Active Directory Comes To Linux With Samba 4 276
Da Massive writes in with another possible answer to a recent Ask Slashdot about FOSS replacements for Microsoft AD server. "Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."
About Time... (Score:2, Insightful)
Re:About Time... (Score:5, Informative)
Actually - the AD support in Samba is a bit of old news, since that has been promoted before.
But it's still good news, especially since lately the configuration of Microsoft's softwares and platforms has started to get incredibly complex and very hard to penetrate - as well as configure in a secure way.
Re: (Score:2, Insightful)
But it's still good news,
Why is it good news? Is the Open-Source community embracing the concept "If you can't beat 'em join 'em?".
Pish-Posh, Linux can have, and has its own "Directory" functionality, and the members of the OS community are more than capable of implementing their own standards.
My opinion of this is that it's good for cross-compatibility, but not so much that it advances the concept that OSS products can compete in their own right.
I will be more impressed when Microsoft adds standards compatibility for integration
Re:About Time... (Score:5, Insightful)
Oh and Linux has its own Directory functionality, it's OpenLDAP. It's just not necessarily as easy to maintain as Open/Active Directory.
My $0.02 AU.
Re: (Score:3, Insightful)
Perhaps Linux is used ALOT more than you think, you're just not aware of the installations ;)
I know of at least 2 places which are very large and influential organizations that run ALOT of Linux and other Open-Source Systems - in one of the organizations I'm thinking of I implemented Linux in combination with MRTG, PHP and MYSQL for an application I wrote for the purposes of systems monitoring and server inventory, something I whipped up because Tivoli [ibm.com], a large, expensive "enterprise" product was proving t
Re: (Score:3, Insightful)
I'm sorry, but you didn't really counter any of his arguments. You say you are under an NDA so you can't name "two big organizations" that are using more Linux than Windows/OSX. Since you can't prove it, its useless. Hearsay. Moot.
And not just for our little argument here either. You apparently can't point to these places for other sysadmins and say "it works there, why not where you do business?" because of your NDA. The problem with Linux is visibility in certain marketplaces. "Invisible ripples" d
Re: (Score:2)
Although it sounds a little pathetic in the wake of the GP comment I can tell you that Linux support for Tivoli was originally hacked together in the support department by Mike P., a level 2 tech. And it was done due to customer demand. Tivoli is pretty much only used on networks beginning at around 10,000 nodes because of the prohibitive cost. (It does a lot, too, but it is definitely pretty heavy. CORBA FT...W?)
Re: (Score:3, Interesting)
Comment removed (Score:5, Funny)
Re:About Time... (Score:5, Insightful)
Whether you agree with it or not, Linux has a very small market share in the two places it counts: gaming and the office.
Honestly? Gaming does not count. There was a nice market breakdown I saw not that long ago from AMD, breaking it down into laptop/desktop/server and low-end/mainstream/enthusiast and the gaming segments are honestly not that large. Replacing every Windows/MS Office with a Linux/OpenOffice solution would be 1000x greater than turning LAN parties into LUGs. Nor is it easy fruit - a game requires a lot of software infrastructure, it's got limited actuality (Linux support two years after is a big meh) and is full of bleeding edge performance optimizations. Just to take that college drop-out article we had recently - the school could have said "MS Office or OpenOffice". The DSL installation disc could have said "For Linux do steps X instead". Lots of things in that article was her fault but it's quite clear that Linux could be a lot more supported in ways that would matter a lot more to the masses that a few FPS junkies.
Re: (Score:2)
I work for R&D organisation of a big corporation and ever since I learned unix and about open thingy I found it strange that our company sticks to the old guns, Last year I was stunned to find out that the replacement for my sun WS could be a Linux box - I directly ordered one in hope of having at last functioning machine that is smooth in working with the rest of our unix environment and do it safely as well as allowing me to boot windows box (virtualization) if I find it necessary. There were few coll
Re:About Time... (Score:5, Insightful)
Nice anecdote, but all that says is that the IT people in your company don't have a clue. Once upon a time, IT people were just as clueless about Windows / PC's. It's sad really - people call themselves professionals and then behave like that, refusing to educate themselves (If you are not CONSTANTLY educating yourself in IT, you will very very quickly become a dinosaur.)
Re: (Score:3, Insightful)
Re:About Time... (Score:4, Insightful)
But gaming is a weird animal. Many gamers (not all, maybe not even most, but many) are influential in other people's tech decisions. Whether it be the kids who his parent's assume "knows about computers" because he spends lots of time on one and can spout jargon he read on game sites, the programmer or sys admin who games as a hobby, or the "Tech Site" writers who's primary measure of performance is game FPS; lots of gamers have some level of influence on various numbers of people's technical decisions.
On top of that, even many people who don't game take an attitude of "Well, if it'll play that game, it will certainly be able to handle my $trivaltask". Gamers may be a small part of the market, but they are a much bigger part of marketing.
Re:About Time... (Score:5, Insightful)
It's "big news" here when we find a government organisation or a school going with a Linux installation...
We're not a big office but we run on Linux. Primary application servers and most of the desktops. So far it hasn't been any big news outside and not a big deal inside. It was a quiet transition, no user upheaval. The best part is we (the IT department) don't have to spend part of our day handling the crisis/virus/trojan/black screen crisis of the moment. We actually have time to document, plan upgrades, and spend time on development instead of serving the Redmond machine. The stress level comes way down.
You don't realize how much time you spend servicing Microsoft until you get away from them. Not just servicing the machines but the whole ecosystem. It's so complex, you need so many supporting services to keep it running right that the Windows admins I've seen are in a constant state of stress. And I think they like it, even though they tend to complain about how busy they are. Maybe it's job security. Don't know and honestly don't care.
All I know is I can go to a partner integration meeting today knowing everything is working fine and, in the absence of hardware failure or massive internet outage, will stay working. That there won't be a stack of trouble tickets in the queue or bill for some piece of software that does...something...that we need because MS didn't include it in the base server package.
Re: (Score:2, Troll)
I have no particular beef with what you are saying however I'd like to give a warning about just converting peoples machines over without doing a full investigation how that person works.
Although you might deem marketing to be unimportant there are specific applications which marketing uses for analysis such the statistics software called SPSS.
Also when my GF (who works in marketing) tried out Ubuntu for the week she was constantly frustrated because it ruined her work flow. For example, although the abilit
Re: (Score:3, Insightful)
People have to be willing to adapt and do things differently when the switch operating systems. People seem perfectly capable of adapting to OSX. I don't think it's because its less difficult to adapt to OSX than it is to Linux but because people that do switch to OSX are willing to do it. They do it because it's "cool" or because they are artists, or for many other reasosns. They've been convinced that it is an option for them and a lot of them will make it work even if that means they have to do thing
Re: (Score:2)
People seem perfectly capable of adapting to OSX.
That's because for the most part it's the same software with the same interfaces and functions. Having to drop to a shell and edit config files on a desktop system to make minor configuration tweaks is unacceptable.
Re: (Score:2)
I don't have to edit the registry to get more than one monitor to work with Compiz Fusion.
Re: (Score:2)
Although you might deem marketing to be unimportant there are specific applications which marketing uses for analysis such the statistics software called SPSS.
I don't think anyone here who actually HAS a job where they might be in charge of something would fail to consider the needs of the users, specifically, what software they need to run.
If it doesn't run on Wine, then you either decide to keep them on Windows, or have them run it in a virtual machine which doesn't even need to be located on their system and which they can access via the web, for nothing more than the cost of hardware and the Windows licenses, via VMware Server.
Also when my GF (who works in marketing) tried out Ubuntu for the week she was constantly frustrated because it ruined her work flow. For example, although the ability to add comments to a PDF may not be important to most of us that's how she reviews work. So now she couldn't do her work.
Besides the fact that it's possi
Re: (Score:3, Interesting)
Ironically, SPSS was cloned fairly early on in the OSS wars.
http://www.gnu.org/software/pspp/ [gnu.org]
I've found that making employees accountable for knowing their software is a huge benefit. Before a number of OSS shifts I've administered, nobody knew what was important. The entire workflow was undocumented. In some ways, tracking down this information is quite valuable in it's own right--and you'd never get it if you couldn't make people's jobs depend on it.
The key is to do it in responsible phases. Pick a re
Re: (Score:3, Insightful)
I'm sorry, I missed the part where the GP was talking about OSS.
Look, I'm an OSS fan too, but not everything is about OSS. The fact that a good product is being released would be good news even if it wasn't OSS.
Re: (Score:2)
Apologies for the AC post. (Score:3, Insightful)
Easy. You're "Anonymous Coward". You're anyone and no one.
Well, even posting under my Slashdot "handle" I could be everyone and no-one too ;)
A novice administrator would know this. I think you've been talking to the average joeish end users.
No, the person I had to correct that issue for considered himself an "experienced" Linux Administrator (and Zealot - "Linux should be used for EVERYTHING"), having worked with various distros for 3 or 4 years. He was also employed by the Victorian Department of Education [vic.gov.au] at the time - the problem he was having was at a client he was moonlighting for. I was the poor Bastard who had to drive on-site when he eventually called me
Re: (Score:2, Troll)
I didn't ask that... (Score:2)
I didn't ask if Samba had AD support... I asked why the PP thought this was a "Good Thing"... Because an Open-Source product was integrating itself with a Non-Standard one that Microsoft produces?
Not that I mind really, I just think it's not that great of a leap ahead for Open Source Software, just more Integration with Commercial Closed-Source software that already exists.
Do you understand that a "Directory" [wikipedia.org] and SMB [wikipedia.org] are two different things?
Re: (Score:3, Informative)
Re: (Score:2)
Not only that, but Sambo (using the word that is actually spelled like the slur) is also legitimately the name of a Russian martial art originally developed for the Red Army [wikipedia.org].
Re:About Time... (Score:5, Informative)
It is every bit as racist as niggardly is; as in "Microsoft behaves niggardly with its protocols while at the same time preaches interoperability."
That legitimate words "sound kinda like" racist slurs does not mean the common words are racist. On the other hand, we have just been trolled.
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
I'm guessing he doesn't want to pay for it.
Re: (Score:3, Insightful)
Re: (Score:2, Informative)
A few documentation links:
Also, you do know that ntbackup.exe is "a VSS aware backup progr
Finally..an alternative (Score:2, Interesting)
Finally an alternative to Microsoft's insane licensing model.
It brings one step closer for those who want to move to linux or least convert some windows to linux.
Re:Finally..an alternative (Score:5, Funny)
What's wrong with Micosoft's licensing model? You pay either per server or per seat. If you license some servers per server, and some per seat their monitoring software tells you how often you need to "true up", and if their software fails to do its math correctly they get to sue you and seize all your computers [cnet.com]. That makes a lot more sense than Linux or BSD's licensing model where no matter how many clients or servers you have you don't have to pay. That's just anarchy.
Re: (Score:2)
All joking aside, you ever looked at software auditing packages?
With few exceptions, most of them have substantially more obnoxious licenses than the software you'd be wanting to audit in the first place.
Re: (Score:2, Informative)
Re:Finally..an alternative (Score:5, Funny)
Re: (Score:2, Insightful)
Just waiting the release... (Score:2, Interesting)
I've got a line of outfits that can benefit from this!
There are so many companies I know that have little to know real dependence upon AD other than the fact that it's all they're really known...
Release date? (Score:2, Insightful)
AD licensing (Score:3, Interesting)
Re: (Score:2, Funny)
You are correct.
Re: (Score:2, Informative)
You need a CAL for every user in the AD.
Gets expensive. Wait for samba4
Re:AD licensing (Score:5, Informative)
Exactly. You need CALs for stuff like:
AD
Exchange
Terminal Server
etc.
It adds up pretty quickly.
