Samba as a full AD replacement? Easiest deployment?
Posted by tr33mendous@reddit | linuxadmin | 6 comments
I have a web service I'm setting up which integrates with AD for user management. I don't have a Windows Server infrastructure. I use Samba for file services, but not domain controller functions. So, I'm wondering if others can comment on how completely Samba implements the AD DC feature set.
Two specific things it needs are: LDAP support for user management, and "Global Catalog" support for enumerating the domain components.
Are there any suggestions for easy deployment? For example, are there any pre-built VM images which act as domain controllers?
denverpilot@reddit
The first question should be:
What are you currently using for centralized user management?
If the answer today is “nothing”, you need to evaluate whether it’s time to set up real AD or not.
Because setting up an alternative works fine until you later need real AD, and then you’ll just be doing it all over again. Massive waste of time.
If you have ANY intention of ever having centralized “stuff” managing Windows boxes, none of the alternatives handle it as well as AD. Just the nature of the beast.
Conversely, all of the other OS platforms (even OSX but it’s crappy) will all talk natively to AD.
So... don’t paint yourself into a corner later on... if you’re going to have Windows in the shop, of any scale larger than a few machines, you’re eventually going to need AD.
The reverse isn't true.
Setting up FreeIPA is good advice IF... you’re never going to support any significant number of Windows machines. Or not for a long time on your growth path.
BosonCollider@reddit
For some people, effectively banning windows machines is a feature.
The question to me is if there are any other features of AD that it provides to linux boxes
denverpilot@reddit
Wow. A reply from four years ago. Haha.
The “if there will be any Windows in the shop” was critical path for the question, as stated. Grin.
Realistically it’s really rare to not have some of it somewhere in a business. I’ve only worked adjacent to one that had not a single Windows machine anywhere in their company, wasn’t us… just a vendor and sysadmins I knew.
It did hamper them on some things their uppers wanted. Whether that was wise four years ago or today, I’d say is a new topic altogether.
They were a tiny shop too. Not exactly “Enterprise” sized. Any place at scale is likely going to have Windows around somewhere.
I’m agnostic. Use whatever you like. I got over being religious about OSes a decade ago and it took me twenty plus years. Hahah. Don’t care.
I do know using raw LDAP at one shop for auth was unnecessarily painful. Doable but painful. It’s a LOT easier to find self service tools for other departments that know how to speak AD than raw OpenLDAP that also have decent user auth security on the TOOL front end. Haha.
Of course the era of off site third party auth mechanisms came along too. Duo and the like.
Zealousideal_Seat_43@reddit
FreeIPA using 389DS as the LDAP server is a viable solution if no Windows boxes are involved. I've found that Samba4 AD DC may not be a perfect alternative to MS AD, but it is so close; other Windows boxes integrate perfectly, as well as, of course, Linux boxes, which can authenticate to it a few different ways:
1) SSSD
2) Kerberos5
3) Winbind
I've been messing around with a samba4 active directory setup at home now for over a year and its support is pretty comprehensive.
denverpilot@reddit
Yeah. You’re replying to a post six years old. FreeIPA was a shit show back then. lol
Zealousideal_Seat_43@reddit
Samba's implementation of AD is very good, as long as you're all right with command-line administration, or you could use a Windows machine (or virtual machine) to do the admin work. Samba has no GUI, but it does have its own LDAP implementation, DNS, etc. It mimics a Windows AD domain controller as far as functionality almost perfectly. Let's face it, even Windows AD is buggy with some well-known issues and hiccups.

I'm running it right now on my own home lab: 2x HP DL360 Gen 8 servers, both running Xen on openSUSE, and each hosts 10 virtual machines. It is a seamless integration as far as Windows clients and Linux clients are concerned. Its main drawback is no GUI, and they now made it so that you have to use their internal LDAP server; it won't work with OpenLDAP or 389DS. You can use BIND9 for DNS or you could use their built-in DNS server; either option works perfectly fine.
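The procedure the last two comments describe (samba-tool administration, Samba's own LDAP backend, internal DNS or BIND9, and SSSD/Kerberos/Winbind on the Linux client side), written out as an added example. This is not code from any poster in this thread or from the Samba project. The realm, NetBIOS domain, DC hostname, the systemd unit name and the way the admin password is supplied are assumptions; the Global Catalog check on port 3268 covers the enumeration requirement the original post raised.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from the Samba
# project): provision a Samba 4 AD DC from the command line and join a Linux
# client to it with SSSD, with the checks to run before trusting the domain.
# REALM, DOMAIN, DC_FQDN, the unit name and the password source are assumptions;
# set DRY_RUN=1 to print the commands instead of executing them.
set -eu

REALM="${REALM:-AD.EXAMPLE.LAN}"            # assumed Kerberos realm (upper case)
DOMAIN="${DOMAIN:-AD}"                      # assumed NetBIOS domain name
DC_FQDN="${DC_FQDN:-dc1.ad.example.lan}"    # assumed DC hostname
ADMIN_PASS="${ADMIN_PASS:-}"                # from the environment, never hard-coded

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

run() {                                     # execute, or print when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# samba-tool wants an upper-case realm that is also a DNS name; validate first
# rather than discover it after a half-provisioned domain.
realm_ok() {
  case "$1" in
    *[[:lower:]]*|*' '*) return 1 ;;
    *.*)                 return 0 ;;
    *)                   return 1 ;;
  esac
}

provision_dc() {
  [ -n "$ADMIN_PASS" ] || { echo "ADMIN_PASS is empty" >&2; return 1; }
  realm_ok "$REALM" || { echo "REALM must be an upper-case DNS name" >&2; return 1; }
  # Samba's own LDB directory is the only supported backend (no OpenLDAP/389DS).
  # --dns-backend=BIND9_DLZ is the alternative if BIND 9 already runs here.
  # --adminpass lands in the process list: run from a console, rotate afterwards.
  run samba-tool domain provision --use-rfc2307 \
      --realm="$REALM" --domain="$DOMAIN" --server-role=dc \
      --dns-backend=SAMBA_INTERNAL --adminpass="$ADMIN_PASS"
  run systemctl enable --now samba-ad-dc   # unit name as on Debian/Ubuntu (assumption)
}

verify_dc() {
  domain_dns=$(lower "$REALM")
  run samba-tool dbcheck                              # directory consistency
  run host -t SRV "_ldap._tcp.$domain_dns"            # clients locate the DC via SRV
  run host -t SRV "_kerberos._udp.$domain_dns"
  run host -t SRV "_gc._tcp.$domain_dns"              # Global Catalog advertised?
  # The Global Catalog answers on 3268 (3269 over TLS); a base search of the
  # rootDSE there lists the naming contexts a GC-aware application will enumerate.
  run ldapsearch -H "ldap://$DC_FQDN:3268" -x \
      -D "Administrator@$REALM" -w "$ADMIN_PASS" \
      -b "" -s base namingContexts
}

join_client() {
  # realmd finds the DC through the SRV records checked above;
  # --client-software=winbind is the other option, adcli or net ads join for manual joins.
  run realm join --client-software=sssd --user=Administrator "$(lower "$REALM")"
  run kinit "Administrator@$REALM"                    # Kerberos path end to end
  run id "administrator@$(lower "$REALM")"            # SSSD resolves domain users
}

case "${1:-}" in
  dc)     provision_dc; verify_dc ;;
  client) join_client ;;
  *)      echo "usage: $0 dc|client" >&2 ;;
esac
```

Run `dc` on the future domain controller and `client` on each Linux box; `DRY_RUN=1 ./script dc` prints the plan without touching the system. The SRV lookups matter more than they look: a client that cannot resolve `_ldap._tcp` and `_kerberos._udp` for the domain will fail to join whether Samba or Windows is serving it, and the `_gc._tcp` record plus the 3268 search is the quickest way to confirm the Global Catalog role the original post needs is actually being served.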