[Samba] Help with samba migration

Tim Jordan timothy_jordan at labor.state.ak.us
Fri Feb 27 22:07:57 GMT 2004

-----Forwarded Message-----

> From: Jeremy Austin <admin at wsfnet.org>
> To: aklug at aklug.org
> Subject: Help with samba migration (long)
> Date: Fri, 27 Feb 2004 12:36:10 -0900
> Mostly about WebDAV...
> I'm most of the IT department for a small non-profit school etc., and 
> I'm mulling over some serious issues here, guys. Wonder if anyone has 
> some thoughts to add. Sorry this is so long --
> Existing services (among others):
> 	Support >100 users
> 	Provide cross-platform file share access
> 		~ 100 Clients: Windows 95/98/NT4/2K/XP Home/XP Pro/Mac OS X
> 	Public user file spaces
> 	Web file access
> 	Email/webmail/groupware
> 	Must support computers not under my direct administration
> New goals:
> 	Private user file spaces
> Current setup:
> 	Mandrake 9.x
> 	Samba 3/LDAP
> 	Postfix/IMAP
> I've been running Samba for 5 years, running a NT-style domain.  I 
> don't have the network bandwidth to support roaming profiles, nor do I 
> have the space on shared computers (approx. 3 dozen, mixed OSen) for 
> tons of local profiles. So we've been using one account (shared) for 
> public file access -- shares get mounted with an on-the-fly logon 
> script, and individual accounts for email, groupware, web apps, etc. I 
> can't give all domain users Administrator privileges on newer MS OSes 
> -- and therefore on the domain -- and yet they must, in general, run 
> with admin privileges because of legacy applications we haven't the 
> budget to replace. So I'm pretty sure I'm going to have to stick with 
> single profiles on shared computers; I haven't the network bandwidth or 
> hard drive space for roaming profiles.
> Windows 2K or XP allow one to specify an account when connecting to a 
> network share, so we're halfway there. Windows 9x, however, are a real 
> pain in the rear -- everyone can use the same local profile, but 
> logging on and off (to switch users) is too slow. Win2K or XP often 
> require one to log off anyway to reconnect to a given share with 
> different credentials. (I can't teach 5th graders the intricacies of 
> "net use /delete"...)
> Possible solution:
> 	Continue using single logon for public shares + samba and
> 	Use something else (nfs, afp, WebDAV) for private shares
> There are some reportedly good commercial NFS clients, but I don't have 
> the budget for it. Nor can I afford AFP clients.
> I've looked into WebDAV -- South River has a client that maps drive 
> letters (would cost me $1500 for 100 users). Internet Explorer has its 
> 'Web Folders' feature, which allows me to put shares into My Network 
> Places -- this might be adequate, and would work nicely, I think. I see 
> a number of universities online doing this.
> Likely to be a problem with WebDAV (as in mod_dav) is that all files 
> (and hence user directories) must be owned by apache, thus trashing my 
> quotas. mod_dav FAQ says, in short, "If you understand the security 
> issues in running apache as root, write your own code and suid." I'm 
> not quite capable of doing that. "MoulDAVia", which purports to solve 
> this problem, appears to be 403 at the moment and sounds like it was 
> never finished. The universities must have this figured out, since I 
> see lots of them online using WebDAV.
> If I give up having quota support, and roll my own, then I could do 
> mod_dav. I could use linux quota support for everything but 
> apache-owned files, and run a handy-dandy script with du -s, I'm sure, 
> for everything else. My home directories would look like this:
> Owner               Directory
> someuser    users   /home/someuser
>                     /home/someuser/Mail    <- webmail accessible
> apache      apache  /home/someuser/Private <- WebDAV accessible
> shareduser  users   /home/someuser/Public  <- linked to separate SMB Public share
> Does anyone think I should use mod_dav? If there are any caveats I'm 
> missing, I'd love to hear from anyone.
> Thanks to any and all,
> Jeremy Austin
> Whitestone Schools
> ---------
> To unsubscribe, send email to <aklug-request at aklug.org>
> with 'unsubscribe' in the message body.
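
An added example, not part of the original message or of any project it mentions: one way the "du -s" usage check for the apache-owned WebDAV directories could look. The function name, the KB limit argument and the output format are assumptions; the <home>/<user>/Private layout is the one given in the message.

```shell
#!/bin/sh
# Added example: du-based usage report for apache-owned WebDAV directories,
# which filesystem quotas cannot attribute to the individual user.
# Assumed layout (from the message): <home_root>/<user>/Private
# Hypothetical name: private_usage_report.
#
# Usage: private_usage_report HOME_ROOT LIMIT_KB
# Prints one line per user: "<user> <used_kb> <OK|OVER>"
private_usage_report() {
    home_root=$1
    limit_kb=$2
    for dir in "$home_root"/*/Private; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$dir" ] || continue
        # A symlinked Private could point the scan at another user's tree
        # or outside the home root, so it is never counted.
        if [ -L "$dir" ]; then
            continue
        fi
        user=$(basename "$(dirname "$dir")")
        # -s: total only, -k: 1 KiB units, -x: stay on one filesystem.
        used_kb=$(du -skx "$dir" 2>/dev/null | awk '{print $1}')
        [ -n "$used_kb" ] || continue
        if [ "$used_kb" -gt "$limit_kb" ]; then
            status=OVER
        else
            status=OK
        fi
        printf '%s %s %s\n' "$user" "$used_kb" "$status"
    done
}
```

Called from cron as, for instance, private_usage_report /home 51200, the OVER lines are the ones to act on; du only reports usage after the fact, so unlike a kernel quota it does not stop a write that exceeds the limit.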
