Central Domain Management with Samba 4.0 and UCS

Have you wondered what the specific differences are between Samba and Microsoft Active Directory, what functionality they offer, and what role they play in identity management for Univention Corporate Server?

In a nutshell: Samba and Microsoft Active Directory are both solutions for the centralized authentication and authorization of the members of a domain. Samba is free software under the GNU GPL, whereas Active Directory (AD) is the directory service of Microsoft Windows Server; since Windows Server 2008 its core component has been called Active Directory Domain Services (AD DS). Both are used to organize, provision, and administer a domain network centrally: Samba and Microsoft AD manage the objects on the network, such as users, groups, computers, services, servers, and file shares.
In this article, I will introduce both approaches and show how you can use them to improve data protection and the resilience of your IT systems. I will also explain how Univention Corporate Server builds a bridge between the Linux/Unix and Windows worlds, so that you can use the strengths of both systems without having to choose between Samba and Microsoft AD, and thus between an open-source and a proprietary solution.

What is Active Directory?

Active Directory is Microsoft's solution for providing authentication and authorization services in a domain. Its main elements are an LDAP directory service, a Kerberos implementation, and DNS. The directory service stores the information about users, groups, and computers in your environment. Kerberos authenticates users and computers. DNS (Domain Name System) answers name-resolution requests and, through the SRV records that every domain controller registers, tells clients where the LDAP and Kerberos services are, so that client and server systems can find each other on the network and communicate. Because Kerberos tickets are time-stamped, all domain members also need synchronized clocks; by default, a clock skew of more than five minutes makes authentication fail.
All three components, LDAP, Kerberos, and DNS, are closely intertwined and combined into a single unit in Active Directory Domain Services (AD DS). Windows Server systems provide these services as so-called domain controllers, or they join such a domain as member servers. Windows clients can join a domain in the business and education editions of the operating system (the Home editions cannot).
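How the three components fit together is easiest to see from a client's point of view. The following script is an added example and not code from the original article: it lists the SRV records an AD domain publishes, picks the preferred domain controller from a DNS answer the way a client does, obtains a Kerberos ticket from that realm, and uses the ticket for an LDAP query. It assumes that dig, kinit and ldapsearch (with the GSSAPI SASL module) are installed; example.com, the host names and the account name are placeholders, and the SRV answer set embedded in the script is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: locate the domain
# controllers of an AD domain through the SRV records AD DS registers in
# DNS, then test Kerberos and LDAP against the preferred DC.
# Assumptions: dig, kinit and ldapsearch (with the GSSAPI SASL module) are
# installed; example.com and the account name are placeholders.

# SRV names every AD domain publishes (the _msdcs ones are AD-specific).
srv_names() {
    domain="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$domain" \
        "_kerberos._tcp.dc._msdcs.$domain" \
        "_ldap._tcp.$domain" \
        "_kerberos._tcp.$domain" \
        "_kerberos._udp.$domain" \
        "_kpasswd._tcp.$domain"
}

# The Kerberos realm of an AD domain is its DNS name in upper case.
realm_of() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Read SRV answers in "dig +short" form ("priority weight port target.")
# from stdin and print "target port" of the preferred DC: lowest priority
# wins, then highest weight (RFC 2782; a real resolver chooses randomly,
# proportional to weight, among equal priorities).
pick_dc() {
    sort -k1,1n -k2,2nr | head -n 1 | awk '{ sub(/\.$/, "", $4); print $4, $3 }'
}

# Answer set constructed for this example, in the format dig prints it.
SAMPLE_SRV='10 50 389 dc3.example.com.
0 100 389 dc1.example.com.
0 20 389 dc2.example.com.'

# Live check: list the SRV records, pick a DC, get a ticket, bind with it.
check_domain() {
    domain="$1"
    user="${2:-administrator}"
    realm=$(realm_of "$domain")
    for name in $(srv_names "$domain"); do
        printf '%s -> %s\n' "$name" "$(dig +short SRV "$name" | tr '\n' ' ')"
    done
    set -- $(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | pick_dc)
    dc="$1"; port="$2"
    [ -n "$dc" ] || { echo "no DC found for $domain" >&2; return 1; }
    echo "preferred DC: $dc:$port"
    kinit "$user@$realm" || return 1
    # rootDSE query, authenticated with the ticket just obtained
    ldapsearch -H "ldap://$dc:$port" -Y GSSAPI -b '' -s base defaultNamingContext
}

if [ "$#" -gt 0 ]; then
    check_domain "$@"                        # e.g. sh ad-check.sh example.com administrator
else
    printf '%s\n' "$SAMPLE_SRV" | pick_dc    # prints: dc1.example.com 389
fi
```

Run without arguments, the script only evaluates the constructed answer set; with a domain name (and optionally an account) it performs the live checks. If the SRV lookups return nothing, the DNS part of AD DS is not reachable from the client and neither Kerberos nor LDAP will work, which is the first thing to verify when a domain join fails.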


Multi-Master Replication: Load Distribution and Reliability

The contents of the directory service are replicated between several domain controllers, so the same data is held on several systems and kept synchronized regularly. This distributes the load when there are many requests, and it keeps the domain available if one server fails.
Active Directory uses so-called multi-master replication: you can make changes on any domain controller, and they propagate to the other controllers automatically. Replication is not instantaneous, though. For a short time after a change, different controllers can return different answers, and if the same attribute is changed on two controllers before they have synchronized, AD resolves the conflict automatically in favour of one of the changes, so the other one is discarded.

Samba: Uniting Linux/Unix systems with the Microsoft solution

The Samba project maintains the free software suite of the same name, which enables Linux and Unix-based systems to interoperate with the services and protocols developed and used by Microsoft. Samba supports numerous services and protocols, including SMB/CIFS, NTLM, WINS/NetBIOS, (MS)RPC, SPOOLSS, DFS, SAM, LSA, and the Windows NT domain model. Since version 4.0, Samba can also act as a fully-fledged alternative to Active Directory Domain Services.

Samba as Active Directory Domain Controller

Samba systems can now not only join an Active Directory domain as a member; they can also take on the role of domain controller themselves and provide Active Directory Domain Services on a Linux or Unix-based system. Windows and macOS clients join a Samba-provided Active Directory domain through the same mechanism as a Microsoft AD domain, and Group Policy can be applied to manage Windows clients.

UCS as a link between the Windows and Linux worlds
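What "Samba as domain controller" looks like in practice, as an added example that is neither from the original article nor from the Samba project: the script below provisions a Samba AD domain controller with samba-tool, checks that the new DC answers over DNS, Kerberos, SMB and LDAP, and joins a second DC so that the directory is replicated as described in the section on multi-master replication. It assumes Samba 4.x with samba-tool, smbclient, host and kinit installed, is run as root on a host whose name resolves in the new domain, and uses example.com and the password as placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article or the Samba project:
# provision a Samba AD domain controller with samba-tool, verify that it
# now serves DNS, Kerberos, LDAP and SMB, and join a second DC so the
# directory replicates between the two.
# Assumptions: Samba 4.x with samba-tool, smbclient, host and kinit
# installed; run as root on a host whose name resolves in the new domain
# (Samba's internal DNS server takes over after provisioning); example.com
# and the password are placeholders.

# Derive the Kerberos realm (DNS domain in upper case) and the NetBIOS
# domain name (first label, upper case, at most 15 characters) that
# samba-tool asks for from the DNS domain name.
domain_names() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    netbios=$(printf '%s' "$realm" | cut -d. -f1 | cut -c1-15)
    printf '%s %s\n' "$realm" "$netbios"
}

provision_dc() {
    dns="$1"; adminpass="$2"       # adminpass must satisfy AD complexity rules
    set -- $(domain_names "$dns")
    samba-tool domain provision \
        --use-rfc2307 \
        --realm="$1" --domain="$2" \
        --server-role=dc --dns-backend=SAMBA_INTERNAL \
        --adminpass="$adminpass"
}

# Each AD DS component, checked through its own protocol.
verify_dc() {
    dns="$1"
    realm=$(domain_names "$dns" | cut -d' ' -f1)
    host -t SRV "_ldap._tcp.$dns"          # DNS: the DC registered itself
    host -t SRV "_kerberos._tcp.$dns"
    kinit "administrator@$realm" && klist  # Kerberos: AS exchange works
    smbclient -L localhost -N              # SMB: netlogon and sysvol shares
    samba-tool domain level show           # LDAP/SAM: domain and forest levels
}

# Second DC: join as DC, then inspect the replication links and their status.
join_second_dc() {
    samba-tool domain join "$1" DC -U "administrator" --dns-backend=SAMBA_INTERNAL
    samba-tool drs showrepl
}

case "${1:-}" in
    provision) provision_dc "$2" "$3" && verify_dc "$2" ;;
    join)      join_second_dc "$2" ;;
    *)         domain_names example.com ;;   # prints: EXAMPLE.COM EXAMPLE
esac
```

Usage: `sh samba-dc.sh provision example.com 'S3cret-Passw0rd'` on the first server, then `sh samba-dc.sh join example.com` on the second. After the join, `samba-tool drs showrepl` should list the first DC as an inbound and outbound neighbour with no errors; a Windows client is then joined to the domain exactly as it would be joined to a Microsoft AD domain, pointing its DNS resolver at one of the two DCs first.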

The directory service OpenLDAP is an important element of the Univention Corporate Server. It must be present in every UCS domain. Thanks to the Active Directory-compatible Domain Controller app, which you install from the Univention App Center, you can operate an AD domain via Samba. The S4 Connector developed by Univention synchronizes all relevant information between the OpenLDAP and the Samba directory service.

Therefore, UCS is ideally suited as a link between the Windows and Linux/Unix worlds and can combine both systems in one domain. Many customers use this feature to synchronize user and group memberships and passwords between Samba AD and OpenLDAP.
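Because the S4 Connector works asynchronously, administrators usually want a way to confirm that an object created in OpenLDAP really arrived in Samba AD and to spot accounts that exist on only one side. The script below is an added example, not code from the article or from Univention: it creates a user in OpenLDAP through UDM, polls Samba AD until the connector has copied it, prints the connector's rejected objects, and compares the account lists of both directories. It assumes it is run as root on a UCS domain controller with the Active Directory-compatible Domain Controller app installed, that udm, ucr, univention-ldapsearch, samba-tool and univention-s4connector-list-rejected are the UCS and Samba tools of those names, and uses the user names and password as placeholders; the lists in the offline demonstration are constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from Univention: on a UCS
# domain controller running the "Active Directory-compatible Domain
# Controller" app, create a user in OpenLDAP through UDM, confirm that the
# S4 Connector has replicated it into Samba AD, and compare the account
# lists of both directories for drift.
# Assumptions: run as root on that UCS system; user names and the
# password are placeholders; udm, ucr, univention-ldapsearch, samba-tool
# and univention-s4connector-list-rejected are the UCS/Samba tools of
# those names.

# Accounts known to OpenLDAP: uids of posixAccount entries, excluding
# machine accounts, whose uid ends in "$".
ldap_users() {
    univention-ldapsearch -LLL '(&(objectClass=posixAccount)(!(uid=*$)))' uid \
        | sed -n 's/^uid: //p'
}

# Accounts known to Samba AD (sAMAccountNames).
samba_users() {
    samba-tool user list
}

# Pure comparison of two newline-separated name lists: print the names that
# exist on only one side. LC_ALL=C keeps sort(1) and comm(1) in agreement.
sync_drift() {
    ldap=$(mktemp); samba=$(mktemp)
    printf '%s\n' "$1" | LC_ALL=C sort -u > "$ldap"
    printf '%s\n' "$2" | LC_ALL=C sort -u > "$samba"
    LC_ALL=C comm -23 "$ldap" "$samba" | sed 's/^/only in OpenLDAP: /'
    LC_ALL=C comm -13 "$ldap" "$samba" | sed 's/^/only in Samba AD: /'
    rm -f "$ldap" "$samba"
}

# Create a user in OpenLDAP via UDM and wait for the connector to copy it.
create_and_verify() {
    name="$1"; password="$2"
    udm users/user create --position "cn=users,$(ucr get ldap/base)" \
        --set username="$name" --set lastname="Sync" --set password="$password"
    # The S4 Connector is asynchronous: poll instead of assuming instant sync.
    tries=0
    until samba-tool user list | grep -qx "$name"; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "$name not in Samba AD after 30s" >&2; return 1; }
        sleep 1
    done
    echo "$name is present in Samba AD"
    # Objects the connector could not synchronize are listed here.
    univention-s4connector-list-rejected
}

case "${1:-}" in
    create) create_and_verify "$2" "$3" ;;
    drift)  sync_drift "$(ldap_users)" "$(samba_users)" ;;
    *)      # offline demonstration on constructed lists
            sync_drift "$(printf 'alice\nbob\nmallory')" "$(printf 'bob\ncarol\nmallory')" ;;
esac
```

Usage: `sh s4-sync-check.sh create jdoe 'S3cret-Passw0rd'` followed by `sh s4-sync-check.sh drift`. A few built-in accounts (for example krbtgt on the Samba side) legitimately appear on only one side; a user you manage showing up as "only in OpenLDAP" for more than a few seconds, or in the rejected list, is the signal to look at /var/log/univention/connector-s4.log.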

If you would like to read more about Samba, Microsoft AD, their combination, and the technical implementation in IT environments, feel free to take a look at our references. They describe very different deployment scenarios. I hope that this article has given you a first insight into the tasks of directory services, Samba, and Microsoft Active Directory. If you have any further questions, please do not hesitate to contact us.


Michael Grandjean

Michael began his training as an IT specialist for system integration at G&M IT-Systeme GmbH in 2007. There, he subsequently provided support for small and medium-sized enterprises in the Support, Administration and IT Security departments. He also completed further training as an IT security manager. In 2013, he joined Univention’s Professional Services Team as an Open Source Software Consultant.