One of the other big uses for Active Directory is in the area of GPO (group policy objects) and permissions. Samba 4.0 fully supports GPO settings for both computers and users. Group policy is especially useful for such capabilities as blocking access to Control Panel on a Windows machine so that normal users can't alter settings or install software. When you create a group policy, it is tied to a specific OU (organizational unit). Once set it applies to all computers or users in that OU.
The Microsoft Group Policy Management Editor provides the means to create or edit a group policy that will be attached to a specific domain. Figure 2 shows the GP Demo policy for the Linux.tstsamba.com domain and the default rules. You can restrict specific pieces of Control Panel such as the Add or Remove Programs feature, or choose to prohibit access to the Control Panel altogether.
Figure 2: Viewing the GP Demo group policy through the Microsoft Group Policy Management Editor.
Another management option is Webmin. This freely available tool installs on the system running the Samba 4 server and provides a Web-based interface to manage a wide range of internal server settings (add administrators and users, create new file shares, share printers, allow and deny hosts) and software. I was able to get it running on the Samba 4 appliance with just a few minor tweaks to the configuration settings. Figure 3 shows the Webmin Samba module, which includes an icon labeled SWAT (Samba Web Administration Tool). This is the native Samba management tool (see Figure 4), which handles all of the traditional Samba user administration and server settings.
In short, Samba does not yet offer GUI tools for managing the Domain Controller or GPO settings from Unix or Linux, but there are Python-based hooks into the internals of Samba 4 that should make these easy to build.
Figure 3: The Webmin GUI on Samba (above) and Figure 4: The native Samba Web Admin Tool (below).
The bottom lineSamba 4.0 is definitely a zero point release, meaning it still has some growing and maturing to do. It is a good first step in providing a completely open source solution that mirrors much of Microsoft's Active Directory core functionality. Although the Domain Controller in Samba 4.0 appears to be stable, the single-domain limitation currently restricts it to small deployments. An obvious use case would be in education and training, where Samba 4.0 would provide a good platform for teaching domain administration. But in the real world, most small workgroups for which the Samba Domain Controller is suited will choose to do without.