[Samba] using the DC as a file Server in AD

Mike 1100100 at gmail.com
Tue Jun 9 19:25:26 MDT 2015


Sernet Samba 4.1.17 on CentOS 7.1503 running on older hardware - Dell
PowerEdge 2950 with 2 x Xeon CPUs and 16GB RAM.
AD DC and file server all in one.
Approximately 50 domain users and 50 computers.
No problems to report.
I'm learning to be very deliberate with changing POSIX and Windows ACLs so
I don't disturb users' access to files and folders.
I check ACLs on a specific file/folder on the server with getfacl.
Then I make one small ACL modification to one file in a sub-directory of a
share.
Then I record the difference reported by getfacl again.
Then I will access the same file from the Windows RSAT console as the Domain
Admin and note the permissions indicated on the Security tab.
Then I make one small modification to the one file using the Windows console and
check the difference with getfacl on the Linux/Samba server to note the
difference.
Only after comprehending the series of small modifications, I'll apply a
particular change using setfacl across a whole directory and/or recursively
through sub-directories.
Setfacl seems very quick and powerful in applying modifications across
10s/100s of GBs - with no disturbance to domain users.
Applying large ACL changes with Windows RSAT tools is slower and uses more
CPU - makes me nervous.
I've found I can add/delete shares in smb.conf without stopping/starting
samba and smbd daemons. Users can refresh the Windows file explorer to the
host address "\\hostname-of-samba-ad-dc" and immediately view and access
shares.
Stopping/starting samba while domain users are logged in causes chaos and
makes the samba host inaccessible to a few, or half, or sometimes a
majority of the domain users. The only cure appears to be a complete power-off
of all computers - 1. start up samba server, 2. start up domain user
computers. Conclusion: stop/start samba daemon as a last resort.

On Tue, Jun 9, 2015 at 6:47 AM, Pisch Tamás <pischta at gmail.com> wrote:

> Hi,
>
> there is a recommendation in the Samba AD DC howto: "We do not recommend
> using the Domain Controller as a file Server." We have two sites. We have
> two Samba3 servers now with ldap on site1, and one Samba3 BDC on site2. We
> have ~200 users, and around 50 clients connect to the servers at the same
> time on site1, and around 20 clients connect to the BDC on site2. On the
> BDCs there are file shares. If I upgrade to Samba4 and switch to AD, I
> would like to use DC2 and DC3 as file servers too. What issues can this
> setup cause, and how serious are those?
>
> Thanks,
> Tamas.
>
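
Added example (not part of the original message and not Samba project code): the getfacl-before / one-small-change / getfacl-after check described in the message above, done by comparing two `getfacl -R` dumps per file. The paths, the group "staff" and the function names parse_getfacl and acl_changes are assumptions made for the illustration.

```python
# Compare two `getfacl -R` dumps; paths, users and groups are constructed samples.
BEFORE = """\
# file: share/projects/plan.txt
# owner: root
# group: users
user::rw-
group::r--
other::---

# file: share/projects/notes.txt
# owner: root
# group: users
user::rw-
group::r--
other::---
"""

# Same tree after `setfacl -m g:staff:rw-` on plan.txt only (constructed).
AFTER = BEFORE.replace(
    "user::rw-\ngroup::r--\nother::---\n\n",
    "user::rw-\ngroup::r--\ngroup:staff:rw-\nmask::rw-\nother::---\n\n",
    1)

def parse_getfacl(dump):
    """Map each path to its set of ACL lines (owner/group headers included)."""
    acls, current = {}, None
    for raw in dump.splitlines():
        line = raw.split("#effective")[0].strip()  # drop effective-rights notes
        if line.startswith("# file: "):
            current = line[len("# file: "):]
            acls[current] = set()
        elif line and current is not None:
            acls[current].add(line.lstrip("# "))
    return acls

def acl_changes(before, after):
    """Return {path: {"removed": [...], "added": [...]}} for changed paths only."""
    old, new = parse_getfacl(before), parse_getfacl(after)
    changes = {}
    for path in sorted(old.keys() | new.keys()):
        removed = sorted(old.get(path, set()) - new.get(path, set()))
        added = sorted(new.get(path, set()) - old.get(path, set()))
        if removed or added:
            changes[path] = {"removed": removed, "added": added}
    return changes

if __name__ == "__main__":
    for path, delta in acl_changes(BEFORE, AFTER).items():
        print(path, delta)
```

The report lists the new mask entry alongside the group entry, and any path other than the one that was modified showing up in it is a reason to stop before applying the change recursively.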

