basics AGAIN!!!

Discussion in 'Networks' started by stuPeas, Feb 11, 2007.

  1. stuPeas

    I am so mixed up now that it's hard to even figure out what I need to know, so let me tell you a story...

    It started about a week ago, when I first started on the server configuration module of my CIW course. I began to get confused concerning the topic of permissions and access levels in IIS 5. Because of this confusion I started to backtrack what I actually knew (or rather, what I thought I knew) about networks. I now find myself realizing that I am not even sure about the basic types of networks. Anyway, thank you for your patience so far, and without further ado here come the obligatory questions.

    I thought that a peer-to-peer network was any network without a dedicated server, so the hosts (computers) on the network communicated with each other directly. I also thought that once you added a server to the network, all the shares that were once stored on the individual computers were moved to the server, and that the individual hosts no longer actually communicate with each other to access files, printers, etc.

    However, now I am starting to think that I am wrong about this, and that the hosts may indeed still keep some shares on themselves to be accessed by the other hosts on the network.

    It is this method of ACCESS that is confusing me.

    QUESTION 1
    Do the hosts now have to ask the server to fetch the shares on the other hosts, or can each host still have direct access to any other host?

    QUESTION 2
    A book I have states "a peer-to-peer network does not regulate user access from a central point". To me, this implies that using a server on the network somehow centralizes access, BUT ACCESS TO WHAT? Does this mean access to the server that has just been installed, or that the server is responsible for giving permission for host "A" to connect to host "B" to access the shares stored on host "B"?

    QUESTION 3
    The same book also states (regarding user-level access and some kind of access list): "this access list can be central to a particular server or to an entire network".
    WHAT THE HELL DOES THAT MEAN???
    Does it mean that this list can be stored either on the SERVER (CENTRAL) or on EACH HOST ("entire network")?

    I hope one of you guys can figure out, at least, where I am getting confused, because the more I read the more I seem to tie myself up.

    Thanks in advance if you had the patience to read this mammoth post.
    Stuart
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  2. Baba O'Riley

    OK,

    Question 1:

    If you have a peer-to-peer network and upgrade it to a client/server network (by adding a server) then all shares still exist on the individual clients (unless you actually move them yourself) and peers can still access one another's shares, but users are authenticated differently, which brings me to...

    Question 2:

    In a peer-to-peer network (e.g. a Windows workgroup) each PC takes care of its own user access, i.e. to access every PC a user must have a user account set up on every PC. This is what makes large peer-to-peer networks a bitch to administer. If a user wants to access shares on other PCs they must also have a user account on each PC that is hosting a share they want to access. With me so far?

    In a client/server network (a Windows domain, for example) a central server or servers manage user access. A user logs onto a client, the client asks the server if that user is allowed to log on, and the server says yea or nay. Hence, a user can also access every share on every client they have permissions for, because the server says they can.

    Question 3:

    This question isn't worded too well, but I think it refers to the fact that a list of users stored on a server could be used to authenticate any user on the network or only for local access (i.e. logging on directly to that server).

    HTH.
     
    Certifications: A+, Network+
    WIP: 70-270
  3. stuPeas

    That actually helped me more than a week's worth of reading!!!

    If I could just clear up a couple of points though.

    I think my confusion comes from the fact that on my home network (3 PCs) nobody actually logs on to their machines; if I want to access a share on another machine I simply go to Network Neighbourhood and click on the share (no passwords or anything).

    Anyway when you say..
    Do you mean that if a user wanted to physically use another machine, then they must have an account (username/password) on that particular machine? And if this IS what you mean, how does this relate to a network?


    and when you say...
    What exactly do you mean by an ACCOUNT? I thought all you needed to access the shares on the remote machine was a password for the share. How would this "account" be set up on the remote machine so that a user could access the shares?

    and lastly, when you say..
    Do you mean that the user physicaly logs on to a machine? (as opposed to a share on another machine)

    I know I'm pushing my luck a bit, but could you go through the sequence of events that would occur if a user "A" wanted to access shares stored on another machine ("B") on the network (not the server)? Does user "A" make the initial request directly to "B", and then "B" contacts the server to determine permissions?

    Thanks a lot, you are saving me a fortune on Paracetamol.
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  4. Sparky
    In reference to the three parts of the post from Baba which you have referenced.

    1) He does mean that. If you set up an account for 'Dave' on PC1 and then Dave tries to log onto PC2 with the same username and password, it will not work. This is in a workgroup topology. If the account was set up on a server in a Windows domain then the account could be used on all client PCs unless there are account restrictions in place.

    2) Yes, in a workgroup topology if Dave logged onto PC1 and wanted to access a share on PC2 he would need an account on PC2, as he needs to authenticate and be granted the relevant permissions for the share.

    3) Yes, after physically logging onto the PC the user is given permissions to access shares depending on the permissions assigned to the share and what security groups the user account is a member of.


    In reference to the last part of your post, computer A and computer B can communicate without using the server for authentication if needed. This is kinda like a mixed domain and workgroup topology. Note that the shares can have permissions with local user accounts and also domain user accounts.

    Hope this helps! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  5. Baba O'Riley

    What he said.:D

    With regards to you getting confused over the fact that no one logs on to your home PC, there must be an account on the computer even if it's in your name. The account might be called Administrator, User1 or somesuch, but it's still a user account.
     
    Certifications: A+, Network+
    WIP: 70-270
  6. Bluerinse
    I think some of the terminology is confusing you. Let me try and clarify things.

    1) Any computer that is sharing files or printers is a server; the *server service* will be running on it.

    2) A so-called server can also be a client: for example, if you are sat at the server console and access a file on a workstation, the server is a client. The *workstation service* provides this functionality.

    Some operating systems are designed specifically to act as dedicated servers, e.g. NetWare, Unix, Windows Server 2003 and so on.

    These more powerful server operating systems are designed in such a way that they can perform a number of complex roles.

    Now that we are talking about roles, the first role you should understand is that of a DC (*Domain Controller*).

    A DC is a server because it shares out its SYSVOL share, but more importantly, it is a central depository for user and computer accounts. A domain is a security boundary. If you set up your users on a DC you will not have to set them up on individual members of the domain. When the client log-on box comes up, you can enter the username and password of anyone in the domain and, if the DC authenticates those credentials, it will issue an access token to the user. This token can be used on any computer that is a member of the domain. It contains user/group details which will be checked before access is granted to any domain resources.

    A peer-to-peer network is one where all the computers have equal status, i.e. they can all serve files and they can all access files on other workstations. However, because there is no central point for administrating user accounts, the accounts need to be set up identically (same username and password) on each PC.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
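The workgroup-versus-domain difference that Baba O'Riley, Sparky and Bluerinse describe above, stepped through as an added example. This is not code from the thread or from Windows: it is a toy model of the behaviour the posts describe (one local SAM per machine in a workgroup, one account store on the domain controller in a domain). The machine names, the CORP domain, the user "dave" and every password are constructed for illustration.

```python
"""Toy model of workgroup versus domain authentication (added example).

Not code from the thread or from Windows; hostnames, the CORP domain,
the user "dave" and all passwords are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _digest(password: str) -> str:
    # Toy stand-in for the password hash a SAM or AD database stores.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    name: str
    pw_digest: str
    groups: tuple = ()


@dataclass
class Token:
    """What a successful logon yields: identity plus group membership,
    stamped with the authority (machine SAM or domain) that vouched for it."""
    user: str
    groups: tuple
    authority: str


class AccountDatabase:
    """Shared logic for a machine's local SAM and a domain's account store."""

    def __init__(self, authority: str) -> None:
        self.authority = authority
        self._accounts: dict[str, Account] = {}

    def add(self, name: str, password: str, *groups: str) -> None:
        self._accounts[name.lower()] = Account(name, _digest(password), tuple(groups))

    def check(self, user: str, password: str) -> Optional[Token]:
        acct = self._accounts.get(user.lower())
        if acct is None:
            return None  # no such account here: the usual workgroup failure
        if not hmac.compare_digest(acct.pw_digest, _digest(password)):
            return None
        return Token(f"{self.authority}\\{acct.name}", acct.groups, self.authority)


class Domain(AccountDatabase):
    """One account store on the domain controller, consulted by every member."""


class Machine:
    def __init__(self, name: str, domain: Optional[Domain] = None) -> None:
        self.name = name
        self.sam = AccountDatabase(name)  # local accounts live here
        self.domain = domain              # None means "workgroup member"

    def authenticate(self, user: str, password: str,
                     domain: Optional[str] = None) -> Optional[Token]:
        """Credentials presented to this machine, at the console or over the network.

        domain=None consults only the local SAM (workgroup logon, or the
        "log on locally" choice on a domain member). A domain name is
        forwarded to the DC, which only works if this machine is a member.
        """
        if domain is None:
            return self.sam.check(user, password)
        if self.domain is None or self.domain.authority.lower() != domain.lower():
            return None
        return self.domain.check(user, password)


def demo() -> dict[str, Optional[str]]:
    """Run the thread's scenarios; return who vouched for each logon (None = refused)."""
    # Workgroup: every PC has its own SAM. Dave exists on PC1 and, identically, on PC3.
    pc1, pc2, pc3 = Machine("PC1"), Machine("PC2"), Machine("PC3")
    pc1.sam.add("dave", "s3cret!")
    pc3.sam.add("dave", "s3cret!")

    # Domain: M1 and M2 joined to CORP, Dave defined once on the DC.
    corp = Domain("CORP")
    corp.add("dave", "s3cret!", "Sales")
    m1, m2 = Machine("M1", corp), Machine("M2", corp)
    m1.sam.add("dave", "localpw")  # a *local* account that happens to share the name

    def who(tok: Optional[Token]) -> Optional[str]:
        return tok.authority if tok else None

    return {
        "workgroup_same_pc":      who(pc1.authenticate("dave", "s3cret!")),
        "workgroup_other_pc":     who(pc2.authenticate("dave", "s3cret!")),
        "workgroup_identical":    who(pc3.authenticate("dave", "s3cret!")),
        "domain_any_member":      who(m2.authenticate("dave", "s3cret!", domain="CORP")),
        "domain_wrong_password":  who(m2.authenticate("dave", "wrong", domain="CORP")),
        "local_on_member":        who(m1.authenticate("dave", "localpw")),
        "local_identity_travels": who(m2.authenticate("dave", "localpw")),
        "non_member_asks_dc":     who(pc1.authenticate("dave", "s3cret!", domain="CORP")),
    }


if __name__ == "__main__":
    for scenario, authority in demo().items():
        print(f"{scenario:24s} -> {authority or 'refused'}")
```

The `workgroup_other_pc` and `local_identity_travels` cases are Sparky's point 1 and Bluerinse's "local identity is not known outside your local machine": the target machine only has its own SAM to ask. `workgroup_identical` is the same-username-same-password workaround, and `domain_any_member` is the one account on the DC being accepted by every member.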
  7. stuPeas

    Thanks Sparky.

    What I meant to say was... What would be the sequence of events if THE SERVER WAS NEEDED? Would machine "A" request the share from machine "B", and machine B then contact the server to get machine A's permissions?

    Tell you the truth, I don't actually know what I mean now; my head is totally cabbaged.

    I think what I'm trying to say is:
    Having established that just because there is a server on the network doesn't mean that all shares from all networked PCs have to be moved to the server, and given that some shares may still reside on PCs on the LAN (that are not dedicated servers), then what is the procedure for PC1 when it wants to access a share on PC2?

    NOW..
    I gather that every share on the network is treated as an "object" that has an Access Control List (ACL) associated with it that determines which users or groups may perform certain actions upon it. So if this ACL is stored on the same machine that is hosting the shares, then WHY DO WE NEED THE SERVER?

    And if we move this access control list to the server (by the way, I don't know if we actually do this!!) then what is the procedure that a client has to go through when it wants to access a share that is hosted on some machine on the network (the share is not on the server, but the ACL IS on the server)?

    Also (I think I'll write a novel next)...
    What if a machine wants to make another "new" share available on the network? How does the server get to know about this "new" share?

    If I don't get it after this, I'll get a new career as a florist or something.

    Thanks guys
    Stuart
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  8. stuPeas

    Sorry if the stuff I just asked has been answered, but it took about 40 minutes to try and write that last post, in which time I've had 2 responses.
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  9. BosonMichael
    If you set this stuff up in a lab rather than just reading about it, it becomes much much MUCH clearer. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. Bluerinse
    Hehe, that happens; you have gotta learn to type faster :biggrin

    Check my post re the access token, I believe that will help you understand. It is that access token that is used to gain access to resources ie printers and shares etc.

    Note: we haven't mentioned Active Directory yet, which is a very complex subject, but just so you know, it is a database which keeps track of shares and other resources in a domain and controls who can do what.

    Resources are published in Active Directory so that users can find them. The Active Directory database is stored on a domain controller.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  11. stuPeas

    I knew it would be, but I've got no spare machine to use at the moment. I can't wait to get onto Apache; I've had that installed and waiting for a few weeks now (in fact I think I've got it twice, because I've just installed Linux Mandriva as a dual boot with my WindBLOWS XP Home machine).
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  12. Bluerinse
    I think you may be running XP's *simple file sharing*

    http://www.practicallynetworked.com/sharing/xp/filesharing.htm
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  13. stuPeas

    PLEASE...PLEASE....STOP...IT HURTS..
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  14. Bluerinse
    LOL :brancard :lolbang :microwave
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  15. Sparky
    My head hurts! :blink

    I would advise you to read over Blue's post; it explains it much better than me!

    From your last post....


    Let's say you had 5 PCs, all with shares and files, and then a server is added. The server will act as a domain controller and also a file server. (Nobody have a go at me for adding an extra role to a DC!) It is generally good practice to move all the shares onto the server and make the client PCs members of the domain. This means that all the user accounts are managed centrally and also user data can be backed up from one place, the server.

    Even if the network is configured this way there is nothing stopping you creating a share on your PC. You can then configure permissions with local user accounts (on the PC) and also with domain user accounts. Security groups can also be used. :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  16. stuPeas

    Hi Blue
    I've got a C&G Electronics as well. Took 3 years part time and I loved every second. I got so good at Boolean algebra that I ended up correcting the tutors and nearly teaching it myself (although you wouldn't believe that with these newbie posts).
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  17. Bluerinse
    Well if you can learn electronics you can also learn networking. I believe that understanding electronics helps consolidate a true understanding of how different technologies communicate. Don't beat yourself up about being new to this. We were all new to this at one time or another.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  18. stuPeas

    Cheers Blue. I must admit I was starting to get a bit depressed with this topic, but I think I'm almost there (and here comes the punchline). Is there any way you could interpret these two passages for me regarding all we have discussed so far? They come from the Sybex CIW Server Administrator's book.

    The first bit is talking about "access control lists (ACL)" and "user-level access" (i.e. where a share has user permissions as opposed to just a password).
    Here it is:
    "this access list can be central to a particular server or to an entire network".

    I'm not sure what the bold text means.

    Here's the next bit:
    "Operating systems that provide both centralised and local user-level server access include the following: Win2000 server..."

    Same again here, especially with regards to "local", i.e. don't centralised and local mean the same thing?

     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  19. Bluerinse
    Okay, it is out of context and damn confusing, so I am not sure what they mean either, but here is my take on things.

    If you join an XP workstation to a domain, it then becomes a member of that domain.

    Once it is a member of the domain, you can choose (with a drop-down list) at the log-in box to enter either your username and password for the domain *or* your username and password to log in locally. They are two different accounts with two different profiles, i.e. different desktops and favourites etc.

    If you log on locally, you will not authenticate with the domain controller and therefore you may not be granted access to resources on other computers on the network, because your local identity is not known outside your local machine: if you log in locally you will be authenticated by the local SAM (Security Accounts Manager) in XP.

    If you log-in to a domain you get authenticated by a domain controller which then gives you an access token that contains such things as your group membership etc.

    Now, any share on any domain member server (that won't be running *simple file sharing*, as it's turned off when you join a domain) will have an ACL (access control list). You can add users or groups to this list and tweak it so that only specific groups can do certain things. You could, for example, add the sales group and give them permission to read any documents in the share but not delete them; you could give the managers group different permissions, for example allowing them to delete documents as well as create new ones. When you create a new share, a built-in group called *everyone* is added and XP gives it the 'read only' share permission. This is the starting place, and you can remove that entry and configure the share with whatever permissions you desire.

    So with any shared resource, you can configure who can access it 'over the network' and give them different rights depending on their group membership.

    Note: these share permissions have no effect when a user is logged into the server console, i.e. he is sat at the server or remoting into it and not using the network.

    Note: you can further secure your resources using NTFS permissions; they have an effect both when the user is local, i.e. sat at the server, and for network access.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
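The share-permission rules Bluerinse lays out above (a new share starts with Everyone = Read, groups get different rights, share permissions are skipped for console access, NTFS permissions apply everywhere), carried through as an added example. This is not code from the thread or from Windows; it is a toy model of the evaluation, and the "Docs" share, the Sales and Managers groups and the users alice, bob and carol are constructed for illustration.

```python
"""Toy model of share permissions combined with NTFS permissions (added example).

Not code from the thread or from Windows. The share name, group names and
users below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    WRITE = auto()    # create or modify documents
    DELETE = auto()
    FULL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal, some rights, allow or deny."""
    principal: str    # user name or group name
    rights: Right
    allow: bool = True


@dataclass(frozen=True)
class Token:
    """Identity plus group membership, as issued at logon."""
    user: str
    groups: frozenset[str]

    def matches(self, principal: str) -> bool:
        # Everyone is a built-in group that every token belongs to.
        return principal == "Everyone" or principal == self.user or principal in self.groups


def effective_rights(acl: list[Ace], token: Token) -> Right:
    """Rights the token holds under one ACL.

    Matching allow entries accumulate; any matching deny entry removes those
    rights again. Windows walks ACEs in canonical order with explicit denies
    first, which gives the same result for these lists.
    """
    allowed, denied = Right(0), Right(0)
    for ace in acl:
        if not token.matches(ace.principal):
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied


@dataclass
class Share:
    name: str
    # Default share permission when a share is created on XP: Everyone, Read.
    share_acl: list[Ace] = field(default_factory=lambda: [Ace("Everyone", Right.READ)])
    # NTFS permissions on the folder behind the share; empty means nobody.
    ntfs_acl: list[Ace] = field(default_factory=list)


def access_check(share: Share, token: Token, wanted: Right, over_network: bool = True) -> bool:
    """Is `wanted` granted to `token` on this share?"""
    ntfs = effective_rights(share.ntfs_acl, token)
    if not over_network:
        # Sat at the console (or remote desktop): only NTFS permissions apply.
        return wanted in ntfs
    # Over the network both lists apply; the more restrictive one wins.
    return wanted in (effective_rights(share.share_acl, token) & ntfs)


def demo() -> dict[str, bool]:
    """Walk through the scenarios from the post and return each outcome."""
    docs = Share("Docs")
    # NTFS: Sales may read, Managers may also create and delete.
    docs.ntfs_acl = [Ace("Sales", Right.READ), Ace("Managers", Right.FULL)]
    alice = Token("alice", frozenset({"Sales"}))
    bob = Token("bob", frozenset({"Managers"}))
    carol = Token("carol", frozenset())       # no NTFS entry applies to her

    r = {}
    r["sales_read_default_share"] = access_check(docs, alice, Right.READ)
    r["stranger_read_default_share"] = access_check(docs, carol, Right.READ)
    r["manager_delete_default_share"] = access_check(docs, bob, Right.DELETE)
    r["manager_delete_at_console"] = access_check(docs, bob, Right.DELETE, over_network=False)

    # Replace the Everyone entry with the two groups, as the post suggests.
    docs.share_acl = [Ace("Sales", Right.READ), Ace("Managers", Right.FULL)]
    r["manager_delete_fixed_share"] = access_check(docs, bob, Right.DELETE)
    r["sales_delete_fixed_share"] = access_check(docs, alice, Right.DELETE)
    r["sales_read_fixed_share"] = access_check(docs, alice, Right.READ)

    # An explicit NTFS deny for bob beats the Managers allow, but only for DELETE.
    docs.ntfs_acl.append(Ace("bob", Right.DELETE, allow=False))
    r["manager_delete_with_deny"] = access_check(docs, bob, Right.DELETE)
    r["manager_write_with_deny"] = access_check(docs, bob, Right.WRITE)
    return r


if __name__ == "__main__":
    for scenario, granted in demo().items():
        print(f"{scenario:30s} -> {'granted' if granted else 'denied'}")
```

The `manager_delete_default_share` case is the one that catches people out: the NTFS permissions say Managers have full control, but the default Everyone = Read share permission caps everything that comes in over the network, so the manager can only delete when sat at the console until the share ACL is changed.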
  20. BosonMichael
    VMWare or Virtual PC are good tools to use if you've only got one PC. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
