On Tue, 29 Nov 2016 19:26:30 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org>
wrote:
> On 2016-11-29 at 19:12, Andrew Bartlett wrote:
>
> > I'll let you choose the way forward for your site, but if you can
> > just re-create what fails to convert because it is just a service
> > account, that seems quite reasonable.
> >
> > In the days of passdb on the NT4-like domain controller, there
> > wasn't and still isn't any kind of fsck for the database. That
> > means that all manner of incorrect, odd or unexpected combinations
> > of entries can persist, without warning or notice. Duplicate SIDs,
> > which is not an issue you have faced thankfully, are quite common
> > it seems.
> >
> > I suspect Rowland jumped on the rid < 1000 suggestion quite
> > reasonably because we have seen that too, but usually just because
> > of confusion around the Administrator account. (Samba won't
> > normally create such sids).
> >
> > When users are transferred to Samba's AD DC, they get put into a
> > quite strict database. The reason why we strictly suggest
> > migration on an isolated test network is that this almost never
> > goes smoothly, and manual intervention is almost always required.
> >
> > I wish you all the best with your migration.
>
> Thanks a lot for your wishes and the explanations.
>
> Is there any good list of what to check in the test network before
> deciding to go productive?
>
> I would think of:
>
> * try to logon to a member-PC with an old domain-user
> * create new user, try logon
> * try to add a new member pc ... then logins ...
> * test login-scripts
>
> Any killer-test to get a really good feeling ? ;-)
>
> For the real switch: turn off all PCs, turn down old samba-config,
> switch on ADS-PDC, join file server, switch on test PC ... ?
>
> -
>
> One reason for me keeping this NT4-based for so long is the fact that
> I now need an additional machine for the PDC: you samba-guys
> recommend to run the PDC separated from the file server.
You can use the DC as a fileserver; it is only for minor technical
reasons that it isn't recommended, amongst which is that you have to use
Windows ACLs.
> So I have to
> deal with that without having to buy new hardware (the customer
> stopped understanding all the work around swapping server-hardware
> weeks ago). We talk small office here: ~25-30 PCs.
Your DC should be able to easily deal with that number of PCs (provided
it is a reasonable spec and not out of the ark ;-)
Rowland
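A pre-migration sanity check for the classic passdb that Andrew notes has no fsck, as an added example that is not part of this thread or Samba's own code; it assumes the `Key:   value` layout of `pdbedit -L -v` output and runs over a constructed sample, flagging the duplicate SIDs and non-well-known RIDs below 1000 mentioned above.

```python
# Added example (not Samba code): scan a classic passdb listing for the
# problems Andrew describes before attempting the AD DC migration.
import re
from collections import Counter

# Constructed sample resembling `pdbedit -L -v` output; not real data.
# Field names assumed from the "Key:   value" layout of that command.
SAMPLE = """\
---------------
Unix username:        alice
User SID:             S-1-5-21-111-222-333-1001
Primary Group SID:    S-1-5-21-111-222-333-513
---------------
Unix username:        backupsvc
User SID:             S-1-5-21-111-222-333-1001
Primary Group SID:    S-1-5-21-111-222-333-513
---------------
Unix username:        root
User SID:             S-1-5-21-111-222-333-500
Primary Group SID:    S-1-5-21-111-222-333-512
---------------
Unix username:        legacyapp
User SID:             S-1-5-21-111-222-333-999
Primary Group SID:    S-1-5-21-111-222-333-513
"""

# Well-known RIDs that legitimately sit below 1000 (Administrator, Guest,
# KRBTGT and the built-in domain groups); anything else below 1000 is odd.
WELL_KNOWN_RIDS = {500, 501, 502, 512, 513, 514, 515, 516, 517, 518, 519, 520}

def parse_pdbedit(text):
    """Return a list of (username, user_sid) pairs from the verbose listing."""
    entries = []
    for block in text.split("---------------"):
        fields = dict(re.findall(r"^(.+?):\s+(\S.*)$", block, re.M))
        if "Unix username" in fields and "User SID" in fields:
            entries.append((fields["Unix username"], fields["User SID"]))
    return entries

def check_passdb(entries):
    """Report SIDs shared by several accounts and suspicious low RIDs."""
    sid_count = Counter(sid for _, sid in entries)
    duplicates = {sid: [u for u, s in entries if s == sid]
                  for sid, n in sid_count.items() if n > 1}
    low_rids = [(u, s) for u, s in entries
                if int(s.rsplit("-", 1)[1]) < 1000
                and int(s.rsplit("-", 1)[1]) not in WELL_KNOWN_RIDS]
    return {"duplicate_sids": duplicates, "low_rids": low_rids}

if __name__ == "__main__":
    for key, val in check_passdb(parse_pdbedit(SAMPLE)).items():
        print(key, val)
```

Accounts it flags are the ones to re-create by hand (as Andrew suggests for service accounts) on the test network before the real switch.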