Forgot your password?
typodupeerror
Microsoft Networking Windows Linux IT

Ask Slashdot: Is Samba4 a Viable Alternative To Active Directory? 388

Posted by timothy
from the they-weigh-the-same dept.
First time accepted submitter BluPhenix316 writes "I'm currently in school for Network Administration. I was discussing Linux with my instructor and he said the problem he has with Linux is he doesn't know of a good alternative to Active Directory. I did some research and from what I've read Samba4 seems very promising. What are your thoughts?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Is Samba4 a Viable Alternative To Active Directory?

Comments Filter:
  • No (Score:4, Interesting)

    by im_thatoneguy (819432) on Sunday November 04, 2012 @03:23PM (#41874017)

    We finally switched out our last NAS that was running Samba. Too many small glitches. Not worth the hassle.

    • Re:No (Score:4, Informative)

      by Hylandr (813770) on Sunday November 04, 2012 @03:34PM (#41874085) Homepage

      Poor administration is not the software / OS fault.

      • Re:No (Score:5, Funny)

        by Revotron (1115029) on Sunday November 04, 2012 @03:40PM (#41874149)
        Because clearly, they're not holding it right.
        • Re:No (Score:5, Insightful)

          by Hylandr (813770) on Sunday November 04, 2012 @03:50PM (#41874215) Homepage

          Samba has been around literally for decades and has seen constant reliable use.

          You're suggestion that the software is new and poorly designed is invalid.

          There are good admins and bad admins. If software that has been successfully deployed for multitudes of years has been a problem then bad admins are far more likely to blame.

          - Dan.

          • Re:No (Score:5, Insightful)

            by localman57 (1340533) on Sunday November 04, 2012 @03:56PM (#41874253)
            Is it fair, to say, then, that Samba4 and AD are both good choices for people with strong admin background, but perhaps AD is a beter choice for someone who, for instance, administers the server in addition to other business tasks? Not everybody has the time to become a good admin. They tell their boss that, but the boss also doesn't have funding to go and hire one.
            • Re:No (Score:5, Funny)

              by Anonymous Coward on Sunday November 04, 2012 @04:59PM (#41874615)

              No, it's not. When it involves Linux or OSS, it's always the admin's fault. When it's a proprietary solution, it's bad software. You must be new here, get with it.

              • Re: (Score:3, Insightful)

                by Lev Lafayette (625897)
                There is a degree that this comment is fair however. With FOSS if there is a problem, the admin can fix it even if it is poorly written. So if the admin *doesn't* fix it, or *can't*, yes, they do have to shoulder that responsibility. With proprietary software however, the admin can't make these changes. So if the software is bad, even if the user knows what is wrong there is little that they can do. Ultimately it *is* bad software, because software that you can't fix is a damaged good.
            • Re:No (Score:4, Informative)

              by ozmanjusri (601766) <aussie_bob&hotmail,com> on Sunday November 04, 2012 @06:34PM (#41875109) Journal

              Is it fair, to say, then, that Samba4 and AD are both good choices for people with strong admin background, but perhaps AD is a beter choice for someone who, for instance, administers the server in addition to other business tasks?

              Not really.

              If you want to admin Windows, then admin Windows, but don't pretend there's anything particularly challenging about setting up and managing Samba4 on Linux. Just step through one of the many guides. e.g: http://praxis.edoceo.com/howto/samba4 [edoceo.com]

              Slashdot's an Apple/Microsoft site now, so most of the comments here will be FUD. That shouldn't deter anyone with an interest from trying Samba4. It's simple enough that even a MSCE shouldn't have a problem.

              • Re:No (Score:4, Informative)

                by Compaqt (1758360) on Monday November 05, 2012 @03:58AM (#41878157) Homepage

                Your link itself noted glitches in Samba4:

                No More Network Browsing
                In Windows based AD you can still browse a network, Samba3 had this but Samba4 does not. So, you will not see your domain, or browse machines in the domain.

                Samba4 and Homes
                The [homes] share and the browseable directive don't work as expected.

                Cannot contact any KDC for requested realm: unable to reach any KDC in realm $DOMAIN
                This is a DNS related issue, it's likely the above SRV records are not present, fix your DNS.

                The first one is kind of major, I would think: You can't even browse a network?!

                • by ulzeraj (1009869)

                  That link describes the process of an old alpha11 installation. Samba is on RC4 last time I've checked.

                  As soon as they release a stable version I'll finally get rid of Windows 2003 HVMs and replace them with faster and lighter Linux PVs.

              • Re:No (Score:5, Interesting)

                by CAIMLAS (41445) on Monday November 05, 2012 @05:56AM (#41878619) Homepage

                You realize that the guide you link is not only horribly out of date (over a year IIRC since alpha11 came out) and won't work with any of the current alpha (yeah, ALPHA) releases, but that Samba 4 has it's own dNS server now, basically requiring it operate autonomously from existing infrastructure?

                Yes, building/installing and then provisioning Samba 4 takes all of about 5 minutes. Now integrate it with something which was in existence before you decide to stroke your balls with Samba 4... good luck, let me know how it goes.

              • Re:No (Score:4, Insightful)

                by cyber-vandal (148830) on Monday November 05, 2012 @06:22AM (#41878725) Homepage

                An Apple/Microsoft site? What fucking planet are you on?

          • Re:No (Score:5, Insightful)

            by Revotron (1115029) on Sunday November 04, 2012 @03:58PM (#41874265)
            Software being around for decades doesn't magically cure all the bugs.

            The OP stated that there were too many small glitches with the features they were trying to use, to which your response was that these glitches were imaginary and he just wasn't using it right. That sounds like something Steve Jobs would say.

            You're suggesting that Samba is absolutely perfect and has nothing wrong with it at all just because people have been using it for 20 years. I doubt that. Would you like to take that logic and apply it to Windows and see where that gets us?
            • Re: (Score:2, Insightful)

              by Anonymous Coward

              The real question is does AD work better than Samba4 and if so is it significant enough that the costs are lower after taking into consideration time, expertise (after some time with the technology), and license costs, etc. It may be Samba4 is easier to setup and get working than AD although there are potential bugs that you will need to spend money on to get fixed.

            • Re:No (Score:5, Insightful)

              by sjames (1099) on Sunday November 04, 2012 @05:47PM (#41874849) Homepage

              No, but successful use for decades does indicate that it works.

            • As opposed to AD which has no glitches or bugs at all ... lol

          • Re:No (Score:5, Informative)

            by Peachy (21944) on Sunday November 04, 2012 @04:40PM (#41874533)

            The basic samba code has indeed been around for decades, and it's great.

            Do be aware that samba4 release candidate 4 only got released on 30th October 2012 and as the announcement says "This is the first release candidate of Samba 4.0.0! This is *not* intended for production environments and is designed for testing purposes only.".

            http://lists.samba.org/archive/samba-announce/2012/000277.html [samba.org]

          • Re:No (Score:4, Insightful)

            by hairyfeet (841228) <bassbeast1968 AT gmail DOT com> on Sunday November 04, 2012 @09:40PM (#41876421) Journal
            That is like saying WinRT has been around for decades since Windows 1.0 came out 30 years ago. I draw you to the very first line of TFA: " Samba4 is an ambitious, yet achievable, reworking of the Samba code." Whenever you hear the words "ambitious and reworking" the words that SHOULD pop into your mind immediately is "buggy as fuck" and I don't give a damned WHO wrote the code you NEVER use words like ambitious unless you are doing some serious flying without a net and are trying to warn folks things aren't gonna be business as usual.
          • iPhone maps have been around for years and have seen constant reliable use, so surely people who are complaining about it now are wrong?

            SAMBA 4 most definitely has not been deployed for decades and is a virtually entirely new system. Of course, it hasn't even been released yet! (The publically downloadable versions are alphas, betas, and RCs.) I don't doubt it'll be a great system, but faulting sysadmins for anything other than using unfinished software in a production environment is absurd.

      • Re:No (Score:4, Interesting)

        by im_thatoneguy (819432) on Sunday November 04, 2012 @04:04PM (#41874323)

        You're right. It is the administration not the software. We have a couple file servers running Small Business Server and a couple that were running Samba. The SBSs required no administration. We turned them on and they just kept trucking. Our samba box would have random drop outs where it would deny access unless you restarted the file server.

        We also had trouble with user group permissions not getting picked up properly. We also had a problem where the clock would get out of sync and then deny access.

        It seemed like there was a new unique "Administration" necessary every couple weeks.

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          You don't know what you're doing then.

          I have a samba box with Win7 auth via AD working fine, and serving 118MB/s over gig-e. Never had a problem with it, and I sometimes forget which shares are Win hosted and which are hosted from the FreeNAS box (samba).

          • Re:No (Score:5, Interesting)

            by im_thatoneguy (819432) on Sunday November 04, 2012 @04:50PM (#41874581)

            Good for you. If you want to come setup my Samba box then be my guest. All I know is that one set of file servers works great without any administration and one has been a non-stop headache.

            We have a grand total of 0 IT staff. That's possible with AD. I haven't found that to be possible with any Active Directory replacements.

