Sun


NetApp Suing Sun over ZFS

I was on the road most of the day today, so I must have missed this news earlier.  Apparently, Sun Microsystems and Network Appliance have had a little spat over ZFS and WAFL, and now NetApp is suing Sun for patent infringement.

Dave Hitz explained the situation in a blog entry:

This morning, NetApp filed an IP (intellectual property) lawsuit against Sun. It has two parts. The first is a “declaratory judgment”, asking the court to decide whether we infringe a set of patents that Sun claims we do. The second says that Sun infringes several of our patents with its ZFS technology.

Dave Hitz goes on to attempt to differentiate NetApp’s actions from the IP lawsuit(s) of SCO infamy.  Personally, I wouldn’t place NetApp and SCO in the same situation, although I am strongly opposed to the current system of software patents.  Patent reform is desperately needed, before things get worse than they already are.

In any case, this turn of events is unfortunate.  I’m not technical enough to be able to provide any sort of opinion with regards to whether or not ZFS actually does infringe upon NetApp’s WAFL patents (or the other way around), but I do hope that Sun and NetApp can settle things amicably and move forward with more innovation, rather than getting stuck in an argument over who owns what.  That’s the last thing either company needs right now.  In addition, ZFS’ status needs to be settled quickly, before more companies decide to try to adopt a supposedly open sourced file system and incorporate it into their own products (as Apple reportedly did with ZFS and Leopard).

For more information on the lawsuit, see this eWeek article or this report from The Register.  I’d also be interested in hearing anyone else’s feedback on the situation.  What’s your take?


Learning Solaris

I’ve targeted Solaris (specifically, Solaris 10 on x86) as the next major technology that I’m going to try to learn.  I’ve always been fascinated with UNIX and UNIX-like operating systems such as Linux, and Linux’s popularity on the x86 platform made it much easier to learn because I didn’t have to acquire any exotic hardware.  With Sun’s (apparent) renewed interest in x86/x64, Solaris is much more accessible now than it was in the past.

Obviously, I’m not a complete newbie to the Solaris environment, having written a couple articles on Solaris-AD integration (the latest being found here).  However, I don’t feel like I have a solid understanding of the operating system and its architecture, and I’d feel much more comfortable with that information under my belt.  At some point, the IT industry being what it is, I’ll need to seek some sort of Solaris certification, but that’s not my primary goal.  Understanding the product itself is my primary goal; certification will merely be a side effect.

Here’s what I’ve done so far:

  • I’ve created a Solaris 10 (32 bit) virtual machine on my VMware ESX Server farm; that’s been the system I’ve used mostly for testing the Active Directory integration instructions.  I’ve also done some work with the automounter (automounting home directories via NFS).
  • I’ve also just recently gotten a Solaris 10 (64 bit) VM running under VMware Fusion on my MacBook Pro; I’ll use that system for more day-to-day operational tasks and getting used to the interface.
  • I have a group of Solaris- and UNIX-related RSS feeds in NetNewsWire, including BigAdmin (What’s New and Feature Articles), Inchoate Curmudgeon, and a del.icio.us tag feed, among others.

I’d certainly appreciate any suggestions from those who may have already been down this path as to specific projects I should undertake, books I should acquire, websites to frequent, RSS feeds to which I should subscribe, etc.  In addition, any guidance as to how I should balance Solaris vs. OpenSolaris (on which one should I focus more effort?) would be very helpful.  And what builds of Solaris/Solaris Express are most beneficial to use?  I’m currently using Solaris 10 Update 3, but I’m not sure if a different build would be better to work with.  That’s the kind of information that would be great to get from those wiser and more experienced.

Wish me luck!


Statistically Secure

I’ll start out by saying that I am neither a security expert nor a statistician.  With that disclaimer in hand, I wanted to briefly share my thoughts on the “days of risk” assessment that has recently been used to compare the security of Windows, Linux (Red Hat and SuSE), Mac OS X, and Sun Solaris.  Before continuing, I encourage you to have a look at the actual report itself, along with a few related articles:

In summary, the Days-of-Risk (DoR) assessment showed that Microsoft patched vulnerabilities in Windows more quickly than Red Hat, Novell, Apple, or Sun patched vulnerabilities in their products.  This is true even when only High Severity issues are taken into consideration, although the gap between Microsoft and the other vendors narrowed in that analysis (with the exception of Sun).

OK, that’s all well and good, but we all know statistics can be made to show just about anything.  I’m not saying that Mr. Jones deliberately limited his data to present a favorable outcome for Microsoft; Microsoft has done a very admirable job of improving their security responsiveness, and in that regard the other vendors would do well to improve their own responsiveness to the disclosure of security vulnerabilities.  No, my thoughts are more centered on the question: Is this data the right data to accurately and objectively represent the security profile of an operating system?

I would contend that, in addition to DoR, information on the following areas would also need to be included in order to more accurately depict an operating system’s security profile:

  • Number and severity of exploits published or otherwise made available for vulnerabilities
  • Number of viruses, trojans, rootkits, or other malware readily available or in active circulation

Now, before you say something like “Well, of course Windows is going to have more viruses and more exploits because it has a larger installed base!”, let me also say that these values should be correlated and weighted according to the installed base of the operating system as well.  This allows the values to account for the fact that Windows is in use by a much larger base of users than Linux, Solaris, or Mac OS X.

Again, I’m not a statistician, but surely there’s a way to correlate this data (including DoR) and start presenting some sort of objective guide, based on measurable facts, regarding the security of an operating system.  Then the vendors (Microsoft, Apple, Novell, Sun, Red Hat, and others) can stand on equal ground and be able to make some sort of reasonable comparison regarding the security of each product.  Isn’t that what we really need anyway?


As with the procedure for authenticating Linux against Active Directory and providing Kerberos-based SSO with Apache, there are a few steps to be performed.  Some of these steps are performed on the Active Directory side, some of them are performed on the Solaris 10 system.

This procedure assumes that you are using Windows Server 2003 R2; if you are using a previous version, the LDAP attribute mapping will need to be modified to match the schema extensions found in Microsoft’s Services for Unix (SfU) add-on product.

Preparing Active Directory (One-Time)

These steps only need to be performed once.  Note that if you have performed any of these steps as part of authenticating Linux to Active Directory, they do not need to be performed again.  Simply make note of the information used earlier and re-use that information again with Solaris.

  1. Install the “Server for NIS” component on at least one Active Directory domain controller (DC), so that the Active Directory schema can be extended to become partially RFC 2307-compliant.  Installing this component will also add a “UNIX Attributes” tab to objects inside the Active Directory Users and Computers MMC console.  You may also need to install the Server for NIS administrative tools on your workstation to see the “UNIX Attributes” tab.
  2. Use the Schema Management MMC snap-in to index the uid attribute, which is not indexed by default.  This will speed up the login process and reduce the overall load on your DCs.  (For more information, refer to my updated Linux-Windows Server 2003 R2 integration instructions, linked above.)  It may be possible to change the attribute that Solaris is looking for, but I haven’t found a way to do that yet.
  3. Create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  I recommend giving this account a simple, short name; this will make specifying the DN of the account later easier to do.
  4. Create a global security group in Active Directory Users & Computers and set the UNIX attributes for this group.

Once these one-time steps have been completed, we can proceed to configuring the individual users that will be authenticating to Active Directory from your Solaris server(s).

Preparing Active Directory (Each User)

Each Active Directory account that will authenticate via Solaris must be configured with a uid and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account (this tab was made visible by the installation of the Server for NIS component).  The attributes that must be populated are:

  • NIS domain:  It’s required on this tab in order to populate the other fields, but we won’t be using it.
  • UID:  This is actually the UID number.  Each user must have a unique UID; I believe that the Server for NIS defaults at a starting UID of 10000, which is pretty safe for most systems.
  • GID:  In addition, each member must have a GID (group ID); simply specify the group that was created earlier.
  • Login Shell:  Specify a login shell (such as “/usr/bin/csh” or “/sbin/sh”) for each user.
  • Home Directory:  Specify the home directory (such as “/export/home/slowe”) that will be used for this user.  Keep in mind that these values may apply across multiple systems and platforms, and the path must be valid on all systems and platforms.

Based on my experience so far, the values for Solaris will often be very different than what might be specified for Linux-based logins.  I haven’t yet figured out how to reconcile these differences in a multi-platform environment (suggestions are welcome).

After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Solaris server(s) that will enable the authentication.

Preparing Active Directory (Each Solaris Server)

These steps need to be repeated for each Solaris server that will be authenticating via Kerberos to Active Directory.

  1. Create a user account (not a computer account) for each Solaris server.  (Note that this is different than the instructions provided for integrating Linux.  I have an article planned to discuss this in more detail, but for now just trust me.)  I highly suggest using a naming convention that supports a) the service principal(s) involved; and b) the name of the server.  Since Solaris will use the HOST service principal, a name like “HOST-solarissrvr” would be good.  The password doesn’t matter, but do be sure to check the “Password never expires” check box, and after the account is created specify a good description so that you’ll remember what this account is for in 6 months.
  2. For each account that was created, run the ktpass.exe command to generate a unique keytab for each account.  The command will look something like this (substitute the appropriate values where necessary):
    ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\account
    -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL
    -out filename

    Be sure to specify a unique output filename (so that you don’t overwrite files; each server/account needs its own unique file).  I suggest using the server’s name as the filename, i.e., something like “solarissrvr.keytab”.

Now that each Solaris server has a matching account in Active Directory, and each account has had a keytab generated for it, we’re ready to move on to configuring the Solaris servers themselves.

Configuring Solaris (Each Server)

The following steps need to be performed on each Solaris server that will authenticate against Active Directory.

Configuring Kerberos

Solaris keeps its Kerberos configuration in the /etc/krb5 directory as krb5.conf.  Edit this file using your editor of choice to look something like the one below.  Depending upon how you configured Solaris during the installation, some of this configuration may already be present.

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
        kdc = dc01.example.com
        kdc = dc02.example.com
        admin_server = dc01.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        .subdomain.example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        period = 1d
        version = 10
        }

[appdefaults]
        kinit = {
        renewable = true
        forwardable = true
        }

Your particular information will need to be supplied here, of course, so you can’t simply copy and paste from here to the Solaris configuration file.

Of particular interest here is the “verify_ap_req_nofail = false” parameter.  I’m still shaking out some TGT validation/verification errors, and this is currently the only way to make authentication work from Solaris.  As soon as I get the validation/verification problems sorted out, I’ll post a new version of these instructions.

Transfer the keytab generated earlier by the ktpass.exe utility (in our example, it was called “solarissrvr.keytab”) to the Solaris server in some secure fashion, like SFTP or SCP.  Place it in the /etc/krb5 directory as krb5.keytab, and make sure that only root has permissions to the file.
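The two things worth checking before moving on, written up as an added shell example that is not part of the original article: whether krb5.conf still carries the “verify_ap_req_nofail = false” workaround described above (with it set to false, a ticket obtained at login is accepted even when it cannot be validated against the host’s own key, and that validation is what keeps a PAM login from being satisfied by a KDC that does not hold the host key), and whether the transferred keytab really is owned by root with no group or other permission bits. The sample krb5.conf fragment, the function names, the temporary paths and the reliance on the standard ls -l column layout are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for the
# Kerberos side of the Solaris/AD setup. The sample krb5.conf below, the
# function names and the temporary paths are constructed for this example.

# Constructed krb5.conf fragment carrying the workaround setting.
SAMPLE_KRB5_CONF='[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
        kdc = dc01.example.com
        }
'

# Exit 0 if verify_ap_req_nofail is explicitly "false" in [libdefaults] of $1.
krb5_ap_req_verify_disabled() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section) }   # track the current [section]
        section == "[libdefaults]" && /^[ \t]*verify_ap_req_nofail[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)      # keep only the value
            sub(/[ \t]*$/, "", v)
            if (tolower(v) == "false") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Exit 0 if $1 is a regular file owned by $2 (default root) with no group/other
# permission bits, i.e. mode 0600 or 0400. Assumes the usual ls -l columns.
keytab_perms_ok() {
    f=$1
    want=${2:-root}
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")             # fields: mode links owner group ...
    mode=$1
    owner=$3
    [ "$owner" = "$want" ] || return 1
    case $mode in
        -r[w-]-------|-r[w-]-------[+@.]) return 0 ;;   # trailing +/@/. marks ACLs or labels
        *) return 1 ;;
    esac
}

# Run both checks, print one warning per problem, return the problem count.
krb5_preflight() {
    conf=$1
    keytab=$2
    owner=${3:-root}
    problems=0
    if krb5_ap_req_verify_disabled "$conf"; then
        echo "WARN: $conf sets verify_ap_req_nofail = false; initial tickets are not validated against the host key"
        problems=$((problems + 1))
    fi
    if ! keytab_perms_ok "$keytab" "$owner"; then
        echo "WARN: $keytab must exist, be owned by $owner and be mode 0600 (or 0400)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Stand-alone demonstration against a constructed temporary directory.
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_KRB5_CONF" > "$demo_dir/krb5.conf"
: > "$demo_dir/krb5.keytab"
chmod 644 "$demo_dir/krb5.keytab"          # deliberately too permissive
if krb5_preflight "$demo_dir/krb5.conf" "$demo_dir/krb5.keytab" "$(id -un)"; then
    echo "preflight clean"
fi
rm -rf "$demo_dir"
```

On the server itself the call is krb5_preflight /etc/krb5/krb5.conf /etc/krb5/krb5.keytab (the owner defaults to root). Once the ticket validation problems mentioned above are sorted out and verify_ap_req_nofail goes back to true, the first warning disappears on its own.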

Configuring LDAP

We’ll use the native Solaris “ldapclient” utility to configure the LDAP support in Solaris.  The command you’ll type in looks something like this (please don’t copy and paste this, as it contains generic/incorrect information that won’t work!):

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com \
-a proxyPassword=Password1 \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a "defaultServerList=172.16.1.10" \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

The easiest way to handle this would probably be to copy it into a blank text file, edit it to include the specific details for your network, and then paste it into a terminal session on the Solaris server.

After this command has been run, Solaris will create the LDAP configuration in /var/ldap and will update /etc/nsswitch.conf to use LDAP.  However, because we only want to use LDAP for specific purposes, we’ll need to go back and edit /etc/nsswitch.conf again.  Just remove “ldap” from all entries in /etc/nsswitch.conf except for passwd and group.
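Doing that edit by hand across a couple of dozen entries is easy to get wrong, so here is an added shell example (not the article’s own) that does it mechanically: every entry except passwd and group has the ldap source removed, a [status=action] clause attached to a removed ldap source goes with it, and an entry left with no source at all falls back to files. The sample file contents and the function name are constructed for this example, and the script writes to standard output so the result can be reviewed before it replaces /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the original article): strip the "ldap" source from
# every nsswitch.conf entry except passwd and group. The sample below is a
# constructed excerpt of what ldapclient leaves behind, not a real file.

SAMPLE_NSSWITCH='# /etc/nsswitch.conf as rewritten by ldapclient (constructed sample)
passwd:     files ldap
group:      files ldap
hosts:      files dns ldap
ipnodes:    files ldap
netgroup:   ldap
automount:  files ldap [NOTFOUND=return]
services:   files ldap
'

# Read an nsswitch.conf on stdin, write the trimmed version to stdout.
# Assumes the usual "database: source source ..." layout with whitespace after
# the colon; comments and blank lines pass through untouched.
strip_ldap_except_passwd_group() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }          # comments and blank lines
        $1 == "passwd:" || $1 == "group:" { print; next }  # keep these entries exactly as they are
        {
            out = $1
            kept = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap") {
                    # drop the source and a [status=action] clause bound to it
                    if (i < NF && $(i + 1) ~ /^\[/) i++
                    continue
                }
                out = out " " $i
                kept++
            }
            if (kept == 0) out = out " files"              # never leave an entry without a source
            print out
        }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_NSSWITCH" | strip_ldap_except_passwd_group
```

A realistic run is strip_ldap_except_passwd_group < /etc/nsswitch.conf > /tmp/nsswitch.new, followed by a diff against the original and a copy back into place as root; column alignment on the rewritten entries is collapsed to single spaces, which nsswitch.conf does not care about.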

I think it’s necessary at this point to restart the LDAP client service:

svcadm restart svc:/network/ldap/client:default

Use the “svcs -a | grep ldap” command to verify the exact name of the LDAP client service on your Solaris server.

Configuring PAM

The /etc/pam.conf file controls the PAM (Pluggable Authentication Modules) configuration on Solaris.  You’ll need to edit the /etc/pam.conf file to look something like what’s shown below.  I’ve edited away all the non-essential sections, so only change the sections listed below.

# Default definition for Authentication management
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# Default definition for Account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1
#

With this configuration in place, Solaris will use Kerberos authentication and will retrieve account information via LDAP.

Testing the Configuration

Once all of the configuration steps have been completed, you can test the configuration with the following commands:

  • You can use “getent passwd <Name of AD user>” from the Solaris server; this command should return UID number, GID number, UNIX home directory, and login shell.
  • You can use “kinit <Name of AD user>” to test Kerberos authentication.  A successful Kerberos test will not return any feedback, and the “klist” command will show a ticket granting ticket (TGT) from the Active Directory DC/KDC.

If either of these tests is unsuccessful, review the log files on the Solaris server and resolve the problems before continuing.  Both of these tests will need to be successful in order for authentication to work correctly.
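Rather than eyeballing what getent returns, the fields can be checked mechanically; this added shell example (not from the original article) validates a passwd-style line field by field, so an empty UID, a non-numeric GID, a relative home or shell path (the sort of “usr/bin/csh” value that is easy to mistype in the UNIX Attributes tab), or a UID down in the reserved system range is reported before anyone tries to log in. The sample entries, the function names and the reserved-range floor of 100 are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the passwd entry
# that "getent passwd <user>" returns for an AD-backed account. The sample
# entries and the MIN_UID floor are constructed assumptions.

MIN_UID=100   # assumption: UIDs below this are treated as reserved for system accounts

# Return 0 if $1 is a non-empty digit string, 1 otherwise.
is_number() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate one passwd(5)-style line. Prints the first problem found and
# returns 1; returns 0 when all seven fields look usable for a login.
validate_passwd_entry() {
    IFS=: read -r name pw uid gid gecos home shell extra <<EOF
$1
EOF
    if [ -n "$extra" ]; then echo "too many fields in entry for '$name'"; return 1; fi
    if [ -z "$name" ]; then echo "empty user name"; return 1; fi
    if ! is_number "$uid"; then echo "$name: UID '$uid' is not numeric"; return 1; fi
    if ! is_number "$gid"; then echo "$name: GID '$gid' is not numeric"; return 1; fi
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "$name: UID $uid is in the reserved range (< $MIN_UID)"; return 1
    fi
    case $home in
        /*) ;;
        *) echo "$name: home directory '$home' is not an absolute path"; return 1 ;;
    esac
    case $shell in
        /*) ;;
        *) echo "$name: login shell '$shell' is not an absolute path"; return 1 ;;
    esac
    return 0
}

# Look the user up with getent and validate what comes back. This needs the
# real LDAP setup, so the demonstration below does not call it.
check_ad_user() {
    entry=$(getent passwd "$1") || { echo "no passwd entry for '$1'"; return 1; }
    validate_passwd_entry "$entry"
}

# Stand-alone demonstration on constructed entries.
for e in \
    'aduser:x:10000:10000:AD User:/export/home/aduser:/bin/sh' \
    'badshell:x:10001:10000:Bad Shell:/export/home/badshell:usr/bin/csh' \
    'lowuid:x:0:0:Low UID:/export/home/lowuid:/bin/sh'
do
    if validate_passwd_entry "$e"; then echo "ok: ${e%%:*}"; fi
done
```

On a configured server, check_ad_user <Name of AD user> runs the same checks on the live getent output; a non-zero exit with a printed reason points at the attribute to fix in Active Directory.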

If the tests are successful, then you should now be able to authenticate on a Solaris server using your Active Directory username and password.  I tested this using SSH and the X Desktop login.

How I Tested

I tested this configuration using Solaris 10 x86 6/06 (the June 2006 release) running as a VM under VMware ESX Server 3.0.0.  Authentication was performed against a pair of virtual servers (one hosted on ESX 3.0.0, the other on ESX 2.5.3) running Windows Server 2003 R2, Standard Edition.


In a recent article discussing Novell’s leadership change, one analyst was quoted regarding the change as being positive for Novell in that they (Novell) could stop building very high quality products and instead build products that are just good enough.  I don’t know about you, but this spirit of mediocrity is exactly the wrong kind of thinking for IT vendors.

Specifically, the quote stated this:

“Ron Hovsepian appears to be an astute business person, one who will be able to quickly take stock of the environment and Novell’s position within that environment. This, I hope, will help Novell move from its current position of very slowly building extremely high quality products to quickly building and marketing products that are good enough to satisfy the market,” concluded Kusnetzky.

So what is he (Dan Kusnetzky) proposing then?  It sounds to me that Dan thinks IT software vendors should make their products just good enough to pass muster, instead of making them the best that they can be.

In my opinion, this spirit of mediocrity—this willingness to accept products that are knowingly released with imperfections and flaws because they are “good enough”—is exactly what brought the industry to where it is today.  This mediocrity is what brought SQL Slammer, Blaster, and Melissa.  This is the view that accepts that rebooting your computer a few times a day is just a part of life, and that our operating systems and applications shouldn’t be expected to be stable and reliable.  Just good enough?  When was the last time you recommended a product, service, or vendor because they were “just good enough”?  No, just good enough isn’t good enough.

Every major IT vendor out there—from HP, IBM, and Sun, to Apple, Microsoft, and Red Hat—should be held accountable for the quality of the products they release.  Hey, I understand that companies may make mistakes, and miss errors.  That’s understandable.  But any company that knowingly releases a product that’s “just good enough” when it could have been better is not a company we should be praising.  We should be supporting those companies that emphasize quality over “just good enough”.

Perhaps I’m overreacting.  Perhaps the analyst’s comments were merely directed at the speed with which Novell releases their products, and was instead trying to state that Novell needed to release competing products more quickly.  Even so, any vendor that values speed over quality is bound to get bitten sooner or later.  Microsoft got bitten, and changed their priorities (somewhat).  Apple will get bitten, too, if they start letting the quality of Mac OS X releases slide in favor of shorter development cycles.  The same goes for all the other vendors.

What about you?  I’d love to hear your comments on the matter.


Open Source Hardware

Sun joins IBM in trying to use the open source software model to help with hardware as well.  (Thanks to Linux-Watch for the news.)  Creating a new project called OpenSPARC, Sun is open sourcing the specifications for its latest SPARC processor, the UltraSPARC T1, code-named “Niagara.”

According to the Linux-Watch article, the effort is intended to help drive the development of ports of Linux and BSD that can take full advantage of the CoolThreads technology in the UltraSPARC T1, which provides 32 threads of execution.  This allows the T1 to provide much greater throughput at lower clock speeds with dramatically lower power consumption.

In addition to the processor architecture and code, Sun is also open sourcing its HyperVisor API information.  Like other vendors’ hypervisor efforts, the idea is to allow multiple operating systems or multiple instances of an operating system to run simultaneously on the same hardware.  Again, ports of Linux and BSD that are designed to take full advantage of the UltraSPARC T1 architecture and HyperVisor API are beneficial to Sun because they can help drive sales of their hardware.

It’s a good idea, really, if you think about it.  Sun’s big into open source these days, after creating the OpenSolaris project in an effort to open source the entire Solaris operating system.  However, Solaris is really the only operating system that can run well on Sun’s SPARC hardware, and helping other alternatives to run equally well on SPARC hardware would encourage more people to buy SPARC hardware.  With any luck, Sun could create the kind of momentum and mystique around their SPARC hardware as they’ve done with their AMD-based “Galaxy” servers.

It’ll be interesting to see how it plays out.
