Active Directory comes to Linux with Samba 4

Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett.

Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols.

Because AD is "far more than LDAP and Kerberos", Bartlett said, Samba 4 is not only about developing with Microsoft's customisation of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager.

"I've been working on Samba 4 for four years to try and provide a way to not run Microsoft servers at the centre of the network, which then leads to the clients," he said. "But I am a realist and we have implemented the logon server for Samba 4."

Bartlett admitted Samba has a "nasty" reputation for being "impossible to configure" and believes Samba 4 should "just work" without administrators needing to read through documentation first.

"For example, in Samba 4 we generate the DNS configuration and have an optional OpenLDAP backend and we have configured this as we know how Samba needs this setup."

Over the past year Samba 4 has added multi-master replication leveraging OpenLDAP, making Samba no longer a single-server implementation.

"Our users have also demonstrated how smart card logins work. I barely had to do anything in Samba 4 to get this to work. There is support for group policy as Windows clients are impossible to manage without it."

Samba also changed its scripting language to Python which Bartlett says should be easier for administrators, and there are bindings for other tools.

Also new is NTP signing support which allows Windows clients to accept a valid time from a linux server, which is needed for Kerberos authentication to work. Microsoft's own NTP signing protocol is non-standard and uses AD. This has been implemented in Samba 4 and "to say the NTP community was not happy is an understatement".

Bartlett said Samba 4 has had a lot of input from system administrators, but still needs more help.

"Samba is not just C anymore and we are doing more in scripting languages to make it more flexible," he said, adding some new features in Windows are easy to add to Samba via scripting.

"My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry. We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the best for security!

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine