Samba 4 review: No substitute for Active Directory -- yet

Samba's open source alternative to Microsoft's domain controller is a good start, but not ready for prime time

Samba 4.0 is a milestone release that brings Active Directory functionality to the open source SMB/CIFS (Server Message Block/Common Internet File System) file and print server. Samba 4.0 can serve as an Active Directory Domain Controller, provide DNS services, handle Kerberos-based authentication, and administer group policy. The Samba 4.0 Domain Controller can even be managed using the native Windows Active Directory admin tools.

However, there are restrictions in this release -- mainly issues with file replication -- that limit the number of Domain Controllers you can join to only a single domain. Support for cross-forest trusts and multiple domain controllers is still to come. When that support arrives, Samba will be truly useful as an Active Directory replacement. Until then, the Domain Controller functionality is suitable mainly for testing. Not many environments can make good use of a single domain controller.


Beyond file and print services

SMB is the protocol behind all network file communication used natively by Windows Server and Windows clients; it's also known as CIFS. Support for SMB/CIFS on other operating systems has primarily come from the Samba project. Samba started back in 1992 as a way to connect Unix and Linux machines to Microsoft's LAN Manager network operating system. It's provided the plumbing necessary for Unix and Linux machines to connect to Microsoft networks ever since.

The most common use of Samba is still in the client role, but that has changed along the way with the ability to provide file and print services to Unix and Linux clients, as well as systems running various versions of Windows.

Samba has maintained a solid capability as a file server and client but has never had the ability to function as an Active Directory Domain Controller until now. Samba 4.0 has been under development for quite a long time, and the Domain Controller functionality has been available in beta form during the later stages prior to release. Samba 4.0 delivers a stable release of this new capability but in a severely limited form.

For Samba 4.0 to be useful in large and multisite environments -- the sort that rely on Active Directory -- it will need to support cross-forest trusts and multiple domain controllers. Support for multiple domain controllers requires directory and file system replication to maintain the user database and the sysvol and netlogon shares. (The sysvol share stores the Group Policy Template along with other system templates and scripts, and the netlogon share contains system-wide logon scripts for the likes of assigning home directories and updating virus definitions.) Directory replication works reliably in this release, but the file system replication piece remains under development.


Samba 4.0 installation and setup

There are a number of ways to get Samba 4.0 installed, depending on your system and how you want to go about testing. You can download the latest release in gzip form and install it yourself. The Samba Wiki has a complete how-to detailing the process step by step. For popular distributions such as Ubuntu, there are packages available for installing using the normal methods. From a terminal window in Ubuntu 12.10, you can simply type:

apt-get install samba4

For the purposes of this review I downloaded the Excellent Samba4 Appliance, a ready-made virtual appliance based on SLES 11 SP2 64-bit and Samba4 Stable 4.0.0. The Excellent Samba4 Appliance virtual machine is available in the OVF format; in a VMware image that will work with VMware, VirtualBox, or KVM; and in a VHD file for use with Microsoft's Hyper-V. I chose the VHD file and installed it on an HP ProLiant DL385 G7 server running Windows Server 2012.

You must run a script to initialize a number of settings (IP address, domain name, admin account name, and so on) before you can actually start the Samba Domain Controller. Once you've entered the required information, the script will configure the appropriate DNS settings and create default DNS records. DNS is a requirement for Active Directory and must be running to enable client machines to connect to the domain.

Configuring an Active Directory domain in Samba is straightforward, though not as easy as in Windows Server. It's a much easier process on native Windows as the pieces come with Windows Server and you don't have to download anything. Many of the configuration tasks are handled in Windows Server 2012 with wizards.

Managing the Samba Domain Controller

With your Samba Domain Controller up and running, you can use the standard Windows Active Directory administration tools to manage computers and users. The Excellent virtual appliance provides the 32-bit installer for Windows XP and Windows 7 in the /srv/www/htdocs directory. (If your Samba distribution doesn't include them, the tools are freely available from Microsoft's website.) You can get to the files on the Excellent Samba4 Appliance by opening a Web browser and entering the IP address of the appliance. It will present a list of files that you can then right-click on and save or run.

Microsoft's administration tools come in the form of an .msu file, which will add options to the "Turn Windows features on or off" area of your Windows client machine's Control Panel. Once the installer finishes, you'll have to open Control Panel, find Programs and Features, choose "Turn Windows features on or off," then navigate to the Role Administration Tools section (see Figure 1). From there, expand the AD DS Tools section and choose the AD DS Snap-ins and Command-line Tools. Note that the Active Directory Administrative Center requires Active Directory Web Services, which Samba 4 does not support. If you want to use PowerShell, you should check Active Directory Module for Windows PowerShell as well.

Figure 1: From the Role Administration Tools section of the Control Panel on your Windows client machine, expand the AD DS Tools section and choose the AD DS Snap-ins and Command-line Tools.

PowerShell offers a number of built-in features to query and manage an Active Directory installation. Choosing to install the Active Directory Module makes these AD-specific commands readily available at the PowerShell command line. As an example, the dsquery command will return a wide range of information about the directory including computers, groups, servers, and users. There are also command-line tools such as dsadd, dsmove, and dsrm for adding, moving, and removing objects, and plenty more. Help is available for any of the commands by typing the command followed by /? at the command line.

One of the other big uses for Active Directory is in the area of GPO (group policy objects) and permissions. Samba 4.0 fully supports GPO settings for both computers and users. Group policy is especially useful for such capabilities as blocking access to Control Panel on a Windows machine so that normal users can't alter settings or install software. When you create a group policy, it is tied to a specific OU (organizational unit). Once set it applies to all computers or users in that OU.

The Microsoft Group Policy Management Editor provides the means to create or edit a group policy that will be attached to a specific domain. Figure 2 shows the GP Demo policy for the domain and the default rules. You can restrict specific pieces of Control Panel such as the Add or Remove Programs feature, or choose to prohibit access to the Control Panel altogether.

Figure 2: Viewing the GP Demo group policy through the Microsoft Group Policy Management Editor.

Another management option is Webmin. This freely available tool installs on the system running the Samba 4 server and provides a Web-based interface to manage a wide range of internal server settings (add administrators and users, create new file shares, share printers, allow and deny hosts) and software. I was able to get it running on the Samba 4 appliance with just a few minor tweaks to the configuration settings. Figure 3 shows the Webmin Samba module, which includes an icon labeled SWAT (Samba Web Administration Tool). This is the native Samba management tool (see Figure 4), which handles all of the traditional Samba user administration and server settings.

In short, Samba does not yet offer GUI tools for managing the Domain Controller or GPO settings from Unix or Linux, but there are Python-based hooks into the internals of Samba 4 that should make these easy to build.

Figure 3: The Webmin GUI on Samba (above) and Figure 4: The native Samba Web Admin Tool (below).

The bottom line

Samba 4.0 is definitely a zero point release, meaning it still has some growing and maturing to do. It is a good first step in providing a completely open source solution that mirrors much of Microsoft's Active Directory core functionality. Although the Domain Controller in Samba 4.0 appears to be stable, the single-domain limitation currently restricts it to small deployments. An obvious use case would be in education and training, where Samba 4.0 would provide a good platform for teaching domain administration. But in the real world, most small workgroups for which the Samba Domain Controller is suited will choose to do without.

On the plus side, there are new Python-based programmability features in Samba 4.0 that could prove useful to anyone looking for a way to either expand or more fully utilize the Samba 4 server functionality. PowerShell provides another avenue to script actions against a Samba Domain Controller.

The bottom line: Samba 4.0 is definitely early code and not enterprise-ready yet. As it matures, it will present an interesting option to larger organizations that rely on multiple Active Directory domains. If the Samba team meets its goal of a 9-month release cycle, we can hope to see a more scalable and useful version by late summer or early fall.

This story, "Samba 4 review: No substitute for Active Directory -- yet," was originally published at Follow the latest developments in open source software, Windows, and data center at For the latest business technology news, follow on Twitter.


Stories by Paul Ferrill
