
As part of an ongoing IT infrastructure build, I need to implement an LDAP directory using an open-source, community-backed solution.
I'm not quite sure about OpenLDAP and Samba. Do they offer roughly the same features as Active Directory?
Any insight will be appreciated.

elsadek
  • Active Directory is much more than just an LDAP directory. If it is only LDAP that you need, there are many perfectly adequate directory servers; if in fact you need to manage a Windows domain, why not use AD? – HBruijn Feb 26 '16 at 16:06
  • @HBruijn: sure, AD is more than LDAP, and I'm not looking only for an LDAP directory server. My question is meant to choose an alternative to AD's main features. – elsadek Feb 26 '16 at 17:32

1 Answer

Starting with v4.0, Samba is (or can be):

  • a file server
  • a DNS server
  • an LDAP server
  • a Kerberos server
  • an AD server

The most compelling use case for Samba4 is if you want (most of) the benefits of a Windows domain but don't want to use Windows server, either to save on licensing costs or because you want to stick with a Linux-based infrastructure.

If what you're looking for is just an LDAP directory server, it doesn't really make sense to use Samba4. If you want LDAP for a bunch of non-Windows applications to authenticate against, you're probably better off with OpenLDAP.

But if you want LDAP and need to support Windows clients, Samba4 gives you many of the same domain functions of Windows server:

  1. integrated login from Windows clients, i.e. they join the domain
  2. server management using Windows tools (RSAT - this link is for the Windows 7 version of the tools)
  3. Windows-style ACLs on file shares
  4. Group Policy support
  5. replication to other AD servers

How well do all of these work?

  1. Basic Windows client functionality - very good. PCs join a domain and log in the same way they would with Windows servers.

  2. Server management - good. You need to use both the Windows RSAT tools and the Linux command line to manage Samba4. You can do most day-to-day things with the RSAT tools (e.g. AD Users and Computers), but need to edit smb.conf to add shares.

If you were going to use Samba4 just as an LDAP server, you'd probably still want to use the RSAT tools to manage it.

  3. ACLs - In theory you can manage ACLs from the Linux side, but in practice forget it; you need to right-click and select Properties/Security. You can create ACLs using any or all of the groups you create in ADU&C.

  4. Group Policy - good. I don't have much experience with Group Policy in a purely Windows environment, but in Samba I found that everything seemed to work. We customized desktops, deployed printers, installed software.

One notable limitation of Samba is that you have to set up your own directory replication. In a Windows domain, the sysvol share replicates between DCs, but with Samba you need to set up rsync or something to handle the replication.

  5. I've never done it (we only had Linux servers), but Samba will replicate to an existing Windows Server environment. (Of course, all the Samba DCs in a domain replicate among themselves.)

But note: Samba won't replicate to OpenLDAP servers. The way AD implements LDAP and replicates is too different from the way OpenLDAP and other open-source LDAP servers work, so the Samba team only supports AD.

Support

You have fewer options for support with Samba4 compared to Windows server. With Samba you'll need to become familiar with the Samba wiki. There are lots of tutorials around, but the Wiki is almost always the most accurate source. If you implement Samba, you really should join the mailing list and learn how to search the mailing list archives.

Ward - Reinstate Monica
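Since the answer points out that Samba leaves sysvol replication to you, the one thing worth automating alongside whatever rsync job you set up is a check that the two DCs' sysvol trees actually match. The script below is an added example, not code from the answer or from the Samba project; it assumes both sysvol trees are reachable as local paths (a mount or a local rsync copy), and the paths and GPO GUID in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: detect drift between the sysvol trees of two Samba AD DCs.
# Samba does not replicate sysvol itself, so after your own rsync job runs,
# this check tells you whether Group Policy files on both DCs are identical.
set -u

# Pick whichever SHA-256 tool this host has (GNU coreutils or perl shasum).
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Print "relative/path<TAB>sha256" for every regular file under $1, sorted,
# so manifests taken on different DCs can be compared line by line.
sysvol_manifest() {
    root=$1
    ( cd "$root" && find . -type f | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "${f#./}" "$(hash_cmd "$f" | cut -d' ' -f1)"
    done )
}

# Compare two sysvol trees. Returns 0 when identical, 1 when they differ;
# the differing manifest lines are written to stderr for the operator.
sysvol_drift() {
    a=$(mktemp); b=$(mktemp)
    sysvol_manifest "$1" >"$a"
    sysvol_manifest "$2" >"$b"
    if diff "$a" "$b" >&2; then
        rc=0
    else
        rc=1
    fi
    rm -f "$a" "$b"
    return $rc
}

# Usage (placeholder paths): sysvol_drift /var/lib/samba/sysvol /mnt/dc2-sysvol
if [ "$#" -eq 2 ]; then
    if sysvol_drift "$1" "$2"; then
        echo "sysvol in sync"
    else
        echo "sysvol DRIFT detected"
    fi
fi
```

Run it from cron after the rsync job and alert on a non-zero exit; a persistent drift usually means the sync job is failing silently or someone edited a GPO on the wrong DC.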