=== Fujitsu [n=Fujitsu@ubuntu/member/fujitsu] has joined #ubuntu-directory
=== nkassi [n=nkassi@WK20-156.lewisweb.net] has joined #ubuntu-directory
=== abartlet [n=abartlet@dp.samba.org] has joined #ubuntu-directory
wasabihowdy abartlet.03:52
robertjit would be sweet if you could set up an area of the wiki that was read-only to non-project members04:10
robertjunfortunately any kind of brain-storming on the wiki turns...less than productive (see any page containing Community in the title)04:11
ajmitchyes, it does quickly turn into a bit of a mess04:15
robertjajmitch: mmm, if only RecentChanges could be filtered by karma ;)04:18
ajmitchyou've seen the insane amounts of karma given for support requests?04:19
robertjajmitch: true, but if its not used for anything I doubt anyone will bother to adjust the weighting04:22
ajmitchit's meant to be used for important things, like business partnerships with canonical04:23
ajmitchwhich is why having broken karma weightings is worrying04:24
FujitsuThey (LP people) said it should settle down after a couple of weeks, but it's been several.04:27
robertjajmitch: well I see it is a chicken <> egg thing, where nothing important will use it unless its fixed04:30
Fujitsurobertj: The fix is quite simple. Disable support karma!04:30
FujitsuOr divide it by 1000000 or something.04:30
robertjFujitsu: I think its valid, it just needs to be devalued substantially04:31
FujitsuAnd the lack of Soyuz karma is a little strange.04:31
robertjnow that I've started using an RSS reader instead of visiting planets all day, I realize how pointless most of the garbage is04:32
robertjI'm _really_ hoping GOOG will implement some Advogato-style magic04:33
FujitsuWhat garbage where?04:33
robertjFujitsu: well 99.99% of everything everywhere is crap04:33
robertjdoubly-so for things that find their way to RSS :)04:33
ajmitchFujitsu: and eventually, bzr karma..04:34
ajmitchwhich would be horribly difficult to quantify04:35
FujitsuIt would, yes.04:35
ajmitchsince I'm the sort of person who would commit every 5-10 minutes while working on something, while others commit daily04:35
robertjajmitch: I think that's horribly bound to fail04:35
ajmitchI like to keep commits nice & small & independent changes04:35
FujitsuI'm the former sort...04:35
ajmitchrobertj: sure, doesn't mean they won't do it :)04:35
FujitsuSomebody decided that nss-updatedb was the package for /usr/bin/updatedb04:36
robertjajmitch: network-flow based algorithms are the only viable choice I see for karma04:36
ajmitchyes, I reassigned that to slocate04:36
ajmitchrobertj: it's closed source, we can't do anythign about it but complain04:36
FujitsuGood, though I didn't see an email about it.04:36
=== Fujitsu restrains self from ranting about LP's closedness.
robertjIsn't LP supposed to be OSS eventually?04:37
FujitsuIt is seriously bad!04:37
Fujitsurobertj: That last word is the keyword.04:37
Fujitsurobertj: It's been going to be OSS soon for over 2 years now.04:37
ajmitchrobertj: 'eventually' could be 5-10 years04:37
FujitsuWhat ajmitch said.04:37
FujitsuBy which time countless volunteer hours will have been lost because of the patheticness of the UI, and the lack of useful features.04:38
Fujitsu'cause Malone's search rocks.04:38
robertjis anyone going to be bringing this up at MVS?04:38
FujitsuAnd finding the way to file a bug on a package in Ubuntu is soooo easy from the LP homepage. That gets a lot of new people.04:38
Fujitsurobertj: Little point, Mark will probably just step on anybody that does.04:39
ajmitchrobertj: we could bring it up all we want, but what good will it do?04:39
ajmitchit's a known problem04:39
robertjajmitch: what is he waiting on?04:39
ajmitchsure, we could hack around it by implementing our own free software launchpad04:39
ajmitchrobertj: for when he feels like it04:39
lophytehey guy04:40
ajmitchit's all one large interwoven zope3 app, so it's hard to even free various components without splitting them out04:40
Fujitsuajmitch: That's not toooooooo impractical (emphasis on the tooooo).04:40
FujitsuHey lophyte.04:40
Fujitsu(the writing a FOSS LP)04:41
Fujitsuajmitch: Or so they say. That could just be an excuse)04:41
robertjwhat's in there they wouldn't want to be FOSS?04:41
Fujitsurobertj: Soyuz.04:41
ajmitchFujitsu: apparantly it requires people to step up & help out04:41
ajmitchand malone04:41
Fujitsuajmitch: Oh, and sign NDAs. Great.04:42
ajmitchand various other parts which give them a competitive advantage04:42
ajmitchFujitsu: of course04:42
FujitsuIf they were really innocent, they wouldn't have interwoven anything in the first place.04:42
ajmitchit's just easier to make a system that is well integrated04:42
ajmitchapparantly he'd be happy with freeing rosetta & the product registry to start with04:43
FujitsuIt is easier, but it also gives the advantage of an excuse for not opening it.04:43
FujitsuOf course, if he freed those two, there's no reason Malone and Soyuz couldn't be reimplemented by the FOSS community in a reasonable length of time.04:43
FujitsuI've got it!04:45
FujitsuHe'll release them under the CDDL or whatever it's called!04:45
ajmitch"Launchpad is a large, monolithic, web application. We would be happy to release the code for the Registry, for example, which keeps track of all upstream products and their series and releases; however, that code will not run without the distribution management code, which is part of of the service that Canonical provides to other companies that make their own distributions."04:45
FujitsuYes, I've read that many, many times.04:46
FujitsuSoyuz is the big thing.04:46
ajmitchfor the distro point of view, yes04:46
FujitsuBut does he really think other commercial distros are going to use LP?04:46
=== ajmitch wonders if he should reject this f-spot bug
FujitsuThat's incredible.04:47
FujitsuWhat is it, ajmitch?04:47
robertj"however, that code will not run without the distribution management code, which is part of of the service that Canonical provides to other companies that make their own distributions." <- what companies are those?04:47
Fujitsurobertj: None at this time.04:48
ajmitchFujitsu: plugging in the camera starts the gthumb importer, not f-spot04:48
ajmitchwhich was a decision we made (or we kept the status quo)04:48
FujitsuThat's g-v-m, innit?04:48
ajmitchit's a gconf setting04:48
lophytealright.. back to setting this stuff up04:48
robertjFujitsu: is HP still shipping laptops with Ubuntu?04:48
lophyteI'm using heimdal now04:48
Fujitsurobertj: I don't know.04:48
lophyteHP is shipping laptops with ubuntu?04:48
robertjajmitch: btw, I was elated to see I can right click & eject in Nautilus' side-bar now :)04:49
Fujitsurobertj: Really?04:49
FujitsuI didn't notice that...04:49
robertjlophyte: they were ages ago...like...pre-breezy maybe?04:49
FujitsuThat's annoyed a lot of people.04:49
ajmitchI didn't notice it because I'm used to it by now04:49
Fujitsu(I probably didn't notice 'cause I don't use Nautilus)04:49
lophytesweet, maybe I'll look into getting an HP instead of a Dell.04:50
lophyteDell wouldn't sell me an OSless laptop for lower than retail price04:50
lophyteso much for "Dell makes a computer for you"04:50
