[Samba] Managing Samba Active directory.
Rowland Penny
rowlandpenny at googlemail.com
Tue May 5 11:47:30 MDT 2015
On 05/05/15 18:34, A. James Lewis wrote:
>
> Hmm, thanks to all who replied... you've actually made me think of
> another question... I guess it's a bit odd on this list to see someone
> who's looking at using AD that doesn't know anything about it... last
> time I was tempted down the Windows path it was Win9x.
>
> Anyway, you mentioned "netgroup management", which makes me wonder if
> the other NIS style maps can be hosted in AD, such as autofs maps.. is
> there any guide for how to do that.
>
> I guess it's a shame there's no native GUI for doing this since
> Microsoft's directory management stuff does seem to be rather
> ubiquitous and perhaps if it can support all the maps we would want in
> Unix then we could leverage that...
>
> James
>
> On 05/05/15 13:14, Luke Bigum wrote:
>> Hi James,
>>
>> We use Samba 4.2 DCs and have Linux talking to the DC fine. This is
>> using Kerberos via SSSD on CentOS 6 and various Fedoras - Password
>> expiry works, nested Groups work, Sudo rules and Netgroups can be
>> placed inside the AD tree as well.
>>
>> A combination of the samba-tool command and pdbedit can achieve most
>> things, however you will still need the Windows Management tools to
>> interact with the Windows side of things, for example Group Policy
>> Management. The ADUC tools are also very useful for visualising your
>> LDAP tree and moving things around. Our internal documentation also
>> says you need to use the ADUC tools to add UNIX Attributes to a
>> Security Group. There might be a way to do it on the command line but
>> none of us have seemed to have bothered to figure it out :-)
>>
>> I would recommend a single Windows Server (2012) with the ADUC tools
>> installed for management (you could probably get by with Win8.1 but
>> Server is less "graphical"). The server just needs to be joined to
>> your domain, it doesn't need to be DC as well. Then just install the
>> "AD Management Tools" role and you should be set.
>>
>> I do not recommend other Linux based LDAP management tools, eg: LAM
>> (https://www.ldap-account-manager.org/lamcms/). Our staff are under
>> strict instructions only to use LAM for Netgroup management. You can
>> create users and groups in LAM that badly break things on the AD
>> side, like not creating the correct password expiry attributes.
>>
>> -Luke
>>
>> ----- Original Message -----
>> From: "A. James Lewis" <james at fsck.co.uk>
>> To: samba at lists.samba.org
>> Sent: Tuesday, 5 May, 2015 12:32:34 PM
>> Subject: [Samba] Managing Samba Active directory.
>>
>>
>> Hi,
>>
>> I've never been a Windows user, but I'm curious to see how the AD
>> integration works in Linux, since it looks like we may need to have one
>> or two Windows desktops and I don't really want to start setting up
>> Windows infrastructure. If I can have Samba as a domain controller that
>> makes things a lot simpler.
>>
>> I have one question tho, the documentation suggests using the Microsoft
>> tools to administer the domain... is there any equivalent on Linux for
>> doing this? I'd hate to have to install a Windows machine simply to
>> administer a Samba domain controller that was set up to avoid having to
>> install Windows infrastructure.
>>
>> If Windows is required, what's the minimum installation/setup to
>> correctly administer a Samba domain, I guess I could run something in
>> Virtualbox to achieve this.
>>
>
>
If you do not need GPOs, then you can do pretty much all you need to do
from a terminal using samba-tool, create users and groups etc, what you
cannot do at the present is keep track of the next uid & gidNumber (will
somebody who can write python programs please extend samba-tool to do
this, I can do it with bash and ldb-tools, so it shouldn't be that hard).
You could run a copy of windows in a VM and use ADUC from there, but I
get the feeling that you are like me and prefer to do most admin from a
terminal, it is faster for one thing.
Rowland
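
The reply above mentions tracking the next uidNumber and gidNumber with bash and ldb-tools. The following is an added example, not code from this thread or from the Samba project, showing one way to do that by parsing `ldbsearch` LDIF output; it also flags duplicate IDs. The function names, the floor of 10000, the database path placeholder and the sample LDIF are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: IDs are handed out upward from a site-chosen
# floor (10000 here); the LDIF below is constructed sample data.

# next_id ATTR FLOOR: read ldbsearch LDIF on stdin, print highest ATTR + 1,
# or FLOOR when no entry carries the attribute yet.
next_id() {
    awk -v attr="$1" -v start="$2" '
        BEGIN { key = tolower(attr) ":"; max = start - 1 }
        tolower($1) == key && $2 ~ /^[0-9]+$/ { if ($2 + 0 > max) max = $2 + 0 }
        END { print max + 1 }'
}

# duplicate_ids ATTR: print every ATTR value held by more than one entry.
# Two accounts sharing a uidNumber share file ownership on every Unix host.
# For gidNumber, feed it group entries only (users share a primary group).
duplicate_ids() {
    awk -v attr="$1" '
        BEGIN { key = tolower(attr) ":" }
        tolower($1) == key { seen[$2]++ }
        END { for (v in seen) if (seen[v] > 1) print v }' | sort -n
}

# Constructed sample in the shape ldbsearch prints (not real directory data).
SAMPLE_LDIF='# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10007
gidNumber: 10000

# record 3
dn: CN=carol,CN=Users,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000
'

# Live use on a DC (database path is a placeholder for your install):
#   ldbsearch -H /path/to/private/sam.ldb '(uidNumber=*)' uidNumber | next_id uidNumber 10000
printf '%s' "$SAMPLE_LDIF" | next_id uidNumber 10000
printf '%s' "$SAMPLE_LDIF" | duplicate_ids uidNumber
```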