School network and authentication...


bushtor
03-14-2006, 06:28 AM
Hi,

We have a w2k school network which we plan to migrate over to Linux / samba domain controllers. Each student will have his/her own user account in the DC. In the dorm areas we want to provide internet access only to those who have authenticated against the samba DC.

Can we use a Linux firewall for the dorm area network and somehow require authentication from the domain controllers to gain internet access through the firewall? Users who can not provide a valid login would not gain access to the internet.

If possible we want to keep only *one* authentication for both the classroom network and the dorm area internet access.

Which options do we have? Thanks a lot for hints and tips

best regards

Tor

je_fro
03-14-2006, 07:09 AM
I'm not sure because I've never done anything like that, but it sounds like you're going to need a proxy server like squid: http://www.squid-cache.org/

bushtor
03-15-2006, 03:47 AM
I'm not sure because I've never done anything like that, but it sounds like you're going to need a proxy server like squid: http://www.squid-cache.org/

I thought that squid only 'bothered' with http(s) and ftp traffic. Can squid control access to *any* internet traffic or service?

Another one has suggested authentication via a Radius server. But I have only found a howto on this using a M$ w2003 server. Is there a how-to on implementing a Radius server under linux (ubuntu)?

Thanks again for hints

Tor

dkeav
03-15-2006, 02:25 PM
you can use ldap-auth with squid to control access, you might be able to use some type of ldap_auth module with a firewall or authenticating gateway like authpf

your students really have no use for most inet access outside of the basics, so use your firewall to cut them off from everything, take a brick out of the wall where needed with say an authenticated proxy like squid

be noted that you will probably need a w2k/2k3 master KDC which replicates to your samba machines, at least until samba 4 is released
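The "firewall cuts them off from everything, authenticated squid punches the hole" design above, as an added example that is not from this thread: a script that emits a squid.conf fragment using the squid_ldap_auth helper against the Samba/OpenLDAP directory and the iptables rules that leave the dorm subnet no path but the proxy. All addresses, the interface name, the LDAP base DN and the assumption that the firewall box runs both squid and a DNS resolver are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical layout: dorm LAN
# 10.20.0.0/16 on eth1, firewall + squid + resolver at 10.20.0.1,
# Samba 3 accounts in OpenLDAP at ldap.school.local.
DORM_NET="10.20.0.0/16"; DORM_IF="eth1"; PROXY_IP="10.20.0.1"; PROXY_PORT="3128"
LDAP_HOST="ldap.school.local"; LDAP_BASE="ou=Users,dc=school,dc=local"

# squid.conf fragment: every dorm request must carry credentials that
# squid_ldap_auth (called basic_ldap_auth on Squid 3.2+) binds to LDAP with.
gen_squid_conf() {
    cat <<EOF
# uid=%s is where Samba's LDAP backend keeps the account name.
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -h $LDAP_HOST -b "$LDAP_BASE" -f "(&(objectClass=sambaSamAccount)(uid=%s))"
auth_param basic children 5
auth_param basic realm Dorm internet access
# Re-verify the password every 2 hours so a disabled account stops working soon.
auth_param basic credentialsttl 2 hours
acl dorm src $DORM_NET
acl ldap_users proxy_auth REQUIRED
http_access allow dorm ldap_users
http_access deny all
EOF
}

# iptables rules: nothing from the dorm is forwarded; the only services
# reachable on the firewall itself are the proxy port and DNS.
gen_fw_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A INPUT -i $DORM_IF -s $DORM_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $DORM_IF -s $DORM_NET -d $PROXY_IP -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $DORM_IF -s $DORM_NET -j DROP
EOF
}

# Sanity check before applying: no rule may ACCEPT forwarded dorm traffic,
# and the FORWARD policy must be DROP (the proxy is the only way out).
fw_rules_ok() {
    if gen_fw_rules | grep -q "^iptables -A FORWARD .*-s $DORM_NET.*-j ACCEPT"; then return 1; fi
    gen_fw_rules | grep -q "^iptables -P FORWARD DROP"
}

if [ "$1" = "apply" ]; then
    fw_rules_ok || { echo "refusing: dorm traffic would be forwarded" >&2; exit 1; }
    gen_squid_conf > /etc/squid/dorm-auth.conf && gen_fw_rules | sh
else
    gen_squid_conf; gen_fw_rules   # dry run: print what would be installed
fi
```

Basic proxy auth sends the password to the proxy in the clear, so the dorm LAN should be a switched segment you control and the squid listener should not be reachable from outside it.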

bushtor
03-16-2006, 05:02 AM
be noted that you will probably need a w2k/2k3 master KDC which replicates to your samba machines, at least until samba 4 is released

So I cannot yet do this in a pure linux environment?

I hoped to get rid of Bill$ completely except for a WSUS distribution server :-|


Tor

dkeav
03-16-2006, 11:54 PM
just use a very basic install as a KDC and only a KDC and possibly your wsus server, use your samba boxes for everything else, since that is a very basic requirement just about any hardware can fill that void, so grab an old server or something to setup as your kdc

bushtor
03-17-2006, 04:22 AM
just use a very basic install as a KDC and only a KDC and possibly your wsus server, use your samba boxes for everything else, since that is a very basic requirement just about any hardware can fill that void, so grab an old server or something to setup as your kdc

So you mean just a basic w2003 domain controller with fixed IP and no other exposed service?

Samba3 boxes replicate against this w/o problems..? What if the w2003 box goes down, can a new w2003 server box replicate its user base back from one of the samba boxes to have it up and running immediately? Tips on howtos or info on this issue?

Will it represent a security risk to put wsus in the same box so I have all the Billz stuff in only one box...?

regards

Tor

dkeav
03-17-2006, 11:14 AM
the only replication is your ldap directory, you will have to run openldap with your samba boxes and they must all be configured as slaves that replicate from the master and to each other with slurpd

search google.com/linux for active directory there should be plenty of info

cybertron
03-17-2006, 02:20 PM
Jumping in a little late here, but we use Campus Manager (http://www.bradford-sw.com/product/pindex.htm) to control access to our resnet. It might be a little overkill for what you're trying to do, or it may not even do what you want, I'm not entirely sure. Just something else to look at.

Grathrax
03-19-2006, 01:23 AM
Jumping in a little late here, but we use Campus Manager (http://www.bradford-sw.com/product/pindex.htm) to control access to our resnet. It might be a little overkill for what you're trying to do, or it may not even do what you want, I'm not entirely sure. Just something else to look at.

I'm a student worker for a University IT department (Christopher Newport University) and we use Campus Manager, and I find it to be quite annoying. The program may be useful, but it has a habit of cutting people off for no reason and occasional packet loss.

cybertron
03-19-2006, 02:37 AM
Yeah, I've seen that too. I wish they would work out all the bugs in the system before adding features because it seems like something new breaks every time there's an update. In fact it shut off my port semi-randomly at one point and I had to connect my laptop to the wireless a few doors down to re-enable it.

That said, although we have a number of people here who would like to do terrible things to Campus Manager, I'm not aware of a good alternative that does all the same things. If there is one I'd love to hear about it, although it doesn't matter much to me anymore since I'll be graduating in a couple of months. :)