Slashdot Mirror


Samba 4.0 Released: the First Free Software Active Directory Compatible Server

Jeremy Allison - Sam writes "We released Samba 4.0 today, containing the first compatible Free Software implementation of Microsoft's Active Directory protocols. 'Samba 4.0 comprises an LDAP directory server, Heimdal Kerberos authentication server, a secure Dynamic DNS server, and implementations of all necessary remote procedure calls for Active Directory. Samba 4.0 provides everything needed to serve as an Active Directory Compatible Domain Controller for all versions of Microsoft Windows clients currently supported by Microsoft, including the recently released Windows 8. The Samba 4.0 Active Directory Compatible Server provides support for features such as Group Policy, Roaming Profiles, Windows Administration tools and integrates with Microsoft Exchange and Free Software compatible services such as OpenChange.'" Full release notes are available, and you can grab the files from the download page.

84 of 343 comments

  1. If only it were samba-ng by bluefoxlucid · · Score: 2

    We got a giant monolith instead of a bunch of core libraries and services.

    1. Re:If only it were samba-ng by Jeremiah+Cornelius · · Score: 3, Informative

      Gates is forked.

      This will be embeddable on ARM appliances, and baked into VM management software, etc.

      It only took 12 years... :-)

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:If only it were samba-ng by Jeremiah+Cornelius · · Score: 2

      Tell it to the BSD license troll, who gave me his sophomore, libertarian rant on the FreeBSD funding thread... ;-)

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. No more licensing fees :) by somersault · · Score: 5, Interesting

    Oh hell yes

    --
    which is totally what she said
    1. Re:No more licensing fees :) by somersault · · Score: 4, Interesting

      I already have loads of client licenses, but this means no more server licensing, so it will be significantly cheaper for small businesses to build a small network with full redundancy, and massively cheaper to build out large networks. Get this onto Ubuntu Server with a friendly interface, and MS will be close to dead in the water as far as servers go.

      --
      which is totally what she said
    2. Re:No more licensing fees :) by wonkey_monkey · · Score: 4, Informative

      SQL may be SQL, but MSSQL is not MySQL is not PostgreSQL.

      --
      systemd is Roko's Basilisk.
    3. Re:No more licensing fees :) by kagaku · · Score: 5, Informative

      Spoken like someone who has NEVER done SQL development. SQL most definitely is not SQL, it's a world full of vendor specific dialects of SQL, each varying in subtle and incompatible ways. Not to mention each requires a different method of connection, protocol, authentication and integration.

      --
      everyday is another shooter.
    4. Re:No more licensing fees :) by Tailhook · · Score: 4, Informative

      ODBC? JDBC?

      Neither of these normalize vendor specific dialects. Both of these require vendor specific drivers to implement vendor protocols. All of this leads to costly subtleties.

      The grandparent is correct, both in its assertions about SQL and of you.

      --
      Maw! Fire up the karma burner!
    5. Re:No more licensing fees :) by TheNinjaroach · · Score: 2

      ODBC / JDBC takes care of the connection, protocol and authentication, but it definitely doesn't take care of vendor-specific dialects.

      Most good databases support ANSI SQL standards, but those specifications are lacking in too many ways to build a completely functional application without having to poke around with implementation-specific hacks.

      --
      I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    6. Re:No more licensing fees :) by Bill+Dimm · · Score: 2

      There are a ton of differences that are not normalized away by ODBC, including really basic functionality like the SQL code to drop or add multiple columns (and the need by some to manually drop indexes before dropping the columns, or the need to do a REORG TABLE after dropping columns). And, in spite of how incredibly old the ODBC standard is, ODBC drivers still don't implement some things or implement them incorrectly, so you really can't expect things to work with different DBMSs without testing.

    7. Re:No more licensing fees :) by bigstrat2003 · · Score: 4, Insightful

      I'd still wait 1/2 a year to put it into a test environment...

      Why? Isn't the whole point of a test environment to find out if something has issues? I think that interested parties should put it into a test environment immediately, cause that's why they have a test environment. But yes, wait some time to put it into production.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    8. Re:No more licensing fees :) by erroneus · · Score: 5, Insightful

      Sorry, but no. There are bunches and bunches of PHBs out there who will perpetually doubt that anyone can make a Microsoft server as good as Microsoft and would be more than a little afraid that by doing this, they would be in violation of some sort of license requirement. At the very least, it would void any support services if an exchange server were to connect to a Samba 4 AD domain. PHBs care a lot about stuff like that even if people rarely if ever use Microsoft's support.

      For that dream to become a reality, a big player out there would have to step up and put their branding and reputation behind it. For example, IBM might be a great candidate for that. PHBs still know who IBM is. RedHat might not get the reception Linux users might think they deserve. Oracle, as much as I would like to see them die in a fire, might also be able to pull it off.

      For now, the IT world is ruled by PHBs and one must always consider what things they might believe regardless of how ridiculous it may actually be.

    9. Re:No more licensing fees :) by Synerg1y · · Score: 2

      JDBC... lol, don't java'ers use hibernate now? Shit even got ported to .NET for some reason I'll never fully understand.

    10. Re:No more licensing fees :) by Synerg1y · · Score: 2

      Nope, enjoy MS licensing fees. Don't google mysql... don't do it...
      ...
      ...
      ...
      What did I just say? Now forget everything you've read here and enjoy MS licensing fees, don't forget to buy those CALs.

    11. Re:No more licensing fees :) by somersault · · Score: 2

      You don't sound like you have much of a clue either to be honest; when you buy server licenses, you also need to buy "client" licenses to go with them. These are in addition to normal desktop Windows licenses (as far as I'm aware at least). Though if you're using a non-MS implementation of the server, I don't see why you should need the client licenses too. If you do, that's still a hefty cost, but at least you shouldn't need to upgrade them every few years when running SAMBA.

      --
      which is totally what she said
    12. Re:No more licensing fees :) by jeffmeden · · Score: 2

      You are right, but the bottom line (to steal the adage) is that "no one gets fired for choosing microsoft". Yes you are locked in, but you are locked in to an ecosystem that 90%+ of the world's businesses run on, so it is seen as the safest of all choices (and cost is a small factor compared to job safety).

      This will take off when Samba can integrate with Google Apps and let companies throw away anything microsoft-related (but still be microsoft-like)...

    13. Re:No more licensing fees :) by aquarajustin · · Score: 5, Interesting

      This is why I don't work for a PHB. In fact, he's balding a bit. I have the best boss ever. He just gave me the green light to be early adopters and run this in production (once it passes a few sanity checks). We've been running the alphas and betas with much success. Samba team ftw!! Thanks guys! I've been waiting for this for so long.

    14. Re:No more licensing fees :) by Bill+Dimm · · Score: 4, Interesting

      Why would you be adding/dropping fields outside of installation/upgrading?

      I'm not sure whether you intend "you" in the above to mean the person who wrote the "accounts software" referenced at the beginning of this thread, or me personally. My personal experience was with writing document clustering software (groups related documents together based on analysis of the content) that could analyze the text stored in virtually any SQL database with an ODBC driver and export the cluster results back into the database as a set of additional columns. It would add a Cluster ID column (rows with the same ID would be in the same cluster), a column indicating whether the document was the representative document (i.e. approximately the center) for the cluster, and a few other columns. If the user ran multiple calculations on the same database and wanted to replace some old results instead of adding new columns, the old columns would be dropped and replacement columns would be added -- this was done because sizes needed for the columns may vary between different calculations, so simply overwriting the old ones wouldn't necessarily work. Getting everything to work across all test databases (Oracle, MSSQL, DB2, MySQL, PostgreSQL) was a major pain.

    15. Re:No more licensing fees :) by datapharmer · · Score: 2

      nonsense. how about upsert in mysql? Has to be done as a merge in mssql. Kinda killed your code for mysql and it works for everything argument. Not to mention the inefficiency of not being able to implement vendor specific options. sure you can limit yourself to vanilla sql, but if you want to get work done you pick a tool and use it. If you can get all the vendors to agree I'd be happy as pie, but claiming that is reality now is disingenuous.

      --
      Get a web developer
    16. Re:No more licensing fees :) by Em+Adespoton · · Score: 3, Interesting

      The problem is that SQL is all about the query language formalized structure. It says nothing about the procedures or how to control the backing server.

      Think about SWL (structured written language). There are a few standards, one of which is the Roman standard. Using this standard, we can use the same character set to represent many different spoken languages. We can store meaning using the Roman SWL and anyone else who knows the structure can extract it.

      However, the transforms and functions, cliches and linguistic interlinks all exist outside of that structure. As a result, a lexicon is also required in order to put in Italian and have it usable by someone in the Philippines. The information stores just fine, but updating and making sense of what you've retrieved takes more work.

      Annoyingly (to me anyway), almost every SQL server vendor out there has hard-coded a way of handling this extra meta-data and interfacing it with the data itself. Some of their solutions are similar enough that ODBC and OLE DB can handle basic procedure calls -- but anything written to take advantage specifically of the strengths of a specific SQL-backed service tends to be incompatible.

      So yes, you can connect SQL to SQL in any form, but actually managing the data and preserving context in a way an existing application wants to... that's another kettle of fish altogether.

      Of course, once it's done, it's done -- so someone could easily re-tool a Postgres DB to act enough like a MySql DB *for a specific DB instance* that the samba service should function "mostly" as expected -- and the actual structured data should migrate just fine once the re-tooling and testing is complete.

