From: William A. <waa...@re...> - 2005-12-08 21:03:48
Kris Deugau wrote:
> William Arlofski wrote:
>
>> That server is slated for an upgrade (the whole thing, not just Samba
>> - it is a RH 6.2 server)
>
> *wince* *shiver* I sincerely hope this machine is NOT directly
> Internet-connected.

Of course not, silly. It is a SAMBA server. :)

>> but it is difficult trying to coordinate a "good
>> time" (tm) with the client to take their main server offline.
>
> Tell them that this is a security-critical change, and the sooner it's
> done the better. Been there, done that...

Fortunately, they are very good about understanding and taking heed when it comes to this type of stuff. I think this one is more my fault because I am not looking forward to the large amount of work it is going to take to upgrade this particular system. It provides several other services on top of Samba file/print services.

> You have likely spent far more time maintaining software updates and
> building custom backported versions of software for RH6.2 than it would
> take to set up a new machine.

Not really, because long ago (RH 6.2 era) when building systems I would lock things down pretty good, turn off EVERYTHING that didn't need to be on, and even remove the tons of unnecessary RPMs that were installed by default. I'd also install an iptables script so that only the required ports were even exposed - and only to machines or subnets that required the service.

Next, all the important software on this server was built from source (kernel, samba, apache, openssh, openssl, proftpd and certain library dependencies etc) so that upgrades of critical components have generally been a simple download, configure, recompile, install, service restart for the affected daemon. That was probably the only thing that helped me to keep my sanity.

> I recently had a glimpse of some of the
> potential headaches in doing this when I set up a RH6.1 box in an
> attempt to build some software that requires a third-party library which
> is only available to me (currently) as a compiled object file. I
> discovered that RH6.1 didn't seem to have SSH... and started trying to
> backport the openssh package from RH7. It wasn't fun.

No kidding. I have played that game a bit on some systems so I know your pain.

Lately I have been deploying Gentoo boxes and have not looked back. It gives me the best of both worlds (IMHO) - ease of use/upgrading, and building from source.

Cheers!

- Bill Arlofski
Reverse Polarity
waa...@re...