APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

2004/11/29 Active Directory

Microsoft's replacement for the awful Domain Controller concept. Two important things you need to understand here are that it is really LDAP, and that it is (or can be) distributed.

Unless you are working in a really big organization, you probably won't run into the distributed features, but it's just something to remember: one server doesn't necessarily have to be the central location for changes. In a small business, there probably will be just one server that handles it all, but it doesn't have to be that way.

As the base of Active Directory is LDAP, that immediately suggests that it could be holding a lot more information than just user account info, and in fact it does. See http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp for an overview of that.

AD also uses Kerberos for security. Again, that function could involve multiple machines, but probably won't in a small shop. Because of the possibility of all these distributed servers, AD makes heavy use of DNS. In the Unix world, particularly in small networks, we usually don't care too much about local DNS: if we pay any attention at all, it's often just /etc/hosts. Few of us bother to set up real DNS for the local network. However, AD needs local DNS. For most of the folks reading this page, your only concern with that will be getting Samba to play happily with AD. Fortunately, the underlying LDAP/Kerberos/DNS of AD makes that a little easier than it was with the entirely proprietary Domain Controller concepts, but it isn't easy getting there. Truthfully, you and the client would be better off if they weren't using AD at all, but we don't always get to do what's right when Microsoft has a strong grip in a company. At this writing (Samba 3.09), the best you can do is work with AD:

(http://it.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id2520142)
As of the release of MS Windows 2000 and Active Directory, this
information is now stored in a directory that can be replicated
and for which partial or full administrative control can be delegated.
Samba-3 is not able to be a Domain Controller within an Active
Directory tree, and it cannot be an Active Directory server. This
means that Samba-3 also cannot act as a Backup Domain Controller
to an Active Directory Domain Controller.
 

That means that you can get Samba to authenticate from an AD controller, but it can't BE the AD controller or an AD server. Not yet, anyway. (If you happen to stumble across this at some later time when Samba no longer has to play second fiddle, please do let me know that I need to update this page.) However, unlike Domain Controllers that could more easily be asked for authentication, AD requires more work.
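Since AD locates its Kerberos and LDAP services through DNS SRV records, the first thing to verify before pointing Samba at a domain is that those records actually resolve from the Unix box. The script below is an added example, not from this page or the Samba project; it assumes the `host` utility is installed, and the realm you pass in is whatever your AD domain is called.

```shell
#!/bin/sh
# Added example: check the DNS SRV records an Active Directory domain
# publishes, so a failed Samba join can be told apart from a DNS problem.
# Assumes the BIND `host` tool is on the PATH. Realm names are passed in
# by the caller (e.g. EXAMPLE.COM, a constructed placeholder).

# Print the SRV names AD clients (and Samba) look up for a realm.
# AD publishes these names under the DNS domain, in lower case.
ad_srv_names() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '_ldap._tcp.%s\n' "$realm"             # LDAP on any DC
    printf '_ldap._tcp.dc._msdcs.%s\n' "$realm"   # DCs specifically
    printf '_kerberos._tcp.%s\n' "$realm"         # KDC over TCP
    printf '_kerberos._udp.%s\n' "$realm"         # KDC over UDP
}

# Resolve each SRV name; report missing ones and return 1 if any failed.
check_ad_dns() {
    missing=0
    for name in $(ad_srv_names "$1"); do
        if host -t SRV "$name" >/dev/null 2>&1; then
            echo "ok:      $name"
        else
            echo "MISSING: $name"
            missing=1
        fi
    done
    return $missing
}

# Usage: ./check_ad_dns.sh EXAMPLE.COM
if [ $# -ge 1 ]; then
    check_ad_dns "$1"
fi
```

If any record comes back MISSING, the Unix host is not using the DNS server that AD updates (usually the domain controller itself), and no amount of Samba configuration will fix that.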






2 comments


© Tony Lawrence




"Microsoft's replacement for the awful Domain Controller concept."

You mean to say that AD is actually an improvement??? <Grin>

Truth is, Microsoft succeeded in developing one of the most convoluted and gawd-awful authentication messes ever devised for a computer system. And, despite all that, their stuff is still woefully insecure. So, what did we gain with AD? It might be some form of LDAP, but that doesn't make it any good, in my opinion. Better we should call it ADD, maybe?

--BigDumbDinosaur





Sat Jul 2 12:23:24 2005: 744   anonymous


There are some concerns about Samba that it doesn't support software deployment, and Active Directory does.
It is not true.

Active Directory can only deploy software that is available in MSI format, which is rare - most installers are in EXE format.
So Active Directory is not that good for software deployment.

With Samba, you can distribute software in many formats (MSI, EXE, other) with a tool called WPKG - it is GPL and can be downloaded from (link)

You can use WPKG with Active Directory, too.
