[Samba] Open Source W2k Policy Implementation (was Re: Windows2000 policies in a Samba PDC)

John H Terpstra jht at samba.org
Mon Dec 29 18:26:30 GMT 2003


Clint,

Thanks for responding. As I think through the issues and consider what is
safe to document it is important that I do not overlook material that
ought to be documented. On the other hand, experience has taught me that
anything that goes into print becomes law. For that reason I am reluctant
to point readers at marginal, speculative, or shifting-sand technologies
and methods.

Great intentions are seldom met. Despite my objectives, I have included
more marginal material than I should, but it is hard to draw the line in a
safe place. :)

I am aware of LAM and am documenting it in the Appendix. I have also been
in touch with the author (nice guy) and am confident that there will be a
few refinements in the near term that will benefit users of LAM.

In many areas Open Source software has a technology edge, but what it
offers in technology edge it more than loses through lack of integration.
Microsoft have an undeniable edge in terms of the total solution they
deliver. It is therefore not surprising that we always seem to be playing
catch-up.

I, too, am earnestly seeking input from people who have developed smart
ways to implement open source solutions. The best I can contribute is
through documentation. I do not aim to compete with Microsoft, rather to
help Open Source oriented users to get the best mileage they can get. I
also have to be brutally honest and point out where the strong points are
on both sides of the debate.

Samba is great technology for integrating UNIX and Windows networks. Its
file and print services are legendary. Samba can replace MS Windows
solutions. OpenLDAP can provide a great directory for use by Samba. But
these solutions are simply not "the same" as ADS and Win2Kx.

My simple goal in writing the "Samba-3 by Example" book was to document
HOW example network problems could be solved using Samba-3. I thought it
would be easy to do in under 200 pages. So far I am 70% done, and have
already written 280 pages. There is so much more material that I could
cover that it scares me.

Cheers,
John T.


On Mon, 29 Dec 2003, Sharp, Clint wrote:

> John,
>
> What I've done so far is mostly a hack.  I've implemented some custom
> VBS scripts at login to install software (that only works part of the
> time because my method for granting the users admin privileges is a UI
> based VBS hack which types the password in for them from an encrypted
> VBS script) and I've yet to implement any Windows policies as I've not
> been motivated enough to dig up poledit.exe or figure out how to
> implement them with Samba (although admittedly I'm sure your book would
> go great strides to helping me with that).  Right now we're implementing
> policies the old fashioned way, "Screw up the computer you're fired." :)
>
> For the same reason LDAP and its associated open source management
> tools (I'm a big fan of LAM which is in beta now at
> http://sf.net/project/lam) are great for allowing us to get away from
> NT4 based management tools, I've become increasingly aware there's no
> way to implement NT4 based policies w/o having to have NT based
> management tools (of which I'm not sure Microsoft's license allows one
> to use them w/o NT4 installed).  I've begun thinking an expandable
> architecture based on an open-source NT service installed on the clients
> could help us solve many of the problems we're still relying on NT tools
> for.  This could possibly even allow us to implement new ideas since we
> would have a privileged executable running on the workstations.
>
> However, I'm merely thinking at this point, and I don't want to
> re-invent the wheel either (well, anyone but Microsoft's wheel, as their
> tools are becoming dated and may not be supported in future Windows
> desktop releases).  If someone has a way to solve the problems I've
> listed below in an easily manageable way w/o using Microsoft tools, I'd
> be glad to help them as I've said previously.
>
> So in summary, I'm interested if someone has started work like this, and
> in response to your last post, I don't have anything worth putting in
> your book at this point, I'm merely looking for other people who might
> have started work on something like this.
>
> Clint
>
>
>
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht at samba.org]
> > Sent: Monday, December 29, 2003 11:11 AM
> > To: Sharp, Clint
> > Cc: samba
> > Subject: Re: [Samba] Open Source W2k Policy Implementation
> > (was Re: Windows2000 policies in a Samba PDC)
> >
> >
> > Clint,
> >
> > In my new book "Samba-3 by Example", which will be released
> > to open source when the book is in print, I have given
> > step-by-step prescriptive guidance on how to implement total
> > control over client Windows workstations. I have restricted
> > coverage to NT4 style profiles, even though I am fully aware
> > that SYSVOL type Win2kx profiles do partly work.
> >
> > That book will be available in April, and will be part of the
> > samba-docs project (that is where the Samba-HOWTO-Collection
> > also has its home).
> >
> > The reasons for which I have not provided guidance specific
> > to Win2K GPO implementation are:
> >
> > 	1. Part of the protocol is dependent on Active Directory queries
> > 		that Samba-3 can not support.
> > 	2. NT4 Policies allow almost everything that must be achieved
> > 		without a whole lot more complicated steps that are
> > 		very easy to get wrong.
> >
> > But if you wish to help document what you have done I am most
> > willing to put it in the appendix and to point readers at it
> > from appropriate locations in the text.
> >
> > Cheers,
> > John T.
> >
> > On Mon, 29 Dec 2003, Sharp, Clint wrote:
> >
> > >
> > > Sorry for badly hacking up your reply since most of this could be
> > > taken out of context w/o his message, but I wanted to leave a couple
> > > of the lines in there.
> > >
> > > The reason I joined the list was to ask this question.  I'm aware of
> > > the current situation with W2k policies, and I was wondering if anyone
> > > has undertaken work to implement all or part of the W2k GPO outside of
> > > Active Directory.  Since essentially GPOs are simply an ACL which
> > > implements registry changes dependent on the policy defined in the
> > > GPO, I would think this is definitely possible.  Maybe I'm over
> > > simplifying what GPOs do or possibly I only used GPO features which
> > > were NT4 compatible (which would mean that I could get by with .POL
> > > files).
> > >
> > > I'm currently trying to solve three problems in my Samba
> > > implementation. Two of these are irrelevant to this discussion, but I
> > > want to include them as I'm considering solving them with the same
> > > software:
> > >
> > > * Microsoft implemented roaming profiles suck and are incredibly
> > >   inefficient over slow links.  I'm considering re-implementing them
> > >   using a client-side process and librsync.
> > >
> > > * Patching systems is a pain, as well as installing software for
> > >   users.  This is generally part of SUS or could be part of GPO (maybe
> > >   SUS creates GPOs to install the updates, I dunno).  The problem I've
> > >   always found is getting around my users not having admin privileges
> > >   on their machines.  I've found several free su-like implementations
> > >   for Windows, but all still require a password on the command line or
> > >   are just too insecure for me if they don't.  I'm considering
> > >   implementing a service which would patch software on the Windows
> > >   machine based on output from a server process running on my Samba
> > >   servers (possibly only the PDC).
> > >
> > > * As mentioned before, I'd like an open-source implementation of W2k
> > >   GPOs.  This wouldn't run using Microsoft's GPO process, instead it
> > >   would be implemented by a client-side process which would make the
> > >   necessary changes.
> > >
> > > Has anyone currently started work fixing any of these?  I'm ready to
> > > trash all the custom work I've done to solve these problems and start
> > > fresh with something that'll work cleanly and smoothly.  I've got some
> > > ideas for architecture including development language, communications
> > > protocols, etc, but nothing's firm, and I'd be glad to contribute to
> > > someone who's already started a project which solves one or more of
> > > the above problems.  If not, if anyone else is interested in the above
> > > problems and wants to start work on a new project which would solve
> > > those, I'd be happy to discuss with you offline.
> > >
> > > Cheers,
> > > Clint
> > >
> >
> > --
> > John H Terpstra
> > Email: jht at samba.org
> >
>

-- 
John H Terpstra
Email: jht at samba.org