    17. Re:No more licensing fees :) by somersault · · Score: 2

      Exactly :) I'd rather not have me or my employer fined or given a criminal record for this kind of thing, so I want to ensure that we are fully legal. Of course all the licensing BS and cost just makes it a royal PITA to upgrade, so our network is still running 2003 Server/Exchange. I was considering Server 2008 soon as 2003 will be out of maintenance in a few years, but.. I like this better! Still have to decide what to do with email, but there are some nice mature options out there compared to last time I seriously considered switching (~6 years ago).

      --
      which is totally what she said
    18. Re:No more licensing fees :) by erroneus · · Score: 3, Interesting

      Actually, I have read right here among the commentary that one can still use the Microsoft tools for managing a Samba server. Getting Samba set up initially might require some level of ability, but you know? As much as it pains me to admit it, you have to have at least as much ability to do it with Microsoft. Anyone who thinks they can't learn to do it under Linux is simply limiting themselves needlessly.

    19. Re:No more licensing fees :) by DragonWriter · · Score: 2

      SQL is SQL, yes. But Oracle speaks PL-SQL.

      PL/SQL isn't the Oracle dialect of SQL, it's the SQL-based procedural language supported by Oracle for triggers/procedures, etc. An application talking SQL to Oracle doesn't need to use PL/SQL, but it does need to use the Oracle dialect of SQL.

    20. Re:No more licensing fees :) by LurkerXXX · · Score: 4, Informative

      MySQL is utter crap. It's not a replacement for MS SQL, it's not a replacement for any decent SQL server. It took those bozos YEARS to finally get MySQL to not recognize Feb 31st as a valid date.

      PostgreSQL is a potential replacement, but certainly not a drop-in replacement. Lots and lots of work would need to be done to convert between the different lingos they speak and the way features are implemented.

    21. Re:No more licensing fees :) by dgatwood · · Score: 4, Informative

      Just as long as you don't have to create a table, add any sort of triggers, or do anything interesting like automatic time stamping on modification/creation, choosing a random n entries out of the matches without shipping the entire huge set over a slow network, etc., then yes. As soon as you have to do something even slightly nontrivial, the difference between SQL dialects becomes the tenth circle of hell.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    22. Re:No more licensing fees :) by LurkerXXX · · Score: 2

      As a rule, MS SQL and Sybase are going to be pretty similar for most things, so it's fine to include it. (MS SQL was based off of Sybase until a few versions ago)

    23. Re:No more licensing fees :) by ArsonSmith · · Score: 4, Informative

      My anecdote: 5 years ago we were a 95% Windows shop with only 15 Linux servers. Today we are a 90% Linux shop with near 1000 Linux servers. We went from 5 Windows Admins and 1 Linux admin to 6 Linux admins and 3 Windows Admins. Yet we are unlikely to convert AD to this for the exact same reasons. It's not just AD it's the plugins to AD the monitoring and the fact that, while it rarely breaks anyway, if something does break the amount of repair tools and articles on how to fix it are numerous. As that original 1 Linux admin I would like to see this as an option. But it's not very likely.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    24. Re:No more licensing fees :) by Yosho · · Score: 2

      JDBC is an API for connecting to databases; Hibernate is a specific implementation of JPA, which is a persistence framework that provides object-relational mapping. The two are not incompatible at all; in fact, Hibernate uses JDBC under the hood.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    25. Re:No more licensing fees :) by mjwx · · Score: 2

      You are right, but the bottom line (to steal the adage) is that "no one gets fired for choosing microsoft". Yes you are locked in, but you are locked in to an ecosystem that 90%+ of the world's businesses run on, so it is seen as the safest of all choices (and cost is a small factor compared to job safety).

      They used to say "no-one gets fired for buying IBM". Is that still true?

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    26. Re:No more licensing fees :) by dbIII · · Score: 2

      "no one gets fired for choosing microsoft"

      That's a misquote of an old thing about IBM. Guess what one of the platforms IBM are selling support for is? A clue is it (and probably all the other platforms IBM supports) can run SAMBA.

  3. Samba Slashdotted by sergioag · · Score: 2

    Slashdot does it again....

  4. fsck yeah! by Netdoctor · · Score: 5, Insightful

    Oh My Gawd.

    I have been waiting literally *years* for this.

    This just made up for an otherwise very crappy day. No, this just fixed my whole year.

    1. Re:fsck yeah! by neokushan · · Score: 5, Funny

      I'm going to take a wild stab in the dark and assume you're a sysadmin.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    2. Re:fsck yeah! by MightyMartian · · Score: 4, Funny

      Or he's into some really bizarre porn.

      "Ooh yeah baby. That's it. Shove that NTFS ACL into a Posix ACL. Come on, harder... deeper... Oooh yeah! Map it to that sticky bit, baby! Map it!"

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:fsck yeah! by berashith · · Score: 2

      It's getting warm in here!

