Networking Forums


gentoo as a pdc server

 
 
Hekaton Keires
      12-01-2004, 04:28 PM
hi all,
i'm thinking of replacing my actual pdc (microsoft windows server 2003) with
a gentoo+samba+kerberosd+ldapd+tpd+dhcpd+bind+postfix+spamassassin and it
should replace all the services actually provided by win server:
authentication, directory services, filesystem/printers sharing, smtp/pop3,
spam filtering, antivirus on mail service.

and i'm also thinking of adding roaming profiles support (the way i can
make backup of users' desktops, documents, and outlook express folders) and
vnc (i don't know if there's something like rdp server on linux), and last
but not least a web interface for managing all that services remotely by
web.

my actual pdc is something like:
p3 500MHz, 256MB, 20GB, G400, 100BaseTX

and it's gonna be replaced with a dell (don't remember model) with:
p4 1.8GHz, 2GB, 40GB, radeon9700, 100BaseTX

domain is made of ~30 clients (win), ~10 servers (linux, win), 2 routers
adsl, 1 modem isdn, 2 switches. i'm thinking to use gentoo also as a
gateway/bastion host to separate 'dmz' with 10 servers and 'inside' with
all other clients.

any suggestion is appreciated, no other hardware upgrade is gonna be
discussed here :P (maybe only a new eth card on the pdc so that it can be
comfortably used as a firewall...)
--
remove_this_ on mailing
 
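
The gateway/bastion layout this post describes (one box between the ADSL routers, a 'dmz' with the servers and an 'inside' with the clients) is the part most worth getting right, because once the PDC is also the firewall a mistake there exposes the directory, Kerberos and SMB to the DMZ. Below is an added example of such a ruleset, written by the editor and not taken from the thread: the interface names (eth0 WAN, eth1 inside, eth2 DMZ), the two RFC 1918 subnets and the published web server address are assumptions, and the port list follows the services the post names (SSH, DNS, DHCP, Kerberos, LDAP, SMB/CIFS, NTP, SMTP/POP3).

```shell
#!/bin/sh
# Three-legged bastion ruleset for the layout in the post above: eth0 towards
# the ADSL routers, eth1 towards the 'inside' clients, eth2 towards the 'dmz'.
# Editor-added example, not from the thread; interface names, subnets and the
# published web server address are assumptions.
WAN=eth0
LAN=eth1; LAN_NET=192.168.1.0/24
DMZ=eth2; DMZ_NET=192.168.2.0/24
WEB=192.168.2.10   # assumed address of the web server published from the DMZ

# Emit the complete ruleset in iptables-restore format so it is loaded
# atomically; loading rule by rule leaves a window with a half-built policy.
fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: internal source addresses never legitimately arrive on $WAN.
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A INPUT -i $WAN -s $DMZ_NET -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $DMZ_NET -j DROP
# PDC services offered to the inside network only: SSH, SMTP, DNS, Kerberos,
# POP3, SMB/CIFS, LDAP (tcp) and DNS, DHCP, Kerberos, NTP, NetBIOS (udp).
-A INPUT -i $LAN -p tcp -m multiport --dports 22,25,53,88,110,139,389,445 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p udp -m multiport --dports 53,67,88,123,137,138 -j ACCEPT
# DMZ hosts get name service and time from the bastion, nothing else.
-A INPUT -i $DMZ -p tcp --dport 53 -j ACCEPT
-A INPUT -i $DMZ -p udp -m multiport --dports 53,123 -j ACCEPT
# Mail from the Internet terminates on the bastion's own postfix.
-A INPUT -i $WAN -p tcp --dport 25 -m state --state NEW -j ACCEPT
# VNC (5900) is deliberately not opened anywhere: reach it with
# 'ssh -L 5901:127.0.0.1:5900 bastion' so the session rides inside SSH.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inside may initiate to the Internet and to the DMZ; the DMZ only to the Internet.
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -j ACCEPT
# The Internet may initiate only to the published web server (after DNAT).
# DMZ -> inside is never accepted here, so it falls to the FORWARD DROP policy.
-A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the DMZ web server; FORWARD above sees the translated destination.
-A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
# Hide both internal networks behind the bastion's public address.
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Guard to run before every reload: succeeds only if no rule lets traffic
# initiated in the DMZ through to the inside network.
fw_check_dmz_isolated() {
  ! fw_rules | grep -q -- "-i $DMZ -o $LAN .*-j ACCEPT"
}

# Load the ruleset for real (needs root and the iptables userland).
fw_apply() {
  fw_check_dmz_isolated || { echo "refusing to load: DMZ can reach inside" >&2; return 1; }
  sysctl -q -w net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=1
  fw_rules | iptables-restore
}
```

Both chains default to DROP and only ESTABLISHED/RELATED traffic crosses from the DMZ towards the clients, so a compromised demo server in the DMZ cannot open connections to the PDC's LDAP, Kerberos or SMB ports. `fw_check_dmz_isolated` is cheap to keep in front of `fw_apply` so that a later edit cannot quietly reopen that path.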
 
 
 
 
Alexander Clouter
      12-01-2004, 10:53 PM
On 2004-12-01, Hekaton Keires <(E-Mail Removed)> wrote:
> hi all,
> i'm thinking of replacing my actual pdc (microsoft windows server 2003) with
> a gentoo+samba+kerberosd+ldapd+tpd+dhcpd+bind+postfix+spamassassin and it
> should replace all the services actually provided by win server:
> [snipped]
> domain is made of ~30 clients (win), ~10 servers (linux, win), 2 routers
> adsl, 1 modem isdn, 2 switches. i'm thinking to use gentoo also as a
> gateway/bastion host to separate 'dmz' with 10 servers and 'inside' with
> all other clients.
>

Is Gentoo actually a Good Idea(tm)? Sure, I'm biased being a Debian guy, but
Gentoo really is for personal computers; if you are maintaining a box that is
to be used by multiple people, the last thing you need is for it to update *every*
package each time you upgrade.

Choose a distro that only applies security patches and not much else.

Regards

Alex
 
 
Hekaton Keires
      12-02-2004, 07:54 AM
in Alexander Clouter's honest opinion:

> Is Gentoo actually a Good Idea(tm)? Sure, I'm biased being a Debian guy,
> but Gentoo really is for personal computers; if you are maintaining a box
> that is to be used by multiple people, the last thing you need is for it to
> update *every* package each time you upgrade.
>
> Choose a distro that only applies security patches and not much else.
>
> Regards
>
> Alex


so you suggest i use debian? anyway, what do you think about the packages i've
chosen for the server? i mean:

SMB - samba 3
NIS - openldap 2.1
NTP - ntp 4.2
KERBEROS - mit-krb5 1.3
DNS - bind 9
DHCP - dhcp 3

do you consider them the right choice? probably i'm going to install some
added-value packages such as:

HTTP - apache 2
VNC - tightvnc 1.3

and another thing: well, i've chosen gentoo just because i started using it 6
months ago and i feel really comfortable with it; after all, i did not
mention emerging every new package available in portage all the time. but the
possibility of compiling every package from scratch during installation is
quite attractive.

i know debian is very stable, but the time between new releases for debian is
also very long - i'm not a debian user, so sorry for eventual mistakes. or
maybe some of you would suggest openbsd for a really stable server?

the last thing: do you suggest i use the SELinux kernel? i'd rather have a
performant/fast server than a totally secure/stable server
--
remove_this_ on mailing
 
 
Douglas O'Neal
      12-02-2004, 01:50 PM
Alexander Clouter wrote:
> On 2004-12-01, Hekaton Keires <(E-Mail Removed)> wrote:
>
>>hi all,
>>i'm thinking of replacing my actual pdc (microsoft windows server 2003) with
>>a gentoo+samba+kerberosd+ldapd+tpd+dhcpd+bind+postfix+spamassassin and it
>>should replace all the services actually provided by win server:
>>[snipped]
>>domain is made of ~30 clients (win), ~10 servers (linux, win), 2 routers
>>adsl, 1 modem isdn, 2 switches. i'm thinking to use gentoo also as a
>>gateway/bastion host to separate 'dmz' with 10 servers and 'inside' with
>>all other clients.
>>

>
> Is Gentoo actually a Good Idea(tm)? Sure, I'm biased being a Debian guy, but
> Gentoo really is for personal computers; if you are maintaining a box that is
> to be used by multiple people, the last thing you need is for it to update *every*
> package each time you upgrade.
>
> Choose a distro that only applies security patches and not much else.
>
> Regards
>
> Alex


Gentoo allows you to choose which packages you want to upgrade and also
to set specific version numbers for installed packages. You do not have
to update every package in gentoo any more than you do in Debian or
Redhat.

btw, I'm happily using gentoo on multiple servers at my site while most
of the desktop users have chosen Redhat or Fedora.

Doug
 
 
Alexander Clouter
      12-02-2004, 06:51 PM
On 2004-12-02, Douglas O'Neal <(E-Mail Removed)> wrote:
>
> Gentoo allows you to choose which packages you want to upgrade and also
> to set specific version numbers for installed packages. You do not have
> to update every package in gentoo any more than you do in Debian or
> Redhat.
>

So does *every* distro; what do you do about security updates? Upgrading to
a newer version of a package is not the solution; applying the tiny diff to
fix just that bug/issue is all that should *ever* be done on a production
system.

Regards

Alex
 
 
Alexander Clouter
      12-02-2004, 06:51 PM
On 2004-12-02, Hekaton Keires <(E-Mail Removed)> wrote:
>
> so you suggest me using debian? anyway what do you think about packages i've
> chosen for the server? i mean:
>
> SMB - samba 3
> NIS - openldap 2.1
> NTP - ntp 4.2
> KERBEROS - mit-krb5 1.3
> DNS - bind 9
> DHCP - dhcp 3
>

Well, the type of package is not always relevant on a per-distro basis. Whether
it's available or not (and occasionally the version number, however you should
always try to avoid committing yourself to a particular version number for
reasons of convenience) is a completely different matter.

All those are in Debian (have a look at the Debian website[1] for the
comprehensive list; make sure you keep to 'stable'). I have used all of them
personally except for openldap and mit-krb5; however, I know there are plenty
of people who do.

> do you consider them the right choice? probably i'm going to install some
> add value packages as:
>

Well, it's not really my place to say. It will replace your Windoze box quite
comfortably; however, from my understanding I hear openldap with samba is
'fun' to do, so expect a few nights burning the midnight oil.

> HTTP - apache 2
> VNC - tightvnc 1.3
>

Again, well, if you want a webserver, great; you will find there are plenty of
other webservers worth looking at. Again, it depends on what you are serving
up.

As for 'tightvnc', I'm unsure why you would want to do this when 'ssh' can do
everything you need. If you need remote graphics and such, then a locally
installed X server (cygwin for windows) and running things remotely that way
is much more efficient. However, it depends what you are doing with VNC; and
this is not a Debian-specific thing.

> and another thing: well i've choosen gentoo, just because i started use it 6
> months ago and i feel really comfortable with it, after all i did not
> mention emerging all the time any new package available in portage. but the
> possibility of compiling from scratch every package during installation is
> quite attractive.
>

Why? Most of the time the server probably will sit in IO-Wait (waiting for
the harddisk to supply the data it needs). Optimisation of the applications
is not really the magic bullet; you would be better off looking at
optimisation of your implementation and looking for scalability. Sure, the
optimising will help, but it's not going to get you out of a fix when your
environment grows tenfold.

> i know debian is very stable, but the time of new releases for debian are
> alswo very long - i'm not a debian user, so sorry for eventual mistakes. or
> maybe some of you would suggest openbsd for a really stable server?
>

Well, that's really what you want, surely. Once you configure a server, do you
want to forget about it, or have to tend to it every hour, or each time an
upgrade occurs, and fix everything the upgrade breaks? The packages that go
into the 'stable' tree do not change for a reason: they have been tested
for a long period of time. So if you are a 'proof in the pudding' kind of
guy then the fact that apache is a year and a half old will not concern you;
what you do care about is that it is secure and stable.

The requirements of a server are not what you want in a desktop. Sure, it
would be nice to have the 'latest is greatest' approach, but then you end up
compromising on the stability and security aspects.

> the last thing: do you suggest me to use SELinux kernel? i'd rather a
> performant/fast server than a totally secure/stable server
>

Well, you probably will find grsecurity[2] does more than help you. SELinux
is a good thing if you understand what it's doing. If you are asking the
question, it's probably not for you; grsecurity should introduce you to a
number of things in a pleasant way that does not mean a steep learning curve.

Have fun

Alex

[1] http://www.debian.org/distrib/packages
[2] http://www.grsecurity.net/
 
 
Hekaton Keires
      12-03-2004, 06:49 AM
in Alexander Clouter's honest opinion:

> So does *every* distro; what do you do about security updates? Upgrading
> to a newer version of a package is not the solution; applying the tiny
> diff to fix just that bug/issue is all that should *ever* be done on a
> production system.
>
> Regards
>
> Alex


isn't it possible to do the same with emerge? if one could only untar the
source to /var/tmp/portage (and keep them there permanently, ready to be
patched) and then apply diffs when needed...

... so that you can just rebuild the needed files and emerge them into the live
system, isn't this possible with gentoo?
--
remove_this_ on mailing
 
 
Hekaton Keires
      12-03-2004, 07:22 AM
in Alexander Clouter's honest opinion:

> Well, the type of package is not always relevant on a per-distro basis. Whether
> it's available or not (and occasionally the version number, however you
> should always try to avoid committing yourself to a particular version
> number for reasons of convenience) is a completely different matter.


first of all i have to thank you for all the information; you gave me many
interesting points of view.

> All those are in Debian (have a look at the Debian website[1] for the
> comprehensive list; make sure you keep to 'stable'). I have used all of
> them personally except for openldap and mit-krb5; however, I know there are
> plenty of people who do.


well, now maybe i'm really gonna take a look at the debian website and
maybe [50%] the new pdc is gonna be debian: i did some reflecting about
openbsd, but sincerely i don't wanna renounce many linux attractions.

> Well, it's not really my place to say. It will replace your Windoze box
> quite comfortably; however, from my understanding I hear openldap with
> samba is 'fun' to do, so expect a few nights burning the midnight oil.


in fact, that's what i tried to ask: do those packages suit the services
mentioned? i mean, is it the right 'coupling' to use samba, openldap, postfix
to replace an active domain?

i ask this just because i have never used ldap nor krb5, even if
theoretically i have some idea. the problem is that i want to use a single
database for managing domain auth, mail, dns and any other stuff i'm gonna
add

> Again, well, if you want a webserver, great; you will find there are plenty
> of other webservers worth looking at. Again, it depends on what you are
> serving up.


the old pdc has iis5 for publishing the office's website, that's why i need apache -
i know it can support activeX, ASP, and some frontpage extensions - and
i'll probably need them for compatibility with some old webpages, and
will probably need odbc connectors too.

> As for 'tightvnc', I'm unsure why you would want to do this when 'ssh' can
> do everything you need. If you need remote graphics and such, then a
> locally installed X server (cygwin for windows) and running things
> remotely that way is much more efficient. However, it depends what you are
> doing with VNC; and this is not a Debian-specific thing.


in fact i tried some remote Xs (cygwin and remote linuxes), but cygwin did not
always work well, and even if it probably just needs some tuning and
configuration, it seems to load my network. i thought that vnc would have
less impact and it would give me much more compatibility if i could use it
via a web client.

after all i might not need vnc: my only hope is to give some other users the
possibility to manage the server remotely via a GUI interface (even
http) if needed when i'm off site; it would be difficult to give support explaining
commands via ssh.

you could say that it is insecure to follow this road: but sometimes
connection and ISP problems force us to change the default gw and remote
dns, and then we have several public ip's behind which we often need to
change the servers (for demo purposes we need several architectures
to show to clients), or some time ago there was a spam intrusion (my fault,
and exchange's), so remote configuration for the mail server is also
requested... so these and some other things make us change the configuration of
dns, dhcp, apache and the network quite often (2-3 times a month).

> Why? Most of the time the server probably will sit in IO-Wait (waiting
> for the harddisk to supply the data it needs). Optimisation of the
> applications is not really the magic bullet; you would be better off
> looking at optimisation of your implementation and looking for
> scalability. Sure, the optimising will help, but it's not going to get you
> out of a fix when your environment grows tenfold.


you're right - i would like to touch a server as little as possible;
unfortunately it's not always possible.

> The requirements of a server are not what you want in a desktop. Sure, it
> would be nice to have the 'latest is greatest' approach, but then you end
> up compromising on the stability and security aspects.


well i knew that when i was 16 "don't touch a functional computer", even
a desktop.

> Well, you probably will find grsecurity[2] does more than help you.
> SELinux is a good thing if you understand what it's doing. If you are
> asking the question, it's probably not for you; grsecurity should
> introduce you to a number of things in a pleasant way that does not mean a
> steep learning curve.
>
> Have fun
>
> Alex


thanks again alex, it was a pleasure to exchange ideas with you.
--
remove_this_ on mailing
 
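
The "single database for domain auth, mail, dns" goal in this post is what the Samba 3 LDAP schema is for: one entry per user carries the POSIX account for NSS/PAM, the Samba SID and flags for the domain, and the mail attribute Postfix can look up. As an added example (the editor's, not code from the thread or from Samba), the helper below prints such an entry. The base DN, Kerberos realm, mail domain and domain SID are assumptions; the RID arithmetic is Samba's algorithmic uid/gid to RID mapping with the default base of 1000, which is also what smbldap-tools uses.

```shell
#!/bin/sh
# One directory entry per user serving all consumers of the directory: Samba 3
# (sambaSamAccount), Unix NSS/PAM (posixAccount/shadowAccount) and Postfix
# lookups (inetOrgPerson 'mail'). Editor-added example, not from the thread;
# BASE_DN, REALM, MAIL_DOMAIN and DOMAIN_SID are assumptions.
BASE_DN='dc=example,dc=org'
REALM='EXAMPLE.ORG'
MAIL_DOMAIN='example.org'
DOMAIN_SID='S-1-5-21-1000000000-2000000000-3000000000'  # assumed; the real one comes from 'net getlocalsid'
RID_BASE=1000

# Samba derives RIDs from Unix ids: users 2*uid+base, groups 2*gid+base+1.
# Well-known groups (Domain Admins 512, Domain Users 513) are not algorithmic
# and have to be created explicitly.
user_rid()  { echo $((2 * $1 + RID_BASE)); }
group_rid() { echo $((2 * $1 + RID_BASE + 1)); }

# user_ldif <uid> <uidNumber> <gidNumber> "<Full Name>"
# Prints an LDIF entry ready for 'ldapadd -x -D cn=admin,$BASE_DN -W'.
user_ldif() {
  name=$1; uidn=$2; gidn=$3; cn=$4
  cat <<EOF
dn: uid=$name,ou=People,$BASE_DN
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: $name
cn: $cn
sn: ${cn##* }
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$name
loginShell: /bin/false
mail: $name@$MAIL_DOMAIN
userPassword: {SASL}$name@$REALM
sambaSID: $DOMAIN_SID-$(user_rid "$uidn")
sambaPrimaryGroupSID: $DOMAIN_SID-$(group_rid "$gidn")
sambaAcctFlags: [U          ]
EOF
}
```

`userPassword: {SASL}user@REALM` is OpenLDAP's SASL pass-through: a simple bind against the entry is checked by the KDC through saslauthd, so no second password hash for the Unix side is stored in the directory. Samba's NTLM path still needs `sambaNTPassword`, which `smbpasswd -a` writes and which is not in the entry above; keeping that hash in step with the Kerberos principal is the "fun" Alex mentions, and the reason to let one tool (smbldap-tools or your own wrapper) own user creation. `loginShell: /bin/false` keeps Windows-only domain users from getting a shell on the PDC while still giving them the POSIX identity Samba needs.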
 
Douglas O'Neal
      12-03-2004, 01:36 PM
Alexander Clouter wrote:
> On 2004-12-02, Douglas O'Neal <(E-Mail Removed)> wrote:
>
>>Gentoo allows you to choose which packages you want to upgrade and also
>>to set specific version numbers for installed packages. You do not have
>>to update every package in gentoo any more than you do in Debian or
>>Redhat.
>>

>
> So does *every* distro; what do you do about security updates? Upgrading to
> a newer version of a package is not the solution; applying the tiny diff to
> fix just that bug/issue is all that should *ever* be done on a production
> system.
>
> Regards


You're changing the reason you wouldn't run gentoo on a server. Quoting
from your first post:

"the last thing you need is it to update *every* package each time you
upgrade."

You do not have to update every package each time you upgrade.

I have never run a Debian system so I will not speak about its practices
but gentoo security patches are generally released as a point upgrade,
e.g., take phpwebsite-0.9.3_p4 and upgrade to phpwebsite-0.9.3_p4-r1. No
other packages need to be touched. Of course, if you're running v. 0.6
and you need to patch, this approach will not work in gentoo. How does
Debian handle security patches for non-current versions?

Doug
 
 
Alexander Clouter
      12-03-2004, 02:34 PM
On 2004-12-03, Hekaton Keires <(E-Mail Removed)> wrote:
>
> isn't it possible to do the same with emerge? if one could only untar the
> source to /var/tmp/portage (and keep them there permanently, ready to be
> patched) and then apply diffs when needed...
>

Yes, you can, however:

1) for every package that needs updating you will have to do
this... manually. You need to decide if your employers are willing to pay you
to spend your time extracting the patch, applying and testing before rolling
it out (and if you do not fall into a state where you kill yourself with
boredom through maintaining your own package tree).

2) you will be expected to actually backport a number of security fixes too
which are not easily available for it

> ... so that you can just rebuild the needed files and emerge them into the live
> system, isn't this possible with gentoo?
>

The thing is, are you scalable enough to cope with *every* package and
maintain your own distro tree? This is in effect what you would be doing.

Cheers

Alex

 
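
The workflow argued over in the last few posts (Hekaton's "untar the source and apply diffs", Alex's warning that you then maintain your own tree, Douglas's point that Gentoo ships fixes as -rN revision bumps) has since gained first-class support in Portage: a unified diff placed under /etc/portage/patches/<category>/<package>[-<version>]/ is applied at src_prepare on every rebuild of that package, so the fix survives re-emerges without a private copy of the source. The helpers below are an added example written by the editor, not from the thread or from Gentoo; the user-patch directory did not exist when the thread was written, and the package atom and patch used for testing are constructed.

```shell
#!/bin/sh
# Stage a backported fix as a Portage user patch and hold the package version.
# Editor-added example, not from the thread. PORTAGE_ROOT can be pointed at a
# scratch directory to rehearse the steps without root.
PORTAGE_ROOT=${PORTAGE_ROOT:-/etc/portage}

# Accept only unified diffs: a stray file in the patches directory breaks
# every later rebuild of that package.
is_unified_diff() {
  grep -q '^--- ' "$1" && grep -q '^+++ ' "$1" && grep -q '^@@ ' "$1"
}

# stage_user_patch <category/package[-version]> <patchfile>
# Copies the patch into place and prints its final path. Naming the version
# (net-fs/samba-3.0.9) scopes the patch to that release only; naming just the
# package (net-fs/samba) applies it to whatever version is emerged next.
stage_user_patch() {
  atom=$1; src=$2
  case $atom in
    */*) ;;
    *) echo "need category/package, got '$atom'" >&2; return 1 ;;
  esac
  is_unified_diff "$src" || { echo "$src is not a unified diff" >&2; return 1; }
  dest="$PORTAGE_ROOT/patches/$atom/$(basename "$src")"
  mkdir -p "$(dirname "$dest")"
  cp "$src" "$dest"
  echo "$dest"
}

# Dry-run the patch against an unpacked source tree first; this is what
# Portage will do for real, and a reject is better found now than mid-emerge.
check_applies() {  # check_applies <srcdir> <patchfile>
  patch --dry-run -p1 -s -d "$1" < "$2"
}

# Mask every version above the patched one so 'emerge -u' cannot silently
# replace it with a release the backport has not been reviewed against.
hold_version() {  # hold_version <category/package-version>
  mkdir -p "$PORTAGE_ROOT"
  printf '>%s\n' "$1" >> "$PORTAGE_ROOT/package.mask"
}
```

This only addresses the mechanics Hekaton asked about; Alex's objection stands for the rest. The diff still has to come from somewhere trustworthy (the upstream advisory or the distribution's own -rN bump, compared before it is staged), and the mask in package.mask has to be lifted deliberately once a reviewed fixed version exists, or the box stays pinned to an old release long after the reason for it is gone.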
 
 
 