Slashdot Mirror
Windows Server Trusts Samba4 Active Directory
Darren Ginter writes "A group of Samba v4 developers recently spent a week in Redmond to work with Microsoft on Active Directory interoperability(?!). The result? Windows Server will now join, trust and replicate a Samba-based Active Directory using Microsoft-native protocols. Although Samba v4 is still in the alpha stages, this is a huge step for open source. Or it could be a trap."
But the supreme court may void software patents, so it might not spring.
Help stamp out iliturcy.
Windows Server will now join, trust and replicate a Samba-based Active Directory using Microsoft-native protocols.
Now I have to get ready for the 4 horsemen, rain of fire and the end of time.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
...and good to know the hard working Samba team came away from Redmond feeling positive about the progress that was made. I don't think it's an earth moving change in the relationship between MS and the free world, but it's better than a sharp stick in the eye.
We can't repel firepower of that magnitude! Their patent portfolio is operational!
Palm trees and 8
"Microsoft Windows" and "trust", do those two even go together?
only when joined together with the word 'anti'.
to being able to implement this at home and at work to word towards replacing Windows Server 2003.
For home or small office use, this might be an interesting read. It's the slideshow from Kai Blin's Samba ARMed and Ready: Running an Active Directory DC on 2 Watts talk on an embedded Samba4 DC.
Folks interested in saving a buck will start using Samba servers to either completely host or participate in Active Directory domains. The trap or catch will come further down the road when Microsoft patches something that breaks the functionality, at which point Microsoft will simply state that if you wanted something reliable you should have used genuine Windows servers. Don't believe me? The samba project is already rife with examples of this. Didn't we see Samba choke when enterprises tightening up security disabled ntlmv1?
I seriously doubt Samba-based AD servers will be fully functional anyway, just like Samba emulating an NT4 domain was just barely functional. Microsoft helped them figure out how to use the native Microsoft protocols to replicate the AD database instead of having to rely on the semi-functional openldap hack they had been using (actually be be more accurate, MS confirmed and correct their reverse engineering of the protocols).
Being able to replicating the AD database/ldap and form working trusts does not make Samba a good substitute for AD. It simply gives it an ability to co-exist with a real AD infrastructure. GPOs and most of the other desirable features of Active Directory are not implemented in Samba. Big businesses will still use MS boxes to ensure all the features work and its stable, since the cost of the software is not the driving factor.
I think you mean "this is a sterling example of how poorly documented and understood, even within Microsoft, Windows behavior is".
Microsoft had to dig into Windows kernel source to figure out why Windows didn't like what Samba was doing. How the hell was the Samba team supposed to figure it out from specs?
This is why the OOXML spec is six and a half thousand pages long and even then parts of it still read, simply, "do what Excel does here".
Microsoft have been working with the Samba folks for some time. I suspect this is more to shut the EU up than because they really want to, but if that's their purpose then starting to enforce patents against the Samba team would almost certainly be a most efficient foot-shooting exercise.
If I am being perfectly honest, the only frustration (and I'm sure it's got more to do with a lack of resources than a lack of talent - Samba probably needs about four times as many developers who know the protocol backwards and inside out, problem is most of them probably work for Microsoft) is the glacial speed this is all moving at. AD was introduced with Windows 2000, the Samba team have been working on getting Samba 4 out for years and it's still only alpha code. Frankly, only being able to provide something equivalent to an NT4 domain looked quaint four years ago. Today it's downright embarrassing for anyone claiming that F/OSS is functionally equivalent to Active Directory.
(note to F/OSS advocacy trolls: I am well aware that AD is little more than LDAP/Kerberos under the hood. When you compose your flames, perhaps you would be so good as to explain exactly how one can manage a network full of Windows workstations with the level of control AD policies offer using nothing but F/OSS software which has reached a reasonable level of stability. NT4 policies are a pretty lousy substitute.)
Vendors is in quotes, as an open source project team really isn't a vendor.
True, but it also gives Microsoft the most bang for their buck, since by working with Samba developers, the information gets out there for everyone to see. If I'm not mistaken, Microsoft requires you to pay for their documentation. Samba's interoperability is documentation in a real sense (and source code is almost always better documentation than something that a technical writer came up with), and this lowers the barrier to getting that information. I think that the EU will view this favorably, which is probably why Microsoft is doing this.
As a side note-- my gut feeling is that nowadays, Microsoft's closed-off protocols are a hindrance to them. At this point in the game, the lock-in is well-known and I think that works against Microsoft with many sysadmins planning new deployments. If, on the other hand, there is a large and open software ecosystem, sysadmins will look on Microsoft products more favorably. E.g., Exchange is quite full-featured as a groupware platform, relatively scalable, and fairly easy to use, but lock-in, cost, and infrastructure requirements are problems. But if someone can set up a Samba4 AD and run Exchange on top of it-- or even better, the other way around-- now we're talking. Microsoft's attitude up to this point, though, has made many people (me included) simply work to ditch the existing Microsoft software we use.
back in 1995 I ran a small business that did Linux installs for companies to replace Windows NT Server systems with Linux plus Samba. We used Slackware Linux and then later Red Hat, but it did Windows file and printer sharing for Windows clients and saved those businesses thousands in Windows Server licenses.
But when Active Directory came out, companies switched back to Windows Server, because Linux and Samba lacked that. Exchange can be done via OpenExchange and use MySQL or PostgreSQL instead of SQL Server.
Linux has to match Windows Server feature by feature in order to compete with it, and be used. Linux might never replace Windows on the desktop, but it can replace Windows on the server as Unix and Linux are designed as server operating systems.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
"Yes, Samba4 can emulate an AD server, if you don't mind having to maintain two sets of user and group accounts. Samba4 still requires either usermapping, or managing the linux users and groups separately. "
Wrong! It's certainly possible to use trivial mapping for Unix and Windows groups and accounts. It was possible to do this since the early days of Samba.
Samba4 even supports the full mapping of Windows ACLs which was the main missing feature in Samba3.
"It simply lacks the nice seamless integration of AD, and does not fully implement GPOs inheritances, etc."
Again, wrong. You can actually use Microsoft's tools to manage GPOs in Samba4.
"If you read the article, you'd see they barely got it to the point where a Win2008 server would talk to it enough to join the domain (not just replicate the LDAP database). That's a far cry full full interoperability."
Wrong. Win2008 server not just joined the Samba4 domain as a member. It has established a _trust_ _relationship_ with it. So members of Win2008 domain could now access resources in Samba4 domain with correct cross-authentication. And this is not a small task.
Samba4 is about >this close to the full AD replacement.
The main missing feature is printing, there's no support for it in Samba4. This task is being tackled in the 'Frankie' project which tries to use parts of Samba3 for printing.
WTF? How can you possibly justify your position?
Lets just a quick "Lets get the facts straight campaign":
A 2003 license is $429.99 US ex tax (Euro pricing, I am sure that the US is cheaper) and that includes 5 CALs. Datacentre runs well and truly above your $3,000 figure, try doubling it if you want Hyper-V.
A 2008 CAL is about $30, but it's not just that you are probably going to want, it's sharepoint and everything else. So really, you just haven't done any research.
Lets run with your understanding about using Linux to connect to Windows, it's wrong.
If you aren't using their software, why would you have to pay for a Client Access License? I am sure you could make a donation to the Samba Foundation, and I am sure that they would appreciate it. Aside from that though, why would the protocols need a license? They have publicly posted the protocols, they got forced to by the EU as part of their anti-trust investigation. This was part of their settlement. They have also posted the protocols for Exchange and a number of other protocols; they had to.
Really, this is the whole point of Jeremy Allison going tot he EU hearings and testifying and everything else, to MAKE Microsoft go through the interoperate with everyone else. Take a look here: http://www.samba.org/samba/PFIF/PFIF_history.html
Disclaimer: I am not an apologist, I am a Linux advocate but I still use a lot of MS products in my day to day business
Curiosity was framed; ignorance killed the cat. -- Author unknown