APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

2004/11/29 Active Directory


Some material is very old and may be incorrect today

© November 2004 Tony Lawrence

Microsoft's replacement for the awful Domain Controller concept. Two important things you need to understand here are that it is really LDAP, and that it is (or can be) distributed.

Unless you are working in a really big organization, you probably won't run into the distributed features, but it's just something to remember: one server doesn't necessarily have to be the central location for changes. In a small business, there probably will be just one server that handles it all, but it doesn't have to be that way.

As the base of Active Directory is LDAP, that immediately suggests that it could be holding a lot more information than just user account info, and in fact it does. See http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp for an overview of that.

AD also uses Kerberos for security. Again, that function could involve multiple machines, but probably won't in a small shop. Because of the possibility of all these distributed servers, AD makes heavy use of DNS. In the Unix world, particularly in small networks, we usually don't care too much about local DNS: if we pay any attention at all, it's often just /etc/hosts. Few of us bother to set up real DNS for the local network. However, AD needs local DNS. For most of the folks reading this page, your only concern with that will be getting Samba to play happily with AD. Fortunately, the underlying LDAP/Kerberos/DNS of AD makes that a little easier than it was with the entirely proprietary Domain Controller concepts, but it isn't easy getting there. Truthfully, you and the client would be better off if they weren't using AD at all, but we don't always get to do what's right when Microsoft has a strong grip in a company. At this writing (Samba 3.09), the best you can do is work with AD:

(http://it.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id2520142)
As of the release of MS Windows 2000 and Active Directory, this
information is now stored in a directory that can be replicated
and for which partial or full administrative control can be delegated.
Samba-3 is not able to be a Domain Controller within an Active
Directory tree, and it cannot be an Active Directory server. This
means that Samba-3 also cannot act as a Backup Domain Controller
to an Active Directory Domain Controller.
 

That means that you can get Samba to authenticate from an AD controller, but it can't BE the AD controller or an AD server. Not yet, anyway. (If you happen to stumble across this at some later time when Samba no longer has to play second fiddle, please do let me know that I need to update this page.) However, unlike Domain Controllers that could more easily be asked for authentication, AD requires more work.
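
Here is an added example (not code from the original page or from the Samba project) that makes the DNS dependence described above concrete. It lists the SRV records a Samba host must be able to resolve for a given AD domain, picks the domain controller a client would contact first from a constructed `dig +short SRV` answer, and checks an smb.conf [global] section for the settings a Samba member server needs before it can authenticate against AD (`security = ads`, `realm`, `workgroup`). The domain example.com, the dig output and both smb.conf fragments are assumptions constructed for the example.

```python
"""Preflight checks for a Samba 3 member server that must work with AD.

Added example, not code from the original page or from the Samba project.
Assumes an AD DNS domain such as example.com; the dig output and smb.conf
fragments embedded below are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def expected_srv_records(dns_domain: str) -> list[str]:
    """SRV names that AD domain controllers register in DNS.  An AD client
    (Samba included) finds LDAP and Kerberos through these records, which
    is why AD needs working local DNS rather than an /etc/hosts file."""
    d = dns_domain.lower().rstrip(".")
    return [
        f"_ldap._tcp.dc._msdcs.{d}",  # LDAP on the domain controllers
        f"_ldap._tcp.{d}",
        f"_kerberos._tcp.{d}",        # Kerberos KDC
        f"_kerberos._udp.{d}",
        f"_kpasswd._tcp.{d}",         # Kerberos password changes
    ]


def parse_srv_answers(dig_short_output: str) -> list[SrvRecord]:
    """Parse 'dig +short SRV' lines: '<priority> <weight> <port> <target>'.
    Malformed lines are skipped rather than raising."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def select_dc(records: list[SrvRecord]) -> SrvRecord | None:
    """The DC a client tries first: lowest priority, then highest weight
    (a real client randomises among entries of equal weight)."""
    if not records:
        return None
    return min(records, key=lambda r: (r.priority, -r.weight))


def parse_smb_conf_global(text: str) -> dict[str, str]:
    """Minimal smb.conf reader: the [global] parameters with lower-cased
    keys, ignoring '#'/';' comment lines and every other section."""
    params: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def check_ads_member_config(smb_conf: str, dns_domain: str) -> list[str]:
    """Problems in [global] that would stop a Samba host from authenticating
    against AD; an empty list means the basics are present."""
    g = parse_smb_conf_global(smb_conf)
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' (not 'domain' or 'user') to use AD")
    want_realm = dns_domain.upper().rstrip(".")
    if g.get("realm", "") != want_realm:
        problems.append(f"realm must be the Kerberos realm, normally {want_realm!r}")
    if not g.get("workgroup"):
        problems.append("workgroup (the NetBIOS domain name) is missing")
    return problems


# Constructed sample: what 'dig +short SRV _ldap._tcp.dc._msdcs.example.com'
# might print for two local DCs and one at a remote site.
SAMPLE_DIG = """\
0 100 389 dc1.example.com.
0 50 389 dc2.example.com.
10 100 389 dc-remote.example.com.
"""

# Constructed smb.conf fragments: an NT-domain style [global] that will not
# authenticate against AD, and the AD member version.
NT_STYLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = domain
   password server = dc1
"""

ADS_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
"""

if __name__ == "__main__":
    for name in expected_srv_records("example.com"):
        print("local DNS must answer:", name)
    print("first DC to contact:", select_dc(parse_srv_answers(SAMPLE_DIG)))
    for label, conf in (("NT-style", NT_STYLE_SMB_CONF), ("ADS", ADS_SMB_CONF)):
        print(label, "problems:", check_ads_member_config(conf, "example.com") or "none")
```

On a real host you would feed `parse_srv_answers` the output of `dig +short SRV` for each name from `expected_srv_records`; an empty answer for any of them is the usual reason a Samba join or Kerberos login fails when the machine is pointed at a DNS server that knows nothing about the AD domain.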


"Microsoft's replacement for the awful Domain Controller concept."

You mean to say that AD is actually an improvement??? <Grin>

Truth is, Microsoft succeeded in developing one of the most convoluted and gawd-awful authentication messes ever devised for a computer system. And, despite all that, their stuff is still woefully insecure. So, what did we gain with AD? It might be some form of LDAP, but that doesn't make it any good, in my opinion. Better we should call it ADD, maybe?

--BigDumbDinosaur





Sat Jul 2 12:23:24 2005: 744   anonymous


There are some concerns about Samba that it doesn't support software deployment, and Active Directory does.
It is not true.

Active Directory can only deploy software that is available in MSI format, which is rare - most installers are in EXE format.
So Active Directory is not that good for software deployment.

With Samba, you can distribute software in many formats (MSI, EXE, other) with a tool called WPKG - it is GPL and can be downloaded from (link)

You can use WPKG with Active Directory, too.
