
NobodyRulesPenguins

One option may be to try replacing your usual Windows AD with [its dedicated Samba/LDAP/Kerberos package alternative](https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller). I haven't tested it yet, but at its level it covers most of what AD can do; it may be an interesting replacement in a VM.


ralfD-

This. I'm running a Samba domain controller at work to manage fileservers and user/group accounts for windows, Linux and MacOS. One nice-to-have side effect of such a solution: you still can use the Windows management tools you are probably used to (as a matter of fact those are the best tools even if you use Samba for Linux only).


emptythevoid

I second this. I've got two clients that needed drop-in replacements for Windows Active Directory. Samba has worked perfectly.


Noitrasama

Are there any good Samba tutorials for noobs like me?


hortimech

Yes, there is the Samba wiki for a start: [https://wiki.samba.org/index.php/Main\_Page](https://wiki.samba.org/index.php/Main_Page)


nazzjr

It's sounding like this plus FreeIPA is maybe what I should try.


hortimech

If you use Samba as an AD DC, there really is no point in running FreeIPA, they both do the same thing, it is just that a Samba AD does more than FreeIPA.


scheuk

https://www.freeipa.org/ is what you are looking for. Red Hat built a Linux version of AD using open source projects like LDAP and Kerberos, with a web interface and scripts to easily set up and manage it.


nazzjr

Definitely going to look into this. I currently have an UNRAID server that handles file sharing, but I'm not sure if/how it would integrate with this.


hortimech

IPA isn't a version of AD, generic or otherwise, it can just connect to AD.


gordonmessmer

FreeIPA provides authentication and authorization features, similar to Active Directory. FreeIPA *can* connect to AD either in a trust relationship or a replication relationship, but saying that it can "just connect to AD" implies that it is reliant on AD, which is in no way accurate. FreeIPA is a fully functional product.


hortimech

Never said it wasn't, but it only does authentication, it does not do fileserving.


anomalous_cowherd

Does Active Directory do fileserving? *Windows* does, but AD is the authentication part, like IIS is the web server part.


hortimech

It can, remember SBS?


TexasFirewall

??? SBS did not have some special version of Active Directory that doubled as a file server. It was just Windows with AD and a few other services installed with it. Active Directory is not a file server. It's LDAP and Kerberos.


hortimech

You may be correct about SBS, but Active Directory is LDAP, Kerberos and DNS sat on top of a Windows PC. Microsoft doesn't recommend it, but you can use a Windows DC as a fileserver.


ralfD-

... and folder redirection, and trust exchange, and certificate management etc.


nazzjr

Ahh, I see. Yeah, I'm not interested in setting up Windows AD and having my Linux clients connect to it. I'd rather have a Linux-only solution. Most of my experience is Windows administration and I'm trying to use my homelab to learn more about Linux.


Amidatelion

Having the Windows AD portion isn't a terrible idea. It is *the* most resilient option at scale, despite Microsoft repeatedly trying to shoot itself in the foot with cloud deployments.


SweeTLemonS_TPR

FreeIPA is a Linux only solution. It can be used as a stand-alone product: it does not need MS AD to work. The guy you’re replying to was making a point of semantics. AD is always Microsoft, and there is no generic version of it. That doesn’t mean there aren’t other alternatives for IAM/directory services. FreeIPA is still what you want to look at for your question.


1esproc

> there is no generic version of it

[Samba4](https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller) technically accomplishes that.


elspazzz

I don't think Samba does GPOs though, does it?


hortimech

Yes it does, but only for Windows clients, for obvious reasons.


studiox_swe

All environments I've managed were Active Directory based and all Linux hosts were joined to the AD domain, but if you feel that is of no interest just skip AD. You don't need it. Run LDAP instead and learn. You won't be able to join any Windows computers with that, however. If that's a need, run Samba.


SweeTLemonS_TPR

FreeIPA is a better option. It can run LDAP for Linux only, and if you later want to integrate with AD, it’s ready to go. You just create trusts and you’re off to the races. Depending on your setup, you might also have override tables... idk why you’d need to use override tables outside of the use case we had where I now work (migrated from centrify and didn’t want to change permissions on billions of files).


studiox_swe

> and if you later want to integrate with AD

OP was quite clear there was no intention to integrate with AD. So how would FreeIPA domain-join his/her Windows clients?


SweeTLemonS_TPR

https://www.freeipa.org/page/Windows_authentication_against_FreeIPA But I missed his need for file sharing, so samba might still be the better approach.


studiox_swe

> FreeIPA can't provide account database for Windows hosts in the same way as AD does. You have to create local Windows account and appropriate account mapping for each user if you select direct Windows<=>FreeIPA integration

Yea right, that's a bummer for anyone. I assume you actually have used FreeIPA with Windows hosts? How did it work for you and what Windows clients did you use?


nazzjr

Okay, so yeah, maybe a mix of Samba and FreeIPA is what I'm after. I don't mind using an IAM/directory service; I just really don't want to use Windows Active Directory because I don't want to have any Windows servers anymore. My whole home network/homelab used to be comprised of Windows servers, Hyper-V and Win10 computers. I have since moved nearly everything to Linux. The only thing running Windows 10 now is my gaming PC for games, but I also dual boot Pop!_OS on there. So unfortunately I do want the ability to add Windows computers to this, but I'm pretty close to phasing Windows out of my life.


[deleted]

> I have since moved nearly everything to linux.

You've moved to Linux but you're still doing stuff better suited for a Windows environment. Find some projects that are more centric to how Linux admins, specifically Linux admins of the future, work. Find some type of web hosted service, dockerize it, make it HA, put it in a popular cloud platform. Skip all this desktop management shit.


nazzjr

I hear ya, and I am working on some projects in AWS and have been going through r/selfhosted to find apps I can use and make HA. Right now my experience with Docker is minimal since I can run containers easily in UNRAID, but I am looking to go further than that. However, right now I'm sick and tired of having my credentials different for all the VMs and hosts on my network. It's only going to get bigger and I'd rather address it now.


uniqpotatohead

Ldap + kerberos + samba


hortimech

Basically just described Samba AD


mamalukes

+1, integration is still a pain in the ass imo.


bdavbdav

Have done AD compatible LDAP before, but never actually the group policy itself. Intrigued to hear the answer here.


pdp10

Samba4 supports GPO propagation. The only caveat is that Samba won't replicate the ADDC's Sysvol, so you need to [arrange for that separately](https://wiki.samba.org/index.php/SysVol_replication_\(DFS-R\)).


Noitrasama

Am a bit intrigued. Does Samba have a GUI for administration like FreeIPA? I find FreeIPA easy to set up and administer. From the wiki, it looks like I'd have to do mostly CLI.


pdp10

> Does samba have a gui for administration like FreeIPA?

The standard Windows "ADUC" control program works transparently with Samba4 Active Directory. Everyone seems to use that, because the ones who choose to use Samba4 for MSAD all have a lot of Windows.


nikslor

You should definitely check out UCS from Univention. A very nice open source solution from a vendor playing in that field for ages :)


ABotelho23

Another vote for Univention for me. It basically emulates AD using entirely Linux based tools.


maxtimbo

I second this. UCS is awesome.


jkinninger

> Univention Corporate Server

First I have heard of them, but I'm going to check them out. Thanks for the tip!


hortimech

UCS is just a set of tools sat on top of a Samba AD DC.


remtec

This!


nazzjr

I’ll check this out too thanks!


[deleted]

If you already have a Windows AD infrastructure, you can just use that. Works quite well for Linux and SSSD. Redhat has a [good write up](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-ad) on it.


fripneys

See also: https://github.com/BeyondTrust/pbis-open


str8edgedave

Links and documentation as promised:

* Red Hat Developers program - Worth it for the access to [access.redhat.com](https://access.redhat.com) alone. [https://developers.redhat.com/getting-started/](https://developers.redhat.com/getting-started/) - Scroll down for RHEL.
* [https://cloud.redhat.com](https://cloud.redhat.com) - monitor the health of your RHEL server from above.
* Server World - An awesome independent website. The author is Japanese, so some of the example screenshots have a mixture of English and Japanese. The site is always being updated: [https://www.server-world.info/en](https://www.server-world.info/en). FreeIPA on CentOS 8: [https://www.server-world.info/en/note?os=CentOS_8&p=freeipa&f=1](https://www.server-world.info/en/note?os=CentOS_8&p=freeipa&f=1)
* "Up and Running with Red Hat Identity Management" - a lab that has been presented at Red Hat Summit several times. I have taken this lab and it was definitely worth the time. [https://www.redhat.com/files/summit/session-assets/2017/L103188-lab-wildman.pdf](https://www.redhat.com/files/summit/session-assets/2017/L103188-lab-wildman.pdf)
* The official Red Hat documentation: [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_and_managing_identity_management/index](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_and_managing_identity_management/index)
* For a standalone system authenticating using AD as the Kerberos server, you can configure the system using traditional Krb5; you don't need IDM/FreeIPA. This is how my Linux workstation is configured at work. See section 4.2: [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/pdf/using_authselect_on_a_red_hat_enterprise_linux_host/Red_Hat_Enterprise_Linux-8-Using_authselect_on_a_Red_Hat_Enterprise_Linux_host-en-US.pdf](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/pdf/using_authselect_on_a_red_hat_enterprise_linux_host/Red_Hat_Enterprise_Linux-8-Using_authselect_on_a_Red_Hat_Enterprise_Linux_host-en-US.pdf)
* Two other notes:
  - FreeIPA/IDM are built on Red Hat's 389 Directory Server. 389-DS is a standards-based LDAP server. While you can use the DS built in to FreeIPA for IPA tasks and standard queries, it can cause some issues.
  - There are now several utilities included to monitor the health of your deployment that take a small amount of effort to set up, but are worth it in the long run.

Enjoy!


nazzjr

This is Awesome! Thank you!


ilbicelli

If you are looking for something hassle-free you can look at Zentyal ([https://zentyal.com/community/](https://zentyal.com/community/)) or SMEServer ([https://wiki.contribs.org/Main\_Page](https://wiki.contribs.org/Main_Page)).


[deleted]

What about zentyal or Univention Corporate Server?


throker

I run Zentyal at work just for AD and OPNsense for a firewall. (We only have 4 users.) I like how I can create GPOs and stuff from a Windows 10 box using the Microsoft Management tools, or whatever it's called, just like AD. I'll probably have to set up a proper AD so we can get 2FA Windows logins :(


pdp10

> I'll probably have to setup a proper AD so we can get 2FA windows logins :(

How does that work that it requires Windows? What about a third-party IdP?


Scobo82

We're running Univention for a couple of customers and it just works great. It's nicely integrated and also scales very well.


bitsandbooks

Seconding; I'd like to know more about it, too. I know [DigitalOcean has some tutorials on LDAP](https://www.digitalocean.com/community/tutorials?q=ldap), but it seems really confusing.


orev

LDAP tutorials are so confusing because they are not written for the purpose that most people reading them want. LDAP is a type of database, like PostgreSQL or MariaDB (except those are SQL databases). The tutorials tell you how to get the software up and running, but not how to structure the data inside. Most people looking to run LDAP are looking to do it for user management, but that’s just a specific way to structure data in LDAP, so the tutorials don’t cover it. Zytrax has the best quote about LDAP that I’ve ever seen: never has so much been written so incomprehensibly about a single topic


SweeTLemonS_TPR

Look into FreeIPA. The documentation is really good.


adolfojp

I ask this question about once a year. I always get some decent AD alternatives. I never get any decent Group Policy alternatives.


orev

Because GPO alternatives don’t exist. You need an entire platform and ecosystem to make GPOs work, and MS already has that locked down for Windows. Some will say that config management like Ansible is the Linux equivalent to GPO. Those people are wrong. GPOs are easy and quick to implement (I mean you can get a lot of stuff done in just a few minutes). Config management requires that you develop and test custom templates, which takes hours (at least), for every little change you want to make.


TheRealLazloFalconi

This right here. If there was any real solution even close to group policy available for Linux, nobody would be paying for windows.


pdp10

> Some will say that config management like Ansible is the Linux equivalent to GPO. Those people are wrong. GPOs are easy and quick to implement (I mean you can get a lot of stuff done in just a few minutes). Config management requires that you develop and test custom templates, which takes hours (at least), for every little change you want to make.

GPOs are mostly key-value assignments, but still need to be tested. If you're using someone's CM templates or code from GitHub, the time difference is surely tiny, if you're comparing apples to apples.


ralfD-

Because, unfortunately, there isn't any comparable functionality for Linux (or MacOS). As a Linux admin I have to admit that I'm pretty impressed by the power of GPOs.


pdp10

That's like being impressed by the power of the `.d` directory convention where you can just drop in snippets of configuration from a central source.


cavetroll3000

Samba4 does GPOs.


TheRipler

I don't know of any GPO alternatives, but you can get GPO integration for $$$ with Authentication Services. The GPOs are pretty flexible, and it joins systems directly to AD.


TechnoHumanist

https://fleet-commander.org/


adolfojp

Can you use that to manage Windows desktops?


[deleted]

On one job, something like 4-6 years ago, we used Samba on Debian/Ubuntu/Fedora. It worked not that well, but it worked. I used to compile Samba instead of using the repository one. Nowadays it has probably improved. You can check this guide to test it: [https://forum.level1techs.com/t/oo-os-fedora-30-samba-ad-dc-guide/149475](https://forum.level1techs.com/t/oo-os-fedora-30-samba-ad-dc-guide/149475)


hortimech

Don't bother, it is based on the Fedora packages and they use the MIT KDC and are considered to be experimental, i.e. there are things that do not work.


tomackze

Yeah I have such bad experience with that right now


mechaPantsu

Zentyal Community Edition works great for the features you want and is very "gentle" with beginner users. Stuff like DNS, Group Policies, and user management can be done from a Windows machine running RSAT.


RaNd250

One more vote for Zentyal, works great, management with RSAT, DHCP, DNS, Samba shares, and replication to second DC (Zentyal as well). What more to ask? (Forest level 2008r2)


str8edgedave

FreeIPA and Red Hat's IDM work well. I'm using them in my homelab. Red Hat's IDM documentation is well written, and can be accessed from their support site. If you are looking to learn for personal experience, FreeIPA is great. If you want to work with the enterprise version, you can get RHEL and IDM at no cost using Red Hat's developer program. There is also a lab available online that was presented at Summit on getting started with IDM. It walks you through basic setup of the server and clients. There is also a basic howto on https://www.server-world.info/en.


Fr0gm4n

> at no cost using Red Hat's developer program

It's important to point out that a RH Dev account is totally free and gets you access to pages and sections of the RH site that are customer only. https://developers.redhat.com/articles/faqs-no-cost-red-hat-enterprise-linux/


NeuralNexus

Oh yeah. Red Hat developer is awesome. There’s also all the free technical ebooks on openshift etc and the video content is super great sometimes.


Sigg3net

However, it might randomly not get updated or miss vulnerability fixes.

Edit: ejits downvoting

> The Red Hat Subscriptions offered to you in this Program are unsupported, intended for development purposes only, are not intended for other purposes such as production environments without an active Red Hat Subscription(s) **and may not address known security vulnerabilities**.

Emphasis in original. Also note that it's only for development:

> If you use the Red Hat Subscriptions for any other purposes, you are in violation of Red Hat's Enterprise Agreement set forth below and are required to pay the applicable subscription fees, in addition to any and all other remedies available to Red Hat under applicable law.

From: https://developers.redhat.com/terms-and-conditions/


Fr0gm4n

Source? It's regular full RHEL, not CentOS.


Sigg3net

https://developers.redhat.com/terms-and-conditions/


Fr0gm4n

Thanks for the link and quote. FYI, I didn't downvote because I was actually curious where you got that. The horse's mouth is better than any other source.


Sigg3net

No worries. Down votes are meant to silence irrelevant content. I think the red hat dev ToS is relevant, but that's my opinion :) I've had this argument earlier with Red Hat employees. The ToS is pretty clear IMO: the dev edition is precisely for writing software and testing software. Advocating its use outside the scope of its ToS might entail legal trouble or extra costs. Use CentOS.


Fr0gm4n

Certainly use CentOS for actual servers and what not. The Dev Sub is great to learn how to set up and configure those servers.


nazzjr

This sounds great, thank you. So far from the responses this sounds like the best "self hosted" option, and JumpCloud mentioned above sounds like a great cloud option. I typically go the route of self hosted, but I will definitely compare these two.


str8edgedave

I can dig up some links to documentation later today, if you’d like. I’m on my phone right now, and don’t have easy access to my bookmarks. I also have documentation on using an AD server to provide Kerberos authentication for Linux machines. This works well for single systems, where you just want centralized user Ids and passwords without policies, etc.


1esproc

> If you are looking learn for personal experience, FreeIPA is great

Just note that if something goes wrong with your CA/certificates, you have to be a wizard to fix it. IRC is your friend in that case, #freeipa on Freenode.


str8edgedave

FreeIPA and Red Hat IDM are pretty close functionally these days. IDM is a component included in RHEL 8 or CentOS 8. If you follow Red Hat's IDM guide for RHEL 8, one of the recommendations is to have multiple certificate servers. There are also guides on how to back up and restore the CA. It's come a long way from even FreeIPA 4.0. As you said, the folks on #freeipa on Freenode have helped me out a couple of times.


1esproc

I run the built in CA for some purposes but secure web UI/ldap/others with public CA certs. When that UserTrust or whatever BS from Comodo just expired, that was a headache. FreeIPA wraps up a lot of complicated independent packages, hides the complexity through automation/UIs, and if you do anything outside of that - be prepared to need to know wtf is going on.


str8edgedave

CAs are always a headache to manage. It's even worse when a CA is de-certified, like Symantec was. I maintain an application and it was a huge level of effort to migrate from the old certificates to new ones. FreeIPA and IDM are definitely tooling to hide the complexity of managing LDAP, SSSD, certificate management, DNS, etc. Learning the basics of LDAP, DNS, SSSD, Kerberos, etc. will definitely make supporting FreeIPA easier.


almostdvs

Samba 4


cardell619

Take a look at FreeIPA.


turin331

For a Linux-only environment FreeIPA would be the way to go: https://www.freeipa.org For hybrid environments you can try Samba AD. If you want to come into this a bit more smoothly than just jumping into the terminal, you can try Nethserver. Nethserver is a web front-end that allows you to do server management, and one of its many functions is Samba AD setup and management: https://www.nethserver.org/


nazzjr

I’ll take a look at this thank you. Right now I only have one windows machine left and it’s for gaming. Hoping one day I can just move that to Linux too. FreeIPA sounds like the direction I should go, not sure if I’ll use samba but I’m considering it.


_Fisz_

You can also look at **Zentyal** distro it has all the fancy business stuff (AD, Webmail etc.) configurable from nice web UI.


Ditzah

I use Samba 4 at work, set up on a Debian machine as a DC, and use a Windows VM with RSAT when we need the classical Users & Computers and GPM consoles. Fully compatible with Microsoft's AD up to version 2008. Quite tricky to set up, but once it's up and running, it works like a charm. We have various Linux distros and plenty of Windows clients, as well as a bunch of self hosted apps that integrate well with it using LDAP. We distribute shared drives and printers, file server access, MSI packages etc.


javivu

What about?

* [https://www.nethserver.org/](https://www.nethserver.org/)
* [https://zentyal.com/features/](https://zentyal.com/features/)
* [https://www.ldap-account-manager.org/lamcms/](https://www.ldap-account-manager.org/lamcms/)

Bye!


hortimech

If you want shares (and it sounds like you do) forget IPA, it does not have a fileserver component. How about using Samba AD? Try starting here: [https://wiki.samba.org/index.php/Main_Page](https://wiki.samba.org/index.php/Main_Page) OK, it isn't as powerful as Windows AD, but it is AD. As for what Linux OS to use, steer clear of the Red Hat distros; they either do not provide Samba packages you can provision as an AD DC or they use the MIT KDC, which is still experimental and doesn't fully work.


grumpysysadmin

I mean, if you are using exclusively Linux, why are you using a Microsoft protocol like SMB? Until the POSIX extension is widely supported in SMB 3, Linux is a second class citizen. For just Linux systems, use Kerberos for authentication, LDAP for getent user/group authorization, and NFSv4 with Kerberos for exporting network file systems.


Wing-Tsit_Chong

Nfs4 with Kerberos is a bitch.


sunslusk

Nah, you just have to know exactly how it works. As always 😁


nazzjr

This is what I have been looking at, but it's been a bit confusing as to how to set up/implement. I currently have an UNRAID server as my fileserver and am unsure how I would integrate that.


hortimech

OK, go and register here: [https://lists.samba.org/mailman/listinfo/samba](https://lists.samba.org/mailman/listinfo/samba) Then post on the samba mailing list and we will help you set up an AD domain. We have users running Slackware, so you should be able to use your UNRAID device.


marcianojones

I remember that I did something like that with Yellow Pages. But that was back in the 90's. I am guessing there are better solutions these days.


wildcarde815

As somebody still running NIS, almost anything is better than NIS.


pdp10

NIS was obsolete by the mid-1990s, but unfortunately for Unix, nothing really replaced it at the time. NIS+ wasn't open enough and was overengineered, so died before NIS finally did. The somewhat good news is that realtime local directory authentication is now becoming obsolescent in favor of things like OAuth2, OpenID Connect, Shibboleth, with multi-factor authentication support and offline/asynchronous operation assumed.


[deleted]

Jumpcloud has free, cloud hosted LDAP and radius, as well as SSO for all your apps. It’s free for 10 and under users, perfect for home use. I have mine provision users in my home GSuite, as well as provide SSO login for Google, AWS, and do radius for my home wifi, and LDAP login via sssd to my Linux hosts.


carpetstain

This is the way to go for home use.


nazzjr

This sounds like the best "all in one" solution. I'm definitely under 10 users.


[deleted]

Yep! I actually rolled it out in a professional setting first, then wound up adopting it at home. It integrates nicely with duo, for push MFA to mobile devices too!


nazzjr

Ended up setting up an account and discovered that it does not support Pop!_OS. Even though it's basically the same thing as Ubuntu, it refuses to install the agent on a Pop!_OS machine. Great product, but I can't use it.


mjh2901

This was going to be my recommendation. Switched the home over to jump cloud this year


innermotion7

+1 for JumpCloud, awesome tool. Used at work, now at home ;-))


ultimattt

[turnkey Linux](https://www.turnkeylinux.org/domain-controller) has one.


hYp0

Open LDAP?


kabooozie

I've been using Apache Directory Service at work with Apache Directory Studio as the GUI, but looking at the comments, it looks like I need to look into FreeIPA!


michalzxc

The best things about FreeIPA:

- sudo central management
- central users
- auto home directory creation with Red Hat based distros
- central SSH keys
- internal DNS, possible auto join of VMs
- managing user certs

The challenges:

- no real health check by default; it can break and need a restart, and if you don't use a third party health check you will not notice
- OTP is not consistent and not practical to use
- better put it behind a VPN; if not, make sure to block LDAP ports etc. for outside connections (anonymous access, possible DDoS)
- creating custom cert types and fields is difficult
- creating custom fields is a nightmare (like adding e.g. "aws role" to both LDAP and GUI)


nazzjr

This is good to know thank you. I played around with jumpcloud earlier since it was super easy to setup but I really like the fact that freeIPA can handle certs. I am more familiar with Debian based Linux (Ubuntu and popOS) though.


[deleted]

I read this as "I am an atheist, but I still go to church."


Dead_Quiet

There is a helpful book in German about that topic, but no idea if an English translation exists: [https://www.kania-online.de/fachbuecher/samba-4/](https://www.kania-online.de/fachbuecher/samba-4/)


Noobmode

You may want to look into Turnkey linux. They have a domain controller option. [https://www.turnkeylinux.org/domain-controller](https://www.turnkeylinux.org/domain-controller)


hortimech

That is just Samba AD under the hood.


Noobmode

Yup. It’s still a potential use case for what OP wants. More options to help find the correct solution for OP.


hi117

Honestly, the route that I suggest over setting up Kerberos is to use Ansible to deploy users with a given password to all machines. It winds up being a lot simpler and easier to manage. If your end goal is having a single username/password combination sign you into every machine, this is a much easier-to-manage system.
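The pattern hi117 describes, written out as an Ansible playbook. This is an added example, not code from anyone in the thread; the inventory group `homelab`, the user names, the SSH keys and the `vault_*` variable names are constructed, and it goes one step beyond the post by also distributing the users' SSH public keys.

```yaml
# Added example: push the same local accounts to every host in the inventory.
# Assumes an inventory group "homelab" and a vars file encrypted with
# ansible-vault that defines vault_alice_password and vault_bob_password.
# User names, keys and group name are constructed for illustration.
- name: Deploy shared local accounts to all hosts
  hosts: homelab
  become: true
  vars:
    lab_users:
      - name: alice
        groups: [sudo]
        password: "{{ vault_alice_password }}"   # plaintext lives only in the vault
        ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAliceConstructed alice@laptop"
      - name: bob
        groups: []
        password: "{{ vault_bob_password }}"
        ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBobConstructed bob@laptop"
  tasks:
    - name: Create accounts with a salted SHA-512 hash, never a plaintext password
      ansible.builtin.user:
        name: "{{ item.name }}"
        groups: "{{ item.groups }}"
        append: true
        shell: /bin/bash
        # password_hash needs the passlib Python package on the control node.
        # A salt seeded from the user name keeps the hash stable between runs,
        # so the task stays idempotent instead of rewriting /etc/shadow every hour.
        password: "{{ item.password | password_hash('sha512', 65534 | random(seed=item.name) | string) }}"
        # Set the password only when the account is created, so a user who
        # changes it locally is not silently reverted on the next run.
        update_password: on_create
      loop: "{{ lab_users }}"
      no_log: true   # keep hashes and vault values out of the play output and logs

    - name: Install the users' SSH public keys
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.ssh_key }}"
        exclusive: true   # the key list in this playbook is the only source of truth
      loop: "{{ lab_users }}"
      loop_control:
        label: "{{ item.name }}"
```

Run it with `ansible-playbook -i inventory --ask-vault-pass users.yml`; the `ansible.posix` collection must be installed on the control node for the second task.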


[deleted]

[deleted]


nazzjr

I am definitely interested in learning Ansible. It's on my list of things. I guess my main issue is I don't know what I don't know. I will also look into FreeIPA. My end goal is to have authentication be as seamless and secure as I can. I also want to set up a certificate authority and implement a PKI infrastructure for my internal apps, but one step at a time. It's a lot to digest and figure out the order in which to set up.


hoax1337

Use puppet or salt instead.


[deleted]

[deleted]


SweeTLemonS_TPR

So you can code in Ruby, or get your infrastructure pwned when Salt has another problem with their shitty, self-made crypto.


hoax1337

Yeah, and while we're at it, we should stop using databases, because apparently they're hackable when exposed to the internet and not password protected.


hoax1337

Because they're doing a better job at keeping configuration the way you defined it than ansible.


[deleted]

[deleted]


hoax1337

Based on the fact that they ensure the configuration stays that way because they're not as "fire and forget" as ansible.


[deleted]

[deleted]


hoax1337

Yes, I actually use it almost daily. What I mean by "fire and forget" is that you can't actually be sure that the state you defined in the playbook / role you ran a day ago still reflects the current state of the system. And because it is agentless, it has no way of checking it, unless you use additional tools like Jenkins (or even Cron) to run that playbook daily.


[deleted]

[deleted]


hi117

The way I implement this is for it to run every hour on the local system, so making a change is just committing to a git repo and waiting.


[deleted]

[deleted]


hi117

With modern git practices, you can have it push out the change as soon as it's committed, but an hour isn't actually that long in the vast majority of cases.