[Samba] several offices: home dirs, local resources, ...
Kees van Vloten
keesvanvloten at gmail.com
Tue Nov 22 16:41:21 UTC 2022
On 22-11-2022 17:07, Michael Tokarev via samba wrote:
> 22.11.2022 17:52, Rowland Penny via samba wrote:
>>
>>
>> On 22/11/2022 14:20, Michael Tokarev wrote:
>>>>>>
>>>>
>>>> In another post, you mentioned 'unbound', are you aware that your
>>>> choices for a dns server in relation to a Samba AD DC are just two
>>>> ? Samba's internal dns server or the Bind9 dns server. Yes you can
>>>> use a different dns server, but only as a forwarder, anything for
>>>> the AD dns domain must be forwarded to an AD DC, any AD DC, they
>>>> are all authoritative for the AD dns domain.
>>>
>>> This is a bit too broad. Samba does not require its nameservers to
>>> be autoritative
>>> for the zone.
>>
>> Sorry, but yes they do.
>
> Even microsoft does not have this requiriment, - that dns must be hosted
> by the AD. And they allow static DNS configuration too (without dynamic
> DNS updates), as far as I can see.
>
> Where this requirement comes from?
>
>>> It requires (actually AD requires as you correctly
>>> mentioned) certain
>>> DNS records to be present and maintained. The list of records samba
>>> register in
>>> DNS is available in /var/lib/samba/private/dns_update_cache
>>> ((re)generated by
>>> samba_dnsupdate from ../dns_update_list). These names don't change
>>> with time, -
>>> once put into DNS they can stay there, there's no need to update them.
>>>
>>> All the names listed in there are registered in our DNS.
>>
>> There have been numerous others that have thought like yourself, they
>> have all had problems.
>
> I don't know that. And I'm asking for particular reasons, just like with
> using DC as a file server, -- only after countless attempts to ask why
> this is so, Kees van Vloten finally gave some light there: the fileserver
> operations in source4 is not implemented completely. But it took several
> dozens of emails and questions, before such a simple answer has been
> given.
>
>> Why do you think Samba went to all the trouble of writing their own
>> dns server and also writing the code (along with Bind) to connect the
>> Bind9 server to Samba AD ?
>
> Because for many people adding dns records required for AD is difficult,
> it is much better for small setups if things can work out of the box.
>
>>> Samba only support 2 nameservers (named and samba internal) for
>>> registering names
>>> *automatically*. But it is not mandatory to *use* one of these 2
>>> nameservers,
>>> provided all the names are in the DNS.
>>
>> Yes it is and you can use multiple nameservers in bind9
>
> Yes it is what?
>
> Once data is in Bind or in Samba internal DNS, it can be fetched from
> there
> and managed by other nameservers. Or is this data so specific to samba
> that no other standard DNS servers can handle it? If so, what is the
> problem,
> what is so non-standard in that data which makes it unsuitable for other
> nameservers?
The DNS records live in AD, to be more exact in LDAP and hence they are
replicated to the other DCs.
There are just to frontend interfaces for that Samba-internal and Bind
with DLZ.
You can manage it with the MS-tools for AD or with samba-tool dns, both
will push the records into LDAP
>
>>>> You also mention above 'maybe samba should not do that', well you
>>>> could write that as 'maybe Active Directory should not do that'.
>>>
>>> I was referring to Kees's statement. Samba registers itself as a
>>> FILE server for
>>> a domain (with sysvol). If the file server is non-functional, samba
>>> should not do
>>> that, instead, another samba server (which *is* able to work as a
>>> file server)
>>> should take these functions.
>>
>> You can use a Samba DC as a fileserver, you just have to be aware of
>> the limitations, one of which is that you must set the permissions
>> from Windows.
>
> Which permissions I have to set for a read-only DFS-root share which
> serves
> only 2 folder referrals? Why it works out of the box without setting any
> permissions, what I'm doing wrong?
