Our plan is to have one AD DC running in Head Office, RODCs at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC, BDCs & fileshares; openldap stores the samba and posix data and acts as the heimdal backend - for SSO.

My questions are:

AD DC
Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap & dns functionality remains. How can I produce a minimal AD DC?

1) Do I need smbd to parse the smb.conf for samba4 to start correctly?

2) If not, is there a better way than "kill -9" to achieve the result of samba4 without smbd and winbindd?

For readers new to RODC, this is useful: 
http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx


DNS
DNS is required in Samba4 AD DC as explained here: http://blog.tridgell.net/?p=122 (coming from a samba3 background, Tridge's article is informative).

The internal DNS works like a dream. However, the internal DNS doesn't slave to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex environment using Windows servers as members or DCs. However:

3) For Samba4 AD DC to act purely as an authentication engine, within UNIX-only servers where PCs and WinServers are effectively desktops for users, can I use --dns-backend=NONE without loss of DRS or RODC functionality? (Or are these contradictory requirements?)

4) If we need to redesign our DNS infrastructure, is it sufficient that a DHCP server provides updates to bind9-DLZ (as a component of Samba4 AD DC)?


Posix
In a Samba3 world, I rely upon smbldap-tools (http://gna.org/projects/smbldap-tools) to manipulate user/group information, including assignment of a uidNumber/gidNumber that is unique to an individual, per IT audit instruction.

I would greatly appreciate guidance on how to set/use posix on Samba4. I've spent 4 hours trawling the web and mailing list searches for hints or scripts, so:

5) Do I need to manually add the ldap posixAccount object to each user's ldap record, or is there an option in samba-tool user create that I haven't found? The next issue is how to manage the uidNumber/gidNumber content.
{This was being worked on: http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html ?}

6) Is there any mechanism that allows me to change the uids being assigned to files that are created by Samba AD DC to be the same as the pre-existing uids used by Samba3? For example, changing uid 3000020 to 1046, or gid 3000019 to 1001?


Miscellaneous

7) Will the list of smb.conf options described in the samba4 source folder source4/TODO be updated to reflect what appears in "testparm -vss"? It's a little confusing as to which takes precedence.

With some instruction, I'd be happy to update/maintain some wiki information for others' benefit.

Regards, Dewayne.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

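One way to do the bookkeeping behind questions 5 and 6, as an added example that is not code from the post or from the Samba project: it parses the uidNumber values an ldbsearch/ldapsearch query returns, reports duplicates for the audit, picks the next free number (or accepts a legacy Samba3 one such as 1046) and emits an LDIF modify that can be applied with ldbmodify. The DNs, paths and the search output are constructed sample data; the attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) are the RFC2307 names the AD schema uses.

```python
"""Added example (not from the post or the Samba project): audit the RFC2307
numbers already allocated in a Samba AD directory and build an LDIF 'modify'
that gives an existing user its POSIX attributes.  Apply the output with e.g.
    ldbmodify -H /var/lib/samba/private/sam.ldb user.ldif
DNs, paths and the search output below are constructed sample data."""

import base64

# Constructed sample output, standing in for
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber
# (carol deliberately duplicates bob's uidNumber so the audit finds something).
SAMPLE_UID_SEARCH = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 1000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 1001

# record 3
dn: CN=carol,CN=Users,DC=example,DC=com
uidNumber: 1001

# returned 3 records
"""


def parse_allocations(search_output, attr="uidNumber"):
    """Map each dn in ldbsearch/ldapsearch output to its numeric attr value."""
    alloc = {}
    dn = None
    prefix = attr + ": "
    for line in search_output.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif dn is not None and line.startswith(prefix):
            alloc[dn] = int(line[len(prefix):])
    return alloc


def duplicates(alloc):
    """Numbers held by more than one entry -> {number: [dn, ...]}."""
    by_number = {}
    for dn, number in alloc.items():
        by_number.setdefault(number, []).append(dn)
    return {n: sorted(dns) for n, dns in by_number.items() if len(dns) > 1}


def next_free(used, low=1000, high=59999):
    """Lowest unused number in [low, high]; raises when the range is exhausted."""
    for n in range(low, high + 1):
        if n not in used:
            return n
    raise ValueError("no free number in %d-%d" % (low, high))


def _ldif_attr_line(attr, value):
    """One attribute line; LDIF requires '::' plus base64 for values that are
    non-ASCII, contain CR/LF/NUL, or start with space, ':' or '<'."""
    raw = value.encode("utf-8")
    safe = (all(b < 128 for b in raw)
            and not any(c in raw for c in (b"\r", b"\n", b"\0"))
            and raw[:1] not in (b" ", b":", b"<"))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))


def posix_modify_ldif(dn, uid_number, gid_number, unix_home, login_shell,
                      used_uids, known_gids, gecos=None, add_posix_class=False):
    """LDIF modify entry giving an AD user RFC2307 attributes.

    Refuses a uidNumber that is already allocated and a gidNumber that no
    group carries: the uniqueness check the post's audit instruction asks for.
    """
    if uid_number in used_uids:
        raise ValueError("uidNumber %d is already allocated" % uid_number)
    if gid_number not in known_gids:
        raise ValueError("gidNumber %d matches no group" % gid_number)
    lines = ["dn: " + dn, "changetype: modify"]
    if add_posix_class:
        # posixAccount is an auxiliary class in the schema Samba ships; the
        # attributes below are also permitted directly on 'user', so adding
        # the class is optional and only for tooling that expects it.
        lines += ["add: objectClass", "objectClass: posixAccount", "-"]
    attrs = [
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        # AD's attribute for the UNIX home; 'homeDirectory' is the Windows one.
        ("unixHomeDirectory", unix_home),
        ("loginShell", login_shell),
    ]
    if gecos is not None:
        attrs.append(("gecos", gecos))
    for attr, value in attrs:
        # 'replace' creates the attribute when absent and overwrites it when
        # present, so the same LDIF serves new and already-POSIX users.
        lines += ["replace: " + attr, _ldif_attr_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    alloc = parse_allocations(SAMPLE_UID_SEARCH)
    print("duplicate uidNumbers:", duplicates(alloc))
    used = set(alloc.values())
    print(posix_modify_ldif("CN=dave,CN=Users,DC=example,DC=com",
                            next_free(used), 1000, "/home/dave", "/bin/bash",
                            used, {1000}, gecos="Dave Example"))
```

For question 6, the thread linked in the post concerns the smb.conf setting `idmap_ldb:use rfc2307 = yes` on each DC, which makes the DC use the uidNumber/gidNumber stored in AD instead of the 3000000-range IDs it allocates in idmap.ldb; writing the old Samba3 values (1046, 1001) into those attributes, as the LDIF above does, is the migration step. Newer samba-tool versions also accept --uid-number, --gid-number, --unix-home and --login-shell (with --nis-domain) on `user create` (check `samba-tool user create --help` for the version in use), which covers new users; the LDIF route is still handy for existing ones.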