Old 12-28-2012, 12:17 PM   #1
OSULugan
Senior Member
 
 
Join Date: Feb 2003
Location: Nevada
Posts: 260
Default Samba 4

Anyone have any experience setting up the new Samba 4 release for use as an Active Directory controller? I have it on my to-do list this weekend and was wondering if there are any gotchas/tips. I've got 12.10 Ubuntu Server running already.
OSULugan is offline   Reply With Quote
Old 12-28-2012, 09:31 PM   #2
Demo24
Diamond Member
 
 
Join Date: Aug 2004
Location: North GA
Posts: 7,809
Default

Curious about this as well, also interested if anyone has used it as a secondary to a Windows primary domain controller.
__________________
.........
Demo24 is online now   Reply With Quote
Old 12-29-2012, 10:56 AM   #3
Nothinman
Elite Member
 
 
Join Date: Sep 2001
Posts: 30,672
Default

I didn't notice they finally released that, I'll have to give it a try.

Demo24, there's no such thing as a primary domain controller in AD. They're all mostly equal except for the ones holding specific FSMO roles. And the recently added read-only DC role in 2008 R2 but that's only used in niche places like a DMZ where you want another server to authenticate against AD without giving it access to your internal DCs.
__________________
http://www.debian.org
Nothinman is offline   Reply With Quote
Old 12-29-2012, 12:12 PM   #4
Demo24
Diamond Member
 
 
Join Date: Aug 2004
Location: North GA
Posts: 7,809
Default

Quote:
Originally Posted by Nothinman View Post
I didn't notice they finally released that, I'll have to give it a try.

Demo24, there's no such thing as a primary domain controller in AD. They're all mostly equal except for the ones holding specific FSMO roles. And the recently added read-only DC role in 2008 R2 but that's only used in niche places like a DMZ where you want another server to authenticate against AD without giving it access to your internal DCs.
Right, my mistake. Meant in addition to an already existing domain and using the samba as an additional one.
__________________
.........
Demo24 is online now   Reply With Quote
Old 01-02-2013, 06:05 PM   #5
OSULugan
Senior Member
 
 
Join Date: Feb 2003
Location: Nevada
Posts: 260
Default

So I thought I'd post my experience.

Setup was pretty straightforward. I haven't had a whole lot of experience installing and configuring Linux stuff, but the HOWTO Wiki was pretty easy to follow. I did miss having a guide on how to get it into the startup processes, but I did some googling and figured out how to create a simple script and add it in.

So far I have the domain controller up and running, domain users being able to authenticate from a Windows Vista Ultimate machine. I instituted some group policy management to control log-in times for my 10 year old. I was disappointed to see that Windows Vista does not allow Parental controls on domain users. One of the reasons for setting this up was to make it easier to allow my family members more ready access to other computers in the house. Not having a way to manage this for a domain user means I'll need to implement some controls in Linux.

I'm thinking about putting up a DNS filter on the Linux server, which I think will require a different DNS server instead of the built-in one that came with Samba 4.

I've also had problems getting profile space active and storing from the Windows machines to the profile directory I set up (per the wiki HOWTO). Any gotchas that I should look out for?

Also, with Samba 4, Samba users do not have to have a local Linux account. How do I manage file/directory permissions for Samba users?
OSULugan is offline   Reply With Quote
Old 01-02-2013, 07:41 PM   #6
Nothinman
Elite Member
 
 
Join Date: Sep 2001
Posts: 30,672
Default

Quote:
Originally Posted by OSULugan View Post
So I thought I'd post my experience.

Setup was pretty straightforward. I haven't had a whole lot of experience installing and configuring Linux stuff, but the HOWTO Wiki was pretty easy to follow. I did miss having a guide on how to get it into the startup processes, but I did some googling and figured out how to create a simple script and add it in.

So far I have the domain controller up and running, domain users being able to authenticate from a Windows Vista Ultimate machine. I instituted some group policy management to control log-in times for my 10 year old. I was disappointed to see that Windows Vista does not allow Parental controls on domain users. One of the reasons for setting this up was to make it easier to allow my family members more ready access to other computers in the house. Not having a way to manage this for a domain user means I'll need to implement some controls in Linux.

I'm thinking about putting up a DNS filter on the Linux server, which I think will require a different DNS server instead of the built-in one that came with Samba 4.

I've also had problems getting profile space active and storing from the Windows machines to the profile directory I set up (per the wiki HOWTO). Any gotchas that I should look out for?

Also, with Samba 4, Samba users do not have to have a local Linux account. How do I manage file/directory permissions for Samba users?
Avoid roaming profiles regardless of the server involved, they've never worked well. You can use a GPO to do folder redirection for things like the Desktop, My Documents, etc. and achieve the (usually) primary goal of keeping things central and backed up without the hassles of full roaming profiles.

I haven't touched Samba4 yet and I'm not sure if referencing itself would be a problem, but you could use winbind (assuming it's still in Samba4) to have the Linux machine also use AD for authentication and such. But that sounds like it could easily break if Samba ever fails to start so it would probably be best to make the DC a dedicated machine and put all of the files on a second one.
__________________
http://www.debian.org
Nothinman is offline   Reply With Quote
Old 01-03-2013, 06:13 PM   #7
OSULugan
Senior Member
 
 
Join Date: Feb 2003
Location: Nevada
Posts: 260
Default

Am I reading that right? You're recommending using the Linux machine I have set up now as just the DC, and then setting up a second server as a storage server?
OSULugan is offline   Reply With Quote
Old 01-04-2013, 05:43 AM   #8
Nothinman
Elite Member
 
 
Join Date: Sep 2001
Posts: 30,672
Default

Quote:
Originally Posted by OSULugan View Post
Am I reading that right? You're recommending using the Linux machine I have set up now as just the DC, and then setting up a second server as a storage server?
Only because I'm not sure how the Linux DC would handle being pointed to the Samba instance on itself and how it would react if for some reason those Samba daemons failed to start. The reason it works as well as it does on Windows is because the local accounts on a DC become AD accounts (or vice versa depending on your perspective) once you run a dcpromo so there's no differentiation between them but on Linux that isn't true and the local services will still want to run as Linux accounts defined in the standard /etc files.

If you're using physical machines for this then it's probably not worth it, but with virtualization as cheap and efficient as it is now I don't see a reason not to play it safe and build them as separate machines.
__________________
http://www.debian.org
Nothinman is offline   Reply With Quote
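
The split suggested in the replies above (a dedicated DC, plus a second Linux machine that holds the files and resolves domain accounts through winbind) could look like this on the second machine. This is an added example, not part of the thread or of the Samba wiki; the domain names `HOME` / `HOME.EXAMPLE`, the ID ranges and the share path are constructed placeholders.

```ini
# /etc/samba/smb.conf on the file server (a domain member, NOT the DC).
# Constructed values: HOME, HOME.EXAMPLE, the ID ranges, /srv/samba/users.
[global]
    workgroup = HOME
    realm = HOME.EXAMPLE
    # Authenticate against the AD domain instead of local Samba accounts.
    security = ads

    # Fallback mapping for BUILTIN and other non-domain SIDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain accounts: UID/GID computed from the account's RID, so domain
    # users need no entry in /etc/passwd. The ranges must not overlap each
    # other or the IDs already used by local accounts.
    idmap config HOME : backend = rid
    idmap config HOME : range = 10000-999999

    # Domain users exist here only to own files; give them no login shell.
    template shell = /bin/false
    template homedir = /home/%U
    winbind use default domain = yes

    # Keep Windows ACLs in extended attributes rather than squeezing them
    # into rwx bits (the filesystem must support xattrs).
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

[users]
    # Target for GPO folder redirection (Desktop, Documents, ...).
    path = /srv/samba/users
    read only = no

# After "net ads join -U Administrator", add winbind to the passwd and
# group lines of /etc/nsswitch.conf, keeping "files" first:
#     passwd: files winbind
#     group:  files winbind
# Local accounts then still resolve if winbindd is down, which is the
# failure case raised in the replies above.
```

On the member server, `wbinfo -u` and `getent passwd` should both list domain users once winbindd is running; after that, ordinary `chown`/`chmod` or Windows ACLs set from a client apply to those accounts.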
Old 01-04-2013, 10:16 AM   #9
OSULugan
Senior Member
 
 
Join Date: Feb 2003
Location: Nevada
Posts: 260
Default

I hadn't even considered setting it up as a virtual machine. I may look into that.
OSULugan is offline   Reply With Quote
Old 01-04-2013, 11:23 AM   #10
imagoon
Diamond Member
 
 
Join Date: Feb 2003
Location: Chicagoland, IL
Posts: 4,494
Default

Out of curiosity - Why are you looking to do this? I only ask because the last time I tried to make Samba happy in the enterprise I ended up just spending the $400 to get a Windows license. Mostly because at the time, their Wiki tended to suck. There was lots of info there but it was often a mishmash of versions / forum postings etc. I was never able to get permission mapping correct etc. I had better luck getting AD/LDAP and NIS playing together. [Read: I had better things to do than worry about this]

Does Samba handle proper NTFS permissions yet or is it still that oddball hacky kludge of mapping to Linux rights that doesn't really translate properly?

Any idea what level of AD they are trying to emulate? I would be surprised if they have 2008 / R2 / 2012 working yet since they started making some pretty drastic under the hood changes like dropping FRS and all the added security.

It has been a long while since I tried to get it working in a Domain however. I am still pretty "fearful" because I wasted way more $$ on time than just buying a proper Windows license.
imagoon is offline   Reply With Quote
Old 01-04-2013, 12:12 PM   #11
OSULugan
Senior Member
 
 
Join Date: Feb 2003
Location: Nevada
Posts: 260
Default

There were a few motivations to this:

1) I had the extra hardware available.
2) I expect my kids will begin to want more heavy PC use, and I wanted a central way to manage user rights, etc.
3) I expect that soon we'll be getting 1 or more additional PCs in the house (we currently have 2 in use, and 1 which I'm setting up as a server), and I want to enable single-account sign-on, shared desktop/documents/etc. so that there aren't fights over which PC is available for use.
4) Potential migration from a Windows environment to a Linux desktop on the shared PCs in the house, since the family doesn't really need Windows (I'm the only real PC Gamer, and I'd expect open office to suffice for school papers, etc.).

It looks like my DC is configured to emulate Windows Server 2003, but I seem to recall a selection to change that to other options (including 2008). But I haven't played with it. Same thing with how NTFS permissions are handled.

My basic needs don't really extend much more than what I've got set up right now. I was hoping that WHS 2011 would provide single account sign-on/shared desktop functionality, and I would've just bought that. But from what I understand, it does not, and I didn't want to spend $400+ on a full blown Windows Server license for this project. It's overkill for my needs.

Unfortunately, I didn't get to spend as much time playing with it over my holiday break from work, so now I am mainly relegated to making changes on the weekends.
OSULugan is offline   Reply With Quote
Old 01-04-2013, 01:02 PM   #12
imagoon
Diamond Member
 
 
Join Date: Feb 2003
Location: Chicagoland, IL
Posts: 4,494
Default

Remember you will need the "non-home" editions of XP / Vista / Win 7 if you want to join the local machines to the Domain then. Good luck on the Windows to Linux thing. I had an aunt and uncle that were fine with that but my niece and nephews hated it since it "didn't work" which was translation of they couldn't use most of their games and had some oddball website issues. [I am assuming IE ActiveX crap here btw since I didn't have an issue on my test boxes with most sites.]

Good luck on your project. Roaming profiles is a major project on Windows [to correctly] implement, adding Samba should give you a thorough understanding of how that part works.
imagoon is offline   Reply With Quote
Old 01-04-2013, 01:10 PM   #13
OSULugan
Senior Member
 
 
Join Date: Feb 2003
Location: Nevada
Posts: 260
Default

Yeah, I'm running Windows Vista Ultimate 64 on my machines currently. I freed up a license with the install of Ubuntu onto the one PC, so even if I get another PC, I can always join it to the domain using the older OS (although I would like to transition to Win 7 soon enough).

I have one PC joined currently. I want to get it working in a limited environment before joining the other PC and then considering the transition. I'm sure I'll be bugging the forum more going forward as I run into issues. Since this isn't in a work environment, I have the benefit of implementing things in a non-rushed setting.
OSULugan is offline   Reply With Quote
Old 08-30-2013, 12:14 PM   #14
mitcheldrake
Junior Member
 
Join Date: Aug 2013
Posts: 1
Default Samba4 DC and Windows 7 domain profiles

We currently have a Samba4 setup with Active directory and have added several Windows 7 to the domain successfully. User accounts are able to authenticate to the Server and we have Folder redirection setup for Documents, Pictures, Music, Videos, Desktop and AppData\roaming.

When I set up Windows 7 on the workstation I built and tested a customized Default User profile (in Win7 the directory is called "Default"). Before joining to the domain I tested my customized Default profile by logging on to a new local user account, and the profile was built as expected.

However, now that the workstation is joined to the Samba4 domain, when a new user logs on for the first time, the user's profile is missing several of the directories that are present under the "Default" profile directory.

My question is, when a new domain user account is logged on, from where is the profile directory structure built?
mitcheldrake is offline   Reply With Quote