Stefan Kania
2023-Oct-18 15:42 UTC
[Samba] Question about silos and Authentication policies
I just installed Samba 4.19.1 (Sernet-packages). Here is my smb.conf on
my DC
-----------------
# Global parameters
[global]
ad dc functional level = 2016
netbios name = ADDC-01
realm = EXAMPLE.NET
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = EXAMPLE
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/example.net/scripts
read only = No
-----------------
I provisioned my DC with:
-----------
samba-tool domain provision --option="ad dc functional level = 2016" \
    --function-level=2016 --domain=example --realm=example.net \
    --host-ip=192.168.56.201 --backend-store=mdb --dns-backend=BIND9_DLZ \
    --adminpass=Gansgehe1m
-----------
Then I did:
---------
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
---------
I joined a Windows 10 client. I can start ADUC, Sites and Services and
DNS Manager from RSAT. But if I try to start "Active Directory
Administrative Center" to manage auth policies and silos, I get the
message:
--------
It's not possible to get a connection to any domain
--------
So even though I switched to FL 2016, I still can't manage auth policies
and silos via Windows RSAT?
Or did I forget something?
Daniel Müller
2023-Oct-19 07:03 UTC
[Samba] Question about silos and Authentication policies
Hello,
You cannot use Active Directory Administrative Center because Samba has no ADWS
implemented.
There were efforts, but ADWS did not reach production status. I think
Catalyst / Andrew Bartlett tried something but did not finish it.
Yes, you need to use the old RSAT.
Greetings
Daniel
Daniel Müller
Head of IT (Leitung EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Stefan Kania
2023-Oct-20 17:57 UTC
[Samba] Question about silos and Authentication policies
Now I created a policy with:
---------
samba-tool domain auth policy create --enforce --name winclient-pol
---------
and a silo with:
---------
samba-tool domain auth silo create --enforce --name=winclient-silo
---------
Then I added the following objects to the silo:
---------
samba-tool domain auth silo member add --name=winclient-silo --member=padmin
samba-tool domain auth silo member add --name=winclient-silo --member=winclient\$
---------
Then I assigned the policy to the silo with:
-------------
samba-tool domain auth silo modify --name=winclient-silo --policy=winclient-pol
-------------
The next step would be to assign the silo to the user and the host, but I don't see any option in "samba-tool domain auth ..." to do this. The same goes for adding the host to the policy. On a Windows system I would do this with ADAC, but I can't use it with a Samba DC. Is there a way to do it with samba-tool, or any other tool?
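What ADAC does when you add a silo member is write two directory attributes: it lists the account in the silo's msDS-AuthNPolicySiloMembers and sets msDS-AssignedAuthNPolicySilo on the user or computer object to point back at the silo; an account only counts as a silo member when both links exist. A direct policy assignment is the account attribute msDS-AssignedAuthNPolicy. The script below is an added example, not code from this thread or from Samba: it generates the LDIF for those attributes so they can be applied with ldbmodify on the DC, and checks from ldbsearch-style output that the silo link is two-way. The container DNs for silos and policies under "CN=AuthN Policy Configuration,CN=Services,CN=Configuration", the sam.ldb path, the account DNs and the sample LDIF are assumptions for example.net and are not taken from the posts.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): link an account to
# an authentication silo or policy by writing the attributes ADAC sets, and
# verify the silo link is two-way.
#
# Assumed, not stated in the thread: standard AuthN Policy Configuration
# container, default sam.ldb location, and the DNs of the accounts.
BASE_DN="DC=example,DC=net"
AUTHN_CFG="CN=AuthN Policy Configuration,CN=Services,CN=Configuration,$BASE_DN"
SAM_LDB="/var/lib/samba/private/sam.ldb"   # assumed default; run on the DC as root

silo_dn_of()   { printf 'CN=%s,CN=AuthN Silos,%s\n' "$1" "$AUTHN_CFG"; }
policy_dn_of() { printf 'CN=%s,CN=AuthN Policies,%s\n' "$1" "$AUTHN_CFG"; }

# Silo side: list the account in the silo's msDS-AuthNPolicySiloMembers.
# LDAP rejects this with "attribute or value exists" if it is already listed.
silo_member_ldif() {   # $1 = account DN, $2 = silo name
    printf 'dn: %s\nchangetype: modify\nadd: msDS-AuthNPolicySiloMembers\nmsDS-AuthNPolicySiloMembers: %s\n' \
        "$(silo_dn_of "$2")" "$1"
}

# Account side: point the user or computer object back at the silo. Without
# this back-link the account is not treated as a silo member.
account_assign_ldif() {   # $1 = account DN, $2 = silo name
    printf 'dn: %s\nchangetype: modify\nreplace: msDS-AssignedAuthNPolicySilo\nmsDS-AssignedAuthNPolicySilo: %s\n' \
        "$1" "$(silo_dn_of "$2")"
}

# Direct policy assignment on an account (e.g. a host) outside any silo.
account_policy_ldif() {   # $1 = account DN, $2 = policy name
    printf 'dn: %s\nchangetype: modify\nreplace: msDS-AssignedAuthNPolicy\nmsDS-AssignedAuthNPolicy: %s\n' \
        "$1" "$(policy_dn_of "$2")"
}

# ldbsearch folds long values onto continuation lines that begin with one
# space; join them before matching.
unfold_ldif() { sed -e ':a' -e '$!N;s/\n //;ta' -e 'P;D'; }

# Return 0 only if the account LDIF and the silo LDIF reference each other.
silo_link_ok() {   # $1 = account object LDIF, $2 = silo object LDIF
    acct=$(printf '%s\n' "$1" | unfold_ldif)
    silo=$(printf '%s\n' "$2" | unfold_ldif)
    acct_dn=$(printf '%s\n' "$acct" | sed -n 's/^dn: //p' | head -n 1)
    silo_dn=$(printf '%s\n' "$silo" | sed -n 's/^dn: //p' | head -n 1)
    printf '%s\n' "$acct" | grep -qxF "msDS-AssignedAuthNPolicySilo: $silo_dn" || return 1
    printf '%s\n' "$silo" | grep -qxF "msDS-AuthNPolicySiloMembers: $acct_dn" || return 1
}

# Constructed sample output (what ldbsearch would print for the two objects);
# one value is folded the way ldb prints long lines.
SAMPLE_SILO="dn: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
objectClass: msDS-AuthNPolicySilo
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloMembers: CN=padmin,CN=Users,DC=example,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT,CN=Computers,DC=example,DC=net"

SAMPLE_ACCOUNT_LINKED="dn: CN=padmin,CN=Users,DC=example,DC=net
sAMAccountName: padmin
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configura
 tion,CN=Services,CN=Configuration,DC=example,DC=net"

# Same account listed in the silo but without the back-link: not a member yet.
SAMPLE_ACCOUNT_UNLINKED="dn: CN=padmin,CN=Users,DC=example,DC=net
sAMAccountName: padmin"

if [ "${1:-}" = "--apply" ]; then
    # ./silo-link.sh --apply "CN=padmin,CN=Users,DC=example,DC=net" winclient-silo
    # Afterwards check with:
    #   ldbsearch -H "$SAM_LDB" '(sAMAccountName=padmin)' msDS-AssignedAuthNPolicySilo
    account_assign_ldif "$2" "$3" | ldbmodify -H "$SAM_LDB"
else
    account_assign_ldif "CN=padmin,CN=Users,$BASE_DN" winclient-silo
    silo_link_ok "$SAMPLE_ACCOUNT_LINKED" "$SAMPLE_SILO" && echo "# sample link: ok"
fi
```

Run without arguments the script only prints the LDIF it would apply for the padmin account and checks the constructed sample; with --apply it pipes the account-side change into ldbmodify against the local sam.ldb, which has to be done on the DC itself as root. The silo_member_ldif record is only needed when the account is not already in the silo's member list, because an LDAP add of an existing value fails rather than being ignored.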