    4. Re:fsck yeah! by MrHanky · · Score: 5, Funny

      Ah, POSIX porn. Most people never even thought it existed, yet there it is, already a standard.

  5. Wow by Anonymous Coward · · Score: 5, Insightful

    I'll be interested to see the reviews on this over the next several months. I'm interested to see how well this performs under different levels of load, and how it utilized group policy. Kind of exciting in an extremely nerdy sort of way.

  6. How does Microsoft feel about this? by gstoddart · · Score: 5, Interesting

    I'm assuming if Microsoft could legally stop this, they would.

    Likely the interfaces aren't copyrightable and this is probably a clean implementation -- but I'm sure if Microsoft could trot out a patent or something else to stop people they would.

    I can't imagine they want implementations of their stuff out there. (Granted, they mostly started out by implementing other people's stuff, so there may not be much they can do about it.)

    --
    Lost at C:>. Found at C.
    1. Re:How does Microsoft feel about this? by mcl630 · · Score: 5, Informative

      Microsoft provided them with documentation and helped them with interoperability testing. From TFA:

      The Samba 4.0 Active Directory Compatible Server was created with help from the official protocol documentation published by Microsoft Corporation and the Samba Team would like to acknowledge the documentation help and interoperability testing by Microsoft engineers that made our implementation interoperable.

      "Active Directory is a mainstay of enterprise IT environments, and Microsoft is committed to support for interoperability across platforms," said Thomas Pfenning, director of development, Windows Server. "We are pleased that the documentation and interoperability labs that Microsoft has provided have been key in the development of the Samba 4.0 Active Directory functionality."

    2. Re:How does Microsoft feel about this? by Jeremy+Allison+-+Sam · · Score: 5, Informative

      Ahem. Microsoft provided a positive quote for the press release, and were involved in bug fixing to ensure interoperability.

      So no, I don't think they hate it :-).

      Jeremy.

    3. Re:How does Microsoft feel about this? by MooMooFarm · · Score: 2

      I'm assuming if Microsoft could legally stop this, they would.

      Likely the interfaces aren't copyrightable and this is probably a clean implementation -- but I'm sure if Microsoft could trot out a patent or something else to stop people they would.

      I can't imagine they want implementations of their stuff out there. (Granted, they mostly started out by implementing other people's stuff, so there may not be much they can do about it.)

      Well if this article is still valid, then I would say they don't mind Samba. http://linux.slashdot.org/story/08/10/23/1441200/microsoft-working-for-samba-interoperability

    4. Re:How does Microsoft feel about this? by ArhcAngel · · Score: 2

      O_o

      You've never seen two politicians who couldn't stand each other stand together and say nice things about one another in front of a large enthusiastic crowd?

      Or are you just really bad at sarcasm?

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    5. Re:How does Microsoft feel about this? by Xtifr · · Score: 4, Interesting

      Really? I was about to post a snarky reply when I noticed the name and the low-enough-to-be-convincing slashdot ID, so I'll make it more of a simple question: Given that Microsoft was required to publish the documentation by the EU, and the fact that this basically proves they did comply with the court's orders, can you really be sure they don't hate it? Sure, it gets them off the hook, which is reason enough for them to have helped with the effort, but they can still hate it.

    6. Re:How does Microsoft feel about this? by leoxx · · Score: 5, Informative

      Of course what you failed to mention is that Microsoft only did this because the European Commission forced them to:

      December 20th 2007. Today the Protocol Freedom Information Foundation (PFIF), a non-profit organization created by the Software Freedom Law Center, signed an agreement with Microsoft to receive the protocol documentation needed to fully interoperate with the Microsoft Windows workgroup server products and to make them available to Free Software projects such as Samba. Microsoft was required to make this information available to competitors as part of the European Commission March 24th 2004 Decision in the antitrust lawsuit, after losing their appeal against that decision on September 17th 2007.

    7. Re:How does Microsoft feel about this? by Aaden42 · · Score: 3, Informative

      Wasn't Microsoft *required* by a court judgement or two to provide documentation and interoperability for several of their protocols? I don't think this was entirely out of the goodness of their hearts.

      See the heading "February 2008 fine" here: http://en.wikipedia.org/wiki/Microsoft_litigation

    8. Re:How does Microsoft feel about this? by Jeremy+Allison+-+Sam · · Score: 4, Funny

      In the words of Francis Urquhart:

      "You might think that. I couldn't possibly comment.." :-).

    9. Re:How does Microsoft feel about this? by Jeremy+Allison+-+Sam · · Score: 5, Interesting

      Possibly their marketing and senior execs hate it (although I doubt that - Thomas Pfenning is at director level in the Windows org and he thinks it's pretty cool).

      But I know their engineers think it's cool :-).

      Jeremy.

