B.1 Understanding DSfW in Relation to Samba

DSfW simulates Active Directory environment on eDirectory and provides interoperability between eDirectory and Active Directory. A suite of services integrated with Samba help in achieving Active Directory equivalent environment. SAMBA is by default packaged with SLES and has the capability to emulate NT4 domain controller. DSfW takes this functionality forward and uses it to emulate Active Directory.

This means that the DSfW server can inter-operate with Active Directory and provides a gateway for DSfW users to access Active Directory resources with the help of trusts.This facilitates an environment where SLES and Windows servers can co-exist in an organization that has only Active Directory or only eDirectory or a mix of both Active Directory and eDirectory environments.

It is important to note that apart from providing emulation services for Active Directory, DSfW continues to support existing OES (Open Enterprise Server) services for the users in the DSfW environment.

Samba is an open source software suite that lets Linux and other non-Windows servers provide file and print services to clients that support the Microsoft SMB (Server Message Block) and CIFS (Common Internet File System) protocols.

A DSfW server uses the following services in order to provide Active Directory equivalent environment:

  • SAMBA-3.0.x

  • eDirectory

  • Novell Bind (DNS)

  • NTP server

  • xadsd (For handling RPC calls over LSARPC, SAMR and NETLOGON)

  • Kerberos KDC

  • Kerberos password server

During installation through YaST, when the Novell Domain Services for Windows pattern is selected, a set of other dependant RPMs also get selected. Provisioning helps in configuring DSfW and the supporting services.

Table B-1 DSfW and Samba

Functionalities

Samba

DSfW

Emulation

Emulates NT4 Domain Controller or can be a member server of Active Directory or NT domain.

Emulates Active Directory and can also be a member server.

Management

Can be managed through Windows NT4 Domain Server Manager and the Windows NT4 Domain User Manager. But cannot be managed from MMC.

DSfW can be managed from Microsoft MMC as well as eDirectory web management tools like iManager. So any Windows member server/client joined to the DSfW domain can use the power of Active Directory for creating shares, assigning access rights, managing users, trusts and group policies. In DSfW the Samba-3 shares and access rights can be managed using iManager.

Group Policies

No support for group policies that are crucial to implement security settings and enforce IT policies.

Supports Group Policies. For more information, see Managing Group Policy Settings.

Trusts

Supports NT style manual trusts between two domains.

Supports Active Directory level trusts that includes automatic Kerberos transitive trusts and cross-forest trusts.

DNS and Secure Updates

Does not come with DNS. Has to be installed separately. The bind DNS does not support secure dynamic updates. So, the DNS records have to be manually managed by the Active Directory administrators. Active Directory administrator has to create records for the DCs and for every member server joined to the domain.

Comes packaged with Novell Bind DNS that supports secure dynamic updates. As it is integrated into eDirectory, it provides centralized Active Directory administration and enterprise-wide management of DNS using iManager or Java Management Console. It leverages the benefit of eDirectory as Novell DNS configuration information is replicated just like any other data in eDirectory.

Provisioning Users

Provisioning is performed by including only Samba-specific information in the user objects created in the LDAP backend.

Provisioning is performed by extending the existing eDirectory object class and including Active Directory information in the user objects.

As a result, DSfW has the same information model as Active Directory.

Access Control at File system/Share level

Samba supports access control at both share level and file system level. It can be managed at share level from any Windows client. If the underlying file system is NSS and Novell Samba is installed, it can be managed using iManager.

DSfW supports access control at share level or at file system level. The access control can be managed at share level and file system level from a Windows client. If the underlying file system is NSS then it can be managed from iManager. It is recommended (but not required) that you create Samba shares on NSS data volumes in order to achieve this flexible dual access control.

Storage of security identities

Samba-3 stores security identities in local files. Whereas Novell SAMBA is integrated with eDirectory. This way it utilizes the power of eDirectory access control (trustee model) and data replication.

DSfW by default integrates SAMBA with eDirectory.

Password Policies

Supports NT domain type password policies.

Supports Active Directory domain password policies and existing eDirectory password policies.

Interoperability with Active Directory

SAMBA can be configured as a member server of the domain, but cannot be configured as domain controller.

With the help of cross-forest trust the users in DSfW environment will be able to access resources in Active Directory environment.