
Samba Directory - Alpha 1

The following document provides a synopsis of the Samba Directory (Samba 4) Alpha 1 release for ClearOS Professional.

What is Samba Directory

Samba 4 provides an Active Directory environment powered by open source. What may be surprising to those coming from Samba 3 is the fact that Samba 4 also includes a full LDAP implementation. In other words, Samba 4 not only provides file and print services, but also supports LDAP extensions and connections.

To avoid confusion with the trademarked Active Directory name, ClearOS documentation refers to the Samba 4 Active Directory implementation as Samba Directory.

Driver Model

ClearOS Account Drivers - Samba 4, OpenLDAP and Active Directory Connector

In ClearOS, Samba Directory is baked right into the operating system. How is this done? ClearOS uses a driver model for the accounts system (users and groups). One of the steps that you see when you install a ClearOS system is the account system driver selection (see adjacent screenshot). Once the final version of Samba 4 on ClearOS is released, you will be able to choose from one of the following account systems:

  • Samba 4
  • OpenLDAP
  • Active Directory Connector

Once selected, ClearOS will use the driver in its normal and native way. In other words, there's no synchronization going on between Samba 4 and other directories or user databases. When Samba 4 is running, all apps and services on ClearOS query the Samba Directory. Clean, reliable and simple.

From an end user's perspective, the user interface remains the same. The underlying driver handles all the details.

Installation

The test installation is no longer supported and the notes below are provided for historical purposes. All future test versions will be provided in the ClearOS 7 release.

The Alpha 1 release is rough around the edges, but it is certainly far enough along for kicking the tires.

Samba 4 needs to be installed before you initialize the accounts system. Proceed through the first boot wizard as you normally would, but please do not install the following incompatible apps:

  • Flexshare (this will work in a future version)
  • Windows Networking (old Samba)

Just after completing the first boot wizard, run the following commands to install Samba 4:

 rpm -e app-openldap-directory-core app-samba-core app-samba-extension-core samba-client samba-client samba-common samba-winbind samba-winbind-clients tdb-tools --nodeps
 yum --enablerepo=clearos-test,clearos-core install app-samba-directory

Go to System > Accounts > Account Manager in the menu and select the Samba Directory option. The next section provides information on how to configure the app.

Configuration

Please see the User Guide for configuration details.

Managing Users and Groups

In the first alpha, the user and group interface is set to read-only mode. You will be able to see users and groups, but not add/edit information via the web-based interface. Instead, you can use Windows tools to connect to the Samba Directory and then create users and groups. Alternatively, you can use the samba-tool command:

 samba-tool user add test1 --surname=Guy --given-name=Test1 --random-password
 samba-tool user add test2 --surname=Guy --given-name=Test2 --random-password
 samba-tool group add pptpd_plugin
 samba-tool group add ftp_plugin
 samba-tool group add print_server_plugin
 samba-tool group add openvpn_plugin
 samba-tool group add smtp_plugin
 samba-tool group add user_certificates_plugin
 samba-tool group add web_proxy_plugin
 samba-tool group addmembers pptpd_plugin test2
 samba-tool group addmembers ftp_plugin test2


The Big Gotchas

With a few users and groups added to the system, go ahead and use the standard Linux command line tools for viewing users and groups:

 # getent passwd test1
 DOMAIN\test1:*:3000017:100:Test1 Guy:/home/DOMAIN/test1:/bin/false
 # id test2
 uid=3000018(DOMAIN\test2) gid=100(users) groups=100(users),3000019(DOMAIN\pptpd_plugin)

Here are the big gotchas (which probably have fixes):

  • The Domain is prefixed in the group listing
  • The home directory path has an embedded Domain (/home/DOMAIN/test1)

In Samba 3, the home directory could be changed by setting the template homedir parameter to /home/%U. The %U macro does not seem to be supported anymore (?). The group listing is not a showstopper, but it might cause grief for scripts and apps that depend on groups (for example OwnCloud).

Regardless, you can play around with Samba 4. Here are some helpful links:

App Policies and Plugins

Even though the embedded domain name noted above causes grief for the app policies engine in ClearOS, it is still worth knowing about how these policies work. The app policies engine was one of the major changes completed in ClearOS 6. What's an app policy? When you add a user to a system, you can select which apps are accessible to that user.

For example, the user mary may be allowed access to the Web Proxy, but not allowed to access the PPTP Server. This type of policy is implemented using plain old groups. By adding Mary to the web_proxy_plugin group, she is granted access to the Web Proxy system. When you visit an app page that requires user authentication, you will see an App Policy widget as shown in the screenshot below:

ClearOS Web Proxy Policies

You can view members of this app policy by clicking on View Members. To change the group membership, please do so from the command line or standard Windows tools. Here is a list of some of the apps that use user and group information from Samba Directory:

App                          Group Name
Print Server Administrator   print_server_plugin
FTP Server                   ftp_plugin
OpenVPN                      openvpn_plugin
PPTP Server                  pptpd_plugin
SMTP Server                  smtp_plugin
User Certificates            user_certificates_plugin
Web Proxy                    web_proxy_plugin
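The following is an added example, not part of the original page or of ClearOS itself. It shows how a script that depends on the policy groups listed above can cope with the domain-prefixed names described under The Big Gotchas. The function names and the sample `id` line are assumptions made for illustration, and only the expected domain's prefix is stripped, so a same-named group from another domain cannot satisfy a policy.

```shell
#!/usr/bin/env bash
# Added example (not ClearOS code): resolve app policies from `id` output
# on a host where winbind prefixes user and group names with the domain.

# Constructed sample modelled on the `id test2` output above. The ftp_plugin
# and OTHER\web_proxy_plugin entries are made up to exercise the checks.
SAMPLE_ID='uid=3000018(DOMAIN\test2) gid=100(users) groups=100(users),3000019(DOMAIN\pptpd_plugin),3000020(DOMAIN\ftp_plugin),3000030(OTHER\web_proxy_plugin)'

# Policy groups from the table above, one "group:app" pair per line.
POLICY_MAP='print_server_plugin:Print Server Administrator
ftp_plugin:FTP Server
openvpn_plugin:OpenVPN
pptpd_plugin:PPTP Server
smtp_plugin:SMTP Server
user_certificates_plugin:User Certificates
web_proxy_plugin:Web Proxy'

# groups_from_id ID_LINE DOMAIN
# Print one group name per line. Only the expected DOMAIN\ prefix is removed,
# so a group from any other domain keeps its prefix and stays distinct.
groups_from_id() {
    printf '%s\n' "$1" |
        sed -n 's/.* groups=//p' | tr ',' '\n' |
        sed -e 's/^[0-9]*(//' -e 's/)$//' |
        d="$2" awk '{ p = ENVIRON["d"] "\\"
            if (index($0, p) == 1) $0 = substr($0, length(p) + 1)
            print }'
}

# in_policy_group ID_LINE DOMAIN GROUP
# Whole-line, fixed-string match: no substring or regex surprises.
in_policy_group() {
    groups_from_id "$1" "$2" | grep -Fxq -- "$3"
}

# apps_for_id ID_LINE DOMAIN
# Print the app name for every policy group the user belongs to.
apps_for_id() {
    groups_from_id "$1" "$2" | while IFS= read -r grp; do
        printf '%s\n' "$POLICY_MAP" | g="$grp" awk -F: '$1 == ENVIRON["g"] { print $2 }'
    done
}

apps_for_id "$SAMPLE_ID" DOMAIN
```

On a live system, pass the output of `id USERNAME` in place of the constructed sample and the domain name that winbind reports in place of `DOMAIN`.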

Roadmap

Big Gotchas

The big gotchas described above are the primary focus of development. Once we know what's possible, we can move forward with the Samba Directory driver implementation.

Kerberos

To make a long story short, most (if not all) of the Red Hat family distributions use the MIT Kerberos implementation, while Samba 4 uses the Heimdal implementation. These two implementations do not play well together in certain situations and this needs to be resolved. The Samba Team and Red Hat are working on the integration, but no ETA is available at this time.

DNS

DNS is an important part of an Active Directory environment. If a Samba Directory is running, then Samba's internal DNS is used and the DNS caching service for dnsmasq is disabled (for now).

content/en_us/announcements_releases_clearos_professional_samba_directory_-_alpha_1.txt · Last modified: 2020/05/07 13:12 (external edit)