On Mon, Sep 19, 2016 at 8:11 PM, alexbm...@gmail.com
> It would be interesting to insert GPO referring to samba.
> To: Relevance of NT4 domains vs. AD domains.
So, I'm going to step back, to where this all starts.
First off, I can be "snarky" at times in public discussions. I fully
admit that. Part of that reason is that I hear these comments all too
often, and I have to ask people's managers to not include them in
meetings until later. That way we can get things done.
Because, secondly, as I mentioned before ...
o The cringe-worthy ...
The sad thing here is, AD architects follow me better than Linux
"enthusiasts." Especially when I explain SSSD modular stack as being
like the NT LSA modular stack.
I literally _cringe_ when Linux "enthusiasts" tell client
stakeholders, "Oh, Linux doesn't have something like that, or it's not
easy to support, so just buy" ... (insert really expensive,
So, when people say "Why doesn't Linux use GPOs?", and "Samba can
replace AD" and even "Linux doesn't have something like AD," etc.,
it gets exceedingly difficult, especially since some of these
facilities have little to do with real-world, corporate deployments.
They are all standalone, division or SMB deployments.
Most corporate deployments of "mixed environments" already have
separate AD and LDAP, some with some sort of Exchange, others possibly
with AD for all Kerberos authentication, while LDAP is used for all
POSIX attributes. In nearly all cases of the last few years, most are
now using SSSD, instead of any legacy, client-side setup. With SSSD
comes the ability for true, universal Policy Objects on Linux.
And IPA as a drop-in, which then adds AD Forest Trusts.
Again, since we've gone from Mixed Environments, to Security, let's
look at how IPA works with AD, and how Samba does not. Especially
since Microsoft is basically forcing IPA adoption, after dropping IDMU
in Windows 10/Server 2016. To start, I'll include this reddit post
from 2015. It highlights the real issues a lot of corporations
have with the Samba AD DC functionality.
Again, the biggest issue with Samba AD DC is that it really doesn't
like AD Forests, with lots of domains, and the underlying Linux system
that the Samba service is running on cannot be managed by AD well at
all. In fact, it was the SSSD/IPA guys that basically ported most of
the multi-domain code over to Samba, as many are also Samba
contributors. SSSD/IPA's origins are heavily with major Samba
contributors who wanted a more "universal Winbindd" and an "AD for
This is why more and more organizations would rather keep their Samba
services under a solution where it can be managed, especially since
there are so many issues with non-Windows systems, and utter lack of
attributes for POSIX (sans only "basic" IDMU, which is going away).
Windows stays AD, POSIX stays IPA, and the two have an AD Forest Trust
between. That's where mixed environments are going, which is really
just a refinement of the separate LDAP and AD trees in corporations.
But now one where they can use each other's resources, and be managed
by the teams on each.
Even Microsoft is nodding its head to this, because its own AD
architects don't want any POSIX systems in AD, because its own AD
admins don't even know how to manage basic attributes. The stats
on even just basic IDMU population are a somber reminder.
lpi-examdev mailing list