The following document provides a synopsis of the Samba Directory (Samba 4) Alpha 1 release for ClearOS Professional.
Samba 4 provides an Active Directory environment powered by open source. What may be surprising to those coming from Samba 3 is the fact that Samba 4 also includes a full LDAP implementation. In other words, Samba 4 not only provides file and print services, but also supports LDAP extensions and connections.
In ClearOS, Samba Directory is baked right into the operating system. How is this done? ClearOS uses a driver model for the accounts system (users and groups). One of the steps that you see when you install a ClearOS system is the account system driver selection (see adjacent screenshot). Once the final version of Samba 4 on ClearOS is released, you will be able to choose from one of the following account systems:
Once selected, ClearOS will use the driver in its normal and native way. In other words, there's no synchronization going on between Samba 4 and other directories or user databases. When Samba 4 is running, all apps and services on ClearOS query the Samba Directory. Clean, reliable and simple.
From an end user's perspective, the user interface remains the same. The underlying driver handles all the details.
The Alpha 1 release is rough around the edges, but it is certainly far enough along for kicking the tires.
Samba 4 needs to be installed before you initialize the accounts system. Proceed through the first boot wizard as you normally would, but please do not install the following incompatible apps:
Just after completing first boot wizard, run the following commands to install Samba 4:
rpm -e app-openldap-directory-core app-samba-core app-samba-extension-core samba-client samba-client samba-common samba-winbind samba-winbind-clients tdb-tools --nodeps yum --enablerepo=clearos-test,clearos-core install app-samba-directory
Go to <navigation>System|Accounts|Account Manager</navigation> in the menu and select the Samba Directory option. The next section provides information on how to configure the app.
Please see the User Guide for configuration details.
In the first alpha, the user and group interface is set to read-only mode. You will be able to see users and groups, but not add/edit information via the web-based interface. Instead, you can use Windows tools to connect to the Samba Directory and then create users and groups. Alternatively, you can use the samba-tool command:
samba-tool user add test1 --surname=Guy --given-name=Test1 --random-password samba-tool user add test2 --surname=Guy --given-name=Test2 --random-password samba-tool group add pptpd_plugin samba-tool group add ftp_plugin samba-tool group add print_server_plugin samba-tool group add openvpn_plugin samba-tool group add smtp_plugin samba-tool group add user_certificates_plugin samba-tool group add web_proxy_plugin samba-tool group addmembers pptpd_plugin test2 samba-tool group addmembers ftp_plugin test2
print_server_plugin openvpn_plugin smtp_plugin user_certificates_plugin web_proxy_plugin
With a few users and groups added to the system, go ahead and use the standard Linux command line tools for viewing users and groups:
# getent passwd test1 DOMAIN\test1:*:3000017:100:Test1 Guy:/home/DOMAIN/test1:/bin/false
# id test2 uid=3000018(DOMAIN\test2) gid=100(users) groups=100(users),3000019(DOMAIN\pptpd_plugin)
Here are the big gotchas (which probably have fixes):
In Samba 3, the home directory could be changed by setting the template homedir parameter to /home/%U. The %U macro does not seem to be supported anymore (?). The group listing is not a showstopper, but it might cause grief for scripts and apps that depend on groups (for example OwnCloud).
Regardless, you can play around with Samba 4. Here are some helpful links:
Even though the embedded domain name noted above causes grief for the app policies engine in ClearOS, it is still worth knowing about how these policies work. The app policies engine was one of the major changes completed in ClearOS 6. What's an app policy? When you add a user to a system, you can select which apps are accessible to that user.
For example, the user mary may be allowed access to the Web Proxy, but not allowed to access the PPTP Server. This type of policy is implemented using plain old groups. By adding Mary to the web_proxy_plugin group, she is granted access to the Web Proxy system. When you visit an app page that requires user authentication, you will see an App Policy widget as shown in the screenshot below:
You can view members of this app policy by clicking on . To change the group membership, please do so from the command line or standard Windows tools. Here is a list of some of the apps that use user and and group information from Samba Directory:
The big gotchas described above are the primary focus of development. Once we know what's possible, we can move forward with the Samba Directory driver implementation.
To make a long story short, most (if not all) of the Red Hat family distributions use the MIT Kerberos implementation, while Samba 4 uses the Heimdal implementation. These two implementations do not play well together in certain situations and this needs to be resolved. The Samba Team and Red Hat are working on the integration, but no ETA is available at this time.
DNS is an important part of an Active Directory environment. If a Samba Directory is running, then Samba's internal DNS is used and the DNS caching service for dnsmasq is disabled (for now).