
Of SAMBA Servers and Media


seablade
07-30-2006, 12:44 AM
Ok so every now and then I manage to come up with a truly puzzling thread for these forums, here is one for those of us with experience in network admin....

Currently going to be converting my wife's windows box to a Linux server, and putting her on a Mac(Definite step up;). This server will be replacing one that died some time ago. At any rate here is what I am looking to do, and I am looking for advice/suggestions on this path...

This server will act as a fileserver for the house, it needs to interact with Mac, Linux, and Windows(Roommate) machines.

I would like the login onto a machine to be almost a two step process I suppose. Let me explain my reasoning behind this and see if there are better solutions to this first as this seems a bit like the wrong way to do things...

Primarily I would like the benefits of remote login still having the same settings(Desktop etc) as much as possible, but I don't want it to happen in a way that if the Server goes down for any reason, it would prevent my wife, or my roommate from using their own computers. This is why I was wondering if a two step process might be better, where the local logon would automatically after succeeding attempt to log on to the server and share Files etc. That way worst case scenario they would be working locally, remember this has to be cross platform compatible with Windows(Which I haven't dealt with serious networking in it in some time) and Mac.

Looking at the above it seemed that if I used the server for a PDC etc in a windows style network and used it as the logon authenticator, that if it went down for whatever reason(Power Outage while I am on the road etc.) they might not be able to use their computer which is somewhat unacceptable. Please feel free to correct me if I am wrong.

I figured if I did a 2 step process, I might use rsync to create a local cache of the Home Directory on the local machine. The Home Directory would not be very large in most cases, documents etc. Media is on different directories(See later)

The server may actually end up running a Myth Backend on it as well. In the meantime though I would like to share, not only a home directory, but also the appropriate share directory for my media(Video, Music, etc) as long as permissions are granted for it for that person. Now my understanding in Samba(Previous use of Samba for myself was just to share Home Directories) is that this is done by creating different 'share' sections. My question though would be how to determine if a user has access to those shares, and how to automount those shares in that case on the various OSes.

This won't be happening for another month(When I actually get home, remember that on the road thing I mentioned before?;) so I intend to use this next month to plan it out so that hopefully I can implement it fairly easily. As such comments/suggestions/claims of insanity are quite welcome;)

Seablade

nev_neo
07-30-2006, 08:46 PM
Hope I can help here, :-)

Firstly, regarding authentication,
if this is a windows based Domain Controller, I know for a fact that, if a client in the domain loses connectivity with the server, the client will look at previous logon sessions and authenticate the user from there.
This applies to Windows Domain computers. I'm not sure, but I think this would also occur in OSX.

Regarding Samba,
You can restrict samba shares according to IP addresses, and you can also specify user-ids and passwords in the samba conf file. These of course aren't end-user changeable.

From personal experience, I've noticed that Macs play pretty well with windows domains. But of course that would mean no Myth.

This would be really interesting. Keep us updated on how this goes.
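seablade asks above how to tell whether a given user may reach a share, and nev_neo answers that shares can be restricted by address and by user. The following added example (not code from this thread, nor from the Samba project) models that decision for a constructed smb.conf fragment: the `hosts allow` / `hosts deny` lists evaluated in the order Samba's own access check uses (with both lists present the allow list wins, and a host on neither list is still admitted, which is why real configs pair an allow list with `hosts deny = ALL`), then `invalid users` / `valid users` with `@group` entries, then `read only` against `write list`. The share definitions, user names and the `/etc/group` stand-in are constructed, and the model is deliberately partial: no `EXCEPT` clauses, hostnames, `read list` or guest access.

```python
"""Model of Samba's per-share access decision for a constructed smb.conf.

Added example; not code from the thread or from the Samba project.  Follows
the documented order (host lists, then invalid/valid users, then read only /
write list) but omits EXCEPT clauses, hostnames, read list and guest access.
"""
import ipaddress

# Constructed smb.conf fragment (assumption: not anyone's real configuration).
SAMPLE_SMB_CONF = """
[global]
    workgroup = HOME
    security = user

[homes]
    comment = Home Directories
    valid users = %S
    read only = no

[media]
    path = /srv/media
    valid users = @media
    write list = seablade
    hosts allow = 192.168.1. 10.0.0.0/24

[scratch]
    path = /srv/scratch
    read only = no
    hosts allow = 192.168.1.
    hosts deny = 172.16.0.0/16
"""

# Constructed stand-in for Unix group membership (/etc/group).
GROUPS = {"media": {"seablade", "wife"}}


def parse_smb_conf(text):
    """Minimal INI-style parser: [section] headers, key = value, # or ; comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def host_matches(addr, pattern):
    """ALL, a dotted prefix ('192.168.1.'), an exact address, or address/mask."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern


def host_allowed(share, addr):
    """Samba's four cases: no lists -> allow; allow only -> whitelist;
    deny only -> blacklist; both -> allow list wins, then deny list, and a
    host on neither list is still allowed (hence the `hosts deny = ALL` idiom)."""
    allow = share.get("hosts allow", "").replace(",", " ").split()
    deny = share.get("hosts deny", "").replace(",", " ").split()
    in_allow = any(host_matches(addr, p) for p in allow)
    in_deny = any(host_matches(addr, p) for p in deny)
    if not allow and not deny:
        return True
    if not deny:
        return in_allow
    if not allow:
        return not in_deny
    return True if in_allow else not in_deny


def user_in_list(user, spec, groups=GROUPS):
    """valid users / write list syntax: plain names plus @group (+group, &group)
    entries; all three group prefixes are treated as a group lookup here."""
    for entry in spec.replace(",", " ").split():
        if entry[0] in "@+&" and user in groups.get(entry[1:], set()):
            return True
        if entry == user:
            return True
    return False


def share_access(conf, share_name, user, addr):
    """Return None (no access), 'read' or 'write' for USER connecting from ADDR."""
    share = conf.get(share_name.lower())
    if share is None and "homes" in conf:
        # [homes] is instantiated per requested name; %S expands to that name.
        share = {k: v.replace("%S", share_name) for k, v in conf["homes"].items()}
    if share is None or not host_allowed(share, addr):
        return None
    if user_in_list(user, share.get("invalid users", "")):
        return None
    valid = share.get("valid users", "")
    if valid and not user_in_list(user, valid):
        return None
    # Samba's default is read only = yes; write list grants write regardless.
    writable = share.get("read only", "yes").lower() in ("no", "false", "0")
    if user_in_list(user, share.get("write list", "")):
        writable = True
    return "write" if writable else "read"
```

Running `share_access(parse_smb_conf(SAMPLE_SMB_CONF), "scratch", "roommate", "10.9.9.9")` returns `"write"` even though 10.9.9.9 is not on the allow list, which is the both-lists behaviour worth knowing before relying on `hosts allow` as a whitelist; the `[media]` share, with no deny list, behaves as the whitelist one would expect.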

seablade
07-31-2006, 01:42 AM
if this is a windows based Domain Controller, I know for a fact that, if a client in the domain loses connectivity with the server, the client will look at previous logon sessions and authenticate the user from there.


Well it would be a linux box running the Samba Server as a Domain Controller. It may be that I just have to set it up and try it out, the other half of this of course is that some computers(My Powerbook and in the Future my Wife's Macbook) are laptops, and need to be able to log on to several different locations at times if needed.


You can restrict samba shares according to IP addresses, and you can also specify user-ids and passwords in the samba conf file. These of course aren't end-user changeable.


Yea part of this though would be to have a single login, which putting separate passwords etc into plain text files seems a bit self defeating to me. If I used the same password I would be much too worried about security issues there, well I am worried anyways about passwords in plaintext. Obviously I would be encrypting the logon transmissions.



From personal experience, I've noticed that Macs play pretty well with windows domains. But of course that would mean no Myth.



Actually on my powerbook at the moment I have a man page for smb.conf so I am of course thinking that they do so by using the SAMBA software actually;) I agree that all of the above can play nice in mixed networks, I just haven't played around with setting up a domain for this purpose before.

Thanks for the info though, it is much appreciated.

Seablade

theoak
08-07-2006, 01:18 PM
If it were my network (under these circumstances) I would just use a router with wireless capabilities. If power goes off while you are away, you just wait for the router to reconnect when the power comes back on. (Wireless access points have gotten very cheap these days.) Let the router control access. Only those who are directly cabled can access the router other than thru wireless access, which can be set up using wpa (or wep, if only "b" devices are present) with MAC addresses restricted by the router such that only allowed MAC addresses can connect. That way if your Linux server has problems, the windows and Mac computers still have internet connectivity and the rest of the network (whatever the windows computer and Mac are sharing) is still available.

Then set up the Linux server as just a Samba file server, which can require passwords if necessary.

aaronjb
08-07-2006, 03:23 PM
I run Samba as a PDC here, and even if I keep the profiles stored on the server Windows will still quite happily log in if I'm at work and not hooked up to the home network, it just uses a cached copy of the login credentials and a cached local copy of the network profile.

seablade
08-07-2006, 07:41 PM
If it were my network (under these circumstances) I would just use a router with wireless capabilities. If power goes off while you are away, you just wait for the router to reconnect when the power comes back on. (Wireless access points have gotten very cheap these days.) Let the router control access. Only those who are directly cabled can access the router other than thru wireless access, which can be set up using wpa (or wep, if only "b" devices are present) with MAC addresses restricted by the router such that only allowed MAC addresses can connect. That way if your Linux server has problems, the windows and Mac computers still have internet connectivity and the rest of the network (whatever the windows computer and Mac are sharing) is still available.

Then set up the Linux server as just a Samba file server, which can require passwords if necessary.


Um that unfortunately addresses none of the problems I am worried about with this. There will be a router separate from the server, this server is not acting like a gateway(At least not initially anyways). My current router I am thinking of replacing with a Cisco for the IOS programming of the firewall etc. which is as close as I can get to a low power linux router short of programming my own SBC, which I am definitely considering as well:)

The router serves a different purpose than the PDC. My concern is how the PDC going down would affect the network. There really won't be sharing going on in between the individual machines, that is what the server is there for and what it would accomplish.


I run Samba as a PDC here, and even if I keep the profiles stored on the server Windows will still quite happily log in if I'm at work and not hooked up to the home network, it just uses a cached copy of the login credentials and a cached local copy of the network profile.


That is good to know, that means that is one less thing I have to worry about at least. As long as a local copy is cached in the various OSes this shouldn't be a problem at all.

How is logon handled in that sort of situation? Does it just not logon or does it do so via a cached copy of the passwords(Which seems kinda counterproductive in an enterprise environment, but I could probably get away with it for this environment;)?

Seablade

aaronjb
08-08-2006, 03:24 AM
How is logon handled in that sort of situation? Does it just not logon or does it do so via a cached copy of the passwords(Which seems kinda counterproductive in an enterprise environment, but I could probably get away with it for this environment;)?

Yep - it [windows] logs on against a cached copy of the password hash (not the actual password, that would be highly insecure.. then again, the password hashes are fairly easy to brute force).

I think you can turn that off in the Policy Editor if you desire folks to simply be denied login if the PDC (and BDC if you have one) has gone away

I can only speak for Windows, incidentally - I've not tried any of this with OSX, as I haven't got anything here that's OSX-capable unfortunately.


Oh yes - one thing to be aware of, you need to turn off 'RequireSignOrSeal' in the registry of each XP machine that's connecting to a Samba PDC, otherwise it won't sign in nor join the domain (it's a registry setting - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/RequireSignOrSeal )

More than happy to share my smb.conf & procedures when you come to do it if you like :)

bigtrouble77
08-08-2006, 10:56 AM
More than happy to share my smb.conf & procedures when you come to do it if you like :)
Would you mind posting it a bit sooner?

aaronjb
08-08-2006, 11:24 AM
No problem - I'll throw it up when I get home.

seablade
08-08-2006, 12:18 PM
Is the registry setting the same in Win2K which if I can find my disk of, is the windows environment that would be used probably?

Yea a hash makes more sense and that is what I was thinking, if it kept the actual passwords then I would be severely disappointed, even for MS;)

Seablade

seablade
08-20-2006, 02:17 PM
Hey Aaron(Or anyone else that might know)

You got any experience running Servers with Wake On Lan enabled for powersaving reasons? I am considering a couple of things, one is using WoL and a cron script possibly to take down the server and bring it back up on demand. Obviously I would need to spend some time getting the bootup as quick as possible for this, but I am wondering how the interface with Windows(And Mac) boxes with this would work as I haven't done WoL before on a machine. Obviously you need to send the magic packet to wake it up, the question then becomes how to set up a machine to send that packet before it attempts to log onto or connect to the domain.

Possibly tie that in with a Soekris project later if I need support from the internet to wake it up(That one would be fairly easy, just set the soekris router to listen on a port and send the magic packet when that port is activated with a command, maybe not the most secure, but then all standard security policies would apply after that)

Seablade
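The sequence seablade describes above has two parts: send the magic packet, then make sure the logon or mount is attempted only once the server is actually up. The following added example (not code from this thread) does both in Python. The magic packet format itself is standard (six 0xFF bytes followed by the target MAC sixteen times, sent by UDP broadcast because a sleeping NIC has no routable address); the MAC address, broadcast address, host name and SMB port 445 used for the readiness check are constructed placeholders. Polling the port with a deadline is what keeps the client-side operation from racing the boot and timing out, which is the failure aaronjb raises in the reply that follows.

```python
"""Wake-on-LAN: build and send the magic packet, then wait for the file
server's SMB port before touching a share.  Added example, not from the
thread; MAC, broadcast address and host name below are constructed values."""
import re
import socket
import time


def build_magic_packet(mac):
    """Magic packet = 6 x 0xFF + target MAC repeated 16 times (102 bytes).
    Accepts 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or bare hex."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(hexdigits) * 16


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Broadcast on UDP; the NIC matches the payload, nothing listens on the
    port, so 7 and 9 are conventions only.  Returns bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(packet, (broadcast, port))
    return len(packet)


def wait_for_port(host, port=445, timeout=120.0, interval=2.0):
    """Poll until a TCP connect to host:port succeeds or the deadline passes,
    so the mount/logon starts only once smbd answers instead of timing out
    mid-boot.  Returns True when the port accepted a connection."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            time.sleep(interval)
    return False


def wake_and_wait(mac, host, broadcast="255.255.255.255", timeout=120.0):
    """The two-step sequence: wake, then block until the server is reachable."""
    send_magic_packet(mac, broadcast)
    return wait_for_port(host, timeout=timeout)


if __name__ == "__main__":
    # Constructed placeholders; substitute the real server's MAC and name.
    up = wake_and_wait("00:11:22:33:44:55", "fileserver.home.lan", "192.168.1.255")
    print("server is up" if up else "server did not come up before the deadline")
```

A login script or mount wrapper would call `wake_and_wait` first and only proceed to the share when it returns True; the timeout should be set a little above the server's measured cold-boot time, which is why the thread's concern with trimming boot time still matters.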

aaronjb
08-21-2006, 12:41 PM
Ooh this reminds me, I totally forgot to post up my smb.conf..

Regarding the registry setting - it's XP only, Win2k works fine with no tweaks (as does anything prior to that) :)

Regarding WOL - I'm afraid I've never used it (at all!), and I'd have thought the boot times would be too long, such that whatever operation had caused the box to wake would have timed out before it had woken up fully..

Unless you could have it suspend rather than shut down - but I've never had much luck with Linux and ACPI suspend states to be honest :( Not that I've tried for a few years, mind.


Incidentally - for bigtrouble - I've uploaded my smb.conf: http://www.mindserv.co.uk/smb.conf

Nothing much special in there, really, it's a fairly vanilla configuration :)

seablade
08-21-2006, 01:01 PM
Regarding WOL - I'm afraid I've never used it (at all!), and I'd have thought the boot times would be too long, such that whatever operation had caused the box to wake would have timed out before it had woken up fully..


Yep boot times are exactly what I am worried about as well. Strangely I had found that my Workstation I could put linux in the BIOS to get an ultra quick boot going;) Haven't checked the MB I am using for this server though.

But at any rate, with minimal system requirements, no X needed, etc. I THINK I can get the boot time down, the real catch is just how to start it so that the operation doesn't time out, so preferably it gets started before the operation even begins.

Seablade

bigtrouble77
08-21-2006, 02:40 PM
Incidentally - for bigtrouble - I've uploaded my smb.conf: http://www.mindserv.co.uk/smb.conf

Thanks!