rhce-log-030409.txt

--- Log opened Wed Apr 09 19:47:38 2003 -!- sweeper [~mbroome@moya.trilug.org] has joined #trilug-rhce -!- Topic for #trilug-rhce: Next irc-meeting: Today @ 8:00 pm -!- Topic set by SinnerBOFH [] [Wed Apr 9 19:04:17 2003] [Users #trilug-rhce] [@ChanServ] [ cybertooth] [ Jester_] [ SinnerBOFH] [ Tribot] [ clotman ] [ jeremyp ] [ jtower ] [ sweeper ] -!- Irssi: #trilug-rhce: Total of 9 nicks [1 ops, 0 halfops, 0 voices, 8 normal] -!- Channel #trilug-rhce created Sun Apr 6 17:01:25 2003 -!- Irssi: Join to #trilug-rhce was synced in 1 secs < SinnerBOFH> hi sweeper < jeremyp> Evening folks. The freenode people do need more servers, especially in the US. < jeremyp> If you look at the 'motd' when you join, you'll see that most of the current servers are in places like Italy or Sweden. < jeremyp> Problem is it requires a lot of bandwidth, which few people have :/ < SinnerBOFH> how-dee jeremyp < SinnerBOFH> at EcolNet we have "solved" this issue by creating an in-house network of irc (and news and...) servers < cybertooth> Trilug should be able to host an irc server -!- Nat_RH [~Nat@rdu74-184-217.nc.rr.com] has joined #trilug-rhce < cybertooth> but as long as freenode works... < SinnerBOFH> it's not very bandwidh consuming, really < jeremyp> Well if we had a server for our own channels it wouldn't take much bandwidth, true. But hosting a freenode leaf would. < SinnerBOFH> we just really need #trilug #trilug-irc #trilug-bzf and #trilug-admin < jeremyp> From a sysadmin point of view though, we like using Freenode because if/when the TriLUG servers go down the sysadmins can still communicate easily < jeremyp> Since there's no dependence on any of the servers. < SinnerBOFH> what about hosting irc servers on home servers? < Jester_> I do that, but it's hard to link them with dynamic IPs < jeremyp> Freenode is still a heck of a lot more reliable than home servers. Seen how often Road Runner goes down? Ugh < cybertooth> You can link them via DNS with multiple entries in the DNS tables < SinnerBOFH> that's more or less what EcolNet does < jeremyp> Yeah but the IRC dameons still have to link to each other. If the IP changes you're up a creek (Netsplit!) < Jester_> Exactly < jeremyp> When Freenode netsplits it's usually due to connectivity problems, not server problems. And most of the freenode servers have good backbone connections. < jeremyp> I don't think you could really do much better. < SinnerBOFH> jeremyp: take a look at this (it takes a while to load) http://helvete.escomposlinux.org/ecolnet/ -!- ccw [~ccw@durham-ar1-4-64-250-023.durham.dsl-verizon.net] has joined #trilug-rhce < Jester_> Only reason to really set anything up would be to go with something more secure, like silc < SinnerBOFH> mmm, 8:00 pm < jeremyp> SinnerBOFH: cool < SinnerBOFH> time for refueling the drink < cybertooth> I'm getting a beer. < SinnerBOFH> jeremyp: as you see, the connections are mostly 128 Kbps home adsl systems < jeremyp> Jester_: yeah, security is an interesting idea. When we're discussing sysadmin stuff we have to be careful what we say, as who knows who's listening in * Nat_RH puts a glass to the monitor * SinnerBOFH knows nothing of invisible bots eavesdropping certaing irc channels... < ccw> Somehow, I suspect that if we know about it ... so do "they". < jeremyp> Yeah, like this: http://www.trilug.org/~jeremy/pisg/ -!- ovrclokd [~lisa@moya.trilug.org] has joined #trilug-rhce < ovrclokd> evening, all... < jeremyp> ovrclokd! Good evening -!- RedWolfe [~chatzilla@durham-ar1-4-64-250-023.durham.dsl-verizon.net] has joined #trilug-rhce < cybertooth> Lets let the bots start recording my password is .... < jeremyp> I just noticed last week that your license plate on your car says the same thing, ovrclokd :) < ovrclokd> sorry i'm late - in the middle of cooking dinner :( < SinnerBOFH> good evening ccw and ovrclokd and RedWolfe -!- [ECL]rock [~n@cpe-024-211-148-035.nc.rr.com] has joined #trilug-rhce < RedWolfe> Wolfe < SinnerBOFH> ovrclokd: no prob, still chit-chatting < jeremyp> Hey Rock. < ovrclokd> jeremyp: yup! :) 's mike's nickname for me (formatted for ncdmv) < SinnerBOFH> hi [ECL]rock < [ECL]rock> Hey < Tribot> salut, [ECL]rock < jeremyp> Hey, Tribot didn't greet me :/ < jtower> Tribot: insult jeremyp < Tribot> jeremyp is nothing but a festering accumulation of off-color jizzum. < ccw> waves to all. < jtower> there's your greeting < ovrclokd> anybody play with rhl9 yet? < cybertooth> I'm talking to you from it * jtower raises his hand < ovrclokd> cybertooth - neat! i would be, but haven't gotten my wireless card working yet. < jeremyp> Well I got it installed on my new desktop, but the freakin thing keeps crashing (not Linux's fault, some sort of hardware glitch) * Nat_RH has "played" with it * RedWolfe also raises hand < jtower> i've had no problems with it whatsoever * sweeper returns to the keyboard and starts reading the log to get caught up ... < cybertooth> It's nice, RH gets more intelligent with every release < ovrclokd> jtower: i think mine are a cisco firmware issue, hope to clear it up soon < [ECL]rock> no mp3 no dvd < [ECL]rock> no alsa < ovrclokd> rock: yeah, but you can fix that pretty easily < cybertooth> Read the list for howto add those < jeremyp> [ECL]rock: mp3/dvd stuff is not RH's fault, please don't blame them! -!