Three Platforms, One Server Part 1: Planning, Testing, Building

Background
As I've said probably a thousand-billion times, I work in a very multi-platform environment. Our lab consists of Mac, Windows and Linux workstations, all of which rely, in some form or another, on a centralized home account server. Currently, the way this works is problematic in several ways: Each platform -- Mac, Windows, Linux -- authenticates to a different server, and then mounts the home account server via one of two methods, either NFS or SMB. The main problems arise when we want to create new users, or when a user wants to change his or her password. When creating a user, we must do so on each platform's respective server -- i.e. on the Mac server, the Windows server and the NIS server which hosts Linux accounts. The user's short name, UID, GID and password must match across all three servers. Then, if a user later wants to change his password, he must do so on each platform separately or the passwords will not match. There is also an inconsistency in the way the actual home account location appears and is accessed on the various platforms. On Mac and Linux, the home account directories are mounted at /home, but on Windows, the home account is mounted at a location that is separate from the users' roaming profile, adding another layer of confusion for any user who might use both Windows and any other platform.

These problems make user creation painful and error-prone, and discourage regular password changes for the community. Also, educating the community about this system of servers is next to impossible. It's a bad, old system that's long overdue for an overhaul. And that's just what I intend to do.

The Plan
The plan for this overhaul is to migrate all user accounts to one server which will store all user information -- UID, GID, password, name, everything -- and which will also share out the home account server in as consistent a manner as possible. I've chosen Mac OSX Server for this job because it integrates both LDAP for Mac and Linux and Active Directory for Windows into its Open Directory system, and because it's capable of re-sharing an NFS mount out to each platform in a relatively consistent manner appropriate to said platform. There are three major hurdles to overcome in doing this.

The first problem to overcome is building and setting up the new server to host Windows accounts in an acceptable manner. Windows is the real wildcard here. The problem child. Setting up Linux clients is as simple as flipping a switch. Set the Linux client to get authentication info from the Mac Server and you're done. Linux sees the LDAP data just like Mac does and can mount our NFS server directly in /home. No problem. Standard *NIX stuff. Same as it is on Mac. Windows, on the other hand, understands neither LDAP nor NFS natively. So we need to make special arrangements on our Mac Server to accommodate it.

The second hurdle is getting users migrated from all three platforms over to the Mac Server. Here, two complications arise. The first is that my existing Mac Server has never hosted Windows accounts, and therefore, is not capable of doing so using the existing database. So for all intents and purposes, the user database needs to be rebuilt from scratch, which brings us to the second complication: We need to reset everyone's password. What do we reset the passwords to?

The final major hurdle we face is that of redundancy. Since we're now moving all users to a single database, every system is now dependent upon a single server. A single point of failure. We suddenly find all our eggs in one basket, and this is potentially dangerous. If that server goes down, no user can login in and work, and we're dead in the water. So we need to figure out a method for keeping a live backup of our server that can take over if it goes down.

These are the major hurdles, and there are some minor ones along the way, which we'll talk about as we get to them. So let's start building that server. Our authentication server. The mother of all servers.

Building the Server
I started fresh with a Tiger server. Nice clean install. I set it up to host Mac accounts, as usual, using the standard LDAP stuff that's built-in, as I always do. Master server, and all of that. But this time I've also set the server up as a Primary Domain Controller (PDC) so that it can also host Windows accounts. Getting the server to host Windows was not particularly difficult, but getting it to host them on a re-shared NFS mount, and having the Windows roaming profiles live on that NFS share was a bit more tricky. To do this, I first mounted our NFS export on the Mac Server at /home. I then set /home/username to be the location for our Windows roaming profiles. This should theoretically work. But the Windows client wants to copy everything in the roaming profile directory to the local computer at login, and then copy it all back at logout. This is a problem for any user who might have more than a few megabytes of data in his home account as the time it takes to do the copy is painfully long. Also, Widows ran into permissions problems when it hit the Spotlight directories, and errored out. So I've created a special directory in the home accounts, called Windows, that only holds the roaming profile data, and set the server to have Windows clients look here for said data. This initially failed to work until I realized that roaming profile data must actually exist for Windows clients to understand what's going on. Once I copied some basic roaming profile data (skel data, essentially) to the user's Windows folder, the Windows clients were able to login using this folder for the roaming profile. I'm almost surprised that this worked as we're essentially re-sharing an NFS mount out as SMB from a Mac Server to Windows clients. But work it did, and so far, at least, I've encountered no problems here. Windows users will now use the same home account location as Mac and Linux users. This is extremely cool.

So, on the Mac server we've mounted our home account RAID at /home, and in the Windows section of the user account, we have a roaming profile path that looks something like this:
\\ServerName\home\UserName\Windows

And in that Windows directory we have some basic Windows skel data. And that's pretty much all we need to host our Windows accounts.

Migrating Users
Next we need a plan. How will users access this new system? We'll have to reset their passwords. To what? And how do we inform them of the change? And how do we actually migrate the users from the old system to the new?

To answer the last question first, I decided that I wanted to start fresh. No actual user migration would occur. I want to build the new user database from scratch, since we'll be needing to reset all passwords anyway, and just in case there are any inconsistencies with our old server's database. Which brings us to the how of this, and that will answer the question of password resets as well. What I decided to do was to create a record descriptor -- a text file that can be imported into the Open Directory database on the Mac Server -- using easily obtained and formatted data. All I really need to do this is a list of users, their long names, their short names, their UIDs and GIDs, and their passwords. Since we're resetting their passwords, we can actually use whatever we want for this value. But it makes the most sense to use, for the reset passwords, something that is already in the possession of the users. This way, disseminating passwords is far less of a chore. Each user is given an ID card by the school when they start . This ID card has a number on it which we can use for the new passwords. Building this record descriptor is a fairly simple matter of obtaining the aforementioned data and tweaking it a bit. This can be done using a combination of a basic text editor, like TextEdit, and something like Excel for properly formatting the data. I will leave the details of this process for another exercise. Suffice to say, we have a clean slate upon which to build our user database, and a good method for reassigning passwords. So this step is effectively done.

When it comes time to implement the new system, users will be informed of the password change via email, and signs posted throughout the facility. And if they want to change their passwords after that, it will be as simple as logging onto a Mac and changing the password in the Accounts System Preference pane.

Redundancy
Finally, we have the problem of redundancy, and this is fairly crucial. Having all user data on a single machine is far more convenient, but also has certain risks associated with it. First and foremost among these is the idea of a single point of failure. That is, if our user account server -- our Mac Server, which in our model is soon to be responsible for user authentication for every workstation in the lab -- fails, no user can log in, and therefore, no user can work. Classes cannot happen. We're screwed. Hard. Ideally, we'd have a second server -- a replica, if you will -- of our primary Mac Server. If our primary went down, the replica would automatically step in, and take over the task of authenticating users until the primary is running again. Well, such a thing is indeed quite possible, and is also built in to Mac OSX Server. It will be crucial for us to set this up and make sure it works before we implement our plan.

What's Next
So, this is where we are at this point. I've built a model Mac Server. I've begun compiling the user data into a record descriptor (actually, all students have been added, but I need faculty and staff data to complete the job). I've tested the behavior on test Linux and Windows machines. The next steps will be: more thorough testing of the above, setting up and testing the server replica behavior, and, finally, alerting users to and implementing the new system. These will be covered in upcoming articles. If you're interested in such things, do check back. I hope to have all this completed by the end of the Christmas break. But then, you never know what sort of problems will crop up in a move like this, so we'll see.

Either way, I'll be documenting my experiences here. More soon to come.

Windows and Linux Dual Boot Part 4: Dell Laptop Fun

So I spent much of this past weekend installing both Windows and Linux on my Dell, who I shall hereby refer to by his rightful, and possibly permanent name, satan. Many mistakes, and much learning in the process. Hooray for learning.

My goal was to have one partition with the original Dell Windows system install, a second partition with Linux, and a third shared data partition. Initially, I screwed up during the partitioning. Setting up my partition scheme (10 GB, 10 GB, 15 GB), I did an NTFS format on the first 10 GB partition, and then a "quick format" on the second partition. Well, I didn't know this, but doing a "quick format" causes the Dell restore disc from which I was booted, to begin the system installation process directly after the "quick format," and onto the quickly formatted partition. So I ended up with Windows on my "D" drive. Oops!

Thinking this might be okay, I tried installing Linux, then, on the first partition, but it wouldn't work. It'd complain during the Fedora partitioning process. I don't really understand why. Perhaps someone here can enlighten me.

So, it was back to the drawing board.

Booted off the Windows CD again, repartitioned -- this time I did 5 GB for Windows, and 5 GB for Linux, leaving about 25 GB for shared data. This seems to have worked, and I now have a functional Windows/Linux dual boot-machine. I realized during the Linux install, though, that I'd really like a bigger partition for my Linux install. After cutting out a lot of cruft (and even some non-cruft I would've liked to have had) with the custom install, I was able to get it down to a size that will fit on the 3 GB of space I have left over after the 2 GB swap partition has been designated. But that only leaves me with 737 MB of free space, which really isn't enough to do much of anything, and it might be nice to, someday, you know, install some software.

So it will be back to the drawing board. Again. Soon.

But before I reinstall everything, I have some NFS tests I need to do -- which is why I started all of this when I did in the first place -- because of a problem I'm having with NFS home accounts and my Tiger workstations. When I do finally reinstall the whole kit and kaboodle, that will have made three times I've created my dual-boot system on satan. And hey, isn't the third time supposed to be a charm?

So what have we learned today kids?
1) Doing a "quick format" immediately installs the Windows OS on the "quick formatted" partition.
2) When setting up partitions, don't forget to account for Linux's swap space.
3) I didn't mention this earlier in the article, but I also learned that all the Dell drivers specific to my machine are included on a second CD, and each of those drivers must be installed individually, from long, idiotic Windows installers ("wizards" -- please!), so it's best to get this whole partitioning scheme thing nailed down before really getting Windows back up to snuff.

That said, can anyone out there recommend a good Windows-Linux-Data partition scheme? I'm thinking, at this point, 6 GB (WIndows XP), 10 GB (Linux FC3) and the remainder (approximately 20 GB) for shared data between Linux and Windows. Any suggestions? Recommendation? Admonitions?

This is no-man's land for me, so any thoughts are sincerely and deeply appreciated.

On a final note, I really like Linux, especially as compared to Windows. Linux is instantly navigable to me. It makes sense. I can find things. I can do things. Nothing (so far) is buried and the UI is clean and unobtrusive. And not one single damn popup. It just goes to show, there are right ways to do things, and there are wrong ways. In my opinion, where Linux (and, of course, Mac) generally get things right, Windows most often fails miserably. Anyway, thanks be to Linux for renewing my interest in my $1400 former doorstop, my good pal satan.

Alright, gonna go Google the phrase "my good pal satan" now. More info as the situation develops.

UPDATE 1:
Tried updating Linux with the up2date software. Yup. Ran out of disk space. Looks like I'll be doing this all again. S'Okay. Practice makes perfect.

UPDATE 2:
Our resident Windows/Linux guru informs me that both OSs need a fair amount of space, and recommends splitting the hard drive into two 17 GB partitions, one for Windows and one for Linux, and foregoing the shared data drive. So that's probably what I'll do. 'Cause she's a smartie.

The Dark Side Part 4: System Restore? What a great idea!

I'm trying to be as positive about my Windows experience as possible. It's not easy. But as the popups and virus alerts have subsided, I've managed to poke around and find some really useful stuff on my Windows system. Stuff that doesn't exist on the Mac. One of the most impressive of these is the System Restore feature. I haven't actually tested it yet, but from the looks of it, the way it works is, you open the System Restore application, and there are two options: either restore your system to the state it was in at an earlier date, or create a restore point, which is essentially a record of the state of your system at this particular moment in time. System Restore actually creates restore points on its own, at regularly scheduled intervals as well. On the fly. In the background.

Now I don't know how well this works, but it's a great idea. I would absolutely love something like this for Mac. On Mac, if you want to "restore" your system, you're essentially relegated to the "Archive and Install" procedure, which, you know if you've ever done one, sucks. Hard. Wouldn't it be great if we Mac users could apply the latest OS update, for instance, and, two days later, when we realized some key functionality is broken, simply run a System Restore-like application and be back to where we were in a few short minutes? I think it would. And I'm sure you agree.

I really hope Apple has something in the pipe like this. Since my first broken Mac OS X update, I've longed for a tool like System Restore, and it's been one of the few things I've actually envied the Windows folk for having.

The Dark Side Part 3: Stealing Focus

This will be a very brief update on the progress of my Windows foray: I just want to say, I'm on the train, and I'm trying to write this, but every 10-15 minutes a popup appears from the Wireless Network Connection do-dad on my "Taskbar." Unbenounced to me (I am not a touch typist, and need to look at the keyboard when I type), this takes over my mouse focus, and anything I type after that point misses the document and flies off somwehere into the ether. To be fair, the Mac does this from time to time too, and it's equally annoying on that platform. (No, that was not a train pun.) But the Mac does it less frequently, and more obviously, such that I rarely lose whole paragraphs of text I thought I was typing. So add one more to the count of things I have to turn off or on before I can be at peace with my Dell, and another to the list of nice things about the Mac. I have to say, the Mac is really well thought out and configured, straight out of the box.

And that, my friends, is why design matters.

And for the record, I have now discovered yet another program for accessing wireless networks. That makes a total of three -- count 'em, three -- programs vying for control of my wireless card: Quickset, by Dell; Intel PROSet/Wireless, by Intel; and the Wireless Internet Connection Control Panel built into Microsoft Windows XP. WTF?

The Dark Side Part 2: MusicMatch

Inserted my first cd in the Dell today. Musicmatch fired up.

Musicmatch, in the middle of my CD listening, brought me to some message window telling me how to get to the "Now Playing" window, which I was already in. It said, "When playing CDs... Click here for Now Playing," and it has a little arrow pointing to the track title. Funny, I thought the best way to get to the "Now Playing" section was to press the "Now Playing" button. But I guess the Musicmatch people think I'm wrong. Fortunately they saw fit to tell me in this message window, whose "Close" button does nothing. There's actually a "Close" button -- it says "Close" and my cursor changes to the hand icon when I roll over it -- but pressing it does nothing. Might be nice if a message window came up telling me how to close Musicmatch message windows.

Windows and the accompanying software are like some medieval torture system.

I'm switching to iTunes.

Filed Under: Windows