Initially, Samba was a software package that let different operating systems access network drives and printers over the SMB/CIFS protocol, but starting with version 4 Samba can also act as a domain controller, an analogue of the Active Directory service.
Although Samba 4 is a fairly good replacement for Active Directory Domain Services and implements a considerable part of AD's functionality, it nevertheless has a number of significant restrictions that can become critical when deploying and operating the solution in a production environment.
In this article we will try to answer how good such a replacement can be and what problems and restrictions one can run into.
Samba's capabilities
By setting up Samba and the basic network services (DNS, NTP, Kerberos, ...) on one of the Linux distributions, you get the following functionality:
- Active Directory domain controller:
• Authentication service based on Kerberos v5;
• An LDAP-compatible directory service with DRS replication;
• Group Policy management server;
• A DNS server based on BIND providing secure dynamic name registration.
- File server.
- Print server.
Because the Samba developers followed the same approach to implementing the Active Directory directory service (they used Microsoft's open specifications), workstations running Microsoft Windows XP through Windows 2012 R2 can be clients of a Samba-based domain. The Microsoft Remote Server Administration Tools familiar to system administrators can be used to manage Active Directory domain services implemented on Samba.
Besides, Samba is open-source software distributed under the GPL license, which ultimately allows you:
- To reduce the risks associated with using imported software (this is especially relevant for state institutions since January 1, 2016).
- To reduce the total cost of ownership of an information system.
For small and medium-sized organizations planning to set up a domain for storing and searching information about the objects of their information systems, and for organizations that for a number of reasons plan a migration to free and open-source software (SPO), Samba can be a fairly good alternative to Microsoft Active Directory.
But is Samba really that good, and does it truly cover the functionality of Active Directory completely? Let's try to answer this question.
Samba's restrictions
General information on the restrictions of AD functionality in Samba's implementation can also be found in the wiki knowledge base at wiki.samba.org, but the data there has to be gathered piece by piece, and not all restrictions are mentioned.
The restrictions described are valid for the version current at the time of writing, Samba 4.3.1.
So, let's start with functional restrictions:
The maximum size of the Samba database is limited to 4 GB
The limit on the maximum size of the Samba database is related to the 32-bit architecture of tdb. For large organizations with hundreds of thousands of objects in the Active Directory directory, migrating to Samba may be impossible. (By the way, information on this restriction appeared only on November 13, 2015, almost 3 years after the release of Samba 4.0, and largely thanks to active discussions on the mailing list.)
Trust relationships (forest/domain trust)
The most complete implementation of trust relationships appeared in Samba 4.3; nevertheless, it has a number of significant restrictions:
- Only two-way trust relationships are supported;
- There is no SID Filtering function; its absence significantly reduces the security level when trust relationships are set up;
- Adding users or groups of the trusted domain "A" to groups of domain "B" is not supported. This restriction makes it impossible to use Samba 4 in any reasonably large installations that require trust relationships.
Support for a multi-domain structure / support for subdomains
Support for a multi-domain structure is absent, both at the code level and at the level of the Samba database. In fact, Samba has no implementation of the Global Catalog (a query to the Global Catalog is redirected to the general LDAP directory).
If you create a subdomain based on Samba, or join Samba to a second-level domain structure, the records about other domains and the root domain will be lost, and "thanks to" restrictions in support for phantom objects, operation in a multi-domain environment can be very unstable. Unfortunately, to any questions to the community on the mailing list you will receive answers like:
"We would also like to improve Samba to scale up, and to support more diverse domain structures, but it isn't a small task."
SYSVOL replication
Although Group Policies are fully functional in Samba (except for a password policy assigned to a specific organizational unit), due to the lack of support for the DFS-R and FRS protocols, SYSVOL replication has to be done manually or by a script. Information on the rsync settings for replication between Samba controllers is available on wiki.samba.org.
Regarding the implementation of SYSVOL replication between a Windows domain controller and Samba, you can write to me by mail.
KCC support
The release notes for Samba 4.3.0 declare that the developers have approached the implementation of KCC according to the open Microsoft specification; in practice, be prepared for numerous errors in the event logs and for creating/correcting the replication graph manually.
- Lack of full RODC support;
- Lack of support for domain controllers based on Windows Server 2012 and Windows Server 2012 R2 together with Samba as AD DC;
- Lack of MIT Kerberos support;
- Problems in the implementation of the DRS replication module *;
- Problems with replication of schema extensions (Schema Extension) **.
* Regarding the DRS implementation, most functions work correctly, but there are a number of restrictions that can be examined on the DRS_TODO_List page.
** Although schema extension is a routine operation, its result can be very unexpected. For example, the error werr_ds_dra_schema_mismatch may appear. In general, this error can arise even when the schemas match, but this topic deserves a separate article, so we will not focus on it now.
It should also be taken into account that the already implemented functional modules have bugs, and judging by the lively correspondence on their mailing list there are a lot of them (you can read more on bugzilla.samba.org).
Support for various applications
In addition to functional restrictions, Samba AD DC also has restrictions related to the operation of a number of applications and services. I tested some basic infrastructure services on a test bench. The results of the testing can be found below.
All applications were tested in a basic configuration. No deep analysis of the nature of the errors was carried out.
| Application | Test result | Checks performed |
|---|---|---|
| Microsoft Exchange Server 2003/2010/2013 | Not supported * | Installation; starting of services |
| Microsoft SQL Server 2012R2 | Supported | Installation (including a fault-tolerant configuration with Failover Cluster); creation of availability groups; user authentication |
| Citrix XenApp 6.5 | Supported * | Installation; starting a published application; applying Citrix policies; applying roaming user profiles |
| Microsoft System Center Configuration Manager 2007 | Supported * | Installation; reporting functionality; remote desktop access |
- Microsoft Exchange Server 2003/2010/2013
After installing Exchange there can be problems with replication. The services necessary for Exchange to function did not start for me. More details on the problem can be found at the following links: Link 1 and Link 2.
- Citrix XenApp 6.5
After a successful Citrix XenApp installation I had problems with replication; the problem turned out to be the wrong case in the SPN record (a description of a similar problem can be found here).
- Microsoft System Center Configuration Manager 2007
Remote desktop access did not work for me because of an identification error in DCOM.
In general, applications that use Active Directory only for authentication should work in a Samba-controlled domain without particular problems, but it is still worth testing them on a test bench.
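The SPN case problem seen in the XenApp test above can be checked for before an application is rolled out. The following is an added example, not code from the article or from the Samba project: it parses a constructed LDIF extract of computer objects (the kind an ldbsearch against sam.ldb prints; all host and domain names are assumed) and flags servicePrincipalName values whose host part equals the computer's dNSHostName or short name only when case is ignored.

```python
"""Flag servicePrincipalName values whose host part differs from the
computer's dNSHostName / sAMAccountName only in case (example, not Samba code)."""

# Constructed LDIF sample; names and OUs are assumptions, not real data.
SAMPLE_LDIF = """\
dn: CN=XENAPP01,OU=Servers,DC=example,DC=local
sAMAccountName: XENAPP01$
dNSHostName: xenapp01.example.local
servicePrincipalName: HOST/xenapp01.example.local
servicePrincipalName: HOST/XenApp01
servicePrincipalName: MSSQLSvc/xenapp01.example.local:1433

dn: CN=SQL01,OU=Servers,DC=example,DC=local
sAMAccountName: SQL01$
dNSHostName: sql01.example.local
servicePrincipalName: HOST/sql01.example.local
servicePrincipalName: HOST/SQL01
"""


def parse_ldif(text):
    """Return a list of entries; every attribute maps to a list of values."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                    # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if line.startswith(" ") and last:       # folded continuation line
            cur[last][-1] += line[1:]
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
        last = key
    if cur:
        entries.append(cur)
    return entries


def spn_case_mismatches(entries):
    """Return (dn, spn, expected_host) for SPNs that match only case-insensitively."""
    findings = []
    for e in entries:
        fqdn = e.get("dNSHostName", [""])[0]
        short = e.get("sAMAccountName", [""])[0].rstrip("$")
        for spn in e.get("servicePrincipalName", []):
            # host part: strip the service class and any ":port" suffix
            host = spn.split("/", 1)[1].split(":", 1)[0] if "/" in spn else spn
            for expected in (fqdn, short):
                if host != expected and host.lower() == expected.lower():
                    findings.append((e["dn"][0], spn, expected))
    return findings


if __name__ == "__main__":
    for dn, spn, expected in spn_case_mismatches(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: SPN {spn!r} differs from {expected!r} only in case")
```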
To sum up, Samba AD DC has a great many restrictions that can become a serious problem in large deployments. At the same time, Samba is currently the most mature open replacement for Active Directory, and for a directory service in general. The solution is actively developing thanks to commercial support from foreign companies, integration with cloud services (the use of Samba in Amazon) and interest in the product from integrators; all this gives hope for the fastest possible resolution of the existing problems and completion of the necessary functionality.
This article is a translation of the original post at habrahabr.ru/post/272777/