samba - May 2016 - Multi tenancy and/or Hosted AD like solution

On Mon, 2016-04-18 at 09:18 -0700, Jeremy Allison wrote:
> On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
> > Hi,
> > I've been doing some research and testing into implementing SAMBA
4
> > as a
> > AD/DC role for offering "AD as a service" to various small
> > companies, I've
> > been testing SAMBA out in various different configurations and
> > wondering if
> > SAMBA in AD/DC role if it's possible to segment in such a way
> > 
> > some requirements:
> >  - Windows 10 support, e.g SMB3
> >  - AD tree segmentation so that one customer doesn't see a another
> > customer
> > AD tree, (users, computer, shares, etc..)
> >  - Single or multi domain (however I understand multi trust domains
> > isn't
> > supported yet)
> > 
> > some ideas:
> > - separate SAMBA instance for each customer,
> > - use docker to host each SAMBA instance
> > - single SAMBA instance running some splittree/forest
> > 
> > Anyone attempt something before?
> 
> Containerizations/VM's are the way to go here.
I agree.  If you go into this seriously, then some patches I did for
our DNS code a while back (bug didn't integrate) would allow us to know
that our public IP isn't the local interface IP (eg, support docker).

If handled well, then docker could work well as the Samba binary could
be shared, but the databases would remain private to each instance.  We
map pretty well into the 'state volume, stateless OS' model if you get
the paths right. 

I'm always excited by 'samba as a service' opportunities and I
encourage you in your endeavours.  Please share your experiences and if
possible any scripts/dockerfiles you make.  It would be lovely if we
could have a standard way to do this.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Thanks Andrew,

I've a few ideas on the go with a client atm, will need to scrap out some
of the data before sharing, But like you said stateless-ness is the way i'm
trying to go here. We have a central backend that we hope can
build/re-provision samba in a container on a per tenant bases.

However migrating and updating SAMBA binary with a "state volume" is
something still an unknown, as from what I understand SAMBA will have to
run over the data files to update them to a newer version in some way.

Could you point me to your patches in SAMBA?

On 30 April 2016 at 10:17, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2016-04-18 at 09:18 -0700, Jeremy Allison wrote:
> > On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
> > > Hi,
> > > I've been doing some research and testing into implementing
SAMBA 4
> > > as a
> > > AD/DC role for offering "AD as a service" to various
small
> > > companies, I've
> > > been testing SAMBA out in various different configurations and
> > > wondering if
> > > SAMBA in AD/DC role if it's possible to segment in such a way
> > >
> > > some requirements:
> > >  - Windows 10 support, e.g SMB3
> > >  - AD tree segmentation so that one customer doesn't see a
another
> > > customer
> > > AD tree, (users, computer, shares, etc..)
> > >  - Single or multi domain (however I understand multi trust
domains
> > > isn't
> > > supported yet)
> > >
> > > some ideas:
> > > - separate SAMBA instance for each customer,
> > > - use docker to host each SAMBA instance
> > > - single SAMBA instance running some splittree/forest
> > >
> > > Anyone attempt something before?
> >
> > Containerizations/VM's are the way to go here.
>
> I agree.  If you go into this seriously, then some patches I did for
> our DNS code a while back (bug didn't integrate) would allow us to know
> that our public IP isn't the local interface IP (eg, support docker).
>
> If handled well, then docker could work well as the Samba binary could
> be shared, but the databases would remain private to each instance.  We
> map pretty well into the 'state volume, stateless OS' model if you
get
> the paths right.
>
> I'm always excited by 'samba as a service' opportunities and I
> encourage you in your endeavours.  Please share your experiences and if
> possible any scripts/dockerfiles you make.  It would be lovely if we
> could have a standard way to do this.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
>

On Wed, 2016-05-04 at 09:28 +0200, D Grealish wrote:
> Thanks Andrew,
> 
> I've a few ideas on the go with a client atm, will need to scrap out
> some of the data before sharing, But like you said stateless-ness is
> the way i'm trying to go here. We have a central backend that we hope
> can build/re-provision samba in a container on a per tenant bases.
Good.
> However migrating and updating SAMBA binary with a "state volume"
is
> something still an unknown, as from what I understand SAMBA will have
> to run over the data files to update them to a newer version in some
> way.
Just running dbcheck will be enough, and it doesn't need to know what
the old version was, it just fixes things.  This may be more complex if
we upgrade the DB format properly, but we haven't done that so far.
> Could you point me to your patches in SAMBA?
I'll see what I can dig up.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hi

an idea for your needs : you could give a try to freebsd jails to 
separate samba instances.

the doc about in freebsd handbook
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html

a thread on this topic
https://forums.freebsd.org/threads/54633/

Hope it can be usefull.


On 05/04/2016 03:28 PM, D Grealish wrote:
> Thanks Andrew,
>
> I've a few ideas on the go with a client atm, will need to scrap out
some
> of the data before sharing, But like you said stateless-ness is the way
i'm
> trying to go here. We have a central backend that we hope can
> build/re-provision samba in a container on a per tenant bases.
>
> However migrating and updating SAMBA binary with a "state volume"
is
> something still an unknown, as from what I understand SAMBA will have to
> run over the data files to update them to a newer version in some way.
>
> Could you point me to your patches in SAMBA?
>
> On 30 April 2016 at 10:17, Andrew Bartlett <abartlet at samba.org>
wrote:
>
>> On Mon, 2016-04-18 at 09:18 -0700, Jeremy Allison wrote:
>>> On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
>>>> Hi,
>>>> I've been doing some research and testing into implementing
SAMBA 4
>>>> as a
>>>> AD/DC role for offering "AD as a service" to various
small
>>>> companies, I've
>>>> been testing SAMBA out in various different configurations and
>>>> wondering if
>>>> SAMBA in AD/DC role if it's possible to segment in such a
way
>>>>
>>>> some requirements:
>>>>   - Windows 10 support, e.g SMB3
>>>>   - AD tree segmentation so that one customer doesn't see a
another
>>>> customer
>>>> AD tree, (users, computer, shares, etc..)
>>>>   - Single or multi domain (however I understand multi trust
domains
>>>> isn't
>>>> supported yet)
>>>>
>>>> some ideas:
>>>> - separate SAMBA instance for each customer,
>>>> - use docker to host each SAMBA instance
>>>> - single SAMBA instance running some splittree/forest
>>>>
>>>> Anyone attempt something before?
>>> Containerizations/VM's are the way to go here.
>> I agree.  If you go into this seriously, then some patches I did for
>> our DNS code a while back (bug didn't integrate) would allow us to
know
>> that our public IP isn't the local interface IP (eg, support
docker).
>>
>> If handled well, then docker could work well as the Samba binary could
>> be shared, but the databases would remain private to each instance.  We
>> map pretty well into the 'state volume, stateless OS' model if
you get
>> the paths right.
>>
>> I'm always excited by 'samba as a service' opportunities
and I
>> encourage you in your endeavours.  Please share your experiences and if
>> possible any scripts/dockerfiles you make.  It would be lovely if we
>> could have a standard way to do this.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
>>
>>
>>
>>