[Samba] Books of Samba 4

Tony Hain tony at tndh.net
Wed Mar 5 14:01:40 MST 2014


Rowland Penny wrote:
> On 04/03/14 23:06, Tony Hain wrote:
> > Rowland Penny wrote:
> >>> ... snip
> >> Hi, your problem is that you tried to provision a member server, it
> >> doesn't work, as you have found out. This is why I was querying just
> >> why that option is there in 'samba-tool domain provision', it needs to
> >> be removed.
> >>
> >> What you require is to use the smbd, nmbd and winbind daemons from
> >> samba4 just like you would with the daemons from samba 3, see here:
> >>
> > To a first order, there is no logic behind this statement. What the #$%^
> > does the 'process' of creating the .conf file have to do with which daemon
> > is running? From comments on thread there is clearly some kind of unstated
> > assumption that samba-tool is only for the samba daemon, but there is no
> > obvious reason why it should be. From what little I have been able to
> > gather from sorting through this, samba-tool is nothing more than a
> > super-set of tools used to configure and operate samba 3 over the last 5
> > years or so. How does that end up being samba daemon specific?
>
> Firstly, samba-tool was created for the samba4 AD setup and really has
> nothing to do with samba 3. If you want an AD DC, you use 'samba-tool
> domain provision', for anything else, it is NOT used.

That is not stated here:
https://wiki.samba.org/index.php/Samba/Status
Admin Tools	 Development		 samba-tool covers most command line
functions;

> 
> Samba4 is actually two packages in one, one is the AD DC, the other is
> anything the old samba 3 was and no whinging or whining is going to change
> that.

That is not the way it is described here:
https://wiki.samba.org/index.php/Samba/Status
File Server:  The Samba4 project actually started out as the "NTVFS
Rewrite".

or here:
http://en.wikipedia.org/wiki/Samba_(software)
Version 4 was released on December 11, 2012.[16] It is a major rewrite that
enables Samba to be an Active Directory domain controller, participating
fully in a Windows Active Directory Domain.

or here:
http://www.linux-magazine.com/Online/Features/What-s-New-in-Samba-4
Samba 4.x is a full replacement and upgrade to Samba 3.

On top of that, if the implementation architecture makes a difference in how
the .conf file is created, that should be exposed on the wiki. If it is, I
can't find it. In any case, I see no reason that there is any connection
between which daemon is running and the .conf file creation tool. Yes
whatever is used needs to be able to emit the correct current syntax, but
your argument is that it is 'too much work' to make the new tool * leave out
* information that is irrelevant to a member server.

> 
> You just require a member server, so forget samba-tool, read the page that
> people are pointing you to, read any samba 3.6 howtos that are relevant to
> what you are trying to do and then try again.

There are many indications when doing a google search that conf statements
have changed, but no clear statements about what. Even Andrew's comments on
this thread indicate that samba 3 statements in the existing wiki references
are dated and he wants the references removed. Couple that with the points:
-- all indications in the references above are that samba 4 is a rewrite; 
-- the wiki main page basically says samba 3 is all but dead:
     https://wiki.samba.org/index.php/Main_Page   
        Security fixes only tree: 3.6.22 (Release Notes);
-- that the HowTo has no indication that it works as a samba 4 member server:
     http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
        (Samba ADS Domain Membership -- This is a rough guide to setting up 
        Samba-3 with Kerberos authentication against a Windows 200x KDC.) ;
and then figure out how someone that is not directly involved is supposed to
know which things are still relevant.  Putting it in email responses does
not scale, and only leads to lots of wasted time by people trying to work
through a deployment using search and experimentation. Even if someone finds
this mail thread in a search, how are they supposed to know they are reading
the most current status? 

> 
> If/when you have problems, post again and people will try to help you, but
> only if you try to help yourself.

Other than the persistent log file crap about cups not being installed, I
had a working system by using google & experimentation before I even joined
the list. I would have unsubscribed from this excessively noisy list days
ago, but thought my contribution to the effort would be some insight about
the usability of the wiki until I can get enough free time to actually help
fix it. I just didn't understand that clearly "the wiki is perfect" and it
is just those who do not have access to the inner workings of the
implementation that are misguided. 

I note that you have chosen to not address the point below about the direct
conflict between your claim about a massive amount of work, and Marc's claim
that a simple paste from the wiki is adequate. This would indicate to me
that someone is choosing to not do the apparently simple amount of work it
would be to create a member server .conf, and I would speculate that is
because you only see samba deployed as 'the center of the universe,
one-machine-running-all-functions' AD forest root (since 18 months after
http://lists-archives.com/samba/65892-samba-4-how-to-provision-as-simply-a-member-of-a-domain.html
you apparently still haven't tried to configure and
deploy a member server). Given that samba-tool already knows how to take in
workgroup & realm, it would seem to be more work defending the position that
it is a DC-only tool than it would be to add the few lines it would take to
create an exact clone of the basic conf on the wiki for a member server.
Then again, I don't know the implementation architecture of samba-tool, so
maybe there is some horrendous amount of rework required to get it to STOP
emitting DC focused statements and actually pay attention to role=member. 

As I said in my original note to the list, everything about this wiki is
focused on deployment as a do-it-all, root-of-the-forest,
one-machine-to-rule-them-all box. There is no guidance about how to safely
separate roles and functions for those believing that is a more appropriate
operational deployment model. Yes there is a lone page about a member
server, but no indication outside of google hitting random email responses
about how to turn printing OFF! When someone just wants a file share
accessible to domain accounts, they are about as far from the rule-them-all
focus of the samba 4 wiki as they can get, but given the indication that
samba 3 is on life-support, they have no long-term alternative. 

Tony 


> 
> Rowland
> 
> >
> > Again, the generic term 'provision' has nothing to do with a specific
> > micro-instance of creating a DC, it is about providing the environment for
> > something else to happen. Please stop equating 'provision' with DC, and
> > equate it with creating a .conf file.
> >
> >> https://wiki.samba.org/index.php/Samba/Domain_Member
> >>
> >> Probably sometime in the future, running provision to get a member
> >> server will work, but it will require an extremely large amount of
> >> work and the acceptance of various standards and/or even more input
> >> from the person running samba-tool.
> > I am sorry, but I don't buy that. If pasting in:
> > [global]
> >     workgroup = SHORTDOMAINNAME
> >     security = ADS
> >     realm = YOUR.SAMBA.DOMAIN.NAME
> >     idmap config *:backend = tdb
> >     idmap config *:range = 70001-80000
> >     idmap config SHORTDOMAINNAME:backend = ad
> >     idmap config SHORTDOMAINNAME:schema_mode = rfc2307
> >     idmap config SHORTDOMAINNAME:range = 500-40000
> >     winbind nss info = rfc2307
> >
> > creates an acceptable .conf file, then asking the user for realm &
> > workgroup is all that is required, and both are already in samba-tool. If
> > there is a large amount of work and additional questions, then the wiki is
> > clearly lacking in detail about the real requirements. Either your claims
> > about excessive work, or Marc's claims about the wiki HowTo being adequate,
> > are wrong because they are in direct conflict.
> >
> >> Until that far off day comes, you will have to write your own
> >> smb.conf
> >>
> > I believe it is a far off day, but only because those in position to do
> > something about it believe that. I don't mind writing the smb.conf, but
> > consistent guidance that indicates it is still appropriate for current
> > releases would help.
> >
> > Tony
> >
> >
> >> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
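
Added example, not part of the original post and not samba-tool code: a sketch of the generator argued for in the thread, which fills the quoted member-server [global] snippet from a workgroup and realm and then checks the idmap ranges, since overlapping ranges let two different accounts map to the same Unix ID. The function names and the input validation rules are assumptions made for illustration.

```python
import re

# Template copied from the [global] snippet quoted in the thread; only the
# workgroup and realm are substituted.
TEMPLATE = """[global]
    workgroup = {wg}
    security = ADS
    realm = {realm}
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config {wg}:backend = ad
    idmap config {wg}:schema_mode = rfc2307
    idmap config {wg}:range = 500-40000
    winbind nss info = rfc2307
"""
# Accepts both "DOM:range" (as posted) and "DOM : range" spellings.
IDMAP_RANGE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def render_member_conf(workgroup, realm):
    # Assumed input rules: NetBIOS-style short name, DNS-style realm.
    if not re.fullmatch(r"[A-Za-z0-9-]{1,15}", workgroup):
        raise ValueError("workgroup must be a short NetBIOS-style name")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", realm):
        raise ValueError("realm must be a DNS-style name")
    return TEMPLATE.format(wg=workgroup.upper(), realm=realm.upper())

def idmap_ranges(conf_text):
    """Map each idmap domain to its (low, high) ID range."""
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RANGE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def idmap_problems(conf_text):
    """Flag a missing default range, reversed ranges and overlaps."""
    ranges = idmap_ranges(conf_text)
    problems = [] if "*" in ranges else ["no default (*) idmap range"]
    problems += [f"{d}: range {lo}-{hi} is reversed"
                 for d, (lo, hi) in ranges.items() if lo > hi]
    prev_dom, prev_hi = None, -1
    for dom, (lo, hi) in sorted(ranges.items(), key=lambda kv: kv[1]):
        if prev_dom is not None and lo <= prev_hi:
            problems.append(f"{prev_dom} and {dom}: ranges overlap")
        if hi > prev_hi:
            prev_dom, prev_hi = dom, hi
    return problems
```
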


