[BBLISA] Chucking samba

Sean Lutner sean at rentul.net
Sun Apr 25 18:52:52 EDT 2010


On Apr 25, 2010, at 5:13 PM, Toby Burress wrote:

> On Sun, Apr 25, 2010 at 07:56:12AM -0400, Edward Ned Harvey wrote:
>>> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
>>> Behalf Of Toby Burress
>>> 
>> 
>> "We don't have AD, and don't want one."
>> "Samba in quasi-domain, with LDAP password backend"
>> "works some of the time"
>> "very often does not work from version to version"
>> "So I was thinking of ditching Samba for AFS."
>> 
>> Wow, you want to replace the native, included for free industry standard
>> protocol for something that has barely seen the light of day.  And you think
>> this will somehow be more stable or more manageable than AD?
> 
> I'm not sure AFS can be considered immature.

Immature and widely deployed are very different things.

> 
>> 
>> Sorry I'm not being helpful toward going the direction you want to go. But
>> you're way wrong here, and it sounds like you have a religious objection to
>> MS.
> 
> We don't have any Windows servers at the moment, and we have OpenLDAP
> running with custom schemas.  If you think OpenLDAP + MIT Kerberos +
> Samba is a workable replacement for Windows as an AD controller, that's
> something I'm willing to investigate, but (a) I've heard it doesn't
> work very well, and (b) many (most?) of our workers are on laptops,
> which they probably would not want to join to the domain, and we also
> have a significant population of OS X users.  While I know that AD
> and group policy work very well in a homogeneous environment, I'm not
> convinced it's the best tool here.

If you have to support a large number of Windows clients and you don't have a domain controller, you're doing yourself a disservice. It's the best tool/solution for the job and you should be implementing things on that basis. You can support Windows clients, OS X clients and *NIX clients with relative ease from AD. I have all three in my environment. OS X has very simple to set up and built-in support for authenticating against AD, and for *NIX clients you simply install the IDMU tools and you're done.

> 
> Also, I'm really only trying to solve one problem, which is reliable
> authentication to reliable file shares.  It seems AD is a big hammer
> that hits more nails than I have.

AD is very reliable for authentication and authorization to file shares and with DFS used in conjunction it's the easiest and most well supported solution you'll find.

> 
> That said, if everyone with AFS experience says "oh man I tried it
> once and now I'm sterile", then sure, I'll look at other solutions.
> AD's (simulated, or with Windows servers) not off the list, but it's
> very low.  Right now, AFS is at the top.

You might get AFS to work, but who are you calling when it has been broken for 12 hours and you have an enterprise full of irate users? I'm the last person to recommend Microsoft solutions (having been a Unix admin my entire career), but sometimes picking the right solution for your user base means putting your preconceived notions aside.

> 