It's really a nightmare for IT Depts as they have to keep track of the CALs and ensure they have enough licenses to cover the number of users.
Re:AD licensing (Score:5, Informative)
Re: (Score:2)
Thanks for the link to the tutorial and glad to see the school is able to benefit from it.
I think what made Samba daunting in the first place is lack of GUI-like tools for those been in the window shop for a long time. Now there are tools like Webmin which makes it a breeze to maintain a linux server. A seasoned linux user would modify the scripts directly but for those who have little experience with linux's inner workings the GUI helps. They should, however, learn how to modify the scripts so they have
Re: (Score:2, Interesting)
Re:AD licensing (Score:4, Funny)
Re: (Score:3, Informative)
Re:AD licensing (Score:5, Informative)
A careful reading of the TOS says that it is licensed via user or device CALs based on authenticated users..
They actually have an example if you use AD as back end authentication on a web site you have to buy a CAL for ever user, or magic uber-CALs for the web server.
Really, it is just a tax. A MS shop typically has to pay:
- For a OEM license on windows
- For a volume license upgrade on windows
- For a device or user CAL for the windows machine/user
- For a windows server license (per VM!)
- For exchange server (and a windows server license)
- Per user exchange CALs (yay!)
- Office CALs for outlook
It used to be a CAL came along with NT4 so you didn't need a separate one, but that is not the case anymore. MS said their customers wanted the simpler model of paying more for the same thing.
Of course, CALs and VLK upgrades are locked to specific versions so you have to keep buying them again and again to keep the additional rights.
The only happy area is that the CALs apply to all servers at once, so if you have a thousand users and a thousand servers you only need a thousand CALs.
No software checks this, but these are the terms.
It is really quite insane, but maximizes MS's profits.
See http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx
And keep in mind that MS thinks performing an authentication against AD is accessing the server.
Re:AD licensing (Score:5, Informative)
No...no...no
There are "per device" or "per user" licenses.
If you have 5000 computers but 40,000 users, it is probably cheaper to buy device licenses...so you can do that.
In addition, each server DOES require a server license (which is different than a CAL).
Windows is licensed like so
Standard edition license includes 1 phys server + 1 VM (on the same server)
Enterprise includes 1 phys server + 4 VM (again on the same server)
Datacenter includes unlimited server licenses of any type
Users with enterprise agreements or software assurance don't have to repurchase - they're covered under their contract.
Re: (Score:2, Interesting)
Windows is licensed like so....
Yeah, that makes a lot of sense compared to the completely irrational "use all the copies you want, but if you make changes you have to share them back" model.
Who would take a completely insane deal like "use all you want. We'll make more." rather than the more rational "pay us per seat or per user, but no changes are possible and if you overdeploy, we'll sue you." Or the even more rational "Pay us per seat and per server, annually, and you get the right to update to our latest software... if we ever do u
Re: (Score:2)
> Yeah, that makes a lot of sense compared to the completely irrational "use all the
> copies you want, but if you make changes you have to share them back" model.
If you use the changes only internally you have no obligation to share them.
Re:AD licensing (Score:4, Informative)
SCO is dead. They'll convert to liquidation any day now. At least one would hope so. Nobody knows how long that zombie has to shamble.
there's no such thing as no lawsuit exposure.
That [arstechnica.com] is [bbc.co.uk] true [eolas.com] enough [cnet.com] but to accept that as a premise is to refuse to do business. There is some middle ground where businesses can still operate in where the risk is acceptible. Limiting your exposure by avoiding licensing agreements that include the right to sue you if you overdeploy seems wise, and licensing agreements that include the right to audit you more so. Especially when there are options available that include terms like "use all you want for free".
(i'd like to see documented example of it)
Meet Ernie Ball [slashdot.org]. But wait... that wasn't Microsoft... that was their representatives, the Business Software Alliance! Same same. Evil by proxy is still evil.
Re:AD licensing (Score:5, Insightful)
Look, you seem like the average unbiased poster so I'm going to give you a few tips even though I'm going to be modded off topic.
If you're going to defend Microsoft or one of their products on /., you need to observe a few simple rules:
Don't ask for proof of Microsoft malfeasance. You'll just get proof, and that doesn't serve your goal. Read the series of Halloween documents [wikipedia.org] for an introduction to how much we know. It's scary.
Don't ask questions you don't know the answer to. That's good guidance for lawyers, too. You'll get answers you don't want.
Don't ask about someone else's experience. Their experience isn't going to help your cause, and you'll get replies from the least helpful people.
Do brag features, but do it with some understanding of the features. Don't just list the marketing babble. Don't brag more than three features at a time because it's then obvious you're typing them from a list. Do brag features that seem important to the parent poster.
If you must employ "anecdotes are not proof" be prepared for a swarm of people who confirm the anecdote. Nearly a billion people use MS software. Given enough experience, every failure mode is common. Every anecdote is common here and you would be surprised how selection bias draws people with shared anecdotes to slashdot just in time to skew the replies.
If it's allowed in your contract, do be specific: What platform worked well on Vista, how much RAM did you have? What video card? If you must avoid vendor bias, split the vendors by market share and let the astroturfers brag up proportionate systems - if they work. And if they don't work, leave it alone.
Slashdot has a grand bullshit detector, so don't lie. If you lie, the lie is not just going to be modded down - the responses to the lie are going to be modded up and be the only thing that people see, so the lie does more damage than silence would.
There are more rules, but this should help quite a bit for now.
Re: (Score:3, Funny)
Probably somebody who knows how to spell "sheriff [reference.com]".
Re: (Score:3, Funny)
In comparison, a Linux shop typically has to pay:
- Nothing for a vol
Re:AD licensing (Score:5, Informative)
Well really they probably pay for "service".
Now some think this is a total waste of money and the whole point of Linux is you don't pay for anything. While it's true you can do this, if you're multi-million wonga business is relying on your IT that may not be too smart.
But buying "service" isn't some nasty con, you're actually getting something. Also you can shop around for it, and even switch suppliers.
Now the "free" aspect of Linux really helps you (as a business) as all your "computer wonks" can have a copy (for free) and take it home, use it outside the office (so they learn the product inside out). It does work out cheaper than Microsoft. The product evolves quicker, but you're not forced on some insane upgrade cycle.
You can get lots of certified hardware (which is important) and you're not alone (lots of other businesses have done the same).
Business get very twitchy when Linux advocates talk about "free" and the reason is they want to know: "Who's accountable if this stops working". A word of advice if you're trying to get your employer to consider Linux, keep the talk about "free" to a minimum (even "cheap" has negative connotations) instead talk about:
Lower Total Cost of Ownership
Competition in the market for Linux Support
No vendor lock-in
Hardware support from all major suppliers
Plenty of success stories
Oh and don't forget Sun make great Linux kit (not just Solaris)
Re: (Score:3, Insightful)
Microsoft isn't accountable for windows doing anything. Red Hat, by the other way, will work at your place to solve every little problem that your unique configuration causes. But your CEO doesn't know that, he thinks that it is MS that solves all Windows' problems, and that those guys that run around every time your computers have problems are just making some cooper. So, don't expect him to understand. To make things worse, every time you try to point that MS support never did something useful for your co
Re: (Score:2)
I was about to correct you on the Outlook CAL requirement for Exchange, but nope, your right. All versions prior to Exchange 2007 included Outlook CALs so that you had some software to connect to the server. Apparently, this isn't correct any longer unless you had Software Assurance on your Exchange server.
Now, normally any larger client has an EA (Enterprise Agreement) and negotiates a standard per user CAL which would include whatever of the backoffice components are required (SQL server, Exchange, Host A
Re: (Score:3, Interesting)
They actually have an example if you use AD as back end authentication on a web site you have to buy a CAL for ever user, or magic uber-CALs for the web server.
Not only that, but it gets more complicated depending on how many MS server products you use.
For example, if you have a SharePoint system accessible on the internet that users can log into, you need a SharePoint CAL, a SQL Server CAL, and a Windows CAL for each of the users.
I've even read a Gartner paper that claims it's not just AD users, but users
Re: (Score:2)
You need a CAL for either every device or every user, which would depend on what kind of environment you're in and what the machine/user ratio is.
Re: (Score:2)
Err, "CALs"?
Microsoft don't just charge "per server", you also buy "CALs". All server products come with some, but that can be as few as five. That means you can't connect more than five clients to the server.
You buy them in blocks. Seriously, if this looks like it might be a problem you might like to look at getting a MOLP which often works out "cheaper". (Some would argue that this "rental" agreement isn't cheaper than buying as you pay the "rental" forever. In reality it often is, because you don't pay f
Re: (Score:2)
On its own? The same login details work for each PC, if your PC is replaced you don't need to mess around with setting up local user accounts.
You can also do quite a lot of management centrally.
To be fair, you could do most of this with Samba 3.x as an NT-4 type domain but it's not as refined.
AD is also a prerequisite for Exchange.
This is good for industry, what about end user? (Score:3, Interesting)
My last tussle with samba was yet another try with ubuntu on this old macbook.
Samba refused to accept proper config messages through gnome's graphical tools, I had to go in and edit the config manually, and samba did not respond properly to the config.
Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?
Re: (Score:3, Informative)
Why not just create a front end for samba and distribute it with the server and client software rather than depend on distributors?
I think SWAT was meant to be that, and it kind of sucked.
Re: (Score:2)
Samba comes with SWAT, which is a web based admin tool... Not sure how good it is.
samba did not respond properly to the config .. (Score:2)
Generally, GUI config tools get in the way, editing the dreaded config file is simpler and more straight forward.
"and samba did not respond properly to the config"
What you mean is you don't understand SAMBA enough to configure it
Jumping the Gun (Score:5, Informative)
According to TFA FOSS AD is not here yet by a long shot, in early alpha, many missing features. Summary is *terrible* in suggesting non-M$ AD is already here.
Re:Jumping the Gun (Score:5, Interesting)
One thing I find it interesting in the article is that Microsoft been working with Samba developers to provide them the inner workings of AD. Hell, even Samba developers discovered a bug about random passwords in AD and told Microsoft about it.
AD in it's present form is still closed source project so I find it interesting Microsoft team is willing to provide them some of the secrets knowing that eventually it'll take away some of their profits like they'll miss it anyway.
So what exactly the direction is Microsoft taking?
Re:Jumping the Gun (Score:5, Informative)
I'm just guessing here, but there was something about interoperability in, what was it, oh, every monopoly-related judgment they ever lost. Otherwise they wouldn't be helping.
Re: (Score:2)
Re:Jumping the Gun (Score:5, Informative)
Ever since the EU antitrust/monopoly judgement and fines, MS has significantly increased the emphasis on open standards. It's still NIH syndrome more often than note, but at least the results are now documented, and usually come with a no-patent-enforcing pledge ("Open Specification Promise" - this covers e.g. OOXML and older Office formats, XPS, Silverlight, and so on). Also, I recall that EU specifically named SMB/CIFS & AD as something that should be opened up, and Samba as the beneficiary.
Whether it's just a coincidence or one followed from another is up for you to judge.
just 4 more years and it'll be stable. (Score:2, Flamebait)
Re: (Score:2)
and why would it have those problems? Samba has been very stale for quite a while, v3 took a long time to get here, and they seem to be spending quite a lot of time this time around for version 4 to assure it works right.
Re: (Score:2)
and why would it have those problems? Samba has been very stale for quite a while, v3 took a long time to get here, and they seem to be spending quite a lot of time this time around for version 4 to assure it works right.
Yes, and the differences between NT4 and Active Directory are so huge that large chunks of Samba have had to be rewritten.
It's fantastic to see the project hasn't died but it's taken oh-so-long to get from 3.x to 4 alpha that I'm not holding my breath for 4 stable.
Re: (Score:2)
mark my words, it'll have bugs
It's an alpha release you goddamn fool - if you'd bothered to read the article rather than rushing to try & get first post you'd know that.
Re: (Score:3, Interesting)
mark my words, it'll have bugs which will result in 1000's of "RTFM n00b" or "it's ms's protocol that sucks" responses.
Just as Slashdot is full of trolls and OT comments help forums often have people posting unhelpful comments. Just ignore them. Life is too short for arguing with idiots.
I find the Samba help forums are generally excellent if you take the time to ask a sensible question instead of just posting the first problem that comes up. Often the task of formulating a sensible question solves a problem without actually having to ask on the forums at all. I also generally find my query has already been answered in the f
Wow... /.'s contextual ad for this page is fitting (Score:4, Interesting)
"A new year... A new hope?" "Let us know your predictions for 2009".
And, right on par with my hope of seeing Half-Life 2 Episode 3 in "early 2009", my hope of seeing a fully working, easy to set up and maintain, "it just works" Active Directory server for Linux this year has diminished due to the fact that this same exact story was posted here over 3 years ago. (or on Digg)
Security (Score:3, Insightful)
While i appreciate that this will be very usefull, I'd rather they worked on not requiring samba to run as root (or at least not the networked part) as it seams to be the victim of an increasing number of attacks because of this. Perhaps SELINUX and apparmour have me protected but seeing a network demon running as root always seams like a dumb idea to me.
Re: (Score:3, Interesting)
The windows counterpart to samba also runs as SYSTEM...
Not sure if samba needs root for anything other than binding to the ports it uses and accessing files as specific users... I wonder how hard it would be to make it run as a normal user, losing filesystem permissions in the process ofcourse.
Re: (Score:2)
Doesn't samba already spawn a separate smbd process for each server connection? If so it seems like it ought to be deliriously easy any time the users are actually available on the machine itself. Which ought to be easy enough since you're using LDAP... :)
Re: (Score:2)
Yea, I think he needs to RTFM [comptechdoc.org]
Samba and root (Score:3, Informative)
Samba runs as root for a few different reasons that I know of:
1. bind to privileged ports (1024)
2. set{e,r}{u,g}id for the user being authenticated
3. RPC-based system administration
If it was just the first, I bet it could prolly drop root soon after startup. If it was just the first and the second, it might be able to drop root after authenticating, since each connection gets its own process. Samba may already do some of this, for all I know. Alternatively, implementing this may be difficult for architec
XServe (Score:2)
Well everybody here says "Linux" but let me point out that Apples Xserve uses Samba as well.
So there will be even more interesting alternatives ahead.
Martin
Re: (Score:3, Informative)
Not very realistic (Score:3, Informative)
"My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."
"Something to do with...". This is in every AD 101 book (machine accounts, password renewal,
Honestly, I cannot imagine why anyone would want to run a FOSS equivalent Active Directory. After having spent months in setting up a full mixed Windows/Linux environment (OpenLDAP, Kerberos, Samba, the works), I can say that setting up AD is a breeze: for me, it is a prime example where Microsoft took existing technologies (LDAP, DNS, Kerberos) and actually turned it into something useful without the typically associated configuration nightmares. And it works very stable indeed.
And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.
Re:Not very realistic (Score:5, Insightful)
Clearly you havent priced the full costs of a full set of servers (and addons) for Exchange. AD etc. Not to mention all the client licenses you need (CALs or whatever they are).
I am sure there are quite a lot of people who would LOVE to be able to replace a windows server machine with a linux machine running Samba + OpenChange + whatever else
Re:Not very realistic (Score:4, Insightful)
The costs for AD/Exchange, etc. pale in comparison to the administrative salary costs associated with supporting an IT infrastructure and the lost productivity costs of down time.
I've found Samba in a Domain environment to be kind of flaky, and while it's useful for accessing the file system on a Linux server (though I prefer scp) there's no way I would look at replacing any Windows file server that had an SLA with a Samba server. The licensing costs for a Windows server (especially virtualized) are negligible.
