Thread: OES2 running Samba on ext3 - Want single signon for Win pc's

  1. #1
    Join Date
    Feb 2008
    Location
    Australia
    Posts
    192

    OES2 running Samba on ext3 - Want single signon for Win pc's

    Hi
    I am sorting out a small network of about 20 users which has OES2 running a Samba (workgroup) and using the EXT3 filesystem with POSIX ACL's.

    At present all the pc's (XP, Vista and now Win7) have separate Windows logons, which I want to fix.

    My questions are:

    1. FILE SERVER
    Given that the data resides on the ext3 filesystem, is my best option for file system access in a Novell clientless setup, SAMBA?
    It seems that there are a lot of problems with the Novell client for Windows and I don't like the idea of introducing such hassles. How have others found using the latest Novell client on a mixed (XP, Vista, Win7) network? The Win7 one in particular has many posts about problems.

    Are these processes correct?
    Using Samba on EXT3, the only way to manage rights is setting POSIX ACL's on the server.
    Creating users is as follows - iManager - Create user - Set Universal Password - LUM enable user - Samba enable user.

    2. Single sign on.
    So that users don't have to manually keep the pc password in synch I see these options...What is the best one to use?
    - ZCM and DLU
    - Samba in PDC mode
    - DSfW

    For single sign on I am leaning towards Samba PDC or DSfW, which will also allow such things as Windows application servers (eg SQL Server) to provide single sign on as well. What do others recommend in my scenario?

    Many thanks
    Gordon

  2. #2
    Join Date
    Oct 2007
    Posts
    929

    Re: OES2 running Samba on ext3 - Want single signon for Win pc's

    gordon mzano wrote:

    >
    >Hi
    >I am sorting out a small network of about 20 users which has OES2
    >running a Samba (workgroup) and using the EXT3 filesystem with POSIX
    >ACL's.
    >
    >At present all the pc's (XP, Vista and now Win7) have separate Windows
    >logons, which I want to fix.
    >
    >My questions are:
    >
    >1. FILE SERVER
    >Given that the data resides on the ext3 filesystem, is my best option
    >for file system access in a Novell clientless setup, SAMBA?


    If you are not using the NSS file system, you are stuck with SAMBA for
    clientless login. If you are not using NSS and not using NCP I do not
    see any reason for running an OES2 server instead of a plain SLES
    server. You can use eDir and LUM on plain SLES, too.

    Why are you not using NSS?

    >It seems that there are a lot of problems with the Novell client for
    >Windows and I don't like the idea of introducing such hassles. How
    >have others found using the latest Novell client on a mixed (XP,
    >Vista, Win7) network? The Win7 one in particular has many posts about
    >problems.


    Since upgrading to Client 2 SP1 IR4 I don't have problems with this
    client and Win7. For WinXP the client4.91SP5(IR1) connection is the
    best connection option available in my opinion.

    >
    >Are these processes correct?
    >Using Samba on EXT3, the only way to manage rights is setting POSIX
    >ACL's on the server.
    >Creating users is as follows - iManager - Create user - Set Universal
    >Password - LUM enable user - Samba enable user.


    If you are not using NSS you could put your users apart from edir. If
    you are using LUM and LUM-enabled groups, you could at least omit the
    LUM enabling of the group.

    LUM is the weakest thing in the whole OES system in my opinion, so if
    you can avoid LUM - that is using NCP (or CIFS on NSS volumes) you have
    eliminated one of the most error prone elements of OES.

    >
    >2. Single sign on.
    >So that users don't have to manually keep the pc password in synch I
    >see these options...What is the best one to use?
    >- ZCM and DLU
    >- Samba in PDC mode
    >- DSfW
    >
    >For single sign on I am leaning towards Samba PDC or DSfW, which will
    >also allow such things as Windows application servers (eg SQL Server)
    >to provide single sign on as well. What do others recommend in my
    >scenario?


    That depends on your infrastructure - and your further needs. If you
    only need DLU or single sign on and have already ZCM deployed, then it
    is easiest to just put a DLU policy into your ZCM config.

    If you use SAMBA in PDC mode (non DSfW) and NCP parallel I don't know
    how well that works together and what Windows client OSs are working
    with this config.

    If you use DSfW you have to set up a new server as adding DSfW to an
    existing server is currently not supported (but shall be supported in
    the next SP). DSfW does only support W2K (limited), WinXP, Vista and
    Win7 clients.

    >
    >Many thanks
    >Gordon




    --
    W. Prindl


  3. #3
    Join Date
    Feb 2008
    Location
    Australia
    Posts
    192

    Re: OES2 running Samba on ext3 - Want single signon for Win

    Hi W_Prindl,
    Thanks for your input...

    Originally posted by W_Prindl:
    gordon mzano wrote:

    >
    >Hi
    >I am sorting out a small network of about 20 users which has OES2
    >running a Samba (workgroup) and using the EXT3 filesystem with POSIX
    >ACL's.
    >
    >At present all the pc's (XP, Vista and now Win7) have separate Windows
    >logons, which I want to fix.
    >
    >My questions are:
    >
    >1. FILE SERVER
    >Given that the data resides on the ext3 filesystem, is my best option
    >for file system access in a Novell clientless setup, SAMBA?


    If you are not using the NSS file system, you are stuck with SAMBA for
    clientless login. If you are not using NSS and not using NCP I do not
    see any reason for running an OES2 server instead of a plain SLES
    server. You can use eDir and LUM on plain SLES, too.

    I didn't know that eDir and LUM were available on SLES!..So it looks like SLES could do the job at present, but things like Netstorage and iFolder look useful too.

    Why are you not using NSS?

    The server was originally set up with a single logical disk, and no NSS.
    As per Novell recommendation NSS shouldn't now be used to manage the linux OS partitions. Best to have two logical disks - one for OS and the second one for data on NSS.


    >It seems that there are a lot of problems with the Novell client for
    >Windows and I don't like the idea of introducing such hassles. How
    >have others found using the latest Novell client on a mixed (XP,
    >Vista, Win7) network? The Win7 one in particular has many posts about
    >problems.


    Since upgrading to Client 2 SP1 IR4 I don't have problems with this
    client and Win7. For WinXP the client4.91SP5(IR1) connection is the
    best connection option available in my opinion.

    That is good to know. So even though we have ext3 file systems, with the Novell client we have NCP volumes as an option now too along with the trustee model for fs rights. POSIX ACLS are OK, but not ideal when things get complicated.

    You vouch for the Win7 client, but how about the Vista one?


    >
    >Are these processes correct?
    >Using Samba on EXT3, the only way to manage rights is setting POSIX
    >ACL's on the server.
    >Creating users is as follows - iManager - Create user - Set Universal
    >Password - LUM enable user - Samba enable user.


    If you are not using NSS you could put your users apart from edir. If
    you are using LUM and LUM-enabled groups, you could at least omit the
    LUM enabling of the group.

    Good point re LUM enabled groups - so a user is automatically LUM-ed once they are added to the LUM-enabled group.

    LUM is the weakest thing in the whole OES system in my opinion, so if
    you can avoid LUM - that is using NCP (or CIFS on NSS volumes) you have
    eliminated one of the most error prone elements of OES.

    But alas no NSS...With LUM I did see some problems with it a few years back, but nothing that a 0400hr croned rcnamcd restart wouldn't solve.


    >
    >2. Single sign on.
    >So that users don't have to manually keep the pc password in synch I
    >see these options...What is the best one to use?
    >- ZCM and DLU
    >- Samba in PDC mode
    >- DSfW
    >
    >For single sign on I am leaning towards Samba PDC or DSfW, which will
    >also allow such things as Windows application servers (eg SQL Server)
    >to provide single sign on as well. What do others recommend in my
    >scenario?


    That depends on your infrastructure - and your further needs. If you
    only need DLU or single sign on and have already ZCM deployed, then it
    is easiest to just put a DLU policy into your ZCM config.

    If you use SAMBA in PDC mode (non DSfW) and NCP parallel I don't know
    how well that works together and what Windows client OSs are working
    with this config.

    If you use DSfW you have to set up a new server as adding DSfW to an
    existing server is currently not supported (but shall be supported in
    the next SP). DSfW does only support W2K (limited), WinXP, Vista and
    Win7 clients.

    OES2 doesn't support SAMBA in PDC mode. But SLES does....So this takes us back to SLES again.. Options galore, but I don't have time to rebuild a server every weekend! :-)

    DSfW was what I was after because the SQL app server could be added to the domain too, so there would be a single password for everything, but at the last minute I found out that it needs to be installed on a new server! I wasn't pleased because the documentation is not explicit about this important point.

    So it looks like ZCM's DLU is my best option for single sign on for workstations, which means that we are down to just two passwords: i) edir and ii) Windows SQL server.

    Thinking further we could make an Active Directory Domain Controller and use the OES IDM bundled edition which I think does the eDir to AD synch. Does this bundled IDM work nicely "out of the box" or is it Pandora's box?

    -- Gordon

  4. #4
    Join Date
    Oct 2007
    Posts
    929

    Re: OES2 running Samba on ext3 - Want single signon for Win pc's


    gordon mzano wrote:

    >
    >Hi W_Prindl,
    >Thanks for your input...
    >

    No need to thank

    >W_Prindl;2037611 Wrote:
    >> gordon mzano wrote:
    >>
    >> >
    >> >Hi
    >> >I am sorting out a small network of about 20 users which has OES2
    >> >running a Samba (workgroup) and using the EXT3 filesystem with POSIX
    >> >ACL's.
    >> >
    >> >At present all the pc's (XP, Vista and now Win7) have separate Windows
    >> >logons, which I want to fix.
    >> >
    >> >My questions are:
    >> >
    >> >1. FILE SERVER
    >> >Given that the data resides on the ext3 filesystem, is my best option
    >> >for file system access in a Novell clientless setup, SAMBA?
    >>
    >> If you are not using the NSS file system, you are stuck with SAMBA
    >>for clientless login. If you are not using NSS and not using NCP I
    >>do not see any reason for running an OES2 server instead of a
    >>plain SLES server. You can use eDir and LUM on plain SLES, too.

