samba - Mar 2019 - Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs

On Tue, 26 Mar 2019 13:08:25 +0000
Stephen via samba <samba at lists.samba.org> wrote:
> Go on, I give in, what is wrong with the official Samba documentation?
> 
> Off the top of my head:
> 1) Your (ie Samba project) docs are structured a little poorly and 
> actually pretty hard to follow - eg a single article describes
> setting up Samba both with SAMBA_INTERNAL and BIND which is
> confusing. Two separate articles, one on each topic would be better!
The problem is that the Samba wiki is written from the perspective of
using a self-compiled version of Samba, not from the perspective of
this is how you use Samba on distro X.
Could you supply a link to the Samba dns page you refer to ?
> 
> 2) Despite being the official documentation its not free of errors,
> as I have just demonstrated. There were two missing essential steps
> in the tutorial to add a backup DC to a domain and this is a very
> fundamental Samba task. Its like the seconds step in setting up a
> basic Samba setup.
Whilst I cannot deny there are errors, I try to fix these errors asap,
but this relies on people give us feedback, something that we do not
really get.
> 
> 3) They lacks the clear straightforward step by step approach of 
> TechMint with screenshots and similar?
Not really a fan of screenshots, unless there is no other way of
displaying information.
> 
> 4) In practice this means that non-experts cannot / wont be able to
> use Samba, even for basic tasks as I am trying to do here. People
> less determined than me will give up,
> and I am basically dependent upon this (awesome, thanks everyone) 
> mailing list and its support.
Again, the wiki was written from the point of view of experts and not
necessarily understandable by 'non-experts'. This needs to be fixed,
but to do this, we need to know what is actually wrong.
> 
> 5) You need to get one person to write the docs. Another person
> should then separately *verify* the instructions that are given to
> avoid simple mistakes.
This not entirely true, one person could do this, make notes as they do
something and then do it again, just following their notes.
> 
> To be absolutely clear - I am trying to be constructive here and 
> genunely offer suggestions for improvement. The last thing I want to
> do is insult you and the other Samba devotees and your heroic efforts
> here on this list Rowland.
> At the same time quite a few of the the questions that are asked
> relate to pretty basic stuff that wouldn't arise were the official
> docs clearer IMHO.
I perfectly understand where you are coming from, I once described the
wiki as 'technically brilliant, but not very useful'.

One problem I see is, if the wiki is altered in the way that you sort
of suggest, which distro do you use ?
> 
> I know you are all volunteers, time is precious, but I think a little 
> bit more up front work on the docs would payoff in the long run and
> help reduce mailing list traffic significantly.
> 
Whilst I agree that altering the wiki will help, again it comes down to
how?

Rowland

On 26/03/2019 13:39, Rowland Penny via samba wrote
>> Go on, I give in, what is wrong with the official Samba documentation?
>>
>> Off the top of my head:
>> 1) Your (ie Samba project) docs are structured a little poorly and
>> actually pretty hard to follow - eg a single article describes
>> setting up Samba both with SAMBA_INTERNAL and BIND which is
>> confusing. Two separate articles, one on each topic would be better!
> The problem is that the Samba wiki is written from the perspective of
> using a self-compiled version of Samba, not from the perspective of
> this is how you use Samba on distro X.
This is a big problem with your docs though. I am really not sure that 
is the right assumption to make from the viewpoint of actually driving 
Samba adoption in 2019. Yes, docs describing building from source are in 
theory universal, and there is the ever present problem of Linux 
fragmentation. However in reality I reckon probably 1% of your users 
build Samba for themselves from source. Most busy SysAdmins will be 
using either Debian/Ubuntu packages or CentOS/RedHat packages I would 
imagine, so you would only need two sets of docs to cover the vast 
majority of users.
> Could you supply a link to the Samba dns page you refer to ?
The page in question isn't actually about DNS but it is the main Samba 
AD installation tutorial here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

This is the main page for Samba AD installation and wants to be split 
into at least 2 further pages IMHO to avoid confusion

1) Samba AD installation with SAMBA_INTERNAL backend

2) Samba AD installation using BIND backend

3) Possibly split again to describe interactive and non interactive 
installation with Bind and Samba_internal
>> 3) They lacks the clear straightforward step by step approach of
>> TechMint with screenshots and similar?
>>
>> Not really a fan of screenshots, unless there is no other way of
>> displaying information.
You do need some way of letting the user confirm *for themselves* that 
what they see on their own termnial is what they should expect to see. 
This lets them verify that they have set things up correctly. This is 
very important!
Note that this doesn't have to be an actual picture screenshot, it could 
be some example terminal output. Something so they can verify that they 
are on the right track.
>> 4) In practice this means that non-experts cannot / wont be able to
>> use Samba, even for basic tasks as I am trying to do here. People
>> less determined than me will give up,
>> and I am basically dependent upon this (awesome, thanks everyone)
>> mailing list and its support.
> Again, the wiki was written from the point of view of experts and not
> necessarily understandable by 'non-experts'. This needs to be
fixed,
> but to do this, we need to know what is actually wrong.
Even assuming your guide is for experts, one of the biggest problems 
biggest problem is there is no common thread or narative linking 
together separate disparate wiki articles on multiple individual topics. 
You could do worse than create a section on the Samba website - "Getting 
Started with Samba AD" that covers the top 5 basic use cases for Samba. 
Suggested structure:

Section 1) Setting up a primary DC

Section 2) Setting up a failover secondary DC

Section 3) Syncing primary and secondary DCs together

Section 4) Joining another machine to the Domain and setting it up as a 
fileserver

Section 5) Printer sharing

Section 6) Configuring windows clients to join a samba domain

Section 7) Advanced Samba Usage
>> 5) You need to get one person to write the docs. Another person
>> should then separately *verify* the instructions that are given to
>> avoid simple mistakes.
>>
>> This not entirely true, one person could do this, make notes as they do
>> something and then do it again, just following their notes.
The problem with the same person checking, is that a second person will 
take different approaches to the first and will encounter problems that 
the first person doesn't encounter due to different set of mental 
implicit assumptions etc. It makes your documentation more robust if a 
second person is involved in the validation.


Cheers
Stephen

Its much more ..

Before you think of installing samba, you should know some basics. 
	- ip/hostname 
	- domainname
	- realm 
	- resolving
And its files used for that. 

Then first thing would be. 
- Use real setup cases.
	- install from source setups.
	- install from packages setups. 

- Split up the setup based on these setup styles. 
	- samba-ad-dc
	- samba-ad-member
	- samba-auth-only ( only winbind installed ) 

	- samba-NT4DOM-server ( try to avoid this ) 
	- samba-NT4DOM-member ( try to avoid this ) 

	- samba-standalone 
	- samba-standalone with authentication. 

So here we have 7 setups and all are different, which makes a samba setup much
harder to setup.

But this above is not usefull is the basics are wrong. 

If the base is wrong, you will inherit it to samba and it makes debugging much
harder.
Which is why i use scripts to collect the debug info and that works because the
debug info always looks the same.

Samba is not like samba 5-10 years ago, it involves much more these days and you
can play that much with the configs anymore.
Which is in my option ok, so its better to find bugs and errors in the setup. 

My thoughts about this, and im working on it but for a scripted setup on debian.
Once thats done, someone else can adapt it to an other os. 

