samba - Nov 2003 - Having Samba integrate/replace existing mixed Unix/Windows network

I've recently inherited a two-headed monster of a network and would like to 
see what Samba can do for me to help clean up the situation.  Due to 
bias/preference of the past administrator, who favored Unix, when it came 
time to introduce Windows machines to our department, he basically built a 
parallel network (physically and logically), and let a graduate student 
manage the Windows network.  As a result, we now have a network consisting 
of two subnets, Windows and Unix.  Each subnet provides it's own file 
server, print server, DNS, DHCP, directory (NIS vs. Active Directory) and 
user accounts.  Unfortunately for us, this is a rather arbitrary division, 
as we often have users that dual-boot between the two sides and students 
that need to do work on both and I would prefer that the two networks be 
more integrated.

I will be redesigning this network (both physically and logically) and I 
believe Samba can help me.  Some of the ways are clear, whereas some are 
much less clear.  Let me start with my design goals...

1.  Repartition the network based on functional needs, not OS choice.  Our 
context is a department at a university.  Instead of a Unix subnet and a 
Windows subnet, I would like a subnet for the undergraduate open labs, a 
subnet for research groups, a subnet for faculty workstations, 
etc....whatever services I provide need to play well in this multi-subnet 
environment.
2.  Consolidate file serving duties.  I would like for a user to see the 
same home directory whether booting into Linux, Solaris or Windows.  This 
will reduce the number of instances of users needing to move files between 
the two systems, as well as provide a single point as a target for backups.
3.  Consolidate user accounts.  I want one account for each user, 
period.  If I absolutely can't have this, I want to synchronize between the 
two so that it appears as one.  We eventually going to try to authenticate 
against the campus-wide LDAP service, and the fewer points of 
authentication I have within my department, the easier that will be.
4.  Consolidate DNS and DHCP.  Because we have two DHCPs, and because our 
firewall is set to pass all traffic between the two subnets, I actually 
have two network cables running to my laptop - I have to switch them when I 
switch OSes!  I am not 100% sure of the reason, the past admin simply said 
that's how it is, but I believe it's so I hit the "right" DHCP
server
first.  Obviously, that needs to go away.  Same with DNS - right now, 
adding a host means adding it to Active Directory, adding it to NIS, and 
adding it to 3 /etc/hosts files.  This needs to be much cleaner.
5.  Consolidate print servers.
6.  Preserve as much of the functionality that Active Directory is 
currently providing.  This includes login scripts, roaming profiles, all 
the permissions management and authentication, serving a dfs, etc....I 
understand that Samba cannot be an Active Directory server, but I also 
understand that it can do a lot of the same things AD does.

So, those are the highlights of my goals.  I see that it's very 
straightforward for Samba to do the file and print serving, but is this 
rock solid?  This will be the sole source of home dirs, I don't want the 
Windows clients flaking out on me.  I'm less sure about the 
authentication.  Right now, we use Active Directory on the Win side and NIS 
on the Unix side.  I believe one option is to keep the Active Directory for 
linux clients, and to use winbind to authenticate against that.  However, I 
would like to get rid of AD altogether if possible.  Is there a better 
model?  On the Unix side, NIS has to go.  Something like Kerberos or LDAP 
would be better but I want to make a choice that plays well with Samba and 
with the Windows clients as well.  I know that Kerberos is a good option 
for cross-platform single-point-of-authentication.  Perhaps LDAP.  Perhaps 
they work together?  What's the model I'm after and how does Samba fit 
in?  I'm not sure if Samba can help with the current DNS/DHCP woes or if 
that's simply a matter of setting up one on Linux and pointing everyone at 
it (not sure how good it is to have DHCP serving multiple subnets like I 
want, though...)  Thoughts?

For the "big picture" is it possible for me to get rid of Active
Directory
for this network I have of Sun, Linux, NT, 2000, and XP machines and still 
have hopes of a reliable network?  If I need to keep an AD around for one 
of more of these services, how best to set it up to play with Samba?  Those 
are the kinds of questions I'm after.  I have read through the beginning of 
the O'Reilly Samba book and it appears that Samba is definitely the right 
track, but I'm hoping for a bit more of the specifics of the model I'm
seeking.

Thanks for your time and thoughts,
Fran

Fran,

Your thinking is spot-on! Please document this as you go. Make a case
study out of it that we can publish on Samba.Org. If you run into trouble
- contact me, I'll do my best to help.

Cheers,

John T.

