contactdarin at posteo.net
2024-Jun-11 21:00 UTC
[Samba] Group Policy alternative (Looking for feedback on a project)
Hello all,

So I am working on a group policy-like system based around Ansible. Essentially, I am going to use Ansible playbooks as a cross-platform alternative to the Windows registry and Group Policy Objects (GPOs). In Samba, the way the group policy is applied is that it reads the set registry values and then tries to translate that into Linux language. This is inefficient and limiting as from my understanding it effectively requires a hand-built translator. I figured using Ansible for this might be smart as Ansible playbooks are just configs that get translated into commands, which makes them portable and flexible. Additionally, Ansible has a large community backing it with lots of plugins, so doing administration with Ansible should be easier. With this approach, you could even have a domain-joined machine run playbooks on other machines. I envision this to be a more decentralized approach to administration that takes advantage of the nature of Active Directory.

For the design, the Ansible playbooks will be stored in the sysvol folder. On each host, Ansible will be set up by a daemon and then it will run the playbooks against the local host based on the objects in Lightweight Directory Access Protocol (LDAP). It will read LDAP and execute the proper playbooks. I am not sure if I can reuse some parts of group policy for this but I am hoping not to reinvent the wheel. I know that the Windows Remote Server Administration Tools (RSAT) are unlikely to work for this kind of thing so I probably will need to build a management tool.

When I was working on coming up with a design for this I noticed that there is an apparent lack of free and open-source cross-platform tools for Active Directory. It seems like Microsoft RSAT is the only tool suite that can easily manage AD systems. You could argue that Apache Directory is an alternative, but in my experience, software coming from Apache isn't always the most reliable or up to date. I also could use Samba-tool, but as far as I can tell, Samba tool is fairly limited and only works on Samba domain controllers. I actually started initial work on a GUI tool for managing users in AD but quickly figured out that I am very bad at GUI programming. If someone is working on a cross-platform GUI for AD, please let me know.

To sum it up, I am aiming to build an Active Directory toolset that can administer Linux machines from Active Directory. I am looking for feedback on this design as I am fairly new at this.

Thank you for your time,

Darin
Anders Östling
2024-Jun-12 04:43 UTC
[Samba] Group Policy alternative (Looking for feedback on a project)
Love this! I can't help with other than testing once you have something up and running. Good luck with your project.

"A *wise* man once told me - Any idiot can do backups, but it takes a genius to successfully restore"

Anders Östling
+46 768 716 165 (Mobile)
Caglar Ulkuderner
2024-Jun-12 16:48 UTC
[Samba] Group Policy alternative (Looking for feedback on a project)
Check sambabox.io
Kees van Vloten
2024-Jun-12 17:18 UTC
[Samba] Group Policy alternative (Looking for feedback on a project)
On 11-06-2024 23:00, Darin via samba wrote:
> Hello all,
>
> So I am working on a group policy-like system based around Ansible. Essentially, I am going to use Ansible playbooks as a cross-platform alternative to the Windows registry and Group Policy Objects (GPOs). In Samba, the way the group policy is applied is that it reads the set registry values and then tries to translate that into Linux language. This is inefficient and limiting as from my understanding it effectively requires a hand-built translator. I figured using Ansible for this might be smart as Ansible playbooks are just configs that get translated into commands, which makes them portable and flexible. Additionally, Ansible has a large community backing it with lots of plugins, so doing administration with Ansible should be easier. With this approach, you could even have a domain-joined machine run playbooks on other machines. I envision this to be a more decentralized approach to administration that takes advantage of the nature of Active Directory.
>
> For the design, the Ansible playbooks will be stored in the sysvol folder. On each host, Ansible will be set up by a daemon and then it will run the playbooks against the local host based on the objects in Lightweight Directory Access Protocol (LDAP). It will read LDAP and execute the proper playbooks. I am not sure if I can reuse some parts of group policy for this but I am hoping not to reinvent the wheel. I know that the Windows Remote Server Administration Tools (RSAT) are unlikely to work for this kind of thing so I probably will need to build a management tool.
>
> When I was working on coming up with a design for this I noticed that there is an apparent lack of free and open-source cross-platform tools for Active Directory. It seems like Microsoft RSAT is the only tool suite that can easily manage AD systems. You could argue that Apache Directory is an alternative, but in my experience, software coming from Apache isn't always the most reliable or up to date. I also could use Samba-tool, but as far as I can tell, Samba tool is fairly limited and only works on Samba domain controllers. I actually started initial work on a GUI tool for managing users in AD but quickly figured out that I am very bad at GUI programming. If someone is working on a cross-platform GUI for AD, please let me know.

LAM is a web-based tool for many AD/LDAP related tasks. If you are looking for a desktop management client, you can find admc on GitHub.

> To sum it up, I am aiming to build an Active Directory toolset that can administer Linux machines from Active Directory. I am looking for feedback on this design as I am fairly new at this.
>
> Thank you for your time,
>
> Darin
Kees van Vloten
2024-Jun-12 17:34 UTC
[Samba] Group Policy alternative (Looking for feedback on a project)
On 11-06-2024 23:00, Darin via samba wrote:
> Hello all,
>
> So I am working on a group policy-like system based around Ansible. Essentially, I am going to use Ansible playbooks as a cross-platform alternative to the Windows registry and Group Policy Objects (GPOs). In Samba, the way the group policy is applied is that it reads the set registry values and then tries to translate that into Linux language. This is inefficient and limiting as from my understanding it effectively requires a hand-built translator.

David Mulder is doing a lot of work in this direction, you could consult and/or him to improve GPO support on Linux instead of starting a new MS-AD incompatible piece of work (which will also require a lot of work). It is already possible in Samba to generate GPOs from a JSON file containing the registry settings, if it were for Windows. With that you do not need any GUI to create GPOs. Another advantage is that you have them as source code instead of some binary regpol file, so you can version it for example in git.

- Kees.

> I figured using Ansible for this might be smart as Ansible playbooks are just configs that get translated into commands, which makes them portable and flexible. Additionally, Ansible has a large community backing it with lots of plugins, so doing administration with Ansible should be easier. With this approach, you could even have a domain-joined machine run playbooks on other machines. I envision this to be a more decentralized approach to administration that takes advantage of the nature of Active Directory.
>
> For the design, the Ansible playbooks will be stored in the sysvol folder. On each host, Ansible will be set up by a daemon and then it will run the playbooks against the local host based on the objects in Lightweight Directory Access Protocol (LDAP). It will read LDAP and execute the proper playbooks. I am not sure if I can reuse some parts of group policy for this but I am hoping not to reinvent the wheel. I know that the Windows Remote Server Administration Tools (RSAT) are unlikely to work for this kind of thing so I probably will need to build a management tool.
>
> When I was working on coming up with a design for this I noticed that there is an apparent lack of free and open-source cross-platform tools for Active Directory. It seems like Microsoft RSAT is the only tool suite that can easily manage AD systems. You could argue that Apache Directory is an alternative, but in my experience, software coming from Apache isn't always the most reliable or up to date. I also could use Samba-tool, but as far as I can tell, Samba tool is fairly limited and only works on Samba domain controllers. I actually started initial work on a GUI tool for managing users in AD but quickly figured out that I am very bad at GUI programming. If someone is working on a cross-platform GUI for AD, please let me know.
>
> To sum it up, I am aiming to build an Active Directory toolset that can administer Linux machines from Active Directory. I am looking for feedback on this design as I am fairly new at this.
>
> Thank you for your time,
>
> Darin
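The point in the reply above about keeping GPO registry settings as a JSON source file in git lends itself to a check that runs before such a file is committed or loaded. The following is an added example, not code from this thread or from Samba; the entry layout (`keyname`, `valuename`, `class`, `type`, `data`), the accepted class and type names, and the sample values are assumptions.

```python
import json

# Assumed entry layout (not taken from the thread): one object per registry value.
REQUIRED = ("keyname", "valuename", "class", "type", "data")
CLASSES = {"USER", "MACHINE"}

def _uint(v, top):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool) and 0 <= v <= top

# Data checks per registry type; only the types this example knows about.
TYPE_CHECKS = {
    "REG_SZ": lambda v: isinstance(v, str),
    "REG_EXPAND_SZ": lambda v: isinstance(v, str),
    "REG_DWORD": lambda v: _uint(v, 0xFFFFFFFF),
    "REG_BINARY": lambda v: isinstance(v, list) and all(_uint(b, 255) for b in v),
}

def lint_policy(text):
    """Return a list of problems found in a policy file; empty means clean."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(entries, list):
        return ["top level must be a list of entries"]
    problems, seen = [], set()
    for i, e in enumerate(entries):
        missing = [k for k in REQUIRED if k not in e] if isinstance(e, dict) else list(REQUIRED)
        if missing:
            problems.append(f"entry {i}: missing {', '.join(missing)}")
            continue
        cls, typ = str(e["class"]), str(e["type"])
        if cls not in CLASSES:
            problems.append(f"entry {i}: class must be USER or MACHINE")
        check = TYPE_CHECKS.get(typ)
        if check is None:
            problems.append(f"entry {i}: unsupported type {typ!r}")
        elif not check(e["data"]):
            problems.append(f"entry {i}: data does not match {typ}")
        # Registry key and value names are case-insensitive, so compare folded.
        ident = (cls, str(e["keyname"]).lower(), str(e["valuename"]).lower())
        if ident in seen:
            problems.append(f"entry {i}: duplicate of an earlier setting")
        seen.add(ident)
    return problems

# Constructed sample: entry 1 redefines entry 0 with a string, entry 2 has a bad class.
SAMPLE = r'''[
 {"keyname": "Software\\Policies\\Example", "valuename": "LockTimeout", "class": "MACHINE", "type": "REG_DWORD", "data": 300},
 {"keyname": "software\\policies\\example", "valuename": "locktimeout", "class": "MACHINE", "type": "REG_DWORD", "data": "600"},
 {"keyname": "Software\\Policies\\Example", "valuename": "Banner", "class": "COMPUTER", "type": "REG_SZ", "data": "hi"}]'''
```

Run as a pre-commit or CI step, a non-empty result from `lint_policy` blocks the change before the file reaches sysvol.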
Marco Gaiarin
2024-Jun-21 07:17 UTC
[Samba] Group Policy alternative (Looking for feedback on a project)
Hello! Darin via samba
On that day it was said...

> So I am working on a group policy-like system based around Ansible.
> Essentially, I am going to use Ansible playbooks as a cross-platform
> alternative to the Windows registry and Group Policy Objects (GPOs). In

Apart from LAM (LDAP Account Manager), I make a note for WPKG (http://wpkg.org); not strictly related to AD, but it is a powerful (and FLOSS) installation and configuration management system.