On 26/07/16 21:43, Mark Foley wrote:
> Well, ladies and gentlemen -- it's now working! Sendmail *is* authenticating with the
> nsswitch.conf settings (winbind added):
>
> passwd: compat winbind
> shadow: compat winbind
> group: compat winbind
>
> and with the AD user REMOVED from /etc/passwd. All is well. I did nothing, no patching of
> sendmail, no username rewrite rule in sendmail.[mc|cf].
>
> I can't really explain what changed. Perhaps restarting sendmail and/or samba? I don't
> remember. I didn't reboot, but samba is automatically stopped/started during a wee-hours daily
> backup and is also restarted weekly by logrotate. I did modify /etc/mail/aliases for unrelated
> reasons and restarted sendmail thereafter.
>
> I'm guessing that restarting one or both of these programs did the trick. I should follow my
> own advice to my users: try rebooting first! It solves a world of problems.
>
> So, Mr. Penny, you will be pleased to know that henceforth I WILL NOT have AD users also in
> /etc/passwd (well, except for 2 Outlook stragglers for whom I've not yet figured out how to
> dovecot NTLM authenticate ... working on it; unless I can get them to switch the Thunderbird
> first!).
>
> I've not checked the documentation, but I would suggest adding the winbind settings to the docs
> for the AD/DC setup wiki, if missing. You explicitly gave me those settings for configuring a
> domain member for single-sign-on last year, and I believe you incorporated that info into the
> domain member wiki.
>
> Being able to authenticate *on* the AC/DC does not necessarily imply its use as a file server.
> Programs should be able to authenticate when running on the AC/DC.
>
> Thanks!!! --Mark
>

Glad to see you got it to work :-)

As for the info you would like adding to the wiki, it used to be there, but when the wiki was re-written, it was removed. The thinking seemed to be, as samba doesn't recommend using the DC as a fileserver, it shouldn't be there. Samba has been recommending not using the DC as a fileserver since version 4 was first released, this was nearly 4 years ago. Perhaps, due to the many changes since the first release, it is time to reconsider this recommendation.

Rowland

Since you bring up that topic (Samba4 not recommended as a file server), I've been meaning to ask on this list for a while: Why?

I installed Samba4 2 years ago next month. I read then that recommendation in the wiki and took it literally: not actual Samba shares. I followed the advice and we have two other different servers acting as actual "classic" Samba file servers. At the time, I did not take that recommendation to mean that hosting a mail server and the like were included.

Therefore, I blithely went ahead and set up Samba4 as a full-on replacement for our retiring Windows SBS 2008 AD/DC. That included AD authentication, mail server (with sendmail/dovecot replacing Exchange), Remote Desktop Connection (policy), redirected folders (certainly file server-like), DNS, DHCP, webmail, iCal calendar server ... and probably a bunch of stuff I'm not thinking about at the moment. When I figured out the various configs for the various services (not too hard, really, except for a long stretch trying to figure out Dovecot authentication), everything just worked, perfectly. We've been running production for more than a year and a half with WIN7 workstations in user offices and a couple of experimental Linux domain member workstations. We've never had a hiccup, never lost a file that I'm aware of and have had zero problems with Samba4 doing all this -- which is more than I can say for good 'ole SBS2008 in its day.

All that said to demonstrate that we've been using Samba4 for supposedly "not recommended" purposes in a real production environment for quite a while. Furthermore, outfits like Zentyal must be doing the same.

So, to repeat the main question: Why is Samba4 not recommended for this sort of thing? I've not come across actual reasons. Maybe too bit-specific technical for this list, but I'd like someone to at least speculate on the reason. I'm curious.

--Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Tue, 26 Jul 2016 22:13:43 +0100
> Subject: Re: [Samba] sendmail getting domain\user as email userId
>
[deleted]
>
> As for the info you would like adding to the wiki, it used to be there,
> but when the wiki was re-written, it was removed. The thinking seemed to
> be, as samba doesn't recommend using the DC as a fileserver, it
> shouldn't be there. Samba has been recommending not using the DC as a
> fileserver since version 4 was first released, this was nearly 4 years
> ago. Perhaps, due to the many changes since the first release, it is
> time to reconsider this recommendation.
>
> Rowland

Mark Foley <mfoley at ohprs.org> writes:
> Since you bring up that topic (Samba4 not recommended as a file server), I've been meaning to
> ask on this list for a while: Why?
> [...]
>> As for the info you would like adding to the wiki, it used to be there,
>> but when the wiki was re-written, it was removed. The thinking seemed to
>> be, as samba doesn't recommend using the DC as a fileserver, it
>> shouldn't be there. Samba has been recommending not using the DC as a

What was said is "not using the DC as file server", not "not using Samba". My understanding is that it is better to have one machine running the DC and another serving files.

Best regards,

Olivier

John Gardeniers
2016-Jul-28 05:54 UTC
[Samba] Why is Samba4 not recommended as a file server?
Hi Mark,

You may have misunderstood. It's only the Samba 4 domain controllers that shouldn't be used as file servers. A regular server, whether domain member or free-standing, works perfectly as a file server.

regards,
John

On 28/07/16 15:31, Mark Foley wrote:
> Since you bring up that topic (Samba4 not recommended as a file server), I've been meaning to
> ask on this list for a while: Why?
>
> I installed Samba4 2 years ago next month. I read then that recommendation in the wiki and
> took it literally: not actual Samba shares. I followed the advice and we have two other
> different servers acting as actual "classic" Samba file servers. At the time, I did not take
> that recommendation to mean that hosting a mail server and the like were included.
>
> Therefore, I blithely went ahead and set up Samba4 as a full-on replacement for our retiring
> Windows SBS 2008 AD/DC. That included AD authentication, mail server (with sendmail/dovecot
> replacing Exchange), Remote Desktop Connection (policy), redirected folders (certainly file
> server-like), DNS, DHCP, webmail, iCal calendar server ... and probably a bunch of stuff I'm
> not thinking about at the moment. When I figured out the various configs for the various
> services (not too hard, really, except for a long stretch trying to figure out Dovecot
> authentication), everything just worked, perfectly. We've been running production for more than
> a year and a half with WIN7 workstations in user offices and a couple of experimental Linux
> domain member workstations. We've never had a hiccup, never lost a file that I'm aware of and
> have had zero problems with Samba4 doing all this -- which is more than I can say for good 'ole
> SBS2008 in its day.
>
> All that said to demonstrate that we've been using Samba4 for supposedly "not recommended"
> purposes in a real production environment for quite a while. Furthermore, outfits like Zentyal
> must be doing the same.
>
> So, to repeat the main question: Why is Samba4 not recommended for this sort of thing? I've
> not come across actual reasons. Maybe too bit-specific technical for this list, but I'd like
> someone to at least speculate on the reason. I'm curious.
>
> --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Rowland penny <rpenny at samba.org>
>> Date: Tue, 26 Jul 2016 22:13:43 +0100
>> Subject: Re: [Samba] sendmail getting domain\user as email userId
>>
> [deleted]
>> As for the info you would like adding to the wiki, it used to be there,
>> but when the wiki was re-written, it was removed. The thinking seemed to
>> be, as samba doesn't recommend using the DC as a fileserver, it
>> shouldn't be there. Samba has been recommending not using the DC as a
>> fileserver since version 4 was first released, this was nearly 4 years
>> ago. Perhaps, due to the many changes since the first release, it is
>> time to reconsider this recommendation.
>>
>> Rowland

Reindl Harald
2016-Jul-28 08:28 UTC
[Samba] Why is Samba4 not recommended as a file server?
On 28.07.2016 at 07:31, Mark Foley wrote:
> Since you bring up that topic (Samba4 not recommended as a file server), I've been meaning to
> ask on this list for a while: Why?

what are you talking about?
"not using the DC" != "not using samba4"

> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Rowland penny <rpenny at samba.org>
>> Date: Tue, 26 Jul 2016 22:13:43 +0100
>> Subject: Re: [Samba] sendmail getting domain\user as email userId
>>
>> Samba has been recommending not using the DC as a
>> fileserver