FreeIPA vs Samba AD

When we use products from leading vendors, we don’t always think about the fact that they implement best practices that allow us to save on administration, improve infrastructure security, and provide a better user experience. But these details, like an awl in a bag, haunt you when you try to replace proven software with free software. It turns out that none of the alternative solutions is capable of providing comparable safety, convenience and efficiency without significant modifications.

Today you need to replace a large number of software products, and there is very little time, so you have to prioritize and start with the most important. Thus, one of the strategic directions of the Astra Group was the development of a directory service, which should replace Microsoft Active Directory and become the heart of the updated IT infrastructure of Russian enterprises. In our product, we combined the FreeIPA directory service with the SaltStack configuration system and supplemented the solution with a set of the most popular services, such as the Reprepro software repository, Samba file server, CUPS printer sharing, dynamic configuration of ISC DHCP hosts, OS installation over the TFTP HPA network, Zabbix and Grafana monitoring, syslog-ng logging.

ALD Pro (Astra Linux Directory Pro) is developing rapidly, and since the date of its first release several hundred improvements have been published, which has allowed it to become a leader in the domain solutions market. We already have hundreds of installations across the country, and there are more and more of them every day. But some users are very interested in the question of why we chose FreeIPA and not Samba AD as the basis for the directory service, and in this article we will share our thoughts. We are confident that the information will be useful not only to our customers, but also to users of vanilla FreeIPA and Samba AD.

Samba AD

When it comes to Samba (https://www.samba.org), you first need to decide in what context the product is being discussed, since this Swiss army knife can provide file sharing, printer sharing, and domain services, both in the Active Directory format and in the outdated NT4 implementation.

Andrew Tridgell began working on a file sharing service at the end of 1991, when he was a graduate student at the Australian National University and part-time responsible for network administration. The university had purchased the PC X server software eXcursion from DEC (Digital Equipment Corporation), and Tridgell needed to give eXcursion access to files located on other servers running the Sun operating system. No software product solved this problem, so Tridgell, as a true "you're a programmer, so fix it" type, reverse-engineered the network protocol simply by analyzing traffic and reimplemented one of DEC's most successful products, which earned the author well-deserved recognition. It later turned out, of course, that the protocol had an open specification after all and this reverse engineering had little practical value, but, as the saying goes, seven miles is no detour for a mad dog.

I did some digging, asked around a bit, and discovered that the specification I needed was for the SMB protocol and that it was accessible via ftp. Then I downloaded it and started removing all these terrible constants from the code as they became clear. I was shocked to see the actual SMB specification and realized how lucky I was that my original code worked at all.

Andrew Tridgell

Samba: Unix Talking with PCs, Linux Journal issue #7, November 1994

Initially, the project was called SMB Server, after the Server Message Block protocol. But this name was already taken, and, according to legend, Tridgell chose a new name from words starting with the letter “S” and containing “M” and “B” in the same order, obtained by grepping them from the system dictionary:

grep -i '^s.*m.*b' /usr/share/dict/words
samba

Later, dancing to the Samba rhythm became, by and large, Tridgell's main activity. From 1994 he led a project at the university that created the HiDIOS distributed file system for Fujitsu computers, and during this time several releases of Samba came out, including the second version, which introduced support for an NT4-style directory service for the first time. From 2001, Tridgell worked at VA Linux Systems on network storage devices and on optimizing Samba for the Linux kernel. Working on enterprise storage systems at Quantum from October 2001, Tridgell added the ability for Samba to run a Linux computer as a member of an Active Directory domain. From January 2003, Tridgell worked on storage systems at the IBM Research Center, and in the same year Samba 3 was released, which introduced support for the SMB2.2 and SMB3 protocols.

In terms of Active Directory functionality, the turning point for the Samba project came in 2004, when the European Commission found Microsoft guilty of abusing its monopoly position, imposed a fine of 500 million euros, and required it to provide full information about its protocols to ensure interoperability. Tridgell was working at the IBM research center, where they decided to take advantage of the situation and request the necessary specifications, and this time providing them was in Microsoft's own interest. To strengthen its position in the courts, Microsoft a few years later even hired Samba developer Chris Hertel to write the documentation.

The opportunities that opened up determined the further direction of product development, and since 2005, Tridgell has completely switched to the development of Samba 4 as a participant in OSDL (Open Source Development Laboratory). IBM established this non-profit organization together with other technology giants – Intel, Hitachi, Hewlett-Packard, Fujitsu, NEC, Computer Associates – to accelerate the penetration of Linux into the corporate environment. Key projects were financed through it; it was there that Linus Torvalds himself and several other developers of the operating system kernel worked.

It is important to understand that the directors of these IT companies were not some naive altruists, communists or supporters of hippie culture. It’s just that by that time society had already come to the realization that by closing source codes, commercial organizations were creating exactly the same barriers to the development of the industry as AT&T did several decades earlier, limiting access to the use of their patents. Therefore, working together on system solutions can significantly contribute to development and benefit everyone.

Thanks to the unprecedented openness of Microsoft (for the reasons described above), seven years later it was possible to release Samba 4, which introduced the ability to work as an Active Directory controller with Heimdal Kerberos and was announced as ready for production use, see Figure 1. At that time only 40% of the required functionality was implemented, but this was enough for a number of companies to start building a business on it.

Figure 1. History of the development of the Samba project

In terms of Samba AD implementation, the French company Tranquil IT (https://www.tranquil.it) has advanced the furthest: it has so far completed more than 300 projects, the largest of which had about 140 domain controllers. They started by deploying NT4 domains on Samba 3, so they only needed to update some of the clients. Speaking at the SambaXP conference in 2017, the company's founders Denis and Vincent Cardon noted that there are practically no obstacles to migrating small infrastructures to Samba AD, and that the problems are mainly related to insufficient qualifications of staff: lack of knowledge of computer networks and of the structure of Active Directory, and lack of Linux administration skills.

Experienced engineers generally praise the product, but warn that you will need to study a large volume of poorly written documentation, re-read hundreds of forum threads, perform countless experiments, and still something will not work as it should, or will not work at all, and you will have no one to complain to but yourself.

Take the product and use it. And if it doesn't solve your problems, then remember how much you paid for it. And don't forget to send me a bug report.
Andrew Tridgell

Samba: Unix Talking with PCs, Linux Journal issue #7, November 1994

By the way, when it comes to documentation, be sure to pay attention to the Tranquil IT website, which is referenced even on the official wiki.samba.org site.

While small infrastructures are straightforward, large implementation projects are only possible with significant improvements to the product, which Tranquil IT commissioned from Catalyst as paid development, for example:

  • When introducing the product to the central banks of West African countries, support for last logon was implemented (4.4.0).

  • The project of the French Ministry of the Environment required the implementation of support for additional encryption protocols (4.7.0), logs in JSON format (4.9.0), and functions for exporting/importing group policy objects (4.9.0).

  • The implementation at the French Ministry of Culture and Communications was not complete without the implementation of Read Only Domain Controller (4.7.0).

  • Implementation in the French Ministry of Public Finance was made possible by removing the 4 GB limit on database size (4.9.0), developing graphical topology analysis tools (4.9.0), improving DNS management (4.9.0) and pre-fork operation (4.10.0).

  • For the National Agency for Information Systems Security, the documentation regarding security functions has been significantly improved.

The project is not developing quickly, but in recent years quite a lot has been done in the Enterprise direction, so that even large projects have become possible in principle. Of course, there is still no support for forests or standard SYSVOL replication, and you should not count on support for applications such as Exchange, which are strongly tied to advanced Active Directory functions, but if necessary you can do without all of this. The main reasons why we didn't choose Samba are different.

If you analyze the latest commits, you can see that most of the improvements in Samba are made by employees of Catalyst, Red Hat (IBM), SerNet and SUSE, who have a direct commercial interest and sometimes even compete with each other. But Microsoft's interests have not gone away, and this stakeholder will continue to hinder the development of the project to the extent that it can within the established rules. And most importantly, the Samba AD project was initially aimed at achieving compatibility with Windows rather than developing a native domain solution for Linux, so the Samba Team members are forever destined to play catch-up.

FreeIPA

The ability to add Linux computers to an Active Directory domain was first introduced in Samba's Winbind service, bridging the gap between the two worlds and beginning Linux's penetration into the corporate environment, which at the time was overwhelmingly dominated by Microsoft with its Active Directory. But while Samba was looking for easy ways to integrate with Windows, the FreeIPA team focused its efforts on creating a new solution based on Microsoft's best practices that would fully meet the needs of Linux, just as Microsoft itself did in the late 90s when it created Active Directory using proven UNIX technologies such as LDAP, Kerberos and DNS.

The IPA project (https://www.freeipa.org) officially started in 2007, but Red Hat began preparing for it much earlier, when in 2004 it acquired the rights to the Netscape Directory Server code from AOL (America Online), along with the team of developers who had been working on this product for the previous decade. If you look closely at the history of LDAP, then behind the dry wording of press releases a real detective story is revealed, full of action, conflicts of interest, failures and upheavals, which could be made into a real blockbuster, see Figure 2.

Figure 2. History of FreeIPA development

Initially, the X.500 electronic directory standard was developed by the International Telecommunication Union (ITU) and the technology development was driven by telecommunications companies that needed to provide authorized communication services to millions of subscribers. By the way, LDAP was also used in the infrastructure of Russian operators from the Big Three. The main role in the development of the technology was played by researchers from the University of Michigan, University College London, PSI, Critical Angle, Netscape, Sun, America Online, HP, etc. Microsoft also participated in the discussion of the standard, but its role was largely that it showed an alternative way of using technology to build corporate domains, and then IT giants took over the baton from telecommunications companies.

At the time of the Netscape acquisition, the code base incorporated the latest developments from the leading market players, so Red Hat's LDAP server still has a lot of potential that has not yet been tapped in their IdM solution. For example, 389 Directory Server allows you to build a three-level topology consisting of Masters, Hubs and Consumers, in which there are practically no restrictions on horizontal scaling when building systems that experience enormous read loads.

FreeIPA’s focus is on developing centralized identity, policy, and audit functions. To do this, the developers integrated the reference implementation of Kerberos SSO (MIT Kerberos) and one of the best implementations of the DNS service (ISC Bind9) with the LDAP server. And to interact with Active Directory, the Red Hat team took advantage of the developments of the Samba AD project, in the creation of which it took and continues to take part.

The efforts of the FreeIPA team on the client side are even more important. Rethinking Linux's authentication needs led to the creation of a new service, SSSD, which was spun off as a separate project in 2009. The abbreviation officially stands for System Security Services Daemon, but, as one of the product developers says off the record, these are actually the first letters of the names of the four founders: Simo Sorce, Sumit Bose, Stephen Gallagher and Dmitri Pal.

It took some time for the SSSD project to take off, but today this service has almost completely replaced Winbind and is the most correct answer to the question of how to make a computer running a Linux-family operating system work as part of a domain. With this service, a Linux computer can be joined to a Microsoft Active Directory domain or to Samba AD, and it can even use a plain LDAP v3 server as its backend. But the product shows its full potential, of course, when FreeIPA acts as the backend, in which case functions such as HBAC and SUDO rules, AutoFS mount policies, and SELinux user mapping become available. And on computers running Astra Linux equipped with the PARSEC security subsystem, FreeIPA lets you centrally manage mandatory access control to protect confidential information; we will definitely talk about this technology in one of the following articles.

In order to completely dispel doubts, we will compare the products through an analysis of the program code. Samba AD was developed under a shortage of resources, so the source code of the previous version, responsible for the SMB protocol, was added hastily with virtually no changes, and these problems remain in the project to this day: just open the source repository, and you will see a folder called "Samba 3". And it has always been like this. For example, back in the early 2000s, Luke Leighton proposed rewriting the product to a microservice architecture, but he failed to attract funding, so the Samba TNG (The Next Generation) fork finally died in 2005. Only 20 years later, in version 4.16, were his ideas finally implemented, with the MS-RPC services separated into standalone processes communicating over unix sockets. In the FreeIPA project, things are completely different: the developers invest significant resources in refactoring the code. For example, with the release of Python 3, all of the program code was rewritten for the new language version to take advantage of its new capabilities.

If you look at the amount of code using the wc -l $(git ls-files) command, it turns out that Samba now has almost 5.5 million lines, while the FreeIPA projects have only 3 million in total, but, as you know, more is not better, and two more circumstances should be taken into account:

  1. The Samba 4 project absorbed about 2.5 million lines of Samba 3, which implement support for the SMB protocols and are not directly related to the functions of the directory service; with this correction, the amount of code is comparable.

  2. The FreeIPA product uses Samba AD code to integrate with Active Directory, and what’s more, Red Hat employees are helping the Samba project develop this functionality.

Figure 3. Comparison of code volume by number of lines

Even more revealing is a comparison of the dynamics of changes, which can be obtained with git log --shortstat.

cd samba/
git log --shortstat --pretty='^ "%h", "%as", "%an", ' |  tr "\n" " " | tr "^" "\n"
 "4c291514a9e", "2023-10-17", "Joseph Sutton",    2 files changed, 2 insertions(+), 12 deletions(-)
 "d209cdf4f0c", "2023-10-17", "Joseph Sutton",    2 files changed, 3 insertions(+), 2 deletions(-)
 "37594035547", "2023-10-17", "Joseph Sutton",    1 file changed, 1 insertion(+), 1 deletion(-)

If you compare the line addition/removal rates, it becomes obvious that Red Hat has invested significantly more effort into its project in recent years than the Samba Team has into Samba. And this is not counting the fact that some of the Samba changes were made by the same Red Hat employees.
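To turn the per-commit lines produced by the git log pipeline above into the per-year totals that Figure 4 summarizes, the output has to be parsed and aggregated. The following script is an added example, not code from the article or from either project: it parses lines in the exact shape the pipeline emits (hash, date, author, then the shortstat summary), sums commits, files, insertions and deletions per year or per author, and handles the two cases the shortstat format makes easy to get wrong: a commit with only insertions or only deletions (git omits the zero term), and a merge commit with no stat at all. The sample log embedded in the script is constructed, with made-up hashes, dates and author names.

```python
"""Aggregate `git log --shortstat` output into per-year or per-author line-churn totals."""
import re
from collections import defaultdict

# Constructed sample in the shape produced by the pipeline:
#   git log --shortstat --pretty='^ "%h", "%as", "%an", ' | tr "\n" " " | tr "^" "\n"
# Hashes, dates and authors below are made up for illustration only.
SAMPLE_LOG = '''
 "a1b2c3d4e5f", "2023-10-17", "Alice Example",    2 files changed, 2 insertions(+), 12 deletions(-)
 "b2c3d4e5f6a", "2023-03-02", "Bob Example",    1 file changed, 1 insertion(+), 1 deletion(-)
 "c3d4e5f6a7b", "2022-11-30", "Alice Example",    3 files changed, 40 insertions(+)
 "d4e5f6a7b8c", "2022-01-15", "Carol Example",    1 file changed, 7 deletions(-)
 "e5f6a7b8c9d", "2021-06-01", "Bob Example",
'''

# One record per line: the three quoted fields, then whatever shortstat printed (possibly nothing).
LINE_RE = re.compile(
    r'^\s*"(?P<hash>[0-9a-f]+)",\s*"(?P<date>\d{4}-\d{2}-\d{2})",\s*"(?P<author>[^"]*)",\s*(?P<stat>.*)$'
)
# git prints "1 file changed", "1 insertion(+)", "1 deletion(-)" in the singular,
# and drops the insertions or deletions term entirely when it is zero.
FILES_RE = re.compile(r'(\d+) files? changed')
INS_RE = re.compile(r'(\d+) insertions?\(\+\)')
DEL_RE = re.compile(r'(\d+) deletions?\(-\)')


def _count(rx, text):
    """Return the integer captured by rx in text, or 0 when the term is absent."""
    m = rx.search(text)
    return int(m.group(1)) if m else 0


def parse_line(line):
    """Parse one pipeline line into a dict; return None for lines that are not records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stat = m.group("stat")
    return {
        "hash": m.group("hash"),
        "year": int(m.group("date")[:4]),
        "author": m.group("author"),
        "files": _count(FILES_RE, stat),
        "insertions": _count(INS_RE, stat),
        "deletions": _count(DEL_RE, stat),
    }


def aggregate(text, key="year"):
    """Sum commits, files, insertions and deletions grouped by 'year' or 'author'."""
    if key not in ("year", "author"):
        raise ValueError("key must be 'year' or 'author'")
    totals = defaultdict(lambda: {"commits": 0, "files": 0, "insertions": 0, "deletions": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank lines or anything the pipeline did not format as a record
        bucket = totals[rec[key]]
        bucket["commits"] += 1
        for field in ("files", "insertions", "deletions"):
            bucket[field] += rec[field]
    return dict(totals)


def churn_by_year(text):
    """Total lines touched (insertions + deletions) per year, oldest first."""
    by_year = aggregate(text, "year")
    return {y: by_year[y]["insertions"] + by_year[y]["deletions"] for y in sorted(by_year)}


if __name__ == "__main__":
    # Run against the constructed sample; to use real data, pipe the git log
    # pipeline output into this script via sys.stdin instead of SAMPLE_LOG.
    for year, t in sorted(aggregate(SAMPLE_LOG, "year").items()):
        print(f"{year}: {t['commits']} commits, +{t['insertions']} / -{t['deletions']} lines")
```

Grouping by author rather than year is what lets you check the article's remark that part of Samba's recent churn comes from Red Hat staff: run the same aggregation over each repository and compare the author buckets.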

Figure 4. Dynamics of changes by project

Instead of concluding, we would like to once again point out that the directory service, of course, can be built on Samba AD, but strategically this will not be the most correct decision.

If you are responsible only for the server side and hope to carry out import substitution WITHOUT a real migration, simply swapping some controllers for others without touching services and workstations, then you really have no alternative to Samba AD, since it is the only directory service that tries to mimic Active Directory. But even in this case, you should not expect to get away cheaply, nor trust consultants who will convince you otherwise. Be sure to invest significant time and financial resources into checking compatibility with other infrastructure components and solving the related problems, so as not to end up with nothing. Even less should you count on the reliable operation of a domain that includes both Samba AD and Microsoft Active Directory controllers: operating such an infrastructure requires staff with exorbitant competence in the organization of Active Directory in general and of each implementation in particular, if such people can even be found on the labor market. As they say, whoever thinks it is difficult to find true love has never looked for Scala developers.

If you are making a strategic choice for the development of the enterprise IT infrastructure for decades ahead and plan to switch completely to domestic operating systems, which overwhelmingly use the Linux kernel, then it would be more correct to implement a directory service based on FreeIPA right away, and the benefits of that decision will only grow with each passing year.

We hope that with this article we have answered most of the questions, and with those that remain, we invite you to comment.
