[Samba] Managing Samba Active directory.

Rowland Penny rowlandpenny at googlemail.com
Tue May 5 11:47:30 MDT 2015

On 05/05/15 18:34, A. James Lewis wrote:
> Hmm, thanks to all who replied... you've actually made me think of 
> another question... I guess it's a bit odd on this list to see someone 
> who's looking at using AD that doesn't know anything about it... last 
> time I was tempted down the Windows path it was Win9x.
> Anyway, you mentioned "netgroup management", which makes me wonder if 
> the other NIS style maps can be hosted in AD, such as autofs maps.. is 
> there any guide for how to do that.
> I guess it's a shame there's no native GUI for doing this since 
> Microsoft's directory management stuff does seem to be rather 
> ubiquitous and perhaps if it can support all the maps we would want in 
> Unix then we could leverage that...
> James
> On 05/05/15 13:14, Luke Bigum wrote:
>> Hi James,
>> We use Samba 4.2 DCs and have Linux talking to the DC fine. This is 
>> using Kerberos via SSSD on CentOS 6 and various Fedoras - Password 
>> expiry works, nested Groups work, Sudo rules and Netgroups can be 
>> placed inside the AD tree as well.
>> A combination of the samba-tool command and pdbedit can achieve most 
>> things, however you will still need the Windows Management tools to 
>> interact with the Windows side of things, for example Group Policy 
>> Management. The ADUC tools are also very useful for visualising your 
>> LDAP tree and moving things around. Our internal documentation also 
>> says you need to use the ADUC tools to add UNIX Attributes to a 
>> Security Group. There might be a way to do it on the command line but 
>> none of us seem to have bothered to figure it out :-)
>> I would recommend a single Windows Server (2012) with the ADUC tools 
>> installed for management (you could probably get by with Win8.1 but 
>> Server is less "graphical"). The server just needs to be joined to 
>> your domain, it doesn't need to be DC as well. Then just install the 
>> "AD Management Tools" role and you should be set.
>> I do not recommend other Linux based LDAP management tools, eg: LAM 
>> (https://www.ldap-account-manager.org/lamcms/). Our staff are under 
>> strict instructions only to use LAM for Netgroup management. You can 
>> create users and groups in LAM that badly break things on the AD 
>> side, like not creating the correct password expiry attributes.
>> -Luke
>> ----- Original Message -----
>> From: "A. James Lewis" <james at fsck.co.uk>
>> To: samba at lists.samba.org
>> Sent: Tuesday, 5 May, 2015 12:32:34 PM
>> Subject: [Samba] Managing Samba Active directory.
>> Hi,
>> I've never been a Windows user, but I'm curious to see how the AD
>> integration works in Linux, since it looks like we may need to have one
>> or two Windows desktops and I don't really want to start setting up
>> Windows infrastructure.  If I can have Samba as a domain controller that
>> makes things a lot simpler.
>> I have one question though, the documentation suggests using the Microsoft
>> tools to administer the domain... is there any equivalent on Linux for
>> doing this?  I'd hate to have to install a Windows machine simply to
>> administer a Samba domain controller that was set up to avoid having to
>> install Windows infrastructure.
>> If Windows is required, what's the minimum installation/setup to
>> correctly administer a Samba domain, I guess I could run something in
>> Virtualbox to achieve this.

If you do not need GPOs, then you can do pretty much all you need to do 
from a terminal using samba-tool: create users and groups etc. What you 
cannot do at present is keep track of the next uid & gidNumber (will 
somebody who can write python programs please extend samba-tool to do 
this; I can do it with bash and ldb-tools, so it shouldn't be that hard).

You could run a copy of windows in a VM and use ADUC from there, but I 
get the feeling that you are like me and prefer to do most admin from a 
terminal, it is faster for one thing.
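The bash-and-ldb-tools approach mentioned above, written out as an added example (not code from the thread or from Samba's own tooling). It assumes the DC database lives at /var/lib/samba/private/sam.ldb, that RFC2307 ids start at 10000, and works on a constructed ldbsearch output; the live function also serialises concurrent admins with flock, since nothing in AD reserves a number between the search and the create.

```shell
#!/bin/sh
# Added example: pick the next free uidNumber/gidNumber from ldbsearch output,
# then hand it to samba-tool. Paths and the 10000 floor are assumptions.

# Constructed sample of what
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' uidNumber gidNumber
# prints on a small domain (LDIF; lines starting with '#' are comments).
SAMPLE_LDIF='# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10000
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10007
gidNumber: 10000

# record 3
dn: CN=unixadmins,CN=Users,DC=example,DC=com
gidNumber: 10001

# returned 3 records
# 3 entries
# 0 referrals'

# next_id ATTR FLOOR: read LDIF on stdin, print max(ATTR)+1, never below FLOOR.
next_id() {
    awk -v attr="$1" -v floor="$2" '
        BEGIN { max = -1; key = attr ":" }
        $1 == key && $2 + 0 > max { max = $2 + 0 }
        END { n = max + 1; if (n < floor) n = floor; print n }'
}

next_uid_from_sample() { printf '%s\n' "$SAMPLE_LDIF" | next_id uidNumber 10000; }
next_gid_from_sample() { printf '%s\n' "$SAMPLE_LDIF" | next_id gidNumber 10000; }

# Live variant (needs a DC; not run here). The lock closes the window between
# "find the highest uidNumber" and "create the user" when two admins race.
create_unix_user() {  # usage: create_unix_user USERNAME  (samba-tool prompts for the password)
    (
        flock 9 || exit 1
        uid=$(ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber | next_id uidNumber 10000)
        samba-tool user create "$1" --uid-number="$uid" --gid-number=10000 \
            --unix-home="/home/$1" --login-shell=/bin/bash
    ) 9>/run/lock/samba-nextid.lock
}

echo "next uidNumber: $(next_uid_from_sample), next gidNumber: $(next_gid_from_sample)"
```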

