Solved

help with push/pulling files to isilon storage from a remote network

Posted on 2014-03-21
5
909 Views
Last Modified: 2014-04-03
Hi I'm a Linux newbie and hope you can help with this one.
We are a broadcast station where we primarily have a mix of servers running Linux and Windows. We have implemented Windows AD for central account mgmt. We also have a large storage array with NFS and SMB mounts/shares. We are currently in the process of turning user mode on in our storage, forcing users to have an authenticated AD account to access large storage.
Our operations team is installing another ingest system for On Air TV that cannot be joined to our existing Windows AD domain. In order to be able to port over any content for airing that is on our storage, we have decided to place an intermediate bridge server that resides in between the new ingest system and our production storage. The idea would be to set up the bridge server with Linux, which would have an NFS mount to production storage. The bridge server would be joined to the AD domain. The new ingest systems (running Windows 7 & Windows 2008 R2 on a separate subnet) would then FTP completed media files from ingest to the bridge server that has the NFS mount to production storage. The initial FTP session would use the local account from the ingest system subnet, but is there a way to push the file to the production NFS mount and have it use an AD account? Could this be done in a single process, i.e. eliminating the need for a two-step file transfer process (FTP to bridge server, then bridge server to NFS share)? How would I do this? Sorry for the long message...
Question by:MauiCentral
5 Comments
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39947102
You should try and use the Services for NFS which is available on Windows 2008 and above systems.

Please refer to the link below:

http://technet.microsoft.com/en-us/library/dd758767%28v=ws.10%29.aspx

Sudeep
 
LVL 13

Expert Comment

by:Daniel Helgenberger
ID: 39948082
Hello,

let me try to break this down a little bit:
You have an FTP server running Linux, which has an existing NFS share mounted from your central storage. The FTP server resides in some kind of perimeter network.
The isolated ingest stations would then move their footage to your central storage using the FTP server:

(central network) --- (FTP server) --- (ingest station network)

Is this correct?
"Could this be done in a single process? i.e eliminating the need of a two step file transfer process, ftp to bridge server then bridge server to NFS share?"

I see no problem there. The key here is to export the mounted NFS again as FTP. FTP in turn is important to use so your file system permissions on the central storage do not get messed up.

I do not know why you do this kind of setup; I assume you do this out of security considerations. If so, please read on for a few suggestions:
I recommend creating a 'real' perimeter network between the central and the ingest network, putting your FTP server there, and firewalling each connection. Also, I strongly advise against the use of Samba/NFS shares directly in the ingest network:

(central network) --|fw|-- (perimeter (FTP server)) --|fw|-- (ingest station network)*

To do so, I recommend not domain-joining the FTP server, so as not to compromise the firewalling. This is also not necessary, since the FTP server reads and writes as one fixed user. So, you would create a domain user named, for instance, 'ingest'. Deactivate this user. Its sole purpose is to provide the SID. But make sure it is in the correct groups and has read/write permissions where the ingest stations should write to.
On the FTP server, create a local account with the matching UID/GID numbers from Active Directory and configure your FTPd to run as that user. All filesystem objects on your central network storage would then be owned by 'ingest'.
Configure the firewalls to allow the appropriate connections; on the ingest end you obviously only need to allow FTP. On the central network firewall, allow NFS.
Hint: fix the ports NFS is using:
http://www.fclose.com/1668/fixing-ports-used-by-nfs-server/

Also, if you have a directory server on the ingest network, you can use LDAP to authenticate users:
http://agix.com.au/blog/?p=2509

Use Likewise / PowerBroker to easily manage (tame) UID mapping between Linux and Active Directory:
http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

---
* This is of course the logical setup; most likely you need only one 'real' firewall with the appropriate VLANs configured.
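The procedure above touches two files on the bridge server: the FTPd configuration (one fixed account, chrooted, no anonymous access) and the local passwd entry whose UID/GID must equal the AD account's uidNumber/gidNumber. As an added example, not code from the thread or from either participant, here is a small audit of both. It assumes vsftpd (the post only says "FTPd"), an account named 'ingest' with UID/GID 10500, and a mount under /mnt/production; the weak and hardened configurations are constructed for illustration. Directive names are real vsftpd directives.

```python
"""Audit a vsftpd.conf and the matching /etc/passwd entry for the bridge-server
pattern: every FTP login from the ingest network is mapped onto one local
account ('ingest') whose UID/GID equal the AD account's uidNumber/gidNumber,
and sessions are jailed to one subtree of the NFS mount.

Constructed example for this page, not from the thread. vsftpd itself, the
account name 'ingest', UID/GID 10500 and the paths are assumptions.
"""
from typing import Dict, List

# Constructed: a permissive vsftpd.conf (anonymous uploads, no jail)
WEAK_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
"""

# Constructed: the hardened configuration for the bridge server
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=027
# every authenticated login runs as the one local account mirroring the AD SID
guest_enable=YES
guest_username=ingest
# allow-list, not deny-list: only names in the file may log in
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/allowed_users
# jail sessions to the upload tree on the NFS mount; the jail root stays read-only
chroot_local_user=YES
local_root=/mnt/production/ingest
allow_writeable_chroot=NO
# fixed passive range so the firewall towards the ingest network can be tight
pasv_min_port=60000
pasv_max_port=60100
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf is one 'key=value' per line; '#' starts a comment line."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd(conf: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the file matches the pattern.
    Defaults follow vsftpd's own: anonymous_enable=YES, local_enable=NO,
    chroot_local_user=NO, guest_enable=NO, userlist_deny=YES."""
    def is_yes(key: str, default: str = "NO") -> bool:
        return conf.get(key, default).strip().upper() == "YES"

    findings: List[str] = []
    if is_yes("anonymous_enable", "YES"):
        findings.append("anonymous_enable=YES: ingest hosts can log in without any credential")
    if is_yes("anon_upload_enable"):
        findings.append("anon_upload_enable=YES: anonymous writes land on the NFS mount")
    if not is_yes("local_enable"):
        findings.append("local_enable=NO: the fixed 'ingest' account cannot log in")
    if not is_yes("chroot_local_user"):
        findings.append("chroot_local_user=NO: sessions can browse the whole NFS mount")
    if is_yes("allow_writeable_chroot"):
        findings.append("allow_writeable_chroot=YES: writable jail root weakens the chroot")
    if is_yes("guest_enable") and not conf.get("guest_username"):
        findings.append("guest_enable without guest_username: logins map to 'ftp', not the AD-mirrored account")
    if is_yes("userlist_enable") and is_yes("userlist_deny", "YES"):
        findings.append("userlist_deny=YES: deny-list, so any other local account may log in")
    if "pasv_min_port" not in conf or "pasv_max_port" not in conf:
        findings.append("no fixed passive port range: the firewall must open every high port")
    return findings


NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def passwd_matches_ad(passwd_line: str, ad_uid: int, ad_gid: int, name: str = "ingest") -> List[str]:
    """Compare the local passwd entry for the FTP account with the AD account's
    uidNumber/gidNumber (RFC 2307 attributes). Files vsftpd creates on the mount
    carry these numbers and the storage maps them back to the SID, so a mismatch
    silently files the uploads under someone else's identity."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        return [f"malformed passwd entry: {passwd_line!r}"]
    user, _pw, uid, gid, _gecos, _home, shell = fields
    findings: List[str] = []
    if user != name:
        findings.append(f"account is {user!r}, expected {name!r}")
    if int(uid) != ad_uid:
        findings.append(f"uid {uid} != AD uidNumber {ad_uid}")
    if int(gid) != ad_gid:
        findings.append(f"gid {gid} != AD gidNumber {ad_gid}")
    if shell not in NOLOGIN_SHELLS:
        # the account exists only to carry the SID, so it should not be an interactive login
        findings.append(f"interactive shell {shell}; use nologin (add it to /etc/shells if vsftpd checks shells)")
    return findings
```

Run `audit_vsftpd(parse_vsftpd_conf(open("/etc/vsftpd.conf").read()))` on the bridge server and `passwd_matches_ad(line, uidNumber, gidNumber)` with the values read from the AD object; both return an empty list when the host matches the pattern described in the post.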
 

Author Comment

by:MauiCentral
ID: 39951928
Thank you, Daniel Helgenberger, for your response. I think this is becoming clearer. I have a few follow-up questions.

You mentioned,

I do not know why you do this kind of setup; I assume you do this out of security considerations. If so, please read on for a few suggestions:

It should be noted that all components are physically in the same facility. Our current central storage is configured with anonymous mode turned on, which means if you can map a drive, you can access all of the content. We're trying to break that bad habit and turn user mode on (at some point), forcing a client to have a valid AD account in order to map said drives. The new ingest system/network cannot join AD, so to align with the new habit-breaking policy, our security group came up with this idea.

So based on your recommendation of using UID mapping, files could be moved bidirectionally between the central storage and the ingest network, with the central storage only seeing an AD SID?

For files that would be moving inbound to the ingest, would we need to write a script that would check the directory and then run ftp to put the file in the ingest network, or is there a Linux command that can do this on demand?

Thank you.
 
LVL 13

Accepted Solution

by: Daniel Helgenberger (earned 500 total points)
ID: 39952471
"files could be moved bidirectionally between the central storage and the ingest network, with the central storage only seeing an AD SID?"
Correct. The FTP server would read/write files with one particular Windows SID and can read / write any file this user can. Also, FTP can chroot; meaning you can force it to see only one directory downward.

For files being moved to the ingest, I would recommend HTTP. Put a simple web server on the FTP server, which can see all the files necessary. Users on the ingest station would access the FTP server not with an FTP client but with HTTP, downloading files with a mouse click. I consider this safe, but the ingest user would know your whole directory structure.
If you do not like this, you can still have a CGI script which can copy the file over to a place the ingest can access. You would need to solve the problem of the ingest user knowing the correct file path.
There are no limits on what you can do there; in particular you might already have some kind of CMS where you can integrate this nicely. There, all the file paths would be stored in a database anyway and a user can just search for them and create some kind of basket which would be dropped (copied, linked) into an accessible destination.

If you prefer a simpler setup, please note that a computer does not need to be domain-joined to mount a Samba share; it can do so fine with a set of fixed credentials. This would mean, of course, that the credentials need to be saved on the ingest station.
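The accepted answer rests on a filesystem layout: every object the ingest stations write must end up owned by the one account mirroring the AD 'ingest' SID, the chroot root itself must not be writable by that account (vsftpd refuses to open a session whose chroot root is writable), and nothing may be world-writable, or the storage's old anonymous-mode behaviour comes straight back through the mount. The following audit, added here and not code from the thread or its participants, checks those three properties plus one that matters once a web server on the same host serves the tree for downloads. vsftpd, the paths under /mnt/production and UID/GID 10500 are assumptions; the listing it runs on is constructed.

```python
"""Audit the FTP jail on the bridge server's NFS mount: uploads owned by the
AD-mirrored 'ingest' account, a read-only chroot root, no world-writable
objects, and no symlinks inside the upload tree (the FTP chroot cannot follow
them out, but a web server on the same host serving the tree is not chrooted).

Constructed example for this page, not code from the thread. vsftpd, the paths
and UID/GID 10500 are assumptions. Entries are plain (path, uid, gid, mode)
tuples so the same check runs on real os.lstat() output and on the constructed
listing in sample_entries().
"""
import os
import stat
from typing import Iterable, List, NamedTuple


class Entry(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int  # st_mode, including the file-type bits


INGEST_UID = 10500  # assumed: equals the AD account's uidNumber
INGEST_GID = 10500  # assumed: equals the AD account's gidNumber
JAIL = "/mnt/production/ingest"           # vsftpd local_root; read-only for ingest
UPLOAD = "/mnt/production/ingest/upload"  # the only subtree ingest may write


def walk(root: str) -> List[Entry]:
    """Collect lstat() results for a real tree (not used by the constructed sample)."""
    out: List[Entry] = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            out.append(Entry(path, st.st_uid, st.st_gid, st.st_mode))
    return out


def writable_by(e: Entry, uid: int, gid: int) -> bool:
    """Classic mode-bit check: can uid/gid write this object? (POSIX ACLs ignored.)"""
    if e.uid == uid:
        return bool(e.mode & stat.S_IWUSR)
    if e.gid == gid:
        return bool(e.mode & stat.S_IWGRP)
    return bool(e.mode & stat.S_IWOTH)


def audit_jail(entries: Iterable[Entry], uid: int = INGEST_UID, gid: int = INGEST_GID,
               jail: str = JAIL, upload: str = UPLOAD) -> List[str]:
    """Return findings; an empty list means the tree matches the pattern."""
    findings: List[str] = []
    seen_jail = False
    for e in entries:
        is_link = stat.S_ISLNK(e.mode)
        in_upload = e.path == upload or e.path.startswith(upload + "/")
        if e.path == jail:
            seen_jail = True
            if writable_by(e, uid, gid):
                findings.append(f"{e.path}: chroot root writable by ingest; vsftpd refuses such sessions")
        if e.mode & stat.S_IWOTH and not is_link:  # lstat() reports 0777 for symlinks
            findings.append(f"{e.path}: world-writable")
        if in_upload and (e.uid != uid or e.gid != gid):
            findings.append(f"{e.path}: owned by uid {e.uid} gid {e.gid}, not the AD-mirrored ingest {uid}:{gid}")
        if in_upload and is_link:
            findings.append(f"{e.path}: symlink inside the upload tree")
    if not seen_jail:
        findings.append(f"{jail}: chroot root missing from the listing")
    return findings


def sample_entries() -> List[Entry]:
    """Constructed listing shaped like os.lstat() output; not real data."""
    D, F, L = stat.S_IFDIR, stat.S_IFREG, stat.S_IFLNK
    return [
        Entry(JAIL, 0, 0, D | 0o755),                                   # root-owned jail root
        Entry(UPLOAD, INGEST_UID, INGEST_GID, D | 0o770),               # writable drop directory
        Entry(UPLOAD + "/promo_0321.mxf", INGEST_UID, INGEST_GID, F | 0o640),
        Entry(UPLOAD + "/news_0321.mxf", 1001, 1001, F | 0o640),        # copied in from an admin shell
        Entry(UPLOAD + "/scratch", INGEST_UID, INGEST_GID, D | 0o777),  # someone ran chmod 777
        Entry(UPLOAD + "/archive", INGEST_UID, INGEST_GID, L | 0o777),  # symlink
    ]


if __name__ == "__main__":
    for finding in audit_jail(sample_entries()):
        print(finding)
```

On the real host, `audit_jail(walk(JAIL))` as root gives the live result. The first three sample entries are the clean layout: a root-owned 0755 jail root and a 0770 upload directory owned by 'ingest', which is what the post's "all filesystem objects would be owned by 'ingest'" looks like on disk.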
 

Author Closing Comment

by:MauiCentral
ID: 39976948
Thank you for the feedback.
