[12:06] <stelis> BurgWork: I was thinking about asking for a section on admin-related stuff
[12:06] <stelis> Directory services, the thin client stuff happening around edubuntu, etc.
[12:07] <stelis> There seems to be a lot of interesting stuff happening or coming down the road:
[12:08] <stelis> Hula, iFolder, Samba 4, Xen, Stateless
[12:08] <stelis> etc. etc.
[12:12] <Burgwork> stelis: the rules for the UWN is that anything you write about has to have happened in the past week
[12:12] <Burgwork> that being said a "this week in specs" would rock
[12:13] <stelis> I'll give it a shot
[12:13] <stelis> Is there a link on format, deadlines and so on
[12:15] <Burgwork> UbuntuWeeklyNews can give you the information
[12:22] <stelis> BurgWork: I'll have a think about how to boil the specs down into something digestible, and try to draft something tomorrow.
[12:23] <Burgwork> stelis: part of the issue is that you need to subscribe to every spec basically
[12:24] <Burgwork> there is "RecentChanges" for specs
[12:24] <stelis> Oh?
[12:25] <Burgwork> is no, rather
[12:25] <stelis> Ah
[12:25] <stelis> What I noticed that a lot are just stubs
[12:25] <stelis> And don't get developed
[12:26] <stelis> So it's case of finding the ones that are actually live
[12:28] <Burgwork> the best way is thus: take all the specs approved for mtv
[12:29] <Burgwork> as those need to have been approved by somebody
[12:29] <Burgwork> then subscribe to the wiki pages associated with them
[12:31] <stelis> OK. I'll go through those tomorrow.
[01:07] <wasabi_> abartlet: I'm here.
[01:09] <ajmitch> hi wasabi_
[01:09] <wasabi_> hiya
[01:09] <Burgwork> any fedora experts here? I am tearing out my hair
[01:09] <stelis> Burgwork: semi-expert
[01:09] <Burgwork> where does gdm log auth attempts?
[01:10] <wasabi_> GDM doesn't.
[01:10] <wasabi_> pam does.
[01:10] <wasabi_> auth syslog facility.
[01:10] <wasabi_> Which is usually /var/log/auth
[01:10] <Burgwork> not on FC machines
[01:10] <wasabi_> sucky. ;)
[01:11] <wasabi_> Bet it still does auth facility.
[01:11] <wasabi_> dunno where that goes though
[01:11] <Burgwork> /var/log/secure lists ssh and xscreensaver attempts, but not gdm stuff
[01:13] <nkinder> Burgwork: It should list gdm as well.
[01:13] <nkinder> At least it does on FC6.
[01:13] <Burgwork> heh, nope
[01:13] <Burgwork> FC4 all the way!
[01:13] <Burgwork> no, don't tell me to update. I can't
[01:14] <Burgwork> well, I think it is time for FC4 to die
[01:14] <nkinder> I see gdm logging in there on FC5 too.  I don't have a FC4 box to check.
[01:16] <Burgwork> likely a 4 specific bug
[01:16] <ajmitch> ok, should have a samba 3.0.23c package merged with debian changes tonight
[01:16] <ajmitch> hopefully it can be uploaded by UDS
[01:17] <Burgwork> rock
[01:18] <ajmitch> I'll try & get to the others that we need as well
[01:25] <Burgwork> the world now has one less fedora machine in it
[01:26] <ajmitch> and a kitten lives another day
[01:27] <Burgwork> no, 'cause I will probably be bored later tonight :)
[01:41] <ajmitch> welcome, bmonty
[01:41] <bmonty> hi!
[03:29] <wasabi_> abartlet: Howdy.
[03:54] <nkassi_study> What is the name of the spec that emulates WSUS
[04:00] <Burgwork> nkassi_study: update-server
[04:01] <nkassi_study> thank you
[04:07] <Burgwork> nkassi_study: update-server doesn't cover configuration issues
[04:07] <Burgwork> that is another ball of wax entirely
[04:08] <nkassi_study> why not ?
[04:09] <nkassi_study> if you push down a package how is going to be configured ? Or is simply for updates not for new apps ?
[04:09] <nkassi_study> is IT simply...
[04:09] <Burgwork> update server is exactly that
[04:09] <Burgwork> a method of testing and approving updates
[04:10] <nkassi_study> ok, so where would push down new packages be ?
