[Samba] Domain controller in a chroot

Andrew Bartlett abartlet at samba.org
Sun Apr 12 05:00:28 MDT 2015

On Tue, 2015-03-17 at 09:27 +0100, Sébastien Le Ray wrote:
> Hi list,
> Since it is considered “harmful” to run a domain controller that acts as a 
> fileserver I was considering the option of putting the AD DC into a 
> chroot. Is there any special configuration to perform (except bind 
> interfaces) to avoid conflicts? (are there any broadcasting issues or so?)

It isn't really that harmful (the sysvol part is a perfectly well
functioning file server), but you can't get redundancy for the file
server part, while you could cluster that if it wasn't a DC, so we
worked hard to try and suggest folks think about it.  We also like to
encourage the DC, given the central role, to be a bit more isolated.
But on 'small business server replacement' networks, this isn't really
that important. 

Using Samba 4.2 (where we use winbindd) is recommended, and it is
important to understand that the DC will force on the acl_xattr VFS
module, and in doing so may interfere with setting other modules like

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
