[Samba] samba 4 for new authentication domain?

[Morty]

On Tue, Apr 27, 2010 at 07:36:39PM +1200, David Harrison wrote:

> You should clarify what mechanisms those web apps use for authentication.

I don't know.  :)  The apps are black-box COTS apps which "use AD" for
authentication.  I didn't pick them, and don't have much insight into
them.  More apps might come later, so even if I can research and
answer this question based on the current profiles, requirements might
change.  What I want to do is spec hardware and any necessary software
to support authentication for the apps.  I'd prefer to use free/open
source software if it will work as a drop-in replacement for AD.

> Generally most web apps use LDAP/NTML for authentication and LDAP for
> pulling user information.
> These two things you can achieve more reliably using Samba3 with an LDAP
> backend compared to Samba 4 (at this stage).

I've played with samba3+openldap+kerberos+bind9 as a replacement for
AD before.  It was extremely complex to setup and maintain, so I don't
want to do that in production.  samba4 seemed like it would be
simpler and more compatible with AD.  Ah, well.  :(

It's a shame that samba4 is waiting on file+print services to ship.
samba3 is already a fine file+print services server.  It might be
better to just ship samba4 as AD-style authentication-only for now,
and people who need AD-style auth, file, and print can run separate
instances of samba4 and samba3 on separate VMs or separate physical
servers.  It wouldn't be as ideal as having a single combined server
that could run everything, but at least all functionality would be
shipped, and y'all would still have a roadmap towards an integrated
product.

- Morty