            • Re:No (Score:4, Informative)

              by MikeBabcock (65886) <mtb-slashdot@mikebabcock.ca> on Sunday November 04, 2012 @07:21PM (#41875465) Homepage Journal

              Your problem isn't AD, its that grand total of zero IT staff.

              Get an external IT person, have them come in and configure and manage the servers for you periodically, and call them when you need things changed instead of hacking at it yourself and you'll have a much better experience no matter which software they use.

              I administer over a dozen Samba sites remotely via SSH and have no issues with it, I'd expect you can find admins to do the same if you shop around.

            • Re:No (Score:4, Interesting)

              by Bert64 (520050) <bert@@@slashdot...firenzee...com> on Sunday November 04, 2012 @08:44PM (#41876101) Homepage

              There's a difference between something possible and being a good idea...
              I have seen samba networks setup with zero ongoing maintenance too...

              If you don't maintain your servers, they will become more and more of a security liability as time goes on.

              AD domains are terribly insecure at the best of times, find a single box in the domain thats got any vulnerability, exploit it and pull off some hashes then spray them across the network to get more boxes, eventually you own the whole domain. And if you think WSUS will ensure everything is updated, try updating a big network and then go around and thoroughly audit it (ie using something that checks for actual vulns or old file versions rather than querying the windows update apis)... You will usually find that a bunch of updates are marked as installed, when in reality they aren't... And all you need is one vulnerable box.

        • Re:No (Score:4, Insightful)

          by rtfa-troll (1340807) on Sunday November 04, 2012 @05:41PM (#41874817)

          Our samba box would have random drop outs where it would deny access unless you restarted the file server.

          You probably had a minor misconfiguration. Would have happened whichever box you had it on. What did your support company say? [....] Oh; you set up a system without a support company? You thought that "Open Source" was a magic word which meant "fixes its self without any support company" ; you thought that Red Hat stood for "nice company that fixes everything for free even if we install a clone distro" and forgot that it actually means "fixes stuff their paying customers care about".

          Okay, I might be wrong in this case, but 98% of the time when asked it turns out that the people have spent thousands on Microsoft, Cisco and so on certificates. They have support contracts coming out of their ears for Oracle. Then they install an open source load balancer or database or something and suddenly the fact they saved money on the software license means they want to save even more money on the support. This is a bad mistake; everyone should look for competent support and if they can't find it then they should find a way to set it up themselves. If there's nothing, then you can probably employ some of the people who wrote the project really cheap and get a bunch of good developers in the price.

          • Support is always valuable, but when the mail box is filling up with often the same problems, you have to make a value judgment.

            Sometimes it's the fact that Microsoft training is somewhat rigorous and people *tend* to apply AD settings according to a well known set of formulas. I find that a lot of serious professionals lacking AD training depend on SAMBA documentation to try to make AD run, thus creating chasms linking OpenLDAP, SAMBA, and AD structures, and they're different beasts.

            Yes, it's great to have

        • Re:No (Score:5, Informative)

          by DigiShaman (671371) on Sunday November 04, 2012 @07:07PM (#41875353) Homepage

          Certified SBS guy here.

          Why would you be running multiple SBS boxes? You do realize that each SBS server is its own Forrest/Domain, right? You can't just join these boxes to the same domain without breaking some serious functionality. That's because each SBS box *must* hold all the FSMO roles. About the only time you can temporarily break an SBS box is when performing a migration to a new SBS box. You can join a standard server as a secondary DC, but again, you can not have two or more SBS servers in the same Forest!

          I'm guessing one of two things here.
          1. You performed an epic hack.
          2. You really don't know what the hell your doing.

          • I'm guessing one of two things here.
            1. You performed an epic hack.
            2. You really don't know what the hell your doing.

            3. I wasn't interested in pedantic product naming. And always assumed they were part of the SBS family of products. Apparently only SBS is SBS and the other SKUs are a different family of servers.

            For those who are truly interested, and I can't possibly imagine why...

            Domain Controller: Microsoft Windows Small Business Server 2008
            File Servers: Microsoft Windows Server Standard Edition 2008 R2(tm)(c) for primary RAID and then we're replacing Samba boxes with Microsoft Windows Storage Server 2008 R2 (tm)(c).

      • Re:No (Score:5, Insightful)

        by Mike Buddha (10734) on Sunday November 04, 2012 @04:38PM (#41874515)

        If Samba is difficult to administer, that's a problem. That makes it inferior to the competition.

        • Re:No (Score:5, Insightful)

          by jythie (914043) on Sunday November 04, 2012 @06:24PM (#41875057)
          Yeah, I never understood the whole 'tools that require more training to use are better!'. If two tools do similar jobs in the same use case, but one can be administered by someone who isn't a dedicated professional, and the other one requires a specialist, then within that use case, the easier to use tool is better. Additional complexity without additional benefit is not superior.
        • If.

