Subject: Re: Samba on FreeBSD
From: Andrea Venturoli
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Date: Wed, 25 May 2016 19:21:57 +0200

On 05/25/16 18:58, James B. Byrne wrote:

>> AD: Yes, in a jail (mainly, but not only, because on an AD DC there
>> are some limitations WRT to NSS; that lets the base system or another
>> jail act as file server).
>
> Could you explain this issue in greater detail? I am aware that the
> Samba team advise against having a SAMBA file-server act as a DC. I
> have not followed the reasoning very well however.
>
> What are the NSS issues to which you refer?

Suppose you want (for whatever reason) to see the Samba users as UNIX
users: you'll put something like "passwd: files winbind" in
/etc/nsswitch.conf.
AFAICT that's not going to work on the machine (physical, virtual, jail,
etc...) where Samba is configured to be an AD DC (*).
I'm not sure why, I think it has something to do with the way winbindd
works, which is different on the DC.

So I use a jail for the DC (where I'll have no need for UNIX users) and
configure any other instance to be a domain member.

(*) Notice "AD DC"; it will work on an NT DC.

The only nuisance is the need to use that jail for DNS.

> What are the issues with Bhyve that make it not production ready?

I never investigated (yet), so I can't answer.
It's also possible I've fallen behind and bhyve now works well.

> Additionally, if the SAMBA DC was hosted on a Bhyve VM and another
> SAMBA file-share server for that domain was hosted in a different
> Bhyve VM would that be a problem in your opinion?

(Leaving aside bhyve specific problems, which, as I said earlier, I'm
not entitled to consider), I don't think there would be any problem:
that's what I'm doing with jails.

> Thank you for your response. I greatly appreciate it. I have kept my
> reply to you off-list since it is probably outside the scope of being
> FreeBSD related. However, I have no objection to anything I write
> herein showing up on the list should you deem it appropriate.

Why?
I think the community might benefit from this... let them decide :)

 bye
	av.