[Samba] Books of Samba 4

Rowland Penny rowlandpenny at googlemail.com
Wed Mar 5 14:20:30 MST 2014 

On 05/03/14 21:01, Tony Hain wrote:
> Rowland Penny wrote:
>> On 04/03/14 23:06, Tony Hain wrote:
>>> Rowland Penny wrote:
>>>>> ... snip
>>>> Hi, your problem is that you tried to provision a member server, it
>>>> doesn't work, as you have found out. This is why I was querying just
>>>> why that option is there in 'samba-tool domain provision', it needs to
> be
>> removed.
>>>> What you require is to use the smbd, nmbd and winbind daemons from
>>>> samba4 just like you would with the daemons from samba 3, see here:
>>>>
>>> To a first order, there is no logic behind this statement. What the #$%^
>> does the 'process' of creating the .conf file have to do with which daemon
> is
>> running? From comments on thread there is clearly some kind of unstated
>> assumption that samba-tool is only for the samba daemon, but there is no
>> obvious reason why it should be. From what little I have been able to
> gather
>> from sorting through this, samba-tool is nothing more than a super-set of
>> tools used to configure and operate samba 3 over the last 5 years or so.
> How
>> does that end up being samba daemon specific?
>>
>> Firstly, samba-tool was created for the samba4 AD setup and really has
>> nothing to do with samba 3. If you want an AD DC, you use 'samba-tool
>> domain provision', for anything else, it is NOT used.
> That is not stated here:
> https://wiki.samba.org/index.php/Samba/Status
> Admin Tools	 Development		 samba-tool covers most command line
> functions;
>
>> Samba4 is actually two packages in one, one is the AD DC, the other is
>> anything the old samba 3 was and no whinging or whining is going to change
>> that.
> That is not the way it is described here:
> https://wiki.samba.org/index.php/Samba/Status
> File Server:  The Samba4 project actually started out as the "NTVFS
> Rewrite".
>
> or here:
> http://en.wikipedia.org/wiki/Samba_(software)
> Version 4 was released on December 11, 2012.[16] It is a major rewrite that
> enables Samba to be an Active Directory domain controller, participating
> fully in a Windows Active Directory Domain.
>
> or here:
> http://www.linux-magazine.com/Online/Features/What-s-New-in-Samba-4
> Samba 4.x is a full replacement and upgrade to Samba 3.
>
> On top of that, if the implementation architecture makes a difference in how
> the .conf file is created, that should be exposed on the wiki. If it is, I
> can't find it. In any case, I see no reason that there is any connection
> between which daemon is running and the .conf file creation tool. Yes
> whatever is used needs to be able to emit the correct current syntax, but
> your argument is that it is 'too much work' to make the new tool * leave out
> * information that is irrelevant to a member server.
>
>> You just require a member server, so forget samba-tool, read the page that
>> people are pointing you to, read any samba 3.6 howtos that are relevant to
>> what you are trying to do and then try again.
> There are many indications when doing a google search that conf statements
> have changed, but no clear statements about what. Even Andrew's comments on
> this thread indicate that samba 3 statements in the existing wiki references
> are dated and he wants the references removed. Couple that with the points:
> -- all indications in the references above are that samba 4 is a rewrite;
> -- the wiki main page basically says samba 3 is all but dead:
>       https://wiki.samba.org/index.php/Main_Page
>          Security fixes only tree: 3.6.22 (Release Notes);
> -- that the HowTo has no indication that it works as a samba 4 member
> server:
>   
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.htm
> l#ads-member
>          (Samba ADS Domain Membership -- This is a rough guide to setting up
>          Samba-3 with Kerberos authentication against a Windows 200x KDC.) ;
> and then figure out how someone that is not directly involved is supposed to
> know which things are still relevant.  Putting it in email responses does
> not scale, and only leads to lots of wasted time by people trying to work
> through a deployment using search and experimentation. Even if someone finds
> this mail thread in a search, how are they supposed to know they are reading
> the most current status?
>
>> If/when you have problems, post again and people will try to help you, but
>> only if you try to help yourself.
> Other than the persistent log file crap about cups not being installed, I
> had a working system by using google & experimentation before I even joined
> the list. I would have unsubscribed from this excessively noisy list days
> ago, but thought my contribution to the effort would be some insight about
> the usability of the wiki until I can get enough free time to actually help
> fix it. I just didn't understand that clearly "the wiki is perfect" and it
> is just those who do not have access to the inner workings of the
> implementation that are misguided.
>
> I note that you have chosen to not address the point below about the direct
> conflict between your claim about a massive amount of work, and Marc's claim
> that a simple paste from the wiki is adequate. This would indicate to me
> that someone is choosing to not do the apparently simple amount of work it
> would be to create a member server .conf, and I would speculate that is
> because you only see samba deployed as 'the center of the universe,
> one-machine-running-all-functions' AD forest root (since 18 months after
> http://lists-archives.com/samba/65892-samba-4-how-to-provision-as-simply-a-m
> ember-of-a-domain.html you apparently still haven't tried to configure and
> deploy a member server). Given that samba-tool already knows how to take in
> workgroup & realm, it would seem to be more work defending the position that
> it is a DC-only tool than it would be to add the few lines it would take to
> create an exact clone of the basic conf on the wiki for a member server.
> Then again, I don't know the implementation architecture of samba-tool, so
> maybe there is some horrendous amount of rework required to get it to STOP
> emitting DC focused statements and actually pay attention to role=member.
>
> As I said in my original note to the list, everything about this wiki is
> focused on deployment as a do-it-all, root-of-the-forest,
> one-machine-to-rule-them-all box. There is no guidance about how to safely
> separate roles and functions for those believing that is a more appropriate
> operational deployment model. Yes there is a lone page about a member
> server, but no indication outside of google hitting random email responses
> about how to turn printing OFF! When someone just wants a file share
> accessible to domain accounts, they are about as far from the rule-them-all
> focus of the samba 4 wiki as they can get, but given the indication that
> samba 3 is on life-support, they have no long-term alternative.
>
> Tony
>
>
>> Rowland
>>
>>> Again, the generic term 'provision' has nothing to do with a specific
> micro-
>> instance of creating a DC, it is about providing the environment for
>> something else to happen. Please stop equating 'provision' with DC, and
>> equate it with creating a .conf file.
>>>> https://wiki.samba.org/index.php/Samba/Domain_Member
>>>>
>>>> Probably sometime in the future, running provision to get a member
>>>> server will work, but it will require an extremely large amount of
>>>> work and the acceptance of various standards and/or even more input
>>>> from the person running samba-tool.
>>> I am sorry, but I don't buy that. If pasting in:
>>> [global]
>>>      workgroup = SHORTDOMAINNAME
>>>      security = ADS
>>>      realm = YOUR.SAMBA.DOMAIN.NAME
>>>      idmap config *:backend = tdb
>>>      idmap config *:range = 70001-80000
>>>      idmap config SHORTDOMAINNAME:backend = ad
>>>      idmap config SHORTDOMAINNAME:schema_mode = rfc2307
>>>      idmap config SHORTDOMAINNAME:range = 500-40000
>>>      winbind nss info = rfc2307
>>>
>>> creates an acceptable .conf file, then asking the user for realm &
>> workgroup is all that is required, and both are already in samba-tool. If
> there
>> is a large amount of work and additional questions, then the wiki is
> clearly
>> lacking in detail about the real requirements. Either your claims about
>> excessive work, or Marc's claims about the wiki HowTo being adequate, are
>> wrong because they are in direct conflict.
>>>> Until that far off day comes, you will have to write your own
>>>> smb.conf
>>>>
>>> I believe it is a far off day, but only because those in position to do
>> something about it believe that. I don't mind writing the smb.conf, but
>> consistent guidance that indicates it is still appropriate for current
> releases
>> would help.
>>> Tony
>>>
>>>
>>>> Rowland
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
This is the last that I will say on this subject.

Yes, samba4 was started out as a totally separate entity, but they 
folded samba3 into samba4 to get the fileserver components etc.
You can set up samba 4 as either an AD DC, OR as anything a samba 3.6 
could do, it all depends on how you set it up.
Yes, samba 3 will come to end of life sometime around end of August, but 
it will live on in samba 4.

If you want to get help, then I suggest you calm down, stop complaining 
about what samba cannot do yet and concentrate on what samba can do. If 
you stop and think about it, it is amazing just what the samba devs have 
managed to do so far and it just keeps getting better.

Rowland

More information about the samba mailing list