Hi,

I've been doing some research and testing into implementing SAMBA 4 as an AD/DC role for offering "AD as a service" to various small companies. I've been testing SAMBA out in various different configurations and wondering if SAMBA in AD/DC role if it's possible to segment in such a way

some requirements:
- Windows 10 support, e.g. SMB3
- AD tree segmentation so that one customer doesn't see another customer's AD tree (users, computers, shares, etc.)
- Single or multi domain (however I understand multi trust domains isn't supported yet)

some ideas:
- separate SAMBA instance for each customer,
- use docker to host each SAMBA instance
- single SAMBA instance running some splittree/forest

Anyone attempt something before?

Thanks in advance,
Grealish
On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
> Hi,
> I've been doing some research and testing into implementing SAMBA 4 as a
> AD/DC role for offering "AD as a service" to various small companies, I've
> been testing SAMBA out in various different configurations and wondering if
> SAMBA in AD/DC role if it's possible to segment in such a way
>
> some requirements:
> - Windows 10 support, e.g SMB3
> - AD tree segmentation so that one customer doesn't see a another customer
> AD tree, (users, computer, shares, etc..)
> - Single or multi domain (however I understand multi trust domains isn't
> supported yet)
>
> some ideas:
> - separate SAMBA instance for each customer,
> - use docker to host each SAMBA instance
> - single SAMBA instance running some splittree/forest
>
> Anyone attempt something before?

Containerizations/VM's are the way to go here.
Thanks Jeremy,

Has anyone done this before with automating the administration of multiple SAMBA ADs? I'm thinking AD itself possibly has some feature there to help.

On 18 April 2016 at 18:18, Jeremy Allison <jra at samba.org> wrote:
> On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
> > Hi,
> > I've been doing some research and testing into implementing SAMBA 4 as a
> > AD/DC role for offering "AD as a service" to various small companies, I've
> > been testing SAMBA out in various different configurations and wondering if
> > SAMBA in AD/DC role if it's possible to segment in such a way
> >
> > some requirements:
> > - Windows 10 support, e.g SMB3
> > - AD tree segmentation so that one customer doesn't see a another customer
> > AD tree, (users, computer, shares, etc..)
> > - Single or multi domain (however I understand multi trust domains isn't
> > supported yet)
> >
> > some ideas:
> > - separate SAMBA instance for each customer,
> > - use docker to host each SAMBA instance
> > - single SAMBA instance running some splittree/forest
> >
> > Anyone attempt something before?
>
> Containerizations/VM's are the way to go here.
Andrew Bartlett
2016-Apr-30 08:17 UTC
[Samba] Multi tenancy and/or Hosted AD like solution
On Mon, 2016-04-18 at 09:18 -0700, Jeremy Allison wrote:
> On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
> > Hi,
> > I've been doing some research and testing into implementing SAMBA 4 as a
> > AD/DC role for offering "AD as a service" to various small companies, I've
> > been testing SAMBA out in various different configurations and wondering if
> > SAMBA in AD/DC role if it's possible to segment in such a way
> >
> > some requirements:
> > - Windows 10 support, e.g SMB3
> > - AD tree segmentation so that one customer doesn't see a another customer
> > AD tree, (users, computer, shares, etc..)
> > - Single or multi domain (however I understand multi trust domains isn't
> > supported yet)
> >
> > some ideas:
> > - separate SAMBA instance for each customer,
> > - use docker to host each SAMBA instance
> > - single SAMBA instance running some splittree/forest
> >
> > Anyone attempt something before?
>
> Containerizations/VM's are the way to go here.

I agree.

If you go into this seriously, then some patches I did for our DNS code a while back (but didn't integrate) would allow us to know that our public IP isn't the local interface IP (e.g., support docker).

If handled well, then docker could work well as the Samba binary could be shared, but the databases would remain private to each instance. We map pretty well into the 'state volume, stateless OS' model if you get the paths right.

I'm always excited by 'samba as a service' opportunities and I encourage you in your endeavours. Please share your experiences and if possible any scripts/dockerfiles you make. It would be lovely if we could have a standard way to do this.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
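
A sketch of the layout discussed in this thread (one shared image, private state per customer), added here as an example; it is not code posted by anyone in the thread or shipped by the Samba project. The image name, the host state root, the tenant ids and the in-container paths are assumptions.

```shell
#!/bin/sh
# Added example. ASSUMPTIONS: image name, host state root and in-container
# paths are hypothetical; adjust the paths to how your image builds Samba.
LC_ALL=C; export LC_ALL
IMAGE="example/samba-ad-dc:latest"   # hypothetical image shared by all tenants
STATE_ROOT="/srv/samba-tenants"      # hypothetical host root for tenant state

# Tenant ids become directory, container and network names. Allow only
# [a-z0-9-], no leading hyphen, so an id like "../other" cannot point one
# tenant's volume at another tenant's databases.
valid_tenant() {
    case "$1" in
        ''|-*|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the docker command for one tenant: read-only root filesystem
# ("stateless OS") with private per-tenant mounts ("state volume").
# The network tenant-<id> must already exist (docker network create).
tenant_run_cmd() {
    valid_tenant "$1" || { echo "invalid tenant id: $1" >&2; return 1; }
    d="$STATE_ROOT/$1"
    printf 'docker run -d --name samba-%s --network tenant-%s' "$1" "$1"
    printf ' --read-only --tmpfs /run --tmpfs /tmp'
    printf ' -v %s/etc:/etc/samba -v %s/lib:/var/lib/samba' "$d" "$d"
    printf ' -v %s/log:/var/log/samba %s\n' "$d" "$IMAGE"
}

# Refuse a tenant list in which two entries would share one state directory.
check_isolation() {
    seen=""
    for t in "$@"; do
        valid_tenant "$t" || { echo "invalid tenant id: $t" >&2; return 1; }
        case " $seen " in
            *" $t "*) echo "duplicate tenant: $t" >&2; return 1 ;;
        esac
        seen="$seen $t"
    done
}

# Constructed sample tenants.
if check_isolation acme globex; then
    for t in acme globex; do tenant_run_cmd "$t"; done
fi
```

The script only prints the commands, so the mounts can be reviewed before anything is started.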