On the other hand, there's still no great solution for something similar to AD on Linux. NIS+ is old and sucks. Going through the whole LDAP rigmarole only gets you part of the way and requires a hell of a lot of upkeep depending on the server. Winbind against AD isn't bad though again it's flaky and requires way too much work to setup. I supposed there's the tried and true method of rsync-ing passwd, group and shadow files around.
The combo of AD and Group Policy is pretty killer, It would be really nice to see something similar for Linux, or at the very least improved AD integration would be awesome.
it goes on to say .. (Score:3, Insightful)
"My Russian connection has had Samba 4 running in production since last June and has discovered a few missing features. They also discovered that machines would stop working after 28 days which was something to do with password expiry."
It goes on to say:
We spent a week at Microsoft and discovered Windows would use a call with a string and fill it with random crap. Samba just sent a password of zero to the string and this is probably not the
Re: (Score:2, Insightful)
For more information (just some google hits):
http://blogs.technet.com/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx [technet.com]
http://technet.microsoft.com/en-us/library/cc785826.aspx [microsoft.com]
Re:Not very realistic (Score:4, Interesting)
Samba 4 is not really production ready yet. That is why it is labeled as an alpha version. Those using it in production, do so at their own risk. That said, I use it in a home network and it does run beautifully. However, I would be leery of using it in a business environment just yet.
Something to do with...". This is in every AD 101 book (machine accounts, password renewal, ... thing). I would at least expect that the Samba developers have experience in installing, running and maintaining a "realistic" Active Directory environment (read: more than 1000 client machines) before delving into the real messy details. I am not sure I even want to know how they are going to handle disaster recovery (one of the fun parts of AD, rest assured).
Disaster recovery will be far easier on a Samba 4 DC because access to AD itself will be far less obscured and convuluded. A simple raw LDAP call could restore the entire database at the linux command line. I have seen countless problems restoring AD after a DC failure. I created a mock scenario with a Samba 4 DC wherein the entire database was wiped. I simply used Samba's own LDB toolset and had it up and running again in seconds.
And please, cost is not a reason for not going with Active Directory. The cost of a single Windows Server license is absolutely peanuts compared to what *you* cost your employer. The operational costs are what matter in long term and I am pretty confident that Microsoft's AD will do much better than that for the years to come.
You're missing the point. It isn't about cost at all. The point of having an open source replacement for AD is to make it easier for software developers to take advantage of the largely undocumented protocols. This is designed to facilitate interoperability. Even Microsoft, from the light of the anti-trust lawsuit it lost, extended an olive branch to the Samba team to assist in providing documentation. Plus, the work that Samba does stands to benefit Microsoft as well because they might be able to see where the Samba team has had some really good ideas and legally incorporate them into mainstream AD. And, before you express such confidence, I would try using Samba 4 myself. Some parts of the code are very mature and work well.
I like Samba 4 except .. (Score:3, Insightful)
Waiting for samba (Score:3, Insightful)
I'm also surprised it has taken this long. Which is why I'm not waiting.
Re: (Score:2, Interesting)
I'm not surprised. Anyone who has followed Samba's development as religiously as I have knows that Active Directory was always not fully documented and has always been a moving target. Samba 4 has been in development a very long time -- I remember hearing about "Samba TNG" (what they used to call it) years ago.
Slowly but surely they added Active Directory client integration and server development happened in parallel.
What will surprise you is how stable Samba 4 is right now. Even the alphas were stable en
Re: (Score:2)
Re: (Score:2)
All that crap would have to be implemented separately. It would be easy to do with a script, though; You can do anything you want to AD with perl (and probably python too these days) and can certainly manipulate gconf thusly (or via the commandline tool.)
Re: (Score:2)
The only potential problem with this is that this is Mr. Steve Ballmer we're talking about. The same person who believes that if you own an iPod, you are stealing music illegally even if you purchased it from iTunes! I do not trust anything about Mr. Ballmer, nor anything that emanates from his oral device!