Greetz, 

Louis
 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stephen via samba
> Verzonden: dinsdag 26 maart 2019 15:11
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem achieving manual 
> synchronisation of idmap.ldb and the associated User and 
> Group ID mappings between two Samba 4 AD DCs
> 
> On 26/03/2019 13:39, Rowland Penny via samba wrote
> >> Go on, I give in, what is wrong with the official Samba 
> documentation?
> >>
> >> Off the top of my head:
> >> 1) Your (ie Samba project) docs are structured a little poorly and
> >> actually pretty hard to follow - eg a single article describes
> >> setting up Samba both with SAMBA_INTERNAL and BIND which is
> >> confusing. Two separate articles, one on each topic would 
> be better!
> > The problem is that the Samba wiki is written from the 
> perspective of
> > using a self-compiled version of Samba, not from the perspective of
> > this is how you use Samba on distro X.
> This is a big problem with your docs though. I am really not 
> sure that 
> is the right assumption to make from the viewpoint of 
> actually driving 
> Samba adoption in 2019. Yes, docs describing building from 
> source are in 
> theory universal, and there is the ever present problem of Linux 
> fragmentation. However in reality I reckon probably 1% of your users 
> build Samba for themselves from source. Most busy SysAdmins will be 
> using either Debian/Ubuntu packages or CentOS/RedHat packages I would 
> imagine, so you would only need two sets of docs to cover the vast 
> majority of users.
> > Could you supply a link to the Samba dns page you refer to ?
> 
> The page in question isn't actually about DNS but it is the 
> main Samba 
> AD installation tutorial here:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active
> _Directory_Domain_Controller
> 
> This is the main page for Samba AD installation and wants to be split 
> into at least 2 further pages IMHO to avoid confusion
> 
> 1) Samba AD installation with SAMBA_INTERNAL backend
> 
> 2) Samba AD installation using BIND backend
> 
> 3) Possibly split again to describe interactive and non interactive 
> installation with Bind and Samba_internal
> 
> >> 3) They lacks the clear straightforward step by step approach of
> >> TechMint with screenshots and similar?
> >>
> >> Not really a fan of screenshots, unless there is no other way of
> >> displaying information.
> 
> You do need some way of letting the user confirm *for 
> themselves* that 
> what they see on their own termnial is what they should 
> expect to see. 
> This lets them verify that they have set things up correctly. This is 
> very important!
> Note that this doesn't have to be an actual picture 
> screenshot, it could 
> be some example terminal output. Something so they can verify 
> that they 
> are on the right track.
> 
> >> 4) In practice this means that non-experts cannot / wont be able
to
> >> use Samba, even for basic tasks as I am trying to do here. People
> >> less determined than me will give up,
> >> and I am basically dependent upon this (awesome, thanks everyone)
> >> mailing list and its support.
> > Again, the wiki was written from the point of view of 
> experts and not
> > necessarily understandable by 'non-experts'. This needs to be
fixed,
> > but to do this, we need to know what is actually wrong.
> Even assuming your guide is for experts, one of the biggest problems 
> biggest problem is there is no common thread or narative linking 
> together separate disparate wiki articles on multiple 
> individual topics. 
> You could do worse than create a section on the Samba website 
> - "Getting 
> Started with Samba AD" that covers the top 5 basic use cases 
> for Samba. 
> Suggested structure:
> 
> Section 1) Setting up a primary DC
> 
> Section 2) Setting up a failover secondary DC
> 
> Section 3) Syncing primary and secondary DCs together
> 
> Section 4) Joining another machine to the Domain and setting 
> it up as a 
> fileserver
> 
> Section 5) Printer sharing
> 
> Section 6) Configuring windows clients to join a samba domain
> 
> Section 7) Advanced Samba Usage
> 
> >> 5) You need to get one person to write the docs. Another person
> >> should then separately *verify* the instructions that are given to
> >> avoid simple mistakes.
> >>
> >> This not entirely true, one person could do this, make 
> notes as they do
> >> something and then do it again, just following their notes.
> 
> The problem with the same person checking, is that a second 
> person will 
> take different approaches to the first and will encounter 
> problems that 
> the first person doesn't encounter due to different set of mental 
> implicit assumptions etc. It makes your documentation more 
> robust if a 
> second person is involved in the validation.
> 
> 
> Cheers
> Stephen
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

Louis that would be perfect. As you say, the process is really getting 
far too involved for manual installation. Even SysAdmins need a helping 
hand and some sane defaults sometimes.

Thanks

Stephen

On 26/03/2019 14:18, L.P.H. van Belle via samba wrote:
> Its much more ..
>
> Before you think of installing samba, you should know some basics.
> 	- ip/hostname
> 	- domainname
> 	- realm
> 	- resolving
> And its files used for that.
>
> Then first thing would be.
> - Use real setup cases.
> 	- install from source setups.
> 	- install from packages setups.
>
> - Split up the setup based on these setup styles.
> 	- samba-ad-dc
> 	- samba-ad-member
> 	- samba-auth-only ( only winbind installed )
>
> 	- samba-NT4DOM-server ( try to avoid this )
> 	- samba-NT4DOM-member ( try to avoid this )
>
> 	- samba-standalone
> 	- samba-standalone with authentication.
>
> So here we have 7 setups and all are different, which makes a samba setup
much harder to setup.
>
> But this above is not usefull is the basics are wrong.
>
> If the base is wrong, you will inherit it to samba and it makes debugging
much harder.
> Which is why i use scripts to collect the debug info and that works because
the debug info always looks the same.
>
> Samba is not like samba 5-10 years ago, it involves much more these days
and you can play that much with the configs anymore.
> Which is in my option ok, so its better to find bugs and errors in the
setup.
>
> My thoughts about this, and im working on it but for a scripted setup on
debian.
> Once thats done, someone else can adapt it to an other os.
>
> Greetz,
>
> Louis
>   
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Stephen via samba
>> Verzonden: dinsdag 26 maart 2019 15:11
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Problem achieving manual
>> synchronisation of idmap.ldb and the associated User and
>> Group ID mappings between two Samba 4 AD DCs
>>
>> On 26/03/2019 13:39, Rowland Penny via samba wrote
>>>> Go on, I give in, what is wrong with the official Samba
>> documentation?
>>>> Off the top of my head:
>>>> 1) Your (ie Samba project) docs are structured a little poorly
and
>>>> actually pretty hard to follow - eg a single article describes
>>>> setting up Samba both with SAMBA_INTERNAL and BIND which is
>>>> confusing. Two separate articles, one on each topic would
>> be better!
>>> The problem is that the Samba wiki is written from the
>> perspective of
>>> using a self-compiled version of Samba, not from the perspective of
>>> this is how you use Samba on distro X.
>> This is a big problem with your docs though. I am really not
>> sure that
>> is the right assumption to make from the viewpoint of
>> actually driving
>> Samba adoption in 2019. Yes, docs describing building from
>> source are in
>> theory universal, and there is the ever present problem of Linux
>> fragmentation. However in reality I reckon probably 1% of your users
>> build Samba for themselves from source. Most busy SysAdmins will be
>> using either Debian/Ubuntu packages or CentOS/RedHat packages I would
>> imagine, so you would only need two sets of docs to cover the vast
>> majority of users.
>>> Could you supply a link to the Samba dns page you refer to ?
>> The page in question isn't actually about DNS but it is the
>> main Samba
>> AD installation tutorial here:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active
>> _Directory_Domain_Controller
>>
>> This is the main page for Samba AD installation and wants to be split
>> into at least 2 further pages IMHO to avoid confusion
>>
>> 1) Samba AD installation with SAMBA_INTERNAL backend
>>
>> 2) Samba AD installation using BIND backend
>>
>> 3) Possibly split again to describe interactive and non interactive
>> installation with Bind and Samba_internal
>>
>>>> 3) They lacks the clear straightforward step by step approach
of
>>>> TechMint with screenshots and similar?
>>>>
>>>> Not really a fan of screenshots, unless there is no other way
of
>>>> displaying information.
>> You do need some way of letting the user confirm *for
>> themselves* that
>> what they see on their own termnial is what they should
>> expect to see.
>> This lets them verify that they have set things up correctly. This is
>> very important!
>> Note that this doesn't have to be an actual picture
>> screenshot, it could
>> be some example terminal output. Something so they can verify
>> that they
>> are on the right track.
>>
>>>> 4) In practice this means that non-experts cannot / wont be
able to
>>>> use Samba, even for basic tasks as I am trying to do here.
People
>>>> less determined than me will give up,
>>>> and I am basically dependent upon this (awesome, thanks
everyone)
>>>> mailing list and its support.
>>> Again, the wiki was written from the point of view of
>> experts and not
>>> necessarily understandable by 'non-experts'. This needs to
be fixed,
>>> but to do this, we need to know what is actually wrong.
>> Even assuming your guide is for experts, one of the biggest problems
>> biggest problem is there is no common thread or narative linking
>> together separate disparate wiki articles on multiple
>> individual topics.
>> You could do worse than create a section on the Samba website
>> - "Getting
>> Started with Samba AD" that covers the top 5 basic use cases
>> for Samba.
>> Suggested structure:
>>
>> Section 1) Setting up a primary DC
>>
>> Section 2) Setting up a failover secondary DC
>>
>> Section 3) Syncing primary and secondary DCs together
>>
>> Section 4) Joining another machine to the Domain and setting
>> it up as a
>> fileserver
>>
>> Section 5) Printer sharing
>>
>> Section 6) Configuring windows clients to join a samba domain
>>
>> Section 7) Advanced Samba Usage
>>
>>>> 5) You need to get one person to write the docs. Another person
>>>> should then separately *verify* the instructions that are given
to
>>>> avoid simple mistakes.
>>>>
>>>> This not entirely true, one person could do this, make
>> notes as they do
>>>> something and then do it again, just following their notes.
>> The problem with the same person checking, is that a second
>> person will
>> take different approaches to the first and will encounter
>> problems that
>> the first person doesn't encounter due to different set of mental
>> implicit assumptions etc. It makes your documentation more
>> robust if a
>> second person is involved in the validation.
>>
>>
>> Cheers
>> Stephen
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>

On Tue, 26 Mar 2019 14:10:52 +0000
Stephen via samba <samba at lists.samba.org> wrote:
> On 26/03/2019 13:39, Rowland Penny via samba wrote
> >> Go on, I give in, what is wrong with the official Samba
> >> documentation?
> >>
> >> Off the top of my head:
> >> 1) Your (ie Samba project) docs are structured a little poorly and
> >> actually pretty hard to follow - eg a single article describes
> >> setting up Samba both with SAMBA_INTERNAL and BIND which is
> >> confusing. Two separate articles, one on each topic would be
> >> better!  
> > The problem is that the Samba wiki is written from the perspective
> > of using a self-compiled version of Samba, not from the perspective
> > of this is how you use Samba on distro X.  
> This is a big problem with your docs though. I am really not sure
> that is the right assumption to make from the viewpoint of actually
> driving Samba adoption in 2019. Yes, docs describing building from
> source are in theory universal, and there is the ever present problem
> of Linux fragmentation. However in reality I reckon probably 1% of
> your users build Samba for themselves from source. Most busy
> SysAdmins will be using either Debian/Ubuntu packages or
> CentOS/RedHat packages I would imagine, so you would only need two
> sets of docs to cover the vast majority of users.
That is even easier than you think, using distro packages, you cannot
provision a DC on red-hat.
> > Could you supply a link to the Samba dns page you refer to ?  
> 
> The page in question isn't actually about DNS but it is the main
> Samba AD installation tutorial here:
> 
>
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
I will have a look again.
> 
> This is the main page for Samba AD installation and wants to be split 
> into at least 2 further pages IMHO to avoid confusion
> 
> 1) Samba AD installation with SAMBA_INTERNAL backend
> 
> 2) Samba AD installation using BIND backend
> 
> 3) Possibly split again to describe interactive and non interactive 
> installation with Bind and Samba_internal
The difference between provisioning a Samba DC to use the internal dns
server and bind9 is '--dns-backend=BIND9_DLZ'. If you do not add that
you will use the default internal dns server.
> 
> >> 3) They lacks the clear straightforward step by step approach of
> >> TechMint with screenshots and similar?
> >>
> >> Not really a fan of screenshots, unless there is no other way of
> >> displaying information.  
> 
> You do need some way of letting the user confirm *for themselves*
> that what they see on their own termnial is what they should expect
> to see. This lets them verify that they have set things up correctly.
> This is very important!
> Note that this doesn't have to be an actual picture screenshot, it
> could be some example terminal output. Something so they can verify
> that they are on the right track.
My problem with screenshots is that a lot of people 'cut & paste',
any
most screenshots cannot be copied.
> 
> >> 4) In practice this means that non-experts cannot / wont be able
to
> >> use Samba, even for basic tasks as I am trying to do here. People
> >> less determined than me will give up,
> >> and I am basically dependent upon this (awesome, thanks everyone)
> >> mailing list and its support.  
> > Again, the wiki was written from the point of view of experts and
> > not necessarily understandable by 'non-experts'. This needs to
be
> > fixed, but to do this, we need to know what is actually wrong.  
> Even assuming your guide is for experts, one of the biggest problems 
> biggest problem is there is no common thread or narative linking 
> together separate disparate wiki articles on multiple individual
> topics. You could do worse than create a section on the Samba website
> - "Getting Started with Samba AD" that covers the top 5 basic use
> cases for Samba. Suggested structure:
> 
> Section 1) Setting up a primary DC
> 
> Section 2) Setting up a failover secondary DC
> 
> Section 3) Syncing primary and secondary DCs together
> 
> Section 4) Joining another machine to the Domain and setting it up as
> a fileserver
> 
> Section 5) Printer sharing
> 
> Section 6) Configuring windows clients to join a samba domain
> 
> Section 7) Advanced Samba Usage
The Samba wiki has all that, just not in that format. I think that the
wiki can be made better, but probably not in the format you suggest.
> 
> >> 5) You need to get one person to write the docs. Another person
> >> should then separately *verify* the instructions that are given to
> >> avoid simple mistakes.
> >>
> >> This not entirely true, one person could do this, make notes as
> >> they do something and then do it again, just following their
> >> notes.  
> 
> The problem with the same person checking, is that a second person
> will take different approaches to the first and will encounter
> problems that the first person doesn't encounter due to different set
> of mental implicit assumptions etc. It makes your documentation more
> robust if a second person is involved in the validation.
Whilst I cannot argue against what you are saying, it is finding the
two people to do what you suggest that is the problem ;-)

Rowland