Sunday, January 28, 2007

Making Samba your Primary Domain Controller - Part One

My Samba installation went so well that I've decided to improve our network at the office a bit. We are a small company, but there are enough of us to make a primary domain controller a good idea. I did a bit of browsing around the 'net to see how this is done in Samba, only to discover that all of the necessary instructions seem to be for Samba 2; I'm using Samba 3. "Oh well," I say to myself, "how much different can it be?"

Before we get into the ugly details, a bit of background is in order. First, what is a Primary Domain Controller (PDC)?

Domain Controller
A PDC is actually a pretty good idea. The goal is to store a user's logon information in one place, and allow them to access different services in the domain without needing multiple authentications. Samba makes an excellent PDC. It supports roaming profiles, domain logon from all Windows clients, Windows system policies, name services, master browser, and user-level security for Windows 9x/ME clients (assuming you actually have any of those; do you? Shame on you).

What does this mean? Well, if a Windows user logs on from any machine on your network, their profile goes with them, and they'll have access to only those things that they ought to have access to, and their desktop will look just like they expect it to. This is generally a good thing, and saves lots of pointless calls for help to the sysadmin.

This is of less value to a Mac, BSD, or Linux user, but let's face it -- Windows dominates in the business world, and will for some time to come. If this is the case on your network, then Samba as a PDC might serve very well for you.

A word of caution: just as was the case with Connor MacLeod, "in the end, there can only be one." Don't try this if you have a PDC on your network already. Bad things will happen. Your network might blow up. Ethernet cables will melt. Your hair will fall out. Avoid the heartache, and instead try this on a test network, get it working fine, and then use your shiny new Samba PDC as a drop-in replacement for whatever you're using now.

So how do you do this? From what I can find on the 'net it looks fairly painless. The steps are as follows:

1) Install Samba.
2) Edit smb.conf, the Samba configuration file.
3) Add machines and users.

I did see some references to Windows XP being a pain, and the Professional edition requiring a registry patch to work with Samba, but those were email messages made some time ago. From the silence on the topic for the past couple of years, I can only conclude one of two things: either Samba is not being used as a PDC by anyone now, or it works fine. I'm hoping for the latter.

I should also note that you can use your Samba PDC in a variety of other ways, although I have not personally tried some of these. For example, I found reference to using Samba as a member of an Active Directory domain (update: this is natively supported in Samba 3.0x), and there are a number of other suggestions in this article. A lot of information is dated, and needs to be tested, but I plan on trying a few different things.

In part II, I'll cover the installation and configuration.

Saturday, January 20, 2007

Alternatives to Nagios

I've never been a fan of putting all my eggs in one basket. Although, by all accounts, Nagios looks like it will be an adequate solution to network monitoring, there are alternatives. Here are the ones I've come across for my "just in case this doesn't work" list:

OpenNMS
One that I've seen quite a few times in my research is called OpenNMS. The website states that

"OpenNMS is the world's first enterprise grade network management platform developed under the open source model. It consists of a community supported open-source project as well as a commercial services, training and support organization."

World's first, eh? And what's your criteria for establishing whether something is "enterprise grade" or not? Ah, well. Cynicism is unbecoming, and the product looks decent enough, whether or not it's the "world's first."

I do have a few concerns about this product, though, that encouraged me to move it to the "just in case" list. I came across this on a mailing list:
"The big thing that makes OpenNMS a non-starter for me was the inability to create dependencies between services. It's a pain to do in Nagios but it's there and that is a critical tool for enterprise level operations."

Yeah, that would be a bit of a show stopper, unless you're doing nothing more sophisticated than running a plain vanilla server install with a few simple services -- and who does that anymore?

Zenoss
This one seems relatively new, but has been getting a fair bit of buzz. Zenoss, according to the website, is as follows:

"Zenoss Core is an enterprise-grade network and systems monitoring product that delivers the functionality IT operations teams need to effectively manage the health and performance of their entire infrastructure through a single, integrated package... Zenoss has changed the game by offering a complete, easy-to-use solution as a free..., downloadable, open source software product."

Okay, so far, so good. I perused the website fairly extensively, and have to admit that it looks like a very slick package -- arguably more feature complete and functional than Nagios. There is a fully functional demo available, so I can check things out without having to do a local install, and see if it's more hype than reality... and this appears not to be the case. This is encouraging. Plus, the app appears to be written in Python, so it'll be portable and easy to modify and extend, should the need arise.

I may in fact do a double install -- both Nagios and Zenoss, just to see which one is more appropriate for my needs.

Zenoss seems very impressive.

Friday, January 19, 2007

Server Monitoring: Nagios

As I mentioned last time, I am looking for an easy, free, stable, and highly functional network monitoring system. Nagios is my first venture into this investigation. Nagios has been around for a while, and I believe that I evaluated it a few years ago before throwing my hands up in frustration and doing a quick and dirty solution myself. In all fairness, I was incredibly busy at the time, and probably didn't give it a fair shake.

According to the website, it will do exactly what I want:

"Nagios is a host and service monitor designed to inform you of network problems before your clients, end-users or managers do. It has been designed to run under the Linux operating system, but works fine under most *NIX variants as well. The monitoring daemon runs intermittent checks on hosts and services you specify using external 'plugins' which return status information to Nagios. When problems are encountered, the daemon can send notifications out to administrative contacts in a variety of different ways (email, instant message, SMS, etc.). Current status information, historical logs, and reports can all be accessed via a web browser."

Well, I've never been much of one for believing in the whole truth in advertising thing, so I decided to give it a go on my own, and see how it works.

The network I decided to test it on consists of six machines. In addition, I have two development servers in an external data center that were doing nothing but humming, so I elected to include them in the tests. The machines are a mixture of FreeBSD and a couple of different Linux distros (CentOS and Debian).

Prior to actually installing this package, I did a bit of reading on their website. They have a number of helpful screenshots; here are a few that were of interest to me.

This is the status detail screen (and it would appear that someone is having a bad day with this particular network!). It looks quite helpful, and provides a good "dashboard" view of the various processes on a given machine.

Now this is interesting -- a status map of a network segment. I'm not sure how you define the map (but suspect it is painful), but it is an interesting method of graphically representing the layout of various workstations and servers. Nice touch.

This gives the bird's eye view of all monitored services. Simple, and effective. It seems that you can group services together, which would be very helpful.

After I finished amusing myself with screenshots and the propaganda on their site, I went over to the Wikipedia entry to see what it had to say. It's a short article, and simply lists the services it monitors, has pointers to helpful install guides, and mentions that it came out in 2002, when it used to be called NetSaint. The talk page had this obscure comment:

"I would say this is a very handy application when argumented with Cacti. I just set up one and its really cool to see it in action."

I presume "argumented" was supposed to be "augmented", but there you go. But what is this "Cacti"? I'll have to find out.

I'm going to try a test install of this on the weekend. I'll keep you posted.

Sunday, January 14, 2007

Automated Server Monitoring

I have been looking for a decent, non-resource-intensive server monitoring program. There are a number of them out there (many written in Perl, and getting a bit long in the tooth) but it has been some time since I explored this in any detail. Actually, I think it's been several years since I did this. I'm getting old.

Last time around, I wound up trying and abandoning a number of solutions, and writing a simple Java process that polled a list of servers & ports, and sent an SMS, email, and page when it was unable to connect to something on its watch list.

Talk about rudimentary.

As I recall, there were a few packages that did what I wanted, but they ate CPU cycles like they were going out of style, which was unacceptable. I hope things have improved over time.

Ideally, the monitoring software will track CPU usage, system temperature, disk space, maintain a list of processes to watch and keep up, memory usage, track logins, and so forth. It should also support a "dashboard" of services, statistics, and allow for historical reporting.

I've compiled a short list (which will no doubt grow as I get into the research) of projects to try out, and I'm going to start with Nagios.

I'll keep you posted.

Tuesday, January 09, 2007

Trixbox 2.0

While browsing around today I noticed a post on distrowatch.org, indicating that Trixbox 2.0 was released a few days ago. The press release is available here. According to the press release, Trixbox is a CentOS based distribution that includes a completely functional, ready to customize install of Asterisk. It can be installed in less than 15 minutes, supports multiple languages and provides increased reliability and stability, flexible user customization, and support for a wide range of hardware vendors.

Given that I am planning to do an @home install of Asterisk, this seems like a logical approach. I am still waiting to order the necessary hardware to complete my installation of Asterisk at home, but could use one of the many "softphones" to play with this.

I have managed to cobble together some hardware from spare parts, and will attempt an install of this over the next few days. It is entirely possible that my wife may throw me out for cutting off her phone for hours at a time... but hey, she has a cell phone ;)

Monday, January 08, 2007

Exchange Server Alternatives - Scalix

I've made some additional progress in the ongoing saga to find an alternative to Microsoft Exchange. As promised, I've done some research into (and actually played with) Scalix. I came at this one with some skepticism, largely because of the great deal of online attention focussed on its competitors, most notably Open-Xchange. I was pleasantly surprised -- this is a very good alternative to OX.

Like most of the packages I've explored so far, Scalix comes in both "free" and "commercial" flavours. Unlike its competitors, it's not as feature-crippled in the for-free version. Of the most interest to me at this point is the fact that it offers complete Outlook connectivity without a fee. Admittedly, the free version only offers this for a limited number of users, but you can upgrade to the commercial version at any time without a complete reinstall required. This is quite attractive.

It took me some time to figure out what all of the various offerings on their web site were -- and to distinguish between the various versions. Things get much simpler if you simply go to the download page and give it a read -- I recommend skipping much of the marketing hype and going directly there.

I have found Outlook support on everything I've looked at so far to be... well... okay. Not great, but acceptable. So when I saw this on the Scalix site:

"Scalix offers the Linux industry’s most transparent Outlook support because it is a mature native MAPI implementation. Scalix’s Outlook support has been enhanced further with Scalix 11, with indexed search and improved mobile performance."

I was skeptical, to say the least. I am pleased to report that there is sometimes truth in marketing. Support for Outlook (a client which I personally do not like or use, I might add, but many people I work with require it) is exceptionally good in this package. In addition, the package offers support for Google Desktop and MSN Search, McAfee VirusScan, Symantec Norton Utilities and Captaris RightFax Outlook Extension. Well done.

I plan on doing some extensive testing on this in the coming days, but right now this package wins, hands down.