robertjdoh, no right-click empty trash04:50
robertjlophyte: Dell makes money off the software they sell you04:50
Fujitsulophyte: I know, that infuriated me when I got my laptop in January.04:50
robertjlophyte: all those "free trials..." they get a cut I'm sure04:50
lophyteI called them up and asked if I could get a laptop without Windows for cheaper..04:51
lophyteI said I didn't wanna pay for the license04:51
lophytethey were like "sorry we can't do that"04:51
robertjlophyte: they are still cheaper $ for $04:52
lophytethan what?04:53
robertjif you shop the sales they are cheaper than almost everyone (even emachines)04:53
robertjtodays deal...Dell EPP E1505 Core 2 Duo 2.00GHz, 15.4" WXGA, 2GB, 80GB, DVDRW, $84504:54
lophyteI was gonna get their cheapest one04:54
lophyteit was like $615 or something04:54
robertjlophyte: I bought a 1405 for $607 a few months back04:55
lophyteI think it was the Dimension 110004:55
robertj1100 at $600ish?04:55
robertjare you in the US?04:55
lophyteI believe so... but I may be mistaken04:55
lophyteone sec04:55
nkassiDo you have a link to the Dell EPP E1505 ?04:55
lophyteI got the names mixed up, haha04:55
robertjEPP is more expensive than sales04:56
lophytemoron ;_;04:56
lophyteDell Inspiron 130004:56
nkassiThat is exactly what I was going to get from HP but for 1500$ with taxes04:56
nkassioh thanks04:56
nkassiGoing to shop now ;0)04:56
robertjDimension 1100 is like the cheapest desktop04:56
lophyteright, Dimension is desktops..04:56
lophyteInspiron is laptops04:56
robertjLatitude is also laptops04:57
robertjfor home users the distinction between lines is minimal04:57
lophyteugh.. I'm going to run cat5 one of these days04:57
robertjyou pay more on one line for a guarantee that you can 3 years of replacement parts & that parts will interchange within all models in the given series04:57
robertjso take the machine you like best without regard to the series04:58
lophyteactually I think it was the Inspiron 110004:58
lophytefor $63904:59
robertjlophyte: I've bought a $1505 too, they are nice05:00
robertjerr e150505:00
nkassiBah, the HP 6000t still seems the best deal.05:00
nkassiFor those looking for a nice laptop.05:01
robertjbtw, I'm showing the 1300 at $56905:01
robertjM 1.7ghz/1gig05:01
robertjbtbut if you can scrape it together the extra crash is way worth it for double the ram, much better proc & screen, and the burner05:02
lophytesetting up ldap/kerb is such a long process05:02
robertjlophyte: isn't that why we are here ;)05:03
lophytei've never done it before05:03
lophyteI'm using heimdal+openldap05:03
ajmitchbut it's so fun!05:03
lophyteusing that howto ^05:04
=== ajmitch has only done it a couple of times - it didn't turn out to be too hard, but I did do a bit of reading
ajmitchwell, maybe more than a couple05:04
robertjajmitch: you going to MVS right?05:05
robertjcan you _please_ pimp avahi advertisements of services like...maybe slapd?05:06
lophytewhat /is/ avahi, btw?05:07
lophyteI haven't read up on it yet05:07
robertjlophyte: it is bliss05:07
ajmitchyou know you can just drop files into /etc/avahi/services ?05:07
nkassilophyte: http://www.linuxjournal.com/article/837405:07
ajmitchwell, drop service descriptions in there05:07
nkassiif you follow all parts you should have a pretty nice setup ;-)05:08
lophytenkassi: ty.. maybe that'll be better than this howto I'm following05:08
lophyterobertj: wanna elaborate on that? :P05:08
robertjlophyte: heard of bonjour/rendezvous?05:08
lophyteisn't rendezvous like a LAN-based IM system?05:09
nkassilophyte: there are 4 parts by the way. They should turn up if you search on the LJ site.05:09
lophytenkassi: excellent.. thanks05:09
ajmitchlophyte: multicast DNS service discovery05:09
lophyteah, sweet.05:10
abartletlophyte: that looks like a good howto!05:12
robertjajmitch: can you think of any reason a daemon shouldn't have an avahi service definition?05:13
abartletfor once...05:13
lophyteabartlet: which one? the one I pasted?05:14
abartletlooks like a very high degree of clue05:14
ajmitchrobertj: because people may not like it :)05:15
ajmitchhey abartlet05:15
abartletthe only thing it needs is info on hooking Samba in, which you can do with heimdal05:15
ajmitchabartlet: what's the status of shared libraries with samba4?05:16
abartletif that howto was the basis of this ubuntu directory project, I would at least be happy it would start with a good basis, of exising software05:16
ajmitchjelmer said there were some issues..05:16
abartletajmitch: shared libraries are hard :-)05:16
ajmitchof course05:16
abartletbut I think jelmer has them working for the moment05:16
ajmitchoh great05:16
ajmitchI'll have to chase him up :)05:16
abartletharder still is keeping APIs solid...05:16
ajmitchI really want to look at this new code for interfacing with AD that I've heard of05:18
abartletwhich bit?05:18
ajmitchjoining domains, password changes, notifications, etc05:19
ajmitchall I've heard so far has been an article or two online & a novell podcast05:19
abartletperhaps move this over to #samba-technical?05:19
robertjwhere does the list of services in System->Administration->Services come from?05:20
ajmitchrobertj: probably /etc/init.d & related rcX.d directories05:20
ajmitchif it's the app I'm thinking of05:21
robertjok, more difficult question, is there a way to list all packages that place files in /etc/init.d05:22
robertjgoing though those & weeding out the non-local services would probably be the most comprehensive list of files needing avahi service definitions :)05:23
ajmitchrobertj: it'd be hard - maybe by apt-file05:24
robertjajmitch: neuralis nailed it on -devel05:26
ajmitchI should read that..05:26
robertj#-devel that is05:27
robertj<neuralis> robertj: apt-get install apt-file; apt-file update; apt-file search init.d05:27
=== Burgundavia [n=corey@ubuntu/member/burgundavia] has joined #ubuntu-directory
nkassiHey, what are the chances that samba 4.0 will be a part of the Ubuntu Directory on the server side ?06:07
Burgundaviankassi: given the server is currently no speced, I would say likely06:07
nkassicool. thanks.06:07
Burgundaviahowever, samba4 is not out yhet06:08
ajmitchand we've just been talking with some samba people06:08
ajmitchit'll be awhile, certainly not likely for feisty06:08
nkassihehe, I pretty much guest that. From what I see the Server side will also be for feisty+1 right ?06:09
nkassiguessed that ;)_06:10
Burgundaviaunless soembody comes along06:10
ajmitchthere'll be development work done in parallel for client & server, but it's most likely to be feisty+1 target06:10
nkassiI would love to help but this stuff is way over my head right now ;0)06:11
=== lophyte [n=dsulliva@bas5-toronto63-1096730685.dsl.bell.ca] has joined #ubuntu-directory
ajmitchBurgundavia: so most of the AD integration stuff that SLED10 has is in samba306:38
ajmitchwhich is useful06:38
Burgundaviaah, interesting06:38
Burgundaviaajmitch: sanity check: our network auth connection stuff, which you are writing06:38
ajmitchmakes sense that they wouldn't be using samba4 code yet06:38
Burgundaviais there a way to get that to be cross-distro?06:38
ajmitchcross-distro on which way?06:39
Burgundaviareduce our support burden by having suse and rh join in and use it06:39
