[Samba] Group Policy alternative (Looking for feedback on a project)

Kees van Vloten keesvanvloten at gmail.com
Wed Jun 12 17:34:56 UTC 2024


On 11-06-2024 23:00, Darin via samba wrote:
> Hello all,
>
> So I am working on a group policy-like system based around Ansible. 
> Essentially, I am going to use Ansible playbooks as a cross-platform 
> alternative to the Windows registry and Group Policy Objects (GPOs). 
> In Samba, the way the group policy is applied is that it reads the set 
> registry values and then tries to translate that into Linux language. 
> This is inefficient and limiting as from my understanding it 
> effectively requires a hand-built translator. 

David Mulder is doing a lot of work in this direction, you could consult 
and/or him to improve GPO support on Linux instead of starting a new 
MS-AD incompatible piece of work (which will also require a lot of work).

It is already possible in Samba to generate GPOs from a json file 
containing the registry settings, if it were for Windows. With that you 
do not need any GUI to create GPOs. Another advantage is that you have 
them as source code instead of some binary regpol file, so you can 
version it for example in git.

- Kees.

> I figured using Ansible for this might be smart as Ansible playbooks 
> are just configs that get translated into commands, which makes them 
> portable and flexible. Additionally, Ansible has a large community 
> backing it with lots of plugins, so doing administration with Ansible 
> should be easier. With this approach, you could even have a 
> domain-joined machine run playbooks on other machines. I envision this 
> to be a more decentralized approach to administration that takes 
> advantage of the nature of Active Directory.
>
> For the design, the Ansible playbooks will be stored in the sysvol 
> folder. On each host, Ansible will be set up by a daemon and then it 
> will run the playbooks against the local host based on the objects in 
> Lightweight Directory Access Protocol (LDAP). It will read LDAP and 
> execute the proper playbooks. I am not sure if I can reuse some parts 
> of group policy for this but I am hoping not to reinvent the wheel. I 
> know that the Windows Remote Server Administration Tools (RSAT) are 
> unlikely to work for this kind of thing so I probably will need to 
> build a management tool.
>
> When I was working on coming up with a design for this I noticed 
> that there is an apparent lack of free and open-source cross-platform 
> tools for Active Directory. It seems like Microsoft RSAT is the only 
> tool suite that can easily manage AD systems. You could argue that 
> Apache Directory is an alternative, but in my experience, software 
> coming from Apache isn't always the most reliable or up to date. I 
> also could use Samba-tool, but as far as I can tell, Samba tool is 
> fairly limited and only works on Samba domain controllers. I actually 
> started initial work on a GUI tool for managing users in AD but 
> quickly figured out that I am very bad at GUI programming. If someone 
> is working on a cross-platform GUI for AD, please let me know.
>
> To sum it up, I am aiming to build an Active Directory toolset that 
> can administer Linux machines from Active Directory. I am looking for 
> feedback on this design as I am fairly new at this.
>
> Thank you for your time,
>
> Darin
>
