mikel king
2012-Jan-09 15:47 UTC
[Samba] Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?
I am sure this pops up on the list every once in a while. I have inherited a LAN that has a large amount of Mac OS X, FreeBSD, Linux and of course because bean counters have to use financial apps that only run on Windows. My long term goal is to install some sort of central management system and really feel that AD is not in my best interest considering that 90% of the 300+ computers are not Windows based. Unfortunately the 20 or so Windows machines are running mostly Win7 and there are some 2k8r2 servers in the mix somewhere.

Does anyone know of any good how-to, best practices/guidelines sites or documents?

Thoughts? Suggestions?

Respectfully,
Mikel King
Adam Tauno Williams
2012-Jan-09 15:48 UTC
[Samba] Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?
On Mon, 2012-01-09 at 10:47 -0500, mikel king wrote:
> I am sure this pops up on the list every once in a while. I have
> inherited a LAN that has a large amount of Mac OS X, FreeBSD, Linux
> and of course because bean counters have to use financial apps that
> only run on Windows. My long term goal is to install some sort of
> central management system and really feel that AD is not in my best
> interest considering that 90% of the 300+ computers are not Windows
> based. Unfortunately the 20 or so Windows machines are running mostly
> Win7 and there are some 2k8r2 servers in the mix somewhere.
> Does anyone know of any good how-to, best practices/guidelines sites or documents?
> Thoughts? Suggestions?

Well, for the question in subject -
"Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?"

Emphatically - NO.

At least if you're using Samba3.

Use Samba4 and you get Active Directory for free.

--
System & Network Administrator [ LPI & NCLA ]
<http://www.whitemiceconsulting.com>
OpenGroupware Developer <http://www.opengroupware.us>
Adam Tauno Williams
steve
2012-Jan-09 16:11 UTC
[Samba] Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?
On 01/09/2012 04:48 PM, Adam Tauno Williams wrote:
> On Mon, 2012-01-09 at 10:47 -0500, mikel king wrote:
>> I am sure this pops up on the list every once in a while. I have
>> inherited a LAN that has a large amount of Mac OS X, FreeBSD, Linux
>> and of course because bean counters have to use financial apps that
>> only run on Windows. My long term goal is to install some sort of
>> central management system and really feel that AD is not in my best
>> interest considering that 90% of the 300+ computers are not Windows
>> based. Unfortunately the 20 or so Windows machines are running mostly
>> Win7 and there are some 2k8r2 servers in the mix somewhere.
>> Does anyone know of any good how-to, best practices/guidelines sites or documents?
>> Thoughts? Suggestions?
> Well, for the question in subject -
> "Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?"
>
> Emphatically - NO.
>
> At least if you're using Samba3.
>
> Use Samba4 and you get Active Directory for free.
>

Similar situation here using samba3+ldap for Linux/win 7. We are trying to migrate from Samba 3 to Samba 4, but the latter does not make it easy to add Linux clients to the LAN. We have it working (mostly) with this hack:
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
but would like to see S4 released with a bit more help for Linux integration.

hth,
Steve
mikel king
2012-Jan-09 16:18 UTC
[Samba] Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?
On Jan 9, 2012, at 10:48 AM, Adam Tauno Williams wrote:
> On Mon, 2012-01-09 at 10:47 -0500, mikel king wrote:
>> I am sure this pops up on the list every once in a while. I have
>> inherited a LAN that has a large amount of Mac OS X, FreeBSD, Linux
>> and of course because bean counters have to use financial apps that
>> only run on Windows. My long term goal is to install some sort of
>> central management system and really feel that AD is not in my best
>> interest considering that 90% of the 300+ computers are not Windows
>> based. Unfortunately the 20 or so Windows machines are running mostly
>> Win7 and there are some 2k8r2 servers in the mix somewhere.
>> Does anyone know of any good how-to, best practices/guidelines sites or documents?
>> Thoughts? Suggestions?
>
> Well, for the question in subject -
> "Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?"
>
> Emphatically - NO.
>
> At least if you're using Samba3.
>
> Use Samba4 and you get Active Directory for free.
>

Thanks Adam,

I really appreciate the response. I am reading the docs on s4 now. Are there any gotchas that I should be on the lookout for?

Cheers,
Mikel
Natxo Asenjo
2012-Jan-09 19:34 UTC
[Samba] Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?
On Mon, Jan 9, 2012 at 4:47 PM, mikel king <mikel.king at olivent.com> wrote:
> I am sure this pops up on the list every once in a while. I have inherited a LAN that has a large amount of Mac OS X, FreeBSD, Linux and of course because bean counters have to use financial apps that only run on Windows. My long term goal is to install some sort of central management system and really feel that AD is not in my best interest considering that 90% of the 300+ computers are not Windows based. Unfortunately the 20 or so Windows machines are running mostly Win7 and there are some 2k8r2 servers in the mix somewhere.

For the unix side of things I would recommend ipa from redhat (you can read about it in http://freeipa.org). It accomplishes for linux/unix most of what AD does for Windows. For the Windows side, use samba4. To get best of both worlds, use a kerberos trust between both realms.

IPA is also available out of the box for the redhat clones, obviously. As this is not a topic for the samba list, I will leave it at that, but not before saying that it really rocks.

--
natxo
mikel king
2012-Jan-10 02:54 UTC
[Samba] Can Samba + (OpenLDAP & Kerberos) completely replace ActiveDirectory?
On Jan 9, 2012, at 2:34 PM, Natxo Asenjo wrote:
> On Mon, Jan 9, 2012 at 4:47 PM, mikel king <mikel.king at olivent.com> wrote:
>> I am sure this pops up on the list every once in a while. I have inherited a LAN that has a large amount of Mac OS X, FreeBSD, Linux and of course because bean counters have to use financial apps that only run on Windows. My long term goal is to install some sort of central management system and really feel that AD is not in my best interest considering that 90% of the 300+ computers are not Windows based. Unfortunately the 20 or so Windows machines are running mostly Win7 and there are some 2k8r2 servers in the mix somewhere.
>
> For the unix side of things I would recommend ipa from redhat (you can
> read about it in http://freeipa.org). It accomplishes for linux/unix
> most of what AD does for Windows. For the Windows side, use samba4. To
> get best of both worlds, use a kerberos trust between both realms.
>
> IPA is also available out of the box for the redhat clones, obviously.
> As this is not a topic for the samba list, I will leave it at that,
> but not before saying that it really rocks.
>
> --
> natxo

Thanks Natxo,

I am not sure if this would be a fit for us as we only have one Red Hat based Linux box. The majority are FreeBSD or Debian. Still it is an interesting prospect and I really appreciate your sharing it.

Cheers,
m