[Samba] Why Samba AD is the single-source of truth, not augmentation to unix

Andrew Bartlett abartlet at samba.org
Fri Apr 28 23:59:40 UTC 2023

On Fri, 2023-04-28 at 16:51 +0100, Rowland Penny via samba wrote:
> On 28/04/2023 15:17, Gary Dale via samba wrote:
> > What you are arguing for (and what Samba is now doing) is the
> > former - a single instance of everything - instead of extending the
> > AD strategy to propagate changes between domain controllers and Unix
> > authentication. Given that the AD propagation strategy provides
> > redundancy and better performance, this seems like a strange choice.
> > 
> > When you combine this with the harm it does to existing Unix
> > infrastructure, the idea appears indefensible.
> > 
> > 
> Whilst looking through my deleted bin for an email that got deleted
> by mistake, I found this post.
> Gary, these are just my personal thoughts and have nothing to do with
> any other person or entity.
> Samba was from the very start an attempt to emulate the SMB protocol,
> it is in its very name: SaMBa. It was an attempt to connect Windows
> and Unix.
> Now some of what was done in the past was probably not a good idea,
> but you cannot change the past.
> Samba (at the moment) can operate as an NT4-style PDC, but they rely
> on SMBv1 and Microsoft stopped supporting NT4 over 20 years ago, they
> replaced it with AD and they are doing all they can to remove SMBv1.
> Samba, after a lot of hard work, released their version of AD about
> 10 years ago and it was and is a success. It is a success because it
> closely follows Microsoft AD, it has to, or it wouldn't be AD. This
> means that a lot of what used to work is either not required any more
> (local users on Linux) or just doesn't work or make sense.
> Running a Samba AD domain is a lot easier than running an NT4-style
> domain, where you could have just one PDC and multiple BDCs, which
> may or may not take over (after you make them do it) if the PDC
> failed. You can have multiple AD DCs where the only difference is the
> FSMO roles and they can be easily moved to any DC.
> You want Samba changing to do what you want, but I am sorry, this
> isn't likely to happen, you need to change the way you do things and
> if you do, I think you will find things are easier than you think,
> want to change a password? Just do it in one place, AD, rather than
> multiple places. Want to create users or groups on multiple machines,
> do it in AD. I could go on and on, but I think you get the point, AD
> beats anything else, hands down.
> Now, unless you are prepared to accept that Samba AD is never going to
> work like an NT4-style domain, I suggest you go and find another way
> of doing things.

Kia Ora Rowland.

This describes the situation well.  The deliberate design decision,
almost two decades ago, was that Samba4 (as it was then) would be the
single source of truth, not an augmentation to an existing external
source of truth.

Unix users are then provisioned out from Samba, using things like

This came from the real world experience of building and running Samba3
LDAP-backed DCs, with the choose-your-own-adventure of possible
deployment methodologies.

The fact that AD provides LDAP sealed the deal.

The deliberate design was for a product, not a 'kit of parts' as Samba
was seen as prior, that provided a fully working AD DC out of the box.

We know that for some, the older behaviour was a key part of the
successful use of Samba, because that 'kit of parts' was exactly the
thing required, and we can only express our sadness that in serving the
many, we do not serve this use case as an AD DC as well.

The other components, with the 'augmentation' pattern, are still in
Samba, at least for now, and work as they always did.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited

Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source