    >
    >I didn't know that eDir and LUM were available on SLES!..So it looks
    >like SLES could do the job at present, but things like Netstorage and
    >iFolder look useful too.
    >
    >> Why are you not using NSS?

    >The server was originally set up with a single logical disk, and no
    >NSS.
    >
    >As per Novell recommendation NSS shouldn't now be used to manage the
    >linux OS partitions. Best to have two logical disks - one for OS and
    >the second one for data on NSS.
    >
    >>
    >>
    >> >It seems that there are a lot of problems with the Novell client for
    >> >Windows and I don't like the idea of introducing such hassles. How
    >> >have others found using the latest Novell client on a mixed (XP,
    >> >Vista, Win7) network? The Win7 one in particular has many posts about
    >> >problems.
    >>
    >> Since upgrading to Client 2 SP1 IR4 I don't have problems with this
    >> client and Win7. For WinXP the client4.91SP5(IR1) connection is the
    >> best connection option available in my opinion.

    >
    >That is good to know. So even though we have ext3 file systems, with
    >the Novell client we have NCP volumes as an option now too along with
    >the trustee model for fs rights. POSIX ACLS are OK, but not ideal when
    >things get complicated.
    >
    >You vouch for the Win7 client, but how about the Vista one?


    Never really used Vista, all Vista Pcs were downgraded to XP.

    >
    >>
    >>
    >> >
    >> >Are these processes correct?
    >> >Using Samba on EXT3, the only way to manage rights is setting POSIX
    >> >ACL's on the server.
    >> >Creating users is as follows - iManager - Create user - Set Universal
    >> >Password - LUM enable user - Samba enable user.
    >>
    >> If you are not using NSS you could put your users apart from edir.
    >>If you are using LUM and LUM-enabled groups, you could at least
    >>omit the LUM enabling of the group.
    >>

    >Good point re LUM enabled groups - so a user is automatically LUM-ed
    >once they are added to the LUM-enabled group.
    >
    >>
    >> LUM is the weakest thing in the whole OES system in my opinion, so
    >>if you can avoid LUM - that is using NCP (or CIFS on NSS volumes)
    >>you have
    >> eliminated one of the most error prone elements of OES.

    >But alas no NSS...With LUM I did see some problems with it a few years
    >back, but nothing that a 0400hr croned rcnamcd restart wouldn't solve.
    >
    >>
    >>
    >> >
    >> >2. Single sign on.
    >> >So that users don't have to manually keep the pc password in synch I
    >> >see these options...What is the best one to use?
    >> >- ZCM and DLU
    >> >- Samba in PDC mode
    >> >- DSfW
    >> >
    >> >For single sign on I am leaning towards Samba PDC or DSfW, which will
    >> >also allow such things as Windows application servers (eg SQL Server)
    >> >to provide single sign on as well. What do others recommend in my
    >> >scenario?
    >>
    >> That depends on your infrastructure - and your further needs. If
    >>you only need DLU or single sign on and have already ZCM deployed,
    >>then it is easiest to just put a DLU policy into your ZCM config.
    >>
    >> If you use SAMBA in PDC mode (non DSfW) and NCP parallel I don't
    >>know how well that works together and what Windows client OSs are
    >>working with this config.
    >>
    >> If you use DSfW you have to set up a new server as adding DSfW to
    >>an existing server is currently not supported (but shall be
    >>supported in the next SP). DSfW does only support W2K (limited),
    >>WinXP, Vista and Win7 clients.
    >>

    >OES2 doesn't support SAMBA in PDC mode. But SLES does....So this takes
    >us back to SLES again.. Options galore, but I don't have time to
    >rebuild a server every weekend! :-)
    >
    >DSfW was what I was after because the SQL app server could be added to
    >the domain too, so there would be a single password for everything,
    >but at the last minute I found out that it needs to be installed on a
    >new server! I wasn't pleased because the documentation is not
    >explicit about this important point.
    >
    >So it looks like ZCM's DLU is my best option for single sign on for
    >workstations, which means that we are down to just two passwords: i)
    >edir and ii) Windows SQL server.
    >
    >Thinking further we could make an Active Directory Domain Controller
    >and use the OES IDM bundled edition which I think does the eDir to AD
    >synch. Does this bundled IDM work nicely "out of the box" or is it
    >Pandora's box?
    >
    >-- Gordon


    If you already have the licenses for a real Windows server, AD on
    Windows synced via IDM is probably the best solution. IDM is one of the
    best products of Novell, so really no problems.

    If not I'd either wait for OES2SP3, which shall have the option to add
    DSfW to an existing server, or reinstall the existing server with DSfW.
    If you want to keep the existing tree and have no other edir server in
    this tree, I'd introduce a second edir server (need not be OES, could
    be Windows/Linux/Solaris) e.g. on a virtual platform, add all
    partitions to this server and make it master - remove the server to be
    reinstalled and afterwards reinstall it into the existing tree -
    thereafter you can remove your 2nd edir server.

    HTH

    --
    W. Prindl
