Howto install NethServer as Samba AD domain controller v0.2

Maybe this could serve you

3 Likes

I, too, would like to know if this setup is compatible with RSAT and which tools are working properly - e.g. DNS, DHCP, ADUC, GPO, etc.

Also, can Windows computers connect as domain members without issue?

What about domain trusts, specifically NethServer Samba AD DC <-> FreeIPA? On the same subnet / network segment, or separate subnets?

Thanks for the writeup!

Unless you have a really specific scenario that I have not encountered, yes to all of the above.

You will have a bit of extra work setting up the DNS correctly according to MS standards, but that can be done using the appropriate snap-in.
Trusts should work; I have never tested it. Samba documentation states they should work, though, and since Samba is running in a very default mode in a container, that should pose little issue.

Subnets have no influence on trusts. If there is a route from a to b, they will work.

For specific questions about how compatible it is, the SAMBA project page is the best resource. For implementation specifics on NethServer, NethServer is the best source.

Let me know if this answered your questions, and feel free to add to them :stuck_out_tongue:

1 Like

Thank you, yes that is very helpful!

I think the thing that has been hardest for me to figure out about integrating FreeIPA with AD is the suggestion that they be on separate subnets, so I think that will require Zebra/Quagga/RIP or something similar that can handle a next-hop situation (I guess standard Linux routing could suffice).

Right now I’m just using WS 2012R2 which still has the Unix Attributes for managing Linux/FreeBSD/Solarish clients on AD, all networking on a single /24 subnet, but from what I understand 2012 is going to stop getting updates in 2020, so not a viable long-term solution… was thinking FreeIPA looked pretty nice specifically for *NIX clients. Do you have any experience with it?

Also, Samba will continue getting updates and is functionally compatible with WS 2008R2 so that suggests that it should be compatible with Unix Attributes/IDMU and NIS, so I suppose I could just move to Samba once Microsoft stops supporting WS 2012…

…as long as you are aware it is a suggestion, and usually these are aimed at the larger corporations that have different VLANs active anyway, and where positioning is a strategic choice.
If you don't currently have them, you can do without, and in the meantime get some experience and search for a reason to use VLANs in the future :wink:

Not yet, but you prompted me to spend longer than intended on their webpage, and it looks like I want to give that a spin as well. Thanks!

The main issue will be not having an Exchange mail server, if that is what you are running now. If you have a cloud-based version or use something else entirely, there won't be many issues. People used to Exchange will make all kinds of noises when their agendas start behaving differently :laughing:

Nope, no Exchange here so not encumbered by that mess… just need something for authenticating and dealing with users on a mix of Windows and *NIX boxes. Not really a big deal, but having software meant specifically for managing each one has always appealed to me more than the one-size-fits-all AD used to try to be but gave up on in Windows 2016.

I’m surprised Nethserver doesn’t have FreeIPA, it’s a Red Hat development and it seems like they’re pretty geared toward carrying Red Hat stuff, being on CentOS and all.

I have pfsense that is issuing my dhcp addresses and I know it runs unbound, but I am wondering if I switch from unbound to bind can it share records between the 2 or how would I setup my AD dns so it knows to look at pfsense for dns outside of AD?

I can ping stuff outside of my network by name, but I can't ping stuff inside unless they reside in AD DNS, which I guess I can create records for. I wonder, if I create a host record for my pfSense, whether that will help in setting up a forwarder, because I get a validation error.

If you use NethServer as DNS for your clients (the server DNS service, not the Samba4 DNS of the NSDC) you can add records to DNS through the server manager interface. Then clients on your LAN will resolve those records…

2 Likes

Thanks, I guess I didn't realize that Samba was using its own DNS and not any of the existing records.

A little late to the party here, but in your setup you only have one NIC ( IP 10.0.2.5 ), yet you made the AD 10.0.2.6.

How does this work ?

@uncle_numpty This is how the implementation of Samba4 Active Directory works. The Samba4 domain controller is created in a Linux container and has another IP address on the same green subnet as the NethServer instance. The interface is bridged.
In this howto NethServer is configured with 1 interface as it does not perform the gateway function.

1 Like

If possible, wouldn't a "how to" on backup & restore of the container of the Samba4 domain controller be nice?

Edit. In fact, I'm searching for the best strategies to backup/restore a NethServer VM… Just to feel safe if possible. Busy searching, without success I'm afraid. :sweat:

Thanks for the clarification - makes sense now.

Hi all,

Can you add somewhere on the page that if you use a Virtual Machine, you have to enable PROMISCUOUS MODE on the NICs as stated here: http://docs.nethserver.org/en/v7/accounts.html#installing-on-a-virtual-machine

Michel-André


On the other hand, I have a concern about defining my AD as a public FQDN such as my.domain.com; I would recommend something more like my.domain.local, unless the IP of your AD is really exposed to the Internet. More so with Windows, but I had a lot of issues in the past with this kind of configuration.

@michelandre

This is probably a specific case (such as with ESX and ESXi) because with Proxmox I don’t have to do anything.

The best practice for the FQDN of your Active Directory is to use a subdomain of your external domain that is not used externally. Names ending in .local or .lan are not recommended (according to MS Technet).
Here is a clear explanation: https://www.varonis.com/blog/active-directory-domain-naming-best-practices/

Naming conventions for users and computers in AD: https://support.microsoft.com/en-gb/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

5 Likes

For my instance I changed the bash script to:

#!/bin/bash
# Copy the Let's Encrypt key and certificate into the nsdc container's Samba TLS directory
cp -f /etc/letsencrypt/live/(your site here)/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
cp -f /etc/letsencrypt/live/(your site here)/cert.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
# Private key readable by root only; certificate may be world-readable
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem

1 Like

If you want to force an overwrite you may need to use \cp instead of cp -f, like:

\cp /etc/letsencrypt/live/(your site here)/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem

1 Like

I wanted to revisit and update this solution as I began to have problems with my nsdc and a "peer cert untrusted or revoked" error, as well as give some guidance on troubleshooting.

First, the error: to get the error I had to run ldapsearch from the environment that was attempting to connect to the AD server, with the -d 1 parameter:
ldapsearch -x -H ldaps://nsdc-HOST.DOMAIN.TLD:636 -b "dc=DOMAIN,dc=TLD" -D ldapservice@DOMAIN.TLD -w SECRETPASSWORD -v -d 1

Then, using these commandlets which I stole from:
https://www.ibm.com/support/pages/how-test-ca-certificate-and-ldap-connection-over-ssltls

openssl s_client -showcerts -verify 5 -connect nsdc-HOST.DOMAIN.TLD:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="nsdc-cert"a".pem"; print >out}'
and
for cert in *.pem; do openssl verify -show_chain "$cert" ; done
I was able to see that the server that lost the ability to authenticate over LDAP wasn't able to validate the NSDC certificate.

The solution for me was to change the source of the cert.pem in the /etc/e-smith/events/certificate-update/nsdc-cert we built following this guide to match the below:

#!/bin/bash
# Copy the Let's Encrypt key into the nsdc container's Samba TLS directory
cp -f /etc/letsencrypt/live/(your site here)/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
# Use fullchain.pem (leaf + intermediate) instead of cert.pem so clients can build the chain
cp -f /etc/letsencrypt/live/(your site here)/fullchain.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
# Private key readable by root only; certificate may be world-readable
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem

Then I stopped and started the NSDC service via the GUI. I hope this helps the next sentient being that is stuck. :slight_smile:

2 Likes
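Pulling together the two certificate-update scripts in this thread and the chain-validation troubleshooting above, here is an added example (not the thread's own script, and not NethServer's) of the same install step with the checks a practitioner would want before overwriting the container's TLS material: it refuses to install when the private key does not match the certificate, writes temporaries and renames them so Samba never reads a half-written file, and warns when cert.pem holds only a single certificate, which is exactly the situation in which a client lacking the intermediate CA fails to validate the NSDC certificate. The source and destination directories are arguments; the paths in the comments are the ones quoted in the thread, and the nsdc service name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer: install Let's Encrypt
# material into the nsdc container's Samba TLS directory with sanity checks.
# Assumed layout (paths quoted in the thread): SRC is /etc/letsencrypt/live/<site>
# and DEST is /var/lib/machines/nsdc/var/lib/samba/private/tls. Both are passed
# as arguments so the functions can be exercised against any directory.

# Succeed only if the private key and the first certificate in the file carry
# the same public key (both exported as SubjectPublicKeyInfo PEM and compared).
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Number of PEM certificates in a file: fullchain.pem yields leaf + issuer(s),
# cert.pem yields exactly one, which is what broke chain validation above.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# install_samba_tls SRC DEST
# Copies privkey.pem -> key.pem (0600) and fullchain.pem -> cert.pem (0644).
# Return codes: 0 ok, 1 missing input, 2 key/cert mismatch, 3 copy failure.
install_samba_tls() {
  src="$1"; dest="$2"
  if [ ! -f "$src/privkey.pem" ] || [ ! -f "$src/fullchain.pem" ]; then
    echo "install_samba_tls: privkey.pem or fullchain.pem missing in $src" >&2
    return 1
  fi
  if ! key_matches_cert "$src/privkey.pem" "$src/fullchain.pem"; then
    echo "install_samba_tls: private key does not match certificate, not installing" >&2
    return 2
  fi
  mkdir -p "$dest" || return 3
  # Write to temporaries, fix permissions, then rename into place atomically.
  cp "$src/privkey.pem" "$dest/key.pem.tmp" && chmod 600 "$dest/key.pem.tmp" || return 3
  cp "$src/fullchain.pem" "$dest/cert.pem.tmp" && chmod 644 "$dest/cert.pem.tmp" || return 3
  mv -f "$dest/key.pem.tmp" "$dest/key.pem" && mv -f "$dest/cert.pem.tmp" "$dest/cert.pem" || return 3
  if [ "$(cert_count "$dest/cert.pem")" -lt 2 ]; then
    echo "install_samba_tls: warning, cert.pem holds a single certificate; clients without the intermediate CA will fail to validate" >&2
  fi
  return 0
}

# Stand-alone use with the thread's paths (<site> is a placeholder; the nsdc
# service name is assumed, restart it however your NethServer release expects):
#   install_samba_tls /etc/letsencrypt/live/<site> /var/lib/machines/nsdc/var/lib/samba/private/tls \
#     && systemctl restart nsdc
```

Running the mismatch check before touching the destination matters because Samba reads key.pem and cert.pem only when the service starts: a key/cert pair that does not belong together would be discovered at the next restart, at which point LDAPS is already down.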