Practical Technology

for practical people.

Moving from NT to Samba


As you face the end of NT4 support,, you have another alternative to switching to Server 2003: Samba.

If you’re happy with your domain network, or you want to use one Server 2003 system to run AD (Active Directory), you can switch to Samba.

Samba is an open-source program that provides file and print services to SMB (Server Message Block) and CIFS (Common Internet File System) clients. In short, Samba can provide file and printer services for any version of Windows. Samba runs on essentially all Linux/Unix servers. Indeed, the vast majority of Linux servers, such as those from Novell/SuSE and Red Hat, come with Samba.

Why would you bother? There are several good reasons to move to Samba. The first is cost. Not only is Samba free, it can run on the legacy hardware you’re already using for NT.

Personally, I have production Samba servers running on systems as out of date as servers with 100MHz Pentium processors and 64MBs of RAM. Of course, you’ll be a lot better off with more powerful equipment, but my point is that you can run Samba successfully on equipment that couldn’t even boot Server 2003.

Samba is also fast. When I first tested Samba in 1999, it was already delivering files faster than NT. It’s only gotten better since then. In informal tests at my office, I’ve found untuned Samba 3 to be not quite as fast as untuned Server 2003 on the same server hardware.

That said, either one delivers files more than fast enough for most business uses. With performance tuning, I’ve found Samba 3 and Server 2003 ran neck-and-neck. Frankly, if you’re in a situation where server load—and not network bandwidth—is causing performance problems, your problem isn’t your operating system, it’s a need for better systems or hard drives.

If you want to do a simple drop and replacement for your customers’ SMB NT network and not change your network configuration, Samba 2.2 and higher work just fine. Earlier versions of Samba aren’t suitable for use as PDCs (Primary Domain Controllers). For more details, check out “How to Configure Samba 2.2 as a Primary Domain Controller.”

You also can use Samba 3 for NT-style networks, but what’s most useful about Samba 3 for Windows networks is that it supports AD.

With Samba 3, you can join Samba servers to an AD tree as a member server without requiring that AD be running in mixed mode. Typically, you only use mixed mode in networks where you’ll still be using NT servers, or Samba 2.2 or older servers.

You can run Samba 3 with an AD server running native mode. In this mode, you can run Samba 3, W2K (Windows 2000) server and Server 2003. You cannot, however, run Samba 3 in Server 2003 mode, a superset of native mode, which requires that all servers be running Server 2003.

For authentication purposes, your AD server must support LDAP (Lightweight Directory Access Protocol) and Kerberos. In my experience, W2K Server’s LDAP doesn’t work well with OpenLDAP, the usual LDAP server on Linux. Server 2003, however, gives far less trouble.

As I’ve said before in this series, whether you use Samba or not, Server 2003—not W2K—is simply the better Windows server upgrade option. On the Samba side, Samba 3.07 is the latest edition, and since it has several security fixes, I highly recommend you upgrade your Samba server to it before starting a migration.

Once you have Kerberos working, either MIT or Heimdal Kerberos on the Linux side, you’ll need to manually enter the Samba 3 Server into AD. With that done, you’ll want to add file shares and printers using Samba’s—typically with the SWAT Web interface, but you can do it via the Unix command line or by editing the Samba configuration files. These resources should then appear in AD management consoles and to Windows 2000, XP and 2003 clients.

What about 95, 98 or ME? Unfortunately, these operating system require the NT/LAN Manager (NTLM) challenge/response authentication protocol, and AD’s native mode doesn’t support that. Instead, it exclusively uses Kerberos for user authentication. So, if you still have those operating systems on your clients, you don’t want to upgrade to AD or Samba 3 using AD native mode. For better or worse, you still must use either a mixed mode or an NT-style domain system.

For your basic Samba setup, you can use the Web-based SWAT (Samba Web Based Administration Tool). But you may not want to use SWAT once you’re past your initial installation. That’s because SWAT always replaces the master Samba configuration file, smb.conf, with an optimized version of the file. That means, that any comments you’ve made in the file will be lost. Whoops!

Although it’s not part of Samba, I find that a better choice for a GUI-based Samba administration is Webmin. This is a useful, open-source, Web-based interface for Unix and Linux system administration. I highly recommend it not just for Samba but for many other Unix and Linux management jobs.

If you must use W2K Server AD with Samba 3, you may want to give MKS AD4Unix (ZIP file) a try. This is an AD Server plug-in that enables Unix-related authentication and user information to be stored in AD and managed via the MMC (Microsoft Management Console). Its goal is to create a unified user and computer account database for Windows and Unix servers via Active Directory.

I recommend, however, that you try this approach only if you know both AD and Unix administration extremely well. If possible, the better approach is simply to use Server 2003 instead of W2K.

Or, of course, you could simply use Samba in place of your NT domain system. The choice is up to you.

From the users’ perspective, though, it’s all moot. Whether as a complete replacement or as part of a Server 2003-based network, once set up properly, Samba works exactly like NT as far as they’re concerned.

Thus, given Samba’s improved security, cost and speed over pure-Microsoft approaches, I believe you should seriously consider Samba for any of your cost-conscious customers.

Finally, before starting on your journey to Samba, I’d like to strongly recommend that you get a copy of The Official Samba-3 HOWTO and Reference Guide. You also can read most of this material online at the Samba HOWTO collection. Both will go a long way toward making sure your NT-to-Samba upgrade goes smoothly.

A version of this story first appeared in Channel Insider.

Leave a Reply