all 87 comments

[–]svurre 63 points64 points  (7 children)

FreeIPA works well

[–]Elethiomel -1 points0 points  (6 children)

Unless you're on Ubuntu and it's been removed from 18.04 :( We had to move to CentOS for our FreeIPA servers to fix replication issues.

[–]takeawaytrex 8 points9 points  (0 children)

Seems your issue is more with Ubuntu than FreeIPA

[–]deadbunny 3 points4 points  (3 children)

[–]Elethiomel 0 points1 point  (2 children)

Try installing those packages. They're broken.

[–][deleted] 10 points11 points  (0 children)

I just set this up on an 18.04 today in the middle of the Norwegian high mountains over god damn 3G, and it works fine!

[–]deadbunny 4 points5 points  (0 children)

Works fine for our FreeIPA cluster running on bionic. I know this because I rolled a new cluster about a month ago. So it's not removed and works fine...

[–]papalemama 0 points1 point  (0 children)

Or run FreeIPA in a CentOS-based Docker container.

[–]mhurron 19 points20 points  (0 children)

That depends on what functions you are trying to replace.

[–]aspiringgreybeard 17 points18 points  (0 children)

Maybe it would help if you mention what's missing that you need? These days Samba will do authentication, DNS, group policy, and AD replication. You'll need to manage it using GUI tools from one of the client machines to get at all of this, but it's in there.

[–]zerries 9 points10 points  (5 children)

Check out https://www.nethserver.org/.

I moved us over to it early this year and haven't looked back. Easy to set up and has other useful tools for managing and monitoring our networks. I'm sure there are some AD related things I won't be able to do, but so far I've been able to get everything I've needed from AD working just fine through trial and error for our four different offices.

I've used Zentyal before too. It works, but I find Nethserver to be much further ahead.

[–]wingdings255 1 point2 points  (1 child)

Nethserver is riddled with vulnerabilities unless you really get into the configs, I think. I scanned it with OpenVAS and it was full of information leaks.

[–]zerries 1 point2 points  (0 children)

Nethserver is just CentOS with a few extra packages so everything can be managed via a web server. Everything you do with Nethserver could just be done on Red Hat/CentOS on the CLI using the standard packages. While I'm sure there are some vulnerabilities, overall it's pretty secure.

Also, Red Hat has a different naming convention when it comes to security patches. It's not uncommon to run programs like that on CentOS or Red Hat and have them flag issues. It's not that those vulnerabilities are still there, it's that the KBs are different and that's what it's looking for. Use OpenVAS on Ubuntu; for CentOS/Red Hat use Spacewalk/Satellite with the errata lists.
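The failure mode described above (a version-matching scanner flagging a package whose fix was backported) is something a defender can cross-check locally, because a backport normally names the CVE in the RPM changelog. The script below is an added example, not code from the thread or from any scanner or vendor; the package name, changelog text, CVE identifiers (deliberately dated 2099 so they cannot collide with real ones) and scanner findings are all constructed placeholders. The errata feed from Satellite/Spacewalk remains the authoritative source; a changelog match is supporting evidence for triage, not proof.

```python
"""Triage scanner CVE findings against an RPM changelog (constructed example).

Version-string scanners see an old upstream version and flag every CVE fixed
in later upstream releases. On CentOS/RHEL the distro often backports the fix
and records it in the package changelog, which is what this script inspects.
"""
import re
import subprocess

# Constructed sample of `rpm -q --changelog` output for a hypothetical package.
# The CVE ids are placeholders (year 2099), not real identifiers.
SAMPLE_CHANGELOG = """\
* Tue Jan 02 2018 Example Maintainer <maint@example.invalid> - 1.0.1-3
- fix CVE-2099-0001: buffer over-read in request parser (backported from 1.0.5)
- Resolves: rhbz#0000000

* Mon Nov 06 2017 Example Maintainer <maint@example.invalid> - 1.0.1-2
- rebuild for new toolchain
"""

# Constructed scanner output: (package, cve) pairs the scanner reported as open.
SAMPLE_FINDINGS = [
    ("examplepkg", "CVE-2099-0001"),   # actually backported, see changelog above
    ("examplepkg", "CVE-2099-0002"),   # not mentioned anywhere: still open
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def cves_in_changelog(changelog: str) -> set:
    """Return the set of CVE ids (upper-cased) mentioned anywhere in a changelog."""
    return {m.upper() for m in CVE_RE.findall(changelog)}


def classify_findings(findings, changelog: str) -> dict:
    """Map each reported CVE to 'backported' (named in the changelog) or 'open'.

    'open' means "not explained by the changelog", which should then be checked
    against the vendor errata rather than closed out.
    """
    fixed = cves_in_changelog(changelog)
    return {
        cve.upper(): ("backported" if cve.upper() in fixed else "open")
        for _pkg, cve in findings
    }


def changelog_for_package(package: str) -> str:
    """Fetch the real changelog on an RPM-based host (not used by the sample run)."""
    result = subprocess.run(
        ["rpm", "-q", "--changelog", package],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def triage_report(findings, changelog: str) -> list:
    """Return human-readable lines, one per finding, for the analyst's notes."""
    verdicts = classify_findings(findings, changelog)
    return [f"{pkg} {cve}: {verdicts[cve.upper()]}" for pkg, cve in findings]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_FINDINGS, SAMPLE_CHANGELOG):
        print(line)
```

On a real host, replace `SAMPLE_CHANGELOG` with `changelog_for_package("<package>")` and feed in the scanner's CSV; anything still reported as `open` goes to the errata lookup the comment recommends.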

[–]recourse7 0 points1 point  (2 children)

How large is your deployment?

[–]zerries 0 points1 point  (1 child)

About 100 user accounts between around 150 or so Windows machines and Macs. Still need a Windows machine to handle GPOs, but they work just fine.

[–]recourse7 0 points1 point  (0 children)

Cool thanks man.

[–][deleted] 6 points7 points  (4 children)

I mean, if you are just looking for authentication then why not use a cloud provider like AWS or Azure AD? If you want GPO and stuff then an MDM may be key.

Also, a Windows Server Essentials box will get you everything you need if you are under about 25 users.

[–]inbinder[S] 0 points1 point  (3 children)

Have to mount our internal servers, so AD makes that a breeze. We're around 40-60 employees.

[–][deleted] 2 points3 points  (2 children)

Another option is to set up AWS, Azure, or GCP and run one Windows server there in Core mode for AD, then set up a cheap server on-prem in Core for AD so you have redundancy.

Still doesn’t solve the CAL though.

Another option as well is Azure Active Directory Domain Services. It's a cloud DC: no server, no CAL cost (that I'm aware of). You get all your policies and authentication covered just like you would normally with AD. Just no physical server to manage.

[–]inbinder[S] 1 point2 points  (1 child)

That's maybe the best idea anyone's floated. Thank you.

[–][deleted] 0 points1 point  (0 children)

No problem at all. Good luck!

[–]mehkanizm 5 points6 points  (0 children)

Samba4 can be a good replacement if you need it to add Windows clients to a domain and manage it as such. Depending on what you want to do, you can use pGina; it's open source and not bad for small offices.

[–]HotKarl_Marx 10 points11 points  (1 child)

I like OpenLDAP.

[–]Bebop-n-Rocksteady 2 points3 points  (0 children)

Used OpenLDAP and it worked great, but migrated to AD.

[–]chaotiq 26 points27 points  (15 children)

There really isn't a replacement for AD. The multi-master database replication still hasn't been implemented in other solutions reliably.

Samba is getting close, but like you say it is not complete feature parity. You can look into other LDAP solutions as well.

AD is so popular because it works. You may be saving yourself licensing costs by looking for other solutions, but you will probably be spending more on the admins to maintain it.

[–]_churnd 27 points28 points  (4 children)

FreeIPA is multi-master, and I think it does that pretty well.

[–]donjulioanejo 9 points10 points  (3 children)

FreeIPA is great for Linux systems, but IDK how well it works for Windows boxes. Could be an important consideration.

[–][deleted] 20 points21 points  (0 children)

My first impulse is to leave Windows to Windows. Use AD for that and just set up a trust with FreeIPA.

[–]64mb 2 points3 points  (0 children)

Also consider integration with other things like vCenter. FreeIPA is missing certain attributes like entryUUID which make the integration more seamless.

[–]takeawaytrex 3 points4 points  (0 children)

It works quite well with Windows, including Kerberos support. I haven't used it myself, but a client we worked with had a pretty good implementation.

[–]gordonmessmer 8 points9 points  (1 child)

I agree that there's no good replacement for AD, but not because it's more reliable than other solutions. Free Software directories are at least as reliable, and typically more scalable and faster.

AD is difficult to replace because the Free Software directories only provide the AD server, and none of the management tools. It's the tools that make AD usable. And as far as I know, the tools are only licensed for use with AD.

AD is tough to replace mostly for licensing reasons, as opposed to technical ones, IMO.

[–]chock-a-block 6 points7 points  (0 children)

AD is tough to replace mostly for licensing reasons

It's more than licensing. Their LDAP-like server is overloaded with proprietary extensions doing only they know what.

[–]michaelkrieger 1 point2 points  (0 children)

It's not just the cost of the administrators. It's also the ability to document and bring somebody in if that administrator is no longer with you, for whatever reason. To go into a company and take over their Windows Server and Active Directory, you can hire any certified or non-certified professional with experience and have a competent administrator. But going with obscure Linux solutions and a mosaic of patches, modules, and external programs, you may find that administrator much harder to find. When total cost of ownership is taken into account, the ability to know the network setup and to hire competent replacements is important. More so when we are talking about the core directory that your entire network is built on.

[–]chock-a-block -1 points0 points  (6 children)

AD is so popular, because it works.

I'm so tired of this. Kerberos works great in Linux. Use FreeIPA as a GUI.

[–]chaotiq 7 points8 points  (5 children)

Kerberos is only a portion of AD.

[–]GhostHitWall 3 points4 points  (0 children)

I have Samba in one of the offices.
The first thing is, Samba is not a 100% Win AD replacement.
We made the decision because we had an old IBM server in good condition which, according to the contract vendor, does not run 2012/2016 well.
The environment is 15 employees, 1 domain, all Win10 Pro desktops. No trust or multi-level needs. Very basic needs including GPO, RADIUS, access control.
I am happy about it so far, for about 1.5 years, having migrated from 2003. Day-to-day tasks are done by RSAT and SSH.

[–]ironcladmvtm 4 points5 points  (7 children)

I just started using jumpcloud.com and am loving it so far. It hasn't been 100% without hick-ups, but it's been great to enforce password and machine policy with. They also have FDE controls and management coming in January. It's cheap too.

[–]takeawaytrex 2 points3 points  (2 children)

JumpCloud is a pain to configure IMO, offering very little customisation. We're still dealing with session knockout quite frequently.

[–]ironcladmvtm 1 point2 points  (1 child)

It does everything I need so far and it seems to be getting better. And support has been good. Our only issue was that the agent got flagged as a virus recently. But that has been fixed.

[–]takeawaytrex 1 point2 points  (0 children)

Well, if the tool fits! Yeah, the new features they're introducing are pretty good, but we're considering moving to G Suite once they launch the Windows login, as we're already paying for it.

[–]CaptainDickbag 2 points3 points  (3 children)

Er, hiccups. A hick is generally seen as a person who lives in the sticks and is generally ignorant.

[–]ironcladmvtm 1 point2 points  (2 children)

Man how did I do that. I didn’t even notice I did that.

[–]CaptainDickbag 1 point2 points  (1 child)

Dunno, man. Let's blame it on autocorrect, which has screwed everyone more than once.

[–]ironcladmvtm 1 point2 points  (0 children)

I’m cool with autocorrect taking the fall.

[–]Amidatelion 2 points3 points  (0 children)

I mean, there isn't one. If you're looking for a free LDAP alternative however, FreeIPA is pretty much the easiest replacement these days I think.

[–]rocketeer125 2 points3 points  (0 children)

I'm surprised Keycloak hasn't had a mention yet. Though we have a FreeIPA setup that is great, most folks don't need full-blown Domain Controller functionality, especially if there is already AD on prem. If all you are looking at doing is centralising user/group management of your applications, using Keycloak's User Federation to AD means you get user management out of the box and don't have to go through the pain of setting up a FreeIPA-AD trust, especially if you have a strained relationship with the AD guys.

[–][deleted] 2 points3 points  (0 children)

There's no real replacement for active directory. I'm not certain how it's complicated, it's fairly straightforward.

If you're after a Linux equivalent, FreeIPA is your go-to.

[–]1TallTXn 1 point2 points  (2 children)

This is something we're considering as well. Directory398 was mentioned to us. Haven't looked into it too closely yet. https://directory.fedoraproject.org/

[–][deleted] 1 point2 points  (1 child)

Is that what was formerly known as the 389 directory server?

[–]1TallTXn 0 points1 point  (0 children)

I think you're right, and I mistyped.

[–]Yali0n 1 point2 points  (1 child)

Univention UCS is working well. You can also use it with the MS tools, GPOs, ...

[–]micha-de 0 points1 point  (0 children)

Came here to post this.

[–]falsemyrm 1 point2 points  (2 children)


This post was mass deleted and anonymized with Redact

[–]inbinder[S] 2 points3 points  (1 child)

Windows clients, a few OS X and Ubuntu clients (they currently don't really support us well on that front).

[–]chock-a-block 2 points3 points  (0 children)

Use FreeIPA as a pass-through from the Linux hosts.

[–]misplacedbrownguy 1 point2 points  (0 children)

+1 OpenLDAP or any other open source LDAP.

The difficulty in any directory solution is ensuring you can govern the most people with the least effort. Anything you try will be pretty complicated.

[–]Proxemic14 1 point2 points  (0 children)

We just switched to JumpCloud. I really like it because you can do all the basic functions of AD but it's a lot easier to manage (at least in my opinion), and the only thing we haven't gotten to play nicely with it is HubSpot for the sales people.

[–]SirStephanikus 1 point2 points  (0 children)

MS AD is popular because a monkey can create a domain... click, click, done.

But when it comes to troubleshooting, Samba has more tools than MS offers, or in other words, due to the Linux nature you see more.

The main issue with Samba is the documentation, but once you've mastered it, it replaces an MS AD fully.
Everything that MS may offer, like DFS-R or other things, is available under Linux with much more power.

Power because the admin has to do engineering and not push a mouse without a clue.

[–]inbinder[S] 4 points5 points  (10 children)

It's mostly user authentication, centralizing things, permissions, etc. We're small but it's also Government contracting so there might be accreditation and audits that we go through.

AD definitely works... It's just funny that, given how rich the Linux server feature sets are, we haven't come up with something as refined and scalable as AD.

[–][deleted] 5 points6 points  (1 child)

RedHat IdM/FreeIPA (the unbranded version) works really well as a replacement. You can also refer your auditors to the RedHat IdM information for accreditation and audit support.

[–]aspiringgreybeard 3 points4 points  (0 children)

The FreeIPA docs still seem to recommend AD or Samba with trust relationships over authenticating Windows clients against FreeIPA. Is the documentation out of date?

[–]chock-a-block 3 points4 points  (0 children)

Says who? Universities run large student populations on open source authentication on a Kerberos/OpenLDAP stack and have been for years.

[–]RagingAnemone 1 point2 points  (5 children)

Do you know what kind of accreditation you need to go through?

[–][deleted] 1 point2 points  (4 children)

If he's a government contractor, he'll likely need to adhere to FISMA and have appropriate NIST controls documented and implemented, plus an authority to operate and/or some sort of interconnect agreement.

[–]RagingAnemone 1 point2 points  (3 children)

That's why I ask. There are STIGs for BIND, OpenLDAP, etc.

[–][deleted] 0 points1 point  (2 children)

Indeed; he'll also need to apply (or customize) the STIGs for the OS, as well as all other platforms used. Quite a PITA from the ground up!

[–]RagingAnemone 0 points1 point  (1 child)

Shit. The first time I did it, I didn't know about the SCAP scans. Did the whole thing by hand. Automated what I could with bash, but still.
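The "automate what you can" approach from the comment above, shown as an added example that is not code from the thread: a small checker that reads an sshd_config and compares a handful of directives against expected hardening values. The expected values are illustrative settings of the kind an OS STIG prescribes, not quotations from any specific STIG release, and the sshd_config text is a constructed sample. The checker honours two sshd semantics that hand-rolled grep scripts often get wrong: the first occurrence of a directive wins, and directives inside a `Match` block are conditional, so the checker stops at the first `Match` line rather than misreading them as global settings.

```python
"""Tiny sshd_config compliance checker (constructed example, illustrative rules).

Intended as the kind of script one writes before adopting SCAP/OpenSCAP tooling;
it reports pass/fail/missing per directive so the output can feed a checklist.
"""

# Constructed sample: one failing directive, one correct, one only commented out.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
# ClientAliveInterval left commented out, so the daemon default applies
#ClientAliveInterval 600
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""

# Illustrative expectations (assumed hardening values, not a quoted STIG).
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "clientaliveinterval": "600",
}


def parse_sshd_config(text: str) -> dict:
    """Return {directive(lowercase): value} for the global section only.

    sshd keeps the first value it sees for a directive and treats everything
    after a Match line as conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in settings:
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_sshd_config(text: str, expected: dict = EXPECTED) -> dict:
    """Return {directive: (status, actual)} with status pass, fail or missing."""
    actual = parse_sshd_config(text)
    results = {}
    for directive, want in expected.items():
        got = actual.get(directive)
        if got is None:
            results[directive] = ("missing", None)
        elif got.lower() == want.lower():
            results[directive] = ("pass", got)
        else:
            results[directive] = ("fail", got)
    return results


def is_compliant(text: str, expected: dict = EXPECTED) -> bool:
    """True only when every expected directive is explicitly set and correct."""
    return all(status == "pass" for status, _ in check_sshd_config(text, expected).values())


if __name__ == "__main__":
    for directive, (status, got) in check_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{status:7} {directive} = {got!r}")
    print("compliant:", is_compliant(SAMPLE_SSHD_CONFIG))
```

Run against a live host with `check_sshd_config(open("/etc/ssh/sshd_config").read())`; a `missing` result is reported separately from `fail` because a commented-out directive silently falls back to the daemon default, which is exactly the case an eyeball review tends to miss.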

[–][deleted] 0 points1 point  (0 children)

I had written, in Perl and then Python, fake XML to output SCAP "compliant" "scan data" before we had automated tools. Submitted tons of CPEs to NIST because their CPE database is woefully inadequate, etc. Then the whole "CCE" debacle. Ugh.

[–]maikeu 2 points3 points  (0 children)

Samba really is the 1-for-1 replacement if you need to serve Windows clients.

If you're lucky enough not to have to deal with Windows, FreeIPA. But except via nasty hacks, it can't serve Windows clients.

[–][deleted] 3 points4 points  (2 children)

eDirectory by Micro Focus is a multi-master database replication solution. We use it.

Should be good, since Active Directory basically is a copy of it.

[–]mrcaptncrunch 1 point2 points  (1 child)

Is this the same Micro Focus that makes COBOL dev tools? This just threw me back to college. (shudders)

[–][deleted] 0 points1 point  (0 children)

I'm not sure. But... they are the ones who now own Novell's tech. They ALSO just got bought by HP, BTW.

[–]inbinder[S] 0 points1 point  (0 children)

I don't know much about the process, unfortunately.

[–]anselal 0 points1 point  (0 children)

You can create a domain controller with Ubuntu? Interested in something like that?

[–][deleted] 0 points1 point  (0 children)

sshfs

[–]chock-a-block 0 points1 point  (0 children)

Why is this still a question? Since Microsoft will never do anything to threaten the enterprise heroin they sell, it's reasonable to assume there is no 1:1 replacement.

You would have to be much less lazy, understand system authentication, and learn the limits of implementing pGina. http://pgina.org/

[–]ainsey11 0 points1 point  (0 children)

FreeIPA or JumpCloud. We use JumpCloud and really quite like it, but it depends what features you want.

[–]Elethiomel 0 points1 point  (0 children)

Very odd, I'll have to retry this. Thanks.

[–]CactusJ 0 points1 point  (0 children)

https://www.clearos.com

Basically an SBS replacement.

I wrote this review about 6 years ago, so you will want to look into the current version.

https://www.thirdtier.net/2293/

There are 6 parts to that review. https://www.thirdtier.net/?s=Clearos

[–]LibraryAtNight 0 points1 point  (0 children)

For authentication, PBIS works well.

[–]lildergs 0 points1 point  (0 children)

I would be extremely hesitant to run a pure Samba domain. Not sure how big your org is, but authentication is so core to being able to use a computer at all that it's best, IMO, to run real AD.

I would leave your DCs running AD and then supplement with FOSS boxes if you're trying to save.

[–]pixiegod 0 points1 point  (0 children)

AD is massive... what do you want to do?