Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 18 Oct 2004 10:56:45 -0400
From:      Bart Silverstrim <bsilver@chrononomicon.com>
To:        FreeBSD Question List <freebsd-questions@freebsd.org>
Subject:   feasible w/ samba?
Message-ID:  <EE490635-2115-11D9-BCBA-000D9338770A@chrononomicon.com>

next in thread | raw e-mail | index | archive | help
random brain dropping question...still in the researching stage for 
implementation.

Is it possible to have a setup similar to the following scenario:

I have three buildings.  There are users that move among the buildings 
on different days to use NT workstations (Win2K).

I'd like to put in four servers, identical in hard drive space and with 
similar configurations running Samba.

I'd like every user to have a UNIX account and home directory.

There would be a master server called MASTER.  The three buildings 
would have different domains (AD support is still developing in SAMBA, 
as I recall?  "almost there"?)...domain1, domain2, and domain3, plus 
the master server.

I'd like every night for the domain servers to rsync data to the master 
server, then the master server would dole out periodically the changes 
to remaining buildings.  I.e., John logs into domain1 and works on NT 
for the day, then logs off.  domain1 server syncs back to the master 
server that night, and then later syncs with domain2 and domain3.

John comes into building 2 for the day and logs in to domain2 domain.  
Because it's domain2, a script runs that maps his home directory to J: 
on  \\domain2server\home\john.  Because of the syncing, his home 
directory contents are the same as they were on 
\\domain1server\home\john.

The questions are,
1) is this type of setup feasible?

2) is it possible to "duplicate" accounts from the master server easily 
to remote servers if they're unix accounts, or is it simpler to use a 
different authentication and permission scheme?  I know I can't just 
sync home directories because UIDs and GIDs would not exist on the 
remote systems without adding them to those machines, but can those 
accounts be created by just syncing some files in /etc to those remote 
machines (passwd, groups, etc.) and then syncing the directories in 
question, since that should map the passwords and UID/GIDs?  Or can 
there be a simple syncing of samba users and their home directories by 
just syncing a couple files that would make that layout simpler?

3) Would it be possible to have each of the workstations hardcoded to 
log into their individual domains and, based on that, map the user's 
home directory to their "local" server's version of the home directory 
in question?  I don't want them to be manipulating home directory data 
on a server in building one when they're actually logged into a 
workstation in building two, for example...I want the workstation 
they're sitting at to log into the domain for domain2 and then map 
their "home drive" to domain2's local server for later syncing with the 
master server (and subsequent distribution to other systems).

4) What security problems would be immediately apparent with respect to 
home directory access?  I'd like just the owner of the directory and 
root to have access to the home directories, but there may be other 
shares for select groups of people to access being distributed as well. 
  I am still reading up on what Samba can and can't do, and it seems 
some documentation is out of date out there, but looks like ACLs are 
kind of iffy in support?  How can this be done then, with cross-domain 
access?  Or is there another easier way to do it?

5) can users be "remotely created" easily by just copying a few files 
among the servers?  I.e., add a user on Master, then copy Master's 
passwd, passwd.db., etc. files to each of the sub-servers, then the 
subservers should know about "newuser" and "newuser"'s home directory 
(also synced up from Master) without actually having to sit down and 
create the user at each console.  Or is there a way to sync information 
using just Samba to have the correct password, directory info, 
ownership, etc.?

***
What this would essentially be attempting to achieve is to have a way 
for a geographically spread out network allow people to easily access 
their home directories and shares no matter where they logged using 
local servers acting as time-delayed proxies...all the user login 
information, user home directory data, user shared data 
directories...it's a lot of duplicated information out there, but it 
would fix the problem with authentication and home directory 
information being temporarily inaccessible when a link is down between 
building locations.  No matter what building they were in, they would 
have access to that building's copy of their home directory; the next 
day, logging into a different building, they'd get their information 
again.

Thoughts and/or ideas?  I'd like to do this using either just SAMBA to 
authenticate or underlying FreeBSD accounts, whichever would still have 
it easy to duplicate by just syncing up some files and not messing up 
GID/UID ownership and passwords.  I know there are ways for single 
sign-on using services like LDAP, but LDAP is an unfamiliar beast to me 
(for now!) and while it may sync usernames and password, I don't think 
it would handle things like permissions to home directories, especially 
when trying to get workstations to map to their local building's server 
instead of a single master home directory server.

Thanks,
-Bart



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?EE490635-2115-11D9-BCBA-000D9338770A>