[Samba] Questions for minimal AD DC, DNS setup and Posix use

Daniel Müller mueller at tropenklinik.de
Thu Jan 31 01:37:17 MST 2013


For your "POSIX" issue there could be an interesting hint:
https://wiki.samba.org/index.php/Samba4/beyond

Good Luck
Daniel 

-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im
Auftrag von Dewayne
Gesendet: Donnerstag, 31. Januar 2013 06:55
An: samba at lists.samba.org
Betreff: [Samba] Questions for minimal AD DC, DNS setup and Posix use

Our plan is to have one AD DC running in Head Office, RODC's at Branches and
a second writeable DC at a contingency site. Fileshares will run on separate
servers.  The Windows 2003/2008 Servers use authentication services from
samba4 and run applications.  Our current environment is Samba-3.6.9
PDC,BDCs & fileshares, openldap stores samba, posix and acts as heimdal
backend - for SSO.

My questions are:

AD DC
Are smbd and winbindd necessary on the AD DC.  I would prefer to start samba
with only what it needs to function. When I kill the smbd and winbindd
processes, the kerberos, ldap & dns functionality remain. How can I produce
a minimal AD DC:

1) Do I need smbd to parse the smb.conf for samba4 to start correctly?

2) If not, is there a better way than "kill -9" to achieve the result of
samba4 without smbd, winbindd?

For readers new to RODC, this is useful:
http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx


DNS
DNS is required in Samba4 AD DC as explained here
http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's
article is informative).

The internal DNS works like a dream. However the internal DNS doesn't slave
to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex
environment using Windows servers as members or DC's. However:

3) For Samba4 AD DC to act purely as an authentication engine, within a UNIX
only servers where PCs and WinServers are effectively desktops for users;
can I use --dns-backend=NONE without loss of DRS or RODC functionality. (Or
are these contradictory requirements).

4) If we need to redesign our DNS infrastructure, is it sufficient that a
dhcp server, provide updates to bind9-DLZ (as a component of Samba4 AD DC)?


Posix
In a Samba3 world, I rely upon  smbldap-tools
(http://gna.org/projects/smbldap-tools) to manipulate user/group
information, including assignment of uidNumber/gidNumber that is unique to
an individual, per IT audit instruction.

I would greatly appreciate guidance on how to set/use posix on Samba4.  I've
spent 4 hours trolling the web and mailing list searches with hints or
scripts, so

5) Do I need to manually add the ldap posixAccount object to each users'
ldap record, or is there an option in samba-tool user create that I haven't
found?  Next issue is how to manage as the uidNumber/gidNumber content?
{This was being worked:
http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-D
Cs-td4637386.html ?}

6) Is there any mechanism that allows me to change the uid's being assigned
to files that are created by Samba AD DC to being the same as pre-existing
uid's used by Samba3.  For example changing uid 3000020 to 1046, or gid
3000019 to 1001? 


Miscellaineous

7) Will the list of smb.conf options described in samba4 source folder
source4/TODO be updated to reflect what appears in "testparm -vss"?  It's a
little confusing as to which takes precedence?

With some instruction, I'd be happy to update/maintain some wiki information
for others' benefit.

Regards, Dewayne.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



More information about the samba mailing list