3

We are looking at migrating all of our shared folders and files to one server. Currently it's spread out over a few servers which has been the method for the past years but now we want to upgrade and consolidate.

We have been kicking around the idea of a Linux (Ubuntu to be exact) based file & print server. I'm familiar with the OS, but what I'm not sure of is how to migrate the Windows shares (including user access rights, security, etc.) over to the Linux machine and maintain those rights.

Another thing I'm not positive about is interlinking the Linux box with our Windows based LDAP for those permissions to be implemented. I know there is the Kerberos daemon which works fine within our domain but in the security and access control of a particular share via Samba we cannot select users from the domain to be "authorized" to use the share.

Info: I'm using Webmin to access the "GUI" of the Samba shares.

Mostly looking for information and literature on this, but if it becomes too troublesome we may have to stick with the Windows Server OS, which we are trying to avoid just to save a few bucks and some overhead on the machine's performance.

Thanks in advance for any information!

nedm
RPGonzo

1 Answer

4

The CIFS/Samba implementation in FreeNAS is excellent, we have several FreeNAS boxes and VMs going in an Active Directory environment, using AD for permissions on the shares. It's also extremely easy to set up and configure.

Once we've set up the FreeNAS box and enabled the CIFS/Samba service, we add the following to the 'Auxiliary Parameters' box in the CIFS service settings:

    client use spnego = yes
    winbind enum groups = no
    winbind enum users = no
    winbind separator = +
    winbind use default domain = yes
    wide links = no

Some of this may be unnecessary, but make sure to keep the 'wide links = no' in there as it mitigates a potential Samba directory traversal vulnerability.

You can then create your shares. To set permissions via AD, we would add the following line to the 'Auxiliary Parameters' box for each individual share with the groups and/or users we want to have access to the share:

    Valid Users = @OURDOMAIN+Somegroup @OURDOMAIN+'Some Other Group' OURDOMAIN+someuser OURDOMAIN+someotheruser

Note the groups preceded by '@', everything is separated by spaces, and groups or users with a space in their name are single-quoted.

FreeNAS installs and runs on FreeBSD rather than Linux, which allows it to include things like ZFS, but if you're determined to use Linux, OpenFiler is the Linux-based version of the same project.

If you do want to roll your own rather than use one of these distros (though they will simplify things for you immensely), you also might want to look into Likewise as an alternative to Samba for getting your box on the AD domain.

EDIT: Wow, sounds like you've got a lot of shares to migrate -- you may be able to script the addition of new shares, but be careful -- the smb.conf file gets overwritten from the /conf/config.xml file in FreeNAS each time the system restarts. You might be able to create the xml share definitions from your ShareEnum output to then paste into config.xml, using an example share you make as the template, but these get their own uuid from FreeNAS so I'm not sure how that will work -- I suggest experimenting after install and before you migrate.

nedm
  • Thanks for the information, now to digest most of this. At first glance I agree the FreeNAS looks to be a viable solution. But FreeBSD is rather 'vague' to me so I need to brush up. Again thanks for the detailed info! – RPGonzo Sep 30 '10 at 17:36
  • No problem -- and one of the beautiful things about both FreeNAS and OpenFiler is that you don't necessarily need to know how the underlying OS works, you can just install, configure, and manage via the web interface and leave it at that. But if you do know more about the internals of FreeBSD and/or Linux, you can use it to your advantage (e.g., shell scripting, automation, etc.). – nedm Sep 30 '10 at 17:45
  • Exactly, I always like to be familiar with what I am 'in charge of'. Have you ever migrated existing Windows shares to this system? If so what kind of tips would you suggest? I just don't want to have to manually add rights to each share if a migration is not possible. – RPGonzo Sep 30 '10 at 18:01
  • Yes, we migrated all of our fileserving to a FreeNAS box, with the only exception being a single software-install directory for group policy that we left on a DC. It can be cumbersome to migrate -- using AD solves half of the problem, in that you don't have to set up any additional user accounts on the FreeNAS box, but migrating the shares themselves and setting permissions can take a while. – nedm Sep 30 '10 at 19:00
  • We also had to simplify how permissions on our shares were assigned, as it is difficult to set up individual folders or files on the same share with different AD user permissions. However, this actually made us organize our shares more effectively and has ended up being a positive in the long run. – nedm Sep 30 '10 at 19:06
  • To be more specific, we structured all of our shares based on the permissions required for access and used shortcuts to translate this to the organizational layout we wanted. For instance, all users get a shortcut placed on their desktop via a login script that goes to a folder on the NAS that contains shortcuts to the other company folders (e.g., general_office, billing, forms, etc.). The folder with the shortcuts is shared read-only so users can't mess with it, but once users follow one of the shortcuts they're subject to the access and permissions set on the target share. – nedm Sep 30 '10 at 19:21
  • Lastly, if you have a HUGE lot of shares to migrate, consider using something like [this](http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx) to get a list of your shares, and script something up to insert them into the FreeNAS config. See edit in the question above. – nedm Sep 30 '10 at 19:43
  • Wow, nifty little tool. Yes that would help TREMENDOUSLY on migrating things over. I just did a quick overview of one server, the newest one, and it had around 350 shares on one drive. I still have 3 other servers to count up. Thanks so much! – RPGonzo Sep 30 '10 at 19:51
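
When hundreds of shares are scripted into the config, it helps to check the generated smb.conf before going live. The following is an added example, not code from the answer or from FreeNAS: a Python audit that flags shares where `wide links` is not explicitly disabled, shares with no `valid users` line, and `valid users` entries that look like an unquoted name containing a space. The sample file, share names and finding texts are constructed, and it assumes the `+` winbind separator used in the answer.

```python
import configparser
import shlex

# Constructed smb.conf for illustration; share and group names are made up.
SAMPLE = """\
[global]
winbind separator = +
wide links = no
[billing]
valid users = @OURDOMAIN+Somegroup @OURDOMAIN+'Some Other Group' OURDOMAIN+someuser
[forms]
wide links = yes
[scans]
valid users = @OURDOMAIN+Scan Operators
"""

def parse_principals(value, sep="+"):
    """Split a 'valid users' value into (kind, domain, name) tuples."""
    out = []
    for tok in shlex.split(value):  # single-quoted names keep their spaces
        kind = "group" if tok.startswith("@") else "user"
        domain, found, name = tok.lstrip("@").partition(sep)
        out.append((kind, domain, name) if found else (kind, None, domain))
    return out

def audit(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    findings = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        sec = cp[share]
        # A share-level value overrides [global]; unset is flagged so the
        # setting stays explicit, as the answer recommends.
        wide = sec.get("wide links", glob.get("wide links", "unset"))
        if wide.lower() not in ("no", "false", "0"):
            findings.append((share, f"wide links = {wide}"))
        users = sec.get("valid users", "")
        if not users.strip():
            findings.append((share, "no valid users restriction"))
        for kind, domain, name in parse_principals(users, glob.get("winbind separator", "\\")):
            if domain is None:  # heuristic: often an unquoted name with a space
                findings.append((share, f"{kind} '{name}' lacks a domain prefix"))
    return findings

if __name__ == "__main__":
    for share, finding in audit(SAMPLE):
        print(f"[{share}] {finding}")
```

In the sample, `[scans]` is flagged because `Scan Operators` was not single-quoted, so Samba would read `Operators` as a separate user name.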