Thread: Office wide linux network
I work for a small company with 10 employees. We make websites and run online marketing campaigns. The company is growing and so are the needs of the company. As part of my job I'm looking at restructuring the network and making some big changes.
The biggest change I'd like to make is to the network. I'd like to bin the Microsoft Small business server and Microsoft Exchange server and replace with a Linux file and email server.
As a desktop user of Linux, and a user of Linux, Apache, MySQL and PHP for dev work, I'm competent at using Linux for these things.
However I've never set up a network for an office that would act as a mail and file server and I wondered if any of the users here could give me any pointers / warn me of common pitfalls. I'd really like to push Linux into this company.
The network currently:
- 70 % windows XP and Vista users
- 20 % Mac Users
- 10 % Linux users
I'm not bothered about domains or workgroups or suchlike; I'd just like to run a network server that runs Linux. All resources could be seen by all people by running a combination of Samba and an Intranet (served with LAMP).
Can anyone recommend any good resources for setting this up? Any good books? Anyone done this before? Would it be easy for common resources like printers to be accessible to all users, regardless of platform?
Any help is greatly appreciated.
Thanks in advance.
If it were me, I'd take the 'old hardware' approach. That's where you get one of the old cast-off computers (these things get upgraded occasionally) and stick a server version of Linux on it (either CentOS or Debian - my personal choice is CentOS, but that call is yours), and then set up a user account server (NIS or LDAP or whatever you choose) and put my email server on it.
Then I'd get some more old hardware and set it up with the same OS, put Samba and NFS servers on it, plug it into the account info on the other machine, and make it my file server.
If I still had other old hardware around, I'd consider repeating for my web server - but you can always put Apache on one of the other boxes.
Specs? You can run a mail server on a Pentium II machine easy. If you run a heavy Web server, you'll still only need a PIII with Apache unless you're using heavy PHP/MySQL stuff. My combined Web/email/LDAP/Samba server is on one machine at home (6 users), and this runs a dual PIII with 512MB memory (ok, it has lots of hard disk space, but it does store my movie collection).
Okay, I got the NFS server working and the Linux machines can work with that. This thread pointed the way and this NFS howto was invaluable. I got lots of errors working through it and chapters 3, 7, and 8 addressed all of them.
Samba is serving the same directories for Windows and really anything can use the samba shares because samba is allowing the 'nobody' user, and that's because I still have a computer using WinXP Home. It appears WinXP Home will never handle permissions appropriately because WinXP home can't join a domain and thus can't use LDAP.
True Macintosh networking apparently requires the netatalk implementation of the appletalk protocol. OS X can deal with Samba though and I can still IPP the printer directly, so no major heartburn there.
The NFS-without-LDAP method is not satisfying because the server simply trusts that the UID set on one machine matches the UID set on another machine; this is not true network authentication, but that's trivial compared to the gaping hole of anonymous Samba access. The only thing really securing the network is a WPA password. It appears the next priority is to either get another copy of WinXP Pro or migrate off Windows entirely. Meanwhile I can investigate LDAP.
Roxoff, does this yolinux tutorial describe how you'd recommend setting up LDAP?
lol, you don't have to do it the way I've done it. I run Windows XP Pro on the machines I have to put Windows on - otherwise they wouldn't be able to use the domain.
If you have NFS exported on the server and imported on your Linux clients, the next step (before the network gets any bigger) is to set up NIS (formerly known as yellow pages, or 'yp'). This shares user id's and gid's across the linux machines, and it ensures that NFS shares read and write with the correct uid/gid pair for each user in the server's filesystem. Let me stress that if you set this up right early, you'll save yourself tons of grief in the future. You need the 'ypserv' package on the server and (I believe) 'ypclient' on the clients.
Once that's up, you don't need a domain. Use 'workgroups' instead - set up Samba with a username/password map for each user (use 'smbpasswd -a <username>' on the server for each user to set up their Samba passwords). Don't forget to ensure Samba is set for password encryption, and is restarted after any changes to smb.conf.
Then set each user's Windows XP Home PC to log on with a username and password which is set to the same as the samba account username and password they set up just before and have them log on using that account. You are now free to configure samba shares, using normal unix access controls to provide or deny access to different directories. Users should be able to map network drives, etc., with no problems.
Btw, I don't recommend using LDAP unless you need a domain. I set it up using Fedora Directory Server, which made things very easy, but still at least a whole order of magnitude more difficult than setting up Samba. I still have problems maintaining it, because I'm never certain about what effect changes to the database will have on the operation of the Windows XP machines in the domain.
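An added example, not part of the thread: a small audit of an smb.conf for the anonymous-access settings discussed above (share-level security, unencrypted passwords, guest fallback, 'guest ok' shares). The two config texts, share names and the @staff group are constructed for illustration.

```python
# Added example (not from the thread): flag the anonymous-access smb.conf
# settings the posts above warn about before the file server goes live.
import configparser
# Constructed smb.conf in the shape the thread describes: guest access
# through the 'nobody' account and no per-user accounts.
WEAK_SMB_CONF = """
[global]
   security = share
   encrypt passwords = no
   map to guest = Bad User
   guest account = nobody
[shared]
   guest ok = yes
"""
# The same file with per-user accounts (smbpasswd -a), encrypted passwords
# and no guest fallback, as the post above recommends.
HARDENED_SMB_CONF = """
[global]
   security = user
   encrypt passwords = yes
   map to guest = Never
[shared]
   guest ok = no
   valid users = @staff
"""

def parse_smb_conf(text):
    # smb.conf is INI-like; Samba ignores leading whitespace, so strip it
    # rather than let configparser read indented keys as continuation lines.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    return cp

def audit_smb_conf(text):
    """Return (section, setting, problem) findings for anonymous access."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    val = lambda sec, key, default: sec.get(key, default).strip().lower()
    findings = []
    if val(g, "security", "user") == "share":
        findings.append(("global", "security", "share-level: no per-user accounts"))
    if val(g, "encrypt passwords", "yes") in ("no", "false", "0"):
        findings.append(("global", "encrypt passwords", "plaintext SMB passwords"))
    if val(g, "map to guest", "never") != "never":
        findings.append(("global", "map to guest", "failed logons become guest"))
    for name in cp.sections():
        if name != "global" and val(cp[name], "guest ok", "no") in ("yes", "true", "1"):
            findings.append((name, "guest ok", "share is open to anonymous users"))
    return findings
```

Run it against the live /etc/samba/smb.conf after each edit and before restarting Samba; an empty list means none of the four weak settings are present.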
Actually, part of the reason I'm doing this is that in the next year or so I may be setting up OpenACS at my medical school and I'll need to tie into their domain, which may require LDAP. I doubt they're going to let me play in their sandbox if I'm unfamiliar with their protocols, which include LDAP.
Also, NIS seems famous as *the* insecure way to handle user authentication. Is your recommendation based exclusively on ease of implementation? If so, cool, but your response may help me navigate my decision matrix.
You have to remember where NIS is to be used. Normally it's behind a firewall, so the data is not accessible outside of trusted sources. Yes, it's potentially insecure, any user could do 'ypcat passwd' and read off the encrypted passwords, then do some kind of crack algorithm over it. But it won't get them the root password and most users have similar access levels, so there is not much to be gained that they probably couldn't get better through other means.
Believe me - using NIS is a good short term solution, it forces the network to use a common set of uid/gid pairs and as a result eases any migration to other things later (LDAP or whatever else you want to use).
And what do you mean 'tie into their domain'? Are you going to be plugging your Linux desktop into their domain? Samba already supports that in a different way. Are you going to be responsible for running the domain? You don't need LDAP to do that, you can do it with local authentication on your Samba machine.
I'll write a grant to get money to buy a box, or scrounge a box, park that box in a campus office space, plug it in, plug the cat 5 cable in, and turn it on. That will get me an IP address from the block of addresses they own, but I won't be on the domain yet. I'll need the box on the domain, but since I'll also be running web services that are tied to individual users, under their domain, I will need to authenticate users. Yes, I could set up my own user authentication tables and have every student establish a new password, but that really ought to be unnecessary. The university integrates new web services with their existing LDAP directory all the time.
-- EDIT --
Here's the grand scheme, and perhaps this should be a different thread, but it started here.
I'm a former Navy officer and I started medical school at Tulane in August 2005, three weeks before Hurricane Katrina. After Hurricane Katrina the school evacuated to Houston and spent the rest of the school year teaching classes in Houston. This was, to say the least, a life-altering inconvenience for many people. Some dropped out of medical school because of it. So I started podcasting the lectures, just recording the feed from the wireless microphone's receiver, and posting the files on my web server. This allowed people to stay in New Orleans if necessary (those with family, property, responsibilities with the city, etc) to listen to the lectures. Quite popular.
The project has grown from there and I plan to introduce OpenACS as an alternative to BlackBoard for faculty and student interaction. I'll be spending several weeks this summer with the people who maintain one of the longer running OpenACS installations. OpenACS is the software Philip Greenspun wrote to run photo.net. BlackBoard is some ugly corporate bloatware that meets 'certification' criteria by whatever misinformed academics think they know what certifies a content management system as appropriate for a learning environment, but allows BlackBoard to sell its shoddy wares to universities, regardless of how negative the student and faculty experience.
It seems to me that, as part of making the system friendly, it really ought to not require the students and faculty to register for yet another content management system. Using Tulane's LDAP will also allow me to accurately track 'null' users, those students and faculty who never use the site, which is critical to learning whether or not it's actually useful.
There are many interesting things one can learn from such data. We can see who downloads podcasts and compare podcast usage with grades. We can compare podcast download rates with faculty presentation performance. My logs suggest the better lecturers get downloaded more often, but does that translate to better grades? I do have some data that suggests podcasting is a fairly good way to learn, better than reading the textbook, review books, or notes purchased from the notes service.
So that's why I want to understand LDAP.
I don't want to sound negative or owt, but if you tell Samba to authenticate against a domain server, then it does that - you can tell the system to use that as a logon authentication, although you'd need a locally-provided home directory for each user.
Now you're branching into a different field, you want to monitor web/podcast downloads, but surely you read this information from the Apache logs, not from some LDAP service.
It strikes me that what you need is some scripting that is capable of filtering several log files (samba, apache, and maybe others) to dredge out the information you need rather than finding it in LDAP.
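An added example, not part of the thread, of the log-filtering approach suggested above: it reads Apache combined-format access log lines, counts distinct podcast listeners per file, and lists 'null' users from a roster who never fetched one. The log lines, usernames and paths are constructed, not real traffic.

```python
# Added example (not from the thread): pull podcast listeners and 'null'
# users out of Apache combined-format access log lines, which is where the
# download data lives rather than in LDAP. The log lines are constructed.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one full download, one client fetching a file in
# 206 range chunks, one anonymous listener, one unrelated page, one 404.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [02/Mar/2007:08:15:02 -0600] "GET /podcasts/biochem-12.mp3 HTTP/1.1" 200 48211234
10.0.0.7 - asmith [02/Mar/2007:08:16:40 -0600] "GET /podcasts/biochem-12.mp3 HTTP/1.1" 206 1048576
10.0.0.7 - asmith [02/Mar/2007:08:16:41 -0600] "GET /podcasts/biochem-12.mp3 HTTP/1.1" 206 1048576
10.0.0.9 - - [02/Mar/2007:09:01:13 -0600] "GET /podcasts/anatomy-03.mp3 HTTP/1.1" 200 39002211
10.0.0.5 - jdoe [02/Mar/2007:09:05:55 -0600] "GET /index.html HTTP/1.1" 200 2211
10.0.0.11 - bwong [02/Mar/2007:09:30:00 -0600] "GET /podcasts/anatomy-03.mp3 HTTP/1.1" 404 512
"""

def podcast_downloads(log_text, prefix="/podcasts/"):
    """Count distinct listeners per file and files per listener.

    A client pulling one file in several 206 range requests counts once,
    so the numbers reflect listeners rather than HTTP requests. Requests
    without an authenticated user are attributed to the client address.
    """
    seen = set()
    per_file, per_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        if m["status"] not in ("200", "206"):
            continue  # 404s and errors are not downloads
        who = m["user"] if m["user"] != "-" else m["host"]
        if (who, m["path"]) in seen:
            continue
        seen.add((who, m["path"]))
        per_file[m["path"]] += 1
        per_user[who] += 1
    return per_file, per_user

def null_users(roster, per_user):
    """Users on the class roster who never fetched a podcast."""
    return sorted(set(roster) - set(per_user))
```

The roster passed to null_users is whatever list of enrolled students you hold locally; the user column only carries a name when the server requires HTTP authentication, otherwise listeners are keyed by address.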
Good points. OpenACS uses AOLServer rather than Apache, so it sounds like I will have to investigate this further, perhaps the question I need to be asking is how will OpenACS interact with LDAP, and then, yes, either get the log files from AOLServer or OpenACS, depending on what those programs log.
Thanks for the help, will keep you posted.