Active Directory, Mac OS X Server, Unix

Samba 4: A Poor Man's Active Directory

Today I pulled down the Samba 4 binaries and installed them using the instructions the developers are slowly building on the Samba 4 wiki. Overall it was a fairly painless experience, although I do believe I have a couple of bug reports to file (not surprising, considering it is not out yet).

Overall I found the process to be far easier than it has been in the past. The Samba team seems to realize that in order for Samba 4 to compete with Active Directory, it needs to integrate really well into the *nix server ecosystem. For example, as with Active Directory, you can choose to have Samba integrate into your DNS infrastructure. However, the instructions call for manually editing the BIND configuration to enable GSSAPI-authenticated (GSS-TSIG) dynamic updates so that BIND accepts the updates from Samba, and they have you comb through comments in the config files, a potentially daunting process. But once it was done I found that the service (SRV) records typically required for an Active Directory environment had been built out for me and were easily managed.

One place where things are really well done is the integration between Samba 4 and the Active Directory administration tools. The wiki clearly explains how to install the tools and then use them to manage objects and policies within Samba's version of Active Directory. There is also the promise of SWAT integration, but it is not yet ready for production, so from a GUI standpoint you will still need the Windows tools for most things; SWAT is partially available and does allow GUI administration of a number of items without reverting to the Microsoft tools. Further development and integration of SWAT, or of a different product (which seems more likely), will be critical to divorcing Samba 4 from the Windows administration tools and having it prosper more fully in the community.

While the Samba team promises a more consistent and tightly integrated relationship between OpenLDAP and Samba, this is one place where the code doesn't seem to be finished. For example, the documentation is still fairly non-existent, but supposedly you can leverage OpenLDAP as the backend to do multi-master replication with Samba. The lack of multi-master replication is something that kills a lot of potential Samba rollouts, so this would be a great feature, but the implementation is not yet clear. The same goes for Kerberos single sign-on. I thought I was able to get it to work, but alas, I was mistaken. I'll keep trying to figure this piece out and hopefully report back more on it in the future.

The new NTP signing feature is nice, although if you have clients that do not support NTP signing then it can be a bit of a cause for concern. Windows clients worked easily, right out of the box. I ended up using NTP authentication rather than signing, without an issue, and was able to get Mac OS X to use the NTP server with a little configuration of the ntp.conf file on the Mac. However, once bound, I had to create a few service records to get Mac OS X to join the domain properly.
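To make the two NTP options concrete, here is an added configuration example (not from the post or the Samba wiki) showing a DC-side ntp.conf that serves signed replies to Windows clients and shared-key authenticated replies to everything else, next to a client-side ntp.conf in its unauthenticated and authenticated forms. The hostnames, key id, secret and file paths are assumed; the ntp_signd socket directory in particular varies with how Samba was built.

```conf
# ---- /etc/ntp.conf on the Samba 4 domain controller (added example) ----
driftfile /var/lib/ntp/ntp.drift

# Upstream source.  The DC has to be close to real time or Kerberos
# authentication fails with clock-skew errors (default tolerance 5 min).
server 0.pool.ntp.org iburst
restrict 0.pool.ntp.org nomodify notrap nopeer noquery

# Clients may only query time.  "mssntp" enables MS-SNTP signed replies,
# which Windows domain members request; without that flag the line would
# read "restrict default kod nomodify notrap nopeer" and those clients
# would not accept the unsigned answers.
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1

# Socket through which ntpd asks Samba to sign replies.  The directory is
# reported by "samba -b | grep NTP_SIGND_SOCKET_DIR"; ntpd must be built
# with --enable-ntp-signd and run as a user able to read that directory.
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/

# Symmetric-key authentication for clients that do not do MS-SNTP signing
# (the Mac OS X case).  /etc/ntp.keys holds one line per key, e.g.
# "1 M s3cret" (key id 1, MD5 keyed digest, assumed secret), mode 0600.
keys /etc/ntp.keys
trustedkey 1

# ---- /etc/ntp.conf on the Mac OS X client (added example) ----
# Weak form: unauthenticated.  Anything that can answer as dc1 can move
# the clock, and with it the window in which Kerberos tickets are valid.
#server dc1.example.lan iburst

# Authenticated form: the same key id 1 and secret as on the DC.
keys /etc/ntp.keys
trustedkey 1
server dc1.example.lan key 1 iburst
```

After restarting ntpd on the client, `ntpq -p` should list dc1 with a reach value climbing toward 377; if the key or secret does not match the DC's, the peer stays at reach 0 and the client never syncs, which is the failure mode to look for before blaming Samba.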

One thing I can say is that if you are interested in Active Directory, you might learn more about it by building out a Samba 4 infrastructure than by taking the Active Directory certifications, because you will begin to understand what is going on in the back end. If you cannot bind a Mac OS X client to your faux Active Directory and you, let's say, fire up Wireshark to try and figure out why, you'll notice that something is missing: maybe repeated attempts to enumerate something, throwing DNS requests all over the place. To fix it you will suddenly need to understand what each of those records is there for and what values to populate them with. Likewise, you might find that you understand what FSMO roles are really for when you have to essentially integrate a completely different piece of technology for each of them. This kind of research will teach you more than you might expect.
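As an added example (not code from the post or from the Samba project), the following Python script captures the checklist behind those Wireshark sessions and behind the service records mentioned earlier: it builds the list of SRV records a domain controller is expected to register, notes what each is for, and checks a BIND-style zone file for names that are missing or registered on the wrong port. The domain example.lan, the site name, the domain GUID and the zone contents are constructed sample values.

```python
"""Check a DNS zone for the SRV records an Active Directory DC locator expects.

Added example, not Samba project code.  The zone, domain, site and GUID
below are constructed sample values.
"""
import re

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.I)


def required_srv_records(domain, site="Default-First-Site-Name", domain_guid=None):
    """Return {fqdn: (expected_port, purpose)} for the SRV names a DC registers."""
    d = domain.rstrip(".")
    msdcs = f"_msdcs.{d}"
    recs = {
        f"_ldap._tcp.{d}": (389, "LDAP, any DC in the domain"),
        f"_ldap._tcp.dc.{msdcs}": (389, "LDAP, DC locator"),
        f"_ldap._tcp.pdc.{msdcs}": (389, "LDAP, PDC emulator (FSMO role holder)"),
        f"_ldap._tcp.gc.{msdcs}": (3268, "LDAP against the global catalog"),
        f"_gc._tcp.{d}": (3268, "global catalog"),
        f"_kerberos._tcp.{d}": (88, "Kerberos KDC over TCP"),
        f"_kerberos._udp.{d}": (88, "Kerberos KDC over UDP"),
        f"_kerberos._tcp.dc.{msdcs}": (88, "Kerberos KDC, DC locator"),
        f"_kpasswd._tcp.{d}": (464, "Kerberos password change over TCP"),
        f"_kpasswd._udp.{d}": (464, "Kerberos password change over UDP"),
        # Site-scoped variants let a client prefer a DC in its own site.
        f"_ldap._tcp.{site}._sites.{d}": (389, "LDAP, site-scoped"),
        f"_ldap._tcp.{site}._sites.dc.{msdcs}": (389, "LDAP DC locator, site-scoped"),
        f"_kerberos._tcp.{site}._sites.dc.{msdcs}": (88, "Kerberos, site-scoped"),
        f"_gc._tcp.{site}._sites.{d}": (3268, "global catalog, site-scoped"),
    }
    if domain_guid:
        recs[f"_ldap._tcp.{domain_guid}.domains.{msdcs}"] = (389, "LDAP, domain located by GUID")
    return recs


def parse_zone_srv(zone_text):
    """Return {owner_fqdn: [(priority, weight, port, target), ...]} from zone text."""
    origin, records = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = SRV_LINE.match(line)
        if not m:                                     # $TTL, A, NS, ... are ignored
            continue
        owner = m.group(1)
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}" if origin else owner
        records.setdefault(fqdn.lower(), []).append(
            (int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5).rstrip(".")))
    return records


def check_zone(zone_text, domain, **kw):
    """Return {fqdn: problem} for required names that are missing or on the wrong port."""
    present = parse_zone_srv(zone_text)
    problems = {}
    for name, (port, purpose) in required_srv_records(domain, **kw).items():
        rrs = present.get(name.lower())
        if not rrs:
            problems[name] = f"missing ({purpose})"
        elif all(rr[2] != port for rr in rrs):
            found = sorted({rr[2] for rr in rrs})
            problems[name] = f"port should be {port}, found {found} ({purpose})"
    return problems


# Constructed sample zone: dc1 registered most records, but the site-scoped
# GC record and the GUID-based record are absent, and _kpasswd._udp carries
# the Kerberos port instead of 464.
SAMPLE_GUID = "6d4b6a5e-3f2a-4c1b-9e7d-0a1b2c3d4e5f"   # made-up domain GUID
SAMPLE_ZONE = """\
$ORIGIN example.lan.
$TTL 900
_ldap._tcp                 IN SRV 0 100 389  dc1.example.lan.
_ldap._tcp.dc._msdcs       IN SRV 0 100 389  dc1.example.lan.
_ldap._tcp.pdc._msdcs      IN SRV 0 100 389  dc1.example.lan.
_ldap._tcp.gc._msdcs       IN SRV 0 100 3268 dc1.example.lan.
_gc._tcp                   IN SRV 0 100 3268 dc1.example.lan.
_kerberos._tcp             IN SRV 0 100 88   dc1.example.lan.
_kerberos._udp             IN SRV 0 100 88   dc1.example.lan.
_kerberos._tcp.dc._msdcs   IN SRV 0 100 88   dc1.example.lan.
_kpasswd._tcp              IN SRV 0 100 464  dc1.example.lan.
_kpasswd._udp              IN SRV 0 100 88   dc1.example.lan.   ; wrong port
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 dc1.example.lan.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 dc1.example.lan.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88  dc1.example.lan.
"""

if __name__ == "__main__":
    for name, why in sorted(check_zone(SAMPLE_ZONE, "example.lan", domain_guid=SAMPLE_GUID).items()):
        print(f"{name}: {why}")
```

Against a live DC the same names can be queried one at a time with `dig SRV _ldap._tcp.dc._msdcs.example.lan` (or `host -t SRV`); the GUID in the domains._msdcs name is the domain's objectGUID, and the site-scoped names use the site the client believes it is in, which on a fresh provision is Default-First-Site-Name.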

Overall, if you are going to put something like Samba 4 in production right now you might have a lot of growing pains. When it's ready and released, then for Active Directory (or potential Active Directory) environments that don't use the full complement of Windows services it might very well be worth considering. However, it currently doesn't support Exchange or other products that require extending the LDAP schema, so you might end up doing a considerable amount of manual schema extension to support them. The lack of a comprehensive set of GUI tools will keep a lot of Windows administrators away from Samba 4, but when their executives compare the steep cost of CALs to an open source tool, I'm guessing that some are going to start projects to determine whether Samba 4 can work for them.

Note: None of this would make and build properly in Mac OS X. I did all of my testing on a Red Hat VM using the source downloaded with the following:
rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba-master