Generic NAS question - School set up

Status
Not open for further replies.

Aidan

Dabbler
Joined
Oct 6, 2014
Messages
16
Hi,
I’m looking for some generic NAS advice. The scenario is that I have set up a FreeNAS NAS in a small school and so I have a few user names that don’t change much (staff) and a lot of users that would change a lot (students). The question is how best to implement this. My original thinking was to use generic names (‘Administrator’ (i.e. me), ‘Principal’, ‘Teacher’, ‘Assistant’, ‘Student’) and create appropriate shares (using the same names, plus a ‘Common’) with permissions across the different shares. Reading that list from left to right, each one on the left can access each of the ones on their right – so ‘Administrator’ can see all the shares and ‘Student’ can only see ‘Student’. So far so good; the query I have is, will this work, and even if it does, is it a good or bad idea? Can two/three people signed on as ‘Teacher’ access the same share/different shares at the same time? Can 90+ students all signed on as ‘Student’ access shares and save their own files in one big folder? I’m trying to avoid using either 'Student01' – 'Student99' or each student's actual name for 90+ students. It’s a Windows flat network (no server) and currently they all sign on to XP (soon to change to Win7) using the names above (‘Principal’, ‘Teacher’, ‘Assistant’, ‘Student’) and the shares are mapped to drive letters.

A lot of people must be in this situation so what is the recommended approach? The admin end of things would be irregular, I do the IT work for the school (my wife is the Principal), so it would be great to not have to do a lot of name and share maintenance – hence the idea of using generic names, but only if it works, obviously. A particular driver for this now is the introduction of Tablets (Windows Surface) which don’t have much storage and the fact that students will most likely access different tablets each time (as a result, the preference is to store any work on the network). Any help greatly appreciated.

Thanks.
Aidan.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You can share credentials on FreeNAS (i.e. have multiple users share the same credentials). I've seen it before in an international school overseas. The network was a hot mess. Don't do this if you value your time.

100+ users with lots of computers means Active Directory or another way of managing computers and credentials. For AD you have two options: Microsoft or setting FreeNAS as an AD DC. Since you're not a Samba expert, Microsoft is probably the better option in your circumstances. MS offers steep discounts for nonprofits ($53 for server and $2 for CALs). See here.

That being said my son's elementary school uses google/Chromebooks and lots of people like it. It might be worth calling them. They also have a site you can search for more info. :)

For that matter you can look into the office365 offerings (since you're already getting surface tablets). One advantage of google apps or office 365 is that it is easy to pass the costs to the parents. Note that of all the above options I only know samba. You'll have to do your own research.

I know this is a BSD forum, (I personally believe almost every problem can be solved with the proper application of more BSD) but I'm 'thinking of the children'. :)
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I haven't actually set up AD on FreeNAS, because the AD server here predated the availability. However, the AD server here is based on Samba on FreeBSD and should be a similar thing.

My impression is that an AD box should be separate and discrete from other infrastructure if possible. A FreeNAS hosted AD server might possibly be okay if you were sure that you were married to the NAS for a relatively long time, but in all likelihood you are better served by a separate machine.

For that purpose, if you had the time and resources, you'd create a FreeBSD box with a Samba instance to serve AD, or if you're more interested in just getting something working without all the fuss, then you're probably better off with Zentyal or as anodos suggested the Windows nonprofit route. The advantage to Windows is "everyone knows it" which may have some impact on your selection.

On the flip side, if you want to go the whole FreeBSD route, the documentation at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO is actually rather complete. I remember in the early days of Samba and XP that it was a total nightmare trainwreck to get everything working correctly, which rather soured me on the whole Samba thing... but last time I had to mess with it, I really didn't do anything more significant than what's outlined there and some of the linked docs, and a lot of that has been embodied in a single tool to help do the complicated stuff for you. I nearly fainted when I ran the provisioning tool, started Samba, and it just worked.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
As anodos said, I'd consider Microsoft for AD, file and print, etc. Given the deep discounts given to education, I wouldn't mess with FreeNAS.

Setting CIFS permissions in FreeNAS can be difficult and there is little support for doing it on the forum.

When you buy Win 7, ensure that you get the Pro version, so that you can manage the computers with Active Directory.


Sent from my phone
 
L

Guest
What you are asking does work, but you do run the risk of students seeing/copying each other's work. You are better off creating user accounts for each student, having the user own the file and have a group called teacher/admin, that can read the files.

I will tell you that my kids' school solves this with Google Drive though.
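
The per-student layout suggested in the reply above, as an added example that is not part of the original thread: a small audit that lists student folders still open to everyone else and tightens them. It assumes one folder per student under a share root on a dataset using Unix permissions, with each folder owned by that student's account and a staff group as group owner; the folder names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes one folder per student under
# ROOT on a dataset using Unix permissions, each folder owned by that
# student's account with a staff group (e.g. "teachers") as group owner.

# List student folders that grant any access to "other" (all other accounts).
exposed_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Tighten every student folder: owner full access, group read-only, other
# none. With no search bit for "other" on the folder, the files inside it
# are unreachable to other students whatever their own mode bits say.
lock_down() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        -exec chmod u=rwx,g=rx,o= {} +
}

# Demo on constructed folders in a temporary directory.
demo() {
    root=$(mktemp -d)
    mkdir "$root/alice" "$root/bob" "$root/carol"
    chmod 750 "$root/alice"   # already private
    chmod 755 "$root/bob"     # readable by every account
    chmod 777 "$root/carol"   # writable by every account
    echo "Exposed before:"
    exposed_dirs "$root"
    lock_down "$root"
    echo "Exposed after: $(exposed_dirs "$root" | wc -l)"
    rm -rf "$root"
}

demo
```

Ownership is not changed by this script; setting the owner and group of each folder (as root) is a separate step that depends on the account names in use.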
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
In this sort of situation you need the following for your network:
1) Good quality switch that supports LACP (don't buy hubs. don't daisy-chain anything.)
2) Firewall / DHCP server.
3) Domain controller (DC) (you should have two of these on a network for redundancy - these do not have to be powerful computers and you can virtualize the second one - just not on your primary DC).
4) Storage server
5) Good quality wireless access points if you're doing wifi (not consumer-grade stuff)
6) UPS for (1)-(4)

Using Windows Server for your AD DC gets you the following advantages: Windows Deployment Services (for managing images of your workstations), Windows update services (to centralize patch management), and the ability to configure and push out group policies. It's good to hear that Samba4 has come a long way in terms of being useful as an AD DC, but I'd still wait for it to bake a little longer before recommending it for noobs (I read the Samba mailing lists) :)

Managing large amounts of computers without AD is about as much fun as getting punched in the face. Not only will you waste lots of time with manual configuration, you will probably have endless problems of computers not being able to see each other (because NetBIOS name resolution sucks). Don't do that.
 

Aidan

Dabbler
Joined
Oct 6, 2014
Messages
16
Hey - thanks for all the replies. I really appreciate you all taking the time. As I said, the main point really was whether or not the generic names was a good or bad idea. The rest of it is covered (IT Kit, setup etc.) I'm leaning toward giving the staff individual names and still a bit unsure ref the students with the account maintenance it will involve as the names change more often. With snapshots and backups it wouldn't be a disaster if one of them deleted something. It's a primary school so seeing each other's work is not really an issue. I was trying to avoid setting up an AD, but may have to bite the bullet. I'm looking into what's available including the one in FreeNAS itself. As is often the case, time on site is an issue (amongst other things, my wife doesn't really want to spend her weekends there much, even if I'm happy to do the work....!). Ok - thank you all very much - good food for thought in your posts.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Kids will delete or otherwise mess up each other's stuff. It's human nature.

Originally networking for Microsoft OS (DOS/Windows) was peer-to-peer. While this works fine for networks with a small number of computers, it begins to exponentially suck as the number of computers increases. Microsoft had various technical ways of reducing the amount of suck (master browsers, WINS, etc), but they weren't particularly good and countless man-hours have been wasted over time trying to resolve questions like "why can't I see the server". Gradually, Microsoft transitioned to (or embraced, extended, and tried to exterminate) a more sane way of doing things (DNS / Kerberos / LDAP). The simple fact of the matter (based on my experience) is that Workgroups / NetBIOS starts to get flaky when you have more than 20 computers. In the long run you will save a lot of time by setting up AD.

As far as administering it goes - set up a VPN and administer from home. That way you can avoid interacting with meatbags.
 

Starpulkka

Contributor
Joined
Apr 9, 2013
Messages
179
Well, I remember the old days: when I was studying at a University of Applied Sciences (polytechnic school), the school gave us 3 1/2" floppy disks where we kept our papers. This gave us privacy and at the same time we learned the responsibility of safeguarding our own files. It's also cheap, as there is no redundancy.

I think nowadays, now that everyone has graduated, we use admin-tested USB sticks (I see this in hospitals every day, and no, it was not a U2F key, it really was a USB key), of course with backups, and it works better than having a server fail and not getting your files. Of course, while this method gives us privacy, it does not give Google Drive or No Such Agency access to our files to make money from our data. Schools did have management/spy software which allowed them to upgrade PC classes and look at/record and take over the mouse/keyboard if a student was doing bad stuff. Of course, there are places where you can't bring a USB stick with you.

I just agree that every student should have their files behind a password, so other students can't delete or copy files. Copying others' stuff might hurt that student in the future. And "sharing" happens if both parties agree that he can borrow his/her files, so after that he can send the file to his friend. And make an additional account where everyone can put stuff so everyone can see it (and only teachers can delete files from it).
Of course I think old-school; I have no idea how schools do stuff today.

Edit: lol, I just re-read what you said, you use iPads, so there is no USB port, thinking of Apple, oh well, but files behind a password still applies to my thinking..
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
In Europe data protection law would forbid you to share the kids' info with each other, I should think.
 