Windows Server Trusts Samba4 Active Directory
Darren Ginter writes "A group of Samba v4 developers recently spent a week in Redmond to work with Microsoft on Active Directory interoperability(?!). The result? Windows Server will now join, trust and replicate a Samba-based Active Directory using Microsoft-native protocols. Although Samba v4 is still in the alpha stages, this is a huge step for open source. Or it could be a trap."
But the Supreme Court may void software patents, so it might not spring.
Help stamp out iliturcy.
Windows Server will now join, trust and replicate a Samba-based Active Directory using Microsoft-native protocols.
Now I have to get ready for the 4 horsemen, rain of fire and the end of time.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
...and good to know the hard working Samba team came away from Redmond feeling positive about the progress that was made. I don't think it's an earth moving change in the relationship between MS and the free world, but it's better than a sharp stick in the eye.
We can't repel firepower of that magnitude! Their patent portfolio is operational!
Palm trees and 8
to being able to implement this at home and at work to work towards replacing Windows Server 2003.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
"Microsoft Windows" and "trust", do those two even go together?
only when joined together with the word 'anti'.
Are you saying the Samba folks are trying to EEE Windows server?
Folks interested in saving a buck will start using Samba servers to either completely host or participate in Active Directory domains. The trap or catch will come further down the road when Microsoft patches something that breaks the functionality, at which point Microsoft will simply state that if you wanted something reliable you should have used genuine Windows servers. Don't believe me? The Samba project is already rife with examples of this. Didn't we see Samba choke when enterprises tightening up security disabled NTLMv1?
I seriously doubt Samba-based AD servers will be fully functional anyway, just like Samba emulating an NT4 domain was just barely functional. Microsoft helped them figure out how to use the native Microsoft protocols to replicate the AD database instead of having to rely on the semi-functional OpenLDAP hack they had been using (actually, to be more accurate, MS confirmed and corrected their reverse engineering of the protocols).
Being able to replicate the AD database/LDAP and form working trusts does not make Samba a good substitute for AD. It simply gives it an ability to co-exist with a real AD infrastructure. GPOs and most of the other desirable features of Active Directory are not implemented in Samba. Big businesses will still use MS boxes to ensure all the features work and it's stable, since the cost of the software is not the driving factor.
I think you mean "this is a sterling example of how poorly documented and understood, even within Microsoft, Windows behavior is".
Microsoft had to dig into Windows kernel source to figure out why Windows didn't like what Samba was doing. How the hell was the Samba team supposed to figure it out from specs?
This is why the OOXML spec is six and a half thousand pages long and even then parts of it still read, simply, "do what Excel does here".
Microsoft have been working with the Samba folks for some time. I suspect this is more to shut the EU up than because they really want to, but if that's their purpose then starting to enforce patents against the Samba team would almost certainly be a most efficient foot-shooting exercise.
If I am being perfectly honest, the only frustration (and I'm sure it's got more to do with a lack of resources than a lack of talent - Samba probably needs about four times as many developers who know the protocol backwards and inside out, problem is most of them probably work for Microsoft) is the glacial speed this is all moving at. AD was introduced with Windows 2000, the Samba team have been working on getting Samba 4 out for years and it's still only alpha code. Frankly, only being able to provide something equivalent to an NT4 domain looked quaint four years ago. Today it's downright embarrassing for anyone claiming that F/OSS is functionally equivalent to Active Directory.
(note to F/OSS advocacy trolls: I am well aware that AD is little more than LDAP/Kerberos under the hood. When you compose your flames, perhaps you would be so good as to explain exactly how one can manage a network full of Windows workstations with the level of control AD policies offer using nothing but F/OSS software which has reached a reasonable level of stability. NT4 policies are a pretty lousy substitute.)
Vendors is in quotes, as an open source project team really isn't a vendor.
