[CentOS] Re: SMB server with CentOS 4

Tue Dec 6 05:40:08 UTC 2005
Ugo Bellavance <ugob at camo-route.com>

Bryan J. Smith wrote:
> Ugo Bellavance <ugob at camo-route.com> wrote:
>> I started reading the Samba doc, but it is rather long.
> 
> Of course.  ;->
> 
> Samba has settings to emulate just about every detail of any
> release of Server Message Block (SMB) from old LAN Manager to
> Windows Server 2003.  Microsoft's "canned," server-wide
> settings in their server versions are usually an issue for
> various clients.
> 
> Hence why most enterprises with SMB experts prefer Samba over
> stock SMB in Windows Server.

Ok

> 
>> I planned on using this server as a PDC so that it is not
>> too different from using their former windows 2000 server.
> 
> <anal>
> FYI, the term Primary Domain Controller (PDC) is deprecated
> because it refers to the legacy CIFS NT 4.0 term.  We
> typically call modern CIFS/SMB, including ActiveDirectory
> Services (ADS) integration, as a Domain Controller (DC). 
> Although I noted that the more legacy Samba docs still call
> it a PDC.
> </anal>
> 

I knew that, but this is the terms they use in the Samba doc, probably 
because Samba can't emulate all the features of a DC.

> Note that newer DC services aren't just Samba.  Samba just
> provides the Windows client Remote Procedure Call (RPC)
> services to the Windows clients when they access it as a file
> server.  Samba can authenticate and authorize against other
> services.
> 

Yup.

> If you start reading a lot of Windows 2000 / ADS / Samba
> schtuff, you're going to see people talking about MS Kerberos
> and native Windows DC integration.  That _only_ applies when
> you are integrating Samba servers with _native_ ADS DC
> servers (as you've heard me say before, "making UNIX ADS'
> bitch").  In your case, you're not using a native Windows ADS
> DC, so Samba is the authority.
> 

Ok

> How you wish to maintain authentication and directory
> services is up to you.  The Samba 3.0 By Example book gives
> you a lot of "cookbook methods" to setting up LDAP Schema for
> Windows clients.  You can choose to do such if you wish.  In
> general, there is a _massive_ "learning curve" associated
> with this, because you have to understand how Windows clients
> really work at the authentication, directory and file
> services level -- as well as how UNIX does.
> 

Hmmm, and I don't know LDAP very well... I have started reading the 
oreilly book about it, but couldn't figure out how it looked/felt/worked 
in practice :(.

>> I'll be managing this server, which is currently a staging
>> server for web development (php/mysql/cvs).
> 
> Oh.  Do you really need SMB then?  Should they be doing CVS
> or Subversion/WebDAV-DeltaV check-ins instead?

Well, there will be a few programmers on this server, but also the 
director, the secretary, a project manager, so they'll obviously need 
network shares, and, of course, network printing.  One question that I 
have about Samba and printing:  Do the printers need to have drivers for 
Linux, if only the Windows clients will print, or is having Windows drivers 
enough?


>> Anyone has an opinion on this, or better ideas?
> 
> Well, if you don't have native Windows ADS servers, then it's
> actually pretty easy to do.  Samba can and will emulate a lot
> of different RPC services for the Windows clients.  Tweaking
> those settings will be all you'll need to do.
> 

Ok

> How you handle the directory services is up to you -- you can
> even just use local UNIX accounts (although I don't recommend
> that for future growth and more servers).  Years ago I would
> have just used NIS (with Kerberos if I needed authentication
> security), but since NsDS 7.1, now FDS 7.1, became available
> earlier in the year, I've been recommending it (with or
> without Kerberos, your choice).  Especially with the
> multi-master replication.
> 

Hmm, I'll read a bit on it, but I wonder if it isn't overkill...

> The nice thing about building a network with NsDS is that if
> your organization should force native Windows ADS on you, you
> can still keep your authentication and control segmented,
> while synchronizing with ADS accounts.

Ok.  I doubt that because I'm the only sysadmin, but it can happen...

> 
>> My backups will be based on utilities and mondorescue,
> 
> Be careful with Mondo Rescue.  Hugo's a good guy, but his
> stuff tends to not work on all systems -- just a fact that
> systems differ and he can't test for everything.
> 

I know Hugo a lot.  I can't say I like his style/attitude/product 100% 
but it works on this specific system.  And if it doesn't work as a 
bare-metal recovery system, it is easy to restore (.iso on a hard 
drive).  I agree that I would hesitate to rely on this on a new system, 
since I don't think there has been a new version of mindi/mondo for months.

>> kept on an internal (cold-swap drawer) hard-drive that I
>> would take every week (2-drawers rotation).
> 
> As long as you are keeping the disks active regularly, then
> that's okay.  Although longer-term storage (3+ months) really
> should go to a media like DVD-R, or tape if you can afford
> it.

The drives will be used one week out of two.

> 
>> Any recommendations welcome, will provide more details if
>> needed.
> 
> The scope -- number of servers, types of users, why you need
> SMB and/or NFS (if you have UNIX desktops) access, CVS or
> Subversion details, etc...
> 

Number of servers: 1 for the moment.  The prod server will be in colo. 
Types of users: see above.  Amount of users: ~ 10 for now, may grow 
to 20 max within 24 months.  Reason for SMB: file/print sharing.  CVS 
details?  What do you need to know exactly?  We are using CVS over SSH, 
Eclipse with SSH keys being the client.  The developers work sometimes 
in the office, sometimes from home, connected to a VPN (the endpoint is 
a m0n0wall firewall).  The developers have a XAMPP setup on their 
laptops and develop there, then test on the staging server, then put it 
in prod.  The staging server is also the development MySQL server.  I'd 
like to use OpenXchange to have a mail/calendar/etc solution that can 
work with current tools (Outlook :().
The server is a dual Athlon MP 1800, 1 GB RAM, 3ware 7006-LP card in 
RAID 1 with 80 GB PATA HDDs + 1 (x2) 200 GB removable hard drive (this 
server is also a backup server for a few servers for now, but this will 
probably change).

Please let me know if you need more details.

Thanks for your input ;).

-- 
Ugo

-> Please don't send a copy of your reply by e-mail.  I read the list.
-> Please avoid top-posting, long signatures and HTML, and cut the 
irrelevant parts in your replies.
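For the Samba-as-authority, no-native-ADS setup and the printing question discussed in this thread, below is an added example smb.conf for a Samba 3.0 NT4-style domain controller with file shares and CUPS-backed printing; it is not from the thread or the Samba project, and the domain name, share paths, group names and subnet are assumed values. With this layout the Windows drivers live in the [print$] share and are downloaded by clients (Point and Print), so the Linux side only needs a CUPS queue, which may be a raw queue.

```ini
[global]
   workgroup = EXAMPLEDOM          ; assumed domain name
   netbios name = STAGING          ; assumed server name
   server string = Staging file/print server
   security = user                 ; Samba is the authentication authority
   encrypt passwords = yes
   passdb backend = tdbsam
   domain logons = yes             ; act as the NT4-style domain controller
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65
   hosts allow = 192.168.1. 127.   ; assumed office LAN + localhost only
   log level = 1
   ; CUPS owns the print queues; Windows clients render with their own driver
   printing = cups
   printcap name = cups
   load printers = yes
   printer admin = @ntadmin        ; Samba 3.0 syntax; assumed UNIX group

[netlogon]
   path = /var/lib/samba/netlogon  ; assumed path, holds logon scripts
   read only = yes
   browseable = no

[homes]
   comment = Home directories
   browseable = no
   read only = no
   valid users = %S                ; only the owner can open their home share

[shared]
   path = /srv/samba/shared        ; assumed path for the office share
   read only = no
   valid users = @office           ; assumed UNIX group of share users
   create mask = 0660
   directory mask = 0770

[printers]
   comment = All printers
   path = /var/spool/samba
   browseable = no
   guest ok = no                   ; no anonymous printing
   printable = yes

[print$]
   ; Windows driver repository served to clients; only printer admins may upload
   path = /var/lib/samba/drivers   ; assumed path
   read only = yes
   write list = @ntadmin
```

Run `testparm` after editing to catch syntax errors before restarting smbd, and add machine and user accounts with `smbpasswd` so that Windows clients can join the domain.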