I’ve just hit a problem with smart, whenever I tried to upgrade a package on this machine I was presented with the error shown below. I’m not sure why smart is complaining about this, the public key is in my keyring already. Trying to set ‘gpgcheck = 0’ in the channel file and running a smart update didnt help, but running the command shown at the bottom did

Committing transaction...
warning: rpmts_HdrFromFdno: V3 DSA signature: NOKEY, key ID 5277a2fa
Trying to import the key 888366c05277a2fa from subkeys.pgp.net...
gpg: requesting key 5277A2FA from hkp server subkeys.pgp.net
gpg: key 5277A2FA: "Manfred Tremmel " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

The above GPG key has been imported successfully.
It is required to install this package:

        libvorbis-1.1.1-0.pm.0.i686.rpm

Do you want to trust this key forever?

You must verify the below fingerprint before answering.
pub   1024D/5277A2FA 1999-07-26 [expires: ????-??-??]
      Key fingerprint = 5296 01E5 5911 A1DC 93D4  45D5 8883 66C0 5277 A2FA
uid                  Manfred Tremmel
sub   3072g/81D6CA10 1999-07-26

If you answer "Yes" all other packages signed with this key will be installed automatically. (y/N): n

error: libvorbis-1.1.1-0.pm.0.i686.rpm: public key not available
Saving cache...

message1:~ #

To fix this problem turn off signature checking, this should only be considered a temporary fix however

smart config --set rpm-check-signatures=false

Just found this in the last of the pics from our week in Devon and the IOW. Its the Plymouth Sound lighthouse.

Just found this old picture of a bit of a building used in the film Lock Stock and 2 Smoking Barrels.

I’ve just been setting up a Solaris 10 machine to authenticate from a OpenLdap directory, this is the command I used to make it work, note that the IP on the end is the IP of the directory server

% ldapclient manual -v \
  -a defaultsearchbase=dc=riviera,dc=org.uk \
  -a domainname=riviera.org.uk \
  192.168.254.100

The output produced is shown below

Parsing defaultsearchbase=dc=riviera,dc=org.uk
Parsing domainname=riviera.org.uk
Arguments parsed:
        defaultSearchBase: dc=riviera,dc=org.uk
        domainName: riviera.org.uk
        defaultServerList: 192.168.254.100
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "riviera.org.uk"
file_backup: stat(/var/yp/binding/riviera.org.uk)=-1
file_backup: No /var/yp/binding/riviera.org.uk directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname riviera.org.uk... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
System successfully configured
#

Then test that this is indeed working:

% grep rk295 /etc/passwd
% getent passwd | grep rk295
rk295:x:512:512::/home/rk295:/bin/bash
%

I found that after this had finished, hostname resolution no longer worked. Looking inside /etc/nsswitch.conf I found that the hosts entry had been changed to:

hosts:               ldap [NOTFOUND=return] files

I do not use LDAP for hostname resolution so I had to change this back to:

hosts:               files dns

And similarly the networks line was the same so I had to change that to use files dns as well.

At this point you can query LDAP using getent but you still need to configure PAM to use it for authentication etc. To do this you need to make some changes to /etc/pam.conf. Principally these changes involved telling it should fall back to LDAP if it doesnt match your credentials against the local files. My edited pam.conf is shown below, the lines which I have edited or added are shown in red.

#
#ident	"@(#)pam.conf	1.28	04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_cred.so.1
<font color="red">
login	auth sufficient		pam_unix_auth.so.1
</font>
login	auth required		pam_dial_auth.so.1
<font color="red">
login	auth required 		pam_ldap.so.1
</font>
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_cred.so.1
<font color="red">
rlogin	auth sufficient		pam_unix_auth.so.1
rlogin	auth required 		pam_ldap.so.1
</font>
#
# Kerberized rlogin service
#
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth binding		pam_krb5.so.1
krlogin	auth required		pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh	auth required		pam_unix_cred.so.1
krsh	auth binding		pam_krb5.so.1
krsh	auth required		pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth binding		pam_krb5.so.1
ktelnet	auth required		pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_cred.so.1
<font color="red">
ppp	auth sufficient		pam_unix_auth.so.1
</font>
ppp	auth required		pam_dial_auth.so.1
<font color="red">
ppp	auth required 		pam_ldap.so.1
</font>
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_cred.so.1
<font color="red">
other	auth sufficient		pam_unix_auth.so.1
other	auth required		pam_ldap.so.1
</font>
#
# passwd command (explicit because of a different authentication module)
#
<font color="red">
passwd	auth sufficient		pam_passwd_auth.so.1
passwd	auth required 		pam_ldap.so.1
</font>
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
<font color="red">
other	account sufficient 	pam_ldap.so.1
</font>
other	account requisite	pam_roles.so.1
other	account required	pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

Now you should be able to su to a user whose credentials are stored only in ldap.

Saw these colourful boats with their crews getting ready to race down in Charlestown Cornwall.

A mate had a Mamiya RZ and a Leaf digital back on loan for a day to do some ad photography, I pinched it for 10 mins to have a play. Very nice things! You really need to see the large to appreciate just how detailed the images it creates are.

this box with neon!

Longexposure on a boat is hard, the damn thing vibrates too much!

One of the older Fastcats about to dock at Ryde Pier head, just as the sun dips below the horizon.

This is the first time I’ve been to Appuldurcombe, fantastic place. I’d like to go back again sometime and take some more photos.