Introduction:
In my current job role I work as an IT Manager for a Not for Profit company. Therefore cost of the enterprise is my main concern. The entire infrastructure used to run Windows NT Server. In time this became quite antiquated and I had to upgrade.
So my situation was to convince the powers that be that we should spend $15,000+ on MS Server licensing, or go with a "free" solution. Let’s stop for a moment and look at the Pro/Cons of an Open Source System.
Pros
- Low Cost (nothing is free)
- Although the software is free, there are no costs associated with the OS itself, one must realize that freely distributable Linux OS's are rarely out of the box solutions. You will likely have to spend a little time (time is money) to get the thing working just so. They are getting better and if you want to shell out for a licensed system from RedHat or Novell, you do have more "out of the box" solutions ready. It should also be noted that the licensing costs tend to be lower than Windows based servers.
- Manageability
- With closed source systems you tend to have less manageability. ie) usually forced to use the included management consoles and such, with open source systems, you have many options when it comes to OS add-ons (this COULD also be a bad thing).
- customizable
- Since the source is open, you can do pretty much anything you want with the software.
- many available services
- Again relating back to manageability, there are many OS add-ons you can download (WITH CAUTION)
- Support
- Open Source communities are great resources. That being said, one should most defiantly exhaust all other sources and read forums before posting questions. This tends to aggravate avid forum posters when basic questions that have already been answered are posted again. If you get RTFM you likely asked a question that has been answered in many different places or it was obvious you didn’t try on your own first.
Cons
- Lack of configurability
- Since the source is closed, you cannot do a lot of the custom configs one is able to do with open source solutions. Third party add-ons are not as available as they are with open source.
- Cost
- There is a price to pay for convenience. Since closed source solutions tend to be turn key or out of the box ready, you will pay for this. Licensing costs can add up and be quite hefty
- lack of logging
- This is more of a personal observation of mine. In the Linux/UNIX world, I just love the depth of some logging abilities. So when something goes bump in the night, its usually recorded dated and time stamped in some log somewhere.
So now I have weighted the pros and cons. The decision was quite easy for me. There are many other pros and cons, the list could be limitless, however these were they key items for me.
It came time to select a distro to use. I have used many distros, and decided that OpenSuSE would be a good release to use. Simply because of its YaST Manager. I don’t intend on working here for the rest of my life, so not knowing what kind of skills one would have who comes after me, I know SuSE has a great management interface. YaST! Let me give you this warning NOW! Use YaST or don’t use it at all! If you start making many manual edits to configs as I tend to do, this has a way of making YaST freak out and things don’t go bump in the night, but rather an earth shattering KABOOM in the day!
The SAMBA Server
- Install OpenSuSE on server
- Installing SuSE is pretty straight forward. Be sure to use a good partition scheme for a server.
- Be sure Samba packages are selected
- Nothing to be said here ;)
- Customize server environment
- Are you going to use a login server, consolidated syslog, local security policy, configure any other services like DHCP, DNS etc... (I already had these running on another server)
- Customize Samba using YaST
- Be sure to tell YaST Samba is going to be a PDC
- Manual edits of the /etc/samba/smb.conf
- When it comes to setting up shares, I much prefer to edit the conf by hand. I do for most things, but as I said, this can be dangerous on OpenSuSE. Smb.conf seems to be ok with this. I will quote my smb.conf file below.
- adding accounts.
- Adding accounts is easy. Be sure the user has a system account and is inserted in the right groups etc... then issue the smbpasswd -a username. The -a adds the account if not there and is ignored if it’s already there. Now set the initial user login password. This is the password used to log in the station. Note that a UNIX password is not necessary and its best if you set their login shell to /etc/nologin or /etc/false (your distro may use something different) since they will not require shell access.
Setting up the machine
- Add the machine account to Samba. This can be done as root for each computer. Issue the following command smbpasswd -a -m machine-name$ the $ represents a machine account.
- Login to the machine locally as administrator, join the domain and add the following local ADMINISTRATOR account. Since windows will not recognize root as an administrator, this must be done manually by adding a new user called domain\root with administrator privileges.
- Setting up a workstation from scratch is easy. If the user already has a profile on it, by joining a new domain will cause that profile to not be used and a new one generated. If you know a way to get around this, please let me know. So you will likely have to rebuild the profile on existing machines after joining the domain.
- Reboot and voila, you should be logging in on the domain.
If you are new to samba, I recommend some reading on UNIX permissions as these will be what’s governing your security settings by default.
Please see below for some links with good information.
In the end, this is my smb.conf.
________________________________________________
# // Samba Server Configuration File
# // Written by Ian Langdon
# // LAST UPDATE: Aug 7/2007
[global]
workgroup = institute
comment = Aquarius
netbios name = AQUARIUS
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = Yes
domain master = Yes
local master = Yes
os level = 65
preferred master = Yes
security = user
#wins support = yes
logon home =
logon path =
log level = 0
smb ports = 139
[homes]
comment = Home Directories
netbios name = Home Directories
volume = Home DirectoriesVOL
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
_________________________________________
Other shares I have removed for security reasons. Theoretically, machines can add themselves when supplied with the root credentials. I have done this once on this config, however, I like to do things my way. I guess that’s why I like to drive a manual ;)
The smb.conf has many many many options and some time with a few cups of coffee and the man page for smb.conf is in order. Making changes to the smb.conf *CAN* be done w/o restarting the service. After you have made changes and used the testparm to check your config file for problems you can use 'smbcontrol smbd reload-config'. This has worked for me, however, I am not confident that it works right. Changes can take some time to go into effect. I always prefer to '/etc/init.d/smb restart' but if you have MS Access users or people using accounting software who happen to post a batch post during this is, umm, BAD NEWS. Don’t ask, lesson learned ok!? ;)
There is a nice MINI-HOWTO located here: http://daniel.fiser.cz/?go=samba
The official Samba page is here: http://www.samba.org
amd the link to the main HOWTO is here: http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/
Have Fun and please share your experiences.
Ian.
No comments:
Post a Comment