Large network of Windows machines without AD - GO!
-
@marcinozga said in Large network of Windows machines without AD - GO!:
This is a completely bullshit argument. Setting up Samba as DC takes 5-10 mins, installing Ansible literally takes seconds, setting up Windows machines for Ansible management is a single PowerShell script. Neither is time consuming or complex, it's even easier than setting up native Windows DC.
Compare the same things. Just enabling the DC roles is a matter of minutes too. Windows Server is not any more or less complicated.
@marcinozga said in Large network of Windows machines without AD - GO!:
And if your IT staff can't handle basic stuff, it's time to replace them with competent ones, or outsource it.
There is no such thing as basic when it comes to Network Design/Engineering tasks. You have no clue what you are talking about.
-
@marcinozga said in Large network of Windows machines without AD - GO!:
Again, nonsense. It does take some work to create Ansible playbooks or roles, but so it does setting up things in AAD or Intune.
Except you just argued that exact thing in the opening of your post: that it only takes 5-10 minutes.
-
@Obsolesce said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Dashrender said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
@IRJ said in Large network of Windows machines without AD - GO!:
@Obsolesce said in Large network of Windows machines without AD - GO!:
At that point you're needing to use something like Ansible Tower with Okta or similar anyways. Does Samba do 2FA/MFA? I have never looked. Maybe Okta and Samba work together, I don't know. To me, it seems like the MSP will have a full time job on their hands for a long time, for a single client.
Yes you can sync your on-prem LDAP to Okta, but that's still not changing the environment; you are still basically using AD.
I was under the impression no on-prem stuff like that.
AFAIK the only person mentioning on or off prem was you. I only mentioned it in response to you, not to the OP.
To me this basically breaks down to LAN-centric or LANless...
Right, which can both be on or off prem.
Oh he did mention on-prem LAN based file shares, printers, apps, etc., also roaming users and system patching management and monitoring.
Just looking at that and the 200 Windows devices... no other considerations....
Sure, Ansible. Samba. I'd question why keep Windows then, with only those considerations.
Because local apps require Windows.
I see. Well you could dish it out to an MSP for super cheap and quit your job!
LOL - it's not my network - someone else asked me - and I figured it was better to have a discussion here.
Ah, I see. There are so many options, and there's no single-size-fits-all option either. So it, as always, depends on the full picture, all things considered IMHO.
That's true of essentially everything in IT. Every good product has a valid use somewhere.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@notverypunny said in Large network of Windows machines without AD - GO!:
Would something like Zentyal be appropriate?
Just a package of Samba 4 which is just a third party AD. So this is just another way of saying to use Samba, which is another way of saying "keep AD."
If the question is "how can I more affordably do AD", then Zentyal is a great AD distro. But if the question is "how do I ditch AD", Zentyal isn't ditching it at all.
Fair enough, I read "without AD" and my mind went to "without M$".
-
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
-
@Pete-S said in Large network of Windows machines without AD - GO!:
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
Authenticate, yes. But FreeIPA isn't meant to do that, doesn't work well for it, and they themselves say that you should use Samba instead as it is meant for that.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Pete-S said in Large network of Windows machines without AD - GO!:
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
Authenticate, yes. But FreeIPA isn't meant to do that, doesn't work well for it, and they themselves say that you should use Samba instead as it is meant for that.
But the point wasn't the product. The point was that it looks like you can authenticate local users on Windows against anything that supports Kerberos. So you can still use central authentication for your Windows clients (that can be shared with Linux, web apps and whatever) without using AD or anything in the entire Windows ecosystem. I didn't know that was even possible but maybe it is old news for you guys working with this stuff everyday.
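A concrete version of that setup, added here as an example and not taken from the thread or from the FreeIPA page: it points a standalone Windows client at a non-AD Kerberos realm and maps a realm principal to a local account. The realm EXAMPLE.COM, the KDC ipa.example.com and the user alice are placeholders, and it assumes the host principal for this machine was already created on the KDC.

```powershell
# Added example, not from the thread: configure a standalone (non-domain-joined)
# Windows client to authenticate a local account against a non-AD Kerberos KDC.
# Realm, KDC and user names are placeholders. Run in an elevated PowerShell
# session; a reboot is needed before the new settings take effect.
$Realm = 'EXAMPLE.COM'          # Kerberos realm, upper case by convention
$Kdc   = 'ipa.example.com'      # KDC and kpasswd server (a FreeIPA server here)
$User  = 'alice'                # local account that should log on via the realm

# 1. Realm and KDC the client will talk to (Kerberos TCP/UDP 88, kpasswd 464).
ksetup /setdomain  $Realm
ksetup /addkdc     $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# 2. Host principal: host/<this-fqdn>@REALM must already exist on the KDC with
#    the same password (created KDC-side beforehand; assumed, not shown here).
$HostPw = Read-Host -Prompt "Password of this host's principal on the KDC"
ksetup /setcomputerpassword $HostPw

# 3. Map the realm principal to an EXISTING local account. Only authentication
#    is delegated to the KDC; groups, policy and profile stay local, which is
#    why this is central auth but not a domain.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    throw "Local account '$User' must exist before it can be mapped"
}
ksetup /mapuser "$User@$Realm" $User
# ksetup /mapuser * *   # alternative: map every principal to the same-named local account

# 4. Review what was written, then reboot. After logging on as $User, klist
#    should list a krbtgt/$Realm ticket issued by $Kdc.
ksetup
Restart-Computer -Confirm
```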
-
@Pete-S said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Pete-S said in Large network of Windows machines without AD - GO!:
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
Authenticate, yes. But FreeIPA isn't meant to do that, doesn't work well for it, and they themselves say that you should use Samba instead as it is meant for that.
But the point wasn't the product. The point was that it looks like you can authenticate local users on Windows against anything that supports Kerberos. So you can still use central authentication for your Windows clients (that can be shared with Linux, web apps and whatever) without using AD or anything in the entire Windows ecosystem. I didn't know that was even possible but maybe it is old news for you guys working with this stuff everyday.
You can do full AD without anything in the Windows ecosystem. You can do Linux AD server side, and Linux clients and never have Windows code at all and be all on AD. You don't, normally, as it is too heavy to bother with if you don't have Windows somewhere. But it works. AD is just a heavy version of LDAP that is classic to UNIX.
FreeIPA is expected to be used either in an all Linux world, or in a hybrid world with AD handling the Windows side of things (but they recommend Linux based AD.)
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Pete-S said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Pete-S said in Large network of Windows machines without AD - GO!:
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
Authenticate, yes. But FreeIPA isn't meant to do that, doesn't work well for it, and they themselves say that you should use Samba instead as it is meant for that.
But the point wasn't the product. The point was that it looks like you can authenticate local users on Windows against anything that supports Kerberos. So you can still use central authentication for your Windows clients (that can be shared with Linux, web apps and whatever) without using AD or anything in the entire Windows ecosystem. I didn't know that was even possible but maybe it is old news for you guys working with this stuff everyday.
You can do full AD without anything in the Windows ecosystem. You can do Linux AD server side, and Linux clients and never have Windows code at all and be all on AD. You don't, normally, as it is too heavy to bother with if you don't have Windows somewhere. But it works. AD is just a heavy version of LDAP that is classic to UNIX.
FreeIPA is expected to be used either in an all Linux world, or in a hybrid world with AD handling the Windows side of things (but they recommend Linux based AD.)
OK, thanks.
-