[ale] Switching from Server 2003 to Samba

Edward Holcroft eholcroft at mkainc.com
Tue Jul 15 09:35:11 EDT 2014 

Many thanks for all the pointers. I have a test machine becoming available
this week and will give feedback on how things work out. Initially I plan
to just get the shares working with existing Windows AD permissions and at
some later point look into how we can get rid of Windows AD, but that's
going to be a tough one, since we're a M$ shop on the desktop and use a lot
of GPO's.

To kick things off I'll be using Ubuntu 14.04 as a test bed and to get
familiar with the basics. I'll let ya'll know ...

cheers
ed


On Sat, Jul 12, 2014 at 2:55 PM, Michael Trausch <mike at trausch.us> wrote:

> Testing, testing, testing.
>
> Before I go further: I can't speak to anything more recent than about 18
> months ago, as I haven't had to admin a setup like this for a while.
> however, it doesn't appear that much has changed.
>
> Since you have an existing system and you need to migrate, you *NEED* to be
> given a lab environment that allows you to deploy a mirror of the current
> AD domain, so that you can test migrating it to e.g., Samba 4.  Users need
> to ensure that all of their applications work correctly, as well.  Windows
> and applications that run on it make many assumptions that may or may not
> hold true under Samba 4 for a variety of reasons (not the least of which is
> the fact that it is a different implementation than Microsoft Windows).
>
> That said, I've had good luck.  The major sticking points I ran into:
>
>    - File permissions are an issue. Ensure that you're using POSIX ACLs,
>    and ensure that your Samba configuration is suitably configured to use
>    them.  Note, however, that POSIX filesystem permissions and Win32
>    filesystem permissions are two very different beasts, and there will be
>    issues in mapping.  Samba 4 does a much better job than Samba 3, but as
> of
>    the last I used it, they're still not perfect.
>    - Some AD functionality is stubbed out.  Ensure that none of the
>    functionality that your users depend on is missing/stubbed.
>    - It's relatively easy to get it to function for UNIX systems as well,
>    but it's better to use FreeIPA to create a trust with the AD server and
>    re-export that way.
>    - In fact, if you're doing this and not going to be running Windows
>    clients after the migration (or are going to be doing this in order to
>    support the addition of UNIX/Linux clients to the network) just deploy a
>    FreeIPA domain.
>    - Also, pay very close attention to the Samba/AD replication.  In order
>    to replace the AD server, you're going to have to have Samba 4
> configured
>    as a secondary controller, synchronize it with the domain, and then
> promote
>    it.  After promotion of Samba 4, you can demote the Windows box, and
> then
>    retire it.
>    - Multiple users attempting to work on the same document at the same
>    time was quite broken in Samba 3.  It seems to work halfway in Samba 4;
>    instead of fully supporting concurrent access, the first time a file is
>    opened, that process gets the ability to read/write it; all other
> processes
>    are not allowed to write the file at all.
>
> Samba 4.1 has support for efficient hosting on top of btrfs and claims
> better AD replication support, as well as SMB3 encrypted connections.  You
> should be able to implement VSS and server-side copy operations now with
> Samba 4.  (This is on my todo-list to try out.)  This means that it can
> function as a backup destination for the Windows machines on the network,
> too.
>
> Full disclosure: The last version of Samba I've had the pain of having to
> administer was 4.0.3—Samba 4.1 appears to be much better and if it works as
> advertised, should provide for you a much smoother transition than was
> previously possible.  The network that I had to administer was a Samba 3
> network for a long time simply because all the systems in the network were
> happy with NT4-style domains.
>
> One other thing to note: deploying AD with Samba first seems to be much,
> much more difficult than installing a temporary microsoft domain controller
> and then using Samba to take over from it.  This seems to have to do with
> the setup of a lot of the AD-things that Samba 4.0 had stubbed out.  This
> may have changed since then.
>
>
> On Sat, Jul 12, 2014 at 11:42 AM, Michael Trausch <mike at trausch.us> wrote:
>
> > I can't do so right this second, but I will post a decent write up of my
> > experiences for you later today.
> >
> > Sent from my iPhone
> >
> > > On Jul 10, 2014, at 3:53 PM, Edward Holcroft <eholcroft at mkainc.com>
> > wrote:
> > >
> > > All,
> > >
> > > The time has finally come to ditch our Micro$haft file servers as
> another
> > > increment towards weaning ourselves of our Windows habit. For now, I
> have
> > > to keep Active Directory in the picture, although I have managed to
> > reduce
> > > the AD server footprint from 18 servers down to 4. Corporate mindset
> > issues
> > > demand small steps.
> > >
> > > Question: Is it better to go with an "appliance solution" such as
> FreeNAS
> > > vs. distro+Samba?
> > >
> > > I played around with FreeNAS a bit and while it has great automation of
> > > things like AD integration (which I will need to do for now) and a
> great
> > > web interface, it seems less flexible when it comes to e.g. backup
> > options.
> > > It seems a simple Ubuntu/Samba box gives me many options on how to
> handle
> > > our daily backups to USB, while FreeNAS can potentially close doors to
> > me,
> > > or at least make things harder. That's just one example that I ran
> into.
> > >
> > > So, I'd like to hear from you about experiences/pros-cons of
> > appliance-type
> > > options vs the manual way. I've tried both at a simple test level. They
> > > both seem viable and I really want to like FreeNAS, but just cannot
> seem
> > to
> > > get comfortable with it - little glitches seem to pop up that have the
> > > potential to be major sticking points. So right now I'm leaning towards
> > > distro+Samba.
> > >
> > > Feel free to suggest other options besides the two mentioned here.
> > Whatever
> > > solution I deploy I have to be able to use Windows ACL's on the shares
> > ...
> > > for now.
> > >
> > > cheers
> > > ed
> > >
> > > --
> > > Edward Holcroft | Madsen Kneppers & Associates Inc.
> > > 11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
> > > O (770) 446-9606 | M (770) 630-0949
> > >
> > > --
> > > MADSEN, KNEPPERS & ASSOCIATES USA, MKA Canada Inc.
> > WARNING/CONFIDENTIALITY
> > > NOTICE: This message may be confidential and/or privileged. If you are
> > not
> > > the intended recipient, please notify the sender immediately then
> delete
> > it
> > > - you should not copy or use it for any purpose or disclose its content
> > to
> > > any other person. Internet communications are not secure. You should
> scan
> > > this message and any attachments for viruses. Any unauthorized use or
> > > interception of this e-mail is illegal.
> > > -------------- next part --------------
> > > An HTML attachment was scrubbed...
> > > URL: <
> >
> http://mail.ale.org/pipermail/ale/attachments/20140710/5da89949/attachment.html
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://mail.ale.org/mailman/listinfo/ale
> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > http://mail.ale.org/mailman/listinfo
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mail.ale.org/pipermail/ale/attachments/20140712/ea68a15e/attachment.html
> >
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
Edward Holcroft | Madsen Kneppers & Associates Inc.
11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
O (770) 446-9606 | M (770) 630-0949

-- 
MADSEN, KNEPPERS & ASSOCIATES USA, MKA Canada Inc. WARNING/CONFIDENTIALITY 
NOTICE: This message may be confidential and/or privileged. If you are not 
the intended recipient, please notify the sender immediately then delete it 
- you should not copy or use it for any purpose or disclose its content to 
any other person. Internet communications are not secure. You should scan 
this message and any attachments for viruses. Any unauthorized use or 
interception of this e-mail is illegal.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20140715/98d3d31c/attachment.html>

More information about the Ale mailing list