vincent at cojot.name
2018-Mar-28 21:38 UTC
[Samba] The 'not-always-on' infrastructure at home and Samba4 AD DC's..
Hi everyone,

Apologies in advance, this will be a bit long but I'm hoping to get some guidance and hints on usual practices for using Samba4 AD DC as an IdM for W10 laptops that might be on the road elsewhere.

As much as I have been using Samba for file serving, a Samba AD DC is something new to me.

I built a small Samba AD DC infrastructure to serve UIDs and passwords (4 VMs on 4 KVM hosts). My problem is that not all Samba DCs will always be turned on. Out of the 4 KVM hosts, 1 or 2 are going to be turned off quite often (especially in the summer), another one is going to be up half of the time on average, while the first server will most likely average 95% uptime.

The key metric here is that at least -one- hypervisor/router will -always- be available at any given time and this will be sufficient to provide all needed services. Also there isn't any type of shared storage (only replicated storage when two nodes with a replication schedule happen to be on at the same time).

This strange setup has been serving a family of 5 for the past 10 years, providing DNS, NFS, SMB, Squid+UfdbGuard, NAT, IDS, filtering, etc.

Most of the family laptops now run W10 (Microsoft Office at school is still a hard requirement in some places) while most other boxes use Fedora, with the infra servers running RHEL7.

Wanting to provide centralized password management to the teenagers and not feeling like managing local user accounts on their Windows laptops, I opted for Samba as an AD DC. To this effect, I built 4 RHEL7 VMs (one per physical server because I have no shared storage). I used Wing's 4.6.14 rpms (http://wing-repo.net/wing) because RHEL7's samba doesn't do AD DC yet.

So I find myself with the following setup:

- KVM Host #0 -> VM guest DC0 (expected uptime: around 95%)
- KVM Host #1 -> VM guest DC1 (expected uptime: around 90%)
- KVM Host #2 -> VM guest DC2 (expected uptime: around 25-50%)
- KVM Host #3 -> VM guest DC3 (expected uptime: around 10-25%)

I set up the 4 VMs (DC0, DC1, DC2, DC3) in an AD just fine and was able to verify proper configuration/replication (Win10 connectivity, drs showrepl, RSAT access and usability).

- Is the 4*DC setup a good or a bad idea in that use-case? I decided against a 2*DC setup because there may be times both DC0 and DC1 might be turned off at the same time.

- Aside from some TCP timeouts caused by the unavailability of some of the IPs (the AD A DNS record will always show 4 IPs, regardless of which servers are turned off), what other issues could happen on the laptops?

- Is there a hard limit on the number of days that those W10 laptops can go without being connected to any of the Samba DCs (think remote summer job) and keep using cached credentials? (Or is it just like with an ordinary AD?)

Any do's and don'ts would be much appreciated. Thanks in advance.

Regards,

Vincent
Vinicius Bones Silva
2018-Mar-28 22:18 UTC
[Samba] The 'not-always-on' infrastructure at home and Samba4 AD DC's..
Cached credentials never expire, so it should be OK to go several weeks without talking to your DCs. Passwords may expire if you use a password policy (the default is not to, IIRC). Take a look at https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_Roles and https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles to check a few issues you might run into.

Regards,
Vinicius

On 28/03/2018 18:38, Vincent S. Cojot via samba wrote:
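A check that follows from the FSMO pointers in the reply above, added here as an example and not code from the thread or from the Samba project: it parses `samba-tool fsmo show` output and flags any role held by a DC that is expected to be off most of the time, then lists the `samba-tool fsmo transfer` commands to run on the always-on DC. The uptime table is Vincent's own figures; the 90% threshold, the `DC=home,DC=example` domain and the sample output are constructed assumptions.

```python
import re

# Expected uptime per DC, from the original post (midpoints of the stated ranges).
EXPECTED_UPTIME = {"DC0": 0.95, "DC1": 0.90, "DC2": 0.375, "DC3": 0.175}
MIN_ROLE_HOLDER_UPTIME = 0.90  # assumed threshold for a role holder; not from the thread

# Role name as printed by `samba-tool fsmo show` -> value for `samba-tool fsmo transfer --role=`.
ROLE_FLAG = {
    "SchemaMasterRole": "schema",
    "InfrastructureMasterRole": "infrastructure",
    "RidAllocationMasterRole": "rid",
    "PdcEmulationMasterRole": "pdc",
    "DomainNamingMasterRole": "naming",
    "DomainDnsZonesMasterRole": "domaindns",
    "ForestDnsZonesMasterRole": "forestdns",
}

# Constructed sample output (made-up domain) with two roles sitting on rarely-on DCs.
SAMPLE_FSMO_SHOW = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=example
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=example
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=example
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=example
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=example
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=example
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=example
"""

# The owner DN is the NTDS Settings object under the DC's server object; capture the DC name.
OWNER_RE = re.compile(r"^(\w+Role) owner: CN=NTDS Settings,CN=([^,]+),")

def parse_fsmo_show(text):
    """Map each FSMO role name to the DC that currently holds it."""
    owners = {}
    for line in text.splitlines():
        m = OWNER_RE.match(line.strip())
        if m:
            owners[m.group(1)] = m.group(2)
    return owners

def misplaced_roles(owners, uptime=EXPECTED_UPTIME, threshold=MIN_ROLE_HOLDER_UPTIME):
    """Roles held by a DC expected to be up less than `threshold` (unknown DCs count as 0)."""
    return {role: dc for role, dc in owners.items() if uptime.get(dc, 0.0) < threshold}

def transfer_commands(misplaced):
    """Commands to run on the DC that should take the roles (the always-on one, DC0 here)."""
    return [f"samba-tool fsmo transfer --role={ROLE_FLAG[role]}" for role in sorted(misplaced)]

if __name__ == "__main__":
    for cmd in transfer_commands(misplaced_roles(parse_fsmo_show(SAMPLE_FSMO_SHOW))):
        print(cmd)
```

On a real DC, pipe the live output in (`samba-tool fsmo show | python3 this_script.py`-style wiring is left to the reader) and run the printed commands on the DC that should own the roles.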