[Samba] Managing Samba Active directory.

A. James Lewis james at fsck.co.uk
Tue May 5 11:34:19 MDT 2015

Hmm, thanks to all who replied... you've actually made me think of 
another question... I guess it's a bit odd on this list to see someone 
who's looking at using AD that doesn't know anything about it... last 
time I was tempted down the Windows path it was Win9x.

Anyway, you mentioned "netgroup management", which makes me wonder if 
the other NIS style maps can be hosted in AD, such as autofs maps.. is 
there any guide for how to do that.

I guess it's a shame there's no native GUI for doing this since 
Microsoft's directory management stuff does seem to be rather ubiquitous 
and perhaps if it can support all the maps we would want in Unix then we 
could leverage that...


On 05/05/15 13:14, Luke Bigum wrote:
> Hi James,
> We use Samba 4.2 DCs and have Linux talking to the DC fine. This is using Kerberos via SSSD on CentOS 6 and various Fedoras - Password expiry works, nested Groups work, Sudo rules and Netgroups can be placed inside the AD tree as well.
> A combination of the samba-tool command and pdbedit can achieve most things, however you will still need the Windows Management tools to interact with the Windows side of things, for example Group Policy Management. The ADUC tools are also very useful for visualising your LDAP tree and moving things around. Our internal documentation also says you need to use the ADUC tools to add UNIX Attributes to a Security Group. There might be a way to do it on the command line but none of us have seemed to have bothered to figure it out :-)
> I would recommend a single Windows Server (2012) with the ADUC tools installed for management (you could probably get by with Win8.1 but Server is less "graphical"). The server just needs to be joined to your domain, it doesn't need to be DC as well. Then just install the "AD Management Tools" role and you should be set.
> I do not recommend other Linux based LDAP management tools, eg: LAM (https://www.ldap-account-manager.org/lamcms/). Our staff are under strict instructions only to use LAM for Netgroup management. You can create users and groups in LAM that badly break things on the AD side, like not creating the correct password expiry attributes.
> -Luke
> ----- Original Message -----
> From: "A. James Lewis" <james at fsck.co.uk>
> To: samba at lists.samba.org
> Sent: Tuesday, 5 May, 2015 12:32:34 PM
> Subject: [Samba] Managing Samba Active directory.
> Hi,
> I've never been a Windows user, but I'm curious to see how the AD
> integration works in Linux, since it looks like we may need to have one
> or two Windows desktops and I don't really want to start setting up
> Windows infrastructure.  If I can have Samba as a domain controller that
> makes things a lot simpler.
> I have one question tho, the documentation suggests using the Microsoft
> tools to administer the domain... is there any equivalent on Linux for
> doing this?  I'd hate to have to install a Windows machine simply to
> administer a Samba domain controller that was set up to avoid having to
> install Windows infrastructure.
> If Windows is required, what's the minimum installation/setup to
> correctly administer a Samba domain, I guess I could run something in
> Virtualbox to achieve this.

A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
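As an added illustration of the setup Luke describes (Kerberos via SSSD, with netgroups and sudo rules kept in the AD tree) and of the autofs maps James asks about, here is a minimal sssd.conf for a Linux client joined to a Samba AD domain. This is not Luke's configuration or anything shipped by Samba; the domain name, realm and OU paths are assumed, and it presumes the AD schema already carries the rfc2307/SFU classes (posixAccount attributes, nisNetgroup, nisMap/nisObject) plus the sudo schema extension for sudoRole objects.

```ini
# /etc/sssd/sssd.conf  (assumed domain example.com, realm EXAMPLE.COM)
[sssd]
config_file_version = 2
services = nss, pam, sudo, autofs
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
sudo_provider = ad
autofs_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Take uidNumber/gidNumber from the UNIX attributes stored in AD instead of
# deriving IDs from SIDs, so file ownership agrees across Linux and Windows.
ldap_id_mapping = False

# Assumed OUs holding sudoRole, nisNetgroup and nisMap/nisObject entries.
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_netgroup_search_base = ou=Netgroups,dc=example,dc=com
ldap_autofs_search_base = ou=Automount,dc=example,dc=com

# Allow login from cached credentials when the DC is unreachable.
cache_credentials = True
use_fully_qualified_names = False
```

The host must already be joined to the domain (for example with `net ads join`), and /etc/nsswitch.conf needs `netgroup: sss files`, `sudoers: files sss` and `automount: sss files` before these maps are consulted.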
