Forgot your password?
typodupeerror
Software Microsoft Networking Windows Linux

Samba 4.0 Released: the First Free Software Active Directory Compatible Server 343

Posted by Soulskill
from the opening-up dept.
Jeremy Allison - Sam writes "We released Samba 4.0 today, containing the first compatible Free Software implementation of Microsoft's Active Directory protocols. 'Samba 4.0 comprises an LDAP directory server, Heimdal Kerberos authentication server, a secure Dynamic DNS server, and implementations of all necessary remote procedure calls for Active Directory. Samba 4.0 provides everything needed to serve as an Active Directory Compatible Domain Controller for all versions of Microsoft Windows clients currently supported by Microsoft, including the recently released Windows 8. The Samba 4.0 Active Directory Compatible Server provides support for features such as Group Policy, Roaming Profiles, Windows Administration tools and integrates with Microsoft Exchange and Free Software compatible services such as OpenChange.'" Full release notes are available, and you grab the files from the download page.
This discussion has been archived. No new comments can be posted.

Samba 4.0 Released: the First Free Software Active Directory Compatible Server

Comments Filter:
  • by bluefoxlucid (723572) on Tuesday December 11, 2012 @04:10PM (#42253615) Journal
    We got a giant monolith instead of a bunch of core libraries and services.
    • Re: (Score:3, Informative)

      Gates is forked.

      This will be embeddable on ARM appliances, and baked into VM management software, etc.

      It only took 12 years... :-)

    • by abartlet (64597) <abartlet@samba.org> on Wednesday December 12, 2012 @06:14AM (#42258655)

      The AD DC is actually is a bunch of core libraries and services. To make things easiest for our users, the services are linked into and started up by one binary, but internally each different task ends up in a forked process (if appropriate). But we do one better, and allow this to be controlled at runtime, so with '-M single' it essentially becomes a giant state machine, and can be handled with a single gdb. Inter-process communication is via a unix domain socket based messaging system or full DCE/RPC pipes.

      External processes can register specific named pipes (when, as we do by default, we use smbd as the file server, this is actually a key part of the design), or DCE/RPC server modules can be loaded (the OpenChange project provides such a module).

      We could discuss if more or less of Samba's internal communication should use one design pattern or another, but what is more interesting is that without fanfare or bother, some of those ideas, implemented pragmatically rather than dogmatically, have become an essential part of how Samba is implemented. That pragmatism has then brought us the AD DC that we are so proud to announce today.

      I also love that the shared libraries that we now use internally make Samba much smaller as well, reducing the disk space overhead.

      Finally, a surprising amount of the code is actually in modules on ldb, our ldap-like database at the core of the system.

      I know you were hoping to troll with what has been a long-running design philosophy, but when you spend the time building the system, you find the pragmatism rules the day, and we use a variety of tools to get the job done, and to get it done is a way that is most seamless to our users.

      Andrew Bartlett
      Samba Team

  • by somersault (912633) on Tuesday December 11, 2012 @04:10PM (#42253617) Homepage Journal

    Oh hell yes

    • by jhoegl (638955)
      Shhhhh, they will hear you.
      BTW, licenses will still be required for these machines/users, but not for the OS.
      • by somersault (912633) on Tuesday December 11, 2012 @04:41PM (#42253871) Homepage Journal

        I already have loads of client licenses, but this means no more server licensing, so it will be significantly cheaper for small businesses to build a small network with full redundancy, and massively cheaper to build out large networks. Get this onto Ubuntu Server with a friendly interface, and MS will be close to dead in the water as far as servers go.

        • by erroneus (253617) on Tuesday December 11, 2012 @05:09PM (#42254105) Homepage

          Sorry, but no. There are bunches and bunches of PHBs out there who will perpetually doubt that anyone can make a Microsoft server as good as Microsoft and would be more than a little afraid that by doing this, they would be in violation of some sort of license requirement. At the very least, it would void any support services if an exchange server were to connect to a Samba 4 AD domain. PHBs care a lot about stuff like that even if people rarely if ever use Microsoft's support.

          For that dream to become a reality, a big player out there would have to step up and put their branding and reputation behind it. For example, IBM might be a great candidate for that. PHBs still know who IBM is. RedHat might not get the reception Linux users might think they deserve. Oracle, as much as I would like to see them die in a fire, might also be able to pull it off.

          For now, the IT world is ruled by PHBs and one must always consider what things they might believe regardless of how ridiculous it may actually be.

          • by jeffmeden (135043)

            You are right, but the bottom line (to steal the adage) is that "no one gets fired for choosing microsoft". Yes you are locked in, but you are locked in to an ecosystem that 90%+ of the world's businesses run on, so it is seen as the safest of all choices (and cost is a small factor compared to job safety).

            This will take off when Samba can integrate with Google Apps and let companies throw away anything microsoft-related (but still be microsoft-like)...

            • by ArsonSmith (13997) on Tuesday December 11, 2012 @11:28PM (#42256849) Journal

              My anecdote: 5 years ago we were a 95% Windows shop with only 15 Linux servers. Today we are a 90% Linux shop with near 1000 Linux servers. We went from 5 Windows Admins and 1 Linux admin to 6 Linux admins and 3 Windows Admins. Yet we are unlikely to convert AD to this for the exact same reasons. It's not just AD it's the plugins to AD the monitoring and the fact that, while it rarely breaks anyway, if something does break the amount of repair tools and articles on how to fix it are numerous. As that original 1 Linux admin I would like to see this as an option. But it's not very likely.

            • by mjwx (966435)

              You are right, but the bottom line (to steal the adage) is that "no one gets fired for choosing microsoft". Yes you are locked in, but you are locked in to an ecosystem that 90%+ of the world's businesses run on, so it is seen as the safest of all choices (and cost is a small factor compared to job safety).

              They used to say "no-one gets fired for buying IBM". Is that still true?

            • by dbIII (701233)

              "no one gets fired for choosing microsoft"

              That's a misquote of an old thing about IBM. Guess what one of the platforms IBM are selling support for is? A clue is it (and probably all the other platforms IBM supports) can run SAMBA.

          • by aquarajustin (1070708) on Tuesday December 11, 2012 @05:30PM (#42254319)
            This is why I don't work for a PHB. In fact, he's balding a bit. I have the best boss ever. He just gave me the green light to be early adopters and run this in production (once it passes a few sanity checks). We've been running the alphas and betas with much success. Samba team ftw!! Thanks guys! I've been waiting for this for so long.
          • by Anonymous Coward on Tuesday December 11, 2012 @07:20PM (#42255179)

            Sorry to point this out so bluntly, but I'm sick to death of this argument. that Microsoft is better than open source, because they offer full support to business customers. As a sys admin with 15 years under the belt, I can tell you that I have never gotten anything from Microsoft past a link to a technet support wizard that asks 4 obvious, general questions and always ends with "Sorry we cannot provide a solution to this problem, Do you find this article helpful?"

            NO I FUCKIN' DON'T.

            Microsoft would be the last place I would ever call if there was a critical server failure where downtime is money.

            In the real world, this kind of support is provided by 3rd party Managed Service Companies who are paid separately anyways, so you might as well pay for support on a nix based system, as they are well known to be much more stable (look at your average local nix admin with his feet up knitting or making chainmail, because he's got his systems singing and cron-grepping him hourly reports about how awesome he is and why he deserves a raise, compare this you your best of breed bad ass wizard windows admin, stressed as fuck, up till 4am fixing stupid shit for peanuts)

            • by jp10558 (748604)

              IDK, I have no problems with my basic windows servers. I find that Server 2008R2 is very similar to our RHEL6 boxes - once you get it going, it just keeps going until you fuck with it for some reason like an upgrade of software.

