Yeah. Find a corporate building and sift through the trash. You'll be able
to find a machine with 50x more resources that people regularly throw away.
If that is not appealing then just buy a SheevaPlug for less than 100 bucks
and get a 1GHz CPU and 512MB of RAM.
Active Directory itself has massive amounts of important functionality that make it a far superior solution than what Samba 3.x can offer, even for simple file server solutions. It makes spending a trivial amount of cash completely worthwhile.
I mean you can't really even find Windows 2003 or 2008 server floating around that is not using AD in some fashion, unless it was set up by a non-technical person. The advantages of having an integrated and easy to deploy system that you can hook many other services up to at a later date is just insurmountable. If you have a Windows admin and they are NOT using, at minimum, Small Business Server when deploying a bunch of Windows systems.. even for a simple file server.. then they have no business working as an admin.
Here is an easy example:
Care about Security?
Samba relies on NTLM for authentication.
NTLM v1 and v2 rely on MS-CHAP (v1 and v2) to do the network stuff. Which means that for network security you are depending on DES encrypted MD5 hashes; which we know is increasingly worthless when it comes to security.
And what is even worse is that unless you specifically specify things in the Samba config your server will accept plain text passwords. Which is something that even Microsoft Windows does not support anymore.
Even not considering that DES and MD5 stuff is weak, the actual MS-CHAP and NTLM protocols themselves have many known weaknesses and vulnerabilities. This is compared to Active Directory that uses Kerberos, which is a well known, very widely used, and very secure protocol. Why do you suppose people recommend not using PPTP, for example? Because the authentication stuff is weak and it is the same stuff that Samba 3.x depends entirely on.
So if I was an IT network security guru type person and I held network security as the highest requirement then there would be no way I could allow any Samba server to exist on my network, nor could I allow any Linux desktop to exist in a Windows environment.
Despite the fact that people here will (quite correctly) scoff at the poor quality of Windows host-based security.. Microsoft's AD network security far surpasses anything that is _reasonable_ to deploy using Linux systems. Sure, if you have highly knowledgeable Linux folks working in a professional environment they can deploy a very secure network setup with available tools, but I don't see how anybody can reasonably do it for Linux desktops for any sort of small or medium enterprise.
After putting weeks of effort into figuring out how to use OpenSSL and use TLS with OpenLDAP and Kerberosv4 on Debian and actually using that sort of domain at home for months and running into issues and bugs and other such things.. I could not be depended on to successfully run a KRB/LDAP-based domain using Linux and OSS tools. Even with a full month of effort the best I could do would be to get it to work well... I still would not be comfortable with it without having to have a third party come in and audit my setup. Meanwhile an A+ network cert with barely enough knowledge to pop a CDROM into a PC can deploy a SBS setup with far superior results in less than a day of effort.
An experienced Windows admin can then come in and lock down things quite a bit by a few group policies. Eliminating old vulnerabilities kept around due to requirements for backwards compatibility. Things associated with password caching and all that. Be able to use modern and secure protocols like IPSEC to do tunneling and get all sorts of nice integration with Single Sign On and with a bunch of Web services, Email, Groupware, and even a very large amount of open source software. Eliminating a whole host of security issues associated with having to send passwords over HTTP or IMAP or SMNP and all that.
If you want a simple example of how AD features can improve the security of running Linux look no further than OpenSSH.
No more having to have shared keys. No more 3DES encrypted files that will give unfettered access to all your servers.
Servers and Clients have to have proper credentials. Pretty much complete and total elimination of any sort of possibility for a Man-in-the-middle attack. No having to guess that server you just logged into for the first time is the right one (How many times have you written down your server's ssh fingerprints so you can compare them with what shows up the first time you log into it?). Unless the server you are ssh'ing into has proper Kerberos credentials then they cannot even pretend that they accept your user's credentials.
You can disable password support altogether and eliminate the ability for people to try to brute force your OpenSSH servers fishing for weak passwords.
When Samba4 AD stuff reaches prime-time and IF distros pick it up and run with it then it should make it massively easier to do all sorts of things that would not only make deploying Linux systems and Linux-based services cheaper, but also massively more secure.
Think about all the effort of having to setup MIT Kerberos + OpenSSL + OpenLDAP + GSSAPI + whatever on an Ubuntu system and having to go through large amounts of tedious and error prone configurations versus being able to walk down to a store and spend 150 dollars on a NAS device with Samba AD integration in it. It would do to the server market what the netbook did to the laptop market and if distros do a good job of integrating Samba4 features then it can make deploying Linux desktops in a small or medium business very close to being trivial.
It should be as easy as an admin logging in locally to an Ubuntu or Fedora machine and choosing 'join domain' during installation, providing an admin domain password, and then *poof* you're done. Users are automatically able to use the machine, the machine automatically is able to use any services on the network in SSO fashion. DNS names are automatically setup and configured correctly. Make it easy to lock down the desktop.. deny access to flash drives if you want or not. All sorts of stuff that right now is very tedious to do.
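The server side of the OpenSSH setup described in the comment above (Kerberos tickets accepted, password logins refused) can be checked mechanically. This is an added example, not part of the original comment: it assumes stock OpenSSH `sshd_config` keyword names and built-in defaults, audits global settings only, and runs on constructed sample configs.

```python
# Added example: sample configs below are constructed, not from the page.
# sshd uses the FIRST value it reads for a keyword; keywords are case-insensitive.
DEFAULTS = {  # OpenSSH built-in values when a keyword is absent
    "gssapiauthentication": "no",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated spelling of the same setting
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Return the global value sshd would apply for each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break  # Match blocks are conditional and are not audited here
        key = ALIASES.get(key, key)
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen[key] = parts[1].strip('"').lower()
    return {**DEFAULTS, **seen}

def audit(config_text):
    """List the ways this config falls short of Kerberos-only logins."""
    s = effective_settings(config_text)
    findings = []
    if s["gssapiauthentication"] != "yes":
        findings.append("GSSAPIAuthentication off: Kerberos tickets are not accepted")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication on: password guessing is still possible")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication on: PAM can still prompt for a password")
    return findings

# The later "no" is ignored because the first value wins.
HALF_DONE = """# constructed sample
passwordauthentication yes
PasswordAuthentication no
GSSAPIAuthentication yes
"""
KERBEROS_ONLY = """# constructed sample
GSSAPIAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("HALF_DONE", HALF_DONE), ("KERBEROS_ONLY", KERBEROS_ONLY)):
        print(name, audit(text) or "no password-based logins left")
```

Setting only `PasswordAuthentication no` is not enough on a PAM-enabled server, which is why the keyboard-interactive setting is audited as well.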
Copyright © 2017, Eklektix, Inc.