Samba with Active Directory: getting closer


From one point of view, Samba is open source high drama at its finest: an early adopter of version 3 of the GNU General Public License, and the recipient of an unprecedented release of formerly proprietary Microsoft documentation, thanks to a high-profile anti-trust case. Meanwhile, though, it's the low-profile software that implements the Server Message Block (SMB) file-sharing protocol, sometimes known as CIFS. Samba powers every inexpensive NAS device in the computer store—without even a mention on the box—and comes with all the common Linux distributions and with Apple's Mac OS X Server. Today, as Samba comes closer to implementing a key Microsoft directory protocol, the two aspects are being forced together.

Samba creator Andrew Tridgell, better known as Tridge, posted to his blog, "There has been a lot of progress recently in the development of the directory server capabilities of Samba4." In a half-hour screencast video, he demonstrated a development version of Samba acting as a Microsoft Active Directory domain controller in a mixed environment. "We are making very rapid progress now," he added.

Active Directory (AD) is a central repository for all the administrative information that a modern Microsoft Windows site needs. Besides user names and passwords, AD functions as a DNS server, stores network configuration policy such as firewall rules, and acts as a back-end for applications' configuration. Microsoft Exchange, for example, is completely dependent on it.

AD is made up of "domains" which are data structures that contain groups of objects, which might represent everything from an individual printer to the entire company sales force. Domains can then be collected up into "forests". A company might have many AD domains within its forest, and everything in the forest can be managed by the same administrators. Because AD is such a critical service, Windows sites typically install multiple AD servers, which replicate their data using a formerly secret protocol.

The Samba team received Active Directory documentation, including the server-to-server protocol, as part of an agreement made in response to a European Commission antitrust case in 2007. The documents have helped the project, Tridge said:

Stefan Metzmacher had managed to decode some very important parts of the protocol as part of his thesis work, but we were still missing some key parts of the puzzle. The documentation from Microsoft filled in many of these key elements, and perhaps more importantly, Microsoft has been very willing to engage with us to fill in any gaps that we find, including working directly with traces of Samba talking to Windows domain controllers to enable us to debug our implementation.

The documentation project was a huge project from the Microsoft side. Tridge described it this way:

I think it is fair to say that the WSPP/MCPP documentation effort is one of the largest efforts in IT history to document a set of network protocols. The sheer scale of the effort means that there are inevitably errors and omissions. We have been pleased at how Microsoft has responded to our reports of these errors by providing us with additional documentation where needed.

In the video, Tridge demonstrates provisioning an Active Directory domain on a Samba server, running a development version of Samba from shortly before Samba 4 alpha 11. Once the Samba server is running, he then starts a copy of Microsoft Windows Server 2008R2 Standard as a guest under VirtualBox, and runs the Windows "dcpromo" command to have it join the domain as a domain controller.

A few clicks and entries in the "Active Directory Domain Services Installation Wizard" later, the Windows box is ready to reboot and come up as part of the domain originally created on Samba. It takes about 30 seconds to synchronize key information for the newly-created domain. This step might take hours on a larger, longer-running domain.

Samba 4 has a few limitations, compared to a Windows AD server. There is only one domain per forest, and only one site per domain, but Tridge says that removing those limitations is a near-future priority. Windows administrators, like sysadmins everywhere, fall all over the "lumpers" vs. "splitters" spectrum, and anyone but extreme lumpers with simple configurations will need the ability to define separate domains, for departments and roles, and separate sites, for physical locations.

The remaining manual step is to add the Windows domain controller to the DNS zonefile on the DNS server. Microsoft's Active Directory handles DNS duties itself, while Samba relies on the system nameserver. A change to a Samba AD domain requires a corresponding change to a zonefile on the nameserver. "What we don't yet support in Samba 4 is the ability to create arbitrary DNS names within a Bind9 server using Kerberos authenticated DNS requests," he said. "Microsoft stores DNS within Active Directory. We can't join a Windows domain controller as a new DNS server, so have to rely on the Unix machines to provide DNS," he added. After recording the screencast, Tridge did write a script to automate the needed zonefile changes, he said.
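As an added illustration of the manual DNS step described above (this is not Tridge's script or any Samba code): the records a BIND zonefile needs before clients can locate a new domain controller, with a check that reports which of them a zone is still missing. The domain example.lan, host dc2, the address and the sample zone are constructed; the per-site records assume AD's default site name, and the GUID-based _msdcs records are left out because they need the domain GUID from the directory.

```python
import re

# SRV records AD clients query to find a DC: (owner name relative to the
# zone origin, port). Priority 0 / weight 100 mirrors what Windows registers.
# Site names assume AD's default "Default-First-Site-Name" (assumption).
DC_SERVICES = [
    ("_ldap._tcp", 389),
    ("_ldap._tcp.dc._msdcs", 389),
    ("_ldap._tcp.Default-First-Site-Name._sites", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos._tcp.dc._msdcs", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
    ("_gc._tcp", 3268),
]


def dc_zone_records(domain, hostname, ipv4, ttl=3600):
    """Zonefile lines (relative to $ORIGIN <domain>.) for one domain controller."""
    fqdn = f"{hostname}.{domain}."
    lines = [f"{hostname}\t{ttl}\tIN\tA\t{ipv4}"]
    for name, port in DC_SERVICES:
        lines.append(f"{name}\t{ttl}\tIN\tSRV\t0 100 {port} {fqdn}")
    return lines


def _norm(line):
    # Drop ';' comments, collapse whitespace, ignore case so layout differences
    # in a hand-edited zone do not count as missing records.
    return re.sub(r"\s+", " ", line.split(";")[0].strip()).lower()


def missing_dc_records(zone_text, domain, hostname, ipv4, ttl=3600):
    """Expected records for the DC that are not present in zone_text."""
    present = {_norm(l) for l in zone_text.splitlines() if _norm(l)}
    return [r for r in dc_zone_records(domain, hostname, ipv4, ttl)
            if _norm(r) not in present]


# Constructed sample: the admin added only the A record for the new DC by hand.
SAMPLE_ZONE = """\
$ORIGIN example.lan.
dc1\t3600\tIN\tA\t192.0.2.10
_ldap._tcp\t3600\tIN\tSRV\t0 100 389 dc1.example.lan.
dc2\t3600\tIN\tA\t192.0.2.20   ; added by hand
"""

if __name__ == "__main__":
    for rec in missing_dc_records(SAMPLE_ZONE, "example.lan", "dc2", "192.0.2.20"):
        print(rec)
```

Until Samba can accept Kerberos-authenticated dynamic updates, the missing lines are exactly what has to be appended to the zone by hand (or by a script like the one Tridge mentions) after each domain change.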

Tridge's screencast shows the Windows box successfully syncing with the Samba server, and a user added on the Windows side shows up quickly in a search of the Samba server. Samba 4 is also able to join an existing AD domain. A tool called "vampire" is the Samba-side equivalent of the "dcpromo" command on Windows. Tridge demonstrated using it to add a second Samba server to the domain, ending up with a domain with two Samba servers and one Windows server. This ability means that an administrator could soon add a Samba appliance to an existing AD network, reducing the number of actual Windows servers needed.

Integration and the "Franky" concept

Samba 4 is an ambitious rewrite, which has been in progress since 2003. Meanwhile, Samba 3 has been through many releases with incremental improvements, and currently works well as a member, but not a domain controller, of an Active Directory domain. Samba 3 is "closer and closer to Windows compatibility in timestamps and Windows ACLs. It's harder and harder to tell us from a Windows box," Samba team member Jeremy Allison said. Thanks to extensive usage and bug reports, Samba 3 has gained the ability to handle real-world client quirks, while Samba 4 has focused on the big AD problem but not faced the day-to-day beatings of production use.

Tridge said that in addition to remaining AD work, "we also need to find out exactly how we will achieve our stated goal of re-integrating the great file sharing and printing work that has been done in the Samba3 branch with all of the work on Active Directory server support in Samba4."

Samba developers have been discussing ideas for combining the new functionality in Samba 4 with the existing Samba 3 code. One design for a combined project, called "Franky," short for "Frankenstein," would run Samba 3, listening on the SMB ports (139 and 445), along with Samba 4 listening on the ports required for AD support. Another alternative would be to run Samba3, but pass through AD-related requests to Samba4. "Obviously this will require quite a lot of merge work, but we believe this may be possible to achieve in 2010," Jeremy said on the Samba team blog.

Tridge said:

We need to have a single common file server component and printing component again. The strain on the team of having two implementations of the file serving component is too great. One way of achieving that is via something like the 'Franky' approach, but that has a significant downside of making deployment and administration of Samba more difficult. We need to put more thought into how we can make it easy for administrators, while also offering the best set of features from both branches.

"I'm expecting a fairly heated discussion at SambaXP this year," said John Terpstra, Samba team member and chief software architect of ClearCenter, which produces a web-administered distribution for small and medium businesses. The SambaXP conference is scheduled for May 3rd - 7th, 2010 in Göttingen, Germany.

Licensing and downstream

Samba with Active Directory is still not on downstream roadmaps. Simo Sorce, Principal Software Engineer at Red Hat, who maintains Samba packages for Fedora, said the project is looking at including Samba 3.5.0 in Fedora 13, if it's ready in time. But AD is still in the future. For future releases, "We will wait until the solution is stable enough that upgrades won't mean your server has a good chance of breaking," he said.

ClearCenter's ClearOS combines network gateway with VPN, web and mail filtering, Samba file server, Kolab groupware, and web-based administration tools into a package designed for resellers to deploy at small businesses and branch offices. Samba is a key part of the company's product, which competes with Microsoft Small Business Server but with a monthly subscription bill instead of an up-front license price. ClearOS is based on CentOS, a rebuild of Red Hat Enterprise Linux, but includes Samba 3.4 in place of CentOS's 3.0 package. "ClearOS 6 is going to ship pretty quickly after Samba 4 ships," John said.

Samba adopted version 3 of the GPL in 2007. One effect of the new license was to prohibit downstream Samba resellers from entering into new patent license agreements covering Samba, like the controversial Novell-Microsoft patent deal of 2006. Samba's license change doesn't affect Novell, whose contract predates the GPLv3 cutoff date, but according to the Samba web site, "Patent covenant deals done after 28 March 2007 are explicitly incompatible with the license if they are 'discriminatory' under section 11 of the GPLv3."

No GPLv2 fork has emerged, and, Jeremy says, the license change "has essentially been a complete non-issue." Downstream vendors ship Samba on everything from tiny NAS devices that connect to a USB drive, up to IBM's Scale Out File Services, which runs clustered Samba on top of IBM's proprietary General Parallel File System (GPFS). "What Samba does is it turns the CIFS server into a commodity, allowing people to compete on back-end scaled clustered filesystems," Jeremy said.

All of the Samba code is under individual copyrights, without assignment. "It's completely impossible to be bought out," Jeremy said. "No one can get any advantage over anyone else in the Samba code." As part of the agreement with Microsoft, the company must disclose any of its patents that it believes are necessary to implement its protocols, and it has not added any to its list since reaching the agreement. Microsoft has been "very cautious about breaking compatibility," Jeremy said. "With Windows 7, Microsoft made sure that it would work with a Samba 3 domain controller." Microsoft ended support for Windows NT 4, the last of its OS products to implement the old NT Directory Services system, at the end of 2004, and Windows 7 does not work with an NT4 domain controller, he added.

Help wanted

As you might expect, the Samba team is looking for help. Tridge invites new contributors: "Join the #samba-technical IRC channel (on the FreeNode network, irc.freenode.net), join the samba-technical mailing list, and get involved with the development process. Point out what the priorities are for Samba4 before you would consider deploying it, and help us to prioritize our development to meet your needs."

Jeremy asks would-be redistributors and SMB appliance vendors to work on functionality they anticipate needing. "If you're planning on a product within the next 18 months, the earlier you get involved the more chance you get to steer it to do the things you need to do," he said. "If you need Samba to interface with a particular filesystem, give us a VFS module that will let us do that," Jeremy said. Contributions to Samba itself have to be licensed under the GPLv3, but the team does want to be able to run Samba on the user's choice of clustered filesystem.

Then, as Jeremy posted, "Once we have a merged code-base, we'll declare victory, ship Samba4 and have the biggest darn release party since Duke Nukem Forever shipped and revolutionized computer gaming ! :-)." Samba 3 has served well as an essential file server, and Samba 4 has broken new ground in Microsoft protocol discovery, but eventually, one way or another, there will be one Samba again.