Tag Archives: Samba 4

possible Pitfall of Samba 4 AD Deployments

Once a new Active Directory domain has been provisioned using Samba 4, it seems at least difficult to change the IP address of its Domain Controller. Samba 4 in AD DC mode does not automatically change its own address. Looking at the DNS data using Apache Directory Studio, I found the resource records to be encoded in binary. Although still readable, Apache DS didn’t easily let me change them (one could do it, but it’s cumbersome).

I haven’t yet profoundly studied samba-tool, so there might in theory be a way to solve this kind of situation. For now, I have given up that testing domain, as in the meanwhile it had suffered from some challenges anyway, and nothing really depends on it. Provisioned again, joined a client, and I can continue my research on a new setup. Easy.

Conclusion: the question of what to do when migrating your address scheme, say from using a class C net below 192.168.0.0/16 to something bigger below 10.0.0.0/8, seems quite important. Apart from the mere possibility of switching over with an S4 DC at all, its sensitivity to address scheme changes makes such migrations a lot more challenging. It might be good advice to migrate address-wise first, if needed, before going to production with an S4 DC.

Samba 4 experiments

Finally, a great milestone has been reached in the world of open source IT business infrastructure: Samba 4 has achieved stable state and provides us with a free (as in beer, and liberal) Active Directory implementation which, properly packaged and deployed to a suitable environment, seems to work out of the box.

Of course it took a while to figure out how to run such a bleeding-edge development on stable Debian. SerNet has done great work in this area. Basically, I use their Debian packages, but rather than installing the ISO file of the appliance, I only use their packages, together with a recompiled bind9 from sid (or wheezy? I’m sorry, I forgot. I needed the P3 packaging, and dlzones worked fine). The main reason is that I want to run this inside a Xen based (shell only) environment and be ready for normal Debian network-based provisioning.

Integration into existing LAN environments is another issue. You have to make your central DNS refer to the DC’s DNS, and there are multiple ways to do that. One of my objectives is to figure out what can be considered best practice here. Getting ready for real life also covers figuring out replication, backup strategies, consistent cross-server ID mapping, authentication on the shell level, consistent file access (permissions/ACLs, see also here) across SMB and SSH access, and last but not least deployment and migration strategies, including architectural changes to be made to the given environment.

Test installations of Windows are easy to get using VirtualBox. I recommend setting up a basic Windows installation with the Default User modified to your preferences (desktop setup and such trivial things), needed tools readily installed (like an alternative browser, AD admin tools, Sysinternals), the VM “sysprepped” and then exported. Don’t add too much, as you can do this by rolling out software using GPOs and a repackager (like Scalable Smart Packager Community Edition; be ready to register).

So, there are some things left to do, but for now I’m really amazed, and I’m taking my hat off to the Samba guys, including SerNet.

weird Samba 3.6.10 behavior with ACL masks

I have no idea what’s going on. Some people seem to mention this behavior, but there is never any solution around. It’s only a few people, so it looks like a configuration issue, and either it’s really rare or so common that I’m the last who didn’t get it yet. It’s as follows.

I have an experimental setup with a Samba 4 AD instance as domain controller. The VM that demonstrates the bug is a Samba 3.6.10 member server. Both are based on SerNet‘s builds (enterprisesamba and packages from the SerNet Samba 4 Appliance). Everything’s hosted on a Xen machine and made with Debian squeeze as the base OS.


Inside one share, I have a directory with some ACLs set, with the mask and default mask set to rwx. If I now create a file using the shell, the file’s ACL mask becomes rw, which is correct. If I do the same with Samba, the mask will be rwx, which is just plain wrong, as the file would be executable like this.

I’ve tried many more or less random things like s-flags and Samba parameters (inherit acls has no effect, it seems) and googled as described above, but this thing’s going consistently wrong.
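To make the mask problem described above checkable, here is a small added script (not from the original post) that parses getfacl output, applies the mask the way the kernel does, and flags files whose mask grants execute. The two getfacl listings are constructed samples modelled on the shell-created and the Samba-created file; the file path, owner and user names in them are made up.

```python
import shutil
import subprocess
from typing import Dict, Optional

# Constructed sample: file created via the shell. The mask stays rw-, so
# getfacl annotates the entries whose execute bit is masked off.
SHELL_FILE_ACL = """\
# file: share/docs/report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rwx                    #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--
"""

# Constructed sample: same file created through the Samba share, mask rwx.
SAMBA_FILE_ACL = """\
# file: share/docs/report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rwx
group::r-x
mask::rwx
other::r--
"""


def parse_getfacl(text: str) -> Dict[str, str]:
    """Map each ACL entry ('user', 'user:bob', 'group', 'mask', ...) to its rwx triple."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop header lines and #effective notes
        if not line:
            continue
        key, perms = line[: line.rfind(":")], line[line.rfind(":") + 1 :]
        entries[key.rstrip(":")] = perms  # 'user:' (owner) becomes 'user'
    return entries


def effective_perms(entries: Dict[str, str]) -> Dict[str, str]:
    """Named users, named groups and the owning group are limited to the mask;
    the owner and 'other' entries are not."""
    mask = entries.get("mask", "rwx")
    return {
        key: perms if key in ("user", "other", "mask")
        else "".join(p if p != "-" and p in mask else "-" for p in perms)
        for key, perms in entries.items()
    }


def mask_grants_execute(entries: Dict[str, str]) -> bool:
    """True when the mask lets execute through (the wrong state for a plain file)."""
    return "x" in entries.get("mask", "")


def audit_path(path: str) -> Optional[bool]:
    """Check a real file with getfacl; returns None if the acl tools are not installed."""
    if shutil.which("getfacl") is None:
        return None
    out = subprocess.run(["getfacl", path], capture_output=True, text=True, check=True).stdout
    return mask_grants_execute(parse_getfacl(out))
```

Run audit_path over the files a Samba client created to see which ones carry an rwx mask; effective_perms shows what each named user actually gets.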

Anybody around who knows more or is stunned like I am? Well, I didn’t expect to run into this issue, really not.

I’m giving back!

Whoever helps me find an answer or even a fix can get some of my knowledge in the form of code: I offer a complete setup for Samba 4 and 3.6 experiments with Debian Squeeze. It includes a Debian package source with all you need for a (virtual) environment of this kind, such as an updated bind9 build and integratable S4 packages, and a time-saving xen-tools role script which installs a DomU with these package sources, adding SerNet’s 3.6 (remote) sources as well, many often-needed standard packages readily installed, the /etc/hosts file adapted to the LAN environment, ethtool, NFS4 mounted from the DomU (for easy data exchange between VMs), filesystem ACLs readily set up, and an A record added to a DNS zone file on the host system. So that’s all those repeated tasks after xen-create-image that usually take about 30 to 60 minutes every time to turn the installation into a comfortable, accessible and well-integrated VM ready to dig into Samba’s Active Directory implementation details, and even to take steps towards a future production environment on a clean Debian foundation (we’re not that far yet, though, in my opinion).

Using this role and some more files in /etc/xen-tools/skel, it takes me 15 minutes to have an S4 AD DC and a member server provisioned and up and running, ready to join a Windows client and access with native AD management tools.