
[Samba] Samba 3.0 and Active Directory Replication


John Brown

Jul 12, 2003, 12:40:10 PM

I have been following the development of Samba 3.0 with great interest.
There is something that still confuses me.

Can Samba 3.0 join a Windows 2000 network as a domain controller and
replicate Active Directory information with existing Windows 2000 domain
controllers?

If Samba 3.0 is the only domain controller on a network with Windows 2000/XP
clients, will the clients see it as a domain controller running Active
Directory?

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba

John H Terpstra

Jul 12, 2003, 1:20:11 PM

On Sat, 12 Jul 2003, John Brown wrote:

> I have been following the development of Samba 3.0 with great interest.
> There is something that still confuses me.
>
> Can Samba 3.0 join a Windows 2000 network as a domain controller and
> replicate Active Directory information with existing Windows 2000 domain
> controllers?

NO! I hope that is clear.

When you hear "Active Directory" you should immediately think, "Oh, that's
LDAP plus Kerberos - with Microsoft proprietary extensions of course."

When you hear "Domain Control" you should immediately think, "Oh, that
means a CIFS (common internet file system) server."

Samba is a CIFS server. Got that? It's a CIFS file and print server.

OpenLDAP and Kerberos are services that can substitute for Microsoft
Active Directory. Got that too? These bits handle the authentication
backend technology. Where it gets messy is that with the introduction of
Kerberos authentication Microsoft married this into the CIFS server
functionality.

Samba is NOT a Kerberos (KDC) server.

Samba is not an LDAP server.

Now to add to this, Samba-3.0.0 CAN work fine with an LDAP backend, and
also within an MIT Kerberos, or a Heimdal Kerberos, environment. These
provide 'alternatives' to Active Directory, but are not the same as Active
Directory. For example, none of the Active Directory administration tools
that come with Windows XP Pro will work against the "Samba-3.0.0 +
OpenLDAP + Kerberos" combination.

Microsoft Windows 200x Active Directory CAN be used apart from the CIFS
server functionality. This allows native UNIX / Linux clients to use an
Active Directory server for Kerberos based authentication. It's very messy
- but it can be done.

The answer to your question is:

1. Samba-3.0.0 can natively join an Active Directory as a MEMBER server

2. Samba-3.0.0 can natively join an Active Directory as a MEMBER server
that does have domain control capability.

3. Samba-3.0.0 CAN NOT participate in Active Directory Replication AT ALL!

At this time the Samba-3.0.0 domain controller will function as a Windows
NT4 style domain controller.

Samba can use an LDAP authentication backend, this effectively substitutes
for the registry based User Accounts part of the NT4 SAM (security account
manager).


> If Samba 3.0 is the only domain controller on a network with Windows 2000/XP
> clients, will the clients see it as a domain controller running Active
> Directory?

If Samba-3.0.0 is configured as a domain controller with Windows 200x/XP
clients these clients can work fine as domain members. There are some
compromises that you must accept, none of these are serious issues. For
example


- John T.
--
John H Terpstra
Email: j...@samba.org

John Brown

Jul 12, 2003, 5:40:05 PM

John,

You said,

"If Samba-3.0.0 is configured as a domain controller with Windows 200x/XP
clients these clients can work fine as domain members. There are some
compromises that you must accept, none of these are serious issues."

Please clarify these compromises.

"At this time the Samba-3.0.0 domain controller will function as a Windows
NT4 style domain controller".

Do you mean that it will work as a BDC and keep a non-writeable duplicate
of the SAM database?

"NO! I hope that is clear".

Clear as a bell. Are there any plans to add this functionality in the
future?

Thank you.

"John H Terpstra" <j...@samba.org> wrote in message
news:Pine.LNX.4.50.030712...@dp.samba.org...

John H Terpstra

Jul 13, 2003, 2:40:04 AM

On Sat, 12 Jul 2003, John Brown wrote:

> John,
>
> You said,
>
> "If Samba-3.0.0 is configured as a domain controller with Windows 200x/XP
> clients these clients can work fine as domain members. There are some
> compromises that you must accept, none of these are serious issues. "
>
> Please clarify these compromises.

1. No machine policy files
2. No Group Policy Objects
3. No synchronously executed AD logon scripts
4. Can't use ANY Active Directory management tools to manage users and
machines
5. Registry changes tattoo the main registry, while with AD they do NOT
ie: Leave permanent changes in effect
6. Without AD you can not perform the function of exporting specific
applications to specific users or groups

Is that sufficient for now?


> "At this time the Samba-3.0.0 domain controller will function as a Windows
> NT4 style domain controller".
>
> Do you mean that it will work as a BDC and keep a non-writeable duplicate
> of the SAM database?

Nope. A Samba BDC can use a common LDAP backend (ie: the same as the one
used by the PDC). But Samba-3 does NOT provide all the services and
protocol capabilities of an MS Windows 200x server. Samba-3 does not
implement many of the advanced RPC calls that MS products do.


> "NO! I hope that is clear".
>
> Clear as a bell. Are there any plans to add this functionality in the
> future?

Please clarify your question. Are you asking, "Will samba integrate
OpenLDAP and Kerberos and will it become an Active Directory server?"

No! Not at this time. To do this will require changes that cross over into
all three projects (samba, openldap and kerberos (MIT or Heimdal)). Some
of the changes required may not fit the goals and objectives of all three
projects. The only way to get around the barrier would be to build LDAP
and Kerberos servers into samba. The samba-team is having enough
difficulty just managing samba, I can not imagine how it will deal with a
project that is three times more complex.

- John T.

John Brown

Jul 13, 2003, 1:00:13 PM

Your answers have helped quite a bit. I understand a lot more now.

These compromises are small issues compared to the benefits of Samba. We
use Samba 2.x and we have benefitted from:

Less expensive software
Lower hardware requirements
Significantly fewer reboots
Greater stability
Faster performance

Many companies don't use group policy anyway.

One last thing. We will be using OpenLDAP with Samba 3.0. I have
downloaded the code and have read through the documentation on samba.org.

How does the whole authentication thing work? Do we still need the
/etc/passwd and /etc/samba/smbpasswd files? If so, are there any plans to
have just one password database?

I have read of people using the User Manager for Domains and Server Manager
tools from Microsoft. Where can I get them and what version has been
tested?

What are the differences between the sambaAccount and posixAccount
objectclasses. Why is the posixAccount necessary?

Regards.

"John H Terpstra" <j...@samba.org> wrote in message
news:Pine.LNX.4.50.030713...@dp.samba.org...

paul

Jul 18, 2003, 12:50:09 PM

John Brown wrote:
> Your answers have helped quite a bit. I understand a lot more now.
>
> These compromises are small issues compared to the benefits of Samba. We
> use Samba 2.x and we have benefitted from:
>
> Less expensive software
> Lower hardware requirements
> Significantly fewer reboots
> Greater stability
> Faster performance
>
> Many companies don't use group policy anyway.
>
> One last thing. We will be using OpenLDAP with Samba 3.0. I have
> downloaded the code and have read through the documentation on samba.org.
>
> How does the whole authentication thing work? Do we still need the
> /etc/passwd and /etc/samba/smbpasswd files? If so, are there any plans to
> have just one password database?
you may have read the docu but... anyway replacing /etc/passwd is
achieved by a different NSS source (could be ldap, nis, whatever). If
you gonna use LDAP as SAM backend you don't need /etc/samba/smbpasswd
anymore. (you need nss_ldap and possibly pam_ldap from padl.com)

>
> I have read of people using the User Manager for Domains and Server Manager
> tools from Microsoft. Where can I get them and what version has been
> tested?

from microsoft?


>
> What are the differences between the sambaAccount and posixAccount
> objectclasses. Why is the posixAccount necessary?

see above, for every samba group/user/machine you need a corresponding
entity on the unix side to map access rights (filesystem). Think of
posixAccount as a template for a system user in your directory,
sambaAccount extends this object to hold the samba specific attributes.
>
> Regards.
>
greetings
paul
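A small consistency check for the mapping paul describes (every Samba user or machine needs a unix-side entry to map filesystem rights), as an added example that is not code from the thread or from Samba. It assumes an LDIF export using RFC 2307 posixAccount plus the Samba 2.2-era sambaAccount objectclass named above; the sample entries are constructed.

```python
# Added example: check an LDIF export for the unix/samba mapping paul describes.
# Assumptions (not from the thread): entries use RFC 2307 posixAccount plus the
# Samba 2.2-era sambaAccount objectclass; the LDIF below is constructed.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaAccount
uid: alice
uidNumber: 1001
rid: 3002

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1001

dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: sambaAccount
uid: ws01$
rid: 5000
"""

def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, attr -> list of values."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def check_mapping(entries):
    """Return (dn, problem) pairs: Samba accounts lacking a unix identity to map
    filesystem rights to, and uidNumbers shared by more than one entry."""
    problems, seen = [], {}
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "sambaaccount" in classes and "posixaccount" not in classes:
            problems.append((dn, "sambaAccount without posixAccount"))
        for uidn in e.get("uidNumber", []):
            if uidn in seen:  # two DNs with one uidNumber share a filesystem identity
                problems.append((dn, f"uidNumber {uidn} already used by {seen[uidn]}"))
            seen.setdefault(uidn, dn)
    return problems
```

Running check_mapping(parse_ldif(SAMPLE_LDIF)) flags bob's duplicate uidNumber and the ws01$ machine account that has no posixAccount half.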

Jamrock

Jul 19, 2003, 10:40:04 AM

Hi Paul,

> you may have read the docu but... anyway replacing /etc/passwd is
> achieved by a different NSS source (could be ldap, nis, whatever). If
> you gonna use LDAP as SAM backend you don't need /etc/samba/smbpasswd
> anymore. (you need nss_ldap and possibly pam_ldap from padl.com)

Fine. I am currently going through the 385 page Samba manual. Where can I
find more info. about the other NSS sources? What are the
advantages/disadvantages of using another one?

With Samba 2.x we need to create the user in two places. I was just
checking to see if we could now create the user in just one.

Regards.

"paul" <pa...@subsignal.org> wrote in message
news:bf95lh$p5n$1...@main.gmane.org...

Buchan Milne

Jul 21, 2003, 7:00:06 AM


> Message: 1
> Date: Sat, 19 Jul 2003 09:05:44 -0400
> From: "Jamrock" <dmc_j...@yahoo.com>
> Subject: [Samba] Re: Samba 3.0 and Active Directory Replication
> To: sa...@lists.samba.org
> Message-ID: <bfbkl3$7r2$1...@main.gmane.org>


>
> Hi Paul,
>
>
>>> you may have read the docu but... anyway replacing /etc/passwd is
>>> achieved by a different NSS source (could be ldap, nis, whatever). If
>>> you gonna use LDAP as SAM backend you don't need /etc/samba/smbpasswd
>>> anymore. (you need nss_ldap and possibly pam_ldap from padl.com)
>
>
> Fine. I am currently going through the 385 page Samba manual. Where can I
> find more info. about the other NSS sources? What are the
> advantages/disadvantages of using another one?
>

This is probably one of the better documents on LDAP available at present:

http://www.mandrakesecure.net/en/docs/ldap-auth2.php

BTW, NIS is mostly of academic value now, people still running NIS will
likely be looking to migrate to LDAP in the future.

> With Samba 2.x we need to create the user in two places. I was just
> checking to see if we could now create the user in just one.
>

This is not entirely true ...

http://www.mandrakesecure.net/en/docs/samba-pdc.php

This one may also be interesting:
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7


paul

Jul 21, 2003, 10:50:11 AM

Jamrock wrote:
> Hi Paul,
>
>
>>you may have read the docu but... anyway replacing /etc/passwd is
>>achieved by a different NSS source (could be ldap, nis, whatever). If
>>you gonna use LDAP as SAM backend you don't need /etc/samba/smbpasswd
>>anymore. (you need nss_ldap and possibly pam_ldap from padl.com)
>
>
> Fine. I am currently going through the 385 page Samba manual. Where can I
> find more info. about the other NSS sources?
(applies to linux) look at /etc/nsswitch.conf and the corresponding
manpage, search google for nss. There are various modules out there
(found one for mysql and radius).

> What are the
> advantages/disadvantages of using another one?
Depends on your situation, if you already have users in mysql... but if
you're starting from scratch, I'd recommend LDAP, as it provides nice
features (replication, ACL's, authentication via SASL, TLS support,...)
I don't like NIS, it's very insecure, NIS+ might be better but I haven't
looked at it.

>
> With Samba 2.x we need to create the user in two places. I was just
> checking to see if we could now create the user in just one.
Yes. You can hold all info in your directory, replicate it for security
and redundancy and let all your sambas authenticate against it (better
use TLS for that ;)). With the hooks given by samba ( add user script,
add machine script..) it is easier to automate most of the daily tasks.

hope this helps
Paul


>
> Regards.

Xavier Nicollet

Jul 21, 2003, 11:30:14 AM

On 21 July 2003 at 16:49, paul wrote:
> >With Samba 2.x we need to create the user in two places. I was just
> >checking to see if we could now create the user in just one.
> Yes. You can hold all info in your directory, replicate it for security
> and redundancy and let all your sambas authenticate against it (better
> use TLS for that ;)). With the hooks given by samba ( add user script,
> add machine script..) it is easier to automate most of the daily tasks.

Does someone have a link to a script that would add a user?
Tell me if I am wrong, but we must first add a unix user and then use
pdbedit to add the samba stuff in LDAP.

Is this correct with samba 3 beta ?

--
Nicollet Xavier
EFREI Linux: http://www.linux.efrei.fr/
