
Active Directory Comes To Linux With Samba 4

Da Massive writes in with another possible answer to a recent Ask Slashdot about FOSS replacements for Microsoft AD server. "Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."
  • by Darkk ( 1296127 ) on Monday January 19, 2009 @02:52AM (#26513361)

    Finally an alternative to Microsoft's insane licensing model.

    It brings one step closer for those who want to move to linux or at least convert some windows to linux.

  • by 8282now ( 583198 ) on Monday January 19, 2009 @02:53AM (#26513365) Journal

    I've got a line of outfits that can benefit from this!

    There are so many companies I know that have little to no real dependence upon AD other than the fact that it's all they've really known...

  • AD licensing (Score:3, Interesting)

    by ani23 ( 899493 ) on Monday January 19, 2009 @02:58AM (#26513393)

    Can someone tell me how AD is licensed? I thought it was a part of server 2003 and once you buy that there should be no additional costs, right? Our Sys Admin is planning to install AD for our office (we never had AD before) and I am trying to figure out what, if any, the advantages of getting AD will be.

  • by plasmacutter ( 901737 ) on Monday January 19, 2009 @03:08AM (#26513421)

    My last tussle with samba was yet another try with ubuntu on this old macbook.

    Samba refused to accept proper config messages through gnome's graphical tools, I had to go in and edit the config manually, and samba did not respond properly to the config.

    Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?

  • Re:Jumping the Gun (Score:5, Interesting)

    by Darkk ( 1296127 ) on Monday January 19, 2009 @03:21AM (#26513471)

    One thing I find interesting in the article is that Microsoft has been working with Samba developers to provide them the inner workings of AD. Hell, even Samba developers discovered a bug about random passwords in AD and told Microsoft about it.

    AD in its present form is still a closed source project so I find it interesting the Microsoft team is willing to provide them some of the secrets knowing that eventually it'll take away some of their profits like they'll miss it anyway.

    So what exactly is the direction Microsoft is taking?

  • by Doug52392 ( 1094585 ) on Monday January 19, 2009 @03:28AM (#26513493)

    "A new year... A new hope?" "Let us know your predictions for 2009".

    And, right on par with my hope of seeing Half-Life 2 Episode 3 in "early 2009", my hope of seeing a fully working, easy to set up and maintain, "it just works" Active Directory server for Linux this year has diminished due to the fact that this same exact story was posted here over 3 years ago. (or on Digg)

  • Re:AD licensing (Score:2, Interesting)

    by symbolset ( 646467 ) on Monday January 19, 2009 @05:12AM (#26513909) Journal

    Windows is licensed like so....

    Yeah, that makes a lot of sense compared to the completely irrational "use all the copies you want, but if you make changes you have to share them back" model.

    Who would take a completely insane deal like "use all you want. We'll make more." rather than the more rational "pay us per seat or per user, but no changes are possible and if you overdeploy, we'll sue you." Or the even more rational "Pay us per seat and per server, annually, and you get the right to update to our latest software... if we ever do update our software - oh, and if you overdeploy, we'll sue you" model.

    That's just crazy talk. It's like choosing to not be sued. Who in their right mind would choose to not be sued even if choosing not to be sued would save them tons of cash? Especially when the alternative is free and contains no lawsuit exposure? Please, please don't throw me in that briar patch [wikipedia.org].

  • Re:Security (Score:3, Interesting)

    by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Monday January 19, 2009 @06:34AM (#26514209) Homepage

    The windows counterpart to samba also runs as SYSTEM...
    Not sure if samba needs root for anything other than binding to the ports it uses and accessing files as specific users... I wonder how hard it would be to make it run as a normal user, losing filesystem permissions in the process of course.

  • by stephenpeters ( 576955 ) on Monday January 19, 2009 @06:38AM (#26514233) Homepage

    mark my words, it'll have bugs which will result in 1000's of "RTFM n00b" or "it's ms's protocol that sucks" responses.