    10. Re:How does Microsoft feel about this? by Bengie · · Score: 5, Informative

      Microsoft actually invited several of the SAMBA team over, had 2 senior engineers on hand to answer any questions they had about SMB and even gave the SAMBA team their own VM environment complete with Win7/Win8/Linux to run SMB2/3 compatibility testing. Lots of questions about RDMA, Interface teaming, and multi-pathing.

      The SAMBA team said they received a lot of insight and understanding from their time with the MS engineers and were impressed and excited.

      I'm not sure Microsoft is too concerned about SAMBA 4 being released.

    11. Re:How does Microsoft feel about this? by erroneus · · Score: 5, Informative

      From the Groklaw article, the documentation for active directory was sold to the Samba project. The Samba project then went about using the documentation as a reference. Microsoft did not want to sell this documentation to the Samba project and were required to do so under court order. So no. They weren't all that willing to help out.

      And if Microsoft starts playing "undocumented features" games again to break compatibility, they will find themselves in court again.

    12. Re:How does Microsoft feel about this? by Jeremy+Allison+-+Sam · · Score: 4, Informative

      There isn't a court-ordered requirement for them to test it. There's a market enforced requirement :-).

      Go into Frys (or local Geek store). Look at all the NAS boxes on the shelf. That's all Samba. Every one.

      Now imagine you're Microsoft. A new version of Windows comes out and it doesn't work against all the "home NAS media servers" people have. Ooops :-(.

      They test against Samba *all the time*, as it's good for their business to do so.

      They also go a little above and beyond by helping test the AD server part of Samba (which isn't in wide production use yet) - they do that in their interop labs up in Redmond.

      They provide free food for the engineers working late up there. It's not as good as the free Google food (but then again, hey - what is ? :-) :-).

      Jeremy.

    13. Re:How does Microsoft feel about this? by Anonymous Coward · · Score: 2, Insightful

      Not really. Integrating Linux clients into an AD authentication framework is a bit of a pain in the bum, because AD's view of the world is different to the POSIX view of the world, so any implementation (i.e. nslcd/pam_ldapd) goes to a lot of effort to map Microsoft-y concepts to POSIX-y concepts.

      If you need a centralised authentication framework for POSIX clients, OpenLDAP or NIS+ is a better bet. The only real reason to use AD for POSIX clients is because the AAA in AD is miles above anything like OpenLDAP: I use AD for several thousand Linux clients because the auditors would never sign off on OpenLDAP, for example. Samba4 doesn't solve the AAA problem (as far as I am aware) so it's still not a drop in replacement for lots of places where AD is used for POSIX clients.

    14. Re:How does Microsoft feel about this? by moonflower1 · · Score: 2

      What does "AAA" mean with respect to this topic?

    15. Re:How does Microsoft feel about this? by abartlet · · Score: 4, Insightful

      I do have to say, the AD interop labs were some of the most fun I've had in IT. And yes, it was great having the food brought in as we worked late into the night, night after night.

      The best bits were being able to work side-by-side with their engineers solving some of the trickiest parts of the puzzle, or working over the results of running their testsuite. These things made Samba much better, and I'm happy to say how much we appreciate these opportunities.

      Andrew Bartlett
      Samba Team

  7. What's new? by AlphaWolf_HK · · Score: 2

    I did a network integration capstone course where we had linux and windows in a single active directory domain, with single sign on and all users and objects in one database. How is this different?

    More power to them though, active directory is HUGE in the enterprise space. If you could integrate its security controls and policies into android tablets and smartphones, windows 8 and its lame tablet UI will never see the light of day in big business.

    --
    Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    1. Re:What's new? by bluefoxlucid · · Score: 4, Informative

      The domain is run by Samba straight on Linux, not by an Active Directory Domain Controller on Windows 2008 Server.

    2. Re:What's new? by jon3k · · Score: 2

      This didn't require a windows DC.

  8. Re:First post by HaZardman27 · · Score: 2

    I'm not a sysadmin, but I believe the whole point is that you can avoid running Windows servers (and all the high costs associated with them) and retain communication and sharing over a non-homogeneous network.

    --
    Apparently wizard is not a legitimate career path, so I chose programmer instead.
  9. Re:First post by MachineShedFred · · Score: 2

    Because if you have several hundred VMs in an organization that do nothing but act as local domain controllers for AD, you can now not spend that money on Windows licensing and instead do it with Linux?

    But I guess that wasn't incredibly obvious.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  10. Re:First post by Jerslan · · Score: 3, Insightful

    Because Windows isn't always the best tool for the job? Because having a diverse ecosystem of IT appliances that can all share authentication and other such services is a VERY valuable thing?

  11. Microsoft helped by Gazzonyx · · Score: 4, Informative

    Stop them? Microsoft helped the Samba team. Microsoft even uses the samba torture testing framework internally for their own products as I understand it. The torture tests catch crap that their own testing wouldn't since it tries to send packets that Windows clients would never send.

