Ask Slashdot: Is Samba4 a Viable Alternative To Active Directory?

First time accepted submitter BluPhenix316 writes "I'm currently in school for Network Administration. I was discussing Linux with my instructor and he said the problem he has with Linux is he doesn't know of a good alternative to Active Directory. I did some research and from what I've read Samba4 seems very promising. What are your thoughts?"

No

[im_thatoneguy]

We finally switched out our last NAS that was running Samba. Too many small glitches. Not worth the hassle.

Re:No

[im_thatoneguy]

You're right. It is the administration not the software. We have a couple file servers running Small Business Server and a couple that were running Samba. The SBSs required no administration. We turned them on and they just kept trucking. Our samba box would have random drop outs where it would deny access unless you restarted the file server.

We also had trouble with user group permissions not getting picked up properly. We also had a problem where the clock would get out of sync and then deny access.

It seemed like there was a new unique "Administration" necessary every couple weeks.

Re:No

You don't know what you're doing then.

I have a samba box with Win7 auth via AD working fine, and serving 118MB/s over gig-e. Never had a problem with it, and I sometimes forget which shares are Win hosted and which are hosted from the FreeNAS box (samba).

Re:No

[im_thatoneguy]

Good for you. If you want to come setup my Samba box then be my guest. All I know is that one set of file servers works great without any administration and one has been a non-stop headache.

We have a grand total of 0 IT staff. That's possible with AD. I haven't found that to be possible with any Active Directory replacements.

Re:No

[Anomalyst]

Not expecting a drop-in but I would like it to at least provision a domain or have some response on irc or the samba maing list as to why it fails. Having the wiki howto up to date would not be a bad idea either.
The wiki and most other online resources indicate the one should use the "provision" command. This command is no longer available in the S4RC you must use samba-tool to accomplish the task.
sudo samba-tool domain provision --realm=new.example.com --domain=NEWDOM --dns-backend=BIND9_DLZ --adminpass=badpass --server-role='domain controller'
Unfortunately, attempting to provision on a fresh Ubuntu 12.04 install with the following additional packages:
build-essentials python-software-properties build-essential libacl1-dev python-dev libldap2-dev pkg-config gdb libgnutls-dev libblkid-dev libreadline-dev libattr1-dev openssl (please note these pre-requisite are not documented in the wiki) gives the following error:
"libkdc-policy.so: cannot open shared object file: No such file or directory"
and I cant get an answer as to where to find or build this module or find such info in a web search. All in all, it has been a very frustrating experience.

Re:No

[Bert64]

There's a difference between something possible and being a good idea...
I have seen samba networks setup with zero ongoing maintenance too...

If you don't maintain your servers, they will become more and more of a security liability as time goes on.

AD domains are terribly insecure at the best of times, find a single box in the domain thats got any vulnerability, exploit it and pull off some hashes then spray them across the network to get more boxes, eventually you own the whole domain. And if you think WSUS will ensure everything is updated, try updating a big network and then go around and thoroughly audit it (ie using something that checks for actual vulns or old file versions rather than querying the windows update apis)... You will usually find that a bunch of updates are marked as installed, when in reality they aren't... And all you need is one vulnerable box.

Re:No

[Compaqt]

It seems that it would almost be easier drop reverse engineering the Windows network server to allow standard Windows clients to use Samba, and instead:

Create a new Windows client network DLL which can be installed on Windows clients to be able to access resources provided by Linux servers running LDAP and friends.

Re:No

[CAIMLAS]

Sorry, what? Have you run Samba in a business environment? I have, and I can completely understand the sentiments here: there's a lot of little stuff that goes amiss or requires seemingly excessive management.

There are a LOT of "small glitches" while using Samba 3 in any not-just-Linux environment. It has nothing to do with 'poor administration'. Over the years, I have had problems with Windows - 98, XP, 2k, 2k3,Vista, and now W7 - operating properly against a Samba host. This isn't a matter of 'improperly administered' so much as it's a "Microsoft released a patch which broke things which worked previously" problem, and it seems to be getting worse as time goes on.

To add insult to injury, Samba 3 development has basically been in 'maintenance' mode for years, with Samba 4 getting seemingly preferential treatment. There have been very few new features of functionality added to Samba 3 aside from the odd "needed to keep things working well" patch or a backport from Samba 4 by an intrepid sysadmin (or so it seems). Really, what used to seem like a very nice and mature project now feels like something on life support, with half the features present having been backported from the development branch, often without a full implementation, inconsistencies, and no/poor documentation.

As for Samba 4, (which neither you nor my post's GP seem to realize we're talking about here): it's an entirely different beast than Samba 3. The only significant thing it appears to share in common with Samba 3 is the smb.conf format and actual file/print services (which is a fairly recent change). It is still in HEAVY development. What they started out to implement was really quite awesome and interesting: Active Directory based on open source tools currently in existence. At one point, they were using BIND for DNS integration and Heimdal for the directory. Their team members made many valiant attempts and efforts in providing patches to these supporting projects.

However...

Both those things are now internal to Samba 4. That's right: the directory itself as well as a DNS server are components to Samba 4. IMO, this is the biggest mistake they've made, and waiting would've been worth it if they could've gotten BIND to work (they couldn't, due to design differences between it and Windows AD/DNS frequency, chain of authority, etc. IIRC - not without making a mess).

Integration of their own directory (based on a heimdal fork, IIRC) makes sense. But not DNS, at least as its implemented now. The DNS server is not BIND compatible and will not take a zone transfer, and doesn't even do reverse records yet (not properly, at least).