ajmitchthe code I have is reasonably specific because of the package integration & the ways that distros differ with pam & other config files06:39
Burgundaviaah, yes06:39
ajmitchsure, the core is all there, and it's fully extensible by modules06:39
Burgundaviathose pam differences is total crack06:40
Burgundaviathere is no sane reason for each distro to have its own version06:40
ajmitchbut the current modules have some debian/ubuntu-specific stuff like reading/writing debconf values06:40
ajmitchit's not hard to factor that out06:40
Burgundaviaosdl needs to have a network-auth summit06:40
ajmitchwould be nice06:40
ajmitchso we should probably make sure we get samba 3.0.23c in feisty06:41
Burgundaviamight suggest that on desktop-architects06:41
ajmitchassuming that code we need is in there06:41
Burgundaviadebian already has .23 I think06:41
ajmitchbut what revision?06:42
ajmitchok, 3.0.23c06:42
Burgundaviano idea06:42
ajmitchso it needs merged, I'll see if I can do that this week or next06:42
ajmitchpitti did it last, so I'll talk to him06:43
Burgundaviawhat does our samba delta look like?06:43
ajmitchI'll have to look06:43
ajmitchdon't ask me that when I'm only just checking it06:43
Burgundaviayep, just wondering06:44
ajmitchthe more I use beryl, the more plugins I turn off06:44
ajmitchyou know that RH would ask why we didn't use authconfig instead06:46
ajmitchand suse will want to promote their tool06:46
Burgundaviawhich I think is yast06:47
Burgundaviawe dont' we use authconfig?06:47
ajmitchok, grabbed samba from edgy, now fetching from sid06:47
ajmitchbecause I wanted some of that debian specific stuff06:47
Burgundaviawhat do you mean?06:48
ajmitchdebconf, managing conffiles, packages, etc06:48
ajmitchand I was going to use authtool in package maintainer scripts as well, which may still be an option06:48
ajmitchit'll probably still be needed06:49
ajmitchso that when you upgrade various libraries, it just DTRT06:49
ajmitchhence why the package got native versioning, etc06:50
ajmitchwhich I should probably change06:51
ajmitchwhip up some screenshots06:51
ajmitchblog about it06:51
lophyteis it really necessary to import the contents of /etc/group into an LDAP directory06:51
ajmitchrake in the millions06:51
ajmitchlophyte: it can be useful06:53
lophyteoi.. seems like a lot of work06:54
ajmitchok, seems like we don't have *too* many changes to samba, mostly well documented06:54
ajmitchit'll take a bit of picking through06:55
nkassilophyte: I believe there are some scripts online that can do it for you and output to ldif.06:55
ajmitchmigration-tools package06:55
lophyteoh, really06:55
ajmitchwhich I don't like much, but it tends to work06:55
tepsipakkiFujitsu: it was me =) (the updatedb-bug)07:06
tepsipakkiit was a bit too late to triage bugs07:06
Fujitsutepsipakki: I noticed :)07:06
Fujitsutepsipakki: It can get that way sometimes, I know.07:06
tepsipakkiI was seeing nss- all over the place07:06
ajmitchah, more posts on the -directory thread on devel07:39
Burgundaviankassi: can you move the n-a/Server stuff to EasyLDAPServer ?08:39
ajmitchok, got the goahead to do the samba merge, so we can have toys to play with08:42
=== SimonAnibal [n=sruiz@] has joined #ubuntu-directory
=== ^robertj [n=rcaskey@cai17.music.uga.edu] has joined #ubuntu-directory
=== wasabi [n=wasabi@ubuntu/member/wasabi] has joined #ubuntu-directory
nkassiBurgundavia: Done03:03
^robertjmornign all03:08
=== bmonty_away is now known as bmonty
bmontyajmitch: ping03:14
wasabi_morning freedom lovers.03:47
SimonAnibalmorning all03:48
wasabi_I like this shizit about Oracle and RedHat battling for the enterprise.03:48
wasabi_Lets sneak in under the radar and shoot both of em down.03:49
^robertjwasabi_: also, it's worth noting that they aren't03:49
wasabi_Yeah hah03:49
^robertjOracle is supporting Oracle03:49
wasabi_Few server side installs.03:49
^robertj"is there anything else on that server besides oracle? Sorry, that's not under your agreement"03:49
wasabi_Oracle announced on Wednesday that it would take RHEL, strip out the Red Hat (NASDAQ: RHAT - news) copyrights and add in Oracle bug fixes to create Unbreakable   ?03:50
wasabi_Just to run Oracle?03:50
^robertjthat's my buess03:50
^robertjerr guess03:50
wasabi_Makes sense.03:50
SimonAnibalSo does that mean all Oracle boxes are going to be forced to be DEDICATE Oracle boxes?03:51
^robertjIm betting we will see 5-10 specific certifications for Unbreakable + a vm03:51
nkassiOh well, Oracle doesn't seem to realise the amount of PR they will need to do to get people's confidence, I mean the  people who paid a good amount of money for Red Hat support03:54
nkassiAnd what sort of patch are they going to provide that RH will not ?03:54
nkassiOracle specific ?03:54
^robertjnkassi: probably a subset of security updates03:55
nkassiI still don't see how that is going to make a difference, I believe that RH will be faster than Oracle to test and release them. What Oracle should do is buy RH.03:58
^robertjcould be sabre ratteling, I just don't care04:01
^robertjI hope they don't buy RH though04:01
^robertjso I guess I do, but either way I don't want to hear squat from some retard at /., cnet or digg04:01
SimonAnibalAnyone have experience with SystemImager?04:04
nkassi^robertj: hehe, oh well, it's bound to happen.04:05
SimonAnibalI'm wondering if it would be of use to me in my situation04:08
SimonAnibal~300 workstations on 3 different model computers04:08
SimonAnibalI want to keep them all up to date and configured from one golden client, as it claims to do.04:08
SimonAnibalMy old way (using Norton Ghost to re-image everytime) won't work with if it's not deployed on identical hardware04:09
nkassiGot to go, see y'all.04:09
SimonAnibalWondering if there might be a simpler/better solution out there that one of you might know about04:10
SimonAnibalOtherwise, I'll be diving into it04:11
lophytemorning all04:12
lophytebmonty: you around?04:17
bmontylophyte: hi04:18
lophytewould you be interested in collaborating and finishing the SingleSignOn howto together?04:18
bmontysure, I'm actually having to redo the setup on one of my machines, so the steps are fresh in my mind04:20
lophytecool.. I'm working on it too, in a Xen VM04:20
bmontythe edgy upgrade did not deal well with my LDAP+Kerberos setup04:20
wasabi_Any LDAP pros know the true cost of doing async LDAP notify operation?04:20
wasabi_Socket open on the server I assume.04:21
bmontylophyte: is there any particular place you want to stazrt?04:25
bmontywasabi_: is a notify operation the server telling clients about a change?04:26
wasabi_What's a reasonable top limit of open sockets on a server?04:26
wasabi_From a single process.04:26
bmontyisn't that a kernel parameter?04:27
bmontyI think the sys admin can set that, plus there is a limit based on available system resources04:27
wasabi_Yeah. Just curious what a real functional cost might be.04:28
bmontydoes OpenLDAP do the notify operation?04:28
wasabi_Believe so. Uses it for repl.04:28
wasabi_For instance if every client in an enterprise were to maintain a persistant query on passwd/group04:28
bmontyok, I can't remember seeing anything in the docs about pushing changes out to clients04:28
wasabi_It's a standard LDAP operation.04:29
bmontycool, I'll have to check that out04:29
lophytebmonty: LDAP configuration seems like the first thing that's missing04:29
lophyteactually, adding a host principal into kerberos is missing..04:30
lophytethat involves installing krb5-admin-server and using kadmin.local, right04:30
wasabi_I'm switching to Heimdal.04:30
lophyteI'm using heimdal, actually :P04:31
wasabi_Then it won't be krb5-admin-server you need.04:31
lophytenope..but the howto uses MIT04:31
bmontythe MIT krb5 install takes care of creating an admin principal04:32
bmontyonce you have the servers installed, it is fairly easy to run kadmin from any machine on your network04:32
bmontyhas anyone made a decision to make heimdal krb5 the standard for Ubuntu?04:36
wasabi_Nobody has made any decisions about anything.04:36
wasabi_I suspect that's where we'll end up on the server side though.04:36
bmontyto me, that is a decision that needs to be made fairly early04:37
wasabi_Nobody is going to start a server implementation for a long time.04:37
wasabi_And the client side is portable enough.04:37
bmontyany idea how closely the heimdal API mirrors the krb5 API?04:44
bmontyMIT krb5 API that is04:44
^robertjhas anyone done an overview of the client side utils from Fedora, OS X, & Windows to see what is worth stealing?04:46
wasabi_There are very few differences.04:46
wasabi_They're not compatible, but whatever we build can be retrofitted in a few days.04:46
wasabi_Except for the kadmin protocol...but we'll need to support both of those anyways.04:47
bmontywasabi_: if stuff gets written in python, it shouldn't be too hard to hide the differences04:47
wasabi_I don't know what you expect to be written in python.04:47
wasabi_Except a pretty config wizard.04:47
wasabi_Which ajmitch has been doing nicely on, btw.04:48
^robertjwasabi_: is there an accompanying util?04:48
^robertjwizard is run once, right?04:48
bmonty^robertj: there is some stuff out there, but my general impression is that a lot is unmaintained, and the other stuff is very specific to a certain distro04:48
^robertjbmonty: I mean't purely from a usability standpoint04:49
wasabi_The idea is for a program called "authtool", which accepts a minimal number of settings, either on the command line, or a UI, and configures the relavent client services.04:49
bmonty^robertj: usuability of what?04:49
wasabi_So, that's all text file parsing and command invoking. Perfect for Python.04:49
wasabi_The actual things it's setting up are all C.04:49
^robertjwasabi: but is it going to wipe out all your old settings or can you go in and adjust one setting after it is all said and done04:50
bmontywasabi_: if we were going to develop any GUI tools for the client, I see that being done in python04:50
bmontysince not many exist, I expect that will have to happen04:50
wasabi_That stuff is so far down the road.04:50
wasabi_We're talking like, years.04:50
wasabi_I would much rather get some people working on making an Ubuntu box able to join a domain and Work Right.04:51
^robertjwasabi: i'm talking purely client-side04:51
wasabi_You're talking client side tools for admining a server.04:51
wasabi_A server which we do not yet possess, and which will be way off.04:51
wasabi_Client side tools for a client, is really nothing but this one wizard.04:51
wasabi_"Please enter your domain name. Are you running Active Directory? Thanks... configuring NSS and PAM now!"04:52
^robertjwasabi: I've got a fair number of other options on my OS X box that are actually useful04:52
bmonty^robertj: I have not seen any tools that are ready to integrate nicely with Ubuntu04:53
wasabi_You mean user management tools?04:53
^robertjwasabi: no, in the user-facing tool for setting up directory access04:53
wasabi_That's the wizard.04:53
^robertjwasabi: I'd be mad if I had to reenter all my attribute mappings on every run of the wizard04:54
wasabi_If you have to enter attribute mappings, we've failed.04:54
^robertjwasabi_: unfortunately static mappings & other garbage are a fact of life here04:54
wasabi_Well, I'm not working on that.04:55
wasabi_Are you? :)04:55
wasabi_It will be a year or more before I get to that.04:56
^robertjhopefully our DS group will get the pink-slip by then ;)04:56
wasabi_I think expectations are too high. The goal is to clearly define scope to something that will drive Ubuntu support contracts.04:57
wasabi_And something which is doable in some sort of timeline.04:57
wasabi_We need to be able to join existing directories. AD being the first.04:57
^robertj"not enough human resources to properly access the security risks? It's an 8 line schema adding 2 new attributes!"04:57
wasabi_And we need to cover all our bases in those areas.04:57
wasabi_disconnected operation, cross realm, caching, zero blocking NSS.04:58
wasabi_Those are Huge things and not to be taken lightly.04:58
wasabi_And they're all in C.04:58
bmontyjust getting NSS to behave properly would be a nice achievement04:59
wasabi_Uh huh. That's going to require a massive effort in libnss-ldap, maybe even discarding it.04:59
SimonAnibalI figure if whiprush and I have managed to join Ubuntu to AD more or less successfully with existing packages that it would be a matter of setting up a package for AD clients that depends on all necessary packages and has an easy way of getting the necessary information from the user to configure the box and join it to the domain05:00
wasabi_SimonAnibal: Yes, but your joining AD comes with MANY caveats. Try unplugging the network.05:00
wasabi_Try doing the same on a laptop.05:00
wasabi_Try logging onto another realm.05:00
wasabi_I suspect if we offer "AD support", except for laptop users, and btw your box will lock up when a switch hicups, we'd be killed. =)05:01
SimonAnibalUnplugging the network does nothing, as I have it set up to check for local accounts and consider them sufficient before even checking on the network. And shouldn't the correct behavior of a disconnected box be to not allow network logins?05:01
wasabi_SimonAnibal: Tell that to laptop users.05:01
SimonAnibalHmmm, so how do laptop users do it? Don't they have a local account?05:02
SimonAnibalHow can you authenticate to a server you're not connected to?05:02
wasabi_Windows caches creds and logins05:02
bmontyi gave up getting my laptop to work05:02
wasabi_So it works fine, and when you plug it in, you need to get a TGT05:02
SimonAnibalSo you login while connected and then you can login to that laptop even if disconnected?05:02
bmontyyeah, if I'm on my home network it isn't a problem05:03
bmontybut I have a laptop to carry it around05:03
wasabi_Anyways, my point is just that even if we get Mark to buyin to it, and put one developer on it.05:03
wasabi_Just getting the basic C stuff smoothed out is going to take a very long time.05:03
SimonAnibalIn our corporation, laptops do not cache credentials as far as I know, we provide a local account to use them when not connected to the network05:03
wasabi_SimonAnibal: Windows laptops?05:03
wasabi_SimonAnibal: You can login to the domain while disconnected on Windows. It caches your password and network information, but when you plug it into the network, you have no TGT until you get one (lock screen/unlock)05:04
SimonAnibalWin XP on Dell laptops. And they might do the caching stuff, it's just we don't rely on it or expect it05:04
wasabi_Well, in my company, I'd be fired if I suggested that. People have documents on their desktop they'd expet to be able to access.05:04
wasabi_And maintaining two profiles? Ugh.05:04
bmontyI've never seen that work 100%05:05
bmontymy roaming profile at my work has never worked correctly05:05
SimonAnibalNod, nod.05:05
wasabi_Not talking about roaming profiles really.05:05
SimonAnibalSo, then, what DO we have working?05:05
wasabi_You have basic LDAP queries going to a LDAP server for a NSS query.05:05
wasabi_They are slow, they block.05:06
bmontyI don't think account caching works well with laptops at all05:06
wasabi_bmonty: Works perfect on Windows.05:06
wasabi_Every laptop in this company seems to have no problem with it.05:06
wasabi_There is no fallback support for anything.05:06
wasabi_There is no site locality for anything.05:06
bmontyI'm not a windows admin...and I've never seen anyone set it up so that it worked for a non-tech user05:06
lophyteit doesn't require setting up05:06
lophyteits done automatically05:06
=== cliebow [n=cliebow@smoothwallkludge.ellsworth-hs.ellsworth.k12.me.us] has joined #ubuntu-directory
wasabi_We need to look up SRV records, and order them based on locality.05:07
wasabi_If one server goes down, we need to look for another.05:07
wasabi_Same goes for KDCs05:07
bmontyI like the SRV records05:07
bmontyif you get that set up correctly, lots of things will "just work"05:07
wasabi_Anyways, so all this needs to be fixed, before any question of a UI to map attributes really matters.05:08
bmontyin my opinion getting LDAP+Kerberos (i.e. AD) authentication/authorization to work with PAM and NSS is a huge kludge05:08
wasabi_Yup. It is.05:09
wasabi_NSS is shitty.05:09
bmontywhich makes it difficult to maintain in a production environment05:09
wasabi_It is not robust at all.05:09
wasabi_And it has no potential to be.05:09
wasabi_There is no way to query for users.05:09
wasabi_No way to do async operations.05:09
bmontyit would be nice if we could ditch NSS altogether and use PAM only05:09
wasabi_PAM and NSS sovle different problems.05:09
wasabi_So, that makes little sense.05:09
bmontywell have PAM perform the functions of NSS05:10
bmontyfor one, I could do the configuration of my SSO setup in one place05:11
wasabi_That doesn't even make sense.05:11
wasabi_They are fundamentally different things.05:11
bmontyI don't agree, but I do think that NSS is inadequate as it is currently implemented05:13
wasabi_It's also not changing. NSS is POSIX.05:13
wasabi_So, it has to be made to work.05:13
wasabi_Which means a lot of time writing C programs to make it work right.05:13
^robertjhave fun with the test suites ;)05:14
bmontyso? there are lots of C coders last time I checked05:14
wasabi_There are 2 in this channel I believe. =)05:14
SimonAnibalSo, having no C experience, am I only going to be of use as a real-world test case?05:15
lophyteknow python?05:16
lophytepython coders are gonna be needed at some point ;)05:17
SimonAnibal"Know" no. "Started learning but never got very far cause I didn't have a project to work on with it in order to actually understand it" yes.05:17
SimonAnibalI'm not averse to learning, or trial by fire.05:18
SimonAnibalI don't have any formal education about any of this yet. I won't deny that. But I doubt I'm useless.05:19
bmontySimonAnibal: nobody said you were useless :)05:19
lophyteldapadd won't connect to my ldap server05:19
SimonAnibalNo, nobody did, it's just everything seems low-level enough that I'm doubting my value05:19
bmontySimonAnibal: I wouldn't do that until something actually starts happening05:20
bmontylophyte: are you using SASL?05:20
wasabi_lophyte: What is the error?05:21
bmontywhat is the error?05:21
lophytenothing.. it just sits there after prompting for my password05:21
wasabi_-Y GSSAPI05:21
lophyteldapadd: incompatible with previous authentication choice05:21
wasabi_Are you passing -x?05:22
wasabi_That's for a simple bind.05:22
wasabi_Which you should disable. ;005:22
lophytehrm.. same thing.. it just sits there05:22
wasabi_strace time.05:23
wasabi_see where it's pausing on05:23
lophyteldapadd -h ldap.blindutopia.com -Y GSSAPI -D "cn=root,dc=blindutopia,dc=com" -W -f base.ldif05:23
wasabi_Use -H also05:24
wasabi_-W not needed either.05:24
wasabi_-D not needed either. ;)05:24
wasabi_You need to configure your server to support SASL auth I suspect.05:24
wasabi_And set up some regexps to map logins to objects.05:24
=== nkassi [n=nkassi@mullion.maint.fsu.edu] has joined #ubuntu-directory
lophytethis howto essentially tells you to configure krb to use ldap as its db05:25
lophytebut it gets you to configure ldap first..05:25
wasabi_Well, the first goal is to get SASL binds through ldapi working first.05:25
bmontywhich howto is that?05:25
wasabi_yeah these howtos are useless.05:25
wasabi_Learn the pieces, make your own decisions.05:25
wasabi_# Unix-socket connections from the root user are mapped to the host object.05:25
wasabi_sasl-regexp     uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth05:25
wasabi_                cn=akita,ou=Computers,dc=larvalstage,dc=net05:25
wasabi_As an example, I use that to allow local root logins over SASL EXTERNAL (ldapi:///) to map to a computer object.05:26
wasabi_# Map Kerberos authenticated logins.05:26
wasabi_sasl-regexp     uid=([^,] *),cn=larvalstage.net,cn=gssapi,cn=auth05:26
wasabi_                ldap:///dc=larvalstage,dc=net??sub?(&(objectClass=krb5Principal)(krb5Princ$05:26
wasabi_I use that to map GSSAPI logins to the results of a query.05:26
wasabi_Heimdal will use ldapi:// (running as root) to connect to LDAP05:27
wasabi_You cannot use Kerberos for Kerberos to connect to LDAP. Chicken in egg problem.05:27
wasabi_And I just use slapadd to setup the initial computer object.05:27
wasabi_And hierarchy.05:27
wasabi_I can explain it pretty easily, if you want.05:28
lophyteis that even possible? ;)05:28
wasabi_slapd can be connected to over a number of differnet sockets.05:28
wasabi_Over that socket, you can authenticate in a number of different ways.05:28
bmontywasabi_: computer object == host prinicipal?05:28
wasabi_There is a unix socket which you can connect to slapd on.05:29
wasabi_To enable that, you need to instruct slapd to use it.05:29
wasabi_In /etc/default/slapd05:29
wasabi_SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"05:29
wasabi_That enables slapd to listen on the ldap port, the ldaps port and ldapi (the unix socket)05:29
wasabi_I think it's in /var/run someplace05:29
wasabi_Once connected to those sockets, any of them, you can authenticate in two ways. anonymous, simple or SASL.05:30
wasabi_anonymous means you don't auth. You should disable that05:30
wasabi_# Features to disallow05:30
wasabi_disallow        bind_anon bind_simple05:30
wasabi_^ in slapd.conf05:30
wasabi_That disables both anonymous and simple binding.05:31
wasabi_Leaving only SASL.05:31
lophyteI think I'm gonna start over again...05:31
wasabi_SASL is expandable... you can install different modules on the client/server side to extend it.05:31
wasabi_And it's service independent.05:31
wasabi_You can about only two SASL mechs... GSSAPI and EXTERNAL.05:31
wasabi_GSSAPI is a kerberos handshake.05:31
wasabi_EXTERNAL is system defined.05:31
wasabi_sasl-secprops   minssf=0,noplain,noanonymous05:32
wasabi_sasl-realm      LARVALSTAGE.NET05:32
wasabi_sasl-host       akita.larvalstage.net05:32
lophyteGSSAPI means it uses kerberos principals?05:32
wasabi_That disables plain and anonmous sasl connections. Sasl itself has a mech for PLAIN05:32
wasabi_Which is seperate from simple binding.05:32
lophyteso you'd login as root/admin@MYDOMAIN.COM ?05:32
lophyteusing GSSAPI05:32
wasabi_No, host/$computername.domain.com@DOMAIN.COM05:32
wasabi_# Unix-socket connections from the root user are mapped to the host object.05:32
wasabi_sasl-regexp     uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth05:32
wasabi_                cn=akita,ou=Computers,dc=larvalstage,dc=net05:32
wasabi_When you login with SASL, slapd makes up a fake object name to represent your login.05:33
wasabi_Those don't really exist.05:33
wasabi_cn=auth <--- SASL was used05:33
bmontywasabi_: you are using the host principal for the purpose of updating the local NSS database, right?05:33
wasabi_cn=external <--- the SASL mech05:33
wasabi_bmonty: Yes.05:33
wasabi_The SASL EXTERNAL mech defines peercred and uidnumber and gidnumber.05:33
wasabi_Because you login using ldapi:///, over the unix socket.05:33
wasabi_Using EXTERNAL.05:33
wasabi_so it KNOWS your UID and GID05:34
wasabi_Because it's a Unix socket. It can know that stuff.05:34
bmontylophyte: just so you know that is a different concept that what I did on my setup...and the concept that the SingleSignOn page is based on05:34
wasabi_So what I'm saying with that mapping statement is that when uid 0 connects using EXTERNAL05:34
wasabi_Map it to a specific object.05:34
wasabi_Being the computer object.05:34
lophyteI see..05:35
wasabi_Now you have your path into LDAP. root on the same box is assumed to be "the computer itself"05:35
wasabi_Heimdal will use that.05:35
wasabi_So, logically, the computer itself should have full access05:35
wasabi_access to *05:35
wasabi_        by dn.regex="cn=akita,ou=Computers,dc=larvalstage,dc=net" write05:35
wasabi_Now you need to populate the LDAP directory, and actually make the ou and computer object.05:36
wasabi_You can use ldapadd -H ldapi:/// -Y EXTERNAL05:36
wasabi_As root, to do that.05:36
wasabi_To do that I basically make an object with top/account/krb5Principal05:37
=== nkassi [n=nkassi@mullion.maint.fsu.edu] has joined #ubuntu-directory
wasabi_And set the krb5PrincipalName: host/host.fqdn@REALM05:37
wasabi_Then you need to tell heimdal to init it's DB.05:38
wasabi_It'll spew all sorts of shit into LDAP.05:38
wasabi_YOu go in and move it where it really belongs.05:38
wasabi_Heimdal needs work.05:38
wasabi_(In C!)05:38
bmontyMIT krb5 has an LDAP backend that is coming along soon05:39
bmontyI haven't played with it though....only read about it05:39
lophytethis shit is overwhelming05:39
wasabi_Uh huh.05:39
bmontyLDAP as a backend for the KDC makes things a lot nicer though05:39
wasabi_ANyways, once you have some initial principals, then you can star logging into LDAP using GSSAPI05:40
wasabi_You should use that for everything else.05:40
lophytetime to start over and give this a try05:40
bmontywasabi_: do you implement a "roaming profile"...i.e. I could log on to any machine and my home directory is the same?05:41
wasabi_I have some ideas for that though.05:41
wasabi_Mostly involving git or bzr.05:41
bmontyI've played with pam_mount, it works, but it doesn't know anything about SASL05:42
wasabi_To mount what?05:42
lophytemount an nfs share on top of /home/username05:42
bmontyto mount my home directory from an NFS server on login05:42
wasabi_That's not really an acceptable path to go down.05:42
wasabi_Ignores disconnected operation.05:42
bmontyor any other network share you want05:42
bmontywasabi_: disconnnected operation is a shortfall05:43
wasabi_Yes, but it's one NFS will never be able to solve.05:43
wasabi_Which makes it pretty useless for the use case.05:43
wasabi_Somebody tripping over your network cable, or a switch going faulty, can't result in your desktop crashing.05:43
wasabi_Let along again, laptops.05:43
bmontyNFS isn't the only network share, but that is beside the point, I want that kind of feature on Ubuntu05:44
wasabi_Yeah. I think there's some room to investage using a DSCM for ~ specifically.05:44
nkassiHey y'all, I see that there is a preference for Heimdal but what is the advantage over MIT? I saw something about permformance. Is that all?05:44
wasabi_nkassi: MIT doesn't yet have LDAP storage05:44
siretartdo you recommend the MIT or the heimdal implementation?05:44
wasabi_I recommend it in that it's LDAP storage works. ;)05:44
siretartwhat does MIT use as storage? bdb?05:45
bmontyout of the box, yes05:45
nkassioh, yeah thats a major issue for me thanks ;0)05:45
bmontythe latest version added a pluggable storage feature05:45
siretartokay, and and what cases is an ldap storage preferable?05:45
bmontyLDAP is one of the plugins available, but it isn't released yet05:46
wasabi_Every case, IMO.05:46
bmontyi agree05:46
wasabi_It offers automatic replication.05:46
wasabi_Yeah. Your keys move with your user objects.05:46
wasabi_They are tied at the hip.05:46
bmontywithout LDAP as the backend, you have to maintain a kerberos database and an LDAP database05:46
nkassiI also want to use the user info for contacts in thunderbird.05:46
bmontyits doable, but I doubt it is scalable05:47
siretartthis means that account managment does only need to handle ldap, and I don't need to care about adding principals with kerb tools?05:47
wasabi_You still need to.05:47
wasabi_Only the KDC can sign new keys.05:47
nkassiso a tool to add users would have to do both ?05:47
wasabi_Basically, yes.05:47
wasabi_It would have to make a LDAP object, and then instruct the KDC to populate it.05:47
nkassiThere no way of having the KDC do the work ?05:47
wasabi_There is, but the KDC isn't going to put your hsell in LDAP05:48
wasabi_Or your UID05:48
wasabi_and all that stuff.05:48
bmontyby design I think the authentication and authorization pieces should be seperate05:48
nkassibeurk. oh well, I will have to create scripts or are there some out there ?05:48
wasabi_There are no scripts which do it right, and Heimdal is broken.05:49
wasabi_It doesn't find existing LDAP objects, it always creates it's own.05:49
wasabi_So you have to do some manual merging.05:49
bmontyI use MIT kerberos, and as things exist today there isn't a reason why you couldn't create a tool to manage them05:50
wasabi_It's also a question of policy.05:50
wasabi_And security.05:50
bmontybut one doesn't currenlty exist05:50
wasabi_To me, it seems a bit insecure to allow a client machine, even with an admin user, to create an LDAP object, and instruct the KDC, in different bands.05:51
wasabi_It's a single logical operation. There should be a single RPC on the server which does it all.05:51
bmontywith your setup using ldapi, is that the only place you allow connections to create objects?05:52
bmontyI'm thinking about something like the AD user manager that can run on any machine with MMC installed and any user that has the correct privs05:52
wasabi_Yeah, that uses custom RPCs though.05:52
wasabi_It doesn't contact the LDAP and KDC to make a user.05:53
wasabi_It actually calls a MS RPC CreateUser API.05:53
lophytemmc for ubuntu would rock05:53
wasabi_Using either named sockets or TCP05:53
wasabi_Which, imo, was done for a good reason.05:53
wasabi_For instance, in my company, IT doesn't create users.05:53
wasabi_HR does.05:53
bmontyI see your point, and it makes sense to me05:53
wasabi_THe last thing I want to do is give HR the permission to connect to the LDAP and make random objects.05:53
wasabi_I want them to call a single unit of work to happen remotely.05:54
wasabi_So, again, when we start talking about directory servers, we go down paths like that.05:54
wasabi_And now we're creating and definign a remote API.05:54
wasabi_And choosing a protocol for it.05:54
wasabi_And complexity explodes. ;005:54
wasabi_So anyways, I see a suitable AD replacement seeing years off.05:55
wasabi_I see a good client that can connect to an existing AD being maybe a year or more off.05:55
bmontywhy would canonical create a feature that requires youto purchase windows in order to use it?05:56
wasabi_Because many people have already purchased windows.05:56
wasabi_And we want those people to deploy Ubuntu in a reasonable time frame.05:56
wasabi_Where it fits.05:57
siretartI see an urgent need for proper overview documentation how directory and authentication services work with each other and how to resonably deploy it in, say, 6.06LTS05:57
wasabi_An all or nothing approach is not reasonable.05:57
wasabi_siretart: Me too.05:57
wasabi_I'd love for somebody to document setting upa  PROPER KDC and ldap.05:57
wasabi_Not this simple binding crud. :005:57
^robertjdefine PROPER05:58
wasabi_Connections to LDAP established only with SASL.05:59
wasabi_Everything that needs to be secured secured.05:59
bmontysiretart: documenting the setup is hard without deciding on what software Ubuntu is goiung to use in implementing the specs05:59
wasabi_KDC princs stored in LDAP.05:59
wasabi_Replcation between LDAP servers happening using kerberos.05:59
bmontyMIT krb5 vs. Heimdal krb505:59
wasabi_Clients using Kerberos for all connections to LDAP05:59
bmontyfor example05:59
siretartrobertj: proper in the sense that after reading a decently skilled admin can set it up without external documentation not referenced in that documents05:59
^robertjwasabi: maybe start with a clean -server install on vmware and create a sh script which you curl and run via sudo to set it up and then document that?06:00
nkassi<Was making food> About the MMC tool, how would that be implemented easily ? Is that a really huge complex project ?06:02
wasabi_I'm not convinced we need anything like MMC at all.06:03
wasabi_A nice LDAP client, sure.06:03
wasabi_A weirdly plugable administration tool host?06:03
wasabi_For the LDAP tool, I'd start by fixing GQ up.06:04
wasabi_GQ is probably the closets of all of them. At least it's Gtk.06:04
^robertjand written in our beloved python06:04
wasabi_Is it?06:04
nkassiWell, I know that I will need a administration tool for at least my boss, and the Windows Admins if I was to switch. They wouldn't go for the Web stuff really, they seem to love MMC on windows ...06:04
wasabi_Believe gq is C06:04
^robertjmaybe not, I thought so06:04
=== ^robertj goes & checks
wasabi_nkassi: Admin tool for what, AD?06:05
wasabi_nkassi: MMC isn't an admin tool. It's a pluggable architecture for building admin tools.06:05
nkassiwasabi: Hum, well I meant a tool to emulate the AD tools but to manage Ubuntu-Directory06:05
wasabi_If you mean AD Users & Computers, sure, we need a nice LDAP client. :006:05
nkassiOk the console then06:05
wasabi_gq is still probably the closest to what you want.06:06
nkassiwasabi, I guess that would work.06:06
wasabi_It works now, it's really wonky and buggy though.06:06
wasabi_And needs SRV record support, GSSAPI support compiled in and working.06:06
wasabi_It's UI is sort of silly. Could use object-specific UI plugins.06:06
nkassiWhat about Luma ? I know it's qt but I was looking at the backend, it could be used to create a Ubuntu specific GTK interface.06:07
wasabi_Sure. The backend is Qt though.06:07
wasabi_Isn't it?06:07
nkassihum, I meant the ldap stuff06:07
nkassiI was going to try to rip out all the Qt stuff, I just liked the LDAP connection code.06:08
nkassiI'm my making any sense ? (I usually don't  ;0) )06:10
nkassiI meant I'm I ...06:11
nkassiThere you see, I don't make sense.06:12
=== Burgwork [n=corey@ubuntu/member/burgundavia] has joined #ubuntu-directory
bmontywasabi_: the code for SASL binds is in gq, but it is very buggy06:30
bmontyit looks like someone has picked up maintaining gq though06:30
wasabi_That's nice.06:30
bmontyI think the end result should be a tool that is a little more specific to managing users and groups instead of just editing the LDAP database06:31
wasabi_Sure, but GQ can be turned into that.06:32
MagnusRAgree, it would be nice to have an integration with Kerberos in a Unified interface.06:32
wasabi_What it needs is a set of pluggable UI pieces which can be loaded based on detected objectclasses.06:32
nkassibmonty: I second that. How hard would it be to modify the user & group dialog in gnome-systems... package ?06:32
wasabi_If no plugin matches, use the plain old property/value view.06:32
bmontynkassi: I think that is a larger issue..,06:33
wasabi_Yeah, that dialog is on the way out anyways.06:34
bmontyi.e. ALL of the user tools (adduser)...how do they know where to make changes?06:34
wasabi_They make htem in the passwd file.06:34
wasabi_They are meant for local users.06:34
nkassiOh I didn't know it was being replaced. oh well06:34
wasabi_And there is nothing wrong with that at all.06:34
wasabi_MS does the same.06:34
wasabi_Control Panel, Users and Groups.06:34
bmontyso then a new gnome applet that is for managing domain users and groups...not replacing the current tools06:35
wasabi_I still think Gq is fine. =)06:35
wasabi_It just needs love.06:35
bmontyand it looks like it is getting it....new release v1.2.1 on 8 Oct06:36
nkassiHum a separate menu could be created under System with all the "Administrative Services" Items ;0)06:36
lophytenever heard of it06:36
nkassiThe name is probably patented or something ;-)06:36
lophyteah, neat.06:37
bmontylooks like they added gnome-keyring support...06:37
bmontyhmmm...we still have 1.0.0 :(  Maybe I should take a look at repackaing it later today06:39
=== bmonty is now known as bmonty_away
Burgworkwasabi_: have you played with lat?08:17
Burgworklophyte: bmonty_away: either of you?08:17
wasabi_lat = ?08:17
Burgworkldap admin tool08:17
BurgworkI use it here08:17
Burgworkworks quite well08:17
wasabi_lat seems to be C#?08:22
wasabi_no sasl support yet08:23
ajmitchyou don't like C#? :)08:23
wasabi_love it. Just wondering.08:24
ajmitchwe probably don't want to have each tool done in its own language08:25
wasabi_Doesn't really matter to me. Whatever is the least resistance.08:26
