Samba as an Active Directory Domain Controller

Gregory Havens II, Texas A&M University – [email protected]
Anthony Liguori, Rutgers University – [email protected]
C. Donour Sizemore, University of Chicago – [email protected]

CIFS Conference, 2002

Slide 2: Active Directory

Slide 3: What is Active Directory?

• Central repository of network resources
  – users and groups
  – computers, printers, etc.
  – configuration data
• Administrative abstraction for managing users and resources
  – ADSI
  – Windows MMC

Slide 4: Why Do People Use Active Directory?

• Provides much tighter integration of services than previously existed
• Bundled with all Windows 2000 servers
• Provides a central point of resource management
• Good administration tools

Slide 5: Components

• LDAP server
• Kerberos Key Distribution Center (KDC)
• Domain controller
• Integrated services
  – File / printer (CIFS)
  – Web (IIS)
  – Mail (Exchange)
  – Naming (DNS)

Slide 6: AD Domain Controller

Slide 7: What are domains?

1. Canonical – DNS
2. Resource – LDAP
3. Security – NT domains

• Active Directory combines these

Slide 8: Domain Controller (DC) Function

• Manages various network resources
  – printers
  – filesystems
  – applications
• Provides
  – authentication
  – authorization
  – administrative abstraction

Slide 9: Native vs. Mixed Mode

• Windows 2000 Server supports both native and mixed mode operation
• Mixed mode
  – master-slave replication
  – support for NT BDCs
• Native mode
  – peer-to-peer replication
  – better server scalability (except for the Global Catalog, which exists on one server)

Slide 10: NT Domain

[Diagram: an NT PDC and an NT BDC serving three Windows clients and a Samba client]

• Master-slave domain hierarchy

Slide 11: Active Directory Domain

[Diagram: a domain tree with root domain ibm.com, child domains linux.ibm.com and igs.ibm.com, and grandchild domain ltc.linux.ibm.com; a Samba client and a Windows client are members]

Slide 12: DC Components

• Filesystem / RPC server
  – Samba
• Directory server
  – iPlanet, IBM Directory Server, eDirectory
  – OpenLDAP
• Kerberos
  – MIT Kerberos
  – Heimdal

Slide 13: Possible Solution

[Diagram: a Windows client talks to "Active Directory" over DNS, LDAP, SMB, DCERPC and Kerberos; on the proposed open-source side these protocols are served by BIND, OpenLDAP, Samba and MIT Kerberos respectively, with Samba covering both SMB and DCERPC]

Slide 14: Common Domain Processes

• Join a domain
• User logon
• Resource request
• Add user
• Add a resource (printer, shared folder, etc.)
• Add domain controller
• System boot

Slide 15: Domain Join Process

• Locate domain controller – DNS SRV record queries
• Locate logon server – CLDAP
• Authenticate – Kerberos
• Send connection request – SMB/RPC
• Negotiate addition to domain
  – security descriptor generation
  – objectSid generation

Slide 16: CLDAP

Slide 17: CLDAP

• Connectionless LDAP server
  – UDP 389
  – LDAP v3
• This ability is being integrated into the Samba 3.0 development tree
• Failure drops back to the NetBIOS name service
  – long domain join delay

Slide 18: CLDAP Server Support

• Not a true LDAP request; it seems to be more of a new RPC transport, so it can't be served by any current LDAP implementation
• Preliminary work to integrate it into Samba's nmbd

Slide 19: Samba

Slide 20: What Samba Can Do Now

• Samba 2.2 releases
  – supports most of the RPC calls necessary for a Windows XP join (netlogon, etc.)
  – NT Primary Domain Controller
• Forthcoming in future Samba releases
  – Active Directory client
  – Active Directory Domain Controller

Slide 21: AD LDAP Server

Slide 22: Dynamically Generated Fields

• Breaks with the spirit of LDAP
  – ntSecurityDescriptor
  – objectSid
• Requires a special-purpose backend to serve dynamic data
  – proxy backend
  – "AD" backend
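The objectSid generation named under "Negotiate addition to domain" in the domain join process (slide 15) and listed here as a dynamically generated field: an added Python example, not code from the presentation or from Samba, showing the binary layout Active Directory stores in objectSid and a minimal RID allocator that mints a SID for a new domain object from a domain SID. The domain SID and the starting RID are constructed sample values.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-21-...' string as the binary form stored in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # SID layout: revision (1 byte), sub-authority count (1 byte, max 15),
    # 48-bit big-endian identifier authority, then each sub-authority as a
    # little-endian uint32; the last sub-authority of a domain object is its RID
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"unsupported SID: {sid}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(blob: bytes) -> str:
    """Decode an objectSid value back to its string form, rejecting bad lengths."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)

class RidAllocator:
    """Mints objectSid values for new domain objects: domain SID plus a fresh RID.

    RIDs below 1000 are reserved for well-known accounts and groups, so a
    real DC never hands them out; the default starting value mirrors that.
    """
    def __init__(self, domain_sid: str, next_rid: int = 1000):
        if len(domain_sid.split("-")) != 7:   # S-1-5-21-a-b-c
            raise ValueError("expected a domain SID of the form S-1-5-21-a-b-c")
        self.domain_sid = domain_sid
        self.next_rid = next_rid

    def new_object_sid(self) -> bytes:
        """Allocate the next RID and return the binary objectSid for it."""
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        return sid_to_bytes(sid)

# constructed sample domain SID, not taken from any real domain
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
```

Because the RID must never repeat within a domain, a backend serving objectSid dynamically has to persist the counter (or a RID pool) rather than recompute it per request.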

Slide 23: Active Directory Schema

• Published in the directory
• Root DSE attributes
  – ldapServiceName
• Includes non-standard objects
• Breaks certain standard objects
  – person object class

Slide 24: Kerberos

Slide 25: Kerberos

• Heimdal
  – stores keytab data and the principal database in OpenLDAP
• MIT Kerberos
  – supports PAC extensions
  – doesn't support using an LDAP server for storing configuration