[Samba] using the DC as a file Server in AD

Pisch Tamás pischta at gmail.com
Wed Jun 10 00:04:20 MDT 2015


Mots and Mike: thanks for your experiences. Mike: how long have you been using
this AD DC+file server configuration?

2015-06-10 3:25 GMT+02:00 Mike <1100100 at gmail.com>:

> Sernet Samba 4.1.17 on CentOS 7.1503 running on older hardware - Dell
> PowerEdge 2950 with 2 x Xeon CPUs and 16GB RAM.
> AD DC and file server all in one.
> Approximately 50 domain users and 50 computers.
> No problems to report.
> I'm learning to be very deliberate with changing POSIX and Windows ACLs
> so I don't disturb users' access to files and folders.
> I check ACLs on a specific file/folder on the server with getfacl.
> Then make one small acl modification to one file in a sub-directory of a
> share.
> Then record the difference reported by getfacl again.
> Then will access the same file from Windows RSAT console as the Domain
> Admin and note the permissions indicated on the Security tab.
> Then make one small modification to the one file using windows console and
> check the difference with getfacl on the linux/samba server to note the
> difference.
> Only after comprehending the series of small modifications, I'll apply a
> particular change using setfacl across a whole directory and/or recursively
> through sub-directories.
> Setfacl seems very quick and powerful in applying modifications across
> 10's/100's of GB's --- with no disturbance to domain users.
> Applying large acl changes with Windows RSAT tools is slower and uses more
> cpu ---- makes me nervous.
> I've found I can add/delete shares in smb.conf without stopping/starting
> samba and smbd daemons.  Users can refresh the windows file explorer to the
> host address "\\hostname-of-samba-ad-dc" and immediately view and access
> shares.
> Stopping/starting samba while domain users are logged in causes chaos and
> makes the samba host inaccessible to a few, or half, or sometimes a
> majority of the domain users.  Only cure appears to be a complete power-off
> of all computers ----- 1. start up samba server, 2. start up domain user
> computers.  Conclusion:  stop/start samba daemon as a last resort.
>
> On Tue, Jun 9, 2015 at 6:47 AM, Pisch Tamás <pischta at gmail.com> wrote:
>
>> Hi,
>>
>> there is a recommendation in the Samba AD DC howto: "We do not recommend
>> using the Domain Controller as a file Server." We have two sites. We have
>> two Samba3 servers now with ldap on site1, and one Samba3 BDC on site2. We
>> have ~200 users, and around 50 clients connect to the servers at the same
>> time on site1, and around 20 clients connect to the BDC on site2. On the
>> BDCs there are file shares. If I upgrade to Samba4 and switch to AD, I
>> would like to use DC2 and DC3 as file servers too. What issues can this
>> setup cause, and how serious are they?
>>
>> Thanks,
>> Tamas.


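The snapshot-and-compare routine described in Mike's quoted message, as an added shell example that is not part of the thread: it records getfacl output before and after one small change and lists exactly which entries on which paths differ. The helper names, the /srv/share paths and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and the sample snapshots are constructed.
# Record all ACLs under a directory; run once before and once after a change.
acl_snapshot() { getfacl -R -p "$1" 2>/dev/null; }

# Flatten getfacl output to sorted "path<TAB>entry" lines.
acl_flatten() {
    awk '/^# file: /          { path = substr($0, 9); next }
         /^# (owner|group): / { print path "\t" substr($0, 3); next }
         /^#/ || /^$/         { next }
                              { sub(/[ \t]*#.*$/, ""); print path "\t" $0 }' "$1" |
        LC_ALL=C sort
}

# Print entries removed ("- ") and added ("+ ") between two snapshot files.
acl_delta() {
    _b=$(mktemp); _a=$(mktemp)
    acl_flatten "$1" > "$_b"; acl_flatten "$2" > "$_a"
    LC_ALL=C comm -23 "$_b" "$_a" | sed 's/^/- /'
    LC_ALL=C comm -13 "$_b" "$_a" | sed 's/^/+ /'
    rm -f "$_b" "$_a"
}

# List each path whose ACL changed; more than one path means the edit spread.
acl_touched() {
    acl_delta "$1" "$2" | cut -f1 | sed 's/^[-+] //' | LC_ALL=C sort -u
}

# Constructed "before" snapshot in getfacl -R -p format, for an offline run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.acl" <<'EOF'
# file: /srv/share/projects
# owner: root
# group: staff
user::rwx
group::r-x
other::---

# file: /srv/share/projects/plan.txt
# owner: root
# group: staff
user::rw-
group::r--
other::---
EOF
# Constructed "after": one named-user entry (plus its mask) added to plan.txt.
awk '{ print } $0 == "user::rw-" { print "user:alice:rw-" }
     $0 == "group::r--" { print "mask::rw-" }' "$demo_dir/before.acl" > "$demo_dir/after.acl"
acl_delta "$demo_dir/before.acl" "$demo_dir/after.acl"
```

On a live share, save `acl_snapshot` output to a file before and after each single change, whether made with setfacl or from the Windows Security tab, and check that `acl_touched` names only the file that was meant to change before applying anything recursively.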