Prunk Dump
2018-Jan-17 14:08 UTC
[Samba] Optimizing Samba servers roles in multi server network
Hi Samba Team!

I have only three servers to administer my 280 Windows and my 170 Linux clients. As this is a high school network, the stations are used by a wide number of persons and this generates a high network traffic. So I need to share the load between my servers to optimize their performance.

Currently I have decided to split all the services:

-> My three servers are AD DC
-> Each of them runs a KDC
-> Each of them exports Sysvol
-> Each of them runs a Bind9 nameserver
-> I separated my users' homes on the three DCs with DFS
-> I separated my users' profiles on the three DCs, taking care not to put home and profile on the same DC
-> + many other services (like puppet, apt-cacher ...)

So I divided all the roles by three. But someone here recalled to me that I should not export Samba shares on DCs other than Sysvol.

On the Samba wiki, I can read that there is some limitation about using a DC as a file server, as the auto-enabled acl_xattr forces me to use Windows access control lists. However, there is a compatibility layer enabled by:

acl_xattr:ignore system acls = no

So even if I export my file system by NFS, I never found limitations about using acl_xattr. The ACL compatibility layer is very good.

My question is, is there another reason not to use an AD DC as a file server? Is there a performance issue? Do you think that it is better to have just one AD DC (so just one KDC) and two member servers exporting the home and profile shares?

Thanks!
Andreas Heinlein
2018-Jan-17 18:55 UTC
[Samba] Optimizing Samba servers roles in multi server network
On 17.01.2018 at 15:08, Prunk Dump via samba wrote:
> -> + many other services (like puppet, apt-cacher ...)
> My question is, is there another reason not to use an AD DC as a file server? Is there a performance issue?

This has already been discussed on this list recently.

First there is security - any other service running on the DC could make it vulnerable to attack. You say this is a high school network - I'd say you should expect that any exploit that can be found on the Internet will probably be tried out against your servers. Especially if there is valuable data on them. "Valuable" could also mean, say, solutions for any upcoming tests and exams and the like.

Then there is the performance issue - because of these security reasons, any traffic to/from DCs is usually required to be cryptographically signed. This also means "normal" file sharing if you use your DC as a file server. This will put quite a load on your server, especially if it doesn't have hardware support for it. Traffic to non-DC file servers is usually not signed. You could turn signing off altogether, but I would strongly advise against it.

I also wouldn't stick with a single DC in such an environment - when it's gone, your network is effectively down. You would have to restore from backup, which will take time. Think about virtual machines; I'd run a small VM with a samba DC on every server. If your servers are too weak for full virtualization, LXC containers might be a solution.

Bye,
Andreas
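The two posts above boil down to a handful of checks against smb.conf: a DC should export nothing beyond sysvol and netlogon, SMB signing must not be switched off on a DC, and acl_xattr's POSIX ACL mapping (`acl_xattr:ignore system acls = no`) should stay on wherever non-SMB clients such as NFS also touch the files. The script below is an added example, not code from the thread or from the Samba project; the two smb.conf texts in it are constructed samples, the parser is a deliberately minimal reading of the smb.conf syntax (no `%U`-style macro expansion, no include handling), and the `server role` matching is a heuristic that only recognises `active directory domain controller` and its short form `dc`.

```python
"""Audit an smb.conf against the role split discussed in the thread:
keep AD DCs to sysvol/netlogon, serve homes and profiles from member
servers, never disable SMB signing on a DC, keep acl_xattr's POSIX
ACL mapping enabled. Added example; the configs below are constructed."""
import re

# Constructed sample: a DC that also exports user homes (the setup the
# original poster describes) with two settings the replies warn about.
DC_CONF = """
[global]
    workgroup = SCHOOL
    realm = AD.SCHOOL.EXAMPLE
    server role = active directory domain controller
    ; constructed weak setting, to be flagged by the audit
    server signing = disabled
[sysvol]
    path = /var/lib/samba/sysvol
    read only = no
[netlogon]
    path = /var/lib/samba/sysvol/ad.school.example/scripts
    read only = no
[homes]
    path = /srv/homes/%U
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
"""

# Constructed sample: a domain member that only serves files, with the
# POSIX ACL compatibility layer left on.
MEMBER_CONF = """
[global]
    workgroup = SCHOOL
    security = ADS
    server role = member server
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = no
[homes]
    path = /srv/homes/%U
    read only = no
[profiles]
    path = /srv/profiles
    read only = no
"""

# Shares a DC legitimately exports (per the thread: "other than Sysvol").
DC_ONLY_SHARES = {"sysvol", "netlogon"}


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}.
    Section and key names are lowercased; lines starting with ';' or '#'
    are comments; values are kept verbatim (no macro expansion)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip().lower()] = value.strip()
    return conf


def is_ad_dc(conf):
    """Heuristic role check on the [global] 'server role' value."""
    role = conf.get("global", {}).get("server role", "").lower()
    return role.startswith("active directory") or role == "dc"


def audit(conf):
    """Return a list of (section, finding) tuples for the settings the
    thread advises against. An empty list means nothing was flagged."""
    findings = []
    glob = conf.get("global", {})
    if is_ad_dc(conf):
        for share in conf:
            if share != "global" and share not in DC_ONLY_SHARES:
                findings.append((share, "file share exported from an AD DC; "
                                        "move it to a member server"))
        if glob.get("server signing", "default").lower() == "disabled":
            findings.append(("global", "SMB signing disabled on a DC"))
    for share, opts in conf.items():
        merged = {**glob, **opts}  # share-level options override [global]
        if ("acl_xattr" in merged.get("vfs objects", "")
                and merged.get("acl_xattr:ignore system acls", "no").lower() == "yes"):
            findings.append((share, "acl_xattr ignores POSIX ACLs; NFS and "
                                    "local access get no ACL mapping"))
    return findings


if __name__ == "__main__":
    for name, text in (("DC", DC_CONF), ("member", MEMBER_CONF)):
        print(f"== {name} ==")
        for section, finding in audit(parse_smb_conf(text)) or [("-", "no findings")]:
            print(f"[{section}] {finding}")
```

Running it flags the `[homes]` share and the disabled signing on the DC sample and reports nothing for the member server, which is the split Andreas recommends: DCs for authentication and sysvol only, member servers for homes and profiles.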