Samba 4 review: No substitute for Active Directory -- yet
Samba's open source alternative to Microsoft's domain controller is a good start, but not ready for prime time
Infoworld - Samba 4.0 is a milestone release that brings Active Directory functionality to the open source SMB/CIFS (Server Message Block/Common Internet File System) file and print server. Samba 4.0 can serve as an Active Directory Domain Controller, provide DNS services, handle Kerberos-based authentication, and administer group policy. The Samba 4.0 Domain Controller can even be managed using the native Windows Active Directory admin tools.
However, there are restrictions in this release -- mainly issues with file replication -- that limit the number of Domain Controllers you can join to only a single domain. Support for cross-forest trusts and multiple domain controllers is still to come. When that support arrives, Samba will be truly useful as an Active Directory replacement. Until then, the Domain Controller functionality is suitable mainly for testing. Not many environments can make good use of a single domain controller.
Beyond file and print servicesSMB is the protocol behind all network file communication used natively by Windows Server and Windows clients; it's also known as CIFS. Support for SMB/CIFS on other operating systems has primarily come from the Samba project. Samba started back in 1992 as a way to connect Unix and Linux machines to Microsoft's LAN Manager network operating system. It's provided the plumbing necessary for Unix and Linux machines to connect to Microsoft networks ever since.
The most common use of Samba is still in the client role, but that has changed along the way with the ability to provide file and print services to Unix and Linux clients, as well as systems running various versions of Windows.
Samba has maintained a solid capability as a file server and client but has never had the ability to function as an Active Directory Domain Controller until now. Samba 4.0 has been under development for quite a long time, and the Domain Controller functionality has been available in beta form during the later stages prior to release. Samba 4.0 delivers a stable release of this new capability but in a severely limited form.
For Samba 4.0 to be useful in large and multisite environments -- the sort that rely on Active Directory -- it will need to support cross-forest trusts and multiple domain controllers. Support for multiple domain controllers requires directory and file system replication to maintain the user database and the sysvol and netlogon shares. (The sysvol share stores the Group Policy Template along with other system templates and scripts, and the netlogon share contains system-wide logon scripts for the likes of assigning home directories and updating virus definitions.) Directory replication works reliably in this release, but the file system replication piece remains under development.
Samba 4.0 installation and setupThere are a number of ways to get Samba 4.0 installed, depending on your system and how you want to go about testing. You can download the latest release in gzip form and install it yourself. The Samba Wiki has a complete how-to detailing the process step by step. For popular distributions such as Ubuntu, there are packages available for installing using the normal methods. From a terminal window in Ubuntu 12.10, you can simply type:
apt-get install samba4
For the purposes of this review I downloaded the Excellent Samba4 Appliance, a ready-made virtual appliance based on SLES 11 SP2 64-bit and Samba4 Stable 4.0.0. The Excellent Samba4 Appliance virtual machine is available in the OVF format; in a VMware image that will work with VMware, VirtualBox, or KVM; and in a VHD file for use with Microsoft's Hyper-V. I chose the VHD file and installed it on an HP ProLiant DL385 G7 server running Windows Server 2012.
You must run a script to initialize a number of settings (IP address, domain name, admin account name, and so on) before you can actually start the Samba Domain Controller. Once you've entered the required information, the script (dcpromo.sh) will configure the appropriate DNS settings and create default DNS records. DNS is a requirement for Active Directory and must be running to enable client machines to connect to the domain.
Configuring an Active Directory domain in Samba is straightforward, though not as easy as in Windows Server. It's a much easier process on native Windows as the pieces come with Windows Server and you don't have to download anything. Many of the configuration tasks are handled in Windows Server 2012 with wizards.
Managing the Samba Domain ControllerWith your Samba Domain Controller up and running, you can use the standard Windows Active Directory administration tools to manage computers and users. The Excellent virtual appliance provides the 32-bit installer for Windows XP and Windows 7 in the /srv/www/htdocs directory. (If your Samba distribution doesn't include them, the tools are freely available from Microsoft's website.) You can get to the files on the Excellent Samba4 Appliance by opening a Web browser and entering the IP address of the appliance. It will present a list of files that you can then right-click on and save or run.
