[Samba] Questions for minimal AD DC, DNS setup and Posix use

Daniel Müller mueller at tropenklinik.de
Thu Jan 31 01:37:17 MST 2013

For your "POSIX" issue there could be an interesting hint:

Good Luck

Daniel Müller, IT

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Dewayne
Sent: Thursday, 31 January 2013 06:55
To: samba at lists.samba.org
Subject: [Samba] Questions for minimal AD DC, DNS setup and Posix use

Our plan is to have one AD DC running in Head Office, RODCs at Branches and
a second writeable DC at a contingency site. Fileshares will run on separate
servers. The Windows 2003/2008 Servers use authentication services from
samba4 and run applications. Our current environment is Samba-3.6.9
PDC, BDCs & fileshares; openldap stores the samba and posix data and acts as
the heimdal backend - for SSO.

My questions are:

Are smbd and winbindd necessary on the AD DC? I would prefer to start samba
with only what it needs to function. When I kill the smbd and winbindd
processes, the kerberos, ldap & dns functionality remain. How can I produce
a minimal AD DC?

1) Do I need smbd to parse the smb.conf for samba4 to start correctly?

2) If not, is there a better way than "kill -9" to achieve the result of
samba4 without smbd, winbindd?

For readers new to RODC, this is useful:

DNS is required in Samba4 AD DC as explained here
http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's
article is informative).

The internal DNS works like a dream. However the internal DNS doesn't slave
to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex
environment using Windows servers as members or DCs. However:

3) For Samba4 AD DC to act purely as an authentication engine, within
UNIX-only servers where PCs and WinServers are effectively desktops for users;
can I use --dns-backend=NONE without loss of DRS or RODC functionality? (Or
are these contradictory requirements?)

4) If we need to redesign our DNS infrastructure, is it sufficient that a
DHCP server provides updates to bind9-DLZ (as a component of the Samba4 AD DC)?

In a Samba3 world, I rely upon smbldap-tools
(http://gna.org/projects/smbldap-tools) to manipulate user/group
information, including assignment of uidNumber/gidNumber that is unique to
an individual, per IT audit instruction.

I would greatly appreciate guidance on how to set/use posix on Samba4.  I've
spent 4 hours trolling the web and mailing list searches with hints or
scripts, so

5) Do I need to manually add the ldap posixAccount object to each user's
ldap record, or is there an option in samba-tool user create that I haven't
found? Next issue is how to manage the uidNumber/gidNumber content?
{This was being worked:
Cs-td4637386.html ?}

6) Is there any mechanism that allows me to change the uids being assigned
to files that are created by Samba AD DC to be the same as pre-existing
uids used by Samba3? For example changing uid 3000020 to 1046, or gid
3000019 to 1001?


7) Will the list of smb.conf options described in samba4 source folder
source4/TODO be updated to reflect what appears in "testparm -vss"?  It's a
little confusing as to which takes precedence?

With some instruction, I'd be happy to update/maintain some wiki information
for others' benefit.

Regards, Dewayne.
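As an added example (not from this thread or from the Samba project) for questions 5 and 6, a small Python audit over an LDIF export of user objects (as produced by ldapsearch or ldbsearch): it reports accounts that lack posixAccount/uidNumber, duplicate uidNumbers, and uidNumbers outside a legacy Samba3 range. The sample LDIF, the range 1000-2999 and the account names are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample LDIF (not from the thread); carol's dn shows an RFC 2849 folded line.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: posixAccount
sAMAccountName: alice
uidNumber: 1046

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: posixAccount
sAMAccountName: bob
uidNumber: 1046

dn: CN=carol,CN=Users,
 DC=example,DC=com
sAMAccountName: carol

dn: CN=dave,CN=Users,DC=example,DC=com
objectClass: posixAccount
sAMAccountName: dave
uidNumber: 3000020
"""
def parse_ldif(text):
    # Join folded continuation lines (newline + space), then split entries on blank lines.
    entries, cur = [], defaultdict(list)
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes last entry
        if not line.strip():
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()].append(value.strip())
    return entries
def audit_posix(entries, uid_min=1000, uid_max=2999):
    # Flag users with no posixAccount/uidNumber, duplicate uidNumbers (audit rule:
    # one uid per individual), and uidNumbers outside the assumed legacy Samba3 range.
    missing, out_of_range, by_uid = [], [], defaultdict(list)
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        if "posixAccount" not in e.get("objectClass", []) or "uidNumber" not in e:
            missing.append(name)
            continue
        uid = int(e["uidNumber"][0])
        by_uid[uid].append(name)
        if not uid_min <= uid <= uid_max:
            out_of_range.append((name, uid))  # e.g. a Samba4-allocated 3000020
    duplicates = {u: n for u, n in by_uid.items() if len(n) > 1}
    return {"missing": missing, "duplicates": duplicates, "out_of_range": out_of_range}
```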
