Open Aspects of Waterloo Polaris

    Waterloo Polaris Phase II is focused on improving the user environment, but it will also include transitions from a decade of home-grown technologies to various new commercial technologies.


User Login Authentication

    Waterloo Polaris requires a valid user login to begin every user session. Most users seem to understand that fact, just as they seem to understand why locks and driver's licenses need to exist.

    Watstar servers now co-operate with other servers and allow them to validate user passwords.

      Using an open protocol designed and widely used for such purposes, each Watstar server is assigned a trusted host running Unix, NT or some other operating system. In practice, most Watstar servers in a faculty will point to a single authentication host, such as the Email server.

      If the supplied userid and password match the copy cached in the Watstar server, the upstream host will not even be asked to validate the request. But if there is no match, the userid/password pair will be encrypted and sent upstream.
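
      The cache-first flow described above, as an added sketch that is not Watstar code. It assumes the cache holds a salted PBKDF2 verifier rather than the password itself, stands in for the upstream host with a plain callable (the encrypted transport is not modelled), and adds a hypothetical ttl setting to show what changes when cached entries expire.

```python
import hashlib, hmac, os, time

class CachingAuthenticator:
    """Local verifier cache in front of an upstream authentication host."""

    def __init__(self, upstream, ttl=None, clock=time.time):
        self.upstream = upstream   # callable(userid, password) -> bool (assumed interface)
        self.ttl = ttl             # hypothetical: seconds an entry is trusted; None = forever
        self.clock = clock
        self.cache = {}            # userid -> (salt, digest, stored_at)
        self.upstream_calls = 0

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _cache_hit(self, userid, password):
        entry = self.cache.get(userid)
        if entry is None:
            return False
        salt, digest, stored_at = entry
        if self.ttl is not None and self.clock() - stored_at > self.ttl:
            del self.cache[userid]          # expired: force an upstream check
            return False
        return hmac.compare_digest(digest, self._digest(salt, password))

    def login(self, userid, password):
        if self._cache_hit(userid, password):
            return True                     # match: upstream is not consulted
        self.upstream_calls += 1            # no match: ask the upstream host
        if not self.upstream(userid, password):
            return False
        salt = os.urandom(16)
        self.cache[userid] = (salt, self._digest(salt, password), self.clock())
        return True

def demo(ttl):
    """Change the password upstream only, then retry the old one an hour later."""
    passwords = {"alice": "old-secret"}     # constructed upstream account store
    now = [0.0]
    auth = CachingAuthenticator(lambda u, p: passwords.get(u) == p,
                                ttl=ttl, clock=lambda: now[0])
    first = auth.login("alice", "old-secret")        # miss, upstream says yes, cached
    passwords["alice"] = "new-secret"
    now[0] = 3600.0
    old_still_works = auth.login("alice", "old-secret")
    new_works = auth.login("alice", "new-secret")
    return first, old_still_works, new_works, auth.upstream_calls
```

      With no expiry the old password keeps validating from the cache after the upstream change; with a 15-minute ttl the same attempt is sent upstream and refused.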

    In the longer term, the Watstar server itself will be phased out, and other servers (home fileservers and directory servers) will perform the necessary authentication and authorization entirely using open protocols.

    Both the short term and the long term solutions co-operate fully with the campus-wide authentication project.

    status: completed late September (in active use in several faculties)

Directory Services

    Waterloo Polaris has inherited the directory services of Watstar but needs a new system as we migrate from Watstar servers.

    The Watstar directory services were primitive in implementation, but used extensively. They permeate every topic:

    • determine if and when each workstation gets updated
    • may specify who can or cannot log into each machine
    • record stations by room and administrator, determine where logs are sent, and to whom errors should be directed
    • autoselect printers based on rooms
    • autoselect Email and News servers by faculty or department
    • determine who can access the hard disk
    • allow a tiered management strategy, so faculties and departments can inherit things from the central group, opt out, etc.

    For the short term, we will move toward an LDAP based system (Lightweight Directory Access Protocol) using open systems and open standards.

    Later, when NT5 is released, we will likely migrate to an Active Directory system.

    The Microsoft ADSI (Active Directory Service Interface) allows for a variety of directory server options, including LDAP, NDS, Netware, or WinNT native.

    The Waterloo Polaris team is working with IST to resolve campus needs and deployment of directory services. An initial document is available which describes some of the issues.

    status: incomplete

Logging

    Although Watstar servers still do the login authentication, the audit logs they generate are now exported to open platforms.

    Watstar servers syslog all logins and logouts (and other important events like failed password attempts, workstation virus scan results, software updates, etc.) to up to two Unix syslog daemons.

    One of those daemons must be EC's master logger - so we can assist with various things, and the second can be a server of the faculty's choosing.

    The faculties use this facility to plan capacity, deal with complaints, and to look for problems before users even report them.

    status: complete

User File Storage

    Projects are underway to evaluate various fileserver technologies. The resulting system must have SMB/CIFS access for users, it must offer user quotas, backup capabilities which integrate with the campus backup systems, home/village access, manageability, scalability, and much more.

    Presently some individuals store their user files on Unix/Samba or NT, and all Math students store their files on a Network Appliance multiprotocol fileserver. However, other than Math, all the faculties are relying primarily on Watstar servers.

    The remaining Watstar faculties are now looking at capable SMB/CIFS servers to replace their Watstar servers for the longer term. Unfortunately, due to the size of most faculty user communities and the traffic they generate, several popular technologies are not as appropriate as one might initially hope. Furthermore, users and sysadmins are expecting the successor server technology to be an improvement over its predecessor, not merely a replacement or less. While most contenders meet the basics, the issues of reliability, server availability and performance will likely determine the right technology.

    Engineering Computing has released an RFP (request for proposal) to find possible solutions for its needs.

    The P: drive letter is assigned to a user's SMB/CIFS account if they have one.

    status: RFP issued

Web Services

    Most faculties are providing user and group web pages on faculty and/or departmental Unix and sometimes NT servers.

  • Engineering has a faculty web server (FreeBSD)
  • Math has a Sun re-export the web pages stored on their Network Appliance
  • Science homepages are stored on their faculty server (Sun)
  • The AHS Email server doubles as a student web page server, and an NT server exports the faculty member web pages
  • Arts homepages are stored on Watarts
  • The W: drive is allocated for the user web pages. Often this is a different export than the user's home directory, thus allowing different create mode privileges.

    status: complete

Printing

    The exact printing strategy in Waterloo Polaris varies by faculty. Each system combines unix and pcs for printing, each has printer accounting, and each somehow validates the user.

    In AHS, Science and Engineering, printer queues are based in Watstarland and printer accounting is performed there. This is easy for Waterloo Polaris machines to understand, but harder for unix systems. To print to the same printers, unix systems must queue print jobs to the Watstar server based queues. Generally these pass through a helper unix machine (eg. globe) which accepts lpr then uses an nfs mount to transfer the files to a Watstar server behind the scenes.

    In Arts, the printing from Waterloo Polaris machines first goes to Watstar server printer queues. Then the jobs are usually lpr'd up to a unix machine which manages the print queues and accounting. This transfer is done by a backroom pc with lpr privileges on the Unix computer. Arts has a private accounting system.

    IST and Math use CAS (IST's Computing Accounting System) for accounting on unix machines.

    In IST, jobs are initially sent to Watstar print queues, but upon release are passed through a PC in Engineering which then lpr's the job to the appropriate unix queue. This strategy in IST is a holdout from Watstar days.

    Math's strategy is to entirely run the queues on unix. All their lab stations are using Waterloo Polaris, so samba on a unix computer is combined with a Waterloo Polaris feature to create an smb printer queue to which the stations automatically connect. Unlike any of the other systems, this one uses smb and the user's unix userid/password to authenticate the sender.

    Converting IST's system to use smb rather than the present indirect route is a bigger challenge than might first appear. Basically, the issue of authenticating users at samba connect time must be solved.

    EC is planning to investigate options for its own system; we want to eliminate the Watstar server from the equation.

    status: investigating options

Application Files

    Most common application programs are typically loaded from the local hard disk, but obviously we have severely limited space for this to be a permanent solution.

    From the start, Waterloo Polaris stations have accepted applications stored on Watstar and smb/cifs servers, though the latter has not typically been adopted in most faculties.

    The evolution of Waterloo Polaris will see application file storage moving radically toward the smb/cifs servers. This server platform shift, combined with our client caching device driver is described in some depth in our appfiler white paper.

    status: experimental system going live Sept. 1998

    Created: June 10, 1998 by Erick Engelke

    Updated: Oct. 14, 1998 by Erick Engelke