Creating and managing GPO's

gpo
samba4

(Rob Bosch) #1

With the introduction of Nethserver ‘Mayo’ 7 beta we also have Samba4. Besides filesharing, Samba is also managing network objects like workstations, servers, groups and users. Samba 4 is (more or less) compatible with Active Directory.
In Active Directory a lot is managed through GPO’s (Group policy objects). Microsoft has a decent application for that in RSAT tools. However, as far as I know, there is no opensource alternative for that.
Does this mean we are still stuck with at least 1 Windows machine running RSAT? Or is it possible to run RSAT under wine?
Ok, there is sambatool, but to be honest, that has by far not the options RSAT has.

Maybe this can be seen as a feature request: Having a webgui for managing GPO’s


(Davide Principi) #2

Full open source alternative to Active Directory?

FreeIPA!

It does not sound like a limitation…

GPO make sense in a Windows network. At least one Windows OS must exist :wink:


(Stefano Zamboni) #3

does it have any sense with windows clients?


(Davide Principi) #4

AFAIK Windows is not open source (by now) :smile:


(Stefano Zamboni) #5

ROTFL

ok… but… does freeIPA work with windows…

unfortunately having non windows clients is really difficult


(Vhinz Sanchez) #6

In one forum I’m following, they’re saying that Samba4 is Active Directory in itself. Note, not just compatible, but AD in itself in a sense that you can make it a DC without Windows server.

More or less, this is what Samba4 is aiming for: a replacement for Windows Domain Controller/Active Directory, but not the Windows desktop clients. With this in mind, I think that the aim, more or less, has something to do with managing Windows desktop clients, which, in turn, can run RSAT. In any case, it will be great if GPO can be managed through Linux as well.


(Rob Bosch) #7

I do know what Samba4 is about. If you have followed the development of Samba4, you could say that journey was and is a ‘bumpy road’ (to say the least). It took like 10 years to come up with something workable. Now we are at samba 4.5 released sept 7th.
I was searching for recent articles comparing Samba4 to Windows AD, but couldn’t find them. Still I believe that Samba4 lacks features Windows AD has. That’s not a strange assumption since everything in Windows AD has to be reverse engineered for Samba4 and that takes time.

Anyway, it would be great to be able to create GPO’s in a graphical (application or webgui) way using a linux machine. Oh, and it must be opensource… :slight_smile: Anyone that finds one that will be implemented for NS gets a free beer at next fosdem… (if you prefer a coffee or soda that’s ok too… :stuck_out_tongue: )

Would creating a (web)gui around sambatool be an option? As a non devver this seems a very difficult task… And implementing webmin just for the samba part is a bit overkill. Which looks by far not doing everything RSAT or even sambatool can do.


(Alessio Fattorini) #8

Honestly @robb, I’m more interested in this question: have you deeply tested GPO using Windows tools yet? :frowning:


(Rob Bosch) #9

I don’t have a windows machine, so the answer is no.


(Emiliano Vavassori) #10

Sorry to open-up again this issue, but the interest here is high (at least, from our side).

Yes, but you don’t want to steal a user PC just to check a policy, right?

I have situations in which RSAT tools were installed on users’ PCs and it is really frustrating waiting for them to free up their workplace (or not freeing it up because of deadlines).

I know the task is costly, to say the least, and it will require a lot of retro-engineering and trial and error, but I think if this is going to be a distinctive trait of the future NS, this would also be a killer feature.


(Jeroen Visser) #11

I was reading the question and wondering what the point was going to be of having an open-source alternative for creating GPO’s, only used on Windows machines. It seems like taking the long road for no good reason at all.

I am testing the water here. GPO’s seem to function, there are some limitations that do not come from the GPO implementation but seem to stem from config parameters on the samba end. They do not hinder any use-case scenario that would be realistic or not easily worked around.

If I run into issues I will document them for future reference, I intend to heavily utilize them.

Get yourself a nice Igel thinclient, or an Igel UDC .iso, install that Windows machine on your Nethserver’s KVM and connect to it using a thin-client or use a bootable USB to that end. It’s even backed up that way :wink:

nah, seriously, any virtual windows will do. I was running VirtualBox on Mint to that end, till we moved everything to virtualization, and it became a matter of creating an extra vm and claiming a TC.


(Emiliano Vavassori) #12

Which you should license, BTW (and licenses are the big part of the issue). And that also you should not virtualize, if you are already virtualizing NS (on Proxmox VE or VMWare ESXi). Please remember that no/less license costs is the winning point to a non-technical decision maker.

We usually are able to justify anyways the license for a single additional Windows client for the management; still, an open-source and platform independent GUI to manage GPOs would help greatly the appeal of the solution.


(Rob Bosch) #13

Would you use a rock to put a nail in a piece of wood because you can find rocks freely in the street when a hammer, you have to buy, can do the job with so much more ease?

If you have the opinion that it is because you only want opensource, because it is open, you are right to use the rock. If it is about money, then I would suggest to reconsider and buy the hammer.

btw, I would love to see an opensource hammer… :slight_smile:


(Dominik) #14

I have used Samba4 and RSAT tools at my company (currently testing NS7 as AD), and like @planet_jeroen said there are some limitations, but here is what you can do (with RSAT):

  • auto map shares,
  • auto map user home dir as a shared drive,
  • auto map share from NAS servers connected to AD,
  • set up password restrictions (NS7 has it but I haven’t tested it yet),
  • block access to Control Panel, Network, RegEdit, Task Manager…
  • don’t remember… :wink: more

I was not able to set up a GPO for auto-installing applications, but this could maybe be my mistake somewhere.

This was the main use of RSAT.

If you don’t have a spare Windows machine, I suggest downloading an ISO with the Windows 10 90-day trial, installing it in a VM, connecting it to AD and installing RSAT. This works (for 90 days) and you can test it.


(Stéphane de Labrusse) #15

I would like the input of @davidep on the feasibility of a GPO panel and how to do it in netgui or cockpit.

Of course each feature must be implemented :’(


(Dominik) #16

That would be great :slight_smile:

If I remember correctly, when I was testing Zentyal there was an option to set up:
GPO, OU (organisation units), roaming profiles

If we had it here it would be awesome


(Davide Principi) #17

Do you have a screenshot? Could you describe it?


(Dominik) #18

I was testing it about a year ago, but now I took a quick look at their homepage and they are saying/writing this:

I can test this today, but later this evening, and can tell you what they have


(Dominik) #19

Ok, I have had a quick look at Zentyal. What they have:

  • roaming profiles
  • user quota
  • organisation units
  • list of computers joined to AD

but I was mistaken about GPO’s - they use RSAT :wink:


(Jeroen Visser) #20

You will want a virtual or physical windoze anyway. How else will you test, evacuate that user again?