Michael Kelly
2004-Nov-10 20:10 UTC
[Samba] Office moving to a Domain system. Looking for some advice.
Hello all,

I currently maintain an office of 15 employees. All clients are running Windows 2000 Professional, although there has been discussion of introducing a couple of Linux workstations on a testing basis.

As part of the office infrastructure we have three Linux machines: a firewall/gateway/webserver/FTP server/openVPN machine running Samba for access to webserver directories and documents, a Samba file server that also acts as a WINS server, and a machine that is dedicated to nightly backups of the file server; this box also runs Samba to share out the backup files.

The office is currently set up using a workgroup system and we feel it is time to enjoy the benefits of a domain system with a Samba PDC. I have done some preliminary research into the setup of everything but would like to get some advice from those more experienced than myself before I begin my journey.

This is what I would like:

1. The file server to be the PDC as well as an application server. Not sure if we will go with roaming profiles yet or not.
2. All authentication to be centralized to the PDC. I believe I can achieve this with winbind running on the two other machines running Samba. Currently I am maintaining the same Samba password files on all three systems and it is a pain to co-ordinate.
3. Eliminate the need to have each workstation user also be a user on the Linux systems.
4. Eventually be able to move to an openLDAP authentication system without having to redo everything.

I know my points are pretty general, but I am just starting with the concepts and developing my requirements; also, this is my first entry into the world of domains so my knowledge is a little sparse.

As a note, I am reasonably comfortable with basic Samba configuration, manual edits, and administration with Linux.

Thanks for any assistance
Michael Kelly
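As an added illustration of points 1 to 4 (not part of the original post or of the Samba project's documentation), here is a Samba 3 smb.conf layout for the setup described: the file server as PDC with a tdbsam backend that can later be swapped for ldapsam, and a member server (the backup box) that authenticates through winbind so no local Unix accounts are needed. The domain name OFFICE, the host names, the WINS address 192.0.2.10 and all paths are constructed placeholders.

```ini
# ---- PDC: /etc/samba/smb.conf on the file server (constructed example) ----
[global]
    workgroup = OFFICE
    netbios name = FILESERVER
    security = user
    # local account database for now; requirement 4 later becomes e.g.
    # passdb backend = ldapsam:ldap://LDAP-HOST-PLACEHOLDER
    passdb backend = tdbsam
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65
    wins support = yes
    # roaming profiles: set "logon path =" (empty) to disable them
    logon path = \\%L\profiles\%U
    logon drive = H:
    logon home = \\%L\%U
    # created automatically when a workstation joins; needs a "machines" group
    add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false %u

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700

# ---- member server: /etc/samba/smb.conf on the backup box (constructed) ----
[global]
    workgroup = OFFICE
    netbios name = BACKUP
    # authenticate against the domain instead of a local smbpasswd/tdbsam
    security = domain
    password server = *
    wins server = 192.0.2.10
    # domain users/groups are mapped into this uid/gid range by winbind;
    # keep it clear of any locally allocated ids
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    # domain users get no shell on the backup box, only file access
    template shell = /bin/false
    template homedir = /home/%D/%U
```

On each member, add `winbind` after `files` on the `passwd:` and `group:` lines of /etc/nsswitch.conf, join with `net rpc join -U root` and start winbindd; `wbinfo -u` and `getent passwd` should then list domain users without any account having been created locally.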
Michael Kelly
2004-Nov-11 19:18 UTC
[Samba] Office moving to a Domain system. Looking for some advice.
Hi,

Thank you for your very informative post. I am hoping to roll out the network in stages, with openLDAP coming in a later stage, mostly due to my need to get up its learning curve a bit more before putting it into production. I am hoping that running winbind on the Linux boxes that are not the PDC will give me a reasonable authentication solution for the time being, in that I will not have to replicate usernames and passwords to each Linux/Samba system.

I totally agree that there should be a standalone firewall that does nothing else, except maybe openVPN and DHCP for the internal network, but protect the network. I do not believe at this time that I need a DMZ, other than possibly for a webserver. The only exterior access needed to our network is via openVPN, and SFTP when that is down. Our mailservers reside in a different locale altogether and they are not under my umbrella.

I have a SUS server on the wishlist and am currently singing its praises to the higher-ups. I know that I have a lot of research and documentation left to do before I get started so I can foresee any pitfalls before I get there. As mentioned before, my biggest stumbling block is going to be setting up LDAP for authentication. I have yet to even get my hands damp with that software, let alone set it up for network usage.

Thanks again for your reply
Michael Kelly

>>> rruegner <robert@ruegner.org> 10/11/2004 3:33:55 pm >>>
Hi Michael,

Good choice. Make the PDC an LDAP server and let the other *nix machines be LDAP clients. The other parts depend on what you plan for your network. Normally you have a standalone firewall with a minimum of 3 NICs: web, DMZ, intranet. The PDC should be placed in the intranet, also the backup machine, FTP and WWW, proxy or an internal mail server too (if you need this from outside, in the DMZ zone; proxy or an internal mail server here too).

But there are many more setups thinkable. A small solution for a firewall, which is easy to set up if you have a dynamic IP or just one IP, is ipcop (transparent proxy possible). The firewall can be used as DHCP server and internal nameserver (but you can let this be done by the PDC too). If you want home workers to connect to the office network, pptpd is a good choice (on the firewall, or via the kernel 2.4.27 pptp pom module on the PDC). openvpn is good for net-to-net connects on the firewall to other placed offices. A domain system and roaming profiles is an up-to-date solution. A SUS server and an antivir update service is nice to have.

I have several setups like this all working very nicely. But many things would be done by others in another way, mostly for security reasons, so for your question there's no uni-answer.

Best Regards