Using Verify Privilege Server Suite technology with Samba
These topics describe how Samba integrates with Verify Privilege Server Suite and highlight some integration issues that you might encounter.
What is Samba?
Samba is an open source file and printer sharing program that allows a Linux or UNIX host to participate as an Active Directory services domain member. When Samba is installed, Windows users can share files and printers on the Linux or UNIX computers.
Samba.org distributes the Samba files and expects users to download and build their own packages. All major Linux and free UNIX distributions have Samba as a native package. For a native install of Samba on your system, see your distributor’s package or port system.
Also, the https://samba.plus web site offers Samba packages for Red Hat Enterprise Linux (RHEL), SuSE Linux Enterprise Server (SLES), and Debian systems. The http://en.opensuse.org/Samba web site offers Samba packages for all SuSE Linux products, including SLES.
What is Verify Privilege Server Suite-enabled Samba?
Verify Privilege Server Suite-enabled Samba is an adbindproxy module and PERL configuration script that enables Verify Privilege Server Suite and Samba to work together without UID, GID, or Active Directory conflicts.
In previous releases, Verify Privilege Server Suite modified the Samba package and provided a unique Verify Privilege Server Suite version of Samba for each supported operating system. In this release, Verify Privilege Server Suite instead provides two components that work with the stock Samba packages.
Verify Privilege Server Suite is an integrated set of commercial identity management products that enable a Linux, UNIX, or Mac host to participate as an Active Directory domain member. When you install Verify Privilege Server Suite products, you can manage the Verify Privilege Server Suite-managed computer’s user and group accounts and privileges entirely through Active Directory.
When open-source Samba is configured as an Active Directory domain member and the DirectControl agent is installed together with Samba on the same Linux or UNIX host, two problems can arise:
- Samba and the DirectControl agent both attempt to create and manage the same Active Directory computer account object, causing one of the products to stop working.
- Samba and the Verify Privilege Server Suite Management Services tools both generate UIDs and GIDs for the same Active Directory users and groups, but they use different algorithms to derive these values, so the two sets of IDs conflict. The result is file ownership conflicts and access control problems.
To resolve these issues, Verify Privilege Server Suite provides the following components:
- adbindproxy (adbindd) module: The adbindproxy module uses the adbindd daemon. Unless otherwise noted, “adbindproxy” and “adbindd” are used interchangeably in the documentation. The adbindproxy (adbindd) module intercepts Samba UNIX ID mapping requests and reroutes them to the DirectControl agent for processing. This ensures that Samba and the DirectControl agent agree on the UNIX attribute values.
- adbindproxy.pl PERL configuration script: Automates most of the setup process and designates the DirectControl agent as the manager of the shared computer object.
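The following model, added here as an illustration and not code from Samba or Verify Privilege Server Suite, shows why two independent SID-to-UNIX-ID mappers produce ownership conflicts and how routing every request through a single authority (the role adbindproxy plays for the DirectControl agent) removes them. Samba's idmap_rid scheme (UNIX ID = range base + RID) is modelled faithfully; the second mapper is an assumed hash-based stand-in, not the DirectControl agent's real algorithm, and the SIDs and share paths are constructed sample data.

```python
"""Model of SID-to-UNIX-ID mapping conflicts between two independent mappers.

Added illustration only; none of this is Samba or Verify Privilege Server Suite code.
"""
import zlib
from dataclasses import dataclass


def rid_of(sid: str) -> int:
    """Return the relative identifier (last dash-separated component) of a SID."""
    return int(sid.rsplit("-", 1)[1])


def samba_idmap_rid(sid: str, range_low: int = 1_000_000) -> int:
    """Samba's idmap_rid backend: UNIX ID = low bound of the idmap range + RID."""
    return range_low + rid_of(sid)


def independent_mapper(sid: str) -> int:
    """ASSUMPTION: a stand-in hash-based allocator, NOT the DirectControl agent's
    real algorithm. It only demonstrates that a second, unrelated scheme yields
    different numbers for the same SID. Its range (2,000,000+) never overlaps the
    idmap_rid range used above for RIDs below 1,000,000."""
    return 2_000_000 + zlib.crc32(sid.encode()) % 1_000_000


class Proxy:
    """Models adbindproxy: every mapping request, whoever makes it, is forwarded
    to one authority, so all callers see the same UNIX ID for a given SID."""

    def __init__(self, authority):
        self._authority = authority

    def __call__(self, sid: str) -> int:
        return self._authority(sid)


@dataclass
class FileEntry:
    """A file on the shared host, recorded with the numeric UID that owns it."""
    path: str
    owner_uid: int


def create_via_smb(path: str, owner_sid: str, mapper) -> FileEntry:
    """Samba creates the file and stamps it with whatever UID its mapper returns."""
    return FileEntry(path, mapper(owner_sid))


def owner_matches(entry: FileEntry, user_sid: str, mapper) -> bool:
    """A local process resolves the same user with its own mapper and compares UIDs."""
    return mapper(user_sid) == entry.owner_uid


def find_conflicts(sids, mapper_a, mapper_b):
    """List every SID for which the two mappers disagree on the UNIX ID."""
    return [sid for sid in sids if mapper_a(sid) != mapper_b(sid)]


# Constructed sample SIDs (fictitious domain identifier and RIDs).
SAMPLE_SIDS = [
    "S-1-5-21-1111-2222-3333-1105",
    "S-1-5-21-1111-2222-3333-1106",
    "S-1-5-21-1111-2222-3333-1201",
]


if __name__ == "__main__":
    user = SAMPLE_SIDS[0]
    # Samba stamps the file with its own mapping; a local process using the other
    # mapper no longer recognises the owner: the ownership conflict from the text.
    entry = create_via_smb("/srv/share/report.txt", user, samba_idmap_rid)
    print("owner visible to Samba     :", owner_matches(entry, user, samba_idmap_rid))
    print("owner visible to other tool:", owner_matches(entry, user, independent_mapper))
    print("conflicting SIDs           :", find_conflicts(SAMPLE_SIDS, samba_idmap_rid, independent_mapper))

    # With both sides routed through one authority the disagreement disappears.
    proxy = Proxy(independent_mapper)
    entry = create_via_smb("/srv/share/report.txt", user, proxy)
    print("owner visible via proxy    :", owner_matches(entry, user, proxy))
    print("conflicts via proxy        :", find_conflicts(SAMPLE_SIDS, proxy, proxy))
```

Running the script prints the ownership check failing under the second mapper and a non-empty conflict list, then no conflicts once both callers go through the proxy. The same check pattern, comparing the UID Samba assigns with the UID the rest of the system resolves for one account, is the first thing to verify on a host where both products are installed.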
Verify Privilege Server Suite-Enabled Samba Architecture
The following figure provides a conceptual view of the complete solution architecture using Active Directory, Samba, and Verify Privilege Server Suite for Samba components.
If you have not been using Samba up to this point, or if you have been using an older Samba security method (such as user or server), the integration process makes it straightforward to configure Samba as an Active Directory domain member.
On the other hand, if you have already been using Samba as an Active Directory domain member and have assigned UIDs and GIDs to Active Directory users and groups, the PERL configuration script helps to resolve conflicts when Samba and Verify Privilege Server Suite are integrated.
The integrated solution, composed of the DirectControl agent (installed separately), open-source Samba, and adbindproxy, provides the following:
- Samba and the DirectControl agent use the same Active Directory computer object without conflicts.
- Consistent user and group attributes are applied on files across Windows, Linux and UNIX computers.
- All UNIX user identity attributes, including the UID, GID, home directory, and login shell in UNIX profiles, are centrally stored and managed in Active Directory.
- Both Kerberos and NTLM Samba authentication methods are supported.
- Standard Samba access-control features are implemented and augmented by the Verify Privilege Server Suite zones technology.