|
When you're ordering food off of a menu, here are a couple of things to keep in
mind.
"French" usually means with eggs, e.g. French Vanilla.
"Greek" usually means with feta cheese, e.g. Greek Veggie Burger.
Don't ask me why, I don't make these things up.
|
|
Fixed a "how'd that ever work?" bug in one of the apps I've been
bundling with pam_krb5 (afs5log) today — it never checked for the
presence of the ioctl-in-proc method of calling into AFS, so it couldn't give
tokens to the kernel. Not something you'd ever notice if you're not using
AFS, but it's odd that it had always worked for me until today.
Fixed a few lingering bugs for older releases.
Started looking at why unlocking my screen with gnome-screensaver doesn't net
me fresh Kerberos credentials the way doing so with xscreensaver does in Raw
Hide. Need to chase that down further.
Also looking at what happens when you leave krb5-auth-dialog's password
prompt dialog running all weekend: you eventually get credentials that are good
starting now, but which expired yesterday. (Whee!)
|
|
Seth, basically the
argument you're upset about boils down to "[insert project here]
is about choice, now do what I want!" But then, you're assuming that
people make sense. That's that, now back to more happy-go-lucky.
|
|
I bit the bullet and released pam_krb5 2.2 this week, so that finally people
can stop pulling CVS snapshots to get the benefit of code that works correctly
in the presence of OpenSSH's privilege separation, along with a couple of
other new features. This one sat in CVS for far too long after I branched 2.1
for maintenance, but the new features took longer to debug than I'd hoped.
Also spent an unusually large amount of time looking at LDAP resolution for
user names and PADL's nss_ldap in particular. The problem we need to solve
here is that while LDAP is a hierarchical name space, which therefore allows
you to define posixAccount objects with the same user name, so long
as you put them in different parts of the tree, Unix and Unix-like systems
expect a flat namespace, so while a directory server may let you create two
account objects for users named "joe", the client systems aren't
going to like it.
After toying with the idea, I figure the simplest thing to do is to take a
page from the Samba team's winbindd and start munging up user names
at the client in order to guarantee uniqueness of user names from the point of
view of workstations. Basically, to make users whose entries live under
ou=other,dc=example,dc=com appear to have a non-default prefix or
suffix applied to their user and group names. The configuration file format
starts to look a little limited when you consider how you'd express this, but
I think the idea is sound.
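The munging idea sketched above, as an added example that is not from this post or from nss_ldap: names from entries under a configured subtree get a prefix or suffix, and any name that is still ambiguous afterwards is refused rather than resolved to an arbitrary account. The rule table, the `other+` prefix and the function names are assumptions made for illustration, and DN parsing is simplified (no escaped commas).

```python
# Added illustration; rule table and function names are hypothetical,
# not nss_ldap configuration options.
MUNGE_RULES = [  # (base DN, prefix, suffix): constructed sample rules
    ("ou=other,dc=example,dc=com", "other+", ""),
]
ENTRIES = [  # (DN, uid): constructed sample posixAccount entries
    ("uid=joe,ou=people,dc=example,dc=com", "joe"),
    ("uid=joe,ou=other,dc=example,dc=com", "joe"),
    ("uid=ann,ou=another,dc=example,dc=com", "ann"),
]

def rdns(dn):
    """Split a DN into normalized RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def is_under(dn, base):
    """Compare whole RDNs so ou=another is not mistaken for ou=other."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def munge_name(dn, name, rules=MUNGE_RULES):
    """Apply the prefix/suffix of the most specific matching subtree rule."""
    matches = [r for r in rules if is_under(dn, r[0])]
    if not matches:
        return name  # default subtree: name passes through unchanged
    _, prefix, suffix = max(matches, key=lambda r: len(rdns(r[0])))
    return prefix + name + suffix

def flatten(entries, rules=MUNGE_RULES):
    """Return {flat name: DN}; refuse any name that is still ambiguous."""
    flat = {}
    for dn, name in entries:
        key = munge_name(dn, name, rules)
        if key in flat:
            raise ValueError(f"{key!r} maps to both {flat[key]} and {dn}")
        flat[key] = dn
    return flat

if __name__ == "__main__":
    for name, dn in flatten(ENTRIES).items():
        print(f"{name:12} {dn}")
```

The same function applies to group names, since it only looks at the entry's DN and the name being returned.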
|
|
Dance Karaoke Revolution Extreme. Hey, it could happen. Anyhow, fans in
the Massachusetts area should check out the tour, coming this
weekend to a mall near you.
|