[12:17] <robertj> ..
[12:35] <lophyte> who declined it?
[01:07] <nkassi> Hey y'all
[01:07] <lophyte> hiya
[01:07] <nkassi> I'm reposting a question from ubuntu-server cause the channel seems dead
[01:08] <nkassi> I can't find the answer to why the slapd package in ubuntu and debian doesn't include SSL. Anyone know?
[01:08] <wasabi> It should.
[01:08] <wasabi> You of course have to enable and configure it with a certificate.
[01:08] <nkassi> It's not enabled by default
[01:08] <wasabi> Of course not. Ubuntu doesn't distribute a cert for you.
[01:08] <nkassi> From what I gather, it's not enabled in the build
[01:09] <wasabi> It is.
[01:09] <wasabi> checking though.
[01:09] <nkassi> hum, weird, after setting the TLS* config params and all and starting the ldap server, 636 is unused.
[01:09] <wasabi> TLS != SSL.
[01:09] <nkassi> port 636 I mean
[01:09] <nkassi> Oh yeah sorry.
[01:10] <wasabi> TLS is Transport Layer Security.
[01:10] <wasabi> ie a socket is transformed to SSL on the fly.
[01:10] <nkassi> Isn't TLS the SSL replacement ?
[01:10] <wasabi> After an unsecured handshake.
[01:10] <nkassi> oh ok.
[01:10] <wasabi> Yes, but it doesn't require a new port.
[01:10] <nkassi> Me stupid.
[01:10] <nkassi> ;-)
[01:10] <wasabi> The handshake happens in plain text, over the normal port.
[01:11] <nkassi> thanks for the info.
[01:11] <wasabi> I'm going to guess since libssl-dev is a build-dep, that it's enabled.
[01:11] <wasabi> And also, that I use it.
[01:12] <nkassi> hehe
[01:12] <nkassi> that would be a give away ;-)
[01:12] <nkassi> I was wondering because I saw a lot of issues documents about enabling this in debian
[01:13] <wasabi> Well, plain ol' SSL isn't really needed or desired anymore.
[01:13] <wasabi> And TLS requires you creating a cert.
[01:13] <wasabi> So it's not really something that can work out of the box.
[01:13] <nkassi> That makes sense.
[01:14] <wasabi> And I'm all for using Kerberos anyways.
[01:14] <nkassi> How hard would it be to create one automagically when the openldap server is installed ?
[01:14] <wasabi> Which provides transport encryption on its own.
[01:14] <nkassi> I guess that would be another option.
[01:14] <wasabi> nkassi: Could create a self signed one, but that is completely unoptimal.
[01:14] <wasabi> I'd rather have the creation of a proper CA be part of our LDAP server plans.
[01:14] <nkassi> Except I would like to use it to allow thunderbird to look up contacts
[01:15] <nkassi> sound decent.
[01:15] <nkassi> sounds decent. I mean
[01:15] <wasabi> All of this is pretty far off imo
[01:15] <wasabi> Unless mark gets a hankering and pays for it
[01:17] <nkassi> Well that was something I was hoping to work on. ;-) I'm tired of hearing my friends complain about how AD is so much easier ;0)
[01:19] <nkassi> I was really happy when I saw the ubuntu movement towards this.
[01:19] <wasabi> We need C coders. =)
[01:20] <nkassi> Hehe, I thought the project would mostly be in python seeing the Ubuntu commitment to python.
[01:22] <wasabi> The project consists of pam/nss modules and stuff. =)
[01:22] <nkassi> Dusting off my C programming language book right now :0)
[01:22] <wasabi> All the really big stuff imo, from the client side, is fixing up the pam/nss infrastructure.
[01:22] <wasabi> and nscd
[01:22] <wasabi> and then, yeah, a nice python wizard to configure it all.
[01:22] <wasabi> But still, all the heavy actual work is in C.
[01:23] <sbalneav> What needs to be done in C?
[01:23] <nkassi> Yeah is there going to be a sort of todo list somewhere ?
[01:23] <wasabi> I'm working on a plan.
[01:23] <wasabi> http://wiki.ubuntu.com/NetworkAuthentication/Client.
[01:23] <wasabi> Client comes first, unless somebody else starts working on the server independently.
[01:25] <sbalneav> Hmm, not subscribed to that one, which is odd, seeing as how I need this spec implemented for the LTSP side of things.
[01:25] <nkassi> Was there any discussion about adapting the already existing tools on fedora ?
[01:25] <sbalneav> I may be of use here, as I was the fellow who originally added openldap support for shadow components into pam_ldap :)
[01:27] <wasabi> There was, but we don't really like their tools I don't think.
[01:27] <wasabi> And have some good ideas of our own.
[01:27] <wasabi> And ajmitch already has a codebase that works.
[01:28] <wasabi> sbalneav: Sounds super insecure. ;)
[01:28] <wasabi> Check out that wiki page then, change what you think.
[01:29] <wasabi> I'm going to add a new table to NSS.
[01:29] <wasabi> "realm"
[01:29] <wasabi> And do it right.
[01:29] <wasabi> So, it'll be a lot of work to do it right. =)
[01:30] <wasabi> Also I've been thinking about new async getpwent and such APIs
[01:38] <bmonty> wasabi: a lot of the work can be done in python
[01:39] <wasabi> Sure, the wizard, which spits out a pam and nss file.
[01:39] <wasabi> And creates the remote objects and all that cool stuff.
[01:39] <wasabi> But that's not the hard part. That's scripting.
