Advanced Samba / File Server Options - an open discussion

Hi All!

Continuing the discussion as per suggestion from @davidep from here:


I suggest three main sections:

  • Additional AD Domain Controllers
  • Additional File Servers
  • File Servers using just LDAP, not AD

I think these three main subjects cover most of what’s needed, if more is needed, they can be added to the discussion…


Additional AD Domain Controllers

Both LDAP (OpenLDAP) and AD have included mechanisms from the start to include and allow “replicas” of the user-database to co-exist and function.

OpenLDAP has no limitations in this respect.

Samba-AD has the well-known limitation that Samba does not include the Sysvol in the replicas.
A two node system would still be easy to achieve, using rsync or some other mechanism to replicate the folder content.

There are also several options to use 2-way sync protocols (they DO exist).
Unison or MooseFS are two options of “easy to handle” 2-way sync protocols.
Both are available for the systems used for NS8.
This could be used, for example, by using a container containing such a 2-way sync protocol file system for the Sysvol.
Inside a several node NS8 cluster, the communication for the file sync of Sysvol could be done over the internal VPN.
For those preferring an independent node, ports can be used, or a similar VPN solution linking both DCs…

→ An independent node would assure PCs and Servers still can use AD authentication, even if the cluster as such is down, for whatever reasons… (Planned maintenance, Update issue…). This is especially important for any clients using several sites. Sysvol sync would not be available during this time, but contents are available, and so are user / group / machine accounts.
I would suggest providing both options, a cluster integrated AD DC, but also the option for an independent one, eg on a VM or Container or native HW Install somewhere.


Additional File Servers

For large to very large systems, it can make a lot of sense to split up the file sharing.
For one, backups can be concurrent, making backups overall faster…
Second, the file servers can be split up according to site.
There are also other considerations, like special file systems, special permissions, or certain access forms, which can be taken into consideration. One good example would be a two way sync for certain shares…

Generally speaking, there is quite a lot of demand for such a feature, even here in the forums.


File Servers using just LDAP, not AD

I will probably not need this directly, but I do think there are a lot of people interested in this feature.

Here are a few good pointers:

https://www.reddit.com/r/linuxadmin/comments/yk74x4/best_openldap_samba_file_server_approach/

On a multi node cluster running one or several LDAP servers, this would be a great addition.
Several of the options mentioned above for a Samba AD File Server could also be taken into consideration here.


Comparison OpenMediaVault or TrueNAS, both AD integrated

As a workaround, I have tested and compared both OpenMediaVault (OMV) and TrueNAS (Core). Both were equipped with AD integration and connected to NS8.
Both running as VMs on a powerful Proxmox Hypervisor (8 cores, 8 GB RAM).

Both work fairly well. Both had the same share contents, about 6 TB!
At the end, the OMV used half the RAM and less CPU than TrueNAS, so we stayed with OMV.

This is intended just as a side note, in case anyone is curious… 🙂


OK, the discussion is open now…

Any good ideas, comments, questions, all are welcome!

My 2 cents
Andy

3 Likes

This limitation exists in NS7 as well. The multi-DC scenario is still unavailable in NS8 because Samba lacks a built-in Sysvol replication solution. However, it should be possible to provision LAN-accessible DCs from the CLI. I believe this works at the DC level, but I’ll verify limitations regarding UI compatibility. Note that Sysvol replication would require an external tool (e.g., a Windows-based scheduled xcopy between Sysvols).

For a file server-only solution in NS8, a dedicated module with the Samba Domain Member role is an obvious choice. Container images already exist, and they could be the base for a Nethforge project!

Besides that, I’ve had encouraging results experimenting with the RODC role.
The main advantage of the RODC role is that it does not require a machine account like a Domain Member. It involves minimal configuration, provides shares like the DC role, and can be implemented using the existing Samba module in NS8 with a special procedure.

We used the ldapsam:// database in NS6. Since Samba 4 introduced AD support, there is no need to revert to ldapsam for file server setups.


TL;DR

Both multi-DCs in a LAN and RODC file servers can be achieved with the core Samba module. I’ll confirm the feasibility and, if successful, provide a how-to guide.

2 Likes
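Both posts above come back to the same gap: Samba AD replicates the directory but not Sysvol, so a second DC needs an external copy (rsync, Unison, xcopy). The script below is an added example, not code from the thread or from NethServer: a one-way rsync push over the cluster VPN followed by `samba-tool ntacl sysvolreset` on the receiving DC, plus a drift check that compares checksum manifests of two Sysvol trees so a silently failed sync shows up before Group Policy on the second DC goes stale. The sysvol path, the peer address and the SSH user are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values:
SYSVOL=${SYSVOL:-/var/lib/samba/sysvol}   # Samba's default sysvol location
PEER=${PEER:-10.8.0.2}                    # second DC, reached over the cluster VPN
PEER_USER=${PEER_USER:-root}

# Print "crc size ./relative/path" for every file under a tree, sorted so two
# manifests (e.g. one per DC) can be compared byte for byte.
sysvol_manifest() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(cksum < "$f")" "$f"
    done )
}

# Return 0 when both trees carry identical content, 1 otherwise. On drift the
# differing manifest lines are printed, which is what a monitoring job wants.
sysvol_drift() {
    ma=$(mktemp) || return 2
    mb=$(mktemp) || { rm -f "$ma"; return 2; }
    sysvol_manifest "$1" > "$ma"
    sysvol_manifest "$2" > "$mb"
    if cmp -s "$ma" "$mb"; then
        rm -f "$ma" "$mb"; return 0
    fi
    diff "$ma" "$mb" || true
    rm -f "$ma" "$mb"; return 1
}

# Mirror the local Sysvol to the peer DC. -a keeps ownership/permissions,
# -A and -X carry POSIX ACLs and xattrs (Samba stores NT ACLs in xattrs),
# --delete removes policies that were deleted on the primary. After an
# external copy, sysvolreset re-applies the NT ACLs Samba expects.
sysvol_push() {
    rsync -aAX --delete -e ssh "$SYSVOL/" "$PEER_USER@$PEER:$SYSVOL/" || return 1
    ssh "$PEER_USER@$PEER" samba-tool ntacl sysvolreset
}

# Usage: sysvol-sync.sh push        -> replicate to the peer
#        sysvol-sync.sh check DIR   -> compare local Sysvol with a peer copy
#                                      (e.g. a local mount or rsync pull)
case "${1:-}" in
    push)  sysvol_push ;;
    check) sysvol_drift "$SYSVOL" "$2" ;;
esac
```

Run the `check` against a pulled copy of the peer's Sysvol on a schedule and alert on a non-zero exit; a second DC whose Sysvol drifts serves clients outdated GPOs without any error being logged by Samba.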