[Samba] samba 4 best practices questions

Joe Maloney jmaloney at pcbsd.org
Sat Mar 1 11:00:27 MST 2014

On Sat, Mar 1, 2014 at 11:05 AM, Marc Muehlfeld <samba at marc-muehlfeld.de>wrote:

> Hello Joe,
> Am 08.02.2014 21:45, schrieb Joe Maloney:
>  I found this email thread here stating samba4 ad roles, and file server
>> roles should be on separate servers.
> >
> > Can anyone answer is this still the case?
> Yes. Fileservers should be separate member servers and the DC only do the
> domain stuff.
>  In addition I've been noticing that sysvol replication is not officially
>> supported and third party tools such as rsync can be used as a work
>> around.
> Not just "not offically supported". It's not implemented yet. :-)
> You can use own solutions to replicate the SysVol content between your
> DCs. But you have to use tools, that can replicate the ACLs. An easy way is
> rsync:
> https://wiki.samba.org/index.php/SysVol_Replication

> > So I think I would ultimately like each location to have it's own
> > standalone PDC or just member servers of the PDC.
> >
> > My question is are trust relationships working between samba 4 and
> > samba4 servers yet?   I've been reading that trust relationships are
> > one way only does this apply to samba servers only talking to
> > eachother as well?  Could one user from one location log in at
> > another location and so on this way?
> I guess you mean with PDC and AD DC. But if you have different domains on
> each location, remember, that trusts are not working at the moment.
> https://wiki.samba.org/index.php/FAQ#Trusts

After I wrote this initial email I have found where it was stated that
trusts may work as there may be some work in progress or development code
would be the only reason but that it wasn't supported.  So in a test
environment I set up a master bind server to forward dns requests for each
zone to the appropriate PDC and I was able to set up trusts.  Afterwords I
was able to use group policy for all forests from a single console.  I have
not tested beyond that regarding trusts as I dropped the idea as it was
stated it was mentioned it wasn't really supported yet.  I've read that
others encountered broken trusts and had trouble being able to remove and
recreate them and so on.  So I could see why this wouldn't be a good idea
to implement in production yet.

I would like to roll completely independent PDC's at each location with
each having a member server.  I've been testing and it appears I can access
resources on each server as long as I have the same credentials on each
server.  My knowledge is somewhat limited here as I'm not primarily a
windows server guy these days but I believe I've always been able to do
this when I've connected using a FreeBSD or Linux desktop to a windows
server to access shares as those machines were never members of the server
I just happened to log in with the same credentials and it let me in.

This experiment was done without setting up any trusts.  I'm not entirely
sure yet of all the things that trusts accomplish.  From what I can tell I
simply can't login to another pdc and pull it's login script from that
remote server and so on from another server without the trusts?

I don't mind having to have separate GPO and user management consoles,
separate users for each location and so on as long as a a few users can
access a share on another member server if they need to located on another
domain.  Should this be possible without trusts?

I guess what I am really meaning to ask is should I be able to access
shares on a remote server that my client computer is not joined to as long
as I happen to have a user account on that remote server?  Do I have to
worry about that breaking someday if trusts are not supported?

>  If the above is not possible would joining file servers as member servers
>> only prove to be the best way forward until these features are
>> implimented?  Thanks in advance for any help or advice you may be able to
>> provide.
> I don't know your environment, locations and requirements. But maybe you
> can simply have one domain and separate DCs and Member Servers at the
> different locations. Then the authentication is done on each place against
> the local DCs, etc.
> I'm not that familiar with huge AD installations yet. But with
> sites/subnet declarations, etc. maybe most requirements can be complied.
> But of course testing is important. And feedback about things that are
> working or not working here on the list would be great. Then we can add
> them to the Wiki for others.

I've thought about this approach also.  Just having the one master PDC and
the rest member servers at each site.  The main thing I was trying to avoid
was having a master server go down and each location lose access to things
as well.  Or if I had joined servers at the other sites others as BDC's and
for some reason one day sysvol syncing went wrong then everyone being
broken that way as well. I suppose it wouldn't be so bad if sysvol became
corrupt at one location.  But if all were corrupt this would be bad.

What do you think about my other idea regarding rolling separate forests if
I only have a few users that need to access shares on other networks?  It's
a little more overhead of course to maintain multiple sets of user
accounts, but that I don't think anyone will mind in this situation.  Does
that seem like a good plan?

> Regards,
> Marc
Joe Maloney

More information about the samba mailing list