- jtate [~jtate@rdu74-181-041.nc.rr.com] has joined #trilug-rhce * ovrclokd needs to go cook some zucchini, back in 5min < [ECL]rock> not blaming just discussing but on my machine it seems a little more than just find an rpm < jtate> Ok. I'm here. We can start now. < RedWolfe> BTW: Thanks for the CDs last week! < jeremyp> ovrclokd: okay, aren't you leading tonight's session though? :) < cybertooth> The menu-ing on RH gets simplier with each release - more like Windows < jeremyp> [ECL]rock: it's just one RPM for MP3 support in xmms < jeremyp> Hey jtate. We wouldn't have started without you :) < [ECL]rock> I have xmms working i am still trying to get xine, ogle or mplayer working < jtate> hehe. < SinnerBOFH> cybertooth: more like Debian you mean... < jeremyp> [ECL]rock: xine and mplayer work nicely with the freshrpms.net RPMs. Just install apt and apt-get them < jeremyp> Haven't tried ogle myself, can't recall if it's there too or not. < [ECL]rock> I have been working with with freshrpms they are not installing < cybertooth> SinnerBOFH: Not a Debian guy, but I hear it's nice. < jeremyp> [ECL]rock: you're using apt-get ? What error messages are you getting? < cybertooth> I downloaded 48Mb of errata for RH9 today < jeremyp> samba and glibc ? < [ECL]rock> missing alsa libraries < jeremyp> Ah, I can't comment on alsa, I thought we were talking about xine and mplayer < jtate> What all was in that errata? < [ECL]rock> I have not tried apt-get < SinnerBOFH> cybertooth: I'm a drakeguy myself. But I learned that MDK menues are Debian menus :) < RedWolfe> kernel and samba < cybertooth> jtate: a new kernel, new glibc, new sendmail, a lot of stuff! < jtower> a new kernel already? < SinnerBOFH> [ECL]rock: apt-get is great to solve rpm-dependency-hell < jtate> I've decided that no new install of mine will persist with sendmail on it. < [ECL]rock> Is there an rpm for apt-get < cybertooth> SinnerBOFH: I run drake on my main workstation, this laptop is my RHCE project laptop < SinnerBOFH> :) < RedWolfe> JTate: sendmail ain't so bad :-) < jeremyp> [ECL]rock: like I said originally, that's at freshrpms.net (the rpm is just "apt" with version stuff) < jtower> jtate: with rh9 you can actually deselect sendmail without breaking stuff < [ECL]rock> cools will try < SinnerBOFH> jtower: that's an improvement < jeremyp> I think it's http://freshrpms.net/apt/ < cybertooth> Sendmail still *rules* the internet though! < jtower> yeah, just like windows *rules* the desktop < jtate> I've uninstalled sendmail just fine in 7.3. < jeremyp> jtower: we don't have sendmail on any of the trilug servers (7.3 based) and it works fine < jtate> I can still sendmail -oi blah. < jeremyp> (using postfix) < Jester_> I uninstall sendmail just fine everytime I put a new machine together < cybertooth> yes, yes, I always recommend that folks use postfix < jtower> i mean that you can deselcet sendmail during installation, i don't think that was ever an option before < jtate> Well, after three straight remote exploits... < cybertooth> Still Sendmail works fine. < jtate> If you select individual packages it works ok. < cybertooth> If your worried about an exploit on a non mail server then simply set Sendmail to only listen to localhost. That is very easy to do. < cybertooth> ... and your mail still gets moved around properly. < jtower> ditto with postfix < SinnerBOFH> ...and direct all your users to use @hotmail.com < jeremyp> Except due to the nature of some of the exploits, you could still be hit if something like fetchmail retrieves a trojan'd email through a vulnerable sendmail. < jeremyp> (even if it is listening only on 127.0.0.1, or behind a firewall, or whatever) < jtate> question: in /etc/resolve.conf can you use more than one search domain? < RedWolfe> postfix may have an "easier" configuration, but its still another language to use and learn < SinnerBOFH> jtate: IIRC, no < ccw> jate: yes < jeremyp> The CERT advisories and RH errata were pretty clear that listening locally or being behind a firewall is NOT protection against the sendmail possible exploits < SinnerBOFH> ccw: really? explain,please * jeremyp will brb -- switching laundry < cybertooth> jtate: yes. < ccw> jtate: have you read the BOG < ccw> ...BOG? < sweeper> jtate: just checked the man page for "resolv.conf" ... yes, you can have more than one search domain < cybertooth> I am the DNS guru! < RedWolfe> (BOG = BIND Operations GUide) < sweeper> jtate: it says "The search list is currently limited to six domains with a total of 256 characters" < ccw> RW: BOG - BIND Operations Guide < cybertooth> jeremyp: listening only locally is protection against the exploit if there are no users that have local access < ccw> That is correct ... there's even a buffer check (now). < jtate> no I haven't read the BOG. < jtower> if it was written more than 15 years ago, cybertooth is the man to ask (sendmail, bind, etc) < jtate> Is there a plug in replacement for BIND yet? < ccw> BIND's first incantation was around 1985 ... < cybertooth> jtower: flattery will get you almost everywhere < SinnerBOFH> ccw: kwel! Now I can have really evil resolv.conf files *evil grin* < cybertooth> There are a lot of BIND replacements < jtower> cybertooth: i'm not sure whether i meant that as a compliment or an insult < jtate> are there any that are any good? < cybertooth> There are two that I know of that are fairly good, but the most recent BIND 9.x is totally re-written from the ground up with security in mind < cybertooth> The code base is totaly different from 8.x on down < jtate> So nevermind about the replacement? < ccw> Yeah, but BIND has had most of the bugs worked out by so many iterations ... < cybertooth> jtate: nevermind about the replacements. < jtower> there seem to be many replacements