[Samba] Question about silos and Authentication policies

Stefan Kania stefan at kania-online.de
Thu Oct 19 13:09:32 UTC 2023


I looked around a little bit, but as far as I can see, at the moment 
it's not possible to use auth-policies and silos with Samba-DCs only. So 
I need at least one Windows DC :-(

On 19.10.23 at 11:48, Stefan Kania via samba wrote:
> Do you know which of the RSAT I need to use to manage auth-policies and 
> silos? With samba-tool I can't assign users and hosts to the policies. I 
> can only create, delete, list and view policies and silos.
> 
> 
> On 19.10.23 at 09:03, Daniel Müller via samba wrote:
>> Hello,
>>
>> You cannot use Active Directory Administrative Center because samba has 
>> no ADWS implemented.
>> There were efforts, but ADWS did not reach production status. I 
>> think Catalyst, Andrew Bartlett tried something, did not finish it.
>> Yes, you need to use the old RSAT.
>>
>> Greetings
>> Daniel
>>
>>
>> EDV Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>>
>>
>>
>> -----Original Message-----
>> From: Stefan Kania via samba [mailto:samba at lists.samba.org]
>> Sent: Wednesday, 18 October 2023 17:43
>> To: Samba List <samba at lists.samba.org>
>> Subject: [Samba] Question about silos and Authentication policies
>>
>> I just installed Samba 4.19.1 (Sernet-packages). Here is my smb.conf 
>> on my DC
>> -----------------
>> # Global parameters
>> [global]
>>           ad dc functional level = 2016
>>           netbios name = ADDC-01
>>           realm = EXAMPLE.NET
>>           server role = active directory domain controller
>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>           workgroup = EXAMPLE
>>
>> [sysvol]
>>           path = /var/lib/samba/sysvol
>>           read only = No
>>
>> [netlogon]
>>           path = /var/lib/samba/sysvol/example.net/scripts
>>           read only = No
>> -----------------
>>
>> I provisioned my DC with:
>>
>> -----------
>> samba-tool domain provision --option="ad dc functional level = 2016" \
>>     --function-level=2016 --domain=example --realm=example.net \
>>     --host-ip=192.168.56.201 --backend-store=mdb --dns-backend=BIND9_DLZ \
>>     --adminpass=Gansgehe1m
>> -----------
>>
>> Then I did:
>> ---------
>> samba-tool domain schemaupgrade --schema=2019
>> samba-tool domain functionalprep --function-level=2016
>> samba-tool domain level raise --domain-level=2016 --forest-level=2016
>> ---------
>>
>> I joined a Windows 10 client. I can start ADUC, sites-and-services, 
>> DNS-manager from RSAT. But if I try to start "Active Directory 
>> Administrative Center" to manage auth-policies and silos I get the
>> message:
>> --------
>> It's not possible to get a connection to any domain
>> --------
>> So even if I had switched to FL 2016 I still can't manage auth-policies 
>> and silos via Windows RSAT?
>>
>> Or did I forget something?
>>
>>


