[Samba] Books of Samba 4

Tony Hain tony at tndh.net
Mon Mar 3 12:14:13 MST 2014

Marc Muehlfeld wrote:
> Hello Tony,
> thanks for your detailed mail about documentation wishes. But for most
> things I have some questions about what you mean in detail.
> Am 02.03.2014 00:05, schrieb Tony Hain:
> > The inconsistencies between 3 & 4 wrt AD need some documentation, the wiki
> > is virtually useless, and the How-To guide is just about all 3 with
> > NT4-style domains, or how to join AD as a DC.
> What do you mean by "3 & 4 wrt"?

Sorry, wrt is an abbreviation for with-respect-to. 

> Samba for DD-WRT? I never used that.

I have samba 3 running on a few dd-wrt systems as standalone servers, and
they work fine. I have also intermittently had implementations of samba as
standalone servers on FreeBSD over the last 15 years. The only problem I
have had is becoming a member server in an existing AD.

> But I would expect documentation about that more on their homepage than
> in the Samba Wiki.

I agree the details should be there, but it wouldn't hurt for the samba wiki
to acknowledge the implementation exists and point to their wiki. FWIW:
there is nothing magic other than the version is old. With the Optware port
you can get current 3.6.22, but it often takes a while between the official
release and the Optware port availability.

> The Samba HowTo Collection is about NT4-style domains. And I think it
> won't be renewed, because the Wiki should replace it with HowTos, etc.
> Why is the Wiki virtually useless? Please be more specific.

Try to configure a Samba 4.1 MEMBER SERVER from the wiki ... You repeatedly
get pointed to the Samba 3 How To book, and what little there is about a
member server fails to address the limitations of samba-tool.

> > Documentation of samba-tool is virtually non-existent, and what is there
> > assumes you know all the syntax of the underlying tool, and which new
> > command replaces what old command.
> I already thought about writing something about samba-tool. But you get
> the syntax and a short explanation with --help, and I don't have an
> idea what to write about it.
> What exactly do you expect from a samba-tool documentation in the Wiki?

I did
samba-tool domain provision --server-role= member \
		 --domain=EXAMPLE --realm=EXAMPLE.LOCAL
and the resulting system failed to join the AD. I went looking for
information in the wiki after --help wasn't providing guidance, and found
nothing there either. Fundamentally, the existing help and documentation
assume everything works as expected. When it doesn't you have to resort to
google and hope you stumble across an email thread where someone had the
same problem, and actually got an answer. Finding people asking the same
question you are raising is easy, finding an answer takes time. That is
where the wiki should have been the correct resource to begin with. I guess
my point is that if you distilled the repetitive Q/A from this list into the
wiki, you would reduce the load on the list.

> > The difference in provisioning is
> > frustrating at best. Particularly when samba-tool doesn't provide
> > configuration for a functional system.
> The provisioning provides just a basic setup to start with. The
> configuration is a functional system. But of course you have to add
> things like shares, etc. by yourself. It's not a wizard and not
> something that replaces the old SWAT.

I didn't expect it to add shares, but the result from the command above is
NOT a functional system. It is a standalone DC that will refuse to be
demoted to a member server because it sees itself as the center of its own
little world.
# Next 8 lines from Provision MEMBER SERVER  Date: 2014/02/19 13:35:25
# Global parameters
        workgroup = EXAMPLE
        realm = EXAMPLE.LOCAL
        netbios name = SERVERNAME
        server role = member server
        passdb backend = samba_dsdb
        dns forwarder = 2001:db8::IID

> What are you missing for a "functional system" after the provisioning?

I had to experiment based on what little I could find from google, and
security = ADS
was the trick to get the box to stop being a DC and join the existing AD.
There may be other or better ways to get the job done, I stopped when I
found a workable solution that made some sense. To a first order, samba-tool
is broken in that it does not result in a working member server. More
fundamentally than that though, the core is broken in that it insists on
being a DC even when its configuration file tells it to be a member server.
It really should complain about a mismatch of expectations and stop.

> > From my post about the printer errors
> > (that persist despite the offered config which I already had, and how to
> > turn off printing is another thing missing from the documentation):
> > 	The wiki and HOW TO are useless as they are just as focused on
> > 	making the server into a printing hub as it is on making the
> > 	machine be a DC despite a 'server role = member server' statement.
> > 	FWIW:   samba-tool domain provision --server-role= member \
> > 		 --domain=EXAMPLE --realm=EXAMPLE.LOCAL
> > 	results in a DC that refuses to be demoted, and won't join an existing
> > 	AD without adding to [global]:
> > 	# !!!!!!!!!!!!! mandatory & missing from member provision step !!!!!!!!!!
> > 	security = ADS
> > 	It is all well and good to explain how to enable the services and try to be the
> > 	one-box-to-rule-them-all, but there should be working examples about how
> > 	to disable services when that service is not a role for this machine.!.!.!
> Sorry. I don't understand what you are trying to say.
> Of course the print server HowTo describes how to configure print server
> functions on top of a working Samba installation. 

I don't want a print server, I want to turn it OFF. There is nothing on the
wiki about how to do that. There are mail threads about it (which you have
to use google to find), but even those commands are not working.

> And how you get a
> working DC or member server where you can put this on top, there are
> other HowTos in the Wiki. Each topic has its own HowTo. But of course
> they can be combined. Or what do you mean in this section?

It is clear that the focus of samba development is to be a functional
replacement for all services that a MSFT PDC might have. That is fine, but
in a security-conscious operational world, not all services are wanted on
every instance, and there is nothing on the wiki about how to turn services
off in a constructive way that will not impact other services.

> > In general there is a lack of documentation about how to turn off
> > services that are not wanted on this instance, or if it does exist, it is
> > not found.
> What services do you want to turn off?

Printing is the primary point at the moment, because it is spewing into the
log files. This instance is not, and will not be associated with any
printing process, so there are no printers defined or drivers installed. The
core OS is fine with that, but at least samba 4.1 goes berserk and ignores
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

with or without ::
browsable = no
printable = no

every 13 minutes :::
Mar  3 10:44:29 arabian smbd[89010]: [2014/03/03 10:44:29.650775,  0]
Mar  3 10:44:29 arabian smbd[89010]:   Unable to connect to CUPS server localhost:631 - Connection refused
Mar  3 10:44:29 arabian smbd[1323]: [2014/03/03 10:44:29.663580,  0]
Mar  3 10:44:29 arabian smbd[1323]:   failed to retrieve printer list:

> > The documentation about %U vs %u left me initially confused. Just
> > the documentation about the variable definitions requires a google
> > because the wiki search returns nothing when you look for definition of
> > variables, or variable substitutions. Put in %U or \%U and you get back a
> > pile of references to -U... I misremembered the reference I had read in
> > the initial read through, but did pull out 'requested vs. current', figured I
> > wanted the received current ID rather than the requested one because that
> > would map to the unix acls on this server, and didn't make the
> > that requested equated to the AD SID that all remote requests would be
> > using. This led to a couple of days trying to find the page again that
> > made it clear I picked the wrong one.
> Have you looked at the smb.conf manpage? There's a section about
> variable substitution. But it's right that some of the variable stuff
> is confusing, as the AD DC stuff uses different code parts and some
> parameters and variables don't work if it's a DC or member server,
> because some functions use different code. This can sometimes be really
> confusing.

While I think you hit the problem, that brings up another point of
frustration which seemed an unnecessary change, the current file is
smb4.conf ...  I don't know if that is a FreeBSD port specific issue, but I
don't see why that would get changed from the distribution because it would
be a lot of work to maintain. The only obvious reason I can see for changing
the name of the conf file is that there are fundamental differences in the
syntax where the only way to assure the 4.x code base that someone had taken
the time to look at that was to change the file name. If that is true, the
wiki should be VERY clear about the point and what the syntax changes are.
If it is not, the file name change was pointless wherever it occurred.

> > Just as an exercise, try to walk through setting up a fresh 4.1 as a
> > file-share-only member server in an existing AD, using the current
> > documentation, and see how far you get.
> I'm not sure what you mean here. What do you think is missing in the
> Member Server HowTo that prevents a working setup?
> https://wiki.samba.org/index.php/Samba/Domain_Member

That is the page I started from ...

"table ... This is just a very basic example that will make your member
server part of your Active Directory."
None of that was in the conf file after the samba-tool provisioning step. It
is unclear if those lines are a samba 3 thing where the documentation is out
of date, or the samba-tool is broken. Adding idmap strings without knowing
the impact is not something I am inclined to do, but I did eventually put
them in. I don't know if they have any effect one way or the other because I
couldn't see an obvious difference after putting them in.

"If you use different UID/GID ranges in your AD, you have to adapt them."
No indication about how to find out what ranges your AD is using. 

"# net ads join -U administrator"
No commentary ... just assumes it works. When it doesn't, there is nothing
on the wiki anywhere that I could find about where to look to deal with it. 

> Can you be a bit more specific what you mean in detail and what things
> you are missing in the Howtos?
> And if you are missing complete HowTos, let me know about what topics.
> Then I can see what I can provide if I have time.
> But of course you can register yourself to the Wiki and contribute
> documentation, too.

Eventually I might get there, but right now I am trying to get other
services deployed, where samba was supposed to be a way to make things
easier and save time, but getting it running has consumed as much time as it
was supposed to save.


> Regards,
> Marc
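As an added example (mine, not Samba's code and not from either author), a small Python checker for the two smb.conf problems raised in this mail: a [global] section with 'server role = member server' but no 'security = ads', and printing left enabled despite the settings listed above. It assumes only the parameter meanings stated in the thread; testparm remains the authoritative smb.conf parser.

```python
"""Added example, not Samba's code: lint an smb.conf [global] section for the
member-server problems in this thread. testparm stays the real syntax check."""

# Settings the thread uses to switch the print spooler off.
PRINTING_OFF = {"load printers": "no", "printing": "bsd",
                "printcap name": "/dev/null", "disable spoolss": "yes"}
MEMBER_ROLES = {"member server", "domain member"}  # smb.conf synonyms

def parse_global(text):
    """Return {param: value} for [global]; parameter names are
    case-insensitive and ignore embedded spacing, so normalise them."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_member_server(text):
    """Return a list of findings; empty means the section is consistent
    with a file-share-only AD member server."""
    g = parse_global(text)
    findings = []
    role = g.get("server role", "").lower()
    security = g.get("security", "").lower()
    if role in MEMBER_ROLES and security != "ads":
        findings.append("server role is '%s' but security is not 'ads'; "
                        "the host will not join the AD as a member" % role)
    if security == "ads" and not g.get("realm"):
        findings.append("security = ads requires 'realm' to be set")
    for key, want in PRINTING_OFF.items():
        have = g.get(key)
        if have is None or have.lower() != want:
            findings.append("printing not disabled: '%s' is %r, expected %r"
                            % (key, have, want))
    return findings

# Constructed sample: the thread's provisioned [global] plus its printing-off
# lines, still without 'security = ads'; FIXED adds that one line.
PROVISIONED = ("[global]\n  workgroup = EXAMPLE\n  realm = EXAMPLE.LOCAL\n"
               "  server role = member server\n  passdb backend = samba_dsdb\n"
               "  load printers = no\n  printing = bsd\n"
               "  printcap name = /dev/null\n  disable spoolss = yes\n")
FIXED = PROVISIONED + "  security = ADS\n"
```

Calling check_member_server(PROVISIONED) reports the single missing 'security = ads' line, while check_member_server(FIXED) returns an empty list.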
