[Samba] Samba 4.x "changes"

Andrew Bartlett abartlet at samba.org
Tue Mar 18 20:19:01 MDT 2014

On Tue, 2014-03-18 at 16:07 -0600, Wayne Andersen wrote:
> I have been using Samba for quite a while now in my production 
> environment, really since the very early releases of 4.
> There has been some pain here and there, but it has been an exciting and 
> rewarding process.
> I have been noticing more and more changes in the environment, most 
> minor but some more significant.
> A couple of examples.
> I did not use --use-rfc2307 when provisioning, it was not in the Samba AD How to originally.
> Can not find any way to create those records after the fact.

We don't currently have a tool for that, but this link looks about


> Now I am trying to switch from the internal DNS to BIND, and it looks 
> like the DNS directory has changed from /usr/local/samba/private to 
> /usr/local/samba/private/DNS.
> (I would like to know where this is defined so that I can update it)

This isn't a recent change, just the long-standing and deliberate
behaviour for the BIND9_DLZ backend.  What has happened here is that to
allow BIND to access the DNS partitions, without giving the bind process
access to the whole domain, the DNS partitions are hard linked into this
directory, and a dummy sam.ldb file is added.  This means BIND9 can
read/write the DNS entries, but not the keys and passwords for the rest
of the domain.  This is needed because we need transactions and so can't
do this over LDAPi, and want the DNS server to be able to start and
operate independent of the LDAP server. 

> None of the issues I have run into are deal breakers at this point most 
> just nice to have or nuisances.
> My question boils down to, at some point should I quit fighting the 
> changes that have crept in with each update and start over again new.

I see no reason why you need to take such drastic action.  Can you
explain in more detail what you find so unsettling?

> There are clearly disadvantages to both scenarios.
> I am not aware of any way to backup the AD data in a way that would let 
> me install a fresh domain then import the same machines and users.

A domain is either fresh, or has the same machines and users.  It is
never both.

> So I think I would be starting over from scratch.

I don't recommend that. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
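A script to verify the BIND9_DLZ layout Andrew describes (DNS partitions hard linked into the DNS directory, a dummy sam.ldb beside them, the real sam.ldb kept away from the bind user). This is an added example, not code from the thread or from Samba; it assumes the partition file names DC=DOMAINDNSZONES,... and DC=FORESTDNSZONES,... under sam.ldb.d, and takes the DNS directory name as an argument (the thread quotes "DNS", current installs use "dns").

```shell
#!/bin/sh
# dlz_check PRIVATE_DIR [DNS_SUBDIR]
#   PRIVATE_DIR  e.g. /usr/local/samba/private  (assumed default layout)
#   DNS_SUBDIR   directory BIND is pointed at, default "dns"
# Returns 0 when the isolation properties hold, 1 otherwise.
dlz_check() {
    private="$1"; dnsdir="${2:-dns}"; rc=0
    [ -f "$private/sam.ldb" ] || { echo "FAIL: $private/sam.ldb missing"; return 1; }

    # 1. The full domain DB holds keys and passwords; it must not be
    #    readable by "other" (named runs as its own unprivileged user).
    if [ -n "$(find "$private/sam.ldb" -prune -perm -o=r 2>/dev/null)" ]; then
        echo "FAIL: $private/sam.ldb is world-readable"; rc=1
    fi

    # 2. The sam.ldb BIND opens must be the dummy, never a link to the real one.
    if [ ! -f "$private/$dnsdir/sam.ldb" ]; then
        echo "FAIL: dummy $dnsdir/sam.ldb missing"; rc=1
    elif [ "$private/$dnsdir/sam.ldb" -ef "$private/sam.ldb" ]; then
        echo "FAIL: $dnsdir/sam.ldb is the full domain database"; rc=1
    fi

    # 3. Only DNS partitions may be exposed, and each must be a hard link
    #    (same inode) of the live partition so samba and named share state.
    linked=0
    for f in "$private/$dnsdir/sam.ldb.d"/*.ldb; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            DC=DOMAINDNSZONES,*|DC=FORESTDNSZONES,*) ;;
            *) echo "FAIL: non-DNS partition exposed to BIND: $name"; rc=1; continue ;;
        esac
        if [ "$f" -ef "$private/sam.ldb.d/$name" ]; then
            linked=$((linked + 1))
        else
            echo "FAIL: $name is a copy, not a hard link; DNS updates would diverge"; rc=1
        fi
    done
    [ "$linked" -gt 0 ] || { echo "FAIL: no DNS partitions linked into $dnsdir"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: BIND sees DNS partitions only"
    return $rc
}
# usage: dlz_check /usr/local/samba/private dns
```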
