Andrew Bartlett
2016-Apr-30 08:17 UTC
[Samba] Multi tenancy and/or Hosted AD like solution
On Mon, 2016-04-18 at 09:18 -0700, Jeremy Allison wrote:
> On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
> > Hi,
> > I've been doing some research and testing into implementing SAMBA 4 as an
> > AD/DC role for offering "AD as a service" to various small companies, I've
> > been testing SAMBA out in various different configurations and wondering if
> > SAMBA in AD/DC role if it's possible to segment in such a way
> >
> > some requirements:
> > - Windows 10 support, e.g. SMB3
> > - AD tree segmentation so that one customer doesn't see another customer
> >   AD tree, (users, computer, shares, etc.)
> > - Single or multi domain (however I understand multi trust domains isn't
> >   supported yet)
> >
> > some ideas:
> > - separate SAMBA instance for each customer,
> > - use docker to host each SAMBA instance
> > - single SAMBA instance running some splittree/forest
> >
> > Anyone attempt something before?
>
> Containerizations/VM's are the way to go here.

I agree. If you go into this seriously, then some patches I did for our DNS code a while back (but didn't integrate) would allow us to know that our public IP isn't the local interface IP (eg, support docker).

If handled well, then docker could work well as the Samba binary could be shared, but the databases would remain private to each instance. We map pretty well into the 'state volume, stateless OS' model if you get the paths right.

I'm always excited by 'samba as a service' opportunities and I encourage you in your endeavours. Please share your experiences and if possible any scripts/dockerfiles you make. It would be lovely if we could have a standard way to do this.

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba

Thanks Andrew,

I've a few ideas on the go with a client atm, will need to scrap out some of the data before sharing, But like you said stateless-ness is the way I'm trying to go here. We have a central backend that we hope can build/re-provision samba in a container on a per tenant basis.

However migrating and updating SAMBA binary with a "state volume" is something still an unknown, as from what I understand SAMBA will have to run over the data files to update them to a newer version in some way.

Could you point me to your patches in SAMBA?

On 30 April 2016 at 10:17, Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2016-04-18 at 09:18 -0700, Jeremy Allison wrote:
> > On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
> > > Hi,
> > > I've been doing some research and testing into implementing SAMBA 4 as an
> > > AD/DC role for offering "AD as a service" to various small companies, I've
> > > been testing SAMBA out in various different configurations and wondering if
> > > SAMBA in AD/DC role if it's possible to segment in such a way
> > >
> > > some requirements:
> > > - Windows 10 support, e.g. SMB3
> > > - AD tree segmentation so that one customer doesn't see another customer
> > >   AD tree, (users, computer, shares, etc.)
> > > - Single or multi domain (however I understand multi trust domains isn't
> > >   supported yet)
> > >
> > > some ideas:
> > > - separate SAMBA instance for each customer,
> > > - use docker to host each SAMBA instance
> > > - single SAMBA instance running some splittree/forest
> > >
> > > Anyone attempt something before?
> >
> > Containerizations/VM's are the way to go here.
>
> I agree. If you go into this seriously, then some patches I did for
> our DNS code a while back (but didn't integrate) would allow us to know
> that our public IP isn't the local interface IP (eg, support docker).
>
> If handled well, then docker could work well as the Samba binary could
> be shared, but the databases would remain private to each instance. We
> map pretty well into the 'state volume, stateless OS' model if you get
> the paths right.
>
> I'm always excited by 'samba as a service' opportunities and I
> encourage you in your endeavours. Please share your experiences and if
> possible any scripts/dockerfiles you make. It would be lovely if we
> could have a standard way to do this.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                           http://samba.org/~abartlet/
> Authentication Developer, Samba Team      http://samba.org
> Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba

Andrew Bartlett
2016-May-04 08:32 UTC
[Samba] Multi tenancy and/or Hosted AD like solution
On Wed, 2016-05-04 at 09:28 +0200, D Grealish wrote:
> Thanks Andrew,
>
> I've a few ideas on the go with a client atm, will need to scrap out
> some of the data before sharing, But like you said stateless-ness is
> the way I'm trying to go here. We have a central backend that we hope
> can build/re-provision samba in a container on a per tenant basis.

Good.

> However migrating and updating SAMBA binary with a "state volume" is
> something still an unknown, as from what I understand SAMBA will have
> to run over the data files to update them to a newer version in some
> way.

Just running dbcheck will be enough, and it doesn't need to know what the old version was, it just fixes things. This may be more complex if we upgrade the DB format properly, but we haven't done that so far.

> Could you point me to your patches in SAMBA?

I'll see what I can dig up.

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba
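
The model discussed in the messages above (one shared Samba binary, private databases per tenant on a state volume, dbcheck after swapping the binary), as an added example that is not from any poster in the thread. The image name, host directory layout, in-container paths and per-tenant network names are assumptions; the script only prints the plan.

```shell
#!/bin/sh
# Added example: per-tenant Samba AD DC containers, one shared image, private state.
# Assumptions (not from the thread): the image name, the /srv/samba-tenants layout,
# the in-container paths /etc/samba and /var/lib/samba, and the network names.
LC_ALL=C; export LC_ALL                      # make [a-z] a plain byte range
STATE_ROOT="${STATE_ROOT:-/srv/samba-tenants}"
IMAGE="${IMAGE:-example/samba-ad-dc:new}"    # hypothetical image tag

# Accept only short lowercase ids, so a tenant name can never escape STATE_ROOT
# (for example "../other-tenant") or be parsed as a docker option.
valid_tenant() {
    case "$1" in
        ""|-*|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Volume arguments: each tenant sees only its own smb.conf and databases.
tenant_volumes() {
    valid_tenant "$1" || return 1
    printf '%s' "-v $STATE_ROOT/$1/etc:/etc/samba -v $STATE_ROOT/$1/lib:/var/lib/samba"
}

# One-shot dbcheck with the new binary against the tenant's existing databases.
dbcheck_cmd() {
    vols=$(tenant_volumes "$1") || return 1
    echo "docker run --rm $vols $IMAGE samba-tool dbcheck --cross-ncs --fix --yes"
}

# Long-running DC on a per-tenant network (assumed to exist already).
run_cmd() {
    vols=$(tenant_volumes "$1") || return 1
    echo "docker run -d --name samba-$1 --network tenant-$1 $vols $IMAGE samba -i"
}

# Print the upgrade plan for one tenant: stop, repair databases, restart.
upgrade_plan() {
    valid_tenant "$1" || { echo "rejected tenant id: $1" >&2; return 1; }
    echo "docker stop samba-$1"
    echo "docker rm samba-$1"
    dbcheck_cmd "$1"
    run_cmd "$1"
}

# Constructed tenant ids; the last one is a deliberate path traversal attempt.
for t in acme globex ../acme; do
    upgrade_plan "$t" || true
done
```

Because the container is replaced and only the two mounted directories persist, the tenant's state survives the binary swap and no tenant's volume is ever mounted into another tenant's container.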
David STIEVENARD
2016-May-05 23:13 UTC
[Samba] Multi tenancy and/or Hosted AD like solution
Hi,

an idea for your needs: you could give a try to FreeBSD jails to separate Samba instances.

the doc about in FreeBSD handbook
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html

a thread on this topic
https://forums.freebsd.org/threads/54633/

Hope it can be useful.

On 05/04/2016 03:28 PM, D Grealish wrote:
> Thanks Andrew,
>
> I've a few ideas on the go with a client atm, will need to scrap out some
> of the data before sharing, But like you said stateless-ness is the way I'm
> trying to go here. We have a central backend that we hope can
> build/re-provision samba in a container on a per tenant basis.
>
> However migrating and updating SAMBA binary with a "state volume" is
> something still an unknown, as from what I understand SAMBA will have to
> run over the data files to update them to a newer version in some way.
>
> Could you point me to your patches in SAMBA?
>
> On 30 April 2016 at 10:17, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Mon, 2016-04-18 at 09:18 -0700, Jeremy Allison wrote:
>>> On Mon, Apr 18, 2016 at 03:39:02PM +0200, D Grealish wrote:
>>>> Hi,
>>>> I've been doing some research and testing into implementing SAMBA 4 as an
>>>> AD/DC role for offering "AD as a service" to various small companies, I've
>>>> been testing SAMBA out in various different configurations and wondering if
>>>> SAMBA in AD/DC role if it's possible to segment in such a way
>>>>
>>>> some requirements:
>>>> - Windows 10 support, e.g. SMB3
>>>> - AD tree segmentation so that one customer doesn't see another customer
>>>>   AD tree, (users, computer, shares, etc.)
>>>> - Single or multi domain (however I understand multi trust domains isn't
>>>>   supported yet)
>>>>
>>>> some ideas:
>>>> - separate SAMBA instance for each customer,
>>>> - use docker to host each SAMBA instance
>>>> - single SAMBA instance running some splittree/forest
>>>>
>>>> Anyone attempt something before?
>>> Containerizations/VM's are the way to go here.
>> I agree. If you go into this seriously, then some patches I did for
>> our DNS code a while back (but didn't integrate) would allow us to know
>> that our public IP isn't the local interface IP (eg, support docker).
>>
>> If handled well, then docker could work well as the Samba binary could
>> be shared, but the databases would remain private to each instance. We
>> map pretty well into the 'state volume, stateless OS' model if you get
>> the paths right.
>>
>> I'm always excited by 'samba as a service' opportunities and I
>> encourage you in your endeavours. Please share your experiences and if
>> possible any scripts/dockerfiles you make. It would be lovely if we
>> could have a standard way to do this.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                           http://samba.org/~abartlet/
>> Authentication Developer, Samba Team      http://samba.org
>> Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba