Introduction

This wiki page will be used to track the integration effort of Samba 4 into SME 9+

Lead developer: Gzartman

Overview and Objectives

The primary objective of this effort is to create Active Directory support on SME 9+ with a focus on simplicity and easy integration, as is done on many of the other sub-systems on SME Server. Other distributions with Samba 4 support take the approach of providing a fairly complex front end to Samba 4 with many configuration parameters and options. Our approach for Samba 4 is to stream line implementation to provide a straight forward and simple set of UI parameters for the administrator to deploy Active Directory in a configuration that will work in most deployments. Support for the full array of Samba 4 options is provided under the hood in SME Server, but will be available primary from the console. The SME Server community may decide to create an Advanced Samba server-manager panel to control and configure some of the more advanced features available in Samba 4, but the Core SME Server deployment of Active Directory will remain focused on simplicity.

Deployment of Samba 4 on SME Server means that many of the authentication mechanisms on SME Server need to change to integrate with Active Directory, therefore this development effort is quite far reaching.

Samba 4 on SME Server is targeted for Koozali SME Server 10

Current Status

Current Release: Alpha 7

Samba 4 on SME Server will be provided by way of the package smeserver-samba, which will upgrade and obsolete e-smith-samba. The current release of Samba 4 on SME Server is available here: SME Server Samba 4 Packages

These packages are currently not provided by the Koozali buildsys because there is still a fair bit of work to do to integrate this code with existing SME services. Since Samba 4 on SME Server includes many other sub-systems, inclusion of the Samba 4 code is not being including in current development streams until the code is closer to release so as not to hold up other development activities. However, this code is available in CVS.

Samba 4 Packages

Upstream Centos 6 and 7 do not provide Samba 4 packages with full Active Directory support. This is because Samba 4 Kerberos is based upon Heimdal Kerberos whereas the upstream vendor uses MIT Kerberos. Heimdal Kerberos and MIT Kerberos are not compatible with one another and so the upstream vendor has decided to disable Kerberos support in Samba until such time as Samba supports MIT Kerberos. Details can be found here https://wiki.samba.org/index.php/MIT_Build and here https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/

To provide Active Directory support, the Koozali devteam has decided to fork the upstream Samba 4 package and re-compile with Heimdal Kerberos support on Koozali SME Server 10. Details of this rebuild are located in bugzilla:9751. Support for Active Directory on SME 9 can be provided by Sernet Samba 4.2 packages, which are the last set of open source Sernet packages. However, the devteam is currently focusing development effort on SME 10.

Installation

RPMs for this release can be found here: SME Server Samba 4 Packages

Install Instructions:

1. Download all rpms to a fresh SME 9.1 install.
2. yum localinstall *.rpm
3. signal-event post-upgrade; signal-event reboot
4. Once the server comes back up, provision the domain with: signal-event provision-domain-controller admin_password

Note: The password utilities in the server-manager are not yet working. We will be working to include SSSD in the next alpha and then all password utilities and functions will work as expected.

Change Log / Release Notes

Alpha 7

• Implementation of Samba 4 on SME 10.
• Drop bootstrap-console patch for e-smith-base for provisioning samba 4 from the console. We'll add this back in later

Alpha 6

• Final alpha on SME 9. Going forward, this code will be moved to the SME 10 alpha release for ongoing development and testing
• Change the way we are naming alpha package versions because it is becoming difficult to apply alpha level changes with patch files. Each alpha release will have its own source archive. Source archive (.tar.xz) file version numbers will track with the alpha release number.
• Rewrite server-manager user accounts panel for AD integration, except for the Reset Password link. We won't be able to update this function until we deploy SSSD, which will come in the next release
• Move smb.conf and AD schema extension fragments to /etc/samba
• Extend AD schema to include the attributes: lockable, removable, and emailForward
• Change the koozliUser objectClass to smeExtended for extended schema attributes
• Get rid of the user-create-AD action because we don't have enough control over the user create process in a server-manager panel using an action. Instead, we added the esmith::util::createADUser() function that sets up a basic Active Directory user. This function is somewhat analogous to the useradd utility
• Drop "Legacy Mode," which was part of the user-create-AD action
• Replace user-create event with user-initialize
• Add user-create-profiledir and user-create-home actions as part of the user-intialize event, since the useradd utility used to do this
• Update user-modify, user-delete, user-lock events for AD integration
• Create user-AD-enable and user-AD-disable actions
• Extensive clean-up of smb.conf fragments now that we have a working Samba 4 deployment, including default configuration dbase parameters. This clean-up and enhancement results in a very clean smb.conf file
• Update qmail and .qmail template fragments and configuration to pull user data from the Active Directory. Spam and filtering fragments have been excluded because we have not yet decided how to handle these configuration in the Active Directory
• Further enhancement and refinement to esmith::AD

