Good point, there's a careful balancing act that has to be done when you (Fedora) consider automatic configuration vs. ease of use. Microsoft has chosen the latter of the two and look where it got them, the next Windows XP service pack that's coming out is going to clamp down on all of the services/ports that are left wide open by a default Windows XP install because M$ has been getting burned by several different virus/worms. I think the Fedora project has chosen to give everyone a secure installation by default, if you want to open up your system to the world after the fact that's your choice. Again, there is no "hacking" involved in setting this up, unless you consider using a CLI and editing config files "hacking". Also you must keep in mind that Samba has to reverse engineer everything to work with AD, which M$ stole from Novell, and that is by no means a trivial task. I'd say if you really wanted to demo to your company the power/flexibility/freedom of Linux to setup a Samba server as a domain controller. Then try using the GUI Samba Authentication tool and see if it works... I bet it would.
_____
From: marc.mcswain@academy.com [mailto:marc.mcswain@academy.com] Sent: Thursday, January 15, 2004 3:23 PM To: fedora-test-list@redhat.com Subject: RE: file sharing
While I think that this is a bit, ok, way off topic, this thread seems to be the kind of thing that I hear all too often. People in a Micro$oft world are used to the software doing everything for them. I choose to use Linux because it does not try and do everything for me. This way I can choose the way things are setup, and what security risks that I am willing to deal with. FC1 will attach to Windows Shares with no problems, and Samba will use Micro$oft AD for Security, we use it every day. Does it take some configuration, yes. Is that too much to ask of an admin, no.
OK, I will get off my soapbox now.
Marc
"stephan schutter" rhl@farorbit.com Sent by: fedora-test-list-admin@redhat.com
01/15/2004 03:11 PM
Please respond to fedora-test-list@redhat.com
To fedora-test-list@redhat.com
cc
Subject RE: file sharing
This is just my point, though; why all this hacking to get this working? The experts in the community (or RedHat) could set it up right to start with. Customer / Client supplies data needed (NT domain name and credentials) then voila!
You know, the more you do FOR the user the more the user LIKES you. And it is within the scope of Fedora to make a great desktop product eventually, right?
I am relaying FEEDBACK to this list. From several people; current IT people (MS based as most are) and end users, and managers... Learning is expensive. I was hoping that Fedora as a project would appreciate feedback from non-Linux admins.
Stephan
On Thu, Jan 15, 2004 at 03:47:16PM -0600, Epps, Aaron M. wrote:
I think the Fedora project has chosen to give everyone a secure installation by default, if you want to open up your system to the world after the fact that's your choice. Again, there is no "hacking" involved in setting this up, unless you consider using a CLI and editing config files "hacking". Also you must keep in mind that Samba has to reverse engineer everything to work with AD, which M$ stole from Novell, and that is by no means a trivial task. I'd say if you really wanted to demo to your company the power/flexibility/freedom of Linux to setup a Samba server as a domain controller. Then try using the GUI Samba Authentication tool and see if it works... I bet it would.
Im not sure the Fedora set up is perfect. I'd still really like to get into a situation where the first time I go to say cups and add a printer it also kicks the firewall tools to sort out if you want remote access, and it takes it away when its no longer relevant
Little project for someone 8)
Thank you Alan. Me to.
And once again, I am not talking about servers, and I do not see how being able to authenticate to Active Directory by default is "unsafe".
-----Original Message----- From: fedora-test-list-admin@redhat.com [mailto:fedora-test-list-admin@redhat.com] On Behalf Of Alan Cox Sent: Thursday, January 15, 2004 4:17 PM To: fedora-test-list@redhat.com Subject: Re: file sharing
On Thu, Jan 15, 2004 at 03:47:16PM -0600, Epps, Aaron M. wrote:
I think the Fedora project has chosen to give everyone a secure
installation by default, if you want to open up your system to the world after the fact that's your choice. Again, there is no "hacking" involved in setting this up, unless you consider using a CLI and editing config files "hacking". Also you must keep in mind that Samba has to reverse engineer everything to work with AD, which M$ stole from Novell, and that is by no means a trivial task. I'd say if you really wanted to demo to your company the power/flexibility/freedom of Linux to setup a Samba server as a domain controller. Then try using the GUI Samba Authentication tool and see if it works... I bet it would.
