[Samba] Books of Samba 4

Marc Muehlfeld samba at marc-muehlfeld.de
Mon Mar 3 13:02:25 MST 2014

Hello Tony,

On 03.03.2014 20:14, Tony Hain wrote:
> I have samba 3 running on a few dd-wrt systems as standalone servers, and
> they work fine. I have also intermittently had implementations of samba as
> standalone servers on FreeBSD over the last 15 years. The only problem I
> have had is becoming a member server in an existing AD.
>> But a documentation about that I would expect more on their homepage,
>> than in the Samba Wiki.
> I agree the details should be there, but it wouldn't hurt for the samba wiki
> to acknowledge the implementation exists and point to their wiki.

To what page should I link it?

>> Why is the Wiki virtually useless? Please be more specific.
> Try to configure a Samba 4.1 MEMBER SERVER from the wiki ... You repeatedly
> get pointed to the Samba 3 How To book, and what little there is about a
> member server fails to address the limitations of samba-tool.

What links to the Samba 3 HowTo book do you mean? I don't see any in the 
HowTo atm.

>> What exactly do you expect from a samba-tool documentation in the Wiki?
> I did
> samba-tool domain provision --server-role= member \
> 		 --domain=EXAMPLE --realm=EXAMPLE.LOCAL
> and the resulting system failed to join the AD. ...

I think you looked at a different HowTo.
You don't do the provisioning for a member. You simply join the machine 
to the domain like you did in the past. See the HowTo I mentioned above. 
This one is also linked at the Wiki user documentation page.

Can you give me the link to the Member Server HowTo in the Wiki you 
used? I'll have a look at it.

>> And how you get a
>> working DC or member server where you can put this on top, there are
>> other HowTos in the Wiki. Each topic has its own HowTo. But of course
>> they can be combined. Or what do you mean in this section?
> It is clear that the focus of samba development is to be a functional
> replacement for all services that a MSFT PDC might have. That is fine, but
> in a security-conscious operational world, not all services are wanted on
> every instance, and there is nothing on the wiki about how to turn services
> off in a constructive way that will not impact other services.

The services that are enabled on a DC in "server services" are all 
required and can't be omitted.

Andrew answered this:

Do you know a good place to write this down in the Wiki?

>> What services do you want to turn off?
> Printing is the primary point at the moment, because it is spewing into the
> log files. This instance is not, and will not be associated with any
> printing process, so there are no printers defined or drivers installed. The
> core OS is fine with that, but at least samba 4.1 goes berserk and ignores
> [global]
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> with or without ::
> [printers]
> browsable = no
> printable = no
> every 13 minutes :::
> Mar  3 10:44:29 arabian smbd[89010]: [2014/03/03 10:44:29.650775,  0]
> ../source3/printing/print_cups.c:151(cups_connect)
> Mar  3 10:44:29 arabian smbd[89010]:   Unable to connect to CUPS server
> localhost:631 - Connection refused
> Mar  3 10:44:29 arabian smbd[1323]: [2014/03/03 10:44:29.663580,  0]
> ../source3/printing/print_cups.c:528(cups_async_callback)
> Mar  3 10:44:29 arabian smbd[1323]:   failed to retrieve printer list:

What you have in your [global] section is the same that I have here on 
my Fedora workstation that runs a standalone Samba instance. I don't see 
this in my logfiles. What log level are you using?

> While I think you hit the problem, that brings up another point of
> frustration which seemed an unnecessary change, the current file is
> smb4.conf ...  I don't know if that is a FreeBSD port specific issue, but I
> don't see why that would get changed from the distribution because it would
> be a lot of work to maintain. The only obvious reason I can see for changing
> the name of the conf file is that there are fundamental differences in the
> syntax where the only way to assure the 4.x code base that someone had taken
> the time to look at that was to change the file name. If that is true, the
> wiki should be VERY clear about the point and what the syntax changes are.
> If it is not, the file name change was pointless wherever it occurred.

I don't have a smb4.conf here on my production DCs and test systems (all 
RH 6.5 and Scientific Linux 6.5 self compiled).

>>> Just as an exercise, try to walk through setting up a fresh 4.1 as a
>>> file-share-only member server in an existing AD, using the current
>>> documentation, and see how far you get.
>> I'm not sure what you mean here. What do you think is missing in the
>> Member Server HowTo that prevents a working setup?
>> https://wiki.samba.org/index.php/Samba/Domain_Member
> That is the page I started from ...
> "table ... This is just very a basic example that will make your member
> server part of your Active Directory."
> None of that was in the conf file after the samba-tool provisioning step.

Where in this HowTo do you read that you have to run a provision on a 
member server?

Simply following this HowTo should give you a working member server in 
an AD.

> "If you use different UID/GID ranges in your AD, you have to adapt them."
> No indication about how to find out what ranges your AD is using.

Most admins know what ranges they have configured. :-) But you are 
right. I can add a note about that.

> "# net ads join -U administrator"
> No commentary ... just assumes it works. When it doesn't, there is nothing
> on the wiki anywhere that I could find about where to look to deal with it.

The HowTo often describes the perfect way. But when we find typical 
problems that users are often hitting, we of course add them to the wiki.

The problem is: When I write a HowTo, I try to mention typical pitfalls. 
But if I never had one and can't imagine big problems about it, I don't 
write about them. :-)

Let me know what typical problems you have with the join and I can add them.
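
Added example, not part of the original message or of Samba itself: a small check that a configuration file really carries the four printing-related [global] settings quoted in this thread, following the smb.conf rules that section and parameter names ignore case and whitespace and that lines starting with `#` or `;` are comments. The function names and the sample configuration are constructed for illustration.

```python
import re

# Settings quoted in the thread; names normalised (lower case, no whitespace).
WANTED = {
    "loadprinters": "no",
    "printing": "bsd",
    "printcapname": "/dev/null",
    "disablespoolss": "yes",
}
BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}

def norm_name(name):
    # smb.conf ignores case and all whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalised names; last value wins."""
    conf, section = {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continued lines
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm_name(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            conf[section][norm_name(name)] = value.strip()
    return conf

def printing_findings(text):
    """List the quoted settings that are missing or set differently."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name, want in WANTED.items():
        have = glob.get(name)
        low = (have or "").lower()
        ok = have == want if name == "printcapname" else BOOL.get(low, low) == want
        if not ok:
            findings.append(f"[global] {name}: expected {want!r}, found {have!r}")
    # Parameter synonyms (e.g. 'print ok' for 'printable') are not resolved here.
    if conf.get("printers", {}).get("printable", "no").lower() in ("yes", "true", "1"):
        findings.append("[printers] share is printable")
    return findings

# Constructed sample: odd case/spacing, one commented-out line, one value left on.
SAMPLE = "[Global]\n Load Printers = yes\n printing=BSD\n ; disable spoolss = yes\n printcap name = /dev/null\n"
```

Running `printing_findings()` over the file that smbd actually loads (the thread mentions both smb.conf and smb4.conf) shows whether the running configuration matches the one being discussed.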

