Let's say I've got 5 network storage servers / LXCs, all running SMB as well as SFTP (or something else that uses normal Linux auth). They all host different network shares / data. Now I am trying to sync all the user accounts, both Linux and Samba (Samba uses different hashing), so that I don't need to manually create / change the password of each client account on each LXC individually.
I have spent the last week trying to get LDAP (via 389 Directory) to work and I am just done... After several other things I am now stuck trying to figure out how to allow SMB to authenticate against the LDAP server, since it uses a different hashing than standard Linux auth, and I found so much conflicting info online.
Also the management (creating users / assigning them to groups) via the Cockpit plugin is just a pain...
I am wondering if it wouldn't just be the easier option to hard sync / mount all the /etc/shadow, /etc/group and /var/lib/samba/passdb.tdb files between all the worker nodes... Since all the configuration would be done on the controller, it should even be possible to mount those files in read-only mode on all of the workers.
How bad is this idea?
How likely is this going to work / break?
Any advice appreciated :)
The full setup plan is:
- One controller VM that runs Debian and Cockpit, including the 45Drives Navigator and Identities plugins for management (up until now also a 389 Directory Server)
- The controller has all the network shares of the workers mounted and viewable via the browser-based Cockpit 45Drives Navigator plugin, allowing for easy data viewing and transfer between multiple network shares / workers
- The goal is to do all the management centralized via the cockpit interface running on the controller
- Multiple worker nodes / LXCs that all run Debian with SMB installed; besides the actual data stored in the host mount point /data they are all identical, and each worker only hosts a single network share
- All of the above running on Proxmox backed by Ceph or ZFS (depending on whether HA is needed for the particular network share)
- Since each SMB share is inside its own container, transferring the entire share to another node / physical server is easily done via the Proxmox migrate function
- The plan for the permission setup was to create two groups for each worker node (hostnameofworker-rw and hostnameofworker-r), grant those groups permissions inside the SMB config and set the permissions on the filesystem of /data via ACLs accordingly
- The SMB config is set up in a way that grants ACL permissions recursively to both of those groups on the entire share
- Then just assign all the client users to those groups to grant them permissions
- This assignment would be done either manually via the controller node or automatically via some of the deployment scripts (when I am adding a new share / worker node, for example)
submitted by /u/Pommes254
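Whether the files are synced or mounted read-only, the thing that actually breaks logins after a copy is the files disagreeing with each other, so a check is worth running on the controller before pushing. The following is an added example, not code from the post or from 45Drives/Cockpit; it assumes standard shadow-utils text formats and the hostname-rw / hostname-r group naming from the plan, and it deliberately leaves Samba's binary passdb.tdb out.

```python
# Added example (not from the post): sanity-check passwd/shadow/group before
# syncing or mounting them read-only on the worker LXCs. Flags what silently
# breaks logins or grants access after a copy: shadow users without a passwd
# entry (and vice versa), duplicate UIDs/GIDs, unknown group members, and
# missing <worker>-rw / <worker>-r groups. Text formats only; samba's
# passdb.tdb is binary (pdbedit/tdbdump territory) and is not covered here.
def parse_colon_file(text):
    """Yield the field list of every non-empty, non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")

def check_auth_files(passwd, shadow, group, workers):
    """Return a sorted list of problems; an empty list means consistent."""
    problems, users, uids = [], set(), {}
    for f in parse_colon_file(passwd):
        name, uid = f[0], f[2]
        users.add(name)
        if uid in uids:
            problems.append(f"duplicate uid {uid}: {uids[uid]} and {name}")
        uids.setdefault(uid, name)
    shadow_names = {f[0] for f in parse_colon_file(shadow)}
    problems += [f"shadow entry {n} has no passwd entry" for n in shadow_names - users]
    problems += [f"user {n} has no shadow entry" for n in users - shadow_names]
    groups, gids = set(), {}
    for f in parse_colon_file(group):
        gname, gid = f[0], f[2]
        groups.add(gname)
        if gid in gids:
            problems.append(f"duplicate gid {gid}: {gids[gid]} and {gname}")
        gids.setdefault(gid, gname)
        for member in filter(None, f[3].split(",")):
            if member not in users:
                problems.append(f"group {gname} lists unknown member {member}")
    # one read-write and one read-only group per worker, as in the plan above
    for w in workers:
        problems += [f"missing group {w}{s}" for s in ("-rw", "-r") if f"{w}{s}" not in groups]
    return sorted(problems)

# Constructed sample files (placeholder hashes, not real credentials)
PASSWD = ("root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
          "bob:x:1001:1001::/home/bob:/bin/bash\ncarol:x:1001:1002::/home/carol:/bin/bash\n")
SHADOW = ("root:*:19000:0:99999:7:::\nalice:$y$PLACEHOLDER:19000:0:99999:7:::\n"
          "bob:$y$PLACEHOLDER:19000:0:99999:7:::\ndave:$y$PLACEHOLDER:19000:0:99999:7:::\n")
GROUP = "media-rw:x:2000:alice\nmedia-r:x:2001:bob,eve\nbackup-rw:x:2002:alice\n"
WORKERS = ["media", "backup"]

if __name__ == "__main__":
    for problem in check_auth_files(PASSWD, SHADOW, GROUP, WORKERS):
        print(problem)
```

Note that /etc/passwd has to travel with shadow and group (or be kept identical by other means), since both of the other files only reference users by name.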