[Samba] Questions for minimal AD DC, DNS setup and Posix use
Dewayne
dewayne.geraghty at heuristicsystems.com.au
Wed Jan 30 22:55:17 MST 2013
Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares
will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our
current environment is Samba-3.6.9 PDC,BDCs & fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.
My questions are:
AD DC
Are smbd and winbindd necessary on the AD DC. I would prefer to start samba with only what it needs to function. When I kill the
smbd and winbindd processes, the kerberos, ldap & dns functionality remain. How can I produce a minimal AD DC:
1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
2) If not, is there a better way than "kill -9" to achieve the result of samba4 without smbd, winbindd?
For readers new to RODC, this is useful: http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx
DNS
DNS is required in Samba4 AD DC as explained here http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's article
is informative).
The internal DNS works like a dream. However the internal DNS doesn't slave to a master DNS, so --dns-backend=BIND9_DLZ is the best
option for a complex environment using Windows servers as members or DC's. However:
3) For Samba4 AD DC to act purely as an authentication engine, within a UNIX only servers where PCs and WinServers are effectively
desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC functionality. (Or are these contradictory
requirements).
4) If we need to redesign our DNS infrastructure, is it sufficient that a dhcp server, provide updates to bind9-DLZ (as a component
of Samba4 AD DC)?
Posix
In a Samba3 world, I rely upon smbldap-tools (http://gna.org/projects/smbldap-tools) to manipulate user/group information,
including assignment of uidNumber/gidNumber that is unique to an individual, per IT audit instruction.
I would greatly appreciate guidance on how to set/use posix on Samba4. I've spent 4 hours trolling the web and mailing list
searches with hints or scripts, so
5) Do I need to manually add the ldap posixAccount object to each users' ldap record, or is there an option in samba-tool user
create that I haven't found? Next issue is how to manage as the uidNumber/gidNumber content?
{This was being worked: http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html ?}
6) Is there any mechanism that allows me to change the uid's being assigned to files that are created by Samba AD DC to being the
same as pre-existing uid's used by Samba3. For example changing uid 3000020 to 1046, or gid 3000019 to 1001?
Miscellaineous
7) Will the list of smb.conf options described in samba4 source folder source4/TODO be updated to reflect what appears in "testparm
-vss"? It's a little confusing as to which takes precedence?
With some instruction, I'd be happy to update/maintain some wiki information for others' benefit.
Regards, Dewayne.
More information about the samba
mailing list