Hey folks,
I've got a CentOS / RHEL (5.x) environment and am in the process of migrating the 5.3 file server over to an Oracle/Sun 7120 appliance.
I want to keep my main 5.3 server as our NIS server but am moving NFS and Samba functions over to the appliance.
NFS was a no-brainer, as one can imagine. Samba seems a bit trickier because of the authentication requirements in the ZFS server. They seem to want a domain controller, which we don't have.
Has anyone been here recently and can help with how to configure the appliance for Samba but authenticate from NIS?
thanks, -Alan
On Fri, Nov 25, 2011 at 4:00 PM, Alan McKay alan.mckay@gmail.com wrote:
> Hey folks,
> I've got a CentOS / RHEL (5.x) environment and am in the process of migrating the 5.3 file server over to an Oracle/Sun 7120 appliance.
> I want to keep my main 5.3 server as our NIS server but am moving NFS and Samba functions over to the appliance.
> NFS was a no-brainer, as one can imagine. Samba seems a bit trickier because of the authentication requirements in the ZFS server. They seem to want a domain controller, which we don't have.
> Has anyone been here recently and can help with how to configure the appliance for Samba but authenticate from NIS?
> thanks, -Alan
I don't know that particular NAS, but does it allow you to set up an anonymous SMB user?
If not, then set up a normal SMB share on the NAS and mount it on the CentOS server, then rsync the data across.
> I don't know that particular NAS, but does it allow you to set up an anonymous SMB user?
> If not, then set up a normal SMB share on the NAS and mount it on the CentOS server, then rsync the data across.
Moving the data is the easy part.
The problem here is that currently SMB runs on the 5.3 box which is also where NIS runs, and people authenticate from there.
The ZFS appliance is going to be the new home for SMB but it does not have a native authentication system and seems to want a pretty elaborate one, not something nice and simple like the Linux Samba software.
On 11/25/11 10:46 AM, Alan McKay wrote:
> The problem here is that currently SMB runs on the 5.3 box which is also where NIS runs, and people authenticate from there.
> The ZFS appliance is going to be the new home for SMB but it does not have a native authentication system and seems to want a pretty elaborate one, not something nice and simple like the Linux Samba software.
If you're running multiple Windows systems with a server and DON'T have centralized authentication, you have a mess.
If you're not running Windows systems, then why are you using SMB? NFS is the native file sharing system for Unix and Linux systems.
> If you're running multiple Windows systems with a server and DON'T have centralized authentication, you have a mess.
> If you're not running Windows systems, then why are you using SMB? NFS is the native file sharing system for Unix and Linux systems.
It is a bit of an oddball arrangement. We are a scientific research lab within a hospital environment. Most people use Linux or Mac - and those who do use Windows connect to the hospital domain. We don't have any control over that domain at all - I support the researchers and am independent from central IT. When the Windows users connect to the 5.3 box via SMB they use a local username and password on the 5.3 box, not their central domain credentials.
Hmmm, I probably know what the answer will be, but I could always ask the hospital to let me connect it to the domain. Though that could present security risks that I don't want to deal with.
On Fri, 2011-11-25 at 19:50 -0500, Alan McKay wrote:
> > If you're running multiple Windows systems with a server and DON'T have centralized authentication, you have a mess.
> > If you're not running Windows systems, then why are you using SMB? NFS is the native file sharing system for Unix and Linux systems.
> It is a bit of an oddball arrangement. We are a scientific research lab within a hospital environment. Most people use Linux or Mac - and those who do use Windows connect to the hospital domain. We don't have any control over that domain at all - I support the researchers and am independent from central IT. When the Windows users connect to the 5.3 box via SMB they use a local username and password on the 5.3 box, not their central domain credentials.
I would think you would be better off using LDAP; at least you can unify the Linux/Windows/(possibly Macintosh) logins from one single authentication source (LDAP).
There are migration scripts for Linux/NIS (openldap-servers).
If there are not too many Samba users, you could copy/paste their hashed passwords from the backend (presuming that you are using the smbpasswd or tdb passdb in Samba).
There are some tools you can use to create/modify users and simultaneously change their passwords for both Linux/Windows logins and make them the same password.
You could also make Samba & LDAP a Windows domain controller.
I mention possibly Macintosh because it is possible to have Macs authenticate against LDAP too, but I suspect that you are using all local logins on both Macs and Windows.
Craig
On 11/25/11 4:50 PM, Alan McKay wrote:
> Hmmm, I probably know what the answer will be, but I could always ask the hospital to let me connect it to the domain. Though that could present security risks that I don't want to deal with.
Yes, that is the answer, and actually, no, there are no security risks. Your server will just be using the domain to authenticate Windows users, and they'll see it as 'single sign-on', same as any other "Windows" server. Other authentication, like local Unix administration and NFS users, will proceed the same as before.
To 'join the domain', the Windows domain admins will just need to create a computer account for your server, and then it 'joins' the domain; this involves an automated private key exchange sequence. It can be done several different ways, at the whims of your Windows domain admins. In one method, a domain admin needs to enter his domain credentials (domainname\username, password) once into your server, and it joins (the admin credentials are only used once and not saved). In the other method, they pre-create the computer account on the domain, and you then join your host and it exchanges those keys previously mentioned.
This establishes a limited 'trust' relation, where basically your server trusts the domain server(s) to do Windows user authentication, and the domain servers allow your Windows server to do this. Nothing else. It's actually all quite well thought out, based on Kerberos and LDAP.
On 11/25/11 6:00 AM, Alan McKay wrote:
> Has anyone been here recently and can help with how to configure the appliance for Samba but authenticate from NIS?
I've never heard of Samba authenticating off NIS, as Windows (SMB/CIFS) and Unix (PAM, NIS, etc.) use different, incompatible password hashes. On a pure Samba system that doesn't have an external authentication system such as Active Directory, I've always had to use smbpasswd to set up the SMB passwords for the 'Windows' users.
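To make the hash incompatibility above concrete, here is an added example (not from the thread or from Samba's own code): a NIS passwd map only carries the crypt(3) hash, which cannot be converted into the NT hash that NTLM authentication needs, so the SMB password has to be set and stored separately, which is what smbpasswd does. The NIS line, the password and the LCT timestamp below are constructed sample values; the MD4 is written out in pure Python because hashlib's md4 depends on OpenSSL's legacy provider.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); enough to compute an NT hash offline."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            rnd = i // 16
            if rnd == 0:
                val, s = f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]
            elif rnd == 1:
                val, s = g(b, c, d) + x[r2_idx[i - 16]] + 0x5A827999, (3, 5, 9, 13)[i % 4]
            else:
                val, s = h(b, c, d) + x[r3_idx[i - 32]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]
            # Each step updates one register and rotates the (a, b, c, d) roles.
            a, b, c, d = d, _rotl((a + val) & MASK, s), b, c
        state = [(s0 + v) & MASK for s0, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash as stored by smbpasswd: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()

# Constructed sample NIS passwd entry: field 2 is a crypt(3) hash (here a placeholder),
# which is one-way and salted, so no server can derive the NT hash from it.
NIS_PASSWD_LINE = "alice:$1$saltsalt$PLACEHOLDERCRYPTHASHxxxxxxxxxx:1001:1001:Alice:/home/alice:/bin/bash"

def smbpasswd_line(nis_line: str, password: str) -> str:
    """Build a smbpasswd(5)-style entry for the same user from the plaintext password.
    The LM hash is left disabled (all X); LCT is a constructed placeholder timestamp."""
    user, _crypt_hash, uid = nis_line.split(":")[:3]
    return f"{user}:{uid}:{'X' * 32}:{nt_hash(password)}:[U          ]:LCT-00000000:"
```

Because the NT hash is unsalted and is itself the credential the server compares against, the smbpasswd file or passdb.tdb needs the same protection as /etc/shadow, wherever the SMB password store ends up living.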
> I've never heard of Samba authenticating off NIS, as Windows (SMB/CIFS) and Unix (PAM, NIS, etc.) use different, incompatible password hashes. On a pure Samba system that doesn't have an external authentication system such as Active Directory, I've always had to use smbpasswd to set up the SMB passwords for the 'Windows' users.
Yeah, this is what I'm afraid of - that I'll have to install some directory services.
I'm going to start off next week with a call to Oracle. Just figured I'd ping the list to see if maybe someone had been here.
p.s. even if I could get it to authenticate SMB from the current 5.3 box I'd be happy.
If I have to go the directory services route I can only say that I hope it has improved a lot since the last time I installed it 18 months ago - though that was 389-ds ...
On 11/25/11 10:23 AM, Alan McKay wrote:
> p.s. even if I could get it to authenticate SMB from the current 5.3 box I'd be happy.
> If I have to go the directory services route I can only say that I hope it has improved a lot since the last time I installed it 18 months ago - though that was 389-ds ...
I've been sniffing at FreeIPA, which is a bundle based on the latest version of 389, with a bunch more stuff around it to allow both windows and 'nix systems to authenticate, also stuff for policy management, etc. It looks really interesting, but I haven't had a go at setting it up yet.
On Fri, Nov 25, 2011 at 10:00 PM, Alan McKay alan.mckay@gmail.com wrote:
> I've got a CentOS / RHEL (5.x) environment and am in the process of migrating the 5.3 file server over to an Oracle/Sun 7120 appliance.
Hi Alan, sorry for the OT. I'm very much interested in the 7120. How much space do you have on it and what is the price?
The Oracle website doesn't show the price.