    The EU is still a bit angry at Microsoft (remember when they had to release all of the documentation on their implementation of the SMB protocol?) and they don't need to be stoking that flame.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    1. Re:Microsoft helped by AlphaWolf_HK · · Score: 2

      By the way, if anybody asks, it IS Microsoft's intent that other non-MS clients connect to AD. They specifically built a framework and API to allow 3rd party apps add their own schema to the database and query for user permissions. A few things I've worked with that do this are VMware vCenter and Cisco ACS firewall.

      And no, that isn't because the EU made them, they've been doing this since the earlier days of active directory (at least, Server 2003 has this functionality anyways.)

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    2. Re:Microsoft helped by moogla · · Score: 2

      I'd like to think that the whole Active Directory ecosystem is moving in a positive direction because of efforts like these. I have no problem with the LDAP + Kerberos + DNS + "Forests" and standardized structures model that Microsoft has championed; it is a very successful, flexible, and apparently extensible model and technology stack.

      --
      Black holes are where the Matrix raised SIGFPE
  12. Re:Administrative UI by Jeremy+Allison+-+Sam · · Score: 5, Informative

    Yes :-). That's why you can use the Windows tools to administer Samba4.0 AD server :-).

    Jeremy.

  13. Re:Too Late by X0563511 · · Score: 5, Funny

    Where the fuck do you think all that web-based administration plugs into, a unicorn?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  14. Re:I wouldn't jump the gun just yet by PlusFiveTroll · · Score: 2

    You're going to have to catch me up why Hyper-V and Visualization matter in your sentence. If your V-Server depends on AD which is on the V-Server you're going to have an issue.

    http://www.vmware.com/files/pdf/Virtualizing_Windows_Active_Directory.pdf

    People have already setup Samba4 and W2K8 ADs working together

    http://admingeeks.blogspot.com/2011/05/samba-4-domain-controller-part-4-adding.html

    The other issues are potentially a problem as there are thousands of different AD configurations out there, and all of them have not been tested.

  15. Re:I wouldn't jump the gun just yet by Xtifr · · Score: 2

    Didn't most of that stuff already work with OpenLDAP and Kerberos? Wasn't the only remaining issue the MS-specific bits of the protocol? I mean, yes, those are questions worth asking, but you seem to be assuming the answer is no; I would tend to assume the answer is, mostly, yes.

    This is not some upstart, fly-by-night system. Samba has been in heavy use in the enterprise space for many years. I've been amazed at some of the companies I've stumbled across that were using Samba servers even before the AD support was available.

  16. Re:GPLv3 by Jeremy+Allison+-+Sam · · Score: 5, Insightful

    Oh you mean corporations like IBM, EMC, Netgear, WDC, Google? Yeah, the GPLv3 really scared them :-).

    Listen to my presentation here:

    http://www.softwarefreedom.org/podcast/2011/may/10/why-samba-switched-to-GPLv3/

    to explain why GPLv3 is a *better* license for commercial use than GPLv2.

    Jeremy.

  17. Re:I wouldn't jump the gun just yet by Zombie+Ryushu · · Score: 5, Informative

    Samba 3+OpenLDAP+Heimdal Kerberos created what were often termed "Open Directory Services" by the Apple Crowd. They were mutant NT 4.0 Domains that had broken a bunch of the limitations of NT4 (such as multiple PDCs and levels of trusts), provided LDAP and Kerberos, but to Windows they were still just NT Domains. Not true ADs. XP and 2000 would disable Kerberos because it thought it was talking to NT4. Windows 7 dropped support for NT4 EXCEPT there was a special mode just for Samba 3 to work, and you had to edit the registry to get it working.

  18. Re:GPLv3 by erroneus · · Score: 2

    Wait, what? Tell me more. I'm dumb about these details.

    Why would the GPLv3 prevent anyone from running this anywhere on any scale?

  19. Re:GPLv3 by AlphaWolf_HK · · Score: 2

    You seem to know a lot about Microsoft's position on Samba, are you part of the Samba team? I used to have a lot to do with Tridge during his TiVo hacking days.

    --
    Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
  20. Re:GPLv3 by Jeremy+Allison+-+Sam · · Score: 5, Informative

    Yes, I'm Jeremy Allison - the original poster. I created Samba along with tridge (he was there first, and is much smarter than me though :-). I thought that was obvious, sorry :-).

    Jeremy.

  21. Re:Can someone mod this gentleman up please? by jamesh · · Score: 2, Funny

    Can someone mod this gentleman up please?

    It's a sad reflection on slashdot if it's languishing at +2. Sort it out mods!

    Will do.

  22. Microsoft Don't support Shit by Anonymous Coward · · Score: 5, Interesting

    Sorry to point this out so bluntly, but I'm sick to death of this argument, that Microsoft is better than open source, because they offer full support to business customers. As a sys admin with 15 years under the belt, I can tell you that I have never gotten anything from Microsoft past a link to a technet support wizard that asks 4 obvious, general questions and always ends with "Sorry we cannot provide a solution to this problem, Do you find this article helpful?"

