Samba 4 testbed

Ray Klassen rklassen at
Thu Sep 19 19:18:16 CEST 2013

"We would encourage you to report your successes and failures to the
samba-technical mailing list"

So this is me reporting

I have an existing production samba 3 domain controller that has about
30 shares all hidden, all governed by 'valid users' and 'force group'
etc. directives (the kind of thing that samba4 rules out.-- I found that
out later) The LDAP server on that box is replicated to about 8
read-only copies for use by the server on which they reside -- email,
caldav, web services, etc.

set up a semi-private vlan for doing a test migration

for a quick and dirty samba 3 domain to migrate
figured I will need a bind DNS backend. apt-get source bind9. edited
debian/rules to include --with-dlopen, debuild -uc -us --
voila! bind with dlopen

ran the conversion
configured nslcd.conf to use kstart following
(goto include a reverse lookup domain!)

created a typical share (as on my current domain controller) with "valid
users" etc. Found that it doesn't work at all(!) although the directive
is actually honoured -- log level = 255 dumps a lot of information about
searching in the specified group and not finding the user in it.

experimented with changing the share permissions from a workstation,
OK(!)if we must behave exactly like windows we must. We now even have to
hide shares in a traditional windows fashion by adding a '$' because
otherwise they won't present themselves to be managed remotely from said

Created a second server running samba 3 and joined it to the samba 4
domain successfully with nslcd (using the same setup as above pointing
to the domain controller as ldap server) handling uid resolving etc. and
all shares still behave as expected -- based on that, am planning to
demote my current domain controller to a domain server and migrate
shares over to another samba 4 server gradually before redoing that
server from the ground up.

Looking at the logs, /usr/local/samba/var/log.smbd complains that cups
is not available. So apt-get install cups. everything is happy.

Problem. After reboot, kerberos, nslcd etc. do not work. Resolving names
in the samba domain do not work, except when using the host utility
directly. Kerberos complains that it can't find a kdc. Ping doesn't
resolve names. After looking at the output of strace ping <host> I was
intrigued by the presence of avahi in the list of system calls ping
made. I tried uninstalling it (and cups! debian makes avahi-daemon a
dependency of cups) and eureka! things suddenly work again.

Am thinking of setting up another dc or two to handle all the ldap stuff
from the other servers. That will not be very easy.


*Ray Klassen*

 IT Manager

Communitas Supportive Care Society
/Office 604 850 6608 x331
Mobile 604 308 6215/

More information about the samba-technical mailing list