Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Networking Software Linux

Active Directory Comes To Linux With Samba 4 276

Da Massive writes in with another possible answer to a recent Ask Slashdot about FOSS replacements for Microsoft AD server. "Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."
This discussion has been archived. No new comments can be posted.

Active Directory Comes To Linux With Samba 4

Comments Filter:
  • About Time... (Score:2, Insightful)

    by Mydnight ( 817141 )
    After the headaches Active Directory has caused the company I work at over the last couple weeks (things like Windows telling the backup software that it wasn't allowed to backup anything to do with AD except the transaction logs), I can't wait!
    • Re:About Time... (Score:5, Informative)

      by Z00L00K ( 682162 ) on Monday January 19, 2009 @02:46AM (#26513569) Homepage Journal

      Actually - the AD support in Samba is a bit of old news, since that has been promoted before.

      But it's still good news, especially since lately the configuration of Microsoft's softwares and platforms has started to get incredibly complex and very hard to penetrate - as well as configure in a secure way.

      • Re: (Score:2, Insightful)

        by Klootzak ( 824076 )

        But it's still good news,

        Why is it good news? Is the Open-Source community embracing the concept "If you can't beat 'em join 'em?".

        Pish-Posh, Linux can have, and has its own "Directory" functionality, and the members of the OS community are more than capable of implementing their own standards.
        My opinion of this is that it's good for cross-compatibility, but not so much that it advances the concept that OSS products can compete in their own right.

        I will be more impressed when Microsoft adds standards compatibility for integration

        • Re:About Time... (Score:5, Insightful)

          by Architect_sasyr ( 938685 ) on Monday January 19, 2009 @05:00AM (#26514097)
          Whether you agree with it or not, Linux has a very small market share in the two places it counts: gaming and the office. It's "big news" here when we find a government organisation or a school going with a Linux installation, and until it stops being so we can never consider Linux *as good* as MS or OS X, purely because of usage base. This functionality is an excellent step in the right direction for the office software, because we (as sysadmin's) can build a server that silently integrates with all the XP/Vista machines on a network, without "telling" anybody about it. After a few months of having a stable linux server in place, we can start pushing stable Linux onto the less-than-important PC's - like the receptionist (who can/should be trained) or the marketing department. Slowly (but surely) bringing across all the machines possible we can to Linux. Having AD functionality is definitely the first step. Getting a decent-free Exchange-replacement will be the next (and I mean free in the same way that Debian is free, unrestricted as much as possible) in the chain. Simply put, any OSS supporter needs to make some compromises to get their software into the enterprise. People grow up on Windows, or on OS X (as a rule it is one or the other) not (necessarly) on Linux, so we need to ease them in.

          Oh and Linux has its own Directory functionality, it's OpenLDAP. It's just not necessarily as easy to maintain as Open/Active Directory.

          My $0.02 AU.
          • Re: (Score:3, Insightful)

            by Klootzak ( 824076 )

            Perhaps Linux is used ALOT more than you think, you're just not aware of the installations ;)

            I know of at least 2 places which are very large and influential organizations that run ALOT of Linux and other Open-Source Systems - in one of the organizations I'm thinking of I implemented Linux in combination with MRTG, PHP and MYSQL for an application I wrote for the purposes of systems monitoring and server inventory, something I whipped up because Tivoli [ibm.com], a large, expensive "enterprise" product was proving t

            • Re: (Score:3, Insightful)

              by Cowmonaut ( 989226 )

              I'm sorry, but you didn't really counter any of his arguments. You say you are under an NDA so you can't name "two big organizations" that are using more Linux than Windows/OSX. Since you can't prove it, its useless. Hearsay. Moot.

              And not just for our little argument here either. You apparently can't point to these places for other sysadmins and say "it works there, why not where you do business?" because of your NDA. The problem with Linux is visibility in certain marketplaces. "Invisible ripples" d

              • Although it sounds a little pathetic in the wake of the GP comment I can tell you that Linux support for Tivoli was originally hacked together in the support department by Mike P., a level 2 tech. And it was done due to customer demand. Tivoli is pretty much only used on networks beginning at around 10,000 nodes because of the prohibitive cost. (It does a lot, too, but it is definitely pretty heavy. CORBA FT...W?)

