[Samba] D.C. and File Server on the same server...

Rowland Penny rpenny at samba.org
Thu Nov 10 09:18:39 UTC 2016

On Wed, 09 Nov 2016 15:20:41 -0800
Linda W <samba at tlinx.org> wrote:

> Rowland Penny via samba wrote:
> > On Sat, 05 Nov 2016 12:15:49 -0700
> > Linda W via samba <samba at lists.samba.org> wrote:
> >
> >
> >   
> >>     Is there a target date for when the 4.x server will be able to
> >> support 1 samba instance being the domain controller and serving
> >> files as the 3.x server is able to do?
> >>     
> >
> > You can already do this.
> >   
> ---
>     The 4.x server will serve files as well or better
> than the 3.6.x servers?

It should work the same, after all, it is using the same code.

> >   
> >>     I have been waiting for the 4.x server to become a full server
> >> before upgrading from 3.6.22, but it is getting a bit long in the
> >> tooth. The requirement that in upgrading to 4.x I'll still need to
> >> run a 3.6 server made the upgrade seem like a lot of work for
> >> little gain (I only have a few users and most of them are "virtual
> >> me's"...). 
> >
> > Samba 4 is capable of being a full AD DC.
> >   
> ---
>     But is it capable of being a full 3.6.xx file server with the
> same flexibility in mapping windows-ID's to local unix ID's?

This is the 'old' way of doing things and Microsoft seems to be trying
to make it harder and harder to work with non-AD servers.
So no, you don't map windows users to local Unix users, you make them
local Unix users.

>     For example, I have the security groupings in my server's
> /etc/group file:
> Low Mandatory Level:!:11604096:
> Medium Mandatory Level:!:11608192:
> Medium Plus Mandatory Level:!:11608448:
> High Mandatory Level:!:11612288:
> System Mandatory Level:!:11616384:root
>     on the server, so when I login to windows and bring up cygwin,
> I see my security label in my group listing.  I have several
> Win-builtin and well-known ID ranges mapped to unix-ID ranges and
> that works (at least for identification purposes -- you can't
> force a Mandatory-level your user id doesn't already have in windows,
> but it will show ones you do have if there is a label for them
> in "winbind".  I use winbind to provide a single-signon from
> linux or win with the file ownerships being the same for domain RID's
> on linux and on windows (win7).

Just create the groups in AD and you probably won't need cygwin.

> >   
> > If you use the DC as a fileserver, then there are a few minor
> > problems you need to work around, mostly to do with IDs
> >   
> ----
>     "Minor problems" -- enough so that it is recommended to run them
> on separate machines?

OK, the main visible problems are: a DC uses xidNumbers by default,
these are all in the '3000000' range, and any Unix domain members will
get different IDs. You can work around this by giving domain users &
groups a uidNumber or gidNumber; this way, they all get the same ID
everywhere in Unixland.
You cannot use the login shell & Unix home directory attributes from AD
on a DC, you have to use template lines in smb.conf.

>     I have a rather useful Domain server that can return many or
> most of the MS-builtins as well as "well-known" domain ID's...
> Winbind also provides the logins for linux, so I have a single
> login on linux and win ("domain\login" on Win = login on my server for
> the most part, though if I login from win->linux w/ssh, I do have
> to accept and map domain\login => login in /etc/passwd, for example.

You don't really need most of the BUILTIN users & groups to be visible
to Unix, winbind will silently map them for you with 'idmap config
*:backend = tdb'

>     Consistent with having the same ID's is the ability of
> my win-userID's to access same files on the server as they can when
> logged into the server.  I only have single-user access to
> my Win-shares mounted on linux, as I haven't written a good
> CIFS-upcall handler to allow multi-user, but that's not a pressing
> need.

You can have consistent IDs, and with a single point of administration.

>     I'd like my 4.x config to be at least as flexible as what
> I have now...  that should be easy, right?  (*wincing*)...
> Thanks!

No, you probably can't have it as easy as you have it now; with AD you
can have it easier ;-)
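The two workarounds Rowland names above (give domain users and groups an explicit uidNumber/gidNumber so the DC's local xidNumber allocations in the 3000000 range stop leaking into file ownership, and put 'template shell'/'template homedir' lines in the DC's smb.conf because the DC does not read loginShell/unixHomeDirectory from AD) can be scripted. The following is an added example, not code from the thread or from the Samba project. It flags DC-local IDs in `getent passwd` output, allocates stable IDs and renders them as LDIF, and audits an smb.conf [global] section. The sample passwd lines, DNs and smb.conf are constructed; the ldbmodify path in the docstring and the 10000 ID base are assumptions for your own install.

```python
"""Helpers for running a Samba AD DC as a file server with consistent Unix IDs.

Added example (not from the Samba list thread or the Samba project).
The LDIF produced here is meant for something like
    ldbmodify -H /var/lib/samba/private/sam.ldb ids.ldif
(the sam.ldb path is an assumption; it differs between builds/distros).
"""
import re

# Samba's DC-local idmap allocates xidNumbers from 3000000 upward by default.
# Any UID/GID in that range is DC-local and will differ on domain members.
DC_XID_BASE = 3000000


def flag_dc_local_ids(passwd_lines):
    """Return names from `getent passwd` output whose UID came from the DC's
    local xidNumber allocation rather than an explicit uidNumber in AD."""
    local = []
    for line in passwd_lines:
        parts = line.split(":")
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        if int(parts[2]) >= DC_XID_BASE:
            local.append(parts[0])
    return local


def allocate_ids(entries, base=10000):
    """Assign a stable uidNumber (users) or gidNumber (groups) to each entry.

    entries: list of {"dn": str, "kind": "user"|"group", "id": int|None}.
    Existing IDs are kept; missing ones are allocated from `base` upward,
    never reusing a number that is already taken.
    """
    used = {e["id"] for e in entries if e.get("id") is not None}
    next_id = base
    result = []
    for e in entries:
        attr = "uidNumber" if e["kind"] == "user" else "gidNumber"
        if e.get("id") is not None:
            result.append((e["dn"], attr, e["id"]))
            continue
        while next_id in used:
            next_id += 1
        used.add(next_id)
        result.append((e["dn"], attr, next_id))
        next_id += 1
    return result


def to_ldif(assignments):
    """Render allocate_ids() output as LDIF; 'replace' both adds a missing
    attribute and overwrites an existing one, so it is safe to re-run."""
    chunks = [
        f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n"
        for dn, attr, value in assignments
    ]
    return "\n".join(chunks)


def check_dc_smbconf(text):
    """Return the template parameters missing from [global].

    Samba parameter names ignore case and whitespace, so the keys are
    normalised before comparison.  On a DC these lines are the only way to
    set shell and home directory for domain users."""
    required = {"templateshell", "templatehomedir"}
    found = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key = line.split("=", 1)[0]
        found.add(re.sub(r"\s+", "", key).lower())
    return sorted(required - found)


# Constructed sample data, not taken from any real domain.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:3000021:100:Alice:/home/alice:/bin/bash",  # DC-local xidNumber
    "bob:x:10001:10000:Bob:/home/bob:/bin/bash",        # explicit uidNumber
]
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "kind": "user", "id": None},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "kind": "user", "id": 10001},
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com", "kind": "group", "id": 10000},
]
SAMPLE_SMBCONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller
    template shell = /bin/bash
    # template homedir deliberately left out
"""

if __name__ == "__main__":
    print("DC-local IDs:", flag_dc_local_ids(SAMPLE_PASSWD))
    print(to_ldif(allocate_ids(SAMPLE_ENTRIES)))
    print("missing in [global]:", check_dc_smbconf(SAMPLE_SMBCONF))
```

Run it against real `getent passwd` output and your own smb.conf; anything reported as DC-local is an account whose files will show a different owner on a domain member until it gets a uidNumber, and the LDIF is idempotent so it can be re-applied after adding accounts.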

