[Samba] Re: What management of samba is available for large scale deployment

Bill Marshall bmarsh at us.ibm.com
Mon Sep 24 15:15:33 GMT 2007


D G Teed <donald.teed <at> gmail.com> writes:

> The challenge is how
> do you manage a few thousand users with backends that auto-populate
> the samba config and front ends which administrators can tweak as needed?

I'll try to explain the setup we have which is maintained with perl scripts.

part 1)
For a group or departmental share called dept xyz, we'll create 2-3 groups on
the (in our case Samba) domain: deptxyz_A (admins), deptxyz_w (writers),
deptxyz_r (readers), and we are using Linux w/ extended ACLs on the file system.

The share "stanza" is appended by a script in another file that is included from
the main smb.conf and looks like:
[deptxyz]
comment=deptxyz
writeable=yes
admin users=@mydomain\deptxyz_A,@"mydomain\domain admins"
path=/home/group/deptxyz

This allows the people in deptxyz_A to connect as root and then they can modify
ACLs, etc.

part 2) 
We have an Apache web server configured to authenticate against the domain. If
you are in the deptxyz_A group, you can use a perl cgi-bin to modify the users
in the deptxyz_* groups. The web server userid does "RPC" calls to a privileged
perl "service" on another system that actually updates the group membership.
We're OK with an existing admin giving admin to other people, but you could
restrict the ability to update the _A groups, etc.

Generally using the groups on the ACLs by default is good enough and end users
do not need to update ACLs on the file system.

I'm not sure if that's enough to handle your TA config (depends on where the
grades are stored -- but you could also do the admin user thing on homedirs.)

Bill
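
Added example, not part of Bill's message and not his Perl scripts: a Python version of the part 1 step that appends a share stanza to the included file. It rejects department names that could inject extra sections or parameters and skips shares that already exist. The name pattern, the permission bits per role and all function names are assumptions.

```python
import re
from pathlib import Path

# Assumption: names limited to lowercase alphanumerics so a department name can
# never carry "]", "=", newlines or path separators into the config or the path.
NAME_RE = re.compile(r"[a-z][a-z0-9]{0,30}")
# Group suffixes are from the post; the permission bits per role are assumed.
ROLES = {"A": "rwx", "w": "rwx", "r": "r-x"}

def check_name(name):
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected name: {name!r}")
    return name

def share_stanza(dept, domain="mydomain", base="/home/group"):
    """Build the stanza in the shape shown in the post."""
    dept, domain = check_name(dept), check_name(domain)
    return (
        f"[{dept}]\n"
        f"comment={dept}\n"
        "writeable=yes\n"
        # Members of <dept>_A act as root on this share, as the post notes.
        f'admin users=@{domain}\\{dept}_A,@"{domain}\\domain admins"\n'
        f"path={base}/{dept}\n"
    )

def acl_entries(dept):
    """setfacl entries (access and default) for the three groups."""
    dept = check_name(dept)
    out = []
    for suffix, perms in ROLES.items():
        out.append(f"g:{dept}_{suffix}:{perms}")
        out.append(f"d:g:{dept}_{suffix}:{perms}")
    return out

def append_stanza(include_file, dept):
    """Append the stanza once; return False if the share already exists."""
    path = Path(include_file)
    existing = path.read_text() if path.exists() else ""
    found = re.findall(r"^\s*\[([^\]]+)\]", existing, re.M)
    if check_name(dept) in {s.strip().lower() for s in found}:
        return False
    sep = "\n" if existing and not existing.endswith("\n") else ""
    with path.open("a") as fh:
        fh.write(sep + share_stanza(dept))
    return True
```

The entries from acl_entries() can be joined with commas and passed to setfacl -m for the share directory.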