for caching nameservers, not so many for authoratitive < SinnerBOFH> on HAcking Linux exposed book they recommend BIND 9.x instead and recommend against any previous version < cybertooth> That's because 9.x was a total re-write with security as the primary concern < ccw> second that rec. < jtate> Right. I'll remember that when I go about installing a name server. < cybertooth> Also remember to put in a forwarders section < SinnerBOFH> cybertooth: it seems like you are citing the book :) < RedWolfe> overclokd is 16 mins idle < cybertooth> SinnerBOFH: Hell, I wrote the book < jtate> jtate sheepishly asks, what's a forwarders secton? < cybertooth> The default RH does not put a forwarders section in the conf file for BIND < sweeper> RedWolfe: she's in the kitchen. I told her you guys are just discussing sendmail and BIND :) < SinnerBOFH> cybertooth: which one is your alias? brian hatch? james lee? george kurtz? < sweeper> all this disucssion on BIND is making me thing about next week's class (since I'm the guy on the hook to present it) ... < ccw> forwarders aren't really that useful ... < SinnerBOFH> sweeper: I guess she's glad to not be here, with all this pain < cybertooth> The forwarders section tells BIND where to find information that it is not an authority for (and that is not currently in it's cache) < jtate> Ahh. Gotcha. < sweeper> last week ovrclokd presented TCP/IP Fundamentals, Samba, HTTP/Apache, and FTP (but didn't cover anonymous ftp) < SinnerBOFH> that was a very nice presentation BTW < jeremyp> RHL 9 no longer has the "anonftp" package btw. Since you can just configure it straight out of the vsftpd config file. < SinnerBOFH> any redhat-config-ftp tool? < jeremyp> (no extra packages / binaries/etc/ necessary) < SinnerBOFH> (not yet?) < cybertooth> Ask Chris Knowles how important "forwarders" are in BIND... you'll get an earful. < jeremyp> SinnerBOFH: don't think so. < sweeper> Email Delivery and Protocols was also originally on the schedule for last week, but that's a big topic: MTAs (sendmail, postfix, ?), protcols (POP, IMAP, ?). needs to be scheduled in another session < ccw> ct: aren't you mixing that up with root hints? < SinnerBOFH> sweeper: I agree. I thought that we had originaly schedulled "redhat services" in 2 sessions. ???? < sweeper> SinnerBOFH: we did/do have 2 sessions for network services, but that included 10 topics (!!) < cybertooth> ccw: no they both work similarly < sweeper> I think it's more realistic to cover about 4 per session, and Jeremy suggested adding automount to the NFS dicussion (which makes sense) < SinnerBOFH> maybe we need 3, then? < sweeper> SinnerBOFH: yeah, I think we need to add a 3rd network services class. < ovrclokd> back now. this is what happens when i don't look up from work and think about dinner until 7:15... < sweeper> probably best/easiest to insert it in after between the 2nd on and the following .. which would mean meeting 6 on 4/30 would be a 3rd network services class < sweeper> how's that sound? * SinnerBOFH likes it < ccw> except with forwarders you don't cache ... < sweeper> btw, the schedule has "Other Red Hat Linux Network Services". anybody have suggestions as to what those are? < cybertooth> ccw: no, no, no. You do cache with forwarders, that's the whole point. < cybertooth> ccw: do a dig and look at the lookup time useing the forwarder, then do it again, and this time it takes under 1ms to do the look-up because it's cached the info. < jtower> sweeper: NIS? < cybertooth> NIS should be done with NFS < cybertooth> Their both easy < jeremyp> Yeah NIS/NFS/automount all go together; they're not as hard as people think < jtate> Hmm. Other services? LPRng? < sweeper> jtower and cybertooth: ok, NIS. I'll add that to NFS along with automount < RedWolfe> (they're) < jtate> What about postgres < jeremyp> jtate: we already covered that in the session I did (printing) < RedWolfe> CUPS < jeremyp> RedWolfe: like I said, we already did printing. I don't think we have time to go into any more detail than what we did, if we want to get this done in a reasonable amount of time < jeremyp> jtate: is postgres on the RHCE? < sweeper> jtate: I would put LPRng under printing rather than networking (although the line is blurry) hmmm ... I don't see printing on the schedule, but I think jeremy covered it and lisa toughed on it < jtate> Doubt it. Probably need just a little bit of explanation on how to configure services. < jtate> How to turn them on, off, run levels, etc. < cybertooth> The new gui's make printing a non-brainer these days < jeremyp> We already did that (jason did at the first meeting) < jeremyp> (runlevels and chkconfig that is) < jeremyp> We really have enough to cover in the future without rehashing old things ya know :) < sweeper> cybertooth: definitely. not like "back in the day" ;) < ovrclokd> any volunteers for the 3rd network services session? < RedWolfe> what's the aggregate topics for it? * jeremyp pokes cybertooth < cybertooth> Okay < jtate> Sorry. Brain's not totally here tonight. < cybertooth> I'll go over NFS/NIS and touch on automount < jtate> XP's been in the crapper, and my wife's got a paper due tomorrow. < cybertooth> I hate automount, but it's not hard < sweeper> I could nominate ccw for the BIND part since at 20:20 he said "I am the DNS guru!" :) < jtate> To top it all off, my wireless keyboard is flaking out. < ovrclokd> hey, good point - no reason one person has to do the whole session. people could split up and each take one (or a group of) service(s) < ovrclokd> jtate: ouch... :( *sympathy* < RedWolfe> negative - Cybertooth claimed the DNS GURU title < jeremyp> I prefer the way we've been doing it, one person presenting per session. Let's not make this needlessly complex? < cybertooth> Bind is easy too. Should I do that with the NFS/NIS/Automount < ccw> no that was CT < cybertooth> No, lets make it needfully complex < sweeper> RedWolfe: doh! you are correct. sorry, cybertooth * sweeper can't read the back trace log and eat at the same time < jeremyp> cybertooth: heh < ccw> but I've been a DNS guru...not lately tho < cybertooth> I'll bow and let ccw do DNS < ccw> that's not exactly what I meant < sweeper> now look what I started :\ < ccw> I haven't messed with 9 yet. < cybertooth> I'm happy to do BIND too. I've been writing up a class for it < ccw> ccw can remember what he said from one moment to the next, too. < cybertooth> I'll simply expand the class to include NFS/NIS/Automount < jtate> What are the authentication methods on the exam? NIS? Kerberos? LDAP? < jtate> Should we go over them? < ccw> ct: want me to go over your notes? < cybertooth> PAM < jeremyp> Not sure if kerberos is on the exam or not. NIS certainly is < cybertooth> ccw: i'll put them out for public consumption/regurgetation next week sometime. < RedWolfe> NIS/NFS/RPC?/Automount/BIND/ whatelse? < ccw> Kerberos should be on it if it isn't... < ovrclokd> redwolfe: dhcp? squid? email delivery & protocols? < jtower> is dhcp on the menu? < ovrclokd> anonymous ftp? < ccw> should probably talk about /etc/host with BIND ... < cybertooth> Didn't ovrclokd cover dhcp last week -!- jimstigator [~jim@moya.trilug.org] has joined #trilug-rhce < cybertooth> ccw: yes and /etc/resolv.conf < jtate> xinetd? < RedWolfe> i thought that EMAIL was already in the current sched? < cybertooth> ccw: and /etc/nsswitch.conf < ovrclokd> cybertooth: nope. tcp/ip svcs, samba, apache/http, and basic ftp < sweeper> cybertooth: do you have a preference for giving a class next week (4/16) or 2 weeks later (4/30)? < cybertooth> I remember talking about dhcp during the tcp/ip section < cybertooth> 2 weeks later so I can procrastinate for 2 weeks. < ovrclokd> i did cover /etc/host and /etc/host.conf as part of tcp/ip svcs, tho < jtower> at the end i should be able to do a session on thin clients and/or diskless workstations, which would include dhcp, tftp, pxe, etc. < jtower> if anyone wants, that is < sweeper> we mentioned dhcp during a side discussion that had a life of it's own, but we didn't really cover clients, servers or config < cybertooth> jtower: sound great < ovrclokd> jtower: sounds good to me! < jtate> I tried to set up a DHCP server this week on 7.3 and failed miserably. < jtate> For whomever wants to know. < jtower> what errors did you get/ < jtate> It never started. < jtate> Is it supposed to run as a daemon or under xinetd? < cybertooth> jtate: sometimes the syntax is tough < sweeper> cybertooth: ok < jtower> stand alone daemon < jtower> the errors should have been logged < cybertooth> It may be that you needed to create some of the files that it was expecting to see < sweeper> so to kinda sum up we have two more networking services classes: (4/16) DHCP, Squid proxy, Email, other RHL networking svcs; (4/30) BIND, NFS, automount, NIS < cybertooth> The older versions used to not be able to create - only modify files that it used for it's database. < jtower> all you need is a valid /etc/dhcpd.conf, the others will be created automatically < jeremyp> sweeper: sounds good < cybertooth> jtower: that's the way it should be < jtower> is privoxy replacing squid? < jtate> heh. for some unknown reason there was no /etc/dhcpd.conf file. < jtower> thought squid was being depricated, but maybe i misread that somewhere < RedWolfe> jtower: they have different purposes < jtower> my bad, never mind < jeremyp> jtate: That could be your problem. No config file, da\emon does nothing? :) < sweeper> jtower: don't know, yet. hopefully I'll know by next Wednesday :) < jtate> Well, I created one and it still wouldn't start. < jtower> jtate: if you run 'service dhcpd start' it should tell you what is wrong < jeremyp> also check /var/log/messages < jtate> It said staring dhcpd: then went back to the prompt. < jtate> That I didn't do. < cybertooth> you can also startup dhcpd in debug mode. < sweeper> and if it doesn't tell you on the console/vty, it'll probably say in /var/log/messages < jtate> Don't have the machine in front of me right now. -!- davis [~davis@pixpat.austin.ibm.com] has joined #trilug-rhce < jeremyp> *always* check /var/log/messages when you're having problems with dameons. #1 troubleshooting step :) < davis> hello < Tribot> kon-nichi-wa, davis < RedWolfe> tribot: excuse < Tribot> RedWolfe: We had to turn off that service to comply with the CDA Bill. < jeremyp> (do we have a general troubleshooting session planned? That will be important for the exam) < jtate> Still doesn't answer my question of why there's no default dhcpd.conf file installed with the Redhat dhcpd packages. < jtate> Don't know if that's true for 8 or 9. < jtower> jtate: can;t have one by default, it all depends on your specific IP info < sweeper> jeremyp: the last class is titled "Routers, Firewalls, Clusters and Troubleshooting". not sure if that troubleshooting is general or specific to firewalls, etc. probably the latter < jtate> But you could have a stub. < jtate> That's what LDAP does. < jtower> a redhat-config-dhcpd would be nice though < cybertooth> jtower: then it would be *too* easy! < cybertooth> I think there is a webmin for dhcpd < jtower> cybertooth: they're trying to put us out of business!!! < jeremyp> cybertooth: yeah, but webmin is not the red hat way (tm) :) < cybertooth> jtower: what business? $120/year < cybertooth> jeremyp: know what you mean - just talking in general (to be helpful) * RedWolfe sings "My way is the company way. . . . " < jtower> considering my creative deductions i'm happy :) < jeremyp> cybertooth: understood. I like webmin; I set it up so our webmaster can give out accounts easily on the intranet web server without bugging me all the time < jtower> jeremyp: with no redhat-config-dhcpd there is no red hat way (tm) < cybertooth> jtower: not like a few years ago when I actually wrote off my RR connection as a business expense. < jeremyp> jtower: well, except for vim :) < jtate> I swear that Microsoft will be the death of me! < jtower> i swear that i will be the death of microsoft < cybertooth> MS's dhcpd works fairly well and is easy to setup. < sweeper> jtate: well ... yeah :) < jtower> cybertooth: i've had major problems with dhcpd on NT in the past. haven't used w2k though < cybertooth> MS's dhcpd will also do a ping test before handing out an IP - which really helps in on a network full of yabbo's < jtower> it would run out of leases and refuse to use expired ones < jtate> Windows could not start because the following file is missing or corrupt:\Windows\system32\config\system < cybertooth> jtower: like everythig MS you have to patch the living hell out of it before it is stable. < jtower> cybertooth: doesn't the ISC dhcp daemon do that too? < jtate> By the time it's patched there's nothing original left. < jtower> the ping thing i mean? < cybertooth> jtower: I'm sure it does now. I havent' setup a dhcp server on Linux in over a year. < jeremyp> cybertooth: what do you mean by "yabbo's" ? < jtower> i've never had a single problem with dhcpd on linux, knock on wood... < cybertooth> tribot what is a yabbo < Tribot> cybertooth: wish i knew < cybertooth> jtower: well there was the problem where you had to define 255.255.255.255 to the linux box as a valid route or dhcp would fail... < jtower> i've read about that but never experienced it in the wild, guess i'm lucky < cybertooth> yabbo's are folks who *think* they know what they are doing, and also *think* they are being helpful by setting up their own dhcp services in competition with your corporate server. < jtower> cybertooth: i did that once, i set up a dhcp server (on a cisco router) on my network. but clients were getting IPs that i did not define. turns out some idiot set the routers to forward broadcasts across the WAN < jtower> so workstations in smithfield were gettings addresses from a dhcp server in boone < cybertooth> jtower: ha ha - you gotta love that! :) < jtate> Question: I'm running LDAP for authentication on a 7.3 box. < RedWolfe> jtow:: was it at leas in a friendly administrative domain? < jtate> Now I'm trying to use sudo, but the new group I created with myself in it isn't being recognized. < jtower> RedWolfe: friendly but stupid :) < jtate> Probably because the group is also defined in /etc/groups huh? < sweeper> jtate: why is that? /etc/groups takes precedence? < jeremyp> The order depends on /etc/nsswitch.conf < jeremyp> "files" refers to /etc/passwd, group, hosts, etc < jtate> I think according to my /etc/pam.d/auth_config it's higher in the stack. < jeremyp> (other entries are ldap, nis, etc) < jeremyp> jtate: I thought you were talking about groups, not passwords. PAM has little to do with groups < jeremyp> Authorization and authentication are two separate things here < jtate> My bad. < jtate> Sorry. < jtate> I guess I'd forgotten about that nsswitch.conf file < jeremyp> But you understand the differnce? Things like /etc/group, permissions on files, etc, define who has access to what services, do things like UIDs, GIDs, etc... that's authorization < jtate> Something else to add to my kickstart %post script. < jeremyp> authentication is passwords, and is often what PAM deals with * sweeper browses "man nsswitch.conf" < jeremyp> (though PAM can do some other things) < jtate> Yes, I understand. I guess I forgot that PAM was the authentication module. < sweeper> wow, nsswitch.conf sure controls a lot of stuff. better remember it < jtate> Like I said, I'm not all here tonight. < jeremyp> authentication = proving you are who you say you are. authorization = what resources people have access to < cybertooth> sweeper: I'll cover nsswitch.conf in my talk < jeremyp> jtate: yeah, just thought it would be helpful to explain myself to others < sweeper> cybertooth: cool < jtate> I put a # infront of the wheel entry in /etc/group, and now I can sudo. < jtate> Thanks. < sweeper> it's called "Name Service Switch". I guess most of what it does is network related, but there are a number of non-network things, too (like groups, passwds) < jtate> In a networked environment, groups and password is networked: NIS, kerberos, etc. < jeremyp> sweeper: well, it is network related, because what it does is allow "name service" things (like group lookups) to happen over network services, instead of consulting the local files < jeremyp> like jtate is just talking about < cybertooth> sweeper: it determines the order in which various authentication systems are checked. < sweeper> jeremyp: yep, I get it < jtate> It's nice to have root in your local /etc/passwd file, so when all other networking is down, you can still log in. < jeremyp> so jtate may have been able to solve his