[00:02] <owh> This might turn into a question that's too big for IRC, but I'm unsure where to start. I need to provide SSO for a small business. They're going to be using Google Apps as their email/calendar and the workstations are running Windows. Currently it's all peer to peer, but I need to centrally manage their installations. There's a Ubuntu 8.04 File/Print server...
[00:03] <owh> I want the implementation to be Ubuntu based. I'd like them to have roaming profiles and I'd like it all to be centrally manageable. I like Google's UI for managing users and it seems to make sense to re-use that.
[00:03] <owh> Am I reaching for the moon?
[00:44] <icarus_squared> what kernel does 9.04 SE come with?
[01:32] <fbc-mx> Is there an easy way of running a command recursively on every directory under the one I'm in?
[01:33] <fbc-mx> Oops I meant "IN every directory"
[01:36] <owh> fbc-mx: Use the find command. What are you trying to do?
[02:59] <qman__> owh, It's certainly doable, but it'll take a lot of work. There's also not a lot in the way of documentation for creating complete solutions like that. You're going to need Samba at the very least, and probably openldap or kerberos
[03:03] <qman__> I'm all for open source, but there's something to be said for the simplicity of setting up Active Directory. Getting a working Linux domain controller is pretty difficult.
[03:04] <twb> It kinda helps AD that Microsoft wrote the standards that you're talking about.
[03:04] <qman__> That too, though it does help us that they used Kerberos
[03:04] <twb> They use Microsoft Kerberos.
[03:05] <twb> It's extended in some way that I forget the details of, though they did publish an RFC documenting it
[03:05] <sommer> twb: yep, and I believe that mit kerberos 1.7 will have much of their custom stuff
[03:06] <qman__> Samba 4 should make things a lot easier when it finally comes out
[03:13] <owh> I *really* don't want to install a Windows server in this network, just so I have an AD. I might as well format the HDD on the Linux server and give them an all Windows solution.
[03:14] <owh> Next, I'll remove Thunderbird, Firefox and OO.org and throw them right back into the stone-age :)
[03:15] <owh> Imagine for a moment that I didn't say SSO with Google, does that change the picture any? How do real networks without Windows to central authentication?
[03:15] <owh> Uh, that should read: "How do real networks without Windows do central authentication?"
[03:17] <sommer> owh: I use openldap
[03:18] <sommer> owh: but to take advantage of Google's SSO facilities, I imagine you'll need to write some type of pam plugin to talk to google over the net
[03:18] <sommer> owh: are you talking about using a web based application for machine authentication?
[03:18] <owh> No.
[03:19] <owh> I want them to talk to the samba server which is currently a peer, but will become a domain controller.
[03:19] <owh> s/talk/authenticate/
[03:19] <owh> I'd like the samba server to get credentials from somewhere else.
[03:20] <sommer> owh: ah, that's not that hard then... you'll need to configure samba as a domain controller, and the easiest thing is configure samba to get users from ldap
[03:20] <sommer> owh: there's information in the serverguide for setting samba up with ldap, and as a DC
[03:20] <sommer> owh: I am also migrating to Google Apps, and the SSO stuff is on the todo list
[03:20] <owh> Yeah, I'm aware of the docs for that. What I haven't figured out is how their local person can manage accounts using that.
[03:21] <sommer> at this time there isn't a great single solution for that... but there are gui tools to manage an LDAP directory, phpldapadmin, lat, etc
[03:22] <sommer> also from the command line smbldaptools will tweak user settings
[03:22] <owh> I've lookes at most if not all of those, but they all expose the innards of LDAP, which is highly obnoxious to a simple user.
[03:22] <owh> s/lookes/looked/
[03:23] <sommer> agreed, but AFAIK there isn't a simple gui tool to do everything you'd like
[03:23] <sommer> err without exposing LDAP anyway :0
[03:23] <owh> I'm happy to assist in an integrated Google SSO solution. From what I've read thus far, it's really there to provide local authentication to a remote Google Application. Not quite what I need.
[03:24] <owh> I really don't want to have to provide all manner of sync tools and password change things - yuk.
[03:24] <sommer> there was a lot of discussion at the last UDS for a central directory solution, and the plan is to use the adduser scripts for LDAP management
[03:25] <owh> That's probably going to help making it possible to manage the users through the existing Ubuntu User GUI Admin Tool
[03:25] <sommer> it should :-)
[03:25] <owh> So, I'm a decade too early then :)
[03:26] <owh> Ok, so, how does a large - say SUN - installation do this?
