[opensuse] OpenSuse 10.2 - Fortran compilation very slow through NFS network with a 64bit server and 32bit clients.
Dear all,
I am a new OpenSuSE user and quite convinced by this distribution. However, I still have a problem.
I have configured a gigabit network, using nfs and everything works fine except for all the Fortran compilers I have tried so far (Intel, g95, gfortran).
There is no problem to compile some files which are stored locally on a nfs client. However, when I try to compile some files stored on /home which is mounted through nfs, then it takes hours to make the link between all the .o files created.
My server is an OpenSuSE 10.2 - 64bit machine and the nfs options are "root_squash,sync,insecure,rw". All the clients run on OpenSuSE 10.2 - 32bit, with the options "rw,soft".
Except for the compilation, I do not face any other slow network communication.
Do you know if the problem is related to the "32bit clients - 64bit server" association? Should I add another nfs option to the server or to the clients?
Thanks a lot for your help :-)
Regards, Michel
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Michel Rasquin wrote:
Dear all,
I am a new OpenSuSE user and quite convinced by this distribution. However, I still have a problem.
I have configured a gigabit network, using nfs and everything works fine except for all the Fortran compilers I have tried so far (Intel, g95, gfortran).
There is no problem to compile some files which are stored locally on a nfs client. However, when I try to compile some files stored on /home which is mounted through nfs, then it takes hours to make the link between all the .o files created.
My server is an OpenSuSE 10.2 - 64bit machine and the nfs options are "root_squash,sync,insecure,rw". All the clients run on OpenSuSE 10.2 - 32bit, with the options "rw,soft".
Except for the compilation, I do not face any other slow network communication.
It's worth checking the speeds. Do some dd transfers between local disks and across the network for example.
Do you know if the problem is related to the "32bit clients - 64bit server" association? Should I add another nfs option to the server or to the clients?
You probably want an rsize= and wsize= options. 8192 is the traditional value but check the man pages for details
Cheers, Dave
Dave Howorth wrote:
Michel Rasquin wrote:
Dear all,
I am a new OpenSuSE user and quite convinced by this distribution. However, I still have a problem.
I have configured a gigabit network, using nfs and everything works fine except for all the Fortran compilers I have tried so far (Intel, g95, gfortran).
gigabit network is STILL slow compared to memory access across the internal bus. I was once admining some machines at General Motors. Both the filesystems with the app and the data were on NFS mounts (user's home directory was on the workstation). Runtime for a CFD job was 8-10 hours. Moving him to the same machine as the app was on cut the execution time down to 2 1/2 hours. To make a long story short, we eventually got him off the SGI, and onto an HP (the CFD app wasn't available for IRIX, only HP-UX)....and got all three things -- home dir, scratch-space filesystem, and app all on the same machine cut the execution time down to under 10 minutes. 60x speed increase!
There is no problem to compile some files which are stored locally on a nfs client.
See above.
However, when I try to compile some files stored on /home which is mounted through nfs, then it takes hours to make the link between all the .o files created.
Doesn't surprise me in the slightest. Networks are SLOOOOOOOOOOOOWWWWWWWWWWWWWW it's not the software...it's that you're trying to push 32-bit quantities through a SERIAL connection, but on the same machine, you're moving those 32-bit quantities on a PARALLEL bus.
My server is an OpenSuSE 10.2 - 64bit machine and the nfs options are "root_squash,sync,insecure,rw". All the clients run on OpenSuSE 10.2 - 32bit, with the options "rw,soft".
Except for the compilation, I do not face any other slow network communication.
It's worth checking the speeds. Do some dd transfers between local disks and across the network for example.
Do you know if the problem is related to the "32bit clients - 64bit server" association? Should I add another nfs option to the server or to the clients?
You probably want an rsize= and wsize= options. 8192 is the traditional value but check the man pages for details
Cheers, Dave
Dave Howorth wrote:
Michel Rasquin wrote:
Dear all,
I am a new OpenSuSE user and quite convinced by this distribution. However, I still have a problem.
I have configured a gigabit network, using nfs and everything works fine except for all the Fortran compilers I have tried so far (Intel, g95, gfortran).
There is no problem to compile some files which are stored locally on a nfs client. However, when I try to compile some files stored on /home which is mounted through nfs, then it takes hours to make the link between all the .o files created.
Another thing -- it's probably worth trying to make sure it's using local disk for temporary store and preferably for the .o files as well.
Cheers, Dave
Michel Rasquin wrote:
I am a new OpenSuSE user and quite convinced by this distribution. However, I still have a problem.
I have configured a gigabit network, using nfs and everything works fine except for all the Fortran compilers I have tried so far (Intel, g95, gfortran).
There is no problem to compile some files which are stored locally on a nfs client. However, when I try to compile some files stored on /home which is mounted through nfs, then it takes hours to make the link between all the .o files created.
That's not surprising, happens here as well and has nothing to do with the programming language Fortran etc. Don't put object files on NFS disks. You could store your source code on a network disk if you want to share it between hosts, but the build directory should always be on a local disk, in particular if you want to use multi-file optimization.
Th.
The Saturday 2007-12-01 at 12:07 -0000, Thomas Hertweck wrote:
That's not surprising, happens here as well and has nothing to do with the programming language Fortran etc. Don't put object files on NFS disks. You could store your source code on a network disk if you want to share it between hosts, but the build directory should always be on a local disk, in particular if you want to use multi-file optimization.
Perhaps file creation is a slow operation over nfs :-?
Interesting.
Perhaps things would improve using "async", that's a difference with local filesystems that run "async" by default. But the man page says it can be dangerous.
-- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Saturday 2007-12-01 at 12:07 -0000, Thomas Hertweck wrote:
That's not surprising, happens here as well and has nothing to do with the programming language Fortran etc. Don't put object files on NFS disks. You could store your source code on a network disk if you want to share it between hosts, but the build directory should always be on a local disk, in particular if you want to use multi-file optimization.
Perhaps file creation is a slow operation over nfs :-?
EVERYTHING is slower over NFS -- or any other network connection -- by a factor of 100 or more.
Interesting.
Perhaps things would improve using "async", that's a difference with local filesystems that run "async" by default. But the man page says it can be dangerous.
VERY!
-- Cheers, Carlos E. R.
On Sunday 16 December 2007 18:54, Aaron Kulkis wrote:
Perhaps file creation is a slow operation over nfs :-?
EVERYTHING is slower over NFS -- or any other network connection -- by a factor of 100 or more.
Yes, and, NFS typically does not work very well across a wan.
Isn't NFS a udp stateless connection that does not guarantee ordering of packets? Seems to me that if the connection is over a wan NFS is very slow or maybe even non functioning because of packet delays and ordering problems due to wan timing and routing. Does NFS work with tcp these days?
-- Kind regards, M Harris <><
M Harris wrote:
On Sunday 16 December 2007 18:54, Aaron Kulkis wrote:
Perhaps file creation is a slow operation over nfs :-?
EVERYTHING is slower over NFS -- or any other network connection -- by a factor of 100 or more.
Yes, and, NFS typically does not work very well across a wan.
In my experience NFS has worked very well over WANs. Obviously its speed depends on the speed of the WAN but the protocol works reliably. In the past, I've used it to run trading systems transatlantic over telephone circuits, for example :)
Isn't NFS a udp stateless connection that does not guarantee ordering of packets? Seems to me that if the connection is over a wan NFS is very slow or maybe even non functioning because of packet delays and ordering problems due to wan timing and routing. Does NFS work with tcp these days?
NFS makes specific guarantees about what it provides and doesn't provide (and has some well-known deficiencies in some circumstances) but ordering of packets over the network isn't a problem. And yes, either TCP or UDP can be used. <http://nfs.sourceforge.net/> is a good place to read more.
Cheers, Dave
On Wednesday 19 December 2007 09:44, Dave Howorth wrote:
but ordering of packets over the network isn't a problem. And yes, either TCP or UDP can be used.
Thanks. You can tell how long it's been since I even tried it... back not many years ago only udp worked. tcp will keep the packets ordered. And thanks for the link.
-- Kind regards, M Harris <><
M Harris wrote:
On Wednesday 19 December 2007 09:44, Dave Howorth wrote:
but ordering of packets over the network isn't a problem. And yes, either TCP or UDP can be used.
Thanks. You can tell how long it's been since I even tried it... back not many years ago only udp worked. tcp will keep the packets ordered. And thanks for the link.
UDP is stateless (no connection needed) -- but it is a reliable transport for NFS since NFS keeps track of the packet ordering and the packets which are 'outstanding'.
TCP is preferred and is the default when it is available. Where TCP gets important is when NFS runs between two machines on a *high* speed network (1G or greater). The reason being is that NFS uses a 16-bit counter to order packets. On a high speed network, it's possible too many packets (>65535) can be sent out in a short time and NFS can get 'confused' and lose a bunch of packets. This is why "tcp" is the default and preferred transport.
TCP is available with versions 3 & 4 of NFS (both supported by most modern kernels). A big change in 10.3 (I think), is that 10.3 appears to prefer NFS4 if available over NFS3. NFS "sessions" will use the maximum supported.
However, regarding this:
Perhaps things would improve using "async", that's a difference with local filesystems that run "async" by default. But the man page says it can be dangerous.
VERY!
It depends on the environment, but in a local area network, "async" is usually preferred. "Async" causes *great* speed increases when used with NFS that cannot be attained with a 'synchronous' mount. Few 'end users' need 'sync' on NFS mounts.
On Wednesday 19 December 2007 12:48, Linda Walsh wrote:
...
---- UDP is stateless (no connection needed) -- but it is a reliable transport for NFS since NFS keeps track of the packet ordering and the packets which are 'outstanding'.
Not to mention its own checksumming, time-out and retrying.
...
Perhaps things would improve using "async", that's a difference with local filesystems that run "async" by default. But the man page says it can be dangerous.
VERY!
In particular, you can get notification of an error (e.g., "disk full") on the reply to a request much later than that of the request which actually encountered the error. Software with complex ordering and error sensitive behavior can be seriously undermined by asynchronous NFS. E.g. one of the most subtle problems I ever debugged was corruption in Berkeley DB files when the aforementioned disk-full condition occurred on a file system being accessed by the BDB code over asynchronous NFS.
...
Randall Schulz
Randall R Schulz wrote:
In particular, you can get notification of an error (e.g., "disk full") on the reply to a request much later than that of the request which actually encountered the error. Software with complex ordering and error sensitive behavior can be seriously undermined by asynchronous NFS. E.g. one of the most subtle problems I ever debugged was corruption in Berkeley DB files when the aforementioned disk-full condition occurred on a file system being accessed by the BDB code over asynchronous NFS.
Ug! Running a 'db' over NFS? That sounds ugly -- especially for performance. I don't think NFS was designed for such -- since to get any performance out of NFS, the defaults are to cache information on the client. That's not acceptable with a heavily shared database. Even on local disks, I don't think anything but 'synchronous' is recommended for critical database applications.
I suppose my assumption is that if someone had a critical business application that they needed to be networked, they'd more likely be using one of the Suse-Business editions and not asking about performance questions on the open-suse list...:-) But that is an assumption...:-)
For "Fortran" compilations, (development work), I'd strongly recommend async operation as preferable for performance reasons. But to each their own...:-)
Linda
On Thursday 20 December 2007 21:23, Linda Walsh wrote:
Randall R Schulz wrote:
In particular, you can get notification of an error (e.g., "disk full") on the reply to a request much later than that of the request which actually encountered the error. Software with complex ordering and error sensitive behavior can be seriously undermined by asynchronous NFS. E.g. one of the most subtle problems I ever debugged was corruption in Berkeley DB files when the aforementioned disk-full condition occurred on a file system being accessed by the BDB code over asynchronous NFS.
--- Ug! Running a 'db' over NFS? That sounds ugly -- especially for performance. ...
NFS is kind of ugly itself, don't you think?
I suppose my assumption is that if someone had a critical business application that they needed to be networked, they'd more likely be using one of the Suse-Business editions ...
Well, this was about 10 years ago and it was a Windows / Solaris shop. For all I know, the BDB folks have found a way to deal with this issue. We just turned off asynchronous operation in the NFS configuration, since fixing the guts of the BDB code wasn't our reason for existence.
Linda
Randall Schulz
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Sherry anyone?
Love Lynn x
On Friday 21 December 2007 11:10, primm wrote:
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
Sherry anyone?
Love Lynn x
Loveless in Luser Land, RRS
Randall R Schulz wrote:
On Friday 21 December 2007 11:10, primm wrote:
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
That's why we get paid the big bucks ;-)
Sherry anyone?
Love Lynn x
Loveless in Luser Land, RRS
On Friday 21 December 2007 20:28:04 Randall R Schulz wrote:
On Friday 21 December 2007 11:10, primm wrote:
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs?
Love from L
The Sunday 2007-12-23 at 08:10 +0100, primm wrote:
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs?
None that I know.
There is samba, of course, but that doesn't export linux filesystems with proper permissions and flags. And it is way more complicated to setup and convince to just work.
-- Cheers, Carlos E. R.
You can get close with samba and cifs, but like Carlos says it's more work. There is also afs.
On Sun, Dec 23, 2007 at 12:47:44PM +0100, Carlos E. R. wrote:
The Sunday 2007-12-23 at 08:10 +0100, primm wrote:
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs?
None that I know.
There is samba, of course, but that doesn't export linux filesystems with proper permissions and flags. And it is way more complicated to setup and convince to just work.
-- Cheers, Carlos E. R.
On Sunday 23 December 2007 08:10:47 primm wrote:
On Friday 21 December 2007 20:28:04 Randall R Schulz wrote:
On Friday 21 December 2007 11:10, primm wrote:
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs? Love from L
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
Anders -- Madness takes its toll
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs? Love from L
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost from an engineer who also sold me the licences for my workstations. That was w2000. It was plagued by viruses and most of my hardware wasn't recognised so I had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk. But for gads sake, it's been up for 6 months with my staff reading e-mails and chatting to and from their latest boyfriends all through the lunch break. I use SuSEfirewall2. Setup by Yast.
What a mess. I can't afford to go back to commercial products at the moment. Other people have told me that I have no alternatives. . . What the ???? is nfsv4 + kerberos? Yes, I know I can google it. I just have. But tomorrow morning I'll be back at work and I've a date this evening.
It's at times like these I wish I'd stayed with my Microsoft rep. Do I change my network back to Windows 2000? I'm not a hobbyist. Can anyone advise me in plain English o Español? Please, if you do not run a network then please do not write.
Love from Primm xx
On Sunday 23 December 2007 14:09:44 primm wrote:
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs? Love from L
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost from an engineer who also sold me the licences for my workstations. That was w2000.
It was plagued by viruses and most of my hardware wasn't recognised so I had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted. Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share. In version 4, if you use kerberos authentication, it doesn't do that. And with kerberos you can also get encrypted nfs
But for gads sake, it's been up for 6 months with my staff reading e-mails and chatting to and from their latest boyfriends all through the lunch break. I use SuSEfirewall2. Setup by Yast.
What a mess. I can't afford to go back to commercial products at the moment. Other people have told me that I have no alternatives. . . What the ???? is nfsv4 + kerberos? Yes, I know I can google it. I just have. But tomorrow morning I'll be back at work and I've a date this evening.
It's at times like these I wish I'd stayed with my Microsoft rep.
Don't be silly
Do I change my network back to Windows 2000? I'm not a hobbyist. Can anyone advise me in plain English o Español? Please, if you do not run a network then please do not write.
So long as you trust all machines on the LAN, you don't have a problem. Basically, it's the same as switching from telnet to ssh. telnet is fine as long as you trust all machines on the network
Anders -- Madness takes its toll
Anders Johansson wrote:
On Sunday 23 December 2007 14:09:44 primm wrote:
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
I thought the purpose of root squash was to prevent that.
-- Use OpenOffice.org <http://www.openoffice.org>
On Sunday 23 December 2007 14:59:12 James Knott wrote:
Anders Johansson wrote:
On Sunday 23 December 2007 14:09:44 primm wrote:
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
I thought the purpose of root squash was to prevent that.
No, the purpose of root squash is to prevent anyone from pretending to be UID 0
But if your home share is UID 1000, and I have root on my machine, I create a user with UID 1000, mount, su to that user and I can access your home as if I were you
As I said, nfs v <= 3 trusts the client. Actually, v4 does too, if you don't use kerberos
Anders -- Madness takes its toll
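The trust model described in the message above, turned into a check an administrator can run over an exports file. This is an added example, not part of the original thread: the sample file, host names and finding codes are constructed (only the /home option string is the one quoted in the first post), and the option semantics are those of current exports(5), assuming its defaults of secure, root_squash, sync and sec=sys.

```python
import re

# Constructed sample. The /home line uses the server options quoted in the
# first post of the thread; the other two lines are invented for contrast.
SAMPLE_EXPORTS = """\
# constructed example, not a real server's /etc/exports
/home     192.168.1.0/24(root_squash,sync,insecure,rw)
/scratch  *(rw,async,no_root_squash)
/secure   client1.example.org(rw,sync,sec=krb5p)
"""

FINDINGS = {
    "ANY_HOST": "exported to every host that can reach the server",
    "AUTH_SYS": "sec=sys: the server believes the UID/GID the client sends; "
                "root_squash only remaps UID 0",
    "NO_ENCRYPTION": "traffic is readable on the wire (only sec=krb5p encrypts)",
    "INSECURE_PORT": "'insecure' accepts requests from unprivileged source ports",
    "NO_ROOT_SQUASH": "client root acts as root on the exported tree",
    "ASYNC": "server acknowledges writes before they reach disk",
}

TOKEN = re.compile(r"([^()]*)(?:\(([^)]*)\))?")   # client(opt,opt) or bare client


def parse_exports(text):
    """Return [(path, client, [options])] for every client on every line."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continuations
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        path, *rest = line.split()
        defaults, clients = [], 0
        for tok in rest:
            if tok.startswith("-"):        # "-opt,opt": defaults for later clients
                defaults = tok[1:].split(",")
                continue
            m = TOKEN.fullmatch(tok)
            if m is None:
                raise ValueError(f"malformed client entry: {tok!r}")
            own = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, m.group(1) or "*", defaults + own))
            clients += 1
        if clients == 0:                   # no client listed: treat as everyone
            entries.append((path, "*", defaults))
    return entries


def effective(options):
    """Start from the assumed exports(5) defaults, then apply options in order."""
    state = {"secure": True, "root_squash": True, "all_squash": False,
             "sync": True, "sec": ["sys"]}
    for opt in options:
        if opt.startswith("sec="):
            state["sec"] = opt[4:].split(":")
        elif opt in ("secure", "root_squash", "all_squash", "sync"):
            state[opt] = True
        elif opt == "insecure":
            state["secure"] = False
        elif opt == "no_root_squash":
            state["root_squash"] = False
        elif opt == "no_all_squash":
            state["all_squash"] = False
        elif opt == "async":
            state["sync"] = False
    return state


def audit(text):
    """Return a list of (path, client, finding_code) tuples."""
    results = []
    for path, client, options in parse_exports(text):
        s = effective(options)
        codes = []
        if client == "*":
            codes.append("ANY_HOST")
        # With all_squash every caller is mapped to the anonymous user,
        # so the client-asserted UID no longer selects whose files are seen.
        if "sys" in s["sec"] and not s["all_squash"]:
            codes.append("AUTH_SYS")
        if any(flavor != "krb5p" for flavor in s["sec"]):
            codes.append("NO_ENCRYPTION")
        if not s["secure"]:
            codes.append("INSECURE_PORT")
        if not s["root_squash"]:
            codes.append("NO_ROOT_SQUASH")
        if not s["sync"]:
            codes.append("ASYNC")
        results.extend((path, client, code) for code in codes)
    return results


if __name__ == "__main__":
    for path, client, code in audit(SAMPLE_EXPORTS):
        print(f"{path} {client}: {code}: {FINDINGS[code]}")
```

The /home line from the first post is reported for AUTH_SYS even though it sets root_squash, which is the distinction drawn in the reply above.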
On Sunday 23 December 2007 15:17:46 Anders Johansson wrote:
On Sunday 23 December 2007 14:59:12 James Knott wrote:
Anders Johansson wrote:
On Sunday 23 December 2007 14:09:44 primm wrote:
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
I thought the purpose of root squash was to prevent that.
No, the purpose of root squash is to prevent anyone from pretending to be UID 0
But if your home share is UID 1000, and I have root on my machine, I create a user with UID 1000, mount, su to that user and I can access your home as if I were you
As I said, nfs v <= 3 trusts the client. Actually, v4 does too, if you don't use kerberos
OK guys. Anoraks off and xmas ties on. This is the works xmas outing. Hands up: Which of the posters to this thread actually runs a network? That works.
cu tomorrow afternoon!
L x
primm wrote:
OK guys. Anoraks off and xmas ties on. This is the works xmas outing. Hands up: Which of the posters to this thread actually runs a network? That works.
LOL, good one. I "run a network" at my home office - rather smallish, 7 linux boxes, and 3 macs, but I do have similar things going on in much bigger environments at various client locations. Typically in such cases, the "network" is run by the cisco experts, but we unix people do manage clients and servers that live on those networks.
Joe
primm pecked at the keyboard and wrote:
On Sunday 23 December 2007 15:17:46 Anders Johansson wrote:
On Sunday 23 December 2007 14:59:12 James Knott wrote:
OK guys. Anoraks off and xmas ties on. This is the works xmas outing. Hands up: Which of the posters to this thread actually runs a network? That works.
cu tomorrow afternoon!
Before I retired I ran a small network of approx. 60 offices throughout the US which comprised approx 700 users. I managed all the network including the Cisco gear, DNS and the webserver. Does that count?
-- Ken Schneider SuSe since Version 5.2, June 1998
On Sunday 23 December 2007 20:31:33 Ken Schneider wrote:
primm pecked at the keyboard and wrote:
On Sunday 23 December 2007 15:17:46 Anders Johansson wrote:
On Sunday 23 December 2007 14:59:12 James Knott wrote:
OK guys. Anoraks off and xmas ties on. This is the works xmas outing. Hands up: Which of the posters to this thread actually runs a network? That works.
cu tomorrow afternoon!
Before I retired I ran a small network of approx. 60 offices throughout the US which comprised approx 700 users. I managed all the network including the Cisco gear, DNS and the webserver. Does that count?
Yes. That counts. Thank you. G & T? L xx
primm wrote:
On Sunday 23 December 2007 15:17:46 Anders Johansson wrote:
On Sunday 23 December 2007 14:59:12 James Knott wrote:
Anders Johansson wrote:
On Sunday 23 December 2007 14:09:44 primm wrote:
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
I thought the purpose of root squash was to prevent that.
No, the purpose of root squash is to prevent anyone from pretending to be UID 0
But if your home share is UID 1000, and I have root on my machine, I create a user with UID 1000, mount, su to that user and I can access your home as if I were you
As I said, nfs v <= 3 trusts the client. Actually, v4 does too, if you don't use kerberos
OK guys. Anoraks off and xmas ties on. This is the works xmas outing. Hands up: Which of the posters to this thread actually runs a network? That works.
I have been part of running several (so large that it's actually a team effort!) with the number of machines ranging from several dozen to a few thousand.
cu tomorrow afternoon!
L x
On Sun, 2007-12-23 at 19:40 +0100, primm wrote:
OK guys. Anoraks off and xmas ties on. This is the works xmas outing. Hands up: Which of the posters to this thread actually runs a network? That works.
Understand the remark: having heard somebody about using nfs is something different than feeling the blisters yourself. Works at innovation department at gov org. 60K users, end users mainly on M$, servers all kinds on nix hw
On Sunday 23 December 2007 22:51:23 Hans Witvliet wrote:
On Sun, 2007-12-23 at 19:40 +0100, primm wrote:
OK guys. Anoraks off and xmas ties on. This is the works xmas outing. Hands up: Which of the posters to this thread actually runs a network? That works.
Understand the remark: having heard somebody about using nfs is something different than feeling the blisters yourself.
The discussion was about the security of nfs. I don't see what administration has to do with it Anders -- Madness takes its toll
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"? Anders -- Madness takes its toll
On Sunday 23 December 2007 14:07, Anders Johansson wrote:
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"?
I think he's referring to a kind of jacket. It's a Britishism, like "boot" or "bum" or "lift" or "lorry" or "petrol"... As ever, the U.S. and the U.K. are two nations separated by a common language.
Anders
-- Madness takes its toll
That, too. RRS
On Sunday 23 December 2007 23:24:16 Randall R Schulz wrote:
On Sunday 23 December 2007 14:07, Anders Johansson wrote:
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"?
I think he's referring to a kind of jacket. It's a Britishism, like "boot" or "bum" or "lift" or "lorry" or "petrol"...
I know, but it's also an expression, a bit like "nerdy" in the US. It signifies people like train spotters and people who attend star trek conventions I just think it doesn't apply to a technical discussion Anders -- Madness takes its toll
On Sunday 23 December 2007 14:26, Anders Johansson wrote:
On Sunday 23 December 2007 23:24:16 Randall R Schulz wrote:
On Sunday 23 December 2007 14:07, Anders Johansson wrote:
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"?
I think he's referring to a kind of jacket. It's a Britishism, like "boot" or "bum" or "lift" or "lorry" or "petrol"...
I know, but it's also an expression, a bit like "nerdy" in the US. It signifies people like train spotters and people who attend star trek conventions
I thought it was like "OK, roll up your sleeves and start the work of blah, blah, blah..." This seems consistent with the use of the verb "off," as in "doff" or "remove."
I just think it doesn't apply to a technical discussion
Who can say? I only speak English.
Anders
RRS
On Sunday 23 December 2007 23:44:11 Randall R Schulz wrote:
On Sunday 23 December 2007 14:26, Anders Johansson wrote:
On Sunday 23 December 2007 23:24:16 Randall R Schulz wrote:
On Sunday 23 December 2007 14:07, Anders Johansson wrote:
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"?
I think he's referring to a kind of jacket. It's a Britishism, like "boot" or "bum" or "lift" or "lorry" or "petrol"...
I know, but it's also an expression, a bit like "nerdy" in the US. It signifies people like train spotters and people who attend star trek conventions
I thought it was like "OK, roll up your sleeves and start the work of blah, blah, blah..." This seems consistent with the use of the verb "off," as in "doff" or "remove."
On the other hand it's not consistent with "...and xmas ties on. This is the xmas works outing". No, "Anoraks off" meant "stop being nerdy" Anders -- Madness takes its toll
On the other hand it's not consistent with "...and xmas ties on. This is the xmas works outing".
No, "Anoraks off" meant "stop being nerdy"
Almost. But not quite. You failed to take the phrases in the context in which they were trying to penetrate. '...Xmas ties on.', actually means 'ask me for the next dance'. Or at the very least, 'You're looking good tonight, did you buy that dress with the money you saved by ditching NT'. Answer: Yes. A large G&T would be just fine. To get back to the point, the salesman tells me w2000 is better than what I've installed myself. NFS. And the girls can all use office like they have at home with all the menus in the same place. What do you say? L xx
primm wrote:
On the other hand it's not consistent with "...and xmas ties on. This is the xmas works outing".
No, "Anoraks off" meant "stop being nerdy"
Almost. But not quite. You failed to take the phrases in the context in which they were trying to penetrate. '...Xmas ties on.', actually means 'ask me for the next dance'. Or at the very least, 'You're looking good tonight, did you buy that dress with the money you saved by ditching NT'. Answer: Yes. A large G&T would be just fine.
To get back to the point, the salesman tells me w2000 is better than what I've installed myself. NFS. And the girls can all use office like they have at home with all the menus in the same place.
What do you say?
I say that the salesman isn't making any money when you run Linux, but he makes a very tidy sum if you would just go back to buying expensive, buggy, insecure software from him and his supplier in Redmond, Washington, USA.
L xx
On Sunday 23 December 2007 23:44:11 Randall R Schulz wrote:
I just think it doesn't apply to a technical discussion
Who can say? I only speak English.
While "anorak" is actually Danish (from Eskimo), anorak meaning nerd is very English Anders -- Madness takes its toll
Who can say? I only speak English.
While "anorak" is actually Danish (from Eskimo), anorak meaning nerd is very English
Anorak means someone with a playstation 2, is 42 years old, has never had a girlfriend and still lives with his Mother. L xx
I first came across "anorak" being transferred from the garment to the wearer when we had the first students who logged into the departmental computer system before removing their anoraks, or in extreme cases ever removing same. Before that such people were called computer researchers, or hackers. ==John ffitch ex-hacker, second generation computer scientist "This research is of insufficient standard"
I thought it was like "OK, roll up your sleeves and start the work of blah, blah, blah..." This seems consistent with the use of the verb "off," as in "doff" or "remove."
I just think it doesn't apply to a technical discussion
Who can say? I only speak English.
English is great for mailing lists. Hopeless for making love. L xx
On Sunday 23 December 2007 23:24:16 Randall R Schulz wrote:
On Sunday 23 December 2007 14:07, Anders Johansson wrote:
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"?
I think he's referring to a kind of jacket. It's a Britishism, like "boot" or "bum" or "lift" or "lorry" or "petrol"...
As ever, the U.S. and the U.K. are two nations separated by a common language.
Anders
-- Madness takes its toll
That, too.
RRS
Please do not refer to me as "he's". Maybe Mr. Johannsson could help you get to the gas station. How sad. L x
On December 23, 2007 02:24:16 pm Randall R Schulz wrote:
As ever, the U.S. and the U.K. are two nations separated by a common language.
And those of us in Canada aren't too sure about either of you. Yanks can't spell and the Brits drive on the wrong side of the road....... :-) :-) -- Bob Smits bob@rsmits.ca A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing on usenet and in e-mail?
On Monday 24 December 2007 08:26:53 Robert Smits wrote:
On December 23, 2007 02:24:16 pm Randall R Schulz wrote:
As ever, the U.S. and the U.K. are two nations separated by a common language.
And those of us in Canada aren't too sure about either of you.
Yanks can't spell and the Brits drive on the wrong side of the road.......
First rule of comedy: Never admit you is Canadian. Diminués et proportionnés. ¡feliz navidad! L x
On Sun, 2007-12-23 at 23:26 -0800, Robert Smits wrote:
On December 23, 2007 02:24:16 pm Randall R Schulz wrote:
As ever, the U.S. and the U.K. are two nations separated by a common language.
And those of us in Canada aren't too sure about either of you.
Yanks can't spell and the Brits drive on the wrong side of the road.......
:-) :-)
Wrong, wrong, what a harsh word...All is relative, (according to my mirror. ;-) besides, from the time i worked in Monza, i remember that the Italians drive on either side of the road that was the least crowded....
On Monday 24 December 2007 11:36:00 Hans Witvliet wrote:
besides, from the time i worked in Monza, i remember that the Italians drive on either side of the road that was the least crowded....
Are you sure that was *in* Monza, and not *at* Monza? :) Anders -- Madness takes its toll
Hans Witvliet wrote:
On Sun, 2007-12-23 at 23:26 -0800, Robert Smits wrote:
On December 23, 2007 02:24:16 pm Randall R Schulz wrote:
As ever, the U.S. and the U.K. are two nations separated by a common language.
And those of us in Canada aren't too sure about either of you.
Yanks can't spell and the Brits drive on the wrong side of the road.......
:-) :-)
Wrong, wrong, what a harsh word...All is relative, (according to my mirror. ;-)
besides, from the time i worked in Monza, i remember that the Italians drive on either side of the road that was the least crowded....
I recall reading that in France, one way signs are considered a suggestion. ;-) -- Use OpenOffice.org <http://www.openoffice.org>
James Knott pecked at the keyboard and wrote:
Hans Witvliet wrote:
On Sun, 2007-12-23 at 23:26 -0800, Robert Smits wrote:
On December 23, 2007 02:24:16 pm Randall R Schulz wrote:
As ever, the U.S. and the U.K. are two nations separated by a common language.
And those of us in Canada aren't too sure about either of you.
Yanks can't spell and the Brits drive on the wrong side of the road.......
:-) :-)
Wrong, wrong, what a harsh word...All is relative, (according to my mirror. ;-)
besides, from the time i worked in Monza, i remember that the Italians drive on either side of the road that was the least crowded....
I recall reading that in France, one way signs are considered a suggestion. ;-)
On a visit to Boston years ago my brother took me to an intersection that was a four way flashing yellow. Almost as bad as two way traffic on a one way street. -- Ken Schneider SuSe since Version 5.2, June 1998
I recall reading that in France, one way signs are considered a suggestion. ;-)
Another anorak who lives with his mother girls. But let's encourage him by telling him to keep it up. Driving fast and having fun is still allowed on this list. Now count the blank lines: But only just. New Audi TT anyone? No. Thought not.
primm wrote:
I recall reading that in France, one way signs are considered a suggestion. ;-)
Another anorak who lives with his mother girls. But let's encourage him by telling him to keep it up. Driving fast and having fun is still allowed on this list.
When do we start talking about MotoGP, and Stoner's chances in 2008?
On Sunday 23 December 2007 23:07:49 Anders Johansson wrote:
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"?
Anders
Anders, darling. _you_ are the anorak. You know everything. We love you. L x
On Monday 24 December 2007 06:49:38 primm wrote:
On Sunday 23 December 2007 23:07:49 Anders Johansson wrote:
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"?
Anders
Anders, darling. _you_ are the anorak. You know everything. We love you.
But I have a PS3. PS2 is so yesterday Anders PS. If you want to go around calling people 'darling', I suggest you get a separate mail account. It's sometimes confusing to think you're being called 'darling' by someone called Steve -- Madness takes its toll
On Monday 24 December 2007 13:53:23 Anders Johansson wrote:
On Monday 24 December 2007 06:49:38 primm wrote:
On Sunday 23 December 2007 23:07:49 Anders Johansson wrote:
On Sunday 23 December 2007 19:40:41 primm wrote:
OK guys. Anoraks off
Why is a technical discussion "anorak"?
Anders
Anders, darling. _you_ are the anorak. You know everything. We love you.
But I have a PS3. PS2 is so yesterday
Anders, darling. I love you too. You have all the answers. You must make more money than my microsoft rep. Take my advice: Ask your Mom to get you an xbox 361 t-shirt for xmas. L x
Anders Johansson wrote:
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
Nah, if you use root_squash that isn't going to happen. remote nfs root access gets mapped to nobody, with limited rights and privileges. Joe
On Sunday 23 December 2007 19:12:41 Joe Sloan wrote:
Anders Johansson wrote:
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
Nah, if you use root_squash that isn't going to happen. remote nfs root access gets mapped to nobody, with limited rights and privileges.
I already responded to that, but ok: it only helps if root is the only one allowed to write to the share. As soon as you have a user with write permissions, a client can fake that user ID, because the server trusts it. With nfs4 + kerberos, this problem doesn't exist. Users are properly authenticated Anders -- Madness takes its toll
Anders Johansson wrote:
On Sunday 23 December 2007 19:12:41 Joe Sloan wrote:
remote nfs root access gets mapped to nobody, with limited rights and privileges.
I already responded to that, but ok: it only helps if root is the only one allowed to write to the share. As soon as you have a user with write permissions, a client can fake that user ID, because the server trusts it.
Yes, I saw your response to the other guy after I'd already responded - I was talking about remote root access, which is disabled with the root_squash setting, but it is true that root on the remote machine can become any other user, which is a real problem unless you control the root account on the machines you trust. In the type of environment lynn was talking about, I don't imagine it would be a problem to control the root account though.
With nfs4 + kerberos, this problem doesn't exist. Users are properly authenticated
Hopefully that or something like it will become the standard nfs setup. Joe
Joe Sloan wrote:
Anders Johansson wrote:
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
Nah, if you use root_squash that isn't going to happen. remote nfs root access gets mapped to nobody, with limited rights and privileges.
He's talking about someone having access to a root account, and making a fake ID with the same UID number as another legitimate account (usually for the purpose of data espionage or data sabotage/destruction).
Joe
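Added example, not part of any post in this thread: a small audit of an /etc/exports file for the points argued above, namely that a sec=sys export accepts whatever UID the client sends even with root_squash, and that nothing is encrypted unless krb5p is required. The sample file, its hosts and paths, and the finding labels are constructed for illustration; only the simple `host(options)` form is parsed.

```python
import re

# Constructed sample /etc/exports. Hosts and paths are placeholders.
SAMPLE_EXPORTS = """\
# constructed sample, not taken from any real server
/home        192.168.1.0/24(rw,sync,root_squash,insecure)
/srv/build   *(rw,no_root_squash)
/srv/secure  *.example.org(rw,sync,sec=krb5p)
"""

# One client spec: host, optionally followed by (opt,opt=value,...)
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]+)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Yield (path, host, options) for every client spec in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            match = CLIENT_RE.match(spec)
            if not match:
                continue  # forms outside the scope of this example
            opts = {}
            for item in filter(None, (match.group("opts") or "").split(",")):
                key, _, value = item.partition("=")
                opts[key.strip()] = value.strip()
            yield path, match.group("host"), opts


def findings_for(host, opts):
    """Return the finding labels (names made up here) for one client spec."""
    # exports(5) defaults: sec=sys, root_squash, secure (privileged ports).
    flavors = opts.get("sec", "sys").split(":")
    found = []
    # sec=sys: the server believes the UID in each request. root_squash
    # only remaps UID 0, so every other UID is still taken on trust.
    # all_squash maps every UID to the anonymous user instead.
    if "sys" in flavors and "all_squash" not in opts:
        found.append("client-asserted-uids")
    if "no_root_squash" in opts:
        found.append("root-not-squashed")
    # Only krb5p encrypts traffic; sys, krb5 and krb5i do not.
    if any(flavor != "krb5p" for flavor in flavors):
        found.append("unencrypted")
    if host == "*":
        found.append("any-host")
    if "insecure" in opts:
        found.append("unprivileged-ports")
    return found


def audit_exports(text):
    """Map (path, host) to its list of findings."""
    return {
        (path, host): findings_for(host, opts)
        for path, host, opts in parse_exports(text)
    }


if __name__ == "__main__":
    for (path, host), found in audit_exports(SAMPLE_EXPORTS).items():
        print(f"{path} -> {host}: {', '.join(found) or 'ok'}")
```

An export that shows `client-asserted-uids` is only as trustworthy as the root account on every machine allowed to mount it, which is the condition the posters above keep returning to.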
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost from an engineer who also sold me the licences for my workstations. That was w2000.
It was plagued by viruses and most of my hardware wasn't recognised so I had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
What? So, I login as me. There is no way nfs will let me write to the folders of other users. Unless the other user has given me permission to do so. What do you mean by 'control the root account on all machines'? No one else other than me can login as root on any box on my network. Could you please tell me if I need to change my filesystem? What version of nfs do I have if I have opensuse version 10.3? Yes. I know I can find out. But please don't tell me where to stuff it. Lynn x
On Sunday 23 December 2007 19:31:45 primm wrote:
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost from an engineer who also sold me the licences for my workstations. That was w2000.
It was plagued by viruses and most of my hardware wasn't recognised so I had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
What? So, I login as me. There is no way nfs will let me write to the folders of other users. Unless the other user has given me permission to do so. What do you mean by 'control the root account on all machines'? No one else other than me can login as root on any box on my network.
That is exactly what I mean by "controlling the root account". So you don't have a problem then Anders -- Madness takes its toll
The Sunday 2007-12-23 at 19:31 +0100, primm wrote:
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
What? So, I login as me. There is no way nfs will let me write to the folders of other users. Unless the other user has given me permission to do so. What do you mean by 'control the root account on all machines'? No one else other than me can login as root on any box on my network. Could you please tell me if I need to change my filesystem? What version of nfs do I have if I have opensuse version 10.3? Yes. I know I can find out. But please don't tell me where to stuff it.
What it means is that root on a machine that connects to the network can fake any user while connecting to the nfs server. Meaning, for example, that a guest with a laptop, if allowed to connect to the network, could gain access to any dir exported by nfs - at least with previous NFS versions. Which version do you have? Do 'cat /proc/fs/nfsd/versions', for instance. Or try 'nfsstat'. But I'm not allowed to write here, so please ignore me. :-P -- Cheers, Carlos E. R.
primm wrote:
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost from an engineer who also sold me the licences for my workstations. That was w2000.
It was plagued by viruses and most of my hardware wasn't recognised so I had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
What? So, I login as me. There is no way nfs will let me write to the folders of other users.
Unless you have root access, and create a second username with the same UID as a legitimate user.
Unless the other user has given me permission to do so.
Or you have root access and give yourself permission to do so. This is one reason (among many) why root passwords should NEVER be given to non-admins -- even those who are competent enough to not screw things up...are also competent enough to become security threats in other ways.
What do you mean by 'control the root account on all machines'? No one else other than me can login as root on any box on my network.
In many large companies, MANY people have the root password, and they are changed frequently in case any admin momentarily falls prey to the (sometimes very great) temptation to just give a knowledgeable and competent user the root password so he can "fix the problem himself."
Could you please tell me if I need to change my filesystem? What version of nfs do I have if I have opensuse version 10.3? Yes. I know I can find out. But please don't tell me where to stuff it.
You're perfectly secure. As long as you keep the root password to yourself, or an employee whose ONLY job is to be an admin, then the security weakness of NFS doesn't apply to you. (As soon as you give an admin additional responsibilities, there is a very great temptation for the admin to configure the system to his benefit at the expense of the other employees, and therefore to you, the owner).
Lynn x
primm wrote:
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost from an engineer who also sold me the licences for my workstations. That was w2000.
It was plagued by viruses and most of my hardware wasn't recognised so I had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
What? So, I login as me. There is no way nfs will let me write to the folders of other users. Unless the other user has given me permission to do so. What do you mean by 'control the root account on all machines'? No one else other than me can login as root on any box on my network. Could you please tell me if I need to change my filesystem? What version of nfs do I have if I have opensuse version 10.3? Yes. I know I can find out. But please don't tell me where to stuff it.
Lynn x
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID. -- Use OpenOffice.org <http://www.openoffice.org>
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID.
I set up the nfs server with yast. I set up the nfs clients with Yast. Yast tells me nothing about id. It doesn't say, 'are you sure you want to continue because this is a big security risk'. I come back to my original worry: I'm the only one with root access on any box on my network. Yast set it up for me. What are my problems? I'm sorry to have to ask for confirmation. L x
primm wrote:
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID.
I set up the nfs server with yast. I set up the nfs clients with Yast. Yast tells me nothing about id. It doesn't say, 'are you sure you want to continue because this is a big security risk'.
I come back to my original worry: I'm the only one with root access on any box on my network. Yast set it up for me. What are my problems? I'm sorry to have to ask for confirmation.
Just make sure that each user on your network has a UNIQUE user ID number ... if Joe has user ID 1002 on one machine, and Jane has user ID 1002 on another machine, then you will have problems. You want Joe to have the same user ID (say 1002) on every machine, and Jane to have her own user ID (say 1003) on every machine. The easiest way to do this is with NIS.
L x
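The UID rule described in the messages above can be checked mechanically. The following is an added example, not part of the original thread: it compares passwd files collected from each machine and reports UIDs shared by different users and users whose UID differs between hosts. The host names, sample accounts and the 1000 to 60000 UID range are constructed assumptions.

```python
from collections import defaultdict

# Assumption: regular accounts live in 1000..60000 (excludes root, system
# accounts and "nobody"); adjust to the site's own UID policy.
UID_MIN, UID_MAX = 1000, 60000

# Constructed sample input: /etc/passwd as collected from three hosts.
SAMPLE_HOSTS = {
    "server": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "joe:x:1002:100:Joe:/home/joe:/bin/bash\n"
        "jane:x:1003:100:Jane:/home/jane:/bin/bash\n"
        "nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash\n"
    ),
    "ws1": (
        "joe:x:1002:100:Joe:/home/joe:/bin/bash\n"
        "jane:x:1003:100:Jane:/home/jane:/bin/bash\n"
        "+::::::\n"  # NIS compat entry, carries no UID of its own
    ),
    "ws2": (
        "# locally created account that reuses Joe's number\n"
        "jane:x:1002:100:Jane:/home/jane:/bin/bash\n"
    ),
}


def parse_passwd(text, uid_min=UID_MIN, uid_max=UID_MAX):
    """Return {username: uid} for regular accounts in passwd-format text."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and NIS compat entries such as "+::::::".
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed line: ignore rather than guess
        uid = int(fields[2])
        if uid_min <= uid <= uid_max:
            users[fields[0]] = uid
    return users


def audit(hosts):
    """hosts: {hostname: passwd text}. Returns (collisions, drift).

    collisions: {uid: {username: [hosts]}}, one UID naming several users.
                Over NFS with numeric-UID trust these users can read and
                write each other's files.
    drift:      {username: {uid: [hosts]}}, one user with several UIDs.
    """
    by_uid = defaultdict(lambda: defaultdict(list))
    by_name = defaultdict(lambda: defaultdict(list))
    for host, text in sorted(hosts.items()):
        for name, uid in parse_passwd(text).items():
            by_uid[uid][name].append(host)
            by_name[name][uid].append(host)
    collisions = {u: dict(n) for u, n in by_uid.items() if len(n) > 1}
    drift = {n: dict(u) for n, u in by_name.items() if len(u) > 1}
    return collisions, drift


def report(hosts):
    """Return human-readable findings, one string per problem."""
    collisions, drift = audit(hosts)
    lines = []
    for uid, names in sorted(collisions.items()):
        owners = ", ".join(f"{n} on {'/'.join(h)}" for n, h in sorted(names.items()))
        lines.append(f"UID {uid} is shared by different users: {owners}")
    for name, uids in sorted(drift.items()):
        seen = ", ".join(f"{u} on {'/'.join(h)}" for u, h in sorted(uids.items()))
        lines.append(f"user {name} has inconsistent UIDs: {seen}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_HOSTS):
        print(finding)
```

An empty report means every regular account maps to the same number on every host, which is the state NIS is meant to maintain.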
Aaron Kulkis wrote:
primm wrote:
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID.
I setup the nfs server with yast. I setup the nfs clients with Yast. Yast tells me nothing about id. It doesn't say, 'are you sure you want to continue because this is a big security risk'.
I come back to my original worry: I'm the only one with root access on any box on my network. Yast set it up for me. What are my problems? I'm sorry to have to ask for confirmation.
Just make sure that each user on your network has a UNIQUE user ID number ... if Joe has user ID 1002 on one machine, and Jane has user ID 1002 on another machine, then you will have problems.
You want Joe to have the same user ID (say 1002) on every machine, and Jane to have her own user ID (say 1003) on every machine.
The easiest way to do this is with NIS.
With the Windows Domain Login, one option is to create a home directory. Is this possible with NIS? If not what does one use for a home directory, when logged onto a computer without a home directory for that user?
-- Use OpenOffice.org <http://www.openoffice.org>
On Thursday 27 December 2007 22:11:53 James Knott wrote:
With the Windows Domain Login, one option is to create a home directory. Is this possible with NIS? If not what does one use for a home directory, when logged onto a computer without a home directory for that user?
That is a pam option, possible with all kinds of authentication. Just add pam_mkhomedir.so to the authentication chain
But a common variation is to have the home directory on NFS, available on all machines
Anders
-- Madness takes its toll
On Thursday 27 December 2007 22:17:57 Anders Johansson wrote:
Just add pam_mkhomedir.so to the authentication chain
Sorry, that should be "to the session chain"
Look at "man pam_mkhomedir" for more info
Anders
-- Madness takes its toll
Anders Johansson wrote:
On Thursday 27 December 2007 22:11:53 James Knott wrote:
With the Windows Domain Login, one option is to create a home directory. Is this possible with NIS? If not what does one use for a home directory, when logged onto a computer without a home directory for that user?
That is a pam option, possible with all kinds of authentication. Just add pam_mkhomedir.so to the authentication chain
But a common variation is to have the home directory on NFS, available on all machines
It's generally the superior way of going about things. Otherwise, your nightly backups are a nightmare.
James Knott wrote:
Aaron Kulkis wrote:
primm wrote:
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID.
I setup the nfs server with yast. I setup the nfs clients with Yast. Yast tells me nothing about id. It doesn't say, 'are you sure you want to continue because this is a big security risk'.
I come back to my original worry: I'm the only one with root access on any box on my network. Yast set it up for me. What are my problems? I'm sorry to have to ask for confirmation.
Just make sure that each user on your network has a UNIQUE user ID number ... if Joe has user ID 1002 on one machine, and Jane has user ID 1002 on another machine, then you will have problems.
You want Joe to have the same user ID (say 1002) on every machine, and Jane to have her own user ID (say 1003) on every machine.
The easiest way to do this is with NIS.
With the Windows Domain Login, one option is to create a home directory. Is this possible with NIS? If not what does one use for a home directory, when logged onto a computer without a home directory for that user?
Sure, use the make_home_dir utility - works like a charm.
http://www.trustsec.de/soft/oss/make_home_dir-1.0.tar.gz
Of course, the old school linux method is to combine nis with nfs and automounter, so you get the same home directory everywhere. But for limited environments, make_home_dir will fit the bill.
Joe
Joe Sloan wrote:
James Knott wrote:
Aaron Kulkis wrote:
primm wrote:
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID.
I setup the nfs server with yast. I setup the nfs clients with Yast. Yast tells me nothing about id. It doesn't say, 'are you sure you want to continue because this is a big security risk'.
I come back to my original worry: I'm the only one with root access on any box on my network. Yast set it up for me. What are my problems? I'm sorry to have to ask for confirmation.
Just make sure that each user on your network has a UNIQUE user ID number ... if Joe has user ID 1002 on one machine, and Jane has user ID 1002 on another machine, then you will have problems.
You want Joe to have the same user ID (say 1002) on every machine, and Jane to have her own user ID (say 1003) on every machine.
The easiest way to do this is with NIS.
With the Windows Domain Login, one option is to create a home directory. Is this possible with NIS? If not what does one use for a home directory, when logged onto a computer without a home directory for that user?
Sure, use the make_home_dir utility - works like a charm.
http://www.trustsec.de/soft/oss/make_home_dir-1.0.tar.gz
Of course, the old school linux method is to combine nis with nfs and automounter, so you get the same home directory everywhere. But for limited environments, make_home_dir will fit the bill.
And then the NIS map of the automount files can be used to allow ANY workstation to automount the home directory located on the user's "usual" workstation.
On Thursday 27 December 2007 04:33:15 pm Aaron Kulkis wrote:
Joe Sloan wrote:
James Knott wrote: ... And then the NIS map of the automount files can be used to allow ANY workstation to automount the home directory located on the user's "usual" workstation.
Aaron, what is with your clock? Is it adjusting to correspondent time?
-- Regards, Rajko
Rajko M. wrote:
On Thursday 27 December 2007 04:33:15 pm Aaron Kulkis wrote:
Joe Sloan wrote:
James Knott wrote:
...
And then the NIS map of the automount files can be used to allow ANY workstation to automount the home directory located on the user's "usual" workstation.
Aaron,
what is with your clock?
Is it adjusting to correspondent time?
Maybe he's back dating his messages. ;-)
-- Use OpenOffice.org <http://www.openoffice.org>
On Saturday 12 January 2008 07:05:50 pm James Knott wrote:
Rajko M. wrote:
On Thursday 27 December 2007 04:33:15 pm Aaron Kulkis wrote:
Joe Sloan wrote:
James Knott wrote:
...
And then the NIS map of the automount files can be used to allow ANY workstation to automount the home directory located on the user's "usual" workstation.
Aaron,
what is with your clock?
Is it adjusting to correspondent time?
Maybe he's back dating his messages. ;-)
Sure ;-) It seems that his spool forgets sometimes to send them out.
-- Regards, Rajko
Rajko M. wrote:
On Thursday 27 December 2007 04:33:15 pm Aaron Kulkis wrote:
Joe Sloan wrote:
James Knott wrote: ... And then the NIS map of the automount files can be used to allow ANY workstation to automount the home directory located on the user's "usual" workstation.
Aaron,
what is with your clock?
Is it adjusting to correspondent time?
Yes, my clock is accurate, and that mail did go out within 24-hours of me writing it. I don't know why the delay. I just saw another message I wrote a full MONTH ago just show up today. Weird.
On Saturday 12 January 2008 10:09:12 pm Aaron Kulkis wrote:
Rajko M. wrote:
On Thursday 27 December 2007 04:33:15 pm Aaron Kulkis wrote:
Joe Sloan wrote:
James Knott wrote:
...
And then the NIS map of the automount files can be used to allow ANY workstation to automount the home directory located on the user's "usual" workstation.
Aaron,
what is with your clock?
Is it adjusting to correspondent time?
Yes, my clock is accurate, and that mail did go out within 24-hours of me writing it. I don't know why the delay. I just saw another message I wrote a full MONTH ago just show up today. Weird.
It is. I wrote an article on this, asking for explanation, but there was no answer. I should look at the headers better.
Received: from smtp-out.hotpop.com (smtp-out.hotpop.com [38.113.3.71]) by mx2.suse.de (Postfix) with ESMTP id 68376300C4 for <opensuse@opensuse.org>; Sat, 12 Jan 2008 22:36:43 +0100 (CET)
Received: from hotpop.com (kubrick.hotpop.com [38.113.3.105]) by smtp-out.hotpop.com (Postfix) with SMTP id B82375CF21E2 for <opensuse@opensuse.org>; Fri, 28 Dec 2007 07:01:17 +0000 (UTC)
Received: from [192.168.2.20] (adsl-76-226-85-2.dsl.sfldmi.sbcglobal.net [76.226.85.2]) by smtp-3.hotpop.com (Postfix) with ESMTP id 025915CF228D for <opensuse@opensuse.org>; Fri, 28 Dec 2007 07:00:48 +0000 (UTC)
Your mail was hanging on smtp-out.hotpop.com from Fri, 28 Dec 2007 07:01:17 +0000 (UTC) to Sat, 12 Jan 2008 22:36:43 +0100 (CET)
It seems that they use a server pool and some server was out for lunch for almost a month without telling them. ;-)
-- Regards, Rajko
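The header reading in the message above, as an added example that is not part of the original message: it parses the three Received headers quoted there and computes how long each relay held the mail before handing it on. The function names are this example's own.

```python
import re
from email.utils import parsedate_to_datetime

# The three Received headers quoted in the message above, newest first,
# which is the order they appear in a delivered mail.
RECEIVED = [
    "from smtp-out.hotpop.com (smtp-out.hotpop.com [38.113.3.71]) "
    "by mx2.suse.de (Postfix) with ESMTP id 68376300C4 "
    "for <opensuse@opensuse.org>; Sat, 12 Jan 2008 22:36:43 +0100 (CET)",
    "from hotpop.com (kubrick.hotpop.com [38.113.3.105]) "
    "by smtp-out.hotpop.com (Postfix) with SMTP id B82375CF21E2 "
    "for <opensuse@opensuse.org>; Fri, 28 Dec 2007 07:01:17 +0000 (UTC)",
    "from [192.168.2.20] (adsl-76-226-85-2.dsl.sfldmi.sbcglobal.net [76.226.85.2]) "
    "by smtp-3.hotpop.com (Postfix) with ESMTP id 025915CF228D "
    "for <opensuse@opensuse.org>; Fri, 28 Dec 2007 07:00:48 +0000 (UTC)",
]


def parse_received(header):
    """Return (receiving_host, timezone-aware datetime) for one header."""
    if ";" not in header:
        raise ValueError("Received header has no timestamp part")
    # The timestamp is everything after the last ';'.
    stamp = header.rsplit(";", 1)[1]
    # Drop trailing comments such as "(CET)" before parsing the date.
    stamp = re.sub(r"\([^)]*\)", "", stamp).strip()
    match = re.search(r"\bby\s+(\S+)", header)
    host = match.group(1) if match else "unknown"
    return host, parsedate_to_datetime(stamp)


def hop_delays(headers):
    """Return [(holding_host, next_host, seconds)] in delivery order.

    Each timestamp is written by the receiving server's own clock, so
    small or negative values usually mean clock skew, not real delay.
    Headers added before the first server you trust can be forged.
    """
    hops = [parse_received(h) for h in reversed(headers)]  # oldest first
    return [
        (a_host, b_host, (b_time - a_time).total_seconds())
        for (a_host, a_time), (b_host, b_time) in zip(hops, hops[1:])
    ]


def slowest_hop(headers):
    """Return the (holding_host, next_host, seconds) with the longest delay."""
    return max(hop_delays(headers), key=lambda hop: hop[2])


if __name__ == "__main__":
    for holder, nxt, secs in hop_delays(RECEIVED):
        print(f"{holder} -> {nxt}: {secs / 86400:.2f} days ({secs:.0f} s)")
```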
James Knott wrote:
Aaron Kulkis wrote:
primm wrote:
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID.
I setup the nfs server with yast. I setup the nfs clients with Yast. Yast tells me nothing about id. It doesn't say, 'are you sure you want to continue because this is a big security risk'.
I come back to my original worry: I'm the only one with root access on any box on my network. Yast set it up for me. What are my problems? I'm sorry to have to ask for confirmation.
Just make sure that each user on your network has a UNIQUE user ID number ... if Joe has user ID 1002 on one machine, and Jane has user ID 1002 on another machine, then you will have problems.
You want Joe to have the same user ID (say 1002) on every machine, and Jane to have her own user ID (say 1003) on every machine.
The easiest way to do this is with NIS.
With the Windows Domain Login, one option is to create a home directory. Is this possible with NIS?
Yes. It's been a standard part of NIS since the late 1980's. The home directories are either automounted, or you just keep mount /home to all of the clients via NFS.
Automounting individual home directories is slightly more secure, but also a pain in the neck if one person has to visit other user's directories on a regular basis... then they have to wait for automount to negotiate the mount every time they go to a new user's home directory.
For a small business, NFS-mounting all of /home is feasible. For a large organization, like General Motors Engineering Division, it's not practical, and each user's home directory must be individually auto-mounted.
[This has nothing to do with user ID's, and everything to do with disk-space management -- in the GM scenario, users' home directories are spread over a few dozen servers.
If not what does one use for a home directory, when logged onto a computer without a home directory for that user?
Aaron Kulkis wrote:
James Knott wrote:
Aaron Kulkis wrote:
primm wrote:
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID.
I setup the nfs server with yast. I setup the nfs clients with Yast. Yast tells me nothing about id. It doesn't say, 'are you sure you want to continue because this is a big security risk'.
I come back to my original worry: I'm the only one with root access on any box on my network. Yast set it up for me. What are my problems? I'm sorry to have to ask for confirmation.
Just make sure that each user on your network has a UNIQUE user ID number ... if Joe has user ID 1002 on one machine, and Jane has user ID 1002 on another machine, then you will have problems.
You want Joe to have the same user ID (say 1002) on every machine, and Jane to have her own user ID (say 1003) on every machine.
The easiest way to do this is with NIS.
With the Windows Domain Login, one option is to create a home directory. Is this possible with NIS?
Yes. It's been a standard part of NIS since the late 1980's. The home directories are either automounted, or you just keep mount /home to all of the clients via NFS.
Automounting individual home directories is slightly more secure, but also a pain in the neck if one person has to visit other user's directories on a regular basis... then they have to wait for automount to negotiate the mount every time they go to a new user's home directory.
For a small business, NFS-mounting all of /home is feasible. For a large organization, like General Motors Engineering Division, it's not practical, and each user's home directory must be individually auto-mounted.
[This has nothing to do with user ID's, and everything to do with disk-space management -- in the GM scenario, users' home directories are spread over a few dozen servers.
If not what does one use for a home directory, when logged onto a computer without a home directory for that user?
I'm well aware of mounting a common /home via NFS, but was curious about what would happen with NIS, if someone logged in, without a /home directory.
-- Use OpenOffice.org <http://www.openoffice.org>
James Knott wrote:
Aaron Kulkis wrote:
James Knott wrote:
Aaron Kulkis wrote:
primm wrote:
What NFS allows is the user id number, not name. This means that if user A is 1000 on one system, another user 1000 on another system will have access to A's files. The key is to make sure user IDs are consistent across all systems. Someone with root access could of course create a new user with whatever ID they want or use an existing ID.
I setup the nfs server with yast. I setup the nfs clients with Yast. Yast tells me nothing about id. It doesn't say, 'are you sure you want to continue because this is a big security risk'.
I come back to my original worry: I'm the only one with root access on any box on my network. Yast set it up for me. What are my problems? I'm sorry to have to ask for confirmation.
Just make sure that each user on your network has a UNIQUE user ID number ... if Joe has user ID 1002 on one machine, and Jane has user ID 1002 on another machine, then you will have problems.
You want Joe to have the same user ID (say 1002) on every machine, and Jane to have her own user ID (say 1003) on every machine.
The easiest way to do this is with NIS.
With the Windows Domain Login, one option is to create a home directory. Is this possible with NIS?
Yes. It's been a standard part of NIS since the late 1980's. The home directories are either automounted, or you just keep mount /home to all of the clients via NFS.
Automounting individual home directories is slightly more secure, but also a pain in the neck if one person has to visit other user's directories on a regular basis... then they have to wait for automount to negotiate the mount every time they go to a new user's home directory.
For a small business, NFS-mounting all of /home is feasible. For a large organization, like General Motors Engineering Division, it's not practical, and each user's home directory must be individually auto-mounted.
[This has nothing to do with user ID's, and everything to do with disk-space management -- in the GM scenario, users' home directories are spread over a few dozen servers.
If not what does one use for a home directory, when logged onto a computer without a home directory for that user?
I'm well aware of mounting a common /home via NFS, but was curious about what would happen with NIS, if someone logged in, without a /home directory.
Same thing that happens without NIS -- if there's no valid home directory for the login process to cd into, then the user's shell gets dumped into /.
I'm well aware of mounting a common /home via NFS, but was curious about what would happen with NIS, if someone logged in, without a /home directory.
It gives a sensible error and doesn't let them go any further.
L x
On Friday 28 December 2007 14:45:16 James Knott wrote:
I'm well aware of mounting a common /home via NFS, but was curious about what would happen with NIS, if someone logged in, without a /home directory.
Depends on your pam settings. By default the user will be logged in and put in /, but you can use modules like pam_succeed_if, or pam_homecheck, to make the login fail if the home directory doesn't exist. Those aren't enabled by default though
And as mentioned, pam_mkhomedir can be used to create one dynamically
Anders
-- Madness takes its toll
James Knott wrote:
I'm well aware of mounting a common /home via NFS, but was curious about what would happen with NIS, if someone logged in, without a /home directory.
That depends on the OS and security settings, but by default on the linux distros I've used, they get "/" as a home directory, and no rights to modify it. A very unsatisfying shell session IOW.
Joe
Joe Sloan wrote:
James Knott wrote:
I'm well aware of mounting a common /home via NFS, but was curious about what would happen with NIS, if someone logged in, without a /home directory.
That depends on the OS and security settings, but by default on the linux distros I've used, they get "/" as a home directory, and no rights to modify it. A very unsatisfying shell session IOW.
When I was a student in the 1980's, the Purdue Engineering Computer Network (http:ecn.purdue.edu) had a homegrown command called "ns" on the 4.3BSD machines.
Usage: ns host command [args...]
So, from ed machine, I could do work on ec like this:
ed$ ns ec csh -i
This would give me an interactive /bin/csh on ec. The first thing to do would be to cd to /tmp, so that the process would have a place to read/write files.
I took advantage of this (plus the fact that on the PDP-11 machines, the ns connection would lose my user ID) to carry out an e-mail practical joke. (I won't go into it here).
primm wrote:
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs? Love from L
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost from an engineer who also sold me the licences for my workstations. That was w2000.
Wow....that's pathetically sad.
It was plagued by viruses and most of my hardware wasn't recognised so I had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk. But for gads sake, it's been up for 6 months with my staff reading e-mails and chatting to and from their latest boyfriends all through the lunch break. I use SuSEfirewall2. Setup by Yast.
Yes, NFS is a security risk -- but as you have also discovered, it's a very small one....substantially lower risk than any Windows machine just being ON the internet.
What a mess. I can't afford to go back to commercial products at the moment. Other people have told me that I have no alternatives. . . What the ???? is nfsv4 + kerberos? Yes, I know I can google it. I just have. But tomorrow morning I'll be back at work and I've a date this evening.
If I were you, I wouldn't lose any sleep over it. NFS has been in use for a good 20 years now, and I know of no ACTUAL exploitations of the flaws in NFS. It doesn't mean that they aren't there...it just means that nobody has successfully taken advantage of them. The fact that major corporations like GM and Ford continue to use NFS to this very day, without demanding a more secure product from Unix vendors (Sun, HP, etc) tells me that the risk is controllable to a level which is acceptable. Firewalls play a big part in that equation, and you say you use them, so you should be OK.
It's at times like these I wish I'd stayed with my Microsoft rep.
Do I change my network back to Windows 2000? I'm not a hobbyist. Can anyone advise me in plain English o Español? Please, if you do not run a network then please do not write.
You're fine. Stick with what you have. It's very easy for some spammer on the other side of the planet to hijack your Windows machines -- all he has to do is set up a website designed to be an attractive nuisance -- like post a video that everyone wants to watch...and on the same page, load up a script into your Windows machine that imports a virus or whatever remote-control mechanism they want to use.
Love from Primm xx
On Sunday 23 December 2007 18:17:54 Aaron Kulkis wrote:
primm wrote:
> NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs? Love from L
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost from an engineer who also sold me the licences for my workstations. That was w2000.
Wow....that's pathetically sad.
It was plagued by viruses and most of my hardware wasn't recognised so I had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is also a security risk. But for gads sake, it's been up for 6 months with my staff reading e-mails and chatting to and from their latest boyfriends all through the lunch break. I use SuSEfirewall2. Setup by Yast.
Yes, NFS is a security risk -- but as you have also discovered, it's a very small one....substantially lower risk than any Windows machine just being ON the internet.
What a mess. I can't afford to go back to commercial products at the moment. Other people have told me that I have no alternatives. . . What the ???? is nfsv4 + kerberos? Yes, I know I can google it. I just have. But tomorrow morning I'll be back at work and I've a date this evening.
If I were you, I wouldn't lose any sleep over it. NFS has been in use for a good 20 years now, and I know of no ACTUAL exploitations of the flaws in NFS.
It doesn't mean that they aren't there...it just means that nobody has successfully taken advantage of them.
The fact that major corporations like GM and Ford continue to use NFS to this very day, without demanding a more secure product from Unix vendors (Sun, HP, etc) tells me that the risk is controllable to a level which is acceptable.
Firewalls play a big part in that equation, and you say you use them, so you should be OK.
It's at times like these I wish I'd stayed with my Microsoft rep.
Do I change my network back to Windows 2000? I'm not a hobbyist. Can anyone advise me in plain English o Español? Please, if you do not run a network then please do not write.
You're fine. Stick with what you have.
It's very easy for some spammer on the other side of the planet to hijack your Windows machines -- all he has to do is set up a website designed to be an attractive nuisance -- like post a video that everyone wants to watch...and on the same page, load up a script into your Windows machine that imports a virus or whatever remote-control mechanism they want to use.
Love from Primm xx
Oh thank gad. Sense at last. Thank ?*%k for that.
On Sun, 2007-12-23 at 12:58 +0100, Anders Johansson wrote:
On Sunday 23 December 2007 08:10:47 primm wrote:
On Friday 21 December 2007 20:28:04 Randall R Schulz wrote:
On Friday 21 December 2007 11:10, primm wrote:
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Just curious, but what are my alternatives for nfs? Love from L
nfs is good, it mostly just works. But v3 has drawbacks in security, so if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though, so you still don't have to abandon nfs
just my $0.02,
If you are not in control of your network, use openswan or strongswan for vpn, and put nfs-v3 over it. We have been using it in a test for connecting several locations. Works ok. I've encountered only one nightmare situation: nfs over a tunnel over a satellite connection... probably due to the latency.
One might even consider sshfs (available for SLEx and opensuse on http://ftp5.gwdg.de/pub/opensuse/repositories/filesystems/)
hw
On Sunday 23 December 2007 22:43:24 Hans Witvliet wrote:
If you are not in control of your network, use openswan or strongswan for vpn, and put nfs-v3 over it. We have been using it in a test for connecting several locations. Works ok.
huh? You're connecting each client to the server using vpn on the *local LAN*?
That doesn't sound like a very good configuration
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Anders
-- Madness takes its toll
Anders Johansson wrote:
On Sunday 23 December 2007 22:43:24 Hans Witvliet wrote:
If you are not in control of your network, use openswan or strongswan for vpn, and put nfs-v3 over it. We have been using it in a test for connecting several locations. Works ok.
huh? You're connecting each client to the server using vpn on the *local LAN*?
That doesn't sound like a very good configuration
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Anders
Unless you want to guard against packet sniffing.
-- Use OpenOffice.org <http://www.openoffice.org>
On Sunday 23 December 2007 23:22:58 James Knott wrote:
Anders Johansson wrote:
On Sunday 23 December 2007 22:43:24 Hans Witvliet wrote:
If you are not in control of your network, use openswan or strongswan for vpn, and put nfs-v3 over it. We have been using it in a test for connecting several locations. Works ok.
huh? You're connecting each client to the server using vpn on the *local LAN*?
That doesn't sound like a very good configuration
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Anders
Unless you want to guard against packet sniffing.
Why would one encryption be better than another in that case? Anders
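Added example (not part of the thread and not any poster's code): whether a sniffer on the LAN can read NFS traffic depends on the security flavor the export allows, since `sec=krb5` only authenticates, `sec=krb5i` adds integrity protection and only `sec=krb5p` encrypts the payload. The sketch audits exports(5)-style lines for that; the sample file is constructed (its first entry uses the server options quoted in the original post) and the `sec=` syntax of current nfs-utils is assumed.

```python
import re

# Constructed sample in exports(5) syntax. The /home entry uses the server
# options quoted in the original post; the other two entries are invented.
SAMPLE_EXPORTS = """\
# constructed sample, not taken from a real server
/home      *(root_squash,sync,insecure,rw)
/srv/proj  192.168.2.0/24(rw,sync,sec=krb5:krb5i:krb5p)
/srv/priv  *.example.org(rw,sync,sec=krb5p)
"""

# Security flavors ordered from weakest to strongest wire protection.
RANK = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}
MEANING = {
    "sys": "no Kerberos: client-asserted UID, cleartext data",
    "krb5": "Kerberos authentication only, cleartext data",
    "krb5i": "authenticated and integrity-checked, data still readable",
    "krb5p": "authenticated and encrypted on the wire",
}
ENTRY = re.compile(r"^(?P<client>[^()]*)\((?P<opts>[^()]*)\)$")


def parse_exports(text):
    """Yield (path, client, [options]) for every client entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        path, entries = fields[0], fields[1:]
        for entry in entries:
            m = ENTRY.match(entry)
            if m:
                client = m.group("client") or "*"   # "(opts)" alone = any host
                opts = [o for o in m.group("opts").split(",") if o]
            else:
                client, opts = entry, []            # bare host, default options
            yield path, client, opts


def weakest_flavor(options):
    """Weakest flavor a client may negotiate; exports default to sys."""
    flavors = ["sys"]
    for opt in options:
        if opt.startswith("sec="):
            flavors = opt[len("sec="):].split(":")
    # An unrecognised flavor is ranked with the weakest one on purpose.
    return min(flavors, key=lambda f: RANK.get(f, 0))


def audit(text):
    """Return one finding per export entry."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavor = weakest_flavor(opts)
        findings.append({
            "path": path,
            "client": client,
            "weakest": flavor,
            # Anything below krb5p leaves file contents readable on the wire.
            "sniffable": flavor != "krb5p",
            # "insecure" accepts requests from non-reserved source ports.
            "unprivileged_ports": "insecure" in opts,
            "meaning": MEANING.get(flavor, "unrecognised flavor, treat as unprotected"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORTS):
        flag = "READABLE " if f["sniffable"] else "encrypted"
        print(f'{flag} {f["path"]:<10} {f["client"]:<16} {f["weakest"]:<6} {f["meaning"]}')
```

The weakest allowed flavor is what matters, because the client chooses among the flavors the server lists.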
On Sun, 2007-12-23 at 23:10 +0100, Anders Johansson wrote:
On Sunday 23 December 2007 22:43:24 Hans Witvliet wrote:
If you are not in control of your network, use openswan or strongswan for vpn, and put nfs-v3 over it. We have been using it in a test for connecting several locations. Works ok.
huh? You're connecting each client to the server using vpn on the *local LAN*?
That doesn't sound like a very good configuration
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Well, at my work they're rather paranoid. For some, we have to tunnel internet through the corporate network, For others, we tunnel our corporate network with voip over public networks. Indeed, sounds odd, it is odd, but true. NFS4 is still on my "to investigate" list hw
Hans Witvliet wrote:
On Sun, 2007-12-23 at 23:10 +0100, Anders Johansson wrote:
On Sunday 23 December 2007 22:43:24 Hans Witvliet wrote:
If you are not in control of your network, use openswan or strongswan for vpn, and put nfs-v3 over it. We have been using it in a test for connecting several locations. Works ok.
huh? You're connecting each client to the server using vpn on the *local LAN*?
That doesn't sound like a very good configuration
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Well, at my work they're rather paranoid. For some, we have to tunnel internet through the corporate network, For others, we tunnel our corporate network with voip over public networks.
Indeed, sounds odd, it is odd, but true.
That's standard practice in up-to-date IT departments.
NFS4 is still on my "to investigate" list
It's not a big deal.
On Monday 24 December 2007 02:40:58 Aaron Kulkis wrote:
Hans Witvliet wrote:
On Sun, 2007-12-23 at 23:10 +0100, Anders Johansson wrote:
On Sunday 23 December 2007 22:43:24 Hans Witvliet wrote:
If you are not in control of your network, use openswan or strongswan for vpn, and put nfs-v3 over it. We have been using it in a test for connecting several locations. Works ok.
huh? You're connecting each client to the server using vpn on the *local LAN*?
That doesn't sound like a very good configuration
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Well, at my work they're rather paranoid. For some, we have to tunnel internet through the corporate network, For others, we tunnel our corporate network with voip over public networks.
Indeed, sounds odd, it is odd, but true.
That's standard practice in up-to-date IT departments.
VPN from the client to the server when both are inside the corporate network? No, that is very much not standard practice. VPN is normally used to reach the corporate network from outside - I have never seen, or even heard about, a setup where it's used inside Anders
Anders Johansson wrote:
On Monday 24 December 2007 02:40:58 Aaron Kulkis wrote:
Hans Witvliet wrote:
On Sun, 2007-12-23 at 23:10 +0100, Anders Johansson wrote:
On Sunday 23 December 2007 22:43:24 Hans Witvliet wrote:
If you are not in control of your network, use openswan or strongswan for vpn, and put nfs-v3 over it. We have been using it in a test for connecting several locations. Works ok.
huh? You're connecting each client to the server using vpn on the *local LAN*?
That doesn't sound like a very good configuration
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Well, at my work they're rather paranoid. For some, we have to tunnel internet through the corporate network, For others, we tunnel our corporate network with voip over public networks.
Indeed, sounds odd, it is odd, but true.
That's standard practice in up-to-date IT departments.
VPN from the client to the server when both are inside the corporate network? No, that is very much not standard practice. VPN is normally used to reach the corporate network from outside - I have never seen, or even heard about, a setup where it's used inside
Some militaries use VPNs within their networks. Each time you cross into a VPN boundary, you're going to a higher or lower level of classification
Example:
| <============== VPN 1 UNCLASSIFIED ===============>|
|                                                    |
|      | <======= VPN 2 SECRET =========>|           |
|      |                                 |           |
|      |    |<= VPN 3-TOP SECRET =>|     |           |
Anders
Anders Johansson wrote:
On Monday 24 December 2007 02:40:58 Aaron Kulkis wrote:
Hans Witvliet wrote:
On Sun, 2007-12-23 at 23:10 +0100, Anders Johansson wrote:
Indeed, sounds odd, it is odd, but true. That's standard practice in up-to-date IT departments.
VPN from the client to the server when both are inside the corporate network? No, that is very much not standard practice. VPN is normally used to reach the corporate network from outside - I have never seen, or even heard about, a setup where it's used inside
Anders
I have...
i) Where there is a requirement for address space that is independent of the underlying network topology. e.g. a department which physically and logically exists in multiple network locations in the organisation but does not wish to share address space with other departments in those locations...
ii) Where there is a requirement that certain mobile devices should have a static address to access resources, from different parts of the organisation's address space (e.g. financial auditor laptops, I.T. admin laptops, etc, etc)..
What I understand is that VPN gives an address space that is independent of the underlying network address structure, this can be useful in very complex network infrastructures. The security aspect is also potentially very useful in contexts where parts of the infrastructure should not be or are not trusted (e.g. Academic Institution networks, and possibly military or security networks).
On Sunday 23 December 2007 17:40:58 Aaron Kulkis wrote: [msg snipped]
I'm curious why there's almost a four-day delay between the writing of the response and its receipt by the first MTA. Are you not connected 24/7, or do you only periodically send queued messages?
From the message headers:
<...>
Received: from [192.168.2.20] (adsl-76-226-85-2.dsl.sfldmi.sbcglobal.net [76.226.85.2])
    by smtp-3.hotpop.com (Postfix) with ESMTP id 947275CCF79B
    for <opensuse@opensuse.org>; Thu, 27 Dec 2007 20:21:17 +0000 (UTC)
Message-ID: <476F0E2A.4070102@hotpop.com>
Date: Sun, 23 Dec 2007 20:40:58 -0500
From: Aaron Kulkis <akulkis00@hotpop.com>
<...>
Jim Cunning
Jim Cunning wrote:
On Sunday 23 December 2007 17:40:58 Aaron Kulkis wrote: [msg snipped]
I'm curious why there's almost a four-day delay between the writing of the response and its receipt by the first MTA. Are you not connected 24/7, or do you only periodically send queued messages?
From the messages headers: <...> Received: from [192.168.2.20] (adsl-76-226-85-2.dsl.sfldmi.sbcglobal.net [76.226.85.2]) by smtp-3.hotpop.com (Postfix) with ESMTP id 947275CCF79B for <opensuse@opensuse.org>; Thu, 27 Dec 2007 20:21:17 +0000 (UTC) Message-ID: <476F0E2A.4070102@hotpop.com> Date: Sun, 23 Dec 2007 20:40:58 -0500 From: Aaron Kulkis <akulkis00@hotpop.com> <...>
hotpop.com has been flaky lately. sometimes it's taking 2-3 days to get messages off of my machine to smtp.hotpop.com. :-/ Unfortunately, there's not much I can do about it, other than switch to a pay service for POP access -- which I will probably do within the next year..but for now, I'm kinda stuck with these glitches.
The Thursday 2007-12-27 at 18:46 -0500, Aaron Kulkis wrote: ...
hotpop.com has been flaky lately.
sometimes it's taking 2-3 days to get messages off of my machine to smtp.hotpop.com. :-/
Unfortunately, there's not much I can do about it, other than switch to a pay service for POP access -- which I will probably do within the next year..but for now, I'm kinda stuck with these glitches.
You could use a gmail account. -- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Thursday 2007-12-27 at 18:46 -0500, Aaron Kulkis wrote:
...
hotpop.com has been flaky lately.
sometimes it's taking 2-3 days to get messages off of my machine to smtp.hotpop.com. :-/
Unfortunately, there's not much I can do about it, other than switch to a pay service for POP access -- which I will probably do within the next year..but for now, I'm kinda stuck with these glitches.
You could use a gmail account.
I hate web-mail....waiting...waiting...waiting for a stupid web-page to be built, transmitted and rendered just to read a text message is too annoying. I have a yahoo account as "backup" -- if I REALLY need to send something out, IMMEDIATELY, and hotpop's smtp is being flaky...then I use that. But a list like this isn't worth the trouble of interacting with it on yahoo or gmail or any other webmail service.
-- Cheers, Carlos E. R.
* Aaron Kulkis <akulkis00@hotpop.com> [12-28-07 09:33]:
I hate web-mail....waiting...waiting...waiting for a stupid web-page to be built, transmitted and rendered just to read a text message is too annoying.
cool your knickers and get more information before condemning. GMail provides web, pop and imap and smtp services. -- Patrick Shanahan
Patrick Shanahan wrote:
* Aaron Kulkis <akulkis00@hotpop.com> [12-28-07 09:33]:
I hate web-mail....waiting...waiting...waiting for a stupid web-page to be built, transmitted and rendered just to read a text message is too annoying.
cool your knickers and get more information before condemning. GMail provides web, pop and imap and smtp services.
Really. When did they add that?
Aaron Kulkis wrote:
Patrick Shanahan wrote:
* Aaron Kulkis <akulkis00@hotpop.com> [12-28-07 09:33]:
I hate web-mail....waiting...waiting...waiting for a stupid web-page to be built, transmitted and rendered just to read a text message is too annoying.
cool your knickers and get more information before condemning. GMail provides web, pop and imap and smtp services.
Really.
When did they add that?
They've had it as long as I've had access and that's a couple of years or so. I use imap.
* Aaron Kulkis <akulkis00@hotpop.com> [12-28-07 15:22]:
Patrick Shanahan wrote:
cool your knickers and get more information before condemning. GMail provides web, pop and imap and smtp services.
Really.
When did they add that?
pop and smtp over a year ago, maybe two (or more?). imap has been recent, a relative term which at my age could be quite long. -- Patrick Shanahan
On Friday 28 December 2007 11:03, Aaron Kulkis wrote:
...
cool your knickers and get more information before condemning. GMail provides web, pop and imap and smtp services.
Really?
Really.
When did they add that?
1982? RRS
Randall R Schulz wrote:
On Friday 28 December 2007 11:03, Aaron Kulkis wrote:
...
cool your knickers and get more information before condemning. GMail provides web, pop and imap and smtp services.
Really?
Really.
When did they add that?
1982?
I know Google's a pretty advanced company, but when did they get into time travel? :-P
On Friday 28 December 2007 12:49, Aaron Kulkis wrote:
Randall R Schulz wrote:
On Friday 28 December 2007 11:03, Aaron Kulkis wrote:
...
cool your knickers and get more information before condemning. GMail provides web, pop and imap and smtp services.
When did they add that?
1982?
I know Google's a pretty advanced company, but when did they get into time travel? :-P
So, I guess you haven't seen the whiteboard?? Word is they have their own wormhole. How else could they suck in all the Internet each hour? RRS
* Randall R Schulz <rschulz@sonic.net> [12-28-07 15:33]:
On Friday 28 December 2007 11:03, Aaron Kulkis wrote:
When did they add that?
1982?
*Almost* Orwellian, -2 :^) -- Patrick Shanahan
Randall R Schulz wrote:
On Friday 28 December 2007 11:03, Aaron Kulkis wrote:
...
cool your knickers and get more information before condemning. GMail provides web, pop and imap and smtp services.
Really?
Really.
When did they add that?
1982?
RRS
Hmmm... I didn't realize GMail had been around for 25 years. ;-)
The Friday 2007-12-28 at 09:21 -0500, Aaron Kulkis wrote:
You could use a gmail account.
I hate web-mail....waiting...waiting...waiting for a stupid web-page to be built, transmitted and rendered just to read a text message is too annoying.
Who said anything about webmail? It has pop, smtp, and recently I heard also imap. And free as in beer. Where have you been you don't know this? :-p It is true that you have to log in the web now and then to check the spam folder for false positives, but that's all. -- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Friday 2007-12-28 at 09:21 -0500, Aaron Kulkis wrote:
You could use a gmail account.
I hate web-mail....waiting...waiting...waiting for a stupid web-page to be built, transmitted and rendered just to read a text message is too annoying.
Who said anything about webmail? It has pop, smtp, and recently I heard also imap. And free as in beer.
Where have you been you don't know this? :-p
Last time I checked, it was still web-mail only.
It is true that you have to log in the web now and then to check the spam folder for false positives, but that's all.
The Friday 2007-12-28 at 14:04 -0500, Aaron Kulkis wrote:
Who said anything about webmail? It has pop, smtp, and recently I heard also imap. And free as in beer.
Where have you been you don't know this? :-p
Last time I checked, it was still web-mail only.
And that was... in 1980? :-P Common, it has always had pop3. You simply did not look at the right place. http://mail.google.com/support/?ctx=gmail&hl=en http://mail.google.com/support/bin/topic.py?topic=12805 -- Cheers, Carlos E. R.
I hate web-mail....waiting...waiting...waiting for a stupid web-page to be built, transmitted and rendered just to read a text message is too annoying.
I have a yahoo account as "backup"
Pop details for Yahoo.com: http://help.yahoo.com/help/ca/mail/pop/pop-03.html Just remember to log in once in a while to keep your account active. Cheers, David
* David <d_garbage@yahoo.com> [12-28-07 14:30]:
I hate web-mail....waiting...waiting...waiting for a stupid web-page to be built, transmitted and rendered just to read a text message is too annoying.
I have a yahoo account as "backup"
Pop details for Yahoo.com:
http://help.yahoo.com/help/ca/mail/pop/pop-03.html
Just remember to log in once in a while to keep your account active.
iianm, this is ONLY good if you have purchased the upgrade, for pay, account. BUT, there does exist perl scripts to pop access via html and perform nearly identically to the for-pay pop access. I know of two that work, fetchyahoo and YoSucker. Then there is gotmail for hotmail pop access. -- Patrick Shanahan
Aaron Kulkis wrote:
hotpop.com has been flaky lately.
sometimes it's taking 2-3 days to get messages off of my machine to smtp.hotpop.com. :-/
Unfortunately, there's not much I can do about it, other than switch to a pay service for POP access -- which I will probably do within the next year..but for now, I'm kinda stuck with these glitches.
What I find curious is when replies to a post appear before the post does. I've seen some that were hours or even days later than the messages that replied to them. That's happened on this list and others.
James Knott wrote:
Aaron Kulkis wrote:
hotpop.com has been flaky lately.
sometimes it's taking 2-3 days to get messages off of my machine to smtp.hotpop.com. :-/
Unfortunately, there's not much I can do about it, other than switch to a pay service for POP access -- which I will probably do within the next year..but for now, I'm kinda stuck with these glitches.
What I find curious is when replies to a post appear before the post does. I've seen some that were hours or even days later than the messages that replied to them. That's happened on this list and others.
Because hotpop's smtp host is flaky. For some reason, occasionally, it will stop accepting outgoing mail -- even though I can do this: telnet smtp.hotpop.com 25 and get a valid response (i.e. data sent to the smtp port is being sent). There seems to be some sort of problem with their user account validation, or something. They have a trouble-ticket system, but I've never seen any activity on it (other than my own follow up comments). I've even told them that if they would just be RESPONSIVE, I would be happy to upgrade to a pay account. Even that hasn't prompted even the slightest acknowledgement of a trouble-ticket other than the software's built-in auto-responder.
Aaron Kulkis wrote:
James Knott wrote:
Aaron Kulkis wrote:
hotpop.com has been flaky lately.
sometimes it's taking 2-3 days to get messages off of my machine to smtp.hotpop.com. :-/
Unfortunately, there's not much I can do about it, other than switch to a pay service for POP access -- which I will probably do within the next year..but for now, I'm kinda stuck with these glitches.
What I find curious is when replies to a post appear before the post does. I've seen some that were hours or even days later than the messages that replied to them. That's happened on this list and others.
Because hotpop's smtp host is flaky. For some reason, occasionally, it will stop accepting outgoing mail -- even though I can do this:
telnet smtp.hotpop.com 25
and get a valid response (i.e. data sent to the smtp port is being sent).
There seems to be some sort of problem with their user account validation, or something. They have a trouble-ticket system, but I've never seen any activity on it (other than my own follow up comments). I've even told them that if they would just be RESPONSIVE, I would be happy to upgrade to a pay account. Even that hasn't prompted even the slightest acknowledgement of a trouble-ticket other than the software's built-in auto-responder.
I wasn't referring to your messages. It can happen to anyone. For example, yesterday I noticed replies on another mail list, but the original that those messages replied to, didn't appear until hours later.
The Friday 2007-12-28 at 10:10 -0500, James Knott wrote:
I wasn't referring to your messages. It can happen to anyone. For example, yesterday I noticed replies on another mail list, but the original that those messages replied to, didn't appear until hours later.
There are two possible causes for that I can think: Your own receiving account is bad, or the replier got a direct mail off-list (cc). -- Cheers, Carlos E. R.
James Knott wrote:
I wasn't referring to your messages. It can happen to anyone. For example, yesterday I noticed replies on another mail list, but the original that those messages replied to, didn't appear until hours later.
It depends on a lot of factors: the routing involved, whose server is down for maintenance or backups, etc.
Jerry Houston wrote:
James Knott wrote:
I wasn't referring to your messages. It can happen to anyone. For example, yesterday I noticed replies on another mail list, but the original that those messages replied to, didn't appear until hours later.
It depends on a lot of factors: the routing involved, whose server is down for maintenance or backups, etc.
I suppose, though my own mail was coming in regularly and I did see the replies which came from the same server as the OP. The headers showed all the messages were received by my ISP shortly before I received them. I suppose I'm correct in assuming the original was actually sent before the replies. ;-)
On Friday 28 December 2007 05:47, James Knott wrote:
...
What I find curious is when replies to a post appear before the post does. I've seen some that were hours or even days later than the messages that replied to them. That's happened on this list and others.
Keep in mind that SMTP mail delivery is a store-and-forward process. Look at the headers of a message and see how many Received: headers there are. Each of them represents a hop (server) through which the message passed and on which it was stored and queued for outgoing delivery to the next server in the chain. If anything interferes with delivery from one particular host to the next, it keeps the messages in its queue until it can successfully deliver it or until some timeout (often measured in days) expires and the server bounces the message back to its originator. Randall Schulz
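Added example (not part of the thread and not any poster's code): the per-hop reading of Received: headers described above, applied to the Date and first Received header quoted earlier in the thread, to show where the almost four-day delay sits. The topmost Received header (mx.example.org) is constructed to give a second hop; the function names are this example's own.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Date and the lower Received header are the ones quoted in the thread.
# The upper Received header is constructed to illustrate a second hop.
SAMPLE_HEADERS = """\
Received: from smtp-3.hotpop.com (smtp-3.hotpop.com [192.0.2.25])
    by mx.example.org (Postfix) with ESMTP id CONSTRUCTED01
    for <opensuse@opensuse.org>; Thu, 27 Dec 2007 20:21:19 +0000 (UTC)
Received: from [192.168.2.20] (adsl-76-226-85-2.dsl.sfldmi.sbcglobal.net [76.226.85.2])
    by smtp-3.hotpop.com (Postfix) with ESMTP id 947275CCF79B
    for <opensuse@opensuse.org>; Thu, 27 Dec 2007 20:21:17 +0000 (UTC)
Date: Sun, 23 Dec 2007 20:40:58 -0500
Subject: constructed subject

constructed body
"""


def received_time(value):
    """Timestamp of one Received header: the date-time after the last ';'."""
    date_part = value.rsplit(";", 1)[1]
    date_part = re.sub(r"\([^)]*\)", "", date_part)   # drop "(UTC)" comments
    return parsedate_to_datetime(" ".join(date_part.split()))


def hop_delays(raw):
    """Return [(receiving_host, delay)] in the order the message travelled.

    Each server prepends its Received header, so the list is read bottom-up.
    The first delay is measured against the Date header, which is written by
    the sender's own machine and is only as good as that machine's clock.
    """
    msg = message_from_string(raw)
    previous = parsedate_to_datetime(msg["Date"])
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        if ";" not in value:          # malformed header without a timestamp
            continue
        when = received_time(value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append((by.group(1) if by else "?", when - previous))
        previous = when
    return hops


def slow_hops(raw, threshold=timedelta(hours=1)):
    """Hops where the message sat in a queue longer than the threshold."""
    return [(host, delay) for host, delay in hop_delays(raw) if delay > threshold]


if __name__ == "__main__":
    for host, delay in hop_delays(SAMPLE_HEADERS):
        print(f"{host:<22} +{delay}")
```

A negative delay between two hops points at clock skew between servers rather than at queueing.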
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Well, at my work they're rather paranoid. For some, we have to tunnel internet through the corporate network, For others, we tunnel our corporate network with voip over public networks.
Indeed, sounds odd, it is odd, but true.
NFS4 is still on my "to investigate" list
Good boy. But does he run a network? Can we include him? I don't think we can. He tells of his experience of networks but doesn't mention a network address, kerberos whatever that is firewall, ip client and ssh. . . So no. sorry. L xx
primm wrote:
nfs4 + kerberos gives authentication and encryption and requires very little in the way of configuration. No offense, but VPN on a local LAN is just silly
Well, at my work they're rather paranoid. For some, we have to tunnel internet through the corporate network, For others, we tunnel our corporate network with voip over public networks.
Indeed, sounds odd, it is odd, but true.
NFS4 is still on my "to investigate" list
Good boy. But does he run a network? Can we include him? I don't think we can. He tells of his experience of networks but doesn't mention a network address, kerberos whatever that is firewall, ip client and ssh. . . So no. sorry.
He's more than qualified to give you advice for the complexity level of your network. kerberos is an encrypted, time-variant authentication system. The reason for time-variance is so that when you send your encrypted password, someone can't capture it with a network sniffer program and use it later, because the encryption of the valid password keeps changing as time goes by.
L xx
primm wrote:
On Friday 21 December 2007 20:28:04 Randall R Schulz wrote:
On Friday 21 December 2007 11:10, primm wrote:
NFS is kind of ugly itself, don't you think?
Ugly? Naah! It's soooo neat. With nis and nfs anyone can login anywhere and get their own files and start work right after they've got a coffee. It just works. Just like NT server before someone downloaded a virus.
Well, I guess if someone else is configuring and maintaining it, sure, it's wonderful.
I setup an nfs server to export /home to 5 other clients. The same server handles nis logins. No exaggeration, it took me 1/2 hour most of which was reading man exports until I discovered that Yast had read it for me already! I'll bet that some gurus on this list could do it in 5.
Yeah, it's pretty easy to both set up and maintain.
Just curious, but what are my alternatives for nfs?
participants (23)
- Aaron Kulkis
- Anders Johansson
- Carlos E. R.
- Dave Howorth
- David
- G T Smith
- Hans Witvliet
- James Knott
- Jeff Graham
- Jerry Houston
- Jim Cunning
- Joe Sloan
- jpff
- Ken Schneider
- Linda Walsh
- M Harris
- Michel Rasquin
- Patrick Shanahan
- primm
- Rajko M.
- Randall R Schulz
- Robert Smits
- Thomas Hertweck