Microsoft's administration tools come in the form of an .msu file, which will add options to the "Turn Windows features on or off" area of your Windows client machine's Control Panel. Once the installer finishes, you'll have to open Control Panel, find Programs and Features, choose "Turn Windows features on or off," then navigate to the Role Administration Tools section (see Figure 1). From there, expand the AD DS Tools section and choose the AD DS Snap-ins and Command-line Tools. Note that the Active Directory Administrative Center requires Active Directory Web Services, which Samba 4 does not support. If you want to use PowerShell, you should check Active Directory Module for Windows PowerShell as well.
Figure 1: From the Role Administration Tools section of the Control Panel on your Windows client machine, expand the AD DS Tools section and choose the AD DS Snap-ins and Command-line Tools.
PowerShell offers a number of built-in features to query and manage an Active Directory installation. Choosing to install the Active Directory Module makes these AD-specific commands readily available at the PowerShell command line. As an example, the dsquery command will return a wide range of information about the directory including computers, groups, servers, and users. There are also command-line tools such as dsadd, dsmove, and dsrm for adding, moving, and removing objects, and plenty more. Help is available for any of the commands by typing the command followed by /? at the command line.
One of the other big uses for Active Directory is in the area of GPO (group policy objects) and permissions. Samba 4.0 fully supports GPO settings for both computers and users. Group policy is especially useful for such capabilities as blocking access to Control Panel on a Windows machine so that normal users can't alter settings or install software. When you create a group policy, it is tied to a specific OU (organizational unit). Once set it applies to all computers or users in that OU.
The Microsoft Group Policy Management Editor provides the means to create or edit a group policy that will be attached to a specific domain. Figure 2 shows the GP Demo policy for the Linux.tstsamba.com domain and the default rules. You can restrict specific pieces of Control Panel such as the Add or Remove Programs feature, or choose to prohibit access to the Control Panel altogether.
Figure 2: Viewing the GP Demo group policy through the Microsoft Group Policy Management Editor.
Another management option is Webmin. This freely available tool installs on the system running the Samba 4 server and provides a Web-based interface to manage a wide range of internal server settings (add administrators and users, create new file shares, share printers, allow and deny hosts) and software. I was able to get it running on the Samba 4 appliance with just a few minor tweaks to the configuration settings. Figure 3 shows the Webmin Samba module, which includes an icon labeled SWAT (Samba Web Administration Tool). This is the native Samba management tool (see Figure 4), which handles all of the traditional Samba user administration and server settings.
In short, Samba does not yet offer GUI tools for managing the Domain Controller or GPO settings from Unix or Linux, but there are Python-based hooks into the internals of Samba 4 that should make these easy to build.
Figure 3: The Webmin GUI on Samba (above) and Figure 4: The native Samba Web Admin Tool (below).
The bottom lineSamba 4.0 is definitely a zero point release, meaning it still has some growing and maturing to do. It is a good first step in providing a completely open source solution that mirrors much of Microsoft's Active Directory core functionality. Although the Domain Controller in Samba 4.0 appears to be stable, the single-domain limitation currently restricts it to small deployments. An obvious use case would be in education and training, where Samba 4.0 would provide a good platform for teaching domain administration. But in the real world, most small workgroups for which the Samba Domain Controller is suited will choose to do without.
On the plus side, there are new Python-based programmability features in Samba 4.0 that could prove useful to anyone looking for a way to either expand or more fully utilize the Samba 4 server functionality. PowerShell provides another avenue to script actions against a Samba Domain Controller.
The bottom line: Samba 4.0 is definitely early code and not enterprise-ready yet. As it matures, it will present an interesting option to larger organizations that rely on multiple Active Directory domains. If the Samba team meets its goal of a 9-month release cycle, we can hope to see a more scalable and useful version by late summer or early fall.
This story, "Samba 4 review: No substitute for Active Directory -- yet," was originally published at InfoWorld.com. Follow the latest developments in open source software, Windows, and data center at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
Read more about networking in InfoWorld's Networking Channel.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts