Windows clients, Windows AD, Samba server
heckle
01-18-2007, 01:10 AM
Before anyone starts yelling about search the threads, this is not a normal samba question, all the other threads I looked at deal with individual domain accounts or workgroups.
I work in a high school. I am looking to setup a samba server for our students to save files/documents to. While this may seem like a straight forward solution, it is not. At least not that I can tell. This comes from my minimal experience/knowledge with linux.
Here is how our network is set up.
- We are on a wired network.
- We are on a Windows AD domain.
- We are using Windows XP as our client OS.
- The students use a common (AD) domain account that is assigned to a specific room (i.e., the library has one username, the computer lab has one username, etc.). That's right. The students do not have their own individual accounts.
So, with that being said, here is what I would like to do.
- Setup a samba server for the students to save documents to.
- Have a separate main directory for each graduating class then have that directory broken down into individual directories for each student.
- Have it setup so they would have to enter a password to access the directory. If they don't have the password, then they cannot see what is in the directory.
- Each graduating class has a "Class Advisor". I would like for this person to have read access to the directories for their "Graduating Class". They may need to burn a cd with the students "work" on it to be used as a "portfolio" showing what the student has done over their 4 year period.
- Setup file/storage quotas.
The simple solution would be to give each student an individual account. But this is not an option! Why not? We have 17 different schools and 6 offsite locations in our system which are spread out across our state (Connecticut). We are a Technical High School system and have a rough total of over 12,000 students. And to support off of this, there are only 9 of us! If we were to give each student an individual account, it would be a full time job just changing passwords that they forget. They swap cycles between academics and trade and spend about 10 days in one before going to the other. So we just do not have the "man power" to support all of those extra accounts.
I am wanting to set this up on a small scale at one of the schools that I maintain. Initially it would be used by around 50 students. If it works with minimal issues, then I would want to slowly increase the number of students using it until I had one entire school using it. Then I would try it in another school and possibly one in each school. If the boss approves it, that is.
So, I would appreciate any suggestions, ideas or help that I can use on getting this setup.
cybertron
01-18-2007, 11:36 AM
I'm no expert on Samba, but just on an abstract level that sounds impossible with your current constraints. I can't think of any way that you could have individual user directories (and access control to them) without having individual user accounts, which brings us back to your problem of supporting them.
It looks to me like if you want to do this and can't handle the user accounts with your current staff, then you need more staff. Not really an answer, I realize, but there's only so much a given number of people can do. Otherwise you could use your smaller test setup you mentioned for a little while and see how much work it actually is supporting user accounts. From my time in tech support we generally didn't have to reset a lot of passwords. It was mostly just people who had been away for a long time and had forgotten. Of course in my situation these passwords were used every day, and it sounds like that might not be the case for you so YMMV.
stumbles
01-18-2007, 11:49 AM
You might try these guys;
http://www.tek-tips.com/threadminder.cfm?pid=865
XiaoKJ
01-18-2007, 12:10 PM
Actually, you can learn from my school's system --- we have individual user accounts, and at a few designated points, people can log in to the system with their IC numbers and just change their passwords.
However, bear in mind that this is as good as no security --- once IC numbers are known, you simply lose everything. Yet, it works because people don't remember long numbers well, and that nothing in the system is really mission-critical.
cybertron
01-18-2007, 12:21 PM
Yeah, although if you control where they can do that it does help some. For ours they had to show us their ID, and then we just punched in their user id and it printed out a new password that they could pick up from our printer. It's not quite as good as having the user do it entirely on their own, but there was minimal tech involvement.
XiaoKJ
01-18-2007, 01:39 PM
Simple alternative: Get an ID scanner, let them scan their ID and add a new password, and off they go --- minimal admin requirement.
dkeav
01-18-2007, 02:14 PM
if you have a database or the likes of your students you could probably write a lil script to import them into your AD, then sort them into groups and whatnot
setting up samba to auth to an AD is not overly difficult; this sounds more like a "didn't plan the network out too well, and need help with AD" problem
heckle
01-18-2007, 03:08 PM
if you have a database or the likes of your students you could probably write a lil script to import them into your AD, then sort them into groups and whatnot
setting up samba to auth to an AD is not overly difficult; this sounds more like a "didn't plan the network out too well, and need help with AD" problem
Not wanting to authenticate through AD. Although I was not part of the initial network layout, it was never intended for students to use with individual accounts.
If I had individual directories on the samba server, I would probably have to create an account for each student on the samba server. This way, each one would have a specific account. And when they connected to the share, they would be required to provide a username/password to access the files. It may sound like double work but, if it was setup this way, then I could assign a teacher or two to manage the accounts on the samba server. This way, the students would not have any account within our AD. It may sound as simple as making the students accounts in our AD but we do not allow teachers access to any admin functions for security/legal reasons.
dkeav
01-18-2007, 05:14 PM
but how do you plan for them to provide a username and password when said username and password doesn't exist? that is the main point
since really the only way to do what you want is to create a username and password somewhere, it only makes any sense at all to create them in your AD, which is an LDAP directory protected by kerberos; now you have a centralized directory with your usernames and passwords available, which from an admin standpoint is super easy to manage and maintain vs trying to keep a static list in a passwd file somewhere spread across possibly multiple machines
i understand what you are asking, and now i'm telling you what it will take. don't like it? reinvent the wheel
heckle
01-18-2007, 07:05 PM
While I agree that it would be easier to have individual AD accounts, it is not a viable option. Why? Let me try to put it simply.
We originally started seven years ago with our own NT domain. We maintained it and it worked. Last year, we moved over to an AD domain. With this move, we do not have total control over everything. We are part of a State system. We work in the Department of Education but most of the final decisions (such as giving students individual accounts) are made by the Department of Information Technology. They will not allow us to add another 12 - 15 thousand user accounts to the system and we cannot convince them to let us. Another example is that I am Cisco certified but our routers are controlled by the Dept of Info Technology.
Now getting back to the username/password issue. Wouldn't I be able to have that information stored on the local server that I am trying to get set up? When they try to connect to the share, it prompts for a username/password. It may be inconvenient for them but at least they would have "protected" storage. Right now, they save to a common share where they all have read/write access and can copy/change anything in the common share structure.
If we could get the accounts added to the AD domain, then the students would just be given individual storage space on our servers like the teachers have.
It almost seems like I am between a rock and a hard place with this.
dkeav
01-18-2007, 07:40 PM
this goes back to being an AD admin issue; you don't have to add it to their AD, you can extend their AD with a local AD server of your own
but if you don't want to spend money for another server license and client access licenses, and you really don't want your directory to have anything to do with your local it idiots, then just set up an openldap directory of your own on some old computer, nothing fancy; it's not overly hard and it's free. you would then have your central auth point, and have an easily maintainable directory for your students
if you had access to say a spreadsheet or database of your students' names you could fill the ldap directory programmatically and also script out the assignment of random passwords
heckle
01-19-2007, 07:07 AM
this goes back to being an AD admin issue; you don't have to add it to their AD, you can extend their AD with a local AD server of your own
but if you don't want to spend money for another server license and client access licenses, and you really don't want your directory to have anything to do with your local it idiots, then just set up an openldap directory of your own on some old computer, nothing fancy; it's not overly hard and it's free. you would then have your central auth point, and have an easily maintainable directory for your students
if you had access to say a spreadsheet or database of your students' names you could fill the ldap directory programmatically and also script out the assignment of random passwords
I have never even looked at OpenLDAP before. How hard is this to set up? I will take a look at this at work today. If I went this route, then they would have to log into a separate (sub) domain, if I understand correctly?
dkeav
01-19-2007, 02:00 PM
no, they wouldn't be logging into a sub domain; their credentials would be stored on the samba server for their access to it, and the samba server would have no knowledge of the AD domain. you can then set up samba to authenticate through LDAP, which, if your smb.conf is configured properly, is going to prompt your users for a username and password, which is checked against the LDAP database
openldap is very easy to install and get running, and there are admin interfaces to make it easier to work with
adding users to your master.passwd would ultimately be the easiest, but what happens next year when everyone is in different classes, and some students leave or graduate? it becomes a real pickle to maintain. i'm not sure if samba supports it, but it may also be able to authenticate against a true database backend like mysql, which would be another option
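To make dkeav's suggestion concrete, here is an smb.conf along those lines: Samba keeping its accounts in a separate OpenLDAP directory rather than in AD, a private per-student directory that is only reachable with the student's own username and password, and a read-only share for the class advisor. This is an added example, not configuration from the thread or from the Samba project; the LDAP host name, the `dc=school,dc=example` suffix, the `advisors2010` group, the 2010 class and the `/srv/students` paths are all assumptions.

```ini
# /etc/samba/smb.conf -- added example; host, suffix, group and paths are assumptions
[global]
   workgroup = STUDENTS            # our own NetBIOS name, not the school's AD domain
   server string = Student file server
   security = user                 # every share access needs a username and password...
   map to guest = Never            # ...and a wrong password gets a retry prompt, not guest access

   # Accounts live in our own OpenLDAP directory, not in AD (ldap.school.example is assumed)
   passdb backend = ldapsam:ldap://ldap.school.example
   ldap suffix = dc=school,dc=example
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap admin dn = cn=samba,dc=school,dc=example   # its password is stored with: smbpasswd -w
   ldap ssl = start tls            # keep the credential checks off the wire in the clear

   # Storage quotas are enforced by the filesystem (Linux user quotas on /srv/students);
   # Samba only reports the remaining quota to the client as free space.

# One private directory per student, selected by the username they type in.
# Each student's directory is created as /srv/students/<class>/<username>.
[homes]
   comment = Student home directory
   browseable = no
   read only = no
   valid users = %S                # %S expands to the username, so only the owner may connect
   create mask = 0640
   directory mask = 0750           # group-readable, so the advisor group can read (see note)

# Read-only view of a whole graduating class for its class advisor.
[class2010]
   comment = Class of 2010 (advisor read access)
   path = /srv/students/2010
   browseable = no
   read only = yes
   valid users = @advisors2010     # LDAP group holding the advisor account(s)
```

Two things this depends on. First, `valid users` only decides who may connect to a share; the Unix permissions on the directory still decide what they can read, so each student directory has to be owned by that student with the advisors group as its group (mode 0750), or carry a POSIX ACL granting the group read access, for the advisor share to work. Second, the prompt dkeav mentions comes from the client: the XP machine first offers the room's AD credentials, which do not exist on this server, so the student is asked for their own username and password instead.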
heckle
01-19-2007, 04:56 PM
I would try to have all of the students grouped by the year they graduate. If everything was stored on the samba server, maintaining the accounts would not be that hard really. Since we are a "technical" high school system, I could have the IST (Information Systems Technology) teacher maintain the accounts on the samba server. Heck, I may even be able to get some of the IST 12th graders to help set it up and test it. Part of their electives is to study Cisco or linux anyway.
Hmmm... More options. Thanks for the help! I will still be doing some research on LDAP though.