[03:52] <wasabi> howdy abartlet.
[04:10] <robertj> it would be sweet if you could set up an area of the wiki that was read-only to non-project members
[04:11] <robertj> unfortunately any kind of brain-storming on the wiki turns...less than productive (see any page containing Community in the title)
[04:15] <ajmitch> yes, it does quickly turn into a bit of a mess
[04:18] <robertj> ajmitch: mmm, if only RecentChanges could be filtered by karma ;)
[04:19] <ajmitch> hah
[04:19] <ajmitch> you've seen the insane amounts of karma given for support requests?
[04:22] <robertj> ajmitch: true, but if it's not used for anything I doubt anyone will bother to adjust the weighting
[04:23] <ajmitch> it's meant to be used for important things, like business partnerships with canonical
[04:24] <ajmitch> which is why having broken karma weightings is worrying
[04:27] <Fujitsu> They (LP people) said it should settle down after a couple of weeks, but it's been several.
[04:28] <ajmitch> months
[04:30] <Fujitsu> True.
[04:30] <robertj> ajmitch: well I see it is a chicken <> egg thing, where nothing important will use it unless it's fixed
[04:30] <Fujitsu> robertj: The fix is quite simple. Disable support karma!
[04:30] <Fujitsu> Or divide it by 1000000 or something.
[04:31] <robertj> Fujitsu: I think it's valid, it just needs to be devalued substantially
[04:31] <Fujitsu> And the lack of Soyuz karma is a little strange.
[04:32] <robertj> now that I've started using an RSS reader instead of visiting planets all day, I realize how pointless most of the garbage is
[04:33] <robertj> I'm _really_ hoping GOOG will implement some Advogato-style magic
[04:33] <Fujitsu> What garbage where?
[04:33] <robertj> Fujitsu: well 99.99% of everything everywhere is crap
[04:33] <robertj> doubly-so for things that find their way to RSS :)
[04:34] <Fujitsu> Probably.
[04:34] <ajmitch> Fujitsu: and eventually, bzr karma..
[04:35] <ajmitch> which would be horribly difficult to quantify
[04:35] <Fujitsu> It would, yes.
[04:35] <ajmitch> since I'm the sort of person who would commit every 5-10 minutes while working on something, while others commit daily
[04:35] <robertj> ajmitch: I think that's horribly bound to fail
[04:35] <ajmitch> I like to keep commits nice & small & independent changes
[04:35] <Fujitsu> I'm the former sort...
[04:35] <Fujitsu> Hm.
[04:35] <ajmitch> robertj: sure, doesn't mean they won't do it :)
[04:36] <Fujitsu> Somebody decided that nss-updatedb was the package for /usr/bin/updatedb
[04:36] <Fujitsu> Great.
[04:36] <robertj> ajmitch: network-flow based algorithms are the only viable choice I see for karma
[04:36] <ajmitch> yes, I reassigned that to slocate
[04:36] <ajmitch> robertj: it's closed source, we can't do anything about it but complain
[04:36] <Fujitsu> Good, though I didn't see an email about it.
[04:37] <abartlet> :-)
[04:37] <robertj> Isn't LP supposed to be OSS eventually?
[04:37] <Fujitsu> It is seriously bad!
[04:37] <Fujitsu> robertj: That last word is the keyword.
[04:37] <Fujitsu> robertj: It's been going to be OSS soon for over 2 years now.
[04:37] <ajmitch> robertj: 'eventually' could be 5-10 years
[04:37] <Fujitsu> What ajmitch said.
[04:38] <Fujitsu> By which time countless volunteer hours will have been lost because of the patheticness of the UI, and the lack of useful features.
[04:38] <Fujitsu> 'cause Malone's search rocks.
[04:38] <robertj> is anyone going to be bringing this up at MVS?
[04:38] <Fujitsu> And finding the way to file a bug on a package in Ubuntu is soooo easy from the LP homepage. That gets a lot of new people.
[04:39] <Fujitsu> robertj: Little point, Mark will probably just step on anybody that does.
[04:39] <ajmitch> robertj: we could bring it up all we want, but what good will it do?
[04:39] <ajmitch> it's a known problem
[04:39] <robertj> ajmitch: what is he waiting on?
[04:39] <ajmitch> sure, we could hack around it by implementing our own free software launchpad
[04:39] <ajmitch> robertj: for when he feels like it
[04:40] <lophyte> hey guy
[04:40] <ajmitch> it's all one large interwoven zope3 app, so it's hard to even free various components without splitting them out
[04:40] <Fujitsu> ajmitch: That's not toooooooo impractical (emphasis on the tooooo).
[04:40] <lophyte> s
[04:40] <Fujitsu> Hey lophyte.
[04:41] <Fujitsu> (the writing a FOSS LP)
[04:41] <Fujitsu> ajmitch: Or so they say. That could just be an excuse)
[04:41] <robertj> what's in there they wouldn't want to be FOSS?
[04:41] <Fujitsu> robertj: Soyuz.
[04:41] <ajmitch> Fujitsu: apparently it requires people to step up & help out
[04:41] <ajmitch> and malone
[04:42] <Fujitsu> ajmitch: Oh, and sign NDAs. Great.
[04:42] <ajmitch> and various other parts which give them a competitive advantage
[04:42] <ajmitch> Fujitsu: of course
[04:42] <Fujitsu> If they were really innocent, they wouldn't have interwoven anything in the first place.
[04:42] <ajmitch> no
[04:42] <ajmitch> it's just easier to make a system that is well integrated
[04:43] <ajmitch> apparently he'd be happy with freeing rosetta & the product registry to start with
[04:43] <Fujitsu> It is easier, but it also gives the advantage of an excuse for not opening it.
[04:43] <Fujitsu> Of course, if he freed those two, there's no reason Malone and Soyuz couldn't be reimplemented by the FOSS community in a reasonable length of time.
[04:45] <Fujitsu> I've got it!
[04:45] <ajmitch> https://launchpad.net/faq
[04:45] <Fujitsu> He'll release them under the CDDL or whatever it's called!
[04:45] <ajmitch> "Launchpad is a large, monolithic, web application. We would be happy to release the code for the Registry, for example, which keeps track of all upstream products and their series and releases; however, that code will not run without the distribution management code, which is part of of the service that Canonical provides to other companies that make their own distributions."
[04:46] <Fujitsu> Yes, I've read that many, many times.
[04:46] <Fujitsu> Soyuz is the big thing.
[04:46] <ajmitch> for the distro point of view, yes
[04:46] <Fujitsu> But does he really think other commercial distros are going to use LP?
[04:47] <ajmitch> yes
[04:47] <Fujitsu> O_o
[04:47] <Fujitsu> That's incredible.
[04:47] <Fujitsu> What is it, ajmitch?
[04:47] <robertj> "however, that code will not run without the distribution management code, which is part of of the service that Canonical provides to other companies that make their own distributions." <- what companies are those?
[04:48] <Fujitsu> robertj: None at this time.
[04:48] <ajmitch> Fujitsu: plugging in the camera starts the gthumb importer, not f-spot
[04:48] <ajmitch> which was a decision we made (or we kept the status quo)
[04:48] <Fujitsu> That's g-v-m, innit?
[04:48] <ajmitch> yes
[04:48] <ajmitch> it's a gconf setting
[04:48] <lophyte> alright.. back to setting this stuff up
[04:48] <robertj> Fujitsu: is HP still shipping laptops with Ubuntu?
[04:48] <lophyte> I'm using heimdal now
[04:48] <Fujitsu> robertj: I don't know.
[04:48] <lophyte> HP is shipping laptops with ubuntu?
[04:49] <robertj> ajmitch: btw, I was elated to see I can right click & eject in Nautilus' side-bar now :)
[04:49] <ajmitch> heh
[04:49] <Fujitsu> robertj: Really?
[04:49] <Fujitsu> I didn't notice that...
[04:49] <robertj> lophyte: they were ages ago...like...pre-breezy maybe?
[04:49] <Fujitsu> That's annoyed a lot of people.
[04:49] <ajmitch> I didn't notice it because I'm used to it by now
[04:49] <Fujitsu> (I probably didn't notice 'cause I don't use Nautilus)
[04:50] <lophyte> sweet, maybe I'll look into getting an HP instead of a Dell.
[04:50] <lophyte> Dell wouldn't sell me an OSless laptop for lower than retail price
[04:50] <lophyte> so much for "Dell makes a computer for you"
[04:50] <robertj> doh, no right-click empty trash
[04:50] <robertj> lophyte: Dell makes money off the software they sell you
[04:50] <Fujitsu> lophyte: I know, that infuriated me when I got my laptop in January.
