Samba 4 appliances by SerNet and Univention

Serves You Right

SerNet Samba 4 Appliance

SerNet, out of Göttingen, Germany, is a systems integrator that focuses on open source, security, and Samba-related services in particular. SerNet develops Samba in collaboration with the Samba team on its initiative and on customer order; it is also the only systems integrator that provides members to the Samba core team. Among other things, the team from Göttingen has developed an easy-to-deploy, Debian-based [7] Samba appliance that gives admins a convenient option for testing the features supported by the new version of Samba 4.

Version 0.1 first aired at CeBIT last year and has been officially downloadable since May 2012; however, it was still based on the Samba 4 preview. SerNet migrated its Samba appliance to the stable Samba 4 shortly after the release of the final version.

The version 0.6 appliance has been available for download with stable Samba 4 support since December 2012 and provides the ability to set up an Active Directory domain controller on a Debian server in a few simple steps. At this year's CeBIT, SerNet introduced an enhanced version of its appliance that integrates Zarafa and Opsi. AD schema files for Zarafa support are already included in version 0.6.

Windows admins typically use the graphical dcpromo.exe tool to set up a domain controller or promote a standard Windows server, but Samba admins typically have to resort to the command line. The core of the SerNet Samba appliance, however, is a graphical dcpromo wizard for provisioning Samba 4, which is part of the installation procedure of the appliance but can also be launched retroactively at any time to configure a new setup.

The SerNet appliance is based on Debian 6 and relies on kernel 3.2.0 from the Debian backports with support for Microsoft Hyper-V. The appliance uses the embedded S3FS file server, instead of Samba 4's own NTVFS, which starts the SMB daemon from Samba 3 within Samba 4 so that Samba 3 tools such as smbstatus, smbpasswd, and smbclient still work. This is the default behavior of Samba 4. Furthermore, the internal NTP server on Samba 4 synchronizes the system time, which is vital for Kerberos authentication.

The fastest approach to automatic installation is to run the standard Debian installer. The automated installation in text mode overwrites the entire disk during partitioning. If no DHCP server is found, the installer offers to let you configure the network manually, which is especially important for production use. At the end of the basic installation, the system creates the sernet user account on the appliance and configures it by default for an automatic login after reboot. Alternatively, you can set an individual password. The root password is root and should be changed after the first login.

Next, the installer starts the dcpromo script to set up the Active Directory domain controller. The tool can be launched retroactively by clicking the desktop icon to initiate a complete reconfiguration of Active Directory. In the first three steps, the script prompts you for the domain controller hostname (DC by default) and the full realm, from which the AD domain name is derived by removing the hostname. Also, dcpromo derives a proposed NetBIOS name from the realm.

Then dcpromo prompts you for a password for the administrative account, Administrator . After this, the script then offers to set up a DNS forwarder for queries that cannot be answered the by Samba 4's internal DNS. Besides the NTP server, Samba 4 also includes an internal DNS service. However, according to the SerNet experts, this has not always been reliable. To complete the configuration, dcpromo lists the settings for the domain controller, which will result in all active Samba services stopping, in case of re-configuration (Figure 2). The script then configures all necessary Samba services with the selected data. On completion, dcpromo outputs the main domain parameters  – NetBIOS domain, DNS domain, and domain SID – and restarts the Samba service.

Figure 2: At the end, dcpromo outputs an overview of the selected settings.

Although this completes the configuration of the domain controller, and Windows 7 clients/users can now join the domain, the dcpromo script offers the option of installing Zarafa AD schema extensions in the next step. Anyone planning to deploy Zarafa groupware on the Samba 4 machine will want to take this opportunity to allow Zarafa users to authenticate against AD later on.

Joining In

Now that the domain controller is ready for use, the admin can join the trust context of the domain with an appropriate Windows client. To join the AD domain, you just need to log in as with any native Microsoft domain. To do so, go to Control Panel | System and Security | System , press Change settings in the Computer name, domain, and workgroup settings section, and select Change again and enter the FQDN of the desired AD domain (realm).

If the realm is accessible to the system, based on the chosen network configuration (see below), a logon dialog box for the domain appears, and you can sign in with the previously configured administrator account (Figure 3).

Figure 3: Once the Samba domain controller is running, suitable Windows clients can join the trust context of the domain.

A join will only work reliably and without any additional configuration if you add the IP address of the SerNet Samba appliance or the UCS as the DNS server setting in the IP configuration of the client's network adapter. A quick review of the Network and Sharing Center should confirm that the join worked.

After a reboot, you can log in to the domain as an administrative user. When logging in, a little trick is required if the "Administrator" account also exists locally. When you press Change user… to switch from the local login to the domain login, Windows will change back to the local login dialog when you type the last letter "r" in Administrator , but if you use the <domain name>\<administrator> format instead, the domain login will work.

Windows Explorer now also has a function to Search Active Directory under Network . You can use it to search the directory service for Users, Contacts, and Groups Computers , Printers , and Shared folders (Figure 4). The remaining configuration can be done either with the built-in Samba 4 command-line tools or with the standard Windows administration tools.

Figure 4: In domain mode, you can search for objects in AD with Windows Explorer.

Conclusions

Both the SerNet appliance and the Univention Corporate Server can be set up with little effort to provide an Active Directory domain controller based on Linux. The SerNet appliance is designed for test installations and relies on the latest stable version of Samba 4.0. Univention's UCS uses Samba version 4.0rc6, which was further developed by Univention in collaboration with the Samba team. It is based on the previous pre-release versions and has been tested for production use.

A direct comparison of the products would be meaningless because UCS provides a complete, web-manageable small business server. The SerNet appliance uses the embedded Samba 3 file server, S3FS, to provide file and print services, whereas Univention runs Samba 3.6.8 in parallel for file services. Univention also offers a migration tool from Microsoft AD to Samba 4 and an Active Directory Connector for cooperation with an existing Microsoft domain controller.

The Author

Thomas Drilling has been a full-time freelance journalist and editor for science and IT magazines for more than 10 years. He and his team make contributions on the topics of open source, Linux, servers, IT administration, and Mac OS X. Drilling is also a book author and publisher, advises small and medium-sized enterprises as an IT consultant, and lectures on Linux, open source, and IT security.

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus