On Jul 10, 2010, at 10:59 AM, Niki Kovacs contact@kikinovak.net wrote:
> Hi,
> I have to install a small network in a school in a nearby village. The network will be Linux-only, one server and fifteen desktops. Here's the idea.
> - Authentication should be managed centrally on the server.

Use some type of directory service (LDAP/NIS) coupled with an authentication service like Kerberos.
Basically keep passwords out of the directory and you need to have a Kerberos ticket to access the directory.

> - User home directories should also be on the server.

Not a problem, you can share these out via NFS and/or Samba.

> - Users should all have disk quotas, something like 1 GB per user.

Also not a problem to set up quotas and use rquotad to remotely query these from NFS clients. Samba has built-in support for quotas.

> - Some shared directories should be read/write for a defined group of users (teachers) and read-only for others.

Standard POSIX perms can take care of that; for finer-grained perms you can use ACLs.

> So far, I've only dealt with local authentication. I have a little practice in basic setups of Samba and NFS and managed to get these to work OK. On the other hand, I've never worked with NIS, LDAP or the likes.

NIS is easier than LDAP and might be a good quick-n-dirty way to get going initially. Just use a separate authentication service like Kerberos and keep passwords out of the directory service.

> My question is more general, and I don't want to go into technical details. According to the KISS principle, which solution would you recommend (or explicitly *not* recommend)? A mix of LDAP and Samba? Or NIS and NFS? And what's this thing called Directory Server, which vaguely sounds like it's the right way to go?

You can really mash all these technologies up.
If all clients are Linux then start with NFS/NIS/Kerberos, then as things grow you can look to move to LDAP.
The "Directory Server" is a turn-key package for implementing LDAP plus Kerberos with a pre-established LDAP schema and tools to manage it.
Definitely worth taking a look at. Personally I don't have experience with it so can't recommend or not recommend it.
You COULD also have a Windows Active Directory server to provide LDAP and Kerberos services to your Linux environment. They definitely have nice management tools. MS for not-for-profit is dirt cheap. Run it as a VMware/VirtualBox/KVM/Xen VM. Hell, run the whole server as an ESXi host and have multiple VMs for redundancy/load spreading.
-Ross
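Added example, not part of the thread: a POSIX shell function implementing the shared-directory scheme from the reply above (a setgid group directory writable by the "teachers" group and read-only for everyone else, with default ACLs where the filesystem supports them). The function names, the mode-check helper and the paths are my own; the group is assumed to already exist on the server.

```shell
# setup_shared_dir DIR GROUP: make DIR read/write for GROUP, read-only for others.
setup_shared_dir() {
    dir="$1"
    grp="$2"
    mkdir -p "$dir" || return 1
    chgrp "$grp" "$dir" || return 1
    # Mode 2775: setgid bit so files created inside inherit the directory's
    # group, rwx for owner and group, r-x (read-only) for everyone else.
    chmod 2775 "$dir" || return 1
    # Optional refinement: default ACLs keep new files group-writable even
    # when a user's umask (e.g. 022) would otherwise drop group write.
    # Skipped with a note if setfacl is missing or the filesystem lacks ACLs.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -m "g:$grp:rwx,o::r-x" "$dir" 2>/dev/null \
            && setfacl -d -m "u::rwx,g:$grp:rwx,o::r-x" "$dir" 2>/dev/null \
            || echo "note: ACLs not applied to $dir (no ACL support?)" >&2
    fi
    return 0
}

# shared_dir_mode DIR: print the permission string, e.g. drwxrwsr-x.
# The "s" in the group triple confirms the setgid bit is set.
shared_dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Example run (constructed path; "teachers" is the group named in the thread):
#   setup_shared_dir /srv/shared/teachers teachers
#   shared_dir_mode /srv/shared/teachers
```

Users who should only read the directory still need execute (search) permission on every parent directory, which is why the path is exported with r-x for "others" rather than no access at all.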