[Samba] Having Samba integrate/replace existing mixed Unix/Windows network

Fran Fabrizio fran at cis.uab.edu
Thu Nov 20 07:37:50 GMT 2003


Sorry if I came off as wanting Samba to be a clone of AD - not at all the 
case.  :-)  In fact, I speak as someone who has -never- admin'ed a Windows 
network, has no idea what AD is capable of, etc.... I've spent all of 5 
minutes in front of an AD server, and that's about it.  I suddenly find 
this network dropped in my lap and need to solve these problems 
quickly.  My interest in minimizing the role of AD is as much about 
self-preservation as anything else. :-)

All I'm trying to assure is that the types of things that we -do- rely on 
AD for right now can be sufficiently replaced by some alternative 
functionality that Samba provides.  It certainly sounds like this is the 
case.  I just think that either the language of that excerpt was a little 
vague, or (more likely) it's my fault for jumping right to that section and 
thus not realizing that the context was "XP operating natively as a member 
of an AD domain", and that there were other options available.

I think the angle that I want to see is this - I think there are a lot of 
people like me who are traditionally on the Unix/Linux side of the fence, 
and are suddenly faced with people wanting Windows clients (or inheriting 
such a network).  Instead of embracing that, they fear it, they wall it 
off, they make Windows its own world and their network suffers for it.  So 
the angle I want is "Samba: Making Windows Play In Unix's Ballpark" (as 
opposed to how Samba is more often billed as making Unix play more nicely 
on a Windows network or appear more like a Windows network....it's a blurry 
distinction but one which does make things less transparent for me).  You'd 
be surprised (well maybe not -you- seeing as how you've already seen the 
need for more documentation on this topic) at how most literature on Samba 
sort of touches on these topics, but ultimately dances around them, or 
fails to answer them concisely all in one place.

I have enough info to start playing with things - I am currently setting up 
a testbed consisting of a Linux laptop with a VMWare'd Windows XP on it.  I 
will be sure to document the project and share that documentation with this 
list.  Thanks for the kick-start and the assurance that what I will end up 
with will be highly functional.  :-)

-Fran

At 07:19 AM 11/20/2003 +0000, you wrote:
>On Thu, 20 Nov 2003, Fran Fabrizio wrote:
>
>>
>>Hrmm.  It seems that this (from the HOWTO) puts a MAJOR damper on things....
>
>A damper is a state of mind and an attitude that is rooted in what you can
>not do. Let's focus on what we CAN do - that's more productive. :)
>
>>
>>-------------------------------------
>>Samba can act as a NT4-style DC in a Windows 2000/XP environment. However,
>>there are certain compromises:
>>·       No machine policy files.
>>·       No Group Policy Objects.
>>·       No synchronously executed AD logon scripts.
>>·       Can't use Active Directory management tools to manage users and
>>machines.
>>·       Registry changes tattoo the main registry, while with AD they do
>>not leave permanent changes in effect.
>>·       Without AD you cannot perform the function of exporting specific
>>applications to specific users or groups.
>>--------------------------------------
>>
>>Considering my goal #6....
>>
>>6.  Preserve as much of the functionality that Active Directory is
>>currently providing.  This includes login scripts, roaming profiles, all
>>the permissions management and authentication, serving a dfs, etc....I
>>understand that Samba cannot be an Active Directory server, but I also
>>understand that it can do a lot of the same things AD does.
>>
>>So...no login scripts and some of these other things (policy files, temp
>
>You can have a logon script. You can use NTConfig.POL files.
>
>When we figure out how to implement Group Policy Objects, we will document
>how to do that. Right now you can have Group settings in NTConfig.POL, and
>then apply that Policy File to a group.
>
>>changes to the registry that get wiped at logout, etc...) are common on our
>>network.  Almost all of our Windows clients are XP.  Do you truly lose the
>
>What I have described as being possible works perfectly with Windows XP
>Professional clients.
>
>>ability to do all of those things, or can you do older, NT-style versions
>>of some of them by having the XP clients fallback into NT domain
>>compatibility?
>
>You can do with Samba-3 most of what you can do with Windows NT4. There
>are still millions of networks that have only Windows NT4 servers that are
>running fine with Windows XP Professional clients. Samba-3 is a perfect
>alternative, which when fully deployed significantly reduces the need for
>Active Directory.
>
>You can get a highly scalable Samba-3 based network (using an LDAP
>backend). You can store UNIX POSIX account information in LDAP. You can
>get a very functional Windows network with Samba-3.
>
>Samba-3 is not a cake that has no icing on it. The issue is that Samba-3
>gives you most of what Windows NT4 Server gives you. Samba-3 offers a more
>scalable solution than NT4 (through use of LDAP). Samba-3 is NOT an Active
>Directory Server - but do you need Active Directory for your site? In most
>cases the answer is no, Samba-3 is more than adequate and
>provides a total solution architecture that can more than suffice.
>
>I am writing a new book that documents step-by-step how to implement the
>type of solution you described as what would meet your needs. It expands
>on chapter 2 of "The Official Samba-3 HOWTO and Reference Guide" and goes
>all the way to providing detailed complex solutions. That chapter is not
>in the Samba-HOWTO-Collection.pdf because until April next year it is
>under delayed release - at that time it will come out under the GPL and
>will become part of the Samba-HOWTO-Collection.pdf.
>
>The comments I put in the HOWTO documents regarding Samba-3 not being an
>AD Server (and what you can not do with it) are specific answers to people
>who absolutely must have a total and complete knock-off of Windows 200x
>and Active Directory. I can tell you now, that will never happen. Samba is
>Samba, it will never be a Microsoft server. Samba has enhancements (yes,
>even now) that give it distinctive advantages over Windows NT4 and 200x.
>My advice is to use its strengths and do not focus on what Microsoft do
>and how they do it. If the documentation can do with improvement (I'm sure
>it can) and you see an angle that will help someone else, then document it
>and your name may also end up in the attribution list.
>
>Above all, if you have a specific problem or question - ask me. If I can
>possibly spare the time, or have something to contribute I will.
>
>- John T.
>--
>John H Terpstra
>Email: jht at samba.org