[04:50] <robertj> lophyte: all those "free trials..." they get a cut I'm sure
[04:51] <lophyte> I called them up and asked if I could get a laptop without Windows for cheaper..
[04:51] <lophyte> I said I didn't wanna pay for the license
[04:51] <lophyte> they were like "sorry we can't do that"
[04:52] <robertj> lophyte: they are still cheaper $ for $
[04:53] <lophyte> than what?
[04:53] <robertj> if you shop the sales they are cheaper than almost everyone (even emachines)
[04:54] <robertj> todays deal...Dell EPP E1505 Core 2 Duo 2.00GHz, 15.4" WXGA, 2GB, 80GB, DVDRW, $845
[04:54] <robertj> that's....cheap
[04:54] <lophyte> I was gonna get their cheapest one
[04:54] <lophyte> it was like $615 or something
[04:55] <robertj> lophyte: I bought a 1405 for $607 a few months back
[04:55] <lophyte> I think it was the Dimension 1100
[04:55] <robertj> What!
[04:55] <robertj> 1100 at $600ish?
[04:55] <robertj> are you in the US?
[04:55] <lophyte> I believe so... but I may be mistaken
[04:55] <lophyte> one sec
[04:55] <nkassi> Do you have a link to the Dell EPP E1505 ?
[04:55] <lophyte> oh,sorry
[04:55] <lophyte> I got the names mixed up, haha
[04:56] <robertj> EPP is more expensive than sales
[04:56] <lophyte> moron ;_;
[04:56] <lophyte> Dell Inspiron 1300
[04:56] <nkassi> That is exactly what I was going to get from HP but for 1500$ with taxes
[04:56] <nkassi> oh thanks
[04:56] <nkassi> Going to shop now ;0)
[04:56] <robertj> Dimension 1100 is like the cheapest desktop
[04:56] <lophyte> right, Dimension is desktops..
[04:56] <lophyte> Inspiron is laptops
[04:57] <robertj> Latitude is also laptops
[04:57] <robertj> for home users the distinction between lines is minimal
[04:57] <robertj> http://www.fatwallet.com/t/18/666189/
[04:57] <lophyte> ugh.. I'm going to run cat5 one of these days
[04:57] <robertj> you pay more on one line for a guarantee that you can 3 years of replacement parts & that parts will interchange within all models in the given series
[04:58] <robertj> so take the machine you like best without regard to the series
[04:58] <lophyte> actually I think it was the Inspiron 1100
[04:59] <lophyte> for $639
[05:00] <robertj> lophyte: I've bought a $1505 too, they are nice
[05:00] <robertj> err e1505
[05:00] <nkassi> Bah, the HP 6000t still seems the best deal.
[05:01] <nkassi> For those looking for a nice laptop.
[05:01] <robertj> btw, I'm showing the 1300 at $569
[05:01] <robertj> M 1.7ghz/1gig
[05:02] <robertj> but if you can scrape it together the extra cash is way worth it for double the ram, much better proc & screen, and the burner
[05:02] <lophyte> man..
[05:02] <lophyte> setting up ldap/kerb is such a long process
[05:03] <robertj> lophyte: isn't that why we are here ;)
[05:03] <lophyte> indeed
[05:03] <nkassi> hehe
[05:03] <lophyte> i've never done it before
[05:03] <lophyte> I'm using heimdal+openldap
[05:03] <ajmitch> but it's so fun!
[05:04] <lophyte> http://www.openinput.com/auth-howto/
[05:04] <lophyte> using that howto ^
[05:04] <ajmitch> well, maybe more than a couple
[05:05] <robertj> ajmitch: you going to MVS right?
[05:06] <ajmitch> yes
[05:06] <robertj> can you _please_ pimp avahi advertisements of services like...maybe slapd?
[05:07] <ajmitch> hehe
[05:07] <lophyte> what /is/ avahi, btw?
[05:07] <lophyte> I haven't read up on it yet
[05:07] <robertj> lophyte: it is bliss
[05:07] <ajmitch> you know you can just drop files into /etc/avahi/services ?
[05:07] <nkassi> lophyte: http://www.linuxjournal.com/article/8374
[05:07] <ajmitch> well, drop service descriptions in there
[05:08] <nkassi> if you follow all parts you should have a pretty nice setup ;-)
[05:08] <lophyte> nkassi: ty.. maybe that'll be better than this howto I'm following
[05:08] <lophyte> robertj: wanna elaborate on that? :P
[05:08] <robertj> lophyte: heard of bonjour/rendezvous?
[05:09] <lophyte> isn't rendezvous like a LAN-based IM system?
[05:09] <nkassi> lophyte: there are 4 parts by the way. They should turn up if you search on the LJ site.
[05:09] <lophyte> nkassi: excellent.. thanks
[05:09] <ajmitch> lophyte: multicast DNS service discovery
[05:10] <lophyte> ah, sweet.
[05:12] <abartlet> lophyte: that looks like a good howto!
[05:13] <robertj> ajmitch: can you think of any reason a daemon shouldn't have an avahi service definition?
[05:13] <abartlet> for once...
[05:14] <lophyte> abartlet: which one? the one I pasted?
[05:14] <abartlet> yeah
[05:14] <abartlet> looks like a very high degree of clue
[05:15] <ajmitch> robertj: because people may not like it :)
[05:15] <ajmitch> hey abartlet
[05:15] <abartlet> the only thing it needs is info on hooking Samba in, which you can do with heimdal
[05:16] <ajmitch> abartlet: what's the status of shared libraries with samba4?
[05:16] <abartlet> if that howto was the basis of this ubuntu directory project, I would at least be happy it would start with a good basis, of existing software
[05:16] <ajmitch> jelmer said there were some issues..
[05:16] <abartlet> ajmitch: shared libraries are hard :-)
[05:16] <ajmitch> of course
[05:16] <abartlet> but I think jelmer has them working for the moment
[05:16] <ajmitch> oh great
[05:16] <ajmitch> I'll have to chase him up :)
[05:16] <abartlet> harder still is keeping APIs solid...
[05:18] <ajmitch> yeah
[05:18] <ajmitch> I really want to look at this new code for interfacing with AD that I've heard of
[05:18] <abartlet> which bit?
[05:19] <ajmitch> joining domains, password changes, notifications, etc
[05:19] <ajmitch> all I've heard so far has been an article or two online & a novell podcast
[05:19] <abartlet> perhaps move this over to #samba-technical?
[05:20] <ajmitch> sure
[05:20] <robertj> where does the list of services in System->Administration->Services come from?
[05:20] <ajmitch> robertj: probably /etc/init.d & related rcX.d directories
[05:21] <ajmitch> if it's the app I'm thinking of
[05:22] <robertj> ok, more difficult question, is there a way to list all packages that place files in /etc/init.d
[05:23] <robertj> going though those & weeding out the non-local services would probably be the most comprehensive list of files needing avahi service definitions :)
[05:24] <ajmitch> robertj: it'd be hard - maybe by apt-file
[05:26] <robertj> ajmitch: neuralis nailed it on -devel
[05:26] <ajmitch> I should read that..
[05:27] <robertj> #-devel that is
 robertj: apt-get install apt-file; apt-file update; apt-file search init.d
[05:27] <ajmitch> right
[06:07] <nkassi> Hey, what are the chances that samba 4.0 will be a part of the Ubuntu Directory on the server side ?
[06:07] <Burgundavia> nkassi: given the server is currently not specced, I would say likely
[06:07] <nkassi> cool. thanks.
[06:08] <Burgundavia> however, samba4 is not out yet
[06:08] <ajmitch> and we've just been talking with some samba people
[06:08] <ajmitch> it'll be awhile, certainly not likely for feisty
[06:09] <nkassi> hehe, I pretty much guest that. From what I see the Server side will also be for feisty+1 right ?
[06:10] <nkassi> guessed that ;)_
[06:10] <Burgundavia> unless somebody comes along
[06:10] <ajmitch> there'll be development work done in parallel for client & server, but it's most likely to be feisty+1 target
[06:11] <nkassi> I would love to help but this stuff is way over my head right now ;0)
[06:38] <ajmitch> Burgundavia: so most of the AD integration stuff that SLED10 has is in samba3
[06:38] <ajmitch> which is useful
[06:38] <Burgundavia> ah, interesting
[06:38] <ajmitch> yeah
[06:38] <Burgundavia> ajmitch: sanity check: our network auth connection stuff, which you are writing
[06:38] <ajmitch> makes sense that they wouldn't be using samba4 code yet
[06:38] <Burgundavia> is there a way to get that to be cross-distro?
[06:38] <ajmitch> sorry?
[06:39] <ajmitch> cross-distro on which way?
[06:39] <Burgundavia> reduce our support burden by having suse and rh join in and use it
[06:39] <ajmitch> the code I have is reasonably specific because of the package integration & the ways that distros differ with pam & other config files
[06:39] <Burgundavia> ah, yes
[06:39] <ajmitch> sure, the core is all there, and it's fully extensible by modules
[06:40] <Burgundavia> those pam differences are total crack
[06:40] <Burgundavia> there is no sane reason for each distro to have its own version
[06:40] <ajmitch> but the current modules have some debian/ubuntu-specific stuff like reading/writing debconf values
[06:40] <Burgundavia> ah
[06:40] <ajmitch> it's not hard to factor that out
[06:40] <Burgundavia> osdl needs to have a network-auth summit
[06:40] <ajmitch> would be nice
[06:41] <ajmitch> so we should probably make sure we get samba 3.0.23c in feisty
[06:41] <Burgundavia> might suggest that on desktop-architects
[06:41] <ajmitch> assuming that code we need is in there
[06:41] <Burgundavia> debian already has .23 I think
[06:42] <ajmitch> but what revision?
[06:42] <ajmitch> ok, 3.0.23c
[06:42] <Burgundavia> no idea
[06:42] <ajmitch> so it needs merged, I'll see if I can do that this week or next
[06:43] <ajmitch> pitti did it last, so I'll talk to him
[06:43] <Burgundavia> what does our samba delta look like?
[06:43] <ajmitch> I'll have to look
[06:43] <ajmitch> don't ask me that when I'm only just checking it
[06:44] <Burgundavia> yep, just wondering
[06:44] <ajmitch> the more I use beryl, the more plugins I turn off
[06:46] <ajmitch> you know that RH would ask why we didn't use authconfig instead
[06:46] <ajmitch> and suse will want to promote their tool
[06:47] <Burgundavia> which I think is yast
[06:47] <Burgundavia> why don't we use authconfig?
[06:47] <ajmitch> ok, grabbed samba from edgy, now fetching from sid
[06:47] <ajmitch> because I wanted some of that debian specific stuff
[06:48] <Burgundavia> what do you mean?
[06:48] <ajmitch> debconf, managing conffiles, packages, etc
[06:48] <Burgundavia> ah
[06:48] <ajmitch> and I was going to use authtool in package maintainer scripts as well, which may still be an option
[06:49] <ajmitch> it'll probably still be needed
[06:49] <ajmitch> so that when you upgrade various libraries, it just DTRT
[06:49] <Burgundavia> right
[06:50] <ajmitch> hence why the package got native versioning, etc
[06:51] <ajmitch> which I should probably change
[06:51] <ajmitch> whip up some screenshots
[06:51] <ajmitch> blog about it
[06:51] <lophyte> is it really necessary to import the contents of /etc/group into an LDAP directory
[06:51] <ajmitch> rake in the millions
[06:53] <ajmitch> lophyte: it can be useful
[06:54] <lophyte> oi.. seems like a lot of work
[06:54] <ajmitch> ok, seems like we don't have *too* many changes to samba, mostly well documented
[06:55] <ajmitch> it'll take a bit of picking through
[06:55] <nkassi> lophyte: I believe there are some scripts online that can do it for you and output to ldif.
[06:55] <ajmitch> migration-tools package
[06:55] <lophyte> oh, really
[06:55] <ajmitch> which I don't like much, but it tends to work
[07:06] <tepsipakki> Fujitsu: it was me =) (the updatedb-bug)
[07:06] <tepsipakki> it was a bit too late to triage bugs
[07:06] <Fujitsu> tepsipakki: I noticed :)
[07:06] <Fujitsu> tepsipakki: It can get that way sometimes, I know.
[07:06] <tepsipakki> I was seeing nss- all over the place
[07:06] <tepsipakki> heh
[07:39] <ajmitch> ah, more posts on the -directory thread on devel
[08:39] <Burgundavia> nkassi: can you move the n-a/Server stuff to EasyLDAPServer ?
[08:42] <ajmitch> ok, got the goahead to do the samba merge, so we can have toys to play with
[03:03] <nkassi> Burgundavia: Done
[03:08] <^robertj> morning all
[03:09] <nkassi> morning
[03:14] <bmonty> ajmitch: ping
[03:47] <wasabi_> morning freedom lovers.
[03:48] <SimonAnibal> morning all
[03:48] <wasabi_> I like this shizit about Oracle and RedHat battling for the enterprise.
[03:49] <wasabi_> Lets sneak in under the radar and shoot both of em down.
[03:49] <^robertj> wasabi_: also, it's worth noting that they aren't
[03:49] <wasabi_> Yeah hah
[03:49] <^robertj> Oracle is supporting Oracle
[03:49] <wasabi_> Few server side installs.
[03:49] <^robertj> "is there anything else on that server besides oracle? Sorry, that's not under your agreement"
[03:50] <wasabi_> Oracle announced on Wednesday that it would take RHEL, strip out the Red Hat (NASDAQ: RHAT - news) copyrights and add in Oracle bug fixes to create Unbreakable ?
[03:50] <wasabi_> Just to run Oracle?
[03:50] <^robertj> that's my buess
[03:50] <^robertj> err guess
[03:50] <wasabi_> Makes sense.
[03:51] <SimonAnibal> So does that mean all Oracle boxes are going to be forced to be DEDICATE Oracle boxes?
[03:51] <^robertj> Im betting we will see 5-10 specific certifications for Unbreakable + a vm
[03:54] <nkassi> Oh well, Oracle doesn't seem to realise the amount of PR they will need to do to get people's confidence, I mean the  people who paid a good amount of money for Red Hat support
[03:54] <nkassi> And what sort of patch are they going to provide that RH will not ?
[03:54] <nkassi> Oracle specific ?
[03:55] <^robertj> nkassi: probably a subset of security updates
[03:58] <nkassi> I still don't see how that is going to make a difference, I believe that RH will be faster than Oracle to test and release them. What Oracle should do is buy RH.
[04:01] <^robertj> could be sabre rattling, I just don't care
[04:01] <^robertj> I hope they don't buy RH though
[04:01] <^robertj> so I guess I do, but either way I don't want to hear squat from some retard at /., cnet or digg
[04:04] <SimonAnibal> Anyone have experience with SystemImager?
[04:05] <nkassi> ^robertj: hehe, oh well, it's bound to happen.
[04:08] <SimonAnibal> I'm wondering if it would be of use to me in my situation
[04:08] <SimonAnibal> ~300 workstations on 3 different model computers
[04:08] <SimonAnibal> I want to keep them all up to date and configured from one golden client, as it claims to do.
[04:09] <SimonAnibal> My old way (using Norton Ghost to re-image everytime) won't work with if it's not deployed on identical hardware
[04:09] <nkassi> Got to go, see y'all.
[04:10] <SimonAnibal> Wondering if there might be a simpler/better solution out there that one of you might know about
[04:11] <SimonAnibal> Otherwise, I'll be diving into it
[04:12] <lophyte> morning all
[04:16] <SimonAnibal> morning
[04:17] <lophyte> bmonty: you around?
[04:18] <bmonty> lophyte: hi
[04:18] <lophyte> heya
[04:18] <lophyte> would you be interested in collaborating and finishing the SingleSignOn howto together?
[04:20] <bmonty> sure, I'm actually having to redo the setup on one of my machines, so the steps are fresh in my mind
[04:20] <lophyte> cool.. I'm working on it too, in a Xen VM
[04:20] <bmonty> the edgy upgrade did not deal well with my LDAP+Kerberos setup
[04:20] <wasabi_> Any LDAP pros know the true cost of doing async LDAP notify operation?
[04:21] <wasabi_> Socket open on the server I assume.
[04:25] <bmonty> lophyte: is there any particular place you want to start?
[04:26] <bmonty> wasabi_: is a notify operation the server telling clients about a change?
[04:26] <wasabi_> Yes.
[04:26] <wasabi_> What's a reasonable top limit of open sockets on a server?
[04:26] <wasabi_> From a single process.
[04:27] <bmonty> isn't that a kernel parameter?
[04:27] <bmonty> I think the sys admin can set that, plus there is a limit based on available system resources
[04:28] <wasabi_> Yeah. Just curious what a real functional cost might be.
[04:28] <bmonty> does OpenLDAP do the notify operation?
[04:28] <wasabi_> Believe so. Uses it for repl.
