Fran Fabrizio
2003-Nov-20 04:56 UTC
[Samba] Having Samba integrate/replace existing mixed Unix/Windows network
I've recently inherited a two-headed monster of a network and would like to see what Samba can do for me to help clean up the situation. Due to bias/preference of the past administrator, who favored Unix, when it came time to introduce Windows machines to our department, he basically built a parallel network (physically and logically), and let a graduate student manage the Windows network. As a result, we now have a network consisting of two subnets, Windows and Unix. Each subnet provides its own file server, print server, DNS, DHCP, directory (NIS vs. Active Directory) and user accounts. Unfortunately for us, this is a rather arbitrary division, as we often have users that dual-boot between the two sides and students that need to do work on both, and I would prefer that the two networks be more integrated.

I will be redesigning this network (both physically and logically) and I believe Samba can help me. Some of the ways are clear, whereas some are much less clear. Let me start with my design goals...

1. Repartition the network based on functional needs, not OS choice. Our context is a department at a university. Instead of a Unix subnet and a Windows subnet, I would like a subnet for the undergraduate open labs, a subnet for research groups, a subnet for faculty workstations, etc.... whatever services I provide need to play well in this multi-subnet environment.
2. Consolidate file serving duties. I would like for a user to see the same home directory whether booting into Linux, Solaris or Windows. This will reduce the number of instances of users needing to move files between the two systems, as well as provide a single point as a target for backups.
3. Consolidate user accounts. I want one account for each user, period. If I absolutely can't have this, I want to synchronize between the two so that it appears as one. We are eventually going to try to authenticate against the campus-wide LDAP service, and the fewer points of authentication I have within my department, the easier that will be.
4. Consolidate DNS and DHCP. Because we have two DHCPs, and because our firewall is set to pass all traffic between the two subnets, I actually have two network cables running to my laptop - I have to switch them when I switch OSes! I am not 100% sure of the reason, the past admin simply said that's how it is, but I believe it's so I hit the "right" DHCP server first. Obviously, that needs to go away. Same with DNS - right now, adding a host means adding it to Active Directory, adding it to NIS, and adding it to 3 /etc/hosts files. This needs to be much cleaner.
5. Consolidate print servers.
6. Preserve as much of the functionality that Active Directory is currently providing. This includes login scripts, roaming profiles, all the permissions management and authentication, serving a dfs, etc.... I understand that Samba cannot be an Active Directory server, but I also understand that it can do a lot of the same things AD does.

So, those are the highlights of my goals. I see that it's very straightforward for Samba to do the file and print serving, but is this rock solid? This will be the sole source of home dirs, I don't want the Windows clients flaking out on me. I'm less sure about the authentication. Right now, we use Active Directory on the Win side and NIS on the Unix side. I believe one option is to keep the Active Directory for linux clients, and to use winbind to authenticate against that. However, I would like to get rid of AD altogether if possible. Is there a better model? On the Unix side, NIS has to go. Something like Kerberos or LDAP would be better but I want to make a choice that plays well with Samba and with the Windows clients as well. I know that Kerberos is a good option for cross-platform single-point-of-authentication. Perhaps LDAP. Perhaps they work together?

What's the model I'm after and how does Samba fit in? I'm not sure if Samba can help with the current DNS/DHCP woes or if that's simply a matter of setting up one on Linux and pointing everyone at it (not sure how good it is to have DHCP serving multiple subnets like I want, though...) Thoughts?

For the "big picture" is it possible for me to get rid of Active Directory for this network I have of Sun, Linux, NT, 2000, and XP machines and still have hopes of a reliable network? If I need to keep an AD around for one or more of these services, how best to set it up to play with Samba? Those are the kinds of questions I'm after. I have read through the beginning of the O'Reilly Samba book and it appears that Samba is definitely the right track, but I'm hoping for a bit more of the specifics of the model I'm seeking.

Thanks for your time and thoughts,
Fran
John H Terpstra
2003-Nov-20 05:38 UTC
[Samba] Having Samba integrate/replace existing mixed Unix/Windows network
Fran,

Your thinking is spot-on! Please document this as you go. Make a case study out of it that we can publish on Samba.Org.

If you run into trouble - contact me, I'll do my best to help.

Cheers,
John T.

On Wed, 19 Nov 2003, Fran Fabrizio wrote:
> I've recently inherited a two-headed monster of a network and would like to
> see what Samba can do for me to help clean up the situation.
> [...]
> Thanks for your time and thoughts,
> Fran

-- 
John H Terpstra
Email: jht@samba.org
Fran Fabrizio
2003-Nov-20 06:11 UTC
[Samba] Having Samba integrate/replace existing mixed Unix/Windows network
Hrmm. It seems that this (from the HOWTO) puts a MAJOR damper on things....

-------------------------------------
Samba can act as a NT4-style DC in a Windows 2000/XP environment. However, there are certain compromises:
- No machine policy files.
- No Group Policy Objects.
- No synchronously executed AD logon scripts.
- Can't use Active Directory management tools to manage users and machines.
- Registry changes tattoo the main registry, while with AD they do not leave permanent changes in effect.
- Without AD you cannot perform the function of exporting specific applications to specific users or groups.
-------------------------------------

Considering my goal #6....

> 6. Preserve as much of the functionality that Active Directory is
> currently providing. This includes login scripts, roaming profiles, all
> the permissions management and authentication, serving a dfs, etc.... I
> understand that Samba cannot be an Active Directory server, but I also
> understand that it can do a lot of the same things AD does.

So...no login scripts and some of these other things (policy files, temp changes to the registry that get wiped at logout, etc...) are common on our network. Almost all of our Windows clients are XP. Do you truly lose the ability to do all of those things, or can you do older, NT-style versions of some of them by having the XP clients fall back into NT domain compatibility?

-Fran
Andrew Bartlett
2003-Nov-20 07:13 UTC
[Samba] Having Samba integrate/replace existing mixed Unix/Windows network
On Thu, 2003-11-20 at 17:11, Fran Fabrizio wrote:
> So...no login scripts and some of these other things (policy files, temp
> changes to the registry that get wiped at logout, etc...) are common on our
> network. Almost all of our Windows clients are XP. Do you truly lose the
> ability to do all of those things, or can you do older, NT-style versions
> of some of them by having the XP clients fallback into NT domain
> compatibility?

This is correct - we match NT4 here, and XP will run NT login scripts, and NT policy files.

Andrew Bartlett

-- 
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
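As an added illustration of the model Fran is describing and Andrew confirms (a constructed smb.conf, not Fran's configuration or anything from the Samba HOWTO), here is a Samba 3 NT4-style PDC that keeps every account in one LDAP directory, serves NT-style logon scripts and policy files from a read-only netlogon share, and stores roaming profiles with owner-only permissions. The workgroup, hostnames, DNs and paths are assumptions chosen for the example.

```ini
# Constructed smb.conf for a Samba 3 NT4-style PDC backed by LDAP.
# Domain, host and DN names are placeholders, not values from the thread.
[global]
   workgroup = CSDEPT
   netbios name = PDC1
   security = user
   encrypt passwords = yes
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65
   # one WINS server lets clients on all subnets find the domain
   wins support = yes
   # single account store: one LDAP directory instead of NIS plus AD
   passdb backend = ldapsam:ldap://ldap.example.edu
   ldap suffix = dc=example,dc=edu
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=sambaadmin,dc=example,dc=edu
   # bind over TLS; the admin dn password lives in secrets.tdb
   # (set with "smbpasswd -w"), never in this file
   ldap ssl = start tls
   add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u
   # NT4-style logon settings that Windows 2000/XP clients honour
   logon script = logon.bat
   logon path = \\%L\profiles\%U
   logon home = \\%L\%U
   logon drive = H:
   host msdfs = yes

[netlogon]
   # holds logon.bat and NTConfig.POL; read-only so no user can
   # alter a script or policy that every other user will execute
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = no

[homes]
   browseable = no
   read only = no
   valid users = %S
```

Run `testparm` after editing to confirm the file parses; the `[homes]` share gives each user the same home directory from Windows that they get on the Unix side, which is goal #2.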