              And MS doesn't provide any more or less support than RedHat - if you pay for a support contract, you get the help you paid for. But as far as I can tell, you get almost nothing from any proprietary vendor just because you bought the software - you still have to pay extra for actual s

      • by erroneus (253617)

        Wait what?

        I get that the client OS (presuming it is Microsoft Windows) must be licensed, but why the user?

        This is the kind of thing I have been waiting for. A means to wedge other OSes into an AD oriented business network. Microsoft can just change a few things and make it required to run this or that server. They have played that game before where F/OSS has to catch up with changes Microsoft makes, but in the end they will lose because they can only make so many tweaks and changes before they risk compa

    • Having said that, or accounts software (shudder) requires SQL server, but it will be nice to move that off to a VM and have all other network services running on Linux at last. Thankyou SAMBA team :)

      • by na1led (1030470)
        All we really need now is a Free SQL equivalent. Doubt that will ever happen.
        • by Synerg1y (2169962)
          Nope, enjoy MS licensing fees. Don't google mysql... don't do it...
          ...
          ...
          ...
          What did I just say? Now forget everything you've read here and enjoy MS licensing fees, don't forget to buy those CALs.
          • by LurkerXXX (667952) on Tuesday December 11, 2012 @07:31PM (#42255275)

            MySQL is utter crap. It's not a replacement for MS SQL, it's not a replacement for any decent SQL server. It took those bozos YEARS to finally get MySQL to not recognize Feb 31st as a valid date.

            PostgreSQL is a potential replacement, but certainly not a drop-in replacement. Lots and lots of work would need to be done to convert between the different lingo's they speak and way features are implemented.

  • Slashdot does it again....

    • by alphatel (1450715) *

      Slashdot does it again....

      I have a feeling that Microsoft slapped them with RIAA, MPAA and a few federal agents before anyone could finish downloading. What a shame, I got cutoff at "Active Director ".

  • fsck yeah! (Score:5, Insightful)

    by Netdoctor (95217) on Tuesday December 11, 2012 @04:19PM (#42253689)

    Oh My Gawd.

    I have been waiting literally *years* for this.

    This just made up for an otherwise very crappy day. No, this just fixed my whole year.

  • Wow (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 11, 2012 @04:19PM (#42253693)

    I'll be interested to see the reviews on this over the next several months. I'm interested to see how well this performs under different levels of load, and how it utilized group policy. Kind of exciting in an extremely nerdy sort of way.

  • by gstoddart (321705) on Tuesday December 11, 2012 @04:21PM (#42253703) Homepage

    I'm assuming if Microsoft could legally stop this, they would.

    Likely the interfaces aren't copyrightable and this is probably a clean implementation -- but I'm sure if Microsoft could trot out a patent or something else to stop people they would.

    I can't imagine they want implementations of their stuff out there. (Granted, they mostly started out by implementing other people's stuff, so there may not be much they can do about it.)

    • by mcl630 (1839996) on Tuesday December 11, 2012 @04:33PM (#42253811)

      Microsoft provided them with documentation and helped them with interoperability testing. From TFA:

      The Samba 4.0 Active Directory Compatible Server was created with help from the official protocol documentation published by Microsoft Corporation and the Samba Team would like acknowledge the documentation help and interoperability testing by Microsoft engineers that made our implementation interoperable.

      "Active Directory is a mainstay of enterprise IT environments, and Microsoft is committed to support for interoperability across platforms," said Thomas Pfenning, director of development, Windows Server. "We are pleased that the documentation and interoperability labs that Microsoft has provided have been key in the development of the Samba 4.0 Active Directory functionality."

      • by gstoddart (321705)

        Microsoft provided them with documentation and helped them with interoperability testing.

        Well, then allow me to say ... holy crap. As much as I have a hard time believing "Microsoft is committed to support for interoperability across platforms". They haven't historically been interested in that.

      • by leoxx (992) on Tuesday December 11, 2012 @04:44PM (#42253907) Homepage Journal

        Of course what you failed to mention is that Microsoft only did this because the European Commission forced them to [samba.org]:

        December 20th 2007. Today the Protocol Freedom Information Foundation (PFIF), a non-profit organization created by the Software Freedom Law Center, signed an agreement with Microsoft to receive the protocol documentation needed to fully interoperate with the Microsoft Windows workgroup server products and to make them available to Free Software projects such as Samba. Microsoft was required to make this information available to competitors as part of the European Commission March 24th 2004 Decision in the antitrust lawsuit, after losing their appeal against that decision on September 17th 2007.

        • Of course what you failed to mention is that Microsoft only did this because the European Commission forced them to

          Perhaps this is so NOW. But it will be interesting to see what direction Microsoft takes after Steve Ballmer's departure in 2013.

      • by Aaden42 (198257) on Tuesday December 11, 2012 @04:46PM (#42253923) Homepage

        Wasn't Microsoft *required* by a court judgement or two to provide documentation and interoperability for several of their protocols? I don't think this was entirely out of the goodness of their hearts

        See the heading "February 2008 fine" here: http://en.wikipedia.org/wiki/Microsoft_litigation [wikipedia.org]

      • by Tailhook (98486)

        Microsoft provided them with documentation

        As per European Commission order and enforced with massive punitive fines levied over a decade. It had to be beat out of them. Don't think for a moment this is volitional. They just can't tolerate any more shareholder meetings where another billion euro fine is on the agenda.

    • I'm assuming if Microsoft could legally stop this, they would.

      Likely the interfaces aren't copyrightable and this is probably a clean implementation -- but I'm sure if Microsoft could trot out a patent or something else to stop people they would.

      I can't imagine they want implementations of their stuff out there. (Granted, they mostly started out by implementing other people's stuff, so there may not be much they can do about it.)

      Well if this article is still valid, then I would say they don't mind Samba. http://linux.slashdot.org/story/08/10/23/1441200/microsoft-working-for-samba-interoperability [slashdot.org]

    • Microsoft helped (Score:5, Informative)

      by Gazzonyx (982402) on Tuesday December 11, 2012 @04:37PM (#42253843)
      Stop them? Microsoft helped the Samba team. Microsoft even uses the samba torture testing framework internally for their own products as I understand it. The torture tests catch crap that their own testing wouldn't since it tries to send packets that Windows clients would never send.

      The EU is still a bit angry at Microsoft (remember when they had to release all of the documentation on their implementation of the SMB protocol?) and they don't need to be stoking that flame.
      • By the way, if anybody asks, it IS Microsoft's intent that other non-MS clients connect to AD. They specifically built a framework and API to allow 3rd party apps add their own schema to the database and query for user permissions. A few things I've worked with that do this are VMware vCenter and Cisco ACS firewall.

        And no, that isn't because the EU made them, they've been doing this since the earlier days of active directory (at least, Server 2003 has this functionality anyways.)

        • by moogla (118134)

          I'd like to think that the whole Active Directory ecosystem is moving in a positive direction because of efforts like these. I have no problem with the LDAP + Kerberos + DNS + "Forests" and standardized structures model that Microsoft has championed; it is a very successful, flexible, and apparently extensible model and technology stack.

    • by Bengie (1121981) on Tuesday December 11, 2012 @05:08PM (#42254091)
      Microsoft actually invited several of the SAMBA team over, had 2 senior engineers on hand to answer any questions they had about SMB and even gave the SAMBA team their own VM environment complete with Win7/Win8/Linux to run SMB2/3 compatibility testing. Lots of questions about RDMA, Interface teaming, and multi-pathing.

      The SAMBA team said they received a lot of insight and understanding from their time with the MS engineers and were impressed and excited.