[01:40] <wasabi> The hard part is reducing blocking in nss, or coming up with a good cache strategy, or putting cross realm support into libnss-ldap, or fallback, recover, walking the SRV records.
[01:40] <bmonty> I've been using LDAP+Kerberos for awhile now, and the PAM and NSS code needs some updating
[01:40] <wasabi> Yup.
[01:41] <bmonty> there is essentially no viable caching as far as I'm concerned
[01:41] <wasabi> Right now there isn't.
[01:41] <wasabi> Right now I use nss-updatedb =)
[01:41] <bmonty> nscd doesn't seem to work at all, and I can't figure out why it doesn't cache any of my users or groups from the LDAP server
[01:41] <nkassi> I didn't know the whole spec was so extensive. So you really want to make this similar to the windows way.
[01:41] <wasabi> nkassi: I want it to work right, anyways.
[01:41] <nkassi> hehe
[01:42] <wasabi> Yeah nscd is broken.
[01:42] <bmonty> nkassi: that is how I read it....
[01:42] <bmonty> i.e. LDAP+Kerberos
[01:42] <wasabi> Well, obviously, the most important goal from a marketing point is joining AD.
[01:42] <wasabi> Since they are so prevalent.
[01:42] <nkassi> true.
[01:43] <wasabi> But luckily it's a super-set of Kerberos+LDAP.
[01:43] <bmonty> wasabi: can't you already join an AD with samba?
[01:43] <bmonty> I think using NTLM
[01:43] <wasabi> Yeah, but it's not really integrated.
[01:43] <wasabi> We really want pam_krb5.
[01:43] <nkassi> I've had my share of head ache trying to do this exact thing ;-) We had to buy a commercial set of pam modules
[01:43] <bmonty> I agree
[01:43] <wasabi> And server-based UIDs
[01:44] <bmonty> has anyone thought about which kerberos server Ubuntu is going to use?  Heimdal or MIT?
[01:44] <wasabi> Not really.
[01:45] <wasabi> I suspect when the dust clears we'll be using Heimdal.
[01:45] <wasabi> Simply because the Samba guys are pushing so much new stuff into it.
[01:45] <bmonty> supposedly the MIT server will be able to use LDAP for its user database in the near future
[01:45] <wasabi> Yeah, and Heimdal can now.
[01:45] <wasabi> I am totally convinced that server work is far off.
[01:45] <wasabi> A server without a good client is useless.
[01:45] <bmonty> does the existing pam-krb5 work with heimdal?
[01:45] <wasabi> bmonty: There's a heimdal compile of it.
[01:46] <bmonty> wasabi: don't you think that the server should be worked out before you get the client side going?
[01:46] <wasabi> Not really.
[01:46] <wasabi> We know what we're targeting.
[01:46] <lophyte> wasabi: the main goal is to get an AD-compliant client, right?
[01:46] <wasabi> The first goal, yes.
[01:46] <lophyte> I figured
[01:46] <wasabi> An AD compliant client that relies as much as possible on Krb5/LDAP
[01:47] <wasabi> So the client works with whatever we choose for our own server.
[01:47] <bmonty> I thought the goal was to have the server architecture for AD-like authentication and authorization as well as an update server
[01:47] <wasabi> That's massive long term.
[01:47] <bmonty> obviously you need a client side for that as well
[01:47] <wasabi> If you've used AD you know the issues involved with that.
[01:48] <bmonty> I use LDAP+Kerberos and I know there are plenty of issues there
[01:48] <wasabi> The scope of work with AD is huge.
[01:48] <lophyte> I wish the SSO howto on the wiki wasn't half done
[01:48] <wasabi> I mean, what, it took MS 4 years and a 100 person team?
[01:49] <lophyte> working full time, no less
[01:49] <wasabi> Kerb5 at every level, LDAP schema definition, third party integration.
[01:49] <wasabi> Long term support, upgradability.
[01:49] <wasabi> Replication of schema.
[01:49] <wasabi> A custom CA.
[01:49] <wasabi> Domains, forests.
[01:49] <lophyte> indeed
[01:49] <bmonty> ..figuring out how to lock customers into their solution
[01:49] <wasabi> Pssh. That took them 2 minutes.
[01:50] <lophyte> haha
[01:50] <wasabi> "oh lets add 1 field to krb5"
[01:50] <nkassi> hehe.
[01:50] <wasabi> Other than that, it's plain LDAP/Kerberos.
[01:50] <Burgundavia> lophyte: which sso howto?
[01:50] <lophyte> http://help.ubuntu.com/community/SingleSignOn
[01:51] <bmonty> I started writing that SSO howto, but I ran out of time to document all of the issues I was running in to
[01:51] <Burgundavia> lophyte: didn't even know that existed
[01:51] <Burgundavia> https://help.ubuntu.com/community/LDAPClientAuthentication
[01:51] <Burgundavia> I used that one
[01:51] <Burgundavia> need to update it
[01:51] <lophyte> I wanna set up a server, though
[01:51] <lophyte> ldap+krb5
[01:51] <wasabi> Go for it.
[01:52] <lophyte> I don't know how.. that's the problem :P
[01:52] <wasabi> I do it for all my client machines.
[01:52] <bmonty> lophyte: the server part is mostly complete
[01:52] <wasabi> I have two KDCs, two LDAP servers.
[01:52] <bmonty> except for how to add users
[01:52] <wasabi> Replicating over the inet. ;)
[01:53] <lophyte> ergh..
[01:53] <wasabi> Heh. If you're telling me slapd can replicate between 500 peers, you've surprised me.
