Stefan Kania
2023-Oct-19 09:48 UTC
[Samba] Question about silos and Authentication policies
Do you know which of the RSAT I need to use to manage auth-policies and silos? With samba-tool I can't assign users and hosts to the policies. I can only create, delete, list and view policies and silos.

On 19.10.23 at 09:03, Daniel Müller via samba wrote:
> Hello,
>
> You cannot use Active Directory Administrative Center because samba has no ADWS implemented.
> There were efforts, but ADWS did not reach production status. I think Catalyst, Andrew Bartlett tried something, did not finish it.
> Yes you need to use the old RSAT.
>
> Greetings
> Daniel
>
>
> IT Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
>
>
> -----Original Message-----
> From: Stefan Kania via samba [mailto:samba at lists.samba.org]
> Sent: Wednesday, 18 October 2023 17:43
> To: Samba List <samba at lists.samba.org>
> Subject: [Samba] Question about silos and Authentication policies
>
> I just installed Samba 4.19.1 (Sernet-packages). Here is my smb.conf on my DC
> -----------------
> # Global parameters
> [global]
>         ad dc functional level = 2016
>         netbios name = ADDC-01
>         realm = EXAMPLE.NET
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = EXAMPLE
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/example.net/scripts
>         read only = No
> -----------------
>
> I provisioned my DC with:
>
> -----------
> samba-tool domain provision --option="ad dc functional level = 2016" \
>     --function-level=2016 --domain=example --realm=example.net \
>     --host-ip=192.168.56.201 --backend-store=mdb --dns-backend=BIND9_DLZ --adminpass=Gansgehe1m
> -----------
>
> Then I did:
> ---------
> samba-tool domain schemaupgrade --schema=2019
> samba-tool domain functionalprep --function-level=2016
> samba-tool domain level raise --domain-level=2016 --forest-level=2016
> ---------
>
> I joined a Windows 10 client. I can start ADUC sites-and-services DNS-manager from RSAT. But if I try to start "Active Directory Administrative Center" to manage auth-policies and silos I am getting the
> message:
> --------
> It's not possible to get a connection to any domain
> --------
> So even if I had switched to FL 2016 I still can't manage auth-policies and silos via Windows RSAT?
>
> Or did I forget something?

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam and protects your privacy. You can get a free certificate at https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html

New GPG key; the public key is attached.
Stefan Kania
2023-Oct-19 13:09 UTC
[Samba] Question about silos and Authentication policies
I looked around a little bit, but as far as I can see, at the moment it's not possible to use auth-policies and silos with Samba-DCs only. So I need at least one Windows DC :-(

On 19.10.23 at 11:48, Stefan Kania via samba wrote:
> Do you know which of the RSAT I need to use to manage auth-policies and
> silos? With samba-tool I can't assign users and hosts to the policies. I
> can only create, delete, list and view policies and silos.
>
>
> On 19.10.23 at 09:03, Daniel Müller via samba wrote:
>> Hello,
>>
>> You cannot use Active Directory Administrative Center because samba has
>> no ADWS implemented.
>> There were efforts, but ADWS did not reach production status. I
>> think Catalyst, Andrew Bartlett tried something, did not finish it.
>> Yes you need to use the old RSAT.
>>
>> Greetings
>> Daniel
>>
>>
>> IT Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>>
>>
>> -----Original Message-----
>> From: Stefan Kania via samba [mailto:samba at lists.samba.org]
>> Sent: Wednesday, 18 October 2023 17:43
>> To: Samba List <samba at lists.samba.org>
>> Subject: [Samba] Question about silos and Authentication policies
>>
>> I just installed Samba 4.19.1 (Sernet-packages). Here is my smb.conf
>> on my DC
>> -----------------
>> # Global parameters
>> [global]
>>         ad dc functional level = 2016
>>         netbios name = ADDC-01
>>         realm = EXAMPLE.NET
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         workgroup = EXAMPLE
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.net/scripts
>>         read only = No
>> -----------------
>>
>> I provisioned my DC with:
>>
>> -----------
>> samba-tool domain provision --option="ad dc functional level = 2016" \
>>     --function-level=2016 --domain=example --realm=example.net \
>>     --host-ip=192.168.56.201 --backend-store=mdb --dns-backend=BIND9_DLZ \
>>     --adminpass=Gansgehe1m
>> -----------
>>
>> Then I did:
>> ---------
>> samba-tool domain schemaupgrade --schema=2019
>> samba-tool domain functionalprep --function-level=2016
>> samba-tool domain level raise --domain-level=2016 --forest-level=2016
>> ---------
>>
>> I joined a Windows 10 client. I can start ADUC sites-and-services
>> DNS-manager from RSAT. But if I try to start "Active Directory
>> Administrative Center" to manage auth-policies and silos I am getting the
>> message:
>> --------
>> It's not possible to get a connection to any domain
>> --------
>> So even if I had switched to FL 2016 I still can't manage auth-policies
>> and silos via Windows RSAT?
>>
>> Or did I forget something?