wasabi_I'm not going to propose rewriting a LDAP tool because it's not our language of choice.08:27
ajmitchI'm not suggesting rewriting08:27
wasabi_Lat looks pretty good actually.08:27
ajmitchjust a factor in what we pick08:27
ajmitcheg I'd love to have everything in python so that we could mix & match08:28
ajmitchbut that's just a dream..08:28
ajmitchand not essential in any way08:28
ajmitchwasabi_: you want me to fill in NetworkAuthentication/Client/Interface ?08:37
Burgworkwasabi_: the only thing lat needs is some serious stablization work, but the UI works and the rest is good08:37
wasabi_Yes please.08:37
=== MagnusR_away [n=magru@c83-250-59-127.bredband.comhem.se] has left #ubuntu-directory []
ajmitchyou'd have to basically walk the whole tree anyway, no real advantage over the flat Packages file08:49
ajmitchmaybe a bit more compact, but that's hardly a blocker for apt08:49
BurgworkI know the apt and rpm people have spoken with the samba people about storing the databases in ldb08:52
ajmitchBurgwork: expect hate mail from beryl people ;)08:53
Burgworkmy -devel comment?08:54
BurgworkI did explicitly say this was about beryl by default08:56
ajmitchI know08:56
BurgworkI need to address the "gconf-is-a-bad-idea" meme08:57
ajmitchthe main thing that needs replaced is the settings manager08:58
ajmitchhave you seen it?08:59
ajmitchit makes sawfish configuration look clean & elegant by comparison08:59
Burgworkno, I haven08:59
ajmitcha fraction of one pane of the many plugins09:00
Burgworkholy crack!09:01
Burgworkok, now I just pissed more people off09:02
ajmitchsee how many tabs, how many widgets09:02
ajmitchthat's ok09:02
ajmitchI've got to go, back in ~30min09:02
Burgworksaid that gconf is a sane default for a gnome-based distro09:02
=== cberl1 [n=berloc@mars.dsbn.edu.on.ca] has joined #ubuntu-directory
cberl1Hi folks.  Got any PAM experts herein?09:02
cberl1I need to get SSH to work with Winbind and PAM_MOUNT....09:03
cberl1All of my users are in Active Directory.  I need to enable ssh access, then make their local "home" directory and map their Windows drives to they can access them.09:04
Burgworkcberl1: both of our windows experts appear to be away09:07
cberl1Wow, you have TWO?  <snicker>09:08
cberl1Just kidding.09:08
cberl1Alright, I'll have to try again later.  This is something that I'm going to need at some point.09:08
robertjis it permissible to sign someone's key based off a form of ID other than a face-to-face visual ID?09:11
Burgworkafaik, no09:11
robertjnoone in our LUG does key signing09:13
robertjand it's rather dumb because why does Ubuntu care if my name is rover and I am a dog?09:17
Burgworkubuntu itself doesn09:18
Burgwork't care09:18
Burgworkit only matters if you want to upload09:18
robertjbut why would it matter?09:18
robertjlike the old adage says, don't look a gift-dog in the mouth09:19
Burgworkrobertj: if you upload, we need to know who you are09:19
Burgwork"I wouldnt want Shuttleworth to09:19
Burgworkbe right about the DCCA not working, its such a great idea." <-- http://lists.dccalliance.org/pipermail/dcc-devel/2006-June/000704.html09:19
robertjBurgwork: maybe i'm missing something. Like if you were hacking on OOo & signing Sun's JCA I could see it being needed but otherwise...09:20
Burgworkok, lets look at it this way09:21
Burgworkyou upload a package to revu09:21
Burgworkgiven I have never met you, how do I verify it is you that uploaded it?09:21
Burgworkyou sign it with you key09:21
Burgworkwhich has been signed by somebody like ajmitch09:21
ajmitchalright, back09:21
Burgworkgiven I trust ajmitch, I trust you09:21
ajmitchsilly Burgwork, trusting me09:22
robertjBurgwork: well I still have an identity09:22
BurgworkI know09:22
Burgworkyes, you do09:22
robertjbut instead of being Rob J. Caskey of Athens, GA I am rcaskey@uga.edu09:22
robertjor some really long hash09:22
Burgworksigned keys allow you to prove that you are you09:22
robertjBurgwork: well they prove I have the key :)09:23
ajmitchit's a trust path, so that people who haven't met you can trust to some degree that you are who you say you are09:23
Burgworkyes, as I explained09:23
robertjajmitch: which is cool, that I grok, I just don't see why visual ID has to be required09:23
robertjI mean, can't I just exist as rcaskey@uga.edu?09:23
ajmitchthey prove that you have the key, the email as on that key, and that you actually are the same person as the key claims09:24
Burgworkbecause I need to verify that your name is associated with your face09:24
wasabi_Email is not a secure path to establish initial trust.09:24
wasabi_A government issued id acceptable, etc.09:24
Burgworkemail is trivially spoofable09:24
ajmitchpassport is somewhat less so09:24
robertjwasabi: well I could post up on www.music.uga.edu and say <!-- I am responsible for this machine -->09:24
wasabi_Also, you cannot hold an email address responsible.09:24
wasabi_So? Somebody could have hacked your server.09:25
wasabi_Somebody could have hacked your email.09:25
robertjSomebody could hack my dev box after I had my key signed09:25
wasabi_true true09:25
cberl1robertj: at which point, wouldn't you want to get a new key?09:25
wasabi_And that's why we allow revocation. :009:25
=== ajmitch has had to revoke his key, last year
=== robertj consoles ajmitch
Burgworkajmitch: that would suck even harder for you, given how hard it is to get out of NZ09:26
ajmitchBurgwork: why? there are 4 other DDs in dunedin09:27
ajmitchbesides, I lost my laptop & regenerated my key at UBZ, got plenty of sigs there09:27
ajmitch(thanks siretart) :)09:27
lophytehey all09:28
ajmitchhi lophyte09:28
lophytegnome-pilot has issues09:30
Burgworkyes, yes it does09:31
lophytei was hoping they'd be fixed by edgy09:31
ajmitchmany things weren't fixed by edgy09:31
Burgworkthere was no work, either upstream or in ubuntu for gnome-pilot during edgy09:31
lophyteis there any other way to sync stuff wiht my pc?09:32
lophyteit'd be nice to be able to sync with evolution09:32
Burgworkopensync, but that doesn't work with evo09:32
lophyteso I'm pretty much SOL?09:33
wasabi_Use a server based store. ;)09:33
lophytewhat do you mean?09:34
wasabi_What you trying to sync? Contacts, calendars, email?09:34
lophytecalendars and todo lists09:34
lophytecontacts would be nice too09:34
wasabi_Well, here is another big thing to put on a todo list.09:35
wasabi_Exchange. =)09:35
wasabi_Or similar set of functionality. =009:35
lophyteput that on our 10 year todo list09:35
cberl1zimbra has some good functionality that way (just poking my head back here now and then)09:37
=== ajmitch sees a few more replies on the -diretory thread
=== lophyte [n=dsulliva@bas5-toronto63-1096730108.dsl.bell.ca] has joined #ubuntu-directory
lophyteerghg.. stupid connection10:01
cberl1What does it mean when you can't get shadow information for  a user?10:16
wasabi_It means you can't get shadow info for him10:27
wasabi_Which is basically a md5 password hash10:27
=== stelis [n=se@82-71-4-26.dsl.in-addr.zen.co.uk] has joined #ubuntu-directory
=== robertj_ [n=robertj@66-188-65-179.dhcp.athn.ga.charter.com] has joined #ubuntu-directory

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!