[Samba] several offices: home dirs, local resources, ...

Rowland Penny rpenny at samba.org
Tue Nov 22 14:52:35 UTC 2022

On 22/11/2022 14:20, Michael Tokarev wrote:
>> In another post, you mentioned 'unbound', are you aware that your 
>> choices for a dns server in relation to a Samba AD DC are just two ? 
>> Samba's internal dns server or the Bind9 dns server. Yes you can use a 
>> different dns server, but only as a forwarder, anything for the AD dns 
>> domain must be forwarded to an AD DC, any AD DC, they are all 
>> authoritative for the AD dns domain.
> This is a bit too broad. Samba does not require its nameservers to be
> authoritative for the zone.

Sorry, but yes they do.

> It requires (actually AD requires, as you correctly mentioned) certain
> DNS records to be present and maintained. The list of records samba
> registers in DNS is available in /var/lib/samba/private/dns_update_cache
> ((re)generated by samba_dnsupdate from ../dns_update_list). These names
> don't change with time: once put into DNS they can stay there, there's no
> need to update them. All the names listed in there are registered in our DNS.

There have been numerous others who have thought like you; they have all
had problems.
Why do you think Samba went to all the trouble of writing their own dns
server and also writing the code (along with Bind) to connect the Bind9
server to Samba AD?

> Samba only supports 2 nameservers (named and samba internal) for
> registering names *automatically*. But it is not mandatory to *use* one
> of these 2 nameservers, provided all the names are in the DNS.

Yes, it is, and you can use multiple nameservers in Bind9.

>> You also mention above 'maybe samba should not do that', well you 
>> could write that as 'maybe Active Directory should not do that'.
> I was referring to Kees's statement. Samba registers itself as a FILE
> server for a domain (with sysvol). If the file server is non-functional,
> samba should not do that; instead, another samba server (which *is* able
> to work as a file server) should take these functions.

You can use a Samba DC as a fileserver, you just have to be aware of the 
limitations, one of which is that you must set the permissions from Windows.

>> Active directory is built on three things, DNS, Kerberos and LDAP. The 
>> last two depend on the first.
> Yes. Working DNS is a must.  Here I'm 100% sure DNS works correctly. 

Not from my perspective, but you do it your way and I will stick to mine.

> Unlike with all the issues people are reporting all around the globe, I
> do know how things work and that there's no hidden movement behind my
> back which breaks stuff.
>> I have never used systemd containers, do they allow 'root' to operate 
>> exactly as if it was a full blown computer ? If they don't, then that 
>> could be your problem.
> "Exactly" is again too broad a term. For example, the root user in a
> container usually is not allowed to change the host clock or reboot the
> host.
> Which problem are you talking about, exactly?

The ability for root to have the same capabilities as if it was a 
totally separate OS.

> Inability to register the same SPN for another server?

That is an Active Directory thing; all SPNs must be unique.

> Or samba DC not working as a file server?

As I said, you can use a Samba AD DC as a fileserver; it just isn't a
good idea.

>> Have you investigated using a GPO for your profiles problem ?
> Yes. It doesn't work either, at least I can't find a way to do that.
> There are 2 problems: a) having the same "fs" name for a *local*
> fileserver, its own in every site/office, and b) having user profiles
> stored in a site-specific (not user-specific) file server. Solving a)
> will automatically solve b).
> I can't find a way to solve a) with GPO.
> An attempt to solve at least b): I can set a GPO for a client machine to
> always require user profiles to be stored on a certain server. But this
> breaks the local administrator account (in case of emergency needs),
> since it can't find this profile on the "forced" server. Or I can
> configure the profile path per-user, but it must be per-site.

Your problem isn't a Samba problem per se, it is an Active Directory
problem; you would have the same problem if you were using Windows DCs.
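The disagreement above turns on which DNS records a Samba AD DC needs and where Samba lists them (dns_update_cache, regenerated by samba_dnsupdate from dns_update_list). As an added example, not code from this thread or from Samba itself, here is a small checker that parses lines in that file's format and asks a resolver whether each record is actually answered. The domain, host names, GUID and addresses are constructed for the example, and the optional live resolver assumes the third-party dnspython package.

```python
"""Check that the DNS records a Samba AD DC expects are answered by the
nameserver clients use. Added example, not Samba's own code; assumes the
dns_update_cache line format written by samba_dnsupdate: TYPE NAME VALUE [PORT].
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set

# Constructed sample in dns_update_cache format (domain, hosts, GUID and
# addresses are invented); the per-site SRV record is the one that is
# easily forgotten when a zone is populated by hand.
SAMPLE_CACHE = """\
A dc1.samdom.example.com 192.0.2.10
SRV _ldap._tcp.samdom.example.com dc1.samdom.example.com 389
SRV _kerberos._tcp.samdom.example.com dc1.samdom.example.com 88
SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.example.com dc1.samdom.example.com 389
CNAME 0a1b2c3d-0000-1111-2222-333344445555._msdcs.samdom.example.com dc1.samdom.example.com
NS samdom.example.com dc1.samdom.example.com
"""

@dataclass(frozen=True)
class Record:
    rtype: str                  # A, AAAA, SRV, CNAME or NS
    name: str                   # owner name that must exist in DNS
    value: str                  # IP for A/AAAA, target host for SRV/CNAME/NS
    port: Optional[int] = None  # SRV only

def parse_cache(text: str) -> List[Record]:
    """Parse dns_update_cache / dns_update_list style lines into Records."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        rtype = fields[0].upper()
        if rtype == "SRV" and len(fields) == 4:
            records.append(Record(rtype, fields[1], fields[2], int(fields[3])))
        elif rtype in ("A", "AAAA", "CNAME", "NS") and len(fields) == 3:
            records.append(Record(rtype, fields[1], fields[2]))
        else:
            raise ValueError(f"unrecognised dns_update_cache line: {raw!r}")
    return records

# A resolver maps (name, rtype) to its answers, normalised as "ip" for
# A/AAAA, "host" for CNAME/NS and "host:port" for SRV.
Resolver = Callable[[str, str], Set[str]]

def _norm(host: str) -> str:
    return host.rstrip(".").lower()

def expected_answer(rec: Record) -> str:
    """Answer string find_missing() expects the resolver to return."""
    if rec.rtype == "SRV":
        return f"{_norm(rec.value)}:{rec.port}"
    return _norm(rec.value)

def find_missing(records: Iterable[Record], resolve: Resolver) -> List[Record]:
    """Return the records whose expected answer the resolver does not give."""
    missing: List[Record] = []
    for rec in records:
        answers = {a.lower() for a in resolve(rec.name, rec.rtype)}
        if expected_answer(rec) not in answers:
            missing.append(rec)
    return missing

def dnspython_resolver(name: str, rtype: str) -> Set[str]:
    """Live resolver built on the third-party dnspython package (optional)."""
    import dns.resolver  # imported here so the module works without dnspython
    answers: Set[str] = set()
    try:
        for rr in dns.resolver.resolve(name, rtype):
            if rtype == "SRV":
                answers.add(f"{_norm(rr.target.to_text())}:{rr.port}")
            elif rtype in ("CNAME", "NS"):
                answers.add(_norm(rr.target.to_text()))
            else:
                answers.add(rr.address)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        pass
    return answers

# Constructed stand-in for a hand-populated zone lacking the per-site SRV.
FAKE_ZONE = {
    ("dc1.samdom.example.com", "A"): {"192.0.2.10"},
    ("_ldap._tcp.samdom.example.com", "SRV"): {"dc1.samdom.example.com:389"},
    ("_kerberos._tcp.samdom.example.com", "SRV"): {"dc1.samdom.example.com:88"},
    ("0a1b2c3d-0000-1111-2222-333344445555._msdcs.samdom.example.com", "CNAME"):
        {"dc1.samdom.example.com"},
    ("samdom.example.com", "NS"): {"dc1.samdom.example.com"},
}

def fake_resolver(name: str, rtype: str) -> Set[str]:
    return FAKE_ZONE.get((name.lower(), rtype.upper()), set())

def demo() -> List[Record]:
    """Run the check against the constructed cache and zone."""
    return find_missing(parse_cache(SAMPLE_CACHE), fake_resolver)

if __name__ == "__main__":
    for rec in demo():
        print(f"MISSING {rec.rtype} {rec.name} -> {expected_answer(rec)}")
```

To use it on a real DC, read /var/lib/samba/private/dns_update_cache into `parse_cache()` and pass `dnspython_resolver` to `find_missing()`; anything it reports missing is a record the resolver clients use is not returning, which is exactly the case where queries for the AD domain need to reach an AD DC (directly or via a forwarder).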

