TOM KEMP'S CENTRIFY BLOG

Integrating Samba with Active Directory

Tuesday, February 12, 2008

We recently updated our Samba package on our support site to reflect some of the updates coming from the Samba team, and I wanted to use this blog to discuss what we offer with respect to how DirectControl can better integrate Samba into Active Directory. During the early days of Centrify we realized that coexistence with Samba on the same host was going to present a unique challenge for us, the main reason being that Samba and Centrify solve many of the same high-level problems - better integrating UNIX and Linux systems with a Windows environment - but in different ways (i.e. Samba is primarily a UNIX-based alternative to a Windows file server, while DirectControl is primarily an identity management solution that turns a UNIX system into an Active Directory client). I will drill down into the gory details in a bit, but first a little background.

In 1984 IBM, in collaboration with Microsoft, introduced a DOS-based product called the IBM Network Program that allowed PCs to share their files and printers on a network. The underlying networking protocols in this product were named the "SMB" (Server Message Block) protocols. Shortly afterwards Microsoft introduced its own MS-DOS networking product based on the same protocols. The original SMB protocol was very simple, consisting of a couple dozen different message types. Anticipating future protocol enhancements, the designers built in mechanisms to allow computers to "negotiate" a common protocol dialect. Today, at least 10 different dialects supporting several security schemes have been implemented in commercial products. SMB is also used as a transport for administrative protocols such as MS-RAP and MS-RPC. Microsoft eventually renamed their implementation of the SMB protocols CIFS (Common Internet File System). With the release of Windows 2008, Microsoft is introducing a greatly revamped form of this protocol called SMB2.

Samba is a popular open source UNIX-based implementation of the CIFS protocols that lets Windows, Macintosh and other UNIX computers access files and printers on UNIX computers. Basically it gives customers a *nix-based alternative to Windows file servers. Additionally, Samba implements sufficient MS-RPC protocols to allow it to emulate a Windows NT 4.0 domain member or server. In the last few years the Samba developers have added sufficient Kerberos and LDAP support to make Samba a full-fledged Active Directory domain member, allowing Active Directory users to authenticate and access UNIX resources served up by Samba. In Active Directory mode, Samba can assign UNIX attributes to the Active Directory users and manage their identity on the UNIX box. Centrify DirectControl also makes UNIX computers Active Directory domain members and manages identity, but does so in different ways; herein lies the integration challenge that we strove to resolve.

In order for Samba and DirectControl to coexist on the same computer, two specific problems needed to be solved: the management of trust, and the assignment of UNIX identity attributes (UIDs and GIDs, shell, home directory, etc.) to Active Directory users. While solving these problems, Centrify enhanced the Samba experience in several ways, some of which I will touch on.

In Active Directory-based systems, trust is implemented by creating a computer account object for a host and assigning it a password. The host keeps the password in a secure manner and uses it to authenticate itself with Active Directory using Kerberos. Once the host is authenticated, it is given access to domain information such as users and their group membership. Active Directory systems typically require that computers automatically change their password from time to time. Since both Samba and Centrify must have trust and must manage the password, they can either create separate computer accounts for their common host, or one must take charge of the password management. Centrify chose the latter approach. It disables Samba's own password management, changes the password as necessary, and then lets Samba know about the new password by writing it to one of Samba's private database files.
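As an added illustration (not configuration from the post, from Centrify, or from the Samba project), this is the shape of an smb.conf `[global]` section for a domain member on which some other agent owns the machine-account password. The realm and workgroup values are placeholders. The point is the one the paragraph makes: if two agents both rotate the same computer account's password, whichever changes it last wins and the other side's stored copy goes stale, so exactly one of them must rotate and the other must only read.

```ini
[global]
   security  = ads
   realm     = EXAMPLE.COM        ; placeholder
   workgroup = EXAMPLE            ; placeholder

   ; Weak setting for this deployment: Samba's default is to rotate the
   ; machine account password itself every 604800 seconds (one week).
   ; With a second agent also rotating, the two copies diverge and
   ; Kerberos authentication from this host starts failing.
   ;machine password timeout = 604800

   ; Corrected: Samba never rotates; the external agent does, and it must
   ; then write the new password into Samba's secrets store.
   machine password timeout = 0

   ; Read the machine credential from Samba's secrets database (and the
   ; system keytab if present) rather than expecting Samba to manage it.
   kerberos method = secrets and keytab
```

Whichever agent rotates the password has to update Samba's copy immediately afterwards; the post describes Centrify writing it straight into Samba's private database file. For a hand-rolled setup, the documented route in net(8) is `net changesecretpw -f`, which reads the new password from standard input and stores it in secrets.tdb; it is the only supported way to set that value without letting Samba change it in the domain itself.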

Active Directory users who log onto UNIX systems must be assigned UNIX-based identity attributes, because this is what the UNIX system expects. For instance, on Windows systems users are assigned security identifiers (SIDs), multi-byte values that uniquely identify each user throughout the world. The equivalent of a SID on a UNIX system is a UID for users or a GID for groups. By default Samba handles the assignment by generating new UIDs and GIDs for Active Directory users and groups on the fly, the first time it encounters them, and remembers the assignment in a private local database file. Centrify, on the other hand, assigns the UIDs and GIDs in Active Directory using its patent-pending Zoning technology. If Centrify and Samba were each allowed to use their own mechanism to assign these IDs, the results would almost certainly differ, leading to a situation where the same Active Directory user is known by two different UNIX IDs. This can result in file ownership confusion and potentially unauthorized file access. Fortunately Samba provides a way to implement plug-in libraries called "idmappers" that Samba will use instead of its internal scheme. The Centrify idmapper communicates with DirectControl to get the UNIX identity attributes from the Centrify Zone, ensuring uniform mappings. In fact, Centrify contributed some code to the Samba open source project in this area.
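The ownership problem in this paragraph is easy to see once the two allocation strategies are put side by side. The following is an added example, not code from the post, from Centrify or from the Samba project: `OnTheFlyMapper` only mimics the behaviour described for stock Samba (hand out the next free ID on first contact and remember it locally), `ZoneMapper` plays the role of an idmapper that reads the UID recorded centrally, and the SIDs, user names and UID values are constructed. The audit helpers show the two symptoms to look for: one user resolving to two UIDs, and one UID resolving to two users, the second of which is what lets a file owner check pass for the wrong person. `ZoneMapper` also refuses SIDs it has no record of, which is the "only zone members may authenticate" behaviour mentioned later in the post.

```python
"""Why two independent SID->UID allocators break ownership, and how one
authoritative mapping avoids it.  Added example; names, SIDs and UIDs are
constructed, and OnTheFlyMapper only mimics the behaviour the post describes."""


def _sid(rid):
    # Constructed domain SID prefix; only distinctness matters here.
    return f"S-1-5-21-111-222-333-{rid}"


ALICE, BOB = _sid(1101), _sid(1102)

# UIDs stored centrally (the role the post gives to a Centrify zone).
ZONE_UIDS = {ALICE: 10000, BOB: 10001}


class OnTheFlyMapper:
    """Hands out the next free UID in [low, high] the first time a SID is seen."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.table = {}          # local, per-host memory of past allocations

    def sid_to_uid(self, sid):
        if sid not in self.table:
            nxt = self.low + len(self.table)
            if nxt > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = nxt
        return self.table[sid]


class ZoneMapper:
    """Returns the UID recorded centrally; never invents one."""

    def __init__(self, zone):
        self.zone = zone

    def sid_to_uid(self, sid):
        try:
            return self.zone[sid]
        except KeyError:
            # Unknown to the zone: refuse, so the user gets no UNIX identity here.
            raise LookupError(f"{sid} has no UNIX identity in the zone") from None


def mismatches(sids, mapper_a, mapper_b):
    """SIDs that the two mappers resolve to different UIDs (one user, two identities)."""
    return {s: (mapper_a.sid_to_uid(s), mapper_b.sid_to_uid(s))
            for s in sids if mapper_a.sid_to_uid(s) != mapper_b.sid_to_uid(s)}


def collisions(zone, mapper, sids):
    """UIDs that `mapper` gave to one SID while the zone gives them to another SID.
    Keyed by UID; the value is (owner according to zone, owner according to mapper)."""
    zone_owner = {uid: sid for sid, uid in zone.items()}
    out = {}
    for sid in sids:
        uid = mapper.sid_to_uid(sid)
        if uid in zone_owner and zone_owner[uid] != sid:
            out[uid] = (zone_owner[uid], sid)
    return out


def owner_check(file_owner_uid, process_uid):
    """The kernel compares numeric UIDs; names never enter into it."""
    return file_owner_uid == process_uid


def bob_can_open_alices_file(samba_mapper):
    """alice creates a file at the shell under her zone UID; bob then connects
    over SMB before alice ever has.  Returns True when bob's SMB session passes
    the owner check on that file, i.e. when the mappings have diverged badly."""
    file_owner = ZoneMapper(ZONE_UIDS).sid_to_uid(ALICE)
    bob_uid = samba_mapper.sid_to_uid(BOB)     # first contact decides allocation order
    samba_mapper.sid_to_uid(ALICE)
    return owner_check(file_owner, bob_uid)


if __name__ == "__main__":
    split = OnTheFlyMapper(10000, 20000)
    print("independent allocators, bob opens alice's file:", bob_can_open_alices_file(split))
    print("  mismatches:", mismatches(list(ZONE_UIDS), ZoneMapper(ZONE_UIDS), split))
    print("  collisions:", collisions(ZONE_UIDS, split, list(ZONE_UIDS)))
    unified = ZoneMapper(ZONE_UIDS)
    print("single authoritative mapper, bob opens alice's file:", bob_can_open_alices_file(unified))
    print("  mismatches:", mismatches(list(ZONE_UIDS), ZoneMapper(ZONE_UIDS), unified))
```

With independent allocators, bob happens to be the first SMB user the host sees and is handed UID 10000, which the zone has already given to alice; the numeric owner check on alice's file then succeeds for bob's session. With a single authoritative mapper every path onto the box (SSH, Samba, cron) agrees on 10000 for alice and 10001 for bob, and both audits come back empty. On a real host the same audit amounts to comparing what Samba reports for each SID against what the system's passwd lookup returns for the same account.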

Samba is a tremendously configurable product, and can operate in many different modes. Its flexibility is the salvation of the knowledgeable Samba engineer and the bane of the ordinary IT administrator. It can take days or even weeks for the uninitiated to configure Samba properly for Active Directory integration. We at Centrify have gone through this painful learning curve ourselves and have developed installation utilities that with a few simple questions automate the configuration of Samba and ensure its harmonious operation with DirectControl. Most of our customers have our Samba up and running in a matter of minutes.

Another benefit that has come out of the Samba and Centrify integration work is tighter control over who can authenticate with a Samba server. This is an artifact of our Zoning technology: only users who belong to the zone are allowed to attempt authentication with the Samba server.

In addition, the binary Samba packages shipped with some platforms are built without Active Directory support. If customers want this important feature, they are forced to build custom versions from the Samba sources. Centrify has built Active Directory-enabled binary versions of one of the latest releases of Samba for each of the supported operating systems. This means you will be running an up-to-date version of Samba that has been thoroughly tested to integrate with DirectControl. The distribution for each operating system also includes other components that are required by Samba.

Finally, DirectControl for Samba includes an installation and deployment guide. There is also guidance related to testing your Samba environment. In addition, licensed Centrify customers who have support and maintenance contracts and are running Centrify DirectControl for Samba can get commercial support for the integration of DirectControl with Samba.

So now you get your Samba and your Centrify too, with all of the additional features that Centrify offers such as Active Directory integrated Web/database/ERP authentication, group policy, management reporting, and DirectAudit, not to mention future AD-based products currently in the pipeline that I will talk about in future articles.

Thanks to Dave Daugherty for helping me out with this blog entry, and for more information please check out my video chalktalk and interview with Dave regarding Samba and Active Directory integration.

