feasible w/ samba?
Bart Silverstrim
bsilver at chrononomicon.com
Mon Oct 18 07:56:47 PDT 2004
random brain dropping question...still in the researching stage for
implementation.
Is it possible to have a setup similar to the following scenario:
I have three buildings. There are users that move among the buildings
on different days to use NT workstations (Win2K).
I'd like to put in four servers, identical in hard drive space and with
similar configurations running Samba.
I'd like every user to have a UNIX account and home directory.
There would be a master server called MASTER. The three buildings
would have different domains (AD support is still developing in SAMBA,
as I recall? "almost there"?)...domain1, domain2, and domain3, plus
the master server.
I'd like every night for the domain servers to rsync data to the master
server, then the master server would dole out periodically the changes
to remaining buildings. I.e., John logs into domain1 and works on NT
for the day, then logs off. domain1 server syncs back to the master
server that night, and then later syncs with domain2 and domain3.
John comes into building 2 for the day and logs in to domain2 domain.
Because it's domain2, a script runs that maps his home directory to J:
on \\domain2server\home\john. Because of the syncing, his home
directory contents are the same as they were on
\\domain1server\home\john.
The questions are,
1) is this type of setup feasible?
2) is it possible to "duplicate" accounts from the master server easily
to remote servers if they're unix accounts, or is it simpler to use a
different authentication and permission scheme? I know I can't just
sync home directories because UIDs and GIDs would not exist on the
remote systems without adding them to those machines, but can those
accounts be created by just syncing some files in /etc to those remote
machines (passwd, groups, etc.) and then syncing the directories in
question, since that should map the passwords and UID/GIDs? Or can
there be a simple syncing of samba users and their home directories by
just syncing a couple files that would make that layout simpler?
3) Would it be possible to have each of the workstations hardcoded to
log into their individual domains and, based on that, map the user's
home directory to their "local" server's version of the home directory
in question? I don't want them to be manipulating home directory data
on a server in building one when they're actually logged into a
workstation in building two, for example...I want the workstation
they're sitting at to log into the domain for domain2 and then map
their "home drive" to domain2's local server for later syncing with the
master server (and subsequent distribution to other systems).
4) What security problems would be immediately apparent with respect to
home directory access? I'd like just the owner of the directory and
root to have access to the home directories, but there may be other
shares for select groups of people to access being distributed as well.
I am still reading up on what Samba can and can't do, and it seems
some documentation is out of date out there, but looks like ACLs are
kind of iffy in support? How can this be done then, with cross-domain
access? Or is there another easier way to do it?
5) can users be "remotely created" easily by just copying a few files
among the servers? I.e., add a user on Master, then copy Master's
passwd, passwd.db, etc. files to each of the sub-servers, then the
sub-servers should know about "newuser" and "newuser"'s home directory
(also synced up from Master) without actually having to sit down and
create the user at each console. Or is there a way to sync information
using just Samba to have the correct password, directory info,
ownership, etc.?
***
What this would essentially be attempting to achieve is to have a way
for a geographically spread out network to allow people to easily access
their home directories and shares no matter where they logged in, using
local servers acting as time-delayed proxies...all the user login
information, user home directory data, user shared data
directories...it's a lot of duplicated information out there, but it
would fix the problem with authentication and home directory
information being temporarily inaccessible when a link is down between
building locations. No matter what building they were in, they would
have access to that building's copy of their home directory; the next
day, logging into a different building, they'd get their information
again.
Thoughts and/or ideas? I'd like to do this using either just SAMBA to
authenticate or underlying FreeBSD accounts, whichever would still make
it easy to duplicate by just syncing up some files and not messing up
GID/UID ownership and passwords. I know there are ways for single
sign-on using services like LDAP, but LDAP is an unfamiliar beast to me
(for now!) and while it may sync usernames and passwords, I don't think
it would handle things like permissions to home directories, especially
when trying to get workstations to map to their local building's server
instead of a single master home directory server.
Thanks,
-Bart
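The UID/GID concern raised in questions 2 and 5 can be checked before any home directory sync runs. This is an added example, not part of the original post: a sh function that compares two passwd-format files (constructed sample data inline) and reports accounts whose numeric IDs differ on the remote server or which the remote lacks, so the nightly rsync can be gated on the result. File names, user names, IDs and the host name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): gate the nightly home-directory
# rsync on the remote server's passwd file agreeing with the master's UIDs/GIDs.
# Sample data below is constructed; user names, IDs and paths are assumptions.
MASTER_PASSWD=$(mktemp)
REMOTE_PASSWD=$(mktemp)
trap 'rm -f "$MASTER_PASSWD" "$REMOTE_PASSWD"' EXIT
# Master server's accounts (constructed).
cat > "$MASTER_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
john:*:1001:1001:John:/home/john:/bin/sh
mary:*:1002:1002:Mary:/home/mary:/bin/sh
newuser:*:1003:1003:New User:/home/newuser:/bin/sh
EOF
# A building server that drifted: mary was created by hand with other IDs,
# and newuser was never propagated (constructed).
cat > "$REMOTE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
john:*:1001:1001:John:/home/john:/bin/sh
mary:*:1005:1005:Mary:/home/mary:/bin/sh
EOF
# check_ids MASTER_FILE REMOTE_FILE
# Prints one line per master account whose UID or GID differs on the remote
# (MISMATCH) or which the remote does not have at all (MISSING).
# Returns 0 only when every master account matches, 1 otherwise.
check_ids() {
    awk -F: '
        BEGIN { bad = 0 }
        NR == FNR { uid[$1] = $3; gid[$1] = $4; next }   # first file: master
        { seen[$1] = 1 }                                  # second file: remote
        ($1 in uid) && (uid[$1] != $3 || gid[$1] != $4) {
            printf "MISMATCH %s master=%s:%s remote=%s:%s\n", $1, uid[$1], gid[$1], $3, $4
            bad = 1
        }
        END {
            for (u in uid)
                if (!(u in seen)) { printf "MISSING %s (uid %s)\n", u, uid[u]; bad = 1 }
            exit bad
        }' "$1" "$2"
}
# Only run the sync when the IDs line up; --numeric-ids makes rsync carry the
# numbers across instead of remapping ownership by name on the receiving side.
if check_ids "$MASTER_PASSWD" "$REMOTE_PASSWD"; then
    echo "IDs consistent; safe to run: rsync -a --numeric-ids /home/ domain2server:/home/"
else
    echo "fix the accounts listed above before syncing home directories" >&2
fi
```

On FreeBSD the file to compare is /etc/master.passwd rather than /etc/passwd, and the .db files are regenerated locally with pwd_mkdb instead of being copied between machines.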
More information about the freebsd-questions mailing list