[Samba] Group Policy alternative (Looking for feedback on a project)
Kees van Vloten
keesvanvloten at gmail.com
Wed Jun 12 17:18:01 UTC 2024
On 11-06-2024 23:00, Darin via samba wrote:
> Hello all,
>
> So I am working on a group policy-like system based around Ansible.
> Essentially, I am going to use Ansible playbooks as a cross-platform
> alternative to the Windows registry and Group Policy Objects (GPOs).
> In Samba, the way the group policy is applied is that it reads the set
> registry values and then tries to translate that into Linux language.
> This is inefficient and limiting as from my understanding it
> effectively requires a hand-built translator. I figured using Ansible
> for this might be smart as Ansible playbooks are just configs that get
> translated into commands, which makes them portable and flexible.
> Additionally, Ansible has a large community backing it with lots of
> plugins, so doing administration with Ansible should be easier. With
> this approach, you could even have a domain-joined machine run
> playbooks on other machines. I envision this to be a more
> decentralized approach to administration that takes advantage of the
> nature of Active Directory.
>
> For the design, the Ansible playbooks will be stored in the sysvol
> folder. On each host, Ansible will be set up by a daemon and then it
> will run the playbooks against the local host based on the objects in
> Lightweight Directory Access Protocol (LDAP). It will read LDAP and
> execute the proper playbooks. I am not sure if I can reuse some parts
> of group policy for this but I am hoping not to reinvent the wheel. I
> know that the Windows Remote Server Administration Tools (RSAT) are
> unlikely to work for this kind of thing so I probably will need to
> build a management tool.
>
> When I was working on coming up with a design for this I noticed
> that there is an apparent lack of free and open-source cross-platform
> tools for Active Directory. It seems like Microsoft RSAT is the only
> tool suite that can easily manage AD systems. You could argue that
> Apache Directory is an alternative, but in my experience, software
> coming from Apache isn't always the most reliable or up to date. I
> also could use Samba-tool, but as far as I can tell, Samba tool is
> fairly limited and only works on Samba domain controllers. I actually
> started initial work on a GUI tool for managing users in AD but
> quickly figured out that I am very bad at GUI programming. If someone
> is working on a cross-platform GUI for AD, please let me know.
LAM is a web-based tool for many AD/LDAP-related tasks.
If you are looking for a desktop management client, you can find admc on
GitHub.
>
> To sum it up, I am aiming to build an Active Directory toolset that
> can administer Linux machines from Active Directory. I am looking for
> feedback on this design as I am fairly new at this.
>
> Thank you for your time,
>
> Darin
>