inhibit startup of smbd/nmbd/winbindd when an AD DC (was Re: Releasing Samba 4.0 RC1?)

Sun Aug 19 00:53:07 MDT 2012

On 18/08/12 22:50, Andrew Bartlett wrote:
> On Sat, 2012-08-18 at 19:48 +0200, Michael Wood wrote:
>> Hi
>>
>> On 17 August 2012 23:52, Andrew Bartlett<abartlet at samba.org>  wrote:
>>> On Fri, 2012-08-17 at 13:46 -0300, Juan Pablo Lorier wrote:
>>>> Hi Andrew,
>>>> I deal with a lot of Microsoft lovers that often diminish the power of
>>>> open source software and Samba is a keystone for Unix/linux system to
>>>> stay strong in server environments and for gaining new desktops everyday
>>>> and I defend it as the great product it is, just don't want those guys
>>>> something to ground their critics.
>>>> Regards,
>>> G'day Juan Pablo,
>>>
>>> I understand your concern, and we may very well ship Samba 4.0 with a
>>> general caution on multi-DC use (also because we do not have a file
>>> systems replication protocol for sysvol yet).
>>>
>>> However, as you would have seen elsewhere in this thread, there is a
>>> cost to constantly calling this a beta:  network administrators who have
>>> tested Samba carefully and do have Samba 4.0 working very well for them
>>> are forced to argue why their networks should be trusted the beta
>>> software.  We know our code isn't perfect, but our automated testing
>>> also shows it is pretty good, and we also need to show some of the same
>>> confidence our users are already putting in it.
>>>
>>> We will not stop working to address the very real issues that do come
>>> up, but we should draw a line in the sand and say 'our users can
>>> confidently use this'.
>> I think it might help to make it extremely clear and explicit that
>> Samba 4 can be run as a DC using the samba binary, or it can be run
>> like a Samba 3 file/print server using the smbd/nmbd binaries, and any
>> other modes it can be used in.  I know the release notes try to do
>> this, but I think there's still a lot of confusion from users.
> I actually plan to do more than that.  It's a little tricky (which is
> why it's not done yet), and I'll allow an override, but being a AD DC
> puts 'server role = active directory domain controller' in the smb.conf.
> I would like to have smbd/nmbd/winbindd check this value and then simply
> fail to start up.
>
> Andrew Bartlett
>

If you do not allow smbd/nmbd/winbindd to start without fully 
transferring their actions to the samba daemon, you will not in my 
opinion have an AD domain controller as per microsofts spec or what the 
majority of users want.
This is just my opinion, but I would have thought that most users want a 
server that could be a direct swap with a microsoft one, if you read 
what a microsoft server can do, there is a long way to go.

Rowland

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.