    NO I FUCKIN' DON'T.

    Microsoft would be the last place I would ever call if there was a critical server failure where downtime is money.

    In the real world, this kind of support is provided by 3rd party Managed Service Companies who are paid separately anyways, so you might as well pay for support on a nix based system, as they are well known to be much more stable (look at your average local nix admin with his feet up knitting or making chainmail, because he's got his systems singing and cron-grepping him hourly reports about how awesome he is and why he deserves a raise, compare this to your best of breed bad ass wizard windows admin, stressed as fuck, up till 4am fixing stupid shit for peanuts)

    1. Re:Microsoft Don't support Shit by jp10558 · · Score: 2

      IDK, I have no problems with my basic windows servers. I find that Server 2008R2 is very similar to our RHEL6 boxes - once you get it going, it just keeps going until you fuck with it for some reason like an upgrade of software.

      And MS doesn't provide any more or less support than RedHat - if you pay for a support contract, you get the help you paid for. But as far as I can tell, you get almost nothing from any proprietary vendor just because you bought the software - you still have to pay extra for actual support.

      Which is why I agree with you that buying Microsoft products because they provide support is quite naive, you buy support from a vendor because they provide support - it has nothing to do with if you bought a license.

      My cheap out slow option is Technet - it gets you 2 phone calls and unlimited forum support where actual MS reps often reply, with reasonable solutions much of the time. That only works if you can spend days on the forum, but is very cheap. Price (and hopefully support speed) go up from there.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
  23. Re:GPLv3 by Jeremy+Allison+-+Sam · · Score: 3, Interesting

    /. is not what it was, but then again it never was :-).

    I miss the .bruce.perens/bruce.perens/bruce.perens./ wars.. and the "information wants to be wiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiide" guy :-). And who could forget sig11's "will the real Bruce Perens please stand up" ?

    But Tim Potter (old Samba Team member) and I loved the trolls :-).

    Jeremy.

  24. Re:No more job security :) by somersault · · Score: 2

    Good thing I'm the boss then :p I don't hate MS as much as when I was a student, but I'm definitely going to look into this. I'm not going to completely get rid of our Windows servers right now either. But when Server 2003 goes out of support, I expect I won't be upgrading.

    I've done Windows Server and Exchange installs and upgrades without assistance. I did need help the first time I messed up Exchange I'll admit, but it's not that bad once you figure it out and do your research.

    This just makes it way, way easier to provide network service redundancy (all the VMs you can eat) and simplify backup/restore procedures without paying for extra licenses. I think it's great.

    --
    which is totally what she said
  25. Re:No more job security :) by Jeremy+Allison+-+Sam · · Score: 5, Interesting

    You do realize that many enterprise storage servers made by companies like IBM, Symantec, EMC, Dell etc. are or have been based on Samba code, right ?

    Nah, probably not... :-). After all, you know that only Windows storage servers work with Windows clients don't you :-).

    Jeremy

  26. Re:GPLv3 by Anonymous Coward · · Score: 2, Funny

    Yep, thinking the same thing. Well, at least the ACs are still around.

    Donkey balls.

  27. Existing OpenLDAP setups by abartlet · · Score: 5, Informative

    I agree, existing OpenLDAP sites using Samba 3.x in cooperation with a host of other packages, using the traditional LDAP directory structure deployed on many Linux oriented sites are not going to migrate to Samba 4.0 as an AD DC any time soon. The change is just as big as the change to migrate to Microsoft's Active Directory, except that we provide a tested upgrade tool to handle the Samba-essential parts.

    We want this to be easier, and the tools can certainly be extended to cover other schema items, and integration of these services can improve, because many of these can work well against a Microsoft Windows AD. However, we know this is a big leap, so we continue to support existing configurations (with the existing features). (For want of a better term, we call it a 'classic' domain.)

    The issue isn't as much being unable to use an LDAP server as a data store (but this became more difficult as we became more like AD), as that unless we were to implement on the fly schema translation, most of the same issues would remain (assumptions about AD or traditional schema and layout between Samba and the other tools on the LDAP backend), and so the result would not have been useful anyway!

    As such, the LDAP backend has been put aside as an interesting technical model that didn't work out. If a plausible use case ever comes up, then interested developers might revive some of it (the code and some tests remain where they are not impeding development), but for now there are no plans for support of anything other than local LDB files and native replication with other AD servers.

    Andrew Bartlett
    Samba Team

  28. Not Invented Here by abartlet · · Score: 4, Interesting

    Samba uses Heimdal Kerberos precisely because we did not wish to re-invent Kerberos. We bundle a known-working copy of that in the tree, and launch the KDC inside the samba process so it behaves as a seamless part of the AD DC. We provide plugins for the things that need to be AD-specific (such as PAC handling and reading the AD Database) for the Heimdal codebase to use.

