[Samba] Questions for minimal AD DC, DNS setup and Posix use

Dewayne dewayne.geraghty at heuristicsystems.com.au
Wed Jan 30 22:55:17 MST 2013

Our plan is to have one AD DC running in Head Office, RODCs at branches and a second writeable DC at a contingency site. Fileshares
will run on separate servers.  The Windows 2003/2008 servers use authentication services from samba4 and run applications.  Our
current environment is a Samba-3.6.9 PDC, BDCs and fileshares; openldap stores the samba and posix data and acts as the heimdal backend, for SSO.

My questions are:

Are smbd and winbindd necessary on the AD DC?  I would prefer to start samba with only what it needs to function. When I kill the
smbd and winbindd processes, the kerberos, ldap and dns functionality remain. How can I produce a minimal AD DC:

1) Do I need smbd to parse the smb.conf for samba4 to start correctly?

2) If not, is there a better way than "kill -9" to achieve the result of samba4 without smbd, winbindd?

For readers new to RODC, this is useful: http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx

DNS is required in Samba4 AD DC as explained here http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's article
is informative).

The internal DNS works like a dream. However the internal DNS doesn't slave to a master DNS, so --dns-backend=BIND9_DLZ is the best
option for a complex environment using Windows servers as members or DCs. However:

3) For Samba4 AD DC to act purely as an authentication engine, within a UNIX-only server environment where PCs and Windows servers are effectively
desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC functionality? (Or are these contradictory?)

4) If we need to redesign our DNS infrastructure, is it sufficient that a dhcp server provides updates to bind9-DLZ (as a component
of Samba4 AD DC)?

In a Samba3 world, I rely upon smbldap-tools (http://gna.org/projects/smbldap-tools) to manipulate user/group information,
including assignment of a uidNumber/gidNumber that is unique to an individual, per IT audit instruction.

I would greatly appreciate guidance on how to set/use posix on Samba4.  I've spent 4 hours trawling the web and mailing list
searches for hints or scripts, so:

5) Do I need to manually add the ldap posixAccount object to each user's ldap record, or is there an option in samba-tool user
create that I haven't found?  The next issue is how to manage the uidNumber/gidNumber content.
{This was being worked: http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html ?}

6) Is there any mechanism that allows me to change the uids being assigned to files that are created by Samba AD DC to be the
same as the pre-existing uids used by Samba3?  For example, changing uid 3000020 to 1046, or gid 3000019 to 1001.


7) Will the list of smb.conf options described in the samba4 source folder source4/TODO be updated to reflect what appears in "testparm
-vss"?  It's a little confusing as to which takes precedence.

With some instruction, I'd be happy to update/maintain some wiki information for others' benefit.

Regards, Dewayne.
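As an added example, not part of the original post and not Samba's own tooling: the audit requirement raised under question 5 (a uidNumber/gidNumber unique to each individual) can be checked offline against an LDIF export of the user entries, and the missing RFC2307 attributes can be generated as LDIF modify records rather than edited by hand. The script below parses LDIF (including folded lines and base64 `attr::` values), reports duplicate uidNumbers, lists users with no posixAccount/uidNumber, allocates fresh uidNumbers above the highest one already used in a configured range so retired ids are never reused, and fails loudly when the range is exhausted. The sample entries, DNs, the 1000-1999 range and gidNumber 1001 are all constructed for illustration; whether a Samba AD user needs an explicit posixAccount objectClass, or the RFC2307 attributes can be set directly on the user class, depends on the schema in use and is an assumption here.

```python
"""Audit RFC2307 (posixAccount) attributes in an LDIF export of AD DC users.
Added example, not from the original post or the Samba project; sample data is constructed."""
import base64
from collections import defaultdict

# Constructed LDIF export: alice/bob collide on uidNumber, carol has no POSIX
# attributes at all, dave shows a base64-encoded value (attr:: form).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
objectClass: posixAccount
sAMAccountName: alice
uidNumber: 1046
gidNumber: 1001

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
objectClass: posixAccount
sAMAccountName: bob
uidNumber: 1046
gidNumber: 1001

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol

dn: CN=dave,CN=Users,DC=example,DC=com
objectClass: user
objectClass: posixAccount
sAMAccountName:: ZGF2ZQ==
uidNumber: 1047
gidNumber: 1001
"""


def parse_ldif(text):
    """Return a list of entries as {attribute-lowercased: [values]} dicts."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():               # a blank line ends a record
            if current is not None:
                entries.append(dict(current))
            current = None
            continue
        if line.startswith("#") or (current is None and line.lower().startswith("version:")):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith("<"):           # attr:< URL references are not inlined
            continue
        if rest.startswith(":"):           # attr:: base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    if current is not None:
        entries.append(dict(current))
    return entries


def has_posix(entry):
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "posixaccount" in classes and bool(entry.get("uidnumber"))


def missing_posix(entries):
    """DNs of users with no posixAccount class or no uidNumber."""
    return [e["dn"][0] for e in entries if not has_posix(e)]


def duplicate_uids(entries):
    """uidNumber -> DNs sharing it; the audit rule requires this to be empty."""
    owners = defaultdict(list)
    for e in entries:
        for uid in e.get("uidnumber", []):
            owners[uid].append(e["dn"][0])
    return {uid: dns for uid, dns in owners.items() if len(dns) > 1}


def allocate_uids(entries, low, high):
    """Give each user lacking a uidNumber the next value above the highest one
    already used in [low, high]; retired numbers are never reused."""
    used = {int(u) for e in entries for u in e.get("uidnumber", []) if low <= int(u) <= high}
    nxt = max(used) + 1 if used else low
    alloc = {}
    for dn in missing_posix(entries):
        if nxt > high:
            raise ValueError("uidNumber range %d-%d exhausted" % (low, high))
        alloc[dn], nxt = nxt, nxt + 1
    return alloc


def modify_ldif(entry, uid, gid):
    """LDIF changetype:modify adding the missing RFC2307 attributes to one user."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    parts = ["dn: " + entry["dn"][0], "changetype: modify"]
    if "posixaccount" not in classes:      # assumption: auxiliary class is added explicitly
        parts += ["add: objectClass", "objectClass: posixAccount", "-"]
    parts += ["add: uidNumber", "uidNumber: %d" % uid, "-"]
    if not entry.get("gidnumber"):
        parts += ["add: gidNumber", "gidNumber: %d" % gid, "-"]
    return "\n".join(parts) + "\n"


def fix_ldif(entries, low, high, gid):
    """Combined LDIF for every user missing POSIX attributes."""
    by_dn = {e["dn"][0]: e for e in entries}
    return "\n".join(modify_ldif(by_dn[dn], uid, gid)
                     for dn, uid in allocate_uids(entries, low, high).items())


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for uid, dns in duplicate_uids(users).items():
        print("DUPLICATE uidNumber %s: %s" % (uid, ", ".join(dns)))
    print(fix_ldif(users, 1000, 1999, gid=1001))
```

Run against the sample, it reports alice and bob sharing 1046 and emits one modify record giving carol uidNumber 1048 and gidNumber 1001. The emitted LDIF can be applied with ldapmodify, or with Samba's ldbmodify against the DC's sam.ldb (the path to that file is install-specific and assumed). Allocating above the current maximum rather than filling the lowest gap is deliberate: an id that was once used by a departed user is never handed to someone else, which is what the audit rule about uniqueness to an individual is usually driving at.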

