Howto install NethServer as Samba AD domain controller v0.2

@planet_jeroen, @robb : I feel my hardware short after reading your comments:
This is a Dell server R320 24 GB RAM and 4 SATA DISK 1 TB each.
The four disks in ZFS as RAID 10; and limited to 8GB the ZFS system.

options zfs zfs_arc_max=8589934592

Because it haven’t any load right now, I can’t see if I’ll hit a wall; need more tests before going to production. I really need to replace our old w2k server.

What I like is the idea of ZFS snapshots for safety upgrades in NS and peace of mind.

So, if I see that I only can have the NS in this hardware; I will give less RAM to NS, and extend the 8GB RAM for ZFS. I hope that I can have at least to VMs: 1 NS, and other one for a payroll system in windows, so I can take out another hardware at least.


Edit1: sadly, this system can’t hold more disks. Just more ram and hopefully bigger disks later.

Reading this guide avidly. :crazy_face:

If you wont be running a lot of virtual machines, and the systems you named are not very demanding, you can probably get away with it. If you are going to install clients as well on there, this becomes a must.

If your server can hold them, get a few more disks tho. They are relatively cheap and it makes it so much more versatile.

I only run 2 2TB disks on my ProxMox server. But it is a home server and not very extensively used. So in the end it all depends on your use.

But as @planet_jeroen said, as soon you are going to run a lot of VM’s and containers, Have very larghe mailboxes that need to be synced all the time for a lot of users, the best thing you can do, (maybe even before adding RAM) is adding disks/spindels so you increase I/O.

3 posts were split to a new topic: Domain controller IP unreachable

3 posts were split to a new topic: AD: domain not available

Maybe this could serve you

3 Likes

I, too, would like to know if this setup is compatible with RSAT and which tools are working properly - e.g. DNS, DHCP, ADUC, GPO, etc.

Also, can Windows computers connect as domain members without issue?

What about domain trusts, specifically Nethserver Samba ADDC <–> FreeIPA ?? On same subnet / network segment, or separate subnets?

Thanks for the writeup!

Unless you have a real specific scenario, that I have not encountered, yes to all of the above.

You will have a bit of extra work setting the DNS up correctly according to MS standards, but that can be done using the appropriate snapin.
Trusts should work, I have never tested it. Samba documentation states they should work tho, and since Samba is running in a very default mode in a container, that should pose little issue.

Subnets have no influence on trusts. If there is a route from a to b, they will work.

For specific questions about how compatible it is, the SAMBA project page is the best resource. For implementation specifics on NethServer, NethServer is the best source.

Let me know if this answered you questions, and feel free to add to them :stuck_out_tongue:

1 Like

Thank you, yes that is very helpful!

I think the thing that has been hardest for me to figure out about integrating FreeIPA with AD is the suggestion that they be on separate subnets, so I think that will require Zebra/Quagga/RIP or something similar that can handle a next-hop situation (I guess standard Linux routing could suffice).

Right now I’m just using WS 2012R2 which still has the Unix Attributes for managing Linux/FreeBSD/Solarish clients on AD, all networking on a single /24 subnet, but from what I understand 2012 is going to stop getting updates in 2020, so not a viable long-term solution… was thinking FreeIPA looked pretty nice specifically for *NIX clients. Do you have any experience with it?

Also, Samba will continue getting updates and is functionally compatible with WS 2008R2 so that suggests that it should be compatible with Unix Attributes/IDMU and NIS, so I suppose I could just move to Samba once Microsoft stops supporting WS 2012…

…as long as you are aware it is a suggestion, and usually these are aimed at the larger corporations that have different vlans active anyway, and where possitioning is a strategic choice.
If you dont currently have them, you can do without, and in the mean while get some experience and search for a reason to use vlans in the future :wink:

Not yet, but you prompted me to spend longer then intended on their webpage, and it looks like I want to give that a spin as well. Thanks!

Main issue will be not having an Exchange mailserver, if that is what you are running now. If you have a cloud based version or use something else entirely, there wont be much issues. People used to Exchange will make all kinds of noises when their agendas start behaving differently :laughing:

Nope, no Exchange here so not encumbered by that mess… just need something for authenticating and dealing with users on a mix of Windows and *NIX boxes. Not really a big deal, but having software meant specifically for managing each one has always appealed to me more than the one-size-fits-all AD used to try to be but gave up on in Windows 2016.

I’m surprised Nethserver doesn’t have FreeIPA, it’s a Red Hat development and it seems like they’re pretty geared toward carrying Red Hat stuff, being on CentOS and all.

I have pfsense that is issuing my dhcp addresses and I know it runs unbound, but I am wondering if I switch from unbound to bind can it share records between the 2 or how would I setup my AD dns so it knows to look at pfsense for dns outside of AD?

I can ping stuff outside of my network by name, but I can’t ping stuff inside unless they reside in AD DNS, which I guess I can create records for and I wonder if I create a host record for my pfsense if that will help in setting up a forwarder because I get a validation error.

If you use NethServer as DNS for your clients (the server DNS service, not SAmba4 DNS of the NSDC) you can add records to DNS trhough the servermanager interface. Then clients on your LAN will resolve those records…

2 Likes

Thanks, I guess I didn’t realize that samba was using it’s own dns and not any of the existing records.

A little late to the party here, but in your setup you only have one NIC ( IP 10.0.2.5 ), yet you made the AD 10.0.2.6.

How does this work ?

@uncle_numpty This is how the implementation of Samba4 active directory works. The Samba4 domain controller is created in a linux container and has an other ip address on the same green subnet as the NethServer instance. The interface is bridged.
In this howto nethserver is configured with 1 interface as it does not perform the gateway function.

1 Like

If possible, a “how to” backup & restore de container of the Samba4 domain controller, wouldn’t be nice?

Edit. In fact, I’m searching for the best strategies to backup/restore for a VM Nethserver… Just to feel safe if possible. Busy to search with success I’m afraid.:sweat:

Thanks for the clarification - makes sense now.

Hi all,

Can you add somewhere on the page that if you use a Virtual Machine, you have to enable PROMISCUOUS MODE on the NICs as stated here: http://docs.nethserver.org/en/v7/accounts.html#installing-on-a-virtual-machine

Michel-André

2 posts were split to a new topic: Migrate from LDAP to AD