Samba 3: Linux File Serving for the Active Directory Generation

By Steven J. Vaughan-Nichols | Aug 27, 2003
http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3069121_2/Samba-3-Linux-File-Serving-for-the-Active-Directory-Generation.htm

Do you want cheap Windows file/print services for your network? If your answer is a resounding "Yes!", the best way to reach that goal is to use the Samba file/print server on Linux.

Samba 2.x is faster than Windows NT or W2K Server, a lot cheaper, and, in its most recent versions, can be used in an NT Domain-style network not only as a simple domain server or a Backup Domain Controller (BDC) but also as a Primary Domain Controller (PDC). The key word here, though, is "Domain," and with Microsoft planning to retire Windows NT 4 Server and its Domain-based networking on December 31, 2004, it's high time for NT and Samba Domain administrators to think about switching over to Active Directory (AD).

For NT managers, Microsoft finally has a decent upgrade path built from Windows Server 2003 and Active Directory Migration Tool 2.0. And now, thanks to the arrival in beta release of the feature-complete Samba 3, Samba administrators do as well.

Don't get me wrong — it's not ready for prime time yet, but with this beta, Samba shows that if the day ever comes that NT domains are antiquated, Samba will be ready to contribute fast, inexpensive AD-compatible servers.

But Why Bother with AD?

Or you could just choose to do what John Terpstra of the Samba Team suggested at the SambaXP Conference in Germany last April — migrate to a Samba 3-only solution for your Windows style file/print requirements and abandon both the NT Domain and W2K/Server 2003 AD paths.

Why would you want to make such a radical move? The biggest reason is — to be frank — cost. By going it alone with Samba 3 for your file/print needs, you avoid the initial costs of buying Microsoft server operating systems and the continuing costs of Microsoft's Licensing 6.

It also frees you from being stuck with Microsoft's upgrade plans even when you don't want to upgrade. Since Samba is open source, you can never be cut completely off from support, as will be the case with NT users come 2005.

If you were to make this move, you could choose just how far to remove your network from Domains or AD. For example, under Samba 3, you can still use Winbind to connect with NT or 200x servers for authentication, or you could run authentication using a combination of smbpasswd, the Samba password program, and a MySQL-based DBMS.

Tempting as this path may be for administrators who love open source, using an exclusively Samba 3 approach really requires administrators and programmers who also understand open source extremely well. Although Samba as a file/print server is very mature, Samba as a drop-in file/print/user/group/administration package is relatively new.


Still, with this beta, Samba does have migration support for moving from NT 4 domains to a pure Samba 3 network. It's not as smooth as Active Directory Migration Tool 2, but on the other hand, it's a lot easier than moving from NT 4 to AD under Windows 2000 ever was. Of course, considering how difficult that was, this isn't saying much!

If you and your IT cohort already know Samba well, understand network management theory as well as its practice, and like to write Perl scripts in your spare time, go for it. If, however, this doesn't sound like you, the high cost of picking up that expertise will probably overshadow Samba's low cost in the short run. In the future, Samba 3-exclusive networks might work for any company, but for now, I think your best deal will be to use Samba 3 in conjunction with either your existing Domain network or an AD network.

Samba 3 and AD

Fortunately, with this beta, Samba 3 has AD support. To be more precise, you can now join your Samba 3 server to an ADS tree as a member server without requiring that AD be running in mixed mode. Instead, AD can be running in native mode. You cannot, however, run it in Server 2003 mode, a superset of native mode which requires that all servers are running the Server 2003 operating system.

For authentication purposes, you'll also need to set your AD server to support LDAP and Kerberos, which is a common enough setting. With W2K Server, LDAP interoperability with Linux LDAP Servers, typically OpenLDAP, can sometimes be troublesome. With Server 2003, however, you should have far less trouble.

On the Samba side, you'll need to pay close attention to the HOWTO file to make sure that your Kerberos processes know how to talk to AD's Kerberos server. Once they're talking, you'll need to manually enter the Samba 3 server into AD. With that done, you'll want to add file shares and printers using Samba, typically with the SWAT Web interface, but you can do it via the Unix command line as well. These resources should then appear in AD management consoles and to Windows 2000, XP, and 2003 clients.
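A pre-join sanity check for the member-server setup described above, added here as an example and not taken from the article or the Samba project. It confirms that smb.conf selects ADS security and that its realm agrees with the Kerberos default realm; the realm EXAMPLE.COM, the host dc1.example.com and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-join check for a Samba 3 AD member server (not from the article).
# EXAMPLE.COM and dc1.example.com are constructed placeholder values.

# Print a [global] parameter from an smb.conf-style file ($1 = file, $2 = name).
smb_param() {
    awk -v want="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /\[global\]/); next }
        !in_global || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# Print default_realm from a krb5.conf-style file ($1 = file).
krb5_default_realm() {
    awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Report settings inconsistent with an AD member server; return the number found.
check_ads_member() {   # $1 = smb.conf, $2 = krb5.conf
    n=0
    sec=$(smb_param "$1" security | tr 'A-Z' 'a-z')
    realm=$(smb_param "$1" realm)
    krb=$(krb5_default_realm "$2")
    [ "$sec" = ads ] || { echo "security = '$sec', expected ads"; n=$((n + 1)); }
    [ -n "$realm" ] || { echo "realm is not set in [global]"; n=$((n + 1)); }
    # Kerberos realm names are case-sensitive; AD uses the upper-cased DNS domain.
    [ "$krb" = "$(echo "$krb" | tr 'a-z' 'A-Z')" ] ||
        { echo "default_realm '$krb' is not upper case"; n=$((n + 1)); }
    [ "$(echo "$realm" | tr 'a-z' 'A-Z')" = "$(echo "$krb" | tr 'a-z' 'A-Z')" ] ||
        { echo "smb.conf realm '$realm' differs from krb5 default_realm '$krb'"; n=$((n + 1)); }
    return "$n"
}

# Write constructed samples into dir $1: smb.conf realm $2, krb5 realm $3, security $4.
write_samples() {
    printf '[global]\n   workgroup = EXAMPLE\n   realm = %s\n   security = %s\n' "$2" "$4" > "$1/smb.conf"
    printf '[libdefaults]\n   default_realm = %s\n[realms]\n   %s = {\n      kdc = dc1.example.com\n   }\n' "$3" "$3" > "$1/krb5.conf"
}

dir=$(mktemp -d)
write_samples "$dir" EXAMPLE.COM EXAMPLE.COM ads
check_ads_member "$dir/smb.conf" "$dir/krb5.conf" && echo "configuration is consistent"
rm -rf "$dir"
# On the real server the join itself follows: kinit, then "net ads join -U Administrator".
```
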

What about 95, 98, or ME? Unfortunately, these operating systems require the NT/LAN Manager (NTLM) challenge/response authentication protocol and AD's native mode doesn't support that. Instead, it relies entirely on Kerberos for user authentication. So to make a long story short, if you still have those operating systems on your clients, you don't want to upgrade to AD or Samba 3 using AD native mode. For better or worse, you still must use either a mixed mode or a pure domain system.

If you're determined to combine W2K Server AD with Samba 3, you might be better off exploring the use of MKS AD4Unix. AD4Unix is a plug-in for AD Server that enables Unix-related authentication and user information to be stored in AD and managed via the Microsoft Management Console (MMC).

This approach, however, is recommended only for those who know both AD and Unix administration extremely well. If you need to manage both Unix and Windows clients all the time and want one interface, this is an approach you should explore. In a typical office, though, where the goal is to simply provide cheap file and printing services via Samba to Windows users, it would be overkill.

Once you have Samba 3 and AD in place, what can you expect? Well, while your overall network resources won't be as easy to manage as they would be under Server 2003 mode, you'll still have the advantage of lower prices for your available system resources.

Samba 3, in my informal testing, dishes out files faster than W2K Server in this environment, but it's slower than Server 2003 in delivering files. Still, for software that's still in beta, running in a new mode, its performance is quite impressive, and I look forward to seeing how the official release fares on the file playing field.

Is it ready for production use? No, it's not. Is it ready for you to start testing for production? Yes, it is. And if your company needs to add file server capacity, while keeping a close eye on the budget, it's well past the time for you to start testing Samba 3. It's that good now and its promise for tomorrow is looking even better.

This feature originally appeared on Enterprise IT Planet.
