[Samba] samba 4 for new authentication domain?

Kevin Keane subscription at kkeane.com
Tue Apr 27 02:27:35 MDT 2010

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-
> bounces at lists.samba.org] On Behalf Of Morty
> Sent: Tuesday, April 27, 2010 1:08 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4 for new authentication domain?
> On Tue, Apr 27, 2010 at 07:36:39PM +1200, David Harrison wrote:
> > You should clarify what mechanisms those web apps use for
> > authentication.
> I don't know.  :)  The apps are black-box COTS apps which "use AD" for
> authentication.

You can usually find out simply by reading the documentation on how to set up authentication. Just as David said, almost all of them would use LDAP. The only exception is anything that supports Single-Sign-On via Internet Exploder. In that case, it's probably Kerberos.

> I didn't pick them, and don't have much insight into
> them.  More apps might come later, so even if I can research and
> answer this question based on the current profiles, requirements might
> change.  What I want to do is spec hardware and any necessary software
> to support authentication for the apps.  I'd prefer to use free/open
> source software if it will work as a drop-in replacement for AD.

You won't find true drop-in replacements anywhere. Even Samba 3 isn't a drop-in replacement for file sharing or NT domains; certain things won't work. For instance, some accounting packages (Quickbooks or Peachtree) also require a database component on the server.

I'm sure there will be similar issues with Samba 4 vs. Active Directory.

> > Generally most web apps use LDAP/NTLM for authentication and LDAP for
> > pulling user information.
> > These two things you can achieve more reliably using Samba3 with an
> > backend compared to Samba 4 (at this stage).
> I've played with samba3+openldap+kerberos+bind9 as a replacement for
> AD before.  It was extremely complex to setup and maintain, so I don't
> want to do that in production.

Agreed. Basically, that simplicity (and the tools to do it) is what you buy with the $$$ from Microsoft. Or with the $$$ to a RedHat consultant to make it all work for you.

> samba4 seemed like it would be
> simpler and more compatible with AD.  Ah, well.  :(

What I found works exceedingly well (although not flawlessly) is a Windows AD Domain Controller, and then Samba servers for file and print sharing.
