[Samba] The 'not-always-on' infrastructure at home and Samba4 AD DC's..
Vinicius Bones Silva
vbs at e-trust.com.br
Wed Mar 28 22:18:05 UTC 2018
Cached credencials never expire, so it should be ok to go several weeks without talking to
Passwords may expire, if you use a password policy (the default is not to, iirc)
take a look at
https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles to check a few issues
you might run into.
Em 28/03/2018 18:38, Vincent S. Cojot via samba escreveu:
> Hi everyone,
> Apologies in advance, this will be a bit long but I'm hoping to get some guidance and
> hints on usual practices for using Samba4 AD DC as an Idm for W10 laptops that might be
> on the road elsewhere..
> As much as I have been using samba for file serving, a Samba AD DC is something new to me.
> I built a small Samba AD DC infrastructure to serve UIDs and Passwords (4 VMs on 4 KVM
> hosts). My problem is that not all Samba DC's will always be turned on. Out of the 4 KVM
> hosts, 1 or 2 are going
> to be turned off quite often (especially in the summer), another one is going to be up
> half of the time on average while the first server will most likely average 95% uptime.
> The key metric here is that at least -one- hypervisor/router will -always- be available
> at any given time and this will be sufficient to provide all neded services. Also there
> isn't any type of
> shared storage (only replicated storage when two nodes with a replication schedule
> happen to be on at the same time).
> This strange setup has been serving a family of 5 for the past 10 years, providing DNS,
> NFS, SMB, Squid+UfdbGuard, NAT, IDS, filtering, etc..
> Most of the family laptops now run W10 (Microsoft Office at school is still a hard
> requirement in some places) while most other boxes use Fedora with the infra servers
> running RHEL7.
> Wanting to provide centralized password management to the teenagers and not feeling like
> managing local user accounts on their Windows laptops, I opted for Samba as an AD DC. To
> this effect, I built
> 4 RHEL7 VMs (one per physical server because I have no shared storage). I used Wing's
> 4.6.14 rpms (http://wing-repo.net/wing) because RHEL7's samba doesn't do AD DC yet.
> So I find myself with the following setup:
> - KVM Host #0 -> VM guest DC0 (expected uptime: around 95%)
> - KVM Host #1 -> VM guest DC1 (expected uptime: around 90%)
> - KVM Host #2 -> VM guest DC2 (expected uptime: around 25-50%)
> - KVM Host #3 -> VM guest DC3 (expected uptime: around 10-25%)
> I setup the 4 VMs (DC0, DC1, DC2, DC3) in an AD just fine and was able to verify proper
> configuration/replication. ( Win10 connectivity, drs showrepl, RSAT access and usability).
> - Is the 4*DC setup a good or a bad idea in that use-case? I decided against a 2*DC
> setup because there may be times both DC0 and DC1 might be turned off at the same time.
> - Aside from some TCP timeouts caused by the unavailability of some of the IPs (the AD A
> DNS record will always show 4 IPs, regardless of which servers are turned off), what
> other issues could happen
> on the laptops?
> - Is there a hard limit on the number of days that those W10 laptops can go without
> being connected to any of Samba DC's (think remote summer job) and keep using cached
> credentials? (or is it just
> like with an ordinary AD)
> Any do's and don'ts would be much apreciated. Thanks in advance.
More information about the samba