Active Directory Comes To Linux With Samba 4

Da Massive writes in with another possible answer to a recent Ask Slashdot about FOSS replacements for Microsoft AD server. "Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."

  1. About Time... by Mydnight · · Score: 2, Insightful

    After the headaches Active Directory has caused the company I work at over the last couple weeks (things like Windows telling the backup software that it wasn't allowed to backup anything to do with AD except the transaction logs), I can't wait!

    1. Re:About Time... by Lord+Bitman · · Score: 2, Insightful

      I'm guessing he doesn't want to pay for it.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    2. Re:About Time... by afidel · · Score: 2, Insightful

      Um, you DO realize that you need a VSS aware backup program to get a usable backup of the domain controller, correct? Backing up the AD database files will do you zero good, and in fact if you could somehow get them to restore you would cause all sorts of problems.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:About Time... by Anonymous Coward · · Score: 0, Insightful

      Ummmm... I've never seen any KKK member/skinhead/run-of-the-mill racist (in a movie or otherwise) use the term "Active Directory" as a pejorative. Did you mean "Samba" is a racist term? It's a kind of dance, and a portmanteau of SMB (Server Message Block). How is it racist?

      If this is a new type of troll, it's a weird one. I'm not enraged, just a little confused.

    4. Re:About Time... by Klootzak · · Score: 2, Insightful

      But it's still good news,

      Why is it good news? Is the Open-Source community embracing the concept "If you can't beat 'em, join 'em"?

      Pish-Posh, Linux can have, and has its own "Directory" functionality, and the members of the OS community are more than capable of implementing their own standards.
      My opinion of this is that it's good for cross-compatibility, but not so much that it advances the concept that OSS products can compete in their own right.

      I will be more impressed when Microsoft adds standards compatibility for integration with Open-Source standards and not the other way around.

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    5. Re:About Time... by Architect_sasyr · · Score: 5, Insightful

      Whether you agree with it or not, Linux has a very small market share in the two places it counts: gaming and the office. It's "big news" here when we find a government organisation or a school going with a Linux installation, and until it stops being so we can never consider Linux *as good* as MS or OS X, purely because of usage base. This functionality is an excellent step in the right direction for the office software, because we (as sysadmins) can build a server that silently integrates with all the XP/Vista machines on a network, without "telling" anybody about it. After a few months of having a stable Linux server in place, we can start pushing stable Linux onto the less-than-important PCs - like the receptionist (who can/should be trained) or the marketing department. Slowly (but surely) bringing across all the machines we can to Linux. Having AD functionality is definitely the first step. Getting a decent free Exchange replacement will be the next (and I mean free in the same way that Debian is free, unrestricted as much as possible) in the chain. Simply put, any OSS supporter needs to make some compromises to get their software into the enterprise. People grow up on Windows, or on OS X (as a rule it is one or the other), not (necessarily) on Linux, so we need to ease them in.

      Oh and Linux has its own Directory functionality, it's OpenLDAP. It's just not necessarily as easy to maintain as Open/Active Directory.

      My $0.02 AU.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    6. Re:About Time... by Skrapion · · Score: 2, Insightful

      I'm sorry, I missed the part where the GP was talking about OSS.

      Look, I'm an OSS fan too, but not everything is about OSS. The fact that a good product is being released would be good news even if it wasn't OSS.

      --
      The details are trivial and useless; The reasons, as always, purely human ones.
    7. Re:About Time... by Klootzak · · Score: 2, Insightful

      Perhaps Linux is used a lot more than you think; you're just not aware of the installations ;)

      I know of at least 2 places which are very large and influential organizations that run a lot of Linux and other Open-Source systems. In one of the organizations I'm thinking of, I implemented Linux in combination with MRTG, PHP and MySQL for an application I wrote for the purposes of systems monitoring and server inventory, something I whipped up because Tivoli, a large, expensive "enterprise" product, was proving too cumbersome and taking too long to implement, and my Management needed something RealSoonNow(tm) to do the job.
      Unfortunately though, non-disclosure and fear of being publicly identified prevent me from citing the organization(s) by name.

      Linux is used in quite a number of places, but it doesn't get the big "The Department of xyz for the pqr Government is installing Linux" publicity.

      Don't despair, Linux is making waves, you just can't see the ripples ;)

      Oh and Linux has its own Directory functionality, it's OpenLDAP. It's just not necessarily as easy to maintain as Open/Active Directory.

      No offense intended... but I did say that in my original post ;)

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    8. Re:About Time... by Kjella · · Score: 4, Insightful

      Whether you agree with it or not, Linux has a very small market share in the two places it counts: gaming and the office.

      Honestly? Gaming does not count. There was a nice market breakdown I saw not that long ago from AMD, breaking it down into laptop/desktop/server and low-end/mainstream/enthusiast, and the gaming segments are honestly not that large. Replacing every Windows/MS Office with a Linux/OpenOffice solution would be 1000x greater than turning LAN parties into LUGs. Nor is it easy fruit - a game requires a lot of software infrastructure, it's got limited actuality (Linux support two years after is a big meh) and is full of bleeding edge performance optimizations. Just to take that college drop-out article we had recently - the school could have said "MS Office or OpenOffice". The DSL installation disc could have said "For Linux do steps X instead". Lots of things in that article were her fault, but it's quite clear that Linux could be a lot more supported in ways that would matter a lot more to the masses than a few FPS junkies.

      --
      Live today, because you never know what tomorrow brings
    9. Re:About Time... by HangingChad · · Score: 4, Insightful

      It's "big news" here when we find a government organisation or a school going with a Linux installation...

      We're not a big office but we run on Linux. Primary application servers and most of the desktops. So far it hasn't been any big news outside and not a big deal inside. It was a quiet transition, no user upheaval. The best part is we (the IT department) don't have to spend part of our day handling the crisis/virus/trojan/black screen crisis of the moment. We actually have time to document, plan upgrades, and spend time on development instead of serving the Redmond machine. The stress level comes way down.

      You don't realize how much time you spend servicing Microsoft until you get away from them. Not just servicing the machines but the whole ecosystem. It's so complex, you need so many supporting services to keep it running right that the Windows admins I've seen are in a constant state of stress. And I think they like it, even though they tend to complain about how busy they are. Maybe it's job security. Don't know and honestly don't care.

      All I know is I can go to a partner integration meeting today knowing everything is working fine and, in the absence of hardware failure or massive internet outage, will stay working. That there won't be a stack of trouble tickets in the queue or bill for some piece of software that does...something...that we need because MS didn't include it in the base server package.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    10. Re:About Time... by Cowmonaut · · Score: 2, Insightful

      I'm sorry, but you didn't really counter any of his arguments. You say you are under an NDA so you can't name "two big organizations" that are using more Linux than Windows/OSX. Since you can't prove it, it's useless. Hearsay. Moot.

      And not just for our little argument here either. You apparently can't point to these places for other sysadmins and say "it works there, why not where you do business?" because of your NDA. The problem with Linux is visibility in certain marketplaces. "Invisible ripples" don't help in any way until someone shines a light on them.

    11. Re:About Time... by Xabraxas · · Score: 2, Insightful

      People have to be willing to adapt and do things differently when they switch operating systems. People seem perfectly capable of adapting to OSX. I don't think it's because it's less difficult to adapt to OSX than it is to Linux but because people that do switch to OSX are willing to do it. They do it because it's "cool" or because they are artists, or for many other reasons. They've been convinced that it is an option for them and a lot of them will make it work even if that means they have to do things differently. Linux is still associated with geeks. There isn't a clear cut reason for most people to switch to Linux.

      What Linux lacks is marketing. It's virtually unheard of outside the tech world, whereas everyone knows what a Mac is and certainly everyone has some kind of experience with Windows. Linux has little more than word-of-mouth exposure. Linux needs a selling point and someone to successfully market that point. Being unix-like, free, and "good enough" was enough to make it in the server market, but things are not so easy in the desktop market where the users are less knowledgeable and the benefit of being unix-like isn't a particular advantage.

      --
      Time makes more converts than reason
    12. Re:About Time... by walt-sjc · · Score: 4, Insightful

      Nice anecdote, but all that says is that the IT people in your company don't have a clue. Once upon a time, IT people were just as clueless about Windows / PCs. It's sad really - people call themselves professionals and then behave like that, refusing to educate themselves. (If you are not CONSTANTLY educating yourself in IT, you will very, very quickly become a dinosaur.)

    13. Re:About Time... by DrgnDancer · · Score: 3, Insightful

      But gaming is a weird animal. Many gamers (not all, maybe not even most, but many) are influential in other people's tech decisions. Whether it be the kid whose parents assume he "knows about computers" because he spends lots of time on one and can spout jargon he read on game sites, the programmer or sysadmin who games as a hobby, or the "Tech Site" writers whose primary measure of performance is game FPS, lots of gamers have some level of influence on various numbers of people's technical decisions.

      On top of that, even many people who don't game take an attitude of "Well, if it'll play that game, it will certainly be able to handle my $trivialtask". Gamers may be a small part of the market, but they are a much bigger part of marketing.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    14. Re:About Time... by profplump · · Score: 2, Insightful

      So what you're saying is that you're 1 rescue-disk boot away from having root access, right?

  2. Release date? by russlar · · Score: 2, Insightful

    Nice features, but when will it be released?

    --
    Anybody want my mod points?
  3. Re:Wow... /.'s contextual ad for this page is fitt by Anonymous Coward · · Score: 1, Insightful

    You don't block ads?

  4. Re:Finally..an alternative by bluephone · · Score: 1, Insightful

    In the land of the blind, the one-eyed man is king.

    --
    jX [ Make everything as simple as possible, but no simpler. - Einstein ]
  5. Waiting for samba by CarpetShark · · Score: 2, Insightful

    Just can't wait! AD for linux. I honestly am surprised it's taken this long.

    I'm also surprised it has taken this long. Which is why I'm not waiting.

  6. Security by RiotingPacifist · · Score: 2, Insightful

    While I appreciate that this will be very useful, I'd rather they worked on not requiring Samba to run as root (or at least not the networked part), as it seems to be the victim of an increasing number of attacks because of this. Perhaps SELinux and AppArmor have me protected, but seeing a network daemon running as root always seems like a dumb idea to me.

    --
    IranAir Flight 655 never forget!
  7. Re:AD licensing by symbolset · · Score: 5, Insightful

    Look, you seem like the average unbiased poster so I'm going to give you a few tips even though I'm going to be modded off topic.

    If you're going to defend Microsoft or one of their products on /., you need to observe a few simple rules:

    Don't ask for proof of Microsoft malfeasance. You'll just get proof, and that doesn't serve your goal. Read the series of Halloween documents for an introduction to how much we know. It's scary.

    Don't ask questions you don't know the answer to. That's good guidance for lawyers, too. You'll get answers you don't want.

    Don't ask about someone else's experience. Their experience isn't going to help your cause, and you'll get replies from the least helpful people.

    Do brag features, but do it with some understanding of the features. Don't just list the marketing babble. Don't brag more than three features at a time because it's then obvious you're typing them from a list. Do brag features that seem important to the parent poster.

    If you must employ "anecdotes are not proof" be prepared for a swarm of people who confirm the anecdote. Nearly a billion people use MS software. Given enough experience, every failure mode is common. Every anecdote is common here and you would be surprised how selection bias draws people with shared anecdotes to slashdot just in time to skew the replies.

    If it's allowed in your contract, do be specific: What platform worked well on Vista, how much RAM did you have? What video card? If you must avoid vendor bias, split the vendors by market share and let the astroturfers brag up proportionate systems - if they work. And if they don't work, leave it alone.

    Slashdot has a grand bullshit detector, so don't lie. If you lie, the lie is not just going to be modded down - the responses to the lie are going to be modded up and be the only thing that people see, so the lie does more damage than silence would.

    There are more rules, but this should help quite a bit for now.

    --
    Help stamp out iliturcy.
  8. Re:Not very realistic by jonwil · · Score: 4, Insightful

    Clearly you haven't priced the full costs of a full set of servers (and add-ons) for Exchange, AD, etc. Not to mention all the client licenses you need (CALs or whatever they are).

    I am sure there are quite a lot of people who would LOVE to be able to replace a Windows server machine with a Linux machine running Samba + OpenChange + whatever else.

  9. Apologies for the AC post. by Klootzak · · Score: 2, Insightful

    Easy. You're "Anonymous Coward". You're anyone and no one.

    Well, even posting under my Slashdot "handle" I could be everyone and no-one too ;)

    A novice administrator would know this. I think you've been talking to the average joeish end users.

    No, the person I had to correct that issue for considered himself an "experienced" Linux Administrator (and Zealot - "Linux should be used for EVERYTHING"), having worked with various distros for 3 or 4 years. He was also employed by the Victorian Department of Education at the time - the problem he was having was at a client he was moonlighting for. I was the poor Bastard who had to drive on-site when he eventually called me for help at 8pm on Saturday after he'd spent a good 10 hours working on the issue (mind you, I walked away with $100 in cash for typing 'chmod -R ug+w [directory]', so it was inconvenient, but lucrative).

    The assumption you're making is that just because someone uses Linux, they also understand the underlying design of the technology that it is integrated with... not everyone understands filesystem permissions, you'd probably be surprised. Like I always say, computers/operating systems/applications are a "tool" - to be the most effective, you need to understand the function of the tool in addition to its application.

    --
    A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
  10. Re:Finally..an alternative by Anonymous Coward · · Score: 1, Insightful

    Or a freak.

  11. I like Samba 4 except .. by rs232 · · Score: 2, Insightful

    I like Samba 4 except it doesn't have $RANDOM feature :)

    --
    davecb5620@gmail.com
  12. it goes on to say .. by rs232 · · Score: 2, Insightful

    It is not very comforting to read the following statement:

    "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."

    It goes on to say:

    "We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the best for security! Samba now has a conversion logic that handles random characters and is then doing normal Kerberos functions on it"

    --
    davecb5620@gmail.com
    1. Re:it goes on to say .. by Krokant · · Score: 2, Insightful

      Yes, so I read that they tried blank machine account passwords where Microsoft (indeed) uses a random password only known to the computer (and the hash in AD)...

      For more information (just some google hits):

      http://blogs.technet.com/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
      http://technet.microsoft.com/en-us/library/cc785826.aspx

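      To make Krokant's point concrete, here is an added Python example (not code from the original page, from Samba, or from Microsoft). AD stores a computer account's secret as the NT hash, which is MD4 over the UTF-16LE encoding of the password, so a machine account whose password was set to nothing (the "password of zero" the quoted comment describes) is recognisable by the well-known empty-password hash, and an account whose password has not been rotated is the other symptom behind the "stops working after N days" report. MD4 is implemented inline because hashlib's md4 is frequently disabled in current OpenSSL builds. The 120-character random password, the 30-day rotation window (the Windows default for machine accounts, assumed here as the threshold) and the sample account list are assumptions for illustration.

```python
import secrets
import struct
from datetime import datetime, timedelta, timezone

# Well-known NT hash of the empty password: MD4 over zero bytes.
EMPTY_PASSWORD_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Assumed threshold: Windows members rotate their machine password every 30 days by default.
DEFAULT_MAX_PASSWORD_AGE = timedelta(days=30)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib.new('md4') is often unavailable."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian uint64.
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as AD stores it for a user or computer: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


def generate_machine_password(length: int = 120) -> str:
    """Random machine password in the style Windows sets on domain join (assumed 120 UTF-16 units)."""
    chars = []
    while len(chars) < length:
        cp = secrets.randbelow(0x10000)
        if cp == 0 or 0xD800 <= cp <= 0xDFFF:  # skip NUL and unpaired surrogates
            continue
        chars.append(chr(cp))
    return "".join(chars)


def audit_machine_account(sam_name: str, stored_nt_hash: str, pwd_last_set: datetime,
                          now: datetime, max_age: timedelta = DEFAULT_MAX_PASSWORD_AGE) -> list:
    """Flag the two failure modes discussed above: blank machine password, or one never rotated."""
    findings = []
    if stored_nt_hash.lower() == EMPTY_PASSWORD_NT_HASH:
        findings.append(f"{sam_name}: machine password is blank (empty-password NT hash)")
    age = now - pwd_last_set
    if age > max_age:
        findings.append(f"{sam_name}: machine password is {age.days} days old, "
                        f"over the {max_age.days}-day rotation window")
    return findings


# Constructed sample data, not real directory contents.
NOW = datetime(2009, 1, 30, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    ("WS01$", nt_hash(""), NOW - timedelta(days=3)),                            # blank password
    ("WS02$", nt_hash(generate_machine_password()), NOW - timedelta(days=12)),  # healthy
    ("WS03$", nt_hash(generate_machine_password()), NOW - timedelta(days=45)),  # stale
]


def run_audit(accounts=SAMPLE_ACCOUNTS, now=NOW) -> list:
    findings = []
    for name, stored_hash, last_set in accounts:
        findings.extend(audit_machine_account(name, stored_hash, last_set, now))
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

      The audit takes the hash and pwdLastSet as inputs rather than reading the directory itself, so it can be run against an offline export. On a real domain member the equivalent live checks are the secure-channel test and password reset described in the TechNet links above.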
  13. Re:Not very realistic by spazimodo · · Score: 3, Insightful

    The costs for AD/Exchange, etc. pale in comparison to the administrative salary costs associated with supporting an IT infrastructure and the lost productivity costs of down time.

    I've found Samba in a Domain environment to be kind of flaky, and while it's useful for accessing the file system on a Linux server (though I prefer scp) there's no way I would look at replacing any Windows file server that had an SLA with a Samba server. The licensing costs for a Windows server (especially virtualized) are negligible.

    On the other hand, there's still no great solution for something similar to AD on Linux. NIS+ is old and sucks. Going through the whole LDAP rigmarole only gets you part of the way and requires a hell of a lot of upkeep depending on the server. Winbind against AD isn't bad, though again it's flaky and requires way too much work to set up. I suppose there's the tried and true method of rsync-ing passwd, group and shadow files around.

    The combo of AD and Group Policy is pretty killer. It would be really nice to see something similar for Linux, or at the very least improved AD integration would be awesome.

    --
    Fsck the millennium, we want it now.
    Millennium Crisis Line: 0890 900 2000 [calls cost 50p/min]
  14. Re:AD licensing by marcosdumay · · Score: 2, Insightful

    Microsoft isn't accountable for Windows doing anything. Red Hat, on the other hand, will work at your place to solve every little problem that your unique configuration causes. But your CEO doesn't know that; he thinks that it is MS that solves all Windows' problems, and that those guys that run around every time your computers have problems are just making some cooper. So, don't expect him to understand. To make things worse, every time you try to point out that MS support never did something useful for your company, somebody will come with an event where they called MS support and could get some kind of answer. You can't contest the usefulness of such an answer in a non-technical meeting, so you will lose the argument.

    To keep matters simple, forget about accountability and focus on the GP's list. It is a great one.