[Samba] The administrator experience with Samba4

Andrew Bartlett abartlet at samba.org
Sat Apr 30 09:24:25 UTC 2016

On Wed, 2016-04-20 at 09:29 +0200, Johannes Amorosa | Celluloid VFX
> This is a lot of effort because we didn't really understand how to
> continuously backup and replay a running domain. Samba gives us so
> much 
> headache that it is
> worth to dedicate some time in this to get it right.

The difficultly with backups of running domains is that because of the
replicated state, restoring an old backup can cause trouble.  We
suggest instead re-joining, realising that this can also be less than
ideal, but seems to work better.

> These playbooks can be run on vms, containers and real server for 
> continuously testing. Yup we're paranoid.

> Samba is great but my 2 cents it would be helpful if samba
> development 
> would focus a bit more on integrated backup strategies and easy
> robust 
> deployment. These things come in mind:
> - sysvol replication integrated

I agree, this is a major missing part.  We had some developers who were
interested in implementing this in a protocol-compatible way (ie, able
to replicate with Windows), but no progress has been made in a couple
of years.

Since we released Samba4, I have realised that we have produced a great
mimic of AD, but we have lost a little of what has always made Samba
great, that it needs to work with windows clients and tools, but not be
Windows - we can have some different behaviours.  It would be
reasonable to have a Samba-only sysvol sync tool, as long as we have a
way to import from Windows AD, as most folks don't run mixed Samba
-Windows domains after migration.

> - automatic promoting/joining/replicating etc. I never wan't to be 
> bothered using samba-tool for normal replicated setup - One namespace
> in 
> config should do the trick.

I understand the frustration here.  The pattern comes from how Windows
handles it, and the need for a privileged account (the administrator)
to create the new DC.  It should only be needed once, and in an ideal
world, it should start ongoing replication once Samba starts. 

I take it you would like Samba to be able to re-import the replicated
state from just a realm and a DC secret in secrets.ldb?  

I guess a 'samba-tool domain dcpromo' could detect that we have a
password to a working account and just re-sync from there.  Would this
be helpful?

> - integrated backup tool for everything that needs to be backupd to 
> bring up the same domain with one command: samba import backup
> Not to get me wrong a lot of issues are already been working on and a
> lot of things have been simplified.
> Samba should feel more like i.e. MongoDB where it is trivial to add
> and 
> remove instances dynamically, making backups, but of course that is 
> comparing different things.
> Hope this helps
> Johannes

One of the big challenges here is that while the Samba Team is large,
and we take great pride in supporting all of Samba, the number of us
who work daily on AD DC development is much more limited, and our time,
particularly for larger tasks, is essentially dictated by the needs of
our consulting/development clients.
The good news is that pretty much everyone uses Samba4 in much the same
way, so the tasks that come up and the patches they produce and the
experiences we gain end up helping us all. (I wrote with amusement
about this on the other list just earlier today).  
For example, I think I have, once and for all finally sorted out some
really nasty issues in our replication code.  Patches for that should
be in master soon. 
The bad news is that to get prompt attention to your particular issue,
when it is a larger one, you may need to contract one of the firms
employing Samba developers for commercial support: 
The other part of this is that we would love to have a class of
sysadmin-developer folks regularly contributing to Samba.  Having most
of our team being very heavy into the development, while not often
deploying Samba in the real world, means we just don't see the things
that truly get under your skin.  Writing about your experiences is
great, even better would be writing patches.  We developed samba-tool
in python in the hope that it would be easier to contribute to than our
C code.
Finally, if you wanted to take on the idea of re-replicating in using
just the DC secret, or writing a better backup script (integrated into
our make test so we know it just works every time), I would be happy to
guide you.
Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list