[Samba] Samba4 + FreeIPA

Patrick Goetz pgoetz at math.utexas.edu
Fri Nov 5 10:57:40 UTC 2021

On 11/5/21 02:52, Rowland Penny via samba wrote:
> On Thu, 2021-11-04 at 19:15 -0400, Robert Marcano via samba wrote:
>> On Thu, Nov 4, 2021, 3:37 PM David Mulder via samba <
>> samba at lists.samba.org>
>> wrote:
>>> On 11/3/21 7:45 AM, Cyrus via samba wrote:
>>>> Thanks a lot. For this environment we have a 20/80 distribution,
>>>> being
>>> 80%
>>>> Linux servers, workstations & kiosks.
>>>> Windows is indeed limited to some limited administrative user
>>>> group
>>> (higher
>>>> management & accounting department).
>>>> I'm find with the dual realm, with all the users on one side &
>>>> trust
>>>> between both parties.
>>>> Probably it makes sense to go dual setup in this case. Sudoers &
>>>> HBAC
>>> feel
>>>> more convenient with FreeIPAs WGUI/CLI.
>>> Samba sudoers and hbac are deployed via either `samba-tool gpo`
>>> command
>>> or Windows RSAT. It's no less convenient than the FreeIPA tools.
>> There is a reason I mentioned that this depends on the relationship
>> between
>> how many Linux (in reality 'unixy' OSs) vs Windows you have. If you
>> are
>> mainly a Linux shop with a few Windows, the need to use a Windows
>> client
>> for some management functions is definitely an inconvenience. Nothing
>> more
>> convenient that a browser GUI.
>> Don't get me wrong, I understand that reason for the lack of open
>> GUIs to
>> manage Samba AD is a community issue, mainly contributions. Ah! And
>> having
>> to reverse engineer MS protocols and file formats.
> It may just be myself, but I cannot really see the point of using
> freeipa. Everything it can do, Samba can do, but you cannot say the
> same in reverse, Samba can do more than freeipa.

A hard truth:

I've followed open source projects for decades. The one single thing 
that determines whether or not an open source project will be 
successful?  Good, reasonably comprehensive documentation.  You can have 
the most elegant, functional code ever written, and no one will use it 
if it's not documented properly.  Look at how long it's taken for 
nftables to gain *any* market penetration. No one would still be using 
it if people hadn't starting writing transparent iptables to nftables 
backend translators. Why? Because the people working on that code base 
refuse to document it properly. Documentation isn't their thing. Why has 
the Django project been so successful? Because it was written by media 
people, so one of the first things they did was write clear and 
comprehensive documentation. Terrible code, but great documentation.

Currently, the Samba project is hurt by a lack of good documentation. 
Samba 3 documentation was really good, but that effort wasn't repeated 
for v. 4 for some reason. There are no current books available, and the 
Wiki is littered with lacunas and inaccuracies like the one that threw 
me off in my previous post today. Time wasted because I labored under 
the assumption I was getting correct information from the Wiki. That's 
all there is to it. It's extremely frustrating to potential users, so 
people start to look for alternatives. If you already know something, it 
can be hard to distinguish between hard and easy; confusing and obvious. 
That's you: you know Samba, so can't fathom why everyone else doesn't 
use it - it's obviously the superior solution. But me, as someone who is 
for all practical purposes a modern Samba novice, I probably would have 
given up long ago save for all the help I get from yourself and this 
list. And that's coming from a very experienced admin who has used Samba 
in the past. Not everyone has time to camp out on a listserv, though; 
they want to read a book or some well organized online resources 
implement, and move on to the next thing.  So many IT projects, so 
little time ...

This is a shame, because it's a great project; the more I use 4.15.x, 
the better I like it and the more impressed I am by how it works. But 
yeah, you asked, so I'm explaining what the issue is. I see many 
complaints on Stack Exchange and elsewhere about the state of Samba 
documentation. I recall one recent response to a question "yeah, you 
could try to use Samba, but the documentation is a mess". And then the 
OP is directed to try FreeIPA.

This is why I suggested you write a book in a post you probably didn't 
read. <:)

> As for GUI's (other than ADUC), then the GUI being produced by Alt
> Linux is well worth looking at and it looks very familiar.
> Rowland

More information about the samba mailing list