
Samba 4.0 Released: the First Free Software Active Directory Compatible Server

Posted by Soulskill
from the opening-up dept.
Jeremy Allison - Sam writes "We released Samba 4.0 today, containing the first compatible Free Software implementation of Microsoft's Active Directory protocols. 'Samba 4.0 comprises an LDAP directory server, Heimdal Kerberos authentication server, a secure Dynamic DNS server, and implementations of all necessary remote procedure calls for Active Directory. Samba 4.0 provides everything needed to serve as an Active Directory Compatible Domain Controller for all versions of Microsoft Windows clients currently supported by Microsoft, including the recently released Windows 8. The Samba 4.0 Active Directory Compatible Server provides support for features such as Group Policy, Roaming Profiles, Windows Administration tools and integrates with Microsoft Exchange and Free Software compatible services such as OpenChange.'" Full release notes are available, and you can grab the files from the download page.

  • by bluefoxlucid (723572) on Tuesday December 11, 2012 @04:10PM (#42253615) Journal
    We got a giant monolith instead of a bunch of core libraries and services.
    • by Jeremiah Cornelius (137) on Tuesday December 11, 2012 @04:24PM (#42253735) Homepage Journal

      Gates is forked.

      This will be embeddable on ARM appliances, and baked into VM management software, etc.

      It only took 12 years... :-)

    • by abartlet (64597) on Wednesday December 12, 2012 @06:14AM (#42258655)

      The AD DC actually is a bunch of core libraries and services. To make things easiest for our users, the services are linked into and started up by one binary, but internally each different task ends up in a forked process (if appropriate). But we do one better, and allow this to be controlled at runtime, so with '-M single' it essentially becomes a giant state machine, and can be handled with a single gdb. Inter-process communication is via a unix domain socket based messaging system or full DCE/RPC pipes.

      External processes can register specific named pipes (when, as we do by default, we use smbd as the file server, this is actually a key part of the design), or DCE/RPC server modules can be loaded (the OpenChange project provides such a module).

      We could discuss if more or less of Samba's internal communication should use one design pattern or another, but what is more interesting is that without fanfare or bother, some of those ideas, implemented pragmatically rather than dogmatically, have become an essential part of how Samba is implemented. That pragmatism has then brought us the AD DC that we are so proud to announce today.

      I also love that the shared libraries that we now use internally make Samba much smaller as well, reducing the disk space overhead.

      Finally, a surprising amount of the code is actually in modules on ldb, our ldap-like database at the core of the system.

      I know you were hoping to troll with what has been a long-running design philosophy, but when you spend the time building the system, you find the pragmatism rules the day, and we use a variety of tools to get the job done, and to get it done in a way that is most seamless to our users.

      Andrew Bartlett
      Samba Team

  • by somersault (912633) on Tuesday December 11, 2012 @04:10PM (#42253617) Homepage Journal

    Oh hell yes

    • by jhoegl (638955) on Tuesday December 11, 2012 @04:28PM (#42253765)
      Shhhhh, they will hear you.
      BTW, licenses will still be required for these machines/users, but not for the OS.
      • by somersault (912633) on Tuesday December 11, 2012 @04:41PM (#42253871) Homepage Journal

        I already have loads of client licenses, but this means no more server licensing, so it will be significantly cheaper for small businesses to build a small network with full redundancy, and massively cheaper to build out large networks. Get this onto Ubuntu Server with a friendly interface, and MS will be close to dead in the water as far as servers go.

        • by erroneus (253617) on Tuesday December 11, 2012 @05:09PM (#42254105) Homepage

          Sorry, but no. There are bunches and bunches of PHBs out there who will perpetually doubt that anyone can make a Microsoft server as good as Microsoft and would be more than a little afraid that by doing this, they would be in violation of some sort of license requirement. At the very least, it would void any support services if an exchange server were to connect to a Samba 4 AD domain. PHBs care a lot about stuff like that even if people rarely if ever use Microsoft's support.

          For that dream to become a reality, a big player out there would have to step up and put their branding and reputation behind it. For example, IBM might be a great candidate for that. PHBs still know who IBM is. RedHat might not get the reception Linux users might think they deserve. Oracle, as much as I would like to see them die in a fire, might also be able to pull it off.

          For now, the IT world is ruled by PHBs and one must always consider what things they might believe regardless of how ridiculous it may actually be.

          • by jeffmeden (135043) on Tuesday December 11, 2012 @05:30PM (#42254315) Homepage Journal

            You are right, but the bottom line (to steal the adage) is that "no one gets fired for choosing microsoft". Yes you are locked in, but you are locked in to an ecosystem that 90%+ of the world's businesses run on, so it is seen as the safest of all choices (and cost is a small factor compared to job safety).

            This will take off when Samba can integrate with Google Apps and let companies throw away anything microsoft-related (but still be microsoft-like)...