[04:28] <wasabi_> For instance if every client in an enterprise were to maintain a persistent query on passwd/group
[04:28] <bmonty> ok, I can't remember seeing anything in the docs about pushing changes out to clients
[04:29] <wasabi_> It's a standard LDAP operation.
[04:29] <bmonty> cool, I'll have to check that out
[04:29] <lophyte> bmonty: LDAP configuration seems like the first thing that's missing
[04:30] <lophyte> actually, adding a host principal into kerberos is missing..
[04:30] <lophyte> that involves installing krb5-admin-server and using kadmin.local, right
[04:30] <wasabi_> I'm switching to Heimdal.
[04:31] <lophyte> I'm using heimdal, actually :P
[04:31] <wasabi_> Then it won't be krb5-admin-server you need.
[04:31] <lophyte> nope..but the howto uses MIT
[04:32] <bmonty> the MIT krb5 install takes care of creating an admin principal
[04:32] <lophyte> ah
[04:32] <bmonty> once you have the servers installed, it is fairly easy to run kadmin from any machine on your network
[04:36] <bmonty> has anyone made a decision to make heimdal krb5 the standard for Ubuntu?
[04:36] <wasabi_> Nobody has made any decisions about anything.
[04:36] <wasabi_> I suspect that's where we'll end up on the server side though.
[04:37] <bmonty> to me, that is a decision that needs to be made fairly early
[04:37] <wasabi_> Nobody is going to start a server implementation for a long time.
[04:37] <wasabi_> And the client side is portable enough.
[04:44] <bmonty> any idea how closely the heimdal API mirrors the krb5 API?
[04:44] <bmonty> MIT krb5 API that is
[04:46] <^robertj> has anyone done an overview of the client side utils from Fedora, OS X, & Windows to see what is worth stealing?
[04:46] <wasabi_> There are very few differences.
[04:46] <wasabi_> They're not compatible, but whatever we build can be retrofitted in a few days.
[04:47] <wasabi_> Except for the kadmin protocol...but we'll need to support both of those anyways.
[04:47] <bmonty> wasabi_: if stuff gets written in python, it shouldn't be too hard to hide the differences
[04:47] <wasabi_> I don't know what you expect to be written in python.
[04:47] <wasabi_> Heh.
[04:47] <wasabi_> Except a pretty config wizard.
[04:48] <wasabi_> Which ajmitch has been doing nicely on, btw.
[04:48] <^robertj> wasabi_: is there an accompanying util?
[04:48] <wasabi_> for?
[04:48] <^robertj> wizard is run once, right?
[04:48] <bmonty> ^robertj: there is some stuff out there, but my general impression is that a lot is unmaintained, and the other stuff is very specific to a certain distro
[04:49] <^robertj> bmonty: I meant purely from a usability standpoint
[04:49] <wasabi_> The idea is for a program called "authtool", which accepts a minimal number of settings, either on the command line, or a UI, and configures the relevant client services.
[04:49] <bmonty> ^robertj: usability of what?
[04:49] <wasabi_> So, that's all text file parsing and command invoking. Perfect for Python.
[04:49] <wasabi_> The actual things it's setting up are all C.
[04:50] <^robertj> wasabi: but is it going to wipe out all your old settings or can you go in and adjust one setting after it is all said and done
[04:50] <wasabi_> Depends.
[04:50] <bmonty> wasabi_: if we were going to develop any GUI tools for the client, I see that being done in python
[04:50] <bmonty> since not many exist, I expect that will have to happen
[04:50] <wasabi_> That stuff is so far down the road.
[04:50] <wasabi_> We're talking like, years.
[04:51] <wasabi_> I would much rather get some people working on making an Ubuntu box able to join a domain and Work Right.
[04:51] <^robertj> wasabi: i'm talking purely client-side
[04:51] <wasabi_> You're talking client side tools for admining a server.
[04:51] <wasabi_> A server which we do not yet possess, and which will be way off.
[04:51] <wasabi_> Client side tools for a client, is really nothing but this one wizard.
[04:51] <^robertj> nope
[04:52] <wasabi_> "Please enter your domain name. Are you running Active Directory? Thanks... configuring NSS and PAM now!"
[04:52] <^robertj> wasabi: I've got a fair number of other options on my OS X box that are actually useful
[04:53] <bmonty> ^robertj: I have not seen any tools that are ready to integrate nicely with Ubuntu
[04:53] <wasabi_> You mean user management tools?
[04:53] <^robertj> wasabi: no, in the user-facing tool for setting up directory access
[04:53] <wasabi_> That's the wizard.
[04:54] <^robertj> wasabi: I'd be mad if I had to reenter all my attribute mappings on every run of the wizard
[04:54] <wasabi_> If you have to enter attribute mappings, we've failed.
[04:54] <^robertj> wasabi_: unfortunately static mappings & other garbage are a fact of life here
[04:55] <wasabi_> Well, I'm not working on that.
[04:55] <wasabi_> Are you? :)
[04:56] <wasabi_> It will be a year or more before I get to that.
[04:56] <^robertj> hopefully our DS group will get the pink-slip by then ;)
[04:57] <wasabi_> I think expectations are too high. The goal is to clearly define scope to something that will drive Ubuntu support contracts.
[04:57] <wasabi_> And something which is doable in some sort of timeline.
[04:57] <wasabi_> We need to be able to join existing directories. AD being the first.
[04:57] <^robertj> "not enough human resources to properly assess the security risks? It's an 8 line schema adding 2 new attributes!"
[04:57] <wasabi_> And we need to cover all our bases in those areas.
[04:58] <wasabi_> disconnected operation, cross realm, caching, zero blocking NSS.
[04:58] <wasabi_> Those are Huge things and not to be taken lightly.
[04:58] <wasabi_> And they're all in C.
[04:59] <bmonty> just getting NSS to behave properly would be a nice achievement
[04:59] <wasabi_> Uh huh. That's going to require a massive effort in libnss-ldap, maybe even discarding it.
[05:00] <SimonAnibal> I figure if whiprush and I have managed to join Ubuntu to AD more or less successfully with existing packages that it would be a matter of setting up a package for AD clients that depends on all necessary packages and has an easy way of getting the necessary information from the user to configure the box and join it to the domain
[05:00] <lophyte> indeed..
[05:00] <wasabi_> SimonAnibal: Yes, but your joining AD comes with MANY caveats. Try unplugging the network.
[05:00] <wasabi_> Try doing the same on a laptop.
[05:00] <wasabi_> Try logging onto another realm.
[05:01] <wasabi_> I suspect if we offer "AD support", except for laptop users, and btw your box will lock up when a switch hiccups, we'd be killed. =)
[05:01] <SimonAnibal> Unplugging the network does nothing, as I have it set up to check for local accounts and consider them sufficient before even checking on the network. And shouldn't the correct behavior of a disconnected box be to not allow network logins?
[05:01] <wasabi_> SimonAnibal: Tell that to laptop users.
[05:02] <SimonAnibal> Hmmm, so how do laptop users do it? Don't they have a local account?
[05:02] <SimonAnibal> How can you authenticate to a server you're not connected to?
[05:02] <wasabi_> Windows caches creds and logins
[05:02] <bmonty> i gave up getting my laptop to work
[05:02] <wasabi_> So it works fine, and when you plug it in, you need to get a TGT
[05:02] <SimonAnibal> So you login while connected and then you can login to that laptop even if disconnected?
[05:03] <bmonty> yeah, if I'm on my home network it isn't a problem
[05:03] <wasabi_> Yup.
[05:03] <bmonty> but I have a laptop to carry it around
[05:03] <wasabi_> Anyways, my point is just that even if we get Mark to buyin to it, and put one developer on it.
[05:03] <wasabi_> Just getting the basic C stuff smoothed out is going to take a very long time.
[05:03] <SimonAnibal> In our corporation, laptops do not cache credentials as far as I know, we provide a local account to use them when not connected to the network
[05:03] <wasabi_> SimonAnibal: Windows laptops?
[05:04] <wasabi_> SimonAnibal: You can login to the domain while disconnected on Windows. It caches your password and network information, but when you plug it into the network, you have no TGT until you get one (lock screen/unlock)
[05:04] <SimonAnibal> Win XP on Dell laptops. And they might do the caching stuff, it's just we don't rely on it or expect it
[05:04] <wasabi_> Well, in my company, I'd be fired if I suggested that. People have documents on their desktop they'd expect to be able to access.
[05:04] <wasabi_> And maintaining two profiles? Ugh.
[05:05] <bmonty> I've never seen that work 100%
[05:05] <bmonty> my roaming profile at my work has never worked correctly
[05:05] <SimonAnibal> Nod, nod.
[05:05] <wasabi_> Not talking about roaming profiles really.
[05:05] <SimonAnibal> So, then, what DO we have working?
[05:05] <wasabi_> You have basic LDAP queries going to a LDAP server for a NSS query.
[05:06] <wasabi_> They are slow, they block.
[05:06] <bmonty> I don't think account caching works well with laptops at all
[05:06] <wasabi_> bmonty: Works perfect on Windows.
[05:06] <wasabi_> Every laptop in this company seems to have no problem with it.
[05:06] <wasabi_> There is no fallback support for anything.
[05:06] <wasabi_> There is no site locality for anything.
[05:06] <bmonty> I'm not a windows admin...and I've never seen anyone set it up so that it worked for a non-tech user
[05:06] <lophyte> it doesn't require setting up
[05:06] <lophyte> its done automatically
[05:07] <wasabi_> We need to look up SRV records, and order them based on locality.
[05:07] <wasabi_> If one server goes down, we need to look for another.
[05:07] <wasabi_> Same goes for KDCs
[05:07] <bmonty> I like the SRV records
[05:07] <bmonty> if you get that set up correctly, lots of things will "just work"
[05:08] <wasabi_> Anyways, so all this needs to be fixed, before any question of a UI to map attributes really matters.
[05:08] <bmonty> in my opinion getting LDAP+Kerberos (i.e. AD) authentication/authorization to work with PAM and NSS is a huge kludge
[05:09] <wasabi_> Yup. It is.
[05:09] <wasabi_> NSS is shitty.
[05:09] <bmonty> which makes it difficult to maintain in a production environment
[05:09] <wasabi_> It is not robust at all.
[05:09] <wasabi_> And it has no potential to be.
[05:09] <wasabi_> There is no way to query for users.
[05:09] <wasabi_> No way to do async operations.
[05:09] <bmonty> it would be nice if we could ditch NSS altogether and use PAM only
[05:09] <wasabi_> PAM and NSS solve different problems.
[05:09] <wasabi_> So, that makes little sense.
[05:09] <bmonty> yeah
[05:10] <bmonty> well have PAM perform the functions of NSS
[05:10] <wasabi_> Why?
[05:11] <bmonty> for one, I could do the configuration of my SSO setup in one place
[05:11] <wasabi_> That doesn't even make sense.
[05:11] <wasabi_> They are fundamentally different things.
[05:13] <bmonty> I don't agree, but I do think that NSS is inadequate as it is currently implemented
[05:13] <wasabi_> It's also not changing. NSS is POSIX.
[05:13] <wasabi_> So, it has to be made to work.
[05:13] <wasabi_> Which means a lot of time writing C programs to make it work right.
[05:14] <^robertj> have fun with the test suites ;)
[05:14] <bmonty> so? there are lots of C coders last time I checked
[05:14] <wasabi_> There are 2 in this channel I believe. =)
[05:15] <SimonAnibal> So, having no C experience, am I only going to be of use as a real-world test case?
[05:16] <lophyte> know python?
[05:17] <lophyte> python coders are gonna be needed at some point ;)
[05:17] <SimonAnibal> "Know" no. "Started learning but never got very far cause I didn't have a project to work on with it in order to actually understand it" yes.
[05:18] <SimonAnibal> I'm not averse to learning, or trial by fire.
[05:19] <SimonAnibal> I don't have any formal education about any of this yet. I won't deny that. But I doubt I'm useless.
[05:19] <bmonty> SimonAnibal: nobody said you were useless :)
[05:19] <lophyte> ergh...
[05:19] <lophyte> ldapadd won't connect to my ldap server
[05:19] <SimonAnibal> No, nobody did, it's just everything seems low-level enough that I'm doubting my value
[05:20] <bmonty> SimonAnibal: I wouldn't do that until something actually starts happening
[05:20] <bmonty> lophyte: are you using SASL?
[05:20] <lophyte> yeah
[05:21] <wasabi_> lophyte: What is the error?
[05:21] <bmonty> what is the error?
[05:21] <lophyte> nothing.. it just sits there after prompting for my password
[05:21] <wasabi_> -Y GSSAPI
[05:21] <lophyte> ldapadd: incompatible with previous authentication choice
[05:22] <wasabi_> Are you passing -x?
[05:22] <lophyte> yeah
[05:22] <wasabi_> Don't.
[05:22] <wasabi_> That's for a simple bind.
[05:22] <wasabi_> Which you should disable. ;0
[05:22] <bmonty> yup
[05:22] <lophyte> hrm.. same thing.. it just sits there
[05:23] <wasabi_> strace time.
[05:23] <wasabi_> see where it's pausing on
[05:23] <lophyte> ldapadd -h ldap.blindutopia.com -Y GSSAPI -D "cn=root,dc=blindutopia,dc=com" -W -f base.ldif
[05:24] <wasabi_> Use -H also
[05:24] <wasabi_> -W not needed either.
[05:24] <wasabi_> -D not needed either. ;)
[05:24] <wasabi_> You need to configure your server to support SASL auth I suspect.
[05:24] <wasabi_> And set up some regexps to map logins to objects.
[05:25] <lophyte> this howto essentially tells you to configure krb to use ldap as its db
[05:25] <lophyte> but it gets you to configure ldap first..
[05:25] <wasabi_> Well, the first goal is to get SASL binds through ldapi working first.
[05:25] <bmonty> which howto is that?
[05:25] <lophyte> http://www.openinput.com/auth-howto/
[05:25] <wasabi_> yeah these howtos are useless.
[05:25] <wasabi_> Learn the pieces, make your own decisions.
[05:25] <wasabi_> # Unix-socket connections from the root user are mapped to the host object.
[05:25] <wasabi_> sasl-regexp     uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
[05:25] <wasabi_>                 cn=akita,ou=Computers,dc=larvalstage,dc=net
[05:26] <wasabi_> As an example, I use that to allow local root logins over SASL EXTERNAL (ldapi:///) to map to a computer object.
[05:26] <wasabi_> # Map Kerberos authenticated logins.
[05:26] <wasabi_> sasl-regexp     uid=([^,]*),cn=larvalstage.net,cn=gssapi,cn=auth
[05:26] <wasabi_>                 ldap:///dc=larvalstage,dc=net??sub?(&(objectClass=krb5Principal)(krb5Princ$
[05:26] <wasabi_> I use that to map GSSAPI logins to the results of a query.
[05:27] <wasabi_> Heimdal will use ldapi:// (running as root) to connect to LDAP
[05:27] <wasabi_> You cannot use Kerberos for Kerberos to connect to LDAP. Chicken in egg problem.
[05:27] <wasabi_> And I just use slapadd to setup the initial computer object.
[05:27] <wasabi_> And hierarchy.
[05:28] <lophyte> oi..
[05:28] <wasabi_> I can explain it pretty easily, if you want.
[05:28] <lophyte> is that even possible? ;)
[05:28] <wasabi_> slapd can be connected to over a number of different sockets.
[05:28] <wasabi_> Over that socket, you can authenticate in a number of different ways.
[05:28] <bmonty> wasabi_: computer object == host principal?
[05:29] <wasabi_> Yup
[05:29] <wasabi_> There is a unix socket which you can connect to slapd on.
[05:29] <wasabi_> To enable that, you need to instruct slapd to use it.
[05:29] <wasabi_> In /etc/default/slapd
[05:29] <wasabi_> SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
[05:29] <wasabi_> That enables slapd to listen on the ldap port, the ldaps port and ldapi (the unix socket)
[05:29] <wasabi_> I think it's in /var/run someplace
[05:30] <wasabi_> Once connected to those sockets, any of them, you can authenticate in two ways. anonymous, simple or SASL.
[05:30] <wasabi_> anonymous means you don't auth. You should disable that
[05:30] <wasabi_> # Features to disallow
[05:30] <wasabi_> disallow        bind_anon bind_simple
[05:30] <wasabi_> ^ in slapd.conf
[05:31] <wasabi_> That disables both anonymous and simple binding.
[05:31] <wasabi_> Leaving only SASL.
[05:31] <lophyte> I think I'm gonna start over again...
[05:31] <wasabi_> SASL is expandable... you can install different modules on the client/server side to extend it.
[05:31] <nkassi> hehe
[05:31] <wasabi_> And it's service independent.
[05:31] <wasabi_> You can about only two SASL mechs... GSSAPI and EXTERNAL.
[05:31] <wasabi_> GSSAPI is a kerberos handshake.
[05:31] <wasabi_> EXTERNAL is system defined.
