Changing from a Samba classic domain to Samba 4
Upgrade or Wait
Samba 4 has been around for more than three years, but some users still shy from it. If you are still sitting on the fence, this tour through some of the new features and capabilities might help you decide whether it is finally time to upgrade.
Samba [1] is the tool of choice for providing Windows-like file and print sharing services on a Linux server. If you only need basic file and print services, switching to Samba 4 it not worth the effort because the new Samba is not so much different. Samba 4 still contains the smbd, nmbd, and winbindd components, although it also has the samba service on-board, which Samba needs for the new features. You will also find some limitations. For instance, Samba 4 reduces access to TDBs (trivial databases) to a minimum.
But, if you use Samba in a classic Windows NT4 domain setting, and if you are willing to delve more deeply into the Windows world, some of the new Samba 4 features might come in handy.
What's New?
The main feature of Samba 4 is the possibility of using a Samba server as a full-fledged replacement for a Windows AD domain controller. Samba 4 supports Windows environments as of Windows 2000.
An LDAP server developed for Samba and integrated into the solution itself assumes the Active Directory role. Samba 4 relies on the built-in Kerberos KDC (Kerberos Key Distribution Center) to support Kerberos authentication via its usual ticket system.
DNS still plays a central role in a Windows AD domain, and you can set up Samba 4 with two possible DNS server roles. The Samba 4 binary includes a DNS server that is part of Samba 4. If necessary, admins can call on the DLZ (dynamically loadable zones) module to implement a Bind server. Both solutions support the typical maintenance of DNS records that is familiar to Windows administrators. The official recommendation is to use the built-in DNS and only change to Bind if necessary.
The correct system time is also important for Windows domains. For example, Kerberos relies on correct timestamps to avoid replay attacks. Samba 4 keeps time by accessing the well-known NTP daemon. (Btw: Windows 2000 clients do not behave as an NTP server would expect, so Samba 4 cannot act as an AD domain controller for Windows 2000 systems.)
Management
Windows admins can customize the entire configuration using the Microsoft Management Console (MMC). MMC is the standard tool for managing a Windows AD domain controller (see Figure 1). On the Linux side, admins manage current Samba versions with the help of the new samba-tool [2]. With samba-tool, you can create or delete users and groups or trigger a classicupgrade from version 3 to 4. Table 1 shows the options.
Table 1
samba-tool Commands
| Command | Function |
|---|---|
| dbcheck |
Check the local AD database for errors |
| delegation |
Manage delegations |
| dns |
Manage the domain name service (DNS) |
| domain |
Manage domains |
| drs |
Manage the directory replication service (DRS) |
| dsacl |
Manage access control lists (ACL) for domain services |
| fsmo |
Edit roles for flexible single master operations (FSMO) |
| gpo |
Manage Group Policy objects |
| group |
Manage groups |
| ldapcmp |
Compare two LDAP databases |
| ntacl |
Manage NT ACLs |
| processes |
List processes (for debugging on systems without setproctitle) |
| rodc |
Manage the read-only domain controller (RODC) |
| sites |
Site management |
| spn |
Manipulate identifiers of service instances (service principal names) |
| testparm |
Check config file for syntax errors |
| time |
Retrieve the timestamp on the server |
| user |
User management |
| vampire |
Synchronize a remote AD domain with the local server |
Samba 4 has a programming interface for Python. Admins and system integrators use this interface to seamlessly customize the software for their environments. Many Samba 4 tools (including samba-tool ) use Python and rely on this interface.
Versions
Major and minor versions of Samba 4 appear regularly. Major changes end up in major versions with numbers such as 4.0, 4.1, 4.2, and so on. Minor changes are incorporated in the minor versions, with version numbers like 4.1.1, 4.1.2, 4.2.1, or 4.2.2. The latest stable release is version 4.4.3 [3].
The major releases 4.1, 4.2, 4.3, and 4.4 improve performance and substantially expand the feature list. Since version 4.1, for example, the client tools now also work with the SMB 2 and 3 protocols. In addition, Samba 4.1 enables server-side copy actions.
Release 4.2 saw the CTDB (Cluster Trivial Database) enter the Samba tree. The CTDB lets you run Samba file servers in the form of clusters. A new tool called Samba Registry Editor lets you crawl the Samba registry.
The 4.3 and 4.4 releases improve existing features and add enhancements to some of the tools. Version 4.4 impresses with better performance, especially with asynchronous flush requests. When clients ask the server to write unsecured content to disk, this write operation is done in an asynchronous manner. The operation therefore blocks any other processes. Support for SMB-3-multichannel is still considered experimental, however. This feature allows the client to build multiple transport connections in an authenticated SMB session, which improves both fault tolerance and data throughput because the file can be transferred in parallel over multiple network connections.
Last but not least, some of the changes relate to the configuration in the /etc/samba/smb.conf file. The developers have removed 14 parameters, changed the default setting for seven, and added 37 new parameters [4].For those who like more detail, have a look at the release notes for the major releases 4.1 [5], 4.2 [6], 4.3 [7], and 4.4 [8].
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia