Microsoft

SolutionBase: Samba 3.0 enhances Windows and Active Directory integration

Discover how Samba 3.0's features improve--and sometimes limit--Windows 2000 and Windows Server 2003 integration and functionality. Plus, learn how Samba 3 servers can now completely replace Windows NT 4.0 domain controllers.

The folks on the Samba development team have been busy developing the latest version of their popular Linux-Windows integration software. Version 3.0 of the Samba Windows file-sharing software sports a number of enhancements that allow it to play a more useful role in Windows-based networks—even those based on Windows Server 2003.

New features flourish

The Samba team has not rested on their laurels with the success of the 2.x line of software. Indeed, Samba 3 provides a number of compelling new features, particularly dealing with domain integration and functionality.

Among the new domain features in Samba 3 are:

  • The ability to join an Active Directory domain as a member server.
  • The ability to authenticate users using LDAP and Kerberos.
  • Improved printing support, including support for publishing printer attributes in Active Directory.
  • The ability to migrate from a Windows NT4 domain directly to a Samba domain while maintaining SIDs.
  • Better Winbind performance (Samba/domain synchronization).

Important considerations

While Samba 3 greatly improves Samba's place in the Windows world of Active Directory, it's also important to understand Samba 3's limits. First, Samba 3's domain controller functions are limited to acting as NT4-like domain controllers only. Samba 3 cannot presently emulate a Windows 2000 or Windows Server 2003 domain controller running Active Directory. Furthermore, as a result of this, Samba 3 servers can't provide policy objects based on Active Directory, nor can it provide Active Directory-based login scripts.

However, as mentioned in the features list above, Samba 3 can join an Active Directory domain as a member server. For folks looking to eliminate Microsoft servers altogether, but still want Active Directory, this means that Samba isn't your solution. However, if you're looking for a very good, reliable way to achieve your integration goals between your Linux/UNIX servers and Windows Active Directory servers and desktops, then Samba 3 is an excellent solution.

Goals of Samba 3

The Samba 3 design team had a number of goals with regard to the new features that would be added to their product. In particular, the team addressed the areas of security, Active Directory integration, and migration from Windows NT as their primary development goals. Additionally, such "soft" areas as documentation and bug tracking have been improved to make it easier to deploy Samba into larger environments.

Integration

The Samba design team also had the goal of being able to integrate Samba into different environments. To that end, Samba 3 provides improved features to make this easier. Foremost is Samba 3's LDAP capability. With the right packages installed, you can integrate Samba 3 into your iPlanet, Tivoli, or Novell eDirectory infrastructure. Samba 3 can also make use of Microsoft's Active Directory Application Mode (ADAM).

Samba's Winbind application has also undergone (and continues to undergo) changes to make it more useful. The Samba 3 version of Winbind handles communications with NT4 and Active Directory domain controllers as well as authentication and identity management. The new version also maps Windows security identifiers to UNIX user and group IDs.

Even though the architecture and capability of Winbind make it very scalable, it still suffers from potential pitfalls. For example, in order to use the same user and group IDs across all of your Samba servers, you must use an LDAP back end to store the information. Without the LDAP back end, each Samba server has to track its own user and group IDs, and they won't necessarily match. Furthermore, the use of Winbind exposes all of your NT or Active Directory domain users to the Samba server, resulting in potential security concerns.

Vintela Authentication Services

There's a new commercial product you can use in place of (or in conjunction with) Winbind that addresses some of Winbind's shortcomings. Vintela Authentication Services (VAS) also provides authentication and identity management solutions similar to those of Winbind.

Vintela's solution actually uses a Microsoft Management Console to provide management capabilities for Linux/UNIX accounts, including the enabling, disabling, and storing of user and group IDs, along with other Linux/UNIX account information. From a security perspective, Vintela's product also uses secure Kerberos authentication.

The Vintela software keeps current by doing a periodic synchronization between Samba and the domain controller. Vintela works partly by replacing Samba 3.0's default smbpasswd with a version that is downloadable from the Vintela Web site. Refer to Vintela's Samba information page for more details on integrating VAS with Samba 3.0. VAS is licensed both by server and by Linux/UNIX-enabled user account. As of this writing, version 2.4 of VAS is available for trial download; the server license is $200, and user licenses start at $25 in 10-packs. Discounts may be available.

NT domain controller replacement

One of the most useful new features in Samba 3 is its ability to actually replace a Windows NT 4.0 domain controller. Furthermore, Samba 3 fully supports NT4 interdomain trusts and works natively (over TCP/IP) with Active Directory domains. While Samba 3 cannot yet mimic an Active Directory domain controller, these improvements are huge strides for Samba and can provide Windows NT network administrators with a compatible, supported environment to which they can migrate from Windows NT.

This can be particularly useful since NT4 domains are considerably less complex than Active Directory domains, and not everyone needs AD. Furthermore, Samba's nonexistent licensing costs may provide NT administrators with good justification for moving from a soon-to-be-unsupported NT environment to a new Samba 3 domain, without losing the ability to make integrated use of Active Directory if needed in the future.

Active Directory native integration

One point of confusion is Samba 3's ability to join Active Directory domains as native members. Samba 2.2 could also join Active Directory domains, but only by using NT4-compatible protocols that might be incompatible with the security requirement of your company. By providing the ability to join an Active Directory domain as a native member, a Samba 3 server can accept Kerberos tickets, a key underpinning of a secure Active Directory infrastructure.

Documentation

The Samba team has released a huge amount of information on configuring Samba in different environments. You can find a full list of the released information at the Samba HOWTO Web site.

Summary

With a focus on Windows NT migration, security, Active Directory integration, and documentation, the Samba team continues to provide Linux/UNIX servers with the ability to fully participate in Windows networks. Some of Samba 3's improvements even offer an NT4-based network the opportunity to migrate completely away from Windows in favor of an open source alternative.

Editor's Picks

Free Newsletters, In your Inbox