Jane Deer
2003-Oct-12 19:20 UTC
[Samba] Samba 3.0 as Active Directory Domain Controller with MIT Kerberos
"Gerald (Jerry) Carter" <jerry@samba.org> wrote in message news:<zwyd.1Tn.5@gated-at.bofh.it>...

> The Samba Team is proud to announce the availability of the
> first official release of the Samba 3.0 code base.
>
> Major new features:
> - -------------------
>
> 1) Active Directory support. Samba 3.0 is now able to
> join a ADS realm as a member server and authenticate
> users using LDAP/Kerberos.

Hi Gerald (Jerry) and Samba Team!

Before anything else, I'd just like to start by thanking you for your magnificent contribution to the Open Source community. I've been using Samba in various contexts for almost 2 years now and it's been a huge benefit to me. Thank you, Thank you, Thank you!

I've been using Samba 2.2 as a PDC for a production environment with Windows XPP and Windows 2000 Pro clients and serving up a database application, and Samba does beautifully at this task and has done so for more than a year.

Since I see that with 3.0, Samba now supports Active Directory, it occurs to me that I might now be able to use Samba as an emulated Windows 2000 Domain Controller (i.e., an Active Directory Domain Controller with Kerberos), but perhaps that level of functionality is not there yet? I see in the Samba-HOWTO collection documentation (included with the 3.0 stable tarball and dated 21 April 2003) the following statements:

====================
The following functionalities are not provided by Samba-3:

SAM replication with Windows NT4 Domain Controllers (i.e., a Samba PDC and a Windows NT BDC or vice versa). This means Samba cannot operate as a BDC when the PDC is Microsoft-based or replicate account data to Windows BDCs.

Acting as a Windows 2000 Domain Controller (i.e., Kerberos and Active Directory). In point of fact, Samba-3 does have some Active Directory Domain Control ability that is at this time purely experimental that is certain to change as it becomes a fully supported feature some time during the Samba-3 (or later) life cycle. However, Active Directory is more than just SMB; it's also LDAP, Kerberos, DHCP, and other protocols (with proprietary extensions, of course).
====================

But in the official press release I see the following:

====================
Replacement of Windows NT4® Domains

Samba 3.0 contains the first Open Source/Free Software implementation of Windows NT Primary and Backup Domain Controller functionality. Customers can transparently migrate their existing Windows NT domains to Samba 3.0 whilst keeping their existing user and group account databases. This enables significant cost of ownership savings over a Windows NT4 domain as a Samba 3.0 Domain Controller does not require client access licenses. Existing Windows tools can be used to manage a Samba PDC, allowing customer Windows expertise to be leveraged in a domain migration. A choice of LDAP back-ends allows integration with an existing customer directory service.

Single Sign-on with Active Directory® Integration <-----<<<

Samba 3.0 seamlessly integrates into a Microsoft Active Directory domain in both native and mixed mode. Samba 3.0 provides single sign-on for UNIX® / Linux® clients in an Active Directory environment, allowing both servers and clients to transparently use Active Directory as an authentication and account source. Domain trust relationships are fully supported, allowing Samba 3.0 Controlled Domains to integrate easily into any Active Directory environment.

Complete Integration with Windows Security

Samba 3.0 fully implements Kerberos 5 authentication, SMB signing for tamper-proof file serving sessions, and SCHANNEL security for secure remote procedure calls. Samba 3.0 works "out of the box" with the improved security settings of Windows 2003 Domain Controllers.
====================

It looks like the press release contradicts the documentation on at least some points (BDC functionality), but then again the docs were something like 6 months old.

So, my fundamental question is:

Can Samba 3.0 act as a Windows 2000 Domain Controller (i.e., an Active Directory Domain Controller with Kerberos)?

I already have an MIT Kerberos 1.3 installation on my network that is working fine with Mac OS X and Linux kerberos authentication, but I seem to have discovered something rather important about Microsoft Windows XPP and kerberos authentication: it seems only to work with Microsoft Windows 2000 Server and Microsoft Windows 2003 Server---not with an MIT unix kerberos Key Distribution Center (KDC).

I actually found a Microsoft-authored howto on using Windows 2000 Professional client computers to authenticate against an MIT Kerberos KDC, so I just assumed that this functionality would also exist in XPP, but I've hunted all over for guidance on how to do it, and I've come to the (perhaps premature) conclusion that XPP will not do this.

So I'm hoping that Samba 3.0 combined with a functional MIT Kerberos 1.3 system _would_ allow me to use the wonderful kerberos protocol to authenticate my Windows XPP client machines without investing the $$$$ in a M$ Windows 2000 Server or 2003 Server with per client licensing and all that stuff.

Is there any hope for doing this with Samba 3.0? If not... <sigh> then I'll just make do with Samba 3.0 as my NT4 PDC for authenticating my XPP client machines, but I'd really like to use kerberos if at all possible (and not use M$ Windows 200x Server).

If this functionality _is_ built into Samba 3.0, can anyone point me to documentation on setting it up? I find none in the ORA book, the Samba-HOWTO-Collection (though they don't seem to accurately document everything about the newest 3.0 stable release from just last month---understandable as documentation must follow the coding itself), etc.

Thanks in advance, and again, many thanks to the Samba Team for creating a terrific software suite!

-Jane
Jane Deer
2003-Oct-12 19:36 UTC
[Samba] Samba 3.0 as Active Directory Domain Controller with MIT Kerberos
On Sunday 12 October 2003 15:20, Jane Deer wrote:

> "Gerald (Jerry) Carter" <jerry@samba.org> wrote in message
> news:<zwyd.1Tn.5@gated-at.bofh.it>...
>
> > The Samba Team is proud to announce the availability of the
> > first official release of the Samba 3.0 code base.
> >
> > Major new features:
> > - -------------------
> >
> > 1) Active Directory support. Samba 3.0 is now able to
> > join a ADS realm as a member server and authenticate
> > users using LDAP/Kerberos.
>
> So, my fundamental question is:
>
> Can Samba 3.0 act as a Windows 2000 Domain Controller (i.e., an Active
> Directory Domain Controller with Kerberos)?

Never mind... Apologies for asking a question that's already been asked. I just read John Terpstra's post from Sun, 12 Oct 2003 04:20:25 +0000 (GMT).

-Jane
John H Terpstra
2003-Oct-12 19:38 UTC
[Samba] Samba 3.0 as Active Directory Domain Controller with MIT Kerberos
On Sun, 12 Oct 2003, Jane Deer wrote:

> "Gerald (Jerry) Carter" <jerry@samba.org> wrote in message
> news:<zwyd.1Tn.5@gated-at.bofh.it>...
>
> > The Samba Team is proud to announce the availability of the
> > first official release of the Samba 3.0 code base.
> >
> > Major new features:
> > - -------------------
> >
> > 1) Active Directory support. Samba 3.0 is now able to
> > join a ADS realm as a member server and authenticate
> > users using LDAP/Kerberos.
>
> Hi Gerald (Jerry) and Samba Team!
>
> Before anything else, I'd just like to start by thanking you for your
> magnificent contribution to the Open Source community. I've been
> using Samba in various contexts for almost 2 years now and it's been a
> huge benefit to me. Thank you, Thank you, Thank you!
>
> I've been using Samba 2.2 as a PDC for a production environment with
> Windows XPP and Windows 2000 Pro clients and serving up a database
> application and Samba does beautifully at this task and has done so
> for more than a year.
>
> Since I see that with 3.0, Samba now supports Active Directory, it
> occurs to me that I might now be able to use Samba as an emulated
> Windows 2000 Domain Controller (i.e., an Active Directory Domain
> Controller with Kerberos), but perhaps that level of functionality is
> not there yet? I see in the Samba-HOWTO collection documentation
> (included with the 3.0 stable tarball and dated 21 April 2003) the
> following statements:
>
> ====================
> The following functionalities are not provided by Samba-3:
>
> SAM replication with Windows NT4 Domain Controllers (i.e., a
> Samba PDC and a Windows NT BDC or vice versa). This means Samba cannot
> operate as a BDC when the PDC is Microsoft-based or replicate account
> data to Windows BDCs.
>
> Acting as a Windows 2000 Domain Controller (i.e., Kerberos
> and Active Directory). In point of fact, Samba-3 does have some Active
> Directory Domain Control ability that is at this time purely
> experimental that is certain to change as it becomes a fully supported
> feature some time during the Samba-3 (or later) life cycle. However,
> Active Directory is more than just SMB; it's also LDAP, Kerberos, DHCP,
> and other protocols (with proprietary extensions, of course).
> ====================
>
> But in the official press release I see the following:
>
> ====================
> Replacement of Windows NT4® Domains
>
> Samba 3.0 contains the first Open Source/Free Software implementation
> of Windows NT Primary and Backup Domain Controller functionality.
> Customers can transparently migrate their existing Windows NT domains
> to Samba 3.0 whilst keeping their existing user and group account
> databases. This enables significant cost of ownership savings over a
> Windows NT4 domain as a Samba 3.0 Domain Controller does not require
> client access licenses. Existing Windows tools can be used to manage a
> Samba PDC, allowing customer Windows expertise to be leveraged in a
> domain migration. A choice of LDAP back-ends allows integration with
> an existing customer directory service.
>
> Single Sign-on with Active Directory® Integration <-----<<<
>
> Samba 3.0 seamlessly integrates into a Microsoft Active Directory
> domain in both native and mixed mode. Samba 3.0 provides single
> sign-on for UNIX® / Linux® clients in an Active Directory
> environment, allowing both servers and clients to transparently use
> Active Directory as an authentication and account source. Domain trust
> relationships are fully supported, allowing Samba 3.0 Controlled
> Domains to integrate easily into any Active Directory environment.
>
> Complete Integration with Windows Security
>
> Samba 3.0 fully implements Kerberos 5 authentication, SMB signing for
> tamper-proof file serving sessions, and SCHANNEL security for secure
> remote procedure calls. Samba 3.0 works "out of the box" with the
> improved security settings of Windows 2003 Domain Controllers.
> ====================
>
> It looks like the press release contradicts the documentation on at
> least some points (BDC functionality), but then again the docs were
> something like 6 months old.

No, there is no contradiction. No, the documentation is not 6 months old - they were updated immediately before 3.0.0 shipped. Your assumptions may extrapolate a little too far!

> So, my fundamental question is:
>
> Can Samba 3.0 act as a Windows 2000 Domain Controller (i.e., an Active
> Directory Domain Controller with Kerberos)?

No! As stated in the HOWTO, Samba-3.0.0 can NOT act as an ADS DC. It can act as a member server in an AD environment, but Samba can not act as an ADS. Samba can also NOT act as an ADDC in an ADS environment.

> I already have an MIT Kerberos 1.3 installation on my network that is
> working fine with Mac OS X and Linux kerberos authentication, but I
> seem to have discovered something rather important about Microsoft
> Windows XPP and kerberos authentication: it seems only to work with
> Microsoft Windows 2000 Server and Microsoft Windows 2003 Server---not
> with an MIT unix kerberos Key Distribution Center (KDC).

Correct. MS XPP/200x all use proprietary protocol extensions for Kerberos and use LDAP over Kerberos - neither of which are supported by native MIT Kerberos, nor is the use of LDAP over Kerberos supported in OpenLDAP.

> I actually found a Microsoft-authored howto on using Windows 2000
> Professional client computers to authenticate against an MIT Kerberos
> KDC, so I just assumed that this functionality would also exist in
> XPP, but I've hunted all over for guidance on how to do it, and I've
> come to the (perhaps premature) conclusion that XPP will not do this.

I am familiar with this MS Document. To say the very least, it aims to permit UNIX and Linux authentication to integrate with ADS. It is VERY messy, requires synchronization of /etc/passwd and /etc/group information (ie: you must have entries in each for all ADS accounts), and is extremely human resource intensive from an administration and maintenance perspective.

> So I'm hoping that Samba 3.0 combined with a functional MIT Kerberos
> 1.3 system _would_ allow me to use the wonderful kerberos protocol to
> authenticate my Windows XPP client machines without investing the $$$$
> in a M$ Windows 2000 Server or 2003 Server with per client licensing
> and all that stuff.

This does NOT work today. This was clearly (I believe) stated in the HOWTO.

> Is there any hope for doing this with Samba 3.0? If not... <sigh>
> then I'll just make do with Samba 3.0 as my NT4 PDC for authenticating
> my XPP client machines, but I'd really like to use kerberos if at all
> possible (and not use M$ Windows 200x Server).

I find it necessary to repeat time and again: Samba-3.0.0, plus LDAP and Kerberos, is NOT the same as Windows 200x ADS + DC operation. It can not be done. You can run Samba-3.0.0 only as a replacement for an NT4 PDC/BDC - but even then - NOT in admixture. ie: No Samba-3.0.0 PDC and NT4 BDC (or vice versa). Is that clear enough yet?

> If this functionality _is_ built into Samba 3.0, can anyone point me
> to documentation on setting it up? I find none in the ORA book, the
> Samba-HOWTO-Collection (though they don't seem to accurately document
> everything about the newest 3.0 stable release from just last
> month---understandable as documentation must follow the coding
> itself), etc.

What is inaccurate please? I am ready to fix it!

> Thanks in advance, and again, many thanks to the Samba Team for
> creating a terrific software suite!

- John T.

--
John H Terpstra
Email: jht@samba.org
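The two roles John confirms as supported in Samba 3.0.0, written out as configuration. This is an added illustration, not part of the thread and not Samba project documentation; the domain name EXAMPLEDOM, the realm EXAMPLE.COM, the host names SAMBAPDC and dc1.example.com, and the paths and idmap ranges are placeholders. Role A is the NT4-style PDC (Samba itself holds the account database; no Kerberos is involved). Role B is the ADS domain member, where Samba is a Kerberos client of an existing Windows 200x DC, which remains the KDC. Neither role turns Samba into a KDC or an AD DC, which is the point of John's reply.

```ini
# ---------------------------------------------------------------
# Role A: smb.conf for a Samba 3.0 NT4-style PDC (placeholder names)
# The account database lives in Samba (tdbsam here, ldapsam is the
# other common choice). Clients authenticate with NTLM, not Kerberos.
# ---------------------------------------------------------------
[global]
    workgroup = EXAMPLEDOM
    netbios name = SAMBAPDC
    security = user
    encrypt passwords = yes
    passdb backend = tdbsam
    # "domain logons = yes" is what makes this host a PDC
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

[netlogon]
    # placeholder path; logon scripts and policies are served from here
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

# ---------------------------------------------------------------
# Role B: smb.conf for a Samba 3.0 ADS domain member (placeholder names)
# "security = ads" joins an existing AD domain; the Windows DC stays
# the KDC and account source, Samba only consumes tickets via winbind.
# ---------------------------------------------------------------
[global]
    workgroup = EXAMPLEDOM
    # realm is the AD DNS domain in upper case; it must match krb5.conf
    realm = EXAMPLE.COM
    security = ads
    password server = dc1.example.com
    encrypt passwords = yes
    # placeholder uid/gid ranges for AD users mapped by winbind
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash

# ---------------------------------------------------------------
# /etc/krb5.conf for role B: the KDC is the Windows DC, not an MIT kdc
# ---------------------------------------------------------------
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

The two smb.conf fragments are alternatives, not one file: a host runs as either a PDC or a domain member. For role B, after filling in real values, `kinit administrator@EXAMPLE.COM` followed by `net ads join -U administrator` creates the machine account on the Windows DC, and `net ads testjoin` plus `wbinfo -t` confirm the machine trust afterwards. Comments in smb.conf and krb5.conf must sit on their own lines; a `#` or `;` after a value is read as part of the value.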