On Tue, 2018-05-29 at 18:20 +0100, Rowland Penny via samba wrote:
> On Tue, 29 May 2018 09:57:50 -0700
> Jeremy Allison <jra at samba.org> wrote:
>
> No and nobody else does and we never will do, if we keep saying 'do not
> use a DC as a fileserver'.

G'Day Rowland,

Thanks for raising this. To be clear, this wasn't ever meant to be as
absolute as that, and like Microsoft's 'don't change the schema' from
the days of Windows 2000, it has got a little out of control.

In the same way that a warning intended to give administrators pause
for thought has taken years to undo (I spoke long ago with the
Microsoft engineer who first gave the warnings to be careful about the
schema), this is perhaps the same.

The reasons are this:
 - For anything but the smallest organisations, having more than one
   DC is a really good backup measure, and makes upgrades safer:
   - It encourages upgrades of the DC to also be upgrades of the host
     OS every year or two, because there isn't complex data to
     transition or other services involved.
   - This means upgrades can be done installing fresh, and replicating
     in the changes, which is better tested in Samba, gains new
     features and avoids a number of lingering data corruption risks.

 - The DC and file-server have different points at which an
   organisation would wish to upgrade. The needs for new features on
   the DC and file server come at different times. Currently the AD DC
   evolves rapidly to gain features whereas the fileserver after over
   20 years is quite rightly more conservative.

 - The mandatory smb signing on the DC.

Finally, in terms of reasons that don't apply any more:

 - In Samba 4.0 we shipped a different, much less capable 'winbind'
   service in the AD DC. We don't any more, we just plug in to the
   common winbindd codebase (just self-starting it as a forked child
   for samba).

Anyway, as I say, it was set down just to give folks pause for
thought, not as a total prescription. Samba remains free software
and folks will use it as they want.

I hope this clarifies things and you are welcome to embellish the wiki
with the above.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Wed, 30 May 2018 06:44:27 +1200
Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2018-05-29 at 18:20 +0100, Rowland Penny via samba wrote:
> > On Tue, 29 May 2018 09:57:50 -0700
> > Jeremy Allison <jra at samba.org> wrote:
> >
> > No and nobody else does and we never will do, if we keep saying 'do
> > not use a DC as a fileserver'.
>
> G'Day Rowland,
>
> Thanks for raising this. To be clear, this wasn't ever meant to be as
> absolute as that, and like Microsoft's 'don't change the schema' from
> the days of Windows 2000, it has got a little out of control.
>
> In the same way that a warning intended to give administrators pause
> for thought has taken years to undo (I spoke long ago with the
> Microsoft engineer who first gave the warnings to be careful about the
> schema), this is perhaps the same.
>
> The reasons are this:
>  - For anything but the smallest organisations, having more than one
> DC is a really good backup measure, and makes upgrades safer:
>    - It encourages upgrades of the DC to also be upgrades of the host
> OS every year or two, because there isn't complex data to transition
> or other services involved.
>    - This means upgrades can be done installing fresh, and replicating
> in the changes, which is better tested in Samba, gains new features
> and avoids a number of lingering data corruption risks.
>
>  - The DC and file-server have different points at which an
> organisation would wish to upgrade. The needs for new features on the
> DC and file server come at different times. Currently the AD DC
> evolves rapidly to gain features whereas the fileserver after over 20
> years is quite rightly more conservative.
>
>  - The mandatory smb signing on the DC.
>
> Finally, in terms of reasons that don't apply any more:
>
>  - In Samba 4.0 we shipped a different, much less capable 'winbind'
> service in the AD DC. We don't any more, we just plug in to the
> common winbindd codebase (just self-starting it as a forked child for
> samba).
>
> Anyway, as I say, it was set down just to give folks pause for
> thought, not as a total prescription. Samba remains free software
> and folks will use it as they want.
>
> I hope this clarifies things and you are welcome to embellish the wiki
> with the above.
>
> Andrew Bartlett

So I take it from the above, that whilst it isn't a good idea to use a
DC as a fileserver if you have the resources, it will work for a
small office set up.

I will use the information above to update the wiki and I feel that I
should point out that I didn't start this thread.

Rowland

On Tue, 2018-05-29 at 19:58 +0100, Rowland Penny via samba wrote:
>
> So I take it from the above, that whilst it isn't a good idea to use a
> DC as a fileserver if you have the resources, it will work for a
> small office set up.

Exactly.

> I will use the information above to update the wiki and I feel that I
> should point out that I didn't start this thread.

Thanks for all your efforts to help and advocate for our users Rowland,
it is much appreciated.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba