[Samba] Group Policy alternative (Looking for feedback on a project)

Kees van Vloten keesvanvloten at gmail.com
Wed Jun 12 17:18:01 UTC 2024


On 11-06-2024 23:00, Darin via samba wrote:
> Hello all,
>
> So I am working on a group policy-like system based around Ansible. 
> Essentially, I am going to use Ansible playbooks as a cross-platform 
> alternative to the Windows registry and Group Policy Objects (GPOs). 
> In Samba, the way the group policy is applied is that it reads the set 
> registry values and then tries to translate that into Linux language. 
> This is inefficient and limiting as from my understanding it 
> effectively requires a hand-built translator. I figured using Ansible 
> for this might be smart as Ansible playbooks are just configs that get 
> translated into commands, which makes them portable and flexible. 
> Additionally, Ansible has a large community backing it with lots of 
> plugins, so doing administration with Ansible should be easier. With 
> this approach, you could even have a domain-joined machine run 
> playbooks on other machines. I envision this to be a more 
> decentralized approach to administration that takes advantage of the 
> nature of Active Directory.
>
> For the design, the Ansible playbooks will be stored in the sysvol 
> folder. On each host, Ansible will be set up by a daemon and then it 
> will run the playbooks against the local host based on the objects in 
> Lightweight Directory Access Protocol (LDAP). It will read LDAP and 
> execute the proper playbooks. I am not sure if I can reuse some parts 
> of group policy for this but I am hoping not to reinvent the wheel. I 
> know that the Windows Remote Server Administration Tools (RSAT) are 
> unlikely to work for this kind of thing so I probably will need to 
> build a management tool.
>
> When I was working on coming up with a design for this I noticed 
> that there is an apparent lack of free and open-source cross-platform 
> tools for Active Directory. It seems like Microsoft RSAT is the only 
> tool suite that can easily manage AD systems. You could argue that 
> Apache Directory is an alternative, but in my experience, software 
> coming from Apache isn't always the most reliable or up to date. I 
> also could use Samba-tool, but as far as I can tell, Samba tool is 
> fairly limited and only works on Samba domain controllers. I actually 
> started initial work on a GUI tool for managing users in AD but 
> quickly figured out that I am very bad at GUI programming. If someone 
> is working on a cross-platform GUI for AD, please let me know.

LAM is a web-based tool for many AD/LDAP-related tasks.

If you are looking for a desktop management client, you can find admc on 
GitHub.

>
> To sum it up, I am aiming to build an Active Directory toolset that 
> can administer Linux machines from Active Directory. I am looking for 
> feedback on this design as I am fairly new at this.
>
> Thank you for your time,
>
> Darin
>


