--- Log opened Wed Apr 23 19:55:10 2003
-!- sweeper [~mbroome@moya.trilug.org] has joined #trilug-rhce
-!- Topic for #trilug-rhce: Next meeting - Wed April 23 -- right here in IRC, 8pm
-!- Topic set by jeremyp [] [Tue Apr 22 14:32:05 2003]
[Users #trilug-rhce]
[@ChanServ] [ jbroomeLUG] [ jimstigator] [ nardac] [ Sinner_] [ Tribot]
[ gmontag ] [ jeremyp ] [ jtate ] [ Nat_RH] [ sweeper]
-!- Irssi: #trilug-rhce: Total of 11 nicks [1 ops, 0 halfops, 0 voices, 10 normal]
-!- Channel #trilug-rhce created Sun Apr 6 17:01:25 2003
-!- Irssi: Join to #trilug-rhce was synced in 1 secs
-!- ovrclokd [~lisa@moya.trilug.org] has joined #trilug-rhce
< ovrclokd> hi all...
< sweeper> ovrclokd: hi :
< jtate> Hello
< Tribot> que tal, jtate
-!- ccw [~ccw@durham-ar1-4-64-250-023.durham.dsl-verizon.net] has joined #trilug-rhce
< ccw> waves to the crowd
-!- RedWolfe [~root@durham-ar1-4-64-250-023.durham.dsl-verizon.net] has joined #trilug-rhce
< ccw> waves to RedWOlfe
< ccw> wonders at the "silence".
< ovrclokd> isn't that a depeche mode song?
< ovrclokd> no, wait, that's "enjoy the silence"...
< jtate> <- recovering from the shockwaves
* sweeper is running a little late and just switched to the laptop so he can eat dinner while on irc
< ccw> S & G had the "Sound of ..."
* RedWolfe waves
< ccw> actually waves to RedWolfe.
< jtate> How do you do what you just did sweeper and RedWolfe?
< ccw> So, what's the subject for today.  Networking 3 of 2 ?
< sweeper> you type "/me ...."
< jtate> How do you get it to show up in italics and junk.
-!- cybertooth [~cybertoot@rdu163-124-248.nc.rr.com] has joined #trilug-rhce
* jtate tries out this trick.
< jtate> coo.
< cybertooth> what trick :-(
< ovrclokd> isn't it still networking 2 of 2?  3 of 2 is next week...
< sweeper> jtate: yeah, coo :)
< ovrclokd> cybertooth: the /me trick.
< jtate> typing /me
* cybertooth tries this too
* cybertooth you learn something old everyday!
-!- jtower [~jason@moya.trilug.org] has joined #trilug-rhce
* cybertooth says you learn something old everyday!
< sweeper> ovrclokd: yep, I the format is that the IRC *after* the class is a Q&A for the class (for stuff that didn't get covered in enough detail)
< ovrclokd> does that mean we're teaching a new dog old tricks? ;)
* ovrclokd is punchy tonight
< ccw> Then today in networking 3 of 2 (of 4)
< cybertooth> I thought Mr. Broom did quite a good job
< sweeper> ccw: too many numbers. :)  I think it's Q&A for 2 of 2 (of 3)
* ccw shouts "Here! Here!"
< RedWolfe> Huh? "Where WHere?"
< ovrclokd> i'm sorry i missed it!  i was in toronto for work.
* ccw points at Mr. Broom. "There! There!"
< sweeper> cybertooth: thanks!  it wasn't as polished as I had hoped, but that's what I get for procrastinating
* ovrclokd picks up an "e", dusts it off, and puts it back on the end of mr. broome's name
< cybertooth> Well I don't think you're supposed to do more than run the meeting and present "the red hat way" (tm)
* sweeper points out that he spells Broome B-R-O-O-M-E. just for the record :)
< sweeper> cybertooth: good enough.  so any questions from 2 of 2 of 3?
< ovrclokd> sweeper: doesn't that mean you should be sweepere? ;)
< ccw> It has been pointed out to me that that should have been "Hear!  Hear!".  (How very 18th cent.)
< sweeper> I still plan on updating my presentation to make it purdy and add a few things.  Real Soon Now :)
< sweeper> ovrclokd: *grin*
< RedWolfe> Sweepere: you did a good job.
