School Intranet Servers (was: Re: [Lias] Thanks for help re Proxy)

Les Bell lesbell at lesbell.com.au
Fri Mar 28 09:33:02 UTC 2003


Andrew Dorrell <andrew.dorrell at cisra.canon.com.au> wrote a lot of good
points in that last post, so I'm going to make several replies dealing with
authentication, SMB shares and access control as separate threads:

>>
1. I set up my last server to use smb for all authentication (thanks to
PAM). I did this because it was the quickest way to unify things but I
suspect that a system based on LDAP would have been a better one?  This
seemed much harder but may have given much better Mac integration.
<<

I think authentication is going to be a thorny issue. Our school has an NT
domain, but I'm not sure to what extent it's making use of user accounts
for authentication (the kids just log on with generic "workstation1",
"workstation2", etc. id's) and I haven't paid that much attention to
fitting in with it. To be honest, it's been there for so long, under the
control of various people with less than adequate training, that it's
probably a bit of a mess and it would be better to have workstations
authenticate to the Samba server, where we're starting with a clean slate
(not to mention the benefit of this discussion).

LDAP is a good option, especially when there is a need for cross-platform
authentication. Is anybody out there using it in practice? I've had it on
my to-do list for some time now, especially since our intranet is based on
Lotus Domino, which provides an LDAP server, but I'm about as far from
getting started on it as I was eighteen months ago.

Given that every user on a small setup would have a home directory, the
simplest approach would be to use useradd (or the equivalent in Webmin)
with shadow password authentication. What are the benefits of LDAP over
this?

Best,

--- Les Bell, CISSP
[http://www.lesbell.com.au]




