Samba Daemon dying

Warren Togami warren at togami.com
Thu Jul 26 04:22:37 PDT 2001


Please try Squirrel Mail.  I truly believe it has major benefits over
SqWebMail, and it would be a very attractive feature for OBS.   Installation
should be very easy too, as long as you have IMAP working properly.

Reiserfs can be a very powerful addition if you include a stable release with
your product.  It may save many trouble calls where fsck refuses to fix
problems on boot-up and insists on going into interactive mode (although
this can be forced in your settings, and I don't know how safe this is.)
Red Hat would have officially supported Reiserfs in 7.1, except it wasn't
stable until too late in their quality assurance testing period.

--

The scalable replication system sounds intriguing.  What type of things did
you have in mind for this?
Something that I have always wanted to build was a centralized
authentication system for all services: Samba domain, Netatalk domain, SSH
logins, POP, IMAP, Webmail, Linux workstation and Linux thin client logins.
Of course this would have to run on several different servers.  Normal NIS
would do this fine if we were talking only Unix networking, but integrating
Samba into this mix can seriously complicate matters.

If my understanding of Samba domain controllers is correct, you cannot
authenticate Samba connections off /etc/shadow if you use encrypted password
transmissions for your Windows clients.  Of course passwords MUST be
encrypted between the client and servers, so disabling encryption is not an
option.  Samba must then maintain its own username/password database because
of the nature of encryption used for client/server transmission (some one
way hash that can't be reversed, then MD5'ed for authentication off
/etc/shadow).  I don't understand exactly why, but if your Samba passwd file
is ever compromised, the cracker suddenly has access to all those accounts
stored within.

Is this some kind of retarded security with two way hash stored passwords
like MySQL?  If so, this is horrible...

If I understand Winbind and the two different samba_pam modules correctly,
they would allow all Unix services to authenticate off a Samba (or Windows
NT) domain controller.  This is clearly not an acceptable option.

So anyway, the usual solution is to make the only password changing
mechanism set the password for both /etc/shadow and Samba.  This is an ugly
kludge, and presents severe problems especially in replication consistency,
and password changing methods for /sbin/passwd and Netatalk.

----

Another thing that I have always wanted to write were web based or GUI tools
to make the job of administering an all-encompassing Open Source server
system easier.  It is simply a fact that GUI tools must exist to aid in the
transition, and reduce the fear of new prospective Linux users and system
administrators.  With some help from my friend, I began to write these tools
from scratch in PHP starting with a pretty good DHCP server configurator
that mostly works at the moment, though I realized there are several
existing systems that already do many of these jobs that I described.

Webmin and Linuxconf are both generalized abstracted module based
configuration systems with web based interfaces.  Especially on the
Linuxconf side, many people don't realize that many great server
administration tools have been written for Webmin and Linuxconf in the form
of installable modules.  Webmin looks to be more flexible, user friendly and
security conscious, so you may consider writing Webmin modules for
configurators of OBS.  The only drawback of Webmin or Linuxconf is the lack
of seamless centralized control that a system administrator would expect if
they are using replication, because it would be a security risk to
needlessly run Webmin on every server.

The Ganymede project solves all of these problems and more.  It does one
sort of replication, user account management, and service configuration all
in one friendly and flexible interface.  You can even delegate
different administration rights to different users in their access control
lists.  I HIGHLY suggest checking out Ganymede.  The main drawback of
Ganymede is the EXTREME difficulty in setup.  That's where you could make a
killing with OBS, with a preconfigured Ganymede system tailored for your
product.

Ganymede Home Page
http://www.arlut.utexas.edu/gash2/

----- Original Message -----
From: "Ho'ala Greevy" <hoala at secretbonus.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Wednesday, July 25, 2001 1:30 PM
Subject: [luau] Re: Samba Daemon dying


> yes, a basic install of qmail with a few added bonuses to run on top of it.
> was planning to use courier-imap and qmail-pop3d on the internal network
> only and offer webmail as the only means of remote access.  i'm open to
> suggestions though.
>
> haven't considered reiserfs yet.
>
> a scalable replication system is an issue for the open business server
> right now.  i'm in the midst of composing a perl script that'll do the
> dirty work, but like Larry Wall likes to say, "there's more than one way
> to do it."  so i'm open to suggestions.  which brings me to
> the realization that if the OBS is going to truly evolutionize the way
> people in Hawai'i exchange information, the project itself needs to go the
> open source route as well (config files, shortcuts, custom utilities,
> etc).  Hmmm... an open source systems integration project, sounds fun eh?
>
> who said we had to follow?
>
> -hg
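
The trade-off raised in the message above (a challenge-response login cannot be checked against /etc/shadow, and the separate Samba password file is sensitive), as an added example that is not part of the original e-mail. It is a simplified model: SHA-256, HMAC and PBKDF2 stand in for the real algorithms, and every function name is hypothetical.

```python
import hashlib
import hmac
import os

# Simplified model: SHA-256, HMAC and PBKDF2 are stand-ins chosen for this
# sketch, not the algorithms Samba or /etc/shadow actually use.

def shadow_entry(password: str, salt: bytes) -> bytes:
    """Unix-style record: salted, iterated one-way hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def shadow_login(submitted: str, salt: bytes, stored: bytes) -> bool:
    """The server receives the password itself and re-hashes it."""
    return hmac.compare_digest(shadow_entry(submitted, salt), stored)

def cr_verifier(password: str) -> bytes:
    """Challenge-response record: unsalted hash the client can also derive."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def cr_response(verifier: bytes, challenge: bytes) -> bytes:
    """Client proves it holds the verifier; the password never crosses the wire."""
    return hmac.new(verifier, challenge, hashlib.sha256).digest()

def cr_server_check(stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the response from its stored record and compares."""
    return hmac.compare_digest(cr_response(stored, challenge), response)

def compare_stores(password: str = "constructed-sample-pw") -> dict:
    salt, challenge = os.urandom(16), os.urandom(8)
    shadow, smb = shadow_entry(password, salt), cr_verifier(password)
    response = cr_response(cr_verifier(password), challenge)  # honest client
    return {
        # The challenge-response database can verify the client.
        "cr_db_verifies_client": cr_server_check(smb, challenge, response),
        # The shadow hash is a different value, so it cannot stand in as the key.
        "shadow_db_verifies_client": cr_server_check(shadow, challenge, response),
        # The stored record alone yields a valid response: it is password-equivalent,
        # so the file needs the same protection as a list of plaintext passwords.
        "cr_record_is_password_equivalent": cr_server_check(
            smb, challenge, cr_response(smb, challenge)),
        # Submitting a leaked shadow hash as the password fails; it gets re-hashed.
        "shadow_record_is_password_equivalent": shadow_login(shadow.hex(), salt, shadow),
    }

if __name__ == "__main__":
    for name, value in compare_stores().items():
        print(f"{name}: {value}")
```

The two stores cannot be converted into each other without the cleartext password, which is why a password change has to update both at the moment the cleartext is available.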