            • by account_deleted ( 4530225 ) on Monday January 19, 2009 @03:13PM (#26519523)
              Comment removed based on user account deletion
          • Re:About Time... (Score:5, Insightful)

            by Kjella ( 173770 ) on Monday January 19, 2009 @06:51AM (#26514553) Homepage

            Whether you agree with it or not, Linux has a very small market share in the two places it counts: gaming and the office.

            Honestly? Gaming does not count. There was a nice market breakdown I saw not that long ago from AMD, breaking it down into laptop/desktop/server and low-end/mainstream/enthusiast and the gaming segments are honestly not that large. Replacing every Windows/MS Office with a Linux/OpenOffice solution would be 1000x greater than turning LAN parties into LUGs. Nor is it easy fruit - a game requires a lot of software infrastructure, it's got limited actuality (Linux support two years after is a big meh) and is full of bleeding edge performance optimizations. Just to take that college drop-out article we had recently - the school could have said "MS Office or OpenOffice". The DSL installation disc could have said "For Linux do steps X instead". Lots of things in that article was her fault but it's quite clear that Linux could be a lot more supported in ways that would matter a lot more to the masses that a few FPS junkies.

            • by umghhh ( 965931 )

              I work for R&D organisation of a big corporation and ever since I learned unix and about open thingy I found it strange that our company sticks to the old guns, Last year I was stunned to find out that the replacement for my sun WS could be a Linux box - I directly ordered one in hope of having at last functioning machine that is smooth in working with the rest of our unix environment and do it safely as well as allowing me to boot windows box (virtualization) if I find it necessary. There were few coll

              • Re:About Time... (Score:5, Insightful)

                by walt-sjc ( 145127 ) on Monday January 19, 2009 @09:52AM (#26515629)

                Nice anecdote, but all that says is that the IT people in your company don't have a clue. Once upon a time, IT people were just as clueless about Windows / PC's. It's sad really - people call themselves professionals and then behave like that, refusing to educate themselves (If you are not CONSTANTLY educating yourself in IT, you will very very quickly become a dinosaur.)

              • Re: (Score:3, Insightful)

                by profplump ( 309017 )
                So what you're saying is that you're 1 rescue-disk boot away from having root access, right?
            • Re:About Time... (Score:4, Insightful)

              by DrgnDancer ( 137700 ) on Monday January 19, 2009 @10:47AM (#26516309) Homepage

              But gaming is a weird animal. Many gamers (not all, maybe not even most, but many) are influential in other people's tech decisions. Whether it be the kids who his parent's assume "knows about computers" because he spends lots of time on one and can spout jargon he read on game sites, the programmer or sys admin who games as a hobby, or the "Tech Site" writers who's primary measure of performance is game FPS; lots of gamers have some level of influence on various numbers of people's technical decisions.

              On top of that, even many people who don't game take an attitude of "Well, if it'll play that game, it will certainly be able to handle my $trivaltask". Gamers may be a small part of the market, but they are a much bigger part of marketing.

          • Re:About Time... (Score:5, Insightful)

            by HangingChad ( 677530 ) on Monday January 19, 2009 @07:56AM (#26514831) Homepage

            It's "big news" here when we find a government organisation or a school going with a Linux installation...

            We're not a big office but we run on Linux. Primary application servers and most of the desktops. So far it hasn't been any big news outside and not a big deal inside. It was a quiet transition, no user upheaval. The best part is we (the IT department) don't have to spend part of our day handling the crisis/virus/trojan/black screen crisis of the moment. We actually have time to document, plan upgrades, and spend time on development instead of serving the Redmond machine. The stress level comes way down.

            You don't realize how much time you spend servicing Microsoft until you get away from them. Not just servicing the machines but the whole ecosystem. It's so complex, you need so many supporting services to keep it running right that the Windows admins I've seen are in a constant state of stress. And I think they like it, even though they tend to complain about how busy they are. Maybe it's job security. Don't know and honestly don't care.

            All I know is I can go to a partner integration meeting today knowing everything is working fine and, in the absence of hardware failure or massive internet outage, will stay working. That there won't be a stack of trouble tickets in the queue or bill for some piece of software that does...something...that we need because MS didn't include it in the base server package.

          • Re: (Score:2, Troll)

            by LingNoi ( 1066278 )

            I have no particular beef with what you are saying however I'd like to give a warning about just converting peoples machines over without doing a full investigation how that person works.

            Although you might deem marketing to be unimportant there are specific applications which marketing uses for analysis such the statistics software called SPSS.

            Also when my GF (who works in marketing) tried out Ubuntu for the week she was constantly frustrated because it ruined her work flow. For example, although the abilit

            • Re: (Score:3, Insightful)

              by Xabraxas ( 654195 )

              People have to be willing to adapt and do things differently when the switch operating systems. People seem perfectly capable of adapting to OSX. I don't think it's because its less difficult to adapt to OSX than it is to Linux but because people that do switch to OSX are willing to do it. They do it because it's "cool" or because they are artists, or for many other reasosns. They've been convinced that it is an option for them and a lot of them will make it work even if that means they have to do thing

              • by jcnnghm ( 538570 )

                People seem perfectly capable of adapting to OSX.

                That's because for the most part it's the same software with the same interfaces and functions. Having to drop to a shell and edit config files on a desktop system to make minor configuration tweaks is unacceptable.

            • Although you might deem marketing to be unimportant there are specific applications which marketing uses for analysis such the statistics software called SPSS.

              I don't think anyone here who actually HAS a job where they might be in charge of something would fail to consider the needs of the users, specifically, what software they need to run.

              If it doesn't run on Wine, then you either decide to keep them on Windows, or have them run it in a virtual machine which doesn't even need to be located on their system and which they can access via the web, for nothing more than the cost of hardware and the Windows licenses, via VMware Server.

              Also when my GF (who works in marketing) tried out Ubuntu for the week she was constantly frustrated because it ruined her work flow. For example, although the ability to add comments to a PDF may not be important to most of us that's how she reviews work. So now she couldn't do her work.

              Besides the fact that it's possi

            • Re: (Score:3, Interesting)

              by KagatoLNX ( 141673 )

              Ironically, SPSS was cloned fairly early on in the OSS wars.

              http://www.gnu.org/software/pspp/ [gnu.org]

              I've found that making employees accountable for knowing their software is a huge benefit. Before a number of OSS shifts I've administered, nobody knew what was important. The entire workflow was undocumented. In some ways, tracking down this information is quite valuable in it's own right--and you'd never get it if you couldn't make people's jobs depend on it.

              The key is to do it in responsible phases. Pick a re

        • Re: (Score:3, Insightful)

          by Skrapion ( 955066 )

          I'm sorry, I missed the part where the GP was talking about OSS.

          Look, I'm an OSS fan too, but not everything is about OSS. The fact that a good product is being released would be good news even if it wasn't OSS.

    • Re: (Score:3, Informative)

      by rmallico ( 831443 )
      headache of AD? uh.. backing up? are you serious? there are command line tools, 3rd part tools as well that handle backing up of AD as well as full forest recovery (and even restoring a single attribute for one use to ALL users in minutes... google is your friend..
    • Re: (Score:3, Insightful)

      by afidel ( 530433 )
      Um, you DO realize that you need a VSS aware backup program to get a usable backup of the domain controller, correct? Backing up the AD database files will do you zero good, and in fact if you could somehow get them to restore you would cause all sorts of problems.
  • by Darkk ( 1296127 )

    Finally an alternative to Microsoft's insane licensing model.

    It brings one step closer for those who want to move to linux or least convert some windows to linux.

  • I've got a line of outfits that can benefit from this!

    There are so many companies I know that have little to know real dependence upon AD other than the fact that it's all they're really known...

