feasible w/ samba?

Bart Silverstrim bsilver at chrononomicon.com
Tue Oct 19 08:11:32 PDT 2004 

On Oct 18, 2004, at 2:26 PM, stheg olloydson wrote:

> --- Bart Silverstrim at chrononomicon.com> wrote:
>
>
>> Actually, it would be connectivity + bandwidth + geography.
>>
>> Some of the buildings are close together...close enough that you can
>> lean on the wall of one and throw a softball to hit the other.
>>
>> Others are over 20 miles apart, and it's not really 3 buildings...I
>> was using that just to simplify the scenario.  there would be 7.
>> Unfortunately, there's no way we currently know of to lay out enough
>> fiber for every building and still have reliable (and *fast*)
>> transfers compared to a "proxy" approach as I was envisioning in my
>> head.
>
> Ahhhh! This is a much different scenario. I was think of something like
> an office park or college campus.

Well, not really *much* different from what I was describing :-)

> Let me go over your questions in order
>
>> 1) is this type of setup feasible?
>
> Yes. About eight years ago, we did almost this exact thing on RedHat.

(how [well | poorly] did it turn out? Advantages, disadvantages?)

>> 2) is it possible to "duplicate" accounts from the master server
> easily
>> to remote servers if they're ununixccounts, or is it simpler to use a
>> different authentication and permission scheme?
>
> Include all relevant account data (e.g. password files) in the sync.

Do you know what on FreeBSD they would be, just to cover my bases of 
what files I should make sure of grabbing in the "final checklist"?

>
>> 3) Would it be possible to have each of the workstations hardcoded to
>> log into their individual domains and, based on that, map the user's
>> home directory to their "local" server's version of the home directory
>
>> in question?  I don't want them to be manipulating home directory data
>
>> on a server in building one when they're actually logged into a
>> workstation in building two, for example...I want the workstation
>> they're sitting at to log into the domain for domain2 and then map
>> their "home drive" to domain2's local server for later syncing with
> the
>> master server (and subsequent distribution to other systems).
>
> Does this make a difference? What if a user went to several buildings
> in one day?

99% of the time, they don't.  The only time I ever run into problems is 
when users go to another building for training.

The secondary purpose for syncing data would be a consistent copy of 
data available to them should it be necessary for searches or training 
in other buildings or a quick "need that file back!" moment.  In most 
cases doing a file find on any one server would find the user's file if 
they are searching for something...even if we're in a different 
building.  Just change the prefix of what server to have them connect 
to, and voila'..."list.doc is in your 
/home/jdoe/myfiles/mystuff/project directory".

> How do you merge the data? What may be easiest is for all
> users to always log into the master server if it's available.

For distant ones, no...not enough bandwidth to transfer some of their 
files in a way that won't make a lab choke.

> Before
> syncing, the master checks who logged into the remotes and which files
> they edited. Only those get synced. If a user logged into two remotes
> and edited the "same" file on each, then create a copy of each on the
> master.

They shouldn't, in theory, be logging in and editing from two servers 
the same file in their home directory, although this race condition is 
possible.  The sync method would be rsync.

It's the same with profiles under windows.  If they goof their profile 
by logging in twice and editing a document twice or losing something in 
their My Docs, the result is the same (although here with cron'd 
scripting we'd have finer control)...user education.  *don't do that!* 
:-)

The users in this scenario will not in 99% of cases be able to log into 
multiple servers at the same time to edit two "proxy" copies of their 
data.  Especially if there's a way to use domains in each building so 
they would physically have to be logging into a workstation that's 
hardcoded to map \\domain1server's storage and another workstation in 
another building for \\domain2server's storage.

Ideally, is there a way to run a Unix shell script on logoff of a 
windows 2000 system from a Samba domain controller?  Every logoff would 
result in a mini rsync back to the master...? (just a possibility)

>> 4) What security problems would be immediately apparent with respect
> to
>> home directory access?  I'd like just the owner of the directory and
>> root to have access to the home directories, but there may be other
>> shares for select groups of people to access being distributed as
> well.
>
> This is a sound policy. Home directories shouldn't contain files others
> need to access. The users should put those in shares with the
> appropriate permissions. BTW, FBSD has its own ACL facility.

How well integrated is it with Windows sharing?  Well, Samba...

do you know offhand if there are a lot (or any) of hand tweaking that 
would have to be done on samba in ports to do this?

Thanks for the feedback and help!

-Bart

More information about the freebsd-questions mailing list