[01:53] <wasabi> Until it can do that, it can't compare to AD. ;)
[01:53] <lophyte> my computer sucks with 2 Xen guests..
[01:53] <wasabi> lophyte: vmware.
[01:53] <wasabi> oh just ram?
[01:53] <wasabi> You get xen working?
[01:53] <lophyte> it sucks just as bad with vmware, lol
[01:53] <lophyte> yeah, works fine now
[01:53] <lophyte> my biggest issue was networking.. using NAT, it works fine
[01:54] <bmonty> I haven't seen it documented anywhere, but there is a big issue with udev and having group info on the LDAP server
[01:54] <bmonty> especially with edgy
[01:54] <wasabi> Should be fine... you just need to know how to configure nss right.
[01:54] <wasabi> ie NSS *must never block ever*
[01:55] <wasabi> Since all apps make an assumption that it never will.
[01:55] <bmonty> wasabi: that is one issue
[01:55] <wasabi> The only way to accomplish that is to drive NSS from a pure cache.
[01:55] <bmonty> the second is that the network isn't available when udev assigns groups to the devices it creates
[01:55] <wasabi> You shouldn't need the network for local groups.
[01:55] <wasabi> try this:
[01:55] <wasabi> passwd:         compat db
[01:55] <wasabi> group:          compat db
[01:56] <wasabi> And use nss_updatedb (package nss-updatedb) to update the DB files from the ldap module.
[01:56] <lophyte> bmonty: there's no instructions for configuring OpenLDAP.. I think that's the biggest issue
[01:56] <bmonty> wasabi: I want to have those groups stored in LDAP directly
[01:56] <wasabi> They are.
[01:57] <wasabi> cronjob, runs once an hour, that refreshes the cache.
[01:57] <bmonty> lophyte: good point, I have an OpenLDAP config file if you are interested
[01:57] <Burgundavia> lophyte: I am going to write some openLDAP stuff coming up next week or so
[01:57] <bmonty> wasabi: then you have a consistency issue
[01:57] <lophyte> bmonty: where do you configure the sasl binds, in the slapd config?
[01:57] <wasabi> bmonty: Yup. Until nss gets an async API, there is no solution.
[01:57] <wasabi> bmonty: But this one makes the box work. ;)
[01:58] <bmonty> lophyte: yes, you have to configure SASL in slapd.conf
[01:58] <wasabi> You cannot have a network query go out for every group lookup. NSS is always used single threaded.
[01:58] <lophyte> bmonty: ah, alright..
[01:58] <wasabi> The best option I have is a daemon which keeps the local cache uptodate, by subscribing to LDAP notifications.
[01:59] <wasabi> And that daemon's name might be nscd in the future. heh
[01:59] <bmonty> lophyte: the two directives are sasl-secprops and sasl-regexp
[02:00] <bmonty> wasabi: can I get a copy of your nss config file?
[02:00] <lophyte> I need to get more RAM, so I can create a virtual network of computers to tinker with this stuff
[02:00] <bmonty> I've never been able to solve the issues with nss, or find good info on the net
[02:00] <bmonty> lophyte: www.newegg.com
[02:00] <lophyte> american site.. costs for shipping :P
[02:01] <lophyte> its probably cheaper to shop locally
[02:01] <bmonty> its isn't here :)
[02:02] <nkassi> hehe
[02:02] <bmonty> lophyte: you can use a pretty much stock LDAP config, but you have to add a couple of things for SASL to work correctly
[02:02] <nkassi> yeah, there's nothing local around here that is cheaper than newegg + shipping ;-)
[02:02] <lophyte> oi..
[02:03] <bmonty> I've also found that SASL binds do not work on 64-bit machines
[02:03] <lophyte> $60 for 512mb
[02:03] <lophyte> not bad
[02:04] <bmonty> I still have to check and see if that is true with edgy though
[02:04] <wasabi> I have a 64 bit machine which binds using SASL just fine.
[02:04] <wasabi> It's not a server though.
[02:04] <lophyte> alright, i gotta go..
[02:05] <lophyte> perhaps later tonight I'll have some time to set this up
[02:05] <bmonty> wasabi: what is the architecture of your server machine?
[02:05] <lophyte> bbl
[02:05] <wasabi> em64t
[02:05] <wasabi> But it's windows. =)
[02:05] <bmonty> ok, I'm running OpenLDAP on i386, and SASL binds cause a segfault on the 64-bit machines
[02:06] <wasabi> 64bit clients?
[02:06] <bmonty> wasabi: yes
[02:07] <wasabi> Hmm.
[02:07] <wasabi> dapper?
[02:07] <bmonty> yeah with dapper
[02:07] <wasabi> oh well. core dump, post a bug.
[02:07] <bmonty> I haven't tested with edgy yet
[02:07] <bmonty> dist upgrading to edgy completely hosed my machine due to the LDAP/Kerberos setup I had
[02:08] <wasabi> heh
[02:08] <bmonty> it wouldn't boot even in "safe mode"
[02:08] <wasabi> Just set up NSS differently.
[02:09] <bmonty> wasabi: yeah, I wish I had known that
[02:09] <bmonty> once I did the dist upgrade though it was too late
[02:09] <wasabi> livecd + fix
[02:09] <wasabi> or init=/bin/bash
[02:09] <bmonty> where can I find info about setting up nss?
[02:09] <wasabi> Not really anywhere.
[02:09] <wasabi> me =)
[02:09] <bmonty> wasabi: too late, I already rebuilt the box :)
[02:10] <wasabi> ahh. you never have to rebuild a linux box.
