Accounts provider - Service Pack 1

I was talking with @giacomo and @filippo_carletti about the Accounts provider page and all around. We would like to improve it, by adding (or exposing) some useful features and make the resulting server configuration more flexible.

Please, join this discussion and provide your thoughts!

Set a custom Realm name in local DC configuration

Today the Realm has the same value as the domain suffix of the machine FQDN. Let’s say the FQDN is seven.nethserver.org, the domain suffix is nethserver.org and the AD Realm is forced to be the same.

If the Realm becomes a separate parameter, a new AD forest could be provisioned with an invented nethserver.local realm or a separate third level domain, like ad.nethserver.org. This would help to solve many DNS configuration issues!

Moreover, the same parameter helps with existing AD environments and mail server configuration. It would be easy to configure predefined mailboxes like user@nethserver.org, and limit AD to its specific DNS zone.

Those who come from ns6 already know this kind of configuration!

Install/Uninstall a local accounts provider

During the development of the upgrade procedure for ns6 we implemented some uninstall procedures! We can now generalize them and expose them on the UI too.

An import_users script from CSV already exists in the nethserver-sssd package. We could dump the users and groups lists to a CSV file when the accounts provider is uninstalled, so that they can be re-imported to a different one. Passwords cannot be migrated between LDAP and AD because they are encrypted with one-way algorithms.

Moreover, we would like to install a local account provider directly from the Accounts provider page. Going to Software center should not be a pre-requisite to install a local accounts provider!

Add NethServer DC to an existing AD forest

We must verify the new Samba release (4.6) compatibility. Some successful cases have already been reported with 4.4 and we are positive!

Change the IP of the nsdc Linux Container

A manual procedure is already documented. We can expose it on the UI!

Other improvements to Server Manager

  • Add GSSAPI authentication method to Server Manager LDAP client, to retrieve Users and Groups lists without requiring an additional account with remote AD accounts provider
  • Raise the maximum number of entries retrieved by the Server Manager LDAP client to a configurable parameter (like RSAT tools do)
  • Upgrade the Samba DC to 4.6. Make available updates visible from Server Manager (shown as a “todo”?).

References

There are many support requests that revolve around the current Active Directory configuration. This is a brief list:

11 Likes
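The CSV dump and re-import idea from the opening post, as an added example that is not NethServer’s own import_users script: users and group memberships are written to CSV when a provider is removed and parsed back for a different provider. There is deliberately no password column (one-way hashes cannot be converted, so passwords must be reset after import), names are validated on both sides so a hand-edited file cannot smuggle odd characters into the new provider, and group rows are cross-checked against the user list. The sample accounts, the name policy and the field names are assumptions constructed for the example.

```python
"""Export/import of users and groups as CSV for an accounts-provider switch.
Added example, not NethServer code. Passwords are intentionally absent."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample data: what a dump from a local provider might contain.
SAMPLE_USERS = [
    {"name": "alice", "displayname": "Alice Rossi", "email": "alice@nethserver.org"},
    {"name": "bob", "displayname": "Bob Bianchi", "email": "bob@nethserver.org"},
]
SAMPLE_GROUPS = [
    {"name": "staff", "members": ["alice", "bob"]},
    {"name": "admins", "members": ["alice"]},
]

# Assumed account-name policy (not a NethServer rule): starts with a letter,
# then lowercase letters, digits, dot, dash, underscore; at most 64 chars.
NAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,63}$")

USER_FIELDS = ["name", "displayname", "email"]
GROUP_FIELDS = ["name", "members"]


@dataclass
class Export:
    users_csv: str
    groups_csv: str


def export_accounts(users, groups) -> Export:
    """Serialise users and groups into two CSV documents (no password field)."""
    ubuf = io.StringIO()
    uw = csv.DictWriter(ubuf, fieldnames=USER_FIELDS, extrasaction="ignore")
    uw.writeheader()
    for u in users:
        if not NAME_RE.match(u["name"]):
            raise ValueError(f"refusing to export invalid user name {u['name']!r}")
        uw.writerow(u)
    gbuf = io.StringIO()
    gw = csv.writer(gbuf)
    gw.writerow(GROUP_FIELDS)
    for g in groups:
        # Members are joined with ';' so that one group is one CSV row.
        gw.writerow([g["name"], ";".join(g["members"])])
    return Export(ubuf.getvalue(), gbuf.getvalue())


def import_accounts(exp: Export):
    """Parse the CSV back into dicts ready for a new provider.
    Every user gets password=None: it must be set out of band after import."""
    users = {}
    for row in csv.DictReader(io.StringIO(exp.users_csv)):
        name = row["name"]
        if not NAME_RE.match(name):
            raise ValueError(f"invalid user name in CSV: {name!r}")
        users[name] = {"displayname": row["displayname"],
                       "email": row["email"], "password": None}
    groups = {}
    rows = list(csv.reader(io.StringIO(exp.groups_csv)))
    for row in rows[1:]:
        if len(row) != 2:
            raise ValueError(f"malformed group row: {row!r}")
        gname, members = row
        if not NAME_RE.match(gname):
            raise ValueError(f"invalid group name in CSV: {gname!r}")
        mlist = [m for m in members.split(";") if m]
        unknown = [m for m in mlist if m not in users]
        if unknown:
            raise ValueError(f"group {gname!r} references unknown users {unknown}")
        groups[gname] = mlist
    return users, groups


if __name__ == "__main__":
    dump = export_accounts(SAMPLE_USERS, SAMPLE_GROUPS)
    print(dump.users_csv)
    print(dump.groups_csv)
    print(import_accounts(dump))
```

Refusing to export or import a name that fails the policy, rather than silently skipping it, is the point: a migration that drops or mangles an account is harder to notice than one that stops with an error.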

It seems like the Egg of Columbus to me.
We can tackle all our issues and brilliantly resolve them.

Do you see any side effect of using a .local domain?

Could you explain this point better? Can I change my NethServer FQDN and see that change in my user list?

I’d like to tag here some people like @ambassadors_group @flatspin @NethMaex @ka.rot @dj_marian @laframba @hazell20 @asl @gbr @sdrose @Bryan_Lumagbas @iglqut @greavette

2 Likes

No, I don’t see any side effect. However, as @uliversal said in a previous post, recent guidelines from Microsoft prefer a third level DNS domain (i.e. ad.nethserver.org) over a non-existing TLD suffix (i.e. nethserver.local).

Today the choice of the machine FQDN is bound to the Active Directory realm name. If we split them and implement a Realm parameter it would be easy to configure a mail server. The machine FQDN is free from AD requirements and vice versa. Account names with @domain suffix can correspond to public email addresses by default.

It could be possible. We want to fill any possible gap with ns6 features. Changing the FQDN is one of them.

As usual this is a gradual process: NethServer is a rolling-release distro and we just entered the v7 stable branch. I think the best is yet to come :blue_heart:

3 Likes

Hi guys, I had just a little spare time and used it to come back to my favorite community.
Don’t get me wrong, but “Service Pack” is so MS-like. I’d like “Improvement Pack”! :smile:
Beside that, it would be a great improvement to have all this in NS!

3 Likes

This is an initial mockup, please provide your feedback!

screen 0: LDAP or AD

The current first choice is between “local” or “remote”. I want to change it because it leads to the most important consequence for the sysadmin: is user auth required on shared folders?


screen 1.1 LDAP

  • Local -> install nethserver-directory
  • Remote -> ask for remote LDAP IP and try to guess best configuration from it

screen 1.2 Active Directory

8 Likes

screen0: could the button ‘active directory’ be named ‘samba AD’?

Nope, remote MS AD is included!

1 Like

UI enhancements are tracked by

This has been deferred: it’s a new use case.

  • I want to stabilize the UI code before implementing it
  • the join procedure already works from CLI
  • a modification to the backup/restore procedure is required
1 Like

The UI improvement makes it a lot easier and clearer to use, I like it!

2 Likes

Ciao,

Is there something in the roadmap about this topic?

Thank you

Nicola

As far as I know, for technical reasons already explained in that discussion the OpenLDAP account provider has no options to set share permissions. We can’t support it and there isn’t a workaround, you have to install the DC module. Right @davidep?
This thread is about account providers page, so I guess it’s not related.

1 Like

There are some packages in nethserver-testing repo. We can move on to testing phase! /cc @quality_team

The nethserver-testing repository must be enabled. Please follow instructions on https://github.com/NethServer/dev/issues/5253#issuecomment-295299514

Please review also the headers, labels, texts, messages and inline help! It must be clear as day :sunny:

Feedback is warmly welcomed!

4 Likes

I like those screens regarding Active Directory !

1 Like

Help us to test it and please report here your feedback

1 Like

Not a problem, I will add the test repo to my VM and we will see how it is working.

2 Likes

Great news I’m going to test.

1 Like

Two issues have been already discovered:

  • the nsdc service fails to start after reboot, or restart

  • the remote LDAP probe procedure does not validate the server/port combination - it always falls back to default values which do not make sense

1 Like
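The second issue in the post above (a probe that silently falls back to defaults instead of rejecting a bad server/port) is the kind of failure mode worth showing the safe shape of. The following is an added example, not NethServer’s probe code: it parses a remote LDAP target as plain host, host:port, a bracketed IPv6 literal, or an ldap:// or ldaps:// URL, applies the scheme’s default port only when no port was given at all, and raises on anything malformed. The TCP check likewise reports failure rather than substituting another address. The hostname regex and the 3-second timeout are assumptions.

```python
"""Strict parsing of a remote LDAP target: bad input raises, never defaults.
Added example, not NethServer code."""
import ipaddress
import re
import socket
from typing import Tuple

# Assumed hostname policy: RFC 1123 labels, 253 chars total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def _parse_port(text: str) -> int:
    """Accept only a decimal port in 1..65535."""
    if not text.isdigit():
        raise ValueError(f"port is not numeric: {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_ldap_target(value: str) -> Tuple[str, int, bool]:
    """Return (host, port, use_tls). Raises ValueError instead of guessing."""
    value = value.strip()
    use_tls, default_port = False, 389
    if "://" in value:
        scheme, rest = value.split("://", 1)
        scheme = scheme.lower()
        if scheme == "ldaps":
            use_tls, default_port = True, 636
        elif scheme != "ldap":
            raise ValueError(f"unsupported scheme: {scheme!r}")
        value = rest.rstrip("/")
    if value.startswith("["):
        # Bracketed IPv6 literal, optionally followed by :port.
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host = value[1:end]
        ipaddress.IPv6Address(host)  # raises ValueError if not a valid address
        tail = value[end + 1:]
        if tail == "":
            port = default_port
        elif tail.startswith(":"):
            port = _parse_port(tail[1:])
        else:
            raise ValueError(f"unexpected text after IPv6 literal: {tail!r}")
        return host, port, use_tls
    if value.count(":") > 1:
        raise ValueError("IPv6 literals must be written as [addr]:port")
    host, sep, port_text = value.rpartition(":")
    if not sep:
        host, port = value, default_port
    else:
        port = _parse_port(port_text)
    if not host:
        raise ValueError("empty host")
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"invalid hostname: {host!r}")
    return host, port, use_tls


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True only if a TCP connection to exactly this host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for sample in ("ldap://dc1.nethserver.org", "[2001:db8::10]:636", "dc1:70000"):
        try:
            print(sample, "->", parse_ldap_target(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

The parse step and the reachability step are kept separate on purpose: a UI can tell the administrator “that is not a valid server/port” before any network traffic, and “valid, but unreachable” afterwards, instead of one message that hides which of the two went wrong.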

I’ve got a problem during installing nethserver-sssd from testing: it doesn’t work with my current nethserver-dc, so I had to do it like this:
yum update nethserver-sssd nethserver-dc

[edit]
Because I already had an AD controller here on a VM I had to unjoin it from the domain, uninstall Account provider: Samba Active Directory from Software Center, and after that I had the possibility to go on :slight_smile:

2 Likes