Samba 4.0 Released: the First Free Software Active Directory Compatible Server
Jeremy Allison - Sam writes "We released Samba 4.0 today, containing the first compatible Free Software implementation of Microsoft's Active Directory protocols. 'Samba 4.0 comprises an LDAP directory server, Heimdal Kerberos authentication server, a secure Dynamic DNS server, and implementations of all necessary remote procedure calls for Active Directory. Samba 4.0 provides everything needed to serve as an Active Directory Compatible Domain Controller for all versions of Microsoft Windows clients currently supported by Microsoft, including the recently released Windows 8. The Samba 4.0 Active Directory Compatible Server provides support for features such as Group Policy, Roaming Profiles, Windows Administration tools and integrates with Microsoft Exchange and Free Software compatible services such as OpenChange.'"
Full release notes are available, and you can grab the files from the download page.
We got a giant monolith instead of a bunch of core libraries and services.
Oh hell yes
Slashdot does it again....
Oh My Gawd.
I have been waiting literally *years* for this.
This just made up for an otherwise very crappy day. No, this just fixed my whole year.
I'll be interested to see the reviews on this over the next several months. I'm interested to see how well this performs under different levels of load, and how it utilizes group policy. Kind of exciting in an extremely nerdy sort of way.
I'm assuming if Microsoft could legally stop this, they would.
Likely the interfaces aren't copyrightable and this is probably a clean implementation -- but I'm sure if Microsoft could trot out a patent or something else to stop people they would.
I can't imagine they want implementations of their stuff out there. (Granted, they mostly started out by implementing other people's stuff, so there may not be much they can do about it.)
I did a network integration capstone course where we had linux and windows in a single active directory domain, with single sign on and all users and objects in one database. How is this different?
More power to them though, active directory is HUGE in the enterprise space. If you could integrate its security controls and policies into android tablets and smartphones, windows 8 and its lame tablet UI will never see the light of day in big business.
Does swat still suck sweaty donkey balls?
I'm not a sysadmin, but I believe the whole point is that you can avoid running Windows servers (and all the high costs associated with them) and retain communication and sharing over a non-homogeneous network.
This might work for small networks, but what about Virtualization environments, Hyper-V, Multiple AD servers, Proxies, etc. I'm sure it's going to have limitations.
Because if you have several hundred VMs in an organization that do nothing but act as local domain controllers for AD, you can now not spend that money on Windows licensing and instead do it with Linux?
But I guess that wasn't incredibly obvious.
Because Windows isn't always the best tool for the job? Because having a diverse ecosystem of IT appliances that can all share authentication and other such services is a VERY valuable thing?
Stop them? Microsoft helped the Samba team. Microsoft even uses the samba torture testing framework internally for their own products as I understand it. The torture tests catch crap that their own testing wouldn't since it tries to send packets that Windows clients would never send.
The EU is still a bit angry at Microsoft (remember when they had to release all of the documentation on their implementation of the SMB protocol?) and they don't need to be stoking that flame.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
It's funny that this happens (and gets posted on Slashdot) today, not long after the announcement of the live interview with Luke Leighton, who started the Samba TNG fork.
Where the fuck do you think all that web-based administration plugs into, a unicorn?
Uh-huh. Right...
I hate to be the one to burst your bubble, but cloud-based services complement traditional computing environments, they do not replace them. If you're in certain situations (e.g., a small business with only 10 employees), the cloud can indeed be your entire IT infrastructure... but that won't work for everyone. Different needs for different organizations.
Unfortunately they kept the GPLv3 licence so it will never get used in any corporation large enough to have a "normal" legal team. :-(
It looks like Microsoft "educated" most of the lawyers that GPLv3 means trouble.
So Samba will be used by either small companies where the owner/CEO is smart enough that they do not care or by Google-level companies where the engineers have a word to say.
All the rest will have their lawyers say: "GPLv3 does not allow you to use Samba to manage protected information so we better buy some proprietary software without those limitations"
This is kind of a momentous occasion because it represents many, many man hours of work. I think Samba 4.0 has been under development since 2003. Nine long years and the fruits of the labor have been realized.
The main advantage isn't price, but at the very least flexibility (having the code available may not be an advantage for you in particular, but someone else could do an improvement on it that you could need). Security, embedding it on routers or even cellphones, freedom in general of doing with it what you need, not what Microsoft thinks you should, are other potentially important points.
Can someone mod this gentleman up please?
It's a sad reflection on slashdot if it's languishing at +2. Sort it out mods!
Will do.
How the heck can samba.org be /.'d?
It's only the linked page not the whole org, but /still/ guys...
I've worked for a long time in MS land. And I've had various open source things on the go now for many years. I'd like to congratulate the Samba team on their work. This is obviously a lot of work, and a lot of digging, and some very serious work. I personally did not like the EU stuff, and I never agreed to much of the assault on MS about lack of innovation - or many of the other smears that get tossed around.
