3.2. Dissection and Discussion
Many of the conclusions you draw here are obvious. Some requirements are not very clear or may simply be your means of drawing the most out of Samba-3. Much can be done more simply than you will demonstrate here, but keep in mind that the network must scale to at least 500 users. This means that some functionality will be overdesigned for the current 130-user environment.
3.2.1. Technical Issues
In this exercise we use a 24-bit subnet mask for the two local networks. This, of course, limits our network to a maximum of 253 usable IP addresses. The network address range chosen is one assigned by RFC1918 for private networks. When the number of users on the network begins to approach the limit of usable addresses, it is a good idea to switch to a network address specified in RFC1918 in the 172.16.0.0/16 range. This is done in subsequent chapters.
The high growth rates projected are a good reason to use the tdbsam passdb backend. The use of smbpasswd for the backend may result in performance problems. The tdbsam passdb backend offers features that are not available with the older, flat ASCII-based smbpasswd database.
The proposed network design uses a single server to act as an Internet services host for electronic mail, Web serving, remote administrative access via SSH, Samba-based file and print services. This design is often chosen by sites that feel they cannot afford or justify the cost or overhead of having separate servers. It must be realized that if security of this type of server should ever be violated (compromised), the whole network and all data is at risk. Many sites continue to choose this type of solution; therefore, this chapter provides detailed coverage of key implementation aspects.
Samba will be configured to specifically not operate on the Ethernet interface that is directly connected to the Internet.
You know that your ISP is providing full firewall services, but you cannot rely on that. Always assume that human error will occur, so be prepared by using Linux firewall facilities based on iptables to effect NAT. Block all incoming traffic except to permitted well-known ports. You must also allow incoming packets to establish outgoing connections. You will permit all internal outgoing requests.
The configuration of Web serving, Web proxy services, electronic mail, and the details of generic antivirus handling are beyond the scope of this book and therefore are not covered except insofar as this affects Samba-3.
Notebook computers are configured to use a network login when in the office and a local account to log in while away from the office. Users store all work done in transit (away from the office) by using a local share for work files. Standard procedures dictate that on completion of the work that necessitates mobile file access, all work files are moved back to secure storage on the office server. Staff is instructed to not carry on any company notebook computer any files that are not absolutely required. This is a preventative measure to protect client information as well as private business records.
All applications are served from the central server from a share called apps. Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network (or administrative) installation. Accounting and financial management software can also be run only from the central application server. Notebook users are provided with locally installed applications on a need-to-have basis only.
The introduction of roaming profiles support means that users can move between desktop computer systems without constraint while retaining full access to their data. The desktop travels with them as they move.
The DNS server implementation must now address both internal and external needs. You forward DNS lookups to your ISP-provided server as well as the abmas.us external secondary DNS server.
Compared with the DHCP server configuration in Chapter 2, "Small Office Networking", Example 2.3.2, the configuration used in this example has to deal with the presence of an Internet connection. The scope set for it ensures that no DHCP services will be offered on the external connection. All printers are configured as DHCP clients so that the DHCP server assigns the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic DNS (DDNS) operation.
This is the first implementation that depends on a correctly functioning DNS server. Comprehensive steps are included to provide for a fully functioning DNS server that also is enabled for DDNS operation. This means that DHCP clients can be autoregistered with the DNS server.
You are taking the opportunity to manually set the netbios name of the Samba server to a name other than what will be automatically resolved. You are doing this to ensure that the machine has the same NetBIOS name on both network segments.
As in the previous network configuration, printing in this network configuration uses direct raw printing (i.e., no smart printing and no print driver autodownload to Windows clients). Printer drivers are installed on the Windows client manually. This is not a problem because Christine is to install and configure one single workstation and then clone that configuration, using Norton Ghost, to all workstations. Each machine is identical, so this should pose no problem.
220.127.116.11 Hardware Requirements
This server runs a considerable number of services. From similarly configured Linux installations, the approximate calculated memory requirements are as shown in Example 3.2.1.
You should add a safety margin of at least 50% to these estimates. The minimum system memory recommended for initial startup 1 GB, but to permit the system to scale to 500 users, it makes sense to provision the machine with 4 GB memory. An initial configuration with only 1 GB memory would lead to early performance complaints as the system load builds up. Given the low cost of memory, it does not make sense to compromise in this area.
Aggregate input/output loads should be considered for sizing network configuration as well as disk subsystems. For network bandwidth calculations, one would typically use an estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec) would deliver below acceptable capacity for the initial user load. It is therefore a good idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T switched ports.
Example 3.2.1. Estimation of Memory Requirements
Application Memory per User 130 Users 500 Users Name (MBytes) Total MBytes Total MBytes ----------- --------------- ------------ ------------ DHCP 2.5 3 3 DNS 16.0 16 16 Samba (nmbd) 16.0 16 16 Samba (winbind) 16.0 16 16 Samba (smbd) 4.0 520 2000 Apache 10.0 (20 User) 200 200 CUPS 3.5 16 32 Basic OS 256.0 256 256 -------------- -------------- Total: 1043 MBytes 2539 MBytes -------------- --------------
Considering the choice of 1 Gb Ethernet interfaces for the two local network segments, the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O demand that would require a fast disk storage I/O capability. Peak disk throughput is limited by the disk subsystem chosen. It is desirable to provide the maximum I/O bandwidth affordable. If a low-cost solution must be chosen, 3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec). Alternative SCSI-based hardware RAID controllers should also be considered. Alternately, it makes sense to purchase well-known, branded hardware that has appropriate performance specifications. As a minimum, one should attempt to provide a disk subsystem that can deliver I/O rates of at least 100 MB/sec.
Disk storage requirements may be calculated as shown in Example 3.2.2.
The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5 with two hot spare drives would require an 8-drive by 200 GB capacity per drive array.
3.2.2. Political Issues
Your industry is coming under increasing accountability pressures. Increased paranoia is necessary so you can demonstrate that you have acted with due diligence. You must not trust your Internet connection.
Apart from permitting more efficient management of business applications through use of an application server, your primary reason for the decision to implement this is that it gives you greater control over software licensing.
You are well aware that the current configuration results in some performance issues as the size of the desktop profile grows. Given that users use Microsoft Outlook Express, you know that the storage implications of the .PST file is something that needs to be addressed later.
Example 3.2.2. Estimation of Disk Storage Requirements
Corporate Data: 100 MBytes/user per year Email Storage: 500 MBytes/user per year Applications: 5000 MBytes Safety Buffer: At least 50% Given 500 Users and 2 years: ----------------------------- Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes Applications: 5000 MBytes = 5 GBytes ---------------------------- Total: 605 GBytes Add 50% buffer 303 GBytes Recommended Storage: 908 GBytes