Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: ngomes on September 20, 2006, 11:29:14 AM

Title: Active Directory and/or SME Server?
Post by: ngomes on September 20, 2006, 11:29:14 AM
I have a new client which is a public school. In this school they have an Active Directory (AD) infrastructure already in place, against which students, teachers and staff authenticate before working with their Windows (XP Professional) boxes.

They would like to:

1# Set up a new SME Server 7.0 for email purposes that should be able to act as an Active Directory BDC (backup domain controller) or, in other words, as an Additional Domain Controller (Samba/NT4 like). Is this possible?

2# In the near future (1/2 months) they will have a new IT classroom with Linux boxes (I am testing Ubuntu for this) and they would like to use the SME Server Samba/LDAP authentication scheme to authenticate the Linux users. Is this possible?

Any thoughts?
Title: Re: Active Directory and SME Server
Post by: cactus on September 20, 2006, 11:54:19 AM
Quote from: "ngomes"
1# Set up a new SME Server 7.0 for email purposes that should be able to act as an Active Directory BDC (backup domain controller) or, in other words, as an Additional Domain Controller (Samba/NT4 like). Is this possible?
It is not possible to mix Samba and Windows for primary and backup DCs.

Quote from: "ngomes"
2# In the near future (1/2 months) they will have a new IT classroom with Linux boxes (I am testing Ubuntu for this) and they would like to use the SME Server Samba/LDAP authentication scheme to authenticate the Linux users. Is this possible?
As far as I know the SME Server does not authenticate using LDAP (see this thread (http://forums.contribs.org/index.php?topic=33547.0) as well). Work is being done on that, see bug 1543 (http://bugs.contribs.org/show_bug.cgi?id=1543).
Title: Re: Active Directory and SME Server
Post by: ngomes on September 20, 2006, 12:03:18 PM
Quote from: "cactus"
It is not possible to mix Samba and Windows for primary and backup DCs.

How about:
1# Creating a trust relationship between Samba (NT4 like) and Active Directory?
2# Creating SME Server email mailboxes to Active Directory users, i.e. SME Server would behave like an "AD client"?

The main purpose here is to share the user database between Windows AD and SME Server. Perhaps in the future we can replace AD, but for now it is required, hence we have to do this in several phases.

Quote from: "cactus"
As far as I know the SME Server does not authenticate using LDAP (see this thread (http://forums.contribs.org/index.php?topic=33547.0) as well). Work is being done on that, see bug 1543 (http://bugs.contribs.org/show_bug.cgi?id=1543).

Studying this...

More thoughts?
Title: Re: Active Directory and SME Server
Post by: ngomes on September 21, 2006, 04:50:41 PM
Thanks cactus for pointing out some important info.

Quote from: "cactus"
It is not possible to mix Samba and Windows for primary and backup DCs.

Yes indeed (after reading lots of Samba docs).

But I really do need some directions here.

Perhaps a trust relationship between the future SME Server (Samba3) and the existing Windows Servers 2003 (AD) will do the trick.

Or perhaps migrating all users to SME Server, uninstalling AD from the Windows Server box and integrating it in the new Samba domain (as member server). But still, in this scenario I don't have the ability to authenticate the Linux Desktop boxes as stated on the bug 1543 (http://bugs.contribs.org/show_bug.cgi?id=1543).

Some more thoughts?
Title: Active Directory and/or SME Server?
Post by: jonroberts on September 21, 2006, 05:36:07 PM
While it's not exactly what you are after, this may help.

If it's practical to do so, you could maintain the user names and passwords on both AD and the SME7.  As far as I know this would need to be done manually.

Set the SME workgroup name to the same name as the AD domain & your Windows PCs will be able to access the SME without re-authenticating.

I have this in a couple of clients who already had MS Small Bus Server and I've added an SME.  As long as user names & passwords are the same on both, users log on to SBS as Domain Controller & then access the SME as file server.

Now for the bit I haven't tested.  If the PDC fails, run server-manager & tick the box on the SME that says I'm domain controller.  I'm far from convinced this will work though as I'm guessing the Windows PCs won't seamlessly authenticate to the SME - still it may be worth a try if you can test it easily.
Title: Active Directory and/or SME Server?
Post by: ngomes on September 21, 2006, 06:19:42 PM
Quote from: "jonroberts"
If it's practical to do so, you could maintain the user names and passwords on both AD and the SME7.  As far as I know this would need to be done manually. Set the SME workgroup name to the same name as the AD domain & your Windows PCs will be able to access the SME without re-authenticating.