  • Release date? (Score:2, Insightful)

    by russlar ( 1122455 )
    Nice features, but when will it be released?
  • AD licensing (Score:3, Interesting)

    by ani23 ( 899493 ) on Monday January 19, 2009 @01:58AM (#26513393)
    Can someone tell me how AD is licensed? I thought it was a part of server 2003 and once you buy that there should be no additional costs right? Our Sys Admin is planning to install ad for our office (we used never had AD before) and I am trying to figure out what if any the advantages of getting AD will be.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      You are correct.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      You need a CAL for every user in the AD.

      Gets expensive. Wait for samba4

      • Re:AD licensing (Score:5, Informative)

        by Darkk ( 1296127 ) on Monday January 19, 2009 @02:27AM (#26513489)

        Exactly. You need CALs for stuff like:

        AD
        Exchange
        Terminal Server
        etc.

        It adds up pretty quickly.

        It's really a nightmare for IT Depts as they have to keep track of the CALs and ensure they have enough licenses to cover the number of users.

        • Re:AD licensing (Score:5, Informative)

          by betacha ( 1388285 ) on Monday January 19, 2009 @06:08AM (#26514369) Homepage
          I had the pleasure of formatting our Windows 2003 server this summer and completely replacing it with an Ubuntu Samba OpenLDAP Domain server using this tutorial... http://ubuntuforums.org/showthread.php?t=640760 [ubuntuforums.org] The server has been working flawlessly at our school since September! We ran out of CAL's and our school is expanding very quickly. It didn't make sense to purchase more and continue paying the micro$oft tax..
          • by Darkk ( 1296127 )

            Thanks for the link to the tutorial and glad to see the school is able to benefit from it.

            I think what made Samba daunting in the first place is lack of GUI-like tools for those been in the window shop for a long time. Now there are tools like Webmin which makes it a breeze to maintain a linux server. A seasoned linux user would modify the scripts directly but for those who have little experience with linux's inner workings the GUI helps. They should, however, learn how to modify the scripts so they have

            • Re: (Score:2, Interesting)

              by betacha ( 1388285 )
              Glad you find the link useful! There is still some playing around with scripts... I had to learn how to use vim etc... which wasn't too easy to figure out... I recommend running through the tutorial once with a virtual machine following it verbatim using the exact version of ubuntu server recommended 7.10... and using the same domain name etc... It took me a few tries to get through it successfully... Then I created my own on the real server using my own domain personalization...
          • by bbbaldie ( 935205 ) on Monday January 19, 2009 @10:25AM (#26516045) Homepage
            Hmmm...Obviously the teachings of KARL MARX figure prominently in your school's curricula... ;-)
      • Re: (Score:3, Informative)

        by El Lobo ( 994537 )
        The CAL has NOTHING to do with active directory at all. If you don't use active directory you need to buy a cal license anyway to access the server's resources.
    • Re:AD licensing (Score:5, Informative)

      by Anonymous Coward on Monday January 19, 2009 @02:34AM (#26513519)

      A careful reading of the TOS says that it is licensed via user or device CALs based on authenticated users..

      They actually have an example if you use AD as back end authentication on a web site you have to buy a CAL for ever user, or magic uber-CALs for the web server.

      Really, it is just a tax. A MS shop typically has to pay:
        - For a OEM license on windows
        - For a volume license upgrade on windows
        - For a device or user CAL for the windows machine/user
        - For a windows server license (per VM!)
        - For exchange server (and a windows server license)
        - Per user exchange CALs (yay!)
        - Office CALs for outlook

      It used to be a CAL came along with NT4 so you didn't need a separate one, but that is not the case anymore. MS said their customers wanted the simpler model of paying more for the same thing.

      Of course, CALs and VLK upgrades are locked to specific versions so you have to keep buying them again and again to keep the additional rights.

      The only happy area is that the CALs apply to all servers at once, so if you have a thousand users and a thousand servers you only need a thousand CALs.

      No software checks this, but these are the terms.

      It is really quite insane, but maximizes MS's profits.

      See http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx
      And keep in mind that MS thinks performing an authentication against AD is accessing the server.

