From: Kevin Keane on 27 Apr 2010 01:30

Exactly WHY do you need AD instead of NT domains? Without understanding that, I don't think your question can be answered. In some cases, you can use a stand-alone Kerberos and/or LDAP server. Or conversely, some application you use may require a Microsoft AD server, sometimes even a specific version.

Basically, your tradeoff is between cost and risk. Windows 2008 R2 is all but guaranteed to work no matter what AD issue you throw at it, but it can get expensive, especially if you have many users. On the other hand, Samba is free, but Samba 4 is pretty unproven at this point.

> -----Original Message-----
> From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On Behalf Of Morty
> Sent: Monday, April 26, 2010 9:19 PM
> To: samba(a)lists.samba.org
> Subject: [Samba] samba 4 for new authentication domain?
>
> The various pages about samba 4 warn about rough edges, upgrade, file services, and print services. I have some domains that have never had a Windows domain that now need Windows AD authentication. I don't need file services and print services, and upgrade is not a problem. Is samba 4 ready for this use case, or should we still go with Microsoft's AD?
>
> Thanks!
>
> - Morty
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
From: Morty on 27 Apr 2010 02:40

On Mon, Apr 26, 2010 at 09:59:02PM -0700, Kevin Keane wrote:

> Exactly WHY do you need AD instead of NT domains? Without understanding that, I don't think your question can be answered. In some cases, you can use a stand-alone Kerberos and/or LDAP server. Or conversely, some application you use may require a Microsoft AD server, sometimes even a specific version.

I have some COTS Windows web apps that want to authenticate either using local accounts or against AD. They've been doing local accounts, but account and password management is increasingly problematic, so it would really help to have central password management. The apps don't support NT domain auth.

It might be possible to do this with OpenLDAP+Kerberos, but that sounds like a whole lot of manual work, so I'd rather get something more integrated (AD or samba4). I like *nix servers better than Windows, so I'd rather do samba4, but don't have a good feel for samba4's stability as an authentication server. Hence the earlier question.

> Basically, your tradeoff is between cost and risk. Windows 2008 R2 is all but guaranteed to work no matter what AD issue you throw at it, but it can get expensive, especially if you have many users. On the other hand, Samba is free, but Samba 4 is pretty unproven at this point.

Software cost will probably not be a factor. Functionality is. Sounds like I/we need AD. :(

- Morty
From: David Harrison on 27 Apr 2010 03:40

On Tue, Apr 27, 2010 at 6:30 PM, Morty <morty+samba(a)frakir.org> wrote:

> On Mon, Apr 26, 2010 at 09:59:02PM -0700, Kevin Keane wrote:
>
> > Exactly WHY do you need AD instead of NT domains? Without understanding that, I don't think your question can be answered.
>
> I have some COTS Windows web apps that want to authenticate either using local accounts or against AD.

You should clarify what mechanisms those web apps use for authentication. Generally most web apps use LDAP/NTLM for authentication and LDAP for pulling user information. These two things you can achieve more reliably using Samba3 with an LDAP backend compared to Samba 4 (at this stage).

Another pathway you should investigate is whether a single sign-on (SSO) system is applicable/appropriate. There are plenty of choices out there, but it does depend on what your COTS applications are. The benefit of SSO is that it abstracts web application authentication from your underlying authentication service. It is a bit more work, and not all web applications work with it, but once in place the results are very good.

David
From: Morty on 27 Apr 2010 04:10

On Tue, Apr 27, 2010 at 07:36:39PM +1200, David Harrison wrote:

> You should clarify what mechanisms those web apps use for authentication.

I don't know. :) The apps are black-box COTS apps which "use AD" for authentication. I didn't pick them, and don't have much insight into them. More apps might come later, so even if I can research and answer this question based on the current profiles, requirements might change. What I want to do is spec hardware and any necessary software to support authentication for the apps. I'd prefer to use free/open source software if it will work as a drop-in replacement for AD.

> Generally most web apps use LDAP/NTLM for authentication and LDAP for pulling user information. These two things you can achieve more reliably using Samba3 with an LDAP backend compared to Samba 4 (at this stage).

I've played with samba3+openldap+kerberos+bind9 as a replacement for AD before. It was extremely complex to set up and maintain, so I don't want to do that in production. samba4 seemed like it would be simpler and more compatible with AD. Ah, well. :(

It's a shame that samba4 is waiting on file+print services to ship. samba3 is already a fine file+print services server. It might be better to just ship samba4 as AD-style authentication-only for now, and people who need AD-style auth, file, and print can run separate instances of samba4 and samba3 on separate VMs or separate physical servers. It wouldn't be as ideal as having a single combined server that could run everything, but at least all functionality would be shipped, and y'all would still have a roadmap towards an integrated product.

- Morty
From: Kevin Keane on 27 Apr 2010 04:30

> -----Original Message-----
> From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On Behalf Of Morty
> Sent: Tuesday, April 27, 2010 1:08 AM
> To: samba(a)lists.samba.org
> Subject: Re: [Samba] samba 4 for new authentication domain?
>
> On Tue, Apr 27, 2010 at 07:36:39PM +1200, David Harrison wrote:
>
> > You should clarify what mechanisms those web apps use for authentication.
>
> I don't know. :) The apps are black-box COTS apps which "use AD" for authentication.

You can usually find out simply by reading the documentation on how to set up authentication. Just as David said, almost all of them would use LDAP. The only exception is anything that supports Single-Sign-On via Internet Exploder. In that case, it's probably Kerberos.

> I didn't pick them, and don't have much insight into them. More apps might come later, so even if I can research and answer this question based on the current profiles, requirements might change. What I want to do is spec hardware and any necessary software to support authentication for the apps. I'd prefer to use free/open source software if it will work as a drop-in replacement for AD.

You won't find true drop-in replacements anywhere. Even Samba 3 isn't a drop-in replacement for file sharing or NT domains; certain things won't work. For instance, some accounting packages (Quickbooks or Peachtree) also require a database component on the server. I'm sure there will be similar issues with Samba 4 vs. Active Directory.

> > Generally most web apps use LDAP/NTLM for authentication and LDAP for pulling user information. These two things you can achieve more reliably using Samba3 with an LDAP backend compared to Samba 4 (at this stage).
>
> I've played with samba3+openldap+kerberos+bind9 as a replacement for AD before. It was extremely complex to set up and maintain, so I don't want to do that in production.

Agreed. Basically, that simplicity (and the tools to do it) is what you buy with the $$$ from Microsoft. Or with the $$$ to a RedHat consultant to make it all work for you.

> samba4 seemed like it would be simpler and more compatible with AD. Ah, well. :(

What I found works exceedingly well (although not flawlessly) is a Windows AD Domain Controller, and then Samba servers for file and print sharing.
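David and Kevin both point at the same first step: find out which mechanism the black-box apps actually use (LDAP bind, LDAP plus AD-specific attributes, or Kerberos SSO), and then check whether the server you put in front of them presents itself as AD, which a Samba 4 AD DC does and a Samba 3 + OpenLDAP setup does not. Below is an added example of how a client sees that difference; it is not code from the thread or from the Samba project. An AD DC's rootDSE advertises the AD capability OIDs and the Kerberos SASL mechanisms, plain OpenLDAP advertises neither. The rootDSE records, hostname and DNs are constructed, and the mechanism labels "ldap-bind", "ad-ldap" and "kerberos-sso" are names chosen here for the three cases the posts describe.

```python
"""Check whether a directory server presents itself the way an application
that "uses AD" expects.

Added example for this thread; not code from Samba or from any poster.  The
three rootDSE records below are constructed by hand.  Against a real server the
same attributes come back from an anonymous base-scope search, e.g.:

    ldapsearch -x -H ldap://dc.example.test -s base -b "" \\
        defaultNamingContext namingContexts supportedCapabilities \\
        supportedSASLMechanisms
"""

# Capability OIDs that Active Directory publishes in rootDSE
# supportedCapabilities.  Samba 4 acting as an AD DC publishes them as well;
# a plain OpenLDAP server publishes none of them, which is the quickest way
# for a client to tell the two apart.
AD_CAPABILITY_OIDS = {
    "1.2.840.113556.1.4.800": "LDAP_CAP_ACTIVE_DIRECTORY_OID",
    "1.2.840.113556.1.4.1670": "LDAP_CAP_ACTIVE_DIRECTORY_V51_OID",
    "1.2.840.113556.1.4.1791": "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID",
    "1.2.840.113556.1.4.1935": "LDAP_CAP_ACTIVE_DIRECTORY_V61_OID",
}

# SASL mechanisms that carry a Kerberos ticket (what browser SSO relies on).
KERBEROS_SASL = {"GSSAPI", "GSS-SPNEGO"}

# Constructed samples (hostnames and DNs are made up for this example).
AD_DC_ROOTDSE = {
    "defaultNamingContext": ["DC=example,DC=test"],
    "namingContexts": ["DC=example,DC=test",
                       "CN=Configuration,DC=example,DC=test",
                       "CN=Schema,CN=Configuration,DC=example,DC=test"],
    "supportedCapabilities": list(AD_CAPABILITY_OIDS),
    "supportedSASLMechanisms": ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"],
}
OPENLDAP_ROOTDSE = {          # OpenLDAP with no Kerberos KDC behind it
    "namingContexts": ["dc=example,dc=test"],
    "supportedSASLMechanisms": ["DIGEST-MD5", "CRAM-MD5"],
}
NO_LDAP_ROOTDSE = {}          # nothing answered on 389, e.g. an NT4-style PDC


def classify_rootdse(rootdse):
    """rootdse maps attribute name -> list of values, as an LDAP client returns it."""
    if not rootdse:
        return {"flavour": "no-ldap", "ad_capabilities": [],
                "kerberos_sso": False, "base_dn": None}
    caps = set(rootdse.get("supportedCapabilities", []))
    sasl = set(rootdse.get("supportedSASLMechanisms", []))
    ad_caps = sorted(AD_CAPABILITY_OIDS[o] for o in caps & set(AD_CAPABILITY_OIDS))
    default_nc = rootdse.get("defaultNamingContext", [])
    naming = rootdse.get("namingContexts", [])
    if ad_caps and default_nc:
        flavour = "active-directory"     # Windows DC or Samba 4 AD DC
    elif naming:
        flavour = "generic-ldap"         # e.g. OpenLDAP behind Samba 3
    else:
        flavour = "unknown"
    return {
        "flavour": flavour,
        "ad_capabilities": ad_caps,
        # rootDSE only shows that the LDAP service accepts Kerberos binds; it
        # cannot see the KDC itself, so treat this as a proxy, not proof.
        "kerberos_sso": bool(sasl & KERBEROS_SASL),
        "base_dn": (default_nc or naming or [None])[0],
    }


def meets_app_requirement(rootdse, mechanism):
    """mechanism is what the app's setup guide says it does:
         "ldap-bind"    password verified by a simple bind to any LDAP server
         "ad-ldap"      bind, then read AD-only attributes (sAMAccountName,
                        memberOf, objectSid) under defaultNamingContext
         "kerberos-sso" browser SSO with SPNEGO/Kerberos tickets
    """
    info = classify_rootdse(rootdse)
    if mechanism == "ldap-bind":
        return info["flavour"] in ("active-directory", "generic-ldap")
    if mechanism == "ad-ldap":
        return info["flavour"] == "active-directory"
    if mechanism == "kerberos-sso":
        return info["kerberos_sso"]
    raise ValueError(f"unknown mechanism {mechanism!r}")


if __name__ == "__main__":
    for name, rootdse in [("AD DC / Samba 4", AD_DC_ROOTDSE),
                          ("OpenLDAP", OPENLDAP_ROOTDSE),
                          ("no LDAP", NO_LDAP_ROOTDSE)]:
        info = classify_rootdse(rootdse)
        needs = {m: meets_app_requirement(rootdse, m)
                 for m in ("ldap-bind", "ad-ldap", "kerberos-sso")}
        print(f"{name:16} {info['flavour']:17} base={info['base_dn']}  {needs}")
```

The useful part is the second function: once the vendor documentation says which of the three mechanisms an app uses, the result tells you whether a given server is enough. An app that only does "ldap-bind" is satisfied by Samba 3 with an OpenLDAP backend; one that reads AD attributes or expects a ticket needs something that answers like a DC, which is where Samba 4 or a Windows DC comes in.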