Very Computer

I have the opportunity to migrate our entire organization to Linux on
the back end - if I can do it without spending a lot of cash and minimal
disruption to users.

I'd like some suggestions for setting this up, if there are any takers.
  I've got about 1.5 years of Unix/Linux experience, coming out of a
Netware/NT environment.  I do have the luxury of time, however - if I'm
well on the way by late summer, I'm OK.

Some background:

We have a few netware servers for file/print, and several NT/Win2K
servers for database, a couple IIS/COM apps, and vertical market
applications.  We also have some Linux boxes set up for SMTP, web,
print, and Tomcat Java servlet host.

All desktops (except mine and another fellow geek) are a mix of
Win95/98/2K.  No XP (and I'm trying to keep it that way).  We have about
300-400 people.  Most of our PC's at the line level are shared between
multiple users.  We have two overlapping shifts, so in general users
keep their work on a server and take a PC when it becomes available in
the office, so roving-everything would be nice.

A major goal is a unified user account and permissions database.  A
single password for our employees, for all resources from Unix and SAMBA
file access to web mail logins.  A single place to change their single
password.  A single location for group membership, available for
everything from file permissions to Java web application security
purposes.  And, I'd like to avoid setting up new user accounts in half a
dozen places like I do now.

Would an LDAP-based accounts database achieve this?  Am I correct that
using LDAP via PAM would make LDAP authentication transparent to all
Linux applications?  Is LDAP authentication secure over a large,
untrusted network?  ALL our networked computers - servers and
workstations - have 24/7 Internet-routable ethernet TCP/IP connections.
  I know many of you are aghast, but this is something that's out of my
scope of control at the moment.

Any other options?

Another issue I have to deal with is migrating our ACL-based permissions
to Unix-like permissions under SAMBA.  We have a a fairly involved set
of file access rules that I'd have to at least approximate.  Is there a
mature, seamless/transparent ACL package for Linux, or a general
algorithm/strategy for mapping ACL's to Unix's UGO's?  And, again, could
these group memberships and rules be unified/centralized e.g. via LDAP?

Regarding networking between the Linux servers themselves - given our
inherently insecure environment, NIS might not be the wisest choice.  Is
there a more secure alternative?

Finally, assuming there are workable solutions for the unified
accounts/permissions problem - what are the performance penalties (if any)?

As for replacing existing systems, the plan goes something like this:

- Replace the netware file/print with SAMBA

- Replace IIS/COM apps with Java servlets

- Replace our netware-based mail with Maildir, Courier-IMAP, qmail, and
SquirrelMail for web access

- Replace IIS with Apache

- Vertical-market apps that depend on their Windows servers stay there.

The remainder of the work will be porting our apps to Java, and finally
migrating our data from SQL Server to PostgreSQL.  This will be somewhat
challenging and time-consuming, but I can do this piece-meal concurrent
with the rest of the conversion.  If this part runs beyond summer that's
OK as long as everything works from the users' perspective.

Thanks very much in advance for your insights.  Any pointers to (recent,
relevant) books and on-line resources would also be appreciated.

   Spend some time with the docs for Samba/Winbind.  Also checkout the
various Linux acl projects.  This is a good one  http://acl.bestbits.at/

This should get you started.

Ted Staberow

-- Shaun

# Global parameters
[global]
 client code page = 437
 workgroup = CSRA1
 netbios name = MDK-LINUX
 interfaces = 127.0.0.1 192.168.0.9
 bind interfaces only = Yes
 encrypt passwords = Yes
 root directory = /
 unix password sync = Yes
 restrict anonymous = Yes
 deadtime = 30
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = lpstat
 domain logons = Yes
 os level = 33
 lm announce = False
 preferred master = True
 domain master = True
 wins support = Yes
 admin users = shaun
 printer admin = shaun
 printing = cups
 lpq command = lpq -P%p %j
 printer name = Lexmark

[homes]
 read only = No
 browseable = No

[printers]
 path = /var/spool/samba
 create mask = 0700
 printable = Yes
 print command = lpr-cups -P %p -o raw %s -r
 lpq command = lpstat -o %p
 lprm command = cancel %p-%j
 browseable = No

[tmp]
 path = /tmp
 read only = No
 browseable = No

[Net-Share]
 path = /share
 read only = No

[root]
 path = /
 valid users = shaun, root
 admin users = shaun, root
 read list = shaun, root
 write list = shaun, root
 hosts allow = 127.0.0.1 192.168.0.1
 browseable = No
 delete readonly = Yes

[Lexmark]
 path = /var/spool/samba
 read only = No
 create mask = 0700
 printable = Yes
 print command = lpr-cups -P %p -o raw %s -r
 lpq command = lpstat -o %p
 lprm command = cancel %p-%j
 oplocks = No

[print$]
 path = /usr/local/samba/printers
 write list = shaun, root

Quote:

> I have the opportunity to migrate our entire organization to Linux on
> the back end - if I can do it without spending a lot of cash and minimal
> disruption to users.

> I'd like some suggestions for setting this up, if there are any takers.
>   I've got about 1.5 years of Unix/Linux experience, coming out of a
> Netware/NT environment.  I do have the luxury of time, however - if I'm
> well on the way by late summer, I'm OK.

> Some background:

> We have a few netware servers for file/print, and several NT/Win2K
> servers for database, a couple IIS/COM apps, and vertical market
> applications.  We also have some Linux boxes set up for SMTP, web,
> print, and Tomcat Java servlet host.

> All desktops (except mine and another fellow geek) are a mix of
> Win95/98/2K.  No XP (and I'm trying to keep it that way).  We have about
> 300-400 people.  Most of our PC's at the line level are shared between
> multiple users.  We have two overlapping shifts, so in general users
> keep their work on a server and take a PC when it becomes available in
> the office, so roving-everything would be nice.

> A major goal is a unified user account and permissions database.  A
> single password for our employees, for all resources from Unix and SAMBA
> file access to web mail logins.  A single place to change their single
> password.  A single location for group membership, available for
> everything from file permissions to Java web application security
> purposes.  And, I'd like to avoid setting up new user accounts in half a
> dozen places like I do now.

> Would an LDAP-based accounts database achieve this?  Am I correct that
> using LDAP via PAM would make LDAP authentication transparent to all
> Linux applications?  Is LDAP authentication secure over a large,
> untrusted network?  ALL our networked computers - servers and
> workstations - have 24/7 Internet-routable ethernet TCP/IP connections.
>   I know many of you are aghast, but this is something that's out of my
> scope of control at the moment.

> Any other options?

> Another issue I have to deal with is migrating our ACL-based permissions
> to Unix-like permissions under SAMBA.  We have a a fairly involved set
> of file access rules that I'd have to at least approximate.  Is there a
> mature, seamless/transparent ACL package for Linux, or a general
> algorithm/strategy for mapping ACL's to Unix's UGO's?  And, again, could
> these group memberships and rules be unified/centralized e.g. via LDAP?

> Regarding networking between the Linux servers themselves - given our
> inherently insecure environment, NIS might not be the wisest choice.  Is
> there a more secure alternative?

> Finally, assuming there are workable solutions for the unified
> accounts/permissions problem - what are the performance penalties (if
any)?

> As for replacing existing systems, the plan goes something like this:

> - Replace the netware file/print with SAMBA

> - Replace IIS/COM apps with Java servlets

> - Replace our netware-based mail with Maildir, Courier-IMAP, qmail, and
> SquirrelMail for web access

> - Replace IIS with Apache

> - Vertical-market apps that depend on their Windows servers stay there.

> The remainder of the work will be porting our apps to Java, and finally
> migrating our data from SQL Server to PostgreSQL.  This will be somewhat
> challenging and time-consuming, but I can do this piece-meal concurrent
> with the rest of the conversion.  If this part runs beyond summer that's
> OK as long as everything works from the users' perspective.

> Thanks very much in advance for your insights.  Any pointers to (recent,
> relevant) books and on-line resources would also be appreciated.

Quote:> Would an LDAP-based accounts database achieve this?  Am I
> correct that
> using LDAP via PAM would make LDAP authentication
> transparent to all
> Linux applications?  Is LDAP authentication secure over a
> large,
> untrusted network?  ALL our networked computers - servers
> and
> workstations - have 24/7 Internet-routable ethernet TCP/IP
> connections.
>   I know many of you are aghast, but this is something
> that's out of my
> scope of control at the moment.

LDAP can be used to authenticate users. PAM takes care of
authentication; be it with /etc/passwd or with a file on the
other end of the world. You need the PAM-LDAP module to have
it use the uid/passwd stored in  the database under the LDAP
server.

First part anwsered; yes it is possible

Second part; is it secure..
Not out of the box.. (as far as we can speak of an out of
the box installation over here..) The LDAP solution needs a
lot of stuff working together; LDAP, DBMS, PAM,
PAM-LDAPmodule, and to be secure Open-SSL and
Cyrus-openSASL. These last two provide the secure access
(crypted etc) over which username and password travel.

Quote:> Regarding networking between the Linux servers themselves
> - given our
> inherently insecure environment, NIS might not be the
> wisest choice.  Is
> there a more secure alternative?

Quote:> Finally, assuming there are workable solutions for the
> unified
> accounts/permissions problem - what are the performance
> penalties (if any)?

Quote:> Thanks very much in advance for your insights.  Any
> pointers to (recent,
> relevant) books and on-line resources would also be
> appreciated.

Good luck..

Arnoud