[00:15:24] --- Simon Wilkinson has left
[00:40:28] --- Russ has become available
[01:16:36] --- Russ has left: Disconnected
[04:38:39] --- Simon Wilkinson has become available
[05:08:34] --- Simon Wilkinson has left
[05:21:14] --- Simon Wilkinson has become available
[05:24:57] --- Simon Wilkinson has left
[06:01:23] --- kula has become available
[06:40:15] --- reuteras has left
[06:57:16] --- steven.jenkins has left
[06:57:28] --- steven.jenkins has become available
[07:02:11] --- Simon Wilkinson has become available
[10:16:00] --- Simon Wilkinson has left
[10:44:55] --- jaltman has left: Disconnected
[10:52:57] <andersk> OpenAFS 1.5.77 packages for Ubuntu 8.04–10.10:
https://launchpad.net/~openafs/+archive/master
[11:15:44] --- ksumner has become available
[11:19:57] <ksumner> Russ, do you have a pam config stub for pam_afs_session running on Ubuntu?
[11:22:20] <andersk> Have you looked at
/usr/share/doc/libpam-afs-session/README.Debian
/usr/share/doc/libpam-afs-session/README.gz
?
[11:23:38] <ksumner> I am familiar with setting up pam on Debian/Ubuntu.  More what I am referring to is the config file that pam-auth-update to use when it generates the pam stacks.
[11:24:33] <andersk> Oh.  There’s one in libpam-afs-sesssion 1.7-2 in maverick.
[11:25:39] <ksumner> Excellent, that's exactly what I needed to know.
[12:58:32] --- geekosaur has left
[13:17:03] --- geekosaur has become available
[13:29:54] <steven.jenkins> shadow (or anyone) -- the pts extensions work...is there code anywhere for that?  even draft code?
[15:33:51] --- Simon Wilkinson has become available
[15:37:08] <Simon Wilkinson> steven.jenkins: Which bits are you interested in?
[15:45:02] <shadow@gmail.com/owlEBE83A21> there will be code you can test against soon. there is nothing which
stores changes in the database.

well, in truth, there is some code now, but i am going to dinner
shortly and basically am not going to distill it out for distribution
right now
[15:45:37] <Simon Wilkinson> was the rx_identity stuff of use?
[15:46:31] <shadow@gmail.com/owlEBE83A21> yup
[15:47:34] <Simon Wilkinson> cool. i've almost got the UserList stuff done.
[16:27:09] --- jaltman has become available
[16:54:47] <rra> 1.6 is failing to build at the moment with:
make[3]: Entering directory `/home/eagle/dvl/openafs/src/rxkad'
make[3]: *** No rule to make target `fcrypt.h', needed by `/home/eagle/dvl/openafs/include/rx/fcrypt.h'.  Stop.
make[3]: Leaving directory `/home/eagle/dvl/openafs/src/rxkad'

[16:55:38] <rra> Ah, local problem.
[16:55:42] <rra> Somehow it got locally deleted.
[16:58:51] <jaltman> Apparently UMich is busy working on an AFS Web Service API to replace file drawers
[16:59:18] <rra> That would be nice.  Filedrawers is a nice product, but it has some problems and it's not very flexible.
[17:26:58] <jaltman> I would prefer to see file drawers implemented as a front-end to a web service api
[17:27:49] <jaltman> I have sent them mail asking that they consider submitting any proposals that they have for such an API to afs3-stds
[17:28:30] <jaltman> I have also inquired as to whether or not their API is compliant with any of the emerging cloud storage api standards
[17:29:05] <steven.jenkins> simon - any of them..
[17:29:41] <steven.jenkins> I'm interested in some basic problems like trying to make multiple krb realms appear as one, multiple cells appear as one (ie, from a pts perspective), etc.
[17:45:00] <rra> Doesn't multiple krb realms just work?  It does for us.  Or do you mean in the cross-realm case with multiple remote realms?
[17:50:32] <kula> huh. i should go find who at UMich is working on an AFS Web Service API
[18:29:49] --- Simon Wilkinson has left
[18:42:06] --- jaltman has left: Disconnected
[18:42:15] --- jaltman has become available
[19:01:22] --- jaltman has left: Disconnected
[19:05:06] <steven.jenkins> rra - standard 'cross-realm' solves part of the problem, yes.  I'm trying to determine if the pts extension work is going to solve 'the rest' of it, or if more work will be needed (and there are going to be lots of questions/issues around mgmt/tooling interfaces to manage those cleanly)
[19:38:12] <rra> I don't know of any remaining problems with treating multiple Kerberos realms as identical to the local realm.
[19:38:17] <rra> If you're talking about something else, then yeah.
[20:00:55] --- abo has left
[20:01:35] --- abo has become available
[20:02:19] --- rra has left: Disconnected
[20:18:24] --- rra has become available
[20:30:44] <steven.jenkins> rra - is there a good write-up somewhere of cross-realm setup?  The best I know of is a single slide from Alf's training materials; the krb.conf and krb.excl man pages aren't bad, but they lack good examples (and a man page isn't really the place for good, long examples).  
[20:32:32] <rra> I guess I've never thought of it as something complex enough to warrant a writeup.  I'm not entirely sure what one would say.  You set up cross-realm trust between the local realm and whatever other equivalent realms, and then you list all the realms in krb.conf.
[20:33:11] <rra> There should certainly be something about it in the admin guide, though, and there probably currently isn't.
[20:39:51] <steven.jenkins> I think the 'needs discussing' is two pieces: 1- a basic scenario (like what's in the man pages, but with a tiny sample set of AFS ids) and 2- the interaction of mapping and not-in-sync AFS ids
[20:41:34] <rra> Oh, mapping.
[20:41:45] <rra> Yes, that's the thing that the PTS work would help with.
[20:41:55] <rra> Right now, you of course can't do any mapping.  You just treat the realms as equivalent.
[20:42:11] <steven.jenkins> right.  and put any non-matching ids into krb.excl
[20:42:58] --- jaltman has become available
[20:43:02] <rra> The example in the krb.excl man page doesn't really make a lot of sense.
[20:43:23] <rra> I'm not sure why you'd have two realms configured that way.
[20:43:39] <steven.jenkins> quick syntax question (not sure where this is documented) -- is the short-cut for mounting a volume /afs/$cell:$volume (assuming perlish syntax, e.g., $cell = 'some.cell', $volume = 'my.volume')
[20:44:13] <rra> Oh, I see, the example makes sense; the description just doesn't as much.
[20:45:29] <steven.jenkins> the rationale section in there is not too bad.
[20:45:54] <steven.jenkins> it's a bit hard to find, though; i.e., starting from a problem and then realizing I needed to look at that particular man page
[20:46:21] <rra> It's the rationale in particular that didn't make sense to me.
[20:46:37] <steven.jenkins> heh.
[20:46:44] <rra> The problem isn't generally that "the principals for administrators aren't the same between the two realms"; if that were the case, you wouldn't need krb.excl at all.
[20:47:03] <rra> The problem is that you don't trust the foreign realm to have AFS administrator privileges, so you dont' want to let someone create that principal in the foreign realm and suddenly gain those privileges.
[20:47:06] <steven.jenkins> ah.  I didnt even read the second paragraph.
[20:47:07] --- ksumner has left
[20:47:42] --- ksumner has become available
[21:04:30] <steven.jenkins> hm.  did any catch my previous question about the syntax to automagically mount a volume?
[21:04:56] <rra> If you're asking me, yes, but I've never used that feature and have no idea.
[21:05:53] <steven.jenkins> I've googled around a bit and looked at the src but havent found it yet.
[21:10:56] * rra tries to figure out why the Linux kernel module is always rebuilt every time one runs make, and is built twice on make install.
[21:14:30] <steven.jenkins> found it.  syntax is: /afs/.:mount/slac.stanford.edu:pub
[21:24:00] <rra> Ah, we do that because we explicitly build it twice (?!?), and force it to be rebuilt every time (?).
[21:24:36] <rra> This code confuses me a lot.
[23:43:46] --- rra has left: Disconnected