[03:01] <pushpop> any1 around
[03:04] <Burgundavia> pushpop: yep
[06:48] <BFTD> hey
[06:48] <BFTD> how do I use make-kpkg
[06:48] <BFTD> >
[06:48] <BFTD> is it like
[06:49] <BFTD> sudo make-kpkg kernel_name ?
[07:01] <Burgundavia> BFTD: feisty?
[07:01] <BFTD> yes
[07:03] <Burgundavia> it does use kpkg
[07:14] <BFTD> make: *** No rule to make target `menuconfig'.  Stop.
[07:14] <BFTD> I get that error
[01:29] <fernando> moin all
[03:38] <jdstrand> dendrobates, I read the "time to get onboard" email on ubuntu-server the other day.  I have a question regarding LDAP authentication.
[03:39] <jdstrand> dendrobates, I have been working with kerberos (heimdal) and ldap for an authentication/authorization system, and have some ideas regarding how this could be implemented with ubuntu-server.
[03:40] <jdstrand> dendrobates, I'd like to know what type of authentication/authorization system you are hoping to authenticate with.
[03:42] <jdstrand> dendrobates, obviously, there are many choices in how to go about this, but I was thinking that if you had a long-term goal of providing an authentication/authorization server (eg apt-get install auth-server), then the client packages could be tailored towards that.
[03:42] <jdstrand> dendrobates, they would of course be adjustable to work with other systems.
[03:46] <jdstrand> dendrobates, my current feeling is that for maximum security, kerberos is used for authentication, and ldap for authorization.  That way sensitive information can be left out of the LDAP server.
[03:48] <jdstrand> dendrobates, I am currently using this setup on a small LAN with workstations and laptops, and it is working fairly well.
[03:49] <jdstrand> dendrobates, I say fairly, because there a couple of small issues with disconnected users, when the user is on a network, but can't reach the auth server (it works, but is slow).
[03:51] <jdstrand> dendrobates, anyway, bottom line, I have gone through the ldap/kerberos maze and understand what needs to be done and would like to help.
[03:51] <jdstrand> dendrobates, interestingly, with a few backported packages from feisty, you can get all this to work on dapper too.
[03:52] <dendrobates> jdstrand: the current spec just wants to put some basic packages together.
[03:53] <jdstrand> dendrobates, as in something like 'apt-get install auth-client'?  Then it gets all the required packages, but lets the user configure them as needed?
[03:54] <dendrobates> jdstrand: kerberos is something that needs to be tackled, but it is a Gutsy+1 issue, *hopefully* 
[03:55] <dendrobates> auth-client would depend on ldap-auth-client-config, which would use debconf
[03:56] <dendrobates> I do plan on a ldap-authentication-server eventually.
[03:58] <jdstrand> dendrobates, so you want to leave out kerneros entirely for now?
[03:58] <jdstrand> s/kerneros/kerberos/
[03:59] <dendrobates> jdstrand: only because of the timeline for gutsy.
[04:02] <jdstrand> dendrobates, I guess what I am really getting at is that the whole LDAP/Kerberos thing is complicated, and there are many, many ways to implement it, and perhaps targetting a long term goal for some of the short term goals, would make some of the work easier.
[04:03] <ScottK> jdstrand: Do you have some short term goals that have very little risk of impacting something else that you can suggest?
[04:03] <jdstrand> dendrobates, eg if we knew we wanted an UbuntuDirectory typoe of thing, we oculd work on kerberos and LDAP and have the client packages bring in everything for that.
[04:04] <jdstrand> my personal short term goal would be to have kerberos (better) supported in gutsy.  The pieces are there in feisty (eg, no patches are needed AFAICT so far)
[04:06] <jdstrand> The issue is that pam and nss need to be adjusted in different ways depending on if you are authenticating against ldap or kerberos.  I was just trying to see if there was a long term goal for the authentication/authorization server, we could save some time on the client stuff.
[04:07] <jdstrand> cause the client packages would be looking to work with the authentication server
[04:07] <jdstrand> as an aside, better supporting kerberos should allow for easier use of ubuntu with AD.
[04:07] <dendrobates> jdstrand: I have the idea that once we do the ldap-client portion, we can use that as a model to do the rest.
[04:08] <ScottK> I think now is the time to be defining the long term goals, but I just got here too.
[04:09] <soren> 3/win 22
[04:09] <soren> Um...
[04:09] <jdstrand> dendrobates, hmmm... but there are so many client choices.  Would you agree that if we had an idea of the type of authentication server that was to be implemented, it might make it easier to define the client?
[04:11] <jdstrand> dendrobates, because if we say to define an ldap client, that makes a presupposition that down the line passwords will be stored in ldap.  Maybe that is what is wanted, but maybe it isn't.
[04:11] <dendrobates> jdstrand: I don't think we can assume we will be connecting to an ubuntu server, we should try to support the most common use cases in businesses first.  imho
[04:11] <jdstrand> dendrobates, this means extra work and configuration for single sign on
[04:12] <jdstrand> dendrobates, I absolutely agree with your last comment.
[04:12] <jdstrand> dendrobates, what do you see as the most common use cases?
[04:13] <jdstrand> dendrobates, which really gets back to my original question...
[04:13] <ScottK> Which is why it's convenient that one of the steps in writing an Ubuntu spec is defining the use cases...
[04:14] <dendrobates> jdstrand: AD for sure, than perhaps NDS, SUN, or redhat's openldap,  I'm not totally sure
[04:14] <jdstrand> dendrobates, for AD, you will need kerberos...
[04:15] <jdstrand> dendrobates, at least, as I understand it
[04:15] <dendrobates> ScottK, that is certainly true.  The only reson this spec is so narrow, is because I want to be able to complete something for Gutsy.  I expect this to be rolled under a more comprehensive spec later
[04:16] <ScottK> Right.  I wasn't suggesting changing the current spec, just start writing the comprehensive one.
[04:17] <jdstrand> perhaps then it would be good to have somehting like: auth-client-redhat, auth-client-nds, auth-client-ad, auth-client-sun, auth-client-ubuntu
[04:18] <jdstrand> perhaps all of those don't need to be separate, but you get the idea
[04:19] <jdstrand> perhaps those are separate packages, or separate debconf choices..
[04:20] <jdstrand> i am just brainstorming here
[04:20] <dendrobates> that is kind of what I have in my head.  perhaps an external program that will for the /etc/pam.d config stuff, for debconf, like we do for inetd
[04:20] <ScottK> User response would, of course, be: I don't want to pick.  I want it all.
[04:20] <jdstrand> user can't always get what he/she wants  :)
[04:21] <ScottK> Very true.
[04:21] <jdstrand> seriously, I don't know all their implementations, but certainly you can't have work with AD and straight LDAP simultaneously
[04:22] <jdstrand> perhaps down the road some sort of authentication profile could be in place, maybe with hooks in network manager or something, but not for this
[04:22] <jdstrand> that is not a bad idea actually...
[04:22] <jdstrand> but still not for this
[04:24] <jdstrand> dendrobates: well with what you described, there is nothign saying there couldn't be a auth-client-kerberos package/debconf option
[04:29] <jdstrand> dendrobates, when you said 'like we do with inetd', are you talking about 'update-inetd'?
[04:31] <dendrobates> just the fact that inted uses a separate app to do that.
[04:32] <jdstrand> dendrobates, has work been started on any of this?
[04:32] <jdstrand> eg has that app been started?  a preliminary package put together?
[04:43] <jdstrand> dendrobates, just thinking I could look at what has been started and jump in
[04:47] <nealmcb> I'm on the road, haven't read all of this conversation and have to take off now, but I'm very interested in helping make ubuntu authn work well, including kerberos et al.  Thanks, jdstrand and all.  And dendrobates, I'll chime in on your email question also probably tomorrow when I get home....
[04:53] <nealmcb> talk to you later
[10:09] <necrite_> hi
[10:11] <necrite_> anyone here use NFS with one rw directory with more than 500g?
[10:11] <ivoks> i do
[10:12] <ivoks> i think i do... let me check
[10:12] <ivoks> yes, i do
[10:13] <necrite_> lol
[10:13] <necrite_> how many g?
[10:13] <padwan> 990G
[10:13] <necrite_> OMG
[10:13] <ivoks> 2T
[10:13] <necrite_> :D
[10:13] <necrite_> oks oks 
[10:13] <necrite_> :D
[10:13] <ivoks> 2,3 to be exact :)
[10:13] <necrite_> lol
[10:29] <jdstrand> dendrobates, I started scripting auth-client-config today
[10:29] <jdstrand> dendrobates, I thought it should be named auth-client-config instead of ldap-auth-client-config, since it doesn't have to be just for ldap
[10:30] <miles> what is the name of the tool that installs lamp for you on ubuntu-server?
[10:30] <Burgundavia> miles: tasksel
[10:30] <miles> thanks
[10:30] <dendrobates> jdstrand: I created the package last week.  It should be available soon.
[10:30] <jdstrand> dendrobates, right now it can update nsswitch.conf with rudimentary settings for ldap and kerberos
[10:30] <jdstrand> you wrote ldap-auth-client-config?
[10:31] <jdstrand> dendrobates, the script that will be used to actually update nsswitch.conf and pam?
[10:32] <jdstrand> dendrobates, or whatever you are calling it.  you wrote it already
[10:32] <jdstrand> dendrobates, ?
[10:34] <dendrobates> jdstrand: I created the meta package only that depends on the other packages.
[10:34] <jdstrand> dendrobates, whew-- I thought I just wasted a bunch of time.  :)
[10:34] <dendrobates> jdstrand:  What are you writing it in?  debconf?