[05:32] <wasabi_> sasl-secprops   minssf=0,noplain,noanonymous
[05:32] <wasabi_> sasl-realm      LARVALSTAGE.NET
[05:32] <wasabi_> sasl-host       akita.larvalstage.net
[05:32] <lophyte> GSSAPI means it uses kerberos principals?
[05:32] <wasabi_> Yup
[05:32] <wasabi_> That disables plain and anonymous sasl connections. Sasl itself has a mech for PLAIN
[05:32] <wasabi_> Which is separate from simple binding.
[05:32] <lophyte> so you'd login as root/admin@MYDOMAIN.COM ?
[05:32] <lophyte> using GSSAPI
[05:32] <wasabi_> No, host/$computername.domain.com@DOMAIN.COM
[05:32] <wasabi_> # Unix-socket connections from the root user are mapped to the host object.
[05:32] <wasabi_> sasl-regexp     uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
[05:32] <wasabi_>                 cn=akita,ou=Computers,dc=larvalstage,dc=net
[05:32] <lophyte> hm..
[05:33] <wasabi_> When you login with SASL, slapd makes up a fake object name to represent your login.
[05:33] <wasabi_> dn=external,cn=auth
[05:33] <wasabi_> Those don't really exist.
[05:33] <wasabi_> cn=auth <--- SASL was used
[05:33] <bmonty> wasabi_: you are using the host principal for the purpose of updating the local NSS database, right?
[05:33] <wasabi_> cn=external <--- the SASL mech
[05:33] <wasabi_> bmonty: Yes.
[05:33] <wasabi_> The SASL EXTERNAL mech defines peercred and uidnumber and gidnumber.
[05:33] <wasabi_> Because you login using ldapi:///, over the unix socket.
[05:33] <wasabi_> Using EXTERNAL.
[05:34] <wasabi_> so it KNOWS your UID and GID
[05:34] <wasabi_> Because it's a Unix socket. It can know that stuff.
[05:34] <bmonty> lophyte: just so you know that is a different concept that what I did on my setup...and the concept that the SingleSignOn page is based on
[05:34] <wasabi_> So what I'm saying with that mapping statement is that when uid 0 connects using EXTERNAL
[05:34] <wasabi_> Map it to a specific object.
[05:34] <wasabi_> Being the computer object.
[05:35] <lophyte> I see..
[05:35] <wasabi_> Now you have your path into LDAP. root on the same box is assumed to be "the computer itself"
[05:35] <wasabi_> Heimdal will use that.
[05:35] <wasabi_> So, logically, the computer itself should have full access
[05:35] <wasabi_> access to *
[05:35] <wasabi_>         by dn.regex="cn=akita,ou=Computers,dc=larvalstage,dc=net" write
[05:36] <wasabi_> Now you need to populate the LDAP directory, and actually make the ou and computer object.
[05:36] <wasabi_> You can use ldapadd -H ldapi:/// -Y EXTERNAL
[05:36] <wasabi_> As root, to do that.
[05:37] <wasabi_> To do that I basically make an object with top/account/krb5Principal
[05:37] <wasabi_> And set the krb5PrincipalName: host/host.fqdn@REALM
[05:38] <wasabi_> Then you need to tell heimdal to init its DB.
[05:38] <wasabi_> It'll spew all sorts of shit into LDAP.
[05:38] <wasabi_> You go in and move it where it really belongs.
[05:38] <wasabi_> Heimdal needs work.
[05:38] <wasabi_> (In C!)
[05:39] <bmonty> MIT krb5 has an LDAP backend that is coming along soon
[05:39] <bmonty> I haven't played with it though....only read about it
[05:39] <lophyte> man..
[05:39] <lophyte> this shit is overwhelming
[05:39] <wasabi_> Uh huh.
[05:39] <bmonty> LDAP as a backend for the KDC makes things a lot nicer though
[05:40] <wasabi_> Anyways, once you have some initial principals, then you can start logging into LDAP using GSSAPI
[05:40] <wasabi_> You should use that for everything else.
[05:40] <lophyte> time to start over and give this a try
[05:41] <bmonty> wasabi_: do you implement a "roaming profile"...i.e. I could log on to any machine and my home directory is the same?
[05:41] <wasabi_> No.
[05:41] <wasabi_> I have some ideas for that though.
[05:41] <wasabi_> Mostly involving git or bzr.
[05:42] <bmonty> I've played with pam_mount, it works, but it doesn't know anything about SASL
[05:42] <wasabi_> To mount what?
[05:42] <lophyte> mount an nfs share on top of /home/username
[05:42] <bmonty> to mount my home directory from an NFS server on login
[05:42] <wasabi_> That's not really an acceptable path to go down.
[05:42] <wasabi_> Ignores disconnected operation.
[05:42] <bmonty> or any other network share you want
[05:43] <bmonty> wasabi_: disconnected operation is a shortfall
[05:43] <wasabi_> Yes, but it's one NFS will never be able to solve.
[05:43] <wasabi_> Ever.
[05:43] <wasabi_> Which makes it pretty useless for the use case.
[05:43] <wasabi_> Somebody tripping over your network cable, or a switch going faulty, can't result in your desktop crashing.
[05:43] <wasabi_> Let alone, again, laptops.
[05:44] <bmonty> NFS isn't the only network share, but that is beside the point, I want that kind of feature on Ubuntu
[05:44] <wasabi_> Yeah. I think there's some room to investigate using a DSCM for ~ specifically.
[05:44] <nkassi> Hey y'all, I see that there is a preference for Heimdal but what is the advantage over MIT? I saw something about performance. Is that all?
[05:44] <wasabi_> nkassi: MIT doesn't yet have LDAP storage
[05:44] <siretart> do you recommend the MIT or the heimdal implementation?
[05:44] <wasabi_> Yet.
[05:44] <wasabi_> I recommend it in that its LDAP storage works. ;)
[05:45] <siretart> what does MIT use as storage? bdb?
[05:45] <bmonty> out of the box, yes
[05:45] <nkassi> oh, yeah thats a major issue for me thanks ;0)
[05:45] <bmonty> the latest version added a pluggable storage feature
[05:45] <siretart> okay, and in what cases is an ldap storage preferable?
[05:46] <bmonty> LDAP is one of the plugins available, but it isn't released yet
[05:46] <wasabi_> Every case, IMO.
[05:46] <siretart> why?
[05:46] <bmonty> i agree
[05:46] <wasabi_> It offers automatic replication.
[05:46] <bmonty> consistency
[05:46] <wasabi_> Yeah. Your keys move with your user objects.
[05:46] <wasabi_> They are tied at the hip.
[05:46] <bmonty> without LDAP as the backend, you have to maintain a kerberos database and an LDAP database
[05:46] <nkassi> I also want to use the user info for contacts in thunderbird.
[05:47] <bmonty> its doable, but I doubt it is scalable
[05:47] <siretart> this means that account management does only need to handle ldap, and I don't need to care about adding principals with kerb tools?
[05:47] <wasabi_> You still need to.
[05:47] <wasabi_> Only the KDC can sign new keys.
[05:47] <nkassi> so a tool to add users would have to do both ?
[05:47] <wasabi_> Basically, yes.
[05:47] <bmonty> yup
[05:47] <wasabi_> It would have to make a LDAP object, and then instruct the KDC to populate it.
[05:47] <nkassi> There no way of having the KDC do the work ?
[05:48] <wasabi_> There is, but the KDC isn't going to put your shell in LDAP
[05:48] <wasabi_> Or your UID
[05:48] <wasabi_> and all that stuff.
[05:48] <bmonty> by design I think the authentication and authorization pieces should be separate
[05:48] <nkassi> beurk. oh well, I will have to create scripts or are there some out there ?
[05:49] <wasabi_> There are no scripts which do it right, and Heimdal is broken.
[05:49] <wasabi_> It doesn't find existing LDAP objects, it always creates its own.
[05:49] <wasabi_> So you have to do some manual merging.
[05:50] <bmonty> I use MIT kerberos, and as things exist today there isn't a reason why you couldn't create a tool to manage them
[05:50] <wasabi_> It's also a question of policy.
[05:50] <wasabi_> And security.
[05:50] <bmonty> but one doesn't currently exist
[05:51] <wasabi_> To me, it seems a bit insecure to allow a client machine, even with an admin user, to create an LDAP object, and instruct the KDC, in different bands.
[05:51] <wasabi_> It's a single logical operation. There should be a single RPC on the server which does it all.
[05:52] <bmonty> with your setup using ldapi, is that the only place you allow connections to create objects?
[05:52] <wasabi_> No.
[05:52] <bmonty> I'm thinking about something like the AD user manager that can run on any machine with MMC installed and any user that has the correct privs
[05:52] <wasabi_> Yeah, that uses custom RPCs though.
[05:53] <wasabi_> It doesn't contact the LDAP and KDC to make a user.
[05:53] <wasabi_> It actually calls a MS RPC CreateUser API.
[05:53] <lophyte> mmc for ubuntu would rock
[05:53] <wasabi_> Using either named sockets or TCP
[05:53] <bmonty> ok
[05:53] <wasabi_> Which, imo, was done for a good reason.
[05:53] <wasabi_> For instance, in my company, IT doesn't create users.
[05:53] <wasabi_> HR does.
[05:53] <bmonty> I see your point, and it makes sense to me
[05:53] <wasabi_> The last thing I want to do is give HR the permission to connect to the LDAP and make random objects.
[05:54] <wasabi_> I want them to call a single unit of work to happen remotely.
[05:54] <wasabi_> So, again, when we start talking about directory servers, we go down paths like that.
[05:54] <wasabi_> And now we're creating and defining a remote API.
[05:54] <wasabi_> And choosing a protocol for it.
[05:54] <wasabi_> And complexity explodes. ;0
[05:55] <bmonty> whee!
[05:55] <wasabi_> So anyways, I see a suitable AD replacement seeing years off.
[05:55] <wasabi_> I see a good client that can connect to an existing AD being maybe a year or more off.
[05:56] <bmonty> why would canonical create a feature that requires you to purchase windows in order to use it?
[05:56] <wasabi_> Because many people have already purchased windows.
[05:56] <wasabi_> And we want those people to deploy Ubuntu in a reasonable time frame.
[05:57] <wasabi_> Where it fits.
[05:57] <siretart> I see an urgent need for proper overview documentation how directory and authentication services work with each other and how to reasonably deploy it in, say, 6.06LTS
[05:57] <wasabi_> An all or nothing approach is not reasonable.
[05:57] <wasabi_> siretart: Me too.
[05:57] <wasabi_> I'd love for somebody to document setting up a PROPER KDC and ldap.
[05:57] <wasabi_> Not this simple binding crud. :0
[05:58] <^robertj> define PROPER
[05:59] <wasabi_> Connections to LDAP established only with SASL.
[05:59] <wasabi_> Everything that needs to be secured secured.
[05:59] <bmonty> siretart: documenting the setup is hard without deciding on what software Ubuntu is going to use in implementing the specs
[05:59] <wasabi_> KDC princs stored in LDAP.
[05:59] <wasabi_> Replication between LDAP servers happening using kerberos.
[05:59] <bmonty> MIT krb5 vs. Heimdal krb5
[05:59] <wasabi_> Clients using Kerberos for all connections to LDAP
[05:59] <bmonty> for example
[05:59] <siretart> robertj: proper in the sense that after reading a decently skilled admin can set it up without external documentation not referenced in that documents
[06:00] <^robertj> wasabi: maybe start with a clean -server install on vmware and create a sh script which you curl and run via sudo to set it up and then document that?
[06:01] <wasabi_> Sure.
[06:02] <nkassi> <Was making food> About the MMC tool, how would that be implemented easily ? Is that a really huge complex project ?
[06:03] <wasabi_> I'm not convinced we need anything like MMC at all.
[06:03] <wasabi_> A nice LDAP client, sure.
[06:03] <wasabi_> A weirdly pluggable administration tool host?
[06:04] <wasabi_> For the LDAP tool, I'd start by fixing GQ up.
[06:04] <wasabi_> GQ is probably the closest of all of them. At least it's Gtk.
[06:04] <^robertj> and written in our beloved python
[06:04] <wasabi_> Is it?
[06:04] <nkassi> Well, I know that I will need a administration tool for at least my boss, and the Windows Admins if I was to switch. They wouldn't go for the Web stuff really, they seem to love MMC on windows ...
[06:04] <wasabi_> Believe gq is C
[06:04] <^robertj> maybe not, I thought so
[06:05] <wasabi_> nkassi: Admin tool for what, AD?
[06:05] <^robertj> gtk+
[06:05] <wasabi_> nkassi: MMC isn't an admin tool. It's a pluggable architecture for building admin tools.
[06:05] <nkassi> wasabi: Hum, well I meant a tool to emulate the AD tools but to manage Ubuntu-Directory
[06:05] <wasabi_> If you mean AD Users & Computers, sure, we need a nice LDAP client. :0
[06:05] <nkassi> Ok the console then
[06:06] <wasabi_> gq is still probably the closest to what you want.
[06:06] <nkassi> wasabi, I guess that would work.
[06:06] <wasabi_> It works now, it's really wonky and buggy though.
[06:06] <wasabi_> And needs SRV record support, GSSAPI support compiled in and working.
[06:06] <wasabi_> Its UI is sort of silly. Could use object-specific UI plugins.
[06:07] <nkassi> What about Luma ? I know it's qt but I was looking at the backend, it could be used to create a Ubuntu specific GTK interface.
[06:07] <wasabi_> Sure. The backend is Qt though.
[06:07] <wasabi_> Isn't it?
[06:07] <nkassi> hum, I meant the ldap stuff
[06:08] <nkassi> I was going to try to rip out all the Qt stuff, I just liked the LDAP connection code.
[06:10] <nkassi> I'm my making any sense ? (I usually don't  ;0) )
[06:11] <nkassi> I meant I'm I ...
[06:12] <nkassi> There you see, I don't make sense.
[06:30] <bmonty> wasabi_: the code for SASL binds is in gq, but it is very buggy
[06:30] <wasabi_> Yup
[06:30] <bmonty> it looks like someone has picked up maintaining gq though
[06:30] <wasabi_> That's nice.
[06:31] <bmonty> I think the end result should be a tool that is a little more specific to managing users and groups instead of just editing the LDAP database
[06:32] <wasabi_> Sure, but GQ can be turned into that.
[06:32] <MagnusR> Agree, it would be nice to have an integration with Kerberos in a Unified interface.
[06:32] <wasabi_> What it needs is a set of pluggable UI pieces which can be loaded based on detected objectclasses.
[06:32] <nkassi> bmonty: I second that. How hard would it be to modify the user & group dialog in gnome-systems... package ?
[06:32] <wasabi_> If no plugin matches, use the plain old property/value view.
[06:33] <bmonty> nkassi: I think that is a larger issue..,
[06:34] <wasabi_> Yeah, that dialog is on the way out anyways.
[06:34] <bmonty> i.e. ALL of the user tools (adduser)...how do they know where to make changes?
[06:34] <wasabi_> They make them in the passwd file.
[06:34] <wasabi_> They are meant for local users.
[06:34] <nkassi> Oh I didn't know it was being replaced. oh well
[06:34] <wasabi_> And there is nothing wrong with that at all.
[06:34] <wasabi_> MS does the same.
[06:34] <wasabi_> Control Panel, Users and Groups.
[06:34] <wasabi_> MMC.
[06:35] <bmonty> so then a new gnome applet that is for managing domain users and groups...not replacing the current tools
[06:35] <wasabi_> I still think Gq is fine. =)
[06:35] <wasabi_> It just needs love.
[06:36] <bmonty> and it looks like it is getting it....new release v1.2.1 on 8 Oct
[06:36] <lophyte> Gq?
[06:36] <nkassi> Hum a separate menu could be created under System with all the "Administrative Services" Items ;0)
[06:36] <bmonty> yup
[06:36] <lophyte> never heard of it
[06:36] <nkassi> The name is probably patented or something ;-)
[06:37] <bmonty> http://gq-project.org/
[06:37] <lophyte> ah, neat.
[06:37] <bmonty> looks like they added gnome-keyring support...
[06:39] <bmonty> hmmm...we still have 1.0.0 :(  Maybe I should take a look at repackaging it later today
[08:17] <Burgwork> wasabi_: have you played with lat?
[08:17] <Burgwork> lophyte: bmonty_away: either of you?
[08:17] <wasabi_> lat = ?
[08:17] <Burgwork> ldap admin tool
[08:17] <Burgwork> I use it here
[08:17] <wasabi_> no
[08:17] <Burgwork> works quite well
[08:18] <ajmitch> hi
[08:22] <wasabi_> lat seems to be C#?
[08:23] <wasabi_> no sasl support yet
[08:23] <ajmitch> you don't like C#? :)
[08:24] <wasabi_> love it. Just wondering.
[08:25] <ajmitch> we probably don't want to have each tool done in its own language
[08:26] <wasabi_> Doesn't really matter to me. Whatever is the least resistance.
[08:27] <wasabi_> I'm not going to propose rewriting a LDAP tool because it's not our language of choice.
[08:27] <ajmitch> I'm not suggesting rewriting
[08:27] <wasabi_> Lat looks pretty good actually.
[08:27] <ajmitch> just a factor in what we pick
[08:28] <ajmitch> eg I'd love to have everything in python so that we could mix & match
[08:28] <ajmitch> but that's just a dream..
[08:28] <ajmitch> and not essential in any way
[08:37] <ajmitch> wasabi_: you want me to fill in NetworkAuthentication/Client/Interface ?
[08:37] <Burgwork> wasabi_: the only thing lat needs is some serious stabilization work, but the UI works and the rest is good
[08:37] <wasabi_> Yes please.
[08:37] <ajmitch> k
[08:39] <Burgwork> http://lists.debian.org/debian-devel/2004/12/msg00290.html
[08:40] <wasabi_> Silliness.
[08:48] <ajmitch> 'interesting'
[08:49] <ajmitch> you'd have to basically walk the whole tree anyway, no real advantage over the flat Packages file
[08:49] <ajmitch> maybe a bit more compact, but that's hardly a blocker for apt
[08:52] <Burgwork> I know the apt and rpm people have spoken with the samba people about storing the databases in ldb
[08:53] <ajmitch> Burgwork: expect hate mail from beryl people ;)
[08:54] <Burgwork> my -devel comment?
[08:54] <ajmitch> yeah
[08:56] <Burgwork> I did explicitly say this was about beryl by default
[08:56] <ajmitch> I know
[08:57] <Burgwork> I need to address the "gconf-is-a-bad-idea" meme
[08:58] <ajmitch> the main thing that needs replaced is the settings manager
[08:59] <ajmitch> have you seen it?
[08:59] <ajmitch> it makes sawfish configuration look clean & elegant by comparison
[08:59] <Burgwork> no, I haven't
[09:00] <ajmitch> http://ajmitch.net.nz/~ajmitch/beryl-manager.png
[09:00] <ajmitch> a fraction of one pane of the many plugins
[09:01] <Burgwork> holy crack!
[09:01] <ajmitch> yeah
[09:02] <Burgwork> ok, now I just pissed more people off
[09:02] <ajmitch> see how many tabs, how many widgets
[09:02] <ajmitch> heh
[09:02] <ajmitch> that's ok
[09:02] <ajmitch> I've got to go, back in ~30min
[09:02] <Burgwork> said that gconf is a sane default for a gnome-based distro
[09:02] <cberl1> Hi folks.  Got any PAM experts herein?
[09:03] <cberl1> I need to get SSH to work with Winbind and PAM_MOUNT....
[09:04] <cberl1> All of my users are in Active Directory.  I need to enable ssh access, then make their local "home" directory and map their Windows drives to they can access them.
[09:07] <Burgwork> cberl1: both of our windows experts appear to be away
[09:08] <cberl1> Wow, you have TWO?  <snicker>
[09:08] <cberl1> Just kidding.
[09:08] <cberl1> Alright, I'll have to try again later.  This is something that I'm going to need at some point.
[09:11] <robertj> is it permissible to sign someone's key based off a form of ID other than a face-to-face visual ID?
[09:11] <Burgwork> afaik, no
[09:13] <robertj> no one in our LUG does key signing
[09:17] <robertj> and it's rather dumb because why does Ubuntu care if my name is rover and I am a dog?
[09:18] <Burgwork> ubuntu itself doesn't care
[09:18] <Burgwork> it only matters if you want to upload
[09:18] <robertj> but why would it matter?
[09:18] <wasabi_> Hi.
[09:19] <robertj> like the old adage says, don't look a gift-dog in the mouth
[09:19] <Burgwork> robertj: if you upload, we need to know who you are
[09:19] <Burgwork> "I wouldnt want Shuttleworth to
[09:19] <Burgwork> be right about the DCCA not working, its such a great idea." <-- http://lists.dccalliance.org/pipermail/dcc-devel/2006-June/000704.html
[09:20] <robertj> Burgwork: maybe i'm missing something. Like if you were hacking on OOo & signing Sun's JCA I could see it being needed but otherwise...
[09:21] <Burgwork> ok, lets look at it this way
[09:21] <Burgwork> you upload a package to revu
[09:21] <Burgwork> given I have never met you, how do I verify it is you that uploaded it?
[09:21] <Burgwork> you sign it with you key
[09:21] <Burgwork> which has been signed by somebody like ajmitch
[09:21] <ajmitch> alright, back
[09:21] <Burgwork> given I trust ajmitch, I trust you
[09:22] <ajmitch> silly Burgwork, trusting me
[09:22] <robertj> Burgwork: well I still have an identity
[09:22] <Burgwork> I know
[09:22] <Burgwork> yes, you do
[09:22] <robertj> but instead of being Rob J. Caskey of Athens, GA I am rcaskey@uga.edu
[09:22] <robertj> or some really long hash
[09:22] <Burgwork> signed keys allow you to prove that you are you
[09:23] <robertj> Burgwork: well they prove I have the key :)
[09:23] <ajmitch> it's a trust path, so that people who haven't met you can trust to some degree that you are who you say you are
[09:23] <Burgwork> yes, as I explained
[09:23] <robertj> ajmitch: which is cool, that I grok, I just don't see why visual ID has to be required
[09:23] <robertj> I mean, can't I just exist as rcaskey@uga.edu?
[09:24] <ajmitch> they prove that you have the key, the email as on that key, and that you actually are the same person as the key claims
[09:24] <Burgwork> because I need to verify that your name is associated with your face
[09:24] <wasabi_> Email is not a secure path to establish initial trust.
[09:24] <wasabi_> A government issued id acceptable, etc.
[09:24] <Burgwork> email is trivially spoofable
[09:24] <ajmitch> passport is somewhat less so
[09:24] <robertj> wasabi: well I could post up on www.music.uga.edu and say <!-- I am responsible for this machine -->
[09:24] <wasabi_> Also, you cannot hold an email address responsible.
[09:25] <wasabi_> So? Somebody could have hacked your server.
[09:25] <wasabi_> Somebody could have hacked your email.
[09:25] <robertj> Somebody could hack my dev box after I had my key signed
[09:25] <wasabi_> true true
[09:25] <cberl1> robertj: at which point, wouldn't you want to get a new key?
[09:25] <wasabi_> And that's why we allow revocation. :0
[09:26] <lophyte> back
[09:26] <Burgwork> ajmitch: that would suck even harder for you, given how hard it is to get out of NZ
[09:27] <ajmitch> Burgwork: why? there are 4 other DDs in dunedin
[09:27] <Burgwork> ah
[09:27] <ajmitch> besides, I lost my laptop & regenerated my key at UBZ, got plenty of sigs there
[09:27] <ajmitch> (thanks siretart) :)
[09:28] <lophyte> hey all
[09:28] <ajmitch> hi lophyte
[09:30] <lophyte> ugh..
[09:30] <lophyte> gnome-pilot has issues
[09:31] <Burgwork> yes, yes it does
[09:31] <lophyte> i was hoping they'd be fixed by edgy
[09:31] <ajmitch> many things weren't fixed by edgy
[09:31] <Burgwork> there was no work, either upstream or in ubuntu for gnome-pilot during edgy
[09:32] <lophyte> is there any other way to sync stuff with my pc?
[09:32] <lophyte> it'd be nice to be able to sync with evolution
[09:32] <Burgwork> opensync, but that doesn't work with evo
[09:33] <lophyte> so I'm pretty much SOL?
[09:33] <wasabi_> Use a server based store. ;)
[09:34] <lophyte> what do you mean?
[09:34] <wasabi_> What you trying to sync? Contacts, calendars, email?
[09:34] <lophyte> calendars and todo lists
[09:34] <lophyte> contacts would be nice too
[09:35] <wasabi_> Well, here is another big thing to put on a todo list.
[09:35] <wasabi_> Exchange. =)
[09:35] <lophyte> ew
[09:35] <lophyte> :P
[09:35] <wasabi_> Or similar set of functionality. =0
[09:35] <lophyte> indeed.
[09:35] <lophyte> put that on our 10 year todo list
[09:35] <wasabi_> yup
[09:37] <cberl1> zimbra has some good functionality that way (just poking my head back here now and then)
[10:01] <lophyte> erghg.. stupid connection
[10:16] <cberl1> What does it mean when you can't get shadow information for a user?
[10:27] <wasabi_> It means you can't get shadow info for him
[10:27] <wasabi_> Which is basically a md5 password hash