LDAP (2016-12-06 17:59:36)
rmb @ 2013-12-29 12:55:36 from 89.236.59.15
You need to add indexes:

olcDbIndex.ldif:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

This is to speed up slapd performance.
rmb @ 2013-12-29 13:12:59 from 89.236.59.15
To generate a key, do:
pushd /root/
certtool --generate-privkey --outfile vmzaphod01.key
certtool --generate-self-signed --load-privkey vmzaphod01.key --outfile vmzaphod01.pem
popd
pushd /etc/ssl
cp ~/vmzaphod01.key private/
cp ~/vmzaphod01.pem certs/
popd

Once you have generated the key, it is time to make slapd use it. This is a setting in cn=config:
olcTLS.ldif:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/vmzaphod01.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/vmzaphod01.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/vmzaphod01.pem
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
rmb @ 2013-12-29 13:15:02 from 89.236.59.15
This is not an LDIF file?
To allow users to change their passwords, you need this LDIF:
access to *
   by * read
access to attrs=userPassword by self write by * auth

Maybe this works:
olcAccess.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=loginShell,gecos
  by dn="cn=admin,dc=barnkob,dc=net" write
  by self write
  by * read
rmb @ 2013-12-31 14:27:37 from 89.236.59.15
It was a pretty bad idea - now I cannot add indexes to slapd :(
rmb @ 2013-12-29 14:34:25 from 89.236.59.15
The problem with ldapscripts was the password set in /etc/ldap.secret was set with a newline - this is a major showstopper - use:
echo -n "<secret>" >ldap.secret
to set without newline!
I still have problems with the user passwords, so I cannot authenticate against LDAP thus far.
rmb @ 2013-12-30 13:35:55 from 89.236.59.15
You need to open two ports in the firewall:
  $IPT -A INPUT -p tcp --dport kerberos -j ACCEPT
  $IPT -A INPUT -p udp --dport kerberos-iv -j ACCEPT
rmb @ 2013-12-31 11:45:30 from 89.236.59.15
Nice little twist - add
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022

to /etc/pam.d/common-session to make it automagically create homedirs on first login. Remember this is done as root, so if you run an NFS with root-squash, it will fail.
rmb @ 2014-01-03 19:08:56 from 77.247.181.163
Cannot change password?
rmb @ 2014-02-14 18:13:56 from 89.236.59.15
This was what I used at Doms:
access to attr=userPassword
                        by self write
                        by anonymous auth
                        by dn.base="cn=admin,dc=doms-pss,dc=dk" write
                        by * none
access to *
                        by self write
                        by dn.base="cn=admin,dc=doms-pss,dc=dk" write
                        by * read

Followed by:
ldapadd -W -D cn=admin,dc=doms-pss,dc=dk -f ldap-allow-user-update-passwd

Note that the Doms-solution uses LDAP passwords and not Kerberos.
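The two ACL orderings in this thread (the first attempt with "access to *" before the userPassword rule, and the Doms version with userPassword first) behave very differently, because slapd consults only the first "access to" directive whose <what> covers the attribute, and inside it only the first matching "by" clause. With the catch-all first, the userPassword rule is never reached: users cannot change their own password, and any anonymous bind can read the password hashes. The evaluator below is an added example written for this page, not code from the posts or from OpenLDAP; it models just those two evaluation rules and only the clause forms that appear on this page. The admin DN is the one from the Doms post; the bob/alice DNs and the two ACL texts are constructed reproductions.

```python
import re

# slapd access levels from weakest to strongest (slapd.access(5)); a clause
# granting level L satisfies any request that needs L or a weaker level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Granted when no 'access to' directive matches at all; slapd's documented
# default policy is 'access to * by * read'.
DEFAULT_WHEN_UNMATCHED = "read"


def parse_acl(text):
    """Parse slapd.conf-style ACL text into [(what, [(who, level), ...]), ...].

    <what> becomes a set of lower-cased attribute names for 'attrs=' (or the
    older 'attr=' spelling used in the Doms post), or None for '*'.
    Only the clause forms seen on this page are understood.
    """
    rules = []
    for directive in re.split(r"^\s*access to\s+", text, flags=re.MULTILINE)[1:]:
        tokens = directive.split()
        what = tokens[0]
        if what.startswith(("attrs=", "attr=")):
            what = {a.lower() for a in what.split("=", 1)[1].split(",")}
        elif what == "*":
            what = None
        else:
            raise ValueError(f"unsupported <what> clause: {what}")
        clauses = []
        for i in range(1, len(tokens), 3):
            if tokens[i] != "by":
                raise ValueError(f"expected 'by', got {tokens[i]!r}")
            clauses.append((tokens[i + 1], tokens[i + 2]))
        rules.append((what, clauses))
    return rules


def who_matches(who, bound_dn, entry_dn):
    """Does a <who> clause apply to a requester bound as bound_dn (None when
    anonymous) operating on the entry entry_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn(?:\.base|\.exact)?="([^"]*)"', who)
    if m:
        return bound_dn is not None and bound_dn.lower() == m.group(1).lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def granted_level(rules, attribute, bound_dn, entry_dn):
    """The FIRST 'access to' whose <what> covers the attribute is the only one
    consulted; inside it the FIRST matching 'by' clause wins, and a directive
    with no matching clause denies (slapd's implicit trailing 'by * none')."""
    for what, clauses in rules:
        if what is None or attribute.lower() in what:
            for who, level in clauses:
                if who_matches(who, bound_dn, entry_dn):
                    return level
            return "none"
    return DEFAULT_WHEN_UNMATCHED


def allows(rules, attribute, bound_dn, entry_dn, needed):
    """True if the granted level reaches what the operation needs
    (a password change needs 'write', a simple bind needs 'auth')."""
    got = granted_level(rules, attribute, bound_dn, entry_dn)
    return LEVELS.index(got) >= LEVELS.index(needed)


# Constructed reproduction of the first attempt in the thread: catch-all first.
MISORDERED_ACL = """
access to *
   by * read
access to attrs=userPassword by self write by * auth
"""

# The ordering from the Doms post: the userPassword rule comes first.
DOMS_ACL = """
access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=admin,dc=doms-pss,dc=dk" write
    by * none
access to *
    by self write
    by dn.base="cn=admin,dc=doms-pss,dc=dk" write
    by * read
"""

MISORDERED_RULES = parse_acl(MISORDERED_ACL)
DOMS_RULES = parse_acl(DOMS_ACL)

# Admin DN from the post; user DNs are constructed for the example.
ADMIN = "cn=admin,dc=doms-pss,dc=dk"
BOB = "uid=bob,ou=people,dc=doms-pss,dc=dk"
ALICE = "uid=alice,ou=people,dc=doms-pss,dc=dk"

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED_RULES), ("doms", DOMS_RULES)):
        print(name,
              "| bob on own userPassword:", granted_level(rules, "userPassword", BOB, BOB),
              "| anonymous on bob's userPassword:", granted_level(rules, "userPassword", None, BOB),
              "| alice on bob's userPassword:", granted_level(rules, "userPassword", ALICE, BOB))
```

Running it shows the misordered set granting "read" on userPassword to everyone (including anonymous) and never "write" to the user, while the Doms set grants self write, anonymous auth, admin write and nothing to other users. Indexed olcAccess values ({0}, {1}, ...) in cn=config are evaluated in the same order, so the userPassword entry must carry the lower index.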
rmb @ 2014-12-28 12:59:57 from 89.236.3.144
Update the /etc/sssd/sssd.conf to read:
[sssd]
config_file_version = 2
services = nss,pam,sudo
domains = barnkob.net

[domain/barnkob.net]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_server = 10.0.0.1
krb5_realm = BARNKOB.NET
ldap_uri = ldap://10.0.0.1
ldap_search_base = DC=barnkob,DC=net
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/vmzaphod01.pem

File must be mode 0600
chmod 600 sssd.conf

Remember to install
libpam-krb5
This is what makes the magic happen!
rmb @ 2016-12-06 17:59:36 from 185.15.74.2
Devuan FTW!!!
  1. Standard Debian Jessie install
    The only thing you need on tasksel-page is std. system and SSH server - the rest we will do afterwards
  2. Switch away from Potteringware systemd:
    # apt-get install sysvinit-core sysvinit sysvinit-utils
    
    Then reboot your machine and remove all of the systemd packages
    # apt-get remove --purge --auto-remove systemd
    
    Prevent apt from installing systemd packages in the future.
    # echo -e 'Package: systemd\nPin: origin ""\nPin-Priority: -1' > /etc/apt/preferences.d/systemd
    
  3. aptitude update && aptitude upgrade
  4. aptitude install vim
  5. aptitude install slapd
  6. dpkg-reconfigure slapd (you may need to delete /var/backups/* and dpkg-reconfigure slapd again), update /etc/ldap/ldap.conf
  7. aptitude install ldap-utils ldapscripts
  8. Fix /etc/ldapscripts/ldapscripts.passwd using
    root@debian:/etc/ldapscripts# echo -n "..." >ldapscripts.passwd
    
  9. Update ldapscripts.conf - fix SERVER, SUFFIX, BINDDN and BINDPWDFILE
  10. Run ldapinit
  11. Prepare and add olcDbIndex.ldif
    ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif
  12. aptitude install gnutls-bin
  13. Run the key generation from below
  14. I spent a long time with wrong permissions on /etc/ssl/private - they must be such that the user openldap actually can read the private certificate!
  15. Do the add TLS:
    ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcTLS.ldif
  16. Install and update sssd.conf as described below
  17. Update /etc/pam.d/common-session as described below
  18. Install the NSLCD (aptitude install nslcd)
  19. Install Kerberos5
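Step 14 is the easy one to get wrong: slapd drops privileges to the openldap user, so that user must be able to traverse /etc/ssl/private and read the key, while no other account should be able to read (or replace) it. The checker below is an added example written for this page, not code from the post; it models the classic mode bits only (no POSIX ACLs, no root override) and takes the uid and group list as parameters so it can be run against the service account without switching users. The Debian layout (key under /etc/ssl/private, service user openldap) and the key file name in the __main__ block are assumptions taken from this thread.

```python
import os
import stat

# (owner, group, other) mode masks for the two permissions a key load needs.
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def _allows(st, uid, gids, bits):
    """Pick the permission class the way the kernel does: owner class if uid
    owns the object, else group class if its gid is one of the caller's groups,
    else the 'other' class. Root's override is deliberately not modelled."""
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def path_readable_by(path, uid, gids):
    """True if uid (with supplementary groups gids) can search every parent
    directory of path and read the file itself."""
    path = os.path.abspath(path)
    parents = []
    parent = os.path.dirname(path)
    while parent != os.path.dirname(parent):  # stop at the filesystem root
        parents.append(parent)
        parent = os.path.dirname(parent)
    parents.append(parent)
    for directory in reversed(parents):  # check from the root downwards
        if not _allows(os.stat(directory), uid, gids, SEARCH):
            return False
    return _allows(os.stat(path), uid, gids, READ)


def exposed_to_others(path):
    """Mode bits that hand the key to every local account."""
    mode = os.stat(path).st_mode
    return {
        "world-readable": bool(mode & stat.S_IROTH),
        "world-writable": bool(mode & stat.S_IWOTH),
    }


def check_private_key(path, uid, gids):
    """Return a list of findings; an empty list means the service account can
    load the key and no other account can read or replace it."""
    findings = []
    if not path_readable_by(path, uid, gids):
        findings.append(f"{path}: not readable by uid {uid}; slapd will fail to load its TLS key")
    for problem, present in exposed_to_others(path).items():
        if present:
            findings.append(f"{path}: private key is {problem}")
    return findings


if __name__ == "__main__":
    import grp
    import pwd
    # Assumed Debian layout from this thread: service user 'openldap',
    # key at /etc/ssl/private/vmzaphod01.key.
    user = pwd.getpwnam("openldap")
    gids = [user.pw_gid] + [g.gr_gid for g in grp.getgrall() if user.pw_name in g.gr_mem]
    for line in check_private_key("/etc/ssl/private/vmzaphod01.key", user.pw_uid, gids) or ["ok"]:
        print(line)
```

On Debian, /etc/ssl/private is root:ssl-cert with mode 0710, so the usual fix that makes this check pass without opening the directory to everyone is to add the service user to that group (adduser openldap ssl-cert) and give the key itself group ssl-cert with mode 0640, rather than chmod 755 on the directory.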
rmb @ 2016-12-06 17:58:06 from 185.15.74.2
I finalized with 2 errors in ldapinit
I had some problems getting this to work - especially nsswitch.conf was not updated correctly, but a manual editing session fixed that
Why I hate Americans (2016-11-30 21:27:16)
rmb @ 2013-09-11 14:23:58 from 89.236.59.15
They think their world view must be imposed on the whole world - the latest is Danaher's wish to destroy our development department with their (in)security policy - they have completely misunderstood it - when the developers' work is hampered by the policy? password policies that just result in people writing the password down on paper and leaving it next to the workstation... D'UH!!!
rmb @ 2013-09-16 16:44:21 from 87.48.158.178
I should be more precise - it is not Bill, who does the real work at the factory, or Roger, who develops the SW for the new product; it is rather Tom, who has no idea what experience in the field is worth, and Joshua, who wants to sell a product the customers will come to hate, as well as Walter, who has no idea what battles are going on at the bottom but collects his 280 million DKK and an unknown number of stock options...
rmb @ 2013-10-26 09:48:46 from 89.236.59.15
And what is this about desperately clinging to "the imperial system" with pounds, gallons and fahrenheit? away with that crap, ridiculous Americans!
rmb @ 2013-11-05 20:54:18 from 89.236.59.15
Their idea of IT security, which seems half thought through - perimeter defense but an obvious lack of internal protection - compartmentalize the network!
rmb @ 2013-11-05 20:57:42 from 89.236.59.15
Death to NSA - destroying the internet! What the h... kind of attitude is project bullrun - and our prime minister, who speaks in a way that shows how little she understands of the seriousness of the situation.
rmb @ 2013-11-10 19:19:09 from 89.236.59.15
Why bonus schemes should be dropped:
if you get a bonus for "now" solutions, little thought has usually been given to how things look in 5 years - "I've got my bonus, so I'm off now!". It has been seen again and again that a salesman has sold a product that costs a grotesque amount of support a couple of years down the line, but he doesn't care - he has got his bonus and is gone now.
rmb @ 2013-11-17 13:30:28 from 89.236.59.15
Death to NSA and CEOs
rmb @ 2013-11-20 20:25:05 from 37.130.227.133
What goes on in the heads of the EU politicians who want to break TOR? and our clueless legal (formerly IT) spokesperson, who proposes banning TOR?!? Criminals also use cars, should we ban them? and bicycles?
(this is incidentally posted via TOR, hence the strange IP)
rmb @ 2013-11-23 11:33:59 from 171.25.193.235
Now I have started TOR again - wonder where I am coming from now...
rmb @ 2014-01-03 19:08:29 from 77.247.181.163
So let's try again.
rmb @ 2016-11-30 21:27:16 from 185.15.74.2
Politiken: Kronik (op-ed), 30 Nov. 2016 at 20.14: The most disadvantaged get the worst births
The USA gives us a frightening example that the more skewed the income distribution is, the more effort will be put into maintaining an unsolidaristic health service. In the USA the economic elite is used to having de facto priority access to political influence, prestigious private schools and universities, private hospitals and maternity clinics.
...
The American physician Linda Emanuel, who was a member of the American Medical Association's ethics committee, once said at a Nordic meeting on health administration: »In many ways it looks as though you too are on your way to introducing a market-driven health service like the one we have in the USA.«
It made an impression when she quite quietly ended her contribution with the words: »Don't! It is a mistake«.
http://pol.dk/3492079
(2016-08-09 12:01:58)
rmb @ 2016-08-09 12:01:58 from 185.15.74.2
The choice is a potentially risky one. Alenia Aerospace is part of the Finmeccanica Group alongside companies such as AnsaldoBreda and AgustaWestland. Finmeccanica has a reputation for high-profile failures. And if it screws up the Dutch F-35s, an entire European air arm could be in jeopardy.
China on Mars (2016-06-26 13:06:02)
rmb @ 2016-06-26 13:06:02 from 185.15.74.2
A leaked memo indicates China will go to Mars within 10 years
ZPool (2016-02-07 10:17:55)
rmb @ 2016-02-07 10:17:55 from 92.243.231.165
Note the -d option - it was what I have been looking for!
       zpool import [-d dir] [-D] [-f] [-o opts] [-R root] pool | id [newpool]
Imports a specific pool. A pool can be identified by its name or the numeric identifier. If newpool is specified, the pool is imported using the name newpool. Otherwise, it is imported with the same name as its exported name.
If a device is removed from a system without running "zpool export" first, the device appears as potentially active. It cannot be determined if this was a failed export, or whether the device is really in use from another host. To import a pool in this state, the -f option is required.
-d dir Searches for devices or files in dir. The -d option can be specified multiple times.
-D Imports destroyed pool. The -f option is also required.
-f Forces import, even if the pool appears to be potentially active.
-o opts Comma-separated list of mount options to use when mounting datasets within the pool. See zfs(8) for a description of dataset properties and mount options.
-R root Imports pool(s) with an alternate root. See the "Alternate Root Pools" section.
Gettys' principles (2014-07-25 10:18:08)
rmb @ 2014-07-25 10:18:08 from 89.236.3.144
http://www.version2.dk/blog/gettys-principper-67713
  1. Do not add new functionality unless an implementor cannot complete a real application without it.
  2. It is as important to decide what a system is not as to decide what it is. Do not serve all the world's needs; rather, make the system extensible so that additional needs can be met in an upwardly compatible fashion.
  3. The only thing worse than generalizing from one example is generalizing from no examples at all.
  4. If a problem is not completely understood, it is probably best to provide no solution at all.
  5. If you can get 90 percent of the desired effect for 10 percent of the work, use the simpler solution.
  6. Isolate complexity as much as possible.
  7. Provide mechanism, rather than policy. In particular, place user interface policy in the client's hands.
My favourite ideas (2014-04-14 10:16:05)
rmb @ 2014-04-14 10:16:05 from 89.236.59.15
LFTR lifter - Liquid Fluoride Thorium Reactor - melted salt nuclear reactor

IC4 - convert them into battery trains - a potential way to avoid electrifying the whole Danish rail network.
marvin-ng (2014-02-19 16:48:21)
rmb @ 2014-02-19 16:48:21 from 89.236.59.15
Bundle the two 2TB disks into one vdev:
mdadm --create /dev/md0 --level=linear --raid-devices=2 \
  /dev/disk/by-id/ata-VBOX_HARDDISK_VBa8947a8b-b45f1901 \
  /dev/disk/by-id/ata-VBOX_HARDDISK_VBc75137d2-53511964

Then using parted, create a partition table on the new /dev/md0 device
parted ...
mklabel gpt

The /dev/md0 device can then be added as any other vdev to a zpool (even in RAIDz) using zpool create.
If you do not create a partition yourself, ZFS will create two partitions for you - part1 and part9. It will complain if you try to add a disk without a partition table.
ZFS (2014-02-14 18:13:26)
rmb @ 2014-02-14 18:13:26 from 89.236.59.15
To achieve good performance with your pool there are some easy best practices you should follow. Additionally, it should be made clear that the ZFS on Linux implementation has not yet been optimized for performance. As the project matures we can expect performance to improve.
  • Evenly balance your disk across controllers: Often the limiting factor for performance is not the disk but the controller. By balancing your disks evenly across controllers you can often improve throughput.
  • Create your pool using whole disks: When running zpool create use whole disk names. This will allow ZFS to automatically partition the disk to ensure correct alignment. It will also improve interoperability with other ZFS implementations which honor the wholedisk property.
  • Have enough memory: A minimum of 2GB of memory is recommended for ZFS. Additional memory is strongly recommended when the compression and deduplication features are enabled.
  • Improve performance by setting ashift=12: You may be able to improve performance for some workloads by setting ashift=12. This tuning can only be set when the pool is first created and it will result in a decrease of capacity. For additional detail on why you should set this option when using Advanced Format drives see section 1.15 How does ZFS on Linux handle Advanced Format disks?
Auto-detect pump (2014-01-05 10:32:05)
rmb @ 2013-12-25 12:17:15 from 192.168.1.19
How cool it would be if the PSS was capable of auto-detecting what protocols were on each port?
Rule is if I already know what to expect on a port, try that first. Then proceed to try and auto-detect the protocol by trying to send various get-status messages. This would effectively get rid of the stupid P2P web page. Also, get rid of the utterly misplaced IO message spacing - it has no purpose being where it is!
rmb @ 2013-12-28 12:14:08 from 89.236.59.15
Get rid of the netport web server and the iniche TCP/IP stack - it s... and has problems.
rmb @ 2013-12-31 10:32:51 from 89.236.59.15
Start using a scripting language in the PSS - eg. Lua would give us Xavante web-server, which again could allow us to get rid of the p... Netport server and its s... choices belonging in deeply embedded systems anno 1990.
This also leads us to use the underlying Linux filesystem instead of the iNiche's internal filesystem. I already investigated if pipes could solve this easily, but it failed.
rmb @ 2013-12-31 14:24:05 from 89.236.59.15
IPv6 is unsupported - IP stack not built for it
rmb @ 2014-01-01 20:24:50 from 89.236.59.15
Encrypt POS traffic with PKI
rmb @ 2014-01-05 10:32:04 from 89.236.59.15
Always record peep for the last 15 min and if peep, store it on some external media - people discover errors after they happen and are not necessarily able to reproduce.
Cubieboard-2 (2013-12-31 10:36:15)
rmb @ 2013-11-23 14:16:03 from 128.2.142.104
I have tried several times to set a fixed MAC on the Cubieboard-2. I even tried updating /boot/script.bin - that won't work!

I really like the Cubieboard as I find it very unfortunate that the RaspberryPi has network as an USB client - this means that a bad USB device can cause all sorts of network issues (yes, I tried this IRL during RaspBMC install!)

To solve this, update /etc/network
iface eth0 inet dhcp
   hwaddress ether DE:82:0E:E3:95:6E

Then it works with a fixed MAC on the Cubieboard-2. Of course you should not use the DE...6E MAC address - choose one at random - there is a nice generator here http://www.miniwebtool.com/mac-address-generator/
rmb @ 2013-12-31 10:36:15 from 89.236.59.15
bump
Working? (2013-08-14 21:02:51)
rmb @ 2013-08-14 21:02:51 from 89.236.59.15
Now I have fixed this system to work as expected - does it?
rmb @ 2013-08-14 21:03:26 from 89.236.59.15
With threaded posts? ordered by the topic?
rmb @ 2013-08-18 12:26:54 from 89.236.59.15
Now there is support for BBcodes:
bold
italics
Teletype
Underline
And at one point,
preformatted

And code:
function foo(int bar)
  {
    return bar;
  }
...code is over...
rmb @ 2013-11-17 14:37:07 from 192.168.1.19
newline support is still lagging.
Turned out there still is a problem with topic titles
rmb @ 2013-11-17 16:15:01 from 89.236.59.15
Problem is, new posts inherit the topic of their parent, and if a 0 first enters the posts tree, it is propagated downwards and every single post belongs to topic 0.
Found a patch on the net allowing:
  • a
  • b
  • c
rmb @ 2013-11-22 18:52:17 from 128.2.142.104
If the patch can make unordered lists, it can't be far to
  1. First item
  2. Second item
  3. Third item
rmb @ 2013-11-22 19:40:51 from 89.236.59.15
It was quite easy to introduce the tag [ order ] and [ 1 ] for each item. Should I instead work with the tag [ . ]?
Important detail: the * and 1 tags must not be closed - they do that themselves.
rmb @ 2013-11-22 13:25:49 from 87.48.158.178
A new newline mapping - if a blank line exists...
...a forced line break is inserted.
Otherwise, the line will just continue like this.
rmb @ 2013-11-23 09:10:30 from 89.236.59.15
And now change the database user to a least-privilege one.
rmb @ 2013-08-17 14:08:57 from 89.236.59.15
Looking into BBcode support, like:
bold
italic
underlining
http://itil.barnkob.dk/ http://galskab.barnkob.dk/
Teletype
rmb @ 2013-08-17 15:26:32 from 192.168.1.19
I like the http://jbbcode.com php module, so I decided to use that.
rmb @ 2013-08-17 15:52:28 from 192.168.1.19
This also means removing the HTML support...
rmb @ 2013-08-17 16:02:39 from 192.168.1.19
Bad, BAD BBCode