[Samba] samba4 best practices questions

Joe Maloney jmaloney at pcbsd.org
Wed Feb 12 20:51:40 MST 2014

Thanks for your replies.  I am currently also testing samba4 on FreeNAS
9.2.1 based on FreeBSD with ZFS which provides graphical management of
Samba4.  I've noticed FreeNAS uses the Directory Service Role and CIFS
shares roles on the same box by default.  These roles are not isolated
like they could be in jails with virtual networking support and so on.

I would like to be able to maybe suggest the separation to the FreeNAS
developers for stability to improve their software but I would need to know
the technical reasons why the separation is important to be able to do so.

I'm curious can anyone elaborate some more on why Directory Services and
File Sharing roles should be spread across two servers and why file sharing
should be run on a member server?  Is it because of winbind?  Is it known
to cause lockups to have them on the same server?

Another thing I might like to suggest to the FreeNAS developers.  I've
noticed they also provision with NTVFS.  I've also noticed I can turn on
S3FS in FreeBSD with ZFS after provision and it seems to fix smbstatus.
It's just that provision is still broken with FreeBSD + ZFS as we all
know.  From my research it appears S3FS is a better option?  Is it pretty
stable at this point?  Can anyone see any harm in enabling it after the
fact if samba was originally provisioned with NTVFS?

Joe Maloney

On Sun, Feb 9, 2014 at 7:41 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sat, 2014-02-08 at 14:46 -0600, Joe Maloney wrote:
> > I'm interested in using samba4 in a production environment that has
> > multiple locations tied together via a WAN.  In order to do so I need to
> > figure out what is the absolute most stable and supported path.
> >
> >
> > I found this email thread here stating samba4 ad roles, and file server
> > roles should be on separate servers.
> >
> >
> > https://groups.google.com/forum/#!topic/mailing.unix.samba/QySoM_uGGL8
> >
> >
> > Can anyone answer is this still the case?
> >
> >
> > In addition I've been noticing that sysvol replication is not officially
> > supported and third party tools such as rsync can be used as a
> > workaround.  So I think I would ultimately like each location to have its own
> > standalone PDC or just member servers of the PDC.
> Your language is a bit confusing.  Each location should have at least
> one DC (depending on the size of the location), and if possible a
> separate file server.
> > My question is are trust relationships working between samba 4 and samba4
> > servers yet?   I've been reading that trust relationships are one way only;
> > does this apply to samba servers only talking to each other as well?  Could
> > one user from one location log in at another location and so on this way?
> > Is this just a bad idea altogether right now?
> This refers to trusts between different DOMAINS or REALMS, not between
> servers in the domain, which is fully functional.
> > If the above is not possible would joining file servers as member servers
> > only prove to be the best way forward until these features are
> > implemented?  Thanks in advance for any help or advice you may be able to
> > provide.
> Your file servers should be joined as a member server.
> Andrew Bartlett
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
