Re: RedHat 9 ISO image mirrors in Israel?

2003-06-03 Thread Guy Teverovsky
On Mon, 2003-06-02 at 11:51, Beni Cherniavsky wrote:
> > Beni Cherniavsky wrote:

> Doron Ofek wrote on 2003-06-02:
> > ftp://mirror.israel.net
> > http://mirror.israel.net
> 
> I've seen it.  Fast but doesn't carry the ISO images, only individual
> files.  I wonder why doesn't RedHat (and all others) use jigdo...  Or
> just loopback mount the served ISO image to also serve the individual
> files requests ;).

http://mirror.israel.net/pub/redhat/linux/9/en/iso/i386/
ftp://mirror.israel.net/pub/redhat/linux/9/en/iso/i386/

Guy


=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]



Re: First beta of Samba 3.0.0 available for download

2003-06-09 Thread Guy Teverovsky
Hi,

I've been running 3.0alpha2x for quite a while.
It successfully authenticates against ADS (Kerberos) without any need for
defining local users or mappings.
The Hebrew works out of the box and files/directories created in Windows
show up correctly under KDE.

My impression is that there is also a significant boost in the transfer
rates, not that I bothered to perform any benchmarking.

Guy

On Sun, 2003-06-08 at 02:43, Ilya Konstantinov wrote:
> On Sunday 08 June 2003 05:31, nadav mavor wrote:
> > The Samba Team is proud to announce the availability of the
> > first beta release of the Samba 3.0.0 code base.  While
> > we are significantly closer to the final release, I will
> > remind you that this is a non-production release provided for
> > testing only.
> 
> 2)  Unicode support. Samba will now negotiate UNICODE on the wire and
> internally there is now a much better infrastructure for multi-byte
> and UNICODE character sets.
> 
> At last, a version which has sensible UTF-8 support. Whoever uses SAMBA, 
> please test it.
> 



Re: [OT] A note about internet zahav customer care.

2003-06-16 Thread Guy Teverovsky
On Mon, 2003-06-16 at 17:17, Mix Sella wrote:
> On Monday 16 June 2003 03:45, Stiven Andre wrote:
> > May be the post is OT but some weeks ago i wrote a latter about problems
> > connecting to rh8 httpd server that was connected by
> > internet zahav ADSL service. The problem was that some people simply
[snip]
> >
> 
> You are correct. The morons use a misconfigured transparent proxy (something 
> they've been scolded for repeatedly), which [I believe] [in this particular 
> case] is also on very unfriendly terms with the closest DNS server. Been 
> there, done that. IMO netvision is less half-assed than the rest. Lately 
> though it looks like the entire Israeli 'net is having issues.
> 

I have a cable connection to Actcom and never had problems running a
website. Their transparent proxy does not cache inter-Israeli traffic.

Personally, I have not heard complaints about the Internet Zahav transparent
proxy. I would try to double check the DNS sync issue.

Have you been tracerouting by IP or FQDN ?

Ask the users to telnet to your IP on port 80; it will give you an
indication whether you are talking to the proxy or the real web server (look at
the HTTP headers).

Regs,
Guy

> 
> > Best Regards.
> > S.A.
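An added example, not part of the thread: the header check Guy suggests, done in Python instead of by hand with telnet. The two sample responses are constructed for the example, the proxy name cache1.isp.example is made up, and the live fetch helper is simply what `telnet <ip> 80` followed by a typed `HEAD` request does by hand.

```python
"""Tell a transparent proxy from the origin web server by inspecting the raw
HTTP response. Added example; constructed samples, no real hosts."""
import socket

# Headers that only an intermediary adds. A response straight from the
# origin server normally carries none of them. (Absence is not proof of
# absence: a well-hidden proxy strips them.)
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "proxy-connection",
                 "x-forwarded-for", "x-squid-error")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, {header_name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def proxy_indicators(raw):
    """Return the proxy-only headers present, in PROXY_HEADERS order."""
    _status, headers = parse_response(raw)
    return [h for h in PROXY_HEADERS if h in headers]


def fetch_raw_headers(ip, port=80, host=None, timeout=5.0):
    """What 'telnet <ip> 80' does by hand: connect by IP (so DNS is out of
    the picture), send one HEAD request with the Host header the virtual
    host expects, and return the raw response. Needs network access."""
    request = ("HEAD / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % (host or ip)).encode()
    chunks = []
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not captured from any real host).
DIRECT = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Mon, 16 Jun 2003 15:20:01 GMT\r\n"
          b"Server: Apache/2.0.40 (Red Hat Linux)\r\n"
          b"Connection: close\r\n"
          b"Content-Type: text/html\r\n\r\n")

VIA_PROXY = (b"HTTP/1.0 200 OK\r\n"
             b"Date: Mon, 16 Jun 2003 15:20:01 GMT\r\n"
             b"Server: Apache/2.0.40 (Red Hat Linux)\r\n"
             b"Content-Type: text/html\r\n"
             b"X-Cache: MISS from cache1.isp.example\r\n"
             b"Via: 1.0 cache1.isp.example:3128 (squid/2.5.STABLE3)\r\n"
             b"Proxy-Connection: close\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("via proxy", VIA_PROXY)):
        print(name, "->", proxy_indicators(sample) or "no proxy headers")
```

Note that the Server header is the same in both samples: the origin's own headers pass through, so a Via or X-Cache line is what gives the intermediary away, not the absence of Apache. Connecting by IP also sidesteps the DNS question raised earlier in the thread.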



Re: PPPoE on Linux - timeout waiting for PADO/PADS packets

2003-06-16 Thread Guy Teverovsky
There is a small button (about the size of a pinhead) at the back of the
modem.
Use it to reset the modem to factory defaults. Reboot the modem
(disconnect/connect the power) and let it sync. After that it should work
with PPTP.

Guy

On Mon, 2003-06-16 at 09:26, [EMAIL PROTECTED] wrote:
> Hello,
> 
> I've followed the instructions of enabling PPPoE on Linux
> as described at http://www.isoc.org.il/~doron/PPPoE.html
> and it worked at first but now after a reboot it stopped.
> 
> I get multiple messages like "Timeout waiting for PADO packets"
> and some "Timeout waiting for PADS packets". I tried configuraing
> the modem back to the PPTP setup but the old PPTP doesn't work either
> (gives same messages, but much less of them).
> 
> The modem is an ethernet SpeedTouch Home, debian unstable. ISP
> is actcom. Kernel is 2.4.20 with mppe and preemptive patches.
> 
> I googled for the error message but it looks like people mostly
> suspect the line or the ISP, not the setup. Also the PPTP broke
> so I don't know where to proceed.
> 
> Any hints anyone?
> 
> Thanks,
> 
> --Amos
> 



Re: traceroute and network timeouts to/from israel?

2003-06-16 Thread Guy Teverovsky
It looks like BezeqInt have one of their international lines way
overloaded. There was an extensive discussion at Tapuz's broadband forum
regarding the issue [1].

Take a look at your IP. BezeqInt, as far as I recall, have 2 IP pools:
212.X.Y.Z and 81.X.Y.Z.
If the user's IP is from the second pool, chances are that they will
suffer from slow response times accessing resources abroad.

Several people tried to talk to their support, but got no comprehensive
answer. In your place I'd switch to an ISP that does care about its
customers.

[1] Warning: flash bloated site !
http://www.tapuz.co.il/tapuzforum/main/Viewmsg.asp?id=20&msgid=16532720


Guy


On Mon, 2003-06-16 at 12:32, Yasha Harari wrote:
> shalom :)
> 
> i use bezeqint.net to connect to the net, using their little blue samsung
> ethernet adsl modem... attached to my linux slackware 8.1 server.
> 
> yesterday i tried to traceroute:
> sucksads.lonex.org  and
> lonex.org
> 
> which is where we keep some files for remote hosting ...
> 
> i timed out after about 20 hops ... but i noticed the first big lag was
> inside bezeqint.net itself!
> 
> so my questions are: how can the timeouts be annihilated?  is there another
> ISP that we should be using? any worthy recommendations are appreciated :)
> 
> note: these errors are replicable from all the places we have checked via
> bezeqint.net's network.  we are losing thousands of visitors a day to our
> sites/servers here in israel, because they keep timing out with network
> delays when they try to reach our sites... ie:
> www.schoolsucks.com
> 
> cheers,
> 
> yasha harari
> [EMAIL PROTECTED]
> 
> 



Re: Cable Internet DNS Problem

2003-06-21 Thread Guy Teverovsky

As I have a local caching DNS server which uses my ISP's DNS servers as
forwarders and I do not want the resolv.conf (which points to my DNS)
to be overwritten, I just did:
chattr +i /etc/resolv.conf

Guy


On Sat, 2003-06-21 at 23:36, Boaz Rymland wrote:
> > Except that it is an ugly patch. You did find the core of the problem,
> > however.
> 
> Ugly indeed, I must agree.
> Linux gives you the power to find and correct the problem, not so with the
> time nessecarry to do so... .
> 
> > So now we only get to the solution - is there any way to configure DHCP
> > client to ignore the DNS settings from the DHCP server?
> >
> 
> Right. Lior Kesos has pointed a similar option used by the pppd. I wont have
> time today looking further for doing the same with the dhcp client config
> (tests, tests...), but I would have started from there (a similar option for
> dchp-client).
> 
> Boaz.
> 
> >  Shachar
> >
> > --
> > Shachar Shemesh
> > Open Source integration consultant
> > Home page & resume - http://www.shemesh.biz/
> >
> >
> 
> 
> 



Re: A 2 hosts Ethernet network with a 255.255.255.254 netmask.

2003-07-11 Thread Guy Teverovsky
On Tue, 2003-07-08 at 21:09, Beni Cherniavsky wrote:
> Shaul Karl wrote on 2003-07-08:
> 
> > I still don't get something. Quoting section 7 of the IP Sub-Networking
> > Mini-Howto:
> >
> > For the sake of this example, let us assume that you have decided to
> > subnetwork you C class IP network number 192.168.1.0 into 4 subnets
> > (each of 62 usable interface/host IP numbers). However, two of these
> > subnets are being combined into a larger single network, giving three
> > physical networks.
> > These are :-
> >
> > __
> > Network Broadcast   Netmask Hosts
> > 192.168.1.0 192.168.1.63255.255.255.192 62
> > 192.168.1.64192.168.1.127   255.255.255.192 62
> > 192.168.1.128   192.168.1.255   255.255.255.128 124 (see note)
> > __
> >
> > Note: the reason the last network has only 124 usable network
> > addresses (not 126 as would be expected from the network mask) is that
> > it is really a 'super net' of two subnetworks. Hosts on the other two
> > networks will interpret 192.168.1.192 as the network address of the
> > 'non-existent' subnetwork. Similarly, they will interpret
> > 192.168.1.191 as the broadcast address of the 'non-existent'
> > subnetwork.
> >
> > So, if you use 192.168.1.191 or 192 as host addresses on the third
> > network, then machines on the two smaller networks will not be able to
> > communicate with them.
> >
> > \begin{interruptRequest}
> >
> >   How does the 2 smaller networks know that 192.168.1.191 and 192 were
> > initially a broadcast and network addresses? Would they treat any one of
> > 192.168.*.19[12] in the same way?
> >
> > \end{interruptRequest}
> >
> As far as I understand, they assume that sub-networking is uniform:
> they know the full network mask and know it is subnetted with a given
> subnet mask.  They assume it doesn't only apply to their own subnet
> but to each subnet of the network.  No, they wouldn't treat
> 192.168.*.* in this way, the full network mask seems to be
> 255.255.255.0 so they only assume things about "sibling subnets" i.e.
> 192.168.1.*.

Actually, I am not quite sure this is correct. The smaller networks do not make
any assumptions regarding other networks.
The routing decision is made at the router, while the transmitting node is
totally unaware of the subnet mask implemented at the destination network.
If you really want the guts, it depends on the routing protocol implemented on
the router, whether it supports propagating VLSM masks and whether classless
routing is implemented.
As long as routing is done by a classless routing protocol, all-zeros and
all-ones subnets become available for use.
As the abbreviation VLSM implies (Variable Length Subnet Mask), in this case
you have the benefit of not losing bits for what would look like a broadcast
or network address, which does not really exist.

In the above example, with VLSM implemented, the node does the following:
1) The destination address is not in the node's network, so it will be
transmitted to the default gateway.
2) ARP broadcast to get the MAC address of the default gateway.
3) The node sends the packet to the DG.
4) The DG (the router) performs a lookup in its routing table and notices that
192.168.1.191 is in the 192.168.1.128/25 network, which is directly attached to
the router.
5) The router queries for the subnet mask associated with the interface and
sees 255.255.255.128.
6) The packet will be sent through the interface attached to 192.168.1.128/25
(this is not a broadcast !!!)
7) ARP broadcast to get the destination MAC.
8) Packet gets to its destination.

As you can see, this is a normal unicast address when using VLSM.

References:
1) "Routing TCP/IP. Volume 1" by Jeff Doyle, Cisco Press
2) "Cisco CCNA Exam 640-607 Certification Guide" by Wendell Odom, Cisco Press 

Guy


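An added example (mine, not from the thread) that walks the Howto's three subnets through the steps above with the standard ipaddress module. It shows the two views side by side: the node only tests the destination against its own interface mask and otherwise hands the packet to the default gateway; the router does a longest-prefix match and finds 192.168.1.191 and .192 to be ordinary hosts in 192.168.1.128/25. The "classful" function models the assumption the Howto's warning is based on, namely that a /26 host applies its own mask to sibling subnets. The node address 192.168.1.10/26 is chosen for the example.

```python
"""VLSM routing of 192.168.1.191, the case discussed in the thread.
Added example; addresses are the Howto's, the node address is assumed."""
from ipaddress import ip_address, ip_interface, ip_network

# The router's directly attached networks, from the Howto table.
ROUTES = [ip_network("192.168.1.0/26"),
          ip_network("192.168.1.64/26"),
          ip_network("192.168.1.128/25")]


def host_classify(addr, net):
    """'network', 'broadcast', 'host' or 'off-link' for addr relative to net."""
    addr = ip_address(addr)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host" if addr in net else "off-link"


def node_decision(node_if, dst):
    """Steps 1-3: a node knows only its own interface mask. Either the
    destination is on the local link (ARP for it directly) or the packet
    goes to the default gateway. The destination network's mask is never
    consulted."""
    node_if = ip_interface(node_if)
    return "direct" if ip_address(dst) in node_if.network else "default-gateway"


def router_lookup(dst, routes=ROUTES):
    """Steps 4-6: longest-prefix match over the router's attached networks.
    Returns the matching network, or None if there is no route."""
    dst = ip_address(dst)
    matches = [n for n in routes if dst in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def classful_view(dst, assumed_mask="255.255.255.192"):
    """The assumption behind the Howto's warning: a host applies its *own*
    /26 mask to every sibling subnet, so .191 looks like a broadcast and
    .192 like a network address. A VLSM-aware router never does this."""
    guessed = ip_network("%s/%s" % (dst, assumed_mask), strict=False)
    return host_classify(dst, guessed)


if __name__ == "__main__":
    node = "192.168.1.10/26"
    for dst in ("192.168.1.20", "192.168.1.191", "192.168.1.192", "192.168.1.255"):
        net = router_lookup(dst)
        print("%-14s node: %-15s router: %-18s -> %-9s classful guess: %s"
              % (dst, node_decision(node, dst), net,
                 host_classify(dst, net), classful_view(dst)))
```

Running it prints .191 and .192 as "host" in 192.168.1.128/25 while the classful guess calls them "broadcast" and "network"; only .255 is a real broadcast for that prefix. The node column is "default-gateway" for all three, which is the whole point: the sender never evaluates the remote mask, so the router's table decides.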



Re: dhcpd & M$ active directory

2003-07-16 Thread Guy Teverovsky

On Wed, 2003-07-16 at 19:06, Ben-Nes Michael wrote:
> Hi All
> 
> I been asked if DHCPD on linux can pass to clients, domain names thrugh
> Micorsoft active directory.
> 

What do you mean by that ?
Are you asking whether DHCP clients will be able to dynamically register
in the DNS ? 
If that is the question, then the answer is yes, but there is a catch:
you will probably end up with BIND (version >= 9.0) as the DNS server.

The caveat is that if you want to do it right, you must have the DHCP
server dynamically register the client at the DNS server (DDNS).
W2K and XP clients can be configured to register in the DNS by
themselves, but 9X and NT are not smart enough and if the DHCP server
will not register them in DNS, they will end up unresolvable through
DNS.

As far as I know, the Linux DHCP server might have problems dynamically
registering clients in MS DNS (depends on whether the DNS is AD
integrated). With BIND, of course, there is no problem.

The best solution would be:
1) Setup BIND and configure it as SOA for the DNS namespace (Master for
domain.com)

2) Delegate the AD specific zones to MS DNS (_msdcs.domain.com,
_sites.domain.com, etc...) to keep the AD Domain Controllers happy when
registering SRV records securely (the zones can be AD integrated [1]).

3) Configure DHCP on Linux so that it will update BIND on behalf of DHCP
clients. 

Actually that is how my home network is set up. The DHCP/DNS is on Linux 
and my Active Directory is more than happy.

The whole process is not that complicated, but you must watch out when
transferring the DNS to Linux - if you do not do it right, the AD will
not like it.


[1]: When a zone is AD integrated, its data is stored in the AD DB and not in
plain text files (backup your AD !)
An AD integrated zone can be configured to accept only secure updates: it
will accept dynamic updates only from a computer with a valid machine
account in AD (appears there as an object).
From a security point of view, it's a good idea to let AD specific zones
accept only secure updates - you do not want people to start registering
their own Kerberos or LDAP SRV records.

Cheers,
Guy

> As i have 0 knowledge in microsoft products I told them ill ask.
> 
> this is a good opportunity to push the second Linux server to Ziv Hospital.
> ( the first one was nice firewall )
> 
> --
> Canaan Surfing Ltd.
> Internet Service Providers
> Ben-Nes Michael - Manager
> Tel: 972-4-6991122
> Fax: 972-4-6990098
> http://sites.canaan.co.il
> --
> 
> 
> =
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
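An added configuration sketch of the three steps above (mine, not from the post or from Guy's network). Everything named here is assumed: the domain example.com, the TSIG key name dhcp-update, the DC dc1.example.com at 192.168.1.5, and the key secret, which is a placeholder to be replaced by the output of dnssec-keygen. The weak setting is shown commented out next to the one that restricts updates to the DHCP server's key and keeps it out of the delegated AD subzones.

```conf
# /etc/named.conf (BIND 9) -- assumed names, placeholder secret
key "dhcp-update" {
    algorithm hmac-md5;          # hmac-sha256 on any recent BIND/dhcpd
    secret "REPLACE-WITH-BASE64-FROM-dnssec-keygen";
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    # Weak: anyone on the LAN can rewrite any record in the zone.
    # allow-update { any; };
    # Better: only the DHCP server's key, only A/TXT, and nothing under the
    # AD subzones, which are delegated to the DCs below anyway.
    update-policy {
        deny  dhcp-update subdomain _msdcs.example.com. any;
        deny  dhcp-update subdomain _sites.example.com. any;
        grant dhcp-update subdomain example.com. A TXT;
    };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/1.168.192.in-addr.arpa.zone";
    update-policy {
        grant dhcp-update subdomain 1.168.192.in-addr.arpa. PTR;
    };
};

; master/example.com.zone (excerpt): step 2, hand the AD zones to the DCs
; so the DCs register their SRV records there, with secure updates on the
; MS side. dc1's A record lives in the parent, so no glue is needed.
_msdcs.example.com.   IN NS dc1.example.com.
_sites.example.com.   IN NS dc1.example.com.
_tcp.example.com.     IN NS dc1.example.com.
_udp.example.com.     IN NS dc1.example.com.
dc1.example.com.      IN A  192.168.1.5

# /etc/dhcpd.conf (ISC dhcpd 3.x): step 3, update BIND on behalf of clients
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.com.";
key dhcp-update {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-FROM-dnssec-keygen";
}
zone example.com. {
    primary 127.0.0.1;
    key dhcp-update;
}
zone 1.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key dhcp-update;
}
```

The same key name and secret must appear in both files, and the key file should be readable only by root and the dhcpd user. With this in place, 9x/NT clients get their A and PTR records from the DHCP server, while only the DCs can put SRV records under _msdcs and _sites.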



Re: [OT] Why do non-crossed ethernet cables exist?

2003-07-24 Thread Guy Teverovsky
Take a look here for the background:
http://www.netguru.co.il/modules.php?op=modload&name=News&file=article&sid=19

The cable issue is mostly historical. All network equipment is divided
into 2 categories:
- DTE (Data Terminal Equipment: NICs)
- DCE (Data Communication Equipment: hubs, switches, routers, etc...)

DTE<---(cross)--->DTE
DCE<---(cross)--->DCE
DTE<---(straight)--->DCE

The differences are explained here:
http://www.patton.com/technotes/about_dce-dte_for_ethernet.pdf

Guy


On Thu, 2003-07-24 at 18:39, Oleg Goldshmidt wrote:
> It occurred to me that I did not know *why* different cables were used
> for PC<->hub and PC<->PC. A quick google didn't help. Can anyone
> enlighten me regarding the reason?
>  



Re: SMB mount point hangs

2003-07-28 Thread Guy Teverovsky

On Mon, 2003-07-28 at 20:51, Gil Freund wrote:
> Arik Baratz wrote:
> 
> >>1. Do you get a valid responce when do:
> >>nmblookup 
> > 
> 
> [snip]
> 
> Hostname resolution seems ok.
> 
> >>Also check the following:
> >>
> >>1. Has the share (mount) been unused for over a week? (Windows cycles 
> >>host credentials once a week)
> > 
> > 
> > It's been mounted for over a week, but used during this period. How come my Win2K 
> > can maintain a share window open for this amount of time but SAMBA can't? And if 
> > the credentials are incorrect, why can't I unmount?

Actually, in properly configured AD both W2K and Linux will be denied
access. Search the net for "Enforce password history". The default on
W2K is to remember 1 old password.

 
> Windows updates host credential at least once a week. Both the server 
> and the workstation have to be online for this to happen.

The default for machine account password renewal is 60 days.
The renewal process is much like DHCP: half lease, quarter lease...

> This is the theory. In practice, I noticed that windows 2k pro will 
> cache server credentials for longer peroids of time, even to a point 
> where a loptop user who has dissconnected and reconncted to the network, 
> while his password has expired, managed to contiune working with the 
> ssupposidle expired password.
> > 
You are mixing here machine and user accounts. Those are two different
stories. The user passwords are cached as long as you are logged in or
explicitly refreshed. Default user password max age is 42 days.

Windows clients maintain a per session connection. You can connect to
one share, change password, connect to another share and still be able
to access both shares. To clear the cache and drop all session to a
specific server on Windows you can use:
net use \\remote_server\ipc$ /delete

> > 
> >>2. Has the user information under which the mount taken place changed?
> > 
> > 
> > Now that you've mentioned it, I recently replaced my password (in Active 
> > Direcory). I will test it again, because I am pretty sure that I have had that 
> > happen even between password changes (our policy is 45 days).
> > 
> > And then again: So the credentials don't match; so what? Why prevent me from 
> > unmounting it? Can I change the credentials in smbmount while the folder is 
> > mounted?

> You have to remmeber that Unix network mount types (such as NFS) are 
[snip]
> More to the point:
> You cannot change credentials on a monted CIFS share. Even in Windows, 
> if you changed your password while logged in, you will find that network 
> shares will act in an unpredicted manner (Some will work, some will not, 
> as windows caches the credentials).
> the smbmount command is acts as a proxy between the unix mount and the 
> CIFS file system. If the credentials have changed, samba cannot 
> determine the state of the share and returns the actual mount (or 
> umount) an invalid state.
> 
> I usually try to keep smbmount within the scope of a login session (more 
> like AutoFS or AMD), this is what a CIFS session expects.
> 
You CAN change the password without losing the mount point IF you are
using Kerberos rather than NTLM authentication (Samba 3.x). In this
case, the TGT is refreshed automatically (or manually on demand) and the
session is not lost.
To do that, you have to join your Linux machine to the W2K Kerberos realm.

One more thing to mention: W2K tends to drop idle sessions. The default
is 15 minutes on W2K Server and not defined on Pro.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/563.asp
(now someone will want to slap my wrists for giving an MS links...)

Some other workarounds might involve statically registering the W2K
machine in WINS.
BTW, do you have DDNS on site ? is W2K a DHCP client ? (you can play
with DHCP lease and DNS scavenging timer)

Personally, I doubt this is a name resolution issue.

I have been using Samba 3.x for quite a while in AD environment and must
admit that it does much better job handling things like that.
-- 
Guy





Re: SMB mount point hangs

2003-07-28 Thread Guy Teverovsky
On Tue, 2003-07-29 at 02:08, Guy Teverovsky wrote:
[snip]
> Actually, in properly configured AD both W2K and Linux will be denied
> access. Search the net for "Enforce password history". The default on
> W2K is to remember 1 old password.
> 

It's the hour. This part is total nonsense. Please, disregard it.
The proper way is either enforcing Kerberos authentication or disabling
cached credentials.

Sorry again for too MS-stuffed a post.

Guy





Re: ip_forward mysteriously turnes off(?)

2003-07-30 Thread Guy Teverovsky
On Wed, 2003-07-30 at 19:15, Beni Cherniavsky wrote:
> Some time ago I had a very long battle with iptables only to discover
> that they were fine all the time - turned out that
> /proc/sys/net/ipv4/ip_forward was 0.  I'm pretty sure I didn't setup
> it like this but I didn't investigate the reasons.  I turned it on,
> added ``FORWARD_IPV4="yes"`` to /etc/sysconfig/network, made sure it's
> enabled when I bring the net up -- and I've been a happy masquerading
> user since (windoze' connection sharing mangled all masqueraded scp
> and cvs, which was more than annoying, Baruch ShePtaranu ;).
> 
[snip]
> Jul 30 16:51:05 zion sysctl: net.ipv4.ip_forward = 0

Does your /etc/sysctl.conf file have a line like 
net.ipv4.ip_forward = 0 ? 

Change it to "net.ipv4.ip_forward = 1" and you should be set.

Guy
 





Linux cluster on HPPA (PA-RISC) architecture

2003-08-06 Thread Guy Teverovsky

Greetings all,

I did some hardware inventory in the warehouse debris at work and found
some 6-7 HP workstations (J200, J210, J280).

I would like to bring some life to those and free their souls enslaved by
HP-UX. The big question is whether there is any chance of running
a Linux cluster on this architecture ? 
From my long-lasting trip to google I have found that Debian and Gentoo
support the architecture out of the box. What I have not found is any
evidence of running a Linux cluster on PA-RISC.

Any pointers are more than welcome...

Guy  



RE: Linux cluster on HPPA (PA-RISC) architecture

2003-08-07 Thread Guy Teverovsky

Thanks for the input, all. 
It looks like I was too fast on the trigger as the developers are not
yet sure whether high-availability will be needed together with
computation. The links were very helpful - now I know what questions to
ask when they finalize the concept and come up with demands.

Thanks again,
Guy



On Wed, 2003-08-06 at 22:22, Tzahi Fadida wrote:
> I don't know what you are doing, but you might consider Agent technology with 
> mobility to move or
> clone agents (which are a set of behaviors that represent tasks). for example, JADE  
> works on any
> platform that can run java.
> checkout http://sharon.cselt.it/projects/jade/
> for other implementation of FIPA compliant http://www.fipa.org/ agent technology, 
> you might want to
> check the european union supported agentlink at
> http://www.agentlink.org/resources/agent-software.php
> 
> or agentcities http://www.agentcities.org/ maybe you'll get funded for it from the 
> european union.
> 
> also i don't know much about it but i think maybe beowulf clusters can do what you 
> want, check out
> http://www.beowulf.org/beowulf/hardware/
> 
> * - * - *
> Tzahi Fadida
> MSc Student
> Information System Engineering Area
> Faculty of Industrial Engineering & Management
> Technion - Israel Institute of Technology
> Technion City, Haifa, Israel 32000
> Email [EMAIL PROTECTED]
> Technion Email: [EMAIL PROTECTED]
> * - * - * - * - * - * - * - * - * - *
> 
> WARNING TO SPAMMERS:  see at http://members.lycos.co.uk/my2nis/spamwarning.html
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Orna Agmon
> > Sent: Wednesday, August 06, 2003 7:42 PM
> > To: Gilad Ben-Yossef
> > Cc: Guy Teverovsky; [EMAIL PROTECTED]
> > Subject: Re: Linux cluster on HPPA (PA-RISC) architecture
> >
> >
> > On Wed, 6 Aug 2003, Gilad Ben-Yossef wrote:
> >
> > > I guess it's either PVM (http://www.csm.ornl.gov/pvm/pvm_home.html) or
> > > one of those weird packages from SourceForge clustering section that I'm
> > > never sure what thwey do, like Condor: http://www.cs.wisc.edu/condor//
> >
> > For Alpha (by Digital-Compaq-HP), which is also RISC, pvm works great, but
> > Condor does not work
> > at all.
> >
> > Orna.
> >



Re: Linux cluster on HPPA (PA-RISC) architecture

2003-08-14 Thread Guy Teverovsky
Computational.

The main purpose is to run a pilot and get a proof of concept of
integrating linux clusters in current architecture, so the low
performance of such a cluster is not an issue.

High availability might be considered too (hey! if the developers can't
benefit of it, I can always find a way to make it do something useful
:-) )

Thanks,
Guy
 

On Wed, 2003-08-06 at 12:14, Gilad Ben-Yossef wrote:
> Guy Teverovsky wrote:
> > Greetings all,
> > 
> > I did some hardware inventory in the warehouse debris at work and found
> > some 6-7 HP workstations (J200, J210, J280).
> > 
> > I would like to bring some life to those and free their souls enslaved by
> > HP-UX. The big question is whether there is any chance of running
> > a Linux cluster on this architecture ? 
> > From my long-lasting trip to google I have found that Debian and Gentoo
> > support the architecture out of the box. What I have not found is any
> > evidence of running a Linux cluster on PA-RISC.
> > 
> > Any pointers are more than welcome...
> 
> Define which cluster: computational, high availability, web servering?
> 
> Gilad



Re: A story from ynet has been sent to you

2003-10-15 Thread Guy Teverovsky
On Tue, 2003-10-14 at 00:11, dittigas wrote:
> See some more information here:
> http://whatsup.org.il/article.php?sid=1661
> 
> more here: http://whatsup.org.il/article.php?sid=2030
> 
> and http://whatsup.org.il/article.php?sid=2060 about the subject.
> 
> all in Hebrew.

FYI, the topic has been slashdotted (may wrap):
http://slashdot.org/articles/03/10/15/2215249.shtml?tid=107&tid=109&tid=123&tid=187&tid=99


Guy





Re: Fw: What's wrong with this code?

2003-11-16 Thread Guy Teverovsky

Reminder: to master the art of distinguishing between "Reply" and "Reply to all"

Guy

On Thu, 2003-11-13 at 10:46, Gilad Ben-Yossef wrote:

> 
> Now, what would have happend if this was a run of the mill closed source 
> security firm?

Closed source firms rarely use CVS (if ever). Big projects usually rely
on version control mechanisms with integrated version tracking, logging
and authentication mechanisms (user, time, machine, file, branch, etc...
where the file was checked in). Mere mortal developers do not have the
permissions to perform merges with main branches. ClearCase by Rational
(or should I say IBM ?) is a good example of such an application. 

You might forget it, but in the proprietary code world one of your worst
fears is the industrial espionage and sabotage by your competitors. 

> First of all, I seriously doubt it that the fact of the change would have 
> been detected at all, but even if it were the sys admin discovering it 
> would "fix the technical problem" and would never ever send it to the R&D 
> (which are another dept. which is hated by the IT team).

SysAdmin who does not see the benefits in cooperating with R&D team
should be whipped with GigaEthernet cables.
 
> In short - people breaking in and putting in back door happen in both open 
> and closed source. But only in Open SOurce there's a real chance that 
> someone would discover it. In closed source land it's always "someone 
> else's problem".
Compromised code is a ticking bomb that can blow up any second and scare
away your customers. OS or closed source world, it doesn't matter.
It can happen anywhere and it all depends on the proficiency  and
skillfulness of the ones on the watch.

Guy



Version control (was: Re: What's wrong with this code?)

2003-11-17 Thread Guy Teverovsky
On Mon, 2003-11-17 at 20:39, Oleg Goldshmidt wrote:
> "Tal, Shachar" <[EMAIL PROTECTED]> writes:
> 
> > > From: Shachar Shemesh [mailto:[EMAIL PROTECTED]
> > > 
> > > Lets separate what the app can do, with the way it is being
> > > typically deployed. I am yet to see a deployment of clearcase
> > > where developers were given commit access to certain parts of a
> > > program, but not to others. 
You are welcome to contact me off-list.

> You can define code owners for code
> > > areas, and enforce that each commit to a given code be approved
> > > (or at least acknoledged) by the relevant owner. This can be done
> > > in CVS too, however.
At work I maintain ClearCase and CVS, and maintained Source Safe in the far past. 
Every developer who starts working with CVS after using ClearCase for a
while complains about the immature approach to code maintenance.
Personally I do not write code. I let the developers judge.

I admit that I have much to learn about CVS in a multi-site environment,
but from what I know, it can't have multi-site support without
having a single master repository and yet maintain the ACLs across the
sites.  
> 
> UNIX permissions would suffice, actually, on a per-module basis.
They will. But only in conjunction with security enforcement mechanism.
> 
> > While agreeing with most of your post, I can testify to previously
> > working for a company with a state-of-the-art ClearCase
> > implementation. Each R&D team has its own branch to work on, and
> > only the integration team merged files from these branches to our
> > /main branch. Furthermore, each feature had its own branch, which
> > was merged to relevant team branches once matured and tested.
> 
> I may be missing something, but at first glance there is nothing here
> that cannot be done with CVS.
> 
> Ouch! What have I done?! I am an IBM employee, and now I am saying
> that an amateurish piece of half-baked open source code can do what a
> "state of the art" instance of proprietary "software configuration"
> tool can do? Wait... I use CVS at work... ;-)

 
I am not a Rational/IBM employee. I just love the app. 


CVS is not a version control mechanism which is content aware and action
driven. It lacks inline documentation features and code maintenance
(bugs, features) tracking...
Have I mentioned the wink-in ? Suppose you have an app that compiles 5
hours and another developer has already done another build and parts of
the objects can be reused. As much as you might not like the product, it
saves a hell of a LOT of time as the version control mechanism will bring you
already compiled parts from the network.
Now consider a 6-7 hour build on a high-end workstation...
Well, I am starting to sound like a salesman, so I will stop here.

All that said, I doubt that there are many projects that would justify
paying a load of greens for this luxury (~ $2-3K for a single floating
license).

> 
> > The company I work for currently does not allow engineers access to
> > code they have no business reading in the first place.
> 
> They must have a *really* good reason for it. The disadvantages of
> this approach are too many to count. The more code your programmers
> read the better code they will write. External security restrictions
> or "clean room" requirements can justify this, but hardly anything
> else. In any case, the above exceptions should be just that -
> exceptions. Usually companies write more code for internal consumption
> than for customers.
No doubt about that.

Guy 



Re: strange URL behaviour

2003-11-17 Thread Guy Teverovsky
Do you have --clamp-mss-to-pmtu in your iptables script ?
Something like:
$IPTABLES  -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu

Guy

On Mon, 2003-11-17 at 22:45, Shlomo Solomon wrote:
> Hi,
> 
> My network consists of my Mandrake 9.1 box and 3 Win98 machines. All 4 
> machines and my Alcatel ADSL modem are connected to a hub and I run iptables 
> with masquerading to allow the Win98 machines access to the internet. Until 
> recently, all machines could reach any URL. But recently, the Win98 machines 
> cannot reach certain URLs. I suspected a DNS problem so I tried equivalent IP 
> addresses but that didn't help. The strange thing is that **most** URLs are 
> still reachable and I haven't noticed any common factor in the unreachable 
> ones. Also, the URLs that can't be reached on the 3 Win98 machines can be 
> reached by Mozilla on the Mandrake machine. Of course, I also checked if the
> URLs could be reached from Windows machines not connected to my network. So 
> the problem does seem to be here.
> 
> Any ideas where to look? I'm enclosing two examples of unreachable URLs:
> 
> www.maariv.co.il
> www.simil.vze.com
> 
> TIA



Re: strange URL behaviour

2003-11-18 Thread Guy Teverovsky
If the site blocks ICMP's source-quench, the Path MTU Discovery algorithm fails
and the client cannot determine the appropriate MTU for the
destination.

Blocking all ICMP traffic is not always a good idea.

Guy

On Tue, 2003-11-18 at 07:55, Oleg Goldshmidt wrote:
> "Geoffrey S. Mendelson" <[EMAIL PROTECTED]> writes:
> 
> > MTU. The MTU of your windows boxes is too big. Set it to about 1400.
> 
> Why would that affect only specific URLs consistently?



Re: Version control (was: Re: What's wrong with this code?)

2003-11-18 Thread Guy Teverovsky
On Tue, 2003-11-18 at 18:58, Oleg Goldshmidt wrote:
> "Tal, Shachar" <[EMAIL PROTECTED]> writes:
> 
> > Easily doesn't mean a sysadmin for a day. Easily means not having to
> > invest considerable man-power into making cvs and diff and branches
> > and IDE integration and nightly building and whatnot work
> > together. YMMV for the definition of considerable.
> 
> Disclaimer: I have not used ClearCase myself. However, I have an
> impression that, for one reason or other every company that uses Clear
> Case also has a full time "software configuration" *team* whose
> purpose in life is making ClearCase work for the developers.  This
> does not mean that ClearCase is bad, wrong, or anything. This just
> means that it probably fits someone's definition of "considerable
> man-power".

You can throw a team on ClearCase maintenance, but without first reading
the books they will spend all their time poking around in vain.
Most of my time spent on ClearCase involves going through the logs to
see one more time that it does what it's supposed to do.
Oops... forgot. I do not do it anymore. I have a script that alerts me
if something funny is going on.

> At one company I worked for (about 15 developers) an internal effort
> was undertaken to write a system for hourly/nightly build of multiple
> versions of software kept in CVS, at least on two platforms. It took
> some effort (one person, I don't really remember how much time it
> took, maybe a week?), but it worked smoothly afterwards. Probably
> still works, years later - I don't know. Note also that the build
> system fit the particular development cycle and practices of the
> outfit - an out-of-the-box solution would not necessarily fit that.
It can be set up in ClearCase in 5 minutes. Create a bunch of dynamic
views each with its own branch and script the hourly/nightly builds
inside each view. A couple of one-liners will suffice.
What is the cost of a week's work of a decent sysadmin ?

> 
> Now, consider this. Just a few days ago a friend, who is a
> "configuration manager" for a big and well-known unnamed company,
> complained informally that ClearCase (which has its own filesystem
> implemented by Rational as a binary only kernel module) does not
> co-exist well with that company's corporate standard kernel
> configuration. And they cannot do anything about it until the vendor
> (IBM in this case) fixes the problem. I surely hope the vendor will
> provide a solution in time (until the client's standard kernel
> changes). Again, this is not as much to criticize ClearCase as to
> point out that this is something a multibillion dollar company would
> surely deem "considerable".




Re: Version control (was: Re: What's wrong with this code?)

2003-11-19 Thread Guy Teverovsky
On Tue, 2003-11-18 at 22:00, Shachar Tal wrote:
> >  

> >
> And how much did the time it took you to learn to do that, cost your 
> company?
> 

One 2-day course at Rational and a crash&burn accelerated "course" of
migrating Windows VOBs from NT domain to another AD domain, while
preserving all the credentials and views, rollback as a result of
performance issues and another migration. I must admit that moving
around VOBs of total 30Gb is rather exhausting. 
Kind of makes you dig into the documentation before you run a 7-8 hour
job on the VOBs.

Just today I had a discussion with one of our developers regarding a new
project: remote site does not have CC licenses and our developers do not
want to switch to CVS. It looks like we are going to write a script
suite to sync CVS with CC to make everyone happy :-) 

Cheers,
Guy



Re: Version control (was: Re: What's wrong with this code?)

2003-11-19 Thread Guy Teverovsky
On Wed, 2003-11-19 at 11:33, Oleg Goldshmidt wrote:
> Guy Teverovsky <[EMAIL PROTECTED]> writes:
> 
> > It can be set up in ClearCase in 5 minutes. Create a bunch of dynamic
> > views each with its own branch and script the hourly/nightly builds
> > inside each view. A couple of one-liners will suffice.
> 
> I wasn't clear. All the work was scripting builds. No CVS tweaking was
> needed. You are assuming that a build script is a one-liner - depends
> on what you build. I didn't say it was a single project.

Actually, I assumed that the build scripts are already in place.
The ones I'm used to span a couple of thousand lines, do debug/release
builds on 2 platforms and run a test suite for each build, and it's all
done using CC's CLI and shell scripts. Runs smoothly since before my
time in the company, which makes it several years...

Now back to where we started: there are quality closed source products
with the flexibility you want that you might never have thought about. Not
many, but they exist. That is all I was trying to say.

Guy  



Re: strange URL behaviour

2003-11-19 Thread Guy Teverovsky
Yes. It looks OK. This should adjust the client's MTU to the size
determined by Path MTU Discovery initiated from the router.

Try the following to eliminate a problem with MTU:
From your Win98 box run:
ping -f -l <size> java.sun.com
where <size> is TCP's payload size.
Start from 1472 and go down till you get a reply instead of "Packet
needs to be fragmented but DF set".
Record the largest value which results in reply, add 28 to that number
(TCP headers size) and set the NIC's MTU to that value.

For example, if I get reply after "ping -f -l 1464", I would set the MTU
to 1492. 

Guy

On Tue, 2003-11-18 at 05:44, Shlomo Solomon wrote:
> I do, but I admit to not knowing what that means - is this what you meant?
> 
> [EMAIL PROTECTED] solomon]# iptables -L|grep clamp
> TCPMSS tcp  --  anywhere anywhere   tcp 
> flags:SYN,RST/SYN TCPMSS clamp to PMTU
> 
> 
> On Tuesday 18 November 2003 04:36, Guy Teverovsky wrote:
> > Do you have --clamp-mss-to-pmtu in your iptables script ?
> > Something like:
> > $IPTABLES  -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
> > --clamp-mss-to-pmtu
> >
> > Guy
> >
> > On Mon, 2003-11-17 at 22:45, Shlomo Solomon wrote:
> > > Hi,
> > >
> > > My network consists of my Mandrake 9.1 box and 3 Win98 machines. All 4
> > > machines and my Alcatel ADSL modem are connected to a hub and I run
> > > iptables with masquerading to allow the Win98 machines access to the
> > > internet. Until recently, all machines could reach any URL. But recently,
> > > the Win98 machines cannot reach certain URLs. I suspected a DNS problem
> > > so I tried equivalent IP addresses but that didn't help. The strange
> > > thing is that **most** URLs are still reachable and I haven't noticed any
> > > common factor in the unreachable ones. Also, the URLs that can't be
> > > reached on the 3 Win98 machines can be reached by Mozilla on the Mandrake
> > > machine. Of course, I also cheched if the URLs could be reached from
> > > Windows machines not connected to my network. So the problem does seem to
> > > be here.
> > >
> > > Any ideas where to look? I'm enclosing two examples of unreachable URLs:
> > >
> > > www.maariv.co.il
> > > www.simil.vze.com
> > >
> > > TIA
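The ping -f -l sweep above, together with the TCPMSS clamp and the "blocked ICMP breaks Path MTU Discovery" point from earlier in this thread, as an added offline example (not code from any of the posts). A real probe sends ICMP echo requests with the DF bit set; here the probe is a function passed in, so the search and the arithmetic run against a constructed path model with no network access, and it uses a binary search instead of stepping down one byte at a time. All function names (make_path, find_max_payload, diagnose) are hypothetical.

```python
"""Offline model of the ping -f -l MTU sweep discussed in this thread.

Added example; it is not code from the mailing-list post.  A real probe
sends ICMP echo requests with the DF bit set ("ping -f -l <size>" on
Windows, "ping -M do -s <size>" on Linux).  Here the probe is injected,
so the search and the arithmetic can run against a constructed path
model with no network access.  All names are hypothetical.
"""
from typing import Callable, Dict, Tuple

IPV4_HDR = 20                        # IPv4 header without options
ICMP_HDR = 8                         # ICMP echo header
PING_OVERHEAD = IPV4_HDR + ICMP_HDR  # the "add 28" step: payload -> packet size
TCP_HDR = 20
MSS_OVERHEAD = IPV4_HDR + TCP_HDR    # 40: what a TCPMSS --clamp-mss-to-pmtu rule subtracts

# Probe outcomes, mirroring what the client can observe:
REPLY = "reply"        # echo reply came back: payload fits the path
FRAG_NEEDED = "frag"   # ICMP "fragmentation needed and DF set" came back
TIMEOUT = "timeout"    # nothing came back: too big AND the ICMP error was
                       # filtered, or plain loss (a real probe should retry)

Probe = Callable[[int], str]


def make_path(path_mtu: int, icmp_filtered: bool = False) -> Probe:
    """Constructed path model: a link with the given MTU somewhere on the way.

    With icmp_filtered=True the router's "fragmentation needed" message never
    reaches the client, which is the Path MTU Discovery black hole that was
    described earlier in the thread.
    """
    def probe(payload: int) -> str:
        if payload + PING_OVERHEAD <= path_mtu:
            return REPLY
        return TIMEOUT if icmp_filtered else FRAG_NEEDED
    return probe


def find_max_payload(probe: Probe, hi: int = 1472, lo: int = 0) -> Tuple[int, bool]:
    """Largest ICMP payload that gets a reply, plus whether any probe timed out.

    The thread steps down from 1472 one value at a time; this binary-searches
    the same range.  Anything other than REPLY counts as "too big", so the
    search still converges when ICMP errors are filtered, but the timeout is
    reported so the caller knows PMTUD itself is broken on this path.
    """
    saw_timeout = False
    if probe(hi) == REPLY:            # common case: full-size packets fit
        return hi, saw_timeout
    while lo < hi:
        mid = (lo + hi + 1) // 2
        result = probe(mid)
        if result == REPLY:
            lo = mid                  # fits: look for something bigger
        else:
            hi = mid - 1              # too big (or lost): shrink
            saw_timeout |= result == TIMEOUT
    return lo, saw_timeout


def diagnose(probe: Probe) -> Dict[str, object]:
    """Run the sweep and turn the result into the numbers the thread asks for."""
    payload, blackhole = find_max_payload(probe)
    mtu = payload + PING_OVERHEAD      # value to set on the NIC
    return {
        "max_payload": payload,
        "mtu": mtu,
        "mss": mtu - MSS_OVERHEAD,     # what the TCPMSS clamp writes into SYNs
        "icmp_blackhole": blackhole,   # True: ICMP errors are dropped, PMTUD fails
    }


if __name__ == "__main__":
    # PPPoE over Ethernet: 1500 minus 8 bytes of PPPoE + PPP framing = 1492
    print(diagnose(make_path(1492)))                       # mtu 1492, mss 1452
    print(diagnose(make_path(1492, icmp_filtered=True)))   # same, blackhole True
    print(diagnose(make_path(1500)))                       # nothing to fix
```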



Re: USB ADSL modem - experiences?

2003-11-20 Thread Guy Teverovsky
On Thu, 2003-11-20 at 16:42, Micha Feigin wrote:

> 
> If you take the 750 account you can get a eth modem from bezeq without
> extra cost and they should work with linux.
> I got the eci eth modem which is a "dumb" modem and it works great with
> pppoe.

Actually, this is not a "dumb" modem. It is officially (supported by
Bezeq) a router. Its default configuration is a PPPoE modem, but it is a
router.
You can download the configuration guide from here:
http://www.netguru.co.il/files/manuals/eci/ECI_ROUTER_ADSL_270_400.pdf
(sorry boys and girls, but it's in Hebrew)

Warning: when configured as a router, there are 3 known bugs:

1) ports 6667-6668 (IRC) are blocked - you can't use IRC
2) port 1720 is blocked - H.323 protocol (Netmeeting anyone ?) won't
work
3) Passwords containing some special characters are not handled
correctly (at least with Netvision). For example: "+" is passed to
Radius server as "#". One of 9 7 4 5 digits in digits-only passwords are
not handled correctly. The resolution is to use only English letters
(capitals are OK)

ECI are aware of the bugs and have promised to release a firmware
update, which is supposed to resolve the issues, in a week. Currently
the fixed firmware is tested in their lab.

Guy



Re: USB ADSL modem - experiences?

2003-11-21 Thread Guy Teverovsky
On Fri, 2003-11-21 at 05:06, Micha Feigin wrote:

> Downloaded the file and tried accessing the modem as described, but
> apparently my modem does think that it's dumb since when I try to browse
> to 192.168.1.1 I don't get any reply.
> I believe it does think that that is its address, since it does answer
> the arp request for that address (at least I believe the modem is the one
> answering that since I made sure it wasn't connected at the time and
> it's the only thing on that interface and none of my machines has that
> address).

Does the computer you are trying to access the ECI from have a network
interface in the 192.168.1.0/24 subnet ?

Guy



Re: strange URL behaviour

2003-11-21 Thread Guy Teverovsky
On Fri, 2003-11-21 at 09:13, Shlomo Solomon wrote:
> OK - I tried Guy's advice and came up with 1372 + 28 = 1400 which is exactly 
> what was already suggested and didn't solve my problem. I had already set the 
> Win98 MTU to 1400 in the registry according to the instructions in the 
> ADSL-Bezeq HOWTO. I'm obviously doing something wrong. But I still have two 
> questions:
> 
> 1 - Is there any way to check if the MTU is actually set as it should be? I 
> tried **playing** with ethereal a bit, but to be honest, I have no idea what 
> I'm looking for and there is so much info that I'm lost ;-)
> 
Use this little app: http://www.dslreports.com/drtcp

> 2 - As I originally asked, what could cause this problem to suddenly appear? 
> To make myself clearer - I've been using ADSL since the original Bezeq trial 
> period so for years Win98 machines on my network have had no problems until 
> recently (about 3 weeks ago, I think). I know of no changes (but of course 
> there must be something) on the Linux box. And I'm sure there were no changes 
> in Win98 because:
> a - my wife and kids wouldn't know how or what to change
> b - it makes no sense that a change would be made on all 3 Win98s
> c - all Win98s have up-to-date anti-virus so I rule out a virus
> 
Who is your ISP ?


Guy



Re: solved (was Re: strange URL behaviour)

2003-12-01 Thread Guy Teverovsky
On Sun, 2003-11-30 at 23:17, Shlomo Solomon wrote:


> 
> In fact, I had ruled out a DNS problem earlier because the Win98s could reach 
> most URLs with no problem and there were only a few problematical URLs. I 
> still don't understand this. I would have thought that if the DNS server was 
> not functioning, all translations would not work. I guess I was wrong about
> that. But, in any case, that's not really on topic, since I now know that the 
> problem was not LINUX.

Some ISPs mirror major websites and their DNS returns to their client
the IP address of the nearest mirror server. Not sure, but access to
those mirrors might be restricted based on the originating IP address
(value added service only to the ISP's client). This might explain the
different IP addresses you got from DNS.

Guy



Re: OT: ECI 270PR as router

2003-12-03 Thread Guy Teverovsky
On Wed, 2003-12-03 at 22:51, Yedidyah Bar-David wrote:
> Hello all,

> I got an ECI 270PR (the modem/router Bezeq offers for ADSL users), and
> while it's being advertized as a router, specifically one that allows
> "Internet connection sharing", the documentation that comes with it
> only explains how to setup PPPoE, and I couldn't find other things on
> Bezeq's site. A google search found this:
> 

finally it got indexed by google :-) 

> which seems like an official document (by whom?), and which explains
> how to configure many (relatively) advanced things in the router.
> I also know that Bezeq does not support users who upgrade their alcatel
> STH to Pro (and configure it as a router). Does anyone know what is the
> official policy of Bezeq regarding this issue? Is using this ECI modem
> as a router officially allowed and supported? And if yes, is the reason
> that alcatel isn't is only that it's not allowed by alcatel (because the
> Pro costs more), or some other reason?

The document has been contributed by ECI. Bezeq officially supports the
router configuration. It is all 100% legal.
There are some issues with its current firmware I have already
mentioned on this list. A search in the archives should reveal it.

Fixed firmware is in the pre-beta stage and being tested. If you are
willing to be a beta-tester, I can arrange that you get it. The catch is
that you will have to supply feedback to ECI and the "Networks and
Broadband" forum at Tapuz. The official updated firmware should be
released shortly.

The reason that Alcatel is not supported is because Alcatel Home's
firmware is different (actually just capped) from Alcatel Pro's firmware
and most Alcatel owners never purchased Pro's firmware (hence, they
have no license to use it). Bezeq just didn't buy Pro's firmware for
distribution to end users.

Guy



Re: OT: ECI 270PR as router

2003-12-04 Thread Guy Teverovsky
On Thu, 2003-12-04 at 11:28, Geoffrey S. Mendelson wrote:
> Guy Teverovsky wrote:
> > On Wed, 2003-12-03 at 22:51, Yedidyah Bar-David wrote:
> 
> > > <http://www.netguru.co.il/files/manuals/eci/ECI_ROUTER_ADSL_270_400.pdf>
> > The document has been contributed by ECI. Bezeq officially supports the
> > router configuration. It is all 100% legal.
> > There are some issues with its current firmware I have already
> > mentioned on this list. A search in the archives should reveal it.
> 
> Anyone know where to find it in English? To be blunt, I  can't configure
> a toilet from reading a Hebrew manual, let alone a router. :-(
> 
> Geoff.

The best thing I have is this PPT:
http://www.netguru.co.il/files/manuals/eci/B-FOCuS_eng.ppt
(It will take a while as it's my cable line with 128Kb upload)

OpenOffice 1.1 on my computer had no problem opening it. If you do have
problems, let me know and I'll try to convert it to something more
conventional.

It's pretty short, but has all the basics covered.

Guy



Re: Cable Internet, 012, and what's between it...

2003-12-10 Thread Guy Teverovsky
On Wed, 2003-12-10 at 00:33, Shaul Karl wrote:
> On Tue, Dec 09, 2003 at 11:07:37PM +0200, Dan Fruehauf wrote:
> >
> > move to another ISP, Netvision Probably. (in short - 
> > because they told me they can fix me a static ip and i wouldnt have to add 
> > any $$).
> > 
> 
> 
>   I want to know if this is the case. I hope that I am not the only one.

Netvision (or any other ISP except Actcom) does not give static IPs.
What they can give you is a static IP in the cables network (actually they
will tell you to talk to the cable company to do that).

The idea behind static IP (actually, just VERY long DHCP lease) is to
make dumb home routers, that do not have DHCP+PPTP functionality,
connect through PPTP.

In any case, you can connect to Netvision using either PPTP or L2TP
protocol.

Guy




RE: Cable Internet, 012, and what's between it...

2003-12-10 Thread Guy Teverovsky
On Wed, 2003-12-10 at 08:27, Michael Sternberg wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Dan Fruehauf
> > Sent: Tue, December 09, 2003 11:08 PM
> > To: [EMAIL PROTECTED]
> > Subject: Cable Internet, 012, and what's between it...
> > ...
> > ... beware of the evil 012 ...
> > ...
> 
> Strange. I'm connected to 012 via MATAV cables and happily use Linux with
> IP received via DHCP. Maybe it depends on the geographic area (Haifa) ?
> More than that - the MATAV-supplied modem is capable of providing network
> via NIC and via USB. And if I connect both - I receive two valid IPs via
> DHCP..

Only at Matav and only when your ISP does not force the use of a dialer
(aka you connect using DHCP). And you are limited to 3 public IP
addresses, but those can turn out to be in different subnets.

Guy




Re: Cable Internet, 012, and what's between it...

2003-12-10 Thread Guy Teverovsky
On Wed, 2003-12-10 at 10:00, Shachar Shemesh wrote:

[snip]
 
> >
> When you connect to the internet, you get an IP. The IP is marked, at 
> the ISP's side, as belonging to you. If that IP address does something 
> bad, it's your door the police are going to be knocking down on.
> 
> Now, how possible is it going to be for you to claim that this does not
> prove anything? You could hire my services, which is not a bad thing in
> and of itself, but does not guarantee that the trial is going to go your
> way.
> 

Hint: cable modem MAC address which can be easily tracked.

> Personally, I'd rather not even start.
> 
>  Shachar



Re: Cable Internet, 012, and what's between it...

2003-12-10 Thread Guy Teverovsky
On Wed, 2003-12-10 at 22:15, Alex Chudnovsky wrote:
[snip]
> >
> I have a regular 6104. May you tell me how you configured your router to use 
> BOTH DHCP and PPTP? I've encountered only the option of using either this or 
> that.

You can't.
What you can do is to call your Cable company and ask for static IP in
cables network (172.bla.bla.bla). After that, configure your router
according to this guide:
http://www.netguru.co.il/files/manuals/edimax/edimax.pdf
(sorry boys and girls, I have only Hebrew version)

Check the second part about configuring the router. The first part talks
about setting up your Windows box so it can connect to the router web
interface.

Cheers,
Guy




Re: Hebrew HTML Help: Bullets or Numbers in Lists appear at the right

2003-12-14 Thread Guy Teverovsky

Vote for the bug: http://bugzilla.mozilla.org/show_bug.cgi?id=140611

Guy


On Sun, 2003-12-14 at 17:01, Shlomi Fish wrote:
> Hi!
> 
> In the document:
> 
> http://t2.technion.ac.il/~shlomif/rub-a-dub/rub-a-dub-dub-heb_final.html
> 
> In Mozilla, the numbers and bullets of <ol> and <ul> lists appear at the
> far right of the screen. This is despite the fact that in Konqueror 3.1.x
> they appear fine, and that with simple pages
> (like http://www.mozilla.org.il/get-involved.shtml) they appear fine as
> well.
> 
> I have no idea what is causing it. Both the body and the <ol> and <ul>
> tags have a dir="rtl" attribute. This document was generated from an
> OpenOffice document, so something may be wrong there, but I tried
> everything I can think of.
> 
> Can anybody tell me what to do?
> 
> Regards,
> 
>   Shlomi Fish
> 
> 
> 
> --
> Shlomi Fish[EMAIL PROTECTED]
> Home Page: http://t2.technion.ac.il/~shlomif/
> 
> Writing a BitKeeper replacement is probably easier at this point than getting
> its license changed.
> 
>   Matt Mackall on OFTC.net #offtopic.
> 
> 



Re: contact management

2003-12-19 Thread Guy Teverovsky
On Thu, 2003-12-18 at 23:07, Gil Freund wrote:

[snip]
> 
> I did that. I use LDAP now for authentication and mail routing for all 4 
> of my enterprise network users.
> I also used PHPGroupware as a front end to enter contact information so 
> I can access it via Mozilla and such. I since dropped phpgroupware and 
> am Using TUTOS which uses an SQL back end.
> LDAP has the following shortcomings (as far as I am concerned)
> 1. ACL's are external to the directory, which makes it hard to have 
> private, public and shared contacts.
Check these examples:
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html#GROUPADMIN

> 2. There is a shortage of reasonable front ends for data entry tools
> which comply with standard schemes. rolodap and phpgroupware are the
> only ones I have seen so far. There are general purpose interfaces which
> give you access to the whole directory tree and allow you to perform a
> lot of functions, and you can always write up LDIF files... But, no
> simple phone book style data entry.
> 
Check out the Directory Administrator:
http://diradmin.open-it.org/index.php

> Just a note, if you allow external access to your LDAP server, be sure
> to use SSL. If you don't keep security related or sensitive information
> and you don't care about other people reading your phone book, you can
> use normal access, but make sure you use an anonymous connection.
> 
> > 
> > --Amos
> > 
> > 
> > 



Re: Diagnostics - Part ][

2004-01-16 Thread Guy Teverovsky
On Fri, 2004-01-16 at 08:12, Ori Idan wrote:
[snip]  
> Windows Live-CD... No there is not and it is impossible I think due to
> both technical and marketing reasons. Windows is a proprietary operating
> system and thus they would not want anyone to use it this way without
> paying...
> Another beauty of linux is that you can build live-CD's...
> 

Google for Windows PE (Pre-installation Environment)
(available only for volume license customers)

A good example of a Windows-based CD is ERD Commander:
http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp
A free alternative for PE can be found here: http://www.nu2.nu/pebuilder/

So it IS possible and it DOES exist.

Guy

> --
> Ori Idan
> 
> 



Re: Annoyance with Israeli ISPs

2004-02-07 Thread Guy Teverovsky
Totally agree with every word. Yet my couple of cents:

The reason behind enforcing PPTP/PPPoE/PPPoA/L2TP/whatever tunnels is
provisioning, accounting and QoS - all those can not be done to the
satisfying extent when you are connected directly through DHCP.

When on DHCP, the ISP has no ability to identify and classify the
client. Consider the following services that ISPs provide today:
- Have not surfed ?  Will not pay. (if the ISP can not identify the
customer, the service will not be available to the end user)
- QoS and prioritizing. With DHCP the ISP has no ability to treat each
end connection separately and can only shape the traffic as a whole.
- Have you considered the legal sides ? How can the abuse department track
down a customer who is abusing the net ?
- How do you track a client which is spreading SPAM from his computer ?
(no tunneling = no easy way to trace back the abuser)

The list goes on and on. I do not work for an ISP and I guess there are a
lot of points I have missed.

Guy

On Sat, 2004-02-07 at 18:31, Ariel Biener wrote:
> On Sat, 7 Feb 2004, Itamar Ravid wrote:
> 
> > The point in this post - I was wondering if there is anyone here who connects
> > directly using DHCP. Using the PPTP dialer slows my boot-process by ~15 seconds,
> > since the PPTP tunnel apparently takes some time to be established. Also, if I
> > wasn't using a GRE tunnel, my Netfilter matters would be less complicated.
> 
> 
> My my, 15 seconds delay at boot time !!! That must completely ruin your
> computing experience, I say switch ISPs.
> 
> 
> Now with that out of the way, this complaint can clearly show you why the
> Israeli customer is such an annoying one, never satisfied, always
> bickering and complaining.
> 
> Had you been in the US or even Europe, you'd be told the following:
> 
> 1). We offer PPtP connections.
> 2). We do not offer anything else.
> 
> That response would be uniform across the board.
> 
> You must understand that maintaining various ways of connecting means $$$
> for the ISPs, complicated procedures, both in Customer Support and network
> maintenance, and other problems I am not going to go into.
> 
> Since this "service" (DHCP direct) offers a minuscule advantage to you (15
> seconds shorter boot time, and one less iptables rule), I'd say that your
> ISP is not being unfair to you. However, if you chose Ilya's (in a reply
> mail to you) 1st point (threatening to leave), I believe you will be
> unfair to them. Not that Israelis care about others.
> 
> --Ariel
> >
> > --
> > Regards, Itamar Ravid
> > [EMAIL PROTECTED]
> >
> 
> --
> Ariel Biener
> e-mail: [EMAIL PROTECTED]
> PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html
> 
> 



Re: Annoyance with Israeli ISPs

2004-02-07 Thread Guy Teverovsky
On Sun, 2004-02-08 at 02:42, Ilya Konstantinov wrote:
> Hi Guy,
> 
> Maybe it wasn't your point, but it's all in the best traditions of
> driving a "high level" discussion into technicalities :)
As long as it's not a flame war, I'm with you on that one.
> 
> > When on DHCP, the ISP has no ability to identify and classify the
> > client. Consider the following services that ISPs provide today:
> > - Have not surfed ?  Will not pay. (if the ISP can not identify the
> > customer, the service will not be available to the end user)
> 
> The ISP can identify the user by performing DHCP LEASEQUERY command on
> the cables' Cisco DHCP server. This will return the modem's MAC
> address, which identifies you as a subscriber.
Problematic... If you are a "pure DHCP" customer, you get the IP from the
cables company and not your ISP. The ISP allocates a DHCP pool for this
purpose and the cables company maps the cable modem's MAC to appropriate
DHCP pool. As the DHCP is provisioned by the cables company, the ISP has
no real control over the logs, etc... Even if the ISP has appropriate
access, they would rather prefer to handle this by in-house means.
This brings us to the logging issue: the ISP has no on-line access to the DHCP
server logs and history (consider an abuse investigation involving an
expired DHCP lease). Well... you get the point.

> I don't know what cable solutions other vendors have. The Israeli
> cables use Cisco (according to their MACs :).
Indeed.

> 
> > - QoS and prioritizing. With DHCP the ISP has no ability to treat each
> > end connection separately and can only shape the traffic as a whole.
> 
> Not familiar with the technology. Shaping on the IP level (by source
> IP) doesn't work very well?
I am not a traffic shaping guru, but from what I understand, each tunnel
client can be shaped/policed where the tunnel terminates as you are
dealing with an interface and are not filtering based on some criteria.
Shaping based on IP will require additional overhead on the routers. 
And what about the cases when you have a mail server spreading SPAM
which is spoofing its source IP address ? You can easily block the
wrong customer if you are dealing only with source IP.

> 
> > - Have you considered the legal sides ? How can the abuse department track
> > down a customer who is abusing the net ?
> 
> See above.
See above :-)
> 
> > - How do you track a client which is spreading SPAM from his computer ?
> > (no tunneling = no easy way to trace back the abuser)
> 
> See above.
See above :-)


Guy



Re: Annoyance with Israeli ISPs

2004-02-07 Thread Guy Teverovsky
On Sun, 2004-02-08 at 03:54, Ilya Konstantinov wrote:
[snip]
> 
> > And what about the cases when you have a mail server spreading SPAM
> > which is spoofing it's source IP address ? You can easily block the
> > wrong customer if you are dealing only with source IP.
> 
> Cisco's "source-verify" feature effectively enforces your source IP,
> by only allowing outgoing packets from an IP which you were given
> by a DHCP lease.
> 
> http://www.cisco.com/warp/public/109/source_verify.html
> 
> Besides, not sure it's possible to talk SMTP (or any TCP protocol) from
> a spoofed source IP. I mean - you gotta establish a connection first...

It must be the hour. You are right, of course.
Yet (without source-verify, which I am not sure is enforced in Israel)
you can not trace DoS reflectors attack originated from spoofed source
IP (http://www.vayner.net/dos/dos.html#_Toc34219058)




Re: Windows Security Model (Configuring GDM to limit user actions)

2004-02-10 Thread Guy Teverovsky
In the spirit of "Know your enemy" (well, actually I admit to being more MS
oriented), I will drop my couple of cents...

On Tue, 2004-02-10 at 13:41, Ez-Aton wrote:
> Well then, I'm just not the type. I'll elaborate.

> [snip]
> > This isn't against you specifically Ez, every Win* user I know thinks
> > the *previous* Windows sucks big time... isn't it weird?
[skipping so as not to start a flame bait]

> Not exactly. For some time now, Windows 2003 Server is at hand, and I still 
> claim Windows 2000 to be a good product (generally speaking). Windows 2000 
> Server implements the AD mechanism (unlike Win2000 Pro), but it's not a 
> kernel based part, but a module, you can run the system without (AD 
> Maintenance mode).
AD in general is a bunch of bundled services. You can remove AD from
your server and can get it up and running back again. 

[snip]
> 
> >
> >   3. For site-wide hierarchical management many use LDAP. It is already
> >  integrated in the important infrastructural applications -- login,
> >  (via pam) Mail (sendmail, postfix, imap4, etc.) and more.
> 
> Agree. But it's not the native way of doing things, yet. Implementing an LDAP 
> schema is based on picking up the correct schema, while, although it reduces 
> the choice, AD (which is based on LDAP and Kerberos) has already built-in 
> schema.
Another important point is the lack of granular ACLs you can apply to
OpenLDAP objects/attributes. AD here does IMHO much better job. It is
not trivial, but very powerful. The ACL lets you easily delegate tasks
to other people, while, when properly maintained, protecting your data.

[snip]
> >
> > I think one of the problems we have in attaching security information
> > to the user login, is that there are many cases of "non-login" usage:
> >   - Someone is running a process via rsh/ssh (this isn't login).
> >   - Someone is using my DISPLAY (consuming resources).
> >   - Someone is using my disk via NFS (again,... resources).
> >   - Packets are being routed via my computer (there are no "user"
> > credentials in the packets at all..)
> 
> Agree.
In your spare time google for "QoS Admission Control" and "IP Security
Policy". In Microsoft world all the points you raised can be easily
managed (although it is VERY rare to stumble on a sysadmin using those.
Well... More points in my CV :) )

> 
> >
> > Let's combine the above points into a real-life scenario:
> >   I sit at computer A running via SSH a program on computer B
> >   (with its DISPLAY appearing on A of course). The program was
> >   loaded from my NFS server C and establishes a connection
> >   to a server D, and the packets are routed through router E.
> >
> > Now since the user activity is distributed, it's non-trivial
> > to apply some central policy to his actions.
See above. I can choke any Winbox in my network :)

> >
> 
> Not exactly. You could, through a central LDAP/other directory, which 
> Computers A, B & C are to AAA against, the rules which apply to a specific 
> user/computer. If you're permitted to use DISPLAY on other computer, but 
> allowed to run only X,Y &Z, that's what you'll run (Computer B now). Computer 
> A asks if it's allowed to show DISPLAY, for who and from where, Computer B 
> checks if you're allowed to run the software you're running, your server, D, 
> checks what are your permissions regarding NFS, quota, etc, and computer E 
> checks the source, target, and may be given details about your UID. If all 
> computers are checking against a directory located on computer F (with live 
> replica to computer G), you could and should be able to maintain one security 
> and permission directory service and tables, and no more. That's good for an 
> organization.
Sounds painful... 
I would prefer to see the services Kerberized. Much easier to manage.

> 
> > You are correct that having a central policy helps. But the hard
> > question is if we can do it *without* sacrificing our
> > distributed world ("The network is the computer" [McNealy]).
> 
> No. See above.
Kerberos based AAA anyone ? 

> 
> >
> > > (I enforced Proxy settings for IE on every client computer just
> > > yesterday),
> >
> > I'm not sure I understand what you mean by "enforced". Does it change the
> > settings in the Explorer preferences? Then this is not enforcement because
> > it depends on the cooperation of the Explorer program -- What would prevent
> > a user modifying the behaviour of Explorer? security by obscurity.
> 
> It changes the settings per computer in my Domain. Yes. You had proxy settings 
> ten minutes ago, now you don't. You can't change them back (if I decide you 
> can't), and even if you could, give the computer ten minutes on the net, and 
> they'll be back to what I've predefined. That's the power of the GPO.
> 
> > The correct place to enforce proxy settings is the firewall regardless
> > of the OS.
You think so ?
Suppose you have a bunch of proxies and you want certain groups of users
or computers to point to differen

Re: Windows Security Model (Configuring GDM to limit user actions)

2004-02-10 Thread Guy Teverovsky
On Tue, 2004-02-10 at 22:51, Gil Freund wrote:
[snip]
> 
> This is also the weakness of it. GPO does not modify the security of 
> settings of the registry keys (as I assumed first time I used it), but 
> overrides them with the server stored keys. This gives a reasonably 
> intelligent user a window (hahaha) of opportunity.
[GPO of your choice]-->Computer Settings-->Security Settings-->Registry
Give it a try. 


Guy





Re: Windows Security Model (Configuring GDM to limit user actions)

2004-02-10 Thread Guy Teverovsky
On Wed, 2004-02-11 at 02:17, Oron Peled wrote:
> On Tuesday 10 February 2004 23:49, Guy Teverovsky wrote:
> > AD in general is a bunch of bundled services. You can remove AD from
> > your server and can get it up and running back again. 
> 
> Does it mean it only affect other applications? or does the kernel
> somehow "calls back" AD to ask policy questions?
> 
> This question is important because it ultimately determines the level
> of *enforcement* AD has over applications. This is because user space
> applications or libraries may be subverted in various ways and thus not
> respect the settings AD ordered them. Only kernel level enforcement
> will achieve the required effect in these cases.

Let me re-phrase that:

From the server(s) side: you can demote a Domain Controller hosting an AD
to a stand-alone server. You can also boot the box without AD services
loaded (used for AD restore/maintenance)

Clients: you can disjoin the client from the AD domain (you need the "Add/Remove
computer to domain" right - by default Local Admin). As long as the
client computer is in the AD domain, the AD will enforce the security
model on the client (you can control computer-specific or user-specific
settings). I would not call it "kernel level", but rather Local System
Authority (LSA) level, which is not userland. I am having a hard time
defining "kernel level" in NT based OSes (is it just me ?)
Having local admin on the client might give you some leverage in default
configuration and let you block the security model enforcements, but the
local admin rights can be revoked using the same old buddy named GPO. So
you might find yourself having local admin, but not being able to
disjoin the machine from AD or block the enforcements. You can even
restrict local logons without authenticating against AD. 
Heck... I once managed to lock myself out of a workstation by using too
strict a GPO and could not do anything even though I had a local admin
account :) 

> 
> Even if AD is user space only, it may still be very useful as a central
> facility for controlling (cooperating) applications, but not as enforcement
> mechanism.
> 
> > Another important point is the lack of granular ACLs you can apply to
> > OpenLDAP objects/attributes. AD here does IMHO much better job. It is
> > not trivial, but very powerful. The ACL lets you easily delegate tasks
> > to other people, while, when properly maintained, protecting you data.
> 
> I'm not sure I follow you -- doesn't the 'access' directive in slapd.conf
> do exactly this? (man slapd.conf)
You mean that you must restart the service ? AD does that on the wire
(Ilya, thanks for pointing that out :) ).
I am repeating myself, but... No inheritance, no inheritance blocking.
OpenLDAP ACL is flat.

> 
> Of course most (but not all) Linux filesystems don't support ACL's so your
> claim is valid when directed to the granularity of Linux file permissions.
> > In your spare time google for "QoS Admission Control" and "IP Security
> > Policy". In Microsoft world all the points you raised can be easily
> > managed (although it is VERY rare to stumble on an sysadmin using those.
> > Well... More points in my CV :) )
> 
> That was interesting reading (BTW, net/sched/cls_rsvp.* implement this
> on standard Linux kernels at least since 2.2.19). However, to really control
> lan resources, the switches/routers should have some *authentication*
> mechanism to identify the DSBM -- otherwise people can easily hijack
> the network.
> 
> Example: http://www.mail-archive.com/[EMAIL PROTECTED]/msg12432.html

Now I have to do some reading... Thanks for the pointer.

> 
> > I would prefer to see the services Kerberized.
> 
> Now you hit the point. Kerberos solves the distributed services problem:
>   - Because it is authenticated.
>   - Because the client and the server don't have to trust each other.
> 
> However, it seems that per user IP-policies (outside of the specific box) are
> still an illusion as IP packets don't carry the user information. We can 
> dictate them only on cooperating hosts.
Agreed. You can do your best to optimize the network, but meanwhile there
are ways out.


Guy



Re: [OT] Israeli Daylight Saving enabled time zone for Windows

2004-04-08 Thread Guy Teverovsky
On Thu, 2004-04-08 at 19:12, Shachar Shemesh wrote:
[snip]
> tzedit is only available through the Platform SDK, which in turn is only 
> truly available through MSDN, for which I paid full price. We tried to 
> get a discount for Hamakor members, but Microsoft didn't see us as an 
> interesting group to encourage. Strange, that.
> 
> The beauties of being a monopoly.

I would stick to the facts:

1) tzedit is part of the NT 4.0 or Windows 98 Resource Kit and has been there
for ages:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;247024
http://www.jsiinc.com/SUBC/tip1400/rh1468.htm

2) timezone.exe does a better job and is available as free download:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;194364

3) If you want more creative solution, take a look at my post at Tapuz:
http://www.tapuz.co.il/tapuzforum/main/Viewmsg.asp?forum=956&msgid=29612710
(sorry folks, it's in Hebrew)

If anyone wonders, the registry entries are constructed using tzedit.exe
interface and exported from the machine on which the changes were
performed.

Also be aware, that 9x and W2K/XP need different registry entries
(google will give you the correct KB for this one)

Cheers,
Guy

-- 
Smith & Wesson - the original point and click interface





Re: [OT] Israeli Daylight Saving enabled time zone for Windows

2004-04-09 Thread Guy Teverovsky
On Fri, 2004-04-09 at 07:59, Shachar Shemesh wrote:

> >>tzedit is only available through the Platform SDK, which in turn is only 
> >>truly available through MSDN, for which I paid full price. We tried to 
> >>get a discount for Hamakor members, but Microsoft didn't see us as an 
> >>interesting group to encourage. Strange, that.
You can't blame them for that :-)

[snip]
> >3) If you want more creative solution, take a look at my post at Tapuz:
> >http://www.tapuz.co.il/tapuzforum/main/Viewmsg.asp?forum=956&msgid=29612710
> >(sorry folks, it's in Hebrew)
> >  
> >
> Why is it more creative? The guy uses an INF instead of a REG file, and 
> has a script. Otherwise, it's precisely the same solution.
The guy is me. 
Notice that I account for the fact that W2K and XP by default store the
Israeli timezone settings under "HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Time Zones\Israel Standard Time" and not "Jerusalem
Standard Time" (as opposed to NT)

If you do not want to confuse the users by having double entry for
Israel, you need to get rid of "Israel Standard Time".
More than that, your reg file will create on XP 2 timezone entries with
the same index of 0x87 (135) (one Jerusalem TZ and one Israeli TZ),
which has been proved in my tests to make XP a very unhappy puppy.


Cheers,
Guy

-- 
Smith & Wesson - the original point and click interface





Re: Linux distribution for black-box type firewall/router

2004-04-13 Thread Guy Teverovsky
On Tue, 2004-04-13 at 17:02, Omer Zak wrote:

[snip]
> 
> Recently it was advertised that some models of Cisco routers have backdoor
> with default passwords.  I don't have the reference on hand.

http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml

Guy
-- 
Smith & Wesson - the original point and click interface





Re: Good Working Hours [was Re: Apache2 lecture - at what time?]

2004-04-19 Thread Guy Teverovsky
On Mon, 2004-04-19 at 11:55, Shlomi Fish wrote:
[snip]
> > > Furthermore, I define _good_ Info-Tech Worker Hours as a 40-hours week
> > > (8 work hours per day - 9 to 5 or something similar).
> >
> > you must not have left the university walls lately. 
> 
> Perhaps, but I still have learned a few things since then.
[snip]
> Such places are not run well.
[snip]
> Just because the majority of workplaces are doing something, doesn't mean it's 
> right.
[snip]
> Joel Spolsky once described this over-employment hours as 
> "Work-T.V.-Sleep-Work-T.V.-Sleep" (i.e: no life in between).
[snip]
> Many startup entrepreneurs are clueless in regards to team management (or 
> other areas). I suppose that as a worker in such a workplace, I can try to 
> educate them about research that was conducted in this area by more educated 
> people before them. If not, I'll probably try to find a better place.
> 
[snip]


And then I wake up and the reality kicks in...

Guy
-- 
Smith & Wesson - the original point and click interface





Re: RedHat 9 problem with IP_Forwarding

2004-04-25 Thread Guy Teverovsky
echo "1" > /proc/sys/net/ipv4/ip_forward
To make it permanent add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1

If you do not have static IP assigned by your ISP, you will also need:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
The corresponding line in /etc/sysctl.conf is:
net.ipv4.ip_dynaddr = 1

Guy

On Sun, 2004-04-25 at 19:36, David Suna wrote:
> Thanks to some off list help I was able to get my ISDN connection up
> with Bezeq.  The problem was that I needed to upgrade my
> redhat-config-network package and the rhpl package as well.  I thought I
> had done it but it turns out I hadn't.  Upgrading solved the problem.
> 
> I am now on to my next problem.
> 
> When I was running RH7.3 I had the Linux box set up with ip_masq and
> ip_filter to be the Internet gateway for the other machines on the
> network.  I am trying to do the same now but it is not working.  I am
> able to connect to the Internet from the Linux box.  I am able to ping
> the Linux box from the other machines on the LAN.  I have Samba running
> and I am able to browse the Linux box from the Windows machines. 
> However, when I try to ping an IP address (i.e. 192.0.34.161
> www.internic.net) from the Windows boxes on the LAN I get Request timed
> out responses.  I do see that the request is going out on the ISDN
> connection but it doesn't seem to be going back to the machine on the
> LAN.  I ran tcpdump and saw the icmp: echo request recorded.
> 
> The problem seems to be that the packets from the LAN machine are going
> out onto the Internet as coming from 192.168.0.4 which are then being
> ignored.  I believe the problem is with my routing table but I don't
> know how to fix it.
> 
> The output from route -n is:
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric RefUse
> Iface
> 192.168.0.0 0.0.0.0 255.255.255.0   U 0  00
> eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0  00
> eth0
> 127.0.0.0   0.0.0.0 255.0.0.0   U 0  00
> lo
> 62.0.0.00.0.0.0 255.0.0.0   U 0  00
> ippp0
> 0.0.0.0 62.219.193.10.0.0.0 UG0  00
> ippp0
> 
> Any fixes or pointers to documentation that would tell me how to fix
> this would be appreciated.
> 
> Thanks,
> David Suna
> [EMAIL PROTECTED]
> 
> 
> 
-- 
Smith & Wesson - the original point and click interface


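The gateway David describes (masquerading the LAN behind the ISDN link, refusing connections from outside while keeping the box's own services reachable from the LAN, and surviving a reboot), as an added example that is neither David's rules nor the script Guy attaches in his follow-up. It assumes the interface names from David's routing table (ippp0, eth0), the 192.168.0.0/24 LAN and a service list of ssh/telnet/http; all of these are assumptions and can be overridden from the environment.

```sh
#!/bin/sh
# Added example, not the thread's own script.  By default it only PRINTS the
# iptables commands (dry run), so the ruleset can be reviewed before it
# touches a live kernel; run as root with APPLY=1 to execute and persist it.

EXTIF="${EXTIF:-ippp0}"          # Internet-facing interface (the ISDN link)
INTIF="${INTIF:-eth0}"           # LAN interface
LAN="${LAN:-192.168.0.0/24}"     # LAN subnet that gets masqueraded
LAN_SERVICES="${LAN_SERVICES:-22 23 80}"   # gateway TCP ports open to the LAN

# Emit one iptables command per line; nothing is executed here.
gateway_rules() {
    # start from a clean slate (filter and nat tables, user-defined chains)
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -X"

    # default deny for anything arriving at or passing through the box;
    # the box itself may talk out freely
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # loopback, plus replies to connections the gateway itself opened
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # anti-spoofing: LAN addresses never legitimately arrive on the WAN side
    echo "iptables -A INPUT -i $EXTIF -s $LAN -j DROP"
    echo "iptables -A FORWARD -i $EXTIF -s $LAN -j DROP"

    # services on the gateway that LAN hosts may use (telnet, http, ...).
    # Nothing is opened on $EXTIF, so no new connection from outside is
    # accepted: the INPUT policy above drops it.
    for port in $LAN_SERVICES; do
        echo "iptables -A INPUT -i $INTIF -s $LAN -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -i $INTIF -s $LAN -p icmp --icmp-type echo-request -j ACCEPT"

    # LAN -> Internet, and only the replies back in
    echo "iptables -A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT"
    echo "iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # rewrite the LAN source to the (possibly dynamic) WAN address; this is
    # what was missing when packets left the ISDN link as 192.168.0.4
    echo "iptables -t nat -A POSTROUTING -s $LAN -o $EXTIF -j MASQUERADE"
}

# Execute the generated rules, enable forwarding and save the ruleset where
# the RedHat iptables init script reloads it on boot.
apply_rules() {
    gateway_rules | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv4.ip_dynaddr=1      # WAN address changes per dial-up
    iptables-save > /etc/sysconfig/iptables
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    gateway_rules
fi
```

Run it once without APPLY and read the output; only the sysctl lines from Guy's answer still need to go into /etc/sysctl.conf by hand.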



Re: Re: RedHat 9 problem with IP_Forwarding

2004-04-26 Thread Guy Teverovsky


See attached the cut-down version of the script I use.
It has port forwarding examples and a bunch of things I added.


Guy

On Mon, 2004-04-26 at 17:17, David Suna wrote:
> Yes, the problem seems to be with the IPTABLES.  I used the RedHat tool 
> for setting up the IPTABLES but that didn't seem to work.
> 
> I found the instructions below to clear out and set up a simple table for 
> masquerading.
> iptables -F
> iptables -t nat -F
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> 
> Now I need to figure out how to add to this to include disabling any 
> outside connections (while still allowing the machines on the LAN to use 
> the services of the Linux box, i.e. telnet, http etc.).
> 
> Also, I need to figure out how to save this so that the 
> 
> Thanks,
> David Suna.
> 
> On 26 Apr 2004 at 15:28, Shaul Karl <[EMAIL PROTECTED]> wrote:
> 
> On Mon, Apr 26, 2004 at 09:01:40AM +, david wrote:
> > I have all of that set up.  Before I had ip_forward turned on the
> > packets didn't even go out on the Internet.  Now they go out but with
> > the wrong IP address (i.e. they say they are coming from 192.168.0.4
> > instead of the IP address of my Internet connection).
> 
>   
>   iptables (the firewall rules)?
> David Suna
> David's Consultants R.G.A Ltd
> [EMAIL PROTECTED]
> 972-2-993-8613
> 
> 
-- 
Smith & Wesson - the original point and click interface

[attachment: iptables.txt]

#!/bin/bash

IPTABLES=/sbin/iptables

# Servers
WWWSERVER="192.168.0.3"
MAILSERVER="192.168.0.101"

# Network information you will need to adjust
EXTIF="eth0"
INTIF="eth1"
INTERNALNET="192.168.0.0/16"
INTERNALBCAST="192.168.0.255"
MYADDR="X.Y.Z.W"   # Needed for DNAT

# Pathnames
DMESG="/bin/dmesg"
IPTABLES="`which iptables`"

# --- Flush everything, start from scratch ---

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# --- Global settings - see /etc/sysctl.conf ---

# --- Set policies ---

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# --- Declare additional chains ---

# a chain for dealing with icmp traffic: create it if it does not exist
# yet (first run), then flush it so the script can be re-run safely
$IPTABLES -N icmp_packets 2>/dev/null
$IPTABLES -F icmp_packets

# --- DoS - see /etc/sysctl.conf ---

# --- Set basic rules ---

# Kill ANY stupid packets, including:
# - packets that are too short to have a full ICMP/UDP/TCP header
# - TCP and UDP packets with zero (illegal) source and destination ports
# - illegal combinations of TCP flags
# - zero-length (illegal) or over-length TCP and IP options,
#   or options after the END-OF-OPTIONS option
# - fragments of illegal length or offset (e.g., Ping of Death).
# Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html

#Drop bad packets
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP

#Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Allow all connections on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT

#Kill connections to the local interface from the outside world.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT

#Allow unlimited traffic from internal network using legit addresses
$IPTABLES -A INPUT -i $INTIF -s $INTERNALNET -j ACCEPT

#Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i $EXTIF -s $INTERNALNET -j REJECT

#Allow ALL forwarding going out
$IPTABLES -A FORWARD -o $EXTIF -i $INTIF -j ACCEPT

#Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

##Allow established connections
$IPTABLES -A INPUT -m state --sta

Re: Single sign-on in Linux ?

2004-04-28 Thread Guy Teverovsky
On Thu, 2004-04-29 at 01:00, Yonah Russ wrote:
> Active directories is very heavy on kerberos- it's theoretically 
> possible to use the same kerberos for both the active directory and 
> linux- I've read you can even convince active directories to use a linux 
> kerberos server.
Heavy on kerberos ?
This is not theory. I have done it more than once. It works.
AD itself can not use non MS-Kerberos. AD clients, on the other hand,
can be configured to authenticate against KerberosV non-Microsoft realm
(kadmin utility - support tools).


> 
> I only briefly looked into this b/c it means switching to kerberized 
> daemons, etc. very annoying.
Depends upon your needs. pam_krb5 solves most of the problems.

[snip]

There are several approaches to SSO in this situation:

1) extending W2K AD schema to incorporate Posix schema extensions (using
Services For Unix schema extensions) and to use Microsoft's LDAP as
Posix account settings store, while doing either Kerberos or LDAP+SSL
authentication.
Downside: you need to be the AD admin and understand the impact on
security (this approach will require weakening AD security)

2) W2K3 schema lets you create user objects of inetOrgPerson class,
instead of default "user" class. This one is standard RFC class and can
be used by Linux clients.
Downside: depending on the AD size and applications installed, there
might be some issues and again, it requires to alter the AD defaults and
perform some conversions in AD

3) The way I do it:
- Linux LDAP which pulls its data from AD (sAMAccountName, givenName,
sn, well... whatever is useful and you want from AD) and imports it into
OpenLDAP, keeping the relevant attributes in sync.
- Linux client uses OpenLDAP as its nsswitch backend. The user's
password in OpenLDAP is a special entry that points to the user's Kerberos
principal in AD.
- A user trying to log on is looked up in OpenLDAP, their Kerberos principal
is pulled and the user is authenticated using the pam_krb5 module.


All that said, if you do not mind having the users configured locally
(/etc/passwd), and yet have them authenticate against AD, the setup is
pretty simple. All you need to do is to edit the /etc/krb5.conf and
/etc/krb5.realms files and make sure the username in /etc/passwd matches
the username in AD (you will of course need to adjust PAM to use
pam_krb5).

Guy
-- 
Smith & Wesson - the original point and click interface





Re: Single sign-on in Linux ?

2004-04-28 Thread Guy Teverovsky
On Thu, 2004-04-29 at 01:08, Oron Peled wrote:
> On Thursday 29 April 2004 01:00, Yonah Russ wrote:
> > Active directories is very heavy on kerberos- it's theoretically 
> > possible to use the same kerberos for both the active directory and 
> > linux- I've read you can even convince active directories to use a linux 
> > kerberos server.
> 
> I would be very cautious about this. Take a look at:
>   http://www.usenix.org/publications/login/1997-11/embraces.html

The only difference is that the "application-specific data" field in the
Kerberos ticket contains SIDs (security identifiers) of the groups the
user is a member of. As non-Microsoft clients do not need this field, and
this does not break the authentication process, I would personally say
that the claims are baseless. More than that, the PAC (privileged
access certificate - the "application-specific" field in the Kerberos
ticket) has been published long ago:
http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=BF61D972-5086-49FB-A79C-53A5FD27A092
(link may wrap)


> 
> As usual, MS "extended" the protocol with some undocumented credential
> information specific to Windows. They also chose to do it in a brutal way
> by using fields marked in the RFC as "unused".

As I said: MS uses the RFC defined "application-specific" field. You can
bash about its implementation, but it's not an RFC violation.


> Now, there is some interoperability:
>  http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> 
> But while it looks obvious that Unix/Linux machines would authenticate against
> a W2K kdc, I'm not sure if a Win* client that authenticate against a nominal
> MIT kdc, get all the features (I'm not very fluent in MS-speak :-), or maybe
> it is only authorized for a "compatibility mode" subset of features (which is
> what I would expect MS to implement).

Depends. MS Kerberos is not multi-part. You can not have Kerberos
principals in form of moshe/[EMAIL PROTECTED] - you need to explicitly do
some mappings to have multi-part entries.
Yet, there are more than enough places in the world (usually
universities) that do MIT Kerberos authentication for AD clients without
breaking anything.

Of course, in the case of MIT KerbV, there are limitations to what AD
can provide you, as in any case when you try to break apart a bundle of
tightly working services. AD was not built with external services doing
its own job in mind, yet it can provide compliant services to non-MS
clients.

BTW, watch out: by default Kerberos TGT lifetime in AD is 8 or 10 hours
(W2K or W2K3). After that you need to kinit to renew the ticket or you
can use winbind from Samba3, which will do the work for you (never
tested that, but saw it mentioned).


Guy
-- 
Smith & Wesson - the original point and click interface





Re: Competitor to VMWare?

2004-05-27 Thread Guy Teverovsky
Actually UML is not that complicated considering the fact that
precompiled kernel rpms exist (both for host and for UML machines):
http://www.nrh-up2date.org/howto/uml/packages/
 
Guy

On Thu, 2004-05-27 at 18:06, Tzafrir Cohen wrote:
> On Thu, May 27, 2004 at 04:14:43PM +0200, Uri Sharf wrote:
> > The User Mode sounds interesting, any experience with that?
> 
> One exception: You need a modified kernel for the simulated system.
> 
> For instance, I want to install a standard distro on that simulated 
> machine. Here's what you need to do to install RedHat on it:
> 
>   http://linuxhacker.ru/uml/
> 
> In short: you need to modify the kernel of the installer. Thus you can't
> simply use standard install media. Far from being trivial.





OpenSSI cluster and Lustre file system

2004-08-04 Thread Guy Teverovsky

Does anyone have any experience with the above-mentioned?
What I am looking for in particular is whether anyone has managed to
configure OpenSSI and/or Lustre FS on a relatively up-to-date free distro.

Any feedback is more than appreciated.

http://openssi.org/
http://www.lustre.org/

Thanks,
Guy

-- 
Smith & Wesson - the original point and click interface





Re: Windows domain authentication through winbind when disconnected ?

2004-08-21 Thread Guy Teverovsky
W2K and up support caching of logon credentials.
As far as I know, if you want the same behavior on Linux, you will need
to pay for 3rd party software, like VAS from Vintela. 

Guy 

-- 
Smith & Wesson - the original point and click interface


On Sat, 2004-08-21 at 20:10, Oded Arbel wrote:
> Hi list.
> 
> I'm using Samba 3.05's winbind and nss_wins to authenticate against the 
> company's Active Directory Windows Domain. It works perfectly while 
> I'm on the company's network, but as soon as I'm disconnected (or 
> connected to a foreign network) I can no longer log in. I've noticed 
> that the unix pwdb doesn't even have my login information anymore, while 
> with previous versions I remember that logging in with winbind caused 
> a passwordless pwdb entry to be created - or that could have been a 
> configuration change: I'm not sure.
> 
> My laptop dual boots to Windows XP where I can login even when 
> disconnected - I guess that windows somehow caches login credentials for 
> use when the active directory server cannot be contacted. Is there some 
> way to get the same behavior in Linux ?






Re: how to set the initial value for domainname

2004-10-21 Thread Guy Teverovsky
[EMAIL PROTECTED] antid0t]$ cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=aristo.antid0t.net
GATEWAY=192.168.0.1

Those variables are picked at boot time.

If you want to set domain name without rebooting:
# echo "box.domain.com" > /proc/sys/kernel/hostname

For the wizard addicted:
$ redhat-config-network


Guy

On Thu, 2004-10-21 at 16:27 +0200, Dan Kenigsberg wrote:
> > btw,
> > i can't understand the connection between openoffice startup and the
> > availability of a nisdomain. 
> 
> This is a very good question indeed. I consider this an OpenOffice bug: on
> startup it queries my DNS for the IP of 'mycomputer.(none)' for some reason.
> 
> (FC1, openoffice.org-1.1.0-16)
> 





Re: Wireless advice

2005-01-06 Thread Guy Teverovsky
You might want to do some reading about WPA and 802.1x protocols.
The idea is that a host trying to connect to wired or wireless network
needs to authenticate in order to enable the port it is connecting to
(we are talking here about layer 2 authentication). 
The approach gives you a wide choice of authentication methods like
EAP-TLS, PEAP, smart cards, certificates, etc...

The open source implementation of 802.1x can be found here:
http://www.open1x.org/
 
Just my 2 cents...

Guy

On Wed, 2005-01-05 at 11:17 +0200, Shachar Shemesh wrote:
> Geoffrey S. Mendelson wrote:
> 
> >Always use WEP (encryption) 64 bit is good enough. It is NOT to
> >keep your data secure, don't ever assume that it will be,
> >but to keep people from using your network to send spam or
> >"share" kidde porn.
> >
> Actually, I was seriously considering not using it. The idea is that, 
> since WEP is so weak, I might as well do without altogether. Any host 
> wishing to do anything at all on my network, including browsing the 
> internet, will need to have openvpn installed and configured. Once 
> that's the case, there is no extra benefit from using WEP.
> 
>   Shachar
> 





Re: Wireless advice

2005-01-06 Thread Guy Teverovsky
On Wed, 2005-01-05 at 23:58 +0200, Dan Aloni wrote:
[snip]
> Regarding Windows drivers on Linux, I'd also like to recommend 
> another great piece of work named ndiswrapper [1].
> 
> I ended up using ndiswrapper because the 3Com PCMCIA card 802.11g 
> card that I ordered turned out to be a "WinModem"-like piece of 
> hardware.

At this point it is worth mentioning that Atheros chipset based 802.11g
cards do have open source drivers:
http://www.atheros.com/news/linux.html
http://madwifi.sourceforge.net/

As some 3Coms are Atheros based, I suggest you check here:
http://customerproducts.atheros.com/customerproducts/ There is a good
chance you will be able to use the Atheros drivers.

Guy 


 





RE: WINE registry structure

2005-01-16 Thread Guy Teverovsky
[snip]
> If merely adding keys is not enough, and removing keys is also
> necessary, you can write an INF file to do that. If memory serves me
> right, sufficient INF support is available in Wine to do most basic
> stuff an INF can do. That is not always enough, however. For example,
> INFs didn't used to be able to produce DWORDs, not sure about today.

You can delete registry keys with reg files by putting a leading hyphen
in the key's name: http://support.microsoft.com/kb/310516#delete

Guy





RE: Outlook web access reverse proxy horrors!

2005-01-27 Thread Guy Teverovsky

http://techrepublic.com.com/5208-6239-0.html?forumID=54&threadID=155468

The important lines in the vhost configuration are:
"RequestHeader set Front-End-Https On" (see
http://support.microsoft.com/kb/307347 for details)

"ProxyPreserveHost On"


Guy

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Ira Abramov
> Sent: Thursday, January 27, 2005 9:28 PM
> To: IGLU Mailing list
> Subject: Re: Outlook web access reverse proxy horrors!
> 
> Quoting Diego Iastrubni, from the post of Thu, 27 Jan:
> > >
> > For all those lazy people:
> >
> > http://www.penguin.org.il/guides/owa-rproxy/
> 
> well, that's the plain and simple way of doing reverse proxy and the
> first thing I tried of course, but this didn't work in so many ways on
> my installation that I can only guess that either the guy who installed
> the exchange at my site has done something odd and broke it (doubt that)
> or that the above howto was working for Exchange 2000 but not on the
> Exchange 2003 I was grinding my teeth on today.
> 
> I ended up giving up on this, as it's an intermediate solution anyway,
> until VPN is set up.
> 
> but thanks to Eli for finding this, for a second there I was
> optimistic :)
> 
> --
> No mere mortal
> Ira Abramov
> http://ira.abramov.org/email/
> 
> 






RE: CALL FOR PAPARS - August Penguin 2005

2005-02-05 Thread Guy Teverovsky

While reading the rules, several questions popped up in my head.

I have been working for a while on the subject of Linux & Microsoft
interoperability and Single Sign-On (SSO) in middle to large scale
environments and was considering suggesting this topic as a lecture for
Haifux or any other body interested in the subject. While I am willing to
suggest this topic to technical-academic track, I find the rules pretty
restrictive when addressing this specific topic. My comments are inline.

Regards,
Guy

[snip]
> Any software presented has to be licensed under an open source
> license, as defined by http://opensource.org/licenses/.
> 
[Guy] While the topic concentrates on open source technologies like
OpenLDAP, MIT Kerberos, Samba, etc, you can't present it without having
Microsoft infrastructure addressed and presented as well.
To demonstrate SSO, I would need to also demonstrate technologies like
Active Directory, client computers from both sides and so on...
The rule above basically prevents me from participating.

[snip]
> Along with the proposal, you will need to submit an abstract and a
> biography, which will be published on our website and in the program,
> should the proposal be accepted.

[Guy] I am working for a company which does not allow me to give external
consulting (when not representing the company) while being affiliated with it
at the same time. While I think that there are quite a bunch of people who
would like to hear about the topic, I can not allow that the solution, tools and
approaches will be affiliated with the company I work for. 
Publishing my biography is associating me with my employer. As I see it,
this can be addressed in one of 2 ways:
- not specifying the employer names 
- stating up front that all ideas presented in this topic should not be
affiliated with my employer and my employer is not responsible, bla bla
bla...

> Papers may be submitted either in English or in Hebrew. Papers can be
> submitted in latex or LyX or open-office using the template from the
> website.
> 
> Papers must be submitted using free fonts.
> 
[Guy] While putting things on paper is a common academic approach, we,
techies, tend to understand things better while actually seeing things at
work. And here I can not promise the use of only open source software (see
my comments above).






Linux, WiFi and 802.1x

2005-03-05 Thread Guy Teverovsky








Hello all,

I am designing a WiFi secure access solution at work based on the 802.1x protocol.

Because of the security requirements, I can use only two-factor authentication or one-time passwords (OTP).

After research and some pilots, I have an infrastructure capable of doing the PEAP-MSCHAPv2, PEAP-TLS and EAP-TLS authentication protocols.

Currently I am trying to gather information about the level of usability of 802.1x Linux supplicants and SmartCard device support.

Any real life experience about the things listed below is greatly appreciated:

- 802.1x supplicants capable of doing one of: PEAP-TLS, PEAP-MSCHAPv2, EAP-TLS

- OTP hardware device support (this is not a must as those can work as stand-alone, but it could be nice to copy&paste the OTP)

- SmartCard support – as our security policy restricts storing digital certificates used for VPN access on the hard drive, it has to be on one of those e-Token, ActiveCard, SmartCard gadgets… Any pointers to Linux supported devices are more than welcome.

TIA,

Guy

RE: [OT, but so often discussed] www.iaa.gov.il wants IE

2005-03-05 Thread Guy Teverovsky
> Now, to the technical question: is Mozilla configurable to pretend it
> is IE, like Konqueror? Couldn't find anything fast enough (Mozilla
> 1.7.3 on RHEL WS3).

[Guy] Try this one:
http://extensionroom.mozdev.org/more-info/useragentswitcher

 

> 
> --
> Oleg Goldshmidt | [EMAIL PROTECTED]
> 
> 






Re: MOSIX vs OpenMOSIX [2nd attempt]

2005-04-20 Thread Guy Teverovsky
I'll second that.

Have just started deploying OpenSSI for our researchers and it looks
very promising (mainly for high volume image processing). 

Couple of useful links:
http://www.gelato.org/pdf/Illinois/gelato_IL2004_openssi_walker.pdf
This one in Hebrew: http://www.eandm.co.il/events/120105/openssi.pdf

There are also several comments from both projects' authors that are
worth looking at (it is more flamebait, but some points mentioned are
worth the hassle):

A Comparison of OpenSSI and OpenMosix (Bruce J. Walker):
http://sourceforge.net/mailarchive/forum.php?thread_id=5860473&forum_id=21441

Refute of Mr. Walker's White Paper on openMosix vs. OpenSSI (Moshe Bar):
http://openmosix.sourceforge.net/openssi_refute.html


Guy

On Wed, 2005-04-20 at 22:33 +0300, Muli Ben-Yehuda wrote:
> On Wed, Apr 20, 2005 at 08:45:36PM +0300, Micha Feigin wrote:
> 
> > You may also want to have a look at www.kerrighed.org/
> 
> OpenSSI (http://openssi.org/) is also worth watching. Of all of the
> SSI projects, it's the only one that appears to stand a non-negligible
> chance of mainline kernel inclusion - eventually.
> 
> Cheers,
> Muli





Re: OT: Windows time zones with daylight saving support

2005-04-20 Thread Guy Teverovsky
Shahar,

Your update is not sufficient. The data from "HKLM\SOFTWARE\Microsoft
\Windows NT\CurrentVersion\Time Zones\Israel Standard Time" is read ONLY
when the client *switches* the timezone. When updating you also need to
write to HKLM\System\CurrentControlSet\Control\TimeZoneInformation
directly.

Take a look at the code of the tool I came up with a while ago:
http://guy.netguru.co.il/archives/8-Summer-clock-in-Israel-for-2005.html

Sorry for drifting away...
Guy


On Tue, 2005-04-19 at 13:05 +0300, Shachar Shemesh wrote:
> http://www.lingnu.com/support.html#timezone
> 
> Sorry about the noise.
> 
>   Shachar
> 





Re: OT: Windows time zones with daylight saving support

2005-04-20 Thread Guy Teverovsky

> It is incomplete on purpose:
> 1. You cannot change the setting while explorer is up. Changing the 
> registry directly like that creates inconsistency between the running 
> configuration and the stored configuration, resulting in confusion or worse.
We successfully updated several hundred hosts this way.

> 2. I'm assuming not everyone who uses it will even BE in the IST time zone.
Indeed. Some assumptions were made.

> 3. The instructions on the page clearly tell you to manually open the 
> settings and change them.
With your reg, you need to *switch* timezone to something different and
flip it back to Jerusalem (just ticking the "Adjust for DLT" is not
enough). Otherwise, if the workstation had DLT settings from the previous year,
the DLT start and DLT end info will not be refreshed at HKLM\System
\CurrentControlSet\Control\TimeZoneInformation (I had a server whose
owner did the reg thing and ended up with inconsistent settings - he did
have DLT settings from 2004 even after merging a reg just like yours).

It's not about whose solution is better. 
This is just an FYI that you might run into issues with your current solution.
Adding an instruction to "switch TZ back and forth" after merging the reg 
would save you some grief. 

Cheers,
Guy





RE: good news: evolution + exchange server

2005-06-15 Thread Guy Teverovsky
Evolution uses Outlook Web Access (OWA) to gain access to the content stored 
on Exchange.
OWA is a web interface for the Exchange with the look&feel of Outlook.
Evolution does not use the native MAPI protocol (the IIS translates the 
HTTP requests to native MAPI).
 
Guy



From: [EMAIL PROTECTED] on behalf of Oded Arbel
Sent: Wed 6/15/2005 12:42 PM
Cc: linux-il@linux.org.il
Subject: Re: good news: evolution + exchange server



On Wednesday, 15 June 2005 10:03, Gabor Szabo wrote:
> On 6/14/05, Dov Grobgeld <[EMAIL PROTECTED]> wrote:
> > Does anyone know if there is any scripting support (perl, python
> > or ruby) for accessing the exchange server protocol?
>
> I am not sure if this will answer any of your needs
> but have you checked Mail::Outlook ?
> http://search.cpan.org/dist/Mail-Outlook/

It should be noted that this is for MAPI bindings to perl, MAPI being
the library available in Win32 OSs where the above package may be used
to access the mail capabilities of an Outlook _client_ installed on the
local win32 machine.

I assume the original poster wanted to access an exchange server
remotely through the native MAPI wire protocol, probably for more than
mail access (for which IMAP is perfectly usable). I'm not aware of any
scripting libraries that allow access to it, but as the Ximian outlook
connector for evolution is GPL, I'm sure it won't be that hard to
either librarize it and make some bindings or even port it completely to
native perl/python/ruby.

--
Oded

::..
"Do you love me because I'm beautiful, or am I beautiful because you
love me?"
-- Cinderella








RE: slashdot: m$ praises unix and linux shell clis and prepares to emulate them

2005-06-15 Thread Guy Teverovsky
Or you can enroll in the Beta and, instead of listening to the rumors, judge it 
for yourself.
I did... My first impressions have been blogged here:
http://guy.netguru.co.il/archives/6-Dazed-and-confused-Microsofts-MSH-shell-codename-Monad.html
 
And while I do admit that cmd.exe is quite a lacking shell, still it is not 
as lousy as people tend to think.
More than once I have been able to squeeze some extra juice out of it. 
Examples:
http://guy.netguru.co.il/archives/19-Querying-services-and-the-account-they-run-under.html
http://guy.netguru.co.il/archives/4-Listing-GPO-owners-from-command-line.html
 
My suggestion: get to know some MS sysadmins who are not "I have just 
braindumped my MCSE and think I can call myself SysAdmin" - you will be quite 
surprised to discover quite a new world and people administering their 
environment using automation, batch and scripting. 
 
Guy



From: [EMAIL PROTECTED] on behalf of Geoffrey S. Mendelson
Sent: Fri 6/10/2005 12:52 PM
To: Peter
Cc: Gilad Ben-Yossef; linux-il@linux.org.il
Subject: Re: slashdot: m$ praises unix and linux shell clis and prepares to 
emulate them



On Fri, Jun 10, 2005 at 12:32:26PM +0300, Peter wrote:

> Can you log in to more than two simultaneous sessions, or do you have to
> buy extra licenses for that ? ;-)

Sure, you can set the limit.

Geoff.

--
Geoffrey S. Mendelson, Jerusalem, Israel [EMAIL PROTECTED]  N3OWJ/4X1GM
IL Voice: (077)-424-1667  IL Fax: 972-2-648-1443 U.S. Voice: 1-215-821-1838
VoN  Skype: mendelsonfamily. Looking for work as a CTO or consultant in
handheld gaming, large systems development, handheld device construction, etc.
See U.S. patent applications  20050108591,  20050107165.








RE: good news: evolution + exchange server

2005-06-15 Thread Guy Teverovsky
Well... I wanted to keep it simple, but you are right (to a point ;) )
Evolution uses BOTH WebDAV and HTTP. Try switching OWA to form based 
authentication on older Evolution and see it break.
 
Btw, the WAP is served via the OMA (Outlook Mobile Access) component which 
(though it works in conjunction with OWA) is not part of OWA itself. And if that 
is not enough, ActiveSync clients use a component called EAS (works much like 
OMA). Now this is all correct for Exchange 2003. In E2K the mobile access was 
served via a full-blown application called MIS (Mobile Information Service). 
 
Guy
 


From: [EMAIL PROTECTED] on behalf of Ira Abramov
Sent: Wed 6/15/2005 9:48 PM
To: linux-il@linux.org.il
Subject: Re: good news: evolution + exchange server



Quoting Guy Teverovsky, from the post of Wed, 15 Jun:
> Evolution uses Outlook Web Acceess (OWA) to gain access to the content
> stored on Exchange.  OWA is a web interface for the Exchange with the
> look&feel of Outlook.  Evolution does not use the native MAPI protocol
> (the IIS translates the the HTTP requests to native MAPI)

not exactly. the OWA component supports HTTP access via WAP, HTML or
WEBDAV. what most people mean when they say OWA is the nice HTML
front-end. AFAIR Evolution accesses webDAV directly, which makes a lot
more sense than weeding the messages out of the "look&feel" as you
call it.

so who said MS doesn't standardize some of their stuff :-)

Now that Daniel Robins (ex- Gentoo founding father and Ex- Israeli)
started working for MS on their FOSS initiatives (oh yes, they exist),
we might even see more of that going on.

Here's to open standards!

--
Center of the universe
Ira Abramov
http://ira.abramov.org/email/








Re: Active Directory - a short story

2005-06-21 Thread Guy Teverovsky
On Tue, 2005-06-21 at 16:23 +0300, Ira Abramov wrote:
> I wondered once or twice if people united their linux machine to
> authenticate against an existing Active Directory. today I had the
> chance to do it for a client. first we tried the old fashioned way -
> install SFU (Services for Unix) on the 2000/2003 machine, and bind to
> it with LDAP. this proved to be a trial-and-error process sadly enough,
> most of the time we could not ever see the logs indicate that PAM was
> even logging into the LDAP.
For the sake of common sense, by any means try to avoid using SFU. It
opens up some very nasty black holes in AD, sucking up any security you
may have already implemented in AD.
A much cleaner way is to use only the SFU schema extensions, without having AD
play NIS-wannabe.

btw, for W2K3 you would probably need to enable simple binds on DCs
(disable LDAP signing requirement on the DCs). Also, for pam_ldap to
work without proxy account, you need to enable anonymous LDAP queries on
W2K3 DCs (off by default):
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
and grant read permission to sAMAccountName, userPrincipalName,
distinguishedName AD attributes of user objects (needed for
username<=>userDN resolution)

> We quickly ditched it for winbind, a daemon bundled with Samba. the Red
> Hat RHEL workstation (and apparently Fedoras since at least RH9) come
> with a script called authconfig that takes care of editing your
> smb.conf, your nsswitch.conf and pam's system-auth files, and helps you
> join the domain almost automatically (needs kerberos). it was a bit
> confusing to discover one can authenticate only some 50-60 seconds after
> winbindd fires up but we did manage to get to the AD and authenticate
> users. 
The threshold depends on the number of user/computer objects in the
AD. Winbind is quite stupid and tries to enumerate ALL the computer/user
objects in AD and generate uid/gid for them. I have seen it segfault
after 20-30 mins (!) in some large (>50K user account) environments.
Definitely think twice and test, test, test if you are going to implement
it in an environment that counts the user accounts by thousands (or has
very low end DCs).

> at last we could not log in with them though since winbindd kept
> complaining about not being able to translate the users' SIDs to the
> local UIDs, but that too was solved with a reboot (Tomer Perry suggested
> it was a restart of nscd that released that final hurdle, I did not go
> back to figure it out for sure).

You should NOT run nscd on systems running winbind:
http://info.ccone.at/INFO/Samba/winbind.html#id2952021
Running nscd collides with winbind which is already doing caching.

> 
> I hope this helps people out there, enjoy :)
> 





Re: Active Directory - a short story

2005-06-21 Thread Guy Teverovsky
On Tue, 2005-06-21 at 16:40 +0300, Josh Zlatin-Amishav wrote:

> and remember two important lessons:
> 1. when requesting a kerberos key with kinit the domain name is case
> sensitive
This is Kerberos realm and not domain name. Kerberos realms are always
upper case.

> 2. make sure to update your machine's clock to the ntp server running on
> the KDC, any time skew of more than a few minutes will cause problems.
By default MS KDCs tolerate clock skew of up to 5 minutes. Skews greater
than 5 minutes break Kerberos authentication.

> 
> --
>   - Josh
> 
> >
> >
> 
> 





Re: Active Directory - a short story

2005-07-04 Thread Guy Teverovsky
On Sun, 2005-07-03 at 20:27 +0300, Ira Abramov wrote:
> 
> to explain: when you use winbind and add a machine into the domain, the
> first time you look up a user she will be mapped to a local UID in an
> "idmap" database. the problem is, there is no hash function to map a
> lanman object's SID, and the idmap database fills up on a "first asked,
> first served" manner. this is a sick mess, since this means that if you
> have several machines winbound, they don't all see the same UIDs mapped
> to the same usernames, which makes NFS impossible.
Not exactly... When winbind service comes up first time, it does several
things:
1) Enumerates trusted domains
2) Reads ALL group objects from trusted domains (including AD) and
generates GIDs by hashing objectSID (octet string LDAP syntax - actually
a byte array) attribute. 
3) Reads ALL user/computer objects and generates UIDs (same logic here) 

The problem is not with idmap database, but rather with the efficiency
of the LDAP query which asks for all user/computer objects from AD - as
I mentioned already before: in my environment winbind is crashing after
about 20 mins, while trying to enumerate accounts, failing to complete
the LDAP query.

> 
> solution one - have one machine enumerate all the UIDs and then copy its
> idmap database, and do that again each time you add users to the AD (yuck)
> 
> solution 2 - have the userinfo come from the AD, the authentication from
> the kerberos (as before) and ask Samba to map the ids according to LDAP
> (yuck again). that LDAP server can either run on a separate linux
> machine, or be the LDAP that is already part of the SFU, and so keeps
> those details inside the AD itself, with a "Unix attributes" tag in the
> AD management dialog.
you can share UIDs via LDAP or SQL (OpenLDAP, mySQL), but yuck indeed.


> not NIS, just LDAP. the scheme extensions alone don't let you access
> them. the SFU adds the above mentioned tag to the dialog box.
Who cares about the GUI ? SFU registers a COM object which makes the tab
show up in ADU&C (AD Users & Computers), but you can still access those
attributes from any LDAP browser/editor or using Windows CLI utilities
like dsmod/dsget/dsquery/dsadd/dsrm (surprise, surprise ! there is CLI
in Windows ;-) )
And if you want even more flexibility, search for adfind/admod in
google.  

> * On winbound machines of the RHEL 3WS variety, I could "su - user" from
> root without any problem. not so on 3ES, where I got back "su: Invalid
> password". at some point it magically fixed itself and I could not
> recreate it (good thing?). could it be a kerberos glitch?
Try creating user called "root" in AD and disabling the requirement for
Kerberos pre-authentication on that account ("Account" tab in ADU&C or
adding directly 0x20 to userAccountControl attribute of the
account).

Guy
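To make the idmap point in this exchange concrete, here is an added Python model (not code from the thread or from Samba): it decodes the binary objectSID attribute as LDAP returns it, then shows why a first-asked-first-served idmap gives two winbound hosts different UIDs for the same user while a deterministic RID-based mapping (the uid = base + RID scheme of Samba's idmap_rid backend) does not. The domain SID and account RIDs are constructed for the example; the SID byte layout is the standard Windows one.

```python
"""Model of SID -> UID mapping on two winbound hosts.

All SIDs below are constructed for this example; they belong to no real domain.
"""
import struct


def parse_object_sid(raw: bytes) -> str:
    """Decode a binary objectSID into its textual S-1-5-21-... form.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes big-endian
    identifier authority, then count * 4-byte little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("objectSID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rid_of(sid: str) -> int:
    """The relative identifier (RID) is the last sub-authority."""
    return int(sid.rsplit("-", 1)[1])


def domain_of(sid: str) -> str:
    """Everything but the RID identifies the issuing domain."""
    return sid.rsplit("-", 1)[0]


class AllocatingIdmap:
    """'First asked, first served': the next free uid goes to whichever SID
    is looked up next, so lookup order decides the uid. Each host keeps its
    own table, so hosts that see users in a different order disagree."""

    def __init__(self, base: int = 10000):
        self.next_uid = base
        self.table = {}

    def lookup(self, sid: str) -> int:
        if sid not in self.table:
            self.table[sid] = self.next_uid
            self.next_uid += 1
        return self.table[sid]


class RidIdmap:
    """Deterministic idmap_rid-style mapping: uid = base + RID for SIDs of one
    configured domain. Stateless, so every host computes the same uid."""

    def __init__(self, domain_sid: str, base: int = 10000, size: int = 1000000):
        self.domain_sid, self.base, self.size = domain_sid, base, size

    def lookup(self, sid: str) -> int:
        if domain_of(sid) != self.domain_sid:
            raise KeyError("%s is not in domain %s" % (sid, self.domain_sid))
        uid = self.base + rid_of(sid)
        if not self.base <= uid < self.base + self.size:
            raise ValueError("RID out of configured range for %s" % sid)
        return uid


# Constructed sample domain S-1-5-21-1111-2222-3333 with two users and a computer.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"


def make_sid(rid: int) -> bytes:
    """Build the binary objectSID for a constructed account in DOMAIN_SID."""
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
        "<5I", 21, 1111, 2222, 3333, rid)


ALICE, BOB, WS01 = make_sid(1105), make_sid(1106), make_sid(1107)


def compare_hosts(mapper_factory):
    """Two hosts resolve the same accounts in a different order.
    Returns (uid of ALICE on host A, uid of ALICE on host B)."""
    host_a, host_b = mapper_factory(), mapper_factory()
    uids_a = [host_a.lookup(parse_object_sid(s)) for s in (ALICE, BOB, WS01)]
    uids_b = [host_b.lookup(parse_object_sid(s)) for s in (WS01, BOB, ALICE)]
    return uids_a[0], uids_b[2]


if __name__ == "__main__":
    print("allocating idmap:", compare_hosts(AllocatingIdmap))
    print("rid idmap:       ", compare_hosts(lambda: RidIdmap(DOMAIN_SID)))
```

With the allocating table ALICE gets uid 10000 on one host and 10002 on the other, which is exactly the NFS mismatch described above; with the RID mapping both hosts compute 11105.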





RE: connectivity question

2005-07-13 Thread Guy Teverovsky

In order to install SFU you need the W2K3 box to be a member of Active
Directory. This is a forest-wide change and is far from being recommended
for connecting a single server.

If W2K3 is a stand-alone server and not part of an AD infrastructure, SFU
is not an option (and promoting a W2K3 box to Domain Controller for the
sake of this kind of connectivity is damn stupid, especially if this is an
internet facing box).

Though SFU comes with Posix tools and NFS server, the heart of SFU is
the schema extensions to Active Directory's LDAP which enable the SFU to
emulate a NIS server based on the accounts in AD. All the rest is bells
and whistles.

Guy

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Geoffrey S. Mendelson
> Sent: Tuesday, July 12, 2005 12:38 PM
> To: Hetz Ben Hamo
> Cc: Linux-IL
> Subject: Re: connectivity question
> 
> On Tue, Jul 12, 2005 at 10:08:43AM +0200, Hetz Ben Hamo wrote:
> > What I'm trying to do - is to make a permanent connection between the
> > 2 servers.
> 
> Microsoft Services for UNIX. Free (as in beer, not open source).
> 
> Provides you with an almost complete posix environment including a
> telnet daemon, a real korn shell and gcc. You can also get ssh, bash,
> etc for it. Has commands like ps, top, kill, etc. Will run any .exe file
> that does not require a window.
> 
> Geoff.
> 
> --
> Geoffrey S. Mendelson, Jerusalem, Israel [EMAIL PROTECTED] N3OWJ/4X1GM
> IL Voice: (077)-424-1667  IL Fax: 972-2-648-1443 U.S. Voice: 1-215-821-1838
> VoN  Skype: mendelsonfamily. Looking for work as a CTO or consultant in
> handheld gaming, large systems development, handheld device construction, etc.
> Support amateur (ham) radio, boycott Google!!!
> 





RE: connectivity question

2005-07-13 Thread Guy Teverovsky

If you feel comfortable with patching the RHEL's kernel, you can
configure IPSec in so-called "opportunistic mode" with pre-shared keys,
when you do not establish an actual tunnel, but force encryption of the
traffic between the two boxes.
If you were running a 2.6 kernel, that would probably be the best choice.

As mentioned before, SSH is an option and does not require SFU or a
full-blown cygwin on the W2K3 side - you can install OpenSSH with a
minimal set of cygwin http://sshwindows.sourceforge.net/ (I'm not a big
fan of installing on a server more than is actually needed)

Another approach could be tunneling the MMS traffic through reverse
proxy on RHEL to the W2K3 MMS server:

- External client requests the MMS stream from RHEL (on a port other than 80)
- RHEL reverse proxies the request through an SSH/VPN/IPSec/PPTP/whatever
tunnel to IIS on W2K3 (which would only talk to RHEL and not give
anything out to other clients).

This way IIS is not fully exposed to the world and from the client point
of view the data is coming from RHEL. 

Guy

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Hetz Ben Hamo
> Sent: Tuesday, July 12, 2005 11:09 AM
> To: Linux-IL
> Subject: connectivity question
> 
> Here's a scenario I have:
> 
> On one side of the globe, I have a Linux server (RHEL 3) in a hosting
> firm.
> On the other side of the globe - I have a Windows 2003 server which is
> hosted also.
> 
> What I'm trying to do - is to make a permanent connection between the
> 2 servers.
> 
> I can go ahead and use Samba, but samba is not an efficient
> connection, both in the terms of bandwidth (after all, I need to pay
> for the bandwidth), and in terms of connectivity (what if one of the
> servers goes down? I've seen Linux machines which were definitely affected
> by "misconnection" and until the mounts were removed, the machine
> would have crawled..
> 
> Is there another connectivity protocol which is:
> 
> 1. Does not need to send massive amount of data if I want just to
> browse directories, upload/download/sync
> 2. Can reconnect when there's a downtime and up again
> 3. Efficient
> 4. Supported (either as an open source solution or commercially) on both
> OS's.
> 
> Any recommendations would be welcome.
> 
> Thanks,
> Hetz
> 



Oscar + Mosix/OpenMosix

2005-07-21 Thread Guy Teverovsky

I'm trying to find a smart way to centrally manage the Mosix/OpenMosix
cluster nodes and after some google-ing have come up with Oscar, which
looks like a good candidate for the task (http://oscar.sf.net).
I remember that the name has come up on this list, so some questions:

- Does Oscar play well with the OpenMosix (or Mosix) kernel?

- My understanding is that Oscar provides userland tools for running
distributed jobs on the cluster nodes without the need for a *Mosix
kernel, so this boils down to: what are the advantages of adding a *Mosix
kernel into the mix? (performance? capabilities?)

- Long shot: the documentation states that only RHEL 3 Update 2/3 are
supported. Any chance someone witnessed or deployed it on RHEL3 Update 4?

- A friend of mine mentioned an alternative called Clip (appears that
Team have deployed it), but I seem not to be able to find anything about
it on the web. Any pointer would be helpful.

I am at the stage that I have the luxury to build the whole thing from
scratch, so any pointers, tips, alternatives, experiences are welcome.

The intention is to have an HPC cluster for long running tasks that are
heavy on CPU.

TIA,

Guy


RE: Oscar + Mosix/OpenMosix

2005-07-21 Thread Guy Teverovsky
Thanks, Orna. Very useful info.
Still some question/thoughts inline...

Cheers,
Guy

> Regarding mosix/openmosix: After several years of considering and
> convincing regarding this issue, I decided to avoid installing any of
> them. It is not worth it. I send batch jobs via the batch queueing system,
> and parallel jobs use pvm or mpi (which can be integrated with openPBS).
> So far, I have not seen anything that needs more than that, and it is not
> worth the risk of running something outside the mainstream in the kernel,
> which means it is far less tested, and interacts closely with the
> program.

[Guy] One of my biggest concerns is the ease of use. Reading the Oscar's
documentation I noticed that the job submission/distribution process is
far from being intuitive. What I have is a bunch of researchers who are
very smart at what they do, but most of them will scold me if the job
submission involves some interaction with additional tools. Using
pvm/mpi in Oscar (at least according to the docs) would require some
manual fiddling on the user side. With *Mosix the process is much more
user friendly.

> 
> > -  Long shot: the documentation states that only RHEL 3 Update
> > 2/3 are supported. Any chance someone witnessed or deployed it on RHEL3
> > Update 4 ?
> 
> I can check this when I am back in Israel (next week). But I doubt we have
> installed something advanced.

[Guy] Thanks. 

> Clip is closed source, given only to those in commercial contract with
> Amnon Barak's team (MOSIX) or as a favour from this team. I am told OSCAR
> management is easier than clip version 1 (or was this 1.2?). I did not get
> a chance to compare it to CLIP 2.0, which is the new, closely-kept version
> - did not see any site with it.

[Guy] I see... The info I have is about CLIP 2.0 and the feedback is
quite positive, but I doubt we will ever go the commercial contract
route for this implementation.

> Watch for NFS troubles - what do you intend to use for storage?
> Build the network according to the kind of HPC you are planning.
> How do you intend to monitor network usage?

[Guy] We are talking roughly about ten dual 1.8GHz workstations for the
use of 3-4 researchers who will be running CPU intensive jobs. A lot of
image processing with minimal load on the network/storage. All of them
will sit on a dedicated switch - from our previous experience with
OpenMosix the network/storage were never a bottleneck. Ideally, any
submitted job should use all the nodes and chew up any CPU cycles
available. The nodes will also act as the users' second desktop, so the
job submission should be available from any node (makes me wonder how
Matlab will play in that mix).
I have no intention of putting the nodes on a separate network
segment/VLAN - I need all the nodes fully routed and accessible from
anywhere.

I think I'll try installing OpenMosix kernel, disabling OSCAR's HPC
related modules and using OSCAR only for nodes
deployment/management/image updates, but I'm open to suggestions.

In any case, looks like I need to hit some more docs to get a better
grasp of what I am dealing with.





RE: can't su under kerberos from root to others (was: Active Directory)

2005-07-25 Thread Guy Teverovsky
Some comments/thoughts inline.

Cheers,
Guy

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Ira Abramov
> Sent: Monday, July 25, 2005 1:26 PM
> To: IGLU Mailing list
> Subject: can't su under kerberos from root to others (was: Active
> Directory)
> > > * On winbound machines of the RHEL 3WS variety, I could "su - user"
> > > from root without any problem. Not so on 3ES, where I got back "su:
> > > Invalid password". At some point it magically fixed itself and I could
> > > not recreate it (good thing?). Could it be a kerberos glitch?

[Guy] Personally I consider it a VERY BAD thing when you are able to su
to accounts defined in an external authentication store. IMHO, you should
only be able to su to root when logged on as an account local to the
box, or be requested to re-authenticate and provide the external account
password.
 
> >
> > Try creating user called "root" in AD and disabling the requirement for
> > Kerberos pre-authentication on that account ("Account" tab in ADU&C or
> > adding directly 0x20 to userAccountControl attribute of the
> > account).
> 
> Didn't work.

[Guy] Could be related to Kerberos ticket expiration (default = 10
hours). Because the only time you request a TGT is when logging on, and
there is no process responsible for renewing the TGT, it might affect
the way su is doing things (I speculate here, as I'm not quite sure how
su handles this).
Try comparing the output of "klist" on the boxes that fail/succeed to
su.

> 
> for completion - the current setup is:
> 
> * all winbinding removed
> * one server running ypserv, users mostly have no password in the shadow
> * both NIS server and all clients (about 10 now) use kerberos for
>   authentication, ADC is the KDC. both unix/NIS passwords and kerberos
>   let you in. (both set as sufficient in pam)
> 
> ypserver is 3ESu5. another server is also 3ESu5, both let me su just
> fine from root to any user. the rest of the clients are now 4WS and one
> Fedora core 3, all show the same symptom of:
> # su - anyone
> su: incorrect password

[Guy] I have observed the same inconsistent behavior with different RH
distros (FC 2, 3 and RHEL 3). If only someone could give a hint about the
way su does its checks (sorry folks, but no time right now for tracing
the code), you at least would know where to look.






RE: need script to find "alien" files

2005-07-27 Thread Guy Teverovsky
Try:
find / -xdev -print0 | xargs -0 rpm -qf | grep "not owned by"

Will trash the sh#$t out of the box, but will do the job.

Cheers,
Guy

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Michael Green
> Sent: Wednesday, July 27, 2005 5:13 PM
> To: ILUG
> Subject: need script to find "alien" files
> 
> I'm looking for script that will traverse filesystem of an RPM-based
> distro and find files that do not belong to any RPM.
> 
> Anyone?
> --
> Warm regards,
> Michael Green
> 



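A more robust version of the approach in Guy's reply, as an added example that is not from the list post: it confines find to one filesystem (so /proc, /sys and network mounts are skipped), survives paths with spaces, and keeps only the paths rpm reports as unowned. The sample rpm output and the package name in it are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not code from the list thread. Assumes GNU find/xargs and
# an rpm that prints "file <path> is not owned by any package" for
# unpackaged files (the wording rpm -qf has used for years).

# parse_unowned: read "rpm -qf" output on stdin and print only the paths
# that rpm reports as not owned by any package, one per line. Package
# names and "error: ..." lines (missing files, etc.) are dropped.
parse_unowned() {
    sed -n 's/^file \(.*\) is not owned by any package$/\1/p'
}

# find_unowned ROOT: walk ROOT without crossing filesystem boundaries,
# hand the paths to rpm in null-delimited batches (safe for spaces and
# newlines in names) and print the unowned paths, sorted and deduplicated.
# stderr is merged so rpm's error lines reach parse_unowned and get filtered.
find_unowned() {
    root=${1:-/}
    find "$root" -xdev -type f -print0 \
        | xargs -0 rpm -qf 2>&1 \
        | parse_unowned \
        | sort -u
}

# Constructed sample of "rpm -qf" output (the package name is made up),
# so the parsing can be tried without an RPM-based box at hand.
SAMPLE_RPM_OUTPUT='coreutils-8.32-1.x86_64
file /etc/motd.local is not owned by any package
error: file /nope: No such file or directory
file /opt/tool/bin/run me is not owned by any package'

# demo: run the parser over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_RPM_OUTPUT" | parse_unowned
}

# Usage on a real system: . ./alien_files.sh && find_unowned / > alien.txt
```

Reviewing the resulting list against a known-good build is the point: anything under /bin, /sbin or /usr that no package owns deserves a second look.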


RE: distributed disk

2005-07-27 Thread Guy Teverovsky
Take a good look at Lustre: http://www.lustre.org/

Guy

> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erez D
> Sent: Wednesday, July 27, 2005 8:01 PM
> To: ilug
> Subject: distributed disk
> 
> hi
> 
> I have a few machines, each with a small disk.
> I want to build one big network disk from all of them
> (i.e. one partition).
> 
> How do I do that?
> 
> btw: system: centos-4.0 (RHEL4 equiv)
> 
> erez.



Re: Cost-Efficiency of Unix and Windows Admins [was Re: Relevancy Criticism (was: Re: [Job Offer] - Senior programmer (web))]

2005-08-05 Thread Guy Teverovsky
On Wed, 2005-08-03 at 20:28 +0300, Shlomi Fish wrote:
> On Wednesday 03 August 2005 18:54, Oron Peled wrote:
> >
> > BTW: My normal reply is that those people cost more because
> >  (on the average) they know more. If you'll get a
> >  *really good* windows admin -- he also won't work for the
> >  dirt cheap salaries the low level MS-crowd work for.
I'll second that. Good MS admins are not cheaper than Linux ones.

> There are several factors in play here:
> 
> 1. As you said Linux sys-admins, on the average cost more than their
> MS-centric counterparts, but on the other hand generally know more.

Please do not compare apples with oranges. Find 2 sysadmins with the
same salary level and both considered professionals in their field, and
you'll be surprised to find out that MS guy might even cost more.

> 
> 2. It was shown that Linux admins can on average take care of much more 
> workstations than Windows sys-admins.
This is FUD. I know more than one organization where 2-3 *good* MS
admins handle several hundred core infrastructure servers spread all
over the world (and no, no one else has logon rights on those boxes)

> 
> 3. Low-maintenance X-Terminals may reduce the administration overhead even 
> further. Similar solutions now exist for Windows, though, even though they 
> also tend to incur per-user software licensing fees (which are not a big deal 
> for long-term TCO)
So you have just discovered the "thin client" buzz word? And what does
licensing have to do with administration overhead (apart from $$$)?
Moreover, thin clients are far from being an ideal solution for most
cases.

> 
> 4. One of my friends works in a software development house which has an NT
> server farm that needs to have close to 100% uptime and operationality.
> Needless to say, they have top-of-the-class admins, and also make use of
> scripting, the command line, command automation, etc. a lot. Most NT sys
> admins don't know anything about the NT command line, much less about
> scripting and automation.

Welcome to the real world with *real* MS sysadmins. Those who script,
automate, write code, know a thing or two about security and the
underlying technology. You know... professionals.

Please, please, do not tag those other "MCSE wannabes" with the "Systems
Administrator" title. People that hardly know how to administer a couple
of servers and a dozen workstations in my world are hardly called
"operators" (and the same stands in the Linux world)

> 
> I recall hearing about an incident that a mail server running on an NT (in a
> different company) was flooded with messages containing viruses. (all of the
> same characteristics) The local admin had no idea how to eliminate them. What
> they eventually did was copy the mailbox file to a UNIX server, where the
> UNIX admin wrote a simple script to filter out the bad E-mail messages, and
> after that, they copied the mailbox back to the Windows box.

This has nothing to do with the platform. If he knew a thing or two, he
could:
- filter inbound mail at the SMTP level with either VS API or a custom
event sink.
- write a short script which uses MAPI and walks the Exchange store to
clean up the existing dirt.
- write a couple of CMD one-liners to clean up the SMTP queues.






RE: Linux, Active Directory and TIMEZONES

2005-09-28 Thread Guy Teverovsky
> On the other hand, as for people saying they have to go through
> the Windows desktops one by one to update them - I'm not a
> Windows expert but I heard the the really good Windows admins
> are able to do such stuff over the network through central servers.

[Guy] 
It's not about being good. It's about working with your head instead of
working with your legs:
http://guy.netguru.co.il/archives/8-Summer-clock-in-Israel-for-2005.html

And I hope some day I'll have the time to finish this one
(http://guy.netguru.co.il/uploads/w32tm.html ), so I won't have to
explain each time that "net time" should NOT be used on W2K and up in an
AD environment (this is a to-be-deprecated mechanism which uses legacy
RPC calls). The right way to sync the clock is by triggering the W32TM
service update via:

"w32tm /config /update /syncfromflags:DOMHIER" will configure the
client to use the AD domain hierarchy as its SNTP source.
"w32tm /resync" will trigger an immediate clock resync via SNTP.

And you do NOT need to update the timezone on the DCs as long as the UTC
on the DC is correct: the clock synchronization uses UTC and does not
care about timezones. Heck, my PDC Emulator (acts as SNTP hierarchy root
in AD environment) is in Palo Alto and the client machines still do not
show the time of the shiny California.

Guy




RE: Linux, Active Directory and TIMEZONES

2005-09-28 Thread Guy Teverovsky


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Greg Pendler
> Sent: Wednesday, September 28, 2005 8:27 AM
> To: Linux-IL
> Subject: Linux, Active Directory and TIMEZONES
> 
> Hi,
> 
> I've read previous posts on this issue, and tested the instructions,
> unfortunately nothing helps.
> 
> I have a Linux server that connects to AD. Actually it refuses to connect,
> complaining about time skew.
> 
> I look at the clock on Linux and it shows 08:45 and then I look at the
> clock on the domain controller and it also shows 08:45.

[Guy] What is the UTC on the DC ?
 
> After fixing the date on Linux to 09:45 I can successfully join it to
> the domain and work with it, but that brings two problems. First the date
> on Linux is incorrect, second the time keeps coming back one hour after
> several timeouts.

[Guy] From the Linux box run "ntpdate -qv " to query the DC's
clock. "ntpdate " will sync both date and clock from the DC.





RE: [OFFTOPIC] resume translate

2005-10-11 Thread Guy Teverovsky

Having visited the job market lately (it's upgrade time ;) ), and after
having some small talks with the placement agents, I strongly recommend
writing the resume in Hebrew and making it one page long (some will ask
you to keep the resume without tables, as their applications have a hard
time parsing Word documents with tables - yes, some of them just dig out
the resumes from the DB based on keywords, while the received resumes
are handled by an automated process).

I started with the English version:
http://guy.netguru.co.il/uploads/cv/CV.doc and sent it via
http://www.runner.co.il
I got hardly a couple of replies.
I switched to Hebrew: http://guy.netguru.co.il/uploads/cv/CV_HEB.doc
I got many more responses, but some agents did not notice the second
page and I was flooded with questions about the technologies I was
familiar with (they WERE listed on the SECOND page).
I switched to the short version (which I hated most):
http://guy.netguru.co.il/uploads/cv/CV_HEB_short.doc
For a period of two weeks I had about an interview a day on average.

A couple of tips of my own:
- Keep the long English version handy (hard copy) for technical
interviews (after the standard agency filtering based on the short Hebrew
version)
- Do not trust agencies to translate your resume - usually those are not
technical people and I have seen more than once how the summary,
presented by the agency, was technically ridiculous.
- Do not translate the keywords, and make them stick out (you might want
to place a quick summary of the technologies you master at the top).
- If you have the time, go to EVERY interview you are invited to,
even if you are not quite sure that the proposed position is a 100%
match. A couple of times I passed interviews, rejected the position and
was later contacted by the same people for another position (though not
always for the same company ;) )
- Be nice to placement agents. They are not techies (and probably will
never be). Do not overwhelm them with too many buzz words - feed them
with info they are capable of digesting (most of the time they will have
a checklist of required buzz-words).
- You might want to consider signing up at http://www.alljobs.co.il - it
costs about 30 NIS/month, but centralizes almost all the jobs posted at
various websites. Saves a ton of time. The website is partially broken
for non-IE browsers, but is quite usable.

Cheers,
Guy

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Man Gregory
> Sent: Thursday, October 06, 2005 8:08 PM
> To: Linux-IL
> Subject: [OFFTOPIC] resume translate
> 
> First of all sorry for the offtopic stuff.
> I have a question and I don't know where I can ask about this.
> 
> Do I need to translate my resume from English to Hebrew, if I want to
> send it to job offers in the IT industry of Israel?
> 
> This is my first resume in Israel after aliya and army service, and I
> don't know what I need to do.
> I wrote the resume in English and then when I try to translate it I get
> more words in English than in Hebrew (all program and OS names).
> --
> Regards,
> 
> Gregory Man
> 
> PGP public key:
> http://keyserver.kjsl.com:11371/pks/lookup?op=get&search=0xE5043B53
> --
> 



RE: Microsoft propaganda

2006-01-26 Thread Guy Teverovsky
Comments inline...


Cheers,
Guy

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Hetz Ben Hamo
> Sent: Friday, January 20, 2006 15:45
> To: [EMAIL PROTECTED]
> Cc: Efraim Yawitz; linux-il list
> Subject: Re: Microsoft propaganda
> 
> Hi,
> 
> > Not any more biased than Red Hat's "White Papers" which showed the total
> > cost of ownership for Linux was far less than Windows because the
> > sysadmins were pimply faced kids who would work for next to nothing if
> > you did not mind giving them the morning off to attend high school.
> 
> I hardly think so, read on why..
> 
> > The reality of life is that a good sysadmin, makes a decent salary, and
> > UNIX (which in some markets includes Linux) sysadmins make a lot of
> > money, no matter what operating system they support.

Good MS infrastructure technologists do not complain about their salary too

> Here's an example: at my work (TheMarker) I (alone) admin all the
> Solaris and Linux servers, and there are around a dozen Windows machines
> which are administrated by 2 sysadmins. I administrate more machines
> than the windows sysadmin guys do, and my salary is definitely not
> much bigger than theirs.

It's about quality of sysadmins. I have experience of administering much larger 
server deployments spread all over the world on my own. Not long ago I had an 
offer for administering a ~200 server internet facing Microsoft OS based web 
farm and I was far from being intimidated by those numbers.
 
It is also about automation and skills. The main problem is the management 
which feels comfortable hiring a bunch of brain-dead 
how-to-for-dummies-followers instead of investing in people capable of 
performing much better (and getting higher salaries). Having a good *nix 
sysadmin and a bunch of crappy MS wannabes is like comparing apples and oranges.

> 
> In the next few weeks, I'm going to add a dozen (or so) new HP servers
> with RHEL 4 (hmm, am I the only guy who deploys RHEL 4 in
> production?), and I'm setting them all by myself (using most machines
> installations with kickstart). You can bet that according to my
> calculations, setting them up with all the stuff I need to setup there
> and administrate those machine will be way shorter with RHEL 4, and
> these machines WILL generate revenue to my employer as soon as the
> software is up and running.

Please define "as soon as possible". Given that I have an established server 
build process, requirements, OS components and roles; and using tools like HP 
Rapid Deployment Pack, Proliant Support Pack Scripting Toolkit and RIS or ADS 
(HP tools are free, RIS/ADS come with OS) you might need 1-3 days to prepare 
the deployment environment and configs and deploy the dozen servers in a matter 
of several hours without those quirky tools like Ghost (block-based, as opposed 
to file-based, imaging solutions for servers are evil and are not flexible) and 
without the need to deal with SIDs as mentioned. 
On the Linux front you will still have a hard time to automate the hardware 
configuration: RAID, iLO, etc - all those are easily automated with the tools 
mentioned above.  

> 
> I did a small calculation here, how much time it will take to install,
> setup and configure the OS and the applications with Windows, and to
> me it looks like it will take at least 1 more week, which means a week
> less revenue for my employer if they would choose Windows instead of
> Linux.

I have quite a bit of experience with deploying both RHEL 3/4 and W2K/W2K3 on HP 
servers. Trust me: using the right tools combined with some knowledge, 
deploying Windows is not a bit slower (and from my own experience - much 
faster) than Linux. 

> Sometimes cheaper works, even if the open source solution
> doesn't have all the bells and whistles that the closed source
> application has (look at Samba for example).

Having been involved in deploying Samba for a research business unit in a large 
enterprise, I can only say that Samba is NOT enterprise (or medium-size 
business) ready. It has too many bugs and I have already been bitten when the 
community was helpless and the developers were not willing to patch. It took me 
almost a month in debug level 10 and analyzing the network traces to find some 
workaround having to do with lousy Kerberos integration. 
Guess whose messages went unanswered: 
http://groups.google.com/group/linux.samba/browse_frm/thread/1c6c40a01a4e722f/172c54916c27e532?lnk=st&q=guy+teverovsky+Samba3+and+forest+trust&rnum=1&hl=en#172c54916c27e532

http://groups.google.com/group/linux.samba/browse_frm/thread/382d5f2b1fc75f29/d745c2876a78cbfd?lnk=st&q=hpl.hp.com+samba+windows+krb+ads&rnum=2&hl=en#d745c2876a78cbfd





RE: MS pricing policy (was: Microsoft propaganda)

2006-01-26 Thread Guy Teverovsky


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Shachar Shemesh
> Sent: Saturday, January 21, 2006 09:40
> Cc: linux-il list
> Subject: OT: MS pricing policy (was: Microsoft propaganda)
> 


> If I'm reading this table correctly, if I need a server that serves 25
> stations, I can buy a Windows 2003 Server with 25 users CAL (Client
> Access License) for $3,999, or buy a 5 CAL server for $999 and add 20
> more CALs for $799, paying only $1798. That's less than half the price!
> What am I missing?

$3,999 is the price of W2K3 Enterprise Edition, while $999 is the price of 
Standard Edition. Same idea as RHEL ES vs. AS.
For product overview and differences between the versions:
http://www.microsoft.com/windowsserver2003/evaluation/overview/default.mspx#EVC 

Though CALs are bundled with OS, it is the same CAL for accessing Enterprise or 
Standard Edition.
To simplify:
Environment with 5 W2K3 servers (2 Standard, 3 Enterprise) and 100 users yields:
- 2 x $999   for Standard Edition servers
- 3 x $3,999 for Enterprise Edition servers
- 5 x $799   for 5 20-pack CALs for end users
 

> 
> 
> I'm sure that MS's pricing isn't that skewed, and the version that costs
> $4K does give something that the $1.8K doesn't, but that does go to
> show one of the aspects of proprietary software that isn't always
> discussed. Navigating companies' pricing tables can be a tiresome and
> error-prone endeavor.

Sounds familiar: http://www.in.redhat.com/software/rhel/purchase/ ?
AS (x86): $1,499-$2,499
ES (x86): $349-$799
WS (x86): $179-$299

> 
> 
> What's worse (assuming there really is a difference here), if I did go
> ahead and made that mistake, and the BSA came knocking, I would have
> been certain that I've done nothing wrong.

Give it some time and you will see BSA knocking to check the licenses of your 
RH or Suse servers.