[Samba] The 'not-always-on' infrastructure at home and Samba4 AD DC's..

Vinicius Bones Silva vbs at e-trust.com.br
Wed Mar 28 22:18:05 UTC 2018

Cached credencials never expire, so it should be ok to go several weeks without talking to 
your DCs.
Passwords may expire, if you use a password policy (the default is not to, iirc)

take a look at 
https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_Roles and 
https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles to check a few issues 
you might run into.


Em 28/03/2018 18:38, Vincent S. Cojot via samba escreveu:
> Hi everyone,
> Apologies in advance, this will be a bit long but I'm hoping to get some guidance and 
> hints on usual practices for using Samba4 AD DC as an Idm for W10 laptops that might be 
> on the road elsewhere..
> As much as I have been using samba for file serving, a Samba AD DC is something new to me.
> I built a small Samba AD DC infrastructure to serve UIDs and Passwords (4 VMs on 4 KVM 
> hosts). My problem is that not all Samba DC's will always be turned on. Out of the 4 KVM 
> hosts, 1 or 2 are going
> to be turned off quite often (especially in the summer), another one is going to be up 
> half of the time on average while the first server will most likely average 95% uptime.
> The key metric here is that at least -one- hypervisor/router will -always- be available 
> at any given time and this will be sufficient to provide all neded services. Also there 
> isn't any type of
> shared storage (only replicated storage when two nodes with a replication schedule 
> happen to be on at the same time).
> This strange setup has been serving a family of 5 for the past 10 years, providing DNS, 
> NFS, SMB, Squid+UfdbGuard, NAT, IDS, filtering, etc..
> Most of the family laptops now run W10 (Microsoft Office at school is still a hard 
> requirement in some places) while most other boxes use Fedora with the infra servers 
> running RHEL7.
> Wanting to provide centralized password management to the teenagers and not feeling like 
> managing local user accounts on their Windows laptops, I opted for Samba as an AD DC. To 
> this effect, I built
> 4 RHEL7 VMs (one per physical server because I have no shared storage). I used Wing's 
> 4.6.14 rpms (http://wing-repo.net/wing) because RHEL7's samba doesn't do AD DC yet.
> So I find myself with the following setup:
> - KVM Host #0 -> VM guest DC0   (expected uptime: around 95%)
> - KVM Host #1 -> VM guest DC1   (expected uptime: around 90%)
> - KVM Host #2 -> VM guest DC2   (expected uptime: around 25-50%)
> - KVM Host #3 -> VM guest DC3   (expected uptime: around 10-25%)
> I setup the 4 VMs (DC0, DC1, DC2, DC3) in an AD just fine and was able to verify proper 
> configuration/replication. ( Win10 connectivity, drs showrepl, RSAT access and usability).
> - Is the 4*DC setup a good or a bad idea in that use-case? I decided against a 2*DC 
> setup because there may be times both DC0 and DC1 might be turned off at the same time.
> - Aside from some TCP timeouts caused by the unavailability of some of the IPs (the AD A 
> DNS record will always show 4 IPs, regardless of which servers are turned off), what 
> other issues could happen
> on the laptops?
> - Is there a hard limit on the number of days that those W10 laptops can go without 
> being connected to any of Samba DC's (think remote summer job) and keep using cached 
> credentials? (or is it just
> like with an ordinary AD)
> Any do's and don'ts would be much apreciated. Thanks in advance.
> Regards,
> Vincent

More information about the samba mailing list