[Samba] Managing Samba Active directory.

Tim lists at kiuni.de
Tue May 5 16:38:49 MDT 2015

What is your infrastructure. What kind of clients do you have and how many?
Possibly a samba AD DC is "too much" for you.
If you have much Linux clients you should take a look at freeipa where you can also authenticate windows clients - if only identity management is important.


Am 5. Mai 2015 19:47:30 MESZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>:
>On 05/05/15 18:34, A. James Lewis wrote:
>> Hmm, thanks to all who replied... you've actually made me think of 
>> another question... I gues it's a bit odd on this list to see someone
>> who's looking at using AD that doesn't know anything about it... last
>> time I was tempted down the Windows path it was Win9x.
>> Anyway, you mentioned "netgroup management", which makes me wonder if
>> the other NIS style maps can be hosted in AD, such as autofs maps..
>> there any guide for how to do that.
>> I guess it's a shame there's no native GUI for doing this since 
>> Microsoft's directory management stuff does seem to be rather 
>> ubiquitous and perhaps if it can support all the maps we would want
>> Unix then we could leverage that...
>> James
>> On 05/05/15 13:14, Luke Bigum wrote:
>>> Hi James,
>>> We use Samba 4.2 DCs and have Linux talking to the DC fine. This is 
>>> using Kerberos via SSSD on CentOS 6 and various Fedoras - Password 
>>> expiry works, nested Groups work, Sudo rules and Netgroups can be 
>>> placed inside the AD tree as well.
>>> A combination of the samba-tool command and pdbedit can achieve most
>>> things, however you will still need the Windows Management tools to 
>>> interact with the Windows side of things, for example Group Policy 
>>> Management. The ADUC tools are also very useful for visualising your
>>> LDAP tree and moving things around. Our internal documentation also 
>>> says you need to use the ADUC tools to add UNIX Attributes to a 
>>> Security Group. There might be a way to do it on the command line
>>> none of us have seemed to have bothered to figure it out :-)
>>> I would recommend a single Windows Server (2012) with the ADUC tools
>>> installed for management (you could probably get by with Win8.1 but 
>>> Server is less "graphical"). The server just needs to be joined to 
>>> your domain, it doesn't need to be DC as well. Then just install the
>>> "AD Management Tools" role and you should be set.
>>> I do not recommend other Linux based LDAP management tools, eg: LAM 
>>> (https://www.ldap-account-manager.org/lamcms/). Our staff are under 
>>> strict instructions only to use LAM for Netgroup management. You can
>>> create users and groups in LAM that badly break things on the AD 
>>> side, like not creating the correct password expiry attributes.
>>> -Luke
>>> ----- Original Message -----
>>> From: "A. James Lewis" <james at fsck.co.uk>
>>> To: samba at lists.samba.org
>>> Sent: Tuesday, 5 May, 2015 12:32:34 PM
>>> Subject: [Samba] Managing Samba Active directory.
>>> Hi,
>>> I've never been a Windows user, but I'm curious to see how the AD
>>> integration works in Linux, since it looks like we may need to have
>>> or two Windows desktops and I don't realy want to start setting up
>>> Windows infrastructure.  If I can have Samba as a domain controller
>>> makes things a lot simpler.
>>> I have one question tho, the documentation suggests using the
>>> tools to administer the domain... is there any equivalent on Linux
>>> doing this?  I'd hate to have to install a Windows machine simply to
>>> administer a Samba domain controller that was set up to avoid having
>>> install Windows infrastructure.
>>> If Windows is required, what's the minimum installation/setup to
>>> correctly administer a Samba domain, I guess I could run something
>>> Virtualbox to achieve this.
>If you do not need GPOs, then you can do pretty much all you need to do
>from a terminal using samba-tool, create users and groups etc, what you
>cannot do at the present is keep track of the next uid & gidNumber
>somebody who can write python programs please extend samba-tool to do 
>this, I can do it with bash and ldb-tools, so it shouldn't be that
>You could run a copy of windows in a VM and use ADUC from there, but I 
>get the feeling that you are like me and prefer to most admin from a 
>terminal, it is faster for one thing.
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list