From rgraves at carleton.edu Wed Dec 1 03:45:15 2010
From: rgraves at carleton.edu (Rich Graves)
Date: Tue, 30 Nov 2010 21:45:15 -0600 (CST)
Subject: [rhelv6-list] rhel6 xenU on rhel5.5 domU - live-migrate between minor CPU revs
In-Reply-To: <20101119085804.GV2754@reaktio.net>
Message-ID: <1381315687.102556.1291175115265.JavaMail.root@mail2.its.carleton.edu>

Under the resolved topic "rhel6 xenU on rhel5.5 domU - no console," "Pasi Kärkkäinen" asked:

> Did you file a bugzilla entry about the live migration issue?

Still no, but I might have the answer. I just don't like it.

My DNS/network issues were a red herring, caused by a bug in our McAfee/Sidewinder firewall. RHEL6 sends back-to-back A and AAAA queries in separate packets, and the Sidewinder's DNS proxy only passes the former. Other OSes either send two queries in one packet or don't send them back-to-back with sequential TXIDs. However, one real problem with Xen live-migrate remains.

It could be due to processor flags. I can fairly consistently migrate a guest from a X5680 processor (Nehalem2 Westmere) to a L5520 (original Nehalem), and usually from a 5160 (Core2 Duo) to a 5060 (Core Duo), but not the other way around.

In contrast, all of my RHEL4 and RHEL5 guests are able to move *anywhere*, even between the 5060 and 5680, as long as basic things like NX are set the same in BIOS. Maybe the problem is that the newer RHEL6 kernel is too smart for its own good? Can I mask the newest flags somehow?

The processor flags are:

X5680
flags : fpu tsc msr pae cx8 apic mtrr cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc ida arat pni est ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm

X5520
flags : fpu tsc msr pae cx8 apic mtrr cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc ida pni est ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm

5060
flags : fpu tsc msr pae cx8 apic mtrr cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc pni cid cx16 lahf_lm

5160
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl est tm2 xtpr

--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529

From pasik at iki.fi Wed Dec 1 14:01:07 2010
From: pasik at iki.fi (Pasi Kärkkäinen)
Date: Wed, 1 Dec 2010 16:01:07 +0200
Subject: [rhelv6-list] rhel6 xenU on rhel5.5 domU - live-migrate between minor CPU revs
In-Reply-To: <1381315687.102556.1291175115265.JavaMail.root@mail2.its.carleton.edu>
References: <20101119085804.GV2754@reaktio.net> <1381315687.102556.1291175115265.JavaMail.root@mail2.its.carleton.edu>
Message-ID: <20101201140107.GF2754@reaktio.net>

On Tue, Nov 30, 2010 at 09:45:15PM -0600, Rich Graves wrote:
> Under the resolved topic "rhel6 xenU on rhel5.5 domU - no console," "Pasi Kärkkäinen" asked:
>
> > Did you file a bugzilla entry about the live migration issue?
>
> Still no, but I might have the answer. I just don't like it.
>
> My DNS/network issues were a red herring, caused by a bug in our McAfee/Sidewinder firewall. RHEL6 sends back-to-back A and AAAA queries in separate packets, and the Sidewinder's DNS proxy only passes the former. Other OSes either send two queries in one packet or don't send them back-to-back with sequential TXIDs. However, one real problem with Xen live-migrate remains.
>
> It could be due to processor flags.
> I can fairly consistently migrate a guest from a X5680 processor (Nehalem2 Westmere) to a L5520 (original Nehalem), and usually from a 5160 (Core2 Duo) to a 5060 (Core Duo), but not the other way around.
>
> In contrast, all of my RHEL4 and RHEL5 guests are able to move *anywhere*, even between the 5060 and 5680, as long as basic things like NX are set the same in BIOS. Maybe the problem is that the newer RHEL6 kernel is too smart for its own good? Can I mask the newest flags somehow?
>
> The processor flags are:
>
> X5680
> flags : fpu tsc msr pae cx8 apic mtrr cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc ida arat pni est ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm
>
> X5520
> flags : fpu tsc msr pae cx8 apic mtrr cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc ida pni est ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm
>
> 5060
> flags : fpu tsc msr pae cx8 apic mtrr cmov pat clflush acpi mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc pni cid cx16 lahf_lm
>
> 5160
> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl est tm2 xtpr
>

Xen has support for cpuid masking, but I'm not sure if EL5 Xen has that..
ie. it's at least in newer Xen versions.

-- Pasi

From rgraves at carleton.edu Wed Dec 1 18:15:37 2010
From: rgraves at carleton.edu (Rich Graves)
Date: Wed, 1 Dec 2010 12:15:37 -0600 (CST)
Subject: [rhelv6-list] rhel6 xenU on rhel5.5 domU - live-migrate between minor CPU revs
Message-ID: <795989377.120695.1291227337316.JavaMail.root@mail2.its.carleton.edu>

Details dumped to bugzilla 658720. It could be something else. It's also conceivable that a newer kernel on the dom0 could help, but I can't easily take that downtime for 2 weeks.

This will be an interesting transition. I've got about 60 rhel4 and rhel5 guests, but have a short-term need for 2 rhel6 hosts.
For at least the next few months, inability to live-migrate is not a critical problem... and even that could be mitigated by starting rhel6 guests on the newer host, allowing exactly one migrate per reboot.

From carlopmart at gmail.com Thu Dec 2 13:29:48 2010
From: carlopmart at gmail.com (carlopmart)
Date: Thu, 02 Dec 2010 14:29:48 +0100
Subject: [rhelv6-list] Is spice protocol supported under RHEL6?
Message-ID: <4CF79F4C.2000005@gmail.com>

Hi all,

Does somebody know if it is possible to use spice protocol with windows kvm guests under RHEL6?? Besides installing spice-server and spice-client packages, do I need to install something else??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

From marco.shaw at gmail.com Thu Dec 2 13:53:10 2010
From: marco.shaw at gmail.com (Marco Shaw)
Date: Thu, 2 Dec 2010 09:53:10 -0400
Subject: [rhelv6-list] Is spice protocol supported under RHEL6?
In-Reply-To: <4CF79F4C.2000005@gmail.com>
References: <4CF79F4C.2000005@gmail.com>
Message-ID:

Sorry, I don't know much about SPICE, but see some Windows clients here: http://spice-space.org/download.html

Marco

On Thu, Dec 2, 2010 at 9:29 AM, carlopmart wrote:
> Hi all,
>
> Does somebody know if it is possible to use spice protocol with windows kvm
> guests under RHEL6?? Besides installing spice-server and spice-client
> packages, do I need to install something else??
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

--
*Microsoft MVP - Windows PowerShell https://mvp.support.microsoft.com/profile/Marco.Shaw
*Co-Author - Sams Windows PowerShell Unleashed 2nd Edition
*Blog - http://marcoshaw.blogspot.com

From KCollins at chevron.com Thu Dec 2 16:59:47 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 2 Dec 2010 08:59:47 -0800
Subject: [rhelv6-list] Problem with ldap
Message-ID: <86E21A982A7C5249956350A6746108C201FA3F83@CHVPKNTXC5M.chvpk.chevrontexaco.net>

I have been using pam/nss_ldap with RHEL3 thru RHEL5. I am starting to test on RHEL6 and have run into a problem.

I figured out that I need pam_ldap and nss-pam-ldapd, but I am having some troubles getting things to work correctly. I think I have the /etc/pam_ldap.conf and /etc/nslcd.conf files correct, but I am seeing some strange behavior.

As an example, I have an "oracle" ID in LDAP:

# grep oracle /etc/passwd

# getent passwd | grep ^oracle:
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh

# getent passwd oracle

# ldapsearch -LLL -x "(uid=oracle)"
dn: uid=oracle,ou=People,dc=afis,dc=sr
uid: oracle
cn: Oracle Owner
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
loginShell: /usr/bin/sh
uidNumber: 200
gidNumber: 200
homeDirectory: /oracle
gecos: Oracle Owner

I can't figure out why getent (or id, or groups, etc) can't resolve specific IDs from LDAP, but I can obviously read the data...

Any ideas?

Thanks,

Kevin

From Jonathan.S.Harrison at sscgp.com Thu Dec 2 17:23:20 2010
From: Jonathan.S.Harrison at sscgp.com (Harrison, Jonathan)
Date: Thu, 2 Dec 2010 11:23:20 -0600
Subject: [rhelv6-list] RHEL 6 Downloads
Message-ID:

When I sign into my RHN portal, I still see RHEL 6 Beta 2 as the only download option. What source has everyone else used to download the RHEL 6 final images?

Jonathan

From bperkins at redhat.com Thu Dec 2 17:35:23 2010
From: bperkins at redhat.com (Brandon Perkins)
Date: Thu, 02 Dec 2010 12:35:23 -0500
Subject: [rhelv6-list] RHEL 6 Downloads
In-Reply-To:
References:
Message-ID: <4CF7D8DB.20806@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/02/10 12:23, Harrison, Jonathan wrote:
> When I sign into my RHN portal, I still see RHEL 6 Beta 2 as the only download option. What source has everyone else used to download the RHEL 6 final images?
>
> Jonathan

From:

https://rhn.redhat.com/rhn/software/downloads/SupportedISOs.do

you should see up to (depending upon your subscriptions and entitlements) nine GA versions at the very top of the list with their associated parent channels:

Red Hat Enterprise Linux Server (v. 6 for 32-bit x86)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10358

Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10486

Red Hat Enterprise Linux Server (v. 6 for IBM POWER)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10417

Red Hat Enterprise Linux Server (v. 6 for IBM System z)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10438

Red Hat Enterprise Linux Workstation (v. 6 for 32-bit x86)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10401

Red Hat Enterprise Linux Workstation (v. 6 for x86_64)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10550

Red Hat Enterprise Linux Client (v. 6 for 32-bit x86)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10342

Red Hat Enterprise Linux Client (v. 6 for 64-bit x86_64)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10454

Red Hat Enterprise Linux Compute Node (v. 6 for x86_64)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10470

Do not descend down the tree to the Beta versions in the child channels:

Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)
Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
Red Hat Enterprise Linux Server Beta (v. 6 IBM System z)
Red Hat Enterprise Linux Workstation Beta (v.6 for 32-bit x86)
Red Hat Enterprise Linux Workstation Beta (v.6 for x86_64)

Thanks,
Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz32NQACgkQhwQhj8l1t/ewvQCfZqbMk4KkoxgIRFRV78GloENK
kmYAoKeIj2Xz11IlBDBaBFCt1sK9F0eV
=lzML
-----END PGP SIGNATURE-----

From jclift at redhat.com Thu Dec 2 17:32:28 2010
From: jclift at redhat.com (Justin Clift)
Date: Fri, 3 Dec 2010 04:32:28 +1100
Subject: [rhelv6-list] RHEL 6 Downloads
In-Reply-To:
References:
Message-ID: <40017FB1-4A44-4CAB-A7B2-CFAE5C64C667@redhat.com>

On 03/12/2010, at 4:23 AM, Harrison, Jonathan wrote:
> When I sign into my RHN portal, I still see RHEL 6 Beta 2 as the only download option. What source has everyone else used to download the RHEL 6 final images?

Hi Jonathan,

You *might* be getting led astray by the main "Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)" channel having a "Beta" sub channel under it.

Kind of like this:

Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64) <--- you should probably have this selected
  + ---- Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64) <--- but you have this one selected instead
  + ---- RHEL Server Supplementary (v. 6 64-bit x86_64)

I'm kind of thinking you need to back up one level, out of the beta channel, then you should be ok.

Does that help?

Regards and best wishes,

Justin Clift

From Jonathan.S.Harrison at sscgp.com Thu Dec 2 17:32:54 2010
From: Jonathan.S.Harrison at sscgp.com (Harrison, Jonathan)
Date: Thu, 2 Dec 2010 11:32:54 -0600
Subject: [rhelv6-list] RHEL 6 Downloads
In-Reply-To: <4CF7D8DB.20806@redhat.com>
References: <4CF7D8DB.20806@redhat.com>
Message-ID:

User interface comprehension failure. Thanks for the nudge in the right direction. Why are the betas still listed now that final is available?

-----Original Message-----
From: Brandon Perkins [mailto:bperkins at redhat.com]
Sent: Thursday, December 02, 2010 11:35 AM
To: Harrison, Jonathan
Cc: 'rhelv6-list at redhat.com'
Subject: Re: [rhelv6-list] RHEL 6 Downloads

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/02/10 12:23, Harrison, Jonathan wrote:
> When I sign into my RHN portal, I still see RHEL 6 Beta 2 as the only download option. What source has everyone else used to download the RHEL 6 final images?
>
> Jonathan

From:

https://rhn.redhat.com/rhn/software/downloads/SupportedISOs.do

you should see up to (depending upon your subscriptions and entitlements) nine GA versions at the very top of the list with their associated parent channels:

Red Hat Enterprise Linux Server (v. 6 for 32-bit x86)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10358

Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10486

Red Hat Enterprise Linux Server (v. 6 for IBM POWER)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10417

Red Hat Enterprise Linux Server (v. 6 for IBM System z)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10438

Red Hat Enterprise Linux Workstation (v. 6 for 32-bit x86)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10401

Red Hat Enterprise Linux Workstation (v. 6 for x86_64)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10550

Red Hat Enterprise Linux Client (v. 6 for 32-bit x86)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10342

Red Hat Enterprise Linux Client (v. 6 for 64-bit x86_64)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10454

Red Hat Enterprise Linux Compute Node (v. 6 for x86_64)
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=10470

Do not descend down the tree to the Beta versions in the child channels:

Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)
Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
Red Hat Enterprise Linux Server Beta (v. 6 IBM System z)
Red Hat Enterprise Linux Workstation Beta (v.6 for 32-bit x86)
Red Hat Enterprise Linux Workstation Beta (v.6 for x86_64)

Thanks,
Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz32NQACgkQhwQhj8l1t/ewvQCfZqbMk4KkoxgIRFRV78GloENK
kmYAoKeIj2Xz11IlBDBaBFCt1sK9F0eV
=lzML
-----END PGP SIGNATURE-----

From prentice at ias.edu Thu Dec 2 17:45:22 2010
From: prentice at ias.edu (Prentice Bisbal)
Date: Thu, 02 Dec 2010 12:45:22 -0500
Subject: [rhelv6-list] Problem with ldap
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA3F83@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA3F83@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <4CF7DB32.403@ias.edu>

Collins, Kevin [BEELINE] wrote:
> I have been using pam/nss_ldap with RHEL3 thru RHEL5. I am starting to
> test on RHEL6 and have run into a problem.
>
> I figured out that I need pam_ldap and nss-pam-ldapd, but I am having
> some troubles getting things to work correctly. I think I have the
> /etc/pam_ldap.conf and /etc/nslcd.conf files correct, but I am seeing
> some strange behavior.
>
> As an example, I have an "oracle" ID in LDAP:
>
> # grep oracle /etc/passwd
>
> # getent passwd | grep ^oracle:
> oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
>
> # getent passwd oracle
>
> # ldapsearch -LLL -x "(uid=oracle)"
> dn: uid=oracle,ou=People,dc=afis,dc=sr
> uid: oracle
> cn: Oracle Owner
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
> loginShell: /usr/bin/sh
> uidNumber: 200
> gidNumber: 200
> homeDirectory: /oracle
> gecos: Oracle Owner
>
> I can't figure out why getent (or id, or groups, etc) can't resolve
> specific IDs from LDAP, but I can obviously read the data...
>
> Any ideas?
>

Kevin,

I was configuring PAM/LDAP/NSS on RHEL6 for the first time yesterday myself. After getting nscd and nslcd configured correctly, I was able to make this work, but then I switched to using sssd for my name services/PAM. SSSD appears to be the RH "blessed" method for handling this sort of stuff, and if you ever use authconfig, it will configure sssd to perform these functions. You should look into switching to sssd, to avoid RH utils from "fixing" things for you in the future.

Have you tried using strace on getent to see what functions are being called and what errors are being reported? I would also turn on logging on your ldap server and do a tail -f while running getent to see if the search being performed by 'getent passwd oracle' is being transformed into something other than what your server needs to get a result.

-- Prentice

From KCollins at chevron.com Thu Dec 2 18:29:26 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 2 Dec 2010 10:29:26 -0800
Subject: [rhelv6-list] Problem with ldap
In-Reply-To: <4CF7DB32.403@ias.edu>
References: <86E21A982A7C5249956350A6746108C201FA3F83@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4CF7DB32.403@ias.edu>
Message-ID: <86E21A982A7C5249956350A6746108C201FA3FA9@CHVPKNTXC5M.chvpk.chevrontexaco.net>

Thanks - I plan to look into SSSD, but was trying to work my way from "known" towards "unknown" :)

However, your reply hit one thing I forgot - I had not yet restarted nscd... that fixed the issue I was seeing and things appear to be working as expected now.

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Prentice Bisbal
Sent: Thursday, December 02, 2010 9:45 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] Problem with ldap

Collins, Kevin [BEELINE] wrote:
> I have been using pam/nss_ldap with RHEL3 thru RHEL5. I am starting to
> test on RHEL6 and have run into a problem.
>
> I figured out that I need pam_ldap and nss-pam-ldapd, but I am having
> some troubles getting things to work correctly. I think I have the
> /etc/pam_ldap.conf and /etc/nslcd.conf files correct, but I am seeing
> some strange behavior.
>
> As an example, I have an "oracle" ID in LDAP:
>
> # grep oracle /etc/passwd
>
> # getent passwd | grep ^oracle:
> oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
>
> # getent passwd oracle
>
> # ldapsearch -LLL -x "(uid=oracle)"
> dn: uid=oracle,ou=People,dc=afis,dc=sr
> uid: oracle
> cn: Oracle Owner
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio=
> loginShell: /usr/bin/sh
> uidNumber: 200
> gidNumber: 200
> homeDirectory: /oracle
> gecos: Oracle Owner
>
> I can't figure out why getent (or id, or groups, etc) can't resolve
> specific IDs from LDAP, but I can obviously read the data...
>
> Any ideas?
>

Kevin,

I was configuring PAM/LDAP/NSS on RHEL6 for the first time yesterday myself. After getting nscd and nslcd configured correctly, I was able to make this work, but then I switched to using sssd for my name services/PAM. SSSD appears to be the RH "blessed" method for handling this sort of stuff, and if you ever use authconfig, it will configure sssd to perform these functions. You should look into switching to sssd, to avoid RH utils from "fixing" things for you in the future.

Have you tried using strace on getent to see what functions are being called and what errors are being reported? I would also turn on logging on your ldap server and do a tail -f while running getent to see if the search being performed by 'getent passwd oracle' is being transformed into something other than what your server needs to get a result.

-- Prentice

From KCollins at chevron.com Thu Dec 2 20:17:17 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 2 Dec 2010 12:17:17 -0800
Subject: [rhelv6-list] selinux (not quite) disabled?
Message-ID: <86E21A982A7C5249956350A6746108C201FA3FD7@CHVPKNTXC5M.chvpk.chevrontexaco.net>

In testing RHEL6, I have noted that some directories show a "." (dot) at the end:

# ls -ld /* | grep ^d
dr-xr-xr-x.   2 root root  4096 Nov 24 16:29 /bin
dr-xr-xr-x.   5 root root  1024 Nov 24 15:56 /boot
drwxr-xr-x.   2 root root  4096 Jul 14 04:45 /cgroup
drwxr-xr-x   20 root root  3700 Dec  2 12:04 /dev
drwxr-xr-x. 120 root root 12288 Dec  2 12:04 /etc
drwxr-xr-x.   2 root root  4096 Dec  4  2009 /home
dr-xr-xr-x.  12 root root  4096 Dec  1 03:31 /lib
dr-xr-xr-x.   9 root root 12288 Dec  1 16:06 /lib64
drwx------.   2 root root 16384 Nov 24 15:36 /lost+found
drwxr-xr-x.   2 root root  4096 Dec  4  2009 /media
drwxr-xr-x    2 root root     0 Dec  2 12:04 /misc
drwxr-xr-x.   2 root root  4096 Dec  4  2009 /mnt
drwxr-xr-x    2 root root     0 Dec  2 12:04 /net
drwxr-xr-x.   6 root root  1024 Nov 30 15:30 /opt
dr-xr-xr-x  185 root root     0 Dec  2 04:04 /proc
drwxr-xr-x    7 root root  4096 Nov 11 11:04 /redhat
dr-xr-x---.  27 root root  4096 Dec  2 11:50 /root
dr-xr-xr-x.   2 root root 12288 Nov 24 16:29 /sbin
drwxr-xr-x.   2 root root  4096 Nov 24 15:37 /selinux
drwxr-xr-x.   2 root root  4096 Dec  4  2009 /srv
drwxr-xr-x   13 root root     0 Dec  2 04:04 /sys
drwxrwxrwt.  11 root root  1024 Dec  2 12:04 /tmp
drwxr-xr-x.   3 root root  4096 Nov 24 15:54 /users
drwxr-xr-x.  16 root root  4096 Nov 24 15:58 /usr
drwxr-xr-x.   3 root root  4096 Dec  1 10:55 /util
drwxr-xr-x.  26 root root  4096 Nov 24 15:58 /var

It was my understanding that this is related to selinux, however we (currently) disable selinux via "selinux --disabled" in the kickstart file as well as adding "selinux=0" to the kernel command line:

# getenforce
Disabled

# grep selinux /etc/grub.conf
kernel /vmlinuz-2.6.32-71.el6.x86_64 ro root=/dev/mapper/vg00-lvol1 rd_LVM_LV=vg00/lvol1 rd_LVM_LV=vg00/lvol2 rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto audit=0 selinux=0 rhgb quiet

# cat /proc/cmdline
ro root=/dev/mapper/vg00-lvol1 rd_LVM_LV=vg00/lvol1 rd_LVM_LV=vg00/lvol2 rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=129M at 0M audit=0 selinux=0 rhgb quiet

It would appear that selinux is disabled, except for the dots... anything I am missing? I have not seen this behavior on RHEL5...

Thanks,

Kevin

From notting at redhat.com Thu Dec 2 20:38:19 2010
From: notting at redhat.com (Bill Nottingham)
Date: Thu, 2 Dec 2010 15:38:19 -0500
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA3FD7@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA3FD7@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <20101202203819.GA1112@nostromo.devel.redhat.com>

Collins, Kevin [BEELINE] (KCollins at chevron.com) said:
> In testing RHEL6, I have noted that some directories show a "." (dot) at
> the end:

It means the files/directories have a SELinux security label stored in an extended attribute - the attributes remain present on the filesystem even if SELinux is disabled.

Bill

From RJM002 at shsu.edu Thu Dec 2 20:43:45 2010
From: RJM002 at shsu.edu (Marti, Robert)
Date: Thu, 2 Dec 2010 14:43:45 -0600
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To: <20101202203819.GA1112@nostromo.devel.redhat.com>
References: <86E21A982A7C5249956350A6746108C201FA3FD7@CHVPKNTXC5M.chvpk.chevrontexaco.net>, <20101202203819.GA1112@nostromo.devel.redhat.com>
Message-ID: <8FAC1E47484E43469AA28DBF35C955E4CC1E5EFF1D@EXMBX.SHSU.EDU>

From: rhelv6-list-bounces at redhat.com [rhelv6-list-bounces at redhat.com] On Behalf Of Bill Nottingham [notting at redhat.com]
Sent: Thursday, December 02, 2010 14:38
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] selinux (not quite) disabled?

Collins, Kevin [BEELINE] (KCollins at chevron.com) said:
> In testing RHEL6, I have noted that some directories show a "." (dot) at
> the end:

It means the files/directories have a SELinux security label stored in an extended attribute - the attributes remain present on the filesystem even if SELinux is disabled.

Bill
________
Really it's any extended attribute - ACL's included (if I remember right).

From KCollins at chevron.com Thu Dec 2 21:36:17 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 2 Dec 2010 13:36:17 -0800
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E4CC1E5EFF1D@EXMBX.SHSU.EDU>
References: <86E21A982A7C5249956350A6746108C201FA3FD7@CHVPKNTXC5M.chvpk.chevrontexaco.net>, <20101202203819.GA1112@nostromo.devel.redhat.com> <8FAC1E47484E43469AA28DBF35C955E4CC1E5EFF1D@EXMBX.SHSU.EDU>
Message-ID: <86E21A982A7C5249956350A6746108C201FA3FF5@CHVPKNTXC5M.chvpk.chevrontexaco.net>

So, how do I make it go away? :)

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Marti, Robert
Sent: Thursday, December 02, 2010 12:44 PM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] selinux (not quite) disabled?

From: rhelv6-list-bounces at redhat.com [rhelv6-list-bounces at redhat.com] On Behalf Of Bill Nottingham [notting at redhat.com]
Sent: Thursday, December 02, 2010 14:38
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] selinux (not quite) disabled?

Collins, Kevin [BEELINE] (KCollins at chevron.com) said:
> In testing RHEL6, I have noted that some directories show a "." (dot) at
> the end:

It means the files/directories have a SELinux security label stored in an extended attribute - the attributes remain present on the filesystem even if SELinux is disabled.

Bill
________
Really it's any extended attribute - ACL's included (if I remember right).

From RJM002 at shsu.edu Thu Dec 2 21:43:03 2010
From: RJM002 at shsu.edu (Marti, Robert)
Date: Thu, 2 Dec 2010 15:43:03 -0600
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA3FF5@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA3FD7@CHVPKNTXC5M.chvpk.chevrontexaco.net>, <20101202203819.GA1112@nostromo.devel.redhat.com> <8FAC1E47484E43469AA28DBF35C955E4CC1E5EFF1D@EXMBX.SHSU.EDU>, <86E21A982A7C5249956350A6746108C201FA3FF5@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <8FAC1E47484E43469AA28DBF35C955E4CC1E5EFF1F@EXMBX.SHSU.EDU>

Don't worry about it? :)

Rob Marti
________________________________________
From: rhelv6-list-bounces at redhat.com [rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE] [KCollins at chevron.com]
Sent: Thursday, December 02, 2010 15:36
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] selinux (not quite) disabled?

So, how do I make it go away? :)

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Marti, Robert
Sent: Thursday, December 02, 2010 12:44 PM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] selinux (not quite) disabled?

From: rhelv6-list-bounces at redhat.com [rhelv6-list-bounces at redhat.com] On Behalf Of Bill Nottingham [notting at redhat.com]
Sent: Thursday, December 02, 2010 14:38
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] selinux (not quite) disabled?

Collins, Kevin [BEELINE] (KCollins at chevron.com) said:
> In testing RHEL6, I have noted that some directories show a "." (dot) at
> the end:

It means the files/directories have a SELinux security label stored in an extended attribute - the attributes remain present on the filesystem even if SELinux is disabled.

Bill
________
Really it's any extended attribute - ACL's included (if I remember right).

From Jonathan.S.Harrison at sscgp.com Thu Dec 2 21:56:49 2010
From: Jonathan.S.Harrison at sscgp.com (Harrison, Jonathan)
Date: Thu, 2 Dec 2010 15:56:49 -0600
Subject: [rhelv6-list] selinux (not quite) disabled?
Message-ID:

I believe that you can touch .autorelabel in / and then reboot to perform this action. I typically do this every time I set /etc/sysconfig/selinux to disabled.

Jonathan

>So, how do I make it go away? :)

>Kevin

>-----Original Message-----
>From: rhelv6-list-bounces at redhat.com
>[mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Marti, Robert
>Sent: Thursday, December 02, 2010 12:44 PM
>To: rhelv6-list at redhat.com
>Subject: Re: [rhelv6-list] selinux (not quite) disabled?

>From: rhelv6-list-bounces at redhat.com [rhelv6-list-bounces at redhat.com] On Behalf Of Bill Nottingham [notting at redhat.com]
>Sent: Thursday, December 02, 2010 14:38
>To: rhelv6-list at redhat.com
>Subject: Re: [rhelv6-list] selinux (not quite) disabled?

>Collins, Kevin [BEELINE] (KCollins at chevron.com) said:
>> In testing RHEL6, I have noted that some directories show a "." (dot) at
>> the end:

>It means the files/directories have a SELinux security label stored in an extended attribute - the attributes remain present on the filesystem even if SELinux is disabled.

>Bill

From KCollins at chevron.com Thu Dec 2 22:54:24 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 2 Dec 2010 14:54:24 -0800
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References:
Message-ID: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>

That didn't seem to make any difference... :(

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Harrison, Jonathan
Sent: Thursday, December 02, 2010 1:57 PM
To: 'rhelv6-list at redhat.com'
Subject: Re: [rhelv6-list] selinux (not quite) disabled?

I believe that you can touch .autorelabel in / and then reboot to perform this action. I typically do this every time I set /etc/sysconfig/selinux to disabled.

Jonathan

>So, how do I make it go away? :)

>Kevin

>-----Original Message-----
>From: rhelv6-list-bounces at redhat.com
>[mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Marti, Robert
>Sent: Thursday, December 02, 2010 12:44 PM
>To: rhelv6-list at redhat.com
>Subject: Re: [rhelv6-list] selinux (not quite) disabled?
>From: rhelv6-list-bounces at redhat.com [rhelv6-list-bounces at redhat.com] On Behalf Of Bill Nottingham [notting at redhat.com] >Sent: Thursday, December 02, 2010 14:38 >To: rhelv6-list at redhat.com >Subject: Re: [rhelv6-list] selinux (not quite) disabled? >Collins, Kevin [BEELINE] (KCollins at chevron.com) said: >> In testing RHEL6, I have noted that some directories show a "." (dot) at >> the end: >It means the files/directories have a SELinux security label stored in an extended attribute - the attributes remain present on the filesystem even if SELinux is disabled. >Bill -------------- next part -------------- An HTML attachment was scrubbed... URL: From Greg_Swift at aotx.uscourts.gov Fri Dec 3 00:02:47 2010 From: Greg_Swift at aotx.uscourts.gov (Greg_Swift at aotx.uscourts.gov) Date: Thu, 2 Dec 2010 18:02:47 -0600 Subject: [rhelv6-list] selinux (not quite) disabled? In-Reply-To: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: Relabeling the filesystem actually just corrects the labeling, it does not remove the labeling, even if selinux is disabled. Effectively, this is a feature not a bug. All be it poorly documented. (apparently Mac uses @ instead of .) There is documentation in the coreutils info pages on ls: "Following the file mode bits is a single character that specifies whether an alternate access method such as an access control list applies to the file. When the character following the file mode bits is a space, there is no alternate acces method. When it is printing a character, then there is such a method. Gnu `ls` uses a `.' character to indicate a file with an SELinux security context, but no other alternate access method. A file with any other combination of alternate access methods is marked with a `+' character." 
Here is a summarized discussion from a blog by Dan Walsh (in comment section) on Managing File Context (http://danwalsh.livejournal.com/4208.html):

q: i would like to know how to completely remove ALL file labels created by SELinux
a: you can not remove labels it is part of SELinux system

note: Dan did not state that, Anonymous did, and no one disagreed/corrected them.

However there is a thread (http://osdir.com/ml/fedora-selinux/2009-07/msg00087.html) about "removing context" where someone suggests this:

find . -exec setfattr -h -x security.selinux '{}' \;

-greg

From robinprice at gmail.com Fri Dec 3 00:37:16 2010
From: robinprice at gmail.com (robinprice at gmail.com)
Date: Thu, 2 Dec 2010 19:37:16 -0500
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID:

Out of curiosity,

why are people disabling SELinux in RHEL6? Is it because of habit from RHEL4 / RHEL5? I thought SELinux would be vastly improved for RHEL6 but it appears people are quick to disable it. I just want to know why.

Also, it appears there are a lot more features in RHEL6 to help administer SELinux and the documentation for it is also pretty well done.

~rp

From KCollins at chevron.com Fri Dec 3 00:38:22 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 2 Dec 2010 16:38:22 -0800
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <86E21A982A7C5249956350A6746108C201FA4068@CHVPKNTXC5M.chvpk.chevrontexaco.net>

We don't see this in RHEL5, so apparently something has changed in selinux or how it is labelling. I'll follow up on the thread you mentioned.

Thanks,

Kevin

From KCollins at chevron.com Fri Dec 3 00:41:30 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 2 Dec 2010 16:41:30 -0800
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <86E21A982A7C5249956350A6746108C201FA406B@CHVPKNTXC5M.chvpk.chevrontexaco.net>

My response would be that a) I don't have time to investigate selinux changes/improvements since I barely have time to plan/test/execute an upgrade, b) yes, out of habit from previous versions and c) in an environment full of (mainly) Unix admins we try and keep things as Unix-y as possible.

Kevin

From RJM002 at shsu.edu Fri Dec 3 00:59:55 2010
From: RJM002 at shsu.edu (Marti, Robert)
Date: Thu, 2 Dec 2010 18:59:55 -0600
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID:

SELinux scares people, to put it simply. Instead of fixing things to work with it, it gets disabled so no one has to deal with it.
I'd rather fix it, but the normal complaint is lack of time to do it right. I normally set it to permissive mode and make a note to come back and address the issues later. So far later hasn't come.

Sent from my iPhone

From jsbillin at umich.edu Fri Dec 3 01:58:03 2010
From: jsbillin at umich.edu (Jonathan Billings)
Date: Thu, 2 Dec 2010 20:58:03 -0500
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA4068@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA4068@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <44FF8448-F8B8-4934-A014-A356C75C0868@umich.edu>

On Dec 2, 2010, at 7:38 PM, Collins, Kevin [BEELINE] wrote:

> We don't see this in RHEL5, so apparently something has changed in selinux or how it is labelling. I'll follow up on the thread you mentioned.

Actually, I believe the difference is in the 'ls' output, a newer version of the coreutils package is installed in RHEL6, which has been updated to show the '.' for SELinux attributes on a file.
Check out the info page for coreutils, specifically:

info coreutils 'What information is listed'

(compare with the info page from rhel5)

--
Jonathan Billings
College of Engineering - CAEN - Unix and Linux Support

From smooge at gmail.com Fri Dec 3 02:26:10 2010
From: smooge at gmail.com (Stephen John Smoogen)
Date: Thu, 2 Dec 2010 19:26:10 -0700
Subject: [rhelv6-list] RHEL 6 Downloads
In-Reply-To:
References: <4CF7D8DB.20806@redhat.com>
Message-ID:

On Thu, Dec 2, 2010 at 10:32, Harrison, Jonathan wrote:
> User interface comprehension failure. Thanks for nudge in the right direction. Why are the betas still listed now that final is available?
>

In N+1 months betas for RHEL-6U1 will show up for testing in channel. I believe that they will replace the ones there already.

--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard battle."
-- Ian MacLaren

From jussi_rhel6 at silvennoinen.net Fri Dec 3 06:51:33 2010
From: jussi_rhel6 at silvennoinen.net (Jussi Silvennoinen)
Date: Fri, 3 Dec 2010 08:51:33 +0200 (EET)
Subject: [rhelv6-list] [rhelv6-beta-list] fdisk vs parted
In-Reply-To:
References:
Message-ID:

> I notice in the online docs, there no mention of fdisk, I just wonder
> has this been depreciated in favour of parted or does this have to do
> with cylinder alignment?

And the lack of GPT understanding. I'm pondering of making fdisk not available on my systems as we start to deploy rhel6.

--
Jussi

From john.haxby at gmail.com Fri Dec 3 11:06:01 2010
From: john.haxby at gmail.com (John Haxby)
Date: Fri, 3 Dec 2010 11:06:01 +0000
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID:

On 3 December 2010 00:59, Marti, Robert wrote:

> SELinux scares people, to put it simply. Instead of fixing things to work
> with it, it gets disabled so no one has to deal with it. I'd rather fix it,
> but the normal complaint is lack of time to do it right. I normally set it
> to permissive mode and make a note to come back and address the issues
> later. So far later hasn't come.
>

This is an argument I have sympathy with.

However, just short of three years ago I decided enough was enough and I was going to get to grips with this thing on my laptop. So I left selinux enabled when I installed whatever was the current Fedora at the time.

As I recall, the only problem I had was with the web server I was running(*). Fixing that was a matter of ten minutes between me and google. Since that time I've picked up other selinux stuff incrementally - I'm far from being an expert but I'm not afraid of selinux any more and I can make use of it after a fashion. (Fedora 14 has a problem with some 32 bit apps and selinux but I can live without dropbox for the moment.)

jch

* yes, on a laptop: you have problem with that? :-)

From RJM002 at shsu.edu Fri Dec 3 12:34:52 2010
From: RJM002 at shsu.edu (Marti, Robert)
Date: Fri, 3 Dec 2010 06:34:52 -0600
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID:

Right. I've got it enabled on my desktop and laptops. On servers though...

Sent from my iPhone

From Greg_Swift at aotx.uscourts.gov Fri Dec 3 14:16:13 2010
From: Greg_Swift at aotx.uscourts.gov (Greg_Swift at aotx.uscourts.gov)
Date: Fri, 3 Dec 2010 08:16:13 -0600
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID:

I'm not saying I've succeeded in convincing people to let me run SELinux in enforcing anywhere, but think about the argument you just made:

"I've got it [SELinux] enabled on my desktop and laptops", which while useful, aren't as ready of targets for hackers (we are talking Linux not Windows). Desk/laptop environments are also more broad and varied in software that is run and the potential that you will run into SELinux issues (such as jch's dropbox issue).

"on my servers though...[i have it disabled]..." However most servers are ready targets, with ports open and attractive to someone trying to break in. Servers tend to have a stable software configuration and use cases, leading to SELinux being easier to maintain in the long run since behavior patterns aren't as likely to change constantly.
Yes, easier by comparison, and not saying its "easy". -greg rhelv6-list-bounces at redhat.com wrote on 12/03/2010 06:34:52 AM: > > Right. I've got it enabled on my desktop and laptops. On servers though... > > Sent from my iPhone > > On Dec 3, 2010, at 5:08 AM, "John Haxby" mailto:john.haxby at gmail.com>> wrote: > > > > On 3 December 2010 00:59, Marti, Robert < >RJM002 at shsu.edu> wrote: > SELinux scares people, to put it simply. Instead of fixing thinks to > work with it, it gets disabled so no one has to deal with it. I'd > rather fix it, but the normal complaint is lack of time to do it > right. I normally set it to permissive mode and make a note to come > back and address the issues later. So far later hasn't come. > > > This is an argument I have sympathy with. > > However, just short of three years ago I decided enough was enough > and I was going to get to grips with this thing on my laptop. So I > left selinux enabled.when I installed whatever was the current > Fedora at the time. > > As I recall, the only problem I had was with the web server I was > running(*) Fixing that was a matter of ten minutes between me and > google. Since that time I've picked up other selinux stuff > incrementally ? I'm far from being an expert but I'm not afraid of > selinux any more and I can make use of it after a fashion. (Fedora > 14 has a problem with some 32 bit apps and selinux but I can live > without dropbox for the moment.) > > jch > > > * yes, on a laptop: you have problem with that? 
:-) > _______________________________________________ > rhelv6-list mailing list > rhelv6-list at redhat.com > https://www.redhat.com/mailman/listinfo/rhelv6-list > > _______________________________________________ > rhelv6-list mailing list > rhelv6-list at redhat.com > https://www.redhat.com/mailman/listinfo/rhelv6-list From feldt at nhn.ou.edu Fri Dec 3 15:17:41 2010 From: feldt at nhn.ou.edu (Andy Feldt) Date: Fri, 03 Dec 2010 09:17:41 -0600 Subject: [rhelv6-list] selinux (not quite) disabled? In-Reply-To: References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <1291389461.17003.17.camel@faramir> It is maybe a bit difficult to get started, but it is doable on a server as well. I am beginning a transition from Solaris 10 to RHEL6 for our main server and have found that it just takes dealing with each new issue once. Your best friend is the sealert -a command applied to the audit log. I have (so far) only had to make one local SELinux policy and had to make use of chcon in a few other situations. Admittedly, this is much easier because I am able to start from scratch with a system that will not be deployed until I am happy with it. But, I think that having SELinux running will be a considerable asset. Andy On Fri, 2010-12-03 at 08:16 -0600, Greg_Swift at aotx.uscourts.gov wrote: > i'm not saying I've succeeded in convincing people to let me run SELinux in > enforcing anywhere, but think about the argument you just made: > > "I've got it [SELinux] enabled on my desktop and laptops", which while > useful, aren't as ready of targets for hackers (we are talking Linux not > Windows).. Desk/laptop environments are also more broad and varied in > software that is run and the potential that you will run into SELinux > issues (such as jch's dropbox issue). > > "on my servers though...[i have it disabled]..." However most servers are > ready targets, with ports open and attractive to someone trying to break > in. 
Servers tend to have a stable software configuration and use cases, > leading to SELinux being easier to maintain in the long run since behavior > patterns aren't as likely to change constantly. Yes, easier by comparison, > and not saying its "easy". > > -greg > > rhelv6-list-bounces at redhat.com wrote on 12/03/2010 06:34:52 AM: > > > > > Right. I've got it enabled on my desktop and laptops. On servers > though... > > > > Sent from my iPhone > > > > On Dec 3, 2010, at 5:08 AM, "John Haxby" > mailto:john.haxby at gmail.com>> wrote: > > > > > > > > On 3 December 2010 00:59, Marti, Robert < > >RJM002 at shsu.edu> wrote: > > SELinux scares people, to put it simply. Instead of fixing thinks to > > work with it, it gets disabled so no one has to deal with it. I'd > > rather fix it, but the normal complaint is lack of time to do it > > right. I normally set it to permissive mode and make a note to come > > back and address the issues later. So far later hasn't come. > > > > > > This is an argument I have sympathy with. > > > > However, just short of three years ago I decided enough was enough > > and I was going to get to grips with this thing on my laptop. So I > > left selinux enabled.when I installed whatever was the current > > Fedora at the time. > > > > As I recall, the only problem I had was with the web server I was > > running(*) Fixing that was a matter of ten minutes between me and > > google. Since that time I've picked up other selinux stuff > > incrementally ? I'm far from being an expert but I'm not afraid of > > selinux any more and I can make use of it after a fashion. (Fedora > > 14 has a problem with some 32 bit apps and selinux but I can live > > without dropbox for the moment.) > > > > jch > > > > > > * yes, on a laptop: you have problem with that? :-) From notting at redhat.com Fri Dec 3 15:29:21 2010 From: notting at redhat.com (Bill Nottingham) Date: Fri, 3 Dec 2010 10:29:21 -0500 Subject: [rhelv6-list] selinux (not quite) disabled? 
In-Reply-To: <44FF8448-F8B8-4934-A014-A356C75C0868@umich.edu>
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA4068@CHVPKNTXC5M.chvpk.chevrontexaco.net> <44FF8448-F8B8-4934-A014-A356C75C0868@umich.edu>
Message-ID: <20101203152920.GA28076@nostromo.devel.redhat.com>

Jonathan Billings (jsbillin at umich.edu) said:
> On Dec 2, 2010, at 7:38 PM, Collins, Kevin [BEELINE] wrote:
> > We don't see this in RHEL5, so apparently something has changed in selinux or how it is labelling. I'll follow up on the thread you mentioned.
>
> Actually, I believe the difference is in the 'ls' output, a newer version of the coreutils package is installed in RHEL6, which has been updated to show the '.' for SELinux attributes on a file.

Correct; the change is merely that ls is showing the SELinux label; the labels themselves were there in earlier RHEL.

Bill

From RJM002 at shsu.edu Fri Dec 3 15:31:55 2010
From: RJM002 at shsu.edu (Marti, Robert)
Date: Fri, 3 Dec 2010 09:31:55 -0600
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID:

Servers get weird applications that don't come with SELinux contexts, weird placement of files, etc...

I rarely use anything on my laptops/desktop that isn't in the Fedora repos. On my servers, however, I have things like Oracle, Blackboard, dotCMS, and other apps that don't play nice -at all- with SELinux. Sure, fewer things change on a daily basis, but there's *far* more of a starting curve.
Sent from my iPhone On Dec 3, 2010, at 8:48 AM, "Greg_Swift at aotx.uscourts.gov" wrote: > i'm not saying I've succeeded in convincing people to let me run SELinux in > enforcing anywhere, but think about the argument you just made: > > "I've got it [SELinux] enabled on my desktop and laptops", which while > useful, aren't as ready of targets for hackers (we are talking Linux not > Windows).. Desk/laptop environments are also more broad and varied in > software that is run and the potential that you will run into SELinux > issues (such as jch's dropbox issue). > > "on my servers though...[i have it disabled]..." However most servers are > ready targets, with ports open and attractive to someone trying to break > in. Servers tend to have a stable software configuration and use cases, > leading to SELinux being easier to maintain in the long run since behavior > patterns aren't as likely to change constantly. Yes, easier by comparison, > and not saying its "easy". > > -greg > > rhelv6-list-bounces at redhat.com wrote on 12/03/2010 06:34:52 AM: > >> >> Right. I've got it enabled on my desktop and laptops. On servers > though... >> >> Sent from my iPhone >> >> On Dec 3, 2010, at 5:08 AM, "John Haxby" > mailto:john.haxby at gmail.com>> wrote: >> >> >> >> On 3 December 2010 00:59, Marti, Robert <>> RJM002 at shsu.edu> wrote: >> SELinux scares people, to put it simply. Instead of fixing thinks to >> work with it, it gets disabled so no one has to deal with it. I'd >> rather fix it, but the normal complaint is lack of time to do it >> right. I normally set it to permissive mode and make a note to come >> back and address the issues later. So far later hasn't come. >> >> >> This is an argument I have sympathy with. >> >> However, just short of three years ago I decided enough was enough >> and I was going to get to grips with this thing on my laptop. So I >> left selinux enabled.when I installed whatever was the current >> Fedora at the time. 
>> >> As I recall, the only problem I had was with the web server I was >> running(*) Fixing that was a matter of ten minutes between me and >> google. Since that time I've picked up other selinux stuff >> incrementally ? I'm far from being an expert but I'm not afraid of >> selinux any more and I can make use of it after a fashion. (Fedora >> 14 has a problem with some 32 bit apps and selinux but I can live >> without dropbox for the moment.) >> >> jch >> >> >> * yes, on a laptop: you have problem with that? :-) >> _______________________________________________ >> rhelv6-list mailing list >> rhelv6-list at redhat.com >> https://www.redhat.com/mailman/listinfo/rhelv6-list >> >> _______________________________________________ >> rhelv6-list mailing list >> rhelv6-list at redhat.com >> https://www.redhat.com/mailman/listinfo/rhelv6-list From Greg_Swift at aotx.uscourts.gov Fri Dec 3 16:06:00 2010 From: Greg_Swift at aotx.uscourts.gov (Greg_Swift at aotx.uscourts.gov) Date: Fri, 3 Dec 2010 10:06:00 -0600 Subject: [rhelv6-list] selinux (not quite) disabled? In-Reply-To: References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: Obviously a server is likely to have more than just an out of the box configuration. But anyways... if i remember correctly, wasn't one of the changes in the RHEL6 SELinux the ability to section off where SELinux is enforcing versus not, so that it isn't an all or nothing thing? -greg "Marti, Robert" wrote on 12/03/2010 09:31:55 AM: > Servers get weird applications that don't come with SELinux > contexts, weird placement of files, etc... > > I rarely use anything on my laptops/desktop that isn't in the Fedora > repos. On my servers, however, I have things like Oracle, > Blackboard, dotCMS, an other apps that don't play nice -at all- with > SELinux. Sure, fewer things change on a daily basis, but theres > *far* more of a starting curve. 
> > Sent from my iPhone > > On Dec 3, 2010, at 8:48 AM, "Greg_Swift at aotx.uscourts.gov" > wrote: > > > i'm not saying I've succeeded in convincing people to let me run SELinux in > > enforcing anywhere, but think about the argument you just made: > > > > "I've got it [SELinux] enabled on my desktop and laptops", which while > > useful, aren't as ready of targets for hackers (we are talking Linux not > > Windows).. Desk/laptop environments are also more broad and varied in > > software that is run and the potential that you will run into SELinux > > issues (such as jch's dropbox issue). > > > > "on my servers though...[i have it disabled]..." However most servers are > > ready targets, with ports open and attractive to someone trying to break > > in. Servers tend to have a stable software configuration and use cases, > > leading to SELinux being easier to maintain in the long run since behavior > > patterns aren't as likely to change constantly. Yes, easier by comparison, > > and not saying its "easy". > > > > -greg > > > > rhelv6-list-bounces at redhat.com wrote on 12/03/2010 06:34:52 AM: > > > >> > >> Right. I've got it enabled on my desktop and laptops. On servers > > though... > >> > >> Sent from my iPhone > >> > >> On Dec 3, 2010, at 5:08 AM, "John Haxby" >> mailto:john.haxby at gmail.com>> wrote: > >> > >> > >> > >> On 3 December 2010 00:59, Marti, Robert < >>> RJM002 at shsu.edu> wrote: > >> SELinux scares people, to put it simply. Instead of fixing thinks to > >> work with it, it gets disabled so no one has to deal with it. I'd > >> rather fix it, but the normal complaint is lack of time to do it > >> right. I normally set it to permissive mode and make a note to come > >> back and address the issues later. So far later hasn't come. > >> > >> > >> This is an argument I have sympathy with. > >> > >> However, just short of three years ago I decided enough was enough > >> and I was going to get to grips with this thing on my laptop. 
So I > >> left selinux enabled.when I installed whatever was the current > >> Fedora at the time. > >> > >> As I recall, the only problem I had was with the web server I was > >> running(*) Fixing that was a matter of ten minutes between me and > >> google. Since that time I've picked up other selinux stuff > >> incrementally ? I'm far from being an expert but I'm not afraid of > >> selinux any more and I can make use of it after a fashion. (Fedora > >> 14 has a problem with some 32 bit apps and selinux but I can live > >> without dropbox for the moment.) > >> > >> jch > >> > >> > >> * yes, on a laptop: you have problem with that? :-) > >> _______________________________________________ > >> rhelv6-list mailing list > >> rhelv6-list at redhat.com > >> https://www.redhat.com/mailman/listinfo/rhelv6-list > >> > >> _______________________________________________ > >> rhelv6-list mailing list > >> rhelv6-list at redhat.com > >> https://www.redhat.com/mailman/listinfo/rhelv6-list From solarflow99 at gmail.com Fri Dec 3 20:07:43 2010 From: solarflow99 at gmail.com (solarflow99) Date: Fri, 3 Dec 2010 12:07:43 -0800 Subject: [rhelv6-list] selinux (not quite) disabled? In-Reply-To: References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: On Fri, Dec 3, 2010 at 8:06 AM, wrote: > Obviously a server is likely to have more than just an out of the box > configuration. > > But anyways... if i remember correctly, wasn't one of the changes in the > RHEL6 SELinux the ability to section off where SELinux is enforcing versus > not, so that it isn't an all or nothing thing? ya, I think it is unconfined_t. Fedora has had it for a long time now. I sure wouldn't want to turn selinux off on a production server. 
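An added example for the SELinux messages in this thread that describe working through denials from the audit log and fixing each one with a relabel (chcon) or a local policy; it is not code from any poster. It groups AVC denials by source domain, target type and object class so that each distinct issue is dealt with once. The sample records are constructed, and the "label first, policy otherwise" hint is a simplifying assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the audit.log record format (not taken from the thread).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1291389461.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1291389461.102:202): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/srv/web/index.html" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1291389461.102:202): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1291389470.310:215): avc:  denied  { search } for  pid=2101 comm="httpd" name="web" dev=dm-0 ino=130 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1291389502.007:230): avc:  denied  { name_connect } for  pid=2150 comm="httpd" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1291389600.500:260): avc:  granted  { setenforce } for  pid=3000 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
'''

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes whose label is stored on a filesystem object.
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}


def context_type(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else "?"


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(log_text):
    """Group denials by (source type, target type, class); 'granted' records are skipped."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["comms"].add(rec["comm"])
        if rec["object"]:
            g["objects"].add(rec["object"])
    return dict(groups)


def triage_hint(tclass):
    """Heuristic (assumption of this example): for file-like classes check the
    object's label first; anything else is a candidate for a local policy change."""
    return "label" if tclass in FILE_CLASSES else "policy"


def report(log_text):
    """One line per distinct denial group, most frequent first."""
    out = []
    groups = summarize_denials(log_text)
    for (src, tgt, tclass), g in sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        out.append("%dx %s -> %s:%s { %s } comm=%s first-check=%s" % (
            g["count"], src, tgt, tclass, " ".join(sorted(g["perms"])),
            ",".join(sorted(g["comms"])), triage_hint(tclass)))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```
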
From prentice at ias.edu Fri Dec 3 20:28:21 2010
From: prentice at ias.edu (Prentice Bisbal)
Date: Fri, 03 Dec 2010 15:28:21 -0500
Subject: [rhelv6-list] Problems with authconfig
Message-ID: <4CF952E5.9060806@ias.edu>

I'm still testing with Beta 6, so please forgive me if this problem has been fixed in 6. I searched bugzilla and couldn't find it listed there.

I'm trying to setup my LDAP authentication with SSSD in kickstart. Since kickstart just calls authconfig with the correct options, I figured I'd use the output of 'authconfig --help' to see what options I needed to do this, which shows this option:

$ authconfig --help | grep cert
--ldaploadcacert= load CA certificate from the URL

However, this doesn't work:

authconfig --update --ldaploadcert="/url/to/cert" ...
Usage: authconfig [options] {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}

authconfig: error: no such option: --ldaploadcert

The man page doesn't document the --ldaploadcert. So there are two things wrong:

1. The output of 'authconfig --help' is wrong
2. There should be a way to setup LDAP authentication without resorting to scripting it yourself in kickstart. (IMHO)

--
Prentice

From cmadams at hiwaay.net Fri Dec 3 20:50:32 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Fri, 3 Dec 2010 14:50:32 -0600
Subject: [rhelv6-list] Problems with authconfig
In-Reply-To: <4CF952E5.9060806@ias.edu>
References: <4CF952E5.9060806@ias.edu>
Message-ID: <20101203205032.GE5664@hiwaay.net>

Once upon a time, Prentice Bisbal said:
> I'm trying to setup my LDAP authentication with SSSD in kickstart. Since
> kickstart just calls authconfig with the correct options, I figured I'd
> use the output of 'authconfig --help' to see what options I needed to do
> this, which shows this option:

"CA cert" != "cert" - the option is (all lower case but upper case for emphasis) --ldaploadCAcert, not --ldaploadcert.
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From dxh at yahoo.com Fri Dec 3 21:13:13 2010
From: dxh at yahoo.com (Don Hoover)
Date: Fri, 3 Dec 2010 13:13:13 -0800 (PST)
Subject: [rhelv6-list] selinux (not quite) disabled?
Message-ID: <361158.70381.qm@web120705.mail.ne1.yahoo.com>

I am targeting RHEL6 for when we FINALLY turn SELinux on. Using the targeted policy it does not really cause much of an issue from what I can see in my testing.

This will not affect any of our 'in-house' software, because it's really only going to come into play for the stuff that is provided and targeted with the RHEL distro such as MySQL, APACHE etc and SELinux only comes into play there if you do something out of the defaults such as not using /var/www for apache etc..and it's not hard to add additional paths into the apache contexts so they work.

The redhat docs have been greatly improved now that there is the 'using confined services' manual that pretty much gives examples on how to manage all the 'targeted' applications and fix any issues that come up such as the above mentioned apache alternate location one.

I say try it, and with just a little patience you can live with it and take advantage of the excellent protections it gives all the standard services.

From gsgatlin at ncsu.edu Fri Dec 3 21:33:05 2010
From: gsgatlin at ncsu.edu (Gary Gatling)
Date: Fri, 3 Dec 2010 16:33:05 -0500 (EST)
Subject: [rhelv6-list] weird clock applet question on locations
Message-ID:

Hello,

I am trying to change the default location in the clock applet from being Boston Ma. to Raleigh, NC. in RHEL 6 for our labs. I want to do this so that the weather icon shows up for any lab users and so that it shows the correct weather for my location in Raleigh.

I installed a fresh machine and configured the panel the way I want it. I deleted Boston Ma. and added Raleigh, NC. by hand as I configured the panel.
Then I ran:

gconftool-2 --dump /apps/panel > my-panel-setup.entries

and set up on a fresh install on another machine:

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --load my-panel-setup.entries

Everything is "almost" correct. My icons are all set up on the panel the way I want them. But when I click on the clock applet, it shows my location in Raleigh as a blinking red / white dot. When I hover over the analog clock in the GUI, a "set..." button pops up. When I click on the "set..." button it prompts me for the root password and then it changes the dot into a blue "house" icon. After this "set..." button has been clicked on the weather icon magically appears in the panel with the correct weather for my location. For "all" users on the system. (not just my account)

Does anyone know how I can programmatically do that with a command? /etc/localtime seems to be the same on both machines. I've looked at the sources to the gnome-panel rpm but it's a lot of code and I can't seem to figure this one out on my own. :(

Thanks for any ideas anyone has? Do you think it will be possible to do what I am trying to do? (change clock applet to show weather in Raleigh, NC.)

Gary Gatling | ITECS Systems

From KCollins at chevron.com Fri Dec 3 21:51:35 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Fri, 3 Dec 2010 13:51:35 -0800
Subject: [rhelv6-list] Problem with ldap
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA3FA9@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA3F83@CHVPKNTXC5M.chvpk.chevrontexaco.net><4CF7DB32.403@ias.edu> <86E21A982A7C5249956350A6746108C201FA3FA9@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <86E21A982A7C5249956350A6746108C201FA4105@CHVPKNTXC5M.chvpk.chevrontexaco.net>

Related to this issue, do I still need /etc/ldap.conf or has /etc/pam_ldap.conf basically replaced that?
-----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE] Sent: Thursday, December 02, 2010 10:29 AM To: Prentice Bisbal; rhelv6-list at redhat.com Subject: Re: [rhelv6-list] Problem with ldap Thanks - I plan to look in to SSSD, but was trying to work my way from "known" towards "unknown" :) However, your reply hit one thing I forgot - I had not yet restarted nscd... that fixed the issue I was seeing and things appear to be working as expected now. Kevin -----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Prentice Bisbal Sent: Thursday, December 02, 2010 9:45 AM To: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] Problem with ldap Collins, Kevin [BEELINE] wrote: > I have been using pam/nss_ldap with RHEL3 thru RHEL5. I am starting to > test on RHEL6 and have run into a problem. > > > > I figured out that I need pam_ldap and nss-pam-ldapd, but I am having > some troubles getting things to work correctly. I think I have the > /etc/pam_ldap.conf and /etc/nslcd.conf files correct, but I am seeing > some strange behavior. > > > > As an example, I have an ?oracle? ID in LDAP: > > > > # grep oracle /etc/passwd > > > > # getent passwd | grep ^oracle: > > oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh > > > > # getent passwd oracle > > > > # ldapsearch -LLL -x "(uid=oracle)" > > dn: uid=oracle,ou=People,dc=afis,dc=sr > > uid: oracle > > cn: Oracle Owner > > objectClass: account > > objectClass: posixAccount > > objectClass: top > > userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio= > > loginShell: /usr/bin/sh > > uidNumber: 200 > > gidNumber: 200 > > homeDirectory: /oracle > > gecos: Oracle Owner > > > > I can?t figure out why getent (or id, or groups, etc) can?t resolve > specific IDs from LDAP, but I can get obviously read the data... > > > > Any ideas? 
>

Kevin,

I was configuring PAM/LDAP/NSS on RHEL6 for the first time yesterday myself. After getting nscd and nslcd configured correctly, I was able to make this work, but then I switched to using sssd for my name services/PAM.

SSSD appears to be the RH "blessed" method for handling this sort of stuff, and if you ever use authconfig, it will configure sssd to perform these functions. You should look into switching to sssd, to avoid RH utils from "fixing" things for you in the future.

Have you tried using strace on getent to see what functions are being called and what errors are being reported? I would also turn on logging on your ldap server and do a tail -f while running getent to see if search being performed by 'getent passwd oracle' is being transformed into something other than what your server needs to get a result.

--
Prentice

From prentice at ias.edu Fri Dec 3 22:06:56 2010
From: prentice at ias.edu (Prentice Bisbal)
Date: Fri, 03 Dec 2010 17:06:56 -0500
Subject: [rhelv6-list] Problem with ldap
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA4105@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA3F83@CHVPKNTXC5M.chvpk.chevrontexaco.net><4CF7DB32.403@ias.edu> <86E21A982A7C5249956350A6746108C201FA3FA9@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA4105@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <4CF96A00.6000409@ias.edu>

That depends:

If you are using SSSD, you only need to configure the files in /etc/sssd.

If you are using nss-pam-ldap, you need to configure /etc/pam_ldap.conf and /etc/nslcd.conf.
If you used the openldap client programs (ldapsearch, ldapmodify, etc.), you will still need to configure /etc/openldap/ldap.conf. -- Prentice Collins, Kevin [BEELINE] wrote: > Related to this issue, do I still need /etc/ldap.conf or has /etc/pam_ldap.conf basically repalced that? > > -----Original Message----- > From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE] > Sent: Thursday, December 02, 2010 10:29 AM > To: Prentice Bisbal; rhelv6-list at redhat.com > Subject: Re: [rhelv6-list] Problem with ldap > > Thanks - I plan to look in to SSSD, but was trying to work my way from "known" towards "unknown" :) > > However, your reply hit one thing I forgot - I had not yet restarted nscd... that fixed the issue I was seeing and things appear to be working as expected now. > > Kevin > > -----Original Message----- > From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Prentice Bisbal > Sent: Thursday, December 02, 2010 9:45 AM > To: rhelv6-list at redhat.com > Subject: Re: [rhelv6-list] Problem with ldap > > Collins, Kevin [BEELINE] wrote: >> I have been using pam/nss_ldap with RHEL3 thru RHEL5. I am starting to >> test on RHEL6 and have run into a problem. >> >> >> >> I figured out that I need pam_ldap and nss-pam-ldapd, but I am having >> some troubles getting things to work correctly. I think I have the >> /etc/pam_ldap.conf and /etc/nslcd.conf files correct, but I am seeing >> some strange behavior. >> >> >> >> As an example, I have an ?oracle? 
ID in LDAP: >> >> >> >> # grep oracle /etc/passwd >> >> >> >> # getent passwd | grep ^oracle: >> >> oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh >> >> >> >> # getent passwd oracle >> >> >> >> # ldapsearch -LLL -x "(uid=oracle)" >> >> dn: uid=oracle,ou=People,dc=afis,dc=sr >> >> uid: oracle >> >> cn: Oracle Owner >> >> objectClass: account >> >> objectClass: posixAccount >> >> objectClass: top >> >> userPassword:: e2NyeXB0fU5vX0xvZ2luKioqKio= >> >> loginShell: /usr/bin/sh >> >> uidNumber: 200 >> >> gidNumber: 200 >> >> homeDirectory: /oracle >> >> gecos: Oracle Owner >> >> >> >> I can?t figure out why getent (or id, or groups, etc) can?t resolve >> specific IDs from LDAP, but I can get obviously read the data... >> >> >> >> Any ideas? >> > > Kevin, > > I was configuring PAM/LDAP/NSS on RHEL6 for the first time yesrerday > myself. After getting nscd and nslcd configured correctly, I was able > to make this work, but then I switched to using sssd for my name > services/PAM. > > SSSD appears to be the RH "blessed" method for handling this sort of > stuff, and if you ever use authconfig, it will configure sssd to perform > these functions. You should look into switching to sssd, to avoid RH > utils from "fixing" things for you in the future. > > Have you tried using strace on getent to see what functions are being > called and what errors are being reports? I would also turn on logging > on your ldap server and do a tail -f while running getent to see if > search being performed by 'getent passwd oracle' is being tranformed > into something other than what your server needs to get a result. 
>
>

From nalin at redhat.com Fri Dec 3 22:07:43 2010
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 3 Dec 2010 17:07:43 -0500
Subject: [rhelv6-list] Problem with ldap
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA4105@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA3F83@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4CF7DB32.403@ias.edu> <86E21A982A7C5249956350A6746108C201FA3FA9@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA4105@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <20101203220743.GA25845@redhat.com>

On Fri, Dec 03, 2010 at 01:51:35PM -0800, Collins, Kevin [BEELINE] wrote:
> Related to this issue, do I still need /etc/ldap.conf or has
> /etc/pam_ldap.conf basically replaced that?

The short answer is that you should just need /etc/pam_ldap.conf for pam_ldap and /etc/nslcd.conf for nslcd (or /etc/sssd/sssd.conf for sssd).

The /etc/openldap/ldap.conf file should still be used by the OpenLDAP libraries and command-line tools, though tools like pam_ldap and nslcd that provide their own configuration files will override any defaults that come from /etc/openldap/ldap.conf with values from their own configurations, if they pick up defaults from it at all.

The /etc/ldap.conf file _shouldn't_ be needed, but you may find places where someone thought that pulling some of the settings from it (host, base, uri, some TLS settings) while ignoring others (some TLS settings, connection timeouts, schema mapping) would work well enough. Mileage varies in those cases.
HTH, Nalin From KCollins at chevron.com Fri Dec 3 22:43:43 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 3 Dec 2010 14:43:43 -0800 Subject: [rhelv6-list] Problem with ldap In-Reply-To: <20101203220743.GA25845@redhat.com> References: <86E21A982A7C5249956350A6746108C201FA3F83@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4CF7DB32.403@ias.edu> <86E21A982A7C5249956350A6746108C201FA3FA9@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA4105@CHVPKNTXC5M.chvpk.chevrontexaco.net> <20101203220743.GA25845@redhat.com> Message-ID: <86E21A982A7C5249956350A6746108C201FA410E@CHVPKNTXC5M.chvpk.chevrontexaco.net> Thanks. On close inspection I found that my old /etc/ldap.conf was almost identical to the /etc/pam_ldap.conf that I have been using in RHEL3 and RHEL5, with the exception of what I added. Kevin -----Original Message----- From: Nalin Dahyabhai [mailto:nalin at redhat.com] Sent: Friday, December 03, 2010 2:08 PM To: Collins, Kevin [BEELINE] Cc: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] Problem with ldap On Fri, Dec 03, 2010 at 01:51:35PM -0800, Collins, Kevin [BEELINE] wrote: > Related to this issue, do I still need /etc/ldap.conf or has > /etc/pam_ldap.conf basically repalced that? The short answer is that you should just need /etc/pam_ldap.conf for pam_ldap and /etc/nslcd.conf for nslcd (or /etc/sssd/sssd.conf for sssd). The /etc/openldap/ldap.conf file should still be used by the OpenLDAP libraries and command-line tools, though tools like pam_ldap and nslcd that provide their own configuration files will override any defaults that come from from /etc/openldap/ldap.conf with values from their own configurations, if they pick up defaults from it at all. 
The /etc/ldap.conf file _shouldn't_ be needed, but you may find places where someone thought that pulling some of the settings from it (host, base, uri, some TLS settings) while ignoring others (some TLS settings, connection timeouts, schema mapping) would work well enough. Mileage varies in those cases. HTH, Nalin From richards at mailbox.sc.edu Fri Dec 3 23:14:49 2010 From: richards at mailbox.sc.edu (John E. Richards) Date: Fri, 03 Dec 2010 18:14:49 -0500 Subject: [rhelv6-list] Setup for SSSD winbind In-Reply-To: <86E21A982A7C5249956350A6746108C201FA410E@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: On 12/3/10 5:43 PM, "Collins, Kevin [BEELINE]" wrote: > Thanks. On close inspection I found that my old /etc/ldap.conf was > almost identical to the /etc/pam_ldap.conf that I have been using in > RHEL3 and RHEL5, with the exception of what I added. > > Kevin > > -----Original Message----- > From: Nalin Dahyabhai [mailto:nalin at redhat.com] > Sent: Friday, December 03, 2010 2:08 PM > To: Collins, Kevin [BEELINE] I am trying to setup winbind for RHEL6. In RHEL5 I used the system-config-authentication GUI and it worked fine. I also tweaked the nssswitch.conf and smb.conf for other configurations, but the GUI setup worked without doing so. I have tried the GUI for RHEL6 and it appears to work; and the computer can join the domain. However, I cannot get user information from the ADS domain; wbinfo says it is not found; cannot log onto the computer with the ADS username/password. I have also used the authconfig command as it worked with RHEL 5. My ADS server is W 2008 server. I understand that the sssd service now does the work of the services in RHEL5. However, I cannot quite figure out how to use it. I have tried to follow the deployment guide, but can follow it. If someone can point me to the tasks I need to do in RHEL6 I would appreciate it. I would like to move to the SSSD if that is necessary. John *********************************************** John E. 
Richards Carolina Distinguished Professor Department of Psychology University of South Carolina Columbia, SC 29208 Dept Phone: 803 777 2079 Fax: 803 777 9558 Email: richards-john at sc.edu HTTP: jerlab.psych.sc.edu ************************************************* From KCollins at chevron.com Fri Dec 3 23:19:55 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 3 Dec 2010 15:19:55 -0800 Subject: [rhelv6-list] disable shadow in kickstart? Message-ID: <86E21A982A7C5249956350A6746108C201FA4114@CHVPKNTXC5M.chvpk.chevrontexaco.net> I have just confirmed that with no --enableshadow or --useshadow in my kickstart file, I am still ending up with a shadow-enabled system. There is no option listed to disable shadow, and the Installation Guide says "By default, passwords are normally encrypted and are not shadowed." Of course, this is about the 3rd or 4th item in the manual I have found to be completely wrong... Any ideas? I can always turn it off after kickstart, but would rather prevent it to begin with. Thanks, Kevin -------------- next part -------------- An HTML attachment was scrubbed... URL: From KCollins at chevron.com Fri Dec 3 23:36:54 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 3 Dec 2010 15:36:54 -0800 Subject: [rhelv6-list] Setup for SSSD winbind In-Reply-To: References: <86E21A982A7C5249956350A6746108C201FA410E@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C201FA4116@CHVPKNTXC5M.chvpk.chevrontexaco.net> John, You should really not "hijack" a thread for a new topic. You would be better served starting a new thread for your problem rather than responding to an existing thread and changing the subject! Kevin -----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of John E. 
Richards Sent: Friday, December 03, 2010 3:15 PM To: rhelv6-list at redhat.com Subject: [rhelv6-list] Setup for SSSD winbind On 12/3/10 5:43 PM, "Collins, Kevin [BEELINE]" wrote: > Thanks. On close inspection I found that my old /etc/ldap.conf was > almost identical to the /etc/pam_ldap.conf that I have been using in > RHEL3 and RHEL5, with the exception of what I added. > > Kevin > > -----Original Message----- > From: Nalin Dahyabhai [mailto:nalin at redhat.com] > Sent: Friday, December 03, 2010 2:08 PM > To: Collins, Kevin [BEELINE] I am trying to setup winbind for RHEL6. In RHEL5 I used the system-config-authentication GUI and it worked fine. I also tweaked the nssswitch.conf and smb.conf for other configurations, but the GUI setup worked without doing so. I have tried the GUI for RHEL6 and it appears to work; and the computer can join the domain. However, I cannot get user information from the ADS domain; wbinfo says it is not found; cannot log onto the computer with the ADS username/password. I have also used the authconfig command as it worked with RHEL 5. My ADS server is W 2008 server. I understand that the sssd service now does the work of the services in RHEL5. However, I cannot quite figure out how to use it. I have tried to follow the deployment guide, but can follow it. If someone can point me to the tasks I need to do in RHEL6 I would appreciate it. I would like to move to the SSSD if that is necessary. John *********************************************** John E. 
Richards Carolina Distinguished Professor Department of Psychology University of South Carolina Columbia, SC 29208 Dept Phone: 803 777 2079 Fax: 803 777 9558 Email: richards-john at sc.edu HTTP: jerlab.psych.sc.edu ************************************************* _______________________________________________ rhelv6-list mailing list rhelv6-list at redhat.com https://www.redhat.com/mailman/listinfo/rhelv6-list From richards at mailbox.sc.edu Fri Dec 3 23:40:00 2010 From: richards at mailbox.sc.edu (John E. Richards) Date: Fri, 03 Dec 2010 18:40:00 -0500 Subject: [rhelv6-list] Setup for SSSD winbind In-Reply-To: Message-ID: (sorry about the previous post; I forgot to delete all the other part of the thread) I am trying to setup winbind for RHEL6. In RHEL5 I used the system-config-authentication GUI and it worked fine. I also tweaked the nssswitch.conf and smb.conf for other configurations, but the GUI setup worked without doing so. I have tried the GUI for RHEL6 and it appears to work; and the computer can join the domain. However, I cannot get user information from the ADS domain; wbinfo says it is not found; cannot log onto the computer with the ADS username/password. I have also used the authconfig command as it worked with RHEL 5. My ADS server is W 2008 server. I understand that the sssd service now does the work of the services in RHEL5. However, I cannot quite figure out how to use it. I have tried to follow the deployment guide, but cannot follow it. If someone can point me to the tasks I need to do in RHEL6 I would appreciate it. I would like to move to the SSSD if that is necessary. John *********************************************** John E. 
Richards Carolina Distinguished Professor Department of Psychology University of South Carolina Columbia, SC 29208 Dept Phone: 803 777 2079 Fax: 803 777 9558 Email: richards-john at sc.edu HTTP: jerlab.psych.sc.edu ************************************************* From janfrode at tanso.net Sat Dec 4 11:28:56 2010 From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Sat, 4 Dec 2010 12:28:56 +0100 Subject: [rhelv6-list] selinux (not quite) disabled? In-Reply-To: References: <86E21A982A7C5249956350A6746108C201FA4020@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <20101204112856.GB7493@oc1046828364.ibm.com> On Fri, Dec 03, 2010 at 12:07:43PM -0800, solarflow99 wrote: > On Fri, Dec 3, 2010 at 8:06 AM, wrote: > > Obviously a server is likely to have more than just an out of the box > > configuration. > > > > But anyways... if i remember correctly, wasn't one of the changes in the > > RHEL6 SELinux the ability to section off where SELinux is enforcing versus > > not, so that it isn't an all or nothing thing? > > ya, I think it is unconfined_t. Fedora has had it for a long time > now. I sure wouldn't want to turn selinux off on a production server. > No, I believe the change is that you now can put domains in permissive mode. So it's no longer an all (SELINUX=enforcing) or nothing (SELINUX=permissive) setting any more, but now you can put f.ex. the webserver into permissive mode, without opening up everything. http://lwn.net/Articles/303216/ -jf From lowen at pari.edu Sat Dec 4 16:41:00 2010 From: lowen at pari.edu (Lamar Owen) Date: Sat, 4 Dec 2010 11:41:00 -0500 Subject: [rhelv6-list] selinux (not quite) disabled? 
In-Reply-To: References: Message-ID: <201012041141.00361.lowen@pari.edu> On Friday, December 03, 2010 09:16:13 am Greg_Swift at aotx.uscourts.gov wrote: > i'm not saying I've succeeded in convincing people to let me run SELinux in > enforcing anywhere, but think about the argument you just made: > > "I've got it [SELinux] enabled on my desktop and laptops", which while > useful, aren't as ready of targets for hackers (we are talking Linux not > Windows).. Desk/laptop environments are also more broad and varied in > software that is run and the potential that you will run into SELinux > issues (such as jch's dropbox issue). As desktop use is probably going to involve web browsing (either on an intranet site, or the Internet), and perhaps PDF files enter the picture, and as those are the prime vectors for attacks, and as much personal information as can be swiped is the new target of data thieves, the desktop should be locked down tighter in many ways than the server. I don't care if my desktop gets rooted as much as I care whether a web/flash/PDF exploit just made off with banking/credit card/tax/other financial details and files. (Of course I do care if it gets rooted; but with a proper SELinux policy in place it would be possible to keep root away from my files, too, for that matter; I just care more if an identity thief meets success without rooting my desktop). SELinux is the ideal tool to keep PDF readers like Adobe Reader away from anything but PDF files and unable to write to anything except to save a file that doesn't already exist, or to only save things in certain places for triage/scanning. It's the ideal thing to keep Flash from even accessing ~/Documents, or for Firefox to only be able to write to .mozilla and maybe ~/Downloads, and not to be able to read from anywhere unless the user gives specific permission to do so. The desktop-oriented tools aren't quite up to the usability needs of that use case, unfortunately, although they are getting better. 
Yes, there will be issues that arise. But if SELinux can keep a Firefox/Opera/Chrome exploit from working, or better, from gaining root, then it's a win, even if it's inconvenient at times. I know the bias is typically towards servers as being the most attractive targets; no, at this point I think mobile is going to be the most attractive target, with desktops a close second and servers in third place. IMHO, of course, and YMMV. From phil at elrepo.org Sun Dec 5 17:19:25 2010 From: phil at elrepo.org (Phil Perry) Date: Sun, 05 Dec 2010 17:19:25 +0000 Subject: [rhelv6-list] ELRepo support for RHEL6 Message-ID: <4CFBC99D.7060507@elrepo.org> Dear List, The ELRepo Project would like to announce support for RHEL6. http://elrepo.org The ELRepo Project is a 3rd party repository providing updated device drivers for Red Hat Enterprise Linux (RHEL), versions 5 and 6. ELRepo uses Red Hat's Driver Update Programme to facilitate the packaging of updated drivers (kernel modules) in the form of kABI-compatible kmod packages. The main advantage of this technique is that updated drivers will function seamlessly across kernel updates where kABI-compatibility is retained, thus drivers do not need to be recompiled against each new kernel update. ELRepo currently has a number of kmod packages available for RHEL6, including DRBD, ndiswrapper, NVIDIA graphics drivers and a number of updated vendor NIC drivers from Intel and Realtek. We are currently working on porting more packages from our EL5 tree. The ELRepo Project would welcome feedback from RHEL users, either on our bug reporting site or our mailing lists: http://elrepo.org/bugs http://elrepo.org/tiki/MailingLists Thanks. The ELRepo Team. From solarflow99 at gmail.com Sun Dec 5 20:33:57 2010 From: solarflow99 at gmail.com (solarflow99) Date: Sun, 5 Dec 2010 12:33:57 -0800 Subject: [rhelv6-list] ELRepo support for RHEL6 In-Reply-To: <4CFBC99D.7060507@elrepo.org> References: <4CFBC99D.7060507@elrepo.org> Message-ID: Hi, nice work. 
I see a lot of those packages exist in rpmfusion already, is this supposed to be different from epel?

On Sun, Dec 5, 2010 at 9:19 AM, Phil Perry wrote:
> Dear List,
>
> The ELRepo Project would like to announce support for RHEL6.
>
> http://elrepo.org
>
> The ELRepo Project is a 3rd party repository providing updated device
> drivers for Red Hat Enterprise Linux (RHEL), versions 5 and 6. ELRepo uses
> Red Hat's Driver Update Programme to facilitate the packaging of updated
> drivers (kernel modules) in the form of kABI-compatible kmod packages. The
> main advantage of this technique is that updated drivers will function
> seamlessly across kernel updates where kABI-compatibility is retained, thus
> drivers do not need to be recompiled against each new kernel update.
>
> ELRepo currently has a number of kmod packages available for RHEL6,
> including DRBD, ndiswrapper, NVIDIA graphics drivers and a number of updated
> vendor NIC drivers from Intel and Realtek. We are currently working on
> porting more packages from our EL5 tree.
>
> The ELRepo Project would welcome feedback from RHEL users, either on our bug
> reporting site or our mailing lists:
>
> http://elrepo.org/bugs
> http://elrepo.org/tiki/MailingLists
>
> Thanks.
>
> The ELRepo Team.

From phil at elrepo.org Mon Dec 6 00:25:26 2010
From: phil at elrepo.org (Phil Perry)
Date: Mon, 06 Dec 2010 00:25:26 +0000
Subject: [rhelv6-list] ELRepo support for RHEL6
In-Reply-To:
References: <4CFBC99D.7060507@elrepo.org>
Message-ID: <4CFC2D76.7070609@elrepo.org>

On 05/12/10 20:33, solarflow99 wrote:
> Hi, nice work. I see a lot of those packages exist in rpmfusion
> already, is this supposed to be different from epel?
>

Thanks.
As I understand it, RPMFusion currently caters for Fedora, not RHEL, although I understand there might be some interest in supporting RHEL6 in the future. EPEL does support RHEL, but I see little/no package overlap with what ELRepo is doing. ELRepo specialises in a very small niche of kABI-tracking kmod packages aimed specifically at backporting updated kernel drivers for enhanced hardware support. This could be backporting a driver from upstream that provides functionality otherwise missing in RHEL (for example, DRBD in RHEL6), or providing (backporting) a newer version of an existing kernel driver that might provide a bug fix or support newer hardware revisions. ELRepo is not necessarily designed or intended for widespread usage. In an ideal world all your hardware will just work with RHEL. If the default kernel driver works for you then you should use it. It is only when it doesn't that you might need a package from ELRepo and even then we hope our packages eventually become deprecated as and when such functionality gets backported to future RHEL kernel releases. > > On Sun, Dec 5, 2010 at 9:19 AM, Phil Perry wrote: >> Dear List, >> >> The ELRepo Project would like to announce support for RHEL6. >> >> http://elrepo.org >> >> The ELRepo Project is a 3rd party repository providing updated device >> drivers for Red Hat Enterprise Linux (RHEL), versions 5 and 6. ELRepo uses >> Red Hat's Driver Update Programme to facilitate the packaging of updated >> drivers (kernel modules) in the form of kABI-compatible kmod packages. The >> main advantage of this technique is that updated drivers will function >> seamlessly across kernel updates where kABI-compatibility is retained, thus >> drivers do not need to be recompiled against each new kernel update. >> >> ELRepo currently has a number of kmod packages available for RHEL6, >> including DRBD, ndiswrapper, NVIDIA graphics drivers and a number of updated >> vendor NIC drivers from Intel and Realtek. 
We are currently working on >> porting more packages from our EL5 tree. >> >> The ELRepo Project would welcome feedback from RHEL users, either on our bug >> reporting site or our mailing lists: >> >> http://elrepo.org/bugs >> http://elrepo.org/tiki/MailingLists >> >> Thanks. >> >> The ELRepo Team. >> >> _______________________________________________ >> rhelv6-list mailing list >> rhelv6-list at redhat.com >> https://www.redhat.com/mailman/listinfo/rhelv6-list >> > From giallu at gmail.com Mon Dec 6 11:45:01 2010 From: giallu at gmail.com (giallu at gmail.com) Date: Mon, 6 Dec 2010 12:45:01 +0100 Subject: [rhelv6-list] selinux (not quite) disabled? In-Reply-To: <201012041141.00361.lowen@pari.edu> References: <201012041141.00361.lowen@pari.edu> Message-ID: On Sat, Dec 4, 2010 at 5:41 PM, Lamar Owen wrote: > As desktop use is probably going to involve web browsing (either on an intranet site, or the Internet), and perhaps PDF files enter the picture, and as those are the prime vectors for attacks, and as much personal information as can be swiped is the new target of data thieves, the desktop should be locked down tighter in many ways than the server. This is pretty funny, as I've seen several comments around of desktop users disabling SELinux because it's something really needed just on servers... -- Gianluca Sforna http://morefedora.blogspot.com http://identi.ca/giallu - http://twitter.com/giallu From prentice at ias.edu Mon Dec 6 14:10:17 2010 From: prentice at ias.edu (Prentice Bisbal) Date: Mon, 06 Dec 2010 09:10:17 -0500 Subject: [rhelv6-list] disable shadow in kickstart? In-Reply-To: <86E21A982A7C5249956350A6746108C201FA4114@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C201FA4114@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <4CFCEEC9.7030803@ias.edu> Kevin, Kickstart just calls the authconfig command, so any switch from the authconfig command will work in kickstart. 
I've also found that 'authconfig --help' shows different options than 'man authconfig'. 'authconfig --help' shows that there is a disable option for shadow, which is not listed in the man page:

$ authconfig --help | grep shadow
--enableshadow, --useshadow
enable shadowed passwords by default
--disableshadow disable shadowed passwords by default

--
Prentice

Collins, Kevin [BEELINE] wrote:
> I have just confirmed that with no --enableshadow or --useshadow in my
> kickstart file, I am still ending up with a shadow-enabled system. There
> is no option listed to disable shadow, and the Installation Guide says
> "By default, passwords are normally encrypted and are not shadowed." Of
> course, this is about the 3rd or 4th item in the manual I have found
> to be completely wrong...
>
> Any ideas? I can always turn it off after kickstart, but would rather
> prevent it to begin with.
>
> Thanks,
>
> Kevin

From KCollins at chevron.com Mon Dec 6 18:06:08 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Mon, 6 Dec 2010 10:06:08 -0800
Subject: [rhelv6-list] nscd weirdness
Message-ID: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net>

I am seeing different output in the password field of the passwd output from 'getent' when I have nscd running versus when I don't:

# ps -ef | grep -E 'nscd|nslcd'
nscd 18126 1 0 09:42 ? 00:00:00 /usr/sbin/nscd
nslcd 18206 1 0 09:44 ? 00:00:00 /usr/sbin/nslcd
# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh
# service nscd stop
Stopping nscd: [ OK ]
# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
# nscd -i passwd
# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
# service nscd start
Starting nscd: [ OK ]
# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh

As you can see, I have tried flushing the passwd cache and restarting nscd with no luck. The backend in this case is LDAP - the problem does not appear when I am getting information from an ID in /etc/passwd.

Any ideas?

Thanks,

Kevin

From KCollins at chevron.com Mon Dec 6 17:39:47 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Mon, 6 Dec 2010 09:39:47 -0800
Subject: [rhelv6-list] disable shadow in kickstart?
In-Reply-To: <4CFCEEC9.7030803@ias.edu>
References: <86E21A982A7C5249956350A6746108C201FA4114@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4CFCEEC9.7030803@ias.edu>
Message-ID: <86E21A982A7C5249956350A6746108C201FA41AA@CHVPKNTXC5M.chvpk.chevrontexaco.net>

Thanks - that did exactly what I wanted.

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Prentice Bisbal
Sent: Monday, December 06, 2010 6:10 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] disable shadow in kickstart?

Kevin,

Kickstart just calls the authconfig command, so any switch from the authconfig command will work in kickstart. I've also found that 'authconfig --help' shows different options than 'man authconfig'. 'authconfig --help' shows that there is a disable option for shadow, which is not listed in the man page:

$ authconfig --help | grep shadow
--enableshadow, --useshadow
enable shadowed passwords by default
--disableshadow disable shadowed passwords by default

--
Prentice

Collins, Kevin [BEELINE] wrote:
> I have just confirmed that with no --enableshadow or --useshadow in my
> kickstart file, I am still ending up with a shadow-enabled system. There
> is no option listed to disable shadow, and the Installation Guide says
> "By default, passwords are normally encrypted and are not shadowed." Of
> course, this is about the 3rd or 4th item in the manual I have found
> to be completely wrong...
>
> Any ideas? I can always turn it off after kickstart, but would rather
> prevent it to begin with.
>
> Thanks,
>
> Kevin

From KCollins at chevron.com Mon Dec 6 18:49:32 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Mon, 6 Dec 2010 10:49:32 -0800
Subject: [rhelv6-list] system-auth vs password-auth
Message-ID: <86E21A982A7C5249956350A6746108C201FA41E1@CHVPKNTXC5M.chvpk.chevrontexaco.net>

Does anyone know why some of the PAM conf files in /etc/pam.d include password-auth while others include system-auth (which in previous versions was in almost all)?

Thanks,

Kevin

From jclift at redhat.com Mon Dec 6 19:40:00 2010
From: jclift at redhat.com (Justin Clift)
Date: Tue, 7 Dec 2010 06:40:00 +1100
Subject: [rhelv6-list] disable shadow in kickstart?
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA41AA@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C201FA4114@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4CFCEEC9.7030803@ias.edu> <86E21A982A7C5249956350A6746108C201FA41AA@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: Just created a bug ticket about the man page not showing the same options as authconfig --help. https://bugzilla.redhat.com/show_bug.cgi?id=660444 That should lead to getting the man page updated at some point. :) On 07/12/2010, at 4:39 AM, Collins, Kevin [BEELINE] wrote: > Thanks - that did exactly what I wanted. > > Kevin > > -----Original Message----- > From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Prentice Bisbal > Sent: Monday, December 06, 2010 6:10 AM > To: rhelv6-list at redhat.com > Subject: Re: [rhelv6-list] disable shadow in kickstart? > > Kevin, > > Kickstart just calls the authconfig command, so any switch from the > authconfig command will work in kickstart. I've also found that > 'authconfig --help' shows different options than 'man authconfig'. > 'authconfig --help' shows that there is a disable option for shadow, > which is not listed in the man page: > > $ authconfig --help | grep shadow > --enableshadow, --useshadow > enable shadowed passwords by default > --disableshadow disable shadowed passwords by default > > > -- > Prentice From KCollins at chevron.com Mon Dec 6 19:53:10 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Mon, 6 Dec 2010 11:53:10 -0800 Subject: [rhelv6-list] disable shadow in kickstart? 
In-Reply-To: References: <86E21A982A7C5249956350A6746108C201FA4114@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4CFCEEC9.7030803@ias.edu> <86E21A982A7C5249956350A6746108C201FA41AA@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C201FA41FF@CHVPKNTXC5M.chvpk.chevrontexaco.net> I think the Installation Guide should be corrected for the fact that it says shadow is not enabled by default... Kevin -----Original Message----- From: Justin Clift [mailto:jclift at redhat.com] Sent: Monday, December 06, 2010 11:40 AM To: Collins, Kevin [BEELINE] Cc: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] disable shadow in kickstart? Just created a bug ticket about the man page not showing the same options as authconfig --help. https://bugzilla.redhat.com/show_bug.cgi?id=660444 That should lead to getting the man page updated at some point. :) On 07/12/2010, at 4:39 AM, Collins, Kevin [BEELINE] wrote: > Thanks - that did exactly what I wanted. > > Kevin > > -----Original Message----- > From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Prentice Bisbal > Sent: Monday, December 06, 2010 6:10 AM > To: rhelv6-list at redhat.com > Subject: Re: [rhelv6-list] disable shadow in kickstart? > > Kevin, > > Kickstart just calls the authconfig command, so any switch from the > authconfig command will work in kickstart. I've also found that > 'authconfig --help' shows different options than 'man authconfig'. 
> 'authconfig --help' shows that there is a disable option for shadow,
> which is not listed in the man page:
>
> $ authconfig --help | grep shadow
> --enableshadow, --useshadow
> enable shadowed passwords by default
> --disableshadow disable shadowed passwords by default
>
>
> --
> Prentice

From KCollins at chevron.com Mon Dec 6 21:09:38 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Mon, 6 Dec 2010 13:09:38 -0800
Subject: [rhelv6-list] ext4 /boot
Message-ID: <86E21A982A7C5249956350A6746108C201FA4212@CHVPKNTXC5M.chvpk.chevrontexaco.net>

According to the Migration Planning Guide for RHEL6:

The included version of the GRUB bootloader provides full support for ext4 partitions. The installer also allows you to place any /boot file system on an ext4 partition.

Can anyone confirm this? My testing has proved otherwise... I specify everything except /boot as ext4 in my kickstart config file with no problems, but as soon as I make /boot ext4 I get a grub error at stage 1.5.

I'm using an HP BL460 blade as my test server, with a cciss raid card...

Thanks,

Kevin

From cmadams at hiwaay.net Mon Dec 6 21:36:26 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Mon, 6 Dec 2010 15:36:26 -0600
Subject: [rhelv6-list] ext4 /boot
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA4212@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA4212@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <20101206213626.GB10532@hiwaay.net>

Once upon a time, Collins, Kevin [BEELINE] said:
> Can anyone confirm this? My testing has proved otherwise... I specify
> everything except /boot as ext4 in my kickstart config file with no
> problems, but as soon as I make /boot ext4 I get a grub error at stage
> 1.5.

It works fine for me.
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From solarflow99 at gmail.com Mon Dec 6 21:41:00 2010
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 6 Dec 2010 13:41:00 -0800
Subject: [rhelv6-list] ext4 /boot
In-Reply-To: <20101206213626.GB10532@hiwaay.net>
References: <86E21A982A7C5249956350A6746108C201FA4212@CHVPKNTXC5M.chvpk.chevrontexaco.net> <20101206213626.GB10532@hiwaay.net>
Message-ID:

works for me too.

On Mon, Dec 6, 2010 at 1:36 PM, Chris Adams wrote:
> Once upon a time, Collins, Kevin [BEELINE] said:
>> Can anyone confirm this? My testing has proved otherwise... I specify
>> everything except /boot as ext4 in my kickstart config file with no
>> problems, but as soon as I make /boot ext4 I get a grub error at stage
>> 1.5.
>
> It works fine for me.
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.

From prentice at ias.edu Mon Dec 6 21:47:23 2010
From: prentice at ias.edu (Prentice Bisbal)
Date: Mon, 06 Dec 2010 16:47:23 -0500
Subject: [rhelv6-list] getent behavior
Message-ID: <4CFD59EB.30701@ias.edu>

I use LDAP for account information. On previous versions of RHEL, 'getent passwd' would dump a list of all accounts, both local and in LDAP. If additional sources were listed in /etc/nsswitch.conf, it would show them, too, presumably.

In RHEL6 (Beta 2), it only shows what's stored in /etc/passwd. If I want to see an account that's in LDAP, I can query a specific account like this:

$ getent passwd prentice
prentice:*:103808:103808::/home/prentice:/bin/bash

I know LDAP is configured correctly based on the above output, and that I can login to an account that's stored in LDAP. Everything else seems to work fine.

Has anyone else noticed behavior like this? I'm using RHEL6 beta 2 still.

--
Prentice

From cmadams at hiwaay.net Mon Dec 6 21:51:07 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Mon, 6 Dec 2010 15:51:07 -0600
Subject: [rhelv6-list] getent behavior
In-Reply-To: <4CFD59EB.30701@ias.edu>
References: <4CFD59EB.30701@ias.edu>
Message-ID: <20101206215107.GC10532@hiwaay.net>

Once upon a time, Prentice Bisbal said:
> I use LDAP for account information. On previous versions of RHEL,
> 'getent passwd' would dump a list of all accounts, both local and in
> LDAP. If additional sources were listed in /etc/nsswitch.conf, it would
> show them, too, presumably.
>
> In RHEL6 (Beta 2), it only shows what's stored in /etc/passwd. If I want
> to see an account that's in LDAP, I can query a specific account like this:

By default, when network authentication is configured, sssd is used (instead of the old pam_ldap/nss_ldap combo), and it has enumeration disabled by default. It is possible to change this in /etc/sssd/sssd.conf.
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From KCollins at chevron.com Mon Dec 6 21:56:24 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Mon, 6 Dec 2010 13:56:24 -0800
Subject: [rhelv6-list] ext4 /boot
In-Reply-To:
References: <86E21A982A7C5249956350A6746108C201FA4212@CHVPKNTXC5M.chvpk.chevrontexaco.net><20101206213626.GB10532@hiwaay.net>
Message-ID: <86E21A982A7C5249956350A6746108C201FA4225@CHVPKNTXC5M.chvpk.chevrontexaco.net>

Is your bootloader pointing to mbr or partition? Mine is partition... I will try mbr (I think I already did before), too.

Also, are you using a cciss device driver?

Thanks,

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of solarflow99
Sent: Monday, December 06, 2010 1:41 PM
To: Chris Adams; rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] ext4 /boot

works for me too.

On Mon, Dec 6, 2010 at 1:36 PM, Chris Adams wrote:
> Once upon a time, Collins, Kevin [BEELINE] said:
>> Can anyone confirm this? My testing has proved otherwise... I specify
>> everything except /boot as ext4 in my kickstart config file with no
>> problems, but as soon as I make /boot ext4 I get a grub error at stage
>> 1.5.
>
> It works fine for me.
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.

From pmeyer at themeyerfarm.com Mon Dec 6 22:22:51 2010
From: pmeyer at themeyerfarm.com (Phil Meyer)
Date: Mon, 06 Dec 2010 15:22:51 -0700
Subject: [rhelv6-list] Crosspost: KVM live migrate RH6 to or from RH 5.5
Message-ID: <4CFD623B.8000404@themeyerfarm.com>

We have been testing live migrations of KVM clients, successfully, on RHEL 5.5 and RHEL 6 separately.

We have now mixed our test environment to get a LOE converting our existing servers to RHEL 6.

Not good.

Every attempt is met with:

'error: operation failed: failed to start listening VM'

We have tried:

5.5 to 6, initiated from 5.5 host and from 6 host.
6 to 5.5 from 6 host and from 5.5 host.

We have also tried both ways from a third host, with no impact.

Here is a sample:

[root at pxe2 ~]# virsh -c qemu+ssh://root at testhost1.mycompany.net/system migrate --live my_domain qemu+ssh://root at testhost2.mycompany.net/system
error: operation failed: failed to start listening VM

Again, this command works without fail as long as both servers are running the same version.

Any ideas are appreciated.

Thanks

From KCollins at chevron.com Mon Dec 6 22:54:33 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Mon, 6 Dec 2010 14:54:33 -0800
Subject: [rhelv6-list] ext4 /boot
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA4225@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA4212@CHVPKNTXC5M.chvpk.chevrontexaco.net><20101206213626.GB10532@hiwaay.net> <86E21A982A7C5249956350A6746108C201FA4225@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <86E21A982A7C5249956350A6746108C201FA423B@CHVPKNTXC5M.chvpk.chevrontexaco.net>

Well, it appears that setting "bootloader --location mbr" fixed it. I'm not sure why that makes a difference, nor do I remember why I switched from mbr to partition many years ago...

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Monday, December 06, 2010 1:56 PM
To: solarflow99; Chris Adams; rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] ext4 /boot

Is your bootloader pointing to mbr or partition? Mine is partition... I will try mbr (I think I already did before), too.

Also, are you using a cciss device driver?

Thanks,

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of solarflow99
Sent: Monday, December 06, 2010 1:41 PM
To: Chris Adams; rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] ext4 /boot

works for me too.

On Mon, Dec 6, 2010 at 1:36 PM, Chris Adams wrote:
> Once upon a time, Collins, Kevin [BEELINE] said:
>> Can anyone confirm this? My testing has proved otherwise... I specify
>> everything except /boot as ext4 in my kickstart config file with no
>> problems, but as soon as I make /boot ext4 I get a grub error at stage
>> 1.5.
>
> It works fine for me.
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.

From lowen at pari.edu Mon Dec 6 23:29:05 2010
From: lowen at pari.edu (Lamar Owen)
Date: Mon, 6 Dec 2010 18:29:05 -0500
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References:
Message-ID: <201012061829.06233.lowen@pari.edu>

On Monday, December 06, 2010 06:45:01 am giallu at gmail.com wrote:
> On Sat, Dec 4, 2010 at 5:41 PM, Lamar Owen wrote:
>
> > As desktop use is probably going to involve web browsing (either on an intranet site, or the Internet), and perhaps PDF files enter the picture, and as those are the prime vectors for attacks, and as much personal information as can be swiped is the new target of data thieves, the desktop should be locked down tighter in many ways than the server.
> This is pretty funny, as I've seen several comments around of desktop
> users disabling SELinux because it's something really needed just on
> servers...

Yeah, I know that's the 'conventional' wisdom, but, honestly, I have lots more personal data on my desktop than on any server, and it's under my normal user id. Using a separate user id to browse, read PDF's, etc from the user id to do online banking, while nice and safe, is rather inconvenient. Using a VM to do this is like reaching around your back to scratch your elbow. Now, using SELinux to do this is akin to trying to use a Dremel tool with a steel grinding burr to scratch your elbow, but with the right touch it can be done; just need user tools with the right touch.
And, don't get me wrong, the current state of the Fedora tools is much much better than it used to be. SELinux has the potential (when set up properly) to make data theft of my personal data harder for web bugs, PDF bugs, and flash bugs to accomplish. Further, as the recent 'Koobface on Linux' flap shows, yeah, it might not root your box, but theft of personal data doesn't require root. And a run-once bot with enough intelligence can easily pick up a few things; further, it wouldn't be hard at all to get such a Java (could be flash, could be embedded in a PDF as Javascript; Java is just one way) worm to modify .bashrc (and other known start-on-login scripts) to download and start a fresh copy each time you log in. Worms, bots, and other assorted malware do not always require root to be damaging; SELinux can help protect ~/.bashrc (for one example) against overwrite by all but user-assigned and trusted programs (emacs, vi, kate, gedit, whatnot). We need a better configuration and troubleshooting interface so that the protections don't get in the way of the user, which is what happens now typically with SELinux, to where people say 'the fix was to put SELinux in permissive mode' which is patently wrong; workaround, yes, but that's not a fix. So, yeah, I'm definitely of the camp and mind that while Linux as a rule is more secure against rooting exploits for the most part, worms/bots/malware that don't require root and can happily run as a normal user (like the slow-brute-forcer ssh worms; I caught one doing its deed as a normal user on one machine, no rootkit, no root exploit, just a normal user cronjob and a hidden directory, and a successfully running 'bot' with a large password file....) could become a serious problem. User-ID-based access control is no longer enough to keep your (normal user) files safe from potential prying eyes. 
I know this: of all the Windows malware infections I've seen, the vast majority in the last six months have been web-based, either through a Javascript 'thing' or through a PDF. The last time one particular Windows box here got 'sploited with a PDF; the PDF in question was a technical specification summary for an older DWDM layer 1 network platform that I was troubleshooting; no anti-malware scanner I have flagged it, but viewing it in Adobe Reader resulted in a reproducible infection on Windows. I was using Okular on Linux, which read the file fine, but I needed the document on this particular Windows workstation (the management workstation for the DWDM gear) and it got rooted. Wasted half a day restoring things, when I needed to get a wave back up on the DWDM.... The last time I personally witnessed a web-based attempt (September 17th) was on my Linux desktop; it was the typical 'Windows web Security have detected Trojans on your C: Drive; please click here to fix' with the rather convincing 'Windows Explorer mock-up' skin; this was found on a _Linux_blog_ talking about installing a certain journalling filesystem on a certain Linux variant. I grabbed a screenshot of the ersatz 'Analysis Security' webpage made up to look like Windows Explorer if anyone wants a laugh....or maybe it's a wakeup call. From jclift at redhat.com Mon Dec 6 23:30:49 2010 From: jclift at redhat.com (Justin Clift) Date: Tue, 7 Dec 2010 10:30:49 +1100 Subject: [rhelv6-list] [virt-tools-list] Crosspost: KVM live migrate RH6 to or from RH 5.5 In-Reply-To: <4CFD65A9.5010008@redhat.com> References: <4CFD623B.8000404@themeyerfarm.com> <4CFD65A9.5010008@redhat.com> Message-ID: <2FF59E97-BC6B-4974-9596-5B375EFFB4D9@redhat.com> On 07/12/2010, at 9:37 AM, Cole Robinson wrote: >> Again, this command works without fail as long as both servers are >> running the same version. >> >> Any ideas are appreciated. 
My understanding of *live* migration, is that it does only work between the same versions of KVM. So, RHEL 5 -> RHEL 6 wouldn't be a go-er. Non-live migrations should work. I *think* the problem for live migration is with different versions of KVM having different capabilities regarding device, memory, graphics, and network state management (probably other bits too). From tremble at tremble.org.uk Tue Dec 7 06:56:30 2010 From: tremble at tremble.org.uk (Mark Chappell) Date: Tue, 7 Dec 2010 07:56:30 +0100 Subject: [rhelv6-list] selinux (not quite) disabled? In-Reply-To: <201012061829.06233.lowen@pari.edu> References: <201012041141.00361.lowen@pari.edu> <201012061829.06233.lowen@pari.edu> Message-ID: On 7 December 2010 00:29, Lamar Owen wrote: > We > need a better configuration and troubleshooting interface so that the protections don't get in the way of the user, which is > what happens now typically with SELinux, to where people say 'the fix was to put SELinux in permissive mode' which is > patently wrong; workaround, yes, but that's not a fix. In my experience, the fix is to move the audit logs to one side, switch to permissive mode, then try again. If that's fixed the issue then contacting the Fedora/Red Hat SELinux team through bugzilla (selinux-policy component) with the denials from the audit log generally results in a very fast fix (it'd be even faster for those of you in the US). Too many people just go "oh selinux - disable" as soon as they hit a problem, unfortunately this is also true of a number of Fedora's testers. The sealert/setroubleshoot daemons have made this process a lot simpler for end users, and even suggests which booleans and contexts may need changing. in the early days of Fedora when SELinux first arrived, things broke, and often. These days it's much better. 
If people start reporting problems with the policy I doubt it would take long before we had something that rarely ever broke, with programs gaining new functionality (and thus needing extra allow rules) being the general cause.

Mark

From crobinso at redhat.com Mon Dec 6 22:37:29 2010
From: crobinso at redhat.com (Cole Robinson)
Date: Mon, 06 Dec 2010 17:37:29 -0500
Subject: [rhelv6-list] [virt-tools-list] Crosspost: KVM live migrate RH6 to or from RH 5.5
In-Reply-To: <4CFD623B.8000404@themeyerfarm.com>
References: <4CFD623B.8000404@themeyerfarm.com>
Message-ID: <4CFD65A9.5010008@redhat.com>

On 12/06/2010 05:22 PM, Phil Meyer wrote:
> We have been testing live migrations of KVM clients, successfully, on
> RHEL 5.5 and RHEL 6 separately.
>
> We have now mixed our test environment to get a LOE converting our
> existing servers to RHEL 6.
>
> Not good.
>
> Every attempt is met with:
>
> 'error: operation failed: failed to start listening VM'
>
> We have tried:
>
> 5.5 to 6, initiated from 5.5 host and from 6 host.
>
> 6 to 5.5 from 6 host and from 5.5 host.
>
> We have also tried both ways from a third host, with no impact.
>
> Here is a sample:
>
> [root@pxe2 ~]# virsh -c qemu+ssh://root@testhost1.mycompany.net/system
> migrate --live my_domain qemu+ssh://root@testhost2.mycompany.net/system
>
> error: operation failed: failed to start listening VM
>
> Again, this command works without fail as long as both servers are
> running the same version.
>
> Any ideas are appreciated.
>
> Thanks

What is in /var/log/libvirt/qemu/$VMNAME.log on both the source and destination? Any errors from libvirt in /var/log/messages on either source or dest?

- Cole

From Paul.Seymour at barclayscapital.com Tue Dec 7 09:27:18 2010
From: Paul.Seymour at barclayscapital.com (Paul.Seymour at barclayscapital.com)
Date: Tue, 7 Dec 2010 09:27:18 +0000
Subject: [rhelv6-list] mkdumprd - very slow
Message-ID:

Hello,

Has anyone noticed mkdumprd hanging/very, very slow on RHEL6 ?
Using modules:
/lib/modules/2.6.32-71.el6.x86_64/kernel/fs/jbd2/jbd2.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/fs/mbcache.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/fs/ext4/ext4.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/lib/crc-t10dif.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/scsi/sd_mod.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/ata/ata_generic.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/md/dm-mod.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/md/dm-log.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/md/dm-region-hash.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/md/dm-mirror.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/md/dm-zero.ko
/lib/modules/2.6.32-71.el6.x86_64/kernel/drivers/md/dm-snapshot.ko

Also when trying to start kdump I get a "No crashkernel parameter specified for running kernel" message. Have tried with my old RH5 version "crashkernel=128M@16M", and "crashkernel=auto". Maybe something to do with running on a low memory VM ?

Thanks
Paul

From Werner.Maes at icts.kuleuven.be Tue Dec 7 15:11:19 2010
From: Werner.Maes at icts.kuleuven.be (Werner Maes)
Date: Tue, 7 Dec 2010 16:11:19 +0100
Subject: [rhelv6-list] file permissions contains dot in rhel6
Message-ID: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be>

hello

Is there a way to remove the dot that you can see when you do an 'ls -al' on the filesystem (e.g. below)
Apparently the . is to notify you that SELINUX is in control with no other access controls.

: kstesthpc ~ 16:09#; ll
total 108
-rw-------. 1 root root 23798 Nov 18 17:53 anaconda-ks.cfg
-rw-r--r--. 1 root root 21932 Nov 18 17:53 install.log
-rw-r--r--. 1 root root  7042 Nov 18 17:52 install.log.syslog

Kind regards
Werner Maes

From lowen at pari.edu Tue Dec 7 15:17:43 2010
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 7 Dec 2010 10:17:43 -0500
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To:
References:
Message-ID: <201012071017.43942.lowen@pari.edu>

On Tuesday, December 07, 2010 01:56:30 am Mark Chappell wrote:
> If
> people start reporting problems with the policy I doubt it would take
> long before we had something that rarely ever broke, with programs
> gaining new functionality (and thus needing extra allow rules) being
> the general cause.

Agreed completely; bugs cannot be fixed if they're not reported. Yes, it does take some time. But since the OS is free, a little time to help improve is a small cost, IMHO.
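
For the trailing `.` in `ls -l` output asked about in Werner Maes's message above, the following is an added example (not posted by any list participant): POSIX shell helpers that split the first `ls -l` field into the ten mode characters and the alternate-access marker, so a script compares modes the same way whether or not the marker is present. The function names and the last two sample lines are constructed for illustration; GNU `ls` prints `.` for a file with only an SELinux security context and `+` for any other combination of alternate access methods, such as an ACL.

```shell
#!/bin/sh
# Added example: classify the first field of `ls -l` lines.
# GNU ls appends one optional character to the ten mode characters:
#   (nothing)  no alternate access method
#   "."        SELinux security context only
#   "+"        any other combination (for example a POSIX ACL)

# Print only the ten mode characters, so comparisons ignore the marker.
ls_mode() {
    field=${1%% *}                      # first space-delimited field
    printf '%s\n' "$field" | cut -c1-10
}

# Print none | selinux | acl | unknown.
# Prints "invalid" and returns 1 when the line is not a file entry.
ls_access_marker() {
    field=${1%% *}
    case ${#field} in
        10) echo none ;;
        11) case $field in
                *.) echo selinux ;;
                *+) echo acl ;;
                *)  echo unknown ;;
            esac ;;
        *)  echo invalid; return 1 ;;
    esac
}

# Read `ls -l` output on stdin and print "<mode> <marker> <name>" per entry.
# Assumption: file names contain no spaces (the last field is the name).
audit_listing() {
    while IFS= read -r line; do
        case $line in
            ''|total\ *) continue ;;    # skip blank lines and the "total N" header
        esac
        marker=$(ls_access_marker "$line") || continue
        printf '%s %s %s\n' "$(ls_mode "$line")" "$marker" "${line##* }"
    done
}

# Names whose effective access is not fully described by the mode bits,
# i.e. entries to inspect further (for instance with getfacl).
needs_acl_review() {
    audit_listing | while read -r mode marker name; do
        if [ "$marker" = acl ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Sample input: the first three entries are the listing from the message
# above; the last two are constructed to cover the "+" and no-marker cases.
sample_listing() {
    cat <<'EOF'
total 108
-rw-------. 1 root root 23798 Nov 18 17:53 anaconda-ks.cfg
-rw-r--r--. 1 root root 21932 Nov 18 17:53 install.log
-rw-r--r--. 1 root root  7042 Nov 18 17:52 install.log.syslog
-rw-rw-r--+ 1 root root   512 Nov 18 17:54 shared.conf
-rw-r--r-- 1 root root   100 Nov 18 17:55 legacy.txt
EOF
}

sample_listing | audit_listing
```

Entries reported as `acl` are the ones where the mode bits alone understate who can reach the file, so a permission audit should not treat the marker as noise.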
From prentice at ias.edu Tue Dec 7 15:26:02 2010
From: prentice at ias.edu (Prentice Bisbal)
Date: Tue, 07 Dec 2010 10:26:02 -0500
Subject: [rhelv6-list] getent behavior
In-Reply-To: <20101206215107.GC10532@hiwaay.net>
References: <4CFD59EB.30701@ias.edu> <20101206215107.GC10532@hiwaay.net>
Message-ID: <4CFE520A.9080800@ias.edu>

On 12/06/2010 04:51 PM, Chris Adams wrote:
> Once upon a time, Prentice Bisbal said:
>> I use LDAP for account information. On previous versions of RHEL,
>> 'getent passwd' would dump a list of all accounts, both local and in
>> LDAP. If additional sources were listed in /etc/nsswitch.conf, it would
>> show them, too, presumably.
>>
>> In RHEL6 (Beta 2), it only shows what's stored in /etc/passwd. If I want
>> to see an account that's in LDAP, I can query a specific account like this:
>
> By default, when network authentication is configured, sssd is used
> (instead of the old pam_ldap/nss_ldap combo), and it has enumeration
> disabled by default.
>
> It is possible to change this in /etc/sssd/sssd.conf.

Thanks. That fixed it. I'm still learning about SSSD, as I'm sure some other list members are, too.

--
Prentice

From RJM002 at shsu.edu Tue Dec 7 15:40:27 2010
From: RJM002 at shsu.edu (Marti, Robert J)
Date: Tue, 7 Dec 2010 09:40:27 -0600
Subject: [rhelv6-list] selinux (not quite) disabled?
In-Reply-To: <201012071017.43942.lowen@pari.edu>
References: <201012071017.43942.lowen@pari.edu>
Message-ID: <0419A31B-5B08-40E1-8DB3-309695235842@shsu.edu>

Yes, I'm sure reporting SELinux errors to Oracle, etc. will do a lot of good. It's not the packaged software that causes problems, it's the third party stuff. That doesn't mean I'm not working on cleaning up the issues, it just means that everything isn't all kittens and bunnies.
Sent from my iPhone

On Dec 7, 2010, at 9:30 AM, "Lamar Owen" wrote:
> On Tuesday, December 07, 2010 01:56:30 am Mark Chappell wrote:
>> If
>> people start reporting problems with the policy I doubt it would take
>> long before we had something that rarely ever broke, with programs
>> gaining new functionality (and thus needing extra allow rules) being
>> the general cause.
>
> Agreed completely; bugs cannot be fixed if they're not reported. Yes, it does take some time. But since the OS is free, a little time to help improve is a small cost, IMHO.

From john.haxby at gmail.com Tue Dec 7 17:51:17 2010
From: john.haxby at gmail.com (John Haxby)
Date: Tue, 7 Dec 2010 17:51:17 +0000
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be>
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be>
Message-ID:

On 7 December 2010 15:11, Werner Maes wrote:
>
> Is there a way to remove the dot that you can see when you do an 'ls -al'
> on the filesystem (e.g. below)
> Apparently the . is to notify you that SELINUX is in control with no other
> access controls.
>

From "info ls":

    Following the file mode bits is a single character that specifies whether an alternate access method such as an access control list applies to the file. When the character following the file mode bits is a space, there is no alternate access method. When it is a printing character, then there is such a method. GNU `ls' uses a `.' character to indicate a file with an SELinux security context, but no other alternate access method. A file with any other combination of alternate access methods is marked with a `+' character.

So no, there doesn't seem to be a way to hide this.
jch

From solarflow99 at gmail.com Tue Dec 7 21:23:17 2010
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 7 Dec 2010 13:23:17 -0800
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be>
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be>
Message-ID:

you don't need to hide this do you? what difference does it really make, few people would ever notice that little . at the end :)

On Tue, Dec 7, 2010 at 7:11 AM, Werner Maes wrote:
> hello
>
> Is there a way to remove the dot that you can see when you do an 'ls -al' on the filesystem (e.g. below)
> Apparently the . is to notify you that SELINUX is in control with no other access controls.
>
> : kstesthpc ~ 16:09#; ll
> total 108
> -rw-------. 1 root root 23798 Nov 18 17:53 anaconda-ks.cfg
> -rw-r--r--. 1 root root 21932 Nov 18 17:53 install.log
> -rw-r--r--. 1 root root  7042 Nov 18 17:52 install.log.syslog
>
> Kind regards
>
> Werner Maes
>

From gsgatlin at ncsu.edu Tue Dec 7 22:50:32 2010
From: gsgatlin at ncsu.edu (Gary Gatling)
Date: Tue, 7 Dec 2010 17:50:32 -0500 (EST)
Subject: [rhelv6-list] [Solved] weird clock applet question on locations
In-Reply-To:
References:
Message-ID:

Hello,

I did a little bit more digging and think I've found a solution to my question. (thank you diff) I wanted to share with the list in case other people want to customize their GNOME panel to have the local weather for all users. In my earlier email last week I left out some steps. To customize the panel for all users on a RHEL 6 system, do a fresh install. Log in to your fresh install as a regular user.
Customize your panel how you would like it for all users. For example, at my site I add back the OpenOffice Writer, Impress, and Calc launchers. I also add a terminal launcher since most users are programmers. Line up everything how you want it to look on the panel. To customize the weather icon and location, next to locations click on the edit button. Click on "Add" and add your city. If it's a known city, it will automagically fill in the latitude and longitude for you. If it's unknown I'm guessing you might need to type them in... I'm pretty sure you can add as many cities as you want if you need more than one. Next click on the "set" button to make whatever the default location. You will be prompted for the root password. Next run this command as your regular user:

gconftool-2 --dump /apps/panel > my-panel-setup.entries

Next you need to edit this file. If there are any icons you added to the panel they will have names like object_0, object_1, etc. Find the lines that are like:

objects/object_0/position

and change numbers like 234 into 4 under "position" keys because you want relative positions rather than absolute pixel locations. (1, 2, and 3 are used already. 1 is the browser, 2 is the email launcher, and 3 is the new GNote app)

Also, the "set" button will alter the contents of /etc/sysconfig/clock. For example, on my systems it changed from:

ZONE="America/New York"

to

ZONE="America/New_York"

So make a note of what that got changed to at this point. On the machines you want to clone the panel to, run this command as root:

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --load my-panel-setup.entries

Also, make sure that the file /etc/sysconfig/clock gets changed to the proper value. (like sed 's@New York@New_York@')

Now everyone logging into that machine will have the custom panel with the weather and temperature displayed for the local location you set up. :) I'm using Raleigh, NC. since that's where all our labs are.
Also, here are some useful gconf strings I have found to change some settings back if you prefer the way the panel looked/acted in older RHEL / Fedoras...

/apps/panel/toplevels/top_panel/padding
/apps/panel/toplevels/bottom_panel/padding

I have set these to 2 so there isn't so much white space between the launchers and stuff. Useful if your users add lots of launchers and screen real estate is low.

/apps/metacity/general/num_workspaces

You can increase this if the 2 that are defaults in RHEL 6 aren't enough for the default users. It was 4 in RHEL 5.

Cheers,
Gary Gatling | ITECS Systems

On Fri, 3 Dec 2010, Gary Gatling wrote:
>
> Hello,
>
> I am trying to change the default location in the clock applet from being
> Boston Ma. to Raleigh, NC. in RHEL 6 for our labs. I want to do this so that
> the weather icon shows up for any lab users and so that it shows the correct
> weather for my location in Raleigh.
>
> I installed a fresh machine and configured the panel the way I want it. I
> deleted Boston Ma. and added Raleigh, NC. by hand as I configured the panel.
> Then I ran:
>
> gconftool-2 --dump /apps/panel > my-panel-setup.entries
>
> and set up on a fresh install on another machine:
>
> gconftool-2 --direct --config-source
> xml:readwrite:/etc/gconf/gconf.xml.defaults --load my-panel-setup.entries
>
> Everything is "almost" correct. My icons are all set up on the panel the way
> I want them. But when I click on the clock applet, it shows my location in
> Raleigh as a blinking red / white dot. When I hover over the analog clock in
> the GUI, a "set..." button pops up. When I click on the "set..." button it
> prompts me for the root password and then it changes the dot into a blue
> "house" icon.
>
> After this "set..." button has been clicked on the weather icon magically
> appears in the panel with the correct weather for my location. For "all"
> users on the system. (not just my account)
>
> Does anyone know how I can programmatically do that with a command?
> /etc/localtime seems to be the same on both machines. I've looked at the
> sources to the gnome-panel rpm but it's a lot of code and I can't seem to
> figure this one out on my own. :(
>
> Thanks for any ideas anyone has? Do you think it will be possible to do what
> I am trying to do? (change clock applet to show weather in Raleigh, NC.)
>
> Gary Gatling | ITECS Systems
>

From jean-yves at lenhof.eu.org Tue Dec 7 22:59:10 2010
From: jean-yves at lenhof.eu.org (Jean-Yves LENHOF)
Date: Tue, 07 Dec 2010 23:59:10 +0100
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To:
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be>
Message-ID: <4CFEBC3E.8060508@lenhof.eu.org>

On 07/12/2010 22:23, solarflow99 wrote:
> you don't need to hide this do you? what difference does it really
> make, few people would ever notice that little . at the end :)

Bad scripts ;-)
Waiting for some specific output without a dot

Regards,

From Ville.Salmela at csc.fi Wed Dec 8 08:10:15 2010
From: Ville.Salmela at csc.fi (Ville Salmela)
Date: Wed, 8 Dec 2010 10:10:15 +0200
Subject: [rhelv6-list] Allow users to update using packagekit
Message-ID:

Hi,

I would like to create a rule to polkit to allow users to update their systems without root password. So when packagekit tells there are new updates user can just click update without giving root pw. There is no need to install new packages without privileges, just keep the system up to date is enough.

How can I do this?

BR,
Ville Salmela

From goetz.reinicke at filmakademie.de Wed Dec 8 11:12:10 2010
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT-Koordinator)
Date: Wed, 08 Dec 2010 12:12:10 +0100
Subject: [rhelv6-list] Hopefully I'm not blind, but ... Freeradius-Utils - radclient and radtest
Message-ID: <4CFF680A.8040501@filmakademie.de>

Hello,

where can I find the Freeradius-Utils - radclient and radtest officially from Red Hat!?

thx & cheers . Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt

From tgc at statsbiblioteket.dk Wed Dec 8 11:34:48 2010
From: tgc at statsbiblioteket.dk (Tom G. Christensen)
Date: Wed, 8 Dec 2010 12:34:48 +0100
Subject: [rhelv6-list] Hopefully I'm not blind, but ... Freeradius-Utils - radclient and radtest
In-Reply-To: <4CFF680A.8040501@filmakademie.de>
References: <4CFF680A.8040501@filmakademie.de>
Message-ID: <4CFF6D58.5030909@statsbiblioteket.dk>

Götz Reinicke - IT-Koordinator wrote:
> Hello,
>
> where can I find the Freeradius-Utils - radclient and radtest officially
> from Red Hat!?
>
They're in the freeradius-utils package which is available from the Optional channel in RHN.

-tgc

From trotter at math.gatech.edu Wed Dec 8 12:18:06 2010
From: trotter at math.gatech.edu (William T. Trotter)
Date: Wed, 08 Dec 2010 07:18:06 -0500
Subject: [rhelv6-list] Northbridge Error and K8 ECC error
Message-ID: <1291810686.16095.17.camel@trotteroffice5>

I've just joined this email group, so apologies if this question has been asked and answered.
When I was running Rhel 6 beta, I was getting Northbridge errors and K8 ECC errors ... and was under the impression that these issues had been corrected in the final release. But I'm still getting them. Appended below are the console messages that come up in a terminal window where root is running:

Message from syslogd@trotteroffice5 at Dec 8 07:12:41 ...
kernel: Northbridge Error, node 1, core: 0

Message from syslogd@trotteroffice5 at Dec 8 07:12:41 ...
kernel:K8 ECC error.

I am pretty sure my hardware is ok. Any pointers would be appreciated. Also, if I've done a bad thing and revisited an old topic, I'll take my public lashing.

Tom Trotter

For what it's worth, this is RHEL 6.0 workstation, fully patched and updated.

--
===============================
William T. Trotter
School of Mathematics
Georgia Institute of Technology
Atlanta, Georgia 30332
===============================

From RJM002 at shsu.edu Wed Dec 8 12:32:35 2010
From: RJM002 at shsu.edu (Marti, Robert J)
Date: Wed, 8 Dec 2010 06:32:35 -0600
Subject: [rhelv6-list] Allow users to update using packagekit
In-Reply-To:
References:
Message-ID:

I don't think there is a way to differentiate between install new and update current.

Sent from my iPhone

On Dec 8, 2010, at 2:11 AM, "Ville Salmela" wrote:

Hi,

I would like to create a rule to polkit to allow users to update their systems without root password. So when packagekit tells there are new updates user can just click update without giving root pw. There is no need to install new packages without privileges, just keep the system up to date is enough.

How can I do this?
BR,
Ville Salmela

From goetz.reinicke at filmakademie.de Wed Dec 8 12:37:21 2010
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT-Koordinator)
Date: Wed, 08 Dec 2010 13:37:21 +0100
Subject: [rhelv6-list] Hopefully I'm not blind, but ... Freeradius-Utils - radclient and radtest
In-Reply-To: <4CFF6D58.5030909@statsbiblioteket.dk>
References: <4CFF680A.8040501@filmakademie.de> <4CFF6D58.5030909@statsbiblioteket.dk>
Message-ID: <4CFF7C01.8000504@filmakademie.de>

On 08.12.10 12:34, Tom G. Christensen wrote:
> Götz Reinicke - IT-Koordinator wrote:
>> Hello,
>>
>> where can I find the Freeradius-Utils - radclient and radtest officially
>> from Red Hat!?
>>
> They're in the freeradius-utils package which is available from the
> Optional channel in RHN.

Thanks, got it.

/Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt

From jsbillin at umich.edu Wed Dec 8 13:27:21 2010
From: jsbillin at umich.edu (Jonathan S Billings)
Date: Wed, 08 Dec 2010 08:27:21 -0500
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To: <4CFEBC3E.8060508@lenhof.eu.org>
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be> <4CFEBC3E.8060508@lenhof.eu.org>
Message-ID: <4CFF87B9.7000505@umich.edu>

On 12/07/2010 05:59 PM, Jean-Yves LENHOF wrote:
> Bad scripts ;-)
> Waiting for some specific output without a dot

You might want to consider replacing the 'ls' in your script with the output of 'stat', since you can request the format of the output however you like. For example, 'stat --format "%A" filename' will produce the human readable access rights that you're looking for -- and if this is something being parsed by a script, you might end up having cleaner output to read.

I don't see any documentation that indicates there's a way to make the new 'ls' output the access rights without the dot if the filesystem has SELinux attributes.

--
Jonathan Billings
College of Engineering - CAEN - Unix and Linux Support

From Greg_Swift at aotx.uscourts.gov Wed Dec 8 14:20:31 2010
From: Greg_Swift at aotx.uscourts.gov (Greg_Swift at aotx.uscourts.gov)
Date: Wed, 8 Dec 2010 08:20:31 -0600
Subject: [rhelv6-list] Allow users to update using packagekit
In-Reply-To:
References:
Message-ID:

however an alternate method would be to have the system update on a regular schedule via cron and disable the user notification daemon (can't recall the exact name at the moment).

rhelv6-list-bounces at redhat.com wrote on 12/08/2010 06:32:35 AM:
> I don't think there is a way to differentiate between install new
> and update current.
>
> Sent from my iPhone
>
>
> On Dec 8, 2010, at 2:11 AM, "Ville Salmela" wrote:
>
> >
> > Hi,
> >
> > I would like to create a rule to polkit to allow users to update
> > their systems without root password. So when packagekit tells there
> > are new updates user can just click update without giving root pw.
> > There is no need to install new packages without privileges, just
> > keep the system up to date is enough.
> >
> > How can I do this?

From KCollins at chevron.com Wed Dec 8 16:54:39 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Wed, 8 Dec 2010 08:54:39 -0800
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To: <4CFF87B9.7000505@umich.edu>
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be> <4CFEBC3E.8060508@lenhof.eu.org> <4CFF87B9.7000505@umich.edu>
Message-ID: <86E21A982A7C5249956350A6746108C201FA444F@CHVPKNTXC5M.chvpk.chevrontexaco.net>

That's great for Linux, but it doesn't make for very portable scripting since stat is not on all flavors of Unix... :)

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Jonathan S Billings
Sent: Wednesday, December 08, 2010 5:27 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] file permissions contains dot in rhel6

On 12/07/2010 05:59 PM, Jean-Yves LENHOF wrote:
> Bad scripts ;-)
> Waiting for some specific output without a dot

You might want to consider replacing the 'ls' in your script with the output of 'stat', since you can request the format of the output however you like. For example, 'stat --format "%A" filename' will produce the human readable access rights that you're looking for -- and if this is something being parsed by a script, you might end up having cleaner output to read.
I don't see any documentation that indicates there's a way to make the new 'ls' output the access rights without the dot if the filesystem has SELinux attributes.

--
Jonathan Billings
College of Engineering - CAEN - Unix and Linux Support

From cmadams at hiwaay.net Wed Dec 8 17:01:19 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Wed, 8 Dec 2010 11:01:19 -0600
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA444F@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be> <4CFF87B9.7000505@umich.edu> <86E21A982A7C5249956350A6746108C201FA444F@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <20101208170119.GD3982@hiwaay.net>

Once upon a time, Collins, Kevin [BEELINE] said:
> That's great for Linux, but it doesn't make for very portable scripting
> since stat is not on all flavors of Unix... :)

Well, the output format of "ls" is hardly portable either, so you've already got to be scripting around that. You could always use perl...

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From notting at redhat.com Wed Dec 8 17:15:26 2010
From: notting at redhat.com (Bill Nottingham)
Date: Wed, 8 Dec 2010 12:15:26 -0500
Subject: [rhelv6-list] Allow users to update using packagekit
In-Reply-To:
References:
Message-ID: <20101208171525.GB8922@nostromo.devel.redhat.com>

Ville Salmela (Ville.Salmela at csc.fi) said:
> I would like to create a rule to polkit to allow users to update their systems without root password. So when packagekit tells there are new updates user can just click update without giving root pw.
> There is no need to install new packages without privileges, just keep the system up to date is enough.
>
> How can I do this?

You'd put something like (warning: untested, salt to taste):

[User update perms]
Identity=*
Action=org.freedesktop.packagekit.system-update
ResultAny=no
ResultInactive=no
ResultActive=yes

(or auth_self) in /etc/polkit-1/localauthority/30-site.d/.pkla.

Bill

From KCollins at chevron.com Wed Dec 8 18:30:27 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Wed, 8 Dec 2010 10:30:27 -0800
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To: <20101208170119.GD3982@hiwaay.net>
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be><4CFF87B9.7000505@umich.edu><86E21A982A7C5249956350A6746108C201FA444F@CHVPKNTXC5M.chvpk.chevrontexaco.net> <20101208170119.GD3982@hiwaay.net>
Message-ID: <86E21A982A7C5249956350A6746108C201FA4487@CHVPKNTXC5M.chvpk.chevrontexaco.net>

Well, scripting around the "permission string" of ls -l is not something I typically do, but that string is pretty much the same on every platform I have worked on... until now :)

But I would not be surprised to see this change breaking scripts that others have.

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Chris Adams
Sent: Wednesday, December 08, 2010 9:01 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] file permissions contains dot in rhel6

Once upon a time, Collins, Kevin [BEELINE] said:
> That's great for Linux, but it doesn't make for very portable scripting
> since stat is not on all flavors of Unix... :)

Well, the output format of "ls" is hardly portable either, so you've already got to be scripting around that. You could always use perl...

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From inode0 at gmail.com Wed Dec 8 18:42:16 2010
From: inode0 at gmail.com (inode0)
Date: Wed, 8 Dec 2010 12:42:16 -0600
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA4487@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be> <4CFF87B9.7000505@umich.edu> <86E21A982A7C5249956350A6746108C201FA444F@CHVPKNTXC5M.chvpk.chevrontexaco.net> <20101208170119.GD3982@hiwaay.net> <86E21A982A7C5249956350A6746108C201FA4487@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID:

On Wed, Dec 8, 2010 at 12:30 PM, Collins, Kevin [BEELINE] wrote:
> Well, scripting around the "permission string" of ls -l is not something
> I typically do, but that string is pretty much the same on every
> platform I have worked on... until now :)
>
> But I would not be surprised to see this change breaking scripts that
> others have.

If the script wants a blank in that location it should already be doing something to account for the possibility that a + is there, so should be easy to modify to ignore the . too.

John

From KCollins at chevron.com Wed Dec 8 19:18:27 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Wed, 8 Dec 2010 11:18:27 -0800
Subject: [rhelv6-list] getent weirdness (was: nscd weirdness)
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <86E21A982A7C5249956350A6746108C201FA44A9@CHVPKNTXC5M.chvpk.chevrontexaco.net>

After further investigation, this seems to be an issue with getent. If the effective UID is not 0, it returns '*' as the passwd hash.
This is not the behavior exhibited in previous versions, and explains why I see the issue from root when nscd is running - nscd does a setuid to the user 'nscd'.

I checked this on another RHEL6 server that is resolving via NIS and it does *not* exhibit this behavior, so it has some relationship to LDAP. But, I can run ldapsearch and get back the passwd hash as any user (our LDAP allows anonymous read-only to all attributes).

Now my suspicion is that this is caused by nss_ldap, which is different in RHEL6 since this is now part of nss-pam-ldapd.

Any thoughts?

Thanks,

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Monday, December 06, 2010 10:06 AM
To: rhelv6-list at redhat.com
Subject: [rhelv6-list] nscd weirdness

I am seeing different output in the password field of the passwd output from 'getent' when I have nscd running versus when I don't:

# ps -ef | grep -E 'nscd|nslcd'
nscd 18126 1 0 09:42 ? 00:00:00 /usr/sbin/nscd
nslcd 18206 1 0 09:44 ? 00:00:00 /usr/sbin/nslcd

# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh

# service nscd stop
Stopping nscd: [ OK ]

# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh

# nscd -i passwd

# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh

# service nscd start
Starting nscd: [ OK ]

# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh

As you can see, I have tried flushing the passwd cache and restarting nscd with no luck. The backend in this case is LDAP - the problem does not appear when I am getting information from an ID in /etc/passwd.

Any ideas?

Thanks,

Kevin

From KCollins at chevron.com Thu Dec 9 00:04:35 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Wed, 8 Dec 2010 16:04:35 -0800
Subject: [rhelv6-list] getent weirdness (was: nscd weirdness)
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA44A9@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA44A9@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <86E21A982A7C5249956350A6746108C201FA453B@CHVPKNTXC5M.chvpk.chevrontexaco.net>

I have narrowed this down to nslcd by using strace:

[pid 7141] read(12, "\202\1\35\4\"uid=oracle,ou=People,dc=afis,dc=sr0\201\3660\17\4\3uid1\10 \4\6oracle0\24\4\2cn1\16\4\fOracle Owner0+\4\vobjectClass1\34\4\7account\4\fposixAccount\4\3top0&\4\fuserPa ssword1\26\4\24{crypt}No_Login*****0\33\4\nloginShell1\r\4\v/usr/bin/sh0 \22\4\tuidNumber1\5\4\0032000\22\4\tgidNumber1\5\4\0032000\32\4\rhomeDir ectory1\t\4\7/oracle0\27\4\5gecos1\16\4\fOracle Owner", 288) = 288
[pid 7141] select(1024, NULL, [6], NULL, {0, 0}) = 1 (out [6], left {0, 0})
[pid 7141] sendto(6, "\1\0\0\0\351\3\0\0\0\0\0\0\6\0\0\0oracle\1\0\0\0*\310\0\0\0\310\0\0\0\f \0\0\0Oracle Owner\7\0\0\0/oracle\v\0", 64, MSG_NOSIGNAL, NULL, 0) = 64

Notice the read() gets back the actual password data "{crypt}No_Login*****" but the sendto() is sending "*"?

Now to research...

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Wednesday, December 08, 2010 11:18 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] getent weirdness (was: nscd weirdness)

After further investigation, this seems to be an issue with getent. If the effective UID is not 0, it returns '*' as the passwd hash. This is not the behavior exhibited in previous versions, and explains why I see the issue from root when nscd is running - nscd does a setuid to the user 'nscd'.

I checked this on another RHEL6 server that is resolving via NIS and it does *not* exhibit this behavior, so it has some relationship to LDAP. But, I can run ldapsearch and get back the passwd hash as any user (our LDAP allows anonymous read-only to all attributes).

Now my suspicion is that this is caused by nss_ldap, which is different in RHEL6 since this is now part of nss-pam-ldapd.

Any thoughts?

Thanks,

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Monday, December 06, 2010 10:06 AM
To: rhelv6-list at redhat.com
Subject: [rhelv6-list] nscd weirdness

I am seeing different output in the password field of the passwd output from 'getent' when I have nscd running versus when I don't:

# ps -ef | grep -E 'nscd|nslcd'
nscd 18126 1 0 09:42 ? 00:00:00 /usr/sbin/nscd
nslcd 18206 1 0 09:44 ? 00:00:00 /usr/sbin/nslcd

# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh

# service nscd stop
Stopping nscd: [ OK ]

# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh

# nscd -i passwd

# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh

# service nscd start
Starting nscd: [ OK ]

# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh

As you can see, I have tried flushing the passwd cache and restarting nscd with no luck. The backend in this case is LDAP - the problem does not appear when I am getting information from an ID in /etc/passwd.

Any ideas?

Thanks,

Kevin
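
The comparison made by eye in the strace output of the message above, as an added Python example (not part of the thread and not code from nss-pam-ldapd): it decodes the sendto() reply and pulls userPassword out of the read() buffer. The reply layout (three little-endian 32-bit header words, then length-prefixed strings and 32-bit ids) is read off the captured bytes and is an assumption, as are all function names; the two sample strings are copied from the post with the mail client's wrap spaces removed.

```python
import re
import struct

# Constructed sample: the sendto() buffer from the strace output above,
# with the wrap space after "\f" removed.
NSLCD_REPLY = (r'\1\0\0\0\351\3\0\0\0\0\0\0\6\0\0\0oracle\1\0\0\0*'
               r'\310\0\0\0\310\0\0\0\f\0\0\0Oracle Owner\7\0\0\0/oracle\v\0')
# Constructed sample: the userPassword/loginShell part of the read() buffer,
# with the wrap space inside "userPassword" removed.
LDAP_FRAGMENT = (r'\4\fuserPassword1\26\4\24{crypt}No_Login*****'
                 r'0\33\4\nloginShell1\r\4\v/usr/bin/sh')

_SIMPLE = {'n': 10, 't': 9, 'r': 13, 'v': 11, 'f': 12, '"': 34, '\\': 92}
_ESCAPE = re.compile(r'\\([0-7]{1,3}|[ntrvf"\\])')


def strace_unescape(text):
    """Turn strace's C-style string (octal and letter escapes) into bytes."""
    def repl(match):
        token = match.group(1)
        return chr(_SIMPLE[token] if token in _SIMPLE else int(token, 8))
    return _ESCAPE.sub(repl, text).encode('latin-1')


def _u32(buf, off):
    if off + 4 > len(buf):
        raise EOFError('buffer ends inside a 32-bit field')
    return struct.unpack_from('<I', buf, off)[0], off + 4


def _string(buf, off):
    length, off = _u32(buf, off)
    if off + length > len(buf):
        raise EOFError('buffer ends inside a string')
    return buf[off:off + length].decode('utf-8', 'replace'), off + length


# Assumed field order of a passwd reply, inferred from the capture.
PASSWD_REPLY = (('version', _u32), ('action', _u32), ('result', _u32),
                ('name', _string), ('passwd', _string), ('uid', _u32),
                ('gid', _u32), ('gecos', _string), ('home', _string),
                ('shell', _string))


def decode_passwd_reply(buf):
    """Decode as many fields as the buffer holds; note where it was cut."""
    record, off = {}, 0
    for field, reader in PASSWD_REPLY:
        try:
            record[field], off = reader(buf, off)
        except EOFError:
            # The 64-byte write ends inside the shell field's length prefix.
            record['truncated_at'] = field
            break
    return record


def ldap_attr_value(ber, attr):
    """First value of attr in a raw LDAP entry (short-form BER lengths only)."""
    pos = ber.find(attr)
    if pos < 0:
        return None
    p = pos + len(attr)
    # Expect SET (0x31) len, OCTET STRING (0x04) len, value bytes.
    if len(ber) < p + 4 or ber[p] != 0x31 or ber[p + 2] != 0x04:
        return None
    length = ber[p + 3]
    if length & 0x80 or p + 4 + length > len(ber):
        return None
    return ber[p + 4:p + 4 + length]


def compare(reply_text, ldap_text):
    """What the directory returned versus what the NSS client was sent."""
    reply = decode_passwd_reply(strace_unescape(reply_text))
    upstream = ldap_attr_value(strace_unescape(ldap_text), b'userPassword')
    return {
        'user': reply.get('name'),
        'ldap_userPassword': upstream.decode() if upstream else None,
        'nss_passwd': reply.get('passwd'),
        'masked': upstream is not None and reply.get('passwd') == '*',
        'truncated_at': reply.get('truncated_at'),
    }


if __name__ == '__main__':
    for key, value in compare(NSLCD_REPLY, LDAP_FRAGMENT).items():
        print(f'{key}: {value}')
```
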

From Ville.Salmela at csc.fi Thu Dec 9 09:39:44 2010
From: Ville.Salmela at csc.fi (Ville Salmela)
Date: Thu, 9 Dec 2010 11:39:44 +0200
Subject: [rhelv6-list] Allow users to update using packagekit
In-Reply-To: <20101208171525.GB8922@nostromo.devel.redhat.com>
References: <20101208171525.GB8922@nostromo.devel.redhat.com>
Message-ID:

> -----Original Message-----
> From: Bill Nottingham
>
> Ville said:
> > I would like to create a rule to polkit to allow users to update
> their systems without root password. So when packagekit tells there are
> new updates user can just click update without giving root pw. There is
> no need to install new packages without privileges, just keep the
> system up to date is enough.
> >
> > How can I do this?
>
> You'd put something like (warning: untested, salt to taste):
>
> [User update perms]
> Identity=*
> Action=org.freedesktop.packagekit.system-update
> ResultAny=no
> ResultInactive=no
> ResultActive=yes
>
> in /etc/polkit-1/localauthority/30-site.d/.pkla.

Thanks, it works.

br, Ville

From clalance at redhat.com Tue Dec 7 15:21:36 2010
From: clalance at redhat.com (Chris Lalancette)
Date: Tue, 7 Dec 2010 10:21:36 -0500
Subject: [rhelv6-list] [virt-tools-list] Crosspost: KVM live migrate RH6 to or from RH 5.5
In-Reply-To: <4CFD623B.8000404@themeyerfarm.com>
References: <4CFD623B.8000404@themeyerfarm.com>
Message-ID: <20101207152136.GE2875@localhost.localdomain>

On 12/06/10 - 03:22:51PM, Phil Meyer wrote:
> We have been testing live migrations of KVM clients, successfully,
> on RHEL 5.5 and RHEL 6 separately.
>
> We have now mixed our test environment to get a LOE converting our
> existing servers to RHEL 6.
>
> Not good.
>
> Every attempt is met with:
>
> 'error: operation failed: failed to start listening VM'
>
> We have tried:
>
> 5.5 to 6, initiated from 5.5 host and from 6 host.
>
> 6 to 5.5 from 6 host and from 5.5 host.
>
> We have also tried both ways from a third host, with no impact.
>
> Here is a sample:
>
> [root at pxe2 ~]# virsh -c
> qemu+ssh://root at testhost1.mycompany.net/system migrate --live
> my_domain qemu+ssh://root at testhost2.mycompany.net/system
>
> error: operation failed: failed to start listening VM
>
> Again, this command works without fail as long as both servers are
> running the same version.

Yes, as Justin mentioned, this is very, very difficult to implement and test, and hence we have declared it unsupported.

--
Chris Lalancette

From dxh at yahoo.com Thu Dec 9 16:37:51 2010
From: dxh at yahoo.com (Don Hoover)
Date: Thu, 9 Dec 2010 08:37:51 -0800 (PST)
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
Message-ID: <387848.1229.qm@web120702.mail.ne1.yahoo.com>

Has everyone seen the totally new pricing scheme for RHEL6?

Gone are the days of simply having two versions of RHEL server. Now Redhat has decided they want to create a complicated pricing scheme where everything is a different tier and everything is an addon.

Examples:

* Pricing is now per-socket-pair, where on the RHEL5-based model, Advanced Platform was for any server with more sockets.
* Advanced Platform (at $1500, or $2500 with premium support) previously came with Cluster and GFS, now Cluster is additional and GFS is also additional.
* Standard previously allowed 4 guests (plus hypervisor), whereas it now only allows one guest at the same pricing, support for 4 guests costs about 80% more.
* Advanced Platform (at $1500, or $2500 with premium support) previously allowed unlimited guests, now it costs $3249 per socket-pair with

This is TOTALLY CRAZY...for example:

A virtualisation cluster, using 8-socket dual-core servers. On RHEL 5-era pricing, this was costing $1500 per server per year. With the new pricing, it would cost ($1999(unlimited guests)+$399(cluster)+$799(GFS))*4 processor pairs = $12788 per server per year,

**********an 850% increase**********

What is Redhat marketing smoking?

Not to mention that frankly, I don't want to have to implement all the changes to my inventory system to keep track of all this crap to make sure I am paying for everything we are using. Do you ever think of that?

Sorry...but even here at a fortune 50, $12k vs CENTOS will be an easy sell.

From KCollins at chevron.com Thu Dec 9 16:54:51 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 9 Dec 2010 08:54:51 -0800
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
References: <387848.1229.qm@web120702.mail.ne1.yahoo.com>
Message-ID: <86E21A982A7C5249956350A6746108C202022891@CHVPKNTXC5M.chvpk.chevrontexaco.net>

Can you post a link, please?

I am looking at the RedHat store (https://www.redhat.com/wapps/store/catalog.html) and I don't see quite the same thing... the prices do seem a bit higher but I don't see anything about separate costs for Cluster, GFS, etc.

I do remember reading that they were changing the number of allowed virtual guests, which I was not happy about.

Kevin

-----Original Message-----
From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Don Hoover
Sent: Thursday, December 09, 2010 8:38 AM
To: rhelv6-list at redhat.com
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap

Has everyone seen the totally new pricing scheme for RHEL6?

Gone are the days of simply having two versions of RHEL server. Now Redhat has decided they want to create a complicated pricing scheme where everything is a different tier and everything is an addon.

Examples:

* Pricing is now per-socket-pair, where on the RHEL5-based model, Advanced Platform was for any server with more sockets.
* Advanced Platform (at $1500, or $2500 with premium support) previously came with Cluster and GFS, now Cluster is additional and GFS is also additional.
* Standard previously allowed 4 guests (plus hypervisor), whereas it now only allows one guest at the same pricing, support for 4 guests costs about 80% more.
* Advanced Platform (at $1500, or $2500 with premium support) previously allowed unlimited guests, now it costs $3249 per socket-pair with

This is TOTALLY CRAZY...for example:

A virtualisation cluster, using 8-socket dual-core servers. On RHEL 5-era pricing, this was costing $1500 per server per year. With the new pricing, it would cost ($1999(unlimited guests)+$399(cluster)+$799(GFS))*4 processor pairs = $12788 per server per year,

**********an 850% increase**********

What is Redhat marketing smoking?

Not to mention that frankly, I don't want to have to implement all the changes to my inventory system to keep track of all this crap to make sure I am paying for everything we are using. Do you ever think of that?

Sorry...but even here at a fortune 50, $12k vs CENTOS will be an easy sell.

From cmadams at hiwaay.net Thu Dec 9 17:17:52 2010
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 9 Dec 2010 11:17:52 -0600
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
In-Reply-To: <387848.1229.qm@web120702.mail.ne1.yahoo.com>
References: <387848.1229.qm@web120702.mail.ne1.yahoo.com>
Message-ID: <20101209171752.GC29478@hiwaay.net>

Once upon a time, Don Hoover said:
> Has everyone seen the totally new pricing scheme for RHEL6?

For those of us on the Basic end, any pretense of support is gone as well (it is now "self-support"), but the price didn't change.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From linux at alteeve.com Thu Dec 9 17:26:21 2010
From: linux at alteeve.com (Digimer)
Date: Thu, 09 Dec 2010 12:26:21 -0500
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
In-Reply-To: <20101209171752.GC29478@hiwaay.net>
References: <387848.1229.qm@web120702.mail.ne1.yahoo.com> <20101209171752.GC29478@hiwaay.net>
Message-ID: <4D01113D.1040806@alteeve.com>

On 12/09/2010 12:17 PM, Chris Adams wrote:
> Once upon a time, Don Hoover said:
>> Has everyone seen the totally new pricing scheme for RHEL6?
>
> For those of us on the Basic end, any pretense of support is gone as
> well (it is now "self-support"), but the price didn't change.

Doesn't that kind of defeat the point of paying for Red Hat vs using CentOS? I thought the whole idea of RHEL was the support...

--
Digimer
E-Mail: digimer at alteeve.com
AN!Whitepapers: http://alteeve.com
Node Assassin: http://nodeassassin.org

From RJM002 at shsu.edu Thu Dec 9 17:34:52 2010
From: RJM002 at shsu.edu (Marti, Robert J)
Date: Thu, 9 Dec 2010 11:34:52 -0600
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
In-Reply-To: <4D01113D.1040806@alteeve.com>
References: <387848.1229.qm@web120702.mail.ne1.yahoo.com> <20101209171752.GC29478@hiwaay.net> <4D01113D.1040806@alteeve.com>
Message-ID: <9FBDB599-1A5D-41D6-B56B-B24C140EE1E7@shsu.edu>

Support includes the yum repos. Getting things like 5.6 around a month faster than CentOS is a big deal. Up to you if it's worth it.

Sent from my iPhone

On Dec 9, 2010, at 11:28 AM, "Digimer" wrote:

> On 12/09/2010 12:17 PM, Chris Adams wrote:
>> Once upon a time, Don Hoover said:
>>> Has everyone seen the totally new pricing scheme for RHEL6?
>>
>> For those of us on the Basic end, any pretense of support is gone as
>> well (it is now "self-support"), but the price didn't change.
>
> Doesn't that kind of defeat the point of paying for Red Hat vs using
> CentOS? I thought the whole idea of RHEL was the support...
>
> --
> Digimer
> E-Mail: digimer at alteeve.com
> AN!Whitepapers: http://alteeve.com
> Node Assassin: http://nodeassassin.org

From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Thu Dec 9 17:39:02 2010
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Thu, 9 Dec 2010 18:39:02 +0100
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
In-Reply-To: <4D01113D.1040806@alteeve.com>
References: <387848.1229.qm@web120702.mail.ne1.yahoo.com> <20101209171752.GC29478@hiwaay.net> <4D01113D.1040806@alteeve.com>
Message-ID: <20101209183902.7987119c@python3.es.aed.lan>

Digimer wrote :

> On 12/09/2010 12:17 PM, Chris Adams wrote:
> > Once upon a time, Don Hoover said:
> >> Has everyone seen the totally new pricing scheme for RHEL6?
> >
> > For those of us on the Basic end, any pretense of support is gone as
> > well (it is now "self-support"), but the price didn't change.
>
> Doesn't that kind of defeat the point of paying for Red Hat vs using
> CentOS? I thought the whole idea of RHEL was the support...

Well, you do still get access to RHN, the basic channels and all of the updates. Useful... if only it were cheaper or for the current price gave access to more (all?) channels.

Matthias

--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora release 14 (Laughlin) - Linux kernel 2.6.35.6-48.fc14.x86_64
Load : 0.40 0.36 0.25

From evilensky at gmail.com Thu Dec 9 17:42:51 2010
From: evilensky at gmail.com (Eugene Vilensky)
Date: Thu, 9 Dec 2010 11:42:51 -0600
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
In-Reply-To: <9FBDB599-1A5D-41D6-B56B-B24C140EE1E7@shsu.edu>
References: <387848.1229.qm@web120702.mail.ne1.yahoo.com> <20101209171752.GC29478@hiwaay.net> <4D01113D.1040806@alteeve.com> <9FBDB599-1A5D-41D6-B56B-B24C140EE1E7@shsu.edu>
Message-ID:

Is the knowledge base behind a sign in link to enhance the value of said self support? Not that the KB was the best source of Linux info, but for RHEL-hwvendor specific issues it's been fairly useful.

From prentice at ias.edu Thu Dec 9 18:25:45 2010
From: prentice at ias.edu (Prentice Bisbal)
Date: Thu, 09 Dec 2010 13:25:45 -0500
Subject: [rhelv6-list] file permissions contains dot in rhel6
In-Reply-To:
References: <9F990792DAA5FF4F96FD0B95C9C44C0B0108765EE88E@ICTS-S-EXC1-CA.luna.kuleuven.be> <4CFF87B9.7000505@umich.edu> <86E21A982A7C5249956350A6746108C201FA444F@CHVPKNTXC5M.chvpk.chevrontexaco.net> <20101208170119.GD3982@hiwaay.net> <86E21A982A7C5249956350A6746108C201FA4487@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <4D011F29.1040304@ias.edu>

On 12/08/2010 01:42 PM, inode0 wrote:
> On Wed, Dec 8, 2010 at 12:30 PM, Collins, Kevin [BEELINE]
> wrote:
>> Well, scripting around the "permission string" of ls -l is not something
>> I typically do, but that string is pretty much the same on every
>> platform I have worked on... until now :)
>>
>> But I would not be surprised to see this change breaking scripts that
>> others have.
>
> If the script wants a blank in that location it should already be
> doing something to account for the possibility that a + is there, so
> should be easy to modify to ignore the . too.
>
> John

I agree.
Unless you provide more details, fixing your script to deal with the trailing period sounds trivial.

--
Prentice

From prentice at ias.edu Thu Dec 9 18:31:16 2010
From: prentice at ias.edu (Prentice Bisbal)
Date: Thu, 09 Dec 2010 13:31:16 -0500
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
In-Reply-To: <20101209171752.GC29478@hiwaay.net>
References: <387848.1229.qm@web120702.mail.ne1.yahoo.com> <20101209171752.GC29478@hiwaay.net>
Message-ID: <4D012074.2010609@ias.edu>

On 12/09/2010 12:17 PM, Chris Adams wrote:
> Once upon a time, Don Hoover said:
>> Has everyone seen the totally new pricing scheme for RHEL6?
>
> For those of us on the Basic end, any pretense of support is gone as
> well (it is now "self-support"), but the price didn't change.
>

From my limited experience using RHEL/RHN (instead of RHL, Centos, etc.), basic support effectively was self-support. At least they're being honest now.

--
Prentice

From ruprech at jilau1.colorado.edu Thu Dec 9 18:48:19 2010
From: ruprech at jilau1.colorado.edu (Peter Ruprecht)
Date: Thu, 09 Dec 2010 11:48:19 -0700
Subject: [rhelv6-list] LDAP and Samba question
Message-ID: <4D012473.1070301@jilau1.colorado.edu>

Hi,

I'm trying to replicate a setup that worked fine in RHEL 5 on a new RHEL6 server. I need to set up samba to get authentication and other user info from a local openldap directory.

But, I can't for the life of me get ldap to load the samba.schema file (part of the samba rpm).

Here's part of my /etc/openldap/slapd.conf file:

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/collective.schema

and the samba.schema file is where it should be:

# ls -l /etc/openldap/schema/samba.schema
-rw-r--r--. 1 root root 20221 Oct 13 10:38 /etc/openldap/schema/samba.schema

But when I start slapd I see in its log that it reads all the include files except samba.schema. I hope I'm just doing something dumb; maybe one of you has a quick guess what that might be?

Thanks!
Peter Ruprecht

From KCollins at chevron.com Thu Dec 9 19:23:21 2010
From: KCollins at chevron.com (Collins, Kevin [BEELINE])
Date: Thu, 9 Dec 2010 11:23:21 -0800
Subject: [rhelv6-list] getent weirdness (was: nscd weirdness)
In-Reply-To: <86E21A982A7C5249956350A6746108C201FA453B@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C201FA44A9@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA453B@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <86E21A982A7C5249956350A6746108C2020228F1@CHVPKNTXC5M.chvpk.chevrontexaco.net>

I have found the root (no pun intended!) of this problem in the /usr/share/doc/nss-pam-ldapd-0.7.5/NEWS file included in the RPM:

changes from 0.6.11 to 0.7.0
----------------------------
...
...
* password hashes are no longer returned to non-root users (based on a patch by Alexander V. Chernikov)
...

So, I can sort of see the point of this, but I think that this daemon should return what the calling user has access to. If the password hash is not protected, it can be via ACLs from the LDAP server or it can be mapped to a different value. At the very least, there should be an option to allow that behavior. Deciding to just say "no" seems wrong...

Where this becomes interesting is the case where you run nslcd *and* nscd: since nscd runs as user 'nscd' (not root), root will never get the password hash either since the nss calls are routed via nscd.

Not sure if anyone else cares since I have seen no replies, but I figured it's worth documenting. I will probably open a support case just to see what the response is.

Thanks,

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Wednesday, December 08, 2010 4:05 PM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] getent weirdness (was: nscd weirdness)

I have narrowed this down to nslcd by using strace:

[pid 7141] read(12, "\202\1\35\4\"uid=oracle,ou=People,dc=afis,dc=sr0\201\3660\17\4\3uid1\10 \4\6oracle0\24\4\2cn1\16\4\fOracle Owner0+\4\vobjectClass1\34\4\7account\4\fposixAccount\4\3top0&\4\fuserPa ssword1\26\4\24{crypt}No_Login*****0\33\4\nloginShell1\r\4\v/usr/bin/sh0 \22\4\tuidNumber1\5\4\0032000\22\4\tgidNumber1\5\4\0032000\32\4\rhomeDir ectory1\t\4\7/oracle0\27\4\5gecos1\16\4\fOracle Owner", 288) = 288
[pid 7141] select(1024, NULL, [6], NULL, {0, 0}) = 1 (out [6], left {0, 0})
[pid 7141] sendto(6, "\1\0\0\0\351\3\0\0\0\0\0\0\6\0\0\0oracle\1\0\0\0*\310\0\0\0\310\0\0\0\f \0\0\0Oracle Owner\7\0\0\0/oracle\v\0", 64, MSG_NOSIGNAL, NULL, 0) = 64

Notice the read() gets back the actual password data "{crypt}No_Login*****" but the sendto() is sending "*"?

Now to research...

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Wednesday, December 08, 2010 11:18 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] getent weirdness (was: nscd weirdness)

After further investigation, this seems to be an issue with getent. If the effective UID is not 0, it returns '*' as the passwd hash. This is not the behavior exhibited in previous versions, and explains why I see the issue from root when nscd is running - nscd does a setuid to the user 'nscd'.

I checked this on another RHEL6 server that is resolving via NIS and it does *not* exhibit this behavior, so it has some relationship to LDAP. But, I can run ldapsearch and get back the passwd hash as any user (our LDAP allows anonymous read-only to all attributes).

Now my suspicion is that this is caused by nss_ldap, which is different in RHEL6 since this is now part of nss-pam-ldapd.

Any thoughts?

Thanks,

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Monday, December 06, 2010 10:06 AM
To: rhelv6-list at redhat.com
Subject: [rhelv6-list] nscd weirdness

I am seeing different output in the password field of the passwd output from 'getent' when I have nscd running versus when I don't:

# ps -ef | grep -E 'nscd|nslcd'
nscd 18126 1 0 09:42 ? 00:00:00 /usr/sbin/nscd
nslcd 18206 1 0 09:44 ? 00:00:00 /usr/sbin/nslcd

# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh

# service nscd stop
Stopping nscd: [ OK ]

# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh

# nscd -i passwd

# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh

# service nscd start
Starting nscd: [ OK ]

# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh

As you can see, I have tried flushing the passwd cache and restarting nscd with no luck.
The backend in this case is LDAP - the problem does not appear when I am getting information from an ID in /etc/passwd.

Any ideas?

Thanks,

Kevin

From ruprech at jilau1.colorado.edu Thu Dec 9 19:38:04 2010
From: ruprech at jilau1.colorado.edu (Peter Ruprecht)
Date: Thu, 09 Dec 2010 12:38:04 -0700
Subject: [rhelv6-list] LDAP and Samba question
In-Reply-To: <4D012473.1070301@jilau1.colorado.edu>
References: <4D012473.1070301@jilau1.colorado.edu>
Message-ID: <4D01301C.8050104@jilau1.colorado.edu>

Peter Ruprecht wrote:
> Hi,
>
> I'm trying to replicate a setup that worked fine in RHEL 5 on a new
> RHEL6 server. I need to set up samba to get authentication and other
> user info from a local openldap directory.
>
> But, I can't for the life of me get ldap to load the samba.schema file
> (part of the samba rpm).
>
> Here's part of my /etc/openldap/slapd.conf file:
>
> include /etc/openldap/schema/corba.schema
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/duaconf.schema
> include /etc/openldap/schema/dyngroup.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/java.schema
> include /etc/openldap/schema/misc.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/openldap.schema
> include /etc/openldap/schema/ppolicy.schema
> include /etc/openldap/schema/samba.schema
> include /etc/openldap/schema/collective.schema
>
> and the samba.schema file is where it should be:
>
> # ls -l /etc/openldap/schema/samba.schema
> -rw-r--r--. 1 root root 20221 Oct 13 10:38
> /etc/openldap/schema/samba.schema
>
> But when I start slapd I see in its log that it reads all the include
> files except samba.schema. I hope I'm just doing something dumb; maybe
> one of you has a quick guess what that might be?
>

As always, just after posting, the answer becomes clear!
It looks like the current RHEL version of openldap uses the cn=... files in /etc/openldap/slapd.d in addition to info in slapd.conf. The cn= files apparently need to be recreated using slaptest after changing slapd.conf.

-Peter

From prentice at ias.edu Thu Dec 9 20:02:25 2010
From: prentice at ias.edu (Prentice Bisbal)
Date: Thu, 09 Dec 2010 15:02:25 -0500
Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap
In-Reply-To: <9FBDB599-1A5D-41D6-B56B-B24C140EE1E7@shsu.edu>
References: <387848.1229.qm@web120702.mail.ne1.yahoo.com> <20101209171752.GC29478@hiwaay.net> <4D01113D.1040806@alteeve.com> <9FBDB599-1A5D-41D6-B56B-B24C140EE1E7@shsu.edu>
Message-ID: <4D0135D1.4020105@ias.edu>

Not *that* big a deal.

On 12/09/2010 12:34 PM, Marti, Robert J wrote:
> Support includes the yum repos. Getting things like 5.6 around a month faster than CentOS is a big deal. Up to you if it's worth it.
>
> Sent from my iPhone
>
> On Dec 9, 2010, at 11:28 AM, "Digimer" wrote:
>
>> On 12/09/2010 12:17 PM, Chris Adams wrote:
>>> Once upon a time, Don Hoover said:
>>>> Has everyone seen the totally new pricing scheme for RHEL6?
>>>
>>> For those of us on the Basic end, any pretense of support is gone as
>>> well (it is now "self-support"), but the price didn't change.
>>
>> Doesn't that kind of defeat the point of paying for Red Hat vs using
>> CentOS? I thought the whole idea of RHEL was the support...
>> From David.Kinzel at encana.com Thu Dec 9 21:55:21 2010 From: David.Kinzel at encana.com (Kinzel, David) Date: Thu, 9 Dec 2010 14:55:21 -0700 Subject: [rhelv6-list] getent weirdness (was: nscd weirdness) In-Reply-To: <86E21A982A7C5249956350A6746108C2020228F1@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C201FA44A9@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C201FA453B@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C2020228F1@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: What seems wrong is wanting the password hash to be given to regular users. Why? ________________________________ From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE] Sent: Thursday, December 09, 2010 12:23 PM To: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] getent weirdness (was: nscd weirdness) I have found the root (no pun intended!) of this problem in the /usr/share/doc/nss-pam-ldapd-0.7.5/NEWS file included in the RPM: changes from 0.6.11 to 0.7.0 ---------------------------- ... ... * password hashes are no longer returned to non-root users (based on a patch by Alexander V. Chernikov) ... So, I can sort of see the point of this, but I think that this daemon should return what the calling user has access to. If the password hash is not protected, it can be via ACLs from the LDAP server or it can be mapped to a different value. At the very least, there should be an option to allow that behavior. Deciding to just say "no" seems wrong... Where this becomes interesting is the case where you run nslcd *and* nscd: since nscd runs as user 'nscd' (not root), root will never get the password hash either since the nss calls are routed via nscd. Not sure if anyone else cares since I have seen no replies, but I figured it's worth documenting. 
I will probably open a support case just to see what the response is. Thanks, Kevin Kevin From KCollins at chevron.com Thu Dec 9 22:28:30 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Thu, 9 Dec 2010 14:28:30 -0800 Subject: [rhelv6-list] getent weirdness (was: nscd weirdness) In-Reply-To: References: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C201FA44A9@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C201FA453B@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C2020228F1@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C202022932@CHVPKNTXC5M.chvpk.chevrontexaco.net> Did you miss the part where I said this impacts root? And regardless of why I want (or don't want) to do this, it should be my choice. I may have scripts that process the output of getent to check for expired users, etc that rely on getting the password hash. In NIS or a non-shadow environment, this is the case anyway. We primarily use SSO with kerberos (from AD), so our password hashes do not contain a password in (our) LDAP (not AD)... but they do contain strings that are used to denote the state of the user.
Kevin From smooge at gmail.com Thu Dec 9 22:29:16 2010 From: smooge at gmail.com (Stephen John Smoogen) Date: Thu, 9 Dec 2010 15:29:16 -0700 Subject: [rhelv6-list] getent weirdness (was: nscd weirdness) In-Reply-To: References: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA44A9@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C201FA453B@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C2020228F1@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: On Thu, Dec 9, 2010 at 14:55, Kinzel, David wrote: > What seems wrong is wanting the password hash to be given to regular > users. > > Why? For many environments this is considered a secure information disclosure or security incident. I have been at several places where a user decided that using a for loop to get everything out of getent and then running crack/john was the best way to spend a weekend. While the newer hashes provided by RHEL-5/RHEL-6 take longer to crack you can still get a lot of easy fish over the weekend. [And if your system must use some old tools/databases for legacy applications.. you may be stuck with DES hashes for some or all users.. those are really quick to get.] -- Stephen J Smoogen. "The core skill of innovators is error recovery, not failure avoidance." Randy Nelson, President of Pixar University. "Let us be kind, one to another, for most of us are fighting a hard battle."
-- Ian MacLaren From KCollins at chevron.com Thu Dec 9 23:08:15 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Thu, 9 Dec 2010 15:08:15 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update Message-ID: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> I have been rebuilding the "ksh" RPM starting in RHEL5.0 (thru RHEL5.5) to change the behavior of the builtin "echo" command. This has never been an issue, I just plunk the rebuilt RPM file down in our local YUM repo, run createrepo and a 'yum update' will detect the package and install it, replacing the existing ksh package. For some reason I can't figure out, this is not working in RHEL6... I was able to rebuild it fine, but after putting everything in place, 'yum check-update' does not see it. The command I used to rebuild is: rpmbuild --define 'dist .el6' -bb ksh.spec I've tried re-running the createrepo, running 'yum clean all', etc... no luck. Info from the package: # rpm -qip /redhat/RedHatServer6/RHEL6.0/x86_64/rebuild/ksh-20100621-2.el6.x86_64.rpm Name : ksh Relocations: (not relocatable) Version : 20100621 Vendor: (none) Release : 2.el6 Build Date: Thu Dec 9 12:15:31 2010 Install Date: (not installed) Build Host: cpafisxc Group : System Environment/Shells Source RPM: ksh-20100621-2.el6.src.rpm Size : 1478609 License: CPL Signature : (none) URL : http://www.kornshell.com/ Summary : The Original ATT Korn Shell Description : KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories. KornShell is a shell programming language, which is upward compatible with "sh" (the Bourne Shell). Info from the installed package # rpm -qi ksh Name : ksh Relocations: (not relocatable) Version : 20100621 Vendor: Red Hat, Inc.
Release : 2.el6 Build Date: Tue Jun 29 07:40:26 2010 Install Date: Tue Dec 7 14:10:48 2010 Build Host: ls20-bc2-13.build.redhat.com Group : System Environment/Shells Source RPM: ksh-20100621-2.el6.src.rpm Size : 1478609 License: CPL Signature : RSA/8, Mon Aug 16 10:39:17 2010, Key ID 199e2f91fd431d51 Packager : Red Hat, Inc. URL : http://www.kornshell.com/ Summary : The Original ATT Korn Shell Description : KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories. KornShell is a shell programming language, which is upward compatible with "sh" (the Bourne Shell). Any ideas would be helpful.... Thanks, Kevin From gbailey at lxpro.com Thu Dec 9 23:18:03 2010 From: gbailey at lxpro.com (Greg Bailey) Date: Thu, 09 Dec 2010 16:18:03 -0700 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <4D0163AB.7090400@lxpro.com> On 12/9/2010 4:08 PM, Collins, Kevin [BEELINE] wrote: > > I have been rebuilding the "ksh" RPM starting in RHEL5.0 (thru > RHEL5.5) to change the behavior of the builtin "echo" command. This has > never been an issue, I just plunk the rebuilt RPM file down in our > local YUM repo, run createrepo and a 'yum update' will detect the > package and install it, replacing the existing ksh package. > > For some reason I can't figure out, this is not working in RHEL6... I > was able to rebuild it fine, but after putting everything in place, > 'yum check-update' does not see it. > > The command I used to rebuild is: > > rpmbuild --define 'dist .el6' -bb ksh.spec > > I've tried re-running the createrepo, running 'yum clean all', etc... > no luck.
> > Info from the package: > > # rpm -qip > /redhat/RedHatServer6/RHEL6.0/x86_64/rebuild/ksh-20100621-2.el6.x86_64.rpm > > > Name : ksh Relocations: (not relocatable) > > Version : 20100621 Vendor: (none) > > Release : 2.el6 Build Date: Thu Dec 9 12:15:31 2010 > > Info from the installed package > > # rpm -qi ksh > > Name : ksh Relocations: (not relocatable) > > Version : 20100621 Vendor: Red Hat, Inc. > > Release : 2.el6 Build Date: Tue Jun 29 07:40:26 2010 > > Any ideas would be helpful.... > Unless I'm missing something, the version you built and the Red Hat provided one are the same version/release combination, right? If that's the case, the one you just built wouldn't appear any "newer" than the one built by Red Hat, and there would be no upgrade required. -Greg From KCollins at chevron.com Thu Dec 9 23:20:52 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Thu, 9 Dec 2010 15:20:52 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <4D0163AB.7090400@lxpro.com> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D0163AB.7090400@lxpro.com> Message-ID: <86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net> But this has always worked before... I assumed that in this case maybe yum was looking at the build date or something of that nature to determine which package to install. From jclift at redhat.com Thu Dec 9 23:28:04 2010 From: jclift at redhat.com (Justin Clift) Date: Fri, 10 Dec 2010 10:28:04 +1100 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D0163AB.7090400@lxpro.com> <86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com> On 10/12/2010, at 10:20 AM, Collins, Kevin [BEELINE] wrote: > But this has always worked before...
I assumed that in this case maybe > yum was looking at the build date or something of that nature to > determine which package to install. Just as a general thought, what happens if you increment the package release number in a "sub release" fashion? Something like from this: ksh-20100621-2.el6.x86_64.rpm to this: ksh-20100621-2.1.el6.x86_64.rpm I don't know that would work, but if it does, it *might* fix the problem without blocking newer releases. (though you might not want those anyway) From KCollins at chevron.com Fri Dec 10 00:24:38 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Thu, 9 Dec 2010 16:24:38 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D0163AB.7090400@lxpro.com> <86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net> <2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com> Message-ID: <86E21A982A7C5249956350A6746108C202022970@CHVPKNTXC5M.chvpk.chevrontexaco.net> Yeah, I thought about that but then if an update comes out from RedHat with the same revision, I would likely not see that one (which I would want to see, so I can rebuild it to get any bug fixes). Kevin From goetz.reinicke at filmakademie.de Fri Dec 10 08:16:32 2010 From: goetz.reinicke at filmakademie.de (=?ISO-8859-1?Q?G=F6tz_Reinicke_-_IT-Koordinator?=) Date: Fri, 10 Dec 2010 09:16:32 +0100 Subject: [rhelv6-list] LDAP and Samba question In-Reply-To: <4D01301C.8050104@jilau1.colorado.edu> References: <4D012473.1070301@jilau1.colorado.edu> <4D01301C.8050104@jilau1.colorado.edu> Message-ID: <4D01E1E0.40606@filmakademie.de> On 09.12.10 20:38, Peter Ruprecht wrote: > Peter Ruprecht wrote: >> Hi, >> >> I'm trying to replicate a setup that worked fine in RHEL 5 on a new >> RHEL6 server. I need to set up samba to get authentication and other >> user info from a local openldap directory. >> >> But, I can't for the life of me get ldap to load the samba.schema file >> (part of the samba rpm). >> >> Here's part of my /etc/openldap/slapd.conf file: >> >> include /etc/openldap/schema/corba.schema >> include /etc/openldap/schema/core.schema >> include /etc/openldap/schema/cosine.schema >> include /etc/openldap/schema/duaconf.schema >> include /etc/openldap/schema/dyngroup.schema >> include /etc/openldap/schema/inetorgperson.schema >> include /etc/openldap/schema/java.schema >> include /etc/openldap/schema/misc.schema >> include /etc/openldap/schema/nis.schema >> include /etc/openldap/schema/openldap.schema >> include /etc/openldap/schema/ppolicy.schema >> include /etc/openldap/schema/samba.schema >> include /etc/openldap/schema/collective.schema >> >> and the samba.schema file is where it should be: >> >> # ls -l /etc/openldap/schema/samba.schema >> -rw-r--r--. 1 root root 20221 Oct 13 10:38 >> /etc/openldap/schema/samba.schema >> >> But when I start slapd I see in its log that it reads all the include >> files except samba.schema.
I hope I'm just doing something dumb; >> maybe one of you has a quick guess what that might be? >> > > As always, just after posting, the answer becomes clear! It looks like > the current RHEL version of openldap uses the cn=... files in > /etc/openldap/slapd.d in addition to info in slapd.conf. The cn= files > apparently need to be recreated using slaptest after changing slapd.conf. I was faced with a similar situation....and it is described in the migration manual :-) http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Migration_Planning_Guide/index.html#id2161468 /Götz -- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-Württemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Registered at Amtsgericht Stuttgart, HRB 205016 Chair of the Supervisory Board: Prof. Dr. Claudia Hübner Managing Director: Prof. Thomas Schadt From kmazurek at neotek.waw.pl Fri Dec 10 10:00:10 2010 From: kmazurek at neotek.waw.pl (Krzysztof Mazurek) Date: Fri, 10 Dec 2010 11:00:10 +0100 Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap In-Reply-To: <4D0135D1.4020105@ias.edu> References: <387848.1229.qm@web120702.mail.ne1.yahoo.com> <20101209171752.GC29478@hiwaay.net> <4D01113D.1040806@alteeve.com> <9FBDB599-1A5D-41D6-B56B-B24C140EE1E7@shsu.edu> <4D0135D1.4020105@ias.edu> Message-ID: CRAP - I have a feeling that it's worse than MS solutions.... Check: https://www.redhat.com/rhel/purchasing_guide.html There is no Advanced Server Option - so everything is purchased separately: Clustering, Load-Balancing, HA...
First you buy RHEL Support in avg.: $1600 and then you Add options you need: High Availability $399/socket-pair Load Balancer $199/socket-pair Resilient Storage $799/socket-pair Scalable File System $199/socket-pair High Performance Network $199/socket-pair Smart Management $547 now multiply the sum with number of your servers ... RH shot itself in the foot.... Krzysztof From Dirk.Gfroerer at guh-software.de Fri Dec 10 10:28:11 2010 From: Dirk.Gfroerer at guh-software.de (Dirk Gfroerer) Date: Fri, 10 Dec 2010 11:28:11 +0100 Subject: [rhelv6-list] Redhat 6 New Pricing Scheme = crap In-Reply-To: <387848.1229.qm@web120702.mail.ne1.yahoo.com> References: <387848.1229.qm@web120702.mail.ne1.yahoo.com> Message-ID: <4D0200BB.5080506@guh-software.de> Interesting. If you want virtualization on your desktop machine and want more than one VM, you will have to put the server version on it. With RHEL 5 you could have up to four virtual machines on your desktop. Now you're not allowed to have more but one ... http://www.redhat.com/rhel/desktop/compare/ So that would mean an increase from $229 (if I recall correctly) to $1,199 (2-sockets with up to 4 virtual guests). Also sounds a little bit much to me ...
Kind Regards, Dirk From john.haxby at gmail.com Fri Dec 10 10:33:16 2010 From: john.haxby at gmail.com (John Haxby) Date: Fri, 10 Dec 2010 10:33:16 +0000 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C202022970@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D0163AB.7090400@lxpro.com> <86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net> <2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com> <86E21A982A7C5249956350A6746108C202022970@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: On 10 December 2010 00:24, Collins, Kevin [BEELINE] wrote: > Yeah, I thought about that but then if an update comes out from RedHat > with the same revision, I would likely not see that one (which I would > want to see, so I can rebuild it to get any bug fixes). > > If I want to make sure I get the new release from Red Hat (or anywhere else for that matter) I change the release from (in this case) "2%{dist}" to either "2.0.1%{dist}" or "2%{dist}.0.1". It's possible, but highly unlikely, that Red Hat would release a new version that is the same as either of those: they might go for "2.1%{dist}" or simply rebuild the same version for RHEL7 (that'll get the google searchers wondering). I've never come across a case where yum would use the build date or similar to determine a package is newer: the underlying RPM stuff uses only the epoch, release and version doesn't it? jch From john.haxby at gmail.com Fri Dec 10 10:40:07 2010 From: john.haxby at gmail.com (John Haxby) Date: Fri, 10 Dec 2010 10:40:07 +0000 Subject: [rhelv6-list] What happened to the "reply-to" header? Message-ID: Message to the list owners: The RHEL5 list and the RHEL6-beta lists both have a "reply-to" for the list but it's missing from the rhelv6-list.
This has bitten me a couple of times recently and I only noticed _after_ I'd sent the message (apologies to those people who have received two almost identical messages from me). Any chance we can have the "reply-to" header back, please? jch -- Phear the Penguin From prentice at ias.edu Fri Dec 10 15:50:17 2010 From: prentice at ias.edu (Prentice Bisbal) Date: Fri, 10 Dec 2010 10:50:17 -0500 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D0163AB.7090400@lxpro.com> <86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net> <2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com> Message-ID: <4D024C39.4060306@ias.edu> On 12/09/2010 06:28 PM, Justin Clift wrote: > On 10/12/2010, at 10:20 AM, Collins, Kevin [BEELINE] wrote: >> But this has always worked before... I assumed that in this case maybe >> yum was looking at the build date or something of that nature to >> determine which package to install. > > Just as a general thought, what happens if you increment the package > release number in a "sub release" fashion? > > Something like from this: > > ksh-20100621-2.el6.x86_64.rpm > > to this: > > ksh-20100621-2.1.el6.x86_64.rpm > > I don't know that would work, but if it does, it *might* fix the problem > without blocking newer releases. (though you might not want those > anyway) > I think this is exactly what the EXTRAVERSION variable in the spec file is for.
-- Prentice From lowen at pari.edu Fri Dec 10 16:15:16 2010 From: lowen at pari.edu (Lamar Owen) Date: Fri, 10 Dec 2010 11:15:16 -0500 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <201012101115.16878.lowen@pari.edu> On Thursday, December 09, 2010 06:08:15 pm Collins, Kevin [BEELINE] wrote: > For some reason I can't figure out, this is not working in RHEL6... I > was able to rebuild it fine, but after putting everything in place, 'yum > check-update' does not see it. 'EPOCH' is the nuclear sledgehammer in the RPM version scheme. As ugly as a solution using EPOCH to force newest version is, it works. And it has been used before, by Red Hat even, over the years. The other option is 'yum priorities.' From cmadams at hiwaay.net Fri Dec 10 16:28:27 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Fri, 10 Dec 2010 10:28:27 -0600 Subject: [rhelv6-list] SSSD and LDAP takes too long? Message-ID: <20101210162827.GC9675@hiwaay.net> I am trying to set up SSSD for LDAP access (since that appears to be the way forward). One thing I notice though is that lookups for users not in the cache take too long. An "unknown user" takes .013 seconds, but looking up a valid user for the first time takes .4-.6 seconds (I'm testing with "time id "). I cranked up the debugging, but I don't see any obvious errors, and the debug log timestamps are in seconds (so I can't see what took the time). I straced the backend process, and I see it calling fsync on the cache database file multiple times, and that sometimes takes as much as .1 seconds. I tried disabling caching, but (a) it doesn't appear to actual disable (the files are still there, and the cache records are still written), and (b) lookups take even longer (.7-1.1 seconds). 
-- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From Greg_Swift at aotx.uscourts.gov Fri Dec 10 16:30:46 2010 From: Greg_Swift at aotx.uscourts.gov (Greg_Swift at aotx.uscourts.gov) Date: Fri, 10 Dec 2010 10:30:46 -0600 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <201012101115.16878.lowen@pari.edu> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101115.16878.lowen@pari.edu> Message-ID: rhelv6-list-bounces at redhat.com wrote on 12/10/2010 10:15:16 AM: > > On Thursday, December 09, 2010 06:08:15 pm Collins, Kevin [BEELINE] wrote: > > For some reason I can't figure out, this is not working in RHEL6... I > > was able to rebuild it fine, but after putting everything in place, 'yum > > check-update' does not see it. > > 'EPOCH' is the nuclear sledgehammer in the RPM version scheme. As > ugly as a solution using EPOCH to force newest version is, it works. > And it has been used before, by Red Hat even, over the years. > and it is a sledge hammer. I've had instances where we were unable to update to newer packages because we put out a single package with an epoch, and the newer package didn't have one. Not sure if that was a bug or intended, nor if it is the same on RHEL 6, but it is something to watch for. 
From KCollins at chevron.com Fri Dec 10 16:57:58 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 08:57:58 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net><4D0163AB.7090400@lxpro.com><86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net><2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com><86E21A982A7C5249956350A6746108C202022970@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C2020229CD@CHVPKNTXC5M.chvpk.chevrontexaco.net> Corey, I think my concern is that if I change that, my check-update may not find package updates from RedHat... and I want to know about those. Thanks, Kevin -----Original Message----- From: Corey Kovacs [mailto:corey.kovacs at gmail.com] Sent: Thursday, December 09, 2010 7:53 PM To: Collins, Kevin [BEELINE] Subject: Re: [rhelv6-list] rebuilt package not showing selected for update Sorry, that should have read.... I've not done much with rhel6 yet.... Anyway, I just looked again and you haven't signed the package. Either sign it, or make sure your yum config has gpgcheck=0 and see if that works... Also, I must admit I am surprised that your stuff actually updated with identical names. You really should be changing the release in some way since you seem to be maintaining your own version anyway. I usually put an addition tag on, like ... rpmbuild --define 'dist .el6.beeline' -bb ksh.spec that way it's easier to identify which rpm's are yours on a system and not redhat's .... sort of good form..... -C On Fri, Dec 10, 2010 at 3:44 AM, Corey Kovacs wrote: > I've not done much with rhel6 year but have you signed the package? > > Just a thought.. 
> > -C From KCollins at chevron.com Fri Dec 10 17:00:55 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 09:00:55 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net><4D0163AB.7090400@lxpro.com><86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net><2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com><86E21A982A7C5249956350A6746108C202022970@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C2020229D0@CHVPKNTXC5M.chvpk.chevrontexaco.net> But I have never changed anything and it has always worked... I may just have to change my strategy. Your sub-point release idea is probably the next best answer. If anyone else knows more about how the packages are selected or identified for update, I would appreciate it. Thanks, Kevin From lowen at pari.edu Fri Dec 10 17:02:30 2010 From: lowen at pari.edu (Lamar Owen) Date: Fri, 10 Dec 2010 12:02:30 -0500 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <201012101202.30790.lowen@pari.edu> On Friday, December 10, 2010 11:30:46 am Greg_Swift at aotx.uscourts.gov wrote: > rhelv6-list-bounces at redhat.com wrote on 12/10/2010 10:15:16 AM: > > 'EPOCH' is the nuclear sledgehammer in the RPM version scheme. As > > ugly as a solution using EPOCH to force newest version is, it works. > > And it has been used before, by Red Hat even, over the years. > and it is a sledge hammer. I've had instances where we were unable to > update to newer packages because we put out a single package with an epoch, > and the newer package didn't have one. Not sure if that was a bug or > intended, nor if it is the same on RHEL 6, but it is something to watch > for. The other thought is renaming the package itself, and hard coding a provides that matches of the other package, with a conflicts: against the other package. Either way, once you commit to maintaining a custom package you are indeed committed to maintaining a custom package. Changing the name is less nuclear than EPOCH, but not by much.
From amyagi at gmail.com Fri Dec 10 17:29:11 2010 From: amyagi at gmail.com (Akemi Yagi) Date: Fri, 10 Dec 2010 09:29:11 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229D0@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D0163AB.7090400@lxpro.com> <86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net> <2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com> <86E21A982A7C5249956350A6746108C202022970@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C2020229D0@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: On Fri, Dec 10, 2010 at 9:00 AM, Collins, Kevin [BEELINE] wrote: > I may just have to change my strategy. Your sub-point release idea is > probably the next best answer. > If anyone else knows more about how the packages are selected or identified > for update, I would appreciate it. yum/rpm will find the latest version and install it. You can tell which version is newer by running the rpmdev-vercmp script. It is part of the rpmdevtools package (available from EPEL for el5, should work under el6). For example: $ rpmdev-vercmp xyzzy-2.1-1.el5 xyzzy-2.1-1.el5.custom 0:xyzzy-2.1-1.el5.custom is newer Your .custom version is newer than the distro one. $ rpmdev-vercmp xyzzy-2.1-2.el5 xyzzy-2.1-1.el5.custom 0:xyzzy-2.1-2.el5 is newer The distro has been updated, now it is newer. 
Akemi From KCollins at chevron.com Fri Dec 10 17:48:10 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 09:48:10 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net><4D0163AB.7090400@lxpro.com><86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net><2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com><86E21A982A7C5249956350A6746108C202022970@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C2020229D0@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net> Thanks, but if what you are saying is true, why is it not working? My build IS newer, so it should be being detected as such according to what you are saying. I've installed the rpmdevtools package, but how do I use the command in the case where both packages have the same name but are in 2 repos? I ran it against the actual RPM files and this is my result: # /usr/bin/rpmdev-vercmp /redhat/RedHatServer6/RHEL6.0/x86_64/rebuild/ksh-20100621-2.el6.x86_64.r pm /redhat/RedHatServer6/RHEL6.0/x86_64/install/Packages/ksh-20100621-2.el6 .x86_64.rpm 0:/redhat/RedHatServer6/RHEL6.0/x86_64/rebuild/ksh-20100621-2.el6.x86_64 .rpm is newer Thanks, Kevin -----Original Message----- From: Akemi Yagi [mailto:amyagi at gmail.com] Sent: Friday, December 10, 2010 9:29 AM To: Collins, Kevin [BEELINE] Cc: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update On Fri, Dec 10, 2010 at 9:00 AM, Collins, Kevin [BEELINE] wrote: > I may just have to change my strategy. Your sub-point release idea is > probably the next best answer. > If anyone else knows more about how the packages are selected or identified > for update, I would appreciate it. yum/rpm will find the latest version and install it. 
You can tell which version is newer by running the rpmdev-vercmp script. It is part of the rpmdevtools package (available from EPEL for el5, should work under el6). For example: $ rpmdev-vercmp xyzzy-2.1-1.el5 xyzzy-2.1-1.el5.custom 0:xyzzy-2.1-1.el5.custom is newer Your .custom version is newer than the distro one. $ rpmdev-vercmp xyzzy-2.1-2.el5 xyzzy-2.1-1.el5.custom 0:xyzzy-2.1-2.el5 is newer The distro has been updated, now it is newer. Akemi From KCollins at chevron.com Fri Dec 10 17:49:49 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 09:49:49 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net><201012101115.16878.lowen@pari.edu> Message-ID: <86E21A982A7C5249956350A6746108C2020229DE@CHVPKNTXC5M.chvpk.chevrontexaco.net> Where is EPOCH set? I don't see it anywhere in the spec file... Thanks, Kevin -----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Greg_Swift at aotx.uscourts.gov Sent: Friday, December 10, 2010 8:31 AM To: Lamar Owen Cc: rhelv6-list at redhat.com; rhelv6-list-bounces at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update rhelv6-list-bounces at redhat.com wrote on 12/10/2010 10:15:16 AM: > > On Thursday, December 09, 2010 06:08:15 pm Collins, Kevin [BEELINE] wrote: > > For some reason I can't figure out, this is not working in RHEL6... I > > was able to rebuild it fine, but after putting everything in place, 'yum > > check-update' does not see it. > > 'EPOCH' is the nuclear sledgehammer in the RPM version scheme. As > ugly as a solution using EPOCH to force newest version is, it works. > And it has been used before, by Red Hat even, over the years. > and it is a sledge hammer. 
I've had instances where we were unable to update to newer packages because we put out a single package with an epoch, and the newer package didn't have one. Not sure if that was a bug or intended, nor if it is the same on RHEL 6, but it is something to watch for. _______________________________________________ rhelv6-list mailing list rhelv6-list at redhat.com https://www.redhat.com/mailman/listinfo/rhelv6-list From cmadams at hiwaay.net Fri Dec 10 18:24:51 2010 From: cmadams at hiwaay.net (Chris Adams) Date: Fri, 10 Dec 2010 12:24:51 -0600 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <20101210182451.GE9675@hiwaay.net> Once upon a time, Collins, Kevin [BEELINE] said: > Thanks, but if what you are saying is true, why is it not working? My > build IS newer, so it should be being detected as such according to what > you are saying. "newer" does not include the date. It is a comparison of epoch, version, and release tags. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. 
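The epoch, version and release comparison discussed in this thread, as an added Python example (not code from rpm, yum, rpmdev-vercmp or any poster). It assumes the classic segment rules of rpm's rpmvercmp.c without tilde or caret handling; the function names and the "vendor later" release strings are constructed for illustration, and the check answers the practical question of whether a rebuild tag replaces today's vendor build yet still yields to later vendor updates.

```python
"""Added example: RPM-style epoch/version/release ordering (not rpm's own code)."""
import re
import string

_SEPARATORS = re.compile(r"^[^A-Za-z0-9]+")


def rpmvercmp(a, b):
    """Compare two version or release strings; return 1, 0 or -1.

    Assumption: classic rpmvercmp segment rules, no '~' or '^' handling.
    """
    if a == b:
        return 0
    while a or b:
        # Separators only delimit segments; they are never compared themselves.
        a = _SEPARATORS.sub("", a)
        b = _SEPARATORS.sub("", b)
        if not a or not b:
            break
        numeric = a[0] in string.digits
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pattern, a).group(0)
        match_b = re.match(pattern, b)
        if match_b is None:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if numeric else -1
        seg_b = match_b.group(0)
        a, b = a[len(seg_a):], b[len(seg_b):]
        if numeric:
            # Numbers compare by value: drop leading zeros, longer run wins.
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    # Whichever string still has segments left is the newer one.
    return 1 if a else -1


def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr  # a missing epoch is treated as 0
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def compare_evr(x, y):
    """Order two EVR strings: epoch first, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def audit_rebuild_tag(vendor_now, rebuild, vendor_later):
    """List the ways a local rebuild tag would break the update path."""
    problems = []
    if compare_evr(rebuild, vendor_now) <= 0:
        problems.append("rebuild %s does not supersede vendor %s"
                        % (rebuild, vendor_now))
    for future in vendor_later:
        if compare_evr(future, rebuild) <= 0:
            problems.append("vendor %s would not replace rebuild %s"
                            % (future, rebuild))
    return problems


# Constructed sample data: the ksh build from the thread plus hypothetical
# later vendor releases and the rebuild tags proposed by the posters.
VENDOR_NOW = "20100621-2.el6"
VENDOR_LATER = ["20100621-2.el6_1", "20100621-2.1.el6", "20100621-3.el6"]
REBUILD_TAGS = ["20100621-2.el6", "20100621-2.el6.custom",
                "20100621-2.0.1.el6", "20100621-2.el6.0.1",
                "1:20100621-2.el6"]

if __name__ == "__main__":
    for tag in REBUILD_TAGS:
        found = audit_rebuild_tag(VENDOR_NOW, tag, VENDOR_LATER)
        print(tag, "->", "ok" if not found else "; ".join(found))
```

Build dates never enter the comparison, so a rebuild carrying the identical release tag compares equal to the vendor package and is not offered as an update.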
From KCollins at chevron.com Fri Dec 10 18:55:46 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 10:55:46 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net><4D0163AB.7090400@lxpro.com><86E21A982A7C5249956350A6746108C202022953@CHVPKNTXC5M.chvpk.chevrontexaco.net><2234151C-15F7-4980-B189-6D6699BDED3F@redhat.com><86E21A982A7C5249956350A6746108C202022970@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C2020229D0@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C2020229EE@CHVPKNTXC5M.chvpk.chevrontexaco.net> FYI, after just running a check-update I discovered that the rpmdevtools package is included with RHEL6 packages - no need for EPEL. -----Original Message----- From: Akemi Yagi [mailto:amyagi at gmail.com] Sent: Friday, December 10, 2010 9:29 AM To: Collins, Kevin [BEELINE] Cc: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update On Fri, Dec 10, 2010 at 9:00 AM, Collins, Kevin [BEELINE] wrote: > I may just have to change my strategy. Your sub-point release idea is > probably the next best answer. > If anyone else knows more about how the packages are selected or identified > for update, I would appreciate it. yum/rpm will find the latest version and install it. You can tell which version is newer by running the rpmdev-vercmp script. It is part of the rpmdevtools package (available from EPEL for el5, should work under el6). For example: $ rpmdev-vercmp xyzzy-2.1-1.el5 xyzzy-2.1-1.el5.custom 0:xyzzy-2.1-1.el5.custom is newer Your .custom version is newer than the distro one. $ rpmdev-vercmp xyzzy-2.1-2.el5 xyzzy-2.1-1.el5.custom 0:xyzzy-2.1-2.el5 is newer The distro has been updated, now it is newer. 
Akemi From lowen at pari.edu Fri Dec 10 18:58:15 2010 From: lowen at pari.edu (Lamar Owen) Date: Fri, 10 Dec 2010 13:58:15 -0500 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229DE@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C202022949@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <201012101358.15497.lowen@pari.edu> On Friday, December 10, 2010 12:49:49 pm Collins, Kevin [BEELINE] wrote: > Where is EPOCH set? I don't see it anywhere in the spec file... See http://www.rpm.org/max-rpm-snapshot/s1-rpm-inside-tags.html at the heading "The epoch Tag" From KCollins at chevron.com Fri Dec 10 19:01:21 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 11:01:21 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <20101210182451.GE9675@hiwaay.net> References: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net> <20101210182451.GE9675@hiwaay.net> Message-ID: <86E21A982A7C5249956350A6746108C2020229EF@CHVPKNTXC5M.chvpk.chevrontexaco.net> Ok, but then why is the rpmdev-vercmp saying that my rebuilt package is newer? Yet it is still not being treated as newer by yum... I did the rebuild again, this time changing the "el6" to "el6.custom" and now check-update sees the rebuilt package as newer and available for update. My concern is that when Redhat releases "el6_1", my version might still be considered newer. Any idea how the "release" is compared? Thanks, Kevin -----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Chris Adams Sent: Friday, December 10, 2010 10:25 AM To: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update Once upon a time, Collins, Kevin [BEELINE] said: > Thanks, but if what you are saying is true, why is it not working? 
My > build IS newer, so it should be being detected as such according to what > you are saying. "newer" does not include the date. It is a comparison of epoch, version, and release tags. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. _______________________________________________ rhelv6-list mailing list rhelv6-list at redhat.com https://www.redhat.com/mailman/listinfo/rhelv6-list From KCollins at chevron.com Fri Dec 10 19:08:55 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 11:08:55 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <201012101358.15497.lowen@pari.edu> References: <86E21A982A7C5249956350A6746108C2020229DE@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101358.15497.lowen@pari.edu> Message-ID: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> Thanks... I don't want to walk that road :) -----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Lamar Owen Sent: Friday, December 10, 2010 10:58 AM To: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update On Friday, December 10, 2010 12:49:49 pm Collins, Kevin [BEELINE] wrote: > Where is EPOCH set? I don't see it anywhere in the spec file... 
See http://www.rpm.org/max-rpm-snapshot/s1-rpm-inside-tags.html at the heading "The epoch Tag" _______________________________________________ rhelv6-list mailing list rhelv6-list at redhat.com https://www.redhat.com/mailman/listinfo/rhelv6-list From amyagi at gmail.com Fri Dec 10 19:25:54 2010 From: amyagi at gmail.com (Akemi Yagi) Date: Fri, 10 Dec 2010 11:25:54 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229EF@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net> <20101210182451.GE9675@hiwaay.net> <86E21A982A7C5249956350A6746108C2020229EF@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: On Fri, Dec 10, 2010 at 11:01 AM, Collins, Kevin [BEELINE] wrote: > Ok, but then why is the rpmdev-vercmp saying that my rebuilt package is > newer? Yet it is still not being treated as newer by yum... > > I did the rebuild again, this time changing the "el6" to "el6.custom" > and now check-update sees the rebuilt package as newer and available for > update. > > My concern is that when Redhat releases "el6_1", my version might still > be considered newer. Any idea how the "release" is compared? > > Thanks, > > Kevin I don't know how else I can explain but will do my best. 
$ rpmdev-vercmp 2.1-1.el6 2.1-1.el6.custom 0:2.1-1.el6.custom is newer $ rpmdev-vercmp 2.1-1.el6_1 2.1-1.el6.custom 0:2.1-1.el6_1 is newer Akemi From KCollins at chevron.com Fri Dec 10 19:40:16 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 11:40:16 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: References: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net><20101210182451.GE9675@hiwaay.net><86E21A982A7C5249956350A6746108C2020229EF@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C2020229F2@CHVPKNTXC5M.chvpk.chevrontexaco.net> So, are you saying that this tool is only comparing the strings and not looking at any packages? After a bit of playing, that would seem to be the case... which at least lets me test for what I think is a "smart" way to name my rebuild packages. Thanks, Kevin -----Original Message----- From: Akemi Yagi [mailto:amyagi at gmail.com] Sent: Friday, December 10, 2010 11:26 AM To: Collins, Kevin [BEELINE] Cc: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update On Fri, Dec 10, 2010 at 11:01 AM, Collins, Kevin [BEELINE] wrote: > Ok, but then why is the rpmdev-vercmp saying that my rebuilt package is > newer? Yet it is still not being treated as newer by yum... > > I did the rebuild again, this time changing the "el6" to "el6.custom" > and now check-update sees the rebuilt package as newer and available for > update. > > My concern is that when Redhat releases "el6_1", my version might still > be considered newer. Any idea how the "release" is compared? > > Thanks, > > Kevin I don't know how else I can explain but will do my best. 
$ rpmdev-vercmp 2.1-1.el6 2.1-1.el6.custom 0:2.1-1.el6.custom is newer $ rpmdev-vercmp 2.1-1.el6_1 2.1-1.el6.custom 0:2.1-1.el6_1 is newer Akemi From amyagi at gmail.com Fri Dec 10 19:47:47 2010 From: amyagi at gmail.com (Akemi Yagi) Date: Fri, 10 Dec 2010 11:47:47 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229F2@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net> <20101210182451.GE9675@hiwaay.net> <86E21A982A7C5249956350A6746108C2020229EF@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C2020229F2@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: On Fri, Dec 10, 2010 at 11:40 AM, Collins, Kevin [BEELINE] wrote: > So, are you saying that this tool is only comparing the strings and not > looking at any packages? After a bit of playing, that would seem to be > the case... which at least lets me test for what I think is a "smart" > way to name my rebuild packages. rpmdev-vercmp is just a python script. So you can see how it works. :) Akemi From lowen at pari.edu Fri Dec 10 20:04:14 2010 From: lowen at pari.edu (Lamar Owen) Date: Fri, 10 Dec 2010 15:04:14 -0500 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C2020229DE@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <201012101504.14229.lowen@pari.edu> On Friday, December 10, 2010 02:08:55 pm Collins, Kevin [BEELINE] wrote: > Thanks... I don't want to walk that road :) I *did* say it was the nuclear sledgehammer of packaging.... :-) As to release comparisons, IIRC, and it has been a while since I've reviewed it, the two releases are C locale (ASCII, essentially) compared. So f9>f10 for a straight ASCII compare. But this may have changed in the interim since I last needed that information. 
See http://fedoraproject.org/wiki/Packaging:NamingGuidelines#Package_Versioning From KCollins at chevron.com Fri Dec 10 20:12:21 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 12:12:21 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <201012101504.14229.lowen@pari.edu> References: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101504.14229.lowen@pari.edu> Message-ID: <86E21A982A7C5249956350A6746108C2020229F5@CHVPKNTXC5M.chvpk.chevrontexaco.net> Thanks - it looks like the rpmdev-vercmp command will allow me to check the sorting. -----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Lamar Owen Sent: Friday, December 10, 2010 12:04 PM To: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update On Friday, December 10, 2010 02:08:55 pm Collins, Kevin [BEELINE] wrote: > Thanks... I don't want to walk that road :) I *did* say it was the nuclear sledgehammer of packaging.... :-) As to release comparisons, IIRC, and it has been a while since I've reviewed it, the two releases are C locale (ASCII, essentially) compared. So f9>f10 for a straight ASCII compare. But this may have changed in the interim since I last needed that information. 
See http://fedoraproject.org/wiki/Packaging:NamingGuidelines#Package_Version ing _______________________________________________ rhelv6-list mailing list rhelv6-list at redhat.com https://www.redhat.com/mailman/listinfo/rhelv6-list From brilong at cisco.com Fri Dec 10 20:17:44 2010 From: brilong at cisco.com (Brian Long) Date: Fri, 10 Dec 2010 15:17:44 -0500 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229F5@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101504.14229.lowen@pari.edu> <86E21A982A7C5249956350A6746108C2020229F5@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <4D028AE8.9080507@cisco.com> On 12/10/10 3:12 PM, Collins, Kevin [BEELINE] wrote: > Thanks - it looks like the rpmdev-vercmp command will allow me to check > the sorting. Kevin, as soon as you add Epoch to the mix, you can forget updating to a Red Hat-built package if that package does not have an Epoch. Once you set the Epoch, you cannot update to an RPM without an Epoch without removing the RPM and re-installing the one without an Epoch. I would suggest using the other method of 2%{dist}.chevron.1 or 2.0.1%{dist}. Red Hat does not version RPMs with two dots, so as long as they release 2.1%{dist} or 3%{dist}, your RPM would be updated to the Red Hat version. 
/Brian/ From herrold at owlriver.com Fri Dec 10 20:18:40 2010 From: herrold at owlriver.com (R P Herrold) Date: Fri, 10 Dec 2010 15:18:40 -0500 (EST) Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229F2@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net><20101210182451.GE9675@hiwaay.net><86E21A982A7C5249956350A6746108C2020229EF@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C2020229F2@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: On Fri, 10 Dec 2010, Collins, Kevin [BEELINE] wrote: > So, are you saying that this tool is only comparing the strings and not > looking at any packages? After a bit of playing, that would seem to be > the case... which at least lets me test for what I think is a "smart" > way to name my rebuild packages. There was a minor change in the logic some years ago, but the comparison method of rpmvercmp.c has been quite stable see: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178798 This may be of interest as well: http://blog.client9.com/2010/04/comparing-rpm-version-strings-rpm.html which has a long set of comment about the edge cases by a author who knows those dark and twisty corners well http://client9.com/downloads/rpmvercmp.c is out there from that blogger as well A safe working rule is to do the NEVR [Name, Epoch, Version, Release] comparison step by step as string comparisons; within each sub-element of NEVR, every time a separator [a non-alpha, and non-numeral digit; with "." 
the most commonly seen one] is encountered, treat it as a sub-element separator to signal the end of a STRING comparand

Remember: We are not dealing with numbers (int's, floats, octals, hex's, whatever) here (with all the problems of leading or implied leading zeroes and radix markers)

If a local package is present, rpm can query the package for its element values with the --qf sub-option

Textually, as when inferring values from a flat listing of a remote archive, NEVR elements may be approximated by counting back right to left separating by each hyphen, and in the case of Release, discarding the last two '.' separated elements

    REL=` echo "peach-3-4.src.rpm" | rev | awk -F- {'print $1'} | cut -d. -f3- | rev `
    VER=` echo "peach-3-4.src.rpm" | rev | awk -F- {'print $2'} | rev `
    NAM=` echo "peach-3-4.src.rpm" | rev | awk -F- {'print $3'} | rev `

and REL will end up with "4", VER with "3", NAM with "peach" -- sans the '"' of course, but shown here to emphasize that these may look like numbers but are not

Epoch is the red-headed odd case, and is not customarily displayed in file listings for historical reasons

    apple-3-4.src.rpm
is unequal to
    peach-3-4.src.rpm
reason: Name "apple" < "peach"

---------------------------

    1:apple-3-4.src.rpm
also sometimes seen in the notation: apple-1:3-4.src.rpm -- the LHS of the colon back to the next non-decimal-numeral item
is older (less) than
    2:apple-3-4.src.rpm
reason: Epoch "1" < "2"

---------------------------

You mentioned what looked like a %{dist} suffix "el6" to "el6.custom" on a Release field, and that would cause an otherwise seemingly identical package rebuild from the same sources, but with %{dist} NOT %{nil}, to compare as a later item than the one with the nil dist tag [I understand you did a manual .spec file edit, but defining the 'dist' field is perhaps a better way to manage this, as most SRPMs from Red Hat derived space carry variants of this]

    able-1-2.src.rpm
is older than
    able-1-2.custom.src.rpm

-- Russ
herrold From KCollins at chevron.com Fri Dec 10 20:33:35 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 12:33:35 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: References: <86E21A982A7C5249956350A6746108C2020229DD@CHVPKNTXC5M.chvpk.chevrontexaco.net><20101210182451.GE9675@hiwaay.net><86E21A982A7C5249956350A6746108C2020229EF@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C2020229F2@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C2020229F7@CHVPKNTXC5M.chvpk.chevrontexaco.net> Thanks for the details - it is a lot to digest, but in general makes sense. Related to "dist", this is what I did: rpmbuild --define 'dist .el6.custom' -bb ksh.spec Where previously I would define dist as ".el6" or whatever the distribution happened to be. Kevin -----Original Message----- From: R P Herrold [mailto:herrold at owlriver.com] Sent: Friday, December 10, 2010 12:19 PM To: Collins, Kevin [BEELINE] Cc: rhelv6-list at redhat.com Subject: rebuilt package not showing selected for update On Fri, 10 Dec 2010, Collins, Kevin [BEELINE] wrote: > So, are you saying that this tool is only comparing the strings and not > looking at any packages? After a bit of playing, that would seem to be > the case... which at least lets me test for what I think is a "smart" > way to name my rebuild packages. 
There was a minor change in the logic some years ago, but the comparison method of rpmvercmp.c has been quite stable see: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178798 This may be of interest as well: http://blog.client9.com/2010/04/comparing-rpm-version-strings-rpm.html which has a long set of comment about the edge cases by a author who knows those dark and twisty corners well http://client9.com/downloads/rpmvercmp.c is out there from that blogger as well A safe working rule is to do the NEVR [Name, Epoch, Version, Release] comparison step by step as string comparisons; within each sub-element of NEVR, every time a separator [a non-alpha, and non-numeral digit; with "." the most commonly one seen one] is encountered, treat it as a sub-element separator to signal the end of a STRING comparand Remember: We are not dealing with numbers (int's, floats, octals, hex's, whatever) here (with all the problems of leading or implied leading zeroes and radix markers) If a local package is present, rpm can query the package for its element values with the --qf sub-option Textually as when inferring values from a flat listing of a remote archive, NEVR elements may be approximated by counting back right to left separating by each hyphen, and in the case of Release, discarding the last two '.' separated elements REL=` echo "peach-3-4.src.rpm" | rev | awk -F- {'print $1'} | cut -d. 
-f3- | rev ` VER=` echo "peach-3-4.src.rpm" | rev | awk -F- {'print $2'} | rev ` NAM=` echo "peach-3-4.src.rpm" | rev | awk -F- {'print $3'} | rev ` and REL will end up with "4", VER with "3", NAM with "peach" -- sans the '"' of course, but shown here to emphasize that these may look like numbers but are not Epoch is the red-headed odd case, and is not customarily displayed in file listings for historical reasons apple-3-4.src.rpm is unequal to peach-3-4.src.rpm reason: Name "apple" < "peach" --------------------------- 1:apple-3-4.src.rpm also sometimes seen in the notation: apple-1:3-4.src.rpm -- the LHS of the colon back to the next non-decimal-numeral item is older (less) than 2:apple-3-4.src.rpm reason: Epoch "1" < "2" --------------------------- You mentioned what looked like a %{dist} suffix "el6" to "el6.custom" on a Release field, and that would cause a otherwise seemingly otherwise identical package rebuild from the same sources, but with %{dist} NOT %{nil} to compare as a later item than the one with the nil dist tag [I understand you did a manual .spec file edit, but defining the 'dist' field is perhaps a better way to manage this, as most SRPMs from Red Hat derived space carry variants of this] able-1-2.src.rpm is older than able-1-2.custom.src.rpm -- Russ herrold From KCollins at chevron.com Fri Dec 10 20:36:19 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 12:36:19 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <4D028AE8.9080507@cisco.com> References: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101504.14229.lowen@pari.edu><86E21A982A7C5249956350A6746108C2020229F5@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D028AE8.9080507@cisco.com> Message-ID: <86E21A982A7C5249956350A6746108C2020229F8@CHVPKNTXC5M.chvpk.chevrontexaco.net> Brian, I agree that epoch is not something I want to use. 
Do you think it makes more sense to do "2%{dist}.chevron" or "2%{dist}.chevron.1"? Thanks, Kevin -----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Brian Long Sent: Friday, December 10, 2010 12:18 PM To: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update On 12/10/10 3:12 PM, Collins, Kevin [BEELINE] wrote: > Thanks - it looks like the rpmdev-vercmp command will allow me to check > the sorting. Kevin, as soon as you add Epoch to the mix, you can forget updating to a Red Hat-built package if that package does not have an Epoch. Once you set the Epoch, you cannot update to an RPM without an Epoch without removing the RPM and re-installing the one without an Epoch. I would suggest using the other method of 2%{dist}.chevron.1 or 2.0.1%{dist}. Red Hat does not version RPMs with two dots, so as long as they release 2.1%{dist} or 3%{dist}, your RPM would be updated to the Red Hat version. /Brian/ _______________________________________________ rhelv6-list mailing list rhelv6-list at redhat.com https://www.redhat.com/mailman/listinfo/rhelv6-list From brilong at cisco.com Fri Dec 10 21:11:03 2010 From: brilong at cisco.com (Brian Long) Date: Fri, 10 Dec 2010 16:11:03 -0500 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <86E21A982A7C5249956350A6746108C2020229F8@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101504.14229.lowen@pari.edu><86E21A982A7C5249956350A6746108C2020229F5@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D028AE8.9080507@cisco.com> <86E21A982A7C5249956350A6746108C2020229F8@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <4D029767.5060302@cisco.com> On 12/10/10 3:36 PM, Collins, Kevin [BEELINE] wrote: > Brian, > > I agree that epoch is not something I want to use. 
Do you think > it makes more sense to do "2%{dist}.chevron" or "2%{dist}.chevron.1"? If there's ever the chance you would rebuild one of Red Hat's RPMs more than once and wanted upgrades to work, you should use the second form. This way you can change 2%{dist}.chevron.1 to 2%{dist}.chevron.2 and upgrades will work. /Brian/ From KCollins at chevron.com Fri Dec 10 21:36:14 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Fri, 10 Dec 2010 13:36:14 -0800 Subject: [rhelv6-list] rebuilt package not showing selected for update In-Reply-To: <4D029767.5060302@cisco.com> References: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101504.14229.lowen@pari.edu><86E21A982A7C5249956350A6746108C2020229F5@CHVPKNTXC5M.chvpk.chevrontexaco.net><4D028AE8.9080507@cisco.com><86E21A982A7C5249956350A6746108C2020229F8@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D029767.5060302@cisco.com> Message-ID: <86E21A982A7C5249956350A6746108C2020229FD@CHVPKNTXC5M.chvpk.chevrontexaco.net> The only reason I would rebuild is if they release an update, in which case I think I would be covered... but I may use the 2nd form anyway, since as soon as I say I'll never need something will come up where I do :) Thanks, Kevin -----Original Message----- From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Brian Long Sent: Friday, December 10, 2010 1:11 PM To: rhelv6-list at redhat.com Subject: Re: [rhelv6-list] rebuilt package not showing selected for update On 12/10/10 3:36 PM, Collins, Kevin [BEELINE] wrote: > Brian, > > I agree that epoch is not something I want to use. Do you think > it makes more sense to do "2%{dist}.chevron" or "2%{dist}.chevron.1"? If there's ever the chance you would rebuild one of Red Hat's RPMs more than once and wanted upgrades to work, you should use the second form. This way you can change 2%{dist}.chevron.1 to 2%{dist}.chevron.2 and upgrades will work. 
/Brian/

From Frank.Swasey at uvm.edu Fri Dec 10 22:46:35 2010
From: Frank.Swasey at uvm.edu (Francis Swasey)
Date: Fri, 10 Dec 2010 17:46:35 -0500
Subject: [rhelv6-list] rebuilt package not showing selected for update
In-Reply-To: <86E21A982A7C5249956350A6746108C2020229F8@CHVPKNTXC5M.chvpk.chevrontexaco.net>
References: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101504.14229.lowen@pari.edu><86E21A982A7C5249956350A6746108C2020229F5@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D028AE8.9080507@cisco.com> <86E21A982A7C5249956350A6746108C2020229F8@CHVPKNTXC5M.chvpk.chevrontexaco.net>
Message-ID: <4D02ADCB.1050401@uvm.edu>

I believe you will have better luck if you replace the dots with underscores -- as

2%{dist}_chevron or 2%{dist}_chevron_1

As the dots are used to delineate (or have been in RHEL4 and RHEL5 package names) where rpm should stop looking when doing which is newer comparisons.

Frank

On 12/10/2010 3:36 PM, Collins, Kevin [BEELINE] wrote:
> Brian,
>
> I agree that epoch is not something I want to use. Do you think
> it makes more sense to do "2%{dist}.chevron" or "2%{dist}.chevron.1"?
>
> Thanks,
>
> Kevin
>
> -----Original Message-----
> From: rhelv6-list-bounces at redhat.com
> [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Brian Long
> Sent: Friday, December 10, 2010 12:18 PM
> To: rhelv6-list at redhat.com
> Subject: Re: [rhelv6-list] rebuilt package not showing selected for
> update
>
> On 12/10/10 3:12 PM, Collins, Kevin [BEELINE] wrote:
>> Thanks - it looks like the rpmdev-vercmp command will allow me to
> check
>> the sorting.
>
> Kevin, as soon as you add Epoch to the mix, you can forget updating to a
> Red Hat-built package if that package does not have an Epoch.
Once you
> set the Epoch, you cannot update to an RPM without an Epoch without
> removing the RPM and re-installing the one without an Epoch.
>
> I would suggest using the other method of 2%{dist}.chevron.1 or
> 2.0.1%{dist}. Red Hat does not version RPMs with two dots, so as long
> as they release 2.1%{dist} or 3%{dist}, your RPM would be updated to the
> Red Hat version.
>
> /Brian/

--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)

From herrold at owlriver.com Fri Dec 10 23:25:32 2010
From: herrold at owlriver.com (R P Herrold)
Date: Fri, 10 Dec 2010 18:25:32 -0500 (EST)
Subject: [rhelv6-list] rebuilt package not showing selected for update
In-Reply-To: <4D02ADCB.1050401@uvm.edu>
References: <86E21A982A7C5249956350A6746108C2020229F0@CHVPKNTXC5M.chvpk.chevrontexaco.net> <201012101504.14229.lowen@pari.edu><86E21A982A7C5249956350A6746108C2020229F5@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D028AE8.9080507@cisco.com> <86E21A982A7C5249956350A6746108C2020229F8@CHVPKNTXC5M.chvpk.chevrontexaco.net> <4D02ADCB.1050401@uvm.edu>
Message-ID:

On Fri, 10 Dec 2010, Francis Swasey wrote:
> I believe you will have better luck if you replace the dots with underscores
> -- as
>
> 2%{dist}_chevron or 2%{dist}_chevron_1
>
> As the dots are used to delineate (or have been in RHEL4 and RHEL5 package
> names) where rpm should stop looking when doing which is newer comparisons.

ehh? the RPM rpmvercmp code does not 'stop looking' in such cases; "."
has no such 'magic' meaning as a delimiter

-- Russ herrold

From Mc_Kiernan at Oeconomist.com Tue Dec 14 17:24:31 2010
From: Mc_Kiernan at Oeconomist.com (Mc Kiernan Daniel Kian)
Date: Tue, 14 Dec 2010 09:24:31 -0800
Subject: [rhelv6-list] OpenOffice Math Ceases to Cause Symbols to Be Rendered after RHEL Up-Date
Message-ID: <4D07A84F.9040608@Oeconomist.com>

Prior to my migrating from RHEL 5.5 to 6.0, when I used characters U+22b3, U+22b5, U+227b, U+227f, U+2280 in formulae coded within OpenOffice Math (the formula editor) of OpenOffice 3.2.1, the document displayed these when viewed in OpenOffice, and an exported PDF displayed these when viewed with Acrobat readers.

Now, when the very same version of OpenOffice is used in RHEL 6.0, these characters become invisible both in .ODTs and in .PDFs. This problem obtains, in fact, whether I use the distribution of OpenOffice supplied by OpenOffice.org or that provided by Red Hat.

I don't know whether this problem obtains from changes in fontconfig, from a change in the installed set of fonts, or from some other source. That documentation and discussion which I have encountered of fontconfig does not clearly distinguish character-wise fallback from wholesale substitution of one font for another, let alone provide a clear guide as to how to diagnose my present problem.

From adapremont at colorframe.cl Wed Dec 15 07:43:22 2010
From: adapremont at colorframe.cl (Arturo d'Apremont A.)
Date: Wed, 15 Dec 2010 04:43:22 -0300
Subject: [rhelv6-list] list
Message-ID:

From john.haxby at gmail.com Wed Dec 15 11:28:58 2010
From: john.haxby at gmail.com (John Haxby)
Date: Wed, 15 Dec 2010 11:28:58 +0000
Subject: [rhelv6-list] OpenOffice Math Ceases to Cause Symbols to Be Rendered after RHEL Up-Date
In-Reply-To: <4D07A84F.9040608@Oeconomist.com>
References: <4D07A84F.9040608@Oeconomist.com>
Message-ID:

Second attempt: why haven't we got a reply-to header in the list yet? All the other RH lists have this. Sigh.
On 14 December 2010 17:24, Mc Kiernan Daniel Kian wrote:
> Prior to my migrating from RHEL 5.5 to 6.0, when I used characters U+22b3,
> U+22b5, U+227b, U+227f, U+2280 in formulae coded within OpenOffice Math (the
> formula editor) of OpenOffice 3.2.1, the document displayed these when
> viewed in OpenOffice, and an exported PDF displayed these when viewed with
> Acrobat readers.
>
> Now, when the very same version of OpenOffice is used in RHEL 6.0, these
> characters become invisible both in .ODTs and in .PDFs. This problem
> obtains, in fact, whether I use the distribution of OpenOffice supplied by
> OpenOffice.org or that provided by Red Hat.
>
> I don't know whether this problem obtains from changes in fontconfig, from
> a change in the installed set of fonts, or from some other source.
>
>
I think it's a straightforward bug in OOo: those characters are perfectly OK outside a formula, and they're visible when you're editing the formula, they're just not visible when it's rendered on the page.

jch

From goetz.reinicke at filmakademie.de Thu Dec 16 09:07:35 2010
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT-Koordinator)
Date: Thu, 16 Dec 2010 10:07:35 +0100
Subject: [rhelv6-list] MAYDAY ... very strange network breakdown/freeze with new servers and RH EL 6 x86_64
Message-ID: <4D09D6D7.3040408@filmakademie.de>

Good morning,

yesterday I got two identical new servers for running RH EL 6.

I did a basic installation with all defaults to the software selection, the disk setup (LVM, ext4,...). After registration, I did a yum update.

The current kernel is 2.6.32-71.7.1.el6.x86_64.

The onboard LAN is 2 x 1 GBit/s Intel 82574L

The server's tech spec can be seen here: https://www.thomas-krenn.com/de/server-systeme/technisches-datenblatt/frame.only_content/key.6957.html

At installation time I set the LAN configuration to DHCP and changed it later with the system-config-network tool to static IP and DNS/gateway settings.

Now I'm faced with the problem that the LAN connection freezes after a couple of minutes and I can't restart the network service. And there are a lot of errors and dropped packages/frames.

I checked/configured both interfaces in both servers (eth0 and eth1), one at a time.

I reinstalled one server, thinking that maybe something was broken during installation. I checked the install DVD.

I attached a screenshot I grabbed from my remote KVM console to show the ifconfig output.

Maybe it is an unsupported NIC? Or known bug? or something else?

Any hint and help is very welcome!

Best Regards *<:-) . Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt

From lists at brimer.org Thu Dec 16 14:24:22 2010
From: lists at brimer.org (Barry Brimer)
Date: Thu, 16 Dec 2010 08:24:22 -0600 (CST)
Subject: [rhelv6-list] MAYDAY ... very strange network breakdown/freeze with new servers and RH EL 6 x86_64
In-Reply-To: <4D09D6D7.3040408@filmakademie.de>
References: <4D09D6D7.3040408@filmakademie.de>
Message-ID:

> yesterday I got two identical new servers for running RH EL 6.
>
> I did a basic installation with all defaults to the software selection,
> the disk setup (LVM, ext4,...). After registration, I did a yum update.
>
> The current kernel is 2.6.32-71.7.1.el6.x86_64.
>
> The onboard LAN is 2 x 1 GBit/s Intel 82574L
>
> The server's tech spec can be seen here:
> https://www.thomas-krenn.com/de/server-systeme/technisches-datenblatt/frame.only_content/key.6957.html
>
>
> At installation time I set the LAN configuration to DHCP and changed it
> later with the system-config-network tool to static IP and DNS/gateway
> settings.
>
> Now I'm faced with the problem that the LAN connection freezes after a
> couple of minutes and I can't restart the network service. And there are
> a lot of errors and dropped packages/frames.

I would look in dmesg. Does this happen with the older kernel that you installed with the system? I would also use a LiveCD and see if the same thing occurs.

From goetz.reinicke at filmakademie.de Thu Dec 16 14:26:06 2010
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT-Koordinator)
Date: Thu, 16 Dec 2010 15:26:06 +0100
Subject: [rhelv6-list] SOLVED ...
very strange network breakdown/freeze with new servers and RH EL 6 x86_64
In-Reply-To: <4D09D6D7.3040408@filmakademie.de>
References: <4D09D6D7.3040408@filmakademie.de>
Message-ID: <4D0A217E.5040700@filmakademie.de>

On 16.12.10 10:07, Götz Reinicke - IT-Koordinator wrote:
> Good morning,
>
> yesterday I got two identical new servers for running RH EL 6.
>
> I did a basic installation with all defaults to the software selection,
> the disk setup (LVM, ext4,...). After registration, I did a yum update.
>
> The current kernel is 2.6.32-71.7.1.el6.x86_64.
>
> The onboard LAN is 2 x 1 GBit/s Intel 82574L
>
> The server's tech spec can be seen here:
> https://www.thomas-krenn.com/de/server-systeme/technisches-datenblatt/frame.only_content/key.6957.html
>
>
> At installation time I set the LAN configuration to DHCP and changed it
> later with the system-config-network tool to static IP and DNS/gateway
> settings.
>
> Now I'm faced with the problem that the LAN connection freezes after a
> couple of minutes and I can't restart the network service. And there are
> a lot of errors and dropped packages/frames.

<...>

Adding 'pcie_aspm=off' to the boot options seems to solve that issue.

/Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt

From curtis at telus.net Thu Dec 16 14:44:57 2010
From: curtis at telus.net (Curtis Rempel)
Date: Thu, 16 Dec 2010 07:44:57 -0700
Subject: [rhelv6-list] MAYDAY ...
very strange network breakdown/freeze with new servers and RH EL 6 x86_64
In-Reply-To:
References: <4D09D6D7.3040408@filmakademie.de>
Message-ID: <68669BC8-D52A-45E1-848B-C3E3C598D025@telus.net>

On 2010-12-16, at 7:24 AM, Barry Brimer wrote:
>> yesterday I got two identical new servers for running RH EL 6.
>>
>> I did a basic installation with all defaults to the software selection,
>> the disk setup (LVM, ext4,...). After registration, I did a yum update.
>>
>> The current kernel is 2.6.32-71.7.1.el6.x86_64.
>>
>> The onboard LAN is 2 x 1 GBit/s Intel 82574L
>>
>> The server's tech spec can be seen here:
>> https://www.thomas-krenn.com/de/server-systeme/technisches-datenblatt/frame.only_content/key.6957.html
>>
>>
>> At installation time I set the LAN configuration to DHCP and changed it
>> later with the system-config-network tool to static IP and DNS/gateway
>> settings.
>>
>> Now I'm faced with the problem that the LAN connection freezes after a
>> couple of minutes and I can't restart the network service. And there are
>> a lot of errors and dropped packages/frames.
>
> I would look in dmesg. Does this happen with the older kernel that you installed with the system? I would also use a LiveCD and see if the same thing occurs.
>

It seems to be related to a bug filed on RHEL 5.5:

https://bugzilla.redhat.com/show_bug.cgi?id=632650

Though I haven't read the filing in detail, it's probably worth looking for related info in the report.
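
Added example, not part of any list message: the release-tag question from the "rebuilt package not showing selected for update" thread earlier in this archive, worked through with a Python sketch of the classic rpmvercmp segment comparison (no tilde or caret handling). The `.el6` expansion of %{dist} and the version `1.0` are assumptions; the thread names neither.

```python
# Added example (not list code): classic rpmvercmp ordering of release tags.
DIGITS = "0123456789"
ALPHA = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIST = ".el6"      # assumption: what %{dist} expands to on RHEL 6
VERSION = "1.0"    # constructed; the thread never names the package version


def _run_end(s, start, charset):
    """Index just past the run of `charset` characters beginning at `start`."""
    end = start
    while end < len(s) and s[end] in charset:
        end += 1
    return end


def rpmvercmp(a, b):
    """Compare two version or release strings; return -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) and j < len(b):
        # '.', '_' and any other non-alphanumeric byte only separate segments.
        while i < len(a) and a[i] not in DIGITS + ALPHA:
            i += 1
        while j < len(b) and b[j] not in DIGITS + ALPHA:
            j += 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i] in DIGITS
        charset = DIGITS if numeric else ALPHA
        ei, ej = _run_end(a, i, charset), _run_end(b, j, charset)
        seg_a, seg_b = a[i:ei], b[j:ej]
        if not seg_b:
            # Segment types differ: a numeric segment outranks an alphabetic one.
            return 1 if numeric else -1
        if numeric:
            # Compare as integers: drop leading zeros, longer digit run wins.
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ei, ej
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has segments left is the newer one.
    return 1 if i < len(a) else -1


def compare_evr(x, y):
    """Compare (epoch, version, release) tuples; a missing epoch counts as 0."""
    epoch_x, epoch_y = int(x[0] or 0), int(y[0] or 0)
    if epoch_x != epoch_y:
        return 1 if epoch_x > epoch_y else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def supersedes(candidate, installed):
    """True if `candidate` sorts strictly newer than `installed`."""
    return compare_evr(candidate, installed) > 0


def release_report():
    """Compare the local tag 2%{dist}.chevron.1 with each alternative discussed."""
    local = "2" + DIST + ".chevron.1"
    others = {
        "vendor build being replaced": "2" + DIST,
        "second local rebuild": "2" + DIST + ".chevron.2",
        "local tag without counter": "2" + DIST + ".chevron",
        "underscore spelling": "2" + DIST + "_chevron_1",
        "vendor minor bump": "2.1" + DIST,
        "vendor next release": "3" + DIST,
    }
    return {label: rpmvercmp(local, rel) for label, rel in others.items()}


if __name__ == "__main__":
    for label, result in release_report().items():
        print("%-30s %+d" % (label, result))
    # An Epoch on the local rebuild blocks every epoch-less vendor update.
    pinned = ("1", VERSION, "2" + DIST + ".chevron.1")
    vendor = (None, VERSION, "3" + DIST)
    print("vendor update replaces epoch build:", supersedes(vendor, pinned))
```

A result of +1 means the local tag sorts newer, -1 means the other tag does, and 0 means rpm sees no difference between them.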

From Mc_Kiernan at Oeconomist.com Fri Dec 17 03:36:39 2010
From: Mc_Kiernan at Oeconomist.com (Mc Kiernan Daniel Kian)
Date: Thu, 16 Dec 2010 19:36:39 -0800
Subject: [rhelv6-list] OpenOffice Math Ceases to Cause Symbols to Be Rendered after RHEL Up-Date
In-Reply-To:
References: <4D07A84F.9040608@Oeconomist.com>
Message-ID: <4D0ADAC7.9040702@Oeconomist.com>

On 12/15/2010 03:27 AM, John Haxby wrote:
>
>> Prior to my migrating from RHEL 5.5 to 6.0, when I used characters
>> U+22b3, U+22b5, U+227b, U+227f, U+2280 in formulae coded within
>> OpenOffice Math (the formula editor) of OpenOffice 3.2.1, the
>> document displayed these when viewed in OpenOffice, and an
>> exported PDF displayed these when viewed with Acrobat readers.
>>
>> Now, when the very same version of OpenOffice is used in RHEL 6.0,
>> these characters become invisible both in .ODTs and in .PDFs.
>> This problem obtains, in fact, whether I use the distribution of
>> OpenOffice supplied by OpenOffice.org or that provided by Red Hat.
>>
>> I don't know whether this problem obtains from changes in
>> fontconfig, from a change in the installed set of fonts, or from
>> some other source.
>
>
> I think it's a straightforward bug in OOo: those characters are
> perfectly OK outside a formula, and they're visible when you're
> editing the formula, they're just not visible when it's rendered on
> the page.

I have filed an issue report (116132) with OpenOffice:

The developer looking at the issue reports that it is not reproduced on Solaris or on Suse 11. I ask others on this list to see if the problem is reproducible on their systems (try rendering a`?`b in an OpenOffice document), and if so then to chime-in at the report, in order to move the status from "unconfirmed".

My thanks to those of you who do.

From adapremont at colorframe.cl Fri Dec 17 17:09:49 2010
From: adapremont at colorframe.cl (Arturo d'Apremont A.)
Date: Fri, 17 Dec 2010 14:09:49 -0300 Subject: [rhelv6-list] (no subject) Message-ID: From adapremont at colorframe.cl Sat Dec 18 17:58:59 2010 From: adapremont at colorframe.cl (Arturo d'Apremont A.) Date: Sat, 18 Dec 2010 14:58:59 -0300 Subject: [rhelv6-list] (no subject) Message-ID: <3b5ab2f434709513fd27d6c34c139ec6.squirrel@webmail.colorframe.cl> From traxtopel at gmail.com Mon Dec 20 08:22:31 2010 From: traxtopel at gmail.com (Grant Williamson) Date: Mon, 20 Dec 2010 09:22:31 +0100 Subject: [rhelv6-list] EL6 and T410(nvidia) Message-ID: <4D0F1247.6010606@gmail.com> All, anyone on this list using EL6 on a Lenovo T410, which has an nvidia graphics card. I am hearing reports from colleagues that the default nouveau driver just locks up at GDM. Anyone else seeing this issue, or have a bugzilla already open? From KCollins at chevron.com Thu Dec 23 16:42:17 2010 From: KCollins at chevron.com (Collins, Kevin [BEELINE]) Date: Thu, 23 Dec 2010 08:42:17 -0800 Subject: [rhelv6-list] getent weirdness (was: nscd weirdness) - SOLVED (not so much) In-Reply-To: <86E21A982A7C5249956350A6746108C2020228F1@CHVPKNTXC5M.chvpk.chevrontexaco.net> References: <86E21A982A7C5249956350A6746108C201FA41C3@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C201FA44A9@CHVPKNTXC5M.chvpk.chevrontexaco.net><86E21A982A7C5249956350A6746108C201FA453B@CHVPKNTXC5M.chvpk.chevrontexaco.net> <86E21A982A7C5249956350A6746108C2020228F1@CHVPKNTXC5M.chvpk.chevrontexaco.net> Message-ID: <86E21A982A7C5249956350A6746108C2020232F1@CHVPKNTXC5M.chvpk.chevrontexaco.net> Just as a follow-up for future list readers, I thought I would post a summary of the case I opened with Redhat on this. The response essentially boiled down to: Regardless of the fact that other passwd backends (files, NIS, etc) expose the password hash with getent (regardless of calling user), they don't see it as an issue that the backend for LDAP masks the password hash with '*'. 
The logic is that the hash is not used in pam_ldap authentication (an LDAP bind with password is).

To the point that nslcd specifically DOES expose the hash when the user is root, but since nscd runs as non-root the root user can not see it either, was that you either a) don't run nscd or b) don't query a specific user - instead use enumeration since nscd doesn't handle enumeration. Rather than run 'getent passwd oracle' run 'getent passwd | grep ^oracle:'.

I personally still think this is crap - getent should have consistent behavior regardless of the backend... but I am tired of fighting this battle.

Thanks,

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Thursday, December 09, 2010 11:23 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] getent weirdness (was: nscd weirdness)

I have found the root (no pun intended!) of this problem in the /usr/share/doc/nss-pam-ldapd-0.7.5/NEWS file included in the RPM:

changes from 0.6.11 to 0.7.0
----------------------------
...
...
* password hashes are no longer returned to non-root users (based on a patch by Alexander V. Chernikov)
...

So, I can sort of see the point of this, but I think that this daemon should return what the calling user has access to. If the password hash is not protected, it can be via ACLs from the LDAP server or it can be mapped to a different value. At the very least, there should be an option to allow that behavior. Deciding to just say "no" seems wrong...

Where this becomes interesting is the case where you run nslcd *and* nscd: since nscd runs as user 'nscd' (not root), root will never get the password hash either since the nss calls are routed via nscd.

Not sure if anyone else cares since I have seen no replies, but I figured it's worth documenting. I will probably open a support case just to see what the response is.

Thanks,

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Wednesday, December 08, 2010 4:05 PM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] getent weirdness (was: nscd weirdness)

I have narrowed this down to nslcd by using strace:

[pid 7141] read(12, "\202\1\35\4\"uid=oracle,ou=People,dc=afis,dc=sr0\201\3660\17\4\3uid1\10 \4\6oracle0\24\4\2cn1\16\4\fOracle Owner0+\4\vobjectClass1\34\4\7account\4\fposixAccount\4\3top0&\4\fuserPa ssword1\26\4\24{crypt}No_Login*****0\33\4\nloginShell1\r\4\v/usr/bin/sh0 \22\4\tuidNumber1\5\4\0032000\22\4\tgidNumber1\5\4\0032000\32\4\rhomeDir ectory1\t\4\7/oracle0\27\4\5gecos1\16\4\fOracle Owner", 288) = 288
[pid 7141] select(1024, NULL, [6], NULL, {0, 0}) = 1 (out [6], left {0, 0})
[pid 7141] sendto(6, "\1\0\0\0\351\3\0\0\0\0\0\0\6\0\0\0oracle\1\0\0\0*\310\0\0\0\310\0\0\0\f \0\0\0Oracle Owner\7\0\0\0/oracle\v\0", 64, MSG_NOSIGNAL, NULL, 0) = 64

Notice the read() gets back the actual password data "{crypt}No_Login*****" but the sendto() is sending "*"?

Now to research...

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Wednesday, December 08, 2010 11:18 AM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] getent weirdness (was: nscd weirdness)

After further investigation, this seems to be an issue with getent. If the effective UID is not 0, it returns '*' as the passwd hash. This is not the behavior exhibited in previous versions, and explains why I see the issue from root when nscd is running - nscd does a setuid to the user 'nscd'.

I checked this on another RHEL6 server that is resolving via NIS and it does *not* exhibit this behavior, so it has some relationship to LDAP. But, I can run ldapsearch and get back the passwd hash as any user (our LDAP allows anonymous read-only to all attributes).

Now my suspicion is that this is caused by nss_ldap, which is different in RHEL6 since this is now part of nss-pam-ldapd.

Any thoughts?

Thanks,

Kevin

From: rhelv6-list-bounces at redhat.com [mailto:rhelv6-list-bounces at redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Monday, December 06, 2010 10:06 AM
To: rhelv6-list at redhat.com
Subject: [rhelv6-list] nscd weirdness

I am seeing different output in the password field of the passwd output from 'getent' when I have nscd running versus when I don't:

# ps -ef | grep -E 'nscd|nslcd'
nscd 18126 1 0 09:42 ? 00:00:00 /usr/sbin/nscd
nslcd 18206 1 0 09:44 ? 00:00:00 /usr/sbin/nslcd
# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh
# service nscd stop
Stopping nscd: [ OK ]
# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
# nscd -i passwd
# getent passwd oracle
oracle:No_Login*****:200:200:Oracle Owner:/oracle:/usr/bin/sh
# service nscd start
Starting nscd: [ OK ]
# getent passwd oracle
oracle:*:200:200:Oracle Owner:/oracle:/usr/bin/sh

As you can see, I have tried flushing the passwd cache and restarting nscd with no luck. The backend in this case is LDAP - the problem does not appear when I am getting information from an ID in /etc/passwd.

Any ideas?

Thanks,

Kevin

From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Fri Dec 24 12:42:16 2010
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Fri, 24 Dec 2010 13:42:16 +0100
Subject: [rhelv6-list] Bind chroot mess in RHEL6
Message-ID: <20101224134216.218c0826@python3.es.aed.lan>

Hi,

Is it just me, or is the way the whole bind/named chroot is done in RHEL6 now real ugly and messy?

The init script checks a whole bunch of stuff and uses "mount --bind" all over the place to make various files and directories available under the /var/named/chroot/ tree.

After a simple bind-chroot install and "service named start" :

# cat /etc/mtab
/dev/vda1 / ext4 rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
devpts /dev/pts devpts rw,gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,rootcontext="system_u:object_r:tmpfs_t:s0" 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
/etc/named /var/named/chroot/etc/named none rw,bind 0 0
/var/named /var/named/chroot/var/named none rw,bind 0 0
/etc/named.conf /var/named/chroot/etc/named.conf none rw,bind 0 0
/etc/named.rfc1912.zones /var/named/chroot/etc/named.rfc1912.zones none rw,bind 0 0
/etc/rndc.key /var/named/chroot/etc/rndc.key none rw,bind 0 0
/usr/lib64/bind /var/named/chroot/usr/lib64/bind none rw,bind 0 0
/etc/named.iscdlv.key /var/named/chroot/etc/named.iscdlv.key none rw,bind 0 0

Yuck! Maybe it works with all of the defaults, but when changing things slightly (file locations, directories used), it gets very fragile. Not to mention that by default you get this utterly confusing empty path as a side-effect of mounting /var/named on a sub-directory of itself :

/var/named/chroot/var/named/chroot/var/named

Sorry for the rant. I think I'll now consider not using the chroot feature anymore since my DNS servers have the DNS service as their only service and selinux in enforcing mode. I'll also use this as an excuse to have another look around at other DNS daemons : 'tis the season to be switchy!

Matthias

--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora release 14 (Laughlin) - Linux kernel 2.6.35.6-48.fc14.x86_64
Load : 0.01 0.14 0.50

From kirbyzhou at sogou-inc.com Tue Dec 28 11:05:56 2010
From: kirbyzhou at sogou-inc.com (Kirby Zhou)
Date: Tue, 28 Dec 2010 19:05:56 +0800
Subject: [rhelv6-list] Does RHELv6 support Block Migration for KVM?
Message-ID: <02f601cba67f$36629980$a327cc80$@sogou-inc.com>

Does RHELv6 support Block Migration for KVM?

Since qemu-kvm-0.12.2, it supports a function named "Block Migration".
So we can do live-migration without shared storage. Does RHELv6 support that feature? Regards, Kirby Zhou from SOHU-RD +86-10-6272-8261