[Samba] Office moving to a Domain system. Looking for some advice.

Michael Kelly mkelly at victoria.komex.com
Thu Nov 11 20:17:31 GMT 2004


Thank you for your very informative post. I am hoping to roll out the
network in stages, with openLDAP coming in a later stage, mostly due to
my need to get up its learning curve a bit more before putting it into
production. I am hoping that running winbind on the Linux boxes that are
not the PDC will give me a reasonable authentication solution for the
time being, in that I will not have to replicate usernames and passwords
to each Linux/Samba system. I totally agree that there should be a
standalone firewall that does nothing else, except maybe openVPN and
DHCP for the internal network, but protect the network. I do not believe
at this time that I need a DMZ, other than possibly for a webserver. The
only exterior access needed to our network is via openVPN, and SFTP when
that is down. Our mailservers reside in a different locale altogether
and they are not under my umbrella. I have a SUS server on the wishlist
and am currently singing its praises to the higher-ups.

I know that I have a lot of research and documentation left to do
before I get started so I can foresee any pitfalls before I get there. As
mentioned before, my biggest stumbling block is going to be setting up
LDAP for authentication. I have yet to even get my hands damp with that
software, let alone set it up for network usage.

Thanks again for your reply,
Michael Kelly

>>> rruegner <robert at ruegner.org> 10/11/2004 3:33:55 pm >>>
Hi Michael,
good choice, make the PDC an LDAP server
and let the other *nix machines be LDAP clients.
The other parts depend on what you plan
for your network.
Normally you have a standalone firewall with
a minimum of 3 NICs: web, DMZ, intranet.
The PDC should be placed in the intranet, also the backup machine;
FTP and WWW, proxy or an internal mail server too (if you need this
from outside, in the DMZ zone); proxy or an internal mail server here.
But there are many more setups thinkable.
A small solution for a firewall, which is easy to set up if you have
a dynamic IP or just one IP, is IPCop (transparent proxy possible).
The firewall can be used as DHCP server and internal nameserver (but
you can let this be done by the PDC too).
If you want home workers to connect to the office network, pptpd is a good
choice (on the firewall, or via the kernel 2.4.27 pptp pom module on the
  ). OpenVPN is good for net-to-net connections from the firewall to other
placed offices.
A domain system and roaming profiles is an up-to-date solution.
A SUS server and an antivirus update service are nice to have.
I have several setups like this, all working very nicely.
But many things would be done by others in another way, mostly
for security reasons, so for your question there's no uni-answer.
Best Regards

Michael Kelly wrote:
> Hello all,
> I currently maintain an office of 15 employees. All clients are
> Windows 2000 Professional, although there has been discussion of
> introducing a couple of Linux workstations on a testing basis.
> As part of the office infrastructure we have three Linux machines: a
> firewall/gateway/webserver/FTP server/openVPN machine running Samba
> for access to webserver directories and documents, a Samba file server
> that also acts as a WINS server, and a machine that is dedicated to
> backups of the file server; this box also runs Samba to share out
> backup files.
> The office is currently set up using a workgroup system and we feel
> it is time to enjoy the benefits of a domain system with a Samba PDC. I
> have done some preliminary research into the setup of everything but
> would like to get some advice from those more experienced than I
> before I begin my journey.
> This is what I would like:
> 1. The file server to be the PDC as well as an application server. Not
> sure if we will go with roaming profiles yet or not.
> 2. All authentication to be centralized to the PDC. I believe I can
> achieve this with winbind running on the two other machines running
> Samba.
>    - currently I am maintaining the same Samba files on all three
> systems and it is a pain to co-ordinate.
> 3. Eliminate the need to have each workstation user also be a user on
> the Linux systems.
> 4. Eventually be able to move to an openLDAP authentication system
> without having to redo everything.
> I know my points are pretty general, but I am just starting with the
> concepts and developing my requirements; also, this is my first foray
> into the world of domains so my knowledge is a little sparse.
> As a note, I am reasonably comfortable with basic Samba
> manual edits, and administration with Linux.
> Thanks for any assistance
> Michael Kelly
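The winbind arrangement discussed in this thread (point 2 of the original post, and Michael's follow-up about not replicating accounts to every Linux/Samba box) is what a Samba 3 domain member's configuration looks like. The fragment below is an added illustration, not configuration from anyone on this list; the domain name OFFICE, the PDC NetBIOS name FILESERVER, and the idmap ranges are assumptions chosen for the example.

```ini
; /etc/samba/smb.conf on a Linux box that is NOT the PDC (example, assumed values)
[global]
   workgroup = OFFICE                 ; assumed NT domain name of the Samba PDC
   netbios name = BACKUPBOX           ; this machine's own name (assumed)
   security = domain                  ; authenticate users against the domain, not local smbpasswd
   password server = FILESERVER       ; the PDC; "*" would locate it via WINS/broadcast
   wins server = 192.168.1.10         ; assumed address of the WINS server (the file server)
   encrypt passwords = yes

   ; map domain users/groups onto local UIDs/GIDs that no local account uses
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes   ; "mkelly" instead of "OFFICE\mkelly" on the shell
   winbind enum users = yes           ; lets getent passwd list domain users (off on big domains)
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U     ; per-domain, per-user home directories

[backups]
   path = /srv/backups
   valid users = @"Domain Admins"     ; authorization still lives here, on the member
   read only = yes
```

With this in place, `/etc/nsswitch.conf` needs `passwd: files winbind` and `group: files winbind`, and the box is joined once with `net rpc join -S FILESERVER -U root` (a domain administrator credential used interactively for the join; nothing from it is stored on the member). `wbinfo -t` confirms the machine trust account works, and `wbinfo -u` or `getent passwd mkelly` shows the PDC's users resolving without any local account having been created. Because the idmap range lives only in this machine's local tdb, two members will in general assign different UIDs to the same domain user; that is harmless for file shares keyed on names but is exactly the problem the later openLDAP stage solves by storing the mappings centrally.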
