[Samba] Managing Samba Active directory.

Luke Bigum luke.bigum at lmax.com
Wed May 6 02:21:09 MDT 2015


Replying back to the list :-)

The Sudoers functionality is achieved by modifying the Samba schema; the sudo package itself distributes the schema change LDIF:

$ rpm -ql sudo | grep schema
/usr/share/doc/sudo/schema.ActiveDirectory
/usr/share/doc/sudo/schema.OpenLDAP
/usr/share/doc/sudo/schema.iPlanet

Technically if you could find the correct schema to store autofs data in AD then it should work.

Red Hat even appear to allow you to specify the LDAP attributes and object classes to use:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-config-autofs-LDAP.html

In fact, someone's already got Samba 4 serving automount data:

https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

Note the warning at the top of the page.

-Luke

--
Luke Bigum
Senior Systems Engineer

Information Systems
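
The following is an added example, not code from the thread, the sudo package, Samba or SSSD. It renders the objects Luke describes (a sudoRole using the attribute names from sudo's schema.ActiveDirectory, and an automountMap/automount pair using the rfc2307bis names the Red Hat autofs page lets you configure) as LDIF for an AD tree, and then evaluates sudoRole entries the way sudo's LDAP back-end does: roles are walked in ascending sudoOrder and the last role that speaks for the command wins, with a "!" command entry denying. The domain DC=example,DC=com, the OU names and all users, groups, hosts and netgroups are constructed assumptions.

```python
"""sudoRole / automount LDIF for a Samba AD tree, plus a sudoRole evaluator.

Added illustration; not project code.  Domain, OUs, users, groups, hosts and
netgroups below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional, Sequence, Tuple

BASE_DN = "DC=example,DC=com"  # assumption: constructed domain


def ldif_entry(dn: str, attrs: dict) -> str:
    """Render one LDIF entry; a list value repeats the attribute name."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        for v in ([values] if isinstance(values, str) else values):
            lines.append(f"{name}: {v}")
    return "\n".join(lines) + "\n"


def sudo_role_ldif(cn, users, hosts, commands, runas="root", order=0) -> str:
    """sudoRole object with the attributes from sudo's schema.ActiveDirectory."""
    return ldif_entry(f"CN={cn},OU=SUDOers,{BASE_DN}", {
        "objectClass": ["top", "sudoRole"],
        "cn": cn,
        "sudoUser": list(users),
        "sudoHost": list(hosts),
        "sudoCommand": list(commands),
        "sudoRunAsUser": runas,
        "sudoOrder": str(order),
    })


def automount_ldif(map_name: str, key: str, info: str) -> str:
    """automountMap + automount pair (rfc2307bis attribute names that autofs
    reads by default).  CN is used as the RDN because AD expects it."""
    map_dn = f"CN={map_name},OU=automount,{BASE_DN}"
    return (ldif_entry(map_dn, {"objectClass": ["top", "automountMap"],
                                "cn": map_name, "automountMapName": map_name})
            + ldif_entry(f"CN={key},{map_dn}", {
                "objectClass": ["top", "automount"], "cn": key,
                "automountKey": key, "automountInformation": info}))


@dataclass
class SudoRole:
    cn: str
    users: Sequence[str]      # user, %group, +netgroup or ALL
    hosts: Sequence[str]      # hostname glob, +netgroup or ALL
    commands: Sequence[str]   # command glob, !command or ALL
    order: int = 0            # sudoOrder


def _user_ok(spec, user, groups, netgroups) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    if spec.startswith("+"):
        return spec[1:] in netgroups
    return spec == user


def _host_ok(spec, host, netgroups) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return spec[1:] in netgroups
    return fnmatchcase(host, spec)


def _command_verdict(specs, command) -> Optional[bool]:
    """None: role says nothing about this command; False: a '!' entry denies."""
    allowed = None
    for spec in specs:
        negate = spec.startswith("!")
        pattern = spec[1:] if negate else spec
        if pattern == "ALL" or fnmatchcase(command, pattern):
            if negate:
                return False
            allowed = True
    return allowed


def decide(roles: Iterable[SudoRole], user, groups, user_netgroups,
           host, host_netgroups, command) -> Optional[Tuple[str, bool]]:
    """Ascending sudoOrder, last role that matches the command wins."""
    result = None
    for role in sorted(roles, key=lambda r: r.order):
        if not any(_user_ok(s, user, groups, user_netgroups) for s in role.users):
            continue
        if not any(_host_ok(s, host, host_netgroups) for s in role.hosts):
            continue
        verdict = _command_verdict(role.commands, command)
        if verdict is not None:
            result = (role.cn, verdict)
    return result


# Constructed sample: note that "admins" is root everywhere; the higher-ordered
# "no-shells" role is what stops it from handing out interactive shells.
SAMPLE_ROLES = [
    SudoRole("admins", ["+sysadmins"], ["ALL"], ["ALL"], order=5),
    SudoRole("ops-restart-httpd", ["%ops"], ["web*"],
             ["/usr/bin/systemctl restart httpd"], order=10),
    SudoRole("no-shells", ["ALL"], ["ALL"], ["!/bin/sh", "!/bin/bash"], order=20),
]

if __name__ == "__main__":
    for r in SAMPLE_ROLES:
        print(sudo_role_ldif(r.cn, r.users, r.hosts, r.commands, order=r.order))
    print(automount_ldif("auto.home", "alice", "-fstype=nfs4 fs01:/export/home/alice"))
    print(decide(SAMPLE_ROLES, "bob", set(), {"sysadmins"}, "db01", set(), "/bin/sh"))
```

The LDIF is what you would feed to ldbadd or ldapadd once the sudo schema has been loaded into the DC; the evaluator is only there to reason about precedence before committing a rule, since a sudoHost: ALL / sudoCommand: ALL role with a low sudoOrder is overridden by every later role that matches, and a "!" entry anywhere in a matching role with a higher sudoOrder turns an earlier ALL into a denial.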

----- Original Message -----
From: "A. James Lewis" <james at fsck.co.uk>
To: "Luke Bigum" <luke.bigum at lmax.com>
Sent: Tuesday, 5 May, 2015 6:33:15 PM
Subject: Re: [Samba] Managing Samba Active directory.


Hmm, thanks to all who replied... you've actually made me think of 
another question... I guess it's a bit odd on this list to see someone 
who's looking at using AD that doesn't know anything about it... last 
time I was tempted down the Windows path it was Win9x.

Anyway, you mentioned "netgroup management", which makes me wonder if 
the other NIS style maps can be hosted in AD, such as autofs maps.. is 
there any guide for how to do that.

I guess it's a shame there's no native GUI for doing this since 
Microsoft's directory management stuff does seem to be rather ubiquitous 
and perhaps if it can support all the maps we would want in Unix then we 
could leverage that...

James

On 05/05/15 13:14, Luke Bigum wrote:
> Hi James,
>
> We use Samba 4.2 DCs and have Linux talking to the DC fine. This is using Kerberos via SSSD on CentOS 6 and various Fedoras - Password expiry works, nested Groups work, Sudo rules and Netgroups can be placed inside the AD tree as well.
>
> A combination of the samba-tool command and pdbedit can achieve most things, however you will still need the Windows Management tools to interact with the Windows side of things, for example Group Policy Management. The ADUC tools are also very useful for visualising your LDAP tree and moving things around. Our internal documentation also says you need to use the ADUC tools to add UNIX Attributes to a Security Group. There might be a way to do it on the command line but none of us seem to have bothered to figure it out :-)
>
> I would recommend a single Windows Server (2012) with the ADUC tools installed for management (you could probably get by with Win8.1 but Server is less "graphical"). The server just needs to be joined to your domain, it doesn't need to be DC as well. Then just install the "AD Management Tools" role and you should be set.
>
> I do not recommend other Linux based LDAP management tools, eg: LAM (https://www.ldap-account-manager.org/lamcms/). Our staff are under strict instructions only to use LAM for Netgroup management. You can create users and groups in LAM that badly break things on the AD side, like not creating the correct password expiry attributes.
>
> -Luke
>
> ----- Original Message -----
> From: "A. James Lewis" <james at fsck.co.uk>
> To: samba at lists.samba.org
> Sent: Tuesday, 5 May, 2015 12:32:34 PM
> Subject: [Samba] Managing Samba Active directory.
>
>
> Hi,
>
> I've never been a Windows user, but I'm curious to see how the AD
> integration works in Linux, since it looks like we may need to have one
> or two Windows desktops and I don't really want to start setting up
> Windows infrastructure.  If I can have Samba as a domain controller that
> makes things a lot simpler.
>
> I have one question though, the documentation suggests using the Microsoft
> tools to administer the domain... is there any equivalent on Linux for
> doing this?  I'd hate to have to install a Windows machine simply to
> administer a Samba domain controller that was set up to avoid having to
> install Windows infrastructure.
>
> If Windows is required, what's the minimum installation/setup to
> correctly administer a Samba domain, I guess I could run something in
> Virtualbox to achieve this.
>


-- 
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
---

LMAX Exchange, Yellow Building, 1A Nicholas Road, London W11 4AN
http://www.LMAX.com/


More information about the samba mailing list