My domain is tha shizznit
Yep. It is. Tha Shizznit.
(warning: technobabble follows. Not afraid of technobabble? You will be… you will be.)
OK, so this started out with a simple request.
(my boss) “Dave, can you create a guest account that has access to the T drive?”
(me) “hmm, no problem”
( 5 minutes pass)
(me) “Wait a minute… these guests shouldn’t have access to the shared directory, just the temp directory, right?”
(my boss) *gone, in a meeting*
(me) I guess not. That’d be stupid to open it up to them. How will I do that though?
(me) Well, the shared directory is group “shared”, and the temp directory is group “shared” too, with both having “valid users = @shared”… I guess I could create another group “tdrive”, make the T drive group “tdrive”, and then add everyone in “shared” to the “tdrive” group… and it’d sort of work. But it’d cause odd problems with primary gids and file ownership, and I don’t like it. I’d rather use an ACL.
*pokes the fileserver*
Crap! I didn’t build ACL support into the kernel for reiserfs, xfs, even ext3! What was I thinking? How shortsighted of me! And now the kernel source for my version is long since pruned. Guess I’m either not using ACLs or building a new kernel.
… well, I should really use ACLs, though. They’re nice.
OK. I’ll do it, I’ll rob the kwik-e-mart! err, I mean build a new kernel and include ACL support on everything!
*fetch source, configure, compile, build, install*
Hmm, now I’ve got to reboot the fileserver. But there’s people actively using it. Oh well, I’ll wait till they go home or log out or whatever.
(2 hours of miscellaneous other stuff pass, including installing Adobe CS2 on 2 machines)
*decides to stop presenting as a soliloquy*
Anyway, long story short, I rebooted into a new kernel (with NFS being awesomely patient for me too), sneakily hot-remounted all the filesystems on the fileserver to support ACLs (and turned the quota-enabled but not quota-using quotas off), tested out ACLs, added a group, added a user, then decided to go crazy and change like 35 other things too. Now I’ve got group-specific controls on all the shares, appropriate users in each group, and group-forcing where appropriate. I’ve rewritten my netlogon scripts to be group-specific and mount only appropriate filesystems. I’ve done a hell of a lot of Samba tweaking, and even tweaked my logon batch files to the point where the weekly status report launch is broken out into a separately called VBScript, to keep the netlogon batch from hanging while waiting for Firefox to close.
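To make the “guest on the temp share but not the T drive” split concrete, here is an added example of the two Samba share definitions in the weak form and in a corrected form. It is not the smb.conf from the post; the paths /srv/tdrive and /srv/temp, the UNIX group “shared” and the account “guest” are assumed names, and the setfacl line stands in for whatever ACL the author actually set.

```ini
# Added example, not the post's own smb.conf. Paths, the group "shared" and
# the account "guest" are assumed names.
#
# Prerequisite: the filesystem is mounted with ACL support (the kernel rebuild
# and hot remount described above), e.g. an /etc/fstab entry such as
#   /dev/sdb1  /srv  ext3  defaults,acl  0 2
# Then the temp directory gets a per-user ACL instead of a second group.
# The default entry (d:...) makes new files and subdirectories inherit it:
#   setfacl -m u:guest:rwx,d:u:guest:rwx /srv/temp
#   getfacl /srv/temp        # expect user:guest:rwx and default:user:guest:rwx

# --- Weak: both shares gate on the same group. The only way to let "guest"
# --- into [temp] is to add it to "shared", which also opens [tdrive].
[tdrive]
   path = /srv/tdrive
   valid users = @shared
   writeable = yes

[temp]
   path = /srv/temp
   valid users = @shared
   writeable = yes

# --- Fixed: [tdrive] stays group-only and forces the group on new files so
# --- a member's odd primary gid does not matter; [temp] admits the guest
# --- account explicitly at the Samba layer, and the ACL above grants it
# --- rights on disk without touching anyone's primary gid or ownership.
[tdrive]
   path = /srv/tdrive
   valid users = @shared
   writeable = yes
   force group = shared
   create mask = 0660
   directory mask = 0770

[temp]
   path = /srv/temp
   valid users = @shared, guest
   writeable = yes
   create mask = 0660
   directory mask = 0770
```

The “weak” and “fixed” sections are two alternative versions of the same shares, so only one pair belongs in a real smb.conf (Samba merges duplicate section names rather than rejecting them). Run testparm after editing to catch syntax errors, then check from a client: connecting as guest to //server/temp should succeed, and connecting as guest to //server/tdrive should fail with an access denied error even though the filesystem ACL on /srv/temp was granted to the same account.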
Ohh… so much awesomeness is to be had now. SO much awesomeness. Still working on tying all of that to an ldapsam backend, but… oooooh, it’s cool as it is too.