THAT SAID, Samba 4 is still not hitting a 1.0 release. Who knows if 1.0 will mean 'beta, we're polishing' or 'production ready' - but I will bet you anything that it will be lacking documentation on how the tools work and have quite a few bugs. :(

I've been a follower of Samba 4 since I was in college, and that was close to a decade ago. I don't think there's much hope of it ever being production ready, not anymore. They tried to do too much, and as a result, Samba 4 won't be all that usable in an existing Samba 3 network where DNS is also used - it just won't be possible without making a huge mess of things due to a pre-existing DNS system which won't be able to be fully compatible.

Samba 4 works "OK" at home, but only if you've got very limited needs and you're starting from scratch. It's not nearly as flexible as Samba 3 (eg. different authentication backends, for instance) and from my point of view will not be 'production ready' for many years at its current pace.

Re:No

[CAIMLAS]

You realize that the guide you link is not only horribly out of date (over a year IIRC since alpha11 came out) and won't work with any of the current alpha (yeah, ALPHA) releases, but that Samba 4 has it's own dNS server now, basically requiring it operate autonomously from existing infrastructure?

Yes, building/installing and then provisioning Samba 4 takes all of about 5 minutes. Now integrate it with something which was in existence before you decide to stroke your balls with Samba 4... good luck, let me know how it goes.

Re:No

[ulzeraj]

Do this instead: get Open Enterprise Server with eDirectory and Domain Services for Windows. You can get a your sundry and basic AD duties done AND still get a cheaper, more stable, robust and feature rich Directory infrastructure than Active Directory.

Samba3 could fool XP

[CodeheadUK]

I've managed to get XP clients to join an NT domain using Samba as a PDC. Samba 4 wasn't an option at the time, but I don't see why AD emulation should be beyond the realms of posibility.

The biggest problems I had were the cryptic errors from the Windows boxes, not Samba.

Mixed results in a mixed environment

[93+Escort+Wagon]

We have, for many years, had a computing environment that, on the server side, is a mix of Red Hat Enterprise and Windows. Users and groups are (ostensibly) the same in both environments. The servers running Samba were in AD but were not acting as DCs.

Samba has always handled the user accounts perfectly. Groups, on the other hand, break fairly frequently - and by "break" I mean it stops realizing that group "foo" on Windows is also group "foo" on Linux. Since most of our end users are on Windows boxes, and most of the authorization on the web server (my main concern) is handled using groups, this has been a big headache for me. Fortunately we were able to convince our manager it wasn't worth the continued investment in man-hours by our Linux and Windows guys to keep debugging this group issue, and we just pulled the plug - now everyone has to use scp/sftp, and everything works well.

Admittedly this is a narrow use case I'm describing. Also I wouldn't be surprised if everything would be peachy if 100% of the AD stuff was being handled by Samba (and ONLY by Samba). But if this is a mixed environment, you should do some serious testing before making a decision.

What "Group Policy is"

[Zombie+Ryushu]

Keep in mind that "Group Policy" is, truly, is merely Windows Registry keys stored in the LDAP database in Active Directory. Samba 4 will store these in it's LDAP database. Something Samba 3.x+OpenLDAP Couldn't do.

Linux has no Registry, Linux approaches the Group policy concept differently by having application level Sub-Schemas that have to be imported into the tree. Linux applications then have to be configured to call on the LDAP Database instead of using it's local files. There are OpenLDAP Schemas for:

Sudoers
Evolution
eGroupware/phpGroupware
DHCP
Samba 3 of course
Bind (Deprecated)
Posix Accounts (/etc/password, NIS and NFS related)
CUPS (Printers)
Kerberos
Posix
Puppet
urpmi (Exclusive to Mandriva)
Apache (Can store httpd cluster information)
Zimbra ...and more.

When Samba 4 is released, you have to import all these OpenLDAP entries into the Samba 4 LDAP tree.

The closed source bit of Samba...

[Shuntros]

I realise Novell aren't exactly a powerhouse any more, but does anyone else remember about 5 years ago when they released Domain Services for Windows? That was basically Samba 4, but using eDirectory and NSS (that's a proper man's filesystem, for you young kids) as the back end. I only played with it briefly whilst at my last employer, but damn did it rock... All the NSS clustering and good bits of Novell tech were totally transparent. The only time you knew you were talking to a Linux box was if you opened up a DC in MMC and looked at its properties, where it said something along the lines of "SuSE Linux Open Enterprise Server".

Fairly obvious that Jeremy A was largely responsible for DSfW, just a shame that stuff was most likely locked up as Novell IP and off limits to Samba 4.

Re:Typical Instructor

[Murdoch5]

I know exactly what I'm talking about, in my experience the only people who blast Linux are really covering up the fact they don't understand it. Windows is capable because Microsoft slapped a over bloated GUI on. I've used many Windows and Linux servers and I have yet to see a case where Linux wasn't the better choice in 99% of all cases. That 1% is for the "special" software that some VP wants installed that only runs on Windows.

I've had many people complain that they have to learn the command line to use Linux and they need to understand how the network works and etc.... but I tell them to grab a book and learn. Out out the 100's of Linux servers I managed I would down grade 0 of them to Windows, from my personal experience Windows gets in the way and allows slop on my network, Linux keeps it neat and running fast, even the master Domain controller which is used for something like 1000 people to log onto the network is Linux based. Before I started the Domain controller was a Windows Server and the login time wasn't horrible, after I upgraded it to a Linux server we shaved about 1/2 second off the login times and another 20% on resource use. So my statement holds, If you don't want to use Linux for your network then you either don't understand it or you don't want to put effort in upfront.