[Samba] Having Samba integrate/replace existing mixed Unix/Windows network

John H Terpstra jht at samba.org
Thu Nov 20 08:08:35 GMT 2003


On Thu, 20 Nov 2003, Fran Fabrizio wrote:

>
> Sorry if I came off as wanting Samba to be a clone of AD - not at all the
> case.  :-)  In fact, I speak as someone who has -never- admin'ed a Windows
> network, has no idea what AD is capable of, etc.... I've spent all of 5
> minutes in front of an AD server, and that's about it.  I suddenly find
> this network dropped in my lap and need to solve these problems
> quickly.  My interest in minimizing the role of AD is as much about
> self-preservation as anything else. :-)

What a great opportunity to learn. The problem you will find is that
Microsoft Windows will be very opaque to you until you understand it. The
learning curve is significant. Once you have mastered MS Windows, Samba
really is a cinch.

> All I'm trying to assure is that the types of things that we -do- rely on
> AD for right now can be sufficiently replaced by some alternative
> functionality that Samba provides.  It certainly sounds like this is the
> case.  I just think that either the language of that excerpt was a little
> vague, or (more likely) it's my fault for jumping right to that section and
> thus not realizing that the context was "XP operating natively as a member
> of an AD domain", and that there were other options available.

I've had enough of the feedback that says:

	1. Samba-3 can not do Win2K ADS
	2. I need ADS
	3. Therefore Samba is not good enough

ADS is just one solution to a particular problem. Samba provides another.
Each has its own strengths and weaknesses. There are no silver bullets and
no panaceas.

> I think the angle that I want to see is this - I think there are a lot of
> people like me who are traditionally on the Unix/Linux side of the fence,
> and are suddenly faced with people wanting Windows clients (or inheriting
> such a network).  Instead of embracing that, they fear it, they wall it
> off, they make Windows its own world and their network suffers for it.  So
> the angle I want is "Samba: Making Windows Play In Unix's Ballpark" (as
> opposed to how Samba is more often billed at making Unix play more nicely
> on a Windows network or appear more like a Windows network....it's a blurry
> distinction but one which does make things less transparent for me).  You'd
> be surprised (well maybe not -you- seeing as how you've already seen the
> need for more documentation on this topic) at how most literature on Samba
> sort of touches on these topics, but ultimately dances around them, or
> fails to answer them concisely all in one place.

Become a writer. Write more Samba books. Explain it all to the masses.
We are doing our best (all the contributors to the HOWTOs), and believe me
- it's not enough and it never will be. I am writing another book, this
one will be a prescriptive guide to deploying Samba. It will have
step-by-step implementations of working solutions. It will explain the
nuts and bolts of the logic behind the configuration, but it will refer
you to the HOWTO for further information.

The HOWTO is the reference document. The new book will be prescriptive -
if you want this working configuration follow the following steps line by
line. Two different books - totally different purposes - complementary, not
necessarily stand-alone.

> I have enough info to start playing with things - I am currently setting up
> a testbed consisting of a Linux laptop with a VMWare'd Windows XP on it.  I
> will be sure to document the project and share that documentation with this
> list.  Thanks for the kick-start and the assurance that what I will end up
> with will be highly functional.  :-)

The HOWTO (as with the book version)  has two chapters that you may want
to refer to: One on policies, the other on desktop profiles.

Cheers,
John T.

