Samba 4 History

Samba 4 Features

What is Samba Active Directory?

At a time when securing sensitive data and limiting access is a major challenge for companies, an Active Directory lets you centralize, manage and authenticate the users and computers of a domain. In short, its purpose is to inventory the identities and resources on your network so that authentication and access rights can be managed from one place. Setting up an Identity and Access Management (IAM) tool is therefore essential for organizations.

And now you are probably thinking: "Great, if only it were possible to implement this solution simply." It is!

At JASANIX, when it comes to Active Directory, we cannot help but talk about Samba AD. Samba AD is the open-source equivalent of Microsoft Active Directory: the same features without the license fees. The little extra with Samba AD is that we can offer our support to help you with your migrations, carry out skills transfer, or provide you with documentation so you can do it all yourself.

File Sharing and Mutual Authentication

In 1980, the world of computing experienced a revolution with the arrival of microcomputing. Computers gained power and usefulness, since they could run programs locally, directly on the machine. Despite the obvious advantage of this revolution, new challenges had to be addressed before the power of these machines could be exploited:


  • File sharing: users of different machines must be able to access the same document.
  • Mutual authentication: managing user rights and ensuring that the user is connected to the right machine (and the machine to the right user) becomes essential.

NetBIOS Protocol: Facilitating Communication Between Machines

It was not until 1983 that Sytek developed the NetBIOS protocol to facilitate communication between machines. NetBIOS provides an abstraction layer between the application layer and the transport layer. IBM followed shortly afterwards, launching its resource-sharing protocol, SMB, in 1985. SMB follows a client/server structure: the server responds to requests sent by the client. Although the protocol quickly became a standard, it faced stiff competition, particularly from Novell and its NetWare product. LAN Manager, integrated into OS/2 and the result of the alliance between IBM, Microsoft and 3Com, emerged from this competition. IBM realized the potential of the NetBIOS protocol and quickly imposed it by leveraging its position as a leader in the IT industry. With the advent of client/server environments, it became necessary to ensure that client and server could recognize each other. To secure access to data, LAN Manager introduced three principles:

  • Identification: establish the identity of the user.
  • Authentication: verify the user's identity.
  • Authorization: decide whether or not the user has access to a given resource.

Manage identification and authentication

Project Athena: The beginning of Samba

The Athena project was initiated by MIT in 1983 and aimed to develop strategies and software for a client/server network system. It was born from the realization that students would need to access file servers on a large, valuable network from their own computers.

The development of an identification and authentication mechanism was then integrated into the Athena project. The objective was to develop a network authentication protocol (Kerberos) that could establish trust between a small set of closely monitored and controlled servers and workstations that could not themselves be trusted. Authentication exchanges between the trusted servers and the network computers are encrypted so that credentials cannot be intercepted.

The birth of Samba: Interoperability between environments

The Samba project is a software suite that provides interoperability between Windows environments and Unix/Linux environments. The project owes its name to the communication and file-sharing protocol it implements: SMB. The SMB protocol became increasingly popular and quickly became the standard for exchanging files on Windows, Linux and Mac networks. Samba's functions include:

  • Centralized identification and authentication management in Active Directory and NT4 domain modes.
  • Centralized group management.
  • File sharing according to the version of the Microsoft SMB protocol in use.
  • Centralized management of access rights to files and directories.
  • Printer sharing.

Samba continued to spread through the IT landscape and evolved through its major versions:

  • Samba1: simple implementation of the LAN Manager protocols and workgroup support.
  • Samba2: NT4-style domain controller service for Windows workstations that are members of a domain.
  • Samba3: support for NT4 domain features and for newer versions of the SMB protocol.

Samba4: Transition to an Active Directory

Since version 2.0, the Samba project has had the ambition of becoming an Active Directory, and it is since 2005, with Samba4, that the project finally took off. The objective of this version was to rewrite Samba completely on the basis of Microsoft's official protocol specifications, access to which made the development easier. To consolidate the interoperability approach, the implementers of the SMB protocols meet every year to test their implementations against each other.

2012 : A deciding year for Samba

In 2012, it became clear that an implementation of the SMB file-sharing protocol based exclusively on Microsoft's specifications was not functional, the protocol as implemented by Microsoft being complex and poorly documented. This is where Samba3's file server, developed empirically over the years, had made its mark by offering fully functional file and printer sharing. The rewrite of Samba4 therefore involved three major components:

  • The Active Directory component.
  • The smbd file sharing component.
  • The winbindd user mapping component.

In September 2012, it was decided to use the Samba3 smbd code as the basis for the file and printer sharing functions, while the Samba4 code would provide the Active Directory function. Samba 4.0.0 was released as a stable version in December 2012. Starting with Samba 4, the development team has adopted the following release approach:

  • Version in development, considered unstable, N+1, for example 4.11.
  • Stable production version N, for example 4.10.
  • Version in corrective and security maintenance, N-1, for example 4.9.
  • Version in security-only maintenance, N-2, for example 4.8.

It is important to note that Samba3 is no longer maintained, so a migration should be prepared. This migration is simplified by the fact that Samba4's file server is based on Samba3's code.

Samba4 is designed to operate as part of existing Microsoft infrastructures: it can join an existing domain as an additional domain controller and assist you in replacing Microsoft Windows domain controllers. In the meantime, we will be happy to discuss your Active Directory project with you.


Samba4: Features

Samba Active Directory helps create and manage Windows, OS X and Linux infrastructures, providing open-source alternatives to Microsoft-based products.

The core product is Samba 4 Active Directory, a flexible, cost-efficient and proven alternative to Microsoft Windows Server and Microsoft Small Business Server. It includes comprehensive Active Directory functionality and an App Center that integrates and manages your own or third-party enterprise applications.

The Samba4 management console is well suited to organizations of any size, whether as a standard on-premises setup, in the cloud or in hybrid IT environments.

Samba AD: File service and AD domain control

Starting with Samba AD version 4.2.0, the development team has made improvements to file services, software operation and security, as well as to domain controller performance. The end of Samba3 support was announced with version 4.2.0, although Samba4 still supports the NT4-style domain identification and authentication protocols.

Improvements to the file service:

  • Access to shadow copies (previous versions) of files hosted on a share, allowing you to revert to saved versions of the shared file tree.
  • SMB 3.1.1 support, the version of the standard file-exchange protocol that appeared with Windows 10.
  • VirusFilter VFS module support, integrating with the Sophos, F-Secure and ClamAV antivirus engines to provide on-access scanning on the file server.

Improvements to the domain controller:

  • Encryption of RPC exchanges between domain controllers, preventing man-in-the-middle attacks on replication traffic.
  • Improved overall password management policy.
  • Improved KCC (Knowledge Consistency Checker), the mechanism that lets a controller compute the replication topology so that it operates correctly on a large network.
  • Improved removal of a failed domain controller.
  • Last logon / last logoff support.
  • Improved replication and DNS performance.

Evolution of Security:

  • NTLMv1 disabled by default on any newly provisioned domain controller (the corresponding smb.conf setting is ntlm auth = ntlmv2-only), in response to the rise of ransomware and other attacks that abuse the weak NTLMv1 protocol.
  • Restriction of the port range used by the MS-RPC services, so that the dynamic RPC ports can be filtered by a firewall.
  • Encryption of sensitive data (such as password hashes) on disk.
  • Differentiation of password policies between users and groups of users (fine-grained password policies).
  • Auditing of Active Directory events (logons, creation of AD objects, ...).
  • A script hook in smb.conf (check password script) allowing you to enforce your own password complexity rules, which also applies to password changes made from Windows client machines.
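The settings in this list map onto a handful of smb.conf parameters on the domain controller. The following script, added here as an example and not taken from the Samba project, parses the [global] section of an smb.conf and reports whether NTLMv1 is refused, whether the MS-RPC dynamic port range has been narrowed, whether a password-check hook is configured, and whether authentication and directory auditing are enabled. The parameter names are real Samba parameters; the two sample configurations, the threshold for an acceptably narrow port range and the script path are constructed for this example.

```python
"""Audit a Samba AD DC smb.conf for the hardening settings listed above.

Added example, not Samba project code.  "ntlm auth", "rpc server dynamic
port range", "check password script" and the "log level" audit classes are
real smb.conf parameters; the two configurations and the port-range width
threshold are constructed for this example.
"""
import re

# Constructed sample: a DC that still accepts NTLMv1 and audits nothing.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    ntlm auth = yes
    log level = 1
"""

# Constructed sample: the same DC after applying the settings above.
HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    ntlm auth = ntlmv2-only
    rpc server dynamic port range = 49152-49200
    check password script = /usr/local/sbin/check-password.sh
    log level = 1 auth_audit:3 auth_json_audit:3 dsdb_audit:5 dsdb_json_audit:5
"""

# "ntlm auth" values that refuse NTLMv1 ("no" is an alias of ntlmv2-only,
# "yes" an alias of ntlmv1-permitted).
SAFE_NTLM_AUTH = {"ntlmv2-only", "no", "mschapv2-and-ntlmv2-only", "disabled"}


def parse_global(text):
    """Return the [global] section as {parameter: value}.  Samba ignores case
    and whitespace in parameter names, and the last definition wins."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def audit(text):
    """Return [(check, passed, detail)] for the four hardening points."""
    g = parse_global(text)
    findings = []

    # NTLMv1 must not be accepted.  Absent means the default, ntlmv2-only
    # (since Samba 4.5), which is fine; "yes"/"ntlmv1-permitted" is not.
    ntlm = g.get("ntlm auth", "ntlmv2-only").lower()
    findings.append(("ntlm auth", ntlm in SAFE_NTLM_AUTH, f"ntlm auth = {ntlm}"))

    # The MS-RPC dynamic port range should be narrowed from the default
    # 49152-65535 so it can be allowed through a firewall between sites.
    rng = g.get("rpc server dynamic port range", "")
    m = re.fullmatch(r"(\d+)-(\d+)", rng)
    narrow = False
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        narrow = 1024 <= lo <= hi <= 65535 and hi - lo < 1000  # example threshold
    findings.append(("rpc server dynamic port range", narrow,
                     rng or "not set (default 49152-65535)"))

    # A password complexity hook should be configured.
    script = g.get("check password script", "")
    findings.append(("check password script", bool(script), script or "not set"))

    # Authentication and directory-change auditing should both be enabled
    # (auth_audit / auth_json_audit and dsdb_audit / dsdb_json_audit classes).
    level = g.get("log level", "")
    auth_on = re.search(r"\bauth(_json)?_audit:[1-9]", level) is not None
    dsdb_on = re.search(r"\bdsdb(_json)?_audit:[1-9]", level) is not None
    findings.append(("audit logging", auth_on and dsdb_on,
                     f"log level = {level or '(default)'}"))
    return findings


def is_hardened(text):
    """True only if every check in audit() passes."""
    return all(passed for _, passed, _ in audit(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {name} smb.conf ==")
        for check, passed, detail in audit(conf):
            print(f"  [{'OK' if passed else 'FAIL'}] {check}: {detail}")
```

Run it as-is to compare the two constructed configurations, or feed it the contents of /etc/samba/smb.conf on a real DC. The checks are deliberately conservative: an absent ntlm auth passes only because the shipped default has been ntlmv2-only since Samba 4.5, so on older installations treat "not set" as a failure.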

Modifications to the functionality :

  • Improved KCC that optimizes the replication topology according to link latencies and network speeds.
  • Creation of an Active Directory recycle bin to recover objects deleted by mistake.
  • Read-only domain controller (RODC) support, allowing sites without sufficient physical security to host a DC that holds a read-only copy of the directory and caches only the passwords of the accounts its password replication policy permits.
  • General improvement in the operation of trust relationships.
  • Implementation of Automatic Site Coverage, allowing computers on a site without a domain controller to connect to the nearest domain controller.
  • LMDB database back-end support for domains with more than 100,000 objects (users, groups, computers, etc.).
  • Ability to export the GPOs of a domain into a generalized XML file, allowing partial GPO backups.
  • The "samba-tool domain backup" command now has an "offline" subcommand to perform an offline backup safely.
  • Samba 4.X fully supports Python 3 (now used by default). Samba 4.X will be the last version to support Python 2.
  • New audit events are also at the heart of Samba 4.10's new features: authentication messages now contain the Windows event ID number and the user name.
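Because each authentication message now carries a Windows event ID (4624 for a successful logon, 4625 for a failure) and the account name, the JSON audit stream can be fed directly into detection logic. The following script, added here as an example and not part of Samba or of this page's original content, parses auth_json_audit lines and flags a source address whose failed logons hit many distinct accounts within a short window, the signature of a password spray. The field names follow Samba's auth_json_audit format as the author recalls it (type, timestamp, Authentication.eventId, .status, .clientAccount, .remoteAddress); the log lines themselves are constructed for the example.

```python
"""Detect password spraying in Samba AD DC JSON authentication audit logs.

Added example, not Samba project code.  Samba emits one JSON object per
authentication when "log level" contains auth_json_audit:3; the field names
used here follow that format as the author recalls it.  The log lines below
are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _audit_line(when, event_id, account, source, status):
    """Build one constructed auth_json_audit message (only the fields we use)."""
    return json.dumps({
        "timestamp": when.strftime("%Y-%m-%dT%H:%M:%S.%f%z"),
        "type": "Authentication",
        "Authentication": {
            "eventId": event_id,          # 4624 = success, 4625 = failure
            "status": status,
            "clientDomain": "EXAMPLE",
            "clientAccount": account,
            "remoteAddress": f"ipv4:{source}:49211",
            "serviceDescription": "SMB2",
            "authDescription": "NTLMv2",
        },
    })


_T0 = datetime(2019, 4, 1, 9, 0, 0, tzinfo=timezone.utc)

# Constructed sample: 10.0.0.50 fails against six accounts in under two
# minutes (a spray); 10.0.0.7 mistypes once and then logs on; the last line
# is an ordinary text log line that must be ignored.
SAMPLE_LOG = [
    _audit_line(_T0 + timedelta(seconds=20 * i), 4625, acct, "10.0.0.50",
                "NT_STATUS_WRONG_PASSWORD")
    for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    _audit_line(_T0 + timedelta(seconds=5), 4625, "alice", "10.0.0.7",
                "NT_STATUS_WRONG_PASSWORD"),
    _audit_line(_T0 + timedelta(seconds=15), 4624, "alice", "10.0.0.7",
                "NT_STATUS_OK"),
    "[2019/04/01 09:00:16.000000,  1] ../../source4/smbd/server.c: plain text line",
]


def _source_ip(remote_address):
    """'ipv4:10.0.0.50:49211' or 'ipv6:fe80::1:49211' -> the host part."""
    addr = remote_address
    if addr[:5] in ("ipv4:", "ipv6:"):
        addr = addr[5:]
    return addr.rsplit(":", 1)[0]


def parse_auth_events(lines):
    """Parse JSON audit messages; non-JSON and non-Authentication lines are skipped."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or rec.get("type") != "Authentication":
            continue
        auth = rec["Authentication"]
        events.append({
            "time": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "event_id": auth["eventId"],
            "status": auth["status"],
            "account": auth["clientAccount"].lower(),
            "source": _source_ip(auth["remoteAddress"]),
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: [accounts]} for sources whose failed logons (4625)
    hit at least min_accounts distinct accounts inside any sliding window."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4625:
            failures[ev["source"]].append((ev["time"], ev["account"]))
    hits = {}
    for source, attempts in failures.items():
        best, start = set(), 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            hits[source] = sorted(best)
    return hits


if __name__ == "__main__":
    for src, accounts in detect_password_spray(parse_auth_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {', '.join(accounts)}")
```

Run it directly to see the finding on the constructed sample; in production, pipe the DC's log (or the JSON lines forwarded to your SIEM) into parse_auth_events and tune window and min_accounts to your environment. The complementary query, many failures against one account from one source, is a brute-force check on the same parsed events.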