Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
Hi

On 1 February 2013 04:18, Andrew Bartlett abart...@samba.org wrote:
> On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote:
>> [...]
>> Andrew, I would like to avoid killing processes by not asking for them to start. :)
>> Regards, Dewayne.
>
> Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change.

Well, adding "server services = -s3fs, -winbind" and commenting out any share definitions seems to stop smbd from starting, but I have no idea whether or not that will break anything.

--
Michael Wood esiot...@gmail.com

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Fri, 2013-02-01 at 10:50 +0200, Michael Wood wrote:
> Hi
>
> On 1 February 2013 04:18, Andrew Bartlett abart...@samba.org wrote:
>> On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote:
>>> [...]
>>> Andrew, I would like to avoid killing processes by not asking for them to start. :)
>>> Regards, Dewayne.
>>
>> Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change.
>
> Well, adding "server services = -s3fs, -winbind" and commenting out any share definitions seems to stop smbd from starting, but I have no idea whether or not that will break anything.

Michael,

I know you are trying to address Dewayne's requirements, but please do not suggest untested combinations of server services. I say this because users tend to try out these things without understanding them, and only come back later to get us to come back and diagnose the breakage.

I will address Dewayne's specific requirements in another mail.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On 1 February 2013 13:13, Andrew Bartlett abart...@samba.org wrote:
> On Fri, 2013-02-01 at 10:50 +0200, Michael Wood wrote:
>> Hi
>>
>> On 1 February 2013 04:18, Andrew Bartlett abart...@samba.org wrote:
>>> On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote:
>>>> [...]
>>>> Andrew, I would like to avoid killing processes by not asking for them to start. :)
>>>> Regards, Dewayne.
>>>
>>> Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change.
>>
>> Well, adding "server services = -s3fs, -winbind" and commenting out any share definitions seems to stop smbd from starting, but I have no idea whether or not that will break anything.
>
> Michael,
>
> I know you are trying to address Dewayne's requirements, but please do not suggest untested combinations of server services. I say this because users tend to try out these things without understanding them, and only come back later to get us to come back and diagnose the breakage.

Fair enough.

--
Michael Wood esiot...@gmail.com
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
For your POSIX issue there could be an interesting hint: https://wiki.samba.org/index.php/Samba4/beyond

Good Luck
Daniel

---
EDV Daniel Müller
Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Dewayne
Sent: Thursday, 31 January 2013 06:55
To: samba@lists.samba.org
Subject: [Samba] Questions for minimal AD DC, DNS setup and Posix use

Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications.

Our current environment is Samba-3.6.9 PDC, BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.

My questions are:

AD DC
Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap, dns functionality remain. How can I produce a minimal AD DC:
1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?
For readers new to RODC, this is useful: http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx

DNS
DNS is required in Samba4 AD DC as explained here http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's article is informative). The internal DNS works like a dream. However the internal DNS doesn't slave to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex environment using Windows servers as members or DC's. However:
3) For Samba4 AD DC to act purely as an authentication engine, within UNIX-only servers where PCs and WinServers are effectively desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC functionality? (Or are these contradictory requirements?)
4) If we need to redesign our DNS infrastructure, is it sufficient that a dhcp server provide updates to bind9-DLZ (as a component of Samba4 AD DC)?

Posix
In a Samba3 world, I rely upon smbldap-tools (http://gna.org/projects/smbldap-tools) to manipulate user/group information, including assignment of uidNumber/gidNumber that is unique to an individual, per IT audit instruction. I would greatly appreciate guidance on how to set/use posix on Samba4. I've spent 4 hours trolling the web and mailing list searches with hints or scripts, so
5) Do I need to manually add the ldap posixAccount object to each user's ldap record, or is there an option in samba-tool user create that I haven't found? Next issue is how to manage the uidNumber/gidNumber content? {This was being worked: http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html ?}
6) Is there any mechanism that allows me to change the uid's being assigned to files that are created by Samba AD DC to being the same as pre-existing uid's used by Samba3? For example changing uid 320 to 1046, or gid 319 to 1001?

Miscellaneous
7) Will the list of smb.conf options described in samba4 source folder source4/TODO be updated to reflect what appears in testparm -vss? It's a little confusing as to which takes precedence.

With some instruction, I'd be happy to update/maintain some wiki information for others' benefit.

Regards, Dewayne.
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:
> Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications.
>
> Our current environment is Samba-3.6.9 PDC, BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.
>
> My questions are:
>
> AD DC
> Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap, dns functionality remain. How can I produce a minimal AD DC:
> 1) Do I need smbd to parse the smb.conf for samba4 to start correctly?

On the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'.

> 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?

You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice.

> For readers new to RODC, this is useful: http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx
>
> DNS
> DNS is required in Samba4 AD DC as explained here http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's article is informative). The internal DNS works like a dream. However the internal DNS doesn't slave to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex environment using Windows servers as members or DC's. However:

You can always forward to another DC, or have your complex DNS server point only a particular domain to Samba, say with a bind zone of type 'forward'.

> 3) For Samba4 AD DC to act purely as an authentication engine, within UNIX-only servers where PCs and WinServers are effectively desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC functionality? (Or are these contradictory requirements?)

No, DNS is always required, even for our internal use.

> 4) If we need to redesign our DNS infrastructure, is it sufficient that a dhcp server provide updates to bind9-DLZ (as a component of Samba4 AD DC)?

There is discussion on the list about ways to make DHCP work. I would like to make this 'just work' using the normal TSIG code for both the bind9 and the internal server, but this remains a development task for an interested developer. (Warning, some crypto required.)

> Posix
> In a Samba3 world, I rely upon smbldap-tools (http://gna.org/projects/smbldap-tools) to manipulate user/group information, including assignment of uidNumber/gidNumber that is unique to an individual, per IT audit instruction. I would greatly appreciate guidance on how to set/use posix on Samba4. I've spent 4 hours trolling the web and mailing list searches with hints or scripts, so
> 5) Do I need to manually add the ldap posixAccount object to each user's ldap record, or is there an option in samba-tool user create that I haven't found? Next issue is how to manage the uidNumber/gidNumber content? {This was being worked: http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html ?}

Yes, samba-tool is tested as being able to manage this. 4.0.3 will be a little easier in this regard; the posixAccount/posixGroup requirement has been dropped.

> 6) Is there any mechanism that allows me to change the uid's being assigned to files that are created by Samba AD DC to being the same as pre-existing uid's used by Samba3? For example changing uid 320 to 1046, or gid 319 to 1001?

Set those uid values on the LDAP directory using uidNumber and gidNumber, and set 'idmap_ldb:use rfc2307=yes'.

> Miscellaneous
> 7) Will the list of smb.conf options described in samba4 source folder source4/TODO be updated to reflect what appears in testparm -vss? It's a little confusing as to which takes precedence.

Yes, this is confusing. Even the output of testparm -v and samba-tool testparm -v do not match up, and that TODO list refers mostly to the more limited capabilities of the ntvfs file server, which is available and supported, but is not the default. We essentially need to transform these details into manpage notes.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
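Before turning on 'idmap_ldb:use rfc2307=yes' as Andrew suggests, the uidNumber/gidNumber values already in the directory can be audited against the one-ID-per-individual requirement from Dewayne's question 5. The Python below is an added example, not Samba's code or anything posted in the thread: it runs over a constructed LDIF sample (the object classes used and the 1000 to 59999 uid range are assumptions) and reports missing, duplicated, out-of-range and group-less IDs.

```python
# Added example, not Samba's own code: audit the RFC2307 attributes that
# 'idmap_ldb:use rfc2307 = yes' will make authoritative. Works over a
# constructed LDIF dump of the shape ldbsearch/samba-tool would produce.
from collections import defaultdict

# Constructed sample. alice is correct; carol has no uidNumber; dave reuses
# alice's uidNumber and points at a gidNumber no group owns; frank kept a
# low Samba-allocated uid (320) instead of one from the site's Samba3 range.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=test
objectClass: group
gidNumber: 1001

dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 1046
gidNumber: 1001

dn: CN=carol,CN=Users,DC=example,DC=test
objectClass: user
gidNumber: 1001

dn: CN=dave,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 1046
gidNumber: 319

dn: CN=frank,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 320
gidNumber: 1001
"""


def parse_ldif(text):
    """Split LDIF into {attr: [values]} dicts, one per blank-line-separated
    entry (no base64 or folded-line support, which this sample does not need)."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    return entries


def audit_rfc2307(entries, uid_range=(1000, 59999)):
    """Return sorted (dn, problem) tuples; an empty list means the dump is clean.
    uid_range is an assumed site policy, not a Samba default."""
    problems = []
    group_gids = {e["gidNumber"][0] for e in entries
                  if "group" in e.get("objectClass", []) and "gidNumber" in e}
    owners = defaultdict(list)  # uidNumber -> DNs carrying it
    for u in (e for e in entries if "user" in e.get("objectClass", [])):
        dn = u["dn"][0]
        if "uidNumber" not in u:
            problems.append((dn, "missing uidNumber"))
        else:
            uid = int(u["uidNumber"][0])
            owners[uid].append(dn)
            if not uid_range[0] <= uid <= uid_range[1]:
                problems.append((dn, "uidNumber %d outside range" % uid))
        if "gidNumber" not in u:
            problems.append((dn, "missing gidNumber"))
        elif u["gidNumber"][0] not in group_gids:
            problems.append((dn, "gidNumber %s has no group" % u["gidNumber"][0]))
    # One uidNumber per individual: flag every DN in a shared set.
    for uid, dns in owners.items():
        if len(dns) > 1:
            problems.extend((dn, "uidNumber %d shared" % uid) for dn in dns)
    return sorted(problems)
```

Run it against a real dump by replacing SAMPLE_LDIF with the output of an LDIF export of the users and groups containers; a clean result is the precondition for switching the idmap setting on without files changing owner unexpectedly.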
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
Hi

On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote:
> On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:
>> Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications.
>>
>> Our current environment is Samba-3.6.9 PDC, BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.
>>
>> My questions are:
>>
>> AD DC
>> Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap, dns functionality remain. How can I produce a minimal AD DC:
>> 1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
>
> On the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'.
>
>> 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?
>
> You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice.

I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd.

--
Michael Wood esiot...@gmail.com
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
-----Original Message-----
From: Michael Wood [mailto:esiot...@gmail.com]
Sent: Friday, 1 February 2013 12:22 AM
To: Andrew Bartlett
Cc: Dewayne; samba@lists.samba.org
Subject: Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use

Hi

On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote:
> On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:
>> Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications.
>>
>> Our current environment is Samba-3.6.9 PDC, BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.
>>
>> My questions are:
>>
>> AD DC
>> Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap, dns functionality remain. How can I produce a minimal AD DC:
>> 1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
>
> On the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'.
>
>> 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?
>
> You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice.

I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd.

--
Michael Wood esiot...@gmail.com

Thanks Michael, I am looking for an AD DC (authentication) server, which as I observe doesn't require smbd and winbindd. These will run on a separate (fileserving) server(s).

Andrew, I would like to avoid killing processes by not asking for them to start. :)

Regards, Dewayne.
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On 31/01/13 20:45, Dewayne Geraghty wrote:
> -----Original Message-----
> From: Michael Wood [mailto:esiot...@gmail.com]
> Sent: Friday, 1 February 2013 12:22 AM
> To: Andrew Bartlett
> Cc: Dewayne; samba@lists.samba.org
> Subject: Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
>
> Hi
>
> On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote:
>> On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:
>>> Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications.
>>>
>>> Our current environment is Samba-3.6.9 PDC, BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.
>>>
>>> My questions are:
>>>
>>> AD DC
>>> Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap, dns functionality remain. How can I produce a minimal AD DC:
>>> 1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
>>
>> On the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'.
>>
>>> 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?
>>
>> You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice.
>
> I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd.
>
> --
> Michael Wood esiot...@gmail.com
>
> Thanks Michael, I am looking for an AD DC (authentication) server, which as I observe doesn't require smbd and winbindd. These will run on a separate (fileserving) server(s).
>
> Andrew, I would like to avoid killing processes by not asking for them to start. :)
>
> Regards, Dewayne.

Just set up a Samba 4 AD DC and use another Linux computer running Samba 3.6.* as a fileserver. Use Samba 4 for authentication and the Samba 3 fileserver for everything else.

If you run Samba 4 as a DC, you run the samba daemon which starts the smbd daemon; you cannot stop the smbd daemon running (feel free to chime in here if I am wrong). Also winbindd is built into Samba 4, there is no separate daemon.

Rowland
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote:
> -----Original Message-----
> From: Michael Wood [mailto:esiot...@gmail.com]
> Sent: Friday, 1 February 2013 12:22 AM
> To: Andrew Bartlett
> Cc: Dewayne; samba@lists.samba.org
> Subject: Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
>
> Hi
>
> On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote:
>> On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:
>>> Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications.
>>>
>>> Our current environment is Samba-3.6.9 PDC, BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.
>>>
>>> My questions are:
>>>
>>> AD DC
>>> Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap, dns functionality remain. How can I produce a minimal AD DC:
>>> 1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
>>
>> On the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'.
>>
>>> 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?
>>
>> You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice.
>
> I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd.
>
> --
> Michael Wood esiot...@gmail.com
>
> Thanks Michael, I am looking for an AD DC (authentication) server, which as I observe doesn't require smbd and winbindd. These will run on a separate (fileserving) server(s).
>
> Andrew, I would like to avoid killing processes by not asking for them to start. :)
>
> Regards, Dewayne.

Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] Questions for minimal AD DC, DNS setup and Posix use
Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications.

Our current environment is Samba-3.6.9 PDC, BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO.

My questions are:

AD DC
Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap, dns functionality remain. How can I produce a minimal AD DC:
1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?
For readers new to RODC, this is useful: http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx

DNS
DNS is required in Samba4 AD DC as explained here http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's article is informative). The internal DNS works like a dream. However the internal DNS doesn't slave to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex environment using Windows servers as members or DC's. However:
3) For Samba4 AD DC to act purely as an authentication engine, within UNIX-only servers where PCs and WinServers are effectively desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC functionality? (Or are these contradictory requirements?)
4) If we need to redesign our DNS infrastructure, is it sufficient that a dhcp server provide updates to bind9-DLZ (as a component of Samba4 AD DC)?

Posix
In a Samba3 world, I rely upon smbldap-tools (http://gna.org/projects/smbldap-tools) to manipulate user/group information, including assignment of uidNumber/gidNumber that is unique to an individual, per IT audit instruction. I would greatly appreciate guidance on how to set/use posix on Samba4. I've spent 4 hours trolling the web and mailing list searches with hints or scripts, so
5) Do I need to manually add the ldap posixAccount object to each user's ldap record, or is there an option in samba-tool user create that I haven't found? Next issue is how to manage the uidNumber/gidNumber content? {This was being worked: http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html ?}
6) Is there any mechanism that allows me to change the uid's being assigned to files that are created by Samba AD DC to being the same as pre-existing uid's used by Samba3? For example changing uid 320 to 1046, or gid 319 to 1001?

Miscellaneous
7) Will the list of smb.conf options described in samba4 source folder source4/TODO be updated to reflect what appears in testparm -vss? It's a little confusing as to which takes precedence.

With some instruction, I'd be happy to update/maintain some wiki information for others' benefit.

Regards, Dewayne.