System-Engineering | 5 min read

The different sides of Samba

Pietro Stäheli
May 2019
written by Pietro Stäheli

One of my interests is open-source alternatives to proprietary software, and Samba is an excellent alternative to Microsoft Active Directory. While commercial products do their job perfectly well, they are sometimes inflexible and may lack features. Some things are guaranteed to just get on your nerves.

Among other restrictions, Windows Server Essentials limits you to 25 user accounts [1]. This is merely a licensing issue, not a technical one. Too bad your small business should encounter the misfortune to be growing due to its success! Buy a bigger license!

Environment

With some exceptions (the Apple brigade and one stray Linux user) most people use Microsoft Windows for work. File services already run on a separate file server that is also bound to the domain. Other internal services run on Debian Linux. The functionality of the already existing services should not be impaired by the change. We would like to ensure that in the future new servers can join the domain to make centralized user management possible. I have worked with OpenLDAP on Linux previously, but sadly this is not suitable for Windows logons. So let’s learn a slightly different way to run LDAP with Samba.

Differences

Let’s first look at what you lose and what you gain with Samba:

Pros

  • The only limits you will face are the technical challenges of your own skills and knowledge.
  • Tinkering with open source stuff is fun.
  • The investment is in time, not money.
  • The folks on the Samba mailing list are generally nice and helpful. The documentation and examples on the Samba wiki are quite good.
  • Kerberos is a hard requirement of Active Directory, but fortunately it is seamlessly integrated in Samba.
  • Samba is in productive use in large environments. Support for 100,000+ users in a domain is planned for Samba 4.11.
  • Linux members are supported through Winbind.

Cons

  • Samba at the time of writing only supports Active Directory Functional Level 2008R2.
  • The Active Directory Administrative Center will not work as it relies on Active Directory Web Services.
    • This will have no impact on operations as we are not using this feature. As long as ADUC and ADSI Edit work, the loss of functionality is very minor.
  • File replication (GPOs, logon scripts) does not happen automatically, but there are workarounds.
  • Lack of manufacturer support.

Prerequisites

It is very helpful to have basic LDAP knowledge beforehand. Be familiar with directory structures and be able to spell “DN”.

Make your lab setup replicate the production environment. If your lab has a more open security policy than production you may run into trouble with firewall rules. I did and it was quite embarrassing!

If possible, use configuration management and automation tools while you are testing so you can easily replicate what you did to make the whole thing work again later!

Name resolution, timing issues, and broken things

Some people can follow a manual and get something working correctly the first time. I am not one of those people. I am the type of person who will encounter a multitude of issues while learning more about how a thing works and what will break a system. But importantly I try to learn from such mistakes. With some luck, I can even understand what my cryptic notes mean weeks or months later after fixing issues. I will try to cover the most important and basic issues I’ve faced while testing as I am still new to Samba and Active Directory.

DNS

It’s always DNS! Functioning DNS is crucial for Active Directory to work correctly. SRV entries in DNS inform AD-integrated hosts of the available domain controllers and where to find the services they are looking for. If replication or logins are not working correctly, if “suitable servers” could not be contacted, and so on, you may be facing DNS issues. If not, there’s always…
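As an added example (not part of the original post), here is a small checker for the SRV records an AD member looks up to find a domain controller, which also flags SRV targets that have no A record, a failure mode the post does not spell out. The record list is my summary of the well-known AD layout, the domain names are constructed, and the default lookups assume the `host` CLI from the bind9-host/dnsutils package.

```python
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target


def expected_srv_names(domain: str) -> Dict[str, str]:
    """Core SRV names under an AD DNS zone, keyed by the service each locates."""
    d = domain.rstrip(".")
    return {
        "ldap": f"_ldap._tcp.{d}",
        "kerberos-tcp": f"_kerberos._tcp.{d}",
        "kerberos-udp": f"_kerberos._udp.{d}",
        "kpasswd": f"_kpasswd._tcp.{d}",
        "gc": f"_gc._tcp.{d}",
        "ldap-dc": f"_ldap._tcp.dc._msdcs.{d}",
        "ldap-pdc": f"_ldap._tcp.pdc._msdcs.{d}",
    }


def host_srv(name: str) -> List[SrvRecord]:
    """Query SRV records via `host`; parses lines like
    '_ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.'"""
    out = subprocess.run(["host", "-t", "SRV", name], capture_output=True, text=True).stdout
    records = []
    for line in out.splitlines():
        if " has SRV record " in line:
            prio, weight, port, target = line.split(" has SRV record ")[1].split()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def host_a(name: str) -> List[str]:
    """Query A records via `host`; parses '<name> has address <ip>' lines."""
    out = subprocess.run(["host", "-t", "A", name], capture_output=True, text=True).stdout
    return [line.split()[-1] for line in out.splitlines() if " has address " in line]


def check_ad_dns(domain: str, srv_lookup: Callable = host_srv, a_lookup: Callable = host_a) -> List[str]:
    """Return findings; an empty list means every expected SRV record exists
    and every SRV target resolves to an address."""
    findings = []
    for role, name in expected_srv_names(domain).items():
        records = srv_lookup(name)
        if not records:
            findings.append(f"missing SRV {name} ({role})")
            continue
        for _, _, port, target in records:
            if not a_lookup(target):
                findings.append(f"SRV {name} points at {target}:{port} but {target} has no A record")
    return findings


if __name__ == "__main__":
    print("\n".join(check_ad_dns(sys.argv[1])) or "all expected AD DNS records present")
```

Run it against the AD domain name (for example `python3 check_ad_dns.py ad.example.test`) from a host that uses the domain controller as its resolver, since a member querying a different DNS server sees exactly the records it would use when joining.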

Time synchronization

It is essential that every host have the same time. This may sound trivial, since everyone has NTP as a hard requirement for any machine. I rarely think about time issues because I just assume that it always works. Kerberos is very sensitive to time differences and will refuse to function if the time difference between hosts is too large. The faults I saw were mainly due to my neglecting to set up proper time synchronization in my initial lab. Hosts that just woke from hibernation or were restored from a snapshot may not always have the right time immediately.

Other things

If you’re using Debian or Ubuntu, services are automatically started after installation. While this is a terrific, user-friendly feature, it will make your freshly joined Samba Domain Controller malfunction in mysterious ways. Replication will only partly work, there will be RPC failures, SIDs cannot be resolved properly, and everyone gets very puzzled and upset.

Where to find help

The fine documentation will get you started https://www.samba.org/samba/docs/

For further questions, turn to the community mailing list https://www.samba.org/samba/archives.html

Samba presentations https://wiki.samba.org/index.php/Presentations

[1] I don’t know if this is true, but it says so on Wikipedia. I took a glance at the licensing terms in Windows Server 2012R2 and came across this gem:

“BACKUP COPY. You may make one backup copy of the software media. You may use it only to create instances of the software.”

And that was the point where I gave up on reading the licensing terms.
