Michael Kelly
2004-Nov-10 20:10 UTC
[Samba] Office moving to a Domain system. Looking for some advice.
Hello all,
I currently maintain an office of 15 employees. All clients are running
Windows 200 Professional, although there has been discussion of
introducing a couple of Linux workstations on a testing basis.
As part of the office infrastructure we have three Linux machines, a
firewall/gateway/webserver/FTP server/openVPN machine running Samba for
access to webserver directories and documents, a Samba file server that
also acts as a WINS server, and a machine that is dedicated to nightly
backups of the file server, this box also runs Samba to share out the
backup files.
The office is currently set up using a workgroup system and we feel it
is time to enjoy the benefits of a domain system with a Samba PDC. I
have done some preliminary research into the setup of everything but
would like to get some advice from those more experienced than myself
before I begin my journey.
This is what I would like.
1. The file server to be the PDC as well as an application server. Not
sure if we will go with roaming profiles yet or not.
2. All authentication to be centralized to the PDC. I believe I can
achieve this with winbind running on the two other machines running
Samba.
   - currently I am maintaining the same Samba password
     files on all three systems and it is a pain to co-ordinate
3. Eliminate the need to have each workstation user also be a user on
the Linux systems.
4. Eventually be able to move to an openLDAP authentication system
without having to redo everything.
I know my points are pretty general, but I am just starting with the
concepts and developing my requirements. Also, this is my first entry
into the world of domains so my knowledge is a little sparse.
As a note, I am reasonably comfortable with basic Samba configuration,
manual edits, and administration with Linux.
Thanks for any assistance
Michael Kelly
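An added example, not from this thread: a Samba 3.0-era configuration for points 2 and 3 above, with the file server as PDC holding the account database and the other two Linux boxes as domain members using winbind, so domain users need no local Unix accounts. The domain name OFFICE, the host names, the WINS address and the id ranges are assumptions.

```ini
# Added example (not the thread's own config). Names, addresses and id ranges
# are assumptions; adjust to the office network.

# --- /etc/samba/smb.conf on the PDC (the file server) ---
[global]
    workgroup = OFFICE
    netbios name = FILESERVER
    security = user
    passdb backend = tdbsam        ; later: ldapsam:ldap://<ldap-host> for point 4
    domain logons = yes
    domain master = yes
    preferred master = yes
    os level = 65
    wins support = yes
    ; lets 'net rpc join' create the machine accounts for the members
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
    logon path =                   ; empty keeps roaming profiles off until decided

# --- /etc/samba/smb.conf on each member (backup and gateway boxes) ---
[global]
    workgroup = OFFICE
    security = domain
    password server = *            ; find the PDC via WINS/broadcast
    wins server = 192.168.1.10     ; assumed address of the file server
    idmap uid = 10000-20000        ; winbind maps domain SIDs into this range
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/false    ; domain users get file access, no shell
    template homedir = /home/%D/%U

# --- /etc/nsswitch.conf on each member ---
passwd: files winbind
group:  files winbind
```

Join each member with `net rpc join -U root` while winbind is running; afterwards `wbinfo -u` and `getent passwd` should list the domain users without any entries being added to the member's own passwd file.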
Michael Kelly
2004-Nov-11 19:18 UTC
[Samba] Office moving to a Domain system. Looking for some advice.
Hi,

Thank you for your very informative post. I am hoping to roll out the network in stages, with openLDAP coming in a later stage, mostly due to my need to get up its learning curve a bit more before putting it into production.

I am hoping that running winbind on the Linux boxes that are not the PDC will give me a reasonable authentication solution for the time being, in that I will not have to replicate usernames and passwords to each Linux/Samba system.

I totally agree that there should be a standalone firewall that does nothing else, except maybe openVPN and DHCP for the internal network, but protect the network. I do not believe at this time that I need a DMZ, other than possibly for a webserver. The only exterior access needed to our network is via openVPN, and SFTP when that is down. Our mailservers reside in a different locale altogether and they are not under my umbrella.

I have a SUS server on the wishlist and am currently singing its praises to the higher ups.

I know that I have a lot of research and documentation left to do before I get started so I can foresee any pitfalls before I get there. As mentioned before, my biggest stumbling block is going to be setting up LDAP for authentication. I have yet to even get my hands damp with that software, let alone set it up for network usage.

Thanks again for your reply

Michael Kelly

>>> rruegner <robert@ruegner.org> 10/11/2004 3:33:55 pm >>>
> Hi Michael,
> good choice, make the PDC an LDAP server and let the other *nix machines be LDAP clients. The other parts depend on what you plan for your network. Normally you have a standalone firewall with a minimum of 3 NICs: web, DMZ, intranet. The PDC should be placed in the intranet, also the backup machine; FTP and www, proxy or an internal mail server too (if you need this from outside) in the DMZ zone; proxy or an internal mail server here too.
>
> But there are many more setups thinkable. A small solution for a firewall, which is easy to set up if you have a dynamic IP or just one IP, is ipcop (transparent proxy possible). The firewall can be used as DHCP server and internal nameserver (but you can let this be done by the PDC too). If you want home workers to connect to the office network, pptpd is a good choice (on the firewall or via the kernel 2.4.27 pptp pom module on the PDC). openvpn is good for net-to-net connects on the firewall to other placed offices. A domain system and roaming profiles is an up to date solution. A SUS server and an antivir update service is nice to have. I have several setups like this, all working very nice. But many things would be done by others in another way, mostly for security reasons, so for your question there's no uni-answer.
>
> Best Regards