[02:10] <wasabi> You can always just boot with init=/bin/bash, get a shell, fix the problem, and reboot.
[02:10] <bmonty> do you have a working nss config file I can copy?
[02:10] <Burgundavia> soon, I am going to rewrite the LDAPclient stuff
[02:10] <wasabi> bmonty: Use libnss-db + nss-updatedb
[02:10] <Burgundavia> which will fix all the issues
[02:10] <wasabi> It's the only reasonable way to remove the issue.
[02:10] <bmonty> BTW, other stuff I have been working on is a python binding for libkrb5
[02:10] <wasabi> Oh that's you?
[02:10] <wasabi> I saw somebody post about that someplace.
[02:11] <bmonty> and I also started a python-based LDAP user config utility
[02:11] <bmonty> both are still very experimental
[02:11] <Burgundavia> isn't the latter just n-a?
[02:11] <bmonty> my python-krb5 is based on MIT's code, so it will require some modification if the decision is to use heimdal
[02:12] <wasabi> bmonty: What's your goal with that?
[02:12] <wasabi> What are you binding?
[02:12] <wasabi> GSSAPI or ?
[02:12] <bmonty> wasabi: so you can use the krb5 library directly from python
[02:12] <wasabi> To do what?
[02:12] <wasabi> kadmin?
[02:12] <bmonty> whatever you want
[02:13] <wasabi> Just wondering what sort of program you would build that uses that.
[02:13] <bmonty> kadmin uses the krb5 lib to do its functions
[02:13] <bmonty> I have a rewrite of klist in python using my bindings
[02:13] <bmonty> I don't have enough of the API to do kadmin...yet
[02:14] <bmonty> for a lot of client side stuff you probably want to use GSSAPI
[02:14] <bmonty> but I think if you want to have a tool that can manage a LDAP+Kerberos server you need to use the krb5 lib
[02:15] <bmonty> ...and if you want to write in C there is no problem with that
[02:15] <bmonty> if you want to use python to develop your solution you are stuck since there is currently no binding to the krb5 libs that python can use
[02:16] <wasabi> Well, doesn't help much with AD.
[02:16] <wasabi> That I can see.
[02:16] <Burgundavia> interesting: http://lists.debian.org/debian-devel/2006/10/msg01177.html
[02:16] <bmonty> why do you say that?
[02:16] <wasabi> Since you don't use anything resembling kadmin to manage principals.
[02:17] <bmonty> krb5 tools can talk to AD
[02:17] <wasabi> And there's no need for client management of kerberos at all.
[02:17] <wasabi> It should work silently and transparently.
[02:17] <bmonty> wasabi: you are assuming that I'm running AD on a windows box, correct?
[02:17] <wasabi> No.
[02:17] <wasabi> I'm just comparing MS's solution to our potential one.
[02:18] <wasabi> Which is that I don't want our users dealing with krb5 principals. ;)
[02:18] <wasabi> New User, type the name, done.
[02:18] <wasabi> The only interface component we should need on the desktop is a notification tray that says "Your authentication has expired. Please click here to renew. *button*"
[02:19] <whiprush> wasabi: ajforgue has a little ticket applet thing he wrote.
[02:19] <wasabi> Yeah. I hope we don't have to show it to users ever. ;0
[02:20] <Burgundavia> wasabi: do we have pieces of software in universe that needs to migrate to main?
[02:20] <bmonty> wasabi: what are you using to manage users and groups in your setup?
[02:20] <wasabi> GQ mostly.
[02:21] <wasabi> Burgundavia: Probably will.
[02:21] <bmonty> which is a decent tool, but can't manage kerberos principals
[02:21] <wasabi> Yeah. I don't want to expose kerberos princs to users.
[02:22] <wasabi> I sort of want them to be stored in LDAP.
[02:22] <bmonty> I was thinking that eventually we need a tool that can manage users in the LDAP directory and the krb5 database
[02:22] <wasabi> Also I'd be worried about the security/policy issues of separating the two.
[02:22] <bmonty> wasabi: I want that as well
[02:22] <wasabi> ie an admin user could potentially compromise the integrity of the relation between the two.
[02:22] <wasabi> Once again, pulling another example from windows. They have discrete APIs to create a user... which handle the kerberos part and ldap part together.
[02:22] <wasabi> And make sure all succeeds.
[02:23] <bmonty> is there an open source solution that can do that?
[02:23] <wasabi> Not yet.
[02:23] <bmonty> hence the need for tools to manage those
[02:23] <wasabi> Yes, new tools... which don't use kadmin.
[02:23] <wasabi> Consider this. In my company, HR creates users.
[02:23] <wasabi> Because HR hires and fires them.
[02:24] <bmonty> yup, which requires that you can link in the krb5 lib...
[02:24] <wasabi> Nope.
[02:24] <wasabi> So, the HR users have permissions to create users. Not permissions to create principals.
[02:24] <nkassi> Does this tool require a separate spec? Cause work on that could be started pretty much now. It would be extremely useful currently.
[02:24] <wasabi> Not permissions to create LDAP objects.
[02:24] <wasabi> but discrete permissions to issue a CreateUser RPC call to the server.
[02:24] <wasabi> The logic of that lives on the server, where it can't be subverted.
[02:24] <wasabi> If the user himself could create a principal, he could create one, and link it to any object.
[02:25] <wasabi> Or rename it independently.
[02:25] <wasabi> Or assign permissions to it he didn't otherwise have the permission to assign.
[02:25] <wasabi> HR can create users, but they cannot touch anything critical. They are not systems admins.
