Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
Hi On 1 February 2013 04:18, Andrew Bartlett abart...@samba.org wrote: On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote: [...] Andrew, I would like to avoid killing processes by not asking for them to start. :) Regards, Dewayne. Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change. Well, adding server services = -s3fs, -winbind and commenting out any share definitions seems to stop smbd from starting, but I have no idea whether or not that will break anything. -- Michael Wood esiot...@gmail.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Fri, 2013-02-01 at 10:50 +0200, Michael Wood wrote: Hi On 1 February 2013 04:18, Andrew Bartlett abart...@samba.org wrote: On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote: [...] Andrew, I would like to avoid killing processes by not asking for them to start. :) Regards, Dewayne. Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change. Well, adding server services = -s3fs, -winbind and commenting out any share definitions seems to stop smbd from starting, but I have no idea whether or not that will break anything. Michael, I know you are trying to address Dewayne's requirements, but please do not suggest untested combinations of server services. I say this because users tend to try out these things without understanding them, and only come back later to get us to come back and diagnose the breakage. I will address Dewayne's specific requirements in another mail. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On 1 February 2013 13:13, Andrew Bartlett abart...@samba.org wrote: On Fri, 2013-02-01 at 10:50 +0200, Michael Wood wrote: Hi On 1 February 2013 04:18, Andrew Bartlett abart...@samba.org wrote: On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote: [...] Andrew, I would like to avoid killing processes by not asking for them to start. :) Regards, Dewayne. Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change. Well, adding server services = -s3fs, -winbind and commenting out any share definitions seems to stop smbd from starting, but I have no idea whether or not that will break anything. Michael, I know you are trying to address Dewayne's requirements, but please do not suggest untested combinations of server services. I say this because users tend to try out these things without understanding them, and only come back later to get us to come back and diagnose the breakage. Fair enough. -- Michael Wood esiot...@gmail.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
For your POSIX issue there could be an interesting hint:
https://wiki.samba.org/index.php/Samba4/beyond
Good Luck
Daniel
---
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Ursprüngliche Nachricht-
Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im
Auftrag von Dewayne
Gesendet: Donnerstag, 31. Januar 2013 06:55
An: samba@lists.samba.org
Betreff: [Samba] Questions for minimal AD DC, DNS setup and Posix use
Our plan is to have one AD DC running in Head Office, RODC's at Branches and
a second writeable DC at a contingency site. Fileshares will run on separate
servers. The Windows 2003/2008 Servers use authentication services from
samba4 and run applications. Our current environment is Samba-3.6.9
PDC,BDCs fileshares, openldap stores samba, posix and acts as heimdal
backend - for SSO.
My questions are:
AD DC
Are smbd and winbindd necessary on the AD DC. I would prefer to start samba
with only what it needs to function. When I kill the smbd and winbindd
processes, the kerberos, ldap dns functionality remain. How can I produce
a minimal AD DC:
1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
2) If not, is there a better way than kill -9 to achieve the result of
samba4 without smbd, winbindd?
For readers new to RODC, this is useful:
http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx
DNS
DNS is required in Samba4 AD DC as explained here
http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's
article is informative).
The internal DNS works like a dream. However the internal DNS doesn't slave
to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex
environment using Windows servers as members or DC's. However:
3) For Samba4 AD DC to act purely as an authentication engine, within a UNIX
only servers where PCs and WinServers are effectively desktops for users;
can I use --dns-backend=NONE without loss of DRS or RODC functionality. (Or
are these contradictory requirements).
4) If we need to redesign our DNS infrastructure, is it sufficient that a
dhcp server, provide updates to bind9-DLZ (as a component of Samba4 AD DC)?
Posix
In a Samba3 world, I rely upon smbldap-tools
(http://gna.org/projects/smbldap-tools) to manipulate user/group
information, including assignment of uidNumber/gidNumber that is unique to
an individual, per IT audit instruction.
I would greatly appreciate guidance on how to set/use posix on Samba4. I've
spent 4 hours trolling the web and mailing list searches with hints or
scripts, so
5) Do I need to manually add the ldap posixAccount object to each users'
ldap record, or is there an option in samba-tool user create that I haven't
found? Next issue is how to manage as the uidNumber/gidNumber content?
{This was being worked:
http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-D
Cs-td4637386.html ?}
6) Is there any mechanism that allows me to change the uid's being assigned
to files that are created by Samba AD DC to being the same as pre-existing
uid's used by Samba3. For example changing uid 320 to 1046, or gid
319 to 1001?
Miscellaineous
7) Will the list of smb.conf options described in samba4 source folder
source4/TODO be updated to reflect what appears in testparm -vss? It's a
little confusing as to which takes precedence?
With some instruction, I'd be happy to update/maintain some wiki information
for others' benefit.
Regards, Dewayne.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:
Our plan is to have one AD DC running in Head Office, RODC's at Branches and
a second writeable DC at a contingency site. Fileshares
will run on separate servers. The Windows 2003/2008 Servers use
authentication services from samba4 and run applications. Our
current environment is Samba-3.6.9 PDC,BDCs fileshares, openldap stores
samba, posix and acts as heimdal backend - for SSO.
My questions are:
AD DC
Are smbd and winbindd necessary on the AD DC. I would prefer to start samba
with only what it needs to function. When I kill the
smbd and winbindd processes, the kerberos, ldap dns functionality remain.
How can I produce a minimal AD DC:
1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
on the AD DC, you start only 'samba'. We may start other binaries or
provide services via plugins, but you only have to start 'samba'.
2) If not, is there a better way than kill -9 to achieve the result of
samba4 without smbd, winbindd?
You should just kill the parent 'samba' process and any child processes
will notice this and go away. As you know, in general don't generally
kill -9 stuff, as something may be in progress. I think tdb is safe for
kill -9 these days, but it has always been best not to do this as a
first choice.
For readers new to RODC, this is useful:
http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx
DNS
DNS is required in Samba4 AD DC as explained here
http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's
article
is informative).
The internal DNS works like a dream. However the internal DNS doesn't slave
to a master DNS, so --dns-backend=BIND9_DLZ is the best
option for a complex environment using Windows servers as members or DC's.
However:
You can always forward to another DC, or have your complex DNS server
point only a particular domain to Samba, say with a bind zone of type
'forward'.
3) For Samba4 AD DC to act purely as an authentication engine, within a UNIX
only servers where PCs and WinServers are effectively
desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC
functionality. (Or are these contradictory
requirements).
No, DNS is always required, even for our internal use.
4) If we need to redesign our DNS infrastructure, is it sufficient that a
dhcp server, provide updates to bind9-DLZ (as a component
of Samba4 AD DC)?
There is discussion on the list about ways to make DHCP work. I would
like to make this 'just work' using the normal TSIG code for both the
bind9 and the internal server, but this remains a development task for
an interested developer. (Warning, some crypto required).
Posix
In a Samba3 world, I rely upon smbldap-tools
(http://gna.org/projects/smbldap-tools) to manipulate user/group information,
including assignment of uidNumber/gidNumber that is unique to an individual,
per IT audit instruction.
I would greatly appreciate guidance on how to set/use posix on Samba4. I've
spent 4 hours trolling the web and mailing list
searches with hints or scripts, so
5) Do I need to manually add the ldap posixAccount object to each users' ldap
record, or is there an option in samba-tool user
create that I haven't found? Next issue is how to manage as the
uidNumber/gidNumber content?
{This was being worked:
http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html
?}
Yes, samba-tool is tested as being able to manage this. 4.0.3 will be a
little easier in this regard, the posixAccount/posixGroup requirement
has been dropped.
6) Is there any mechanism that allows me to change the uid's being assigned
to files that are created by Samba AD DC to being the
same as pre-existing uid's used by Samba3. For example changing uid 320
to 1046, or gid 319 to 1001?
Set those uid values on the LDAP directory using uidNumber and
gidNumber, and set 'idmap_ldb:use rfc2307=yes'.
Miscellaineous
7) Will the list of smb.conf options described in samba4 source folder
source4/TODO be updated to reflect what appears in testparm
-vss? It's a little confusing as to which takes precedence?
Yes, this is confusing. Even the output of testparm -v and samba-tool
testparm -v do not match up, and that TODO list refers mostly to the
more limited capabilities of the ntvfs file server, which is available
and supported, but is not the default. We essentially need to transform
these details into manpage notes.
Andrew Bartlett
--
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
Hi On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote: On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote: Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC,BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO. My questions are: AD DC Are smbd and winbindd necessary on the AD DC. I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap dns functionality remain. How can I produce a minimal AD DC: 1) Do I need smbd to parse the smb.conf for samba4 to start correctly? on the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'. 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd? You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't generally kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice. I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd. -- Michael Wood esiot...@gmail.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
-Original Message- From: Michael Wood [mailto:esiot...@gmail.com] Sent: Friday, 1 February 2013 12:22 AM To: Andrew Bartlett Cc: Dewayne; samba@lists.samba.org Subject: Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use Hi On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote: On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote: Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC,BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO. My questions are: AD DC Are smbd and winbindd necessary on the AD DC. I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap dns functionality remain. How can I produce a minimal AD DC: 1) Do I need smbd to parse the smb.conf for samba4 to start correctly? on the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'. 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd? You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't generally kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice. I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd. -- Michael Wood esiot...@gmail.com Thanks Michael, I am looking for an AD DC (authentication) server, which as I observe doesn't require smbd and winbindd. These will run on a separate (fileserving) server(s). Andrew, I would like to avoid killing processes by not asking for them to start. :) Regards, Dewayne. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On 31/01/13 20:45, Dewayne Geraghty wrote: -Original Message- From: Michael Wood [mailto:esiot...@gmail.com] Sent: Friday, 1 February 2013 12:22 AM To: Andrew Bartlett Cc: Dewayne; samba@lists.samba.org Subject: Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use Hi On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote: On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote: Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC,BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO. My questions are: AD DC Are smbd and winbindd necessary on the AD DC. I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap dns functionality remain. How can I produce a minimal AD DC: 1) Do I need smbd to parse the smb.conf for samba4 to start correctly? on the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'. 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd? You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't generally kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice. I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd. -- Michael Wood esiot...@gmail.com Thanks Michael, I am looking for an AD DC (authentication) server, which as I observe doesn't require smbd and winbindd. These will run on a separate (fileserving) server(s). Andrew, I would like to avoid killing processes by not asking for them to start. :) Regards, Dewayne. Just setup a Samba 4 AD DC and use another Linux computer running Samba 3.6.* as a fileserver. Use Samba 4 for authentication and the Samba 3 fileserver for everything else. If you run Samba 4 as a DC, you run the samba daemon which starts the smbd daemon, you cannot stop the smbd daemon running ( feel free to chime in here if I am wrong), also winbindd is built into Samba 4, there is no separate Daemon. Rowland -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
On Fri, 2013-02-01 at 07:45 +1100, Dewayne Geraghty wrote: -Original Message- From: Michael Wood [mailto:esiot...@gmail.com] Sent: Friday, 1 February 2013 12:22 AM To: Andrew Bartlett Cc: Dewayne; samba@lists.samba.org Subject: Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use Hi On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote: On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote: Our plan is to have one AD DC running in Head Office, RODC's at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC,BDCs fileshares, openldap stores samba, posix and acts as heimdal backend - for SSO. My questions are: AD DC Are smbd and winbindd necessary on the AD DC. I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap dns functionality remain. How can I produce a minimal AD DC: 1) Do I need smbd to parse the smb.conf for samba4 to start correctly? on the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'. 2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd? You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't generally kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice. I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd. -- Michael Wood esiot...@gmail.com Thanks Michael, I am looking for an AD DC (authentication) server, which as I observe doesn't require smbd and winbindd. These will run on a separate (fileserving) server(s). Andrew, I would like to avoid killing processes by not asking for them to start. :) Regards, Dewayne. Just start and stop 'samba' and ignore any other processes it may create as children, no matter what they may be named now and in the future. Currently those child processes are called 'samba' and 'smbd', but that may change. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Questions for minimal AD DC, DNS setup and Posix use
Our plan is to have one AD DC running in Head Office, RODC's at Branches and a
second writeable DC at a contingency site. Fileshares
will run on separate servers. The Windows 2003/2008 Servers use authentication
services from samba4 and run applications. Our
current environment is Samba-3.6.9 PDC,BDCs fileshares, openldap stores
samba, posix and acts as heimdal backend - for SSO.
My questions are:
AD DC
Are smbd and winbindd necessary on the AD DC. I would prefer to start samba
with only what it needs to function. When I kill the
smbd and winbindd processes, the kerberos, ldap dns functionality remain. How
can I produce a minimal AD DC:
1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
2) If not, is there a better way than kill -9 to achieve the result of samba4
without smbd, winbindd?
For readers new to RODC, this is useful:
http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx
DNS
DNS is required in Samba4 AD DC as explained here
http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's
article
is informative).
The internal DNS works like a dream. However the internal DNS doesn't slave to
a master DNS, so --dns-backend=BIND9_DLZ is the best
option for a complex environment using Windows servers as members or DC's.
However:
3) For Samba4 AD DC to act purely as an authentication engine, within a UNIX
only servers where PCs and WinServers are effectively
desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC
functionality. (Or are these contradictory
requirements).
4) If we need to redesign our DNS infrastructure, is it sufficient that a dhcp
server, provide updates to bind9-DLZ (as a component
of Samba4 AD DC)?
Posix
In a Samba3 world, I rely upon smbldap-tools
(http://gna.org/projects/smbldap-tools) to manipulate user/group information,
including assignment of uidNumber/gidNumber that is unique to an individual,
per IT audit instruction.
I would greatly appreciate guidance on how to set/use posix on Samba4. I've
spent 4 hours trolling the web and mailing list
searches with hints or scripts, so
5) Do I need to manually add the ldap posixAccount object to each users' ldap
record, or is there an option in samba-tool user
create that I haven't found? Next issue is how to manage as the
uidNumber/gidNumber content?
{This was being worked:
http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html
?}
6) Is there any mechanism that allows me to change the uid's being assigned to
files that are created by Samba AD DC to being the
same as pre-existing uid's used by Samba3. For example changing uid 320 to
1046, or gid 319 to 1001?
Miscellaineous
7) Will the list of smb.conf options described in samba4 source folder
source4/TODO be updated to reflect what appears in testparm
-vss? It's a little confusing as to which takes precedence?
With some instruction, I'd be happy to update/maintain some wiki information
for others' benefit.
Regards, Dewayne.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