      • Re:No (Score:5, Interesting)

        by CAIMLAS (41445) on Monday November 05, 2012 @05:40AM (#41878555) Homepage

        Sorry, what? Have you run Samba in a business environment? I have, and I can completely understand the sentiments here: there's a lot of little stuff that goes amiss or requires seemingly excessive management.

        There are a LOT of "small glitches" while using Samba 3 in any not-just-Linux environment. It has nothing to do with 'poor administration'. Over the years, I have had problems with Windows - 98, XP, 2k, 2k3,Vista, and now W7 - operating properly against a Samba host. This isn't a matter of 'improperly administered' so much as it's a "Microsoft released a patch which broke things which worked previously" problem, and it seems to be getting worse as time goes on.

        To add insult to injury, Samba 3 development has basically been in 'maintenance' mode for years, with Samba 4 getting seemingly preferential treatment. There have been very few new features of functionality added to Samba 3 aside from the odd "needed to keep things working well" patch or a backport from Samba 4 by an intrepid sysadmin (or so it seems). Really, what used to seem like a very nice and mature project now feels like something on life support, with half the features present having been backported from the development branch, often without a full implementation, inconsistencies, and no/poor documentation.

        As for Samba 4, (which neither you nor my post's GP seem to realize we're talking about here): it's an entirely different beast than Samba 3. The only significant thing it appears to share in common with Samba 3 is the smb.conf format and actual file/print services (which is a fairly recent change). It is still in HEAVY development. What they started out to implement was really quite awesome and interesting: Active Directory based on open source tools currently in existence. At one point, they were using BIND for DNS integration and Heimdal for the directory. Their team members made many valiant attempts and efforts in providing patches to these supporting projects.

        However...

        Both those things are now internal to Samba 4. That's right: the directory itself as well as a DNS server are components to Samba 4. IMO, this is the biggest mistake they've made, and waiting would've been worth it if they could've gotten BIND to work (they couldn't, due to design differences between it and Windows AD/DNS frequency, chain of authority, etc. IIRC - not without making a mess).

        Integration of their own directory (based on a heimdal fork, IIRC) makes sense. But not DNS, at least as its implemented now. The DNS server is not BIND compatible and will not take a zone transfer, and doesn't even do reverse records yet (not properly, at least).

        THAT SAID, Samba 4 is still not hitting a 1.0 release. Who knows if 1.0 will mean 'beta, we're polishing' or 'production ready' - but I will bet you anything that it will be lacking documentation on how the tools work and have quite a few bugs. :(

        I've been a follower of Samba 4 since I was in college, and that was close to a decade ago. I don't think there's much hope of it ever being production ready, not anymore. They tried to do too much, and as a result, Samba 4 won't be all that usable in an existing Samba 3 network where DNS is also used - it just won't be possible without making a huge mess of things due to a pre-existing DNS system which won't be able to be fully compatible.

        Samba 4 works "OK" at home, but only if you've got very limited needs and you're starting from scratch. It's not nearly as flexible as Samba 3 (eg. different authentication backends, for instance) and from my point of view will not be 'production ready' for many years at its current pace.

        • by ulzeraj (1009869)

          "That's right: the directory itself as well as a DNS server are components to Samba 4. IMO, this is the biggest mistake"

          The DNS is needed for Kerberos (for Windows at least) and other Active Directory features like GPO.

          "The DNS server is not BIND compatible and will not take a zone transfer, and doesn't even do reverse records yet (not properly, at least)."

          What? Of the 3 DNS implementations of SAMBA4 2 of them use Bind. One is a DLZ plugin and the other is a flat file generated by samba. Both need to be inc

    • by Compaqt (1758360)

      You seem like you would have enough information to really let the rest of us know something (like specific versions of servers and clients) and what exactly happened as opposed to a cryptic remark.

  • by rtfa-troll (1340807) on Sunday November 04, 2012 @03:25PM (#41874027)

    It's important to realise that Active Directory has a bunch of overlapping different features. Samba4 is a great for part of it. Puppet is great for a different part of it (the ability to configure systems - like a superset of Active Directory Group Policies) LDAP covers some other parts etc. etc. You need to be really careful with this question because it is already loaded. Essentially, if the answer is "Active Directory" you are asking the wrong question. Your overall system administration story with Linux will be much better than Windows but you need to start thinking more from the beginning since it isn't always as obvious which tool is the right tool.

  • Not yet. (Score:5, Insightful)

    by phoenix_V (16542) on Sunday November 04, 2012 @03:26PM (#41874035)

    Samba 4 is in it's Alpha release stage and is not recommended for production. That said it's a remains to be seen thing if it will be.
    It also depends a great deal on how and what you use AD for. For simple authentication you can use samba 3 + LDAP for that now.
    For programs that require AD not so much with either.

    • Re:Not yet. (Score:5, Funny)

      by sprior (249994) on Sunday November 04, 2012 @03:35PM (#41874109) Homepage

      What a coincidence - Windows 8 just made its Alpha release too.

    • Re:Not yet. (Score:5, Informative)

      by jmintha (56956) on Sunday November 04, 2012 @03:58PM (#41874269) Homepage

      Unless I missed something, Samba 4 is not in Alpha release anymore. It has gone through beta, and is now in release candidate stage. (rc4 currently) It is designed as a full Active Directory implementation (including DNS and LDAP)

  • Samba3 could fool XP (Score:2, Interesting)

    by CodeheadUK (2717911)

    I've managed to get XP clients to join an NT domain using Samba as a PDC. Samba 4 wasn't an option at the time, but I don't see why AD emulation should be beyond the realms of posibility.

    The biggest problems I had were the cryptic errors from the Windows boxes, not Samba.

  • Nein. (Score:5, Informative)

    by doubledown00 (2767069) on Sunday November 04, 2012 @03:34PM (#41874095)
    It works for small environments. But as you start getting above 50 people AD is the way to go for two reasons: 1) Less admin overhead time. Like it or not, AD "just works" unless you really snork it up; and 2) AD credentials integrate with more stuff and it's not tenable to have to maintain different user databases for each one. Sooner or later an enterprise will want exchange.,,,,,,,and spam filtering......and internet proxies etc. There are a multitude of products out there that will integrate with AD. To get the same with Linux / Samba (if it can be done at all) will require cobbling together services and solutions that will complicate your life. The bottom line: I went through my Linux zealotry phase too. Then I got a life and couldn't spend hours on end reading docs and fiddling with services and config files. Towards that end AD just simplifies user admin and frees you up to deal with other stuff. Linux has its place in the enterprise, but it ain't as an AD replacement.
    • by smooc (59753)

      You're out of date. Samba 4 (although at RC now) does Active Directory. Don't spread FUD please.

  • by OzPeter (195038) on Sunday November 04, 2012 @03:35PM (#41874101)

    Slashdot discussion about Samba 4's Beta release Samba 4 Enters Beta [slashdot.org]

  • The poster didn't say whether his instructor had a problem with a Windows client/Linux server setup or with a Linux network in general.

    E.g., what if you just cut Win clients out of the picture? Just have straight up Linux. Would he still have a problem?

    Secondly, if you did have straight Linux, what kind of software stack would you have?

    How well does LDAP work when you get to the nitty gritty? Is Kerberos something you'd be using? What's the best NAS? FreeNAS? 7 or 8? Or NAS4Free? Just a Linux box running NA

    • Yes, For all Linux networks, Samba does change things. Samba 4 is backward compatible with all of OpenLDAP's and Heimdal Kerberos's clients. In a purely Linux network, Linux machines would connect to the Samba 4 Active Directory as Open Directory Clients.

  • Samba has had NT support since way back and now has AD compatibility. So it works as a drop in for Windows servers that cost $$$$.
  • by 93 Escort Wagon (326346) on Sunday November 04, 2012 @03:43PM (#41874175)

    We have, for many years, had a computing environment that, on the server side, is a mix of Red Hat Enterprise and Windows. Users and groups are (ostensibly) the same in both environments. The servers running Samba were in AD but were not acting as DCs.

    Samba has always handled the user accounts perfectly. Groups, on the other hand, break fairly frequently - and by "break" I mean it stops realizing that group "foo" on Windows is also group "foo" on Linux. Since most of our end users are on Windows boxes, and most of the authorization on the web server (my main concern) is handled using groups, this has been a big headache for me. Fortunately we were able to convince our manager it wasn't worth the continued investment in man-hours by our Linux and Windows guys to keep debugging this group issue, and we just pulled the plug - now everyone has to use scp/sftp, and everything works well.

    Admittedly this is a narrow use case I'm describing. Also I wouldn't be surprised if everything would be peachy if 100% of the AD stuff was being handled by Samba (and ONLY by Samba). But if this is a mixed environment, you should do some serious testing before making a decision.

  • NOT Recommended. (Score:3, Insightful)

    by Anonymous Coward on Sunday November 04, 2012 @03:53PM (#41874231)

    Samba may be able to do some of the windows file and printer sharing... even acting as a domain controller. BUT. Trust me. It will be hell to administer. For what you pay for Windows 2012 standard... with Hyper-V, and all the roles and services you just get... I dont see how you can compete with the ease of use and administrations. In the other-hand, if you are hard core UNIX/Linux and you need to support a few windows boxen in your environment.. then this is a great fit for you. Otherwise, stay away... far away. Anything you save in dollars you will spend in time... ten times over.

  • by Nkwe (604125) on Sunday November 04, 2012 @03:54PM (#41874233)
    When you talk about alternatives to Active Directory you need to be specific as to what features of Active Directory you refer to. Active Directory is a lot of things: Distributed multi-master database, Authentication provider, Authorization provider, Configuration management system, and more. The Active Directory infrastructure provides: File services, Print services, Group policy, LDAP, DNS, DHCP, and other services.

    I haven't read in detail about Samba 4, and it appears that the Samba Wiki [samba.org] is down at the moment, but there is a decent description on the Fedora Project site [fedoraproject.org]. According to the Fedora site, Samba 4 includes the ability to be a domain controller and implements the Kerberos stack, but it is not clear that it provides the centralized configuration management that Active Directory does. This centralized management (Group Policy) and the ability to delegate administration (Organizational Unit based delegation) are very powerful features of Active Directory and what keep large organizations on the platform.

    If what all you are looking for is a shared account database and the ability for multiple workstations to authenticate against it, Samba 4 may be just the ticket. If however you are looking for a replacement for Active Directory at an enterprise level, I doubt it is there yet.
  • by Zombie Ryushu (803103) on Sunday November 04, 2012 @03:55PM (#41874245)

    Since 2005, The combination of OpenLDAP, Heimdal Kerberos, and Samba 3 has been a staple in the Linux Infrastructure, with other services such as FreeRadius, NFSv4, and AFS being tacked on for good measure.
    Many if not most Linux based utilities support LDAP. Unlike Samba 3, which functioned as an OpenLDAP based application, Samba 4 completely replaces OpenLDAP, and Heimdal Kerberos. Consider the following. Samba 3, while far beyond what Windows NT4 was ever capable of, expanded the NT4 Domain concept far beyond it' design limiations. In the most recent era, Samba 3.5 and 3.6, created an enhanced form of NT Domain Authentication just for interoperability with Windows 7. (This is very fascinating because it uses Windows 2003 Sign and Seal with NT4 Authentication, something NT4 never could do.) So it can be be said, while Windows 7 expressly drops support for Windows NT4, Windows 7 has express support for Samba 3.

    Yet the sword of Damoclese has swung over the head of Samba 3.x for a long while. Vista dropped support for NT4 Style System Policies, requiring administrators to resort to registry Trickery with Wine and third party policy tools such as NitroBit.

    Samba 3 brought about a form of NT Domain that supported LDAP as a backend, could use Kerberos for Authentication both for file shares and joining the Domain. (Although only other Samba clients could utilize the Kerberos aspects of Samba 3.) Could delf out policy by OU. With help from OpenLDAP, Samba 3 could overcome the single PDC limitation, and all Samba Domain Controllers could be writable PDCs because OpenLDAP supported Multi-master Replication.

    Beyond Samba, FreeRadius could use LDAP for authentication, Evolution could garner configuration information from OpenLDAP, for IMAP and SMTP settings (CalDAV Support was never added, even though there were feilds in the OpenLDAP schema for the three CalDAV based Calendar, Addressbook, and Task List.) This cooperated with eGroupware. Sudo could draw Sudoers from OpenLDAP, as could NSS. Each had their own unique Schemas.

    Unlike when Windows moved from NT4 Domains too AD, the movement was simple, before, you had no Directory Service, and now, boom! you do. In the Linux world LDAP has been a reality for a long time. Many applications are built to participate in Open Directory based Domains based on OpenLDAP Schemas. What happens if the Schemas conflict definitions? How will this be resolved?"

  • The real world (Score:5, Insightful)

    by Billly Gates (198444) on Sunday November 04, 2012 @03:55PM (#41874249) Journal

    Ask yourself why?

    I used to be like you when I was 20 a decade ago. Here is what I have learned. Your enterprise hates change and looks at you as a financial burden and unnecessary cost unless you work for an IT company. If they have AD why switch? If what they have works don't mess with it.

    I saw this pop up last week on slashdot when Microsoft suggested business users stop using XP. Shockingly a decade ago on slashdot people would be laughing at everyone using a 11 year old platform who refuses change all based on Microsoft. Fast forward today you see folks under 35 freak out and DEMAND XP BE SUPPORTED FOREVER because changing is something you never ever do! Those over 35 got modded down saying upgrading is part of your job. The point is to put SAMBA 4 in you have to fight such people. They hate change and will cling to obsolete products as their behaviors in the last decade taught htem to lock versions with no updates and view everything as a cost center. Even a free product like Samba as such.

    If it breaks who do you sue? Who do you call for support? Will you be handed a pink slip with a boot up your ass out of the door if something breaks? AD is standard, it is used by everyone else, other products like SQL Server, Sharepoint, and Exchange use it. It is part of the proprietary eco system at work and even though slashdotters breathe down Linux as the end all for everything it is not in an already established enterprise environment.

    Just stick with AD. It is what you will be quizzed on and expected to know in your first job interview. If you do not know it they will find someone else who will. It is that simple.

  • by fang0654 (1805224) on Sunday November 04, 2012 @04:03PM (#41874313)
    So far I've set up several small offices using Samba4 as a drop in replacement for Active Directory. Here is what I've found it does well: Windows Authentication, AD DNS, Group Policy, Easy scripting (python tools and libraries). What it doesn't do well yet: Replicating AD with other servers. I haven't had much experience using subdomains, etc, mainly because I haven't been able to get it to replicate. But for a small office, it works fine.
  • by fm6 (162816)

    This question needs some context. My first reaction was, "Hey, what about LDAP?" Then it occurred to me that the instructor was assuming a lot of MS-centric infrastructure that needs AD support. But that's just an assumption.

    I've noticed a certain MS-centric viewpoint in many community college course on networking,. This probably has to do with MS giving schools a lot of resources.

  • by HerculesMO (693085) on Sunday November 04, 2012 @04:06PM (#41874331)

    Look at the use case.

    I know too many Windows and Linux folks who try to shoehorn one way of doing things so it runs the way they want them to. This post reeks of that.

    Find the best business reason to use one thing or another. I don't disqualify MS because it's not open source, or Linux because it's free. There are costs to doing everything, and usually made up outside of what infrastructure you decide on.

    That said, Windows is best on the desktop because of Group Policy, its extension into things like System Center, IT Asset Management systems, reporting, workflow, automation, etc. I know it "can be done" with Linux but the process is usually smushed together and kludgy. Windows is simpler because of the software that supports it, many of them made by MS themselves.

    I will stick with *nix for my backend requirements, and Windows for my front end. Until something changes drastically, I don't see much point in trying Linux on the desktop -- it's clearly not its strong suit.

    • by DragonTHC (208439)

      No one was ever asking if they should use Linux on their desktop. The question was about replacing an active directory windows server with Linux/Samba.

      • Fair point... but if you're talking about having a server with Windows clients and trying to supplant AD, it's a futile exercise. It all works together really well because it's designed to. Once you lose control of being able to administer huge swaths of clients via GPO, you lose an organizational edge.

        Unless you're a software firm intent on showing you can do without. But most people aren't software firms in that position.

  • by Zombie Ryushu (803103) on Sunday November 04, 2012 @04:13PM (#41874377)

    Keep in mind that "Group Policy" is, truly, is merely Windows Registry keys stored in the LDAP database in Active Directory. Samba 4 will store these in it's LDAP database. Something Samba 3.x+OpenLDAP Couldn't do.

    Linux has no Registry, Linux approaches the Group policy concept differently by having application level Sub-Schemas that have to be imported into the tree. Linux applications then have to be configured to call on the LDAP Database instead of using it's local files. There are OpenLDAP Schemas for:

    Sudoers
    Evolution
    eGroupware/phpGroupware
    DHCP
    Samba 3 of course
    Bind (Deprecated)
    Posix Accounts (/etc/password, NIS and NFS related)
    CUPS (Printers)
    Kerberos
    Posix
    Puppet
    urpmi (Exclusive to Mandriva)
    Apache (Can store httpd cluster information)
    Zimbra ...and more.

    When Samba 4 is released, you have to import all these OpenLDAP entries into the Samba 4 LDAP tree.

  • Samba + OpenLDAP is a fine choice for AD replacement.

  • Let the kids have their toys, put your efforts into the man tools.

  • by Shuntros (1059306) on Sunday November 04, 2012 @05:27PM (#41874725)
    I realise Novell aren't exactly a powerhouse any more, but does anyone else remember about 5 years ago when they released Domain Services for Windows? That was basically Samba 4, but using eDirectory and NSS (that's a proper man's filesystem, for you young kids) as the back end. I only played with it briefly whilst at my last employer, but damn did it rock... All the NSS clustering and good bits of Novell tech were totally transparent. The only time you knew you were talking to a Linux box was if you opened up a DC in MMC and looked at its properties, where it said something along the lines of "SuSE Linux Open Enterprise Server".

