Antivirus in FC3?

Craig White craigwhite at azapple.com
Thu Mar 24 20:29:06 UTC 2005


On Thu, 2005-03-24 at 13:40 -0600, Les Mikesell wrote:
> On Thu, 2005-03-24 at 11:59, Craig White wrote:
> 
> > > Yes, you have it straight.  Red Hat, the most popular distribution, or
> > > so they would like to claim, does not provide a standard solution so
> > > everyone else is forced to make up their own, resulting in versions
> > > that aren't likely to interoperate.  It makes about as much sense
> > > as making every user hand code their own sendmail.cf following their
> > > own interpretation of the RFC's.
> > ----
> > give Red Hat some credit - they finally migrated off the terribly
> > ancient openldap 2.0.27 that was in RHEL 3 into the 2.2.13 (still out of
> > date) in RHEL 4 and FC-3
> 
> That's the odd part.  All the pieces are there, but they are still
> useless unless someone puts them together in a standard way.
----
OK - I'll byte - what is the standard way? I certainly don't see a
standard way defined by openldap.org
----
> 
>  
> > > Who, other than Red Hat is in a position to fix this?
> > ----
> > seems to me that LDAP is a much larger technology and has implications -
> > uses in a large variety of OS's and hardware. My experience tells me
> > that most of the larger users/consumers of LDAP are not on Linux but on
> > various Unix systems. 
> 
> If it came up running on RH/fedora the situation would reverse
> overnight.  The people who need weird schemas can hire their armies of
> developers to build them.  Most people need just what the clients
> included in their distribution know how to query plus perhaps a
> replacement for their ancient windows NT domain controller.  All
> easily canned stuff.
----
I've been doing exactly that - replacing WinNT 4 domain
controllers...damn if I see it as 'easily canned stuff' - I'm obviously
not as bright as you.
----
> 
> > > Good defaults are what makes things work.  I don't know how to
> > > write a device driver and I'm happy that I don't need to.  I wish it
> > > were the same for LDAP.
> > ----
> > your view and my view of 'good defaults' for LDAP are likely gonna
> > differ. I don't know of any 'good defaults' for LDAP
> > ----
> 
> Let's leave out the people who already have X.500 and focus on small
> networks who have more than one fedora/RH box and want to use NFS
> with auto-mounted home directories and perhaps one or more windows
> boxes that need access to those same home directories.  That probably
> describes most small businesses and a lot of homes these days.  The
> 'good default' for this is basically the idealx setup but already
> done instead of having to correctly follow pages of instructions.
----
of course the 'good default' of IDEALX doesn't do anything with
automounted home directories - in fact - I haven't spent the time, but
Red Hat's autofs.schema doesn't work at all with openldap-2.2.24

One of these days, I'm gonna play with it and find out why - haven't had
the time.
----
> 
> > I know that you don't believe this but the standard base for users and
> > groups is in /etc/passwd and /etc/group (and obviously by
> > implication /etc/shadow)
> 
> That was a good idea back in the days when a company could only
> afford one computer and did not use network file systems that
> depended on consistent uids.  Now I'd guess that most of the people
> on this list have more than one personal computer, reinstall the OS
> on some of them frequently, and would like to not have to deal with
> keeping parts of those files in sync when their OS update may need
> other parts to be different on certain machines.
> 
> > They've been including various utilities for NIS but no one complains
> > that they don't have turnkey solutions for NIS administration.
> 
> Does anyone use NIS after reading about its insecurity? That might
> explain the lack of complaints.
> 
> > There's little difference with LDAP - if you actually created a DSA,
> > created a container for 'users' put in the attributes necessary for
> > users to authenticate, it still wouldn't work. LDAP doesn't do things
> > necessary such as create user home directories, keep track of UID's and
> > GID's to keep adding them sequentially, make their home directories, set
> > their shell, etc. That's another layer of infrastructure. If you start
> > to consider all of the layers of infrastructure that you will need to
> > get going, you will find that much of the time, you aren't really
> > talking about LDAP, you are talking about the integration of other
> > technologies. 
> 
> You keep describing the precise reasons that we need a standard default
> solution even though you don't seem to make that conclusion.  There
> probably was a time when unix had no wrapper that combined the concepts
> of creating user authentication and matching facilities like home
> directories and mailboxes.  Somebody fixed that - it's time to do it
> again. 
----
open source - knock yourself out - or leave it to others to do it but it
hardly seems to be a valid complaint if you expect others to do that for
you.
----
> 
> > LDAP is entirely off the table for a distribution unless it chooses to
> > make it so - and the only way that they can do it is to detail a finite
> > list of services that are to be integrated and build it out. Recognize
> > though that should a distribution take this approach, all of the
> > services thus built out will have to have customized configurations too.
> 
> But there are clients already in the distribution - just no server to
> match.
----
some clients yes...but many clients no
----
> 
> > There may be a point where Red Hat does try to provide an integrated
> > setup - more specifically a turnkey setup of LDAP - but it isn't likely
> > to be functional beyond a certain point, interchangeable with other OS's
> > and other needs/implementations and thus, will be of value only to those
> > that want to point and click administrate.
> 
> If the most popular distribution ships a working server based on
> existing standards or RFC's then it would be up to everyone else to
> match up or have a good justification for their differences.  If you
> were really opposed to shipping something that sort-of works and
> fixing it up over subsequent releases you probably wouldn't be on this
> mailing list. 
----
I'm not opposed to anything that has a plan.

I know that the only 'simple' implementation is one that isn't that
simple when you start to flesh it out. I'm not entirely convinced of the
value of 'Linux Network Administration for Dummies' - Windows already
offers that. There are some who want Linux to be a drop-in replacement for
Microsoft offerings (and I think that this is somewhat where this thread
started). Good for them - they should code away. Not everyone feels that
way - perhaps a majority of Linux users don't feel that way.

And by the way...'the most popular distribution DOES ship a working
server based upon standards' - at least as they interpret them and that
includes kerberos, dns, dhcp, account management, authentication
services and ldap - it's called Windows Server.

Craig