[04:10] <Burgwork> a configuration server, not yet planned
[04:10] <nkassi_study> ah
[04:10] <Burgwork> all that sort of config stuff should be in some sort of centralized fashion
[04:11] <nkassi_study> Would it not be smart to just extend the update server to serve this function also ?
[04:11] <Burgwork> no, because they are different things
[04:11] <Burgwork> configuration requires an agent on the client
[04:11] <Burgwork> all update-server will do will be to have the sources.list pointed at the update server
[04:12] <Burgwork> ie: no new client
[04:12] <nkassi_study> ok. It makes sense. I will take out the comment.
[05:47] <nkassi_>  Not one post on planet ubuntu about UDS
[05:52] <ajmitch> get blogging!
[06:01] <abartlet_> :-)
[06:02] <ajmitch> now which UDS do you mean? :)
[06:04] <nkassi_> UbuntuDirectory Project in general.
[06:04] <nkassi_> hehe, I can't write. That should be obvious by now.
[06:05] <nkassi_> Plus, I'm not one of the lucky folks whose blogs are on planet ;-)
[06:05] <ajmitch> most people in the wider ubuntu community refer to Ubuntu Developer Summit when talking about UDS
[06:05] <ajmitch> are you not a member yet?
[06:06] <nkassi_> ah true
[06:06] <nkassi_> Nope, never applied
[06:07] <nkassi_> I feel that becoming a ubuntu member requires some commitment ( at least I hope it does)
[06:08] <ajmitch> it does
[06:09] <nkassi_> hehe
[06:09] <nkassi_> My only Ubuntu clame to fame is being in the Ubuntu Below Zero picture ;-)
[06:10] <nkassi_> claim
[06:15] <ajmitch> oh, you were there?
[06:15] <nkassi_> Yeah, I met you but you will never remember me. I was a local
[06:16] <nkassi_> a picture is available here ;-) : nickassis.net
[06:17] <nkassi_> (SHAMELESS PLUG ALERT)
[06:21] <Burgwork> I am in way too deep to be merely "committed" anymore
[06:22] <Burgwork> nkassi_: I remember you
[06:22] <nkassi_> you're entrenched :0)
[06:22] <nkassi_> True I was one of the other canadians ;-)
[06:22] <Burgwork> critical part of the infrastructure? ajmitch is in a similar state
[06:23] <nkassi_> hehe. I noticed after I started reading the wiki and found your and his name everywhere
[06:23] <nkassi_> Is there a refcount somewhere ?
[06:23] <Burgwork> don't know
[06:23] <ajmitch> Burgwork: sorry?
[06:24] <Burgwork> ok, there has got to be a better solution to this
[06:24] <ajmitch> I'm by no means critical
[06:24] <Burgwork> ubuntu requires users be part of several groups for permissions
[06:24] <Burgwork> how do I automate this on all the machines?
[06:24] <ajmitch> nkassi_: I think I vaguely remember you...
[06:24] <ajmitch> Burgwork: as I was talking about with someone today, nested groups would be nice
[06:24] <nkassi_> ajmitch; nice my networking skills are working
[06:25] <Burgwork> I need to write a script to do the adding
[06:25] <nkassi_> wouah.. Nested groups ?
[06:26] <ajmitch> I'll be back soon, walking home
[06:32] <Burgwork> ok, I need to kickstart this
[06:34] <tepsipakki> burgwork: use pam_group
[06:34] <Burgwork> pam_group?
[06:34] <tepsipakki> yes
[06:35] <Burgwork> bloody hell all this stuff is badly documented
[06:35] <tepsipakki> heh
[06:35] <Burgwork> how does pam_group solve my "users on ldap need to be in local system group" issue?
[06:36] <tepsipakki> I have in /etc/pam.d/gdm "auth optional pam_group.so" and then in /etc/security/group.conf is "gdm;*;*;Al0000-2400;floppy,audio,cdrom,plugdev,video"
[06:36] <tepsipakki> works fine
[06:36] <wasabi> that looks familiar.
[06:36] <wasabi> I filed a bug about that ages ago.