AD remains a tremendous quantity of technology, created at cost by innovative people. I always felt it was wrong that they were somehow forced to pay for their innovation and development - in the end being forced to open it up because someone else said so. And I always pondered why open source, Linux, call the other parties whatever you like failed to actually innovate a true answer. Instead - while imitation is rather a compliment, it's rather telling that SMB/Samba has in many cases ended up not merely being a file sharing tech for open source to share with windows - but in fact open source to share with open source. But this is just something of a personal feeling I have. It's more a pang than a deep set feeling, and very warm congrats are still in play for the SAMBA team for making this milestone.
I am somewhat surprised though in reading the notes:
Known Issues
============
- Replication of DNS data from one AD server to another may not work.
The DNS data used by the internal DNS server and bind9_dlz is stored
in an application partition in our directory. The replication of
this partition is not yet reliable.
As I say, I've been working in the area for a long time, and my take on this is it should not have been released as a .0 release with this being unreliable. If your AD DC servers don't get this working reliably - from where I sit, that's a serious problem. For absolute clarity - I have a view on this, and that view is that DNS not being right breaks AD. If you have fundamental breakage in the area - I am loathe to see the release. I hope that reliability can be found in due course, but think it should have been solved before this release.
It is said in thread that some MS engineers are happy/impressed by this release. I don't know any AD people who would be in any way happy with DCs having a gremlin at the DNS level. It is minor on single servers, it's a major on any multiple DC AD setups.
for access to the said documents that allowed interoperability. After Microsoft was forced by the EU to release the docs.
Following in the footsteps of a failing company...
I can see it all right now
Somersault: Hey, boss!
Boss: Yeah
Somersault: Remember that perfectly good working Windows infrastructure we installed that we are still paying off? Where you will lose your job if I dare sneeze near them let alone touch or change anything, and any downtime will cost the company hundreds of thousands an hour?
Boss: Yeah
Somersault: I have a brilliant idea! I was at this site called slashdot and want to make a statement about proprietary software while saving mere thousands of dollars while changing our mission critical million dollar infrastructure ...
Boss: Uh, what?!
Somersault: You see! Microsoft SUX. We are slaves to this proprietary environment that has served us fine and works perfectly and want to use this freeware called SAMBA 4, which well should do what we already have. Think about the thousands saved and we could be all so cool and the CEO will think WOW, what brilliant IT guys we have who swear by using only free software and not what works already that is well supported, documented, and tested!! It has to be soooo much better because it is not made by Microsoft and ...
Boss: Somersault! I am having a bad day as it is, shouldn't you be doing something right now? No I do not mean reading slashdot either! Pffft kids today. Oh and go get me a cup of coffee while you are at it? Finish your work and I will sign your internship papers so you can get your first IT job when you get your degree?
To prove I am not a troll, I will say AD is atrocious! The real risk is anything that changes the schema permanently changes AD itself. The only remedy is to use ADSI Edit, which most respected IT professionals will rough you up in the parking lot for doing so. It also is why the companies pay $150 an hour to pay someone to install Exchange or Sharepoint. A botched installation will adversely impact everything company wide!
That my friend is why you do not touch these things! The price is worth every penny to the money making enterprise. A small business under 20 employees does need AD as a simple server on a share will work fine. The owner can tell the user how to use it on the first day. Samba is not perfect and people who have tried to use it in university environments report issues like corruption, all of the sudden passwords not being accepted, and other glitches that the $1200 server version of Windows just keeps on working.
SAMBA is great for linux and Mac computers connecting to an enterprise network. But to replace a server or DC?! oh FUCK NO.
Sorry to point this out so bluntly, but I'm sick to death of this argument that Microsoft is better than open source, because they offer full support to business customers. As a sys admin with 15 years under the belt, I can tell you that I have never gotten anything from Microsoft past a link to a technet support wizard that asks 4 obvious, general questions and always ends with "Sorry we cannot provide a solution to this problem, Do you find this article helpful?"
NO I FUCKIN' DON'T.
Microsoft would be the last place I would ever call if there was a critical server failure where downtime is money.
In the real world, this kind of support is provided by 3rd party Managed Service Companies who are paid separately anyways, so you might as well pay for support on a nix based system, as they are well known to be much more stable (look at your average local nix admin with his feet up knitting or making chainmail, because he's got his systems singing and cron-grepping him hourly reports about how awesome he is and why he deserves a raise, compare this to your best of breed bad ass wizard windows admin, stressed as fuck, up till 4am fixing stupid shit for peanuts)
Actually, I was thinking it plugs into the south end of a north-bound unicorn...
Congratulations to the Samba team on this major accomplishment! Great work, everyone!
Please correct me if I got my facts wrong.
Good thing I'm the boss then :p I don't hate MS as much as when I was a student, but I'm definitely going to look into this. I'm not going to completely get rid of our Windows servers right now either. But when Server 2003 goes out of support, I expect I won't be upgrading.
I've done Windows Server and Exchange installs and upgrades without assistance. I did need help the first time I messed up Exchange I'll admit, but it's not that bad once you figure it out and do your research.
This just makes it way, way easier to provide network service redundancy (all the VMs you can eat) and simplify backup/restore procedures without paying for extra licenses. I think it's great.
I realise it may not be officially supported by VMWare, but does anybody know whether Samba 4.0 can be used instead of MS Active Directory with VMWare View?
You do realize that many enterprise storage servers made by companies like IBM, Symantec, EMC, Dell etc. are or have been based on Samba code, right ?
Nah, probably not... :-). After all, you know that only Windows storage servers work with Windows clients don't you :-).
Jeremy
LOL
I agree, existing OpenLDAP sites using Samba 3.x in cooperation with a host of other packages, using the traditional LDAP directory structure deployed on many Linux oriented sites are not going to migrate to Samba 4.0 as an AD DC any time soon. The change is just as big as the change to migrate to Microsoft's Active Directory, except that we provide a tested upgrade tool to handle the Samba-essential parts.
We want this to be easier, and the tools can certainly be extended to cover other schema items, and integration of these services can improve, because many of these can work well against a Microsoft Windows AD. However, we know this is a big leap, so we continue to support existing configurations (with the existing features). For want of a better term, we call it a 'classic' domain.
The issue isn't as much being unable to use an LDAP server as a data store (but this became more difficult as we became more like AD), as that unless we were to implement on the fly schema translation, most of the same issues would remain (assumptions about AD or traditional schema and layout between Samba and the other tools on the LDAP backend), and so the result would not have been useful anyway!
As such, the LDAP backend has been put aside as an interesting technical model that didn't work out. If a plausible use case ever comes up, then interested developers might revive some of it (the code and some tests remain where they are not impeding development), but for now there are no plans for support of anything other than local LDB files and native replication with other AD servers.
Andrew Bartlett
Samba Team
>>>The main advantage isnt price,
wanna bet?
Samba uses Heimdal Kerberos precisely because we did not wish to re-invent Kerberos. We bundle a known-working copy of that in the tree, and launch the KDC inside the samba process so it behaves as a seamless part of the AD DC. We provide plugins for the things that need to be AD-specific (such as PAC handling and reading the AD Database) for the Heimdal codebase to use.
For LDAP, we took a different approach, and instead wrote our own LDAP-like database on top of tdb. LDAP is in many ways much simpler at the core, and the hard parts are all the schema rules and special cases that are AD-specific anyway, and which we have special modules to handle (on top of LDB, which remains quite lightweight). That isn't to say that this would not have been possible - indeed, Luke Howard's XAD shows it is - but just that we decided to do that part in-house. I'm quite comfortable with that choice.
Andrew Bartlett
Samba Team
Now to create a group policy to lock down the linux machines on my network!
Indeed, it was seeing the limitations of the NT4 model that held back these domains that was one of the major reasons I started on the AD DC effort for Samba. I deployed (and indeed was involved in the creation of) a mixed Heimdal/Samba/LDAP domain, and saw how the lack of Group Policy caused real issues for a large network of Windows PCs. In my specialist area of Authentication, I also saw how NTLM authentication did and did not work, particularly in the load it put on the DCs. Kerberos is a much better authentication protocol than NTLM, and I'm glad that Samba now not only can accept Kerberos authentication, but as the Domain Controller, it can now be the KDC too!
In the same way, I saw the writing on the wall for NT4 support for a long time, and I'm just very glad that the interoperability environment changed enough in time that we were able to get changes made to Samba and Windows to allow Samba NT4-like 'classic' domains to continue, long past when NT4 DCs became not only unsupported, but deliberately broken (in the name of increased security). As you mention it still requires a registry patch however, and so with the release of Samba 4.0 as an AD DC I look forward to Samba administrators being able to deploy a 'just works' solution again, even for the latest Windows versions.
Andrew Bartlett
Samba Team
You are correct that if things were as bad as that particular paragraph sounds, then we would have a serious issue. That particular note (which I wrote) is over-cautious, and represents where we were at a few months ago. The situation is that when administrators manually attempt to replicate the DNS partition onto another DC, it is difficult to configure everything so that as well as the initial replication, updates are correctly propagated.
The good news is that now, when we are setting Samba up as a second DC, we now do this correctly at join time. From all reports, this seems to work fine, but the warning is there because I want administrators who are having issues in this area to know that some challenges may remain.
