Samba 4 appliances by SerNet and Univention
Serves You Right
Samba 4 is an important milestone for the entire IT world with its new Active Directory (AD) functionality. Originally, Samba primarily provided file and print services using the SMB/CIFS protocol on a Linux server; however, the most significant new feature in Samba 4 relates to authentication services.
A Linux server with Samba 4 can provide an Active Directory service for a Windows domain without Microsoft components. Version 3.1 of the Univention Corporate Server (UCS) [1], which was released in December, uses the Samba 4 version 4.0rc6, which was further developed by the Univention developers collaborating directly with the Samba team in version 4.0rc1.
The Samba 3 version is included in UCS for file and print services, or where the UCS is deployed as an NT domain controller, is v3.6.8. The Samba 4 implementation in the current v0.6 of the Samba SerNet appliance [2] is equivalent to the stable version of Samba 4.0 [3].
Samba 4 Structure
A Samba domain comprises at least one Samba 4-based domain controller whose trust context Windows clients can join as members. In the Univention version, UCS member servers also can do this because Univention integrates Samba 4 and Samba 3 components in its Corporate Server. A UCS member server does not offer any login services itself; however, with file or print services based on Samba 3, for example, UCS credentials are needed to log in to a UCS member server.
UCS 3.1
Univention, out of Bremen, Germany, was one of the early adopters [4] of Samba 4, which it integrated more than a year ago into its Debian 6-based UCS. After extensive tests, Univention assures that Samba 4 is ready for production use. Besides the Active Directory to Samba 4 migration tool, Univention AT Takeover, Univention offers an Active Directory Connector [5], which lets admins run UCS in parallel with existing Microsoft Windows Active Directory services, thus also supporting a gradual migration. Incidentally, UCS 3.1 relies on the Linux kernel 3.2.30 and, along with its function as an AD domain controller, also handles other tasks as a Small Business Server.
If you want to follow the steps in this article, you can download a free, not functionally limited, version of UCS for personal use [6]. The ncurses-based Basic Setup for UCS, designed as an appliance, should not take more than a couple of minutes, especially with the valuable support provided by the UCS 3.1 manual.
After the basic setup, you have to choose Master domain controller under System role for the UCS as a domain controller and for Samba operations; Samba 4 will only install on a UCS domain controller (domain controller master). That said, the Master domain controller option primarily relates to the deployment of the UCS as a Domain Controller in Univention's own UCS domain-based infrastructure; an identity management solution that relies on OpenLDAP Samba 4 also does this, but integrates OpenLDAP.
In the next step, the UCS installer requires the Fully qualified domain name for the subsequent Settings step; you should consider this name carefully; the installer derives the domain name from it directly for an Active Directory domain (FQDN minus the host part) and the suggested LDAP base and Windows domain name. Although you can modify the suggested LDAP base and Windows domain names, you cannot change the name of the AD domain.
When the Univention installer talks about the "Windows domain," it means the system's NetBIOS computer name (see the "NetBIOS Heritage" box). It stores this value in the UCS Configuration Registry (UCR) windows/domain variable regardless of whether the admin actually selects one of the software components for Samba 3 or Samba 4 operation in the last installer step (Software). Additionally, the NetBIOS name is also used as the workgroup name in domain mode.
In the next step, the installation wizard automatically takes care of partitioning, although manual partitioning is possible. By default, UCS uses a small, 500MB boot partition and assigns the rest of the available space to an LVM volume group. After configuring the bootloader, in the next step, you can and will want to customize the network configuration. In addition to a static IPv4 configuration, which is recommended for production environments, it is possible to enter a DNS fowarder; this is also recommended in view of the not yet fully resolved DNS problems in Samba.
After configuring the network, the next task is to set up the UCS as a domain controller explicitly in the Software step. For Samba 4 operation, you will need the Active Directory-compatible domaincontroller (Samba 4) component.
Alternatively or additionally available is the NT-compatible domaincontroller (Samba 3) component. Both components can be retrofitted by installing the univention-samba (Samba 3) or univention-samba4 (Samba 4) packages, but you will need to run
univention-run-join-scripts
for a retroactive installation.
On UCS member servers, the Installer component goes by the name of Windows memberserver (Samba 3/Samba 4); it is also installable by selecting the univention-samba and winbind packages. The third software component, Active Directory Connector, is designed to let the UCS sync bidirectionally or unidirectionally with an AD domain running on a native Microsoft Windows server (Figure 1). Univention also recommends activating NTP packet signing on all Samba domain controllers because precise time synchronization is essential for correct authentication via Kerberos.
The UCS maintains and uses two directory services in Active Directory mode. Because the Samba user accounts in Samba 4 are managed entirely by Samba, the internal univention-S4-connector system service takes care of synchronization between the OpenLDAP-based directory service on the UCS and Samba.
Status information can be found in the log file /var/log/univention/connector-s4.log. For example, if you use the Windows remote administration tools to create a user in Active Directory (Samba 4), the user is automatically created in OpenLDAP. Incidentally, the univention-s4-connector is automatically installed by the Univention Installer when you select the Master domain controller and Backup domain controller system roles. If you install the Samba packages manually, you also need to install the univention-s4-connector package manually. This completes the configuration of the AD domain controller in UCS to a point where Windows clients can join the Active Directory domain.
When users log on to an NT domain in Samba 3 mode, UCS authenticates them against its LDAP directory service on the basis of the username and password. UCS authenticates clients with Windows operating systems (from XP onward) via the NTLMv2 protocol in Windows NT domains; however, if the Windows client on which the user is logging in has joined a Samba 4 server, a Kerberos ticket is automatically issued to the client, which the client then uses for further authentication and which forms the sole basis for access to all of the domain's resources.
Advanced Configuration
From a practical point of view, the Samba 4 configuration is by no means done: In everyday life, the admin also needs to configure the authentication service in detail, as well as create computer/user profiles, file and print services, and, in particular, take care of automatically exporting the users' home directories. These details are beyond the scope of this article. That UCS provides comprehensive support through its management interface and system variables in these points is laudable, but rating this would not do justice to the two products' objectives: UCS sets out to provide a small business server with Active Directory support for production use, whereas the SerNet Samba appliance is purely a Samba 4 test setup.
The file services provided by the UCS support ACLs for shares based on CIFS, provided the underlying filesystem on the Samba server also supports this (which is the case with ext3, XFS, and ext4). In this case, Windows clients can also use ACLs. Samba 4 can optionally provide file services with its own virtual file server, NTVFS (necessitating a filesystem with XATTR support) or the embedded Samba 3 file server, S3FS.
Best practices suggest separating file and print services from authentication services anyway. If the authentication services run on a separate Samba 4-based domain controller, many admins will tend, like the Univention developers, to use the mature Samba 3 as the file and print server, guaranteeing, among other things, that high load on a file server does not interfere with the login service.
SerNet Samba 4 Appliance
SerNet, out of Göttingen, Germany, is a systems integrator that focuses on open source, security, and Samba-related services in particular. SerNet develops Samba in collaboration with the Samba team on its initiative and on customer order; it is also the only systems integrator that provides members to the Samba core team. Among other things, the team from Göttingen has developed an easy-to-deploy, Debian-based [7] Samba appliance that gives admins a convenient option for testing the features supported by the new version of Samba 4.
Version 0.1 first aired at CeBIT last year and has been officially downloadable since May 2012; however, it was still based on the Samba 4 preview. SerNet migrated its Samba appliance to the stable Samba 4 shortly after the release of the final version.
The version 0.6 appliance has been available for download with stable Samba 4 support since December 2012 and provides the ability to set up an Active Directory domain controller on a Debian server in a few simple steps. At this year's CeBIT, SerNet introduced an enhanced version of its appliance that integrates Zarafa and Opsi. AD schema files for Zarafa support are already included in version 0.6.
Windows admins typically use the graphical dcpromo.exe tool to set up a domain controller or promote a standard Windows server, but Samba admins typically have to resort to the command line. The core of the SerNet Samba appliance, however, is a graphical dcpromo wizard for provisioning Samba 4, which is part of the installation procedure of the appliance but can also be launched retroactively at any time to configure a new setup.
