[Samba] Suggestions please about what I need.

Jack Downes jax at nwmt.us
Mon May 12 11:30:14 MDT 2014

On 05/12/14 09:29, Steve Campbell wrote:
> On 5/12/2014 11:03 AM, Jack Downes wrote:
>> On 05/12/14 08:10, Steve Campbell wrote:
>>> On 5/12/2014 9:16 AM, Jack Downes wrote:
>>>> One thing you could do is download the turnkeylinux version of 
>>>> samba - http://www.turnkeylinux.org/fileserver, and if you like it, 
>>>> duplicate it in Centos. They use Webmin for their user/group mgmt, 
>>>> and that's fine for smaller outfits, but if you are in a larger 
>>>> place, you likely have ADS there already, or might want to look at 
>>>> openldap, opends, whatever for convenient user management. Anyway, 
>>>> that little turnkey appliance is slick as can be, might just help 
>>>> you out - at least see how someone else did it, and you can have 
>>>> one right there next to you to compare contrast with how your setup 
>>>> is working/not.
>>>> Jack
>>>> On 05/12/14 06:33, Steve Campbell wrote:
>>>>> I hate to use that "noob" word, but in this case I think it might 
>>>>> be proper.
>>>>> Our company is getting ready to get rid of Netware and start using 
>>>>> Samba. It will require that users log in and by doing so, have a 
>>>>> login script map drives to particular drive letters based on either 
>>>>> their user or group.
>>>>> I've been administering Centos servers for quite a while. I have 
>>>>> no problem with managing the Linux servers, but Samba appears to 
>>>>> be a completely unique subject on its own, much like Sendmail, 
>>>>> etc. I've read "Using Samba", and about anything else I can get my 
>>>>> hands on, including as much of the "Howto" matter on the Samba 
>>>>> site. I still have no idea how complex of a setup I need (AD or 
>>>>> not, things like that). I don't think we'll be doing things like 
>>>>> installing licensed software from the server, mostly just as I 
>>>>> stated above.
>>>>> For now, I'm fairly certain I'll use the Sernet installation. I'll 
>>>>> be retiring soon, and I want to make things as easy as possible 
>>>>> for whomever takes over. It'd be great if whatever I end up with 
>>>>> has some form of GUI for managing users, groups, and shares, but 
>>>>> not necessary. The person managing our Netware will be the one 
>>>>> assuming this Samba responsibility. No Linux experience, so the GUI 
>>>>> would make it nice as they learn the ropes of Linux.
>>>>> I'm looking for suggestions here for what level of installation I 
>>>>> need. I'm sure once I get something installed, I can determine if 
>>>>> it's the right way or not. Starting over is not off the table, but 
>>>>> it'd be nice to get a clue before starting. Seems the more I read, 
>>>>> the more confused I get. So much to Samba and the way it can be 
>>>>> set up. I'm not much of a Windows server admin, which is perhaps 
>>>>> the biggest problem.
>>>>> Thanks for any pointers.
>>>>> steve campbell
>>> Thanks Jack.
>>> I use webmin for my server management for some tasks, so I 
>>> understand user/group management using webmin. Question now is - 
>>> what is a small outfit? I'm guessing we have about 200 users that 
>>> would need to mount from this server. The servers we'll be using are 
>>> pretty hefty, multiple CPUs/cores, tons of RAM, NICs all over the 
>>> place. It seems some flavors of configuration will handle both Samba 
>>> users and Linux users, while other flavors require individual user 
>>> management for each side.
>>> I meant to mention in the OP, redundancy is a must and possible 
>>> failover would be great. My take on this is that AD is like the 
>>> Cadillac of Samba, and anything less is like Chevy. We'll have two 
>>> servers for this, each a mirror of the other (meaning redundancy). 
>>> I'm not sure whether I need or must have LDAP, or will one of the 
>>> other password schemes suffice for this amount of users? I haven't 
>>> figured out whether I can do all of this with one server (AD/DC) or 
>>> whether I need two (AD->DC).
>>> There's not a lot of Samba4 reference books out there. Sorry.
>>> steve
>> Steve,
>> From my point of view, you are mixing things.  Samba is the file 
>> sharing service, ldap is the user control mechanism. However, that's 
>> why I asked about size.  200 people isn't that many, but then it's a 
>> lot to manage if you don't have tools in place for it.
>> Do you have a central location for users/passwords to be 
>> authenticated?  If so, you should try to integrate your Samba install 
>> against that method of authentication.
>> So, two subjects:  1) How do you authenticate your users - do they 
>> all have local accounts on their personal machines, or do they have 
>> "Domain Logins" with something ?  2) How are you handling file share 
