[Samba] Basic questions regarding Samba capabilities

Lukasz Zalewski lukas at eecs.qmul.ac.uk
Fri May 25 10:26:19 MDT 2012

Hi Jorell,
On 25/05/12 16:57, Jorell wrote:
> On 5/25/2012 7:48 AM, Jason Voorhees wrote:
>> Hi, thanks for your reply:
>> On Mon, May 21, 2012 at 7:51 AM, Aaron E.<ssureshot at gmail.com> wrote:
>>> First, I'm not sure if your speaking of samba4 or just upgrading your s3
>>> domain structure .. my comments are based on samba4 hope it helps ..
>> Actually I was thinking about using a stable version of Samba like
>> 3.x. I know that Samba 4 is still being developed for many years. Do
>> you really suggest me to use this alpha version of Samba4 for a
>> critical environment like the one I described? It would be great to
>> have an Open Source ADS implementation with Samba4 but for now I think
>> I can just get as much as possible of features that Samba 3.x can
>> offer me.
>  >
>  From reading the mailing list, people using S4 for it's Active
> Directory have had great success, it's when they try to use the file
> server side of things is when they have problems.
> Also Samba 4 ADS is interchangeable with Windows Server ADS.

We have been running samba4 in production environment for almost two 
years. Our setup is quite basic, single S4 DC, and s3 member servers for 
file serving and printing.
We have ~300 pc's (almost all Windows 7) and ~2500 users

But you probably will need more elaborate setup.

>>> Policies: -- Group policy works with S4.. So whatever group policies
>>> you can
>>> set in windows DC you can set on the S4 dcs..
>> What tool do you use for edit/create policies? I was reading a little
>> about the native MS Windows 2000 tool for policy editing but if you
>> suggest me to use Samba4 I believe you could recommend me to use the
>> Windows 2003/2008 policy editor or something like that?
> To manage group policies you install "Group Policy Management Console"
> (gpmc.msi) on a windows workstation connected to the domain.
Windows RAT will do the trick:

>>> Scalability -- 1PDC and several BDCs would be your answer.
>>> Essentially your
>>> going to create the same infrastructure as you would with the windows
>>> family
>>> of servers. unstead of multiple pdc's you'd use bdc's at in different
>>> vlans.. or RODC's but I am not sure where the RODC's are in terms of
>>> completeness.
>> I'm sorry but I have never heard about RODCs before. Are they read
>> only primary or backup domain controller? How do they work?
>>> Backend -- OPENLDAP isn't supported as a back-end.. I believe that
>>> your only
>>> option is to use the built-in samba4 back-end at this point..
>>> Compatability -- there are no special steps in joining windows 7 or 2008
>>> servers to the S4 domain..
>>> There is an upgrade script that should pull your users and computers
>>> to the
>>> new domain, obviously this would require extensive testing in your
>>> environment.
>> Thanks for all
>>> On 05/20/2012 11:32 AM, Jason Voorhees wrote:
>>>> Hi people:
>>>> I've been using Samba for a long time with some "basic" features like
>>>> Samba working as a PDC, integrated with OpenLDAP, being a print
>>>> server, among others, for a small number of "almost controlled" users
>>>> (no more than 30 or 50 users).
>>>> But now I'm interested to implement a Windows domain using Samba for a
>>>> University with 6000-8000 users distributed through several VLANs,
>>>> subnets, offices in a medium/big campus. I'd like to avoid using a
>>>> propietary solution like Windows 2008 with ADS so I'd like to know
>>>> some suggestions like these:
>>>> Policies:
>>>> =======
>>>> - How well can Samba manage policies for workstations?
>>>> - Is it easy or safe to apply and/or remove policies from workstations?
>>>> - What kind of things can I allow or deny from succeding in
>>>> workstations using policies? For example: could I avoid users from
>>>> changing the IP address of the workstation? Could I set a fixed
>>>> wallpaper or internet explorer proxy settings to workstations?
>>>> Scalability
>>>> ========
>>>> In a big scenario like the previous i mentioned:
>>>> - How many BDCs would be needed? Is it enough to have 1 PDC and
>>>> severals
>>>> BDCs?
>>>> - Is it possible to have multiple PDCs of the same domain each one
>>>> being in a different VLAN? or, what's the right approach in terms of
>>>> structure-architecture to implement PDCs and BDCs?
>>>> Backend
>>>> =======
>>>> Definitely I plan to use OpenLDAP as backend but, similar to the
>>>> previous question about BDCs: how many Master/Slave OpenLDAP servers
>>>> do you think it would be necessary? It could be 1 BDC+OpenLDAP (slave
>>>> or master) for each office or VLAN?
>>>> Compatibility:
>>>> ===========
>>>> - I know that are some procedures to join Windows 7 to Samba domain, I
>>>> did this before successfully. Do you know -maybe- of another possible
>>>> compatibility problem that you suggest I can be prepared for?
>>>> - If after some time (weeks, months or years) I plan to replace this
>>>> Samba based domain to Windows 2k ADS domain: is it possible to do this
>>>> migration without problem? it isn't necessary to reinstall all the
>>>> domain and rejoin all the workstation?
>>>> Technically I can investigate how to implement each of these features
>>>> (policies, BDCs, openldap, etc...) but before taking a decision like
>>>> this i would like to have some suggestions of people that have done
>>>> similar implementations before. This help it would be excellent for
>>>> me, I hope some one can help.
>>>> Thanks
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list