AD DC+SAMBA share+Windows Clients works, now how to work with Linux clients?

Hi @sashaluda

I think you’re completely missing the point with this statement:

LDAP will not allow ANY user or group based shares!!!
That alone is the reason to evade using LDAP on NethServer, even though it works well.

AD use on NethServer (Or any other server platform for that matter) is NOT about using Windows!

From a security point of view, not even usable for a home server!
“Public” Shares, based on a “per-share” Password is an absolute No-Go in 2023!
You don’t want your kids overwriting their pocket money allowance on the home budget spreadsheet! :slight_smile:

Side Note: Spreadsheet does NOT mean MS Excel - or the now dormant Lotus 1-2-3. There are LibreOffice and other variants of Office suites including Spreadsheets and all. The same as AD use does not imply a MS-Usage or Environment! It makes plenty of sense to use AD even in a complete Mac or Linux environment!

My 2 cents
Andy


Hi @Andy_Wismer,

Wait a minute! Are you saying that Linux (apart from AD and Samba) is not capable of creating a single-sign-on authentication with user-group regulated shares?

I thought it was accomplished with LDAP+NFS. Right? I thought one could have a lab of users and network shares without Samba and AD authentication…

NethServer, out of the box, is not capable of using LDAP / NFS to create shares…
NFS does not really support any user or group authentication, NFS only supports host or IP based authentication.

→ This is valid at least until NFSv3, I don’t touch NFSv4, as it’s not supported by a lot of systems and it’s unstable / unreliable.

There is an addon (Module) by Stephdl which allows you to create NFS shares, but only per IP/host…

Most current OSes have moved from using native file sharing (eg NFS for UN*X/Linux, AFP for Apple) to use CIFS (Samba, also known as Windows File sharing).

No, as it seems even die-hard Linux users will often choose AD/Samba, even without a single Windows box. It just works with all NAS, printers, workstations and others.

Note:

All the above is specifically for NethServer. As NethServer is based on CentOS 7, itself a copy of RHEL7, the real issue is that RedHat didn’t include AD capable components. The Samba released by RedHat can’t be AD, due to RedHat compiling “standard” Samba, not Samba4AD, which requires Heimdal Kerberos, not the standard Kerberos used by RedHat. RHEL7-compatible systems can be AD members, but not run AD themselves. (A long story cut short…).

My 2 cents
Andy

Oh… That’s a complete worldview change! I thought that UNIX pre-existed SAMBA by decades… and that UNIX was for most of its existence a multi-user environment. The only thing that was added over time is good encryption (especially the asymmetric kind, followed by certificates, certificate authorities…) instead of just sending things over the network unencrypted.
So, the entire hierarchy of user directories… I understand that it was driven by “Terminal Server”-design.

But even in a “non-terminal server” scenario, for authentication – just create a link to the proper files from one computer on the network to the other and a client will use the remote files in /etc for authentication rather than local… Although this sounds like a stone age solution.
… Never mind that… just thinking out-loud in astonishment…

So, there was never in the history of Linux/UNIX a network share solution with user and group access rights?

Anyway, I found this: FreeIPA. Of course the project had its first version only in 2007… but this is a completely Linux solution that is supposed to be able to replace AD. Or am I wrong in this case also?

Keep increasing your knowledge of the world of IT and systems.
Take a run here…

What Microsoft put in place (and arm-twisted 4 to 5 times) as paradigm was not the only one for network connected systems.
So centralized management and SSO are one way to design a system, not the only one. SSO has some nice pros but so fearful cons.

Oh… So, what is a way to be able not to assign each user in a lab a particular computer (with credentials saved locally), but allow users to change workstations, being able to log in on whichever computer is available? Is it to sync accounts and files across the network? Or have the /etc files responsible for authentication stored on the network?

I believe that the Microsoft way of developing their tech was and is a most painful way of slow upgrades while keeping old tech under the hood. They, so to speak, slowly upgraded a bicycle to a jeep. You can still find old parts in some places, but it is a Frankenstein’s monster.

On the other hand the philosophy of UNIX that everything is a file (and many other fundamental ideas) prepared it for a future upgrade of hardware and software capabilities.

So, I think that there must be the “UNIX” way (or a Linux way) that a lab or a business should be able to successfully operate in the world of PCs (and not the mainframes). Or is it an inherited problem of UNIX based systems to be by their nature a mainframe based system (a terminal server)?

Sincerely,
Sasha

Thanks for explaining and exposing your personal beliefs about that. Now that you have done it, you might want to look for whether there is any translation of that into the real world.
And don’t forget that there are more mobile phones and tablets than computers in the world…

:smiley: That is exactly my point: Android and iOS are based on UNIX concepts (FreeBSD and Linux) and not Microsoft technologies. So, there must be a way. :wink:

Yes, I understand that FAT32 is the most popular freely supported file system in all devices – because there are no legal limitations, and that (just like Samba) Microsoft popularized it.

Yet, I hope to find the right way to do my lab. … So, have you heard of FreeIPA? Moreover, (returning to subject of discussion) I looked around Nethserver file system and found this:
```
# find / -type f -name "ldap.conf"
/etc/openldap/ldap.conf
/etc/e-smith/events/nethserver-sssd-save/templates2expand/etc/openldap/ldap.conf
/etc/e-smith/events/nethserver-sssd-update/templates2expand/etc/openldap/ldap.conf
/var/lib/machines/nsdc/etc/openldap/ldap.conf
```

But looking at the settings of ldap.conf saved in each copy – they are all default:

```
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
#
# 10default
#

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

#
# 20tls
#
TLS_REQCERT never
```

So, the question is, where are the settings shown in “Users&Groups–Local Active Directory Details” stored and how to use them?

Yes. That (a long story cut short…) is the history of development of protocols injured by legal issues. So, have you heard of FreeIPA? The project is based on Fedora, but there are compiled versions for CentOS and Debian.

Yes, I have… Unfortunately, I heard the Big Bad Blue news first, then the early discontinuation of Centos…

I don’t really think I can trust anything from either Big Blue or Red…

Besides which: FreeIPA uses MIT Kerberos, so will most likely NEVER support any Windows.
If my clients have 1 Linux Workstation for every 30-50 Windows workstations. Even Macs outnumber Linux 4:1… I use (also) a Linux workstation, but reality in workplaces is still Windoze…

At the moment, version 4 of FreeIPA allows FreeIPA as a client of Windows AD…
Any decent Linux Desktop can join ActiveDirectory as is - without any need to put FreeIPA in between.
Why add on software with no additional functionality? Bloatware?

I do not see any realistic reason to support FreeIPA at all!

My 2 cents
Andy


Oh… Well… FreeIPA has LDAP in its base, and AFAIK LDAP is more widely supported and used by modern tech than AD (online services…). There is a project pGina which allows Windows workstations to authenticate against LDAP. I really want to try it.

Why I’m looking for another way than AD… mostly because I see that the “Workstation way” is dying as much as the “Mainframe way”. I installed Nextcloud on NethServer and can make a script that would connect the Nextcloud “user home folder” to Windows or Linux via WebDAV at login. This is all thanks to LDAP, not AD. WebDAV felt slower than Samba access, but this might be due to the setup or hardware I used to test it (I might be wrong and WebDAV might be the outdated thing altogether). I am also able to quickly access WebDAV resources on my cellphone and tablet, none of which is thanks to AD or Samba.

There are more and more solutions online to manage devices: this is what AD allows for PCs… And those services support all devices (PCs, phones, tablets…) I know, this sounds like the “one ring to rule them all”, but I don’t see much future for a desktop if it is stuck with AD and Samba instead of learning how to integrate with clouds (not the MS way – like a slap on ad-on OneDrive or Google drive app, but as a system service – the way it’s done in Linux when you mount whatever file-system via whatever connection).

But that’s all the impression I have from my limited experience with tech I have.

So, speaking of integration into AD of a Linux computer:
I was so surprised to start seeing (probably from 20.04) an option in Ubuntu during installation “Add this computer to a domain”. I was really excited to have it done the official way (unlike manual or script solutions). So, I jumped at the opportunity and quickly installed Ubuntu, trying to add it to my NethServer AD domain during its installation… But failed miserably multiple times. There must be a glitch or disconnect between what Ubuntu expects from an AD domain and what NethServer offers – there is no love :slight_smile:
(Just think about how wrong it sounds to join Ubuntu into CentOS’s implementation of a Microsoft developed domain controller – another reason I’m looking around for another, more natural solution.)

Can anybody test and see if you can join your Nethserver AD with a new installation of Ubuntu? Maybe there is a problem with my settings. I tried to debug … but this will probably have to do with debugging Kerberos handshakes … which might be difficult.

Thank you,
Sasha
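The ldap.conf Sasha posted ends with `TLS_REQCERT never`, which tells the OpenLDAP client library to accept any server certificate, valid or not. As an added example (not code from the thread or from NethServer), here is a small checker that parses that file format and flags the weak settings, next to a hardened variant; the hostname, base DN and CA bundle path in the hardened block are assumed values.

```python
"""Lint an OpenLDAP ldap.conf for client-side TLS settings.

Added example, not code from the NethServer thread. It reads the
ldap.conf(5) layout (KEYWORD value, '#' comments) and reports what
weakens transport security: TLS_REQCERT never/allow (the client does
not verify the LDAP server's certificate), a plain ldap:// URI, and
no CA location to verify against.
"""
from typing import Dict, List

# The effective lines of the ldap.conf posted in the thread (constructed
# copy; the commented URI/BASE lines are kept commented as posted).
WEAK_CONF = """\
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on
TLS_REQCERT never
"""

# Hardened variant. Hostname, base DN and CA bundle path are assumed
# example values: use ldaps:// and verify the cert against a CA bundle.
HARDENED_CONF = """\
URI ldaps://ad.example.org
BASE dc=ad,dc=example,dc=org
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT demand
SASL_NOCANON on
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return {KEYWORD: value}. Blank lines and '#' comments are skipped,
    keywords are upper-cased, and a keyword repeated later overrides."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_ldap_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means clean."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    # ldap.conf(5): when TLS_REQCERT is absent the default is 'demand'.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not "
                        "verified, so a spoofed LDAP server is accepted")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a missing server certificate is "
                        "still accepted")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: nothing to verify "
                        "the server certificate against")
    for uri in conf.get("URI", "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(f"URI {uri}: plaintext ldap://, credentials and "
                            "directory data cross the wire unencrypted "
                            "unless STARTTLS is enforced")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {lint_ldap_conf(conf) or ['ok']}")
```

Point it at a real file with `lint_ldap_conf(open("/etc/openldap/ldap.conf").read())`; on the posted file the only finding is the `TLS_REQCERT never` line.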

Hi @sashaluda

Globally, there are way more hosts authenticating with AD than with pure LDAP.

You’re writing as though LDAP and AD are completely different animals!

You do know that AD is based on LDAP (proprietary changes by MS)?
It’s almost completely compatible with one another, so much that almost anything capable of using LDAP could also use AD.

Both are essentially Enterprise Directory Systems - for large and the largest organizations. It has nothing to do with the Workstation nor Mainframe “way”, all of this also has nothing to do with Clouds or “Online services”. Both LDAP / AD predate the first clouds by at least 20-30 years. LDAP and AD are both actually modelled after Novell’s NDS / eDirectory, which was around before AD - and supported / tested with over a million users!

RedHat never supported AD, therefore also never implemented an “AD” as server. As you know, Centos was always RHEL, one to one compiled from source - so also never supported an AD as server.
→ This is well known!

WebDAV is way slower than any form of drive connection, be it NFS, AFP, CIFS or whatever, and it also has much more security “gotchas”! This is well known!

Ubuntu / Canonical have moved away from OpenSource. The snap installer isn’t completely open source - especially the “shop” part is not available at all as code. No, Ubuntu is no more the open-source like it maybe once was…

Many people think the cloud is simply the mainframe “way” in a new dress. It’s not far off, both are centralized, powerful systems, controlled from a single point.


I’m not criticising you personally, @sashaluda , please don’t take this as personal criticism. It is, however, a major debunking of certain myths, like thinking AD and LDAP are two completely different things.

Almost all online (“cloud”) apps can use AD in place of LDAP. They all do require use of a proper Internet domain (LDAP on the Internet also can’t work with .local!) and both need valid SSL certs to be used safely. Both actually need a well-encrypted connection between authenticator and client (or a completely private connection), SSL is actually not enough!

And: There are, and have been, Linux distributions out there that could join any AD for at least 10 years, just like any Mac has been able to join MS-AD (and NethServer’s AD) just as easily. It’s just that Ubuntu isn’t one of them!

And: personally I moved away from MS more than ten years ago. As Desktop, I use Macs and Debian with Mate. As I do need to deal with Windows professionally, I only have virtual Windows for testing / learning and a now 11 year old PC with Win10 installed. I use this to test and perfect distribution and other stuff like FOG-Project. None of my clients run an AD on Microsoft OS, all use AD on NethServer.

→ When running AD, at least on NethServer, please make sure your AD uses a valid SSL cert, like LetsEncrypt, and not a self generated one like it does out of the box. All it takes is a valid SSL cert pointing to your NethServer with your AD’s name as alias, and about 5 lines of code, less than 5 minutes work! PHP and JAVA apps are both VERY fussy about the SSL cert being valid!

I see this text as an exercise in “debunking”.
Most are facts, very little above is my opinion.

My 2 cents
Andy


PS: Simple question / Test:

Can you name the one major difference between any relational Database (RDBMS) like MS-SQL, MariaDB, Oracle, PostgreSQL and LDAP (Seeing AD as compatible)?

Any response to a query to any RDBMS will result in a field with exactly a single value.

The same response from any LDAP compatible can result in a field containing multiple values - like an array in programming - as an example think e-mail.

An RDBMS often has fields like email, email2, email3, as each field can contain exactly one response.
LDAP doesn’t need this “crutch”.

Another major difference (general, not as specific as above) is that RDBMS are more or less optimized for read/write operations to have equal priority / speed, whereas LDAP is optimized for fast reads (How often do users change their home address or password?)…

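Andy’s RDBMS-vs-LDAP test above, worked through as an added example (not code from the thread): a minimal LDIF entry parser keeps every value of a repeated attribute as a list, and `to_row()` shows the relational “crutch” of email, email2, email3 columns, where anything beyond the fixed columns is lost. The entry, names and addresses are constructed.

```python
"""One LDAP attribute, many values: LDIF parsed into lists vs. fixed columns.

Added example, not from the thread. The constructed entry repeats 'mail'
three times; the third value uses the base64 ('::') form and the last
memberOf is folded over two lines, both legal LDIF that a naive
split-on-colon parser gets wrong.
"""
import base64
from typing import Dict, List, Optional

# Constructed LDIF entry: DN, names and addresses are made up.
ENTRY_LDIF = """\
dn: cn=Sasha Example,cn=Users,dc=ad,dc=example,dc=org
objectClass: person
cn: Sasha Example
mail: sasha@example.org
mail: sasha.lab@example.org
mail:: c2FzaGErYWx0QGV4YW1wbGUub3Jn
memberOf: cn=lab-users,cn=Users,dc=ad,dc=example,dc=org
memberOf: cn=nextcloud,cn=Users,dc=ad,
 dc=example,dc=org
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Return {attribute: [values...]} for a single LDIF entry, in file order."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # folded line continues the previous one
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical:
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip(), []).append(value)
    return entry


def to_row(entry: Dict[str, List[str]], attr: str = "mail",
           column: str = "email", columns: int = 3) -> Dict[str, Optional[str]]:
    """Spread one multi-valued attribute over fixed columns named
    column, column2, ... columnN; values past the last column are dropped."""
    values = entry.get(attr, [])
    row: Dict[str, Optional[str]] = {}
    for i in range(columns):
        name = column if i == 0 else f"{column}{i + 1}"
        row[name] = values[i] if i < len(values) else None
    return row


if __name__ == "__main__":
    entry = parse_ldif_entry(ENTRY_LDIF)
    print("LDAP view:", entry["mail"])
    print("RDBMS view (2 columns):", to_row(entry, columns=2))
```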

Wow. That was very educational and revealing. Thank you.

My experience with IT is very limited and focuses more on devices and their local software than networking: ZX Spectrum, CP/M, Z80 Assembler, MS DOS, BASIC, Pascal, C++, MS Visual FoxPro, 68k Macs+Networking, Proxy servers and Windows 3.1 networking, bunch of different Linux on PC, Palm, first Android, bunch of WiFi routers, NT4 DC Ubuntu server 12.04, smart switches, and finally bunch of beautiful and fun Linux server software (NethServer, Nextcloud, Jellyfin, Webmin, pfSense, ntopng, Moodle, Joomla…)

Since I graduated in 1996, you can imagine that most of the things I learned – I learned myself. I’m even trying to do a little Kotlin. But I am truly captivated by Linux server software. How amazing it is, and how well developed it is, and how quickly it is growing.

So, what you explained is really cool. I understand that in reality the concepts of communication and protocols, files and file systems, data and databases – not an area for reinventing a wheel. The only reason to “reinvent a wheel” is to avoid legal fees, or try to improve the speed. That is why Mac desktop interface in 1984 conceptually isn’t much different from 2023. Reason and simplicity rule.

So, returning to the topic, yes, adding LDAP to AD resolves all online authentication problems… So, there is no need to try to do away with AD. I see this now. Then I should focus on learning how to join Linux clients to AD domain the least painful way (I have lots of such clients). I’ll be looking for options. Ubuntu was a surprise to me when they started including “join AD domain” during install. I wanted to try it. Although currently I like Manjaro better. Maybe there is a nice solution for Manjaro (their AUR is awesome).

Thank you,
Sasha

Yeah… no.
The rise of Linux ended in the middle tens; Linux currently is an important reality and an asset for a huge load of developers and customers.
Linux is a base that all the biggest companies take from so as not to deal with some kinds of issues, feeding with money or developers or both the projects that are more interesting to them. No one is developing an OS or stacks from scratch; everyone is using old things and evolving them, sometimes with patches, sometimes with deep rewrites.
Cupertino brags about Unix, but elsewhere… Linux is king. And as a Redmond user, I have to admit that. Android phones? Linux. Lots of CPEs? Linux. Firewall appliances? Linux. Switches and network equipment? Linux. Azure base OS? AFAIK, Linux. Not kidding. GPLv3 frees you from the necessity to acquire licenses. However, everything “spicy” built on top needs to share not even a smidge of the code, or the copyright does not go into shares.
Some say it’s useless to reinvent the wheel. Well, sometimes I’d love for someone to redesign the whole mechanism from scratch. The kernel started with i386, one core and less than 100 MHz. It passed through I don’t know how many revamps and rewrites, implementing different kinds of cores, more cache than older PCs had (the latest Genoa Epyc hits 384 MB of L3 cache!), several kinds of pipelining and jumping around so many different kinds of architectures.
Ok, snap back to reality, here goes gravity.
The SaaS paradigm wants to tell people “don’t buy your infrastructure, lend ours”. On updates, it makes quite a lot of sense; on information control and dependency, well… I’m still telling customers if they want to make receipts and invoices only when the internet works.
This leads to a lot of interesting decisions…

Hi @sashaluda

Sounds like you might be familiar with some of these…

Today’s playpen:

Not productive, but suitable for testing, learning, software trials or just for fun.
Can’t beat a real Mac, but it’s still fun…

:slight_smile:

My 2 cents
Andy

To join NethServer’s AD from almost any Linux, see here:


@pike

One of the only mainstays of Apple is:

It just works, then when you need it.

Creative Users like musicians, artists and the like still prefer Mac to any Windows or Linux…

And finance people?

Well, they buy either Apple or MS stocks, hardly any Linux.

In any case, in 2023 ALL of us are using more than 640K RAM…

:slight_smile:

My 2 cents
Andy

Oh yeah! Basilisk II (still using it for my 7 y.o. daughter), Shapeshifter, PearPC (never got off the ground PowerPC CPU emulation). MacOS 7.6 (sweet and best). It’s amazing that Basilisk II could run MacOS 8.1 and get online via Netscape Navigator… Just the sound of those words put in one sentence … Oh…

Now I have four Raspberry Pi 4 (8GB, 8GB, 4GB, 2GB). 4 watt consumption server passive cooling – one with family Nextcloud+Jellyfin (Ubuntu Server 20.04) 128GB M.2 external system + 2TB external HDD data, the other my son’s Minecraft server (Ubuntu Server 20.04), 3rd – Recalbox (with my favorite 8bit and 16bit games + Kodi. We actually played original Mario Bros with my son and daughter – the one with Mario and Luigi on one screen flipping turtles/crabs/flies/…), and 4th pi is just waiting to become another useful server…

Toys for boys :slight_smile:

So, I’m ready to install ARM version of Nethserver (actually there was one port already…). It would be great to use it as my firewall+file server+Nextcloud…

P.S. There is a real working Mac Performa in my daughter’s room with Mac OS 7.6


Not nowadays.
A lot of System 9 users stopped considering Cupertino reliable after Mountain Lion, and I keep asking myself why Apple wants to make both the worst email clients ever for computers and portable devices with Mail for Mac OS XI and iOS.
Apple took five giant leaps during its history and came out wonderfully, the biggest was MacOS X, throwing away all the legacy code for the ground-up NeXTSTEP newborn.
But the quality of code and releases sank, which was not the case for Redmond, increasing stability, performance, flexibility and patching. I mean… PrintNightmare was patched for OSes dated 2009! Cupertino asks for money every 5 years…

But getting back to the clients devices, there are more android phones than laptops in the world. And I know you know perfectly which is the kernel of Android… :wink:

@pike

Android is the first, large scale commercialized, special use Linux OS.

And from its creator: One of their WORST mistakes ever!

Why?
It does work as a phone and can be considered the second smartphone after iPhone…

But?
It wasn’t intended to be a phone, its main use is data-collector, second use as phone…

And?
They forgot / overlooked the most important thing: system wide or almost system wide internal communications… Apple “enhanced” SMS. Google missed that lesson in school…

Facebook, the second largest advertising evil in the world, bought WhatsApp, which covered what was missing on Android…

Just like buying your opponent a baseball bat, to give you “clues” why…
They gave their biggest competitor a free access platform, called Android, to run WhatsApp - and collect data before Google using Google’s tool…


Apple

Since Jobs left, a lot of the quality, genius, ingenuity that Apple had is gone. Tim has too small feet to wear Steve’s shoes!

It’s the same with a lot of music / musicians…

Look at Roger Waters - he thinks he’s the greatness which made Pink Floyd great…
The sum of all members made the greatness of Pink Floyd, not the musical Nobody Roger Waters is alone.

The Wall, one of Pink Floyd’s greatest epics, and created almost exclusively by Roger Waters, was also ruined by the same man, inviting Cyndi Lauper to be on stage during The Wall in Berlin…

Maybe his greed for money made him mentally as sick as John McAfee, who became sicker when he sold his company McAfee for a lot of $$$ (to Intel)…

Note: The Enterprise AV of McAfee was really good, but not the packaged consumer version sold in the stores…


I’ll still say, Apple, with CCC, is still by far the easiest OS to clone to newer hardware. Once on target, the OS recognizes “all” hardware it will run on, and starts the right drivers.
A cloned Linux Desktop will often still be stuck with older drivers / resolutions, sound often will not work right away, and networking often has the MAC addresses of the previous NICs, resulting in a non-working LAN. Wireless on Linux is even worse…

Mac Mail, once installed, will work for the life of the hardware, and longer, often without ANY issue.
Even if the mail Server is MS Exchange, the Mac is often the mail client with the least issues.

Even as Groupware, the three involved Apps (Mail, Calendar and Addressbook) are often more seamless than MS All-In-One product Outlook - and over a longer time!

There are a (very) few cases, where I’ll install Thunderbird in Addition to Mac Mail on MacOS, but as said, there are very few use cases which require this…

My 2 cents
Andy


@pike
@sashaluda

Android and iOS are much more common than any PC workstation, true!

But how relevant is including exclusively single user systems in a discussion about user logins and profiles (Do note the intended plural!) ?

Both iOS and Android are almost exclusively single user devices - for most of their whole lifetime. If anyone disagrees, send a screenshot of how a user can log out, and another user can log in…

→ Not on a “rooted” iOS or Android system, I asked for users, not system admins, which root effectively is…!

Being a multitasking system doesn’t mean a system is multi-user capable!
Windows Workstations (and all MS servers except Terminal Service servers) being a very good example of a multitasking but single user system!

My 2 cents
Andy