[Samba] several offices: home dirs, local resources, ...

Kees van Vloten keesvanvloten at gmail.com
Tue Nov 22 16:46:16 UTC 2022

On 22-11-2022 17:07, Michael Tokarev via samba wrote:
> 22.11.2022 17:52, Rowland Penny via samba wrote:
>> On 22/11/2022 14:20, Michael Tokarev wrote:
>>>> In another post, you mentioned 'unbound', are you aware that your 
>>>> choices for a dns server in relation to a Samba AD DC are just two 
>>>> ? Samba's internal dns server or the Bind9 dns server. Yes you can 
>>>> use a different dns server, but only as a forwarder, anything for 
>>>> the AD dns domain must be forwarded to an AD DC, any AD DC, they 
>>>> are all authoritative for the AD dns domain.
>>> This is a bit too broad. Samba does not require its nameservers to 
>>> be autoritative
>>> for the zone.
>> Sorry, but yes they do.
> Even microsoft does not have this requiriment, - that dns must be hosted
> by the AD.  And they allow static DNS configuration too (without dynamic
> DNS updates), as far as I can see.
> Where this requirement comes from?
>>>   It requires (actually AD requires as you correctly
>>> mentioned) certain
>>> DNS records to be present and maintained.  The list of records samba 
>>> register in
>>> DNS is available in /var/lib/samba/private/dns_update_cache 
>>> ((re)generated by
>>> samba_dnsupdate from ../dns_update_list).  These names don't change 
>>> with time, -
>>> once put into DNS they can stay there, there's no need to update them.
>>> All the names listed in there are registered in our DNS.
>> There have been numerous others that have thought like yourself, they 
>> have all had problems.
> I don't know that. And I'm asking for particular reasons, just like with
> using DC as a file server, -- only after countless attempts to ask why
> this is so, Kees van Vloten finally gave some light there: the fileserver
> operations in source4 is not implemented completely.  But it took several
> dozens of emails and questions, before such a simple answer has been 
> given.
>> Why do you think Samba went to all the trouble of writing their own 
>> dns server and also writing the code (along with Bind) to connect the 
>> Bind9 server to Samba AD ?
> Because for many people adding dns records required for AD is difficult,
> it is much better for small setups if things can work out of the box.
>>> Samba only support 2 nameservers (named and samba internal) for 
>>> registering names
>>> *automatically*. But it is not mandatory to *use* one of these 2 
>>> nameservers,
>>> provided all the names are in the DNS.
>> Yes it is and you can use multiple nameservers in bind9
> Yes it is what?
> Once data is in Bind or in Samba internal DNS, it can be fetched from 
> there
> and managed by other nameservers. Or is this data so specific to samba
> that no other standard DNS servers can handle it? If so, what is the 
> problem,
> what is so non-standard in that data which makes it unsuitable for other
> nameservers?
>>>> You also mention above 'maybe samba should not do that', well you 
>>>> could write that as 'maybe Active Directory should not do that'.
>>> I was referring to Kees's statement.  Samba registers itself as a 
>>> FILE server for
>>> a domain (with sysvol).  If the file server is non-functional, samba 
>>> should not do
>>> that, instead, another samba server (which *is* able to work as a 
>>> file server)
>>> should take these functions.
>> You can use a Samba DC as a fileserver, you just have to be aware of 
>> the limitations, one of which is that you must set the permissions 
>> from Windows.
> Which permissions I have to set for a read-only DFS-root share which 
> serves
> only 2 folder referrals?  Why it works out of the box without setting any
> permissions, what I'm doing wrong?
>>>> Active directory is built on three things, DNS, Kerberos and LDAP. 
>>>> The last two depend on the first.
>>> Yes. Working DNS is a must.  Here I'm 100% sure DNS works correctly. 
>> Not from my perspective, but you do it your way and I will stick to 
>> mine.
> What do you think I'm missing?  I even dumped the content of the internal
> samba dns server, - it matches exactly the stuff which I've added 
> manually.
> Which other magic non-standard entries are there which I don't see and
> which cause other nameservers to be unable to serve this zone? Please
> tell me, I'm confused, I really am.
>>> Unlike with all
>>> the issues people reporting all around the globe, - I do know how 
>>> things work and
>>> that there's no hidden movement behind my back which breaks stuff.
>>>> I have never used systemd containers, do they allow 'root' to 
>>>> operate exactly as if it was a full blown computer ? If they don't, 
>>>> then that could be your problem.
>>> "Exactly" is again a too broad term. For example, root user in a 
>>> container usually is
>>> not allowed to change host clock or reboot host.
>>> Which problem you're talking about, exactly? 
>> The ability for root to have the same capabilities as if it was a 
>> totally separate OS.
> This is never the case in any container, including lxc and anything 
> else. Root in
> a container can have a set of necessary privileges (eg, full control 
> over container-
> specific network stack) but not all which is available on the host. I 
> highly doubt
> samba uses every capability a regular root on the host has, - it does 
> not use lots
> of syscalls for which their own special capabilities are needed.
> But still, which _problem_ you're talking about?  You said:
>  I have never used systemd containers, do they allow 'root' to operate 
> exactly
>  as if it was a full blown computer ? If they don't, then that could 
> be your problem.
> I don't see any problem with running samba in a container.  All 
> problems I see is
> due to lack of information about samba which I ask again and again and 
> again from
> different angles but still unable to get.
>>> Inability to register the same SPN for
>>> another server? 
>> That is an Active directory thing, all SPN's must be unique.
>>> Or samba DC not working as a file server?
>> As I said, you can use A Samba AD DC as a fileserver, it just isn't a 
>> good idea.
> In this case why samba4 uses iself as a file server? Where is the 
> logic, if it
> is not a good idea, it should delegate its sysvol thing to something 
> which
> *is* good as a fileserver, no?
>>>> Have you investigated using a GPO for your profiles problem ?
>>> Yes. It doesn't work either, at least I can't find a way to do that.
>>> There are 2 problems: a) having the same "fs" name for a *local* 
>>> fileserver, its own
>>> in every site/office.  and b) having user profiles stored in a 
>>> site-specific (not
>>> user-specific) file server. Solving a) will automatically solve b).
>>> I can't find a way to solve a) with GPO.
>>> Attempt to solve at least b): I can set GPO for a client machine to 
>>> always require
>>> user profiles to be stored on a certain server. But this breaks 
>>> local adminsitrator
>>> account (in case of emergency needs) - since it can't find this 
>>> profile on the
>>> "forced" server.  Or I can configure profile path per-user - but it 
>>> must be per-site.
>> Your problem isn't a Samba problem per se, it is an Active Directory 
>> problem, you would have the same problem if you were using Windows DC's.
> Sure. And I'm trying to solve it somehow.  If it were samba's internal
> DNS (or windows dns for that matter) it were unsolvable.  Now I do have
> a working solution finally, it seems, - with site-specific CNAME records
> overriding commonly-used names like "fs", - it finally appears to work.
> But I still really wish to understand:
> 1. which magic invisible DNS records are there which are required by 
> Samba which
>   I can't see in its internal DNS, and
> 2. why samba4 offers SYSVOL *file* share when using it as a file 
> server is not
>  a good idea, why not use reglar non-dc samba server for it?

SYSVOL is a special share which must be on the DC (and so is the 
netlogon share). You should take care of replications of the files 
yourself, the DC replication does not handle. The wiki describes 
multiple solutions to get it done (I am using the osync method with 
works well for my situation). Permissions on the SYSVOL share are very 
critical, if not exactly right Windows will not be able to pick up GPOs 
properly for example.

samba-tool can reset the permissions in case they got messed up.

> 3. what problem we're talking about?
> Thanks,
> /mjt

More information about the samba mailing list