>
>>>> Active directory is built on three things, DNS, Kerberos and LDAP.
>>>> The last two depend on the first.
>>>
>>> Yes. Working DNS is a must. Here I'm 100% sure DNS works correctly.
>>
>> Not from my perspective, but you do it your way and I will stick to
>> mine.
>
> What do you think I'm missing? I even dumped the content of the internal
> samba dns server, - it matches exactly the stuff which I've added
> manually.
> Which other magic non-standard entries are there which I don't see and
> which cause other nameservers to be unable to serve this zone? Please
> tell me, I'm confused, I really am.
>
>>> Unlike with all
>>> the issues people reporting all around the globe, - I do know how
>>> things work and
>>> that there's no hidden movement behind my back which breaks stuff.
>>>
>>>> I have never used systemd containers, do they allow 'root' to
>>>> operate exactly as if it was a full blown computer ? If they don't,
>>>> then that could be your problem.
>>>
>>> "Exactly" is again a too broad term. For example, root user in a
>>> container usually is
>>> not allowed to change host clock or reboot host.
>>>
>>> Which problem you're talking about, exactly?
>>
>> The ability for root to have the same capabilities as if it was a
>> totally separate OS.
>
> This is never the case in any container, including lxc and anything
> else. Root in
> a container can have a set of necessary privileges (eg, full control
> over container-
> specific network stack) but not all which is available on the host. I
> highly doubt
> samba uses every capability a regular root on the host has, - it does
> not use lots
> of syscalls for which their own special capabilities are needed.
>
> But still, which _problem_ you're talking about? You said:
>
> I have never used systemd containers, do they allow 'root' to operate
> exactly
> as if it was a full blown computer ? If they don't, then that could
> be your problem.
>
> I don't see any problem with running samba in a container. All
> problems I see is
> due to lack of information about samba which I ask again and again and
> again from
> different angles but still unable to get.
>
>>> Inability to register the same SPN for
>>> another server?
>>
>> That is an Active directory thing, all SPN's must be unique.
>>
>>> Or samba DC not working as a file server?
>>
>> As I said, you can use A Samba AD DC as a fileserver, it just isn't a
>> good idea.
>
> In this case why samba4 uses iself as a file server? Where is the
> logic, if it
> is not a good idea, it should delegate its sysvol thing to something
> which
> *is* good as a fileserver, no?
>
>>>> Have you investigated using a GPO for your profiles problem ?
>>>
>>> Yes. It doesn't work either, at least I can't find a way to do that.
>>>
>>> There are 2 problems: a) having the same "fs" name for a *local*
>>> fileserver, its own
>>> in every site/office. and b) having user profiles stored in a
>>> site-specific (not
>>> user-specific) file server. Solving a) will automatically solve b).
>>>
>>> I can't find a way to solve a) with GPO.
>>>
>>> Attempt to solve at least b): I can set GPO for a client machine to
>>> always require
>>> user profiles to be stored on a certain server. But this breaks
>>> local adminsitrator
>>> account (in case of emergency needs) - since it can't find this
>>> profile on the
>>> "forced" server. Or I can configure profile path per-user - but it
>>> must be per-site.
>>
>> Your problem isn't a Samba problem per se, it is an Active Directory
>> problem, you would have the same problem if you were using Windows DC's.
>
> Sure. And I'm trying to solve it somehow. If it were samba's internal
> DNS (or windows dns for that matter) it were unsolvable. Now I do have
> a working solution finally, it seems, - with site-specific CNAME records
> overriding commonly-used names like "fs", - it finally appears to work.
>
> But I still really wish to understand:
>
> 1. which magic invisible DNS records are there which are required by
> Samba which
> I can't see in its internal DNS, and
>
> 2. why samba4 offers SYSVOL *file* share when using it as a file
> server is not
> a good idea, why not use reglar non-dc samba server for it?
>
> 3. what problem we're talking about?
>
> Thanks,
>
> /mjt
>
More information about the samba
mailing list