Overall, while we have great faith in our DRS replication code, and a large number of users have deployed multiple Samba DCs, we are promoting the single DC case first and foremost. Other limitations include that we cannot replicate the files in the sysvol share (where group policies reside) using native protocols (many of our production sites use an rsync script instead). We are well aware of these limitations, and try to describe them to our users.
You may feel we should have waited even longer to release, but I'm quite happy with what we have achieved, and how our production sites find it in the real world. There is always one more feature, one more bug, but I'm incredibly proud of what we have achieved with Samba 4.0.
Andrew Bartlett
Samba Team
The bind9_dlz backend uses the same database as the rest of Samba, and so suffers the same features and limitations as the overall DC.
As I said in the other post, while we are concerned about this area, so far this does not appear to pose an issue in practice.
Andrew Bartlett
Samba Team
You got it all wrong!!!
You plug the Unicorn into the Administrator!
Note that according to the Lore, this can only be done by a duly certified Virgin - and by implication, a Woman.
The AD DC is actually a bunch of core libraries and services. To make things easiest for our users, the services are linked into and started up by one binary, but internally each different task ends up in a forked process (if appropriate). But we do one better, and allow this to be controlled at runtime, so with '-M single' it essentially becomes a giant state machine, and can be handled with a single gdb. Inter-process communication is via a unix domain socket based messaging system or full DCE/RPC pipes.
External processes can register specific named pipes (when, as we do by default, we use smbd as the file server, this is actually a key part of the design), or DCE/RPC server modules can be loaded (the OpenChange project provides such a module).
We could discuss if more or less of Samba's internal communication should use one design pattern or another, but what is more interesting is that without fanfare or bother, some of those ideas, implemented pragmatically rather than dogmatically, have become an essential part of how Samba is implemented. That pragmatism has then brought us the AD DC that we are so proud to announce today.
I also love that the shared libraries that we now use internally make Samba much smaller as well, reducing the disk space overhead.
Finally, a surprising amount of the code is actually in modules on ldb, our ldap-like database at the core of the system.
I know you were hoping to troll with what has been a long-running design philosophy, but when you spend the time building the system, you find the pragmatism rules the day, and we use a variety of tools to get the job done, and to get it done in a way that is most seamless to our users.
Andrew Bartlett
Samba Team
All very pretty, but "pragmatism" is what got us all our broken systems. Windows is a load of doing what's "pragmatic" because it works, and the end result is when they need to change something it really doesn't work anymore. Have you finished a Windows port of Samba yet?
you find that pragmatism rules the day
FTFY
Actually, this is a question I just got from some of my IT friends: A lot of smaller shops are (perhaps justifiably) hesitant to custom build a Samba4 based AD server, but they would be happy to run a nicely boxed solution like ClearOS or FreeNAS or some of the other "enterprise storage servers" like you mention.
My question is, has anyone gathered a list of what Linux savvy solution providers are planning to move to Samba4?
Back in July, I made a partial list for a presentation I was doing on Samba4 at a technical conference. I don't know if this list is still accurate, or if more vendors have been added, but it's a starting point:
- Restara Server (AD replacement – recent Samba beta)
- ClearOS 6.x
- The ZEG (Zero Effort Groupware) edition of SOGo
- SerNet Samba 4 Appliance
- OpenChange (Open Source Exchange replacement)
- Zentyal 3.0 Beta
Somebody announces something awesome, and the actual developers show up in the comment thread further enhancing the awesome, and now I have to go download some stuff and try things out just for the hell of it.
It's like Slashdot Circa 1998. Crazy.
Hey you kids! Git offen mah lawn!
You're doing rather like using a Cyrix 486 instruction code that isn't available on any others and complaining that not all x86 code is the same.
At the level you're talking about, three things:
1) You have just plowed yourself into lock-in. Maybe before you do that you should have picked a cheaper option (Postgres or MySQL).
2) At that level, you're not going to be using MSSQL, it doesn't work well enough to use in that complex an environment
3) You shouldn't be putting your business code on your database. For the reason of lock-in and also because you're limited to those options that your chosen vendor implements, not those that you wish to use.
I know you were hoping to troll with what has been a long-running design philosophy...
Meh. Most of us would call that reality. You're late and irrelevant, something that those who seek to interoperate and compete with Microsoft never seem to get into their thick skulls. While you're ducking and covering for over a decade they're getting ahead.
Andrew Bartlett
Samba Team
Really great job!
http://imgur.com/AiBKG
Now, if you could just fork your team and do the same thing with Exchange. BTW, Exchange, unlike AD, is in dire need of some sane re-engineering. Just look at how it handles attachments!
OpenChange, mentioned in the summary, handles the Exchange protocols. We are very proud of the close way we work with the OpenChange team.
Andrew Bartlett
Samba Team
Any company that locked themselves into Microsoft deserves all the pain that they get.
You would have to be pants-on-head retarded to use anything from MS.