Hello,

I'm looking for a way to automagically push patches etc out to the windoze users on my office LAN. I know that SUS server under windoze can do it, but I'm looking at a linux solution so that I don't have to get a windoze server.

I'm currently using Samba as a PDC and am doing stuff via login scripts, but I'm trying to find a centralized method to puch security updates out.

Is there any method that I can do this using linux?

Has anyone managed to do this successfully?

Your thoughts and suggestions are appreciated and most welcome

Perhaps I'm not asking the right questions?

I've been doing research on how best to manage a mixed windows/linux
network as far as single-sign-on goes, and it seems the biggest sticking
point is having something to push internal software updates to the
windows boxes.

Is there something like software update services or some other reasonable custom-update system for windows boxes on a samba domain?

I feel your pain my brother. I had the same problem. Here's what I did. I went to each workstation and did a manual update for every security patch possible. Then, every now and then, I'd go to microsoft's website and find the latest patches and manually download them to my login server. Then I would create a small script that would do a quiet install of the patch: patchname.exe /quiet or some such. Now we have a small shop (40 users) so if you have a larger shop, it won't work that well. Also, in my script I would have it check for an empty text file that is hidden to the user in a hidden folder. If it didn't find it, it would run the script. Afterwards, it would copy an empty text file to this folder. That way, when I add a new machine to the network, it automatically installs the patches that are needed. Sloppy I agree, but it works very well for me. Of course, we're all on a Win2k standard for everyone, so there's no complexity of having to deal with win9x, and xp clients. Hope that helps!

Travis

Sus server, i have heard of it but not any experence with it. Could you run it on wine. Or anything else like wine.

Just a suggestion, like i said before have no hands on experence with it.

Good point. Sus server requires IIS to run, so I don't think it will work, but there's no harm in trying!

Travis

Travis,

Thanks for replying! I was wondering if anyone else had tried to do this and had given up on finding a solution in the short term.

Your solution sounds like an ideal way for me to do this - I'm looking about about 50 desktop machines, which isn't too many.

If you could be so kind as to provide me with your script as a reference and guide that would be greatly appreciated.

Thanks,

Rohan

Absolutely! Here you go. The winmsg.exe file is a small freeware program that I use to send out pop up messages to my users informing them about the patch. You can get it @ http://home.comcast.net/~stewartb/files/wast61.zip It's called Bill Stewarts' Admin tools. These are GREAT stuff to work with. Just replace yourserver with your server name and yourshare with the shared name. Also, the messages I did that are in quotes are all one line. These 4 sections were for some recent stuff going around. This also works for service packs! I did a site wide install of Service Pack 4 for Win2k this way. Worked WONDERFULLY! Saves you a bunch of time and headaches. Also, if you'd like, you can make the empty txt files hidden and read only in case you have users who might go into the root of C and delete them. A simple line of attrib +r +h filename.txt will do fine. Check your permissions of the patches that they run! I had a minor glitch that way. Also, when you download the patch, do a patchname /? and it'll give you all the switches that are valid for that patch. They sometimes are different. Sorry for rambling, I just want to make sure I get all scenarios in before you head off. Anyway's here's part of the script that matters.


if exist C:\korgo.txt goto ie6
\\yourserver\yourshare\winmsg.exe -t "Windows Update Patch" -m "There is a security updates that need to be done on your machine. It may ask you to restart your machine when it is done Travis"
xcopy \\yourserver\yourshare\korgo.txt C:\ /y
\\yourserver\patches\korgo.exe /passive

:ie6
if exist C:\ie6.txt goto oe6
\\yourserver\yourshare\winmsg.exe -t "Windows Update Patch" -m "There are 2 security updates that need to be done on your machine. It will ask you to restart your machine when it is done Travis"
xcopy \\yourserver\yourshare\ie6.txt C:\ /y
\\yourserver\patches\ie6.exe /q


e6
if exist C:\oe6.txt goto sasser
\\yourserver\yourshare\winmsg.exe -t "Windows Update Patch" -m "This is part 2 of 2 security patches for your machine. It will ask you to restart your machine when it is done Travis"
xcopy \\yourserver\yourshare\oe6.txt C:\ /y
\\yourserver\patches\oe6.exe /q

:sasser
if exist C:\sasser.txt goto dell
\\yourserver\yourshare\winmsg.exe -t "Windows Update Patch" -m "This is an patch to fix a security issue. This WILL AUTOMATICALLY REBOOT YOUR MACHINE WHEN IT'S DONE. Travis"
xcopy \\yourserver\yourshare\sasser.txt C:\ /y
\\yourserver\patches\sasser.exe /passive /forcerestart

That little happyface is a : with an o next to it. It put a smiley in for me that I didn't want.

Thanks for your help Travis!

I'll customise this and let you know how it goes

Cheers,

Rohan

Always welcome. Keep me posted and let me know how it goes!!

Travis

I was just thinking, how about vmware workstation on the box with a trial version of microsuck server and sms running on that. I was just sitting here and it came to mind, so i throught i would share it. U can get trial versions of all that software for free.