Re: [Samba] samba 4 for new authentication domain?

2010-05-01 Thread Andrew Bartlett
On Mon, 2010-04-26 at 21:59 -0700, Kevin Keane wrote:
> Exactly WHY do you need AD instead of NT domains? Without
> understanding that, I don't think your question can be answered. In
> some cases, you can use a stand-alone Kerberos and/or LDAP server. Or
> conversely, some application you use may require a Microsoft AD
> server, sometimes even a specific version.
> 
> Basically, your tradeoff is between cost and risk. Windows 2008 R2 is
> all but guaranteed to work no matter what AD issue you throw at it,
> but it can get expensive, especially if you have many users.
> 
> On the other hand, Samba is free, but Samba 4 is pretty unproven at
> this point.

I would strongly contradict your assertion that Samba4 is unproven.
Could you please try Samba4 before you comment on it with such
authority?

We are still at the alpha stage, but given the very real production use
I've personally assisted administrators with, I can attest that it does
really work.  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] samba 4 for new authentication domain?

2010-05-01 Thread Andrew Bartlett
On Tue, 2010-04-27 at 00:18 -0400, Morty wrote:
> The various pages about samba 4 warn about rough edges, upgrade, file
> services, and print services.  I have some domains that have never had
> a Windows domain that now need Windows AD authentication.  I don't
> need file services and print services, and upgrade is not a problem.
> Is samba 4 ready for this use case, or should we still go with
> Microsoft's AD?

Samba4 is ready to be used by Administrators who are willing to help
with any rough edges they encounter.  There will be some, but the vast
majority of those who try out Samba4 are actually surprised by how
overstated our warnings were for their actual use case.  Even file
services work well - and are a critical part of group policy and roaming
profiles. 

Have a look at the videos we have recently produced.  We are very much
working on Samba4, but it is also very much working for our users.

http://wiki.samba.org/index.php/Samba4/videos

Give it a try - particularly if you can put your traditional file-server
and printer roles on a Samba3 member server.  You will quickly find out
what works for you, and what does not. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.




Re: [Samba] samba 4 for new authentication domain?

2010-04-27 Thread Morty
On Tue, Apr 27, 2010 at 01:27:35AM -0700, Kevin Keane wrote:

> You can usually find out simply by reading the documentation on how
> to set up authentication. Just as David said, almost all of them
> would use LDAP. The only exception is anything that supports
> Single-Sign-On via Internet Exploder. In that case, it's probably
> Kerberos.

I'm reading the docs for one of the major apps, and unfortunately, it
doesn't say.  Although regardless, I wouldn't want to be pigeonholed.
We could be required to install something new at any time.  I'd prefer
to be maximally AD-compatible.

> You won't find true drop-in replacements anywhere.

Sounds like AD is the most AD-compatible package.  :(

- Morty


Re: [Samba] samba 4 for new authentication domain?

2010-04-27 Thread Andreas Moroder

> What I found works exceedingly well (although not flawlessly) is a Windows AD 
> Domain Controller, and then Samba servers for file and print sharing.


Hello Kevin,

but what if you already have >1000 users in a samba domain. Is there a 
way to migrate them to a MS AD without losing the uidNumber, Samba SID 
and such things? We don't like the idea of setting up new users and groups for 
every directory we have on our samba servers.


Bye
Andreas



Re: [Samba] samba 4 for new authentication domain?

2010-04-27 Thread Kevin Keane
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of Morty
> Sent: Tuesday, April 27, 2010 1:08 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] samba 4 for new authentication domain?
> 
> On Tue, Apr 27, 2010 at 07:36:39PM +1200, David Harrison wrote:
> 
> > You should clarify what mechanisms those web apps use for
> authentication.
> 
> I don't know.  :)  The apps are black-box COTS apps which "use AD" for
> authentication.

You can usually find out simply by reading the documentation on how to set up 
authentication. Just as David said, almost all of them would use LDAP. The only 
exception is anything that supports Single-Sign-On via Internet Exploder. In 
that case, it's probably Kerberos.

> I didn't pick them, and don't have much insight into
> them.  More apps might come later, so even if I can research and
> answer this question based on the current profiles, requirements might
> change.  What I want to do is spec hardware and any necessary software
> to support authentication for the apps.  I'd prefer to use free/open
> source software if it will work as a drop-in replacement for AD.

You won't find true drop-in replacements anywhere. Even Samba 3 isn't a drop-in 
replacement for file sharing or NT domains; certain things won't work. For 
instance, some accounting packages (Quickbooks or Peachtree) also require a 
database component on the server.

I'm sure there will be similar issues with Samba 4 vs. Active Directory.

> > Generally most web apps use LDAP/NTLM for authentication and LDAP for
> > pulling user information.
> > These two things you can achieve more reliably using Samba3 with an
> LDAP
> > backend compared to Samba 4 (at this stage).
> 
> I've played with samba3+openldap+kerberos+bind9 as a replacement for
> AD before.  It was extremely complex to setup and maintain, so I don't
> want to do that in production.

Agreed. Basically, that simplicity (and the tools to do it) is what you buy 
with the $$$ from Microsoft. Or with the $$$ to a RedHat consultant to make it 
all work for you.

> samba4 seemed like it would be
> simpler and more compatible with AD.  Ah, well.  :(

What I found works exceedingly well (although not flawlessly) is a Windows AD 
Domain Controller, and then Samba servers for file and print sharing.



Re: [Samba] samba 4 for new authentication domain?

