From joea at j4computers.com Mon Dec 1 08:48:56 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 01 Dec 2008 03:48:56 -0500
Subject: OES linux time drifts into the future.
In-Reply-To: <4932A5EE.5010305@netlab1.oucs.ox.ac.uk>
References: <49318DAE020000850005EF9A@FS-LIN-OES> <4931948D020000850005EF9E@FS-LIN-OES> <493274FB.4080800@netlab1.oucs.ox.ac.uk> <49325BA4020000850005EFAA@FS-LIN-OES> <4932A5EE.5010305@netlab1.oucs.ox.ac.uk>
Message-ID: <49335EA8020000850005EFDD@FS-LIN-OES>

> ------------
> Joe,
> Linux host: we always ensure that it uses NTP and is spot on.
> Linux guest: same thing
> NW guest: ditto
>
> This is the case for any Linux kernel, host or guest.
> The nohz option is for the Linux guest, though it may be stated
> for a Linux host if you wish. This appeared in kernels 2.6.26 or so.
> The purpose of being tickless was to reduce the interrupt rate, and
> hence also the overhead of running the scheduler, from its extreme
> value of 1000/sec (to make clients appear to be "crisp" at any cost)
> to the tens/sec so that the modern CPU sleep states can be entered.
> The Unix historical value has been 100. Green is good and all that jazz.
> The problem with a tickless kernel has been that older VMware
> workstation products were unaware of it and guest time was in very
> serious trouble indeed. That's where the nohz option was required.
> Today the versions I mentioned above seem to work fine for me in
> quick tests. Yet, it is up to us to check our local environment.
> Note: the forthcoming SLES 11 uses kernel 2.6.27, thus is tickless.
> At best you can obtain OpenSUSE11 today; SLES 11 is still in closed
> beta.
> VMware Server 2.0 seems to be a little behind the finesse found in
> VMware Workstation 6.5.x.
> Joe D.

Thanks for all the hints. Still the linux guest drifts forward badly. The host and the NetWare VM are accurate.
I made the changes suggested in /boot/grub/menu.lst, kernel section, which currently reads:

kernel (hd0,0)/boot/vmlinuz root=/dev/sda1 vga=0x332 selinux=0 splash=silent resume=/dev/sda2 elevator=cfq showopts clock=pit noapic nohz=on

Is that correct/reasonable or in error?

joe a.

From ahidalgo at salud.unm.edu Mon Dec 1 13:52:20 2008
From: ahidalgo at salud.unm.edu (Al Hidalgo)
Date: Mon, 01 Dec 2008 06:52:20 -0700
Subject: Ring time issues w/eDir 8.8.3 ftf2, 64 bit SLES 10 SP2, Dell 2850
Message-ID: <4933899C.4770.0087.0@salud.unm.edu>

New 8.8.3 ftf2 server on 64 Bit SLES 10 SP2 running on a Dell 2850 (Not a VM), tree is a mix of 8.7.3.10ftf1 and 8.8.2, masters are all on a single 8.7.3.10ftf1 SLES 10 box.

kernel is:
2.6.16.60-0.33-smp #1 SMP Fri Oct 31 14:24:07 UTC 2008 x86_64 x86_64 x86_64 GNU/Linux

On this new box any replica I add, iMon reports -Local Replica issued future time -0:01:06 (this time drifts up and down but always stays negative) and it never goes green but all other servers with a copy of the replica report no errors. Partition Continuity is good as seen in ConsoleOne and I have no problem adding and removing replicas. Server time is in sync and time through the tree looks in sync.

I have even tried with the local clock stuff commented out, with using the clock=pit kernel parameter from TID 3858673 and have tried pointing straight to the public ntp pool. Nothing ever changes.

Could I have bad hardware or is there a bug in eDir?

ntptime:
ntp_gettime() returns code 0 (OK)
  time ccde6857.aaff1000 Mon, Dec 1 2008 6:42:47.667, (.667954),
  maximum error 107466 us, estimated error 546 us
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset -42.000 us, frequency 48.860 ppm, interval 4 s,
  maximum error 107466 us, estimated error 546 us,
  status 0x1 (PLL),
  time constant 2, precision 1.000 us, tolerance 512 ppm,
  pps frequency 0.000 ppm, stability 512.000 ppm, jitter 200.000 us,
  intervals 0, jitter exceeded 0, stability exceeded 0, errors 0.
ntpq -p:
*uhldap.health.u 140.142.16.34    2 u   50   64  377    0.316   -0.283   0.105
+uh-ldap1.health 140.142.16.34    2 u   55   64  377    0.187    0.218   0.139

This is from the server in question on the partition in question (uh-idm1):

Read/Write Replica  .gwm.GrpWise.MC.HSC.UNMHSC.       On  3  11/25/08 11:45:56 AM  0:00:10  0:00:10  Agent Summary, Agent Configuration, Agent Health
Master Replica      .mypw.PWS.MC.HSC.UNMHSC.          On  1  11/25/08 11:45:56 AM  0:00:04  0:00:10  Agent Summary, Agent Configuration, Agent Health
Read/Write Replica  .hsc-gwpri.Mail.Misc.HSC.UNMHSC.  On  6  11/25/08 11:45:56 AM  0:00:02  0:00:10  Agent Summary, Agent Configuration, Agent Health
Read/Write Replica  .uh-ldap1.Portal.MC.HSC.UNMHSC.   On  2  11/25/08 11:45:56 AM  0:00:05  0:00:10  Agent Summary, Agent Configuration, Agent Health
Read/Write Replica  .uh-idm.PWS.MC.HSC.UNMHSC.        On  4  11/25/08 11:45:56 AM  0:00:04  0:00:10  Agent Summary, Agent Configuration, Agent Health
Read/Write Replica  .uh-idm1.PWS.MC.HSC.UNMHSC.       On  5  11/25/08 11:45:56 AM  0:00:10  0:00:05  Agent Summary, Agent Configuration, Agent Health

This is from the master replica server on the partition in question (mypw):

Read/Write Replica  .gwm.GrpWise.MC.HSC.UNMHSC.       On  3  11/25/08 11:45:54 AM  0:00:00  0:00:10  Agent Summary, Agent Configuration, Agent Health
Master Replica      .mypw.PWS.MC.HSC.UNMHSC.          On  1  11/25/08 11:45:54 AM  0:00:10  0:00:09  Agent Summary, Agent Configuration, Agent Health
Read/Write Replica  .hsc-gwpri.Mail.Misc.HSC.UNMHSC.  On  6  11/25/08 11:45:54 AM  0:00:08  0:00:10  Agent Summary, Agent Configuration, Agent Health
Read/Write Replica  .uh-ldap1.Portal.MC.HSC.UNMHSC.   On  2  11/25/08 11:45:54 AM  0:00:07  0:00:10  Agent Summary, Agent Configuration, Agent Health
Read/Write Replica  .uh-idm.PWS.MC.HSC.UNMHSC.        On  4  11/25/08 11:45:54 AM  0:00:06  0:00:10  Agent Summary, Agent Configuration, Agent Health
Read/Write Replica  .uh-idm1.PWS.MC.HSC.UNMHSC.       On  5  11/25/08 11:45:54 AM  0:00:09  0:00:10  Agent Summary, Agent Configuration, Agent Health

NetWare 1602.00 Directory Services Repair 10551.26, DS 10553.73
Log file for server ".UNMHSC2.LDAP.Misc.HSC" in tree "UNMHSC"
Time synchronization and server status information
Start: Tuesday, November 25, 2008 10:13:25 am Local Time

---------------------------+---------+---------+-----------+--------+-------
                            DS.NLM    Replica   Time        Time is  Time
Server name                 Version   Depth     Source      in sync  +/-
---------------------------+---------+---------+-----------+--------+-------
.UHSOS.SrvsServers.UH....   10553.73  -1        Primary     Yes      0
.UHSHARE.SrvsServers.1...   10553.73  -1        Secondary   Yes      0
.UHCTH.CTH.MC.HSC           10554.34  -1        Secondary   Yes      0
.UHCSFAX.SrvsServers.1...   10411.02  -1        Secondary   Yes      0
.UHAPPSERV.UH.MC.HSC        10554.34  -1        Secondary   Yes      0
.UH-ZEN1.Zen.MC.HSC         10553.73  3         Secondary   Yes      0
.UH-SEH.SEH.MC.HSC          10554.34  -1        Secondary   Yes      0
.UH-MEDARTS.MedArts.MC...   10554.34  -1        Secondary   Yes      0
.UH-IMAGE2.SrvsServers...   10553.73  -1        Secondary   Yes      0
.uh-idm1.PWS.MC.HSC         20216.87  3         Non-NetWare Yes      0
.UH-GWRESTORE.test.MC.HSC   10554.34  -1        Secondary   Yes      0
.uh-gw2.GrpWise.MC.HSC      20216.63  -1        Non-NetWare Yes      0
.uh-gw1.GrpWise.MC.HSC      10554.44  -1        Non-NetWare Yes      0
.uh-gw.GrpWise.MC.HSC       10554.31  -1        Non-NetWare Yes      0
.uh-gateway2.GrpWise.M...   20216.63  -1        Non-NetWare Yes      0
.UH-GATEWAY1.GrpWise.M...   10553.73  -1        NTP         Yes      0
.UH-GATEWAY.GrpWise.MC...   10553.73  -1        NTP         Yes      0
.uh-bhgw.GrpWise.MC.HSC     20216.63  -1        Non-NetWare Yes      0
.uh-1650gw1.GrpWise.MC...   10554.31  -1        Non-NetWare Yes      0
.MYMAIL1.GrpWise.MC.HSC     10553.73  -1        NTP         Yes      0
.MYMAIL.GrpWise.MC.HSC      10554.44  -1        NTP         Yes      0
.myhsc.VO.Misc.HSC          10554.34  -1        Non-NetWare Yes      0
.MC-SMINNOW.SrvsServer...   10554.34  -1        Secondary   Yes      0
.MC-ICS.SrvsServers.16...   10553.73  -1        Secondary   Yes      0
.HSC-STORAGE1.Servers.HSC   10552.79  -1        Primary     Yes      0
.hsc-poalib.Mail.Misc.HSC   10554.31  -1        Non-NetWare Yes      0
.hsc-poa4.Mail.Misc.HSC     10554.34  -1        Non-NetWare Yes      0
.hsc-poa3.Mail.Misc.HSC     10554.31  -1        Non-NetWare Yes      0
.hsc-poa2.Mail.Misc.HSC     10554.31  -1        Non-NetWare Yes      0
.hsc-poa1.Mail.Misc.HSC     10554.34  -1        Non-NetWare Yes      0
.HSC-NMPDIC4.NMPDIC.De...   10553.73  -1        Secondary   Yes      0
.HSC-MAIN.Servers.HSC       20216.51  -1        Secondary   Yes      0
.hsc-mail6.Mail.Misc.HSC    10554.31  -1        Non-NetWare Yes      0
.HSC-LIBRARY1.Servers....   10552.79  -1        Secondary   Yes      0
.HSC-IPH.Institute for...   10552.79  -1        Secondary   Yes      0
.hsc-iagate2.Mail.Misc...   10554.31  -1        Non-NetWare Yes      0
.hsc-iagate1.Mail.Misc...   20216.63  -1        Non-NetWare Yes      0
.hsc-iagate.Mail.Misc.HSC   10554.31  -1        Non-NetWare Yes      0
.hsc-homestore.Servers...   10554.31  -1        Non-NetWare Yes      0
.hsc-gwmta.Mail.Misc.HSC    10554.34  -1        Non-NetWare Yes      0
.HSC-GERIATRICS.Geriat...   10553.73  -1        Secondary   Yes      0
.HSC-GATEWAY3.Mail.Mis...   10553.73  -1        Secondary   Yes      0
.HSC-GATEWAY1.Mail.Mis...   10552.79  -1        Secondary   Yes      0
.HSC-ACC.Servers.HSC        10553.73  -1        Secondary   Yes      0
.gwwebacc1.Mail.Misc.HSC    10552.79  -1        Non-NetWare Yes      0
.gwweb6.Mail.Misc.HSC       10554.34  -1        Non-NetWare Yes      0
.gwweb5.Mail.Misc.HSC       10554.34  -1        Non-NetWare Yes      0
.CPHD.GrpWise.MC.HSC        10553.73  -1        Secondary   Yes      0
.UHMAIN.UH.MC.HSC           10554.34  1         NTP         Yes      0
.UNMHSC1.LDAP.Misc.HSC      10553.73  1         Reference   Yes      0
.uh-idm.PWS.MC.HSC          10554.44  0         Non-NetWare Yes      0
.gwm.GrpWise.MC.HSC         20216.63  0         Non-NetWare Yes      0
.uh-ldap1.Portal.MC.HSC     10554.44  0         Non-NetWare Yes      0
.HSC-COMMON.Servers.HSC     10553.73  0         Secondary   Yes      0
.unmhscl.LDAP.Misc.HSC      10554.34  0         Non-NetWare Yes      0
.hsc-gwpri.Mail.Misc.HSC    10554.34  0         Non-NetWare Yes      0
.mypw.PWS.MC.HSC            10554.44  0         Non-NetWare Yes      0
.UNMHSC2.LDAP.Misc.HSC      10553.73  0         Primary     Yes      0
---------------------------+---------+---------+-----------+--------+-------

Al Hidalgo
Enterprise Systems Support Analyst
Information Technology
University Hospitals/UNM Health Sciences Center
ahidalgo at salud.unm.edu

From joea at j4computers.com Mon Dec 1 14:31:31 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 01 Dec 2008 09:31:31 -0500
Subject: ntpdate, wasRe: OES linux time drifts into the future.
In-Reply-To: <49335EA8020000850005EFDD@FS-LIN-OES>
References: <49318DAE020000850005EF9A@FS-LIN-OES> <4931948D020000850005EF9E@FS-LIN-OES> <493274FB.4080800@netlab1.oucs.ox.ac.uk> <49325BA4020000850005EFAA@FS-LIN-OES> <4932A5EE.5010305@netlab1.oucs.ox.ac.uk> <49335EA8020000850005EFDD@FS-LIN-OES>
Message-ID: <4933AEF3020000850005EFE1@FS-LIN-OES>

Trying to set time using ntpdate -d -v local_timeserver via cron, every few minutes.

Gives indication it runs, but time does not get set. Or re-set, as you prefer.

Does that not work?

joe a.

From joea at j4computers.com Mon Dec 1 14:41:15 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 01 Dec 2008 09:41:15 -0500
Subject: ntpdate, wasRe: OES linux time drifts into the future.
In-Reply-To: <4933AEF3020000850005EFE1@FS-LIN-OES>
References: <49318DAE020000850005EF9A@FS-LIN-OES> <4931948D020000850005EF9E@FS-LIN-OES> <493274FB.4080800@netlab1.oucs.ox.ac.uk> <49325BA4020000850005EFAA@FS-LIN-OES> <4932A5EE.5010305@netlab1.oucs.ox.ac.uk> <49335EA8020000850005EFDD@FS-LIN-OES> <4933AEF3020000850005EFE1@FS-LIN-OES>
Message-ID: <4933B13B020000850005EFE5@FS-LIN-OES>

>>> On 12/1/2008 at 9:31 AM, "joea at j4computers.com" wrote:
> Trying to set time using ntpdate -d -v local_timeserver via cron, every few
> minutes.
>
> Gives indication it runs, but time does not get set. Or re-set, as you
> prefer.
>
> Does that not work?
>
> joe a.

No. Dilbert has just found the proper doc which says -d is debug mode and *does not* set the local clock.

Sorry for the list clutter.

joe a.

From cmangiarelli at gmail.com Mon Dec 1 17:22:33 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Mon, 1 Dec 2008 12:22:33 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
Message-ID:

I need to build a brand new OES2/SuSE server for an ifolder implementation. It is going to serve as a quick backup solution for some high level exec's who need files on their laptops backed up automatically. They may also employ the workgroup sharing piece of ifolder at a later date. Other than hardware redundancy, they have no plans at this time to make the system part of a larger environment (ie. there is a requirement that this server stand alone).

My experience is mostly with some of the older Linux stuff but I have inherited most of my current linux infrastructure which also has a lot of NetWare still.

I would appreciate any pointers while going about installing this server. I know partitioning scheme and file systems have been talked about a lot and I've lost some of the details in the mire. My plans are to create a raid mirror for the OS (146GB total) and the remaining disks will be in a raid 5 array (about 1TB) to hold the production ifolder storage.
In the first 146GB, I also need some additional ifolder storage space for testing and development (only production ifolders can go on the raid 5 array). Should I use LVM here? Would 46GB be enough for OES, 100GB for development ifolder storage?

I assume all I need during the install is to create a new eDirectory tree which should create a CA (correct?). Other than eDirectory, iManager and the ifolder rpms, what else would I need or could possibly want available at install time?

I appreciate any pointers here. All of my current linux servers are single task servers and are part of a larger edirectory tree so I had all the infrastructure available in the past to build a new server into my current environment. The requirement that this server stand alone is a little daunting knowing that it's been so long since I've setup a tree from scratch and never did it alone on Linux.

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From joe.doupnik at oucs.ox.ac.uk Mon Dec 1 17:36:53 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Mon, 01 Dec 2008 17:36:53 +0000
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
Message-ID: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From joea at j4computers.com Mon Dec 1 21:23:28 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 01 Dec 2008 16:23:28 -0500
Subject: rug error
Message-ID: <49340F80020000850005EFF2@FS-LIN-OES>

Trying to use rug to update oes1.

Crashed after some 3.3 GB had been downloaded. Any way to simply start from where it left off?

joe a.
From joea at j4computers.com Mon Dec 1 22:20:45 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 01 Dec 2008 17:20:45 -0500
Subject: Red Carpet, update vs patch
Message-ID: <49341CED020000850005EFF6@FS-LIN-OES>

After crashing using rug and digging out of a full disk, due to reasons unknown, and getting system "stable", tried red carpet.

Now confused by "update" vs "patch" and wondering which needs to be installed first.

joe a.

From joea at j4computers.com Mon Dec 1 23:25:51 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 01 Dec 2008 18:25:51 -0500
Subject: rug error
In-Reply-To: <49340F80020000850005EFF2@FS-LIN-OES>
References: <49340F80020000850005EFF2@FS-LIN-OES>
Message-ID: <49342C2F020000850005EFFA@FS-LIN-OES>

>>> On 12/1/2008 at 4:23 PM, "joea at j4computers.com" wrote:
> Trying to use rug to update oes1.
>
> Crashed after some 3.3 GB had been downloaded. Any way to simply start
> from where it left off?
>
> joe a.

Matters not, used red-carpet.

joe a.

From joea at j4computers.com Mon Dec 1 23:26:36 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 01 Dec 2008 18:26:36 -0500
Subject: Red Carpet, update vs patch
In-Reply-To: <49341CED020000850005EFF6@FS-LIN-OES>
References: <49341CED020000850005EFF6@FS-LIN-OES>
Message-ID: <49342C5C020000850005EFFE@FS-LIN-OES>

>>> On 12/1/2008 at 5:20 PM, "joea at j4computers.com" wrote:
> After crashing using rug and digging out of a full disk, due to reasons
> unknown, and getting system "stable", tried red carpet.
>
> Now confused by "update" vs "patch" and wondering which needs to be
> installed first.
>
> joe a.
>

Doing Updates make "patches" disappear.

joe a.
From joe.doupnik at oucs.ox.ac.uk Tue Dec 2 08:41:16 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Tue, 02 Dec 2008 08:41:16 +0000
Subject: rug error
In-Reply-To: <49340F80020000850005EFF2@FS-LIN-OES>
Message-ID: <20081202084116.EACB61E196@webmail219.herald.ox.ac.uk>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From joe.doupnik at oucs.ox.ac.uk Tue Dec 2 08:42:47 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Tue, 02 Dec 2008 08:42:47 +0000
Subject: Red Carpet, update vs patch
In-Reply-To: <49341CED020000850005EFF6@FS-LIN-OES>
Message-ID: <20081202084247.5B9641E195@webmail219.herald.ox.ac.uk>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From joea at j4computers.com Tue Dec 2 11:13:50 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Tue, 02 Dec 2008 06:13:50 -0500
Subject: rug error
In-Reply-To: <20081202084116.EACB61E196@webmail219.herald.ox.ac.uk>
References: <49340F80020000850005EFF2@FS-LIN-OES> <20081202084116.EACB61E196@webmail219.herald.ox.ac.uk>
Message-ID: <4934D21E020000850005F002@FS-LIN-OES>

>>> On 12/2/2008 at 3:41 AM, Joe Doupnik wrote:
> In message <49340F80020000850005EFF2 at FS-LIN-OES> Novell LAN Interest Group
> writes:
>> Trying to use rug to update oes1.
>>
>> Crashed after some 3.3 GB had been downloaded. Any way to simply start
> from where it left off?
>>
>> joe a.
> ---------
> Try
>   rug cc        clear cache
>   rug refresh
>   rug lu
>   rug up
>
> Between these watch with top for the zmd stuff to finish
> before giving the next command.
> I am at a two-day event in Bracknell today and tomorrow
> so checking email will be sporadic. You are welcome to attend
> if you catch an early plane over.
> Joe D.

Thanks. It won't be possible this time.

joe a.
From joea at j4computers.com Tue Dec 2 11:15:45 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Tue, 02 Dec 2008 06:15:45 -0500
Subject: Red Carpet, update vs patch
In-Reply-To: <20081202084247.5B9641E195@webmail219.herald.ox.ac.uk>
References: <49341CED020000850005EFF6@FS-LIN-OES> <20081202084247.5B9641E195@webmail219.herald.ox.ac.uk>
Message-ID: <4934D291020000850005F006@FS-LIN-OES>

>>> On 12/2/2008 at 3:42 AM, Joe Doupnik wrote:
> In message <49341CED020000850005EFF6 at FS-LIN-OES> Novell LAN Interest Group
> writes:
>> After crashing using rug and digging out of a full disk, due to reasons
> unknown, and getting system "stable", tried red carpet.
>>
>> Now confused by "update" vs "patch" and wondering which needs to be
> installed first.
>>
>> joe a.
> ---------
> I suggest sticking with command line rug. The GUI red carpet is
> obsolete.
> Joe D.

I will share that info with a co worker, who is quite enamored with the GUI.

joe a.

From scummings at louisvilletech.edu Tue Dec 2 15:22:25 2008
From: scummings at louisvilletech.edu (Cummings, Steve)
Date: Tue, 2 Dec 2008 10:22:25 -0500
Subject: FW: Practice Labs
In-Reply-To: <00be01c943b7$af4635a0$0301a8c0@apcdesktop>
References: <00be01c943b7$af4635a0$0301a8c0@apcdesktop>
Message-ID:

________________________________________
From: novell-bounces at netlab1.oucs.ox.ac.uk [novell-bounces at netlab1.oucs.ox.ac.uk] On Behalf Of Stephen Cummings [automatedprocess at bellsouth.net]
Sent: Monday, November 10, 2008 11:40 PM
To: Novell
Subject: Practice Labs

I am writing to the group here to get a few questions answered.

First, is there anyone out here that actually teaches the Linux SUSE 10 3064 course?

Second, if you do, do you have any labs that you could share with me to allow my students to gain more hands on experience with the chapters that we are covering? The book itself, labs are not really good for a student to get practice on.

Once these questions are answered, I will definitely have many more.
But this is just the door opener

Thanks,
Stephen Cummings
A+, NET +, CNA 5x, 6x, CNE 5x, 6x, NAI, CNI, MCNE, LINUX +
_______________________________________________
Novell mailing list
Novell at netlab1.oucs.ox.ac.uk
http://netlab1.usu.edu/mailman/listinfo/novell

From petervl at gmail.com Tue Dec 2 21:58:25 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 2 Dec 2008 15:58:25 -0600
Subject: syslog-ng not working as syslog host for external devices ...
Message-ID: <68b791330812021358see90ad1j5154d9923fdbee5e@mail.gmail.com>

following this:

http://www.novell.com/coolsolutions/feature/18044.html

I'm trying to get syslog-ng on a SLES server to accept incoming
syslogging from external devices (an ADTRAN dsu/csu, and some cisco
switches). However, the document says to edit
/etc/syslog-ng/syslog-ng.in and that file does not seem to exist on my
SLES 10 SP2 box. So, I edited instead the file below. It does not
appear that the ADTRAN unit has actually dumped anything to this
server (which seems impossible) -- either that, or for whatever reason
(because I have kludged up the conf file, perhaps??) syslog-ng just
has not created any directories or accepted any logging. The firewall
is off and I did make sure that syslog-ng is running.

Is there anything obvious that I have missed, or something that I can try?

modified contents of etc/syslog-ng/syslog-ng.conf.in

# uncomment to process log messages from network:
#
udp(ip("192.168.0.203") port(514));
tcp(ip("192.168.0.203") port(5140) keep-alive(yes));
};

and then later:

#this is for separating out network hosts into individual log files
destination std {
file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs (y\es)
);
};

log {
source(src);
destination(std);
};


--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From jgramse at utah.gov Tue Dec 2 22:20:18 2008
From: jgramse at utah.gov (Jim Gramse)
Date: Tue, 02 Dec 2008 15:20:18 -0700
Subject: syslog-ng not working as syslog host for external devices ...
In-Reply-To: <68b791330812021358see90ad1j5154d9923fdbee5e@mail.gmail.com>
References: <68b791330812021358see90ad1j5154d9923fdbee5e@mail.gmail.com>
Message-ID: <49355231.3F60.0076.0@utah.gov>

I believe you may have a typo in the "create_dirs(y\es)


>>> "Peter Van Lone" 12/2/2008 2:58 PM >>>
following this:

http://www.novell.com/coolsolutions/feature/18044.html

I'm trying to get syslog-ng on a SLES server to accept incoming
syslogging from external devices (an ADTRAN dsu/csu, and some cisco
switches). However, the document says to edit
/etc/syslog-ng/syslog-ng.in and that file does not seem to exist on my
SLES 10 SP2 box. So, I edited instead the file below. It does not
appear that the ADTRAN unit has actually dumped anything to this
server (which seems impossible) -- either that, or for whatever reason
(because I have kludged up the conf file, perhaps??) syslog-ng just
has not created any directories or accepted any logging. The firewall
is off and I did make sure that syslog-ng is running.

Is there anything obvious that I have missed, or something that I can try?

modified contents of etc/syslog-ng/syslog-ng.conf.in

# uncomment to process log messages from network:
#
udp(ip("192.168.0.203") port(514));
tcp(ip("192.168.0.203") port(5140) keep-alive(yes));
};

and then later:

#this is for separating out network hosts into individual log files
destination std {
file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs (y\es)
);
};

log {
source(src);
destination(std);
};


--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167
_______________________________________________
Novell mailing list
Novell at netlab1.oucs.ox.ac.uk
http://netlab1.usu.edu/mailman/listinfo/novell

From petervl at gmail.com Tue Dec 2 22:25:51 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 2 Dec 2008 16:25:51 -0600
Subject: syslog-ng not working as syslog host for external devices ...
In-Reply-To: <49355231.3F60.0076.0@utah.gov>
References: <68b791330812021358see90ad1j5154d9923fdbee5e@mail.gmail.com> <49355231.3F60.0076.0@utah.gov>
Message-ID: <68b791330812021425j70d25e01pce3df8e35f6426a5@mail.gmail.com>

create_dirs(y\es) is exactly how it is shown in the cool solutions
article -- unless maybe it's the space between dirs and the first (

I'll try that ... good catch, if that ends up being it!

P

On Tue, Dec 2, 2008 at 4:20 PM, Jim Gramse wrote:
> I believe you may have a typo in the "create_dirs(y\es)
>
>
>>>> "Peter Van Lone" 12/2/2008 2:58 PM >>>
> following this:
>
> http://www.novell.com/coolsolutions/feature/18044.html
>
> I'm trying to get syslog-ng on a SLES server to accept incoming
> syslogging from external devices (an ADTRAN dsu/csu, and some cisco
> switches). However, the document says to edit
> /etc/syslog-ng/syslog-ng.in and that file does not seem to exist on my
> SLES 10 SP2 box. So, I edited instead the file below. It does not
> appear that the ADTRAN unit has actually dumped anything to this
> server (which seems impossible) -- either that, or for whatever reason
> (because I have kludged up the conf file, perhaps??) syslog-ng just
> has not created any directories or accepted any logging. The firewall
> is off and I did make sure that syslog-ng is running.
>
> Is there anything obvious that I have missed, or something that I can try?
>
> modified contents of etc/syslog-ng/syslog-ng.conf.in
>
> # uncomment to process log messages from network:
> #
> udp(ip("192.168.0.203") port(514));
> tcp(ip("192.168.0.203") port(5140) keep-alive(yes));
> };
>
> and then later:
>
> #this is for separating out network hosts into individual log files
> destination std {
> file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
> owner(root) group(root) perm(0600) dir_perm(0700)
> create_dirs (y\es)
> );
> };
>
> log {
> source(src);
> destination(std);
> };
>
>
> --
> When I do good, I feel good. When I do bad, I feel bad. That is my religion.
>
> -Abraham Lincoln
>
> http://www.the-brights.net
> http://xkcd.com/167
> _______________________________________________
> Novell mailing list
> Novell at netlab1.oucs.ox.ac.uk
> http://netlab1.usu.edu/mailman/listinfo/novell
> _______________________________________________
> Novell mailing list
> Novell at netlab1.oucs.ox.ac.uk
> http://netlab1.usu.edu/mailman/listinfo/novell
>

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From petervl at gmail.com Tue Dec 2 22:30:24 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 2 Dec 2008 16:30:24 -0600
Subject: syslog-ng not working as syslog host for external devices ...
In-Reply-To: <68b791330812021425j70d25e01pce3df8e35f6426a5@mail.gmail.com>
References: <68b791330812021358see90ad1j5154d9923fdbee5e@mail.gmail.com> <49355231.3F60.0076.0@utah.gov> <68b791330812021425j70d25e01pce3df8e35f6426a5@mail.gmail.com>
Message-ID: <68b791330812021430w66622ae8p55b278aede14e542@mail.gmail.com>

huh ... when I simply removed the space and made no other changes, then I get this below when I run SuSeconfig --module syslog-ng

rp-syslog:/var/log # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool...
Running module syslog-ng only
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.syslog-ng...
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file:
syntax error at 199
Parse error reading configuration file, exiting. (line 199)
Please correct the //etc/syslog-ng/syslog-ng.conf.in file.
Finished.

On Tue, Dec 2, 2008 at 4:25 PM, Peter Van Lone wrote:
> create_dirs(y\es) is exactly how it is shown in the cool solutions
> article -- unless maybe it's the space between dirs and the first (
>
> I'll try that ... good catch, if that ends up being it!
>
> P
>
> On Tue, Dec 2, 2008 at 4:20 PM, Jim Gramse wrote:
>> I believe you may have a typo in the "create_dirs(y\es)
>>
>>
>>>>> "Peter Van Lone" 12/2/2008 2:58 PM >>>
>> following this:
>>
>> http://www.novell.com/coolsolutions/feature/18044.html
>>
>> I'm trying to get syslog-ng on a SLES server to accept incoming
>> syslogging from external devices (an ADTRAN dsu/csu, and some cisco
>> switches). However, the document says to edit
>> /etc/syslog-ng/syslog-ng.in and that file does not seem to exist on my
>> SLES 10 SP2 box. So, I edited instead the file below. It does not
>> appear that the ADTRAN unit has actually dumped anything to this
>> server (which seems impossible) -- either that, or for whatever reason
>> (because I have kludged up the conf file, perhaps??) syslog-ng just
>> has not created any directories or accepted any logging. The firewall
>> is off and I did make sure that syslog-ng is running.
>>
>> Is there anything obvious that I have missed, or something that I can try?
>>
>> modified contents of etc/syslog-ng/syslog-ng.conf.in
>>
>> # uncomment to process log messages from network:
>> #
>> udp(ip("192.168.0.203") port(514));
>> tcp(ip("192.168.0.203") port(5140) keep-alive(yes));
>> };
>>
>> and then later:
>>
>> #this is for separating out network hosts into individual log files
>> destination std {
>> file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
>> owner(root) group(root) perm(0600) dir_perm(0700)
>> create_dirs (y\es)
>> );
>> };
>>
>> log {
>> source(src);
>> destination(std);
>> };
>>
>>
>> --
>> When I do good, I feel good. When I do bad, I feel bad. That is my religion.
>>
>> -Abraham Lincoln
>>
>> http://www.the-brights.net
>> http://xkcd.com/167
>> _______________________________________________
>> Novell mailing list
>> Novell at netlab1.oucs.ox.ac.uk
>> http://netlab1.usu.edu/mailman/listinfo/novell
>> _______________________________________________
>> Novell mailing list
>> Novell at netlab1.oucs.ox.ac.uk
>> http://netlab1.usu.edu/mailman/listinfo/novell
>>
>
>
>
> --
> When I do good, I feel good. When I do bad, I feel bad. That is my religion.
>
> -Abraham Lincoln
>
> http://www.the-brights.net
> http://xkcd.com/167
>

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From awleask at gmail.com Tue Dec 2 22:47:51 2008
From: awleask at gmail.com (Alister Leask)
Date: Wed, 3 Dec 2008 11:47:51 +1300
Subject: OES 1 Linux Migration to OES2 Linux
Message-ID: <397cc55b0812021447t73691eddw8ee9aee11758cb34@mail.gmail.com>

I thought that this was a valid option in the latest Migration Utilities - but it seems not.
Is there a trick I have missed to make it work, or is it totally manual?
--
Alister Leask

From awleask at gmail.com Tue Dec 2 22:57:23 2008
From: awleask at gmail.com (Alister Leask)
Date: Wed, 3 Dec 2008 11:57:23 +1300
Subject: OES 1 Linux Migration to OES2 Linux
In-Reply-To: <397cc55b0812021447t73691eddw8ee9aee11758cb34@mail.gmail.com>
References: <397cc55b0812021447t73691eddw8ee9aee11758cb34@mail.gmail.com>
Message-ID: <397cc55b0812021457y115099fep631a6b45192f429d@mail.gmail.com>

Maybe I should clarify - I have a server running OES 1 Linux that is reaching the end of its lease. We have a replacement server that will be running OES 2 Linux preferably. I need to migrate the entire server and its identity, not just file system data...

On Wed, Dec 3, 2008 at 11:47, Alister Leask wrote:
> I thought that this was a valid option in the latest Migration Utilities -
> but it seems not.
> Is there a trick I have missed to make it work, or is it totally manual?
>
> --
> Alister Leask
>

--
Alister Leask

From James.Taylor at eastcobbgroup.com Tue Dec 2 23:02:58 2008
From: James.Taylor at eastcobbgroup.com (James Taylor)
Date: Tue, 02 Dec 2008 18:02:58 -0500
Subject: OES 1 Linux Migration to OES2 Linux
In-Reply-To: <397cc55b0812021457y115099fep631a6b45192f429d@mail.gmail.com>
References: <397cc55b0812021447t73691eddw8ee9aee11758cb34@mail.gmail.com> <397cc55b0812021457y115099fep631a6b45192f429d@mail.gmail.com>
Message-ID: <49357852020000750003E653@inet.eastcobbgroup.com>

The migration stuff in OES2 is pretty weak. The migration utility in OES2SP1 is light years better. If you can hold off until the SP1 release, you will be much, much happier and you may even be successful.

-jt

James Taylor
The East Cobb Group, Inc.
678-697-9420
james.taylor at eastcobbgroup.com
http://www.eastcobbgroup.com

>>> "Alister Leask" 12/2/2008 05:57 PM >>>
Maybe I should clarify - I have a server running OES 1 Linux that is reaching the end of its lease. We have a replacement server that will be running OES 2 Linux preferably.
I need to migrate the entire server and its identity, not just file system data...

On Wed, Dec 3, 2008 at 11:47, Alister Leask wrote:

> I thought that this was a valid option in the latest Migration Utilities -
> but it seems not.
> Is there a trick I have missed to make it work, or is it totally manual?
>
> --
> Alister Leask
>

--
Alister Leask

From alandpearson at yahoo.com Tue Dec 2 23:02:00 2008
From: alandpearson at yahoo.com (Alan Pearson)
Date: Tue, 2 Dec 2008 23:02:00 +0000
Subject: OES 1 Linux Migration to OES2 Linux
In-Reply-To: <397cc55b0812021457y115099fep631a6b45192f429d@mail.gmail.com>
References: <397cc55b0812021447t73691eddw8ee9aee11758cb34@mail.gmail.com> <397cc55b0812021457y115099fep631a6b45192f429d@mail.gmail.com>
Message-ID:

If it was an upgrade of the same server, it wouldn't be an issue. The OES1 -> OES2 upgrade works fine.
How you move the identity from one server to another is tougher :(

---
AlanP

On 2 Dec 2008, at 22:57, Alister Leask wrote:

> Maybe I should clarify - I have a server running OES 1 Linux that is
> reaching the end of its lease. We have a replacement server that will be
> running OES 2 Linux preferably. I need to migrate the entire server and its
> identity, not just file system data...
>
> On Wed, Dec 3, 2008 at 11:47, Alister Leask wrote:
>
>> I thought that this was a valid option in the latest Migration Utilities -
>> but it seems not.
>> Is there a trick I have missed to make it work, or is it totally manual?
>>
>> --
>> Alister Leask
>>
>
> --
> Alister Leask

From awleask at gmail.com Wed Dec 3 00:43:05 2008
From: awleask at gmail.com (Alister Leask)
Date: Wed, 3 Dec 2008 13:43:05 +1300
Subject: OES 1 Linux Migration to OES2 Linux
In-Reply-To: <49357852020000750003E653@inet.eastcobbgroup.com>
References: <397cc55b0812021447t73691eddw8ee9aee11758cb34@mail.gmail.com> <397cc55b0812021457y115099fep631a6b45192f429d@mail.gmail.com> <49357852020000750003E653@inet.eastcobbgroup.com>
Message-ID: <397cc55b0812021643s1ed0973brb1076a6388253bba@mail.gmail.com>

On Wed, Dec 3, 2008 at 12:02, James Taylor wrote:

> and you may even be successful.
>

LOL!! James and Alan - thanks for your comments.

--
Alister Leask

From petervl at gmail.com Wed Dec 3 03:58:06 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 2 Dec 2008 21:58:06 -0600
Subject: syslog-ng not working as syslog host for external devices ...
In-Reply-To: <49355231.3F60.0076.0@utah.gov>
References: <68b791330812021358see90ad1j5154d9923fdbee5e@mail.gmail.com> <49355231.3F60.0076.0@utah.gov>
Message-ID: <68b791330812021958i5ccb79bo437c8421232b0ccb@mail.gmail.com>

When I ran SuSeconfig --module syslog-ng again, I noticed this time errors (that were probably there the first time, but I did not notice):

"rp-syslog:/var/log # SuSEconfig --module syslog-ng
Starting SuSEconfig, the SuSE Configuration Tool...
Running module syslog-ng only
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.syslog-ng...
Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: syntax error at 199
Parse error reading configuration file, exiting. (line 199)
Please correct the //etc/syslog-ng/syslog-ng.conf.in file.
Finished"

Line 199 as reported by gedit is the line:

#this is for separating out network hosts into individual log files
destination std {
    file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
    owner(root) group(root) perm(0600) dir_perm(0700)
    create_dirs (y\es)
    );
};
#the following line is 199:
log {
    source(src);
    destination(std);
};

Is there anything in particular about this line that I have gotten wrong? As far as I can tell it is right out of the example I worked from, but since I really do not understand the logic that is being used, or the particular rules of syntax, I'm not sure what the problem might be.

From joe.doupnik at oucs.ox.ac.uk Wed Dec 3 08:40:17 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Wed, 03 Dec 2008 08:40:17 +0000
Subject: OES 1 Linux Migration to OES2 Linux
In-Reply-To: <397cc55b0812021447t73691eddw8ee9aee11758cb34@mail.gmail.com>
Message-ID: <20081203084017.BBAA114001@webmail222.herald.ox.ac.uk>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From nathan.broome at oberlin.edu Wed Dec 3 16:20:12 2008
From: nathan.broome at oberlin.edu (Nathan C. Broome)
Date: Wed, 03 Dec 2008 11:20:12 -0500
Subject: syslog-ng not working as syslog host for external devices ...
In-Reply-To: <68b791330812021958i5ccb79bo437c8421232b0ccb@mail.gmail.com>
References: <68b791330812021358see90ad1j5154d9923fdbee5e@mail.gmail.com> <49355231.3F60.0076.0@utah.gov> <68b791330812021958i5ccb79bo437c8421232b0ccb@mail.gmail.com>
Message-ID: <4936B1BC.3010805@oberlin.edu>

Peter,

That 'y/es' statement is a typo.

At minimum, you have to define your source, destination, and log statements. The log statement uses the source, destination and filter (optional) statements that you've defined.
So an example config might look like this:

-------------------
source my-src { udp (ip(0.0.0.0) port(514)); };

destination my-dst {
    file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
    owner(root) group (syslog_users) perm(0660) dir_perm(0770)
    create_dirs(yes)
    );
};

log {
    source(my-src);
    destination(my-dst);
};
-------------

Also, make sure you are allowing UDP 514 through the SuSEfirewall. It's helpful to check to see if you are even getting packets from a source by doing a tcpdump. Sometimes I find myself blaming syslog-ng, when some other obstruction is really the problem. A very basic dump would be like:

tcpdump 'host 192.168.1.1 and dst port 514'

Hope that helps.

Nathan

Peter Van Lone wrote:
> When I ran SuSeconfig --module syslog-ng again, I noticed this time
> errors (that were probably there the first time, but I did not
> notice):
>
> "rp-syslog:/var/log # SuSEconfig --module syslog-ng
> Starting SuSEconfig, the SuSE Configuration Tool...
> Running module syslog-ng only
> Reading /etc/sysconfig and updating the system...
> Executing /sbin/conf.d/SuSEconfig.syslog-ng...
> Checking //etc/syslog-ng/syslog-ng.conf.SuSEconfig file: syntax error at 199
> Parse error reading configuration file, exiting. (line 199)
> Please correct the //etc/syslog-ng/syslog-ng.conf.in file.
> Finished"
>
> Line 199 as reported by gedit is the line:
>
> #this is for separating out network hosts into individual log files
> destination std {
> file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
> owner(root) group(root) perm(0600) dir_perm(0700)
> create_dirs (y\es)
> );
> };
> #the following line is 199:
> log {
> source(src);
> destination(std);
> };
>
> Is there anything in particular about this line that I have gotten
> wrong? As far as I can tell it is right out of the example I worked
> from, but since I really do not understand the logic that is being
> used, or the particular rules of syntax, I'm not sure what the problem
> might be.

From cmangiarelli at gmail.com Wed Dec 3 16:24:41 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Wed, 3 Dec 2008 11:24:41 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk>
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk>
Message-ID:

At this point in time, is there a reason to install the 32bit version of OES2/SLES10SP1 or are most people using the 64bit version (assuming hardware support of course)? All of my current installs are 32bit but they were installed at a time where that was the norm.

On Mon, Dec 1, 2008 at 12:36 PM, Joe Doupnik wrote:

> In message
> Novell LAN Interest Group writes:
> > I need to build a brand new OES2/SuSE server for an ifolder implementation.
> > It is going to serve as a quick backup solution for some high level exec's
> > who need files on their laptops backed up automatically. They may also
> > employ the workgroup sharing piece of ifolder at a later date. Other than
> > hardware redundancy, they have no plans at this time to make the system part
> > of a larger environment (ie. there is a requirement that this server stand
> > alone). My experience is mostly with some of the older Linux stuff but I
> > have inherited most of my current linux infrastructure which also has a lot
> > of NetWare still. I would appreciate any pointers while going about
> > installing this server.
> >
> > I know partitioning scheme and file systems have been talked about a lot and
> > I've lost some of the details in the mire. My plans are to create a raid
> > mirror for the OS (146GB total) and the remaining disks will be in a raid 5
> > array (about 1TB) to hold the production ifolder storage.
> > In the first
> > 146GB, I also need some additional ifolder storage space for testing and
> > development (only production ifolders can go on the raid 5 array). Should I
> > use LVM here? Would 46GB be enough for OES, 100GB for development ifolder
> > storage?
> >
> > I assume all I need during the install is to create a new eDirectory tree
> > which should create a CA (correct?). Other than eDirectory, iManager and
> > the ifolder rpms, what else would I need or could possibly want available at
> > install time?
> >
> > I appreciate any pointers here. All of my current linux servers are single
> > task servers and are part of a larger edirectory tree so I had all the
> > infrastructure available in the past to build a new server into my current
> > environment. The requirement that this server stand alone is a little
> > daunting knowing that it's been so long since I've setup a tree from scratch
> > and never did it alone on Linux.
> >
> ------------
> It is generally wiser to install more OES apps than you need at the
> present, so that things remain synchronized and thus available if and
> when needed. Toss in iPrint, NCP support, and so on. Later turn off
> what you don't need.
> OES2 happily creates its own tree with a proper CA and such. To see,
> try it as an experiment, then go back and rebuild for real.
> Joe D.
>

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From James.Taylor at eastcobbgroup.com Wed Dec 3 16:33:34 2008
From: James.Taylor at eastcobbgroup.com (James Taylor)
Date: Wed, 03 Dec 2008 11:33:34 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk>
Message-ID: <49366E8E0200007500037ECF@inet.eastcobbgroup.com>

I have been installing 64-bit OS on 64-bit hardware for everything I do. I have yet to run into a SLES10 supported 32-bit app that wouldn't run on 64-bit SLES10 with 32-bit compatibility installed.
-jt

James Taylor
The East Cobb Group, Inc.
678-697-9420
james.taylor at eastcobbgroup.com
http://www.eastcobbgroup.com

>>> "Christopher Mangiarelli" 12/3/2008 11:24 AM >>>
At this point in time, is there a reason to install the 32bit version of OES2/SLES10SP1 or are most people using the 64bit version (assuming hardware support of course)? All of my current installs are 32bit but they were installed at a time where that was the norm.

On Mon, Dec 1, 2008 at 12:36 PM, Joe Doupnik wrote:

> In message
> Novell LAN Interest Group writes:
> > I need to build a brand new OES2/SuSE server for an ifolder implementation.
> > It is going to serve as a quick backup solution for some high level exec's
> > who need files on their laptops backed up automatically. They may also
> > employ the workgroup sharing piece of ifolder at a later date. Other than
> > hardware redundancy, they have no plans at this time to make the system part
> > of a larger environment (ie. there is a requirement that this server stand
> > alone). My experience is mostly with some of the older Linux stuff but I
> > have inherited most of my current linux infrastructure which also has a lot
> > of NetWare still. I would appreciate any pointers while going about
> > installing this server.
> >
> > I know partitioning scheme and file systems have been talked about a lot and
> > I've lost some of the details in the mire. My plans are to create a raid
> > mirror for the OS (146GB total) and the remaining disks will be in a raid 5
> > array (about 1TB) to hold the production ifolder storage. In the first
> > 146GB, I also need some additional ifolder storage space for testing and
> > development (only production ifolders can go on the raid 5 array). Should I
> > use LVM here? Would 46GB be enough for OES, 100GB for development ifolder
> > storage?
> >
> > I assume all I need during the install is to create a new eDirectory tree
> > which should create a CA (correct?).
> > Other than eDirectory, iManager and
> > the ifolder rpms, what else would I need or could possibly want available at
> > install time?
> >
> > I appreciate any pointers here. All of my current linux servers are single
> > task servers and are part of a larger edirectory tree so I had all the
> > infrastructure available in the past to build a new server into my current
> > environment. The requirement that this server stand alone is a little
> > daunting knowing that it's been so long since I've setup a tree from scratch
> > and never did it alone on Linux.
> >
> ------------
> It is generally wiser to install more OES apps than you need at the
> present, so that things remain synchronized and thus available if and
> when needed. Toss in iPrint, NCP support, and so on. Later turn off
> what you don't need.
> OES2 happily creates its own tree with a proper CA and such. To see,
> try it as an experiment, then go back and rebuild for real.
> Joe D.
>

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From mbrady at ingenuityieq.com Wed Dec 3 19:28:20 2008
From: mbrady at ingenuityieq.com (Mike Brady)
Date: Wed, 03 Dec 2008 14:28:20 -0500
Subject: OES2 SP1
In-Reply-To: <49366E8E0200007500037ECF@inet.eastcobbgroup.com>
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk> <49366E8E0200007500037ECF@inet.eastcobbgroup.com>
Message-ID: <49369782.DAFB.002D.0@ingenuityieq.com>

It looks like the only way to upgrade an existing OES 2 Linux server to OES2 SP1 is a down server upgrade. This looks like a fairly scary process to me. Does it seem kind of nutty to anyone else that we cannot update to SP1 without taking the server down? I understand a reboot, but it seems like this stuff should be able to be done through the update channels.
Also, I'm a little scared about all of the OES services, specifically iFolder 3.7. The docs are not clear if I can upgrade an existing OES2 server running iFolder 3.6 to SP1 running iFolder 3.7.

--
Mike Brady

From joea at j4computers.com Wed Dec 3 23:58:32 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Wed, 03 Dec 2008 18:58:32 -0500
Subject: OES linux time drifts into the future. Still.
In-Reply-To: <49335EA8020000850005EFDD@FS-LIN-OES>
References: <49318DAE020000850005EF9A@FS-LIN-OES> <4931948D020000850005EF9E@FS-LIN-OES> <493274FB.4080800@netlab1.oucs.ox.ac.uk> <49325BA4020000850005EFAA@FS-LIN-OES> <4932A5EE.5010305@netlab1.oucs.ox.ac.uk> <49335EA8020000850005EFDD@FS-LIN-OES>
Message-ID: <4936D6D8020000850005F04E@FS-LIN-OES>

After all else failed . . . tinker panic 0, commenting out drift file . . . resorted to saying /etc/init.d/xntpd restart in crontab every 5 minutes.

Even so, while "time" stays reasonable, Timesync is only happy for a minute or two, then starts to show time drifting off again, till next time slam.

Sigh.

Perhaps less plutonium Marty?? Or perhaps this needs a dose of that famous Sony custom semiconductor doping agent, unobtainium?

joe a.

From joe.doupnik at oucs.ox.ac.uk Thu Dec 4 10:35:54 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Thu, 04 Dec 2008 10:35:54 +0000
Subject: OES2 SP1
In-Reply-To: <49369782.DAFB.002D.0@ingenuityieq.com>
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk> <49366E8E0200007500037ECF@inet.eastcobbgroup.com> <49369782.DAFB.002D.0@ingenuityieq.com>
Message-ID: <20081204103554.4059114001@webmail222.herald.ox.ac.uk>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From Mark.Robinson at nds8.co.uk Thu Dec 4 11:46:08 2008
From: Mark.Robinson at nds8.co.uk (Mark Robinson)
Date: Thu, 04 Dec 2008 11:46:08 +0000
Subject: OES2 SP1
Message-ID: <4937C300020000AD0000A5E6@mail2.nds8.com>

Hmm, I actually have exactly the opposite opinion!
Even when patching plain SLES I ALWAYS do a down server upgrade rather than patching through the channel. So much low level stuff gets replaced that I would prefer the server not to be running at the time...

Mark

----------------------------
Mark Robinson

NDS8
Novell Platinum Solution Provider

Mobile: +44 (0) 7900 570 400
Office: +44 (0) 131 538 8202
Fax: +44 (0) 131 453 6522

www.nds8.co.uk

>>> "Mike Brady" 12/03/08 7:29 PM >>>
It looks like the only way to upgrade an existing OES 2 Linux server to OES2 SP1 is a down server upgrade. This looks like a fairly scary process to me. Does it seem kind of nutty to anyone else that we cannot update to SP1 without taking the server down? I understand a reboot, but it seems like this stuff should be able to be done through the update channels.

Also, I'm a little scared about all of the OES services, specifically iFolder 3.7. The docs are not clear if I can upgrade an existing OES2 server running iFolder 3.6 to SP1 running iFolder 3.7.

--
Mike Brady

***Scanned by M+ Guardian***

The information contained in this email is intended for the person to whom it is addressed and may contain confidential and/or privileged information. You should not copy, retain, forward or disclose its contents to anyone else, or take any action based upon it, if it is not addressed to you personally. If the message is received by anyone other than the addressee, please notify the sender and delete the message. NDS8 does not accept responsibility for changes made to this message after it was sent. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data.

From smf34 at cam.ac.uk Thu Dec 4 12:15:15 2008
From: smf34 at cam.ac.uk (Simon Flood)
Date: Thu, 04 Dec 2008 12:15:15 +0000
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk>
Message-ID: <4937C9D3.2050206@cam.ac.uk>

On 03/12/2008 16:24, Christopher Mangiarelli wrote:
> At this point in time, is there a reason to install the 32bit version of
> OES2/SLES10SP1 or are most people using the 64bit version (assuming hardware
> support of course)? All of my current installs are 32bit but they were
> installed at a time where that was the norm.

If you want to run IDM on the box then currently the server will need to be 32-bit. However other non-IDM servers in the tree can be 64-bit.

Also be aware of things like backup agents - CA does not have a 64-bit agent for OES2 Linux so if you use ARCserve for Linux and want to be able to back up your data then install 32-bit.

Hope this helps,
Simon

From Steven.Aitken at nds8.co.uk Thu Dec 4 13:03:06 2008
From: Steven.Aitken at nds8.co.uk (Steven Aitken)
Date: Thu, 04 Dec 2008 13:03:06 +0000
Subject: OES linux time drifts into the future. Still.
In-Reply-To: <4936D6D8020000850005F04E@FS-LIN-OES>
References: <49318DAE020000850005EF9A@FS-LIN-OES> <4931948D020000850005EF9E@FS-LIN-OES> <493274FB.4080800@netlab1.oucs.ox.ac.uk> <49325BA4020000850005EFAA@FS-LIN-OES> <4932A5EE.5010305@netlab1.oucs.ox.ac.uk> <49335EA8020000850005EFDD@FS-LIN-OES> <4936D6D8020000850005F04E@FS-LIN-OES>
Message-ID: <4937D50B.9F19.0007.1@nds8.co.uk>

Sounds like you're using re-crystallised dilithium Joe :)

For what it's worth, I've *never* had an xntpd system I've been truly happy with in vmware & I take the following approach to get a server close enough for jazz......

use a clock = pmtmr line to boot the kernel
disable xntpd & vmware tools time sync
cron ntpdate to run often enough to keep the time in check.

This can be a bit trial and error, but works.
Pipe the output of ntpdate into a file and see how it drifts. Might be an interesting exercise to do some stats on the output files when trying different kernel modes lines too.

Also, I would recommend switching away from vmware server onto the new esxi, which is now effectively free (without support mind you...)

Cheers,

Steve

>>> "joea at j4computers.com" 03/12/2008 23:58 >>>
After all else failed . . . tinker panic 0, commenting out drift file . . . resorted to saying /etc/init.d/xntpd restart in crontab every 5 minutes.

Even so, while "time" stays reasonable, Timesync is only happy for a minute or two, then starts to show time drifting off again, till next time slam.

Sigh.

Perhaps less plutonium Marty?? Or perhaps this needs a dose of that famous Sony custom semiconductor doping agent, unobtainium?

joe a.

From Mark.Robinson at nds8.co.uk Thu Dec 4 13:37:15 2008
From: Mark.Robinson at nds8.co.uk (Mark Robinson)
Date: Thu, 04 Dec 2008 13:37:15 +0000
Subject: OES linux time drifts into the future.
Message-ID: <4937DD0C020000AD0000A5FD@mail2.nds8.com>

I know this is replying to the root of the thread, but I just wanted to explain.

When you set up ntp, the time servers for initial sync get put into /etc/sysconfig/ntp as well as being put in as servers in ntp.conf.
You can modify this file to use AUTO-2 which will pick the first 2 servers from ntp.conf.

HTH
Mark

----------------------------
Mark Robinson

NDS8
Novell Platinum Solution Provider

Mobile: +44 (0) 7900 570 400
Office: +44 (0) 131 538 8202
Fax: +44 (0) 131 453 6522

www.nds8.co.uk

>>> "joea at j4computers.com" 11/29/08 11:46 PM >>>
While chasing time issues on a couple of vm guests, I now find the oes linux box is drifting into the future.

While there are a number of things I have found to try, I am stumped by a seeming simple ntp issue, which may be the root of the problem.

When doing xntpd start, it says it is trying to get time from server "foo", instead of server "bar".

"foo" is the name of the guest itself. "bar" is what is entered in /etc/ntp.conf and also in yast ntp client config area.

No idea why it is saying this.

joe a.

From jrd at netlab1.oucs.ox.ac.uk Thu Dec 4 13:58:02 2008
From: jrd at netlab1.oucs.ox.ac.uk (jrd)
Date: Thu, 04 Dec 2008 13:58:02 +0000
Subject: OES linux time drifts into the future.
In-Reply-To: <4937DD0C020000AD0000A5FD@mail2.nds8.com>
References: <4937DD0C020000AD0000A5FD@mail2.nds8.com>
Message-ID: <4937E1EA.1050507@netlab1.oucs.ox.ac.uk>

Mark Robinson wrote:
> I know this is replying to the root of the thread, but I just wanted to
> explain.
>
> When you set up ntp, the time servers for initial sync get put into
> /etc/sysconfig/ntp as well as being put in as servers in ntp.conf.
> You can modify this file to use AUTO-2 which will pick the first 2
> servers from ntp.conf.
>
> HTH
> Mark
>
> ----------------------------
> Mark Robinson
>
> NDS8
> Novell Platinum Solution Provider
>
> Mobile: +44 (0) 7900 570 400
> Office: +44 (0) 131 538 8202
> Fax: +44 (0) 131 453 6522
>
> www.nds8.co.uk
>
----------
Tastes vary. I edit /etc/ntp.conf directly, ignore /etc/sysconfig/ntp stuff, and have convinced SUSE to leave such user-edits intact. All my listed sources are brought into play.
For Joe A.'s benefit, some hardware is just plain weird and not worth using for such work. Having to turn off acpi support is a sign of this, but not proof positive.
Joe D.

From ahidalgo at salud.unm.edu Thu Dec 4 20:47:44 2008
From: ahidalgo at salud.unm.edu (Al Hidalgo)
Date: Thu, 04 Dec 2008 13:47:44 -0700
Subject: Ring time issues w/eDir 8.8.3 ftf2, 64 bit SLES 10 SP2, Dell2850
In-Reply-To: <4933899C.4770.0087.0@salud.unm.edu>
References: <4933899C.4770.0087.0@salud.unm.edu>
Message-ID: <4937DF7D.4770.0087.0@salud.unm.edu>

Ok, here is what I have figured out after multiple installs.
32 bit eDir 8.8.3 w/ftf2 runs fine on 64 bit SLES 10 SP2!

64 bit eDir 8.8.3 w/ftf2 on 64 bit SLES 10 SP2 has problems with ring sync as described in early posts.

Al

>>> On 12/1/2008 at 6:52 AM, "Al Hidalgo" wrote:

New 8.8.3 ftf2 server on 64 Bit SLES 10 SP2 running on a Dell 2850 (Not a VM), tree is a mix of 8.7.3.10ftf1 and 8.8.2, masters are all on a single 8.7.3.10ftf1 SLES 10 box.

kernel is: 2.6.16.60-0.33-smp #1 SMP Fri Oct 31 14:24:07 UTC 2008 x86_64 x86_64 x86_64 GNU/Linux

On this new box any replica I add, iMon reports -Local Replica issued future time -0:01:06 (this time drifts up and down but always stays negative) and it never goes green but all other servers with a copy of the replica report no errors. Partition Continuity is good as seen in ConsoleOne and I have no problem adding and removing replicas. Server time is in sync and time through the tree looks in sync.

I have even tried with the local clock stuff commented out, with using the clock=pit kernel parameter from TID 3858673 and have tried pointing straight to the public ntp pool. Nothing ever changes.

Could I have bad hardware or is there a bug in eDir?

ntptime:
ntp_gettime() returns code 0 (OK)
  time ccde6857.aaff1000 Mon, Dec 1 2008 6:42:47.667, (.667954),
  maximum error 107466 us, estimated error 546 us
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset -42.000 us, frequency 48.860 ppm, interval 4 s,
  maximum error 107466 us, estimated error 546 us,
  status 0x1 (PLL),
  time constant 2, precision 1.000 us, tolerance 512 ppm,
  pps frequency 0.000 ppm, stability 512.000 ppm, jitter 200.000 us,
  intervals 0, jitter exceeded 0, stability exceeded 0, errors 0.

ntpq -p:
*uhldap.health.u 140.142.16.34 2 u 50 64 377 0.316 -0.283 0.105
+uh-ldap1.health 140.142.16.34 2 u 55 64 377 0.187 0.218 0.139

This is from the server in question on the partition in question (uh-idm1):

Read/Write Replica .gwm.GrpWise.MC.HSC.UNMHSC. On 3 11/25/08 11:45:56 AM 0:00:10 0:00:10 Agent Summary, Agent Configuration, Agent Health
Master Replica .mypw.PWS.MC.HSC.UNMHSC. On 1 11/25/08 11:45:56 AM 0:00:04 0:00:10 Agent Summary, Agent Configuration, Agent Health
Read/Write Replica .hsc-gwpri.Mail.Misc.HSC.UNMHSC. On 6 11/25/08 11:45:56 AM 0:00:02 0:00:10 Agent Summary, Agent Configuration, Agent Health
Read/Write Replica .uh-ldap1.Portal.MC.HSC.UNMHSC. On 2 11/25/08 11:45:56 AM 0:00:05 0:00:10 Agent Summary, Agent Configuration, Agent Health
Read/Write Replica .uh-idm.PWS.MC.HSC.UNMHSC. On 4 11/25/08 11:45:56 AM 0:00:04 0:00:10 Agent Summary, Agent Configuration, Agent Health
Read/Write Replica .uh-idm1.PWS.MC.HSC.UNMHSC. On 5 11/25/08 11:45:56 AM 0:00:10 0:00:05 Agent Summary, Agent Configuration, Agent Health

This is from the master replica server on the partition in question (mypw):

Read/Write Replica .gwm.GrpWise.MC.HSC.UNMHSC. On 3 11/25/08 11:45:54 AM 0:00:00 0:00:10 Agent Summary, Agent Configuration, Agent Health
Master Replica .mypw.PWS.MC.HSC.UNMHSC. On 1 11/25/08 11:45:54 AM 0:00:10 0:00:09 Agent Summary, Agent Configuration, Agent Health
Read/Write Replica .hsc-gwpri.Mail.Misc.HSC.UNMHSC. On 6 11/25/08 11:45:54 AM 0:00:08 0:00:10 Agent Summary, Agent Configuration, Agent Health
Read/Write Replica .uh-ldap1.Portal.MC.HSC.UNMHSC. On 2 11/25/08 11:45:54 AM 0:00:07 0:00:10 Agent Summary, Agent Configuration, Agent Health
Read/Write Replica .uh-idm.PWS.MC.HSC.UNMHSC. On 4 11/25/08 11:45:54 AM 0:00:06 0:00:10 Agent Summary, Agent Configuration, Agent Health
Read/Write Replica .uh-idm1.PWS.MC.HSC.UNMHSC. On 5 11/25/08 11:45:54 AM 0:00:09 0:00:10 Agent Summary, Agent Configuration, Agent Health

NetWare 1602.00 Directory Services Repair 10551.26, DS 10553.73
Log file for server ".UNMHSC2.LDAP.Misc.HSC" in tree "UNMHSC"
Time synchronization and server status information
Start: Tuesday, November 25, 2008 10:13:25 am Local Time

---------------------------+---------+---------+-----------+--------+-------
                            DS.NLM    Replica   Time        Time is  Time
Server name                 Version   Depth     Source      in sync  +/-
---------------------------+---------+---------+-----------+--------+-------
.UHSOS.SrvsServers.UH....   10553.73  -1        Primary     Yes      0
.UHSHARE.SrvsServers.1...   10553.73  -1        Secondary   Yes      0
.UHCTH.CTH.MC.HSC           10554.34  -1        Secondary   Yes      0
.UHCSFAX.SrvsServers.1...   10411.02  -1        Secondary   Yes      0
.UHAPPSERV.UH.MC.HSC        10554.34  -1        Secondary   Yes      0
.UH-ZEN1.Zen.MC.HSC         10553.73   3        Secondary   Yes      0
.UH-SEH.SEH.MC.HSC          10554.34  -1        Secondary   Yes      0
.UH-MEDARTS.MedArts.MC...   10554.34  -1        Secondary   Yes      0
.UH-IMAGE2.SrvsServers...   10553.73  -1        Secondary   Yes      0
.uh-idm1.PWS.MC.HSC         20216.87   3        Non-NetWare Yes      0
.UH-GWRESTORE.test.MC.HSC   10554.34  -1        Secondary   Yes      0
.uh-gw2.GrpWise.MC.HSC      20216.63  -1        Non-NetWare Yes      0
.uh-gw1.GrpWise.MC.HSC      10554.44  -1        Non-NetWare Yes      0
.uh-gw.GrpWise.MC.HSC       10554.31  -1        Non-NetWare Yes      0
.uh-gateway2.GrpWise.M...   20216.63  -1        Non-NetWare Yes      0
.UH-GATEWAY1.GrpWise.M...   10553.73  -1        NTP         Yes      0
.UH-GATEWAY.GrpWise.MC...   10553.73  -1        NTP         Yes      0
.uh-bhgw.GrpWise.MC.HSC     20216.63  -1        Non-NetWare Yes      0
.uh-1650gw1.GrpWise.MC...   10554.31  -1        Non-NetWare Yes      0
.MYMAIL1.GrpWise.MC.HSC     10553.73  -1        NTP         Yes      0
.MYMAIL.GrpWise.MC.HSC      10554.44  -1        NTP         Yes      0
.myhsc.VO.Misc.HSC          10554.34  -1        Non-NetWare Yes      0
.MC-SMINNOW.SrvsServer...   10554.34  -1        Secondary   Yes      0
.MC-ICS.SrvsServers.16...   10553.73  -1        Secondary   Yes      0
.HSC-STORAGE1.Servers.HSC   10552.79  -1        Primary     Yes      0
.hsc-poalib.Mail.Misc.HSC   10554.31  -1        Non-NetWare Yes      0
.hsc-poa4.Mail.Misc.HSC     10554.34  -1        Non-NetWare Yes      0
.hsc-poa3.Mail.Misc.HSC     10554.31  -1        Non-NetWare Yes      0
.hsc-poa2.Mail.Misc.HSC     10554.31  -1        Non-NetWare Yes      0
.hsc-poa1.Mail.Misc.HSC     10554.34  -1        Non-NetWare Yes      0
.HSC-NMPDIC4.NMPDIC.De...   10553.73  -1        Secondary   Yes      0
.HSC-MAIN.Servers.HSC       20216.51  -1        Secondary   Yes      0
.hsc-mail6.Mail.Misc.HSC    10554.31  -1        Non-NetWare Yes      0
.HSC-LIBRARY1.Servers....   10552.79  -1        Secondary   Yes      0
.HSC-IPH.Institute for...   10552.79  -1        Secondary   Yes      0
.hsc-iagate2.Mail.Misc...   10554.31  -1        Non-NetWare Yes      0
.hsc-iagate1.Mail.Misc...   20216.63  -1        Non-NetWare Yes      0
.hsc-iagate.Mail.Misc.HSC   10554.31  -1        Non-NetWare Yes      0
.hsc-homestore.Servers...   10554.31  -1        Non-NetWare Yes      0
.hsc-gwmta.Mail.Misc.HSC    10554.34  -1        Non-NetWare Yes      0
.HSC-GERIATRICS.Geriat...   10553.73  -1        Secondary   Yes      0
.HSC-GATEWAY3.Mail.Mis...   10553.73  -1        Secondary   Yes      0
.HSC-GATEWAY1.Mail.Mis...   10552.79  -1        Secondary   Yes      0
.HSC-ACC.Servers.HSC        10553.73  -1        Secondary   Yes      0
.gwwebacc1.Mail.Misc.HSC    10552.79  -1        Non-NetWare Yes      0
.gwweb6.Mail.Misc.HSC       10554.34  -1        Non-NetWare Yes      0
.gwweb5.Mail.Misc.HSC       10554.34  -1        Non-NetWare Yes      0
.CPHD.GrpWise.MC.HSC        10553.73  -1        Secondary   Yes      0
.UHMAIN.UH.MC.HSC           10554.34   1        NTP         Yes      0
.UNMHSC1.LDAP.Misc.HSC      10553.73   1        Reference   Yes      0
.uh-idm.PWS.MC.HSC          10554.44   0        Non-NetWare Yes      0
.gwm.GrpWise.MC.HSC         20216.63   0        Non-NetWare Yes      0
.uh-ldap1.Portal.MC.HSC     10554.44   0        Non-NetWare Yes      0
.HSC-COMMON.Servers.HSC     10553.73   0        Secondary   Yes      0
.unmhscl.LDAP.Misc.HSC      10554.34   0        Non-NetWare Yes      0
.hsc-gwpri.Mail.Misc.HSC    10554.34   0        Non-NetWare Yes      0
.mypw.PWS.MC.HSC            10554.44   0        Non-NetWare Yes      0
.UNMHSC2.LDAP.Misc.HSC      10553.73   0        Primary     Yes      0
---------------------------+---------+---------+-----------+--------+-------

Al Hidalgo
Enterprise Systems Support Analyst
Information Technology
University Hospitals/UNM Health Sciences Center
ahidalgo at salud.unm.edu

From joea at j4computers.com Sat Dec 6 17:22:18 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Sat, 06 Dec 2008 12:22:18 -0500
Subject: OES linux time drifts into the future.
In-Reply-To: <4937E1EA.1050507@netlab1.oucs.ox.ac.uk>
References: <4937DD0C020000AD0000A5FD@mail2.nds8.com> <4937E1EA.1050507@netlab1.oucs.ox.ac.uk>
Message-ID: <493A6E7A020000850005F0B3@FS-LIN-OES>

. . . For Joe A.'s benefit, some hardware is just plain weird and
> not worth using for such work. Having to turn off acpi support is
> a sign of this, but not proof positive.
> Joe D.

Using a Dell PE 2400. To some on the list, that qualifies as "weird", right there.

I may try turning off acpi on the guest. The host seems to keep time just fine. As does the NW6.5 VM.

Right now, I am making do by restarting xntpd via cron, every two minutes.
That seems to keep timesync happy. Was not able to get time to actually reset, any other way, such as using ntpq or ntpd and options. joe a. From joea at j4computers.com Sun Dec 7 14:54:51 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Sun, 07 Dec 2008 09:54:51 -0500 Subject: SOT - VMware hosts on different subnets. Message-ID: <493B9D6B020000850005F0C3@FS-LIN-OES> I want to virtualize an additional server (OES1 Linux), on a VMware server (1.0.6) that currently hosts two guests (windows servers). The proposed guest is on a different subnet. I believe the host has only one NIC. The subnets are separated by a router. The existing guests and host, are on what is considered a DMZ. The proposed guest is in a "safe" area. Suggestions as to how this can be accomplished and maintain some reasonable margin of security? joe a. From joea at j4computers.com Sun Dec 7 15:01:37 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Sun, 07 Dec 2008 10:01:37 -0500 Subject: SOT - VMware hosts on different subnets. In-Reply-To: <493B9D6B020000850005F0C3@FS-LIN-OES> References: <493B9D6B020000850005F0C3@FS-LIN-OES> Message-ID: <493B9F01020000850005F0CB@FS-LIN-OES> >>> On 12/7/2008 at 9:54 AM, "joea at j4computers.com" wrote: > I want to virtualize an additional server (OES1 Linux), on a VMware server > (1.0.6) that currently hosts two guests (windows servers). > > The proposed guest is on a different subnet. I believe the host has only > one NIC. > > The subnets are separated by a router. The existing guests and host, are on > what is considered a DMZ. The proposed guest is in a "safe" area. > > Suggestions as to how this can be accomplished and maintain some reasonable > margin of security? > > joe a. > Perhaps it is not necessary to add that the subnets are physically on different ports of the router, each subnet on a different switch. joe a. 
From jrd at netlab1.oucs.ox.ac.uk Sun Dec 7 16:30:45 2008 From: jrd at netlab1.oucs.ox.ac.uk (jrd) Date: Sun, 07 Dec 2008 16:30:45 +0000 Subject: SOT - VMware hosts on different subnets. In-Reply-To: <493B9D6B020000850005F0C3@FS-LIN-OES> References: <493B9D6B020000850005F0C3@FS-LIN-OES> Message-ID: <493BFA35.6010501@netlab1.oucs.ox.ac.uk> joea at j4computers.com wrote: > I want to virtualize an additional server (OES1 Linux), on a VMware server (1.0.6) that currently hosts two guests (windows servers). > > The proposed guest is on a different subnet. I believe the host has only one NIC. > > The subnets are separated by a router. The existing guests and host, are on what is considered a DMZ. The proposed guest is in a "safe" area. > > Suggestions as to how this can be accomplished and maintain some reasonable margin of security? > > joe a. > --------- On nomenclature, subnets are connected by routers, as a matter of definition. That's the purpose in life of routers: to connect networks together. The VMware Server can provide a bridged connection to the world. That enables guests to use whatever IP number they wish to the wire. Protection is then to be done by each guest. Guest IP traffic is diverted to guests without entering the host's TCP/IP stack. Thus each guest has its own TCP/IP stack and address(es) and deals with traffic as if it were a separate box on the same wire as the host and other bridged guests. Yes, it is legal to have traffic for different IP networks travel along the same wire (else the Internet would have long ago consumed the remaining copper in the world). I hope this helps resolve the question you have. Joe D. From joea at j4computers.com Sun Dec 7 17:29:55 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Sun, 07 Dec 2008 12:29:55 -0500 Subject: SOT - VMware hosts on different subnets. 
In-Reply-To: <493BFA35.6010501@netlab1.oucs.ox.ac.uk> References: <493B9D6B020000850005F0C3@FS-LIN-OES> <493BFA35.6010501@netlab1.oucs.ox.ac.uk> Message-ID: <493BC1C3020000850005F0CF@FS-LIN-OES> >>> On 12/7/2008 at 11:30 AM, jrd wrote: > joea at j4computers.com wrote: >> I want to virtualize an additional server (OES1 Linux), on a VMware server > (1.0.6) that currently hosts two guests (windows servers). >> >> The proposed guest is on a different subnet. I believe the host has only > one NIC. >> >> The subnets are separated by a router. The existing guests and host, are on > what is considered a DMZ. The proposed guest is in a "safe" area. >> >> Suggestions as to how this can be accomplished and maintain some reasonable > margin of security? >> >> joe a. >> > --------- > On nomenclature, subnets are connected by routers, as a matter > of definition. That's the > purpose in life of routers: to connect networks together. > The VMware Server can provide a bridged connection to the world. > That enables guests > to use whatever IP number they wish to the wire. Protection is then to > be done by each guest. > Guest IP traffic is diverted to guests without entering the host's > TCP/IP stack. Thus each guest has > its own TCP/IP stack and address(es) and deals with traffic as if it > were a separate box on the same > wire as the host and other bridged guests. Yes, it is legal to have > traffic for different IP networks > travel along the same wire (else the Internet would have long ago > consumed the remaining copper > in the world). > I hope this helps resolve the question you have. > Joe D. It helps. Since I would rather keep the subnets physically separate, I see a second NIC in the VMware box and a cable to the appropriate switch as the likely beginning of a solution. joe a. From randygrein at comcast.net Sun Dec 7 19:01:59 2008 From: randygrein at comcast.net (Randy Grein) Date: Sun, 7 Dec 2008 11:01:59 -0800 Subject: SOT - VMware hosts on different subnets. 
In-Reply-To: <493BC1C3020000850005F0CF@FS-LIN-OES> References: <493B9D6B020000850005F0C3@FS-LIN-OES> <493BFA35.6010501@netlab1.oucs.ox.ac.uk> <493BC1C3020000850005F0CF@FS-LIN-OES> Message-ID: <5011EBDA-CAA1-4408-B70F-26B4F4E43644@comcast.net> Randy Grein, Master CNE, CCNA On Dec 7, 2008, at 9:29 AM, joea at j4computers.com wrote: >>>> On 12/7/2008 at 11:30 AM, jrd wrote: >> joea at j4computers.com wrote: >>> I want to virtualize an additional server (OES1 Linux), on a >>> VMware server >> (1.0.6) that currently hosts two guests (windows servers). >>> >>> The proposed guest is on a different subnet. I believe the host >>> has only >> one NIC. >>> >>> The subnets are separated by a router. The existing guests and >>> host, are on >> what is considered a DMZ. The proposed guest is in a "safe" area. >>> >>> Suggestions as to how this can be accomplished and maintain some >>> reasonable >> margin of security? >>> >>> joe a. >>> >> --------- >> On nomenclature, subnets are connected by routers, as a matter >> of definition. That's the >> purpose in life of routers: to connect networks together. >> The VMware Server can provide a bridged connection to the >> world. >> That enables guests >> to use whatever IP number they wish to the wire. Protection is then >> to >> be done by each guest. >> Guest IP traffic is diverted to guests without entering the host's >> TCP/IP stack. Thus each guest has >> its own TCP/IP stack and address(es) and deals with traffic as if it >> were a separate box on the same >> wire as the host and other bridged guests. Yes, it is legal to have >> traffic for different IP networks >> travel along the same wire (else the Internet would have long ago >> consumed the remaining copper >> in the world). >> I hope this helps resolve the question you have. >> Joe D. > > It helps. 
> > Since I would rather keep the subnets physically separate, I see a > second NIC in the VMware box and a cable to the appropriate switch > as the likely beginning of a solution. > > joe a. While I can embrace this solution, keep in mind that router separation is not a security solution. It does, as I have tried unsuccessfully to point out to my manager, make security rules easier to implement and enforce correctly. It also makes troubleshooting easier. Virtualization is a fine thing in moderation - but immoderately used creates just as many problems as it solves. From joea at j4computers.com Sun Dec 7 20:49:12 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Sun, 07 Dec 2008 15:49:12 -0500 Subject: SOT - VMware hosts on different subnets. In-Reply-To: <5011EBDA-CAA1-4408-B70F-26B4F4E43644@comcast.net> References: <493B9D6B020000850005F0C3@FS-LIN-OES> <493BFA35.6010501@netlab1.oucs.ox.ac.uk> <493BC1C3020000850005F0CF@FS-LIN-OES> <5011EBDA-CAA1-4408-B70F-26B4F4E43644@comcast.net> Message-ID: <493BF078020000850005F0D8@FS-LIN-OES> >>> On 12/7/2008 at 2:01 PM, Randy Grein wrote: > > Randy Grein, Master CNE, CCNA > > On Dec 7, 2008, at 9:29 AM, joea at j4computers.com wrote: > > I do raise an eyebrow at this, from a security standpoint. I am concerned about "cross guest" exploits. Maybe the terms are not correct, but you get the idea. Or already had it. But that is a hypothetical problem regardless of the DMZ/GreenZone issue. But I don't know of any issues. Does anyone? I think we'd have heard by now. joe a. From bbrush at gmail.com Mon Dec 8 05:59:22 2008 From: bbrush at gmail.com (Bill Brush) Date: Sun, 7 Dec 2008 23:59:22 -0600 Subject: SOT - VMware hosts on different subnets. 
In-Reply-To: <493BF078020000850005F0D8@FS-LIN-OES> References: <493B9D6B020000850005F0C3@FS-LIN-OES> <493BFA35.6010501@netlab1.oucs.ox.ac.uk> <493BC1C3020000850005F0CF@FS-LIN-OES> <5011EBDA-CAA1-4408-B70F-26B4F4E43644@comcast.net> <493BF078020000850005F0D8@FS-LIN-OES> Message-ID: <167f4090812072159x670d4250xf5beffae04d13bf8@mail.gmail.com> AFAIK, there are no known cross-guest exploits and frankly I have no clue how one would even be possible, let alone practical. Bill On Sun, Dec 7, 2008 at 2:49 PM, joea at j4computers.com wrote: >>>> On 12/7/2008 at 2:01 PM, Randy Grein wrote: >> >> Randy Grein, Master CNE, CCNA >> >> On Dec 7, 2008, at 9:29 AM, joea at j4computers.com wrote: >> >> > > I do raise an eyebrow at this, from a security standpoint. I am concerned about "cross guest" exploits. Maybe the terms are not correct, but you get the idea. Or already had it. > > But that is a hypothetical problem regardless of the DMZ/GreenZone issue. > > But I don't know of any issues. Does anyone? I think we'd have heard by now. > From petervl at gmail.com Mon Dec 8 06:05:06 2008 From: petervl at gmail.com (Peter Van Lone) Date: Mon, 8 Dec 2008 00:05:06 -0600 Subject: SLES time in VMware Message-ID: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> I've been looking into this recently, as I have a customer's SLES10 SP2 machine that is jumping forward in time (it's a VM in ESX3.5 update 2) Well, looking in one article (http://www.vmware.com/resources/techresources/1076) it suggests that SP2 machines in 3.5 should have VMI enabled for best time-keeping results. So, looking at this article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005701 I find myself wondering: is changing the kernel going to break anything, or cause some software to have updated libraries, or should this be pretty transparent to installed software? 
Also, looking at the instructions for adjusting time-keeping parameters when not on 3.5 update2, it suggests editing /boot/grub/grub.conf which does not exist. Should I simply put the clock=pmtmr option in the kernel line in menu.lst? Peter -- When I do good, I feel good. When I do bad, I feel bad. That is my religion. -Abraham Lincoln http://www.the-brights.net http://xkcd.com/167 From petervl at gmail.com Mon Dec 8 06:23:39 2008 From: petervl at gmail.com (Peter Van Lone) Date: Mon, 8 Dec 2008 00:23:39 -0600 Subject: SLES time in VMware In-Reply-To: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> References: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> Message-ID: <68b791330812072223y6be234aw4ee50ec275d2effd@mail.gmail.com> Also -- I find that I cannot find the kernel-vmi package referenced in the second article link below. How does one check the customer center configuration, to be sure that the update server is correctly added, because when I follow the instructions below (using search in either online update or software management) I get no results at all: # Run Online Update in the YaST Control Center after successfully registering the SLES10 SP2 virtual machine with Novell. # In the Filter drop box, choose Search. # In the Search box, enter "kernel-vmi" and click Search. # Select the kernel-vmi/VMI-enabled kernel package for installation and click Accept to install the SLES10 SP2 VMI kernel. Do not choose the kernel-vmipae package unless you have a 32bit Intel processor and more than 4GB of RAM. # Accept any dependency updates if necessary. # After the kernel-vmi package is installed, close the YaST Control Center and restart the SLES10 SP2 32bit virtual machine. # At the grub boot screen, choose the new SLES10 SP2 VMI kernel. # After the SLES10 SP2 32bit virtual machine boots, open the console and run the dmesg | grep VMI command. 
# Verify that the following lines exist: Detected VMI ROM version 3.0 VMI Timer active On Mon, Dec 8, 2008 at 12:05 AM, Peter Van Lone wrote: > I've been looking into this recently, as I have a customer's SLES10 > SP2 machine that is jumping forward in time (it's a VM in ESX3.5 > update 2) > > Well, looking in one article > (http://www.vmware.com/resources/techresources/1076) it suggests that > SP2 machines in 3.5 should have VMI enabled for best time-keeping > results. > > So, looking at this article: > > http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005701 > > I find myself wondering: is changing the kernel going to break > anything, or cause some software to have updated libraries, or should > this be pretty transparent to installed software? > > Also, looking at the instructions for adjusting time-keeping > parameters when not on 3.5 update2, it suggests editing > /boot/grub/grub.conf which does not exist. Should I simply put the > clock=pmtmr option in the kernel line in menu.lst? > > > Peter > > > > > > -- > When I do good, I feel good. When I do bad, I feel bad. That is my religion. > > -Abraham Lincoln > > http://www.the-brights.net > http://xkcd.com/167 > -- When I do good, I feel good. When I do bad, I feel bad. That is my religion. -Abraham Lincoln http://www.the-brights.net http://xkcd.com/167 From joea at j4computers.com Mon Dec 8 11:22:54 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Mon, 08 Dec 2008 06:22:54 -0500 Subject: SLES time in VMware In-Reply-To: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> References: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> Message-ID: <493CBD3E020000850005F0DE@FS-LIN-OES> . . . > I find myself wondering: is changing the kernel going to break > anything, or cause some software to have updated libraries, or should > this be pretty transparent to installed software? 
> > Also, looking at the instructions for adjusting time-keeping > parameters when not on 3.5 update2, it suggests editing > /boot/grub/grub.conf which does not exist. Should I simply put the > clock=pmtmr option in the kernel line in menu.lst? > That's where I have put it. joe a. From Mark.Robinson at nds8.co.uk Mon Dec 8 11:26:06 2008 From: Mark.Robinson at nds8.co.uk (Mark Robinson) Date: Mon, 08 Dec 2008 11:26:06 +0000 Subject: SLES time in VMware In-Reply-To: <68b791330812072223y6be234aw4ee50ec275d2effd@mail.gmail.com> References: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> <68b791330812072223y6be234aw4ee50ec275d2effd@mail.gmail.com> Message-ID: <493D044E020000AD0001F481@mail2.nds8.com> In answer to your first question, clock=pmtmr in menu.lst should work well. You should also run ntp in the guest (pointed to something other than the esx host). To get the VMI kernel you will need to be registered for updates. All the docs talk about it being part of SLES10 SP2, but it's not. No idea why not, but it's not! Once you're registered and subscribed to the update channels, a simple rug in kernel-vmi will work nicely. HTH Mark ---------------------------- Mark Robinson NDS8 Novell Platinum Solution Provider Mobile: +44 (0) 7900 570 400 Office: +44 (0) 131 538 8202 Fax: +44 (0) 131 453 6522 www.nds8.co.uk >>> On Monday, 08 December, 2008 at 6:23 AM, in message <68b791330812072223y6be234aw4ee50ec275d2effd at mail.gmail.com>, "Peter Van Lone" wrote: > Also -- > > I find that I cannot find the kernel-vmi package referenced in the > second article link below. How does one check the customer center > configuration, to be sure that the update server is correctly added, > because when I follow the instructions below (using search in either > online update or software management) I get no results at all: > > # > Run Online Update in the YaST Control Center after successfully > registering the SLES10 SP2 virtual machine with Novell. 
> # > In the Filter drop box, choose Search. > # > In the Search box, enter "kernel-vmi" and click Search. > # > Select the kernel-vmi/VMI-enabled kernel package for installation and > click Accept to install the SLES10 SP2 VMI kernel. Do not choose the > kernel-vmipae package unless you have a 32bit Intel processor and more > than 4GB of RAM. > # > Accept any dependency updates if necessary. > # > After the kernel-vmi package is installed, close the YaST Control > Center and restart the SLES10 SP2 32bit virtual machine. > # > At the grub boot screen, choose the new SLES10 SP2 VMI kernel. > # > After the SLES10 SP2 32bit virtual machine boots, open the console and > run the dmesg | grep VMI command. > # > Verify that the following lines exist: > > Detected VMI ROM version 3.0 > VMI Timer active > > On Mon, Dec 8, 2008 at 12:05 AM, Peter Van Lone wrote: > > I've been looking into this recently, as I have a customer's SLES10 > > SP2 machine that is jumping forward in time (it's a VM in ESX3.5 > > update 2) > > > > Well, looking in one article > > (http://www.vmware.com/resources/techresources/1076) it suggests that > > SP2 machines in 3.5 should have VMI enabled for best time-keeping > > results. > > > > So, looking at this article: > > > > > http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=disp > layKC&externalId=1005701 > > > > I find myself wondering: is changing the kernel going to break > > anything, or cause some software to have updated libraries, or should > > this be pretty transparent to installed software? > > > > Also, looking at the instructions for adjusting time-keeping > > parameters when not on 3.5 update2, it suggests editing > > /boot/grub/grub.conf which does not exist. Should I simply put the > > clock=pmtmr option in the kernel line in menu.lst? > > > > > > Peter > > > > > > > > > > > > -- > > When I do good, I feel good. When I do bad, I feel bad. That is my > religion. 
> > > > -Abraham Lincoln > > > > http://www.the-brights.net > > http://xkcd.com/167 > > > The information contained in this email is intended for the person to whom it is addressed and may contain confidential and/or privileged information. You should not copy, retain, forward or disclose its contents to anyone else, or take any action based upon it, if it is not addressed to you personally. If the message is received by anyone other than the addressee, please notify the sender and delete the message. NDS8 does not accept responsibility for changes made to this message after it was sent. Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. From peschmid at mpsomaha.org Mon Dec 8 13:29:00 2008 From: peschmid at mpsomaha.org (Patrick Schmidt) Date: Mon, 08 Dec 2008 07:29:00 -0600 Subject: Corrupt files on NSS volume Message-ID: <493CCCBC.664C.00E4.0@mpsomaha.org> We have a case where a large percentage of MS Office files (word .doc and Excel .xls files) are corrupt. If you open a .doc file you see nothing but rectangles. An Excel file shows a warning that it is not a valid Excel file. Open it anyway and the workbook is blank. M$'s tools for recovering corrupt files have not helped. We've been restoring backups but have not yet nailed down a time frame as to when this might have occurred. Most of these files are only accessed occasionally, which explains why they were not noticed until now -- but they are still important. I did do an nss /poolverify and rebuild to no avail. This is a pool hosted on an older Compaq SAN. 
We have restored backups going back several months to a newly created volume on a newly created pool, and docs are corrupt on the backups too. It is a Netware 6.5 sp7 box, and we are using Galaxy for backup. Has anyone else seen something like this? Thanks -------------------------------------------------- Patrick Schmidt Millard Public Schools Network Support Specialist (402)715-6278 peschmid at mpsomaha.org --------------------------------------------------- From Steven.Aitken at nds8.co.uk Mon Dec 8 13:34:54 2008 From: Steven.Aitken at nds8.co.uk (Steven Aitken) Date: Mon, 08 Dec 2008 13:34:54 +0000 Subject: Corrupt files on NSS volume In-Reply-To: <493D227E0200000700014C90@mail2.nds8.com> References: <493D227E0200000700014C8D@mail2.nds8.com> <493D227E0200000700014C90@mail2.nds8.com> Message-ID: <493D227E0200000700014C90@mail2.nds8.com> I've seen this behaviour with client file caching enabled and always turn it, as well as level 2 oplocks off on the server. Check if they are enabled with: Set client file caching enabled Set level2 oplocks enabled Cheers, Steve -----Original Message----- From: "Patrick Schmidt" To: Novell LAN Interest Group To: Novell LAN Interest Group Sent: 08/12/2008 13:29:00 Subject: Corrupt files on NSS volume We have a case where a large percentage of MS Office files (word .doc and Excel .xls files) are corrupt. If you open a .doc file you see nothing but rectangles. An Excel file shows a warning that it is not a valid Excel file. Open it anyway and the workbook is blank. M$'s tools for recovering corrupt files have not helped. We've been restoring backups but have not yet nailed down a time frame as to when this might have occurred. Most of these files are only accessed occasionally, which explains why they were not noticed until now -- but they are still important. I did do an nss /poolverify and rebuild to no avail. This is a pool hosted on an older Compaq SAN. 
There is another volume on the same pool that does not seem to have any corrupt files, and it also stores user data with a lot of Office documents. We have restored backups going back several months to a newly created volume on a newly created pool, and docs are corrupt on the backups too. It is a Netware 6.5 sp7 box, and we are using Galaxy for backup. Has anyone else seen something like this? Thanks -------------------------------------------------- Patrick Schmidt Millard Public Schools Network Support Specialist (402)715-6278 peschmid at mpsomaha.org ---------------------------------------------------
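Added example, not part of any poster's message: since the thread has not yet established when the .doc and .xls files went bad, this Python sketch checks each file's OLE2 compound-file header and tallies the results by modification month. The function names and the `sample_header()` input are constructed for illustration, and it assumes the damage is visible in the first 512 bytes, which the thread does not confirm.

```python
"""Triage legacy Office files (.doc/.xls) by checking the OLE2 compound-file header."""
import os
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # signature of every OLE2 compound file
OFFICE_EXTS = {".doc", ".xls"}
HEADER_LEN = 512


def sample_header() -> bytes:
    """Constructed, minimal valid header used as sample input (not a real document)."""
    head = bytearray(HEADER_LEN)
    head[0:8] = CFB_MAGIC
    # Offsets 24..31: minor version, major version, byte-order mark, sector shift.
    struct.pack_into("<HHHH", head, 24, 0x003E, 3, 0xFFFE, 9)
    return bytes(head)


def classify_header(head: bytes) -> str:
    """Classify the first 512 bytes of a file that should be an OLE2 document."""
    if not head:
        return "empty"
    if len(head) < HEADER_LEN:
        return "truncated"
    if head.count(0) == len(head):
        return "zero-filled"
    if head[:8] != CFB_MAGIC:
        return "bad-signature"
    major, byte_order, sector_shift = struct.unpack_from("<HHH", head, 26)
    # Version 3 files use 512-byte sectors (shift 9), version 4 files 4096-byte (shift 12).
    if byte_order != 0xFFFE or (major, sector_shift) not in {(3, 9), (4, 12)}:
        return "bad-header-fields"
    return "ok"


def scan_tree(root):
    """Return (path, status, mtime) for every .doc/.xls file under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in OFFICE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_LEN)
                mtime = os.stat(path).st_mtime
            except OSError:
                results.append((path, "unreadable", None))
                continue
            results.append((path, classify_header(head), mtime))
    return results


def damage_by_month(results):
    """Group statuses by modification month (UTC), oldest month first.

    mtime is only a hint: whatever damaged a file may not have updated it.
    """
    months = {}
    for _path, status, mtime in results:
        if mtime is None:
            continue
        month = datetime.fromtimestamp(mtime, tz=timezone.utc).strftime("%Y-%m")
        months.setdefault(month, Counter())[status] += 1
    return dict(sorted(months.items()))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for month, counts in damage_by_month(scan_tree(root)).items():
        print(month, dict(counts))
```

Run it over each restored backup set in turn; the newest set in which a given file still classifies as `ok` brackets the date on which it was damaged.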
From peschmid at mpsomaha.org Mon Dec 8 16:33:50 2008 From: peschmid at mpsomaha.org (Patrick Schmidt) Date: Mon, 08 Dec 2008 10:33:50 -0600 Subject: Corrupt files on NSS volume In-Reply-To: <493CCCBC.664C.00E4.0@mpsomaha.org> References: <493CCCBC.664C.00E4.0@mpsomaha.org> Message-ID: <493CF80F.664C.00E4.0@mpsomaha.org> Thank you for responding. We turned those off years ago. I even put those lines in startup.ncf so there is no ambiguity. I just confirmed that they are turned off. >>> "Patrick Schmidt" 12/8/2008 7:29 AM >>> We have a case where a large percentage of MS Office files (word .doc and Excel .xls files) are corrupt. If you open a .doc file you see nothing but rectangles. An Excel file shows a warning that it is not a valid Excel file. Open it anyway and the workbook is blank. 
M$'s tools for recovering corrupt files have not helped. We've been restoring backups but have not yet nailed down a time frame as to when this might have occurred. Most of these files are only accessed occasionally, which explains why they were not noticed until now -- but they are still important. I did do an nss /poolverify and rebuild to no avail. This is a pool hosted on an older Compaq SAN. There is another volume on the same pool that does not seem to have any corrupt files, and it also stores user data with a lot of Office documents. We have restored backups going back several months to a newly created volume on a newly created pool, and docs are corrupt on the backups too. It is a Netware 6.5 sp7 box, and we are using Galaxy for backup. Has anyone else seen something like this? Thanks -------------------------------------------------- Patrick Schmidt Millard Public Schools Network Support Specialist (402)715-6278 peschmid at mpsomaha.org --------------------------------------------------- _______________________________________________ Novell mailing list Novell at netlab1.oucs.ox.ac.uk http://netlab1.usu.edu/mailman/listinfo/novell From JMansfield at eircom.ie Mon Dec 8 14:18:01 2008 From: JMansfield at eircom.ie (JMansfield at eircom.ie) Date: Mon, 8 Dec 2008 14:18:01 -0000 Subject: No subject Message-ID: <7043276F9A35564B81DF86B3545B890F0205FF17@DNEXVS01.eircom.ie> Patrick, We have seen excel be very susceptible to network errors writing to disk. We had a fault open with MS for a year trying to get it solved during which they insisted that it was Netware that caused it. A company called Cimaware sells excelfix (http://www.cimaware.com/main/products/excelfix.php) which fixed the issue after which MS owned up to there being "issues". We have also seen files affected in the manner described by a piece of malware called worm.l.zip which opens all office type files and sets their internal length to 0 in the file header. 
The first case is fixable using the package mentioned; for the second we had to recover from tape.

John

John Mansfield
eircom
Senior Architect DR & IT Contingency
4-A-10,1HSQ St John's Road, Dn 8,
Telephone 01-6008221
Email jmansfield at eircom.ie
"Per ardua ad astra"
"Through adversity to the Stars"

Message: 23
Date: Mon, 08 Dec 2008 07:29:00 -0600
From: "Patrick Schmidt"
Subject: Corrupt files on NSS volume
To:
Message-ID: <493CCCBC.664C.00E4.0 at mpsomaha.org>
Content-Type: text/plain; charset=US-ASCII

We have a case where a large percentage of MS Office files (word .doc and Excel .xls files) are corrupt. If you open a .doc file you see nothing but rectangles. An Excel file shows a warning that it is not a valid Excel file. Open it anyway and the workbook is blank. M$'s tools for recovering corrupt files have not helped. We've been restoring backups but have not yet nailed down a time frame as to when this might have occurred. Most of these files are only accessed occasionally, which explains why they were not noticed until now -- but they are still important. I did do an nss /poolverify and rebuild to no avail. This is a pool hosted on an older Compaq SAN. There is another volume on the same pool that does not seem to have any corrupt files, and it also stores user data with a lot of Office documents. We have restored backups going back several months to a newly created volume on a newly created pool, and docs are corrupt on the backups too. It is a Netware 6.5 sp7 box, and we are using Galaxy for backup. Has anyone else seen something like this?
Thanks

--------------------------------------------------
Patrick Schmidt
Millard Public Schools
Network Support Specialist
(402)715-6278
peschmid at mpsomaha.org

John Mansfield
Senior Architect DR & IT Contingency
4-A-10, 1HSQ St John's Road, Dn 8,
Telephone 6008221
Email jmansfield at eircom.ie
"Per ardua ad astra"
"Through adversity to the Stars"

From ahidalgo at salud.unm.edu Mon Dec 8 16:37:42 2008
From: ahidalgo at salud.unm.edu (Al Hidalgo)
Date: Mon, 08 Dec 2008 09:37:42 -0700
Subject: grub issues w/SLES 10 on Dell server
Message-ID: <493CEADD.4770.0087.0@salud.unm.edu>

I have a brand new Dell 2950 with a Perc 6 RAID controller and raid 5 configured that I am trying to get SLES 10 loaded.
Towards the end of the install where it's trying to write the boot loader I get a Grub error 18 saying the Selected cylinder exceeds maximum supported by BIOS. I have installed several times trying different setups and every time I get the same error but I can use LILO instead and it works fine but I don't want to use lilo. Anyone ever seen this? I've never had problems with SLES 10 loading on modern Dell servers before.

Thanks,
Al

Al Hidalgo
Enterprise Systems Support Analyst
Information Technology
University Hospitals/UNM Health Sciences Center
ahidalgo at salud.unm.edu

From James.Taylor at eastcobbgroup.com Mon Dec 8 17:15:50 2008
From: James.Taylor at eastcobbgroup.com (James Taylor)
Date: Mon, 08 Dec 2008 12:15:50 -0500
Subject: grub issues w/SLES 10 on Dell server
In-Reply-To: <493CEADD.4770.0087.0@salud.unm.edu>
References: <493CEADD.4770.0087.0@salud.unm.edu>
Message-ID: <493D0FF60200007500038683@inet.eastcobbgroup.com>

Are you creating a separate /boot partition? I would expect that there could be a problem if boot is in a large / partition.

-jt

James Taylor
The East Cobb Group, Inc.
678-697-9420
james.taylor at eastcobbgroup.com
http://www.eastcobbgroup.com

>>> "Al Hidalgo" 12/8/2008 11:37 AM >>>
I have a brand new Dell 2950 with a Perc 6 RAID controller and raid 5 configured that I am trying to get SLES 10 loaded. Towards the end of the install where it's trying to write the boot loader I get a Grub error 18 saying the Selected cylinder exceeds maximum supported by BIOS. I have installed several times trying different setups and every time I get the same error but I can use LILO instead and it works fine but I don't want to use lilo. Anyone ever seen this? I've never had problems with SLES 10 loading on modern Dell servers before.
Thanks,
Al

Al Hidalgo
Enterprise Systems Support Analyst
Information Technology
University Hospitals/UNM Health Sciences Center
ahidalgo at salud.unm.edu

From KPARRIS at ed.sc.gov Mon Dec 8 17:04:44 2008
From: KPARRIS at ed.sc.gov (Kevin Parris)
Date: Mon, 08 Dec 2008 12:04:44 -0500
Subject: SOT - VMware hosts on different subnets.
In-Reply-To: <493B9D6B020000850005F0C3@FS-LIN-OES>
References: <493B9D6B020000850005F0C3@FS-LIN-OES>
Message-ID: <493D0D5D02000018004EF69F@sdecl2.sde.state.sc.us>

That will require a second physical interface on the host.

And we would hope your subnets are separated by a firewall (which has been carefully configured by an experienced administrator), not JUST a router.

Once you put two systems inside one box, you have (obviously) reduced their security status with respect to each other - should one become compromised, the other is now an easier target than before (the separation represented by the firewall is no longer absolute).

There were patches issued by VMware just within a year or so for issues that enabled certain activity within a guest to result in gaining control of the host - and thus all the other guests. There are two layers there - a hacker must find and compromise one system first, then figure out that it is a virtualized guest, then try the (now publicly known, since patches were announced) weaknesses that did exist in VMware, and perhaps break through that layer too.

The VMware technology is extremely good, but nothing is perfect. The choice of what resources to place together inside one box is more philosophical than technical - those who own and care about the resources must evaluate what level of risk exposure they are willing to accept, contrasted with how much investment they are prepared to make to regulate that exposure level.
>>> "joea at j4computers.com" 12/07/08 9:54 AM >>>
I want to virtualize an additional server (OES1 Linux), on a VMware server (1.0.6) that currently hosts two guests (windows servers). The proposed guest is on a different subnet. I believe the host has only one NIC. The subnets are separated by a router. The existing guests and host are on what is considered a DMZ. The proposed guest is in a "safe" area.

Suggestions as to how this can be accomplished and maintain some reasonable margin of security?

joe a.

From joe.doupnik at oucs.ox.ac.uk Mon Dec 8 14:25:22 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Mon, 08 Dec 2008 14:25:22 +0000
Subject: SOT - VMware hosts on different subnets.
In-Reply-To: <493BF078020000850005F0D8@FS-LIN-OES>
References: <493B9D6B020000850005F0C3@FS-LIN-OES> <493BFA35.6010501@netlab1.oucs.ox.ac.uk> <493BC1C3020000850005F0CF@FS-LIN-OES> <5011EBDA-CAA1-4408-B70F-26B4F4E43644@comcast.net> <493BF078020000850005F0D8@FS-LIN-OES>
Message-ID: <493D2E52.8030307@oucs.ox.ac.uk>

joea at j4computers.com wrote:
>>>> On 12/7/2008 at 2:01 PM, Randy Grein wrote:
>> Randy Grein, Master CNE, CCNA
>>
>> On Dec 7, 2008, at 9:29 AM, joea at j4computers.com wrote:
>>
>>
>
> I do raise an eyebrow at this, from a security standpoint. I am concerned about "cross guest" exploits. Maybe the terms are not correct, but you get the idea. Or already had it.
>
> But that is a hypothetical problem regardless of the DMZ/GreenZone issue.
>
> But I don't know of any issues. Does anyone? I think we'd have heard by now.
>
> joe a.
----------
It is not just hypothetical, it can occur through shared resources and coupling to host files. To happen though normally requires detailed actions on a subverted guest, and at that point the guest is toast. VMware does try hard to reduce the chances of this occurring, as we can see by reviewing their security fixes. You may wish to give VMware Server v2 a trial run for the latest code.
You can dramatically reduce the toast/invasion damage part of things by using apparmor. Even if the bad guys get in by subverting an app their ability to do damage is restricted. This doesn't stop the usual username/password guessing game; other measures can greatly reduce the chances of that happening by repeated probes (done as part of my IPTables Brainshare presentation, voting is still open, hint hint).

Overall, I think you are proceeding prudently, if only the host machine were a little more cooperative about virtualization. I am puzzled by your Linux guest being unable to keep time because Linux is normally robust about that.

Joe D.

From joe.doupnik at oucs.ox.ac.uk Mon Dec 8 17:39:57 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik)
Date: Mon, 08 Dec 2008 17:39:57 +0000
Subject: OES2/Linux -> OES2 SP1 /Linux, same box, it worked
Message-ID: <493D5BED.9030305@oucs.ox.ac.uk>

As many folks are now worrying about the same upgrade subject, going from OES2 to OES2 SP1 on Linux, I thought I would add a note that over the interval of about 2.5 hours today I:

    did a sector copy (dd command) of the o/s disk
    did an in-place upgrade from OES2 to OES2 SP1
    did a full rug patch/update of this result
    did a recompile of mailman to accommodate the new system

And it all worked! This list runs on mailman on that machine.

The o/s upgrade was done by booting the server from the SLES10 SP2 CD1, reference the SLES10 SP2 DVD image over an http connection from a nearby server, simultaneously reference the OES2 SP1 iso file stored on this server's local disk farm. The keys are to choose the Upgrade option when SLES prompts for New/Upgrade/Other, and to include the OES2 SP1 iso as an add-on product at the same time.

I would like to say that all this is a very pleasant surprise. But in truth I have done this several times on test gear, and those also worked fine. So I cheated by practicing.

Oh yes, SP8 of NW 6.5 went on smoothly this morning, over SP7.
It is also possible to do an identity migration from box to box, which I show in classes.

Joe D.

From Hatchellb at vvc.edu Mon Dec 8 17:45:15 2008
From: Hatchellb at vvc.edu (Brian Hatchell)
Date: Mon, 08 Dec 2008 09:45:15 -0800
Subject: Enabling Universal Password
In-Reply-To: <1d6cdac70811062027k1f445807k7ac3f5b382076cf0@mail.gmail.com>
References: <490F61270200004E00043D5F@com-gwweb.hamk.fi> <490ED63A.2FC1.0024.0@vvc.edu> <1d6cdac70811062027k1f445807k7ac3f5b382076cf0@mail.gmail.com>
Message-ID: <493CECB2.2FC1.0024.1@vvc.edu>

Thanx to all. Getting ready to actually implement soon.

Anyone have any more caveats?

Brian Hatchell
Network Manager
Victor Valley College
760 245-4271 x2792

"A good plan, violently executed now, is better than a perfect plan next week."

- General George S. Patton

Check my Blog at http://gwcal.vvc.edu/mplusextranet/scp.dll/blog?user=hatchellb

>>> On 11/6/2008 at 8:27 PM, in message <1d6cdac70811062027k1f445807k7ac3f5b382076cf0 at mail.gmail.com>, "Eric Rothweiler" wrote:
Be on the latest eDir, NMAS, and Security Services patches that apply. When you create your Universal Password policy associate it with one user object then add a few more until you have confidence in what is going to be experienced. I would wait at least one password expiration cycle before going out to everyone if possible as the password expiration process may reveal problems not previously thought through. The good thing is at this point UP is pretty solid and simple, the earlier adopters (2 years ago) were the ones that took the pain.

On Mon, Nov 3, 2008 at 1:45 PM, Brian Hatchell wrote:
> I will be implementing this real soon to get password complexity
> requirements enforced.
>
> Does anyone want to share details about 'gotchas'
>
> Brian Hatchell
> Network Manager
> Victor Valley College
> 760 245-4271 x2792
>
> "A good plan, violently executed now, is better than a perfect plan next
> week."
>
> - General George S.
Patton
>
> Check my Blog at
> http://gwcal.vvc.edu/mplusextranet/scp.dll/blog?user=hatchellb
>
>
> >>> On 11/3/2008 at 10:37 AM, in message <
> 490F61270200004E00043D5F at com-gwweb.hamk.fi>, "Sami Kapanen" <
> Sami.Kapanen at hamk.fi> wrote:
> UP wins.
> Be careful with Universal Password, we had big issues when we turned it
> on.
> Read the docs about the password policies, as the normal password
> restrictions won't apply anymore.
>
> -sk
>
> >>> "Scott Etienne" 11/03/08 6:59 PM >>>
> Right now we have users who have to remember multiple passwords because we
> didn't turn on universal password for any of our containers. My question is,
> when we turn it on, which password wins, NDS/eDirectory or Universal
> Password?
>
> What else should I know before trying it?
>
> Thank you,
>
> Scott Etienne
> Network Engineer
> Enesco, LLC
> setienne at enesco.com
From ahidalgo at salud.unm.edu Mon Dec 8 18:29:02 2008
From: ahidalgo at salud.unm.edu (Al Hidalgo)
Date: Mon, 08 Dec 2008 11:29:02 -0700
Subject: grub issues w/SLES 10 on Dell server
In-Reply-To: <493D0FF60200007500038683@inet.eastcobbgroup.com>
References: <493CEADD.4770.0087.0@salud.unm.edu> <493D0FF60200007500038683@inet.eastcobbgroup.com>
Message-ID: <493D04F2.4770.0087.0@salud.unm.edu>

No, at first I just accepted the defaults, then I tried a few custom setups. The raid does have a couple of terabytes though.

Al

>>> On 12/08/08 at 10:15 AM, "James Taylor" wrote:
Are you creating a separate /boot partition? I would expect that there could be a problem if boot is in a large / partition.

-jt

James Taylor
The East Cobb Group, Inc.
678-697-9420
james.taylor at eastcobbgroup.com
http://www.eastcobbgroup.com

>>> "Al Hidalgo" 12/8/2008 11:37 AM >>>
I have a brand new Dell 2950 with a Perc 6 RAID controller and raid 5 configured that I am trying to get SLES 10 loaded. Towards the end of the install where it's trying to write the boot loader I get a Grub error 18 saying the Selected cylinder exceeds maximum supported by BIOS. I have installed several times trying different setups and every time I get the same error but I can use LILO instead and it works fine but I don't want to use lilo. Anyone ever seen this? I've never had problems with SLES 10 loading on modern Dell servers before.
Thanks,
Al

Al Hidalgo
Enterprise Systems Support Analyst
Information Technology
University Hospitals/UNM Health Sciences Center
ahidalgo at salud.unm.edu

From cmangiarelli at gmail.com Mon Dec 8 19:16:52 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Mon, 8 Dec 2008 14:16:52 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To: <4937C9D3.2050206@cam.ac.uk>
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk> <4937C9D3.2050206@cam.ac.uk>
Message-ID:

I'm just about to install the software on the server and have to decide how to partition it properly. I have two raid arrays (280GB mirrored and ~900GB raid5). Since NSS is not in the server's future, I want to have LVM2 available in case file system re-allocation is necessary.

The ~900GB array is for ifolder data only so I figured that will be a LVM2 container and EXT3 filesystem mapped into the / somewhere once the server is online. Should LVM2 even be used on this single raid device? I could foresee a potential to add another drive and have the raid controller expand the array so then I could foresee a need to expand the filesystem to use that new space.

The 280GB array is for the OS and some test ifolder space. I was thinking of doing:
/boot @ 300MB
LVM2 container for the rest:
 - 1 GB swap
 - 35 GB /
 - 20 GB /opt
 - 20 GB /var
 - ~200 GB for test iFolder space to be mapped into the / later.

Or would a simpler scheme be best?
/boot @ 300MB
LVM2 container for the rest:
 - 1 GB swap
 - 75 GB /
 - ~200 GB for test iFolder space to be mapped into the / later.

I understand it's pretty much required to have /boot outside LVM, but is it mostly safe to place the rest inside?
Should /tmp be a separate partition from /?

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From RGrein at tpchd.org Mon Dec 8 19:28:45 2008
From: RGrein at tpchd.org (Randy Grein)
Date: Mon, 08 Dec 2008 11:28:45 -0800
Subject: SOT - VMware hosts on different subnets.
In-Reply-To: <167f4090812072159x670d4250xf5beffae04d13bf8@mail.gmail.com>
References: <493B9D6B020000850005F0C3@FS-LIN-OES> <493BFA35.6010501@netlab1.oucs.ox.ac.uk> <493BC1C3020000850005F0CF@FS-LIN-OES> <5011EBDA-CAA1-4408-B70F-26B4F4E43644@comcast.net> <493BF078020000850005F0D8@FS-LIN-OES> <167f4090812072159x670d4250xf5beffae04d13bf8@mail.gmail.com>
Message-ID: <493D04ED.811E.0072.0@tpchd.org>

Cross-guest exploit - how about the modified marioforever trojan? It appears to initially infect through clickjacking (at least, that seems to be how we got it) and then searches the local subnet for vulnerable Windows shares. Plant a copy and continue.

My original thinking on this was that router segregation makes a poor firewall; multicasting & other tricks are well known methods to bypass the router. It should be blocked by the VMware host service, but that's a theory that may not always be correct.

Randy Grein
Sr. Network Engineer

>>> "Bill Brush" 12/7/2008 9:59 PM >>>
AFAIK, there are no known cross-guest exploits and frankly I have no clue how one would even be possible, let alone practical.

Bill

On Sun, Dec 7, 2008 at 2:49 PM, joea at j4computers.com wrote:
>>>> On 12/7/2008 at 2:01 PM, Randy Grein wrote:
>>
>> Randy Grein, Master CNE, CCNA
>>
>> On Dec 7, 2008, at 9:29 AM, joea at j4computers.com wrote:
>>
>>
>
> I do raise an eyebrow at this, from a security standpoint. I am concerned about "cross guest" exploits. Maybe the terms are not correct, but you get the idea. Or already had it.
>
> But that is a hypothetical problem regardless of the DMZ/GreenZone issue.
>
> But I don't know of any issues. Does anyone? I think we'd have heard by now.
>

From joea at j4computers.com Mon Dec 8 19:29:59 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 08 Dec 2008 14:29:59 -0500
Subject: SOT - VMware hosts on different subnets.
Message-ID: <493D2F6C020000850005F0EC@FS-LIN-OES>

>Overall, I think you are proceeding prudently, if only the host machine
>were a little more cooperative about virtualization. I am puzzled by your Linux
>guest being unable to keep time because Linux is normally robust about that.
>Joe D.

Different box, different site. I'll hunt up that thread to post more on that topic.

joe a.

From joe.doupnik at oucs.ox.ac.uk Mon Dec 8 19:32:09 2008
From: joe.doupnik at oucs.ox.ac.uk (jrd)
Date: Mon, 08 Dec 2008 19:32:09 +0000
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk> <4937C9D3.2050206@cam.ac.uk>
Message-ID: <493D7639.1050703@oucs.ox.ac.uk>

Christopher Mangiarelli wrote:
> I'm just about to install the software on the server and have to decide how
> to partition it properly. I have two raid arrays (280GB mirrored and ~900GB
> raid5). Since NSS is not in the server's future, I want to have LVM2
> available in case file system re-allocation is necessary.
>
> The ~900GB array is for ifolder data only so I figured that will be a LVM2
> container and EXT3 filesystem mapped into the / somewhere once the server is
> online. Should LVM2 even be used on this single raid device? I could
> foresee a potential to add another drive and have the raid controller expand
> the array so then I could foresee a need to expand the filesystem to use that
> new space.
>
> The 280GB array is for the OS and some test ifolder space. I was thinking
> of doing:
> /boot @ 300MB
> LVM2 container for the rest:
> - 1 GB swap
> - 35 GB /
> - 20 GB /opt
> - 20 GB /var
> - ~200 GB for test iFolder space to be mapped into the / later.
>
> Or would a simpler scheme be best?
> /boot @ 300MB
> LVM2 container for the rest:
> - 1 GB swap
> - 75 GB /
> - ~200 GB for test iFolder space to be mapped into the / later.
>
> I understand it's pretty much required to have /boot outside LVM, but is it
> mostly safe to place the rest inside? Should /tmp be a separate partition
> from /?
>
---------
A couple of comments.
/boot needs under 24MB (look at an existing server to see this)
and a monster swap is generally overkill
Why bother with a volume manager in the first place?

I cannot see why you wish to split /var and /opt in the first example.

My operating philosophy: give the o/s enough room to expand, but put all user material and other valuables in other partitions/file systems. This keeps the o/s proper nicely confined to /boot, swap, /, nothing is huge, and all the other areas are mounted into this. The root partition (/) need not be particularly large, 5GB will hold everything at the start so give it more space than that but not the world. Keep all this very simple, avoid complexity (LVM2), don't add partitions without being forced into it.

Joe D.

From joea at j4computers.com Mon Dec 8 19:33:42 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 08 Dec 2008 14:33:42 -0500
Subject: SOT - VMware hosts on different subnets.
Message-ID: <493D3043020000850005F0F4@FS-LIN-OES>

>>>> "Kevin Parris" 12/08/08 12:23 PM >>>
>That will require a second physical interface on the host.

Seems to be the consensus

>And we would hope your subnets are separated by a firewall (which
>has been carefully configured by an experienced
>administrator), not JUST a router.

Heh. Well it *is* a firewall. The admin is "experienced" (In a non Jimi Hendrix fashion (PR statement)), but how competent is another story. (yes, it is me).

>

The host is Vmware server 1.0.6, so it should not be too far behind. But a look at newer stuff is probably in order.

joe a.

From RGrein at tpchd.org Mon Dec 8 19:34:36 2008
From: RGrein at tpchd.org (Randy Grein)
Date: Mon, 08 Dec 2008 11:34:36 -0800
Subject: Corrupt files on NSS volume
In-Reply-To: <493D227E0200000700014C90@mail2.nds8.com>
References: <493D227E0200000700014C8D@mail2.nds8.com> <493D227E0200000700014C90@mail2.nds8.com> <493D227E0200000700014C90@mail2.nds8.com>
Message-ID: <493D064C.811E.0072.0@tpchd.org>

Scary thing is these are enabled on Windows servers and disabling them is possible only with registry hacks.

Randy Grein
Sr. Network Engineer

>>> "Steven Aitken" 12/8/2008 5:34 AM >>>
I've seen this behaviour with client file caching enabled and always turn it, as well as level 2 oplocks off on the server. Check if they are enabled with:

Set client file caching enabled
Set level2 oplocks enabled

Cheers,
Steve

-----Original Message-----
From: "Patrick Schmidt"
To: Novell LAN Interest Group
Sent: 08/12/2008 13:29:00
Subject: Corrupt files on NSS volume

We have a case where a large percentage of MS Office files (word .doc and Excel .xls files) are corrupt. If you open a .doc file you see nothing but rectangles. An Excel file shows a warning that it is not a valid Excel file. Open it anyway and the workbook is blank. M$'s tools for recovering corrupt files have not helped.
We've been restoring backups but have not yet nailed down a time frame as to when this might have occurred. Most of these files are only accessed occasionally, which explains why they were not noticed until now -- but they are still important. I did do an nss /poolverify and rebuild to no avail. This is a pool hosted on an older Compaq SAN. There is another volume on the same pool that does not seem to have any corrupt files, and it also stores user data with a lot of Office documents. We have restored backups going back several months to a newly created volume on a newly created pool, and docs are corrupt on the backups too. It is a Netware 6.5 sp7 box, and we are using Galaxy for backup. Has anyone else seen something like this?

Thanks

--------------------------------------------------
Patrick Schmidt
Millard Public Schools
Network Support Specialist
(402)715-6278
peschmid at mpsomaha.org
---------------------------------------------------
From ahidalgo at salud.unm.edu Mon Dec 8 19:35:58 2008
From: ahidalgo at salud.unm.edu (Al Hidalgo)
Date: Mon, 08 Dec 2008 12:35:58 -0700
Subject: grub issues w/SLES 10 on Dell server
In-Reply-To: <493D04F2.4770.0087.0@salud.unm.edu>
References: <493CEADD.4770.0087.0@salud.unm.edu> <493D0FF60200007500038683@inet.eastcobbgroup.com> <493D04F2.4770.0087.0@salud.unm.edu>
Message-ID: <493D14A5.4770.0087.0@salud.unm.edu>

That worked! I created a separate 300MB /boot partition and that fixed the issue.

Al

>>> On 12/8/2008 at 11:29 AM, "Al Hidalgo" wrote:
No, at first I just accepted the defaults, then I tried a few custom setups. The raid does have a couple of tera bytes though.

Al

>>> On 12/08/08 at 10:15 AM, "James Taylor" wrote:
Are you creating a separate /boot partition? I would expect that there could be problem if boot is in a large / partition.

-jt

James Taylor
The East Cobb Group, Inc.
678-697-9420
james.taylor at eastcobbgroup.com
http://www.eastcobbgroup.com

>>> "Al Hidalgo" 12/8/2008 11:37 AM >>>
I have a brand new Dell 2950 with a Perc 6 RAID controller and raid 5 configured that I am trying to get SLES 10 loaded.
Towards the end of the install where it's trying to write the boot loader I get a Grub error 18 saying the Selected cylinder exceeds maximum supported by BIOS. I have installed several times trying different setups and every time I get the same error but I can use LILO instead and it works fine but I don't want to use lilo. Anyone ever seen this? I've never had problems with SLES 10 loading on modern Dell servers before.

Thanks,
Al

Al Hidalgo
Enterprise Systems Support Analyst
Information Technology
University Hospitals/UNM Health Sciences Center
ahidalgo at salud.unm.edu

From cmangiarelli at gmail.com Mon Dec 8 19:42:58 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Mon, 8 Dec 2008 14:42:58 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To: <493D7639.1050703@oucs.ox.ac.uk>
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk> <4937C9D3.2050206@cam.ac.uk> <493D7639.1050703@oucs.ox.ac.uk>
Message-ID:

Well, I was going along with Novell's published documentation (admittedly for EVMS which I didn't want to use - http://www.novell.com/documentation/oes2/inst_oes_lx/index.html?page=/documentation/oes2/inst_oes_lx/data/bu4x508.html), but Novell recommends a 300MB boot and a 1GB swap. Since I have relative oodles of space, I'd rather not skimp and regret it later when I can't easily change partitioning schemes.

In the past, we've split /var and /opt to avoid the / from filling to capacity with a rogue application (not common) or a logging issue (very common).
For example, we didn't split /var/log off our esx hosts and the logs filled the / and killed the HA of the host. So, I thought using LVM2 would help but maybe I'm wrong. Maybe I'll just use a flat partitioning scheme and keep /var aside as I've seen that have problems in the past in my environment. On Mon, Dec 8, 2008 at 2:32 PM, jrd wrote: > Christopher Mangiarelli wrote: > >> I'm just about to install the software on the server and have to decide >> how >> to partition it properly. I have two raid arrays (280GB mirrored and >> ~900GB >> raid5). Since NSS is not in the servers future, I want to have LVM2 >> available in case file system re-allocation is necessary. >> >> The ~900GB array is for ifolder data only so I figured that will be a LVM2 >> container and EXT3 filesystem mapped into the / somewhere once the server >> is >> online. Should LVM2 even be used on this single raid device? I could >> forsee a potential to add another drive and have the raid controller >> expand >> the array so then I could forsee a need to expand the filesystem to use >> that >> new space. >> >> The 280GB array is for the OS and some test ifolder space. I was thinking >> of doing: >> /boot @ 300MB >> LVM2 container for the rest: >> - 1 GB swap >> - 35 GB / >> - 20 GB /opt >> - 20 GB /var >> - ~200 GB for test iFolder space to be mapped into the / >> later. >> >> Or would a more simpler scheme be best? >> /boot @ 300MB >> LVM2 container for the rest: >> - 1 GB swap >> - 75 GB / >> - ~200 GB for test iFolder space to be mapped into the / >> later. >> >> I understand it's pretty much required to have /boot outside LVM, but is >> it >> mostly safe to place the rest inside? Should /tmp be a separate partition >> from /? >> >> > --------- > A couple of comments. > /boot needs under 24MB (look at an existing server to see this) > and a monster swap is generally overkill > Why bother with a volume manager in the first place? 
>
> I cannot see why you wish to split /var and /opt in the first example.
>
> My operating philosophy: give the o/s enough room to expand, but put all user material and other valuables in other partitions/file systems. This keeps the o/s proper nicely confined to /boot, swap, /, nothing is huge, and all the other areas are mounted into this. The root partition (/) need not be particularly large, 5GB will hold everything at the start so give it more space than that but not the world. Keep all this very simple, avoid complexity (LVM2), don't add partitions without being forced into it.
> Joe D.
>

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From joea at j4computers.com Mon Dec 8 19:53:56 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 08 Dec 2008 14:53:56 -0500
Subject: OES linux time drifts into the future.
Message-ID: <493D3501020000850005F10C@FS-LIN-OES>

>>>> "joea at j4computers.com" 12/06/08 12:31 PM >>>
>>. . . For Joe A.'s benefit, some hardware is just plain weird and not worth using for such work. Having to turn off acpi support is a sign of this, but not proof positive.
>> Joe D.
>
>Using a Dell PE 2400. To some on the list, that qualifies as "weird", right there.
>
>I may try turning off acpi on the guest. The host seems to keep time just fine. As does the NW6.5 VM.
>
>Right now, I am making do by restarting xntpd via cron, every two minutes. That seems to keep timesync happy. Was not able to get time to actually reset, any other way, such as using ntpq or ntpd and options.
>
>joe a.

Even this does not seem to keep timesync happy 100% of the time. Sigh.

Regarding this guest being odd. The only thing I can attest to, at this time, is that cron did not seem to work properly. I could do a crontab -e to try various things that worked fine on command line, yet, either did not work, or did not run at all, via cron. Manually killing cron and restarting seems to have solved that.
But I have not rebooted since then.

Oh, there is another oddity. I have several simple scripts, to start GroupWise agents (with --show), which work fine when invoked from command line. I put these in /etc/scripts and have them ln'd in /etc/init.d/rc3.d and /etc/init.d/rc5.d, as S91blah S92blah, which should work just fine. Don't seem to run on startup. I do have an S90startvnc, in there, and that runs fine on startup. Yet, I can say /etc/init.d/rc5.d/S9blah and they work fine.

It might be worth copying off my data and reinstalling the base OS. I guess.

joe a.

From petervl at gmail.com Mon Dec 8 21:23:10 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Mon, 8 Dec 2008 15:23:10 -0600
Subject: Netware Backup options
Message-ID: <68b791330812081323p5fdd525er804c33bc8af95b74@mail.gmail.com>

a few weeks ago, someone posted a link to a (heretofore unheard of by me) backup program that runs on Netware as well as win/lin.

Apparently my search skills are as weak today as my memory often is in general, because I can neither locate that link nor remember the name of the company ...

anyone (other than probably everyone) have better recall than I?

Peter

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln
http://www.the-brights.net
http://xkcd.com/167

From bbrush at gmail.com Mon Dec 8 21:25:07 2008
From: bbrush at gmail.com (Bill Brush)
Date: Mon, 8 Dec 2008 15:25:07 -0600
Subject: Netware Backup options
In-Reply-To: <68b791330812081323p5fdd525er804c33bc8af95b74@mail.gmail.com>
References: <68b791330812081323p5fdd525er804c33bc8af95b74@mail.gmail.com>
Message-ID: <167f4090812081325s33f30760gdac7a85eac08625c@mail.gmail.com>

Is this what you're remembering: http://sepsoftware.com/ ?

Bill

(Gmail search ftw!)

On Mon, Dec 8, 2008 at 3:23 PM, Peter Van Lone wrote:
> a few weeks ago, someone posted a link to a (heretofore unheard of by me) backup program that runs on Netware as well as win/lin.
>
> Apparently my search skills are as weak today as my memory often is in general, because I can neither locate that link nor remember the name of the company ...
>
> anyone (other than probably everyone) have better recall than I?

From Hatchellb at vvc.edu Mon Dec 8 21:26:12 2008
From: Hatchellb at vvc.edu (Brian Hatchell)
Date: Mon, 08 Dec 2008 13:26:12 -0800
Subject: Netware Backup options
In-Reply-To: <68b791330812081323p5fdd525er804c33bc8af95b74@mail.gmail.com>
References: <68b791330812081323p5fdd525er804c33bc8af95b74@mail.gmail.com>
Message-ID: <493D207F.2FC1.0024.1@vvc.edu>

Folks:

Anyone else having trouble with ZCM 10 services stopping weekly on SLES?

Brian Hatchell
Network Manager
Victor Valley College
760 245-4271 x2792

"A good plan, violently executed now, is better than a perfect plan next week." - General George S. Patton

Check my Blog at http://gwcal.vvc.edu/mplusextranet/scp.dll/blog?user=hatchellb

>>> On 12/8/2008 at 1:23 PM, in message <68b791330812081323p5fdd525er804c33bc8af95b74 at mail.gmail.com>, "Peter Van Lone" wrote:
a few weeks ago, someone posted a link to a (heretofore unheard of by me) backup program that runs on Netware as well as win/lin.

Apparently my search skills are as weak today as my memory often is in general, because I can neither locate that link nor remember the name of the company ...

anyone (other than probably everyone) have better recall than I?

Peter

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln
http://www.the-brights.net
http://xkcd.com/167

From petervl at gmail.com Mon Dec 8 21:30:09 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Mon, 8 Dec 2008 15:30:09 -0600
Subject: Netware Backup options
In-Reply-To: <167f4090812081325s33f30760gdac7a85eac08625c@mail.gmail.com>
References: <68b791330812081323p5fdd525er804c33bc8af95b74@mail.gmail.com> <167f4090812081325s33f30760gdac7a85eac08625c@mail.gmail.com>
Message-ID: <68b791330812081330t327efaa7ha46e15e2eb6311a7@mail.gmail.com>

by gosh Bill, I think that is the beast! Thnx!

-- and in answer to Darryl -- yes, I am looking for the same reason. Should be interesting to see how this plays out, in these tiny nets that have only one (NW) server, and no option or desire to add a windows backup server ...

P

On Mon, Dec 8, 2008 at 3:25 PM, Bill Brush wrote:
> Is this what you're remembering: http://sepsoftware.com/ ?
>
> Bill
>
> (Gmail search ftw!)
>
> On Mon, Dec 8, 2008 at 3:23 PM, Peter Van Lone wrote:
>> a few weeks ago, someone posted a link to a (heretofore unheard of by me) backup program that runs on Netware as well as win/lin.
>>
>> Apparently my search skills are as weak today as my memory often is in general, because I can neither locate that link nor remember the name of the company ...
>>
>> anyone (other than probably everyone) have better recall than I?
>

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln
http://www.the-brights.net
http://xkcd.com/167

From petervl at gmail.com Mon Dec 8 23:35:07 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Mon, 8 Dec 2008 17:35:07 -0600
Subject: SLES time in VMware
In-Reply-To: <493CBD3E020000850005F0DE@FS-LIN-OES>
References: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> <493CBD3E020000850005F0DE@FS-LIN-OES>
Message-ID: <68b791330812081535jeaa5622vab2a97fc158c9d91@mail.gmail.com>

huh -- putting clock=pmtmr in the kernel line in menu.lst caused a kernel panic on reboot.

I had to go into safe mode and edit out the change.

???

On Mon, Dec 8, 2008 at 5:22 AM, joea at j4computers.com wrote:
> . . .
>> I find myself wondering: is changing the kernel going to break anything, or cause some software to have updated libraries, or should this be pretty transparent to installed software?
>>
>> Also, looking at the instructions for adjusting time-keeping parameters when not on 3.5 update2, it suggests editing /boot/grub/grub.conf which does not exist. Should I simply put the clock=pmtmr option in the kernel line in menu.lst?
>>
>
> That's where I have put it.
>
> joe a.
>

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln
http://www.the-brights.net
http://xkcd.com/167

From joea at j4computers.com Tue Dec 9 02:49:40 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Mon, 08 Dec 2008 21:49:40 -0500
Subject: SLES time in VMware
In-Reply-To: <68b791330812081535jeaa5622vab2a97fc158c9d91@mail.gmail.com>
References: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> <493CBD3E020000850005F0DE@FS-LIN-OES> <68b791330812081535jeaa5622vab2a97fc158c9d91@mail.gmail.com>
Message-ID: <493D9674020000850005F128@FS-LIN-OES>

>>> On 12/8/2008 at 6:35 PM, "Peter Van Lone" wrote:
> huh -- putting clock=pmtmr in the kernel line in menu.lst caused a kernel panic on reboot.
>
> I had to go into safe mode and edit out the change.
>
> ???
>

I just checked an oes1 setup and that's where it is. maybe a kernel difference. ?

joe a.

From Rpd at co.mason.wa.us Tue Dec 9 06:08:43 2008
From: Rpd at co.mason.wa.us (Bob Deans)
Date: Mon, 08 Dec 2008 22:08:43 -0800
Subject: Netware Backup options
In-Reply-To: <68b791330812081323p5fdd525er804c33bc8af95b74@mail.gmail.com>
References: <68b791330812081323p5fdd525er804c33bc8af95b74@mail.gmail.com>
Message-ID: <493D9AE4.6CD7.0020.0@co.mason.wa.us>

You can download this software and try it free for 30 days. It backs up nss rights on netware and oes netware.

http://www.sepusa.com/

I am testing it now.

Robert Deans
MCSE, CNE, CCENT, SECURITY+, Server+ LINUX+, NETWORK+, A+
IS Manager
Mason County Washington
360-427-5503

>>> "Peter Van Lone" 12/8/2008 1:23 PM >>>
a few weeks ago, someone posted a link to a (heretofore unheard of by me) backup program that runs on Netware as well as win/lin.

Apparently my search skills are as weak today as my memory often is in general, because I can neither locate that link nor remember the name of the company ...

anyone (other than probably everyone) have better recall than I?

Peter

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln
http://www.the-brights.net
http://xkcd.com/167

From joe.doupnik at oucs.ox.ac.uk Tue Dec 9 09:03:48 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Tue, 09 Dec 2008 09:03:48 +0000
Subject: SLES time in VMware
In-Reply-To: <493D9674020000850005F128@FS-LIN-OES>
References: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> <493CBD3E020000850005F0DE@FS-LIN-OES> <68b791330812081535jeaa5622vab2a97fc158c9d91@mail.gmail.com> <493D9674020000850005F128@FS-LIN-OES>
Message-ID: <493E3474.4080403@oucs.ox.ac.uk>

joea at j4computers.com wrote:
>>>> On 12/8/2008 at 6:35 PM, "Peter Van Lone" wrote:
>> huh -- putting clock=pmtmr in the kernel line in menu.lst caused a kernel panic on reboot.
>>
>> I had to go into safe mode and edit out the change.
>>
>> ???
>>
>
> I just checked an oes1 setup and that's where it is. maybe a kernel difference. ?
>
> joe a.
-----------
Likely hardware differences rather than kernel stuff. The selection of choice is clock=pit which is the lowest common denominator. Even VMware suggests this.
Joe D.

From Steven.Aitken at nds8.co.uk Tue Dec 9 11:43:44 2008
From: Steven.Aitken at nds8.co.uk (Steven Aitken)
Date: Tue, 09 Dec 2008 11:43:44 +0000
Subject: SLES time in VMware
In-Reply-To: <493E59F00200000700014C98@mail2.nds8.com>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com>
Message-ID: <493E59F00200000700014C98@mail2.nds8.com>

There is a vmware knowledge base article that describes the best practices for linux timekeeping. Article number 1006427 will show you the recommended kernel lines for each distribution.

Note that the redhat kernels include a divider line to reduce the standard 1000hz system timer back to 100hz.
Not something that suse have included as yet, but in their defence they are the only distro to have a paravirtualised VMI kernel running on esx 3.5

Also note that the acpi_pm and pmtmr lines are synonymous - pmtmr "should be" depreciated....

Steve

-----Original Message-----
From: Joe Doupnik
To: Novell LAN Interest Group
Sent: 09/12/2008 09:03:48
Subject: Re: SLES time in VMware

joea at j4computers.com wrote:
>>>> On 12/8/2008 at 6:35 PM, "Peter Van Lone" wrote:
>> huh -- putting clock=pmtmr in the kernel line in menu.lst caused a kernel panic on reboot.
>>
>> I had to go into safe mode and edit out the change.
>>
>> ???
>>
>
> I just checked an oes1 setup and that's where it is. maybe a kernel difference. ?
>
> joe a.
-----------
Likely hardware differences rather than kernel stuff. The selection of choice is clock=pit which is the lowest common denominator. Even VMware suggests this.
Joe D.

From petervl at gmail.com Tue Dec 9 13:11:26 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 07:11:26 -0600
Subject: SLES time in VMware
In-Reply-To: <493E3474.4080403@oucs.ox.ac.uk>
References: <68b791330812072205k75281a3fs7c1608f641413cea@mail.gmail.com> <493CBD3E020000850005F0DE@FS-LIN-OES> <68b791330812081535jeaa5622vab2a97fc158c9d91@mail.gmail.com> <493D9674020000850005F128@FS-LIN-OES> <493E3474.4080403@oucs.ox.ac.uk>
Message-ID: <68b791330812090511g1e7f5379m15432e62666f772b@mail.gmail.com>

On Tue, Dec 9, 2008 at 3:03 AM, Joe Doupnik wrote:
>> I just checked an oes1 setup and that's where it is. maybe a kernel difference. ?

I dunno -- perhaps I just fat-fingered it, or something?

>> joe a.
>
> -----------
> Likely hardware differences rather than kernel stuff. The selection of choice is clock=pit which is the lowest common denominator. Even VMware suggests this.
> Joe D.

if you check the links that I provided in the first post, you would see that VMware in fact suggests the clock=pmtmr parameter, not clock=pit

However, that is for SLES before sp2 -- sp2 is "recommended" and the suggestion is to use the VMI kernel. Perhaps the pmtmr parameter is somehow, now, incompatible?

P

From petervl at gmail.com Tue Dec 9 13:16:18 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 07:16:18 -0600
Subject: SLES time in VMware
In-Reply-To: <493E59F00200000700014C98@mail2.nds8.com>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com>
Message-ID: <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com>

On Tue, Dec 9, 2008 at 5:43 AM, Steven Aitken wrote:
> There is a vmware knowledge base article that describes the best practices for linux timekeeping. Article number 1006427 will show you the recommended kernel lines for each distribution.

yes, this

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1006427&sliceId=1&docTypeID=DT_KB_1_1&dialogID=8830762&stateId=1%200%208834491

is the KB version of the whitepaper I linked to originally.

> Note that the redhat kernels include a divider line to reduce the standard 1000hz system timer back to 100hz. Not something that suse have included as yet, but in their defence they are the only distro to have a paravirtualised VMI kernel running on esx 3.5
>
> Also note that the acpi_pm and pmtmr lines are synonymous - pmtmr "should be" depreciated....

Where have you seen that acpi_pm is synonymous with pmtmr?

Peter

From petervl at gmail.com Tue Dec 9 13:46:19 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 07:46:19 -0600
Subject: SLES time in VMware
In-Reply-To: <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com> <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com>
Message-ID: <68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com>

I notice that TIDs suggest using an NTP server's IP address, in NTP.CONF

I have always thought that a DNS name was better? Can I use, for example, ntp1.cs.wisc.edu (the server I often use with Netware for :123 time)? Or, what about using 0.us.pool.ntp.org instead of an ip address?

Peter

On Tue, Dec 9, 2008 at 7:16 AM, Peter Van Lone wrote:
> On Tue, Dec 9, 2008 at 5:43 AM, Steven Aitken wrote:
>> There is a vmware knowledge base article that describes the best practices for linux timekeeping. Article number 1006427 will show you the recommended kernel lines for each distribution.
>
> yes, this
>
> http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1006427&sliceId=1&docTypeID=DT_KB_1_1&dialogID=8830762&stateId=1%200%208834491
>
> is the KB version of the whitepaper I linked to originally.
>
>> Note that the redhat kernels include a divider line to reduce the standard 1000hz system timer back to 100hz. Not something that suse have included as yet, but in their defence they are the only distro to have a paravirtualised VMI kernel running on esx 3.5
>>
>> Also note that the acpi_pm and pmtmr lines are synonymous - pmtmr "should be" depreciated....
>
> Where have you seen that acpi_pm is synonymous with pmtmr?
>
> Peter
>

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln
http://www.the-brights.net
http://xkcd.com/167

From joe.doupnik at oucs.ox.ac.uk Tue Dec 9 13:49:01 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Tue, 09 Dec 2008 13:49:01 +0000
Subject: SLES time in VMware
In-Reply-To: <68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com> <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com> <68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com>
Message-ID: <493E774D.6070403@oucs.ox.ac.uk>

Peter Van Lone wrote:
> I notice that TIDs suggest using an NTP server's IP address, in NTP.CONF
>
> I have always thought that a DNS name was better? Can I use, for example, ntp1.cs.wisc.edu (the server I often use with Netware for :123 time)? Or, what about using 0.us.pool.ntp.org instead of an ip address?
>
> Peter
-----------
IP names work fine, provided the DNS server is working correctly.
Joe D.

From petervl at gmail.com Tue Dec 9 13:56:54 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 07:56:54 -0600
Subject: SLES time in VMware
In-Reply-To: <493E774D.6070403@oucs.ox.ac.uk>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com> <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com> <68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com> <493E774D.6070403@oucs.ox.ac.uk>
Message-ID: <68b791330812090556v48c818d0k64f89c477903320d@mail.gmail.com>

On Tue, Dec 9, 2008 at 7:49 AM, Joe Doupnik wrote:
> -----------
> IP names work fine, provided the DNS server is working correctly.

excellent, thank you.

Now, I'm trying to make sense of the recommendation in this tid:

http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3858673&sliceId=1&docTypeID=DT_TID_1_1&dialogID=16038099&stateId=1%200%2016036285

where it says that after setting NTP values, one should "Wait for this server to show a reach of 377 by typing:
ntpq -p
(This may take 15-20 minutes.)"

What does "reach" mean, and why would I want it to be 377 in particular? Below is the output of ntpq -p on my server:

server1:/etc # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 caesar.cs.wisc. 128.105.201.11   2 u   60   64   17   53.261  -17708. 12636.0

It seems that as the reach value goes up, so does the offset -- is not a larger offset a bad thing?

Peter

From petervl at gmail.com Tue Dec 9 13:58:05 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 07:58:05 -0600
Subject: SLES time in VMware
In-Reply-To: <68b791330812090556v48c818d0k64f89c477903320d@mail.gmail.com>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com> <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com> <68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com> <493E774D.6070403@oucs.ox.ac.uk> <68b791330812090556v48c818d0k64f89c477903320d@mail.gmail.com>
Message-ID: <68b791330812090558i9b74e0k65ed428d9fb48c43@mail.gmail.com>

now, the "reach" has reached the magical 377:

rp-estore1:/etc # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 caesar.cs.wisc. 128.105.201.11   2 u   61   64  377   10.131  -47716. 26687.5

But look at offset -- should I be worried?

P

On Tue, Dec 9, 2008 at 7:56 AM, Peter Van Lone wrote:
> On Tue, Dec 9, 2008 at 7:49 AM, Joe Doupnik wrote:
>> -----------
>> IP names work fine, provided the DNS server is working correctly.
>
> excellent, thank you.
>
> Now, I'm trying to make sense of the recommendation in this tid:
>
> http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3858673&sliceId=1&docTypeID=DT_TID_1_1&dialogID=16038099&stateId=1%200%2016036285
>
> where it says that after setting NTP values, one should "Wait for this server to show a reach of 377 by typing:
> ntpq -p
> (This may take 15-20 minutes.)"
>
> What does "reach" mean, and why would I want it to be 377 in particular? Below is the output of ntpq -p on my server:
>
> server1:/etc # ntpq -p
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  caesar.cs.wisc. 128.105.201.11   2 u   60   64   17   53.261  -17708.
12636.0
>
> It seems that as the reach value goes up, so does the offset -- is not a larger offset a bad thing?
>
> Peter
>

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln
http://www.the-brights.net
http://xkcd.com/167

From joe.doupnik at oucs.ox.ac.uk Tue Dec 9 15:31:51 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik)
Date: Tue, 09 Dec 2008 15:31:51 +0000
Subject: SLES time in VMware
In-Reply-To: <68b791330812090558i9b74e0k65ed428d9fb48c43@mail.gmail.com>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com> <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com> <68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com> <493E774D.6070403@oucs.ox.ac.uk> <68b791330812090556v48c818d0k64f89c477903320d@mail.gmail.com> <68b791330812090558i9b74e0k65ed428d9fb48c43@mail.gmail.com>
Message-ID: <493E8F67.9030700@oucs.ox.ac.uk>

Peter Van Lone wrote:
> now, the "reach" has reached the magical 377:
>
> rp-estore1:/etc # ntpq -p
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  caesar.cs.wisc. 128.105.201.11   2 u   61   64  377   10.131  -47716. 26687.5
>
>
> But look at offset -- should I be worried?
>
> P
>
> On Tue, Dec 9, 2008 at 7:56 AM, Peter Van Lone wrote:
>> On Tue, Dec 9, 2008 at 7:49 AM, Joe Doupnik wrote:
>>> -----------
>>> IP names work fine, provided the DNS server is working correctly.
>> excellent, thank you.
>>
>> Now, I'm trying to make sense of the recommendation in this tid:
>>
>> http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3858673&sliceId=1&docTypeID=DT_TID_1_1&dialogID=16038099&stateId=1%200%2016036285
>>
>> where it says that after setting NTP values, one should "Wait for this server to show a reach of 377 by typing:
>> ntpq -p
>> (This may take 15-20 minutes.)"
>>
>> What does "reach" mean, and why would I want it to be 377 in particular? Below is the output of ntpq -p on my server:
>>
>> server1:/etc # ntpq -p
>>      remote           refid      st t when poll reach   delay   offset  jitter
>> ==============================================================================
>>  caesar.cs.wisc. 128.105.201.11   2 u   60   64   17   53.261  -17708. 12636.0
>>
>> It seems that as the reach value goes up, so does the offset -- is not a larger offset a bad thing?
>>
>> Peter
--------------
Peter and the group,
Decoding the above for you.
st is stratum of the time giver, smaller is better
when is how many seconds have elapsed since last sample
poll is seconds between polls, minimum
reach is (octal) bits representing successful time exchanges, 377 is eight (11 111 111) in a row
Delay, offset, jitter are measured in milliseconds
delay is the propagation delay from it to us
offset is their time MINUS our time
jitter is a running average of the scatter in time, including time rate errors proper

Your data shows an offset of 17 seconds, very very far off, and the huge jitter reflects both a large rate error and noise. The old xntpd.nlm code will show a large jitter at first which shrinks by halves as each successful time exchange occurs. Modern ntp (version 4.x rather than 3.5) shows the proper jitter.

If I may, can I refer readers to one of my ancient presentations on the subject: file jdp400.ppt in subdir bsuk2001 on http://netlab1.oucs.ox.ac.uk/

Overall, this particular machine is having a heck of a time trying to synchronize time.
Joe D.
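
The field decoding in the message above, applied to the ntpq -p lines quoted in this thread: reach is expanded from octal into an eight-poll history, and offset is read as milliseconds of server time minus local time. This is an added example, not code from the list or from the ntp project; the function names and the use of ntpd's default 128 ms step threshold as the alarm level are assumptions of the example, and input is assumed to keep ntpq's column layout (tally character in column 0).

```python
from dataclasses import dataclass

# Peer lines copied from the ntpq -p output quoted in this thread.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 caesar.cs.wisc. 128.105.201.11   2 u   60   64   17   53.261  -17708. 12636.0
 caesar.cs.wisc. 128.105.201.11   2 u   61   64  377   10.131  -47716. 26687.5
 caesar.cs.wisc. 128.105.201.11   2 u   30   64   17    4.704   38.981  35.476
"""

STEP_THRESHOLD_MS = 128.0   # assumption: ntpd's default step threshold as alarm level
MAX_SLEW_PPM = 500.0        # ntpd's maximum slew rate


@dataclass
class Peer:
    tally: str          # column 0: '*' selected peer, '+' candidate, ' ' none, ...
    remote: str
    stratum: int
    poll_s: int
    reach: list         # last eight polls, oldest first; True = reply received
    delay_ms: float
    offset_ms: float    # server time minus local time
    jitter_ms: float


def reach_history(reach_octal):
    """Expand the octal reach register into eight booleans, oldest poll first."""
    value = int(reach_octal, 8) & 0xFF
    return [bool((value >> bit) & 1) for bit in range(7, -1, -1)]


def parse_peers(text):
    """Parse ntpq -p output; title and ruler lines are skipped."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10:
            continue
        try:
            peer = Peer(
                tally=line[0],
                remote=fields[0] if line[0] == " " else fields[0][1:],
                stratum=int(fields[2]),
                poll_s=int(fields[5]),
                reach=reach_history(fields[6]),
                delay_ms=float(fields[7]),
                offset_ms=float(fields[8]),
                jitter_ms=float(fields[9]),
            )
        except ValueError:      # the column-title line lands here
            continue
        peers.append(peer)
    return peers


def assess(peer):
    """Return plain-language findings for one peer line."""
    findings = []
    answered = sum(peer.reach)
    if answered < 8:
        findings.append(f"{answered}/8 recent polls answered")
    if abs(peer.offset_ms) > STEP_THRESHOLD_MS:
        # Negative offset: the server is behind us, so the local clock runs ahead.
        side = "ahead of" if peer.offset_ms < 0 else "behind"
        findings.append(
            f"local clock {abs(peer.offset_ms) / 1000:.3f} s {side} {peer.remote}")
    return findings


def min_slew_seconds(offset_ms):
    """Shortest time to absorb an offset by slewing alone at MAX_SLEW_PPM."""
    return abs(offset_ms) * 1000.0 / MAX_SLEW_PPM


if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(p.remote, "reach bits:", "".join("1" if b else "0" for b in p.reach))
        for finding in assess(p):
            print("   ", finding)
```

A reach of 377 only says the last eight polls were answered; the second sample line has full reach and is still more than 47 seconds off.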

From petervl at gmail.com Tue Dec 9 15:51:18 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 09:51:18 -0600
Subject: SLES time in VMware
In-Reply-To: <493E8F67.9030700@oucs.ox.ac.uk>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com> <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com> <68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com> <493E774D.6070403@oucs.ox.ac.uk> <68b791330812090556v48c818d0k64f89c477903320d@mail.gmail.com> <68b791330812090558i9b74e0k65ed428d9fb48c43@mail.gmail.com> <493E8F67.9030700@oucs.ox.ac.uk>
Message-ID: <68b791330812090751j254dfd4v3d3d17c89ee04b6@mail.gmail.com>

thank you Joe, that was very helpful.

So, does an offset of 23.990 mean our server is nearly 24 seconds ahead of the NTP server time?

after adding (successfully this time) pmtmr and noapic to menu.lst, things look a little better:

rp-estore1:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 caesar.cs.wisc. 128.105.201.11   2 u   30   64   17    4.704   38.981  35.476
rp-estore1:~ #

reach is only 17 in the example above, but the offset is better (38.981) and not growing nearly as fast as before. Am I correct in thinking that this looks better?

Peter

On Tue, Dec 9, 2008 at 9:31 AM, Joe R. Doupnik wrote:
> Peter Van Lone wrote:
>>
>> now, the "reach" has reached the magical 377:
>>
>> rp-estore1:/etc # ntpq -p
>>      remote           refid      st t when poll reach   delay   offset  jitter
>> ==============================================================================
>>  caesar.cs.wisc. 128.105.201.11   2 u   61   64  377   10.131  -47716. 26687.5
>>
>>
>> But look at offset -- should I be worried?
>>
>> P
>>
>> On Tue, Dec 9, 2008 at 7:56 AM, Peter Van Lone wrote:
>>>
>>> On Tue, Dec 9, 2008 at 7:49 AM, Joe Doupnik wrote:
>>>>
>>>> -----------
>>>> IP names work fine, provided the DNS server is working correctly.
>>>
>>> excellent, thank you.
>>>
>>> Now, I'm trying to make sense of the recommendation in this tid:
>>>
>>>
>>> http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3858673&sliceId=1&docTypeID=DT_TID_1_1&dialogID=16038099&stateId=1%200%2016036285
>>>
>>> where it says that after setting NTP values, one should "Wait for this server to show a reach of 377 by typing:
>>> ntpq -p
>>> (This may take 15-20 minutes.)"
>>>
>>> What does "reach" mean, and why would I want it to be 377 in particular? Below is the output of ntpq -p on my server:
>>>
>>> server1:/etc # ntpq -p
>>>      remote           refid      st t when poll reach   delay   offset  jitter
>>> ==============================================================================
>>>  caesar.cs.wisc. 128.105.201.11   2 u   60   64   17   53.261  -17708. 12636.0
>>>
>>> It seems that as the reach value goes up, so does the offset -- is not a larger offset a bad thing?
>>>
>>> Peter
>
> --------------
> Peter and the group,
> Decoding the above for you.
> st is stratum of the time giver, smaller is better
> when is how many seconds have elapsed since last sample
> poll is seconds between polls, minimum
> reach is (octal) bits representing successful time exchanges, 377 is eight (11 111 111) in a row
> Delay, offset, jitter are measured in milliseconds
> delay is the propagation delay from it to us
> offset is their time MINUS our time
> jitter is a running average of the scatter in time, including time rate errors proper
>
> Your data shows an offset of 17 seconds, very very far off, and the huge jitter reflects both a large rate error and noise. The old xntpd.nlm code will show a large jitter at first which shrinks by halves as each successful time exchange occurs. Modern ntp (version 4.x rather than 3.5) shows the proper jitter.
>
> If I may, can I refer readers to one of my ancient presentations on the subject: file jdp400.ppt in subdir bsuk2001 on http://netlab1.oucs.ox.ac.uk/
> Overall, this particular machine is having a heck of a time trying to synchronize time.
> Joe D.
>

--
When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln
http://www.the-brights.net
http://xkcd.com/167

From joe.doupnik at oucs.ox.ac.uk Tue Dec 9 16:09:42 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik)
Date: Tue, 09 Dec 2008 16:09:42 +0000
Subject: SLES time in VMware
In-Reply-To: <68b791330812090751j254dfd4v3d3d17c89ee04b6@mail.gmail.com>
References: <493E59F00200000700014C95@mail2.nds8.com> <493E59F00200000700014C98@mail2.nds8.com> <68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com> <68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com> <493E774D.6070403@oucs.ox.ac.uk> <68b791330812090556v48c818d0k64f89c477903320d@mail.gmail.com> <68b791330812090558i9b74e0k65ed428d9fb48c43@mail.gmail.com> <493E8F67.9030700@oucs.ox.ac.uk> <68b791330812090751j254dfd4v3d3d17c89ee04b6@mail.gmail.com>
Message-ID: <493E9846.2090205@oucs.ox.ac.uk>

Peter Van Lone wrote:
> thank you Joe, that was very helpful.
>
> So, does an offset of 23.990 mean our server is nearly 24 seconds ahead of the NTP server time?
----------
NTPQ values are in millisec, not seconds. 23.990 is about 24/1000's of a second.
Here is my Win XP desktop as I type this message:

ntpq> lpeer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ntp0.cis.strath 193.62.22.74     2 u   67  256  377   14.066   -1.125   0.070
-dns0.rmplc.co.u 131.188.3.221    2 u   73  256  375    6.186   -2.248   0.186
+calx.pulsewidth 195.66.241.3     2 u   72  256  377    3.991   -0.325   0.039
-83.149.71.64    193.67.79.202    2 u   48  256  377   11.646   -0.256   0.069
*ams1.x31.com    193.79.237.14    2 u  109  256  377   10.375   -1.129   0.069
ntpq>

Keep in mind that offset is a time Difference and not a time Rate.
Offset is gradually absorbed by NTP to make our ticks occur on top of
the other guy's tocks, even if they are going at the same rate. The max
slew rate to do this is 500 parts per million: half a millisecond per
second. Go figure how long it will take at the very quickest to absorb
by slewing a 24 second offset. Offset is Them MINUS Us.
The answer is 48000 seconds, longer in real life. It is a rendezvous
problem, a la shuttle + ISS.
Jitter is noise plus clock Rate error, absolute valued. Big jitter
means big trouble, rate errors result in perpetual trouble.
Joe D.

From joe.doupnik at oucs.ox.ac.uk Tue Dec 9 17:50:25 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Tue, 09 Dec 2008 17:50:25 +0000
Subject: SLES time in VMware
In-Reply-To: <493E9846.2090205@oucs.ox.ac.uk>
References: <493E59F00200000700014C95@mail2.nds8.com>
	<493E59F00200000700014C98@mail2.nds8.com>
	<68b791330812090516j607d6653x4b1b5a04c0a29bd4@mail.gmail.com>
	<68b791330812090546n2d7573cdsa39df3ed53f19534@mail.gmail.com>
	<493E774D.6070403@oucs.ox.ac.uk>
	<68b791330812090556v48c818d0k64f89c477903320d@mail.gmail.com>
	<68b791330812090558i9b74e0k65ed428d9fb48c43@mail.gmail.com>
	<493E8F67.9030700@oucs.ox.ac.uk>
	<68b791330812090751j254dfd4v3d3d17c89ee04b6@mail.gmail.com>
	<493E9846.2090205@oucs.ox.ac.uk>
Message-ID: <493EAFE1.8000404@oucs.ox.ac.uk>

Joe R. Doupnik wrote:
> Peter Van Lone wrote:
>> thank you Joe, that was very helpful.
>>
>> So, does an offset of 23.990 mean our server is nearly 24 seconds
>> ahead of the NTP server time?
> ----------
Reading this again, perhaps I misinterpreted your intent. Might this
have resulted from notational convention, dot versus comma as numeric
field separators? If so the likely default is to assume American form
as the software originated there.
Joe D.

From petervl at gmail.com Tue Dec 9 19:34:59 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 13:34:59 -0600
Subject: SCMT - and tsa600 version
Message-ID: <68b791330812091134j203d952cw84508e6c7778c2e6@mail.gmail.com>

hmph!

I just installed a new server (nw6.5 sp7) in a single server tree. The
old server is NW6.0 sp2.

All is good ... but, now trying to use the SCMT to migrate files from
old to new. It says it is copying newer versions of files (tsa*, smdr,
etc ...) over to the old server. I have reloaded all parts (smsstop
and start) HOWEVER:

when I try to migrate, it says the TSA600 version is 6.002 and should
be 6.005. It also says it has copied it over, and all I have to do is
unload/reload. But -- wait -- the SCMT tool does not even HAVE a
TSA600 file to copy.

So -- I assume this is because a NW 6 server is supposed to be SP5 --
is there any way to get TSA600 short of a long download of SP5?

P

-- 
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From petervl at gmail.com Tue Dec 9 19:47:58 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 13:47:58 -0600
Subject: does NOWS include a license to use SLES?
Message-ID: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>

I could have sworn that I remember a Novell rep talk about this, and
that with current maintenance on NOWS, you can have a certain number
of SLES installs.
I think didn't there used to be a formula for how
many SLES you could have, depending on how many user licenses you had,
something like that.

But -- it is beginning to appear that NOWS (or, even, current maint on
OES) does not bring with it a right to ANY SLES.

Looking for confirmation on this.

Also, if true: does anyone else see the non-sense in this policy?

Also part II: so that means, essentially, if we get current with
Novell by going to NOWS, AND we want to have a pure-web-application
kinds of servers in addition to our OES type services, that we either
have to:

1)belly up to the bar even more, or:
2)Install OES for everything, just leave some small stupid unused OES
component in place, to justify that it is an "OES" server and not a
SLES server.

Good grief!

P

-- 
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From mbrady at ingenuityieq.com Tue Dec 9 20:06:09 2008
From: mbrady at ingenuityieq.com (Mike Brady)
Date: Tue, 09 Dec 2008 15:06:09 -0500
Subject: does NOWS include a license to use SLES?
In-Reply-To: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
References: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
Message-ID: <493E89610200002D0000CE7B@mail.ingenuityieq.com>

I believe that the GroupWise portion of NOWS gives you entitlement to
SLES. Also, since OES rides on top of SLES, I can't see how you would
get in trouble with Novell for running SLES without adding OES on top.
You could always install the OES add on disk, but not configure anything
if you are worried about it. That way you have technically "installed"
OES on the machine, even if it is left in an unconfigured state.

>>> On 12/9/2008 at 2:47 PM, in message <68b791330812091147r4c079325l2c5b452b3c868ac6 at mail.gmail.com>, "Peter Van Lone" wrote:

I could have sworn that I remember a Novell rep talk about this, and
that with current maintenance on NOWS, you can have a certain number
of SLES installs. I think didn't there used to be a formula for how
many SLES you could have, depending on how many user licenses you had,
something like that.

But -- it is beginning to appear that NOWS (or, even, current maint on
OES) does not bring with it a right to ANY SLES.

Looking for confirmation on this.

Also, if true: does anyone else see the non-sense in this policy?

Also part II: so that means, essentially, if we get current with
Novell by going to NOWS, AND we want to have a pure-web-application
kinds of servers in addition to our OES type services, that we either
have to:

1)belly up to the bar even more, or:
2)Install OES for everything, just leave some small stupid unused OES
component in place, to justify that it is an "OES" server and not a
SLES server.

Good grief!

P

-- 
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From dtran at ssc.ucla.edu Tue Dec 9 20:12:42 2008
From: dtran at ssc.ucla.edu (Daniel Tran)
Date: Tue, 9 Dec 2008 12:12:42 -0800
Subject: SCMT - and tsa600 version
In-Reply-To: <68b791330812091134j203d952cw84508e6c7778c2e6@mail.gmail.com>
References: <68b791330812091134j203d952cw84508e6c7778c2e6@mail.gmail.com>
Message-ID:

Get tsaup21 to install on your server.
I don't think it requires sp5.

/D

-----Original Message-----
From: novell-bounces at netlab1.oucs.ox.ac.uk
[mailto:novell-bounces at netlab1.oucs.ox.ac.uk] On Behalf Of Peter Van Lone
Sent: Tuesday, December 09, 2008 11:35 AM
To: Novell LAN Interest Group
Subject: SCMT - and tsa600 version

hmph!

I just installed a new server (nw6.5 sp7) in a single server tree. The
old server is NW6.0 sp2.

All is good ... but, now trying to use the SCMT to migrate files from
old to new. It says it is copying newer versions of files (tsa*, smdr,
etc ...) over to the old server. I have reloaded all parts (smsstop
and start) HOWEVER:

when I try to migrate, it says the TSA600 version is 6.002 and should
be 6.005. It also says it has copied it over, and all I have to do is
unload/reload. But -- wait -- the SCMT tool does not even HAVE a
TSA600 file to copy.

So -- I assume this is because a NW 6 server is supposed to be SP5 --
is there any way to get TSA600 short of a long download of SP5?

P

-- 
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From petervl at gmail.com Tue Dec 9 20:17:37 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 14:17:37 -0600
Subject: SCMT - and tsa600 version
In-Reply-To:
References: <68b791330812091134j203d952cw84508e6c7778c2e6@mail.gmail.com>
Message-ID: <68b791330812091217k6538d5f6ld0225a8d80f95b15@mail.gmail.com>

a search of the download site for "tsaup21" produces nothing. Plus, a
search there for tsa600 found 8 versions of nw6sp5 -- but no tsaup21

hmm

On Tue, Dec 9, 2008 at 2:12 PM, Daniel Tran wrote:
> Get tsaup21 to install on your server.
> I don't think it requires sp5.
>
> /D
>
> -----Original Message-----
> From: novell-bounces at netlab1.oucs.ox.ac.uk
> [mailto:novell-bounces at netlab1.oucs.ox.ac.uk] On Behalf Of Peter Van
> Lone
> Sent: Tuesday, December 09, 2008 11:35 AM
> To: Novell LAN Interest Group
> Subject: SCMT - and tsa600 version
>
> hmph!
>
> I just installed a new server (nw6.5 sp7) in a single server tree. The
> old server is NW6.0 sp2.
>
> All is good ... but, now trying to use the SCMT to migrate files from
> old to new. It says it is copying newer versions of files (tsa*, smdr,
> etc ...) over to the old server. I have reloaded all parts (smsstop
> and start) HOWEVER:
>
> when I try to migrate, it says the TSA600 version is 6.002 and should
> be 6.005. It also says it has copied it over, and all I have to do is
> unload/reload. But -- wait -- the SCMT tool does not even HAVE a
> TSA600 file to copy.
>
> So -- I assume this is because a NW 6 server is supposed to be SP5 --
> is there any way to get TSA600 short of a long download of SP5?
>
> P
>
> --
> When I do good, I feel good. When I do bad, I feel bad. That is my
> religion.
>
> -Abraham Lincoln
>
> http://www.the-brights.net
> http://xkcd.com/167
>

-- 
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From petervl at gmail.com Tue Dec 9 20:18:59 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 14:18:59 -0600
Subject: does NOWS include a license to use SLES?
In-Reply-To: <493E89610200002D0000CE7B@mail.ingenuityieq.com>
References: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
	<493E89610200002D0000CE7B@mail.ingenuityieq.com>
Message-ID: <68b791330812091218w6ef4bed7x5fbb5c32d48b8af8@mail.gmail.com>

yes, I can just go ahead and install SLES, and usually support does
not hassle. However, you can't register it in customer center,
therefore cannot continue past the eval period to access updates.

That's not ok in the long run ...

P

On Tue, Dec 9, 2008 at 2:06 PM, Mike Brady wrote:
> I believe that the GroupWise portion of NOWS gives you entitlement to SLES. Also, since OES rides on top of SLES, I can't see how you would get in trouble with Novell for running SLES without adding OES on top. You could always install the OES add on disk, but not configure anything if you are worried about it. That way you have technically "installed" OES on the machine, even if it is left in an unconfigured state.
>
>>>> On 12/9/2008 at 2:47 PM, in message <68b791330812091147r4c079325l2c5b452b3c868ac6 at mail.gmail.com>, "Peter Van Lone" wrote:
>
> I could have sworn that I remember a Novell rep talk about this, and
> that with current maintenance on NOWS, you can have a certain number
> of SLES installs. I think didn't there used to be a formula for how
> many SLES you could have, depending on how many user licenses you had,
> something like that.
>
> But -- it is beginning to appear that NOWS (or, even, current maint on
> OES) does not bring with it a right to ANY SLES.
>
> Looking for confirmation on this.
>
> Also, if true: does anyone else see the non-sense in this policy?
>
> Also part II: so that means, essentially, if we get current with
> Novell by going to NOWS, AND we want to have a pure-web-application
> kinds of servers in addition to our OES type services, that we either
> have to:
>
> 1)belly up to the bar even more, or:
> 2)Install OES for everything, just leave some small stupid unused OES
> component in place, to justify that it is an "OES" server and not a
> SLES server.
>
> Good grief!
>
> P
>
> --
> When I do good, I feel good. When I do bad, I feel bad. That is my religion.
>
> -Abraham Lincoln
>
> http://www.the-brights.net
> http://xkcd.com/167
>

-- 
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From petervl at gmail.com Tue Dec 9 20:20:39 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 14:20:39 -0600
Subject: does NOWS include a license to use SLES?
In-Reply-To: <493E89610200002D0000CE7B@mail.ingenuityieq.com>
References: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
	<493E89610200002D0000CE7B@mail.ingenuityieq.com>
Message-ID: <68b791330812091220p6ba5fbbfye7ca5e951d92dc2c@mail.gmail.com>

I guess I'll just have to go the OES route -- if I do not configure
the OES components, am I still able to register the OES box with
customer center?

And then ... the update process is very different than for SLES/SLED,
isn't it? Gah .. more to have to freaking learn for one customer.

Ah, well ...

P

On Tue, Dec 9, 2008 at 2:06 PM, Mike Brady wrote:
> I believe that the GroupWise portion of NOWS gives you entitlement to SLES. Also, since OES rides on top of SLES, I can't see how you would get in trouble with Novell for running SLES without adding OES on top. You could always install the OES add on disk, but not configure anything if you are worried about it. That way you have technically "installed" OES on the machine, even if it is left in an unconfigured state.
>
>>>> On 12/9/2008 at 2:47 PM, in message <68b791330812091147r4c079325l2c5b452b3c868ac6 at mail.gmail.com>, "Peter Van Lone" wrote:
>
> I could have sworn that I remember a Novell rep talk about this, and
> that with current maintenance on NOWS, you can have a certain number
> of SLES installs. I think didn't there used to be a formula for how
> many SLES you could have, depending on how many user licenses you had,
> something like that.
>
> But -- it is beginning to appear that NOWS (or, even, current maint on
> OES) does not bring with it a right to ANY SLES.
>
> Looking for confirmation on this.
>
> Also, if true: does anyone else see the non-sense in this policy?
>
> Also part II: so that means, essentially, if we get current with
> Novell by going to NOWS, AND we want to have a pure-web-application
> kinds of servers in addition to our OES type services, that we either
> have to:
>
> 1)belly up to the bar even more, or:
> 2)Install OES for everything, just leave some small stupid unused OES
> component in place, to justify that it is an "OES" server and not a
> SLES server.
>
> Good grief!
>
> P
>
> --
> When I do good, I feel good. When I do bad, I feel bad. That is my religion.
>
> -Abraham Lincoln
>
> http://www.the-brights.net
> http://xkcd.com/167
>

-- 
When I do good, I feel good. When I do bad, I feel bad.
That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From mrsmith at oconee.k12.ga.us Tue Dec 9 20:48:28 2008
From: mrsmith at oconee.k12.ga.us (Matt Smith)
Date: Tue, 09 Dec 2008 15:48:28 -0500
Subject: does NOWS include a license to use SLES?
In-Reply-To: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
References: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
Message-ID: <493E934B.E4C1.0068.0@oconee.k12.ga.us>

Good luck finding this out. I checked into this very issue before
renewing our license before the beginning of our last fiscal year. It
was very difficult getting a straight answer. Finally, the answer I did
get was that we were licensed for SLES, but only for "workgroup"
purposes. I don't have a clear idea of what "workgroup" constitutes, but
no one mentioned any sort of upper-bound limit on the number of machines
we could license. Maybe we just haven't gotten there yet.

-Matt

>>> On 12/9/2008 at 2:47 PM, in message <68b791330812091147r4c079325l2c5b452b3c868ac6 at mail.gmail.com>, "Peter Van Lone" wrote:
> I could have sworn that I remember a Novell rep talk about this, and
> that with current maintenance on NOWS, you can have a certain number
> of SLES installs. I think didn't there used to be a formula for how
> many SLES you could have, depending on how many user licenses you had,
> something like that.
>
> But -- it is beginning to appear that NOWS (or, even, current maint on
> OES) does not bring with it a right to ANY SLES.
>
> Looking for confirmation on this.
>
> Also, if true: does anyone else see the non-sense in this policy?
>
> Also part II: so that means, essentially, if we get current with
> Novell by going to NOWS, AND we want to have a pure-web-application
> kinds of servers in addition to our OES type services, that we either
> have to:
>
> 1)belly up to the bar even more, or:
> 2)Install OES for everything, just leave some small stupid unused OES
> component in place, to justify that it is an "OES" server and not a
> SLES server.
>
> Good grief!

From mbrady at ingenuityieq.com Tue Dec 9 20:55:00 2008
From: mbrady at ingenuityieq.com (Mike Brady)
Date: Tue, 09 Dec 2008 15:55:00 -0500
Subject: does NOWS include a license to use SLES?
In-Reply-To: <68b791330812091220p6ba5fbbfye7ca5e951d92dc2c@mail.gmail.com>
References: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
	<493E89610200002D0000CE7B@mail.ingenuityieq.com>
	<68b791330812091220p6ba5fbbfye7ca5e951d92dc2c@mail.gmail.com>
Message-ID: <493E94D40200002D0000CE81@mail.ingenuityieq.com>

I just logged onto the Novell Customer Center to check. Under "Novell
Open Workgroup Suite", I have many entries, including SUSE Linux
Enterprise Server 10. There is an Activation Code listed for the
product, which I have used and know it works. Right now my "Purchase
Used/Count" is 1/35. Subscription is showing as ending June 2009. So I
assume that means I am allowed up to 35 servers using that code. I
actually have more than 1, so now I need to check and make sure they are
registered properly, but that's a different topic. Based on what I am
seeing here, this is Novell telling me it's totally OK for me to use
SLES 10, even without OES. I have separate activation codes for OES.

>>> On 12/9/2008 at 3:20 PM, in message <68b791330812091220p6ba5fbbfye7ca5e951d92dc2c at mail.gmail.com>, "Peter Van Lone" wrote:

I guess I'll just have to go the OES route -- if I do not configure
the OES components, am I still able to register the OES box with
customer center?

And then ... the update process is very different than for SLES/SLED,
isn't it? Gah ..
more to have to freaking learn for one customer.

Ah, well ...

P

On Tue, Dec 9, 2008 at 2:06 PM, Mike Brady wrote:
> I believe that the GroupWise portion of NOWS gives you entitlement to SLES. Also, since OES rides on top of SLES, I can't see how you would get in trouble with Novell for running SLES without adding OES on top. You could always install the OES add on disk, but not configure anything if you are worried about it. That way you have technically "installed" OES on the machine, even if it is left in an unconfigured state.
>
>>>> On 12/9/2008 at 2:47 PM, in message <68b791330812091147r4c079325l2c5b452b3c868ac6 at mail.gmail.com>, "Peter Van Lone" wrote:
>
> I could have sworn that I remember a Novell rep talk about this, and
> that with current maintenance on NOWS, you can have a certain number
> of SLES installs. I think didn't there used to be a formula for how
> many SLES you could have, depending on how many user licenses you had,
> something like that.
>
> But -- it is beginning to appear that NOWS (or, even, current maint on
> OES) does not bring with it a right to ANY SLES.
>
> Looking for confirmation on this.
>
> Also, if true: does anyone else see the non-sense in this policy?
>
> Also part II: so that means, essentially, if we get current with
> Novell by going to NOWS, AND we want to have a pure-web-application
> kinds of servers in addition to our OES type services, that we either
> have to:
>
> 1)belly up to the bar even more, or:
> 2)Install OES for everything, just leave some small stupid unused OES
> component in place, to justify that it is an "OES" server and not a
> SLES server.
>
> Good grief!
>
> P
>
> --
> When I do good, I feel good. When I do bad, I feel bad. That is my religion.
>
> -Abraham Lincoln
>
> http://www.the-brights.net
> http://xkcd.com/167
>

-- 
When I do good, I feel good. When I do bad, I feel bad. That is my religion.

-Abraham Lincoln

http://www.the-brights.net
http://xkcd.com/167

From petervl at gmail.com Tue Dec 9 21:05:58 2008
From: petervl at gmail.com (Peter Van Lone)
Date: Tue, 9 Dec 2008 15:05:58 -0600
Subject: does NOWS include a license to use SLES?
In-Reply-To: <493E94D40200002D0000CE81@mail.ingenuityieq.com>
References: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
	<493E89610200002D0000CE7B@mail.ingenuityieq.com>
	<68b791330812091220p6ba5fbbfye7ca5e951d92dc2c@mail.gmail.com>
	<493E94D40200002D0000CE81@mail.ingenuityieq.com>
Message-ID: <68b791330812091305u35956b97pd574ac74f883fa65@mail.gmail.com>

On Tue, Dec 9, 2008 at 2:55 PM, Mike Brady wrote:
> I just logged onto the Novell Customer Center to check. Under "Novell Open Workgroup Suite", I have many entries, including SUSE Linux Enterprise Server 10. There is an Activation Code listed for the product, which I have used and know it works. Right now my "Purchase Used/Count" is 1/35. Subscription is showing as ending June 2009. So I assume that means I am allowed up to 35 servers using that code. I actually have more than 1, so now I need to check and make sure they are registered properly, but that's a different topic. Based on what I am seeing here, this is Novell telling me it's totally OK for me to use SLES 10, even without OES. I have separate activation codes for OES.
>

well that's great news ...
I wonder if it's "official" policy or just a
mess-up with Customer Center -- since nobody at Novell seems to know
this answer.

P

From Simon.Shilton at acustica.co.uk Tue Dec 9 21:46:43 2008
From: Simon.Shilton at acustica.co.uk (Simon Shilton)
Date: Tue, 09 Dec 2008 21:46:43 +0000
Subject: does NOWS include a license to use SLES?
In-Reply-To: <68b791330812091305u35956b97pd574ac74f883fa65@mail.gmail.com>
References: <68b791330812091147r4c079325l2c5b452b3c868ac6@mail.gmail.com>
	<493E89610200002D0000CE7B@mail.ingenuityieq.com>
	<68b791330812091220p6ba5fbbfye7ca5e951d92dc2c@mail.gmail.com>
	<493E94D40200002D0000CE81@mail.ingenuityieq.com>
	<68b791330812091305u35956b97pd574ac74f883fa65@mail.gmail.com>
Message-ID: <493EE743020000AB00012F3B@dylan.trident.acustica.co.uk>

I am on NOWS Small Business Edition 2 and have 2 activation codes for
SLES 10 showing up each with a purchase count of 4, plus an OES 2 code
with a purchase count of 4

not sure this clears things up, but it's kind of interesting :-)

cheers
Simon

>>> On 09 December 2008 at 21:05, in message <68b791330812091305u35956b97pd574ac74f883fa65 at mail.gmail.com>, "Peter Van Lone" wrote:

On Tue, Dec 9, 2008 at 2:55 PM, Mike Brady wrote:
> I just logged onto the Novell Customer Center to check. Under "Novell Open Workgroup Suite", I have many entries, including SUSE Linux Enterprise Server 10. There is an Activation Code listed for the product, which I have used and know it works. Right now my "Purchase Used/Count" is 1/35. Subscription is showing as ending June 2009. So I assume that means I am allowed up to 35 servers using that code. I actually have more than 1, so now I need to check and make sure they are registered properly, but that's a different topic. Based on what I am seeing here, this is Novell telling me it's totally OK for me to use SLES 10, even without OES. I have separate activation codes for OES.
>

well that's great news ...
I wonder if it's "official" policy or just a
mess-up with Customer Center -- since nobody at Novell seems to know
this answer.

P

From cmangiarelli at gmail.com Thu Dec 11 01:42:33 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Wed, 10 Dec 2008 20:42:33 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk>
	<4937C9D3.2050206@cam.ac.uk>
	<493D7639.1050703@oucs.ox.ac.uk>
Message-ID:

Sigh, I wish Novell would make this easy. I apparently went ahead and
installed the wrong patch levels. I didn't realize that Novell's links in
the NCC would point me to the older software. Instead, I now got a SLES 10
SP1 + OES2 up and running but I can't install iFolder 3.7 cause you need to
be at OES2 SP1 level. The documentation on Novell's website indicates that
SLES10 SP2 is required for OES2 SP1 so not only do I need to patch OES2 but
I also need to patch SLES10. I thought SLES10 SP2 wasn't supported under
OES2 until OES2 SP2 was released? I read this all awhile back on the list
but Novell's website seems to indicate otherwise. Are we supposed to install
OES2 SP1 on top of SLES10 SP2?

-- 
Christopher Mangiarelli
cmangiarelli at gmail.com

From cmangiarelli at gmail.com Thu Dec 11 02:33:24 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Wed, 10 Dec 2008 21:33:24 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk>
	<4937C9D3.2050206@cam.ac.uk>
	<493D7639.1050703@oucs.ox.ac.uk>
Message-ID:

Oh great more drama. So I follow Novell's documentation about the update
and it doesn't work. When it gets to the point of finding my existing
installation for an update it doesn't find the partitions.
According to the documentation, they say that means you are trying to
install the 64bit version over the 32bit version. However, I am NOT
trying to do that. I installed the system with the 64bit version and a
cat /etc/SuSE-Release proves that. Looks like the upgrade mechanism is
broken. Oh well, I don't have the time to deal with this buggy software
so it looks like a system wipe and reinstall are in order. Flashbacks to
windows anybody? What a mess this has been, I want my NW back. :P

On Wed, Dec 10, 2008 at 8:42 PM, Christopher Mangiarelli <
cmangiarelli at gmail.com> wrote:

> Sigh, I wish Novell would make this easy. I apparently went ahead and
> installed the wrong patch levels. I didn't realize that Novell's links in
> the NCC would point me to the older software. Instead, I now got a SLES 10
> SP1 + OES2 up and running but I can't install iFolder 3.7 cause you need to
> be at OES2 SP1 level. The documentation on Novell's website indicates that
> SLES10 SP2 is required for OES2 SP1 so not only do I need to patch OES2 but
> I also need to patch SLES10. I thought SLES10 SP2 wasn't supported under
> OES2 until OES2 SP2 was released? I read this all awhile back on the list
> but Novell's website seems to indicate otherwise. Are we supposed to install
> OES2 SP1 on top of SLES10 SP2?
>

-- 
Christopher Mangiarelli
cmangiarelli at gmail.com

From joe.doupnik at oucs.ox.ac.uk Thu Dec 11 10:13:59 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Thu, 11 Dec 2008 10:13:59 +0000
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk>
	<4937C9D3.2050206@cam.ac.uk>
	<493D7639.1050703@oucs.ox.ac.uk>
Message-ID: <4940E7E7.70404@oucs.ox.ac.uk>

Christopher Mangiarelli wrote:
> Oh great more drama. So I follow Novell's documentation about the update
> and it doesn't work. When it gets to the point of finding my existing
> installation for an update it doesn't find the partitions. According to the
> documentation, they say that means you are trying to install the 64bit
> version over the 32bit version. However, I am NOT trying to do that. I
> installed the system with the 64bit version and a cat /etc/SuSE-Release
> proves that. Looks like the upgrade mechanism is broken. Oh well, I don't
> have the time to deal with this buggy software so it looks like a system
> wipe and reinstall are in order. Flashbacks to windows anybody? What a
> mess this has been, I want my NW back. :P
>
> On Wed, Dec 10, 2008 at 8:42 PM, Christopher Mangiarelli <
> cmangiarelli at gmail.com> wrote:
>
>> Sigh, I wish Novell would make this easy. I apparently went ahead and
>> installed the wrong patch levels. I didn't realize that Novell's links in
>> the NCC would point me to the older software. Instead, I now got a SLES 10
>> SP1 + OES2 up and running but I can't install iFolder 3.7 cause you need to
>> be at OES2 SP1 level. The documentation on Novell's website indicates that
>> SLES10 SP2 is required for OES2 SP1 so not only do I need to patch OES2 but
>> I also need to patch SLES10. I thought SLES10 SP2 wasn't supported under
>> OES2 until OES2 SP2 was released? I read this all awhile back on the list
>> but Novell's website seems to indicate otherwise. Are we supposed to install
>> OES2 SP1 on top of SLES10 SP2?
>>
> --------------------
Patching has been a problem, no question about that. Yet, in my
experiences there has not been confusion about SP level, partly because
I do ensure the box is subscribed to the appropriate channels before
patching. As has been stated here many times, OES2 SP1 requires SLES 10
SP2.
Earlier this week I did an in-place upgrade, likely what you did, of a
production OES2/SLES10SP1 machine to result in an OES2 SP1 machine. It
worked very smoothly, as had past experiments of the same kind. The
starting point was a fully patched OES2 machine, with sundry additions.
The process dealt with both SLES10SP2 and OES2SP1 material
simultaneously, not one and then the other.
What we ought NOT attempt at this time is piecemeal changes where the
OES and Linux parts get out of step, and trying to do an in-place
upgrade only through the patch channels.
To me the worrisome bit of your story is the disappearing partitions.
Might that have been a RAID array involved, such that a particular
supplementary driver was needed at boot time? I have learned the hard
way to totally avoid disk complexities for the o/s proper (no RAID, no
volume manager), and to avoid file system complexities within /boot (do
have a small /boot, of kind EXT2, thus no journal needing to be replayed
when GRUB is too ignorant to do it).
Joe D.

From HPfeil at uca.edu Thu Dec 11 16:10:19 2008
From: HPfeil at uca.edu (Hans Pfeil)
Date: Thu, 11 Dec 2008 10:10:19 -0600
Subject: OES2-LX Mint new Certificates
Message-ID: <4940E709.6010.00BD.0@uca.edu>

Hey all, going to mint new certificates for our OES2-LX box.
Is "ndsconfig upgrade" all I need to do? I hope it's as simple as running PKIDIAG on the Netware side :) Thanks -Hans _______________________________________________ Novell mailing list Novell at netlab1.oucs.ox.ac.uk http://netlab1.usu.edu/mailman/listinfo/novell From sricketts at esitechadvisors.com Thu Dec 11 16:39:33 2008 From: sricketts at esitechadvisors.com (Steve Ricketts) Date: Thu, 11 Dec 2008 11:39:33 -0500 Subject: OES2-LX Mint new Certificates References: <4940FBAE020000850005F16C@FS-LIN-OES> Message-ID: <3E3EBD4AA56A9E4C8D04E2075088AD8D026005FA@exchange.esiindy.net> You can repair and recreate certs for OES2 in iManager now...easiest and closest way to PKIDiag that I've found :) Thanks, Steve ________________________________ From: novell-bounces at netlab1.oucs.ox.ac.uk on behalf of joea at j4computers.com Sent: Thu 12/11/2008 11:38 AM To: novell at netlab1.oucs.ox.ac.uk; HPfeil at uca.edu Subject: Re: OES2-LX Mint new Certificates There is AFAIK, no Linux equivalent to PKIDIAG. I don't recall, and could not find, what "ndsconfig upgrade" does. However, when I had to update certs on OES1, it was involved. I hacked out a script to automate it, as I had a number of them to do. I can send you the script if you like, or just post it, if that is desired. It will require some slight modification for OES2. Paths, I think. First, you have to use standard eDir tools to create and export the certs. Assuming you want to use home grown certs. joe a. >>> "Hans Pfeil" 12/11/08 11:18 AM >>> Hey all, going to mint new certificates for our OES2-LX box. Is "ndsconfig upgrade" all I need to do? 
I hope it's as simple as running PKIDIAG on the Netware side :) Thanks -Hans _______________________________________________ Novell mailing list Novell at netlab1.oucs.ox.ac.uk http://netlab1.usu.edu/mailman/listinfo/novell _______________________________________________ Novell mailing list Novell at netlab1.oucs.ox.ac.uk http://netlab1.usu.edu/mailman/listinfo/novell -------------------------------------------------------- ESI caring people. make IT happen. Steve Ricketts Novell Practice Manager / Systems Engineer 6855 Hillsdale court Indianapolis, IN 46250 mail: sricketts at esitechadvisors.com www: www.esitechadvisors.com telephone: 317.225.8281 fax: -------------------------------------------------------- This message contains confidential information and is intended only for novell at netlab1.oucs.ox.ac.uk, novell at netlab1.oucs.ox.ac.uk, HPfeil at uca.edu. If you are not novell at netlab1.oucs.ox.ac.uk, novell at netlab1.oucs.ox.ac.uk, HPfeil at uca.edu you should not disseminate, distribute or copy this e-mail. Please notify sricketts at esitechadvisors.com immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Steve Ricketts therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. -------------------------------------------------------- From joe.doupnik at oucs.ox.ac.uk Thu Dec 11 17:01:29 2008 From: joe.doupnik at oucs.ox.ac.uk (Joe R. 
Doupnik) Date: Thu, 11 Dec 2008 17:01:29 +0000 Subject: OES2-LX Mint new Certificates In-Reply-To: <3E3EBD4AA56A9E4C8D04E2075088AD8D026005FA@exchange.esiindy.net> References: <4940FBAE020000850005F16C@FS-LIN-OES> <3E3EBD4AA56A9E4C8D04E2075088AD8D026005FA@exchange.esiindy.net> Message-ID: <49414769.3050108@oucs.ox.ac.uk> Steve Ricketts wrote: > You can repair and recreate certs for OES2 in iManager now...easiest and closest way to PKIDiag that I've found :) > > Thanks, > Steve > > ________________________________ > > From: novell-bounces at netlab1.oucs.ox.ac.uk on behalf of joea at j4computers.com > Sent: Thu 12/11/2008 11:38 AM > To: novell at netlab1.oucs.ox.ac.uk; HPfeil at uca.edu > Subject: Re: OES2-LX Mint new Certificates > > > > There is AFAIK, no Linux equivalent to PKIDIAG. I don't recall, and could not find, what "ndsconfig upgrade" does. > > However, when I had to update certs on OES1, it was involved. I hacked out a script to automate it, as I had a number of them to do. I can send you the script if you like, or just post it, if that is desired. > > It will require some slight modification for OES2. Paths, I think. > > First, you have to use standard eDir tools to create and export the certs. Assuming you want to use home grown certs. > > joe a. > >>>> "Hans Pfeil" 12/11/08 11:18 AM >>> > Hey all, going to mint new certificates for our OES2-LX box. Is "ndsconfig upgrade" all I need to do? I hope it's as simple as running PKIDIAG on the Netware side :) > > Thanks > -Hans ---------- OES2 SP1, note the SP1, will recreate certs upon need whenever eDir starts. That is the "auto-pkidiag for Linux" feature, as pkidiag itself does not exist for Linux. Those of us happier with manual control can, as stated above, use iManager to do the deed. Brave souls are welcome to use openssl itself, and find all the nooks and crannies needing filling. 
At least SP1 tries to put most certs in one spot under /etc/ssl, but reactionary apps still insist upon squirreling away a personal copy. Java and relatives still isolate themselves and must be hand fed via undocumented mysterious keytools. SP1 users can also look in /opt/novell/eDirectory/sbin for a helper shell script. The thing about Java is there are zillions of jre's about in the system, goodness knows which do what.
ndsconfig upgrade is for upgrading NDS, not what I would touch lightly nor what I would use to fix certificates.
Joe D.

From geoffreycarman at gmail.com Thu Dec 11 17:26:14 2008
From: geoffreycarman at gmail.com (Geoffrey Carman)
Date: Thu, 11 Dec 2008 12:26:14 -0500
Subject: OES2-LX Mint new Certificates
In-Reply-To: <3E3EBD4AA56A9E4C8D04E2075088AD8D026005FA@exchange.esiindy.net>
References: <4940FBAE020000850005F16C@FS-LIN-OES> <3E3EBD4AA56A9E4C8D04E2075088AD8D026005FA@exchange.esiindy.net>
Message-ID: <993788ac0812110926j283a94faw9207082ca4a53c46@mail.gmail.com>

Far be it for me to say something nice about iManager but the IMan plugins for eDir indexes and pki are quite nice! Of course if your certs for iman are bad and you cannot get in to iman to fix it with iman, that kind of sucks! The answer here is usually iman mobile but still a bad concept I think.

--
Sent from my mobile device

Geoffrey Carman
geoffreycarman at gmail.com

From HPfeil at uca.edu Thu Dec 11 17:46:54 2008
From: HPfeil at uca.edu (Hans Pfeil)
Date: Thu, 11 Dec 2008 11:46:54 -0600
Subject: OES2-LX Mint new Certificates
In-Reply-To: <993788ac0812110926j283a94faw9207082ca4a53c46@mail.gmail.com>
References: <4940FBAE020000850005F16C@FS-LIN-OES> <3E3EBD4AA56A9E4C8D04E2075088AD8D026005FA@exchange.esiindy.net> <993788ac0812110926j283a94faw9207082ca4a53c46@mail.gmail.com>
Message-ID: <4940FDAC.6010.00BD.0@uca.edu>

Hey all, thanks for your valuable inputs.

I mention "ndsconfig upgrade" because TID#3618399, How to move the Org CA to another server states that "ndsconfig upgrade" is the corresponding Linux command that accomplishes the same functionality as PKIDIAG. I personally don't know. Never ran ndsconfig upgrade before.

Think I'll use iManager. We have 2.7.1. Let me get this squared away. In iManager > Novell Cert Server > Repair Default Certs and then just follow the wizard.

Thanks
-Hans

From sricketts at esitechadvisors.com Thu Dec 11 17:48:10 2008
From: sricketts at esitechadvisors.com (Steve Ricketts)
Date: Thu, 11 Dec 2008 12:48:10 -0500
Subject: OES2-LX Mint new Certificates
Message-ID: <005b01c95bb8$a1e3cc14$5a01010a@esiindy.com>

Yup that's it

(Sent from my mobile, please excuse any typos.)

From cmangiarelli at gmail.com Thu Dec 11 19:20:39 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Thu, 11 Dec 2008 14:20:39 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To: <4940E7E7.70404@oucs.ox.ac.uk>
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk> <4937C9D3.2050206@cam.ac.uk> <493D7639.1050703@oucs.ox.ac.uk> <4940E7E7.70404@oucs.ox.ac.uk>
Message-ID:

Well, I had a fully patched and working (sans ifolder) OES2+SLES10SP1 of the x64 variety. When I loaded the SLES10 SP2 CD and configured for the add-on product of OES2 SP1 (both of the x64 variety), I then went to upgrade and it interrogated my disks but found no upgradeable partitions. I'm at a loss to explain it cause I did everything to the letter according to the online documentation. While I do have hardware raid (1 mirrored array for OS, 1 raid5 array for ifolder data), my disk partitions were kept simple (no volume management per our earlier conversation). I had 3 primary partitions (/boot, swap, /) and 1 extended partition (/var/log, empty space for ifolder data). I can't explain it. I used the same ISO's to blow away the server and reinstall (once again) from scratch. I'm getting really good at operating the install now. :P

P.S. I used ext3 for all my filesystems (including /boot). Is there a way to go back to ext2 on /boot without reinstalling?

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From cmangiarelli at gmail.com Thu Dec 11 22:39:54 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Thu, 11 Dec 2008 17:39:54 -0500
Subject: Linux File System Question
Message-ID:

Now that I have an iFolder implementation up and running, it seems that by default Novell uses the local OS drive as a datastore and does not allow you to change that. I thought I was going to be able to specifically assign data storage inside the admin interface but all I can do is add additional chunks of space and iFolder automatically determines where it is going to store user data. Really bad design if you ask me but that's another story (My main production environment needs to tier storage. Ifolder has no way to assign users to specific storage in case some people pay for replicated san storage versus cheaper local dasd).

Anyway, while you can give iFolder a big fat chunk of storage space, if that space gets used up through poor design or improper planning (or general oversight cause we are all too busy during the day to watch file system numbers), it can start to use the OS drive; filling that up too and crashing your server.
My only recourse seems to be to map a filesystem on top of that location in order to confine it to a partition which can't affect the OS. However, now that it's installed, I don't know how to get those files over to the new area intact. I'm guessing I would shut down apache > tar up the folder (/var/simias/data/simias/SimiasFiles) > delete the contents (making it an empty folder) > format my additional partition > map it onto that directory > untar the files back. This in theory should work but will it keep file permission, owners, and group ownership intact?

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From awleask at gmail.com Thu Dec 11 22:57:14 2008
From: awleask at gmail.com (Alister Leask)
Date: Fri, 12 Dec 2008 11:57:14 +1300
Subject: Linux File System Question
In-Reply-To:
References:
Message-ID: <397cc55b0812111457m111c5da7lfcdb4428dc4b29e5@mail.gmail.com>

Christopher,

you are pretty much correct as to your statements below - it pays to check this out before hitting production.

When I did our iFolder server I added another LUN to the server and mounted it at /var/simias, IIRC.

WRT to tiering your storage, I believe that there can be multiple iFolders servers. Maybe you could have one be the top tier and another a lower tier of storage. I am assuming that you can specify each users iFolder server of course.

--
Alister Leask

From cmangiarelli at gmail.com Thu Dec 11 23:02:32 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Thu, 11 Dec 2008 18:02:32 -0500
Subject: Linux File System Question
In-Reply-To: <397cc55b0812111457m111c5da7lfcdb4428dc4b29e5@mail.gmail.com>
References: <397cc55b0812111457m111c5da7lfcdb4428dc4b29e5@mail.gmail.com>
Message-ID:

True, you can use separate ifolder servers with different storage connections and provision users to the server connected to the storage they paid for, but that's overkill in smaller environment where a single ifolder server would work (like this one). Oh well.

What about tar restoring permissions?

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From awleask at gmail.com Thu Dec 11 23:37:25 2008
From: awleask at gmail.com (Alister Leask)
Date: Fri, 12 Dec 2008 12:37:25 +1300
Subject: Linux File System Question
In-Reply-To:
References: <397cc55b0812111457m111c5da7lfcdb4428dc4b29e5@mail.gmail.com>
Message-ID: <397cc55b0812111537n21a8bda5x8750b655775b55e4@mail.gmail.com>

I _*THINK*_ it does - I'm sure it would be a switch if it's not a default action. Actually it must do - tar is the original tape archive tool!

--
Alister Leask

From cmangiarelli at gmail.com Fri Dec 12 01:13:53 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Thu, 11 Dec 2008 20:13:53 -0500
Subject: iFolder 3.7 - 3 issues after installation
Message-ID:

I just posted this on the Novell forums, but thought maybe somebody here is familiar with ifolder and may have run into these same issues after installation:

I have a brand new ifolder 3.7 implementation running on OES2 SP1 / SLES10 SP2. While the basics of ifolder are functioning, I have three issues with the implementation:

1. Sharing doesn't appear to be working. It is enabled on the global policy as well as on every user and group. However, the buttons on the windows client to add users are greyed out.
2. I have encryption turned on. When a person accesses the web interface and logs in, they can see all their ifolders; but when they click on one, it asks for their passphrase but doesn't seem to accept it. I've verified the passphrases are being typed correctly.
3. I can't seem to edit the LDAP search contexts via the web admin tool. When I attempt to add a new search DN, it throws me a weird ldap/java error. If I use Yast > OES > Install and Config, I can add new DNs fine, but would prefer to edit this via the web interface.

Any ideas? I'm sorry, I don't have the exact error in front of me but I thought describing it might sound familiar to somebody else who had the same problem.

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From joe.doupnik at oucs.ox.ac.uk Fri Dec 12 10:11:45 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik)
Date: Fri, 12 Dec 2008 10:11:45 +0000
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
References: <20081201173653.2D4C4186CB@webmail223.herald.ox.ac.uk> <4937C9D3.2050206@cam.ac.uk> <493D7639.1050703@oucs.ox.ac.uk> <4940E7E7.70404@oucs.ox.ac.uk>
Message-ID: <494238E1.3040608@oucs.ox.ac.uk>

Christopher Mangiarelli wrote:
> Well, I had a fully patched and working (sans ifolder) OES2+SLES10SP1 of the
> x64 variety. When I loaded the SLES10 SP2 CD and configured for the add-on
> product of OES2 SP1 (both of the x64 variety), I then went to upgrade and it
> interrogated my disks but found no upgradeable partitions. I'm at a loss to
> explain it cause I did everything to the letter according to the online
> documentation. While I do have hardware raid (1 mirrored array for OS, 1
> raid5 array for ifolder data), my disk partitions were kept simple (no
> volume management per our earlier conversation). I had 3 primary
> partitions (/boot, swap, /) and 1 extended partition (/var/log, empty space
> for ifolder data). I can't explain it. I used the same ISO's to blow away
> the server and reinstall (once again) from scratch. I'm getting really good
> at operating the install now. :P
>
> P.S. I used ext3 for all my filesystems (including /boot). Is there a way
> to go back to ext2 on /boot without reinstalling?
>
-------------
Just to clarify, "no upgradable partitions" could mean two things. Either no partition of any description was found, or some were but the "upgradable" part showed nothing at all.

The case of none at all. RAID controllers usually present a different controller interface than when dealing with individual drives. A matching driver is needed as the system boots. Your OES2 system will reveal that driver in file /etc/sysconfig/kernel. To use it on a new system you may have to have the driver on a floppy and add it as the installation boot occurs.

/boot. EXT3 is the same on-disk as EXT2, but adds a journaling driver. Whether or not GRUB invokes that driver is an open question.
So the booting may skip the journal, but we don't know that. For production servers we reinstall to get things right at the outset.

iFolder3 data location. This is changeable through the OES2 configuration portion of YaST. I have that location on an NSS volume, not within the o/s /var area.

Since you enjoy practicing installations so much, maybe you should join an OES beta some year. We get to do one or two per day, nearly every day. I am doing it again with SLES 11 beta.

Joe D.

From mbrady at ingenuityieq.com Fri Dec 12 13:42:56 2008
From: mbrady at ingenuityieq.com (Mike Brady)
Date: Fri, 12 Dec 2008 08:42:56 -0500
Subject: Linux File System Question
In-Reply-To:
References:
Message-ID: <494224100200002D0000D105@mail.ingenuityieq.com>

That's exactly what I did with mine. I shut down everything, renamed the location where iFolder was stored, copied it all over to the new storage, created the mount point to replace where iFolder used to be, and rebooted. It worked great. Now, if iFolder fills up, I just need to copy the data to a larger network or local storage device, and change the mount point to look at it.

>>> On 12/11/2008 at 5:39 PM, in message , "Christopher Mangiarelli" wrote:
Now that I have an iFolder implementation up and running, it seems that by default Novell uses the local OS drive as a datastore and does not allow you to change that. I thought I was going to be able to specifically assign data storage inside the admin interface but all I can do is add additional chunks of space and iFolder automatically determines where it is going to store user data. Really bad design if you ask me but that's another story (My main production environment needs to tier storage. Ifolder has no way to assign users to specific storage in case some people pay for replicated san storage versus cheaper local dasd).
Anyway, while you can give iFolder a big fat chunk of storage space, if that space gets used up through poor design or improper planning (or general oversight cause we are all too busy during the day to watch file system numbers), it can start to use the OS drive; filling that up too and crashing your server. My only recourse seems to be to map a filesystem on top of that location in order to confine it to a partition which can't affect the OS. However, now that it's installed, I don't know how to get those files over to the new area intact.

I'm guessing I would shut down apache > tar up the folder (/var/simias/data/simias/SimiasFiles) > delete the contents (making it an empty folder) > format my additional partition > map it onto that directory > untar the files back. This in theory should work but will it keep file permission, owners, and group ownership intact?

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From sricketts at esitechadvisors.com Fri Dec 12 14:01:58 2008
From: sricketts at esitechadvisors.com (Steve Ricketts)
Date: Fri, 12 Dec 2008 09:01:58 -0500
Subject: Linux File System Question
In-Reply-To: <494224100200002D0000D105@mail.ingenuityieq.com>
References: <494224100200002D0000D105@mail.ingenuityieq.com>
Message-ID: <3E3EBD4AA56A9E4C8D04E2075088AD8D02899BF2@exchange.esiindy.net>

I don't know if it is best practice or not but I do know with ifolder 3.6 you can redirect the datastore to another location..ie NSS Volume..but I believe this has to be done on install...I've done it at a client site but would have to go back and refer to my notes on it. I do remember the key there is making sure the wwwrun user and the wwwgroup has rights to that location.

Steve

--------------------------------------------------------
ESI caring people. make IT happen.
Steve Ricketts
Novell Practice Manager / Systems Engineer
6855 Hillsdale court
Indianapolis, IN 46250
mail: sricketts at esitechadvisors.com
www: www.esitechadvisors.com
telephone: 317.225.8281
fax:
--------------------------------------------------------

-----Original Message-----
From: novell-bounces at netlab1.oucs.ox.ac.uk [mailto:novell-bounces at netlab1.oucs.ox.ac.uk] On Behalf Of Mike Brady
Sent: Friday, December 12, 2008 8:43 AM
To: Novell LAN Interest Group
Subject: Re: Linux File System Question

That's exactly what I did with mine. I shut down everything, renamed the location where iFolder was stored, copied it all over to the new storage, created the mount point to replace where iFolder used to be, and rebooted. It worked great. Now, if iFolder fills up, I just need to copy the data to a larger network or local storage device, and change the mount point to look at it.

>>> On 12/11/2008 at 5:39 PM, in message , "Christopher Mangiarelli" wrote:
Now that I have an iFolder implementation up and running, it seems that by default Novell uses the local OS drive as a datastore and does not allow you to change that.
I thought I was going to be able to specifically assign data storage inside the admin interface but all I can do is add additional chunks of space and iFolder automatically determines where it is going to store user data. Really bad design if you ask me but that's another story (My main production environment needs to tier storage. Ifolder has no way to assign users to specific storage in case some people pay for replicated san storage versus cheaper local dasd).

Anyway, while you can give iFolder a big fat chunk of storage space, if that space gets used up through poor design or improper planning (or general oversight cause we are all too busy during the day to watch file system numbers), it can start to use the OS drive; filling that up too and crashing your server. My only recourse seems to be to map a filesystem on top of that location in order to confine it to a partition which can't affect the OS. However, now that it's installed, I don't know how to get those files over to the new area intact.

I'm guessing I would shut down apache > tar up the folder (/var/simias/data/simias/SimiasFiles) > delete the contents (making it an empty folder) > format my additional partition > map it onto that directory > untar the files back. This in theory should work but will it keep file permission, owners, and group ownership intact?

--
Christopher Mangiarelli
cmangiarelli at gmail.com

From cmangiarelli at gmail.com Fri Dec 12 14:15:16 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Fri, 12 Dec 2008 09:15:16 -0500
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To: <494238E1.3040608@oucs.ox.ac.uk>
References: <4937C9D3.2050206@cam.ac.uk> <493D7639.1050703@oucs.ox.ac.uk> <4940E7E7.70404@oucs.ox.ac.uk> <494238E1.3040608@oucs.ox.ac.uk>
Message-ID:

Well when I did a show all partitions, it saw the "/" partition but the "/boot" partition was listed as unknown. The installation itself apparently finds my raid controller and lets me install to it so I'm at a loss to explain why a normal installation works just fine but an upgrade doesn't.

Unfortunately, I don't have the luxury of rebuilding. There is the right way to do things and the corporate way of doing things. They would rather slam things in right away and fix it later when it breaks.

Hmmm, I guess that would require a complete reinstall though. If I had the luxury of knowing what ifolder required prior to going live, then I could have mapped in appropriate space beforehand. Too bad this isn't spelled out in the documentation as an installation consideration. The webadmin portion of ifolder itself will not let me edit the default datastore.

BTW, I never said I enjoyed installing SuSE, I just said I was getting good at it. If I had time to play with beta software, I wouldn't be slamming in this system to meet a corporate need. Apparently lack of planning on somebody else's part constitutes an emergency on mine.

On Fri, Dec 12, 2008 at 5:11 AM, Joe Doupnik wrote:

> Just to clarify, "no upgradable partitions" could mean two things.
> Either no partition of any description was found, or some were but the
> "upgradable" part showed nothing at all.
> The case of none at all. RAID controllers usually present a
> different
> controller interface than when dealing with individual drives. A matching
> driver is needed as the system boots. Your OES2 system will reveal that
> driver in file /etc/sysconfig/kernel. To use it on a new system you may
> have
> to have the driver on a floppy and add it as the installation boot occurs.
> /boot.
EXT3 is the same on-disk as EXT2, but adds a journaling
> driver.
> Whether or not GRUB invokes that driver is an open question. So the booting
> may
> skip the journal, but we don't know that. For production servers we
> reinstall
> to get things right at the outset.
> iFolder3 data location. This is changeable through the OES2
> configuration
> portion of YaST. I have that location on an NSS volume, not within the o/s
> /var
> area.
> Since you enjoy practicing installations so much, maybe you should
> join
> an OES beta some year. We get to do one or two per day, nearly every day. I
> am
> doing it again with SLES 11 beta.
>
> Joe D.
>
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From cmangiarelli at gmail.com Fri Dec 12 14:20:20 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Fri, 12 Dec 2008 09:20:20 -0500
Subject: Linux File System Question
In-Reply-To: <3E3EBD4AA56A9E4C8D04E2075088AD8D02899BF2@exchange.esiindy.net>
References: <494224100200002D0000D105@mail.ingenuityieq.com> <3E3EBD4AA56A9E4C8D04E2075088AD8D02899BF2@exchange.esiindy.net>
Message-ID:

In iFolder 3.7, you specify a place to install it to during installation. This location hosts various database files mapping the users to their files. It also creates a directory where default iFolder data will be stored. After installation is complete, you can configure other datastores to add space to your implementation. The iFolder service will use whatever datastore has the most space first which in most cases is probably a large datastore you put aside for ifolder in the first place. However, it doesn't consider the fact that you might fill that datastore and revert back to using the default datastore (which in my case is on the same partition as my OS). I'm going to try Mike's idea since he seems to have been in the same boat as myself before.

On Fri, Dec 12, 2008 at 9:01 AM, Steve Ricketts <sricketts at esitechadvisors.com> wrote:

> I don't know if it is best practice or not but I do know with ifolder
> 3.6 you can redirect the datastore to another location..ie NSS
> Volume..but I believe this has to be done on install...I've done it at a
> client site but would have to go back and refer to my notes on it. I do
> remember the key there is making sure the wwwrun user and the wwwgroup
> has rights to that location.
>
> Steve
>
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From joe.doupnik at oucs.ox.ac.uk Fri Dec 12 14:33:21 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik)
Date: Fri, 12 Dec 2008 14:33:21 +0000
Subject: Building a new OES2/SuSE server in a standalone tree.
In-Reply-To:
References: <4937C9D3.2050206@cam.ac.uk> <493D7639.1050703@oucs.ox.ac.uk> <4940E7E7.70404@oucs.ox.ac.uk> <494238E1.3040608@oucs.ox.ac.uk>
Message-ID: <49427631.1030104@oucs.ox.ac.uk>

Christopher Mangiarelli wrote:
> Well when I did a show all partitions, it saw the "/" partition but the
> "/boot" partition was listed as unknown. The installation itself apparently
> finds my raid controller and lets me install to it so I'm at a loss to
> explain why a normal installation works just fine but an upgrade doesn't.

An in-place upgrade will typically show just the root (/) partition as an upgrade candidate, hiding /boot and others. That is what happens on my gear and in the end the scheme does update /boot with a new kernel. Overall, we keep in mind that an upgrade involves a somewhat different set of code, so things can break anew, and the procedures are much different (undo old stuff, versus slam on new stuff). Change is not always progress, etc.

> Unfortunately, I don't have the luxury of rebuilding. There is the right
> way to do things and the corporate way of doing things. They would rather
> slam things in right away and fix it later when it breaks.
>
> Hmmm, I guess that would require a complete reinstall though. If I had the
> luxury of knowing what ifolder required prior to going live, then I could
> have mapped in appropriate space beforehand. Too bad this isn't spelled out
> in the documentation as an installation consideration. The webadmin portion
> of ifolder itself will not let me edit the default datastore.

YaST will though, so a tool is available. We say this often, but it does not sink in until it happens to us (and I am no exception): build a test system to see what the heck is going on, think about it, then do a production installation. As usual, this is also the quickest way to being on line, versus trying to fix broken mysteries.

> BTW, I never said I enjoyed installing SuSE, I just said I was getting good
> at it. If I had time to play with beta software, I wouldn't be slamming in
> this system to meet a corporate need. Apparently lack of planning on
> somebody else's part constitutes an emergency on mine.

Oh, let's not spoil the fun (quotes) now that you are getting good at this. Helping hands make the work go faster...

Joe D.

From TJohnson at lancaster.wnyric.org Fri Dec 12 15:24:19 2008
From: TJohnson at lancaster.wnyric.org (TJohnson at lancaster.wnyric.org)
Date: Fri, 12 Dec 2008 10:24:19 -0500
Subject: Linux File System Question
In-Reply-To:
References: <494224100200002D0000D105@mail.ingenuityieq.com> <3E3EBD4AA56A9E4C8D04E2075088AD8D02899BF2@exchange.esiindy.net>
Message-ID:

I did set up an iFolder 3.6 test implementation and used NSS for the iFolder datastore and there is also a section in the iFolder 3.7 documentation specifically addressing prerequisites to using NSS for the datastore, the gist is make sure you have NSS set up before installing iFolder and there is some info regarding EVMS use for managing NSS volumes, special considerations for system devices on EVMS (a definite Joe D. no no ;-)). IIRC the config was pretty straightforward and worked well.
If you are going the POSIX file system route then Mike's the man.

T2

"Christopher Mangiarelli"
Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
12/12/2008 09:29 AM
Please respond to Novell LAN Interest Group

"Novell LAN Interest Group"
cc
Subject Re: Linux File System Question

In iFolder 3.7, you specify a place to install it to during installation. This location hosts various database files mapping the users to their files. It also creates a directory where default iFolder data will be stored. After installation is complete, you can configure other datastores to add space to your implementation. The iFolder service will use whatever datastore has the most space first which in most cases is probably a large datastore you put aside for ifolder in the first place. However, it doesn't consider the fact that you might fill that datastore and revert back to using the default datastore (which in my case is on the same partition as my OS). I'm going to try Mike's idea since he seems to have been in the same boat as myself before.

On Fri, Dec 12, 2008 at 9:01 AM, Steve Ricketts <sricketts at esitechadvisors.com> wrote:

> I don't know if it is best practice or not but I do know with ifolder
> 3.6 you can redirect the datastore to another location..ie NSS
> Volume..but I believe this has to be done on install...I've done it at a
> client site but would have to go back and refer to my notes on it. I do
> remember the key there is making sure the wwwrun user and the wwwgroup
> has rights to that location.
>
> Steve
>
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From mbrady at ingenuityieq.com Fri Dec 12 16:03:14 2008
From: mbrady at ingenuityieq.com (Mike Brady)
Date: Fri, 12 Dec 2008 11:03:14 -0500
Subject: Linux File System Question
Message-ID: <494244F20200002D0000D169@mail.ingenuityieq.com>

Christopher, did you upgrade from iFolder 3.6 or is this a fresh install? Just curious about your experience with 3.7 so far. We could take this conversation off-list too. Thanks.

>>> "Christopher Mangiarelli" 12/12/08 9:29 AM >>>
In iFolder 3.7, you specify a place to install it to during installation. This location hosts various database files mapping the users to their files. It also creates a directory where default iFolder data will be stored. After installation is complete, you can configure other datastores to add space to your implementation. The iFolder service will use whatever datastore has the most space first which in most cases is probably a large datastore you put aside for ifolder in the first place. However, it doesn't consider the fact that you might fill that datastore and revert back to using the default datastore (which in my case is on the same partition as my OS). I'm going to try Mike's idea since he seems to have been in the same boat as myself before.

On Fri, Dec 12, 2008 at 9:01 AM, Steve Ricketts <sricketts at esitechadvisors.com> wrote:

> I don't know if it is best practice or not but I do know with ifolder
> 3.6 you can redirect the datastore to another location..ie NSS
> Volume..but I believe this has to be done on install...I've done it at a
> client site but would have to go back and refer to my notes on it. I do
> remember the key there is making sure the wwwrun user and the wwwgroup
> has rights to that location.
>
> Steve
>
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From mbrady at ingenuityieq.com Fri Dec 12 16:04:55 2008
From: mbrady at ingenuityieq.com (Mike Brady)
Date: Fri, 12 Dec 2008 11:04:55 -0500
Subject: Linux File System Question
Message-ID: <494245570200002D0000D172@mail.ingenuityieq.com>

I am curious why you would want to use NSS for the filesystem for iFolder. Doesn't it just add a layer of unneeded complexity? It's very possible I am missing something here too, so feel free to educate me. Thanks.

>>> 12/12/08 10:24 AM >>>
I did set up an iFolder 3.6 test implementation and used NSS for the iFolder datastore and there is also a section in the iFolder 3.7 documentation specifically addressing prerequisites to using NSS for the datastore, the gist is make sure you have NSS set up before installing iFolder and there is some info regarding EVMS use for managing NSS volumes, special considerations for system devices on EVMS (a definite Joe D. no no ;-)). IIRC the config was pretty straightforward and worked well. If you are going the POSIX file system route then Mike's the man.

T2

"Christopher Mangiarelli"
Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
12/12/2008 09:29 AM
Please respond to Novell LAN Interest Group

"Novell LAN Interest Group"
cc
Subject Re: Linux File System Question

In iFolder 3.7, you specify a place to install it to during installation. This location hosts various database files mapping the users to their files. It also creates a directory where default iFolder data will be stored. After installation is complete, you can configure other datastores to add space to your implementation. The iFolder service will use whatever datastore has the most space first which in most cases is probably a large datastore you put aside for ifolder in the first place. However, it doesn't consider the fact that you might fill that datastore and revert back to using the default datastore (which in my case is on the same partition as my OS). I'm going to try Mike's idea since he seems to have been in the same boat as myself before.

On Fri, Dec 12, 2008 at 9:01 AM, Steve Ricketts <sricketts at esitechadvisors.com> wrote:

> I don't know if it is best practice or not but I do know with ifolder
> 3.6 you can redirect the datastore to another location..ie NSS
> Volume..but I believe this has to be done on install...I've done it at a
> client site but would have to go back and refer to my notes on it. I do
> remember the key there is making sure the wwwrun user and the wwwgroup
> has rights to that location.
>
> Steve
>
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From joe.doupnik at oucs.ox.ac.uk Fri Dec 12 16:14:28 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik)
Date: Fri, 12 Dec 2008 16:14:28 +0000
Subject: Linux File System Question
In-Reply-To: <494245570200002D0000D172@mail.ingenuityieq.com>
References: <494245570200002D0000D172@mail.ingenuityieq.com>
Message-ID: <49428DE4.3040103@oucs.ox.ac.uk>

Mike Brady wrote:
> I am curious why you would want to use NSS for the filesystem for iFolder. Doesn't it just add a layer of unneeded complexity? It's very possible I am missing something here too, so feel free to educate me. Thanks.
----------
iFolder 3 data can be on POSIX or NSS file systems. The question then becomes just where we wish to stash user data, based on bulk, backups, possible viewing by sundry souls, and survival of disasters. In my case I move such things out of Linux o/s areas (/var...) and into separate user data space, which happens to be NSS for me. This gives me the space, the reassurance that sundry souls can't intrude, and longevity if the main o/s is replaced by any means at all. Nothing complicated about this.

Joe D.

From TJohnson at lancaster.wnyric.org Fri Dec 12 16:15:42 2008
From: TJohnson at lancaster.wnyric.org (TJohnson at lancaster.wnyric.org)
Date: Fri, 12 Dec 2008 11:15:42 -0500
Subject: Linux File System Question
In-Reply-To: <494245570200002D0000D172@mail.ingenuityieq.com>
References: <494245570200002D0000D172@mail.ingenuityieq.com>
Message-ID:

Yes, after our testing I would have to agree that it did just add a layer of complexity so when we do eventually roll it out we will be using a POSIX filesystem, any suggestions as to which filesystem, ext3, Reiser, our users are typically using many small files so I was thinking Reiser but I am not sure how iFolder obfuscates the filesystem? Thanks.

Tim

"Mike Brady"
Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
12/12/2008 11:05 AM
Please respond to Novell LAN Interest Group

To
cc
Subject Re: Linux File System Question

I am curious why you would want to use NSS for the filesystem for iFolder. Doesn't it just add a layer of unneeded complexity? It's very possible I am missing something here too, so feel free to educate me. Thanks.

>>> 12/12/08 10:24 AM >>>
I did set up an iFolder 3.6 test implementation and used NSS for the iFolder datastore and there is also a section in the iFolder 3.7 documentation specifically addressing prerequisites to using NSS for the datastore, the gist is make sure you have NSS set up before installing iFolder and there is some info regarding EVMS use for managing NSS volumes, special considerations for system devices on EVMS (a definite Joe D. no no ;-)). IIRC the config was pretty straightforward and worked well. If you are going the POSIX file system route then Mike's the man.

T2

"Christopher Mangiarelli"
Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
12/12/2008 09:29 AM
Please respond to Novell LAN Interest Group

"Novell LAN Interest Group"
cc
Subject Re: Linux File System Question

In iFolder 3.7, you specify a place to install it to during installation.
This location hosts various database files mapping the users to their files. It also creates a directory where default iFolder data will be stored. After installation is complete, you can configure other datastores to add space to your implementation. The iFolder service will use whatever datastore has the most space first which in most cases is probably a large datastore you put aside for ifolder in the first place. However, it doesn't consider the fact that you might fill that datastore and revert back to using the default datastore (which in my case is on the same partition as my OS). I'm going to try Mike's idea since he seems to have been in the same boat as myself before.

On Fri, Dec 12, 2008 at 9:01 AM, Steve Ricketts <sricketts at esitechadvisors.com> wrote:

> I don't know if it is best practice or not but I do know with ifolder
> 3.6 you can redirect the datastore to another location..ie NSS
> Volume..but I believe this has to be done on install...I've done it at a
> client site but would have to go back and refer to my notes on it. I do
> remember the key there is making sure the wwwrun user and the wwwgroup
> has rights to that location.
>
> Steve
>
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From James.Taylor at eastcobbgroup.com Fri Dec 12 16:33:52 2008
From: James.Taylor at eastcobbgroup.com (James Taylor)
Date: Fri, 12 Dec 2008 11:33:52 -0500
Subject: Linux File System Question
In-Reply-To:
References: <494245570200002D0000D172@mail.ingenuityieq.com>
Message-ID: <49424C200200007500039023@inet.eastcobbgroup.com>

iFolder 3.7 doesn't obfuscate at all. It lists the files just as they are in the folder on the local machine. The only way around this I know of is to use encryption.

-jt

James Taylor
The East Cobb Group, Inc.
678-697-9420
james.taylor at eastcobbgroup.com
http://www.eastcobbgroup.com

>>> 12/12/2008 11:15 AM >>>
Yes, after our testing I would have to agree that it did just add a layer of complexity so when we do eventually roll it out we will be using a POSIX filesystem, any suggestions as to which filesystem, ext3, Reiser, our users are typically using many small files so I was thinking Reiser but I am not sure how iFolder obfuscates the filesystem? Thanks.

Tim

"Mike Brady"
Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
12/12/2008 11:05 AM
Please respond to Novell LAN Interest Group

To
cc
Subject Re: Linux File System Question

I am curious why you would want to use NSS for the filesystem for iFolder. Doesn't it just add a layer of unneeded complexity? It's very possible I am missing something here too, so feel free to educate me. Thanks.

>>> 12/12/08 10:24 AM >>>
I did set up an iFolder 3.6 test implementation and used NSS for the iFolder datastore and there is also a section in the iFolder 3.7 documentation specifically addressing prerequisites to using NSS for the datastore, the gist is make sure you have NSS set up before installing iFolder and there is some info regarding EVMS use for managing NSS volumes, special considerations for system devices on EVMS (a definite Joe D. no no ;-)). IIRC the config was pretty straightforward and worked well. If you are going the POSIX file system route then Mike's the man.

T2

"Christopher Mangiarelli"
Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
12/12/2008 09:29 AM
Please respond to Novell LAN Interest Group

"Novell LAN Interest Group"
cc
Subject Re: Linux File System Question

In iFolder 3.7, you specify a place to install it to during installation. This location hosts various database files mapping the users to their files. It also creates a directory where default iFolder data will be stored. After installation is complete, you can configure other datastores to add space to your implementation.
The iFolder service will use whatever datastore has the most space first which in most cases is probably a large datastore you put aside for ifolder in the first place. However, it doesn't consider the fact that you might fill that datastore and revert back to using the default datastore (which in my case is on the same partition as my OS). I'm going to try Mike's idea since he seems to have been in the same boat as myself before.

On Fri, Dec 12, 2008 at 9:01 AM, Steve Ricketts <sricketts at esitechadvisors.com> wrote:
> I don't know if it is best practice or not but I do know with ifolder
> 3.6 you can redirect the datastore to another location..ie NSS
> Volume..but I believe this has to be done on install...I've done it at a
> client site but would have to go back and refer to my notes on it. I do
> remember the key there is making sure the wwwrun user and the wwwgroup
> has rights to that location.
>
> Steve
>
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From cmangiarelli at gmail.com Fri Dec 12 16:34:38 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Fri, 12 Dec 2008 11:34:38 -0500
Subject: Linux File System Question
In-Reply-To:
References: <494245570200002D0000D172@mail.ingenuityieq.com>
Message-ID:

Mike, this was a new install. We used to have an old ifolder 2.x system on NW running but it was removed a few months ago to free up space for file storage on our department shared space. "Robbing from Peter to pay Paul" (basically, OMG we need space for dept shares, lets dismantle ifolder and give it to the shared drive... then a few months later, OMG we need ifolder working again).

I decided to stick with POSIX myself for the ifolder data storage as I didn't want to complicate things with NSS.

As for my moving the system, all looks good. First I shut down apache. Then I unmounted /var/simias/data/raid (this is where I have my secondary 900GB datastore mounted). Then I renamed /var/simias to /var/simias.old. I then mounted my 200GB of free space on my mirrored array to /var/simias. I copied my old data back to /var/simias from /var/simias.old. I fixed my raid5 mount point on /var/simias/data/raid5 (the rename of the parent pointed my mount point to the new simias.old directory). Remounted /var/simias/data/raid5. Restarted apache and now the ifolder admin interface reports about 190GB free on its default datastore so I think my OS is now insulated from accidentally filling the 900GB storage.
Now if only I could fix those three things I posted in another thread and I would be done. No responses on the Novell forums and I even opened a ticket with NTS to get this fixed as I am under the gun here. -- Christopher Mangiarelli cmangiarelli at gmail.com From TJohnson at lancaster.wnyric.org Fri Dec 12 16:45:47 2008 From: TJohnson at lancaster.wnyric.org (TJohnson at lancaster.wnyric.org) Date: Fri, 12 Dec 2008 11:45:47 -0500 Subject: Linux File System Question In-Reply-To: <49424C200200007500039023@inet.eastcobbgroup.com> References: <494245570200002D0000D172@mail.ingenuityieq.com> <49424C200200007500039023@inet.eastcobbgroup.com> Message-ID: James, Thanks, I was not aware of that, do you know if that was the case for 3.6 as well? T2 "James Taylor" To Sent by: "Novell LAN Interest Group" novell-bounces at ne tlab1.oucs.ox.ac. cc uk Subject Re: Linux File System Question 12/12/2008 11:34 AM Please respond to Novell LAN Interest Group I folder 3.7 doesn't obfuscate at all. It lists the files just as they are in the folder on the local machine. The only way around this I know of is to use encryption. -jt James Taylor The East Cobb Group, Inc. 678-697-9420 james.taylor at eastcobbgroup.com http://www.eastcobbgroup.com >>> 12/12/2008 11:15 AM >>> Yes, after our testing I would have to agree that it did just add layer of complexity so when we do eventually roll it out we will be using a POSIX filesystem, any suggestions as to which filesystem, ext3, Reiser, our users are typically using many small files so I was thinking Reiser but I am not sure how iFolder obfuscates the filesystem? Thanks. Tim "Mike Brady" To Sent by: novell-bounces at ne cc tlab1.oucs.ox.ac. uk Subject Re: Linux File System Question 12/12/2008 11:05 AM Please respond to Novell LAN Interest Group I am curious why you would want to use NSS for the filesystem for iFolder. Doesn't it just add a layer of unneeded complexity? 
It's very possible I am missing something here too, so feel free to educate me. Thanks. >>> 12/12/08 10:24 AM >>> I did setup an iFolder 3.6 test implementation and used NSS for the iFolder datastore and there is also a section in the iFolder 3.7 documentation specifically addressing prerequisites to using NSS for the datastore, the jist is make sure you have NSS setup before installing iFolder and there is some info regarding EVMS use for managing NSS volumes, special considerations for system devices on EVMS (a definite Joe D. no no ;-)). IIRC the config was pretty straight forward and worked well. if you are going the POSIX file system route then Mike's the man. T2 "Christopher Mangiarelli" "Novell LAN Interest Group" Sent by: novell-bounces at ne cc tlab1.oucs.ox.ac. uk Subject Re: Linux File System Question 12/12/2008 09:29 AM Please respond to Novell LAN Interest Group In iFolder 3.7, you specify a place to install it to during installation. This location hosts various database files mapping the users to their files. It also creates a directory where default iFolder data will be stored. After installation is complete, you can configure other datastores to add space to your implementation. The iFolder service will use whatever datastore has the most space first which in most cases is probably a large datastore you put aside for ifolder in the first place. However, it doesn't consider the fact that you might fill that datastore and revert back to using the default datastore (which in my case is on the same partition as my OS). I'm going to try Mike's idea since he seems to have been in the same boat as myself before. 
On Fri, Dec 12, 2008 at 9:01 AM, Steve Ricketts <sricketts at esitechadvisors.com> wrote:
> I don't know if it is best practice or not but I do know with ifolder
> 3.6 you can redirect the datastore to another location..ie NSS
> Volume..but I believe this has to be done on install...I've done it at a
> client site but would have to go back and refer to my notes on it. I do
> remember the key there is making sure the wwwrun user and the wwwgroup
> has rights to that location.
>
> Steve
>
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From joe.doupnik at oucs.ox.ac.uk Fri Dec 12 16:54:39 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik)
Date: Fri, 12 Dec 2008 16:54:39 +0000
Subject: Linux File System Question
In-Reply-To:
References: <494245570200002D0000D172@mail.ingenuityieq.com>
Message-ID: <4942974F.3020103@oucs.ox.ac.uk>

TJohnson at lancaster.wnyric.org wrote:
> Yes, after our testing I would have to agree that it did just add layer of
> complexity so when we do eventually roll it out we will be using a POSIX
> filesystem, any suggestions as to which filesystem, ext3, Reiser, our users
> are typically using many small files so I was thinking Reiser but I am not
> sure how iFolder obfuscates the filesystem?
>
> Thanks.
>
> Tim
-----------
You will likely get a variety of responses. Here are mine.

ReiserFS3 development is static, on the way out. When it breaks it does so in grand style, be prepared to wait long times or restore from backups. The subblock allocation "feature" turns out to be expensive, and can work only for files smaller than 4KB. I think it wise to not create new Reiser file systems.

EXT3 is fine for desktops, not so fine for servers. It also will delay a reboot by very long times to do an unnecessary fsck. It is not all that smart about large directories nor about scattering things all over.
There are many bugs, most small and unseen with desktop use. A recent discovery is the journal was not protected against self corruption. GRUB likely cannot replay a journal if EXT3 is used on /boot. Don't put tens of thousands of files in one directory.

XFS is often the file system of choice amongst experienced Unix/Linux system managers. It has all the mod cons, is quick and smart, and has no trouble with huge directories or huge files. There are two downsides to be aware of. One is GRUB has trouble dealing with /boot being within an XFS system, amongst many GRUB shortcomings. Put /boot on EXT2 and that's that. The second is a bug where dismounting an XFS system and quickly remounting it on another machine can result in problems due to the way cached metadata are flushed during a umount operation. This has been seen with clustering (thanks Tim and Mark), and I have submitted it as a formal bug within SLES 11 beta. No file system is free of bugs of some kind.

As mentioned here many times, my selection of file systems is like this:

    /boot         EXT2
    /             XFS
    /otherPOSIX   XFS
    security      NSS

I choose XFS for non-/boot. It has behaved well in my usage on both servers and desktops, including inadvertent power failures and such. Some experienced SLES team people think similarly. My choice has nothing to do with community opinions nor vendor warm fuzzies; it relies instead upon dealing with technical matters as I understand them.
Joe D.

From TJohnson at lancaster.wnyric.org Fri Dec 12 17:10:31 2008
From: TJohnson at lancaster.wnyric.org (TJohnson at lancaster.wnyric.org)
Date: Fri, 12 Dec 2008 12:10:31 -0500
Subject: Linux File System Question
In-Reply-To: <4942974F.3020103@oucs.ox.ac.uk>
References: <494245570200002D0000D172@mail.ingenuityieq.com> <4942974F.3020103@oucs.ox.ac.uk>
Message-ID:

Joe D.,

As always, excellent insight and information. I am definitely intrigued enough to give XFS a try on my test box and evaluate it for our SLES/OES2 SP1 tree roll out this summer.
With regards to the XFS clustering issue if I am going to run iPrint in a clustered environment I would assume my best bet is to use ext3 over reiser because of the stagnant development?

Once again thanks for sharing your insight.

T2

"Joe R. Doupnik"
Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
12/12/2008 11:54 AM
Please respond to Novell LAN Interest Group
To: Novell LAN Interest Group
cc:
Subject: Re: Linux File System Question

TJohnson at lancaster.wnyric.org wrote:
> Yes, after our testing I would have to agree that it did just add layer of
> complexity so when we do eventually roll it out we will be using a POSIX
> filesystem, any suggestions as to which filesystem, ext3, Reiser, our users
> are typically using many small files so I was thinking Reiser but I am not
> sure how iFolder obfuscates the filesystem?
>
> Thanks.
>
> Tim
-----------
You will likely get a variety of responses. Here are mine.

ReiserFS3 development is static, on the way out. When it breaks it does so in grand style, be prepared to wait long times or restore from backups. The subblock allocation "feature" turns out to be expensive, and can work only for files smaller than 4KB. I think it wise to not create new Reiser file systems.

EXT3 is fine for desktops, not so fine for servers. It also will delay a reboot by very long times to do an unnecessary fsck. It is not all that smart about large directories nor about scattering things all over. There are many bugs, most small and unseen with desktop use. A recent discovery is the journal was not protected against self corruption. GRUB likely cannot replay a journal if EXT3 is used on /boot. Don't put tens of thousands of files in one directory.

XFS is often the file system of choice amongst experienced Unix/Linux system managers. It has all the mod cons, is quick and smart, and has no trouble with huge directories or huge files. There are two downsides to be aware of. One is GRUB has trouble dealing with /boot being within an XFS system, amongst many GRUB shortcomings. Put /boot on EXT2 and that's that. The second is a bug where dismounting an XFS system and quickly remounting it on another machine can result in problems due to the way cached metadata are flushed during a umount operation. This has been seen with clustering (thanks Tim and Mark), and I have submitted it as a formal bug within SLES 11 beta. No file system is free of bugs of some kind.

As mentioned here many times, my selection of file systems is like this:

    /boot         EXT2
    /             XFS
    /otherPOSIX   XFS
    security      NSS

I choose XFS for non-/boot. It has behaved well in my usage on both servers and desktops, including inadvertent power failures and such. Some experienced SLES team people think similarly. My choice has nothing to do with community opinions nor vendor warm fuzzies; it relies instead upon dealing with technical matters as I understand them.
Joe D.

From joe.doupnik at oucs.ox.ac.uk Fri Dec 12 17:32:01 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik)
Date: Fri, 12 Dec 2008 17:32:01 +0000
Subject: Linux File System Question
In-Reply-To:
References: <494245570200002D0000D172@mail.ingenuityieq.com> <4942974F.3020103@oucs.ox.ac.uk>
Message-ID: <4942A011.4040009@oucs.ox.ac.uk>

TJohnson at lancaster.wnyric.org wrote:
> Joe D.,
>
> As always, excellent insight and information.
I am definitely intrigued
> enough to give XFS a try on my test box and evaluate it for our SLES/OES2
> SP1 tree roll out this summer.
>
> With regards to the XFS clustering issue if I am going to run iPrint in a
> clustered environment I would assume my best bet is to use ext3 over reiser
> because of the stagnant development?
>
> Once again thanks for sharing your insight.
>
> T2
-----------
I think you have summarised it correctly. iPrint material is transitory, tends to be large-ish files rather than zillions of them, and the files are reproducible (re-printable). Cheap and cheerful EXT3 will be just dandy.

Here is a small hint. When mounting a file system almost all support options to not update the atime field on files and directories.

    mount -o noatime,nodiratime ...

This saves updating metadata just because we read a file/directory, but it also interferes with some apps which deal with times of last touch (atime). Normal directory listings show mtime, time of last modification. XFS supports both options, and I add one more, logbufs=8, to provide enough metadata journaling workspace for efficiency, like this

    mount -o noatime,nodiratime,logbufs=8 ...

The logbufs part is icing on the cake; it can be omitted. We can specify these options in YaST | Partitioner | fstab options when creating file systems. They end up in /etc/fstab where we can further tinker with them.

Hint #2 is we can't go wrong by doing a sync or three before dismounting a file system. Command sync says please flush memory buffers to disk, now thank you. Standard Unix lore says state

    sync; sync; sync

to be triply safe. The semicolon is a logical end of line for shells, putting many commands onto one text line. SLES 11 beta now adds a sync command before dismounting files when shutting down a machine.
    man sync

The reason for this lore is Unix used to not flush things well on the way down, journaling was primitive at best, and pulling the power plug was a good way of clobbering a file system of that day.
Joe D.

From joea at j4computers.com Sat Dec 13 17:14:36 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Sat, 13 Dec 2008 12:14:36 -0500
Subject: OES/SLES startup question.
Message-ID: <4943A72C020000850005F1C3@FS-LIN-OES>

In the SLES (9) startup sequence, isn't there some place one can stash startup scripts, to run after the stuff in /etc/init.d/rcx.d runs?

I have some stuff that relies on a VNC screen running. Apparently, the vnc has not completed startup at the time "my stuff" runs.

Here is an error message that is trapped:

************************
Warning: Running as root

Xlib: connection to "localhost:5.0" refused by server
Xlib: No protocol specified

Error: Can't open display: localhost:5
*************************

Runs fine from command line, either from the VNC session or from a "normal" terminal screen, once VNC is known to be running.

I have resorted to running the scripts via cron every minute. There is code to exit if already running.

Suggestions?

joe a.

From joe.doupnik at oucs.ox.ac.uk Sat Dec 13 17:34:39 2008
From: joe.doupnik at oucs.ox.ac.uk (jrd)
Date: Sat, 13 Dec 2008 17:34:39 +0000
Subject: OES/SLES startup question.
In-Reply-To: <4943A72C020000850005F1C3@FS-LIN-OES>
References: <4943A72C020000850005F1C3@FS-LIN-OES>
Message-ID: <4943F22F.8090807@oucs.ox.ac.uk>

joea at j4computers.com wrote:
> In the SLES (9) startup sequence, isn't there some place one can stash startup scripts, to run after the stuff in /etc/init.d/rcx.d runs?
>
> I have some stuff that relies on a VNC screen running. Apparently, the vnc has not completed startup at the time "my stuff" runs.
>
> Here is an error message that is trapped:
>
> ************************
> Warning: Running as root
>
> Xlib: connection to "localhost:5.0" refused by server
> Xlib: No protocol specified
>
> Error: Can't open display: localhost:5
> *************************
>
> Runs fine from command line, either from the VNC session or from a "normal" terminal screen, once VNC is known to be running.
>
> I have resorted to running the scripts via cron every minute. There is code to exit if already running.
>
> Suggestions?
>
> joe a.
-------------
Put your material into a proper start script within /etc/init.d. State what must be started before this script. Then chkconfig -a your-script. There is likely a sample start script in /etc/init.d, else crib from an existing one. You can add a few sleep(seconds) calls and such to be patient.

    man chkconfig, man insserv

Here is the important section from my iptables script:

### BEGIN INIT INFO
# Provides: iptables
# Required-Start: network
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop:
# Description: IPTABLES IP filter
### END INIT INFO

Be sensitive to $names referring to a translation table in /etc, but non-$ names are names of services proper.
Joe D.

From Mark.Robinson at nds8.co.uk Sun Dec 14 00:42:57 2008
From: Mark.Robinson at nds8.co.uk (Mark Robinson)
Date: Sun, 14 Dec 2008 00:42:57 +0000
Subject: OES/SLES startup question.
In-Reply-To: <4943A72C020000850005F1C3@FS-LIN-OES>
References: <4943A72C020000850005F1C3@FS-LIN-OES>
Message-ID: <49445691020000AD0001F864@mail2.nds8.com>

Ok, you got me - I'm curious. What requires X???
---------------------------- Mark Robinson NDS8 Novell Platinum Solution Provider Mobile: +44 (0) 7900 570 400 Office: +44 (0) 131 538 8202 Fax: +44 (0) 131 453 6522 www.nds8.co.uk >>> On Saturday, 13 December, 2008 at 5:14 PM, in message <4943A72C020000850005F1C3 at FS-LIN-OES>, "joea at j4computers.com" wrote: > In the SLES (9) startup sequence, isn't there some place one can stash > startup scripts, to run after the stuff in /etc/init.d/rcx.d runs? > > I have some stuff that relies on a VNC screen running. Apparently, the vnc > has not completed startup at the time "my stuff" runs. > > Here is an error message that is trapped: > > ************************ > Warning: Running as root > > Xlib: connection to "localhost:5.0" refused by server > Xlib: No protocol specified > > Error: Can't open display: localhost:5 > ************************* > > Runs fine from command line, either from the VNC session or from a "normal" > terminal screen, once VNC is known to be running. > > I have resorted to running the scripts via cron every minute. There is code > to exit if already running. > > Suggestions? > > joe a. > > > _______________________________________________ > Novell mailing list > Novell at netlab1.oucs.ox.ac.uk > http://netlab1.usu.edu/mailman/listinfo/novell > > ***Scanned by M+ Guardian*** > > The information contained in this email is intended for the person to whom it is addressed and may contain confidential and/or privileged information. You should not copy, retain, forward or disclose its contents to anyone else, or take any action based upon it, if it is not addressed to you personally. If the message is received by anyone other than the addressee, please notify the sender and delete the message. NDS8 does not accept responsibility for changes made to this message after it was sent. 
Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. From joea at j4computers.com Sun Dec 14 13:33:35 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Sun, 14 Dec 2008 08:33:35 -0500 Subject: OES/SLES startup question. In-Reply-To: <49445691020000AD0001F864@mail2.nds8.com> References: <4943A72C020000850005F1C3@FS-LIN-OES> <49445691020000AD0001F864@mail2.nds8.com> Message-ID: <4944C4E0020000850005F1CF@FS-LIN-OES> >>> On 12/13/2008 at 7:42 PM, "Mark Robinson" wrote: > Ok, you got me - I'm curious. What requires X??? > > > > ---------------------------- > Mark Robinson > Using VNC to connect to a screen that is set up. Have GroupWise Agents started with the --show option, to display screens. Since running the agents with --show "can't be done" using the startup scripts installed when GW is installed, some one came up with the idea of using a VNC screen to display to. Works a treat, but you of course, have to use a vnc viewer to see them. Problem is, as noted, the scripts apparently have to be setup to run "late" in the startup process. I will experiment with Joe D's suggestions, but I am not hopeful. Mainly as it seems too complicated to get right via hacking. And the only way to test for success is to reboot the box. While this one is a VM, it still eats up time. (no reference to the time drift problem intended) joe a. From alandpearson at yahoo.com Sun Dec 14 14:40:57 2008 From: alandpearson at yahoo.com (Alan Pearson) Date: Sun, 14 Dec 2008 14:40:57 +0000 Subject: OES/SLES startup question. In-Reply-To: <4944C4E0020000850005F1CF@FS-LIN-OES> References: <4943A72C020000850005F1C3@FS-LIN-OES> <49445691020000AD0001F864@mail2.nds8.com> <4944C4E0020000850005F1CF@FS-LIN-OES> Message-ID: Silly question, on the groupwise agents.... 
Why not just install gwmon & use the web interfaces which give every bit as much info as the screens (gwmon to include all your agents in one place). While I'm sure the agent screens on NW were handy, I don't think they're that useful anymore. Just my 2p worth :) --- AlanP On 14 Dec 2008, at 13:33, joea at j4computers.com wrote: >>>> On 12/13/2008 at 7:42 PM, "Mark Robinson" >>>> wrote: >> Ok, you got me - I'm curious. What requires X??? >> >> >> >> ---------------------------- >> Mark Robinson >> > > > Using VNC to connect to a screen that is set up. Have GroupWise > Agents started with the --show option, to display screens. > > Since running the agents with --show "can't be done" using the > startup scripts installed when GW is installed, some one came up > with the idea of using a VNC screen to display to. Works a treat, > but you of course, have to use a vnc viewer to see them. > > Problem is, as noted, the scripts apparently have to be setup to run > "late" in the startup process. > > I will experiment with Joe D's suggestions, but I am not hopeful. > Mainly as it seems too complicated to get right via hacking. And > the only way to test for success is to reboot the box. While this > one is a VM, it still eats up time. (no reference to the time drift > problem intended) > > joe a. > > _______________________________________________ > Novell mailing list > Novell at netlab1.oucs.ox.ac.uk > http://netlab1.usu.edu/mailman/listinfo/novell From joea at j4computers.com Sun Dec 14 15:03:56 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Sun, 14 Dec 2008 10:03:56 -0500 Subject: OES/SLES startup question. In-Reply-To: References: <4943A72C020000850005F1C3@FS-LIN-OES> <49445691020000AD0001F864@mail2.nds8.com> <4944C4E0020000850005F1CF@FS-LIN-OES> Message-ID: <4944DA0C020000850005F1DD@FS-LIN-OES> >>> On 12/14/2008 at 9:40 AM, Alan Pearson wrote: > Silly question, on the groupwise agents.... 
>
> Why not just install gwmon & use the web interfaces which give every
> bit as much info as the screens (gwmon to include all your agents in
> one place).
>
> While I'm sure the agent screens on NW were handy, I don't think
> they're that useful anymore.
> Just my 2p worth :)
>
>
> ---
> AlanP
>

Old dogs? It's almost that simple.

joe a.

From James.Taylor at eastcobbgroup.com Sun Dec 14 19:42:38 2008
From: James.Taylor at eastcobbgroup.com (James Taylor)
Date: Sun, 14 Dec 2008 14:42:38 -0500
Subject: OES/SLES startup question.
In-Reply-To: <4944DA0C020000850005F1DD@FS-LIN-OES>
References: <4943A72C020000850005F1C3@FS-LIN-OES> <49445691020000AD0001F864@mail2.nds8.com> <4944C4E0020000850005F1CF@FS-LIN-OES> <4944DA0C020000850005F1DD@FS-LIN-OES>
Message-ID: <49451B5E0200007500039187@inet.eastcobbgroup.com>

Simple doesn't even come close to describing what you're doing.
-jt

James Taylor
The East Cobb Group, Inc.
678-697-9420
james.taylor at eastcobbgroup.com
http://www.eastcobbgroup.com

>>> "joea at j4computers.com" 12/14/2008 10:03 AM >>>
>>> On 12/14/2008 at 9:40 AM, Alan Pearson wrote:

Old dogs? It's almost that simple.

joe a.

From Simon.Shilton at acustica.co.uk Mon Dec 15 00:03:14 2008
From: Simon.Shilton at acustica.co.uk (Simon Shilton)
Date: Mon, 15 Dec 2008 00:03:14 +0000
Subject: OES/SLES startup question.
In-Reply-To:
References: <4943A72C020000850005F1C3@FS-LIN-OES> <49445691020000AD0001F864@mail2.nds8.com> <4944C4E0020000850005F1CF@FS-LIN-OES>
Message-ID: <49459EC2020000AB0001315C@dylan.trident.acustica.co.uk>

or how about pointing GW8 web panels at your GW agent web interfaces? You can even set up a GW admin folder with multiple panels, each pointing to a different agent and see the whole lot from one place. No VNC, no NoMachine, no SSH and no X server required.
only snag I can see is if your POA dies :-) alternatively try NoMachine rather than VNC Simon >>> On 14 December 2008 at 14:40, in message , Alan Pearson wrote: Silly question, on the groupwise agents.... Why not just install gwmon & use the web interfaces which give every bit as much info as the screens (gwmon to include all your agents in one place). While I'm sure the agent screens on NW were handy, I don't think they're that useful anymore. Just my 2p worth :) --- AlanP On 14 Dec 2008, at 13:33, joea at j4computers.com wrote: >>>> On 12/13/2008 at 7:42 PM, "Mark Robinson" >>>> wrote: >> Ok, you got me - I'm curious. What requires X??? >> >> >> >> ---------------------------- >> Mark Robinson >> > > > Using VNC to connect to a screen that is set up. Have GroupWise > Agents started with the --show option, to display screens. > > Since running the agents with --show "can't be done" using the > startup scripts installed when GW is installed, some one came up > with the idea of using a VNC screen to display to. Works a treat, > but you of course, have to use a vnc viewer to see them. > > Problem is, as noted, the scripts apparently have to be setup to run > "late" in the startup process. > > I will experiment with Joe D's suggestions, but I am not hopeful. > Mainly as it seems too complicated to get right via hacking. And > the only way to test for success is to reboot the box. While this > one is a VM, it still eats up time. (no reference to the time drift > problem intended) > > joe a. > > _______________________________________________ > Novell mailing list > Novell at netlab1.oucs.ox.ac.uk > http://netlab1.usu.edu/mailman/listinfo/novell _______________________________________________ Novell mailing list Novell at netlab1.oucs.ox.ac.uk http://netlab1.usu.edu/mailman/listinfo/novell From joea at j4computers.com Mon Dec 15 02:36:02 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Sun, 14 Dec 2008 21:36:02 -0500 Subject: OES/SLES startup question. 
In-Reply-To: <49451B5E0200007500039187@inet.eastcobbgroup.com> References: <4943A72C020000850005F1C3@FS-LIN-OES> <49445691020000AD0001F864@mail2.nds8.com> <4944C4E0020000850005F1CF@FS-LIN-OES> <4944DA0C020000850005F1DD@FS-LIN-OES> <49451B5E0200007500039187@inet.eastcobbgroup.com> Message-ID: <49457C42020000850005F1E9@FS-LIN-OES> >>> On 12/14/2008 at 2:42 PM, "James Taylor" wrote: > Simple doesn't even come close to describing what you're doing. > -jt > I was referring to the "why" the "netware style" screens are desired. Web consoles are nice, but it seems a lot more unequivocal to see a screen in action on the box itself. joe a. From joea at j4computers.com Mon Dec 15 02:37:49 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Sun, 14 Dec 2008 21:37:49 -0500 Subject: OES/SLES startup question. In-Reply-To: <49459EC2020000AB0001315C@dylan.trident.acustica.co.uk> References: <4943A72C020000850005F1C3@FS-LIN-OES> <49445691020000AD0001F864@mail2.nds8.com> <4944C4E0020000850005F1CF@FS-LIN-OES> <49459EC2020000AB0001315C@dylan.trident.acustica.co.uk> Message-ID: <49457CAD020000850005F1ED@FS-LIN-OES> >>> On 12/14/2008 at 7:03 PM, "Simon Shilton" wrote: > or how about pointing GW8 web panels at your GW agent web interfaces? You can > even set up a GW admin folder with multiple panels, each pointing to a > different agent and see the whole lot from one place. No VNC, no NoMachine, > no SSH and no X server required. > > only snag I can see is if your POA dies :-) > > alternatively try NoMachine rather than VNC > Food for thought. Not everywhere I was thinking of adopting this scheme has GW8. joe a. From cmangiarelli at gmail.com Mon Dec 15 21:45:51 2008 From: cmangiarelli at gmail.com (Christopher Mangiarelli) Date: Mon, 15 Dec 2008 16:45:51 -0500 Subject: Certs in OES2 Message-ID: Anybody got a concise, easy to understand, explanation on how certs work under OES2/SLES10? My iFolder system was up and running but now it's broken.
The install created default server certs using the DNS name of the hostname of the server. However, my users need to use an english name (something that means something to them) to access their resources. I created a cname in DNS using the terminology I wanted and pointed it to the server's hostname. Even though the trusted root is in my webbrowser, it would still warn of site redirection. This is normal, however in the past I would create a third server cert using alt subject names for the resource in question using the server hostname, server ip, and resource common name. In NW, these certs are auto picked up by apps if they are pointed to the right certificate (ala. ldap for example) in edir. This doesn't seem to work on OES2. I'm honestly not sure what I did as I tried a bunch of stuff to get proper certs loaded. I used the YAST CA tool and that didn't work. I used the eDir iManager tools and those don't work. Now, whenever my server reboots it gets some self-signed certs (not even signed by my CA) in its /etc/ssl/servercerts directory. How do I get back to normal certs? How does the Yast CA tool interact with the iManager CA tools? I've tried all the tools in iManager for recreating default server certs. While in eDir I can see the normal SSL CertificateDNS/IP certs and they look good, the server is not using them. -- Christopher Mangiarelli cmangiarelli at gmail.com From A.Orde at leedsmet.ac.uk Tue Dec 16 12:42:56 2008 From: A.Orde at leedsmet.ac.uk (Orde, Angus) Date: Tue, 16 Dec 2008 12:42:56 -0000 Subject: restrict printing time-of-day Message-ID: <93ED589E60BA254F97435FE6C97F2C67048673CA@leedsmet-exch1.leedsmet.ac.uk> Hi folks, I have been asked if we can restrict printing for some CAD Lab plotters to only be available during the day (when staff are around). I don't think this is possible, at least not with the Netware 6.5sp7 NDPS/iPrint that we are using, but I thought I would check that I am not missing something.
It is certainly not something that we have looked into before. Do any of you restrict times when printing is allowed/available? Can it be done with NDPS/iPrint? Or any 3rd party software? Thanks, Angus From toomas.aas at raad.tartu.ee Tue Dec 16 13:58:37 2008 From: toomas.aas at raad.tartu.ee (Toomas Aas) Date: Tue, 16 Dec 2008 15:58:37 +0200 Subject: restrict printing time-of-day In-Reply-To: <93ED589E60BA254F97435FE6C97F2C67048673CA@leedsmet-exch1.leedsmet.ac.uk> References: <93ED589E60BA254F97435FE6C97F2C67048673CA@leedsmet-exch1.leedsmet.ac.uk> Message-ID: <4947B40D.2010004@raad.tartu.ee> Orde, Angus wrote: > I don't > think this is possible, at least not with the Netware 6.5sp7 NDPS/iPrint > that we are using, but I thought I would check that I am not missing > something. It is certainly not something that we have looked into > before. Quick and dirty idea - associate these printers with separate NDPS manager and load/unload it using cron. -- Toomas Aas From David.Sullivan at barnet.ac.uk Tue Dec 16 14:37:43 2008 From: David.Sullivan at barnet.ac.uk (David Sullivan) Date: Tue, 16 Dec 2008 14:37:43 -0000 Subject: restrict printing time-of-day In-Reply-To: <93ED589E60BA254F97435FE6C97F2C67048673CA@leedsmet-exch1.leedsmet.ac.uk> Message-ID: novell-bounces at netlab1.oucs.ox.ac.uk wrote: > Hi folks, > > I have been asked if we can restrict printing for some CAD > Lab plotters to only be available during the day (when staff > are around). I don't think this is possible, at least not > with the Netware 6.5sp7 NDPS/iPrint that we are using, but I > thought I would check that I am not missing something. It is > certainly not something that we have looked into before. > > Do any of you restrict times when printing is allowed/available? > Can it be done with NDPS/iPrint? > Or any 3rd party software?
> If you can stick it on another subnet from the print server time based access lists are easy using Cisco IOS, may also be possible with other routers. David. From RGrein at tpchd.org Tue Dec 16 18:01:06 2008 From: RGrein at tpchd.org (Randy Grein) Date: Tue, 16 Dec 2008 10:01:06 -0800 Subject: restrict printing time-of-day In-Reply-To: <93ED589E60BA254F97435FE6C97F2C67048673CA@leedsmet-exch1.leedsmet.ac.uk> References: <93ED589E60BA254F97435FE6C97F2C67048673CA@leedsmet-exch1.leedsmet.ac.uk> Message-ID: <49477C62.811E.0072.0@tpchd.org> I could have sworn there was a knob for this somewhere, but no - at least not that I've found. It should be possible to schedule a command through NRM to stop and start printer input, but I can't find the syntax. Randy Grein Sr. Network Engineer >>> "Orde, Angus" 12/16/2008 4:42 AM >>> Hi folks, I have been asked if we can restrict printing for some CAD Lab plotters to only be available during the day (when staff are around). I don't think this is possible, at least not with the Netware 6.5sp7 NDPS/iPrint that we are using, but I thought I would check that I am not missing something.
It is certainly not something that we have looked into before. Do any of you restrict times when printing is allowed/available? Can it be done with NDPS/iPrint? Or any 3rd party software? Thanks, Angus From toomas.aas at raad.tartu.ee Wed Dec 17 09:59:54 2008 From: toomas.aas at raad.tartu.ee (Toomas Aas) Date: Wed, 17 Dec 2008 11:59:54 +0200 Subject: Encryption of local files Message-ID: <4948CD9A.8070401@raad.tartu.ee> Quick poll - what is everyone using for encrypting locally stored files on user workstations? We have a written policy which specifically states that all files should be kept on server but this is not always possible. I looked into EFS (our workstations are currently Windows XP SP2/SP3), but it seems to create some administration problems which cannot be centrally managed. Is there anything out there that integrates nicely with our existing environment (NW65SP7, eDir 8.7.3)?
-- Toomas Aas -------------------------------------------------------- |arvutivõrgu peaspetsialist | head specialist on computer networks| |Tartu Linnakantselei | Tartu City Office | skype: toomas_aas ----------------------------------- +372 736 1274 From petervl at gmail.com Thu Dec 18 15:00:09 2008 From: petervl at gmail.com (Peter Van Lone) Date: Thu, 18 Dec 2008 09:00:09 -0600 Subject: Certs in OES2 In-Reply-To: References: Message-ID: <68b791330812180700p5cd4f0f7o7a143ea1e8ce49a4@mail.gmail.com> yikes --- call Novell support, and then let us all know what fixed it, please? Peter On Mon, Dec 15, 2008 at 3:45 PM, Christopher Mangiarelli wrote: > Anybody got a concise, easy to understand, explanation on how certs work > under OES2/SLES10? > > My iFolder system was up and running but now it's broken. The install > created default server certs using the DNS name of the hostname of the > server. However, my users need to use an english name (something that means > something to them) to access their resources. I created a cname in DNS > using the terminology I wanted and pointed it to the server's hostname. > Even though the trusted root is in my webbrowser, it would still warn of > site redirection. This is normal, however in the past I would create a > third server cert using alt subject names for the resource in question using > the server hostname, server ip, and resource common name. In NW, these > certs are auto picked up by apps if they are pointed to the right > certificate (ala. ldap for example) in edir. This doesn't seem to work on > OES2. > > I'm honestly not sure what I did as I tried a bunch of stuff to get proper > certs loaded. I used the YAST CA tool and that didn't work. I used the > eDir iManager tools and those don't work. Now, whenever my server reboots > it gets some self-signed certs (not even signed by my CA) in its > /etc/ssl/servercerts directory. How do I get back to normal certs?
How > does the Yast CA tool interact with the iManager CA tools? > > I've tried all the tools in iManager for recreating default server certs. > While in eDir I can see the normal SSL CertificateDNS/IP certs and they look > good, the server is not using them. > > -- > Christopher Mangiarelli > cmangiarelli at gmail.com > From cmangiarelli at gmail.com Thu Dec 18 15:22:16 2008 From: cmangiarelli at gmail.com (Christopher Mangiarelli) Date: Thu, 18 Dec 2008 10:22:16 -0500 Subject: iFolder 3.7 - 3 issues after installation In-Reply-To: References: Message-ID: Even though nobody responded, I thought I would update in case other people walk my path. 1. Sharing doesn't work if you use passphrase-based encryption. In order to share ifolders, they have to be unencrypted. 2. Not sure what happened, but the problem fixed itself. 3. This problem is still unresolved so I've taken to making search DN changes either through Yast > OES Install and Config or editing /var/simias/data/simias/Simias.config directly. On Thu, Dec 11, 2008 at 8:13 PM, Christopher Mangiarelli < cmangiarelli at gmail.com> wrote: > I just posted this on the Novell forums, but thought maybe somebody here is > familiar with ifolder and may have run into these same issues after > installation: > > I have a brand new ifolder 3.7 implementation running on OES2 SP1 / SLES10 > SP2. While the basics of ifolder are functioning, I have three issues with > the implementation: > > 1. Sharing doesn't appear to be working. It is enabled on the global > policy as well as on every user and group. However, the buttons on the > windows client to add users are greyed out. > > 2. I have encryption turned on.
When a person accesses the web interface > and logs in, they can see all their ifolders; but when they click on one, it > asks for their passphrase but doesn't seem to accept it. I've verified the > passphrases are being typed correctly. > > 3. I can't seem to edit the LDAP search contexts via the web admin tool. > When I attempt to add a new search DN, it throws me a weird ldap/java > error. If I use Yast > OES > Install and Config, I can add new DNs fine, > but would prefer to edit this via the web interface. Any ideas? I'm > sorry, I don't have the exact error in front of me but I thought describing > it might sound familiar to somebody else who had the same problem. > -- Christopher Mangiarelli cmangiarelli at gmail.com From cmangiarelli at gmail.com Thu Dec 18 15:18:45 2008 From: cmangiarelli at gmail.com (Christopher Mangiarelli) Date: Thu, 18 Dec 2008 10:18:45 -0500 Subject: Certs in OES2 In-Reply-To: <68b791330812180700p5cd4f0f7o7a143ea1e8ce49a4@mail.gmail.com> References: <68b791330812180700p5cd4f0f7o7a143ea1e8ce49a4@mail.gmail.com> Message-ID: Novell fixed the cert issue by deleting all certs in eDir and using "ndsconfig upgrade" from the linux command prompt. However, this reverted my server back to default certs which of course don't work well due to the site redirection issue mentioned below. I have not yet been able to get a resolution to that problem from Novell. As far as I can tell, the Yast CA is separate and unused after eDir is online and uses its CA to mint certs and saves them to the linux filesystem where OES apps are pointing to standard file locations (ie. /etc/ssl/servercerts). I have an idea on my site redirection link, but I am trying to figure out how to get a cert out of edir (.der/.pks12) format and into the formats for apache (.pem/.cert/.key). On Thu, Dec 18, 2008 at 10:00 AM, Peter Van Lone wrote: > yikes --- call Novell support, and then let us all know what fixed it, > please?
> > Peter > > > On Mon, Dec 15, 2008 at 3:45 PM, Christopher Mangiarelli > wrote: > > Anybody got a concise, easy to understand, explanation on how certs work > > under OES2/SLES10? > > > > My iFolder system was up and running but now it's broken. The install > > created default server certs using the DNS name of the hostname of the > > server. However, my users need to use an english name (something that > means > > something to them) to access their resources. I created a cname in DNS > > using the terminology I wanted and pointed it to the server's hostname. > > Even though the trusted root is in my webbrowser, it would still warn of > > site redirection. This is normal, however in the past I would create a > > third server cert using alt subject names for the resource in question > using > > the server hostname, server ip, and resource common name. In NW, these > > certs are auto picked up by apps if they are pointed to the right > > certificate (ala. ldap for example) in edir. This doesn't seem to work > on > > OES2. > > > > I'm honestly not sure what I did as I tried a bunch of stuff to get > proper > > certs loaded. I used the YAST CA tool and that didn't work. I used the > > eDir iManager tools and those don't work. Now, whenever my server > reboots > > it gets some self-signed certs (not even signed by my CA) in its > > /etc/ssl/servercerts directory. How do I get back to normal certs? How > > does the Yast CA tool interact with the iManager CA tools? > > > > I've tried all the tools in iManager for recreating default server certs. > > While in eDir I can see the normal SSL CertificateDNS/IP certs and they > look > > good, the server is not using them.
> -- Christopher Mangiarelli cmangiarelli at gmail.com From bbrush at gmail.com Thu Dec 18 15:33:07 2008 From: bbrush at gmail.com (Bill Brush) Date: Thu, 18 Dec 2008 09:33:07 -0600 Subject: iFolder 3.7 - 3 issues after installation In-Reply-To: References: Message-ID: <167f4090812180733j546aca12sde1d681d7ca4aa98@mail.gmail.com> Thank you for updating. I do anticipate a 3.7 upgrade in the near future. Bill On Thu, Dec 18, 2008 at 9:22 AM, Christopher Mangiarelli wrote: > Even though nobody responded, I thought I would update in case other people > walk my path. > From James.Taylor at eastcobbgroup.com Thu Dec 18 15:33:30 2008 From: James.Taylor at eastcobbgroup.com (James Taylor) Date: Thu, 18 Dec 2008 10:33:30 -0500 Subject: iFolder 3.7 - 3 issues after installation In-Reply-To: References: Message-ID: <494A26FA0200007500040099@inet.eastcobbgroup.com> I saw your earlier posting, but I've been spending the last couple of weeks getting ifolder 3.7 working in an AD environment. What a bear. But it does work, finally. The docs for this are basically non-existent, so I plan on posting my procedures online when I get time. Question - I still haven't spent any time on setting up multiple context searches. What is the format of your simias.config file for context settings? -jt James Taylor The East Cobb Group, Inc. 678-697-9420 james.taylor at eastcobbgroup.com http://www.eastcobbgroup.com >>> "Christopher Mangiarelli" 12/18/2008 10:22 AM >>> Even though nobody responded, I thought I would update in case other people walk my path. 1. Sharing doesn't work if you use passphrase-based encryption. In order to share ifolders, they have to be unencrypted. 2. Not sure what happened, but the problem fixed itself. 3. This problem is still unresolved so I've taken to making search DN changes either through Yast > OES Install and Config or editing /var/simias/data/simias/Simias.config directly. 
On Thu, Dec 11, 2008 at 8:13 PM, Christopher Mangiarelli < cmangiarelli at gmail.com> wrote: > I just posted this on the Novell forums, but thought maybe somebody here is > familiar with ifolder and may have run into these same issues after > installation: > > I have a brand new ifolder 3.7 implementation running on OES2 SP1 / SLES10 > SP2. While the basics of ifolder are functioning, I have three issues with > the implementation: > > 1. Sharing doesn't appear to be working. It is enabled on the global > policy as well as on every user and group. However, the buttons on the > windows client to add users are greyed out. > > 2. I have encryption turned on. When a person accesses the web interface > and logs in, they can see all their ifolders; but when they click on one, it > asks for their passphrase but doesn't seem to accept it. I've verified the > passphrases are being typed correctly. > > 3. I can't seem to edit the LDAP search contexts via the web admin tool. > When I attempt to add a new search DN, it throws me a weird ldap/java > error. If I use Yast > OES > Install and Config, I can add new DNs fine, > but would prefer to edit this via the web interface. Any ideas? I'm > sorry, I don't have the exact error in front of me but I thought describing > it might sound familiar to somebody else who had the same problem. > -- Christopher Mangiarelli cmangiarelli at gmail.com From James.Taylor at eastcobbgroup.com Thu Dec 18 15:36:31 2008 From: James.Taylor at eastcobbgroup.com (James Taylor) Date: Thu, 18 Dec 2008 10:36:31 -0500 Subject: Certs in OES2 In-Reply-To: References: <68b791330812180700p5cd4f0f7o7a143ea1e8ce49a4@mail.gmail.com> Message-ID: <494A27AF02000075000400A6@inet.eastcobbgroup.com> You should be able to create custom certs from iManager and apache should use them.
I did that for one of my servers during the beta for OES2, and it worked well. Did you specify to use eDir certs during the OES2 install? -jt James Taylor The East Cobb Group, Inc. 678-697-9420 james.taylor at eastcobbgroup.com http://www.eastcobbgroup.com >>> "Christopher Mangiarelli" 12/18/2008 10:18 AM >>> Novell fixed the cert issue by deleting all certs in eDir and using "ndsconfig upgrade" from the linux command prompt. However, this reverted my server back to default certs which of course don't work well due to the site redirection issue mentioned below. I have not yet been able to get a resolution to that problem from Novell. As far as I can tell, the Yast CA is separate and unused after eDir is online and uses its CA to mint certs and saves them to the linux filesystem where OES apps are pointing to standard file locations (ie. /etc/ssl/servercerts). I have an idea on my site redirection link, but I am trying to figure out how to get a cert out of edir (.der/.pks12) format and into the formats for apache (.pem/.cert/.key). On Thu, Dec 18, 2008 at 10:00 AM, Peter Van Lone wrote: > yikes --- call Novell support, and then let us all know what fixed it, > please? > > Peter > > > On Mon, Dec 15, 2008 at 3:45 PM, Christopher Mangiarelli > wrote: > > Anybody got a concise, easy to understand, explanation on how certs work > > under OES2/SLES10? > > > > My iFolder system was up and running but now it's broken. The install > > created default server certs using the DNS name of the hostname of the > > server. However, my users need to use an english name (something that > means > > something to them) to access their resources. I created a cname in DNS > > using the terminology I wanted and pointed it to the server's hostname. > > Even though the trusted root is in my webbrowser, it would still warn of > > site redirection. 
This is normal, however in the past I would create a > > third server cert using alt subject names for the resource in question > using > > the server hostname, server ip, and resource common name. In NW, these > > certs are auto picked up by apps if they are pointed to the right > > certificate (ala. ldap for example) in edir. This doesn't seem to work > on > > OES2. > > > > I'm honestly not sure what I did as I tried a bunch of stuff to get > proper > > certs loaded. I used the YAST CA tool and that didn't work. I used the > > eDir iManager tools and those don't work. Now, whenever my server > reboots > > it gets some self-signed certs (not even signed by my CA) in its > > /etc/ssl/servercerts directory. How do I get back to normal certs? How > > does the Yast CA tool interact with the iManager CA tools? > > > > I've tried all the tools in iManager for recreating default server certs. > > While in eDir I can see the normal SSL CertificateDNS/IP certs and they > look > > good, the server is not using them. > -- Christopher Mangiarelli cmangiarelli at gmail.com From joea at j4computers.com Thu Dec 18 16:25:10 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Thu, 18 Dec 2008 11:25:10 -0500 Subject: Certs in OES2 Message-ID: <494A3318020000850005F22A@FS-LIN-OES> >As far as I can tell, the Yast CA is separate and unused after eDir is >online and uses its CA to mint certs and saves them to the linux filesystem >where OES apps are pointing to standard file locations (ie. >/etc/ssl/servercerts). > >I have an idea on my site redirection link, but I am trying to figure out >how to get a cert out of edir (.der/.pks12) format and into the formats for >apache (.pem/.cert/.key).
Perhaps this will help you: See "Recreating Server Certificates on OES Linux" http://wiki.novell.com/index.php/Linux_pkidiag_process I can send you a script I used to automate the process. joe a. From cmangiarelli at gmail.com Thu Dec 18 16:55:05 2008 From: cmangiarelli at gmail.com (Christopher Mangiarelli) Date: Thu, 18 Dec 2008 11:55:05 -0500 Subject: Certs in OES2 In-Reply-To: <494A3318020000850005F22A@FS-LIN-OES> References: <494A3318020000850005F22A@FS-LIN-OES> Message-ID: James, feel free to let me know how to do that. I used iManager to produce a certificate using alternate subject names, but right now I have no way to get that out of eDir and onto the server for Apache to use. Yes, I did specify to use edir certs, but all that does is export the default certs to the local filesystem. You do not get the option to add alternative subject names to the default ssl certs during install nor do the existing tools for creating default server certs let you make those alterations. It seems Novell only wants the default server certs to contain the server hostname and IP address. If you want to associate other hostnames or IP addresses, you have to create a custom cert and find a way to manually export them. Joe, I was told that the method Novell used was the preferred (read supported) method for recreating default server certificates in an OES2 world. I remember doing the manual process on my SLES9/OES1 servers but was told that Novell made changes to the newer software to avoid having users process complex commands to renew certs. However, that link does tell me how to use openssl to convert the pfx to pem files so that might help me a bit there. On Thu, Dec 18, 2008 at 11:25 AM, joea at j4computers.com wrote: > >As far as I can tell, the Yast CA is separate and unused after eDir is > >online and uses its CA to mint certs and saves them to the linux > filesystem > >where OES apps are pointing to standard file locations (ie. > >/etc/ssl/servercerts). 
> > > >I have an idea on my site redirection link, but I am trying to figure out > >how to get a cert out of edir (.der/.pks12) format and into the formats > for > >apache (.pem/.cert/.key). > > > Perhaps this will help you: > > See "Recreating Server Certificates on OES Linux" > http://wiki.novell.com/index.php/Linux_pkidiag_process > > I can send you a script I used to automate the process. > > joe a. > -- Christopher Mangiarelli cmangiarelli at gmail.com From cmangiarelli at gmail.com Thu Dec 18 16:57:27 2008 From: cmangiarelli at gmail.com (Christopher Mangiarelli) Date: Thu, 18 Dec 2008 11:57:27 -0500 Subject: iFolder 3.7 - 3 issues after installation In-Reply-To: <494A26FA0200007500040099@inet.eastcobbgroup.com> References: <494A26FA0200007500040099@inet.eastcobbgroup.com> Message-ID:
On Thu, Dec 18, 2008 at 10:33 AM, James Taylor < James.Taylor at eastcobbgroup.com> wrote: > I saw your earlier posting, but I've been spending the last couple of weeks > getting ifolder 3.7 working in an AD environment. > What a bear. But it does work, finally. > The docs for this are basically non-existent, so I plan on posting my > procedures online when I get time. > > Question - I still haven't spent any time on setting up multiple context > searches. What is the format of your simias.config file for context > settings? > > -jt > > > James Taylor > The East Cobb Group, Inc. > 678-697-9420 > james.taylor at eastcobbgroup.com > http://www.eastcobbgroup.com > > > > >>> "Christopher Mangiarelli" 12/18/2008 10:22 AM > >>> > Even though nobody responded, I thought I would update in case other people > walk my path. > > 1. Sharing doesn't work if you use passphrase-based encryption. In order > to > share ifolders, they have to be unencrypted. > > 2. Not sure what happened, but the problem fixed itself. > > 3. This problem is still unresolved so I've taken to making search DN > changes either through Yast > OES Install and Config or editing > /var/simias/data/simias/Simias.config directly. > > On Thu, Dec 11, 2008 at 8:13 PM, Christopher Mangiarelli < > cmangiarelli at gmail.com> wrote: > > > I just posted this on the Novell forums, but thought maybe somebody here > is > > familiar with ifolder and may have run into these same issues after > > installation: > > > > I have a brand new ifolder 3.7 implementation running on OES2 SP1 / > SLES10 > > SP2. While the basics of ifolder are functioning, I have three issues > with > > the implementation: > > > > 1. Sharing doesn't appear to be working. It is enabled on the global > > policy as well as on every user and group. However, the buttons on the > > windows client to add users are greyed out. > > > > 2. I have encryption turned on.
When a person accesses the web interface > > and logs in, they can see all their ifolders; but when they click on one, > it > > asks for their passphrase but doesn't seem to accept it. I've verified > the > > passphrases are being typed correctly. > > > > 3. I can't seem to edit the LDAP search contexts via the web admin tool. > > When I attempt to add a new search DN, it throws me a weird ldap/java > > error. If I use Yast > OES > Install and Config, I can add new DNs fine, > > but would prefer to edit this via the web interface. Any ideas? I'm > > sorry, I don't have the exact error in front of me but I thought > describing > > it might sound familiar to somebody else who had the same problem. > -- Christopher Mangiarelli cmangiarelli at gmail.com From cparker at utah.gov Thu Dec 18 17:11:33 2008 From: cparker at utah.gov (Curtis Parker) Date: Thu, 18 Dec 2008 10:11:33 -0700 Subject: Brainshare 2009 is cancelled In-Reply-To: References: Message-ID: <494A21D5.694B.008B.1@utah.gov> Have you all seen the letter on the brainshare website? bummer. http://www.novell.com/brainshare Curtis Parker State of Utah, Department of Technology Services cparker at utah.gov 801-538-3551 From bbrush at gmail.com Thu Dec 18 17:14:33 2008 From: bbrush at gmail.com (Bill Brush) Date: Thu, 18 Dec 2008 11:14:33 -0600 Subject: Brainshare 2009 is cancelled In-Reply-To: <494A21D5.694B.008B.1@utah.gov> References: <494A21D5.694B.008B.1@utah.gov> Message-ID: <167f4090812180914q6a3f6bfcia2adc8676dc75a82@mail.gmail.com> Yep. Not only does it suck that it's cancelled, but it also sucks that it feeds all the doomcriers heralding Novell's imminent demise. :-/ Bill On Thu, Dec 18, 2008 at 11:11 AM, Curtis Parker wrote: > Have you all seen the letter on the brainshare website? bummer.
> http://www.novell.com/brainshare > From James.Taylor at eastcobbgroup.com Thu Dec 18 17:16:55 2008 From: James.Taylor at eastcobbgroup.com (James Taylor) Date: Thu, 18 Dec 2008 12:16:55 -0500 Subject: Certs in OES2 In-Reply-To: References: <494A3318020000850005F22A@FS-LIN-OES> Message-ID: <494A3F37020000750004010B@inet.eastcobbgroup.com> I'll check on this again when I get a chance. I don't recall all the details, so maybe I am remembering imperfectly. (I wouldn't want to admit I was wrong now, would I?) -jt James Taylor The East Cobb Group, Inc. 678-697-9420 james.taylor at eastcobbgroup.com http://www.eastcobbgroup.com >>> "Christopher Mangiarelli" 12/18/2008 11:55 AM >>> James, feel free to let me know how to do that. I used iManager to produce a certificate using alternate subject names, but right now I have no way to get that out of eDir and onto the server for Apache to use. Yes, I did specify to use edir certs, but all that does is export the default certs to the local filesystem. You do not get the option to add alternative subject names to the default ssl certs during install nor do the existing tools for creating default server certs let you make those alterations. It seems Novell only wants the default server certs to contain the server hostname and IP address. If you want to associate other hostnames or IP addresses, you have to create a custom cert and find a way to manually export them. Joe, I was told that the method Novell used was the preferred (read supported) method for recreating default server certificates in an OES2 world. I remember doing the manual process on my SLES9/OES1 servers but was told that Novell made changes to the newer software to avoid having users process complex commands to renew certs. However, that link does tell me how to use openssl to convert the pfx to pem files so that might help me a bit there. 
On Thu, Dec 18, 2008 at 11:25 AM, joea at j4computers.com wrote: > >As far as I can tell, the Yast CA is separate and unused after eDir is > >online and uses its CA to mint certs and saves them to the linux > filesystem > >where OES apps are pointing to standard file locations (ie. > >/etc/ssl/servercerts). > > > >I have an idea on my site redirection link, but I am trying to figure out > >how to get a cert out of edir (.der/.pks12) format and into the formats > for > >apache (.pem/.cert/.key). > > > Perhaps this will help you: > > See "Recreating Server Certificates on OES Linux" > http://wiki.novell.com/index.php/Linux_pkidiag_process > > I can send you a script I used to automate the process. > > joe a. > -- Christopher Mangiarelli cmangiarelli at gmail.com _______________________________________________ Novell mailing list Novell at netlab1.oucs.ox.ac.uk http://netlab1.usu.edu/mailman/listinfo/novell From James.Taylor at eastcobbgroup.com Thu Dec 18 17:17:27 2008 From: James.Taylor at eastcobbgroup.com (James Taylor) Date: Thu, 18 Dec 2008 12:17:27 -0500 Subject: iFolder 3.7 - 3 issues after installation In-Reply-To: References: <494A26FA0200007500040099@inet.eastcobbgroup.com> Message-ID: <494A3F57020000750004010E@inet.eastcobbgroup.com> Thanks, -jt James Taylor The East Cobb Group, Inc. 678-697-9420 james.taylor at eastcobbgroup.com http://www.eastcobbgroup.com >>> "Christopher Mangiarelli" 12/18/2008 11:57 AM >>>
On Thu, Dec 18, 2008 at 10:33 AM, James Taylor < James.Taylor at eastcobbgroup.com> wrote: > I saw your earlier posting, but I've been spending the last couple of weeks > getting ifolder 3.7 working in an AD environment. > What a bear. But it does work, finally. > The docs for this are basically non-existent, so I plan on posting my > procedures online when I get time. > > Question - I still haven't spent any time on setting up multiple context > searches. What is the format of your simias.config file for context > settings? > > -jt > > > James Taylor > The East Cobb Group, Inc. > 678-697-9420 > james.taylor at eastcobbgroup.com > http://www.eastcobbgroup.com > > > > >>> "Christopher Mangiarelli" 12/18/2008 10:22 AM > >>> > Even though nobody responded, I thought I would update in case other people > walk my path. > > 1. Sharing doesn't work if you use passphrase-based encryption. In order > to > share ifolders, they have to be unencrypted. > > 2. Not sure what happened, but the problem fixed itself. > > 3. This problem is still unresolved so I've taken to making search DN > changes either through Yast > OES Install and Config or editing > /var/simias/data/simias/Simias.config directly. > > On Thu, Dec 11, 2008 at 8:13 PM, Christopher Mangiarelli < > cmangiarelli at gmail.com> wrote: > > > I just posted this on the Novell forums, but thought maybe somebody here > is > > familiar with ifolder and may have run into these same issues after > > installation: > > > > I have a brand new ifolder 3.7 implementation running on OES2 SP1 / > SLESL10 > > SP2. While the basics of ifolder are functioning, I have three issues > with > > the implementation: > > > > 1. Sharing doesn't appear to be working. It is enabled on the global > > policy as well as on every user and group. However, the buttons on the > > windows client to add users are greyed out. > > > > 2. I have encryption turned on. 
When a person accesses the web interface > > and logs in, they can see all their ifolders; but when they click on one, > it > > asks for their passphrase but doesn't seem to accept it. I've verified > the > > passphrases are being typed correctly. > > > > 3. I can't seem to edit the LDAP search contexts via the web admin tool. > > When I attempt to add a new search DN, it throws me a weird ldap/java > > error. If I use Yast > OES > Install and Config, I can add new DNs fine, > > but would prefer to edit this via the web interface. Any idea's? I'm > > sorry, I don't have the exact error in front of me but I thought > describing > > it might sound familiar to somebody else who had the same problem. > -- Christopher Mangiarelli cmangiarelli at gmail.com _______________________________________________ Novell mailing list Novell at netlab1.oucs.ox.ac.uk http://netlab1.usu.edu/mailman/listinfo/novell From joe.doupnik at oucs.ox.ac.uk Thu Dec 18 17:24:10 2008 From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik) Date: Thu, 18 Dec 2008 17:24:10 +0000 Subject: Certs in OES2 In-Reply-To: References: <494A3318020000850005F22A@FS-LIN-OES> Message-ID: <494A873A.4080106@oucs.ox.ac.uk> Christopher Mangiarelli wrote: > James, feel free to let me know how to do that. I used iManager to produce > a certificate using alternate subject names, but right now I have no way to > get that out of eDir and onto the server for Apache to use. Yes, I did > specify to use edir certs, but all that does is export the default certs to > the local filesystem. You do not get the option to add alternative subject > names to the default ssl certs during install nor do the existing tools for > creating default server certs let you make those alterations. It seems > Novell only wants the default server certs to contain the server hostname > and IP address. If you want to associate other hostnames or IP addresses, > you have to create a custom cert and find a way to manually export them. 
>
> Joe, I was told that the method Novell used was the preferred (read
> supported) method for recreating default server certificates in an OES2
> world. I remember doing the manual process on my SLES9/OES1 servers but was
> told that Novell made changes to the newer software to avoid having users
> process complex commands to renew certs. However, that link does tell me
> how to use openssl to convert the pfx to pem files so that might help me a
> bit there.
----------
The Other Joe here this time.
If certs generated solely by the Novell CA (via iManager) are insufficient for some reason then I see a couple of alternatives.
One is generate a Cert Request and have the Novell CA process/sign that for you. You then add it to /etc/ssl/servercerts and tell Apache which to use.
The other is to generate your own using openSSL, even to the point of creating a new CA if needs be. See shell scripts CA.sh and CA.pl in /usr/share/ssl/misc.
Hunting for a very old presentation of mine on making your own: found it, here are screen scrapes of the several slides of interest:

> Apache, SSL Certificate
> Here there be tigers
> SSL configuration is an opaque puzzle
> There are three approaches
> Cheat and create with minimal info
> Slog through creating Certificate Authority et al.
> Understand this stuff and do it properly
> We show the first two
> Before starting, make these two subdirectories:
> mkdir /usr/local/apache2/conf/ssl.crt
> mkdir /usr/local/apache2/conf/ssl.key

> Making and using a Cert Auth
> cd /usr/share/ssl/misc
> cp CA myCA    (or CA.sh to myCA.sh)
> vi myCA    change expiration days to longer, say 3365
>
> ./myCA -newca    create new Cert Authority
> Answer questions, cn must be IP name or number
> ./myCA -newreq    cert request, answer same way
> ./myCA -signreq    CA signs our cert request
>
> File newcert.pem is server's certificate
> File newreq.pem is server's keys

> Making and using a Cert Auth
> cp newcert.pem /usr/local/apache2/conf/ssl.crt/server.crt
> cp newreq.pem /usr/local/apache2/conf/ssl.key/server.key.org
>
> cd /usr/local/apache2/conf/ssl.key
>
> openssl rsa -in server.key.org -out server.key
> (removes protective login when obtaining key at Apache startup)
>
> chmod 400 server.key    protect plaintext key file

Recall, the above is for separately stored certs, not using the common server kind now in /etc/ssl/servercerts. And the directory has changed. You can do just about any cert tweaking you wish with those scripts.
Joe D.

From cmangiarelli at gmail.com Thu Dec 18 18:43:59 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Thu, 18 Dec 2008 13:43:59 -0500
Subject: Certs in OES2
In-Reply-To: <494A873A.4080106@oucs.ox.ac.uk>
References: <494A3318020000850005F22A@FS-LIN-OES> <494A873A.4080106@oucs.ox.ac.uk>
Message-ID:

To an extent, this is exactly what I am trying to do using the Novell CA instead of the Yast/Linux CA. However, while I know how to mint certs in iManager, I don't know yet how to export them and make them accessible to Apache.
According to http://www.novell.com/documentation/ifolder3/ifolder37_admin/index.html?page=/documentation/ifolder3/ifolder37_admin/data/bx6m8rp.html, this will tell you how to configure ifolder/apache for external certs, but it didn't say how to get a Novell cert out of iManager/eDirectory and into the format that Apache expects. The link the other Joe provided might be the clue to the puzzle now I just need some time to sit down and do this. Stay tuned... On Thu, Dec 18, 2008 at 12:24 PM, Joe Doupnik wrote: > The Other Joe here this time. > If certs generated solely by the Novell CA (via iManager) are > insufficient > for some reason then I see a couple of alternatives. > One is generate a Cert Request and have the Novell CA process/sign that > for > you. You then add it to /etc/ssl/servercerts and tell Apache which to use. > The other is to generate your own using openSSL, even to the point of > creating a new CA if needs be. See shell scripts CA.sh and CA.pl in > /usr/share/ > ssl/misc. > Hunting for a very old presentation of mine on making your own: found > it, > here are screen scrapes of the several slides of interest: > -- Christopher Mangiarelli cmangiarelli at gmail.com From joe.doupnik at oucs.ox.ac.uk Thu Dec 18 18:52:47 2008 From: joe.doupnik at oucs.ox.ac.uk (jrd) Date: Thu, 18 Dec 2008 18:52:47 +0000 Subject: Certs in OES2 In-Reply-To: References: <494A3318020000850005F22A@FS-LIN-OES> <494A873A.4080106@oucs.ox.ac.uk> Message-ID: <494A9BFF.2090705@oucs.ox.ac.uk> Christopher Mangiarelli wrote: > To an extent, this is exactly what I am trying to do using the Novell CA > instead of the Yast/Linux CA. However, while I know how to mint certs in > iManager, I don't know yet how to export them and make them accessible to > Apache. 
According to > http://www.novell.com/documentation/ifolder3/ifolder37_admin/index.html?page=/documentation/ifolder3/ifolder37_admin/data/bx6m8rp.html, > this will tell you how to configure ifolder/apache for external certs, but > it didn't say how to get a Novell cert out of iManager/eDirectory and into > the format that Apache expects. The link the other Joe provided might be > the clue to the puzzle now I just need some time to sit down and do this. > Stay tuned... > --------- Have you poked the Novell CA via iManager and asked about the CA's properties. My memory suggests that it can offer to export any found in eDir. Sorry, I don't have a suitable connection at this moment to find the details. Joe D. From cmangiarelli at gmail.com Thu Dec 18 18:55:33 2008 From: cmangiarelli at gmail.com (Christopher Mangiarelli) Date: Thu, 18 Dec 2008 13:55:33 -0500 Subject: Certs in OES2 In-Reply-To: <494A9BFF.2090705@oucs.ox.ac.uk> References: <494A3318020000850005F22A@FS-LIN-OES> <494A873A.4080106@oucs.ox.ac.uk> <494A9BFF.2090705@oucs.ox.ac.uk> Message-ID: Correct, but the iManager export routine appears to offer DER, BASE64, and PKC12 formats. On Thu, Dec 18, 2008 at 1:52 PM, jrd wrote: > Have you poked the Novell CA via iManager and asked about the CA's > properties. My memory suggests that it can offer to export any found in > eDir. Sorry, I don't have a suitable connection at this moment to find > the details. > > Joe D. > -- Christopher Mangiarelli cmangiarelli at gmail.com From joe.doupnik at oucs.ox.ac.uk Thu Dec 18 19:09:35 2008 From: joe.doupnik at oucs.ox.ac.uk (jrd) Date: Thu, 18 Dec 2008 19:09:35 +0000 Subject: Certs in OES2 In-Reply-To: References: <494A3318020000850005F22A@FS-LIN-OES> <494A873A.4080106@oucs.ox.ac.uk> <494A9BFF.2090705@oucs.ox.ac.uk> Message-ID: <494A9FEF.9060308@oucs.ox.ac.uk> Christopher Mangiarelli wrote: > Correct, but the iManager export routine appears to offer DER, BASE64, and > PKC12 formats. 
>
> On Thu, Dec 18, 2008 at 1:52 PM, jrd wrote:
>
>> Have you poked the Novell CA via iManager and asked about the CA's
>> properties. My memory suggests that it can offer to export any found in
>> eDir. Sorry, I don't have a suitable connection at this moment to find
>> the details.
>>
>> Joe D.
-------------
I think openSSL can be used to do some of the conversion. I hate to say man openssl because our eyes glaze over, so try Google and similar.
Joe D.

From TJohnson at lancaster.wnyric.org Thu Dec 18 19:13:52 2008
From: TJohnson at lancaster.wnyric.org (TJohnson at lancaster.wnyric.org)
Date: Thu, 18 Dec 2008 14:13:52 -0500
Subject: Certs in OES2
In-Reply-To: <494A9FEF.9060308@oucs.ox.ac.uk>
References: <494A3318020000850005F22A@FS-LIN-OES><494A873A.4080106@oucs.ox.ac.uk><494A9BFF.2090705@oucs.ox.ac.uk> <494A9FEF.9060308@oucs.ox.ac.uk>
Message-ID:

A google for convert der to pem turned up this syntax for openssl:

openssl x509 -in -inform PEM -out -outform DER

I am assuming this to be reversed for DER to PEM.

I seem to remember doing a lot of openssl a while back for a java app that was particular but one thing I will say is that it may be a little more complicated but it usually works as advertised.

HTH

T2

From: jrd
Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
To: Novell LAN Interest Group
cc:
Date: 12/18/2008 02:09 PM
Subject: Re: Certs in OES2
Please respond to Novell LAN Interest Group

Christopher Mangiarelli wrote:
> Correct, but the iManager export routine appears to offer DER, BASE64, and
> PKCS12 formats.
>
> On Thu, Dec 18, 2008 at 1:52 PM, jrd wrote:
>
>> Have you poked the Novell CA via iManager and asked about the CA's
>> properties. My memory suggests that it can offer to export any found in
>> eDir. Sorry, I don't have a suitable connection at this moment to find
>> the details.
>>
>> Joe D.
-------------
I think openSSL can be used to do some of the conversion. I hate to say man openssl because our eyes glaze over, so try Google and similar.
Joe D.
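The conversion this thread is working towards (a PKCS#12 or DER export from iManager turned into the PEM files Apache reads), as an added example that is not from any poster or from Novell. It goes one step further than the commands quoted so far: certificate and private key go to separate files, the key file is restricted to its owner, and the result is checked for a matching key and the expected subject alternative names. The host names, password, file names and the throwaway self-signed certificate standing in for the iManager export are all constructed.

```shell
#!/bin/sh
# Added example; all names, passwords and certificates are constructed.
set -eu

# make_test_pfx DIR PASSWORD
# Stand-in for the iManager export: a throwaway self-signed certificate with
# several subject alternative names, bundled as DIR/sslwebcert.pfx.
make_test_pfx() (
    dir=$1
    PFX_PASS=$2; export PFX_PASS
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'x509_extensions = v3' 'prompt = no' \
        '[dn]' 'CN = oes2.example.test' \
        '[v3]' \
        'subjectAltName = DNS:oes2.example.test, DNS:ifolder.example.test, IP:192.0.2.10' \
        > "$dir/req.cnf" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/req.cnf" \
        -keyout "$dir/orig.key" -out "$dir/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$dir/orig.crt" -inkey "$dir/orig.key" \
        -name 'SSL CertificateWEB' -passout env:PFX_PASS \
        -out "$dir/sslwebcert.pfx"
)

# split_pfx PFX PASSWORD CERT_OUT KEY_OUT
# Write the leaf certificate and the private key to separate PEM files.
# The password travels in the environment, not on the command line.
split_pfx() (
    PFX_PASS=$2; export PFX_PASS
    umask 077   # the key file is never readable by anyone but its owner
    # Certificate only; piping through x509 drops the "Bag Attributes" text.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
        | openssl x509 -out "$3" &&
    # Key only; -nodes leaves it unencrypted so Apache can start unattended,
    # which is why the file mode below matters.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
        | openssl pkey -out "$4" &&
    chmod 644 "$3" && chmod 400 "$4"
)

# der_to_pem DER_IN PEM_OUT: certificate-only conversion for a DER export.
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }

# key_matches_cert CERT KEY: succeed only if both hold the same public key.
key_matches_cert() (
    a=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    b=$(openssl pkey -in "$2" -pubout) || exit 1
    [ -n "$a" ] && [ "$a" = "$b" ]
)

# cert_has_san CERT ENTRY: succeed if ENTRY (for example DNS:host.example or
# "IP Address:192.0.2.10") is exactly one of the subjectAltName entries.
cert_has_san() (
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -qxF "$2"
)

# Demo on the constructed export.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_test_pfx "$work" 'export-pw'
split_pfx "$work/sslwebcert.pfx" 'export-pw' \
    "$work/sslwebcert.crt" "$work/sslwebcert.key"
key_matches_cert "$work/sslwebcert.crt" "$work/sslwebcert.key"
cert_has_san "$work/sslwebcert.crt" 'DNS:ifolder.example.test'
echo "certificate and key split; key matches; SAN present"
```

With separate files, Apache's SSLCertificateFile and SSLCertificateKeyFile directives each point at their own file, and only the key file needs the restrictive mode.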
From cmangiarelli at gmail.com Thu Dec 18 19:24:39 2008
From: cmangiarelli at gmail.com (Christopher Mangiarelli)
Date: Thu, 18 Dec 2008 14:24:39 -0500
Subject: Certs in OES2
In-Reply-To:
References: <494A3318020000850005F22A@FS-LIN-OES> <494A873A.4080106@oucs.ox.ac.uk> <494A9BFF.2090705@oucs.ox.ac.uk> <494A9FEF.9060308@oucs.ox.ac.uk>
Message-ID:

Woot, one step closer to done. I was able to get Apache to use a custom cert with alternate subject names. Assuming the trusted root of my ca is imported into the browser, I can give my users a meaningful URL without popping up a security warning now.
The solution was to use iManager to custom create a new cert (I called it "SSL CertificateWEB"). I put in all of the names of the server (both fully qualified, short names, and IPs). Exported the cert from iManager in PKCS12 format. Copied that to my OES2 server. Used "openssl pkcs12 -in sslwebcert.pfx -nodes -clcerts -out /etc/ssl/servercerts/sslwebcert.pem". Edited /etc/apache2/vhosts.d/vhost-ssl.conf to point to the new filename. Restarted apache2 daemon and voilà... all good!

Now, the next problem. While this is all well and good for web access, the iFolder install still displays security measures when connecting to the server. Apparently the software does not use IE's keystore so I have to hunt for this new location unless somebody else happens to know where it exists.

On Thu, Dec 18, 2008 at 2:13 PM, wrote:

> A google for convert der to pem turned up this syntax for openssl: openssl
> x509 -in -inform PEM -out file> -outform DER I am assuming this to be reversed for DER to PEM.
>
> I seem to remember doing a lot of openssl a while back for a java app that
> was particular but one thing I will say is that it may be a little more
> complicated but it usually works as advertised.
>
> HTH
>
> T2
>
> From: jrd
> Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
> To: Novell LAN Interest Group
> cc:
> Date: 12/18/2008 02:09 PM
> Subject: Re: Certs in OES2
> Please respond to Novell LAN Interest Group
>
> Christopher Mangiarelli wrote:
> > Correct, but the iManager export routine appears to offer DER, BASE64, and
> > PKCS12 formats.
> >
> > On Thu, Dec 18, 2008 at 1:52 PM, jrd wrote:
> >
> >> Have you poked the Novell CA via iManager and asked about the CA's
> >> properties. My memory suggests that it can offer to export any found in
> >> eDir. Sorry, I don't have a suitable connection at this moment to find
> >> the details.
> >>
> >> Joe D.
> -------------
> I think openSSL can be used to do some of the conversion.
> I hate to say man openssl because our eyes glaze over, so try Google and similar.
> Joe D.
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From James.Taylor at eastcobbgroup.com Thu Dec 18 22:32:52 2008
From: James.Taylor at eastcobbgroup.com (James Taylor)
Date: Thu, 18 Dec 2008 17:32:52 -0500
Subject: Certs in OES2
Message-ID: <494A89440200007500008742@inet.eastcobbgroup.com>

I assume you are talking about ifolder3? The install imports the cert from the LDAPS interface. You probably need to configure your LDAP object for the server to use the custom cert object you created.

-jt

James Taylor
The East Cobb Group, Inc.
678-697-9420
james.taylor at eastcobbgroup.com
http://www.eastcobbgroup.com

>>> "Christopher Mangiarelli" 12/18/08 2:37 PM >>>
Woot, one step closer to done. I was able to get Apache to use a custom cert with alternate subject names. Assuming the trusted root of my ca is imported into the browser, I can give my users a meaningful URL without popping up a security warning now.

The solution was to use iManager to custom create a new cert (I called it "SSL CertificateWEB"). I put in all of the names of the server (both fully qualified, short names, and IPs). Exported the cert from iManager in PKCS12 format. Copied that to my OES2 server. Used "openssl pkcs12 -in sslwebcert.pfx -nodes -clcerts -out /etc/ssl/servercerts/sslwebcert.pem". Edited /etc/apache2/vhosts.d/vhost-ssl.conf to point to the new filename. Restarted apache2 daemon and voilà... all good!

Now, the next problem. While this is all well and good for web access, the iFolder install still displays security measures when connecting to the server. Apparently the software does not use IE's keystore so I have to hunt for this new location unless somebody else happens to know where it exists.
On Thu, Dec 18, 2008 at 2:13 PM, wrote:

> A google for convert der to pem turned up this syntax for openssl: openssl
> x509 -in -inform PEM -out file> -outform DER I am assuming this to be reversed for DER to PEM.
>
> I seem to remember doing a lot of openssl a while back for a java app that
> was particular but one thing I will say is that it may be a little more
> complicated but it usually works as advertised.
>
> HTH
>
> T2
>
> From: jrd
> Sent by: novell-bounces at netlab1.oucs.ox.ac.uk
> To: Novell LAN Interest Group
> cc:
> Date: 12/18/2008 02:09 PM
> Subject: Re: Certs in OES2
> Please respond to Novell LAN Interest Group
>
> Christopher Mangiarelli wrote:
> > Correct, but the iManager export routine appears to offer DER, BASE64, and
> > PKCS12 formats.
> >
> > On Thu, Dec 18, 2008 at 1:52 PM, jrd wrote:
> >
> >> Have you poked the Novell CA via iManager and asked about the CA's
> >> properties. My memory suggests that it can offer to export any found in
> >> eDir. Sorry, I don't have a suitable connection at this moment to find
> >> the details.
> >>
> >> Joe D.
> -------------
> I think openSSL can be used to do some of the conversion. I hate to
> say man openssl because our eyes glaze over, so try Google and similar.
> Joe D.
--
Christopher Mangiarelli
cmangiarelli at gmail.com

From Simon.Shilton at acustica.co.uk Fri Dec 19 13:33:13 2008
From: Simon.Shilton at acustica.co.uk (Simon Shilton)
Date: Fri, 19 Dec 2008 13:33:13 +0000
Subject: P2V OES migrate and upgrade
In-Reply-To:
References: <494A26FA0200007500040099@inet.eastcobbgroup.com>
Message-ID: <494BA299020000AB0001343F@dylan.trident.acustica.co.uk>

I have a physical OES 1 server running iFolder 3.2, it only services about 6 users, and has around 20GB of stored data

I would like to move it to a virtualised machine under VMware.

I am thinking of an ID Transfer migration from OES to OES2 sp1.

is this too risky to contemplate? or should it be ok?

If it is ok, is there any advice on the SLES10 / OES 2 patterns to install during initial setup of the target server, there doesn't appear to be a "pre-migration server" type option as NW used to offer

thanks
Simon

From joea at j4computers.com Fri Dec 19 14:02:55 2008
From: joea at j4computers.com (joea at j4computers.com)
Date: Fri, 19 Dec 2008 09:02:55 -0500
Subject: P2V OES migrate and upgrade
In-Reply-To: <494BA299020000AB0001343F@dylan.trident.acustica.co.uk>
References: <494A26FA0200007500040099@inet.eastcobbgroup.com> <494BA299020000AB0001343F@dylan.trident.acustica.co.uk>
Message-ID: <494B633F020000850005F244@FS-LIN-OES>

>>> On Fri, Dec 19, 2008 at 8:33 AM, "Simon Shilton" wrote:
> I have a physical OES 1 server running iFolder 3.2, it only services about 6
> users, and has around 20GB of stored data
>
> I would like to move it to a virtualised machine under VMware.
>
> I am thinking of an ID Transfer migration from OES to OES2 sp1.
>
> is this too risky to contemplate?
or should it be ok? > > If it is ok, is there any advise on the SLES10 / OES 2 patterns to install > during initial setup of the target server, there doesn't appear to be a > "pre-migration server" type option as NW used to offer > > thanks > Simon > I would suggest doing the upgrade before doing the migration. When that is operating acceptably, then virtualize. joe a. From joe.doupnik at oucs.ox.ac.uk Fri Dec 19 14:07:50 2008 From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik) Date: Fri, 19 Dec 2008 14:07:50 +0000 Subject: P2V OES migrate and upgrade In-Reply-To: <494BA299020000AB0001343F@dylan.trident.acustica.co.uk> References: <494A26FA0200007500040099@inet.eastcobbgroup.com> <494BA299020000AB0001343F@dylan.trident.acustica.co.uk> Message-ID: <494BAAB6.3070205@oucs.ox.ac.uk> Simon Shilton wrote: > I have a physical OES 1 server running iFolder 3.2, it only services about 6 users, and has around 20GB of stored data > > I would like to move it to a virtualised machine under VMware. > > I am thinking of an ID Transfer migration from OES to OES2 sp1. > > is this to risky to contemplate? or should it be ok? > > If it is ok, is there any advise on the SLES10 / OES 2 patterns to install during initial setup of the target server, there doesn't appear to be a "pre-migration server" type option as NW used to offer > > thanks > Simon -------------- The identity transfer should work. There are things to pay attention to, however. Start with ensuring NTP time is proper on both boxes. Ensure server IP names are properly registered in the visible DNS servers. The transfer process first requests services to migrate. You need not do any, but you can choose say files to keep it happy and save you extra work. Once those finish the eDir transfer part begins. In the past this step has always resulted in eDir being removed and hidden on the source server. No longer; just reboot the source server and all is as before. 
After the eDir movement there starts changing IP number and host name. Beware: remote connections will break. Best to do this at the destination console, or login again and restart the GUI. Double check the number and name parts by opening a text mode window and look very carefully indeed. echo $HOSTNAME will show the old destination name until you login again, as that item is held in the user's login environment. /etc/HOSTNAME and /etc/hosts should have been updated though. The last step is to reboot the destination and up things come. What you will be going through is a combination of Novell's command line utilities fronted by the GUI plus my redesigns of the process during the beta phase. The material is drastically different than found in the public beta (aka beta 4). Bottom line: the source remains intact, you can do the whole thing over again. But if you do retry, then first clean out eDir objects with the destination name and afterward rebuild the destination server (don't just try to "fix" it). Joe D. From larry at ladyburd.com Fri Dec 19 14:37:00 2008 From: larry at ladyburd.com (Larry Burd) Date: Fri, 19 Dec 2008 09:37:00 -0500 Subject: ultra surf References: Message-ID: my son comes into my office with a jump drive. has a copy of ultrasurf on it. plugs it into the USB port, and he bypasses every web filter we have in place. completly defeats the sonicwall. the sonicwall doesn't even record any site he visited. I have tried to block every proxy site, but this ultrasurf program just baffles me, and I can't stop him. ultrareach.net is where he downloaded the program, which I have blocked. but once the program is on a jump drive, I can not stop my 15 yo boy from surfing. when he logs out, all the history and cookies are gone. there is not a trace. All the kids use this at school to defeat any and all high school web security. The teachers even use this so they can surf during lunch hour. It has become the biggest joke in school. 
They have a hall monitor lady who now stands in the computer room, and she watches the kids to make sure they don't use this program. Luckily people at my office do not know about this, or maybe they do. But I feel defeated. I haven't contacted sonicwall yet, but eventually I will have too. any body see this ? Larry From joe.doupnik at oucs.ox.ac.uk Fri Dec 19 14:38:17 2008 From: joe.doupnik at oucs.ox.ac.uk (Joe Doupnik) Date: Fri, 19 Dec 2008 14:38:17 +0000 Subject: P2V OES migrate and upgrade In-Reply-To: <494BAAB6.3070205@oucs.ox.ac.uk> References: <494A26FA0200007500040099@inet.eastcobbgroup.com> <494BA299020000AB0001343F@dylan.trident.acustica.co.uk> <494BAAB6.3070205@oucs.ox.ac.uk> Message-ID: <494BB1D9.4020305@oucs.ox.ac.uk> Joe R. Doupnik wrote: > Simon Shilton wrote: >> I have a physical OES 1 server running iFolder 3.2, it only services >> about 6 users, and has around 20GB of stored data >> >> I would like to move it to a virtualised machine under VMware. >> >> I am thinking of an ID Transfer migration from OES to OES2 sp1. >> >> is this to risky to contemplate? or should it be ok? >> >> If it is ok, is there any advise on the SLES10 / OES 2 patterns to >> install during initial setup of the target server, there doesn't >> appear to be a "pre-migration server" type option as NW used to offer >> >> thanks >> Simon > -------------- > The identity transfer should work. There are things to pay > attention to, > however. Start with ensuring NTP time is proper on both boxes. Ensure > server > IP names are properly registered in the visible DNS servers. > The transfer process first requests services to migrate. You need not > do any, but you can choose say files to keep it happy and save you extra > work. > Once those finish the eDir transfer part begins. In the past this step has > always resulted in eDir being removed and hidden on the source server. No > longer; just reboot the source server and all is as before. 
> After the eDir movement there starts changing IP number and host name. > Beware: remote connections will break. Best to do this at the destination > console, or login again and restart the GUI. Double check the number and > name parts by opening a text mode window and look very carefully indeed. > echo $HOSTNAME > will show the old destination name until you login again, as that item is > held in the user's login environment. /etc/HOSTNAME and /etc/hosts should > have been updated though. > The last step is to reboot the destination and up things come. > What you will be going through is a combination of Novell's command > line utilities fronted by the GUI plus my redesigns of the process during > the beta phase. The material is drastically different than found in the > public beta (aka beta 4). > Bottom line: the source remains intact, you can do the whole thing > over again. But if you do retry, then first clean out eDir objects with > the destination name and afterward rebuild the destination server (don't > just try to "fix" it). > Joe D. ----------- I need to annotate the above with the statement that this applies to OES2 SP1 as a destination, no relationship with OES2 no-SP as a destination. Please do use the SP1 level. The destination can be in a virtual machine. So can the source for that matter. In fact in my presentations/classes on the subject both are. Joe D. From Simon.Shilton at acustica.co.uk Fri Dec 19 14:38:53 2008 From: Simon.Shilton at acustica.co.uk (Simon Shilton) Date: Fri, 19 Dec 2008 14:38:53 +0000 Subject: P2V OES migrate and upgrade In-Reply-To: <494BAAB6.3070205@oucs.ox.ac.uk> References: <494A26FA0200007500040099@inet.eastcobbgroup.com> <494BA299020000AB0001343F@dylan.trident.acustica.co.uk> <494BAAB6.3070205@oucs.ox.ac.uk> Message-ID: <494BB1FD020000AB00013444@dylan.trident.acustica.co.uk> thanks Joe sounds like I can give it a go, and I have nothing to loose? 

prior to migration I obviously need to install my target server, SLED 10 sp2 plus OES 2 sp 1

Are there any recommendations for SLED 2 install given that it will be used for OES 2 sp1 ifolder and nothing else?

at present my ifolder server reports itself as OES-9-i386-SP2 + "online updates" and is a basic OES install with ifolder 3.2 and iManager plus ClamAV, not using NSS, with all files on Linux format partitions

thanks
Simon

>>> On 19 December 2008 at 14:07, in message <494BAAB6.3070205 at oucs.ox.ac.uk>, "Joe R. Doupnik" wrote:

Simon Shilton wrote:
> I have a physical OES 1 server running iFolder 3.2, it only services about 6 users, and has around 20GB of stored data
>
> I would like to move it to a virtualised machine under VMware.
>
> I am thinking of an ID Transfer migration from OES to OES2 sp1.
>
> is this too risky to contemplate? or should it be ok?
>
> If it is ok, is there any advice on the SLES10 / OES 2 patterns to install during initial setup of the target server, there doesn't appear to be a "pre-migration server" type option as NW used to offer
>
> thanks
> Simon
--------------
The identity transfer should work. There are things to pay attention to, however. Start with ensuring NTP time is proper on both boxes. Ensure server IP names are properly registered in the visible DNS servers.
The transfer process first requests services to migrate. You need not do any, but you can choose say files to keep it happy and save you extra work.
Once those finish the eDir transfer part begins. In the past this step has always resulted in eDir being removed and hidden on the source server. No longer; just reboot the source server and all is as before.
After the eDir movement there starts changing IP number and host name. Beware: remote connections will break. Best to do this at the destination console, or login again and restart the GUI. Double check the number and name parts by opening a text mode window and look very carefully indeed.
echo $HOSTNAME
will show the old destination name until you login again, as that item is held in the user's login environment. /etc/HOSTNAME and /etc/hosts should have been updated though.
The last step is to reboot the destination and up things come.
What you will be going through is a combination of Novell's command line utilities fronted by the GUI plus my redesigns of the process during the beta phase. The material is drastically different than found in the public beta (aka beta 4).
Bottom line: the source remains intact, you can do the whole thing over again. But if you do retry, then first clean out eDir objects with the destination name and afterward rebuild the destination server (don't just try to "fix" it).
Joe D.
_______________________________________________
Novell mailing list
Novell at netlab1.oucs.ox.ac.uk
http://netlab1.usu.edu/mailman/listinfo/novell

From Simon.Shilton at acustica.co.uk Fri Dec 19 14:47:29 2008
From: Simon.Shilton at acustica.co.uk (Simon Shilton)
Date: Fri, 19 Dec 2008 14:47:29 +0000
Subject: ultra surf
In-Reply-To:
References:
Message-ID: <494BB401020000AB00013449@dylan.trident.acustica.co.uk>

Larry

never come across this before

reading stuff on site, looks like it is some form of proxy relay with the client connecting to their system

from http://www.ultrareach.com/usercenter_en.htm
"11. Some companies block port 9666, which is used by UltraSurf, how do I bypass it?
A: 9666 is local port. We will add an option to let users set the port."

does this help?

Simon

>>> On 19 December 2008 at 14:37, in message , "Larry Burd" wrote:

my son comes into my office with a jump drive. has a copy of ultrasurf on it. plugs it into the USB port, and he bypasses every web filter we have in place. completely defeats the sonicwall. the sonicwall doesn't even record any site he visited. I have tried to block every proxy site, but this ultrasurf program just baffles me, and I can't stop him.

ultrareach.net is where he downloaded the program, which I have blocked. but once the program is on a jump drive, I can not stop my 15 yo boy from surfing. when he logs out, all the history and cookies are gone. there is not a trace. All the kids use this at school to defeat any and all high school web security. The teachers even use this so they can surf during lunch hour. It has become the biggest joke in school. They have a hall monitor lady who now stands in the computer room, and she watches the kids to make sure they don't use this program.

Luckily people at my office do not know about this, or maybe they do. But I feel defeated.
I haven't contacted sonicwall yet, but eventually I will have to.
anybody see this?

Larry

From joe.doupnik at oucs.ox.ac.uk Fri Dec 19 14:49:06 2008
From: joe.doupnik at oucs.ox.ac.uk (Joe R. Doupnik)
Date: Fri, 19 Dec 2008 14:49:06 +0000
Subject: P2V OES migrate and upgrade
In-Reply-To: <494BB1FD020000AB00013444@dylan.trident.acustica.co.uk>
References: <494A26FA0200007500040099@inet.eastcobbgroup.com> <494BA299020000AB0001343F@dylan.trident.acustica.co.uk> <494BAAB6.3070205@oucs.ox.ac.uk> <494BB1FD020000AB00013444@dylan.trident.acustica.co.uk>
Message-ID: <494BB462.3070002@oucs.ox.ac.uk>

Simon,
OES2 SP1 requires SLES 10 SP2, not SLED. Don't even think about SLED for this work.
You can migrate iFolder, but first carefully review the migration doc on this because you must copy the user filestore by hand in just the right way.
Hint #2 here. Install SLES 10 SP2, clean it up, etc. Then come back and do the OES2 SP1 part as an add-on product with the Pre-Migration option checked (which means don't install an eDir replica). Clean that up, poke about with a working server, all that fun. And finally invoke the migration GUI to do the identity migration with selected services.
Plan your layout carefully. Do not over partition things, but do create a /boot partition. You can read my frequently stated advice by going back through this list's archives.
Practicing with a pre-migration server is an easy way to feel comfortable, just clear out its eDir objects before rebuilding it again.
To be candid, I can't tell you all the steps and so forth in a list email message. There is too much involved and an understanding of Linux is necessary. Normally I teach a two day course on migration alone, more to build a Linux base.
Joe D.
--------------
Simon Shilton wrote:
> thanks Joe
>
> sounds like I can give it a go, and I have nothing to lose?
>
> prior to migration I obviously need to install my target server, SLED 10 sp2 plus OES 2 sp 1
>
> Are there any recommendations for SLED 2 install given that it will be used for OES 2 sp1 ifolder and nothing else?
>
> at present my ifolder server reports itself as OES-9-i386-SP2 + "online updates" and is a basic OES install with ifolder 3.2 and iManager plus ClamAV, not using NSS, with all files on Linux format partitions
>
> thanks
> Simon
>
> >>> On 19 December 2008 at 14:07, in message <494BAAB6.3070205 at oucs.ox.ac.uk>, "Joe R. Doupnik" wrote:
>
> Simon Shilton wrote:
>> I have a physical OES 1 server running iFolder 3.2, it only services about 6 users, and has around 20GB of stored data
>>
>> I would like to move it to a virtualised machine under VMware.
>>
>> I am thinking of an ID Transfer migration from OES to OES2 sp1.
>>
>> is this too risky to contemplate? or should it be ok?
>>
>> If it is ok, is there any advice on the SLES10 / OES 2 patterns to install during initial setup of the target server, there doesn't appear to be a "pre-migration server" type option as NW used to offer
>>
>> thanks
>> Simon
> --------------
> The identity transfer should work. There are things to pay attention to,
> however. Start with ensuring NTP time is proper on both boxes.
Ensure server
> IP names are properly registered in the visible DNS servers.
> The transfer process first requests services to migrate. You need not
> do any, but you can choose say files to keep it happy and save you extra work.
> Once those finish the eDir transfer part begins. In the past this step has
> always resulted in eDir being removed and hidden on the source server. No
> longer; just reboot the source server and all is as before.
> After the eDir movement there starts changing IP number and host name.
> Beware: remote connections will break. Best to do this at the destination
> console, or login again and restart the GUI. Double check the number and
> name parts by opening a text mode window and look very carefully indeed.
> echo $HOSTNAME
> will show the old destination name until you login again, as that item is
> held in the user's login environment. /etc/HOSTNAME and /etc/hosts should
> have been updated though.
> The last step is to reboot the destination and up things come.
> What you will be going through is a combination of Novell's command
> line utilities fronted by the GUI plus my redesigns of the process during
> the beta phase. The material is drastically different than found in the
> public beta (aka beta 4).
> Bottom line: the source remains intact, you can do the whole thing
> over again. But if you do retry, then first clean out eDir objects with
> the destination name and afterward rebuild the destination server (don't
> just try to "fix" it).
> Joe D.

From Simon.Shilton at acustica.co.uk Fri Dec 19 15:00:36 2008
From: Simon.Shilton at acustica.co.uk (Simon Shilton)
Date: Fri, 19 Dec 2008 15:00:36 +0000
Subject: P2V OES migrate and upgrade
In-Reply-To: <494BB462.3070002@oucs.ox.ac.uk>
References: <494A26FA0200007500040099@inet.eastcobbgroup.com> <494BA299020000AB0001343F@dylan.trident.acustica.co.uk> <494BAAB6.3070205@oucs.ox.ac.uk> <494BB1FD020000AB00013444@dylan.trident.acustica.co.uk> <494BB462.3070002@oucs.ox.ac.uk>
Message-ID: <494BB714020000AB0001344E@dylan.trident.acustica.co.uk>

Joe

oops, typo D should be S, yes Server only!

thanks for the hints

appreciate it is a complex subject area, just looking to avoid any obvious crashing errors

thanks
Simon

>>> On 19 December 2008 at 14:49, in message <494BB462.3070002 at oucs.ox.ac.uk>, "Joe R. Doupnik" wrote:

Simon,
OES2 SP1 requires SLES 10 SP2, not SLED. Don't even think about SLED for this work.
You can migrate iFolder, but first carefully review the migration doc on this because you must copy the user filestore by hand in just the right way.
Hint #2 here. Install SLES 10 SP2, clean it up, etc. Then come back and do the OES2 SP1 part as an add-on product with the Pre-Migration option checked (which means don't install an eDir replica). Clean that up, poke about with a working server, all that fun. And finally invoke the migration GUI to do the identity migration with selected services.
Plan your layout carefully. Do not over partition things, but do create a /boot partition. You can read my frequently stated advice by going back through this list's archives.
Practicing with a pre-migration server is an easy way to feel comfortable, just clear out its eDir objects before rebuilding it again.
To be candid, I can't tell you all the steps and so forth in a list email message. There is too much involved and an understanding of Linux is necessary. Normally I teach a two day course on migration alone, more to build a Linux base.
Joe D.
--------------
Simon Shilton wrote:
> thanks Joe
>
> sounds like I can give it a go, and I have nothing to lose?
>
> prior to migration I obviously need to install my target server, SLED 10 sp2 plus OES 2 sp 1
>
> Are there any recommendations for SLED 2 install given that it will be used for OES 2 sp1 ifolder and nothing else?
>
> at present my ifolder server reports itself as OES-9-i386-SP2 + "online updates" and is a basic OES install with ifolder 3.2 and iManager plus ClamAV, not using NSS, with all files on Linux format partitions
>
> thanks
> Simon
>
> >>> On 19 December 2008 at 14:07, in message <494BAAB6.3070205 at oucs.ox.ac.uk>, "Joe R. Doupnik" wrote:
>
> Simon Shilton wrote:
>> I have a physical OES 1 server running iFolder 3.2, it only services about 6 users, and has around 20GB of stored data
>>
>> I would like to move it to a virtualised machine under VMware.
>>
>> I am thinking of an ID Transfer migration from OES to OES2 sp1.
>>
>> is this too risky to contemplate? or should it be ok?
>>
>> If it is ok, is there any advice on the SLES10 / OES 2 patterns to install during initial setup of the target server, there doesn't appear to be a "pre-migration server" type option as NW used to offer
>>
>> thanks
>> Simon
> --------------
> The identity transfer should work. There are things to pay attention to,
> however. Start with ensuring NTP time is proper on both boxes. Ensure server
> IP names are properly registered in the visible DNS servers.
> The transfer process first requests services to migrate.
You need not
> do any, but you can choose say files to keep it happy and save you extra work.
> Once those finish the eDir transfer part begins. In the past this step has
> always resulted in eDir being removed and hidden on the source server. No
> longer; just reboot the source server and all is as before.
> After the eDir movement there starts changing IP number and host name.
> Beware: remote connections will break. Best to do this at the destination
> console, or login again and restart the GUI. Double check the number and
> name parts by opening a text mode window and look very carefully indeed.
> echo $HOSTNAME
> will show the old destination name until you login again, as that item is
> held in the user's login environment. /etc/HOSTNAME and /etc/hosts should
> have been updated though.
> The last step is to reboot the destination and up things come.
> What you will be going through is a combination of Novell's command
> line utilities fronted by the GUI plus my redesigns of the process during
> the beta phase. The material is drastically different than found in the
> public beta (aka beta 4).
> Bottom line: the source remains intact, you can do the whole thing
> over again. But if you do retry, then first clean out eDir objects with
> the destination name and afterward rebuild the destination server (don't
> just try to "fix" it).
> Joe D.

From Simon.Shilton at acustica.co.uk Fri Dec 19 15:08:53 2008
From: Simon.Shilton at acustica.co.uk (Simon Shilton)
Date: Fri, 19 Dec 2008 15:08:53 +0000
Subject: ultra surf
In-Reply-To: <494BB401020000AB00013449@dylan.trident.acustica.co.uk>
References: <494BB401020000AB00013449@dylan.trident.acustica.co.uk>
Message-ID: <494BB905020000AB00013453@dylan.trident.acustica.co.uk>

Larry

it is a real beauty!

http://forums.techarena.in/server-security/1002038.htm
http://nixcraft.com/linux-software/9158-how-block-ultrasurf.html
http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/20319-ultra-surf-8-8-how-block-2.html

looks like you have some fun on your hands, but looking at Astaro's efforts there could be solutions coming

Simon

>>> On 19 December 2008 at 14:47, in message <494BB401020000AB00013449 at dylan.trident.acustica.co.uk>, "Simon Shilton" wrote:

Larry

never come across this before

reading stuff on site, looks like it is some form of proxy relay with the client connecting to their system

from http://www.ultrareach.com/usercenter_en.htm
"11. Some companies block port 9666, which is used by UltraSurf, how do I bypass it?
A: 9666 is local port. We will add an option to let users set the port."

does this help?

Simon

>>> On 19 December 2008 at 14:37, in message , "Larry Burd" wrote:

my son comes into my office with a jump drive. has a copy of ultrasurf on it. plugs it into the USB port, and he bypasses every web filter we have in place. completely defeats the sonicwall.
the sonicwall doesn't even record any site he visited. I have tried to block every proxy site, but this ultrasurf program just baffles me, and I can't stop him.

ultrareach.net is where he downloaded the program, which I have blocked. but once the program is on a jump drive, I can not stop my 15 yo boy from surfing. when he logs out, all the history and cookies are gone. there is not a trace. All the kids use this at school to defeat any and all high school web security. The teachers even use this so they can surf during lunch hour. It has become the biggest joke in school. They have a hall monitor lady who now stands in the computer room, and she watches the kids to make sure they don't use this program.

Luckily people at my office do not know about this, or maybe they do. But I feel defeated.
I haven't contacted sonicwall yet, but eventually I will have to.
anybody see this?

Larry

From Robrinsky at roillc.com Fri Dec 19 15:26:18 2008
From: Robrinsky at roillc.com (Robert Obrinsky)
Date: Fri, 19 Dec 2008 07:26:18 -0800
Subject: ultra surf
In-Reply-To: <494BB401020000AB00013449@dylan.trident.acustica.co.uk>
References: <494BB401020000AB00013449@dylan.trident.acustica.co.uk>
Message-ID: <494B4C9A.9F9C.006D.0@roillc.com>

There is discussion on the Astaro forums about ultrasurf, and the consensus is that v7.4 of the Astaro Security Gateway can effectively block ultrasurf. However, v7.4 is still beta code. Interesting reading... you can join at http://www.astaro.org. You will need to register.

I suggest that we all look at other firewall manufacturers' forums to see how they are faring with this double-edged sword.
On the one hand, it allows users in countries that censor the internet to reach all of those previously unavailable sites (at least that is the claim). On the other hand, companies might be held liable for not properly restricting unlawful sites. Talk about a tangled web...

Robert W. Obrinsky
President
Robert Obrinsky Industries, LLC
1425 NE 7th Avenue
Unit 201
Portland, OR 97232
503.719.4387 (Office)
203.273.7012 (Mobile)

>>> "Simon Shilton" 12/19/2008 6:47 AM >>>

Larry

never come across this before

reading stuff on site, looks like it is some form of proxy relay with the client connecting to their system

from http://www.ultrareach.com/usercenter_en.htm
"11. Some companies block port 9666, which is used by UltraSurf, how do I bypass it?
A: 9666 is local port. We will add an option to let users set the port."

does this help?

Simon

>>> On 19 December 2008 at 14:37, in message , "Larry Burd" wrote:

my son comes into my office with a jump drive. has a copy of ultrasurf on it. plugs it into the USB port, and he bypasses every web filter we have in place. completely defeats the sonicwall. the sonicwall doesn't even record any site he visited. I have tried to block every proxy site, but this ultrasurf program just baffles me, and I can't stop him.

ultrareach.net is where he downloaded the program, which I have blocked. but once the program is on a jump drive, I can not stop my 15 yo boy from surfing. when he logs out, all the history and cookies are gone. there is not a trace. All the kids use this at school to defeat any and all high school web security. The teachers even use this so they can surf during lunch hour. It has become the biggest joke in school. They have a hall monitor lady who now stands in the computer room, and she watches the kids to make sure they don't use this program.

Luckily people at my office do not know about this, or maybe they do. But I feel defeated.
I haven't contacted sonicwall yet, but eventually I will have to.
anybody see this?

Larry

From Robrinsky at roillc.com Fri Dec 19 19:03:52 2008
From: Robrinsky at roillc.com (Robert Obrinsky)
Date: Fri, 19 Dec 2008 11:03:52 -0800
Subject: ultra surf
In-Reply-To: <494BB905020000AB00013453@dylan.trident.acustica.co.uk>
References: <494BB401020000AB00013449@dylan.trident.acustica.co.uk> <494BB905020000AB00013453@dylan.trident.acustica.co.uk>
Message-ID: <494B7F98.9F9C.006D.0@roillc.com>

Just found this as well.

http://www.smoothwall.net/solutions/blockingproxies.php

Bob

>>> "Simon Shilton" 12/19/2008 7:08 AM >>>

Larry

it is a real beauty!

http://forums.techarena.in/server-security/1002038.htm
http://nixcraft.com/linux-software/9158-how-block-ultrasurf.html
http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/20319-ultra-surf-8-8-how-block-2.html

looks like you have some fun on your hands, but looking at Astaro's efforts there could be solutions coming

Simon

>>> On 19 December 2008 at 14:47, in message <494BB401020000AB00013449 at dylan.trident.acustica.co.uk>, "Simon Shilton" wrote:

Larry

never come across this before

reading stuff on site, looks like it is some form of proxy relay with the client connecting to their system

from http://www.ultrareach.com/usercenter_en.htm
"11. Some companies block port 9666, which is used by UltraSurf, how do I bypass it?
A: 9666 is local port. We will add an option to let users set the port."

does this help?

Simon

>>> On 19 December 2008 at 14:37, in message , "Larry Burd" wrote:

my son comes into my office with a jump drive. has a copy of ultrasurf on it. plugs it into the USB port, and he bypasses every web filter we have in place. completely defeats the sonicwall.
the sonicwall doesn't even record any site he visited. I have tried to block every proxy site, but this ultrasurf program just baffles me, and I can't stop him.

ultrareach.net is where he downloaded the program, which I have blocked. but once the program is on a jump drive, I can not stop my 15 yo boy from surfing. when he logs out, all the history and cookies are gone. there is not a trace. All the kids use this at school to defeat any and all high school web security. The teachers even use this so they can surf during lunch hour. It has become the biggest joke in school. They have a hall monitor lady who now stands in the computer room, and she watches the kids to make sure they don't use this program.

Luckily people at my office do not know about this, or maybe they do. But I feel defeated.
I haven't contacted sonicwall yet, but eventually I will have to.
anybody see this?

Larry

From randygrein at comcast.net Fri Dec 19 20:14:05 2008
From: randygrein at comcast.net (Randy Grein)
Date: Fri, 19 Dec 2008 12:14:05 -0800
Subject: ultra surf
In-Reply-To:
References:
Message-ID: <1993E8B0-90C2-41DB-A60D-84C56E30FDAF@comcast.net>

This is SO COOL! Sorry, but it is.

Security tech is a constant war between offense & defense. This is an interesting twist on the problem, it's just our tough luck that something created to promote freedom of information access has the side effect of trashing your security policy. It does, however point out the need for defense in depth.
You might try locking workstations down a bit more - block USB drives or disallow the executable.

We had an infection hit the day before Thanksgiving. An old botnet installer was recently refreshed so McAfee didn't recognize it; we had a number of computers infected. As part of the cleanup GWAVA installation was pushed to the top of my to do list. Turned out that email wasn't the infection vector but I did find some trojans that were removed - 24 to be exact. Since then we've had almost a hundred more blocked. Either it's from an internal system, Postini is leaking (unlikely but possible) or the firewall is allowing more than Postini to send SMTP through. Point is two checkpoints (Postini & firewall) may not be enough. You're probably like me without the time to check firewall logs fully, but it's necessary for full protection.

Randy Grein, Master CNE, CCNA

On Dec 19, 2008, at 6:37 AM, Larry Burd wrote:

> my son comes into my office with a jump drive. has a copy of
> ultrasurf on it. plugs it into the USB port, and he bypasses every
> web filter we have in place. completely defeats the sonicwall. the
> sonicwall doesn't even record any site he visited. I have tried to
> block every proxy site, but this ultrasurf program just baffles me,
> and I can't stop him.
>
> ultrareach.net is where he downloaded the program, which I have
> blocked. but once the program is on a jump drive, I can not stop my
> 15 yo boy from surfing. when he logs out, all the history and
> cookies are gone. there is not a trace. All the kids use this at
> school to defeat any and all high school web security. The teachers
> even use this so they can surf during lunch hour. It has become
> the biggest joke in school. They have a hall monitor lady who now
> stands in the computer room, and she watches the kids to make sure
> they don't use this program.
>
> Luckily people at my office do not know about this, or maybe they
> do. But I feel defeated.
> I haven't contacted sonicwall yet, but eventually I will have to.
> anybody see this?
>
> Larry

From bbrush at gmail.com Fri Dec 19 20:21:30 2008
From: bbrush at gmail.com (Bill Brush)
Date: Fri, 19 Dec 2008 14:21:30 -0600
Subject: blocking programs Re: ultra surf
Message-ID: <167f4090812191221w487c15bap7ed012b31870453c@mail.gmail.com>

On Fri, Dec 19, 2008 at 2:14 PM, Randy Grein wrote:
> This is SO COOL! Sorry, but it is.
>
> Security tech is a constant war between offense & defense. This is an
> interesting twist on the problem, it's just our tough luck that something
> created to promote freedom of information access has the side effect of
> trashing your security policy. It does, however point out the need for
> defense in depth. You might try locking workstations down a bit more -
> block USB drives or disallow the executable.

Speaking of blocking executables, my coworker here has written a program that whitelists executables and kills anything that isn't on the list. It runs as a service, does automatic updates, and checks MD5 hashes to make sure that "harmless program.exe" isn't really just a renamed "pwn your system.exe." It's a pretty cool program, and hopefully he'll GPL it soon.

Bill

From John.Croft at pwgsc.gc.ca Sat Dec 20 00:24:42 2008
From: John.Croft at pwgsc.gc.ca (John Croft)
Date: Fri, 19 Dec 2008 19:24:42 -0500
Subject: blocking programs Re: ultra surf
In-Reply-To: <167f4090812191221w487c15bap7ed012b31870453c@mail.gmail.com>
References: <167f4090812191221w487c15bap7ed012b31870453c@mail.gmail.com>
Message-ID: <2D577FE21D6ECA4C934F49B86C51E22C06F54B6A@mb-ncr-020.ad.pwgsc-tpsgc.gc.ca>

Symantec identifies it as a virus type activity and deletes it at our shop

-----Original Message-----
From: novell-bounces at netlab1.oucs.ox.ac.uk [mailto:novell-bounces at netlab1.oucs.ox.ac.uk] On Behalf Of Bill Brush
Sent: Friday, December 19, 2008 4:22 PM
To: Novell LAN Interest Group
Subject: blocking programs Re: ultra surf

On Fri, Dec 19, 2008 at 2:14 PM, Randy Grein wrote:
> This is SO COOL! Sorry, but it is.
>
> Security tech is a constant war between offense & defense. This is an
> interesting twist on the problem, it's just our tough luck that
> something created to promote freedom of information access has the
> side effect of trashing your security policy. It does, however point
> out the need for defense in depth. You might try locking workstations
> down a bit more - block USB drives or disallow the executable.

Speaking of blocking executables, my coworker here has written a program that whitelists executables and kills anything that isn't on the list. It runs as a service, does automatic updates, and checks MD5 hashes to make sure that "harmless program.exe" isn't really just a renamed "pwn your system.exe." It's a pretty cool program, and hopefully he'll GPL it soon.

Bill

From toomas.aas at raad.tartu.ee Sun Dec 21 21:37:10 2008
From: toomas.aas at raad.tartu.ee (Toomas Aas)
Date: Sun, 21 Dec 2008 23:37:10 +0200
Subject: Non-admin accounts for IT staff
Message-ID: <494EB706.9000603@raad.tartu.ee>

Hello!

During our current security audit a (perceived) problem has come up - our current policy that IT personnel has local Administrator rights on XP workstations whereas everyone else has User rights (implemented using Zen DLU) is not considered safe enough. Now even IT staff is required to do their daily work as ordinary Users and only use Administrator rights for actual admin work.

I can see two ways to achieve this, both somewhat cumbersome:
1. Create two eDir accounts for each IT person - requires two OES licenses per person...
2. Make everyone Users and use just the local Administrator account for admin work - means that you can't access any network resources while adminning...

How have others solved this dilemma?

--
Toomas
... I used to be indecisive but now I'm not sure.

From randygrein at comcast.net Sun Dec 21 22:09:43 2008
From: randygrein at comcast.net (Randy Grein)
Date: Sun, 21 Dec 2008 14:09:43 -0800
Subject: Non-admin accounts for IT staff
In-Reply-To: <494EB706.9000603@raad.tartu.ee>
References: <494EB706.9000603@raad.tartu.ee>
Message-ID: <2B357AF9-DF8D-4935-AD36-0A4C63B1AB4E@comcast.net>

Yup, big problem. Our manager, with his shiny new CISSP tried to mandate the same thing. It's really a generic security solution and a good thing for the network in general - unix and linux solve this with SU access, Windows by authenticating for specific applications as an admin account. Netware can do this for iManager (because your login to the web console is separate from your client login) but Console One and the rest use the current network authentication.
His solution is typical, to remove Netware.

On the other hand, how much work requires local admin on the Windows workstation? The only thing that comes to mind is workstation Zen work, within Novell administration at least - creating Zen apps and such. Daily Netware admin doesn't care about the Windows login. Am I missing something? Using this method you could have a regular user (windows) account that syncs with the Netware account, then a separate Windows account to log in when required - but log into the same eDir account.

I do something like this; my AD account is a local admin for workstations but doesn't allow local login to servers. For managing the Windows servers I login to an admin Windows account then use the same eDir account as normal.

Randy Grein, Master CNE, CCNA

On Dec 21, 2008, at 1:37 PM, Toomas Aas wrote:

> Hello!
>
> During our current security audit a (perceived) problem has come up
> - our current policy that IT personnel has local Administrator
> rights on XP workstations whereas everyone else has User rights
> (implemented using Zen DLU) is not considered safe enough. Now even
> IT staff is required to do their daily work as ordinary Users and
> only use Administrator rights for actual admin work.
>
> I can see two ways to achieve this, both somewhat cumbersome:
> 1. Create two eDir accounts for each IT person - requires two OES
> licenses per person...
> 2. Make everyone Users and use just the local Administrator account
> for admin work - means that you can't access any network resources
> while adminning...
>
> How have others solved this dilemma?
>
> --
> Toomas
> ... I used to be indecisive but now I'm not sure.
> _______________________________________________ > Novell mailing list > Novell at netlab1.oucs.ox.ac.uk > http://netlab1.usu.edu/mailman/listinfo/novell From toomas.aas at raad.tartu.ee Sun Dec 21 22:19:11 2008 From: toomas.aas at raad.tartu.ee (Toomas Aas) Date: Mon, 22 Dec 2008 00:19:11 +0200 Subject: Non-admin accounts for IT staff In-Reply-To: <2B357AF9-DF8D-4935-AD36-0A4C63B1AB4E@comcast.net> References: <494EB706.9000603@raad.tartu.ee> <2B357AF9-DF8D-4935-AD36-0A4C63B1AB4E@comcast.net> Message-ID: <494EC0DF.50102@raad.tartu.ee> Randy Grein wrote: > Yup, big problem. Our manager, with his shiny new CISSP tried to mandate > the same thing. It's really a generic security solution and a good thing > for the network in general - unix and linux solve this with SU access, > Windows by authenticating for specific applications as an admin account. > Netware can do this for iManager (because your login to the web console > is separate from your client login) but Console One and the rest use the > current network authentication. His solution is typical, to remove Netware. :) > On the other hand, how much work requires local admin on the Windows > workstation? The only thing that comes to mind is workstation Zen work, > within Novell administration at least - creating Zen apps and such. > Daily Netware admin doesn't care about the Windows login. Am I missing > something? Yep, I probably wasn't clear enough. By 'admin' I meant not as much Netware administrative tasks as folks who are setting up local user PCs, installing network printers (until our move from NDPS to iPrint/ICM is completed) etc. > Using this method you could have a regular user (windows) > account that syncs with the Netware account, then a separate Windows > account to log in when required - but log into the same eDir account. Looks like this is a way to go, thanks. -- Toomas ... The big print giveth and the small print taketh away. 
From randygrein at comcast.net Sun Dec 21 22:21:23 2008 From: randygrein at comcast.net (Randy Grein) Date: Sun, 21 Dec 2008 14:21:23 -0800 Subject: Non-admin accounts for IT staff In-Reply-To: <494EC0DF.50102@raad.tartu.ee> References: <494EB706.9000603@raad.tartu.ee> <2B357AF9-DF8D-4935-AD36-0A4C63B1AB4E@comcast.net> <494EC0DF.50102@raad.tartu.ee> Message-ID: <9A4EE76A-5F8E-405B-9A5E-4537C6BD924C@comcast.net> You're welcome. The local admin rights is something our PC analysts complained about initially - the boss didn't think they needed such rights, but it was impossible for them to work without them. They now have Windows admin accounts. Randy Grein, Master CNE, CCNA On Dec 21, 2008, at 2:19 PM, Toomas Aas wrote: > Randy Grein wrote: > >> Yup, big problem. Our manager, with his shiny new CISSP tried to >> mandate the same thing. It's really a generic security solution and >> a good thing for the network in general - unix and linux solve this >> with SU access, Windows by authenticating for specific applications >> as an admin account. Netware can do this for iManager (because your >> login to the web console is separate from your client login) but >> Console One and the rest use the current network authentication. >> His solution is typical, to remove Netware. > > :) > > >> On the other hand, how much work requires local admin on the >> Windows workstation? The only thing that comes to mind is >> workstation Zen work, within Novell administration at least - >> creating Zen apps and such. Daily Netware admin doesn't care about >> the Windows login. Am I missing something? > > Yep, I probably wasn't clear enough. By 'admin' I meant not as much > Netware administrative tasks as folks who are setting up local user > PCs, installing network printers (until our move from NDPS to iPrint/ > ICM is completed) etc. 
> >> Using this method you could have a regular user (windows) account >> that syncs with the Netware account, then a separate Windows >> account to log in when required - but log into the same eDir account. > > Looks like this is a way to go, thanks. > > -- > Toomas > > ... The big print giveth and the small print taketh away. > _______________________________________________ > Novell mailing list > Novell at netlab1.oucs.ox.ac.uk > http://netlab1.usu.edu/mailman/listinfo/novell From rockp at Cardiff.ac.uk Mon Dec 22 09:22:36 2008 From: rockp at Cardiff.ac.uk (Paul Rock) Date: Mon, 22 Dec 2008 09:22:36 +0000 Subject: Non-admin accounts for IT staff In-Reply-To: <494EB706.9000603@raad.tartu.ee> References: <494EB706.9000603@raad.tartu.ee> Message-ID: <494F5C5C.D335.0084.1@groupwise.cf.ac.uk> > During our current security audit a (perceived) problem has come up - our > current policy that IT personnel has local Administrator rights on XP > workstations whereas everyone else has User rights (implemented using Zen > DLU) is not considered safe enough. Now even IT staff is required to do > their daily work as ordinary Users and only use Administrator rights for > actual admin work. Which is why the academic community have been nagging Novell for [must be 10] years to have scoped DLU policies. If anybody outside the academic community wants to join this campaign please nag away as you pay more per seat :) ie. Fred is admin of workstations in his lab but not anywhere else. - Paul From cmangiarelli at gmail.com Mon Dec 22 19:39:50 2008 From: cmangiarelli at gmail.com (Christopher Mangiarelli) Date: Mon, 22 Dec 2008 14:39:50 -0500 Subject: Certs in OES2 In-Reply-To: <494A89440200007500008742@inet.eastcobbgroup.com> References: <494A89440200007500008742@inet.eastcobbgroup.com> Message-ID: Any idea how to do that? P.S. 
I was experimenting with the instructions in the cool solutions article we've been referencing and the command "openssl x509 -outform der -in /etc/opt/novell/SSCert.pem -out /etc/opt/novell/certs/SSCert.der" errored with a certificate error. hostname:~/ # openssl x509 -outform der -in /etc/opt/novell/SSCert.pem -out /etc/opt/novell/certs/SSCert.der Error opening Certificate /etc/opt/novell/SSCert.pem 20984:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('/etc/opt/novell/SSCert.pem','r') 20984:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351: unable to load certificate Not sure why, but I am going to set everything back to Novell Tech Supports method which works for apache but not for the ifolder client. As I said, the method in the Cool Solutions article might not be useable in the latest OES build. 2008/12/18 James Taylor > I assume you are talking about ifolder3? The install imports the cert from > the LDAPS interface. You probably need to configure your LDAP object for > the server to use the custom cert object you created. > -jt > > James Taylor > The East Cobb Group, Inc. > 678-697-9420 > james.taylor at eastcobbgroup.com > http://www.eastcobbgroup.com > > >>> "Christopher Mangiarelli" 12/18/08 2:37 PM > >>> > Woot, one step closer to done. I was able to get Apache to use a custom > cert with alternate subject names. Assuming the trusted root of my ca is > imported into the browser, I can give my users a meaningful URL without > popping up a security warning now. > > The solution was to use iManager to custom create a new cert (I called it > "SSL CertificateWEB"). I put in all of the names of the server (both fully > qualified, short names, and IP's). Exported the cert from iManager in > PKC12 > format. Copied that to my OES2 server. Used "openssl pkcs12 -in > sslwebcert.pfx -nodes -clcerts -out /etc/ssl/servercerts/sslwebcert.pem". > Edited /etc/apache2/vhosts.d/vhost-ssl.conf to point to the new > filename. 
Restarted > apache2 daemon and walla... all good! > > Now, the next problem. While this is all well and good for web access, the > iFolder install still displays security measures when connecting to the > server. Apparently the software does not use IE's keystore so I have to > hunt for this new location unless somebody else happens to know where it > exists. > > On Thu, Dec 18, 2008 at 2:13 PM, wrote: > > > A google for convert der to pem turned up this syntax for openssl: > openssl > > x509 -in -inform PEM -out file> > -outform DER I am assuming this to be reversed for DER to PEM. > > > > I seem to remember doing a lot of openssl a while back for a java app > that > > was particular but one thing I will say is that it may be a little more > > complicated but it usually works as advertised. > > > > HTH > > > > T2 > > > -- Christopher Mangiarelli cmangiarelli at gmail.com From James.Taylor at eastcobbgroup.com Mon Dec 22 20:23:46 2008 From: James.Taylor at eastcobbgroup.com (James Taylor) Date: Mon, 22 Dec 2008 15:23:46 -0500 Subject: Certs in OES2 In-Reply-To: References: <494A89440200007500008742@inet.eastcobbgroup.com> Message-ID: <494FB1030200007500026FCA@inet.eastcobbgroup.com> Open ConsoleOne, right click on the LDAP server object for the server and select properties, then the SSL/TLS tab and browse the tree for the certificate object you created with iManager. Then select the refresh LDAP server button. -jt James Taylor The East Cobb Group, Inc. 678-697-9420 james.taylor at eastcobbgroup.com http://www.eastcobbgroup.com >>> "Christopher Mangiarelli" 12/22/2008 02:39 PM >>> Any idea how to do that? P.S. I was experimenting with the instructions in the cool solutions article we've been referencing and the command "openssl x509 -outform der -in /etc/opt/novell/SSCert.pem -out /etc/opt/novell/certs/SSCert.der" errored with a certificate error.
hostname:~/ # openssl x509 -outform der -in /etc/opt/novell/SSCert.pem -out /etc/opt/novell/certs/SSCert.der Error opening Certificate /etc/opt/novell/SSCert.pem 20984:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('/etc/opt/novell/SSCert.pem','r') 20984:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351: unable to load certificate Not sure why, but I am going to set everything back to Novell Tech Supports method which works for apache but not for the ifolder client. As I said, the method in the Cool Solutions article might not be useable in the latest OES build. 2008/12/18 James Taylor > I assume you are talking about ifolder3? The install imports the cert from > the LDAPS interface. You probably need to configure your LDAP object for > the server to use the custom cert object you created. > -jt > > James Taylor > The East Cobb Group, Inc. > 678-697-9420 > james.taylor at eastcobbgroup.com > http://www.eastcobbgroup.com > > >>> "Christopher Mangiarelli" 12/18/08 2:37 PM > >>> > Woot, one step closer to done. I was able to get Apache to use a custom > cert with alternate subject names. Assuming the trusted root of my ca is > imported into the browser, I can give my users a meaningful URL without > popping up a security warning now. > > The solution was to use iManager to custom create a new cert (I called it > "SSL CertificateWEB"). I put in all of the names of the server (both fully > qualified, short names, and IP's). Exported the cert from iManager in > PKC12 > format. Copied that to my OES2 server. Used "openssl pkcs12 -in > sslwebcert.pfx -nodes -clcerts -out /etc/ssl/servercerts/sslwebcert.pem". > Edited /etc/apache2/vhosts.d/vhost-ssl.conf to point to the new > filename. Restarted > apache2 daemon and walla... all good! > > Now, the next problem. While this is all well and good for web access, the > iFolder install still displays security measures when connecting to the > server. 
Apparently the software does not use IE's keystore so I have to > hunt for this new location unless somebody else happens to know where it > exists. > > On Thu, Dec 18, 2008 at 2:13 PM, wrote: > > > A google for convert der to pem turned up this syntax for openssl: > openssl > > x509 -in -inform PEM -out file> > -outform DER I am assuming this to be reversed for DER to PEM. > > > > I seem to remember doing a lot of openssl a while back for a java app > that > > was particular but one thing I will say is that it may be a little more > > complicated but it usually works as advertised. > > > > HTH > > > > T2 > > > -- Christopher Mangiarelli cmangiarelli at gmail.com From cmangiarelli at gmail.com Tue Dec 23 18:14:04 2008 From: cmangiarelli at gmail.com (Christopher Mangiarelli) Date: Tue, 23 Dec 2008 13:14:04 -0500 Subject: Certs in OES2 In-Reply-To: <494FB1030200007500026FCA@inet.eastcobbgroup.com> References: <494A89440200007500008742@inet.eastcobbgroup.com> <494FB1030200007500026FCA@inet.eastcobbgroup.com> Message-ID: Already did that in iManager and doesn't seem to work. The certificate presented to the ifolder client when it installs still mentions the server hostname and still also complains about an "Untrusted" CA even though the CA Trusted Root is imported into the IE certificate store. On Mon, Dec 22, 2008 at 3:23 PM, James Taylor < James.Taylor at eastcobbgroup.com> wrote: > Open ConsoleOne, right click on the LDAP server object for the server > and select properties, then the SSL/TLS tab and browse the tree for the > certificate object you created with iManager. Then select the refresh > LDAP server button. > -jt > > James Taylor > The East Cobb Group, Inc.
> 678-697-9420 > james.taylor at eastcobbgroup.com > http://www.eastcobbgroup.com > > > >>> "Christopher Mangiarelli" 12/22/2008 02:39 > PM >>> > Any idea how to do that? > > P.S. I was experimenting with the instructions in the cool solutions > article > we've been referencing and the command "openssl x509 -outform der -in > /etc/opt/novell/SSCert.pem -out /etc/opt/novell/certs/SSCert.der" > errored > with a certificate error. > > hostname:~/ # openssl x509 -outform der -in /etc/opt/novell/SSCert.pem > -out > /etc/opt/novell/certs/SSCert.der > Error opening Certificate /etc/opt/novell/SSCert.pem > 20984:error:02001002:system library:fopen:No such file or > directory:bss_file.c:349:fopen('/etc/opt/novell/SSCert.pem','r') > 20984:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351: > unable to load certificate > > Not sure why, but I am going to set everything back to Novell Tech > Supports > method which works for apache but not for the ifolder client. As I > said, > the method in the Cool Solutions article might not be useable in the > latest > OES build. > -- Christopher Mangiarelli cmangiarelli at gmail.com From joea at j4computers.com Tue Dec 23 19:45:04 2008 From: joea at j4computers.com (joea at j4computers.com) Date: Tue, 23 Dec 2008 14:45:04 -0500 Subject: Certs in OES2 Message-ID: <4950F95E020000850005F296@FS-LIN-OES> That sounds like the cert is not actually installed, or the name does not match what is typed in the browser address line. Here is a link to another article on changing OES2 certs that might be helpful http://www.novell.com/communities/node/6072/replacing-open-enterprise-server-2-linux-server-certificates joe a. From Alar.Pandis at mtk.ut.ee Thu Dec 25 18:17:48 2008 From: Alar.Pandis at mtk.ut.ee (Alar Pandis) Date: Thu, 25 Dec 2008 20:17:48 +0200 Subject: SLES 10 SP1 OES2 to SLES SP2 OES2 SP1 Message-ID: <005601c966bd$17baf3f0$8800000a@infutiknt.mtk.ut.ee> Hi! 
Tried upgrade SLES 10 SP1 OES2 to SLES SP2 OES2 SP1, but some dependencies error appear in packages section about: intel-e1000 intel-e1000-kmp-smp libsmbMgmt novell-kerberos-password-agent yast2-novell-migration-gui-iprint First option is about "delete java-1_5_0-ibm-fonts". Should I ignore these? Well, I have working with NW, but with SLES about ... 2 months with installing SLES 10 SP1 OES2 into existing tree (NetWare 5.1). Any ideas how to proceed? More thanks, Alar. PS! (Well, in OES2 SP1 installing documents is warning to not use LDAP on earlier than NW 6.5 SP3 servers, we mostly use NW 5.1! Still. With OES2 ... no problems.) From joe.doupnik at oucs.ox.ac.uk Fri Dec 26 11:35:44 2008 From: joe.doupnik at oucs.ox.ac.uk (jrd) Date: Fri, 26 Dec 2008 11:35:44 +0000 Subject: SLES 10 SP1 OES2 to SLES SP2 OES2 SP1 In-Reply-To: <005601c966bd$17baf3f0$8800000a@infutiknt.mtk.ut.ee> References: <005601c966bd$17baf3f0$8800000a@infutiknt.mtk.ut.ee> Message-ID: <4954C190.9080600@oucs.ox.ac.uk> Alar Pandis wrote: > Hi! > Tried upgrade SLES 10 SP1 OES2 to SLES SP2 OES2 SP1, but some dependencies > error appear in packages section about: > intel-e1000 > intel-e1000-kmp-smp > libsmbMgmt > novell-kerberos-password-agent > yast2-novell-migration-gui-iprint > First option is about "delete java-1_5_0-ibm-fonts". > Should I ignore these? Well, I have working with NW, but with SLES about ... > 2 months with installing SLES 10 SP1 OES2 into existing tree (NetWare 5.1). > Any ideas how to proceed? > More thanks, > Alar. > PS! (Well, in OES2 SP1 installing documents is warning to not use LDAP on > earlier than NW 6.5 SP3 servers, we mostly use NW 5.1! Still. With OES2 ... > no problems.) ------------- Alar, I presume this is performing a SLES in-place upgrade with the OES2 SP1 part being an add-on product at the same time. You need to look at the particular dependencies being shown as problematic. There may be a number of obsolete RPMs which need to be removed, and that would be normal.
Assuming the notices are of this kind you can go ahead with the process. Otherwise you will need to dig deeper into the reason why some items are causing trouble. I have performed this kind of upgrade several times on production servers and the results have been fine. However, I have not tried this with a NW 5 server in the mixture. The likely worry about NW 5 is eDir details. As you already have NW 5 mixed with OES2/Linux that means eDir 8.8 is now present in the tree and working correctly, so that the change to 8.8.4 with SP1 ought not be a problem. Joe D. From Alar.Pandis at mtk.ut.ee Fri Dec 26 19:10:21 2008 From: Alar.Pandis at mtk.ut.ee (Alar Pandis) Date: Fri, 26 Dec 2008 21:10:21 +0200 Subject: SLES 10 SP1 OES2 to SLES SP2 OES2 SP1 Message-ID: <000001c9678d$99a755e0$8800000a@infutiknt.mtk.ut.ee> Hi again and thanks Joe! Yes, in-place. And, yes, OES2 (on SLES 10 and also on NW 6.5) working ... seems to ... fine in same tree with NW 5.1 (master). First I tried find something for "intel-e1000", but ... not much. I have HP dc7800 machine, probably it is connected with that. I see SLES 10 SP2 drivers for dc7900, but not for dc7800. About ... libsmbMgmt and etc. I can't imagine connections. More thanks, Alar. >>> jrd joe.doupnik at oucs.ox.ac.uk Fri Dec 26 11:35:44 GMT 2008 <<< Alar Pandis wrote: > Hi! > Tried upgrade SLES 10 SP1 OES2 to SLES SP2 OES2 SP1, but some dependencies > error appear in packages section about: > intel-e1000 > intel-e1000-kmp-smp > libsmbMgmt > novell-kerberos-password-agent > yast2-novell-migration-gui-iprint > First option is about "delete java-1_5_0-ibm-fonts". > Should I ignore these? Well, I have working with NW, but with SLES about ... > 2 months with installing SLES 10 SP1 OES2 into existing tree (NetWare 5.1). > Any ideas how to proceed? > More thanks, > Alar. > PS! (Well, in OES2 SP1 installing documents is warning to not use LDAP on > earlier than NW 6.5 SP3 servers, we mostly use NW 5.1! Still. With OES2 ... > no problems.)
------------- Alar, I presume this is performing a SLES in-place upgrade with the OES2 SP1 part being an add-on product at the same time. You need to look at the particular dependencies being shown as problematic. There may be a number of obsolete RPMs which need to be removed, and that would be normal. Assuming the notices are of this kind you can go ahead with the process. Otherwise you will need to dig deeper into the reason why some items are causing trouble. I have performed this kind of upgrade several times on production servers and the results have been fine. However, I have not tried this with a NW 5 server in the mixture. The likely worry about NW 5 is eDir details. As you already have NW 5 mixed with OES2/Linux that means eDir 8.8 is now present in the tree and working correctly, so that the change to 8.8.4 with SP1 ought not be a problem. Joe D. From joe.doupnik at oucs.ox.ac.uk Sat Dec 27 10:14:26 2008 From: joe.doupnik at oucs.ox.ac.uk (jrd) Date: Sat, 27 Dec 2008 10:14:26 +0000 Subject: SLES 10 SP1 OES2 to SLES SP2 OES2 SP1 In-Reply-To: <000001c9678d$99a755e0$8800000a@infutiknt.mtk.ut.ee> References: <000001c9678d$99a755e0$8800000a@infutiknt.mtk.ut.ee> Message-ID: <49560002.1040305@oucs.ox.ac.uk> Alar Pandis wrote: > Hi again and thanks Joe! > Yes, in-place. And, yes, OES2 (on SLES 10 and also on NW 6.5) working ... > seems to ... fine in same tree with NW 5.1 (master). > First I tried find something for "intel-e1000", but ... not much. I have HP > dc7800 machine, probably it is connected with that. I see SLES 10 SP2 > drivers for dc7900, but not for dc7800. About ... libsmbMgmt and etc. I > can't imagine connections. > More thanks, > Alar. ---------- There was a bit of a flap recently concerning the Intel e1000 driver. A software blunder allowed the firmware to be destroyed. That has since been corrected. Thus this change may be part of what you see. libsmbMgmt is clearly an SMB thingy. We can see a conflict if you use CIFS from Novell in OES2 SP1. 
I must pass on the HP DC driver material; none here for reference. Joe D. From petervl at gmail.com Mon Dec 29 19:46:00 2008 From: petervl at gmail.com (Peter Van Lone) Date: Mon, 29 Dec 2008 13:46:00 -0600 Subject: OT -- CD to CD copy of audio cd for archiving Message-ID: <68b791330812291146j143f2b2cpc0fe3e6a11e45142@mail.gmail.com> Using SLED 10, in the past, I've been able to use Banshee in SLED 10 under gnome, to make a copy of an audio CD. I put the original in, click copy cd it reads the original and writes an image somewhere, and then prompts for a blank CD and then copies to it. However, I have a new batch of 50 or so CD's that I want to archive (yes, it has been awhile since I last did this) and on the first 3 tries, the first copy attempt prompts for the blank cd, then bombs out with an error writing to disk. I was able to put a new disk in, and it completed ... but, I can't afford to use up 2 discs for every one successful copy. Plus, the first part of the process in banshee is pretty slow (15-20 min for each cd, then another 5 to write to the blank). I know that banshee is not the underlying tool that is doing the copy -- what is the tool? Would it be easier (and faster??) to drop to the command line and do the copy from there? What tool do I use, and what commands ... do I first have to manually create an iso, and then burn the iso to disk? Or is there some command line tool that will do it in one step as I have been used to in banshee? Peter When I do good, I feel good. When I do bad, I feel bad. That is my religion.
-Abraham Lincoln http://www.the-brights.net http://xkcd.com/167 From James.Taylor at eastcobbgroup.com Tue Dec 30 02:21:37 2008 From: James.Taylor at eastcobbgroup.com (James Taylor) Date: Mon, 29 Dec 2008 21:21:37 -0500 Subject: OT -- CD to CD copy of audio cd for archiving In-Reply-To: <68b791330812291146j143f2b2cpc0fe3e6a11e45142@mail.gmail.com> References: <68b791330812291146j143f2b2cpc0fe3e6a11e45142@mail.gmail.com> Message-ID: <49593F610200007500027608@inet.eastcobbgroup.com> I use KDE, and K3B has always worked perfectly for me. However, in Gnome you can use Nautilus to burn CD's. Another Gnome based app that seems pretty popular is Brasero. I use openSUSE because SLED has a fairly limited application base. Even so, SLED should have the Nautilus CD extensions. -jt James Taylor The East Cobb Group, Inc. 678-697-9420 james.taylor at eastcobbgroup.com http://www.eastcobbgroup.com >>> "Peter Van Lone" 12/29/2008 02:46 PM >>> Using SLED 10, in the past, I've been able to use Banshee in SLED 10 under gnome, to make a copy of an audio CD. I put the original in, click copy cd it reads the original and writes an image somewhere, and then prompts for a blank CD and then copies to it. However, I have a new batch of 50 or so CD's that I want to archive (yes, it has been awhile since I last did this) and on the first 3 tries, the first copy attempt prompts for the blank cd, then bombs out with an error writing to disk. I was able to put a new disk in, and it completed ... but, I can't afford to use up 2 discs for every one successful copy. Plus, the first part of the process in banshee is pretty slow (15-20 min for each cd, then another 5 to write to the blank). I know that banshee is not the underlying tool that is doing the copy -- what is the tool? Would it be easier (and faster??) to drop to the command line and do the copy from there? What tool do I use, and what commands ... do I first have to manually create an iso, and then burn the iso to disk?
Or is there some command line tool that will do it in one step as I have been used to in banshee? Peter When I do good, I feel good. When I do bad, I feel bad. That is my religion. -Abraham Lincoln http://www.the-brights.net http://xkcd.com/167 From joe.doupnik at oucs.ox.ac.uk Tue Dec 30 09:46:43 2008 From: joe.doupnik at oucs.ox.ac.uk (jrd) Date: Tue, 30 Dec 2008 09:46:43 +0000 Subject: OT -- CD to CD copy of audio cd for archiving In-Reply-To: <68b791330812291146j143f2b2cpc0fe3e6a11e45142@mail.gmail.com> References: <68b791330812291146j143f2b2cpc0fe3e6a11e45142@mail.gmail.com> Message-ID: <4959EE03.20107@oucs.ox.ac.uk> Peter Van Lone wrote: > Using SLED 10, in the past, I've been able to use Banshee in SLED 10 > under gnome, to make a copy of an audio CD. I put the original in, > click copy cd it reads the original and writes an image somewhere, and > then prompts for a blank CD and then copies to it. > > However, I have a new batch of 50 or so CD's that I want to archive > (yes, it has been awhile since I last did this) and on the first 3 > tries, the first copy attempt prompts for the blank cd, then bombs out > with an error writing to disk. I was able to put a new disk in, and it > completed ... but, I can't afford to use up 2 discs for every one > successful copy. Plus, the first part of the process in banshee is > pretty slow (15-20 min for each cd, then another 5 to write to the > blank). > > I know that banshee is not the underlying tool that is doing the copy > -- what is the tool? Would it be easier (and faster??) to drop to the > command line and do the copy from there? What tool do I use, and what > commands ... do I first have to manually create an iso, and then burn > the iso to disk? Or is there some command line tool that will do it in > one step as I have been used to in banshee?
> > Peter ------------- There is the simple way as well. dd if=/dev/cdrom of=file.iso then later dd if=file.iso of=/dev/cdrom This is a sector by sector approach, free of file system nuances. Above, /dev/cdrom represents your CD drive, whatever its name may be, and file.iso is just a filename wherever you wish it to appear. man dd for details. Joe D.
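For the "Certs in OES2" thread earlier in this archive: the checks that discussion circles around (can the file be read at the path given, is it PEM or DER, did a conversion keep the same certificate, and do the names in it match what the client connects to), as an added example that is not part of any list post or of Novell's documentation. The host names, the address, the file names and the throwaway self-signed certificate are constructed for the demonstration; it assumes an `openssl` binary that supports `-checkhost` (1.0.2 or later).

```shell
#!/usr/bin/env bash
# Added example: constructed names, addresses and files; not from the list posts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate carrying the names a client might type
# (FQDN, short name, IP), like the custom certificate described in the thread.
make_test_cert() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = oes2.example.test
[v3]
subjectAltName = DNS:oes2.example.test, DNS:oes2, IP:192.0.2.10
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Print PEM, DER or UNKNOWN for a certificate file.
detect_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Convert between encodings: $1=input $2=input format $3=output $4=output format.
# Readability is checked first: the failure quoted in the thread was fopen()
# reporting "No such file or directory", a path problem rather than a bad cert.
convert_cert() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    openssl x509 -inform "$2" -in "$1" -outform "$4" -out "$3"
}

# SHA-256 fingerprint ($1=file $2=format), to confirm a conversion kept the
# same certificate.
fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the PEM certificate in $1 is valid for the host name or
# IPv4 address $2 that the client connects to. The tool's message is parsed
# because older openssl releases exit 0 even on a mismatch.
name_matches() {
    case "$2" in
        *[!0-9.]*) check=-checkhost ;;
        *)         check=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$check" "$2" 2>&1 \
        | grep -q 'does match certificate'
}

make_test_cert
convert_cert "$WORK/cert.pem" PEM "$WORK/cert.der" DER
convert_cert "$WORK/cert.der" DER "$WORK/back.pem" PEM
echo "cert.der is $(detect_format "$WORK/cert.der")"
for name in oes2.example.test oes2 192.0.2.10 files.example.test; do
    if name_matches "$WORK/cert.pem" "$name"; then
        echo "$name: covered by the certificate"
    else
        echo "$name: NOT covered, clients using it will warn"
    fi
done
```

The same name check applies to whatever certificate a running service actually presents, once that certificate has been saved to a PEM file.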