I'd say one of the first questions you need to ask yourself (and your management and legal people) is what level of security you require for your data. After that read up on NFSv3 security; a good article is at http://www.usenix.org/publications/login/2005-02/p dfs/musings.pdf , which touches on most of the major problems. And yes, the situation really is that bad, and tools to exploit the numerous weaknesses are easily obtainable. NFSv3 "security" is a joke. Unless you use it purely as a back end system on a secured, private network between physically secure machines that only people who have access rights to all files on the server have access to, you will lose to any minimally skilled cracker or disgruntled employee (or if someone decides to write self-replicating malware that exploits NFSv3 weaknessess, which frankly I wish someone would do so management types could fully grok how exposed they are).
Once your company understands how unacceptable NFSv3 security is for any kind of situation involving company-confidential or legally-sensitive data, solutions like Network Appliance will start to look like they suck, because they do not support any decently secure protocol that the majority of Unix clients can use, nor will they unless the vendor feels like adding them (appliance model = big, useless / overpriced bricks if you change storage strategies). Only the very latest Unix versions support NFSv4 at all, and that support is universally not well documented, and in my experiance, esp. on GNU/Linux, somewhat buggy. Managing the differing permissions models between CIFS, NFSv3 and NFSv4 is also insanely complex, with lot of subtle problems that can leave you wide open.
There is exactly one non-kludgey widely used solution to this problem, and that is OpenAFS (http://www.openafs.org). Designed for security, proven over more than a decade in demanding environments (Morgan Stanley, MIT, CMU), same permissions model across platforms etc. If you'd like to talk to a vendor, Sine Nomine Associates (http://sinenomine.net/support/afs) is one of several that sell support contracts (the software itself is Open Source). The best vendor backup solution for OpenAFS is TiBS (http://www.teradactyl.com/Products/Afs.html), although roll-your-own is pretty easy as well. Note that if you don't want to touch the Windows desktops with OpenAFS client installs, Samba has excellent support for using OpenAFS as a back end (i.e. Windows clients accessing AFS-space via their native CIFS clients via Samba). There is also a NFSv3 translator service for if you happen to have any extremely odd or old Unix operating systems that aren't supported by OpenAFS or ARLA (http://www.stacken.kth.se/project/arla/) clients. Another option in some cases would be to buy Sharity (http://www.obdev.at/products/sharity/index.html) licenses and access AFS-space via CIFS/Samba. To use OpenAFS you also need a Kerberos 5 KDC; for this you can use Active Directory, or MIT or Heimdal Kerberos 5, which are both free. For a cross-platform single signon solution, you can combine Samba, OpenLDAP and Heimdal; this requires experianced unix-y sys admins, but companies like Symas Corp., http://www.symas.com/ , will do it for you.
You mentioned DCE/DFS (which I've noticed several people have misinterpreted as Microsoft dfs, which has almost nothing in common with DCE/DFS). DCE/DFS is dead. It had little vendor uptake; IBM supplied clients for most platforms, and IBM stopped development and ended support quite a while ago. Management was a complete nightmare. There is no open source implementation. It's dead, Jim!:-)
IBM has 2 major migration paths away from DCE/DFS (and IBM AFS, which is also end-of-lifed, although most of those customers just moved to OpenAFS). One is SANFS (http://www.redbooks.ibm.com/abstracts/SG247057.ht ml?Open), which is cool but appropriate to only a limited r
SQL Relay does this (site looks like it is down at the moment so I'm pointing to the google cache). It is a persistent database connection pooling, proxying and load balancing system for Unix and Linux supporting ODBC, Oracle, MySQL, mSQL, PostgreSQL, Sybase, MS SQL Server, IBM DB2, Interbase, Lago and SQLite with APIs for C, C++, Perl, Perl-DBD, Python, Python-DB, Zope, PHP, Ruby, Ruby-DBD and Java, command line clients, a GUI configuration tool and extensive documentation. The APIs support advanced database operations such as bind variables, multi-row fetches, client side result set caching and suspended transactions. It is ideal for speeding up database-driven web-based applications, accessing databases from unsupported platforms, migrating between databases, distributing access to replicated databases and throttling database access.
There is an open-source alternative to SMB: OpenAFS
From the website:
What is AFS?
AFS is a distributed filesystem product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Labs). It offers a client-server architecture for file sharing, providing location independence, scalability and transparent migration capabilities for data.
What is OpenAFS?
IBM branched the source of the AFS product, and made a copy of the source available for community development and maintenance. They called the release OpenAFS.
This was posted to info-afs recently (subscritpion information at http://www.transarc.ibm.com/Support/common/mailing ListRequest.html , archive at http://www.mail-archive.com/info-afs@transarc.com/ )
From: Derrick J Brashear
To: info-afs@transarc.com
Subject: OpenAFS lists, cvs to be available at openafs.org
As soon as the relevant DNS changes happen, lists devoted to openafs development will be available at openafs.org, and a cvs archive will also be available. A preview of the site is available at www-openafs.central.org.
The URL is http://www.humanscale.com/home.html . I recently visited the Boston office to try out the chair, and loved it; I ordered one for my house and got my employer to order one for work as well. A few interesting bits of information:
It's actually cheaper to order directly from Humanscale then from a reseler. The standard discount is like 30%.
The chair without the headrest but with the gel is about $750; with the headrest, it's about $950.
Several features set Gale apart from other instant messaging systems.
Gale is open source software.
The GPL ensures that you and others retain the freedom to modify
and distribute the Gale source code. Gale will never lock
into any one vendor's proprietary, closed system.
Gale is useful.
Gale isn't just about poking "private" messages to someone sitting at
another computer. Gale does support secure private messaging, but
Gale also has a well-developed infrastructure for public (and
semi-public) chat. Advanced categorization and filtering
features mean that you can precisely control your level of participation
and distraction. We've been at this for years, we've tried
everything else out there, and we have a lot of experience with the
usability of real-time messaging systems. The result of our experience
is something like IRC, something like Zephyr, and something like
commercial "instant messaging" systems, but with many features you
won't find in any of these.
Gale is secure.
Most other systems depend on the security of a
central bank of servers, and provide no protection against network
eavesdroppers. Gale uses strong cryptography for both privacy
and authentication, and is designed to work in an environment
of mutual distrust between users and administrators.
Gale scales.
Gale's architecture uses a loosely-connected set of servers
which locate each other via DNS only when they need to talk to each
other. Multicast is accomplished by the dynamic creation of self-healing
spanning trees of interconnected servers. The network is robust;
servers and clients detect and route around failure.
This means Gale is fast and stable.
Gale will not suffer the kind of performance and reliability problems
USENET, IRC, and centralized commercial message systems do.
Gale is here today.
Gale has been in active development for over three years. Both
clients and servers have been well tested by daily use in an active user
community. Both simple command-line and sophisticated graphical
clients are available, and there are platform solutions for the POSIX,
Microsoft Windows, and Java platforms.
I have a friend at MIT who swares by NAWM, a layer in addition to whatever window manager you run that can be set up to do all sorts of nice keyboard shortcuts. A Development Version and Stable Version are available. All the documentation is in the man page.
The Belkin OmniCube is a real piece of crap, esp. if you need to deal with Windows computers that need rebooting all the time, or ever need to remotely reboot a UNIX workstation. The reason they are so cheap, besides bad build quality, is that there is no (or at least very bad) keyboard emulation circuitry in the box. This means that you need to have the switch be on the box you are rebooting throughout the entire reboot process, or the box will freeze with "missing keyboard" errors. This may seem like an okay compromise, but over time it gets *really* annoying. An alternative that costs just slightly more but has had flawless keyboard emulation for me over the past few years is the Dakota Scout KVM Switch, available from http://www.dakota-euro.com/ . I have one for home and got my employer to get me one for my office, after religating an Omnicube that procurement thought "would be just as good" to the scrap heap.
Another good alternative, esp. if it's not you spending the money, are the Raritan (http://www.raritan.com) switches. I ordered an 8-port for a co-worker that has been fine, and there is a 16-port Raritan switch in a lab that is still working fine after about 6 years (it's so old it has a seperate box for the mice!).
Slashdot Mirror
What is the model of atheros (ath5k?) minipci cards you ordered?
I'd say one of the first questions you need to ask yourself (and your management and legal people) is what level of security you require for your data. After that read up on NFSv3 security; a good article is at http://www.usenix.org/publications/login/2005-02/p dfs/musings.pdf , which touches on most of the major problems. And yes, the situation really is that bad, and tools to exploit the numerous weaknesses are easily obtainable. NFSv3 "security" is a joke. Unless you use it purely as a back end system on a secured, private network between physically secure machines that only people who have access rights to all files on the server have access to, you will lose to any minimally skilled cracker or disgruntled employee (or if someone decides to write self-replicating malware that exploits NFSv3 weaknessess, which frankly I wish someone would do so management types could fully grok how exposed they are).
:-)
Once your company understands how unacceptable NFSv3 security is for any kind of situation involving company-confidential or legally-sensitive data, solutions like Network Appliance will start to look like they suck, because they do not support any decently secure protocol that the majority of Unix clients can use, nor will they unless the vendor feels like adding them (appliance model = big, useless / overpriced bricks if you change storage strategies). Only the very latest Unix versions support NFSv4 at all, and that support is universally not well documented, and in my experiance, esp. on GNU/Linux, somewhat buggy. Managing the differing permissions models between CIFS, NFSv3 and NFSv4 is also insanely complex, with lot of subtle problems that can leave you wide open.
There is exactly one non-kludgey widely used solution to this problem, and that is OpenAFS (http://www.openafs.org). Designed for security, proven over more than a decade in demanding environments (Morgan Stanley, MIT, CMU), same permissions model across platforms etc. If you'd like to talk to a vendor, Sine Nomine Associates (http://sinenomine.net/support/afs) is one of several that sell support contracts (the software itself is Open Source). The best vendor backup solution for OpenAFS is TiBS (http://www.teradactyl.com/Products/Afs.html), although roll-your-own is pretty easy as well. Note that if you don't want to touch the Windows desktops with OpenAFS client installs, Samba has excellent support for using OpenAFS as a back end (i.e. Windows clients accessing AFS-space via their native CIFS clients via Samba). There is also a NFSv3 translator service for if you happen to have any extremely odd or old Unix operating systems that aren't supported by OpenAFS or ARLA
(http://www.stacken.kth.se/project/arla/) clients. Another option in some cases would be to buy Sharity (http://www.obdev.at/products/sharity/index.html) licenses and access AFS-space via CIFS/Samba. To use OpenAFS you also need a Kerberos 5 KDC; for this you can use Active Directory, or MIT or Heimdal Kerberos 5, which are both free. For a cross-platform single signon solution, you can combine Samba, OpenLDAP and Heimdal; this requires experianced unix-y sys admins, but companies like Symas Corp., http://www.symas.com/ , will do it for you.
You mentioned DCE/DFS (which I've noticed several people have misinterpreted as Microsoft dfs, which has almost nothing in common with DCE/DFS). DCE/DFS is dead. It had little vendor uptake; IBM supplied clients for most platforms, and IBM stopped development and ended support quite a while ago. Management was a complete nightmare. There is no open source implementation. It's dead, Jim!
IBM has 2 major migration paths away from DCE/DFS (and IBM AFS, which is also end-of-lifed, although most of those customers just moved to OpenAFS). One is SANFS (http://www.redbooks.ibm.com/abstracts/SG247057.ht ml?Open), which is cool but appropriate to only a limited r
SQL Relay does this (site looks like it is down at the moment so I'm pointing to the google cache). It is a persistent database connection pooling, proxying and load balancing system for Unix and Linux supporting ODBC, Oracle, MySQL, mSQL, PostgreSQL, Sybase, MS SQL Server, IBM DB2, Interbase, Lago and SQLite with APIs for C, C++, Perl, Perl-DBD, Python, Python-DB, Zope, PHP, Ruby, Ruby-DBD and Java, command line clients, a GUI configuration tool and extensive documentation. The APIs support advanced database operations such as bind variables, multi-row fetches, client side result set caching and suspended transactions. It is ideal for speeding up database-driven web-based applications, accessing databases from unsupported platforms, migrating between databases, distributing access to replicated databases and throttling database access.
There is an open-source alternative to SMB: OpenAFS
From the website:
What is AFS?
