[Samba] Basic questions regarding Samba capabilities

Andrew Bartlett abartlet at samba.org
Sun May 27 22:23:32 MDT 2012

On Fri, 2012-05-25 at 09:48 -0500, Jason Voorhees wrote:
> Hi, thanks for your reply:
> On Mon, May 21, 2012 at 7:51 AM, Aaron E. <ssureshot at gmail.com> wrote:
> > First, I'm not sure if you're speaking of samba4 or just upgrading your s3
> > domain structure .. my comments are based on samba4 hope it helps ..
> >
> Actually I was thinking about using a stable version of Samba like
> 3.x. I know that Samba 4 is still being developed for many years. Do
> you really suggest me to use this alpha version of Samba4 for a
> critical environment like the one I described? It would be great to
> have an Open Source ADS implementation with Samba4 but for now I think
> I can just get as much as possible of features that Samba 3.x can
> offer me.

The problem with deploying a Samba3 DC is that you cannot use group
policies in that version.  Only an AD DC can do that - which is one of
the major reasons we have done it. 

> > Policies: -- Group policy works with S4.. So whatever group policies you can
> > set in windows DC you can set on the S4 dcs..
> >
> What tool do you use for edit/create policies? I was reading a little
> about the native MS Windows 2000 tool for policy editing but if you
> suggest me to use Samba4 I believe you could recommend me to use the
> Windows 2003/2008 policy editor or something like that?

You use the Microsoft management tools, just as if you were running a
headless AD DC from Microsoft.  Search for the 'Remote server
administration tools' and you should find it.

> > Scalability -- 1PDC and several BDCs would be your answer. Essentially you're
> > going to create the same infrastructure as you would with the windows family
> > of servers. Instead of multiple pdc's you'd use bdc's in different
> > vlans.. or RODC's but I am not sure where the RODC's are in terms of
> > completeness.
> >
> I'm sorry but I have never heard about RODCs before. Are they read
> only primary or backup domain controller? How do they work?

The major gap on RODCs at the moment is that we need to record the
attributes that we replicate to the RODC.  We don't do that at the

> > Backend -- OPENLDAP isn't supported as a back-end.. I believe that your only
> > option is to use the built-in samba4 back-end at this point..
> >
> > Compatibility -- there are no special steps in joining windows 7 or 2008
> > servers to the S4 domain..
> >
> > There is an upgrade script that should pull your users and computers to the
> > new domain, obviously this would require extensive testing in your
> > environment.
> >
> >
> >
> Thanks for all
> >
> > On 05/20/2012 11:32 AM, Jason Voorhees wrote:
> >>

> >> Compatibility:
> >> ===========
> >> - I know that there are some procedures to join Windows 7 to Samba domain, I
> >> did this before successfully. Do you know -maybe- of another possible
> >> compatibility problem that you suggest I can be prepared for?
> >> - If after some time (weeks, months or years) I plan to replace this
> >> Samba based domain to Windows 2k ADS domain: is it possible to do this
> >> migration without problem? it isn't necessary to reinstall all the
> >> domain and rejoin all the workstation?

If you were to go with Samba 3.x, then you could upgrade to Samba4.
Some folks have used this as a path to Microsoft's AD.   However, the
upgrade will only consider the Samba account details, not the full
LDAP directory structure.

If you want AD, then go with Samba 4.0.  We hope to release a beta very
soon, now that we have integrated the new file server.  While we provide
tools for the upgrade, it is much easier to just start with that than to
upgrade to it, because you will develop tools and procedures for
modifying the LDAP directory, and many of these would need to be
rewritten, and adapted to the new schema.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