True, but it also gives Microsoft the most bang for their buck, since by working with Samba developers, the information gets out there for everyone to see. If I'm not mistaken, Microsoft requires you to pay for their documentation. Samba's interoperability is documentation in a real sense (and source code is almost always better documentation than something that a technical writer came up with), and this lowers the barrier to getting that information. I think that the EU will view this favorably, which is probably why Microsoft is doing this.
As a side note-- my gut feeling is that nowadays, Microsoft's closed-off protocols are a hindrance to them. At this point in the game, the lock-in is well-known and I think that works against Microsoft with many sysadmins planning new deployments. If, on the other hand, there is a large and open software ecosystem, sysadmins will look on Microsoft products more favorably. E.g., Exchange is quite full-featured as a groupware platform, relatively scalable, and fairly easy to use, but lock-in, cost, and infrastructure requirements are problems. But if someone can set up a Samba4 AD and run Exchange on top of it-- or even better, the other way around-- now we're talking. Microsoft's attitude up to this point, though, has made many people (me included) simply work to ditch the existing Microsoft software we use.
A whole week? Here's a nice memory jogger for you:
Only summer comes, and the code isn't ready. It isn't ready in the autumn, either, and this starts to play hell with Sendo's budgets. December rolls round, and according to Sendo, bugfixes that carriers have requested are being refused by Microsoft. Sendo is in a cash crisis, and a call to VCs is spurned. So Sendo asks Microsoft for a further cash injection, which is declined:
"Microsoft refused with the full knowledge that this refusal would push Sendo to insolvency", claims Sendo in the filing.
How did it know? Well, meet Marc Brown, who was by now acting in his capacity as a Sendo board member while continuing his day job as the director of Microsoft's corporate development and strategy group.
In the end Microsoft winds up with all of Sendo's cellular phone intellectual property as the company is liquidated:
"They were not entitled to such information under the terms of the SDMA" - the precursor to the February 2001 agreement that the two inked in the fall of 2000.
In fact, this SDMA turns out to have been Sendo's death warrant. As the company explains:
"Under the SDMA, in the event of a Sendo bankruptcy, Microsoft would obtain an irrevocable, royalty free license to use Sendo's Z100 intellectual property, including rights to make, use, or copy the Sendo Smartphone to create other Smartphones and to, most importantly for Microsoft, sublicense those rights to third parties."
So... two years, 12 million dollars and a board member, and it does appear that it was a trap the whole time. To anybody who remembers IBM's partnership with Microsoft on OS/2 this tale will sound familiar. If you dance with the devil, you will pay his fee.
Back in 1995 I ran a small business that did Linux installs for companies to replace Windows NT Server systems with Linux plus Samba. We used Slackware Linux and then later Red Hat, but it did Windows file and printer sharing for Windows clients and saved those businesses thousands in Windows Server licenses.
But when Active Directory came out, companies switched back to Windows Server, because Linux and Samba lacked that. Exchange can be done via OpenExchange and use MySQL or PostgreSQL instead of SQL Server.
Linux has to match Windows Server feature by feature in order to compete with it, and be used. Linux might never replace Windows on the desktop, but it can replace Windows on the server as Unix and Linux are designed as server operating systems.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Even the Mac vs. Windows commercials, they start out "Hi, I'm a Mac," "And I'm a PC." Microsoft has very skillfully indoctrinated the PC-buying public in the USA to believe that Microsoft operating systems are the only thing that will run on an x86-based, non-Macintosh desktop computer.
"Choice" is anathema to Microsoft. Gates, Ballmer, Mundie, et alia want Windows on every PC in the world, and they are willing to use every means, legal or otherwise, to convince people (especially clueless executives) that there is no other system for a PC. In this, they were very successful for a long time. And, face it, a lot of people tolerate Windows in order to have computers on their desks, but how many actually like it?
Even if Microsoft were to admit openly that PC's can run other OS's, the sheer inertia Windows has today is going to take a while to overcome.
