Slashdot Mirror
Windows 2000 Directory Support While Keeping Unix?
"Although our group has historically been able to control it's own authentication and name services, our agency, together with some other affiliated entities, has begun to develop plans for the deployment of W2K and Active Directory, agency-wide, and we are beginning to hear noises about the possiblity of it being implemented in a configuration that would move that control outside of our group for the first time. Given that we are the only dyed-in-the-wool Unix shop anywhere in sight, we're not counting on Unix-specific concerns carrying much weight in this discussion. FWIW, "Unix" in this case is mostly Solaris/SPARC, with a growing Linux and BSD flavor, both also on SPARC as well as x86.
Now, to get to the point, I have the following serious questions to which informed answers would be tremendously useful right about now:
- It is my impression, which may be incorrect, that (a) a W2K workstation using Active Directory services cannot directly access old, NT4-style SMB shares, and (b) neither Samba (at least any stable releases thereof) nor any commercial SMB-on-Unix implementations (not that I'd be at all happy to ditch Samba) is able to export Unix filesystems via the new, W2K-style protocol, or at least not in any way that would provide "seamless integration" with W2K clients that also needed to access AD/W2K-based resources. From these impressions I would conclude that AD-infected W2K workstations cannot be made to access Unix-native filesystems via SMB. Is this correct? If there are inaccuracies in this, or if it's "not really that simple", I'd love to know the details.
- It is unclear as yet whether we would somehow be forced to use AD/W2K-based name and authentication services for our Unix machines. Potentially, for authentication we could use the vanilla Kerberos interface in AD. However, for name and directory services to work fully, we are likely to need to be able to store RFC 2307-compiant data in the AD LDAP. So, leaving aside the question of whether we would even be allowed to store the RFC 2307 data in the agency's AD, are these things possible or practical?
- One concern we have about AD is the liklihood that we may have to use a subtree of the central AD for our group. In this event, we expect that some sorts of access and control are likely to propigate down from the top of the tree, and that we may ultimately not be able to have the final say over who has what permissions with respect to the resources supported by our group. Not to be territorial, but this raises some sigificant security concerns in that some of the data we process is quite sensitive (e.g. respondant-level survey data -- can you say "privacy concern"?) and the auditors will want to see assurances that access and distribution are properly controlled within our group. Is this a legitimate concern about a centrally-controlled AD? Are there some AD configurations that are less troublesome than others in this regard?
- Does anyone know of any other potential killer incompatibilities between AD/W2K and Unix that should be put on the table as we discuss our "requirements" (ha) with the central IT people who are trying to do this?
- Has anyone gone (is anyone going) through this who would be willing to share experiences?
For everyone who will no doubt respond to this by identifying all the better solutions that may exist, I'd love to do something like that -- we had been investigating doing something with Kerberos and OpenLDAP before this came up -- but the point is that the direction here is likely to be totally beyond our control, and we may wind up stuck with the task of finding some way to salvage whatever we can of fifteen years of investment in a Unix-based solution. I'm just trying to understand the pitfalls a bit better before all this is set in stone.
Here are three previous /. items that seem most relevent, so you know that you don't have to point me to these."
Atleast to my understanding, the Microsoft's implementation of Kerberos is uncompatible in a such way that the Directory service is only available while running W2K Kerberos server. W2K is able to authenticate from UNIX Kerberos server, but I've heard a claim that UNIX clients will be unable to authenticate from W2K Kerberos. None of this I have tried out myself, not willing to touch W2K with even a long, very, very long stick.
1. There's no reason why a workstation participating in an Active Directory domain shouldn't be able to access older style NT or Samba shares. There are a few departments where I work that have (stupidly) deployed Active Directory, but it hasn't affected their access to our NT 4 file server. Well, except that they have no idea what they're doing, so that gets them sometimes :)
2. Using Kerberos in Win2k should work, as long as any Unix Kerb5 servers are slaves to the 2k server. From my reading, any attempt to use the AD LDAP for anything else is doomed to failure. Microsoft is supporting heterogeneous environments only to the extent that it moves people to their software, so they won't make it easy to maintain support of Unix systems.
3. If you're given your own Organizational Unit within the active directory, you can choose to block inheritance of permissions and policies and whatnot, and maintain a certain level of autonomy.
5. We've been going through the preliminary planning of rolling out AD in our mixed environment(NT, Solaris, Netware), and while it's been ugly, it doesn't seem hopeless. Services for Unix 2 promises a lot (password sync among them), and if it can deliver, then integration becomes that much easier. Just keep in mind that any Microsoft solution is offerred with the intention of burying your Unix boxes.
You fail to realize that that's as inevitable as death in most organizations.
...And as pleasant a thought.
Win2K is a fine gaming platform. Multiprocessor support and DirectX for games that don't run in an OpenGL mode. It has no other good uses. There is a better alternative for every other task you might want to do with a computer.
The only way to truly satisfy yourself is to setup a test environment. (To /.ers: please don't go on about "satisfying yourself" too much)
pi=sigma{n:0-infinity}[(1/16)^n][(4/(8n+1))-(2/(8n +4))-(1/ (8n+5))-(1/(8n+6))]
I've been using Win2K and Samba. They work fine together, with one hitch: Samba seems to have difficulty resolving names of connecting machines. If you can provide a method of name resolution, such as DNS or a simple /etc/hosts file, then this problem goes away.
Good luck.
It is a great article seperate from problems with win2k.
Leknor
http://Leknor.com
Leknor
http://Leknor.com
"So many idiots, so few comets"
An old one.
An older one.
Some old benchmarks.
BTW sales of Win2K have been abysmal. A fact you don't hear much about, but which lies behind some of Microsoft's actions. (Trying to squeeze more revenue from existing streams.) Go out and look for yourself for some links on that (unfortunately not well enough publicized) story.
Cheers,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
And therein lies the problem. Management need to be made forcefully aware that the agency is not a Windows only shop, and that proposing Windows only solutions like this is a road to ruin. Sure, you may only be a minority, but they need to know that you cannot integrate with their solution without (at the very least) significant work. The need to know what the impact of alienating your department will be on the agency as a whole. Like it or not, management are stupid. Sure there are a few exceptions, but on the whole, it's a good approximation. I once worked at a company where management decreed that all corporate email should be handled by exchange and outlook. Only after buying the servers, and doing an initial roll out to some PCs did they realise that 30% of the desktops ran SunOS or Solaris on Sparc hardware... Management don't understand technological issues like these, and they need to have them explained.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I think you totally missed his point. He doesn't (or won't) have the option of just 'ignoring it'. That's the entire problem. It's going to be mandated by a bunch of federal PHBs and if he's not prepared now rather than later his network could well be screwed. I recently came from a similar type of institution he's working in and I can tell you that what makes sense from a technical point of view never enters the minds of the ones who decide to mandate a solution based on the latest print ad microsloth put in their copy of PC magazine. Luckily I left that place, and am now entrenching Unix in a start-up company. And loving every minute of it.
There is a paper that describes MS AD service called "Implementing Directory Enabled Networks Using Windows 2000 Technology". It lives at http://www.microsoft.com/windows2000/library/techn ologies/communications/denuse.asp. I hope this helps.
G.H.
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."
-- A Thinking Man's Creed for Crypto
Just wait till some crappy band steals your nic.
There is interesting technology in Active Directory. It is an interesting project to attempt to provide these services without requiring the use of a Windows 2000 server infrastructure. I can't say I'm doing an awful lot to help in this regard presently, but I've made some notes, and you can check them out at http://www.padl.com/~lukeh/XAD/whit e_paper.html. The SAMBA people are probably most active on this front.
To answer some of your questions: I believe W2K can access old SMB-style shares. After all, it wouldn't make sense for it not to work with NT 4 shares. I expect the "new" SMB is wrapped in the Kerberos SSPI (wire-compatible with the Kerberos GSS-API mechanism). Regarding storing RFC 2307 information AD, good luck. Microsoft have made some modifications to the schema in order to support various "features" of Active Directory, such as the lack of support for multi-valued naming attributes, auxiliary classes not being listed as values of the objectClass attribute, some attribute type conflicts with RFC 2307, etc. Microsoft have an "embraced and extended" version that ships with Services for UNIX, but this isn't plug-and-play with existing RFC 2307 clients unless they support on-the-fly attribute mapping.
I don't know about the issue of AD networked stations not being able to access NT4 style shares but I see no reason why they shouldn't
;)
What I DO KNOW is that the active directory can be run in 2 modes: native and mixed. In native mode it will of course deny anything that is not active directory compatible. In mixed mode it's supposed to let you work with older NT stations and servers/domain controllers. (Of course there are some features that require native mode to help force you a bit more towards it and once you're in native mode you can't go back to mixed either
About authentication, you'll have to check whether your Kerberos implementation is compatible to the one Microsoft is using and you'll also have to see whether your systems support the SVC records inside DNS. (Here are some RFCs that they refer to: RR records RFC2052, Dynamic DNS update RFC2136/RFC2137)
As for accessing data that is in the AD you'll have to figure out how to do it via LDAP I suppose.
Hope the above helps a bit. Unfortunately I'm no expert in these matters.
I'm using W2K on one machine to access shares on a Linux system running Samba. It works just fine.
Above all do NOT allow this to happen: Techies/consultants that are advising the rollout tell management "switch to Win2k". Management tells other departments "switch to Win2k". Other deptartments tell management "we can't". Management tells techies "they won't". Techies tell management "force them".
You've got to get ahold of the techies yourself--don't let management be the conduit for technical decisions. You still have to explain the issues to management so that they can mandate the discussion take place--but when the discussion happens managements only role should be as arbiter.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
cough*OpenLDAP*cough*
Insightful?!
Did you read what bob was asking? Let me snip the bit so it's easy for you: "...we had been investigating doing something with Kerberos and OpenLDAP before this came up -- but the point is that the direction here is likely to be totally beyond our control.."
So, um, OpenLDAP is great and all, but he's talking about SOMEONE ELSE deploying AD and he has to adapt to it.
I've worked for way too many goverment groups in the past and the best advice was from a water engineer at the soil conservation survice.
The goverment works like a large bolder rolling down the hill. You can't stop it but you can change its direction if you push it at the right time and place.
Years ago I used this while working for DISA (DIMA's parent, they control the IT for the AF, as well as the Army, Navy etc in theory). DISA had decided that GOSIP email was the one true way and nothing was going to change that. Ok fine. Its a messed up version of X400 based on some of the worst code I have ever seen. I attended lots of meetings where lots was discussed but nothing was ever done. At the time I managed a large email system that involved some 87,000 users over 12 main systems. It was the largest system of its kind in the goverment. From what I had learned while working at SCS, I did the only reasonable thing which was to ask a Col if I could make a change to the propsed migration document. I changed one line to allow both X.400 migration system as well as SMTP migration. That got included in the main document, which became the long term plan and now thanks to cut and past into other docs, fully allows SMTP as valid part of the GOSSIP systems.
One edit and I killed X.400. Not bad for goverment work.
To address issue #1:
I am the administrator for a computer science lab that has workstations that dual-boot Windows 2000 Professional and RedHat Linux 6.2. I run two servers in the lab: Win 2000 Server and RedHat Linux 6.1. The Linux server exports its home directories via both NFS and Samba. The Windows 2000 Professional workstations are able to connect to Samba shares on the Linux server without any difficulties.
The Windows 2000 Professional workstations are also able to connect to shares on NT 4 servers.
Hope this helps.
My own (possibly inappropriate) response would be to counsel against a blind W2K roll-out. If your group is autonomous, there's probably a reason, and it should stay that way.
Next, allow them to deploy W2K. Watch in horror as your group implodes, losing valuable apps, churning out incorrect data, etc.
Wait a little longer, until your group is nothing more than a flaming wreck.
Then call in Congress!
I tell you, there's nothing Congress likes more than the opportunity to investigate/gang-rape government agencies. Ideally, your management will have themselves raked over coals in front of some subcommittee, with a Senator screaming at them. You'll never hear about W2K again, provided that your group can survive this long in a dysfunctional state.
Of course, this all assumes that you're willing to destroy your own agency/group. It also assumes that your group is actually doing something valuable, but not TOO valuable.
And, as always, I could be wrong.
I have no
A) Win2k is not a gaming platform... if you want to play games, install WinMe. Many titles have problems under Win2k.
B) You forgot to finish off your sentence so allow me to do the honour: "It has no other good uses [for a person like me who is blinded by zealotry].
I have a GNU/Linux box and a win2k box running side by side on my desktop. I use the GNU/Linux box for all server type things/webdev/coding etc, and I use the win2k box for graphics work in 3DSMax, Photoshop and Illustrator. Both machines do a fantastic job and I really can't complain.
I suggest you redirect some of that boundless energy you seem to have for analyzing all Microsofts faults and apply it to a worthy open source project.
- Toby
I don't know too much about talking with the AD from Linux, but I DO know that Win2K's SMB shares are exactly the same as NT4's whih are the same as Samba's etc. So for example I have had NO problems mounting a Win2K fileshare with smbmount at my work. We have a samba fileserver setup that everyone in our company uses and they have no clue that it is really running on Linux. As you may conclude from that samba has no problems authenticating Win2K user accounts against Win2K domain controllers... meaning if you just needed to authenticate users against a Win2K domain (for login purposes or other) use *could* setup a script to try smbmounting something on the domain with their login/pass and see if it worked. I'm sure you can conclude many other things from this.
As far as the AD goes, we tried to get Linux to talk with our Win2K domain controller and access the AD, but alas it never did work. Win2k's ldap implementation is standard, everything seemed to work according to spec, *except* the wierd kerbros authentication. So if we could have gotten the win2k ldap server to let us authenticate and connect we could have done anything we wanted to, but it never happened.
Hope that helps a bit.
Although it reads a little bit like a pro-Netware column, the article at: http://www.novell.com/competiti ve/nds/security.html gives specific steps (with pictures) on how to exploit ADS to gain access to sensitive information in a branch below you.
Hope it helps.
"Although I am no longer needed, I am still tolerated. I am deprecated." -.DM.
This whole things sounds like a good example of why we should encourage our government to require its own use of open standards and open data formats.
I don't like my tax money wasted on excessive PC support costs and data trapped within Office files.
Having been the IS manager for a large organisation looking after 3.5k users, across 50 sites using 64k wan links and having Win95 and Winnt w/s vouch for the benefits of directory technology for the efficient management of the whole infrastructure. This may not have gone down well with all the distributed IT functions, but my job was to deliver applications and systems access to users with the minimal amount of cockups, and at minimal cost to the company. Generally, the five man team managed to do everything required without moving their butts off their seats - suited them, suited the users, and suited the accountants. While I developed this solution with my team and the vendors, my company (a large US based outsourcer) was, in parallel, developing an NT/AD based solution. My _development_ cost, including licenses, salaries etc was $200k (approx)., my companies budget was reputedly $10m. Obviously I never stood a chance. The new network went in with a blaze of publicity, along with increased staffing, increased wan links, and new (enourmous) servers at each location. I left before it became clear that the cost savings promised from this solution were, frankly b.s. The moral of this story is: If someone senior to you in the organisation has staked enough money and his/her reputation on something, what they want is likely to come to pass. I believe if you buy into it enough, you'll get all the help you need to deliver service to your users. The downside is that you may not be able to deliver service the way you _want_ to do it, and it may not be the best. P.S. The directory technology used originally was NDS, and it worked on (nearly) all the platforms we wanted it to (apart from VMS!). I wouldn't attempt to build a large-scale / distributed network with anything else.
From the MS ADSI website
Getting and Using ADSI Providers
The standard Active Directory Service Interfaces objects, or providers, are found within multiple namespaces, typically directory services for various network operating systems. Providers enable communication between the server or client. ADSI 2.5 includes providers for:
And the real solution to the problem is getting someone to write an ADSI provider for Linux. So if you are inclined, HERES THE DEVELOPER KIT.
Or, Download someone else's provider HERE or HERE
I found the 4 places in MIT's KDC where I needed to create an 'exit' (principal create, update, delete, passwd-change). At these points I call out to an external program (I wanted to modify the KDC itself as little as possible). The external program encrypts a command like
createprincipalpassword
and sends it to a daemon running on the Win2K Domain controller. This daemon does a lookup to our X.500 server to get the 'name/addr/etc' stuff and then uses Win2K calls to add the user into Win2K AD.
The user is prohibited from changing their Win2K password, they must either change it in Unix, or on a SSL-web page -- both of these update Kerberos which reflects the change back into Win2K -- also they can use a 'win2k kpasswd client' too (but that could be improved).
Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
Now really, no matter how tweaked or hacked or configured you get samba, it's really not secure worth jack. Beyond that, it (SMB) is a horribly inefficient transfer protocol.
With Services for Unix 2 on an NT box, you can map all your unix users to your NT accounts (and vice versa) as well as map groups. It's a little quirky getting used to its ins and outs (Such as not being able to mount ANY directory which is not world-readable, you must mount a parent and then the security mappings take effect).
It uses NFS for its file transfer, which is _way_ more efficient, as well as easier to configure and organize across a span of servers. NIS + NT PDC using MS-SFU2 = rather respectable cross-platform accessibility, worlds ahead of what samba can('t) do.
.... um, i lost you after "0110100001101001".
This is from experience, kiddies, not rumors or documentation. 1) Yes, NT 4 servers and workstations can talk to Win2K servers and workstations (and vice versa) regardless of what mode (native or compatible) the AD is in. NetBIOS is very difficult - if not impossible - to disable on both. NOTE: I have had difficulty connecting to an NT 4 server outside of my domain (no trust relationships in effect either) using My Network Places in Win2K. It likes to report that the resource is not available. Same with using Start > Run. But the net command works very well. This is not a problem when accessing machines in your domain. 2) MS modified its Kerberos implementation so that it relies on a documented, but formerly unused field. It eventually owned up to that, releasing the full specification (members of the SAMBA project may correct me on that one if they disagree), but slapped an obnoxious click-wrap NDA on it. They eventually released a less restricted, but less informative document to the same effect. Either way, no non-Win2K product is currently able to fully integrate into AD. 3) The latest versions of BIND, when properly configured do claim to support dynamic DNS, and Win2K's DNS server can be configured to support non-Windows dynamic DNS. 4) There is very little you can do to prevent administrators from gaining access. It's sort of like trying to prevent root from gaining access to a user's home directory. Slap whatever permissions you want on it, eventually they can override it. Thus, you need to have consistent, documented policies on what can be accessed by Administrators, and when and how. Bringing this to your superirors may slow the implementation of AD long enough for some tools to help you manage. An AD migration is painful for the admins, as the learning curve is steep and fast. Your users, oth, shouldn't notice too much of a problem. For example, NT 4 and 9x are perfectly happy sitting in an AD domain, it's just that some functionality is lost.
Windows 2000 is designed to market a Windows server-dependency. The IEEE Computer Society's latest August 2000 (Vol. 33, No. 8) Computer magazine featured an article called Windows 2000: A Threat to Internet Diversity and Open Standards? (PDF available to members here).
A such, you need to adopt a Windows server-free network. This includes holding off on Windows 2000 until either Samba supports its interfaces (will take some reverse engineering) or someone finds a way to have it use NIS/NIS+ for authentication -- e.g., NISGINA does for NT 4.0. At my company, Theseus Logic, we use NISGINA instead of Samba TNG (just use regular Samba 2.0.7) to deal with authentication of NT 4.0 systems.
-- Bryan "TheBS" Smith
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
Aureal filed for bankruptcy, leaving me with a VideoLogic card with shoddy beta drivers which didn't work a whole lot, and "are not going to be updated". Fuck that. :-|
Open Source. Closed Minds. We are Slashdot.
It died when MS gained a monopoly. Now inferior products are forced on unsuspecting people by stupid PHBs who read too many MS whitepapers.
A Dick and a Bush .. You know somebody's gonna get screwed.
War is necrophilia.
I also work for a govt. agency.. and the absolutely, completely, bonheaded, nonthinking, Borg-perfect actions of the US govt. to use MS only solutions at the expense of any and all other computing solutions has been set in stone for some time now.
In the Air Force, they call it Joint Technical Architecture - and while it inlcudes unix today, it won't tomorrow.
In the Navy, they call it IT2000... it just as well should be called Windows2000.