group problem by changing nsswitch.conf to lookup NIS first (for the wheel group), though commenting it out in /etc/group worked because it went on to NIS < sweeper> cybertooth: isn't is authorization rather than authetication? (per jeremyp's discussion earlier) < jtate> Maybe some time spent on the nscd would be useful? < jeremyp> Yes, nsswitch.conf is related to authorization; PAM is for authentication stuff < jtate> jeremyp:LDAP, but yeah. < jeremyp> (though nsswitch.conf also controls DNS and other stuff0 * cybertooth is away: Opps... Daddy duty calls and I must away. * sweeper likes man pages .. gotta go read "man nsswitch.conf" on a box later than RHL 7.2 to see if it's changed ... < jeremyp> jtate: oops :) < jtate> No biggee. < jtate> Gonna attack kerberos tomorrow probably. < jeremyp> kerberos is pretty cool. I finally think I understand it (at least the basics) after playing around a lot last week. < jeremyp> Google on "kerberos FAQ" -- that site is really good < jeremyp> But it was actually the RHL manuals that got it working for me. * jeremyp pimps the RHL manuals again -- they've got great tech writers! < jeremyp> (The FAQ helped me really understand kerberos) < jeremyp> (but the manuals actually got it working...that's what counts!) < RedWolfe> are we/have we covered PAM? < sweeper> RedWolfe: PAM is in the "User and Host Security" class (the penultimate class .. unless we add more) < jtate> Not sure which would be better: remove the group from /etc/group or reorder nsswitch.conf. < jeremyp> Well, we discussed the 'authconfig' and /etc/pam.d/system-auth a little bit. But it will come up again in the NIS session < ovrclokd> rhl manuals rock. :) < jeremyp> (since NIS does both authentication and authorization, to bring up those a-words again...*grin* ) * sweeper pinps lisa's syllabus page: http://www.trilug.org/~lisa/syllabus.html < ovrclokd> saction < jtate> I'm not going to put root in LDAP, but I don't want it to have to go to LDAP when local lookup is nearly instantanesous. < jeremyp> yeah, I think local first makes sense < jeremyp> But I guess it depends on your network < jtate> I'll probably just use a different group for sudoers other than wheel is in order. < jeremyp> And having the "passwd" lookup (which really means user information, not actual passwords, remember) use files first is probably a good idea, so you can always login as root even if LDAP breaks * cybertooth is back (gone 00:06:39) < cybertooth> jeremyp: I believe you can specify in nsswitch to move on if an authentication type takes too long - then it moves to the next in the list < jeremyp> Yeah, there are some neat options like that. < jeremyp> Though what if your LDAP server is borked and returns wrong information, like a non-zero UID for root or something? Then what do you do to login? :) < jtate> jtate can't do the tricky pimping, but attempts to pimp directory_administrator for LDAP authentication setup and maintenance. < cybertooth> So you *could* lead with ldap, but if it is down, be prepared for some long waits for authentication. < jtate> boot from cd to rescue mode. < RedWolfe> boot "single"! < jtate> Yep. < cybertooth> knoppix rules < cybertooth> Anymore biz tonight? WW is on. < jeremyp> Well, single user is your last resort, yes. Not ideal for remote servers though. < jtate> cybertooth? Don't you have TiVO? < jeremyp> Tribot: what is WW? < Tribot> jeremyp: no idea < sweeper> cybertooth: WW is a rerun tonight (acording to TiVo) < cybertooth> jtate: I buy the TiVO after unc-tv lets me put a cluster in for them! < jeremyp> cybertooth: this crowd needs a better excuse than TV :) < jtate> If not what about the "Open Source alternatives?" < jtate> Bake your own TiVo. < cybertooth> jeremyp: Oh, I'm out of beer... bye! < jtower> jeremyp: yeah, like a good bzflag game :) < RedWolfe> West Wing *is* a repeat < jtate> Can't tell me you don't have enough spare computing around to make yourself one. < jtower> i thought he ment wayne's world < jeremyp> How much are TiVOs these days? Have people come up with a way to avoid paying the $10/month and have it still work right? < jtate> Stupid NTFS. < jeremyp> I was thinking it was some sort of wrestling thing :) < cybertooth> jeremyp: pay the $300 life time membership < ovrclokd> jeremyp: yeah, pay $X upfront and have it work right. < jeremyp> Aw, come on. Surely someone's reverse engineered the protocol :) < jtate> Get the replay if you don't want monthly fees. < Jester_> Do they only work with DirecTV? < cybertooth> jtate: isn't NTFS a form or wrestling? < jtate> No-one's going to do that. < jtate> Mostly. < sweeper> jeremyp: IIRC, the series 2 standalone in just under $400. lifetime subscription is about $300 < jtate> The hackers like hacking TiVO. If they hack the subscription protocol, TiVO will shut down the other hacking. < SinnerBOFH> cybertooth: NTFS is actualy a refined form of torture from the NW of the US of A < sweeper> Jester_: yes, the have a DirecTiVo version < jeremyp> So $700 for TV...wow. Yeah, cybertooth will need to put in some clusters :) < cybertooth> I saw an article that used TVguides site toload theinfo into their home-made tivo < RedWolfe> TiVo? sheesh < jtate> TiVo series 2 already is quite locked down. < sweeper> jeremyp: no, you still have to supply your own TV :) < Jester_> sweeper: No, the question was whether it works with anything else? Like cable? < jeremyp> sweeper: yeah, and cable service! < jeremyp> Jester_: the full TiVOs work with cable or off-air programming, yes. < jtate> I've got a usb ethernet adapter connected to my TiVO. No phone line at the house is a beautiful thing. * jtower is happy with his purchase of a TV card for his server < sweeper> Jester_: yes .. or maybe. there are 2 models - a standalone that works with cable and a directtivo that works with directtv. I have the series 2 SA < jtate> I've got several links to good sites, I just can't get to them right now. < jeremyp> Jester_: but the special "DirecTivo" version only works with DirecTV, and is cheaper (since it doesn't have the video compression codecs in it -- directv is already compressed) < [ECL]rock> I like bittorrent instead of tivo < jtate> If you've got DirectTV and a HD quality set, wait til this fall when you can get HD compatible DirecTiVO units. Drool. < Jester_> Ah, was just wondering how many of the features would be missing < Jester_> Since I've got the dang cable box -!- cybertooth [~cybertoot@rdu163-124-248.nc.rr.com] has left #trilug-rhce ["Client Exiting... Later amigos!"] * sweeper sweeper almost got a TV card for his server for $10 at work, but somebody beat him to it < jeremyp> Jester_: you still get the full programming info if you pay; it either connects to TiVo's home office via phone line, or your broadband Internet (via Ethernet) < jtate> I think I royally hozed my XP NTFS machine. < Jester_> jeremyp: But can it somehow switch channels if I ask it to record shows on multiple channels? < sweeper> [ECL]rock: bittorrent serves up video? (like the rest of the P2P networks, right?) < jeremyp> Jester_: yes, there's an IR flasher you can program and hook up < Jester_> jeremyp: Ah, no kidding... cool < [ECL]rock> i have found the enterprise episodes easily < jeremyp> Many VCRs come with IR flashers too, that's actually not that new a thing. It's just that many people don't bother to program them :) < jtate> www.cadsoft.de/vdr < jeremyp> Usually it just becomes one of those spare parts in the bottom of the drawer that people ignore :) < sweeper> Jester_: or, maybe, no. the standalone can only record one channel (unlike the directivo which can handle 2, I think) < Jester_> parabuthus, who is Jester_ < jtate> (Link from popular science) < Jester_> sweeper: I don't necessarily mean concurrently... more like serially < sweeper> Jester_: ah. then, yes. < sweeper> jtate: yeah, I have that issue. I want to build one ... but we only have one tv and limited space in the entertainment center. sigh. < jtate> I think the tower case is going to become less popular over the next while. < jtate> Towers don't fit well in Entertainment cases. < jtate> I've still got room in mine, but no desktop case. < jeremyp> Sorry for all the TiVo conversation here, we really should be directing that in #trilug < jeremyp> Anyone have any further RHCE-related questions or comments ? < sweeper> somewhere (probably /., maybe ars technica) I got to a web site about guys who put there entertainment PC in an old VCR chassis. very slick. DVD tray come out the slot. had a little LCD screen < jeremyp> Do we have the agendas for the next meeting finalized then ? < sweeper> jeremyp: nope. ovrclokd will update the syllabus with what we decided. we'll post it to the list so people can see the new dates < jeremyp> so we did end up adding a meeting then? That's what I wasn't clear on < sweeper> jeremyp: yep, I have the agendas (I posted them a wile back) < ovrclokd> sweeper: nope, not finalized? sounded pretty finalized to me? < jtate> Anyone know how to start a second X server? < sweeper> jeremyp < jeremyp> jtate: try "startx -- :1" when logged into a text VT < RedWolfe> sweeper: could ovrcloked put a ling from ~ direct to the syllabus? < sweeper> jeremyp: yes, we're adding a 3rd network services class on 4/30 and the rest of the class will get pushed out. < ovrclokd> redwolfe: yes, ovrclokd could. ;) < jeremyp> (that will get you an X session running on ctrl-alt-F8, or X display ":1" ) < jeremyp> sweeper: okay. < jeremyp> Can I ask that we try not to add any more sessions though? < RedWolfe> ovrcloked: pleas, would you? < sweeper> RedWolfe: <confused> what does "from ~ direct to the syllabus" mean? < jeremyp> We need to work hard to move quickly so this doesn't draw out forever. < RedWolfe> the $HOME page < jeremyp> RedWolfe: there is a link: see http://www.trilug.org/~lisa/ < ovrclokd> redwolfe: ask and you shall receive. go check ~. ;) < sweeper> jeremyp: hmmm. not sure we can cover the rest of the networking topics in one night ... < ovrclokd> jeremyp: you mean "any more after the 3rd networking session" right? < jeremyp> sweeper: I agree, but let's try to embargo new sessions from now on < jeremyp> This is just my thought, I want to get this over with and take the RHCE before I waste the money I have saved for it. :) Others may be on a different timetable < sweeper> jeremyp: agreed. we could also look over the future sessions and see if any can be collapsed (maybe?) < RedWolfe> Ovr: Merci beaucoup! * sweeper just looked over the syllabus and doesn't see much we can compress < jeremyp> Wait, I just noticed that meeting 8 has a lot of the stuff we've been talking about tongiht (LDAP, PAM, NIS) * RedWolfe should know better to ask thing in the manner he did. < jeremyp> So we don't really need the 3rd network services section -- except for the BIND part < ccw> I don't think tonight's coverage was rigorous enough. -!