Ask Slashdot: Is Samba4 a Viable Alternative To Active Directory?

timothy posted about 2 years ago | from the they-weigh-the-same dept.

Microsoft 388

First time accepted submitter BluPhenix316 writes "I'm currently in school for Network Administration. I was discussing Linux with my instructor and he said the problem he has with Linux is he doesn't know of a good alternative to Active Directory. I did some research and from what I've read Samba4 seems very promising. What are your thoughts?"

hahahahahah (-1, Troll)

Anonymous Coward | about 2 years ago | (#41874003)

lolololol ahahahaha lolollol

Samba, alternative to AD, ahahahha! stop please!


It is... (-1)

Anonymous Coward | about 2 years ago | (#41874021)

the same sense that Lance Armstrong won the Tour 7 times.

Re:hahahahahah (1)

Anonymous Coward | about 2 years ago | (#41874119)

You are right, Samba is not. But Samba4 is.

Re:hahahahahah (-1)

Anonymous Coward | about 2 years ago | (#41874251)

Samba 4 a _replacement_ for AD, ahahhahaha!

seriously, stop, please! i can't take it!

Re:hahahahahah (-1)

Anonymous Coward | about 2 years ago | (#41874351)

Finally you got it. Yes it is.

No (4, Interesting)

im_thatoneguy (819432) | about 2 years ago | (#41874017)

We finally switched out our last NAS that was running Samba. Too many small glitches. Not worth the hassle.

Re:No (4, Informative)

Hylandr (813770) | about 2 years ago | (#41874085)

Poor administration is not the software / OS fault.

Re:No (5, Funny)

Revotron (1115029) | about 2 years ago | (#41874149)

Because clearly, they're not holding it right.

Re:No (5, Insightful)

Hylandr (813770) | about 2 years ago | (#41874215)

Samba has been around literally for decades and has seen constant reliable use.

Your suggestion that the software is new and poorly designed is invalid.

There are good admins and bad admins. If software that has been successfully deployed for multitudes of years has been a problem then bad admins are far more likely to blame.

- Dan.

Re:No (5, Insightful)

localman57 (1340533) | about 2 years ago | (#41874253)

Is it fair to say, then, that Samba4 and AD are both good choices for people with strong admin background, but perhaps AD is a better choice for someone who, for instance, administers the server in addition to other business tasks? Not everybody has the time to become a good admin. They tell their boss that, but the boss also doesn't have funding to go and hire one.

Re:No (5, Funny)

Anonymous Coward | about 2 years ago | (#41874615)

No, it's not. When it involves Linux or OSS, it's always the admin's fault. When it's a proprietary solution, it's bad software. You must be new here, get with it.

Re:No (-1)

Anonymous Coward | about 2 years ago | (#41874709)

Nice way to twist another person's comment to suit your argument, but it's pretty much a FAIL. You're extrapolating a basic statement to conform to your more rigid definition and interpretation of a situation. Go away please, what the OP was asking for was some honest and useful opinions.

Re:No (5, Insightful)

Revotron (1115029) | about 2 years ago | (#41874265)

Software being around for decades doesn't magically cure all the bugs.

The OP stated that there were too many small glitches with the features they were trying to use, to which your response was that these glitches were imaginary and he just wasn't using it right. That sounds like something Steve Jobs would say.

You're suggesting that Samba is absolutely perfect and has nothing wrong with it at all just because people have been using it for 20 years. I doubt that. Would you like to take that logic and apply it to Windows and see where that gets us?

Re:No (0, Troll)

ameen.ross (2498000) | about 2 years ago | (#41874465)

Wait - I must be missing something. Since when is Windows open source?

You really don't compare an open source project to a proprietary one like that. Apples and oranges, anyone?

Re:No (2, Insightful)

interval1066 (668936) | about 2 years ago | (#41874749)

Agreed. You whiny bitches appear to be expecting a drop-in replacement for Active Directory. If that's the expectation I think you're gonna be very disappointed. For sundry and basic AD duties Samba4 is a great contender. If you want all the bells and whistles you're gonna need to fork up that license fee.

Re:No (2, Insightful)

Anonymous Coward | about 2 years ago | (#41874691)

The real question is does AD work better than Samba4 and if so is it significant enough that the costs are lower after taking into consideration time, expertise (after some time with the technology), and license costs, etc. It may be Samba4 is easier to setup and get working than AD although there are potential bugs that you will need to spend money on to get fixed.

Re:No (4, Insightful)

sjames (1099) | about 2 years ago | (#41874849)

No, but successful use for decades does indicate that it works.

Re:No (5, Informative)

Peachy (21944) | about 2 years ago | (#41874533)

The basic samba code has indeed been around for decades, and it's great.

Do be aware that samba4 release candidate 4 only got released on 30th October 2012 and as the announcement says "This is the first release candidate of Samba 4.0.0! This is *not* intended for production environments and is designed for testing purposes only.".

Re:No (0)

Anonymous Coward | about 2 years ago | (#41874739)

Nice straw man there.

First you claim the argument is invalid, then you waver all the way to unlikely.

I hope you're not as wishy-washy with your wife.

Re:No (4, Interesting)

im_thatoneguy (819432) | about 2 years ago | (#41874323)

You're right. It is the administration not the software. We have a couple file servers running Small Business Server and a couple that were running Samba. The SBSs required no administration. We turned them on and they just kept trucking. Our samba box would have random drop outs where it would deny access unless you restarted the file server.

We also had trouble with user group permissions not getting picked up properly. We also had a problem where the clock would get out of sync and then deny access.

It seemed like there was a new unique "Administration" necessary every couple weeks.

Re:No (3, Interesting)

Anonymous Coward | about 2 years ago | (#41874507)

You don't know what you're doing then.

I have a samba box with Win7 auth via AD working fine, and serving 118MB/s over gig-e. Never had a problem with it, and I sometimes forget which shares are Win hosted and which are hosted from the FreeNAS box (samba).

Re:No (4, Interesting)

im_thatoneguy (819432) | about 2 years ago | (#41874581)

Good for you. If you want to come setup my Samba box then be my guest. All I know is that one set of file servers works great without any administration and one has been a non-stop headache.

We have a grand total of 0 IT staff. That's possible with AD. I haven't found that to be possible with any Active Directory replacements.

Re:No (1)

Anonymous Coward | about 2 years ago | (#41874809)

We had 1 guy who was part time managing our AD and replaced it with Samba4 because it was cheaper. Never had any problems with AD mind you and it just kept running with no issues, but we needed to reduce costs. We now have a staff of 10 IT guys just for the Samba4 servers, each with 100 years of hands on experience, all vetted by slashdot as linux gods, and yet there is some major issue every other day.

Just sayin' as an AC I can post anything. Especially if I'm just talking shit out of my ass, and don't want to actually put my name to it. I mean, if a slashdot user feels it necessary to hide his username because he won't stand behind it, why would YOU?

Re:No (0)

Anonymous Coward | about 2 years ago | (#41874815)

If you have 0 IT staff, I can guarantee you're using active directory incorrectly.

Re:No (4, Insightful)

rtfa-troll (1340807) | about 2 years ago | (#41874817)

>Our samba box would have random drop outs where it would deny access unless you restarted the file server.

You probably had a minor misconfiguration. Would have happened whichever box you had it on. What did your support company say? [....] Oh; you set up a system without a support company? You thought that "Open Source" was a magic word which meant "fixes itself without any support company"; you thought that Red Hat stood for "nice company that fixes everything for free even if we install a clone distro" and forgot that it actually means "fixes stuff their paying customers care about".

Okay, I might be wrong in this case, but 98% of the time when asked it turns out that the people have spent thousands on Microsoft, Cisco and so on certificates. They have support contracts coming out of their ears for Oracle. Then they install an open source load balancer or database or something and suddenly the fact they saved money on the software license means they want to save even more money on the support. This is a bad mistake; everyone should look for competent support and if they can't find it then they should find a way to set it up themselves. If there's nothing, then you can probably employ some of the people who wrote the project really cheap and get a bunch of good developers in the price.

Re:No (5, Insightful)

Mike Buddha (10734) | about 2 years ago | (#41874515)

If Samba is difficult to administer, that's a problem. That makes it inferior to the competition.

Re:No (1)

Compaqt (1758360) | about 2 years ago | (#41874105)

You seem like you would have enough information to really let the rest of us know something (like specific versions of servers and clients) and what exactly happened as opposed to a cryptic remark.

i think you need to stay in school (-1)

Anonymous Coward | about 2 years ago | (#41874025)

or maybe even get an internship somewhere.
whatever you do, don't have this discussion with your prospective employer. they don't care about your religious beliefs - until it starts costing them money.

What for? What do you need to do with it? (5, Insightful)

rtfa-troll (1340807) | about 2 years ago | (#41874027)

It's important to realise that Active Directory has a bunch of overlapping different features. Samba4 is great for part of it. Puppet is great for a different part of it (the ability to configure systems - like a superset of Active Directory Group Policies). LDAP covers some other parts etc. etc. You need to be really careful with this question because it is already loaded. Essentially, if the answer is "Active Directory" you are asking the wrong question. Your overall system administration story with Linux will be much better than Windows but you need to start thinking more from the beginning since it isn't always as obvious which tool is the right tool.

Re:What for? What do you need to do with it? (-1)

Anonymous Coward | about 2 years ago | (#41874075)

In other words, "no".

Re: Puppet for config/package to Windows? (1)

Jonah Hex (651948) | about 2 years ago | (#41874513)

Off topic, but how does Puppet do with Windows clients, both server and workstations? Can it handle the standard packages I'd deploy via AD? I've been perusing their website but only see that Windows can be a client, not seeing the extent of it yet. Thx for any info in advance, I'm a rollout and installation pro from the Windows side of the data center and always looking for more config/app management skills. - HEX

Re: Puppet for config/package to Windows? (3, Informative)

dodobh (65811) | about 2 years ago | (#41874659)

Puppet has a server and client setup. The Puppet server process is Unix only.

MSI packages are supported. I'm not sure about group policies yet.

Re:What for? What do you need to do with it? (-1)

Anonymous Coward | about 2 years ago | (#41874619)

>Your overall system administration story with Linux will be much better than Windows [snip]

Absolute bullshit. Spoken like a true freetard.

Not yet. (5, Insightful)

phoenix_V (16542) | about 2 years ago | (#41874035)

Samba 4 is in its Alpha release stage and is not recommended for production. That said it's a remains to be seen thing if it will be.
It also depends a great deal on how and what you use AD for. For simple authentication you can use samba 3 + LDAP for that now.
For programs that require AD not so much with either.

Re:Not yet. (1)

CastIronStove (2602755) | about 2 years ago | (#41874093)

The linked Samba wiki claims that Samba4 is at the release candidate stage. I still wouldn't use it in a production environment, however.

Re:Not yet. (3, Informative)

phoenix_V (16542) | about 2 years ago | (#41874133)

I may have to put up a test copy then. I suspect there are few real world test cases being run, but an RC is far enough along
for me to justify spending some cycles at work on it. There are more samba 3 + LDAP setups out there than people may realise
and all of them stand to benefit from Samba 4.

Re:Not yet. (5, Informative)

Anonymous Coward | about 2 years ago | (#41874235)

I've got four offices running various versions of Samba4 on ZFS, up to the latest git head pull. Some of those offices have been running alpha versions for two years without an issue, we mostly use it for roaming profiles and AD user management. Some portions don't work as well as a pure Microsoft environment may, like how many GPO setting changes appear to do nothing (like to try disabling CTRL+ALT+DEL before entering a password).

It works for roaming profiles and it works well, but managing permissions (userid mapping, etc) between SMB4 and Linux is a pain in the ass. Maybe I just haven't looked hard enough.

Several of the AD configurators don't really do anything to the Samba4 installation, like managing shares. Changing ownership and making sure things are world-readable (like a common share) is also a kludge, something that shouldn't be true in a production ready software package.

Re:Not yet. (4, Funny)

sprior (249994) | about 2 years ago | (#41874109)

What a coincidence - Windows 8 just made its Alpha release too.

Re:Not yet. (5, Informative)

jmintha (56956) | about 2 years ago | (#41874269)

Unless I missed something, Samba 4 is not in Alpha release anymore. It has gone through beta, and is now in release candidate stage. (rc4 currently) It is designed as a full Active Directory implementation (including DNS and LDAP)

Dumb Question is Dumb (-1)

Anonymous Coward | about 2 years ago | (#41874049)

Samba 4 (like Samba 3) is a replacement for Windows SMB. It's supposed to be compatible with SMB v2 (what you get with Vista). It is not a replacement for Active Directory. If you want something to replace AD, try OpenLDAP. If you want to just be able to authenticate with AD, try likewise.

Re:Dumb Question is Dumb (5, Informative)

phoenix_V (16542) | about 2 years ago | (#41874067)

Samba 4 *is* intended to be a full AD implementation. Currently it has a built in LDAP and Kerberos server set in the same daemon. That is a problem
for some, like myself, that use Samba 3 + LDAP for shared auth. When complete it *should* be a fairly complete implementation of the AD specs, all
of them. I have no idea how long this will take, or just how complete it is, but those are the design goals. All of this is a result of Microsoft releasing the
full spec due to the European Union lawsuit.

Misunderstand of what SAMBA actually is...... (-1)

Kr1ll1n (579971) | about 2 years ago | (#41874051)

SAMBA is an open-source implementation of Windows SMB (Server Message Block), which runs on top of CIFS.

In essence, SMB extends the CIFS functionality out for windows networks. SAMBA was designed to allow better CIFS interoperability between *nix and Windows hosts.

Currently, I cannot pull up the SAMBA4 page to even find out what it may be doing different in comparison to previous releases, but if the intent is the same, then no, SAMBA4 would not suffice as an AD replacement, as it would still lack things such as;

Group Policy
Domain Membership
DNS Integration

Re:Misunderstand of what SAMBA actually is...... (5, Informative)

phoenix_V (16542) | about 2 years ago | (#41874089)

I also commented above, Samba 4 *is* intended to be a full AD server implementation. It is using the documents Microsoft was forced to release
as a result of an EU lawsuit.

How complete an implementation it ends up being and how well it works will have to wait to be seen once it exits Alpha status and gets a few
beta releases under its belt.

It's a whole new samba in the end.

Samba3 could fool XP (1, Interesting)

CodeheadUK (2717911) | about 2 years ago | (#41874053)

I've managed to get XP clients to join an NT domain using Samba as a PDC. Samba 4 wasn't an option at the time, but I don't see why AD emulation should be beyond the realms of possibility.

The biggest problems I had were the cryptic errors from the Windows boxes, not Samba.

Re:Samba3 could fool XP (0)

Anonymous Coward | about 2 years ago | (#41874181)

How many days of configuring and reading documentation did you need? What about server replication for high availability? Replication bandwidth and scheduling? Integration with other domains/forest? And so on and so on and so much on....

Re:Samba3 could fool XP (2)

tibit (1762298) | about 2 years ago | (#41874409)

I don't think these days there's much "configuring and reading documentation". There's one samba-provided registry file you need to import on every Windows Vista/7/8 host before joining them to the domain, and that's it. It pretty much works. Server-based printers w/ drivers don't work for some printers because said printer drivers are buggy and won't take anything but only certain windows server versions. If you use IPP printing, things are fine. I still keep drivers on the server and push them to clients using windows-native print server configurator.

Re:Samba3 could fool XP (0)

Anonymous Coward | about 2 years ago | (#41874477)

Funny perspective you have when the question is about whether Samba4 is viable AD replacement. You call it bugs on the Windows side, but it's really an incompatibility on the Linux+Samba4 side. It's those annoying little glitches that the first post alluded to.

I can't see the effort of making a non-native implementation work worthwhile. This guy will be locked in to support 24x7 once he's figured it out. Pretty shit from a work-life perspective, and a massive risk for his employer.

Nein. (5, Informative)

doubledown00 (2767069) | about 2 years ago | (#41874095)

It works for small environments. But as you start getting above 50 people AD is the way to go for two reasons: 1) Less admin overhead time. Like it or not, AD "just works" unless you really snork it up; and 2) AD credentials integrate with more stuff and it's not tenable to have to maintain different user databases for each one. Sooner or later an enterprise will want exchange... and spam filtering... and internet proxies etc. There are a multitude of products out there that will integrate with AD. To get the same with Linux / Samba (if it can be done at all) will require cobbling together services and solutions that will complicate your life. The bottom line: I went through my Linux zealotry phase too. Then I got a life and couldn't spend hours on end reading docs and fiddling with services and config files. Towards that end AD just simplifies user admin and frees you up to deal with other stuff. Linux has its place in the enterprise, but it ain't as an AD replacement.

Re:Nein. (1)

Anonymous Coward | about 2 years ago | (#41874183)

mmm no. Linux / Samba is one way to go, AD is another one. AD will take you to Exchange. Linux/Samba will take you to better solutions.

Look at Zentyal, an integrated Linux distro with LDAP / Samba / Mail / eGroupware / VoIP / Messaging services. No need to fiddle with config files, easy to set up in 10 minutes through your web browser.

Re:Nein. (3, Informative)

doubledown00 (2767069) | about 2 years ago | (#41874273)

>No need to fiddle with config files

A simple browse through the forums quickly showed this is simply not true. Reading on how to enable Outlook integration confirmed that. Same old same old. It's alright if you have available time, a client willing to pay for the learning curve, and users comfortable with "out of mainstream" software. If you have clients like these, count yourself lucky.

Re:Nein. (0)

Anonymous Coward | about 2 years ago | (#41874295)

You do not seem to have a lot of recent knowledge about samba. It is practically a requirement for all but the smallest site to use LDAP as the backend database. This effectively means you don't need to maintain different user databases.

Why exactly do you need AD authentication for spam filtering and internet proxies?

Re:Nein. (1)

doubledown00 (2767069) | about 2 years ago | (#41874399)

>You do not seem to have a lot of recent knowledge about samba. It is practically a requirement for all but the smallest site to use LDAP as the backend database. This effectively means you don't need to maintain different user databases.

All the more reason I don't want to putz with it.

>Why exactly do you need AD authentication for spam filtering and internet proxies?

Because in my consulting gigs it is all about reducing *my* pain and aggravation. It gets annoying having users constantly complain about the indignity of having to enter credentials to get into a web-managed spam queue or having to login with a special password to be able to view Facebook on their workstations. Or any number of problems with having to identify not just the workstation but who is logged into it etc.

With the products that integrate with AD (Palo Alto's internet appliance line for one) none of the above are issues. Done. I don't get any angry user calls, and the client pays my invoices without hassle because everything "just works".

Re:Nein. (1)

smooc (59753) | about 2 years ago | (#41874385)

You're out of date. Samba 4 (although at RC now) does Active Directory. Don't spread FUD please.

Re:Nein. (1, Insightful)

doubledown00 (2767069) | about 2 years ago | (#41874493)

No, not out of date. Just got tired of Samba 3 not fulfilling my clients' needs and said fuck it.

On a broader level your assertion is absurd. You're prepared to say Samba 4 does AD and call it good based on an RC. Slashdot rightfully doesn't give Microsoft a pass on something like that, I don't see why an open source project should be any different.

Re:Nein. (1)

ThatsMyNick (2004126) | about 2 years ago | (#41874751)

Because Samba 3 never claimed to do AD, and Samba 4 claims to do AD. That is why.

Re:Nein. (0)

Anonymous Coward | about 2 years ago | (#41874651)

It doesn't do GPO, among other things, AD is more than just file sharing, Kerberos and LDAP, stop spreading FUD please.

Re:Nein. (0, Informative)

Anonymous Coward | about 2 years ago | (#41874785)

SOGo is a groupware server which recently added Exchange protocol compatibility using Samba4 - just sayin...

Back in the day .. well June (4, Informative)

OzPeter (195038) | about 2 years ago | (#41874101)

Slashdot discussion about Samba 4's Beta release: Samba 4 Enters Beta

AD for what? (0)

Anonymous Coward | about 2 years ago | (#41874113)

Please excuse my ignorance on Samba 4, I know it allows authentication but I don't know how robust the feature set is.

Some people hardly use AD. All it does for them is authentication. In that case, I would expect it to be an easy fit.

Microsoft AD offers a lot of features and many things integrate with it. The more of a Microsoft shop you are, the more you can become dependent on Microsoft's AD. Group policy is what jumps to mind the most for me. I don't know if you can use it with Samba 4, but it does make a lot of things easier. Most of what it does could be solved with scripts, I find myself using scripts less and less.

I find myself wanting to get our domain functionality level up to 2012 already for the new features, but I know many others that could care less. I would not be surprised to find a domain running 2000 or 2003 functionality levels. Those are the people that could get away with something else.

release software... (0)

Anonymous Coward | about 2 years ago | (#41874137)

You would be well advised to research the difference between release candidates and released software. Samba4 is not yet released... it is coming but not there yet.

NDS is seen as an alternative to active directory... Yet mostly in larger deployments. Whether this is licensing or complexity... I'm not sure yet

All-Linux network (1)

Compaqt (1758360) | about 2 years ago | (#41874147)

The poster didn't say whether his instructor had a problem with a Windows client/Linux server setup or with a Linux network in general.

E.g., what if you just cut Win clients out of the picture? Just have straight up Linux. Would he still have a problem?

Secondly, if you did have straight Linux, what kind of software stack would you have?

How well does LDAP work when you get to the nitty gritty? Is Kerberos something you'd be using? What's the best NAS? FreeNAS? 7 or 8? Or NAS4Free? Just a Linux box running NAS-type packages?

Single signon?

Re:All-Linux network (1)

Zombie Ryushu (803103) | about 2 years ago | (#41874281)

Yes, For all Linux networks, Samba does change things. Samba 4 is backward compatible with all of OpenLDAP's and Heimdal Kerberos's clients. In a purely Linux network, Linux machines would connect to the Samba 4 Active Directory as Open Directory Clients.

for-profit schools (-1)

Anonymous Coward | about 2 years ago | (#41874161)

First, you're paying a school to teach you Linux/Network Administration... guessing it's a for-profit school. Read a /. post a few weeks ago on for-profit schools. They're worthless...

Re:for-profit schools (1)

ArchieBunker (132337) | about 2 years ago | (#41874185)

Pretty sure most colleges and universities also turn a profit. At least all the deans and administrators do.

Re:for-profit schools (-1, Flamebait)

Billly Gates (198444) | about 2 years ago | (#41874293)

U of Michigan has such a program now. Let me tell you the kids out of there knew more than the 35 year olds!

Computer science is worthless in comparison. Sure everyone older learned on the job knows his or her own speciality but the kids coming out of these admin programs know every nook and cranny of AD. Not just how to do a task, but actually how it works. Not wasting time with calculus where it is not used on the job.

I probably will get modded down from the CS grads on this but I wish more universities would start this. As a result my opinion is changed and if I were hiring an entry level 23 year old out of school I would prefer the Network admin degree over the CS one if I needed help managing an enterprise.

Love Samba (1)

kilodelta (843627) | about 2 years ago | (#41874171)

Samba has had NT support since way back and now has AD compatibility. So it works as a drop in for Windows servers that cost $$$$.

Mixed results in a mixed environment (4, Interesting)

93 Escort Wagon (326346) | about 2 years ago | (#41874175)

We have, for many years, had a computing environment that, on the server side, is a mix of Red Hat Enterprise and Windows. Users and groups are (ostensibly) the same in both environments. The servers running Samba were in AD but were not acting as DCs.

Samba has always handled the user accounts perfectly. Groups, on the other hand, break fairly frequently - and by "break" I mean it stops realizing that group "foo" on Windows is also group "foo" on Linux. Since most of our end users are on Windows boxes, and most of the authorization on the web server (my main concern) is handled using groups, this has been a big headache for me. Fortunately we were able to convince our manager it wasn't worth the continued investment in man-hours by our Linux and Windows guys to keep debugging this group issue, and we just pulled the plug - now everyone has to use scp/sftp, and everything works well.

Admittedly this is a narrow use case I'm describing. Also I wouldn't be surprised if everything would be peachy if 100% of the AD stuff was being handled by Samba (and ONLY by Samba). But if this is a mixed environment, you should do some serious testing before making a decision.

Re:Mixed results in a mixed environment (4, Informative)

ruir (2709173) | about 2 years ago | (#41874207)

Back here we are also handling the file servers, users and groups in a +10 thousand user infrastructure, and things work pretty well.

Re:Mixed results in a mixed environment (0)

Anonymous Coward | about 2 years ago | (#41874807)

Why even bother with Samba? Just configure pam_ldap and nslcd to map users & group directly from AD.

NOT Recommended. (3, Insightful)

Anonymous Coward | about 2 years ago | (#41874231)

Samba may be able to do some of the windows file and printer sharing... even acting as a domain controller. BUT. Trust me. It will be hell to administer. For what you pay for Windows 2012 standard... with Hyper-V, and all the roles and services you just get... I don't see how you can compete with the ease of use and administrations. On the other hand, if you are hard core UNIX/Linux and you need to support a few windows boxen in your environment.. then this is a great fit for you. Otherwise, stay away... far away. Anything you save in dollars you will spend in time... ten times over.

Depends on what your requirements are (2)

Nkwe (604125) | about 2 years ago | (#41874233)

When you talk about alternatives to Active Directory you need to be specific as to what features of Active Directory you refer to. Active Directory is a lot of things: Distributed multi-master database, Authentication provider, Authorization provider, Configuration management system, and more. The Active Directory infrastructure provides: File services, Print services, Group policy, LDAP, DNS, DHCP, and other services.

I haven't read in detail about Samba 4, and it appears that the Samba Wiki is down at the moment, but there is a decent description on the Fedora Project site. According to the Fedora site, Samba 4 includes the ability to be a domain controller and implements the Kerberos stack, but it is not clear that it provides the centralized configuration management that Active Directory does. This centralized management (Group Policy) and the ability to delegate administration (Organizational Unit based delegation) are very powerful features of Active Directory and what keep large organizations on the platform.

If all you are looking for is a shared account database and the ability for multiple workstations to authenticate against it, Samba 4 may be just the ticket. If however you are looking for a replacement for Active Directory at an enterprise level, I doubt it is there yet.

Re:Depends on what your requirements are (2)

domatic (1128127) | about 2 years ago | (#41874401)

It does. Install the RSAT tools on a Windows client and use them to manage Group Policies on the Samba4 controller.

The HOWTOs for Samba4 all emphasize this.

Re:Depends on what your requirements are (0)

Anonymous Coward | about 2 years ago | (#41874637)

A lot of the GPOs do nothing when you change their defaults.

Samba 4 changes everything (5, Informative)

Zombie Ryushu (803103) | about 2 years ago | (#41874245)

Since 2005, the combination of OpenLDAP, Heimdal Kerberos, and Samba 3 has been a staple in the Linux Infrastructure, with other services such as FreeRadius, NFSv4, and AFS being tacked on for good measure.
Many if not most Linux based utilities support LDAP. Unlike Samba 3, which functioned as an OpenLDAP based application, Samba 4 completely replaces OpenLDAP and Heimdal Kerberos. Consider the following. Samba 3, while far beyond what Windows NT4 was ever capable of, expanded the NT4 Domain concept far beyond its design limitations. In the most recent era, Samba 3.5 and 3.6 created an enhanced form of NT Domain Authentication just for interoperability with Windows 7. (This is very fascinating because it uses Windows 2003 Sign and Seal with NT4 Authentication, something NT4 never could do.) So it can be said, while Windows 7 expressly drops support for Windows NT4, Windows 7 has express support for Samba 3.

Yet the sword of Damocles has swung over the head of Samba 3.x for a long while. Vista dropped support for NT4 Style System Policies, requiring administrators to resort to registry trickery with Wine and third party policy tools such as NitroBit.

Samba 3 brought about a form of NT Domain that supported LDAP as a backend, could use Kerberos for Authentication both for file shares and joining the Domain. (Although only other Samba clients could utilize the Kerberos aspects of Samba 3.) Could dole out policy by OU. With help from OpenLDAP, Samba 3 could overcome the single PDC limitation, and all Samba Domain Controllers could be writable PDCs because OpenLDAP supported Multi-master Replication.

Beyond Samba, FreeRadius could use LDAP for authentication, Evolution could garner configuration information from OpenLDAP for IMAP and SMTP settings (CalDAV Support was never added, even though there were fields in the OpenLDAP schema for the three CalDAV based Calendar, Addressbook, and Task List.) This cooperated with eGroupware. Sudo could draw Sudoers from OpenLDAP, as could NSS. Each had their own unique Schemas.

Unlike when Windows moved from NT4 Domains to AD, the movement was simple, before, you had no Directory Service, and now, boom! you do. In the Linux world LDAP has been a reality for a long time. Many applications are built to participate in Open Directory based Domains based on OpenLDAP Schemas. What happens if the Schemas conflict definitions? How will this be resolved?

The real world (5, Insightful)

Billly Gates (198444) | about 2 years ago | (#41874249)

Ask yourself why?

I used to be like you when I was 20 a decade ago. Here is what I have learned. Your enterprise hates change and looks at you as a financial burden and unnecessary cost unless you work for an IT company. If they have AD why switch? If what they have works don't mess with it.

I saw this pop up last week on slashdot when Microsoft suggested business users stop using XP. Shockingly a decade ago on slashdot people would be laughing at everyone using an 11 year old platform who refuses change all based on Microsoft. Fast forward today you see folks under 35 freak out and DEMAND XP BE SUPPORTED FOREVER because changing is something you never ever do! Those over 35 got modded down saying upgrading is part of your job. The point is, to put SAMBA 4 in you have to fight such people. They hate change and will cling to obsolete products as their behaviors in the last decade taught them to lock versions with no updates and view everything as a cost center. Even a free product like Samba as such.

If it breaks who do you sue? Who do you call for support? Will you be handed a pink slip with a boot up your ass out of the door if something breaks? AD is standard, it is used by everyone else, other products like SQL Server, Sharepoint, and Exchange use it. It is part of the proprietary ecosystem at work and even though slashdotters breathe down Linux as the end all for everything it is not in an already established enterprise environment.

Just stick with AD. It is what you will be quizzed on and expected to know in your first job interview. If you do not know it they will find someone else who will. It is that simple.

Re:The real world (-1)

Anonymous Coward | about 2 years ago | (#41874329)

There is a fairly large difference between the XP thing and trying to go to samba 4. The biggest aspect is that XP, with its many faults, worked. Trying to get samba to do AD's job is a turd polishing endeavor. But then again, most open source stuff is.

Re:The real world (0)

doubledown00 (2767069) | about 2 years ago | (#41874341)

To quote Dave Hester, "YUUUUUUUP!"

Re:The real world (-1)

Anonymous Coward | about 2 years ago | (#41874703)

Please don't.

Bahahahahaaa (0)

Anonymous Coward | about 2 years ago | (#41874309)

Maybe it's mediocre at mimicking NT4's domain system but AD is way out of Samba's league. That's OK though, AD has only been out for 12 years so it's still got some time to catch up.

Samba4 works great for small offices (5, Informative)

fang0654 (1805224) | about 2 years ago | (#41874313)

So far I've set up several small offices using Samba4 as a drop in replacement for Active Directory. Here is what I've found it does well: Windows Authentication, AD DNS, Group Policy, Easy scripting (python tools and libraries). What it doesn't do well yet: Replicating AD with other servers. I haven't had much experience using subdomains, etc, mainly because I haven't been able to get it to replicate. But for a small office, it works fine.

Context? (1)

fm6 (162816) | about 2 years ago | (#41874317)

This question needs some context. My first reaction was, "Hey, what about LDAP?" Then it occurred to me that the instructor was assuming a lot of MS-centric infrastructure that needs AD support. But that's just an assumption.

I've noticed a certain MS-centric viewpoint in many community college courses on networking. This probably has to do with MS giving schools a lot of resources.

Rather than looking at a replacement... (4, Insightful)

HerculesMO (693085) | about 2 years ago | (#41874331)

Look at the use case.

I know too many Windows and Linux folks who try to shoehorn one way of doing things so it runs the way they want them to. This post reeks of that.

Find the best business reason to use one thing or another. I don't disqualify MS because it's not open source, or Linux because it's free. There are costs to doing everything, and usually made up outside of what infrastructure you decide on.

That said, Windows is best on the desktop because of Group Policy, its extension into things like System Center, IT Asset Management systems, reporting, workflow, automation, etc. I know it "can be done" with Linux but the process is usually smushed together and kludgy. Windows is simpler because of the software that supports it, many of them made by MS themselves.

I will stick with *nix for my backend requirements, and Windows for my front end. Until something changes drastically, I don't see much point in trying Linux on the desktop -- it's clearly not its strong suit.

Re:Rather than looking at a replacement... (1)

DragonTHC (208439) | about 2 years ago | (#41874479)

No one was ever asking if they should use Linux on their desktop. The question was about replacing an active directory windows server with Linux/Samba.

Re:Rather than looking at a replacement... (2)

HerculesMO (693085) | about 2 years ago | (#41874591)

Fair point... but if you're talking about having a server with Windows clients and trying to supplant AD, it's a futile exercise. It all works together really well because it's designed to. Once you lose control of being able to administer huge swaths of clients via GPO, you lose an organizational edge.

Unless you're a software firm intent on showing you can do without. But most people aren't software firms in that position.

Typical Instructor (1, Flamebait)

Murdoch5 (1563847) | about 2 years ago | (#41874373)

Samba 4 is an EXCELLENT replacement for Active Directory. Any first year IT / Networking student should be able to configure a complete domain controller and master PC using Samba. In many cases Samba outperforms Active Directory on Windows. Samba uses less resources, less overhead and that all gets returned in speed. In fact the only case where I would consider using Windows Server in place of a Linux Server is if I could only hire grade 10 IT nerds who have no idea what they're doing. If you want a server you want Linux, Windows is for people who want to show off their GUI instead of getting work done.

Re:Typical Instructor (0)

Anonymous Coward | about 2 years ago | (#41874561)

Samba 4 is still in the release candidate stage (RC4) - so I'm not sure in what alternate reality it is considered to be an 'EXCELLENT' replacement.

What "Group Policy is" (4, Interesting)

Zombie Ryushu (803103) | about 2 years ago | (#41874377)

Keep in mind that "Group Policy" is, truly, merely Windows Registry keys stored in the LDAP database in Active Directory. Samba 4 will store these in its LDAP database. Something Samba 3.x+OpenLDAP couldn't do.

Linux has no Registry, Linux approaches the Group policy concept differently by having application level Sub-Schemas that have to be imported into the tree. Linux applications then have to be configured to call on the LDAP Database instead of using their local files. There are OpenLDAP Schemas for:

Samba 3 of course
Bind (Deprecated)
Posix Accounts (/etc/password, NIS and NFS related)
CUPS (Printers)
urpmi (Exclusive to Mandriva)
Apache (Can store httpd cluster information)
Zimbra ...and more.

When Samba 4 is released, you have to import all these OpenLDAP entries into the Samba 4 LDAP tree.

Depends on what you want to do... (2)

bevenhall (724111) | about 2 years ago | (#41874417)

Take a look at [] .

it's an excellent replacement (1)

DragonTHC (208439) | about 2 years ago | (#41874457)

Samba + OpenLDAP is a fine choice for AD replacement.

Let the kids have their toys (1)

codepunk (167897) | about 2 years ago | (#41874523)

Let the kids have their toys, put your efforts into the man tools.

i believe (0)

Anonymous Coward | about 2 years ago | (#41874537)

Samba4 is on the verge of being a viable alternative to AD. Check back in a few years.

There is a commercial AD replacement that I believe uses Samba4 at its core: Centrify.

How Bout Noe. (0)

Anonymous Coward | about 2 years ago | (#41874545)

SAMBA 4 as a simple directory replacement for Active Directory is nowhere near ready. But, even if it was close, it would still be lacking "minor" things like a dead simple and reliable GUI that even end users can use. It would still lack integration into third party application capabilities for SharePoint and Exchange-like apps as well as reporting, monitoring and so much more.

The fact of the matter is that a directory far technically superior to Active Directory has been available for a couple of decades. That is Novell eDirectory. Yet, the de facto decision has been to cast it aside in favor of Active Directory, which is slowly approaching a similar capability. Even if SAMBA 4 were vastly superior technically, it would still have no chance against the integration and ease of use that Active Directory has over the most prevalent and widely used operating systems and applications on the planet.

Novell has AD emulation (0)

Anonymous Coward | about 2 years ago | (#41874589)

Novell in its SLES/OES has an install option that you can use with eDirectory called Domain Services for Windows (Google dsfw).

It essentially has a Novell written (i.e. well tested "enterprise" quality software) that has a translation layer that converts active directory calls to eDirectory. The translation occurs transparently and works with at least win2k3 as an AD server. New versions should work with 2k8 soon (if not already). What else is nice is that when you use dsfw, you no longer need to use the Novell client or their tools (i.e. Console 1 or eDirectory via http) to manage the windows machine; you just join it to a domain like usual and manage it entirely via MMS (group policies, etc.). And yes, they use Samba to provide the file access.

It works. Use it. Otherwise, just stick with MS and go with AD if you _really_ need flawless AD compatibility.

it is cool! (0)

Anonymous Coward | about 2 years ago | (#41874623)

i dunno about samba 4 but v.3 could do the roaming profile thing with winXP. so all your stuff is on the samba server. if an XP box acts up or breaks, just move to another box (or plug in a spare), put in your username and password (on the domain) and continue your work (which the XP will fetch from the samba server). doing it for the first time was a nightmare, but with all things linux-y, the "IT WORKS!" -or "IT'S ALIVE"- is a real dr. frankenstein moment and definitely worth it : )

The closed source bit of Samba... (3, Interesting)

Shuntros (1059306) | about 2 years ago | (#41874725)

I realise Novell aren't exactly a powerhouse any more, but does anyone else remember about 5 years ago when they released Domain Services for Windows? That was basically Samba 4, but using eDirectory and NSS (that's a proper man's filesystem, for you young kids) as the back end. I only played with it briefly whilst at my last employer, but damn did it rock... All the NSS clustering and good bits of Novell tech were totally transparent. The only time you knew you were talking to a Linux box was if you opened up a DC in MMC and looked at its properties, where it said something along the lines of "SuSE Linux Open Enterprise Server".

Fairly obvious that Jeremy A was largely responsible for DSfW, just a shame that stuff was most likely locked up as Novell IP and off limits to Samba 4.

Not replace, but maybe work with. (1)

xaoslaad (590527) | about 2 years ago | (#41874737)

I don't think you can replace Active Directory for things like Group Policy, etc. The functionality just isn't there, as far as I know. On the other hand check out the FreeIPA project in Fedora (and IPA in RHEL) - they now support creating trusts with Active Directory domains which allows sharing resources, etc. This is the gist of how it works: []

several alternatives... (1)

pouar (2629833) | about 2 years ago | (#41874765)

OpenLDAP, OpenDJ, FreeIPA. Does anyone bother to use Google anymore?

Novell still has solutions (0)

Anonymous Coward | about 2 years ago | (#41874787)

Check out products from Novell for really good stuff that integrates well across Windows and *nix.

Samba4 is miles beyond M$ AD. (-1)

Anonymous Coward | about 2 years ago | (#41874797)

Samba can do anything Active Dickery can do and more. Users, group policies, authentication. AD is an ancient piece of shit that Micro$oft is hardly using itself anymore. I suspect the OP is a M$ shill trying to troll Samba users.

AD has serious problems (2)

whois (27479) | about 2 years ago | (#41874825)

I don't think it's bad for what it does, but the inability to rollback changes or even to know what's been changed is a serious oversight. There are third party tools that fix this (Google search for active directory change control), but for a large scale environment you shouldn't have to rely on third parties to make a tool usable.

Contrast this to a UNIX based ldap server (openldap) where the entire directory can be saved and reloaded as a text file over and over again.

AD also has the tendency to bury lots of information behind properties windows that have 30 or so tabs. Even if you look at all of those you'll still miss disconnected pieces like group policies or if an AD account has an exchange account.

I don't think "replace AD with Samba" is a good idea though. If you're going to be using lots of Windows systems then you're better off managing them with the tools provided by the vendor.
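The change-tracking point in the comment above (a directory that can be saved as a text file can also be compared against an earlier copy), as an added example that is not part of the original thread: it diffs two LDIF text exports and reports added or removed entries and attribute values. The function names and the sample entries are constructed for illustration; LDIF line folding and base64 (`attr::`) values are handled, other LDIF features are not.

```python
import base64

def parse_ldif(text):
    """Parse LDIF text into {dn: {attr: set(values)}}; handles folding and base64."""
    entries = {}
    # Unfold first: a newline followed by one space continues the previous line.
    for block in text.replace("\n ", "").split("\n\n"):
        current = None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):        # "attr:: value" means base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                current = entries.setdefault(value.lower(), {})
            elif current is not None:
                current.setdefault(attr.lower(), set()).add(value)
    return entries

def diff_snapshots(old, new):
    """List (change, dn, attr, value) tuples describing how old became new."""
    changes = []
    for dn in sorted(old.keys() | new.keys()):
        if dn not in old or dn not in new:
            changes.append(("entry-added" if dn in new else "entry-removed", dn, None, None))
            continue
        for attr in sorted(old[dn].keys() | new[dn].keys()):
            before, after = old[dn].get(attr, set()), new[dn].get(attr, set())
            changes += [("value-removed", dn, attr, v) for v in sorted(before - after)]
            changes += [("value-added", dn, attr, v) for v in sorted(after - before)]
    return changes

# Constructed sample exports (not real data): an earlier and a later snapshot.
BEFORE = """\
dn: cn=admins,ou=groups,dc=example,dc=org
member: uid=alice,ou=people,dc=example,dc=org

dn: uid=bob,ou=people,dc=example,dc=org
mail: bob@example.org
"""
AFTER = """\
dn: cn=admins,ou=groups,dc=example,dc=org
member: uid=alice,ou=people,dc=example,dc=org
member: uid=mallory,ou=people,
 dc=example,dc=org

dn: uid=mallory,ou=people,dc=example,dc=org
description:: dGVtcCBhY2NvdW50
"""

if __name__ == "__main__":
    print(*diff_snapshots(parse_ldif(BEFORE), parse_ldif(AFTER)), sep="\n")
```

Run against scheduled exports kept under version control, a diff like this gives a reviewable record of group-membership and account changes between snapshots.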
