[Samba] Question about silos and Authentication policies

Andrew Bartlett abartlet at samba.org
Thu Oct 19 21:42:58 UTC 2023


We are writing a set of command line tools to provide the
administration. 

It would be great to see someone want to take up implementing/funding
the ADWS server, but for now we hope the command-line clients will be
enough.

Please do try them out and give feedback.  The current effort is at
this MR: 

https://gitlab.com/samba-team/samba/-/merge_requests/3325

Andrew Bartlett

On Thu, 2023-10-19 at 15:09 +0200, Stefan Kania via samba wrote:
> I looked around a little bit, but as far as I can see, at the moment
> it's not possible to use auth-policies and silos with Samba-DCs only.
> So I need at least one Windows DC :-(
> 
> On 19.10.23 at 11:48, Stefan Kania via samba wrote:
> > Do you know which of the RSAT I need to use to manage auth-policies
> > and silos? With samba-tool I can't assign users and hosts to the
> > policies. I can only create, delete, list and view policies and silos
> > 
> > 
> > On 19.10.23 at 09:03, Daniel Müller via samba wrote:
> > > Hello,
> > > 
> > > You cannot use Active Directory Administrative Center because
> > > samba has no ADWS implemented.
> > > There were efforts, but ADWS did not reach production status.
> > > I think Catalyst, Andrew Bartlett tried something, did not finish
> > > it.
> > > Yes you need to use the old RSAT.
> > > 
> > > Greetings
> > > Daniel
> > > 
> > > 
> > > IT Daniel Müller
> > > 
> > > Head of IT
> > > Tropenklinik Paul-Lechler-Krankenhaus
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Stefan Kania via samba [mailto:samba at lists.samba.org]
> > > Sent: Wednesday, 18 October 2023 17:43
> > > To: Samba List <samba at lists.samba.org>
> > > Subject: [Samba] Question about silos and Authentication policies
> > > 
> > > I just installed Samba 4.19.1 (Sernet-packages). Here is my
> > > smb.conf on my DC
> > > -----------------
> > > # Global parameters
> > > [global]
> > >           ad dc functional level = 2016
> > >           netbios name = ADDC-01
> > >           realm = EXAMPLE.NET
> > >           server role = active directory domain controller
> > >           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > >           workgroup = EXAMPLE
> > > 
> > > [sysvol]
> > >           path = /var/lib/samba/sysvol
> > >           read only = No
> > > 
> > > [netlogon]
> > >           path = /var/lib/samba/sysvol/example.net/scripts
> > >           read only = No
> > > -----------------
> > > 
> > > I provisioned my DC with:
> > > 
> > > -----------
> > > samba-tool domain provision --option="ad dc functional level = 2016" \
> > >     --function-level=2016 --domain=example --realm=example.net \
> > >     --host-ip=192.168.56.201 --backend-store=mdb --dns-backend=BIND9_DLZ \
> > >     --adminpass=Gansgehe1m
> > > -----------
> > > 
> > > Then I did:
> > > ---------
> > > samba-tool domain schemaupgrade --schema=2019
> > > samba-tool domain functionalprep --function-level=2016
> > > samba-tool domain level raise --domain-level=2016 --forest-level=2016
> > > ---------
> > > 
> > > I joined a Windows 10 client. I can start ADUC, sites-and-services,
> > > DNS-manager from RSAT. But if I try to start "Active Directory
> > > Administrative Center" to manage auth-policies and silos I am getting
> > > the message:
> > > --------
> > > It's not possible to get a connection to any domain
> > > --------
> > > So even if I had switched to FL 2016 I still can't manage
> > > auth-policies and silos via Windows RSAT?
> > > 
> > > Or did I forget something?
> > > 
> > > 
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions



