joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Samba does Active Directory now… Whoah. Part Deux

by @ 10:26 pm on 12/18/2012. Filed under tech

So I previously (http://blog.joeware.net/2012/12/13/2650/) pointed out an article talking about AD support in Samba 4.0. After further reading around on the Samba wiki, white papers, release notes, etc., the article appears to be a little overgenerous about the functionality.

One thing specifically that I was shocked to read is this:

In addition, the new version offers full interoperability with Microsoft Active Directory servers. A Samba 4 server can be joined to an existing Active Directory domain, and Microsoft Active Directory Domain Controllers can join a Samba 4 server.

which is directly contradicted by the Samba 4.0 Whitepaper at http://wiki.samba.org/index.php/Samba_4.0_Whitepaper

Active Directory Compatible Server

Samba 4.0 for the first time features an Active Directory Compatible Domain Controller.

The one setup as an Active Directory Compatible Server supported out of the box with Samba 4.0 is this:

  • There is only a single domain in the forest.
  • There are no cross-forest trusts (more explicitly, Samba can be trusted but cannot trust)
  • Samba is the only domain controller in its domain.

These limitations are being worked on and will be removed in later 4.X releases.

The support for multiple domain controllers in a domain requires two flavours of replication:

  • directory replication (for the user database)
  • file system replication (for the sysvol and netlogon shares)

Of these two Windows protocols, the directory replication is available in Samba, but the file system replication is still being worked on.

Note: homogeneous Samba 4.0 Multi-DC-Domains

Hence one can set up homogeneous Samba 4.0 Active Directory multi-DC domains, i.e. domains with multiple Samba 4.0 domain controllers and no Windows domain controllers. For this kind of setup, one needs to set up an external substitute for the file system replication, for instance with some rsync-based shell scripts. One has to do this very carefully though, since there is no concept of a sysvol master role.

which appears to be contradicted by http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

You start samba as a DC in the same way that you start it as a normal server, just run the command ‘samba’ from the sbin directory of your installation.

When you first start Samba as a new DC in an existing Windows domain, you may find error messages like these in the samba log file:

UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758be69-66d933f1123._msdcs.samba.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This is caused by the Windows domain controller that hasn’t yet run its Knowledge Consistency Checker (KCC), which means it has not yet created connections to the new Samba DC.

So perhaps things are not as shiny as indicated by The Register but hey, it is a start… Things should[1] only get better.


  joe


[1] I am not guaranteeing this…
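The whitepaper quoted above hands the sysvol problem off to "rsync-based shell scripts" done "very carefully" because Samba has no sysvol master role. As an added example (not code from the Samba project or from this post), here is the shape such a script takes when it imposes that missing role itself: one DC is hard-wired as the only source, every other DC is pull-only and the script refuses to push from anywhere else, so two DCs can never rsync over each other's changes. The hostnames, the replica list and the sysvol path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Samba project or from this post: a guarded
# one-way sysvol push for a homogeneous Samba 4.0 multi-DC domain. Samba has no
# sysvol master role, so the script designates one DC as the sole source and
# refuses to run on any other DC; replicas never push. The hostnames, replica
# list and sysvol path below are assumptions.

SYSVOL_MASTER="${SYSVOL_MASTER:-dc1.samba.example.com}"                          # assumed
SYSVOL_REPLICAS="${SYSVOL_REPLICAS:-dc2.samba.example.com dc3.samba.example.com}" # assumed
SYSVOL_PATH="${SYSVOL_PATH:-/usr/local/samba/var/locks/sysvol}"                   # assumed

# is_sysvol_master THIS_HOST MASTER_HOST
# Succeeds only when this host is the designated master.
is_sysvol_master() {
    [ "$1" = "$2" ]
}

# build_sync_cmd SYSVOL_PATH REPLICA_HOST
# Prints the rsync command for one replica: -a keeps ownership, permissions
# and timestamps; -A and -X carry the POSIX ACLs and extended attributes in
# which Samba stores the NT ACLs on sysvol; --delete mirrors removals so a GPO
# deleted on the master does not linger on the replica. The trailing slashes
# sync the directory contents rather than creating a nested sysvol/sysvol.
build_sync_cmd() {
    printf 'rsync -aAX --delete %s/ %s:%s/' "$1" "$2" "$1"
}

# sync_sysvol THIS_HOST
# Pushes from the master to every replica. On a replica it does nothing and
# returns 1, which is the guard that substitutes for the missing master role.
# With DRY_RUN set it only prints the commands it would run.
sync_sysvol() {
    this_host=$1
    if ! is_sysvol_master "$this_host" "$SYSVOL_MASTER"; then
        echo "refusing to sync: $this_host is not the sysvol master ($SYSVOL_MASTER)" >&2
        return 1
    fi
    for replica in $SYSVOL_REPLICAS; do
        cmd=$(build_sync_cmd "$SYSVOL_PATH" "$replica")
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            sh -c "$cmd" || return 1
            # Re-apply the sysvol NT ACLs on the replica after the copy
            # (samba-tool subcommand); rsync -AX normally preserves them, the
            # reset is cheap insurance against a replica with different xattr
            # support.
            ssh "$replica" samba-tool ntacl sysvolreset || return 1
        fi
    done
}

# Constructed invocation: show the plan without touching either DC.
# DRY_RUN=1 sync_sysvol "$(hostname -f)"
```

Run it from cron on the master only; running it on every DC is harmless because of the guard, but it makes the intent explicit. Anything that edits Group Policy must then be pointed at the master, since a change made on a replica is overwritten by the next push with --delete, which is exactly the "careful" part the whitepaper warns about.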