Alpha 5

• Extend Active Directory schema to include quota and smeCustom attributes via the koozaliUser objectClass
• Remove adjust-samba event and use services2adjust
• Add Group-create-AD action
• Design changes to provision-domain-controller and bootstrap-provision-dc events to provision samba entirely cold using ldif
• Add pseudonym support to esmith::AD
• Further enhancement to esmith::AD to provide user & group management functionality similar to that provided by AccountsDB
• Re-write createlinks to flow a more logical sequence
• Fix dnsforwarder in smb.conf
• Fix several esmith::AD::User and esmith::AD::Group methods broken in 0.1-0-3 when we added runtime binding

Alpha 4

• Add dnscache and tinydns config per bug [SME: 9711]
• Add iptables preroute rule for DNS per bug [SME: 9711]
• Fix issues with domain admins assignment during provisioning
• Nearly full re-write of user-create-AD action to utilize esmith::AD class
• Add Legacy Mode to user-create-AD action to allow this action to work with AccountsDB
• Add user-create-AD to user-create event
• Add user-AD-disable action to disable AD user
• Continued development and enhancement to esmith::AD including POD documentation
• Continued development and enhancement to esmith::AD::User including POD documentation
• Add esmith::AD::OU to manage Organizational Units in the Active Directory
• Fix realm definition in provision action

Alpha 3

• Reconfigure provision event to account for default Samba complex password policy
• Abstract core LDAP queries in esmith::AD using runtime binding

Alpha 2

• Set requires to e-smith-base-5.6.0-30+ [SME:8668]
• Set requires for e-smith-LPRng-2.5.0+ [SME:8632]

Alpha 1

• Roll new smeserver alpha package for Samba4 [SME:8075]

Bugzilla references

bugzilla:4667
bugzilla:8075 Adding Samba 4
bugzilla:8632 Remove smb.conf template fragments from e-smith-LPRng-2.4.0-1
bugzilla:8638 Modify e-smith-dnscache for Samba 4 support
bugzilla:8660 User account authentication with Active Directory and AccountsDB
bugzilla:8663 Proftpd and active directory authentication (Samba 4)
bugzilla:8665 esmith::AD perl module for interacting with Active Directory
bugzilla:8668 Get rid of PPTP when we upgrade to Samba 4
bugzilla:8670 Qmail updates for Samba 4
bugzilla:8674 Remove smbpasswd and WINS pieces for Samba 4
bugzilla:8675 e-smith-LDAP + Samba 4
bugzilla:8687 Add SSSD daemon for Samba 4 local authentication
bugzilla:8703 Samba 4: Home directory
bugzilla:9651 Remove Samba Parts from esmith::Util for Samba 4
bugzilla:9653 Pseudonyms handling with Active Directory
bugzilla:9662 System Initialization and Re-Configuration with Active Directory
bugzilla:9700 Consider removing /sbin/e-smith/samba_check_password
bugzilla:9708 Evaluate registry fragments in server-resources for Samba 4
bugzilla:9711 Include dnscache and tinydns config in smeserver-samba for Samba 4 DNS queries
bugzilla:9712 Reconfigure shadowcopy for Samba 4
bugzilla:9713 Reconfigure recycle bin for Samba 4
bugzilla:9715 Modify e-smith-dnscache to allow connections from entire loopback network
bugzilla:9755 Re-Write Users Panel for AD integration
bugzilla:9799 Update esmith::util::chown for Samba users
bugzilla:9800 Update e-smith-quota to process quotas for active directory users
bugzilla:9802 Modify user events/actions and server-manager panel
bugzilla:9804 Update password functions in esmith::util for Samba 4
bugzilla:9806 e-smith-openssh modifications for Samba 4
bugzilla:9807 smeserver-qpsmtpd changes for Samba 4

Active Directory Schema

Following is a direct dump of the active directory from a freshly provisioned SME Server domain. The DNS/Kerberos domain is domain.com, the hostname is virgin, and the windows domain is sme-server. The ipaddress for this test machine is 192.168.0.67. These data is quite long, but I found it very useful; as it is extremely difficult to find these attributes in any documentation about Samba 4 and ADDC:

Samba 4 Active Directory Schema

Misc Development Topics

References

1. http://dev.nethserver.org/projects/nethserver/wiki/Samba4 (Thanks Filippo!)
2. https://lists.samba.org/archive/samba/2014-April/180336.html
3. https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
4. http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller