[quote] Anyhow, I'm finally in a position where I can make decisions, and I've always wondered how feasible Samba would be as a domain controller in a real-world environment. We have about 500 users and 300 computers. What advantages would it offer over Windows Server 2008's Active Directory? (Free being the primary example.) [/quote]
I've not tried anything heavy duty with Samba recently; the last time was in college with somebody else doing most of the work and bringing me in to figure out why things weren't working right. That was before a lot of the newer enhancements were made and before MS released some stuff to help the Samba folks out. The few people I know who are actively trying to do this still cannot take full advantage of group policies, group policy client-side extensions, or the native Windows management tool packages to manage their machines and networks. I was trying to help somebody set up WSUS recently and after about 6 hours of fighting finally figured out he wasn't running Windows domain controllers and his "Active Directory" was really Samba systems looking like NT 4 domain controllers (don't know what version he was using); he was trying to do things free but was really having a tough time managing his 18-site Windows network, while the rest of us at the conference were comparing notes about scripts and figuring out the best way to map printers to our legacy COBOL apps.
Items I would consider critical to make sure that I could do would be:

- Group Policies, Group Policy Preferences: you can really manage your desktops.
- Along the same lines as group policies, make sure you can deploy security settings for your desktops, including logging preferences, file system lockdown settings, and overriding users & groups.
- Starting with Windows 2003 native, nested groups for both security & distribution were supported, which really made a lot of membership options easier; your domain controllers have to return the membership results right to utilities such as ifmember.exe and to any applicable VBS scripts or DirectorySearcher routines.
- See if Samba functioning as a domain controller supports AD-integrated application partitions; depending on what network applications you want to deploy, some require this (and thus you need to make sure you can easily extend your AD schema and replication patterns).
- Active Directory does have the concepts of PDC and BDCs, but DCs are usually peers; the last time I was working on a Samba system it was looking like an NT4 PDC and BDC model, which caused some issues. That was however 5 years ago, so hopefully this has changed.
- One problem I'm having is that I am trying to have my Mac desktops, and some older computers I'm trying to run Linux on, log into my AD. I require encryption to certain servers, and different servers have different policies, which I use GPOs for and push out to Windows desktops. Even though I can authenticate to AD and log in, I am having trouble accessing resources on these servers. An example is the server which serves the accounting department and their apps: it is set to require a particular key (it's not all that complex either, just a shared secret word). I apply that through a GPO under Computer Configuration, so even if an accounting user logs in somewhere else, they can't access that server since the computer they are at doesn't have the key applied to it. This is VERY seamless in AD; just make sure the computer's group and OU membership is right and the policies do the rest. Even though my Linux boxes, when I join them, are in these OUs, the policies don't apply (or if they do, they use features Samba does not support).
- With AD you can push out software installation policies, printer drivers, etc.
- I'm a one-man show. I depend on these settings and would feel completely lost without them.
- I would HOPE that no matter what "directory"-based system you use (and I'm assuming that Samba would just provide this) you could store extra attributes for your users other than username and password. I don't have quite the network size you do, but I keep phone numbers, locations, manager information, etc. I use this in a number of applications as a central data source. One place, less error. I have certain rights to maintain user information delegated to my HR people, our store managers have rights to reset passwords only for people in their store, etc. All of these are attributes within AD which the desktop tools that come on every desktop support (our store managers have to take out their cheat sheet, but they can drop to a command line, net user JoeSmith newPassword /domain for their staff, but they can't do another store or corporate). Again, I depend on AD's configurability and would hope Samba can do the same. Something to also consider with the number of machines you have is migration of your machines and users; I wouldn't want to manually have to set everybody back up.
If/WHEN you migrate over, hopefully you can bring your Samba "DC" up as an AD peer and wait for replication for it to get everything it needs. Probably my biggest factor, personally, to consider would be whether you get 100% fully integrated group policies to your desktops, servers, etc. I'm not a fan of the cost of MS licensing, and maybe there are a lot of good desktop management tools out there, but the ones I've researched don't appear to be free, whereas you get all the native Windows stuff with your servers and their desktop management packs. Just my opinion; realize that I tinker with Linux and am starting to deploy it some but am hitting a lot of roadblocks (it does not pass the control characters for our barcode scanners to our terminal servers properly for our system to recognize them), I don't have the single sign-on advantage so far, and I can't just right-click on my computer and say "ok, copy these desktop icons out to everybody wherever they log in with these settings to launch this remote TS app this way". I'm a Windows creature running a Windows environment and just play in the Linux world more than anything.

ML
Mark A. Lappin, CCNA, MCSE:Security | Lee Michaels Fine Jewelry
Director of Information Technology
11314 Cloverland Ave | Baton Rouge, LA 70809
Ph: 225.291.9094 ext 245 | Fax: 225-291-5778 | Mobile: 225-362-2770
www.lmfj.com
_______________________________________________
General mailing list
General@brlug.net
http://mail.brlug.net/mailman/listinfo/general_brlug.net
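The checklist in the reply above (functional level for nested groups, application partitions, transitive membership results, GPO availability) can be run against any DC being evaluated, Windows or Samba, from a domain-joined Windows host. This is an added example and not code from the thread; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, and `JoeSmith` is a placeholder account name, not a real user.

```powershell
# Added evaluation script, not from the mailing-list post. Assumes the
# ActiveDirectory and GroupPolicy RSAT modules on a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SampleUser = 'JoeSmith'   # constructed placeholder; replace with a real account

# 1. Functional levels: nested security/distribution groups need Windows 2003
#    native or later, as the post notes. A Samba DC reports these too.
$domain = Get-ADDomain
$forest = Get-ADForest
"Domain mode    : $($domain.DomainMode)"
"Forest mode    : $($forest.ForestMode)"

# 2. Application partitions: some directory-integrated apps require them.
"App partitions : $($forest.ApplicationPartitions -join ', ')"

# 3. Nested membership: compare direct group membership with the transitive
#    set the DC returns for the LDAP_MATCHING_RULE_IN_CHAIN filter
#    (OID 1.2.840.113556.1.4.1941). Tools like ifmember.exe rely on the DC
#    resolving this chain correctly.
$user   = Get-ADUser -Identity $SampleUser
$direct = Get-ADPrincipalGroupMembership -Identity $user |
          Select-Object -ExpandProperty Name
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
          Select-Object -ExpandProperty Name
"Direct groups  : $($direct.Count)"
"Nested groups  : $($nested.Count)"
$nested | Where-Object { $_ -notin $direct } |
    ForEach-Object { "  inherited via nesting: $_" }

# 4. Group Policy: confirm the DC actually serves GPOs at all.
$gpos = Get-GPO -All
"GPOs found     : $($gpos.Count)"
$gpos | Select-Object DisplayName, GpoStatus | Format-Table -AutoSize
```

If step 3 returns no groups beyond the direct ones for an account that is known to be nested, the DC is not resolving transitive membership and ifmember.exe-style checks (and any ACL that relies on nested groups) will silently fail.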