    Just as Slashdot is full of trolls and OT comments, help forums often have people posting unhelpful comments. Just ignore them. Life is too short for arguing with idiots.

    I find the Samba help forums are generally excellent if you take the time to ask a sensible question instead of just posting the first problem that comes up. Often the task of formulating a sensible question solves a problem without actually having to ask on the forums at all. I also generally find my query has already been answered in the forum and all I need to do is search.

    The Samba documentation is an excellent resource and generally answers most of the questions you may have. Try starting with John Terpstra's Samba 3 by example [samba.org] which is a practical guide to implementing Samba 3. I don't know if John is working on a Samba 4 update to the book, but there is a WIKI [samba.org], HowTO [samba.org] and a FAQ [samba.org] available. If you are risk averse you may not want to use Samba 4 in production just yet :)

  • Re:AD licensing (Score:3, Interesting)

    by blincoln ( 592401 ) on Monday January 19, 2009 @08:02AM (#26514601) Homepage Journal

    They actually have an example if you use AD as back end authentication on a web site you have to buy a CAL for every user, or magic uber-CALs for the web server.

    Not only that, but it gets more complicated depending on how many MS server products you use.

    For example, if you have a SharePoint system accessible on the internet that users can log into, you need a SharePoint CAL, a SQL Server CAL, and a Windows CAL for each of the users.

    I've even read a Gartner paper that claims it's not just AD users, but users who log in using credentials of any kind. I.e., if you run an online store on IIS, you need to purchase a user CAL for each of your customers (assuming they can log in), whether you write your own auth system or give them AD accounts. Alternately, you can purchase a very expensive blanket CAL that covers them all. Either way, those CALs are going to cost more than most small businesses ever make off of single transactions from casual customers.

  • Re:AD licensing (Score:2, Interesting)

    by betacha ( 1388285 ) on Monday January 19, 2009 @08:47AM (#26514797) Homepage

    Glad you find the link useful! There is still some playing around with scripts... I had to learn how to use vim etc... which wasn't too easy to figure out... I recommend running through the tutorial once with a virtual machine following it verbatim using the exact version of ubuntu server recommended 7.10... and using the same domain name etc... It took me a few tries to get through it successfully... Then I created my own on the real server using my own domain personalization...

  • Re:Waiting for samba (Score:2, Interesting)

    by morgan_greywolf ( 835522 ) on Monday January 19, 2009 @09:33AM (#26515015) Homepage Journal

    I'm not surprised. Anyone who has followed Samba's development as religiously as I have knows that Active Directory was always not fully documented and has always been a moving target. Samba 4 has been in development a very long time -- I remember hearing about "Samba TNG" (what they used to call it) years ago.

    Slowly but surely they added Active Directory client integration and server development happened in parallel.

    What will surprise you is how stable Samba 4 is right now. Even the alphas were stable enough that some people have been using them in production a while.

    by DaMattster ( 977781 ) on Monday January 19, 2009 @12:09PM (#26516583)

    "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."

    Samba 4 is not really production ready yet. That is why it is labeled as an alpha version. Those using it in production, do so at their own risk. That said, I use it in a home network and it does run beautifully. However, I would be leery of using it in a business environment just yet.

    "Something to do with...". This is in every AD 101 book (machine accounts, password renewal, ... thing). I would at least expect that the Samba developers have experience in installing, running and maintaining a "realistic" Active Directory environment (read: more than 1000 client machines) before delving into the real messy details. I am not sure I even want to know how they are going to handle disaster recovery (one of the fun parts of AD, rest assured).

    Disaster recovery will be far easier on a Samba 4 DC because access to AD itself will be far less obscured and convoluted. A simple raw LDAP call could restore the entire database at the linux command line. I have seen countless problems restoring AD after a DC failure. I created a mock scenario with a Samba 4 DC wherein the entire database was wiped. I simply used Samba's own LDB toolset and had it up and running again in seconds.

    And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.

    You're missing the point. It isn't about cost at all. The point of having an open source replacement for AD is to make it easier for software developers to take advantage of the largely undocumented protocols. This is designed to facilitate interoperability. Even Microsoft, from the light of the anti-trust lawsuit it lost, extended an olive branch to the Samba team to assist in providing documentation. Plus, the work that Samba does stands to benefit Microsoft as well because they might be able to see where the Samba team has had some really good ideas and legally incorporate them into mainstream AD. And, before you express such confidence, I would try using Samba 4 myself. Some parts of the code are very mature and work well.

  • Re:About Time... (Score:3, Interesting)

    by Penguin Follower ( 576525 ) <scrose1978@gma[ ]com ['il.' in gap]> on Monday January 19, 2009 @12:14PM (#26516639) Journal

    Since you bring up ADP... I will also mention that their competitor Reynolds & Reynolds also uses Linux for their app servers. Between ADP and R&R you have the large majority of car dealerships in the USA having Linux in the business back-end.

  • Re:About Time... (Score:3, Interesting)

    by KagatoLNX ( 141673 ) <kagato@@@souja...net> on Monday January 19, 2009 @02:02PM (#26518003) Homepage

    Ironically, SPSS was cloned fairly early on in the OSS wars.

    http://www.gnu.org/software/pspp/ [gnu.org]

    I've found that making employees accountable for knowing their software is a huge benefit. Before a number of OSS shifts I've administered, nobody knew what was important. The entire workflow was undocumented. In some ways, tracking down this information is quite valuable in its own right--and you'd never get it if you couldn't make people's jobs depend on it.

    The key is to do it in responsible phases. Pick a representative set of really good people in your workflow. Make them into a "conversion team". Incentivize them to make the conversion process a success. Just doubling existing incentives works really well for sales people. They are notoriously hard to sell on OSS, but 2x-commission brings out the gambler in them. Most importantly--listen to them when they "can't do their work". If you've picked the right people, it'll be due to legitimate concerns.

    Go department by department. Be tactical. Allow islands of resistance to form. If they can't be ignored, exploit existing divisions in the company to prevent them from uniting. When they're all that's left in a sea of OSS users, they're easier to deal with. Let their case be about real needs, not "everybody's doing it". Indeed, you don't even have to argue it, their arguments change on their own. It's a remarkably social phenomenon.

    The legal department can be your friend. Most organizations are woefully out of compliance in licensing. If legal is made aware of this, they often just can't ignore it and will take it to the top. Ignoring it at any level can make people personally liable. The lawyers will tell them this.

    Conversely, if you are in compliance, accounting is your friend. When software licenses are properly budgeted, they show up and they're ugly. It's also fairly easy to demonstrate that, once stabilized, OSS departments require less administrative labor than proprietary ones.

    Most importantly, determine where there aren't OSS alternatives. In a big enough organization, you'll invariably have a few MS boxen just for interoperability or niche software. It's fine. That's what virtualization is for, and you can deal with that at your leisure. Rest assured that this is a dwindling list of software.

    Be careful. Like any large IT shift, a bad roll-out can negate years of cost savings. No vendor, especially not the OSS community, should be blamed for your botched implementation.

    In the end, the dream of an OSS organization is achievable. It can be worth the trouble. Whether you breathe Unix, sleep with a copy of the GPL, hate that your company is probably way out of license compliance, or just want that money in your bank instead of Redmond, there are plenty of reasons to do it.

  • Re:About Time... (Score:3, Interesting)

    by bored_engineer ( 951004 ) on Monday January 19, 2009 @02:57PM (#26518637)

    And was re-offered his position after many people including Julian Bond, chairman of the NAACP, spoke harshly of Mayor Williams' "acceptance" of Howard's resignation. Too bad that it went as far as it did, though. Ignorance always has a cost.
