Opinions on the best way to do this?
I have set up Samba to run on the Linux file server but would like everyone to have individual logins instead of group access.
The network is really two seperate networks on the same backbone one already has a NT 4 server that is a PDC for the Gov. administration.
The rest of the network is a Slack Linux box using Squid, DHCP, Apache and firewalls etc and the other box being the file server, backup etc.
1). Setup users to be authenticated on the NT machine, hard because it is contracted out to another party (Gov. requirement) and I have not got Admin permissions on it etc.
2). Change the subnets so the machines can't see each other and set the file sever box up as a PDC, would that even work?
(Somewhat unpractical because a couple of users need access to both the NT machine and the Linux file server).
If I had my way all machines would be *nix and it would be easier but changing the gov contracts is not easy!
Any Other sugestions ???
Maybe I'm being naive here, but why not use SAMBA's winbind for the
users that need access to both networks, and use the normal *NIX logins
for those that only have access to the *NIX part of the network?
There is around 1000 users and 200 computers!
But the users use any computer so I dont want to have to put everyone's user account onto each one.
At the moment they are broken down into several groups but the problem I am having is people deleting other people in the same groups work.
Thats why I thought I needed a PDC to do this easily, hence the original problem?
Linux is designed for large numbers of users! Use LDAP (or NIS, but
LDAP is better) as a directory service running on one server, have all
the other computers running as clients. Run the windows machines as
clients to the linux server, but with a subset of allowed users. This is
essentially what I help administer at work, though with just a few
windows boxes, and a few OS X boxes added in to spice things up.
Currently we use NIS (and NIS+) because our network guru hasn't
migrated the Solaris server over to LDAP. NIS used to be YP, which
is where ypbind, etc. come from.
Your server will house all of the user information, and your clients will
connect to the server to authenticate the user. For NIS(+), the file
/etc/nsswitch.conf tells the client how to do authentication. On our
systems, it tells the client to look in the nisplus database first, then
search less likely places for username/password combinations. . .
Netgroups allows you to restrict certain access to certain groups, which
means you can limit connections from the windows machines to certain
At work, we have MANY groups that allow us to limit access to disk
space, and we have the umask of users set so their files are generally
protected from everyone but themselves. This is all possible for the
windows machines if you house the working disks on a SAMBA server.
I might have to do some reading up on LDAP by the looks of it it sounds like what I need.
can umask work on a user and a group level at the same time?
ie can group_A have access to group_B files and not the other way around and and at the same time not eachothers work in group_A?
That's almost getting confusing ;)
I will ask a different way
Can I limit access to their home directory to just themselves and say everyone in group_A at the same time?
But say in a public folder everyone has full rwx permissions no matter who creates the files.
Basically, I would make the members of group_A also members of
group_B, with umasks set so that by default others can't mess with
their files. umask is a user specific thing, but you can set the sticky
bit in a directory that forces files under that directory to maintain
Quotas allow you to limit disk usage per user, per disk. You can limit
a user's disk usage in their home, and have a group disk with a different
limit. *NIX is all about securing one's files from access by another user,
so pretty much whatever you want in this realm is possible, you just
have to find the right manuals to read. . . =-}
I hadn't thought to have them in more than 1 group, that makes sense.
The sticky bit also sounds like it will do the job on other disks.
Now for a lot of reading to get it all set it up right now that I have the basic framework.
Alright I tried to find infomation on using LDAP to do this and haven't had any luck.
All I seemed to find was a lot of info in setting up phonebooks and address books and internet databases.
Can anyone point me to a good :newbie: reference on this, even better if it delt with what I am trying to do with it.
Have you tried:
Also, for a quick overview of LDAP's abilities, read:
Also, you will probably want to run SAMBA on the Linux server so that
your windows machines are able to access your directory service.
I had tried their home page but couldn't find what I needed.
I think I have found what I need to get started now.
It was in a pdf doc called Samba collection of how to's.
Now I have read it I understand a bit better what LDAP can do combined with Samba and how I may be able to use it with other apps as well.
I do already have Samba running on the file server so they should be able to have access to the directory service when I get it set up.
Thanks for all your help!
Keep us posted, and if you take a lot of notes while setting this up, you
could become a hero by posting a HOW-TO!
|All times are GMT -5. The time now is 08:35 PM.|