[Samba] GPO on a DC

Rowland Penny rpenny at samba.org
Fri Jun 24 16:39:35 UTC 2022

On Fri, 2022-06-24 at 15:45 +0000, samba-ml-en wrote:
> Rowland,
> This is a long term project I am working on (now almost 2 years
> during my spare time), it satisfies several requirements, like being
> deployed on Raspi, VM, physical with either a trunk or multi honed
> lan (ahh policy routing with systemd is certainly a lot of fun and
> time consuming). It implements an ISO 3166 like AD OU structure with
> security (delegations, roles like partial domain admin, HR etc...),
> GPOs  attached to regions and countries.
> It can adapt to homes, small medium and very large companies (where I
> come from, I worked on the design of the @thetime largest single
> domain AD in the world - albeit, it was a MS shop).
> So I embarked quickly into scripting all of it (about 2500 lines
> now). So as for technologies, well I tried everything available with
> Samba (prospective customers may request...), hence LDAPS, since I am
> now a "security expert", would you be kind enough to elaborate on
> security issues with it ? Do you consider TLS insecure ? My
> understanding of the protocol is that LDAP is required and should
> always be available (to AD and others), and LDAPS is an extra (most
> probably you would use it with applications - if no other choice is
> available like tunneling or VPN)
> Development is now finished, and I am quite happy with the result, I
> tested everything and hit the wall with this problem. My script does
> everything I wanted (FSMO and DC roles, member role) with the
> exception of coffee while you wait (ISO 3166), and GPOs on Linux
> members and DCs.

Try reading this:



More information about the samba mailing list