[Samba] GPO on a DC

samba-ml-en samba-ml-en at protonmail.com
Fri Jun 24 15:45:32 UTC 2022


This is a long term project I am working on (now almost 2 years during my spare time), it satisfies several requirements, like being deployed on Raspi, VM, physical with either a trunk or multi honed lan (ahh policy routing with systemd is certainly a lot of fun and time consuming). It implements an ISO 3166 like AD OU structure with security (delegations, roles like partial domain admin, HR etc...), GPOs  attached to regions and countries.

It can adapt to homes, small medium and very large companies (where I come from, I worked on the design of the @thetime largest single domain AD in the world - albeit, it was a MS shop).

So I embarked quickly into scripting all of it (about 2500 lines now). So as for technologies, well I tried everything available with Samba (prospective customers may request...), hence LDAPS, since I am now a "security expert", would you be kind enough to elaborate on security issues with it ? Do you consider TLS insecure ? My understanding of the protocol is that LDAP is required and should always be available (to AD and others), and LDAPS is an extra (most probably you would use it with applications - if no other choice is available like tunneling or VPN)

Development is now finished, and I am quite happy with the result, I tested everything and hit the wall with this problem. My script does everything I wanted (FSMO and DC roles, member role) with the exception of coffee while you wait (ISO 3166), and GPOs on Linux members and DCs.


> You may have, but don't use ldaps, use kerberos instead, it is more secure.
> Rowland

More information about the samba mailing list