Server Role questions

Andrew Bartlett abartlet at samba.org
Fri Jun 14 18:09:48 MDT 2013


On Fri, 2013-06-14 at 09:47 -0500, Ricky Nance wrote:
> Ok, so I am back to the issue of trying to get the samba binary to 'do the
> right thing' and only start the needed services (instead of just warning
> the user about it not being an AD DC).
> 
> Currently samba has 5 different server roles defined:
> 
> } srv_role_tab [] = {
>         { ROLE_STANDALONE, "ROLE_STANDALONE" },
>         { ROLE_DOMAIN_MEMBER, "ROLE_DOMAIN_MEMBER" },
>         { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
>         { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
>         { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
>         { 0, NULL }
> 
> so if it's not defined it falls into the NULL role. In my continuing efforts
> to make things 'easier' I would like to know what all can fall under the
> NULL (what kind of setups don't match the above). Obviously things like a
> standalone NMBD server or WINBINDD server, but are there others? If so can
> anyone explain what needs to be spawned and why?
> 
> Is there a need to add new roles? Can the 'server services =' be taken into
> account when the above roles aren't matched? Is there documentation on how
> the roles are supposed to act when they are used (and if not, can we start
> there)? Sorry for all the questions, but I am really needing some developer
> feedback here.

We don't ever fall into a 'null' role; we always have a role.

The default for 'server role' is 'auto', which then works it out by
looking at the security, domain logons and domain master parameters.

The reverse is also true - the security, domain logons and domain master
parameters derive from the server role.  We can't set 'security=domain'
this way, but I would love to see if we could auto-detect this in
winbind and at join time enough to eliminate this parameter (keeping the
winbind rpc only = yes).

The issue is that currently, due to exceptions like the ntvfs cifs
proxy, dcerpc services such as openchange and the rpc proxy, the server
role isn't quite enough.  But I can handle these exceptions.  If you
were to make 'samba' launch all the right services (start with the code
in file_server), and not launch all the others for the normal meanings
of the roles above, that would be a great start.

I would recommend having the un-needed services just not start in the
same way the ldap server does, with task_server_terminate(), when not
required.  We can improve this in the future, but this will at least get
us a first working patch.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
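
As an added illustration that is not part of the original message or of Samba's source: a simplified C model of the 'auto' derivation described in the reply, plus the role check a service would make before terminating itself at init. The helper names, the SEC_* enum, the exact parameter-to-role mapping and the rule that LDAP is wanted only on an AD DC are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: role names mirror the table quoted above, values are arbitrary. */
enum server_role { ROLE_AUTO, ROLE_STANDALONE, ROLE_DOMAIN_MEMBER, ROLE_DOMAIN_BDC,
                   ROLE_DOMAIN_PDC, ROLE_ACTIVE_DIRECTORY_DC };
/* Assumed values of the 'security' parameter, for illustration only. */
enum security_mode { SEC_AUTO, SEC_USER, SEC_DOMAIN, SEC_ADS };

/* Hypothetical helper: an explicit 'server role' wins; 'auto' is worked out
 * from security, domain logons and domain master (assumed mapping). */
enum server_role resolve_server_role(enum server_role configured,
                                     enum security_mode security,
                                     bool domain_logons, bool domain_master)
{
    if (configured != ROLE_AUTO)
        return configured;
    switch (security) {
    case SEC_DOMAIN:
    case SEC_ADS:
        return ROLE_DOMAIN_MEMBER;
    case SEC_AUTO:
    case SEC_USER:
        if (domain_logons)
            return domain_master ? ROLE_DOMAIN_PDC : ROLE_DOMAIN_BDC;
        break;
    }
    /* No role is ever "null": anything unmatched is a standalone server. */
    return ROLE_STANDALONE;
}

/* Hypothetical gate a service task consults at init; when it returns false
 * the task terminates instead of listening, so un-needed services never
 * expose a network endpoint. */
bool ldap_service_required(enum server_role role)
{
    return role == ROLE_ACTIVE_DIRECTORY_DC;
}

int main(void)
{
    enum server_role r = resolve_server_role(ROLE_AUTO, SEC_USER, true, false);
    printf("auto + domain logons, no domain master -> role %d, ldap %s\n",
           r, ldap_service_required(r) ? "starts" : "terminates at init");
    return 0;
}
```

In this model 'auto' never resolves to the AD DC role, so the LDAP gate only opens when that role is configured explicitly.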