[03:26] <owh> I mean, I cannot believe we're the first to tread this ground.
[03:26] <sommer> I imagine their own admin tools
[03:27] <owh> So is everyone else just cobbling together all little bits and pieces with their own little scripts?
[03:27] <ajmitch> all the pieces are there - the bits to tie them together & manage them aren't
[03:27] <sommer> that's the consensus I've come up with... from being around multiple admins
[03:27] <ajmitch> and it's those management tools & ways of setting things up that take a significant amount of time
[03:28] <owh> Yup
[03:28] <sommer> right you pretty much expose no LDAP innards, or all of them
[03:28] <sommer> and if you don't expose them you're locked into a certain tree configuration... which may or may not be a bad thing
[03:29] <owh> So how does AD deal with that? I cannot imagine the MCSE's I know doing any thinking of their own.
[03:29] <owh> Point - click - hunt - click - hunt - whoops - click - fixed.
[03:30] <owh> Or is that unfair?
[03:30] <ajmitch> because a lot of things on the client & server are preconfigured in the case of AD
[03:30] <sommer> AD locks you into their directory layout
[03:30] <ajmitch> s/a lot/nearly everything/
[03:30] <sommer> it's really hard to add attributes in AD for example
[03:31] <sommer> well once you do the pretty GUI admin tools won't know about your changes
[03:32] <owh> I read/skimmed the LP blueprint on some of this. I didn't really understand the concerns raised about example.com vs example, etc.
[03:32]  * owh is hunting for the URL
[03:32] <ajmitch> flexibility is both the best & worst thing about what we have
[03:33] <owh> Never a truer word has been spoken.
[03:33] <owh> The URL: https://blueprints.launchpad.net/ubuntu/+spec/ldap-defaultdit-usergrp-mgmt
[03:33] <owh> There is nothing wrong with making a choice. Ubuntu is a good example of that, u-s, ditto.
[03:33]  * ajmitch spent a little bit of time looking at this in the past
[03:34] <ajmitch> but not enough to suggest an easy way out :)
[03:35] <owh> Well, one comment in that page was to use the ubuntu-server survey to determine a starting point. SOHO was indicated by I'm guessing nijaba.
[03:36] <ajmitch> yep, that's the sort of target market I'd like to look at
[03:36] <ajmitch> since NZ is full of small businesses
[03:36] <owh> It's a good starting point. You can argue that a big organisation is a collection of SOHO's anyway.
[03:37]  * owh didn't know you were in NZ.
[03:37] <ajmitch> yep, in Dunedin enjoying the snow today
[03:37] <ajmitch> you'll be coming to LCA next year I hope?
[03:37] <owh> Details?
[03:38] <ajmitch> late january in wellington
[03:38] <owh> Sounds like an interesting idea.
[03:38] <ajmitch> http://www.lca2010.org.nz/
[03:38] <owh> Hmm, a very interesting idea indeed!
[03:39] <ajmitch> I'm just talking to one of the organisers now in our LoCo channel who wants people to talk about the sort of things you're asking
[03:39] <owh> Channel?
[03:39] <ajmitch> irc channel, the usual #ubuntu-nz
[03:40] <ajmitch> but we'll need someone able to talk on such things
[03:40] <owh> Well some of the time, if not most of the time, the problem is not writing the code. The problem is defining the problem.
[03:40] <owh> Design, Design, Design.
[03:41] <owh> And some coding on the side :)
[03:41] <ajmitch> of course
[03:44]  * ScottK works on some complex projects where the cost is 50% design, 20 % code, 30% testing and they don't test nearly enough.
[03:45] <owh> One of my colleagues is the testing manager for a bank - he agrees :)
[03:47] <owh> In a previous life I was a multi-media developer, design was 85%.
[03:50] <twb> owh: it probably doesn't help that he's writing in COBOL on an AIX
[03:51] <owh> You have no idea how funny that is twb. Lemmie tell you a little anonymised story.
[03:52]  * twb cowers
[03:52] <twb> "I work for an investment bank.  I have dealt with code written by stock exchanges.  I have seen how the computer systems that store your money are run.  If I ever make a fortune, I will store it in gold bullion under my bed."  -- Matthew Crosby
[03:53] <owh> An organisation bills $1million per day. It's a telco. Their billing software runs on a VAX cluster. VAXen are no longer made. They do not have infrastructure or resources to run an old system and a new system side-by-side to trial a new system. Their solution was to virtualise their hurd of VAXen.
[03:53] <twb> owh: ever seen the emulation layers necessary to run a Lisp Machine on AMD64 hardware?
[03:54]  * owh shudders.
[03:54] <owh> That's like emulating a PDP-11 on a 6502 running virtually.
[03:54] <ajmitch> on such things empires are built
[03:54] <twb> lispm -> genera -> alpha -> powerpc (ivory) -> os x
[03:55] <owh> twb: Where's the AMD64 in that?
[03:55] <twb> os x runs on AMD64 CPUs now
[03:55] <owh> Didn't know that.
[03:55] <twb> Apple dropped PowerPC years ago
[03:55] <owh> I thought it was all Intel.
[03:55] <twb> (Note that 64-bit Intel CPUs are AMD64 architecture.)
[03:56] <owh> Ah
[03:56]  * owh is waiting for a shiny 17" MacBook to arrive.
[03:57] <owh> This is so I can finally virtualise things again - bleh.
[03:58]  * ScottK has been bitten by "Don't worry, we're emulating the old environment so the software won't even know the difference."
[03:58] <owh> Details?
[03:58] <owh> They don't have to be sordid :)
[04:00] <owh> So, if integrated SSO is not ready for prime-time like discussion seems to indicate. What would be a smart way to start down the road so past investments don't end up being thrown out with the bathwater?
[04:03] <ScottK> It didn't go well.
[04:03] <owh> What kind of issues were there?
[04:03] <ScottK> Except for timing and I/O the emulation worked fine.
[04:04] <owh> You mean internal clocks etc?
[04:04] <ScottK> Yes
[04:04] <ScottK> It was essentially hand built assembly language, so it mattered.
[04:04] <owh> When virtual time and real time don't match - fun.
[04:05] <ScottK> That and timing mattered for some of the pieces it was integrated with.
[04:05] <ScottK> The getting bitten part was that none of this was noticed until the project was in the integration testing phase.
[04:06] <ScottK> At which point it was too late to go back ....
[04:06] <owh> I can just imagine trying to implement say a serial driver in an emulated environment.
[04:06] <ScottK> You're imagining in the right direction.
[04:06] <owh> So you couldn't sync clocks in any other way?
[04:07] <ScottK> The old system was extremely deterministic.  The new one, not so much.
[04:07] <ScottK> Imagine something engineered for a hard RT kernel and you swap in a regular one and expect it to be happy.
[04:08] <owh> phone
[04:12] <owh> That was the weirdest phone call I've had in years. Anyway moving right along.
[04:13] <owh> Yeah, I can see your fun.
[04:13] <owh> How did you end up fixing it?
[04:14] <ScottK> Fortunately I didn't have to.  I was involved in one of the projects that had to integrate with it.  We got promised it would be transparent.  We weren't at all surprised it wasn't.
[04:15] <ScottK> So we screamed and beat the other project with a metaphorical stick until they bug fixed a design into existence.
[04:16] <owh> Riiight. That's code for: "Ah, we uhm stopped virtualising it?"
[04:16] <ScottK> No, they actually made it sort of work.
[04:17] <ScottK> Well enough to pretend it was sort of OK until the real rehosted version was done.
[04:17] <ScottK> Then, of course, funding got cut so not all these bastardized ones got replaced .....
[04:17] <ScottK> So the long term solution was lowered expectations.
[04:18] <ScottK> Very motivational story, yes?
[04:18] <owh> I'll say.
[04:19] <owh> That seems to be the modus operandi these days.
[04:19] <ScottK> Of course that was the last time they got away with 'Trust us ....'.
[05:26] <owh> Authentication is a funny thing. Seems not all people can get their hands around the difference between me authenticating them and them authenticating me.
[09:04] <th0m> hi
[09:07] <th0m> i just install ubuntu server (8.10, and 9.04) as guest os under vmware esx4. "dd" is very slow (20MB/s). I have 200MB/s result under debian (same config, iscsi san storage). Any idea what could be wrong with ubuntu server default install/kernel please ? (mtpbase maybe something?)
[09:08] <_ruben> "interesting" .. never done any real performance testing with linux guests on esx (ESXi 3.5 in my case) .. dd is far from useful as a benchmark, iometer is way better, then again, its linux client is kinda crappy as well
[09:11] <Ethos> if I change etc/sudoers what service do I need to restart for the changes to take effect?
[09:13] <th0m> _ruben, i can understand that dd is not the tool for benchmark , but i should have at least the same perf as a debian default install. I can't get what's wrong ...
[09:27] <soren> Ethos: No need to restart anything.
[09:32] <Ethos> thanks
[09:55] <owh> th0m: Are you running vmware tools/open-vm-tools in both - on the same hardware?
[13:38] <ewook> hail ivoks
[13:39] <ivoks> hi
[13:40] <ewook> yo :)
[13:49] <ivoks> ttx: you remember the hadoop session?
[13:51] <ivoks> The HDFS filesystem is a Java-based filesystem
[13:51] <ttx> ivoks: yes
[13:51] <ivoks> hm... sometimes, developers play interesting games :)
[13:51] <ttx> ivoks: yes :)
[13:52] <ivoks> ttx: so, were there any significant stuff regarding java dependencies?
[13:53] <ttx> ivoks: there are a few issues, but nothing that cannot be worked-around
[13:53] <ivoks> apparently, there is source package
[13:53] <ivoks> so we could try to get it in ubuntu
[13:53] <ttx> ivoks: I wanted to have a look at the debian packaging from Cloudera
[13:53] <ivoks> i might work on that, but i'll need your help with java stuff
[13:54] <ivoks> ttx: that's the one i was thinking about
[13:54] <ttx> ivoks: I can send you the email about deps I already sent to soren a few weeks ago
[13:54] <ivoks> that would be good
[13:54] <ttx> ivoks: my guess about the cloudera packages is that they packaged a binary directly... I would be very surprised if they did it following the rules
[13:55] <ivoks> ttx: that's what they said, i didn't check it yest
[13:55] <ivoks> yet
[13:56] <ttx> ivoks: mail sent
[13:57] <ttx> ivoks: I'm available for help :)
[13:57] <ivoks> i've read it
[13:58] <ivoks> i hate non-FHS apps
[13:58] <ttx> ivoks: Java applications are notoriously FHS-averse. With a few notable exceptions
[14:00] <ttx> ivoks: and Java upstream usually don't like when you try to install their software in a FHS-compliant way. They blame all issues on your symlink hacks.
[14:01] <ivoks> this is a good argument for pro-mono advocates
[14:01] <ivoks> :)
[14:01] <ttx> (which makes sense, from their OS-neutral point of view)
[14:01] <ttx> heh, don't start me on that one ;)
[14:28] <RobertF> Hello
[14:28] <RobertF> 9.10 (alpha2) => frederic is not in the sudoers file.
[14:35] <dnperfors> RobertF: So? is he a member of the admin group?
[14:38] <RobertF> dnperfors: is it a bug?
[14:38] <RobertF> dnperfors: I create the user during the install
[14:48] <Sam-I-Am> i've heard about an issue where the user created during install doesn't always get sudo access like they should
[14:48] <Sam-I-Am> not sure if it's an official bug yet
[14:51] <ivoks> there was one couple of releases ago
[14:52] <ivoks> iirc, selecting mail server task with a 'no configuration' option for postfix, resulted in not adding user to admin group
[15:11] <lamont> ivoks: how very strange
[15:12] <ivoks> yeah
[15:12] <ivoks> we had hard time to figure out how come that happened to that user
[15:13] <ivoks> until she put all the steps in install
[15:13] <soren> lamont: It turned out to be because the postinst of postfix exited with an error code causing the rest d-i's finish-install stuff to be skipped.
[15:13] <ivoks> there was even a blog about it
[15:13] <ivoks> right
[15:14] <soren> lamont: Yes, postfix. So it was all your fault :)
[15:18] <Sam-I-Am> always blame lamont :P
[15:20] <lamont> I totally win
[16:28] <zul> so has anyone created a mirror from a cd-rom?
[16:28] <mathiaz> zul: what do you mean exactly?
[16:29] <mathiaz> zul: the packages on the cdrom have the same structure as a mirror
[16:29] <mathiaz> zul: there are dists/ and pool/ directories at the root of the iso
[16:29] <zul> mathiaz: gotcha
[16:46] <th0m> is there a way to freeze a test server ?
[16:46] <th0m> (to simulate a troubleshooting)
[16:46] <th0m> cat /dev/random > /dev/something_crucial ?
[16:59] <ivoks> ttx: you should've been quiet :)
[16:59] <ttx> ivoks: I won't say anything more :P
[16:59] <ivoks> kirkland: so, what's your opinion on dkms?
[17:00] <ivoks> kirkland: did you use it for kvm backports?
[17:10] <ivoks> well, i have to go now... take care
[17:31] <leonel> will postgresql 8.4 be included in Karmic ??? PostgreSQL 8.4 RC1 was released today ..
[17:56] <mathiaz> leonel: I'm not sure we include RCs in Debian/Ubuntu
[18:03] <leonel> mathiaz: of course not, I mean  now that  the  RC 1 is out, the Final version will be  on  Jun 29 so .. I guess it can make to Debian / Ubuntu right ??
[18:04] <mathiaz> leonel: probably - if pitti has time to upload 8.4 to debian before FeatureFreeze (end of august)
[18:50] <newtoubuntu> i am trying to uninstall gnome flash
[18:50] <newtoubuntu> can any one help?
[18:52] <giovani|work> what's gnome flash?
[19:13] <jeiworth> hi all, we are currently looking for a decent groupware for our tiny graphic design office, so far i have been checking zimbra, opengroupware and openxchange and it looks like we'll go for zimbra (although i have a bit of a stomach ache due to yahoo perhaps being sold to the evil overlord ;o)) anyone here with experience with opensource groupware?
[19:19] <sarthor> Hi, How to install / Run http://www.shorewall.net/MultiISP.html#lsm
[19:19] <kirkland> ivoks around?
[20:09] <mathiaz> kees: does this compiler error ring a bell? http://paste.ubuntu.com/197240/
[20:11] <Hecate> hezali, i don't know what gnome flash is supposed to be, either. maybe you're talking about gnash aka. gnu flash. if you do: this is totally off topic in the server chan.
[20:27] <kees> mathiaz: checking
[20:27] <kees> mathiaz: never seen that before.
[20:28] <kees> mathiaz: http://www.cellperformance.com/mike_acton/2006/06/understanding_strict_aliasing.html might be helpful?
[20:28] <mathiaz> kees: ok - I haven't done any investigation on this one
[20:29] <mathiaz> kees: is the failure related to the FORTIFY defaults?
[21:24] <kees> mathiaz: I don't think so -- likely just gcc tightening semantics of the language
[21:29] <maw> on a fresh install, what does ubuntu-server use as a MTA
[21:29] <maw> can mail be relayed off the server or do I need to install postfix?
[21:37] <oruwork> maw-> I am very new to linux and I set up postfix / dovecot about 6 months ago for a 10 people company that i work for and we haven't had a single problem
[21:37] <oruwork> maw-> to be more specific, its not just for internal email, its for external
[21:38] <maw> my question was asking if anyone knows if an MTA is shipped in the default install
[21:38] <maw> so apps can send email etc...
[21:38] <oruwork> yes it does
[21:38] <Nafallo> maw: not unless you ticket the task for it
[21:38] <maw> I am not trying to setup a mailserver for users
[21:38] <Nafallo> ticked even
[21:38] <oruwork> maw-> yeah, you have to check the mail task at install
[21:38] <maw> that would have been postfix if I clicked that box?
[21:38] <Nafallo> oh. shipped.
[21:39] <Nafallo> I reckon so.
[21:39] <maw> ah ok
[21:39] <Nafallo> postfix and exim (IIRC) are both on the install disk.
[21:39] <Nafallo> but none is installed by default of course :-)
[21:40] <maw> right... just clarifying. FreeBSD ships with sendmail already installed but configured as a local mailer
[21:40] <Nafallo> maw: it's a decision made to not install any listening daemons by default.
[21:41] <Nafallo> cups would be the exception, but set to bind to localhost in default installs.
[21:41] <maw> right
[21:42] <maw> I essentially verified that with  netstat -an
[21:42] <maw> ok thx for clarifying
[21:42] <Nafallo> netstat -ltun is what I would have used :-)
[21:43] <maw> whoops forgot the l :P
[21:44] <Nafallo> a and l are a bit mutually exclusive aren't they?
[21:44]  * Nafallo checks the manual
[21:44] <Nafallo> yeah. looks like it.
[21:44] <hvn> I'll add sudo and -p: sudo netstat -ltunp
[21:45] <hvn> shows the listening process too
[21:45] <maw> indeed, -a and -l would have similar info. That is not necessary as one might want to know just listening compared to all
[21:54] <billybigrigger> can anyone suggest a good apache log analyzer? besides awstats and webalizer?