On Wed, 19 Nov 2003, Fran Fabrizio wrote:
>
> I've recently inherited a two-headed monster of a network and would
like to
> see what Samba can do for me to help clean up the situation.  Due to
> bias/preference of the past administrator, who favored Unix, when it came
> time to introduce Windows machines to our department, he basically built a
> parallel network (physically and logically), and let a graduate student
> manage the Windows network.  As a result, we now have a network consisting
> of two subnets, Windows and Unix.  Each subnet provides it's own file
> server, print server, DNS, DHCP, directory (NIS vs. Active Directory) and
> user accounts.  Unfortunately for us, this is a rather arbitrary division,
> as we often have users that dual-boot between the two sides and students
> that need to do work on both and I would prefer that the two networks be
> more integrated.
>
> I will be redesigning this network (both physically and logically) and I
> believe Samba can help me.  Some of the ways are clear, whereas some are
> much less clear.  Let me start with my design goals...
>
> 1.  Repartition the network based on functional needs, not OS choice.  Our
> context is a department at a university.  Instead of a Unix subnet and a
> Windows subnet, I would like a subnet for the undergraduate open labs, a
> subnet for research groups, a subnet for faculty workstations,
> etc....whatever services I provide need to play well in this multi-subnet
> environment.
> 2.  Consolidate file serving duties.  I would like for a user to see the
> same home directory whether booting into Linux, Solaris or Windows.  This
> will reduce the number of instances of users needing to move files between
> the two systems, as well as provide a single point as a target for backups.
> 3.  Consolidate user accounts.  I want one account for each user,
> period.  If I absolutely can't have this, I want to synchronize between
the
> two so that it appears as one.  We eventually going to try to authenticate
> against the campus-wide LDAP service, and the fewer points of
> authentication I have within my department, the easier that will be.
> 4.  Consolidate DNS and DHCP.  Because we have two DHCPs, and because our
> firewall is set to pass all traffic between the two subnets, I actually
> have two network cables running to my laptop - I have to switch them when I
> switch OSes!  I am not 100% sure of the reason, the past admin simply said
> that's how it is, but I believe it's so I hit the "right"
DHCP server
> first.  Obviously, that needs to go away.  Same with DNS - right now,
> adding a host means adding it to Active Directory, adding it to NIS, and
> adding it to 3 /etc/hosts files.  This needs to be much cleaner.
> 5.  Consolidate print servers.
> 6.  Preserve as much of the functionality that Active Directory is
> currently providing.  This includes login scripts, roaming profiles, all
> the permissions management and authentication, serving a dfs, etc....I
> understand that Samba cannot be an Active Directory server, but I also
> understand that it can do a lot of the same things AD does.
>
> So, those are the highlights of my goals.  I see that it's very
> straightforward for Samba to do the file and print serving, but is this
> rock solid?  This will be the sole source of home dirs, I don't want
the
> Windows clients flaking out on me.  I'm less sure about the
> authentication.  Right now, we use Active Directory on the Win side and NIS
> on the Unix side.  I believe one option is to keep the Active Directory for
> linux clients, and to use winbind to authenticate against that.  However, I
> would like to get rid of AD altogether if possible.  Is there a better
> model?  On the Unix side, NIS has to go.  Something like Kerberos or LDAP
> would be better but I want to make a choice that plays well with Samba and
> with the Windows clients as well.  I know that Kerberos is a good option
> for cross-platform single-point-of-authentication.  Perhaps LDAP.  Perhaps
> they work together?  What's the model I'm after and how does Samba
fit
> in?  I'm not sure if Samba can help with the current DNS/DHCP woes or
if
> that's simply a matter of setting up one on Linux and pointing everyone
at
> it (not sure how good it is to have DHCP serving multiple subnets like I
> want, though...)  Thoughts?
>
> For the "big picture" is it possible for me to get rid of Active
Directory
> for this network I have of Sun, Linux, NT, 2000, and XP machines and still
> have hopes of a reliable network?  If I need to keep an AD around for one
> of more of these services, how best to set it up to play with Samba?  Those
> are the kinds of questions I'm after.  I have read through the
beginning of
> the O'Reilly Samba book and it appears that Samba is definitely the
right
> track, but I'm hoping for a bit more of the specifics of the model
I'm seeking.
>
> Thanks for your time and thoughts,
> Fran
>
-- 
John H Terpstra
Email: jht@samba.org
-------------- next part --------------
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Hrmm.  It seems that this (from the HOWTO) puts a MAJOR damper on things....

-------------------------------------
Samba can act as a NT4-style DC in a Windows 2000/XP environment. However, 
there are certain compromises:
?       No machine policy files.
?       No Group Policy Objects.
?       No synchronously executed AD logon scripts.
?       Can't use Active Directory management tools to manage users and 
machines.
?       Registry changes tattoo the main registry, while with AD they do 
not leave permanent changes in effect.
?       Without AD you cannot perform the function of exporting specific 
applications to specific users or groups.
--------------------------------------

Considering my goal #6....

6.  Preserve as much of the functionality that Active Directory
is
>>currently providing.  This includes login scripts, roaming profiles, all
>>the permissions management and authentication, serving a dfs, etc....I
>>understand that Samba cannot be an Active Directory server, but I also
>>understand that it can do a lot of the same things AD does.
So...no login scripts and some of these other things (policy files, temp 
changes to the registry that get wiped at logout, etc...) are common on our 
network.  Almost all of our Windows clients are XP.  Do you truly lose the 
ability to do all of those things, or can you do older, NT-style versions 
of some of them by having the XP clients fallback into NT domain 
compatibility?

-Fran

On Thu, 2003-11-20 at 17:11, Fran Fabrizio wrote:
> So...no login scripts and some of these other things (policy files, temp 
> changes to the registry that get wiped at logout, etc...) are common on our
> network.  Almost all of our Windows clients are XP.  Do you truly lose the 
> ability to do all of those things, or can you do older, NT-style versions 
> of some of them by having the XP clients fallback into NT domain 
> compatibility?
This is correct - we match NT4 here, and XP will run NT login scripts,
and NT policy files.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20031120/c90b98a2/attachment.bin