From lvl at omnitec.net  Thu Oct  1 10:54:00 2015
From: lvl at omnitec.net (L. V. Lammert)
Date: Thu, 1 Oct 2015 09:54:00 -0500 (CDT)
Subject: [GRLUG] BSD Issue
Message-ID: <Pine.BSO.4.53.1510010953460.31864@Mail.omnitec.net>

All right folks, .. need to noodle a little:

Apparently OpenBSD 5.5+ uses an 8-byte time_t for all architectures, which
breaks a LOT of i386 packages.

Has anyone dealt with this and found a workaround?

        Thanks!

        Lee


From lvl at omnitec.net  Tue Oct  6 13:54:08 2015
From: lvl at omnitec.net (L. V. Lammert)
Date: Tue, 6 Oct 2015 12:54:08 -0500 (CDT)
Subject: [GRLUG] SuSE 13.2 group weirdness
Message-ID: <Pine.BSO.4.53.1510061251570.31864@Mail.omnitec.net>

Build a new server (minimal install), and it is exhibiting some strange
group behavior!

A UID is in three groups, .. *but* only the primary group shows at login!
After that, one can 'newgrp' to a different group of which you are Member,
and if you are not a Member of that group, it requires a password.

Has anyone ever seen behavior like this? It's a new one to me!

	TIA!

	Lee

From awilliam at whitemice.org  Tue Oct  6 14:59:38 2015
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Tue, 06 Oct 2015 14:59:38 -0400
Subject: [GRLUG] SuSE 13.2 group weirdness
In-Reply-To: <Pine.BSO.4.53.1510061251570.31864@Mail.omnitec.net>
Message-ID: <20151006145938.Horde.JbeKMw7WvAvLG7SdIeAAs3M@hordep.wmmi.net>

Quoting "L. V. Lammert" <lvl at omnitec.net>:
> Build a new server (minimal install), and it is exhibiting some strange
> group behavior!
> A UID is in three groups, .. *but* only the primary group shows at login!
> After that, one can 'newgrp' to a different group of which you are Member,
> and if you are not a Member of that group, it requires a password.
> Has anyone ever seen behavior like this? It's a new one to me!

Are you using SSSD for ident?

This is sort of a 'new default'.  Group enumeration due to absurdities  
in the NSS functions can be scandalously inefficient;  even more so  
now that many identity systems support nested groups [Ugh!]. Group  
membership may not be enumerated, but it should work for interrogation.

Lots of new code and subsystems work this way.

It is a *feature* you can toggle *off* if you really need getpwent()  
et al to enumerate all groups.  But generally all it will do is make  
things slower.



From greeneg at tolharadys.net  Tue Oct  6 15:12:27 2015
From: greeneg at tolharadys.net (Gary Greene)
Date: Tue, 6 Oct 2015 12:12:27 -0700
Subject: [GRLUG] SuSE 13.2 group weirdness
In-Reply-To: <20151006145938.Horde.JbeKMw7WvAvLG7SdIeAAs3M@hordep.wmmi.net>
References: <20151006145938.Horde.JbeKMw7WvAvLG7SdIeAAs3M@hordep.wmmi.net>
Message-ID: <C3E082DE-E445-4C26-925B-B55E38E067D0@tolharadys.net>

Agreed with Adam on this. As an admin that has worked in a fairly large LDAP shops (both OpenLDAP and AD), I appreciate this change with SSSd. 

--
Gary L. Greene, Jr.
==============================================================================
Volunteer developer of the KDE F/OSS project and Project Lead for AltimatOS
    http://www.kde.org/                 http://www.altimatos.com/
Please refrain from sending me proprietary binary documents (Doc, Xls, Ppt)
  Use a free office suite with standards approved formats like LibreOffice.
    http://www.libreoffice.org/
==============================================================================

> On Oct 6, 2015, at 11:59 AM, Adam Tauno Williams <awilliam at whitemice.org> wrote:
> 
> Quoting "L. V. Lammert" <lvl at omnitec.net>:
>> Build a new server (minimal install), and it is exhibiting some strange
>> group behavior!
>> A UID is in three groups, .. *but* only the primary group shows at login!
>> After that, one can 'newgrp' to a different group of which you are Member,
>> and if you are not a Member of that group, it requires a password.
>> Has anyone ever seen behavior like this? It's a new one to me!
> 
> Are you using SSSD for ident?
> 
> This is sort of a 'new default'.  Group enumeration due to absurdities in the NSS functions can be scandalously inefficient;  even more so now that many identity systems support nested groups [Ugh!]. Group membership may not be enumerated, but it should work for interrogation.
> 
> Lots of new code and subsystems work this way.
> 
> It is a *feature* you can toggle *off* if you really need getpwent() et al to enumerate all groups.  But generally all it will do is make things slower.
> 
> 
> _______________________________________________
> grlug mailing list
> grlug at grlug.org
> http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug


From lvl at omnitec.net  Tue Oct  6 15:28:18 2015
From: lvl at omnitec.net (L. V. Lammert)
Date: Tue, 6 Oct 2015 14:28:18 -0500 (CDT)
Subject: [GRLUG] SuSE 13.2 group weirdness
In-Reply-To: <20151006145938.Horde.JbeKMw7WvAvLG7SdIeAAs3M@hordep.wmmi.net>
References: <20151006145938.Horde.JbeKMw7WvAvLG7SdIeAAs3M@hordep.wmmi.net>
Message-ID: <Pine.BSO.4.53.1510061426510.31864@Mail.omnitec.net>

On Tue, 6 Oct 2015, Adam Tauno Williams wrote:

> Are you using SSSD for ident?
> This is sort of a 'new default'.  Group enumeration due to absurdities
> in the NSS functions can be scandalously inefficient;  even more so  now
> that many identity systems support nested groups [Ugh!]. Group
> membership may not be enumerated, but it should work for interrogation.
>
In this case it did not - had to enumerate the group manually before I
could write to the file.

> Lots of new code and subsystems work this way.
> It is a *feature* you can toggle *off* if you really need getpwent()  et
> al to enumerate all groups.  But generally all it will do is make
> things slower.
>
I can see where it would slow things down for larger environments, the
fuddle factor is two different 13.2 systems act differently - one the
"old" way, one your "new" way.

	TFTR!

	Lee

From lvl at omnitec.net  Tue Oct  6 15:58:46 2015
From: lvl at omnitec.net (L. V. Lammert)
Date: Tue, 6 Oct 2015 14:58:46 -0500 (CDT)
Subject: [GRLUG] SuSE 13.2 group weirdness
In-Reply-To: <20151006145938.Horde.JbeKMw7WvAvLG7SdIeAAs3M@hordep.wmmi.net>
References: <20151006145938.Horde.JbeKMw7WvAvLG7SdIeAAs3M@hordep.wmmi.net>
Message-ID: <Pine.BSO.4.53.1510061458010.31864@Mail.omnitec.net>

On Tue, 6 Oct 2015, Adam Tauno Williams wrote:

> This is sort of a 'new default'.  Group enumeration due to absurdities
> in the NSS functions can be scandalously inefficient;
>

FYI, .. found the solution -nscd caching.

	systemctl restart nscd

fixed the problem.

	Thanks!

	Lee

From awilliam at whitemice.org  Tue Oct  6 16:57:28 2015
From: awilliam at whitemice.org (Adam Tauno Williams)
Date: Tue, 06 Oct 2015 16:57:28 -0400
Subject: [GRLUG] SuSE 13.2 group weirdness
In-Reply-To: <Pine.BSO.4.53.1510061458010.31864@Mail.omnitec.net>
References: <20151006145938.Horde.JbeKMw7WvAvLG7SdIeAAs3M@hordep.wmmi.net>
 <Pine.BSO.4.53.1510061458010.31864@Mail.omnitec.net>
Message-ID: <1444165048.18768.2.camel@whitemice.org>

On Tue, 2015-10-06 at 14:58 -0500, L. V. Lammert wrote:
> On Tue, 6 Oct 2015, Adam Tauno Williams wrote:
> > This is sort of a 'new default'.  Group enumeration due to
> absurdities
> > in the NSS functions can be scandalously inefficient;
> FYI, .. found the solution -nscd caching.
>         systemctl restart nscd
> fixed the problem.

Argh.  nscd is evil. I would add it to your task list to transition to
SSSD.  And with SSSD you can flush the cache, for users or groups, with
the sss_cache command rather than by restarting a service - and you can
actually set meaning cache criteria and expiration.

SSSD finally brings some sanity to ident management on LINUX.

nslcd is also better than nscd if SSSD is too far for you right now. 
 nscd is evil.  Get rid of nscd.

--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA



From lvl at omnitec.net  Mon Oct 12 22:29:23 2015
From: lvl at omnitec.net (L. V. Lammert)
Date: Mon, 12 Oct 2015 21:29:23 -0500 (CDT)
Subject: [GRLUG] SuSE 13.2, Broadcom, & Panera
Message-ID: <Pine.BSO.4.53.1510122126190.31864@Mail.omnitec.net>

Have an interesting problem with my HP netbooks - since the 13.2 upgrade,
it chokes connect to the wifi authenticaiton server at Panera.

Thinking it might be some weird nocatauth sequence problem, I disabled or
closed anything that could be starting a connection, and opened Midori (no
plugins), .. same problem.

Has anyone seen such a problem? Thoughts on isolating?

	TIA!

	Lee

From geer at umich.edu  Thu Oct 15 11:50:02 2015
From: geer at umich.edu (Rob Geer)
Date: Thu, 15 Oct 2015 11:50:02 -0400
Subject: [GRLUG] Sr System Admin
Message-ID: <CANub6JviVcFGy-YeB_DBM72rQ0i35fK5ab63rDJXLvsqQmhV+w@mail.gmail.com>

I'm looking for strong System Admin (potential IT Manager) for a Grand
Rapids Client.  This environment is a combination of Windows and Linux so I
need someone who is solid in both areas.  Please send me an email if you
are interested.

Thanks

*Rob Geer*
*Account Executive*

*RANDSTAD TECHNOLOGIES*
4880 36th St SE, Grand Rapids,MI 49512
Direct Line:  616-419-8913 | Mobile: 616-570-1653
Website:  http://technologies.randstadusa.com/
<http://www.randstadtechnologies.com/>
LinkedIn: www.linkedin.com/in/robgeer

*EXPERTS POWERING TECHNOLOGY*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shinobu.grlug.org/pipermail/grlug/attachments/20151015/9886846a/attachment.html>