[Samba] D.C. and File Server on the same server...

Linda W samba at tlinx.org
Wed Nov 9 23:20:41 UTC 2016


Rowland Penny via samba wrote:
> On Sat, 05 Nov 2016 12:15:49 -0700
> Linda W via samba <samba at lists.samba.org> wrote:
>
>>     Is there a target date for when the 4.x server will be able to
>> support 1 samba instance being the domain controller and serving files
>> as the 3.x server is able to do?
>
> You can already do this.
---
    The 4.x server will serve files as well or better
than the 3.6.x servers?

>>     I have been waiting for the 4.x server to become a full server
>> before upgrading from 3.6.22, but it is getting a bit long in the
>> tooth. The requirement that in upgrading to 4.x I'll still need to run
>> a 3.6 server made the upgrade seem like a lot of work for little gain
>> (I only have a few users and most of them are "virtual me's"...).
>
> Samba 4 is capable of being a full AD DC.
---
    But is it capable of being a full 3.6.xx file server with the
same flexibility in mapping Windows IDs to local unix IDs?

    For example, I have the security groupings in my server's
/etc/group file:

Low Mandatory Level:!:11604096:
Medium Mandatory Level:!:11608192:
Medium Plus Mandatory Level:!:11608448:
High Mandatory Level:!:11612288:
System Mandatory Level:!:11616384:root

    on the server, so when I log in to Windows and bring up Cygwin,
I see my security label in my group listing.  I have several
Win-builtin and well-known ID ranges mapped to unix-ID ranges and
that works (at least for identification purposes -- you can't
force a Mandatory-level your user id doesn't already have in windows,
but it will show ones you do have if there is a label for them
in "winbind").  I use winbind to provide a single-signon from
linux or win with the file ownerships being the same for domain RIDs
on linux and on windows (win7).

> If you use the DC as a fileserver, then there are a few minor problems
> you need to work around, mostly to do with IDs
----
    "Minor problems" -- enough so that it is recommended to run them
on separate machines?

    I have a rather useful Domain server that can return many or
most of the MS-builtins as well as "well-known" domain IDs...
Winbind also provides the logins for linux, so I have a single
login on linux and win ("domain\login" on Win = login on my server for
the most part, though if I log in from win->linux w/ssh, I do have
to accept and map domain\login => login in /etc/passwd, for example).

    Consistent with having the same IDs is the ability of
my win-userIDs to access the same files on the server as they can when
logged into the server.  I only have single-user access to
my Win-shares mounted on linux, as I haven't written a good
CIFS-upcall handler to allow multi-user, but that's not a pressing need.

    I'd like my 4.x config to be at least as flexible as what
I have now...  that should be easy, right?  (*wincing*)...
Thanks!

-linda
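
Added example (not part of the original message, and not Samba code): a consistency check for /etc/group entries like the ones quoted above, useful when carrying such a mapping across an upgrade. It assumes each GID is a fixed base of 11600000 plus the Windows integrity-level RID of the S-1-16-<RID> label SID; the base is inferred from the listed values, and the function names are hypothetical.

```python
# ASSUMPTION: gid = GID_BASE + RID. The base is inferred from the values in
# the message, not stated there.
GID_BASE = 11600000

# Well-known Windows integrity-level RIDs under authority S-1-16.
INTEGRITY_RIDS = {
    0x1000: "Low Mandatory Level",
    0x2000: "Medium Mandatory Level",
    0x2100: "Medium Plus Mandatory Level",
    0x3000: "High Mandatory Level",
    0x4000: "System Mandatory Level",
}

# The group lines quoted in the message.
SAMPLE_GROUP = """\
Low Mandatory Level:!:11604096:
Medium Mandatory Level:!:11608192:
Medium Plus Mandatory Level:!:11608448:
High Mandatory Level:!:11612288:
System Mandatory Level:!:11616384:root
"""

def parse_group(text):
    """Yield (name, gid, members) from group(5)-format text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            raise ValueError(f"malformed group entry: {line!r}")
        name, _password, gid, members = fields
        yield name, int(gid), [m for m in members.split(",") if m]

def audit_integrity_groups(text, base=GID_BASE):
    """Return [(name, sid_or_None, members, problem_or_None), ...]."""
    report = []
    for name, gid, members in parse_group(text):
        rid = gid - base
        expected = INTEGRITY_RIDS.get(rid)
        if expected is None:
            sid, problem = None, f"gid {gid} is not base + integrity RID"
        else:
            sid = f"S-1-16-{rid}"
            problem = None if name == expected else f"name should be {expected!r}"
        report.append((name, sid, members, problem))
    return report

if __name__ == "__main__":
    for row in audit_integrity_groups(SAMPLE_GROUP):
        print(row)
```

A row with a non-empty last field marks a group whose name or GID no longer matches the integrity level it is meant to label.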



