Practical Technology

for practical people.

Samba 4 Moves Closer to Active Directory Server Compatibility


For years, if you wanted an inexpensive but Windows-compatible file and print server, you turned to Samba running on Linux. Now, with the first alpha release of Samba 4, this open-source project is moving closer to becoming a complete Windows 2003/Longhorn replacement.

Since Samba 3 arrived in 2003, Windows network administrators have been able to use Samba and Linux as a drop-in replacement for an NT file/print server. You could use Samba in place of an NT PDC (primary domain controller), and many have.

This enables LAN managers to run small networks (several dozen Samba and Windows servers and several hundred Windows clients) using Samba alone.

With Samba 3, you could also use Samba servers in a Microsoft AD (Active Directory) in both native and mixed mode. What you could not do, however, is run Samba as an AD domain controller or run it in a Windows Server 2003 level Forest or Domain.

For practical purposes, since many Windows LANs run in mixed mode to allow the use of older versions of Windows 2000 or 2003 even if Samba isn’t present, this means that Samba couldn’t be used in enterprise-level WANs. Typically, it’s only in these most complex of corporate networks that companies deploy a Windows Server 2003 Forest.

Now, Samba is getting closer to being able to replace Server 2003 even in corporate WANs. As Andrew Bartlett described in his 2005 paper, Samba 4 – Active Directory (PDF Link), “Samba version 4 is … a massive leap forward in the way Samba is designed and built. This thesis attempts to take that further, but examining the protocol basis and implementation details adding support for hosting the Kerberos network authentication system into Samba4’s partial implementation of an Active Directory Domain controller. Active Directory forms the heart of Microsoft’s modern network architecture, and is the heart of many corporate networks. Producing a compatible product is important, if the Samba project is to remain relevant into the future.”

The particular problem that Samba faced was dealing with AD authentication protocols. Microsoft’s proprietary NTLM2 (NT LAN Manager) and Kerberos extensions make creating an open-source, white room compatible AD replacement a difficult task.

Nevertheless, the Samba developers have moved closer to supporting the Active Directory logon protocols in this release. According to the programmers, “Samba4 alpha1 is the culmination of four and a half years of development under our belt since Tridge [prominent Samba developer Andrew Tridgel] first proposed a new Virtual File System layer for Samba 3–a project which eventually led to our Active Directory efforts–and one and a half years since we first released a Technology Preview. We wish to allow users, managers and developers to see how we have progressed, and to invite feedback and support.”

However, the Samba Group warns would-be users that, “Samba 4 is currently not yet in a state where it is usable in production environments. Note the WARNINGS in WHATSNEW.txt in the source and the STATUS file which aims to document what should and should not work.”

A version of this story first appeared in Linux-Watch.
