Samba with Active Directory: getting bigger?
Posted Feb 4, 2010 17:14 UTC (Thu) by drag (subscriber, #31333)
In reply to: Samba with Active Directory: getting bigger? by drag
Parent article: Samba with Active Directory: getting closer
Sorry. I pressed the wrong button. Here is my post again in a more readable form.
> Mandriva had a feature (in Corporate Desktop 4 I think) allowing KDE configuration deployment in LDAP, and this was supposed to be merged into KDE 4.4 (it's probably been deferred again), but currently none of the desktop configuration technologies have any support for remote policies.
Yeah they do.
Policykit is designed to allow policies to be distributed when it comes to system permissions: whether or not users are allowed to update or install software, mount drives, configure network, etc etc.
Then for the Gnome desktop you have Sabayon for building profiles (default apps, configurations, etc) and Pessulus for providing lock-down policies for the Gnome desktop. These all use Gconf, which by default uses the directory tree + XML method, but can be configured to use an LDAP backend.
I can show you how to use AD to deploy those things. It is certainly much easier than trying to do it with a pure OSS solution.
> However, what I am concerned about is that, while there has been no obstacle to doing this kind of thing for Unix-based deployments (LDAP+Kerberos),
Yes there is. There are huge obstacles to this, like I said in my previous post. It's very hard to do and very error prone and there are huge holes in functionality and management systems not even addressed. Almost nobody does it properly out of the box. Redhat comes closest and they have their Identity management packages and other related items, but that is currently mostly for people that need to migrate away from NIS for regulatory reasons. (and most of those people will just migrate from NIS to AD for obvious sanity reasons)
Mandriva MDS seems 'OK' also, but almost nobody uses Mandriva anymore.
There are dozens of configuration changes you have to make. OpenLDAP is a pain to work with, and nsswitch and other things can cause really huge headaches and even booting problems unless you configure them exactly right. PAM is regularly abused by people deploying LDAP and Kerberos and is used improperly. You still have to integrate PKI support and properly securing access to LDAP with TLS is a whole hell in itself.
Documentation is lacking. Distro integration is lacking. Administrative tools are lacking. What are you going to do when 'Human Resource' folks, who barely know the difference between a monitor and their computer, are going to have to make name badges and add users to your OpenLDAP system? Give them a bash script?
> suddenly people will look at doing it the MS way (which, again, they could have done before, without Samba4), locking Unix into requiring MS technologies, when Unix technologies could have been used from the start.
Well just so you know how things work in the real world... do you know the best way there is to deploy a directory system for Linux?
It's buy a Windows 2008 server and use Samba to integrate Linux into it. That's the most practical and cost effective solution right now for Linux people wanting to use it in the enterprise.
The basic fact here is that Active Directory DOES do it the 'Unix way' with Kerberos and LDAP (it's just that they did the embrace and extend, but their extensions are now well documented and support for them exists in MIT Kerberos and RFC docs). And AD is lightyears ahead of what is available from a pure OSS solution based on Linux _right_now_.
Sure you have support for the protocols and most useful software does have kerberos and ldap support, but having pieces of software and support for the protocols does not make it really that useful or cost effective to deploy. All this stuff existed for years in Linux and most of it mostly worked, but things are not really improving that well. Even going back 10 years ago with Windows 2000.. that is still a more viable directory solution for the majority of people than anything possible to do with pure OSS software.
And the major kicker here is that you _CANNOT_ escape from the fact that Windows support is going to be a requirement for 99.99% of everybody out there. There is just too much Windows-only software; too many people stuck on the Windows desktop and Microsoft Office. Even if 80-95% of the PCs in an organization are running Linux you're still going to need Windows integration support. You simply cannot escape it. You _CAN'T_. To simply say that "well it's possible to do Kerberos and LDAP in Linux" is completely ignoring the hard requirements for virtually everybody out there.
So Samba is going to get used one way or another. With Samba4 we have a real opportunity to make these things easy to deal with and allow a pure OSS/Linux based solution to seriously start displacing Windows server systems in many organizations.
In fact Samba4 is probably one of the most critical pieces of software being developed today.