Shelton, Gary
2021-Dec-09 16:32 UTC
[Samba] New Samba4 environment to replace existing Windows 2008R2 AD
Hello folks,

I have a client who is looking to retire their old 2008R2 AD environment (a single server with the AD DC and file server roles). It's been through a few upgrades (2003->2008->2008R2), and so the AD is a bit of a mess. I've done some preliminary tests in adding a Samba4 AD DC to the existing domain and there are a lot of little bits of old AD schema still floating around and inevitably the Samba DC stops syncing with the Windows server, logins are no longer authenticated, etc., so we're going to set up a new AD from scratch. So far, so good.

I have a couple of questions about deploying a Samba-only AD in a production environment. The client network consists of about 60 workstations and virtual machines (all running Windows 10) so we all understand the environment. Nothing fancy.

My questions:

* Is it recommended to run multiple Samba AD DCs, like the typical guidance for running Windows Server DCs? There are only about 35 users, so I don't see the need from a capacity standpoint.

* If so, is it acceptable to use containers (LXC on Linux or jails on FreeBSD) to run an AD DC and a file server on the same physical host?

* My initial design for the file server component is to use Debian 11 (Bullseye) hosts using btrfs on a hardware-backed RAID array (presented as a single block device to Debian) for ACL and snapshot support. I see that Samba's VFS has support for btrfs which started me on this path. Is this a bad idea?

* The network environment heavily uses ACLs for access-based enumeration over many discrete files and directories. Will this be a problem for either Samba or btrfs?

I've done several small-scale Samba4 AD installs, but not for clients who so heavily used ABE/ACLs so I am hoping for some feedback from folks who've worked with such setups.

I've got a few months for testing and I'm sure there will be quirks to be ironed out, I'm just looking for experience from anyone who has walked some of these paths before.

Thanks!

--
Gary S
Rowland Penny
2021-Dec-09 16:55 UTC
[Samba] New Samba4 environment to replace existing Windows 2008R2 AD
On Thu, 2021-12-09 at 11:32 -0500, Shelton, Gary via samba wrote:
> Hello folks,
> I have a client who is looking to retire their old 2008R2 AD
> environment (a single server with the AD DC and file server roles).
> It's been through a few upgrades (2003->2008->2008R2), and so the AD
> is a bit of a mess. I've done some preliminary tests in adding a
> Samba4 AD DC to the existing domain and there are a lot of little
> bits of old AD schema still floating around and inevitably the Samba DC
> stops syncing with the Windows server, logins are no longer
> authenticated, etc. so we're going to set up a new AD from scratch.
> So far, so good.
>
> I have a couple of questions about deploying a Samba-only AD in a
> production environment. The client network consists of about 60
> workstations and virtual machines (all running Windows 10) so we all
> understand the environment. Nothing fancy.
>
> My questions:
>
> * Is it recommended to run multiple Samba AD DCs, like the typical
> guidance for running Windows Server DCs? There are only about 35
> users, so I don't see the need from a capacity standpoint.

You will not see the point of multiple DCs, right up until one falls over, then you will be glad you have more than one DC.

> * If so, is it acceptable to use containers (LXC on Linux or jails
> on FreeBSD) to run an AD DC and a file server on the same physical
> host?

You can run Samba in VMs, but I personally wouldn't use jails and/or FreeBSD.

> * My initial design for the file server component is to use Debian
> 11 (Bullseye) hosts using btrfs on a hardware-backed RAID array
> (presented as a single block device to Debian) for ACL and snapshot
> support. I see that Samba's VFS has support for btrfs which started
> me on this path. Is this a bad idea?

I actually think this is a good idea, by using Debian, you will be able to use Louis Van Belle's Samba repo:

https://apt.van-belle.nl/

> * The network environment heavily uses ACLs for access-based
> enumeration over many discrete files and directories. Will this be a
> problem for either Samba or btrfs?

Fairly easy to set up, see the Samba wiki.

> I've done several small-scale Samba4 AD installs, but not for clients
> who so heavily used ABE/ACLs so I am hoping for some feedback from
> folks who've worked with such setups.

There are lots of people on here who run such setups, so you should get plenty of help.

> I've got a few months for testing and I'm sure there will be quirks
> to be ironed out, I'm just looking for experience from anyone who has
> walked some of these paths before.

Testing is always best, you will find out what works and what doesn't (though Samba is highly adaptable). It will give you a chance to try different ways of doing things, use the internal dns server or Bind9, use RFC2307 attributes on the Unix domain members or use the winbind 'rid' backend instead.

The best thing to do is to read the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

Then come back with any questions.

Rowland
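A concrete starting point for the Debian file-server side that the thread discusses (winbind 'rid' backend instead of RFC2307, Windows ACLs stored via acl_xattr, the btrfs VFS module, and access-based enumeration). This is an added example, not configuration from the original thread or from the Samba project; the domain SAMDOM / samdom.example.com, the idmap ranges and the path /srv/data are placeholders to be replaced with the new domain's values.

```ini
# /etc/samba/smb.conf for a Debian 11 domain member used as a file server.
# Added example, not from the thread. SAMDOM, SAMDOM.EXAMPLE.COM, the idmap
# ranges and /srv/data are assumed placeholders.
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    log file = /var/log/samba/%m.log
    log level = 1

    # ID mapping. The '*' (default) backend covers BUILTIN and well-known
    # SIDs; the 'rid' backend derives UIDs/GIDs arithmetically from the
    # SID's RID, so every member server maps the same user to the same ID
    # without needing uidNumber/gidNumber in AD. The two ranges must not
    # overlap, and must never be changed once data has been written.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U

    # Store the full Windows security descriptor in the security.NTACL
    # extended attribute and honour inheritance, so ACLs can be managed
    # from a Windows client exactly as on the old 2008R2 server.
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Share-level ABE: hide shares the connecting user cannot access.
    access based share enum = yes

[data]
    path = /srv/data
    read only = no
    # acl_xattr first, as in the Samba wiki's Windows-ACL examples; btrfs
    # last, as in the vfs_btrfs(8) examples. vfs_btrfs adds server-side
    # copy (copy-chunk) on btrfs and can expose btrfs snapshots as
    # Windows "Previous Versions" when combined with vfs_snapper.
    vfs objects = acl_xattr btrfs
    # Optional, only with vfs_snapper configured on the host:
    # vfs objects = acl_xattr snapper btrfs
    # btrfs: manipulate snapshots = yes

    # File/directory-level ABE: hide entries the user cannot read. Samba
    # performs an access check on every entry of every directory listing,
    # which is the cost to expect on very large directories.
    hide unreadable = yes
```

Two practical checks before trusting this: run `testparm -s` after every edit, and confirm with `getfattr -n security.NTACL -d /srv/data/somefile` that ACLs set from Windows are actually landing in the xattr (btrfs enables POSIX ACLs and user xattrs by default, so no special mount options are needed). Because the NT ACL lives in an extended attribute, any backup or replication path outside btrfs snapshots must preserve xattrs, or the Windows permissions are silently lost on restore.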
Patrick Goetz
2021-Dec-09 18:09 UTC
[Samba] New Samba4 environment to replace existing Windows 2008R2 AD
On 12/9/21 10:32, Shelton, Gary via samba wrote:
> Hello folks,
> I have a client who is looking to retire their old 2008R2 AD
> environment (a single server with the AD DC and file server roles).
> It's been through a few upgrades (2003->2008->2008R2), and so the AD
> is a bit of a mess. I've done some preliminary tests in adding a
> Samba4 AD DC to the existing domain and there are a lot of little bits
> of old AD schema still floating around and inevitably the Samba DC
> stops syncing with the Windows server, logins are no longer
> authenticated, etc. so we're going to set up a new AD from scratch. So
> far, so good.
>
> I have a couple of questions about deploying a Samba-only AD in a
> production environment. The client network consists of about 60
> workstations and virtual machines (all running Windows 10) so we all
> understand the environment. Nothing fancy.
>
> My questions:
>
> * Is it recommended to run multiple Samba AD DCs, like the typical
> guidance for running Windows Server DCs? There are only about 35
> users, so I don't see the need from a capacity standpoint.
>
> * If so, is it acceptable to use containers (LXC on Linux or jails
> on FreeBSD) to run an AD DC and a file server on the same physical
> host?
>

As far as I'm concerned, one should *only* run a samba ad-dc in an LXD container, but I'm sure there are plenty who beg to differ. I can confirm, however, that it works. Note that this is not the same thing as a VM. A VM does OS emulation. A container makes use of Linux's ABI continuity and uses the Linux kernel running on your machine to run at bare metal speeds. It just uses namespaces and cgroups to make it seem like it's a different machine.

> * My initial design for the file server component is to use Debian
> 11 (Bullseye) hosts using btrfs on a hardware-backed RAID array
> (presented as a single block device to Debian) for ACL and snapshot
> support. I see that Samba's VFS has support for btrfs which started me
> on this path. Is this a bad idea?
>
> * The network environment heavily uses ACLs for access-based
> enumeration over many discrete files and directories. Will this be a
> problem for either Samba or btrfs?
>
> I've done several small-scale Samba4 AD installs, but not for clients
> who so heavily used ABE/ACLs so I am hoping for some feedback from
> folks who've worked with such setups.
> I've got a few months for testing and I'm sure there will be quirks to
> be ironed out, I'm just looking for experience from anyone who has
> walked some of these paths before.
>
> Thanks!
>