[Samba] Suggestions for argument for Samba over Windows 2003?

[Andy Jones]

Hi

We've recently been through a merger of 2 equal sized Schools,
 . one School was using Windows 2000 servers and W2K desktops, AD etc
 . the other was using Samba 2.x servers to control a "domain",
   with mostly Windows 98 desktops. 

We then worked out what services were running and deliberated on
where to run them in the new merged systems. As it turned out, the
decision was to go for Windows Server 2003 for email, printing,
virus scanning and so on.   However Web, Web Proxy, DHCP, DNS etc
will continue to live on Unix. 

The shared network drives might end up on Unix, or Windows.
It depends if people need fine-grained ACLs which Windows offers,
or maybe even if end-users themselves need to be able to apply the
ACLs, rather than IT admins having to do it.

The Home directories however, are still a sticking point...

I'm currently running a RedHat 9 (which means Samba 2.2.7) on a DELL
server.  The hardware should be fine to handle the load for the whole
school, which comprises about 200 - 250 users.   (This server is currently
controlling the Samba "domain" for one of the former schools).

We're getting close to making a final determination of whether the Home
directories should stay on this box, or move them to a box running
Windows Server 2003.  I've been using Samba as my Domain Controller
with a lot of good results and very little pain for a long time,
so my preference is to stay with it (and Unix-like systems).

However the new domain will be one controlled by AD, the IT guys 
from the other School aren't Unix-skilled, and so I need to produce
sound technical arguments for keeping Samba, not just my personal
preference based on what is familiar/known...

Reasons FOR moving the home dirs to Windows 2003 are largely the
same ones which got it decided upon in the first place.
 ie. stability;  reliability;  complete integration with AD;
     only one password source and so a single password across servers;
     that it is adminnable by any IT support staff, not just Unix guys;
     that it is an officially supported product.

The other side of the coin, concerns against keeping it on Unix include
     that home directories are absolutely vital which MUST NOT break;
     that a hetrogenous mix of servers must somehow lead to problems
     which won't arise if all servers run the same OS;
     that we will have users and/or passwords stored in 2 places, so
     they will get out of sync, or only Unix guys will be able to 
     fix things, or that we won't be able to use the Windows Admin
     tools to admin everything, or that end users won't be able to
     use the Windows change password utils, but will instead have to
     use a custom web page or something;

The advantages for us of Samba, as far as I can see, are that
     some of our admins have experience in it, know it, and like it;
     we can restrict access to SMB services based on IP ranges;
     we can automatically run scripts when shares are mounted/umounted,
     so we can make truly dynamic shares based on user privs;
     the new version integrates with AD, so password syncing issues
     should all go away, at least as far as end users are concerned;
     we could probably use SWAT to give non-Unix guys admin access;

Problem is, that to management types, I dunno if these sorts of reasons
are going to outweigh the safety/security of a more homogenous environment.

I apologise for the length of this post, but I'd also like to give the
people who have coordinated the Samba 3 documentation a huge rap.
Documentation isn't fun or sexy, and previously there were lots of
small docs, which were correct at the time of writing, and written
with good intentions, but which had been superceded and were in many
cases erroneous.  And at the end of the day, it doesn't matter how
brilliant the software is if the only people who know how to utilitise
it, are the people who coded it.

So the new "Samba Project Doco" is brilliant!  It's big and I'm still
ploughing through it, but so far it's doing a great job of explaining
the underlying issues and then getting into the technical nitty gritty.
It brings you up to speed, so you can then consult the man pages for the
exact specifics of what is needed.  Congratulations to John/Jerry et al

So, anyway, from my reading of the doco so far, it would seem that
we could integrate the Unix box one of two ways:

 . Upgrade it to Samba 3, and have it join the Win 2003 domain.
   Since the only access we're supporting into the box is SMB,
   we don't need to worry about setting or syncing the Unix password.

   I still need some way to create the underlying unix account though,
   preferably with consistent, rather than randomly assigned uids/gids.

   I could use normal Unix commands to manually create the Unix accounts,
   but since I have previously set up an OpenLDAP box and made accounts
   on it for everyone, I could probably homebrew some sort of
   web-based  makeuser  script, and point NSS at it.

 . leave it on Samba 2.2.7, leave it off the whole domain thingo,
   set  security=server  and point the password server at one of
   the AD boxes, and touch wood.  

   Even if we don't have 2 passwords and password syncing, we still
   have a small issue of having 2 sets of accounts, and needing to
   create/delete accounts in 2 places.

Any comments appreciated.

cheers,
/\ndy