I have to disagree with your statement about popularity. If the majority of people didn't trust MS they wouldn't keep deploying it. That means that MS hasn't violated the trust of the majority and quite frankly, no one can please everyone.
While I agree that Microsoft shouldn't be trusted, I understand that the majority of businesses out there do trust MS and only use basic functionality, which in the Windows world simply works. Those of us that try to do unique things run into problems, so we like flexible solutions, so we ended up trying alternatives and became Linux users. I think you would be hard pressed to come up with protocol busting behavior from MS beyond that of IE functionality, which at the time all browsers were doing. Remember Netscape 4 and the lovely behavior it gave us? MS was just playing follow the leader and since they had a nice install base, surprise surprise, they came out on top. NTLM v1 was long considered a bad idea and v2 was clearly an improvement from a security standpoint. Could they have made it more interoperable? Probably, but how much should they spend on it? At what point does breaking compatibility make the most sense? Apple does it just fine rather routinely and without backlash, but MS seems to get blasted as untrustworthy for the exact same behavior, so I say the popularity does determine trustworthiness.
So what you're basically saying here, is that Microsoft is not purposefully evil, but rather incompetent (like many shops) at documenting their source code and software behavior ?
What I'm saying is that this is not evidence of *Samba* being incompetent.
However.
You can't rule out both.
I have in the past said that I wouldn't mind Microsoft being the "Evil Empire" if only they were a *competent* Evil Empire.
"Yes, Samba4 can emulate an AD server, if you don't mind having to maintain two sets of user and group accounts. Samba4 still requires either usermapping, or managing the linux users and groups separately."
Wrong! It's certainly possible to use trivial mapping for Unix and Windows groups and accounts. It was possible to do this since the early days of Samba.
Samba4 even supports the full mapping of Windows ACLs which was the main missing feature in Samba3.
"It simply lacks the nice seamless integration of AD, and does not fully implement GPOs inheritances, etc."
Again, wrong. You can actually use Microsoft's tools to manage GPOs in Samba4.
"If you read the article, you'd see they barely got it to the point where a Win2008 server would talk to it enough to join the domain (not just replicate the LDAP database). That's a far cry from full interoperability."
Wrong. Win2008 server did not just join the Samba4 domain as a member. It has established a _trust_ _relationship_ with it. So members of the Win2008 domain could now access resources in the Samba4 domain with correct cross-authentication. And this is not a small task.
Samba4 is about >this close to the full AD replacement.
The main missing feature is printing, there's no support for it in Samba4. This task is being tackled in the 'Frankie' project which tries to use parts of Samba3 for printing.
The trap wouldn't necessarily be Microsoft claiming patent infringement but offering the technology with a license that's incompatible with the GPLv3's patent requirements. Since Samba has gone to the GPLv3 license, it would basically cause Samba 4 to discard all work done under the GPLv3 license and basically cripple Samba to pre-GPLv3 conditions with a lot of work to redo a lot of functionality and improvements.
I warned of this possibility way back when the GPLv3 was a heated debate and again when Samba announced its move to the GPLv3. Without a firm commitment from Microsoft, this will forever linger and remain a possible threat. BTW, the unclean hands portion would drastically be negated in a court if MS offered a free as in beer license for any IP it considers infringing even if it isn't free as in speech and compatible with the GPLv3 requirements.
Publicly recanting the Halloween Documents, and particularly "embrace, extend, and extinguish" would be a start, if only a start.
Institute a 7 year clock.
Watch Microsoft actions over a seven year period, only start purchasing their products again if their actions over the last seven years show that they have honestly changed.
Anytime they spread FUD or Embrace or Extend or Extinguish or do anything, any action, to harm open source, FOSS and/or Linux RESTART THE CLOCK!
