A DRAFT statement on our build systems for Samba 4.0

Dewayne Geraghty dewayne.geraghty at heuristicsystems.com.au
Thu May 17 18:57:54 MDT 2012


Andrew, thank you for the excellent draft, though I have some minor points
following from Simo's suggestions.

1. We secure systems and distribute on Compact Flash and other media.  Our
clients typically run Samba3 DCs with Windows Server 2003 and 2008 servers
joined to them.  Having a "Standard Samba 4" build with everything needed
is certainly the Holy Grail; however, the need for builds that only require
file services or print services remains, for two reasons: minimisation of
threat profile, and keeping systems small (and usually simple, or at least
consistent).

To achieve this, we currently virtualise services to reduce the opportunity
of a failed/hacked (sub)system, so LDAP lives on one, Samba3 on another, DNS &
DHCP on another, and so on.  Similarly, the disks are stratified by service.
The point being, installing a full AD kit on both the HQ/"Head Office" system
as well as remote branches will unnecessarily expose elements, as well as
"bulk up" the deployment.  So having options to build only what's needed
would be beneficial for roll-out planning, ease of maintenance, & risk
reduction.

2. Another point of clarification for your draft: because there has been an
evolution of Samba4 to include previously third-party items (a significant
portion of Heimdal, a "Samba LDAP" (for want of a better expression), and
I've lost track of whether there's a "Samba DNS/DHCP/NTP" instance), would
your draft benefit from identifying what the new elements are, so community
members can start planning their migration from the services that they may
already have in place?  Or am I stretching the purpose too thinly?

My current thinking is to have two Samba4 servers, one at HQ and the other at
the contingency site(s), and Samba3 file/print servers at the branch sites.
I haven't been able to determine how DNS and DHCP will interact, as the
branches need resilience so they can function when their inter-office
network becomes unavailable: folks can continue to print, email, and web
browse.

I see a LOT of challenges ahead, though I look forward to fulfilling the
aspiration of secure AD services.

Kind regards, Dewayne
PS: I acknowledge the recently updated Samba4 HowTo wiki page.