Accounts provider - Service Pack 1

davidep · March 22, 2017, 9:39am

I was talking with @giacomo and @filippo_carletti about the Accounts provider page and all around. We would like to improve it, by adding (or exposing) some useful features and make the resulting server configuration more flexible.

Please, join this discussion and provide your thoughts!

Set a custom Realm name in local DC configuration

Today the Realm has the same value of the domain suffix of the machine FQDN. Let’s say the FQDN is seven.nethserver.org, the domain suffix is nethserver.org and the AD Realm is forced be the same.

If the Realm becomes a separate parameter, a new AD forest could be provisioned with an invented nethserver.local realm or a separate third level domain, like ad.nethserver.org. This would help to solve many DNS configuration issues!

Moreover, the same parameter helps with existing AD environments and mail server configuration. It would be easy to configure predefined mailboxes like user@nethserver.org, and limit AD to its specific DNS zone.

Who comes from ns6 already knows this kind of configuration!

Install/Uninstall a local accounts provider

During the development of the upgrade procedure for ns6 we implemented some uninstall procedures! We can now generalize them and expose on the UI too.

An import_users script from CSV already exist in nethserver-sssd package. We could dump the users and groups lists to a CSV file when the accounts provider is uninstalled, so that they can be re-imported to a different one. Passwords cannot be migrated between LDAP and AD because are encrypted with one-way algorithms.

Moreover, we would like to install a local account provider directly from the Accounts provider page. Going to Software center should not be a pre-requisite to install a local accounts provider!

Add NethServer DC to an existing AD forest

We must verify the new Samba release (4.6) compatibility. Some successful cases have been already reported with 4.4 and we are positive!

Change the IP of the nsdc Linux Container

A manual procedure is already documented. We can expose it on the UI!

Other improvements to Server Manager

Add GSSAPI authentication method to Server Manager LDAP client, to retrieve Users and Groups lists without requiring an additional account with remote AD accounts provider
Raise the maximum number of entries retrieved by the Server Manager LDAP client to a configurable parameter (like RSAT tools do)
Upgrade the Samba DC to 4.6. Make available updates visible from Server Manager (shown as a “todo”?).

References

There are many support requests that turn around the current Active Directory configuration. This is a brief list:

alefattorini · March 22, 2017, 2:14pm

It seems like the Egg of Columbus to me.
We can tackle all our issue and brilliantly resolve them.

Do you see any side effect of using a .local domain?

Could you explain this point better? Can I change my NethServer FQDN and see that change in my user list?

I’d like to tag here some people like @ambassadors_group @flatspin @NethMaex @ka.rot @dj_marian @laframba @hazell20 @asl @gbr @sdrose @Bryan_Lumagbas @iglqut @greavette

davidep · March 22, 2017, 2:33pm

No, I don’t see any side effect. However, as @uliversal said in a previous post, recent guidelines from Microsoft prefer a third level DNS domain (i.e. ad.nethserver.org) over a non-existing TLD suffix (i.e. nethserver.local).

Today the choice of the machine FQDN is bound to the Active Directory realm name. If we split them and implement a Realm parameter it would be easy to configure a mail server. The machine FQDN is free from AD requirements and vice versa. Accounts names with @domain suffix can correspond to public email addresses by default.

It could be possible. We want to fill any possible gap with ns6 features. Changing the FQDN is one of them.

As usual this is a gradual process: NethServer is a rolling-release distro and we just entered the v7 stable branch. I think the best is yet to come

flatspin · March 22, 2017, 5:21pm

Hi guys, I had just a little spare time and used it to come back to my favorite community.
Dont’t get me wrong, but “Service Pack” is so MS-like. I’d like “Improvement Pack”!
Beside that, it would be a great improvement to have all this in NS!

davidep · March 23, 2017, 1:36pm

This is an initial mockup, please provide your feedback!

screen 0: LDAP or AD

The current first choice is between “local” or “remote”. I want to change it because it leads to the most important consequence for the sysadmin: is it required user auth on shared folders?

screen 1.1 LDAP

Local -> install nethserver-directory
Remote -> ask for remote LDAP IP and try to guess best configuration from it

screen 1.2 Active Directory

stephdl · March 23, 2017, 5:36pm

screen0 the button ‘active directory’ could it be named ‘samba AD’

davidep · March 23, 2017, 5:37pm

Nope, remote MS AD is included!

davidep · March 27, 2017, 9:13am

UI enhancements are tracked by

github.com/NethServer/dev

Accounts provider guided configuration

opened 09:11AM - 27 Mar 17 UTC

closed 09:58AM - 10 May 17 UTC

DavidePrincipi

verified

The "Accounts provider" UI page must guide the sysadmin through some configurati…on steps to obtain a fully functional system. Add the following enhancements: **Active directory** - [x] Specify custom Realm and NetBIOS values - [x] Join as AD member, - [x] LDAP client auth kerberos/simple bind - [x] Install/uninstall local AD provider (#5252) - [x] Upgrade nsdc to new Samba release (#5251) - [x] Check the given nsdc IP address is free - [x] Remove bridge creation checkbox **LDAP** - [x] Install/uninstall local LDAP provider (#5252) - [x] Upgrade ns6 directory to AD - [x] Bind remote LDAP, auth method choice: anonymous/simple bind **See also** http://community.nethserver.org/t/accounts-provider-service-pack-1/6351

This has been deferred: it’s a new use case.

I want to stabilize the UI code before implementing it
the join procedure already works from CLI
a modification to the backup/restore procedure is required

laframba · March 27, 2017, 1:14pm

The Ui improvement make it alot easier end clear to use, I like it!

saitobenkei · March 29, 2017, 7:45am

Ciao,

there’s something in roadmap about this topic?

Thank you

Nicola

alefattorini · March 29, 2017, 9:34am

As Far as I know, for technical reasons already explained in that discussion Open LDAP account provider has no options to set share permissions. We can’t support it and there isn’t a workaround, you have to install the DC module . Right @davidep ?
This thread is about account providers page, so I guess it’s not related.

davidep · April 19, 2017, 3:42pm

There are some packages in nethserver-testing repo. We can move on to testing phase! /cc @quality_team

The nethserver-testing repository must be enabled. Please follow instructions on https://github.com/NethServer/dev/issues/5253#issuecomment-295299514

Please review also the headers, labels, texts, messages and inline help! It must be clear as day

Feedback is warmly welcomed!

des · April 19, 2017, 3:55pm

I like those screens regarding Active Directory !

alefattorini · April 19, 2017, 3:58pm

Help us to test it and please report here your feedback

des · April 19, 2017, 4:07pm

Not a problem i will add test repo to my vm and we will see how it is working

Francenildo · April 19, 2017, 4:37pm

Great news I’m going to test.

davidep · April 19, 2017, 6:45pm

Two issues have been already discovered:

the nsdc service fails to start after reboot, or restart
the remote LDAP probe procedure does not validate server/port combination - it always fall back to default values which do not make sense

des · April 19, 2017, 8:06pm

I’ve got a problem during installing nethserver-sssd from testing it does’nt works with my current nethserver-dc, so I had to do it like this:
yum update nethserver-sssd nethserver-dc

[edit]
Because i had allready a AD controller here on VM i had to unjoin it from the domain, from Software Center uninstall Account provider: Samba Active Directory and after that i have a posibility to go on