Samba with Active Directory: getting bigger?
Posted Feb 5, 2010 15:40 UTC (Fri) by drag
In reply to: Samba with Active Directory: getting bigger?
Parent article: Samba with Active Directory: getting closer
Since it only considered GConf-based applications, and was started after
the projects (shipping KDE only) for which I had time to look at some of
these issues, I haven't investigated sabayon much, but documentation on
LDAP support in Sabayon is by no means easy to find. Old links no longer
work, and searches don't return any relevant results. Very little
documentation is shipped with the packages, and I see no obvious way to do
this in the sabayon admin GUI.
Yeah. You're right on both the GConf accounts. My bad. Sabayon is useful for
building GConf configurations. You still need some way to deliver them.
I knew that Likewise's commercial product supported using AD to integrate
Gnome support. I thought it used a gconf backend, but actually it just
turns out to be backed by the use of generated zip files to deliver
lease do (although, documentation should be sufficient, it has been for
me for OpenLDAP, Heimdal, nss_ldap, pam_ldap, samba, sudo etc. etc.).
Difficulty depends on many factors, for me it would probably take less time
on a pure OSS solution than trying to arrange a Windows server license from
the windows guys ...
Dude. Setting up a domain using Samba 4 involves a single command line
(after it has been installed). For
setting up an SBS requires even less effort than that. The basic
functionality for most of this stuff has been around for nearly 20 years.
It should be there by default.
And I know for a fact that setting up an Active Directory system, even with
licensing, will be dramatically cheaper than trying to train a bunch of
admins to create their own LDAP schema...
In the company I am at at present, HR sends a mail to the Windows admins,
who create accounts in AD. In non-AD environments I have made web
interfaces available, or (if samba is a requirement) made User Manager for
Yes _you_made_it_yourself_. Right. How much does your salary cost? How much
time did it take for you to set it up and get it working? How much training
did you have to do and how many times did it take for people running into
problems with your web interface before you got all the bugs worked out? In
terms of dollars try to guesstimate how much time and money was spent on
Yes it is very possible for people to use OSS solution to set up a Kerberos
and LDAP domain for a large business. It's going to take a lot of time and
it is going to be very expensive for them to do this.
And you STILL will need an Active Directory server for Windows support
Go and look at an average small or medium business (which is the VAST
majority of people. Large corps only employ a minority number of people
compared to small/medium enterprises) with 50-500 employees or so. People
that cannot afford a full time IT staff or anything of that nature. Their
IT person is probably on the level of "some guy that built his own
computer". They rely on external support and buying out of the box
can have the choice of hundreds of Microsoft certified folks that can come
in and bang out an AD solution for them in a matter of a couple
Now tell me how well an OSS solution is going to work out for them. (and
don't try to tell me that AD is overkill and they should not be using a
domain. Small/Medium business still need proper ways to manage resources
and security is still important. Also OSS is competing with an established
player here and not on equal ground.)
Too much focus is given on "We need an AD-compatible server", and too
little on "We need to ensure that we provide means of lowering the cost of
configuration, allow less costly implementation of controls", deferring
until the gaps are so obvious because a Samba4 deployment with Linux
desktops doesn't do what people had hoped.
Right. Active Directory includes the administrative tools as well as the
Windows RFC support and other things necessary to manipulate the Windows
registry and various scripts integrated into Windows by default to get
(very important things)
So yes the AD requires integration on the client side. This is true for
Linux. I hinted at this in my other posts by saying you need to have
distros with proper integration. I should have emphasized this point more.
The support for integration into a proper domain must be improved on the
distro-side. Even with Samba4 making it trivial to create a domain system
it still requires more client side configurations to make it work and that
should be trivial for end users to accomplish also. Unless that happens
then the whole thing is moot.
The other concern is that focusing on Samba4 may worsen the situation
where people rely on Windows-based technologies unnecessarily, such as many
cases I have seen where people struggle to set up CUPS to Samba to CUPS
printing, when CUPS to CUPS works with so little effort.
For XP, at least, IPP support sucks. (this hopefully improved with Vista
and Windows 7) So you will still need Samba printing support for Windows
clients for the most part. Especially seeing how many businesses try to
control costs by monitoring who uses what printer.
But you're right that in many cases if you're just using Linux/OS X clients
then going from CUPS to CUPS is much easier than going from CUPS to
Samba+CUPS. Unfortunately that does not eliminate the need for people to
configure Samba to work with a CUPS server for most people, unless they go
with a fully networked printer (which is likely running Samba anyways... ;)