From Fedora Project Wiki

Revision as of 19:45, 22 November 2013 by Abbra (talk | contribs) (→‎Executive summary)

Availability of Samba AD DC features to Fedora

Introduction

Fedora users have shown strong interest in having Samba AD DC functionality available on Fedora. This page tracks our current progress in bringing Samba AD DC features to Fedora.

The state of progress since Fedora 18 (as of May 2013) is covered in a talk given at the SambaXP conference: http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track2/Alexander_Bokovoy_Simo_Sorce-Samba-4-Fedora.pdf

Additionally, you can follow the progress of Samba development, which includes integration of Samba AD DC and MIT Kerberos, at https://wiki.samba.org/index.php/Samba_Next_Goals

Executive summary

2013-11-22: Samba in Fedora 18+ cannot yet be used for AD DC configuration

Progress since Fedora 18

  • A unified Samba package set is provided. Each package is prefixed with samba-. There are no separate samba-package and samba4-package package sets anymore.
  • Samba 4.x is built with MIT Kerberos for the Samba server modes outlined below.
  • Work has started in Samba upstream on bringing a newer embedded Heimdal build to Samba so that there is less difference between the MIT Kerberos and Heimdal APIs. Once this is done, we'll be able to gradually turn on more parts of Samba AD DC.
  • Work is being done on allowing the use of the MIT Kerberos KDC instead of the embedded Heimdal KDC within Samba AD DC. This will be done with the help of the CWrap project, which provides preloading libraries that divert certain networking and identity-related functions to separate processes. The original versions of these libraries are used within Samba to perform functional tests of the whole Samba suite.
  • Work has started to extend Samba AD DC to allow forest trust setup with other forests.

Please note that most work is done directly in Samba upstream. You can check the Samba planning outline at https://wiki.samba.org/index.php/Samba_Next_Goals

Supported setups in current Fedora releases starting with Fedora 18

General

We don't support deprecated options from Samba versions earlier than 4.0 if there are replacements for them. Please migrate to the new options. Feel free to ask about correct config files on the general Samba mailing lists, because these questions are not specific to Fedora.

Client

Winbind and related tools (security=ads (Active Directory) and security=domain (NT4-style Domain Controller))

We support all winbind setups, in particular a Linux client joined to an Active Directory domain. (We don't plan to have client GPO support yet.) This includes all the tools needed to get information out of a domain, such as wbinfo, the 'net' command for joining and managing accounts, and pam_winbind for logging in.

We also support Samba as an NT4 domain member for existing installations (security = domain).

Client libraries

The following libraries are supported: libsmbclient, libsmbsharemodes, libnetapi and libwbclient. They are needed by Desktop Environments or Display Managers for logging in.

Also for user login: libnss_winbind.so, libnss_wins.so and pam_winbind.so.

Server modes

  • security mode user: File servers in security mode user are fully supported and will remain so in the future.
  • security mode share: THIS IS DEPRECATED!!! Please move to security mode user for current configurations. This feature is really old and shouldn't be used anymore. It has already been removed in Samba 4.0.
  • security mode server: THIS IS DEPRECATED!!! Please move to security mode user for current configurations. It has already been removed in Samba 4.0.
  • security mode ads: We only support configurations where winbind is running. smbd without winbind is unsupported.
  • Trusts:
      • net rpc trustdom: Samba can be used as a PDC that can establish trusted relationships with AD.
      • FreeIPA AD trusts: Samba is used as a PDC within a FreeIPA configuration to provide a minimal AD-like setup that can be trusted by an existing Microsoft Active Directory implementation.

Please also note that Samba AD DC configurations, whether hosted on other platforms or built as your own compiled version, do not currently support forest-level trusts to another Active Directory-compatible setup. Thus, they cannot be used to establish trust with FreeIPA deployments yet.
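As an added example (not part of the original wiki page or of Samba itself), the following sketch checks the `security` setting in the [global] section of an smb.conf against the server-mode support list above. The function names, the `winbind_running` flag and the sample configuration are assumptions made for illustration.

```python
import re

# Support status per `security` value, taken from the server-mode list above.
STATUS = {
    "user": ("supported", "fully supported"),
    "share": ("removed", "deprecated, removed in Samba 4.0; use security = user"),
    "server": ("removed", "deprecated, removed in Samba 4.0; use security = user"),
    "ads": ("needs-winbind", "supported only with winbind running"),
    "domain": ("supported", "supported for existing NT4 domain members"),
}

# Constructed sample configuration (hypothetical names, not from the page).
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Security = ADS
[docs]
   path = /srv/docs
"""

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    # A trailing backslash continues a parameter on the next line.
    joined = re.sub(r"\\\r?\n", "", conf_text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive and ignore whitespace.
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit_security(conf_text, winbind_running):
    """Return (level, message) for the `security` setting, or None if unset."""
    value = global_params(conf_text).get("security")
    if value is None:
        return None
    level, note = STATUS.get(value.lower(), ("unknown", "not covered by this page"))
    if level == "needs-winbind":
        level = "supported" if winbind_running else "unsupported"
    return level, f"security = {value}: {note}"

if __name__ == "__main__":
    print(audit_security(SAMPLE, winbind_running=False))
```

Whether winbind is actually running cannot be read from smb.conf, so the caller has to determine that separately and pass it in.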

Printing

We fully support Samba as a print server with the cups and lprng backends.

LDAP integration

Configuring a Samba PDC with the ldapsam PASSDB module is supported. However, use of smbldap-tools is unsupported, as we don't package them. If you can prove that a problem is a Samba issue (by providing logs, backtraces and a reproducer), we are fine with fixing Samba-specific issues.

Samba DCE libraries

Every Samba library used by Fedora packages is supported. External usage is not supported unless it is explicitly stated below. We support the libraries used by openchange, evolution-mapi, FreeIPA and SSSD. Additionally, we support all public libraries of the samba-libs package.