      • Re:AD licensing (Score:5, Informative)

        by gallwapa ( 909389 ) on Monday January 19, 2009 @02:48AM (#26513583) Homepage

        No...no...no

        There are "per device" or "per user" licenses.
        If you have 5000 computers but 40,000 users, it is probably cheaper to buy device licenses...so you can do that.

        In addition, each server DOES require a server license (which is different than a CAL).

        Windows is licensed like so

        Standard edition license includes 1 phys server + 1 VM (on the same server)
        Enterprise includes 1 phys server + 4 VM (again on the same server)
        Datacenter includes unlimited server licenses of any type

        Users with enterprise agreements or software assurance don't have to repurchase - they're covered under their contract.

        • Re: (Score:2, Interesting)

          by symbolset ( 646467 )

          Windows is licensed like so....

          Yeah, that makes a lot of sense compared to the completely irrational "use all the copies you want, but if you make changes you have to share them back" model.

          Who would take a completely insane deal like "use all you want. We'll make more." rather than the more rational "pay us per seat or per user, but no changes are possible and if you overdeploy, we'll sue you." Or the even more rational "Pay us per seat and per server, annually, and you get the right to update to our latest software... if we ever do u

          • > Yeah, that makes a lot of sense compared to the completely irrational "use all the
            > copies you want, but if you make changes you have to share them back" model.

            If you use the changes only internally you have no obligation to share them.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Really, it is just a tax. A MS shop typically has to pay:
        - For a OEM license on windows
        - For a volume license upgrade on windows
        - For a device or user CAL for the windows machine/user
        - For a windows server license (per VM!)
        - For exchange server (and a windows server license)
        - Per user exchange CALs (yay!)
        - Office CALs for outlook

        In comparison, a Linux shop typically has to pay:
        - Nothing for a vol

        • Re:AD licensing (Score:5, Informative)

          by Jezza ( 39441 ) on Monday January 19, 2009 @04:58AM (#26514087)

          Well really they probably pay for "service".

          Now some think this is a total waste of money and the whole point of Linux is you don't pay for anything. While it's true you can do this, if you're multi-million wonga business is relying on your IT that may not be too smart.

          But buying "service" isn't some nasty con, you're actually getting something. Also you can shop around for it, and even switch suppliers.

          Now the "free" aspect of Linux really helps you (as a business) as all your "computer wonks" can have a copy (for free) and take it home, use it outside the office (so they learn the product inside out). It does work out cheaper than Microsoft. The product evolves quicker, but you're not forced on some insane upgrade cycle.

          You can get lots of certified hardware (which is important) and you're not alone (lots of other businesses have done the same).

          Business get very twitchy when Linux advocates talk about "free" and the reason is they want to know: "Who's accountable if this stops working". A word of advice if you're trying to get your employer to consider Linux, keep the talk about "free" to a minimum (even "cheap" has negative connotations) instead talk about:

          Lower Total Cost of Ownership
          Competition in the market for Linux Support
          No vendor lock-in
          Hardware support from all major suppliers
          Plenty of success stories

          Oh and don't forget Sun make great Linux kit (not just Solaris)

      • I was about to correct you on the Outlook CAL requirement for Exchange, but nope, your right. All versions prior to Exchange 2007 included Outlook CALs so that you had some software to connect to the server. Apparently, this isn't correct any longer unless you had Software Assurance on your Exchange server.

        Now, normally any larger client has an EA (Enterprise Agreement) and negotiates a standard per user CAL which would include whatever of the backoffice components are required (SQL server, Exchange, Host A

      • Re: (Score:3, Interesting)

        by blincoln ( 592401 )

        They actually have an example if you use AD as back end authentication on a web site you have to buy a CAL for ever user, or magic uber-CALs for the web server.

        Not only that, but it gets more complicated depending on how many MS server products you use.

        For example, if you have a SharePoint system accessible on the internet that users can log into, you need a SharePoint CAL, a SQL Server CAL, and a Windows CAL for each of the users.

