[01:38:23] --- Russ has left: Disconnected
[01:38:59] --- reuteras has left
[01:39:00] --- reuteras has become available
[01:48:29] --- reuteras has left
[01:48:39] --- reuteras has become available
[05:09:25] --- jaltman/FrogsLeap has left: Disconnected
[05:12:31] --- jaltman/FrogsLeap has become available
[05:22:58] --- meffie has become available
[07:01:43] --- reuteras has left
[07:28:19] --- deason has become available
[07:42:02] --- mho has become available
[07:46:16] --- jaltman/FrogsLeap has left: Disconnected
[09:50:10] --- jaltman/FrogsLeap has become available
[09:52:03] --- jaltman/FrogsLeap has left: Disconnected
[10:00:00] --- rra has become available
[10:01:22] --- jaltman/FrogsLeap has become available
[10:07:50] <shadow@gmail.com/owl3BA35B6F> any of you using AD with macos for password verification?
[10:12:21] <deason> like, using the AD auth for logging in to os x ?
[10:13:23] <shadow@gmail.com/owl3BA35B6F> correct
[10:13:50] <shadow@gmail.com/owl3BA35B6F> (via AD, not via kerberos)
[10:14:43] <deason> oh, I suppose not, then
[10:15:05] <deason> I expect that's kerberos auth, but with some additional AD authz restrictions, or something?
[10:15:09] <shadow@gmail.com/owl3BA35B6F> i suspect our "get tokens at login" handling interferes. 
[10:15:20] <shadow@gmail.com/owl3BA35B6F> it uses a different mechanism entirely, from what i can tell
[10:16:52] <deason> ntlm2? I didn't think that was used anymore, but I wouldn't know
[10:19:11] <shadow@gmail.com/owl3BA35B6F> i mean a different code path and thus a different set of libraries
[10:20:59] <shadow@gmail.com/owl3BA35B6F> (it may be ntlmv2; i don't know)
[10:21:21] <jaltman/FrogsLeap> which AD?
[10:21:44] <jaltman/FrogsLeap> 2000? 2003? 2008?  2008-R2?
[10:21:52] <shadow@gmail.com/owl3BA35B6F> uh. what are my choices?
[10:21:56] <shadow@gmail.com/owl3BA35B6F> don't care.
[10:22:18] <shadow@gmail.com/owl3BA35B6F> indifferent to which. i just need a mac configured to talk to one not
via krb5
[10:22:40] <jaltman/FrogsLeap> any machine bound to AD is going to use krb5
[10:22:44] <shadow@gmail.com/owl3BA35B6F> nope.
[10:22:51] <shadow@gmail.com/owl3BA35B6F> not for the purpose of this discussion
[10:23:17] <shadow@gmail.com/owl3BA35B6F> there's an AD plugin for osx which is not simply setting up kerberos
authentication
[10:23:36] <jaltman/FrogsLeap> is it binding the machine to AD or not?
[10:24:11] <jaltman/FrogsLeap> AD authentication uses the PAC in the Kerberos v5 ticket to provide authorization info for logon
[10:24:17] <deason> "not simply kerberos" doesn't necessarily mean it doesn't involve kerberos at all
[10:24:30] <shadow@gmail.com/owl3BA35B6F> it's binding
[10:25:03] <shadow@gmail.com/owl3BA35B6F> sure. all i know for sure is there's ldap behind the scenes. i don't
actually care if there's kerberos or not, frankly. it's out of scope
for what i am trying to determine
[10:25:26] <jaltman/FrogsLeap> the AD LDAP is not used for authentication.
[10:26:07] <deason> okay, I get what you mean from the earlier comments; the "actually part of AD" setup, not the common "just use AD krb5" setup
[10:26:14] <jaltman/FrogsLeap> its used for the client to access policy data and other things
[10:26:24] <shadow@gmail.com/owl3BA35B6F> yes.
[10:26:30] <shadow@gmail.com/owl3BA35B6F> not "AD is my kerberos server"
[11:13:29] --- allbery_b has left
[11:13:35] --- allbery_b has become available
[12:27:05] --- allbery_b has left
[12:29:37] --- allbery_b has become available
[13:10:00] --- allbery_b has left
[13:10:06] --- allbery_b has become available
[15:49:17] <deason> can anyone tell me why the linux CM looks for vcaches that have a refcount of 1 when looking for vcaches to afs_FlushVCache? (as opposed to 0)
[15:49:29] <deason> is the refcount just never supposed to drop that low? or is the caller supposed to hold a ref?
[15:53:24] <deason> it also worries me a bit that the 1.4 cm seemed to look for refcount==1 everywhere, but the 1.6 cm looks for refcount<1 on non-linux
[16:07:43] --- deason has left
[17:32:46] --- rra has left: Disconnected
[17:49:54] --- Russ has become available
[18:36:20] --- shadow@gmail.com/owl3BA35B6F has left
[18:37:22] --- shadow@gmail.com/owl6C2E40C1 has become available
[19:36:48] --- meffie has left
[19:39:16] <Russ> pam-afs-session is getting EINVAL from its setpag call on Mac OS X, and pagsh in 1.6.0pre1 has the same problem.  I don't think 9da7f3cc73bf990427a9dd80ba2bbbb618383ea3 could be causing this.  Any ideas?  Is this a known problem that's been fixed already?
[19:39:32] <shadow@gmail.com/owl6C2E40C1> no pags on macos.
[19:39:38] <Russ> Oh, so this is known to just not work?
[19:39:48] <shadow@gmail.com/owl6C2E40C1> it's a known problem that is fixed by not setting pags
[19:40:01] <Russ> Right.  :)
[19:40:17] <shadow@gmail.com/owl6C2E40C1> see the macos page on the web site if you're curious of details
[19:40:29] <Russ> Okay, cool, I'll just update the documentation to tell people to use nopag on Mac OS X.
[19:41:02] --- mfelliott41973 has become available
[19:41:02] --- mfelliott41973 has left
[19:41:02] --- mfelliott69401 has become available
[19:41:02] --- mfelliott69401 has left
[19:41:02] --- mfelliott91638 has become available
[19:41:02] --- mfelliott has left
[19:41:03] <shadow@gmail.com/owl6C2E40C1> (effectively: no persistent kernel structure to keep a pag in; nothing
without performance impact or "off limits" or both to otherwise keep
track)
[19:41:31] <Russ> I suppose I could just quietly turn on nopag on Mac OS X, but making people set it has the advantage of ensuring people know they don't have a PAG.
[19:51:24] --- shadow@gmail.com/owl6C2E40C1 has left
[19:52:14] --- shadow@gmail.com/owl3F737421 has become available
[20:18:16] --- deason has become available
[20:20:35] --- shadow@gmail.com/owl3F737421 has left
[20:21:11] --- shadow@gmail.com/owl371ADF77 has become available
[20:38:26] --- mfelliott91638 has left
[20:38:33] --- mfelliott has become available
[22:07:32] --- deason has left
[22:49:27] --- reuteras has become available