I am looking at ways to setup a Linux only network.

I want a client server model, could I install samba on a slack box and
have samba handle all domain stuff, such as authentication of users to teh
linux workstations, so I would not have to maintain a list of users on all
computers? samba could then provide home directories for all users. Or is
there a better way of having Linux as a domain server.

Could samba still be my domain server if I had windows clients?

Thanks in advance

Stuart

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2003-11-13, Stuart Mueller <none@none.none> wrote:
> I am looking at ways to setup a Linux only network.
>
> I want a client server model, could I install samba on a slack box and
> have samba handle all domain stuff, such as authentication of users to teh
> linux workstations, so I would not have to maintain a list of users on all
> computers? samba could then provide home directories for all users. Or is
> there a better way of having Linux as a domain server.

Well, there are two more native ways of doing it: NIS and LDAP. NIS is
fairly easy to configure, and is well-supported by Slackware. LDAP is a
little harder, and is not as supported by Slackware, so you'd have some
extra work to do. NIS sends crypted passwords over the wire in the
clear, so if you have a need for a more secure authentication scheme you
should look into LDAP over SSL.

As for filesharing, again, the more standard un*x-like way of sharing is
NFS. It's also very easy to configure, but has security problems as
well; unfortunately, there's no well-established alternative to NFS yet.
I believe a Samba-based solution for filesharing would be a bit of
nonstandard cobbling, but the Samba folks would know more.

> Could samba still be my domain server if I had windows clients?

Possibly. In theory an LDAP server on a Slackware machine could also
authenticate users on Windows clients. In practice I would be wary of
MS ''upgrading'' client software so as to be incompatible with all but
Microsoft's authentication servers.

- --keith

- --
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/s6+khVcNCxZ5ID8RAppnAJ9FjwdoNU42v4uuKCxA3WZxbaYuMA CfVdCG
FpWEZK1h7xpkTv2cd7/4joA=
=fA3o
-----END PGP SIGNATURE-----

Stuart Mueller <none@none.none> wrote in message news:<pan.2003.11.13.16.00.57.333502@none.none>...
> I am looking at ways to setup a Linux only network.
>
> I want a client server model, could I install samba on a slack box and
> have samba handle all domain stuff, such as authentication of users to teh
> linux workstations, so I would not have to maintain a list of users on all
> computers? samba could then provide home directories for all users. Or is
> there a better way of having Linux as a domain server.
>
> Could samba still be my domain server if I had windows clients?
>
> Thanks in advance
>
> Stuart
**
Have you read some of the networking howtos or one of the four linux
system administrators guides available at tldp.org.
A linx/unix network does not need Samba. Samba handles the neworking
rquirements of the windoz clients.

Walt R.

On Thu, 13 Nov 2003 08:21:58 -0800, Keith Keller wrote:
> On 2003-11-13, Stuart Mueller <none@none.none> wrote:

>> I am looking at ways to setup a Linux only network.
>>
>> I want a client server model, could I install samba on a slack box and
>> have samba handle all domain stuff, such as authentication of users to teh
>> linux workstations, so I would not have to maintain a list of users on all
>> computers?

Yes.

> samba could then provide home directories for all users.

Correct.

>> Or is there a better way of having Linux as a domain server.

Yes. As Keith mensioned, there are serveral methods.

> Well, there are two more native ways of doing it: NIS and LDAP.

And Kerberos.

[...]

> As for filesharing, again, the more standard un*x-like way of sharing is
> NFS. It's also very easy to configure, but has security problems as
> well; unfortunately, there's no well-established alternative to NFS yet.

Well, NFSv3 can use MD5 and v4 Krb5 (via GSSAPI).
(Though the latter is still under development - 2.6.x has support.)

> I believe a Samba-based solution for filesharing would be a bit of
> nonstandard cobbling, but the Samba folks would know more.

I'm not one of the Samba folks, however have used it...

>> Could samba still be my domain server if I had windows clients?
>
> Possibly.

Yes.

> In theory an LDAP server on a Slackware machine could also
> authenticate users on Windows clients.

I dunno about how to do this directly (though SASL can) but you could
use Samba as the NTLM frontend.

If all the Windows machines are 2k/XP/2k3 you'd be better off haveing
users autenticate to a Krb5 KDC as that is native to them, as well.
(And much more secure - to boot.)

> In practice I would be wary of
> MS ''upgrading'' client software so as to be incompatible with all but
> Microsoft's authentication servers.

They are kind of in a position on this where that would be hard to do,
without them braking compatibility with there own legacy as well.

--
-Menno.

On Thu, 13 Nov 2003 08:21:58 -0800, Keith Keller wrote:

<snip>
>
> As for filesharing, again, the more standard un*x-like way of sharing is
> NFS. It's also very easy to configure, but has security problems as
> well; unfortunately, there's no well-established alternative to NFS yet.
> I believe a Samba-based solution for filesharing would be a bit of
> nonstandard cobbling, but the Samba folks would know more.
>
<snip>

If NFS has security issues would not samba be a better way to go? For file
sharing anyway?

Stuart

In alt.os.linux.slackware, Stuart Mueller dared to utter,
> If NFS has security issues would not samba be a better way to go? For file
> sharing anyway?

It realy depends. I run NFS on a small LAN secured behind a firewall.
No services are forwarded down to any machines running on the LAN, and
only machines with IP addresses on the LAN are granted access to the
NFS server. The firewall does address matching to prevent IP spoofing,
so people who are not on my LAN don't send private IPs and get access
to my NFS server.

In practice, it is fairly secure, at least for my needs. I would not
reccomend the same configuration in a large corporate environment given
NFS's history of exploits, but it works like a champ for me.

Incidently, the same machine that runs NFS also runs Samba. I have
noted no performance difference between Samba and NFS.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5

In article <pan.2003.11.14.09.02.22.773900@none.none>,
Stuart Mueller wrote:
> On Thu, 13 Nov 2003 08:21:58 -0800, Keith Keller wrote:
>> I believe a Samba-based solution for filesharing would be a bit of
>> nonstandard cobbling, but the Samba folks would know more.
>
> If NFS has security issues would not samba be a better way to go? For file
> sharing anyway?

NO form of file sharing is truly "safe" to enable. Samba's not immune.
But Samba really is designed for Windows. A smbfs mount, like any DOS
filesystem, does not support Unix file attributes. That would be a big
inconvenience for me as a user of a GNU/Linux workstation, but YMMV. For
my purposes and way of thinking I agree with Keith.

Samba's easy to toss out in a fairly secure way, such that each user
only gets access to his/her $HOME. See the smb.conf-sample provided for
an example.

NFS is easy to toss out in an insecure way, such that a root user on any
non-blocked machine could gain access to any $USER's $HOME (unless of
course "$USER" = "root".) But with a little more work you can tighten
this up adequately, and then you have a real Unix filesystem shared.

Overall I'd say that NFS is simpler to set up and to administer. As a
NT domain controller for Windows machines you can do splendid things.
That's because of the insecure ("user-friendly" if you prefer design
of Windows; the integration of SMB into everything. They login ("logon"
in their altered language and all sorts of great and terrible things
can be done to the system. Unix isn't made that way.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2003-11-14, Stuart Mueller <none@none.none> wrote:
>
> If NFS has security issues would not samba be a better way to go? For file
> sharing anyway?

It really depends on your circumstances. If your users can't or won't
try to crack the security of your NFS configuration, and your network is
firewalled off from the internet, then the security holes aren't really
that big an issue. Home networks are the prime example where the ease
of setting up an all-linux NFS network would probably be a lot easier
than setting up Samba. Again, though, I haven't configured Samba in
many years, so perhaps it's gotten easier to mount Samba shares in the
directory tree than it used to be. You should check it out for
yourself.

- --keith

- --
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/tSJZhVcNCxZ5ID8RAjyaAJ9UhPTWRKnizRzQJ9SQzg+YzD3yfQ CdE2cH
ccZCxO1IJ8/GRXfJwqNbyUA=
=4YXo
-----END PGP SIGNATURE-----

In article <slrnbra7gq.mqq.rob0@linuxbox.linux.box>, I wrote:
> Overall I'd say that NFS is simpler to set up and to administer. As a
> NT domain controller for Windows machines you can do splendid things.

Clarification: I forgot the "with Samba" on the end. I've never used NFS
on Windows. Perhaps the "NT domain" part made it self-evident. Some
Windows (9x and probably NT4 & ME) don't have native support for NFS,
and of course it cannot do the great and terrible things that Samba can.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply

Alan Hicks <1001298936@ettin.custom-consulting.com> wrote:
> In alt.os.linux.slackware, Stuart Mueller dared to utter,

> > If NFS has security issues would not samba be a better way to
> > go? For file sharing anyway?

> It realy depends. I run NFS on a small LAN secured behind a
> firewall.

Small? As in two machines? As in the second machine has never
been turned on since it was "secured" behind the firewall?

> No services are forwarded down to any machines running on the
> LAN, and only machines with IP addresses on the LAN are granted
> access to the NFS server.

And that machine is never turned on except when checking to see
that NFS actually works.

> The firewall does address matching to prevent IP spoofing, so
> people who are not on my LAN don't send private IPs and get
> access to my NFS server.

And there is a huge lineup of people trying to do that, right?

> In practice, it is fairly secure, at least for my needs. I would
> not reccomend the same configuration in a large corporate
> environment given NFS's history of exploits, but it works like a
> champ for me.

> Incidently, the same machine that runs NFS also runs Samba. I
> have noted no performance difference between Samba and NFS.

No kidding. You have one machine running everything, dontcha?
What happens when you want to use Windoze and you dual boot your
"server?"

G'nite Wanda,

cordially, as always,

rm