            • by ArsonSmith (13997) on Tuesday December 11, 2012 @11:28PM (#42256849) Journal

              My anecdote: 5 years ago we were a 95% Windows shop with only 15 Linux servers. Today we are a 90% Linux shop with near 1000 Linux servers. We went from 5 Windows Admins and 1 Linux admin to 6 Linux admins and 3 Windows Admins. Yet we are unlikely to convert AD to this for the exact same reasons. It's not just AD, it's the plugins to AD, the monitoring, and the fact that, while it rarely breaks anyway, if something does break the amount of repair tools and articles on how to fix it are numerous. As that original 1 Linux admin I would like to see this as an option. But it's not very likely.

            • by mjwx (966435) on Wednesday December 12, 2012 @04:01AM (#42258077)

              You are right, but the bottom line (to steal the adage) is that "no one gets fired for choosing microsoft". Yes you are locked in, but you are locked in to an ecosystem that 90%+ of the world's businesses run on, so it is seen as the safest of all choices (and cost is a small factor compared to job safety).

              They used to say "no-one gets fired for buying IBM". Is that still true?

            • by dbIII (701233) on Wednesday December 12, 2012 @04:29AM (#42258197)

              "no one gets fired for choosing microsoft"

              That's a misquote of an old thing about IBM. Guess what one of the platforms IBM are selling support for is? A clue is it (and probably all the other platforms IBM supports) can run SAMBA.

          • by aquarajustin (1070708) on Tuesday December 11, 2012 @05:30PM (#42254319)
            This is why I don't work for a PHB. In fact, he's balding a bit. I have the best boss ever. He just gave me the green light to be early adopters and run this in production (once it passes a few sanity checks). We've been running the alphas and betas with much success. Samba team ftw!! Thanks guys! I've been waiting for this for so long.
          • by Anonymous Coward on Tuesday December 11, 2012 @07:20PM (#42255179)

            Sorry to point this out so bluntly, but I'm sick to death of this argument, that Microsoft is better than open source, because they offer full support to business customers. As a sys admin with 15 years under the belt, I can tell you that I have never gotten anything from Microsoft past a link to a technet support wizard that asks 4 obvious, general questions and always ends with "Sorry we cannot provide a solution to this problem, Do you find this article helpful?"

            NO I FUCKIN' DON'T.

            Microsoft would be the last place I would ever call if there was a critical server failure where downtime is money.

            In the real world, this kind of support is provided by 3rd party Managed Service Companies who are paid separately anyways, so you might as well pay for support on a nix based system, as they are well known to be much more stable (look at your average local nix admin with his feet up knitting or making chainmail, because he's got his systems singing and cron-grepping him hourly reports about how awesome he is and why he deserves a raise, compare this to your best of breed bad ass wizard windows admin, stressed as fuck, up till 4am fixing stupid shit for peanuts)

            • by jp10558 (748604) on Wednesday December 12, 2012 @09:51AM (#42259827)

              IDK, I have no problems with my basic windows servers. I find that Server 2008R2 is very similar to our RHEL6 boxes - once you get it going, it just keeps going until you fuck with it for some reason like an upgrade of software.

              And MS doesn't provide any more or less support than RedHat - if you pay for a support contract, you get the help you paid for. But as far as I can tell, you get almost nothing from any proprietary vendor just because you bought the software - you still have to pay extra for actual support.

              Which is why I agree with you that buying Microsoft products because they provide support is quite naive, you buy support from a vendor because they provide support - it has nothing to do with if you bought a license.

              My cheap out slow option is Technet - it gets you 2 phonecalls and unlimited forum support where actual MS reps often reply, with reasonable solutions much of the time. That only works if you can spend days on the forum, but is very cheap. Price (and hopefully support speed) go up from there.

      • by erroneus (253617) on Tuesday December 11, 2012 @05:04PM (#42254061) Homepage

        Wait what?

        I get that the client OS (presuming it is Microsoft Windows) must be licensed, but why the user?

        This is the kind of thing I have been waiting for. A means to wedge other OSes into an AD oriented business network. Microsoft can just change a few things and make it required to run this or that server. They have played that game before where F/OSS has to catch up with changes Microsoft makes, but in the end they will lose because they can only make so many tweaks and changes before they risk compatibility with their existing software and clients.

        So to set up an AD domain based off of this and be able to manage devices other than Windows clients would be a classic example of embrace and extend which could work against Microsoft. I know... it's just a dream now...

    • by somersault (912633) on Tuesday December 11, 2012 @04:31PM (#42253797) Homepage Journal

      Having said that, our accounts software (shudder) requires SQL server, but it will be nice to move that off to a VM and have all other network services running on Linux at last. Thank you SAMBA team :)

      • by na1led (1030470) on Tuesday December 11, 2012 @04:46PM (#42253917)
        All we really need now is a Free SQL equivalent. Doubt that will ever happen.
  • by sergioag (1246996) on Tuesday December 11, 2012 @04:11PM (#42253623)

    Slashdot does it again....

  • fsck yeah! (Score:5, Insightful)

    by Netdoctor (95217) on Tuesday December 11, 2012 @04:19PM (#42253689)

    Oh My Gawd.

    I have been waiting literally *years* for this.

    This just made up for an otherwise very crappy day. No, this just fixed my whole year.

  • Wow (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 11, 2012 @04:19PM (#42253693)

    I'll be interested to see the reviews on this over the next several months. I'm interested to see how well this performs under different levels of load, and how it utilized group policy. Kind of exciting in an extremely nerdy sort of way.

  • by gstoddart (321705) on Tuesday December 11, 2012 @04:21PM (#42253703) Homepage

    I'm assuming if Microsoft could legally stop this, they would.

    Likely the interfaces aren't copyrightable and this is probably a clean implementation -- but I'm sure if Microsoft could trot out a patent or something else to stop people they would.

    I can't imagine they want implementations of their stuff out there. (Granted, they mostly started out by implementing other people's stuff, so there may not be much they can do about it.)

  • by AlphaWolf_HK (692722) on Tuesday December 11, 2012 @04:21PM (#42253709)

    I did a network integration capstone course where we had linux and windows in a single active directory domain, with single sign on and all users and objects in one database. How is this different?

    More power to them though, active directory is HUGE in the enterprise space. If you could integrate its security controls and policies into android tablets and smartphones, windows 8 and its lame tablet UI will never see the light of day in big business.

  • by na1led (1030470) on Tuesday December 11, 2012 @04:34PM (#42253819)
    This might work for small networks, but what about Virtualization environments, Hyper-V, Multiple AD servers, Proxies, etc. I'm sure it's going to have limitations.
    • by Jeremy Allison - Sam (8157) on Tuesday December 11, 2012 @04:43PM (#42253885) Homepage

      It's just an AD server. Why would running under Virtualization environments, Hyper-V, Multiple AD servers, matter?

    • by PlusFiveTroll (754249) on Tuesday December 11, 2012 @04:49PM (#42253945) Homepage

      You're going to have to catch me up why Hyper-V and Virtualization matter in your sentence. If your V-Server depends on AD which is on the V-Server you're going to have an issue.

      People have already set up Samba4 and W2K8 ADs working together

      The other issues are potentially a problem as there are thousands of different AD configurations out there, and all of them have not been tested.

    • by Xtifr (1323) on Tuesday December 11, 2012 @04:56PM (#42254007) Homepage

      Didn't most of that stuff already work with OpenLDAP and Kerberos? Wasn't the only remaining issue the MS-specific bits of the protocol? I mean, yes, those are questions worth asking, but you seem to be assuming the answer is no; I would tend to assume the answer is, mostly, yes.

      This is not some upstart, fly-by-night system. Samba has been in heavy use in the enterprise space for many years. I've been amazed at some of the companies I've stumbled across that were using Samba servers even before the AD support was available.

      • by Zombie Ryushu (803103) on Tuesday December 11, 2012 @05:20PM (#42254233)

        Samba 3+OpenLDAP+Heimdal Kerberos created what were often termed "Open Directory Services" by the Apple Crowd. They were mutant NT 4.0 Domains that had broken a bunch of the limitations of NT4 (such as multiple PDCs and levels of trusts), provided LDAP and Kerberos, but to Windows, they were still just NT Domains to Windows. Not true ADs. XP and 2000 would disable Kerberos because it thought it was talking to NT4. Windows 7 dropped support for NT4 EXCEPT there was a special mode just for Samba 3 to work, and you had to edit the registry to get it working.

        • by abartlet (64597) on Wednesday December 12, 2012 @05:40AM (#42258495)

          Indeed, it was seeing the limitations of the NT4 model that held back these domains that was one of the major reasons I started on the AD DC effort for Samba. I deployed (and indeed was involved in the creation of) a mixed Heimdal/Samba/LDAP domain, and saw how the lack of Group Policy caused real issues for a large network of Windows PCs. In my specialist area of Authentication, I also saw how NTLM authentication did and did not work, particularly in the load it put on the DCs. Kerberos is a much better authentication protocol than NTLM, and I'm glad that Samba now not only can accept Kerberos authentication, but as the Domain Controller, it can now be the KDC too!

          In the same way, I saw the writing on the wall for NT4 support for a long time, and I'm just very glad that the interoperability environment changed enough in time that we were able to get changes made to Samba and Windows to allow Samba NT4-like 'classic' domains to continue, long past when NT4 DCs became not only unsupported, but deliberately broken (in the name of increased security). As you mention it still requires a registry patch however, and so with the release of Samba 4.0 as an AD DC I look forward to Samba administrators being able to deploy a 'just works' solution again, even for the latest windows versions.

          Andrew Bartlett
          Samba Team

  • by HaZardman27 (1521119) on Tuesday December 11, 2012 @04:39PM (#42253855)
    It's funny that this happens (and gets posted on Slashdot) today, not long after the announcement of the live interview with Luke Leighton, who started the Samba TNG fork.
