1 Samba4

2 What is Samba4?
● A replacement for Active Directory
● The centre of a Windows domain:
  – Windows domain logon server
  – Windows-compatible LDAP server
  – Kerberos KDC, supporting Microsoft extensions
● Moving Samba beyond NT4 domains
● Also a fileserver
  – but not the topic here

3 Making life easier for sysadmins
● A focus on creating automated solutions
● Samba4 should 'just work'
  – Even when it needs to integrate with another package
● Generated configuration files for:
  – phpLDAPAdmin
  – BIND
  – Optional OpenLDAP Backend

4 New Samba4 Features
● Multi-master replication with OpenLDAP
  – Instead of local ldb, Samba4 can use OpenLDAP
● Smart-card login support
● Group Policy support
● Python as the scripting language
● NTP signing support
  – When patch to ntpd applied

5 The provision script
● Python script
● Sets up Samba4, ready to use
  – configuration files
  – DNS zones
  – Schema
  – Skeleton database
● Template driven
● Easy to extend templates and script

6 Provision-backend for OpenLDAP
● Samba4 can use OpenLDAP as a data store
  – OpenLDAP can be quite hard to configure
● Samba4 has very specific requirements
  – AD schema
  – Modules to handle linked attributes
● Python script to generate the slapd.conf and schema

7 Samba4 needs Sysadmins
● Sysadmins have many useful skills
  – Perl wrangler
  – Python handler
  – Configuration manager
  – Systems integrator
  – Wireshark sniffer
  – Live environment tester
  – and even occasional Programmer

8 Samba4 isn't just C anymore
● Not all Samba4 development tasks are deep C coding
  – There is still plenty of C coding, however
● Python Bindings
  – All our main libraries have some level of Python binding
● Python scripts
  – Key tools such as 'provision' are written in Python

9 Practical examples of assistance

10 Multi-master replication
● If OpenLDAP is hard, multi-master replication is harder
● Oliver Liebel (oliver@itc.li) extended the provision-backend script
  – Getting a multi-master Samba4 install is now just a configuration option!

11 PAC Validation
● My 'Russian connection' had a strange error
  – 'PAC Validation failed'.
● PAC: Privilege Attribute Certificate
  – A Microsoft extension to attach groups to a Kerberos ticket
  – Windows XP must check the PAC with the KDC
  – But only rarely, so I never saw it in my testing

12 Using the full AD schema
● Microsoft has provided a copy of its schema
  – But in 'not quite LDIF' format
  – And with syntax errors
● These we can resolve...
● I asked for help writing a conversion script
  – Sreepathi Pai (sree314@gmail.com) took on the challenge
  – End result can be integrated into our provision script

13 Account expiry
● Some bugs just take time to discover
● Samba4 had a hard-coded 28 day password expiry
  – Samba also incorrectly ignored the 'no expiry' flag
  – Only found once testers stopped having to re-provision regularly

14 Dropping out of the domain
● Again, found by my Russian connection.
  – Windows clients would just stop working, after around a month.
● Monthly password change
  – To a Random byte buffer
  – Samba4 could not convert a random byte buffer into a UTF8 string
  – Samba actually set the password to “”
  – Fix was eventually to rework the whole password setting stack
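
The failure mode on this slide, as an added Python sketch (not Samba code; the function names and the sample buffer are hypothetical, and the client's new password is assumed to arrive as UTF-16LE code units). It contrasts swallowing the conversion error with keeping the buffer opaque, and measures how often random buffers fail strict decoding.

```python
import random

def store_password_buggy(buf: bytes) -> str:
    """Failure mode from the slide: the conversion error is swallowed and
    an empty password is stored in place of the client's new one."""
    try:
        return buf.decode("utf-16-le")
    except UnicodeDecodeError:
        return ""

def store_password_opaque(buf: bytes) -> dict:
    """Keep the client's bytes as the credential; a text form is optional.
    Malformed input (empty or odd length) is rejected, never replaced."""
    if not buf or len(buf) % 2:
        raise ValueError("password buffer must be non-empty UTF-16 units")
    try:
        text = buf.decode("utf-16-le")
    except UnicodeDecodeError:
        text = None  # not valid UTF-16, so no UTF-8 string form exists
    return {"raw": buf, "text": text}

def undecodable_fraction(units: int, trials: int, seed: int = 0) -> float:
    """Share of random buffers of `units` 16-bit code units that strict
    UTF-16 decoding rejects (unpaired surrogates in D800-DFFF)."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        buf = bytes(rng.getrandbits(8) for _ in range(units * 2))
        try:
            buf.decode("utf-16-le")
        except UnicodeDecodeError:
            bad += 1
    return bad / trials

# Constructed sample: high surrogate U+D800 followed by 'A', not a low surrogate.
SAMPLE = b"\x00\xd8A\x00"

if __name__ == "__main__":
    print(repr(store_password_buggy(SAMPLE)))
    print(store_password_opaque(SAMPLE))
    print(undecodable_fraction(units=64, trials=500))
```

A server that behaves like `store_password_buggy` ends up holding a credential the client never chose, which matches the symptom of clients dropping out after the monthly change.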

15 NTP signing
● The client time at the Russian install kept drifting
  – This breaks Kerberos quite badly
● Windows clients tried (and failed) to get time from the Samba4 DC
● Needed to implement the Microsoft-only NTP authentication extensions
  – MS-SNTP
● Patch now available, and well tested

16 Help still needed
● Testing Samba4 with other software is the remaining big challenge
  – For example, just how much more do we need to support Exchange?
  – Non-Windows clients
● Developing administration tools
● Re-start the web interface
  – If administrators still want that kind of thing

17 LDAP schema mapping
● Is it a problem that Samba4 uses the AD schema?
● Do administrators want Samba4 to use a different backend schema?
  – Perhaps on the same server as Linux clients use?
● Can someone help me come up with a sensible mapping?
  – Samba3-like minimal mapping (just add Kerberos)
  – Samba4 full schema to 'posix like' backend

18 The road ahead
● Domain Trusts
● Replication
  – Once-off (vampire)
  – Read-only copy
  – Full read-write replication

19 Taking it in our stride
● I've made it my aim to help Sysadmins with their deployments
● We are starting to get a community
  – I'm not the only one answering questions
● With the feedback from sysadmins, we can better direct Samba4 development
● I'm not asking to switch everything today
  – Just to tell me what stops you from using Samba4

20 Demo Time
● Demo of Samba's provision and a WinXP join

