

Active Directory Comes To Linux With Samba 4

Da Massive writes in with another possible answer to a recent Ask Slashdot about FOSS replacements for Microsoft AD server. "Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."


  1. About Time... by Mydnight · · Score: 2, Insightful

    After the headaches Active Directory has caused the company I work at over the last couple of weeks (things like Windows telling the backup software that it wasn't allowed to back up anything to do with AD except the transaction logs), I can't wait!

    1. Re:About Time... by Z00L00K · · Score: 4, Informative

      Actually - the AD support in Samba is a bit of old news, since that has been promoted before.

      But it's still good news, especially since lately the configuration of Microsoft's software and platforms has started to get incredibly complex and very hard to penetrate - as well as to configure in a secure way.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:About Time... by rmallico · · Score: 3, Informative

      headache of AD? uh.. backing up? are you serious? there are command line tools, 3rd party tools as well that handle backing up of AD as well as full forest recovery (and even restoring a single attribute for one user to ALL users in minutes... google is your friend..

      --
      sig goes here!
    3. Re:About Time... by Lord+Bitman · · Score: 2, Insightful

      I'm guessing he doesn't want to pay for it.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    4. Re:About Time... by afidel · · Score: 2, Insightful

      Um, you DO realize that you need a VSS aware backup program to get a usable backup of the domain controller, correct? Backing up the AD database files will do you zero good, and in fact if you could somehow get them to restore you would cause all sorts of problems.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    5. Re:About Time... by retyurecvb · · Score: 3, Informative

      He has Samba confused with Sambo. Somebody(same person?) made a post just like this a couple of days ago.

    6. Re:About Time... by Klootzak · · Score: 2, Insightful

      But it's still good news,

      Why is it good news? Is the Open-Source community embracing the concept "If you can't beat 'em join 'em?".

      Pish-Posh, Linux can have, and has its own "Directory" functionality, and the members of the OS community are more than capable of implementing their own standards.
      My opinion of this is that it's good for cross-compatibility, but not so much that it advances the concept that OSS products can compete in their own right.

      I will be more impressed when Microsoft adds standards compatibility for integration with Open-Source standards and not the other way around.

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    7. Re:About Time... by Architect_sasyr · · Score: 5, Insightful

      Whether you agree with it or not, Linux has a very small market share in the two places it counts: gaming and the office. It's "big news" here when we find a government organisation or a school going with a Linux installation, and until it stops being so we can never consider Linux *as good* as MS or OS X, purely because of usage base. This functionality is an excellent step in the right direction for the office software, because we (as sysadmins) can build a server that silently integrates with all the XP/Vista machines on a network, without "telling" anybody about it. After a few months of having a stable Linux server in place, we can start pushing stable Linux onto the less-than-important PCs - like the receptionist (who can/should be trained) or the marketing department. Slowly (but surely) bringing across all the machines we possibly can to Linux. Having AD functionality is definitely the first step. Getting a decent free Exchange replacement will be the next (and I mean free in the same way that Debian is free, unrestricted as much as possible) in the chain. Simply put, any OSS supporter needs to make some compromises to get their software into the enterprise. People grow up on Windows, or on OS X (as a rule it is one or the other), not (necessarily) on Linux, so we need to ease them in.

      Oh and Linux has its own Directory functionality, it's OpenLDAP. It's just not necessarily as easy to maintain as Open/Active Directory.

      My $0.02 AU.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    8. Re:About Time... by Skrapion · · Score: 2, Insightful

      I'm sorry, I missed the part where the GP was talking about OSS.

      Look, I'm an OSS fan too, but not everything is about OSS. The fact that a good product is being released would be good news even if it wasn't OSS.

      --
      The details are trivial and useless; The reasons, as always, purely human ones.
    9. Re:About Time... by Klootzak · · Score: 2, Insightful

      Perhaps Linux is used A LOT more than you think, you're just not aware of the installations ;)

      I know of at least 2 places which are very large and influential organizations that run A LOT of Linux and other Open-Source systems - in one of the organizations I'm thinking of I implemented Linux in combination with MRTG, PHP and MySQL for an application I wrote for the purposes of systems monitoring and server inventory, something I whipped up because Tivoli, a large, expensive "enterprise" product, was proving too cumbersome and taking too long to implement and my Management needed something RealSoonNow(tm) to do the job.
      Unfortunately though, Non-Disclosure, and fear of being publicly identified prevents me from citing the organization(s) by name.

      Linux is used in quite a number of places, but it doesn't get the big "The Department of xyz for the pqr Government is installing Linux" publicity.

      Don't despair, Linux is making waves, you just can't see the ripples ;)

      Oh and Linux has its own Directory functionality, it's OpenLDAP. It's just not necessarily as easy to maintain as Open/Active Directory.

      No offense intended... but I did say that in my original post ;)

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    10. Re:About Time... by Kjella · · Score: 4, Insightful

      Whether you agree with it or not, Linux has a very small market share in the two places it counts: gaming and the office.

      Honestly? Gaming does not count. There was a nice market breakdown I saw not that long ago from AMD, breaking it down into laptop/desktop/server and low-end/mainstream/enthusiast, and the gaming segments are honestly not that large. Replacing every Windows/MS Office with a Linux/OpenOffice solution would be 1000x greater than turning LAN parties into LUGs. Nor is it easy fruit - a game requires a lot of software infrastructure, it's got limited actuality (Linux support two years after is a big meh) and is full of bleeding edge performance optimizations. Just to take that college drop-out article we had recently - the school could have said "MS Office or OpenOffice". The DSL installation disc could have said "For Linux do steps X instead". Lots of things in that article were her fault, but it's quite clear that Linux could be a lot more supported in ways that would matter a lot more to the masses than a few FPS junkies.

      --
      Live today, because you never know what tomorrow brings
    11. Re:About Time... by HangingChad · · Score: 4, Insightful

      It's "big news" here when we find a government organisation or a school going with a Linux installation...

      We're not a big office but we run on Linux. Primary application servers and most of the desktops. So far it hasn't been any big news outside and not a big deal inside. It was a quiet transition, no user upheaval. The best part is we (the IT department) don't have to spend part of our day handling the crisis/virus/trojan/black screen crisis of the moment. We actually have time to document, plan upgrades, and spend time on development instead of serving the Redmond machine. The stress level comes way down.

      You don't realize how much time you spend servicing Microsoft until you get away from them. Not just servicing the machines but the whole ecosystem. It's so complex, you need so many supporting services to keep it running right that the Windows admins I've seen are in a constant state of stress. And I think they like it, even though they tend to complain about how busy they are. Maybe it's job security. Don't know and honestly don't care.

      All I know is I can go to a partner integration meeting today knowing everything is working fine and, in the absence of hardware failure or massive internet outage, will stay working. That there won't be a stack of trouble tickets in the queue or bill for some piece of software that does...something...that we need because MS didn't include it in the base server package.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    12. Re:About Time... by Cowmonaut · · Score: 2, Insightful

      I'm sorry, but you didn't really counter any of his arguments. You say you are under an NDA so you can't name "two big organizations" that are using more Linux than Windows/OSX. Since you can't prove it, it's useless. Hearsay. Moot.

      And not just for our little argument here either. You apparently can't point to these places for other sysadmins and say "it works there, why not where you do business?" because of your NDA. The problem with Linux is visibility in certain marketplaces. "Invisible ripples" don't help in any way until someone shines a light on them.

    13. Re:About Time... by kimvette · · Score: 4, Informative

      It is every bit as racist as niggardly is; as in "Microsoft behaves niggardly with its protocols while at the same time preaches interoperability."

      That legitimate words "sound kinda like" racist slurs does not mean the common words are racist. On the other hand, we have just been trolled.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    14. Re:About Time... by Xabraxas · · Score: 2, Insightful

      People have to be willing to adapt and do things differently when they switch operating systems. People seem perfectly capable of adapting to OSX. I don't think it's because it's less difficult to adapt to OSX than it is to Linux, but because people that do switch to OSX are willing to do it. They do it because it's "cool" or because they are artists, or for many other reasons. They've been convinced that it is an option for them and a lot of them will make it work even if that means they have to do things differently. Linux is still associated with geeks. There isn't a clear cut reason for most people to switch to Linux.

      What Linux lacks is marketing. It's virtually unheard of outside the tech world, whereas everyone knows what a Mac is and certainly everyone has some kind of experience with Windows. Linux has little more than word-of-mouth exposure. Linux needs a selling point and someone to successfully market that point. Being unix-like, free, and "good enough" was enough to make it in the server market, but things are not so easy in the desktop market, where the users are less knowledgeable and the benefit of being unix-like isn't a particular advantage.

      --
      Time makes more converts than reason
    15. Re:About Time... by walt-sjc · · Score: 4, Insightful

      Nice anecdote, but all that says is that the IT people in your company don't have a clue. Once upon a time, IT people were just as clueless about Windows / PCs. It's sad really - people call themselves professionals and then behave like that, refusing to educate themselves (If you are not CONSTANTLY educating yourself in IT, you will very very quickly become a dinosaur.)

    16. Re:About Time... by Whizzmo2 · · Score: 2, Informative

      ntdsutil (included with Windows Server) is plenty capable of doing backups and restores of AD data. Microsoft has lengthy documentation on the subject, including how to properly prepare and what to do when the feces hit the oscillator.
      A few documentation links:

      Also, you do know that ntbackup.exe is "a VSS aware backup program," right? Bonus: It's included at no charge from Microsoft.

      In short, RTFM and STFU.

      --Whizzmo

    17. Re:About Time... by DrgnDancer · · Score: 3, Insightful

      But gaming is a weird animal. Many gamers (not all, maybe not even most, but many) are influential in other people's tech decisions. Whether it be the kid whose parents assume he "knows about computers" because he spends lots of time on one and can spout jargon he read on game sites, the programmer or sys admin who games as a hobby, or the "Tech Site" writers whose primary measure of performance is game FPS; lots of gamers have some level of influence on various numbers of people's technical decisions.

      On top of that, even many people who don't game take an attitude of "Well, if it'll play that game, it will certainly be able to handle my $trivialtask". Gamers may be a small part of the market, but they are a much bigger part of marketing.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    18. Re:About Time... by The+Real+Tachyon · · Score: 2, Informative

      Even if his examples are missing or bad ones, he's still right. There's a LOT of Linux out there that people use or are affected by every day but never know it.

      Just one example I'm aware of is ADP (www.adp.com).
      Most of their core application servers run Linux. And they are everywhere, but you'd never know it even if you used those systems every day. They provide Payroll, HR, Benefits management etc. systems that are accessed with a Windows Based PC client. The users might never know about the servers being Linux based. They also sell dealer management systems (the backend for car dealers) to a vast portion of the auto dealer market. Again, users might not know this, even though they use it every day. Though in this case this is probably a good thing since the client side of the application is not exactly 5 star. However, it still remains that they have millions of users working on Linux server based applications every day without the users ever even knowing it.

      I'm sure there are a lot of other such examples, but there's no one spending millions to put ads bragging about it like Microsoft does every time they win a contract somewhere.

      Anyway, my point is that I agree with Klootzak that there are probably a huge number of Linux based systems out there in real business use that the general public and even the basic IT community are not generally aware of.

      Finally, I for one am thrilled to have an alternative to Windows Server and AD for our corporate network. Not for Linux fanboy reasons, but because I have to manage and budget whatever solution we use and my experience is that Windows causes me more work and more expense, where once you get a Linux solution configured and running, you can generally ignore it from then on as it continues to just work without magically breaking itself every few weeks/months/days.
      Linux solutions generally mean less of my time spent working late nights troubleshooting things and more time home with my family. And THAT is something I place real value on.
      As for the ease of use argument, I'd rather spend a day setting up a Linux solution than 2 hours setting up a Windows one because I know I'll more than get that time back in the future.

    19. Re:About Time... by Penguin+Follower · · Score: 2, Interesting

      Since you bring up ADP... I will also mention that their competitor Reynolds & Reynolds also uses Linux for their app servers. Between ADP and R&R you have the large majority of car dealerships in the USA having Linux in the business back-end.

    20. Re:About Time... by KagatoLNX · · Score: 2, Interesting

      Ironically, SPSS was cloned fairly early on in the OSS wars.

      http://www.gnu.org/software/pspp/

      I've found that making employees accountable for knowing their software is a huge benefit. Before a number of OSS shifts I've administered, nobody knew what was important. The entire workflow was undocumented. In some ways, tracking down this information is quite valuable in its own right--and you'd never get it if you couldn't make people's jobs depend on it.

      The key is to do it in responsible phases. Pick a representative set of really good people in your workflow. Make them into a "conversion team". Incentivize them to make the conversion process a success. Just doubling existing incentives works really well for sales people. They are notoriously hard to sell on OSS, but 2x-commission brings out the gambler in them. Most importantly--listen to them when they "can't do their work". If you've picked the right people, it'll be due to legitimate concerns.

      Go department by department. Be tactical. Allow islands of resistance to form. If they can't be ignored, exploit existing divisions in the company to prevent them from uniting. When they're all that's left in a sea of OSS users, they're easier to deal with. Let their case be about real needs, not "everybody's doing it". Indeed, you don't even have to argue it, their arguments change on their own. It's a remarkably social phenomenon.

      The legal department can be your friend. Most organizations are woefully out of compliance in licensing. If legal is made aware of this, they often just can't ignore it and will take it to the top. Ignoring it at any level can make people personally liable. The lawyers will tell them this.

      Conversely, if you are in compliance, accounting is your friend. When software licenses are properly budgeted, they show up and they're ugly. It's also fairly easy to demonstrate that, once stabilized, OSS departments require less administrative labor than proprietary ones.

      Most importantly, determine where there aren't OSS alternatives. In a big enough organization, you'll invariably have a few MS boxen just for interoperability or niche software. It's fine. That's what virtualization is for, and you can deal with that at your leisure. Rest assured that this is a dwindling list of software.

      Be careful. Like any large IT shift, a bad roll-out can negate years of cost savings. No vendor, especially not the OSS community, should be blamed for your botched implementation.

      In the end, the dream of an OSS organization is achievable. It can be worth the trouble. Whether you breathe Unix, sleep with a copy of the GPL, hate that your company is probably way out of license compliance, or just want that money in your bank instead of Redmond, there are plenty of reasons to do it.

      --
      I think Mauve has the most RAM. --PHB (Dilbert Comic)
    21. Re:About Time... by profplump · · Score: 2, Insightful

      So what you're saying is that you're 1 rescue-disk boot away from having root access, right?

    22. Re:About Time... by bored_engineer · · Score: 3, Interesting

      And was re-offered his position after many people, including Julian Bond, chairman of the NAACP, spoke harshly of Mayor Williams' "acceptance" of Howard's resignation. Too bad that it went as far as it did, though. Ignorance always has a cost.

    23. Re:About Time... by hairyfeet · · Score: 5, Funny

      Reminds me of a story one of my former teachers told. He was working as a consultant for this decently large corporation. When taking stock of their computers he noticed an ancient NT server was sitting in the server closet doing their email and basic file serving. He went to the PHB and was told "I don't care what you change but do NOT touch that NT server! We had lots of problems until an IT guy we hired a few years back fixed it. It has never failed since and I do NOT want you messing with it!".

      Of course, being an IT nerd, that instantly made him want to see what this "Miracle worker" had done. So one weekend while everyone was gone he plugged a monitor in to see what his magic recipe was. What he found was Red Hat 4 running with a text file sitting in \ with READ ME IMPORTANT. So of course he did. It said "The stupid boss thinks this is an NT server. Keep your mouth shut and everything will be fine. Dave". He of course choked on his coffee laughing, upgraded the RAM (which the PHB authorized) and soon after left the company. He said "it was too damned much like Dilbert."

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Finally..an alternative by Darkk · · Score: 2, Interesting

    Finally an alternative to Microsoft's insane licensing model.

    It brings us one step closer for those who want to move to Linux or at least convert some Windows machines to Linux.

    1. Re:Finally..an alternative by cencithomas · · Score: 5, Funny

      If you're calling an imperfect alternative to insanity "fixed"...

      ...why, you must be a Windows 7 developer. ;)

      --
      ...'tis easier to blame than to improve.
    2. Re:Finally..an alternative by symbolset · · Score: 5, Funny

      What's wrong with Microsoft's licensing model? You pay either per server or per seat. If you license some servers per server, and some per seat, their monitoring software tells you how often you need to "true up", and if their software fails to do its math correctly they get to sue you and seize all your computers. That makes a lot more sense than Linux or BSD's licensing model where no matter how many clients or servers you have you don't have to pay. That's just anarchy.

      --
      Help stamp out iliturcy.
    3. Re:Finally..an alternative by Curl+E · · Score: 2, Informative

      vrms's one seems reasonable...

      --
      Backups are for wimps. Real men post their data in comments and have slashdot mirror it
  3. Just waiting the release... by 8282now · · Score: 2, Interesting

    I've got a line of outfits that can benefit from this!

    There are so many companies I know that have little to no real dependence upon AD other than the fact that it's all they've really known...

  4. Release date? by russlar · · Score: 2, Insightful

    Nice features, but when will it be released?

    --
    Anybody want my mod points?
  5. AD licensing by ani23 · · Score: 3, Interesting

    Can someone tell me how AD is licensed? I thought it was a part of Server 2003 and once you buy that there should be no additional costs, right? Our Sys Admin is planning to install AD for our office (we never had AD before) and I am trying to figure out what, if any, the advantages of getting AD will be.

    1. Re:AD licensing by Anonymous Coward · · Score: 2, Funny

      You are correct.

    2. Re:AD licensing by Anonymous Coward · · Score: 2, Informative

      You need a CAL for every user in the AD.

      Gets expensive. Wait for samba4

    3. Re:AD licensing by Darkk · · Score: 5, Informative

      Exactly. You need CALs for stuff like:

      AD
      Exchange
      Terminal Server
      etc.

      It adds up pretty quickly.

      It's really a nightmare for IT Depts as they have to keep track of the CALs and ensure they have enough licenses to cover the number of users.

    4. Re:AD licensing by Anonymous Coward · · Score: 5, Informative

      A careful reading of the TOS says that it is licensed via user or device CALs based on authenticated users.

      They actually have an example: if you use AD as back end authentication on a web site you have to buy a CAL for every user, or magic uber-CALs for the web server.

      Really, it is just a tax. A MS shop typically has to pay:
        - For an OEM license on windows
        - For a volume license upgrade on windows
        - For a device or user CAL for the windows machine/user
        - For a windows server license (per VM!)
        - For exchange server (and a windows server license)
        - Per user exchange CALs (yay!)
        - Office CALs for outlook

      It used to be a CAL came along with NT4 so you didn't need a separate one, but that is not the case anymore. MS said their customers wanted the simpler model of paying more for the same thing.

      Of course, CALs and VLK upgrades are locked to specific versions so you have to keep buying them again and again to keep the additional rights.

      The only happy area is that the CALs apply to all servers at once, so if you have a thousand users and a thousand servers you only need a thousand CALs.

      No software checks this, but these are the terms.

      It is really quite insane, but maximizes MS's profits.

      See http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx
      And keep in mind that MS thinks performing an authentication against AD is accessing the server.

    5. Re:AD licensing by gallwapa · · Score: 5, Informative

      No...no...no

      There are "per device" or "per user" licenses.
      If you have 5000 computers but 40,000 users, it is probably cheaper to buy device licenses...so you can do that.

      In addition, each server DOES require a server license (which is different than a CAL).

      Windows is licensed like so

      Standard edition license includes 1 phys server + 1 VM (on the same server)
      Enterprise includes 1 phys server + 4 VM (again on the same server)
      Datacenter includes unlimited server licenses of any type

      Users with enterprise agreements or software assurance don't have to repurchase - they're covered under their contract.

    6. Re:AD licensing by El+Lobo · · Score: 2, Informative

      The CAL has NOTHING to do with Active Directory at all. If you don't use Active Directory you need to buy a CAL license anyway to access the server's resources.

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    7. Re:AD licensing by Anonymous Coward · · Score: 3, Funny

      Really, it is just a tax. A MS shop typically has to pay:
          - For a OEM license on windows
          - For a volume license upgrade on windows
          - For a device or user CAL for the windows machine/user
          - For a windows server license (per VM!)
          - For exchange server (and a windows server license)
          - Per user exchange CALs (yay!)
          - Office CALs for outlook

      In comparison, a Linux shop typically has to pay:
        - Nothing for a volume license for Ubuntu Linux,
        - Nothing for license upgrades,
        - Nothing for the Linux client machine/user,
        - Nothing for a Linux server license (also nothing per VM),
        - Nothing for Openchange or Citadel on a server
        - Nothing per Openchange or Citadel user
        - Nothing for copies of Thunderbird or Evolution or Akonadi or Kontact

      That is a lot of zeroes ... fortunately there is no "1" at the beginning though.

    8. Re:AD licensing by symbolset · · Score: 2, Interesting

      Windows is licensed like so....

      Yeah, that makes a lot of sense compared to the completely irrational "use all the copies you want, but if you make changes you have to share them back" model.

      Who would take a completely insane deal like "use all you want. We'll make more." rather than the more rational "pay us per seat or per user, but no changes are possible and if you overdeploy, we'll sue you." Or the even more rational "Pay us per seat and per server, annually, and you get the right to update to our latest software... if we ever do update our software - oh, and if you overdeploy, we'll sue you" model.

      That's just crazy talk. It's like choosing to not be sued. Who in their right mind would choose to not be sued even if choosing not to be sued would save them tons of cash? Especially when the alternative is free and contains no lawsuit exposure? Please, please don't throw me in that briar patch.

      --
      Help stamp out iliturcy.
    9. Re:AD licensing by Jezza · · Score: 4, Informative

      Well really they probably pay for "service".

      Now some think this is a total waste of money and the whole point of Linux is you don't pay for anything. While it's true you can do this, if your multi-million wonga business is relying on your IT that may not be too smart.

      But buying "service" isn't some nasty con, you're actually getting something. Also you can shop around for it, and even switch suppliers.

      Now the "free" aspect of Linux really helps you (as a business) as all your "computer wonks" can have a copy (for free) and take it home, use it outside the office (so they learn the product inside out). It does work out cheaper than Microsoft. The product evolves quicker, but you're not forced on some insane upgrade cycle.

      You can get lots of certified hardware (which is important) and you're not alone (lots of other businesses have done the same).

      Businesses get very twitchy when Linux advocates talk about "free", and the reason is they want to know: "Who's accountable if this stops working?" A word of advice if you're trying to get your employer to consider Linux: keep the talk about "free" to a minimum (even "cheap" has negative connotations); instead talk about:

      Lower Total Cost of Ownership
      Competition in the market for Linux Support
      No vendor lock-in
      Hardware support from all major suppliers
      Plenty of success stories

      Oh and don't forget Sun make great Linux kit (not just Solaris)

    10. Re:AD licensing by symbolset · · Score: 3, Informative

      SCO is dead. They'll convert to liquidation any day now. At least one would hope so. Nobody knows how long that zombie has to shamble.

      there's no such thing as no lawsuit exposure.

      That is true enough, but to accept that as a premise is to refuse to do business. There is some middle ground where businesses can still operate where the risk is acceptable. Limiting your exposure by avoiding licensing agreements that include the right to sue you if you overdeploy seems wise, and licensing agreements that include the right to audit you more so. Especially when there are options available that include terms like "use all you want for free".

      (I'd like to see a documented example of it)

      Meet Ernie Ball. But wait... that wasn't Microsoft... that was their representatives, the Business Software Alliance! Same same. Evil by proxy is still evil.

      --
      Help stamp out iliturcy.
    11. Re:AD licensing by symbolset · · Score: 5, Insightful

      Look, you seem like the average unbiased poster so I'm going to give you a few tips even though I'm going to be modded off topic.

      If you're going to defend Microsoft or one of their products on /., you need to observe a few simple rules:

      Don't ask for proof of Microsoft malfeasance. You'll just get proof, and that doesn't serve your goal. Read the series of Halloween documents for an introduction to how much we know. It's scary.

      Don't ask questions you don't know the answer to. That's good guidance for lawyers, too. You'll get answers you don't want.

      Don't ask about someone else's experience. Their experience isn't going to help your cause, and you'll get replies from the least helpful people.

      Do brag features, but do it with some understanding of the features. Don't just list the marketing babble. Don't brag more than three features at a time because it's then obvious you're typing them from a list. Do brag features that seem important to the parent poster.

      If you must employ "anecdotes are not proof" be prepared for a swarm of people who confirm the anecdote. Nearly a billion people use MS software. Given enough experience, every failure mode is common. Every anecdote is common here and you would be surprised how selection bias draws people with shared anecdotes to slashdot just in time to skew the replies.

      If it's allowed in your contract, do be specific: What platform worked well on Vista, how much RAM did you have? What video card? If you must avoid vendor bias, split the vendors by market share and let the astroturfers brag up proportionate systems - if they work. And if they don't work, leave it alone.

      Slashdot has a grand bullshit detector, so don't lie. If you lie, the lie is not just going to be modded down - the responses to the lie are going to be modded up and be the only thing that people see, so the lie does more damage than silence would.

      There are more rules, but this should help quite a bit for now.

      --
      Help stamp out iliturcy.
    12. Re:AD licensing by betacha · · Score: 5, Informative

      I had the pleasure of formatting our Windows 2003 server this summer and completely replacing it with an Ubuntu Samba OpenLDAP Domain server using this tutorial... http://ubuntuforums.org/showthread.php?t=640760 The server has been working flawlessly at our school since September! We ran out of CALs and our school is expanding very quickly. It didn't make sense to purchase more and continue paying the micro$oft tax..

    13. Re:AD licensing by blincoln · · Score: 2, Interesting

      They actually have an example: if you use AD as back-end authentication on a web site, you have to buy a CAL for every user, or magic uber-CALs for the web server.

      Not only that, but it gets more complicated depending on how many MS server products you use.

      For example, if you have a SharePoint system accessible on the internet that users can log into, you need a SharePoint CAL, a SQL Server CAL, and a Windows CAL for each of the users.

      I've even read a Gartner paper that claims it's not just AD users, but users who log in using credentials of any kind. IE if you run an online store on IIS, you need to purchase a user CAL for each of your customers (assuming they can log in), whether you write your own auth system or give them AD accounts. Alternately, you can purchase a very expensive blanket CAL that covers them all. Either way, those CALs are going to cost more than most small businesses ever make off of single transactions from casual customers.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    14. Re:AD licensing by betacha · · Score: 2, Interesting

      Glad you find the link useful! There is still some playing around with scripts... I had to learn how to use vim etc... which wasn't too easy to figure out... I recommend running through the tutorial once with a virtual machine following it verbatim using the exact version of ubuntu server recommended 7.10... and using the same domain name etc... It took me a few tries to get through it successfully... Then I created my own on the real server using my own domain personalization...

    15. Re:AD licensing by jalefkowit · · Score: 2, Funny

      Probably somebody who knows how to spell "sheriff".

    16. Re:AD licensing by bbbaldie · · Score: 4, Funny

      Hmmm...Obviously the teachings of KARL MARX figure prominently in your school's curricula... ;-)

    17. Re:AD licensing by marcosdumay · · Score: 2, Insightful

      Microsoft isn't accountable for Windows doing anything. Red Hat, on the other hand, will work at your place to solve every little problem that your unique configuration causes. But your CEO doesn't know that; he thinks that it is MS that solves all Windows' problems, and that those guys that run around every time your computers have problems are just making some cooper. So, don't expect him to understand. To make things worse, every time you try to point out that MS support never did something useful for your company, somebody will come with an event where they called MS support and could get some kind of answer. You can't contest the usefulness of such an answer in a non-technical meeting, so you will lose the argument.

      To keep matters simple, forget about accountability and focus on the GP's list. It is a great one.

  6. This is good for industry, what about end user? by plasmacutter · · Score: 3, Interesting

    My last tussle with samba was yet another try with ubuntu on this old macbook.

    Samba refused to accept proper config messages through gnome's graphical tools, I had to go in and edit the config manually, and samba did not respond properly to the config.

    Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
    1. Re:This is good for industry, what about end user? by SanityInAnarchy · · Score: 2, Informative

      Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?

      I think SWAT was meant to be that, and it kind of sucked.

      --
      Don't thank God, thank a doctor!
  7. Jumping the Gun by TechForensics · · Score: 5, Informative

    According to TFA FOSS AD is not here yet by a long shot, in early alpha, many missing features. Summary is *terrible* in suggesting non-M$ AD is already here.

    --
    Those are my principles, and if you don't like them... well, I have others.
    1. Re:Jumping the Gun by Darkk · · Score: 5, Interesting

      One thing I find interesting in the article is that Microsoft has been working with Samba developers to provide them the inner workings of AD. Hell, even Samba developers discovered a bug about random passwords in AD and told Microsoft about it.

      AD in its present form is still a closed source project, so I find it interesting that Microsoft's team is willing to provide them some of the secrets knowing that eventually it'll take away some of their profits, like they'll miss it anyway.

      So what exactly is the direction Microsoft is taking?

    2. Re:Jumping the Gun by b4dc0d3r · · Score: 5, Informative

      I'm just guessing here, but there was something about interoperability in, what was it, oh, every monopoly-related judgment they ever lost. Otherwise they wouldn't be helping.

    3. Re:Jumping the Gun by shutdown+-p+now · · Score: 4, Informative

      Ever since the EU antitrust/monopoly judgement and fines, MS has significantly increased the emphasis on open standards. It's still NIH syndrome more often than not, but at least the results are now documented, and usually come with a no-patent-enforcing pledge ("Open Specification Promise" - this covers e.g. OOXML and older Office formats, XPS, Silverlight, and so on). Also, I recall that the EU specifically named SMB/CIFS & AD as something that should be opened up, and Samba as the beneficiary.

      Whether it's just a coincidence or one followed from another is up for you to judge.

  8. Wow... /.'s contextual ad for this page is fitting by Doug52392 · · Score: 3, Interesting

    "A new year... A new hope?" "Let us know your predictions for 2009".

    And, right on par with my hope of seeing Half-Life 2 Episode 3 in "early 2009", my hope of seeing a fully working, easy to set up and maintain, "it just works" Active Directory server for Linux this year has diminished due to the fact that this same exact story was posted here over 3 years ago. (or on Digg)

  9. Waiting for samba by CarpetShark · · Score: 2, Insightful

    Just can't wait! AD for linux. I honestly am surprised it's taken this long.

    I'm also surprised it has taken this long. Which is why I'm not waiting.

    1. Re:Waiting for samba by morgan_greywolf · · Score: 2, Interesting

      I'm not surprised. Anyone who has followed Samba's development as religiously as I have knows that Active Directory was always not fully documented and has always been a moving target. Samba 4 has been in development a very long time -- I remember hearing about "Samba TNG" (what they used to call it) years ago.

      Slowly but surely they added Active Directory client integration and server development happened in parallel.

      What will surprise you is how stable Samba 4 is right now. Even the alphas were stable enough that some people have been using them in production a while.

  10. Security by RiotingPacifist · · Score: 2, Insightful

    While I appreciate that this will be very useful, I'd rather they worked on not requiring Samba to run as root (or at least not the networked part), as it seems to be the victim of an increasing number of attacks because of this. Perhaps SELinux and AppArmor have me protected, but seeing a network daemon running as root always seems like a dumb idea to me.

    --
    IranAir Flight 655 never forget!
    1. Re:Security by Bert64 · · Score: 2, Interesting

      The windows counterpart to samba also runs as SYSTEM...
      Not sure if Samba needs root for anything other than binding to the ports it uses and accessing files as specific users... I wonder how hard it would be to make it run as a normal user, losing filesystem permissions in the process of course.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  11. Re:just 4 more years and it'll be stable. by stephenpeters · · Score: 3, Interesting

    mark my words, it'll have bugs which will result in 1000's of "RTFM n00b" or "it's ms's protocol that sucks" responses.

    Just as Slashdot is full of trolls and OT comments help forums often have people posting unhelpful comments. Just ignore them. Life is too short for arguing with idiots.

    I find the Samba help forums are generally excellent if you take the time to ask a sensible question instead of just posting the first problem that comes up. Often the task of formulating a sensible question solves a problem without actually having to ask on the forums at all. I also generally find my query has already been answered in the forum and all I need to do is search.

    The Samba documentation is an excellent resource and generally answers most of the questions you may have. Try starting with John Terpstra's Samba 3 by example which is a practical guide to implementing Samba 3. I don't know if John is working on a Samba 4 update to the book, but there is a WIKI, HowTO and a FAQ available. If you are risk averse you may not want to use Samba 4 in production just yet :)

  12. Not very realistic by Krokant · · Score: 3, Informative

    It is not very comforting to read the following statement:

    "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."

    "Something to do with...". This is in every AD 101 book (machine accounts, password renewal, ... thing). I would at least expect that the Samba developers have experience in installing, running and maintaining a "realistic" Active Directory environment (read: more than 1000 client machines) before delving into the real messy details. I am not sure I even want to know how they are going to handle disaster recovery (one of the fun parts of AD, rest assured).

    Honestly, I cannot imagine why anyone would want to run a FOSS equivalent of Active Directory. After having spent months in setting up a full mixed Windows/Linux environment (OpenLDAP, Kerberos, Samba, the works), I can say that setting up AD is a breeze: for me, it is a prime example where Microsoft took existing technologies (LDAP, DNS, Kerberos) and actually turned them into something useful without the typically associated configuration nightmares. And it works very stably indeed.

    And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.

    1. Re:Not very realistic by jonwil · · Score: 4, Insightful

      Clearly you haven't priced the full costs of a full set of servers (and add-ons) for Exchange, AD etc. Not to mention all the client licenses you need (CALs or whatever they are).

      I am sure there are quite a lot of people who would LOVE to be able to replace a windows server machine with a linux machine running Samba + OpenChange + whatever else

    2. Re:Not very realistic by spazimodo · · Score: 3, Insightful

      The costs for AD/Exchange, etc. pale in comparison to the administrative salary costs associated with supporting an IT infrastructure and the lost productivity costs of down time.

      I've found Samba in a Domain environment to be kind of flaky, and while it's useful for accessing the file system on a Linux server (though I prefer scp) there's no way I would look at replacing any Windows file server that had an SLA with a Samba server. The licensing costs for a Windows server (especially virtualized) are negligible.

      On the other hand, there's still no great solution for something similar to AD on Linux. NIS+ is old and sucks. Going through the whole LDAP rigmarole only gets you part of the way and requires a hell of a lot of upkeep depending on the server. Winbind against AD isn't bad, though again it's flaky and requires way too much work to set up. I suppose there's the tried and true method of rsync-ing passwd, group and shadow files around.

      The combo of AD and Group Policy is pretty killer. It would be really nice to see something similar for Linux, or at the very least improved AD integration would be awesome.

      --
      Fsck the millennium, we want it now.
      Millennium Crisis Line: 0890 900 2000 [calls cost 50p/min]
    3. Re:Not very realistic by DaMattster · · Score: 3, Interesting

      "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."

      Samba 4 is not really production ready yet. That is why it is labeled as an alpha version. Those using it in production, do so at their own risk. That said, I use it in a home network and it does run beautifully. However, I would be leery of using it in a business environment just yet.

      "Something to do with...". This is in every AD 101 book (machine accounts, password renewal, ... thing). I would at least expect that the Samba developers have experience in installing, running and maintaining a "realistic" Active Directory environment (read: more than 1000 client machines) before delving into the real messy details. I am not sure I even want to know how they are going to handle disaster recovery (one of the fun parts of AD, rest assured).

      Disaster recovery will be far easier on a Samba 4 DC because access to AD itself will be far less obscured and convoluted. A simple raw LDAP call could restore the entire database at the Linux command line. I have seen countless problems restoring AD after a DC failure. I created a mock scenario with a Samba 4 DC wherein the entire database was wiped. I simply used Samba's own LDB toolset and had it up and running again in seconds.

      And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.

      You're missing the point. It isn't about cost at all. The point of having an open source replacement for AD is to make it easier for software developers to take advantage of the largely undocumented protocols. This is designed to facilitate interoperability. Even Microsoft, from the light of the anti-trust lawsuit it lost, extended an olive branch to the Samba team to assist in providing documentation. Plus, the work that Samba does stands to benefit Microsoft as well because they might be able to see where the Samba team has had some really good ideas and legally incorporate them into mainstream AD. And, before you express such confidence, I would try using Samba 4 myself. Some parts of the code are very mature and work well.

  13. Re:XServe by Ash-Fox · · Score: 2, Informative

    Well everybody here says "Linux" but let me point out that Apples Xserve uses Samba as well.

    Wait, you're referring to Apple, who ships broken stuff and tries to fix it only during major versions of their server OSes?

    Past examples of things which were not fixed until the next major version:
    Samba (numerous times, numerous issues)
    Apache (first few kb of files would only be sent)
    SquirrelMail that was shipped with OS X Server being incompatible with the version of PHP shipped with OS X Server
    Apple's VNC server (numerous issues)
    Numerous exploits in daemons (sshd, apache, samba, bind etc.)

    This is unacceptable for a server operating system. No, you can't spin this; having to wait for an entire major release after just getting a major release for a fix is completely unacceptable.

    So there will be even more interesting alternatives ahead.

    Here is the reason why I would use Linux over Windows for some domain usage:
    Faster file servers
    Cheaper licensing
    Offering FUSE access through Samba to certain remote data.

    Does OS X fit any of these scenarios?
    OS X server from my past experiments is not faster than Linux or Windows on the same hardware for file server usage.
    OS X server is not cost effective against Windows and certainly not against Linux.
    OS X server is unpredictable with FUSE support.

    If the version of OS X Server you're using has some AD integration issues (even though the issue is not located in the official Samba version), Apple will likely not fix the issue until the next major release - before you even mention that they will, I will remind you that they have not in the past and have shown no better behaviour towards fixes recently either.

    So I can't even recommend OS X for AD integration.

    --
    Change is certain; progress is not obligatory.
  14. Apologies for the AC post. by Klootzak · · Score: 2, Insightful

    Easy. You're "Anonymous Coward". You're anyone and no one.

    Well, even posting under my Slashdot "handle" I could be everyone and no-one too ;)

    A novice administrator would know this. I think you've been talking to the average joeish end users.

    No, the person I had to correct that issue for considered himself an "experienced" Linux Administrator (and Zealot - "Linux should be used for EVERYTHING"), having worked with various distros for 3 or 4 years. He was also employed by the Victorian Department of Education at the time - the problem he was having was at a client he was moonlighting for. I was the poor Bastard who had to drive on-site when he eventually called me for help at 8pm on Saturday after he'd spent a good 10 hours working on the issue (mind you, I walked away with $100 in cash for typing 'chmod -R ug+w [directory]', so it was inconvenient, but lucrative).

    The assumption you're making is that just because someone uses Linux, they also understand the underlying design of the technology that it is integrated with... not everyone understands filesystem permissions, you'd probably be surprised. Like I always say... Computers/Operating-Systems/Applications are a "tool" - to be the most effective, you need to understand the function of the tool in addition to its application.

    --
    A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
  15. I like Samba 4 except .. by rs232 · · Score: 2, Insightful

    I like Samba 4 except it doesn't have $RANDOM feature :)

    --
    davecb5620@gmail.com
  16. it goes on to say .. by rs232 · · Score: 2, Insightful

    It is not very comforting to read the following statement:

    "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."

    It goes on to say:

    "We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the best for security! Samba now has a conversion logic that handles random characters and is then doing normal Kerberos functions on it"

    --
    davecb5620@gmail.com
    1. Re:it goes on to say .. by Krokant · · Score: 2, Insightful

      Yes, so I read that they tried blank machine account passwords where Microsoft (indeed) uses a random password only known to the computer (and the hash in AD)...

      For more information (just some google hits):

      http://blogs.technet.com/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
      http://technet.microsoft.com/en-us/library/cc785826.aspx

  17. Samba and root by DragonHawk · · Score: 2, Informative

    Samba runs as root for a few different reasons that I know of:
    1. bind to privileged ports (1024)
    2. set{e,r}{u,g}id for the user being authenticated
    3. RPC-based system administration

    If it was just the first, I bet it could prolly drop root soon after startup. If it was just the first and the second, it might be able to drop root after authenticating, since each connection gets its own process. Samba may already do some of this, for all I know. Alternatively, implementing this may be difficult for architectural reasons, which may or may not be solvable via code restructuring.

    But for the third, it has to run as root all the time. What this refers to is the ability to perform system administration tasks (like adding/changing/deleting users, groups, computers, etc.) via Microsoft's RPC mechanism. This is how Windows does this, and Samba supports quite a bit of it. Notably, if you're going to support Windows domains on Samba, it needs to be able to create host OS (Unix) accounts for users and machines.

    It's probably theoretically possible to develop some kind of frontend/backend layer for process privilege separation, but at that point, you're basically just implementing all the protocol work Samba has to do all over again, in an internal protocol. If you couldn't get it right the first time, I wouldn't expect this try to be much better.

    Remember, Samba aims to be bug-for-bug compatible with Microsoft Windows, which means inheriting any brain damage present in SMB/CIFS. If you want a clean design, this is the wrong place to look.

    --
    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
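The "drop root soon after startup" pattern from reasons 1 and 2 of the post above, as an added example that is not Samba's code and not from the poster: bind the listening socket while still root, then permanently drop to an unprivileged account (supplementary groups first, then gid, then uid, setting real, effective and saved ids together), and verify that root cannot be regained before serving anything. It assumes Linux with glibc (setresuid/setresgid) and uses the account name "nobody" only as a placeholder target.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a TCP listener on the given port (0 = kernel-chosen ephemeral port).
 * A port below 1024 needs root on Linux; this is the step that must happen
 * before privileges are dropped. Returns the listening fd, or -1 on error. */
int bind_listener(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Order matters: clear supplementary groups
 * and set the gid while still root, then set the uid. Setting real,
 * effective and saved ids together means there is no saved root id left
 * to switch back to. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setresgid(gid, gid, gid) < 0) return -1;
    if (setresuid(uid, uid, uid) < 0) return -1;
    return 0;
}

/* Defensive check after dropping: every id must match the target and,
 * for a non-root target, setuid(0) must fail. Returns 1 if privileges
 * are really gone, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid) {
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) < 0 || getresgid(&rg, &eg, &sg) < 0) return 0;
    if (ru != uid || eu != uid || su != uid) return 0;
    if (rg != gid || eg != gid || sg != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;  /* regained root: not dropped */
    return 1;
}

int main(int argc, char **argv) {
    int port = argc > 1 ? atoi(argv[1]) : 0;
    int fd = bind_listener(port);            /* done while still privileged */
    if (fd < 0) { perror("bind_listener"); return 1; }

    /* "nobody" is a placeholder target account; fall back to the current ids
     * when the program is not started as root so it still runs for a reader. */
    struct passwd *pw = geteuid() == 0 ? getpwnam("nobody") : NULL;
    uid_t uid = pw ? pw->pw_uid : getuid();
    gid_t gid = pw ? pw->pw_gid : getgid();
    if (drop_privileges(uid, gid) < 0 || !privileges_dropped(uid, gid)) {
        fprintf(stderr, "refusing to serve: privilege drop failed\n");
        return 1;
    }
    printf("listening on port %d as uid %u, gid %u\n", port, (unsigned)uid, (unsigned)gid);

    /* Accept a single connection unprivileged, reply, and exit. */
    int c = accept(fd, NULL, NULL);
    if (c >= 0) {
        const char msg[] = "hello from an unprivileged worker\n";
        write(c, msg, sizeof msg - 1);
        close(c);
    }
    close(fd);
    return 0;
}
```

Started as root with a privileged port, the listener is created first and every later syscall runs as the target account; the check function is what turns "we think we dropped root" into a hard failure if a saved set-user-id was left behind. DragonHawk's third reason (creating Unix accounts over RPC) is exactly what this pattern cannot cover, which is why the post says that part has to stay privileged or move into a separate helper.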