OpenBSD Journal

samba dfs and kerberos

Contributed by jose on from the crazy-combo dept.

dawg asks:
"I have used an obsd/samba fileserver for software rollouts to workstations and have been quite satisfied. It is an admin only server and has run for 10 months without a single problem.

I would like to migrate common user fileservers from winblows but am concerned about some of the limitations. Most people here know about the pam/winbind support issues and how that prevents us from assigning centralized domain group access to acls on samba shares. Which of course leads to the replication of user/password info around the network so that each fileserver can have "local" users/groups for file system access.

With that said, Here's my vision on the setup.

  • kerberos (yeah I know about the v5 obsd issues) for centralized authentication
  • samba as a dfs server frontend to simply host the dfs structure
  • backend servers which host the actual files
My questions are ...

If I have replicated user info on the dfs frontend, is there a way to bypass that requirement on the backend computers?

In other words, does the dfs frontend proxy the user during the frontend/backend exchange? And if so, does the backend simply see this as a request from the dfs frontend or does it see it as a request from the user?

My thought is that if the backend servers see the exchanges as requests from the frontend dfs server (vice the users themselves), the backend servers may not need all the accounts replicated to them.

If you could set up the above, I guess you could have an account for only the frontend server on the backend machines.

My goal here is to somehow minimize the number of computers that are in this account replication process. While also being able to distribute the load.

Thanks in advance."

I imagine this can be done, but perhaps with a bit of work. Anyone else using an OpenBSD solution this way who can share some insight and tips?


  1. By Anonymous Coward () on

    fwiw, login_ldap was just added to the openbsd ports tree. That may work out better than kerberos.

  2. By Bolke () on

    As far as I know the request will give a redirect to the client, as that's the whole purpose of the DFS (eg reduce server load including the load on its NIC)

    Correct me if I am wrong however.
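
The referral behaviour Bolke describes above is what decides dawg's question, and the following is an added example (not code from the post, its author, or the Samba project) showing what it looks like on a Samba DFS root. The frontend share is marked as a DFS root, and each entry in it is a symlink whose target begins with `msdfs:`; Samba hands such a link back to the client as a referral instead of opening it, and the client then connects to the backend share directly with its own credentials. The backend therefore authenticates the user itself; the frontend never proxies the request, which is why the backend cannot get by with a single account for the frontend server. Host names fs1 and fs2, the share names, and the `dfs` share name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project: build a
# Samba DFS root directory on the frontend. Samba serves a directory as a DFS
# root when smb.conf has "host msdfs = yes" in [global] and "msdfs root = yes"
# on the share; any symlink in it whose target is "msdfs:SERVER\SHARE[\path]"
# is returned to the client as a referral. Hosts fs1/fs2 and the share names
# are assumptions.

# make_dfs_root ROOTDIR
# Creates ROOTDIR and populates it with msdfs referral links. The client
# follows each referral itself, so the backend sees the user's own session,
# not one from the frontend.
make_dfs_root() {
    root="$1"
    mkdir -p "$root"
    # link name -> backend server\share (backslashes are literal in the target)
    ln -sf 'msdfs:fs1\users'    "$root/users"
    ln -sf 'msdfs:fs2\projects' "$root/projects"
    # one link may list several alternates; clients try them in order
    ln -sf 'msdfs:fs1\software,fs2\software' "$root/software"
}

# dfs_target LINK
# Prints the referral target(s) of one msdfs link without the "msdfs:"
# prefix; fails if LINK is not a referral link.
dfs_target() {
    t=$(readlink "$1") || return 1
    case "$t" in
        msdfs:*) printf '%s\n' "${t#msdfs:}" ;;
        *) return 1 ;;
    esac
}

# smb_conf_fragment SHARENAME ROOTDIR
# Prints the smb.conf stanzas that make ROOTDIR a DFS root. "host msdfs"
# belongs in [global]; the share itself holds only the referral links.
smb_conf_fragment() {
    cat <<EOF
[global]
    host msdfs = yes

[$1]
    path = $2
    msdfs root = yes
    read only = yes
EOF
}

# Demonstration: build a throwaway root, list the referral targets, print the
# smb.conf stanza for a hypothetical /srv/dfs root, then clean up.
demo_root=$(mktemp -d)
make_dfs_root "$demo_root"
for link in users projects software; do
    printf '%-10s -> %s\n' "$link" "$(dfs_target "$demo_root/$link")"
done
smb_conf_fragment dfs /srv/dfs
rm -rf "$demo_root"
```

Because nothing but referral links lives on the frontend, the frontend only needs enough account information to let users open the DFS root; every backend still needs the user's identity resolved locally (by whatever mechanism it uses), since that is where the user's session actually lands.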

  3. By Concerned Citizen () on

    How much money do you actually think you're going to save by following your biases and going with the inferior product for this specific task (eg. Windows sharing/domain stuff), instead of picking the product that would be right for this job (eg. Windows 2000 Server).

    I guarantee you, you're going to be blowing more money in man hours than if you had just gone and done it right.

    I can understand if you're just going to tinker around on the side with Samba, but it sounds like you're doing this for a production environment. I can't believe your boss lets you tinker around with stuff like this instead of just getting the job done.

    1. By submicron () on

      I think its already been fairly well established that the TCO of Windows 2000 Server is higher than linux/bsd/*nix solutions. You have the obscenely high license fees + the high end hardware to run it, not to mention having to constantly fear the next massive security issue to be discovered.

      Samba has already shown itself to be a very viable solution, perhaps not as polished as native Windows CIFS but hardly inferior.

      After I migrated my company's servers over to OpenBSD and showed them the considerable cost savings (2% of total gross revenue), my boss had no trouble with me spending a little time "tinkering". In fact, he even coughed up to send me on a nice little vacation.

      1. By Concerned Citizen () on

        Well-established by who? Sure, Slashdot, and the various Linux trade mags who supposedly did "independent" studies. Quote your sources from people that DON'T have a vested interest in Linux's success.

        Here are some well-established studies:
        IDC Puts Windows 2000 Ahead Of Linux in TCO Study

        Samba is a great product, but it's ridiculous to claim it's not inferior. The (excellent) Samba team is constantly playing catch up with Microsoft and their new server technologies. It can never be anything but inferior, because it's always trying to play catch up against proprietary technologies. For good or bad, these proprietary technologies are the reality of the game.

        These "massive security issues" crop up on ALL OSes. Sendmail? Linux kernel? BIND? Anything to do with RPC services? A lot of these so-called massive security issues exist because there are a lot of lazy win2k (and unix) admins out there who don't patch their systems. It sounds like you don't have much experience with Windows 2000 administration, or you'd know the security tools are there for serious hardening.

        With Automatic Updates, and Windows Update, I don't know how much easier Microsoft could make it for people to keep up with patches. And you want these people to start managing UNIX servers? No, we'll have to hire skilled technical people who demand large salaries. But hey, the software is free *cough cough*, right?

        As the saying goes, it's only free if your time is worthless. Use the right tool for the right job.

        1. By Blarney Stone this () on

          Warning...Stink-o-meter rising.....

          The IDC research report you pointed out was funded by Microsoft. Flip side of a Slashdot story, take it out of the equation.

          The other story says it can go both ways, linux admins are more productive than Microsoft admins.

          But this is OpenBSD, and there are no TCO studies for OpenBSD shops.

          But here is a data point:

          I spent an entire night battling the slammer worm and the meltdown it caused on our network, even though we already blocked SQL ports at the firewall. An affiliate infected our MS servers hours after the initial worldwide infection.

          Why did we get "slammed"? Because the people with the MS servers didn't have the patches applied. The next week we started scanning for unpatched MS servers and disconnecting them from the network if we could not verify they had been patched. One guy went ballistic, claiming he had already patched his MS server. Problem was he kept interrupting the Service Pack update or whatever when it went into a seeming pause, killing the update.

          On the other hand, when the Bind vulnerability came out two years ago, I was out of town, connected via ssh and upgraded the OpenBSD dns servers remotely, and we were not impacted at all.

          Now I would agree, use the right tool for the job, but not all of Microsoft products are the right tool for a network.


        2. By killer, murderer, death monger of all windows piec () on to the loser winadmin

          What up fool,
          you got nerve rollin up in our hood here
          last time i checked this was the
          now i would strongly advise you to take your little prissy windows out of here
          before we rollup in your winblows network
          and drop fifty cents on your hide
          this is the openbsd hood
          you windows types need not apply
          methods of mayhem

  4. By Geeo () on

    Don't make me laugh, dude.

    1. By Bebe () on

      OpenBSD is a fine firewall OS, but when it comes to file/print serving, I'd avoid using it at any cost. It isn't worth the time and effort.

      1. By zil0g () on

        man 1 man;
        man 1 intro;
        man 8 afterboot;
        man 8 lpd;
        man 5 printcap;

      2. By Raśl () on

        You are a very lazy guy because Samba on OpenBSD doesn't require so much effort. In my company we have set up a structure based on this (with centralized LDAP authentication) around 6 countries in Europe with minor pain (due to windows clients basically).

        1. By Concerned Citizen () on

          that last part should be:
          (due to my biases and using the wrong tool for the job basically)

          1. By Anonymous Coward () on

            Hey, Jose, can you trace the troll's IP?

            I'm guessing it's somewhere in the domain.

      3. By waldo () on

        worked fine for me. dunno what you guys are complaining about. i've got obsd on my fileserver and it's running rather nicely with samba.

      4. By coldie () on

        took me about .. maybe 10 minutes to setup samba and it streams video over my network to several windows clients without any problems thus far

      5. By MrCognivore (bridge19 at msu dot edu) on

        I'm surprised no one mentioned CVS... It took me about 20 sec to set up a CVS server for my workgroup! It works great, and the security means we have more peace of mind.

      6. By Irresponsible Babe () on

        is this the way you raised tco for microsoft's linux study??

  5. By dawg () on

    just because msft may have a solution doesn't mean I should/will use it. frankly, I hate msft with the fire of 10,000 suns. and for that reason only, I am willing to find an alternative. as far as extra work is concerned, like I said in my intro, my samba fileserver has run for 10 months without a hitch. I have never seen a msft product run even 10 weeks without a hitch.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]