[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-12 Thread Jim C.
Tomasz Chmielewski wrote:
| Hello,

Hmmm... Small storage area network? Gigabit ethernet might be cheap
enough.  Perhaps you could create a Gigabit backbone and basically do a
mirror setup?  Would RAID help?  Have you been thinking of a backup
solution?
Jim C.
--
I can be reached on the following Instant Messenger services:
MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844
Y!: j_c_llings  Jabber: jcllings @ njs.netlab.cz
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-12 Thread Gémes Géza
Tomasz Chmielewski wrote:
John H Terpstra wrote:
I thought of this approach:
- keep profile size to the minimum (20-30 megs),

How will you control the size of the profile? I can not see a 
practical solution to do this.

Didn't think of it yet.
Several years ago, in a rather big university facility I saw something
like that on Windows NT workstations: if a student's profile was too big,
the user was not allowed to log out until he/she deleted some data (there was
a pop-up window "your profile is bigger than XY megabytes, you can't log
out, delete some files etc.").
The only way to log out was to delete some files and try again, or to
power off the machine (which meant the profile was lost).
Does anyone know what this could be?

NTConfig.POL made with NT4 policy editor saved to the root of the 
netlogon share can implement profile size limitations. I think one of 
the adm files distributed with poledit.exe can do the trick.

- rsync changes of the profile to the other domain controllers when 
user
logs out.

The trouble is that you have to do it from each WAN location and 
there is just no way to maintain data integrity with multiple source 
locations and multiple targets.

Given the fact that one user can log in only once and in one place, I
think it is doable: just rsync changes to other places using "postexec"
%U script. There are some problems to be solved (what if changes can't
be uploaded for some time and we have two different profiles?), but I
think I have to live with that as I didn't think of anything better so 
far.

It would be great if there was some "profile-daemon" which could take 
care of profile replication:

1) user logs out and uploads profile to a local Samba server,
2) "profile-daemon" notices that user logged out and finished 
uploading profile locally,

3) "profile-daemon" attempts to copy profile to other location(s); if 
upload successful, exit

4) if upload unsuccessful, retries,
5) if user wants to log in locally again - no problem; if user is a 
olympic sprinter and managed to reach another building before the 
profile was fully uploaded, he should be notified during login that 
profile is not in sync (and ask what to do),

6) if upload unsuccessful because link broken, triggers dial-up and 
notifies other locations that the profile is *not uploaded*,

7) now other locations know that profiles are not in sync, and won't 
allow user to log in (or allow to log in, but warn that profile is not 
in sync),

8) every 5 or 10 minutes "profile-daemons" should communicate and 
exchange information; if they can't communicate, they know it, and 
during login present a user a window explaining "last profile change 
was on Friday, 11:34 etc., what to do"...

This would need some additional software installed on a Windows side, 
too I think.

Anyway I think it could be a killer Samba feature, especially for 
bigger organizations like universities.


Do you think it's a good approach, or should I think of something else?

I'd suggest local profiles for such mobile users. Remember you can 
use Windows XP Pro off-line folders to replicate data to a home server.

But these mobile users can sit in front of a random workstation, so I
can't do it like that.
Tomek
Very nice, but very hard to implement.
Another idea:
There is coda (http://coda.cs.cmu.edu/), which was designed for 
disconnected operation, you could try to make it interoperate with samba.
I think it is not trivial either, as coda uses its own 
authentication/authorization methods, with some support for kerberos.

Cheers,
Geza Gemes


Re: [Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-12 Thread Tomasz Chmielewski
John H Terpstra wrote:
I thought of this approach:
- keep profile size to the minimum (20-30 megs),

How will you control the size of the profile? I can not see a practical 
solution to do this.
Didn't think of it yet.
Several years ago, in a rather big university facility I saw something
like that on Windows NT workstations: if a student's profile was too big,
the user was not allowed to log out until he/she deleted some data (there was
a pop-up window "your profile is bigger than XY megabytes, you can't log
out, delete some files etc.").
The only way to log out was to delete some files and try again, or to
power off the machine (which meant the profile was lost).
Does anyone know what this could be?

- rsync changes of the profile to the other domain controllers when user
logs out.

The trouble is that you have to do it from each WAN location and there is just 
no way to maintain data integrity with multiple source locations and multiple 
targets.
Given the fact that one user can log in only once and in one place, I
think it is doable: just rsync changes to other places using "postexec"
%U script. There are some problems to be solved (what if changes can't
be uploaded for some time and we have two different profiles?), but I
think I have to live with that as I didn't think of anything better so far.
It would be great if there was some "profile-daemon" which could take 
care of profile replication:

1) user logs out and uploads profile to a local Samba server,
2) "profile-daemon" notices that user logged out and finished uploading 
profile locally,

3) "profile-daemon" attempts to copy profile to other location(s); if 
upload successful, exit

4) if upload unsuccessful, retries,
5) if user wants to log in locally again - no problem; if user is an 
olympic sprinter and managed to reach another building before the 
profile was fully uploaded, he should be notified during login that 
profile is not in sync (and ask what to do),

6) if upload unsuccessful because link broken, triggers dial-up and 
notifies other locations that the profile is *not uploaded*,

7) now other locations know that profiles are not in sync, and won't 
allow user to log in (or allow to log in, but warn that profile is not 
in sync),

8) every 5 or 10 minutes "profile-daemons" should communicate and 
exchange information; if they can't communicate, they know it, and 
during login present a user a window explaining "last profile change was 
on Friday, 11:34 etc., what to do"...

This would need some additional software installed on a Windows side, 
too I think.

Anyway I think it could be a killer Samba feature, especially for bigger 
organizations like universities.


Do you think it's a good approach, or should I think of something else?

I'd suggest local profiles for such mobile users. Remember you can use Windows 
XP Pro off-line folders to replicate data to a home server.
But these mobile users can sit in front of a random workstation, so I
can't do it like that.
Tomek


Re: [Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-12 Thread John H Terpstra
On Sunday 12 December 2004 06:15, Tomasz Chmielewski wrote:
> John H Terpstra wrote:
> > NT4 does not
> > replicate or synchronize desktop profiles - nor does Samba. Where on
> > earth did you obtain the idea that this ought to happen?
>
> Well, I know Samba doesn't replicate profiles.
> I just asked what is the best way to do it.

Sorry. My mis-reading of your posting.

>
> > The notion that all roaming profiles are stored on a central server and
> > that profiles are transferred over a wide-area link at login time is not
> > one I have created. Where did you get such a notion? I would not call
> > that silly, I'd call that insane and completely unworkable.
>
> I got such a notion in one of replies to my post; which I criticized as
> not very useful/possibly harmful.
>
> > The answer is: Practice good account management. Locate the users'
> > profile on a server close to where the user is - preferably on the same
> > network segment. If a user roams across multiple network segments and the
> > wide-area bandwidth can not handle the roaming profile then do exempt that
> > user from having a roaming profile and instead store the profile locally
> > on the workstation (or notebook) that is used by this user.
>
> Yes, this is why I asked my question. I want to introduce good account
> management.
>
> But if there are two buildings, 2 minutes walk, connected by a 1 Mbit
> VPN/WAN link, and users (students) need to use their profile in each
> building (and they use different computers in different rooms, so can't
> store profiles locally), I need some profile replication mechanism.

Windows has no good replication solution for this. The only workable one is a 
local profile.

>
> I thought of this approach:
>
> - keep profile size to the minimum (20-30 megs),

How will you control the size of the profile? I can not see a practical 
solution to do this. Folder redirection is the best way to limit the size of 
the profile, but that means any profile contents will be accessed over the 
WAN link. Bandwidth could be a problem for that.

The other solution is to share the profile data via NFS. I know I would not 
like to entertain that over a slow WAN link.

> - rsync changes of the profile to the other domain controllers when user
> logs out.

The trouble is that you have to do it from each WAN location and there is just 
no way to maintain data integrity with multiple source locations and multiple 
targets.

>
> Do you think it's a good approach, or should I think of something else?

I'd suggest local profiles for such mobile users. Remember you can use Windows 
XP Pro off-line folders to replicate data to a home server.

- John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.


Re: [Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-12 Thread Tomasz Chmielewski
John H Terpstra wrote:
NT4 does not 
replicate or synchronize desktop profiles - nor does Samba. Where on earth 
did you obtain the idea that this ought to happen?
Well, I know Samba doesn't replicate profiles.
I just asked what is the best way to do it.

The notion that all roaming profiles are stored on a central server and that 
profiles are transferred over a wide-area link at login time is not one I 
have created. Where did you get such a notion? I would not call that silly, 
I'd call that insane and completely unworkable.
I got such a notion in one of replies to my post; which I criticized as 
not very useful/possibly harmful.


The answer is: Practice good account management. Locate the users' profile on 
a server close to where the user is - preferably on the same network segment.
If a user roams across multiple network segments and the wide-area bandwidth can 
not handle the roaming profile then do exempt that user from having a roaming 
profile and instead store the profile locally on the workstation (or 
notebook) that is used by this user.
Yes, this is why I asked my question. I want to introduce good account 
management.

But if there are two buildings, 2 minutes walk, connected by a 1 Mbit 
VPN/WAN link, and users (students) need to use their profile in each 
building (and they use different computers in different rooms, so can't 
store profiles locally), I need some profile replication mechanism.

I thought of this approach:
- keep profile size to the minimum (20-30 megs),
- rsync changes of the profile to the other domain controllers when user 
logs out.

Do you think it's a good approach, or should I think of something else?
Tomek


[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-12 Thread Jim C.
Argh! You are correct. I thought this was the one really good article
that Buchan Milne wrote.  It seems to have disappeared.
|> http://linsec.ca/bin/view/Main/LdapAdvanced
| NO, this article is about LDAP mainly, and says nothing about
| replicating/synchronizing profiles/data/files.
| Tomek
Jim C.


Re: [Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-11 Thread Adam Tauno Williams
> >> As a consequence, this also means, that on each server there has to be 
> >> a copy of a profile of a given user, right? 
> > No, not right. The user roaming profile is stored only on one server.
> So what is the sense of having BDCs? 

So distribute the profiles.  Where the user's profile is located is just
an attribute of the user object (when using an LDAP SAM).



Re: [Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-11 Thread John H Terpstra
On Saturday 11 December 2004 13:06, Tomasz Chmielewski wrote:
> gints neimanis wrote:
> > Tomasz Chmielewski wrote:
> >> As a consequence, this also means, that on each server there has to be
> >> a copy of a profile of a given user, right?
> >
> > No, not right. The user roaming profile is stored only on one server.
>
> So what is the sense of having BDCs? I guess the biggest load happens
> when the profiles are copied; when there are hundreds of users, one PDC
> (on which the profiles are stored) would be much overloaded.

Tomasz,

An NT4 PDC is a master authentication database server. It is undesirable to 
have network logon traffic run over a routed network. The purpose of the BDC 
is to permit a single security domain (context) and still permit all network 
logon traffic to be handled on the local network segment.

At some time in the future Samba may be able to handle full authentication 
database synchronization (like NT4 PDC/BDC combinations can do). At this time 
it does not, however there can be only one PDC per domain (security context). 
The benefit of a single domain is that it helps keep to a minimum the number 
of interdomain trusts required.

Authentication is entirely orthogonal to MS Windows client profile handling.
Both in NT4 as well as with Samba, the location of the user desktop profile is 
set in the user account record in the authentication database. NT4 does not 
replicate or synchronize desktop profiles - nor does Samba. Where on earth 
did you obtain the idea that this ought to happen?

>
> Besides, Samba Guide chapter 7 ("Distributed 2000 users network")
> describes a setup when users are located in New York, London etc.
> different locations, which sounds just silly if roaming profiles were
> stored for example in New York only.

The notion that all roaming profiles are stored on a central server and that 
profiles are transferred over a wide-area link at login time is not one I 
have created. Where did you get such a notion? I would not call that silly, 
I'd call that insane and completely unworkable.

Windows NT4/2KX profiles can be many gigabytes in size, particularly if 
network administrators have not attempted to manage the network environment. 
Microsoft's ZAW (Zero Administration Windows) program was designed to show 
network administrators how to lock down the desktop profile so that logins 
involve a minimum of network traffic and users get good network 
responsiveness.

>
> > Maybe you may rename each SAMBA server in each location to the same
> > NetBIOS name, but the profile directory on each server is fetched from
> > the central server over NFS.
>
> I don't think giving the same NetBIOS name for different machines is a
> good idea.

Agreed.

>
> Fetching profiles each time from a central server when user logs in /
> logs out doesn't seem to be good idea for me - what if company/school
> etc. has two or more buildings, and they are connected only by a slow
> VPN over internet/wireless etc.?

The answer is: Practice good account management. Locate the users' profile on 
a server close to where the user is - preferably on the same network segment.
If a user roams across multiple network segments and the wide-area bandwidth can 
not handle the roaming profile then do exempt that user from having a roaming 
profile and instead store the profile locally on the workstation (or 
notebook) that is used by this user.

Cheers,
John T.


Re: [Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-11 Thread Tomasz Chmielewski
Tomasz Chmielewski wrote:
| Jim C. wrote:
|
|> | Or perhaps I don't understand something?
|>
|> Just a guess but a BDC is probably going to do the same thing with the
|> files that the LDAP backend would do.  I.E. replicate the data from the
|> server.
| But how should it be done?
OK, real quick.  I don't have time to read the rest of this email but
try this:
http://linsec.ca/bin/view/Main/LdapAdvanced
NO, this article is about LDAP mainly, and says nothing about 
replicating/synchronizing profiles/data/files.

Tomek


[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-11 Thread Tomasz Chmielewski
gints neimanis wrote:
Tomasz Chmielewski wrote:
As a consequence, this also means, that on each server there has to be 
a copy of a profile of a given user, right?

No, not right. The user roaming profile is stored only on one server.
So what is the sense of having BDCs? I guess the biggest load happens 
when the profiles are copied; when there are hundreds of users, one PDC 
(on which the profiles are stored) would be much overloaded.

Besides, Samba Guide chapter 7 ("Distributed 2000 users network") 
describes a setup when users are located in New York, London etc. 
different locations, which sounds just silly if roaming profiles were 
stored for example in New York only.


Maybe you may rename each SAMBA server in each location to the same 
NetBIOS name, but the profile directory on each server is fetched from 
the central server over NFS.
I don't think giving the same NetBIOS name for different machines is a 
good idea.

Fetching profiles each time from a central server when user logs in / 
logs out doesn't seem to be good idea for me - what if company/school 
etc. has two or more buildings, and they are connected only by a slow 
VPN over internet/wireless etc.?

Tomek


[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-11 Thread gints neimanis
Tomasz Chmielewski wrote:
As a consequence, this also means, that on each server there has to be a 
copy of a profile of a given user, right?
No, not right. The user roaming profile is stored only on one server.
Maybe you may rename each SAMBA server in each location to the same 
NetBIOS name, but the profile directory on each server is fetched from 
the central server over NFS.

Gints


Re: [Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-11 Thread Tomasz Chmielewski
Jim C. wrote:
| Or perhaps I don't understand something?
Just a guess but a BDC is probably going to do the same thing with the
files that the LDAP backend would do.  I.E. replicate the data from the
server.
But how should it be done?
I have read the whole Samba Guide, and I think I didn't find a clue on 
that - it seems for me that using configurations similar to these 
presented in Samba Guide would result in different roaming profiles on 
each domain controller.

File replication is a different thing than LDAP replication:
- files are big, LDAP queries are just a hundred bytes each,
- file operations are read and write, LDAP are read mostly,
- LDAP is one read/write master server and multiple read-only slaves,
- with PDC and BDCs files can be read from and written to each server 
(PDC, BDC1, BDC2 etc.) - there is no "central" server which takes care 
of everything.

So, now imagine this situation:
We have a university/school facility with two buildings. Additionally, 
there is a campus nearby with 4 buildings. So 6 buildings in total.
They are connected together using VPN over internet link - 1 Mbit 
down/upload in each building.

Students have classes in each building, which means they should be able 
to log in and use their roaming profiles in each building, and also in 
each building in a campus.

To keep traffic to the minimum, there is a domain controller + LDAP 
slave in each building: from 09.00-11.00 student Joe has classes in 
building A, so he uses domain controller (DC-A) in that building, and 
from 11.15-14.00 he has classes in building B (and therefore, uses 
DC-B). After that he does his homework on the campus - so after each 
logout, his profile should be immediately replicated to other domain 
controllers in other buildings.

With LDAP it is easy: the master controls everything: for example when a user 
changes his/her password, the slave gives this change to the master, which 
replicates the data to other slaves. When the master is unavailable (link 
down or master server down) the user will be notified that the password 
can't be changed.

This is not the case with files.
Even if I use some handmade scripts which use rsync to upload files to 
other DCs after user logs out, this will obviously fail when one DC is 
down for some time or internet link/VPN is down:

- at 11.00 user Joe finishes his classes in building A, logs out, 
profile with important data is uploaded to other DCs,
- as there is no connection between building A and B (roadwork workers 
just broke the internet link between buildings), this results in 
different profiles in building A and B,
- at 11.15 he logs in in building B, notices (or not), that his important 
data is incomplete,
- at 14.00 he logs out in building B, internet link is back, so his 
incomplete data from building B overwrites important, complete data in 
building A,
- we have data corruption, user confusion, students and staff losing 
their data, admins fired etc. etc.

So here comes my question again: how should the profiles be synchronized 
between domain controllers? What are the best ways to do it? What are 
your experiences?

Hope the post wasn't too long :) but I think that the problem is not a 
trivial one, too.

Tomek
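The "rsync on logout via a postexec %U script" idea proposed in the thread, together with the split-brain scenario Tomek walks through above (a stale copy from building B overwriting newer data in building A once the link returns), as an added example that is not code from the thread or from the Samba project. It keeps a small marker file in each profile recording the generation it was saved at, where it was saved, and which generation it was derived from; a push only overwrites a peer that still holds the base generation, so a peer that moved on during an outage keeps its copy and the diverged one is parked instead of silently clobbering it. PROFILE_ROOT, PEERS, STATE_DIR, DC_NAME, the marker file name and the smb.conf hook lines are all assumptions; peers are addressed as directory paths (local mounts in this offline demo) rather than over ssh, and rsync is used only when it is installed.

```shell
#!/bin/sh
# profsync: logout-time roaming profile replication with a generation
# marker. Added illustration; not Samba code nor a script from the thread.
# Assumed (not from the original): PROFILE_ROOT is this DC's profile share,
# PEERS lists the other DCs' profile roots as directory paths (local mounts
# here; a WAN setup would use rsync over ssh inside copy_tree), STATE_DIR
# is per-DC bookkeeping, DC_NAME names this DC. Hypothetical smb.conf hooks:
#   root preexec  = /usr/local/sbin/profsync login  %U
#   root postexec = /usr/local/sbin/profsync logout %U
# A cron job would run "profsync publish USER" to retry pending pushes.

PROFILE_ROOT=${PROFILE_ROOT:-/srv/profiles}
PEERS=${PEERS:-}                   # space-separated peer profile roots
STATE_DIR=${STATE_DIR:-/var/lib/profsync}
DC_NAME=${DC_NAME:-$(uname -n)}
MARKER=.profsync                   # holds "GEN ORIGIN BASE" inside the profile

# Mirror SRC into DST: rsync when installed (what the thread proposes),
# otherwise a tar pipe so the example also runs without it.
copy_tree() {
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete "$1/" "$2/"
    else
        rm -rf "$2" && mkdir -p "$2" && (cd "$1" && tar cf - .) | (cd "$2" && tar xf -)
    fi
}

# marker_field DIR N: field N of DIR's marker; 0 ("none" for origin) if absent.
marker_field() {
    if [ -f "$1/$MARKER" ]; then cut -d' ' -f"$2" "$1/$MARKER"
    elif [ "$2" = 2 ]; then echo none
    else echo 0
    fi
}

profile_status() { cat "$STATE_DIR/$1.status" 2>/dev/null || echo unknown; }
set_status() { mkdir -p "$STATE_DIR" && echo "$2" > "$STATE_DIR/$1.status"; }

# profile_login USER (preexec): pull the newest generation a reachable peer
# holds, warn about unreachable or diverged peers, record the session base.
profile_login() {
    user=$1; mine="$PROFILE_ROOT/$user"
    best=$mine; bestgen=$(marker_field "$mine" 1)
    for p in $PEERS; do
        if [ ! -d "$p" ]; then
            echo "warning: $p unreachable, $user's profile may be stale"; continue
        fi
        g=$(marker_field "$p/$user" 1)
        if [ "$g" -gt "$bestgen" ]; then best="$p/$user"; bestgen=$g
        elif [ "$g" -eq "$bestgen" ] && [ "$(marker_field "$p/$user" 2)" != "$(marker_field "$best" 2)" ]; then
            echo "warning: $user's profile has diverged between $DC_NAME and $p"
        fi
    done
    if [ "$best" != "$mine" ]; then copy_tree "$best" "$mine"; fi
    mkdir -p "$STATE_DIR" && echo "$bestgen" > "$STATE_DIR/$user.base"
}

# profile_logout USER (postexec): stamp a new generation derived from the
# login base, then try to deliver it.
profile_logout() {
    user=$1; mine="$PROFILE_ROOT/$user"
    base=$(cat "$STATE_DIR/$user.base" 2>/dev/null || echo 0)
    echo "$((base + 1)) $DC_NAME $base" > "$mine/$MARKER"
    profile_publish "$user"
}

# profile_publish USER: compare-and-swap push. A peer is overwritten only while
# it still holds the generation our copy was derived from; a peer that moved on
# during an outage keeps its copy and ours is parked for a human to merge.
profile_publish() {
    user=$1; mine="$PROFILE_ROOT/$user"; status=ok
    mygen=$(marker_field "$mine" 1); base=$(marker_field "$mine" 3)
    for p in $PEERS; do
        if [ ! -d "$p" ]; then
            echo "pending: $p unreachable, will retry"
            [ "$status" = ok ] && status=pending
            continue
        fi
        pg=$(marker_field "$p/$user" 1)
        if [ "$pg" -eq "$mygen" ] && [ "$(marker_field "$p/$user" 2)" = "$DC_NAME" ]; then
            continue                          # delivered by an earlier retry
        elif [ "$pg" -eq "$base" ]; then
            copy_tree "$mine" "$p/$user"
        else
            park="$STATE_DIR/conflicts/$user.$mygen.$DC_NAME"
            echo "conflict: $p holds gen $pg, expected $base; parking copy in $park"
            mkdir -p "$park" && copy_tree "$mine" "$park"
            status=conflict
        fi
    done
    set_status "$user" "$status"
}

case "${1:-}" in
    login)   profile_login   "$2" ;;
    logout)  profile_logout  "$2" ;;
    publish) profile_publish "$2" ;;
esac
```

The marker is what turns "rsync and hope" into something checkable: after an outage both buildings end up at generation 2 with different origins, each push sees the peer is not at the base it expected, refuses, and leaves a parked copy plus a `conflict` status, so the user can be told at the next login that the profile is not in sync instead of discovering it by missing files. Samba's `preexec close` parameter could be used to refuse the connection when the login check reports a conflict, if a site prefers to block rather than warn.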


[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?

2004-12-11 Thread Jim C.
| Or perhaps I don't understand something?
Just a guess but a BDC is probably going to do the same thing with the
files that the LDAP backend would do.  I.E. replicate the data from the
server.
Jim C.