Is Samba 4 AD viable with an Azure/365 infrastructure?

Come here to talk about your experience with Samba4, your opinion and your wishes.
Lecbee
Messages: 3
Registration: May 12, 2022 - 8:47 p.m.

May 12, 2022 - 9:02 PM

Hello,

I'm a system and network administrator in an SME (~300 people worldwide). Our infrastructure is currently quite Microsoft-oriented, although there's a fair amount of Linux here and there. :) We have an Active Directory infrastructure that's getting on a bit... and an upgrade project is coming up soon.

But for years now, I've secretly dreamed of migrating everything to Samba. :D However, dreaming isn't enough; we have to face reality. The reality is that we're currently very dependent on Azure (well, Office 365, Teams, Exchange Online, etc.) due to historical factors and also because we have to adapt to our clients. Abandoning these tools is simply unthinkable.

Currently, our AD is synchronized with Azure. So, my question is very simple: before discussing Samba 4 AD with the rest of my team, is a Samba 4 AD infrastructure compatible with Azure, etc.?
If it's clearly not possible, at least I know I can move on. :( Or is it only possible with workarounds? Or is it clearly supported and do you offer support for this type of architecture?

Thanks :)
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

May 17, 2022 - 3:41 PM

Hello lecbee,
Lecbee wrote: May 12, 2022 - 9:02 PM
I'm a system and network administrator in an SME (~300 people worldwide). Our infrastructure is currently quite Microsoft-oriented, even though there's a fair amount of Linux here and there. :) We have an Active Directory infrastructure that's getting on a bit... and an upcoming upgrade project.

But for years now, I've secretly dreamed of migrating everything to Samba. :D But dreaming isn't enough; we have to face reality. The reality is that we're currently very dependent on Azure (well, Office 365, Teams, Exchange Online, etc.) due to historical factors and also because we have to adapt to our clients. Abandoning these tools is simply inconceivable.

Our AD is currently synchronized with Azure. So my question is very simple: before discussing Samba 4 AD with the rest of my team, is a Samba 4 AD infrastructure compatible with Azure, etc.? If it's clearly a no, at least I know I can move on. :( Or is it only possible with workarounds? Or on the contrary, is it clearly supported and do you offer support for this type of architecture?

It's possible to "hack" the Azure AD Connect installation so that it synchronizes directly with Azure AD. However, the fact that Samba doesn't currently support gMSAs (group managed service accounts) requires some workarounds [1]. I'm not a fan, but it works for some people.

Another option is to keep a Microsoft Active Directory (not visible to workstations) just for Azure AD synchronization; it works, but I'm not a big fan. You have to pay close attention to the site definitions and firewall configurations.

The other option is to implement synchronization scripts in Python (you can look for an example for inspiration on Gapps GitHub [2]). This works well, but Microsoft hasn't published the API for changing passwords using the NT hash. Indeed, the only way to update a password is to send it in plain text (so it's only possible when the user changes their password, but not afterward). The hash used by Azure is a pbkdf2 derivative of the NT hash, so it can be reproduced, but it can't be pushed...

One way to push the password is to use the smb.conf parameter "check password script".

So if you're motivated by Samba-AD, it's possible. If it's just the license purchase that's the issue, that's not necessarily the deciding factor. Samba-AD is much easier to maintain over time, and much easier to secure. That's really where you gain in cost and productivity.

Sincerely,

Denis

[1] https://wiki.samba.org/index.php/Azure_AD_Sync
[2] https://github.com/baboons/samba4-gaps
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
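What the "check password script" hook mentioned in the reply above amounts to in practice, as an added example (it is not part of this thread, of Samba, or of Tranquil IT's tooling): a Python script that Samba runs on every password change, with the candidate password on standard input and exit status 0 meaning "accepted". The environment variable SAMBA_CPS_ACCOUNT_NAME, the spool path and the policy thresholds are assumptions; the MD4 routine is included because hashlib on modern OpenSSL builds often cannot provide it.

```python
#!/usr/bin/env python3
"""Hypothetical "check password script" hook for a Samba AD DC (added example).

Samba runs the script on every password change, writes the candidate password
to the script's standard input, and treats exit status 0 as "accepted" and any
other status as "rejected". On an AD DC the account name is assumed to be
available in SAMBA_CPS_ACCOUNT_NAME (check smb.conf(5) for your version).
The script enforces a small policy and derives the NT hash in memory, so the
downstream sync job never needs the clear-text password on disk.
"""
import json
import os
import struct
import sys
from typing import Tuple

MASK = 0xFFFFFFFF
MIN_LENGTH = 12


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib may lack md4 on modern OpenSSL builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(16):                       # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return _md4(password.encode("utf-16-le")).hex()


def check_policy(password: str, account_name: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason). Samba's own complexity rules still apply first."""
    if len(password) < MIN_LENGTH:
        return False, f"password shorter than {MIN_LENGTH} characters"
    if account_name and account_name.lower() in password.lower():
        return False, "password contains the account name"
    classes = sum((
        any(ch.isupper() for ch in password),
        any(ch.islower() for ch in password),
        any(ch.isdigit() for ch in password),
        any(not ch.isalnum() for ch in password),
    ))
    if classes < 3:
        return False, "password uses fewer than 3 character classes"
    return True, "ok"


def main() -> int:
    # Samba writes the password to stdin without a trailing newline; an invalid
    # UTF-8 sequence raises here, and an uncaught exception is a non-zero exit.
    password = sys.stdin.buffer.read().decode("utf-8")
    account = os.environ.get("SAMBA_CPS_ACCOUNT_NAME", "")
    accepted, reason = check_policy(password, account)
    if not accepted:
        print(reason, file=sys.stderr)        # the reason only, never the password
        return 1
    record = {"account": account, "nt_hash": nt_hash(password)}
    del password
    # Hypothetical spool consumed by the sync job described in the thread; the
    # path is a placeholder and the file is created readable by its owner only.
    spool = os.environ.get("SAMBA_SYNC_SPOOL", "/var/lib/samba/sync-spool.jsonl")
    fd = os.open(spool, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(json.dumps(record) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

It is enabled with a line such as check password script = /usr/local/sbin/cps-hook.py in the [global] section of smb.conf on every DC (the path is an example). Because the hook runs on the DC with the clear-text password in hand, keep it short, write only the rejection reason to stderr, and treat the spool of NT hashes as no less sensitive than sam.ldb. As noted in the reply, the hook only fires when a user changes their password, so it cannot backfill accounts whose passwords never change.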
Lecbee
Messages: 3
Registration: May 12, 2022 - 8:47 p.m.

May 31, 2022 - 7:44 PM

Good evening,

thank you very much for your reply; it already gives me a better understanding of the limitations and possibilities.

Off the top of my head, the solution of a Microsoft Active Directory connected to Azure seems the "cleanest." However, I don't know the limitations of this solution. You mentioned not being a fan of this solution.
I've done some more research on my end, and Samba 4 apparently still lacks quite a few "features" from the latest Active Directory versions (2012/2016/2019), so will that be a limitation in this use case? I don't know.

On a slightly different note, does Tranquil-IT also offer support for the file sharing (SMB/CIFS) aspect of Samba (in the case of using a Samba file server)?
Or only support for the Active Directory aspect of Samba?
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

June 1, 2022 - 3:51 PM

Lecbee wrote: May 31, 2022 - 7:44 PM
Off the top of my head, the solution of a Microsoft AD connecting to Azure seems the "cleanest." But I don't know the limitations of this solution. You say you're not a fan of this solution.
I've done some more research on my end, and Samba 4 apparently still lacks quite a few "features" from the latest AD versions (2012/2016/2019), so will that be a limitation in this use case? I don't know.

Unless you're a heavily Microsoft-centric company (SharePoint, on-premises Exchange, etc.), there are rarely any truly missing "features." From a security perspective, a Samba-AD is much easier to secure than a Microsoft-AD, and easier to back up, restore, and maintain. We have clients with tens of thousands of users in their Samba-AD, and one with over 100,000 users and 100,000 machines. So it can work at scale.

Basically, if you are comfortable with command line and Linux, Samba-AD is probably the best choice, and it's easy to achieve an ANSSI ORADAD 3 rating.

If you like clicking and PowerShell syntax doesn't make you cry, and you like spending days and days scrolling through the ANSSI security guide, Microsoft-AD is the right solution.

From a security point of view, the only really important thing that was missing compared to FL2k12 was Protected Users, and that's already in the git master samba, scheduled for release next September (funded by the DGFiP, it's your taxes that are working! cock-a-doodle-doo!).
Lecbee wrote: May 31, 2022 - 7:44 PM
On a slightly different topic, does Tranquil-IT also offer support for the file sharing (SMB/CIFS) part of Samba (when using a Samba file server)?
Or only support for the Active Directory (AD) part of Samba?

We perform Active Directory migrations and post-migration support, which of course includes the file server component. But we don't offer one-off support. Sorry.

Denis
Lecbee
Messages: 3
Registration: May 12, 2022 - 8:47 p.m.

June 13, 2022 - 10:25 PM

Sorry for the long delay in responding :lol:

In my case, the problem is that we do have things linked to Microsoft (Exchange Online and Azure AD, maybe SharePoint someday :( ), and above all, I'm the only one who's really comfortable with Linux. Not necessarily so for my colleagues, obviously...
From a security perspective, a Samba-AD is much easier to secure than a Microsoft-AD, and easier to back up, restore, and maintain
I'm convinced of that :)

In any case, thank you very much for these answers, at least they give me good direction!
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

May 19, 2023 - 11:42

For your information, Samba 4.18 offers better support for the Azure AD Connect Windows client.

I've also developed an Azure AD Connect client for Samba 4 in pure Python, if you're interested:

https://github.com/sfonteneau/AzureADConnect_Samba4