Re: [DNG] Request for comments - training room
On Sat, 1 Dec 2018 22:17:58 + Simon Hobson wrote:

> Rowland Penny wrote:
>
> >> I think what Rowland was getting at here is the number of users and
> >> how they are dealt with makes a huge difference.
> >>
> >> At one extreme, you have 28 seats, each one of them has a user such
> >> as "user1", and you can simply use /etc/passwd & /etc/shadow to
> >> manage that single user on each seat. You could probably build one
> >> software image and simply image all 28 machines with that one
> >> image.
> >
> > This would entail running Samba as a workgroup and, once you get
> > past about 10 machines, it gets unwieldy, you have to create the
> > exact same users on every machine you want them to connect to and
> > keep their passwords in sync. This can rapidly become a nightmare,
> > this applies if you decide to go with NFS instead.
>
> Indeed, but this scenario is for a fixed setup where the users (28 of
> them) are set up once and then there is no further user maintenance
> going forward. In such a scenario, there's little point in going for
> the complexity of setting up AD - as you say, a one-off setup of the
> users in Samba. The clients could potentially be configured to
> auto-login to the desktop (or training system) on boot so the users
> don't even need to know about users. Easy for users, no security.

Been there, done that, but with that many computers it becomes a
struggle, the users want to use different computers and cannot because
they are not set up on that computer, believe me, if you are setting
something up of this size, a domain is the way to go. It also helps if
a computer decides to turn its toes up and die, you just wheel a spare
machine out and use that instead.

> >> At the other extreme, every person has their own login and can use
> >> any seat at any time (and there are hundreds or even thousands of
> >> them) so that progress/results can be logged for each person. In
> >> this case, you will really need a centralised user management such
> >> as Rowland described using Samba & AD. You could still image each
> >> machine from one common image - but you'll need to do some
> >> post-imaging setup to give each machine a unique set of
> >> identifiers etc for the AD to work properly.
> >
> > If you run Samba as an AD DC and join the clients to this, you only
> > have to create the users & groups once and the password is only
> > stored in one place, the DC.
>
> Exactly - for many users, and especially if the users are dynamic,
> then it's the only sane way to do it.
>
> And it also means that each user has their own personal login & home
> directory so (if it isn't stored in a database that's part of the
> training system) there is somewhere for the system to store each
> user's progress etc.
>
> Which leads to another question ... Does the training system itself
> have a user directory etc ? This also has an impact on the solution
> chosen.
>
> If the training system has a logon for each user and stores (eg)
> progress information in its own database, then it makes little sense
> to also configure each user separately to the OS (eg using Samba &
> AD). Just set up the machines as above with a single user and manage
> users via the training system. On the other hand, if the database
> (the schema, not just the DB engine) is "open" enough then it may be
> possible to use that as an authentication source - giving each user
> their own OS level login which is the same as the training system
> login, but using just the one database.

It was my understanding this was to be on a separate network.

> Many possibilities - the "best" for any setup depends on answers to
> these sorts of questions.

Personally, (and I repeat, I am biased), I would run 2 Samba AD DCs
and at least one Samba Unix domain member as fileserver.

Rowland
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Request for comments - training room
Rowland Penny wrote:

>> I think what Rowland was getting at here is the number of users and
>> how they are dealt with makes a huge difference.
>>
>> At one extreme, you have 28 seats, each one of them has a user such
>> as "user1", and you can simply use /etc/passwd & /etc/shadow to
>> manage that single user on each seat. You could probably build one
>> software image and simply image all 28 machines with that one image.
>
> This would entail running Samba as a workgroup and, once you get past
> about 10 machines, it gets unwieldy, you have to create the exact same
> users on every machine you want them to connect to and keep their
> passwords in sync. This can rapidly become a nightmare, this applies
> if you decide to go with NFS instead.

Indeed, but this scenario is for a fixed setup where the users (28 of
them) are set up once and then there is no further user maintenance
going forward. In such a scenario, there's little point in going for
the complexity of setting up AD - as you say, a one-off setup of the
users in Samba. The clients could potentially be configured to
auto-login to the desktop (or training system) on boot so the users
don't even need to know about users. Easy for users, no security.

>> At the other extreme, every person has their own login and can use
>> any seat at any time (and there are hundreds or even thousands of
>> them) so that progress/results can be logged for each person. In this
>> case, you will really need a centralised user management such as
>> Rowland described using Samba & AD. You could still image each machine
>> from one common image - but you'll need to do some post-imaging setup
>> to give each machine a unique set of identifiers etc for the AD to
>> work properly.
>
> If you run Samba as an AD DC and join the clients to this, you only
> have to create the users & groups once and the password is only stored
> in one place, the DC.

Exactly - for many users, and especially if the users are dynamic, then
it's the only sane way to do it.

And it also means that each user has their own personal login & home
directory so (if it isn't stored in a database that's part of the
training system) there is somewhere for the system to store each user's
progress etc.

Which leads to another question ... Does the training system itself
have a user directory etc ? This also has an impact on the solution
chosen.

If the training system has a logon for each user and stores (eg)
progress information in its own database, then it makes little sense to
also configure each user separately to the OS (eg using Samba & AD).
Just set up the machines as above with a single user and manage users
via the training system. On the other hand, if the database (the
schema, not just the DB engine) is "open" enough then it may be
possible to use that as an authentication source - giving each user
their own OS level login which is the same as the training system
login, but using just the one database.

Many possibilities - the "best" for any setup depends on answers to
these sorts of questions.
Re: [DNG] Request for comments - training room
On Sat, 1 Dec 2018 21:49:41 + Simon Hobson wrote:

> g4sra wrote:
>
> >> How is the Linux server going to authenticate users,
> >> via /etc/passwd or other ?
> >>
> >> A lot depends on this, also the number of users will have a factor
> >> as well.
>
> > Which network authentication method would you suggest ?
>
> I think what Rowland was getting at here is the number of users and
> how they are dealt with makes a huge difference.
>
> At one extreme, you have 28 seats, each one of them has a user such
> as "user1", and you can simply use /etc/passwd & /etc/shadow to
> manage that single user on each seat. You could probably build one
> software image and simply image all 28 machines with that one image.

This would entail running Samba as a workgroup and, once you get past
about 10 machines, it gets unwieldy, you have to create the exact same
users on every machine you want them to connect to and keep their
passwords in sync. This can rapidly become a nightmare, this applies if
you decide to go with NFS instead.

>
> At the other extreme, every person has their own login and can use
> any seat at any time (and there are hundreds or even thousands of
> them) so that progress/results can be logged for each person. In this
> case, you will really need a centralised user management such as
> Rowland described using Samba & AD. You could still image each machine
> from one common image - but you'll need to do some post-imaging setup
> to give each machine a unique set of identifiers etc for the AD to
> work properly.

If you run Samba as an AD DC and join the clients to this, you only
have to create the users & groups once and the password is only stored
in one place, the DC. You just need to use PAM to create the user's home
dir the first time they log onto a computer.

It basically boils down to doing the hard work once and then
maintaining the domain on the DC.

Rowland
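The PAM step mentioned in the message above, as an added example that is not part of the original thread: a shell check for a domain-joined workstation that reports whether `pam_mkhomedir.so` is active in a PAM session file and which umask new home directories get. The default path `/etc/pam.d/common-session` (Debian/Devuan layout), the function names and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example: report how pam_mkhomedir is configured in a PAM session file.
# Output is one of:
#   missing          no active pam_mkhomedir.so session line
#   default          enabled without umask= (the module default applies)
#   open:<umask>     enabled, but group or other keep some access to new homes
#   private:<umask>  enabled, new homes are accessible to the owner only
check_mkhomedir() {
    file=${1:-/etc/pam.d/common-session}   # assumed Debian/Devuan path
    # First active (uncommented) session line that loads the module.
    line=$(grep -E '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 1
    fi
    umask_opt=$(printf '%s\n' "$line" |
        sed -n 's/.*[[:space:]]umask=\([0-7]\{3,4\}\).*/\1/p')
    if [ -z "$umask_opt" ]; then
        echo default
        return 0
    fi
    # The last two octal digits mask group and other; 77 removes both.
    case $umask_opt in
        *77) echo "private:$umask_opt" ;;
        *)   echo "open:$umask_opt"; return 2 ;;
    esac
}

# Constructed sample session files (not taken from a real host).
make_samples() {
    dir=$(mktemp -d)
    printf 'session required pam_unix.so\n' > "$dir/none"
    printf '# session optional pam_mkhomedir.so umask=0077\n' > "$dir/commented"
    printf 'session required pam_mkhomedir.so\n' > "$dir/default"
    printf 'session optional pam_mkhomedir.so skel=/etc/skel umask=0022\n' > "$dir/open"
    printf 'session optional pam_mkhomedir.so skel=/etc/skel umask=0077\n' > "$dir/private"
    echo "$dir"
}

samples=$(make_samples)
for f in none commented default open private; do
    printf '%s: %s\n' "$f" "$(check_mkhomedir "$samples/$f")"
done
rm -rf "$samples"
```

When domain users share a primary group, an `open:` result means each trainee's auto-created home directory is readable by the others on that seat.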
Re: [DNG] Request for comments - training room
g4sra wrote:

>> How is the Linux server going to authenticate users, via /etc/passwd or
>> other ?
>>
>> A lot depends on this, also the number of users will have a factor as
>> well.

> Which network authentication method would you suggest ?

I think what Rowland was getting at here is the number of users and how
they are dealt with makes a huge difference.

At one extreme, you have 28 seats, each one of them has a user such as
"user1", and you can simply use /etc/passwd & /etc/shadow to manage
that single user on each seat. You could probably build one software
image and simply image all 28 machines with that one image.

At the other extreme, every person has their own login and can use any
seat at any time (and there are hundreds or even thousands of them) so
that progress/results can be logged for each person. In this case, you
will really need a centralised user management such as Rowland described
using Samba & AD. You could still image each machine from one common
image - but you'll need to do some post-imaging setup to give each
machine a unique set of identifiers etc for the AD to work properly.
Re: [DNG] Request for comments - training room
On Sat, 1 Dec 2018 20:46:58 + g4sra wrote:

> One server and 28+ workstations all to be Linux, the rest of the
> network is inconsequential (firewalled off).
>

OK, I would install the latest Samba I could get, which, as you will be
running Devuan, will be from here:

http://apt.van-belle.nl/

I would then provision Samba as an AD DC and then join the Linux
machines to the AD domain. This way you only have one place to maintain
users & passwords etc

More info here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

And here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
Re: [DNG] Request for comments - training room
One server and 28+ workstations all to be Linux, the rest of the network
is inconsequential (firewalled off).

On 01/12/2018 18:04, Rowland Penny wrote:
> On Sat, 1 Dec 2018 17:49:40 +
> g4sra wrote:
>
>> Which network authentication method would you suggest ?
>>
>> On 01/12/2018 15:43, Rowland Penny wrote:
>>> On Sat, 1 Dec 2018 15:21:51 +
>>> g4sra wrote:
>>>
>>>> It's not an exhibition it's a room for training using simulation
>>>> software (permanent classroom), think flight simulator game for 28+
>>>> people. Cabling is not my problem, the server and workstation
>>>> software configuration is ;).
>>>>
>>>> NFS ? SAMBA ?
>>>>
>>>> Windows domain compatibility is not of consequence as the Linux
>>>> server can be set up to authenticate Users.
>>>
>>> How is the Linux server going to authenticate users,
>>> via /etc/passwd or other ?
>>>
>>> A lot depends on this, also the number of users will have a factor
>>> as well.
>>>
>>> Rowland
>
> I am just a bit biased ;-)
>
> More would need to be known about your network, how many computers and
> what OS's. All Linux or all Windows, or a mixture of the two ?
>
> Rowland
Re: [DNG] Request for comments - training room
On Sat, 1 Dec 2018 17:49:40 + g4sra wrote:

> Which network authentication method would you suggest ?
>
> On 01/12/2018 15:43, Rowland Penny wrote:
> > On Sat, 1 Dec 2018 15:21:51 +
> > g4sra wrote:
> >
> >> It's not an exhibition it's a room for training using simulation
> >> software (permanent classroom), think flight simulator game for 28+
> >> people. Cabling is not my problem, the server and workstation
> >> software configuration is ;).
> >>
> >> NFS ? SAMBA ?
> >>
> >> Windows domain compatibility is not of consequence as the Linux
> >> server can be set up to authenticate Users.
> >
> > How is the Linux server going to authenticate users,
> > via /etc/passwd or other ?
> >
> > A lot depends on this, also the number of users will have a factor
> > as well.
> >
> > Rowland

I am just a bit biased ;-)

More would need to be known about your network, how many computers and
what OS's. All Linux or all Windows, or a mixture of the two ?

Rowland
Re: [DNG] Request for comments - training room
Which network authentication method would you suggest ?

On 01/12/2018 15:43, Rowland Penny wrote:
> On Sat, 1 Dec 2018 15:21:51 +
> g4sra wrote:
>
>> It's not an exhibition it's a room for training using simulation
>> software (permanent classroom), think flight simulator game for 28+
>> people. Cabling is not my problem, the server and workstation software
>> configuration is ;).
>>
>> NFS ? SAMBA ?
>>
>> Windows domain compatibility is not of consequence as the Linux server
>> can be set up to authenticate Users.
>
> How is the Linux server going to authenticate users, via /etc/passwd or
> other ?
>
> A lot depends on this, also the number of users will have a factor as
> well.
>
> Rowland
Re: [DNG] Request for comments - training room
On Sat, 1 Dec 2018 15:21:51 + g4sra wrote:

> It's not an exhibition it's a room for training using simulation
> software (permanent classroom), think flight simulator game for 28+
> people. Cabling is not my problem, the server and workstation software
> configuration is ;).
>
> NFS ? SAMBA ?
>
> Windows domain compatibility is not of consequence as the Linux server
> can be set up to authenticate Users.

How is the Linux server going to authenticate users, via /etc/passwd or
other ?

A lot depends on this, also the number of users will have a factor as
well.

Rowland
Re: [DNG] Request for comments - training room
It's not an exhibition it's a room for training using simulation
software (permanent classroom), think flight simulator game for 28+
people. Cabling is not my problem, the server and workstation software
configuration is ;).

NFS ? SAMBA ?

Windows domain compatibility is not of consequence as the Linux server
can be set up to authenticate Users.

On 01/12/2018 08:16, Steve Litt wrote:
> On Thu, 29 Nov 2018 21:25:00 +
> Rowland Penny wrote:
>
>> On Thu, 29 Nov 2018 16:19:44 -0500
>> Steve Litt wrote:
>>
>>> On Sat, 24 Nov 2018 18:55:03 +
>>> g4sra wrote:
>>>
>>>> How should this training room be best implemented for reliability
>>>> and ease of maintenance ?
>>>
>>> Be sure to tape every cable to the carpet/floor so nobody trips over
>>> them. Ask the venue for which tape(s) are acceptable.
>>>
>>
>> Do not run cables across the floor (taped down or otherwise), this
>> would be a trip hazard.
>
> What other alternative is there for a temporary installation? Running
> temporary conduit would be pretty expensive and a lot of work.
>
> SteveT
>
> Steve Litt
> November 2018 featured book: Manager's Guide to Technical
> Troubleshooting Brand new, second edition
> http://www.troubleshooters.com/mgr
Re: [DNG] Request for comments - training room
Steve Litt wrote:

>>
>> Do not run cables across the floor (taped down or otherwise), this
>> would be a trip hazard.
>
> What other alternative is there for a temporary installation?

Hung from the ceiling ?
How practical that is depends on ceiling height, construction
(suspended ceilings give easy access to the frame to put loops round),
etc.
Re: [DNG] Request for comments - training room
On Thu, 29 Nov 2018 21:25:00 + Rowland Penny wrote:

> On Thu, 29 Nov 2018 16:19:44 -0500
> Steve Litt wrote:
>
> > On Sat, 24 Nov 2018 18:55:03 +
> > g4sra wrote:
> >
> > > How should this training room be best implemented for reliability
> > > and ease of maintenance ?
> >
> > Be sure to tape every cable to the carpet/floor so nobody trips over
> > them. Ask the venue for which tape(s) are acceptable.
> >
>
> Do not run cables across the floor (taped down or otherwise), this
> would be a trip hazard.

What other alternative is there for a temporary installation? Running
temporary conduit would be pretty expensive and a lot of work.

SteveT

Steve Litt
November 2018 featured book: Manager's Guide to Technical
Troubleshooting Brand new, second edition
http://www.troubleshooters.com/mgr