- cybertooth [~cybertoot@rdu163-124-248.nc.rr.com] has joined #trilug-rhce < sweeper> jeremyp: I'd still like to have a class that covers LDAP and PAM since we get it haphazardly via irc < cybertooth> I'm still looking forward to the LDAP class from Mr. Turner < jeremyp> sweeper: right, that's meeting 8, that's what I was saying < ovrclokd> jeremyp: you suggesting squeezing nfs/nis into meeting 8 and bind into next week's? < cybertooth> I was going to do all that at once < sweeper> but I think scrubbing the syllabus is in order ... I noticed that the current meeting 6 has s/w raid which was covered during meeting 2 < jeremyp> well, maybe our original plan is fine, but we can retool meeting 8 < jeremyp> we didn't really talk about software raid configuration with the md tools, only the Disk Druid GUI stuff though < sweeper> jeremyp: oh, ok. * sweeper has never setup software raid so doesn't know the extent of it < cybertooth> I dont' think for the RHCE you need to worry about sw-raid outside of setting it up via the installer. * ovrclokd thinks we should have additional meeting for nfs/nis/bind/automount, cybertooth presents, and then do everything else in meeting 8 as listed < jeremyp> well let's go with our current plan then (two more network services meetings, sweeper doing the next one, and cybertooth doing the follow one) * sweeper agrees with ovrclokd's plan < jeremyp> then we'll probably havce some other things we can add to meeting 8 when we get to it -!- clotman [~clotman@moya.trilug.org] has quit ["off to bed"] < ovrclokd> jeremyp: makes sense < jeremyp> There's always plenty of stuff to talk about with respect to security :) < cybertooth> The mysterious meeting 8... < jeremyp> "the meeting 8 my homework, teacher!" * ovrclokd giggles at jeremyp < jeremyp> By the way, regarding our previous discussion of Freenode's stability, there was just an interesting "Global Notice" sent out -- check your IRC client's "console" window < sweeper> someone (?) could put together a general troubleshooting talk and throw that into meeting 8 ... ? < cybertooth> His longing overtook him, and he could no longer keep quite about his longing ache for the mysterious meeting 8... < Jester_> Speaking of running an irc server, didja read the freenode news? * sweeper found that hitting ^D a few times exits from irssi and logs him out. thank goodnees for screen :0 * Nat_RH holds on as the freenode servers begin to crash < jeremyp> Jester_: see my comments three lines above yours :) < Jester_> jeremyp: Yeah, just saw it... sorry -!- [ECL]rock [~n@cpe-024-211-148-035.nc.rr.com] has quit [] < ovrclokd> cybertooth: stop it, man, yoiu < ovrclokd> you're scarin' me! < ovrclokd> (okay, who put the ' next to the enter key...) < Jester_> hehe < cybertooth> ovrclokd: damn bill gates and his ergonomit keyboard! < ovrclokd> cybertooth: damn bill gates, period. :) < Jester_> parabuthus saveall < Jester_> damn client < jeremyp> what is the signifigance of "parabuthus" ? < sweeper> tribot: who is parabuthus < Tribot> sweeper: i don't know < Nat_RH> jeremyp: Don't ask...u prob. don't wanna know :) < jeremyp> Nat_RH: a type of scorpion? huh? < Nat_RH> He is one with many animals < Jester_> jeremyp: Yes < Nat_RH> <----scared of all those critters! < Jester_> jeremyp: Added an infobot type script to it... trying to get the thing working < RedWolfe> 22:03 - ?bedtime? -!- cybertooth [~cybertoot@rdu163-124-248.nc.rr.com] has left #trilug-rhce ["Client Exiting... Later amigos!"] < jeremyp> RedWolfe: probably. < jeremyp> Thanks all -- good session tonight! * sweeper seconds the motion for bedtime < RedWolfe> sweeper: so, the syllabus will be adjusted and posted? < sweeper> RedWolfe: yep. ovrclokd will do it :) < sweeper> (I'll give her the info and the log from tonight's irc session) < RedWolfe> many thanks to Ovrcloked < RedWolfe> tribot: excuse < Tribot> RedWolfe: wrong polarity of neutron flow < SinnerBOFH> that's an excuse! < ovrclokd> redwolfe: you're welcome... :) < ovrclokd> have a good night, y'all! ;) * SinnerBOFH wonders what tool, aside from vi or emacs , people use to code < SinnerBOFH> g'night ovrclokd! see you tomorrow! < RedWolfe> Sinner, how about a compiler :-) < ovrclokd> sinnerbofh: see you tomorrow. if it only takes 1:45 then i should be able to get there a little early < ovrclokd> i'll call from the road and let you know how it's looking... < sweeper> SinnerBOFH: I use nedit as my editor (when I have X windows) < SinnerBOFH> ovrclokd: cool. drive safe! < ovrclokd> sinnerbofh: will do. thanks! -!- ovrclokd [~lisa@moya.trilug.org] has quit ["leaving"] < SinnerBOFH> sweeper: does it has syntax colouring & completion? < sweeper> SinnerBOFH: it has syntax highlighting and a pretty good macro language. don't think is has completion (completion of what?) < SinnerBOFH> of commands, variables and such < jtate> try eclipse.org < jtate> SinnerBOFH: try eclipse.org < SinnerBOFH> jtate: does it support php? < jtate> Don't think so. < jtate> That'd be sweet. < jtate> VI's got pretty nice syntax hiliting for PHP. < sweeper> SinnerBOFH: nope, no competion. it has really cool text selection and moving, including rectangular selections -!- jtower [~jason@moya.trilug.org] has left #trilug-rhce [] < jtate> The stock emacs one is lacking. < ccw> waves g'night < sweeper> fwiw, nedit is at nedit.org < SinnerBOFH> jtate: mmm, thanks, i'll look into it < SinnerBOFH> g'night ccw -!- ccw [~ccw@durham-ar1-4-64-250-023.durham.dsl-verizon.net] has quit ["Client Exiting"] * RedWolfe waves and gives g'nites to all < sweeper> g'night all < SinnerBOFH> g'night all me too --- Log closed Wed Apr 09 22:17:12 2003 Generated by irclog2html.pl 2.1 by Jeff Waugh - find it at freshmeat.net!