[116] in Kakapo Windows Team
26 Sept container admins minutes
daemon@ATHENA.MIT.EDU (Thomas L. Thornton)
Fri Sep 26 16:27:58 2003
Date: Fri, 26 Sep 2003 16:27:56 -0400 (EDT)
Message-Id: <200309262027.h8QKRuTo005043@the-rim.mit.edu>
From: "Thomas L. Thornton" <tomt@MIT.EDU>
To: contact-container-admins@MIT.EDU
CC: kakapo@MIT.EDU
Container Administrators meeting, 26 Sept, 2003
11:00am-1:00pm, E19-758
Agenda Outline
OpenAFS
Filename ANSIfy
Security Bulletin MS03-039
distrib local mirror
Null sessions
Offline files
Container maintenance
Profile choices
Discussion
OpenAFS
------
OpenAFS 2003-09-15 is deployed to many test machines in WIN. We
elicit feedback especially from Chad and Steve who have no complaints.
Richard says Clayton in HR makes good reports. There are some minor
remaining issues:
AFS is not working under vpn (like linux AFS)
There are a few aklog minor problems
Installing an IPv6 stack stops AFS
On W2k3s registry keys are not yet propagated, perhaps
Admins must reinstate net provider order - to be in release notice(s)
Admins must have netman turned on - to be in release notice(s)
Chad saw two machines hang at startup, so Paul wonders if we should
hold Domain-wide deployment and test another week. Attendees think
not, asking for this to be deployed with the caveat that we may need
another deployment this semester. The consensus is to apply it after
5:00 PM next Wednesday night. Everyone says yes to a Domain-wide
reboot, but want early notice on the last two issues above plus how to
opt-out, especially for servers. The team aims for sending this
notice Monday.
Joe has a quick & dirty WMI-based container reboot script (it does
not check for logged-in users). It can be used by a local admin on
every machine in a container, but is raw and may need fixes. See
\\win.mit.edu\dfs\ops\distrib\containerreboot.cmd. Chad has a pslogin
script to check for logins, and warns he has to force-close to avoid
users' "Do you want to save" dialogs.
Container admins should remember to send pismere-team mail for any
other desired scripts.
Win2k SP4 has been tested for a couple of versions back of OpenAFS. A
week or so after OpenAFS we will apply it to the domain.
Filename ANSIfy
--------------
Some filenames, like those containing unicode, get converted poorly in
transitions between the OS and AFS. They can be renamed at logout
using the ansify test script by Joe. It enumerates through the local
profile, excluding those files that will not go back to a remote home
dir, and where it finds a unicode letter changes it. Someone asks if
maybe there could be a change log? Chad and Steve maybe will test.
How to set up your container to use ansify-profile:
Open your GPO,
Go to Computer Configuration/Administrative Templates/WinAthena
Settings/Logoff Scripts/Run these programs at user logoff
Make sure it's Enabled,
Click Show...
Click Add...
type "ansify-profile.pl" (no quotes necessary)
Now save your GPO
Reboot the machines in your container on which you want to start testing
right away (if not, wait for GP to refresh)
How to actually test:
On a machine which runs ansify-profile, log in with your Athena account.
Copy any file from \\win.mit.edu\dfs\departmental\pismere\public\unicode to
your desktop.
Notice the nice little unicode filenames.
Now log out.
(You should see the ansify-profile command window)
When you log back in, note that you can get your roaming profile and that
the file on your desktop has a changed name.
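As an added illustration of what the ansify-profile logout script described above does (this is not Joe's ansify-profile.pl, and the exact rename rule and the list of non-roaming folders are assumptions): walk the local profile, skip folders that never go back to the remote home dir, map non-ASCII filenames to ASCII, and refuse to clobber an existing file with the same ASCII name.

```python
import os
import tempfile
import unicodedata
from pathlib import Path

# Constructed assumption: profile folders that do not roam back to the remote home dir.
NON_ROAMING = {"Local Settings", "Temporary Internet Files"}


def ansify_name(name: str) -> str:
    """Strip accents via NFKD decomposition; replace any other non-ASCII character with '_'."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue  # drop the detached accent mark
        out.append(ch if ord(ch) < 128 else "_")
    return "".join(out)


def unique_target(directory: Path, name: str) -> Path:
    """Never clobber an existing roaming file: append (n) before the extension on collision."""
    stem, ext = os.path.splitext(name)
    candidate, n = directory / name, 1
    while candidate.exists():
        candidate, n = directory / f"{stem} ({n}){ext}", n + 1
    return candidate


def ansify_profile(profile: Path) -> dict:
    """Walk the local profile, skip non-roaming folders, rename non-ASCII names; return old->new."""
    log = {}
    for root, dirs, files in os.walk(profile, topdown=True):
        dirs[:] = [d for d in dirs if d not in NON_ROAMING]  # prune in place
        for fname in files:
            if fname.isascii():
                continue
            src = Path(root) / fname
            dst = unique_target(Path(root), ansify_name(fname))
            src.rename(dst)
            log[src.relative_to(profile).as_posix()] = dst.relative_to(profile).as_posix()
    return log


def demo() -> dict:
    """Constructed sample profile: a unicode name colliding with an ASCII one, plus a non-roaming file."""
    base = Path(tempfile.mkdtemp())
    for sub in ("Desktop", "Local Settings"):
        (base / sub).mkdir()
    (base / "Desktop" / "résumé.doc").write_text("constructed")
    (base / "Desktop" / "resume.doc").write_text("constructed")
    (base / "Local Settings" / "café.tmp").write_text("constructed")
    return ansify_profile(base)
```

The returned dictionary is the change log asked for in the meeting; the file under "Local Settings" is left untouched because that folder never roams.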
Security Bulletin MS03-039
-------------------------
Richard reports we deployed the hotfix to the Domain using
autohotfixer, which does not apply to a machine that is logged-in.
RIS images and Ops servers were applied at the same time. There are
inconsistent ways to test a machine to see if it has been patched and
scanner reports may vary, but these Domain machines will never be
compromised.
Joe has a bootable CD with a retail image of XP SP1 and the applied
hotfix. It is retail media (that is, you have to have a valid retail
product key to install/activate). In the WIN Domain, the image is
located here:
\\win.mit.edu\dfs\departmental\pismere\public\iso-images\winxppro-sp1-kb824146.iso
Jon Hunt says he would host the image for MIT people outside the
domain. Maybe a non-WinAthena RIS retail image would be nice, too.
distrib local mirror
-------------------
Joe and Richard have a script to copy, probably daily,
\\win.mit.edu\dfs\ops\distrib to a machine-local mirror and set the
path to look locally. This is under test, and we plan to run it
domain-wide, after further container admin testing.
To test this script, do the following:
Go to https://wince.mit.edu/containermaint/index.jsp
Task: "Run a custom script" and select a container. (Next)
In the URL field, type
\\win\dfs\ops\scripts\machine\maintenance\common\MirrorDistrib.cmd
and in the how-you-want-to-schedule field, select "Daily". (Next)
Choose the time you want the script to run (I suggest 1:00am) (Next)
Submit the request.
Also, regarding this script, we want to ask Chad to talk with us about
how his scripts write to the machine path, so that we do not have
conflicts.
Null sessions
------------
Do we want to push out a default setting on machines to disable Null
Session accounts? This might affect Exchange 5.5. The consensus is
to deploy it Domain-wide, with an ability to override it. This will
happen after AFS, maybe concurrent with SP4.
Offline files
------------
The team explores ramifications of offline files and possible
settings, scripts, maybe a GUI. Should it default to off? Chad
already sets it to off, since 37 users would set a machine to sync
files, adversely affecting later users. The consensus is default it to
off.
Container maintenance
--------------------
The container maintenance web form, at
https://wince.mit.edu/containermaint is cleaner, more rational, not
really with any new features, but the resulting email is better-framed
to make it easier for addressees to handle requests. Ops handles
requests unless they ask developers.
How does the container admin see what are current container
maintenance settings? Look in
\\win.mit.edu\dfs\ops\scripts\machine\maintenance\0.1\machines in your
container. Every script appears there.
Profile choices
--------------
We have mentioned before that users can try a web form to specify
where the profile and home dir reside. We are testing it more.
Discussion
---------
What can I do about a software installer that makes a per-user desktop
shortcut point to a file on the local machine? The installer should
put it into all users. MSI version 3.0 may try to interpret the installer
to make it better adhere to Logo requirements.
We are still gathering MSIs, so keep them coming.
Can I have a dialog to renew tokens? Running leash minimized will
allow it to pop up at renew time. We will look deeper into it as we
put krb5 into aklog.
Can I put non-h: command prompt window icon into the tool bar for
users who need to renew? Yes, you can add an icon to a window that
runs at c:. Can I set a timed screen saver that asks for the
password? Yes, but this would not help renew. The team will look at
running a screensaver through GP. Certainly any admin can run a
scheduled script to renew periodically, an exercise left as homework.