
Samba as an Active Directory Domain Controller

Gregory Havens II, Texas A&M University – [email protected]
Anthony Liguori, Rutgers University – [email protected]
C. Donour Sizemore, University of Chicago – [email protected]

CIFS Conference, 2002

Active Directory

What is Active Directory?

• Central repository of network resources
  – users and groups
  – computers, printers, etc.
  – configuration data

• Administrative abstraction for managing users and resources
  – ADSI
  – Windows MMC

Why Do People Use Active Directory?

• Provides much tighter integration of services than previously existed
• Bundled with every Windows 2000 Server
• Provides a central point of resource management
• Good administration tools

Components

• LDAP server
• Kerberos Key Distribution Center (KDC)
• Domain Controller
• Integrated services
  – File / Printer (CIFS)
  – Web (IIS)
  – Mail (Exchange)
  – Naming (DNS)

AD Domain Controller

What are domains?

1. Canonical – the DNS domain (the name)
2. Resource – the LDAP directory (the objects)
3. Security – the NT domain (the accounts and the trust boundary)

• Active Directory combines all three under one name

Domain Controller (DC) Function

• Manages various network resources
  – printers
  – filesystems
  – applications

• Provides
  – authentication
  – authorization
  – administrative abstraction

Native vs. Mixed Mode

• Windows 2000 Server supports both native and mixed mode operation

• Mixed mode
  – master-slave replication (PDC to NT BDCs)
  – support for NT 4.0 BDCs

• Native mode
  – peer to peer (multi-master) replication
  – better server scalability
  (the Global Catalog is the exception: by default it is hosted on a single server)

NT Domain

[figure: an NT PDC replicating to an NT BDC, with three Windows clients and a Samba client attached to the domain]

• Master-slave domain hierarchy

Active Directory Domain

[figure: a domain tree with root domain ibm.com, child domains linux.ibm.com and igs.ibm.com, and ltc.linux.ibm.com beneath linux.ibm.com; a Samba client and a Windows client attached]

DC Components

• Filesystem / RPC server
  – Samba

• Directory server
  – iPlanet, IBM Directory Server, eDirectory
  – OpenLDAP

• Kerberos
  – MIT Kerberos
  – Heimdal

Possible Solution

[figure: a Windows client talking to the Active Directory domain controller over DNS, LDAP, SMB, DCERPC and Kerberos, each protocol served by an open-source component]

  DNS          – BIND
  LDAP         – OpenLDAP
  SMB / DCERPC – Samba
  Kerberos     – MIT Kerberos

Common Domain Processes

• Join a domain
• User logon
• Resource request
• Add user
• Add a resource (printer, shared folder, etc.)
• Add domain controller
• System boot

Domain Join Process

• Locate domain controller – DNS SRV record queries
• Locate logon server – CLDAP
• Authenticate – Kerberos
• Send connection request – SMB/RPC
• Negotiate addition to domain
  – security descriptor generation
  – objectSid generation
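The locating step of the join, as an added worked example (not code from the slides or from Samba): given the DNS domain name, derive the SRV names the client queries, the LDAP base DN and the default NT-style name, then order the SRV answers for contact as RFC 2782 prescribes. It also makes concrete the three meanings of "domain" from the earlier slide, since all three names are derived from the one DNS name. Assumptions not on the page: the `_msdcs` SRV owner names are those of Microsoft's DC locator (MS-ADTS), the NetBIOS name is only a default an administrator can override, weight-0 handling is simplified, and the SRV answer is constructed sample data with hypothetical hosts dc1, dc2 and dc3.

```python
"""DC locator helpers: SRV names, base DN, NetBIOS name and RFC 2782 ordering.
Added example; not from the slides or Samba.  The SRV answer below is
constructed sample data with hypothetical hosts."""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def locator_srv_names(dns_domain: str, site: str = "") -> List[str]:
    """SRV owner names a client resolves to find a DC and a KDC for dns_domain.
    Assumption (MS-ADTS DC locator, not the slides): when the client knows
    its AD site, the site-specific names under _sites are tried first."""
    names = []
    for service in ("_ldap", "_kerberos"):
        if site:
            names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{dns_domain}")
        names.append(f"{service}._tcp.dc._msdcs.{dns_domain}")
    return names


def dns_to_base_dn(dns_domain: str) -> str:
    """Resource naming: the LDAP naming context is derived label by label
    from the DNS name (ltc.linux.ibm.com -> DC=ltc,DC=linux,DC=ibm,DC=com)."""
    return ",".join(f"DC={label}" for label in dns_domain.strip(".").split("."))


def default_netbios_name(dns_domain: str) -> str:
    """Security naming: the NT-style domain name defaults to the leftmost
    DNS label, upper-cased and cut to the 15-character NetBIOS limit.
    Administrators may pick another name, so this is only the default."""
    return dns_domain.strip(".").split(".")[0].upper()[:15]


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order SRV records for contact: ascending priority, and within one
    priority a weighted random draw so heavier records tend to come first.
    Simplification: weight-0 records are drawn only after every weighted
    record in the group (RFC 2782 merely makes them very unlikely)."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            weighted = [r for r in group if r.weight > 0]
            pick = (rng.choices(weighted, weights=[r.weight for r in weighted])[0]
                    if weighted else group[0])
            ordered.append(pick)
            group.remove(pick)
    return ordered


# Constructed sample answer for _ldap._tcp.dc._msdcs.ltc.linux.ibm.com
# (hypothetical hosts, not from the slides): two DCs share priority 0,
# a third is a fallback at priority 10.
SAMPLE_SRV = [
    SrvRecord(priority=10, weight=50, port=389, target="dc3.ltc.linux.ibm.com"),
    SrvRecord(priority=0, weight=100, port=389, target="dc1.ltc.linux.ibm.com"),
    SrvRecord(priority=0, weight=20, port=389, target="dc2.ltc.linux.ibm.com"),
]


def locate(dns_domain: str, srv_answer: List[SrvRecord],
           rng: Optional[random.Random] = None) -> dict:
    """Everything the join needs before the CLDAP ping: the domain's name in
    each namespace and the DCs to try, in contact order."""
    ordered = order_srv(srv_answer, rng)
    return {
        "dns_domain": dns_domain,
        "base_dn": dns_to_base_dn(dns_domain),
        "netbios": default_netbios_name(dns_domain),
        "queries": locator_srv_names(dns_domain),
        "dcs": [(r.target, r.port) for r in ordered],
    }


if __name__ == "__main__":
    print(locate("ltc.linux.ibm.com", SAMPLE_SRV, random.Random(1)))
```

The priority-10 host only ever appears last, which is the point of SRV priorities: a client walks this list and sends its CLDAP ping to each candidate in turn, and a slow or dead primary DC shows up as join latency rather than failure.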

CLDAP

• Connectionless LDAP server
  – UDP 389
  – LDAP v3

• The ability to serve CLDAP is being integrated into the Samba 3.0 development tree.

• If the CLDAP query fails, the client falls back to NetBIOS name service
  – long domain join delay

CLDAP Server Support

• Not a true LDAP request; it behaves more like a new RPC transport, so it can't be served by any current LDAP implementation.

• Preliminary work to integrate it into Samba's nmbd.
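What the client actually puts on UDP 389, as an added example (not the slides' or Samba's code): the CLDAP "LDAP ping" a Windows client sends to each candidate DC, built with a minimal BER encoder so the bytes can be inspected, plus a decoder to match a reply to its request. Assumptions from MS-ADTS rather than the slides: the ping is an LDAPv3 SearchRequest with an empty base and baseObject scope, filter `(&(DnsDomain=<domain>)(Host=<client name>)(NtVer=<flags>))`, and the single requested attribute `Netlogon`; `NtVer` is a little-endian flags word and 0x06 selects the version 5 / 5EX response formats. The domain and host names are constructed sample values.

```python
"""CLDAP 'LDAP ping' request builder with a minimal BER encoder/decoder.
Added example; not Samba code.  Assumptions (MS-ADTS, not the slides):
the ping is an LDAPv3 SearchRequest with empty base, scope baseObject,
filter (&(DnsDomain=...)(Host=...)(NtVer=...)) and attribute Netlogon;
NtVer is a little-endian flags word, 0x06 = NETLOGON_NT_VERSION_5 | _5EX."""
import socket
import struct

NT_VERSION_5_AND_5EX = 0x00000006


def ber_len(n: int) -> bytes:
    """Definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER (non-negative); a leading 0x00 keeps values >= 128 positive."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def ber_str(s) -> bytes:
    """OCTET STRING, used for LDAPDN, attribute names and assertion values."""
    return tlv(0x04, s if isinstance(s, bytes) else s.encode())


def equality(attr: str, value) -> bytes:
    """Filter equalityMatch ::= [CONTEXT 3] SEQUENCE { attr, value }."""
    return tlv(0xA3, ber_str(attr) + ber_str(value))


def and_filter(*parts: bytes) -> bytes:
    """Filter and ::= [CONTEXT 0] SET OF Filter."""
    return tlv(0xA0, b"".join(parts))


def ldap_ping_request(dns_domain: str, host: str, msg_id: int = 1,
                      nt_version: int = NT_VERSION_5_AND_5EX) -> bytes:
    """The datagram a client sends to UDP 389 of a candidate DC."""
    search = tlv(0x63,                                   # [APPLICATION 3] SearchRequest
                 ber_str("")                             # baseObject: "" (rootDSE)
                 + tlv(0x0A, b"\x00")                    # scope: baseObject
                 + tlv(0x0A, b"\x00")                    # derefAliases: neverDerefAliases
                 + ber_int(0) + ber_int(0)               # sizeLimit, timeLimit: none
                 + tlv(0x01, b"\x00")                    # typesOnly: FALSE
                 + and_filter(equality("DnsDomain", dns_domain),
                              equality("Host", host),
                              equality("NtVer", struct.pack("<I", nt_version)))
                 + tlv(0x30, ber_str("Netlogon")))       # attributes: [Netlogon]
    return tlv(0x30, ber_int(msg_id) + search)           # LDAPMessage


def ber_decode(buf: bytes):
    """Split the first TLV off buf -> (tag, value, remainder)."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        return tag, buf[2:2 + first], buf[2 + first:]
    n = first & 0x7F
    length = int.from_bytes(buf[2:2 + n], "big")
    return tag, buf[2 + n:2 + n + length], buf[2 + n + length:]


def ping_message_id(datagram: bytes) -> int:
    """messageID of an LDAPMessage; a reply carries the request's ID."""
    tag, body, _ = ber_decode(datagram)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    itag, ivalue, _ = ber_decode(body)
    if itag != 0x02:
        raise ValueError("messageID missing")
    return int.from_bytes(ivalue, "big")


def send_ldap_ping(dc_ip: str, request: bytes, timeout: float = 2.0) -> bytes:
    """Send the ping and return the raw reply, or b"" on timeout.  A client
    that gets nothing back here is what falls back to NetBIOS name service."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (dc_ip, 389))
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""
```

Structurally this is an ordinary LDAP search, which is why a packet capture shows it as one; what a stock LDAP server cannot do is answer it, because the `Netlogon` attribute value is not stored data but a NETLOGON_SAM_LOGON_RESPONSE structure computed from the DC's own state, and the exchange must complete in a single datagram.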

Samba

What Samba Can Do Now

• Samba 2.2 releases
  – supports most of the RPC calls necessary for a Windows XP join (netlogon, etc.)
  – NT Primary Domain Controller

• Forthcoming in future Samba releases
  – Active Directory client
  – Active Directory Domain Controller

AD LDAP Server

Dynamically Generated Fields

• Breaks with the spirit of LDAP: the server computes these attributes rather than storing them
  – ntSecurityDescriptor
  – objectSid

• Requires a special purpose backend to serve dynamic data
  – proxy backend
  – "AD" backend
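Why objectSid cannot simply be stored like any other attribute, as an added example (not the slides' or Samba's code): the value is a binary SID the DC must mint at object creation time from the domain SID and a RID it allocates from its pool, and the join's "objectSid generation" step is exactly this. The block encodes and decodes the SID wire format carried in objectSid and allocates RIDs from a pool. The layout (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian sub-authorities) is the Windows SID format; the domain SID and the pool range are constructed sample values, and the pool is a stand-in for what the RID master hands out in a real forest. ntSecurityDescriptor is the other computed attribute on the slide and is not covered here.

```python
"""objectSid: binary SID encode/decode plus RID allocation from a pool.
Added example, not Samba code.  The layout (revision, sub-authority count,
6-byte big-endian identifier authority, little-endian sub-authorities) is
the Windows SID format carried in objectSid; the domain SID and RID range
below are constructed sample values."""
import struct
from typing import Tuple


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...-1000' -> objectSid bytes."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("at most 15 sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """objectSid bytes -> 'S-1-5-21-...'; rejects truncated or padded values."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = struct.unpack_from("<BB", raw)
    if len(raw) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def is_valid_sid(raw: bytes) -> bool:
    """True when raw parses as a well-formed SID."""
    try:
        bytes_to_sid(raw)
        return True
    except ValueError:
        return False


def split_sid(sid: str) -> Tuple[str, int]:
    """Account SID -> (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


class RidPool:
    """Allocates RIDs from one contiguous pool, as a DC does when it creates
    security principals.  RIDs below 1000 are used for well-known accounts
    and groups, so the sample pool starts at 1000.  In Active Directory the
    RID master hands out pools; here exhaustion simply raises."""

    def __init__(self, domain_sid: str, start: int = 1000, end: int = 1500):
        if start < 1000:
            raise ValueError("pool overlaps the well-known RID range")
        self.domain_sid, self.next_rid, self.end = domain_sid, start, end

    def new_object_sid(self) -> bytes:
        """objectSid for a newly created user, group or computer object."""
        if self.next_rid >= self.end:
            raise RuntimeError("RID pool exhausted")
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        return sid_to_bytes("%s-%d" % (self.domain_sid, rid))


# Constructed domain SID, not a real domain's.
SAMPLE_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"

if __name__ == "__main__":
    pool = RidPool(SAMPLE_DOMAIN_SID)
    print(bytes_to_sid(pool.new_object_sid()))
```

Two things worth noting for anyone building the "AD backend" the slide describes: the RID counter is state that must survive restarts and must never be handed out twice, since a reused RID silently grants a new object the old object's access; and a decoder that accepts a SID whose length disagrees with its sub-authority count will misparse trailing bytes as authority data, so length checking is not optional.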

Active Directory Schema

• Published in the directory
• Root DSE attributes
  – ldapServiceName
• Includes non-standard objects
• Breaks certain standard objects
  – person object class

Kerberos

• Heimdal
  – can store its principal database, keys included, in OpenLDAP through its LDAP backend

• MIT Kerberos
  – supports PAC extensions
  – does not (as of 2002) support storing its database in an LDAP server