samba - Feb 2014 - samba 4 best practices questions

I'm interested in using samba4 in a production environment that has
multiple locations tied together via a WAN.  In order to do so I need to
figure out what is the absolute most stable and supported path.


I found this email thread here stating samba4 ad roles, and file server
roles should be on separate servers.


https://groups.google.com/forum/#!topic/mailing.unix.samba/QySoM_uGGL8


Can anyone answer is this still the case?


In addition I've been noticing that sysvol replication is not officially
supported and third party tools such as rsync can be used as a work
around.  So I think I would ultimately like each location to have it's own
standalone PDC or just member servers of the PDC.


My question is are trust relationships working between samba 4 and samba4
servers yet?   I've been reading that trust relationships are one way only
does this apply to samba servers only talking to eachother as well?  Could
one user from one location log in at another location and so on this way?
Is this just a bad idea altogether right now?


If the above is not possible would joining file servers as member servers
only prove to be the best way forward until these features are
implimented?  Thanks in advance for any help or advice you may be able to
provide.


Joe Maloney

Hello Joe,

Am 08.02.2014 21:45, schrieb Joe Maloney:
> I found this email thread here stating samba4 ad roles, and file server
> roles should be on separate servers.
 >
 > Can anyone answer is this still the case?

Yes. Fileservers should be separate member servers and the DC only do 
the domain stuff.



> In addition I've been noticing that sysvol replication is not
officially
> supported and third party tools such as rsync can be used as a work
> around.
Not just "not offically supported". It's not implemented yet. :-)

You can use own solutions to replicate the SysVol content between your 
DCs. But you have to use tools, that can replicate the ACLs. An easy way 
is rsync:

https://wiki.samba.org/index.php/SysVol_Replication




 > So I think I would ultimately like each location to have it's own
 > standalone PDC or just member servers of the PDC.
 >
 > My question is are trust relationships working between samba 4 and
 > samba4 servers yet?   I've been reading that trust relationships are
 > one way only does this apply to samba servers only talking to
 > eachother as well?  Could one user from one location log in at
 > another location and so on this way?

I guess you mean with PDC and AD DC. But if you have different domains 
on each location, remember, that trusts are not working at the moment.

https://wiki.samba.org/index.php/FAQ#Trusts



> If the above is not possible would joining file servers as member servers
> only prove to be the best way forward until these features are
> implimented?  Thanks in advance for any help or advice you may be able to
> provide.
I don't know your environment, locations and requirements. But maybe you 
can simply have one domain and separate DCs and Member Servers at the 
different locations. Then the authentication is done on each place 
against the local DCs, etc.

I'm not that familiar with huge AD installations yet. But with 
sites/subnet declarations, etc. maybe most requirements can be complied. 
But of course testing is important. And feedback about things that are 
working or not working here on the list would be great. Then we can add 
them to the Wiki for others.


Regards,
Marc