AFS is a distributed filesystem product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation (now IBM Pittsburgh Labs). It offers a client-server architecture for file sharing, providing location independence, scalability and transparent migration capabilities for data.
What is OpenAFS?
IBM branched the source of the AFS product, and made a copy of the source available for community development and maintenance. They called the release OpenAFS.
http://www.humanscale.com/products/keyboard_suppor ts/keyboard_platforms_index.html
I think they are about $150. They have different models for different situations: corner desk, handedness, etc.
This was posted to info-afs recently (subscritpion information at http://www.transarc.ibm.com/Support/common/mailing ListRequest.html , archive at http://www.mail-archive.com/info-afs@transarc.com/ )
From: Derrick J Brashear
To: info-afs@transarc.com
Subject: OpenAFS lists, cvs to be available at openafs.org
As soon as the relevant DNS changes happen, lists devoted to openafs development will be available at openafs.org, and a cvs archive will also be available. A preview of the site is available at www-openafs.central.org.
-D
http://www.wired.com/wired/a rch ive/8.07/chairs.html
The URL is http://www.humanscale.com/home.html . I recently visited the Boston office to try out the chair, and loved it; I ordered one for my house and got my employer to order one for work as well. A few interesting bits of information:
It's actually cheaper to order directly from Humanscale then from a reseler. The standard discount is like 30%.
The chair without the headrest but with the gel is about $750; with the headrest, it's about $950.
Gale is instant messaging software distributed under the terms of the GNU General Public License.
Several features set Gale apart from other instant messaging systems.
Gale is open source software. The GPL ensures that you and others retain the freedom to modify and distribute the Gale source code. Gale will never lock into any one vendor's proprietary, closed system.Gale is useful. Gale isn't just about poking "private" messages to someone sitting at another computer. Gale does support secure private messaging, but Gale also has a well-developed infrastructure for public (and semi-public) chat.
Advanced categorization and filtering features mean that you can precisely control your level of participation and distraction. We've been at this for years, we've tried everything else out there, and we have a lot of experience with the usability of real-time messaging systems. The result of our experience is something like IRC, something like Zephyr, and something like commercial "instant messaging" systems, but with many features you won't find in any of these.
Gale is secure. Most other systems depend on the security of a central bank of servers, and provide no protection against network eavesdroppers.
Gale uses strong cryptography for both privacy and authentication, and is designed to work in an environment of mutual distrust between users and administrators.
Gale scales. Gale's architecture uses a loosely-connected set of servers which locate each other via DNS only when they need to talk to each other. Multicast is accomplished by the dynamic creation of self-healing spanning trees of interconnected servers. The network is robust; servers and clients detect and route around failure. This means Gale is fast and stable. Gale will not suffer the kind of performance and reliability problems USENET, IRC, and centralized commercial message systems do.
Gale is here today. Gale has been in active development for over three years. Both clients and servers have been well tested by daily use in an active user community. Both simple command-line and sophisticated graphical clients are available, and there are platform solutions for the POSIX, Microsoft Windows, and Java platforms.
I have a friend at MIT who swares by NAWM, a layer in addition to whatever window manager you run that can be set up to do all sorts of nice keyboard shortcuts. A Development Version and Stable Version are available. All the documentation is in the man page.
The Belkin OmniCube is a real piece of crap, esp. if you need to deal with Windows computers that need rebooting all the time, or ever need to remotely reboot a UNIX workstation. The reason they are so cheap, besides bad build quality, is that there is no (or at least very bad) keyboard emulation circuitry in the box. This means that you need to have the switch be on the box you are rebooting throughout the entire reboot process, or the box will freeze with "missing keyboard" errors. This may seem like an okay compromise, but over time it gets *really* annoying. An alternative that costs just slightly more but has had flawless keyboard emulation for me over the past few years is the Dakota Scout KVM Switch, available from http://www.dakota-euro.com/ . I have one for home and got my employer to get me one for my office, after religating an Omnicube that procurement thought "would be just as good" to the scrap heap.
Another good alternative, esp. if it's not you spending the money, are the Raritan (http://www.raritan.com) switches. I ordered an 8-port for a co-worker that has been fine, and there is a 16-port Raritan switch in a lab that is still working fine after about 6 years (it's so old it has a seperate box for the mice!).