On 12/06/2019 18:02, Goetz, Patrick G via samba wrote:
> So, the bug reports referenced below are in regard to having Samba be a
> domain member. My question is why would I want Samba to be a domain
> member? I want the machine Samba runs on to be a domain member, because
> there are other things going on on that machine as well.

You cannot have one without the other, a Unix computer without Samba is just that, a Unix machine. Add Samba and you can join an AD domain, the letters 'S', 'M' and 'B' in Samba are there for a reason. Even if there are other things on the computer, they can probably be integrated with AD.

> From that perspective, unless you're using Samba as a PDC/BDC, the only
> security setting you ever want to use is
>
>      security = user
>
> Am I missing something?

Yes, using that means it can only be a standalone server and not part of a domain.

Rowland
On 6/12/19 12:14 PM, Rowland penny via samba wrote:
>> From that perspective, unless you're using Samba as a PDC/BDC, the only
>> security setting you ever want to use is
>>
>>      security = user
>>
>> Am I missing something?
>
> Yes, using that means it can only be a standalone server and not part of
> a domain.

I guess I don't understand what you mean by this. I have dozens of Linux machines which are joined to our AD domain which don't even have Samba installed (well, samba-common and samba-libs are required by sssd, but not running smbd, nmbd, or winbind). They are definitely part of a domain (e.g., domain users can authenticate).

Furthermore, on one of these machines I can run smbd 4.8.3 and mount shares from it to other domain-bound machines. I am wondering if there are any gotchas waiting in store as a result; say permissions not being respected, or something, but any action taken through SMB is eventually going to have to pass through the VFS gatekeeper, so I'm not seeing how that could be a problem, at least for mode bits and POSIX ACLs. I'd love to use Windows ACLs, but ext4 doesn't support them and most of the file access occurs from other Linux systems. Maybe I could get away with NFSv4 access only, but I am not sure I want to take on the headache of trying to mess Samba Windows ACLs with NFSv4 ACLs.
On Wed, 2019-06-12 at 18:14 +0100, Rowland penny via samba wrote:
> On 12/06/2019 18:02, Goetz, Patrick G via samba wrote:
> > So, the bug reports referenced below are in regard to having Samba be a
> > domain member. My question is why would I want Samba to be a domain
> > member? I want the machine Samba runs on to be a domain member, because
> > there are other things going on on that machine as well.
>
> You cannot have one without the other, a Unix computer without Samba is
> just that, a Unix machine. Add Samba and you can join an AD domain, the
> letters 'S', 'M' and 'B' in Samba are there for a reason.

Sorry Rowland, but this is incorrect: you need samba (smbd) only if you want to make the member server a file server. If you do not need to offer SMB file services there are many other products that join a unix machine to an AD server, including the mentioned sssd (with the realmd utility).

> Even if there are other things on the computer, they can probably be
> integrated with AD.
>
> > From that perspective, unless you're using Samba as a PDC/BDC, the only
> > security setting you ever want to use is
> >
> >      security = user
> >
> > Am I missing something?
>
> Yes, using that means it can only be a standalone server and not part of
> a domain.
On Wed, 2019-06-12 at 18:51 +0000, Goetz, Patrick G via samba wrote:
> On 6/12/19 12:14 PM, Rowland penny via samba wrote:
> > > From that perspective, unless you're using Samba as a PDC/BDC, the only
> > > security setting you ever want to use is
> > >
> > >      security = user
> > >
> > > Am I missing something?
> >
> > Yes, using that means it can only be a standalone server and not part of
> > a domain.
> >
>
> I guess I don't understand what you mean by this. I have dozens of
> Linux machines which are joined to our AD domain which don't even have
> Samba installed (well, samba-common and samba-libs are required by sssd,
> but not running smbd, nmbd, or winbind). They are definitely part of a
> domain (e.g., domain users can authenticate).
>
> Furthermore, on one of these machines I can run smbd 4.8.3 and mount
> shares from it to other domain-bound machines. I am wondering if there
> are any gotchas waiting in store as a result; say permissions not being
> respected, or something, but any action taken through SMB is eventually
> going to have to pass through the VFS gatekeeper, so I'm not seeing how
> that could be a problem, at least for mode bits and POSIX ACLs. I'd
> love to use Windows ACLs, but ext4 doesn't support them and most of the
> file access occurs from other Linux systems. Maybe I could get away with
> NFSv4 access only, but I am not sure I want to take on the headache of
> trying to mess Samba Windows ACLs with NFSv4 ACLs.
>

It is not a problem if you do not run samba, but when you do, it needs to be a proper domain member.
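The distinction the thread turns on, a standalone `security = user` server versus a proper AD member, as an added example that is not from the thread or from the Samba project: two constructed smb.conf fragments and a small sh check that reads the [global] section and reports which role the settings allow. The function names, the EXAMPLE workgroup/realm and the idmap ranges are assumptions.

```shell
# Constructed smb.conf fragments (not from the thread): the standalone
# layout discussed above, and an AD member layout using security = ads.
STANDALONE_CONF='[global]
   workgroup = EXAMPLE
   security = user
[data]
   path = /srv/data'

MEMBER_CONF='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.INTERNAL
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
[data]
   path = /srv/data'

# smb_global_value CONF KEY: print KEY's value from the [global] section
# (case-insensitive key, surrounding whitespace trimmed), empty if unset.
smb_global_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/   { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# smb_role CONF: classify what the [global] settings let this server be.
# Samba defaults security to "user" when the key is absent.
smb_role() {
    sec=$(smb_global_value "$1" security | tr 'A-Z' 'a-z')
    realm=$(smb_global_value "$1" realm)
    case "$sec" in
        ads)      [ -n "$realm" ] && echo ad-member || echo ads-without-realm ;;
        domain)   echo nt4-member ;;
        user|'')  [ -n "$realm" ] && echo standalone-with-realm || echo standalone ;;
        *)        echo "unknown:$sec" ;;
    esac
}

smb_role "$STANDALONE_CONF"   # standalone
smb_role "$MEMBER_CONF"       # ad-member
```

Run it against a real /etc/samba/smb.conf with `smb_role "$(cat /etc/samba/smb.conf)"`; a result of `standalone` on a host that is supposed to serve domain users is the mismatch Rowland describes.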