Open Source Training/Teaching as Advocacy?
dsavitsk asks: "I am a part owner and I.T. manager of a small company. I spend most of my time writing in-house software in Python and VB, and administering the various systems we use. (Our current setup is a Win2k Server, a few win2k clients, a FreeBSD gateway, and a few other things.) I am also in law school, so my time is very short. In general, whenever I can, I will use an open source program over a closed one (hence, most of our software is now Python powered). One of the perks of my job is that I have an open budget and mandate to learn as much as I can about new technology we might use. (I've bought $1200.00 in O'Reilly books in the last year alone!) So, the question. I simply don't have time to learn everything I need to know, and to configure lots of open source projects that don't have a pile of books or decent documentation written about them. I found, in fact, that not knowing anything, it was much easier to set up a Windows domain than a Samba server. We also don't have the money to hire a full time sysadmin. What we would like is to hire a consultant for open source software who would not only come in to install and configure something, but who would also teach me the hows and whys so that I could then pick up where they left off. Clearly, we are not looking for free help, and would be happy to pay market rate for the work. In short, we are looking for people who would advocate for open source not just by producing it and consulting about it, but by administering it and teaching at the same time. So, where would I find such a someone?"
Try it the other way around! (Score:3, Informative)
My first guess would be to call your local LUG and check local web bulletin boards for guys that do this kind of stuff.
One (Score:1)
a good place to start.
Find them? (Score:2, Funny)
AUTHORS.TXT (Score:3, Informative)
One of the wonders of Free software is that you can deal with the actual authors of the software you're using. Not everyone will be likely to help you out, but you might get some good suggestions on who *can* help you. Of course, physical proximity is helpful for setting some things up on your machine, but many packages can be installed and configured remotely, and email takes the pain of asynchronous communication away nicely.
Give us some contact info for chrissake! (Score:4, Informative)
Re:Give us some contact info for chrissake! (Score:4, Informative)
You need to think about what you are doing (Score:5, Insightful)
If you want to run a Windows domain -- use windows. While you *CAN* use samba, is it worth your time (which is in very limited supply if I read your post correctly) and your money to set up a custom, "free" solution to everything?
What do you do when Windows XP ServicePack 8 stops interacting with your Samba DC?? Do you stop studying for the bar, drop your management duties to figure out how to fix it? Do you have enough money lying around to pay an expert to fix it?
At work I try to stick with things that everyone is familiar with that also happen to work.
Use the best, simplest solution you can afford. If you want a Windows Domain, buy a server from Dell for $2000 with a W2k Server licence. You spend about 4 hours setting it up with resources available readily online.
If you go with a samba solution, you buy a server for $1200, and buy 16 hours of consulting time, while losing 8 hours of your time learning how to use it.
free doesn't always mean free.
Re:You need to think about what you are doing (Score:5, Insightful)
Moreover, wouldn't these guys [afr.com] be apt to find a fix to the "XP Service Pack 8" breakage for you? Open source doesn't always mean "fix it yourself", you know.
Of particular interest (apologies for the redundancy);
Re:You need to think about what you are doing (Score:1, Flamebait)
You are correct that open-source doesn't mean fix it yourself -- but open source isn't an IT nirvana either.
Let's assume one day this guy's company grows and he hires a sys admin, or a programmer who wears a sys admin hat. The original poster is an attorney now and is busy running his company.
Who in the hell has the time to do routine IT crap, and figure out all sorts of bizarre configurations. If you stick to standard configurations you'll be able to find people to run/fix/upgrade/maintain them. Unless you are a huge organization with lots of technical expertise, don't customize for the sake of doing it or to save $500.
This leads to another thought: If you don't want to run non-free software -- don't use Windows! If you want to adhere to open standards -- don't use a proprietary directory scheme! If you want a free user directory -- don't use a domain!
Re:You need to think about what you are doing (Score:2)
With about ten hours' worth of labour, I can install and configure a Linux server to replicate the majority of the functionality of a Win2k domain controller running Exchange. That means approximately a 90% savings on the cost of getting the server up and running - assuming the O.P. performs the Windows install/config himself.
He didn't say he wanted to avoid using non-free software altogether, only that he's interested in using OSS for his company servers. After having administered an NT4 domain (~1300 users), and with the few Win2k domains I'm presently responsible for, I can perfectly understand why he'd want to use a UNIX/Linux based approach.
Re:You need to think about what you are doing (Score:2)
I'm asking a serious question, because I don't know how easy it is to support NFS on Windows desktops. How much is all the MS naming service crap worth? Why not use and promote the open alternatives from the top down. TCP/IP, DNS, NFS, SMTP, ???.
If this sort of thing was provided as a turnkey package that a guy like this could use, it would give us another very credible example to point to. Sort of a Lindows Server, to steal the name but not the business model.
This should protect him from the service pack that breaks everything a lot more than using emulated MS protocols.
Re:You need to think about what you are doing (Score:2)
That's what led me to use SMB -- samba works very well and I already paid for the client when I bought windows!
That being said, I don't think anything offers what the Windows 2000 domain model does. You get Dynamic DNS and authentication for both clients and machines that also allow you to place ACLs on filesystem objects.
I'd say the closest thing to this in the Unix world would be LDAP on an SGI or Linux box with the XFS filesystem and bind 9 (supports DDNS, right?). That would require a lot of hacking just to get what Windows gives you out of the box.
Open WINS and SMB? (Score:2)
So what is the response of the Open/Free Source community to all of this? A Samba client on Windows might outperform the original code. The recent interview with Tresh made that clear. How hard would it be to make a replacement client? I know it won't be long before Palladium and related projects from MS make this even harder, but since when has that stopped anyone.
And what about an open replacement for their domain model? We went around this by using a MS domain controller with Samba servers. This was worthwhile because we needed both NFS and SMB from the same file systems. Even so there were some hoops to jump through.
Re:Open WINS and SMB? (Score:2)
To shoehorn that sort of model on Unix would be difficult -- to do so on Linux would be impossible. The "Trusted" Unix OS's hit the nail on the head from a filesystem point-of-view, but except for DCE (which is a nightmare) makes no allowance for networked users.
I think the next evolutionary step for this sort of thing is a "Trusted-AFS on crack" which would create a universal, virtual filesystem namespace instead of local filesystems and a universally available LDAP or other database. If you have used Tivoli Enterprise software, think of it as having Framework (except it works well) mixed with the AFS network filesystem.
good points... (Score:2)
I remember when I think it was SP4(?) for NT4 did this. It forced the SMB client to not send unencrypted passwords across the network. There was quite a large amount of dismay on the samba usenet groups.
Short term there was a fix to change a registry setting in Windows. Long term there was a fix to Samba to make it support encrypted passwords. What amazed me was the number of people who took the short term fix, and in fact are still promoting this as a legitimate option.
Sometimes I wonder if people really think through the full consequences of their decisions.
Re:good points... (Score:3, Informative)
Not really... (Score:2)
Most LANs are physically secured already to prevent sniffing by way of switched ethernet secured in a closet. The SMB password issue had more to do with social engineering someone to connect to your "server", which would then cause the authentication packet to be sent in the clear, than it did with network sniffing.
IPsec or SSL are not great solutions unless you utilize them to prevent access to corporate LAN ports, because otherwise they are fairly non-discriminating on who they will set up a secure channel with. You can control this with ipsec, but there is quite a lot of overhead resulting from this solution both from computer resources and process management overhead, such that it is really only viable in paranoid installations.
So while the SMB encrypted password thing was not a great solution, it was an appropriate short term solution for the existing client base. A better long term solution was to move away from the password hashes completely and towards Kerberos PKI for authentication, which is what happened with the advent of Windows 2000.
Re:Not really... (Score:3, Insightful)
I completely fail to be impressed with the importance of a security fix whose primary function is to turn the "convince a user to connect to an external SMB server, then sniff their password" attack into the "convince a user to connect to an external SMB server, then sniff and crack their password" attack. Users, in the main, have terrible passwords. Giving away a hash is little better than giving away the password.
Kerberos provides some sort of authentication infrastructure, but it sure wasn't Public Key Infrastructure last I checked, but rather pre-shared keys for DES (in the case of K4) and other symmetric cyphers (with K5). SSL and IPSec, on the other hand, do work quite nicely with public keys, even if most people don't seem to want to bother using client certificates or even verifying server certificates.
I replied to a comment that said, in essence, "it's not Microsoft that's lame for breaking Samba compatibility, it's Samba that's lame for not keeping up with Microsoft's l33t security updates" by saying, in essence, "Microsoft's security update is not so l33t and has the added effect of breaking stuff, so Microsoft is lame after all". You have failed to explain how this is off topic or, for that matter, wrong.
A low UID is not a license to be rude, and snide comments are especially out of place when they are misinformed. I suggest a calmative, followed by a period of quiet reflection.
Re:Not really... (Score:1, Flamebait)
I suggest a laxative.
Reread what I wrote, understand the issues and quit trying to play Mr.
Re:Not really... (Score:1)
"If you don't have anything to say, say it in a condescending tone." I'd be happy to continue the conversation about practical system administration as soon as you're ready to rejoin it. Since I had the last post with actual content, it's up to you now. I won't bother to reply to any more personal attacks from you.
Re:You need to think about what you are doing (Score:3, Insightful)
Once it's set up, you'll never think about it again. Good luck achieving that sort of stability on Windows.
Don't get confused. You can't estimate the initial setup costs on Linux and then tack on the usual maintenance costs on Windows. For the most part, it's one or the other, and, in my experience, I'll take the larger up-front investment over the weekly hassle any day.
GNU Service Directory! (Score:1)
"The GNU Service Directory (58k characters) [fsf.org] is a list of people who offer support and other consulting services."
I've bought $1200.00 in O'Reilly books... (Score:1)
Re:I've bought $1200.00 in O'Reilly books... (Score:1)
That $1200 is $1200 lost profit, part of which may have gone to him as cash. Basically, he paid for the books himself.
Actually (Score:1)
I'd bet that there are a lot of people who would rather pay someone to come in and train some of their IT staff than give that money to Micro$oft.
holy crap! (Score:1)
Looking for a Sysadmin? Well I'm your man.