Re: [Samba] Q: Samba4 AD DC & small office file sharing

On Tue, 2018-05-29 at 18:20 +0100, Rowland Penny via samba wrote:
> On Tue, 29 May 2018 09:57:50 -0700
> Jeremy Allison <jra@xxxxxxxxx> wrote:
> No and nobody else does and we never will do, if we keep saying 'do not
> use a DC as a fileserver'. 

G'Day Rowland,

Thanks for raising this.  To be clear, this wasn't ever meant to be as
absolute as that, and like Microsoft's 'don't change the schema' from
the days of Windows 2000, it has got a little out of control.

In the same way that a warning intended to give administrators pause
for thought has taken years to undo (I spoke long ago with the
Microsoft engineer who first gave the warnings to be careful about the
schema), this is perhaps the same.

The reasons are this:
 - For anything but the smallest organisations, having more than one DC
is a really good backup measure, and makes upgrades safer:
  - It encourages upgrades of the DC to also be upgrades of the host OS
every year or two, because there isn't complex data to transition or
other services involved.
  - This means upgrades can be done installing fresh, and replicating
in the changes, which is better tested in Samba, gains new features and
avoids a number of lingering data corruption risks.

 - The DC and file-server have different points at which an
organisation would wish to upgrade.  The needs for new features on the
DC and file server come at different times.  Currently the AD DC
evolves rapidly to gain features whereas the fileserver after over 20
years is quite rightly more conservative.

 - The mandatory smb signing on the DC.

Finally, in terms of reasons that don't apply any more:

 - In Samba 4.0 we shipped a different, much less capable 'winbind'
service in the AD DC.  We don't any more, we just plug in to the common
winbindd codebase (just self-starting it as a forked child for samba).

Anyway, as I say, it was set down just to give folks pause for thought,
not as a total prescription.  Samba remains free software and folks
will use it as they want.

I hope this clarifies things and you are welcome to embellish the wiki
with the above.

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba