/srv/irclogs.ubuntu.com/2006/10/29/#ubuntu-directory.txt

=== tuxub [n=maufeiti@87-196-24-71.net.novis.pt] has joined #ubuntu-directory
[12:17] <robertj> ..
[12:35] <lophyte> who declined it?
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
[01:07] <nkassi> Hey y'all
[01:07] <lophyte> hiya
[01:07] <nkassi> I'm reposting a question from ubuntu-server 'cause the channel seems dead
[01:08] <nkassi> I can't find the answer to why the slapd package in ubuntu and debian doesn't include SSL. Anyone know?
[01:08] <wasabi> It should.
[01:08] <wasabi> You of course have to enable and configure it with a certificate.
[01:08] <nkassi> It's not enabled by default
[01:08] <wasabi> Of course not. Ubuntu doesn't distribute a cert for you.
[01:08] <nkassi> From what I gather, it's not enabled in the build
[01:09] <wasabi> It is.
[01:09] <wasabi> checking though.
[01:09] <nkassi> hum, weird, after setting the TLS* config params and all and starting the ldap server, 636 is unused.
[01:09] <wasabi> TLS != SSL.
[01:09] <nkassi> port 636 I mean
[01:09] <nkassi> Oh yeah sorry.
[01:10] <wasabi> TLS is Transport Layer Security.
[01:10] <wasabi> ie a socket is transformed to SSL on the fly.
[01:10] <nkassi> Isn't TLS the SSL replacement?
[01:10] <wasabi> After an unsecured handshake.
[01:10] <nkassi> oh ok.
[01:10] <wasabi> Yes, but it doesn't require a new port.
[01:10] <nkassi> Me stupid.
[01:10] <nkassi> ;-)
[01:10] <wasabi> The handshake happens in plain text, over the normal port.
[01:11] <nkassi> thanks for the info.
[01:11] <wasabi> I'm going to guess since libssl-dev is a build-dep, that it's enabled.
[01:11] <wasabi> And also, that I use it.
[01:12] <nkassi> hehe
[01:12] <nkassi> that would be a giveaway ;-)
[01:12] <nkassi> I was wondering because I saw a lot of issues documented about enabling this in debian
[01:13] <wasabi> Well, plain ol' SSL isn't really needed or desired anymore.
[01:13] <wasabi> And TLS requires you to create a cert.
[01:13] <wasabi> So it's not really something that can work out of the box.
[01:13] <nkassi> That makes sense.
[01:14] <wasabi> And I'm all for using Kerberos anyways.
[01:14] <nkassi> How hard would it be to create one automagically when the openldap server is installed?
[01:14] <wasabi> Which provides transport encryption on its own.
[01:14] <nkassi> I guess that would be another option.
[01:14] <wasabi> nkassi: Could create a self-signed one, but that is completely unoptimal.
[01:14] <wasabi> I'd rather have the creation of a proper CA be part of our LDAP server plans.
[01:14] <nkassi> Except I would like to use it to allow thunderbird to look up contacts
[01:15] <nkassi> sound decent.
[01:15] <nkassi> sounds decent. I mean
[01:15] <wasabi> All of this is pretty far off imo
[01:15] <wasabi> Unless mark gets a hankering and pays for it
[01:17] <nkassi> Well that was something I was hoping to work on. ;-) I'm tired of hearing my friends complain about how AD is so much easier ;0)
[01:19] <nkassi> I was really happy when I saw the ubuntu movement towards this.
[01:19] <wasabi> We need C coders. =)
[01:20] <nkassi> Hehe, I thought the project would mostly be in python seeing the Ubuntu commitment to python.
=== Fujitsu [n=Fujitsu@ubuntu/member/fujitsu] has joined #ubuntu-directory
[01:22] <wasabi> The project consists of pam/nss modules and stuff. =)
[01:22] <nkassi> Dusting off my C programming language book right now :0)
[01:22] <wasabi> All the really big stuff imo, from the client side, is fixing up the pam/nss infrastructure.
[01:22] <wasabi> and nscd
[01:22] <wasabi> and then, yeah, a nice python wizard to configure it all.
[01:22] <wasabi> But still, all the heavy actual work is in C.
[01:23] <sbalneav> What needs to be done in C?
[01:23] <nkassi> Yeah is there going to be a sort of todo list somewhere?
[01:23] <wasabi> I'm working on a plan.
[01:23] <wasabi> http://wiki.ubuntu.com/NetworkAuthentication/Client.
[01:23] <wasabi> Client comes first, unless somebody else starts working on the server independently.
[01:25] <sbalneav> Hmm, not subscribed to that one, which is odd, seeing as how I need this spec implemented for the LTSP side of things.
[01:25] <nkassi> Was there any discussion about adapting the already existing tools on fedora?
[01:25] <sbalneav> I may be of use here, as I was the fellow who originally added openldap support for shadow components into pam_ldap :)
[01:27] <wasabi> There was, but we don't really like their tools I don't think.
[01:27] <wasabi> And have some good ideas of our own.
[01:27] <wasabi> And ajmitch already has a codebase that works.
[01:28] <wasabi> sbalneav: Sounds super insecure. ;)
[01:28] <wasabi> Check out that wiki page then, change what you think.
[01:29] <wasabi> I'm going to add a new table to NSS.
[01:29] <wasabi> "realm"
[01:29] <wasabi> And do it right.
[01:29] <wasabi> So, it'll be a lot of work to do it right. =)
[01:30] <wasabi> Also I've been thinking about new async getpwent and such APIs
[01:38] <bmonty> wasabi: a lot of the work can be done in python
[01:39] <wasabi> Sure, the wizard, which spits out a pam and nss file.
[01:39] <wasabi> And creates the remote objects and all that cool stuff.
[01:39] <wasabi> But that's not the hard part. That's scripting.
[01:40] <wasabi> The hard part is reducing blocking in nss, or coming up with a good cache strategy, or putting cross realm support into libnss-ldap, or fallback, recover, walking the SRV records.
[01:40] <bmonty> I've been using LDAP+Kerberos for awhile now, and the PAM and NSS code needs some updating
[01:40] <wasabi> Yup.
[01:41] <bmonty> there is essentially no viable caching as far as I'm concerned
[01:41] <wasabi> Right now there isn't.
[01:41] <wasabi> Right now I use nss-updatedb =)
[01:41] <bmonty> nscd doesn't seem to work at all, and I can't figure out why it doesn't cache any of my users or groups from the LDAP server
[01:41] <nkassi> I didn't know the whole spec was so extensive. So you really want to make this similar to the windows way.
[01:41] <wasabi> nkassi: I want it to work right, anyways.
[01:41] <nkassi> hehe
[01:42] <wasabi> Yeah nscd is broken.
[01:42] <bmonty> nkassi: that is how I read it....
[01:42] <bmonty> i.e. LDAP+Kerberos
[01:42] <wasabi> Well, obviously, the most important goal from a marketing point is joining AD.
[01:42] <wasabi> Since they are so prevalent.
[01:42] <nkassi> true.
[01:43] <wasabi> But luckily it's a super-set of Kerberos+LDAP.
[01:43] <bmonty> wasabi: can't you already join an AD with samba?
[01:43] <bmonty> I think using NTLM
[01:43] <wasabi> Yeah, but it's not really integrated.
[01:43] <wasabi> We really want pam_krb5.
[01:43] <nkassi> I've had my share of headache trying to do this exact thing ;-) We had to buy a commercial set of pam modules
[01:43] <bmonty> I agree
[01:43] <wasabi> And server-based UIDs
[01:44] <bmonty> has anyone thought about which kerberos server Ubuntu is going to use? Heimdal or MIT?
[01:44] <wasabi> Not really.
[01:45] <wasabi> I suspect when the dust clears we'll be using Heimdal.
[01:45] <wasabi> Simply because the Samba guys are pushing so much new stuff into it.
[01:45] <bmonty> supposedly the MIT server will be able to use LDAP for its user database in the near future
[01:45] <wasabi> Yeah, and Heimdal can now.
[01:45] <wasabi> I am totally convinced that server work is far off.
[01:45] <wasabi> A server without a good client is useless.
[01:45] <bmonty> does the existing pam-krb5 work with heimdal?
[01:45] <wasabi> bmonty: There's a heimdal compile of it.
[01:46] <bmonty> wasabi: don't you think that the server should be worked out before you get the client side going?
[01:46] <wasabi> Not really.
[01:46] <wasabi> We know what we're targeting.
[01:46] <lophyte> wasabi: the main goal is to get an AD-compliant client, right?
[01:46] <wasabi> The first goal, yes.
[01:46] <lophyte> I figured
[01:46] <wasabi> An AD compliant client that relies as much as possible on Krb5/LDAP
[01:47] <wasabi> So the client works with whatever we choose for our own server.
[01:47] <bmonty> I thought the goal was to have the server architecture for AD-like authentication and authorization as well as an update server
[01:47] <wasabi> That's massive long term.
[01:47] <bmonty> obviously you need a client side for that as well
[01:47] <wasabi> If you've used AD you know the issues involved with that.
[01:48] <bmonty> I use LDAP+Kerberos and I know there are plenty of issues there
[01:48] <wasabi> The scope of work with AD is huge.
[01:48] <lophyte> I wish the SSO howto on the wiki wasn't half done
[01:48] <wasabi> I mean, what, it took MS 4 years and a 100 person team?
[01:49] <lophyte> working full time, no less
[01:49] <wasabi> Kerb5 at every level, LDAP schema definition, third party integration.
[01:49] <wasabi> Long term support, upgradability.
[01:49] <wasabi> Replication of schema.
[01:49] <wasabi> A custom CA.
[01:49] <wasabi> Domains, forests.
[01:49] <lophyte> indeed
[01:49] <bmonty> ..figuring out how to lock customers into their solution
[01:49] <wasabi> Pssh. That took them 2 minutes.
[01:50] <lophyte> haha
[01:50] <wasabi> "oh lets add 1 field to krb5"
[01:50] <nkassi> hehe.
[01:50] <wasabi> Other than that, it's plain LDAP/Kerberos.
[01:50] <Burgundavia> lophyte: which sso howto?
[01:50] <lophyte> http://help.ubuntu.com/community/SingleSignOn
[01:51] <bmonty> I started writing that SSO howto, but I ran out of time to document all of the issues I was running in to
[01:51] <Burgundavia> lophyte: didn't even know that existed
[01:51] <Burgundavia> https://help.ubuntu.com/community/LDAPClientAuthentication
[01:51] <Burgundavia> I used that one
[01:51] <Burgundavia> need to update it
[01:51] <lophyte> I wanna set up a server, though
[01:51] <lophyte> ldap+krb5
[01:51] <wasabi> Go for it.
[01:52] <lophyte> I don't know how.. that's the problem :P
[01:52] <wasabi> I do it for all my client machines.
[01:52] <bmonty> lophyte: the server part is mostly complete
[01:52] <wasabi> I have two KDCs, two LDAP servers.
[01:52] <bmonty> except for how to add users
[01:52] <wasabi> Replicating over the inet. ;)
[01:53] <lophyte> ergh..
[01:53] <wasabi> Heh. If you're telling me slapd can replicate between 500 peers, you've surprised me.
[01:53] <wasabi> Until it can do that, it can't compare to AD. ;)
[01:53] <lophyte> my computer sucks with 2 Xen guests..
=== lophyte thinks he needs more RAM
[01:53] <wasabi> lophyte: vmware.
[01:53] <wasabi> oh just ram?
[01:53] <wasabi> You get xen working?
[01:53] <lophyte> it sucks just as bad with vmware, lol
[01:53] <lophyte> yeah, works fine now
[01:53] <lophyte> my biggest issue was networking.. using NAT, it works fine
[01:54] <bmonty> I haven't seen it documented anywhere, but there is a big issue with udev and having group info on the LDAP server
[01:54] <bmonty> especially with edgy
[01:54] <wasabi> Should be fine... you just need to know how to configure nss right.
[01:54] <wasabi> ie NSS *must never block ever*
[01:55] <wasabi> Since all apps make an assumption that it never will.
[01:55] <bmonty> wasabi: that is one issue
[01:55] <wasabi> The only way to accomplish that is to drive NSS from a pure cache.
[01:55] <bmonty> the second is that the network isn't available when udev assigns groups to the devices it creates
[01:55] <wasabi> You shouldn't need the network for local groups.
[01:55] <wasabi> try this:
[01:55] <wasabi> passwd:         compat db
[01:55] <wasabi> group:          compat db
[01:56] <wasabi> And use nss_updatedb (package nss-updatedb) to update the DB files from the ldap module.
[01:56] <lophyte> bmonty: there's no instructions for configuring OpenLDAP.. I think that's the biggest issue
[01:56] <bmonty> wasabi: I want to have those groups stored in LDAP directly
[01:56] <wasabi> They are.
[01:57] <wasabi> cronjob, runs once an hour, that refreshes the cache.
[01:57] <bmonty> lophyte: good point, I have an OpenLDAP config file if you are interested
[01:57] <Burgundavia> lophyte: I am going to write some openLDAP stuff coming up next week or so
[01:57] <bmonty> wasabi: then you have a consistency issue
[01:57] <lophyte> bmonty: where do you configure the sasl binds, in the slapd config?
[01:57] <wasabi> bmonty: Yup. Until nss gets an async API, there is no solution.
[01:57] <wasabi> bmonty: But this one makes the box work. ;)
[01:58] <bmonty> lophyte: yes, you have to configure SASL in slapd.conf
[01:58] <wasabi> You cannot have a network query go out for every group lookup. NSS is always used single threaded.
[01:58] <lophyte> bmonty: ah, alright..
[01:58] <wasabi> The best option I have is a daemon which keeps the local cache up to date, by subscribing to LDAP notifications.
[01:59] <wasabi> And that daemon's name might be nscd in the future. heh
[01:59] <bmonty> lophyte: the two directives are sasl-secprops and sasl-regexp
[02:00] <bmonty> wasabi: can I get a copy of your nss config file?
[02:00] <lophyte> I need to get more RAM, so I can create a virtual network of computers to tinker with this stuff
[02:00] <bmonty> I've never been able to solve the issues with nss, or find good info on the net
[02:00] <bmonty> lophyte: www.newegg.com
[02:00] <lophyte> american site.. costs for shipping :P
[02:01] <lophyte> it's probably cheaper to shop locally
[02:01] <bmonty> it isn't here :)
[02:02] <nkassi> hehe
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
[02:02] <bmonty> lophyte: you can use a pretty much stock LDAP config, but you have to add a couple of things for SASL to work correctly
[02:02] <nkassi> yeah, there's nothing local around here that is cheaper than newegg + shipping ;-)
[02:02] <lophyte> oi..
[02:03] <bmonty> I've also found that SASL binds do not work on 64-bit machines
[02:03] <lophyte> $60 for 512mb
[02:03] <lophyte> not bad
[02:04] <bmonty> I still have to check and see if that is true with edgy though
[02:04] <wasabi> I have a 64 bit machine which binds using SASL just fine.
[02:04] <wasabi> It's not a server though.
[02:04] <lophyte> alright, i gotta go..
[02:05] <lophyte> perhaps later tonight I'll have some time to set this up
[02:05] <bmonty> wasabi: what is the architecture of your server machine?
[02:05] <lophyte> bbl
[02:05] <wasabi> em64t
[02:05] <wasabi> But it's windows. =)
[02:05] <bmonty> ok, I'm running OpenLDAP on i386, and SASL binds cause a segfault on the 64-bit machines
[02:06] <wasabi> 64bit clients?
[02:06] <bmonty> wasabi: yes
[02:07] <wasabi> Hmm.
[02:07] <wasabi> dapper?
[02:07] <bmonty> yeah with dapper
[02:07] <wasabi> oh well. core dump, post a bug.
[02:07] <bmonty> I haven't tested with edgy yet
[02:07] <bmonty> dist upgrading to edgy completely hosed my machine due to the LDAP/Kerberos setup I had
[02:08] <wasabi> heh
[02:08] <bmonty> it wouldn't boot even in "safe mode"
[02:08] <wasabi> Just set up NSS differently.
[02:09] <bmonty> wasabi: yeah, I wish I had known that
[02:09] <bmonty> once I did the dist upgrade though it was too late
[02:09] <wasabi> livecd + fix
[02:09] <wasabi> or init=/bin/bash
[02:09] <bmonty> where can I find info about setting up nss?
[02:09] <wasabi> Not really anywhere.
[02:09] <wasabi> me =)
[02:09] <bmonty> wasabi: too late, I already rebuilt the box :)
[02:10] <wasabi> ahh. you never have to rebuild a linux box.
[02:10] <wasabi> You can always just boot with init=/bin/bash, get a shell, fix the problem, and reboot.
[02:10] <bmonty> do you have a working nss config file I can copy?
[02:10] <Burgundavia> soon, I am going to rewrite the LDAPclient stuff
[02:10] <wasabi> bmonty: Use libnss-db + nss-updatedb
[02:10] <Burgundavia> which will fix all the issues
[02:10] <wasabi> It's the only reasonable way to remove the issue.
[02:10] <bmonty> BTW, other stuff I have been working on is a python binding for libkrb5
[02:10] <wasabi> Oh that's you?
[02:10] <wasabi> I saw somebody post about that someplace.
[02:11] <bmonty> and I also started a python-based LDAP user config utility
[02:11] <bmonty> both are still very experimental
[02:11] <Burgundavia> isn't the latter just n-a?
