How can I change a login of a user in samba4 based domain?
I've tried reading the samba-tool man page, but it does not seem to show anything that i could use.
I can type
echo bbr > /proc/sys/net/ipv4/tcp_congestion_control
to change the congestion control algorithm for the TCP connections running over IPv4, but how do I do it for those arriving over IPv6?
Does the above command set it for both?
in my setup ISC DHCPD 4.3.1 hands out ip addresses only to list of pre-defined hosts, whose mac <> ip association is explicitly entered in the config file.
once in a while there'll be DHCP request coming from a host that is not listed in the config. in logs i see:
May 23 08:29:33 myserver dhcpd: DHCPDISCOVER from 51:24:30:1a:27:ce via eth0.201: network 10.1.10.0/24: no free leases
how can i convince the DHCPD to log the host-name provided by the host trying to obtain the ipv4 address?
i've tried these, just to see if i can get any additional logging, defined both in global scope or subnet but neither gave me any entry in the log:
if not (known or static) {
    log(error,
        concat("client is neither known nor static ",
               binary-to-ascii(16, 8, ":", substring(hardware, 1, 6))));
}
log(error,
    concat("Lease request from ",
           binary-to-ascii(16, 8, ":", substring(hardware, 1, 6))));
logging of that type works fine for known hosts, but looks like handling of the "no free leases" event happens before any logging action is taken.
thanks in advance for help!
Debian Stretch will likely be released in the middle of this year.
mysql-server-5.x will no longer be available and is replaced with mariadb-server-10.1. i don't feel i'm ready for the big step and moving to MariaDB, i'd prefer to stay with mysql 5.6 or - even better - 5.7. what would you recommend - using 5.7 from debian's unstable repository? going with the oracle-provided packages? some other options?
thanks!
let's say i have two office spaces in a multi-tenant building. landlord was kind enough to provide me with copper cat 6 cable connecting both of the disjoint spaces.
i could just attach network switches at both ends and create a flat L2 network. but i'd like to be sure that other tenants cannot easily tap into the cable and eavesdrop on the traffic passing between two of my offices.
what solution would you propose here? ideally it should provide a transparent L2 connectivity and handle few hundreds of mbit/s. i'd prefer off-the-shelf devices that can be easily replaced.
with encrypted home-plug gear or wireless access points providing wpa2-psk - seems like the encryption hardware is available.
some of my ideas:
thanks for any suggestions!
i've run into a network problem which i cannot solve. on a few computers running windows 8.1 and communicating with linux http server tcp connections dangle on the windows side instead of being properly closed.
after response [fragmented into few, acknowledged by windows, tcp packets] linux server - 10.14.11.59 - sends a tcp packet containing FIN and ACK flags set.
this is acknowledged by the windows machine - 10.14.10.195 - with packet having only the ACK flag set.
linux re-sends packets with FIN and ACK flags few times while windows machine - for some reason still keeps the connection open; packets with the RST flag are never sent by the windows machine.
if that happens windows application waits and eventually times out. this happens randomly somewhere between 10-50% of attempts.
traffic between both machines is unfiltered; host-based firewalls were off. to avoid potential problems i've disabled tcp offloading on linux, and windows. additionally on windows the following were run and machine was rebooted:
netsh int tcp set global chimney=disabled
netsh int tcp set global autotuninglevel=disabled
netsh int tcp set global rss=disabled
packet capture: here.
any thoughts will be appreciated!
geoip-enabled authoritative dns server is quite easy to find - bind9 with patch can do it, powerdns as well. but the problem starts when server receives DNS query from global public resolvers like google's 8.8.8.8. the request might come from ip in completely different geolocation location than the actual user. queries from google can carry that information.
do you have any experience with running servers that handle edns-client-subnet and provide answers depending on the geolocation of the client? what [reasonably stable] open source dns servers provide that functionality?
i've found so far one - gdnsd.org but i'm curious to hear about your experience and alternatives.
thanks!
in the environment where windows client computers are used to run putty to connect to multiple linux servers i'm considering moving away from password based authentication and using public/private key pairs with pass-phrases.
using ssh-agent would be nice, but at the same time i'd like it to 'forget' the pass-phrases after given period of inactivity.
it seems that putty's pageant does not provide such feature; what would you suggest as alternative? solutions that i'm considering:
thanks!
Do you know any 'Debian way' of setting up multiple MySQL instances on a single server? The server would receive data replicated from multiple remote databases.
I could use scripts like mysqlsandbox but I prefer to stick to Debian packages and would like to be able to upgrade the setup without much complications in the future. Another solution is mysqlmanager - it works with MySQL 5.1 but it's deprecated and not released anymore with 5.5.
So what's the 'best practice' of running multiple MySQL instances on a single Debian server?
for some reason i need to start apache2 only after mysql is running on one of the servers.
i've tried:
but still when i watch the screen at the bootup i see
INIT: Entering runlevel: 2
...
Starting web server: apache2Action 'start' failed.
and only then
Starting MySQL database server: mysqld
thx
i'm thinking about using dynamic routing [ OSPF or RIP ] via OpenVPN tunnels. right now i have few offices connected in full mesh, but this is not scalable solution as we add more locations. i would like to avoid situation when plenty of internal traffic is affected if one of two vpn termination points that i plan to use is down.
do you have similar configuration working in production? if so - what routing daemon did you use - quagga? something else? did you encounter any problems?
thanks!
i'm looking for some handy program/script to which i can pump data via stdin and which can present me some basic statistics of input data. for instance - provided with set of values separated by new line character i would like to get:
yes - i know, can be done with bash or awk, but maybe you already know something handy?
ps.
i'm perfectly aware of 'big cannons' like octave, r and some other - but i need something much simpler.
thanks
Aligning partitions to start at real physical sector of ssds / striped raids / 4kB drives is a 'good thing to do', but I've run into problems when trying to do it for a truecrypt partition that will contain ext3 on it. Or so it seems.
When drive in question is partitioned properly and formatted with ext3 I get very reasonable write speeds around 70-80MB/s, but when I put truecrypt and ext3 on the top of it write performance becomes very unstable and goes between 1-25MB/s with very high io-wait. On the same server I don't have any performance issues with ext3 on the top of truecrypt on regular 512B-sector 500GB sata disks. So my best guess is that iowaits are caused by misalignment but I cannot really find reliable information on how to calculate optimal partition beginning. I've tried to start it at 128 logical sector, I've also tried 8132 sector as suggested here but both gave me very bad and unstable performance.
Do you have any experience with similar setup? Thanks!
ps - quote from truecrypt forum: When I encrypted the partition with Truecrypt, I only got 8Mbyte/sec because it does not place the start of the volume at sector 8192, but instead it places the volume at the end of the track which 8192 belongs to. I have 63 sectors per track, so sector 8192 is the second sector of the 130th track. Truecrypt started its volume at the end of this track (sector number 8252), which is 60 sectors too far. So the solution was to move the partition back by 60 sectors, so the partition started at 8132 instead of 8192. This caused the first sector of the Truecrypt volume to be located at the magic sector 8192.
my current setup - i use bunch of sip hard-phones around few offices. all devices have two sip accounts configured - one on internal sip proxy [for calls between the branches], another - at 3rd party voip providers [ since it's in different countries - those are different providers, but that's irrelevant ].
i was thinking about terminating sip calls on something like asterisk/freeswitch server and having all sip-devices log on just once to such server[s] - mostly to provide things like voicemail, groupcalls, redirections etc. it seems perfectly doable but there is one problem - i cannot find examples how to prepare for nat/no nat. for calls routed from/to 3rd party voip operator - i'll need handling for nat/stun etc, but for handling of internal calls - i do not want any nat, all traffic should go via vpns to different branches.
can you provide me some hints how to configure it? any tutorials?
thanks!
i have almost out-of-the-box windows 2003 server which is also domain name server for some users. should i be worried of 5th of may's deployment of dnssec on root name servers ?
i have already run:
dnscmd /Config /EnableEDnsProbes 1
thanks a lot!
ps. my firewalls / network infrastructure do not block udp packets > 512B
my result from ripe test:
Announced buffer size: 1280 bytes
Measured buffer size: 1259 bytes
EDNS enabled: yes
DNSSEC enabled: no
Your resolver does not have DNSSEC enabled.
Note: There will always be a difference between the announced and measured buffer size because of the algorithm used. However this difference should not exceed 300 bytes.
ps #2
this is active directory server so it has dns service which is authoritative dns server for some internal dns zone [not used in public internet]. this server is also used as recursive name server for some internal users.
i'm interested how do you write your complex packet-filtering rulesets on linux router acting as firewall. one with default-drop policy.
i usually go with such approach [ just an artificial example ]:
iptables -F ; iptables -X; iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N FORWARD_machineA
iptables -A FORWARD_machineA -d $machineA -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD_machineA -d $machineA -s $machineB -p tcp --dport 3306 -j ACCEPT
iptables -A FORWARD_machineA -d $machineA -j DROP
iptables -A FORWARD_machineA -s $machineA -d $machineC -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD_machineA -s $machineA -j REJECT
iptables -N FORWARD_machineB
iptables -A FORWARD_machineB -d $machineB -s $machineA -p tcp --dport 3306 -j ACCEPT
iptables -A FORWARD_machineB -d $machineB -j DROP
iptables -A FORWARD_machineB -s $machineB -d $machineC -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD_machineB -s $machineB -j REJECT
iptables -N FORWARD_machineC
iptables -A FORWARD_machineC -d $machineC -s $machineA -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD_machineC -d $machineC -s $machineB -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD_machineC -d $machineC -j DROP
iptables -A FORWARD_machineC -s $machineC -j REJECT
iptables -A FORWARD -s $machineA -j FORWARD_machineA
iptables -A FORWARD -d $machineA -j FORWARD_machineA
iptables -A FORWARD -s $machineB -j FORWARD_machineB
iptables -A FORWARD -d $machineB -j FORWARD_machineB
iptables -A FORWARD -s $machineC -j FORWARD_machineC
iptables -A FORWARD -d $machineC -j FORWARD_machineC
this works fine, but is far from perfect: for instance if i add two servers in different subnets that need to communicate - rules need to be added both in chains for machineA and machineB.
in this case i'm mostly interested in manageability / readability - so there is no need for special performance optimization [ eg minimising average number of rule-lookups ].
ps: similar question, but that's not answers i'm looking for.
thanks!
silly one,
do you have any problems with rsync'ing large [ >4GB ] files under modern linux? [ 32bit, 64bit, large file support turned on ]? i've done some tests on my own between 2 64bit boxes and didn't have any problems transferring 6-10GB files. to make test thorough i altered files, run rsync again, checked md5... - all seems ok.
but after i saw this bug report i got a bit worried. i did some searching but have not found any confirmation of the problem.
thanks for your thoughts!
edit: file system: ext3, reiserfs
how can i ensure that if new version of configuration file is downloaded via puppet from master repository to one of managed servers relevant service is restarted.
typical scenario - let's say there is new munin or apache config. puppet client discovers it, overwrites local files... and... - how to make sure service is restarted / reloaded ?
thanks a lot!
what do i risk [besides obvious - cc number getting stolen] when buying ssl certificate for https use from one of many rapidssl resellers rather than directly from rapidssl? disproportion in prices seems quite high: 10$ vs 79$ per year.
where's the catch? do you have any experience with any of resellers? thanks!
I'm about to deploy ~25 servers running Debian. The machines will have different roles - web servers, Java appservers, proxies, MySQL boxes. The environment will probably not grow much in the future - maybe 2-5 more servers in next 2 years.
I'll probably use fai for system installation, but I'm unsure if it's worth to add also cfengine or puppet centralized configuration management for such small scale.
Does configuration management make sense for an environment this size?