[10:35] <jdstrand> dendrobates, no-- the script that will actually do the legwork of updating nsswitch.conf and pam
[10:35] <jdstrand> dendrobates, ie, the update-inetd equivalent for auth-client (or whatever you named it)
[10:35] <dendrobates> I am going to create another package, ldap-auth-config, that will own ldap.conf and nssswitch.conf.
[10:36] <dendrobates> The script should also be in that package.
[10:36] <jdstrand> dendrobates, ok.  but isn't nsswitch.conf in base-files?
[10:36] <ajmitch> hi
[10:36] <dendrobates> ajmitch: hi
[10:38] <ajmitch> dendrobates: so you're going ahead with your plans for the client configuration
[10:38] <jdstrand> dendrobates, well, I keep plugging away at it, it won't care who owns the files.
[10:38] <dendrobates> ajmitch: it is not really client configuration.
[10:39] <ajmitch> right, ldap-auth-client-config just seems to imply that
[10:39] <dendrobates> ajmitch: I am trying to fix libpam-ldap and libnss-ldap.
[10:39] <ajmitch> a worthy goal
[10:40] <jdstrand> dendrobates, the nsswitch.conf part is working well so far, and I have the infrastructure to update other files, so adding pam in won't be too hard.  I should have something in a few days (at most).
[10:40] <dendrobates> That is intended to pull functionality out of the current packages and put it in a central package.
[10:40] <jdstrand> dendrobates, what are you chaning in libpam-ldap and libnss-ldap?
[10:40] <dendrobates> It is not intended to be a cli or gui.
[10:41] <ajmitch> meeting is 15:00 UTC, right?
[10:41] <dendrobates> look at the design section of https://wiki.ubuntu.com/LDAPAuthentication
[10:42] <ajmitch> s/design/implementation/ I hope
[10:43] <dendrobates> yeah ;)
[10:44] <dendrobates> Just so you know, I'm functioning at about 15% of brain capacity today due to jet lag.  I will make more sense tomorrow.
[10:44] <ajmitch> just got back from london?
[10:45] <miles> I am about to try and install subversion, i have installed apache2, subversion, and libapache2-svn
[10:45] <dendrobates> ajmitch: I read your spec and looked at the code, and I don't think these are conflicting projects.  I want to fix the packages.  You want to provide a ui.
[10:46] <ajmitch> yes, most of what I wrote was code to handle mangling pam & nsswitch.conf
[10:46] <ajmitch> which doesn't matter what pam or nss modules are used
[10:47] <ajmitch> if there are useful interfaces for managing ldap configuration, etc, I'm all for it
[10:47] <dendrobates> ajmitch: We should have a discussion on another day, about what functionality should be where.  what dpkg-reconfigure should do and what auth-tool should do.
[10:47] <ajmitch> definitely
[10:48] <ajmitch> it was useful to be able to poke stuff into debconf & use dpkg-reconfigure krb5-config
[10:48] <dendrobates> I'm just too out of it today to be useful.
[10:48] <ajmitch> we may be able to find a more suitable timezone then :)
[10:51] <miles> Question - is there a major difference between htpasswd2 and htpasswd?
[10:51] <dendrobates> that's right you are on the other side of the world.
[10:52] <ajmitch> which is why I doubt I'll be at the meeting at 3AM local time
[10:52] <miles> im following this tutorial on setting up subversion with apache on ubuntu, it says use "htpasswd2 -cm yadda yadda" but i dont have htpasswd2
[10:53] <miles> and its not in ubuntu repository
[10:53] <miles> so is it ok to use htpasswd or am i missing something?
[10:53] <ajmitch> most likely it's just renamed for apache2, use htpasswd
[10:53] <miles> k thanks
[10:54] <dendrobates> falling to sleep again.  I'll check back in a few.
[10:55] <ajmitch> ok, see you later
[11:27] <Innatech> So, I've run into an odd situation. I'm building a custom router. I have two 8GB CF cards fake-raided as a mirror. The mirror is subdivided into boot and root partitions. I then have two 2GB USB pendrives. The first holds /var , /etc , and /tmp and the second is swap. Dapper installs cleanly, but on the first reboot it cannot find an INITAB and stalls out with a runlevel: prompt. Where did I fail? 
[11:28] <ajmitch> you can't have /etc separate from /
[11:28] <Innatech> ah. Easy enough. Thanks! 
[11:35] <miles> ajmitch, did u make that up?
[11:35] <ajmitch> miles: no?
[11:36] <miles> o, im just wondering how you knew that, thats amazing!
[11:36] <ajmitch> there's no way that the partition with /etc can be mounted, given that you need /etc/fstab to get to it
[11:36] <miles> logic, nice
[11:36] <ajmitch> and to get to that point, you need the init scripts that are on /etc
[11:37] <miles> yea
[11:37] <miles> i feel like luke skywalker when obi-wan told him he just took a step into a bigger world
[11:58] <Innatech> yup, same sort of feeling here. I should have realized the problem, but at least I know I'll never do that again. 
[11:59] <Innatech> I'll have to script something on login to do what I want, which totally makes sense.