[02:11] <bmonty> my python-krb5 is based on MIT's code, so it will require some modification if the decision is to use heimdal
[02:12] <wasabi> bmonty: What's your goal with that?
[02:12] <wasabi> What are you binding?
[02:12] <wasabi> GSSAPI or ?
[02:12] <bmonty> wasabi: so you can use the krb5 library directly from python
[02:12] <wasabi> To do what?
[02:12] <wasabi> kadmin?
[02:12] <bmonty> whatever you want
[02:13] <wasabi> Just wondering what sort of program you would build that uses that.
[02:13] <bmonty> kadmin uses the krb5 lib to do its functions
[02:13] <bmonty> I have a rewrite of klist in python using my bindings
[02:13] <bmonty> I don't have enough of the API to do kadmin...yet
[02:14] <bmonty> for a lot of client side stuff you probably want to use GSSAPI
[02:14] <bmonty> but I think if you want to have a tool that can manage a LDAP+Kerberos server you need to use the krb5 lib
[02:15] <bmonty> ...and if you want to write in C there is no problem with that
[02:15] <bmonty> if you want to use python to develop your solution you are stuck since there is currently no binding to the krb5 libs that python can use
[02:16] <wasabi> Well, doesn't help much with AD.
[02:16] <wasabi> That I can see.
[02:16] <Burgundavia> interesting: http://lists.debian.org/debian-devel/2006/10/msg01177.html
[02:16] <bmonty> why do you say that?
[02:16] <wasabi> Since you don't use anything resembling kadmin to manage principals.
[02:17] <bmonty> krb5 tools can talk to AD
[02:17] <wasabi> And there's no need for client management of kerberos at all.
[02:17] <wasabi> It should work silently and transparently.
[02:17] <bmonty> wasabi: you are assuming that I'm running AD on a windows box, correct?
[02:17] <wasabi> No.
[02:17] <wasabi> I'm just comparing MS's solution to our potential one.
[02:18] <wasabi> Which is that I don't want our users dealing with krb5 principals. ;)
[02:18] <wasabi> New User, type the name, done.
[02:18] <wasabi> The only interface component we should need on the desktop is a notification tray that says "Your authentication has expired. Please click here to renew. *button*"
[02:19] <whiprush> wasabi: ajforgue has a little ticket applet thing he wrote.
[02:19] <wasabi> Yeah. I hope we don't have to show it to users ever. ;0
=== bmonty [n=bmonty@ubuntu/member/bmonty] has joined #ubuntu-directory
[02:20] <Burgundavia> wasabi: do we have pieces of software in universe that need to migrate to main?
[02:20] <bmonty> wasabi: what are you using to manage users and groups in your setup?
[02:20] <wasabi> GQ mostly.
[02:21] <wasabi> Burgundavia: Probably will.
[02:21] <bmonty> which is a decent tool, but can't manage kerberos principals
[02:21] <wasabi> Yeah. I don't want to expose kerberos princs to users.
[02:22] <wasabi> I sort of want them to be stored in LDAP.
[02:22] <bmonty> I was thinking that eventually we need a tool that can manage users in the LDAP directory and the krb5 database
[02:22] <wasabi> Also I'd be worried about the security/policy issues of separating the two.
[02:22] <bmonty> wasabi: I want that as well
[02:22] <wasabi> ie an admin user could potentially compromise the integrity of the relation between the two.
[02:22] <wasabi> Once again, pulling another example from windows. They have discrete APIs to create a user... which handles the kerberos part and ldap part together.
[02:22] <wasabi> And makes sure all succeeds.
[02:23] <bmonty> is there an open source solution that can do that?
[02:23] <wasabi> Not yet.
[02:23] <bmonty> hence the need for tools to manage those
[02:23] <wasabi> Yes, new tools... which don't use kadmin.
[02:23] <wasabi> Consider this. In my company, HR creates users.
[02:23] <wasabi> Because HR hires and fires them.
[02:24] <bmonty> yup, which requires that you can link in the krb5 lib...
[02:24] <wasabi> Nope.
[02:24] <wasabi> So, the HR users have permissions to create users. Not permissions to create principals.
[02:24] <nkassi> Does this tool require a separate spec? Cause work on that could be started pretty much now. It would be extremely useful currently.
[02:24] <wasabi> Not permissions to create LDAP objects.
[02:24] <wasabi> but discrete permissions to issue a CreateUser RPC call to the server.
[02:24] <wasabi> The logic of that lives on the server, where it can't be subverted.
[02:24] <wasabi> If the user himself could create a principal, he could create one, and link it to any object.
[02:25] <wasabi> Or rename it independently.
[02:25] <wasabi> Or assign permissions to it he didn't otherwise have the permission to assign.
[02:25] <wasabi> HR can create users, but they cannot touch anything critical. They are not systems admins.
[02:25] <bmonty> that all makes sense to me
[02:25] <wasabi> It's something we're missing.
[02:25] <wasabi> Completely.
[02:26] <bmonty> we are missing it in that there are currently no tools that implement that process
[02:26] <bmonty> I think the software that is available has features that could be used to make that work
[02:26] <bmonty> without rewriting a whole ton of stuff
[02:27] <wasabi> Sure, but I don't think allowing kadmin access from a client machine solves it.
[02:28] <bmonty> wasabi: I agree, I never proposed that
[02:29] <bmonty> BTW, can I take a look at your nss config file?
[02:29] <bmonty> and what were the other nss packages you said I needed to install?
[02:31] <wasabi> nss-updatedb
[02:31] <wasabi> my config file is "passwd: compat db"
[02:32] <wasabi> group: compat db
[02:32] <wasabi> nothing else
[02:32] <bmonty> and this basically copies the users and groups from the LDAP server to the local machine?
[02:36] <ajmitch> hey bmonty
[02:37] <bmonty> hi ajmitch
[02:39] <ajmitch> whiprush: you around?
[02:39] <ajmitch> bmonty: coming to MV?
