Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: donavon on February 26, 2009, 10:58:30 PM
-
Tell me if/how to get this done.
I want sme server #1 to act as domain controller, etc.
I want sme server #2 to act as file server, but I want sme server #2 to get its user authentication from sme server #1.
Basically, sme1 is the gateway server, while I also want another sme server to act as the Domain controller, email server, etc. But I need to have SSO, single sign-on, from the sme2.
thanks in advance
-
Welcome!
You can't do this
I want sme server #1 to act as domain controller, etc.
I want sme server #2 to act as file server, but I want sme server #2 to get its user authentication from sme server #1.
and this
Basically, sme1 is the gateway server, while I also want another sme server to act as the Domain controller, email server, etc. But I need to have SSO, single sign-on, from the sme2.
at the same time. They are opposites. You can't have SME server #1 act as a Domain controller and SME server #2 act as a Domain controller on the same net.
See http://wiki.contribs.org/Advanced_Samba for more help in adding second SME servers into a domain.
-
Maybe I confused you a little, sorry. Let me try to make my case clearer.
sme #1
gateway to the internet
vpn server
mail server
ftp server
sme #2
Domain Controller
authentication
I want sme #1 to get its authentication from sme #2 (the DC).
I want an SSO (single sign-on) setup.
thanks again
-
There used to be a NIS setup from Jurgen. It might still be usable.
-
donavon
Modern powerful highly spec'd computers are very capable of doing all those tasks on one server, and quite securely too. There are no real security gains to be made by separating the functions.
What gains are you expecting from using two servers ?
That's apart from the problematic likelihood of being able to authenticate between machines anyway.
-
I appreciate your proposal, however, I wouldn't want my Domain Controller to be sitting on the network edge. There are other instances where you may want an additional file server using sme server, and want all of them to authenticate on the same DC.
-
donavon
So I guess you are saying you don't believe in the model of having the firewall on the same DC server, despite the fact that the sme firewall is every bit as effective as any other firewall, whether separate or "built in".
The security model of a separate firewall in front of your server is as good as how many ports you forward to your web server and what applications you run on your web server (and how vulnerable they are to hacking).
No firewall (wherever you put it) will stop a "buggy" web application getting hacked.
The merits of firewall "location" have been discussed many times before in these forums, and it seems to be a two camp scenario: some will only use a separate firewall, some are quite happy to use the sme firewall.
Let's not restart this discussion as my post is not meant to be a rehash of that argument.
I'm simply saying that sme used appropriately is very safe and secure, and I believe that one server will suffice your needs (assuming the scale of your activities is moderate and we are not talking thousands of users etc etc).
In the real world, thousands of sme servers are configured in server gateway mode and run as domain controllers without failure and without security ramifications, over many many years now, ie they are "exposed" directly to the Internet via a bridged modem and reliant upon the sme firewall.
This is a proven fact.
I personally have had a number of sme servers running in that mode since the days of sme 3.x and the firewall has never been breached in eight years.
The developers have given great attention to the security of sme server.
I'd suggest you reappraise the need for separate servers as it is simply not necessary.
This is all apart from the fact that no current simple or supported mechanism exists for implementing the user authorisation functionality you ask for. True, it is a very desirable "feature" and many people have requested it over the years, but it is also complicated to implement, and "out of scope" of the main sme server project.
Charlie Brady gave some indication of the steps required to achieve this functionality a few years ago, I think in a devinfo list post, but a lot of work would be needed to develop the code and methodology, and that would need financial sponsorship to have the code developed.
If it is really important to you ie a "must have", then contact Charlie to discuss funding the development work, and the outcome would be a wonderful gift to the whole sme user community.
Work is being done on LDAP authentication, more so related to sme 8, which is still in beta stage, as a workaround that may be sufficient for your needs.
Perhaps the old procedure outlined earlier in this thread is still functional.
If you have only a few users then the simple answer is to manually replicate the user base on both servers.
-
Although this thread seems to deal with 2 matters, location of a server and authenticating from a different server, I want to correct my previous post...
There was some work done on NIS with sme6. Here's the link (I did not test it on sme7):
http://sme.swerts-knudsen.dk/howtos/howto_31.htm
Did you look at http://wiki.contribs.org/LDAP ?
-
Mary,
I read with great detail, your reply to my post. I too have all the confidence in the world in sme, i have sme running at more than half my clients.
In this case however, it's a matter of minimizing the critical points of failure. I have a client that, while they can live without the Internet, in the event that the sme gateway dies, cannot live without their DC and File server. The two functions have therefore been designated to two physical servers.
I desperately want to use sme to provide the aforementioned tasks. Based on your post I see that it's a feature that has been requested but just not yet implemented.
I would hope that SME8 will have the ability to join an AD schema. I will contact Charlie about possible funding of having multi-sme boxes in an SSO domain.
Thanks for your sincere help..
-dac
-
You could try looking at this (http://wiki.contribs.org/Advanced_Samba). Just choose domain member on SME #1 and join it to SME #2's domain. Everything *should* work after that. It will probably require a bit of modification to get qmail to work.
Craig
-
donavon
... I have a client that, while they can live without the Internet, in the event that the sme gateway dies, cannot live without their DC and File server. The two functions have therefore been designated to two physical servers.
Now that really puzzles me.
Do you/your client think that the DC & File server will never fail by having that functionality in a separate box??
Some statistical analyses would suggest that with two servers there are more possible points of failure.
I'd suggest they would be better off using one server (to do everything) and investing the additional dollars for the other server into a onsite Affa backup server.
If the main server has any severe failure then the Affa backup server can be up and running in say 10 - 20 minutes using the affa --rise command (depending on amount of data etc).
I would hope that SME8 will have the ability to join an AD schema.
I think I read there will never be full AD support as that is proprietary MS stuff.
-
Full AD support is coming in Samba 4, which will support both client and server functions. However, Samba 4 appears to be stuck in perpetual development.
-
I'd suggest they would be better off using one server (to do everything) and investing the additional dollars for the other server into a onsite Affa backup server.
If the main server has any severe failure then the Affa backup server can be up and running in say 10 - 20 minutes using the affa --rise command (depending on amount of data etc).
I would second this recommendation. Put that AFFA server in a hardened / fire-resistant room/rack and you have a killer backup solution with very quick deployment time.
-
I strongly agree. My office network is powered by SME and backed up with an affa server. I had a severe hardware outage, but in minutes affa was configured as principal. End-users hardly noticed the downtime.
-
I have often wondered if a simple hack could make it possible to do what you want. I have used SSH to copy /etc/passwd and /etc/shadow between computers before and it works quite well. If SME is using smbpasswd, then it too could be copied periodically via a cron job and you would then have something close to what you want. You would have to be careful not to add users or make changes on server1, as the cron job would overwrite them on the next update. It may not be pretty but I bet it could be made to work. Maybe someone who is more versed in the intricacies of SME could tell us what other files should be copied (like maybe LDAP) to make the rest of the system work. It would essentially be like restoring a machine from backup but without changing the ibays.
Julian
-
julianweber
I have used SSH to copy /etc/passwd and /etc/shadow between computers before and it works quite well. If SME is using smbpasswd, then it too could be copied periodically via a cron job and you would then have something close to what you want. You would have to be careful not to add users or make changes on server1 as the cron job would overwrite them on the next update. It may not be pretty but I bet it could be made to work.
That is the very basic concept of how it could work on sme, but there is more to it than that, e.g. the accounts db also needs to be copied, and I'm sure a few others. User information and passwords are scattered in a variety of places in sme. Then there is the mechanism to cleanly update this across servers etc. It all takes considerable work and effort to turn the concept into a working solution that will also survive upgrades and system improvements that may occur in new releases of sme.
It's a job for a clever developer.
The concept was mentioned by Charlie Brady in the thread referred to (search for it).
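The "copy the password files with a cron job" idea from the last two posts, written out as an added example. This is not code from the thread, from SME Server or from e-smith; it is a sketch of what such a cron job would have to do to be safe. Everything not stated in the thread is an assumption: the master hostname sme2.example.lan, key-based root SSH from the replica to the master, the staging directory, the cron line in the last comment, and the file locations (the e-smith accounts db and the Samba smbpasswd file are placed where the author believes SME 7 keeps them). It copies raw files only, so none of SME's templates or events run on the replica, and, as Julian warned, any user added on the replica is lost on the next sync; the script lists such users and refuses to proceed unless forced.

```sh
#!/bin/sh
# Added example, not from the thread and not SME Server's own tooling: a one-way
# copy of the account database from the DC (sme#2, "master") to a replica (sme#1),
# intended to run from cron on the replica. It copies raw files only, so SME's
# templates and events are NOT triggered; treat the paths below as assumptions
# about SME 7 (smbpasswd backend, e-smith accounts db), not verified facts.
set -eu

MASTER="${MASTER:-sme2.example.lan}"          # assumed hostname of the DC
STAGE="${STAGE:-/var/lib/sme-replica/stage}"  # snapshot is staged here first
ROOT="${ROOT:-}"                              # install prefix; "" = live system

# Files that carry users and passwords on SME 7 (assumed locations).
FILES="etc/passwd etc/shadow etc/group etc/samba/smbpasswd home/e-smith/db/accounts"

# Pull every file into $STAGE over SSH (key-based root login to $MASTER assumed).
fetch_from_master() {
    for f in $FILES; do
        mkdir -p "$STAGE/$(dirname "$f")"
        rsync -a -e ssh "root@$MASTER:/$f" "$STAGE/$f"
    done
}

# Refuse a snapshot that is truncated or would lock root out of the replica.
validate_stage() {
    pw="$STAGE/etc/passwd"; shd="$STAGE/etc/shadow"
    [ -s "$pw" ] && [ -s "$shd" ] || return 1
    # passwd lines have 7 colon-separated fields, shadow lines 9
    awk -F: 'BEGIN { bad = 0 } NF != 7 { bad = 1 } END { exit bad }' "$pw" || return 1
    awk -F: 'BEGIN { bad = 0 } NF != 9 { bad = 1 } END { exit bad }' "$shd" || return 1
    # root must still exist with uid 0 and have a shadow entry
    awk -F: 'BEGIN { ok = 0 } $1 == "root" && $3 == 0 { ok = 1 } END { exit !ok }' "$pw" || return 1
    grep -q '^root:' "$shd" || return 1
    # every passwd user needs a shadow entry, otherwise that login breaks
    awk -F: 'BEGIN { miss = 0 } NR == FNR { s[$1] = 1; next } !($1 in s) { miss = 1 } END { exit miss }' \
        "$shd" "$pw" || return 1
}

# Users present on the replica but absent from the snapshot would vanish on
# install (the thread's warning); list them so the operator can decide.
local_only_users() {
    [ -f "$ROOT/etc/passwd" ] || return 0
    awk -F: 'NR == FNR { m[$1] = 1; next } !($1 in m) { print $1 }' \
        "$STAGE/etc/passwd" "$ROOT/etc/passwd"
}

# Install each staged file atomically (write a temp file, then rename), keeping
# the previous copy as *.prev. Secret-bearing files are made root-only.
install_stage() {
    for f in $FILES; do
        src="$STAGE/$f"; dst="$ROOT/$f"
        [ -f "$src" ] || continue
        mkdir -p "$(dirname "$dst")"
        if [ -f "$dst" ]; then cp -p "$dst" "$dst.prev"; fi
        case "$f" in
            etc/shadow|etc/samba/smbpasswd|home/e-smith/db/accounts) mode=0600 ;;
            *) mode=0644 ;;
        esac
        cp "$src" "$dst.tmp"
        chmod "$mode" "$dst.tmp"
        mv -f "$dst.tmp" "$dst"
    done
}

main() {
    fetch_from_master
    validate_stage || { echo "snapshot from $MASTER failed sanity checks, not installing" >&2; exit 1; }
    extra=$(local_only_users)
    if [ -n "$extra" ] && [ "${FORCE:-0}" != 1 ]; then
        echo "replica has users not on master (would be removed): $extra" >&2
        echo "re-run with FORCE=1 to overwrite them" >&2
        exit 1
    fi
    install_stage
}

# assumed cron entry on the replica:  */15 * * * * /usr/local/sbin/sme-replica sync
if [ "${1:-}" = sync ]; then main; fi
```

The staging step is the important part: copying straight into /etc means a half-transferred or empty shadow file locks everyone out of the replica until someone fixes it from the console, whereas a staged copy can be checked and then swapped in with a rename. Run it with the argument sync; without one it only defines the functions, which is what the checks below rely on.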