* ccw adds an "e" to his transcript ...
< ovrclokd> cybertooth: what's your real name?  i went to update the syllabus for your class and realized i only knew your nick
< jtate> whois cybertooth
< jtate> tribot: whois cybertooth
< Tribot> well, cybertooth is the amazing and incredible Jon Carnes
< sweeper> ovrclokd: btw, I made a note that cybertooth is Jon Carnes.  I should give that to you :)
< cybertooth> No really... Im just amazing.
< RedWolfe> He's quite a Mailman
< sweeper> He's quite a Sendmailman
< ovrclokd> cybertooth: no, you're pretty incredible, too.
< sweeper> ... but not incredibly pret
* sweeper wonders if that was out loud
< ovrclokd> so, if we don't have questions about 2 of 2, anybody want to volunteer for the kernel svcs and config presentation?
* sweeper also wishes I could spell pretty. would have been funnier
* jtate has never actually compiled the kernel
* jtate but has done plenty of module manipulation and initrd generation
< cybertooth> Does anyone really think that we will have to recompile a kernel for the exam?
< cybertooth> If so, they better give us one d*mn fast machine.
* ovrclokd has recompiled a kernel (and if i can do it, it can't be THAT hard!)
< jtate> I've recompiled SRPMS of the kernel.
< jtate> After today's glitch using LDAP, I could do a small pres on that with you next week cybertooth.
< jtate> Maybe since that's meeting 9 I'd better volunteer for that.
< cybertooth> jtate: if you want I'll setup a date/time and you can do a whole class on LDAP
< jtate> Not sure if I can do a whole class on it.
< cybertooth> LDAP is one of those much requested classes for TriLUG to dol.
< cybertooth> s/dol/do/
< jtate> Be happy to help
< jtate> As long as I can get hotgrits to help on it.
< cybertooth> Yeah, we keep hitting up hotgrits to do it, but so far he's dodged it every time.
< RedWolfe> Tribot: whois hotgrits
< Tribot> somebody said hotgrits was fantabulous Mark Turner, http://www.markturner.net, N4JMT, of Siteseers fame, who needs a job.
< jtate> I wonder if there's a kernel module for mounting ldap directories yet.  I.e mout -t ldap binddn='thisandthat' /mount/ldap.
< ovrclokd> jtate: i think recompiling SRPMS of the kernel is all they'd expect us to do these days...
< ccw> hello, tribot
< Tribot> hola, ccw
< jtate> s/mout/mount/
< sweeper> cybertooth: I doubt we'll have to recompile the kernel in the exam, but item 19 of the prep guide mentions building the kernel from source.  there could be questions about it, I s'pose
< jtate> Tribot is hispanic today.
< jtate> make menuconfig
< sweeper> the exam prep is at http://www.redhat.com/training/rhce/examprep.html
< jtate> Yeah, put me down to lead meeting 9
< jtate> I'm very interested in meeting 10.  Would like to set up my linux server as a gateway/router rather than using this dlink thing that freezes about twice a week.
< sweeper> jtate: "user and host security"? you got it
< cybertooth> Get a linksys.
< RedWolfe> Be able to install kernel sources and development tools needed in order to rebuild the Linux kernel.  Be able to configure, build, and install the Linux kernel and modules from source, and Understand LILO and GRUB elements, boot sequence, and configuration.
< cybertooth> Didn't Sinner_ give a talk on user and host security last year?
< ovrclokd> jtate: thank you!  i'll update the syllabus and add you to meeting 9.
< cybertooth> I think the most we'll have to deal with is modules.
* RedWolfe quotes from the prep guide
< cybertooth> I've rebuilt a lot of kernels.  It's not hard.  it's just a PITA.
-!- Nat_RH [~Nat@rdu74-184-217.nc.rr.com] has quit [Read error: 104 (Connection reset by peer)]
< RedWolfe> I used to build a lot of kernels, it is a PITA most of the time
< sweeper> any other volunteers for upcoming meeting presentations?  search http://www.trilug.org/~lisa/syllabus.html for "Anonymous Coward" to see what's available
< jtate> Does anyone have a RHCE prep book that they'd recommend?
< jtower> sweeper: i'll volunteer for #10 if no one else wants to do it.  i'm not the end-all be-all wizard of routing and firewalls but i'm passable
< RedWolfe> I don't feel secure enough to lead any of the remaining nights
< jtower> jtate: the books from redhat press, though not RHCE books per se, seem to be very good overall
< jtower> networking and system administration is a good example
< jtate> http://www.amazon.com/exec/obidos/tg/detail/-/0072224851/qid=1051144308/sr=8-1/ref=sr_8_1/002-2871299-9576033?v=glance&s=books&n=507846 Lists an RHCE book plus the one jtower mentioned for 70 bucks.
< ovrclokd> jtower:  sounds good to me.  it's not like any of us are experts (except maybe jon and jeremy...)
< sweeper> jtower: no need to be a wizard (heh, I just covered sendmail in front of the amazing Sendmailman :)  ovrclokd will put you down for "Routers, Firewalls, Clusters and Troubleshooting"
< jtower> jtate: if you want to borrow my copy you're welcome to it.
* nardac must depart... he has worked too long today and must eat...
< nardac> i'll read the logs later :)
< nardac> hope to attend my first meeting next wed.
-!- nardac [~kiasoft@216-187-195-43.dsl.btitelecom.net] has quit []
< RedWolfe> someone remind me, what were the "other RedHat networks services" that we covered?
* RedWolfe slaps RedWolfe around with a small 50lb Unix Manual
< sweeper> RedWolfe: NTP was the main one.  I also mentioned innd NNTP server, but really only said the name
< RedWolfe> Ouch!
< jtate> A good article on the "NEW" items in RH 9 http://www.gurulabs.com/RedHatLinux9-review.html
< jtate> Don't everyone go and read it at once.
< jtate> :)
< jtate> Question about NTP.
< jtate> If NTP is running, and there's a hole poked into iptables at port 123.  Are you running a server?
< jtate> Can you limit who connects via some configuration file declarations?
< jtate> What's the step-tickers file for?
< sweeper> jtate: I *think* there's a difference between running as an ntp server and ntp client.
< sweeper> just running ntp daemon to sync your time is running as a client and shouldn't be accepting incoming connections
< ccw> step tickers are for the initial setting of a server/client time.
< sweeper> /etc/ntp/step-tickers is the file that's used by the init script to initially set the time (one time)
< jtate> Well, I've got a small network.  I'd like to use one server to sync with tick.navy.gov.mil (or whatever) and the other servers sync with that one.
< jtate> So what's it supposed to look like?
< ccw> servers provide time to other clients.  The server and the client program are the same.
< sweeper> take a look at /etc/rc.d/init.d/ntpd to see how step-tickers is used in calling ntpdate
< jtate> so if is syncing over its external interface to time.trilug.org, then the other servers only need to have server in their ntp.conf files to sync with that server?
< cybertooth> I think it's also fairly easy to setup your box to allow ntpdate from your local network.
< RedWolfe> (a `cat step-tickers` is used to append the names onto the ntpdate command)
< RedWolfe> jtate: something like that. :)
< ccw> basically, being a server is a configuration option.  i.e.  The program doesn't have "nopeer" and "noserver" on
< jtate> redwolfe: Actually it's a sed -e 's/\*.*$//g'
< ccw> the default restrictions.  (Although, it might have nopeer by itself.)
< RedWolfe> (it used to be a cat, I think?)
< cybertooth> Just read the scroll back on the whos-doing-what presentation... (was on a phone call)
< ccw> one may have multiple step tickers and the NTP program will pick which one provides the "best"
< ccw> time and use that.
< cybertooth> You don't *have* to be an expert to present.  You can simply read the Red Hat doc's from RH9 on the topic and use that.
< sweeper> cybertooth: yep, that's what I did
< cybertooth> But... the best way to learn is to present.
< ccw> jtate: that is correct.
< cybertooth> So... think about what you are weakest in, and present that.
< cybertooth> You don't have to be mr. expert, just lead the discussion.  
< ccw> ct: that might help you but will it help US?
< cybertooth> Well, I'm pretty comfortable with every topic but kickstart - and that one was already done.