[06:37] <Burgwork> tepsipakki: can you email that to my work addy, 'cause it is 10pm here
[06:37] <Burgwork> corey@userful
[06:37] <tepsipakki> sure
[06:37] <Burgwork> thanks
[06:38] <tepsipakki> umm, userful.what?-)
[06:38] <Burgwork> .com
[06:38] <tepsipakki> ah
[06:38] <Burgwork> hence why I want you to email me? :)
[06:39] <Burgwork> what about the giant warning at the top of group.conf?
[06:40] <tepsipakki> true, but is there an alternative?-)
[06:40] <tepsipakki> if you add them to the group anyway
[06:41] <wasabi> The giant warning is pretty clear. If you grant membership, it isn't INHERENTLY secure.
[06:41] <wasabi> Doesn't mean it isn't secure.
[06:42] <wasabi> Granting cdrom access to somebody who works hard enough to make a sgid binary doesn't seem like a real world risk to me.
[06:42] <tepsipakki> I'd say its more secure to use pam_group than to grant access directly..
[06:42] <wasabi> Also, these days, you can probably simply disallow a user to sgid anything.
[06:42] <wasabi> And be fine
[06:43] <ajmitch> hey tepsipakki
[06:43] <wasabi> tepsipakki: I have a thread/bug report someplace about this.
[06:43] <wasabi> I'm trying to find it.
[06:43] <tepsipakki> there was a thread on u-d in spring '05 :)
[06:43] <abartlet_> I prefer the RedHat approach (chown the devices)
[06:43] <wasabi> On login?
[06:43] <abartlet_> yeah
[06:43] <tepsipakki> abartlet: we used that before
[06:44] <wasabi> Sorta screws up multiple logins.
[06:44] <abartlet_> yeah, you have to have one user at a time
[06:44] <wasabi> I don't think there's anything wrong with the pam_group thing at all.
[06:44] <abartlet_> perhaps pam_group fixes that.  It's an interesting approach
[06:44] <Burgwork> which doesn't work when you have multi users on the same machine
[06:44] <wasabi> How would you unchown the items anyways?
[06:44] <wasabi> on pam session close?
[06:44] <tepsipakki> on logout
[06:44] <abartlet_> you need a way to say that sgid to a particular gid is invalid
[06:44] <wasabi> What use is sgid'd binaries these days anyways?
[06:45] <abartlet_> plenty of things
[06:45] <abartlet_>  particularly things that don't want to be setuid root any more
[06:45] <wasabi> Yeah, but why should a USER be able to set that?
[06:45] <wasabi> a !0 user
[06:45] <wasabi> That to me seems like the problem.
[06:46] <wasabi> I like pam_group though, it's automatic, simple, effective, and works in the corner cases. I've been using it. :)
[06:48] <wasabi> https://lists.ubuntu.com/archives/ubuntu-devel/2005-March/006345.html
[06:48] <wasabi> https://lists.ubuntu.com/archives/ubuntu-devel/2005-March/006388.html
[06:48] <wasabi> tepsipakki: Oh shit, that's you
[06:48] <wasabi> Heh
[06:48] <abartlet_> wasabi: did nkinder get onto you about popping by Redhat?
[06:48] <wasabi> abartlet, Nope.
[06:48] <tepsipakki> wasabi: correct :)
[06:49] <wasabi> https://lists.ubuntu.com/archives/ubuntu-devel/2005-April/006747.html
[06:49] <wasabi> I knew I took part in that!
[06:50] <abartlet_> ok, ping nkinder in CA work hours, and have a chat
[06:50] <wasabi> okay, will do.
[06:50] <abartlet_> wasabi: when are you in mountain view?
[06:50] <wasabi> All next week.
[06:50] <abartlet_> they are down on Castro street, for reference
[06:51] <abartlet_> top floor, tallest building :-)
[06:51] <wasabi> Okay cool.
[06:51] <wasabi> Looks like I'll be landing at 2:15PM
[06:51] <abartlet_> and keen to have a chat
[06:51] <wasabi> Sat
[06:52] <Burgwork> tepsipakki: how many users do you have?
[06:54] <wasabi> Searching for your own name on Google is really crazy sometimes.
[06:56] <nkassi_> Wow searching my name returns my website as number 1. I'm awesome ;-)
[07:04] <nkassi_> Anybody played with SSLBridge ?
[07:04] <nkassi_> the samba web client ?
[07:08] <Burgwork> ok, I think I am finally fracking done
[07:08] <Burgwork> I will see you gents all tomorrow
[07:14] <tepsipakki> burgwork: well, active users maybe 12000
[07:19] <tepsipakki> and over 21000 if you count them all
[07:21] <tepsipakki> umm, actually only 4666 accounts are disabled, so that makes roughly 17000 active :)
[07:22] <tepsipakki> and ~10% of them use our linux-workstations weekly (we have graphs to prove that :)
[07:29] <ajmitch> Burgwork: so ogra doesn't seem so happy with progress so far
[07:29] <Burgwork> no, understandably
[07:29] <Burgwork> we wants a solution that works, not more talk
[07:29] <Burgwork> s/we/he
[07:31] <robertj> uhoh, trouble in -directory land?
[07:32] <ajmitch> not really
[07:33] <ajmitch> ogra just needs something that works by feisty feature freeze
[07:33] <ajmitch> it's critical for edubuntu
[07:37] <Burgwork> yep
[07:37] <robertj> ajmitch: on the server end?
[07:37] <Burgwork> he has a solution in mind, which none of us have ever heard of
[07:37] <Burgwork> common that certain markets have their own hacky stuff
[07:38] <robertj> Burgwork: got any info on that?
[07:38] <Burgwork> smbldap is the thing
[07:38] <ajmitch> smbldap
[07:38] <ajmitch> http://sourceforge.net/projects/smbldap-tools/
[07:39] <ajmitch> basically scripts to manage ldap+samba
[07:39] <robertj> ajmitch: so samba doesn't use ldap as its store?
[07:39] <ajmitch> samba 3? no
[07:40] <robertj> I thought that was a backend option
[07:40] <ajmitch> not by default
[07:40] <ajmitch> sure it's an option for it
[07:40] <Burgwork> for 4 they have a custom ldap server
[07:40] <ajmitch> it's not integrated like with 4
[07:40] <ajmitch> custom ldap server because openldap Just Sucks
[07:41] <robertj> ajmitch: so err...crappy directory now, better directory later?
[07:41] <ajmitch> guess so :)
[07:41] <nkinder> Samba4 will still have the option to use a different LDAP server as its backend.
[07:42] <ajmitch> nkinder: I guessed it would
[07:42] <ajmitch> good to know for sure though
[07:42] <Burgwork> http://www.majen.net/smbldap/
[07:42] <nkinder> The built-in one (ldb) will just be used by default.  The main reason is that AD does lots of odd things which Samba4 needs to mimic.
[07:42] <robertj> why are there specific tools for managing samba ldap accounts?
[07:42] <ajmitch> smbldap really isn't much of a directory
[07:42] <ajmitch> robertj: because it's a hack
[07:43] <robertj> ajmitch: Apple's OpenDirectory is a hack, but is only nominally sucky
[07:43] <ajmitch> most things are hacks
[07:44] <Burgwork> ajmitch: is that smbldap thing even an ldap server?
[07:46] <ajmitch> no, it's configuration & some scripts to manage it
[07:46] <ajmitch> http://smbldap-tools.cvs.sourceforge.net/smbldap-tools/software/
[07:46] <ajmitch> there's the entirety of it
[07:47] <ajmitch> assuming this is the same cvs, and not just some additional scripts
[07:47] <robertj> the .tar.gz has some other utility scripts
[07:47] <robertj> for bulk add, delete, backup configuration
[07:47] <Burgwork> are we certain we are looking at the same thing
[07:47] <Burgwork> http://www.majen.net/smbldap/
[07:47] <Burgwork> that is what ogra is talking about
[07:48] <ajmitch> yes, there is some definite overlap of files
[07:48] <ajmitch> the tarball also has some pam config, slapd config, schema, etc
[07:48] <ajmitch> all perl
[07:49] <ajmitch> the scripts, that is
[07:49] <robertj> so what are his requirements for edubuntu?
[07:49] <robertj> are they enumerated anywhere?
[07:51] <ajmitch> in all the specs
[07:54] <robertj> "Set up edubuntu LTSP servers and Workstations to automatically authenticate against a edubuntu auth server, via the right pam setup and possible avahi integration for server detection."
[07:55] <robertj> Properly integrate http://www.majen.net/smbldap/ which is used widely in k12LTSP setups for user and group management into edubuntu.
[07:55] <robertj> Package and install http://edsadmin.sourceforge.net/ as maintenance tool for the above server setup.
[07:56] <ajmitch> https://wiki.ubuntu.com/UdsMtvEdubuntu
[07:56] <ajmitch> so 5 of our specs are on the edubuntu wishlist
[07:56] <ajmitch> some overlap with edubuntu-network-auth-{client,server}
[07:57] <Burgwork> eds is somewhat similar to lat and gq
[07:58] <robertj> I poked at it about a year back I think
[07:58] <ajmitch> we don't really have much specced about user/group management
[08:00] <nkinder> Has the Ubuntu Directory Project decided on an LDAP server yet?
[08:22] <wasabi_> nkinder: Hi. No. I suspect we won't for a long time.
[08:22] <wasabi_> Just my opinion though.
[08:22] <nkinder> wasabi_: So the project is at a very early stage then?
[08:22] <wasabi_> Very very. I have a big document which I'm working on, and a plan of execution.
[08:23] <wasabi_> But nobody except my business self to implement it.
[08:23] <wasabi_> s/business/busy/
[08:23] <wasabi_> nkinder: I'll be at UMV. abartlet said I should visit you.
[08:23] <nkinder> Yes, he said that you'll be out here next week.
[08:24] <wasabi_> https://wiki.ubuntu.com/NetworkAuthentication/Client    My lengthy dissertation.
[08:25] <nkinder> wasabi_:  Will you have some time to swing by and chat with a few of us?
[08:25] <wasabi_> I'll be rewriting a large portion of the middle of that though, so it's not exactly accurate.
[08:25] <wasabi_> Yeah, I should.
[08:25] <wasabi_> Unsure how I'll actually get there though.
[08:26] <nkinder> We are right by public transit (train and lightrail).
[08:26] <wasabi_> Nice.
[08:26] <wasabi_> Have a phone number or something? =)
[08:26] <ajmitch> wasabi_: nobody, because we're all just chopped liver, right? ;)
[08:27] <wasabi_> ajmitch: Don't mean it that way. I just mean that, all of us have real lives... and other priorities, and even then, client work to do.
[08:28] <nkinder> wasabi: 650.567.9039 x79229
[08:28] <wasabi_> Also I think the total number of people here who have expressed interest in whatever C work needs to be done (which is substantial IMO) is like 3. =)
[08:28] <nkinder> Nobody likes to sign up for C work ;)
[08:29] <wasabi_> nkinder: What should I call you? :)
[08:29] <robertj> nkinder: who is "us"?
[08:29] <ajmitch> I just love it to death
[08:29] <nkinder> Nathan (Red Hat).
[08:29] <robertj> so wasabi, ajmitch, who is the third person?
[08:29] <nkinder> I work on the Fedora Directory Server.
[08:29] <robertj> ahh
[08:29] <robertj> nkinder: the evil suits!
[08:29] <robertj> ;P
[08:29] <ajmitch> nkinder: ah, wonderful
[08:30] <wasabi_> robertj, good question. I may have overestimated. ;)
[08:30] <ajmitch> nkinder: how's the autotoolification of it going, so that it's a bit easier to build?
[08:30] <nkinder> Been working on it for 6 years, well before it was the "Fedora" directory server.
[08:30] <nkinder> I just finished the autotools work
[08:30] <ajmitch> sweet!
[08:30] <nkinder> HEAD has it all checked in.
[08:30] <ajmitch> so now I just need to try & get it building with system libraries, and attempt to get it packaged
[08:30] <ajmitch> no problem.. ;)
[08:31] <nkinder> Some of the components we depend on still need some build-system work, but we're working through it.
[08:31] <nkinder> Well, we split out the Administration Server portion, so a core directory server is buildable with much fewer dependencies.
[08:32] <ajmitch> this might be manageable by feature freeze now
[08:32] <wasabi_> I still have yet to even look at FDS, mostly because it isn't easily accessible on Ubuntu right now.
[08:32] <robertj> nkinder: frontend tools being rewritten in XUL?
[08:32] <wasabi_> I have a lot of questions about it though.
