Confused about samba4 & s3fs

steve steve at steve-ss.com
Mon Aug 20 03:18:55 MDT 2012


On 20/08/12 10:04, Gémes Géza wrote:
> 2012-08-19 14:42 keltezéssel, Rowland Penny írta:
>> On 17/08/12 04:49, Andrew Bartlett wrote:
>>> On Thu, 2012-08-16 at 09:51 +0100, Rowland Penny wrote:
>>>> Hi, over on the samba-users forum, somebody asked a question about
>>>> Samba4's rfc2307 compatibility with Samba3 and got this reply:
>>>>
>>>> [quote]
>>>> At this stage, we still don't recommend combining file server and DC
>>>> functions.  By separating these functions onto different (virtual)
>>>> servers, you can avoid this issue.
>>>> [unquote]
>>>>
>>>> but from '[ANNOUNCE] Samba 4.0 beta6' there is this statement:
>>>>
>>>> [quote]
>>>> In particular note that the new default configuration 's3fs' may have
>>>> different stability characteristics compared with our previous default
>>>> file server.  We are making this release so that we can find and fix
>>>> any of these issues that arise in the real world.
>>>> [unquote]
>>>>
>>>> I do not understand this, the first statement says don't do it, the
>>>> second says please try it and see if any issues arise.
>>> For the AD DC, we have always recommended separation, and using a Samba
>>> 3.x member server for critical files.  However, there are some functions
>>> of being an AD DC that require a file server, such as providing the
>>> sysvol share, and DCE/RPC pipes over SMB.
>>>
>>> We chose to make 's3fs' the default in the AD DC, and did so earlier
>>> than perhaps it was perfectly stable because we need the feedback (no
>>> point pulling the switch on the day of the first release candidate!).
>>>
>>> The challenge in making that change in default is that the old default
>>> was incredibly stable!  The ntvfs file server isn't being further
>>> developed, but folks who have had long-standing Samba4 deployments
>>> simply haven't had issues with it, and found Samba4 quite stable
>>> overall, despite the 'alpha' designation.  As such, it was a step into
>>> the unknown at that point, and an odd situation where we worried the
>>> 'beta' releases could be less stable than the alphas that preceded
>>> them!
>>>
>>> I will tidy up these statements on the basis of the experience we have
>>> had since that time.
>>>
>>>> There is also this statement in '[ANNOUNCE] Samba 4.0 beta6'
>>>>
>>>> [quote]
>>>> Samba 4.0 beta ships with two distinct file servers.  We now use the
>>>> file server from the Samba 3.x series 'smbd' for all file serving by
>>>> default.  For pure file server work, the binaries users would expect
>>>> from that series (nmbd, winbindd, smbpasswd) continue to be available.
>>>> [unquote]
>>>>
>>>>   From these two statements from '[ANNOUNCE] Samba 4.0 beta6', my
>>>> understanding is that 's3fs' can & should be used to test it, is this
>>>> correct? and if not, why not.
>>> This is and will remain the default configuration of the AD DC. We
>>> expect it to work (modulo known bugs such as changing group policies as
>>> non-administrator) but we need folks to test it to help assure us of
>>> that.
>>>
>>> Andrew Bartlett
>>>
>> So after considering all the answers this thread has produced, I think
>> that provided I only start the samba daemon, (which will start the
>> smbd and the builtin winbindd daemons), I can use s3fs to export unix
>> home directories & windows profile shares so that s3fs can be tested.
>> I must also use ACLs on the server for directory & file ownership.
>>
>> Is the above correct?
>>
>> Rowland
>>
>>
> Hi Rowland
>
> I would suggest setting up a separate server running samba3 (or smbd,
> nmbd, winbind from samba4) for sharing home directories. Reasons:
> 1. samba/s3fs doesn't support the [homes] share which (in case of smbd)
> automatically maps to the user's home folder
> 2. the winbind implementation in the samba binary (samba4) doesn't
> support the use of a different path for home directories (home folders
> need to be: /home/${DOMAINNAME}/${USERNAME})
>
> Regards
>
> Geza Gemes

Hi Géza
In fact we went through this last Xmas when we went over the possibility
of storing unixHomeDirectory in AD and pulling it _not_ by winbind but
using nslcd/nss-pam-ldapd, which works perfectly, and gets around the
problem of the /home/${DOMAINNAME}/${USERNAME} restriction of s3fs.

Rowland
I would steer well clear of winbind on the DC. It just isn't ready. 
nss-ldapd works fast and furious out of the box. I'd recommend using it 
over winbind any day.
HTH
Cheers,
Steve
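
An nslcd.conf sketch of the approach described in the message above (unixHomeDirectory read from AD by nslcd instead of winbind). This is an added example, not configuration posted by anyone in the thread; the host name, base DN, bind account and CA path are placeholders, and the TLS and credential-handling lines are assumptions about a sensible deployment:

```conf
# /etc/nslcd.conf (nss-pam-ldapd) -- added example, placeholder values.
# Keep this file root-owned and mode 0600: it holds a bind password.

# Unprivileged account the daemon runs as.
uid nslcd
gid nslcd

# Placeholder DC and search base; substitute your own.
uri ldap://dc1.example.com
base dc=example,dc=com

# Dedicated read-only account (placeholder DN). Never bind as Administrator.
binddn cn=nslcd-reader,cn=Users,dc=example,dc=com
bindpw REPLACE_WITH_SECRET

# Protect the simple bind and the returned attributes on the wire.
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ca.pem

# Only expose AD users that carry the rfc2307 attributes, so that
# machine and service accounts without a uidNumber never become
# valid local identities.
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid           sAMAccountName
map    passwd gecos         displayName
# The home directory comes from the per-user AD attribute rather than
# a fixed /home/${DOMAINNAME}/${USERNAME} template.
map    passwd homeDirectory unixHomeDirectory

# Groups: same rule, require a gidNumber.
filter group (&(objectClass=group)(gidNumber=*))

# Password hashes are not served over NSS from AD; authentication
# goes through PAM (for example pam_krb5 or pam_ldap), not shadow.
filter shadow (&(objectClass=user)(uidNumber=*))
map    shadow uid sAMAccountName

# Bound how long lookups can stall if the DC is unreachable.
bind_timelimit 5
timelimit 10
```

For these maps to take effect, `ldap` has to be listed for `passwd` and `group` in /etc/nsswitch.conf; `getent passwd <user>` should then return the home directory stored in AD.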



More information about the samba-technical mailing list