
Introduction
Originally Samba was a suite of programs that gave various operating systems access to shared network drives and printers over the SMB/CIFS protocol; starting with version 4, Samba can also act as a domain controller, an analogue of the Active Directory service.
Although Samba 4 is a good candidate for replacing Active Directory Domain Services and implements much of the functionality of AD, it still has a number of significant limitations that can be critical when deploying and operating it in a production environment.
In this article we will try to answer the question of how good such a replacement can be and what problems and limitations you may encounter.
Samba features
Installing Samba together with the basic network services (DNS, NTP, Kerberos, ...) on a Linux distribution gives you the following functionality:
- Active Directory Domain Controller:
• Kerberos v5-based authentication service;
• LDAP-compatible directory service with DRS replication;
• Group Policy management;
• BIND-based DNS server with secure dynamic name registration (dynamic updates).
- File server
- Print server
Because Samba follows the same approach as the Active Directory directory service (the Samba developers worked from Microsoft's published specifications), workstations running Microsoft Windows from XP through Server 2012 R2 can be clients of a Samba domain, and the Microsoft Remote Server Administration Tools (RSAT) familiar to system administrators can be used to manage the Active Directory domain services implemented on Samba.
In addition, Samba is open source software and is licensed under the GPL, and this ultimately allows you to:
- Reduce the risks associated with the use of imported software (for government agencies this will be especially relevant from January 1, 2016).
- Reduce the total cost of ownership of the information system.
For small and medium-sized organizations that need a domain to store and look up information about the objects of their information system, as well as for organizations planning to switch to open source software for other reasons, Samba can be a good alternative to Microsoft Active Directory.
But is Samba this good for everyone, and does it really cover all of Active Directory's functionality? We will try to answer this question.
Samba restrictions
General information on the limitations of the AD functionality in Samba's implementation can also be found in the knowledge base on wiki.samba.org, but the information there has to be gathered bit by bit, and not all limitations are mentioned.
The limitations described here apply to the version of Samba current at the time of writing, 4.3.1. So, let us start with the functional limitations:
The maximum size of the Samba database is limited to 4 GB
The limit on the maximum size of the Samba database comes from the 32-bit TDB format on which Samba's LDB directory database is built. For large organizations with hundreds of thousands of objects in the Active Directory directory, migrating to Samba may therefore be impossible. (Incidentally, information about this limit was only published on November 13, 2015, almost three years after the release of Samba 4.0, and mainly because of active discussion on the mailing list.)
Trust relationships (forest / domain trusts)
The most complete implementation of trust relationships so far appeared in Samba 4.3, but there are still a number of significant limitations:
- Only two-way trusts are supported;
- SID filtering is not implemented. Without it the trusting domain accepts every SID presented from the trusted domain, including SIDs carried in SIDHistory, so whoever controls the trusted domain can claim membership in any group of the trusting domain; this significantly weakens the security of the trust;
- Adding users or groups from a trusted domain "A" to groups of domain "B" is not supported. This restriction alone makes Samba 4 unusable in any large installation that requires trust relationships.
Multi-domain structure / subdomain support
There is no support for a multi-domain structure, neither in the code nor in the Samba database. In fact, Samba has no global catalog implementation: a global catalog query is simply redirected to the ordinary LDAP directory.
If you create a subdomain based on Samba, or join Samba into a second-level domain, the records of the other domains and of the root domain will be lost, and because of the limited support for phantom objects, operation in a multi-domain environment can be very unstable. Unfortunately, to any question about this on the mailing list you will receive answers like:
“It’s not a small task.
Sorry.”
Sysvol replication
Although group policies are fully functional in Samba (with the exception of password policies assigned to a specific organizational unit), Samba supports neither DFS-R nor FRS, so SYSVOL replication between domain controllers has to be done manually or by script. Instructions for rsync-based replication between Samba controllers are available on wiki.samba.org; note that this scheme is one-way, with a single DC holding the master copy, so group policies must only be edited on that DC.
For SYSVOL replication between a Windows domain controller and Samba, you can contact me by e-mail.
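As an added example (not part of the original article and not a script from the Samba project), here is a pull script in the spirit of the rsync workaround described on wiki.samba.org. It assumes that the DC holding the PDC emulator role is dc1.samdom.example.com and that it exports its SYSVOL through an rsyncd module named SysVol to a user sysvol-replication whose password is stored in /var/lib/samba/private/rsync-sysvol.secret; all of these names are assumptions to adjust. It refuses to run on the PDC emulator itself, because that DC holds the master copy.

```shell
#!/bin/sh
# Pull-based SYSVOL replication for a Samba AD DC (no DFS-R/FRS available).
# Run from cron on every DC that does NOT hold the PDC emulator role.
# Assumed names (adjust to your domain): dc1.samdom.example.com is the PDC
# emulator and exports its SYSVOL through an rsyncd module called "SysVol".
set -eu

PDC_HOST="${PDC_HOST:-dc1.samdom.example.com}"                            # assumed name
SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol}"                          # default Samba path
RSYNC_USER="${RSYNC_USER:-sysvol-replication}"                             # rsyncd module user, assumed
SECRET_FILE="${SECRET_FILE:-/var/lib/samba/private/rsync-sysvol.secret}"   # that user's password

# rsync flags used for the pull:
#   -X  copy extended attributes (Samba keeps the NT ACL of each file in user.NTACL)
#   -A  copy POSIX ACLs            -a  archive mode (owner, mode, mtime, symlinks)
#   -z  compress in transit        --delete-after  remove files deleted on the PDC, after the copy
rsync_args() {
    printf '%s' "-XAaz --delete-after --password-file=${SECRET_FILE} rsync://${RSYNC_USER}@${PDC_HOST}/SysVol/ ${SYSVOL_DIR}/"
}

# Exit status 0 if the DC named $1 owns the PDC emulator role according to the
# output of `samba-tool fsmo show` supplied on stdin. Case-insensitive, because
# the role owner is shown by NetBIOS name while `hostname -s` is usually lower case.
holds_pdc_role() {
    grep -iq "^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=$1,"
}

sysvol_pull() {
    # Safety check: never pull onto the PDC emulator, that would overwrite the master copy.
    if samba-tool fsmo show | holds_pdc_role "$(hostname -s)"; then
        echo "this DC holds the PDC emulator role; nothing to pull" >&2
        exit 0
    fi
    # shellcheck disable=SC2046  (arguments intentionally word-split; paths contain no spaces)
    rsync $(rsync_args)
    # Re-apply the standard SYSVOL/GPO ACLs on the copied tree; the SIDs are
    # domain-wide, so they are valid on this DC as well.
    samba-tool ntacl sysvolreset
}

# Only perform the pull when invoked as `sysvol-pull.sh --run` (e.g. from cron);
# sourcing the file just defines the functions.
case "${1:-}" in
    --run) sysvol_pull ;;
esac
```

Install the script on every DC except the PDC emulator and run it from cron every few minutes. Because the NT ACLs travel as the user.NTACL extended attribute, the file system on both sides must support xattrs and rsync must be built with xattr support, otherwise `-X` is silently useless and only `sysvolreset` keeps the ACLs sane.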
KCC support
The Samba 4.3.0 release notes state that the developers have moved closer to a KCC implementation that follows Microsoft's published specification, but in practice you should be prepared for numerous errors in the event logs and for creating and adjusting the replication graph (the connection objects between controllers) by hand.
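One piece of that manual work is noticing when an inbound replication link has started failing and forcing the naming context to be re-pulled. The following script is an added example, not from the article or the Samba project: it parses the text output of `samba-tool drs showrepl` (its layout as printed by Samba 4.x is an assumption to verify against your version) and calls `samba-tool drs replicate` for every inbound link that reports consecutive failures. It assumes `samba-tool` is on PATH and that it runs on the DC being checked.

```shell
#!/bin/sh
# Check inbound DRS replication links on this Samba DC and re-pull the naming
# contexts whose links report consecutive failures; this stands in for the part
# of the KCC that a Windows DC would handle on its own. Assumed: `samba-tool`
# is on PATH and the script runs on the DC being checked.
set -eu

# Read the text of `samba-tool drs showrepl` on stdin and print one line per
# inbound neighbour with a non-zero failure count:
#   <failures> <Site\SourceDC> <naming context DN>
failed_inbound_links() {
    awk '
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                       { inbound = 0; next }   # OUTBOUND / KCC sections
        !inbound                       { next }
        /^[^ \t]/                      { nc = $0; next }       # unindented line: the NC DN
        / via RPC$/                    { sub(/^[ \t]+/, ""); sub(/ via RPC$/, ""); src = $0; next }
        /consecutive failure\(s\)\./   { if ($1 + 0 > 0) print $1, src, nc }
    '
}

# For every failed link, force a replication of that naming context from the
# source DC into this DC:  samba-tool drs replicate <dest DC> <source DC> <NC>
rereplicate_failed() {
    local_dc="$1"
    samba-tool drs showrepl | failed_inbound_links | while read -r failures src nc; do
        src_dc="${src##*\\}"            # "Site\DC2" -> "DC2"
        echo "$failures consecutive failure(s): pulling $nc from $src_dc" >&2
        samba-tool drs replicate "$local_dc" "$src_dc" "$nc" \
            || echo "replication of $nc from $src_dc failed; check the logs" >&2
    done
}

# Only act when invoked as `drs-repair.sh --run`; sourcing just defines the functions.
case "${1:-}" in
    --run) rereplicate_failed "$(hostname -s)" ;;
esac
```

Only inbound links are acted on, since `samba-tool drs replicate` pulls into the named destination; a failing outbound link is the other DC's problem and shows up in its own inbound list. If the forced replication keeps failing with the same error code, the link itself (a missing or stale connection object) rather than the data is usually what needs fixing.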
Other restrictions
- No full support for RODC (read-only domain controllers);
- No support for Windows Server 2012 / 2012 R2 domain controllers in a domain where Samba acts as an AD DC;
- No MIT Kerberos support;
- Problems in the implementation of the DRS replication module *;
- Problems with schema extension replication **.
* Most of the DRS functionality works correctly, but there are a number of limitations, which are listed on the DRS_TODO_List page of the Samba wiki.
** Although extending the schema is a routine operation, its result in Samba can be quite unexpected; for example, the error WERR_DS_DRA_SCHEMA_MISMATCH may appear. In fact this error can occur even when the schemas match, but covering that topic requires a separate article, so we will not dwell on it now.
It should also be borne in mind that the functional modules that are already implemented contain bugs, and judging by the lively correspondence on the mailing list there are quite a few of them (see bugzilla.samba.org).
Support for various applications
In addition to the functional limitations, Samba AD DC also has limitations related to the operation of a number of applications and services. In a test environment I tested some basic infrastructure services; the results are given below.
All applications were tested in a basic configuration. No deep analysis of the nature of the errors was carried out.

| Application | Test result | Checklist |
| --- | --- | --- |
| Microsoft Exchange Server 2003/2010/2013 | Not supported * | Installation; starting services |
| Microsoft SQL Server 2012R2 | Supported | Installation (including a fault-tolerant configuration with a failover cluster); creating availability groups; user authentication |
| Citrix XenApp 6.5 | Supported * | Installation; launching a published application; Citrix policies; applying roaming user profiles |
| Microsoft System Center Configuration Manager 2007 | Supported * | Installation; reporting functionality; remote desktop access |
* Comments:
- Microsoft Exchange Server 2003/2010/2013
After installing Exchange, replication problems may occur. The services required for Exchange to function did not start for me. More information about the problem can be found at Link 1 and Link 2.
- Citrix XenApp 6.5
After a successful installation of Citrix XenApp I had problems with replication; the cause was the wrong letter case in an SPN (a description of a similar problem can be found here).
- Microsoft System Center Configuration Manager 2007
Remote desktop access did not work for me because of an identification error in DCOM.
In general, applications that use Active Directory solely for authentication should work in a Samba-based domain without problems, but it is still worth testing them in a test environment first.
Conclusions
To sum up, Samba AD DC has quite a few limitations that can become a serious problem in large deployments. At the same time, Samba is currently the most mature open source replacement for Active Directory and for directory services in general. The solution is being actively developed, thanks to commercial support from foreign companies, integration with cloud services (using Samba on Amazon) and interest in the product from integrators; all of this gives reason to hope that the existing problems will be resolved and the missing functionality completed before long.