samba - Feb 2015 - File-Server update from Samba 3.6 to Samba 4.1

Hello,

I'm preparing a update from a heterogen environment with the services
OpenLDAP,
Kerberos, Bind9, Samba 3.6 (NT-Domain), NFS4 to a Samba4 AD. I'm setting up
a test
environment with a separate DC and a file server. 
There are some questions about the file server which is a debian file server
with some TB
of data right now.

The first question is, what to do with the existing TB of data (user homes,
global exports,
a.s.o.) only with POXIS ACLs (owner,group,others). Do I have to set the more
complex
Windows ACLs for every folder or file to get at least the same access rights as
before?

The second question is, if it is possible to export the same file system/folders
as an
NFS4 export and a Samba4 share or if there are problems concering the ACLs?

-- 
Viele Gr??e
Andreas Hauffe

Hello Andreas,

Am 03.02.2015 um 13:29 schrieb Andreas Hauffe:
> The first question is, what to do with the existing TB of data (user homes,
global exports,
> a.s.o.) only with POXIS ACLs (owner,group,others). Do I have to set the
more complex
> Windows ACLs for every folder or file to get at least the same access
rights as before?
It's not recommended to use the DC as a file server. Put your data on a
member server. If you currently have all data on your PDC, you could
configure this machine as a member server after you did the
classicupgrade (on a different host). The AD DC, doesn't have to be a
very powerful machine, if you don't have thousands of users flooding you
with authentication. :-)

You can use Posix ACLs, like ever in the past.
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_POSIX_ACLs

Where do you have your IDs stored atm? In openLDAP? Then it's easy. If
you do the classicupgrade, the process moves the IDs to AD. You can
configure your member servers to use RFC2307 idmap backend. Then all
files are owned by the same users/groups.



> The second question is, if it is possible to export the same file
system/folders as an
> NFS4 export and a Samba4 share or if there are problems concering the ACLs?
Sorry. Never tried this. But surely someone else can answer that. :-)


Regards,
Marc

Hello Marc,

at first thanks!

Am Dienstag, 3. Februar 2015, 15:15:47 schrieb Marc
Muehlfeld:
> Hello Andreas,
> 
> Am 03.02.2015 um 13:29 schrieb Andreas Hauffe:
> > The first question is, what to do with the existing TB of data (user
> > homes, global exports, a.s.o.) only with POXIS ACLs
(owner,group,others).
> > Do I have to set the more complex Windows ACLs for every folder or
file
> > to get at least the same access rights as before?
> It's not recommended to use the DC as a file server. Put your data on a
> member server. If you currently have all data on your PDC, you could
> configure this machine as a member server after you did the
> classicupgrade (on a different host). The AD DC, doesn't have to be a
> very powerful machine, if you don't have thousands of users flooding
you
> with authentication. :-)
Sorry! Bad description from my side. The DC is an separate machine even im my 
test environment and I'm going to configure the "old" server as a
member
server as file server.
> You can use Posix ACLs, like ever in the past.
>
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_POSIX_
> ACLs
> 
> Where do you have your IDs stored atm? In openLDAP? Then it's easy. If
> you do the classicupgrade, the process moves the IDs to AD. You can
> configure your member servers to use RFC2307 idmap backend. Then all
> files are owned by the same users/groups.
Thanks for the hint. I read about this.
> 
> > The second question is, if it is possible to export the same file
> > system/folders as an NFS4 export and a Samba4 share or if there are
> > problems concering the ACLs?
> Sorry. Never tried this. But surely someone else can answer that. :-)
> 
No problem!
> 
> Regards,
> Marc
-- 
Viele Gr??e
Andreas Hauffe