Samba with Active Directory: getting bigger?
Posted Feb 4, 2010 11:04 UTC (Thu) by drag
In reply to: Samba with Active Directory: getting bigger?
Parent article: Samba with Active Directory: getting closer
Yeah. Find a corporate building and sift through the trash. You'll be able
to find a machine with 50x more resources that people regularly throw away.
If that is not appealing then just buy a SheevaPlug for less than 100 bucks
and get a 1GHz CPU and 512MB of RAM.
Active Directory itself has massive amounts of important functionality that
makes it a far superior solution than what Samba 3.x can offer, even for
simple file server solutions. It makes spending a trivial amount of cash
completely worthwhile.
I mean you can't really even find a Windows 2003 or 2008 server floating
around that is not using AD in some fashion, unless it was set up by a
non-technical person. The advantages of having an integrated and easy to
deploy system that you can hook many other services up to at a later date
are just insurmountable. If you have a Windows admin and they are NOT using,
at minimum, Small Business Server when deploying a bunch of Windows
systems.. even for a simple file server.. then they have no business working as a
Here is an easy example:
Care about Security?
Samba relies on NTLM for authentication.
NTLM v1 and v2 rely on MS-CHAP (v1 and v2) to do the network stuff. Which
means that for network security you are depending on DES-encrypted MD5,
which we know is increasingly worthless when it comes to security.
And what is even worse is that unless you specifically specify things in
the Samba config your server will accept plain text passwords, which is
something that even Microsoft Windows does not support anymore.
Even not considering that the DES and MD5 stuff is weak, the actual MS-CHAP
and NTLM protocols themselves have many known weaknesses and vulnerabilities.
This is compared to Active Directory, which uses Kerberos, a well-known,
very widely used, and very secure protocol. Why do you suppose people
recommend not using PPTP, for example? Because the authentication stuff is
weak and it is the same stuff that Samba 3.x depends entirely on.
So if I were an IT network security guru type person and I held network
security as the highest requirement then there would be no way I could
allow any Samba server to exist on my network, nor could I allow any Linux
desktop to exist in a Windows environment.
Despite the fact that people here will (quite correctly) scoff at the poor
quality of Windows host-based security.. Microsoft's AD network security
far surpasses anything that is _reasonable_ to deploy using Linux systems.
Sure, highly knowledgeable Linux folks in a professional environment can
deploy a very secure network setup with available tools, but I don't see
how anybody can reasonably do it for Linux desktops for any sort of small
or medium enterprise.
After putting weeks of effort into figuring out how to use OpenSSL and use
TLS with OpenLDAP and Kerberosv4 on Debian, and actually using that sort of
domain at home for months and running into issues and bugs and other such
things.. I could not be depended on to successfully run a KRB/LDAP-based
domain using Linux and OSS tools. Even with a full month of effort the best
I could do would be to get it to work well... I still would not be
comfortable with it without having a third party come in and audit my
setup. Meanwhile an A+ network cert with barely enough knowledge to pop a
CDROM into a PC can deploy a SBS setup with far superior results in less
than a day of effort.
An experienced Windows admin can then come in and lock down things quite a
bit with a few group policies, eliminating old vulnerabilities kept around
due to requirements for backwards compatibility, things associated with
password caching and all that, and be able to use modern and secure
protocols like IPSEC to do tunneling and get all sorts of nice integration
with Single Sign On and with a bunch of Web services, Email, Groupware, and
even a very large amount of open source software, eliminating a whole host
of security issues associated with having to send passwords over HTTP or
IMAP or SNMP and all that.
If you want a simple example of how AD features can improve the security of
running Linux look no further than OpenSSH.
No more having to have shared keys. No more 3DES encrypted files that will
give unfettered access to all your servers.
Servers and clients have to have proper credentials. Pretty much complete
and total elimination of any sort of possibility for a man-in-the-middle
attack. No having to guess that the server you just logged into for the
first time is the right one (how many times have you written down your
server's ssh fingerprints so you can compare them with what shows up the
first time you log into it?). Unless the server you are ssh'ing into has
proper Kerberos credentials then they cannot even pretend that they accept your user's
You can disable password support altogether and eliminate the ability for
people to try to brute force your OpenSSH servers fishing for weak
When the Samba4 AD stuff reaches prime-time and IF distros pick it up and
run with it then it should make it massively easier to do all sorts of
things that would not only make deploying Linux systems and Linux-based
services cheaper, but also massively more secure.
Think about all the effort of having to set up MIT Kerberos + OpenSSL +
OpenLDAP + GSSAPI + whatever on an Ubuntu system and having to go through
large amounts of tedious and error prone configuration versus being able to
walk down to a store and spend 150 dollars on a NAS device with Samba AD
integration in it. It would do to the server market what the netbook did to
the laptop market, and if distros do a good job of integrating Samba4
features then it can make deploying Linux desktops in a small or medium
close to being trivial.
It should be as easy as an admin logging in locally to an Ubuntu or Fedora
machine and choosing 'join domain' during installation, providing an admin
domain password, and then *poof* you're done. Users are automatically able
to use the machine, and the machine is automatically able to use any
services on the network in SSO fashion. DNS names are automatically set up
and configured correctly. Make it easy to lock down the desktop.. deny
access to flash drives if you want or not. All sorts of stuff that right
now is very tedious to do.
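The comment above makes two concrete configuration claims: that a Samba server accepts plaintext passwords unless told otherwise, and that an OpenSSH server should refuse password logins and rely on Kerberos (GSSAPI) instead. The script below is an added example, not code from the comment or from the Samba or OpenSSH projects: it parses the global parts of an smb.conf and an sshd_config and reports which of those weak settings are in effect, falling back to the real Samba and OpenSSH defaults for keys that are absent. The two sample configurations are constructed for the example and describe no real host.

```python
SAMPLE_SMB = """# constructed sample smb.conf, not taken from any real host
[global]
   security = user
   encrypt passwords = no
"""
SAMPLE_SSHD = """# constructed sample sshd_config, not taken from any real host
PasswordAuthentication yes
GSSAPIAuthentication no
Match User backup
    PasswordAuthentication no
"""

def _yes(v):
    return v.strip().lower() in ("yes", "true", "1")

def parse_smb_global(text):
    """[global] keys of smb.conf (lowercased, spaces normalised); comment lines start with # or ;."""
    section, out = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line[:1] == "[":
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            k, v = line.split("=", 1)
            out[" ".join(k.lower().split())] = v.strip()
    return out

def parse_sshd_global(text):
    """Global sshd_config keywords (lowercased); sshd keeps the FIRST value, Match ends the global part."""
    out = {}
    for line in (l.strip() for l in text.splitlines()):
        parts = line.replace("=", " ").split(None, 1)  # 'Keyword value' or 'Keyword=value'
        if len(parts) < 2 or line[0] == "#":
            continue
        if parts[0].lower() == "match":
            break
        out.setdefault(parts[0].lower(), parts[1])
    return out

def audit(smb_text, sshd_text):
    """Findings for the weak settings; absent keys fall back to the Samba/OpenSSH defaults."""
    g, c, f = parse_smb_global(smb_text), parse_sshd_global(sshd_text), []
    if not _yes(g.get("encrypt passwords", "yes")):
        f.append("smb: encrypt passwords = no, server accepts plaintext passwords")
    if g.get("security", "user").lower() != "ads":
        f.append("smb: security != ads, not an AD member so Kerberos is not used")
    if _yes(c.get("passwordauthentication", "yes")):
        f.append("sshd: PasswordAuthentication yes, online password guessing stays possible")
    if not _yes(c.get("gssapiauthentication", "no")):
        f.append("sshd: GSSAPIAuthentication no, Kerberos single sign-on is disabled")
    return f
```

Running audit(SAMPLE_SMB, SAMPLE_SSHD) yields all four findings; a member server with security = ads and an sshd with PasswordAuthentication no and GSSAPIAuthentication yes yields none.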