The folks on the Samba development team have been busy developing the latest version of their popular Linux-Windows integration software. Version 3.0 of the Samba Windows file-sharing software sports a number of enhancements that allow it to play a more useful role in Windows-based networks--even those based on Windows Server 2003.
New features flourish
The Samba team has not rested on their laurels with the success of the 2.x line of software. Indeed, Samba 3 provides a number of compelling new features, particularly dealing with domain integration and functionality.
Among the new domain features in Samba 3 are:
- The ability to join an Active Directory domain as a member server.
- The ability to authenticate users using LDAP and Kerberos.
- Improved printing support, including support for publishing printer attributes in Active Directory.
- The ability to migrate from a Windows NT4 domain directly to a Samba domain while maintaining SIDs.
- Better Winbind performance (Samba/domain synchronization).
Important considerations
While Samba 3 greatly improves Samba's place in the Windows world of Active Directory, it's also important to understand Samba 3's limits. First, Samba 3's domain controller functions are limited to acting as NT4-like domain controllers only. Samba 3 cannot presently emulate a Windows 2000 or Windows Server 2003 domain controller running Active Directory. As a result, Samba 3 servers can't provide policy objects based on Active Directory, nor can they provide Active Directory-based login scripts.
As mentioned in the features list above, however, Samba 3 can join an Active Directory domain as a member server. For folks who want to eliminate Microsoft servers altogether but still want Active Directory, this means that Samba isn't your solution. If you're looking for a very good, reliable way to achieve your integration goals between your Linux/UNIX servers and Windows Active Directory servers and desktops, though, Samba 3 is an excellent solution.
Goals of Samba 3
The Samba 3 design team had a number of goals with regard to the new features that would be added to their product. In particular, the team addressed the areas of security, Active Directory integration, and migration from Windows NT as their primary development goals. Additionally, such "soft" areas as documentation and bug tracking have been improved to make it easier to deploy Samba into larger environments.
Integration
The Samba design team also had the goal of being able to integrate Samba into different environments. To that end, Samba 3 provides improved features to make this easier. Foremost is Samba 3's LDAP capability. With the right packages installed, you can integrate Samba 3 into your iPlanet, Tivoli, or Novell eDirectory infrastructure. Samba 3 can also make use of Microsoft's Active Directory Application Mode (ADAM).
Samba's Winbind application has also undergone (and continues to undergo) changes to make it more useful. The Samba 3 version of Winbind handles communications with NT4 and Active Directory domain controllers as well as authentication and identity management. The new version also maps Windows security identifiers to UNIX user and group IDs.
Even though the architecture and capability of Winbind make it very scalable, it still suffers from potential pitfalls. For example, in order to use the same user and group IDs across all of your Samba servers, you must use an LDAP back end to store the information. Without the LDAP back end, each Samba server has to track its own user and group IDs, and they won't necessarily match. Furthermore, the use of Winbind exposes all of your NT or Active Directory domain users to the Samba server, resulting in potential security concerns.
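The ID-mismatch pitfall described above, as an added Python illustration (not Samba code and not part of the original article): a toy model in which each server hands out UNIX IDs in first-seen order, plus a check that compares SID-to-ID tables taken from several servers. The class and function names, the SIDs and the ID range are all constructed for the example.

```python
from itertools import count


class LocalIdmap:
    """Toy model: one server allocating UNIX IDs from its own range, in the
    order it first sees each Windows SID (no shared back end)."""

    def __init__(self, first_id=10000):  # assumed range start
        self._next = count(first_id)
        self.table = {}  # SID -> UNIX ID

    def lookup(self, sid):
        if sid not in self.table:
            self.table[sid] = next(self._next)
        return self.table[sid]


def audit_idmaps(tables):
    """Compare {server: {SID: ID}} tables.

    Returns (split_sids, shared_ids): SIDs that map to different IDs on
    different servers, and IDs that belong to different SIDs."""
    by_sid, by_id = {}, {}
    for server, table in tables.items():
        for sid, unix_id in table.items():
            by_sid.setdefault(sid, {})[server] = unix_id
            by_id.setdefault(unix_id, {})[server] = sid
    split_sids = {s: m for s, m in by_sid.items() if len(set(m.values())) > 1}
    shared_ids = {i: m for i, m in by_id.items() if len(set(m.values())) > 1}
    return split_sids, shared_ids


# Constructed sample SIDs (placeholder domain identifier, not real accounts).
ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BOB = "S-1-5-21-1111111111-2222222222-3333333333-1106"


def demo():
    # Two servers meet the same domain users in a different order.
    srv_a, srv_b = LocalIdmap(), LocalIdmap()
    for sid in (ALICE, BOB):
        srv_a.lookup(sid)
    for sid in (BOB, ALICE):
        srv_b.lookup(sid)
    local = audit_idmaps({"srv_a": srv_a.table, "srv_b": srv_b.table})
    # One shared table, the role the LDAP back end plays, gives one answer.
    shared = LocalIdmap()
    for sid in (BOB, ALICE):
        shared.lookup(sid)
    central = audit_idmaps({"srv_a": shared.table, "srv_b": shared.table})
    return local, central
```

With per-server allocation the same numeric ID ends up naming different domain users on the two servers, so ownership and ACLs keyed on that ID do not carry between them; with a single shared table the audit reports nothing.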

There are some concerns about Samba that it doesn't support software deployment, and Active Directory does.
It is not true.
Active Directory can only deploy software that is available in MSI format, which is rare - most installers are in EXE format.
So Active Directory is not that good for software deployment.
With Samba, you can distribute software in many formats (MSI, EXE, other) with a tool called WPKG - it is GPL and can be downloaded from wpkg.org.
You can use WPKG with Active Directory, too.
Posted by Blake on Saturday, July 02 2005 07:56 PM