Bind to external AD controller

NethServer Version: 7
Module: Account provider

I am still around … and kicking.

Our Nethserver 6.9 is running flawlessly since March last year and our office came to relay entirely on it. As I said before, thanks to Nethserver we could remove our dependance from SBS Server and the whole MS chain of software (server side). Our desktops are still Win 10 (or Win7), but that will be more difficult to change…
Kudos to the whole team for making such a product and supporting it so well.

Now to the matter at hand. I am currently experimenting with Nethserver 7 and an old Xeon workstation; the objective of such experiments are :

  • Virtualize our server environment (vmware ESXi - vSphere)

  • Migrate to Nethserver 7

  • Migrate from Owncloud to Nextcloud (in or out of NS)

  • Add more VMs for UniFi, etc.

This is my current test bench :

  • Dell Precision T5500 workstation
  • Xeon processor
  • 6GB Ram
  • 2 x 500 GB HD
  • ESXi 6.5a (free version)

My initial approach was to create a CentOS 7 VM and install NS7 on it. Base installation went quite well (I am new to virtualization, so I took some time to make sure I was doing it right) but I could not make the AD provider to work (nested virtualization) despite following the manual and configuring the virtual switch in promiscuous mode. Initial installation worked (got the binding message) but as soon as I restart the VM the AD provider do not start.

For the sake of experimenting, I tried a different approach : I spun a Ubuntu VM and installed SAMBA as AD controller. I managed to have it work and I can configure the Domain properties and Users/Groups with RSAT from a Win10 PC as well as Join PC to the domain.

As could see, I created 3 users and 3 groups, in addition tho the standard domain administrator. All users and group are configured and including the respective email address (also for the groups).

Once the domain was working, I joined my instance on NS7 and I managed to get it connected to the AD controller and all users and groups listed.

Mailboxes were created :

Now the problems :

When using Roundcube, the public address book is not populated; this despite having created the dummy user for the LDAP binding.

Sending messages to other users is working (as expected) but not to groups. As said, all groups are configured with the related email address (in the AD controller) but whenever I try to send the mail I get the following error message ;

Groups are very important to us; we use them for mail distribution and to regulate access to shared folders (not tested yet in my environment), therefore it is important for me to have it working.

Any suggestion?



In ns7 mail addresses are no longer read from AD. Group mailboxes can be created as shared mailboxes or as mail aliases with multiple recipients

let me see if I got it straight.
Groups read from AD are no more used for mail distribution; to implement that function you have to use now group mailboxes. I thought I tested it, but I will clean up the setup and try again…

As far as I can understand, groups read from AD are still used access control on shared folders, is that right?

What about the problem with the address book in Roundcube? Do you have any hint?


yes, right

Mail aliases associated to shared mailboxes are not in AD LDAP; as such they can’t be listed in the addressbook.

By now, the “public” roundcube addressbook lists userPrincipalName and mail attributes of user entries. There’s a bug for UPN synchronization:

About the SMTP error: as the error message says, I guess you didn’t create

I retraced my steps and created a shared mailbox and assigned to a group (those from AD) but it did not work.
I created a mail alias with proper recipients and it worked. With few users this is not a problem, but when the number of mail accounts/users increases this could be not convenient.

One more question : now that the AD users are read only, are the password expiry warning still issued by NS?

Thank you


1 Like

I want to allow setting a group alias as destination for another alias. In this way the list of recipients must be specified only once.

For instance:

  group@domain => member1@domain, member2@domain, ... 
  group-alias@domain => group@domain

In the future we could read the member list directly from the accounts provider. This enhancement requires a special postfix configuration with a custom server process. It’s quite complex and I’m not sure it’s worth the effort, but it would bring back the same ns6 feature.

It seems there’s no action sending such warnings in ns7✓

I guess we should file a bug /cc @dev_team

Notification will not be sent.
Joined Windows machines will be required to change user password from the AD itself.

No, this an actual limitation of sssd, see these commits:

1 Like

Thanks for the references @giacomo, I completely forgot about it!