/tags/active-directory/Recent content in Active-Directory on Buffer OverflowHugo -- gohugo.ioenThu, 16 Apr 2026 00:00:00 +0000/posts/a-dance-with-domains/Thu, 16 Apr 2026 00:00:00 +0000/posts/a-dance-with-domains/<p>In my previous post, <a href="/posts/whats-in-my-lab-now-2024/">What&rsquo;s In My Lab Now, 2024 Edition</a>, I detailed my lab&rsquo;s Active Directory setup which relies on Windows Server 2022 VMs. While that setup has served me perfectly well to date, recent advancements in Samba&rsquo;s support for Active Directory features, combined with a desire to reduce my need for software licenses in the future, presented an opportunity to experiment with cross-platform AD domains.</p><p>In my previous post, <a href="/posts/whats-in-my-lab-now-2024/">What&rsquo;s In My Lab Now, 2024 Edition</a>, I detailed my lab&rsquo;s Active Directory setup which relies on Windows Server 2022 VMs. While that setup has served me perfectly well to date, recent advancements in Samba&rsquo;s support for Active Directory features, combined with a desire to reduce my need for software licenses in the future, presented an opportunity to experiment with cross-platform AD domains.</p> <h2 id="why-samba-and-why-now">Why Samba, and why now?</h2> <p>Samba is a fantastic solution for integrating Linux and Windows systems as seamlessly as possible. I&rsquo;ve used Samba as a basic file server for Windows and Mac clients for the better part of 20 years with almost no fuss. Even when I first set up my homelab AD domain in the mid-2010s, it was trivial to integrate Samba into the domain as a member server to handle authentication and authorization for file shares and even provide networked home directories over SMB.</p> <p>The evolving roadmap of Active Directory is where things started to get a bit cloudy. In the mid-2010&rsquo;s, everything enterprise started moving toward cloud-native, but Microsoft&rsquo;s Active Directory platform still seemed to have plenty of on-prem life left. With the earlier advent of Azure AD, and its eventual rebrand to Entra ID, the lines kept blurring between on-prem and cloud and I&rsquo;m now more eager to search for an alternative.</p> <h2 id="get-on-my-functional-level">Get On My (Functional) Level</h2> <p>Samba&rsquo;s support for AD features (indicated by tiers called <em>Functional Levels</em>) had plateaued for many years. Samba versions 4.0 through 4.18 supported, at most, Functional Level 2008R2. This changed with Samba release 4.19, which introduced compatibility for the Server 2012 functional levels, and more recently with Samba version 4.20 which added general compatibility with Server 2016.</p> <p>While I can practically guarantee that <em>nothing</em> I do in my lab comes close to needing 2016 Functional Level requirements, it still felt good to be on the latest and greatest. Waiting for Samba&rsquo;s support to catch up wasn&rsquo;t about just being able to join a machine to the domain - Samba domain members never cared much about the functional levels in the first place - but if I decided to add a Linux-based domain controller, ensuring that Group Policy, Kerberos authentication, and replication behaved predictably across Windows and Linux was a top priority.</p> <h2 id="hurdles">Hurdles</h2> <p>There were three main components that I suspected would present the most challenge to my plans.</p> <h3 id="group-policies">Group Policies</h3> <p>The way Active Directory stores and replicates Group Policy Objects is through <em>Distributed File System Replication</em>, or DFS-R for short. AD Domain Controllers present a SYSVOL share that each DC replicates seamlessly, and each client reads GPOs from their respective logon server.</p> <p>Samba provides no support for DFS-R, so right out of the box, a hybrid domain will have inconsistencies in which some DCs contain GPOs and some do not. There seem to be no ready-made solutions for replicating the SYSVOL from the domain&rsquo;s PDC Emulator host. While Samba handles much of the heavy lifting of replicating LDAP objects around the domain, keeping the SYSVOL share in sync between Windows and Linux is left to the system admin.</p> <p>To ensure my Linux DCs could replicate the latest GPOs and scripts without manual intervention, I pieced together a <a href="/notes/linux/samba/replicating_sysvol/">fairly straightforward cron script</a>. Using the existing Kerberos machine principal as the key, it obtains a Kerberos ticket and creates a SMB mount of the Windows PDC&rsquo;s SYSVOL share. It uses <code>rsync</code> to pull those changes to the local Samba SYSVOL directory, and then uses Samba&rsquo;s built-in <code>sysvolreset</code> utility to ensure the replicated files have the proper NT ACLs applied. It’s not the most elegant or foolproof solution, but for my homelab environment, it&rsquo;s reliable, flexible, and most importantly, functional.</p> <h3 id="certificate-services">Certificate Services</h3> <p>Though most sprawling enterprises maintain their own PKI hierarchy separate from AD, smaller operations are often constrained in ways that justify using Active Directory Certificate Services to host an <a href="/posts/implementing-a-private-ca-for-home-use/">online intermediate CA</a> as a part of their domain. There doesn&rsquo;t seem to be any limitation here on the part of Samba, save for Samba DCs not being able to auto-enroll with an ADCS CA for things like LDAPS. If we temper our expectations a bit and simply aim for having <em>a valid certificate</em> automatically issued and renewed on each DC, then dear reader, you will not be disappointed.</p> <p>In my previous post on building a PKI hierarchy, I detailed how I moved away from manual certificate management in favor of a tiered approach:</p> <pre tabindex="0"><code>Offline Root → AD Certificate Services (Intermediate) → Smallstep (Issuing) → Clients </code></pre><p>The challenge with adding Linux DCs is that they still need valid, trusted certificates for proper secured LDAP connections. I didn&rsquo;t want to be the guy manually generating CSRs every time a certificate approached its expiration date.</p> <p>Instead, I leveraged Smallstep&rsquo;s <code>step-cli</code>. Because my Smallstep CA provides an API endpoint and its CA is integrated into my existing chain of trust, I was able to automate the enrollment process for the Samba DCs. Now, by using the <code>step-cli</code> in daemon mode, the Linux domain controllers handle their own certificate renewals automatically. As an added benefit, the daemon renewal process allows me to reliably issue certificates with a lifetime of just a few days, rather than months or years.</p> <h3 id="smart-card-authentication">Smart Card Authentication</h3> <p>Finally, the most frustrating, yet least-documented challenge I&rsquo;d face would be using Smart Card authentication on Windows against a Linux domain controller. It became a grueling exercise in Kerberos troubleshooting; I spent hours testing configurations and digging through dated documentation, often getting tantalizingly close to a working solution only to have it still fall apart during a login. Ask me how many times I audibly sighed as I read from the logs the words <code>PKINIT request but PKINIT not enabled</code>.</p> <p>Ultimately, after weighing the large amount of time spent against the actual utility it would provide in my lab, I decided to scrap Smart Card authentication for now. While the goal of enhanced security is always near the top of my list, sometimes you have to admit defeat, put it on the backburner, and come back later when you&rsquo;ve recovered some precious sanity.</p> <h2 id="the-result">The Result</h2> <p>The result of my experiment is a heterogeneous Active Directory domain that feels, for all intents and purposes, mostly homogeneous. My Windows Server 2022 nodes and my Samba DCs coexist, sharing the same trust roots and the same policy definitions. It’s another step toward the serenity I mentioned in previous posts, where the infrastructure itself is complex enough to be useful, but automated enough to stay out of my way.</p>