January 21, 2009, 1:59 PM — Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett.
Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols.
Because AD is "far more than LDAP and Kerberos", Bartlett said, Samba 4 is not only about developing with Microsoft's customisation of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager.
"I've been working on Samba 4 for four years to try and provide a way to not run Microsoft servers at the centre of the network, which then leads to the clients," he said. "But I am a realist and we have implemented the logon server for Samba 4."
Bartlett admitted Samba has a "nasty" reputation for being "impossible to configure" and believes Samba 4 should "just work" without administrators needing to read through documentation first.
"For example, in Samba 4 we generate the DNS configuration and have an optional OpenLDAP backend and we have configured this as we know how Samba needs this setup."
Over the past year Samba 4 has added multi-master replication leveraging OpenLDAP, making Samba no longer a single-server implementation.
"Our users have also demonstrated how smart card logins work. I barely had to do anything in Samba 4 to get this to work. There is support for group policy as Windows clients are impossible to manage without it."
Samba also changed its scripting language to Python which Bartlett says should be easier for administrators, and there are bindings for other tools.
Also new is NTP signing support which allows Windows clients to accept a valid time from a linux server, which is needed for Kerberos authentication to work. Microsoft's own NTP signing protocol is non-standard and uses AD. This has been implemented in Samba 4 and "to say the NTP community was not happy is an understatement".
Bartlett said Samba 4 has had a lot of input from system administrators, but still needs more help.
"Samba is not just C anymore and we are doing more in scripting languages to make it more flexible," he said, adding some new features in Windows are easy to add to Samba via scripting.
"My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry. We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the best for security! Samba now has a conversion logic that handles random characters and is then doing normal Kerberos functions on it."
Bartlett said the Samba team now has a good relationship with Microsoft and the password bug was never in any of its documentation so "they never thought it existed".
Microsoft has also provided a copy of its AD schema which can be worked around by the Samba team.
"We still need a lot of help. For example, how much more do we need to do to support Exchange? Letting me know what works and what doesn't is incredibly valuable."
If people want a Web interface to Samba 4 that is something the community may have to develop. Bartlett said there have been efforts to do this in the past, but they have been removed due to lack of support.
The road ahead
"I work for Red Hat and have been asked to work on domain trusts and have had limited success," Bartlett said. "We are also going to work on replication and we need some sort of migration process. We have the technology for it, but not an implementation yet."
Bartlett doesn't know when Samba 4 will be released as "we don't know what people need".
"If the level of functionality is there we will make a release. The code is quite solid but there are gaps in the functionality," he said. "Also, Samba 4 doesn't do all the things that Samba 3 does as it has taken a different path. In the meantime, about every 3 months, I will put out an alpha release."
The final aim is LDAP application portability from Windows AD to Samba 4.
Other features yet to be ported to Samba 4 are authenticating Linux and Unix clients which is still done with Samba 3 and a print server, also done in Samba 3.
If the demand is there Bartlett said he will consider releasing a "Samba Active Directory 1.0" release for use as an AD alternative.
