@EddieJennings Cradlepoint routers are popular and work good but are a lot more expensive.

@fuznutz04 He used att and added it to his personal plan for $10/month. They have it billed as a "hotspot". He showed me the bill because I didn't believe him.

I have a 20/20 fiber connection as primary and another via cable modem as a backup. Works great and keeps everyone working if it does fail over. Don't see any reason why a cellular connection wouldn't work the same. I set up a site for a friend on cellular only and he gets a constant 80 mbps down and decent uploads. Been working fine for a few months. It uses the LB1120 from Netgear.

https://www.netgear.com/home/products/mobile-broadband/lte-modems/default.aspx

If you had a client/friend/relative and needed a file server for 'reasons' and they only knew MS since birth - would you still install a samba file server if licenses were not a factor?

Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it.

@Dashrender The original was intended to just run databases and did not have enough horsepower to run the other applications. A second was purchased and the plan is to migrate everything to it.

@Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora30 VMs.

@Dashrender said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

My best option IMO is to spin up 3 new VMs - 2 AD/DNS and 1 file server.

Where are you planning on hosting this? I have to assume you don't mean to buy two servers, and setup AD/DNS on each of them, plus then setup a file server on one of them as well? That would be hardware overkill for something like this.
So assuming you did go with a single server - then you're down to two VMs - 1 AD/DNS and 1 file server.

Another option would be 1 NAS, and simply map it to everyone's computer.

You mentioned managing local user accounts - do users move around and use other people's computers? or are they mainly only on their own? If they are mostly single use, a NAS is likely the best option. You'll build the users on the NAS and be done with it.

Nothing has to be purchased as there are 2 Hyper-V hosts running and are less than 6 months old.
Users only use 1 machine each. No roaming.

I know @Obsolesce uses samba too. How well does this work if the MS users connecting to samba sign in to their PCs with MS accounts instead of local user accounts? Basically, does it work properly with email addresses for usernames? I don't use MS accounts personally and have never tried to connect to a samba share that way.

That "tool" comes directly from https://www.ffiec.gov/ and it is apparently the "Gold Standard" that all financial institutions are graded by. It is a glorified Excel file with multiple tabs.

@scottalanmiller As far as samba goes - if they could manage it with Cockpit or the likes, it would be an easy choice.

@Obsolesce Yes. Unbelievable.

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

The more OSS you have, the lower your score will be.

Remember, all SEC regulated banks are 100% core on OSS. All, 100%. No exceptions. And their security is a million times the needs, audits, and requirements of small banks and little financials. In the REAL financial world, better security means better scores.

Literally, I'd consider legal action here. As the IT adviser, you have a legal requirement to let them know that they are being scammed and have a legal requirement to take action.

Exactly. Our main core is 100% Unix. Makes no sense how they come up with this stuff.

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

The more OSS you have, the lower your score will be.

Then it's an anti-audit. I mean it's that easy. If they are specifically penalizing security, that literally makes these guys social engineers / hackers. Instantly, you have a requirement to ban them from the company. Financial regulations actually makes that criminal.

Not to derail this thread, but I deal with this every year. These auditors come in and HAVE to find something "wrong" even though what they find are not actual problems. It just justifies the money spent for the audit. I know there are others on here who deal with these auditors. They know exactly how bad it is.

Here is an example from the FFIEC Cybersecurity Assesment Tool:

The more OSS you have, the lower your score will be.

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

They are 100% a MS shop so I think a Linux server with samba shares may not make sense.

Why? In what way would a Windows FS be superior?

By this logic, no shop would ever use NAS, SAN, or things like BSD, because they are not the OS of the desktops. Or Mac because it can't be used as a server. There can be a case, in extreme circumstances, where homogeneity itself has some value, but it's so rare that it should generally be simply discounted.

My logic here is: If the client wants to add a share on the MS server, they can easily do this themselves. If you throw samba in the mix, I feel they would struggle to understand why they are not using a MS server first, and then struggle to actually create a usable share in a system they know nothing about.

If it were for me, it would be samba 100%. I have to "fight" people all the time who will argue to the death that they don't want a Linux server of any type, because it is "free" and "not secure". I know we talk about audits all the time here on ML. The auditors, especially in the financial sector, argue this all the time and try to penalize you for using FOSS tools.

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

I confirmed yesterday that they prefer to have files accessible on the LAN versus through a web client/webdav.

WebDAV and LAN is the same thing to most people. Those aren't competing concepts. WebDAV and SMB shares are "the same thing." Both are "LAN mentality mapped drives." WebDAV works better over a WAN than SMB, but both are the same category of item, rather than alternatives.

WebDav is painfully slow for me, especially when connected to Nextcloud from a Windows 10 machine. I've tested this with multiple NC servers and different W10 clients, and at different locations. Browsing files and folders is fine. Opening, losing, and saving things take way longer than it should.

I think my best plan of action is to scrap AzureAD as they will never have servers hosted on Azure. I can pretty much guarantee this. I realize there is a hybrid approach but that just adds more complexity. My best option IMO is to spin up 3 new VMs - 2 AD/DNS and 1 file server. I know AD doesn't make much sense with 20 employees but it seems managing users in a regular "workgroup" with local accounts would take more effort. Am I wrong?
I confirmed yesterday that they prefer to have files accessible on the LAN versus through a web client/webdav. It has to be fast and reliable. They are 100% a MS shop so I think a Linux server with samba shares may not make sense.

@black3dynamite I looked into this one a few months after @Obsolesce mentioned it. Looks like it would be an excellent choice too.

@stacksofplates It has been a while since I've looked into Borg. I will check it out again.