samba - Dec 2014 - Samba 4.1.14 Domain Controller as file server and internal winbind

Hi,

Im running a domain controller (AD DC) and file server, on the same
machine, with sernet-samba 4.1.14.

Right now, I have a process using almost 100% CPU all the time. After
'samba-tool processes' I found that the process is winbind_server.

On samba wiki page, they don't recommend using domain controller as file
server because winbind issues.

I already have other domain controller and file server, running without
problem.

Why is not recommended using domain controller as file server?
What issues exists in winbind in this kind of environment?

Regards,
Bruno Andrade.

On 30/12/14 12:27, Bruno Andrade wrote:
> Hi,
>
> Im running a domain controller (AD DC) and file server, on the same
> machine, with sernet-samba 4.1.14.
>
> Right now, I have a process using almost 100% CPU all the time. After
> 'samba-tool processes' I found that the process is winbind_server.
>
> On samba wiki page, they don't recommend using domain controller as
file
> server because winbind issues.
>
> I already have other domain controller and file server, running without
> problem.
>
> Why is not recommended using domain controller as file server?
> What issues exists in winbind in this kind of environment?
>
> Regards,
> Bruno Andrade.
OK, winbind built into the samba daemon on the AD DC, is not the same as 
the separate winbind daemon you would use on a member server It does not 
have the same capabilities and is not setup in the same way, it cannot 
pull the Unix attributes from AD and these have to be set in smb.conf 
via templates. These templates mean that you cannot have different home 
directories based on the user. The UID & GID numbers on the AD DC are 
all in the 3000000 range, these numbers only exist on the DC, they will 
be different on any member server (and any other DC's).

There are other reasons why you should not use an AD DC as a fileserver, 
but the above reasons are the most obvious.

Rowland

Thanks,

Is there any site/blog/post/mail where I can find a more completed list
of issues/reasons?

Regards,
Bruno Andrade.

On 12/30/2014 12:59 PM, Rowland Penny wrote:
> On 30/12/14 12:27, Bruno Andrade wrote:
>> Hi,
>>
>> Im running a domain controller (AD DC) and file server, on the same
>> machine, with sernet-samba 4.1.14.
>>
>> Right now, I have a process using almost 100% CPU all the time. After
>> 'samba-tool processes' I found that the process is
winbind_server.
>>
>> On samba wiki page, they don't recommend using domain controller as
file
>> server because winbind issues.
>>
>> I already have other domain controller and file server, running without
>> problem.
>>
>> Why is not recommended using domain controller as file server?
>> What issues exists in winbind in this kind of environment?
>>
>> Regards,
>> Bruno Andrade.
>
> OK, winbind built into the samba daemon on the AD DC, is not the same
> as the separate winbind daemon you would use on a member server It
> does not have the same capabilities and is not setup in the same way,
> it cannot pull the Unix attributes from AD and these have to be set in
> smb.conf via templates. These templates mean that you cannot have
> different home directories based on the user. The UID & GID numbers on
> the AD DC are all in the 3000000 range, these numbers only exist on
> the DC, they will be different on any member server (and any other
DC's).
>
> There are other reasons why you should not use an AD DC as a
> fileserver, but the above reasons are the most obvious.
>
> Rowland