[CentOS] Simple solution for small network in a school ?

Sat Jul 10 15:24:52 UTC 2010
Ross Walker <rswwalker at gmail.com>

On Jul 10, 2010, at 10:59 AM, Niki Kovacs <contact at kikinovak.net> wrote:

> Hi,
> 
> I have to install a small network in a school in a nearby village. The 
> network will be Linux-only, one server and fifteen desktops. Here's the 
> idea.
> 
> 1) Authentication should be managed centrally on the server.

Use some type of directory service (LDAP/NIS) coupled with an authentication service like Kerberos.

Basically keep passwords out of the directory and you need to have a Kerberos ticket to access the directory.

> 2) User home directories should also be on the server.

Not a problem, you can share these out via NFS and/or Samba.

> 3) Users should all have disk quotas, something like 1 GB per user.

Also not a problem to set up quotas and use rquotad to remotely query these from NFS clients. Samba has built-in support for quotas.

> 4) Some shared directories should be read/write for a defined group of 
> users (teachers) and read-only for others.

Standard POSIX perms can take care of that; for finer-grained perms you can use ACLs.

> So far, I've only dealt with local authentication. I have a little 
> practice in basic setups of Samba and NFS and managed to get these to 
> work OK. On the other hand, I've never worked with NIS, LDAP or the likes.

NIS is easier than LDAP and might be a good quick-n-dirty way to get going initially. Just use a separate authentication service like Kerberos and keep passwords out of the directory service.

> My question is more general, and I don't want to go into technical 
> details. According to the KISS principle, which solution would you 
> recommend (or explicitly *not* recommend)? A mix of LDAP and Samba? Or 
> NIS and NFS? And what's this thing called Directory Server, which 
> vaguely sounds like it's the right way to go?

You can really mash all these technologies up.

If all clients are Linux then start with NFS/NIS/Kerberos then as things grow you can look to move to LDAP.

The "Directory Server" is a turn-key package for implementing LDAP plus Kerberos with a pre-established LDAP schema and tools to manage it.

Definitely worth taking a look at. Personally I don't have experience with it so can't recommend or not recommend it.

You COULD also have a Windows Active Directory server to provide LDAP and Kerberos services to your Linux environment. They definitely have nice management tools. MS for not-for-profit is dirt cheap. Run it as a VMware/VirtualBox/KVM/Xen VM. Hell, run the whole server as an ESXi host and have multiple VMs for redundancy/load spreading.

-Ross