< jtate> Here is my ntp.conf:
< jtate> restrict default ignore
< jtate> restrict
< jtate> server
< jtate> fudge stratum 10
< jtate> driftfile /etc/ntp/drift
< jtate> broadcastdelay  0.008
< jtate> authenticate yes
< jtate> keys            /etc/ntp/keys
< jtate> restrict tock.usno.navy.mil  mask nomodify notrap noquery
< jtate> server tock.usno.navy.mil
< jtate> restrict time.windows.com mask nomodify notrap noquery
< jtate> server time.windows.com
< jtate> restrict clock2.redhat.com mask nomodify notrap noquery
< jtate> server clock2.redhat.com
< jtate> restrict ntp.cmr.gov mask nomodify notrap noquery
< jtate> server ntp.cmr.gov
< jtate> restrict mask nomodify notrap noquery
< jtate> server
< jtate> restrict mask nomodify notrap noquery
< jtate> server
< jtate> restrict time.trilug.org mask nomodify notrap noquery
< jtate> server time.trilug.org
< jtate> I figure one of the best ways to get back at microsoft is to use its servers as much as possible.
< cybertooth> ccw: look within yourself for the answer.
< ccw> restrict default ignore is a no-no in polite ntp society if you're getting time from the net...
< jtate> That's the default that RH uses.
< jtate> What does that mean?
< jeremyp> Evening folks.
< ccw> btw, time.windows.com goes through a really weird topography inside MS.
< jtate> Hey j:
< cybertooth> Hola, uncle Jeremy
< ccw> jtate: if you're getting time from the web it is polite to let the people on the outside
< ccw> see what you're doing.
-!- Nat_RH [~Nat@rdu74-184-217.nc.rr.com] has joined #trilug-rhce
< jtate> Ahh, so what should that be: restrict default accept?
< ccw> try "restrict default notrust nopeer noserver notrap" instead.
< ovrclokd> hi jeremy!
< sweeper> jeremyp: hi.  how was the concert?
< ccw> s/noserver/noserve/
< jtate> And if I want this machine to be an ntp server?
< ccw> btw, default mask is ...
< jtate> so all those mask lines are redundant?
< cybertooth> WW alert.
* jtate doesn't know what a WW alert is
< cybertooth> West Wing just started.  Sorry got hooked over the winter.
< ccw> You should say: default notrust nopeer lowpriotrap nomodify
< jeremyp> Sorry, was reading scrollback.  sweeper: it was pretty good, it was short too which was good :)
< jtate> You can come over and watch it on my TiVO.
< ccw> jtate: you will need restrict statements for your outside servers that say: nomodify lowpriotrap
< jtate> What does lowpriotrap mean?
< ccw> do NOT put noquery on your outside servers.  They might want to see what you're doing if
< jtate> I tried reading the ntp documentation, but it was too verbose.
< ccw> they have a problem
< jeremyp> So, jtate is leading meeting 9 then?  Thanks for volunteering, Joseph.
< jtate> No Prob jeremyp.
< ccw> there is a mechanism for getting stats that is a "trap".  They normally run fairly high
< ccw> within the program.  lowpriotrap makes them lower in priority.  
< jeremyp> I'd volunteer for meeting 7 - kernel services -- but I'm planning a major system downtime that day so I don't know for sure if I can make the meeting or not
< jtate> Ok, so I've removed the noquery lines.  I'll add lowpriotrap.
< ccw> It also cuts down on the denial of service attack effect.
< jeremyp> Compiling the kernel is not as hard as it used to be though.  Especially if you use menuconfig or xconfig.
< sweeper> ccw: is the trap an snmp trap?
< ccw> sweeper: no, it is an internal program function.
< jtate> so one shouldn't have notrap and lowpriotrap on the same line right?
< ccw> jtate: you need the restrict <server> nomodify lowpriotrap  ... just leave out the noquery
< ccw> jtate: correct, notrap precludes lowpriotrap
< jeremyp> wow, I'm clueless as to what this conversation is talking about -- are we configuring NTP?  (Guess I skimmed the scrollback too fast!)
< jtate> Ok.  I just had notrap on the server lines.
< jtate> Yep.
< ccw> jeremyp: yes, NTP from udel.
< ccw> I put notrap on just the default.