[08:32] <nkinder> wasabi_: We're trying to resolve that.
[08:33] <ajmitch> alien doesn't really make things accessible for people wanting to use it
[08:33] <nkinder> The autotools work is a huge part of that.
[08:33] <ajmitch> nkinder: we really appreciate work done on that
[08:33] <nkinder> robertj:  Not yet, but that's been suggested.  XUL can do some pretty cool things.
[08:33] <wasabi_> Heck. I'd be satisfied with Java.
[08:33] <wasabi_> If ya just used java-gnome. ;0
[08:34] <wasabi_> And worked on gcj.
[08:34] <nkinder> ajmitch:  Thanks.  I'd like to know any problems you run into with it.
[08:34] <nkinder> wasabi_: That's more than most people would say.  Most people want to get as far away from Java as possible.
[08:35] <wasabi_> Doesn't matter to me.
[08:35] <wasabi_> Language is a language is a language
[08:35] <ajmitch> what do most people prefer instead?
[08:35] <wasabi_> As a user, as long as it works.
[08:35] <wasabi_> And looks right, I don't care.
[08:35] <robertj> nkinder: that's true, but if you're going to not be 100% native, there is a lot of advantage in going web-based so that you could use it from <cring /> ie
[08:35] <nkinder> wasabi_: Once you know your availability when you're out here, send me an e-mail and let me know (nkinder<at>redhat.com).
[08:35] <wasabi_> I will.
[08:35] <nkinder> robertj: Personally, I like the web-based approach.
[08:35] <wasabi_> I don't. =(
[08:36] <wasabi_> I like AD U&C MMC, so sue me. It's quick. Things open in new windows. It looks like the rest of the OS.
[08:36] <wasabi_> There's value in that.
[08:37] <nkinder> We've heard arguments for both sides (a fat-app and web-based).  I certainly don't dislike the fat-app approach either.
[08:37] <wasabi_> I also find them easier to code.
[08:38] <wasabi_> Opening a new window, filling it with controls, doing proper text layout with accessibility? Super easy.
[08:38] <wasabi_> Web? Just try to open a new window on every browser. ;)
[08:38] <nkinder> Perhaps both a fat-app and a more-basic web-based administration tool.
[08:38] <wasabi_> A java-gnome Gtk, or python gtk, or c# gtk... whatever. All of those run on Windows just fine.
[08:38] <robertj> nkinder: I do Apple's Open Directory here and use phpldapadmin when I need a quick fix from home and the carbon app when I'm at my desk, works well
[08:39] <nkinder> robertj:  You run OpenDirectory, or you work on it at Apple?
[08:39] <robertj> just run it
[08:39] <nkinder> ah, ok.
[08:42] <ajmitch> nkinder: you're in MV?
[08:43] <nkinder> ajmitch: Yeah.
[08:44] <wasabi_> RH has a shop there.
[08:44] <ajmitch> great, hopefully we can catch up
[08:44] <wasabi_> nkinder: Going to stop by UMV?
[08:45] <robertj_> ooh, unprovoked hard shutdown with nothing in the logs, joy
[08:46] <nkinder> wasabi_: I don't know that I'll be able to get away to head over there.
[08:47] <nkinder> Are there going to be discussions about the Ubuntu Directory Project going on there?
[08:47] <ajmitch> yes
[08:47] <ajmitch> a few specs being discussed
[08:47] <nkinder> Is there a schedule?
[08:47] <ajmitch> not yet
[08:47] <ajmitch> that probably won't be there until we start, sadly
[08:48] <nkinder> hmmm
[08:50] <nkinder> I may be able to pop in, but I'm not sure at this point.
[08:50] <ajmitch> ok
[08:50] <nkinder> I'd primarily be interested in the directory related discussions, so if I can find out when those are, that'd help.
[09:12] <ajmitch> nkinder: sure, once we find out I'll try & let you know
[11:55] <ajmitch> so, http://www.novell.com/linux/microsoft/faq.html
[11:56] <ajmitch> "Microsoft and Novell will undertake work to make it easier for customers to manage mixed Windows and SUSE Linux Enterprise environments and to make it easier for customers to federate Microsoft Active Directory with Novell eDirectory."
[11:56] <ajmitch> that's interesting to hear