2010-04-27 Thread Morty
On Tue, Apr 27, 2010 at 07:36:39PM +1200, David Harrison wrote:

> You should clarify what mechanisms those web apps use for authentication.

I don't know.  :)  The apps are black-box COTS apps which "use AD" for
authentication.  I didn't pick them, and don't have much insight into
them.  More apps might come later, so even if I can research and
answer this question based on the current profiles, requirements might
change.  What I want to do is spec hardware and any necessary software
to support authentication for the apps.  I'd prefer to use free/open
source software if it will work as a drop-in replacement for AD.

> Generally most web apps use LDAP/NTLM for authentication and LDAP for
> pulling user information.
> These two things you can achieve more reliably using Samba3 with an LDAP
> backend compared to Samba 4 (at this stage).

I've played with samba3+openldap+kerberos+bind9 as a replacement for
AD before.  It was extremely complex to setup and maintain, so I don't
want to do that in production.  samba4 seemed like it would be
simpler and more compatible with AD.  Ah, well.  :(

It's a shame that samba4 is waiting on file+print services to ship.
samba3 is already a fine file+print services server.  It might be
better to just ship samba4 as AD-style authentication-only for now,
and people who need AD-style auth, file, and print can run separate
instances of samba4 and samba3 on separate VMs or separate physical
servers.  It wouldn't be as ideal as having a single combined server
that could run everything, but at least all functionality would be
shipped, and y'all would still have a roadmap towards an integrated
product.

- Morty


Re: [Samba] samba 4 for new authentication domain?

2010-04-27 Thread David Harrison
On Tue, Apr 27, 2010 at 6:30 PM, Morty wrote:

> On Mon, Apr 26, 2010 at 09:59:02PM -0700, Kevin Keane wrote:
>
> > Exactly WHY do you need AD instead of NT domains? Without
> > understanding that, I don't think your question can be answered.
>
> I have some COTS Windows web apps that want to authenticate either
> using local accounts or against AD.
>

You should clarify what mechanisms those web apps use for authentication.
Generally most web apps use LDAP/NTLM for authentication and LDAP for
pulling user information.
These two things you can achieve more reliably using Samba3 with an LDAP
backend compared to Samba 4 (at this stage).

Another pathway you should investigate is whether a single sign-on (SSO)
system is applicable/appropriate.
There are plenty of choices out there, but it does depend on what your COTS
applications are.
The benefit of SSO is that it abstracts web application authentication from
your underlying authentication service.
It is a bit more work, and not all web applications work with it, but once
in place the results are very good.


David


Re: [Samba] samba 4 for new authentication domain?

2010-04-26 Thread Morty
On Mon, Apr 26, 2010 at 09:59:02PM -0700, Kevin Keane wrote:

> Exactly WHY do you need AD instead of NT domains? Without
> understanding that, I don't think your question can be answered. In
> some cases, you can use a stand-alone Kerberos and/or LDAP
> server. Or conversely, some application you use may require a
> Microsoft AD server, sometimes even a specific version.

I have some COTS Windows web apps that want to authenticate either
using local accounts or against AD.  They've been doing local
accounts, but account and password management is increasingly
problematic, so it would really help to have central password
management.  The apps don't support NT domain auth.  It might be
possible to do this with OpenLDAP+kerberos, but that sounds like a
whole lot of manual work, so I'd rather get something more integrated
(AD or samba4).  I like *nix servers better than Windows, so I'd
rather do samba4, but don't have a good feel for samba4's stability as
an authentication server.  Hence the earlier question.

> Basically, your tradeoff is between cost and risk. Windows 2008 R2
> is all but guaranteed to work no matter what AD issue you throw at
> it, but it can get expensive, especially if you have many users.

> On the other hand, Samba is free, but Samba 4 is pretty unproven at
> this point.

Software cost will probably not be a factor.  Functionality is.
Sounds like I/we need AD.  :(

- Morty


Re: [Samba] samba 4 for new authentication domain?

2010-04-26 Thread Kevin Keane
Exactly WHY do you need AD instead of NT domains? Without understanding that, I 
don't think your question can be answered. In some cases, you can use a 
stand-alone Kerberos and/or LDAP server. Or conversely, some application you 
use may require a Microsoft AD server, sometimes even a specific version.

Basically, your tradeoff is between cost and risk. Windows 2008 R2 is all but 
guaranteed to work no matter what AD issue you throw at it, but it can get 
expensive, especially if you have many users.

On the other hand, Samba is free, but Samba 4 is pretty unproven at this point.

> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of Morty
> Sent: Monday, April 26, 2010 9:19 PM
> To: samba@lists.samba.org
> Subject: [Samba] samba 4 for new authentication domain?
> 
> The various pages about samba 4 warn about rough edges, upgrade, file
> services, and print services.  I have some domains that have never had
> a Windows domain that now need Windows AD authentication.  I don't
> need file services and print services, and upgrade is not a problem.
> Is samba 4 ready for this use case, or should we still go with
> Microsoft's AD?
> 
> Thanks!
> 
> - Morty


[Samba] samba 4 for new authentication domain?

2010-04-26 Thread Morty
The various pages about samba 4 warn about rough edges, upgrade, file
services, and print services.  I have some domains that have never had
a Windows domain that now need Windows AD authentication.  I don't
need file services and print services, and upgrade is not a problem.
Is samba 4 ready for this use case, or should we still go with
Microsoft's AD?

Thanks!

- Morty