From owner-freebsd-chat Sun Oct  7 21:19:04 2001
Delivered-To: freebsd-chat@freebsd.org
Received: from mail.wolves.k12.mo.us (mail.wolves.k12.mo.us [207.160.214.1]) by hub.freebsd.org (Postfix) with ESMTP id 23FF437B406 for ; Sun, 7 Oct 2001 21:19:00 -0700 (PDT)
Received: from mail.wolves.k12.mo.us (cdillon@mail.wolves.k12.mo.us [207.160.214.1]) by mail.wolves.k12.mo.us (8.9.3/8.9.3) with ESMTP id XAA21014; Sun, 7 Oct 2001 23:18:57 -0500 (CDT) (envelope-from cdillon@wolves.k12.mo.us)
Date: Sun, 7 Oct 2001 23:18:56 -0500 (CDT)
From: Chris Dillon
To: Evan Sarmiento
Subject: Re: FreeBSD and Active Directory
In-Reply-To: <200110062149.f96LnFj26783@csa.bu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Moved to -chat... This is not appropriate for -stable.

On Sat, 6 Oct 2001, Evan Sarmiento wrote:

> My high school recently hired a new technology coordinator.
> Instead of using open source software, the coordinator redesigned
> the network to support Windows 2000 and Active Directory. For
> those of you who do not know what Active Directory is: Active
> Directory is an LDAP server which delineates what privileges each
> host on the network has, etc.

I've read every message in this thread so far and all I have to say is that, as the network administrator of a large K-12 institution, I can sympathise with some of his leeriness of allowing any kind of "foreign" machine on the network.

Due to our non-unique situation in the under-staffed world of public education, I have essentially become a network-Nazi and would readily flip the switch disallowing any machine that I did not personally configure (or, actually, design the custom installation system for in our case) on the network if it wouldn't suddenly cut off quite a few machines that we have not had time to get to since we took over several years (!) ago. There is just me and one other person in our tech department dealing with about 3000 users and nearly 1000 workstations on a shoestring budget, and this is a pretty common situation for public schools. In four years we had a ten-fold increase in the number of machines on the network with no additional staff or increase of our budget (though that is changing, I hope). Even if your technology coordinator has half as many workstations and users and three times the budget and staff that we do, I still sympathize with his leeriness of foreign machines introduced into the relatively fragile entity we call a "network". It has become a conditioned reaction to just say NO to any request that doesn't immediately seem like a technically sound idea when you're in a situation like that, and the only thing that will change that is an infinite budget and an infinite abundance of well-trained network monkeys jumping around to handle every little problem that would pop up if everybody were allowed to do whatever they wanted.

> I asked him his policy on laptops. After a long conversation, he
> said: "I do not allow any laptops running *NIX to be placed on the
> network, as I believe it will interfere with Active Directory."

The AD fear is unfounded, but see above why I don't like the idea of foreign machines on "my" network. This might be his way of saying the same thing.

> I tried to explain to him how false his assumption was, but, he
> would not recant his infamy. I can understand, in a way -- He
> wants to make sure that the network is running for students to
> use.

That is generally the number one priority.

> How would I go about convincing this enthusiast that FreeBSD will
> not somehow interfere with Active Directory? This is what I have
> tried so far.

The answer would be to convince him that you can configure a machine properly so that it won't ever interfere with anything on the network and gain his trust. Going above his head to the boss (as you mentioned in another message) is not one way to do that.

As an aside, I DO allow "untrusted" machines on our network in a couple of locations, both of which are on their own segmented and firewalled networks. They happen to be computer tech classes in our vocational school which obviously require an environment more open to "experimentation". I also keep an eye on every one of our networks via an intrusion detection system as well as network protocol analyzers. I immediately know when anything goes out of whack and the owner of any machine causing anything to go even slightly out of whack is likely to get one him/her-self in some form or another. If I can do that given our staff situation and budget, so can your technology coordinator. It only requires a clue and a good implementation of it.

-- 
Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
FreeBSD: The fastest and most stable server OS on the planet
- Available for IA32 (Intel x86) and Alpha architectures
- IA64, PowerPC, UltraSPARC, and ARM architectures under development
- http://www.freebsd.org
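The aside in the message above describes putting untrusted machines on their own segmented, firewalled networks and watching every segment closely enough that a foreign machine is noticed right away. As an added example (not code from the original message, the list, or the FreeBSD project), here is a small Python audit that reads `arp -an` style output from a FreeBSD router or firewall host, checks each hardware address against an inventory of machines the administrator configured, and flags hosts that are unknown or that show up on a segment they do not belong on. The inventory, the interface names (`fxp0` trusted, `fxp1` the firewalled untrusted segment) and the ARP lines are all constructed for this example.

```python
import re

# Constructed sample in the style of FreeBSD `arp -an` output (not real data).
# fxp0 is the trusted segment; fxp1 is the separate, firewalled "untrusted" segment.
SAMPLE_ARP = """\
? (10.1.0.1) at 0:11:22:33:44:1 on fxp0 permanent [ethernet]
? (10.1.0.25) at 00:11:22:33:44:02 on fxp0 expires in 1100 seconds [ethernet]
? (10.1.0.77) at 00:de:ad:be:ef:99 on fxp0 expires in 900 seconds [ethernet]
? (10.9.0.12) at 00:11:22:33:44:55 on fxp1 expires in 700 seconds [ethernet]
? (10.1.0.88) at 00:11:22:33:44:55 on fxp0 expires in 300 seconds [ethernet]
? (10.9.0.40) at (incomplete) on fxp1 [ethernet]
"""

# Hypothetical inventory of administrator-configured machines:
# normalised MAC -> (hostname, interface/segment the machine belongs on).
INVENTORY = {
    "00:11:22:33:44:01": ("gateway", "fxp0"),
    "00:11:22:33:44:02": ("lab-ws-25", "fxp0"),
    "00:11:22:33:44:55": ("vocational-pc-12", "fxp1"),
}

# One ARP entry: "? (ip) at mac on ifc ..." where mac may be "(incomplete)".
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d+(?:\.\d+){3})\) at "
    r"(?P<mac>[0-9a-fA-F:]+|\(incomplete\)) on (?P<ifc>\w+)"
)


def normalize_mac(mac):
    """Pad each octet to two lowercase hex digits (arp may print '0:a0:...')."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def parse_arp(text):
    """Return (ip, mac, interface) tuples for resolved entries; skip incomplete ones."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m or m.group("mac") == "(incomplete)":
            continue
        entries.append((m.group("ip"), normalize_mac(m.group("mac")), m.group("ifc")))
    return entries


def audit_arp_table(text, inventory=INVENTORY):
    """Flag hosts missing from the inventory and inventoried hosts seen on the wrong segment.

    Each finding is (kind, ip, mac, interface) with kind "unknown" or "wrong-segment".
    """
    findings = []
    for ip, mac, ifc in parse_arp(text):
        known = inventory.get(mac)
        if known is None:
            findings.append(("unknown", ip, mac, ifc))
        elif known[1] != ifc:
            findings.append(("wrong-segment", ip, mac, ifc))
    return findings


if __name__ == "__main__":
    for kind, ip, mac, ifc in audit_arp_table(SAMPLE_ARP):
        print(f"{kind:13} {ip:15} {mac} on {ifc}")
```

Run from cron against the real `arp -an` output of the box that routes between segments, the "unknown" finding is the foreign machine the message worries about, and the "wrong-segment" finding (an address inventoried for the untrusted vocational segment appearing on the trusted interface) is exactly the condition the firewall between the two segments exists to contain. MAC addresses are trivially changed, so this is a cheap first alarm, not an access control; the IDS and protocol analyzers mentioned above are what catch the rest.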