LinuxWorld: Samba guru says be lazy, use Winbind
By Jack Loftus, News Writer
15 Feb 2007 | SearchEnterpriseLinux.com
But when Jerry Carter, release manager for Samba 3.0, talks about laziness as he did during a session at the LinuxWorld Open Solutions Summit, what he really meant is eliminate redundancy in Linux and Unix environments, specifically, when dealing with identity management and user authentication. In the Windows world, he said, much of the group policy work in the Linux IT guy's day is already done for him.
"Generally, a named service switch layer does not provide for nested group unrolling," Carter said. "You would stick one group in another group, and then expand that so one member of the group is a member of another group. In Windows, you just have this kind of stuff happen. It just works."
Getting stuff to "just work" between Linux, Unix and Windows boxes has been described by some as a "holy grail" of technological achievements -- especially when you begin to talk about a unified logon between each of these operating systems.
The Samba.org Website describes Winbind as a component of Samba that solves the unified logon problem. Winbind uses a Unix implementation of Microsoft [remote procedure] calls, Pluggable Authentication Modules (PAM) and the name service switch (NSS) to allow Windows NT domain users to appear and operate as Unix users on a Unix machine.
"It is the [Samba team's] general design philosophy to take Unix machines and wrap eye candy around them so Windows will like them," Carter said. "Think of it as a blind date; Samba takes a Unix object and makes it look like a Windows object."
Samba allows IT administrators to "play pretend," said Jeremy Moskowitz, co-author of Windows and Linux integration: Hands-on solutions for a mixed environment. "Samba lets us have Windows file servers when we don't really have them, and for authentication it allows us to pretend we have Windows NT4 [capability]," he said.
It is on that point where Carter's idea of the "lazy user" begins to take shape. During his session on unifying authorization models between Linux and Windows machines, Carter asked the audience to get comfortable building upon what was perfected in Windows NT 4.0.
The Windows NT 4.0 model employs a local group model that allows a server to designate a group that contains local and domain users, as well as domain groups. These Windows groups, called nested groups, were added to the latest build of Samba, version 3.03. "Does Windbind do nested groups? Yes," Carter said. "Windbind acts as another database of local groups and group memberships.
This means that -- through Samba and the policies established in Windows NT 4.0 -- IT managers can eliminate localized ID management and authentication on Linux boxes and access those privileges from a central location. Managing Linux with Microsoft applications may seem like sacrilege to some open source advocates, but for Carter it's just common sense.
"If you'd rather take 30 minutes to write a script for something that really takes 5 minutes to do, then you've probably already taken a trip and are drinking the Kool-Aid," he said.