Slashdot Mirror


Active Directory Comes To Linux With Samba 4

Da Massive writes in with another possible answer to a recent Ask Slashdot about FOSS replacements for Microsoft AD server. "Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."

12 of 276 comments

  1. Jumping the Gun by TechForensics · · Score: 5, Informative

    According to TFA FOSS AD is not here yet by a long shot, in early alpha, many missing features. Summary is *terrible* in suggesting non-M$ AD is already here.

    --
    Those are my principles, and if you don't like them... well, I have others.
    1. Re:Jumping the Gun by Darkk · · Score: 5, Interesting

      One thing I find interesting in the article is that Microsoft has been working with Samba developers to provide them the inner workings of AD. Hell, even Samba developers discovered a bug about random passwords in AD and told Microsoft about it.

      AD in its present form is still a closed source project, so I find it interesting the Microsoft team is willing to provide them some of the secrets knowing that eventually it'll take away some of their profits, like they'll miss it anyway.

      So what exactly is the direction Microsoft is taking?

    2. Re:Jumping the Gun by b4dc0d3r · · Score: 5, Informative

      I'm just guessing here, but there was something about interoperability in, what was it, oh, every monopoly-related judgment they ever lost. Otherwise they wouldn't be helping.

  2. Re:AD licensing by Darkk · · Score: 5, Informative

    Exactly. You need CALs for stuff like:

    AD
    Exchange
    Terminal Server
    etc.

    It adds up pretty quickly.

    It's really a nightmare for IT Depts as they have to keep track of the CALs and ensure they have enough licenses to cover the number of users.

  3. Re:AD licensing by Anonymous Coward · · Score: 5, Informative

    A careful reading of the TOS says that it is licensed via user or device CALs based on authenticated users.

    They actually have an example: if you use AD as back end authentication on a web site you have to buy a CAL for every user, or magic uber-CALs for the web server.

    Really, it is just a tax. A MS shop typically has to pay:
      - For an OEM license on windows
      - For a volume license upgrade on windows
      - For a device or user CAL for the windows machine/user
      - For a windows server license (per VM!)
      - For exchange server (and a windows server license)
      - Per user exchange CALs (yay!)
      - Office CALs for outlook

    It used to be a CAL came along with NT4 so you didn't need a separate one, but that is not the case anymore. MS said their customers wanted the simpler model of paying more for the same thing.

    Of course, CALs and VLK upgrades are locked to specific versions so you have to keep buying them again and again to keep the additional rights.

    The only happy area is that the CALs apply to all servers at once, so if you have a thousand users and a thousand servers you only need a thousand CALs.

    No software checks this, but these are the terms.

    It is really quite insane, but maximizes MS's profits.

    See http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx
    And keep in mind that MS thinks performing an authentication against AD is accessing the server.

  4. Re:AD licensing by gallwapa · · Score: 5, Informative

    No...no...no

    There are "per device" or "per user" licenses.
    If you have 5000 computers but 40,000 users, it is probably cheaper to buy device licenses...so you can do that.

    In addition, each server DOES require a server license (which is different than a CAL).

    Windows is licensed like so

    Standard edition license includes 1 phys server + 1 VM (on the same server)
    Enterprise includes 1 phys server + 4 VM (again on the same server)
    Datacenter includes unlimited server licenses of any type

    Users with enterprise agreements or software assurance don't have to repurchase - they're covered under their contract.

  5. Re:Finally..an alternative by cencithomas · · Score: 5, Funny

    If you're calling an imperfect alternative to insanity "fixed"...

    ...why, you must be a Windows 7 developer. ;)

    --
    ...'tis easier to blame than to improve.
  6. Re:Finally..an alternative by symbolset · · Score: 5, Funny

    What's wrong with Microsoft's licensing model? You pay either per server or per seat. If you license some servers per server, and some per seat their monitoring software tells you how often you need to "true up", and if their software fails to do its math correctly they get to sue you and seize all your computers. That makes a lot more sense than Linux or BSD's licensing model where no matter how many clients or servers you have you don't have to pay. That's just anarchy.

    --
    Help stamp out iliturcy.
  7. Re:About Time... by Architect_sasyr · · Score: 5, Insightful

    Whether you agree with it or not, Linux has a very small market share in the two places it counts: gaming and the office. It's "big news" here when we find a government organisation or a school going with a Linux installation, and until it stops being so we can never consider Linux *as good* as MS or OS X, purely because of usage base. This functionality is an excellent step in the right direction for the office software, because we (as sysadmins) can build a server that silently integrates with all the XP/Vista machines on a network, without "telling" anybody about it. After a few months of having a stable Linux server in place, we can start pushing stable Linux onto the less-than-important PCs - like the receptionist (who can/should be trained) or the marketing department. Slowly (but surely) bringing across all the machines possible we can to Linux. Having AD functionality is definitely the first step. Getting a decent-free Exchange-replacement will be the next (and I mean free in the same way that Debian is free, unrestricted as much as possible) in the chain. Simply put, any OSS supporter needs to make some compromises to get their software into the enterprise. People grow up on Windows, or on OS X (as a rule it is one or the other) not (necessarily) on Linux, so we need to ease them in.

    Oh and Linux has its own Directory functionality, it's OpenLDAP. It's just not necessarily as easy to maintain as Open/Active Directory.

    My $0.02 AU.

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  8. Re:AD licensing by symbolset · · Score: 5, Insightful

    Look, you seem like the average unbiased poster so I'm going to give you a few tips even though I'm going to be modded off topic.

    If you're going to defend Microsoft or one of their products on /., you need to observe a few simple rules:

    Don't ask for proof of Microsoft malfeasance. You'll just get proof, and that doesn't serve your goal. Read the series of Halloween documents for an introduction to how much we know. It's scary.

    Don't ask questions you don't know the answer to. That's good guidance for lawyers, too. You'll get answers you don't want.

    Don't ask about someone else's experience. Their experience isn't going to help your cause, and you'll get replies from the least helpful people.

    Do brag features, but do it with some understanding of the features. Don't just list the marketing babble. Don't brag more than three features at a time because it's then obvious you're typing them from a list. Do brag features that seem important to the parent poster.

    If you must employ "anecdotes are not proof" be prepared for a swarm of people who confirm the anecdote. Nearly a billion people use MS software. Given enough experience, every failure mode is common. Every anecdote is common here and you would be surprised how selection bias draws people with shared anecdotes to slashdot just in time to skew the replies.

    If it's allowed in your contract, do be specific: What platform worked well on Vista, how much RAM did you have? What video card? If you must avoid vendor bias, split the vendors by market share and let the astroturfers brag up proportionate systems - if they work. And if they don't work, leave it alone.

    Slashdot has a grand bullshit detector, so don't lie. If you lie, the lie is not just going to be modded down - the responses to the lie are going to be modded up and be the only thing that people see, so the lie does more damage than silence would.

    There are more rules, but this should help quite a bit for now.

    --
    Help stamp out iliturcy.
  9. Re:AD licensing by betacha · · Score: 5, Informative

    I had the pleasure of formatting our Windows 2003 server this summer and completely replacing it with an Ubuntu Samba OpenLDAP Domain server using this tutorial... http://ubuntuforums.org/showthread.php?t=640760 The server has been working flawlessly at our school since September! We ran out of CALs and our school is expanding very quickly. It didn't make sense to purchase more and continue paying the micro$oft tax.

  10. Re:About Time... by hairyfeet · · Score: 5, Funny

    Reminds me of a story one of my former teachers told. He was working as a consultant for this decently large corporation. When taking stock of their computers he noticed an ancient NT server was sitting in the server closet doing their email and basic file serving. He went to the PHB and was told "I don't care what you change but do NOT touch that NT server! We had lots of problems until an IT guy we hired a few years back fixed it. It has never failed since and I do NOT want you messing with it!".

    Of course being an IT nerd that instantly made him want to see what this "Miracle worker" had done. So one weekend while everyone was gone he plugged a monitor in to see what his magic recipe was. What he found was Red Hat 4 running with a text file sitting in \ with READ ME IMPORTANT. So of course he did. It said "The stupid boss thinks this is an NT server. Keep your mouth shut and everything will be fine. Dave". He of course choked on his coffee laughing, upgraded the RAM (which the PHB authorized) and soon after left the company. He said "it was too damned much like Dilbert."

    --
    ACs don't waste your time replying, your posts are never seen by me.