Minutes Waterloo Polaris Advisory Group November 15, 2000

Attendees:

Nevil Bromley, Arts
Tim Farrell, Information System and Technology (IST)
Bruce Campbell, Engineering Computing
Ray White, IST (Chair)
Erick Engelke, Engineering Computing
Jim Johnston, MFCF
Dennis Herman, ESAG Representative
Stephen Sempson, Science (Secretary)

Regrets:

Daniel Delattre, Applied Health Science (AHS)
Trevor Bain, Environmental Studies
Hon Tam, Engineering Computing

Submitted items:

Q: (Bruce) FreeBSD security issues.
A: (Bruce) Engineering is doing almost nothing so far with respect to development of this OS. Applying the latest patches to lock down AppFilers so they do not talk to the rest of the world is recommended. The thing is to stay where you are, keep putting patches on, and keep the version you are running secure.

(Ray) There are two minor issues with icons on the AppFiler. If you make an icon from the AppFiler, Windows puts in the UNC name. This is a potential problem if you take down your faculty AppFiler and the UNC name points to that downed server. If the icon is without the UNC name, the first time it is used Windows will put in the UNC name. There is a -s ("stupid") option on a Microsoft utility called 'shortcut'.

Q: (Bruce) Moving the last 2 authentication masters to Solaris.
A: (Bruce) We would like to see Arts and Science move their authentication servers off a FreeBSD machine and on to a Solaris machine. This term would be nice. A good buy would be an Ultra 5. The reason for this is to integrate passwords with Windows 2000 and PAM modules. It is not favourable to also develop on another OS like FreeBSD, as this would only hinder/delay developments on a Solaris platform.

Q: (Bruce) Ensuring all unix auth clients are pam capable.
A: (Bruce) This is really only a problem in Science. Sciborg is a Solaris system and could be the authentication master with PAM. Pat Matlock may have to be asked to retro-fix (ftp, telnet, pop, etc.) and might be able to get away with this, since the OS is older. Ideally OS 7 or 8 on Sciborg would be good.

(Dennis) What is all of this for ?
(Bruce)  To integrate the existing Faculty authentication servers into a Windows 2000 Active Directory, we want to seed the AD with the existing passwords. I'm developing a PAM module to do this.

(Dennis) Are you going to use LDAP to authenticate to the AD ?
(Bruce)  I think we will start with RADIUS, since it is so easy, and we understand it fully. Windows 2000 comes with a good RADIUS server. Later, we will look for a PAM module that can authenticate using native Windows 2000 methods.

Q: (Bruce) What's next for Waterloo Polaris 95 systems that are not 2000 capable? (and when).
A: (Bruce) Engineering has been setting up a Win2K lab, but a lot of machines in Polaris labs are not Win2K ready. The question is what to do with these machines. Engineering sees four possible choices:

1. Do nothing, and use Win95 for as long as is possible.
2. Use as a thin client and run something like Hydra.
3. Use Linux, which works on lower grade hardware and can do email and browsing.
4. Put in more docking stations and let the students bring in their own machines.

(Dennis) Is anyone using K6's and memory only for their upgrades?
(Ray) There is a definite point at which it is cheaper to replace the box. RAM and hard drives are more critical to upgrade when you consider the dollars involved.
(Bruce) Every faculty will have to decide on the hardware needs and the prices to pay.
(Tim) The only thing about Linux and docking stations is the amount of software that students will need, software lock down, etc.
(Bruce) Engineering's perception is that a lot of students tend to just browse and email. Only a few have needs for the specialty software. One could minimize the costs by having general browsing/email labs, and some labs with the specialty software.
(Erick) Math is running terminal services and is finding it useful.
(Jim) Roughly 1400 logins per week, with 500 applications per day running (of course some of this is IE). In Math, we have some software that we do not want on Polaris. We are looking at two more systems to run more applications and improve efficiency. Currently there are four 2-processor machines that are moderately running. We currently have some software which is not running on Polaris, but we were wondering if we could have Win2000 run (with Hydra) in Polaris2000. We can run this directly from NCDs now. Some of our older NCDs are able to successfully run this too.
(Dennis) Isn't there a web browser based terminal services client available?
(Jim) Yes, but it is really slow.
(Ray) I believe the only browser it supports is IE.
(Jim) As far as I understand, there is a W95 client.
(Nevil) We have one on an Arts application now, and looking at further implementation.
(Erick) Be careful getting involved with software which is rapidly changing/updating video output. You may not want to get into something like that.
(Jim) There are still some differences between Win2000 and Server in terminal server; as NT moves up this way, Clayton is not too happy.
(Bruce) You must ask if all this is cost effective compared to putting in new motherboards, etc.
(Erick) One of the good things is both products share the code running, so if there are 5 instances of Word running, there is only one copy running in memory.


Information items:

(Dennis) I was wondering if anyone is moving towards Extreme for switches?
(Bruce)  We are finding that they are approximately the same in price, although their entire product line offers hardware based routing, which is extremely fast. Their high end products are less expensive than comparable products from Cisco.

(Jim) Some of us are interested in having MathCAD2000 running.
(Ray) It is there on the Q: drive, but an icon may not be showing. At the end of the term I will be making sure the icon does show. As a note, MathCAD2000 is MathCAD9.

(Jim) Does the quota tool work?
(Bruce) Yes, with updates of the displayed usage every 60 seconds when shown on the desktop.
(Jim) I have seen on logout with our people that files are lost; is there a tool like this on Solaris?
(Bruce) Yes, the program is some 20 lines of code, it works well and could be modified for ident.

(Dennis) Did your talk earlier about security in FreeBSD mention the break in that occured last week in Engineering?
(Bruce) The server went down with some dummy code which crashed the machine. This code was supposed to give root access to the server. The OS version was 7, which had been updated and patched two days earlier. This bug has gone out to Solaris. We caught the fellow who broke in to prove he could do it. We may not have caught him if he had not confessed.

(Dennis) Last ESAG was about up-to-date DNS.
(Bruce) Engineering wants to keep it up-to-date. This should be done unilaterally in Engineering.
(Dennis) Were the two fields to update Contact and Admin?
(Bruce) Yes, this is what we would want.

(Ray) The Stages virus (a worm-type virus) which is a VB type is not detected by Norton AntiVirus and seems to bypass the Polaris locked drive. This was found only by happening to see it on the E: drive (a registry key is also added). Tonight this will be fixed with Sysctl. You will receive email tomorrow if Sysctl detects the virus in your Faculty's computers.
(Tim) What is the status of Norton AntiVirus?
(Ray) The program is now on E: drive. On some machines it runs fine, on others the program makes the machine crawl. I suggest enabling for staff and seeing if performance is radically different.
(Dennis) We have done some tests with the options. Instead of selecting 'all files', try just 'new files'.
(Tim) What if you edit a file, does Norton AntiVirus check?
(Ray) Because of slowness problems we should test the Faculty and Staff machines before enabling it for those users.
(Dennis) I have seen problems reading CD's with NAV runtime.
(Ray) Related to this, Martin has noted that some F: and G: drives are not being scanned. We should look at developing an environment variable to allow scanning local disks past the E: drive.

(Nevil) As for the NetApp and the 32K stub accounts, does this sometimes create generic problems like slow logins or hanging logins?
(Bruce) I have seen the files on the 32K stub accounts, but not these problems.
(Erick) The files being copied to the 32K account happens at logout.
(Bruce) One could test this out by modifying the 'userfiler' to log into an alternate server like Engfile instead of Scifile.
(Ray) I have now (Nov. 16) changed _sysctl95 to make sure all the correct flags are on the workstations, just in case the writing was related to incorrect flag settings.



Created by: sempson@sciborg.uwaterloo.ca 2000/11/22
Revised by: sempson@sciborg.uwaterloo.ca 2000/11/23