    Alternatives for Microsoft server products: Active Directory & Domain Controller

    • tonyshowoff

      You can hack together a non-Microsoft Microsoft environment pretty well, but the ease of use, and general multisite scalability really is, as far as I am aware, only available with actual AD. I think that's a shame too. I'd love to see the Unix world have something just as dynamic, there are similar native things, but nothing at all like it. AD/LDAP is pretty slow, but actually fairly impressive for all it can provide and do on a "Microsoft network."

      Anyway, OpenLDAP is definitely a start, you can pretty much run a Windows domain off it, though like I said, with some limitations. Certainly better than Samba, which isn't even designed for that use case, nor can it scale with it like OpenLDAP can.

      • thwr @tonyshowoff

        @tonyshowoff Microsoft is quite powerful in client management, something I'm missing in the *NIX world. Puppet or Ansible for example could be a starting point, but not a replacement as far as I can tell.

        Edit: Sorry, mixed Samba and OpenLDAP. Fixed that in my initial post.

        • tonyshowoff @thwr

          @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

          @tonyshowoff Microsoft is quite powerful in client management, something I'm missing in the *NIX world. Puppet or Ansible for example could be a starting point, but not a replacement as far as I can tell.

          Edit: Sorry, mixed Samba and OpenLDAP. Fixed that in my initial post.

          Definitely lacking in client side, though you can use LDAP with KDE's login system if you have X running on boot. That's pretty close, though your GPOs are often meaningless. I always used to hold out hope for ReactOS, it was promising, but the project is too mismanaged and team unmotivated. I've always wanted an NT-POSIX kernel, but I'm afraid maybe that train has sailed.

          • thwr @tonyshowoff

            @tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

            @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

            @tonyshowoff Microsoft is quite powerful in client management, something I'm missing in the *NIX world. Puppet or Ansible for example could be a starting point, but not a replacement as far as I can tell.

            Edit: Sorry, mixed Samba and OpenLDAP. Fixed that in my initial post.

            Definitely lacking in client side, though you can use LDAP with KDE's login system if you have X running on boot. That's pretty close, though your GPOs are often meaningless. I always used to hold out hope for ReactOS, it was promising, but the project is too mismanaged and team unmotivated. I've always wanted an NT-POSIX kernel, but I'm afraid maybe that train has sailed.

            ReactOS is definitely interesting, I've been following it for years. But it seems to like the HURD kernel somehow 😉

            Authentication on the *NIX side shouldn't be much of a problem at all, there are PAM LDAP modules available and widely in use.

            • Deleted74295

              How do the big boys do it for client machines I wonder? I've heard the argument that a Linux admin can manage more servers than a Windows admin but what about client machines?

              • thwr @Deleted74295

                @Breffni-Potter That's the point...

                • coliver

                  What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

                  • thwr @coliver

                    @coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                    What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

                    Using Microsoft's RSAT tools or something like that?

                    Well, let's assume we want a full-featured domain with two sites connected via VPN with like 100 Windows clients. We need things like machine accounts, managed service accounts and so on.

                    • coliver @thwr

                      @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                      @coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                      What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

                      Using Microsoft's RSAT tools or something like that?

                      Well, let's assume we want a full-featured domain with two sites connected via VPN with like 100 Windows clients. We need things like machine accounts, managed service accounts and so on.

                      Yes, you can manage a Samba4 domain with RSAT tools. It will also work across a VPN. Not sure about service accounts but those would also probably work.

                      • thwr @coliver

                        @coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                        @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                        @coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                        What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

                        Using Microsoft's RSAT tools or something like that?

                        Well, let's assume we want a full-featured domain with two sites connected via VPN with like 100 Windows clients. We need things like machine accounts, managed service accounts and so on.

                        Yes, you can manage a Samba4 domain with RSAT tools. It will also work across a VPN. Not sure about service accounts but those would also probably work.

                        Will set up a test VM tomorrow 😉 Thank you

                        • travisdh1

                          SAMBA is currently limited to 2008R2 level functionality. So if you've already made the move to 2012, I don't know that SAMBA will work very well.

                          I have it running as the only AD/LDAP service on the network, so it's not an issue.

                          • brianlittlejohn

                            If you just have Linux clients, FreeIPA works well.

                            • scottalanmiller @thwr

                              @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                              Samba is quite capable of running AD, but what about management options or multi-site environments?
                              What is the issue with management (the Windows tools should work with it) and what happens with multi-site?

                              • scottalanmiller @thwr

                                @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                @coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

                                Using Microsoft's RSAT tools or something like that?

                                Yes, that's how it is expected to be managed because no one would run Samba as an AD unless you had Windows somewhere, right? So if you do, you have RSAT. So RSAT makes the most sense. If you lack RSAT, you don't need Samba.

                                • tonyshowoff @thwr

                                  @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                  @tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                  @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                  @tonyshowoff Microsoft is quite powerful in client management, something I'm missing in the *NIX world. Puppet or Ansible for example could be a starting point, but not a replacement as far as I can tell.

                                  Edit: Sorry, mixed Samba and OpenLDAP. Fixed that in my initial post.

                                  Definitely lacking in client side, though you can use LDAP with KDE's login system if you have X running on boot. That's pretty close, though your GPOs are often meaningless. I always used to hold out hope for ReactOS, it was promising, but the project is too mismanaged and team unmotivated. I've always wanted an NT-POSIX kernel, but I'm afraid maybe that train has sailed.

                                  ReactOS is definitely interesting, I've been following it for years. But it seems to like the HURD kernel somehow 😉

                                  Unlike HURD, ReactOS is actually contributing something and has, primarily back into Wine and other projects, but something. HURD is basically the ghost of Stallman's dream which he now lives vicariously through Torvalds by taking credit for his work. I've said it before, and I'll say it again, if it truly is GNU/Linux, then it's also Zend/WordPress, Borland/YourCPrograms, NodeJS/MangoLassi, etc. Give me a break.

                                  • thwr @scottalanmiller

                                    @scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                    @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                    Samba is quite capable of running AD, but what about management options or multi-site environments?

                                    What is the issue with management (the Windows tools should work with it) and what happens with multi-site?

                                    Sorry, didn't see your question because of the formatting. FTFY.

                                    Like I said, the whole topic is just about discussing valid alternatives for the typical SMB / EDU environment. I was aware that Samba 4 got full DC capabilities, at least when it comes to authentication. I did not know about its GPO support and other things like replication between "DC"s or the possibility to use Microsoft's RSAT tools for management.

                                    @coliver (and you) mentioned one can use RSAT for management. That's good and would mean that the Samba4 team is trying hard to get to a high level of compatibility. How to say... looks like a perfect replacement for a real DC.

                                    Back to your question, multi-site (and/or subdomain) is quite an important feature in case you have a branch office, for example.

                                    • thwr @scottalanmiller

                                      @scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                      @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                      @coliver said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                      What abilities are you, theoretically, looking for? Samba4 is a full DC drop in. You can manage Group Policies with a Windows desktop on a Samba4 domain.

                                      Using Microsoft's RSAT tools or something like that?

                                      Yes, that's how it is expected to be managed because no one would run Samba as an AD unless you had Windows somewhere, right? So if you do, you have RSAT. So RSAT makes the most sense. If you lack RSAT, you don't need Samba.

                                      Sure, just asked because I wanted to know if you can use RSAT or if you have to use some Samba-made tools. Using RSAT is perfectly fine.

                                      • thwr @tonyshowoff

                                        @tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                        @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                        @tonyshowoff said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                        @thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                        @tonyshowoff Microsoft is quite powerful in client management, something I'm missing in the *NIX world. Puppet or Ansible for example could be a starting point, but not a replacement as far as I can tell.

                                        Edit: Sorry, mixed Samba and OpenLDAP. Fixed that in my initial post.

                                        Definitely lacking in client side, though you can use LDAP with KDE's login system if you have X running on boot. That's pretty close, though your GPOs are often meaningless. I always used to hold out hope for ReactOS, it was promising, but the project is too mismanaged and team unmotivated. I've always wanted an NT-POSIX kernel, but I'm afraid maybe that train has sailed.

                                        ReactOS is definitely interesting, I've been following it for years. But it seems to like the HURD kernel somehow 😉

                                        Unlike HURD, ReactOS is actually contributing something and has, primarily back into Wine and other projects, but something. HURD is basically the ghost of Stallman's dream which he now lives vicariously through Torvalds by taking credit for his work. I've said it before, and I'll say it again, if it truly is GNU/Linux, then it's also Zend/WordPress, Borland/YourCPrograms, NodeJS/MangoLassi, etc. Give me a break.

                                        That was more or less a joke or an anecdote. But you are right, we have yet to see something from HURD. ReactOS is something to take seriously, their problem is just the small contributor/dev base. But building a system which is binary compatible with Windows and even looking like that is just an awesome job.

                                        • scottalanmiller

                                          GPOs are handled completely through SMB shares, not Active Directory itself. So Linux has handled GPOs since the beginning. It was only the AD functionality that had to come recently. Even in Windows 2000 you could use Linux for the GPO handling.

                                          • tonyshowoff @scottalanmiller

                                            @scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

                                            GPOs are handled completely through SMB shares, not Active Directory itself. So Linux has handled GPOs since the beginning. It was only the AD functionality that had to come recently. Even in Windows 2000 you could use Linux for the GPO handling.

                                            I don't deny that, to clarify, I was referring to GPOs not being served by Linux, but rather the other way around, Linux obeying them, or even knowing what they are, e.g. the GPO to hide cmd from the start menu won't hide the xterm icon. That seems obvious, I'm just saying it'd be great to have that sort of full coverage, perhaps at least a fork of KDE or something which implemented this.
