[Samba] Group Policy alternative (Looking for feedback on a project)

contactdarin at posteo.net contactdarin at posteo.net
Tue Jun 11 21:00:33 UTC 2024

Hello all,

So I am working on a group policy-like system based around Ansible. 
Essentially, I am going to use Ansible playbooks as a cross-platform 
alternative to the Windows registry and Group Policy Objects (GPOs). In 
Samba, the way the group policy is applied is that it reads the set 
registry values and then tries to translate that into Linux language. 
This is inefficient and limiting as from my understanding it effectively 
requires a hand-built translator. I figured using Ansible for this might 
be smart as Ansible playbooks are just configs that get translated into 
commands, which makes them portable and flexible. Additionally, Ansible 
has a large community backing it with lots of plugins, so doing 
administration with Ansible should be easier. With this approach, you 
could even have a domain-joined machine run playbooks on other machines. 
I envision this to be a more decentralized approach to administration 
that takes advantage of the nature of Active Directory.

For the design, the Ansible playbooks will be stored in the sysvol 
folder. On each host, Ansible will be set up by a daemon and then it 
will run the playbooks against the local host based on the objects in 
Lightweight Directory Access Protocol (LDAP). It will read LDAP and 
execute the proper playbooks. I am not sure if I can reuse some parts of 
group policy for this but I am hoping not to reinvent the wheel. I know 
that the Windows Remote Server Administration Tools (RSAT) are unlikely 
to work for this kind of thing so I probably will need to built a 
management tool.

When I was working on coming up with a design for this I noticed is that 
there is an apparent lack of free and open-source cross-platform tools 
for Active Directory. It seems like Microsoft RSAT is the only tool 
suite that can easily manage AD systems. You could argue that Apache 
Directory is an alternative, but in my experience, software coming from 
Apache isn't always the most reliable or up to date. I also could use 
Samba-tool, but as far as I can tell, Samba tool is fairly limited and 
only works on Samba domain controllers. I actually started initial work 
on a GUI tool for managing users in AD but quickly figured out that I am 
very bad at GUI programming. If someone is working on a cross-platform 
GUI for AD, please let me know.

To sum it up, I am aiming to build an Active Directory toolset that can 
administer Linux machines from Active Directory. I am looking for 
feedback on this design as I fairly new at this.

Thank you for your time,


More information about the samba mailing list