[Samba] New Samba4 environment to replace existing Windows 2008R2 AD

Thu Dec 9 18:09:11 UTC 2021

On 12/9/21 10:32, Shelton, Gary via samba wrote:
> Hello folks,
> I have a client who is looking to retire their old 2008R2 AD
> environment (a single server with the AD DC and file server roles).
> It's been through a few upgrades (2003->2008->2008R2), and so the AD
> is a bit of a mess. I've done some preliminary tests in adding a
> Samba4 AD DC to the existing domain and there are a lot of little bits
> of old AD schema still floating around and inevitably the Samba DC
> stops syncing with the Windows server, logins are no longer
> authenticated, etc. so we're going to set up a new AD from scratch. So
> far, so good.
> 
> I have a couple of questions about deploying a Samba-only AD in a
> production environment. The client network consists of about 60
> workstations and virtual machines (all running Windows 10) so we all
> understand the environment. Nothing fancy.
> 
> My questions:
> 
>    * Is it recommended to run multiple Samba AD DCs, like the typical
> guidance for running Windows Server DCs? There are only about 35
> users, so I don't see the need from a capacity standpoint.
> 
>     * If so, is it acceptable to use containers (LXC on Linux or jails
> on FreeBSD) to run an AD DC and a file server on the same physical
> host?
> 

As far as I'm concerned, one should *only* run a samba ad-dc in an LXD 
container, but I'm sure there are plenty who beg to differ. I Can 
confirm, however, that it works. Note that this is not the same thing as 
a VM.  A VM does OS emulation.  A container makes use of linux's ABI 
continuity and uses the linux kernel running on your machine to run at 
bare metal speeds. It just uses namespaces and cgroups to make it seem 
like it's a different machine.

>     * My initial design for the file server component is to use Debian
> 11 (Bullseye) hosts using btrfs on a hardware-backed RAID array
> (presented as a single block device to Debian) for ACL and snapshot
> support. I see that Samba's VFS has support for btrfs which started me
> on this path. Is this a bad idea?
> 
>     * The network environment heavily uses ACLs for access-based
> enumeration over many discrete files and directories. Will this be a
> problem for either Samba or btrfs?
> 
> I've done several small-scale Samba4 AD installs, but not for clients
> who so heavily used ABE/ACLs so I am hoping for some feedback from
> folks who've worked with such setups.
> I've got a few months for testing and I'm sure there will be quirks to
> be ironed out, I'm just looking for experience from anyone who has
> walked some of these paths before.
> 
> Thanks!
> 