As probably one of the more AD-focused participants on HN, I have to approach this with a good dose of skepticism w.r.t. large companies adopting Samba for complex AD environments. AD + DFSN + (DFSR|NTFRS) + LDAP + SSL + RPC + NTP + GPO + CIFS + NTFS + SDDL + WMI + ADWS + etc., is an extremely complex set of stuff to implement, and the cost of supporting a third-party version could, IMHO, easily dwarf the cost of a few Windows licenses to run the domain controllers.
So many examples come to mind that it is hard to pick just one or two... consider an organization that configures access to Windows event logs (audit trails) and SMB signing requirements via GPO; will Samba 4 Domain Controllers honor that? What does it even mean to have access to modify the security auditing policy on a Samba DC without totally reimplementing the eventing system (syslog is not even close)?
In other words, AD sits on top of a ton of mature but sophisticated Windows services, the failure of any of which could be a critical problem, and make for a tough sell unless one has a pathological hatred of Microsoft yet still wishes to use AD anyway.
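The SMB signing question raised above is one a practitioner can settle on the wire rather than by trusting either the GPO or the Samba side (where the corresponding smb.conf knob is `server signing = mandatory`). The script below is an added example written for this thread, not code from Samba, Microsoft or any commenter: it builds a constructed SMB2 NEGOTIATE response using the MS-SMB2 section 2.2.4 layout, decodes the SecurityMode flags, and compares the result with the policy the administrator intended. The GUID, size limits and sample flag values are arbitrary; sending a real NEGOTIATE to TCP 445 and feeding the captured reply to `parse_negotiate_response` is left to the reader.

```python
"""Decode an SMB2 NEGOTIATE response and report the signing policy a server
actually advertises.  Added example for this thread, not Samba or Windows
code; flag values and layouts follow MS-SMB2 2.2.4, and every byte string
here is constructed, not captured from a real server."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every server response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # SecurityMode bits (MS-SMB2 2.2.4)
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
NEGOTIATE_RESP_SIZE = 65                  # 64-byte fixed body + 1 byte of Buffer
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1"}


def build_negotiate_response(security_mode, dialect=0x0302):
    """Constructed sample response; GUID and size limits are arbitrary."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        NEGOTIATE_RESP_SIZE, security_mode, dialect, 0, b"\x11" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, SMB2_HEADER_LEN + 64, 0, 0)
    return header + body


def parse_negotiate_response(msg):
    """Return dialect and signing flags from the header plus fixed body."""
    if len(msg) < SMB2_HEADER_LEN + 64:
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (an SMB1 reply starts 0xFF 'SMB')")
    hdr_size, _charge, status, command, _credits, flags = \
        struct.unpack_from("<HHIHHI", msg, 4)
    if hdr_size != SMB2_HEADER_LEN or command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("this is a request, not a server response")
    if status != 0:
        raise ValueError("server returned NTSTATUS 0x%08x" % status)
    body_size, security_mode, dialect = \
        struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if body_size != NEGOTIATE_RESP_SIZE:
        raise ValueError("unexpected body StructureSize %d" % body_size)
    return {
        "dialect": DIALECTS.get(dialect, "0x%04x" % dialect),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def check_signing_policy(msg, expect_required):
    """Compare what the server advertised with the policy the admin intended.

    expect_required=True models the 'sign communications (always)' setting;
    False only asks that signing be offered at all."""
    info = parse_negotiate_response(msg)
    state = ("required" if info["signing_required"]
             else "enabled but optional" if info["signing_enabled"]
             else "disabled")
    ok = info["signing_required"] if expect_required else info["signing_enabled"]
    return ok, "SMB %s: signing %s" % (info["dialect"], state)


if __name__ == "__main__":
    for mode in (0x0001, 0x0003):
        ok, text = check_signing_policy(build_negotiate_response(mode), True)
        print("PASS" if ok else "FAIL", text)
```

The check deliberately refuses SMB1 replies and non-zero NTSTATUS values instead of guessing, because a server that falls back to SMB1 or rejects the dialect list is itself a finding worth reporting.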
I think you don't really understand what Samba is for: OEMs. There are several very large companies selling rock solid enterprise NAS devices that need a rock solid implementation of CIFS on top of the seamless ability to join an AD domain. When large companies want to set up Windows file servers, they don't exactly want to stick a bunch of hard drives in a server and pray it doesn't go down - even clustered Windows file servers are extremely complex and have all kinds of failure modes that can cause hours or even days of downtime. Large companies simply want to buy a NetApp or some other enterprise class NAS storage device and have it integrate seamlessly with their Windows AD infrastructure. Samba now offers that. Storage companies that are experts at building highly redundant no single point of failure systems can now use open source software to deliver technology to the enterprise.
Hmm, you're arguing against a point I didn't make... my concerns are around replacing AD Domain Controllers with Samba. I think Samba's core bits do a fine job as a SMB/CIFS server along with krb5/PAM and Winbind.
> my concerns are around replacing AD Domain Controllers with Samba.
Here for us (not OEM) the whole AD stack you mentioned is completely overkill, and the stuff implemented by this Samba release looks terribly like covering 99% of what we use and need in our half windows (customer TSE access, networked file store), half linux (web hosting + many services) infrastructure.
In my tech environment, 3 cost-driven retailer clients with ~1000 branches have some 3rd party software which requires some AD to be present. Samba 4.x will be a nice option. They will start by migrating some branches from Windows Servers to Linux based AD services and move ahead as they see success.
Most people try to measure the cost benefit of free software, with TCOs, CALs, admin salaries etc. That is fine, but the true benefit of free and open source software in my experience:
1) The absence of license considerations in designing and developing systems; this frees the designer's mind in planning, and building. Now the system components can be planned without fear of a multitude of diverse, artificial license schemes.
2) The absence of a license-selling company; this frees the management's mind in estimating and revising the costs moving ahead. License-sellers like Oracle, Microsoft are well known for figuring out diverse sets of confusing licensing schemes. They spend their money in hiring the best sales people, who are famous for hunting and then farming clients in the span of 5-10 years ahead by first locking them down.
I counted 21 references to "Active Directory" in the release announcement (out of 26 paragraphs). Judging from this, AD may actually be a primary target use.
It's not the cost of a few domain controllers...it's the $50-60/user cost of client access licenses (CALs). I have 2500 users...that's quite a pricey (approx. $62K) system for directory services.
If getting AD Domain Services off of Windows will actually avoid the need to buy any Windows Server CALs, then it certainly makes the proposition more interesting. But, this presumes that nearly all the other services (file sharing, http, etc.) are also not Windows.
I have to buy user CALs for #1 and #2. One CAL gives me the right to connect that user to any of our file shares and to AD. IIRC, that cost when we last purchased was around $50/user.
We also have to buy a separate CAL for Exchange.
I would love to replace AD and our Windows file shares with Samba 4, provided that it was a stable, viable replacement which didn't add a lot of overhead for our admins. Exchange is a separate issue, and one we're currently exploring Zimbra as a possibility. It's early days yet there.
Almost everything else in our environment is Linux.
I have to say that Microsoft convincing businesses that they need to pay to connect to servers that they've already paid for is a sheer piece of economic genius. Morally abject, but still brilliant financially nonetheless.
1. I wouldn't need to hire an extra IT person. I already have very capable Linux admins.
2. Bad Windows sysadmins are less expensive than good Linux sysadmins. I agree with you there. Good Windows admins, however, are just as expensive. Trust me...I've hired quite a few.
3. Again, I have well-trained Linux guys on staff.
4. This is a very valid possibility we'll need to consider.
5. Not worried about that at all. We use a lot of open source without commercial support options, and our experience with Microsoft support is four hours of scripted troubleshooting on average, with about a 60% success rate of resolution.
6. Not concerned with this at all. Samba has been here for a long while and I don't think it's going anywhere.
But IT departments are expensive, why can't we just hire kids without college degrees to work minimum wage and make millions of dollars of hardware sing in harmonious chorus? The kids are good with the computers right?
If it potentially could save licensing costs of about one sysadmin it is worth looking at. It is unlikely (but possible) an entire additional sysadmin will need to be employed just to support Samba.
Agreed. We currently have to keep a Windows admin on staff (who actually costs a lot more than the CALs) just to manage our shares, Exchange, and file servers. It'd be nice to get these final pieces of the Windows puzzle out of our environment and staff solely Linux admins.
But I do agree with dbrain's sentiment. If it was going to have a significantly higher TCO, I wouldn't do it.
There's definitely a benefit for having those "one off" admins around. I'm the one Linux guy surrounded by 4 Windows admins. The services I'm responsible for can easily be pushed on to Windows servers... but I'm kept around for the off chance that some software will only run on Redhat or Citrix or whatever. But I'm also useful in how I approach tasks. My coworkers are quick to search Google for an answer, download a tool and have it do the dirty work. I'd rather look at the documentation, source code or API, raw log files, or even write my own tool to do whatever's necessary. Neither philosophy is wrong. But some are definitely better.
All that being said, I'm also underpaid (80% regional average). Maybe that's the real reason they keep me around.
... and if you have enough control over your environment to replace Windows Server as a domain controller, why would you be using the AD stack to begin with?
Aye, if one has that much motivation to chuck Windows for AD, then it's only logical that Windows on the desktop, Exchange, etc., are not on the scene.
I've done a lot of work with other directory servers too, and AD does the best job of any when it comes to multimaster replication and a few other things. However, using it purely for LDAP for an environment full of Linux and OS X machines is a tough call...
Why? I have such motivation, yet I have no intent on eliminating Windows from our desktops. That would be very disruptive to our 2.5K users, and Windows does a pretty decent job there. However, AD is very pricey due to CALs, and what it gives me is IMO not worth the price if I can replace it with Samba 4. That said, we're only beginning to explore this option, so it may not be viable or wise.
Just like many existing development companies have Windows-based infrastructure with both Windows and Linux on end-user systems, it makes sense to have Linux-based infrastructure while still supporting Windows end-user systems.
Linux support for AD also allows incremental migration of this infrastructure.
Rsyslog is way beyond Windows Event Logger. Audit trails should still work but I don't know if your GPO maps to server configuration automatically. It's easy to test, though. If you want to get started with Samba quickly, you can use Zentyal.
I didn't mean to say that the Windows Event Log is better than syslog or Rsyslog, but it has a particular structure that is really dissimilar, as well as access patterns (WMI, WinRM) that lack an analog.
That's MSFT and their NIH syndrome for you. Fortunately, there are several projects which allow you to map Event Log to syslog such as the aptly named "Eventlog To Syslog" ( http://code.google.com/p/eventlog-to-syslog/ ). This allows you to replace WMI with actual SQL (as Event Log can't use an SQL backend itself), and leverage all of the functionality of an RDBMS.
Similarly, my employer offers a product[1], which I have worked on, that can subscribe to Event Logs, syslog, ZMQ, etc., and do whatever you like with them. The inspiration to write this was the near-impossibility of getting the interesting, mostly AD-related stuff before all the super-chatty, useless crap pushes it out of the circular logs.
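The Event Log to syslog mapping discussed in the two comments above, and the problem of keeping the AD-relevant events ahead of the chatter, can be shown concretely. The script below is an added example written for this thread, not code from "Eventlog To Syslog", from the commenter's product, or from Samba: it takes Windows Security-log events in their XML form, emits RFC 5424 lines with the event data carried as structured data, and forwards only a chosen set of event IDs. The event XML is constructed sample data; the event IDs (4624, 4625, 4719, 4720, 4726, 4728, 4732, 4756) are the standard Windows Security-Auditing ones, but which of them count as "interesting", the `win@32473` SD-ID (32473 is the RFC 5612 example enterprise number) and the severity mapping are this example's own choices.

```python
"""Map Windows Security-log event XML onto RFC 5424 syslog and keep only the
AD-relevant event IDs.  Added example for this thread, not any product's or
project's code.  SAMPLE_EVENTS is constructed data."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FACILITY_AUTH = 4        # syslog LOG_AUTH; PRI = facility * 8 + severity
ENTERPRISE_ID = "32473"  # RFC 5612 documentation enterprise number (placeholder)

# Example selection of Security-Auditing IDs worth forwarding ahead of the
# per-logon chatter (the IDs are standard; the selection is this example's).
INTERESTING = {
    4625: "logon failure",
    4719: "system audit policy changed",
    4720: "user account created",
    4726: "user account deleted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
}

_EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
          '<EventID>%d</EventID><TimeCreated SystemTime="%s"/>'
          '<Computer>dc1.corp.example</Computer></System>'
          '<EventData>%s</EventData></Event>')
SAMPLE_EVENTS = [  # constructed, not exported from a real DC
    _EVENT % (4624, "2012-12-11T10:15:30.1234567Z",
              '<Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data>'),
    _EVENT % (4625, "2012-12-11T10:15:31.0000000Z",
              '<Data Name="TargetUserName">bob</Data><Data Name="Status">0xc000006d</Data>'
              '<Data Name="IpAddress">10.0.0.7</Data>'),
    _EVENT % (4728, "2012-12-11T10:16:02.5000000Z",
              '<Data Name="MemberName">CN=bob,CN=Users,DC=corp,DC=example</Data>'
              '<Data Name="TargetUserName">Domain Admins</Data>'),
]


def _sd_escape(value):
    """RFC 5424 6.3.3: escape backslash, double quote and ']' in PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def _rfc5424_time(system_time):
    """Windows writes 7 fractional digits; RFC 5424 allows at most 6."""
    if "." not in system_time:
        return system_time
    base, frac = system_time.split(".", 1)
    return "%s.%sZ" % (base, frac.rstrip("Z")[:6])


def severity_for(event_id):
    """4625 -> warning(4); other interesting IDs -> notice(5); rest -> info(6)."""
    if event_id == 4625:
        return 4
    return 5 if event_id in INTERESTING else 6


def event_to_syslog(xml_text):
    """Render one event as an RFC 5424 line with EventData as SD-PARAMs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    provider = system.find("e:Provider", NS).get("Name")
    host = system.findtext("e:Computer", namespaces=NS)
    ts = _rfc5424_time(system.find("e:TimeCreated", NS).get("SystemTime"))
    # Data Name attributes (e.g. TargetUserName) are valid SD-PARAM-NAMEs.
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind("e:EventData/e:Data", NS)}
    sd = " ".join('%s="%s"' % (k, _sd_escape(v)) for k, v in fields.items())
    pri = FACILITY_AUTH * 8 + severity_for(event_id)
    label = INTERESTING.get(event_id, "event %d" % event_id)
    return "<%d>1 %s %s %s - %d [win@%s %s] %s" % (
        pri, ts, host, provider, event_id, ENTERPRISE_ID, sd, label)


def interesting_lines(xml_events):
    """Forward only the events in INTERESTING, dropping e.g. every 4624."""
    out = []
    for xml_text in xml_events:
        event_id = int(ET.fromstring(xml_text).find("e:System/e:EventID", NS).text)
        if event_id in INTERESTING:
            out.append(event_to_syslog(xml_text))
    return out


if __name__ == "__main__":
    for line in interesting_lines(SAMPLE_EVENTS):
        print(line)
```

Filtering on the event ID before rendering is the point of `interesting_lines`: the 4624 logon-success flood is what pushes the account and group changes out of a circular log, so it is discarded at the source while the 4625 and 4728 records go out with distinct severities a syslog receiver can route on.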
Any news on if Samba 4.0 is still single-threaded? (the page isn't loading for me) I recently wanted to use Samba, but was limited by performance on a low-end dual core processor: it'd max out one core, and be unable to use the other. I'm sure they have (or have had) good reasons for not doing this, but with so many low-power multicore processors out there now it seems a shame...
HURD can largely be regarded as a cruel joke. It's been under development for over twenty years (since 1990!) without yet producing a usable product. Pretty much every operating system kernel that's in use today (Linux, the BSD family, Windows NT, and XNU) is younger than HURD, and yet far more mature.
If you are measuring the current hurd kernel's age as starting from 1990, then the BSD kernels are far older, not younger. The initial release was in 1977, and obviously development started before that.
That said, hurd is essentially abandoned at this point. Even RMS has accepted that it will never be completed, and has said that it really doesn't matter since there's already a free kernel available (linux).
"Get Xorg + gnome/kde/xfce (xfce should work, kde is missing working dbus (due to local socket auth and bugs in select() cornercases)) + some webbrowser working (iceweasel 9 works, though not https)."
One more stake in Microsoft's coffin? With their Win8 tablet/mobile strategy not doing too great and rapidly improving office alternatives... Is the MS legendary lock-in cracking apart?
The rise of mobile gaming and more interest in MacOSX and Linux brought more attention to OpenGL, SDL and etc. It definitely threatened the dominance of DirectX.
UPDATE: I tried restarting my browser, and then it worked BUT after trying to do a binary search on which cipher setting was the "fix", I got to where everything was back to default, and the site still works. Probably there was a site problem that was fixed in the interim.
There are few people running Windows AD who are going to view this as their next step, largely because they've already become used to running those Windows boxes.
For groups who aren't fully invested in AD, or need compatibility with those who are, this is a major win.
Microsoft AD is the ONLY reason many companies (Apple shops included) have Microsoft servers. People cannot imagine how disruptive a fully operational Samba 4.0 AD is for Microsoft. (like a fully operational space station with a planet destroying laser :p)
How are the GUIs for Samba 4.0 AD features? I usually prefer nice configuration files, but the Windows Server features were very easy to learn. Another nice thing about Windows Server, updates are "free" after a high up-front cost.
Not immediately, but the thing that people can set up and try and say "yeah, sure, problem solved" has a funny way of making its way into the rack. Whether it does or doesn't in a specific case usually just comes down to whether the one supporting it likes Vi, Emacs, or Word.
Google Docs has no relation to OpenOffice iirc. The word processor came from writely and the spreadsheets was some other company's source code, the rest was just extensions on that.
When people start mentioning price for these sorts of things I get a little confused. Volume licensing for a bunch of Hyper-V servers running 20-30 Windows guests is actually quite cheap (you only have to pay for each licensed host server). I also have seen mention of a per user cost for AD? Not sure where you got that from... I think Exchange goes for about 6 bucks a user or so. The next office setup I'll be looking at will be three beefy Hyper-V servers running most applications on Windows Core. Windows is now getting to the point where the only time I need to do any work is for weekly Windows updates.
Windows licensing is somewhat a mess, between user CALs, device CALs, processor CALs, or combinations thereof. You can see why Google's $50/user/year price is attractive - no hardware to buy, no CALs to buy, no client software to buy.
Some companies have more than 20-30 employees. All these "quite cheap" expenses quickly add up. This is money better spent towards getting a better product on the shelves.
Now when you consider that managing unix machines requires much less work to begin with, you can't look at "quite cheap" the same way anymore - it's actually "quite expensive".
Not to mention I often see improved performance of server applications just by switching them to a linux host. Samba 4 is indeed very good news.
Fortuitously for this article, I've spent the entire day today trying to get samba sharing with AD. Oh, NT_USER_NOT_PERMITTED? Bbbut, the user is there; I even have it working on another server!
I'm sure it's my fault, but still, as of this moment, I hate samba more than almost everything.