From Fedora Project Wiki

Samba AD

Summary

Samba AD is an open source implementation of an Active Directory set of tools and protocols. It allows Windows clients to be enrolled and managed using native Windows tools. In addition, Samba AD can serve as a domain controller for Fedora workstations and servers utilizing DCERPC, LDAP and Kerberos.

Owner

Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-06-29
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Samba AD is an implementation of the Active Directory set of tools and protocols. It is developed and released as part of the Samba suite. The upcoming Samba 4.7 release will contain changes that allow Samba AD to be built and used with MIT Kerberos. Prior to Samba 4.7 it was impossible to compile Samba AD with MIT Kerberos; as a result, Samba AD was not packaged in Fedora.

Benefit to Fedora

Fedora already contains software to deploy domain controller capabilities. However, neither the FreeIPA master nor the traditional Samba domain controller role allows enrollment and management of contemporary Windows clients (Windows 8+) using their natively supported protocols.

Samba AD is a reasonable alternative to the Microsoft Active Directory implementations available in Windows Server 2008 or later. According to field reports, Samba AD is capable of supporting deployments of 100,000s of users/groups, with a sweet spot of 5,000-10,000 users/groups and multiple sites, on relatively inexpensive hardware. It is well suited to small and medium businesses across many industries.

Samba AD deployments so far have been predominantly based on Debian GNU/Linux and Ubuntu environments with Heimdal Kerberos. Fedora integration will enable the use of modern Kerberos (MIT Kerberos) features and extend Samba AD availability to the Fedora community. However, the feature set of Samba AD with MIT Kerberos is not yet on the same level as with Heimdal!

Samba 4.7 also contains numerous bug fixes that allow Samba AD deployments to interoperate with FreeIPA deployments through FreeIPA's trust to Active Directory feature. Thus, Fedora with Samba AD becomes a sufficient platform to fully control and deploy enterprise environments based on Fedora.

Scope

  • Proposal owners:

Samba packages in Fedora already include a stub subpackage, samba-dc, that is going to be replaced with a full Samba AD implementation. Appropriate dependencies are already present in Fedora 27/Rawhide or will be added together with the Samba 4.7 update. This mostly concerns upgrades of Samba-related libraries (libtevent, libldb, libtdb) and an MIT Kerberos update to support the new APIs added to accommodate Samba AD (already in Rawhide).

  • Other developers: N/A (not a System Wide Change)

We believe no impact to Release Engineering is needed for this change.

  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

There is no upgrade/compatibility impact. Samba AD has its own deployment tools. Existing Samba deployments are not automatically upgraded.

N/A (not a System Wide Change)

How To Test

Samba AD can be tested within the Samba test suite. This is the way it is automatically tested for each upstream Samba commit. We plan to eventually enable testing of Samba AD as part of OpenQA.

User Experience

Samba AD has its own deployment tools. The whole procedure is documented on the Samba wiki page: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

We intend to work on improving usability of Samba AD deployment tools in future Fedora releases.

Dependencies

All appropriate dependencies are already present in Fedora 27/Rawhide or will be added together with the Samba 4.7 update. This mostly concerns upgrades of Samba-related libraries (libtevent, libldb, libtdb) and an MIT Kerberos update to support the new APIs added to accommodate Samba AD (already in Rawhide).

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: Samba 4.7 is planned to be released on Tuesday, September 5 2017. However, the first release candidate for Samba 4.7 is planned for Tuesday, July 4 2017.

We plan to package Samba 4.7 release candidates throughout this time frame to make sure the final release will be a small update on top of them. In case Samba 4.7 is not released before the Fedora 27 release, we are confident the Samba 4.7 release candidates are stable enough for the final Fedora release.

  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product? No

Documentation

N/A (not a System Wide Change)

Release Notes

Samba AD with MIT Kerberos

After four years of development, Samba finally supports compiling and running Samba AD with MIT Kerberos.

The feature set is not on par with the Heimdal build, but the most important things, like forest and external trusts, are working. Samba uses the KDC binary provided by MIT Kerberos.

Missing features, compared to Heimdal, are:

  • PKINIT support
  • S4U2SELF/S4U2PROXY support
  • RODC support (not fully working with Heimdal either)

The Samba AD process takes care of starting the MIT KDC, which loads a KDB (Kerberos Database) driver to access the Samba AD database. When provisioning an AD DC using 'samba-tool', it creates a correct kdc.conf file for the MIT KDC. Note that 'samba-tool' overwrites the system kdc.conf by default; it is possible to use a different location during provision. Consult the 'samba-tool' help and the smb.conf manpage for details.

Dynamic RPC port range

The dynamic port range for RPC services has been changed from the old default of 1024-1300 to 49152-65535. This port range is not only used by a Samba AD DC but also applies to all other server roles, including NT4-style domain controllers. The new value is the one Microsoft defined for Windows Server 2008 and newer versions. To make it easier for administrators to control those port ranges, we use the same default and make it configurable with the option 'rpc server dynamic port range'.

The 'rpc server port' option sets the first available port from the new 'rpc server dynamic port range' option. The option 'rpc server port' only applies to Samba provisioned as an AD DC.
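A configuration check for the new range, added here as an example and not part of the wiki page or of Samba itself: it reads 'rpc server dynamic port range' from an smb.conf fragment (constructed, with the parser, the default and the bounds check being assumptions of this example) and reports which part of that range a host firewall's allow-ranges leave filtered, the situation an upgraded DC with rules still sized for the old 1024-1300 default ends up in.

```python
import re

# Samba 4.7 default dynamic RPC range; before 4.7 the default was 1024-1300,
# which is what firewall rules on an upgraded DC may still be sized for.
DEFAULT_DYNAMIC_RANGE = (49152, 65535)
# Constructed smb.conf fragment for a Samba AD DC (not taken from the wiki page).
SAMPLE_SMB_CONF = """[global]
    server role = active directory domain controller
    rpc server dynamic port range = 49152-65535
"""

def parse_smb_conf(text):
    # Minimal smb.conf reader ([section] headers, 'key = value', #/; comments);
    # keys are lower-cased and whitespace-normalised, as Samba treats them.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def dynamic_port_range(conf):
    # Effective 'rpc server dynamic port range' from [global], else the 4.7 default.
    value = conf.get("global", {}).get("rpc server dynamic port range")
    if value is None:
        return DEFAULT_DYNAMIC_RANGE
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or not 1024 <= int(m[1]) <= int(m[2]) <= 65535:
        raise ValueError("bad rpc server dynamic port range: %r" % value)
    return int(m[1]), int(m[2])

def uncovered_ports(conf, allowed):
    # Sub-ranges of the dynamic range covered by no (low, high) firewall
    # allow-range; anything returned is where RPC clients hit filtered ports.
    low, high = dynamic_port_range(conf)
    gaps, cursor = [], low
    for a_low, a_high in sorted(allowed):
        if a_high < cursor or cursor > high:
            continue
        if a_low > cursor:
            gaps.append((cursor, min(a_low - 1, high)))
        cursor = max(cursor, a_high + 1)
    if cursor <= high:
        gaps.append((cursor, high))
    return gaps
```

Run it against the real /etc/samba/smb.conf and the port ranges your firewall actually permits; a non-empty result is the gap to open before clients start failing on the dynamic endpoints.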