I still don't get why Samba has to be run in a container

[quote=“giacomo, post:15, topic:4878, full:true”]
No, FreeIPA is not conflicting against Samba4: they are two different products with different targets.[/quote]

:joy:
I almost understand :stuck_out_tongue_winking_eye: that Samba4 and FreeIPA are different products.
Well, to be honest, I even understand this pretty well :sunglasses:

But if we launch another parallel topic, I’m very prone to discuss this further and explain why, even if from a technical viewpoint these “products” (I would rather say “solutions”) are indeed very different, in terms of scope and features they are quite similar and, because of this, Fedora’s choice is to promote FreeIPA and not implement Samba4, IMHO.
Too much overlap and conflicting services.

At least this is obvious to me but, of course, I might be wrong :blush:

“… Since version 3.0.0, FreeIPA also uses Samba to integrate with Microsoft’s Active Directory by way of Cross Forest Trusts.”

FreeIPA - Wikipedia

================================

" Components
In the picture we can see 5 major components of Samba we are currently interested in:

SMBD
EPMD
The Netlogon/LSA/SAMR daemon(s)
IPASAM
libndr_krb5"

IPAv3_Architecture — FreeIPA documentation

Samba yes, but is it Samba4 ??? :confused:
For sure Fedora is not going to invent yet another SMB emulation :wink:

The problem is that the Samba wording is quite confusing:

  • Samba as smbd server: this has worked with Samba 3 for years
  • Samba as DC emulator: this implements, e.g., Kerberos. Which one should Fedora keep? MIT or Heimdal ??? Both can’t run in parallel.
    Same for the accounts directory.

What is painful is not SMB/CIFS (although IMHO, SMB is far from being the perfect file access protocol) but account management, requests from customers to manage Windows workstations and accounts in the “Microsoft like” way, meaning with Microsoft tools and console, GPOs etc…

Current open source answer is Samba4. Too bad, it shares the same name.

Therefore, when I say “FreeIPA and Samba4 share a conflict of interest”, you tell me:
“look, FreeIPA uses Samba too”… :sweat:

The problem you currently face, as far as I understand, is not “Samba” but “Samba as DC”, AKA Samba4.

Well, I’ll stop here, I definitely don’t know enough of NethServer to have any clever additional comment. Perhaps later…

1 Like

Good point!

EDIT:

But Samba AD was implemented beginning with Samba 4.
And everywhere is about AD. I don’t think they talk about AD and Samba with a version of Samba without AD.

Sure! And I think that @davidep and @giacomo have already given great answers here! Hope this will be enough for our curiosity :wink:
No distribution based on RHEL/CentOS already has a Samba4 solution like ours :slight_smile: and we’re almost upstream!
:thumbsup:

I was wondering: are there any measurable performance penalties in running the Samba 4 container in a VM with promiscuous mode enabled? I mean, especially in comparison with running Samba 4 without a container, in a VM too, but with promiscuous mode disabled.
Thanks,
Salvo

I don’t think there is a simple way to measure it.
By the way, KVM uses promiscuous mode by default when a VM is bridged to an existing bridge.

Just for the record, I want to say that I think discussions like this are extremely important. They give a greater understanding of the subject. Not only for simple community members like me, but also to confirm the direction of the implementation of, in this case, Samba4 user authentication.
It would be even more valuable if a wikipage is created with a wrapup of the discussion for future reference.
Anyway, all that participated in this discussion: a big thank you!

Btw, please do continue the discussion with new developments and/or insights. It brings us all to a higher level of understanding and accepting design decisions.

7 Likes

Totally agree with you, I have to admit that Devs have done a great “explanation” work here.
Describing or simplifying complex things isn’t always easy and sometimes they’re already focused on code and solutions, so it’s really hard to find time to give some context to non-experts. Shoutout to you guys! @davidep and @giacomo :loudspeaker: :clap: :loudspeaker: :clap:

3 Likes

If noobs like me can understand, it means that it has been simplified very well :slight_smile:
Thanks

3 Likes

Just read through this, as I was curious myself, and agree with the commentary. It is an example of the value and power of sharing and communicating knowledge of complicated issues.

A post was split to a new topic: Alternatives to Samba DC in Linux container