:: Re: [DNG] Request for comments - tr…
Top Page
Delete this message
Reply to this message
Author: Dr. Nikolaus Klepp
Date:  
To: dng
Subject: Re: [DNG] Request for comments - training room
Am Samstag, 1. Dezember 2018 schrieb Rowland Penny:
> On Sat, 1 Dec 2018 22:17:58 +0000
> Simon Hobson <linux@???> wrote:
>
> > Rowland Penny <rpenny@???> wrote:
> >
> > >> I think what Roland was getting at here is the number of users and
> > >> how they are dealt with makes a huge difference.
> > >>
> > >> At one extreme, you have 28 seats, each one of them has a user such
> > >> as "user1", and you can simply use /etc/passwd & /etc/shadow to
> > >> manage that single user one each seat. You could probably build one
> > >> software image and simply image all 28 machines with that one
> > >> image.
> > >
> > > This would entail running Samba as a workgroup and, once you get
> > > past about 10 machines, it get unwieldy, you have to create the
> > > exact same users on every machine you want them to connect to and
> > > keep their passwords in sync. This can rapidly become a nightmare,
> > > this applies if you decide to go with NFS instead.
> >
> > Indeed, but this scenario is for a fixed setup where the users (28 of
> > them) are setup once and then there is no further user maintenance
> > going forward. In such a scenario, there's little point in going for
> > the complexity of setting up AD - as you say, a one-off setup of the
> > users in Samba. The clients could potentially be configured to
> > auto-login to the desktop (or training system) on boot so the users
> > don't even need to know about users. Easy for users, no security.
>
> Been there, done that, but with that many computers it becomes a
> struggle, the users want to use different computers and cannot because
> they are not set up on that computer, believe me, if you are setting
> something up of this size, a domain is the way to go.
> It also helps if a computer decides to turn its toes up and die, you
> just wheel a spare machine out and use that instead.


I usally use a custom "installer" that pulls a disk image on the new machines and a little script that syncs the users/groups on boot, and that's it. No NFS, no AD, just rsync over ssh. In my scenarios the users shut down theit maschines after logout or the sync script is run fron xdm.

>
> >
> > >> At the other extreme, every person has their own login and can use
> > >> any seat at any time (and there are hundreds or even thousands of
> > >> them) so that progress/results can be logged for each person. In
> > >> this case, you will really need a centralised user management such
> > >> as Roland described using Samba & AD. You could still image each
> > >> machine from one common image - but you'll need to do some
> > >> post-imaging setup to give each machine a unique set of
> > >> identifiers etc for the AD to work properly.
> > >
> > > If you run Samba as an AD DC and join the clients to this, you only
> > > have to create the users & groups once and the password is only
> > > stored in one place, the DC.
> >
> > Exactly - for many users, and especially if the users are dynamic,
> > then it's the only sane way to do it.
> >
> > And it also means that each user has their own personal login & home
> > directory so (if it isn't stored in a database that's part of the
> > training system) there is somewhere for the system to store each
> > users progress etc.
> >
> > Which leads to another question ... Does the training system itself
> > have a user directory etc ? This also has an impact on the solution
> > chosen.
> >
> > If the training system has a logon for each user and stores (eg)
> > progress information in it's own database, then it makes little sense
> > to also configure each user separately to the OS (eg using Samba &
> > AD). Just setup the machines as above with a single user and manage
> > users via the training system. On the other hand, if the database
> > (the schema, not just the DB engine) is "open" enough then it may be
> > possible to use that as an authentication source - giving each user
> > their own OS level login which is the same as the traingin system
> > login, but using just the one database.
> >
>
> It was my understanding this was to be on a separate network.
>
> > Many possibilities - the "best" for any setup depends on answers to
> > these sorts of questions.
> >
>
> Personally, (and I repeat, I am biased), I would run 2 Samba AD DC's
> and at least one Samba Unix domain member as fileserver.
>
> Rowland
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>




--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...