Quentin, you're on the right track for file / print sharing and user authentication with a Samba PDC. What's more, you should look into the winbind suite of Samba and give some ACL support a go (needs to be compiled into the kernel up to 2.4.x -- not sure how high 'x' is). Combined they are some really clever stuff for file access through stupid Windows Network Neighborhood, particularly when you're talking as precise control as you seem to need for fileserving:
acls : http://acl.bestbits.at
winbind : http://www.samba.org

I don't know if there is an rpm out for winbind yet, but you have to compile ACL support into that too, so... be sure to patch the kernel with both the acl and extended attributes patches. As for the proxy, I might try squid. It's got extensive access controls. Might give you what you need. http://www.squid-cache.org/

hope this helps
h

--- Quentin Hartman <[EMAIL PROTECTED]> wrote:
> Steve et al-
> It seems I may have been unclear in stating my request, for which I apologize. We are trying to migrate away from MS server OS's for a variety of reasons, cost being the most significant. When I stated we have a mix of NT and Linux servers, I failed to mention that the remaining NT machine only serves to update our Norton AV corporate edition clients. There are no other services running on it, nor do we wish there to be any.
> My primary stumbling block in this project is finding a centralized way to control which users are allowed out to the Internet (via proxy, gateway, what have you) that will work for both Linux and Windows systems. I believe I have unified user logins across platforms sorted using Samba and PAM, but it is the Internet access control that is stumping me. We need to allow / deny Internet access to different users based on whether or not they have completed their acceptable use forms, and also have the ability to deny access to those who abuse the system. I am relatively new to this particular facet of network administration and design, so please excuse my ignorance on the topic. It seems this should be a common need with a well-established solution, but I have not found one.
> The users move between platforms regularly and I need consistency across them. I have found software (such as Microsoft's Proxy server, or Novell's) which works on a per-user basis, but those only run on OS's we do not use, or work only for Windows clients. It would be simple enough to block a particular machine using an ACL or similar, but I have not found anything that will authenticate on a per user basis on a Linux-based gateway, firewall, or proxy. I need it to work from either Windows Domain login (processed by a Samba PDC) or Linux terminal logins. I have found options which require people to SSH into a gateway to open a connection from the client, but I do not see that as a usable option in a k-12 environment. My users are simply not up to that kind of process, especially not for the younger kids (or older teachers, for that matter). Am I chasing my tail, or is this sort of thing possible?
>
> <snip from Steve Sobol>
> >LDAP might be another potential solution.
> <snip>
>
> I have heard of a lot of people using LDAP as an authentication database, but I have yet to find any good current documentation on how to get such a beast rolling. I guess I just don't "get it". Such an open-ended and centralized system would be ideal for the services we want to offer in the future. I've tried a few times to figure it out on my own with OpenLDAP, but it seems pretty clunky in the role of an authentication db. What am I missing? What resources would you suggest?
>
> -Thanks in Advance and Best Regards-
> -Quentin Hartman-
>
> Original Post Follows:
>
> Colleagues-
> I am working on re-building a network for a k-12 institution, and am trying to put in some security features that are sorely needed. One of the most glaringly obvious omissions for this environment is that there is no mechanism in place to authenticate users for internet access. It is a mixed environment of Linux and Windows 9x workstations and Linux and NT servers.
> I would very much like to have centralized user management. The scenario goals we are trying to achieve are:
> 1- Unrestricted user logs in. Has access to file / app servers and Internet
> 2- Semi-restricted user logs in. Has access to file / app servers, but not internet.
> 3- Restricted user logs in. Has access only to local files and programs.
> 4- Unauthorized user cannot login.
> I imagine a combination of policy files for the 9x clients, samba, pam, and squid could achieve this, but I would like your feedback on the best way to proceed to complete this project. Am I on the right track at all?
> -Regards-
> -Quentin Hartman-
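A squid.conf sketch of the per-user Internet control Quentin asks about, added here as an example and not part of the original thread: it assumes Squid is authenticating through Samba's ntlm_auth/winbind helpers, that the helper paths match your build, and two constructed domain groups, internet-users (signed the acceptable-use form) and internet-banned (access revoked for abuse).

```conf
# Authenticate proxy users against the Samba PDC through winbind.
# Domain-joined Windows clients get single sign-on via NTLM; Linux clients
# fall back to a basic-auth prompt checked against the same domain accounts.
# (Helper paths are assumptions; check where your packages put them.)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm School proxy
auth_param basic credentialsttl 2 hours

# Group membership is looked up through winbind, so the allow/deny decision
# lives in the PDC's groups rather than in lists maintained inside squid.conf.
# (Older Squid builds ship this helper as wbinfo_group.pl.)
external_acl_type nt_group ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

acl authenticated proxy_auth REQUIRED
# Constructed group names for this example.
acl banned_users  external nt_group internet-banned
acl allowed_users external nt_group internet-users

# Order matters: the first matching http_access line wins.
http_access deny !authenticated   # challenge / SSO before anything else
http_access deny banned_users     # revoked users lose access even if still in internet-users
http_access allow allowed_users   # users who signed the form may go out
http_access deny all              # semi-restricted and restricted users stay inside
```

winbindd must be running on the proxy host and the Squid user needs access to winbind's privileged pipe for the NTLM helper to work; a user's group change takes effect within the ttl on the external ACL.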
