Forgot your password?
typodupeerror
Microsoft Networking Windows Linux IT

Ask Slashdot: Is Samba4 a Viable Alternative To Active Directory? 388

Posted by timothy
from the they-weigh-the-same dept.
First time accepted submitter BluPhenix316 writes "I'm currently in school for Network Administration. I was discussing Linux with my instructor and he said the problem he has with Linux is he doesn't know of a good alternative to Active Directory. I did some research and from what I've read Samba4 seems very promising. What are your thoughts?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Is Samba4 a Viable Alternative To Active Directory?

Comments Filter:
  • by phoenix_V (16542) on Sunday November 04, 2012 @03:31PM (#41874067)

    Samba 4 *is* intended to be a full AD implementation. Currently it has a built in LDAP and Kerberos server set in the same daemon. That is a problem
    for some, like myself, that use Samba 3 + LDAP for shared auth. When complete is *should* be a fairly complete implementation of the AD specs, all
    of them. I have no idea how long this will take, or just how complete it is, but those are the design goals. All of this is a result of Microsoft releasing the
    full spec due to the European Union lawsuit.

  • Re:No (Score:4, Informative)

    by Hylandr (813770) on Sunday November 04, 2012 @03:34PM (#41874085) Homepage

    Poor administration is not the software / OS fault.

  • by phoenix_V (16542) on Sunday November 04, 2012 @03:34PM (#41874089)

    I also commented above, Samba 4 *is* intended to be a full AD server implementation. It is using the documents Microsoft was forced to release
    as a result of an EU lawsuit.

    How complete an implementation it ends up being and how well it works will have to wait to be seen once it exits Alpha status and gets a few
    beta releases under it's belt.

    It's a whole new samba in the end.

  • Nein. (Score:5, Informative)

    by doubledown00 (2767069) on Sunday November 04, 2012 @03:34PM (#41874095)
    It works for small environments. But as you start getting above 50 people AD is the way to go for two reasons: 1) Less admin overhead time. Like it or not, AD "just works" unless you really snork it up; and 2) AD credentials integrate with more stuff and it's not tenable to have to maintain different user databases for each one. Sooner or later an enterprise will want exchange.,,,,,,,and spam filtering......and internet proxies etc. There are a multitude of products out there that will integrate with AD. To get the same with Linux / Samba (if it can be done at all) will require cobbling together services and solutions that will complicate your life. The bottom line: I went through my Linux zealotry phase too. Then I got a life and couldn't spend hours on end reading docs and fiddling with services and config files. Towards that end AD just simplifies user admin and frees you up to deal with other stuff. Linux has its place in the enterprise, but it ain't as an AD replacement.
  • by OzPeter (195038) on Sunday November 04, 2012 @03:35PM (#41874101)

    Slashdot discussion about Samba 4's Beta release Samba 4 Enters Beta [slashdot.org]

  • Re:Not yet. (Score:3, Informative)

    by phoenix_V (16542) on Sunday November 04, 2012 @03:38PM (#41874133)

    I may have to put up a test copy then. I suspect there are few real world test cases being run, but an RC is far enough along
    for me to justify spending some cycles at work on it. There are more samba 3 + LDAP setups out there than people may realise
    and all of them stand to benefit from Samba 4.

  • by ruir (2709173) on Sunday November 04, 2012 @03:48PM (#41874207) Homepage
    Back here we are also handling the file servers, users and groups in a +10 thousand user infra-strutucture, and things work pretty well.
  • Re:Not yet. (Score:5, Informative)

    by Anonymous Coward on Sunday November 04, 2012 @03:54PM (#41874235)

    I've got four offices running various versions of Samba4 on ZFS, up to the latest git head pull. Some of those offices have been running alpha versions for two years without an issue, we mostly use it for roaming profiles and AD user management. Some portions don't work as well as a pure Microsoft environment may, like how many GPO setting changes appear to do nothing (like to try disabling CTRL+ALT+DEL before entering a password).

    It works for roaming profiles and it works well, but managing permissions (userid mapping, etc) between SMB4 and Linux is a pain the ass. Maybe I just haven't looked hard enough.

    Several of the AD configurators don't really do anything to the Samba4 installation, like managing shares. Changing ownership and making sure things are world-readable (like a common share) is also a kludge, something that shouldn't be true in a production ready software package.

  • by Zombie Ryushu (803103) on Sunday November 04, 2012 @03:55PM (#41874245)

    Since 2005, The combination of OpenLDAP, Heimdal Kerberos, and Samba 3 has been a staple in the Linux Infrastructure, with other services such as FreeRadius, NFSv4, and AFS being tacked on for good measure.
    Many if not most Linux based utilities support LDAP. Unlike Samba 3, which functioned as an OpenLDAP based application, Samba 4 completely replaces OpenLDAP, and Heimdal Kerberos. Consider the following. Samba 3, while far beyond what Windows NT4 was ever capable of, expanded the NT4 Domain concept far beyond it' design limiations. In the most recent era, Samba 3.5 and 3.6, created an enhanced form of NT Domain Authentication just for interoperability with Windows 7. (This is very fascinating because it uses Windows 2003 Sign and Seal with NT4 Authentication, something NT4 never could do.) So it can be be said, while Windows 7 expressly drops support for Windows NT4, Windows 7 has express support for Samba 3.

    Yet the sword of Damoclese has swung over the head of Samba 3.x for a long while. Vista dropped support for NT4 Style System Policies, requiring administrators to resort to registry Trickery with Wine and third party policy tools such as NitroBit.

    Samba 3 brought about a form of NT Domain that supported LDAP as a backend, could use Kerberos for Authentication both for file shares and joining the Domain. (Although only other Samba clients could utilize the Kerberos aspects of Samba 3.) Could delf out policy by OU. With help from OpenLDAP, Samba 3 could overcome the single PDC limitation, and all Samba Domain Controllers could be writable PDCs because OpenLDAP supported Multi-master Replication.

    Beyond Samba, FreeRadius could use LDAP for authentication, Evolution could garner configuration information from OpenLDAP, for IMAP and SMTP settings (CalDAV Support was never added, even though there were feilds in the OpenLDAP schema for the three CalDAV based Calendar, Addressbook, and Task List.) This cooperated with eGroupware. Sudo could draw Sudoers from OpenLDAP, as could NSS. Each had their own unique Schemas.

    Unlike when Windows moved from NT4 Domains too AD, the movement was simple, before, you had no Directory Service, and now, boom! you do. In the Linux world LDAP has been a reality for a long time. Many applications are built to participate in Open Directory based Domains based on OpenLDAP Schemas. What happens if the Schemas conflict definitions? How will this be resolved?"

  • Re:Not yet. (Score:5, Informative)

    by jmintha (56956) on Sunday November 04, 2012 @03:58PM (#41874269) Homepage

    Unless I missed something, Samba 4 is not in Alpha release anymore. It has gone through beta, and is now in release candidate stage. (rc4 currently) It is designed as a full Active Directory implementation (including DNS and LDAP)

  • Re:Nein. (Score:3, Informative)

    by doubledown00 (2767069) on Sunday November 04, 2012 @03:58PM (#41874273)
    >No need to fiddle with config files

    A simple browse through the forums quickly showed this is simply not true. Reading on how to enable Outlook integration confirmed that. Same old same old. It's alright if you have available time, a client willing to pay for the learning curve, and users comfortable with "out of mainstream" software. If you have clients like these, count yourself lucky.
  • by fang0654 (1805224) on Sunday November 04, 2012 @04:03PM (#41874313)
    So far I've set up several small offices using Samba4 as a drop in replacement for Active Directory. Here is what I've found it does well: Windows Authentication, AD DNS, Group Policy, Easy scripting (python tools and libraries). What it doesn't do well yet: Replicating AD with other servers. I haven't had much experience using subdomains, etc, mainly because I haven't been able to get it to replicate. But for a small office, it works fine.
  • Re:No (Score:5, Informative)

    by Peachy (21944) on Sunday November 04, 2012 @04:40PM (#41874533)

    The basic samba code has indeed been around for decades, and it's great.

    Do be aware that samba4 release candidate 4 only got released on 30th October 2012 and as the announcement says "This is the first release candidate of Samba 4.0.0! This is *not* intended for production environments and is designed for testing purposes only.".

    http://lists.samba.org/archive/samba-announce/2012/000277.html [samba.org]

  • by dodobh (65811) on Sunday November 04, 2012 @05:10PM (#41874659) Homepage

    Puppet has a server and client setup. The Puppet server process is Unix only.

    MSI packages are supported. I'm not sure about group policies yet.

  • Re:Nein. (Score:0, Informative)

    by Anonymous Coward on Sunday November 04, 2012 @05:36PM (#41874785)

    SOGo [www.sogo.nu] is a groupware server which recently added Exchange protocol compatibility using Samba4 - just sayin...

  • by Anonymous Coward on Sunday November 04, 2012 @05:56PM (#41874887)

    ...it has a built in LDAP and Kerberos server set in the same daemon. That is a problem...

    The reason is that M$'s implementation of things like LDAP is broken. So a standard LDAP (or Kerberos) server is not going to work.

    E.g., OUs that really aren't (In AD, OUs are just cosmetic). There are attributes associated with objects that break LDAP spec. etc.

    Microsoft broke Kerberos just enough to prevent using a standard Kerberos server setup, but works to use std. clients against AD.

    Microsoft broke DNS in the 90s. They allowed things like underscores in names which are illegal according to spec-- all standard DNS servers now allow underscores to allow interop with the broken M$ implementation. There is even a DNS RFC that comes just short of naming M$ which calls out that they butchered and abused DNS in their AD implementation-- this abuse interoperates with current DNS servers, though. so this isn't a reason for including their own DNS.

