D G Teed
2007-Sep-19 15:05 UTC
[Samba] What management of samba is available for large scale deployment
I'm working for a higher education institution, and we have Novell Netware for our file sharing services. We are looking at what migration paths are available.

I know samba works, we use it on a number of Solaris and Linux boxes and have it authenticate against our Windows ADS. Manually editing samba configuration files for up to a hundred users is OK. The challenge is how do you manage a few thousand users with backends that auto-populate the samba config and front ends which administrators can tweak as needed?

Does someone make a product which helps with the management of Samba and provides features like autocreation of groups to support shared permissions on folders, etc? If not a product, has there been a guide on how to deploy samba with a large number (5000) of users and a large number (perhaps 300-500) groups?

Having a product which permits users to self-administer their share and allow read or write access to certain users or groups would be ideal.

--Donald Teed
Felipe Augusto van de Wiel
2007-Sep-20 15:45 UTC
[Samba] What management of samba is available for large scale deployment
D G Teed wrote, On 19-09-2007 11:58:

> I'm working for a higher education institution, and we have Novell Netware
> for our file sharing services. We are looking at what migration paths
> are available.
>
> I know samba works, we use it on a number of Solaris and Linux boxes and
> have it authenticate against our Windows ADS. Manually editing samba
> configuration files for up to a hundred users is OK. The challenge is how
> do you manage a few thousand users with backends that auto-populate
> the samba config and front ends which administrators can tweak as needed?

I'm not sure I really understand what you are talking about. When you say "backends that auto-populate the samba config" this turns on the red light as it sounds like something a little bit //dangerous//.

I worked with scenarios with thousands of accounts and usually the best way is to work with LDAP and ACLs on the filesystem to make it easier to automatically inherit access by groups, which should be simpler to keep up.

By front-ends I know some people that use SWAT and a lot of people that use PHP tools like phpLDAPadmin or LDAP Account Manager. I'm not aware of any tools that look similar to Novell Graphical Admin tools, but in a similar case, there are people who use Windows Management Console to deal with users in Samba backends.

> Does someone make a product which helps with the management of Samba and
> provide features like autocreation of groups to support shared permissions
> on folders, etc? If not a product, has there been a guide on how to
> deploy samba with a large number (5000) of users and a large number
> (perhaps 300-500) groups?

Yes, it is called Samba By Example and it is available as a book or on-line in the Samba Docs section.

> Having a product which permits users to self-administer their share
> and allow read or write access to certain users or groups would be ideal.

"Self administer" their share? You mean the share available in the server? Sounds odd. But it probably can be done with some LDAP ACLs.

Kind regards,
--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
D G Teed
2007-Sep-21 11:24 UTC
[Samba] What management of samba is available for large scale deployment
Thanks for the response, Felipe.

I mean something like this: the Windows user would right click on their folder which they have full access to, and select users to which they would like to assign read/modify/write access. In what I understand, this is possible from Novell Netware - probably via the client driver. As it is faculty, it is difficult to take away freedoms without complaints.

The LDAP suggestion is a good one for controlling departments, but there are always lots of other associations we cannot predict, like who becomes a Teaching Assistant for some faculty member and needs access to grade assignments. In these scenarios, self-administer is ideal.

--Donald Teed

On 9/20/07, Felipe Augusto van de Wiel <felipe@paranacidade.org.br> wrote:

> "Self administer" their share? You mean the share available
> in the server? Sounds odd. But it probably can be done with some LDAP
> ACLs.
>
> Kind regards,
> --
> Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
Adam Tauno Williams
2007-Sep-21 14:31 UTC
[Samba] What management of samba is available for large scale deployment
> I mean something like this: the Windows user would
> right click on their folder which they have full access to,
> and select users to which they would like to assign
> read/modify/write access. In what I understand, this
> is possible from Novell Netware - probably via the client
> driver. As it is faculty, it is difficult to take away freedoms
> without complaints.

Setting ACLs on shares from a Windows client? I think that works currently.

--
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Bill Marshall
2007-Sep-24 15:18 UTC
[Samba] Re: What management of samba is available for large scale deployment
D G Teed <donald.teed <at> gmail.com> writes:

> The challenge is how
> do you manage a few thousand users with backends that auto-populate
> the samba config and front ends which administrators can tweak as needed?

I'll try to explain the setup we have which is maintained with perl scripts.

part 1) For a group or departmental share called dept xyz, we'll create 2-3 groups on the (In our case Samba domain) deptxyz_A (admins), deptxyz_w (writers), deptxyz_r (readers) and we are using Linux w/ extended ACLs on the file system. The share "stanza" is appended by a script in another file that is included from the main smb.conf and looks like:

    [deptxyz]
    comment=deptxyz
    writeable=yes
    admin users=@mydomain\deptxyz_A,@"mydomain\domain admins"
    path=/home/group/deptxyz

This allows the people in deptxyz_A to connect as root and then they can modify ACLs, etc.

part 2) We have an apache web server configured to authenticate against the domain. IF you are in the deptxyz_A group, you can use a perl cgi-bin to modify the users in the deptxyz_* groups. The web server userid does "RPC" calls to a privileged perl "service" on another system that actually updates the group membership. We're OK with an existing admin giving admin to other people, but you could restrict the ability to update the _A groups, etc.

Generally using the groups on the ACLs by default is good enough and end users do not need to update ACLs on the file system. I'm not sure if that's enough to handle your TA config (depends on where the grades are stored -- but you could also do the admin user thing on homedirs.)

Bill
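
An added sketch of the stanza generation described in part 1 of the message above, written in Python for this page; it is not Bill's Perl, which the thread does not show. The function names, the name pattern and the use of plain Unix group names with `setfacl` are assumptions; the pattern keeps newlines, brackets and path separators out of the generated smb.conf include.

```python
import re

# Conservative pattern for share and domain names (an assumption, not Samba's own rule):
# no whitespace, brackets, '=', '\\', '/' or newlines can reach the generated file.
_NAME = re.compile(r"[a-z][a-z0-9]{1,30}")

def check_name(value, what):
    """Return value unchanged if it is safe to template into smb.conf, else raise."""
    if not _NAME.fullmatch(value):
        raise ValueError(f"refusing unsafe {what}: {value!r}")
    return value

def share_stanza(dept, domain="mydomain", base="/home/group"):
    """Return the smb.conf stanza for one departmental share (base is operator-set)."""
    dept = check_name(dept, "share name")
    domain = check_name(domain, "domain name")
    return "\n".join([
        f"[{dept}]",
        f"    comment = {dept}",
        "    writeable = yes",
        # Per the post, 'admin users' lets these accounts act as root on the share.
        f'    admin users = @{domain}\\{dept}_A,@"{domain}\\domain admins"',
        f"    path = {base}/{dept}",
        "",
    ])

def acl_commands(dept, base="/home/group"):
    """Return setfacl argv lists: _w gets read/write, _r gets read-only."""
    dept = check_name(dept, "share name")
    path = f"{base}/{dept}"
    spec = f"g:{dept}_w:rwx,g:{dept}_r:r-x"
    return [
        ["setfacl", "-m", spec, path],        # access ACL on the share root
        ["setfacl", "-d", "-m", spec, path],  # default ACL inherited by new entries
    ]

if __name__ == "__main__":
    print(share_stanza("deptxyz"))
    for argv in acl_commands("deptxyz"):
        print(" ".join(argv))
```

The argv lists are meant to be passed to a process runner without a shell, so a department name never goes through shell parsing.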