Active Directory Comes To Linux With Samba 4
Da Massive writes in with another possible answer to a recent Ask Slashdot about FOSS replacements for Microsoft AD server. "Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."
After the headaches Active Directory has caused the company I work at over the last couple of weeks (things like Windows telling the backup software that it wasn't allowed to back up anything to do with AD except the transaction logs), I can't wait!
Just can't wait! AD for linux. I honestly am surprised it's taken this long.
I love the OSS community!
Finally an alternative to Microsoft's insane licensing model.
It brings one step closer for those who want to move to linux or at least convert some windows to linux.
I've got a line of outfits that can benefit from this!
There are so many companies I know that have little to no real dependence upon AD other than the fact that it's all they've really known...
Nice features, but when will it be released?
Anybody want my mod points?
Can someone tell me how AD is licensed? I thought it was a part of Server 2003 and once you buy that there should be no additional costs, right? Our Sys Admin is planning to install AD for our office (we never had AD before) and I am trying to figure out what, if any, the advantages of getting AD will be.
My last tussle with samba was yet another try with ubuntu on this old macbook.
Samba refused to accept proper config messages through gnome's graphical tools, I had to go in and edit the config manually, and samba did not respond properly to the config.
Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
According to TFA FOSS AD is not here yet by a long shot, in early alpha, many missing features. Summary is *terrible* in suggesting non-M$ AD is already here.
Those are my principles, and if you don't like them... well, I have others.
mark my words, it'll have bugs which will result in 1000's of "RTFM n00b" or "it's ms's protocol that sucks" responses.
If you mod me down, I will become more powerful than you can imagine....
"A new year... A new hope?" "Let us know your predictions for 2009".
And, right on par with my hope of seeing Half-Life 2 Episode 3 in "early 2009", my hope of seeing a fully working, easy to set up and maintain, "it just works" Active Directory server for Linux this year has diminished due to the fact that this same exact story was posted here over 3 years ago. (or on Digg)
You don't block ads?
I'm also surprised it has taken this long. Which is why I'm not waiting.
This spells the end of all things good.
Did you read your own post?
It is not an alternative.
SAMBA is not an AD alternative for the real world.
While I appreciate that this will be very useful, I'd rather they worked on not requiring samba to run as root (or at least not the networked part) as it seems to be the victim of an increasing number of attacks because of this. Perhaps SELinux and AppArmor have me protected but seeing a network daemon running as root always seems like a dumb idea to me.
IranAir Flight 655 never forget!
SAMBA does not yet support basic aspects of the SMB protocol, like multiplexing.
I have integrated SAMBA in enterprise products and this was a serious downfall. This has been a constant issue that has never been addressed.
Stubbornness on the SAMBA team's behalf, not to use a thread pool, has prevented this from happening.
How many times have you seen ERROR_NETWOR_NAME_NOT_FOUND while copying a file to a SAMBA server while trying to access another resource on the same server?
Does this mean I could have a Linux AD server at home that would force whatever machine I connect to it to install my favourite set of applications and themes and wallpapers automatically?
Or is this just for windows? Does gnome/kde need AD support? Or would this be implemented as a daemon?
It's about replacing Windows Shares and networking.
LDAP and Kerberos are the "AD" of the OSS world (in fact, the rest of the world, really).
But SAMBA isn't aiming for that. It's aiming for MS SMB compatibility. Which includes AD.
Well, everybody here says "Linux" but let me point out that Apple's Xserve uses Samba as well.
So there will be even more interesting alternatives ahead.
Martin
It is not very comforting to read the following statement:
... thing). I would at least expect that the Samba developers have experience in installing, running and maintaining a "realistic" Active Directory environment (read: more than 1000 client machines) before delving into the real messy details. I am not sure I even want to know how they are going to handle disaster recovery (one of the fun parts of AD, rest assured).
"My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."
"Something to do with...". This is in every AD 101 book (machine accounts, password renewal,
Honestly, I cannot imagine why anyone would want to run a FOSS equivalent of Active Directory. After having spent months in setting up a full mixed Windows/Linux environment (OpenLDAP, Kerberos, Samba, the works), I can say that setting up AD is a breeze: for me, it is a prime example where Microsoft took existing technologies (LDAP, DNS, Kerberos) and actually turned it into something useful without the typically associated configuration nightmares. And it works very stably indeed.
And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.
What makes you automatically assume I haven't installed several Linux Systems running Samba+Sendmail&Postfix+Squid with IP_MASQ enabled for several clients I've serviced?
;)
I've had to diagnose Samba issues for other clue(minus) Linux "Zealots" when they haven't realized you ALSO need +w enabled on the filesystem for the share to be writeable... Don't assume that because I'm not a Zealot I'm not fond of Open Source Systems my friend
Yeah, that's pretty bizarre on Slashdot. Some early versions of Adblock/Filterset.G would screw up page layout when blocking ads. But it's all been groovy for years, and I can't imagine going back.
That may be, but they are a lot closer now. The most interesting article I've seen so far is in this thesis.
Why did you ask why Samba had AD support? If it doesn't support AD, it isn't an MS SMB compatible product, is it?
...are from disgruntled Linux bods being forced to acknowledge that a system they don't like (and generally pretend doesn't exist) is actually being used happily by the majority of the rest of the world... ..so far so Apple, but they were like this when AD was first released ('Why not just use LDAP?' was the cry).
And what did they fail to do? Provide a popular, useable alternative for work and home. Just like Linux, really (hehehe)
I didn't ask if Samba had AD support... I asked why the PP thought this was a "Good Thing"... Because an Open-Source product was integrating itself with a Non-Standard one that Microsoft produces?
Not that I mind really, I just think it's not that great of a leap ahead for Open Source Software, just more Integration with Commercial Closed-Source software that already exists.
Do you understand that a "Directory" and SMB are two different things?
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
Easy. You're "Anonymous Coward". You're anyone and no one.
Well, even posting under my Slashdot "handle" I could be everyone and no-one too ;)
A novice administrator would know this. I think you've been talking to the average joeish end users.
No, the person I had to correct that issue for considered himself an "experienced" Linux Administrator (and Zealot - "Linux should be used for EVERYTHING"), having worked with various distros for 3 or 4 years. He was also employed by the Victorian Department of Education at the time - the problem he was having was at a client he was moonlighting for. I was the poor Bastard who had to drive on-site when he eventually called me for help at 8pm on Saturday after he'd spent a good 10 hours working on the issue (mind you, I walked away with $100 in cash for typing 'chmod -R ug+w [directory]', so it was inconvenient, but lucrative).
The assumption you're making is that just because someone uses Linux, they also understand the underlying design of the technology that it is integrated with... not everyone understands filesystem permissions, you'd probably be surprised. Like I always say... Computers/Operating-Systems/Applications are a "tool" - to be the most effective, you need to understand the function of the tool in addition to its application.
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
Me. You got a problem with that?
Help stamp out iliturcy.
Mr Ballmer himself will absolutely not sit still for this to happen. The "method" will be disclosed as being copyright by Microsoft and that Samba is infringing on Microsoft's patented trademark of "Active Directory". You watch. A Quash order will be forthcoming.
I don't think so.
http://blogs.zdnet.com/microsoft/?p=1064
http://news.samba.org/announcements/pfif/
http://www.microsoft-watch.com/content/server/samba_licenses_microsoft_benefits.html
It sure doesn't seem too likely in the face of all that, does it?
Can you say "estoppel"?
http://en.wikipedia.org/wiki/Estoppel
wow! You mean it's ready to download and run right now? oh wait it's NOT. How about posting this in news when it actually IS NEWS. There hasn't even been a new Alpha release. It's just people blowing hard about an unfinished product. At least wine bothered to get a large release out and get a ton of programs working. That Slashdot is running this article at all shows the editors are horrible at performing an oversight function. We shouldn't be reading articles that aren't NEWS. Slashdot: Alpha versions for nerds, stuff that's irrelevant.
I like Samba 4 except it doesn't have $RANDOM feature :)
davecb5620@gmail.com
It is not very comforting to read the following statement:
"My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."
It goes on to say:
"We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the best for security! Samba now has a conversion logic that handles random characters and is then doing normal Kerberos functions on it"
davecb5620@gmail.com
"Samba refused to accept proper config messages through gnome's graphical tools, I had to go in and edit the config manually .."
..
Generally, GUI config tools get in the way, editing the dreaded config file is simpler and more straight forward.
"and samba did not respond properly to the config"
What you mean is you don't understand SAMBA enough to configure it
davecb5620@gmail.com
The only potential problem with this is that this is Mr. Steve Ballmer we're talking about. The same person who believes that if you own an iPod, you are stealing music illegally even if you purchased it from iTunes! I do not trust anything about Mr. Ballmer, nor anything that emanates from his oral device!
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
support for its reason for creation.
GIMP will have 32-bit colour and a CMYK colour space.
PS has these too.
Will it be "a bad thing" for GIMP to get these features because Photoshop has them?
No.
Because GIMP is aimed for production use where such features are worthy of addition.
Likewise, a SAMBA server that acts more like an MS SMB server is news for the SAMBA system because it is supposed to ACT like an MS SMB server.
For those places that do not need to have something that looks like an MS SMB server, they already have LDAP and Kerberos.
SAMBA IS NOT A REPLACEMENT FOR THEM: IT IS A REPLACEMENT FOR MS SMB SERVERS.
And that includes AD support.
You should try setting up Citadel with the Bynari Connector and Outlook. It works like a charm. Citadel is very efficient thanks to its Oracle BerkeleyDB back end, so you can replace dozens of Exchange servers with a single Citadel server.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
All good examples. FYI you may be interested in trying PSPP, a SPSS-like statistics package, although the current version (0.6.1) seems very limited. I use the R/CRAN statistical package myself, although retraining is unlikely to be worth it. Running through wine is problematic. VirtualBox or buying the Linux version should work. I also find the lack of a decent PDF editor annoying... again there are many PDF editors for Linux, though none that I really recommend, see e.g. http://www.linux.com/feature/113907. At least the foxit pdf editor apparently runs under wine.
I am guessing this would be mixture of convoluted and deluded.
Unfortunately, there are a number of hits in a web search so you don't get credit for coining the term.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
You've cloned another Microsoft product. Good job, guys! I knew you could design and build something new on your own!
Is it per server, or per server per CPU?
I believe that for boxes with a whole lotta CPUs, you're paying more (because hey, what you *should* be doing is having multiple boxes and buying extra copies of the software for each), or at least that used to be the case.
I'm not sure how they've updated licenses for multi-core though.
"or an introduction to how much we know. It's scary." - by symbolset (646467) * on Monday January 19, @05:56AM (#26514323)
I just noticed it's the moron symbolset replying above all else - go away you clueless moron, first of all.
Secondly - Those "Halloween Documents" are just another line of total bullshit, & the typical maneuver of the /. crowd here that's "Pro-*NIX" to try to use as somekind of 'proof' when all it is, is more FUD b.s..
Posts like yours count on the fact that your readers of your replies don't actually read them themselves is why!
(Thus, they look like some kind of proof of 'Linux superiority', when, they're anything but that).
Until your "year of the Linux desktop" comes true, which it has not and probably won't (and we've all been hearing online since 1992 no less and it has not come true, no less)? Blow away and die.
I think that the slashdot crew believes that the more b.s. they spout, the more idiots worldwide will read and believe them. Good luck, it hasn't worked since 1992 and that is what, by now? 17 yrs.??
LOL! So much for the "year of Linux" etc. et al...
I think that it's a red herring to say that people don't switch to Linux because they aren't willing. The nasty truth of the matter is that OSX works. Even Ubuntu, the slickest of all distributions, is still held together with twine and gum. Linux is a beast when compared to Windows and OSX. I have about 12 Windows boxes in my business, and I'd love to switch to *nix just to save money, but the fact of the matter is that none of the *nixes are up to snuff for a multitude of reasons. If OSX wasn't expensive and didn't have hardware lock-in, I'd definitely consider a switch to OSX. Switching to *nix would be an even more expensive nightmare.
In my (admittedly limited) experience, SWAT has a bad habit of producing overly verbose config files that do not necessarily coincide with what the user is actually trying to do -- SWAT sets options that the user hasn't touched (example), instead of relying on the already-sane Samba defaults, resulting in unexpected behaviour. GSAMBAD is even worse.
Of course, it's been a while since the linked issues were posted, and YMMV. :)
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."
MS has not customized the Lightweight Directory Access Protocol as far as I know (they customized the schema though but everyone else does too except the OpenLDAP project) however I believe I heard a while back that they have made some changes to the Kerberos protocol. I just wanted to clear that up.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
Samba runs as root for a few different reasons that I know of:
1. bind to privileged ports (<1024)
2. set{e,r}{u,g}id for the user being authenticated
3. RPC-based system administration
If it was just the first, I bet it could prolly drop root soon after startup. If it was just the first and the second, it might be able to drop root after authenticating, since each connection gets its own process. Samba may already do some of this, for all I know. Alternatively, implementing this may be difficult for architectural reasons, which may or may not be solvable via code restructuring.
But for the third, it has to run as root all the time. What this refers to is the ability to perform system administration tasks (like adding/changing/deleting users, groups, computers, etc.) via Microsoft's RPC mechanism. This is how Windows does this, and Samba supports quite a bit of it. Notably, if you're going to support Windows domains on Samba, it needs to be able to create host OS (Unix) accounts for users and machines.
It's probably theoretically possible to develop some kind of frontend/backend layer for process privilege separation, but at that point, you're basically just implementing all the protocol work Samba has to do all over again, in an internal protocol. If you couldn't get it right the first time, I wouldn't expect this try to be much better.
Remember, Samba aims to be bug-for-bug compatible with Microsoft Windows, which means inheriting any brain damage present in SMB/CIFS. If you want a clean design, this is the wrong place to look.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
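The pattern the post above sketches (bind the privileged port as root, then let each per-connection child give up root for good) as an added example; this is not Samba code and not the poster's, and the uid/gid 65534 is a constructed stand-in for whatever Unix account the authenticated user maps to.

```c
#define _GNU_SOURCE 1               /* for setgroups() on glibc */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bind and listen on a TCP port while the process may still be root (ports
 * below 1024 need that). port 0 picks an ephemeral port. Returns fd or -1. */
int open_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently give up root: supplementary groups first, then gid, then uid
 * (after setuid() the other two could no longer be changed). Then prove the
 * drop is irreversible. Returns 0 on success or when there was no root to
 * drop, -1 if any step failed or root could be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || getgid() != gid) return -1;
    if (setuid(uid) != 0 || getuid() != uid || geteuid() != uid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* regaining root must fail */
    return 0;
}

/* Process-per-connection sketch: the parent keeps root for the listener (and
 * would keep it for RPC-style account management); each child drops to the
 * user it serves. 65534 (nobody) is a constructed placeholder for that uid. */
int main(void)
{
    int lfd = open_listener(0);      /* an SMB server would use 445 here */
    if (lfd < 0) { perror("open_listener"); return 1; }
    struct sockaddr_in bound; socklen_t len = sizeof bound;
    getsockname(lfd, (struct sockaddr *)&bound, &len);
    printf("listening on port %u\n", ntohs(bound.sin_port));
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) continue;
        if (fork() == 0) {                       /* child: one connection */
            close(lfd);
            if (drop_privileges(65534, 65534) != 0) _exit(1);
            dprintf(cfd, "served by uid %u\n", (unsigned)getuid());
            _exit(0);
        }
        close(cfd);
        while (waitpid(-1, NULL, WNOHANG) > 0) ;   /* reap finished children */
    }
}
```

Run as root it binds and the children drop to uid 65534; run unprivileged, drop_privileges() is a no-op that still reports success, so the same binary is usable either way.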
Well, that was a cute post.
I am a Samba + RedHat Directory Server (previously OpenLDAP) user since the early 3.0 series for our Domain.
I've also watched Samba development closely in the past years and I am pretty sure that Samba 4 won't happen. The real Samba 4 will probably be based off a very recent 3.x series with a few Samba 4 patches backported.
Most Samba developers are currently working on the samba-3.2-testing or samba-3.3-testing git branches and occasionally adding a patch or two to the samba-4.0-testing tree.
Samba 3.2 is currently very limited in functionality:
* no AD logins, actually no AD features at all. The Solaris CIFS server (which is a simple and beautiful piece of engineering that does only 1 thing, as simple and beautiful things should do) requires Active Directory.
* No NFSv4 ACL support. Don't be fooled by it. Samba's NFSv4 ACL support is useful for read-only stuff at best, once you start creating files remotely on that volume (say a ZFS), you start having a mess with permissions, Samba+ZFS cannot mimic Windows behavior, while Solaris CIFS Server + ZFS can. You cannot have directory and file masks for NFSv4 ACLs.
* Samba doesn't do the sane thing of reordering the ACLs with the deny entries first (not required by NFSv4/ZFS but required by Windows) when setting them and Windows cannot read them.
* What's with the IDMAP config, are they high? It changed 3 times in the 3.0 series and it's still different in 3.2. Can't they get it right just once? Every time I do a version upgrade joining the domain and creating users gets broken because of version changes and I get woken up from my sleep at 3-4AM.
I don't usually criticize OSS projects, but Samba is a vital one and right now they are either understaffed or they don't have their priorities straight. I know that this will blow away half of my karma points but Samba is more or less in the same place from a functional point of view as it was in September 2003 (5 and 1/2 years ago) when Samba 3.0 was launched. While it was reasonable in 2003 not to have AD support and the rest of the deal, in 2008 it means our company will most probably have to abandon FLOSS DC support this year in favor of "the real thing" (Windows 2008).
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever ones.
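The ACL ordering point in the post above (Windows expects deny entries ahead of allow entries, and explicit entries ahead of inherited ones, or the client rejects the ACL as non-canonical) as an added example, not Samba's or ZFS's code: a check for canonical order and a stable re-sort that produces it. The ace_t struct and the sample ACL are constructed for the example, and inheritance depth is deliberately ignored.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One access-control entry, reduced to the fields that decide its
 * canonical position. Constructed model, not a real on-disk ACE. */
typedef struct {
    const char *who;
    bool deny;        /* deny entry vs. allow entry */
    bool inherited;   /* came from a parent directory */
    unsigned mask;    /* permission bits; kept opaque here */
} ace_t;

/* Rank in Windows' canonical order: explicit ACEs precede inherited ones,
 * and within each group deny precedes allow. */
static int ace_rank(const ace_t *a)
{
    return (a->inherited ? 2 : 0) + (a->deny ? 0 : 1);
}

/* True when no entry is followed by one of lower rank, i.e. no deny entry
 * trails an allow entry within its group and no explicit entry trails an
 * inherited one. This is what a Windows client checks before trusting the ACL. */
bool acl_is_canonical(const ace_t *acl, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (ace_rank(&acl[i - 1]) > ace_rank(&acl[i])) return false;
    return true;
}

/* Stable insertion sort by rank, so entries of equal rank keep the order
 * the administrator wrote them in. Returns the number of entry moves made. */
size_t acl_canonicalize(ace_t *acl, size_t n)
{
    size_t moves = 0;
    for (size_t i = 1; i < n; i++) {
        ace_t cur = acl[i];
        size_t j = i;
        while (j > 0 && ace_rank(&acl[j - 1]) > ace_rank(&cur)) {
            acl[j] = acl[j - 1];
            j--;
            moves++;
        }
        acl[j] = cur;
    }
    return moves;
}

int main(void)
{
    /* constructed sample in the order a Unix-side tool might write it: allow first */
    ace_t acl[] = {
        {"alice",       false, false, 0x1f01ff},
        {"contractors", true,  false, 0x010000},
        {"everyone",    false, true,  0x1200a9},
        {"bob",         true,  false, 0x1f01ff},
    };
    size_t n = sizeof acl / sizeof acl[0];
    printf("canonical before: %s\n", acl_is_canonical(acl, n) ? "yes" : "no");
    printf("moves: %zu\n", acl_canonicalize(acl, n));
    for (size_t i = 0; i < n; i++)
        printf("%zu: %-12s %s%s\n", i, acl[i].who, acl[i].deny ? "deny" : "allow",
               acl[i].inherited ? " (inherited)" : "");
    return 0;
}
```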