    For LDAP, we took a different approach, and instead wrote our own LDAP-like database on top of tdb. LDAP is in many ways much simpler at the core, and the hard parts are all the schema rules and special cases that are AD-specific anyway, and which we have special modules to handle (on top of LDB, which remains quite lightweight). That isn't to say that this would not have been possible - indeed, Luke Howard's XAD shows it is - but just that we decided to do that part in-house. I'm quite comfortable with that choice.

    Andrew Bartlett
    Samba Team

  29. Samba 4.0 vs 'classic' NT4 like domains on LDAP by abartlet · · Score: 3, Informative

    Indeed, it was seeing the limitations of the NT4 model that held back these domains that was one of the major reasons I started on the AD DC effort for Samba. I deployed (and indeed was involved in the creation of) a mixed Heimdal/Samba/LDAP domain, and saw how the lack of Group Policy caused real issues for a large network of Windows PCs. In my specialist area of Authentication, I also saw how NTLM authentication did and did not work, particularly in the load it put on the DCs. Kerberos is a much better authentication protocol than NTLM, and I'm glad that Samba now not only can accept Kerberos authentication, but as the Domain Controller, it can now be the KDC too!

    In the same way, I saw the writing on the wall for NT4 support for a long time, and I'm just very glad that the interoperability environment changed enough in time that we were able to get changes made to Samba and Windows to allow Samba NT4-like 'classic' domains to continue, long past when NT4 DCs became not only unsupported, but deliberately broken (in the name of increased security). As you mention it still requires a registry patch however, and so with the release of Samba 4.0 as an AD DC I look forward to Samba administrators being able to deploy a 'just works' solution again, even for the latest windows versions.

    Andrew Bartlett
    Samba Team

  30. Re:If only it were samba-tng by abartlet · · Score: 5, Informative

    The AD DC actually is a bunch of core libraries and services. To make things easiest for our users, the services are linked into and started up by one binary, but internally each different task ends up in a forked process (if appropriate). But we do one better, and allow this to be controlled at runtime, so with '-M single' it essentially becomes a giant state machine, and can be handled with a single gdb. Inter-process communication is via a unix domain socket based messaging system or full DCE/RPC pipes.

    External processes can register specific named pipes (when, as we do by default, we use smbd as the file server, this is actually a key part of the design), or DCE/RPC server modules can be loaded (the OpenChange project provides such a module).

    We could discuss if more or less of Samba's internal communication should use one design pattern or another, but what is more interesting is that without fanfare or bother, some of those ideas, implemented pragmatically rather than dogmatically, have become an essential part of how Samba is implemented. That pragmatism has then brought us the AD DC that we are so proud to announce today.

    I also love that the shared libraries that we now use internally make Samba much smaller as well, reducing the disk space overhead.

    Finally, a surprising amount of the code is actually in modules on ldb, our ldap-like database at the core of the system.

    I know you were hoping to troll with what has been a long-running design philosophy, but when you spend the time building the system, you find the pragmatism rules the day, and we use a variety of tools to get the job done, and to get it done in a way that is most seamless to our users.

    Andrew Bartlett
    Samba Team

  31. Re:What vendors are using Samba? by Bilbo · · Score: 2

    You do realize that many enterprise storage servers made by companies like IBM, Symantec, EMC, Dell etc. are or have been based on Samba code, right ?

    Nah, probably not... :-). After all, you know that only Windows storage servers work with Windows clients don't you :-).

    Jeremy

    Arrrgh!! I just realized that I hadn't logged in, so I'm posting this again under my /. name, not as Anonymous Coward...

    Actually, this is a question I just got from some of my IT friends: A lot of smaller shops are (perhaps justifiably) hesitant to custom build a Samba4 based AD server, but they would be happy to run a nicely boxed solution like ClearOS or FreeNAS or some of the other "enterprise storage servers" like you mention.

    My question is, has anyone gathered a list of what Linux savvy solution providers are planning to move to Samba4?

    Back in July, I made a partial list for a presentation I was doing on Samba4 at a technical conference. I don't know if this list is still accurate, or if more vendors have been added, but it's a starting point:

    - Restara Server (AD replacement – recent Samba beta)
    - ClearOS 6.x
    - The ZEG (Zero Effort Groupware) edition of SOGo
    - SerNet Samba 4 Appliance
    - OpenChange (Open Source Exchange replacement)
    - Zentyal 3.0 Beta

    --
    Your Servant, B. Baggins
  32. OpenChange by abartlet · · Score: 2

    OpenChange, mentioned in the summary, handles the Exchange protocols. We are very proud of the close way we work with the OpenChange team.

    Andrew Bartlett
    Samba Team