#ubuntu-directory 2006-10-30
<wasabi> howdy abartlet.
<robertj> it would be sweet if you could set up an area of the wiki that was read-only to non-project members
<robertj> unfortunately any kind of brain-storming on the wiki turns...less than productive (see any page containing Community in the title)
<ajmitch> yes, it does quickly turn into a bit of a mess
<robertj> ajmitch: mmm, if only RecentChanges could be filtered by karma ;)
<ajmitch> hah
<ajmitch> you've seen the insane amounts of karma given for support requests?
<robertj> ajmitch: true, but if its not used for anything I doubt anyone will bother to adjust the weighting
<ajmitch> it's meant to be used for important things, like business partnerships with canonical
<ajmitch> which is why having broken karma weightings is worrying
<Fujitsu> They (LP people) said it should settle down after a couple of weeks, but it's been several.
<ajmitch> months
<Fujitsu> True.
<robertj> ajmitch: well I see it is a chicken <> egg thing, where nothing important will use it unless its fixed
<Fujitsu> robertj: The fix is quite simple. Disable support karma!
<Fujitsu> Or divide it by 1000000 or something.
<robertj> Fujitsu: I think its valid, it just needs to be devalued substantially
<Fujitsu> And the lack of Soyuz karma is a little strange.
<robertj> now that I've started using an RSS reader instead of visiting planets all day, I realize how pointless most of the garbage is
<robertj> I'm _really_ hoping GOOG will implement some Advogato-style magic
<Fujitsu> What garbage where?
<robertj> Fujitsu: well 99.99% of everything everywhere is crap
<robertj> doubly-so for things that find their way to RSS :)
<Fujitsu> Probably.
<ajmitch> Fujitsu: and eventually, bzr karma..
<ajmitch> which would be horribly difficult to quantify
<Fujitsu> It would, yes.
<ajmitch> since I'm the sort of person who would commit every 5-10 minutes while working on something, while others commit daily
<robertj> ajmitch: I think that's horribly bound to fail
<ajmitch> I like to keep commits nice & small & independent changes
<Fujitsu> I'm the former sort...
<Fujitsu> Hm.
<ajmitch> robertj: sure, doesn't mean they won't do it :)
<Fujitsu> Somebody decided that nss-updatedb was the package for /usr/bin/updatedb
<Fujitsu> Great.
<robertj> ajmitch: network-flow based algorithms are the only viable choice I see for karma
<ajmitch> yes, I reassigned that to slocate
<ajmitch> robertj: it's closed source, we can't do anything about it but complain
<Fujitsu> Good, though I didn't see an email about it.
* Fujitsu restrains self from ranting about LP's closedness.
<abartlet> :-)
<robertj> Isn't LP supposed to be OSS eventually?
<Fujitsu> It is seriously bad!
<Fujitsu> robertj: That last word is the keyword.
<Fujitsu> robertj: It's been going to be OSS soon for over 2 years now.
<ajmitch> robertj: 'eventually' could be 5-10 years
<Fujitsu> What ajmitch said.
<Fujitsu> By which time countless volunteer hours will have been lost because of the patheticness of the UI, and the lack of useful features.
<Fujitsu> 'cause Malone's search rocks.
<robertj> is anyone going to be bringing this up at MVS?
<Fujitsu> And finding the way to file a bug on a package in Ubuntu is soooo easy from the LP homepage. That gets a lot of new people.
<Fujitsu> robertj: Little point, Mark will probably just step on anybody that does.
<ajmitch> robertj: we could bring it up all we want, but what good will it do?
<ajmitch> it's a known problem
<robertj> ajmitch: what is he waiting on?
<ajmitch> sure, we could hack around it by implementing our own free software launchpad
<ajmitch> robertj: for when he feels like it
<lophyte> hey guy
<ajmitch> it's all one large interwoven zope3 app, so it's hard to even free various components without splitting them out
<Fujitsu> ajmitch: That's not toooooooo impractical (emphasis on the tooooo).
<lophyte> s
<Fujitsu> Hey lophyte.
<Fujitsu> (the writing a FOSS LP)
<Fujitsu> ajmitch: Or so they say. That could just be an excuse)
<robertj> what's in there they wouldn't want to be FOSS?
<Fujitsu> robertj: Soyuz.
<ajmitch> Fujitsu: apparently it requires people to step up & help out
<ajmitch> and malone
<Fujitsu> ajmitch: Oh, and sign NDAs. Great.
<ajmitch> and various other parts which give them a competitive advantage
<ajmitch> Fujitsu: of course
<Fujitsu> If they were really innocent, they wouldn't have interwoven anything in the first place.
<ajmitch> no
<ajmitch> it's just easier to make a system that is well integrated
<ajmitch> apparently he'd be happy with freeing rosetta & the product registry to start with
<Fujitsu> It is easier, but it also gives the advantage of an excuse for not opening it.
<Fujitsu> Of course, if he freed those two, there's no reason Malone and Soyuz couldn't be reimplemented by the FOSS community in a reasonable length of time.
<Fujitsu> I've got it!
<ajmitch> https://launchpad.net/faq
<Fujitsu> He'll release them under the CDDL or whatever it's called!
<ajmitch> "Launchpad is a large, monolithic, web application. We would be happy to release the code for the Registry, for example, which keeps track of all upstream products and their series and releases; however, that code will not run without the distribution management code, which is part of the service that Canonical provides to other companies that make their own distributions."
<Fujitsu> Yes, I've read that many, many times.
<Fujitsu> Soyuz is the big thing.
<ajmitch> for the distro point of view, yes
<Fujitsu> But does he really think other commercial distros are going to use LP?
<ajmitch> yes
* ajmitch wonders if he should reject this f-spot bug
<Fujitsu> O_o
<Fujitsu> That's incredible.
<Fujitsu> What is it, ajmitch?
<robertj> "however, that code will not run without the distribution management code, which is part of the service that Canonical provides to other companies that make their own distributions." <- what companies are those?
<Fujitsu> robertj: None at this time.
<ajmitch> Fujitsu: plugging in the camera starts the gthumb importer, not f-spot
<ajmitch> which was a decision we made (or we kept the status quo)
<Fujitsu> That's g-v-m, innit?
<ajmitch> yes
<ajmitch> it's a gconf setting
<lophyte> alright.. back to setting this stuff up
<robertj> Fujitsu: is HP still shipping laptops with Ubuntu?
<lophyte> I'm using heimdal now
<Fujitsu> robertj: I don't know.
<lophyte> HP is shipping laptops with ubuntu?
<robertj> ajmitch: btw, I was elated to see I can right click & eject in Nautilus' side-bar now :)
<ajmitch> heh
<Fujitsu> robertj: Really?
<Fujitsu> I didn't notice that...
<robertj> lophyte: they were ages ago...like...pre-breezy maybe?
<Fujitsu> That's annoyed a lot of people.
<ajmitch> I didn't notice it because I'm used to it by now
<Fujitsu> (I probably didn't notice 'cause I don't use Nautilus)
<lophyte> sweet, maybe I'll look into getting an HP instead of a Dell.
<lophyte> Dell wouldn't sell me an OSless laptop for lower than retail price
<lophyte> so much for "Dell makes a computer for you"
<robertj> doh, no right-click empty trash
<robertj> lophyte: Dell makes money off the software they sell you
<Fujitsu> lophyte: I know, that infuriated me when I got my laptop in January.
<robertj> lophyte: all those "free trials..." they get a cut I'm sure
<lophyte> I called them up and asked if I could get a laptop without Windows for cheaper..
<lophyte> I said I didn't wanna pay for the license
<lophyte> they were like "sorry we can't do that"
<robertj> lophyte: they are still cheaper $ for $
<lophyte> than what?
<robertj> if you shop the sales they are cheaper than almost everyone (even emachines)
<robertj> todays deal...Dell EPP E1505 Core 2 Duo 2.00GHz, 15.4" WXGA, 2GB, 80GB, DVDRW, $845
<robertj> that's....cheap
<lophyte> I was gonna get their cheapest one
<lophyte> it was like $615 or something
<robertj> lophyte: I bought a 1405 for $607 a few months back
<lophyte> I think it was the Dimension 1100
<robertj> What!
<robertj> 1100 at $600ish?
<robertj> are you in the US?
<lophyte> I believe so... but I may be mistaken
<lophyte> one sec
<nkassi> Do you have a link to the Dell EPP E1505 ?
<lophyte> oh,sorry
<lophyte> I got the names mixed up, haha
<robertj> EPP is more expensive than sales
<lophyte> moron ;_;
<lophyte> Dell Inspiron 1300
<nkassi> That is exactly what I was going to get from HP but for 1500$ with taxes
<nkassi> oh thanks
<nkassi> Going to shop now ;0)
<robertj> Dimension 1100 is like the cheapest desktop
<lophyte> right, Dimension is desktops..
<lophyte> Inspiron is laptops
<robertj> Latitude is also laptops
<robertj> for home users the distinction between lines is minimal
<robertj> http://www.fatwallet.com/t/18/666189/
<lophyte> ugh.. I'm going to run cat5 one of these days
<robertj> you pay more on one line for a guarantee that you can get 3 years of replacement parts & that parts will interchange within all models in the given series
<robertj> so take the machine you like best without regard to the series
<lophyte> actually I think it was the Inspiron 1100
<lophyte> for $639
<robertj> lophyte: I've bought a $1505 too, they are nice
<robertj> err e1505
<nkassi> Bah, the HP 6000t still seems the best deal.
<nkassi> For those looking for a nice laptop.
<robertj> btw, I'm showing the 1300 at $569
<robertj> M 1.7ghz/1gig
<robertj> but if you can scrape it together the extra cash is way worth it for double the ram, much better proc & screen, and the burner
<lophyte> man..
<lophyte> setting up ldap/kerb is such a long process
<robertj> lophyte: isn't that why we are here ;)
<lophyte> indeed
<nkassi> hehe
<lophyte> i've never done it before
<lophyte> I'm using heimdal+openldap
<ajmitch> but it's so fun!
<lophyte> http://www.openinput.com/auth-howto/
<lophyte> using that howto ^
* ajmitch has only done it a couple of times - it didn't turn out to be too hard, but I did do a bit of reading
<ajmitch> well, maybe more than a couple
<robertj> ajmitch: you going to MVS right?
<ajmitch> yes
<robertj> can you _please_ pimp avahi advertisements of services like...maybe slapd?
<ajmitch> hehe
<lophyte> what /is/ avahi, btw?
<lophyte> I haven't read up on it yet
<robertj> lophyte: it is bliss
<ajmitch> you know you can just drop files into /etc/avahi/services ?
<nkassi> lophyte: http://www.linuxjournal.com/article/8374
<ajmitch> well, drop service descriptions in there
<nkassi> if you follow all parts you should have a pretty nice setup ;-)
<lophyte> nkassi: ty.. maybe that'll be better than this howto I'm following
<lophyte> robertj: wanna elaborate on that? :P
<robertj> lophyte: heard of bonjour/rendezvous?
<lophyte> isn't rendezvous like a LAN-based IM system?
<nkassi> lophyte: there are 4 parts by the way. They should turn up if you search on the LJ site.
<lophyte> nkassi: excellent.. thanks
<ajmitch> lophyte: multicast DNS service discovery
<lophyte> ah, sweet.
<abartlet> lophyte: that looks like a good howto!
<robertj> ajmitch: can you think of any reason a daemon shouldn't have an avahi service definition?
<abartlet> for once...
<lophyte> abartlet: which one? the one I pasted?
<abartlet> yeah
<abartlet> looks like a very high degree of clue
<ajmitch> robertj: because people may not like it :)
<ajmitch> hey abartlet
<abartlet> the only thing it needs is info on hooking Samba in, which you can do with heimdal
<ajmitch> abartlet: what's the status of shared libraries with samba4?
<abartlet> if that howto was the basis of this ubuntu directory project, I would at least be happy it would start with a good basis, of existing software
<ajmitch> jelmer said there were some issues..
<abartlet> ajmitch: shared libraries are hard :-)
<ajmitch> of course
<abartlet> but I think jelmer has them working for the moment
<ajmitch> oh great
<ajmitch> I'll have to chase him up :)
<abartlet> harder still is keeping APIs solid...
<ajmitch> yeah
<ajmitch> I really want to look at this new code for interfacing with AD that I've heard of
<abartlet> which bit?
<ajmitch> joining domains, password changes, notifications, etc
<ajmitch> all I've heard so far has been an article or two online & a novell podcast
<abartlet> perhaps move this over to #samba-technical?
<ajmitch> sure
<robertj> where does the list of services in System->Administration->Services come from?
<ajmitch> robertj: probably /etc/init.d & related rcX.d directories
<ajmitch> if it's the app I'm thinking of
<robertj> ok, more difficult question, is there a way to list all packages that place files in /etc/init.d
<robertj> going though those & weeding out the non-local services would probably be the most comprehensive list of files needing avahi service definitions :)
<ajmitch> robertj: it'd be hard - maybe by apt-file
<robertj> ajmitch: neuralis nailed it on -devel
<ajmitch> I should read that..
<robertj> #-devel that is
<robertj> <neuralis> robertj: apt-get install apt-file; apt-file update; apt-file search init.d
<ajmitch> right
<nkassi> Hey, what are the chances that samba 4.0 will be a part of the Ubuntu Directory on the server side ?
<Burgundavia> nkassi: given the server is currently not speced, I would say likely
<nkassi> cool. thanks.
<Burgundavia> however, samba4 is not out yet
<ajmitch> and we've just been talking with some samba people
<ajmitch> it'll be awhile, certainly not likely for feisty
<nkassi> hehe, I pretty much guest that. From what I see the Server side will also be for feisty+1 right ?
<nkassi> guessed that ;)_
<Burgundavia> unless somebody comes along
<ajmitch> there'll be development work done in parallel for client & server, but it's most likely to be feisty+1 target
<nkassi> I would love to help but this stuff is way over my head right now ;0)
<ajmitch> Burgundavia: so most of the AD integration stuff that SLED10 has is in samba3
<ajmitch> which is useful
<Burgundavia> ah, interesting
<ajmitch> yeah
<Burgundavia> ajmitch: sanity check: our network auth connection stuff, which you are writing
<ajmitch> makes sense that they wouldn't be using samba4 code yet
<Burgundavia> is there a way to get that to be cross-distro?
<ajmitch> sorry?
<ajmitch> cross-distro on which way?
<Burgundavia> reduce our support burden by having suse and rh join in and use it
<ajmitch> the code I have is reasonably specific because of the package integration & the ways that distros differ with pam & other config files
<Burgundavia> ah, yes
<ajmitch> sure, the core is all there, and it's fully extensible by modules
<Burgundavia> those pam differences is total crack
<Burgundavia> there is no sane reason for each distro to have its own version
<ajmitch> but the current modules have some debian/ubuntu-specific stuff like reading/writing debconf values
<Burgundavia> ah
<ajmitch> it's not hard to factor that out
<Burgundavia> osdl needs to have a network-auth summit
<ajmitch> would be nice
<ajmitch> so we should probably make sure we get samba 3.0.23c in feisty
<Burgundavia> might suggest that on desktop-architects
<ajmitch> assuming that code we need is in there
<Burgundavia> debian already has .23 I think
<ajmitch> but what revision?
<ajmitch> ok, 3.0.23c
<Burgundavia> no idea
<ajmitch> so it needs merged, I'll see if I can do that this week or next
<ajmitch> pitti did it last, so I'll talk to him
<Burgundavia> what does our samba delta look like?
<ajmitch> I'll have to look
<ajmitch> don't ask me that when I'm only just checking it
<Burgundavia> yep, just wondering
<ajmitch> the more I use beryl, the more plugins I turn off
<ajmitch> you know that RH would ask why we didn't use authconfig instead
<ajmitch> and suse will want to promote their tool
<Burgundavia> which I think is yast
<Burgundavia> we don't we use authconfig?
<ajmitch> ok, grabbed samba from edgy, now fetching from sid
<ajmitch> because I wanted some of that debian specific stuff
<Burgundavia> what do you mean?
<ajmitch> debconf, managing conffiles, packages, etc
<Burgundavia> ah
<ajmitch> and I was going to use authtool in package maintainer scripts as well, which may still be an option
<ajmitch> it'll probably still be needed
<ajmitch> so that when you upgrade various libraries, it just DTRT
<Burgundavia> right
<ajmitch> hence why the package got native versioning, etc
<ajmitch> which I should probably change
<ajmitch> whip up some screenshots
<ajmitch> blog about it
<lophyte> is it really necessary to import the contents of /etc/group into an LDAP directory
<ajmitch> rake in the millions
<ajmitch> lophyte: it can be useful
<lophyte> oi.. seems like a lot of work
<ajmitch> ok, seems like we don't have *too* many changes to samba, mostly well documented
<ajmitch> it'll take a bit of picking through
<nkassi> lophyte: I believe there are some scripts online that can do it for you and output to ldif.
<ajmitch> migration-tools package
<lophyte> oh, really
<ajmitch> which I don't like much, but it tends to work
<tepsipakki> Fujitsu: it was me =) (the updatedb-bug)
<tepsipakki> it was a bit too late to triage bugs
<Fujitsu> tepsipakki: I noticed :)
<Fujitsu> tepsipakki: It can get that way sometimes, I know.
<tepsipakki> I was seeing nss- all over the place
<tepsipakki> heh
<ajmitch> ah, more posts on the -directory thread on devel
<Burgundavia> nkassi: can you move the n-a/Server stuff to EasyLDAPServer ?
<ajmitch> ok, got the goahead to do the samba merge, so we can have toys to play with
<nkassi> Burgundavia: Done
<^robertj> morning all
<nkassi> morning
<bmonty> ajmitch: ping
<wasabi_> morning freedom lovers.
<SimonAnibal> morning all
<wasabi_> I like this shizit about Oracle and RedHat battling for the enterprise.
<wasabi_> Lets sneak in under the radar and shoot both of em down.
<^robertj> wasabi_: also, it's worth noting that they aren't
<wasabi_> Yeah hah
<^robertj> Oracle is supporting Oracle
<wasabi_> Few server side installs.
<^robertj> "is there anything else on that server besides oracle? Sorry, that's not under your agreement"
<wasabi_> Oracle announced on Wednesday that it would take RHEL, strip out the Red Hat (NASDAQ: RHAT - news) copyrights and add in Oracle bug fixes to create Unbreakable   ?
<wasabi_> Just to run Oracle?
<^robertj> that's my buess
<^robertj> err guess
<wasabi_> Makes sense.
<SimonAnibal> So does that mean all Oracle boxes are going to be forced to be DEDICATED Oracle boxes?
<^robertj> Im betting we will see 5-10 specific certifications for Unbreakable + a vm
<nkassi> Oh well, Oracle doesn't seem to realise the amount of PR they will need to do to get people's confidence, I mean the people who paid a good amount of money for Red Hat support
<nkassi> And what sort of patch are they going to provide that RH will not ?
<nkassi> Oracle specific ?
