On Tue, May 29, 2018 at 05:54:49PM +0100, Rowland Penny via samba wrote:
> On Tue, 29 May 2018 09:18:49 -0700
> Jeremy Allison <jra at samba.org> wrote:
>
> > On Sat, May 26, 2018 at 02:47:24PM +0100, Rowland Penny via samba
> > wrote:
> > > On Sat, 26 May 2018 09:21:01 -0400
> > > Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
> > >
> > > > In lieu of virtualization, I wouldn't be opposed to some
> > > > small, inexpensive appliance type device (sort of like
> > > > the Netgate firewalls that run pfsense).
> > > >
> > > > I came across the MintBox Mini Pro
> > > > (http://www.fit-pc.com/web/products/mintbox/mintbox-mini-pro/)
> > > >
> > > > Any experience or alternate suggestions?
> > > >
> > >
> > > Yes, just about any 64bit computer on the planet.
> > >
> > > I know the wikipage says it isn't recommended to use a DC as
> > > fileserver, but I have never understood why. Every DC is used as a
> > > fileserver, what do you think 'sysvol' & 'netlogon' are ? Yes, they
> > > are shares serving files aka 'fileserver', anybody want to argue
> > > this ?
> >
> > No, it's certainly being a fileserver there. The key here
> > is 'recommended' :-). Doing a DC + fileserver on a box just
> > uses more resources that could be more productively :-) :-)
> > used in just serving files (Jeremy, who loves the file serving
> > part of Samba, the DC part less so :-) :-).
>
> I am not saying that using a DC as a fileserver in a very large
> organization is a good idea, but in a small office, it is more than
> capable. Lets not forget where all the authentication is carried out,
> it is on the DC, so if you only have a few computers and users, then it
> is possible to use the DC as a fileserver. If everything starts slowing
> down, then it would be time to add a separate fileserver.
> Stop me if I am wrong, but didn't a certain company produce something
> called an SBS ??

Yeah you're right. The main thing to do I think is set expectations
appropriately. e.g. for a so-and-so spec'ed machine, you can expect
x authentications per/second and y IO operations per second
simultaneously.

Problem is, I have no idea what x and y are :-).

On Tue, 29 May 2018 09:57:50 -0700
Jeremy Allison <jra at samba.org> wrote:
> On Tue, May 29, 2018 at 05:54:49PM +0100, Rowland Penny via samba
> wrote:
> > On Tue, 29 May 2018 09:18:49 -0700
> > Jeremy Allison <jra at samba.org> wrote:
> >
> > > On Sat, May 26, 2018 at 02:47:24PM +0100, Rowland Penny via samba
> > > wrote:
> > > > On Sat, 26 May 2018 09:21:01 -0400
> > > > Marco Shmerykowsky via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > In lieu of virtualization, I wouldn't be opposed to some
> > > > > small, inexpensive appliance type device (sort of like
> > > > > the Netgate firewalls that run pfsense).
> > > > >
> > > > > I came across the MintBox Mini Pro
> > > > > (http://www.fit-pc.com/web/products/mintbox/mintbox-mini-pro/)
> > > > >
> > > > > Any experience or alternate suggestions?
> > > > >
> > > >
> > > > Yes, just about any 64bit computer on the planet.
> > > >
> > > > I know the wikipage says it isn't recommended to use a DC as
> > > > fileserver, but I have never understood why. Every DC is used
> > > > as a fileserver, what do you think 'sysvol' & 'netlogon' are ?
> > > > Yes, they are shares serving files aka 'fileserver', anybody
> > > > want to argue this ?
> > >
> > > No, it's certainly being a fileserver there. The key here
> > > is 'recommended' :-). Doing a DC + fileserver on a box just
> > > uses more resources that could be more productively :-) :-)
> > > used in just serving files (Jeremy, who loves the file serving
> > > part of Samba, the DC part less so :-) :-).
> >
> > I am not saying that using a DC as a fileserver in a very large
> > organization is a good idea, but in a small office, it is more than
> > capable. Lets not forget where all the authentication is carried
> > out, it is on the DC, so if you only have a few computers and
> > users, then it is possible to use the DC as a fileserver. If
> > everything starts slowing down, then it would be time to add a
> > separate fileserver. Stop me if I am wrong, but didn't a certain
> > company produce something called an SBS ??
>
> Yeah you're right. The main thing to do I think is set expectations
> appropriately. e.g. for a so-and-so spec'ed machine, you can expect
> x authentications per/second and y IO operations per second
> simultaneously.
>
> Problem is, I have no idea what x and y are :-).

No and nobody else does and we never will do, if we keep saying 'do not
use a DC as a fileserver'.

Rowland

On Tue, 2018-05-29 at 18:20 +0100, Rowland Penny via samba wrote:
> On Tue, 29 May 2018 09:57:50 -0700
> Jeremy Allison <jra at samba.org> wrote:
>
> No and nobody else does and we never will do, if we keep saying 'do not
> use a DC as a fileserver'.

G'Day Rowland,

Thanks for raising this. To be clear, this wasn't ever meant to be as
absolute as that, and like Microsoft's 'don't change the schema' from
the days of Windows 2000, it has got a little out of control.

In the same way that a warning intended to give administrators pause
for thought has taken years to undo (I spoke long ago with the
Microsoft engineer who first gave the warnings to be careful about the
schema), this is perhaps the same.

The reasons are this:
 - For anything but the smallest organisations, having more than one DC
   is a really good backup measure, and makes upgrades safer:
 - It encourages upgrades of the DC to also be upgrades of the host OS
   every year or two, because there isn't complex data to transition or
   other services involved.
 - This means upgrades can be done installing fresh, and replicating in
   the changes, which is better tested in Samba, gains new features and
   avoids a number of lingering data corruption risks.
 - The DC and file-server have different points at which an
   organisation would wish to upgrade. The needs for new features on
   the DC and file server come at different times. Currently the AD DC
   evolves rapidly to gain features whereas the fileserver after over
   20 years is quite rightly more conservative.
 - The mandatory smb signing on the DC.

Finally, in terms of reasons that don't apply any more:
 - In Samba 4.0 we shipped a different, much less capable 'winbind'
   service in the AD DC. We don't any more, we just plug in to the
   common winbindd codebase (just self-starting it as a forked child
   for samba).

Anyway, as I say, it was set down just to give folks pause for thought,
not as a total prescription. Samba remains free software and folks
will use it as they want.

I hope this clarifies things and you are welcome to embellish the wiki
with the above.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba