I’ve recently had to set up a new machine, but didn’t have an install
cdrom available, so I decided to use the easiest method for installing
Ubuntu; PXE booting. Here’s how I did it. PXE involves setting up two
simple technologies, DHCP and TFTP. We start by setting up TFTP.

TFTP is Trivial
File Transfer Protocol
, a cut down version of FTP. There are a
number of TFTP servers in Debian and Ubuntu, but not all of them support
the extensions that the pxelinux bootloader used by debian-installer
need. Experience has shown that tftpd-hpa works correctly, so we’ll want
to install that.

ace root% apt-get install tftpd-hpa

Note: If this installs an inetd at the same time, you may need to
restart the inetd so it enables the tftpd service.

The tftpd will serve files out of /var/lib/tftpboot, so we
need to add some files for it to serve. You can use this script to fetch
various netboot installers from Ubuntu’s servers.


set -u
set -e

cd /var/lib/tftpboot

for dist in dapper feisty gutsy hardy intrepid; do
    mkdir -p $dist
    for arch in amd64 i386; do
        mkdir -p $dist/$arch/
        (cd $dist/$arch/ && ncftpget -RT 

Download ubuntu-tftp-update.sh

Now we need to alter our dhcpd configuration. (You are using DHCP
aren’t you?) All we need to add is a group declaration to your subnet
declaration, adding a next-server and a filename
parameter. You can then add a host declaration for any machine you want
to netboot into the installer.

group { # intrepid amd64
     filename "intrepid/amd64/pxelinux.0";
     host foobar { hardware ethernet 00:22:15:45:cc:fa; fixed-address foobar.example.com; }

You’ll need to restart the dhcp server so it picks up the new
setting. The next-server parameter is the name or IP address of your
tftp server. filename is the path to the bootloader. Obviously,
you can use this to pick which version of the installer you want to
run. If you do a lot of installations, it might be worth configuring
every installer you’re likely to use and then move hosts in and out of
the suitable group as and when you need to install them.

All that’s left to do now is to boot the computer and set it to boot
from the network and enjoy medialess installation.

If you get the following error:

/etc/ldap/slapd.conf: line 127: substr index of attribute "sambaSID" disallowed

when you run slapindex, then you haven’t updated your
samba.schema to the version from Samba 3.0.23. Dapper and Edgy
had 3.0.22, so if you’ve recently upgraded to Hardy, you will see this
problem. The file should have an MD5 of
0e23b3ad05cd2b38a302fe61c921f300. I’m hoping this resolves
problems I have with samba not picking up group membership changes. I’ll
update if it does.

Update: Having installed the new schema and run slapindex, net rpc info shows I have twelve groups when previously it showed zero. This may not solve my group membership problems, but it can’t be a step backwards.

Spamassassin 3.2, which is available in Gutsy and Lenny, comes with a new feature to increase performance by
compiling its regular expressions using re2c. It’s very quick to enable.
First, you need to install the required packages:

apt-get install re2c libc6-dev gcc make

Next, edit /etc/spamassassin/v320.pre and uncomment the line
that says:

loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody

Next pre-compile the regular expressions using sa-compile:

femme:/etc/logcheck# sa-compile
[18741] info: generic: base extraction starting. this can take a while...
[18741] info: generic: extracting from rules of type body_0
100% [===========================] 3293.83 rules/sec 00m00s DONE
100% [===========================] 650.12 bases/sec 00m01s DONE
[18741] info: body_0: 647 base strings extracted in 2 seconds
[snip compiler output]
make install
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /var/lib/spamassassin/compiled/3.002004/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
Installing /tmp/.spamassassin18741hDrlUQtmp/ignored/man/man3/Mail::SpamAssassin::CompiledRegexps::body_0.3pm
Writing /var/lib/spamassassin/compiled/3.002004/auto/Mail/SpamAssassin/CompiledRegexps/body_0/.packlist
Appending installation info to /var/lib/spamassassin/compiled/3.002004/perllocal.pod
cp /tmp/.spamassassin18741hDrlUQtmp/bases_body_0.pl /var/lib/spamassassin/compiled/3.002004/bases_body_0.pl
cd /
rm -rf /tmp/.spamassassin18741hDrlUQtmp

Finally, restart spamassassin, and you should find it runs faster.
You will need to run sa-compile every time you update your rules, or
they won’t take effect.

If you get the following warning:

Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC

you forgot to run sa-compile; re-run it and the error should go

Apache 2.2 changed the way you configure LDAP authentication.
mod_auth_ldap was replaced with mod_authnz_ldap, so don’t forget to
enable the new module and disable the old one. Because I’ll always
forget, here’s the new style config.

AuthType basic
AuthName "admin"
AuthBasicProvider ldap
AuthLDAPUrl ldap://ldap.example.com:389/ou=people,dc=example,dc=com?uid?sub
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=systems,ou=groups,dc=example,dc=com
AuthLDAPGroupAttribute memberUid

The sections in bold are the sections I had to change from the 2.0

Unfortunately I live in the UK, where 6 months of the year, the time
is GMT. Now is the time of year when I discover which of my servers don’t
have the right timezone configuration and show the wrong time during
daylight saving. For future reference, here’s how
to set the timezone to Europe/London rather than UTC.

root@cms01:/tmp/openssl-0.9.8g# date
Mon Mar 31 08:23:35 GMT 2008
root@cms01:/tmp/openssl-0.9.8g# tzconfig
Your current time zone is set to GMT
Do you want to change that? [n]: y

Please enter the number of the geographic area in which you live:

   1) Africa         7) Australia

   2) America        8) Europe

   3) US time zones     9) Indian Ocean

   4) Canada time zones    10) Pacific Ocean

   5) Asia           11) Use System V style time zones

   6) Atlantic Ocean    12) None of the above

Then you will be shown a list of cities which represent the time zone
in which they are located. You should choose a city in your time zone.

Number: 8

Amsterdam Andorra Athens Belfast Belgrade Berlin Bratislava Brussels
Bucharest Budapest Chisinau Copenhagen Dublin Gibraltar Guernsey Helsinki
Isle_of_Man Istanbul Jersey Kaliningrad Kiev Lisbon Ljubljana London
Luxembourg Madrid Malta Mariehamn Minsk Monaco Moscow Nicosia Oslo Paris
Podgorica Prague Riga Rome Samara San_Marino Sarajevo Simferopol Skopje
Sofia Stockholm Tallinn Tirane Tiraspol Uzhgorod Vaduz Vatican Vienna
Vilnius Volgograd Warsaw Zagreb Zaporozhye Zurich

Please enter the name of one of these cities or zones
You just need to type enough letters to resolve ambiguities
Press Enter to view all of them again
Name: [] London
Your default time zone is set to 'Europe/London'.
Local time is now:      Mon Mar 31 09:23:48 BST 2008.
Universal Time is now:  Mon Mar 31 08:23:48 UTC 2008.

More information is available in the Debian
System Administrator Manual

Recently, we rolled out a Shibboleth Single Sign On
service to protect one of our services. However, we started recieving
intermittant login failures, both on our automated monitoring and from
customers. Curiously these failures tended to happen mostly in the
evening, which isn’t a peak time for us. Debugging showed that the
authentication worked, but the authorisaton was failing. Shibboleth
works as an apache module and daemom that protects a service, which
communicates with a webservice that does the authenication processing.
The log files were showing an occasional SSL error in this communcation

INFO shibtarget.SessionCache [43005] sessionGet: trying to get new attributes
      for session (ID=_d0cd2f93840bb92050b28fa73d19ce4f)
INFO SAML.SAMLSOAPHTTPBinding [43005] sessionGet: sending SOAP message to
ERROR SAML.SAMLSOAPHTTPBinding [43005] sessionGet: failed while contacting
      SAML responder: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad
ERROR shibtarget.SessionCache [43005] sessionGet: caught SAML exception
      during SAML attribute query: SOAPHTTPBindingProvider::send() failed
      while contacting SAML responder: error:1408F06B:SSL
      routines:SSL3_GET_RECORD:bad decompression
ERROR shibtarget.SessionCache [43005] sessionGet: no response obtained

We didn’t manage to find any suitable solutions on the internet, so
we pulled out the trusty wireshark and started looking to see what was
going on. We could see that the client was advertising deflate and null
compression, and that the server was responding by asking for deflate
compression. However the client would then claim that there was a
decompression error in the servers response. This opened a few lines of
enquiry. I made sure that both ends of the connection were running the
same version of OpenSSL and they were both using 0.9.8a from Ubuntu
Dapper. Interestingly 0.9.8a is the first version that had compression
support. We found a couple of suggestions including forcing connections
to be SSL2, which lacked compression or recompiling openssl without zlib
support. As the former was easier, we tried that first by putting


in /etc/apache2/mods-enabled/ssl.conf as suggested by Debian
bug #338008
, and this seemed to work for around an hour. Packet
sniffing showed that it was still negotiating SSL3 including deflate
compression. Clearly we had to try something else.

Rather than recompile OpenSSL without zlib support, I thought I’d try
upgrading the version of OpenSSL to something later in case that fixed
the decompression bug. the version in Hardy is 0.9.8g, which sadly
required recompiling and disabling the Ubuntu change to enable
-Bsymbolic-functions during linking. Installing this on the
client end didn’t fix the problem, however installing it on the server
end seemed to fix it. So far it’s been running for 24 hours without an
error, so fingers crossed that this has fixed it for good.

#tag Debian,Java,gotchas,debconf

Installing the Sun Java packages on Debian or Ubuntu require to you
accept Sun’s license before you can install them. This means that it’s
not easy to install non-interactively, for example when using
pbuilder. Fortunately the license uses
debconf to check to see if you have already accepted the license. This
means you can use debconf to accept the license before you install the
packages. Create a file containing the following lines:

sun-java5-jdk shared/accepted-sun-dlj-v1-1 select true
sun-java5-jre shared/accepted-sun-dlj-v1-1 select true
sun-java6-jdk shared/accepted-sun-dlj-v1-1 select true
sun-java6-jre shared/accepted-sun-dlj-v1-1 select true

Then run /usr/bin/debconf-set-selections <file> and
when you install the java packages, you should find it doesn’t prompt
for the license any more.

By default, warnquota sends out emails with the device name in the
message, which probably doesn’t make much sense to most non-technical


We noticed that you are in violation with the quotasystem
used on this system. We have found the following violations:


                        Block limits               File limits
Filesystem           used    soft    hard  grace    used  soft  hard  grace
               +- 1044404 1000000 1200000  6days    1781     0     0

You can improve this by using /etc/quotatab to assign a more
meaningful name to the partition:

/dev/mapper/Ubuntu-home:user directory
/dev/mapper/Ubuntu-shared:shared area

I’ve been running Hardy on my workstation for a while and had
recently noticed that I was failing to type a space after “I”. I was
doing it far too much for it to just be me failing to press the space
bar properly, and it wasn’t happening after any other letter. After a
little bit of experiementing, I discovered that something was eating
shift-space. What was happening was that I was failing to release the
shift key quick enough after typing “I” and before I hit the space bar,
so it wasn’t getting passed on.

Turns out that the problem was a recent update of Hardy installed
SCIM, which uses
shift-space as a keyboard shortcut. To turn it off, load the SCIM Setup
program and go to the FrontEnd Global Setup screen and remove
“Shift+Space” from the Trigger hotkey.

Caused confusion for a few minutes. 🙂

dpkg has a very useful feature where if you delete a conffile (pretty
much everything under /etc and a few other files) it isn’t
replaced when you upgrade the package[0]. This behaviour was
confusing me for a while until I realised what was happening. I was
attempting to reinstall a package to get the default configuration
files back that had been accidentally deleted, but no matter what I
tried, the files didn’t exist after running dpkg. Once I
figured out that dpkg had this behaviour the solution was
simple; use the --force-confmiss command line argument.

root@quux:~# dpkg --force-confmiss -i /tmp/foo_2.0.0-build.14_all.deb
(Reading database ... 33418 files and directories currently installed.)
Preparing to replace foo 2.0.0-build.14 (using .../foo_2.0.0-build.14_all.deb) ...
Unpacking replacement foo ...
Setting up foo (2.0.0-build.14) ...

Configuration file `/etc/foo/foo.xml', does not exist on system.
Installing new config file as you request.
[0] If the file didn’t exist in
the previously installed version, it is installed, so you get new
configuration files.