That's a good idea but not very practical. This school has around 1500 students...

Quote from: "jonroberts"
Now for the bit I haven't tested.  If the PDC fails, run server-manager & tick the box on the SME that says I'm domain controller.  I'm far from convinced this will work though as I'm guessing the Windows PCs won't seamlessly authenticate to the SME - still it may be worth a try if you can test it easily.

The Windows desktop boxes need to join a domain (AD, NT4 or Samba) in order to have central authentication for all users. If the AD PDC fails in your scenario, the users on the Windows desktop boxes will not be able to authenticate, unless we join the Windows desktop boxes to the Samba (SME) domain. Anyway, my dilemma is:

1# With the existing AD in place I can have all Windows and Linux desktop boxes on the domain. By the way, about joining a SuSE Linux box to an AD domain read this article (http://reverendted.wordpress.com/?p=314).

2# With SME Server I can only have the Windows desktop boxes.

More ideas?
Title: Active Directory and/or SME Server?
Post by: ngomes on September 22, 2006, 12:59:56 AM
Just for reference purposes, if someone is interested, I found these 3 articles:
Integrating Linux with Active Directory (http://blogs.sun.com/tkblog/entry/integrating_linux_with_active_directory)
Integrating Samba 3 in to a Windows 2003 Domain (http://windows.ittoolbox.com/documents/tutorials/integrating-samba-3-in-to-a-windows-2003-domain-1893)
Samba & Windows 2003 Active Directory Integration (http://lilly.csoft.net/~vdebaere/handleiding/samba-activedirectory/index_en.html)
Has anyone tried some of these with SME Server?
Title: Active Directory and/or SME Server?
Post by: ngomes on October 12, 2006, 01:05:46 PM
Quote from: "ngomes"
Anyway, my dilemma is:

1# With the existing AD in place I can have all Windows and Linux desktop boxes on the domain. By the way, about joining a SuSE Linux box to an AD domain read this article (http://reverendted.wordpress.com/?p=314).

2# With SME Server I can only have the Windows desktop boxes.

More ideas?


Probably a solution for the Linux Desktop boxes is at:
http://forums.contribs.org/index.php?topic=33276.0
Title: Active Directory and/or SME Server?
Post by: ngomes on October 18, 2006, 12:42:30 PM
Hi all,

Just for the record (and nothing more), due to the lack of SME Server native support or available options, our almost final decision about the possibility of having several Windows and Linux desktop boxes authenticating against 2 or more SME Servers in a public school (1500 users, 150 desktops, 3 servers and growing), is:

- Install Windows Server 2000/2003 on all servers.
- Install and configure Active Directory (AD) on 2 of them for authentication redundancy.
- Install and configure Windows Services for UNIX (SFU) to provide a NFS/NIS server in the network and username mapping (mapping Linux UID/GIDs to AD SIDs).
- Integrate all Linux desktop boxes (Ubuntu) via SFU or AD (in testing this week).

Nuno
Title: Active Directory and/or SME Server?
Post by: CharlieBrady on October 18, 2006, 03:57:57 PM
Quote from: "ngomes"

Just for the record (and nothing more), due to the lack of SME Server native support or available options, ...


How much are you prepared to offer for the development of the features you require?
Title: Active Directory and/or SME Server?
Post by: ngomes on October 19, 2006, 03:44:28 AM
Quote from: "CharlieBrady"
How much are you prepared to offer for the development of the features you require?

In principle, I am totally in favour of giving the developers resources, i.e. money, to fund specific feature(s).
But it all depends on:
(1) What are the features exactly, from a developer point of view?
(2) How many people are willing to do the same?
(3) How much is enough for funding this development?
(4) Will it be GPL'ed? If so, will it be part of the next release (7.1)?

3 important things about us:
(1) We (my small firm, 2 persons) are not developers. Occasionally we do some scripting (bash, vbs).
(2) In the last 5 years, we have implemented some SME Servers (typically only one server per network) along with Windows Servers (when several servers must use the same user/group/machine/etc LDAP/NT database, or for running specific Windows-only applications).
(3) Our available time to study client scenarios and take decisions is usually from 1/2 days (small networks with 5/10 PCs) to 6/7 days (medium networks with 100/150 PCs).

Nuno