    So, rather than breaking every other existing software package, or trying to maintain a bunch of patch sets, Samba just includes its own implementation of the above with breakage compatible with M$'s breakage.

  • Re:No (Score:4, Informative)

    by ozmanjusri (601766) <aussie_bob@NOsPam.hotmail.com> on Sunday November 04, 2012 @06:34PM (#41875109) Journal

    Is it fair, to say, then, that Samba4 and AD are both good choices for people with strong admin background, but perhaps AD is a beter choice for someone who, for instance, administers the server in addition to other business tasks?

    Not really.

    If you want to admin Windows, then admin Windows, but don't pretend there's anything particularly challenging about setting up and managing Samba4 on Linux. Just step through one of the many guides. e.g: http://praxis.edoceo.com/howto/samba4 [edoceo.com]

    Slashdot's an Apple/Microsoft site now, so most of the comments here will be FUD. That shouldn't deter anyone with an interest from trying Samba4. It's simple enough that even a MSCE shouldn't have a problem.

  • Re:No (Score:5, Informative)

    by DigiShaman (671371) on Sunday November 04, 2012 @07:07PM (#41875353) Homepage

    Certified SBS guy here.

    Why would you be running multiple SBS boxes? You do realize that each SBS server is its own Forrest/Domain, right? You can't just join these boxes to the same domain without breaking some serious functionality. That's because each SBS box *must* hold all the FSMO roles. About the only time you can temporarily break an SBS box is when performing a migration to a new SBS box. You can join a standard server as a secondary DC, but again, you can not have two or more SBS servers in the same Forest!

    I'm guessing one of two things here.
    1. You performed an epic hack.
    2. You really don't know what the hell your doing.

  • Re:No (Score:4, Informative)

    by MikeBabcock (65886) <mtb-slashdot@mikebabcock.ca> on Sunday November 04, 2012 @07:21PM (#41875465) Homepage Journal

    Your problem isn't AD, its that grand total of zero IT staff.

    Get an external IT person, have them come in and configure and manage the servers for you periodically, and call them when you need things changed instead of hacking at it yourself and you'll have a much better experience no matter which software they use.

    I administer over a dozen Samba sites remotely via SSH and have no issues with it, I'd expect you can find admins to do the same if you shop around.

  • Re:hahahahahah (Score:5, Informative)

    by rubycodez (864176) on Sunday November 04, 2012 @08:14PM (#41875885)

    to do which functions and to scale to what size? login authentication for 100 users in a medium sized business works very well, the medical office management company I set up with vmware and linux servers (but windows desktops) has been working very well that way for 3 years already.....

  • Re:No (Score:5, Informative)

    by Rutulian (171771) on Sunday November 04, 2012 @10:54PM (#41876851)

    You need to install Kerberos. That is what Active Directory is, see: LDAP, Kerberos, DNS, and file/print sharing, all rolled up into a nice package. It appears the Ubuntu package doesn't include it as a dependency, which it should, so I would blame the package manager.

    I agree, the docs need to be better, but Samba4 hasn't officially been released yet.

  • by kevmeister (979231) on Monday November 05, 2012 @02:23AM (#41877769)

    Microsoft broke DNS in the 90s. They allowed things like underscores in names which are illegal according to spec-- all standard DNS servers now allow underscores to allow interop with the broken M$ implementation. There is even a DNS RFC that comes just short of naming M$ which calls out that they butchered and abused DNS in their AD implementation-- this abuse interoperates with current DNS servers, though. so this isn't a reason for including their own DNS.

    Not really correct. The DNS specification in RFC1035 from 1987 allows the use of underscores in names. This has never changed.

    This is a common misconception because the use of underscores in hostnames IS prohibited and this remains true. Microsoft chose the use of underscores in thier AD implementation to remove the possibility of name-space collision with hostnames. BIND, the most popular DNS server in use only permits underscores in hostnames when an option is set to override the default.

    Microsoft has broken lots of standards either because they didn't understand them or found it advantageous to ignore them, but this is NOT one of them.

  • Re:No (Score:4, Informative)

    by Compaqt (1758360) on Monday November 05, 2012 @03:58AM (#41878157) Homepage

    Your link itself noted glitches in Samba4:

    No More Network Browsing
    In Windows based AD you can still browse a network, Samba3 had this but Samba4 does not. So, you will not see your domain, or browse machines in the domain.

    Samba4 and Homes
    The [homes] share and the browseable directive don't work as expected.

    Cannot contact any KDC for requested realm: unable to reach any KDC in realm $DOMAIN
    This is a DNS related issue, it's likely the above SRV records are not present, fix your DNS.

    The first one is kind of major, I would think: You can't even browse a network?!

Cobol programmers are down in the dumps.

Working...