Dear ALL, it was really cool stuff and a very good case study. Sharing these experiences will prove a panacea for all Linux-savvy guys. Thanks once again.

--- Raj Mathur <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So Supreet and I have been slogging our collective a** off working at
> a client's location (no names just yet), trying to migrate his 5000
> users to Samba from a Winduhs file server.
>
> Some experiences...
>
> Client has 8 locations, including numerous factories, spread over the
> country. Were using NT for domain control as well as file and print
> services (FPS). MS got into the act, convinced them about the joys of
> Winduhs 2003 and got their domain controllers (DCs) upgraded to W2K3.
> In the meantime we'd already done most of the work to switch the FPS
> from NT to Linux.
>
> At the last minute (nearly) client comes to us and asks, ``Can you
> work with a W2K3 domain controller?''. Being the blithe spirits that
> we are, we searched the web, found some pointers that seemed to
> vaguely indicate the possibility of a chance of there being some items
> that could portend the peaceful co-existence of Samba and W2K3, and
> gave him the reply in one word, `Yes!'.
>
> Problem with W2K3 is that it only supports active directory (AD) and
> none of the older methods of authentication (whatever they are -- /me
> is no Winduhs expert). So we need a Samba that is AD aware. Lo and
> behold, Samba 3.0.0 (currently in final Beta) is AD aware, and
> Google-ification yields a few HOWTOs on how to get the two working
> together.
>
> OK, problem (1) solved. As long as /someone/ has got it working, we
> should be able to too, right? I mean, what're mailing lists, IRC
> channels, friends and AK-47s for if not to get you assistance with
> making Samba work with AD? Download, compile, test, scream, tear out
> hair, kill w2k3 admin because he can't properly set the one goddam
> registry entry that we need, find another w2k3 admin, recompile,
> retest, etc... you know the routine. Finally, it sort of works.
>
> Except...
> see, Samba has this means of automatically adding new users
> when they're defined on the DC but not in Linux. So we use that
> facility (with some 'l33t shell scripting by yours truly), but there's
> some conflict in the group names and permissions and whatnot, and life
> sucks until Supreet comes up with this weird idea: don't have Unix
> users at all! I look at him in dismay, thinking, ``He's really lost
> it this time'' and am about to suggest a long vacation, away from
> computers when he explains: let the password routines use Winbind to
> get the users. Sounds like utter cr*p to me, but we're desperate so I
> mangle the appropriate files, and do a
>
>   getent passwd
>
> ... and Voila! here's the list of all the users on the AD server! The
> rest of the office is eyeing us with concern (this is at the client's
> office) as we go into high-fives, middle-fives, low-fives, jaffi-pa's,
> bhangra, balle-balles and general rejoicing. The rest of the
> configuration looks like a breeze...
>
> ...Until...
>
> Wait, the client also has complex access rules for his data! See, the
> ``folder'' Marketing belongs to the marketing group and everyone in
> that group has read and write access to it, only, see, the Director
> Projects needs to view the files in /this/ sub-folder, and the
> Director Finance must be able to modify the files in /this/ sub-folder
> and /this/ sub-folder, and... you get the idea.
>
> Linux doesn't have fine-grained filesystem access control yet (well,
> the new betas do, but none of the ``stable'' releases). Scratch heads
> (scratch patka in Supreet's case), fgrep -ir acl
> /usr/src/linux/Documentation with no result, try to shrug off gloom
> and despondency. Finally decide to bite the bullet, put our noses to
> the grindstone, our back to the wheel and our ear to the ground and go
> in for SGI's XFS.
> XFS is a hotsex filesystem which is going to be
> part of Linux 2.6, but is not available for the 2.4 series except as a
> patch. Rather than patch, we decide to get SGI's complete Linux
> kernel CVS tree for kernel 2.4.21.
>
> A few hours (170MB downloaded) and a couple of kernel compiles later
> we're ready to test ACLs on Linux. Bah, what testing? It's Linux,
> and it works as advertised. Plug ACLs into Samba, and we're ready to
> start testing the setup.
>
> I won't go into the details of the testing phase. Suffice it to say
> that it was bloody, gory and rigorous. And that it passed off without
> incident.
>
> Saturday (19th) night we brought the new system online. Restored from
> tape wherever possible -- if you restore a backup from an NT machine
> onto a Samba share you get the complete user, group and access control
> lists on each file and directory. Unfortunately some of the tapes
> (only worth about 10 gig of data) refuse to restore, so we have to
> copy those files manually from the old NT server. Next 2 hours is
> spent with the client's IT bossman, looking at each of those files and
> trying to decide whom it belongs to, who should have access to it and
> where it should go in the Larger Scheme Of Things.
>
> Yesterday (Monday, 21st) morning the users started using the new
> system, and last (Monday) night we added the few remaining missing
> parts, and are awaiting feedback from the client as to how it goes.
> System use has been mostly without any hiccoughs for all of Monday and
> so far on Tuesday, so we don't Auntie Cipate any major problems. Once
> Delhi is running fine we're to roll out similar configurations to the
> other sites. Will be making a success story out of this client if all
> goes well, Insh'llah.
>
> In the interim, of course, MS fscked up and the client nearly had to
> shut down his factories for a day due to w2k3 problems, but that, as
> they say, is another story altogether and we shall not dwell on the
> vagrancies of proprietary software vendors and their excellent
> products.
>
> Lessons learnt
>
> Firstly, we discovered that Linux beta software works pretty damn
> well. In fact, in most cases it works better than release software
> from proprietary vendors. Samba is currently serving some 100-odd
> clients on a single-processor server with just 256 MB of RAM, and
> doing a pretty good job of it too. XFS is behaving exactly as one
> would expect it to -- stable and full of features. The plan is to
> switch to Samba 3.0 stable as soon as it is released (I *hate*

=== message truncated ===

_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