< jtate> restrict tock.usno.navy.mil  nomodify lowpriotrap
< jtate> server tock.usno.navy.mil
< jtate> restrict time.windows.com nomodify lowpriotrap
< jtate> server time.windows.com
< jtate> restrict clock2.redhat.com nomodify lowpriotrap
< jtate> server clock2.redhat.com
< jtate> restrict ntp.cmr.gov nomodify lowpriotrap
< jtate> server ntp.cmr.gov
< jtate> restrict nomodify lowpriotrap
< jtate> server
< jtate> restrict nomodify lowpriotrap
< jtate> server
< jtate> restrict time.trilug.org nomodify lowpriotrap
< jtate> server time.trilug.org
< jtate> This is the line that RH suggests you modify for local synchronization:
< jtate> # restrict mask notrust nomodify notrap
< jtate> Does that look right?
< ccw> that will work but pick ONE time server from each network...
< cybertooth> Have you guys heard of tripaste?
< ovrclokd> jeremyp: and jtower is leading meeting 10
< jtate> Ok, removed
< ovrclokd> we still need somebody to cover 7 and 8...
< ccw> do NOT use 152.3.250.x, that server is not correctly configured and is subject to attack.
< ccw> Use clock1.unc.edu.
< cybertooth> I thought we had someone for 7?
< jeremyp> Well I just said that I could do 7, but I'm hesitant to commit to it now due to work stuff
< jtate> I wish someone would post a sample config file that I could just tweak rather than having to essentially pull this stuff out of a hat.  (Not saying that ccw is a hat mind you).
* ccw doesn't mind being that particular hat ...
* ccw is mildly obsessive about NTP...
< jtate> Evidently I need to file a bug with RH about its bogus default config file.
< jeremyp> ccw: we've noticed ;-)
* ccw grins
< cybertooth> If I'm not a disaster after the next meeting... I'll think about volunteering for the 7th.
< cybertooth> How is that for certainty!
< jeremyp> cybertooth: you sure about that?  :)
< ccw> RH used to configure the "local" clock as at stratum 0.  I wouldn't trust their "expertise".
< jtate> Well, I can't blame them.  I think I read all of ntp.org's documentation, and came out with no additional information.
< ccw> jtate: another good time source is {tick,tock}.usnogps.navy.mil (pick one).
< jtate> Did I mention that the documentation was verbose?
< jtate> I've already got a navy.mil source though.
* ccw read the code ...
< ccw> jtate: different network and different atomic clock ...
< jtate> Ahh.  Didn't have that kind of time.
< ovrclokd> jeremyp: sorry, i thought your intent was that you'd like to do it, but couldn't!
< ccw> both are MILnet and will disappear from time to time ...
< jtate> Well, hopefully I have enough servers now that that won't be a problem.
< jtate> I don't have a nist.gov source, but I suppose that's ok.
< cybertooth> jeremyp: how about you commit to doing it, and if you can't I'll stand in for you (as your second)!
< jeremyp> ovrclokd: right, that's what I meant.  I'd like to do it, but I don't want to commit to it
< jtate> Time.windows.com references time.nist.gov.
< jeremyp> cybertooth: that might work
< ccw> jtate: also, time.nist.gov or time-{a,b}.nist.gov... time is via Alternet time-{a,b} is via ATT
< jtate> Ok.  I'll be setting up clients tomorrow that sync with the server I'm setting up.  I'll let you know how I make out.
< ccw> I personally wouldn't use time.windows.com because I can't see how they've configured their server.
< jtate> Is there a way to dial down the trust on any given server?
< ccw> Nor would I use any server that I can't examine their configuration.
< jtate> you mean ntpq -p?
< ccw> jtate: not exactly.  You can put "prefer" on other servers...
< jtate> Or do you do something more advanced?
< jtate> Do you put prefer on the restrict line or the server line?
< ccw> I usually use: ntpdc <server> and make queries...
< jtate> Ahh.
< ccw> jtate: server line...
< jtate> If you could spoof the clock at time.windows.com you could throw off a lot of systems.  Most XP machines sync with that server exclusively.
< ccw> i.e.: server tick.usno.navy.mil prefer nomodify lowpriotrap
< jtate> Not to mention all the W2K and NT machines.
< jtate> Can you prefer more than one server?
