Linux Business

Large Scale Deployment of Linux for File/Print Services?

sgtrock asks: "I was approached this week by a manager of the server support group at my company. He says he and his boss are trying to figure out what should host our file and print services for the company (read, replace Netware). He asked me if I thought it would be feasible to do on Linux servers. Now, I was more than pleasantly surprised by the question, because as late as last fall I couldn't get this guy to take Linux seriously for companies our size. However, recent stories about Microsoft plus some of their actions here have really soured him on the idea of moving to Win2k services where he doesn't have to. I told him that in theory we could do it: LDAP authentication to our existing NDS on the back end, Samba file service and either LPR/LPD or CUPS based printing. The big open question mark for me is archiving. He then asked me if I knew of anyone already doing it." I'm sure there are shops out there that are using Linux as such. If you are, please raise your hand! Numbers on the size of the network and how well the system has been holding up would be appreciated.

"This is a pretty conservative company. We HATE to be first if we can avoid it. Every time we are we pay in much pain and sweat. So, I'd like to know the following: Does anyone know of or can point to success stories for this kind of application in very large environments? Mind you, I'm talking about tens of thousands of desktops, as we have 60,000 users. University stories will be looked at with skepticism by this management team. I'll read the stories, but they probably won't be given much credence by anyone else. Thanks for your time."

  • I am the Network Coordinator for my company. When I first started working here my boss was very committed to Windows. But now that he has seen everything that has been going on with Microsoft, he is starting to listen to me about Linux. We are currently getting ready to place a print server that will allow three machine printing access. We are also looking into a new mail server. And we have a new Webserver that is Linux. I am very pleased that my boss has decided to let me use Linux in the office. For 2 reasons: 1. it is very stable and it doesn't require a lot of maintenance. 2. it is very secure. That's my 2 cents.
  • Well cisco does it. (Score:2, Interesting)

    by j.e.hahn ( 1014 )
    Back a few years ago there was a pretty famous article detailing how an admin at Cisco had implemented samba as the print infrastructure at all of cisco (and detailed some of the advantages and problems to it, as well as the problems inherent in the SMB protocol.)

    Apparently it worked really well. You might want to try googling around for it. It's a pretty good read, but I can't remember who published it. I'm fairly certain it was one of the Linux only webzines though.
    • Actually, I thought they were all lpd, and all of that was done by a guy named Ben Woodard, who left cisco to work at VA Linux Systems working on the HP printing stuff for VA. Of course, I could be wrong, but I'm pretty sure that's the case.
      • No it wasn't all done by Ben, a good portion was done by Damian as well. See the sourceforge page for further details.

        We still use CEPS at Cisco-- it ain't going anywhere as it just ROCKS! The ceps boxes do a bunch of smart things, including kickstarts over the net (handy so you can just have a field sales office pop in a floppy to install a new print server), as well as include a recovery partition.
        A *very* well put together system, to say the least.
    • I thought it was a Linux Journal article.
      After a second of Googling, I came up with this: http://ceps.sourceforge.net/index.shtml [sourceforge.net]
      A project based on the work that was done.
  • by Dunkirk ( 238653 )
    they don't already use Postscript. Don't leave home without it when it comes to printing with any sort of *nix.
  • me! me! me! (Score:3, Informative)

    by Zurk ( 37028 ) <zurktech@gmail . c om> on Friday January 11, 2002 @10:26AM (#2823026) Journal
    been there done that. i used LDAP with kerberos and LPR/LPD (& CUPS which we finally moved to but we started with lpr/lpd for its simplicity...i recommend doing the same) on 15 print servers for 15,000 students. solution is working well after 1.5 yrs...15 print servers deployed which handle the load quite well. print servers have web based admin (lpr called by a cgi--not very secure but the print servers have CDROM based boot and no remote access stuff other than lpr/lpd so rooting em doesn't get anyone anything..no compiler and minimal debian distros on em). archiving print jobs is handled by a copy to an AFS server and the cron jobs clear the spooled files from the RAM drive every 24 hrs after doing the AFS copy.
    • A little off-topic, but many people in this story have written comments about authenticating their print server against "LDAP". All I know about LDAP is that it's a "Lightweight Directory Access Protocol".

      What are people using for LDAP server software? Are there any Free solutions with graphical management tools? What platforms are available?

      Thanks in advance
      • OpenLDAP [openldap.org] is Open Source, but no graphical admin tools out of the box. It's really good for getting your feet wet. There's little difficulty starting your project in OpenLDAP and then migrating the data to another Directory server if you grow out of OpenLDAP's capabilities. God bless real standards.

        See this earlier Ask Slashdot article [slashdot.org] for information on suitable GUI clients for Linux / OpenLDAP.

        Also, I like iPlanet's directory server. It's free for some quantity of users and has a nice Java GUI admin tool. This is my choice for a grown-up, enterprise directory server.
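The web admin front end in Zurk's comment above calls lpr from a CGI and is described there as "not very secure". As an added example (not code from that deployment or from anyone in the thread), this sketch shows one way such a CGI could hand form fields to lpr without a shell; the queue names, limits and the `/usr/bin/lpr` path are assumptions.

```python
import re
import subprocess

LPR = "/usr/bin/lpr"                               # assumed install path
ALLOWED_QUEUES = {"lab-a", "lab-b", "library-1"}   # constructed queue names
MAX_COPIES = 20                                    # assumed site limit
MAX_TITLE = 64                                     # assumed title length cap


class BadRequest(ValueError):
    """A form field failed validation; the CGI should answer HTTP 400."""


def clean_title(title):
    """Job titles reach banner pages and logs: keep printable ASCII only."""
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in title)[:MAX_TITLE]


def build_lpr_argv(queue, copies="1", title=""):
    """Map untrusted form fields to an lpr argument vector.

    The risky pattern is interpolating fields into a shell string, e.g.
    os.system("lpr -P" + queue), where shell metacharacters in `queue`
    become commands. Here every field is validated and passed as its own
    argv element, so no shell ever parses it.
    """
    if queue not in ALLOWED_QUEUES:
        raise BadRequest("unknown queue")
    if not re.fullmatch(r"[0-9]{1,3}", copies):
        raise BadRequest("copies must be a small integer")
    n = int(copies)
    if not 1 <= n <= MAX_COPIES:
        raise BadRequest("copies out of range")
    argv = [LPR, "-P", queue, "-#%d" % n]
    title = clean_title(title)
    if title:
        argv += ["-J", title]
    return argv


def submit(data, queue, copies="1", title=""):
    """Send `data` (bytes) to lpr on stdin; no file name comes from the form."""
    argv = build_lpr_argv(queue, copies, title)
    return subprocess.run(argv, input=data, check=True, timeout=30,
                          env={"PATH": "/usr/bin:/bin"}).returncode
```

The allow-list does the real work: a queue name that is not already configured on the server is rejected before any process is started.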

  • I run 6 SAMBA boxes in an NT network, and they all authenticate back to PDC and BDC boxes. The SAMBA technical lists indicate that authenticating back to an LDAP backend such as NDS is mature.
    I have one "large" (150Gb storage) box that the other units trickle back to via rsync on 15 minute crons for backup, and a meagre 30Gb of archived files which barely fit on my 40Gb Tape backup unit. Check with the manufacturers for a supported hardware combination for your archive unit. I use HP, but they seem to be getting worse at support. IBM, for all their advertising, are probably just fine, or you could use an independent vendor. I don't recommend DELL. You will have to rsync via ssh the passwd and group files, and these will have to be generated independent from the NDS backend, or you can use "bad user" mapping, or even guest if you want.
    I have had nothing but grief with LPR, then LPRNG, all due to bugs. Currently LPRNG hangs with many print jobs, and I have confirmed that this is a bug, but there isn't an updated RPM yet. Printing support for W2K/NT clients in Samba 2.2.2 changed dramatically, if you have only 9x clients, you should be fine, otherwise take some time to set up your "shares" and do stress testing. You may find you need to manually compile your printing engine, so you can rapidly update it. Some have suggested CUPS, I'll try that next.
    • The SAMBA technical lists indicate that authenticating back to an LDAP backend such as NDS is mature.

      I assume you actually mean immature. In any case, if you use PAM, there's no reason you really need Samba to have LDAP built-in. LDAP + nsswitch + /etc/pam.d files should work for all services (telnet, samba, ssh, etc).

  • by uslinux.net ( 152591 ) on Friday January 11, 2002 @10:40AM (#2823077) Homepage
    I used to work at a now bankrupt wireless telecom company headquartered in NYC. We had a project to replace the NT 4.0 file and print server with Linux + Samba & LPRng. In general, it works, and LDAP would probably be a major help (since you otherwise need a parallel NIS, kerberos, or winbind+NT domain to do authentication and user management). Performance is there, compatibility is there, and cost savings is there.

    Our biggest issues were with printing - LPR just plain sucks. At the time, CUPS was still very new, so we used LPRng. I ended up writing a GUI front end for printer management (since printtool didn't work well, and editing printcap files by hand was unacceptable). The final "problem" was quotas - the NT admins were used to setting directory level quotas, while Linux/Unix uses partition level quotas. Simply put, we had to split /home and /shared while they were used to having just one partition. Quota management under Linux just isn't the same as NT (for better or worse), and you need to remember things like "if a user & group quota affect a directory, the MOST restrictive affects the user" (which is why you need to make two partitions).

    With newer kernels, this is a more reasonable project. Linux really is "enterprise-ready" now (I hate that term). Previously, things like a journaled filesystem were missing, which was a big gripe with the NT guys (when a system goes down, it takes a long time to scan 100 GB of data!). Also, newer kernels support more than 32000 users and groups (usefulness depends on your company size).

    Finally, make sure you consider backup systems, how the systems would be administered, etc. It's a big project, but manageable if your company is really interested.

    If you need some fodder for the fight to help convince management that this will save a LOT of money, check out this business case [uslinux.net]. You might also be interested in this deployment plan [uslinux.net]. Infrastructures.org [infrastructures.org] also has a number of useful (must read) documents. Finally, you may want some help designing the architecture, and making sure you've found any issues. Find someone who has done this before (shameless plug: US Linux Networks [uslinux.net]) and have them at least work through some of the major points to make sure you've got everything covered - the cost for a few days of requirements, architecture, and design may save you a lot of wasted effort.

  • by pwagland ( 472537 ) on Friday January 11, 2002 @10:46AM (#2823102) Journal
    Hi there,

    OK, we are not a big company, so your "bigwigs" won't care too much for this story, but...

    We are using Samba and cups to provide all of our file/print services, and they are both authenticating back to LDAP. Here [www.unav.es] is the best source that I have found so far for samba and LDAP integration. It works very nicely, and with Samba 2.2 you can even do automatic NT/2000 printer driver installation [linuxbe.org] as well.

    For backup we use a Tivoli storage manager, which has native linux [tivoli.com] support, and so far has proved to be pretty reliable. We also run this thing in a very heterogenous environment (Linux, AIX, Solaris, NT and 2000!) with very few problems.

  • by sphealey ( 2855 ) on Friday January 11, 2002 @10:48AM (#2823113)
    And the business justification for replacing Netware is...? Particularly on the printing side, if the system is used by non-technical people? I have rarely seen a solid (read "cost justified") business case for replacing Netware in a large corporate environment. Usually it boils down to "we want to go Microsoft", and since that's not an issue for you, why are you doing this?

    sPh

    • You nailed it, sorta. The management team is looking to reduce the number of OSes/environments that we're currently supporting. We know we need OS/390, a couple of Unix flavors, and NT. OS/2 is DEFINITELY on the chopping block. Netware is regarded as vulnerable.

      However, there's a strong technical contingent that loves eDirectory for all the right reasons, and is interested in Netware 6 (no Netware client required). However, no one that I've talked to that understands the company's infrastructure believes that we will be running native Netware servers in a few years.

      Soooo, what's our alternative? I thought that the move to Win2k was a slam dunk until this guy stopped me in the hallway. This looks like a possible win for open source in a company that has historically avoided it. Who am I to turn away from the opportunity?
  • Cisco in 1998 was managing 50 print servers and about 1600 printers world-wide. About 10,000 Unix and Windows clients.

    Linux Journal Article [linuxjournal.com]

  • This sort of "Let's have some Linux deployment stories" story comes up quite often (in fact, it gets sort of boring). Each time it gets some good answers, but I'm sure it would be nice for those looking for justification if they had all the business cases together... And sortable.

    People could say, "I've found hundreds of stories about companies our size. In fact, Joe Company down the road did it, and so did..."

    -
  • Printing system (Score:2, Interesting)

    by dago ( 25724 )
    Cisco has internally developed their printing tools and can apply to other (large) enterprise system.

    http://ceps.sourceforge.net/index.shtml

    and they work great under every OS ...
  • We have Samba running on DGUX and HP-UX boxen for moving critical data, particularly stuff destined for our old ISAM database structure. We don't do a lot of fancy stuff (only basic user-authenticated shares), but we never have downtime issues.

    Not only that, but Samba runs flawlessly on the two machines that are absolutely critical to our enterprise. I'd never be able to do that with NT (apps on one, file services on the other if the apps are business-critical).

    And, speaking as a fairly senior NT guy, the biggest reason for the positive uptime is the underlying OS. As long as NT is tied so tightly to a display subsystem, uptime will suffer. That has improved in Win2k, but an enhancement of a "broken" philosophy isn't as good as a better philosophy.

    Ironically, we do use NT-based machines for general file services, though that is not considered business-critical at my company. However, we have it on our project list to move that (as well as domain control and WINS) to Samba/CIFS (CIFS is cool if you are an HP-UX shop since you can purchase commercial support from a company easily recognized by your executive-types).
  • I work at a fairly large manufacturing company. We have 17 plants across the US and Canada, some of them over 200,000 square feet. A little over two years ago we needed a system to distribute print jobs from our corporate office to all of our plants. Our (fairly new) ERP system generates reports, pick sheets, order specifications, shipping labels, bar code labels, and so on, and it is CRITICAL that we have a reliable system to print these jobs at our plants. Product doesn't get shipped if there's a failure in this system.

    We have a 56K or 128K frame relay connection to each plant, and a Linux print server in each plant. At the time, CUPS was still brand-new, and plain lpr pretty much sucks, so we used LPRng. It's quite a bit more complex, but is rock-solid. Because the stability of Frame connections doesn't meet our uptime requirements, we had to come up with something to get the print jobs done if there was a failure. We generally have a failure or two per year per circuit that lasts longer than a couple minutes.

    We have an internal modem in each print server, plus one in a print server at the corporate office. The ERP system prints everything to our corporate LPRng server. That system pipes the print job into its UUCP spool. UUCP is configured to try the frame connection first, and then use the modems if that doesn't work. It has proven VERY reliable. It took a while to figure out how to set it all up, but it has been mostly an install-and-forget experience. I highly recommend LPRng for its stability and flexibility. You just can't set up a system with these reliability requirements on a Microsoft platform.
  • Cisco (Score:2, Insightful)

    by afidel ( 530433 )
    Cisco's Enterprise Printing System (CEPS) runs off samba and lprng. The windows clients just enter \\servername, then double click on the printer they wish to set up. The samba server sends them the drivers appropriate for the model of the printer and the client's OS, and sets its config to use the samba server as the print queue. We also have a web interface for stopping the queue, restarting it, checking the printer's status etc.
  • Skip SAMBA (Score:3, Informative)

    by Matts ( 1628 ) on Friday January 11, 2002 @12:14PM (#2823540) Homepage
    This doesn't really answer your question, but...

    If you can, skip SAMBA. Instead use IPP in conjunction with CUPS. It's simply the easiest thing to use on the planet, and works perfectly with Windows2K, 98, ME and XP.

    I was astonished how easy it was to get this working, and you can even copy over the printer drivers onto the server (from the NT box) and have CUPS automatically deliver the printer driver down to the client when they request to "add" that printer.

    It's just the sweetest solution imaginable.
  • Why do you NEED to do this? What's the business case for this change? How much will you spend re-training your staff? What isn't Netware doing for you now? If you are using Netware, the change (IPX to SMB) to 10,000+ desktops is going to crush your staff. If you are used to using lots of directory specific permissions, will SAMBA support more than just World/Group/Owner R/W/X? Netware has very granular permissions that you might not want to give up. Don't get me wrong. For many application servers Linux is great. We are moving away from MS to Linux everywhere that the required task can be done well on Linux. Don't do what many MS shops do and try to use one tool for all tasks. Netware is the gold standard for file and print services. Before you give that up, you better have a good reason. How is SAMBA's support for Macintosh machines?
    • How is SAMBA's support for Macintosh machines?


      SAMBA doesn't support Macs at all, but there is another package called netatalk that does. I'm in the process of setting up a SAMBA/CUPS/netatalk server for our printers, and it looks like it will work well. However, I have just barely gotten it working, and there may be problems lurking ahead.

      • Whoa. I tried doing that in 1996 and it was sure a pain in the arse. Netatalk was effectively unsupported by then. It looks like some people have started work on it again, so maybe you'll have better luck.

        My advice would be to have a thorough look at it before making your boss any big promises though! :)
    • See my reply to the same question earlier in the thread. Basically, it's not my decision to make, just to influence what the replacement is.

      BTW, we've already moved more than half our user community off of IPX to IP on Netware 5.
    • Amen to that. May also be worth looking at Netware 6 - clientless access for Windows, Mac and Unix (also iirc available as a bolt-on for NW5.1).

      Another consideration: if you ditch Netware, what happens to your NDS tree? afaik a linux server can join a tree, but it still has some reliance on Netware - it may be a while before NDS can be run entirely from non-Netware servers. If you're ditching NDS too, it could be a massive cost (and potential disruption) while you move to another directory.
  • Where I last worked, we were in a mixed NT & unix environment. The unix servers were mostly used for statistical processing, so we had Samba access available to the users so they could get access to datasets and the like from their PCs. Well, a lot of users would also store their related Excel and Word docs on the unix boxes, then viruses became a huge problem.

    Our NT network and the workstations were well protected, but people would still access the unix boxes from home (over our VPN) or through FTP. Our Unix admins were unwilling to look at virus software for their boxes because "unix doesn't get viruses." Well, there probably wasn't anything out there for Tru64 anyway.

    So, it ended up being a pretty messed up situation leaving just about every Word document infected with some sort of macro virus.

    Just something to think about when designing your environment.
  • Why? You may find 'large' organizations rolling out Linux. You will find 'large' organizations who manage large server farms doing exactly what you're doing ... with various and sundry flavors of Unix.

    For example .. Sun. They claim (and I'd tend to believe them) that they use only Sun products in house. For everything. Yes, even the receptionist desktops that I've seen were Ultra 10s. There is one large enterprise that is 100% MS free ...
  • If you need large scale deployment then sun could be a good alternative.

    I have been using samba on solaris for several years now and it's stable as a rock.

    Recently I installed version samba 2.2.2 for one of my customers and have now thrown out their nt pdc.
    I haven't used ldap or nis but have stuck with passwd and smbpasswd. It's more work but fairly easy to administer with ssh.

    By the way. If you need encrypted network (ssh) resources and you are using linux clients then you can use kiofish. You plug it into KDE, type fish://server in konqueror and you can access the server.

    regards Kenneth
  • I think Cisco does this (try: http://www.google.com/search?q=linux+print+server+cisco). They even developed an open source tool: CEPS: Cisco Enterprise Print System, written by network managers at Cisco to manage the company's network printing system (http://ceps.sourceforge.net/software.shtml)

    hope this helps.

    Mark
