Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: chuckt3hnoob on March 25, 2007, 07:15:23 PM
-
Hi, as my name suggests I am not a Linux guru, so after hearing about SME and reading through the wiki I found it to be exactly what I need. But after installing and configuring the server to host a learning center for the city of Parlier, I found that I have not seen any way to lock down the user accounts. I have been working with Windows networks since 2000, so I am basing all statements on Windows Active Directory.
In Windows Active Directory I can create a group policy object for each OU and the server. How would I do things like prevent them from using IE and prevent the last user displaying in the login prompt and shut down the system? Also, I would like to know if SME's PROXY has a way to block certain web pages (it is a city learning center, so MySpace and the like is a waste of bandwidth), and also I want to create a guest account so that new users can log in and see the capabilities of the learning center but with little or no permissions.
And one last thing that I want to ensure is that the homepage of all the students is the same and cannot be changed. Please let me know where to do this and where I can find more information, because I assure you this is just a taste of what I want to lock down on this network to keep it from being used in a non-education way.
Thanks for any info.
-
OK, first things first... Did you read the user manual? You should do that to know SME.
"How would I do things like prevent them from using IE and prevent the last user displaying in the login prompt and shut down the system"
Preventing them from using IE would be done on Windows and has nothing to do with SME. And they can't shut down SME because they would need shell access and they wouldn't have it (again, user manual).
To block some webpages... you would need a contrib called squidguard or dansguardian (search on this forum for both contribs).
You'll find out how to install them when you read the user manual.
"I want to create a guest account so that new users can log in and see the capabilities of the learning center but with little or no permissions."
This would be done through the learning center's webpage and has nothing to do with accounts on SME (accounts are for mail and stuff - hint: the manual).
"And one last thing that I want to ensure is that the homepage of all the students is the same and cannot be changed. Please let me know where to do this and where I can find more information, because I assure you this is just a taste of what I want to lock down on this network to keep it from being used in a non-education way."
This is done through Windows and not SME.
"I found that I have not seen any way to lock down the user accounts."
If you want them to stop using mail you can do that from the server manager (read about it in the manual), and if you want to get them off your webpage do that from the webpage's admin panel (it's different for every webpage).
And now I'm confused... Do you need a server (hosting webpages, files and mail) or just a client (browsing internet and checking mail)? Because SME is a server distribution and you want something in between.
-
See chapter 26 of the Samba manual for Policies. Search the internet for others.
see http://samba.org/samba/docs/man/Samba-HOWTO-Collection/PolicyMgmt.html
Hope it Helps!
-
I guess I need to clarify what I was asking. When I asked how to prevent the user from shutting down the system I was not referring to the SME server; I was referring (in that and all other questions) to the client machines. And when I stated that I wanted to "lock down" the users' accounts I was referring to a user logged on to the SME domain not having permissions to do things like change the screen saver or install ActiveX controls. All things stated in my first post were after reading the manual, and the manual makes no reference to any similar configurations that emulate the Group Policy Object that is in a Windows Active Directory. Now I am quite fed up with MS and all its CALs, so I am turning to open source because of the ability to be a part of something that is actually promoting ideas that make life easier. I am requesting help to emulate the benefits of using a .NET framework and GPO in Active Directory using SME.
-
Well, shutting down computers will have to be done through the clients, so what will you install on the clients (MS, Linux)?
-
All the computers (because they were purchased by AT&T) are running Windows XP SP2. The thing is, I know you can set the group policy for like admins only to shut down the system, but I want to ensure that any additional users or certain staff have that capability, plus that would require me to go to each machine separately and set the permissions there. Can't SME do this for me as the domain controller?
-
No. I see that you don't understand what a domain controller is or what it can do.
Here you go:
http://whatis.techtarget.com/definition/0,289893,sid9_gci283996,00.html
SME can control printers and network, but you'll have to contact Microsoft tech support or Google if you want to find out how to add user accounts and privileges on XP.
-
I know that Active Directory gives you a lot of group policy options, but as far as I can tell, most of that functionality is not available on SME. I think that you would have to go to every machine to make the policy changes.
For instance at work we have a policy set that will not let users disable automatic updates. The only way to get around that is to change the group policy itself, or add the computer to a special container in AD that was setup for this purpose. I have not seen this type of capability with SME, but I am definitely still at beginner level.
Ryan
-
"All the computers (because they were purchased by AT&T) are running Windows XP SP2. The thing is, I know you can set the group policy for like admins only to shut down the system, but I want to ensure that any additional users or certain staff have that capability, plus that would require me to go to each machine separately and set the permissions there. Can't SME do this for me as the domain controller?"
you already had the answer...
you have to use MS tools..
I use poledit (from w2k resource kit) with last .adm from xp to manage user/pc/group policy; it works smoothly even if it's not AD.
HTH
ciao
Stefano
-
Much thanks to everyone for all the replies. I am trying the mstool right now and also installing the Berkeley DB. But I am having trouble with the DB. I downloaded the file "db-4.5.20.tar.tar" from the Oracle web site and ran the following command:
>tar xvzf db-4.5.20.tar.tar
it extracted all of the files into a new folder inside my current folder (I'm assuming this is normal)
followed by
#cd build_unix
#../dist/configure
#make
#make install
Then I tried to run the ./configure for squidguard and I get the error that it can't find the db.h. It tells me to run the command with the following argument, --with-db=DIR, where DIR is the directory where I installed BerkeleyDB. Well, the directory where it installed itself was /usr/local/BerkeleyDB.4.5
and when I enter this I get the same error.
I went to the man pages on BerkeleyDB located in /downloads/BerkeleyDB/db-4.4.20.NC/docs/index.html using elinks.
On the page that speaks of "Dynamic shared libraries" I read that I needed to enter the following commands:
#cc -L BUILD_DIRECTORY/.libs -o testprog testprog.o -lbd-.4.5
#env LD_LIBRARY_PATH="BUILD_DIRECTORY/.libs:$LD_LIBRARY_PATH" ./testprog
The man explains that BUILD_DIRECTORY is the location where BerkeleyDB was built,
so I entered this:
#cc -L /usr/local/BerkeleyDB.4.5/.libs -o testprog testprog.o -lbd-.4.5
getting the wonderful feedback as follows
cc: testprog.o: No such file or directory
I go to the website for squidguard.org hoping for help, and all it says is "Annotation: Make sure that the shared library of your BerkeleyDB installation is known by your system (check /etc/ld.so.conf). " So using vi I check it.... ok wtf am I looking for again? So here is the prob... I don't know if Linux knows where it is or not, because I... don't know where to find out what it would say if it did.
So now we get to the part where I am going to hear that I may as well re-install SME... :( So I substitute the "testprog" with /etc/lb.so.conf
I get feedback that states that one file has been written,
then the next command states the same thing again:
env: ./testprog: no such file or directory
Trying the substitution:
and it writes it to the env file (.... is this good? prob not).
Trying the ./configure again and same error... :evil: I have spent the last 3 hours looking at page after page of manuals and I can't find anything relevant. I know I am overlooking it and I know I don't know jack about Linux CLI. I admit I have been using MS products for the last 10 years and I just started with Linux a week ago, and with only a book on Linux+ cert from Thomson to guide me I am S.O.L., so pardon my ignorance but I really need assistance.
And I know what a domain controller is. I don't know how I keep coming across as networking-ignorant, but I am not: I have set up 5 Windows 2003 Active Directories in the last year, I know how they work, and the root domain controller on the Active Directory can set the permissions for both the domain GPO and local client machines' GPO simply by taking control using an MMC. So please help instead of lecturing me on Active Directory; if you know what I am talking about then fill in the blanks, otherwise ask questions so I can clarify. And I have seen that SME can do some of the things that Active Directory can do but not all, but what more can I expect from an OS that is built on a Linux core trying to take control of the closed-source MS Windows XP Pro SP2 machines... things that people had to reverse engineer or come up with from a clean slate. So I am not expecting perfection from SME, and I am not afraid to spend a few weeks researching before implementing (I have been planning this for about 2 weeks now). I was always worried when the manual for SME was so cut slate and dry, with only instructions on the webpage "server-manager", knowing full well that with any Linux distro the true administration happens at the CLI.
But please don't think that I am ungrateful for the responses that I have been given. I just feel that we should not cover ground that we both know.
-
"Much thanks to everyone for all the replies. I am trying the mstool right now and also installing the Berkeley DB."
Hmmm, not sure why you are trying to install Berkeley DB....
I do think that you are trying to do some things that you shouldn't as a new user (and I guess you haven't really been given a good start in how to do what you want to do).
First things first, smeserver is NOT an AD controller and won't give you AD policy management. It will act as a Domain Controller (via samba and its capabilities - as implemented on smeserver) and all the other things noted in the manual.
When squidguard or dansguardian was suggested, they didn't mean to go and compile them from scratch. There are 'contributions' available that will add this functionality into your smeserver AND give you a control panel for managing them (via server-manager). These contribs will also load all the required dependencies.
For an overview of 'contributions' etc. look at the Technical Manual - Chapter 6: Adding New Software http://wiki.contribs.org/SME_Server:Documentation:Technical_Manual:Chapter6
For dansguardian I suggest that you look at http://dungog.net/sme/dansguardian.php with instructions on how to install from their repository under the Download/Install link (but do look at the Software Summary page as not all of dungog's packages are GPL)
Hope this helps a little
Trevor B
-
"First things first, smeserver is NOT an AD controller and won't give you AD policy management. It will act as a Domain Controller (via samba and its capabilities - as implemented on smeserver) and all the other things noted in the manual."
Yeah, found that out the hard way. Guess when I initially read the manual for SME I thought I would (in retrospect I think I was filling in the blanks). But I was not aware of any other way to install squidguard; when I heard about it from pbivk I went to the web page and read that I needed three things to start and Berkeley DB was one of them, and as you can see I have been having lots of fun with that.
"For an overview of 'contributions' etc. look at the Technical Manual - Chapter 6: Adding New Software http://wiki.contribs.org/SME_Server:Documentation:Technical_Manual:Chapter6"
As for that... I knew I was overlooking something and my thanks go to you for reminding me... I read that part but it registered as "how to get updates" instead of upgrades. I used yum to get things like a compiler, bison, and flex, thinking that these things were necessary for adding additional packages to my server. To be quite blunt, this is my first attempt at Linux; I haven't even used it as a home desktop computer because my work requires Windows for the monitoring of the radios on my wireless network, so I have never installed a Linux package before. But dansguardian seems a whole-heck-of-a-lot easier than what I was doing before, but I will have to try it first thing in the morning. Be sure that I will repost with any additional news.
again thanks for the information XD
-
"as you can see I have been having lots of fun with that"
We noticed :D
"To be quite blunt, this is my first attempt at Linux; I haven't even used it as a home desktop computer because my work requires Windows for the monitoring of the radios on my wireless network, so I have never installed a Linux package before."
And the other problem is that smeserver has isolated most of the control back to the web interface or through a set of database parameters (which allows for seamless upgrades etc.), which is NOT standard Linux. So if you just follow 'this is how you do it on Linux' instructions, you will normally find yourself in trouble. Many people have put in the effort to create 'contribs' for applications that make sense for them. You'll find that there are many contribs beyond the official ones as well.
The sme part of smeserver is for 'Small to Medium Enterprises' where the server admin is just someone in the office; it is not aimed at a fully qualified MCSE. It's not to say smeserver doesn't work in that environment, but that the interface is aimed at that market. To go playing at a highly technical level will require some understanding of the underlying architecture.
I would suggest that you read the developers manual to help you understand how smeserver implements its configurations and templates. I think this will help you in bridging the knowledge gap.
http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual
Good Luck :-)
Trevor B
PS. For another list of 'official' contribs look at the first item in the SME Server Contribs forum.
For additional items you could do a search through that forum for any particular topic you are looking for (eg. 'block emule').
-
Ok one more from me...
You can find the squidguard contrib by searching on this forum. And you'll find some of my posts on how to change the default blacklist.
I didn't want to lecture you about AD, but this is Linux and doesn't have the same features as Windows 2003. That was pointed out in a few posts by me.
And I'm sorry, I didn't want to offend you or your knowledge, but your first post was written so confusingly that I couldn't know how much you use Linux or Windows. I tend to forget that there are a lot of new users here that don't know what a contrib is and how SME runs. So I'm sorry and I hope that I can be of more use to you in the future. :D
-
Hi..
take a look at this..
http://www.pcc-services.com/articles/implement_sys_policies.html
HTH
Ciao
Stefano
-
Stefano is correct. His link is accurate.
GP's are just forced regedits (or xp config db settings) onto the client pc's. You should be able to do anything you need with poledit and the adm templates.
MS doesn't want you to touch the registry directly so they have Group Policies (GP's). However everyone (even MS) knows that eventually you need to edit the registry directly to tweak it or to fix a problem.
So the MS hiccup is that changes can be forced through direct regedits or GP's . This is why in MS these types of edits are given in both regedit format and GP format: http://msdn2.microsoft.com/en-us/library/ms815238.aspx and they offer a reference file: http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
It's important to note that GP's are only done with the correct ADM files, txt files that control the mapping of GP's to regedits. xp adm files live in: %systemroot%\inf (go ahead and look on your local xp pc -edit any adm file with txt editor). The adm files are ever increasing in size & complexity (SP2 contains 609 new adm policy settings & newly released have nearly 800 more than the 2003 sp1 ADM files, for a total of 2450 settings).
For example, when XP SP2 came out, new adm files were needed to control the additional settings, ie windows firewall. If you had a W2K server, you had to apply the new xp sp2 adm files to the local W2K server but couldn't use them directly from the server b/c W2K didn't have those registry edits locally in its OS. You needed to use a XP client to access the W2K server GP. Even after doing this, most ran into errors like "The following entry in the [strings] section is too long and has been truncated": http://support.microsoft.com/kb/842933 A classic situation of "Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section."
Have fun reading; white papers, tech notes, kb articles, discussion threads. All for information that isn't going to be around in 3 years when it's changed again or obsolete.
So to do this correctly from MS, you need to be familiar with the registry, the GP settings and the adm templates that tie them together. To make matters worse, GP's aren't effective immediately, sometimes require a twice-reboot and can "tattoo" the clients (leave the regedits after the GP is removed). On top of it all, they still can't easily do what most admins want - prevent users from installing stupid stuff or making stupid changes, all the while giving enough access to run the apps they need.
As a result, you'll find GPO's, regedits, regedit-scripts and ADM template all through the internet. For example, http://www.securityfocus.com/infocus/1719 or you can google your way into oblivion.
Obviously none of these options are necessarily intuitive. This leads to a huge 3rd party market trying to make it all make sense for customers. Such as: www.netpro.com, www.scriptlogic.com, www.visualclick.com and www.desktopstandard.com. Even linux has a 3rd party gpo provider: http://www.nitrobit.com/
How long are companies/admins going to tolerate this in terms of money and time before they switch to something easier? Basically, this type of network is a nightmare for companies. Especially when they have to start creating a separate GPO just for specific desktops to allow ports. It's easier just to make the desktop change. This, as well as overall cost, is pushing companies to thin client setups - citrix, sunrays, etc. Basically back to some type of mainframe setup, where minimal changes need to happen to affect a large amount of users.
I wrote some basic steps a while back:
http://forums.contribs.org/index.php?topic=31770.0
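The ADM-to-registry mapping described in the post above, as an added example that is not part of the original thread: a small Python parser that reads an ADM template and emits, in .reg syntax, the registry values its policies write when enabled. The template text is constructed for illustration, the names `SAMPLE_ADM`, `parse_adm` and `to_reg` are hypothetical, and only the CLASS, CATEGORY, POLICY, KEYNAME, VALUENAME and VALUEON keywords are handled.

```python
import re

# Constructed sample in ADM template syntax (not copied from a shipped .adm file).
SAMPLE_ADM = r'''
CLASS USER
CATEGORY !!StartMenu
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    POLICY !!NoClose
        VALUENAME "NoClose"
    END POLICY
END CATEGORY
CLASS MACHINE
CATEGORY !!Logon
    POLICY !!HideLastUser
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"
        VALUENAME "DontDisplayLastUserName"
        VALUEON NUMERIC 1
    END POLICY
END CATEGORY
[strings]
StartMenu="Start Menu"
NoClose="Remove the Shut Down command"
Logon="Logon"
HideLastUser="Do not display last user name"
'''


def parse_adm(text):
    """One dict per POLICY: display name, hive, key, value name, DWORD when enabled."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', tail, re.M))
    policies, hive, cat_key, cur = [], None, None, None
    for raw in body.splitlines():
        word, _, rest = raw.strip().partition(" ")
        word, rest = word.upper(), rest.strip().strip('"')
        if word == "CLASS":
            hive = "HKEY_CURRENT_USER" if rest.upper() == "USER" else "HKEY_LOCAL_MACHINE"
        elif word == "CATEGORY":
            cat_key = None  # a KEYNAME at this level is inherited by the policies below
        elif word == "POLICY":
            # "!!Name" is a reference into the [strings] section
            name = strings.get(rest[2:], rest) if rest.startswith("!!") else rest
            # "on" defaults to 1: with no VALUEON, an enabled policy writes DWORD 1
            cur = {"name": name, "hive": hive, "key": cat_key, "value": None, "on": 1}
        elif word == "KEYNAME" and cur is None:
            cat_key = rest
        elif word == "KEYNAME":
            cur["key"] = rest
        elif word == "VALUENAME" and cur is not None:
            cur["value"] = rest
        elif word == "VALUEON" and cur is not None:
            cur["on"] = int(rest.split()[-1])
        elif word == "END" and rest.upper() == "POLICY":
            policies.append(cur)
            cur = None
    return policies


def to_reg(policies):
    """Render the enabled state of each policy in .reg file syntax."""
    out = ["Windows Registry Editor Version 5.00"]
    for p in policies:
        out += ["", "; " + p["name"], "[%s\\%s]" % (p["hive"], p["key"]),
                '"%s"=dword:%08x' % (p["value"], p["on"])]
    return "\n".join(out)


if __name__ == "__main__":
    print(to_reg(parse_adm(SAMPLE_ADM)))
```

Run against a real template from %systemroot%\inf, the same listing gives a quick inventory of which registry values a policy set touches before it is pushed to clients.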
-
Sorry for the long away period, but I have been reading and implementing the things in the developers manual and making many failed attempts to install dansguardian (can't seem to access the web interface; https://myserver/server-manager/dungog.net/dansguardian didn't seem to work...).
But in reply to all that has been said, I am amazed at how many people tried to help me with my issue and am most grateful for the replies and insights. :D
I have looked at that link
"take a look at this..
http://www.pcc-services.com/articles/implement_sys_policies.html
HTH"
and it looks like it may work (depending on how well I follow instructions =p ), but I have to finish with the content filtering from dansguardian (I think it works, but I had to re-install my server because of the Berkeley DB that I was failing to configure, the yum repos and who knows how many "uh-ohs" I did to the .conf files), so I have to re-add all the clients to the domain (been at it all weekend).
Having read your post I have a simple question I have to ask :oops: , because I don't want any more mistakes: should those steps be carried out in XP or on the SME console itself?