From: Bart Silverstrim
To: FreeBSD Question List
Date: Mon, 18 Oct 2004 10:56:45 -0400
Subject: feasible w/ samba?

Random brain-dropping question... still in the researching stage for implementation. Is it possible to have a setup similar to the following scenario?

I have three buildings. There are users that move among the buildings on different days to use NT workstations (Win2K). I'd like to put in four servers, identical in hard drive space and with similar configurations, running Samba. I'd like every user to have a UNIX account and home directory. There would be a master server called MASTER. The three buildings would have different domains (AD support is still developing in SAMBA, as I recall? "almost there"?)... domain1, domain2, and domain3, plus the master server.
I'd like every night for the domain servers to rsync data to the master server; then the master server would periodically dole out the changes to the remaining buildings. I.e., John logs into domain1 and works on NT for the day, then logs off. The domain1 server syncs back to the master server that night, and then later syncs with domain2 and domain3. John comes into building 2 for the day and logs in to the domain2 domain. Because it's domain2, a script runs that maps his home directory to J: on \\domain2server\home\john. Because of the syncing, his home directory contents are the same as they were on \\domain1server\home\john.

The questions are:

1) Is this type of setup feasible?

2) Is it possible to "duplicate" accounts from the master server easily to remote servers if they're UNIX accounts, or is it simpler to use a different authentication and permission scheme? I know I can't just sync home directories, because the UIDs and GIDs would not exist on the remote systems without adding them to those machines, but can those accounts be created by just syncing some files in /etc to those remote machines (passwd, groups, etc.) and then syncing the directories in question, since that should map the passwords and UIDs/GIDs? Or can there be a simple syncing of Samba users and their home directories by just syncing a couple of files that would make that layout simpler?

3) Would it be possible to have each of the workstations hardcoded to log into their individual domains and, based on that, map the user's home directory to their "local" server's version of the home directory in question? I don't want them manipulating home directory data on a server in building one when they're actually logged into a workstation in building two, for example... I want the workstation they're sitting at to log into the domain2 domain and then map their "home drive" to domain2's local server for later syncing with the master server (and subsequent distribution to other systems).
4) What security problems would be immediately apparent with respect to home directory access? I'd like just the owner of the directory and root to have access to the home directories, but there may be other shares for select groups of people to access being distributed as well. I am still reading up on what Samba can and can't do, and it seems some of the documentation out there is out of date, but it looks like ACL support is kind of iffy? How can this be done, then, with cross-domain access? Or is there another, easier way to do it?

5) Can users be "remotely created" easily by just copying a few files among the servers? I.e., add a user on Master, then copy Master's passwd, passwd.db, etc. files to each of the sub-servers; then the sub-servers should know about "newuser" and "newuser"'s home directory (also synced up from Master) without actually having to sit down and create the user at each console. Or is there a way to sync the information using just Samba to have the correct password, directory info, ownership, etc.?

***

What this would essentially be attempting to achieve is a way for a geographically spread-out network to allow people to easily access their home directories and shares no matter where they logged in, using local servers acting as time-delayed proxies... all the user login information, user home directory data, user shared data directories... it's a lot of duplicated information out there, but it would fix the problem of authentication and home directory information being temporarily inaccessible when a link is down between building locations. No matter what building they were in, they would have access to that building's copy of their home directory; the next day, logging into a different building, they'd get their information again. Thoughts and/or ideas?
I'd like to do this using either just SAMBA to authenticate or the underlying FreeBSD accounts, whichever would still make it easy to duplicate by just syncing up some files without messing up GID/UID ownership and passwords. I know there are ways to do single sign-on using services like LDAP, but LDAP is an unfamiliar beast to me (for now!), and while it may sync usernames and passwords, I don't think it would handle things like permissions to home directories, especially when trying to get workstations to map to their local building's server instead of a single master home directory server.

Thanks,
-Bart
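The file-copy approach in questions 2 and 5, and the "owner and root only" requirement in question 4, can be tried as a nightly pull on each building server. The script below is an added example written for this page, not part of Bart's post or of any reply to it. Everything in it is an assumption: a host named "master" reachable over ssh, user accounts kept at UID/GID 1000 and above so that each box's own system accounts (root, daemon, smmsp, ...) are never overwritten, MASTER being authoritative (a user removed there disappears from the replicas), and /home as the home directory root. The FreeBSD side is what the post asks about: master.passwd is the real account file, and pwd_mkdb(8) rebuilds /etc/passwd, /etc/pwd.db and /etc/spwd.db from it, so copying the source file is enough to "remotely create" the user, provided UIDs and GIDs match.

```shell
#!/bin/sh
# Added example (hypothetical setup, not code from the original post):
# replicate MASTER's UNIX user accounts and home directories to a building
# server. Assumes user accounts live at UID >= MIN_ID, that MASTER is
# authoritative, and that "master" is reachable as root over ssh.
set -eu

MIN_ID=${MIN_ID:-1000}

# merge_passwd LOCAL MASTER
# Print a merged master.passwd: every local entry below MIN_ID (the system
# accounts) is kept as-is, and every MASTER entry at or above MIN_ID is taken
# verbatim, password hash and UID/GID included, so ownership of synced home
# directories resolves to the same numbers on every server. Local entries at
# or above MIN_ID are dropped (MASTER is authoritative). Refuses to continue
# if a MASTER user name would shadow a local system account.
merge_passwd() {
    awk -F: -v min="$MIN_ID" '
        FILENAME == ARGV[1] {             # first file: local master.passwd
            if ($3 + 0 < min) { sysname[$1] = $3; print }
            next
        }
        $3 + 0 >= min {                   # second file: MASTER user accounts
            if ($1 in sysname) {
                printf "refusing: MASTER user %s shadows local system uid %s\n", $1, sysname[$1] > "/dev/stderr"
                exit 1
            }
            print
        }
    ' "$1" "$2"
}

# install_passwd MERGED
# Rebuild the password databases from the merged file. pwd_mkdb installs the
# file as /etc/master.passwd and writes pwd.db/spwd.db; -p also regenerates
# the world-readable /etc/passwd (which carries no hashes).
install_passwd() {
    cp "$1" /etc/master.passwd.new
    chmod 0600 /etc/master.passwd.new
    pwd_mkdb -p /etc/master.passwd.new
}

# sync_homes SRC DST
# rsync home directories with ownership carried as numeric UID/GID
# (--numeric-ids), so the merged passwd above is what maps them back to
# names. -a keeps each user's own 0700 mode bits; --delete mirrors removals;
# -e ssh keeps hashes and user data off the wire in the clear.
sync_homes() {
    rsync -a -e ssh --numeric-ids --delete "$1" "$2"
}

# home_mode_violations ROOT
# Print home directories directly under ROOT that are readable by group or
# other, i.e. that anyone besides the owner and root could get into.
home_mode_violations() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -040 -o -perm -004 \) -print
}

# Nightly pull on a building server (run as root).
replicate_from_master() {
    tmp=$(mktemp -d)
    rsync -a -e ssh root@master:/etc/master.passwd "$tmp/master.passwd"
    merge_passwd /etc/master.passwd "$tmp/master.passwd" > "$tmp/merged"
    install_passwd "$tmp/merged"
    sync_homes root@master:/home/ /home/
    home_mode_violations /home
    rm -rf "$tmp"
}
```

Two caveats for the Samba side. First, master.passwd only carries the UNIX hashes; Samba keeps the NT password hashes in its own passdb (the smbpasswd file or tdbsam), so that file has to travel with the same rsync or the replicas will accept UNIX logins but not Windows ones. Second, question 3 does not need a per-domain script: in each building server's smb.conf, `logon drive = J:` and `logon home = \\%L\%U` expand `%L` to the NetBIOS name of the server the workstation actually logged on to, so J: always lands on the local copy, and a `[homes]` share with `valid users = %S`, `browseable = no`, `create mask = 0600` and `directory mask = 0700` limits each home share to its owner (root remains unrestricted on the filesystem itself).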