[Samba] Question about silos and Authentication policies

Daniel Müller mueller at tropenklinik.de
Thu Oct 19 07:03:02 UTC 2023


Hello,

You cannot use Active Directory Administrative Center because Samba has no ADWS implemented.
There were efforts, but ADWS did not reach production status. I think Catalyst, Andrew Bartlett tried something, did not finish it.
Yes, you need to use the old RSAT.

Greetings
Daniel


IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus



-----Original Message-----
From: Stefan Kania via samba [mailto:samba at lists.samba.org]
Sent: Wednesday, 18 October 2023 17:43
To: Samba List <samba at lists.samba.org>
Subject: [Samba] Question about silos and Authentication policies

I just installed Samba 4.19.1 (Sernet-packages). Here is my smb.conf on my DC
-----------------
# Global parameters
[global]
         ad dc functional level = 2016
         netbios name = ADDC-01
         realm = EXAMPLE.NET
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         workgroup = EXAMPLE

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[netlogon]
         path = /var/lib/samba/sysvol/example.net/scripts
         read only = No
-----------------

I provisioned my DC with:

-----------
samba-tool domain provision --option="ad dc functional level = 2016" \
    --function-level=2016 --domain=example --realm=example.net \
    --host-ip=192.168.56.201 --backend-store=mdb --dns-backend=BIND9_DLZ \
    --adminpass=Gansgehe1m
-----------

Then I did:
---------
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
---------

I joined a Windows 10 client. I can start ADUC, Sites and Services, and DNS Manager from RSAT. But if I try to start "Active Directory Administrative Center" to manage auth policies and silos, I get the message:
--------
It's not possible to get a connection to any domain
--------
So even if I have switched to FL 2016, I still can't manage auth policies and silos via Windows RSAT?

Or did I forget something?







