Samba 4 appliances by SerNet and Univention
Serves You Right
Samba 4 is an important milestone for the entire IT world with its new Active Directory (AD) functionality. Originally, Samba primarily provided file and print services using the SMB/CIFS protocol on a Linux server; however, the most significant new feature in Samba 4 relates to authentication services.
A Linux server running Samba 4 can provide Active Directory services for a Windows domain without any Microsoft components. Version 3.1 of the Univention Corporate Server (UCS) [1], released in December, ships Samba 4.0rc6, a version the Univention developers have helped develop further, in direct collaboration with the Samba team, since version 4.0rc1.
The Samba 3 version included in UCS for file and print services, or for deploying UCS as an NT domain controller, is 3.6.8. The Samba 4 implementation in the current v0.6 of SerNet's Samba appliance [2] corresponds to the stable release of Samba 4.0 [3].
Samba 4 Structure
A Samba domain comprises at least one Samba 4-based domain controller whose trust context Windows clients can join as members. In the Univention version, UCS member servers can join as well, because Univention integrates both Samba 4 and Samba 3 components into its Corporate Server. A UCS member server does not offer login services itself; its Samba 3-based file or print services, for example, still require UCS domain credentials for logging in.
UCS 3.1
Univention, based in Bremen, Germany, was one of the early adopters [4] of Samba 4, which it integrated more than a year ago into its Debian 6-based UCS. After extensive testing, Univention states that Samba 4 is ready for production use. Besides the Active Directory to Samba 4 migration tool, Univention AD Takeover, Univention offers an Active Directory Connector [5] that lets admins run UCS in parallel with an existing Microsoft Windows Active Directory, which also supports a gradual migration. Incidentally, UCS 3.1 relies on Linux kernel 3.2.30 and, besides acting as an AD domain controller, also handles the other tasks of a small business server.
If you want to follow the steps in this article, you can download a free and not functionally limited version of UCS for personal use [6]. The ncurses-based Basic Setup for UCS, which is designed as an appliance, should not take more than a couple of minutes, especially with the valuable support provided by the UCS 3.1 manual.
After the basic setup, you have to choose Master domain controller under System role to run UCS as a domain controller and for Samba operation; Samba 4 installs only on a UCS domain controller (domain controller master). That said, the Master domain controller option primarily refers to the role of the UCS system as a domain controller in Univention's own UCS domain, an identity management infrastructure built on OpenLDAP; Samba 4 takes on this role too, but integrated with OpenLDAP.
In the next step, the UCS installer asks for the Fully qualified domain name, which it uses in the subsequent Settings step; choose this name carefully. The installer derives the name of the Active Directory domain directly from it (the FQDN minus the host part), along with the suggested LDAP base and Windows domain name. Although you can modify the suggested LDAP base and Windows domain name, you cannot change the name of the AD domain afterward.
When the Univention installer talks about the "Windows domain," it means the system's NetBIOS computer name (see the "NetBIOS Heritage" box). It stores this value in the UCS Configuration Registry (UCR) variable windows/domain regardless of whether the admin actually selects one of the software components for Samba 3 or Samba 4 operation in the last installer step (Software). Additionally, the NetBIOS name is also used as the workgroup name in domain mode.
NetBIOS Heritage
Unlike the AD domain name, the NetBIOS computer name is restricted to a maximum length of 15 characters. NetBIOS is a network protocol used on Windows systems for name resolution and network communication and is implemented in Samba 3 by the nmbd daemon. In the Univention world, the NetBIOS name of a UCS system is the UCS computer name by default.
You can configure a different NetBIOS name as an alias if required using the UCR variable samba/netbios/name. Incidentally, a native AD environment no longer needs NetBIOS services. Although they are still enabled in Univention in a Samba 4 AD environment, you can change this with the samba4/service/nmb UCR variable.
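The derivation the installer performs from the FQDN, together with the 15-character NetBIOS limit from the box above, as an added example in Python (not the UCS installer's own code): given a planned FQDN, it computes the AD domain name, an LDAP base suggestion and the NetBIOS-style names, and warns where the 15-character limit truncates them. The DNS label syntax check, the rule that the Windows domain name is taken from the first label of the AD domain, and the warning about single-label domains are assumptions of this example, not rules quoted from the article.

```python
"""Check a planned UCS FQDN before installation (added example, not UCS code).

Mirrors the article's rules: AD domain = FQDN minus host part, LDAP base
suggested from the domain labels, NetBIOS names limited to 15 characters.
Assumptions (not from the article): RFC 1123 label syntax, Windows domain
name taken from the first label of the AD domain, single-label warning.
"""
from __future__ import annotations

import re

# Assumption: RFC 1123 hostname label (1-63 chars, alnum and '-', no leading/trailing '-').
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
NETBIOS_MAX_LEN = 15  # limit stated in the "NetBIOS Heritage" box


def _labels(fqdn: str) -> list[str]:
    """Normalise an FQDN (lower-case, strip trailing dot) and validate its labels."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"{fqdn!r} is not fully qualified (need at least host.domain)")
    bad = [label for label in labels if not _LABEL_RE.match(label)]
    if bad:
        raise ValueError(f"invalid DNS label(s) in {fqdn!r}: {bad}")
    return labels


def _netbios(label: str, what: str, warnings: list[str]) -> str:
    """Upper-case a label and enforce the 15-character NetBIOS limit, recording truncation."""
    name = label.upper()
    if len(name) > NETBIOS_MAX_LEN:
        warnings.append(f"{what} {name!r} exceeds {NETBIOS_MAX_LEN} characters, truncated")
        name = name[:NETBIOS_MAX_LEN]
    return name


def derive_names(fqdn: str) -> dict[str, object]:
    """Return the names the installer derives from the FQDN plus any warnings."""
    warnings: list[str] = []
    host, *domain = _labels(fqdn)
    if len(domain) < 2:
        # Assumption/caveat of this example: single-label AD domains cause DNS trouble.
        warnings.append(f"single-label AD domain {domain[0]!r}; use at least two labels")
    return {
        "ad_domain": ".".join(domain),                             # fixed once installed
        "ldap_base": ",".join(f"dc={label}" for label in domain),  # editable suggestion
        "windows_domain": _netbios(domain[0], "Windows domain name", warnings),
        "netbios_name": _netbios(host, "NetBIOS computer name", warnings),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample names, not from the article.
    for fqdn in ("dc1.example.intern", "averyveryverylonghostname01.corp.example.org"):
        print(fqdn, "->", derive_names(fqdn))
```

Because the AD domain name cannot be changed after installation, running a check like this on the planned name is cheaper than reinstalling; the warnings list is where the NetBIOS truncation that would otherwise surprise you later shows up.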
In the next step, the installation wizard automatically takes care of partitioning, although manual partitioning is possible. By default, UCS uses a small, 500MB boot partition and assigns the rest of the available space to an LVM volume group. After configuring the bootloader, in the next step you can, and will want to, customize the network configuration. In addition to a static IPv4 configuration, which is recommended for production environments, you can enter a DNS forwarder; this is also recommended in view of the not yet fully resolved DNS problems in Samba.
After configuring the network, the next task is to set up UCS explicitly as a domain controller in the Software step. For Samba 4 operation, you need the Active Directory-compatible domaincontroller (Samba 4) component; alternatively or additionally, the NT-compatible domaincontroller (Samba 3) component is available. Both components can be retrofitted later by installing the univention-samba (Samba 3) or univention-samba4 (Samba 4) packages, but after such a retroactive installation you also need to run univention-run-join-scripts.
On UCS member servers, the installer component goes by the name Windows memberserver (Samba 3/Samba 4); it can also be installed by selecting the univention-samba and winbind packages. The third software component, Active Directory Connector, is designed to let UCS synchronize bidirectionally or unidirectionally with an AD domain running on a native Microsoft Windows server (Figure 1). Univention also recommends activating NTP packet signing on all Samba domain controllers, because precise time synchronization is essential for correct authentication via Kerberos.
UCS maintains and uses two directory services in Active Directory mode. Because Samba 4 manages its user accounts entirely in its own directory, the internal univention-s4-connector system service takes care of synchronization between the OpenLDAP-based directory service on the UCS and Samba. Status information can be found in the log file /var/log/univention/connector-s4.log. For example, if you use the Windows remote administration tools to create a user in Active Directory (Samba 4), the user is automatically created in OpenLDAP as well. Incidentally, the Univention Installer installs univention-s4-connector automatically when you select the Master domain controller or Backup domain controller system role. If you install the Samba packages manually, you also need to install the univention-s4-connector package manually. This completes the configuration of the AD domain controller in UCS to the point where Windows clients can join the Active Directory domain.
When users log on to an NT domain in Samba 3 mode, UCS authenticates them against its LDAP directory service on the basis of username and password; Windows clients (XP onward) in such NT domains use the NTLMv2 protocol. If, however, the Windows client on which the user logs in has joined a Samba 4 domain, the client is automatically issued a Kerberos ticket, which it uses for all further authentication and which forms the sole basis for access to all of the domain's resources.
Advanced Configuration
From a practical point of view, the Samba 4 configuration is by no means finished at this point: In everyday operation, the admin also needs to configure the authentication service in detail, create computer and user profiles, set up file and print services and, in particular, take care of automatically exporting the users' home directories. These details are beyond the scope of this article. That UCS provides comprehensive support for these tasks through its management interface and system variables is laudable, but rating it here would not do justice to the two products' objectives: UCS sets out to provide a small business server with Active Directory support for production use, whereas the SerNet Samba appliance is purely a Samba 4 test setup.
The file services provided by UCS support ACLs on CIFS shares, provided the underlying filesystem on the Samba server also supports them (as ext3, ext4, and XFS do); Windows clients can then use these ACLs as well. Samba 4 can optionally provide file services either with its own virtual file server, NTVFS (which requires a filesystem with xattr support), or with the embedded Samba 3 file server, S3FS.
Best practice is to separate file and print services from authentication services anyway. If the authentication services run on a separate Samba 4-based domain controller, many admins will tend, like the Univention developers, to use the mature Samba 3 as the file and print server, which ensures, among other things, that high load on a file server does not interfere with the login service.