<^robertj> nkassi: probably a subset of security updates
<nkassi> I still don't see how that is going to make a difference, I believe that RH will be faster than Oracle to test and release them. What Oracle should do is buy RH.
<^robertj> could be sabre rattling, I just don't care
<^robertj> I hope they don't buy RH though
<^robertj> so I guess I do, but either way I don't want to hear squat from some retard at /., cnet or digg
<SimonAnibal> Anyone have experience with SystemImager?
<nkassi> ^robertj: hehe, oh well, it's bound to happen.
<SimonAnibal> I'm wondering if it would be of use to me in my situation
<SimonAnibal> ~300 workstations on 3 different model computers
<SimonAnibal> I want to keep them all up to date and configured from one golden client, as it claims to do.
<SimonAnibal> My old way (using Norton Ghost to re-image every time) won't work if it's not deployed on identical hardware
<nkassi> Got to go, see y'all.
<SimonAnibal> Wondering if there might be a simpler/better solution out there that one of you might know about
<SimonAnibal> Otherwise, I'll be diving into it
<lophyte> morning all
<SimonAnibal> morning
<lophyte> bmonty: you around?
<bmonty> lophyte: hi
<lophyte> heya
<lophyte> would you be interested in collaborating and finishing the SingleSignOn howto together?
<bmonty> sure, I'm actually having to redo the setup on one of my machines, so the steps are fresh in my mind
<lophyte> cool.. I'm working on it too, in a Xen VM
<bmonty> the edgy upgrade did not deal well with my LDAP+Kerberos setup
<wasabi_> Any LDAP pros know the true cost of doing async LDAP notify operation?
<wasabi_> Socket open on the server I assume.
<bmonty> lophyte: is there any particular place you want to start?
<bmonty> wasabi_: is a notify operation the server telling clients about a change?
<wasabi_> Yes.
<wasabi_> What's a reasonable top limit of open sockets on a server?
<wasabi_> From a single process.
<bmonty> isn't that a kernel parameter?
<bmonty> I think the sys admin can set that, plus there is a limit based on available system resources
<wasabi_> Yeah. Just curious what a real functional cost might be.
<bmonty> does OpenLDAP do the notify operation?
<wasabi_> Believe so. Uses it for repl.
<wasabi_> For instance if every client in an enterprise were to maintain a persistent query on passwd/group
<bmonty> ok, I can't remember seeing anything in the docs about pushing changes out to clients
<wasabi_> It's a standard LDAP operation.
<bmonty> cool, I'll have to check that out
<lophyte> bmonty: LDAP configuration seems like the first thing that's missing
<lophyte> actually, adding a host principal into kerberos is missing..
<lophyte> that involves installing krb5-admin-server and using kadmin.local, right
<wasabi_> I'm switching to Heimdal.
<lophyte> I'm using heimdal, actually :P
<wasabi_> Then it won't be krb5-admin-server you need.
<lophyte> nope..but the howto uses MIT
<bmonty> the MIT krb5 install takes care of creating an admin principal
<lophyte> ah
<bmonty> once you have the servers installed, it is fairly easy to run kadmin from any machine on your network
<bmonty> has anyone made a decision to make heimdal krb5 the standard for Ubuntu?
<wasabi_> Nobody has made any decisions about anything.
<wasabi_> I suspect that's where we'll end up on the server side though.
<bmonty> to me, that is a decision that needs to be made fairly early
<wasabi_> Nobody is going to start a server implementation for a long time.
<wasabi_> And the client side is portable enough.
<bmonty> any idea how closely the heimdal API mirrors the krb5 API?
<bmonty> MIT krb5 API that is
<^robertj> has anyone done an overview of the client side utils from Fedora, OS X, & Windows to see what is worth stealing?
<wasabi_> There are very few differences.
<wasabi_> They're not compatible, but whatever we build can be retrofitted in a few days.
<wasabi_> Except for the kadmin protocol...but we'll need to support both of those anyways.
<bmonty> wasabi_: if stuff gets written in python, it shouldn't be too hard to hide the differences
<wasabi_> I don't know what you expect to be written in python.
<wasabi_> Heh.
<wasabi_> Except a pretty config wizard.
<wasabi_> Which ajmitch has been doing nicely on, btw.
<^robertj> wasabi_: is there an accompanying util?
<wasabi_> for?
<^robertj> wizard is run once, right?
<bmonty> ^robertj: there is some stuff out there, but my general impression is that a lot is unmaintained, and the other stuff is very specific to a certain distro
<^robertj> bmonty: I meant purely from a usability standpoint
<wasabi_> The idea is for a program called "authtool", which accepts a minimal number of settings, either on the command line, or a UI, and configures the relevant client services.
<bmonty> ^robertj: usability of what?
<wasabi_> So, that's all text file parsing and command invoking. Perfect for Python.
<wasabi_> The actual things it's setting up are all C.
<^robertj> wasabi: but is it going to wipe out all your old settings or can you go in and adjust one setting after it is all said and done
<wasabi_> Depends.
<bmonty> wasabi_: if we were going to develop any GUI tools for the client, I see that being done in python
<bmonty> since not many exist, I expect that will have to happen
<wasabi_> That stuff is so far down the road.
<wasabi_> We're talking like, years.
<wasabi_> I would much rather get some people working on making an Ubuntu box able to join a domain and Work Right.
<^robertj> wasabi: i'm talking purely client-side
<wasabi_> You're talking client side tools for admining a server.
<wasabi_> A server which we do not yet possess, and which will be way off.
<wasabi_> Client side tools for a client, is really nothing but this one wizard.
<^robertj> nope
<wasabi_> "Please enter your domain name. Are you running Active Directory? Thanks... configuring NSS and PAM now!"
<^robertj> wasabi: I've got a fair number of other options on my OS X box that are actually useful
<bmonty> ^robertj: I have not seen any tools that are ready to integrate nicely with Ubuntu
<wasabi_> You mean user management tools?
<^robertj> wasabi: no, in the user-facing tool for setting up directory access
<wasabi_> That's the wizard.
<^robertj> wasabi: I'd be mad if I had to reenter all my attribute mappings on every run of the wizard
<wasabi_> If you have to enter attribute mappings, we've failed.
<^robertj> wasabi_: unfortunately static mappings & other garbage are a fact of life here
<wasabi_> Well, I'm not working on that.
<wasabi_> Are you? :)
<wasabi_> It will be a year or more before I get to that.
<^robertj> hopefully our DS group will get the pink-slip by then ;)
<wasabi_> I think expectations are too high. The goal is to clearly define scope to something that will drive Ubuntu support contracts.
<wasabi_> And something which is doable in some sort of timeline.
<wasabi_> We need to be able to join existing directories. AD being the first.
<^robertj> "not enough human resources to properly assess the security risks? It's an 8 line schema adding 2 new attributes!"
<wasabi_> And we need to cover all our bases in those areas.
<wasabi_> disconnected operation, cross realm, caching, zero blocking NSS.
<wasabi_> Those are Huge things and not to be taken lightly.
<wasabi_> And they're all in C.
<bmonty> just getting NSS to behave properly would be a nice achievement
<wasabi_> Uh huh. That's going to require a massive effort in libnss-ldap, maybe even discarding it.
<SimonAnibal> I figure if whiprush and I have managed to join Ubuntu to AD more or less successfully with existing packages that it would be a matter of setting up a package for AD clients that depends on all necessary packages and has an easy way of getting the necessary information from the user to configure the box and join it to the domain
<lophyte> indeed..
<wasabi_> SimonAnibal: Yes, but your joining AD comes with MANY caveats. Try unplugging the network.
<wasabi_> Try doing the same on a laptop.
<wasabi_> Try logging onto another realm.
<wasabi_> I suspect if we offer "AD support", except for laptop users, and btw your box will lock up when a switch hiccups, we'd be killed. =)
<SimonAnibal> Unplugging the network does nothing, as I have it set up to check for local accounts and consider them sufficient before even checking on the network. And shouldn't the correct behavior of a disconnected box be to not allow network logins?
<wasabi_> SimonAnibal: Tell that to laptop users.
<SimonAnibal> Hmmm, so how do laptop users do it? Don't they have a local account?
<SimonAnibal> How can you authenticate to a server you're not connected to?
<wasabi_> Windows caches creds and logins
<bmonty> i gave up getting my laptop to work
<wasabi_> So it works fine, and when you plug it in, you need to get a TGT
<SimonAnibal> So you login while connected and then you can login to that laptop even if disconnected?
<bmonty> yeah, if I'm on my home network it isn't a problem
<wasabi_> Yup.
<bmonty> but I have a laptop to carry it around
<wasabi_> Anyways, my point is just that even if we get Mark to buyin to it, and put one developer on it.
<wasabi_> Just getting the basic C stuff smoothed out is going to take a very long time.
<SimonAnibal> In our corporation, laptops do not cache credentials as far as I know, we provide a local account to use them when not connected to the network
<wasabi_> SimonAnibal: Windows laptops?
<wasabi_> SimonAnibal: You can login to the domain while disconnected on Windows. It caches your password and network information, but when you plug it into the network, you have no TGT until you get one (lock screen/unlock)
<SimonAnibal> Win XP on Dell laptops. And they might do the caching stuff, it's just we don't rely on it or expect it
<wasabi_> Well, in my company, I'd be fired if I suggested that. People have documents on their desktop they'd expect to be able to access.
<wasabi_> And maintaining two profiles? Ugh.
<bmonty> I've never seen that work 100%
<bmonty> my roaming profile at my work has never worked correctly
<SimonAnibal> Nod, nod.
<wasabi_> Not talking about roaming profiles really.
<SimonAnibal> So, then, what DO we have working?
<wasabi_> You have basic LDAP queries going to a LDAP server for a NSS query.
<wasabi_> They are slow, they block.
<bmonty> I don't think account caching works well with laptops at all
<wasabi_> bmonty: Works perfect on Windows.
<wasabi_> Every laptop in this company seems to have no problem with it.
<wasabi_> There is no fallback support for anything.
<wasabi_> There is no site locality for anything.
<bmonty> I'm not a windows admin...and I've never seen anyone set it up so that it worked for a non-tech user
<lophyte> it doesn't require setting up
<lophyte> its done automatically
<wasabi_> We need to look up SRV records, and order them based on locality.
<wasabi_> If one server goes down, we need to look for another.
<wasabi_> Same goes for KDCs
<bmonty> I like the SRV records
<bmonty> if you get that set up correctly, lots of things will "just work"
<wasabi_> Anyways, so all this needs to be fixed, before any question of a UI to map attributes really matters.
<bmonty> in my opinion getting LDAP+Kerberos (i.e. AD) authentication/authorization to work with PAM and NSS is a huge kludge
<wasabi_> Yup. It is.
<wasabi_> NSS is shitty.
<bmonty> which makes it difficult to maintain in a production environment
<wasabi_> It is not robust at all.
<wasabi_> And it has no potential to be.
<wasabi_> There is no way to query for users.
<wasabi_> No way to do async operations.
<bmonty> it would be nice if we could ditch NSS altogether and use PAM only
<wasabi_> PAM and NSS solve different problems.
<wasabi_> So, that makes little sense.
<bmonty> yeah
<bmonty> well have PAM perform the functions of NSS
<wasabi_> Why?
<bmonty> for one, I could do the configuration of my SSO setup in one place
<wasabi_> That doesn't even make sense.
<wasabi_> They are fundamentally different things.
<bmonty> I don't agree, but I do think that NSS is inadequate as it is currently implemented
<wasabi_> It's also not changing. NSS is POSIX.
<wasabi_> So, it has to be made to work.
<wasabi_> Which means a lot of time writing C programs to make it work right.
<^robertj> have fun with the test suites ;)
<bmonty> so? there are lots of C coders last time I checked
<wasabi_> There are 2 in this channel I believe. =)
<SimonAnibal> So, having no C experience, am I only going to be of use as a real-world test case?
<lophyte> know python?
<lophyte> python coders are gonna be needed at some point ;)
<SimonAnibal> "Know" no. "Started learning but never got very far cause I didn't have a project to work on with it in order to actually understand it" yes.
<SimonAnibal> I'm not averse to learning, or trial by fire.
<SimonAnibal> I don't have any formal education about any of this yet. I won't deny that. But I doubt I'm useless.
<bmonty> SimonAnibal: nobody said you were useless :)
<lophyte> ergh...
<lophyte> ldapadd won't connect to my ldap server
<SimonAnibal> No, nobody did, it's just everything seems low-level enough that I'm doubting my value
<bmonty> SimonAnibal: I wouldn't do that until something actually starts happening
<bmonty> lophyte: are you using SASL?
<lophyte> yeah
<wasabi_> lophyte: What is the error?
<bmonty> what is the error?
<lophyte> nothing.. it just sits there after prompting for my password
<wasabi_> -Y GSSAPI
<lophyte> ldapadd: incompatible with previous authentication choice
<wasabi_> Are you passing -x?
<lophyte> yeah
<wasabi_> Don't.
<wasabi_> That's for a simple bind.
<wasabi_> Which you should disable. ;0
<bmonty> yup
<lophyte> hrm.. same thing.. it just sits there
<wasabi_> strace time.
<wasabi_> see where it's pausing on
<lophyte> ldapadd -h ldap.blindutopia.com -Y GSSAPI -D "cn=root,dc=blindutopia,dc=com" -W -f base.ldif
<wasabi_> Use -H also
<wasabi_> -W not needed either.
<wasabi_> -D not needed either. ;)
<wasabi_> You need to configure your server to support SASL auth I suspect.
<wasabi_> And set up some regexps to map logins to objects.
<lophyte> this howto essentially tells you to configure krb to use ldap as its db
<lophyte> but it gets you to configure ldap first..
<wasabi_> Well, the first goal is to get SASL binds through ldapi working first.
<bmonty> which howto is that?
<lophyte> http://www.openinput.com/auth-howto/
<wasabi_> yeah these howtos are useless.
<wasabi_> Learn the pieces, make your own decisions.
<wasabi_> # Unix-socket connections from the root user are mapped to the host object.
<wasabi_> sasl-regexp     uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
<wasabi_>                 cn=akita,ou=Computers,dc=larvalstage,dc=net
<wasabi_> As an example, I use that to allow local root logins over SASL EXTERNAL (ldapi:///) to map to a computer object.
<wasabi_> # Map Kerberos authenticated logins.
<wasabi_> sasl-regexp     uid=([^,]*),cn=larvalstage.net,cn=gssapi,cn=auth
<wasabi_>                 ldap:///dc=larvalstage,dc=net??sub?(&(objectClass=krb5Principal)(krb5Princ$
<wasabi_> I use that to map GSSAPI logins to the results of a query.
<wasabi_> Heimdal will use ldapi:// (running as root) to connect to LDAP
<wasabi_> You cannot use Kerberos for Kerberos to connect to LDAP. Chicken in egg problem.
<wasabi_> And I just use slapadd to setup the initial computer object.
<wasabi_> And hierarchy.
<lophyte> oi..
<wasabi_> I can explain it pretty easily, if you want.
<lophyte> is that even possible? ;)
<wasabi_> slapd can be connected to over a number of different sockets.
<wasabi_> Over that socket, you can authenticate in a number of different ways.
<bmonty> wasabi_: computer object == host principal?
<wasabi_> Yup
<wasabi_> There is a unix socket which you can connect to slapd on.
<wasabi_> To enable that, you need to instruct slapd to use it.
<wasabi_> In /etc/default/slapd
<wasabi_> SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
<wasabi_> That enables slapd to listen on the ldap port, the ldaps port and ldapi (the unix socket)
<wasabi_> I think it's in /var/run someplace
<wasabi_> Once connected to those sockets, any of them, you can authenticate in two ways. anonymous, simple or SASL.
<wasabi_> anonymous means you don't auth. You should disable that
<wasabi_> # Features to disallow
<wasabi_> disallow        bind_anon bind_simple
<wasabi_> ^ in slapd.conf
<wasabi_> That disables both anonymous and simple binding.
<wasabi_> Leaving only SASL.
<lophyte> I think I'm gonna start over again...
<wasabi_> SASL is expandable... you can install different modules on the client/server side to extend it.
<nkassi> hehe
<wasabi_> And it's service independent.
<wasabi_> You care about only two SASL mechs... GSSAPI and EXTERNAL.
<wasabi_> GSSAPI is a kerberos handshake.
<wasabi_> EXTERNAL is system defined.
<wasabi_> sasl-secprops   minssf=0,noplain,noanonymous
<wasabi_> sasl-realm      LARVALSTAGE.NET
<wasabi_> sasl-host       akita.larvalstage.net
<lophyte> GSSAPI means it uses kerberos principals?
<wasabi_> Yup
<wasabi_> That disables plain and anonymous sasl connections. Sasl itself has a mech for PLAIN
<wasabi_> Which is separate from simple binding.
<lophyte> so you'd login as root/admin@MYDOMAIN.COM ?
<lophyte> using GSSAPI
<wasabi_> No, host/$computername.domain.com@DOMAIN.COM
<wasabi_> # Unix-socket connections from the root user are mapped to the host object.
<wasabi_> sasl-regexp     uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
<wasabi_>                 cn=akita,ou=Computers,dc=larvalstage,dc=net
<lophyte> hm..
<wasabi_> When you login with SASL, slapd makes up a fake object name to represent your login.
<wasabi_> dn=external,cn=auth
<wasabi_> Those don't really exist.
<wasabi_> cn=auth <--- SASL was used
<bmonty> wasabi_: you are using the host principal for the purpose of updating the local NSS database, right?
<wasabi_> cn=external <--- the SASL mech
<wasabi_> bmonty: Yes.
<wasabi_> The SASL EXTERNAL mech defines peercred and uidnumber and gidnumber.
<wasabi_> Because you login using ldapi:///, over the unix socket.
<wasabi_> Using EXTERNAL.
<wasabi_> so it KNOWS your UID and GID
<wasabi_> Because it's a Unix socket. It can know that stuff.
<bmonty> lophyte: just so you know that is a different concept than what I did on my setup...and the concept that the SingleSignOn page is based on
<wasabi_> So what I'm saying with that mapping statement is that when uid 0 connects using EXTERNAL
<wasabi_> Map it to a specific object.
<wasabi_> Being the computer object.
<lophyte> I see..
<wasabi_> Now you have your path into LDAP. root on the same box is assumed to be "the computer itself"
<wasabi_> Heimdal will use that.
<wasabi_> So, logically, the computer itself should have full access
<wasabi_> access to *
<wasabi_>         by dn.regex="cn=akita,ou=Computers,dc=larvalstage,dc=net" write
<wasabi_> Now you need to populate the LDAP directory, and actually make the ou and computer object.
<wasabi_> You can use ldapadd -H ldapi:/// -Y EXTERNAL
<wasabi_> As root, to do that.
<wasabi_> To do that I basically make an object with top/account/krb5Principal
<wasabi_> And set the krb5PrincipalName: host/host.fqdn@REALM
<wasabi_> Then you need to tell heimdal to init its DB.
<wasabi_> It'll spew all sorts of shit into LDAP.
<wasabi_> You go in and move it where it really belongs.
<wasabi_> Heimdal needs work.
<wasabi_> (In C!)
<bmonty> MIT krb5 has an LDAP backend that is coming along soon
<bmonty> I haven't played with it though....only read about it
<lophyte> man..
<lophyte> this shit is overwhelming
<wasabi_> Uh huh.
<bmonty> LDAP as a backend for the KDC makes things a lot nicer though
<wasabi_> Anyways, once you have some initial principals, then you can start logging into LDAP using GSSAPI
<wasabi_> You should use that for everything else.
<lophyte> time to start over and give this a try
<bmonty> wasabi_: do you implement a "roaming profile"...i.e. I could log on to any machine and my home directory is the same?
<wasabi_> No.
<wasabi_> I have some ideas for that though.
<wasabi_> Mostly involving git or bzr.
<bmonty> I've played with pam_mount, it works, but it doesn't know anything about SASL
<wasabi_> To mount what?
<lophyte> mount an nfs share on top of /home/username
<bmonty> to mount my home directory from an NFS server on login
<wasabi_> That's not really an acceptable path to go down.
<wasabi_> Ignores disconnected operation.
<bmonty> or any other network share you want
<bmonty> wasabi_: disconnected operation is a shortfall
<wasabi_> Yes, but it's one NFS will never be able to solve.
<wasabi_> Ever.
<wasabi_> Which makes it pretty useless for the use case.
<wasabi_> Somebody tripping over your network cable, or a switch going faulty, can't result in your desktop crashing.
<wasabi_> Let alone again, laptops.
<bmonty> NFS isn't the only network share, but that is beside the point, I want that kind of feature on Ubuntu
<wasabi_> Yeah. I think there's some room to investigate using a DSCM for ~ specifically.
<nkassi> Hey y'all, I see that there is a preference for Heimdal but what is the advantage over MIT? I saw something about performance. Is that all?
<wasabi_> nkassi: MIT doesn't yet have LDAP storage
<siretart> do you recommend the MIT or the heimdal implementation?
<wasabi_> Yet.
<wasabi_> I recommend it in that its LDAP storage works. ;)
<siretart> what does MIT use as storage? bdb?
<bmonty> out of the box, yes
<nkassi> oh, yeah thats a major issue for me thanks ;0)
<bmonty> the latest version added a pluggable storage feature
<siretart> okay, and in what cases is an ldap storage preferable?
<bmonty> LDAP is one of the plugins available, but it isn't released yet
<wasabi_> Every case, IMO.
<siretart> why?
<bmonty> i agree
<wasabi_> It offers automatic replication.
<bmonty> consistency
<wasabi_> Yeah. Your keys move with your user objects.
<wasabi_> They are tied at the hip.
<bmonty> without LDAP as the backend, you have to maintain a kerberos database and an LDAP database
<nkassi> I also want to use the user info for contacts in thunderbird.
<bmonty> it's doable, but I doubt it is scalable
<siretart> this means that account management does only need to handle ldap, and I don't need to care about adding principals with kerb tools?
<wasabi_> You still need to.
<wasabi_> Only the KDC can sign new keys.
<nkassi> so a tool to add users would have to do both ?
<wasabi_> Basically, yes.
<bmonty> yup
<wasabi_> It would have to make a LDAP object, and then instruct the KDC to populate it.
<nkassi> There no way of having the KDC do the work ?
<wasabi_> There is, but the KDC isn't going to put your shell in LDAP
<wasabi_> Or your UID
<wasabi_> and all that stuff.
<bmonty> by design I think the authentication and authorization pieces should be separate
<nkassi> beurk. oh well, I will have to create scripts or are there some out there ?
<wasabi_> There are no scripts which do it right, and Heimdal is broken.
<wasabi_> It doesn't find existing LDAP objects, it always creates its own.
<wasabi_> So you have to do some manual merging.
<bmonty> I use MIT kerberos, and as things exist today there isn't a reason why you couldn't create a tool to manage them
<wasabi_> It's also a question of policy.
<wasabi_> And security.
<bmonty> but one doesn't currently exist
<wasabi_> To me, it seems a bit insecure to allow a client machine, even with an admin user, to create an LDAP object, and instruct the KDC, in different bands.
<wasabi_> It's a single logical operation. There should be a single RPC on the server which does it all.
<bmonty> with your setup using ldapi, is that the only place you allow connections to create objects?
<wasabi_> No.
<bmonty> I'm thinking about something like the AD user manager that can run on any machine with MMC installed and any user that has the correct privs
<wasabi_> Yeah, that uses custom RPCs though.
<wasabi_> It doesn't contact the LDAP and KDC to make a user.
<wasabi_> It actually calls a MS RPC CreateUser API.
<lophyte> mmc for ubuntu would rock
<wasabi_> Using either named sockets or TCP
<bmonty> ok
<wasabi_> Which, imo, was done for a good reason.
<wasabi_> For instance, in my company, IT doesn't create users.
<wasabi_> HR does.
<bmonty> I see your point, and it makes sense to me
<wasabi_> The last thing I want to do is give HR the permission to connect to the LDAP and make random objects.
<wasabi_> I want them to call a single unit of work to happen remotely.
<wasabi_> So, again, when we start talking about directory servers, we go down paths like that.
<wasabi_> And now we're creating and defining a remote API.
<wasabi_> And choosing a protocol for it.
<wasabi_> And complexity explodes. ;0
<bmonty> whee!
<wasabi_> So anyways, I see a suitable AD replacement seeing years off.
<wasabi_> I see a good client that can connect to an existing AD being maybe a year or more off.
<bmonty> why would canonical create a feature that requires you to purchase windows in order to use it?
<wasabi_> Because many people have already purchased windows.
<wasabi_> And we want those people to deploy Ubuntu in a reasonable time frame.
<wasabi_> Where it fits.
<siretart> I see an urgent need for proper overview documentation how directory and authentication services work with each other and how to reasonably deploy it in, say, 6.06LTS
<wasabi_> An all or nothing approach is not reasonable.
<wasabi_> siretart: Me too.
<wasabi_> I'd love for somebody to document setting up a PROPER KDC and ldap.
<wasabi_> Not this simple binding crud. :0
<^robertj> define PROPER
<wasabi_> Connections to LDAP established only with SASL.
<wasabi_> Everything that needs to be secured secured.
<bmonty> siretart: documenting the setup is hard without deciding on what software Ubuntu is going to use in implementing the specs
<wasabi_> KDC princs stored in LDAP.
<wasabi_> Replication between LDAP servers happening using kerberos.
<bmonty> MIT krb5 vs. Heimdal krb5
<wasabi_> Clients using Kerberos for all connections to LDAP
<bmonty> for example
<siretart> robertj: proper in the sense that after reading a decently skilled admin can set it up without external documentation not referenced in that document
<^robertj> wasabi: maybe start with a clean -server install on vmware and create a sh script which you curl and run via sudo to set it up and then document that?
<wasabi_> Sure.
<nkassi> <Was making food> About the MMC tool, how would that be implemented easily ? Is that a really huge complex project ?
<wasabi_> I'm not convinced we need anything like MMC at all.
<wasabi_> A nice LDAP client, sure.
<wasabi_> A weirdly pluggable administration tool host?
<wasabi_> For the LDAP tool, I'd start by fixing GQ up.
<wasabi_> GQ is probably the closest of all of them. At least it's Gtk.
<^robertj> and written in our beloved python
<wasabi_> Is it?
<nkassi> Well, I know that I will need an administration tool for at least my boss, and the Windows Admins if I was to switch. They wouldn't go for the Web stuff really, they seem to love MMC on windows ...
<wasabi_> Believe gq is C
<^robertj> maybe not, I thought so
* ^robertj goes & checks
<wasabi_> nkassi: Admin tool for what, AD?
<^robertj> gtk+
<wasabi_> nkassi: MMC isn't an admin tool. It's a pluggable architecture for building admin tools.
<nkassi> wasabi: Hum, well I meant a tool to emulate the AD tools but to manage Ubuntu-Directory
<wasabi_> If you mean AD Users & Computers, sure, we need a nice LDAP client. :0
<nkassi> Ok the console then
<wasabi_> gq is still probably the closest to what you want.
<nkassi> wasabi, I guess that would work.
<wasabi_> It works now, it's really wonky and buggy though.
<wasabi_> And needs SRV record support, GSSAPI support compiled in and working.
<wasabi_> Its UI is sort of silly. Could use object-specific UI plugins.
<nkassi> What about Luma ? I know it's qt but I was looking at the backend, it could be used to create a Ubuntu specific GTK interface.
<wasabi_> Sure. The backend is Qt though.
<wasabi_> Isn't it?
<nkassi> hum, I meant the ldap stuff
<nkassi> I was going to try to rip out all the Qt stuff, I just liked the LDAP connection code.
<nkassi> I'm my making any sense ? (I usually don't  ;0) )
<nkassi> I meant I'm I ...
<nkassi> There you see, I don't make sense.
<bmonty> wasabi_: the code for SASL binds is in gq, but it is very buggy
<wasabi_> Yup
<bmonty> it looks like someone has picked up maintaining gq though
<wasabi_> That's nice.
<bmonty> I think the end result should be a tool that is a little more specific to managing users and groups instead of just editing the LDAP database
<wasabi_> Sure, but GQ can be turned into that.
<MagnusR> Agree, it would be nice to have an integration with Kerberos in a Unified interface.
<wasabi_> What it needs is a set of pluggable UI pieces which can be loaded based on detected objectclasses.
<nkassi> bmonty: I second that. How hard would it be to modify the user & group dialog in gnome-systems... package ?
<wasabi_> If no plugin matches, use the plain old property/value view.
<bmonty> nkassi: I think that is a larger issue..,
<wasabi_> Yeah, that dialog is on the way out anyways.
<bmonty> i.e. ALL of the user tools (adduser)...how do they know where to make changes?
<wasabi_> They make them in the passwd file.
<wasabi_> They are meant for local users.
<nkassi> Oh I didn't know it was being replaced. oh well
<wasabi_> And there is nothing wrong with that at all.
<wasabi_> MS does the same.
<wasabi_> Control Panel, Users and Groups.
<wasabi_> MMC.
<bmonty> so then a new gnome applet that is for managing domain users and groups...not replacing the current tools
<wasabi_> I still think Gq is fine. =)
<wasabi_> It just needs love.
<bmonty> and it looks like it is getting it....new release v1.2.1 on 8 Oct
<lophyte> Gq?
<nkassi> Hum a separate menu could be created under System with all the "Administrative Services" Items ;0)
<bmonty> yup
<lophyte> never heard of it
<nkassi> The name is probably patented or something ;-)
<bmonty> http://gq-project.org/
<lophyte> ah, neat.
<bmonty> looks like they added gnome-keyring support...
<bmonty> hmmm...we still have 1.0.0 :(  Maybe I should take a look at repackaging it later today
<Burgwork> wasabi_: have you played with lat?
<Burgwork> lophyte: bmonty_away: either of you?
<wasabi_> lat = ?
<Burgwork> ldap admin tool
<Burgwork> I use it here
<wasabi_> no
<Burgwork> works quite well
<ajmitch> hi
<wasabi_> lat seems to be C#?
<wasabi_> no sasl support yet
<ajmitch> you don't like C#? :)
<wasabi_> love it. Just wondering.
<ajmitch> we probably don't want to have each tool done in its own language
<wasabi_> Doesn't really matter to me. Whatever is the least resistance.
<wasabi_> I'm not going to propose rewriting a LDAP tool because it's not our language of choice.
<ajmitch> I'm not suggesting rewriting
<wasabi_> Lat looks pretty good actually.
<ajmitch> just a factor in what we pick
<ajmitch> eg I'd love to have everything in python so that we could mix & match
<ajmitch> but that's just a dream..
<ajmitch> and not essential in any way
<ajmitch> wasabi_: you want me to fill in NetworkAuthentication/Client/Interface ?
<Burgwork> wasabi_: the only thing lat needs is some serious stabilization work, but the UI works and the rest is good
<wasabi_> Yes please.
<ajmitch> k
<Burgwork> http://lists.debian.org/debian-devel/2004/12/msg00290.html
<wasabi_> Silliness.
<ajmitch> 'interesting'
<ajmitch> you'd have to basically walk the whole tree anyway, no real advantage over the flat Packages file
<ajmitch> maybe a bit more compact, but that's hardly a blocker for apt
<Burgwork> I know the apt and rpm people have spoken with the samba people about storing the databases in ldb
<ajmitch> Burgwork: expect hate mail from beryl people ;)
<Burgwork> my -devel comment?
<ajmitch> yeah
<Burgwork> I did explicitly say this was about beryl by default
<ajmitch> I know
<Burgwork> I need to address the "gconf-is-a-bad-idea" meme
<ajmitch> the main thing that needs replaced is the settings manager
<ajmitch> have you seen it?
<ajmitch> it makes sawfish configuration look clean & elegant by comparison
<Burgwork> no, I haven
<Burgwork> '
<Burgwork> t
<ajmitch> http://ajmitch.net.nz/~ajmitch/beryl-manager.png
<ajmitch> a fraction of one pane of the many plugins
<Burgwork> holy crack!
<ajmitch> yeah
<Burgwork> ok, now I just pissed more people off
<ajmitch> see how many tabs, how many widgets
<ajmitch> heh
<ajmitch> that's ok
<ajmitch> I've got to go, back in ~30min
<Burgwork> said that gconf is a sane default for a gnome-based distro
<cberl1> Hi folks.  Got any PAM experts herein?
<cberl1> I need to get SSH to work with Winbind and PAM_MOUNT....
<cberl1> All of my users are in Active Directory.  I need to enable ssh access, then make their local "home" directory and map their Windows drives so they can access them.
<Burgwork> cberl1: both of our windows experts appear to be away
<cberl1> Wow, you have TWO?  <snicker>
<cberl1> Just kidding.
<cberl1> Alright, I'll have to try again later.  This is something that I'm going to need at some point.
<robertj> is it permissible to sign someone's key based off a form of ID other than a face-to-face visual ID?
<Burgwork> afaik, no
<robertj> no one in our LUG does key signing
<robertj> and it's rather dumb because why does Ubuntu care if my name is rover and I am a dog?
<Burgwork> ubuntu itself doesn
<Burgwork> 't care
<Burgwork> it only matters if you want to upload
<robertj> but why would it matter?
<wasabi_> Hi.
<robertj> like the old adage says, don't look a gift-dog in the mouth
<Burgwork> robertj: if you upload, we need to know who you are
<Burgwork> "I wouldnt want Shuttleworth to
<Burgwork> be right about the DCCA not working, its such a great idea." <-- http://lists.dccalliance.org/pipermail/dcc-devel/2006-June/000704.html
<robertj> Burgwork: maybe i'm missing something. Like if you were hacking on OOo & signing Sun's JCA I could see it being needed but otherwise...
<Burgwork> ok, lets look at it this way
<Burgwork> you upload a package to revu
<Burgwork> given I have never met you, how do I verify it is you that uploaded it?
<Burgwork> you sign it with your key
<Burgwork> which has been signed by somebody like ajmitch
<ajmitch> alright, back
<Burgwork> given I trust ajmitch, I trust you
<ajmitch> silly Burgwork, trusting me
<robertj> Burgwork: well I still have an identity
<Burgwork> I know
<Burgwork> yes, you do
<robertj> but instead of being Rob J. Caskey of Athens, GA I am rcaskey@uga.edu
<robertj> or some really long hash
<Burgwork> signed keys allow you to prove that you are you
<robertj> Burgwork: well they prove I have the key :)
<ajmitch> it's a trust path, so that people who haven't met you can trust to some degree that you are who you say you are
<Burgwork> yes, as I explained
<robertj> ajmitch: which is cool, that I grok, I just don't see why visual ID has to be required
<robertj> I mean, can't I just exist as rcaskey@uga.edu?
<ajmitch> they prove that you have the key, the email as on that key, and that you actually are the same person as the key claims
<Burgwork> because I need to verify that your name is associated with your face
<wasabi_> Email is not a secure path to establish initial trust.
<wasabi_> A government issued id acceptable, etc.
<Burgwork> email is trivially spoofable
<ajmitch> passport is somewhat less so
<robertj> wasabi: well I could post up on www.music.uga.edu and say <!-- I am responsible for this machine -->
<wasabi_> Also, you cannot hold an email address responsible.
<wasabi_> So? Somebody could have hacked your server.
<wasabi_> Somebody could have hacked your email.
<robertj> Somebody could hack my dev box after I had my key signed
<wasabi_> true true
<cberl1> robertj: at which point, wouldn't you want to get a new key?
<wasabi_> And that's why we allow revocation. :0
<lophyte> back
* ajmitch has had to revoke his key, last year
* robertj consoles ajmitch
<Burgwork> ajmitch: that would suck even harder for you, given how hard it is to get out of NZ
<ajmitch> Burgwork: why? there are 4 other DDs in dunedin
<Burgwork> ah
<ajmitch> besides, I lost my laptop & regenerated my key at UBZ, got plenty of sigs there
<ajmitch> (thanks siretart) :)
<lophyte> hey all
<ajmitch> hi lophyte
<lophyte> ugh..
<lophyte> gnome-pilot has issues
<Burgwork> yes, yes it does
<lophyte> i was hoping they'd be fixed by edgy
<ajmitch> many things weren't fixed by edgy
<Burgwork> there was no work, either upstream or in ubuntu for gnome-pilot during edgy
<lophyte> is there any other way to sync stuff with my pc?
<lophyte> it'd be nice to be able to sync with evolution
<Burgwork> opensync, but that doesn't work with evo
<lophyte> so I'm pretty much SOL?
<wasabi_> Use a server based store. ;)
<lophyte> what do you mean?
<wasabi_> What you trying to sync? Contacts, calendars, email?
<lophyte> calendars and todo lists
<lophyte> contacts would be nice too
<wasabi_> Well, here is another big thing to put on a todo list.
<wasabi_> Exchange. =)
<lophyte> ew
<lophyte> :P
<wasabi_> Or similar set of functionality. =0
<lophyte> indeed.
<lophyte> put that on our 10 year todo list
<wasabi_> yup
<cberl1> zimbra has some good functionality that way (just poking my head back here now and then)
* ajmitch sees a few more replies on the -directory thread
<lophyte> erghg.. stupid connection
<cberl1> What does it mean when you can't get shadow information for  a user?
<wasabi_> It means you can't get shadow info for him
<wasabi_> Which is basically a md5 password hash
#ubuntu-directory 2006-10-31
<lophyte> Burgwork: opensync has evo plugins
<lophyte> opensync-plugin-evolution - Evolution plugin for opensync
<Burgwork> exciting
<Burgwork> we should probably use opensync
<lophyte> it is :)
<ajmitch> yes, we should
<ajmitch> the debian maintainers are nice & friendly too
<lophyte> maybe I'll give it a shot
<Burgwork> ajmitch: are you a debian maintainer of opensync?
<Burgwork> kde is moving towards it
<ajmitch> Burgwork: mainly lifeless & azeem
<Burgwork> ah, good people then
<ajmitch> yep
<ajmitch> I'm still in the LP team but haven't done much
<lophyte> arr.. suppose I'll have to use the CLI tools
<ajmitch> http://packages.qa.debian.org/libo/libopensync-plugin-evolution2.html
<ajmitch> funny, I'm still listed as comaintainer
<ajmitch> I should merge it in feisty if lifeless doesn't get to it first
<lophyte> is it even usable o_o
<ajmitch> ought to be
<lophyte> all I get from opensyncutils package is
<lophyte> osyncbinary  osyncdump    osyncplugin  osyncstress  osynctest
<lophyte> yay, unmet deps
<lophyte> The following packages have unmet dependencies:
<lophyte>   libmultisync-plugin-palm: Depends: libpisock8 but it is not installable
<Fujitsu> lophyte: multisync got obliterated from testing a while ago because it's no longer installable. Needs changes to work with pisock9.
<lophyte> ah.
<lophyte> guess I'm screwed then
<ajmitch> hi Burgundavia
<Burgundavia> hey ajmitch
<siretart> wasabi_: nice  work on https://wiki.ubuntu.com/NetworkAuthentication/Client
<ajmitch> hey siretart
<siretart> huhu ajmitch
<SimonAnibal> ahhhhh....coffee.....
<SimonAnibal> good morning all
<^robertj> howdy
<cberlo> would this be the right place to ask about a samba acl issue with Ubuntu?
<cberlo> Okay, let's put this out there anyway, and if you want to reply, thanks.  If not, oh well.  :)      I have a server that's mounting Windows user home drives to one share.  I'd like to create links for each user that logs in to their own "home drive" and give appropriate permissions.  I do not want other users to be able to have any access to other Windows home drives.  Can anyone suggest a way to go about doing this without having to mount ev
<ajmitch> morning
<tmh__> win 10
<bmonty> hi ajmitch
<Burgwork> woot!
<Burgwork> work just got me a 19" monitor
<bmonty> nice
<bmonty> I just finished packaging the new version of gq (1.2.1)
<Burgwork> cool
<SimonAnibal> work just got me...more stuff to do!
<Burgwork> can you do the new lat as well?
<ajmitch> what is the latest version of lat?
<bmonty> 1.2.1.1
<bmonty> we have 1.0.7-1
<ajmitch> debian has 1.2.0.1
<ajmitch> do we need to fork from debian for yet more packages?
<bmonty> i've never used lat
<ajmitch> it's a mono package
<bmonty> the screenshots look nice though
<bmonty> does it work better than gq?
<Burgwork> somewhat
<Burgwork> UI is nicer, but have had a few crashing issues
<Burgwork> 1.2.1 is latest stable
<Burgwork> 1.3.0 is latest unstable
<Burgwork> lat follows GNOME numbering scheme
<ajmitch> debian should get 1.2.1 soon
<Burgwork> lat is proposed for gnome-admin upstream
<ajmitch> and the hordes of users will scream at more mono stuff being added
<Burgwork> well, other people proposed gq in its place
<Burgwork> radio silence since then
<whiprush> ajmitch: confirmed the hotel
<ajmitch> yay
<whiprush> also added your name to the room, so you'll need id. (obviously)
<ajmitch> well I'll obviously have my passport :)
<whiprush> I am currently looking at how to walk there from the hotel
<whiprush> which looks long and out of the way
<whiprush> but still not too bad
<ajmitch> to google?
<whiprush> yeah
<whiprush> moffett south to middlefield, then to shoreline, then left on charleston
<ajmitch> pretty roundabout way to do it
<whiprush> yeah
<whiprush> I can't see a way to cross the 101 though
<whiprush> and directly north is like a nasa facility.
<whiprush> but, if you were planning on walking around and stuff when you get there, scouting out that way might work
<ajmitch> moffett goes over 101 right by the hotel, if there's a footpath
<whiprush> :)
<whiprush> yeah
<whiprush> that was my concern, a footpath
<ajmitch> otherwise just run across 8 lanes of traffic, it'll be fine
<ajmitch> get your exercise for the morning
<bmonty> ajmitch: last time I was there I almost got a ticket for running across of the roads
<bmonty> cops seem serious about jaywalking there
<ajmitch> it looks like there's a footpath on moffett as it goes over
<ajmitch> we'll find out on saturday
<ajmitch> hard to tell
<whiprush> "Hi everyone, well we made it, except for jorge, he won't be making the trip, he got killed on the highway .... well, let's get to work!"
<ajmitch> heh
<whiprush> I can't wait for this
<whiprush> I haven't seen you guys in like 2 years.
<ajmitch> not since sydney
<Burgwork> we have had ~15 subscriptions to our mailing list in 2 days
<stelis> Burgwork: Is there an easy way to ping all the Ubuntu Directory team?
<Burgwork> via our mailing list
<stelis> There were 41 members listed on there this morning
<stelis> So most probably aren't on the ML yet
<Burgwork> likely
<stelis> I didn't know that the ML was up until well, 30 seconds ago
<ajmitch> I wonder how many team members are going to be inactive & just want to see stuff happen
<Burgwork> yep
<Burgwork> we need a good todo
<Burgwork> who has a few cycles right now?
* ajmitch needs to get writing
<stelis> FWIW, I've been waiting on MV
<Burgwork> creating a todo list now is good thing
<stelis> Since I don't know what UDS *is* yet, software-wise
<stelis> If that makes sense
<Burgwork> I am speaking todo for the whole team
<Burgwork> then our todo is: evaluate fds vs openldap
<stelis> OK.
<stelis> I was puzzled by J Haltom saying that UDS would be directory independent
<stelis> https://lists.ubuntu.com/archives/ubuntu-directory/2006-October/000002.html
<stelis> ogra also talked about using smbldap on edubuntu-devel
<stelis> Would it be worth calling a pre-MV meeting?
<ajmitch> you've got about 2 days to do so
<stelis> ajmitch: probably too late then
<ajmitch> well MV starts on sunday, and people will be travelling
<stelis> Yep
<ajmitch> I'm only around for the next 2 days before I fly away
<stelis> Should have double-checked the date
<stelis> I just get the sense that we may have different people thinking of going in different directions
<ajmitch> possibly
<ajmitch> some of us will get together in MV & argue it out
<ajmitch> input from the lists, etc is welcome
<stelis> My two cents was really in the spec
<ajmitch> ok
<stelis> I think that the most important thing is that third party devs have one product to target
<Burgwork> yes, that is a clear target
<stelis> The other thing I'd like is one record for each host
<Burgwork> add it to the spec
<stelis> OK
#ubuntu-directory 2006-11-01
<Burgwork> http://edsadmin.sourceforge.net/Screenshots.html
<stelis> Yeah, it looks OK
<stelis> That reminds me...
<stelis> Windows doesn't expose any Kerberos or LDAP terminology in the default admin interface
<Burgwork> no, no it doesn't
<stelis> I'm unsure whether or not this is a good thing
<stelis> Part-time admins on small networks probably don't know what a DN is
<stelis> Maybe they don't need to know
<stelis> Not sure here
<stelis> Interesting reading: http://primates.ximian.com/~federico/docs/gnome-deployments-2006/index.html
<Burgwork> yep
<ajmitch> hm
<ajmitch> that's interesting
<ajmitch> https://features.launchpad.net/distros/ubuntu/feisty
<ajmitch> I was able to set n-a as a release goal, I thought only ubuntu-drivers could
<Burgwork> there is a bug about that
<Burgwork> I noticed it
<ajmitch> doesn't surprise me
<ajmitch> probably that anyone in core-dev can
<Burgwork> no, anybody can
<Burgwork> afaik
<ajmitch> that's worrying
<Burgwork> hmm, maybe you are right
<Burgwork> https://features.launchpad.net/distros/ubuntu/+spec/smartpm/+setrelease
<Fujitsu> No, only core-dev can.
<Burgwork> Sorry, you don't have permission to access this page.
<ajmitch> ok, I see it
<ajmitch> Drivers:
<ajmitch> Ubuntu Core Development Team
<ajmitch> it used to be Ubuntu Drivers
<Burgwork> so anybody in core-dev
<Fujitsu> Yes, that's what I was going to point out.
<Fujitsu> Yeah, which is OK.
<Burgwork> not really
<Fujitsu> core-dev should be trusted enough, shouldn't they?
<Burgwork> oh wait, I think it was something else
<ajmitch> Fujitsu: they should be trustable, but it still shows up as "propose as a goal"
<Fujitsu> Milestone-targeting specs, Burgwork?
<Burgwork> https://launchpad.net/products/blueprint/+bug/62717
<Fujitsu> Aha, I was right.
<ajmitch> Fujitsu: yes, that's a historic problem
<Burgwork> milestone != distro
<Burgwork> which is crack
<ajmitch> there was a little discussion about that in #launchpad that I saw
<Fujitsu> Burgwork: It's LP, and LP !!= crack.
<Burgwork> indeed
<Burgwork> closed source crack at that
<ajmitch> the best kind
<Fujitsu> Closed source often implies crack, but this is particularly potent crack for a closed-source project.
<Burgwork> http://uncyclopedia.org/wiki/Kitten_Huffing
<Fujitsu> A level of crack which even Beryl fails to exceed.
<ajmitch> now that's stretching it
<Fujitsu> Beryl and LP must be two of the more crackful projects around, and they're both (going to be) integral parts of Ubuntu :S
<Burgwork> I think we can win the former fight
<Fujitsu> Hopefully.
<lophyte> Burgwork: ping
<Burgwork> lophyte: pong
<lophyte> Burgwork: hey.. what should I say to mvo regarding nwu/uus?
<Burgwork> can you look over our new spec for sanity?
<bmonty> ajmitch: are you going to link your authtool branch in to the directory team?
<lophyte> the uus spec?
<Burgwork> yes, the uus one
<ajmitch> bmonty: no, it's an open team, I don't feel like having the main branch being committed to by anyone
<lophyte> I didn't finish the uus spec, I wanted to talk to mvo first before I put any more into it
<ajmitch> anyone can make their own branch if they choose
<bmonty> true
<ajmitch> any one of you could push the code there as well
<ajmitch> and I'm quickly running out of time to do a pre-UDS cleanup
<ajmitch> work is taking most of my time
<bmonty> I feel your pain :)
<ajmitch> yeah, deadline was friday :)
<wasabi> Yeah. I'm probably going to put the finishing touches on my docs on the plane flight, I suspect.
<wasabi> I'm booked at work until friday
<Burgundavia> wasabi: cool
<Burgundavia> you should poke at the edubuntu-auth-server spec
<beazer> Hi, I am having trouble with samba 3.0.22 and AD - I seem to be able to join a domain, but a net ads testjoin
<beazer> gives "invalid credentials" and wbinfo -u and wbinfo -g don't return any users or groups
<beazer> I am now very stuck, so any pointers would be much appreciated
<nkassi_> Hey y'all
<nkassi_> where can I find the logs for this channel ?
<Burgundavia> nkassi_: people.ubuntu.com/~fabbione/irclogs/
<nkassi_> Burgundavia: Thanks a lot.
<Burgundavia> no worries
<stelis> nkassi: I saw your comment on the EasyLDAPServer spec
<^robertj> THUD!
<^robertj> that was the other shoe dropping
* ^robertj rereads Mark's latest blog
<stelis> ^robertj: his post on packaging?
<^robertj> yes
<^robertj> http://www.markshuttleworth.com/archives/66
<stelis> I've been hoping that something might happen since I saw the dpkg2 spec and the announcement that RPM development has stalled
<^robertj> stelis: well if Fedora goes along I think something could happen
<^robertj> stelis: although Redha
<stelis> Politics...
<^robertj> err Redhat probably wouldn't be happy
<stelis> They want to keep the yum/apt layer closely integrated with their tools
<stelis> Not sure whether they feel strongly about the package format
<stelis> They went with yum over smartpm because of the desire for tight integration
<wasabi> Okay. So I have done a 180 on my NA/CLient plans.
<stelis> wasabi: RichEd and co were just talking about the different auth specs on #ubuntu-meeting
<^robertj> wasabi: so abortions for some, novelty flags for others?
<tepsipakki> stelis: where was that announcement regarding RPM?
<stelis> tepsipakki: http://lwn.net/Articles/196523/#Comments
<stelis> Comment from skvidal
<stelis> (the lead yum developer)
<tepsipakki> stelis: thanks!
<tepsipakki> hey, is anyone here using kerberized NFS?
<stelis> That was August, though, and I don't follow yum/RPM development anymore
<nkassi> Stelis: Hey
<^robertj> wasabi: so winbind is now the one true way ;)
<nkassi> stelis: Still around ?
<wasabi_> morning
<^robertj> wasabi_: morning
<^robertj> I see I'm not the only one collecting ^  _'s and __^'s
<^robertj> :)
<wasabi_> yeah.
<wasabi_> Yeah. So. I'm changing my attack on the client side.
<wasabi_> Screw NSS, and screw PAM.
<wasabi_> Going to use winbind.
<lophyte> oh?
<lophyte> why?
<nkassi> Cause it works!! (tm)
<wasabi_> Nope, hold on.
<wasabi_> Okay, first off, it is the long term desired architecture. Second off, yes, it works now, but only for AD.
<wasabi_> NSS suffers from some design problems which are going to prevent us from using it into the future... no async API, no realms, no queries, etc.
<wasabi_> No caching of any sort. Sucky caching where it is.
<nkassi> So, SSL is totally out of the question on the linux side ?
<wasabi_> The proper long term arch would be a daemon, with arbitrary backends (replacing NSS service modules), with a rich API for querying users/groups, async, etc.
<wasabi_> What? SSL? Huh? Where'd that come from?
<wasabi_> Winbind right now is the closest to that.
<nkassi> sorry, I meant LDAP+SSL
<wasabi_> Take winbind, rename it to something else, split the AD pieces into a backend, and it can form the basis for a good NSS replacement.
<nkassi> no kerberos
<wasabi_> What's SSL have to do with anything?
<nkassi> between OpenLDAP and Linux client
<wasabi_> I still have no idea what that has to do with this conversation heh
<nkassi> Forget me, I'm doing calculus right now. I guess I wasn't following.
<stelis> nkassi: I'm back now...
<nkassi> stelis: you were asking about the piece I put at the end of the easyldapserver spec ?
<stelis> I was going to suggest that we had a brief discussion here or on the mailing list and then post the results to the Wiki page
<nkassi> oh.
<stelis> Rather than appending lots of comments to the spec
<stelis> My point of reference for printing is Windows and Active Directory, and I know very little about printing on other systems
<nkassi> Well, I think that first off there needs to be a blurb about the wizard tool
<nkassi> oh,
<nkassi> that part. Well there are some schema that allow printer information to be stored in the ldap database and I believe, correct me if I'm wrong, the cups can use ldap to query information
<stelis> The wizard was a good point - somebody had a Kerberos problem the other day because they forgot to install an NTP service to keep the clocks in sync
<stelis> There are too many moving parts for most folks to configure it all by hand
<nkassi> exactly, if for example, someone would run the wizard and ask for a Domain Controller to be setup then all those things would automagically be installed
<stelis> Like Windows :)
<nkassi> I don't really like the AD wizard but a nicer ubuntu style one would be cool
<nkassi> In the end the idea is the same.
<nkassi> It has to be flexible enough to setup different types of server with a master ldap server somewhere
<nkassi> Such that I can run it once on my ldap server, once on my print server, once on my ...
<nkassi> It could simply be a script that calls apt- to install the required packages and then feeds configuration parameters to debconf or whatever
<stelis> That sounds a tidy way of doing it
<stelis> It would work from the CLI
<nkassi> It could, I always like to have both cli and gui
<stelis> Yes. I think that debconf can run with a GTK graphical interface
<nkassi> But since installing a gui on a server is often useless, a cli is required
<stelis> Since Ubuntu Server doesn't install a GUI by default it would probably have to work as either a Web interface or command-line tool
<nkassi> or the script could feed debconf db with the config parameters before the installation starts
<nkassi> that might have to change to appeal to the Windows admins. They love there buttons
<nkassi> their
<nkassi> not there ;-)
<stelis> :)
<stelis> Yes, some people seem a little frightened of CLI
<nkassi> a quote from our resident MCSE: "I can't remember the commands"
<SimonAnibal> wow
<SimonAnibal> that's rather sad
<SimonAnibal> I find that I'd rather type in a command in windows than swim through all the damned GUIs
<nkassi> is just finding excuses
<nkassi> true but they feel exactly the opposite.
<SimonAnibal> Win+R "iexplore mailhub" instead of "Open up Internet Explorer, click on this link, that link, the other, and you're at your Outlook Web Access login"
<stelis> I point out that if you can figure out the commands once you can write a script for it, and then not have to do the work yourself :)
<nkassi> He laughs at me when I fire up emacs and edit configs. Then I return the favor when he can't figure out what 0x0000223 errors occur.
<nkassi> or mean.
<SimonAnibal> I'm constantly using Win+R in XP
<SimonAnibal> (just like Alt+F2 in Ubuntu)
<nkassi> true
<nkassi> (the funny thing is that he remembers win commands to restart the update gpos and stuff ;0) )
<stelis> We have two guys who complain about Linux and then SSH into Cisco boxes to run IOS
<nkassi> woah! I make no sense
<nkassi> hehe
<stelis> But the junior techs just avoid anything CLI
<nkassi> Well, they haven't been introduced to it in any courses.
<stelis> I think that it must come down to familiarity and brand names
<stelis> Cisco is "safe", and Linux somehow isn't
<nkassi> cisco is what management wants and there isn't many options except IOS.
<nkassi> commands
<nkassi> Linux, well they believe that Windows is easier to maintain because they (manager) can see something on screen.
<stelis> True.
<stelis> They liked Webmin
<nkassi> Oh well they will like a gui wizard
<stelis> I think configuring the LDAP server itself might be doable with a fairly simple tool
<stelis> Maybe even simple enough that I could write it
<stelis> I'm not sure about configuring other services to use a remote DC.
<nkassi> hehe I think a python script could be done in few days
<stelis> That's about my level
<nkassi> generating a simple slapd.conf file shouldn't be too harsh
<stelis> Absolutely.
<stelis> But attaching other services to LDAP may mean rewriting their config files
<nkassi> yeah.
<stelis> That's why I figure it might need a different approach to do that
<nkassi> well the first step is configuring slapd and adding one user. Debconf does this already. Needs to be wrapped into a gui
<stelis> OK I'll make a note to look into GTK for debconf
<nkassi> second, a set of default schema should be chosen
<nkassi> (more can be added later.)
<stelis> Yes.
<nkassi> I guess that at first adding a people, group ou could be done automatically
<stelis> I think that's on the "outstanding issues".
<stelis> There has to be a "manager" account to login to LDAP
<nkassi> admin is added by debconf
<stelis> And that probably ought to go into a "Roles" OU
<stelis> OK
<nkassi> hum, well the acl are in the slapd.conf generated by debconf
<stelis> I think that the default name for the account in OpenLDAP is manager
<stelis> Yes, that's one thing about OpenLDAP that sucks
<nkassi> yeah, normally that is set with the rootdn, rootpasswd in the config but debian adds an admin user to the db and adds acl to allow it to do all that stuff (I believe that is what should be done)
<stelis> Fedora Directory Server stores ACLs inside the directory
<nkassi> Oh, nice. Didn't know that
<nkassi> I love this channel. I learn so much.
<stelis> It's very cool to talk to other *NIX admins
<stelis> A couple of us seem to like FDS, but making it run on Debian/Ubuntu would be a bit of work
<nkassi> yeah, and openldap is already there. OpenLDAP leave us more freedom too.
<nkassi> In terms of interface. (I guess that not really true)
<stelis> It's all LDAP commands via whatever library the programming language uses
<nkassi> doesn't FDS come with a lot of extra stuff ? Could the ldap db part be installed independently ?
<stelis> (Apart from the text config file bits)
<stelis> It comes with a (Perl?) setup script and a bunch of graphical Java appss
<stelis> apps
<nkassi> ah.
<stelis> Fedora are big on GCJ, so presumably those apps will have to work without the Sun JVM.
<stelis> I don't know whether they do yet.
<nkassi> I don't think so. I remember seeing something about the fact that it requires sun java
<stelis> :(
<stelis> Ubuntu-specific tools probably ought to be written anyway, I guess
<nkassi> That would fit better into the GUI style of ubuntu in my mind
<stelis> Yes.
<stelis> I'm also thinking that the standard tools probably ought to avoid the technical terms
<stelis> e.g. say "login as user" rather than  "bind as DN"
<stelis> But it's up to whoever actually does the work
<nkassi> yeah. Maybe it should be in the spec to not use language that is overly complex.
<nkassi> Think about the folks who will use this with edubuntu
<stelis> edubuntu may have a different setup - the lead developer was thinking about reusing an existing system called smbldap
<nkassi> they don't really need to know what dc, dn, cn ... is
<nkassi> Oh really ?
<nkassi> Well they still need openldap
<nkassi> and why would they use samba ? Windows clients ?
<stelis> I guess so - I hadn't heard of this software before
<nkassi> it is used to store the samba user info inside of a ldap directory. Smbldap is what samba uses to query the ldap server I believe.
<nkassi> UDS will probably use it in the end. Or at least the samba.schema
<nkassi> (My personal opinion)
<stelis> We definitely need the schema
<stelis> I've never seen a network without Windows on it somewhere
<nkassi> I've seen one, I didn't provide any support for windows users. It was a research lab. If they ran windows they were on their own
<stelis> Paradise :)
<nkassi> Yeah.
<nkassi> Now I support windows full time ;0)
<stelis> It pays the bills...
<nkassi> WHY DID I LEAVE
<stelis> I want your old job
<nkassi> hehe true. Plus I switched school (1500 miles apart)
<stelis> That would have made commuting difficult I guess :)
<Burgwork> smbldap is, afaics, not an LDAP server
<nkassi> no I hope that's not what I said
<nkassi> Never know, calculus blurs my brain.
<nkassi> so do you have enough to remove my comments and put them into the main spec ? I don't like doing that, I feel I'm stepping on someone's (who is more knowledgeable) toes
<stelis> :)
<stelis> I *am* an MCSE
<nkassi> Sorry, I am obligated to quit speaking to you. (just kidding)
<stelis> I don't feel knowledgeable enough to edit my own spec :)
<nkassi> hehe
<stelis> I admin Linux boxes as well, but as part of Windows domains
<stelis> So you probably know far more than me about how auth systems ought to work for UNIX systems
<nkassi> Burgwork: What is the correct procedure to edit a spec? Can I just put in my change ?
<Burgwork> the wiki or the LP one?
<Burgwork> the wiki, just edit
<nkassi> wiki
<nkassi> oh thanks
<nkassi> * A graphical Wizard to setup each of the services. Would collect information from user and feed them to debconf. (should support setting up specific services to split up the different components)
<nkassi> Sounds good ?
<stelis> "supported services" ?
<stelis> It may not be possible to make all of them work with LDAP for the first release
<nkassi> ah ok
<stelis> There's a long list on the spec, and I don't think that it's complete
<stelis> Basically all the network services ought to talk Kerberos
<stelis> Even if they don't store data in the LDAP tree
<nkassi> I will add cups but that requires some research to make sure it can work
<stelis> CUPS 1.4 has Kerberos support, but I don't know about storing its data in LDAP
<nkassi> wait MikaelOlenfalk added some details about that.
<nkassi> ftp://ftp.ssc.com/pub/lj/listings/issue143/8377.tgz
<nkassi> This file includes a printer.schema
<nkassi> which implements rfc 3712
<stelis> And an OpenSSH one as well!
<stelis> I'd love to have SSH tied into this
<nkassi> check out the series of articles by the guy. There is tons of good info.
<nkassi> there are 4 parts I believe.
* nkassi going to Calc 3 class. W00000T!
<stelis> It's great to see that somebody still loves maths :)
<nkassi> I'm about to be a Math Major (+ CS of course) ok I'm really out.
<nkassi_calc3> Hey folks
<stelis> Hi
<fernando> the easy-ldap-server looks like a distributed directory feature, and a replication service?
<nkassi_calc3> the easyLDAPserver spec should be renamed UbuntuDirectoryServer
<nkassi_calc3> cause that is what it's shaping to be
<nkassi_calc3> darn it, every time I speak I kill the discussion ;-)
<stelis> Sorry, I was editing the spec and stopped looking at IRC
<stelis> fernando: it looks like it
<stelis> As soon as you have multiple services on multiple systems you need something like this
<stelis> Even Edubuntu does
<stelis> 1x server per classroom
<stelis> Say 5 classrooms to a school, plus an Intranet
<stelis> And a proxy server...
<stelis> And so on
<stelis> Fedora Directory Server has the technical capabilities
<stelis> And so does OpenLDAP I guess
<fernando> I'm confused. It works with replication, then i have 1 (or more) ldap master and many ldap slaves?
<stelis> Yes
<stelis> FDS also supports multiple masters I think
<stelis> My mistake - I didn't mention master-slave, because I just assumed it.
* fernando don't like FDS
<fernando> =)
<stelis> OK.
<stelis> We need to pick one or the other I think
<Burgwork> fds does multimaster
<stelis> I mostly use AD
<stelis> So I'm not qualified to make the call
<Burgwork> fds is probably the most advanced
<Burgwork> it has some nasty bits that will need to be worked on
<nkassi_calc3> We don't have to pick. We can have a server independent system (except for initial config of course)
<Burgwork> no, we need to choose a server
<Burgwork> ubuntu has done very well choosing technology until now
<fernando> the idea is to use a x.500/LDAP?
<Burgwork> one specific ldap server
<Burgwork> likely FDS
<nkassi_calc3> Ah.
<Burgwork> that is part of what the easy ldap spec is about
<nkassi_calc3> I guess.
<nkassi_calc3> It would have the most management tools
<nkassi_calc3> Is any one actively porting FDS ?
<fernando> http://www.watersprings.org/pub/id/draft-zeilenga-ldup-harmful-02.txt
<fernando> http://www.ietf.org/rfc/rfc2251.txt, section 3.3
<Burgwork> lovely
<Burgwork> except the real world needs multimaster
<fernando> :D
<stelis> I've amended the spec to make multiple services explicit
<nkassi_calc3> http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu is this any good ?
<stelis> I guess that means that the core service can be repackaged.
<stelis> oops, too late
<stelis> But I think that Burgwork wasn't happy with some of the library dependencies
<Burgwork> fds is going to be split for the next release
<Burgwork> the deps for the server are icky, but for the management console (sun or ibm java),such
<Burgwork> suck
<stelis> I increasingly feel that most management tools are slightly wrong
<stelis> They either ought to treat the LDAP directory as LDAP and use the correct terms etc.
<stelis> Or offer simple management facilities without using any of the terms
<stelis> Which probably means that I'm going to have to learn how to write Python Web apps at some point :)
<Burgwork> yes, yes you are
<ajmitch> hi Burgwork
<nkassi> I'm back class ended
<gottreu> can I ask about LDAP clients in here?
<nkassi> TurboGears!!! (over kill I know ;-) )
<^robertj> stelis: why web apps?
<stelis> Heterogenous networks
<fernando> gottreu: gq
<stelis> e.g. even if you have a Linux server you may have Windows clients
<stelis> Possibly even for the majority of desktops
<stelis> Also Ubuntu Server has no graphical interface
<Burgwork> hey ajmitch
<fernando> web apps (python-ldap) ?
<stelis> fernando: for management
<stelis> I've updated the spec again
<Burgwork> there are a number of client apps
<Burgwork> gq has issues with its UI
<Burgwork> it is also not really actively developed
<gottreu> gq is what i'm using now, what does not actively developed mean?
<nkassi> luma is nice if you don't mind the Qt stuff
<gottreu> how can I determine the versions of apps available in drake, eft, etc?
<gottreu> and possibly backported ones
<stelis> packages.ubuntu.com
<gottreu> stelis: thank you
<whiprush> wasabi_: I really like your NetAuth client spec
<stelis> I guess that I've been thinking about this from two separate angles: generic LDAP service, and specific AD replacement for small networks
<stelis> In the first case you want to directly see the DNs and schema
<wasabi_> whiprush: Glad somebody does. Burg thinks it's too wordy.
<wasabi_> =)
<whiprush> heh
<wasabi_> whiprush: My explicit goal being to SELL Mark, I think it's fine.
<whiprush> yeah
<whiprush> I figured that
<nkassi> stelis: in that case they can easily use tools like gq to hack it up.
<wasabi_> Obviously none of this is happening unless he puts somebody paid on it.
<whiprush> plus, there's no real way to do this stuff without being wordy
<wasabi_> I don't have time to do it, you don't. Nobody here has C, etc.
<whiprush> yeah
<whiprush> I am going to blog about the lists and stuff in a minute.
<stelis> nkassi: Yes an existing tool would probably be OK
<wasabi_> Did you notice my amendment about winbind?
<whiprush> WANTED: Underappreciated C developers.
<wasabi_> I am radically altering my approach to the problem.
<whiprush> no I'm only half way through
<whiprush> gimme 10
<wasabi_> k
<stelis> In the second case you want to help people accomplish tasks like "add a printer"
<whiprush> ah that brings up a point
<whiprush> have we even talked about printers yet?
<nkassi> wasabi_: Why is a long term dependence on winbind undesirable ?
<whiprush> because that's going to suck
<wasabi_> nkassi, doesn't work for anything other than AD.
<stelis> whiprush: Started to
<whiprush> ok
<wasabi_> nkassi, part 2 of our mission is our own directory server, using LDAP and Kerberos.
<stelis> The EasyLDAPServer spec has comments
<whiprush> We should remember to not forget to talk about printers in mv.
<wasabi_> I'm very disinterested in focusing on printers, actually.
<whiprush> because we should have the cups guy there when we talk printers
<nkassi> wasabi_: So you want one solution for everything right ?
<stelis> whiprush: I guess you've already seen this: http://primates.ximian.com/~federico/docs/gnome-deployments-2006/index.html
<wasabi_> nkassi, cross over would be beneficial.
<wasabi_> nkassi, since both AD and our thing will be LDAP+Kerberos
<whiprush> wasabi_: yeah but there's only 2 chances a year where you can sit down with a printers guy, we might as well spec it
<stelis> I was surprised to see printer management flagged as an issue
<whiprush> stelis: yeah, I'm in it. :D
<nkassi> wasabi_ True. Sounds smart ;0)
<whiprush> stelis: I bitched about printers.
<whiprush> heh
<stelis> Ha
<whiprush> actually, a lot of the longer comments in that survey are mine.
<wasabi_> An explicit goal of step #1 is to log onto AD though... winbind is the shortest path.
<wasabi_> And It is a step on the way to a replacement for NSS.
<whiprush> I gave lots of feedback, took me like 2 days to do it
<stelis> Replacing NSS?
<wasabi_> Yup.
<wasabi_> High and mighty goal, eh?
<stelis> That sounds radical
<stelis> Yeah
<wasabi_> Completely is.
<wasabi_> What we need is a robust, async, queryable, user/group base.
<wasabi_> With support for the concepts of realms.
<stelis> That's like replacing the whole init system or something :)
<wasabi_> Caching built in.
<wasabi_> Smart fall back.
<wasabi_> Robust configuration and runtime operation.
<stelis> Stop, I'm drooling
<wasabi_> Basically that comes down to replacing NSS with a daemon.
<wasabi_> And providing a local socket interface to it.
<nkassi> If the NSS replacement has the benefits of upstart it will be awesome
<wasabi_> And what is Winbind anyways, except that?
<nkassi> or impact I mean
<wasabi_> NSS will still exist, obviously, just like a sysvinit init framework will exist with upstart.
<wasabi_> Just like nss_winbind exists.
<wasabi_> But a whole new set of rich APIs for querying users will be added.
<wasabi_> That just doesn't fit into NSS at all.
<stelis> wasabi_: how does mDNS etc. fit in?
<wasabi_> It doesn't.
<stelis> I think that Avahi plugs into NSS?
<wasabi_> Such a daemon would be only for user/groups. Not hosts.
<wasabi_> NSS again, will still exist, and gethostbyname, will still work.
<stelis> OK, I see
<wasabi_> All existing programs will not be radically changed to use !NSS.
<wasabi_> Upstream would have a fit, dropping POSIX basically.
<wasabi_> But a new set of APIS can be used where it makes sense: GnomeVFS for async resolution of owner info, Nautilus for a better permissions tab.
<stelis> POSIX seems a pretty dead standard to me
<wasabi_> It still holds large importance politically.
<^robertj> wasabi_: I propose the new system be officially named bangnss
<wasabi_> Also, it's a reality that gnome targets !Linux.
<wasabi_> And POSIX is a bridge to that.
<wasabi_> I suspect there will be a big #ifdef NEW_NSS_THING in Nautilus, with a corresponding if (able to contact new nss thing) { new way} else { old way; }
<stelis> True, it's just not an area that I have much experience in personally
<stelis> It's either Linux or Windows for us
<stelis> Don't see Sun or AIX coming back on to our network
<wasabi_> Well, I'd like to really think hard about whatever new User/Group API we come up with. I definitely want the Samba guys to be involved big time.
<stelis> wasabi_: Have you looked at OLPC at all?
<stelis> What was at the back of my mind when I asked about mDNS was adhoc workgroups
<wasabi_> What's that mean?
<gottreu> what was that earlier about C developers wanted?
<stelis> Like a conference or meeting, where the users turn up and share resources
<fernando> have you talked with samba4 team?
<wasabi_> Briefly with jelmer this morning.
<fernando> do you have information about samba4 ldap builtin?
<wasabi_> Yeah. I have an okay understanding of it now.
<wasabi_> It's an interesting problem.
<fernando> =)
<^robertj> hrmmm, has anyone looked at LAT?
<^robertj> gtk# directory util?
<wasabi_> Yeah. I like it.
<^robertj> I mean it's not python but other than that it looks ok ;)
<wasabi_> I've got this crazy idea that this new auth server deal will return a uri with each user/group record.
<wasabi_> where that uri may be a ldap://domain/?(query)
<wasabi_> And so, you should be able to click on the user from any location, and it would open in the user editor.
<^robertj> eh, couldn't hurt
<stelis> I guess that in an ideal world you should be able to type a name in Beagle or whatever and get back the person's contact details
<wasabi_> Yup.
<fernando> bye all
<wasabi_> I'm thinking that wouldn't be that hard.
* ^robertj notes that doesn't work on OS X
<wasabi_> You've got this name service... you've got a galago feed that pulls from it.
<^robertj> when it says Beagle searches your address book, it means "Beagle searches your local address book file"
<^robertj> err not Beagle, Spotlight
<wasabi_> You've got Beagle which searches Galago.
<wasabi_> You click on it in Beagle, Galago opens it by opening the handler for ldap:///
<wasabi_> And up pops the record.
<^robertj> wasabi: when you sell Mark, try to sell him on a team :)
<^robertj> because err...this is really an appropriate size project for a small army
<wasabi_> Yeah. I agree.
<stelis> ^robertj: We seem to be getting more than one new sign-up a day on Launchpad
<^robertj> stelis: I'd say that's next to meaningless
<stelis> I don't know how many will contribute
<^robertj> I mean _i'm_ signed up on launchpad
<stelis> I guess it surprised me, because I didn't think that DS was a cool topic
<wasabi_> It's not.
<stelis> But there is at least a lot of casual interest
<wasabi_> That's the problem. Hackers at home don't have a need to work on it.
<wasabi_> People running huge networks do.
<wasabi_> And those tend to be corps who pay for commercial ones. ;)
<stelis> That's actually something I was thinking about when I wrote the server spec
<stelis> Anybody who has multiple systems in a small network can use bit of this stuff
<stelis> But it's perceived as corporate-only because the UNIX versions are complex
<stelis> Mac OS X and Microsoft Small Business Server are run by IT pros at home
<wasabi_> Yup.
<stelis> And in small businesses where no one knows a thing about Kerberos
<ajmitch> ^robertj: true, it doesn't just need to be wasabi_'s crusade to get hired :) (or mine)
<wasabi_> Yes, but it is. ;)
<ajmitch> wasabi_: doesn't always make for the best group environment :)
<stelis> I work with people who have been pressganged into managing small networks
<stelis> So I just wish that it sucked less for them
<SimonAnibal> Hey, I need a quick fact check, and this is the only active ubuntu channel I'm in: Is Ubuntu the most widely installed Linux distro? I seem to remember hearing that, but I don't know where or if it's accurate
<stelis> SimonAnibal: I don't know how that could be measured
<stelis> It's been top on DistroWatch for ages
<SimonAnibal> Me neither, which is why I'm suspicious
<^robertj> well most people probably never change their mirrors
<SimonAnibal> Yeah, I've got that (even more impressive considering it's competing with its own derivatives on that list, and Kubuntu is number 12 right now)
<^robertj> so that's probably a pretty good indicator of the networked install base
<SimonAnibal> Hmm, I suppose I should scratch the "largest install base" stuff from my presentation tonight
<stelis> Most talked about?
<SimonAnibal> I'll just mention it being at the top of the distrowatch list
<stelis> The DistroWatch stats reflect /interest/
<SimonAnibal> how?
<stelis> Oh and there's that Google Trends thing with the pretty graphics
<SimonAnibal> which is to say: what makes a distro go up on that list
<stelis> People visiting the DistroWatch page that talks about that distribution
<stelis> Twice as many look at the Ubuntu page as the 2nd most popular
<SimonAnibal> Ok, and to someone who's never heard of Distro Watch, why is it important that it's ranked number one on that page?
<stelis> I'm looking for that Google graph...
<stelis> That shows searches against distributions
<stelis> It was on Slashdot or something
<SimonAnibal> Google would certainly be a more familiar name as far as dropping statistics
<stelis> WRT DistroWatch: it's the proportions that are interesting
<stelis> http://distrowatch.com/
<stelis> Ubuntu has double the interest that Fedora Core does, and is consistently no. 1 whilst the other distros go up and down rankings depending on whether they've just put out a release
<SimonAnibal> Cool, well, thanks for being helpful! I've got to go before I give my fiancee reason to hurt me!
<stelis> http://www.google.com/trends?q=debian%2C+redhat%2C+fedora%2C+centos&ctab=0&date=all&geo=all
<stelis> Play with it if you have time
<SimonAnibal> oooh
<SimonAnibal> I don't, but oooh
<stelis> :)
<nkassi> Ubuntu beats Mac OSX on trends ;-)
<nkassi> stelis: People actually use WIN2k3 small business ?
<stelis> Loads of them
<nkassi> stelis: I heard it sucks really really bad
<SimonAnibal> is that trends of searches performed on the Operating system
<nkassi> stelis: since it misses a lot of the ad tools that EE has
<SimonAnibal> or searches performed with any OS using that name?
<stelis> It had some nasty issues I believe, but there is a specific scenario:
<stelis> SimonAnibal: I believe that can compare any five terms
<SimonAnibal> ahh, so it's search terms
<SimonAnibal> thanks
<stelis> Yup
<SimonAnibal> later!
<stelis> It looks pretty, which is all you can ask of stats :)
<stelis> nkassi: WRT SBS what happens is that a small business hires a consultant
<stelis> They only want one server to do file, print, email and calendaring
<stelis> Plus maybe run CRM and payroll apps
<stelis> So he clicks the wizards in SBS
<nkassi> stelis: I guess I can see the niche for it
<stelis> And somebody in the business may add and remove user accounts etc.
<stelis> There's a lot of similarity with small school environments I guess
<nkassi> stelis: I can see the killer market for ubuntu
<stelis> The catch is that need LDAP, groupware, and Web application platforms
<stelis> Plus make it easy for consultants and ISVs to sell it
<stelis> Because they won't promote stuff that they can't use
<stelis> Or make a profit on
<stelis> MS already developed all this tech for enterprises
<stelis> So SBS is nearly pure profit...
<nkassi> stelis: I don't see how free licenses would not allow them to make pure profit. I can see a consultant walking in installing Ubuntu SBE and making 10K for a month of work
<nkassi> stelis: Plus the fact that these setups rarely need more than a few hours of attention.
<stelis> nkassi: Sure, but there's a perception that "Free Software" and no license fees means that nobody gets paid
<stelis> The "Free Software people all live in their parents' basements" BS
<nkassi> stelis: From whom the client or consultant ?
<stelis> The consultants often know very little about Linux or OSS
<abartlet> also, the consultant doesn't bear the risk
<abartlet> if it goes wrong, they get paid to fix it again
<stelis> abartlet: Absolutely
<nkassi> stelis: oh well, in terms they will see the benefit. If not it's more money for people like us
<stelis> The expectations are so low
<stelis> People don't expect their IT to work right :(
<nkassi> thats a good thing cause it never does
<stelis> It can
<nkassi> I agree but currently, even Linux Mac or Windows don't have anything flawless.
<stelis> True
<stelis> I've just been looking at OpenBSD for small servers...
<nkassi> stelis: Flawless=No job ;-)
<nkassi> yikes, that would require lots of setup time would it not ?
<stelis> :)
<stelis> I've been surprised
<stelis> It ships a bunch of standard services in the install
<nkassi> oh.
<stelis> The installer is really simple
<stelis> Though the partition editor makes no sense
<stelis> Until you read the instructions, really, really carefully
<nkassi> hehe, I got burned on that one once
<stelis> I love VMware
<stelis> I've been playing with it in that, and just trashing the VMs
<nkassi> I agree
<stelis> I like OpenBSD a lot, but the main software update system is source based
<stelis> So I'm not sure whether I'll persist with it, or go back to stripping down Debian installs
<nkassi> Well I can't live without dpkg&apt anymore
<^robertj> I'd like to say that I have no interest in working for someone where they are going to complain about the cost of AD
<nkassi> what do you mean ?
<nkassi> Where they won't buy Win2K3
<^robertj> nkassi: if you chose not to buy Win2K3 just because you are scared of the initial cost outlay you can't afford to pay someone worth their salt to keep up your directory server
<^robertj> except for CALS there isn't a whole lot of money to be saved from the _software_ cost of Microsoft's server products
<stelis> ^robertj: That's very true
<nkassi> I guess it's true
<stelis> It's the maintenance costs
<nkassi> But I guess I wouldn't turn down the savings
<^robertj> nkassi: but like I said, there's probably not a lot of savings to be had in most cases
<nkassi> Well, the terminal server licenses can bite.
<^robertj> nkassi: the real advantage gets to be when you have 5000 seats and have to automate all the day-to-day stuff
<stelis> nkassi: When I said pure profit I meant for MS
<stelis> They spent a huge amount developing AD and Exchange
<nkassi> stelis: oh, yeah.
<stelis> And stick new GUIs on it for small business
<nkassi> sadly you had to bring up exchange
<stelis> I'm very hopeful about Hula
<nkassi> *shudders*
<^robertj> I'm not
<stelis> How so?
<nkassi> what about Zimbra ?
<stelis> Proprietary
<stelis> The search and /backup/ require the proprietary versions
<nkassi> only the outlook part
<nkassi> oh really ?
<stelis> I think so, unless it's changed
<^robertj> Planet should be covered up with screenshots of Evolution & Hula and rc debs, but it's not
<^robertj> it's got dork buzz but no street-cred
<stelis> True, but there's been no release for mainstream IT to go potty over
<^robertj> thus the point about there not being an rc
<stelis> I spoke to a Hula guy last week
<^robertj> and also, Samba4 quite simply has to work
<stelis> He was very aware that they need to do more to show that the project is alive
<stelis> VMware machines etc.
<stelis> Unfortunately they are in the depths of a rewrite
<^robertj> stelis: but there is going to be an incredible drive to get Samba4 really, really spick-and-span
<stelis> True. I guess that's the same issue: the devs need to blog and go to conferences and give presentations and all that stuff
<stelis> To get other people interested in testing
<nkassi> stelis: I wish there was a Samba4 dev blog
<ajmitch> stelis: the same thing needs to happen with ubuntu stuff
<^robertj> stelis: but if Hula goes away, people will whine. If Samba4 goes away, Redhat will pay to have it nursed back to life.
<stelis> I was thinking that somebody ought to do a weekly thing on Ubuntu and admin related stuff
<stelis> Get some buzz going
<^robertj> stelis: and they need to be a bastard
<^robertj> stelis: so it can stay short and on-topic and interesting
<nkassi> I got a 2 ubuntu-administration domain ? I'll be glad to let someone use them
<nkassi> .org and .com
<stelis> nkassi: That sounds *very* useful
<nkassi> they point to opensource parking right now
<stelis> See macenterprise.org
<stelis> And afp548
<^robertj> <3
<stelis> Mac admin communities
<nkassi> woooh!
<nkassi> You know, I didn't want to split the community by creating another site but if there is a need for an Enterprise/Admin only site I would be glad to work on it
<stelis> I would
<^robertj> nkassi: why not just keep it on the DL
<^robertj> put up a wikipage for DirectoryIntegrationNews
<^robertj> or EnterpriseIntegrationHappenings
<nkassi> Sounds good too.
<stelis> DL?
<nkassi> yeah... DL ?
<stelis> My mind is going
<^robertj> down-low
<stelis> A section in Ubuntu Weekly News would be one way to do it I guess
<nkassi> sure
<stelis> That infrastructure is already there
<nkassi> I was imagining ubuntu-administration.org to be like debian-administration.org just a bunch of how-to
<nkassi> then I realised that is what the Wiki is for
<stelis> I was thinking about news
<stelis> There's a lot of cool stuff going on around GNOME, Ubuntu, Fedora, etc.
<nkassi> That could be done easily with wordpress
<^robertj> I feel like I'm over-newsed as it is though
<nkassi> hehe
<^robertj> most of the real happenings "X considers Y"
<^robertj> and then the minute they go up on a web page, they get dugg, and 200 replies
<stelis> Well I have too many feeds, which is the only reason I know about half the stuff
<nkassi> Digg has gone down a bit lately.
<stelis> I can't help but feel that the ifolder and hula lists ought to be buzzing
<nkassi> v3's new algorithm hasn't really helped
<^robertj> I've unsubscribed from Digg
<^robertj> it's now far worse than /. ever was
<stelis> ArsTechnica is now my main tech news source
<stelis> The articles are usually intelligent, and the comments as well
<stelis> plus a zillion feeds
<nkassi> why do people have to post every single 1995 unix tutorial they see ???
<stelis> on digg?
<nkassi> yeah
<^robertj> unix docs aren't fun to read until you go at least back into the 80s
<stelis> I love the old UNIX books
<nkassi> Well, those aren't actually online much.
<stelis> I took one look at the digg comments and never went back to the site
<nkassi> But I have the first oreilly emacs book. That is what I learned emacs with. Haven't read the new stuff
<^robertj> then you get all the fun stuff about first boot processes where you start by typing ASM, then you recompile the kernel if you are using a hard drive
<nkassi> At least Lion
<nkassi> 's is online ;-)
<^robertj> stelis: I swear, it really makes me want a "turn off comments from south america, france, and the middle east" option in Digg
<stelis> Yeah
<stelis> I still occasionally visit slashdot.org as a guilty pleasure though
<nkassi> Oh well, I still read and I love the read x ;-)
<stelis> Zealotry is *fun* darn it
<nkassi> 10 minutes ....
<nkassi> (work ends here I mean)
<stelis> ^robertj: WRT Samba4, is there anything Ubuntu-related that could be done to drive interest?
<^robertj> stelis: well Samba4 is going to happen without any additional interest
<^robertj> the question is will Ubuntu be matching pace with it or playing catch up when it does come out
<stelis> I was thinking about VMware machines with TPs on, I guess
<stelis> I don't understand the schedule for Samba4 ATM
<^robertj> stelis: they need real life grinding
<nkassi> How long do you think it will take for Samba4 to come out ? (I know it's going to be some christmas (perl 6 reference))
<Burgwork> no idea
<Burgwork> they have not set a date
<ajmitch> it's far from ready for general release
<nkassi> What sort of level would TP be ? Beta ? Alpha ?
<Burgwork> alpha, I think
<nkassi> oh thanks,
<^robertj> feature-incomplete pre-alpha
<ajmitch> pretty much
<ajmitch> eg I asked about winbindd, and apparently it's in a few pieces to get the AD integration that samba3 has now
<ajmitch> so they all need stitched together
<ajmitch> 17:24 <@abartlet> so, we need to work on Samba4's winbindd
<ajmitch> 17:25 <@abartlet> we have the pieces, and even a winbindd, but not as much of the actual daemon
<^robertj> ajmitch: are there any core contributors that remain unhired yet ;)
<ajmitch> core contributors to..?
<^robertj> samba
<ajmitch> yeah, there are some
<abartlet> yeah, we have folks who would be very glad to be paid
* ajmitch wouldn't mind getting paid for something either, but that's probably far in the future :)
<nkassi_> all this talk about money makes me want to buy something
<ajmitch> I would if I could afford it
<nkassi_> well, I love student loans ;-)
<nkassi_> Got a new laptop :-)
<nkassi_> I won't like them later I guess
<ajmitch> yeah
<ajmitch> I'm trying to find some way to pay off mine
<nkassi_> yeah, I decided I would be a career student that way I will never have to pay them (I dream in 4-dimensions)
<ajmitch> you'll find that money is useful at times
<nkassi_> hehe
<nkassi_> I'm just kidding.
<nkassi_> stelis: are you still interested in developing a news site ?
<stelis> I think that ^robertj is right about starting small
<nkassi_> hehe
<nkassi_> I just feel that I wasted 16 bucks
<nkassi_> At least it's supporting something. Opensourceparking.com
<stelis> I think that it's worth keeping that domain :)
<nkassi_> they are paid for for a while in any case
<stelis> If directory-services keeps moving forwards I'll ask about having a section about admin stuff in UWN
<nkassi_> just if you think of something don't hesitate in asking.
<stelis> Thanks.
<abartlet> 'morning all
<ajmitch> hi :)
<abartlet> so, those who are coming to the thing in mountain view, are invited to hook up with RedHat while you are in town
<fernando> hi abartlet
<abartlet> (just got off my weekly con-call with my team in MTV)
<ajmitch> abartlet: wonderful
<Burgwork> stelis: what do you need from the UWN?
<abartlet> hi nkinder
<nkinder> Hey abartlet
<abartlet> wasabi: wasabi_: are you around?
#ubuntu-directory 2006-11-02
<stelis> BurgWork: I was thinking about asking for a section on admin-related stuff
<stelis> Directory services, the thin client stuff happening around edubuntu, etc.
<stelis> There seems to be a lot of interesting stuff happening or coming down the road:
<stelis> Hula, iFolder, Samba 4, Xen, Stateless
<stelis> etc. etc.
<Burgwork> stelis: the rules for the UWN is that anything you write about has to have happened in the past week
<Burgwork> that being said a "this week in specs" would rock
<stelis> I'll give it a shot
<stelis> Is there a link on format, deadlines and so on
<Burgwork> UbuntuWeeklyNews can give you the information
<stelis> BurgWork: I'll have a think about how to boil the specs down into something digestible, and try to draft something tomorrow.
<Burgwork> stelis: part of the issue is that you need to subscribe to every spec basically
<Burgwork> there is "RecentChanges" for specs
<stelis> Oh?
<Burgwork> is no, rather
<stelis> Ah
<stelis> What I noticed is that a lot are just stubs
<stelis> And don't get developed
<stelis> So it's a case of finding the ones that are actually live
<Burgwork> the best way is thus: take all the specs approved for mtv
<Burgwork> as those need to have been approved by somebody
<Burgwork> then subscribe to the wiki pages associated with them
<stelis> OK. I'll go through those tomorrow.
<wasabi_> abartlet: I'm here.
<ajmitch> hi wasabi_
<wasabi_> hiya
<Burgwork> any fedora experts here? I am tearing out my hair
<stelis> Burgwork: semi-expert
<Burgwork> where does gdm log auth attempts?
<wasabi_> GDM doesn't.
<wasabi_> pam does.
<wasabi_> auth syslog facility.
<wasabi_> Which is usually /var/log/auth
<Burgwork> not on FC machines
<wasabi_> sucky. ;)
<wasabi_> Bet it still does auth facility.
<wasabi_> dunno where that goes though
<Burgwork> /var/log/secure lists ssh and xscreensaver attempts, but not gdm stuff
<nkinder> Burgwork: It should list gdm as well.
<nkinder> At least it does on FC6.
<Burgwork> heh, nope
<Burgwork> FC4 all the way!
<Burgwork> no, don't tell me to update. I can't
<Burgwork> well, I think it is time for FC4 to die
<nkinder> I see gdm logging in there on FC5 too.  I don't have a FC4 box to check.
<Burgwork> likely a 4 specific bug
<ajmitch> ok, should have a samba 3.0.23c package merged with debian changes tonight
<ajmitch> hopefully it can be uploaded by UDS
<Burgwork> rock
<ajmitch> I'll try & get to the others that we need as well
<Burgwork> the world now has one less fedora machine in it
<ajmitch> and a kitten lives another day
<Burgwork> no, 'cause I will probably be bored later tonight :)
<ajmitch> welcome, bmonty
<bmonty> hi!
<wasabi_> abartlet: Howdy.
<nkassi_study> What is the name of the spec that emulates WSUS
<Burgwork> nkassi_study: update-server
<nkassi_study> thank you
<Burgwork> nkassi_study: update-server doesn't cover configuration issues
<Burgwork> that is another ball of wax entirely
<nkassi_study> why not ?
<nkassi_study> if you push down a package how is going to be configured ? Or is simply for updates not for new apps ?
<nkassi_study> is IT simply...
<Burgwork> update server is exactly that
<Burgwork> a method of testing and approving updates
<nkassi_study> ok, so where would push down new packages be ?
<Burgwork> a configuration server, not yet planned
<nkassi_study> ah
<Burgwork> all that sort of config stuff should be in some sort of centralized fashion
<nkassi_study> Would it not be smart to just extend the update server to serve this function also ?
<Burgwork> no, because they are different things
<Burgwork> configuration requires an agent on the client
<Burgwork> all update-server will do will be to have the sources.list pointed at the update server
<Burgwork> ie: no new client
<nkassi_study> ok. It makes sense. I will take out the comment.
<nkassi_>  Not one post on planet ubuntu about UDS
<ajmitch> get blogging!
<abartlet_> :-)
<ajmitch> now which UDS do you mean? :)
<nkassi_> UbuntuDirectory Project in general.
<nkassi_> hehe, I can't write. That should be obvious by now.
<nkassi_> Plus, I'm not one of the lucky folks whose blogs are on planet ;-)
<ajmitch> most people in the wider ubuntu community refer to Ubuntu Developer Summit when talking about UDS
<ajmitch> are you not a member yet?
<nkassi_> ah true
<nkassi_> Nope, never applied
<nkassi_> I feel that becoming a ubuntu member requires some commitment ( at least I hope it does)
<ajmitch> it does
* ajmitch should be committed
<nkassi_> hehe
<nkassi_> My only Ubuntu clame to fame is being in the Ubuntu Below Zero picture ;-)
<nkassi_> claim
<ajmitch> oh, you were there?
<nkassi_> Yeah, I met you but you will never remember me. I was a local
<nkassi_> a picture is available here ;-) : nickassis.net
<nkassi_> (SHAMELESS PLUG ALERT)
<Burgwork> I am in way too deep to be merely "committed" anymore
<Burgwork> nkassi_: I remember you
<nkassi_> you're entrenched :0)
<nkassi_> True I was one of the other Canadians ;-)
<Burgwork> critical part of the infrastructure? ajmitch is in a similar state
<nkassi_> hehe. I noticed after I started reading the wiki and found your and his name everywhere
<nkassi_> Is there a refcount somewhere ?
<Burgwork> don't know
<ajmitch> Burgwork: sorry?
<Burgwork> ok, there has got to be a better solution to this
<ajmitch> I'm by no means critical
<Burgwork> ubuntu requires users be part of several groups for permissions
<Burgwork> how do I automate this on all the machines?
<ajmitch> nkassi_: I think I vaguely remember you...
<ajmitch> Burgwork: as I was talking about with someone today, nested groups would be nice
<nkassi_> ajmitch; nice my networking skills are working
<Burgwork> I need to write a script to do the adding
<nkassi_> wouah.. Nested groups ?
<ajmitch> I'll be back soon, walking home
<Burgwork> ok, I need to kickstart this
<tepsipakki> burgwork: use pam_group
<Burgwork> pam_group?
<tepsipakki> yes
<Burgwork> bloody hell all this stuff is badly documented
<tepsipakki> heh
<Burgwork> how does pam_group solve my "users on ldap need to be in local system group" issue?
<tepsipakki> I have in /etc/pam.d/gdm "auth optional pam_group.so" and then in /etc/security/group.conf is "gdm;*;*;Al0000-2400;floppy,audio,cdrom,plugdev,video"
<tepsipakki> works fine
<wasabi> that looks familiar.
<wasabi> I filed a bug about that ages ago.
<Burgwork> tepsipakki: can you email that to my work addy, 'cause it is 10pm here
<Burgwork> corey@userful
<tepsipakki> sure
<Burgwork> thanks
<tepsipakki> umm, userful.what?-)
<Burgwork> .com
<tepsipakki> ah
<Burgwork> hence why I want you to email me? :)
<Burgwork> what about the giant warning at the top of group.conf?
<tepsipakki> true, but is there an alternative?-)
<tepsipakki> if you add them to the group anyway
<wasabi> The giant warning is pretty clear. If you grant membership, it isn't INHERENTLY secure.
<wasabi> Doesn't mean it isn't secure.
<wasabi> Granting cdrom access to somebody who works hard enough to make a sgid binary doesn't seem like a real world risk to me.
<tepsipakki> I'd say it's more secure to use pam_group than to grant access directly..
<wasabi> Also, these days, you can probably simply disallow a user to sgid anything.
<wasabi> And be fine
<ajmitch> hey tepsipakki
<wasabi> tepsipakki: I have a thread/bug report someplace about this.
<wasabi> I'm trying to find it.
<tepsipakki> there was a thread on u-d in spring '05 :)
<abartlet_> I prefer the RedHat approach (chown the devices)
<wasabi> On login?
<abartlet_> yeah
<tepsipakki> abartlet: we used that before
<wasabi> Sorta screws up multiple logins.
<abartlet_> yeah, you have to have one user at a time
<wasabi> I don't think there's anything wrong with the pam_group thing at all.
<abartlet_> perhaps pam_group fixes that.  It's an interesting approach
<Burgwork> which doesn't work when you have multi users on the same machine
<wasabi> How would you unchown the items anyways?
<wasabi> on pam session close?
<tepsipakki> on logout
<abartlet_> you need a way to say that sgid to a particular gid is invalid
<wasabi> What use is sgid'd binaries these days anyways?
<abartlet_> plenty of things
<abartlet_>  particularly things that don't want to be setuid root any more
<wasabi> Yeah, but why should a USER be able to set that?
<wasabi> a !0 user
<wasabi> That to me seems like the problem.
<wasabi> I like pam_group though, it's automatic, simple, effective, and works in the corner cases. I've been using it. :)
<wasabi> https://lists.ubuntu.com/archives/ubuntu-devel/2005-March/006345.html
<wasabi> https://lists.ubuntu.com/archives/ubuntu-devel/2005-March/006388.html
<wasabi> tepsipakki: Oh shit, that's you
<wasabi> Heh
<abartlet_> wasabi: did nkinder get onto you about popping by Redhat?
<wasabi> abartlet, Nope.
<tepsipakki> wasabi: correct :)
<wasabi> https://lists.ubuntu.com/archives/ubuntu-devel/2005-April/006747.html
<wasabi> I knew I took part in that!
<abartlet_> ok, ping nkinder in CA work hours, and have a chat
<wasabi> okay, will do.
<abartlet_> wasabi: when are you in mountain view?
<wasabi> All next week.
<abartlet_> they are down on Castro street, for reference
<abartlet_> top floor, tallest building :-)
<wasabi> Okay cool.
<wasabi> Looks like I'll be landing at 2:15PM
<abartlet_> and keen to have a chat
<wasabi> Sat
<Burgwork> tepsipakki: how many users do you have?
<wasabi> Searching for your own name on Google is really crazy sometimes.
<nkassi_> Wow searching my name returns my website as number 1. I'm awesome ;-)
<nkassi_> Anybody played with SSLBridge ?
<nkassi_> the samba web client ?
<Burgwork> ok, I think I am finally fracking done
<Burgwork> I will see you gents all tomorrow
<tepsipakki> burgwork: well, active users maybe 12000
<tepsipakki> and over 21000 if you count them all
<tepsipakki> umm, actually only 4666 accounts are disabled, so that makes roughly 17000 active :)
<tepsipakki> and ~10% of them use our linux-workstations weekly (we have graphs to prove that :)
* Starting logfile irclogs/ubuntu-directory.log
<ajmitch> Burgwork: so ogra doesn't seem so happy with progress so far
<Burgwork> no, understandably
<Burgwork> we wants a solution that works, not more talk
<Burgwork> s/we/he
<robertj> uhoh, trouble in -directory land?
<ajmitch> not really
<ajmitch> ogra just needs something that works by feisty feature freeze
<ajmitch> it's critical for edubuntu
<Burgwork> yep
<robertj> ajmitch: on the server end?
<Burgwork> he has a solution in mind, which none of us have ever heard of
<Burgwork> common that certain markets have their own hacky stuff
<robertj> Burgwork: got any info on that?
<Burgwork> smbldap is the thing
<ajmitch> smbldap
<ajmitch> http://sourceforge.net/projects/smbldap-tools/
<ajmitch> basically scripts to manage ldap+samba
<robertj> ajmitch: so samba doesn't use ldap as its store?
<ajmitch> samba 3? no
<robertj> I thought that was a backend option
<ajmitch> not by default
<ajmitch> sure it's an option for it
<Burgwork> for 4 they have a custom ldap server
<ajmitch> it's not integrated like with 4
<ajmitch> custom ldap server because openldap Just Sucks
<robertj> ajmitch: so err...crappy directory now, better directory later?
<ajmitch> guess so :)
<nkinder> Samba4 will still have the option to use a different LDAP server as its backend.
<ajmitch> nkinder: I guessed it would
<ajmitch> good to know for sure though
<Burgwork> http://www.majen.net/smbldap/
<nkinder> The built-in one (ldb) will just be used by default.  The main reason is that AD does lots of odd things which Samba4 needs to mimic.
<robertj> why are there specific tools for managing samba ldap accounts?
<ajmitch> smbldap really isn't much of a directory
<ajmitch> robertj: because it's a hack
<robertj> ajmitch: Apple's OpenDirectory is a hack, but is only nominally sucky
<ajmitch> most things are hacks
<Burgwork> ajmitch: is that smbldap thing even an ldap server?
<ajmitch> no, it's configuration & some scripts to manage it
<ajmitch> http://smbldap-tools.cvs.sourceforge.net/smbldap-tools/software/
<ajmitch> there's the entirety of it
<ajmitch> assuming this is the same cvs, and not just some additional scripts
<robertj> the .tar.gz has some other utility scripts
<robertj> for bulk add, delete, backup configuration
<Burgwork> are we certain we are looking at the same thing
<Burgwork> http://www.majen.net/smbldap/
<Burgwork> that is what ogra is talking about
<ajmitch> yes, there is some definite overlap of files
<ajmitch> the tarball also has some pam config, slapd config, schema, etc
<ajmitch> all perl
<ajmitch> the scripts, that is
<robertj> so what are his requirements for edubuntu?
<robertj> are they enumerated anywhere?
<ajmitch> in all the specs
<robertj> "Set up edubuntu LTSP servers and Workstations to automatically authenticate against a edubuntu auth server, via the right pam setup and possible avahi integration for server detection."
<robertj> Properly integrate http://www.majen.net/smbldap/ which is used widely in k12LTSP setups for user and group management into edubuntu.
<robertj> Package and install http://edsadmin.sourceforge.net/ as maintenance tool for the above server setup.
<ajmitch> https://wiki.ubuntu.com/UdsMtvEdubuntu
<ajmitch> so 5 of our specs are on the edubuntu wishlist
<ajmitch> some overlap with edubuntu-network-auth-{client,server}
<Burgwork> eds is somewhat similar to lat and gq
<robertj> I poked at it about a year back I think
<ajmitch> we don't really have much specced about user/group management
<nkinder> Has the Ubuntu Directory Project decided on an LDAP server yet?
<wasabi_> nkinder: Hi. No. I suspect we won't for a long time.
<wasabi_> Just my opinion though.
<nkinder> wasabi_: So the project is at a very early stage then?
<wasabi_> Very very. I have a big document which I'm working on, and a plan of execution.
<wasabi_> But nobody except my business self to implement it.
<wasabi_> s/business/busy/
<wasabi_> nkinder: I'll be at UMV. abartlet said I should visit you.
<nkinder> Yes, he said that you'll be out here next week.
<wasabi_> https://wiki.ubuntu.com/NetworkAuthentication/Client    My lengthy dissertation.
<nkinder> wasabi_:  Will you have some time to swing by and chat with a few of us?
<wasabi_> I'll be rewriting a large portion of the middle of that though, so it's not exactly accurate.
<wasabi_> Yeah, I should.
<wasabi_> Unsure how I'll actually get there though.
<nkinder> We are right by public transit (train and lightrail).
<wasabi_> Nice.
<wasabi_> Have a phone number or something? =)
<ajmitch> wasabi_: nobody, because we're all just chopped liver, right? ;)
<wasabi_> ajmitch: Don't mean it that way. I just mean that, all of us have real lives... and other priorities, and even then, client work to do.
<nkinder> wasabi: 650.567.9039 x79229
<wasabi_> Also I think the total number of people here who have expressed interest in whatever C work needs to be done (which is substantial IMO) is like 3. =)
<nkinder> Nobody likes to sign up for C work ;)
<wasabi_> nkinder: What should I call you? :)
* ajmitch loves C!
<robertj> nkinder: who is "us"?
<ajmitch> I just love it to death
<nkinder> Nathan (Red Hat).
<robertj> so wasabi, ajmitch, who is the third person?
<nkinder> I work on the Fedora Directory Server.
<robertj> ahh
<robertj> nkinder: the evil suits!
<robertj> ;P
<ajmitch> nkinder: ah, wonderful
<wasabi_> robertj, good question. I may have overestimated. ;)
<ajmitch> nkinder: how's the autotoolification of it going, so that it's a bit easier to build?
<nkinder> Been working on it for 6 years, well before it was the "Fedora" directory server.
<nkinder> I just finished the autotools work
<ajmitch> sweet!
<nkinder> HEAD has it all checked in.
<ajmitch> so now I just need to try & get it building with system libraries, and attempt to get it packaged
<ajmitch> no problem.. ;)
<nkinder> Some of the components we depend on still need some build-system work, but we're working through it.
<nkinder> Well, we split out the Administration Server portion, so a core directory server is buildable with much fewer dependencies.
<ajmitch> this might be manageable by feature freeze now
<wasabi_> I still have yet to even look at FDS, mostly because it isn't easily accessible on Ubuntu right now.
<robertj> nkinder: frontend tools being rewritten in XUL?
<wasabi_> I have a lot of questions about it though.
<nkinder> wasabi_: We're trying to resolve that.
<ajmitch> alien doesn't really make things accessible for people wanting to use it
<nkinder> The autotools work is a huge part of that.
<ajmitch> nkinder: we really appreciate work done on that
<nkinder> robertj:  Not yet, but that's been suggested.  XUL can do some pretty cool things.
<wasabi_> Heck. I'd be satisfied with Java.
<wasabi_> If ya just used java-gnome. ;0
<wasabi_> And worked on gcj.
<nkinder> ajmitch:  Thanks.  I'd like to know any problems you run into with it.
<nkinder> wasabi_: That's more than most people would say.  Most people want to get as far away from Java as possible.
<wasabi_> Doesn't matter to me.
<wasabi_> Language is a language is a language
<ajmitch> what do most people prefer instead?
<wasabi_> As a user, as long as it works.
<wasabi_> And looks right, I don't care.
<robertj> nkinder: that's true, but if you're going to not be 100% native, there is a lot of advantage in going web-based so that you could use it from <cringe /> ie
<nkinder> wasabi_: Once you know your availability when you're out here, send me an e-mail and let me know (nkinder<at>redhat.com).
<wasabi_> I will.
<nkinder> robertj: Personally, I like the web-based approach.
<wasabi_> I don't. =(
<wasabi_> I like AD U&C MMC, so sue me. It's quick. Things open in new windows. It looks like the rest of the OS.
<wasabi_> There's value in that.
<nkinder> We've heard arguments for both sides (a fat-app and web-based).  I certainly don't dislike the fat-app approach either.
<wasabi_> I also find them easier to code.
<wasabi_> Opening a new window, filling it with controls, doing proper text layout with accessibility? Super easy.
<wasabi_> Web? Just try to open a new window on every browser. ;)
<nkinder> Perhaps both a fat-app and a more-basic web-based administration tool.
<wasabi_> A java-gnome Gtk, or python gtk, or c# gtk... whatever. All of those run on Windows just fine.
<robertj> nkinder: I do Apple's Open Directory here and use phpldapadmin when I need a quick fix from home and the carbon app when I'm at my desk, works well
<nkinder> robertj:  You run OpenDirectory, or you work on it at Apple?
<robertj> just run it
<nkinder> ah, ok.
<ajmitch> nkinder: you're in MV?
<nkinder> ajmitch: Yeah.
<wasabi_> RH has a shop there.
<ajmitch> great, hopefully we can catch up
<wasabi_> nkinder: Going to stop by UMV?
<robertj_> ooh, unprovoked hard shutdown with nothing in the logs, joy
<nkinder> wasabi_: I don't know that I'll be able to get away to head over there.
<nkinder> Are there going to be discussions about the Ubuntu Directory Project going on there?
<ajmitch> yes
<ajmitch> a few specs being discussed
<nkinder> Is there a schedule?
<ajmitch> not yet
<ajmitch> that probably won't be there until we start, sadly
<nkinder> hmmm
<nkinder> I may be able to pop in, but I'm not sure at this point.
<ajmitch> ok
<nkinder> I'd primarily be interested in the directory related discussions, so if I can find out when those are, that'd help.
<ajmitch> nkinder: sure, once we find out I'll try & let you know
<ajmitch> so, http://www.novell.com/linux/microsoft/faq.html
<ajmitch> "Microsoft and Novell will undertake work to make it easier for customers to manage mixed Windows and SUSE Linux Enterprise environments and to make it easier for customers to federate Microsoft Active Directory with Novell eDirectory."
<ajmitch> that's interesting to hear
#ubuntu-directory 2006-11-03
<lophyte> ajmitch: isn't it
<robertj__> ajmitch: should make the relative necessity of hiring a small contingent to work on -directory full-time an easier pitch eh ;)
<ajmitch> sure
<ajmitch> as if that'll happen :)
<nkassi_> Hey folks
<ajmitch> hello
<nkassi_> So will edubuntu just do their own thing ?
<ajmitch> we'll discuss that next week
<nkassi_> oh at the Ubuntu Summit ?
<ajmitch> yes
<nkassi_> ah
<nkassi_> Using the samba.schema isn't a bad idea. Of course smbldap will be obsolete as soon as Samba 4 is out, already pointed out I know, but including the schema by default seems useful.
<abartlet_> well, the transition from samba3 to samba4 schema will be a big thing, no matter how it's done...
<nkassi_> yeah, I guess so. But until then, samba3 seems like a nice enough temporary solution. The upgrade might hurt.
<abartlet_> one other interesting approach could be a passdb backend for samba3 that reads the AD-like schema
<nkassi_> uhm, never heard of that one beford
<nkassi_> before
<abartlet_> hi wasabi
<wasabi> hiya
<ajmitch> hello wasabi
<wasabi> hiya
<robertj__> nkassi_: directory services are always going to hurt
<nkassi_> I'm living through NT4 with win 2000 to AD with XP right now at work. It's quite painful. (I lost the war, their GUIs were better than mine)
<nkassi_> But the pain from AD to Linux will feel like love ;0)
<robertj__> what's so painful about AD?
<nkassi_> It's mostly the amount of work required in cleaning up the old stuff. The files are shared using PC Netlink on a solaris box, lots of permissions are messed up. We just couldn't do a simple upgrade. Plus changing 300 desktops from 2k to XP and making sure all their files are on the san is work
<nkassi_> AD isn't bad. It's just not what I'm used to.
<nkassi_> Plus, I really don't have enough working experience with AD to pass judgment.
<nkassi_> what happened to termcap-compat ? It's referred to in the FDS install doc for ubuntu/
<ajmitch> probably another rpm they want you to convert
<nkassi_> hum, no it doesn't seem so.
<nkassi_> http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
<nkassi_> oh it seems to not be part of edgy's universer
<nkassi_> -r
<nkassi_> https://launchpad.net/distros/ubuntu/+source/termcap-compat
<nkassi_> I found the .deb but the Fedora folks will have to update their docs
<nkassi_> Of course it depends on libc5 which is also not available.
<nkassi_> oh well no FDS for me I guess.
<abartlet_> nkassi_: I think it's a wiki, so you should be able to update it (with variable amounts of pain to get an account)
<fernando> morning all
<lophyte> morning
<fernando> hi lophyte
<lophyte> hiya
<SimonAnibal> howdy
<SimonAnibal> So, how bout that Microsoft and Novell deal?
<lophyte> yeah, really...
<SimonAnibal> The NYTimes article I read was very vague
<SimonAnibal> one thing that bothered me was: "As part of the agreement, Microsoft said it would not file patent infringement suits against customers who purchase Novell's SuSE Linux."
<lophyte> yeah
<lophyte> what happens if they develop this joint technology and Microsoft pulls out of the deal?
<lophyte> then do they have the right to sue the ass off of Novell?
<lophyte> or their customers
<fernando> I don't believe in Santa Claus anymore.
<SimonAnibal> So...question is, if Microsoft and Novell jointly integrate their stuff, is it going to be MORE DIFFICULT, at least in the U.S., for Ubuntu to integrate with AD?
<lophyte> maybe, maybe not
<SimonAnibal> What, with "patent infringement" being bandied about like some sort of real possibility
<SimonAnibal> You know what this means for me is that our corporate people are going to want us to start using Novell
<lophyte> probably
<lophyte> gr.. I need a VGA male-to-male cable
<SimonAnibal> That's all we have over here
<SimonAnibal> (males are the ones with the wires sticking out, right?)
<nkassi_> yep
<SimonAnibal> Hey, if I
<SimonAnibal> m subscribed to Planet Ubuntu, is that just an aggregator for other people's blogs (that is, can I just unsubscribe those people I had previously subscribed)
<lophyte> I think so
<SimonAnibal> cool
<stelis> wasabi_: I think that NetworkAuthentication/Server and EasyLDAPServer are basically the same spec
<stelis> The EasyLDAPServer page talks about Kerberos, and has stuff about setup and management tools
<stelis> Although no specific recommendations for existing tools that could be reused
<wasabi_> Yeah. I suspect they overlap.
<wasabi_> I personally think "EasyLDAP" is a bit of a naive term to throw around though.
<stelis> I wasn't fond of it
<stelis> It was basically an empty spec that we occupied
<stelis> One thing that I was careful to do was emphasise that LDAP ought not be an auth system
<stelis> So the page explicitly talks about using it in tandem with Kerberos
<stelis> Feel free to hack the EasyLDAP spec around to suit your requirements
<stelis> I noticed that your client auth spec talked about a Kerberos principal per machine
<stelis> Which I guess ties into having a record for each system in "EasyLDAP"
<stelis> https://wiki.ubuntu.com/EasyLDAPServer
<wasabi_> stelis: My complaint with it is I would be very... maybe embarrassed, to release a system which consisted of not much more than creation of a LDAP server.
<wasabi_> This is something, which if we release, could be uptaken by really big shops.
<wasabi_> They're going to expect us to have a schema in place, a supportable methodology to upgrade that schema.
<stelis> I agree about the big shops, but I figured that it might seem easier to sell/relate to for Ubuntu folks if I talked about small shops in the use cases
<stelis> Also I felt that if it was designed properly the underlying components would scale
<stelis> And different interfaces could be provided for different scales of deployment
<stelis> Again, the specs for interfaces emphasise the basic stuff that I thought would be more familiar to people
<stelis> Talking about federated authentication etc. might just sound like moon language
<stelis> But I am absolutely not an expert
<stelis> My own grand plans are more about system/host management
<stelis> What would you like to see/do/implement?
<Burgwork> wasabi_: we need to consider that getting something that works is a first step
<wasabi_> Burgwork: I sort of disagree, especially when it comes to LDAP.
<wasabi_> Which is something we need to maintain an upgrade path for.
<wasabi_> Something which tends to be hard, with LDAP.
<wasabi_> Y know, if we choose one schema, and it sucks, and doesn't take some stuff into account, and people deploy it... then we have to upgrade schema.
<wasabi_> So, big scripts for schema migration, hacks made so old clients work with new schema versions.
<wasabi_> It can get messy
<fernando> this is very common
<wasabi_> I want to sit down and really think hard about it before committing to anything.
<Burgwork> yep
<wasabi_> MS did a very good job at it, and it took them 4 years.
<Burgwork> however, be aware that ogra is going to roll something out for Feisty for Edubuntu
<wasabi_> And way more man power than we have. ;)
<Burgwork> come hell or high water
<wasabi_> Yeah. I want to think about that though. Even if it means committing to one server, no replication, and an unsupported or complex upgrade path.
<wasabi_> I want everybody to have in mind what we will have to maintain.
<wasabi_> And it not to be a surprise.
<Burgwork> talk with ogra at MTV
<Burgwork> he has a plan
<wasabi_> MS of course unleashed the entire thing, after 4 years. Cross realm auth, forests, multimaster repl, replicated schema updates.
<wasabi_> schema locks, etc.
<wasabi_> With the entire thing well planned out.
<wasabi_> We can start small, but I don't want adding one of those to screw up everybody's install. =/
<SimonAnibal> Ya'll have a great weekend
<SimonAnibal> ciao!
<SimonAnibal> Anyone alive?
#ubuntu-directory 2006-11-04
<Burgwork> SimonAnibal: not really on a friday afternoon
<SimonAnibal> heh
<Burgwork> thoughts?
<SimonAnibal> yes
<SimonAnibal> sorry, in irl conversation at the same time
<SimonAnibal> Burgwork: still alive?
<Burgwork> somewhat
<Burgwork> less every minute
<SimonAnibal> I see
<SimonAnibal> So, my thoughts on the development of ubuntu-directory are as follows
<SimonAnibal> Novell is now positioned to proclaim that it's easy to integrate NLD into existing Microsoft Networks
<SimonAnibal> I know that's going to be a HUGE success for them in the U.S. market
<Burgwork> yep
<Burgwork> until MS sues somebody
<SimonAnibal> right, anyhow
<SimonAnibal> I'm expecting my own IS people
<SimonAnibal> to strongarm me into switching to Novell
<Burgwork> so need a backup
<Burgwork> so you need, rather
<Burgwork> here is the skinny
<SimonAnibal> One way I can fend them off, is to get my Ubuntu workstations integrated somehow
<Burgwork> oliver grawert of Edubuntu is pushing hard for something for feisty
<Burgwork> you can do it now, it is just a pain
<SimonAnibal> Ok, and I can tell you the MOST IMPORTANT part, strategically
<SimonAnibal> is to get something that can connect workstations to an existing microsoft network
<SimonAnibal> I don't mind the pain
<Burgwork> ok, that is more serious pain
<SimonAnibal> You can help me by writing a simple howto, and I can flesh it out with real life experience
<Burgwork> ajmitch is bringing the new version of samba3, which can apparently do
<SimonAnibal> You I mean the team
<Burgwork> right
<SimonAnibal> With my real life experience, and the team's expertise, do you think we can get SOMETHING together by Feisty
<Burgwork> yes, because ogra is going to have something
<SimonAnibal> Alright, I've done a few things by reading howtos
<SimonAnibal> but they don't really explain the whys and such, so when I had questions, I was screwed
<SimonAnibal> e.g. I've gotten the workstations to authenticate off the AD server using kerberos
<SimonAnibal> But if I signed in that way I had no sound
<Burgwork> ah, that is easy
<Burgwork> that is due to group permissions
<SimonAnibal> Later I learned from Jorge that I was maybe supposed to authenticate using LDAP instead?
<Burgwork> AD is LDAP
<SimonAnibal> Ok, so these are the sorts of things I don't know, and I feel if I keep bumbling through this I'm going to create a bad system
<Burgwork> yep
<SimonAnibal> With the team's expertise, we can create a good system, and even if it's quick and dirty, I can set it up and get something running
<SimonAnibal> I can be your guinea pig
<SimonAnibal> And let you know where the rough spots are that really need work
<Burgwork> I am already a guinea pig, but for a fully ubuntu system
<SimonAnibal> Yeah, see, I'm in an otherwise homogenous MS system
<SimonAnibal> and I'm your target customer for Fesity
<SimonAnibal> Feisty
<SimonAnibal> If Ubuntu can deliver that interoperability, then we can keep Novell from kicking us out of U.S. Enterprise settings
<Burgwork> you are also a school, so talk to Edubuntu
<SimonAnibal> I'm in ubuntu-education
<Burgwork> ogra in particular
<Burgwork> #edubuntu
<SimonAnibal> edubuntu is only concerned with LTSP as far as I can tell
<SimonAnibal> I've been on the edubuntu mailing list since last school year
<Burgwork> until now, yes
<SimonAnibal> Well, I understand big changes are underway
<Burgwork> ogra has ignored the auth stuff, but that is a major target for feisty
<Burgwork> ogra has ignored the auth stuff because somebody else always said they were going to do it
<SimonAnibal> I'm working closely with Richard Weideman in the "Ubuntu and Education" community, but I'll talk to ogra and see how we can get this done
<Burgwork> cool
<Burgwork> you are going to make a great poster child for Ubuntu in schools
<SimonAnibal> As far as I can tell you, this piece is NOT education specific
<SimonAnibal> which is why I joined this Launchpad team
<SimonAnibal> Hah, if I can keep from being made to use Novell, I'll do my best
<SimonAnibal> is ogra Oliver Grawert?
<Burgwork> yes
<Burgwork> I have FC at work and that is what our product is based off of
<SimonAnibal> Ok, I've interacted with him on the edubuntu mailing list
<SimonAnibal> He hasn't been speaking on there about the auth piece
<Burgwork> whiprush: you around?
<bmonty> does anyone have ssh kerberos authentication working?
<Burgundavia> bmonty: whiprush does
<bmonty> Burgundavia: just to make sure, the default openssh-server package does not do kerberos, correct?
<Burgundavia> no idea
<nkassi_> Hey
<bmonty> got it working, you just have to add GSSAPIAuthentication yes to sshd_config
<robertj_> I wonder why that is off by default
<bmonty> speed up the logon maybe?
<bmonty> it won't have to try and fail the GSSAPI method
<nkassi_> Yike I hadn't seen this quote from ballmer today: "You get no covenant not to sue if you chose Oracle"
<nkassi_> Ugly
<Burgundavia> nkassi_: linky?
<nkassi_> printed article in NY Times
<nkassi_> It might be online let me check
<nkassi_> http://www.theledger.com/apps/pbcs.dll/article?AID=/20061103/ZNYT01/611030352/1001/BUSINESS
<nkassi_> reprint
<nkassi_> I wonder if they will attack the little guy or go after people like Google and IBM ? That is what killed sco. Too much to chew
<nkassi_> actually Google+IBM's market cap = Microsoft's. Estimating that IBM probably has patent on a lot of Microsoft's stuff this is FUD
<whiprush> Burgundavia: yeah
<nkassi_> On the client side will Evolution be automatically set to use the contacts from the ldap server ?
<nkassi_> or should it ?
<Burgundavia> evo needs some "autoconfig" love
<Fujitsu> I think Evo needs to be attacked with something... fatally perhaps?
<Fujitsu> I think it has gone down-hill recently :(
<nkassi_> hehe, So I guess this is work. I would love to use thunderbird but the calendar is not really an option yet
<Burgundavia> no, I don't think it has
<Fujitsu> Sunbird isn't too bad.
<Burgundavia> not GNOME
<Burgundavia> doesn't integrate tightly
<nkassi_> Sad that it ends up being that way ;0)
<Fujitsu> True, but it does work better in some ways.
<nkassi_> I agree (except dont
<Burgundavia> it is because Mozilla doesn't give a damn about Linux
<nkassi_> 'try to read a folder with 13000 email while downloading email)
<nkassi_> just discovered that bug
<Burgundavia> evo got lost in the shuffle at Novell
<nkassi_> Burgundavia: What are the type of issues between gnome and thunderbird ?
<Burgundavia> and the current evo team has the challenge of being on the wrong side of the world
<Burgundavia> nkassi_: more that moz doesn't spend much effort integrating into Linux
<Burgundavia> hmm, rh is looking to expand their ds team
<Burgundavia> http://redhat.hrdpt.com/cgi-bin/a/highlightjob.cgi?jobid=633
<nkassi_> interesting. Know any good Ubuntu dev that could be used to infiltrate RH and help the Ubuntu domination ;0)
<Burgundavia> right
<Burgundavia> rh is not evil
<Burgundavia> in so far as a corp is not evil
<nkassi_> Nope but installing FDS on edgy is hard. That dude/dudette could make it easier (I'm just kidding by the way)
<Burgundavia> they are working on that
<nkassi_> cool
<Burgundavia> remember, FDS lived for many years as a closed source app
<Burgundavia> worse, it moved from company to company
<nkassi_> yeah.
<nkassi_> Spaghetti code
<Burgundavia> X is somewhat similar
<nkassi_> who wrote the X code originally ?
<Burgundavia> lots of people
<Burgundavia> Sun, ATT, IBM, etc.
<nkassi_> True, the story is somewhat coming back
<nkassi_> but it always was somewhat open
<Burgundavia> yes it always has been
<wasabi> about to leave for airport
<bmonty> nice, there is a new version of pam-krb5 out
<bmonty> does anyone here have evolution pulling addresses out of their LDAP server?
<robertj_> bmonty: I did at one time
<bmonty> robertj_: any chance you have it working with the evolution in edgy?
<robertj_> bmonty: nope
<robertj_> this was like breezy maybe?
<bmonty> I've been trying to get it to work on evolution 2.8.1 with no luck
* robertj_ goes & tries now
<robertj_> I can't even find the right dialog
<robertj_> where did it get moved to?
<bmonty> click on "Contacts" and then right click in the left pane and select "New Address Book"
<bmonty> change type to "On LDAP Server"
<robertj_> bmonty: hrmm, doesn't seem to be asking me for my password
<robertj_> bmonty: I give up too
<bmonty> robertj_: thanks for trying...I think that part of evolution is broken...even though they claim to support LDAP addressbooks
<robertj_> bmonty: if you have a test installation you might try running slapd interactively so you can see what query it is sending
<bmonty> robertj: I can sniff the traffic and see results coming back from the server, but evolution doesn't display them
<robertj> bmonty: maybe it requires inetorg persons?
<bmonty> they are inetOrgPerson
<bmonty> I've heard there is an evolution LDAP schema, but I can't find it anywhere
<robertj> bmonty: I dunno, I can't even figure out why I can't log in on a fresh slapd install as cn=admin,dc=localdomain
<bmonty> and it isn't in the source distribution either
<bmonty> well I found the schema in the evolution-data-server package
<robertj> surely it can't require a custom schema though
<bmonty> it appears that it does
<robertj> and without it evo will return no results?
<bmonty> from a quick look at the source code if a doesn't have an objectClass of evolutionPerson then it doesn't get displayed
<bmonty> a result that is
<bmonty> but I added that objectClass to an entry plus a few of the attributes from the schema and it still isn't displayed
<bmonty> ajmitch: have you ever had any luck getting evolution to use LDAP for the addressbook?
<ajmitch> nope, haven't tried
#ubuntu-directory 2006-11-05
<robertj_> anything new in -directory land?
<robertj_> is this the quiet before the storm?
<ajmitch> quiet before people meet up in person
* ajmitch just had a 12 hour flight
<ajmitch> & so I'm off to have a shower now :)
<robertj_> is krb5-kdc not in any .schema?
<robertj_> err any .deb
<robertj_> krb5-kdc.schema is MIA according to apt-file
<lophyte> arr..
* lophyte wishes he was at the uds
<wasabi_> hi
<ajmitch> hi wasabi
<nkassi> Hey
<bmonty> hi nkassi
<ajmitch> morning all
<ajforgue> shut up, n00b.
<ajforgue> roflcopter
<nkassi> Does Gconf have a way to pull info from an ldap server ?
<bmonty> nkassi: I saw some info about pulling settings for evolution from LDAP into gconf
<bmonty> I don't think the code is maintained anymore though
<nkassi> evolution-gconf-ldap-backend Just saw that on google
<bmonty> other than that I havn;'
<bmonty> grr
<nkassi> that sucks.
<bmonty> I have not seen anything other than that
<nkassi> I was thinking that it would be possible to use that to create *gulp* GPOs
<nkassi> At least to control the desktop
<bmonty> nkassi: it makes sense to me
<bmonty> kinda like the windows registry can override local machine settings with domain settings
<nkassi> exactly
<nkassi> http://www.gnome.org/projects/gconf/plans.html
<nkassi> according to that it's already been done twice.
<ajmitch> nkassi: I've looked at the code, it's fairly incomplete/old
<nkassi> so no luck on that one I guess.
<ajmitch> unless someone wants to do some coding :)
<wasabi_> who's here?
<ajforgue> nobody
<ajforgue> ajmitch is here too
<ajmitch> sort of
<wasabi_> Hhe.
<ajmitch> wasabi_: going to edubuntu network auth server spec session at 11?
<wasabi_> Most definitely.
<ajmitch> great
<ajmitch> ogra is right in front of me now
<wasabi_> LP is slow. =(
<ajmitch> always
<wasabi_> okay where is everybody? haha
<wasabi_> ????
<ajmitch> forums arguments
<wasabi_> where are you?
* ajmitch doesn't know the room name, off to the right hand side
<bmonty> what room number is the edubuntu network auth server discussion?
<bmonty> nevermind, I found it just needed a page refresh
<robertj_> will recordings of the meetings be online or do we need to listen in via sip
<bmonty> both are available
<robertj_> well I'm sure there are enough competent people there so I'll catch up later
<ajmitch> we're just in the room now
<bmonty> ajmitch: I'm listening to the VOIP room
<ajmitch> anything interesting? :)
<bmonty> not yet
* robertj_ can't make out anything in 5001
* robertj_ 5004 isn't any better
<robertj_> ahh cleared up
<robertj_> wasabi_: so what happened in edubuntu network auth?
<robertj_> I tried to listen in but my machine conspired against me
<ajmitch> basically they'll use smbldap-tools, they need stuff working asap
<robertj_> did they decide on openldap then?
<wasabi_> they did not decide.
<wasabi_> If we can get FDS packed they'll consider it
<wasabi_> I'm not that concerned either way. Whatever they do will have very limited scope... small schools, etc.
<wasabi_> And hopefully it'll get them working on the same stuff we know they need to be working on anyways? heh
<ajmitch> any multi-server stuff will be fairly basic - mostly just 1 auth server for everything
<wasabi_> Ya know, principal unplugs his laptop, NSS blocks.
<wasabi_> Yeah. I suspect they aren't going to touch on kerberos much. ogra said he had some more meetups scheduled for it.
<wasabi_> I suspect they'll run into the same things we're already considering when they start talking about large districts connected together, and various security requirements in the US, etc etc
<wasabi_> kubuntu samba integration next hour?
<wasabi_> Wonder what that's about.
<robertj_> did you see GOOG's plans for a 20k annual donation to SMB?
<robertj_> (recurring annually that is)
<wasabi_> Woh. No.
<robertj_> make no mistake, to GOOG it is chump change, but like I said, samba 4 has _got_ to work
<bmonty> wasabi_: kubuntu samba integration is about making it easier to mount smb shares in KDE
<wasabi_> ahh.
<bmonty> doesn't look like a directory services type topic
<robertj_> although ironically OS X uses structured network views to do just that
* robertj_ doesn't use any of those in his directory though
<robertj_> wasabi_: but to put things in perspective, if you are in the middle of a rural school district you probably don't have hardware that can really deliver enough 9's, so a very limited scope is probably pretty realistic
<robertj_> although a lot of those issues go away if home directories are synced and credentials cached vs mounting
<wasabi_> Sure. Worst case scenarios apply though.
<wasabi_> Server goes down, entire school locks up.
<wasabi_> Not being able to access network resources is one thing, losing open documents because the filechooser tried to lookup a uid and the server was gone, is another.
<robertj_> wasabi: and for that reason I think you will see a lot of schools with only student desktops being managed in such a fashion, at least until syncing replaces mounting
<abartlet> wasabi_: which uid are they going to be looking up?
<wasabi_> Heh. Good point.
<abartlet> most users operate with files in their own uid, or at least their supplementary groups
<abartlet> and most gui apps don't display the user anyway
<abartlet> so, the user and their supplementary groups are 'easy' to cache
<wasabi_> How does winbind deal with that anyways? it has a password cache built in right?
<ajmitch> hey abartlet
<wasabi_> But also a lookup one, but under what criteria is the record cached?
<abartlet> easy
<abartlet> at login time, it is a sensible decision to cache information about the user who just logged in
<abartlet> ie, all the groups returned in the initgroups()
<abartlet> you probably have that anyway, as part of processing the initgroups
<abartlet> we aggressively cache the user -> group list information at login time
<abartlet> taken from either the PAC, or the 'info3' reply from a NTLM SamLogon request
<wasabi_> Heh. I really want to have a conversation with somebody about my winbind->somethingelse idea.
<abartlet> what would the something else be?
