Ask Slashdot: Is Samba4 a Viable Alternative To Active Directory?
First time accepted submitter BluPhenix316 writes "I'm currently in school for Network Administration. I was discussing Linux with my instructor and he said the problem he has with Linux is he doesn't know of a good alternative to Active Directory. I did some research and from what I've read Samba4 seems very promising. What are your thoughts?"
We finally switched out our last NAS that was running Samba. Too many small glitches. Not worth the hassle.
It's important to realise that Active Directory has a bunch of overlapping different features. Samba4 is a great for part of it. Puppet is great for a different part of it (the ability to configure systems - like a superset of Active Directory Group Policies) LDAP covers some other parts etc. etc. You need to be really careful with this question because it is already loaded. Essentially, if the answer is "Active Directory" you are asking the wrong question. Your overall system administration story with Linux will be much better than Windows but you need to start thinking more from the beginning since it isn't always as obvious which tool is the right tool.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Samba 4 is in its Alpha release stage and is not recommended for production. That said, it remains to be seen whether it will be.
It also depends a great deal on how and what you use AD for. For simple authentication you can use samba 3 + LDAP for that now.
For programs that require AD not so much with either.
I've managed to get XP clients to join an NT domain using Samba as a PDC. Samba 4 wasn't an option at the time, but I don't see why AD emulation should be beyond the realms of possibility.
The biggest problems I had were the cryptic errors from the Windows boxes, not Samba.
Samba 4 *is* intended to be a full AD implementation. Currently it has a built-in LDAP and Kerberos server set in the same daemon. That is a problem for some, like myself, that use Samba 3 + LDAP for shared auth. When complete it *should* be a fairly complete implementation of the AD specs, all of them. I have no idea how long this will take, or just how complete it is, but those are the design goals. All of this is a result of Microsoft releasing the full spec due to the European Union lawsuit.
I also commented above, Samba 4 *is* intended to be a full AD server implementation. It is using the documents Microsoft was forced to release as a result of an EU lawsuit.
How complete an implementation it ends up being and how well it works will have to wait to be seen once it exits Alpha status and gets a few beta releases under its belt.
It's a whole new samba in the end.
It works for small environments. But as you start getting above 50 people AD is the way to go for two reasons: 1) Less admin overhead time. Like it or not, AD "just works" unless you really snork it up; and 2) AD credentials integrate with more stuff and it's not tenable to have to maintain different user databases for each one. Sooner or later an enterprise will want Exchange... and spam filtering... and internet proxies etc. There are a multitude of products out there that will integrate with AD. To get the same with Linux / Samba (if it can be done at all) will require cobbling together services and solutions that will complicate your life. The bottom line: I went through my Linux zealotry phase too. Then I got a life and couldn't spend hours on end reading docs and fiddling with services and config files. Towards that end AD just simplifies user admin and frees you up to deal with other stuff. Linux has its place in the enterprise, but it ain't as an AD replacement.
Slashdot discussion about Samba 4's Beta release: Samba 4 Enters Beta
I am Slashdot. Are you Slashdot as well?
Please excuse my ignorance on Samba 4, I know it allows authentication but I don't know how robust the feature set is.
Some people hardly use AD. All it does for them is authentication. In that case, I would expect it to be an easy fit.
Microsoft AD offers a lot of features and many things integrate with it. The more of a Microsoft shop you are, the more you can become dependent on Microsoft's AD. Group policy is what jumps to mind the most for me. I don't know if you can use it with Samba 4, but it does make a lot of things easier. Most of what it does could be solved with scripts, I find myself using scripts less and less.
I find myself wanting to get our domain functionality level up to 2012 already for the new features, but I know many others that could care less. I would not be surprised to find a domain running 2000 or 2003 functionality levels. Those are the people that could get away with something else.
You are right, Samba is not. But Samba4 is.
You would be well advised to research the difference between release candidates and released software. Samba4 is not yet released... it is coming but not there yet.
NDS is seen as an alternative to Active Directory... yet mostly in larger deployments. Whether this is licensing or complexity... I'm not sure yet.
The poster didn't say whether his instructor had a problem with a Windows client/Linux server setup or with a Linux network in general.
E.g., what if you just cut Win clients out of the picture? Just have straight up Linux. Would he still have a problem?
Secondly, if you did have straight Linux, what kind of software stack would you have?
How well does LDAP work when you get to the nitty gritty? Is Kerberos something you'd be using? What's the best NAS? FreeNAS? 7 or 8? Or NAS4Free? Just a Linux box running NAS-type packages?
Single signon?
I'm not a lawyer, but I play one on the Internet. Blog
Samba has had NT support since way back and now has AD compatibility. So it works as a drop in for Windows servers that cost $$$$.
We have, for many years, had a computing environment that, on the server side, is a mix of Red Hat Enterprise and Windows. Users and groups are (ostensibly) the same in both environments. The servers running Samba were in AD but were not acting as DCs.
Samba has always handled the user accounts perfectly. Groups, on the other hand, break fairly frequently - and by "break" I mean it stops realizing that group "foo" on Windows is also group "foo" on Linux. Since most of our end users are on Windows boxes, and most of the authorization on the web server (my main concern) is handled using groups, this has been a big headache for me. Fortunately we were able to convince our manager it wasn't worth the continued investment in man-hours by our Linux and Windows guys to keep debugging this group issue, and we just pulled the plug - now everyone has to use scp/sftp, and everything works well.
Admittedly this is a narrow use case I'm describing. Also I wouldn't be surprised if everything would be peachy if 100% of the AD stuff was being handled by Samba (and ONLY by Samba). But if this is a mixed environment, you should do some serious testing before making a decision.
#DeleteChrome
Pretty sure most colleges and universities also turn a profit. At least all the deans and administrators do.
Only the State obtains its revenue by coercion. - Murray Rothbard
Samba may be able to do some of the Windows file and printer sharing... even acting as a domain controller. BUT. Trust me. It will be hell to administer. For what you pay for Windows 2012 Standard... with Hyper-V, and all the roles and services you just get... I don't see how you can compete with the ease of use and administration. On the other hand, if you are hard core UNIX/Linux and you need to support a few Windows boxen in your environment... then this is a great fit for you. Otherwise, stay away... far away. Anything you save in dollars you will spend in time... ten times over.
When you talk about alternatives to Active Directory you need to be specific as to what features of Active Directory you refer to. Active Directory is a lot of things: Distributed multi-master database, Authentication provider, Authorization provider, Configuration management system, and more. The Active Directory infrastructure provides: File services, Print services, Group policy, LDAP, DNS, DHCP, and other services.
I haven't read in detail about Samba 4, and it appears that the Samba Wiki is down at the moment, but there is a decent description on the Fedora Project site. According to the Fedora site, Samba 4 includes the ability to be a domain controller and implements the Kerberos stack, but it is not clear that it provides the centralized configuration management that Active Directory does. This centralized management (Group Policy) and the ability to delegate administration (Organizational Unit based delegation) are very powerful features of Active Directory and what keep large organizations on the platform.
If what all you are looking for is a shared account database and the ability for multiple workstations to authenticate against it, Samba 4 may be just the ticket. If however you are looking for a replacement for Active Directory at an enterprise level, I doubt it is there yet.
Since 2005, the combination of OpenLDAP, Heimdal Kerberos, and Samba 3 has been a staple in the Linux infrastructure, with other services such as FreeRADIUS, NFSv4, and AFS being tacked on for good measure.
Many if not most Linux based utilities support LDAP. Unlike Samba 3, which functioned as an OpenLDAP based application, Samba 4 completely replaces OpenLDAP and Heimdal Kerberos. Consider the following. Samba 3, while far beyond what Windows NT4 was ever capable of, expanded the NT4 Domain concept far beyond its design limitations. In the most recent era, Samba 3.5 and 3.6 created an enhanced form of NT Domain Authentication just for interoperability with Windows 7. (This is very fascinating because it uses Windows 2003 Sign and Seal with NT4 Authentication, something NT4 never could do.) So it can be said, while Windows 7 expressly drops support for Windows NT4, Windows 7 has express support for Samba 3.
Yet the sword of Damocles has swung over the head of Samba 3.x for a long while. Vista dropped support for NT4 style System Policies, requiring administrators to resort to registry trickery with Wine and third party policy tools such as NitroBit.
Samba 3 brought about a form of NT Domain that supported LDAP as a backend and could use Kerberos for authentication both for file shares and joining the Domain. (Although only other Samba clients could utilize the Kerberos aspects of Samba 3.) It could dole out policy by OU. With help from OpenLDAP, Samba 3 could overcome the single PDC limitation, and all Samba Domain Controllers could be writable PDCs because OpenLDAP supported Multi-master Replication.
Beyond Samba, FreeRADIUS could use LDAP for authentication, Evolution could garner configuration information from OpenLDAP for IMAP and SMTP settings (CalDAV support was never added, even though there were fields in the OpenLDAP schema for the three CalDAV based Calendar, Addressbook, and Task List.) This cooperated with eGroupware. Sudo could draw sudoers from OpenLDAP, as could NSS. Each had their own unique schemas.
Unlike when Windows moved from NT4 Domains to AD, where the movement was simple (before, you had no Directory Service, and now, boom! you do), in the Linux world LDAP has been a reality for a long time. Many applications are built to participate in Open Directory based Domains based on OpenLDAP schemas. What happens if the schemas conflict in their definitions? How will this be resolved?
Ask yourself why?
I used to be like you when I was 20 a decade ago. Here is what I have learned. Your enterprise hates change and looks at you as a financial burden and unnecessary cost unless you work for an IT company. If they have AD why switch? If what they have works don't mess with it.
I saw this pop up last week on Slashdot when Microsoft suggested business users stop using XP. Shockingly, a decade ago on Slashdot people would be laughing at everyone using an 11-year-old platform who refuses change all based on Microsoft. Fast forward to today and you see folks under 35 freak out and DEMAND XP BE SUPPORTED FOREVER because changing is something you never ever do! Those over 35 got modded down saying upgrading is part of your job. The point is, to put Samba 4 in you have to fight such people. They hate change and will cling to obsolete products, as their behaviors in the last decade taught them to lock versions with no updates and view everything as a cost center. Even a free product like Samba as such.
If it breaks who do you sue? Who do you call for support? Will you be handed a pink slip with a boot up your ass out of the door if something breaks? AD is standard, it is used by everyone else, other products like SQL Server, SharePoint, and Exchange use it. It is part of the proprietary ecosystem at work and even though Slashdotters breathe down Linux as the end all for everything, it is not in an already established enterprise environment.
Just stick with AD. It is what you will be quizzed on and expected to know in your first job interview. If you do not know it they will find someone else who will. It is that simple.
http://saveie6.com/
Maybe it's mediocre at mimicking NT4's domain system but AD is way out of Samba's league. That's OK though, AD has only been out for 12 years so it's still got some time to catch up.
So far I've set up several small offices using Samba4 as a drop in replacement for Active Directory. Here is what I've found it does well: Windows Authentication, AD DNS, Group Policy, Easy scripting (python tools and libraries). What it doesn't do well yet: Replicating AD with other servers. I haven't had much experience using subdomains, etc, mainly because I haven't been able to get it to replicate. But for a small office, it works fine.
This question needs some context. My first reaction was, "Hey, what about LDAP?" Then it occurred to me that the instructor was assuming a lot of MS-centric infrastructure that needs AD support. But that's just an assumption.
I've noticed a certain MS-centric viewpoint in many community college courses on networking. This probably has to do with MS giving schools a lot of resources.
Look at the use case.
I know too many Windows and Linux folks who try to shoehorn one way of doing things so it runs the way they want them to. This post reeks of that.
Find the best business reason to use one thing or another. I don't disqualify MS because it's not open source, or Linux because it's free. There are costs to doing everything, and usually made up outside of what infrastructure you decide on.
That said, Windows is best on the desktop because of Group Policy, its extension into things like System Center, IT Asset Management systems, reporting, workflow, automation, etc. I know it "can be done" with Linux but the process is usually smushed together and kludgy. Windows is simpler because of the software that supports it, many of them made by MS themselves.
I will stick with *nix for my backend requirements, and Windows for my front end. Until something changes drastically, I don't see much point in trying Linux on the desktop -- it's clearly not its strong suit.
The price is always right if someone else is paying.
Samba 4 is an EXCELLENT replacement for Active Directory. Any first year IT / Networking student should be able to configure a complete domain controller and master PC using Samba. In many cases Samba outperforms Active Directory on Windows. Samba uses fewer resources, less overhead, and that all gets returned in speed. In fact the only case where I would consider using Windows Server in place of a Linux Server is if I could only hire grade 10 IT nerds who have no idea what they're doing. If you want a server you want Linux; Windows is for people who want to show off their GUI instead of getting work done.
Keep in mind that "Group Policy" is, truly, merely Windows Registry keys stored in the LDAP database in Active Directory. Samba 4 will store these in its LDAP database. Something Samba 3.x+OpenLDAP couldn't do.
Linux has no Registry; Linux approaches the Group Policy concept differently by having application level sub-schemas that have to be imported into the tree. Linux applications then have to be configured to call on the LDAP database instead of using their local files. There are OpenLDAP schemas for:
Sudoers
Evolution
eGroupware/phpGroupware
DHCP
Samba 3 of course
Bind (Deprecated)
Posix Accounts (/etc/passwd, NIS and NFS related)
CUPS (Printers)
Kerberos
Posix
Puppet
urpmi (Exclusive to Mandriva)
Apache (Can store httpd cluster information)
Zimbra
...and more.
When Samba 4 is released, you have to import all these OpenLDAP entries into the Samba 4 LDAP tree.
Take a look at http://www.zentyal.org/ .
Samba + OpenLDAP is a fine choice for AD replacement.
They're using their grammar skills there.
Off topic, but how does Puppet do with Windows clients, both server and workstations? Can it handle the standard packages I'd deploy via AD? I've been perusing their website but only see that Windows can be a client, not seeing the extent of it yet. Thx for any info in advance, I'm a rollout and installation pro from the Windows side of the data center and always looking for more config/app management skills. - HEX
Horror & SciFi Erotic Nudes
Let the kids have their toys, put your efforts into the man tools.
Got Code?
Samba4 is on the verge of being a viable alternative to AD. Check back in a few years.
There is a commercial AD replacement that i believe uses Samba4 at its core: Centrify.
Samba 4 as a simple directory replacement for Active Directory is nowhere near ready. But, even if it was close, it would still be lacking "minor" things like a dead simple and reliable GUI that even end users can use. It would still lack integration into third party application capabilities for SharePoint and Exchange-like apps as well as reporting, monitoring and so much more.
The fact of the matter is that a directory far technically superior to Active Directory has been available for a couple of decades. That is Novell eDirectory. Yet, the defacto decision has been to cast it aside in favor of Active Directory, which is slowly approaching a similar capability. Even if SAMBA 4 were vastly superior technically, it would still have no chance against the integration and ease of use that Active Directory has over the most prevalent and widely used operating systems and applications on the planet.
Novell in its SLES/OES has an install option that you can use with eDirectory called Domain Services for Windows (Google dsfw).
It essentially has a Novell written (i.e. well tested "enterprise" quality software) translation layer that converts Active Directory calls to eDirectory. The translation occurs transparently and works with at least Win2k3 as an AD server. New versions should work with 2k8 soon (if not already). What else is nice is that when you use DSfW, you no longer need to use the Novell client or their tools (i.e. ConsoleOne or eDirectory via http) to manage the Windows machine; you just join it to a domain like usual and manage it entirely via MMS (group policies, etc.). And yes, they use Samba to provide the file access.
It works. Use it. Otherwise, just stick with MS and go with AD if you _really_ need flawless AD compatibility.
I dunno about Samba 4, but v3 could do the roaming profile thing with WinXP. So all your stuff is on the Samba server. If an XP box acts up or breaks, just move to another box (or plug in a spare), put in your username and password (on the domain) and continue your work (which XP will fetch from the Samba server).
Doing it for the first time was a nightmare, but as with all things Linux-y, the "IT WORKS!" or "IT'S ALIVE" is a real Dr. Frankenstein moment and definitely worth it :)
Puppet has a server and client setup. The Puppet server process is Unix only.
MSI packages are supported. I'm not sure about group policies yet.
I can throw myself at the ground, and miss.
I realise Novell aren't exactly a powerhouse any more, but does anyone else remember about 5 years ago when they released Domain Services for Windows? That was basically Samba 4, but using eDirectory and NSS (that's a proper man's filesystem, for you young kids) as the back end. I only played with it briefly whilst at my last employer, but damn did it rock... All the NSS clustering and good bits of Novell tech were totally transparent. The only time you knew you were talking to a Linux box was if you opened up a DC in MMC and looked at its properties, where it said something along the lines of "SuSE Linux Open Enterprise Server".
Fairly obvious that Jeremy A was largely responsible for DSfW, just a shame that stuff was most likely locked up as Novell IP and off limits to Samba 4.
I don't think you can replace Active Directory for things like Group Policy, etc. The functionality just isn't there, as far as I know. On the other hand check out the FreeIPA project in Fedora (and IPA in RHEL) - they now support creating trusts with Active Directory domains which allows sharing resources, etc. This is the gist of how it works: https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust
OpenLDAP, OpenDJ, FreeIPA. Does anyone bother to use Google anymore?
Check out products from Novell for really good stuff that integrates well across Windows and *nix.
I don't think it's bad for what it does, but the inability to rollback changes or even to know what's been changed is a serious oversight. There are third party tools that fix this (Google search for active directory change control), but for a large scale environment you shouldn't have to rely on third parties to make a tool usable.
Contrast this to a UNIX based ldap server (openldap) where the entire directory can be saved and reloaded as a text file over and over again.
AD also has the tendency to bury lots of information behind properties windows that have 30 or so tabs. Even if you look at all of those you'll still miss disconnected pieces like group policies or if an AD account has an exchange account.
I don't think "replace AD with Samba" is a good idea though. If you're going to be using lots of Windows systems then you're better off managing them with the tools provided by the vendor.
...it has a built in LDAP and Kerberos server set in the same daemon. That is a problem...
The reason is that M$'s implementation of things like LDAP is broken. So a standard LDAP (or Kerberos) server is not going to work.
E.g., OUs that really aren't (In AD, OUs are just cosmetic). There are attributes associated with objects that break LDAP spec. etc.
Microsoft broke Kerberos just enough to prevent using a standard Kerberos server setup, but works to use std. clients against AD.
Microsoft broke DNS in the 90s. They allowed things like underscores in names, which are illegal according to spec; all standard DNS servers now allow underscores to allow interop with the broken M$ implementation. There is even a DNS RFC that comes just short of naming M$ which calls out that they butchered and abused DNS in their AD implementation. This abuse interoperates with current DNS servers, though, so this isn't a reason for including their own DNS.
So, rather than breaking every other existing software package, or trying to maintain a bunch of patch sets, Samba just includes its own implementation of the above with breakage compatible with M$'s breakage.
I don't see it in the posts, but having a number of AD environments (unrelated companies) large and medium sized which I'm involved in I'm still baffled by the lack of capability compared to directories and the related functions of old. Yes, I'm specifically talking eDirectory (NDS) worlds of which I still have one running and keep having to check back on what I can do to ensure I'm not seeing the world through rose tinted glasses.
Samba + related systems are trying to fill a theoretical gap when eDir is already linux native, just commercial. Couldn't Attachment/Novell do us all a favour and set eDir free as the linux directory solution?
Unless you plan on completely removing Windows from your environment, including client devices you are responsible for, Active Directory is clearly the right choice. Samba4 might offer an alternative in the sense that it can serve the same function as many parts of AD, but it is not a realistic alternative when you consider the additional administration if you are already running a Windows domain.
I assume the fixation with AD specifically to the point of referencing Samba 4 means Windows will be a way of life.
Once released and incorporated into something like RHEL, then I'd say Samba 4 becomes worthy of consideration. At that point in time:
-If your infrastructure is mostly Windows, stick with AD.
-If your infrastructure/clients are mostly Linux (or clients aren't going to be traditional Windows workstations either way) or you have *realistic* ambitions of this being the case, then Samba 4 will probably be a worthwhile mechanism to integrate and service the occasional Windows presence. Note the realistic aspect of such ambitions cannot be stressed enough. There are a number of pie in the sky plans that everyone who is a part of it *knows* will never happen, and then you'll be stuck with what will be inevitably awkward infrastructure in a Windows centric business.
XML is like violence. If it doesn't solve the problem, use more.
The answer is no, Samba4 is not a good idea for admining a network of linux desktops. The point of Samba is to admin a windows network with a linux server. The poster never mentioned windows, and is asking about a tool like Active Directory for linux. He likely just means distributed authentication management. The answer is likely openldap (with or without kerberos) For all the other functions, there are tools, like chef, puppet, dsh, etc... that are better than anything in the Windows world.
You sound like Steve Ballmer (I meant it as a bad thing)
It's too bad Resara shut down. Hopefully someone will pick up its pieces.
We finally switched out our last NAS that was running Samba. Too many small glitches. Not worth the hassle.
NAS boxes tend to be designed for home users. They are not a "real" server where you can easily install anything you need, and comfortably configure it. If you need stuff that is not in the web interface, it gets difficult. You cannot compare Samba on a NAS to a real server (be it a Linux or Windows server).
Besides, the whole comparison is irrelevant because the poster was talking about AD. So that means it is AD vs. Samba 4, which just released their first "release candidate". That is not the same thing as Samba 3, which is a very reliable replacement for Windows NT server. I manage about a dozen servers with Samba 3 for various small businesses, and it works very well.
Someone mod this up. It's the absolute truth and not well known.
Samba 4 *is* intended to be a full AD implementation. Currently it has a built-in LDAP and Kerberos server set in the same daemon. That is a problem for some, like myself, that use Samba 3 + LDAP for shared auth. When complete it *should* be a fairly complete implementation of the AD specs, all of them. I have no idea how long this will take, or just how complete it is, but those are the design goals. All of this is a result of Microsoft releasing the full spec due to the European Union lawsuit.
I don't think I'm understanding this 'full AD implementation' thing.
Are you seeing Group Policy as being outside of a full AD implementation?
Or can Samba4 do Group Policy?
In the free world the media isn't government run; the government is media run.
To do which functions and to scale to what size? Login authentication for 100 users in a medium sized business works very well; the medical office management company I set up with VMware and Linux servers (but Windows desktops) has been working very well that way for 3 years already.....
To the Samba people: you could tell us that smbpasswd -a makes it work. It is not obvious.
A good *alternative* to ActiveDirectory is OpenDirectory or similar. Samba is pretty much just a direct copy of ActiveDirectory, which means it is compatible with Windows by default, but inherits many of the same weaknesses as AD.
If you want Active Directory, run Active Directory - and when you're chasing down some weird behaviour between client and server you can go to a single source for support.
If you don't want active directory, run something else.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Overall, no, it isn't even close. Samba 4 may offer the core features of AD itself, but it doesn't offer all the powerful management and Group Policy tools, system deployment facilities, etc. Some of it could probably be hacked in on top, but IMO, it's really not worth it.
I was running a Samba3 domain on an LDAP directory for years. It was OK, but always had annoying warts and problems, plus it was a pain to run. Automatic printer driver deployment was fiddly and never that reliable. Group Policy wasn't even an option.
Eventually I gave in and moved over to win2k8. As a heavy Linux user and long-time *nix sysadmin, I have to say, for running Windows networks I am NEVER going to use anything else. Sure it has its issues, but it's reliable and it has an amazing array of system management tools.
The Microsoft Deployment Toolkit alone is worth running a Win2k8 box for: just PXE boot your clients and have them auto-re-install themselves, install software and printers, change settings, add local users, install updates, and reboot almost ready to use. You can do this with a USB key and a manually copied Windows PE image, but it's fiddly and annoying.
Then there's Group Policy. Group Policy actually makes me want to use Windows. It makes me want to get rid of my Linux thin clients - despite their reliability - because with Group Policy I can just push changes out to all machines (or defined subsets) with a few simple changes in a central directory. It's seriously impressive.
About the only irritation is that so many software packages use custom installers rather than the Microsoft Installer (MSI), so it's not always easy to roll them out via Group Policy server push. Some of those that do (I'm looking at you, Adobe) don't make it easy to just download their updates whenever they come out and push them via Group Policy; you have to go and check for updates by hand. Fail.
Despite the irritations, there's just nothing like it for booting a client off the network and having it come up ready to use. Redirect the user's desktop and documents folder and you don't even need to worry about the machine breaking or having client backups; you back up the redirected folders, and if the machine breaks you just re-image it because it has no local data of any importance on it.
The sad fact is that tools like this are no fun to work on, so they're not something we're going to be seeing in Linux/BSD land in a hurry.
I think one needs to realize that MS became a de-facto standard, and that Samba is a Linux emulation of it. From what I see here, Samba4 also does Active Directory. But then it becomes a Linux re-implementation of A/D. Is it highly important to emulate pure file sharing at all? I once told myself that file sharing via a File Server may be a wrong approach to some problems, except when I'm copying and pasting some files here at home, between a mere 5 personal boxes. Even between my 5 home boxes, I've run into Samba hiccups. It's true that Samba is even accepted by my Windows 7 Pro, 64-bit client, while running on a Linux server. But it's a wavelike phenomenon based on Windows popularity. /There should/ be better ways to go, for large enterprises. Mind you, as sincere as I am, the main alternatives I can think of are probably too Linux-centric for you. I.e. you could do an NFS mount, a Unison sync via SSH, some form of WCMS, some form of OpenVPN / SSH tunneling, etc.
$ lsb_release -r
Release: 12.04
$ apt-file search libkdc-policy.so
samba4: /usr/lib/x86_64-linux-gnu/samba/libkdc-policy.so
$ apt-file list samba4 | grep kdc
samba4: /usr/lib/x86_64-linux-gnu/samba/libkdc-policy.so
samba4: /usr/lib/x86_64-linux-gnu/samba/service/kdc.so
Nothing is stopping someone like Puppet Labs from using Active Directory to push policy to unix domain members. Puppet currently has plugins for LDAP to push variables/manifests down to nodes. The difference here is using the AD LDAP (and the OU structure) not to push the settings themselves but instead to pull which policy objects apply (read via CIFS from SYSVOL, replicated by FRS across your DCs) for hosts, following the same inheritance logic for hosts and users, and supporting loopback processing, which would segue nicely with how AD currently handles Windows systems. That way you could have one policy object for, say, setting HTTP proxy settings, and while there would be an entry for IE 6 and 8+, and then a separate entry for puppet-managed Firefox on Unix, at least it would hang together in one logical object and apply for the appropriate machines/users.
It's not terribly difficult to write snap-ins or even basic ADMX templates to encode these key/values and put an admin-friendly face on them.
Centrify already has some of this (client plugins, management snap-ins for Windows admin workstations in AD). This is something I think that needs to become more commonplace.
The actual "artifacts" involved are very basic. ADM and ADMX files are simple INI-like files, fairly straightforward to author and parse. POL files are documented in technet and are essentially a binary version of the REG file format (add/modify/delete name-value pairs). You can also use INF files instead which can be specific to Puppet (treated like a foreign client-snapin to be ignored by Windows clients) but that requires writing a DLL to plug into MMC on Windows if you want to author/edit them on the Windows side.
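The POL format the comment describes, as an added example that is not from the thread, Samba or Puppet: a small Python writer and parser for a registry.pol file, following the header and [key;value;type;size;data] layout of Microsoft's MS-GPREG documentation. The "**del." deletion convention is taken from that documentation; the proxy-setting entries are constructed sample data whose names are modeled on IE's registry values.

```python
import struct
# Layout per MS-GPREG: "PReg" + version 1, then [key;value;type;size;data] entries in UTF-16LE.
REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)
LBR, SEP, RBR = (c.encode("utf-16-le") for c in "[;]")

def _utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"   # NUL-terminated UTF-16LE

def encode_entry(key, value, vtype, data):
    """Encode one entry; a value name of '**del.<name>' marks a deletion."""
    raw = (_utf16z(data) if vtype == REG_SZ else
           struct.pack("<I", data) if vtype == REG_DWORD else data)
    return (LBR + _utf16z(key) + SEP + _utf16z(value) + SEP + struct.pack("<I", vtype)
            + SEP + struct.pack("<I", len(raw)) + SEP + raw + RBR)

def _read_str(blob, pos, term):
    end = pos                                     # scan in UTF-16 code units
    while blob[end:end + 2] != b"\x00\x00":
        if end >= len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return blob[pos:end].decode("utf-16-le"), _expect(blob, end + 2, term)

def _expect(blob, pos, token):
    if blob[pos:pos + len(token)] != token:
        raise ValueError("expected %r at offset %d" % (token, pos))
    return pos + len(token)

def parse_pol(blob):
    """Return (key, value, type, data) tuples; a deletion carries data=None."""
    if blob[:8] != HEADER:
        raise ValueError("not a version-1 PReg file")
    pos, out = 8, []
    while pos < len(blob):
        key, pos = _read_str(blob, _expect(blob, pos, LBR), SEP)
        value, pos = _read_str(blob, pos, SEP)
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        raw, pos = blob[pos:pos + size], _expect(blob, pos + size, RBR)
        data = raw                                # REG_BINARY and others stay raw
        if value.lower().startswith("**del."):    # deletion marker from MS-GPREG
            value, data = value[6:], None
        elif vtype == REG_DWORD:
            data = struct.unpack("<I", raw)[0]
        elif vtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        out.append((key, value, vtype, data))
    return out

# Constructed sample for the "HTTP proxy settings" object the comment imagines (made-up values).
IE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_ENTRIES = [
    (IE_KEY, "ProxyEnable", REG_DWORD, 1),
    (IE_KEY, "ProxyServer", REG_SZ, "proxy.example.internal:3128"),
    (IE_KEY, "**del.AutoConfigURL", REG_DWORD, 0x20),   # remove a stale value
]
SAMPLE_POL = HEADER + b"".join(encode_entry(*e) for e in SAMPLE_ENTRIES)
```

Running `parse_pol` over a SYSVOL copy of registry.pol is a quick way to audit what a policy object actually writes before a non-Windows agent is taught to honour it.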
We never have problems serving files from our netapp systems. Perhaps you should upgrade?
Samba 3 can already do group policy.
Sorry to say, but Samba does not come close to AD; we tried it and failed (hard).
With entry-level costs for AD via SBS 2011 you would be silly not to use it.
Yes, AD costs a bit more to deploy as it's not free, but you will save a heap by not wasting hours trying to deal with issues you should not have to.
Having WSUS in place alone saves a lot of time and money, and that's before you start using GPOs to work their magic.
The Network Administration teacher is right: there is no good alternative for AD that can just drop in and work. Before jumping all over him, ask what AD actually is, because there is a whole lot more going on there than just SMB shares. If you can find a way to give COM objects all the access they want without AD in Linux then you deserve the Nobel Prize.
Still way too far behind AD.
"(In AD, OUs are just cosmetic)"
You're not really making yourself look as if you have any experience with AD here.
Fuck proprietary AD calls. LDAP is the standard to code apps with. AD has an LDAP interface by the way.
Everything I write is lies, read between the lines.
References:
http://stackoverflow.com/questions/997424/active-directory-vs-openldap
http://www.openldap.org/lists/openldap-software/200507/msg00185.html
http://blog.is4u.be/search?q=openldap
This is pretty funny considering Microsoft was nothing but a good late follower to this market. Samba, if not Samba 4, is a pretty easy to use alternative to AD. Setting up a file share or administering a small office network with it is very much possible, and for most people preferable. Doesn't Windows AD basically copy the original UNIX user permission structure, so, by definition, any UNIX system is a replacement for AD?
Microsoft broke DNS in the 90s. They allowed things like underscores in names, which are illegal according to spec -- all standard DNS servers now allow underscores to allow interop with the broken M$ implementation. There is even a DNS RFC that comes just short of naming M$ which calls out that they butchered and abused DNS in their AD implementation -- this abuse interoperates with current DNS servers, though. So this isn't a reason for including their own DNS.
Not really correct. The DNS specification in RFC1035 from 1987 allows the use of underscores in names. This has never changed.
This is a common misconception because the use of underscores in hostnames IS prohibited, and this remains true. Microsoft chose the use of underscores in their AD implementation to remove the possibility of name-space collision with hostnames. BIND, the most popular DNS server in use, only permits underscores in hostnames when an option is set to override the default.
Microsoft has broken lots of standards either because they didn't understand them or found it advantageous to ignore them, but this is NOT one of them.
Kevin Oberman, Network Engineer, Retired
Does Samba4 support claims-based authentication using WIF, as ADFS v2 does?
OK, so if I want to have centralized login/credential management for my Windows workstations/laptops but don't want to let Windows near the server room, where do I start?
"Active Directory" or "Samba 4" are really the only two answers I'm aware of, and currently, I don't like either.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
If you don't need all that AD gives you (or all that Samba4 gives you), then you don't need AD or Samba4.
If all you need are network shares or Windows boxes, you don't install AD/SMB. You install nfsd.
This is the correct answer. AD creates a foundation layer upon which all kinds of stuff gets built from desktop administration to email, sharepoint to digital encryption, and a whole suite of really good stuff that you may or may not use at all.
And then there is the PAC on Kerberos. I've read that the Samba team decided to implement their own internal LDAP and Kerberos systems because it would require so many modifications and patches on existing and stable projects that no open source project would want to maintain just because of Samba.
"Or can Samba4 do Group Policy?"
It does.
But there is GPO support on SAMBA4. You can even manage them remotely through GPMC on a Windows computer.
So I can roll out configurations to Windows 7 workstations, like getting them to install software, set password policy, configure firewall settings etc., all from a Samba4 server?
In the free world the media isn't government run; the government is media run.
As far as I can tell the policies that can be set through the GPMC console are equal or better than those on a Windows 2003 server so I think you should give a good look at it. All those more cheesy policies I've checked like desktop settings and restrictions, package installation and more are there.
I don't know if you can edit the password settings through the "Domain Security" MMC but I'm not saying you can't either. The "samba-tool" command however allows you to set password policies.
Again, go look at it, even if you are not planning to use it, because it's an interesting experience. I'm not saying that OP should use it because it's still in release candidate stage, but it will become a great piece of software when they release a stable version.
You could skip Samba4 and call Symas if you want consistent SID/POSIX mapping without learning everything about the protocols and paradigms of both systems. Or if you already understand the Deep Magic just use Kerb5 (MIT or Heimdal) and GSSAPI and SASL and OpenLDAP from sources.
Been down the Samba road a few times. While it's a wonderful tool, it's just not as seamless and well developed as AD. There's places to use it, as an AD controller, well, that would not be preferred unless you had no choice. It's definitely going to take more labor. If you're OK with that (labor is free camp), go for it.
If two tools do similar jobs in the same use case, but one can be administered by someone who isn't a dedicated professional, and the other one requires a specialist, then within that use case, the easier to use tool is better.
Really? What if the one that doesn't require the specialist costs more than hiring or training up a specialist? What if the one that doesn't require a specialist has other costs - like lockin, single-source supplier dependency, higher vulnerability to attack, etc.
I'm not saying that is the case with AD vs Samba (especially samba4, which is NOT yet released for production use). I'm not in charge of deploying either and haven't had any reason to compare them. I'm just saying that administrator skill level is not the only cost to compare.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Samba vampire basically automates this. It replaces an existing domain controller, by reading all the users/ groups/shares/member servers/etc. and then *becomes* it.
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Yes, samba4 is having growing pains. But we have several companies currently operating on Samba4 domains.
Also, you are using Windows tools to administer, so it couldn't be any more the same. All you are doing is getting rid of the ridiculous price tag.
I'm a sys admin that deals with Active Directory among other things. I've never installed Samba, but I have to ask: why would I want to have Samba? Every place I've ever worked in recent history has had Active Directory set up when I got there. Why would I try to migrate to Samba when AD works just fine? Aside from the Windows license, AD is free, it's the industry standard, 99.9% of software that integrates with Samba is also going to integrate with AD, but many products support AD but not Samba. It's much easier to get support, either free via forums, blogs, web searches etc., or paid support from Microsoft. It's much easier and cheaper to find consultants that know AD. Active Directory supports things like group policies and AD-integrated DNS zones. Does a product like Exchange integrate with Samba in a supported way? I don't believe so, and even if it does now, my Exchange admin needs to know Samba; that's going to be a lot harder to find than one who also knows at least a little AD. The question isn't why shouldn't I go to Samba, but why should I.
Well, OK, granted for personal machines.
But you should at least be able to browse the available servers, right? What I see is the community will continue to put out buggy Windows interop software because M$ can't just hand over the AD source.
Anyway, like I said in another place in the discussion, the Linux community seems to have gone about this wrong.
It would have been better to come up with a networking addon for Windows clients to allow them to easily browse and connect to resources provided by Linux servers in a hierarchical domain arrangement (basically, Domain Name System). So: ibm.com, fl.ibm.com, miami.fl.ibm.com, files1.miami.ibm.com, etc.
Auth handed by OpenLDAP and Kerberos. Remote login by RADIUS.
Some of that stuff would need some polishing around the edges plus integration, but again, writing your own Windows client DLL should seem to be much easier than divining and decoding messages passed around an AD network.
Also: it would have been nice to really think outside the box. Like, how about allowing users to browse resources instead of being concerned with which server a resource happens to reside on?
I'm not a lawyer, but I play one on the Internet. Blog
I've noticed a certain MS-centric viewpoint in many community college courses on networking. This probably has to do with MS giving schools a lot of resources.
Tell me about it.
I just started a database class at a full-blown 4-year-degree-granting college. The class requires the use of SQL Server 2008 Express (preferably R2) and its management studio. It's on a half-term, running at double speed to get done in eight weeks, so there's no time to even experiment with running parallel with MySQL, let alone attempting to do the assignments on it and falling back / testing on MS if something screws up. My home is now a pure unix/linux shop, so I (actually, my wife B-) ) configured up an XP system on a spare laptop just for this class. (We already have the firewall set up to provide a logically and physically separate "rednet" LAN to isolate any Microsoft machines - from when she had a similar situation at a community college.)
At first I wondered why the class couldn't use MySQL. It has about the same penetration as SQL Server in the industry (and then there's Oracle, so MS is actually a small player in this pond), which means learning only the MS way may be career-limiting. MySQL is free, is open-source (so students could get under the hood if they wanted to see how the sausage is made), etc. I even asked The Prof if the school was considering switching over later, but the answer was just that the class is on it now. Then I cracked the book (from John Wiley & Sons), and it became clear:
"Now available to educational institutions adopting this Wiley textbook is a free 3-year membership in the MSDN Academic Alliance. The MSDN AA is designed to provide the easiest and most inexpensive way for academic departments to make the latest Microsoft software available in labs, classrooms, and on student and instructor PCs. Database software, including Access and SQL Server, is available through this Wiley and Microsoft publishing partnership, free of charge with the adoption of Gilleson's textbook. ... Each copy of the software is the full version with no time limitation and can be used indefinitely for educational purposes."
Then in chapter 2: "The diagramming technique we will use is called the ... E-R model. ... there are many variations of the diagrams ... We will use [the version] provided by Microsoft Visio ..." And so on.
The schools are bribed with free, up-to-date, software and support IF they build their courses around the book. The publisher is bribed with a captive market into publishing a book that is designed to make students familiar only with the Microsoft ecosystem databases, documentation styles, and development tools. The students graduate ready to drop into a Microsoft-based operation but are left floundering and uncomfortable in a shop using other databases or documentation styles.
I work at a major web-hosting company where the entire infrastructure is Linux; including workstations and desktops.
The problem here is the assumption that you even need active directory. We instead completely ditched that idea and manage all machines using puppet. It's faster and easier and has the added bonus of patch management and installation of software specific to a machine.
The problem with AD (or its alternatives such as openLDAP) is that it becomes a long term nightmare to manage. The only benefit is that it gives whomever is managing it job security.
How does one get into this college racket?
As many have mentioned, it depends on your requirements. My past experience with Samba leads me to believe that it will probably take some bug fixing after the point release to make the edges smooth.
I also wouldn't encourage forklift upgrading Active Directory with this unless you have a compelling reason to do so such as licensing issues with no budget to fix.
With the integrators that will put mindless GUIs on top of it in the coming years, I would guess it could be very good replacement for AD in many scenarios. There will always be some that won't such as third party apps that require AD and do not provide support for a Samba environment.
What really matters is: do you want to put in place a system that most admins don't know about, putting your company at risk if you leave or do a poor job of managing it?
It's already complicated enough to manage Active Directory in a GOOD way, but by replacing it altogether you are not doing a service to your employer.
Group policies are really just bundles of registry settings and Puppet and CFEngine can both manage registry settings easily.
All you need to do is get a small brick wall (four feet wide by six feet tall is enough) set up in the network administrator's office. Next to this set a bucket, and keep the bucket full of rocks. The rocks should be small but as sharp and pointy as possible. First thing each day, have the network administrator put one or two of the rocks inside each of his shoes and keep it there for the rest of his shift, then periodically have him bang his head against the brick wall.
This will adequately simulate all the really important aspects of the experience of working with MSAD. Technically you could also use Samba, but it isn't necessary.
Cut that out, or I will ship you to Norilsk in a box.
You can get it to work. It will be amazing. If you are scriptaculous it can be easy to administer.
But wait till the next Windows OS comes out. Good luck upgrading a Samba DC to speak to new clients..... nightmare.
So, thank the EU then ?
Does it actually *work* properly though?
Samba 3 had network printer driver support. Theoretically. In practice it was a buggy PITA that took 10x as much work to get to the point where it worked 1/2 as well as the Windows setup.