You base your purchase decision on their business decisions and actions, period. Let me say that again, based on ACTIONS, not WORDS or marketing FUD. Their words often lie; history is rife with examples. To not acknowledge this reveals you to be either a shill, working for Microsoft or ignorant of the factual history. Do not be part of the problem. Their actions often take 2 or 3 years before they can extinguish, thus a longer period is smart.
The added plus side is that if they KNOW that a business decision is going to cost them 7 years business from a significant segment of the market (they will try to tell you that it is not a significant part of the market, do not buy into that FUD); they are more likely to NOT be stupid.
All one has to do is look at the statistics in the browser wars; operating system wars, office wars, server wars, active directory wars, etc... to see that they win a battle here or there but they are slowly, very slowly losing the war. (It is not lost on the author that they started these wars, not anyone else) Do not let them spread more FUD that the numbers of users upset with their past business practices is small. Not now, not thanks to Vista and the Economic downturn.
Microsoft's new campaign, "make web, not war", too funny. Is that the pot calling the kettle black or what!
I am waiting 7 years before I purchase again. If they behave badly I will reset the clock from that day. I reset the clock this month and will probably reset it again next month. That's okay with me, it's not like I need their products anyway; there are ample options in every vertical. My guess is they will not be able to change their behavior, innovate and entice me to purchase. Only time will tell. It is up to them now, give me 7 years of good behavior and we can talk! Regardless, they will not be able to harm me or the businesses for which I make purchasing decisions any more.
Keep it simple!
On a positive note, I am guaranteed not to waste another dollar on vendor lock-in and proprietary BS. That makes me smile...all the way to the bank. My TCO (total cost of ownership) is already the cost of Vista and Windows 7 cheaper per desktop than any Windows user that bought into Vista. (I have multiple desktops and servers at home)
Why are you Vista users putting up with this crap, give Beryl a try, you will not want to go back. They should have given a cheap ($20 - $30) upgrade or free upgrade from Vista to Windows 7. Yet another mistake and any Vista user is right to be upset over it. Makes Microsoft look desperate to me.
On full disclosure, I saw a $300 netbook that triple boots (Macintosh, Windows and Linux) so I might waste $300 for a testing platform only. While I use Microsoft desktops at various companies when I have no other options; at home I have been free of Windows for over two years now. Linux is a smarter development platform also, as you can develop for all platforms, even Windows. The converse is often NOT true. Helps you to avoid functionality that is dependent on Windows operating systems as well. Very smart to avoid those traps.
Why 7 years? Glad you asked. They have been doing what they do, harming alternatives, for well over two decades, 20 years plus; 7 years seems like enough time to know if they have changed or not. (I was in IT before DOS 1.0; I have lived it first hand. I do not need anyone to verify what I have experienced.)
For newer
Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
WTF? How can you possibly justify your position?
Let's just have a quick "Let's get the facts straight" campaign:
A 2003 license is $429.99 US ex tax (Euro pricing, I am sure that the US is cheaper) and that includes 5 CALs. Datacentre runs well and truly above your $3,000 figure, try doubling it if you want Hyper-V.
A 2008 CAL is about $30, but it's not just that you are probably going to want, it's sharepoint and everything else. So really, you just haven't done any research.
Let's run with your understanding about using Linux to connect to Windows; it's wrong.
If you aren't using their software, why would you have to pay for a Client Access License? I am sure you could make a donation to the Samba Foundation, and I am sure that they would appreciate it. Aside from that though, why would the protocols need a license? They have publicly posted the protocols, they got forced to by the EU as part of their anti-trust investigation. This was part of their settlement. They have also posted the protocols for Exchange and a number of other protocols; they had to.
Really, this is the whole point of Jeremy Allison going to the EU hearings and testifying and everything else, to MAKE Microsoft interoperate with everyone else. Take a look here: http://www.samba.org/samba/PFIF/PFIF_history.html
Disclaimer: I am not an apologist, I am a Linux advocate but I still use a lot of MS products in my day to day business
Curiosity was framed; ignorance killed the cat. -- Author unknown