[02:39] <bmonty> ajmitch: no
[02:39] <ajmitch> unfortunate
[02:40] <bmonty> yeah...I'm way too busy at work
[02:42] <bmonty> ajmitch: is this going to get discussed at MV?
[02:43] <ajmitch> definitely
[02:44] <ajmitch> write up anything else you think we need
[02:44] <bmonty> ok
[02:48] <Burgundavia> bmonty: I have been using lat instead of gq
[02:48] <Burgundavia> a little crashy, but a much nicer UI
[02:48] <whiprush> ajmitch: yeah
[02:48] <ajmitch> whiprush: got the hotel details?
[02:48] <whiprush> dang, not on me, I did it old school. (pen and paper)
=== ajmitch will need to give these details to the friendly people in customs :)
[02:48] <ajmitch> ok
[02:48] <whiprush> oh
[02:49] <whiprush> let me find it on the map
[02:49] <Burgundavia> I just lie
[02:49] <ajmitch> mainly just the address
[02:49] <ajmitch> Burgundavia: I also want to know where it is
=== bmonty [n=bmonty@ubuntu/member/bmonty] has left #ubuntu-directory []
[02:49] <whiprush> http://www.choicehotels.com/ires/en-us/html/HotelInfo?hotel=CA679&promo=gglocal
[02:49] <whiprush> booya
[02:49] <ajmitch> nice, I wonder how dodgy it is
[02:50] <whiprush> one of my friends works at google and said that it was nice.
=== bmonty [n=bmonty@ubuntu/member/bmonty] has joined #ubuntu-directory
[02:50] <whiprush> not like, omg nice. but a nice normal hotel for a decent price
[02:50] <ajmitch> that's excellent
[02:51] <ajmitch> aha, found it on google maps
[02:51] <ajmitch> nice & close to google HQ
[02:51] <whiprush> yep
[02:52] <whiprush> learned my lesson after staying all far at the boston summit
[02:52] <ajmitch> right by the freeway though
[02:52] <ajmitch> like *right* beside it, by the look of the map
[02:53] <whiprush> are you concerned about the noise?
[02:54] <ajmitch> it shouldn't be too bad, I guess
[02:54] <Burgundavia> ajmitch: whiprush's melodious snoring will drown out all
[02:54] <wasabi> bmonty: "nss-updatedb ldap" will retrieve the entire passwd/group tables from the libnss-ldap module, and store them in a bdb database.
[02:54] <wasabi> bmonty: the "db" nss module will read from those.
[02:54] <ajmitch> whiprush: that's what I expect
[02:54] <wasabi> You schedule nss-updatedb to be run, using GSSAPI/SASL binding, every hour or something reasonable.
[02:54] <wasabi> As root.
[02:54] <ajmitch> whiprush: looks like we get free google wifi
[02:55] <whiprush> ajmitch: don't worry, it's california, the cars don't actually move on the freeway
[02:55] <whiprush> it's more of a parking lot.
[02:55] <wasabi> I wish I could drive.
[02:55] <bmonty> wasabi: ok, thanks
[02:56] <ajmitch> haha
[02:56] <ajmitch> whiprush: what are the arrangements for the airport? shall I try & get a shuttle in?
[02:57] <whiprush> ajmitch: I recommend the train
[02:57] <whiprush> the BART
[02:58] <ajmitch> but the BART doesn't go down that way, does it?
[02:58] <whiprush> but we should probably ask someone from mountain view
[02:58] <whiprush> it goes to mountain view
[02:58] <whiprush> then you can cab from there
=== ajmitch really hopes he gets paid before saturday :)
[02:01] <ajmitch> either that or if I catch a shuttle in, mpt & infinity are on the same flight as I am
[02:02] <Burgundavia> from sfo there is a train
[02:02] <Burgundavia> whiprush: we caught that
[02:02] <ajmitch> caltrain
[02:02] <Burgundavia> however, google runs buses from downtown
[02:02] <Burgundavia> and I presume the airport
[02:02] <Burgundavia> they may be running buses for us
[02:02] <ajmitch> canonical sponsored people have been told that there's a shuttle
[02:02] <ajmitch> not google-provided
[02:03] <Burgundavia> ah
[02:03] <ajmitch> Supershuttle http://www.supershuttle.com/. From San Francisco, it would
[02:03] <ajmitch> be about $40-45.00 one way.
[02:03] <ajmitch> expensive
[02:05] <Burgundavia> you are landing at sfo?
[02:05] <ajmitch> yeah
[02:06] <Burgundavia> sfo is on the caltrain run
[02:06] <ajmitch> so I saw
[02:06] <Burgundavia> I would take that to mtv, and then take a taxi from there
[02:06] <ajmitch> I'd have to check where it stops in MV
[02:06] <Burgundavia> downtown
[02:06] <Burgundavia> about 20 minutes from google
[02:06] <ajmitch> ok
[02:06] <Burgundavia> this is the train we took for ubucon
=== Burgundavia whips whiprush for being useless about this sort of stuff
[02:07] <ajmitch> how much does it cost?
[02:07] <Burgundavia> caltrain? $10?
[02:07] <ajmitch> k
[02:08] <ajmitch> whiprush: when do you get to the hotel?
[02:08] <whiprush> damn, all these questions!
[02:08] <whiprush> sec
[02:08] <ajmitch> heh
[02:09] <ajmitch> we like to plan ahead :)
[02:11] <whiprush> probably 8-ish on Saturday the 4th.
[02:11] <whiprush> 8pm
[02:12] <whiprush> I'll have your name on the room if you get there before we do.
[02:12] <ajmitch> much earlier
[02:12] <ajmitch> flight lands at 11:15AM
[02:12] <whiprush> ok
[02:12] <whiprush> when I finalize the reservation I'll let them know you'll be coming in first
[02:13] <ajmitch> I can probably fill in the time :)
[02:13] <ajmitch> thanks
[02:13] <whiprush> I am sure there will be people around to hang out with
[02:13] <whiprush> google is open on the weekends, I wonder if people will be hanging out there.
[02:13] <ajmitch> I wonder how long it'll take to walk to google
[02:14] <whiprush> ajmitch: hopefully my friend will be our ride in everyday, heh.
[02:14] <ajmitch> yeah, but I may go for a walk anyway
[02:15] <whiprush> oh
[02:17] <ajmitch> besides, I need to wander into MV about 5pm or so
[02:20] <whiprush> I wouldn't mind walking everyday if it's like, less than 45 minutes or something
[02:20] <ajmitch> looks like it may be, but the tricky part is where to cross the freeway
[02:21] <whiprush> I am trying to remember if it's an elevated freeway
[02:21] <whiprush> let me ask my google friend
[02:22] <Burgundavia> got a linky to the map?
[02:22] <Burgundavia> I might be able to remember
[02:22] <whiprush> http://maps.google.com/maps?f=q&hl=en&q=hotel+Mountain+View,+CA&ie=UTF8&z=14&ll=37.40746,-122.082739&spn=0.04568,0.114326&om=1&iwloc=H
[02:22] <ajmitch> just looking at google maps
[02:23] <whiprush> I remember driving by that airbase multiple times
[02:23] <ajmitch> we're at H on that map
=== lophyte has never been to Cali
=== ajmitch has only been in airports there
[02:24] <lophyte> actually I've never been out of Canada...
[02:24] <lophyte> or Ontario at that
=== lophyte is sheltered :(
[02:25] <ajmitch> took me awhile to get out of NZ
[02:26] <bmonty> just clicked on the map link...I've actually been there before :)
[02:26] <lophyte> alrighty.. I'm gonna go through the SSO howto
[02:26] <ajmitch> bmonty: the hotel, or the area?
[02:26] <bmonty> the area
[02:27] <bmonty> I think the hotel I stayed at was right down the street
[02:27] <bmonty> I remember thinking that the place was set up to get around really easy without a car
=== lophyte looks at his bank account and sighs
[02:28] <ajmitch> lophyte: I know how it is
[02:28] <ajmitch> bread & water for me for the week :)
[02:29] <lophyte> lol
[02:29] <lophyte> I really need to find a job..
[02:30] <whiprush> ajmitch: my friend says it's 10-20 minute walk!
[02:30] <ajmitch> oh if I get paid this week I'd have about $2K USD by the weekend, and I'd be fine
[02:30] <lophyte> I don't get paid.. so..
[02:30] <lophyte> this is all I have
[02:30] <ajmitch> whiprush: wonderful :)
[02:30] <ajmitch> whiprush: I could probably walk from the train station too :)
[02:31] <whiprush> that was like a 15 minute drive
[02:31] <whiprush> but the area down there is nice
[02:31] <ajmitch> ok
[02:31] <whiprush> you could probably walk around the shopping areas and whatnot if you're bored
[02:32] <ajmitch> the train station looks closer than google does
[02:32] <ajmitch> it's a walk straight down moffett blvd
[02:33] <ajmitch> yeah, since I can't get to mass on the sunday, I'll be going on saturday, so that'll take some time
[02:33] <ajmitch> conveniently that's right beside the train station
=== cliebow [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
[03:49] <whiprush> Burgundavia: where can I find channel logs?
[03:49] <whiprush> is it still on people.something?
[03:49] <Burgundavia> whiprush: for this channel?
[03:49] <whiprush> ya
[03:49] <Burgundavia> people.ubuntu.com/~fabbione/irclogs
[03:49] <whiprush> ta
=== Shish [n=shish@raptor.ukc.ac.uk] has joined #ubuntu-directory
=== sbalneav [n=sbalneav@S0106000b6a5631f9.wp.shawcable.net] has left #ubuntu-directory []
[06:21] <wasabi> So I've been thinking about the caching problem.
[06:21] <wasabi> Number of different solutions.
[06:22] <wasabi> either fix nscd, or use/write something else.
[06:22] <wasabi> The db idea is pretty appealing.
[06:27] <wasabi> Guess I'd be worried about db corruption though.
[06:27] <wasabi> hmmmmmmmmmmm
[06:34] <wasabi> I guess it would be reasonable for remote users to simply not exist until nscd starts.
[06:34] <whiprush> wasabi: also I thought about something while driving around today
[06:34] <whiprush> that RH cert server isn't oss.
[06:36] <wasabi> They have a cert server?
[06:36] <whiprush> yep
[06:36] <wasabi> I've heard some good things about OpenCA.
[06:36] <whiprush> I was driving around and was like "oh shit, we're going to need one of those."
[06:36] <wasabi> Yeah.
[06:36] <wasabi> Thought about it earlier.
[06:36] <wasabi> Again, this is why server-side is a huge project. ;)
[06:37] <wasabi> So many pieces that all tie in together.
[06:37] <wasabi> And are huge on their own.
[06:38] <wasabi> I've sort of got a game plan for where I will start work at. I've already got a broken patch to add a realm table to nss.
[06:38] <wasabi> I'll get that done, then start digging into libnss.
[06:38] <wasabi> -ldap that is
[06:40] <wasabi> Or whatever. To be honest, I don't have enough time for this.
[06:41] <wasabi> me->bed
=== alp [n=alp@host-87-74-40-238.bulldogdsl.com] has joined #ubuntu-directory
=== robertj [n=robertj@68-114-40-215.dhcp.athn.ga.charter.com] has joined #ubuntu-directory
=== MagnusR [n=magru@c83-250-59-127.bredband.comhem.se] has joined #ubuntu-directory
[03:47] <lophyte> morning all
[04:03] <wasabi> moni
[04:15] <wasabi> Does anybody want to be responsible for separating server stuff out of NetworkAuthentication?
[04:16] <MagnusR> you mean in the specification?
[04:16] <wasabi> just the wiki.
[04:16] <wasabi> it needs cleanup
[04:17] <MagnusR> I can give it a try. Shall I create a new page NetworkAuthenticationServer to put things that are cleaned out until we know where to put it?
[04:18] <wasabi> https://wiki.ubuntu.com/NetworkAuthentication/Client is client stuff
[04:18] <wasabi> So, I'd imagine /Server would be server stuff.
[04:20] <MagnusR> Hmm seems that we have three different pages today: https://wiki.ubuntu.com/NetworkAuthentication https://wiki.ubuntu.com/NetworkAuthentication/Client https://wiki.ubuntu.com/NetworkAuthentication/ScratchPad
[04:20] <wasabi> ScratchPad was some stuff I was just braindumping too
[04:20] <wasabi> It can be ignored. =)
=== bmonty [n=bmontgom@ubuntu/member/bmonty] has joined #ubuntu-directory
[04:23] <tepsipakki> wasabi: was it you that had some ideas about an offline "cache" (using bzr) for a networked filesystem?
[04:24] <wasabi> yeah
[04:24] <tepsipakki> do you know about FS-Cache? it only provides the basic support for caching stuff but the offline-use is left to the fs itself
[04:24] <wasabi> Not a networked file system.
[04:25] <MagnusR> What about using ifolders?
[04:26] <alp> anyone familiar with the novell ldap stuff?
[04:26] <wasabi> Not really. Never had a chance to touch it.
[04:26] <alp> i think we have a good c# ldap stack
[04:27] <alp> that should be "they"
[04:28] <alp> don't know if their directory services are based on that, think it's all new
[04:30] <tepsipakki> ald: do you mean eDirectory?
[04:30] <tepsipakki> alp: ^^
[04:30] <MagnusR> I think the c#-bindings are used to connect new things to the old NDS stuff.
[04:33] <alp> http://developer.novell.com/wiki/index.php/Ldapcsharp <- looks standards based and pretty active
[04:43] <lophyte> wtf :\
[04:43] <lophyte> kadmin: Improper format of Kerberos configuration file while initializing krb5 library
[04:45] <wasabi> Novell's LDAP C# libraries are fine.
[04:45] <wasabi> But I suspect nobody here is going to use them.
[04:45] <bmonty> lophyte: check your krb5.conf file, especially the part that tells the lib how to contact the kadmin server
[04:46] <lophyte> why do I get the feeling these locale errors are wreaking havoc
[04:48] <alp> wasabi: oh, what's the game plan?
[04:49] <alp> when i put together the mono debian packages and policy all those years ago this is exactly the kind of neat project i had in mind :-)
[04:50] <alp> i am unfamiliar with the python libraries though, it's quite possible they're more suitable
[04:52] <MagnusR> I think Apple have released Python Bindings for parts of kerberos.
[04:53] <bmonty> MagnusR: do you have a link?
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
alpi have done some work with managed pam plugins and nss04:54
wasabiYeah, but whatever we do, I want to have uptake on every distro.04:55
wasabiAnd there's a political situation that matters.04:55
wasabiManaged NSS sounds sorta wonky too. A CLR in every process instance?04:55
wasabiUnless it's a shim to an out of process CLR or something.04:56
alpthe nss stuff was just for configuration04:57
wasabiI think we've got a pretty good plan on where to go from here for client side stuff. I think now I'll just do some little work before UMV to make sure it's reasonable, then have the full conversation at UMV.04:59
wasabiUnless mark pays some people, it's not going to happen... I suspect. =)04:59
alpi think it would be doable in a few months if it didn't aim to interoperate with AD, use ldap properly and so on05:00
wasabiAll that's needed to interoperate with AD is LDAP.05:00
wasabiAnd Kerberos.05:00
wasabiAD isn't very special.05:00
MagnusRbmonty: It is called python-kerberos in debian unstable.  It's under Apache License05:01
bmontyMagnusR: thanks05:01
alpapparently integrating the c# ldap libraries with kerberos is on the novell todo list, though that means it's not around now (http://forge.novell.com/modules/xfmod/newsportal/article.php?group_id=1318&msg_id=981&group=novell.devsup.ldapcsharp)05:02
lophyteergh.. why won't the kdc run..05:04
wasabiError?05:04
lophytenothing at all05:04
wasabiWell, it has logs. =)05:04
lophyteyeah, but there's no logs either05:05
wasabi/var/log/krb5kdc i think05:05
lophyteyeah nothing there05:05
wasabiwell, try to start it without the init script.05:05
wasabithen strace it.05:06
lophytekrb5kdc: cannot initialize realm BLINDUTOPIA.COM - see log file for details05:10
lophytebut there's no log file05:10
wasabiHeh.05:10
lophytethat's helpful05:11
lophytestupid kdc05:11
wasabiInteresting. Looks like Heimdal and MIT both have PKINIT support, and so does pam_krb5.05:12
wasabiI think our pam-krb5 is diverged.05:12
wasabiYeah. Completely.05:15
tepsipakkipam_krb5 from redhat?05:18
wasabiYeah. Looks like the two bases diverged years ago.05:18
wasabiOurs seems to be maintained still, theirs is only maintained internally.05:19
tepsipakkiyep05:19
lophyteoi.05:19
wasabihttp://www.stacken.kth.se/lists/heimdal-discuss/2006-10/msg00034.html05:19
tepsipakkioh, there are tools in fedora/rhel that notify about expired tickets05:19
wasabiWe got PKINIT patches just a few days ago.05:20
wasabiLooks like Nalin from RH is participating in the conversation (I talked to him a few years ago, he maintained libpam-krb5 internally)05:20
wasabiso I bet they'll merge again05:20
lophytethis is silly05:21
MagnusRI have started to move server things from https://wiki.ubuntu.com/NetworkAuthentication to https://wiki.ubuntu.com/NetworkAuthentication/Server. Please add and comment.05:22
wasabiNice. Thanks.05:22
tepsipakkislapd is from openldap? how about fedora directory server?05:23
tepsipakkioh, it was mentioned05:24
tepsipakki=)05:24
tepsipakki(on the wiki)05:24
MagnusRFedora DS has a lot of nice web interfaces. So I think it should be evaluated. Unfortunately it takes more resources.05:25
tepsipakkiI remember seeing an ITP of it05:25
MagnusRAnyone know if there are any debs for it?05:25
wasabiThere aren't.05:25
wasabiFew people here were working on it05:25
wasabiThe interfaces require Sun's JRE.05:26
MagnusRThat's bad05:26
lophytehrm05:26
tepsipakkibut we have that now :)05:26
lophyteso I got the kdc to start..05:26
lophytebut now kadmin fails05:26
wasabiThink I'm going to try to migrate my kerberos to LDAP05:30
tepsipakkihttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=31529705:30
tepsipakkithat's the ITP05:30
MagnusRwasabi: But with only ldap you do not get the SSO possibility.05:31
wasabiHuh?05:31
tepsipakkimagnusR: does fds have a kdc as well?05:31
wasabiDidn't say replace Kerberos.05:32
wasabiStore keys in LDAP05:32
MagnusRwasabi: ok, misunderstood you05:32
MagnusRtepsipakki: no05:32
=== lophyte [n=dsulliva@ubuntu/member/lophyte] has joined #ubuntu-directory
lophyteugh.. okay, I give up05:34
=== bmonty is now known as bmonty_away
wasabiAnybody aware how to enable simple bind in slapd only over ldapi?06:01
wasabiInteresting. When creating a new principal, it doesn't search for existing objects.06:11
wasabiThat's not so good.06:11
=== lophyte [n=dsulliva@ubuntu/member/lophyte] has left #ubuntu-directory []
=== lophyte [n=dsulliva@ubuntu/member/lophyte] has joined #ubuntu-directory
=== lophyt1 [n=dsulliva@bas5-toronto63-1096730685.dsl.bell.ca] has joined #ubuntu-directory
=== lophyt1 is now known as lophyte
lophytehrm..06:41
lophyteyay, more errors06:45
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
lophytehow do I add a host principal in krb5?06:56
wasabikadmin07:01
wasabihost/fqdn07:01
lophytehow do you use kadmin without already having a principal set up, though?07:01
wasabikadmin -l07:01
lophyteah.07:01
lophyte..eh, there is no l option07:02
wasabikadmin.local then with MIT07:02
lophytehehe, no kadmin.local either :P07:02
wasabiBeats me then. ;)07:02
wasabione of the two should be present.07:03
lophyteor do I need krb5-admin-server installed07:03
lophytemeh.. i have to go07:04
lophyteI'll look for a complete howto later07:05
=== SimonAnibal [n=sruiz@adsl-68-251-147-250.dsl.bltnin.ameritech.net] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
=== SimonAnibal [n=sruiz@adsl-68-251-147-250.dsl.bltnin.ameritech.net] has joined #ubuntu-directory
=== chuckyp [n=chuckyp@adsl-75-36-112-138.dsl.bcvloh.sbcglobal.net] has joined #ubuntu-directory
=== darkpixel [n=darkpixe@longview-cuda1-g2-70-36-101-183.losaca.adelphia.net] has joined #ubuntu-directory
=== SimonAnibal [n=sruiz@adsl-68-251-147-250.dsl.bltnin.ameritech.net] has joined #ubuntu-directory
=== SimonAnibal [n=sruiz@adsl-68-251-147-250.dsl.bltnin.ameritech.net] has joined #ubuntu-directory
siretartcan you guys recommend a tutorial and/or good documentation for MIT Kerberos in edgy?10:21
=== ajmitch would have to dig through his bookmarks at home
wasabiNope.10:23
Burgundaviaajmitch, wasabi: would one of you mind responding to that -directory announce post on -devel and answer those people's questions?10:39
wasabilooking10:40
wasabioh. missed all that10:40
tepsipakkiI tried tp3 a week ago10:41
tepsipakkishared libraries are broken, so I couldn't run the provisioning script10:42
tepsipakkior program, actually10:42
tepsipakkithat's samba-4.0.0tp3 I was talking about :)10:43
ajmitchyep10:44
ajmitchI saw your post on the samba list :)10:44
=== ajmitch was trying it out as well
tepsipakkioh :)10:45
tepsipakkithe packaging needed some tweaks to get through10:46
ajmitchyes10:46
=== ajmitch was looking at that also
tepsipakkianyway, I'm looking forward to the beta10:47
tepsipakkiwhenever that is released..10:48
ajmitchyep10:48
wasabiWhat do I want to respond to? heh10:58
wasabiWhat do I want to respond to? heh11:07
lophyteBurgundavia: I don't think I have time now to finish up the -ca approval.. I've got some things that need to be taken care of offline at the moment11:14
=== lophyte [n=dsulliva@ubuntu/member/lophyte] has joined #ubuntu-directory
=== netjoined: irc.freenode.net -> brown.freenode.net
=== bmonty_away [n=bmontgom@ubuntu/member/bmonty] has joined #ubuntu-directory
=== MagnusR_away [n=magru@c83-250-59-127.bredband.comhem.se] has joined #ubuntu-directory
=== robertj [n=robertj@68-114-40-215.dhcp.athn.ga.charter.com] has joined #ubuntu-directory
=== alp [n=alp@host-87-74-40-238.bulldogdsl.com] has joined #ubuntu-directory
=== Shish [n=shish@raptor.ukc.ac.uk] has joined #ubuntu-directory
=== cliebow [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
=== siretart [i=siretart@ubuntu/member/siretart] has joined #ubuntu-directory
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr] has joined #ubuntu-directory
=== whiprush [n=jorge@2001:5c0:8fff:fffe:0:0:0:2fad] has joined #ubuntu-directory
=== Toadstool [n=jcorbier@ubuntu/member/toadstool] has joined #ubuntu-directory
=== ajmitch [n=ajmitch@ubuntu/member/ajmitch] has joined #ubuntu-directory
=== wasabi_ [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!