Hi list,

Since it is considered 'harmful' to run a domain controller that also acts as a fileserver, I was considering the option of putting the AD DC into a chroot. Is there any special configuration to perform (except bind interfaces) to avoid conflicts? (Are there any broadcasting issues or so?)

Regards
--
Sébastien Le Ray
On 2015-03-17 09:27, Sébastien Le Ray wrote:
> Hi list,
>
> Since it is considered 'harmful' to run a domain controller that also acts as a
> fileserver, I was considering the option of putting the AD DC into a
> chroot. Is there any special configuration to perform (except bind
> interfaces) to avoid conflicts? (Are there any broadcasting issues or so?)

chroot is not a security feature and is trivial to break out of, as the AD DC dæmon runs as root.

> Regards
> --
> Sébastien Le Ray

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
Hi,

The goal of the chroot is to split the two roles, not to provide any additional security.

Regards

On 17/03/2015 10:01, Sven Schwedas wrote:
> On 2015-03-17 09:27, Sébastien Le Ray wrote:
>> Hi list,
>>
>> Since it is considered 'harmful' to run a domain controller that also acts as a
>> fileserver, I was considering the option of putting the AD DC into a
>> chroot. Is there any special configuration to perform (except bind
>> interfaces) to avoid conflicts? (Are there any broadcasting issues or so?)
> chroot is not a security feature and is trivial to break out of, as the AD
> DC dæmon runs as root.
>
>> Regards
>> --
>> Sébastien Le Ray
>
>
On Tue, 2015-03-17 at 09:27 +0100, Sébastien Le Ray wrote:
> Hi list,
>
> Since it is considered 'harmful' to run a domain controller that also acts as a
> fileserver, I was considering the option of putting the AD DC into a
> chroot. Is there any special configuration to perform (except bind
> interfaces) to avoid conflicts? (Are there any broadcasting issues or so?)

It isn't really that harmful (the sysvol part is a perfectly well functioning file server), but you can't get redundancy for the file server part, while you could cluster that if it wasn't a DC, so we worked hard to try and suggest folks think about it. We also like to encourage the DC, given its central role, to be a bit more isolated. But on 'small business server replacement' networks, this isn't really that important.

Using Samba 4.2 (where we use winbindd) is recommended, and it is important to understand that the DC will force on the acl_xattr VFS module, and in doing so may interfere with setting other modules like btrfs.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
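The two practical points in this thread (pinning each Samba instance to its own addresses, and the DC forcing acl_xattr on) lend themselves to a quick config check. The following smb.conf linter is an added example written by the editor; it is not code from this thread or from the Samba project. It assumes, beyond what the thread states, that a DC is recognised by `server role = active directory domain controller`, that a DC share whose explicit `vfs objects` line omits acl_xattr is the conflict worth flagging, and that two instances sharing one host must not list the same address in `interfaces`. The sample configurations at the bottom are constructed for the example.

```python
# Added example (editor's own code, not from the thread or from Samba):
# a small smb.conf linter for running a DC and a separate file server on one host.
# Assumptions (not stated in the thread): DC detected via 'server role';
# a DC share setting 'vfs objects' without acl_xattr is flagged;
# two instances must not share an address in 'interfaces'.
import configparser
import io
from typing import List, Optional

DC_ROLE = "active directory domain controller"
TRUE_WORDS = {"yes", "true", "1", "on"}


def _norm_key(key: str) -> str:
    # smbd ignores case and whitespace in parameter names ("VFS Objects" == "vfsobjects").
    return "".join(key.lower().split())


def parse_smbconf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text. Indentation is stripped first because configparser
    would otherwise read indented lines as continuations of the previous value."""
    cp = configparser.ConfigParser(
        interpolation=None,      # smb.conf uses %U, %H, ...; do not interpolate
        strict=False,            # last duplicate wins, as in smbd
        delimiters=("=",),
        comment_prefixes=("#", ";"),
    )
    cp.optionxform = _norm_key
    cp.read_file(io.StringIO("\n".join(line.strip() for line in text.splitlines())))
    return cp


def _get(cp: configparser.ConfigParser, section: str, key: str,
         default: Optional[str] = None) -> Optional[str]:
    return cp.get(section, key, fallback=default)  # get() applies optionxform to key


def _truthy(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in TRUE_WORDS


def is_dc(cp: configparser.ConfigParser) -> bool:
    role = _get(cp, "global", "server role", "") or ""
    return " ".join(role.lower().split()) == DC_ROLE


def interfaces_of(cp: configparser.ConfigParser) -> List[str]:
    return (_get(cp, "global", "interfaces", "") or "").replace(",", " ").split()


def check_instance(text: str) -> List[str]:
    """Per-file check: on a DC, a share that sets 'vfs objects' itself must keep acl_xattr."""
    cp = parse_smbconf(text)
    findings: List[str] = []
    if not is_dc(cp):
        return findings
    for share in cp.sections():
        if share.lower() == "global":
            continue
        vfs = _get(cp, share, "vfs objects")
        if vfs is None:
            continue
        modules = vfs.replace(",", " ").split()
        if "acl_xattr" not in modules:
            findings.append(f"[{share}]: 'vfs objects = {vfs}' omits acl_xattr, which the DC "
                            f"forces on; list it explicitly and compare with 'testparm -s'")
    return findings


def check_pair(dc_text: str, fs_text: str) -> List[str]:
    """Cross-check a DC smb.conf and a separate file-server smb.conf meant to share one host."""
    findings = check_instance(dc_text) + check_instance(fs_text)
    dc_cp, fs_cp = parse_smbconf(dc_text), parse_smbconf(fs_text)
    for name, cp in (("dc", dc_cp), ("fileserver", fs_cp)):
        if not _truthy(_get(cp, "global", "bind interfaces only")):
            findings.append(f"{name}: needs 'bind interfaces only = yes' to bind only its own addresses")
        if not interfaces_of(cp):
            findings.append(f"{name}: 'interfaces' is empty, so it would bind every address on the host")
    shared = sorted(set(interfaces_of(dc_cp)) & set(interfaces_of(fs_cp)))
    if shared:
        findings.append(f"both instances list {shared}; two smbd processes cannot bind the same address and port")
    return findings


# Constructed sample configurations for the example (not real hosts).
DC_CONF = """[global]
    server role = active directory domain controller
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    interfaces = 192.0.2.10
    bind interfaces only = yes
[data]
    path = /srv/samba/data
    vfs objects = btrfs
"""
FS_CONF = """[global]
    server role = member server
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    interfaces = 192.0.2.10 192.0.2.11
[data]
    path = /srv/samba/data
    vfs objects = btrfs
"""
DC_CONF_FIXED = DC_CONF.replace("vfs objects = btrfs", "vfs objects = btrfs acl_xattr")
FS_CONF_FIXED = FS_CONF.replace("interfaces = 192.0.2.10 192.0.2.11",
                                "interfaces = 192.0.2.11\n    bind interfaces only = yes")

if __name__ == "__main__":
    for finding in check_pair(DC_CONF, FS_CONF):
        print("WARN:", finding)
    print("fixed pair:", check_pair(DC_CONF_FIXED, FS_CONF_FIXED) or "clean")
```

Run against the two constructed files, the checker reports the shared address, the file server's missing `bind interfaces only`, and the DC share whose `vfs objects = btrfs` drops acl_xattr; the "fixed" pair passes. Whether listing acl_xattr next to btrfs is the right stacking for a given share is something to confirm against `testparm -s` on the actual DC, since the thread only says the two may interfere.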
On 12/04/2015 13:00, Andrew Bartlett wrote:
> It isn't really that harmful (the sysvol part is a perfectly well
> functioning file server), but you can't get redundancy for the file
> server part, while you could cluster that if it wasn't a DC, so we
> worked hard to try and suggest folks think about it. We also like to
> encourage the DC, given its central role, to be a bit more isolated.
> But on 'small business server replacement' networks, this isn't really
> that important.
>
> Using Samba 4.2 (where we use winbindd) is recommended, and it is
> important to understand that the DC will force on the acl_xattr VFS
> module, and in doing so may interfere with setting other modules like
> btrfs.
>
> Andrew Bartlett
>

Hi

Thanks a lot for this detailed explanation. I guess I'll try again with a mixed DC/fileserver then. IIRC the main issue was with the homedir not being pulled from AD, but since we flattened the layout I guess I could be fine with templates.

Regards