        I've even read a Gartner paper that claims it's not just AD users, but users

    • by CAIMLAS ( 41445 )

      You need a CAL for either every device or every user, which would depend on what kind of environment you're in and what the machine/user ratio is.

    • by Jezza ( 39441 )

      Err, "CALs"?

      Microsoft don't just charge "per server", you also buy "CALs". All server products come with some, but that can be as few as five. That means you can't connect more than five clients to the server.

      You buy them in blocks. Seriously, if this looks like it might be a problem you might like to look at getting a MOLP which often works out "cheaper". (Some would argue that this "rental" agreement isn't cheaper than buying as you pay the "rental" forever. In reality it often is, because you don't pay f

    • by jimicus ( 737525 )

      On its own? The same login details work for each PC, if your PC is replaced you don't need to mess around with setting up local user accounts.

      You can also do quite a lot of management centrally.

      To be fair, you could do most of this with Samba 3.x as an NT-4 type domain but it's not as refined.

      AD is also a prerequisite for Exchange.

  • by plasmacutter ( 901737 ) on Monday January 19, 2009 @02:08AM (#26513421)

    My last tussle with samba was yet another try with ubuntu on this old macbook.

    Samba refused to accept proper config messages through gnome's graphical tools, I had to go in and edit the config manually, and samba did not respond properly to the config.

    Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?

    • Re: (Score:3, Informative)

      Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?

      I think SWAT was meant to be that, and it kind of sucked.

    • by Bert64 ( 520050 )

      Samba comes with SWAT, which is a web based admin tool... Not sure how good it is.

    • "Samba refused to accept proper config messages through gnome's graphical tools, I had to go in and edit the config manually .."

      Generally, GUI config tools get in the way, editing the dreaded config file is simpler and more straight forward.

      "and samba did not respond properly to the config"

      What you mean is you don't understand SAMBA enough to configure it ..
  • Jumping the Gun (Score:5, Informative)

    by TechForensics ( 944258 ) on Monday January 19, 2009 @02:09AM (#26513431) Homepage Journal

    According to TFA FOSS AD is not here yet by a long shot, in early alpha, many missing features. Summary is *terrible* in suggesting non-M$ AD is already here.

    • Re:Jumping the Gun (Score:5, Interesting)

      by Darkk ( 1296127 ) on Monday January 19, 2009 @02:21AM (#26513471)

      One thing I find it interesting in the article is that Microsoft been working with Samba developers to provide them the inner workings of AD. Hell, even Samba developers discovered a bug about random passwords in AD and told Microsoft about it.

      AD in it's present form is still closed source project so I find it interesting Microsoft team is willing to provide them some of the secrets knowing that eventually it'll take away some of their profits like they'll miss it anyway.

      So what exactly the direction is Microsoft taking?

      • Re:Jumping the Gun (Score:5, Informative)

        by b4dc0d3r ( 1268512 ) on Monday January 19, 2009 @02:35AM (#26513527)

        I'm just guessing here, but there was something about interoperability in, what was it, oh, every monopoly-related judgment they ever lost. Otherwise they wouldn't be helping.

        • by Yvanhoe ( 564877 )
          I also begin to think that management has become more and more incompetent these years at Microsoft. That means a lot of teams having rogue behaviors like this one which are aligned with what most team members want and that ignore any secret-strategic-world-domination order they could receive from higher management.
      • Re:Jumping the Gun (Score:5, Informative)

        by shutdown -p now ( 807394 ) on Monday January 19, 2009 @02:44AM (#26513563) Journal

        Ever since the EU antitrust/monopoly judgement and fines, MS has significantly increased the emphasis on open standards. It's still NIH syndrome more often than note, but at least the results are now documented, and usually come with a no-patent-enforcing pledge ("Open Specification Promise" - this covers e.g. OOXML and older Office formats, XPS, Silverlight, and so on). Also, I recall that EU specifically named SMB/CIFS & AD as something that should be opened up, and Samba as the beneficiary.

        Whether it's just a coincidence or one followed from another is up for you to judge.

  • mark my words, it'll have bugs which will result in 1000's of "RTFM n00b" or "it's ms's protocol that sucks" responses.
    • by CAIMLAS ( 41445 )

      and why would it have those problems? Samba has been very stale for quite a while, v3 took a long time to get here, and they seem to be spending quite a lot of time this time around for version 4 to assure it works right.

      • by jimicus ( 737525 )

        and why would it have those problems? Samba has been very stale for quite a while, v3 took a long time to get here, and they seem to be spending quite a lot of time this time around for version 4 to assure it works right.

        Yes, and the differences between NT4 and Active Directory are so huge that large chunks of Samba have had to be rewritten.

        It's fantastic to see the project hasn't died but it's taken oh-so-long to get from 3.x to 4 alpha that I'm not holding my breath for 4 stable.

    • mark my words, it'll have bugs

      It's an alpha release you goddamn fool - if you'd bothered to read the article rather than rushing to try & get first post you'd know that.

    • Re: (Score:3, Interesting)

      mark my words, it'll have bugs which will result in 1000's of "RTFM n00b" or "it's ms's protocol that sucks" responses.

      Just as Slashdot is full of trolls and OT comments help forums often have people posting unhelpful comments. Just ignore them. Life is too short for arguing with idiots.

      I find the Samba help forums are generally excellent if you take the time to ask a sensible question instead of just posting the first problem that comes up. Often the task of formulating a sensible question solves a problem without actually having to ask on the forums at all. I also generally find my query has already been answered in the f

  • by Doug52392 ( 1094585 ) on Monday January 19, 2009 @02:28AM (#26513493)

    "A new year... A new hope?" "Let us know your predictions for 2009".

    And, right on par with my hope of seeing Half-Life 2 Episode 3 in "early 2009", my hope of seeing a fully working, easy to set up and maintain, "it just works" Active Directory server for Linux this year has diminished due to the fact that this same exact story was posted here over 3 years ago. (or on Digg)

  • Security (Score:3, Insightful)

    by RiotingPacifist ( 1228016 ) on Monday January 19, 2009 @03:35AM (#26513793)

    While i appreciate that this will be very usefull, I'd rather they worked on not requiring samba to run as root (or at least not the networked part) as it seams to be the victim of an increasing number of attacks because of this. Perhaps SELINUX and apparmour have me protected but seeing a network demon running as root always seams like a dumb idea to me.

    • Re: (Score:3, Interesting)

      by Bert64 ( 520050 )

      The windows counterpart to samba also runs as SYSTEM...
      Not sure if samba needs root for anything other than binding to the ports it uses and accessing files as specific users... I wonder how hard it would be to make it run as a normal user, losing filesystem permissions in the process ofcourse.

      • Doesn't samba already spawn a separate smbd process for each server connection? If so it seems like it ought to be deliriously easy any time the users are actually available on the machine itself. Which ought to be easy enough since you're using LDAP... :)

      • by rs232 ( 849320 )
        "Not sure if samba needs root for anything other than binding to the ports it uses and accessing files as specific users"

        Yea, I think he needs to RTFM [comptechdoc.org]
    • Samba and root (Score:3, Informative)

      by DragonHawk ( 21256 )

      Samba runs as root for a few different reasons that I know of:
      1. bind to privileged ports (1024)
      2. set{e,r}{u,g}id for the user being authenticated
      3. RPC-based system administration

      If it was just the first, I bet it could prolly drop root soon after startup. If it was just the first and the second, it might be able to drop root after authenticating, since each connection gets its own process. Samba may already do some of this, for all I know. Alternatively, implementing this may be difficult for architec

  • Well everybody here says "Linux" but let me point out that Apples Xserve uses Samba as well.

    So there will be even more interesting alternatives ahead.

    Martin

  • Not very realistic (Score:3, Informative)

    by Krokant ( 956646 ) on Monday January 19, 2009 @05:55AM (#26514321)
    It is not very comforting to read the following statement:

    "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."

