[Samba] Best Way to install a Samba4 DC with Samba3 Memberserver

Hauke Homburg hhomburg at w3-creative.de
Sun May 25 12:09:24 MDT 2014

On 23.05.2014 18:02, Marc Muehlfeld wrote:
> Hello Hauke,
> On 23.05.2014 16:11, Hauke Homburg wrote:
>> I thought it is better to install a Memberserver like a Fileserver
>> with SAMBA 3 because I wasn't sure about using a SAMBA 4 Installation for
>> Fileservices, too.
>> My current Knowledge is that SAMBA 4 is primarily for the AD Services. The
>> File Service is in the SAMBA 3 Code in the Package.
> 3.6 ->  4.0 ->  4.1 (->  4.2)
> Samba 4 does not mean AD. You can upgrade your Samba NT4-style PDC to
> 4.1 and stay at your NT4-style PDC without any problem.
>> I didn't know that SAMBA should be discontinued with SAMBA 4.2.
> https://wiki.samba.org/index.php/Samba_Release_Planning
>> So I think it is the best Way to install both, DC and Memberserver, with
>> SAMBA 4?
> I would not install 3.6 any more if I have the choice. 3.6 is already in
> "security updates only" mode and gets discontinued, when 4.2 is
> published. Following the 9 month rule this will be this summer.
>> What is the State of the Nested Group Support in the File Services of
>> SAMBA 4? I want to use AGDLP for Rights Management.
>> Until today I installed the "old" SAMBA 4 ISO Image from Sernet and
>> the UCS Server 3.0. In the face of it the nested group support was not
>> good.
> What kind of problems do you have with nested groups?
> In production I have some nested groups in my AD and it works without
> problems for all Windows services (file shares, printer, permissions, etc.).
> Regards,
> Marc
Hello Marc,

I myself have no problems with nested Groups because I don't use
nested Groups at this time.
But in the future, with my new Domain Installation, I want to use the AGDLP
Concept to manage Rights with SAMBA 4.
So I am learning the ropes at this time.

I am not sure about the best Way to realize the Group Management. In my
current installation I don't use local Groups in Linux. I only use Local
Groups in Windows. I created the Groups with a Windows Workstation and
assigned the Groups with Winbind to the Linux ACL.
I am deliberating whether I should create local Groups in Linux, and domain
local Groups and global Groups in SAMBA, and assign the ACL alone in
Linux Groups.
From pure Windows Installations I know the Way to only use Windows
Domain Groups and assign the ACL to domain local groups.

From Windows Servers I know that the ACLs are cumulative. Linux ACLs
are not cumulative! Are the Groups in the SAMBA AD cumulative or not, if I
use nested Groups?
I have the Idea that SAMBA itself collects the Group ACLs and can make
from an r-- and a -w- ACL a "common" rw- ACL. This is given to the
Linux Kernel. Is this right or wrong?