Samba as an Active Directory Domain Controller

Gregory Havens II, Texas A&M University, venom@tamu.edu
Anthony Liguori, Rutgers University, aliguori@clam.rutgers.edu
C. Donour Sizemore, University of Chicago, donour@cs.uchicago.edu
Active Directory

What is Active Directory?
- Central repository of network resources: users and groups; computers, printers, etc.; configuration data
- Administrative abstraction for managing users and resources: ADSI; Windows MMC

Why Do People Use Active Directory?
- Provides much tighter integration of services than previously existed
- Bundled with all Windows 2000 servers
- Provides a central point of resource management
- Good administration tools

Components
- LDAP server
- Kerberos Key Distribution Center (KDC)
- Domain controller
- Integrated services: file / printer (CIFS), web (IIS), mail (Exchange), naming (DNS)
AD Domain Controller

What are domains?
1. Canonical: DNS
2. Resource: LDAP
3. Security: NT domains
Active Directory combines these.

Domain Controller (DC) Function
- Manages various network resources: printers, filesystems, applications
- Provides: authentication, authorization, administrative abstraction

Native vs. Mixed Mode
Windows 2000 Server supports both native and mixed mode operation.
- Mixed mode: master-slave replication; support for NT BDCs
- Native mode: peer-to-peer replication; better server scalability (except the Global Catalog, which exists on one server)

NT Domain: master-slave domain hierarchy
(Diagram: an NT PDC replicating to an NT BDC, with Windows clients and a Samba client attached to the domain.)

Active Directory Domain
(Diagram: root domain ibm.com with child domains igs.ibm.com and linux.ibm.com, and grandchild domain ltc.linux.ibm.com; a Windows client and a Samba client attached.)

DC Components
- Filesystem / RPC server: Samba
- Directory server: iPlanet, IBM Directory Server, eDirectory, OpenLDAP
- Kerberos: MIT Kerberos, Heimdal
Possible Solution
(Diagram: a Windows client speaking to Active Directory over LDAP, SMB, DCERPC, Kerberos and DNS; LDAP served by OpenLDAP, SMB and DCERPC by Samba, Kerberos by MIT Kerberos, DNS by BIND.)
Common Domain Processes
- Join a domain
- User logon
- Resource request
- Add user
- Add a resource (printer, shared folder, etc.)
- Add domain controller
- System boot

Domain Join Process
1. Locate domain controller: DNS SRV record queries
2. Locate logon server: CLDAP
3. Authenticate: Kerberos
4. Send connection request: SMB/RPC
5. Negotiate addition to domain: security descriptor generation; objectSid generation
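Step 1 of the join, locating a domain controller through DNS SRV records, as an added example that is not Samba's DC locator or any code from the slides. The `_msdcs` SRV names are the ones a Windows client queries; everything else is an assumption: the domain example.com is hypothetical, the zone data is constructed, and DNS is never contacted because the resolver is a function the caller supplies. The `None` return models the fallback to NetBIOS name lookup that the CLDAP slide later describes as slow.

```python
"""Locate a domain controller via DNS SRV records (RFC 2782 selection).

Added example, not Samba code. No DNS traffic is generated: resolve_srv
is injected, and the records in main() are constructed sample data for
the hypothetical domain example.com."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_names(domain, site=None):
    """SRV names a Windows client queries for the LDAP and Kerberos services
    of a DC. The _msdcs subtree is AD-specific; site-scoped names come first
    so the client prefers a DC in its own site."""
    names = []
    if site:
        names += [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
                  f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"]
    names += [f"_ldap._tcp.dc._msdcs.{domain}",
              f"_kerberos._tcp.dc._msdcs.{domain}"]
    return names


def order_srv(records, rng=random):
    """RFC 2782 target selection: lower priority values first; within one
    priority, weighted random order, with weight-0 records tried last."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            weights = [r.weight for r in pool]
            if sum(weights) == 0:
                pick = pool[0]  # only zero-weight records left: keep DNS order
            else:
                pick = rng.choices(pool, weights=weights, k=1)[0]
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate_dc(domain, resolve_srv, site=None, service="_ldap", rng=random):
    """Return an ordered list of (host, port) for the requested service
    (_ldap or _kerberos), or None when no SRV record exists. A None result
    is where a real client falls back to NetBIOS name service."""
    for name in dc_srv_names(domain, site):
        if not name.startswith(service + "."):
            continue
        records = resolve_srv(name)
        if records:
            return [(r.target, r.port) for r in order_srv(records, rng)]
    return None


if __name__ == "__main__":
    # Constructed zone data: two DCs, dc1 preferred by priority.
    ZONE = {
        "_ldap._tcp.dc._msdcs.example.com": [
            SrvRecord(0, 100, 389, "dc1.example.com"),
            SrvRecord(10, 100, 389, "dc2.example.com"),
        ],
    }
    print(locate_dc("example.com", ZONE.get))
    print(locate_dc("nosuch.example", ZONE.get))  # None: NetBIOS fallback
```

The injected resolver makes the ordering logic testable without a DNS server; in a deployment the same function would wrap a real SRV lookup, and a site name from the client's configuration would be passed so the site-scoped names are tried first.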
CLDAP

CLDAP
- Connectionless LDAP server: UDP 389, LDAP v3
- Ability is being integrated into the Samba 3.0 development tree.
- Failure drops back to NetBIOS name service: long domain join delay

CLDAP Server Support
- Not a true LDAP request; seems to be more of a new RPC transport, so it can't be served by any current LDAP implementation.
- Preliminary work to integrate it into Samba's nmbd.
Samba

What Samba Can Do Now
- Samba 2.2 releases: supports most of the RPC calls necessary for a Windows XP join (netlogon, etc.); NT Primary Domain Controller
- Forthcoming in future Samba releases: Active Directory client; Active Directory Domain Controller
AD LDAP Server

Dynamically Generated Fields
- Breaks with the spirit of LDAP: ntSecurityDescriptor, objectSid
- Requires a special-purpose backend to serve dynamic data: proxy backend; AD backend

Active Directory Schema
- Published in the directory
- Root DSE attributes: ldapServiceName
- Includes non-standard objects
- Breaks certain standard objects: person object class
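What makes objectSid a dynamically generated field, and what the "objectSid generation" step of the domain join produces, as an added example that is neither Samba's nor Active Directory's code. The binary SID layout (revision, sub-authority count, 48-bit identifier authority, little-endian sub-authorities) is the documented Windows format; the domain SID, the RID counter start and the `RidAllocator` class are assumptions made for the illustration. A client never writes this attribute: the backend mints it from the domain SID plus a fresh relative identifier when an object such as a joining machine account is created.

```python
"""objectSid encoding, decoding and allocation for an AD-style backend.

Added example, not Samba or Active Directory code. The domain SID used
in main() is a constructed sample value."""
import struct

MAX_SUB_AUTHORITIES = 15  # Windows caps a SID at 15 sub-authorities


def sid_to_bytes(sid):
    """Encode 'S-1-<authority>-<sub>-...' into the binary SID structure:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as 4 bytes little-endian."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError("only SID revision 1 is defined")
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("bad sub-authority list")
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data):
    """Decode the binary structure back to string form, checking that the
    declared sub-authority count matches the buffer length (a truncated or
    padded value is rejected rather than silently misread)."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack("<BB", data[:2])
    authority = int.from_bytes(data[2:8], "big")
    if revision != 1 or count > MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    subs = struct.unpack("<" + "I" * count, data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


class RidAllocator:
    """Hypothetical allocator that mints objectSid values: the domain SID with
    the next unused relative identifier appended. RIDs below 1000 are reserved
    for well-known accounts (Administrator is 500, Domain Users is 513)."""

    def __init__(self, domain_sid, first_rid=1000):
        parts = domain_sid.split("-")
        # A domain SID is S-1-5-21-<a>-<b>-<c>: authority 5, then 21 and three more.
        if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 7:
            raise ValueError(f"not a domain SID: {domain_sid!r}")
        self.domain_sid = domain_sid
        self.next_rid = first_rid

    def allocate(self):
        """Return (string SID, binary SID) for a newly created object."""
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        return sid, sid_to_bytes(sid)


def split_rid(sid):
    """Return (domain SID, RID) for an account SID."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


if __name__ == "__main__":
    DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"  # constructed sample
    alloc = RidAllocator(DOMAIN_SID)
    for _ in range(2):  # e.g. two machine accounts joining the domain
        text, raw = alloc.allocate()
        print(text, raw.hex(), bytes_to_sid(raw) == text)
```

The length check in `bytes_to_sid` is the part worth keeping when a backend accepts binary SIDs from clients or replication partners: the count byte is attacker-controlled input, so the decoder must refuse a buffer whose length disagrees with it.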
Kerberos

Kerberos
- Heimdal: stores keytab data and principal database in OpenLDAP
- MIT Kerberos: supports PAC extensions; doesn't support using an LDAP server for storing configuration.