[02:25] <bmonty> that all makes sense to me
[02:25] <wasabi> It's something we're missing.
[02:25] <wasabi> Completely.
[02:26] <bmonty> we are missing it in that there are currently no tools that implement that process
[02:26] <bmonty> I think the software that is available has features that could be used to make that work
[02:26] <bmonty> without rewriting a whole ton of stuff
[02:27] <wasabi> Sure, but I don't think allowing kadmin access from a client machine solves it.
[02:28] <bmonty> wasabi: I agree, I never proposed that
[02:29] <bmonty> BTW, can I take a look at your nss config file?
[02:29] <bmonty> and what were the other nss packages you said I needed to install?
[02:31] <wasabi> nss-updatedb
[02:31] <wasabi> my config file is "passwd: compat db"
[02:32] <wasabi> group: compat db
[02:32] <wasabi> nothing else
[02:32] <bmonty> and this basically copies the users and groups from the LDAP server to the local machine?
[02:36] <ajmitch> hey bmonty
[02:37] <bmonty> hi ajmitch
[02:39] <ajmitch> whiprush: you around?
[02:39] <ajmitch> bmonty: coming to MV?
[02:39] <bmonty> ajmitch: no
[02:39] <ajmitch> unfortunate
[02:40] <bmonty> yeah...I'm way too busy at work
[02:42] <bmonty> ajmitch: is this going to get discussed at MV?
[02:43] <ajmitch> definitely
[02:44] <ajmitch> write up anything else you think we need
[02:44] <bmonty> ok
[02:48] <Burgundavia> bmonty: I have been using lat instead of gq
[02:48] <Burgundavia> a little crashy, but a much nicer UI
[02:48] <whiprush> ajmitch: yeah
[02:48] <ajmitch> whiprush: got the hotel details?
[02:48] <whiprush> dang, not on me, I did it old school. (pen and paper)
[02:48] <ajmitch> ok
[02:48] <whiprush> oh
[02:49] <whiprush> let me find it on the map
[02:49] <Burgundavia> I just lie
[02:49] <ajmitch> mainly just the address
[02:49] <ajmitch> Burgundavia: I also want to know where it is
[02:49] <whiprush> http://www.choicehotels.com/ires/en-us/html/HotelInfo?hotel=CA679&promo=gglocal
[02:49] <whiprush> booya
[02:49] <ajmitch> nice, I wonder how dodgy it is
[02:50] <whiprush> one of my friends works at google and said that it was nice.
[02:50] <whiprush> not like, omg nice. but a nice normal hotel for a decent price
[02:50] <ajmitch> that's excellent
[02:51] <ajmitch> aha, found it on google maps
[02:51] <ajmitch> nice & close to google HQ
[02:51] <whiprush> yep
[02:52] <whiprush> learned my lesson after staying all far at the boston summit
[02:52] <ajmitch> right by the freeway though
[02:52] <ajmitch> like *right* beside it, by the look of the map
[02:53] <whiprush> are you concerned about the noise?
[02:54] <ajmitch> it shouldn't be too bad, I guess
[02:54] <Burgundavia> ajmitch: whiprush's melodious snoring will drown out all
[02:54] <wasabi> bmonty: "nss-updatedb ldap"   will retrieve the entire passwd/group tables from the libnss-ldap module, and store them in a bdb database.
[02:54] <wasabi> bmonty: the "db" nss module will read from those.
[02:54] <ajmitch> whiprush: that's what I expect
[02:54] <wasabi> You schedule nss-updatedb to be run, using GSSAPI/SASL binding, every hour or something reasonable.
[02:54] <wasabi> As root.
[02:54] <ajmitch> whiprush: looks like we get free google wifi
[02:55] <whiprush> ajmitch: don't worry, it's california, the cars don't actually move on the freeway
[02:55] <whiprush> it's more of a parking lot.
[02:55] <wasabi> I wish I could drive.
[02:55] <bmonty> wasabi: ok, thanks
[02:56] <ajmitch> haha
[02:56] <ajmitch> whiprush: what are the arrangements for the airport? shall I try & get a shuttle in?
[02:57] <whiprush> ajmitch: I recommend the train
[02:57] <whiprush> the BART
[02:58] <ajmitch> but the BART doesn't go down that way, does it?
[02:58] <whiprush> but we should probably ask someone from mountain view
[02:58] <whiprush> it goes to mountain view
[02:58] <whiprush> then you can cab from there
[02:01] <ajmitch> either that or if I catch a shuttle in,  mpt & infinity are on the same flight as I am
[02:02] <Burgundavia> from sfo there is a train
[02:02] <Burgundavia> whiprush: we caught that
[02:02] <ajmitch> caltrain
[02:02] <Burgundavia> however, google runs buses from downtown
[02:02] <Burgundavia> and I presume the airport
[02:02] <Burgundavia> they may be running buses for us
[02:02] <ajmitch> canonical sponsored people have been told that there's a shuttle
[02:02] <ajmitch> not google-provided
[02:03] <Burgundavia> ah
[02:03] <ajmitch> Supershuttle http://www.supershuttle.com/. From San Francisco, it would
[02:03] <ajmitch> be about $40-45.00 one way.
[02:03] <ajmitch> expensive
[02:05] <Burgundavia> you are landing at sfo?
[02:05] <ajmitch> yeah
[02:06] <Burgundavia> sfo is on the caltrain run
[02:06] <ajmitch> so I saw
[02:06] <Burgundavia> I would take that to mtv, and then take a taxi from there
[02:06] <ajmitch> I'd have to check where it stops in MV
[02:06] <Burgundavia> downtown
[02:06] <Burgundavia> about 20 minutes from google
[02:06] <ajmitch> ok
[02:06] <Burgundavia> this is the train we took for ubucon
[02:07] <ajmitch> how much does it cost?
[02:07] <Burgundavia> caltrain? $10?
[02:07] <ajmitch> k
[02:08] <ajmitch> whiprush: when do you get to the hotel?
[02:08] <whiprush> damn, all these questions!
[02:08] <whiprush> sec
[02:08] <ajmitch> heh
[02:09] <ajmitch> we like to plan ahead :)
[02:11] <whiprush> probably 8-ish on Saturday the 4th.
[02:11] <whiprush> 8pm
[02:12] <whiprush> I'll have your name on the room if you get there before we do.
[02:12] <ajmitch> much earlier
[02:12] <ajmitch> flight lands at 11:15AM
[02:12] <whiprush> ok
[02:12] <whiprush> when I finalize the reservation I'll let them know you'll be coming in first
[02:13] <ajmitch> I can probably fill in the time :)
[02:13] <ajmitch> thanks
[02:13] <whiprush> I am sure there will be people around to hang out with
[02:13] <whiprush> google is open on the weekends, I wonder if people will be hanging out there.
[02:13] <ajmitch> I wonder how long it'll take to walk to google
[02:14] <whiprush> ajmitch: hopefully my friend will be our ride in everyday, heh.
[02:14] <ajmitch> yeah, but I may go for a walk anyway
[02:15] <whiprush> oh
[02:17] <ajmitch> besides, I need to wander into MV about 5pm or so
[02:20] <whiprush> I wouldn't mind walking everyday if it's like, less than 45 minutes or something
[02:20] <ajmitch> looks like it may be, but the tricky part is where to cross the freeway
[02:21] <whiprush> I am trying to remember if it's an elevated freeway
[02:21] <whiprush> let me ask my google friend
[02:22] <Burgundavia> got a linky to the map?
[02:22] <Burgundavia> I might be able to remember
[02:22] <whiprush> http://maps.google.com/maps?f=q&hl=en&q=hotel+Mountain+View,+CA&ie=UTF8&z=14&ll=37.40746,-122.082739&spn=0.04568,0.114326&om=1&iwloc=H
[02:22] <ajmitch> just looking at google maps
[02:23] <whiprush> I remember driving by that airbase multiple times
[02:23] <ajmitch> we're at H on that map
[02:24] <lophyte> actually I've never been out of Canada...
[02:24] <lophyte> or Ontario at that
[02:25] <ajmitch> took me awhile to get out of NZ
[02:26] <bmonty> just clicked on the map link...I've actually been there before :)
[02:26] <lophyte> alrighty.. I'm gonna go through the SSO howto
[02:26] <ajmitch> bmonty: the hotel, or the area?
[02:26] <bmonty> the area
[02:27] <bmonty> I think the hotel I stayed at was right down the street
[02:27] <bmonty> I remember thinking that the place was set up to get around really easy without a car
[02:28] <ajmitch> lophyte: I know how it is
[02:28] <ajmitch> bread & water for me for the week :)
[02:29] <lophyte> lol
[02:29] <lophyte> I really need to find a job..
[02:30] <whiprush> ajmitch: my friend says it's 10-20 minute walk!
[02:30] <ajmitch> oh if I get paid this week I'd have about $2K USD by the weekend, and I'd be fine
[02:30] <lophyte> I don't get paid.. so..
[02:30] <lophyte> this is all I have
[02:30] <ajmitch> whiprush: wonderful :)
[02:30] <ajmitch> whiprush: I could probably walk from the train station too :)
[02:31] <whiprush> that was like a 15 minute drive
[02:31] <whiprush> but the area down there is nice
[02:31] <ajmitch> ok
[02:31] <whiprush> you could probably walk around the shopping areas and whatnot if you're bored
[02:32] <ajmitch> the train station looks closer than google does
[02:32] <ajmitch> it's a walk straight down moffett blvd
[02:33] <ajmitch> yeah, since I can't get to mass on the sunday, I'll be going on saturday, so that'll take some time
[02:33] <ajmitch> conveniently that's right beside the train station
[03:49] <whiprush> Burgundavia: where can I find channel logs?
[03:49] <whiprush> is it still on people.something?
[03:49] <Burgundavia> whiprush: for this channel?
[03:49] <whiprush> ya
[03:49] <Burgundavia> people.ubuntu.com/~fabbione/irclogs
[03:49] <whiprush> ta
[06:21] <wasabi> So I've been thinking about the caching problem.
[06:21] <wasabi> Number of different solutions.
[06:22] <wasabi> either fix nscd, or use/write something else.
[06:22] <wasabi> The db idea is pretty appealing.
[06:27] <wasabi> Guess I'd be worried about db corruption though.
[06:27] <wasabi> hmmmmmmmmmmm
[06:34] <wasabi> I guess it would be reasonable for remote users to simply not exist until nscd starts.
[06:34] <whiprush> wasabi: also I thought about something while driving around today
[06:34] <whiprush> that RH cert server isn't oss.
[06:36] <wasabi> They have a cert server?
[06:36] <whiprush> yep
[06:36] <wasabi> I've heard some good things about OpenCA.
[06:36] <whiprush> I was driving around and was like "oh shit, we're going to need one of those."
[06:36] <wasabi> Yeah.
[06:36] <wasabi> Thought about it earlier.
[06:36] <wasabi> Again, this is why server-side is a huge project. ;)
[06:37] <wasabi> So many pieces that all tie in together.
[06:37] <wasabi> And are huge on their own.
[06:38] <wasabi> I've sort of got a game plan for where I will start work at. I've already got a broken patch to add a realm table to nss.
[06:38] <wasabi> I'll get that done, then start digging into libnss.
[06:38] <wasabi> -ldap that is
[06:40] <wasabi> Or whatever. To be honest, I don't have enough time for this.
[06:41] <wasabi> me->bed
[03:47] <lophyte> morning all
[04:03] <wasabi> moni
[04:15] <wasabi> Does anybody want to be responsible for separating server stuff out of NetworkAuthentication?
[04:16] <MagnusR> you mean in the specification?
[04:16] <wasabi> just the wiki.
[04:16] <wasabi> it needs cleanup
[04:17] <MagnusR> I can give it a try. Shall I create a new page NetworkAuthenticationServer to put things that are cleaned out until we know where to put it?
[04:18] <wasabi> https://wiki.ubuntu.com/NetworkAuthentication/Client   is client stuff
[04:18] <wasabi> So, I'd imagine /Server would be server stuff.
[04:20] <MagnusR> Hmm seems that we have three different pages today: https://wiki.ubuntu.com/NetworkAuthentication https://wiki.ubuntu.com/NetworkAuthentication/Client https://wiki.ubuntu.com/NetworkAuthentication/ScratchPad
[04:20] <wasabi> ScratchPad was some stuff I was just braindumping too
[04:20] <wasabi> It can be ignored. =)
[04:23] <tepsipakki> wasabi: was it you that had some ideas about an offline "cache" (using bzr) for a networked filesystem?
[04:24] <wasabi> yeah
[04:24] <tepsipakki> do you know about FS-Cache? it only provides the basic support for caching stuff but the offline-use is left to the fs itself
[04:24] <wasabi> Not a networked file system.
[04:25] <MagnusR> What about using ifolders?
[04:26] <alp> anyone familiar with the novell ldap stuff?
[04:26] <wasabi> Not really. Never had a chance to touch it.
[04:26] <alp> i think we have a good c# ldap stack
[04:27] <alp> that should be "they"
[04:28] <alp> don't know if their directory services are based on that, think it's all new
[04:30] <tepsipakki> ald: do you mean eDirectory?
[04:30] <tepsipakki> alp: ^^
[04:30] <MagnusR> I think the c#-bindings are used to connect new things to the old NDS stuff.
[04:33] <alp> http://developer.novell.com/wiki/index.php/Ldapcsharp <- looks standards based and pretty active
[04:43] <lophyte> wtf :\
[04:43] <lophyte> kadmin: Improper format of Kerberos configuration file while initializing krb5 library
[04:45] <wasabi> Novell's LDAP C# libraries are fine.
[04:45] <wasabi> But I suspect nobody here is going to use them.
[04:45] <bmonty> lophyte: check your krb5.conf file, especially the part that tells the lib how to contact the kadmin server
[04:46] <lophyte> why do I get the feeling these locale errors are wreaking havoc
[04:48] <alp> wasabi: oh, what's the game plan?
[04:49] <alp> when i put together the mono debian packages and policy all those years ago this is exactly the kind of neat project i had in mind :-)
[04:50] <alp> i am unfamiliar with the python libraries though, it's quite possible they're more suitable
[04:52] <MagnusR> I think Apple have released Python Bindings for parts of kerberos.
[04:53] <bmonty> MagnusR: do you have a link?
[04:54] <alp> i have done some work with managed pam plugins and nss
[04:55] <wasabi> Yeah, but whatever we do, I want to have uptake on every distro.
[04:55] <wasabi> And there's a political situation that matters.
[04:55] <wasabi> Managed NSS sounds sorta wonky too. A CLR in every process instance?
[04:56] <wasabi> Unless it's a shim to an out of process CLR or something.
[04:57] <alp> the nss stuff was just for configuration
[04:59] <wasabi> I think we've got a pretty good plan on where to go from here for client side stuff. I think now I'll just do some little work before UMV to make sure it's reasonable, then have the full conversation at UMV.
[04:59] <wasabi> Unless mark pays some people, it's not going to happen... I suspect. =)
[05:00] <alp> i think it would be doable in a few months if it didn't aim to interoperate with AD, use ldap properly and so on
[05:00] <wasabi> All that's needed to interoperate with AD is LDAP.
[05:00] <wasabi> And Kerberos.
[05:00] <wasabi> AD isn't very special.
[05:01] <MagnusR> bmonty: It is called python-kerberos in debian unstable.  It's under Apache License
[05:01] <bmonty> MagnusR: thanks
[05:02] <alp> apparently integrating the c# ldap libraries with kerberos is on the novell todo list, though that means it's not around now (http://forge.novell.com/modules/xfmod/newsportal/article.php?group_id=1318&msg_id=981&group=novell.devsup.ldapcsharp)
[05:04] <lophyte> ergh.. why won't the kdc run..
[05:04] <wasabi> Error?
[05:04] <lophyte> nothing at all
[05:04] <wasabi> Well, it has logs. =)
[05:05] <lophyte> yeah, but there's no logs either
[05:05] <wasabi> /var/log/krb5kdc i think
[05:05] <lophyte> yeah nothing there
[05:05] <wasabi> well, try to start it without the init script.
[05:06] <wasabi> then strace it.
[05:10] <lophyte> krb5kdc: cannot initialize realm BLINDUTOPIA.COM - see log file for details
[05:10] <lophyte> but there's no log file
[05:10] <wasabi> Heh.
[05:11] <lophyte> that's helpful
[05:11] <lophyte> stupid kdc
[05:12] <wasabi> Interesting. Looks like Heimdal and MIT both have PKINIT support, and so does pam_krb5.
[05:12] <wasabi> I think our pam-krb5 is diverged.
[05:15] <wasabi> Yeah. Completely.
[05:18] <tepsipakki> pam_krb5 from redhat?
[05:18] <wasabi> Yeah. Looks like the two bases diverged years ago.
[05:19] <wasabi> Ours seems to be maintained still, theirs is only maintained internally.
[05:19] <tepsipakki> yep
[05:19] <lophyte> oi.
[05:19] <wasabi> http://www.stacken.kth.se/lists/heimdal-discuss/2006-10/msg00034.html
[05:19] <tepsipakki> oh, there are tools in fedora/rhel that notify about expired tickets
[05:20] <wasabi> We got PKINIT patches just a few days ago.
[05:20] <wasabi> Looks like Nalin from RH is participating in the conversation (I talked to him a few years ago, he maintained libpam-krb5 internally)
[05:20] <wasabi> so I bet they'll merge again
[05:21] <lophyte> this is silly
[05:22] <MagnusR> I have started to move server things from https://wiki.ubuntu.com/NetworkAuthentication to https://wiki.ubuntu.com/NetworkAuthentication/Server. Please add and comment.
[05:22] <wasabi> Nice. Thanks.
[05:23] <tepsipakki> slapd is from openldap? how about fedora directory server?
[05:24] <tepsipakki> oh, it was mentioned
[05:24] <tepsipakki> =)
[05:24] <tepsipakki> (on the wiki)
[05:25] <MagnusR> Fedora DS has a lot of nice web interfaces. So I think it should be evaluated. Unfortunately it takes more resources.
[05:25] <tepsipakki> I remember seeing an ITP of it
[05:25] <MagnusR> Anyone know if there are any deb:s for it?
[05:25] <wasabi> There aren't.
[05:25] <wasabi> Few people here were working on it
[05:26] <wasabi> The interfaces require Sun's JRE.
[05:26] <MagnusR> That's bad
[05:26] <lophyte> hrm
[05:26] <tepsipakki> but we have that now :)
[05:26] <lophyte> so I got the kdc to start..
[05:26] <lophyte> but now kadmin fails
[05:30] <wasabi> Think I'm going to try to migrate my kerberos to LDAP
[05:30] <tepsipakki> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315297
[05:30] <tepsipakki> that's the ITP
[05:31] <MagnusR> wasabi: But with only ldap you do not get the SSO possibility.
[05:31] <wasabi> Huh?
[05:31] <tepsipakki> magnusR: does fds have a kdc as well?
[05:32] <wasabi> Didn't say replace Kerberos.
[05:32] <wasabi> Store keys in LDAP
[05:32] <MagnusR> wasabi: ok, misunderstood you
[05:32] <MagnusR> tepsipakki: no
[05:34] <lophyte> ugh.. okay, I give up
[06:01] <wasabi> Anybody aware how to enable simple bind in slapd only over ldapi?
[06:11] <wasabi> Interesting. When creating a new principal, it doesn't search for existing objects.
[06:11] <wasabi> That's not so good.
[06:41] <lophyte> hrm..
[06:45] <lophyte> yay, more errors
[06:56] <lophyte> how do I add a host principal in krb5?
[07:01] <wasabi> kadmin
[07:01] <wasabi> host/fqdn
[07:01] <lophyte> how do you use kadmin without already having a principal set up, though?
[07:01] <wasabi> kadmin -l
[07:01] <lophyte> ah.
[07:02] <lophyte> ..eh, there is no l option
[07:02] <wasabi> kadmin.local then with MIT
[07:02] <lophyte> hehe, no kadmin.local either :P
[07:02] <wasabi> Beats me then. ;)
[07:03] <wasabi> one of the two should be present.
[07:03] <lophyte> or do I need krb5-admin-server installed
[07:04] <lophyte> meh.. i have to go
[07:05] <lophyte> I'll look for a complete howto later
[10:21] <siretart> can you guys recommend a tutorial and/or good documentation for MIT Kerberos in edgy?
[10:23] <wasabi> Nope.
[10:39] <Burgundavia> ajmitch, wasabi: would one of you mind responding to that -directory announce post on -devel and answer those peoples questions?
[10:40] <wasabi> looking
[10:40] <wasabi> oh. missed all that
[10:41] <tepsipakki> I tried tp3 a week ago
[10:42] <tepsipakki> shared libraries are broken, so I couldn't run the provisioning script
[10:42] <tepsipakki> or program, actually
[10:43] <tepsipakki> that's samba-4.0.0tp3 I was talking about :)
[10:44] <ajmitch> yep
[10:44] <ajmitch> I saw your post on the samba list :)
[10:45] <tepsipakki> oh :)
[10:46] <tepsipakki> the packaging needed some tweaks to get through
[10:46] <ajmitch> yes
[10:47] <tepsipakki> anyway, I'm looking forward to the beta
[10:48] <tepsipakki> whenever that is released..
[10:48] <ajmitch> yep
[10:58] <wasabi> What do I want to respond to? heh
[11:07] <wasabi> What do I want to respond to? heh
[11:14] <lophyte> Burgundavia: I don't think I have time now to finish up the -ca approval.. I've got some things that need to be taken care of offline at the moment