Im not sure the Fedora set up is perfect. I'd still really like to get into a situation where the first time I go to say cups and add a printer it also kicks the firewall tools to sort out if you want remote access, and it takes it away when its no longer relevant
Little project for someone 8)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
stephan schutter wrote: | And once again, I am not talking about servers, and I do not see how being | able to authenticate to Active Directory by default is "unsafe".
I don't know much about AD, but if it's running on a M$ system it's unsafe.
-Thomas
On Thu, 2004-01-15 at 15:28, stephan schutter wrote:
Thank you Alan. Me to.
And once again, I am not talking about servers, and I do not see how being able to authenticate to Active Directory by default is "unsafe".
Because, the hash algorithm used by Microsoft for "secure" password based authentication is insecure. Go out and google for information about that, you should find plenty of material.
However, I think you are missing the point. Most Linux distributions (Fedora included) were not created in order to provide a drop in replacement to Windows. The fact that we *can* authenticate against AD domains is a near miracle in and of itself, given the ridiculous obfuscation that Microsoft goes through in their protocols in order to try (and fail) to *prevent* anyone else (especially Linux?) from being able to use them.
Lastly, I would like to point out that this is the Fedora TEST list. This entire thread belongs on the Fedora list. Perhaps a couple of items could be discussed on the Fedora Developer list. This statement is more for the archives rather than you, Stephen, as you have already heard this before.
[SNIP]
On Thu, 2004-01-15 at 15:16, Alan Cox wrote:
Im not sure the Fedora set up is perfect. I'd still really like to get into a situation where the first time I go to say cups and add a printer it also kicks the firewall tools to sort out if you want remote access, and it takes it away when its no longer relevant
IMO, this is the right approach.
Some people want completely automatic opening of ports (i.e. holes in their firewall/security). Not me.
Instead of just opening ports without the user/administrator knowing (bad cop, no donut!), the addition or reconfiguration of a service should require human acknowledgment to open a hole in the security configuration.
Of course, the balance between automation and administrator authorization is the part of this that would probably be the most widely debated.
Little project for someone 8)
Sigh...if I only had the time right now to add one more to my list. Maybe in a month or so?
/me cowardly refuses to hold breath and wait.
OK, I know how to configure samba. I use it as a server and a client at home. However, I work for a very large company that likes bulls eyes. There is no way that the 2400 Windows admins are going to rebuild the infrastructure to suit Linux. Linux has to fit in to the architecture, and not the other way around. Period. I will bet you money that this is true elsewhere as well. It's AD, DDNS, WINS, SMB CIFS, and Exchange -- and that will not change for a long time.
So no more soap boxes please.
Let's be pragmatic: -- Do we want Linux on the desktop? If NO then do nothing and stick to current practices. If YES then users ET. All. Need to Like Linux and not get frustrated by it. I put in the time and effort to learn Linux, but I do not know many that are willing to work that hard.
-- How can people be made to like Linux even if they are not freedom fighters or tech hobbyists?
Let us start here.
-----Original Message----- From: fedora-test-list-admin@redhat.com [mailto:fedora-test-list-admin@redhat.com] On Behalf Of Epps, Aaron M. Sent: Thursday, January 15, 2004 3:47 PM To: 'fedora-test-list@redhat.com' Subject: RE: file sharing
Good point, there's a careful balancing act that has to be done when you (Fedora) consider automatic configuration vs. ease of use. Microsoft has chosen the latter of the two and look where it got them, the next Windows XP service pack that's coming out is going to clamp down on all of the services/ports that are left wide open by a default Windows XP install because M$ has been getting burned by several different virus/worms. I think the Fedora project has chosen to give everyone a secure installation by default, if you want to open up your system to the world after the fact that's your choice. Again, there is no "hacking" involved in setting this up, unless you consider using a CLI and editing config files "hacking". Also you must keep in mind that Samba has to reverse engineer everything to work with AD, which M$ stole from Novell, and that is by no means a trivial task. I'd say if you really wanted to demo to your company the power/flexibility/freedom of Linux to setup a Samba server as a domain controller. Then try using the GUI Samba Authentication tool and see if it works... I bet it would.
________________________________
From: marc.mcswain@academy.com [mailto:marc.mcswain@academy.com] Sent: Thursday, January 15, 2004 3:23 PM To: fedora-test-list@redhat.com Subject: RE: file sharing
While I think that this is a bit, ok, way off topic, this thread seems to be the kind of thing that I hear all too often. People in a Micro$oft world are used to the software doing everything for them. I choose to use Linux because it does not try and do everything for me. This way I can choose the way things are setup, and what security risks that I am willing to deal with. FC1 will attach to Windows Shares with no problems, and Samba will use Micro$oft AD for Security, we use it every day. Does it take some configuration, yes. Is that too much to ask of an admin, no.
OK, I will get off my soapbox now.
Marc
"stephan schutter" rhl@farorbit.com Sent by: fedora-test-list-admin@redhat.com
01/15/2004 03:11 PM Please respond to fedora-test-list@redhat.com
To fedora-test-list@redhat.com cc Subject RE: file sharing
This is just my point, though; why all this hacking to get this working? The experts in the community (or RedHat) could set it up right to start with. Customer / Client supplies data needed (NT domain name and credentials) then voila!
You know, the more you do FOR the user the more the user LIKES you. And it is within the scope of Fedora to make a great desktop product eventually, right?
I am relaying FEEDBACK to this list. From several people; current IT people (MS based as most are) and end users, and managers... Learning is expensive. I was hoping that Fedora as a project would appreciate feedback from non-Linux admins.
Stephan
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
stephan schutter wrote: | OK, I know how to configure samba. I use it as a server and a client at | home. However, I work for a very large company that likes bulls eyes. There | is no way that the 2400 Windows admins are going to rebuild the
How many admins? How many users? Unix admins can normally handle more users/machines.
| infrastructure to suit Linux. Linux has to fit in to the architecture, and | not the other way around. Period. I will bet you money that this is true | elsewhere as well. It's AD, DDNS, WINS, SMB CIFS, and Exchange -- and that | will not change for a long time.
Exchange aint going to happed (unless you BUY software for it).
I never really understood WINS, but samba works fine. I've never had trouble accessing share from windows machines.
What's DDNS? Some screwed up implementation of bind? Not a clue about AD.
-Thomas
On Fri, 16 Jan 2004 13:56:09 -0600 Thomas Dodd ted@cypress.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
stephan schutter wrote: | OK, I know how to configure samba. I use it as a server and a client at| home. However, I work for a very large company that likes bulls eyes. There | is no way that the 2400 Windows admins are going to rebuild the
How many admins? How many users? Unix admins can normally handle more users/machines.
| infrastructure to suit Linux. Linux has to fit in to the architecture, and| not the other way around. Period. I will bet you money that this is true| elsewhere as well. It's AD, DDNS, WINS, SMB CIFS, and Exchange -- and that| will not change for a long time.
Exchange aint going to happed (unless you BUY software for it).
I never really understood WINS, but samba works fine. I've never had trouble accessing share from windows machines.
What's DDNS? Some screwed up implementation of bind? Not a clue about AD.
I think DDNS is dynamic dns...
How many admins? How many users? Unix admins can normally handle more users/machines.
A: 250 000 users in AD...
I never really understood WINS, but samba works fine. I've never had trouble accessing share from windows machines.
A: the other way around...
What's DDNS? Some screwed up implementation of bind? Not a clue about AD.
A: Dynamic DNS... DHCP updates the records in DNS...
-
Alan Cox -
Epps, Aaron M. -
jason pearl -
Lamont R. Peterson -
Stephan Schutter -
Thomas Dodd