[Samba] Books of Samba 4

Rowland Penny rowlandpenny at googlemail.com
Mon Mar 3 13:38:38 MST 2014

On 03/03/14 20:02, Marc Muehlfeld wrote:
> Hello Tony,
> Am 03.03.2014 20:14, schrieb Tony Hain:
>> I have samba 3 running on a few dd-wrt systems as standalone servers, and
>> they work fine. I have also intermittently had implementations of samba as
>> standalone servers on FreeBSD over the last 15 years. The only problem I
>> have had is becoming a member server in an existing AD.
>>> But a documentation about that I would expect more on their homepage,
>>> than in the Samba Wiki.
>> I agree the details should be there, but it wouldn't hurt for the samba wiki
>> to acknowledge the implementation exists and point to their wiki.
> To what page should I link it?
>>> Why is the Wiki virtually useless? Please be more specific.
>> Try to configure a Samba 4.1 MEMBER SERVER from the wiki ... You repeatedly
>> get pointed to the Samba 3 How To book, and what little there is about a
>> member server fails to address the limitations of samba-tool.
> What links to the Samba 3 HowTo book do you mean? I don't see any in 
> the HowTo atm.
> https://wiki.samba.org/index.php/Samba/Domain_Member
>>> What exactly do you expect from a samba-tool documentation in the Wiki?
>> I did
>> samba-tool domain provision --server-role= member \
>>          --domain=EXAMPLE --realm=EXAMPLE.LOCAL
>> and the resulting system failed to join the AD. ...
> I think you looked at a different HowTo.
> You don't do the provisioning for a member. You simply join the 
> machine to the domain like you did in the past. See the HowTo I 
> mentioned above. This one is also linked at the Wiki user 
> documentation page.
> Can you give me the link to the Member Server HowTo in the Wiki you 
> used? I'll have a look at it.
>>> And how you get a
>>> working DC or member server where you can put this on top, there are
>>> other HowTos in the Wiki. Each topic has its own HowTo. But of course
>>> they can be combined. Or what do you mean in this section?
>> It is clear that the focus of samba development is to be a functional
>> replacement for all services that a MSFT PDC might have. That is fine, but
>> in a security conscious operational world, not all services are wanted on
>> every instance, and there is nothing on the wiki about how to turn services
>> off in a constructive way that will not impact other services.
> The services that are enabled on a DC in "server services" are all 
> required and can't be omitted.
> Andrew answered this:
> http://www.spinics.net/lists/samba/msg113742.html
> Do you know a good place to write this down in the Wiki?
>>> What services do you want to turn off?
>> Printing is the primary point at the moment, because it is spewing into the
>> log files. This instance is not, and will not be associated with any
>> printing process, so there are no printers defined or drivers installed. The
>> core OS is fine with that, but at least samba 4.1 goes berserk and ignores
>> [global]
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>> with or without ::
>> [printers]
>> browsable = no
>> printable = no
>> every 13 minutes :::
>> Mar  3 10:44:29 arabian smbd[89010]: [2014/03/03 10:44:29.650775,  0]
>> ../source3/printing/print_cups.c:151(cups_connect)
>> Mar  3 10:44:29 arabian smbd[89010]:   Unable to connect to CUPS server
>> localhost:631 - Connection refused
>> Mar  3 10:44:29 arabian smbd[1323]: [2014/03/03 10:44:29.663580,  0]
>> ../source3/printing/print_cups.c:528(cups_async_callback)
>> Mar  3 10:44:29 arabian smbd[1323]:   failed to retrieve printer list:
> What you have in your [global] section is the same that I have here on 
> my Fedora workstation that runs a standalone Samba instance. I don't 
> see this in my logfiles. What log level are you using?
>> While I think you hit the problem, that brings up another point of
>> frustration which seemed an unnecessary change, the current file is
>> smb4.conf ...  I don't know if that is a FreeBSD port specific issue, but I
>> don't see why that would get changed from the distribution because it would
>> be a lot of work to maintain. The only obvious reason I can see for changing
>> the name of the conf file is that there are fundamental differences in the
>> syntax where the only way to assure the 4.x code base that someone had taken
>> the time to look at that was to change the file name. If that is true, the
>> wiki should be VERY clear about the point and what the syntax changes are.
>> If it is not, the file name change was pointless wherever it occurred.
> I don't have a smb4.conf here on my production DCs and test systems 
> (all RH 6.5 and Scientific Linux 6.5 self compiled).
>>>> Just as an exercise, try to walk through setting up a fresh 4.1 as a
>>>> file-share-only member server in an existing AD, using the current
>>>> documentation, and see how far you get.
>>> I'm not sure what you mean here. What do you think is missing in the
>>> Member Server HowTo that prevents a working setup?
>>> https://wiki.samba.org/index.php/Samba/Domain_Member
>> That is the page I started from ...
>> "table ... This is just very a basic example that will make your member
>> server part of your Active Directory."
>> None of that was in the conf file after the samba-tool provisioning step.
> Where in this HowTo do you read that you have to run a provision on a 
> member server?

Marc, I cannot point you to a HowTo, but perhaps you, or anybody, can 
explain this:

If you run 'samba-tool domain provision --help', amongst everything 
else is this:

   --server-role=ROLE    The server role (domain controller | dc | member
                         server | member | standalone). Default is dc.

Now, I thought that a member server is a computer that belongs to a 
domain and is not a domain controller; it does not process account 
logons, participate in Active Directory replication, or store domain 
security policy information. I also thought that the only thing that you 
provisioned was a DC, so why is there this option? It can only 
confuse people who do not know better.


> Simply following this HowTo should give you a working member server in 
> an AD.
>> "If you use different UID/GID ranges in your AD, you have to adapt them."
>> No indication about how to find out what ranges your AD is using.
> Most admins know what ranges they have configured. :-) But you 
> are right. I can add a note about that.
>> "# net ads join -U administrator"
>> No commentary ... just assumes it works. When it doesn't, there is nothing
>> on the wiki anywhere that I could find about where to look to deal with it.
> The HowTo often describes the perfect way. But when we find typical 
> problems that users are often hitting, we of course add them to the wiki.
> The problem is: When I write a HowTo, I try to mention typical 
> pitfalls. But if I never had one and can't imagine big problems about 
> it, I don't write about them. :-)
> Let me know what typical problems you have with the join and I can add 
> them.
> Regards,
> Marc
