
Active Directory Comes To Linux With Samba 4

Da Massive writes in with another possible answer to a recent Ask Slashdot about FOSS replacements for Microsoft AD server. "Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."
  • Jumping the Gun (Score:5, Informative)

    by TechForensics ( 944258 ) on Monday January 19, 2009 @03:09AM (#26513431) Homepage Journal

    According to TFA FOSS AD is not here yet by a long shot, in early alpha, many missing features. Summary is *terrible* in suggesting non-M$ AD is already here.

  • Re:AD licensing (Score:2, Informative)

    by Anonymous Coward on Monday January 19, 2009 @03:13AM (#26513447)

    You need a CAL for every user in the AD.

    Gets expensive. Wait for samba4

  • Re:AD licensing (Score:5, Informative)

    by Darkk ( 1296127 ) on Monday January 19, 2009 @03:27AM (#26513489)

    Exactly. You need CALs for stuff like:

    AD
    Exchange
    Terminal Server
    etc.

    It adds up pretty quickly.

    It's really a nightmare for IT Depts as they have to keep track of the CALs and ensure they have enough licenses to cover the number of users.

  • Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?

    I think SWAT was meant to be that, and it kind of sucked.

  • Re:AD licensing (Score:5, Informative)

    by Anonymous Coward on Monday January 19, 2009 @03:34AM (#26513519)

    A careful reading of the TOS says that it is licensed via user or device CALs based on authenticated users.

    They actually have an example: if you use AD as back end authentication on a web site you have to buy a CAL for every user, or magic uber-CALs for the web server.

    Really, it is just a tax. A MS shop typically has to pay:
      - For a OEM license on windows
      - For a volume license upgrade on windows
      - For a device or user CAL for the windows machine/user
      - For a windows server license (per VM!)
      - For exchange server (and a windows server license)
      - Per user exchange CALs (yay!)
      - Office CALs for outlook

    It used to be a CAL came along with NT4 so you didn't need a separate one, but that is not the case anymore. MS said their customers wanted the simpler model of paying more for the same thing.

    Of course, CALs and VLK upgrades are locked to specific versions so you have to keep buying them again and again to keep the additional rights.

    The only happy area is that the CALs apply to all servers at once, so if you have a thousand users and a thousand servers you only need a thousand CALs.

    No software checks this, but these are the terms.

    It is really quite insane, but maximizes MS's profits.

    See http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx
    And keep in mind that MS thinks performing an authentication against AD is accessing the server.

  • Re:Jumping the Gun (Score:5, Informative)

    by b4dc0d3r ( 1268512 ) on Monday January 19, 2009 @03:35AM (#26513527)

    I'm just guessing here, but there was something about interoperability in, what was it, oh, every monopoly-related judgment they ever lost. Otherwise they wouldn't be helping.

  • Re:Jumping the Gun (Score:5, Informative)

    by shutdown -p now ( 807394 ) on Monday January 19, 2009 @03:44AM (#26513563) Journal

    Ever since the EU antitrust/monopoly judgement and fines, MS has significantly increased the emphasis on open standards. It's still NIH syndrome more often than not, but at least the results are now documented, and usually come with a no-patent-enforcing pledge ("Open Specification Promise" - this covers e.g. OOXML and older Office formats, XPS, Silverlight, and so on). Also, I recall that EU specifically named SMB/CIFS & AD as something that should be opened up, and Samba as the beneficiary.

    Whether it's just a coincidence or one followed from another is up for you to judge.

  • Re:About Time... (Score:5, Informative)

    by Z00L00K ( 682162 ) on Monday January 19, 2009 @03:46AM (#26513569) Homepage Journal

    Actually - the AD support in Samba is a bit of old news, since that has been promoted before.

    But it's still good news, especially since lately the configuration of Microsoft's softwares and platforms has started to get incredibly complex and very hard to penetrate - as well as configure in a secure way.

  • Re:AD licensing (Score:5, Informative)

    by gallwapa ( 909389 ) on Monday January 19, 2009 @03:48AM (#26513583) Homepage

    No...no...no

    There are "per device" or "per user" licenses.
    If you have 5000 computers but 40,000 users, it is probably cheaper to buy device licenses...so you can do that.

    In addition, each server DOES require a server license (which is different than a CAL).

    Windows is licensed like so

    Standard edition license includes 1 phys server + 1 VM (on the same server)
    Enterprise includes 1 phys server + 4 VM (again on the same server)
    Datacenter includes unlimited server licenses of any type

    Users with enterprise agreements or software assurance don't have to repurchase - they're covered under their contract.

  • Re:About Time... (Score:3, Informative)

    by rmallico ( 831443 ) on Monday January 19, 2009 @03:48AM (#26513585) Homepage
    headache of AD? uh.. backing up? are you serious? there are command line tools, 3rd party tools as well that handle backing up of AD as well as full forest recovery (and even restoring a single attribute for one user to ALL users in minutes)... google is your friend..
  • Re:AD licensing (Score:3, Informative)

    by El Lobo ( 994537 ) on Monday January 19, 2009 @03:51AM (#26513603)
    The CAL has NOTHING to do with active directory at all. If you don't use active directory you need to buy a cal license anyway to access the server's resources.
  • Re:About Time... (Score:3, Informative)

    by retyurecvb ( 1442035 ) on Monday January 19, 2009 @04:38AM (#26513805)
    He has Samba confused with Sambo. [wikipedia.org] Somebody (same person?) made a post just like this a couple of days ago.
  • Re:AD licensing (Score:1, Informative)

    by Anonymous Coward on Monday January 19, 2009 @04:52AM (#26513847)

    The CAL has NOTHING to do with active directory at all. If you don't use active directory you need to buy a cal license anyway to access the server's resources.

    If you do want to use active directory, then now you don't need to buy a cal license to access the server's resources, because the server would be running Samba 4 under Linux.

    There, fixed it for you.

  • Re:AD licensing (Score:5, Informative)

    by Jezza ( 39441 ) on Monday January 19, 2009 @05:58AM (#26514087)

    Well really they probably pay for "service".

    Now some think this is a total waste of money and the whole point of Linux is you don't pay for anything. While it's true you can do this, if your multi-million wonga business is relying on your IT that may not be too smart.

    But buying "service" isn't some nasty con, you're actually getting something. Also you can shop around for it, and even switch suppliers.

    Now the "free" aspect of Linux really helps you (as a business) as all your "computer wonks" can have a copy (for free) and take it home, use it outside the office (so they learn the product inside out). It does work out cheaper than Microsoft. The product evolves quicker, but you're not forced on some insane upgrade cycle.

    You can get lots of certified hardware (which is important) and you're not alone (lots of other businesses have done the same).

    Businesses get very twitchy when Linux advocates talk about "free" and the reason is they want to know: "Who's accountable if this stops working". A word of advice if you're trying to get your employer to consider Linux, keep the talk about "free" to a minimum (even "cheap" has negative connotations) instead talk about:

    Lower Total Cost of Ownership
    Competition in the market for Linux Support
    No vendor lock-in
    Hardware support from all major suppliers
    Plenty of success stories

    Oh and don't forget Sun make great Linux kit (not just Solaris)

  • Re:AD licensing (Score:4, Informative)

    by symbolset ( 646467 ) on Monday January 19, 2009 @06:19AM (#26514169) Journal

    SCO is dead. They'll convert to liquidation any day now. At least one would hope so. Nobody knows how long that zombie has to shamble.

    there's no such thing as no lawsuit exposure.

    That [arstechnica.com] is [bbc.co.uk] true [eolas.com] enough [cnet.com] but to accept that as a premise is to refuse to do business. There is some middle ground where businesses can still operate in where the risk is acceptable. Limiting your exposure by avoiding licensing agreements that include the right to sue you if you overdeploy seems wise, and licensing agreements that include the right to audit you more so. Especially when there are options available that include terms like "use all you want for free".

    (i'd like to see documented example of it)

    Meet Ernie Ball [slashdot.org]. But wait... that wasn't Microsoft... that was their representatives, the Business Software Alliance! Same same. Evil by proxy is still evil.

  • Not very realistic (Score:3, Informative)

    by Krokant ( 956646 ) on Monday January 19, 2009 @06:55AM (#26514321)
    It is not very comforting to read the following statement:

    "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."

    "Something to do with...". This is in every AD 101 book (machine accounts, password renewal, ... thing). I would at least expect that the Samba developers have experience in installing, running and maintaining a "realistic" Active Directory environment (read: more than 1000 client machines) before delving into the real messy details. I am not sure I even want to know how they are going to handle disaster recovery (one of the fun parts of AD, rest assured).

    Honestly, I cannot imagine why anyone would want to run a FOSS equivalent Active Directory. After having spent months in setting up a full mixed Windows/Linux environment (OpenLDAP, Kerberos, Samba, the works), I can say that setting up AD is a breeze: for me, it is a prime example where Microsoft took existing technologies (LDAP, DNS, Kerberos) and actually turned it into something useful without the typically associated configuration nightmares. And it works very stable indeed.

    And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.
  • Re:AD licensing (Score:5, Informative)

    by betacha ( 1388285 ) on Monday January 19, 2009 @07:08AM (#26514369) Homepage
    I had the pleasure of formatting our Windows 2003 server this summer and completely replacing it with an Ubuntu Samba OpenLDAP Domain server using this tutorial... http://ubuntuforums.org/showthread.php?t=640760 [ubuntuforums.org] The server has been working flawlessly at our school since September! We ran out of CAL's and our school is expanding very quickly. It didn't make sense to purchase more and continue paying the micro$oft tax..
  • by Curl E ( 226133 ) on Monday January 19, 2009 @09:06AM (#26514881)
    vrms [debian.org]'s one seems reasonable...
  • Re:About Time... (Score:5, Informative)

    by kimvette ( 919543 ) on Monday January 19, 2009 @10:01AM (#26515151) Homepage Journal

    It is every bit as racist as niggardly is; as in "Microsoft behaves niggardly with its protocols while at the same time preaches interoperability."

    That legitimate words "sound kinda like" racist slurs does not mean the common words are racist. On the other hand, we have just been trolled.

  • Re:About Time... (Score:2, Informative)

    by Whizzmo2 ( 654390 ) on Monday January 19, 2009 @11:11AM (#26515885)
    ntdsutil [microsoft.com] (included with Windows Server) is plenty capable of doing backups and restores of AD data. Microsoft has lengthy documentation on the subject, including how to properly prepare and what to do when the feces hit the oscillator.
    A few documentation links:

    Also, you do know that ntbackup.exe is "a VSS aware backup program," right? Bonus: It's included at no charge from Microsoft.

    In short, RTFM and STFU.


    --Whizzmo

  • Re:About Time... (Score:2, Informative)

    by The Real Tachyon ( 1332153 ) on Monday January 19, 2009 @11:56AM (#26516403)
    Even if his examples are missing or bad ones, he's still right. There's a LOT of Linux out there that people use or are affected by every day but never know it.

    Just one example I'm aware of is ADP (www.adp.com).
    Most of their core application servers run Linux. And they are everywhere, but you'd never know it even if you used those systems every day. They provide Payroll, HR, Benefits management etc. systems that are accessed with a Windows Based PC client. The users might never know about the servers being Linux based. They also sell dealer management systems (the backend for car dealers) to a vast portion of the auto dealer market. Again, users might not know this, even though they use it every day. Though in this case this is probably a good thing since the client side of the application is not exactly 5 star. However, it still remains that they have millions of users working on Linux server based applications every day without the users ever even knowing it.

    I'm sure there are a lot of other such examples, but there's no one spending millions to put ads bragging about it like Microsoft does every time they win a contract somewhere.

    Anyway, my point is that I agree with Klootzak that there are probably a huge number of Linux based systems out there in real business use that the general public and even the basic IT community are not generally aware of.

    Finally, I for one am thrilled to have an alternative to Windows Server and AD for our corporate network. Not for Linux fanboy reasons, but because I have to manage and budget whatever solution we use and my experience is that Windows causes me more work and more expense, where once you get a Linux solution configured and running, you can generally ignore it from then on as it continues to just work without magically breaking itself every few weeks/months/days.
    Linux solutions generally mean less of my time spent working late nights troubleshooting things and more time home with my family. And THAT is something I place real value on.
    As for the ease of use argument, I'd rather spend a day setting up a Linux solution than 2 hours setting up a Windows one because I know I'll more than get that time back in the future.
  • Samba and root (Score:3, Informative)

    by DragonHawk ( 21256 ) on Monday January 19, 2009 @11:15PM (#26524523) Homepage Journal

    Samba runs as root for a few different reasons that I know of:
    1. bind to privileged ports (<1024)
    2. set{e,r}{u,g}id for the user being authenticated
    3. RPC-based system administration

    If it was just the first, I bet it could prolly drop root soon after startup. If it was just the first and the second, it might be able to drop root after authenticating, since each connection gets its own process. Samba may already do some of this, for all I know. Alternatively, implementing this may be difficult for architectural reasons, which may or may not be solvable via code restructuring.

    But for the third, it has to run as root all the time. What this refers to is the ability to perform system administration tasks (like adding/changing/deleting users, groups, computers, etc.) via Microsoft's RPC mechanism. This is how Windows does this, and Samba supports quite a bit of it. Notably, if you're going to support Windows domains on Samba, it needs to be able to create host OS (Unix) accounts for users and machines.

    It's probably theoretically possible to develop some kind of frontend/backend layer for process privilege separation, but at that point, you're basically just implementing all the protocol work Samba has to do all over again, in an internal protocol. If you couldn't get it right the first time, I wouldn't expect this try to be much better.

    Remember, Samba aims to be bug-for-bug compatible with Microsoft Windows, which means inheriting any brain damage present in SMB/CIFS. If you want a clean design, this is the wrong place to look.
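
The "Samba and root" comment above describes giving up root in the per-connection process once the privileged steps are done. A minimal sketch of that pattern follows as an added example; it is not Samba's code and not from any poster. The function names and the demo uid/gid 65534 are assumptions made here.

```c
/* Added example (not Samba source): irreversible per-connection privilege drop. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become uid/gid. Order matters: supplementary groups and the gid
 * must change while the process still has the privilege to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* only root may clear groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must not be regainable */
    return 0;
}

/* Model of "each connection gets its own process": fork, drop in the child,
 * and only then handle client-controlled data. Returns the child's exit code:
 * 0 = ran unprivileged, 2 = drop failed and the child refused to continue. */
int serve_connection_as(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(2);  /* fail closed */
        /* ... request handling for the authenticated user would go here ... */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Assumed demo target: 65534 (commonly "nobody") when started as root,
     * otherwise our own ids, which an unprivileged process may always set. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    printf("serve as %ld:%ld -> %d\n", (long)uid, (long)gid, serve_connection_as(uid, gid));
    if (geteuid() != 0)  /* an unprivileged parent cannot become another user */
        printf("serve as 0:0 -> %d\n", serve_connection_as(0, 0));
    return 0;
}
```

This covers only the first two reasons in the comment; the third (RPC-based administration) is exactly the case where the drop cannot be made permanent in the same process.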
