[Samba] Having Samba integrate/replace existing mixed Unix/Windows network

John H Terpstra jht at samba.org
Thu Nov 20 07:19:28 GMT 2003


On Thu, 20 Nov 2003, Fran Fabrizio wrote:

>
> Hrmm.  It seems that this (from the HOWTO) puts a MAJOR damper on things....

A damper is a state of mind and an attitude that is rooted in what you
cannot do. Let's focus on what we CAN do - that's more productive. :)

>
> -------------------------------------
> Samba can act as a NT4-style DC in a Windows 2000/XP environment. However,
> there are certain compromises:
> ·       No machine policy files.
> ·       No Group Policy Objects.
> ·       No synchronously executed AD logon scripts.
> ·       Can't use Active Directory management tools to manage users and
> machines.
> ·       Registry changes tattoo the main registry, while with AD they do
> not leave permanent changes in effect.
> ·       Without AD you cannot perform the function of exporting specific
> applications to specific users or groups.
> --------------------------------------
>
> Considering my goal #6....
>
> 6.  Preserve as much of the functionality that Active Directory is
> >>currently providing.  This includes login scripts, roaming profiles, all
> >>the permissions management and authentication, serving a dfs, etc....I
> >>understand that Samba cannot be an Active Directory server, but I also
> >>understand that it can do a lot of the same things AD does.
>
> So...no login scripts and some of these other things (policy files, temp

You can have a logon script. You can use NTConfig.POL files.

When we figure out how to implement Group Policy Objects, we will document
how to do that. Right now you can have Group settings in NTConfig.POL, and
then apply that Policy File to a group.

> changes to the registry that get wiped at logout, etc...) are common on our
> network.  Almost all of our Windows clients are XP.  Do you truly lose the

What I have described as being possible works perfectly with Windows XP
Professional clients.

> ability to do all of those things, or can you do older, NT-style versions
> of some of them by having the XP clients fallback into NT domain
> compatibility?

You can do with Samba-3 most of what you can do with Windows NT4. There
are still millions of networks that have only Windows NT4 servers that are
running fine with Windows XP Professional clients. Samba-3 is a perfect
alternative, which when fully deployed significantly reduces the need for
Active Directory.

You can get a highly scalable Samba-3 based network (using an LDAP
backend). You can store UNIX POSIX account information in LDAP. You can
get a very functional Windows network with Samba-3.

Samba-3 is not a cake that has no icing on it. The issue is that Samba-3
gives you most of what Windows NT4 Server gives you. Samba-3 offers a more
scalable solution than NT4 (through use of LDAP). Samba-3 is NOT an Active
Directory Server - but do you need Active Directory for your site? In most
cases the answer is no; Samba-3 is more than adequate and
provides a total solution architecture that can more than suffice.

I am writing a new book that documents step-by-step how to implement the
type of solution you described as what would meet your needs. It expands
on chapter 2 of "The Official Samba-3 HOWTO and Reference Guide" and goes
all the way to providing detailed complex solutions. That chapter is not
in the Samba-HOWTO-Collection.pdf because until April next year it is
under delayed release - at that time it will come out under the GPL and
will become part of the Samba-HOWTO-Collection.pdf.

The comments I put in the HOWTO documents regarding Samba-3 not being an
AD Server (and what you cannot do with it) are specific answers to people
who absolutely must have a total and complete knock-off of Windows 200x
and Active Directory. I can tell you now, that will never happen. Samba is
Samba, it will never be a Microsoft server. Samba has enhancements (yes,
even now) that give it distinctive advantages over Windows NT4 and 200x.
My advice is to use its strengths and do not focus on what Microsoft do
and how they do it. If the documentation can do with improvement (I'm sure
it can) and you see an angle that will help someone else, then document it
and your name may also end up in the attribution list.

Above all, if you have a specific problem or question - ask me. If I can
possibly spare the time, or have something to contribute I will.

- John T.
-- 
John H Terpstra
Email: jht at samba.org


