Contributed by jose on from the crazy-combo dept.
"I have used an obsd/samba fileserver for software rollouts to workstations and have been quite satisfied. It is an admin only server and has run for 10 months without a single problem. I imagine this can be done, but perhaps with a bit of work. Anyone else using an OpenBSD solution this way who can share some insight and tips? I would like to migrate common user fileservers from winblows but am concerned about some of the limitations. Most people here know about the pam/winbind support issues and how that prevents us from assigning centralized domain group access to acls on samba shares. Which of course leads to the replication of user/password info around the network so that each fileserver can have "local" users/groups for file system access.
With that said, here's my vision on the setup.
- kerberos (yeah I know about the v5 obsd issues) for centralized authentication
- samba as a dfs server frontend to simply host the dfs structure
- backend servers which host the actual files
My questions are ...
If I have replicated user info on the dfs frontend, is there a way to bypass that requirement on the backend computers?
In other words, does the dfs frontend proxy the user during the frontend/backend exchange? And if so, does the backend simply see this as a request from the dfs frontend or does it see it as a request from the user?
My thought is that if the backend servers see the exchanges as requests from the frontend dfs server (vice the users themselves), the backend servers may not need all the accounts replicated to them.
If you could set up the above, I guess you could have an account for only the frontend server on the backend machines.
My goal here is to somehow minimize the number of computers that are in this account replication process. While also being able to distribute the load.
Thanks in advance."
(Comments are closed)
By Anonymous Coward () on
By Bolke () bolke@xs4all.nl on
Correct me if I am wrong however.
By Concerned Citizen () on
I guarantee you, you're going to be blowing more money in man hours than if you had just gone and done it right.
I can understand if you're just going to tinker around on the side with Samba, but it sounds like you're doing this for a production environment. I can't believe your boss lets you tinker around with stuff like this instead of just getting the job done.
By submicron () god.hates.you@inherently-evil.net on
Samba has already shown itself to be a very viable solution, perhaps not as polished as native Windows CIFS but hardly inferior.
After I migrated my company's servers over to OpenBSD and showed them the considerable cost savings (2% of total gross revenue), my boss had no trouble with me spending a little time "tinkering". In fact, he even coughed up to send me on a nice little vacation.
By Concerned Citizen () on
Here's some well-established studies:
IDC Puts Windows 2000 Ahead Of Linux in TCO Study
ZDNet
Samba is a great product, but it's ridiculous to claim it's not inferior. The (excellent) Samba team is constantly playing catch up with Microsoft and their new server technologies. It can never be anything but inferior, because it's always trying to play catch up against proprietary technologies. For good or bad, these proprietary technologies are the reality of the game.
These "massive security issues" crop up on ALL OSes. Sendmail? Linux kernel? BIND? Anything to do with RPC services? A lot of these so-called massive security issues exist, because there are a lot of lazy win2k (and unix) admins out there who don't patch their systems. It sounds like you don't have much experience with Windows 2000 administration, or you'd know the security tools are there for serious hardening.
With Automatic Updates, and Windows Update, I don't know how much easier Microsoft could make it for people to keep up with patches. And you want these people to start managing UNIX servers? No, we'll have to hire skilled technical people who demand large salaries. But hey, the software is free *cough cough*, right?
As the saying goes, it's only free if your time is worthless. Use the right tool for the right job.
By Blarney Stone this () on
The IDC research report you pointed out was funded by Microsoft. Flip side of a Slashdot story, take it out of the equation.
The other story says it can go both ways, linux admins are more productive than Microsoft admins.
But this is OpenBSD, and there are no TCO studies for OpenBSD shops.
But here is a data point:
I spent an entire night battling the slammer worm and the meltdown it caused on our network, even though we already blocked SQL ports at the firewall. An affiliate infected our MS servers hours after the initial worldwide infection.
Why did we get "slammed"? Because the people with the MS servers didn't have the patches applied. The next week we started scanning for unpatched MS servers and disconnecting them from the network if we could not verify they had been patched. One guy went ballistic, claiming he had already patched his MS server. Problem was he kept interrupting the Service Pack update or whatever when it went into a seeming pause, killing the update.
On the other hand, when the Bind vulnerability came out two years ago, I was out of town, connected via ssh and upgraded the OpenBSD dns servers remotely, and we were not impacted at all.
Now I would agree, use the right tool for the job, but not all of Microsoft products are the right tool for a network.
-.-
By killer, murderer, death monger of all windows piec () alpha@panix.com on to the loser winadmin
you got nerve rollin up in our hood here
last time i checked this was the
www.deadly.org hood
now i would strongly advise you to take your little prissy windows out of here
before we rollup in your winblows network
and drop fifty cents on your hide
this is the openbsd hood
you windows types need not apply
methods of mayhem
By Geeo () on
By Bebe () on
By zil0g () on
man 1 intro;
man 8 afterboot;
man 8 lpd;
man 5 printcap;
By Raúl () on
By Concerned Citizen () on
(due to my biases and using the wrong tool for the job basically)
By Anonymous Coward () on
I'm guessing it's somewhere in the microsoft.com domain.
By waldo () waldo@nospam.iastate.edu on
By coldie () rolick571@duq.edu on
By MrCognivore () bridge19 at msu dot edu on
By Irresponsible Babe () on
By dawg () on