Samba AD
Summary
Samba AD is an open source implementation of an Active Directory set of tools and protocols. It allows Windows clients to be enrolled and managed using native Windows tools. In addition, Samba AD can serve as a domain controller for Fedora workstations and servers utilizing DCERPC, LDAP and Kerberos.
Owner
- Name: Alexander Bokovoy
- Email: abokovoy@redhat.com
- Name: Andreas Schneider
- Email: asn@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 27
- Last updated: 2017-06-29
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Samba AD is an implementation of the Active Directory set of tools and protocols. It is developed and released as part of the Samba suite. The upcoming Samba 4.7 release will contain changes that allow Samba AD to be built and used with MIT Kerberos. Prior to Samba 4.7 it was impossible to compile Samba AD with MIT Kerberos. As a result, Samba AD was not packaged in Fedora.
Benefit to Fedora
Fedora already contains software to deploy domain controller capabilities. However, whether the FreeIPA master or the traditional Samba domain controller role is used, neither allows enrollment and management of contemporary Windows clients (Windows 8+) using their natively supported protocols.
Samba AD is a reasonable alternative to the Microsoft Active Directory implementations available in Windows Server 2008 or later. According to field reports, Samba AD is capable of supporting deployments of 100,000s of users/groups, with a sweet spot of 5,000-10,000 users/groups and multiple sites, with relatively inexpensive hardware requirements. It is well suited for small and medium businesses across many industries.
Samba AD deployments so far have been predominantly based on Debian GNU/Linux and Ubuntu environments with Heimdal Kerberos. Fedora integration will make it possible to use the features of a modern Kerberos (MIT Kerberos) and will extend Samba AD availability to the Fedora community. However, the feature set of Samba AD with MIT Kerberos is not yet on the same level as with Heimdal!
Samba 4.7 also contains numerous bug fixes that allow Samba AD deployments to interoperate with FreeIPA deployments through FreeIPA's trust to Active Directory feature. Thus, Fedora with Samba AD becomes a sufficient platform to fully control and deploy enterprise environments based on Fedora.
Scope
- Proposal owners:
Samba packages in Fedora already include a stub subpackage, samba-dc, that is going to be replaced with a full Samba AD implementation. Appropriate dependencies are already present in Fedora 27/Rawhide or will be added together with the Samba 4.7 update. This mostly concerns upgrades of the Samba-related libraries libtevent, libldb and libtdb, and an MIT Kerberos update to support new APIs added to accommodate Samba AD (already in Rawhide).
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
We believe this change has no impact on Release Engineering.
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
There is no upgrade/compatibility impact. Samba AD has its own deployment tools. Existing Samba deployments are not automatically upgraded.
N/A (not a System Wide Change)
How To Test
Samba AD can be tested within the Samba test suite. This is the way it is automatically tested for each upstream Samba commit. We plan to enable testing of Samba AD as part of OpenQA eventually.
User Experience
Samba AD has its own deployment tools. The whole procedure is documented on the Samba wiki page: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
We intend to work on improving the usability of the Samba AD deployment tools in future Fedora releases.
Dependencies
All appropriate dependencies are already present in Fedora 27/Rawhide or will be added together with the Samba 4.7 update. This mostly concerns upgrades of the Samba-related libraries libtevent, libldb and libtdb, and an MIT Kerberos update to support new APIs added to accommodate Samba AD (already in Rawhide). N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: Samba 4.7 is going to be released in Autumn 2017. The exact date is not known yet. However, release candidates for Samba 4.7 are planned for July-August 2017. We plan to package Samba 4.7 release candidates throughout this time frame to make sure the final release will be a small update on top of them. In case Samba 4.7 is not released before the Fedora 27 release, we are confident that the Samba 4.7 release candidates are stable enough for the final Fedora release.
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change)
- Blocks product? No
Documentation
N/A (not a System Wide Change)