[GRLUG] Samba 4

Adam Tauno Williams awilliam at whitemice.org
Fri Feb 15 06:21:49 EST 2013


On Fri, 2013-02-15 at 02:19 -0500, Dave Chiodo wrote:
> Out of curiosity, in an all-Linux setup, why would you need to use an
> MS protocol for anything?

(0) It is not an "MS protocol".  Documentation is on file with standards
bodies.  It was developed at Microsoft.

(a) Having an all-Linux setup is just this side of impossible.  Unless
you really never need to deal with proprietary third-party crap [and
yes, most of it is *CRAP*, but there it is].   Given vertical devices
[which includes things like lathes, fork-lifts, and CNC machines...] and
<cough>web</cough> services ["web" my *#&^]...

(b) A network of any significant size requires some means of centralized
authentication, authorization, DNS, etc...   Active Directory does this
*VERY* well.  It is pretty much the only de-facto standard.  Integrating
DNS, Kerberos, and even Time, into a directory service is just fabulous.
And fabulous + 1 when the proprietary bits will play along as well.
Running stand-alone Kerberos, and DNS services is a PITA [as each of
these services requires the other to function properly], solving that
problem by integrating them into LDAP (Directory Service) is tedious
[and sadly neither of those projects are terribly eager to help you out
- something I've never been able to understand] - and Kerberos and DNS
*are* directory services [yeah, those projects will object that they are
not.... but they are used to index services on a network... sooo... if
it walks like a duck, quacks like a duck....]

Machine says: hey, I got a DHCP lease that says I am in "EXAMPLE.COM"
and my DNS server is A.B.C.D

Machine says: I have a secret in my cache for
_kerberos._tcp.example.com... does that still work?  Oh, it does.
Everything must be OK.  It is annoying when those people power me off.

Machine says: OK, I'll look up users and groups on
_ldap._tcp.example.com find.

Machine says: Hey, someone is trying to authenticate... yep, that is a
valid login.  Let's take that password and try to get a ticket from
_kerberos._tcp.example.com.  Oh my, it worked. Logging you in now sir.

Machine says: Alright I'm logging this person in, is there anything
special I should do for them first thing?  Let's check the sysvol on the
machine that gave me the ticket to see if there is a login script or
anything.

That it should work this way is simply drop-dead obvious.   Active
Directory is a documented standard that delivers the above and has a
GPL'd implementation.  Not bad.

And who doesn't love Kerberos?

> On Thu, Feb 14, 2013 at 3:53 PM, Michael Mol <mikemol at gmail.com> wrote:
> > On Thu, Feb 14, 2013 at 3:50 PM, L. V. Lammert <lvl at omnitec.net> wrote:
> >> Has anyone started using Samba 4 as a DC? Appears to be on release 4.0.4
> >> and pretty close to reality, ..
> > In theory, it should work just fine. Was actually trying to get that
> > working earlier today, but I ran into a conflict between the kerberos
> > realm name and the domain name. (I'm guessing the lack of a FQDN is
> > where the problem is.) Probably going to try setting up an all-Linux
> > AD setup at home.
-- 
Adam Tauno Williams <awilliam at whitemice.org>
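The DNS-based service location the "Machine says" sequence walks through, as an added Python example that is not part of this thread or of Samba: it derives the Kerberos realm and the SRV owner names from the DHCP-supplied domain, then orders the SRV answers by RFC 2782 priority and weight. The zone contents are constructed sample data, not real records.

```python
import random
from collections import namedtuple

# One SRV resource record as a resolver would return it (RFC 2782).
SRV = namedtuple("SRV", "priority weight port target")

# Constructed sample zone standing in for real DNS answers.
SAMPLE_ZONE = {
    "_kerberos._tcp.example.com": [
        SRV(0, 100, 88, "dc1.example.com"),
        SRV(0, 100, 88, "dc2.example.com"),
        SRV(10, 0, 88, "dc-backup.example.com"),   # only tried if both fail
    ],
    "_ldap._tcp.example.com": [
        SRV(0, 100, 389, "dc1.example.com"),
        SRV(0, 100, 389, "dc2.example.com"),
    ],
}


def realm_from_domain(domain):
    """Kerberos realms are upper case by convention; DNS names are not."""
    return domain.rstrip(".").upper()


def srv_name(service, domain, proto="tcp"):
    """Owner name a domain member queries to find a service, e.g. _ldap._tcp.<domain>."""
    return f"_{service}._{proto}.{domain.rstrip('.').lower()}"


def order_srv(records, rng=random):
    """RFC 2782 ordering: lowest priority first, weighted random draw within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]                      # all weights zero: take in order
            if total:
                n, acc = rng.randint(0, total - 1), 0
                for r in group:
                    acc += r.weight
                    if n < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def locate(service, domain, zone=SAMPLE_ZONE, rng=random):
    """(host, port) candidates for a service in the domain, best first."""
    return [(r.target, r.port) for r in order_srv(zone.get(srv_name(service, domain), []), rng)]
```

A real member would hand the ordered host list to its Kerberos and LDAP client libraries; `locate("kerberos", "EXAMPLE.COM")` shows which DCs it would try and in what order.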


