[Samba] Suggestions please about what I need.

Steve Campbell campbell at cnpapers.com
Mon May 12 11:52:29 MDT 2014


Thanks all for the ideas.

steve

On 5/12/2014 1:30 PM, Jack Downes wrote:
>
> On 05/12/14 09:29, Steve Campbell wrote:
>>
>> On 5/12/2014 11:03 AM, Jack Downes wrote:
>>>
>>> On 05/12/14 08:10, Steve Campbell wrote:
>>>>
>>>> On 5/12/2014 9:16 AM, Jack Downes wrote:
>>>>> One thing you could do is download the turnkeylinux version of 
>>>>> samba - http://www.turnkeylinux.org/fileserver, and if you like 
>>>>> it, duplicate it in Centos. They use Webmin for their user/group 
>>>>> mgmt, and that's fine for smaller outfits, but if you are in a 
>>>>> larger place, you likely have ADS there already, or might want to 
>>>>> look at openldap, opends, whatever for convenient user management. 
>>>>> Anyway, that little turnkey appliance is slick as can be, might 
>>>>> just help you out - at least see how someone else did it, and you 
>>>>> can have one right there next to you to compare and contrast with how 
>>>>> your setup is working/not.
>>>>>
>>>>> Jack
>>>>>
>>>>> On 05/12/14 06:33, Steve Campbell wrote:
>>>>>> I hate to use that "noob" word, but in this case I think it might 
>>>>>> be proper.
>>>>>>
>>>>>> Our company is getting ready to get rid of Netware and start 
>>>>>> using Samba. It will require that users log in and by doing so, 
>>>>>> have a login script map drives to particular drive letters based 
>>>>>> on either their user or group.
>>>>>>
>>>>>> I've been administering Centos servers for quite a while. I have 
>>>>>> no problem with managing the Linux servers, but Samba appears to 
>>>>>> be a completely unique subject on its own, much like Sendmail, 
>>>>>> etc. I've read "Using Samba", and about anything else I can get 
>>>>>> my hands on, including as much of the "Howto" matter on the Samba 
>>>>>> site. I still have no idea how complex of a setup I need (AD or 
>>>>>> not, things like that). I don't think we'll be doing things like 
>>>>>> installing licensed software from the server, mostly just as I 
>>>>>> stated above.
>>>>>>
>>>>>> For now, I'm fairly certain I'll use the Sernet installation. 
>>>>>> I'll be retiring soon, and I want to make things as easy as 
>>>>>> possible for whoever takes over. It'd be great if whatever I end 
>>>>>> up with has some form of GUI for managing users, groups, and 
>>>>>> shares, but not necessary. The person managing our Netware will 
>>>>>> be the one assuming this Samba responsibility. No Linux 
>>>>>> experience, so the GUI would make it nice as they learn the ropes 
>>>>>> of Linux.
>>>>>>
>>>>>> I'm looking for suggestions here for what level of installation I 
>>>>>> need. I'm sure once I get something installed, I can determine if 
>>>>>> it's the right way or not. Starting over is not off the table, 
>>>>>> but it'd be nice to get a clue before starting. Seems the more I 
>>>>>> read, the more confused I get. So much to Samba and the way it 
>>>>>> can be set up. I'm not much of a Windows server admin, which is 
>>>>>> perhaps the biggest problem.
>>>>>>
>>>>>> Thanks for any pointers.
>>>>>>
>>>>>> steve campbell
>>>>>>
>>>>>>
>>>>>
>>>> Thanks Jack.
>>>>
>>>> I use webmin for my server management for some tasks, so I 
>>>> understand user/group management using webmin. Question now is - 
>>>> what is a small outfit? I'm guessing we have about 200 users that 
>>>> would need to mount from this server. The servers we'll be using 
>>>> are pretty hefty, multiple CPUs/cores, tons of RAM, NICs all over 
>>>> the place. It seems some flavors of configuration will handle both 
>>>> Samba users and Linux users, while other flavors require individual 
>>>> user management for each side.
>>>>
>>>> I meant to mention in the OP, redundancy is a must and possible 
>>>> failover would be great. My take on this is that AD is like the 
>>>> Cadillac of Samba, and anything less is like Chevy. We'll have two 
>>>> servers for this, each a mirror of the other (meaning redundancy). 
>>>> I'm not sure whether I need or must have LDAP, or will one of the 
>>>> other password schemes suffice for this amount of users? I haven't 
>>>> figured out whether I can do all of this with one server (AD/DC) or 
>>>> whether I need two (AD->DC).
>>>>
>>>> There's not a lot of Samba4 reference books out there. Sorry.
>>>>
>>>> steve
>>>>
>>>>
>>>
>>> Steve,
>>> From my point of view, you are mixing things.  Samba is the file 
>>> sharing service, ldap is the user control mechanism. However, that's 
>>> why I asked about size.  200 people isn't that many, but then it's a 
>>> lot to manage if you don't have tools in place for it.
>>>
>>> Do you have a central location for users/passwords to be 
>>> authenticated?  If so, you should try to integrate your Samba 
>>> install against that method of authentication.
>>>
>>> So, two subjects:  1) How do you authenticate your users - do they 
>>> all have local accounts on their personal machines, or do they have 
>>> "Domain Logins" with something ?  2) How are you handling file share 
>>> authentication?  If you are using local users, are you going to 
>>> replicate the users to your various Samba servers for each and every 
>>> user that comes/goes?
>>>
>>> As for authentication - in a place of your size, I'd say you are 
>>> ready to look at using something other than local accounts.  You 
>>> should focus in on getting your authentication system in place or 
>>> ready to roll out with your Samba install. Keep an eye towards 
>>> compatibility with Samba if you choose this route. There are a few 
>>> LDAP servers out there - being you are using red hat compatible 
>>> software, you might look at the Fedora Directory Server - 389 or 
>>> something it's called.  The Apache project hosts the Apache 
>>> Directory Studio which can really help administer LDAP servers - not 
>>> just ApacheDS servers, but OpenLDAP, OpenDS, etc.
>>>
>>> Look, I'd like to be pretty clear on this point - LDAP is NOT 
>>> required for Samba, however, once you get used to using it, you'll 
>>> feel that it is a necessity.
>>>
>>>
>>> Getting to the point of either load balancing or failover - you've 
>>> got several technologies to look at - a favorite of Linux folks is 
>>> DRBD - I've used it, it's pretty cool, but... I'm more a FreeBSD 
>>> guy, so I've not used it for at least 3 years now. There are several 
>>> methods in FreeBSD, but I'm not going to worry about that, you'll 
>>> have a lot to get through as it is.
>>>
>>> Also, with regard to Samba, will you be centrally handling printing, 
>>> or does everyone have a printer hanging off their machine, or are 
>>> you using those big rigs that provide their own printserver per each 
>>> printer?
>>>
>>> Order of things to determine
>>> Auth
>>> File/Printer sharing
>>> Load Balancing / Failover.
>>>
>>>
>>> You have a pretty large job ahead of you man!  Have a good time.
>>>
>>> Now... I've only set up Samba4 installs for kicks, not really done 
>>> much with it.  Most of what I've done has been with Samba3 - why I 
>>> recommended turnkeylinux - it's Samba3 on that page. Now, someone 
>>> with good Samba4 experience can probably tell you more/better stuff 
>>> to worry about.  I know for a fact Samba3 works fine with Win7, 
>>> Vista, WinXP, Win2k3, Win2k, I think it worked fine for Win8 as 
>>> well, but I don't really recall now.
>>>
>>> Anyway, I hope I've not wasted your time.
>>>
>>> Jack
>>>
>> Jack,
>>
>> Authentication? I was under the assumption that Samba gave me an 
>> authentication method based on how it was installed/configured. For 
>> now, with the Netware system, each user has their own login. Reading 
>> the literature out there gave me the impression I could use passwd, 
>> tdb, or ldap, and that samba used whatever I configured. Of course, I 
>> would have to have the "method" installed like openldap, etc. 
>> Somehow, authentication became part of authorization. I thought I 
>> read where the samba install even provided a schema for ldap if I 
>> chose to use it.
>>
>> Now I'm confused as to where the name of the login script to use 
>> comes from.
>>
>> Big job ahead of me is an understatement.
>>
>> The person taking over administering this tells me print sharing is 
>> not a situation we will use. File sharing is the main purpose of 
>> this, and having login scripts for groups is his main worry.
>>
>> I've used DRBD before. Didn't like it (without real fencing). 
>> Probably better when you have it. Heartbeat sounds OK, with a shared 
>> virtual IP. But I'm wondering how much replication is built into 
>> Samba4. I was hoping there was something like MySQL master/slave for 
>> that. Again, reading indicates it's available for all but SysVol, so 
>> I'm guessing that means file shares.
>>
>> Anyway, I appreciate you taking the time to respond. This might be a 
>> try-it-and-see project and something I learn by mistake.
>>
>> steve
>>
>
> Yeah, you are correct - Samba can work with a multitude of auth 
> mechanisms - some are so well integrated they make it feel like Samba 
> is doing the authentication.
>
> There's been a few replies to you.  I think there are excellent 
> suggestions in them.  So take what you've got and break it into pieces.  
> A working Samba 4 isn't that hard to get up and running on its own.  A 
> working ADS isn't too hard to get working on its own. Tying them 
> together really isn't too difficult either.  It's trying to do them 
> all at once that really gets people down the wrong rabbit hole in a 
> hurry.... that was why I was saying to get your auth system in place 
> first.  A windows ADS is a fantastic setup, they work like a charm, 
> are simple to administer, etc.  I was suggesting openldap because I 
> was unaware you had a Windows person in there as well.
>
> Anyway, have fun, you will find out that while it all sounds like a 
> nightmare, it ends up just being legos - once you have the parts built 
> they just link up with ease.
>
> Jack


