Hmm, thanks to all who replied... you've actually made me think of another question... I guess it's a bit odd on this list to see someone who's looking at using AD that doesn't know anything about it... last time I was tempted down the Windows path it was Win9x.

Anyway, you mentioned "netgroup management", which makes me wonder if the other NIS style maps can be hosted in AD, such as autofs maps... is there any guide for how to do that?

I guess it's a shame there's no native GUI for doing this, since Microsoft's directory management stuff does seem to be rather ubiquitous, and perhaps if it can support all the maps we would want in Unix then we could leverage that...

James

On 05/05/15 13:14, Luke Bigum wrote:
> Hi James,
>
> We use Samba 4.2 DCs and have Linux talking to the DC fine. This is using Kerberos via SSSD on CentOS 6 and various Fedoras - Password expiry works, nested Groups work, Sudo rules and Netgroups can be placed inside the AD tree as well.
>
> A combination of the samba-tool command and pdbedit can achieve most things; however, you will still need the Windows Management tools to interact with the Windows side of things, for example Group Policy Management. The ADUC tools are also very useful for visualising your LDAP tree and moving things around. Our internal documentation also says you need to use the ADUC tools to add UNIX Attributes to a Security Group. There might be a way to do it on the command line but none of us have seemed to have bothered to figure it out :-)
>
> I would recommend a single Windows Server (2012) with the ADUC tools installed for management (you could probably get by with Win8.1 but Server is less "graphical"). The server just needs to be joined to your domain; it doesn't need to be a DC as well. Then just install the "AD Management Tools" role and you should be set.
>
> I do not recommend other Linux based LDAP management tools, eg: LAM (https://www.ldap-account-manager.org/lamcms/). Our staff are under strict instructions only to use LAM for Netgroup management. You can create users and groups in LAM that badly break things on the AD side, like not creating the correct password expiry attributes.
>
> -Luke
>
> ----- Original Message -----
> From: "A. James Lewis" <james at fsck.co.uk>
> To: samba at lists.samba.org
> Sent: Tuesday, 5 May, 2015 12:32:34 PM
> Subject: [Samba] Managing Samba Active directory.
>
> Hi,
>
> I've never been a Windows user, but I'm curious to see how the AD integration works in Linux, since it looks like we may need to have one or two Windows desktops and I don't really want to start setting up Windows infrastructure. If I can have Samba as a domain controller that makes things a lot simpler.
>
> I have one question though, the documentation suggests using the Microsoft tools to administer the domain... is there any equivalent on Linux for doing this? I'd hate to have to install a Windows machine simply to administer a Samba domain controller that was set up to avoid having to install Windows infrastructure.
>
> If Windows is required, what's the minimum installation/setup to correctly administer a Samba domain? I guess I could run something in Virtualbox to achieve this.

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."
On 05/05/15 18:34, A. James Lewis wrote:
> [...]

If you do not need GPOs, then you can do pretty much all you need to do from a terminal using samba-tool: create users and groups etc. What you cannot do at present is keep track of the next uid & gidNumber (will somebody who can write Python programs please extend samba-tool to do this? I can do it with bash and ldb-tools, so it shouldn't be that hard).

You could run a copy of Windows in a VM and use ADUC from there, but I get the feeling that you are like me and prefer to do most admin from a terminal; it is faster for one thing.

Rowland
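The "bash and ldb-tools" approach Rowland mentions for finding the next free uidNumber/gidNumber, written out as an added example (not code from the thread or from Samba itself). The sam.ldb path is Samba's usual default; the floor of 10000, the sample directory entries and the example.com domain are assumptions.

```shell
#!/bin/bash
# Added example: derive the next free uidNumber/gidNumber on a Samba AD DC
# from ldbsearch output. Floor value and sample data are constructed.
set -u

# next_id ATTR [FLOOR] : read ldbsearch (LDIF-style) output on stdin and print
# max(ATTR)+1, or FLOOR when no object carries ATTR yet.
next_id() {
    local attr="$1" base="${2:-10000}"
    awk -v attr="$attr" -v base="$base" '
        BEGIN { max = -1 }
        $1 == attr ":" { v = $2 + 0; if (v > max) max = v }
        END { n = (max >= base) ? max + 1 : base; print n }'
}

# id_in_use ATTR VALUE : succeed if some object on stdin already has ATTR=VALUE.
# Re-check right before creating the account: two admins running this at the
# same time would otherwise both be handed the same number.
id_in_use() {
    local attr="$1" value="$2"
    grep -q "^${attr}: ${value}\$"
}

# Live queries on the DC (run as root; not executed in this example):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber | next_id uidNumber
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' gidNumber | next_id gidNumber

# Constructed sample of ldbsearch output, so the functions can run offline.
SAMPLE_UIDS='# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10003

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10007

# returned 2 records
# 2 entries
# 0 referrals'

demo() {
    local uid
    uid=$(printf '%s\n' "$SAMPLE_UIDS" | next_id uidNumber)   # 10008
    if printf '%s\n' "$SAMPLE_UIDS" | id_in_use uidNumber "$uid"; then
        echo "uidNumber $uid already taken, re-run" >&2; return 1
    fi
    echo "next uidNumber: $uid"
}
demo
```

If the ADUC "UNIX Attributes" tab is also used, it keeps its own counter object in the directory, so a mixed setup has to keep that counter in step with whatever this script hands out.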
What is your infrastructure? What kind of clients do you have and how many? Possibly a Samba AD DC is "too much" for you. If you have many Linux clients you should take a look at FreeIPA, where you can also authenticate Windows clients - if only identity management is important.

Regards
Tim

On 5 May 2015 19:47:30 MESZ, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> [...]