Briefly explained: Samba and Active Directory: Central Domain Administration

Central domain administration with Samba 4.0 and UCS

Have you wondered what the specific differences are between Samba and Microsoft Active Directory, what functionality they offer, and what role they play in identity management for Univention Corporate Server?

In a nutshell: Samba and Microsoft Active Directory are both solutions for centrally identifying and authorizing the members of a domain. While Samba is free software released under the GNU GPL, Active Directory (AD) is the directory service of Microsoft Windows Server. Since Windows Server 2008, its core component has been called Active Directory Domain Services (AD DS). Both solutions are used for the central organization, provisioning, and monitoring of a domain network: Samba and Microsoft AD manage objects on the network such as users, groups, computers, services, servers, and file shares.
In this article, I will introduce both approaches and show how you can use them to improve data protection and make your IT systems more resilient. I will also explain how you can use Univention Corporate Server to build a bridge between the Linux/Unix and Windows worlds. This way, you can use the advantages of both systems: you do not have to decide between Samba and Microsoft AD, and therefore do not have to choose between proprietary and open-source solutions.

What is Active Directory?

Active Directory is a solution developed by Microsoft to provide authentication and authorization services in a domain. The main elements of Active Directory are an LDAP directory service, a Kerberos implementation, and DNS services. The directory service stores information about the users, groups, and computers in your environment. Kerberos handles the authentication of users and computers. DNS (Domain Name System) answers name resolution requests, which ensures that client and server systems can find each other on the network and communicate with each other.
All three components, LDAP, Kerberos, and DNS, are closely intertwined and combined into a single unit in Active Directory Domain Services (AD DS). Windows server systems can provide these Active Directory Domain Services as so-called domain controllers, or they can join such a domain as a member. Windows clients can also join such a domain in the business and education editions of the operating system.
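The coupling of DNS, LDAP, and Kerberos is concrete: clients find a domain controller by querying DNS for service locator (SRV) records such as `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.<domain>`, and a missing or wrong record breaks logons even though the LDAP and Kerberos services themselves are running. The following script is an added example (not code from this article, Univention, or Samba) that parses dig-style SRV answer lines and reports which of the standard locator records for a domain are missing or advertise the wrong port. The domain `example.test`, the host names, and the zone text are constructed for the example.

```python
"""Check that the DNS SRV records an Active Directory domain relies on exist.

Added example, not code from the article or from Univention/Samba.
The zone content below is constructed; in practice you would feed the
answer section of `dig -t SRV <name>` (or any zone dump) into parse_srv_lines.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. "_ldap._tcp.dc._msdcs.example.test"
    priority: int
    weight: int
    port: int
    target: str     # host that offers the service


# Locator records AD clients (and Samba's own tools) use to find a DC,
# with the standard port each one is expected to advertise.
REQUIRED_SERVICES = {
    "_ldap._tcp.dc._msdcs": 389,
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_gc._tcp": 3268,
}


def parse_srv_lines(text):
    """Parse dig-style lines: <name> <ttl> IN SRV <prio> <weight> <port> <target>."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "SRV":
            continue
        name, prio, weight, port, target = fields[0], fields[4], fields[5], fields[6], fields[7]
        records.append(SrvRecord(name.rstrip(".").lower(), int(prio), int(weight),
                                 int(port), target.rstrip(".").lower()))
    return records


def check_dc_srv_records(domain, records):
    """Return problems keyed by owner name; an empty dict means all records are fine.

    A service is "missing" when no SRV record exists for it and "wrong port"
    when records exist but none advertises the expected port.
    """
    by_name = {}
    for rec in records:
        by_name.setdefault(rec.name, []).append(rec)
    problems = {}
    for prefix, port in REQUIRED_SERVICES.items():
        owner = f"{prefix}.{domain}".lower()
        found = by_name.get(owner, [])
        if not found:
            problems[owner] = "missing"
        elif not any(r.port == port for r in found):
            problems[owner] = f"wrong port {found[0].port}, expected {port}"
    return problems


def dc_targets(domain, records):
    """Host names that advertise themselves as LDAP domain controllers."""
    owner = f"_ldap._tcp.dc._msdcs.{domain}".lower()
    return sorted({r.target for r in records if r.name == owner})


# Constructed sample: two DCs, the kpasswd record is missing and the
# Kerberos UDP record carries a wrong port.
SAMPLE_DOMAIN = "example.test"
SAMPLE_ZONE = """\
; constructed sample zone, not a real domain
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389  dc1.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389  dc2.example.test.
_ldap._tcp.example.test.           600 IN SRV 0 100 389  dc1.example.test.
_kerberos._tcp.example.test.       600 IN SRV 0 100 88   dc1.example.test.
_kerberos._udp.example.test.       600 IN SRV 0 100 89   dc1.example.test.
_gc._tcp.example.test.             600 IN SRV 0 100 3268 dc1.example.test.
"""
SAMPLE_RECORDS = parse_srv_lines(SAMPLE_ZONE)

if __name__ == "__main__":
    for owner, problem in check_dc_srv_records(SAMPLE_DOMAIN, SAMPLE_RECORDS).items():
        print(f"{owner}: {problem}")
    print("domain controllers:", dc_targets(SAMPLE_DOMAIN, SAMPLE_RECORDS))
```

Run against the sample, the script reports the missing `_kpasswd._tcp` record and the wrong Kerberos UDP port; a clean result is the condition a domain controller (Windows or Samba) must satisfy before clients can locate it.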


Multi-Master Replication: Resource Allocation and Reliability

Since the contents of the directory service are replicated between several domain controllers, they are available on several systems. Replication means that the same data is accessible at several locations and is regularly synchronized. This not only distributes the load when there are many requests; it also keeps the directory available if one server fails.
Active Directory supports so-called multi-master replication, which means that you can make changes on any domain controller; the synchronization with the other controllers takes place automatically.
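Multi-master replication only works if every controller resolves conflicting writes to the same attribute in the same way; otherwise the replicas would drift apart. The following simulation is an added example (not code from the article, Samba, or Microsoft) of the simplified scheme behind this: every attribute value carries a stamp consisting of a version number, the originating write time, and the id of the originating controller, and the highest stamp wins. The controller names, the object, and the timestamps are constructed. Note the flip side for defenders: because a write accepted by any one controller propagates to all of them, every domain controller is equally sensitive and deserves the same level of protection and change monitoring.

```python
"""Simplified model of multi-master replication with attribute-level conflict
resolution. Added example; not the replication code of Samba or Active Directory.

Assumption: conflicts are resolved per attribute by comparing
(version, originating timestamp, originating DC id), highest stamp wins.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    version: int      # incremented on every originating write to the attribute
    timestamp: int    # constructed write time in seconds (logical clock)
    origin: str       # id of the DC on which the write originated


@dataclass
class Value:
    value: str
    stamp: Stamp


class DomainController:
    def __init__(self, name):
        self.name = name
        self.objects = {}   # dn -> {attribute: Value}

    def write(self, dn, attr, value, at):
        """Originating write on this DC: bump the version and stamp with our id."""
        obj = self.objects.setdefault(dn, {})
        old = obj.get(attr)
        version = old.stamp.version + 1 if old else 1
        obj[attr] = Value(value, Stamp(version, at, self.name))

    def read(self, dn, attr):
        entry = self.objects.get(dn, {}).get(attr)
        return entry.value if entry else None

    def replicate_from(self, other):
        """Pull from another DC; a remote value replaces ours only if its stamp is higher."""
        for dn, attrs in other.objects.items():
            obj = self.objects.setdefault(dn, {})
            for attr, remote in attrs.items():
                local = obj.get(attr)
                if local is None or remote.stamp > local.stamp:
                    obj[attr] = remote


def replicate_all(dcs):
    """One replication cycle in which every DC pulls from every other DC."""
    for a in dcs:
        for b in dcs:
            if a is not b:
                a.replicate_from(b)


def converged(dcs, dn, attr):
    """True when all DCs hold the same value for the attribute."""
    return len({dc.read(dn, attr) for dc in dcs}) == 1


def demo():
    """Concurrent edits of one attribute on two DCs; returns the value each DC ends with."""
    dc1, dc2 = DomainController("dc1"), DomainController("dc2")
    dn = "CN=alice,CN=Users,DC=example,DC=test"   # constructed object
    dc1.write(dn, "description", "Finance", at=10)
    replicate_all([dc1, dc2])
    # Both DCs are edited before the next replication cycle: same version,
    # so the later originating timestamp decides.
    dc2.write(dn, "description", "Sales", at=20)
    dc1.write(dn, "description", "Legal", at=21)
    replicate_all([dc1, dc2])
    return dc1.read(dn, "description"), dc2.read(dn, "description")


if __name__ == "__main__":
    print(demo())   # both controllers converge on the later write
```

In the demo both controllers end up with "Legal": the two edits share version 2, so the later originating timestamp wins, and the losing edit is silently overwritten on every replica. In the full AD scheme the same idea applies with update sequence numbers and invocation ids; the simplified stamp here is an assumption of the example.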

Samba: Uniting Linux/Unix systems with the Microsoft solution

The Samba project maintains the free software suite of the same name, which enables Linux and Unix-based systems to interoperate with services and protocols used and developed by Microsoft. Samba supports numerous services and protocols, including SMB/CIFS, NTLM, WINS/NetBIOS, (MS)RPC, SPOOLSS, DFS, SAM, LSA, and the Windows NT domain model. Since version 4.0, Samba can be a fully-fledged alternative to Active Directory Domain Services.

Samba as Active Directory Domain Controller

Now, Samba systems can not only join an Active Directory domain as a member. They can also take on the role of domain controller themselves, providing Active Directory Domain Services on a Linux or Unix-based system. Windows or macOS clients join a Samba-provided Active Directory domain through the same mechanism as an MS-AD domain. Applying Group Policies to manage Windows clients is also possible.

UCS as a link between the Windows and Linux worlds

The directory service OpenLDAP is a central element of Univention Corporate Server and must be present in every UCS domain. Thanks to the Active Directory-compatible Domain Controller app, which you install from the Univention App Center, you can operate an AD domain via Samba. The S4 Connector developed by Univention synchronizes all relevant information between the OpenLDAP and the Samba directory service.

Therefore, UCS is ideally suited as a link between the Windows and Linux/Unix worlds and can combine both systems in one domain. Many customers use this feature to synchronize user and group memberships and passwords between Samba AD and OpenLDAP.
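Keeping two directories with different schemas in sync means translating each object between the attribute names of an OpenLDAP `posixAccount` and those of an AD `user`, and only ever copying the attributes that belong in the other directory. The following is an added example (not the S4 Connector's code and not using any Univention API) of such a mapping for a user entry in both directions, plus a check for attributes that still differ between the two sides. The attribute table, the directory bases, the realm `EXAMPLE.TEST`, and the sample user are assumptions made for the example; it does not attempt password synchronization and deliberately drops the password attributes.

```python
"""Attribute mapping between an OpenLDAP user entry and a Samba AD user entry.

Added example; it is not the S4 Connector's code and does not use Univention's
APIs. Entries are plain dicts of attribute name -> value, as a connector would
receive them from an LDAP search.
"""

# Left: OpenLDAP attribute, right: AD attribute. This table is an assumption
# made for the example, not the S4 Connector's own mapping.
ATTRIBUTE_MAP = {
    "uid": "sAMAccountName",
    "cn": "cn",
    "sn": "sn",
    "givenName": "givenName",
    "mail": "mail",
    "uidNumber": "uidNumber",
    "gidNumber": "gidNumber",
}
REVERSE_MAP = {ad: ldap for ldap, ad in ATTRIBUTE_MAP.items()}

# Attributes this example never copies across, whatever the table says.
LDAP_ONLY = {"userPassword"}
AD_ONLY = {"unicodePwd", "objectSid", "objectGUID"}


def ldap_to_ad(entry, realm, ad_users_base):
    """Build the AD user attributes for an OpenLDAP posixAccount entry."""
    if "uid" not in entry:
        raise ValueError("OpenLDAP entry has no uid")
    ad = {"objectClass": ["top", "person", "organizationalPerson", "user"]}
    for ldap_attr, ad_attr in ATTRIBUTE_MAP.items():
        if ldap_attr in entry and ldap_attr not in LDAP_ONLY:
            ad[ad_attr] = entry[ldap_attr]
    ad["userPrincipalName"] = f"{entry['uid']}@{realm.lower()}"
    ad["dn"] = f"CN={entry.get('cn', entry['uid'])},{ad_users_base}"
    return ad


def ad_to_ldap(entry, ldap_users_base):
    """Inverse mapping: AD user attributes back to an OpenLDAP posixAccount."""
    if "sAMAccountName" not in entry:
        raise ValueError("AD entry has no sAMAccountName")
    ldap = {"objectClass": ["top", "person", "inetOrgPerson", "posixAccount"]}
    for ad_attr, ldap_attr in REVERSE_MAP.items():
        if ad_attr in entry and ad_attr not in AD_ONLY:
            ldap[ldap_attr] = entry[ad_attr]
    ldap["dn"] = f"uid={entry['sAMAccountName']},{ldap_users_base}"
    return ldap


def pending_changes(ldap_entry, ad_entry):
    """Mapped attributes whose values differ, keyed by the OpenLDAP name.

    Returns {} when both directories agree; otherwise {attr: (ldap, ad)}.
    """
    diffs = {}
    for ldap_attr, ad_attr in ATTRIBUTE_MAP.items():
        l_val, a_val = ldap_entry.get(ldap_attr), ad_entry.get(ad_attr)
        if l_val != a_val:
            diffs[ldap_attr] = (l_val, a_val)
    return diffs


# Constructed sample user; the password hash is a placeholder, not real data.
SAMPLE_LDAP_USER = {
    "dn": "uid=alice,cn=users,dc=example,dc=test",
    "uid": "alice",
    "cn": "Alice Example",
    "sn": "Example",
    "givenName": "Alice",
    "mail": "alice@example.test",
    "uidNumber": "2001",
    "gidNumber": "5001",
    "userPassword": "{crypt}$6$PLACEHOLDER",
}

if __name__ == "__main__":
    ad_user = ldap_to_ad(SAMPLE_LDAP_USER, "EXAMPLE.TEST", "CN=Users,DC=example,DC=test")
    print(ad_user)
    print(pending_changes(SAMPLE_LDAP_USER, ad_user))   # {} right after sync
```

The explicit deny-lists are the part worth copying into any real connector configuration: a mapping that forwards every attribute it does not recognize will eventually leak something (here the OpenLDAP password hash) into the other directory.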

If you would like to read more about Samba, Microsoft AD, their combination, and the technical implementation in IT environments, feel free to take a look at our references. They describe very different deployment scenarios. I hope that this article has given you a first insight into the tasks of directory services, Samba, and Microsoft Active Directory. If you have any further questions, please do not hesitate to contact us.
