Archive for the ‘Debian’ Category

Please don’t manage permissions of libnss-ldap.conf file with debconf

Friday, February 15th, 2008

During a random security upgrade on Debian :

# ls -l libnss-ldap.conf
-rw-r--r-- 1 root root 9863 2008-02-15 18:40 libnss-ldap.conf
# dpkg -l nscd | grep un
un  nscd           <none>         (no description available)
# aptitude upgrade
Preparing to replace libnss-ldap 251-7.5 (using .../libnss-ldap_251-7.5etch1_i386.deb) ...
Unpacking replacement libnss-ldap ...
Setting up libnss-ldap (251-7.5etch1) ...
# ls -l libnss-ldap.conf
-rw------- 1 root root 9863 2008-02-15 20:55 libnss-ldap.conf

Oops! With this permissions on the libnss-ldap.conf file, some services will be broken. For example, in Postfix/LDAP configuration, Postfix local mail delivery will fail because he can’t find homeDirectory of local user. And Postfix error message isn’t very explicit:

postfix/qmgr[12063]: warning: transport local failure --
see a previous warning/fatal/panic logfile record for the problem description

For more details, see my post on #455907

Timezone for Apache logs

Saturday, September 29th, 2007

Yesterday I installed RT on Apache/mod_perl server with default config in file:

Set($Timezone , 'US/Eastern');

I included PerlRequire in its VirtualHost and I discover today that this directive changes timezone for all Apache log files! Weird behavior… and I confirm that this server is hosted in Marseille (France), not in USA ;-)

JOIN syntax changes in MySQL 5

Saturday, September 15th, 2007

Migrate applications to MySQL 5 could need some rewrite. Here is one example :

mysql5> SELECT * FROM table0, table1 JOIN table2 on table0.colA = table2.colB;
ERROR 1054 (42S22): Unknown column 'table0.colA' in 'on clause'

That’s because JOIN operator has now higher priority. Previously, this request was interpreted like ((table 0, table1) JOIN table2) and now it is (table 0, (table1 JOIN table2)). A fast fix is adding parenthesis:

mysql5> SELECT * FROM (table0, table1) JOIN table2 on table0.colA = table2.colB;

You can find more information in MYSQL bug #13832 and in MySQL manual (See Join Processing Changes in MySQL 5.0.12 section).

pppoeconf in git repository

Monday, September 10th, 2007

git is the SCM developped for the Linux kernel after the famous affair with proprietary Bitkeeper system. There are good tutorials for git (for example, the official one) and a fun video talk with the “Linus touch”. I’m “yet another victim” of the buzz^Wpopularity of git (particularly in the Debian community):

Orange GPRS with Debian

Wednesday, June 27th, 2007

I use Nokia 6630 phone and Orange (french mobile phone provider).
Plug it with USB (you must have /dev/ttyACM0).

apt-get install ppp wvdial

And create these 3 files.

/etc/ppp/peers/gprs file:

lcp-echo-failure 0
lcp-echo-interval 0
connect "/usr/bin/wvdial --chat --config /etc/ppp/peers/gprs-wvdial.conf foo"
disconnect /etc/ppp/peers/gprs-disconnect-chat
115200 # fast enough
crtscts # serial cable, Bluetooth and USB, on some occations with IrDA too
user "user"

/etc/ppp/peers/gprs-wvdial.conf file:

[Dialer foo]
Init1 = ATH
Init2 = ATE1
Init3 = AT+CGDCONT=1,"IP","","",0,0
Dial Command = ATD
Phone = *99#
Username = orange
Password = orange

/etc/ppp/peers/gprs-disconnect-chat file:


exec /usr/sbin/chat -V -s -S
ABORT          "BUSY"
ABORT          "ERROR"
SAY            "nSending break to the modemn"
""             "K"
""             "+++ATH"
SAY            "nPDP context detachedn"

Finally you can:

pppd call gprs

Note that with Orange you can’t use SSH port (port 22) but others classical ports are enabled: 21, 25, 80, 110, 143, 443, 993 and 995.

Update on 2008 : you can now use SSH port!

reverse DNS query for LDAP server with nss_ldap

Saturday, February 3rd, 2007

With nss_ldap Debian unstable host, when I start a lot of softwares (XTerm, bash, top, xmms, etcetera), there is a reverse DNS query for LDAP server. I don’t know why there is this reverse DNS query !!
The problem is when this reverse DNS query fails and you use Avahi daemon : all this softwares start after 2 or 3 seconds. Example, if I start XTerm… I wait 3 seconds… Xterm window appears … I wait 3 seconds… bash prompt appears : WTF.
Workarounds could be :
– Add line for LDAP server in /etc/hosts
– Have reverse DNS entrie in DNS server
– Disable Avavhi daemon use in nsswitch.conf

PPTP VPN Gateway with Debian

Monday, December 18th, 2006

PPTP VPN gateway can avoid various constraints : single connection, delay for switching VPN between two hosts, etc.

Here is an easy solution :

– Install Debian with ppp and pptp-linux packages
RTFM and create /etc/ppp/options.pptp file :

lock noauth nobsdcomp nodeflate

And /etc/ppp/peers/my-tunnel file :

pty "pptp SERVER-IP --nolaunchpppd"
name LOGIN
remotename PPTP
file /etc/ppp/options.pptp
ipparam my-tunnel

where LOGIN is your PPTP login.

Put Microsoft CHAP parameters in /etc/ppp/chap-secrets file :


where PASSWORD is your PPTP password.

Then, PPTP connection is ready.
Add it in interfaces file :

auto mobile
iface mobile inet ppp
provider my-tunnel
up sleep 10 && route add -net 192.168.x.0/24 dev ppp0
up route add -net 192.168.y.0/24 dev ppp0
up /etc/init.d/firewall start

In this example, 192.168.x.0/24 and 192.168.y.0/24 are in VPN network.

And /etc/init.d/firewall file is easy IPTables script :


# just route it !
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_ecn
iptables -t nat -D POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# MTU in tunnel (only for Windows machines... strange)
iptables -D FORWARD -p tcp  --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -p tcp  --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
(update : I use now "--set-mss 294" option after some problems with "--clamp-mss-to-pmtu")
iptables -L --line-numbers
iptables -L -t nat --line-numbers

Then, to enable or disable your PPTP VPN Gateway :

# ifup mobile
# ifdown mobile

‘df’ command VS ‘du’ command

Saturday, October 28th, 2006

On a mail server, I had a strange problem on ext3 partition. When I saw output of ‘df’ command, partition was Use% at 95% (size of 8 Go) but only 2 Go if I use ‘du’ command. And I have only 15.000 files on this partition according “find | wc -l” hack (then no block-size problem). Solution is in Linux ext3 FAQ :

The standard cause for this is some user process keeping a deleted file open. When this happens, the space is not visible via ‘du’, since the file is no longer visible in the directory tree. However, the space is still used by the file until it is deallocated, and that can only happen once the last process which has the file open either closes its file descriptor to the file, or the process exits. You can use the lsof program to try to find which process is keeping an open file. Usually it’s some log file, or some large data base file which gets rotated out, but some older process are still keeping the log file open.

Then I discovered ghost files with :

# lsof | grep “(deleted)”

In my case, an amavis daemon didn’t close an old and big log file.
I closed this process and now ‘df’ command say me Use% at 20%.

Then ‘df’ command win ;-)
End of alert.

TCP window scaling in kernel 2.6.17

Monday, July 17th, 2006

I had a strange problem: TCP freeze after HTTP GET with particular web sites (but no problem for HTTP HEAD for example) when I use machines with 2.6.17 Linux (Debian) kernel. I find why. Use of TCP window scaling changes in 2.6.17 and some broken routers don’t like this. Here is interesting discussion about use of TCP window scaling.

For my problem, fast (and bad) work around is:

echo 0 > /proc/sys/net/ipv4/tcp_default_win_scale

or even:

echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

OTP on Debian system

Saturday, May 20th, 2006

When you are not in your secure hacklab, and you login on your Debian systems (laptop, remote server), it’s not secure to enter your very private password (“please, could you see ceiling” is not a secure way).

Then you could use OTP (One Time Password) way.
On Debian system, do this :

# (apt-get|aptitude) install opie-server

Add in your PAM info. For example, in pam.d/ssh (or pam.d/common-auth for all your pam.d/foo), modify to have :

auth sufficient
auth sufficient
auth required

Your systeam is now ready for OTP.

To use it, log you and :

$ opiepasswd -f -c
(You must choose a secret pass phrase to generate your OTP)

Generate 10 passwords for example :

$ opiekey -n 10 497 ab1234
(Enter your secret pass phrase)

In this example, 497 is your current seq number and ab1234 is your seed. You could known them with opieinfo command (only if /etc/opiekeys is chmod 644).

Print your 10 passwords (with your printer or you hand if you are paranoiac) and you could use them. For example, OTP login :

homer login : jdoe
Password : [enter]
otp-md5 497 ab1234 ext, Response : [enter your OTP number 497][enter]
Welcome !!