A few days ago I got an email from a listener of the show about implementing a server / network setup for his local church. Because it touches on the balance of "letting technology work for you" instead of the other way around I decided to share the mail (and my reply) with you. Thanx to Brent for the permission. (My replies are in bold font.)

Hey Knightwise, you might know me from Twitter as @trucklover; my real
name is Brent.
We’ve talked a few times about various tidbits with Macs and Linux
computers. For the past week I have been following along with your
Ubuntu Server series with my MacBook Pro and a dual CPU 3.2GHz IBM Xeon
desktop machine w/ 2GB of RAM currently. I tried to install Ubuntu
server 64 bit but said it was not supported on the computer. I guess
that in fact the CPUs are 32 bit, yet the computer can have up to 8GB
of RAM installed. That doesn’t make much sense to me because a 32-bit
system can only address 4GB in RAM. Maybe you can clarify that for me
if my logic is incorrect.

, it’s a real marketing thing sometimes. The mainboards have slots that
can carry up to four 2 GB sticks (or the max size they make a memory
stick these days) but those are just the "hardware specs". When it comes
to software there are no "run of the mill" OSes that can go past the 3
gig limit when it comes to RAM.

I am one of the three technically inclined people at my church and I
have been charged with finding a solution to the chaos of the setup
that we have now at the church building. We have around 10 computers
that are all running XP Pro (just had a fresh install about 2 months
ago) or Vista. Four of those computers are for general public use with
the same standard user account and permissions applied to all four.
Over time the passwords get told to everyone and then everyone and
(literally) their mom is on Facebook, MySpace, playing games, etc when
they shouldn’t be on the computers. My suggestion was to have a
dedicated Linux server that would allow any user from any computer in
the church to sign onto the server and have their own user directory at
any location with a specified amount of space that was dedicated to
their home directory.

have 2 questions here: One, you would like to restrict the access to
the computers with passwords without them being "public knowledge", thus
crashing your entire security policy. That is a "policy" issue that no
amount of software security is going to fix. The best way to do this is
to 1: Set out a clear policy: what is a user allowed to do on the
church computer, and what not. Next communicate this policy to your
users. Explain that their user accounts are personal and explain the
repercussions you will impose when such policy is violated.

: You would like to store the location of the files of the users on a
network drive. You can do this with a linux server by simply creating
users on the linux server that also exist on the XP clients, share the
home drives with Samba (see the manual I wrote up on that one) and map
the My Documents folder on the XP machine to that shared directory on
the linux server. This is a process that you’ll have to do manually for
each user on the XP systems. A Windows Domain Controller WITH policies
IS able to push all of this out, but that would cost you a little money
for the licence.

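
A minimal smb.conf for the per-user home shares described in that reply, as an added example that is not from the original mail or from Knightwise's Samba manual. The server name CHURCHFS, the workgroup CHURCH and the 192.168.1.0/24 LAN range are assumptions; each user needs a Unix account (adduser) and a Samba password (smbpasswd -a) matching their XP login.

```ini
; /etc/samba/smb.conf (added example, not from the original mail)
[global]
   workgroup = CHURCH
   netbios name = CHURCHFS
   server string = Church file server
   security = user
   ; Never fall back to a guest account: a leaked "public" password
   ; must not become a way into someone else's home share.
   map to guest = Never
   ; Only answer clients on the church LAN (constructed subnet).
   hosts allow = 192.168.1.0/24 127.0.0.1
   hosts deny = 0.0.0.0/0

[homes]
   comment = Personal files (mapped as My Documents on the XP clients)
   browseable = no
   writable = yes
   ; %S is the share name, which for [homes] is the user's own login,
   ; so only that user may open the share.
   valid users = %S
   create mask = 0600
   directory mask = 0700
```

On each XP client the manual step from the reply is then: map a drive letter to \\CHURCHFS\<username> (for example `net use H: \\CHURCHFS\brent`) and point the My Documents target at that drive.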
We need a solution that will allow more privileges to certain users and
limited privileges to others, for example: never allow anyone that is
not on church staff or leaders the ability to Facebook or MySpace or
even the ability to log onto a computer during specified times certain
days of the week. I knew that this was possible but wasn’t sure how to
go about it.

networking question where you ‘tie in’ user accounts to access control.
There you are looking at a Linux firewall solution (some of them built
into linux and configurable via the webmin interface) or others like
"Astaro" will be able to help you out there. They allow you to block or
allow certain websites. The trick is connecting this up with their user
accounts. You can do this via LDAP authentication. (The simplest way
is to set up the ‘firewall / content filter’ on the same server as your
fileserver; that way LDAP authentication is not that hard to implement.)
On the linux machine you CAN say when which users can login to the
network at what hours.
"Controlling content" (like blocking out facebook etc) is a lot harder
than it looks; you would be amazed at how inventive people get to get
to the sites where they want to be.

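
One way to realise the "which users can login at what hours" part on the Linux box itself, using pam_time, which also covers the Samba home shares; this is an added example, not from the original mail. The staff account names brent and pastor and the Sunday/Wednesday hours are assumptions.

```text
# /etc/security/time.conf (added example, not from the original mail).
# Each rule is:  services ; ttys ; users ; times
#   days  : Mo Tu We Th Fr Sa Su, Wk = weekdays, Wd = weekend, Al = all
#   times : HHMM-HHMM, several ranges joined with |
#   '!' negates an entry, '&' and '|' combine entries.
# An account matched by a rule is only let in during the listed times;
# an account matched by no rule is unaffected.

# brent and pastor are the assumed staff accounts. They are excluded
# from the rules below, so they may log in at any time. Everyone else
# only gets in around services: Sunday and Wednesday 08:00-22:00
# (constructed hours), both at the console and via Samba.
login ; * ; !brent & !pastor ; Su0800-2200 | We0800-2200
samba ; * ; !brent & !pastor ; Su0800-2200 | We0800-2200

# /etc/pam.d/common-account: apply the rules above to every PAM service
# on the box (login, samba, ...). Add this line:
account required pam_time.so

# /etc/samba/smb.conf, in [global]: make Samba honour PAM account rules,
# otherwise the "samba" rule above is never consulted.
obey pam restrictions = yes
```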
I began to dive deeper into some of your screencasts that I haven’t
watched yet only to find screencasts that cover the download, setup,
installation of Ubuntu Server and Webmin (which is freakin sweet by
the way) and so on. I am learning more about LDAP, and Domain
Controller’s. This is the solution that I think our church needs as we
grow in size. We have on average 130 people for services on both
Sundays and Wednesdays so that means that we would need at least 75
user accounts added to the PDC. I want to keep all user directories
and files on the server instead of on the wired client machines. This
solution will be much easier to manage and backup when we go server
side administration instead of client side. So I say all of that to
say this… can you expand on the Ubuntu server and Webmin series to
show the Windows, Linux, and Mac tech geeks around the world how we can
do just that?

really sure I can take the contents of the screencasts THAT far because
quite frankly I don’t have that expertise to do that. I will however do
a simple videocast about setting up samba and stuff. The questions you
have are in the area of using a Linux server as a windows domain
controller. That’s kinda hard ground to plow through (been there
myself) because the "interaction" with your workstations (xp) is not
"open source": Linux engineers have to ‘reverse engineer’ how to talk
to (and modify) those XP workstations. And with Vista and 7 coming
around the bend, that might just change all over again. Microsoft
continuously modifies how their clients talk to the windows servers and
the linux guyz just have to keep up. Moving files to the home
directories of the clients is not really a problem, but implementing
"active directory policies" from a linux server onto XP machines is on
the verge of impossible due to the closed source nature of the Windows
Kernel.

as easy as Webmin makes it to configure a Linux server, there is still
a lot in there that I don’t know how to do. I need the ability as well
as the other 3-4 computer admin folks to ssh or VNC into the Linux
server from home to manage or add new user accounts despite having a
dynamic public IP address at our church. I have created a DynDNS
account but am unsure how to put the server on the network & be
able to access it no matter where I am. I know I will have to do some
port forwarding to the static IP of the machine. I have begun to add
Samba user accounts as the server sits on my personal home network.

the screencasts I also posted a link to the SYSTEM website where they
give a clear explanation about this. What you need to do is make sure
the linux system has a static IP and has the openssh server installed.
Next configure your router to use the DYNDNS protocol (if it is able to
do this) OR install DDCLIENT on your linux system. Either of these ways
will make sure that your dynamic dyndns hostname is tied to your (ever
changing) dynamic IP. Next configure your router to forward EXTERNAL
port 2222 to INTERNAL PORT 22 on the IP of your linux system. Then
connect (from the outside) with putty (using port 2222) and you’ll be
able to get hooked up.

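
The Linux-side pieces of that recipe, as an added example that is not from the original mail or the SYSTEM write-up: a static address, ddclient keeping the DynDNS name current, and an sshd_config that only lets the handful of admins in through the forwarded port. The host name church.dyndns.org, the 192.168.1.x addresses and the admin user names are placeholders.

```text
# /etc/network/interfaces (Ubuntu of that era): give the server a fixed
# LAN address so the router's port forward always hits the same box.
auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1

# /etc/ddclient.conf: re-check the public IP every 5 minutes and push it
# to the DynDNS host name. Credentials are placeholders.
daemon=300
protocol=dyndns2
use=web, web=checkip.dyndns.org
server=members.dyndns.org
login=YOUR_DYNDNS_LOGIN
password='YOUR_DYNDNS_PASSWORD'
church.dyndns.org

# /etc/ssh/sshd_config: the router maps external 2222 to this port 22.
Port 22
PermitRootLogin no
# Only the 3-4 church admins (placeholder names) get a shell from
# outside; file-server users have Samba, not SSH.
AllowUsers brent admin2 admin3 admin4
# With a port open to the whole internet, a guessable password is the
# weakest link: keys only, and few tries per connection.
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
```

Each admin generates a key pair with PuTTYgen and pastes the public key into ~/.ssh/authorized_keys on the server before PasswordAuthentication is switched off, then connects from outside with `putty -ssh -P 2222 brent@church.dyndns.org`.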
I think I’m almost to the point where I can bring the computer back to
the church and get it up and running there. Currently the server is
running off of a 40GB IDE drive. If I plug another hard drive into it,
the computer becomes unresponsive and I have to force shutdown the
machine (SSH doesn’t even respond). The church has 15 SCSI 10k rpm
drives that I want to use in a RAID 5 setup. All the server desktop
machines have the cables for skuzzy drive use, up to 6 drives per
computer. I’d also like to add a second Domain Controller for load
balancing if need be.

balancing with a second PDC for 130 users is hardly a necessity; the
only reason why you might want to go there is for redundancy.

would suggest giving the workstations a very small harddrive capacity
and pump all of your drives into the server. You have to make sure the
raid card is supported by linux AND make sure that you can still BUY
the scsi drives you use. IF one or two drives fail and you can’t buy any
new ones of the same brand and type.. your entire raid setup is lost.
Again: Backing up the data to an external (usb) drive and taking it
offsite is also a valuable backup solution.

are a media savvy church and we will have several users streaming
stored video and audio files to and from the server to their desktop
machines for saving, viewing, listening, editing, etc. We have 6
identical machines so even having a BDC would be nice if you think that
would be a good setup. I have tinkered with those drives and have had
absolutely no luck with the system even recognizing them when the
computer was running Linux Mint & OpenSUSE earlier this week. I’d
really like to make use of those super fast drives but at a complete
loss on how to do so. I’ve looked into mdadm for the RAID setup but got
kinda lost in all of that. Apple’s Disk Utility makes it super easy to
configure a striped or mirrored RAID array. I speak from experience
having a dual 1.5TB array in my PowerMac G5 (5 HDD’s total: 1.5TB for
the Macintosh HD & 1.5TB for Time Machine-which I don’t use
anymore. I’m a huge Crashplan advocate now). None of my Linux savvy
friends have ever messed with skuzzy drives before. It seems as though
that technology was all before our time, I’m only 25 and I’ve learned
and done all of this in less than a few days in my spare time.

main thing you have to think about here is "cost of ownership". The
mistake some geeks make is to implement technology "because they can".
While, from a learning perspective, that is a great idea, it’s not
always what the ‘customer’ wants. Therefore it’s very important to list
up the actual needs of the ‘customer’ to the technological solution you
provide them. When you make the technological answer to the demand too
complicated you might end up with a larger financial cost than the
customer is willing to spend (you buy a pro firewall to solve the
facebook problem) OR you end up with a situation that is
technologically too complex for the customer.

golden advice here is: Let technology work for you. Round up the
‘questions’ from your customers and come up with a technological
answer. That answer CAN be linux, but in some cases it’s not always
linux. With linux you can do anything, that is true. But some of those
things take a lot of time and energy to learn AND maintain them in a
production environment. What I’m saying is: Don’t construct a
technological equivalent of ‘Devastator from Transformers 2’ only to
come to the point you spend a lot of time maintaining it in a
‘production’ environment. If I listen to your question carefully my
advice would be the following.

controller). Additionally you can set up a linux fileserver ALONGSIDE
the windows machine to handle files, printers etc. Hereby deferring the
task that is best suited FOR either OS TO either OS. Hooking up a Linux
server to a windows domain (for samba authentication) is simpler than
trying to make a windows PDC out of a linux machine.
For easy user authentication and policy distribution in a windows
network? Use a windows server. It will cost but it will save you a lot
of time. If cost is an issue,
explain to the customer that going towards the linux solution might
save them in cost, but will also mean sacrificing
some functionality. AND that you need to build up expertise and
experience in this field. This might have an impact on the production
environment you are rolling out: Inform the client about this so he
can either cut down on functionality or accept your ‘learning curve’.

Even with managed content filters that receive updates daily it’s still
possible to slip by the ‘guards’ to the occasional pornsite. Content
filtering always means loss of content (good and bad). A good user
policy tied in with some ‘social control’, where people use the computer
in a public place and can be ‘seen’ by peers, is a very good
deterrent. Also inform your users WHY you need to block certain sites
and inform them you might be logging their traffic.

I know that’s a lot of info but I wanted to tell you the environment
for this project and how much help your info and advice is to people
all over the world. I’ve converted 3 people to Linux so far after
listening to your "Switching your family and friends to linux" episode.
I am using the KWTV content as well as recommending it to the other
computer minded folks at church so they can replicate it & learn in
a virtual machine similar to what I have already done on a real server.
I’m in the middle of getting this project finished. I just need a
little help with the rest of it. I think you can understand what we
need and how much is left to do for the environment that I have

great to hear 🙂 Moving people towards a Linux desktop solution does
save you hours of support as a result. I’ve also switched 3 more people
towards an Ubuntu Desktop and when they have their firefox and can chat
via pidgin, they are mostly pretty happy with the OS they have and
don’t want to switch back because linux is ‘so darn safe’. So good on ya.

is it in the pipeline of the server series to include how to set up a
domain controller for a family or small business? I think the topic
would be quite useful as today’s families are having more than one
computer and having a central domain controller server that can be
accessed from any computer and from any OS is a handy little thing to
have. It falls in the category of ‘letting technology work for you’.
I’m glad @podfeet had you on her podcast a few months back. I love
listening to her show, she’s funny and fun to listen to. Through her
podcast she was able to get you more listeners to your podcast. You
have (or will soon) enrich the computing lives of well over 150 people
because of the information that you give back to the community, for
that I am grateful and will dutifully recommend your website &
podcasts to other like-minded folks like you and I. The same goes for
Allison too. 😉 Gotta give some credit where credit is due.

for your compliments 🙂 It’s great to hear from listeners how they enjoy
the shows and I never stop blushing when I read such praise. I love to
do the Knightcasts and KWTV episodes to ‘preach the gospel’ of linux
(no pun intended) because it is so versatile and I can do a lot of cool
things with it without cost. I might do a video about the ‘feisty for
the family’ series where I’ll go a little deeper into setting up
printers and such, but building a "domain controller" (which is a
purely windows term) might be out of scope for my series. The only
reason why you might need the "domain controller" is if you decide to
work with (and manage) windows workstations. You might ask yourself
(and the church) the question: Do we still need these windows machines?
Would it not be more cost effective to switch to linux machines (that
the users can no longer frack-up by installing stuff etc)?

final advice when I see people rushing into Linux solutions comes from
personal experience. The answer to the question ‘CAN LINUX DO this and
that?’ is mostly YES, linux CAN do just about anything (and even for
free). The question you have to ask is "can I do this and that" and
"can I MAINTAIN this and that". It’s true, you can set up a complete
"variant" to a windows PDC controller using LDAP and stuff. But the
question is: How much time will it take you to really learn the
technology AND to maintain it. When having to plow through heaps of dox
and spend hours tinkering and fixing in a production environment to
set up your linux machine as a software router.. It might be a better
idea to just "buy" a cheap hardware router. So don’t get caught in a
situation where you have to ‘work’ to keep your technology going.

hope I’ve given you some pointers, if you need more info you can
contact me anytime (my name is "knightwise" on skype). I was wondering
if I could post our little email to my website because it is a
wonderful example of how you can let technology work for you, and what
hurdles one might run into?