Confused about samba4 & s3fs

Rowland Penny repenny at f2s.com
Mon Aug 20 02:44:03 MDT 2012


On 20/08/12 09:04, Gémes Géza wrote:
> On 2012-08-19 14:42, Rowland Penny wrote:
>> On 17/08/12 04:49, Andrew Bartlett wrote:
>>> On Thu, 2012-08-16 at 09:51 +0100, Rowland Penny wrote:
>>>> Hi, over on the samba-users forum, somebody asked a question about
>>>> Samba4's rfc2307 compatibility with Samba3 and got this reply:
>>>>
>>>> [quote]
>>>> At this stage, we still don't recommend combining file server and DC
>>>> functions.  By separating these functions onto different (virtual)
>>>> servers, you can avoid this issue.
>>>> [unquote]
>>>>
>>>> but from '[ANNOUNCE] Samba 4.0 beta6' there is this statement:
>>>>
>>>> [quote]
>>>> In particular note that the new default configuration 's3fs' may have
>>>> different stability characteristics compared with our previous default
>>>> file server.  We are making this release so that we can find and fix
>>>> any of these issues that arise in the real world.
>>>> [unquote]
>>>>
>>>> I do not understand this, the first statement says don't do it, the
>>>> second says please try it and see if any issues arise.
>>> For the AD DC, we have always recommended separation, and using a Samba
>>> 3.x member server for critical files.  However, there are some functions
>>> of being an AD DC that require a file server, such as providing the
>>> sysvol share, and DCE/RPC pipes over SMB.
>>>
>>> We chose to make 's3fs' the default in the AD DC, and did so earlier
>>> than perhaps it was perfectly stable because we need the feedback (no
>>> point pulling the switch on the day of the first release candidate!).
>>>
>>> The challenge in making that change in default is that the old default
>>> was incredibly stable!  The ntvfs file server isn't being further
>>> developed, but folks who have had long-standing Samba4 deployments
>>> simply haven't had issues with it, and found Samba4 quite stable
>>> overall, despite the 'alpha' designation.  As such, it was a step into
>>> the unknown at that point, and an odd situation where we worried the
>>> 'beta' releases could be less stable than the alphas that preceded
>>> them!
>>>
>>> I will tidy up these statements on the basis of the experience we have
>>> had since that time.
>>>
>>>> There is also this statement in '[ANNOUNCE] Samba 4.0 beta6'
>>>>
>>>> [quote]
>>>> Samba 4.0 beta ships with two distinct file servers.  We now use the
>>>> file server from the Samba 3.x series 'smbd' for all file serving by
>>>> default.  For pure file server work, the binaries users would expect
>>>> from that series (nmbd, winbindd, smbpasswd) continue to be available.
>>>> [unquote]
>>>>
>>>> From these two statements from '[ANNOUNCE] Samba 4.0 beta6', my
>>>> understanding is that 's3fs' can & should be used to test it, is this
>>>> correct? And if not, why not?
>>> This is and will remain the default configuration of the AD DC. We
>>> expect it to work (modulo known bugs such as changing group policies as
>>> non-administrator) but we need folks to test it to help assure us of
>>> that.
>>>
>>> Andrew Bartlett
>>>
>> So after considering all the answers this thread has produced, I 
>> think that provided I only start the samba daemon, (which will start 
>> the smbd and the builtin winbindd daemons), I can use s3fs to export 
>> unix home directories & windows profile shares so that s3fs can be 
>> tested. I must also use ACLs on the server for directory & file 
>> ownership.
>>
>> Is the above correct?
>>
>> Rowland
>>
>>
> Hi Rowland
>
> I would suggest setting up a separate server running samba3 (or smbd, 
> nmbd, winbind from samba4) for sharing home directories. Reasons:
> 1. samba/s3fs doesn't support the [homes] share which (in case of 
> smbd) automatically maps to the user's home folder
> 2. the winbind implementation in the samba binary (samba4) doesn't 
> support the use of a different path for home directories (home folders 
> need to be: /home/${DOMAINNAME}/${USERNAME})
>
> Regards
>
> Geza Gemes
>
>
>

Thanks Geza, but you have confused me again!

If we consider this reply to one of Steve's emails over on samba-users, 
which seems to say 'use s4 for authentication and another s3x server as 
a fileserver':

  On 11/08/12 07:39, Andrew Bartlett wrote:
 > On Fri, 2012-08-10 at 06:04 +0200, steve wrote:
 >> Hi
 >> In Samba3, I have full rfc2307 compliance via winbind where all
 >> attributes can be obtained from AD.
 >>
 >> In Samba4 I only have partial rfc2307 compatibility with:
 >> idmap_ldb:use rfc2307 = yes
 >> uidNumber and gidNumber can be obtained from AD but unixHomeDirectory
 >> and loginShell are missing.
 >>
 >> The workarounds are to use the winbind [homes] share and link from there
 >> to the real unixHomeDirectory or else use nss-ldapd.
 >>
 >> Is it planned that Samba4 winbind will inherit all of rfc2307 at some stage?
 >
 > At this stage, we still don't recommend combining file server and DC
 > functions.  By separating these functions onto different (virtual)
 > servers, you can avoid this issue.
 >
 > (snip)
 > Andrew Bartlett
 >

with this reply (to another of Steve's emails), this time, here on 
samba-technical:

On 19/08/12 23:53, Andrew Bartlett wrote:
 > On Sun, 2012-08-19 at 20:06 +0200, steve wrote:
 >
 > (snip)
 >> Given a college with 2000 students and dual boot KDE/w7 with art and
 >> design taking up the vast majority of the file server in jpg's via gimp
 >> and photoshop alone, where would you go?
 >>
 >> S4/s3fs. S4DC/S3.6
 >
 > This.  It doesn't really matter what solution the DC uses (so use the
 > default: s3fs), but for 2000 students hitting a server with graphic
 > files, I would ideally suggest a separate server for them.
 > (snip)
 >
 > Andrew Bartlett
 >

The latest one seems to say that it is OK to use S4 s3fs to serve files; 
it would seem that in 8 days a certain Andrew Bartlett has changed his 
mind! And yes, I know he said use a separate server, but this would be 
for the graphic files.

Yes, you are correct about the homes shares, but what if you export them 
as normal shares and call them anything but [homes]? This works by the way.

Rowland




