
The company that I work for wishes to replace its Windows servers with new Linux servers but wants to keep Windows on employee desktops. The requirements are:

  • The employee desktops should be able to authenticate with a central Linux server.
  • The employee desktops should have access to shared folders on a central Linux server.
  • Software applications should be able to use Active Directory.

My first thought was to use Samba, but can Samba meet the above requirements? If so, in what way? (Details are appreciated, but I just need the general idea.)

Keep in mind that I am not very familiar with server setup (I am a web designer by profession).

  • Please elaborate on that third point. – Zoredache Jun 29 '12 at 21:32
  • @Zoredache As far as I know, some applications can integrate with active directory (i.e for authentication). – Aimé Barteaux Jun 29 '12 at 21:40
  • If it's Windows API it will hardly work with samba. Seriously. If it's using LDAP or something else, it should work no problem, but not the Windows Directory Services API. – Andrew Smith Jun 29 '12 at 21:45
  • @AndrewSmith Can you please explain that a bit further? Does Samba4 not add that functionality? – Aimé Barteaux Jun 29 '12 at 21:48
  • Samba4 isn't even an alpha yet; the web site states `Samba 4 is currently not yet in a state where it can replace existing production deployments.`. So asking about that seems a bit silly. I don't think anyone would seriously consider using it at this point. AFAIK, it isn't even available as a package for any version of Linux that is commonly used for servers (Redhat, Centos, Debian, Ubuntu, SLES, etc.) – Zoredache Jun 29 '12 at 21:53
  • @Zoredache `The second beta (4.0.0-beta2) was released on the 10th of June 2012.` Reference: http://en.wikipedia.org/wiki/Samba_%28software%29 While I have my concerns about the beta, I'm willing to test it out to see how it performs, assuming the core functionality is there... – Aimé Barteaux Jun 29 '12 at 22:15
  • Samba 4 does indeed add AD features (LDAP directory, Kerberos authentication, SYSVOL and group policy) but I have not touched it for a really long time to tell anything about usability. Especially manageability and RPC interfacing have been touch grounds in the past. – the-wabbit Jul 01 '12 at 08:47
  • [Samba 4 has meanwhile released the second release-candidate](https://www.samba.org/samba/latest_news.html#4.0.0rc2) – Tobias Kienzler Oct 12 '12 at 10:45

1 Answer


In my workplace, we switched from a Windows shared folder for network use to an Ubuntu server for our 4-disc hardware RAID. We do not use Active Directory (I don't even know what it is), but we do use user permissions to access the RAID and mount it as a network drive. You can install Webmin and use that to help manage the server.

There are a couple of tricks: setting up the user permissions and umask in smb.conf, and then getting the shared folder's permissions and "sticky bits" set correctly.

Edit with some details of how I set up my file server:
1.5 years after answering this question, I installed a new server OS (now Debian 7.3) and went through setting up Samba, again using Webmin. One thing that didn't work as expected was user passwords linking to Unix passwords. This Q&A fixed that by suggesting manually issuing `smbpasswd -a <username>`. Although the old Ubuntu HDD was failing, I copied /etc/ to the /raid so I could look back at what worked before.

We've got the below permissions set up. The "smb" user and password are known by anyone needing access to the network share, which is then mapped to a drive letter consistently on Windows computers. If I log in from my chrisk user on Windows, which coincidentally uses the same password as on the filesrv, then I can access my personal folder on the RAID as well as all of the /raid files. There are no "personal" groups; everyone is in the users group.

12:53 chrisk@filesrv /raid$ ls -alh
drwxrwsr-x.  47 smb     users 4.0K Dec 29 18:43 .
drwxr-xr-x   23 root    root  4.0K Dec 27 02:36 ..
drwxrwsr-x.   7 smb     users 4.0K Aug 15  2009 catalog_tech
drwx--S--T.  42 chrisk  users  12K Dec 29 20:52 chrisk
drwxrwsr-x.   5 smb     users 4.0K Oct 12 12:36 customers
drwxrwsr-x.   6 smb     users 4.0K Dec 20 12:48 dealers
drwxrwsr-x    3 smb     users 4.0K Nov  5 17:51 Distributors
drwxrwsr-x.  22 smb     users 4.0K Dec 29 16:58 docs
drwx--S--T.  42 liz     users  12K Dec 29 20:52 liz
drwx------   17 smb     users 4.0K Sep  8  2011 smb

I read up, and to get these permissions I believe that I did a `# chmod -R 7775 *` on /raid and then `# chmod -R 7775 <user>` for each username.

This works really well for when Windows share users log in and create files, and lets the drive behave as one would expect on their own computer. Things get a little iffy when I am writing code, though, because I switch from the Windows OS to my Linux Mint computer and sshfs mount /raid, and I'll create files that Windows people can't mess with because they will keep my permissions. On this brave new Debian RAID world, I'll have to see if this is still the case.

Security is the inverse of convenience: this configuration is very convenient and thus insecure in many aspects of file security or employee vandalism. It works great for "mom & pop" situations. When we have new employees (twice in 7 years), we all have a meeting and go over what the staff thinks about it all. It is only one step better than having a Windows box with an everyone share.

Next steps of improved security I am considering: there could be users and staff groups implemented for nuanced levels of security, and then an "everyone login" that isn't smb for folks to access and share everyday files. SMB could probably have yet another everyone user which doesn't have write/delete privileges, too.

Krista K
  • Thanks Chris! Also, might I ask, do you happen to use Samba as a primary domain controller? – Aimé Barteaux Jun 29 '12 at 22:12
  • No, the Windows network in my office is quite informal. The Ubuntu server is called "raid" in the smb.conf, and Windows computers find it without having to know its LAN IP address. – Krista K Jun 29 '12 at 22:16
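As an added example, not from the original answer or the poster's own setup: a POSIX shell script (assumed to run on Linux, as a regular user, in a scratch directory) that rebuilds the /raid-style layout from the listing above with the setgid bit the answer relies on, checks that new subdirectories inherit that bit, and writes a sample smb.conf for the two-tier access the answer proposes as a next step (a read-only everyone share beside a writable staff share). The share names and the staff group are assumptions.

```shell
# Added example, not from the original answer: rebuild the /raid-style
# layout in a scratch root and check the setgid ("s") bit the answer relies on.
set -eu

# make_share_layout ROOT: shared folders get 2775 (rwxrwsr-x) so any group
# member can write and new files keep the group; a per-user folder gets 2770.
make_share_layout() {
    root="$1"
    for d in docs customers dealers; do
        mkdir -p "$root/$d"
        chmod 2775 "$root/$d"
    done
    mkdir -p "$root/chrisk"
    chmod 2770 "$root/chrisk"
}

# mode_of PATH: the 10-character permission string, taken from ls so it
# works on any POSIX system (extra ACL/SELinux markers are cut off).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# setgid_inherited ROOT: 0 if a directory created inside the setgid share
# inherits the setgid bit (Linux semantics), which keeps everything under the
# share in the shared group no matter which user creates it.
setgid_inherited() {
    mkdir -p "$1/docs/newproj"
    case "$(mode_of "$1/docs/newproj")" in
        *s*) return 0 ;;
        *)   return 1 ;;
    esac
}

# write_smb_conf FILE: sample smb.conf for the answer's "next step": a read-only
# everyone share plus a writable staff share that forces the shared group and
# the 0664/2775 masks. Share names and the staff group are assumptions.
write_smb_conf() {
    cat > "$1" <<'EOF'
[raid-ro]
   path = /raid
   read only = yes
   valid users = @users

[raid]
   path = /raid
   read only = no
   valid users = @staff
   force group = users
   create mask = 0664
   directory mask = 2775
EOF
}
```

Source the script, then call `make_share_layout /tmp/raid-test` and `setgid_inherited /tmp/raid-test` to see the permission strings for yourself with `ls -ld`.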