LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 07-10-2008, 08:45 AM   #1
watsond83
LQ Newbie
 
Registered: Sep 2004
Location: Australia
Posts: 2

80+ samba domains into 1 directory service


Hi, can anyone please offer any recommendations for the following scenario...

I currently have 90+ sites running CentOS 4.3-4.6, where all our Windows clients authenticate locally to their site servers using Samba 3 on each server.
I am feeling some pressure from the rest of our colleagues who operate and support OS systems to connect into their Active Directory structure, so we can start to use some of their applications and authenticate to their systems through AD.

We would like to keep our current open-source environment, with a change to one directory structure where I want to get Samba, FreeRADIUS and Squid authenticating.

I have looked at the following:
1. Samba connected to an OpenLDAP backend, having one PDC and all other sites acting as BDCs. The problems encountered so far with this are that I am having a lot of trouble setting it up (I have only been working on Linux for one year and inherited the system), and the GUI tools for the frontends don't seem too user-friendly for system administrators (Webmin seems to be almost there).

2. IPA - a tool that seems to install a frontend and backend, but I am having issues getting Samba running with it.

3. Fedora Directory Server - currently doing some dev work on this to see if it will resolve our issues.

4. Active Directory services - a colleague of mine is currently looking to see if we can get Samba talking directly to one of the Active Directory domains, as this will be the quick fix: we can then set up trusts to the OS AD domains...

Any advice would be greatly appreciated...
 
Old 07-12-2008, 01:59 PM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Yikes. Congratulations on retaining your sanity.

First of all, don't put too much reliance on graphical tools - on Linux they are just thin wrappers around the underlying libraries and command-line utilities. Only a subset of the functionality is exposed graphically, and you've probably got too complex an architecture for the simpler GUI tools to cope with at all.

If I understand you correctly, I think that you have got three separate projects here:

1) Determining which central LDAP directory will hold the user records, and setting it up appropriately.
2) Figuring out how to configure your key services (Samba etc.) to use that directory.
3) Migrating the users and services to point to the central directory (probably site-by-site).

Active Directory, OpenLDAP and Fedora/Red Hat Directory Server are all proven technologies capable of handling a massive quantity of records. FreeIPA is a preconfigured setup of FDS plus other stuff. Which one is best for your organization depends on your circumstances. It is possible to sync records from one directory to another if you want or need to maintain two separate directory services.

Plugging your services into an existing LDAP infrastructure requires a basic knowledge of LDAP, but is manageable. Actually designing and implementing a large LDAP infrastructure is a much bigger project because there are a lot of non-technical details that have to be sorted out, in addition to the technical implementation work. The two best sources of information that I've seen on this are the copious Red Hat Directory Server docs that RH provide for free download, and study information for the MS Active Directory design exam.

If your organization already has an AD system then the support team for it have already done the work, and may have the necessary expertise to maintain it. I say "may" because Windows seems very forgiving of botched directory implementations, so in the worst case the corporate AD may be a mess, there may be no-one on hand that really understands how it works, and the support team may think it's OK because, hey, the users can sign in from their XP desktops.

The litmus test of whether you can work with the AD system is to talk to the senior technical person and slide in the term "schema extensions". MS strongly discourage all modification of the AD schema (except that which their own products do), but it's a perfectly legitimate thing to do, and may be necessary to fully support non-MS clients. His/her reaction will tell you whether you can work with them and use their system, or will have to go it alone.
 
Old 07-16-2008, 07:45 AM   #3
watsond83
LQ Newbie
 
Registered: Sep 2004
Location: Australia
Posts: 2

Original Poster
Hi Hob

Thanks for the reply; sorry about the delay, I've been stuck in a room all week trying to get this up and running.
Yes, it is 3 projects or a few stages at least.
1 - To determine the directory service that will hold all our user records. I have managed to get Samba 3.0.28 running on an OpenLDAP backend, where we have one PDC and it replicates changes to our BDC (more BDCs to come, as all our other sites will act as BDCs). The following doc helped a lot.
http://wiki.samba.org/index.php/Repl...ver_using_LDAP
2 - So now we can register onto the domain and connect to either the BDC or the PDC, which is where we were trying to head.
3 - Once I have this all rounded off and tested thoroughly, I will then look at rolling this out site by site, hitting small sites first so we can test in the live environment.

Our biggest hit with this solution was that our global partners wanted us to connect to their Active Directory in order to access their applications. I have set up a trust account on Samba and set up a trust (outgoing) on the AD. Now we can add users into a group that the AD admins can allow access to the applications they require us to access, without them needing to set up accounts and handle passwords etc...
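The PDC/BDC layout described in this post (one OpenLDAP master, site servers acting as BDCs against replicas) is usually broken by a handful of smb.conf mismatches between the PDC and a new site BDC rather than by LDAP itself. The script below is an added example, not code from the thread or from the Samba project: it embeds two constructed Samba 3 smb.conf fragments (hostnames under example.internal, the ou= suffixes, the cn=samba bind DN and the CORP workgroup are all assumptions) and checks the pair for the things that bite when joining another site: same workgroup, suffix and admin DN on both sides, ldapsam on both sides, exactly one domain master, and no cleartext LDAP bind from a BDC to a remote master.

```python
"""Consistency checks for a Samba 3 PDC/BDC pair sharing one ldapsam backend.

Added example: the smb.conf fragments are constructed to resemble the setup
described in the thread (one PDC, site BDCs reading a local OpenLDAP replica).
Hostnames, suffixes, the bind DN and the workgroup name are assumptions.
"""
import re

# Constructed smb.conf for the central PDC (assumed names and suffixes).
PDC_SMB_CONF = """
[global]
   workgroup = CORP
   netbios name = PDC-HQ
   security = user
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65
   passdb backend = ldapsam:ldap://ldap-master.example.internal
   ldap ssl = start tls
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=internal
   ldap passwd sync = yes
"""

# Constructed smb.conf for a site BDC that binds to its local OpenLDAP replica.
BDC_SMB_CONF = """
[global]
   workgroup = CORP
   netbios name = BDC-SITE01
   security = user
   domain logons = yes
   domain master = no
   local master = yes
   preferred master = yes
   os level = 65
   passdb backend = ldapsam:ldap://localhost
   ldap ssl = off
   ldap suffix = dc=example,dc=internal
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=internal
"""

# The same BDC after two typical copy-and-paste mistakes: it claims to be the
# domain master and binds in the clear to the remote master.
MISCONFIGURED_BDC = (BDC_SMB_CONF
                     .replace("domain master = no", "domain master = yes")
                     .replace("ldap://localhost", "ldap://ldap-master.example.internal"))


def parse_global(text):
    """Return the [global] section as {lowercased parameter: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # Samba comments start the line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def check_pair(pdc_text, bdc_text):
    """Return a list of problems for a PDC/BDC pair; an empty list means consistent."""
    pdc, bdc = parse_global(pdc_text), parse_global(bdc_text)
    problems = []
    # Both controllers must describe the same domain in the same directory.
    for key in ("workgroup", "ldap suffix", "ldap admin dn"):
        if pdc.get(key) != bdc.get(key):
            problems.append(f"{key} differs between PDC and BDC")
    for name, conf in (("PDC", pdc), ("BDC", bdc)):
        backend = conf.get("passdb backend", "")
        if not backend.startswith("ldapsam:"):
            problems.append(f"{name}: passdb backend is not ldapsam")
        if conf.get("domain logons", "no").lower() != "yes":
            problems.append(f"{name}: domain logons must be yes")
        url = backend.partition(":")[2]
        local = url.startswith(("ldapi://", "ldap://localhost", "ldap://127.0.0.1"))
        # Samba 3 defaults 'ldap ssl' to 'start tls'; only an explicit 'off' is cleartext.
        tls = url.startswith("ldaps://") or conf.get("ldap ssl", "start tls").lower() == "start tls"
        if not (tls or local):
            problems.append(f"{name}: bind DN password and NT hashes cross the network without TLS")
    # Exactly one PDC per domain: the PDC must be domain master, the BDC must not.
    if pdc.get("domain master", "auto").lower() != "yes":
        problems.append("PDC: domain master must be yes")
    if bdc.get("domain master", "auto").lower() != "no":
        problems.append("BDC: domain master must be no (only one PDC per domain)")
    return problems


if __name__ == "__main__":
    print("good pair:", check_pair(PDC_SMB_CONF, BDC_SMB_CONF) or "no problems")
    for p in check_pair(PDC_SMB_CONF, MISCONFIGURED_BDC):
        print("bad pair:", p)
```

Two checks the script cannot do from smb.conf alone: run `net getlocalsid` on the PDC and on every BDC and confirm they report the same domain SID (a BDC with its own SID will accept logons but its machine and group SIDs will not match the directory), and remember that the password set with `smbpasswd -w` for the ldap admin dn lives in each server's secrets.tdb, so every site BDC holds a credential that can rewrite every account in the domain.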
 
Old 10-07-2008, 04:07 PM   #4
rzafar
LQ Newbie
 
Registered: Sep 2008
Distribution: ubuntu hardy heron
Posts: 5

You might want to try Zivios (http://www.zivios.org). It's a consolidated web panel and an n-tiered PHP 5 application. It uses MySQL and OpenLDAP as its data store, with OpenLDAP being the primary backend for identity management and application integration and MySQL being used for panel-specific data. Check it out!
 
  

