Alternatives for Microsoft server products: Active Directory & Domain Controller

coliver

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

Using Microsofts RSAT tools or something like that?

Well, let's assume we want a full featured domain with two sites connected via VPN with like 100 windows clients. We need things like machine accounts, managed service accounts and so on.

Yes, you can manage a Samba4 domain with RSAT tools. It will also work across a VPN. Not sure about service accounts but those would also probably work.

thwr

@coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

Using Microsofts RSAT tools or something like that?

Well, let's assume we want a full featured domain with two sites connected via VPN with like 100 windows clients. We need things like machine accounts, managed service accounts and so on.

Yes, you can manage a Samba4 domain with RSAT tools. It will also work across a VPN. Not sure about service accounts but those would also probably work.

Will setup a test VM tomorrow Thank you

travisdh1

SAMBA is currently limited to 2008R2 level functionality. So if you've already made the move to 2012, I don't know that SAMBA will work very well.

I have it running as the only AD/LDAP service on the network, so it's not an issue.

brianlittlejohn

If you just have linux clients, FreeIPA works well.

scottalanmiller

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

Samba is quite capable of running AD, but what about management options or multi-site environments?
What is the issue with management (the Windows tools should work with it) and what happens with multi-site?

scottalanmiller

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

Using Microsofts RSAT tools or something like that?

Yes, that's how it is expected to be managed because no one would run Samba as an AD unless you had Windows somewhere, right? So if you do, you have RSAT. So the RSAT make the most sense. If you lack RSAT, you don't need Samba.

tonyshowoff

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@tonyshowoff Microsoft is quite powerful in client management, something I'm missing in the *NIX world. Puppet or Ansible for example could be a starting point, but not a replacement as far as I can tell.

Edit: Sorry, mixed Samba and OpenLDAP. Fixed that in my initial post.

Definitely lacking in client side, though you can use LDAP with KDE's login system if you have X running on boot. That's pretty close, though your GPOs are often meaningless. I always used to hold out hope for ReactOS, it was promising, but the project is too mismanaged and team unmotivated. I've always wanted an NT-POSIX kernel, but I'm afraid maybe that train has sailed.

ReactOS is definitely interesting, I'm following it for years. But it seems to like the HURD kernel somehow

Unlike HURD, ReactOS is actually contributing something and has, primarily back into Wine and other projects, but something. HURD is basically the ghost of Stallman's dream which he now lives vicariously through Torvalds by taking credit for his work. I've said it before, and I'll say it again, if it truly is GNU/Linux, then it's also Zend/WordPress, Borland/YourCPrograms, NodeJS/MangoLassi, etc. Give me a break.

thwr

@scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

Samba is quite capable of running AD, but what about management options or multi-site environments?

What is the issue with management (the Windows tools should work with it) and what happens with multi-site?

Sorry, didn't see your question because of the formatting. FTFY.

Like I said, the whole topic is just about discussing valid alternatives for the typical SMB / EDU environment. I was aware that Samba 4 got full DC capabilities, at least when it comes to authentication. I did not know about its GPO support and other things like replication between "DC"s or the possibility to use Microsoft's RSAT tools for management.

@coliver (and you) mentioned one can use RSAT for management. That's good and would mean that the Samba4-team is trying hard to get to a high level of compatibility. How to say... looks like a perfect replacement for a real DC.

Back to your question, multi-site (and/or subdomain) is a quite important feature in case you got a branch office, for example.

thwr

@scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

Using Microsofts RSAT tools or something like that?

Yes, that's how it is expected to be managed because no one would run Samba as an AD unless you had Windows somewhere, right? So if you do, you have RSAT. So the RSAT make the most sense. If you lack RSAT, you don't need Samba.

Sure, just asked because I wanted to know if you can use RSAT or if you have to use some Samba-made tools. Using RSAT is perfectly fine.

thwr

@tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@tonyshowoff Microsoft is quite powerful in client management, something I'm missing in the *NIX world. Puppet or Ansible for example could be a starting point, but not a replacement as far as I can tell.

Edit: Sorry, mixed Samba and OpenLDAP. Fixed that in my initial post.

Definitely lacking in client side, though you can use LDAP with KDE's login system if you have X running on boot. That's pretty close, though your GPOs are often meaningless. I always used to hold out hope for ReactOS, it was promising, but the project is too mismanaged and team unmotivated. I've always wanted an NT-POSIX kernel, but I'm afraid maybe that train has sailed.

ReactOS is definitely interesting, I'm following it for years. But it seems to like the HURD kernel somehow

Unlike HURD, ReactOS is actually contributing something and has, primarily back into Wine and other projects, but something. HURD is basically the ghost of Stallman's dream which he now lives vicariously through Torvalds by taking credit for his work. I've said it before, and I'll say it again, if it truly is GNU/Linux, then it's also Zend/WordPress, Borland/YourCPrograms, NodeJS/MangoLassi, etc. Give me a break.

That was more or less a joke or an anecdote. But you are right, we have yet to see something from HURD. ReactOS is something to take serious, their problem is just the small contributor/dev base. But building a system which is binary compatible to Windows and even looking like that is just an awesome job.

scottalanmiller

GPOs are handled completely through SMB shares, not Active Directory itself. So Linux has handled GPOs since the beginning. It was only the AD functionality that had to come recently. Even in the Windows 2000 you could use Linux for the GPO handling.

tonyshowoff

@scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

GPOs are handled completely through SMB shares, not Active Directory itself. So Linux has handled GPOs since the beginning. It was only the AD functionality that had to come recently. Even in the Windows 2000 you could use Linux for the GPO handling.

I don't deny that, to clarify, I was referring to GPOs not being served by Linux, but rather the other way around, Linux obeying them, or even knowing what they are, e.g. the GPO to hide cmd from the start menu won't hide the xterm icon. That seems obvious, I'm just saying it'd be great to have that sort of full coverage, perhaps at least a fork of KDE or something which implemented this.

coliver

@tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

GPOs are handled completely through SMB shares, not Active Directory itself. So Linux has handled GPOs since the beginning. It was only the AD functionality that had to come recently. Even in the Windows 2000 you could use Linux for the GPO handling.

I don't deny that, to clarify, I was referring to GPOs not being served by Linux, but rather the other way around, Linux obeying them, or even knowing what they are, e.g. the GPO to hide cmd from the start menu won't hide the xterm icon.

Is that expected? I think I missed part of the conversation.

tonyshowoff

@coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

GPOs are handled completely through SMB shares, not Active Directory itself. So Linux has handled GPOs since the beginning. It was only the AD functionality that had to come recently. Even in the Windows 2000 you could use Linux for the GPO handling.

I don't deny that, to clarify, I was referring to GPOs not being served by Linux, but rather the other way around, Linux obeying them, or even knowing what they are, e.g. the GPO to hide cmd from the start menu won't hide the xterm icon.

Is that expected? I think I missed part of the conversation.

Not exactly, but I thought maybe it was unclear since SAM responded about serving GPO which perhaps what I wrote earlier may seem like I was suggesting there was no GPO capabilities anywhere. I had edited my post to reflect this too.

Dashrender

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

Samba is quite capable of running AD, but what about management options or multi-site environments?

What is the issue with management (the Windows tools should work with it) and what happens with multi-site?

Sorry, didn't see your question because of the formatting. FTFY.

Like I said, the whole topic is just about discussing valid alternatives for the typical SMB / EDU environment. I was aware that Samba 4 got full DC capabilities, at least when it comes to authentication. I did not know about its GPO support and other things like replication between "DC"s or the possibility to use Microsoft's RSAT tools for management.

@coliver (and you) mentioned one can use RSAT for management. That's good and would mean that the Samba4-team is trying hard to get to a high level of compatibility. How to say... looks like a perfect replacement for a real DC.

Back to your question, multi-site (and/or subdomain) is a quite important feature in case you got a branch office, for example.

I've run many branch offices with no local DC. AD authentication is extremely light traffic wise. installing software via GPO could give you problems, or needing a local server for file access might be needed, but and AD in most branch offices isn't. Unless your branch is like 100+ people.

scottalanmiller

@Dashrender said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

Samba is quite capable of running AD, but what about management options or multi-site environments?

What is the issue with management (the Windows tools should work with it) and what happens with multi-site?

Sorry, didn't see your question because of the formatting. FTFY.

Like I said, the whole topic is just about discussing valid alternatives for the typical SMB / EDU environment. I was aware that Samba 4 got full DC capabilities, at least when it comes to authentication. I did not know about its GPO support and other things like replication between "DC"s or the possibility to use Microsoft's RSAT tools for management.

@coliver (and you) mentioned one can use RSAT for management. That's good and would mean that the Samba4-team is trying hard to get to a high level of compatibility. How to say... looks like a perfect replacement for a real DC.

Back to your question, multi-site (and/or subdomain) is a quite important feature in case you got a branch office, for example.

I've run many branch offices with no local DC. AD authentication is extremely light traffic wise. installing software via GPO could give you problems, or needing a local server for file access might be needed, but and AD in most branch offices isn't. Unless your branch is like 100+ people.

you can put Linux fileservers in branch offices to handle the load locally.