Managing the Samba Domain Controller

With your Samba Domain Controller up and running, you can use the standard Windows Active Directory administration tools to manage computers and users. The Excellent virtual appliance provides the 32-bit installer for Windows XP and Windows 7 in the /srv/www/htdocs directory. (If your Samba distribution doesn't include them, the tools are freely available from Microsoft's website.) You can get to the files on the Excellent Samba4 Appliance by opening a web browser and entering the IP address of the appliance. It will present a list of files that you can then right-click on and save or run.

Microsoft's administration tools come in the form of an .msu file, which will add options to the "Turn Windows features on or off" area of your Windows client machine's Control Panel. Once the installer finishes, you'll have to open Control Panel, find Programs and Features, choose "Turn Windows features on or off," then navigate to the Role Administration Tools section (see Figure 1). From there, expand the AD DS Tools section and choose the AD DS Snap-ins and Command-line Tools. Note that the Active Directory Administrative Center requires Active Directory Web Services, which Samba 4 does not support. If you want to use PowerShell, you should check Active Directory Module for Windows PowerShell as well.


Figure 1: From the Role Administration Tools section of the Control Panel on your Windows client machine, expand the AD DS Tools section and choose the AD DS Snap-ins and Command-line Tools.

PowerShell offers a number of built-in features to query and manage an Active Directory installation. Choosing to install the Active Directory Module makes these AD-specific commands readily available at the PowerShell command line. As an example, the dsquery command will return a wide range of information about the directory including computers, groups, servers, and users. There are also command-line tools such as dsadd, dsmove, and dsrm for adding, moving, and removing objects, and plenty more. Help is available for any of the commands by typing the command followed by /? at the command line.
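The sketch below is an added example, not part of the original article: a read-only account review run from a PowerShell prompt with the dsquery and dsget tools described above. It assumes the AD DS command-line tools are installed on a domain-joined client; the domain name is the one shown in Figure 2, while the 180-day threshold and the `Invoke-DsQuery` helper name are illustrative assumptions.

```powershell
# Added example: read-only account review with the ds* command-line tools.
$Domain       = 'linux.tstsamba.com'  # domain shown in Figure 2; change to yours
$StalePwdDays = 180                   # assumed threshold, not from the article

function Invoke-DsQuery {             # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Arguments)
    # dsquery prints one quoted DN per line; -limit 0 lifts the default
    # cap of 100 results so large result sets are not silently truncated.
    $out = & dsquery.exe @Arguments -d $Domain -limit 0
    if ($LASTEXITCODE -ne 0) {
        throw "dsquery $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
    @($out | Where-Object { $_ } | ForEach-Object { $_.Trim('"') })
}

# LDAP filter: user accounts with DONT_EXPIRE_PASSWORD (0x10000 = 65536)
# set in userAccountControl, matched with the bitwise-AND rule.
$neverExpires = '(&(objectCategory=person)(objectClass=user)' +
                '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$findings = [ordered]@{
    'Disabled accounts'      = Invoke-DsQuery 'user', '-disabled'
    'Stale passwords'        = Invoke-DsQuery 'user', '-stalepwd', $StalePwdDays
    'Password never expires' = Invoke-DsQuery '*', 'domainroot', '-filter', $neverExpires
}

# Effective Domain Admins membership, nested groups included: dsquery
# finds the group and dsget reads its DN from the pipeline.
$admins = & dsquery.exe group -name 'Domain Admins' -d $Domain |
          & dsget.exe group -members -expand -d $Domain
$findings['Domain Admins (expanded)'] =
    @($admins | Where-Object { $_ } | ForEach-Object { $_.Trim('"') })

# Print a count per category followed by the matching distinguished names.
foreach ($name in $findings.Keys) {
    $items = @($findings[$name])
    '{0}: {1}' -f $name, $items.Count
    $items | ForEach-Object { "  $_" }
}
```

Every query here only reads from the directory, so the script can be run with an ordinary domain user account rather than an administrator.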

One of the other big uses for Active Directory is in the area of GPOs (Group Policy Objects) and permissions. Samba 4.0 fully supports GPO settings for both computers and users. Group policy is especially useful for such capabilities as blocking access to Control Panel on a Windows machine so that normal users can't alter settings or install software. When you create a group policy, it is tied to a specific OU (organisational unit). Once set, it applies to all computers or users in that OU.

The Microsoft Group Policy Management Editor provides the means to create or edit a group policy that will be attached to a specific domain. Figure 2 shows the GP Demo policy for the Linux.tstsamba.com domain and the default rules. You can restrict specific pieces of Control Panel such as the Add or Remove Programs feature, or choose to prohibit access to the Control Panel altogether.


Figure 2: Viewing the GP Demo group policy through the Microsoft Group Policy Management Editor.

Another management option is Webmin. This freely available tool installs on the system running the Samba 4 server and provides a web-based interface to manage a wide range of internal server settings (add administrators and users, create new file shares, share printers, allow and deny hosts) and software. I was able to get it running on the Samba 4 appliance with just a few minor tweaks to the configuration settings. Figure 3 shows the Webmin Samba module, which includes an icon labeled SWAT (Samba Web Administration Tool). This is the native Samba management tool (see Figure 4), which handles all of the traditional Samba user administration and server settings.

In short, Samba does not yet offer GUI tools for managing the Domain Controller or GPO settings from Unix or Linux, but there are Python-based hooks into the internals of Samba 4 that should make these easy to build.


Figure 3: The Webmin GUI on Samba.

Figure 4: The native Samba Web Admin Tool.

Verdict

Samba 4.0 is definitely a zero point release, meaning it still has some growing and maturing to do. It is a good first step in providing a completely open source solution that mirrors much of Microsoft's Active Directory core functionality. Although the Domain Controller in Samba 4.0 appears to be stable, the single-domain limitation currently restricts it to small deployments. An obvious use case would be in education and training, where Samba 4.0 would provide a good platform for teaching domain administration. But in the real world, most small workgroups for which the Samba Domain Controller is suited will choose to do without.

On the plus side, there are new Python-based programmability features in Samba 4.0 that could prove useful to anyone looking for a way to either expand or more fully utilise the Samba 4 server functionality. PowerShell provides another avenue to script actions against a Samba Domain Controller.

Samba 4.0 is definitely early code and not enterprise-ready yet. As it matures, it will present an interesting option to larger organisations that rely on multiple Active Directory domains. If the Samba team meets its goal of a nine-month release cycle, we can hope to see a more scalable and useful version by late summer or early fall.
