During a marathon 12 day stint I upgraded the Raid 5 array to Raid 6. It took almost 12 days to reshape the array. Awful.
Almost immediately thereafter, playback on XBMC became unwatchable, jerking and stuttering. For 2 nights I have been able to watch nothing. Is this coincidence, or is this problem owing to the new Raid setup?
Well, it wasn’t the raid array, proving once again that coincidences actually do happen. I moved a movie to the local hard drive, and played it there – the raid array not involved. And it still has the issue.
After some diagnostics and some reading, I did two things together. I reset the SMC, and I cleaned the air intakes of dust. I should have done them separately, but I didn’t. I powered down, unplugged everything, took off the bottom, blew out the dust with a can of air, plugged it all back in. Having unplugged I have reset the SMC. Some reading suggests that the need to do SMC resets may be a harbinger of impending power supply failure. We will see. For now it works.
It worked for half a day, then began to fail again. In the end, the way I fixed this had to do with Boinc. I’ve always run Boinc, and never have had any problem with competition for resources. But this time, after a lot of attempts at a lot of different things, it turned out that if I stop Boinc the movies play, if I run Boinc they don’t. I changed the parameters on the mac mini so Boinc will only compete if the cpus are idle and have been idle for 3 minutes. Problem solved.
Every time I have to mess with cyrus-imap mailboxes I spend a half hour trying to figure out how to get cyradm to run. While I have by no means figured it all out, I do have one piece of lore worthy of being written down.
My imap server forbids plaintext logins unless they are within a TLS session, so /etc/imapd.conf has the setting allowplaintext: 0
But cyradm uses IMAP authentication (witness all the failed attempts to get cyradm to authenticate putting entries in the /var/log/secure log using pam_unix imap:auth). The problem of course is that cyradm doesn’t have a TLS session, so allowplaintext rejects the plaintext password.
Reset /etc/imapd.conf to allowplaintext:1 temporarily, systemctl restart cyrus-imapd, and then, as root, cyradm tarragon. Make all the mailboxes you want. Then reverse and turn plaintext back off.
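The toggle-and-revert procedure above, as an added shell example that is not part of the original post: it backs up the config, sets allowplaintext to 1, runs the given command, and restores the original file even if the command fails or is interrupted, so plaintext logins are not left enabled by accident. The function names and the RESTART_CMD variable are hypothetical; the config path, service name and cyradm invocation are the ones given in the post.

```sh
#!/bin/sh
# Added example. with_plaintext, get_plaintext, set_plaintext and RESTART_CMD
# are hypothetical names; path, service and cyradm call are from the post.
RESTART_CMD="${RESTART_CMD:-systemctl restart cyrus-imapd}"

# Print the current allowplaintext value from FILE (empty if not set).
get_plaintext() {
    sed -n 's/^[[:space:]]*allowplaintext[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# set_plaintext FILE VALUE: rewrite the setting, or append it if absent.
set_plaintext() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if grep -q '^[[:space:]]*allowplaintext[[:space:]]*:' "$1"; then
        sed "s/^[[:space:]]*allowplaintext[[:space:]]*:.*/allowplaintext: $2/" "$1" > "$tmp"
    else
        { cat "$1"; echo "allowplaintext: $2"; } > "$tmp"
    fi
    # Writing with cat into the existing file keeps its owner and mode.
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# with_plaintext FILE COMMAND [ARGS...]
# Enable plaintext logins only for the duration of COMMAND.
with_plaintext() {
    conf=$1; shift
    backup=$(mktemp) || return 1
    cat "$conf" > "$backup" || return 1
    # Restore the original config if the session is interrupted.
    trap 'cat "$backup" > "$conf"; rm -f "$backup"; $RESTART_CMD; exit 130' INT TERM HUP
    status=0
    set_plaintext "$conf" 1 && $RESTART_CMD && "$@" || status=$?
    # Always put the original file back and restart, whatever COMMAND returned.
    cat "$backup" > "$conf"; rm -f "$backup"
    $RESTART_CMD
    trap - INT TERM HUP
    return "$status"
}

# Usage, as root:
#   with_plaintext /etc/imapd.conf cyradm tarragon
```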
This blog is running on my wmbuck.net server, tarragon, in the Amazon cloud. This server, in addition to hosting this blog, hosts about 20-25 websites (for friends, most of them very low traffic), including my own. It also operates mail for myself and a few others, and provides some other services.
One of the weaknesses has been that most of the people who use the server aren’t really very unix literate, and they don’t really WANT to be. Perhaps they want a website, or they want to have a good place to manage their mail. But in general, the last thing they want is to learn how to ssh into the server to change their password.
So, for most of them, they just use whatever password I set up for them.
One of my friends, who just began using mail on the server, was surprised that it was not convenient to change his password. That spurred me to address the long standing problem. How to let people manage their password for access to services.
The blog now has a new menu on the left, for access to the backend, and for linking to the reset-password screen. There is also a reset password link on the login page https://wmbuck.net/index/login.
The same password is used for all the wmbuck.net stuff: the password for access to mail, the password to get access to protected websites in apache, and the password for logging in to the wmbuck.net backend website.
On the occasion of moving the server to amazon, I decided to stop using LDAP. I was making very little use of it, having started to keep my contacts elsewhere. All it was really doing was providing the authentication file for apache logins. And there were so few of those it was quite easy to manage with an htpasswd file.
But recently I’ve begun providing mail to some friends, and while I am happy to provide them with system accounts the problem is that they don’t really WANT system accounts – they just want mail. So the husband asked me, how do I change my password? And the only answer I have is, you have to log on. Worse than that of course, I can’t really even allow him to log on without making him set up for public key authentication.
I would like to enable people to use the server for mail, and to be able to authenticate with apache, and I would like them to manage their own passwords for this, without making them log on via ssh, which would require that they have a key pair registered with me. I looked into being able to change the system password via a webpage, but it looks very messy, and seriously – system passwords are supposed to require a human being – that is intentional.
So I looked into authenticating the mail, and apache, using a database. I found a pam module called pam_mysql which I can use with saslauthd. I set /etc/pam.d/imap and smtp to point to a new pam entry called mail, which uses pam_mysql to authenticate against the database (and still also authenticate against system accounts as well if there is no entry in the database).