Vista: Pretty Face, Works Well With Others?
What is the Unix/Network guy doing writing about Windows, you ask? We want to see how well Vista plays with Unix services and the enterprise environment, of course. Mostly we're going to dispel a nasty Samba rumor that's been going around, and then explore some Vista oddities an enterprise customer needs to be aware of.
Vista RTM (release to manufacture) has recently appeared for business use. This is the final version of Vista, excluding any last-minute bug fixes, scheduled to be unleashed upon the masses sometime in February 2007.
A while back, people started having coronaries and blaming Microsoft for breaking interoperability, again. In actuality, Microsoft has upped the security ante, but it didn't purposefully break anything. It is true that older versions of Samba do not work with Vista out of the box. Samba versions 3.0.21 and higher will work without any modifications to either Samba configurations or Vista security policies.
Upgrading Samba isn't always easy, unfortunately, since it is widely used in embedded devices. Many NAS vendors actually run Linux without announcing it, and in those cases CIFS sharing is done via Samba. If your vendor hasn't released an update by the time Vista becomes widespread, you're going to have to modify a security policy setting in Windows. It's really not a big deal. Upgrading the NAS device might be a big deal though—they generally require a firmware update. Few vendors make firmware updates painless, but in this case it may be a necessary upgrade.
The so-called breakage is actually a result of a change in default levels for LAN Manager authentication. The latest protocol is version 2, or NTLMv2. In previous Windows versions, NTLMv1 and plain LM authentication methods were allowed by default. Vista only allows NTLMv2 by default, however.
Windows, ever since NT 4.0, has stored two password hashes for each user: one LM and one NTLM. Vista can do this as well, if you really must. The LM hash is only necessary if you have Windows 95 or 98 clients, because they didn't know of NTLM. The two protocols work the same way, the only difference being the password hashing mechanism. LM hashes are very insecure, and easy to crack, in case you didn't know. NTLMv2 is completely different from both LM and NTLM(v1), and much more secure. Version 2 implements a more robust challenge-response, and session security. In short, don't enable NTLMv1 unless you absolutely must.
To allow NTLMv1 or LM challenge-response operations, first become a user with Administrator rights. Next, run the program secpol.msc. Under Local Policies then Security Options, there should be something that reads, "Network Security: LAN Manager authentication level." By default, "Send NTLMv2 response only" is selected. There are a few options available, but choosing "Send LM & NTLM - use NTLMv2 session security if negotiated" seems to make the most sense. Everything should now magically start to work if using non-NTLMv2 aware systems.
To Print or not to Print
As expected with heightened security, many things get more difficult. There's nothing convenient about security, as a general rule. In Vista, users cannot install drivers for printers any more. The new version of Windows Installer has support for hardware drivers, so that's a workaround. Every driver for every printer in a network needs to be pre-installed, as opposed to the current "have the user find it on the network and click "connect" to install" printer-add method.
Other File Services
SFU, Services for Unix, still exists, and Microsoft also adds SUA: Subsystem for UNIX-Based Applications. SFU allows you to run an NFS client or server, and SUA provides POSIX libraries to make compiling Unix applications more likely on Windows. On the SFU front, NFS on Windows is a pain in a real environment, but is doable for just a few users (or uses). SUA is advertised to "help aid in the migration of Unix/Linux applications to Windows." No comment.
But Wait, There's More
Yes, Windows Vista has iSCSI capabilities! Right in the Control Panel is a nifty utility to configure an iSCSI initiator. In iSCSI, the Initiator is the "client" and a Target is the device or server hosting the iSCSI device. We're very pleased to see this in Vista. You're no longer limited to third party applications of fiber channel connections in Windows.
Everything else about Windows Vista, from a non-Windows sysadmin's point of view, is basically the same as Windows XP. Everything still works, barring that one little NT LAN Manager gotcha, and the loss of functionality with print driver installations.
In an Active Directory domain, we decided to give the upgrade install a try. After all, they're bound get that right eventually. We popped the DVD into a running system, logged in as an Administrator, and watched the screen turn into a pretty Vista-themed installer. The upgrade warned that it'd reboot many times, and after answering the questions, it chugged away.
We returned to find an odd-looking login screen. The password prompt beckoned, and so we attempted to login. And lo, it works!
Symantec AntiVirus failed to start (needs an update to v10.2), and the domain policy to supply drive mappings didn't work, but other than that, this box was fully functional. All of the previously installed applications worked as well. Existing printers existed, and we confirmed that adding a printer with just plain User privileged doesn't work.
Look for more on Vista networking and interoperability in the coming months.