
> Upon further inspection, it seems as though for each check, Nagios
> spawns a process that spawns a process that spawns a process that runs
> the check.  I did "ktrace -i -t w -p (nagiospid)" on Nagios for 30
> seconds and the ktrace output contained records from 2365 different
> processes spawned in that 30 seconds.  During that time, I would
> expect about 800 checks to have run, so it does seem like it's right
> at 3 processes per check.
>
> I just don't think the system can keep up with all that fork()ing
> without going all out; it's just a limit of the Nagios plugin
> architecture.

You've probably already spotted this, but this behaviour is documented in 
largeinstallationtweaks.html:

``Normally Nagios will fork() twice when it executes host and service checks. 
This is done to (1) ensure a high level of resistance against plugins that go 
awry and segfault and (2) make the OS deal with cleaning up the grandchild 
process once it exits. The extra fork() is not really necessary, so it is 
skipped when you enable this option. As a result, Nagios will itself clean up 
child processes that exit (instead of leaving that job to the OS). This 
feature should result in significant load savings on your Nagios 
installation.''

It can also be enabled separately in nagios's main config file - 
child_processes_fork_twice is the option to look for.

Jonathan


Re: black hole test

2009-12-16 Thread Jonathan McKeown
On Wednesday 16 December 2009 22:05:06 Peter Wemm wrote:
> Diagnostic message to trace mailing list processing, please ignore.

You have heard of freebsd-test@ , haven't you?


Re: Using Install CD To Prepare Hard Disk

2008-03-14 Thread Jonathan McKeown
On Friday 14 March 2008 00:49, Tim Daneliuk wrote:
> Chuck Swiger wrote:
> > On Mar 13, 2008, at 3:28 PM, Tim Daneliuk wrote:
> >> I would like to use the CD install menus to only prepare the hard
> >> disk (Partition, Label, Format) without actually installing anything on
> >> the drive.  Can this be done?
> >
> > There should be a "(W)rite" option on the various pages which let you at
> > least partition the drive without installing the software.
>
> Yup that was the magic - I missed it entirely.  The option appears
> in the label editor menu...
>
> Thanks!

From memory, isn't it also possible to do this by going into the Configuration 
menu rather than entering the Standard installation?

Jonathan


Re: List replies

2008-03-21 Thread Jonathan McKeown
On Saturday 22 March 2008 06:33, Da Rock wrote:
> On Fri, 2008-03-21 at 22:38 -0500, Paul Schmehl wrote:
> > --On March 22, 2008 1:10:40 PM +1000 Da Rock
> >
> > <[EMAIL PROTECTED]> wrote:
> > > On Sat, 2008-03-22 at 02:58 +0100, Erik Trulsson wrote:
> > >> On Sat, Mar 22, 2008 at 10:35:57AM +1000, Da Rock wrote:
> > >> > This may have been suggested or discussed before, but is there a
> > >> > reason why the reply-to on this list isn't the list itself instead
> > >> > of the person who posted? Ie reply-to: freebsd-questions@freebsd.org
> > >>
> > >> Because many people who ask questions here are not subscribed to the
> > >> list and thus would not see any answers that were sent only to the
> > >> list.
> > >
> > > Well that certainly explains it, but it does surprise me. I thought
> > > you'd have to subscribe to post.
> >
> > And *I* thought it was proper etiquette to only reply to the list.
>
> Me too.

This discussion takes place regularly on every mailing list in existence. The 
main arguments against it seem to be that a) it might trash an existing 
reply-to header and make it impossible to send an individual reply; b) in the 
event of user error it fails safely - list reply ends up going to an 
individual - rather than the potentially catastrophic 
private-reply-to-publically-archived-mailing-list failure. Google for 
reply-to munging considered harmful for more argument on both sides.

As regards copying the original recipients, this list specifically requests 
it: check the regular posting titled ``how to get best results from 
freebsd-questions'', particularly para VII.6.

Jonathan


Re: freebsd

2008-03-30 Thread Jonathan McKeown
On Sunday 30 March 2008 14:25, computer tech wrote:
> Secondly I am currently doing my systems page on my website and currently
> doing network based systems and the operating system would be FreeBSD and a
> few other distributions of linux

This is the second time I've seen this misunderstanding (FreeBSD and other 
distributions of Linux) on this list in a matter of hours.

FreeBSD is not a distribution of Linux: it's a separate operating system, 
descended from one of the branches of Unix - the OS, originally from Bell 
Labs, which has sired many others and inspired many more, including Linux.

There is a lot more to Unix and Unix-like operating systems - even just the 
freely-available ones - than only Linux.

Jonathan


Re: building a distribution server

2008-04-05 Thread Jonathan McKeown
On Saturday 05 April 2008 04:23, Steel City Phantom wrote:
> i have about 10 production servers that i want to upgrade to bsd 7 and
> update all their ports in one shot.  the problem is the down time.  im
> wrapping up upgrading a 6.3 to 7 and its taken over 7 hours so far.  thats
> way too long for our machines to be down.

> the biggest slow down is the downloading of files.  just sitting watching
> things i would say 70% of the time is downloading files.  is there a way
> where i can build a distribution server that has everything i could
> possibly need to upgrade a machine from any 6.x to 7.0 and redo all the
> ports on that machine and have a cron job keep everything up to date on
> that server and when i upgrade a new machine, it simply goes to my internal
> distribution server to get the files.

I have a fast machine which has the source and ports trees on it. It also has 
the kernel configurations for all the machines I use (GENERIC, SMP, and two 
others, IPFWD for a firewall which does IP forwarding and SERIAL for a box 
which has a multiport serial card in it).

That box doesn't do anything else.

In its /etc/make.conf is the line

KERNCONF=GENERIC SMP IPFWD SERIAL

which has the effect of building all four kernels but installing the 
first-mentioned. Other boxes have their KERNCONF set in make.conf and only 
need to make installkernel after the build box has finished to get the 
appropriate one.

It also has a full ports tree and I have created the directory
/usr/ports/packages (it gets messy if you don't).

All the other boxes mount /usr/src, /usr/obj and /usr/ports over NFS. They all 
use portupgrade which is configured to use /usr/bin/false to fetch packages 
instead of /usr/bin/fetch. They are also configured to build ports locally 
but store distfiles and packages on the NFS server.

When I build and install a port, I use

portupgrade -NRPp

which upgrades ports, installing if necessary and building requirements as 
well (-N -R). It checks for a package in /usr/ports/packages (-P); if it 
can't find it it checks the 'Net using /usr/bin/false (which of course fails 
immediately) and then builds from source, creating a package at the end (-p).

This means each port gets downloaded once, and then built once if it can be 
packaged - but it also deals with ports that can't be packaged, like 
sysutils/screen.

By not using -P you can also build the port separately with different options 
on different machines.

Jonathan


Re: [7.0] Openldap client

2008-04-11 Thread Jonathan McKeown
On Friday 11 April 2008 16:03, Konrad Heuer wrote:
> On Fri, 11 Apr 2008, [EMAIL PROTECTED] wrote:
>
> > fetch: http://www.padl.com/download/nss_ldap-257.tar.gz: size mismatch:
> > expected 229242, actual   229299
> >
> > Anyone, can tell me, how to install openldap client on Freebsd 7-Stable ?
>
> I do not know why /usr/ports/net/nss_ldap/distinfo contains a different
> file size (and probably inappropriate checksums), but you can just edit
> /usr/ports/net/nss_ldap/distinfo and put in what you find (start with size
> only, later by using md5 and sha256 utilities in /sbin to calculate
> checksums after the file has been fetched /usr/ports/distfiles).

Check  - the most recent checkin 
message (2007-12-16) states that the original author rerolled the distfile 
without making any changes.

There are at least a couple of ports where distributors sometimes repackage 
the source tarball and don't bother to change the version number because they 
haven't changed anything else. You can either choose to ignore, or manually 
change, the filesize and checksum, or just bring the ports tree up to date 
and try again.

Jonathan
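
The comparison behind the fetch error quoted above, as an added example (not the ports framework's own code and not part of the original messages): it checks a downloaded file against the SIZE and SHA256 lines of a distinfo file and reports which one disagrees. The `KEY (file) = value` layout is the distinfo format; the file name, file contents and function names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration. The distfile name and its contents are constructed.

# sha256_of FILE: hex SHA-256 digest from whichever tool is installed
# (sha256sum on GNU systems, sha256 on FreeBSD, openssl as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# size_of FILE: size in bytes.
size_of() { wc -c < "$1" | tr -d ' '; }

# distinfo_field DISTINFO KEY NAME: value recorded on "KEY (NAME) = value".
distinfo_field() {
    awk -v key="$2" -v name="($3)" \
        '$1 == key && $2 == name && $3 == "=" { print $4; exit }' "$1"
}

# write_distinfo DISTINFO FILE: record FILE's current digest and size.
write_distinfo() {
    n=$(basename "$2")
    {
        printf 'SHA256 (%s) = %s\n' "$n" "$(sha256_of "$2")"
        printf 'SIZE (%s) = %s\n' "$n" "$(size_of "$2")"
    } > "$1"
}

# check_distfile DISTINFO FILE: prints one of
#   ok | not-listed | missing-file | size-mismatch expected=N actual=M |
#   sha256-mismatch
# and returns non-zero for everything except "ok". Size is compared first,
# as in the fetch message, so a same-size change still reaches the digest.
check_distfile() {
    name=$(basename "$2")
    want_size=$(distinfo_field "$1" SIZE "$name")
    want_sha=$(distinfo_field "$1" SHA256 "$name")
    if [ -z "$want_size" ] || [ -z "$want_sha" ]; then
        echo not-listed; return 1
    fi
    [ -f "$2" ] || { echo missing-file; return 1; }
    have_size=$(size_of "$2")
    if [ "$have_size" != "$want_size" ]; then
        echo "size-mismatch expected=$want_size actual=$have_size"; return 1
    fi
    if [ "$(sha256_of "$2")" != "$want_sha" ]; then
        echo sha256-mismatch; return 1
    fi
    echo ok
}

# Constructed run: record a file, then simulate a re-rolled distfile.
work=$(mktemp -d)
printf 'constructed tarball bytes\n' > "$work/example-1.0.tar.gz"
write_distinfo "$work/distinfo" "$work/example-1.0.tar.gz"
echo "as recorded: $(check_distfile "$work/distinfo" "$work/example-1.0.tar.gz")"
printf 'extra' >> "$work/example-1.0.tar.gz"
echo "re-rolled:   $(check_distfile "$work/distinfo" "$work/example-1.0.tar.gz")"
rm -rf "$work"
```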


Re: useradd & adduser

2008-04-17 Thread Jonathan McKeown
On Thursday 17 April 2008 08:35, Ruel Luchavez wrote:
> Hello,
>
> I keep on thinking guys what is the difference between useradd & adduser
> command?

Ruel

You really need to start reading the documentation. FreeBSD is about the best 
documented operating system and environment there is, and the Handbook will 
tell you just about everything you need to know.

If you keep coming to freebsd-questions and expecting to be spoon-fed answers 
you've obviously made no effort to look for, people will start to lose 
patience.

The main difference between useradd and adduser is that useradd doesn't exist 
(at least, not on any of the FreeBSD boxes I'm running which range from 4.9 
(hideous legacy cruft) to 6.3).

Jonathan


Re: pw create home dir issue

2008-04-22 Thread Jonathan McKeown
On Tuesday 22 April 2008 12:54, Unga wrote:
> --- Peter Boosten <[EMAIL PROTECTED]> wrote:
> >
> > I use [pw] without the slash:
> >
> > adduser -d /home -q -s /usr/local/bin/rzsh
> >
> > Works like charm
>
> There is no keyword adduser to the pw(8) :)

From the manpage:

 The first one or two keywords provided to pw on the command line provide
 the context for the remainder of the arguments.  The keywords user and
 group may be combined with add, del, mod, show, or next in any order.
 (For example, showuser, usershow, show user, and user show all mean the
 same thing.)  This flexibility is useful for interactive scripts calling
 pw for user and group database manipulation. 

Please verify that what you're saying is right before posting: people rely on 
this list.

Jonathan


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-30 Thread Jonathan McKeown
On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
> O. Hartmann wrote:
> > Jonathan Chen wrote:
> >> On Tue, Apr 29, 2008 at 10:07:44AM +, O. Hartmann wrote:
> >>> Hello out there,
> >>> my question may sound a bit weird, but the situation is as follows:
> >>>
> >>> I use OpenLDAP 2.4 for authentication purposes within our lab's net
> >>> and every user's account is of the objectclass 'posixAccount'. As we
> >>> know, this class does not contain the attribute 'host', which belongs
> >>> to structural class 'account' and both posixAccount and account are
> >>> of type structural and therefore can not be mixed.
> >>
> >> Is there really such a rule?

It's true that an object can only belong to one structural class (although it 
can belong to many auxiliary classes).

I use the auxiliary class extensibleObject, which allows you to add any 
attribute to an LDAP object. My user accounts have three object classes: 
inetOrgPerson (the structural class), posixAccount and extensibleObject. The 
rules for the first two are still enforced, but I am able to add the Host: 
attribute.

Jonathan


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-30 Thread Jonathan McKeown
On Wednesday 30 April 2008 16:43, David Robillard wrote:
> > On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
>
> [ --- 8< --- SNIP! --- 8< --- ]
>
> > It's true that an object can only belong to one structural class
> > (although it can belong to many auxiliary classes).
> >
> > I use the auxiliary class extensibleObject, which allows you to add any
> > attribute to an LDAP object. My user accounts have three object classes:
> > inetOrgPerson (the structural class), posixAccount and extensibleObject.
> > The rules for the first two are still enforced, but I am able to add the
> > Host: attribute.
> >
> > Jonathan
>
> That sounds very interesting Jonathan. Could you please share with us
> the complete LDIF data used to create such a user?

This is live from my LDAP server:

# jfm, group, hst.org.za
dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
objectClass: posixGroup
gidNumber: 1001
cn: jfm

# jfm, people, hst.org.za
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: McKeown
cn: Jonathan McKeown
uidNumber: 1001
gidNumber: 1001
mail: [EMAIL PROTECTED]
loginShell: /usr/local/bin/bash
host: charlotte.hst.org.za
host: clare.hst.org.za
uid: jfm
homeDirectory: /home/jfm

There is, of course, also a userPassword attribute in the user account. (You 
didn't expect me to show you that, did you?!)

Using posixGroup, the attribute for adding additional members to a group is 
memberUid.

There's a bit more to getting this all working: configuring slapd.conf with 
appropriate schemas, installing and configuring pam_ldap and nss_ldap, and 
setting up PAM correctly. I can go into excruciating detail if you like...

My only irritation is that although passwd(1) in 6.3 has the code within it to 
allow it to be controlled by PAM, it's all currently diked out, so that you 
can't use passwd(1) transparently with LDAP users. (As far as I know this 
hasn't changed in 7.0).

inetOrgPerson gives you a huge number of optional fields for other 
information, up to and including a JPEG photo. It inherits from 
organizationalPerson which inherits from person, so you need to combine all 
three sets of attributes to get the complete spec for inetOrgPerson (note the 
only MUST attributes are sn and cn from person):

NAME 'inetOrgPerson'
DESC 'RFC2798: Internet Organizational Person'
SUP organizationalPerson
STRUCTURAL
MAY (   audio $ businessCategory $ carLicense $ departmentNumber $
displayName $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $
labeledURI $ mail $ manager $ mobile $ o $ pager $
photo $ roomNumber $ secretary $ uid $ userCertificate $
x500uniqueIdentifier $ preferredLanguage $
userSMIMECertificate $ userPKCS12 )

NAME 'organizationalPerson'
DESC 'RFC2256: an organizational person'
SUP person
STRUCTURAL
MAY (   title $ x121Address $ registeredAddress $
destinationIndicator $
preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $
internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l )

NAME 'person'
DESC 'RFC2256: a person'
SUP top STRUCTURAL
MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description )

We're hardly using any of these, but it seemed to make more sense to build it 
in, in case.

Jonathan


Re: Question about a recent installation

2008-05-05 Thread Jonathan McKeown
On Tuesday 06 May 2008 00:08, Mario Vazquez wrote:
> I have been using different Linux distributions for some years, and decided
> to give FreeBSD a try.  The install was successful, but have a question
> about how the root account is made.  Found that the root folder was created
> with the user/group privileges root:wheel.  Is not that a kind of security
> risk?  I know that usually only the account used by the administrator is
> the one, in addition to root, that belongs to the wheel group.  But also I
> know that sometimes admins get lazy and give for limited time extra
> privileges just to allow someone to do something, and that's where the
> danger can come.  Btw, that's just my opinion.

Not sure why it would be a security risk. wheel is the group for people who 
are allowed to su to root, so you should probably expect members of group 
wheel to have (or be able to get) root privs anyway.

I'm not sure whether by ``root folder'' you mean / or /root , but in either 
case the wheel group doesn't have write access, at least on my system, and 
root's umask is 022, so created files aren't writable by members of wheel 
either.

Lazy admins, of course, are a security risk. No-one should ever be given more 
privileges than they need, and as others have pointed out, sudo is a good 
answer to this problem. (In fact the first four ports that go on every box I 
set up, before I even think about what the box is for, are www/lynx, 
sysutils/screen, ports-mgmt/portupgrade and security/sudo ).

Jonathan


Re: chmod operation on directories / files

2008-05-07 Thread Jonathan McKeown
On Wednesday 07 May 2008 13:56, Zbigniew Szalbot wrote:

> How do I chmod separately files and directories?
>
> If I use chmod -R 644 then it will go through all the subdirectories
> assigning everything 644 permissions, directories including.

Use the symbolic form for permissions and use X, which is true if any of the 
execute bits is currently set, or if the argument is a directory.

chmod -R =r,u+w,+X .

(set read for all, add user write, add all execute bits if required) should 
give you 644 on files, 755 on directories and executables.

Jonathan


Re: slapd won't start with nss_ldap.conf

2008-05-09 Thread Jonathan McKeown
On Friday 09 May 2008 14:36, Robert Fitzpatrick wrote:
> On a FreeBSD 6.1 with openldap-server-2.3.39, I have setup nss_ldap and
> pam_ldap, but cannot get slapd to start as long as I have nss_ldap.conf
> present, it just hangs and nothing in the messages or debug logs. I just
> copied ldap.conf to nss_ldap.conf, see contents below.

To try and identify the problem, can I ask - when you say slapd doesn't start, 
how long have you waited?

There is a chicken-and-egg problem with slapd on a host which is running 
nss_ldap. To start a process, the system has to adopt the user and group 
privileges of the process owner, which means enumerating all the groups for 
that user from every source of group information - including LDAP on a system 
running nss_ldap.

So, to start slapd, the system needs the group info for user ldap - from 
slapd. It times out and retries a few times, and eventually starts slapd 
using the group information from /etc/passwd and /etc/group, but the timeout 
and retry options by default take several minutes.

The delay can be even longer depending how many other services are being 
started first and therefore how many nss_ldap lookup timeouts occur during 
boot.

There are a number of possible solutions depending which version of nss_ldap 
you're running - searching for nss_ldap bind_policy nss_reconnect_tries will 
produce a number of suggestions and ``problem reports''.

Jonathan


Re: slapd won't start with nss_ldap.conf

2008-05-09 Thread Jonathan McKeown
On Friday 09 May 2008 23:09, Robert Fitzpatrick wrote:
> On Fri, 2008-05-09 at 22:44 +0200, Jonathan McKeown wrote:
> > On Friday 09 May 2008 14:36, Robert Fitzpatrick wrote:
> > > On a FreeBSD 6.1 with openldap-server-2.3.39, I have setup nss_ldap and
> > > pam_ldap, but cannot get slapd to start as long as I have nss_ldap.conf
> > > present, it just hangs and nothing in the messages or debug logs. I
> > > just copied ldap.conf to nss_ldap.conf, see contents below.
> >
> > So, to start slapd, the system needs the group info for user ldap - from
> > slapd. It times out and retries a few times, and eventually starts slapd
> > using the group information from /etc/passwd and /etc/group, but the
> > timeout and retry options by default take several minutes.
>
> Seems my core problem is something wrong with the openldap setup on that
> box. I had taken the slave ldap server up to 2.3.41 and it was not
> having this slapd/nss_ldap startup problem. I don't know if it is bad
> with a syncrepl slave earlier version than the master, but I just didn't
> want to mess with the master until it proved OK and all seems perfectly
> great on the slave except my boot order issue

It depends what else you upgraded while changing the openldap server. Earlier 
versions of nss_ldap had much shorter timeouts, I believe, which means the 
problem only manifested itself after a certain version of nss_ldap.

> Thanks for the response, and yes, the openldap list owner finally
> rejected my message and gave me the pointer to start slapd with the
> owner and group by id instead of name. After reading the start script to
> get the owner and group by id in the rc.conf file, I am now starting the
> process in that way. While doing that I realize that I can handle boot
> order by name of the file and gave it a prefix of 001.

Errr, not sure what you're talking about here: man rcorder will tell you the 
normal way to control startup order on a recent FreeBSD. I think you'd have 
to be doing something rather unusual to force the old behaviour you seem to 
be talking about... As far as starting up with a numeric id rather than a 
user name, I'm not sure that will stop the lookup of group information which 
is actually causing the problem.

Good luck.

Jonathan


Ports best practice (was Re: Imagemagick port seems broken....)

2008-05-13 Thread Jonathan McKeown
On Tuesday 13 May 2008 01:04, Johan Dowdy wrote:
> Just as a best practice you might want to consider running a weekly cvsup
> out of cron.

I'm not sure I'd call this best practice in all cases, having taken over a 
network where every server OS install, and every port, used whatever had been 
the latest and greatest that day (at one stage I think I was running every 
release from 4.8 to 6.0, plus a couple of boxes running given snapshots of 
-STABLE).

I can do without the irritation of having to check, every time I log in to a 
different machine, whether the command I'm about to run or the config file 
I'm about to edit supports the option I'm hoping to use.

I now have most of the servers running the same OS release, and running the 
same version of each port, all installed from a central build server with 
locally-built packages where possible.

When something needs to be upgraded, we follow a documented procedure to make 
sure that there are no problems or regressions and that everything stays more 
or less in step.

Yes, it means our ports tree is often three months or so out of date. You'd be 
surprised how seldom that causes a problem. You'd be astonished how much 
easier it makes my life knowing every setup is the same.

Jonathan


Re: Unexpected behavior from read and cat

2008-05-13 Thread Jonathan McKeown
On Monday 12 May 2008 20:59, Paul Schmehl wrote:
> I created a small list of IPs that I wanted to do digs on (because I'm lazy
> and don't want to do them one at a time.)
[snip]
> WTF?  Why do these utilities, which usually read all the lines in a file
> now only work once when run through dig?  Is there a way to feed dig a list
> of IPs and have it return each and every one of them?
>
> I tried dig +short -x -f iplist, but that returns nothing at all.
>
> Sure, I can edit the file and prepend +short -x to each line, but by then I
> might as well just do them individually.
>
> What am I missing?

The comedy solution:

lam -s '-x ' trydata | xargs dig +short

Any other ways to do this?

Jonathan


Re: Unexpected behavior from read and cat

2008-05-13 Thread Jonathan McKeown
On Tuesday 13 May 2008 18:23, Jonathan McKeown wrote:
>
> The comedy solution:
>
> lam -s '-x ' trydata | xargs dig +short

and of course I meant iplist, not trydata: this was a cut'n'paste, and trydata 
is my scratch test data filename (often providing input to a script called 
try. Why isn't it called testdata?)

J


Re: Unexpected behavior from read and cat

2008-05-13 Thread Jonathan McKeown
[respecting Time's arrow]

On Tuesday 13 May 2008 20:55, Johan Dowdy wrote:
>
> On 5/12/08 1:55 PM, "RW" <[EMAIL PROTECTED]> wrote:
> >
> > cat iplist | xargs -n1 dig +short -x
>
> I think this one wins for brevity.

It can be made shorter:



Re: Now what would you expect this to print out?

2008-05-19 Thread Jonathan McKeown
On Monday 19 May 2008 11:46, Jonathan Chen wrote:
> On Mon, May 19, 2008 at 01:49:35AM -0700, Garrett Cooper wrote:
> > Riddle for the day for folks that have source trees... what would you
> > expect this to print out (ask yourself the question and then execute the
> > command)?
> >
> >  find /usr/src -name Makefile -or -name '*.mk' -print
> >
> > The expected output and what actual output differed in my mind, but maybe
> > somebody else can "shed some light" on the logic behind what happened
>
> It's a problem that catches many young players with find(1). One has
> to remember from reading the man-page that all directives have an
> implicit AND operator on it; and that includes the "-print" directive.
> So to get what you want, you have to introduce brackets:
>
> find /usr/src \( -name Makefile -or -name '*.mk' \) -print

Or, slightly bizarrely, just leave the -print off altogether - as the manpage 
says,

If none of -exec, -ls, -print0, or -ok is specified, the given
expression shall be effectively replaced by ( given expression ) -print.

[Note the parens around given expression]

I forget where I saw this quote first, but the last five words always make me 
think of the find command:

Real Programmers consider "what you see is what you get" to be just as
bad a concept in Text Editors as it is in women. No, the Real Programmer
wants a "you asked for it, you got it" text editor - complicated, cryptic,
powerful, unforgiving, dangerous.

Jonathan


Re: Now what would you expect this to print out?

2008-05-20 Thread Jonathan McKeown
On Tuesday 20 May 2008 02:41, RW wrote:
> On Mon, 19 May 2008 21:46:03 +1200
>
> Jonathan Chen <[EMAIL PROTECTED]> wrote:
> > On Mon, May 19, 2008 at 01:49:35AM -0700, Garrett Cooper wrote:
> > > Riddle for the day for folks that have source trees... what would
> > > you expect this to print out (ask yourself the question and then
> > > execute the command)?
> > >
> > >  find /usr/src -name Makefile -or -name '*.mk' -print
> > >
> > > The expected output and what actual output differed in my mind, but
> > > maybe somebody else can "shed some light" on the logic behind what
> > > happened
> >
> > It's a problem that catches many young players with find(1). One has
> > to remember from reading the man-page that all directives have an
> > implicit AND operator on it; and that includes the "-print" directive.
> > So to get what you want, you have to introduce brackets:
> >
> > find /usr/src \( -name Makefile -or -name '*.mk' \) -print
>
> Why does that make a difference, when print always evaluates to true?
>
> x AND true   =   x
>
> so
>
> (a OR b) AND true   =   a OR b
>  a OR (b AND true)  =   a OR b

It makes a difference (as in programming) because -print is used for its 
side-effect rather than its value, and the binding order influences when the 
side-effect happens.

Jonathan


Re: Now what would you expect this to print out?

2008-05-21 Thread Jonathan McKeown
On Tuesday 20 May 2008 16:44, RW wrote:
> On Tue, 20 May 2008 11:33:50 +0200
>
> Jonathan McKeown <[EMAIL PROTECTED]> wrote:
> > On Tuesday 20 May 2008 02:41, RW wrote:
> > > On Mon, 19 May 2008 21:46:03 +1200
> > >
> > > Jonathan Chen <[EMAIL PROTECTED]> wrote:
> > > > find /usr/src \( -name Makefile -or -name '*.mk' \) -print
> > >
> > > Why does that make a difference, when print always evaluates to
> > > true?
> > >
> > > x AND true   =   x
> > >
> > > so
> > >
> > > (a OR b) AND true   =   a OR b
> > >  a OR (b AND true)  =   a OR b
> >
> > It makes a difference (as in programming) because -print is used for
> > its side-effect rather than its value, and the binding order
> > influences when the side-effect happens.
>
> That's still a bit counter-intuitive because in normal programming
> languages the binding order modifies side-effects via the evaluation
> order. And in both cases the evaluation order would be expected to be
> left-to-right, with -print running last.

Yes. I'm actually talking rubbish. find evaluates its argument expression 
left-to-right, and the ``precedence'' actually applies to term grouping 
rather than evaluation order. (This does affect the outcome, but not in the 
way I glibly said it did).

What I should have said is that like a lot of programming languages, find is 
lazy when it comes to Boolean expressions: when it gets a TRUE in an -or or a 
FALSE in an -and, the value of the whole expression must be TRUE or FALSE 
respectively, regardless of what the remaining terms are, so why bother 
evaluating them? (It's usually referred to as short-circuiting).

> I guess what you are saying is that the side-effect of print is based-on
> a Boolean "running-value". And without the brackets, the first test  has
> been evaluated, but not yet ORed into that "running-value", by the time
> that print runs.

That's not quite how it works. Rewriting

find /usr/src -name Makefile -or -name '*.mk' -print

using extra parens to emphasise the implicit grouping, and including the 
implicit -and, gives:

find /usr/src -name Makefile -or \( -name '*.mk' -and -print \)

in other words, an -or with two terms, one of which happens to be an 
expression.

If -name Makefile is true, the -or is satisfied, so nothing else is evaluated, 
and find goes on to the next filename.

Otherwise, the expression in the second term has to be evaluated. If -name 
'*.mk' is false, the -and is satisfied (which also satisfies the -or) and 
find moves to the next filename. If it's true, the -and can't be satisfied 
without evaluating the -print. The end result is that only files matching 
'*.mk' are printed.

Rewriting the other case,

find /usr/src \( -name Makefile -or -name '*.mk' \) -and -print

If the first expression is false, the -and is satisfied and the -print is not 
evaluated. If the first expression is true (meaning either of the -name 
arguments is true), then the -and can't be satisfied without evaluating the 
-print.

The last case is

find /usr/src -name Makefile -or -name '*.mk'

find quickly analyses this, finds no output action, and converts it to the 
second form above, internally placing parens around the whole expression and 
an -and -print after it.

Jonathan
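
The command forms walked through above, run against a small constructed tree, as an added example that is not part of the original message. The directory layout and function names are assumptions made for the illustration, and `-o` is used as the POSIX spelling of the `-or` in the thread.

```shell
#!/bin/sh
# Added illustration. The tree below is constructed; nothing outside a
# mktemp directory is touched.

# make_tree: scratch tree with two Makefiles, two *.mk files and one
# unrelated file. Prints the directory name.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/lib" "$t/share/mk"
    : > "$t/Makefile"
    : > "$t/lib/Makefile"
    : > "$t/lib/README"
    : > "$t/share/mk/bsd.own.mk"
    : > "$t/share/mk/sys.mk"
    printf '%s\n' "$t"
}

# names DIR FIND-EXPRESSION...: run find from inside DIR with the given
# expression and return what it printed as one sorted, space-separated line.
names() {
    (cd "$1" && shift && find . "$@" | LC_ALL=C sort | paste -s -d ' ' -)
}

# Form 1: -print binds to the second -name only, because the implicit -and
# groups tighter than -o. A Makefile satisfies the -o and nothing is printed.
ungrouped() { names "$1" -name Makefile -o -name '*.mk' -print; }

# Form 2: explicit parentheses, so -print is reached whenever either -name
# test is true.
grouped() { names "$1" \( -name Makefile -o -name '*.mk' \) -print; }

# Form 3: no action at all; find wraps the whole expression in parentheses
# and appends -print, which makes it equivalent to form 2.
no_action() { names "$1" -name Makefile -o -name '*.mk'; }

# Variation not in the thread: give each branch its own action. The first
# -print runs only when -name Makefile is true; otherwise the -o falls
# through to the second branch.
both_print() { names "$1" -name Makefile -print -o -name '*.mk' -print; }

tree=$(make_tree)
for form in ungrouped grouped no_action both_print; do
    printf '%-11s %s\n' "$form:" "$($form "$tree")"
done
rm -rf "$tree"
```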


rc script REQUIRE-ing a service on another host

2008-05-21 Thread Jonathan McKeown
We had a power failure last night, and this morning I found that imapproxyd 
(running on a webserver which provides webmail) had failed to start because 
it depends on imapd (running on the mailserver, a different host), and 
imapproxyd had won the startup race.

I need to prevent the race by making one service depend on another service 
running remotely. While I sketch out some horribly untidy fix, can the 
Lazyweb tell me if there is already a neat solution for this?

Jonathan


Flaming mailing lists (was Re: Why Clang)

2012-06-20 Thread Jonathan McKeown
On Wednesday 20 June 2012 12:59:51 Stephen Cook wrote:
> On 6/19/2012 4:06 PM, Anonymous Remailer (austria) wrote:

[snip childish invective]

> I'm a relative newcomer. Are the FreeBSD mailing lists always this
> flame-y? I realize that this particular post might be trolling / satire

No, they aren't. And I notice that whoever is primarily responsible for it 
isn't even prepared to sign his own name to his tirades - he (or she) is 
using anonymous remailers. (Irritatingly this makes him difficult to 
killfile - it turns out there's at least one recent legitimate post that's 
been sent through a similar remailer so I can't just toss them all away).

Jonathan


Re: Flaming mailing lists (was Re: Why Clang)

2012-06-22 Thread Jonathan McKeown
On Friday 22 June 2012 07:04:35 Bernt Hansson wrote:
>
>
> I want to wish all a very merry Midsummer's Eve and Midsummer's Day
>
> http://en.wikipedia.org/wiki/Midsummer#Sweden

I appreciate the sentiment but it's midwinter here ;)

Jonathan


Re: Established method to enable suid scripts?

2011-05-11 Thread Jonathan McKeown
On Wednesday 11 May 2011 04:19:29 Devin Teske wrote:
>
> The reason that the suid bit doesn't work on scripts (shell, perl, or
> otherwise) is because these are essentially text files that are interpreted
> by their associated interpreter. It is the interpreter itself that must be
> suid.

I'm pretty sure that's not the case, although I'm open to correction.

The reason the system ignores the suid bit on a script is because of what 
would happen when it's executed:

1) the script is read from a file called  and the system notices 
that it needs to be interpreted by another program.

2) that program is launched and told to re-open the file named  and 
execute its contents with suid privilege.

The problem is a race condition: there's no guarantee that the filename opened 
by the interpreter in step 2 is the same file the user executed in step 1.

There are two common ways round this: ignore the suid bit; or arrange within 
the OS to pass a handle to the original file rather than a filename so that 
the script can't be changed out from under the interpreter.

Jonathan


Re: Established method to enable suid scripts?

2011-05-12 Thread Jonathan McKeown
On Thursday 12 May 2011 16:13:50 Chris Telting wrote:
> On 05/11/2011 07:14, Jerry McAllister wrote:
> > On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:
> >> I've googled for over an hour.
> >>
> >> I'm not looking to get into a discussion on security or previous bugs
> >> that are currently fixed.  Suid in and of itself is a security issue.
> >> But if you are using suid it should work; I don't want to use a
> >> kludge and I don't want to use sudo.  I'm hoping it's a setting that is
> >> just disabled by default.
> >
> > My understanding is that in general the system does not allow SUID
> > on scripts.   The way I have gotten around that (a long time ago)
> > was to create a small binary that exec's the script and making
> > the binary SUID.
>
> Well it's all hacks and in my not so humble opinion like chasing your
> tail.  The assumption is that if someone creates an executable
> (assumption is programming is C) they are more credible not to make
> mistakes.  That's a fallacy and just plain nuts.  And I'm an interpreted
> language snob saying that.  Suid is either allowable or not and should
> be a sysctl and apply equally to binaries and scripts.  Yet another
> thing to add to my project list.  Anyone know of an established patch
> to fix this FreeBSD issue or am I yet again going to have to create my
> own?

Have you appreciated the issue with suid on scripts? It's nothing at all to do 
with whether someone writing a compiled language is a better programmer than 
someone writing an interpreted language.

When the OS launches a binary, the file containing the program is opened once.

When the OS launches an interpreted program, the file is opened once to find 
out which interpreter to run, and then the interpreter is told to re-open the 
same filename - whose contents might meanwhile have changed.

I'll say that again. It is inherently insecure to run an interpreted program 
set-uid, because the filename is opened twice and there's no guarantee that 
someone hasn't changed the contents of the file addressed by that name 
between the first and second open.

It's one thing to tell people they need to be careful with suid because it has 
security implications. Deliberately introducing a well-known security hole 
into the system would in my view be dangerous and wrong.

Jonathan


Re: Established method to enable suid scripts?

2011-05-13 Thread Jonathan McKeown
On Thursday 12 May 2011 17:26:49 Chris Telting wrote:
> On 05/12/2011 07:57, Jonathan McKeown wrote:
> >
> > I'll say that again. It is inherently insecure to run an interpreted
> > program set-uid, because the filename is opened twice and there's no
> > guarantee that someone hasn't changed the contents of the file addressed
> > by that name between the first and second open.
> >
> > It's one thing to tell people they need to be careful with suid because
> > it has security implications. Deliberately introducing a well-known
> > security hole into the system would in my view be dangerous and wrong.
>
> That race condition bug was fixed in ancient times. Before FreeBSD or
> Linux ever existed I believe. It's a meme that just won't die.  People
> accepted mediocrity in old commercial versions of Unix.  I personally am
> unsatisfied by kludges.

That seems somewhat unlikely given, as someone else pointed out upthread, that 
Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW, 
suggesting that they often aren't. Yes, there are ways to avoid this race 
condition - the usual one is to pass a handle on the open file to the 
interpreter, rather than closing it and reopening it.

This fix is not present in every Unix or Unix-like OS. In particular (although 
I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the 
best of my knowledge. Whether there's a reason for that other than lack of 
developer time I don't know.

Jonathan
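
The double open described in the two messages above, and the descriptor handoff mentioned as the usual fix, as an added example (not code from the thread or from FreeBSD): a C simulation that involves no privileges. launch(), scenario() and the file names are made up for the illustration, and the rename() stands in for any change to what the name refers to between the two opens.

```c
/* Added example: simulates the two opens involved in launching a "#!" script. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L          /* for mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum handoff { BY_NAME, BY_DESCRIPTOR };

/* Create (or truncate) path and fill it with text. Returns 0 on success. */
static int write_file(const char *path, const char *text)
{
    size_t len = strlen(text);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0700);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Read the file behind fd from offset 0 into buf, NUL-terminated. */
static int slurp_fd(int fd, char *buf, size_t cap)
{
    size_t used = 0;
    ssize_t n = 0;
    if (cap == 0 || lseek(fd, 0, SEEK_SET) < 0) return -1;
    while (used < cap - 1 && (n = read(fd, buf + used, cap - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    return n < 0 ? -1 : 0;
}

/*
 * Simulated launch of an interpreted program.
 *   Open 1: the "kernel" opens path, records which file it is (device and
 *           inode) and checks for the "#!" magic.
 *   Window: if swap_in is set, the name is re-pointed at that file.
 *   Open 2: the "interpreter" either re-opens the name or is handed the
 *           descriptor from open 1.
 * Returns 0 if the interpreter read the file that was checked, 1 if it read
 * a different file, -1 on error. What it read is copied into seen.
 */
static int launch(const char *path, enum handoff how, const char *swap_in,
                  char *seen, size_t cap)
{
    struct stat checked, run;
    char magic[2];
    int kfd, ifd, rc = -1;

    kfd = open(path, O_RDONLY);
    if (kfd < 0) return -1;
    if (fstat(kfd, &checked) < 0 || read(kfd, magic, 2) != 2 ||
        magic[0] != '#' || magic[1] != '!')
        goto out;
    if (swap_in != NULL && rename(swap_in, path) < 0)
        goto out;
    ifd = (how == BY_NAME) ? open(path, O_RDONLY) : dup(kfd);
    if (ifd < 0) goto out;
    if (fstat(ifd, &run) == 0 && slurp_fd(ifd, seen, cap) == 0)
        rc = (run.st_dev == checked.st_dev && run.st_ino == checked.st_ino) ? 0 : 1;
    close(ifd);
out:
    close(kfd);
    return rc;
}

/* One run in a private temporary directory, with constructed sample scripts. */
static int scenario(enum handoff how, int swap, char *seen, size_t cap)
{
    char dir[] = "/tmp/suid-demo-XXXXXX";
    char script[64], other[64];
    int rc = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(script, sizeof script, "%s/script", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (write_file(script, "#!/bin/sh\necho checked\n") == 0 &&
        write_file(other, "#!/bin/sh\necho swapped\n") == 0)
        rc = launch(script, how, swap ? other : NULL, seen, cap);
    unlink(script);
    unlink(other);                       /* already gone if it was renamed */
    rmdir(dir);
    return rc;
}

int main(void)
{
    char seen[128] = "";
    int by_name = scenario(BY_NAME, 1, seen, sizeof seen);
    printf("re-open by name: result %d, interpreter read:\n%s\n", by_name, seen);
    int by_fd = scenario(BY_DESCRIPTOR, 1, seen, sizeof seen);
    printf("pass descriptor: result %d, interpreter read:\n%s\n", by_fd, seen);
    return (by_name == 1 && by_fd == 0) ? 0 : 1;
}
```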


Re: 'Using the Packages System' international

2011-08-16 Thread Jonathan McKeown
On Tuesday 16 August 2011 12:13:24 Amanda Lynn wrote:
> Hi!
[snip]
> Regards,
> Amanda Lynn
> +(360) 488-0303

Google the phone number. This has cropped up here before iirc - I'm not sure 
exactly what the scam is, but scam it is.

Jonathan


Re: cat sort(1) sort floating point numbers?

2011-10-03 Thread Jonathan McKeown
On Monday 03 October 2011 14:05:42 Anton Shterenlikht wrote:
> I tried sorting a file with a column of floating
> point numbers (below) with sort(1) -n. However,
> the numbers seem to have been sorted by the first
> digit only.

sort -g

Due to the GNU project's obsession with info (), you 
can't readily find this out from the manpage - but the info documentation 
available on the web for coreutils describes the difference between -g 
and -n:

[when using -n] Neither a leading ‘+’ nor exponential notation is recognized. 
To compare such strings numerically, use the --general-numeric-sort (-g) 
option.

Jonathan


Re: Which OS for notebook

2010-10-05 Thread Jonathan McKeown
On Tuesday 05 October 2010 13:31:08 Carmel wrote:

> I have been tooling around with FreeBSD for a year or so now and I find
> it incredible that there is virtually no support for modern hardware;
> i.e., drivers for 'N' protocol devices. That one factor alone, and there
> are others, precludes me from seriously thinking about installing
> FreeBSD on a new laptop. The one PC that I have FreeBSD installed on is
> connected via Ethernet cable to my LAN. Once that PC is replaced by
> year's end with a more powerful, and wireless enabled unit, I am afraid
> my experiment with FreeBSD will come to a close. At present it
> certainly will not support the wireless card installed, and I am not
> even sure if it will support all of the other hardware either.
>
> I realize that at this point someone will inevitably chime in and play
> the "blame the manufacturers" whine. If that were factually correct,
> then no one else would be able to supply drivers and support for
> hardware that FreeBSD has left orphaned.
>
> The bottom line is that FreeBSD, if it is to continue to be considered
> a viable alternative operating system, must stay current in today's
> market. Many posts that I have viewed on other forums seem to feel that
> FreeBSD is sadly, whether due to bad choices such as those related to GPL
> licenses, or failure to properly gauge today's market trends, is slipping
> into an abyss.

So. What's the connection between freebsd.u...@seibercom.net, 
carmel...@hotmail.com and ges...@yahoo.com, who all post through 
scorpio.seibercom.net, and who all have remarkably similar views on why 
FreeBSD is a pile of rubbish?

And in terms of keeping my killfile reasonably effective, is there any easy 
way to filter out /all/ the sockpuppets at once? Or do I just need to keep 
adding them one at a time?

Jonathan


Re: Which OS for notebook

2010-10-05 Thread Jonathan McKeown
On Tuesday 05 October 2010 15:47:36 Pierre-Luc Drouin wrote:
> On Tue, Oct 5, 2010 at 9:31 AM, Jonathan McKeown wrote:
> > On Tuesday 05 October 2010 13:31:08 Carmel wrote:
> > > I have been tooling around with FreeBSD for a year or so now and I find
> > > it incredible that there is virtually no support for modern hardware;
> > > i.e., drivers for 'N' protocol devices.
[snip]
> > > I realize that at this point someone will inevitably chime in and play
> > > the "blame the manufacturers" whine. If that were factually correct,
> > > then no one else would be able to supply drivers and support for
> > > hardware that FreeBSD has left orphaned.
> >
> > So. What's the connection between freebsd.u...@seibercom.net,
> > carmel...@hotmail.com and ges...@yahoo.com, who all post through
> > scorpio.seibercom.net, and who all have remarkably similar views on why
> > FreeBSD is a pile of rubbish?
> >
> > And in terms of keeping my killfile reasonably effective, is there any
> > easy way to filter out /all/ the sockpuppets at once? Or do I just need
> > to keep adding them one at a time?
> >
> Well, according to me FreeBSD works very well on desktops (except for
> CUDA), but I agree that its usage is extremely limited for laptops and
> netbooks. If I can't use ACPI or wireless on my laptop/netbook, I don't
> really see the point... Over the past 6 years I have tried many times to
> use FreeBSD on my laptops/netbooks but these problems always made me fall
> back to Linux... I still use FreeBSD as the only OS on my desktop computers
> though...

I'm not disputing that there are things not supported on/by FreeBSD that it 
would be nice to see working. I'm just getting bored with hearing very 
similar whinges, posted from multiple email addresses but apparently all from 
the same person: look at

http://lists.freebsd.org/pipermail/freebsd-questions/2009-December/209946.html

and then

http://lists.freebsd.org/pipermail/freebsd-questions/2009-December/209966.html

Both messages are sent from carmel_ny at hotmail.com. They have the identical 
ascii-art flag in the sigblock. One is signed Carmel (carmel at hotmail.com), 
the other Jerry (gesbbb at yahoo.com).


Glue records (was Re: ATTN GARY KLINE)

2010-11-05 Thread Jonathan McKeown
On Friday 05 November 2010 09:28:27 Ian Smith wrote:
> But you don't always have any control of what parent nameservers do;
> eg we do DNS for a .com but both NS are in .au so DNS reports always
> whinge about lack of glue

They should be whingeing about lack of clue (their own) unless I'm horribly 
wrong about how DNS works.

When a nameserver delegates a zone, it's not responsible for any of that 
zone's records any more, with two exceptions. It provides NS records to 
indicate which nameservers /are/ responsible, and it retains responsibility 
for the A records of nameservers inside the zone - and only those 
nameservers. (That's glue.)

There's no way a .com nameserver should be providing A records for hosts in 
the .au zone.

> nonetheless it works, though only after a hunt down through the .au
> servers, until cached.

Yes, this is exactly what /should/ happen. Only the .au servers (or servers 
they delegate to) are authoritative for hosts in the .au zone.

Jonathan


Re: Glue records (was Re: ATTN GARY KLINE)

2010-11-08 Thread Jonathan McKeown
On Friday 05 November 2010 22:51:01 Robert Bonomi wrote:
> > From owner-freebsd-questi...@freebsd.org  Fri Nov  5 02:26:31 2010
> > From: Jonathan McKeown 
> > To: freebsd-questions@freebsd.org
> > Date: Fri, 5 Nov 2010 10:27:38 +0200
> > Subject: Glue records (was Re: ATTN GARY KLINE)
> >
> > When a nameserver delegates a zone, it's not responsible for any of that
> > zone's records any more, with two exceptions. It provides NS records to
> > indicate which nameservers /are/ responsible, and it retains
> > responsibility for the A records of nameservers inside the zone - and
> > only those nameservers. (That's glue.)
> >
> > There's no way a .com nameserver should be providing A records for hosts
> > in the .au zone.
>
> sure there is.
>
>Domain:  foo.com  (an aussie company)
>   nameservers   ns1.alicesprings.au, ns2.umelbourneatperth.au

I think we're agreeing violently ;) The nameservers for the .com zone, when 
asked about foo.com, should reply with the hostnames of the two nameservers. 
It shouldn't reply with their IP addresses; the only nameservers that can do 
that are the ones serving the .au zone or the alicesprings.au and 
umelbourneatperth.au zones.

> They're still wrong to be whinging about a lack of glue records.
> glue is needed _only_ when the nameserver is _in_ the domain it is the
> authoritative server for.
>
> So, in the above frivolous example, foo.com does *NOT* need any glue
> records, but if ns1.alicesprings.au is an authoritative server for
> alicesprings.au, then *it* needs a glue record for that domain.

Well, the glue record will be ``above the cut'': if .au delegates 
alicesprings.au, it's the .au nameserver that provides the A record for 
ns1.alicesprings.au; but, yes.


Re: Shopping cart other than OSCommerce?

2010-12-08 Thread Jonathan McKeown
On Thursday 09 December 2010 01:07:38 Kevin Kinsey wrote:
> Chuck Swiger wrote:
> > You don't magically get immunity from SQL injection by using
> > JDBC or EOF or whatever, but using bound variables in queries rather
> > than feeding user input into raw SQL, or invoking stored procedures
> > or user-defined functions instead will mitigate one of the more
> > common security problems.
>
> And these practices are "Good Practice" in any language, including
> PHP.  I think a big part of PHP's problem was [... documentation]

I don't think it was just documentation. Perl, for example, comes with a 
standard way to access databases, DBI, which has good practices like binding 
variables in queries, escaping of input and output and so on, baked in.

PHP comes with builtin functions for accessing MySQL databases, which do 
nothing at all to help the programmer make sensible decisions and follow best 
practice.

There are database abstraction modules for PHP as far as I know, but if 
someone decides not to use them, is it still as hard as it was to do things 
safely using the builtin mysql_* functions?

Jonathan


Re: a perl question

2011-01-04 Thread Jonathan McKeown
On Tuesday 04 January 2011 12:32:00 S Mathias wrote:
> cat asdf.txt
> bla-bla
> bla-bla
> bla[XYZ]
> importantthing
> another important thing
> [/XYZ]
> bla-bla
> bla-bla
> [XYZ]
> yet another thing
> hello!
> [/XYZ]
> bla-bla
> etc.
> $ SOMEPERLMAGIC asdf.txt > output.txt
> $ cat output.txt
> importantthing
> another important thing
> yet another thing
> hello!

This could mean almost anything (witness another response which excludes lines 
containing blah or XYZ, which gives the desired output on your test input).

Are you actually trying to extract all the lines inside [XYZ]...[/XYZ] tags?

Are the tags guaranteed not to occur on the lines you need to extract, as they 
appear here?

Because (all on one line)

perl -ne 'print if ($check = m{\[XYZ\]} .. m{\[/XYZ\]}) > 1 and $check !~ /E0$/' asdf.txt >output.txt

produces the same output as you have above for the test input. (The .. range 
operator in scalar context is true as soon as the left-hand expression is 
true, and false as soon as the right-hand expression is true. It returns 1 
each time it becomes true, incrementing integers as it stays true, and 
appends E0 to the last number as it becomes false, which lets you exclude 
both endpoints).

Jonathan



Re: Just wanted to install vim - had to spend entire day building X11

2011-01-10 Thread Jonathan McKeown
On Monday 10 January 2011 15:02:35 Ed Smith wrote:
> This seems bizarre.  Logically, it would seem better to do a split like
> vim (bare vim - what you would expect) and xvim (vim with X11) similar
> to how emacs does emacs/xemacs.

Er, no. xemacs is a fork of emacs. emacs has X-related dependencies unless you 
make it WITHOUT_X11.

Jonathan


Re: problem with shell script

2011-01-12 Thread Jonathan McKeown
On Wednesday 12 January 2011 17:58:33 David Scheidt wrote:
>
> ps ax | grep [s]lapd | wc -l
>
> The [] creates a one-character class that doesn't match the regex.  Easier
> to type and grep should be a bit faster. 

And you can save another process by using

ps ax | grep -c '[s]lapd'

Although as others have pointed out, you can also use pgrep.

Jonathan


Re: Warning - FreeBSD (*BSD) entanglement in Linux ecosystem

2012-08-22 Thread Jonathan McKeown
On Wednesday 22 August 2012 15:41:05 David Jackson wrote:
> So this is clearly not about "portability", FreeBSD is free to implement
> these software interfaces to assure that software is portable to FreeBSD.

Really? You make software portable by writing it to one environment and then 
changing every other environment to suit the software?

I'm not sure software portability means what you think it means.

Jonathan


Re: cksum entire dir??

2012-09-12 Thread Jonathan McKeown
On Wednesday 12 September 2012 08:31:45 Matthew Seaman wrote:
> On 12/09/2012 00:14, Polytropon wrote:
> > % cksum 
[snip]
>
> That will give you a checksum on the directory inode -- file names and
> associated metadata only, not file content.
[snip]
> Generally I find the best test for differences between old and new
> copies of a filesystem is 'rsync -avx -n ...'

Wouldn't suitable applications of mtree(8) also do what's wanted?

Jonathan


Re: cksum entire dir??

2012-09-13 Thread Jonathan McKeown
On Wednesday 12 September 2012 22:29:45 Gary Kline wrote:

>   how, with mtree, could I tell  whether dir1 == dir2 or not?

From the manpage:

``The mtree utility compares the file hierarchy rooted in the
current directory against a specification read from the standard
input.  Messages are written to the standard output for any files
whose characteristics do not match the specifications, or which
are missing from either the file hierarchy or the specification.''

So you run mtree twice, once against dir1 with the -c option to output the 
specification for the directory tree to stdout (which you can capture to a 
file, or pipe straight into the second invocation) and once against dir2 with 
the output of the first one as input (either in a pipeline, or by using -f 
with the filename of the captured output).

Jonathan


Re: building and installing world on two separate machines

2006-09-04 Thread Jonathan McKeown
On Monday 04 September 2006 08:25, Dave wrote:
> Hello,
> I have a machine that I want to upgrade from 5.x to 6.1. I've got a 6.1
> world built on a much faster system and would like to just install it on
> this machine. I thought about nfs, but I have to drop to single user mode
> to do the make installworld and won't have nfs available. Is there a way I
> can install this already compiled world on the slower box without having to
> remake it?

I do this across all my servers, by nfs-mounting /usr/src and /usr/obj from 
the build server on the target server before dropping it to single-user mode: 
the filesystems stay mounted and I just

cd /usr/src
make installworld

Jonathan


FreeBSD installer (was Re: Newbie Experience #2)

2006-09-11 Thread Jonathan McKeown
On Monday 11 September 2006 15:56, Jud wrote:
> everyone who uses FreeBSD knows that a "better" (meaning,
> at least to many folks, more simplified and graphical)
> installer would be nice  

Perhaps as an option. The problem is that you need to install a graphical 
environment to run a graphical installer. Simplicity means different things 
to different people, too.

I set up new and replacement servers, using commodity hardware for cost 
reasons, for our various offices around South Africa. I used to have a KVM 
switch with a spare monitor and keyboard in my office for doing the 
installations, or if I was going elsewhere to install delivered hardware or 
update an existing box, we needed to arrange a spare screen and keyboard at 
the location.

I now have a slightly-adjusted installation CD (I downloaded the disc 1 and 2 
ISO images from Freebsd.org, unpacked disc 1 onto a hard drive and edited 
boot/loader.conf, adding the line
console="comconsole"
then made a new ISO and burned to a fresh CD labelled ``disc 1- serial'').

Now the only time my servers get a screen/keyboard connected is to configure 
the BIOS when they are first unpacked. Otherwise the basic install is done 
from the serial boot CD with my laptop as a serial terminal, up to the point 
where I can ssh to the box and start customising, adding packages etc. From 
my point of view it doesn't get simpler than that.

Jonathan


Re: Newbie Experience

2006-09-12 Thread Jonathan McKeown
On Tuesday 12 September 2006 15:05, Jeff Rollin wrote:
> That was my point, that BSD was rewritten from the ground up to avoid AT&T
> patents. So whilst some might consider BSD "real unix", it's really only
> "emulating" V7 with Berkeley extensions.

My understanding was that it was copyright rather than patents - and that the 
main reason for the settlement of the case between AT&T and BSD/University of 
California was that when they started comparing code, there was actually more 
Berkeley code in AT&T Unix than the other way round.

Jonathan


Using PC as serial terminal on running system

2006-09-13 Thread Jonathan McKeown
I'm using my laptop and tip(1) as a serial terminal. This is working well when 
a machine is booted with the laptop connected to its serial port. However, I 
need to be able to connect the laptop to a machine which was booted without a 
serial console.

I've set the ttyd0 line in /etc/ttys and sigHUPed init. The machine is still 
not recognising the presence of the ``serial terminal'' - the getty(1) 
process on the server is not bound to a controlling terminal and nothing is 
appearing in the tip(1) screen on the laptop.

I've also tried fiddling about with conscontrol, adding ttyd0 on the server - 
still no difference.

Have I missed a trick somewhere, or do I really need to reboot the server to 
get it to recognise a PC connected as a serial terminal?

(Connection is laptop - USB - BAFO 810 USB/serial adapter - null-modem cable - 
server)

Jonathan


Re: Newbie Experience

2006-09-13 Thread Jonathan McKeown
On Thursday 14 September 2006 01:21, Kevin Brunelle wrote:
> As for the GNU tools, yes most sysadmins use some of them (although not
> always).  I know that BSD tar handles gzip and bzip2 just fine ( -z and -j
> respectively).  So I know I wouldn't download gtar just for that feature.

In fact, as I discovered a few days ago (after all, how often does one read 
tar(1)'s manpage?), you only need to use -z and -j when creating a tar 
archive. bsdtar(1) recognises bzip2 and gzip compression on reading an 
archive and handles them automatically.

Jonathan


Re: Newbie Experience

2006-09-13 Thread Jonathan McKeown
On Thursday 14 September 2006 08:40, Chad Leigh -- Shire.Net LLC wrote:
> On Sep 14, 2006, at 12:29 AM, Jonathan McKeown wrote:
> >
> > In fact, as I discovered a few days ago (after all, how often does
> > one read tar(1)'s manpage?), you only need to use -z and -j when
> > creating a tar archive. bsdtar(1) recognises bzip2 and gzip
> > compression on reading an archive and handles them automatically.  
>
> old habits die hard
>
> :-0

Exactly. I wondered, when I saw the entry in tar(1)'s manpage, how many other 
little tricks I don't know because I just do it the old way. If I ever get a 
supply of tuits (round ones are best, apparently), I might start re-reading 
the documentation for things I already know how to do, just to find out what 
I'm missing.

Jonathan


Re: Using PC as serial terminal on running system

2006-09-14 Thread Jonathan McKeown
On Wednesday 13 September 2006 14:59, Jonathan McKeown wrote:
> I'm using my laptop and tip(1) as a serial terminal. This is working well
> when a machine is booted with the laptop connected to its serial port.
> However, I need to be able to connect the laptop to a machine which was
> booted without a serial console.
>
> I've set the ttyd0 line in /etc/ttys and sigHUPed init. The machine is
> still not recognising the presence of the ``serial terminal'' - the
> getty(1) process on the server is not bound to a controlling terminal and
> nothing is appearing in the tip(1) screen on the laptop.

OK, creating a line in /etc/ttys for cuad0 seems to have worked. Will that 
cause problems later? I assume the problem is that the tip(1) process (or 
possibly the USB-serial adapter) is not DTRT with respect to carrier. Is 
there any other way round this?

Jonathan


Re: USB IrDA Adapter

2006-10-02 Thread Jonathan McKeown
On Saturday 30 September 2006 13:58, Luchezar Petkov wrote:

> I really need your help. I've just brought my first USB IrDA
> adapter to connect my phone (Sony Ericsson K300i) to my computer.
> It is recognized by FreeBSD (6.2 beta 1) ::
> ugen0: Prolific Technology Inc. USB-Serial Controller, rev
> 1.10/3.00, addr 2
> --
> addr 1: OHCI root hub, SiS
> uhub1
> addr 2: USB-Serial Controller, Prolific Technology Inc.
> ugen0
> 
> And... What to do now? How to take the pictures from my photo
> camera? How to put files on my phone? I don't know what to do..
> Any ideas?

It sounds like the adapter is trying to present itself as a serial port. The 
Prolific Technology USB-Serial controller needs the uplcom(4) driver either 
compiled into the kernel or loaded as a module.

Try (as root)

kldload uplcom

and then plugging your adapter in. You should see a message about ucom rather 
than ugen, and the devices should be something like

/dev/ttyU0
/dev/cuaU0

as the tty and callout devices for the adapter.

Jonathan


Re: no specifc dhcpd port found

2006-10-05 Thread Jonathan McKeown
On Wednesday 04 October 2006 23:46, Noah wrote:
> Hi there,
>
> I am unable to find the dhcpd port in /usr/ports
>
> where should  I be looking?
>
> # find /usr/ports -name dhcp\*

I find the easiest way to search for ports is

# cd /usr/ports
# make search name=dhcp | grep -A2 '^Port:'

This finds every port whose name includes the string dhcp, and then gives the 
Port: line and the two following it in each response. This drops the 
Maintainer:, B-deps:, R-deps:, and Web: lines, giving you something like:

Port:   dhcp-agent-0.41
Path:   /usr/ports/net/dhcp-agent
Info:   A portable UNIX Dynamic Host Configuration suite
--
Port:   dhcp6-20040903a
Path:   /usr/ports/net/dhcp6
Info:   KAME DHCP6 client and server
--
Port:   dhcpdump-1.7
Path:   /usr/ports/net/dhcpdump
Info:   Decode and diagnose sniffed DHCP packets
--
Port:   dhcping-1.2
Path:   /usr/ports/net/dhcping
Info:   Send DHCP request to DHCP server for monitoring purposes
--
Port:   isc-dhcp3-client-3.0.1.r14_6
Path:   /usr/ports/net/isc-dhcp3-client
Info:   The ISC Dynamic Host Configuration Protocol client
--
Port:   isc-dhcp3-devel-3.0.1.r14_6
Path:   /usr/ports/net/isc-dhcp3-devel
Info:   The ISC Dynamic Host Configuration Protocol API
--
Port:   isc-dhcp3-relay-3.0.1.r14_6
Path:   /usr/ports/net/isc-dhcp3-relay
Info:   The ISC Dynamic Host Configuration Protocol relay
--
Port:   isc-dhcp3-server-3.0.1.r14_6
Path:   /usr/ports/net/isc-dhcp3-server
Info:   The ISC Dynamic Host Configuration Protocol server
--
Port:   wide-dhcp-1.4.0.6_2
Path:   /usr/ports/net-mgmt/wide-dhcp
Info:   Dynamic Host Configuration Protocol, WIDE Implementation

Jonathan


Removing removable ATA hard drives

2006-10-05 Thread Jonathan McKeown
I recently bought a drive caddy for an ATA hard drive. The unit is in two 
parts: a cassette, into which can be fitted a standard ATA hard drive, and a 
carrier permanently fitted into a standard drive bay. The carrier includes a 
power keyswitch for the drive bay.

I installed it, brought the box (running 4.9) back up, and then switched on 
the power to the drive. FreeBSD didn't recognise the drive even after an 
atacontrol reinit of the channel.

I then dropped the box and brought it back up with the keyswitch for the drive 
in the ON position. It now recognises the drive (could this be 
BIOS-related?).

Is it safe to simply switch the power to the drive off using the keyswitch and 
then remove the cassette with the server running but the drive bay powered 
down? Do I need to do anything other than ensure that the drive is unmounted 
at the time?

And having done that, if I replace the drive and then reapply power using the 
keyswitch, would I need to do anything to get FreeBSD to notice the return of 
the device?

I'm reluctant to experiment any more than I have done: the server the drive 
bay has been fitted to is our live fileserver, with 120GB of user data on two 
drives on the other ATA channel.

Jonathan


Re: Removing removable ATA hard drives

2006-10-05 Thread Jonathan McKeown
On Thursday 05 October 2006 10:38, Olivier Nicole wrote:
> Hi,
>
> > I'm reluctant to experiment any more than I have done: the server
> > the drive bay has been fitted to is our live fileserver, with 120GB
> > of user data on two drives on the other ATA channel.
>
> I know I would take time to install the drive bay in a test machine,
> with an old disk and play with it until I am 100% confident on the way
> to mount and dismount your disk... Whatever others can say.

Yes, so would I normally but I'm under pressure for a quick fix to this and a 
number of other issues, as you might guess from the OS version on the server: 
I'm trying to impose order on a bunch of inherited and undocumented servers 
running (at least) 4.7-release, 4.9-release, 4.9-stable, 5.2-release, 
5.4-release-p6, plus Red Hat 6.0 and WinNT 4.0 SP6a.

Jonathan


Re: Removing removable ATA hard drives

2006-10-05 Thread Jonathan McKeown
On Thursday 05 October 2006 11:00, Olivier Nicole wrote:

[Power down a drive bay using its built-in keyswitch and pull the disk without 
dropping the whole box]
> Unless you need to move that disk from one machine to another, fix it
> in your server, keep the tray for future testing when you will have
> more time... (if we ever have more time in the present life :)

I should probably have said: we don't currently have offsite backups (we've 
exceeded the capacity of our tape device and our budget), and the quick-fix 
solution is dumping to this hard drive and then pulling it out and taking it 
home. As such the removability is key to its intended function. I can't keep 
dropping the main fileserver to fiddle with it, and the alternative in terms 
of testing is to set up another box with the particular 4.9-STABLE snapshot 
running on this server (to eliminate OS version-related variable effects).

I'm hoping some kind person here will save me the trouble by saying, from 
experience, either ``yes, you're on the right track but you need to do x, y 
and z before pulling/replacing the drive cassette'', or ``no, run away 
screaming before your server room goes down in flames''.

Jonathan


Re: Removing removable ATA hard drives

2006-10-05 Thread Jonathan McKeown
On Thursday 05 October 2006 10:34, Jonathan McKeown wrote:
> I recently bought a drive caddy for an ATA hard drive. The unit is in two
> parts: a cassette, into which can be fitted a standard ATA hard drive, and
> a carrier permanently fitted into a standard drive bay. The carrier
> includes a power keyswitch for the drive bay.
>
> I installed it, brought the box (running 4.9) back up, and then switched on
> the power to the drive. FreeBSD didn't recognise the drive even after an
> atacontrol reinit of the channel.
>
> I then dropped the box and brought it back up with the keyswitch for the
> drive in the ON position. It now recognises the drive (could this be
> BIOS-related?).

OK, having got to this point and with some trepidation, I started fiddling. 
The removable drive is on ATA channel 1 along with a CD writer.

> Is it safe to simply switch the power to the drive off using the keyswitch
> and then remove the cassette with the server running but the drive bay
> powered down? Do I need to do anything other than ensure that the drive is
> unmounted at the time?
>
> And having done that, if I replace the drive and then reapply power using
> the keyswitch, would I need to do anything to get FreeBSD to notice the
> return of the device?

So far doing an atacontrol detach 1, powering down the drive with the 
keyswitch, removing it and doing an atacontrol attach 1 to get my CD back, 
seems to work without problems. Adding the drive back in, powering it up and 
then doing an atacontrol reinit 1 also seems to work without problems.

Potentially slightly less safe, I guess, simply powering the drive off and 
doing an atacontrol reinit 1 seems to work.

Does anyone have any horror stories or awful warnings before I make this part 
of my backup procedure?

Jonathan


Re: cheapskate webmail interface

2006-10-10 Thread Jonathan McKeown
The Subject: header has gradually grown to:

> Subject: Re: RE : Re: RE : Re: RE : Re: RE : Re: cheapskate webmail interface

Please, please, edit it or use an email client that does. It's in danger of 
getting silly now.

Jonathan


ports adding users

2006-10-12 Thread Jonathan McKeown
This is, I guess, a philosophical question.

Twice in the last couple of weeks I have been bitten by ports adding users or 
groups. In setting up my laptop, I created my user account in sysinstall 
without creating my group. My ~ was created with the GID corresponding to my 
UID, but in building KDE, comms/gnokii used pw groupadd and was allocated 
`my' GID, resulting in my ~ being group-owned by gnokii.

More seriously, we are moving our user accounts into LDAP and I now have a 
problem on a server where I installed net/isc-dhcp3-server before configuring 
pam_ldap and nss_ldap. As a result the dhcpd user (in /etc/passwd) and one of 
my user accounts (in LDAP) have the same UID and GID. Disentangling these is 
going to be... interesting.

After some digging about, I see I can effectively reserve a block of UIDs/GIDs 
by starting my UID numbering at (1001 + x), and creating /etc/pw.conf with

reuseuids yes
reusegids yes

to use the UIDs/GIDs between 1000 and (1000 + x) (otherwise pw just allocates 
a UID/GID higher than any in use, which puts it right back in my reserved 
range). Perhaps I should also set the maxuid/maxgid options too, just in 
case?

That's one option.

Another is to expect dozens of busy port maintainers to cover for me by 
reserving UIDs/GIDs instead of creating random users.

Another is to arrange somehow that the ports infrastructure provide a pw.conf 
which can be used when pw is called by ports, that limits the range of 
UIDs/GIDs that a port can be allocated so that it doesn't overlap with the 
range generally used for user accounts.

Thoughts?

Jonathan


Re: ports adding users

2006-10-14 Thread Jonathan McKeown
On Friday 13 October 2006 21:54, Lowell Gilbert wrote:

> The convention is, indeed, that users get UIDs from 1000 up.  This
> doesn't seem to be explicitly described anywhere I can find at the
> moment, but it is implemented in adduser(8) -- and the porter's
> handbook requires hard-coded UIDs and GIDs to be under 1000 (but
> strongly recommends using pw(8) unless there is an important reason
> not to do so).

Yes. The reality of using pw(8) at port installation time, though, is that the 
port-created user will get a uid above 1000 - in fact a uid higher than the 
highest one currently in use, so I can't even just leave a gap in uid 
numbering for port-created users. This caught me out.

> A lot of your problem, though, is that you're trying to combine the
> UID (and GID) space of different machines, that have collisions.  The
> fact that some of those were created by ports isn't really important;
> the problem is that the UID maps were created independently and now
> need to be combined.

No, this isn't the main problem, which is that without some serious 
forethought (and an awareness of the issue), installing a port can screw up 
my user management by (quite correctly, as you point out above) using one of 
``my'' uids rather than a block set aside for ports which want a uid but 
don't need to reserve a specific one.

More to the point, it can do this at some point in the future, when I decide 
to install a new port on one server and then have to remember to mark that 
uid as used throughout my network.

> I'm not sure there's a perfect solution, other than planning ahead.

Agreed. I think my planning ahead is going to take the form I proposed 
originally, of adding an /etc/pw.conf (so that ports using pw(8) will use 
that configuration) forcing allocation within a given uid/gid range, and 
ensure that I only use numbers outside that range for real users.

I mentioned this on the list because I was Astonished (in the POLA sense) to 
find that my human users and ports-created (effectively system) users were 
not separated in any way by default, indeed were jumbled together in the 
sequence of uids/gids. I always like to create a permanent record of things 
that trip me up!

Jonathan
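The clash described in the two messages above (a port-created account such as dhcpd ending up on the same UID as an LDAP user) can be caught by comparing the local and directory account lists. This is an added example, not code from the thread: `audit_uids`, the `HUMAN_MIN`/`HUMAN_MAX` policy range and the sample accounts are assumptions constructed for illustration, and because group(5) also keeps the numeric id in field 3, the same function works on group files.

```shell
#!/bin/sh
# Added example: audit passwd(5)- or group(5)-format lists for id clashes.
# HUMAN_MIN/HUMAN_MAX are an assumed site policy, not FreeBSD defaults.
HUMAN_MIN=${HUMAN_MIN:-2000}
HUMAN_MAX=${HUMAN_MAX:-59999}

# audit_uids LOCAL_FILE DIRECTORY_FILE
#   COLLISION id local_name directory_name   two different names share an id
#   INRANGE   id local_name                  local-only account in the human range
audit_uids() {
    awk -F: -v min="$HUMAN_MIN" -v max="$HUMAN_MAX" '
        /^#/ || NF < 3 { next }                  # skip comments and short lines
        src == "dir"   { ids[$3] = $1; next }    # remember directory id -> name
        ($3 in ids) && ids[$3] != $1 {
            print "COLLISION", $3, $1, ids[$3]; next
        }
        $3+0 >= min+0 && $3+0 <= max+0 && !($3 in ids) { print "INRANGE", $3, $1 }
    ' src=dir "$2" src=local "$1"
}

# Constructed sample data: a local passwd file and an LDAP export in the
# same format. None of these lines come from a real system.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/local" <<'EOF'
root:*:0:0:Superuser:/root:/bin/csh
alice:*:2001:2001:Alice Example:/home/alice:/bin/sh
dhcpd:*:2002:2002:DHCP daemon:/nonexistent:/usr/sbin/nologin
cups:*:1003:1003:Print daemon:/nonexistent:/usr/sbin/nologin
gnokii:*:2005:2005:Port-created account:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$tmp/ldap" <<'EOF'
alice:*:2001:2001:Alice Example:/home/alice:/bin/sh
bob:*:2002:2002:Bob Example:/home/bob:/bin/sh
EOF
    audit_uids "$tmp/local" "$tmp/ldap"
    rm -rf "$tmp"
}

demo
```

An account defined under the same name and id in both lists (alice here) is treated as a duplicate definition and not reported.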


mimedefang with LDAP-enabled sendmail

2006-10-15 Thread Jonathan McKeown
I'm hoping someone can point me in the right direction. I'm running 6.1 (the 
security branch) with a recently-updated ports tree (1 September).

I have modified /etc/make.conf to change the options for the system sendmail, 
by adding these lines:

SENDMAIL_CFLAGS = -I/usr/local/include -DSASL=2 -DLDAPMAP
SENDMAIL_LDFLAGS = -L/usr/local/lib
SENDMAIL_LDADD = -lsasl2 -lldap -llber

I have added the necessary ports and rebuilt world: when I run 
ldd /usr/libexec/sendmail/sendmail, I get
libutil.so.5 => /lib/libutil.so.5 (0x28107000)
libwrap.so.4 => /usr/lib/libwrap.so.4 (0x28113000)
libssl.so.4 => /usr/lib/libssl.so.4 (0x2811a000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x28148000)
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x2823a000)
libldap-2.3.so.2 => /usr/local/lib/libldap-2.3.so.2 (0x2824f000)
liblber-2.3.so.2 => /usr/local/lib/liblber-2.3.so.2 (0x2827f000)
libc.so.6 => /lib/libc.so.6 (0x2828a000)

and sendmail -d0.1 -bt


Re: mimedefang with LDAP-enabled sendmail

2006-10-16 Thread Jonathan McKeown
On Sunday 15 October 2006 22:19, Jonathan McKeown wrote:
> sendmail -d0.1 -bt 
> Version 8.13.6
>  Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
> MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
> PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB
> USE_LDAP_INIT XDEBUG
>
> When I try to build and install mail/mimedefang from ports (version is
> 2.57), I get (modulo wrapping)
>
> cc -O2 -fno-strict-aliasing -pipe  -pthread -o mimedefang mimedefang.o
> drop_privs_threaded.o utils.o rm_r.o syslog-fac.o /usr/lib/libmilter.a
> -lpthread
>
> /usr/lib/libmilter.a(errstring.o)(.text+0xd6): In function `sm_errstring':
> : undefined reference to `ldap_err2string'

The undefined reference is apparently in libmilter.a and it seems (Google 
again) that the ldap_err2string symbol comes from the openldap library. Is it 
possible that the build of libmilter is not picking up libldap 
from /usr/local/lib?

Jonathan


Re: mimedefang with LDAP-enabled sendmail

2006-10-17 Thread Jonathan McKeown
On Monday 16 October 2006 16:54, Jonathan McKeown wrote:
> On Sunday 15 October 2006 22:19, Jonathan McKeown wrote:
> > sendmail -d0.1 -bt  >
> > Version 8.13.6
> >  Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
> > MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS
> > PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB
> > USE_LDAP_INIT XDEBUG
> >
> > When I try to build and install mail/mimedefang from ports (version is
> > 2.57), I get (modulo wrapping)
> >
> > cc -O2 -fno-strict-aliasing -pipe  -pthread -o mimedefang mimedefang.o
> > drop_privs_threaded.o utils.o rm_r.o syslog-fac.o /usr/lib/libmilter.a
> > -lpthread
> >
> > /usr/lib/libmilter.a(errstring.o)(.text+0xd6): In function `sm_errstring':
> > : undefined reference to `ldap_err2string'
>
> The undefined reference is apparently in libmilter.a and it seems (Google
> again) that the ldap_err2string symbol comes from the openldap library. Is
> it possible that the build of libmilter is not picking up libldap
> from /usr/local/lib?

OK, this seems to be the same problem that was reported in (at least) PR 
ports/95646 <http://www.freebsd.org/cgi/query-pr.cgi?pr=95646> and PR 
ports/95647 (both ports which would not build with an LDAP-enabled core 
sendmail).

The solution proposed in ports/95646 was to make the various Sendmail LDAP 
options in /etc/make.conf invisible to libmilter.

This certainly works - it prevents a build of libmilter passing the LDAP flags 
through to libsm at this line in the build of /usr/src/lib/libmilter:

cc -O2 -fno-strict-aliasing -pipe  
-I/usr/src/lib/libmilter/../../contrib/sendmail/src 
-I/usr/src/lib/libmilter/../../contrib/sendmail/include -I. -DNOT_SENDMAIL 
-Dsm_snprintf=snprintf -D_THREAD_SAFE -DNETINET6 -I/usr/local/include 
-DSASL=2  -c /usr/src/lib/libmilter/../../contrib/sendmail/libsm/errstring.c

libsm/errstring.c refers to ldap_err2string in a conditional testing on 
LDAPMAP. ldap_err2string is declared in the #included /usr/local/lib/ldap.h. 
(I didn't search for where it's defined).

It looks as though the problem is less with ports, and more with a subtle 
breakage of the core sendmail when built with LDAP - specifically in building 
libsm/errstring.c as part of the libmilter build.

Is pretending that LDAPMAP is not set while compiling libmilter the right 
solution?

Should the necessary changes to /etc/make.conf be documented somewhere or even 
automated in some way?

I have spent five days trying to solve this. I have rewritten 
my /etc/make.conf as follows:

WANT_OPENLDAP_SASL=true
SENDMAIL_CFLAGS  = -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS = -L/usr/local/lib
SENDMAIL_LDADD   = -lsasl2
.if ${.CURDIR} != /usr/src/lib/libmilter
SENDMAIL_CFLAGS  += -DLDAPMAP
SENDMAIL_LDADD   += -lldap -llber
.endif

This works but it Just Feels Wrong.

Jonathan


Base sendmail: undefined symbol in libmilter when -DLDAPMAP set in make.conf

2006-10-17 Thread Jonathan McKeown
This summarises the conversation I have had with myself on the list over the 
last few days: I'm not sure whether this is really a question or a potential 
PR.

I am running FreeBSD-6.1-RELEASE-p5 (cvsup on 6 September).

One of the source files for a rebuild of /usr/src/contrib/sendmail/libmilter 
is /usr/src/contrib/sendmail/libsm/errstring.c.

If SENDMAIL_CFLAGS in /etc/make.conf contains -DLDAPMAP (and SENDMAIL_LDADD 
contains "-lldap -llber") when libmilter is rebuilt, LDAPMAP enables a 
conditional compilation in errstring.c of a call to ldap_err2string.

The resulting libmilter.a contains an undefined reference to that symbol, 
which prevents building some ports which use milters (at least 
mail/mimedefang as per my experience, mail/sentinel as per PR ports/95647 and 
security/amavisd-milter as per PR ports/95646).

There is a suggested fix under ports/95646, which is to ensure that when 
building libmilter, the SENDMAIL_CFLAGS and SENDMAIL_LDADD do *not* contain 
-DLDAPMAP and -lldap -llber respectively.

I have used the following in /etc/make.conf to do this:

SENDMAIL_CFLAGS  = -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS = -L/usr/local/lib
SENDMAIL_LDADD   = -lsasl2
.if ${.CURDIR} != /usr/src/lib/libmilter
SENDMAIL_CFLAGS  += -DLDAPMAP
SENDMAIL_LDADD   += -lldap -llber
.endif

It appears to work but it does seem... less than elegant.

Jonathan
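Once libmilter has been rebuilt with the make.conf workaround above, the result can be checked directly: the archive should no longer carry undefined references to LDAP symbols. This is an added example, not part of the thread; `ldap_refs` is a hypothetical helper that reads `nm -A` output on stdin, and the two sample listings are constructed to resemble a library built with and without -DLDAPMAP.

```shell
#!/bin/sh
# ldap_refs: read `nm -A` output for a static library on stdin and list the
# archive members that still need ldap_* or ber_* symbols from outside.
# Exit status 1 means at least one such reference was found, so the check
# can gate the build of milter ports.
# Real use (assumed path): nm -A /usr/lib/libmilter.a | ldap_refs
ldap_refs() {
    awk '
        $2 == "U" && $3 ~ /^(ldap|ber)_/ {
            split($1, part, ":")        # "archive:member:" -> member is part[2]
            print part[2] ": " $3
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: libmilter built while -DLDAPMAP was visible.
sample_broken() { cat <<'EOF'
/usr/lib/libmilter.a:main.o:00000000 T smfi_main
/usr/lib/libmilter.a:errstring.o:         U ldap_err2string
/usr/lib/libmilter.a:errstring.o:00000000 T sm_errstring
/usr/lib/libmilter.a:errstring.o:         U strerror
EOF
}

# Constructed sample: the same members after the workaround.
sample_fixed() { cat <<'EOF'
/usr/lib/libmilter.a:main.o:00000000 T smfi_main
/usr/lib/libmilter.a:errstring.o:00000000 T sm_errstring
/usr/lib/libmilter.a:errstring.o:         U strerror
EOF
}

sample_broken | ldap_refs || echo "libmilter.a still references LDAP symbols"
sample_fixed | ldap_refs && echo "libmilter.a is free of LDAP references"
```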


Re: Auto Create home directory

2006-10-27 Thread Jonathan McKeown
On Friday 27 October 2006 14:19, Ansar Mohammed wrote:
> Hello,
> I have a network based on FreeBSD and I have a centralized ldap server
> running OpenLDAP. I am using ldapeditor (http://www.ldapeditor.com
>  ) to manage the accounts. However, ldapeditor
> is a Windows program and it does not have a way to auto create user home
> directories. How can I auto create home directories?

I installed security/pam_mkhomedir from ports and added

session    required    /usr/local/lib/pam_mkhomedir.so

to the session stanzas of the relevant files in /etc/pam.d

Jonathan