    "Something to do with...". This is in every AD 101 book (machine accounts, password renewal, ... thing). I would at least expect that the Samba developers have experience in installing, running and maintaining a "realistic" Active Directory environment (read: more than 1000 client machines) before delving into the real messy details. I am not sure I even want to know how they are going to handle disaster recovery (one of the fun parts of AD, rest assured).

    Honestly, I cannot imagine why anyone would want to run a FOSS equivalent Active Directory. After having spent months in setting up a full mixed Windows/Linux environment (OpenLDAP, Kerberos, Samba, the works), I can say that setting up AD is a breeze: for me, it is a prime example where Microsoft took existing technologies (LDAP, DNS, Kerberos) and actually turned it into something useful without the typically associated configuration nightmares. And it works very stable indeed.

    And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.
    • by jonwil ( 467024 ) on Monday January 19, 2009 @07:05AM (#26514609)

      Clearly you havent priced the full costs of a full set of servers (and addons) for Exchange. AD etc. Not to mention all the client licenses you need (CALs or whatever they are).

      I am sure there are quite a lot of people who would LOVE to be able to replace a windows server machine with a linux machine running Samba + OpenChange + whatever else

      • by spazimodo ( 97579 ) on Monday January 19, 2009 @09:34AM (#26515399)

        The costs for AD/Exchange, etc. pale in comparison to the administrative salary costs associated with supporting an IT infrastructure and the lost productivity costs of down time.

        I've found Samba in a Domain environment to be kind of flaky, and while it's useful for accessing the file system on a Linux server (though I prefer scp) there's no way I would look at replacing any Windows file server that had an SLA with a Samba server. The licensing costs for a Windows server (especially virtualized) are negligible.

        On the other hand, there's still no great solution for something similar to AD on Linux. NIS+ is old and sucks. Going through the whole LDAP rigmarole only gets you part of the way and requires a hell of a lot of upkeep depending on the server. Winbind against AD isn't bad though again it's flaky and requires way too much work to setup. I supposed there's the tried and true method of rsync-ing passwd, group and shadow files around.

        The combo of AD and Group Policy is pretty killer, It would be really nice to see something similar for Linux, or at the very least improved AD integration would be awesome.

    • by rs232 ( 849320 )
      It is not very comforting to read the following statement:

      "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."


      It goes on to say:

      We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the
    • by DaMattster ( 977781 ) on Monday January 19, 2009 @11:09AM (#26516583)
      "My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."

      Samba 4 is not really production ready yet. That is why it is labeled as an alpha version. Those using it in production, do so at their own risk. That said, I use it in a home network and it does run beautifully. However, I would be leery of using it in a business environment just yet.

      Something to do with...". This is in every AD 101 book (machine accounts, password renewal, ... thing). I would at least expect that the Samba developers have experience in installing, running and maintaining a "realistic" Active Directory environment (read: more than 1000 client machines) before delving into the real messy details. I am not sure I even want to know how they are going to handle disaster recovery (one of the fun parts of AD, rest assured).

      Disaster recovery will be far easier on a Samba 4 DC because access to AD itself will be far less obscured and convuluded. A simple raw LDAP call could restore the entire database at the linux command line. I have seen countless problems restoring AD after a DC failure. I created a mock scenario with a Samba 4 DC wherein the entire database was wiped. I simply used Samba's own LDB toolset and had it up and running again in seconds.

      And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.

      You're missing the point. It isn't about cost at all. The point of having an open source replacement for AD is to make it easier for software developers to take advantage of the largely undocumented protocols. This is designed to facilitate interoperability. Even Microsoft, from the light of the anti-trust lawsuit it lost, extended an olive branch to the Samba team to assist in providing documentation. Plus, the work that Samba does stands to benefit Microsoft as well because they might be able to see where the Samba team has had some really good ideas and legally incorporate them into mainstream AD. And, before you express such confidence, I would try using Samba 4 myself. Some parts of the code are very mature and work well.

  • by rs232 ( 849320 ) on Monday January 19, 2009 @09:21AM (#26515277)
    I like Samba 4 except it doesn't have $RANDOM feature :)

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...