[Samba] Help with samba migration
Tim Jordan
timothy_jordan at labor.state.ak.us
Fri Feb 27 22:07:57 GMT 2004
-----Forwarded Message-----
> From: Jeremy Austin <admin at wsfnet.org>
> To: aklug at aklug.org
> Subject: Help with samba migration (long)
> Date: Fri, 27 Feb 2004 12:36:10 -0900
>
>
> Mostly about WebDAV...
>
> I'm most of the IT department for a small non-profit school etc., and
> I'm mulling over some serious issues here, guys. Wonder if anyone has
> some thoughts to add. Sorry this is so long --
>
> Existing services (among others):
> Support >100 users
> Provide cross-platform file share access
> ~ 100 Clients: Windows 95/98/NT4/2K/XP Home/XP Pro/Mac OS X
> Public user file spaces
> Web file access
> Email/webmail/groupware
> Must support computers not under my direct administration
>
> New goals:
> Private user file spaces
>
> Current setup:
> Mandrake 9.x
> Samba 3/LDAP
> Postfix/IMAP
>
> I've been running Samba for 5 years, running a NT-style domain. I
> don't have the network bandwidth to support roaming profiles, nor do I
> have the space on shared computers (approx. 3 dozen, mixed OSen) for
> tons of local profiles. So we've been using one account (shared) for
> public file access -- shares get mounted with an on-the-fly logon
> script, and individual accounts for email, groupware, web apps, etc. I
> can't give all domain users Administrator privileges on newer MS OSes
> -- and therefore on the domain -- and yet they must, in general, run
> with admin privileges because of legacy applications we haven't the
> budget to replace. So I'm pretty sure I'm going to have to stick with
> single profiles on shared computers; I haven't the network bandwidth or
> hard drive space for roaming profiles.
>
> Windows 2K or XP allow one to specify an account when connecting to a
> network share, so we're halfway there. Windows 9x, however, are a real
> pain in the rear -- everyone can use the same local profile, but
> logging on and off (to switch users) is too slow. Win2K or XP often
> require one to log off anyway to reconnect to a given share with
> different credentials. (I can't teach 5th graders the intricacies of
> "net use /delete"...)
>
> Possible solution:
> Continue using single logon for public shares + samba and
> Use something else (nfs, afp, WebDAV) for private shares
>
> There are some reportedly good commercial NFS clients, but I don't have
> the budget for it. Nor can I afford AFP clients.
>
> I've looked into WebDAV -- South River has a client that maps drive
> letters (would cost me $1500 for 100 users). Internet Explorer has its
> 'Web Folders' feature, which allows me to put shares into My Network
> Places -- this might be adequate, and would work nicely, I think. I see
> a number of universities online doing this.
>
> Likely to be a problem with WebDAV (as in mod_dav) is that all files
> (and hence user directories) must be owned by apache, thus trashing my
> quotas. mod_dav FAQ says, in short, "If you understand the security
> issues in running apache as root, write your own code and suid." I'm
> not quite capable of doing that. "MoulDAVia", which purports to solve
> this problem, appears to be 403 at the moment and sounds like it was
> never finished. The universities must have this figured out, since I
> see lots of them online using WebDAV.
>
> If I give up having quota support, and roll my own, then I could do
> mod_dav. I could use linux quota support for everything but
> apache-owned files, and run a handy-dandy script with du -s, I'm sure,
> for everything else. My home directories would look like this:
>   Owner               Directory
>   someuser users      /home/someuser
>                       /home/someuser/Mail     <- webmail accessible
>   apache apache       /home/someuser/Private  <- WebDAV accessible
>   shareduser users    /home/someuser/Public   <- linked to separate SMB Public share
>
> Does anyone think I should use mod_dav? If there are any caveats I'm
> missing, I'd love to hear from anyone.
>
> Thanks to any and all,
> Jeremy Austin
> Whitestone Schools
>
>
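The "du -s" accounting the message above proposes for the apache-owned Private directories, as an added example that is not part of the original post and not Samba or mod_dav code. The function name, the output format and the KB limit are assumptions; the <base>/<user>/Private layout is the one from the message.

```sh
#!/bin/sh
# Added example: usage report for the apache-owned Private directories,
# which kernel quotas would charge to apache rather than to the user.
# Assumptions: layout <base>/<user>/Private as in the message; the
# function name, output format and limit value are made up.

private_usage_report() {
    base=$1        # e.g. /home
    limit_kb=$2    # per-user allowance in KB (assumed policy value)

    for dir in "$base"/*/Private; do
        # Skip the literal pattern when the glob matched nothing.
        [ -e "$dir" ] || [ -L "$dir" ] || continue
        user=$(basename "$(dirname "$dir")")

        # /home/<user> is user-owned in this layout, so Private could be
        # swapped for a symlink; du would then measure the link, not data.
        if [ -L "$dir" ]; then
            printf '%s - SYMLINK\n' "$user"
            continue
        fi
        [ -d "$dir" ] || continue

        # -s: one total, -k: 1024-byte units, -x: stay on this filesystem
        used_kb=$(du -skx "$dir" 2>/dev/null | awk '{print $1; exit}')
        [ -n "$used_kb" ] || continue

        if [ "$used_kb" -gt "$limit_kb" ]; then
            status=OVER
        else
            status=ok
        fi
        printf '%s %s %s\n' "$user" "$used_kb" "$status"
    done
}

# Run stand-alone, e.g.: ./private-usage.sh /home 51200
if [ "$#" -eq 2 ]; then
    private_usage_report "$1" "$2"
fi
```

Run from cron, this only reports after the fact; unlike a kernel quota it does not stop a write that crosses the limit.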