Linda W
2016-Nov-05  19:15 UTC
[Samba] How can I setup a Domain Controller and File Server on the same hardware
Marc Muehlfeld via samba wrote:
> Hi John,
>
> On 05.11.2016 at 17:33, John te Bokkel via samba wrote:
>
>> I understand from the wiki that I shouldn't have the domain controller also
>> be the file server.
>>
>> Is it possible to setup the domain controller in a chroot and have the
>> file server run under regular root?
>>
>> Would it be better to setup a VM for the domain controller and have file
>> server run on the main OS or vice-versa?
>>
> to run two Samba instances on the same host, you can create a NIC alias
> with an additional IP address and bind the Samba DC to one IP and the
> file server to the second. Of course you need two separate smb.conf
> files and configure individual database directories. And then start the
> daemons with the "-c" parameter and the path to the smb.conf file.
>
---
Is there a target date for when the 4.x server will be able to
support 1 samba instance being the domain controller and serving files
as the 3.x server is able to do?

I have been waiting for the 4.x server to become a full server
before upgrading from 3.6.22, but it is getting a bit long in the
tooth. The requirement that in upgrading to 4.x I'll still need to run
a 3.6 server made the upgrade seem like a lot of work for little gain
(I only have a few users and most of them are "virtual me's"...).

I guess I don't understand why the 3.6.x file-serving code wasn't
just included in the 4.x. On some level, at *worst*, it seems like
the 4.x code could include all the 3.6 file-serving code and just
fork that portion for files to be shared -- not ideal, but it
*seems* better than "recommending" multiple machines. I did say
"seems", as I don't know why it is suggested they be separate, so
please forgive my ignorance in advance. I've been off the list (not
by choice) due to some mail-server snafu that only affects the samba
list, so it's been impossible to track. For some reason the problem
has, (at least temporarily) gone away (I hate unexplained solutions
almost as much as unexplained problems).

Thanks,
-linda
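The two-instance layout in Marc Muehlfeld's quoted reply (one IP per instance, separate smb.conf files, individual database directories) can be checked before either daemon is started. The following is an added example, not part of the thread or of Samba itself: the parameter names are real smb.conf parameters, while the function names, addresses and paths are constructed for illustration, and parameter synonyms such as "private directory" are not resolved.

```python
# Added example: sanity-check two smb.conf files for same-host coexistence.
import re

# Unset means the compiled-in default, which both instances would share.
DIR_PARAMS = ["private dir", "lock directory", "state directory",
              "cache directory", "pid directory"]

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def addresses(params):
    return {e.split("/")[0] for e in params.get("interfaces", "").split()}

def conflicts(dc_text, fs_text):
    """Reasons the two instances would collide; empty list means none found."""
    dc, fs = parse_global(dc_text), parse_global(fs_text)
    found = []
    for label, p in (("dc", dc), ("fileserver", fs)):
        if p.get("bindinterfacesonly", "no").lower() not in ("yes", "true", "1"):
            found.append(f"{label}: bind interfaces only is off")
    if addresses(dc) & addresses(fs) or not addresses(dc) or not addresses(fs):
        found.append("interfaces: overlapping or unset")
    for name in DIR_PARAMS:
        a, b = dc.get(norm(name)), fs.get(norm(name))
        if a is None or b is None or a.rstrip("/") == b.rstrip("/"):
            found.append(f"{name}: shared or left at default")
    return found

# Constructed sample configs (documentation addresses, hypothetical paths)
def sample(ip, root):
    dirs = "\n".join(f"  {n} = {root}/{norm(n)}" for n in DIR_PARAMS)
    return f"[global]\n  interfaces = {ip}/24\n  bind interfaces only = yes\n{dirs}\n"

DC = sample("192.0.2.10", "/srv/samba-dc")
FS = sample("192.0.2.11", "/srv/samba-fs")
print(conflicts(DC, FS) or "no conflicts found")
```

An empty result only means these particular collisions were not found; it does not validate the rest of either configuration.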
Rowland Penny
2016-Nov-05  20:02 UTC
[Samba] How can I setup a Domain Controller and File Server on the same hardware
On Sat, 05 Nov 2016 12:15:49 -0700
Linda W via samba <samba at lists.samba.org> wrote:

> Is there a target date for when the 4.x server will be able to
> support 1 samba instance being the domain controller and serving files
> as the 3.x server is able to do?

You can already do this.

>
> I have been waiting for the 4.x server to become a full server
> before upgrading from 3.6.22, but it is getting a bit long in the
> tooth. The requirement that in upgrading to 4.x I'll still need to run
> a 3.6 server made the upgrade seem like a lot of work for little gain
> (I only have a few users and most of them are "virtual me's"...).

Samba 4 is capable of being a full AD DC.

>
> I guess I don't understand why the 3.6.x file-serving code wasn't
> just included in the 4.x. On some level, at *worst*, it seems like
> the 4.x code could include all the 3.6 file-serving code and just
> fork that portion for files to be shared -- not ideal, but it
> *seems* better than "recommending" multiple machines. I did say
> "seems", as I don't know why it is suggested they be separate, so
> please forgive my ignorance in advance. I've been off the list (not
> by choice) due to some mail-server snafu that only affects the samba
> list, so it's been impossible to track. For some reason the problem
> has, (at least temporarily) gone away (I hate unexplained solutions
> almost as much as unexplained problems).
>

If you are referring to the fileserving code in 'smbd', then again it
is included in Samba 4, the 'samba' binary has been starting 'smbd' for
some time now.

If you use the DC as a fileserver, then there are a few minor problems
you need to work around, mostly to do with IDs

Rowland
Rowland Penny via samba wrote:
> On Sat, 05 Nov 2016 12:15:49 -0700
> Linda W via samba <samba at lists.samba.org> wrote:
>
>> Is there a target date for when the 4.x server will be able to
>> support 1 samba instance being the domain controller and serving files
>> as the 3.x server is able to do?
>>
>
> You can already do this.
>
---
The 4.x server will serve files as well or better than the 3.6.x
servers?

>
>> I have been waiting for the 4.x server to become a full server
>> before upgrading from 3.6.22, but it is getting a bit long in the
>> tooth. The requirement that in upgrading to 4.x I'll still need to run
>> a 3.6 server made the upgrade seem like a lot of work for little gain
>> (I only have a few users and most of them are "virtual me's"...).
>>
>
> Samba 4 is capable of being a full AD DC.
>
---
But is it capable of being a full 3.6.xx file server with the same
flexibility in mapping windows-ID's to local unix ID's?

For example, I have the security groupings in my server's /etc/group
file:

    Low Mandatory Level:!:11604096:
    Medium Mandatory Level:!:11608192:
    Medium Plus Mandatory Level:!:11608448:
    High Mandatory Level:!:11612288:
    System Mandatory Level:!:11616384:root

on the server, so when I login to windows and bring up cygwin, I see
my security label in my group listing. I have several Win-builtin and
well-known ID ranges mapped to unix-ID ranges and that works (at least
for identification purposes -- you can't force a Mandatory-level your
user id doesn't already have in windows, but it will show ones you do
have if there is a label for them in "winbind"). I use winbind to
provide a single-signon from linux or win with the file ownerships
being the same for domain RID's on linux and on windows (win7).

>
> If you use the DC as a fileserver, then there are a few minor problems
> you need to work around, mostly to do with IDs
>
----
"Minor problems" -- enough so that it is recommended to run them on
separate machines?

I have a rather useful Domain server that can return many or most of
the MS-builtins as well as "well-known" domain ID's... Winbind also
provides the logins for linux, so I have a single login on linux and
win ("domain\login" on Win = login on my server for the most part,
though if I login from win->linux w/ssh, I do have to accept and map
domain\login => login in /etc/passwd, for example). Consistent with
having the same ID's is the ability of my win-userID's to access same
files on the server as they can when logged into the server. I only
have single-user access to my Win-shares mounted on linux, as I
haven't written a good CIFS-upcall handler to allow multi-user, but
that's not a pressing need.

I'd like my 4.x config to be at least as flexible as what I have
now... that should be easy, right? (*wincing*)...

Thanks!
-linda