>> authentication?  If you are using local users, are you going to 
>> replicate the users to your various Samba servers for each and every 
>> user that comes/goes?
>> As for authentication - in a place of your size, I'd say you are ready 
>> to look at using something other than local accounts.  You should 
>> focus in on getting your authentication system in place or ready to 
>> roll out with your Samba install.  Keep an eye towards compatibility 
>> with Samba if you choose this route. There are a few LDAP servers out 
>> there - being you are using red hat compatible software, you might 
>> look at the Fedora Directory Server - 389 or something it's called.  
>> The Apache project hosts the Apache Directory Studio which can really 
>> help administer LDAP servers - not just ApacheDS servers, but 
>> OpenLDAP, OpenDS, etc.
>> Look, I'd like to be pretty clear on this point - LDAP is NOT 
>> required for Samba, however, once you get used to using it, you'll 
>> feel that it is a necessity.
>> Getting to the point of either load balancing or failover - you've 
>> got several technologies to look at - a favorite of linux folks is 
>> DRBD - I've used it, it's pretty cool, but... I'm more a freebsd guy, 
>> so I've not used it for at least 3 years now. There are several 
>> methods in FreeBSD, but I'm not going to worry about that, you'll 
>> have a lot to get through as it is.
>> Also, with regard to Samba, will you be centrally handling printing, 
>> or does everyone have a printer hanging off their machine, or are you 
>> using those big rigs that provide their own printserver per each 
>> printer?
>> Order of things to determine
>> Auth
>> File/Printer sharing
>> Load Balancing / Failover.
>> You have a pretty large job ahead of you man!  Have a good time.
>> Now... I've only setup Samba4 installs for kicks, not really done 
>> much with it.  Most of what I've done has been with Samba3 - why I 
>> recommended turnkeylinux - it's Samba3 on that page. Now, someone 
>> with good Samba4 experience can probably tell you more/better stuff 
>> to worry about.  I know for a fact Samba3 works fine with Win7, 
>> Vista, WinXP, Win2k3, Win2k, I think it worked fine for Win8 as well, 
>> but I don't really recall now.
>> Anyway, I hope I've not wasted your time.
>> Jack
> Jack,
> Authentication? I was under the assumption that Samba gave me an 
> authentication method based on how it was installed/configured. For 
> now, with the Netware system, each user has their own login. Reading 
> the literature out there gave me the impression I could use passwd, 
> tdb, or ldap, and that samba used whatever I configured. Of course, I 
> would have to have the "method" installed like openldap, etc. Somehow, 
> authentication became part of authorization. I thought I read where 
> the samba install even provided a schema for ldap if I chose to use it.
> Now I'm confused as to where the name of the login script to use comes 
> from.
> Big job ahead of me is an understatement.
> The person taking over administering this tells me print sharing is 
> not a situation we will use. File sharing is the main purpose of this, 
> and having login scripts for groups is his main worry.
> I've used DRBD before. Didn't like it (without real fencing). Probably 
> better when you have it. Heartbeat sounds OK, with a shared virtual 
> IP. But I'm wondering how much replication is built into Samba4. I was 
> hoping there was something like MySQL master/slave for that. Again, 
> reading indicates it's available for all but SysVol, so I'm guessing 
> that means file shares.
> Anyway, I appreciate you taking the time to respond. This might be a 
> try-it-and-see project and something I learn by mistake.
> steve

Yeah, you are correct - Samba can work with a multitude of auth 
mechanisms - some are so well integrated they make it feel like Samba is 
doing the authentication.

There's been a few replies to you.  I think there are excellent 
suggestions in them.  So take what you've got and break into pieces.  
A working Samba 4 isn't that hard to get up and running on its own.  A 
working ADS isn't too hard to get working on its own. Tying them 
together really isn't too difficult either.  It's trying to do them all 
at once that really gets people down the wrong rabbit hole in a 
hurry.... that was why I was saying to get your auth system in place 
first.  A windows ADS is a fantastic setup, they work like a charm, are 
simple to administer, etc.  I was suggesting openldap because I was 
unaware you had a Windows person in there as well.

Anyway, have fun, you will find out that while it all sounds like a 
nightmare, it ends up just being legos - once you have the parts built 
they just link up with ease.

