[olug] Samba roaming profiles

Phil Brutsche phil at brutsche.us
Fri Apr 11 08:27:36 UTC 2008


Dan Linder wrote:
> So, if a true Microsoft Windows Server 2003 system is needed to get
> the bells and whistles of AD for WinXP/Vista clients,

Windows 2000, XP, Vista, the upcoming "Windows 7", their inevitable
successors as well as corresponding server editions (2000 Server, Server
2003, Server 2008) and their inevitable successors.

> can you purchase a single W2K3 server and set up Linux+Samba servers
> in remote locations for authentication and local file/print serving?
> Or are there still things missing from Samba that would still make
> the systems reliant on the Win2K3 server?

For Samba to handle authentication, Samba needs to be a DC (domain
controller).

Samba does OK as a file & print server as long as you don't need
anything even remotely resembling NTFS permissions (Samba currently uses
POSIX ACLs to simulate them as a gross hack that has never worked like
the real thing), but properly replace an AD (Active Directory) DC? No.

In order to process the Group Policy Objects (GPOs) the client machine
would need access to:

a) A DNS server with the appropriate SRV RRs pointing to one or more DCs
b) A Kerberos KDC to authenticate to, located by SRV RRs
c) An LDAP server that the client machine can query to find out which
policies apply to it, located by SRV RRs
d) the GPO data files themselves on a reachable DC, located by SRV RRs
e) probably more that I'm forgetting about as it's waaay past 2am

a) is simple enough as BIND can more than do the job. I forget which
release introduced support for SRV RRs, but it was one of the early 8.x
releases.

c) and d) are the sticking points - Samba 3 doesn't provide an LDAP
server (and Samba using OpenLDAP as a SAM backend doesn't count, Samba 3
doesn't use AD-compatible schema and the LDAP directory isn't exposed to
the client), and even if it did it wouldn't have the GPO data files.

The GPO files are stored under \\<dns domain>\SYSVOL and are replicated
by NTFRS (aka NT File Replication Service), as is \\<dns domain>\NETLOGON.
Both are necessary for proper DC operation.

The only non-Windows NTFRS implementation that could possibly exist is
in Samba4... and even then the existence is hypothetical at this point.
There's no documentation to indicate the Samba developers have gotten
that far. It's necessary for Samba 4 to be feature complete, though.

Samba 4 promises to make Superman-like leaps and bounds over Samba 3 and
earlier - including acting as a proper Active Directory DC and using
Ext3 xattrs to implement NTFS ACLs - but, as I said before, it's a long
way away from being a feature-complete production-quality release.

What it comes down to is whatever OS your client systems run, your best
bet for the advanced bells and whistles is the corresponding server
environment. Once you get enough machines together (or as your
configuration complexity requirements increase) the bells and whistles
aren't a luxury, they're a necessity.

-- 

Phil Brutsche
phil at brutsche.us
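
Added example (mine, not from the post, Samba or BIND) for point a) above: a small Python audit that parses a constructed BIND zone fragment and checks that the SRV records a Windows domain member resolves to locate its KDC, LDAP server and a DC for SYSVOL are present, and that every SRV target also has an A record. The zone contents, the domain name and the audit_zone function are assumptions; the SRV owner names are the standard AD ones.

```python
import re

# Constructed sample BIND zone fragment (not from the original post).
# _kpasswd._tcp is deliberately missing and dc2 has no A record so the
# audit has something to report.
SAMPLE_ZONE = """\
$ORIGIN example.internal.
@                        IN SOA  dc1 hostmaster (2008041101 3600 900 604800 86400)
@                        IN NS   dc1
dc1                      IN A    10.0.0.5
_ldap._tcp               IN SRV  0 100 389  dc1
_ldap._tcp.dc._msdcs     IN SRV  0 100 389  dc1
_kerberos._tcp           IN SRV  0 100 88   dc1
_kerberos._udp           IN SRV  0 100 88   dc1
_gc._tcp                 IN SRV  0 100 3268 dc2
"""

# SRV owner names (relative to the zone origin) a domain member looks up
# to find a KDC, an LDAP server and a DC before it can process GPOs.
REQUIRED_SRV = [
    "_ldap._tcp", "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp", "_kerberos._udp",
    "_kpasswd._tcp", "_gc._tcp",
]

# Optional TTL field, class IN, then the record-specific fields.
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)\s*$")

def parse_zone(zone_text):
    """Return ({srv_owner: [(prio, weight, port, target), ...]}, {a_owner: ip})."""
    srv, a = {}, {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line)
        if m:
            owner, prio, weight, port, target = m.groups()
            srv.setdefault(owner, []).append((int(prio), int(weight), int(port), target))
            continue
        m = A_RE.match(line)
        if m:
            a[m.group(1)] = m.group(2)
    return srv, a

def audit_zone(zone_text):
    """Report required SRV names the zone lacks, plus SRV targets with no A
    record (the client can find the SRV but still cannot reach that DC)."""
    srv, a = parse_zone(zone_text)
    missing = [name for name in REQUIRED_SRV if name not in srv]
    dangling = sorted({rr[3] for rrs in srv.values() for rr in rrs if rr[3] not in a})
    return {"missing_srv": missing, "dangling_targets": dangling}

if __name__ == "__main__":
    print(audit_zone(SAMPLE_ZONE))
```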
