Microsoft's replacement for the awful Domain Controller concept. Two important things you need to understand here are that it is really LDAP, and that it is (or can be) distributed.
Unless you are working in a really big organization, you probably won't run into the distributed features, but it's just something to remember: one server doesn't necessarily have to be the central location for changes. In a small business, there probably will be just one server that handles it all, but it doesn't have to be that way.
As the base of Active Directory is LDAP, that immediately suggests that it could be holding a lot more information than just user account info, and in fact it does. See http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp for an overview of that.
AD also uses Kerberos for security. Again, that function could involve multiple machines, but probably won't in a small shop. Because of the possibility of all these distributed servers, AD makes heavy use of DNS. In the Unix world, particularly in small networks, we usually don't care too much about local DNS: if we pay any attention at all, it's often just /etc/hosts. Few of us bother to set up real DNS for the local network. However, AD needs local DNS. For most of the folks reading this page, your only concern with that will be getting Samba to play happily with AD. Fortunately, the underlying LDAP/Kerberos/DNS of AD makes that a little easier than it was with the entirely proprietary Domain Controller concepts, but it isn't easy getting there. Truthfully, you and the client would be better off if they weren't using AD at all, but we don't always get to do what's right when Microsoft has a strong grip in a company. At this writing (Samba 3.09), the best you can do is work with AD:
(http://it.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id2520142) As of the release of MS Windows 2000 and Active Directory, this information is now stored in a directory that can be replicated and for which partial or full administrative control can be delegated. Samba-3 is not able to be a Domain Controller within an Active Directory tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot act as a Backup Domain Controller to an Active Directory Domain Controller.
That means that you can get Samba to authenticate from an AD controller, but it can't BE the AD controller or an AD server. Not yet, anyway. (If you happen to stumble across this at some later time when Samba no longer has to play second fiddle, please do let me know that I need to update this page.) However, unlike Domain Controllers that could more easily be asked for authentication, AD requires more work.
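Since the "AD needs local DNS" point above is where most Samba-against-AD setups go wrong, here is an added example (not from this page or from the Samba project) that parses a BIND-style zone and checks that it publishes the SRV records an AD client uses to locate a domain controller. The zone text is constructed for illustration; the record names and ports are the standard AD locator records.

```python
import re
from collections import defaultdict

# SRV names AD clients (Windows members, Samba with "security = ADS") look up
# to find a domain controller, with the port each should advertise.
REQUIRED_SRV = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
                "_kpasswd._tcp": 464, "_ldap._tcp.dc._msdcs": 389}

# BIND-style SRV line: owner [ttl] [IN] SRV priority weight port target
SRV_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+"
                    r"(?P<port>\d+)\s+(?P<target>\S+)$", re.IGNORECASE)

def parse_srv(zone_text):
    """Map each SRV owner name (absolute, lowercased) to its (port, target) list."""
    origin, records = "", defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = SRV_RE.match(line)
        if m:
            name = m.group("name").lower()
            name = name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
            records[name].append((int(m.group("port")), m.group("target").rstrip(".")))
    return records

def check_ad_srv(zone_text, domain):
    """Return a sorted list of problems; an empty list means a DC can be located."""
    domain, records, problems = domain.rstrip(".").lower(), parse_srv(zone_text), []
    for prefix, port in REQUIRED_SRV.items():
        name = f"{prefix}.{domain}"
        entries = records.get(name, [])
        if not entries:
            problems.append(f"missing {name}")
        elif all(p != port for p, _ in entries):
            problems.append(f"{name} advertises no target on port {port}")
    return sorted(problems)

# Constructed sample zone: _kpasswd is absent and the UDP Kerberos record
# carries the LDAP port instead of 88, so password changes and some logons fail.
SAMPLE_ZONE = """
$ORIGIN example.com.
_ldap._tcp            600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp        600 IN SRV 0 100 88  dc1.example.com.
_kerberos._udp        600 IN SRV 0 100 389 dc1.example.com.   ; wrong port
_ldap._tcp.dc._msdcs  600 IN SRV 0 100 389 dc1.example.com.
"""
```

Run `check_ad_srv(SAMPLE_ZONE, "example.com")` against a dump of your local zone before blaming Samba; the same names can be queried live with `host -t SRV _ldap._tcp.dc._msdcs.<domain>`.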
More Articles by Tony Lawrence © 2011-07-07 Tony Lawrence