help with push/pulling files to isilon storage from a remote network

Posted on 2014-03-21
Medium Priority
Last Modified: 2014-04-03
Hi I'm a Linux newbie and hope you can help with this one.
We are a broadcast station where we primarily have a mix of servers running Linux and Windows.  We have implemented Windows AD for central account mgmt.  We also have a large storage array with NFS and SMB mounts/shares.  We are currently in the process of turning user mode on in our storage forcing users to have an authenticated AD account to access large storage.
Our operations team is installing another ingest system for On Air TV that cannot be joined to our existing Windows AD domain. In order to be able to port over any content for airing that is on our storage, we have decided to place an intermediate bridge server that resides between the new ingest system and our production storage. The idea would be to set up the bridge server with Linux, which would have an NFS mount to production storage. The bridge server would be joined to the AD domain. The new ingest systems (running Windows 7 & Windows 2008 R2 on a separate subnet) would then ftp completed media files from ingest to the bridge server that has the NFS mount to production storage. The initial ftp session would use the local account from the ingest system subnet, but is there a way to push the file to the production NFS mount and have it use an AD account? Could this be done in a single process, i.e. eliminating the need for a two-step file transfer process, ftp to bridge server then bridge server to NFS share? How would I do this? Sorry for the long message.....
Question by:MauiCentral
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 39947102
You should try and use the Services for NFS which is available on Windows 2008 and above systems.

Please refer to the link below:


LVL 13

Expert Comment

by:Daniel Helgenberger
ID: 39948082

let me try to break this down a little bit:
You have an FTP server running Linux, which has an existing NFS share mounted from your central storage. The FTP server resides in some kind of perimeter network.
The isolated ingest stations would then move their footage to your central storage using the FTP server:

(central network) --- (FTP server) --- (ingest station network)

Is this correct?
Could this be done in a single process? i.e eliminating the need of a two step file transfer process, ftp to bridge server then bridge server to NFS share?

I see no problem there. The key here is to export the mounted NFS again as FTP. FTP in turn is important to use so your file system permissions on the central storage do not get messed up.

I do not know why you do this kind of setup; I assume you do this out of security considerations. If so, please read on for a few suggestions:
I recommend creating a 'real' perimeter network between the central and the ingest network, putting your FTP server there and firewalling each connection. Also, I strongly advise against the use of Samba/NFS shares directly in the ingest network:

(central network) --|fw|-- (perimeter(FTP server)) --|fw|-- (ingest station network)*

To do so, I do recommend not domain joining the FTP server, so as not to compromise the firewalling. This is also not necessary since the FTP server reads and writes as one fixed user. So, you would create a domain user named for instance 'ingest'. Deactivate this user. Its sole purpose is to provide the SID. But make sure it is in the correct groups and has read/write permissions where the ingest stations should write to.
On the FTP server, create a local account with the matching GID/UID number from active directory and configure your FTPd to run as that user. All filesystem objects on your central network storage would then be owned by 'ingest'.
Configure the firewalls to allow the appropriate connections; on the ingest end you only need to allow FTP obviously. On the central network firewall, allow NFS.
Hint, fix the ports NFS is using:

Also, if you have a directory server on the ingest network, you can use LDAP to authenticate users:

Use Likewise / PowerBroker to easily manage (tame) UID mapping between Linux and Active Directory:

* This is of course the logical setup; most likely you need only one 'real' firewall with the appropriate VLANs configured.

Author Comment

ID: 39951928
Thank you Daniel Helgenberger for your response.  I think this is becoming  clearer. I have a few follow up questions.  

You mentioned,

I do not know why you do this kind of setup; I assume you do this out of security considerations. If so, please read on for a few suggestions:

It should be noted that all components are physically in the same facility.  Our current central storage is configured with anonymous mode  turned on which means if you can map a drive, you can access all of the content.  We’re trying to break that bad habit and turn user mode (at some point) on forcing a client to have a valid AD account in order to map said drives.  The new  ingest system/network cannot join AD, so to align with the new habit breaking policy, our security group came up with this idea.

So based on your recommendation of using UID mapping, files could be moved bidirectionally between the central storage and the ingest network, with the central storage only seeing an AD SID?

For files that would be moving inbound to the ingest would we need to write a script that would check the directory and then run ftp to put the file in the ingest network or is there a linux command that can do this on demand?  

Thank you.
LVL 13

Accepted Solution

Daniel Helgenberger earned 2000 total points
ID: 39952471
files could be moved bidirectionally between the central storage and the ingest network, with the central storage only seeing an AD SID?
Correct. The FTP server would read/write files with one particular Windows SID and can read / write any file this user can. Also, FTP can chroot; meaning you can force it to see only one directory downward.

For files being moved to the ingest, I would recommend HTTP. Put a simple web server on the FTP server, which can see all the files necessary. Users on the ingest station would access the FTP server not with an FTP client but with HTTP, downloading files with a mouse click. I consider this safe, but the ingest user would know your whole directory structure.
If you do not like this, you can still have a CGI script which can copy the file over to a place the ingest can access. You would need to solve the problem of the ingest user knowing the correct file path.
There are no limits on what you can do there; in particular you might already have some kind of CMS where you can integrate this nicely. There, all the file paths would be stored in a database anyway and a user can just search for them, create some kind of basket which would be dropped (copied, linked) into an accessible destination.

If you prefer a simpler setup, please note that a computer does not need to be domain joined to mount a samba share but it can do so fine with a set of fixed credentials. This would mean of course the credentials need to be saved on the ingest station.
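An added check and configuration sketch for the setup Daniel describes in his first comment (a disabled 'ingest' domain user, a local account with the matching UID/GID, the FTP daemon running as that one user) and the chroot mentioned in the accepted solution. This is example code, not from the thread: the account name, LDAP attributes, sample LDIF, mount path and the choice of vsftpd as the FTP daemon are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that the local 'ingest' account on
# the FTP bridge carries the uidNumber/gidNumber that Active Directory assigned,
# confirms the AD account is disabled, and emits a vsftpd fragment that makes every
# FTP login act as that one local user inside a chroot.
# Assumptions: AD publishes RFC 2307 attributes; the LDIF below is a constructed
# sample of an `ldapsearch -LLL` result; the account name 'ingest' and the
# mount path /mnt/central/ingest are placeholders.

# Print the value of one attribute from LDIF text on stdin.
ldif_attr() {
    awk -v attr="$1:" '$1 == attr { print $2; exit }'
}

# userAccountControl bit 0x2 set means the AD account is disabled.
account_disabled() {
    [ $(( $1 & 2 )) -ne 0 ]
}

# Returns 0 only when AD and local uid/gid agree; otherwise explains the mismatch.
check_uid_mapping() {
    ad_uid=$1; ad_gid=$2; local_uid=$3; local_gid=$4
    if [ "$ad_uid" = "$local_uid" ] && [ "$ad_gid" = "$local_gid" ]; then
        echo "OK: ingest maps to uid=$ad_uid gid=$ad_gid"
        return 0
    fi
    echo "MISMATCH: AD uid=$ad_uid gid=$ad_gid, local uid=$local_uid gid=$local_gid" >&2
    return 1
}

# vsftpd settings: no anonymous access, all logins remapped to $1, chrooted to $2.
vsftpd_fragment() {
    printf '%s\n' "anonymous_enable=NO" "local_enable=YES" "write_enable=YES" \
        "guest_enable=YES" "guest_username=$1" "chroot_local_user=YES" "local_root=$2"
}

SAMPLE_LDIF='dn: CN=ingest,OU=Service,DC=example,DC=local
sAMAccountName: ingest
uidNumber: 10042
gidNumber: 10001
userAccountControl: 514'

AD_UID=$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr uidNumber)
AD_GID=$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr gidNumber)
AD_UAC=$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr userAccountControl)
account_disabled "$AD_UAC" || echo "WARNING: AD account 'ingest' is still enabled" >&2
# On the real bridge use: LOCAL_UID=$(id -u ingest); LOCAL_GID=$(id -g ingest)
check_uid_mapping "$AD_UID" "$AD_GID" 10042 10001
vsftpd_fragment ingest /mnt/central/ingest
```

Run the mapping check after creating the local account; if it reports a mismatch, files written through FTP will show up on the central storage under the wrong owner.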

Author Closing Comment

ID: 39976948
Thank you for the feedback.
