[Samba] samba4 AD DC as file server?


d tbsky

Mar 11, 2013, 1:40:01 PM
hi:
I want to set up a small samba4 server with AD and file server functions.
I know that the samba4 AD DC has no NetBIOS browsing support. Are there other
missing functions, like winbindd or something else?

And if I install two samba4 instances, one to "/usr/local/samba" (for file
server), one to "/usr/local/samba-ad" (for AD DC), and give them two separate
IPs to bind, will it work better?

thanks a lot for suggestion!!

Regards,
tbskyd
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Mar 11, 2013, 6:40:01 PM
On Tue, 2013-03-12 at 01:30 +0800, d tbsky wrote:
> hi:
> I want to setup a small samba4 server with AD and file server function.
> I know that samba4 AD DC has no netbios browsing support. are there other
> missing functions, like winbindd or something else?

The next release will include this patch, which avoids mistakenly
creating world-writeable files in additional file shares.

> and if I install two samba4 instances, one to "/usr/local/samba" (for file
> server), one to "/usr/local/samba-ad" (for AD DC), and give them two separate
> IPs to bind, will it work better?

No, it would need to be a different virtual machine (you can only have
one winbind per machine, and the different winbind is the most important
difference between the operating modes).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

0001-param-Remove-incorrectly-added-defaults-in-AD-DC-all.patch

Gerry Reno

Mar 11, 2013, 8:10:01 PM
On 03/11/2013 06:34 PM, Andrew Bartlett wrote:
> On Tue, 2013-03-12 at 01:30 +0800, d tbsky wrote:
>> hi:
>> I want to setup a small samba4 server with AD and file server function.
>> I know that samba4 AD DC has no netbios browsing support. are there other
>> missing functions, like winbindd or something else?
> The next release will include this patch, which avoids mistakenly
> creating world-writeable files in additional file shares.
>
>> and if I install two samba4 instances, one to "/usr/local/samba" (for file
>> server), one to "/usr/local/samba-ad" (for AD DC), and give them two separate
>> IPs to bind, will it work better?
> No, it would need to be a different virtual machine (you can only have
> one winbind per machine, and the different winbind is the most important
> difference between the operating modes).
>
> Andrew Bartlett
>
>

Are you saying that it is not possible to use a Samba 4 AD DC as a file server?

Daniel Müller

Mar 12, 2013, 5:10:02 AM
Dear all,

I do a lot of testing with samba4 at this time. I set up a Samba 4 server on CentOS 6.3 and it is working just fine.
Now I tried to join a second samba4 to the existing domain by: samba-tool domain join tplechler DC -Uadministrator --realm=tplechler.kkh --dns-backend=BIND9_DLZ
This worked without any errors.
But samba_dnsupdate --verbose --all-names ends up with errors:

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 20 entries

The dns.keytab file was generated on domain join!?

samba-tool drs showrepl is ok:

Default-First-Site-Name\SAMBA4
DSA Options: 0x00000001
DSA object GUID: 9ed1322c-6044-4e17-b109-ce2809a52487
DSA invocationId: c2a9094f-afa6-4904-a5d3-b341be2b919d

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=tplechler,DC=kkh
Default-First-Site-Name\LINUX2 via RPC
DSA object GUID: a6f6ec2d-5b27-4dff-a2fc-581488411b99
Last attempt @ Tue Mar 12 10:02:29 2013 CET was successful
0 consecutive failure(s).
Last success @ Tue Mar 12 10:02:29 2013 CET

DC=ForestDnsZones,DC=tplechler,DC=kkh
Default-First-Site-Name\LINUX2 via RPC
DSA object GUID: a6f6ec2d-5b27-4dff-a2fc-581488411b99
Last attempt @ Tue Mar 12 10:02:29 2013 CET was successful
0 consecutive failure(s).
Last success @ Tue Mar 12 10:02:29 2013 CET

DC=tplechler,DC=kkh
Default-First-Site-Name\LINUX2 via RPC
DSA object GUID: a6f6ec2d-5b27-4dff-a2fc-581488411b99
Last attempt @ Tue Mar 12 10:02:29 2013 CET was successful
0 consecutive failure(s).
Last success @ Tue Mar 12 10:02:29 2013 CET

CN=Configuration,DC=tplechler,DC=kkh
Default-First-Site-Name\LINUX2 via RPC
DSA object GUID: a6f6ec2d-5b27-4dff-a2fc-581488411b99
Last attempt @ Tue Mar 12 10:02:29 2013 CET was successful
0 consecutive failure(s).
Last success @ Tue Mar 12 10:02:29 2013 CET

DC=DomainDnsZones,DC=tplechler,DC=kkh
Default-First-Site-Name\LINUX2 via RPC
DSA object GUID: a6f6ec2d-5b27-4dff-a2fc-581488411b99
Last attempt @ Tue Mar 12 10:02:29 2013 CET was successful
0 consecutive failure(s).
Last success @ Tue Mar 12 10:02:29 2013 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 7dcfeeaa-a228-4275-bce6-bba8f787a350
Enabled : TRUE
Server DNS name : linux2.tplechler.kkh
Server DN name : CN=NTDS Settings,CN=LINUX2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tplechler,DC=kkh
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
-----------------------------------------------
IT: Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
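Daniel's `samba-tool drs showrepl` output is the sort of thing worth checking automatically on a freshly joined DC rather than reading by eye. The script below is an added example, not part of Daniel's post and not Samba's own code: it parses the text format shown above and turns it into a list of problems. The embedded sample is his output abridged to two partitions, plus a third, constructed partition with a failing inbound neighbour so the failure path is exercised; the "failed, result ..." line in that constructed entry is an assumed format, not something shown in the thread.

```python
import re

# Sample input: Daniel's showrepl output abridged to two partitions, plus a
# third, constructed partition with a failing inbound neighbour (the
# "failed, result ..." line is an assumed format, not from the thread).
SAMPLE_SHOWREPL = r"""
Default-First-Site-Name\SAMBA4
DSA Options: 0x00000001
DSA object GUID: 9ed1322c-6044-4e17-b109-ce2809a52487
DSA invocationId: c2a9094f-afa6-4904-a5d3-b341be2b919d

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=tplechler,DC=kkh
Default-First-Site-Name\LINUX2 via RPC
DSA object GUID: a6f6ec2d-5b27-4dff-a2fc-581488411b99
Last attempt @ Tue Mar 12 10:02:29 2013 CET was successful
0 consecutive failure(s).
Last success @ Tue Mar 12 10:02:29 2013 CET

DC=tplechler,DC=kkh
Default-First-Site-Name\LINUX2 via RPC
DSA object GUID: a6f6ec2d-5b27-4dff-a2fc-581488411b99
Last attempt @ Tue Mar 12 10:02:29 2013 CET was successful
0 consecutive failure(s).
Last success @ Tue Mar 12 10:02:29 2013 CET

DC=DomainDnsZones,DC=tplechler,DC=kkh
Default-First-Site-Name\LINUX2 via RPC
DSA object GUID: a6f6ec2d-5b27-4dff-a2fc-581488411b99
Last attempt @ Tue Mar 12 10:02:29 2013 CET failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
3 consecutive failure(s).
Last success @ Tue Mar 12 09:32:11 2013 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 7dcfeeaa-a228-4275-bce6-bba8f787a350
Enabled : TRUE
Server DNS name : linux2.tplechler.kkh
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
"""

SECTIONS = {"==== INBOUND NEIGHBORS ====": "inbound",
            "==== OUTBOUND NEIGHBORS ====": "outbound"}
NEIGHBOR_RE = re.compile(r"^(?P<site>[^\\]+)\\(?P<dc>\S+) via (?P<transport>\S+)$")
FAILURES_RE = re.compile(r"^(?P<n>\d+) consecutive failure\(s\)\.$")


def parse_showrepl(text):
    """showrepl text -> {"inbound": [...], "outbound": [...], "warnings": [...]}.

    Each neighbour dict records the partition (naming context) it replicates,
    the source DC, whether the last attempt succeeded and the failure count.
    """
    report = {"inbound": [], "outbound": [], "warnings": []}
    direction = partition = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):
            direction = SECTIONS.get(line)      # None for the KCC section
            partition = current = None
            continue
        if line.startswith("Warning:"):
            report["warnings"].append(line)
            continue
        if direction is None:
            continue                            # header lines or KCC block
        if line.startswith(("CN=", "DC=")):
            partition, current = line, None
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            current = {"partition": partition, "source": m.group("dc"),
                       "transport": m.group("transport"), "ok": None, "failures": 0}
            report[direction].append(current)
            continue
        if current is None:
            continue
        if line.startswith("Last attempt"):
            current["ok"] = line.endswith("was successful")
        else:
            f = FAILURES_RE.match(line)
            if f:
                current["failures"] = int(f.group("n"))
    return report


def replication_problems(report):
    """Things an operator should look at; an empty list means healthy."""
    problems = []
    for n in report["inbound"]:
        if n["ok"] is False or n["failures"]:
            problems.append("inbound %s from %s: %d consecutive failure(s)"
                            % (n["partition"], n["source"], n["failures"]))
    if not report["outbound"]:
        # Normal minutes after a join (the peer has not pulled from us yet),
        # a problem if it persists. Assumed interpretation, not from the thread.
        problems.append("no outbound neighbours: no DC is replicating from this one")
    problems.extend(report["warnings"])
    return problems


if __name__ == "__main__":
    for p in replication_problems(parse_showrepl(SAMPLE_SHOWREPL)):
        print(p)
```

Run it against `samba-tool drs showrepl` output piped from each DC in turn; anything it prints for a DC that has been joined for more than a few minutes deserves a look, and a non-zero consecutive failure count on an inbound neighbour is the first thing to chase.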

Rowland Penny

Mar 12, 2013, 5:50:02 AM
On 12/03/13 00:02, Gerry Reno wrote:
> On 03/11/2013 06:34 PM, Andrew Bartlett wrote:
>> On Tue, 2013-03-12 at 01:30 +0800, d tbsky wrote:
>>> hi:
>>> I want to setup a small samba4 server with AD and file server function.
>>> I know that samba4 AD DC has no netbios browsing support. are there other
>>> missing functions, like winbindd or something else?
>> The next release will include this patch, which avoids mistakenly
>> creating world-writeable files in additional file shares.
>>
>>> and if I install two samba4 instances, one to "/usr/local/samba" (for file
>>> server), one to "/usr/local/samba-ad" (for AD DC), and give them two separate
>>> IPs to bind, will it work better?
>> No, it would need to be a different virtual machine (you can only have
>> one winbind per machine, and the different winbind is the most important
>> difference between the operating modes).
>>
>> Andrew Bartlett
>>
>>
> Are you saying that it is not possible to use a Samba 4 AD DC as a file server?
>
>

You can create shares on samba4 and connect to them from the CLI, via
smbclient for instance; you just cannot browse to them.
The accepted practice seems to be to set up Samba 4 for authorisation and
then set up a separate Samba3 fileserver.

Rowland



Denis Witt

Mar 12, 2013, 9:20:03 AM
On Tue, 12 Mar 2013 09:43:46 +0000
Rowland Penny <rpe...@f2s.com> wrote:

> You can create shares on samba4 and connect to them from the CLI, via
> smbclient for instance; you just cannot browse to them.
> The accepted practice seems to be to set up Samba 4 for authorisation
> and then set up a separate Samba3 fileserver.

Hi,

I'm using Samba 4.0.3 as an AD DC here and, yes, it doesn't show up in
the Network list of my clients, but if you type in the machine name or
the IP, the (visible) shares are shown as usual. Also, you can create a
Group Policy to bind the shares as network drives. So I can't see any
reason why someone should set up a separate Samba3 as a fileserver. File
and access rights are working fine, too (and they are easier to handle
than Samba3 rights when you can make use of xattrs).

Did I miss something?

Bye for now.

Jim Potter

Mar 12, 2013, 5:20:01 PM
Hi all,

I've been wondering about the separate DC and fileserver setup (and the 2
winbinds) too.

In my current setup (samba3/openLDAP) all my fileservers are DCs because
then I don't have to worry about idmaps and winbind at all.

This DC/fileserver samba4 separation can't be the recommended setup purely
because the DCs don't do network browsing, surely. In my environment (a
school) a browseable network neighbourhood is trouble and disabled for
everyone. Except me.

Am I right in thinking that a Samba3 fileserver is recommended because it's
more tried and tested at fileserving, and separating out the DC'ing onto a
samba4 box just separates everything nicely and avoids complications? Or
does a samba4 DC also acting as a fileserver have limitations of some kind?

cheers

Jim

Andrew Bartlett

Mar 13, 2013, 12:50:02 AM
On Mon, 2013-03-11 at 20:02 -0400, Gerry Reno wrote:
> On 03/11/2013 06:34 PM, Andrew Bartlett wrote:
> > On Tue, 2013-03-12 at 01:30 +0800, d tbsky wrote:
> >> hi:
> >> I want to setup a small samba4 server with AD and file server function.
> >> I know that samba4 AD DC has no netbios browsing support. are there other
> >> missing functions, like winbindd or something else?
> > The next release will include this patch, which avoids mistakenly
> > creating world-writeable files in additional file shares.
> >
> >> and if I install two samba4 instances, one to "/usr/local/samba" (for file
> >> server), one to "/usr/local/samba-ad" (for AD DC), and give them two separate
> >> IPs to bind, will it work better?
> > No, it would need to be a different virtual machine (you can only have
> > one winbind per machine, and the different winbind is the most important
> > difference between the operating modes).
> >
> > Andrew Bartlett
> >
> >
>
> Are you saying that it is not possible to use a Samba 4 AD DC as a file server?

It is fully supported, but please use the patch I e-mailed while we wait
for the wheels to turn on a security release with it in.

We have generally suggested separating the roles, but that is because we
think that users of our AD DC might wish to have different redundancy,
life cycle and other requirements between the two modes of operation.
This applies particularly on larger sites.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
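Andrew's patch (the attachment above) removes defaults that made newly created files on additional shares world-writable when smbd runs inside the AD DC. Until a release carrying it is installed, the practical checks are `testparm -v`, which prints every parameter including the built-in defaults, and a script like the one below. It is an added example, not Samba's own code and not from Andrew's post: it reads an smb.conf (a constructed sample is embedded), computes the mode a new file and directory would receive on each share from `create mask`, `force create mode`, `directory mask` and `force directory mode` as smb.conf(5) documents them (smbd starts from 0666 for a non-read-only file and 0777 for a directory before applying the mask and then ORing the force bits), flags any share where the result is world-writable, and walks a share path for files that are already o+w. The defaults 0744/0755/0000/0000 are the documented Samba 4 ones, i.e. the patched state; if `inherit permissions` or default POSIX ACL entries are in play the mode comes from the parent instead, which this check does not model.

```python
import os
import stat
import tempfile

# Constructed sample smb.conf; [dropbox] and [reports] are deliberately bad.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller

[test]
    path = /data/test
    comment = Test Share
    read only = no

[dropbox]
    path = /data/dropbox
    read only = no
    create mask = 0777
    directory mask = 0777

[reports]
    path = /data/reports
    read only = no
    force create mode = 0002
"""

# Documented Samba 4 defaults (assumes the patched, non-world-writable set).
DEFAULTS = {"create mask": 0o744, "directory mask": 0o755,
            "force create mode": 0o000, "force directory mode": 0o000}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _mode_param(share, glob, key):
    """Share-level value, else [global] value, else the documented default."""
    raw = share.get(key, glob.get(key))
    return int(raw, 8) if raw is not None else DEFAULTS[key]


def effective_modes(sections, share_name):
    """(file_mode, dir_mode) that a client creating on this share would get."""
    glob, share = sections.get("global", {}), sections[share_name]
    file_mode = (0o666 & _mode_param(share, glob, "create mask")) \
        | _mode_param(share, glob, "force create mode")
    dir_mode = (0o777 & _mode_param(share, glob, "directory mask")) \
        | _mode_param(share, glob, "force directory mode")
    return file_mode, dir_mode


def world_writable_shares(sections):
    """[(share, file_mode, dir_mode)] for shares that would create o+w entries."""
    bad = []
    for name in sections:
        if name == "global":
            continue
        f, d = effective_modes(sections, name)
        if (f | d) & stat.S_IWOTH:
            bad.append((name, f, d))
    return bad


def find_world_writable(root):
    """Relative paths under root (symlinks skipped) that are already o+w."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo_scan():
    """Build a throwaway share tree with one leaked file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("ok.txt", 0o644), ("leaked.txt", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return find_world_writable(root)


if __name__ == "__main__":
    for share, f, d in world_writable_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%s: new files %04o, new directories %04o" % (share, f, d))
    print("already world-writable in demo tree:", demo_scan())
```

The filesystem walk matters as much as the config check: files created while the bad defaults were in effect keep their mode after the upgrade, so run `find_world_writable` over each share path once the fixed release is in and clean up what it reports.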


Andrew Bartlett

Mar 13, 2013, 12:50:02 AM
On Tue, 2013-03-12 at 21:10 +0000, Jim Potter wrote:
> Hi all,
>
> I've been wondering about the separate DC and fileserver setup (and the 2
> winbinds) too.
>
> In my current setup (samba3/openLDAP) all my fileservers are DCs because
> then I don't have to worry about idmaps and winbind at all.
>
> This DC/fileserver samba4 separation can't be the recommended setup purely
> because the DCs don't do network browsing, surely. In my environment (a
> school) a browseable network neighbourhood is trouble and disabled for
> everyone. Except me.
>
> Am I right in thinking that a Samba3 fileserver is recommended because it's
> more tried and tested at fileserving, and separating out the DC'ing onto a
> samba4 box just separates everything nicely and avoids complications? Or
> does a samba4 DC also acting as a fileserver have limitations of some kind?

The default file server in Samba 4.0 is our smbd file server from Samba
3.x, simply updated with the latest work from that line of
development.

No matter if you are running an AD DC, or a file server as a member
server, we use the same code for file server operations. However, some
support infrastructure varies between the operating modes, and some
options are forced on in the AD DC, so as to emulate NT ACLs in the way
we must for the SYSVOL share. We also use a different winbind
implementation.

For smaller sites, where there is just one server, using the AD DC as
the file server is perfectly fine and supported. It will work well.

For other (generally larger) sites, the knowledge that the file server
and DC can be configured, upgraded and replicated independently will be
far more important, so follow our advice to separate these roles.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org


Tran Tien Hung

Mar 14, 2013, 4:40:01 AM
Hi.
Configuring a Samba4 AD DC as a file server is very easy.

Check the following:
File System Support

To use the advanced features of Samba4 you need a filesystem that supports
both the "user" and "system" xattr namespaces.
ext3/ext4 File System

If you are using either ext3 or ext4 for your file system you will need to
include the options "user_xattr","acl" and "barrier=1" in your /etc/fstab.
For example:

/dev/hda3 /home ext3 user_xattr,acl,barrier=1 1 1

Simply change ext3 to ext4 if you are using it. Normally you will want to
just modify the existing line to add those options. Please use caution when
modifying your fstab as it can lead to an un-bootable system if the wrong
thing is modified.

The *barrier=1* option ensures that tdb transactions are safe against
unexpected power loss. A number of sites have corrupted their AD database
in sam.ldb by not having this option enabled.

You also need to compile your kernel with the XATTR, SECURITY, and
POSIX_ACL options for your filesystem. For ext3 (change the 3 to a 4 for
ext4) that means you need:

CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT3_FS_POSIX_ACL=y



Step 12: Set up a File Share

The provisioning will create a very simple /usr/local/samba/etc/smb.conf file
with no non-system shares by default. For the server to be useful, you will
need to update it to have at least one share. For example:

[test]
path = /data/test
comment = Test Share
read only = no



After the file system and the share are set up, we can use the share in Windows
to set permissions (using the user database in AD) for that share.

Fly.
Hung.
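Checking the preconditions above by hand (mount options in fstab, kernel options, then the share) is easy to get wrong, so here is an added example, not from the Samba wiki and not from Hung's post, that does it for a given share path: it resolves which fstab entry backs the path, checks that an ext3/ext4 entry carries user_xattr, acl and barrier=1, and checks that the kernel .config has the XATTR, SECURITY and POSIX_ACL options for that filesystem type. The fstab and .config fragments are constructed; on a real host read /etc/fstab and /boot/config-$(uname -r) (or /proc/config.gz). Two caveats: fstab shows what was requested, not what is mounted, and many distributions compile acl and user_xattr in as filesystem defaults, so confirm a reported miss with `mount` before changing anything; and on kernels newer than the wiki text the EXT4_FS_XATTR option no longer exists because ext4 xattr support became unconditional, so drop it from the list there.

```python
import re

# Mount options the Samba wiki asks for on ext3/ext4.
REQUIRED_MOUNT_OPTS = {"ext3": {"user_xattr", "acl", "barrier=1"},
                       "ext4": {"user_xattr", "acl", "barrier=1"}}
# Kernel options the wiki asks for (the "3" becomes "4" for ext4).
REQUIRED_KCONFIG = {fs: ["CONFIG_%s_FS_XATTR" % fs.upper(),
                         "CONFIG_%s_FS_SECURITY" % fs.upper(),
                         "CONFIG_%s_FS_POSIX_ACL" % fs.upper()]
                    for fs in REQUIRED_MOUNT_OPTS}

# Constructed /etc/fstab: /home is right, /data and / are missing options.
SAMPLE_FSTAB = """\
/dev/sda1  /      ext4   defaults                   1 1
/dev/hda3  /home  ext3   user_xattr,acl,barrier=1   1 1
/dev/sdb1  /data  ext4   defaults,user_xattr        1 2
tmpfs      /tmp   tmpfs  defaults                   0 0
"""

# Constructed kernel .config fragment: ext3 lacks the SECURITY namespace.
SAMPLE_KCONFIG = """\
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
# CONFIG_EXT3_FS_SECURITY is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
"""


def parse_fstab(text):
    """fstab lines -> list of {device, mountpoint, fstype, options(set)}."""
    mounts = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4:
            mounts.append({"device": fields[0], "mountpoint": fields[1],
                           "fstype": fields[2], "options": set(fields[3].split(","))})
    return mounts


def mount_for_path(mounts, path):
    """Entry with the longest mountpoint that is a prefix of path."""
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = m
    return best


def parse_kconfig(text):
    """Names of options set to y or m in a kernel .config."""
    return {m.group(1) for m in
            (re.match(r"^(CONFIG_\w+)=[ym]$", l.strip()) for l in text.splitlines()) if m}


def check_share_path(path, mounts, kconfig):
    """Problems that would stop Samba's xattr/ACL features working on path."""
    m = mount_for_path(mounts, path)
    if m is None:
        return ["%s: no fstab entry covers this path" % path]
    fstype = m["fstype"]
    if fstype not in REQUIRED_MOUNT_OPTS:
        return ["%s: on %s, which this check does not cover" % (path, fstype)]
    problems = []
    missing = sorted(REQUIRED_MOUNT_OPTS[fstype] - m["options"])
    if missing:
        problems.append("%s: %s (%s) lacks mount options %s"
                        % (path, m["mountpoint"], fstype, ",".join(missing)))
    problems.extend("%s: kernel built without %s" % (path, opt)
                    for opt in REQUIRED_KCONFIG[fstype] if opt not in kconfig)
    return problems


if __name__ == "__main__":
    mounts, kconfig = parse_fstab(SAMPLE_FSTAB), parse_kconfig(SAMPLE_KCONFIG)
    for share in ("/home/shares/test", "/data/test", "/srv/share", "/tmp/scratch"):
        print(share, "->", check_share_path(share, mounts, kconfig) or ["ok"])
```

Feed it the `path =` of every share in smb.conf; a share on a filesystem that fails the check will still serve files, but the NT ACLs Samba stores in xattrs (and the SYSVOL ACLs the AD DC depends on) will not work as expected, and without barrier=1 the sam.ldb corruption the wiki warns about is a real risk on power loss.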