[Samba] Samba 4 Restrict User Create

Rowland Penny rowlandpenny at googlemail.com
Mon Nov 17 05:35:27 MST 2014

On 17/11/14 04:19, Greg Zartman wrote:
> On Sun, Nov 16, 2014 at 1:59 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>     Well it's your funeral, but I think you will find it would be
>     quicker and better in the long run to go down that path and it
>     also opens up the path to Openchange.
> SME Server is not trying to be a replacement for Exchange.  
> Openchange, and SOGO, would likely never be included in the SME Server 
> core distribution, but perhaps an add-on module (contrib) at most.
> Right now my mission is Samba 4, not the email backend in SME Server.  
> I'm doing my best to integrate Samba4 (with the help of several 
> others) without breaking a bunch of SME's other services.  Two of the 
> things you said wouldn't work with Samba 4, we've gotten working: 1) 
> Supervising Samba4 with daemontools.

I never said you couldn't use daemontools, I said that you may have to
stop using it. In fact, after a bit of investigation, why do you want to use
software that seems to be 13 years old and doesn't seem to be maintained
any more? Wouldn't you be better moving to something like 'Monit'?

>  2) Running dnscache in front of Samba4 DNS.

Again, I never said that this wouldn't work, I questioned the way that
you were trying to do it. I still think that you do not need the DNS
cache, you could just use Bind instead of the internal DNS server.

I still think that you are going about this in the old way, with old 

You do not want users to be created anywhere except on the S4 SME
server, well, good luck with that. You may get Samba4 to run a script
after a new user is added, but what happens if someone sets up a new SME
server, then joins a Windows server to it and then creates a user on the
Windows server? This new user will replicate to the Samba AD DC, but it
won't have whatever you want the SME user to have. Are you going to ask
Microsoft to add the necessary code?

Anything that a Samba4 AD DC does that a Windows AD DC doesn't is
likely to break AD somewhere.

Again, everything above is my personal opinion.


> There's always more than one way to do most things and rarely is
> something impossible. We aren't going to sacrifice our reputation of
> being a solid distribution with turnkey deployment just because it 
> might be a little easier to setup.  We'll spend the time it takes to 
> do it right or we won't do it.
> -- 
> Greg J. Zartman
> Board Member
> Koozali SME Server
> SME Server user and community member since 2000