>
> -Fran
>
> At 07:19 AM 11/20/2003 +0000, you wrote:
> >On Thu, 20 Nov 2003, Fran Fabrizio wrote:
> >
> >>
> >>Hrmm.  It seems that this (from the HOWTO) puts a MAJOR damper on things....
> >
> >A damper is a state of mind and an attitude that is rooted in what you can
> >not do. Let's focus on what we CAN do - that's more productive. :)
> >
> >>
> >>-------------------------------------
> >>Samba can act as a NT4-style DC in a Windows 2000/XP environment. However,
> >>there are certain compromises:
> >>·       No machine policy files.
> >>·       No Group Policy Objects.
> >>·       No synchronously executed AD logon scripts.
> >>·       Can't use Active Directory management tools to manage users and
> >>machines.
> >>·       Registry changes tattoo the main registry, while with AD they do
> >>not leave permanent changes in effect.
> >>·       Without AD you cannot perform the function of exporting specific
> >>applications to specific users or groups.
> >>--------------------------------------
> >>
> >>Considering my goal #6....
> >>
> >>6.  Preserve as much of the functionality that Active Directory is
> >> >>currently providing.  This includes login scripts, roaming profiles, all
> >> >>the permissions management and authentication, serving a dfs, etc....I
> >> >>understand that Samba cannot be an Active Directory server, but I also
> >> >>understand that it can do a lot of the same things AD does.
> >>
> >>So...no login scripts and some of these other things (policy files, temp
> >
> >You can have a logon script. You can use NTConfig.POL files.
> >
> >When we figure out how to implement Group Policy Objects, we will document
> >how to do that. Right now you can have Group settings in NTConfig.POL, and
> >then apply that Policy File to a group.
> >
> >>changes to the registry that get wiped at logout, etc...) are common on our
> >>network.  Almost all of our Windows clients are XP.  Do you truly lose the
> >
> >What I have described as being possible works perfectly with Windows XP
> >Professional clients.
> >
> >>ability to do all of those things, or can you do older, NT-style versions
> >>of some of them by having the XP clients fallback into NT domain
> >>compatibility?
> >
> >You can do with Samba-3 most of what you can do with Windows NT4. There
> >are still millions of networks that have only Windows NT4 servers that are
> >running fine with Windows XP Professional clients. Samba-3 is a perfect
> >alternative, which when fully deployed significantly reduces the need for
> >Active Directory.
> >
> >You can get a highly scalable Samba-3 based network (using an LDAP
> >backend). You can store UNIX POSIX account information in LDAP. You can
> >get a very functional Windows network with Samba-3.
> >
> >Samba-3 is not a cake that has no icing on it. The issue is that Samba-3
> >gives you most of what Windows NT4 Server gives you. Samba-3 offers a more
> >scalable solution than NT4 (through use of LDAP). Samba-3 is NOT an Active
> >Directory Server - but do you need Active Directory for your site? In most
> >cases the answer is no; Samba-3 is more than adequate and
> >provides a total solution architecture that can more than suffice.
> >
> >I am writing a new book that documents step-by-step how to implement the
> >type of solution you described as what would meet your needs. It expands
> >on chapter 2 of "The Official Samba-3 HOWTO and Reference Guide" and goes
> >all the way to providing detailed complex solutions. That chapter is not
> >in the Samba-HOWTO-Collection.pdf because until April next year it is
> >under delayed release - at that time it will come out under the GPL and
> >will become part of the Samba-HOWTO-Collection.pdf.
> >
> >The comments I put in the HOWTO documents regarding Samba-3 not being an
> >AD Server (and what you can not do with it) are specific answers to people
> >who absolutely must have a total and complete knock-off of Windows 200x
> >and Active Directory. I can tell you now, that will never happen. Samba is
> >Samba, it will never be a Microsoft server. Samba has enhancements (yes,
> >even now) that give it distinctive advantages over Windows NT4 and 200x.
> >My advice is to use its strengths and do not focus on what Microsoft do
> >and how they do it. If the documentation can do with improvement (I am sure
> >it can) and you see an angle that will help someone else, then document it
> >and your name may also end up in the attribution list.
> >
> >Above all, if you have a specific problem or question - ask me. If I can
> >possibly spare the time, or have something to contribute I will.
> >
> >- John T.
> >--
> >John H Terpstra
> >Email: jht at samba.org
>

-- 
John H Terpstra
Email: jht at samba.org