DISA - Defense Information Service Agency - has a brilliant idea... make everyone fall under a single defense information infrastructure common operating environment - DII-COE - put all of our fscking eggs in one basket - which is held by Redomond.
http://diicoe.disa.mil/coe/
In short - i have seen all Mac communities, all NeXT communites, all SGI communities, and all Sun communities get their perfectly good computers tossed out, sent to DRMO (where you can get insane deals on hardware... buckets of Sun UltaSparcs for $50 a bushell, etc.).. all of them... packed up and shipped out for shitty fscking Compaq and Dell servers that give us nothing but the shits.
What people fail to realize is that in a lt of these kinds of communites, the people coming up now EXPECT computers to crash, to hang up, to fsck you over at any old time.. its old hat, and it doesn't bother them.
And - i promise i'm NOT going Mulder on you - but i am convinced, beyond a shadow of a doubt that there is a good reason for it.
Someone is living in redmond, and they don't work for Bill.. and the only way to assure that there are backdoors, ways in, and holes in security are to use this software, shit or not. I have seen grown up adults literally piss and moan that I couldn't demand a certain kind of projector, computer, or other piece of hardware because i didn't have a reason.. because we cannot "sole-source" our purchases.
5 seconds later, the only option we have which is directed by the same officers and contractors full of MSCE pukes is that we throw out PERFECTLY GOOD hardware and software - and bring in shitty Windows boxen.
I had a DNS server at a base that i had been told has been up for 4 years before i got there.. and in 3 years there, never crashed once. It was a Sparc classic. The Win-based Compaq POS that replaced the Sparc went down once a week.. and had to be restarted every night.. it was a checklist item to restart the Exchange and DNS servers.
In any case... i would say that it woudl behoove you to not fuck around with UNIX any more.. i promise that your ass is NOT going to win.. you ARE going to get overruled, and you ARE going to get fired for not going with the program if you continue to bitch and moan.
It WILL NOT matter that real work falls on the floor.. it WILL NOT matter that you have to keep fucking with the new machines every day.. and it will NOT BOTHER your higher ups or the workerbees.. so long as they finally get Outlook 2000 and MS Word... which is all they really want.
I pity you.. and i will pray for you. I pray for all of our souls.. i'm just glad i'm not going to be CIO of my location in 2 weeks... and that i'm off to other things.
oh well.
damn.. that's fucking depressing.
guns kill people like spoons make Rosie O'Donnell fat.
Surprisingly, you might find that cisco has made some advances in AD on unix. You might poke around their website and see if you can turn up anything useful.
To answer your questions,
1. this is true, when win2k workstations are using AD, they lose the ability to access old NT4 and other SMB shares. Even with
3. if at all possible, try to get your own OU and child domain, and you can isolate yourself from many stupid AD administration decisions. Make it clear that a move to AD means that all groups will have to maintain their own servers, rather than just one big central server where a screwup will take everyone down. This will allow for some degree of survivability during AD outages, which will be numerous during the first few years of rollout. Then you can propose a unix based AD/LDAP server for your group.
4. make your requirements that the win2k group accept working with lesser functionality for now, i.e. mixed mode AD, until such time as M$ opens their AD implementation so that every system can profit from those features. Propose running the AD servers on unix (does anyone have any good references?), which will guarantee a level playing field for everyone for now. The "benefits" of moving to win2k are not all that great if it locks everyone into win2k, with the expected increase in licensing fees that M$ does once a company or group makes the fatal switch. It has been well documented before, go find some horror stories in the press or on the web.
5. Only for large amounts of money. I'm not really an AD expert, I'm just supporting some guys who are learning it. In my spare time, I'm studying the security implications of putting all your eggs in one basket, especially when that basket runs on windoze. When AD becomes more widespread, and more critical data and functions are protected by AD, then the hackers will discover many exploits. Can you imagine what would happen to your group if your sole security server were cracked? Every machine would be instantly compromised and the infocriminals would have free reign on all systems without so much as another password prompt to keep them out.
Your best bet is to find some AD server which run on unix, certainly cisco has one that runs on solaris (as part of another product), and propose it to be the main server. And dig up a bunch of horror stories from the URLs already posted here and do your own web search. Trust me, the time you spend now helping steer this disaster in a slightly better direction will help you in the long run.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on