1

Our goal is to set up one file server / print server on a small LAN. To solve file permissions issues and access issues we have encountered, we believe a type of LDAP solution should be part of this. Two of the solutions we are considering are:

  1. Samba 4, which (I believe) includes network file sharing, directory management and printer sharing functions.

  2. NFS + Kerberos + Avahi + CUPS most likely built on a FreeIPA server.

First, are we understanding the alternatives correctly?

Is Samba 4 a good alternative to option 2 (FreeIPA with NFS v4, Kerberos, CUPS, Avahai, etc.) in a local area network consisting of almost entirely Arch Linux clients?

We are looking for a very simple solution for authentication, secure file sharing and printer sharing. Plain Kerberos + LDAP + NFSv4 (without FreeIPA) was recommended, but this seems too complex for us. Hence, the reason we are considering FreeIPA or Samba.

NIS may also be an option (along with NFS, etc.). But NIS is old and not very secure. However, it is simple. Samba 4 also seems simple and it is more secure and more modern.

Is Samba 4 feature competitive (in terms of network file system security and authentication) with a system built around FreeIPA, NFS, LDAP, Kerberos?

The clients will be almost entirely Arch Linux. The server could be Arch if we run Samba 4 or NIS. (We prefer Arch everywhere.) If we use FreeIPA the server would have to be Ubuntu, Red Hat, Fedora or CentOS.

Our company is open to purchasing Red Hat with premium support if we go with FreeIPA. Nobody here knows anything about Red Hat. However, would it be easier to get the Arch Linux clients to work with Samba 4 as the directory service?

So there are two questions:

  1. Is Samba 4 a good alternative to FreeIPA+NFS+LDAP+Kerberos overall?

  2. With all Arch Linux clients, which alternative (FreeIPA-based or Samba 4-based) will have best compatibility and the least headaches?

MountainX
  • 701
  • 2
    The answer is simple: FreeIPA is not in any way a file sharing solution, and neither is NIS (and you absolutely don't want NIS at all for new environments), but FreeIPA makes the LDAP/Kerberos/NFS4 solution much simpler. – Sven Jan 30 '18 at 10:03
  • question has been updated – MountainX Jan 31 '18 at 23:11
  • Samba 4 really offers very little for a Linux shop; it's meant to simulate Active Directory and offer services of interest to Windows computers. FreeIPA is very straightforward; the brevity of its Arch Wiki page attests to that. – Michael Hampton Feb 01 '18 at 01:00
  • @MichaelHampton - Arch Linux cannot be a FreeIPA server, as there is no server package available. As mentioned in my question, if we use FreeIPA the server would need to be Ubuntu, Red Hat, Fedora or CentOS. I'm told that using a FreeIPA server is much easier than using Kerberos on its own, but I would still benefit from a more complete answer to the question, given that I really know almost nothing on this topic. Thanks – MountainX Feb 01 '18 at 01:20
  • That's a good point. If you're an all Arch shop, you probably prefer to have very recent software as soon as possible; that's the usual reason to choose Arch over all other distros. If that's the case, you'd probably be happiest with Fedora as a server as it comes closer than any of the others to having very recent software as soon as possible (though they do hold things back for stability's sake on occasion). I think your question is answerable now so I've reopened it. If I get some more time I'll try to put together a more complete answer. – Michael Hampton Feb 01 '18 at 01:39
  • If you want a single server, and you are thinking of using the Samba 4 in an AD DC role, then that is probably not your solution. Due to limitations present when provisioning the AD DC role, Samba recommends that you not use a Samba domain controller as a file server – Colt Feb 01 '18 at 02:10
  • @Colt - thank you. Very helpful info to know, especially that "running shares with POSIX ACLs on a Samba DC is not supported." Having to set up two servers makes Samba 4 less simple, and simplicity would probably be the main reason we were considering Samba. – MountainX Feb 01 '18 at 02:44

1 Answers1

3

First, let me say that whether you choose Samba4 or FreeIPA, you're setting up a lot of moving parts for "one" file/print server.

You could go with Samba4 as a file/print server, and not a domain controller, and have it keep a local list of users to authenticate against. That's only going to require one VM and a bunch of storage, but it means you lose things like self-service password resets and the like that you would get with an actual domain.

FreeIPA is a full featured identity, policy and audit solution. It doesn't by itself serve files or printers, but it enables file and print services to reside on the domain, authenticate to it, etc. It also manages all the domain joined computers, in your case a bunch of machines running Arch Linux. The complete feature list is extensive, and if you want some or all of those features in addition to file/print services, then FreeIPA is the way to go.

If you go this route, I'd recommend Fedora or RHEL/CentOS as the server base for FreeIPA. It is developed on these platforms and Debian/Ubuntu are a bit secondary. The Red Hat documentation should suffice to get you up and running.

In particular, if you're on Arch because you need very recent software in your environment, you may be happier with Fedora as a server, which tries to do the same. You'll find that many things are similar between them, e.g. anything to do with systemd, and the differences aren't too difficult to work out.

Michael Hampton
  • 247,473
  • Thank you. Good answer and very helpful. However, you raise a question: what is the simplest way to meet our goal? We only need: 1. a single file server with a network file system & authentication that allows us to resolve our internal LAN permissions problems and 2. a standard Avahi + CUPS printer server. Is there a simpler way? FYI, the article that got me interested in FreeIPA is this one indicating that it might not be overkill for our situation: FreeIPA for amateurs: why? https://www.happyassassin.net/2014/09/07/freeipa-for-amateurs-why/ That article makes FreeIPA sound very simple... – MountainX Feb 02 '18 at 00:47
  • Also, one reason we use Arch is that it is a rolling release. We do not necessarily need the latest of every package. But we do not like the non-rolling-release model. We would rather have frequent small doses of pain than the less frequent but much larger doses of pain that we had with every new Ubuntu LTS release. Our other reason for using Arch is that we find it easier to fix issues compared to Ubuntu. – MountainX Feb 02 '18 at 01:16
  • 1
    If all you really need is a small file/print server, you may as well run Samba4 on another Arch box, and forget about all the rest. As for the rolling release nature of Arch, Fedora is not far off from that; many of its packages do track upstream in a rolling manner, and if you really like pain there's always rawhide. – Michael Hampton Feb 02 '18 at 02:47
  • @Michael_Hampton could you elaborate on the option to run Samba4 on another Arch box? I like that idea, but I want to understand it a bit better in the context of this question. With that additional info, I think we'll have a good answer to this question. I appreciate your help so far. P.S. We have been running Arch on our existing file server for 2 years so far and Arch itself has been fine. Better than Ubuntu Server in my opinion. People think Arch on a server is a bad idea, but it has not been for us. It's been great. – MountainX Feb 02 '18 at 05:48
  • You did not mention why to choose one over the other? particularly, why you would not use Samba4 as a DC? I have been using it for a while and it never failed me. I have never used FreeIPA, therefore I am curious what it can do as a DC better than Samba4. – Mohammed Noureldin Sep 07 '21 at 08:15