Ubuntu Desktop Exploring Microsoft Azure AD Integration

  • Ubuntu Desktop Exploring Microsoft Azure AD Integration

    Phoronix: Ubuntu Desktop Exploring Microsoft Azure AD Integration

    Since Ubuntu 20.10 there has been Active Directory integration in the Ubiquity installer while now it looks like the latest effort by Canonical on enhancing the Ubuntu desktop for the enterprise is around Microsoft Azure Active Directory (Azure AD) integration...

  • #2
    I wonder if that'll spread to other distributions? I can see some of those features being useful for OS testing and deployments, working offsite, and lots of other uses.

    Since this is another Micrononical development I assume haters gon hate.


    • #3
      Is there a non-Microsoft alternative to AD? I think I remember seeing something in samba for AD, but what about an alternative that doesn't try to conform to their protocols? I heard the terms Kerberos (login and SSO?) and LDAP (no idea what it does) and understand that they seem related. I just don't know how it all fits together and if it is equivalent to AD or just has partial overlap with the functionality of AD.

      Enterprise stuff is not really something I interact with or know much about, so this may be a silly question.


      • #4
        Originally posted by Vorpal
        Is there a non-Microsoft alternative to AD? I think I remember seeing something in samba for AD, but what about an alternative that doesn't try to conform to their protocols? I heard the terms Kerberos (login and SSO?) and LDAP (no idea what it does) and understand that they seem related. I just don't know how it all fits together and if it is equivalent to AD or just has partial overlap with the functionality of AD.

        Enterprise stuff is not really something I interact with or know much about, so this may be a silly question.
        For an on-prem AD alternative, Samba is pretty much the way to go, *especially* if you have Windows clients in the mix. Once it's up, you can manage it with a Windows client same as you could if it were actual Active Directory. If you for sure don't need to support Windows, something like FreeIPA might be better. AD, Samba (as a domain controller), and FreeIPA are implementations of LDAP. LDAP is an open standard, but vendors will put their own special spice into how it works - particularly Microsoft Active Directory. For example, along with the directory and authentication, Active Directory bundles in Group Policy (so does Samba). This is extremely useful if you're wrangling Windows clients on your domain. On the other hand, FreeIPA can manage a lot of settings specific to Linux clients (like who can use sudo). But they're both based on LDAP. My explanation is a simplification, but you get the idea.


        • #5
          Looks like Ubuntu is requiring an "Advantage subscription" for this (ADsys.) This seems like a great feature. I'll be looking for other distributions to package and deliver this too.


          • #6
            Disappointing that they chose to reinvent the wheel instead of contributing to established battle-tested solutions in this space like sssd and realmd.


            • #7
              Anything that can help Linux get into the enterprise is welcome. I'm sick of IT departments only caring about Windows and Mac.


              • #8
                Originally posted by sarmad
                Anything that can help Linux get into the enterprise is welcome. I'm sick of IT departments only caring about Windows and Mac.
                Because that's 99.9% of the corporate desktop excluding the few stupid enough to use Google docs. :P


                • #9
                  Originally posted by jabl
                  Disappointing that they chose to reinvent the wheel instead of contributing to established battle-tested solutions in this space like sssd and realmd.
                  sssd/realmd is not "battle tested", it's often extremely buggy, often to the point of locking you out for no darned reason. Clear cache, or worse, remove from domain, rejoin domain, and suddenly everything's working again. Garbage.

                  Other times it decides to dislike one specific group policy, and fails auth altogether. Let me reiterate: sssd can't parse a correctly formatted group policy XML file THAT IT CAN'T EVEN USE FOR ANYTHING, because it's for Windows clients, but it fails auth for your Linux system.

                  We had to delete and redo that group policy entry just for this.

                  I could go on but it's pointless.

                  Battle tested my arse.


                  • #10
                    Originally posted by emptythevoid

                    For an on-prem AD alternative, Samba is pretty much the way to go, *especially* if you have Windows clients in the mix. Once it's up, you can manage it with a Windows client same as you could if it were actual Active Directory. If you for sure don't need to support Windows, something like FreeIPA might be better. AD, Samba (as a domain controller), and FreeIPA are implementations of LDAP. LDAP is an open standard, but vendors will put their own special spice into how it works - particularly Microsoft Active Directory. For example, along with the directory and authentication, Active Directory bundles in Group Policy (so does Samba). This is extremely useful if you're wrangling Windows clients on your domain. On the other hand, FreeIPA can manage a lot of settings specific to Linux clients (like who can use sudo). But they're both based on LDAP. My explanation is a simplification, but you get the idea.
                    You confuse a couple of things.

                    First, LDAP is designed to be extensible. AD adds its "own spice", but all that means is extensions. Standard LDAP clients will ALWAYS continue to work. You CAN use AD specific stuff if you want, and that's it.

                    Then there's Group Policy, but that has nothing to do with LDAP, it's its own thing. Let alone Samba. It's just a protocol for file transfers. And it works horribly with Linux clients, I might add. The biggest issue is the enormous gap between Linux and Windows file permissions. There's _some_ mapping, but it's not perfect. Also the random disconnects, IO errors, etc. particularly via VPN. It's really not that robust at all. I'm saying this as someone who's been managing Linux servers connected to SMB shares for pretty much a decade now.

                    I might also add that you don't need FreeIPA to centrally manage sudo rights, it's just that most people haven't even heard about this.

                    Update: please refer to Noobuntu – Enterprise Ubuntu development environment with Active Directory integration for up-to-date information. Prelude You can run, but you can’t hide, sooner or later it’ll knock on your door. I was assigned with the task of providing our colleagues with Linux workstat


                    The schema extension is part of the official sudo tarballs though. We've been using this for 7 years now. You set your sudorole in AD in the GUI, sssd eventually syncs it on the client, and bam, you have sudo. Yeah, sometimes it's not that simple, it might take a reboot, or even an sssd cache clear, but more or less it works. (and I'm fairly certain FreeIPA isn't free from bugs either)
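
The sudoRole mechanism mentioned in #10, shown as an added example that is not part of the thread or of any poster's setup: it parses sudoRole entries from an LDIF export, renders the sudoers line each one roughly corresponds to, and flags over-broad roles. The attribute names come from sudo's LDAP schema; the directory names (`example.com`, `linux-admins`) and the LDIF itself are constructed, and the parser assumes unfolded, plain-text LDIF lines.

```python
# Constructed sample export; all DNs, groups and commands are hypothetical.
SAMPLE_LDIF = """\
dn: CN=web-restart,OU=sudoers,DC=example,DC=com
objectClass: sudoRole
cn: web-restart
sudoUser: %linux-admins
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/bin/systemctl restart nginx

dn: CN=everything,OU=sudoers,DC=example,DC=com
objectClass: sudoRole
cn: everything
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
"""

def parse_roles(ldif):
    """Return sudoRole entries as dicts mapping attribute -> list of values."""
    roles = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        if "sudoRole" in entry.get("objectClass", []):
            roles.append(entry)
    return roles

def to_sudoers(role):
    """Render the sudoers line the role roughly corresponds to (run-as defaults to root)."""
    runas = ",".join(role.get("sudoRunAsUser", ["root"]))
    tag = "NOPASSWD: " if "!authenticate" in role.get("sudoOption", []) else ""
    who, where = ",".join(role["sudoUser"]), ",".join(role["sudoHost"])
    return "{} {} = ({}) {}{}".format(who, where, runas, tag, ", ".join(role["sudoCommand"]))

def findings(role):
    """Least-privilege flags to review before the role reaches clients."""
    checks = [("sudoUser", "ALL", "applies to every user"),
              ("sudoCommand", "ALL", "allows every command"),
              ("sudoOption", "!authenticate", "no password prompt")]
    return [msg for attr, val, msg in checks if val in role.get(attr, [])]

if __name__ == "__main__":
    for r in parse_roles(SAMPLE_LDIF):
        print(r["cn"][0], "->", to_sudoers(r), findings(r))
```

On an sssd client the roles are only consulted when the `sudo` service is enabled in `sssd.conf` and `/etc/nsswitch.conf` lists `sss` on its `sudoers:` line.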