      I'm not sure Microsoft is too concerned about SAMBA 4 being released.
  • by AlphaWolf_HK (692722) on Tuesday December 11, 2012 @04:21PM (#42253709)

    I did a network integration capstone course where we had linux and windows in a single active directory domain, with single sign on and all users and objects in one database. How is this different?

    More power to them though, active directory is HUGE in the enterprise space. If you could integrate its security controls and policies into android tablets and smartphones, windows 8 and its lame tablet UI will never see the light of day in big business.

  • This might work for small networks, but what about Virtualization environments, Hyper-V, Multiple AD servers, Proxies, etc. I'm sure it's going to have limitations.
    • It's just an AD server. Why would running under Virtualization environments, Hyper-V, Multiple AD servers, matter ?

      Jeremy.

    • You're going to have to catch me up why Hyper-V and Visualization matter in your sentence. If your V-Server depends on AD which is on the V-Server you're going to have an issue.

      http://www.vmware.com/files/pdf/Virtualizing_Windows_Active_Directory.pdf [vmware.com]

      People have already setup Samba4 and W2K8 ADs working together

      http://admingeeks.blogspot.com/2011/05/samba-4-domain-controller-part-4-adding.html [blogspot.com]

      The other issues are potentially a problem as there are thousands of different AD configurations out there, and all o

    • by Xtifr (1323)

      Didn't most of that stuff already work with OpenLDAP and Kerberos? Wasn't the only remaining issue the MS-specific bits of the protocol? I mean, yes, those are questions worth asking, but you seem to be assuming the answer is no; I would tend to assume the answer is, mostly, yes.

      This is not some upstart, fly-by-night system. Samba has been in heavy use in the enterprise space for many years. I've been amazed at some of the companies I've stumbled across that were using Samba servers even before the AD suppo

      • by Zombie Ryushu (803103) on Tuesday December 11, 2012 @05:20PM (#42254233)

        Samba 3+OpenLDAP+Heimdal Kerberos created what were often termed "Open Directory Services" by the Apple Crowd. They were mutant NT 4.0 Domains that had broken a bunch of the limitations of NT4, (such as multiple PDCs and levels of trusts.) provided LDAP and Kerberos, but to Windows, they were still just NT Domains to Windows. Not true ADs. XP and 2000 would disable Kerberos because it thought it was talking to NT4. Windows 7 dropped support for NT4 EXCEPT there was a special mode just for Samba 3 to work, and you had to edit the registry to get it working.

        • by abartlet (64597) <abartlet@samba.org> on Wednesday December 12, 2012 @05:40AM (#42258495)

          Indeed, it was seeing the limitations of the NT4 modal that held back these domains that was one of the major reasons I started on the AD DC effort for Samba. I deployed (and indeed was involved in the creation of) a mixed Heimdal/Samba/LDAP domain, and saw how the lack of Group Policy caused real issues for a large network of Windows PCs. In my specialist area of Authentication, I also saw how NTLM authentication did and did not work, particularly in the load it put on the DCs. Kerberos is a much better authentication prototcol than NTLM, and I'm glad that Samba now not only can accept Kerberos authentication, but as the Domain Controller, it can now be the KDC too!

          In the same way, I saw the writing on the wall for NT4 support for a long time, and I'm just very glad that the interoperability environment changed enough in time that we were able to get changes made to Samba and Windows to allow Samba NT4-like 'classic' domains to continue, long past when NT4 DCs became not only unsupported, but deliberately broken (in the name of increased security). As you mention it still requires a registry patch however, and so with the release of Samba 4.0 as an AD DC I look forward to Samba administrators being able to deploy a 'just works' solution again, even for the latest windows versions.

          Andrew Bartlett
          Samba Team

  • It's funny that this happens (and gets posted on Slashdot) today, not long after the announcement of the live interview with Luke Leighton, who started the Samba TNG fork.

"Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats." -- Howard Aiken

Working...