The SerNet appliance is based on Debian 6 and relies on kernel 3.2.0 from the Debian backports with support for Microsoft Hyper-V. The appliance uses the embedded S3FS file server, instead of Samba 4's own NTVFS, which starts the SMB daemon from Samba 3 within Samba 4 so that Samba 3 tools such as smbstatus, smbpasswd, and smbclient still work. This is the default behavior of Samba 4. Furthermore, the internal NTP server on Samba 4 synchronizes the system time, which is vital for Kerberos authentication.
The fastest approach to automatic installation is to run the standard Debian installer. The automated installation in text mode overwrites the entire disk during partitioning. If no DHCP server is found, the installer offers to let you configure the network manually, which is especially important for production use. At the end of the basic installation, the system creates the sernet user account on the appliance and configures it by default for an automatic login after reboot. Alternatively, you can set an individual password. The root password is root and should be changed after the first login.
Next, the installer starts the dcpromo script to set up the Active Directory domain controller. The tool can be launched retroactively by clicking the desktop icon to initiate a complete reconfiguration of Active Directory. In the first three steps, the script prompts you for the domain controller hostname (DC by default) and the full realm, from which the AD domain name is derived by removing the hostname. Also, dcpromo derives a proposed NetBIOS name from the realm.
Then dcpromo prompts you for a password for the administrative account, Administrator. After this, the script then offers to set up a DNS forwarder for queries that cannot be answered the by Samba 4's internal DNS. Besides the NTP server, Samba 4 also includes an internal DNS service. However, according to the SerNet experts, this has not always been reliable. To complete the configuration, dcpromo lists the settings for the domain controller, which will result in all active Samba services stopping, in case of re-configuration (Figure 2). The script then configures all necessary Samba services with the selected data. On completion, dcpromo outputs the main domain parameters – NetBIOS domain, DNS domain, and domain SID – and restarts the Samba service.
Although this completes the configuration of the domain controller, and Windows 7 clients/users can now join the domain, the dcpromo script offers the option of installing Zarafa AD schema extensions in the next step. Anyone planning to deploy Zarafa groupware on the Samba 4 machine will want to take this opportunity to allow Zarafa users to authenticate against AD later on.
Joining In
Now that the domain controller is ready for use, the admin can join the trust context of the domain with an appropriate Windows client. To join the AD domain, you just need to log in as with any native Microsoft domain. To do so, go to Control Panel | System and Security | System, press Change settings in the Computer name, domain, and workgroup settings section, and select Change again and enter the FQDN of the desired AD domain (realm).
If the realm is accessible to the system, based on the chosen network configuration (see below), a logon dialog box for the domain appears, and you can sign in with the previously configured administrator account (Figure 3).
A join will only work reliably and without any additional configuration if you add the IP address of the SerNet Samba appliance or the UCS as the DNS server setting in the IP configuration of the client's network adapter. A quick review of the Network and Sharing Center should confirm that the join worked.
After a reboot, you can log in to the domain as an administrative user. When logging in, a little trick is required if the "Administrator" account also exists locally. When you press Change user… to switch from the local login to the domain login, Windows will change back to the local login dialog when you type the last letter "r" in Administrator, but if you use the <domain name>\<administrator> format instead, the domain login will work.
Windows Explorer now also has a function to Search Active Directory under Network. You can use it to search the directory service for Users, Contacts, and Groups Computers, Printers, and Shared folders (Figure 4). The remaining configuration can be done either with the built-in Samba 4 command-line tools or with the standard Windows administration tools.
Conclusions
Both the SerNet appliance and the Univention Corporate Server can be set up with little effort to provide an Active Directory domain controller based on Linux. The SerNet appliance is designed for test installations and relies on the latest stable version of Samba 4.0. Univention's UCS uses Samba version 4.0rc6, which was further developed by Univention in collaboration with the Samba team. It is based on the previous pre-release versions and has been tested for production use.
A direct comparison of the products would be meaningless because UCS provides a complete, web-manageable small business server. The SerNet appliance uses the embedded Samba 3 file server, S3FS, to provide file and print services, whereas Univention runs Samba 3.6.8 in parallel for file services. Univention also offers a migration tool from Microsoft AD to Samba 4 and an Active Directory Connector for cooperation with an existing Microsoft domain controller.