Slashdot Mirror

When will this stuff finally be ironed out?

yes, good article i agree

Markle explains the KDE and GNOME desktop environments, outlines the Samba project, and concentrates on the essential similarities and differences between the Windows and the Linux desktop. He recommends KNOPPIX as the first distro for newbies - installed via a fully bootable CD.

Oh come on......

No NFS support
Ok, no good free clients that I know of, but plenty of commercial ones - or you could use samba

broken kerberos support
Non-windows clients and servers can communicate using the GSS-API (RFC 1964) protocol

no NIS support that I know of
If you don't know then don't say it

no ssh client or server
Ok, you really are clueless - ever heard of Cygwin?

no X server
See above

Ok, I feel better now.

He's almost certainly talking about SAMBA. Microsoft probably (I haven't checked) has patents on several aspects of the SMB protocol and the NT Domain system. SAMBA would then reimplement these patents without a license. Therefore, Microsoft IP (patents) could very well be in open source software (SAMBA) without authorization.

To my knowledge, Microsoft has not moved on this issue. They probably see SAMBA as still being too small a fish. It wouldn't be profitable for them to sue a few developers into bankrupcy, but if a big company with deep pockets banks on SAMBA, they might reconsider.

In the interim, Microsoft spreading vague FUD on the issue is cheap and very beneficial to their bottom line.

This sounds like a pretty wacky claim on Microsoft's part. The only example that comes to my mind is maybe samba, which uses the Microsoft SMB protocol.

Now unfortunately for Microsoft, it is legal to reverse engineer a protocol for the sake of interoperability, when the documentation is not available from the company. This is clearly in the best interest of the public, which is most of us :)

Also check out this web page on How to Reverse Engineer and still be Legal.

Someone mod this up it's more relevant than most other rubbish here. All this is a SOLVED problem. It's in production and it works. It's called EVACS. It was developed using XTUML which is also interesting in it's own right.

Yes, the distributed build system is based on distcc. (I'm the distcc author, and I have been speaking to people at Apple.)

There are some Apple-specific hooks to integrate with their IDE and their nonstandard precompiled header system, but it's basically the same.

I applaud Apple for getting in touch early on and seeing what they could do to help with open source development.

Does it check if the libraries and compilers on the machines are producing the same object code?

I'm not sure. That has been a minor problem for distcc, because there is no really satisfactory OS/distribution independent way to check the versions of compilers and tool chains. (Red Hat users will recall that sometimes 2.96 aint 2.96). Because Apple know all the gritty details of OS/compiler versioning they can check this.

If you upgrade from NT4, do it right. Use Samba.

The latest version of Samba even allows you to set up your Samba server to be a PDC, and directly migrate your users & groups from an already functioning NT Domain.

Does anyone know if they just used distcc as discussed earlier or did they create another program? Does it check if the libraries and compilers on the machines are producing the same object code?

Simple, none of the *nix filesystems out there support the Windows security model.

And FAT partitions does?

(Note: Rudimentary understanding of XFS follows...)

I would expect that XFS is sufficient for Windows NT/2000/XP... XFS supports full ACLs, etc, it's just not available in Linux (well, commonly available) because the "Linux security model" doesn't mesh with the NT-like levels of ACLs supported by XFS. Supposedly this kind of functionality is supported by the IRIX version of XFS, and apparently the Linux version with some special ACL patches. I will refer you to the Samba Changelog for when NT ACL support was added (IIRC), which mentioned (I assume NT-compatible) ACLs were supported.

I'm pretty sure that's Anton Blanchard. Here's the link. I think he was working for Linuxcare at that time, but yes he's working for IBM now.

We'd be considerably more productive under Linux -- a P2-200 compiles the codebase about 2x as fast as the PPC603e we have for dev

The answer is "it depends".

I have a friend running distcc on a cluster of one 16CPU POWER4 machine and two quad Xeons on switched GigE and builds go pretty fast for them. :-)

But there are diminishing returns from distcc as you add more CPUs, as for many parallel systems. Going from ten to twenty CPUs will probably not double the speed, and may not increase it very much at all. Scalability depends on many factors including the speed of the client CPU, network connectivity, the complexity of the makefile and of the source.

Make can be a big loss. Switching to SCons can be much more efficient, partly because it can issue more jobs in parallel.

Networking is also important. With more than about 5 remote CPUs then fast ethernet will probably be saturated. If you go to gigabit ethernet there will be more headroom.

libtool is terribly inefficient; using it will kill performance for local compiles and cripple remote compiles.

If you had a lot of software to build and many CPUs, the smart thing would be to split it into independant subtrees and build them on separate build clusters.

distcc probably couldn't use 588 CPUs, but if you partitioned them into clusters of about 8 and farmed out work then you could do well.

And you actually could do it pretty quick too with this setup they're getting ;)

just 'emerge distcc' and you can harness the collective power of the boxes by automatically farming out the steps of the compile jobs to them all. Can make a big difference to building stuff like KDE under Gentoo, espcially if you're building it for a slow machine and you've got a powerful PC hooked up to the same network.

For those who've never seen it, distcc is a distributed gcc compiler which works pretty well, and takes very little effort to set up.

You might like to also look at Andrew Tridgell's ccache compiler cache, which can avoid running the compiler altogether if the object file is cached from a previous identical run. This is great if you work in several similar source trees. Of course it works well with distcc.

You might like to also look at Andrew Tridgell's ccache compiler cache, which can avoid running the compiler altogether if the object file is cached from a previous identical run. This is great if you work in several similar source trees. Of course it works well with distcc.

distcc.samba.org. It's another fine piece of coding from the Samba team. It uses your standard gcc, and does parallel builds on other machines. Really speeds things up.

ccache is a compiler cache. It acts as a caching pre-processor to C/C++ compilers, using the -E compiler switch and a hash to detect when a compilation can be satisfied from cache. This often results in a 5 to 10 times speedup in common compilations.

make dep clean && make bzImage modules modules_install

make dep clean && make CC="ccache gcc" bzImage modules modules_install

ccache -M 100M

Or you could just install the i686 binaries and do 'emerge -e world' with distcc setup on your network, and it it would be up and running faster than you can take your system completely apart and put it back togethor again (about 90 minutes for me).

Ideally, one would never want 100 PCs to deal with. I've worked in such environments before, and there are constantly parts breaking, etc, - its just a major headache. Thin clients with no moving parts are a much better solution. Check out this article on Largo, Florida, and the link to the original article:

http://newsforge.com/article.pl?sid=02/12/04/234 62 15

However, suppose you already made the mistake of buying a big pile of PCs, so you want to make use of them until you migrate to something that makes more sense. Rolling out Linux on them all would be relatively painless, and there are numerous ways of doing this. One method would be to go with the Linux Terminal Server project:

http://www.ltsp.org/

Supposing you want to keep the "PC" model, because, say, you don't have the network or server resources for a central login server setup, then there are many ways of rolling out a group of linux PC installs as well. Here's an article that discusses some of them:


http://www.linux-mag.com/2002-12/cloning_01.html


In UNIX/Linux, by default, normal users do not have the ability to modify the system. They have authority only over their own home directories. There is a great deal of security measures that one could take to "lock down" the system to a far greater degree than the average defaults, but the default configuration for most distributions likely offers more protection to the systems integrity than a professionally locked down Windows box.

You can set up Linux in several ways for centralized system accounts and authentication, to achieve, in effect, the type of "domain-like" logins that you are used to in Windows. LDAP servers are a great mechanism to do this (LDAP is actually the protocol on which MS DS is based).

There are numerous ways to centrally manage all of the software installs, configuration files (which determine all system settings), etc., on a network of Linux machines. Linux/UNIX philosophy is that tools are made to be simple and flexible, and to work easily with other tools. This gives the administrator the freedom to set things up the way s/he sees fit for his/her specific environment. Rsync is a good example of a tool with remarkable flexibility for keeping files in sync: http://rsync.samba.org/index.html

Perl has infinite potential and flexibility in systems management. http://www.perl.org

Cfengine is a powerful distributed configuration system: http://www.cfengine.org/

So basically you can patch together a system that works best for you. There are hundreds, maybe thousands of tools that you can use. Many of them are built in, others you might have to download and install.

If you want a commercial "out-of-the-box" management solution, those are available too. Ximian's Red Carpet product is an example of centralized package management. I think I read that Novell was working on some type of management software... I've never looked into commercial solutions, since the free & roll-your-own ones are more than sufficient for me.

As for your quip about no support and problems with drivers - that just shows your lack of experience with the platform. Support is generally a lot better with open source software than it is for commercial software, and its usually free. As for drivers, wouldn't you check to make sure they exist before buying the hardware? Chances are extremely high that any hardware you have in the enterprise today is fully supported in Linux. Its the bleeding edge, just released this month gaming hardware that isn't.

..which really doesn't take that long when you've got 2-3 i686's linked together via distcc. OpenOffice is, of course, the gluntenous exception. Heck, there's even a distcc build for my Zaurus.

The Tivo and Replay both support the passing through of the closed caption signal. The compression of the video doesn't affect CC.

However, if you are asking do the boxes themselves actually have the ability to generate CC subtitles, Replay does not. The Tivo Series 1 machines can *if* you have the ability and time to go through installing a separate add on program from here:

TivoVBI

I do distributed builds for the Linux target using distcc across many machines including cygwin boxes with x86 Linux cross compilers. Why? Because the Windows boxes we have are generally faster than the Linux boxes we have and are idle most of the time anyway.

Nothing like having a huge build complete much faster. Turns out that the limit on speed is how fast the machine doing the preprocessing is though.

Here's some tools you might want to look at. I found them right at the end of my last Job using C++ and wish I'd found them at the begining. Together they can really cut compile time down.

CCache http://ccache.samba.org/ this can make make project build almost 6 tines as fast on following compiles. This isn't very good for doing a ./configure, make, make install but great when you are developing something.

DistCC http://distcc.samba.org/ use everyones computer to compile the project.

So if your having slow compile times in a development environment use these to decrease them.

If at first you don't succeed, don't go sky diving.

Here's some tools you might want to look at. I found them right at the end of my last Job using C++ and wish I'd found them at the begining. Together they can really cut compile time down.

CCache http://ccache.samba.org/ this can make make project build almost 6 tines as fast on following compiles. This isn't very good for doing a ./configure, make, make install but great when you are developing something.

DistCC http://distcc.samba.org/ use everyones computer to compile the project.

So if your having slow compile times in a development environment use these to decrease them.

If at first you don't succeed, don't go sky diving.

I am a network engineer at SCO.
I was browsing through our smb shares to make sure nobody was downloading illegal files.
Lo and behold, I found a package called linux-2.4.20.tar.bz2

I noticed that you linux users are mirroring that same exact file on some website.

If you do not immediately remove this file, and any copies of the extracted contents of this file, we shall be contacting you through our team of recently graduated lawyers.

Have a nice day.

-r

> If anyone has root on ANY system or there are ANY > non-unix systems, forget it.

By that you mean that it's easy to read stuff off people's directory if you can spoof their UID. Sure. I think you'll find the same is true on a SMB network.

> The administrative functionality in NFS can't
> compare to the features that have been available
> to MacOS and Windows administrators for over a
> decade,

Given that 10 years ago Windows for Workgroup had hardly been released and didn't even have TCP/IP by default I think you are exagerating a little bit. At the same time MacOS version 7 was the norm, and we all know how secure that one was, right?

Maybe NFS4 is your answer?

I usually use rsync for one way backups, and unison where I need 2 way synchronization.
Rsync is nice because you can update lots of files very quickly, as it only moves binary diff's between files. Also, if it is a costly network link, you have the option to specify max transfer rates, so you don't kill your pipe when it runs from your cron job.
Unison is nice because it is pretty smart about determining which files should be moved, and can correctly handle new and deleted files on either end of the link. Plus it supports doing all of it's comm via ssh, so it's secure.

rsync

unison

The downside to both of these being that neither of them are instantaneous. However, I've had much success running both of these as often as every 5 minutes. Just make sure that you launch them from a script that is smart enough to check for already running instances before it starts trying to move data.

If you're running a 2.3 servlet container, drop in the jCIFS NTLM HTTP Authentication Filter. It's available here:

http://jcifs.samba.org/

but the latest jar is here (website a little broken):

http://users.erols.com/mballen/jcifs/

All you need to set is the domainController init parameter. There's also a base servlet for pre 2.3 containers that don't support filters.

Also take a look at the Davenport project which permits IE users (and I suspect Mozilla users now) the ability to browse the entire WAN using the negotiated NTLM pawssword hashes as a WebDAV folder or using plain HTML. Again, uses jCIFS.

This guy wrote the software with Linux in mind, not BSD. Actually, most successful large, Open Source projects are designed primarily for Linux (such as KDE and Samba.)

Deal with it.

There are several SAMBA GUIs listed on the Samba web site: http://samba.org/samba/GUI/

How many add-ons does it have to have? Or how many more add-ons does it have to have? There's a TON out there already, from TiVo and from the hacking community.

mp3 and ogg decoding?

There's an addon available (for cost) that does mp3, but not ogg.

programmable from any computer?

The same addon as the mp3 ability does that, too. Or you can use the free, community-provided tool, that's been around for awhile.

hackable?

There is plenty of that going on .

How about a pop3 client? Or perhaps AIM on your TiVo? What about caller id? Plenty of other stuff, too.

Personally, I'm glad that they don't slap a recordable DVD drive in there. That would just jack the cost of the hardware. If it is that important, just throw the TiVo on your network and hit google for tivo video extraction. With the tools available, it is fairly trivial to extract the MPEG streams to your PC and record them to DVD, plus you get the benefit of using whatever video editing software you want (to do things like cut the commercials, etc), and whatever DVD recording software you like. If the functionality were on the TiVo, I'd doubt that you'd get much more than save to DVD, with no editing possible.

Also note that DEC/Compaq/HP has/had a product called Pathworks which supports SMB over DECNET or TCPIP. It has been renamed Advanced Server, last time I checked.

Well if you've got at least more than 1 computer you may want to consider setting up a cluster. Given, it won't perform like a true SMP system, it's still cool. For compiling you will probably want to use distcc and then install an openMosix kernel. Of course a 100mb switch is recommended. If you've got SMP systems in the cluster then this will work even better.

I have just a p233 and p3 500 running Gentoo Linux with their openMosix kernel. It's much more bearable compiling on the 233 with help of the 500.

I wish I could put my Athlon 1800+ on the cluster, but I have it running Win2k for games. I don't feel like dealing with Wine or dual booting, maybe one day when I have more time.

I'd just like to point out a misnomer in the linked article that "SMB is a file sharing protocol developed originaly by Microsoft". As alluded to in Samba's History, SMB was originally invented by Digital Equipment Corporation.

Dude, you need distcc.

You should probably run Samba 2.2.8 before you get 0wn3d like NT.

There does seem to be one clever thing they are doing. From their web page:

..The next time you visit the Amazon home page (which may have changed since the last visit), the following events occur:

• Your request for the Web page is automatically routed by the Propel Client to the Propel Network.
• The Propel Network retrieves the requested Web page from the Amazon Web site. Having identified the page elements that had previously been retrieved in a prior visit, the Propel Network only compresses and transmits those components that changed.
• Data already stored on your PC - plus any new decoded page elements - are assembled locally by the Propel Client and delivered to the Web browser.

Diffs! That's actually a good idea and it really would work.

Caching unchanged bits of documents sounds rather like rproxy, an http proxy which uses the rsync protocol to just send changes to documents. But that project is inactive because apparently there isn't the demand for it.

Personally, I think that the right place for this kind of cleverness is just between the ISP and the user. So the ISP runs a proxy server which downloads things as normal, and then has a single connection (perhaps over a compressed ssh tunnel) with the user's PC, over which it can just send deltas against pages cached on the user's PC. So all of the effort is focused on the real bottleneck, the modem link.

I don't think ISPs need to buy this company's product, they could put together an equivalent using rsync and a few weeks' perl coding.

rsync doesnt use gzip, or the deflate algorithm - it uses the Burrows-Wheeler Transform, same as used in bzip2. If you read Tridge's thesis you'll see that he actually proposes an rzip algorithm based on the BWT and his work on rsync that compresses better than gzip or bzip2 on typical files.

-Baz

What I did, since Amanda doesn't have very good robotic library support, was to set up our NT server with an old version of Backup Exec (it was available used, from another company that upgraded, and it was cheap). Then I added a surplus Exabyte 8mm library (an EXB210, if I recall correctly) that I got for about $50 at the local used computer place.

