Author Topic: Can eBox replace MS AD for simple things?

Elliott

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +0/-0
Can eBox replace MS AD for simple things?
« on: July 16, 2009, 04:28:23 pm »
Hi,

I've been scanning these forums and searching for practical reviews online for about a month now. Most of what I've found is fairly positive. I'm hoping someone with a similar experience can answer a couple of questions.

First, let me give a background of my current situation. I'm running a small network (~15 users/~25 machines). Windows Server 2003 is in place with AD running for authentication. The only thing we're really using AD for is authentication for logins and file sharing.

The one thing I'm not clear on is if eBox will allow shares on a variety of file servers to be authenticated from the central LDAP or if it can only handle authentication for files it's serving.

I'd also like a little clarification on how/whether a backup LDAP server is synchronized with the primary so that in case of hardware failure, access is maintained.

Any answers or pointers to documents I've missed would be greatly appreciated.

-Elliott

isaac

  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +0/-0
Re: Can eBox replace MS AD for simple things?
« Reply #1 on: July 16, 2009, 04:38:16 pm »
Hi Elliott!

eBox can indeed replace your AD for authentication and file sharing.

eBox can work as a PDC so you can configure other Windows machines to be authenticated against it. In addition, starting with the upcoming 1.4 release (to be released in ~6 months, but with working alphas almost ready) you can set up a master eBox and a few slave eBoxes that replicate parts of the master LDAP (users and groups, but not service-specific data) allowing you to easily have your services distributed among several eBoxes.

Right now we don't have anything in place to facilitate the backup LDAP server. You would have to do that manually, probably using another eBox and syncrepl to replicate the LDAP.

If you install a slave eBox (remember that that is only available in the development 1.3 series) you will get a replica of the users but not of the Samba parts, so that wouldn't be too useful.

In any case it sounds like a nice feature to have and we will look into it.

Elliott

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Can eBox replace MS AD for simple things?
« Reply #2 on: July 16, 2009, 04:53:00 pm »
Quoting myself:
Ok, but specifically, can other servers or even "domain members" share directories on their machines and set permissions based on the eBox LDAP directory?


In my testing (and I'm no Samba expert either) I have found that, out of the box, eb-platform 1.2 does provide this level of service.

The only pressing issue still remaining for my personal needs is some type of hot or hot standby backup server. I've been reading threads on these forums regarding full backups and restores, but there still seem to be issues with this. Lots of errors in restoring backups.

Are you working on the backup/restore process in the new version as well?

Ideally, since the master/slave model you are exploring might not be as full featured as some would like, I'm wondering if there could be a backup routine that basically backs up everything necessary to get the server running on different hardware (either a hard drive or even another machine) in case of a critical failure, without requiring re-adding all users/machines to the domain.

« Last Edit: July 28, 2009, 10:47:16 pm by Elliott »
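
A worked example of the setup Elliott describes above: a second Linux file server joined to the eBox domain as a domain member, whose shares are granted by a group held in the eBox directory rather than by local accounts. This is an added example and is not configuration from the thread or from the eBox project; the domain name EBOX, the PDC host name ebox.example.com, the member server name FILES01, the share path and the group "projects" are all assumptions. Samba 3.x syntax is used, which matches the eb-platform 1.2 era; comments sit on their own lines because smb.conf does not accept trailing comments.

```conf
# /etc/samba/smb.conf on a separate Linux file server joined to the eBox domain.
# Assumed: the eBox PDC is ebox.example.com, the domain (workgroup) is EBOX,
# and a group named "projects" exists in the eBox LDAP directory.
[global]
   workgroup = EBOX
   netbios name = FILES01
   # Authenticate against the PDC instead of a local passdb.
   security = domain
   # "*" would locate the PDC by broadcast; naming it explicitly is safer.
   password server = ebox.example.com
   encrypt passwords = yes

   # winbind maps domain users and groups to local uids/gids. Keep the range
   # above every local account so a domain user can never collide with one.
   # Newer Samba releases spell this "idmap config * : range = 10000-20000".
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # Lets "alice" be used instead of "EBOX\alice" in ACLs and share settings.
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   # Domain users get no interactive shell on this box.
   template shell = /bin/false

   # No guest fallback and no anonymous enumeration of the server.
   map to guest = Never
   restrict anonymous = 2

[projects]
   comment = Project files, members of the eBox group "projects" only
   path = /srv/samba/projects
   # Group resolved from the eBox directory through winbind/nsswitch.
   valid users = @projects
   read only = no
   create mask = 0660
   directory mask = 0770
   browseable = yes

# Join and verify, run as root on the member server:
#   net rpc join -S ebox.example.com -U <eBox admin user>
#     (creates the machine trust account on the PDC)
#   add "winbind" to the passwd and group lines of /etc/nsswitch.conf
#   wbinfo -t
#     (checks the machine trust secret with the PDC)
#   getent group projects
#     (the directory group must resolve before the share can use it)
#   chgrp projects /srv/samba/projects && chmod 2770 /srv/samba/projects
```

The check that matters after the join is `getent group projects`: if the group does not resolve through winbind, `valid users = @projects` silently matches nobody and the share is unusable, which is preferable to it falling open, but worth confirming before users are told the share exists.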

isaac

  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +0/-0
Re: Can eBox replace MS AD for simple things?
« Reply #3 on: July 16, 2009, 05:29:56 pm »
Quote from: elliott
Ok, but specifically, can other servers or even "domain members" share directories on their machines and set permissions based on the eBox LDAP directory?
I am not an expert in Samba, but I fear we can't do that right now. I'll ask one of my workmates about it.

Quote from: elliott
Right now we don't have anything in place to facilitate the backup LDAP server. You would have to do that manually, probably using another eBox and syncrepl to replicate the LDAP.

Do you know of any documentation or walk-throughs of this type of setup? I have several years of linux (and even specifically ubuntu) experience but nothing really with LDAP.

Uhm, there are some like http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP, but it explains things in too much detail (i.e., how to install slapd from source and configure the master LDAP, which eBox does for you).

Quote from: elliott
The 6 month time frame is daunting because one of my 2 AD machines is on its last legs and I'm looking to get a solution in place now. It would be nice if eBox could initially be set up as a Backup Controller to the existing AD Domain and then be elevated to take over later when these features are available!

Well, as I said, a working alpha version with these features will be announced tomorrow. Anyway, it will still lack some of the features you mention. The good news is we are really interested in improving eBox in this aspect. Bad news is it won't be ready in a while :( In any case I'll talk with other developers and report about our plans for LDAP/Samba in the near future.

Thanks
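
A worked example of the manual standby that isaac sketches in Reply #1 and that Elliott asks for documentation on above: a second OpenLDAP server kept in sync with the primary eBox directory using syncrepl. This is an added example, not configuration from the thread or from the eBox project; the host names ldap1.example.com (primary) and ldap2.example.com (standby), the suffix dc=example,dc=com, the admin DN and the replication account cn=replicator are assumptions, and the credential is a placeholder. It is written in slapd.conf style (the form in use when this thread was written); since eBox generates the LDAP configuration itself, the provider-side additions have to be merged into the file the way eBox renders it rather than pasted over it. Comments are on their own lines because slapd.conf does not reliably accept trailing comments inside multi-line directives.

```conf
########## Provider: primary eBox LDAP (ldap1.example.com) ##########
# Assumed: the replication account cn=replicator,dc=example,dc=com already
# exists in the directory (add it with ldapadd before enabling syncprov).
# Module path as packaged on Debian/Ubuntu; omit both lines if syncprov is built in.
modulepath          /usr/lib/ldap
moduleload          syncprov.la

database            bdb
suffix              "dc=example,dc=com"
rootdn              "cn=admin,dc=example,dc=com"
directory           /var/lib/ldap

# Indexes the sync protocol relies on to find changed entries quickly.
index               entryCSN           eq
index               entryUUID          eq

# Place this before any other 'access to' rule: the replicator may read the
# whole tree (it must copy password hashes to be useful) and nothing more;
# 'break' hands everyone else on to the rules that follow.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break

overlay             syncprov
# Record contextCSN every 100 writes or every 10 minutes.
syncprov-checkpoint 100 10
# Keep a log of recent deletions so a consumer can catch up without a full refresh.
syncprov-sessionlog 100

########## Consumer: standby eBox LDAP (ldap2.example.com) ##########
database            bdb
suffix              "dc=example,dc=com"
rootdn              "cn=admin,dc=example,dc=com"
directory           /var/lib/ldap
index               entryCSN           eq
index               entryUUID          eq

syncrepl rid=001
    provider=ldap://ldap1.example.com
    type=refreshAndPersist
    retry="60 10 300 +"
    searchbase="dc=example,dc=com"
    scope=sub
    attrs="*,+"
    schemachecking=off
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials="CHANGE-ME"
    starttls=critical
# refreshAndPersist keeps one connection open and pushes changes as they happen.
# retry: every 60 s, ten times, then every 300 s for as long as the provider is down.
# attrs="*,+" copies user and operational attributes, so entryCSN/entryUUID match.
# starttls=critical refuses to replicate the directory (hashes included) in clear.
# The credentials line means this file must be readable by the slapd user only.

# Any client that tries to write to the standby is referred to the primary,
# so the two copies cannot silently diverge.
updateref           ldap://ldap1.example.com
```

To confirm the standby is current, read the contextCSN of the suffix on both servers and compare them: `ldapsearch -x -H ldap://ldap1.example.com -b dc=example,dc=com -s base contextCSN` against the same query on ldap2.example.com; equal values mean the consumer has applied every change the provider has checkpointed. Replicating the whole suffix does copy every attribute stored in LDAP, including the Samba ones, but a standby PDC also depends on state Samba keeps outside the directory (the domain SID and the machine trust secrets), which this configuration does not carry over; that gap is the "Samba parts" isaac refers to.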

SamK

  • Zen Samurai
  • ****
  • Posts: 283
  • Karma: +3/-0
Re: Can eBox replace MS AD for simple things?
« Reply #4 on: July 16, 2009, 06:16:27 pm »
Quote from: Elliott
The one thing I'm not clear on is if eBox will allow shares on a variety of file servers to be authenticated from the central LDAP or if it can only handle authentication for files it's serving.

Quote from: Elliott
Ok, but specifically, can other servers or even "domain members" share directories on their machines and set permissions based on the eBox LDAP directory?

I support these views as they will greatly strengthen and enhance the appeal of eBox. In my experience this is 'must have' functionality, particularly the Domain Member Servers. The Domain User Shares have usually been of lesser importance or forbidden as a matter of corporate policy.

Quote from: isaac
...In any case I'll talk with other developers and report about our plans for LDAP/Samba in the near future.
Isaac this will be really welcomed, as I assumed (rather than knew) that central authentication of networked resources was being worked on.
« Last Edit: July 16, 2009, 07:46:29 pm by SamK »