    Fairly obvious that Jeremy A was largely responsible for DSfW, just a shame that stuff was most likely locked up as Novell IP and off limits to Samba 4.
  • I don't think you can replace Active Directory for things like Group Policy, etc. The functionality just isn't there, as far as I know. On the other hand check out the FreeIPA project in Fedora (and IPA in RHEL) - they now support creating trusts with Active Directory domains which allows sharing resources, etc. This is the gist of how it works: https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust [fedoraproject.org]
    • by Daltorak (122403)

      I don't think you can replace Active Directory for things like Group Policy, etc.

      Strictly speaking, Group Policy and user settings management stuff is not "Active Directory". It is a layer on top of Active Directory, which was originally called IntelliMirror but now just goes by the name Group Policy. All "Active Directory" gives you is a scalable authentication layer based on DNS and Kerberos with some interesting hierarchy features, the ability to "trust" other AD organizations to varying degrees, as well as a schema-based object system that anyone can expand on. AD objects can rep

  • by whois (27479) on Sunday November 04, 2012 @05:43PM (#41874825) Homepage

    I don't think it's bad for what it does, but the inability to rollback changes or even to know what's been changed is a serious oversight. There are third party tools that fix this (Google search for active directory change control), but for a large scale environment you shouldn't have to rely on third parties to make a tool usable.

    Contrast this to a UNIX based ldap server (openldap) where the entire directory can be saved and reloaded as a text file over and over again.

    AD also has the tendency to bury lots of information behind properties windows that have 30 or so tabs. Even if you look at all of those you'll still miss disconnected pieces like group policies or if an AD account has an exchange account.

    I don't think "replace AD with Samba" is a good idea though. If you're going to be using lots of Windows systems then you're better off managing them with the tools provided by the vendor.

  • I assume the fixation with AD specifically to the point of referencing Samba 4 means Windows will be a way of life.

    Once released and incorporated into something like RHEL, then I'd say Samba 4 becomes worthy of consideration. At that point in time:

    -If your infrastructure is mostly Windows, stick with AD.

    -If your infrastructure/clients is mostly Linux (or clients aren't going to be traditional Windows workstations either way) or you have *realistic* ambitions of this being the case, then Samba 4 will probab

  • The answer is no, Samba4 is not a good idea for admining a network of linux desktops. The point of Samba is to admin a windows network with a linux server. The poster never mentioned windows, and is asking about a tool like Active Directory for linux. He likely just means distributed authentication management. The answer is likely openldap (with or without kerberos) For all the other functions, there are tools, like chef, puppet, dsh, etc... that are better than anything in the Windows world.
  • Overall, no, it isn't even close. Samba 4 may offer the core features of AD its self, but it doesn't offer all the powerful management and Group Policy tools, system deployment facilities, etc. Some of it could probably be hacked in on top, but IMO, it's really not worth it.

    I was running a Samba3 domain on an LDAP directory for years. It was OK, but always had annoying warts and problems, plus it was a pain to run. Automatic printer drive deployment was fiddly and never that reliable. Group Policy wasn't even an option.

    Eventually I gave in and moved over to win2k8. As a heavy Linux user and long-time *nix sysadmin, I have to say, for running Windows networks I am NEVER going to use anything else. Sure it has its issues, but it's reliable and it has an amazing array of system management tools.

    The Microsoft Deployment Toolkit alone is worth running a Win2k8 box for : just PXE boot your clients and have them auto-re-install themselves, install software and printers, change settings, add local users, install updates, and reboot almost ready to use. You can do this with a USB key and a manually copied Windows PE image, but it's fiddly and annoying.

    Then there's Group Policy. Group Policy actually makes me want to use Windows. It makes me want to get rid of my Linux thin clients - despite their reliability - because with Group Policy I can just push changes out to all machines (or defined subsets) with a few simple changes in a central directory. It's seriously impressive.

    About the only irritation is that so many software packages use custom installers rather than the Microsoft Installer (MSI), so it's not always easy to roll them out via Group Policy server push. Some of those that do (I'm looking at you, Adobe) don't make it easy to just download their updates whenever they come out and push them via Group Policy; you have to go and check for updates by hand. Fail.

    Despite the irritations, there's just nothing like it for booting a client off the network and having it come up ready to use. Redirect the user's desktop and documents folder and you don't even need to worry about the machine breaking or having client backups; you back up the redirected folders, and if the machine breaks you just re-image it because it has no local data of any importance on it.

    The sad fact is that tools like this are no fun to work on, so they're not something we're going to be seeing in Linux/BSD land in a hurry.

Prediction is very difficult, especially of the future. - Niels Bohr

Working...