Samba, Windows 2000, Kerberos, and Active Directory
Samba expert Jerry Carter looks at the issues surrounding the integration of Samba with Windows 2000 and what paths may lie ahead.
"So now we have one big mess." What a statement to start with. This was a statement from one person as she described to me her company's migration to Windows 2000 and the attempt to integrate existing Unix services with it. Her words probably ring true for you as well if you are battling the integration bear.
Before we continue, it is good to understand exactly what functionality Samba currently provides to Windows 2000 clients. Integration can actually occur on many levels, so let's begin with the simplest configuration. Samba can and will continue to operate as a standalone file and print server. In fact, as I mentioned in a previous article, Samba's printing support for Windows NT/2000 clients is only getting better. Therefore, the answer to the question "Does Samba work with Windows 2000?" is "yes."
However, when people ask this question, they normally want to know more about Samba's domain-controlling capabilities and whether Windows 2000 can log onto a Samba-controlled domain. After all, OEMs are shipping new PCs preloaded with Windows 2000, and it can be very hard to stop people on your network from having these new machines shipped directly (thus bypassing your watchful eyes).
I've mentioned that certain domain-controlling functionality is noticeably absent in a Samba 2.0.7 PDC (which is unofficial support, I have to state again for the record). One of these missing features is support for domain logons from Windows 2000 clients. In an upcoming release (maybe not 2.2.0, but soon), the Samba team is working to provide this minimal functionality.
Maybe a simple domain logon is good enough for you. However, I think that the question "How well does Samba play with Windows 2000?" is really just a veiled reference to "Can I use Samba to provide an Active Directory server and not install any Windows 2000 domain controllers?" This is a tougher question to answer—much harder than many people realize. The reason is that Samba is only part of the puzzle in this case.
Loosely speaking, what is required to implement a Unix-based Windows 2000 domain is this:
A Kerberos V KDC that can issue the Microsoft Windows 2000 PAC (which is undocumented)
An LDAP server that uses Kerberos V for authentication and that implements the Windows 2000 AD schema (also not entirely documented)
A CIFS server, such as Samba, that uses the Kerberos ticket-granting tickets (TGT) for user validation and obtains user profile information from an AD-compliant LDAP server
This is not a small order, by any means. It is my hope that the LDAP development currently underway in Samba can proceed in step with the other necessary LDAP server enhancements (in OpenLDAP, for example). Others are also presently looking at the MS Kerberos PAC issues.
All in all, it's much more than a day's work. However, as has always been the case with Samba and other Open Source projects, development and enhancements are driven by community needs and support. If you would like a Unix-based Windows 2000 domain, get involved. Subscribe to the Samba mailing lists. Explore OpenLDAP. You might also want to view Luke Howard's XAD page, at http://www.padl.com/~lukeh/XAD/. Good luck, and enjoy.
About the Author
Gerald Carter has been a member of the SAMBA Team since 1998, and he is employed by VA Linux Systems. He is currently working with O'Reilly Publishing on a guide to LDAP for system administrators. He holds a master's degree in computer science from Auburn University, where he was also previously employed as a network and systems administrator. Gerald has published articles with various Web-based magazines, such as Linuxworld, and has authored instructional courses for companies such as Linuxcare. In addition, he acted as the lead author of Teach Yourself Samba in 24 Hours (Sams Publishing, 2000), and he actively gives tutorials at systems administration conferences.
During his spare time, Gerald enjoys running, hiking, playing music, and Bible study. He resides with his beautiful wife of seven years in Dadeville, Alabama.