dhicks Posted March 30, 2010

Hello All,

We want to expand our network and offer logons to all staff, pupils and parents via various web-based services (Moodle, email, file servers, whatever other random stuff I write). We want to avoid having to pay Microsoft any money to do this. The answer would seem to be a Samba server of some kind acting as a domain controller. Does anyone have any thoughts on the best way to go about this?

Do I use Samba 3 or 4? Is it worth waiting for Ubuntu 10.4 LTS to come out next month? Should I install 9.10 and upgrade to 9.10 later, or should I use Debian instead? Do I need an OpenLDAP backend, or does Samba supply its own LDAP server these days?

What's the best way of distributing policy changes to Windows workstations? I understand I can create and edit ADM files to set policies on workstations, how do I get those on to workstations? Can I install them via a share on each workstation?

-- David Hicks

Michael Posted March 30, 2010

If you're using Windows workstations stick with at least one Windows Server. Education get Windows Server for a fraction of the RRP.

dhicks Posted March 30, 2010 Author

> Education get Windows Server for a fraction of the RRP.

But, if I understand correctly, if we wanted all our pupils, staff and parents to use a Moodle server that used our Active Directory server as an authentication backend we would have to pay for either device CALs for each machine that authenticated or user CALs for each user in Active Directory. Is there some let-any-number-of-web-based-users-authenticate MS license available, does anyone know?

-- David Hicks

Soulfish Posted March 30, 2010

You'd need an external connector license. Although if you purchase CALs for all students then according to "Microsoft UK Schools: Licensing parents for SharePoint - what's free and what isn't" you could be "granted" an external connector by MS.

Michael Posted March 30, 2010

Moodle supports LDAP which I believe requires no further finances, just some tweaking.

There are ways around Active Directory, but you'll create yourself work locking down computers when using GPOs is straightforward. I would keep one Windows Server and host Moodle either on a separate Windows box or indeed Linux.

dhicks Posted March 30, 2010 Author

> Moodle supports LDAP

Then you have two separate authentication servers - if a user sets their password via Windows then their password on the LDAP server doesn't change.

> There are ways around Active Directory

Do you have any more details?

-- David Hicks

dhicks Posted March 30, 2010 Author

> You'd need an external connector license.

A quick Google search suggests a price of around £200 for an external connector license, which sounds okay. Anyone any idea if that's about right? Is that all I need to allow people to use (any number of) web-based applications that authenticate against our Active Directory server?

-- David Hicks

DMcCoy Posted March 30, 2010

That's about right for Windows Server. There are others for SharePoint (very expensive), Exchange (quite expensive). CPU licenses will cover things like SQL not needing any CALs.

Michael Posted March 30, 2010

> Do you have any more details?

Registry hacks in other words for locking down machines.

To be honest I would still recommend AD as your primary naming source for usernames and link applications to it.

CyberNerd Posted March 30, 2010

> What's the best way of distributing policy changes to Windows workstations? I understand I can create and edit ADM files to set policies on workstations, how do I get those on to workstations?

ADM files are mostly a bunch of registry keys and Microsoft publishes which key each setting modifies.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb

If you know what the key is you can easily implement that in a login or startup script with Samba. Active Directory is the GUI for the registry keys, but you could script it.
http://oreilly.com/catalog/samba/chapter/book/ch06_06.html

Alternately you could set the policy on base images and then override them with scripts.

dhicks Posted March 30, 2010 Author

> Active directory is the GUI for the registry keys, but you could script it.

Hmm. It all certainly sounds plausibly easy enough - if the external connector license thing doesn't work out then this definitely looks worth a try.

-- David Hicks

sjatkn Posted April 15, 2010 (edited)

At a previous school we used OpenLDAP for authentication and Samba for file serving. For configuration we used ntconfig.pol with a number of custom ADM files to add extra functionality. The only Microsoft servers we had were for the MSSQL server for CMIS & IIS for ePortal.

Edited April 15, 2010 by sjatkn: Fixed a minor spelling error.

prad Posted May 7, 2010

Connecting Moodle to Active Directory is really easy. Yes, having Moodle installed on a LAMP server (Linux, Apache, MySQL, PHP) is highly recommended, but all you need to do is to configure the Moodle LDAP authentication module to point to a domain controller and set a few mapping tweaks (can provide more detail if required). I've set this up in many schools and to date it's very stable. I personally choose Ubuntu because it's sooooo easy.

prad Posted May 7, 2010

Oh sorry, forgot to mention... Samba as a member server to be used as a file or print server is excellent, but I wouldn't attempt as a domain controller, stick with Microsoft.

dhicks Posted May 7, 2010 Author

> Connecting Moodle to active directory is really easy.

The ease of setting up Moodle to authenticate against Active Directory isn't the issue here, I need to check that we are appropriately licensed to allow external users (in the sense of pupils having out-of-hours access and probably parents having accounts) to use our system.

> Samba as a member server to be used as a file or print server is excellent, but I wouldn't attempt as a domain controller, stick with Microsoft.

Why?

-- David Hicks

prad Posted May 7, 2010

Only a single CAL required when using LDAP module in Moodle to authenticate.

And Samba as a domain controller = schema issues (although I haven't had first-hand experience of this).

powdarrmonkey Posted May 7, 2010

> Only a single CAL required when using LDAP module in Moodle to authenticate.

[citation needed]