On 2/26/07 5:56 AM, "Laurent Pinchart"
<laurent.pinchart@skynet.be> wrote:
> Hi everybody.
>
> I attended the Samba conference at the FOSDEM yesterday. Jeremy Allison was
> great, and explained very clearly the problems faced by implementing an
> Active Directory controller.
>
> The CIFS protocol is required in heterogenous environments. Jeremy made it
> pretty clear that even in pure Unix environments, CIFS is quite superior to
> NFSv4. Samba is thus a required component of pretty much any network, even
> when using Unix workstations and servers only.
>
> Implementing a Samba Active Directory domain controller requires more
> components than for an NT4 domain controller. Samba will have to integrate
an
> LDAP server, a Kerberos server, a DNS server and a DHCP server. It will
have
> to implement remote registry access and many Windows-related DCE/RPC calls.
> Those don't make much sense in Unix-only environments. Moreover, the
LDAP
> directory schema will have to match the Microsoft AD schema, which is badly
> documented to say the least.
>
This is one of the more interesting components, at least to me. While I
cannot say that I have kept up too much with the development of Samba 4, I
do believe that an Active Directory compatible schema could be implemented
using OpenLDAP, or a variety of the other LDAP servers available.
As such, I am not too worried about integrating Samba 4 with my UNIX LDAP
structure. What I am more worried about is integrating Samba 4 with my
existing Kerberos infrastructure. IIRC, Samba 4 includes a modified Heimdal
Kerberos implementation, which it obviously is designed to integrate well
with, but who is to say how well it will work (or if it will work) with the
standard MIT implementation (as Microsoft's implementation uses the NTLM
hash as the shared Kerberos key - See Andrew Bartlett's thesis for
confirmation of said fact), or what additional principals would be necessary
for it to work correctly.
As far as DNS changes are concerned, those seem to be fairly well known, and
compatible with BIND, aside from perhaps some issues regarding dynamic DNS
updates, though I have personally done regular old DNS updates from Windows
machines to BIND DNS servers via the ISC DHCP daemon. It's not flawless, but
it does work.
As far as Samba 4 acting as an AD controller, your best bet is to refer to
the Wiki site at:
http://wiki.samba.org/index.php/Samba4/ActiveDirectory
The knowledge might not be exactly what you are looking for, but if nothing
else, it should be a good start.
> I'm concerned about all the unneeded features that will be introduced
by
> Samba4 in pure Unix environments, as well as by the implications that
Samba4
> will have on other services. The LDAP directory will have to implement the
> Microsoft AD schema, which is not compatible with any current Unix
> application. How will Samba4 interoperate with groupware softwares for
> instance ? Has anyone thought about how to mix Unix LDAP-aware applications
> with Samba4 ? Aren't we pushing bloated, buggy and badly thought
> Microsoft "standards" to the Unix platform in the name of
interoperability
> without thinking about the consequences this will have on other services
and
> on the overall stability ?
>
> Thanks in advance to all of those who will prove me wrong and let me sleep
> peacefully again :-)
>
> Laurent Pinchart
--
+-------------------------------------------------+
| Sean Elble |
| Virginia Tech, Class of 2008 |
| Vice President, VTLUUG |
| E-Mail: elbles@sessys.com |
| Web: http://www.sessys.com/~elbles/ |
+-------------------------------------------------+