The questions and answers on this page have been extracted from the Samba technical mailing list.
Can I use Samba 4.0 as an AD DC on my production server right now?
We have now released Samba 4.0, and a number of users have it in use in a production environment. All the features from the Samba 3.6 series are now available, for example, the file server in the smbd binary.
Of course, normal Systems Administration caution is generally advised, as an AD Domain is the central hub for authentication on a network, as is participation on our mailing lists to discuss any issues that arise.
We do however encourage people to try Samba 4.0 as an AD DC, report bugs, and give feedback.
When will Samba 4.0 releases be made?
For the current Samba 4.0 and 4.x release plans, please see Samba Release Planning.
Is directory replication supported by a Samba AD DC?
Yes. Everything that is done inside the directory (user/group management, ACL changes, etc.), is replicated to other DC.
Is SysVol share replication supported by a Samba AD DC?
It's currently not implemented. But as workaround you can replicate changes e. g. with rsync. Depending on the kind of workaround you choose, you maybe have to do changes only on one DC, if your tool doesn't support bi-directional replication.
Does Samba support trust relationship with AD?
Trusts are currently not finished implemented. Samba can be trusted, but can't trust yet.
Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level.
Background: The password settings have to be used and validated by the server. Otherwise a modified Windows client or a Unix client (which doesn't handle GPOs) could bypass these settings. But Samba can't evaluate and apply GPO restrictions. It only serves GPOs via the SysVol share.
Will Samba 4 have a built-in, full fledged LDAP server?
Yes. While we certainly won't compare ourselves with the standards-based products from other vendors (our aim is to please AD clients first, and hopefully do so while complying with the standards), it will include an LDAPv3 server.
Why is the LDAP backend (used so successfully in classic Samba domains) not supported with the AD DC?
We certainly appreciate the bind that the LDAP server situation puts our administrators in. We went to great lengths to try and avoid this, but were unable to make it work, while also supporting features such as DRS replication, and many of the finer points of AD's LDAP server. The biggest killer for the feature was the need for runtime schema translation, or for the administrator to load the AD schema and layout on their external LDAP server (which rather defeats the purpose).
The there are three ways out of this difficult situation
- continue to use Samba as a 'classic' domain controller as-is using smbd/nmbd (this code remains and remains supported).
- Add schema extensions to our LDAP server (disabled by default, but supported), and cope with the AD-specified layout restrictions.
- Somehow sync Samba with an existing LDAP server.
There are major challenges with synchronisation of directories - but it certainly may be an option in some situations.
We certainly understand that it appears almost rude, on the face of it, to step up from being an equal partner in the unix-LDAP ecosystem supporting a number of different directory servers to demanding that everyone else use only our internal server. We do wish it didn't have to be this way, and we have left in (with tests) as much of the code we used for the LDAP backend experiment as is possible, in case somehow someone builds a workable use case in the future.
Is it planned to support openLDAP as backend again?
An LDAP backend to the AD DC is not a viable proposition at this point in time, as even with the addition of massive extra resources trying to revive it would create an incredible distraction.
The biggest issue is that a significant part of the complexity of the AD DC turns out to be in our ldb modules. Creating a general-purpose, OpenLDAP backed AD DC would involve rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.
Totally removing the LDAP listener would require rewriting even more code than that, and would (based on the past experience of Luke Howard's XAD) require extensive patches to OpenLDAP.
Specific issues include the metadata required for both DRS replication and dirsync, schema manipulation, transactions, Access Control Lists, impersonation (if Samba still operated as an LDAP proxy) or authentication (if OpenLDAP was the LDAP listener) and AD-specific matching rules.
The components of LDAP that are left unaltered, after all this is done, are actually the easy bits, as is seen by the relative simplicity of ldb itself.
Finally, as mentioned in the previous question, even if this was all done, the schema would still be the AD schema, which removes the advantage of doing all that work in the first place.
The team has decided not to peruse this as a development avenue, and no viable approach to re-opening this functionality has been proposed, but where it does not compromise development, the technical doors open for some special case development here have been left open, with code and tests remaining in the tree.
Will it also be possible in the future to extend the server by loading user defined schema's?
Yes, user-defined schema may be loaded into the Samba 4.0 AD DC. It is experimental, so you must set
dsdb:schema update allowed = yes
in the smb.conf to permit it.