[Samba] Basic questions regarding Samba capabilities

Jason Voorhees jvoorhees1 at gmail.com
Fri May 25 08:48:30 MDT 2012

Hi, thanks for your reply:

On Mon, May 21, 2012 at 7:51 AM, Aaron E. <ssureshot at gmail.com> wrote:
> First, I'm not sure if you're speaking of samba4 or just upgrading your s3
> domain structure .. my comments are based on samba4 hope it helps ..

Actually I was thinking about using a stable version of Samba like
3.x. I know that Samba 4 is still being developed for many years. Do
you really suggest me to use this alpha version of Samba4 for a
critical environment like the one I described? It would be great to
have an Open Source ADS implementation with Samba4 but for now I think
I can just get as much as possible of features that Samba 3.x can
offer me.

> Policies: -- Group policy works with S4.. So whatever group policies you can
> set in windows DC you can set on the S4 dcs..

What tool do you use for edit/create policies? I was reading a little
about the native MS Windows 2000 tool for policy editing but if you
suggest me to use Samba4 I believe you could recommend me to use the
Windows 2003/2008 policy editor or something like that?

> Scalability -- 1PDC and several BDCs would be your answer. Essentially you're
> going to create the same infrastructure as you would with the windows family
> of servers. instead of multiple pdc's you'd use bdc's in different
> vlans.. or RODC's but I am not sure where the RODC's are in terms of
> completeness.

I'm sorry but I have never heard about RODCs before. Are they read
only primary or backup domain controller? How do they work?

> Backend -- OPENLDAP isn't supported as a back-end.. I believe that your only
> option is to use the built-in samba4 back-end at this point..
> Compatibility -- there are no special steps in joining windows 7 or 2008
> servers to the S4 domain..
> There is an upgrade script that should pull your users and computers to the
> new domain, obviously this would require extensive testing in your
> environment.

Thanks for all
> On 05/20/2012 11:32 AM, Jason Voorhees wrote:
>> Hi people:
>> I've been using Samba for a long time with some "basic" features like
>> Samba working as a PDC, integrated with OpenLDAP, being a print
>> server, among others, for a small number of "almost controlled" users
>> (no more than 30 or 50 users).
>> But now I'm interested to implement a Windows domain using Samba for a
>> University with 6000-8000 users distributed through several VLANs,
>> subnets, offices in a medium/big campus. I'd like to avoid using a
>> proprietary solution like Windows 2008 with ADS so I'd like to know
>> some suggestions like these:
>> Policies:
>> =======
>> - How well can Samba manage policies for workstations?
>> - Is it easy or safe to apply and/or remove policies from workstations?
>> - What kind of things can I allow or deny from succeeding in
>> workstations using policies? For example: could I avoid users from
>> changing the IP address of the workstation? Could I set a fixed
>> wallpaper or internet explorer proxy settings to workstations?
>> Scalability
>> ========
>> In a big scenario like the previous I mentioned:
>> - How many BDCs would be needed? Is it enough to have 1 PDC and several
>> BDCs?
>> - Is it possible to have multiple PDCs of the same domain each one
>> being in a different VLAN? or, what's the right approach in terms of
>> structure-architecture to implement PDCs and BDCs?
>> Backend
>> =======
>> Definitely I plan to use OpenLDAP as backend but, similar to the
>> previous question about BDCs: how many Master/Slave OpenLDAP servers
>> do you think it would be necessary? It could be 1 BDC+OpenLDAP (slave
>> or master) for each office or VLAN?
>> Compatibility:
>> ===========
>> - I know that are some procedures to join Windows 7 to Samba domain, I
>> did this before successfully. Do you know -maybe- of another possible
>> compatibility problem that you suggest I can be prepared for?
>> - If after some time (weeks, months or years) I plan to replace this
>> Samba based domain to Windows 2k ADS domain: is it possible to do this
>> migration without problem? it isn't necessary to reinstall all the
>> domain and rejoin all the workstation?
>> Technically I can investigate how to implement each of these features
>> (policies, BDCs, openldap, etc...) but before taking a decision like
>> this I would like to have some suggestions of people that have done
>> similar implementations before. This help would be excellent for
>> me, I hope someone can help.
>> Thanks