< jeremyp> I don't think NT4 does time synching without a 3rd party or add-on app
< jeremyp> Dude, I can't believe the only technical comment I've made so far tonight has been on Windows NT.  Gah!
< ccw> jtate: I'll bet they're using their own Windows server code and it's awful...
< jtate> I thought it was a service pack upgrade.  Oh well.  Doesn't matter.  Nobody will be running NT by the end of the year.
< jeremyp> NT4 has a "net time" command but that doesn't use NTP afaik
* jtate bets they're running bsd like they did with hotmail.
< ccw> jeremyp: you're right.  But you can sync to PDSs.
< jtate> ccw: can you prefer more than one server?
< ccw> jtate: the code is written to optimize three servers.  It will pick the "best" three if
< ccw> you give it more...
< ovrclokd> jeremyp: they're going to take away your linux guru card...
< jeremyp> What we did with NT4 was have the clients sync to the PDC, and the PDC ran 3rd party NTP software
< jeremyp> But see, there are reasons I don't know anything newer than NT4.  Switched over to doing Linux full-time around when w2k came out :)
< jtate> ccw: cool.
< jtate> Thanks for the help.
< ccw> jeremyp: that's what I do with my NT4 and Win2K servers.
* ccw is glad to help ...
* jtate enjoys the last of his IBC with a big Aaaahhhh
< ccw> Udel NTP binaries are available for Windows.  Do not use anything below V4. tho.  Buffer overrun holes...
* ovrclokd has to go practice for her recorder performance on sunday
* cybertooth has to do that doddy that dads do...
* ccw wonders where OC is playing and what for ...
-!- cybertooth [~cybertoot@rdu163-124-248.nc.rr.com] has left #trilug-rhce ["Client Exiting"]
< ccw> jtate: missed the q about more than one prefer.  Yes, it will pick the best one...
< ovrclokd> ccw: recorder consort is playing on sunday for the uu fellowship service
* ccw nods. Wade Ave?
< jtate> Actually I just remembered that tomorrow will be reconfiguring postfix and cyrus-imap (which I wish there were standard RH packages for by the way).
< RedWolfe> OClokd plays recorder?  at UUFR?
< jtate> Thanks ccw.
< ovrclokd> ccw: no, chapel hill
< RedWolfe> Community Church?
* ccw found RW's recorder book in the attic last week ...
< ccw> s/book/books/
< jtate> Is anyone interested in car pooling to the meeting next wednesday?
< RedWolfe> (one of them at least)
< ovrclokd> jtate: i'll be going from northwest durham - where are you?
< ccw> from Durham ...
< ovrclokd> redwolfe: not all the time, just this sunday
< RedWolfe> (sora southwest durham here)
< jtate> 55 and cornwallis.
< jtate> Just west of the park.
< ccw> We go by there on the way ...  meet in parking lot at Miami and Alexander???
< ovrclokd> jtate: should be do-able.  i'll shoot you an email.
< jtate> That would work CCW.
< ccw> OC.  Can meet us and we'll take the MiniVan...
< ovrclokd> ccw: sounds like fun!
< ovrclokd> okay, 'nite all...
< jtate> Night.
< RedWolfe> (seats 4)
-!- ovrclokd [~lisa@moya.trilug.org] has left #trilug-rhce []
< ccw> Seats for four unless we put in the seats in the shed ...
< RedWolfe> back in the van
< jeremyp> jtate: I could also give you a ride there if you end up needing one, but you'd be on your own on the way back :)
< jeremyp> (I work in Durham and live in Raleigh)
< jtate> I think we've got it set up.  Thanks though Jeremy.
* jtate heads to console the wife about dinner that didn't turn out quite the way she wanted.
-!- jtate [~jtate@rdu74-181-041.nc.rr.com] has left #trilug-rhce []
* RedWolfe sneaks away for a smoke
-!- RedWolfe [~root@durham-ar1-4-64-250-023.durham.dsl-verizon.net] has quit ["using sirc version 2.211+KSIRC/1.1"]
* ccw yawns and waves bye...
-!- ccw [~ccw@durham-ar1-4-64-250-023.durham.dsl-verizon.net] has left #trilug-rhce ["Client Exiting"]
* sweeper waves bye to whomever is left ...
--- Log closed Wed Apr 23 21:50:16 2003
