Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
03-09-2011, 02:27 AM
|
#1
|
Member
Registered: Apr 2005
Posts: 252
Rep:
|
Solutions for my network infrastructure please suggest
I will try and save everyone's eyes and short phrase what I want to do and if you guys could help me decide what's best.
I have a windows, linux, and a couple macs. The windows network has DC's and workstations etc. It is on a separate public IP. Then I have 2 DNS's on 2 separate IP's. They are on linux platforms. Then I have a webserver on another IP. I was thinking about letting the DNS and webservers keep their own public IP's and then the windows network has its own. Then add second NICs in the linux boxes and connect them to the windows network switch then activate samba and nfs to access those servers within the network as a whole now. This will work right? Also I want to be able to have the windows domain and linux boxes all have the same login with the windows servers being the boss. I haven't used Kerberos before so I haven't even researched on how to use it. I have a couple 1 TB usb drives on the windows networks for storage. I would like to use them to access between the windows and linux pc's as well. I am going to be adding a couple more linux servers.
What do you guys think?
|
|
|
03-10-2011, 04:04 AM
|
#2
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
It sounds like you want to have public facing IP addresses for servers and use a private LAN to communicate amongst the machines. This will work and can have a lot of security advantages. For your authentication and sharing, Samba with Kerberos and LDAP should do the trick. There is lots of documentation on how to set this up, but will likely still be a project in-and-of itself (read PITA).
I say go for it. Take it a step at a time though, and focus on getting one thing working at a time. You will have a lot of variables, including using options that may not be standard in some of the packages, such as Kerberos support, and you may need to compile them from source.
|
|
|
03-10-2011, 08:23 AM
|
#3
|
Member
Registered: Apr 2005
Posts: 252
Original Poster
Rep:
|
Quote:
Originally Posted by Noway2
It sounds like you want to have public facing IP addresses for servers and use a private LAN to communicate amongst the machines. This will work and can have a lot of security advantages. For your authentication and sharing, Samba with Kerberos and LDAP should do the trick. There is lots of documentation on how to set this up, but will likely still be a project in-and-of itself (read PITA).
I say go for it. Take it a step at a time though, and focus on getting one thing working at a time. You will have a lot of variables, including using options that may not be standard in some of the packages, such as Kerberos support, and you may need to compile them from source.
|
Thank you for your response noway2. Sounds good. I figured it was good to do but I didn't even think about the advantages of security. What is the difference in LDAP and kerberos? And is there one of these packages that I should set up first?
|
|
|
03-10-2011, 11:33 AM
|
#4
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
In terms of security, a private LAN is a good place to put network based tools that you don't want to have be publicly accessible, such as webmin, myadmin, etc which can really FSCK you up if they get owned. It isn't 100% so be sure you still use good credential authentication methods, but it puts a good size hurdle in front of them.
With regards to your other question, LDAP and Kerberos work together, but on different aspects of the authentication. In essence, LDAP is a database for authenticating your users and realms. Windows Active Directory and Linux can be configured to utilize LDAP for user authentication and maintaining a "home" directory. This frees you from having to have individual user accounts on each machine. Once a user has been authenticated on one machine, Kerberos works in the background to allow one machine to authenticate with another and allow them to communicate securely. I admit that I don't understand all the details behind it, but it utilizes public-key encryption techniques to generate authentication 'tickets' that are good for a certain period of time. Combined, the two systems allow you to have a single, centralized user login system that can be used on any machine and one can access their files from any of these machines.
|
|
|
03-10-2011, 06:45 PM
|
#5
|
Member
Registered: Apr 2005
Posts: 252
Original Poster
Rep:
|
Quote:
Originally Posted by Noway2
In terms of security, a private LAN is a good place to put network based tools that you don't want to have be publicly accessible, such as webmin, myadmin, etc which can really FSCK you up if they get owned. It isn't 100% so be sure you still use good credential authentication methods, but it puts a good size hurdle in front of them.
With regards to your other question, LDAP and Kerberos work together, but on different aspects of the authentication. In essence, LDAP is a database for authenticating your users and realms. Windows Active Directory and Linux can be configured to utilize LDAP for user authentication and maintaining a "home" directory. This frees you from having to have individual user accounts on each machine. Once a user has been authenticated on one machine, Kerberos works in the background to allow one machine to authenticate with another and allow them to communicate securely. I admit that I don't understand all the details behind it, but it utilizes public-key encryption techniques to generate authentication 'tickets' that are good for a certain period of time. Combined, the two systems allow you to have a single, centralized user login system that can be used on any machine and one can access their files from any of these machines.
|
Any suggestions on what servers should do what? What I mean is you know have a Kerberos and a ldap as one and samba nfs. You know where there isn't one server doing it all or do you think that is okay? As you know a linux server can handle a lot on one machine.
|
|
|
03-10-2011, 09:02 PM
|
#6
|
Member
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269
Rep:
|
If you already have the Windows server acting as a Domain Controller and you want that to be the central server to manage logins there is no real need for a Linux LDAP or Kerberos server since that is essentially what the Domain Controller does. All you need if you want to authenticate your Linux servers against the existing Windows directory is the client portions. And if you want to make it easier, and gain some more control, there are tools such as Centrify and Likewise to get it done.
|
|
|
03-10-2011, 09:06 PM
|
#7
|
Member
Registered: Apr 2005
Posts: 252
Original Poster
Rep:
|
Quote:
Originally Posted by ComputerErik
If you already have the Windows server acting as a Domain Controller and you want that to be the central server to manage logins there is no real need for a Linux LDAP or Kerberos server since that is essentially what the Domain Controller does. All you need if you want to authenticate your Linux servers against the existing Windows directory is the client portions. And if you want to make it easier, and gain some more control, there are tools such as Centrify and Likewise to get it done.
|
Yeah I have a good windows network going. 3 DC's. I just want the linux boxes to have the same logins and such. So if you attempted to login on any linux server/client, your login credentials are checked by the windows domain and permissions as well?
|
|
|
03-10-2011, 11:07 PM
|
#8
|
Member
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269
Rep:
|
Exactly, essentially you are joining those Linux machines to your Windows domain and they become just like any of the Windows machines in terms of authentication. You can even get fancy and do a kerberized SSH so you can login to any of the other Linux machines with no need to type a password since a Kerberos ticket gets passed in the background.
|
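As an added illustration of the setup discussed in this thread (not posted by any participant): a minimal client-side configuration for a Linux member server that authenticates against the existing Windows domain through Samba winbind and accepts Kerberos tickets over SSH. The realm `EXAMPLE.LOCAL`, the workgroup `EXAMPLE`, the host pattern and the ID ranges are placeholders, and the `idmap` lines assume Samba 3.0.x syntax.

```conf
# ---- /etc/krb5.conf ----
# Realm is the AD DNS domain in upper case (placeholder value).
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    # Locate the domain controllers through DNS SRV records.
    dns_lookup_realm = true
    dns_lookup_kdc = true

# ---- /etc/samba/smb.conf ----
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    # Member of an AD domain; the DCs stay the authority for logins.
    security = ads
    # Assumed Samba 3.0.x syntax; newer releases use "idmap config" lines.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U

# ---- /etc/nsswitch.conf ----
# Local accounts first, then domain accounts through winbind.
passwd: files winbind
group:  files winbind

# ---- join and verify (run as root on the Linux box) ----
#   net ads join -U Administrator
#   wbinfo -u          (should list domain users)
#   kinit someuser     (placeholder user name)
#   klist              (should show a ticket for EXAMPLE.LOCAL)

# ---- /etc/ssh/sshd_config on each Linux server ----
# sshd also needs a host/<fqdn> key in /etc/krb5.keytab; how that keytab
# is created depends on the Samba version in use.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# ---- ~/.ssh/config on the client ----
# Limit ticket-based login to hosts inside the domain and do not forward
# the ticket itself, so a compromised server cannot reuse it.
Host *.example.local
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

Kerberos rejects tickets when clocks drift more than about five minutes apart by default, so the Linux machines should sync time from the same source as the domain controllers before the join is attempted.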
|
|
03-11-2011, 12:06 AM
|
#9
|
Member
Registered: Apr 2005
Posts: 252
Original Poster
Rep:
|
Quote:
Originally Posted by ComputerErik
Exactly, essentially you are joining those Linux machines to your Windows domain and they become just like any of the Windows machines in terms of authentication. You can even get fancy and do a kerberized SSH so you can login to any of the other Linux machines with no need to type a password since a Kerberos ticket gets passed in the background.
|
Interesting. I just built 3 new boxes without O/S's on them yet. I think I will load one up with centos 5.5 and first get it joined to the windows network and test it all out before I do anything with the other two and once I get it working correctly I will decide what to do with the other 2 and the current servers joined up too. So I will need to just start out the NFS and samba right?
|
|
|
03-11-2011, 06:55 AM
|
#10
|
Member
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269
Rep:
|
That will depend on what your end goal is. If you want the Windows servers to provide just authentication and the Linux servers to provide storage yes. If you already have files on the Windows servers you want the Linux PCs to be able to access you might need only Samba.
|
|
|
03-11-2011, 07:39 AM
|
#11
|
Member
Registered: Apr 2005
Posts: 252
Original Poster
Rep:
|
Quote:
Originally Posted by ComputerErik
That will depend on what your end goal is. If you want the Windows servers to provide just authentication and the Linux servers to provide storage yes. If you already have files on the Windows servers you want the Linux PCs to be able to access you might need only Samba.
|
I will actually want to do it both ways. Such as, Windows PC's can access files on the Linux Boxes, and Linux be able to access other Linux and Windows Shared Folders/Drives.
|
|
|