Next, I installed Samba on our NetBSD boxes, set up the shares and permissions, and viola! Centralized backup with minimal hassle and cost.

Granted, this was done with older software and surplus components. While the exact hardware, and specific backup software I used may not be suitable for "enterprise" environments, the same principle applies. Samba is a lot more useful than I think some folks give it credit for. Thank you, Andrew Tridgell!

True, except here it basically says if you expose samba/CIFS in general, you're fuxored.

"The SMB/CIFS protocol implemented by Samba is vulnerable to many attacks, even without specific security holes. The TCP ports 139 and the new port 445 (used by Win2k and the Samba 3.0 alpha code in particular) should never be exposed to untrusted networks."

So all they've done is release a patch for what can be fixed WITHOUT breaking Windows integration.

And for the hax0rs without a local shell, there's a recent samba instant-remote-r00t vulnerability. Get your patches while they're hot!

First of all, there will be the cost savings of not having to license an anti-virus suite for your email server.

Next, there is the per-seat licensing issue that will simply go away. No more $35,000 (or so) for licensing 1000 connections into an Exchange server.

Next, if you want to implement a decent campus-wide kiosk type Internet access system, there are plenty of NCD type terminals ($30.00 or so on ebay in quantity) that work remotely with XFree86. Our friends at the K-12 Linux Terminal Server Project can probably offer some advice on how to set this sort of system up.

If you need to maintain some sort of Windows compatibility (there will probably be 1 or 2 systems that must run Windows only software), our friends at the Samba Project offer an excellent Windows Networking compatibility layer.

You can also emphasize that without Windows, your computer investment won't become obsolete in 2 years.

I could probably come up with hundreds of other ideas, but this should help get things rolling.

..and MS gave us SMB file sharing.

Er, I don't think they did. Now, correct me if I'm wrong, but didn't the samba team have to reverse engineer the protocol to get something that worked?

Samba History

You mean "somebody send them a copy of ccache? As others have pointed out, ofttimes a clean build is needed. ccache can speed repetitive clean builds up quite a bit.

I agree in principle, but among the bugfixes in the 10.2.4 update were several security-related items. From http://docs.info.apple.com/article.html?artnum=617 98 (Comments in brackets mine)

Mac OS X 10.2.4

• Sendmail: Fixes CAN-2002-0906 Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, could permit a denial of service attack and possibly allow execution of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to also address CAN-2002-1165. [Not an issue for most, obviously, but, well, it's sendmail.]
  
  
• AFP: Fixes CAN-2003-0049 "AFP login permissions for the system administrator". Provides an option whereby a system administrator may or may not be allowed to log in as a user, authenticating via their admin password. Previously, administrators could always log in as a user, authenticating via their own admin password. [I haven't seen any documentation on setting this up yet. Hrm. Hrm.]
  
  
• Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable to create arbitrary files or overwrite existing files, which could lead to obtaining elevated privileges. Credit to Dave G. from @stake, Inc. for discovering this issue. [This one can be pretty serious if you're running the classic environment in a lab setting. <insert standard physical security disclaimer here>]
  
  
• Samba: Previous releases of Mac OS X are not vulnerable to CAN-2002-1318, an issue in Samba's length checking for encrypted password changes. Mac OS X currently uses Directory Services for authentication, and does not call the vulnerable Samba function. However, to prevent a potential future exploit via this function, the patch from Samba 2.2.7 was applied although the version of Samba was not changed for this update release. Further information is available from: http://samba.org/samba/whatsnew/samba-2.2.7.html [This may not have been an real issue for OS X, but it was a pain for me nevertheless. Every time our internal security scanner checked my systems, it would squawk about a high-priority security alert. That never fails to attract the attention of managers.]
  
  

Note: To my knowledge, none of these security fixes were released prior to 10.2.4. You could fix some of them yourself, but for the general Mac audience, that's a wildly unrealistic expectation.

ObOnTopic: I experienced the clock reset on my dualie, but NTP fixed that easily enough. In previous releases, I've had Dock items added and experienced other minor annoyances. It's never been consistent across machines, though, and since the problems were so trivial I never bothered to troubleshoot them further. Permissions issues? Files out of place? Gremlins?

Xix.