NS 7 development status

Since someone already asked, I would like to share how NS 7 development is going.

We are focusing on one main aspect: replace the current user management layer with SSSD.
What does it mean? It means that we are trying to create a flexible system which can support authentication and authorization on both OpenLDAP and AD (as Samba 4 or even a real Windows machine).

As you can imagine, this is a huge change at many levels, from the e-smith layer to the web interface.

At the moment this work is not tracked using issues, since we are experimenting and trying many paths.
But you can follow the progress by looking at the v7 branch of all core packages.

We are focusing on the following parts:

  • SSSD/pam/nss configuration for Samba 4 (see http://wiki.nethserver.org/doku.php?id=samba_dc for a working prototype)
  • SSSD/pam/nss configuration for OpenLDAP
  • Password policies on both backends
  • Backup of the Samba 4 container
  • Password expiration notification on both backends
  • Dovecot configuration for SSSD
  • New NethServer library for LDAP and user handling

Next steps? Here you are (in random order):

  • SSSD + ejabberd
  • SSSD + webtop
  • SSSD + sogo
  • SSSD + httpd
  • SSSD + samba (only with guest user access)
  • SSSD + hylafax
  • SSSD + libvirt
  • SSSD + ipsec
  • SSSD + openvpn
  • SSSD + squid
  • SSSD + squidguard
  • SSSD + vsftpd
  • SSSD + lightsquid
  • SSSD + openssh
  • SSSD + ocsinventory
  • SSSD + roundcube
  • SSSD + backup

When will this be released?

We have no idea, since there isn’t much documentation nor expertise out there. But I will try to keep you posted any time we reach a new goal! :wink:

9 Likes

Just some news on NS 7 development.

We have a working prototype which can handle authentication and authorization both on OpenLDAP and Samba 4 (or Windows AD) with custom password policies.

What is working with SSSD/OpenLDAP/AD authentication:

  • backup for Samba 4
  • password policies
  • ejabberd
  • webtop
  • hylafax
  • libvirt
  • openvpn
  • squid (LDAP and NTLM)
  • squidguard
  • vsftpd
  • openssh (of course!)

What will (probably) work with some effort:

  • sogo
  • samba
  • GSSAPI on squid
  • ocsinventory
  • roundcube

Caveats
L2TP will be temporarily discontinued since we can’t authenticate users: the current implementation uses NT password hashes which are now discontinued.
Probably we will have a new implementation where L2TP users will be separated from system accounts.

The mail server has been completely rewritten with some new features like:

  • new interfaces for IMAP shared folder creation
  • custom distribution lists
  • root user as master user

Also, the admin user is dead, long live the root user!

If NS is running as Samba AD primary domain controller, you will not be able to change the server domain name after the first configuration.

What we are focusing on starting from today:

  • everything listed in “what will (probably) work”
  • under the hood API to manage users, groups and passwords on both backends

5 Likes

I verified samba ibays in the past. Obviously they work only inside AD domain, both GSSAPI and PAM auth.

Also we can add dovecot and postfix (mail) to the list :wink:

3 Likes

That will be very important for me. I don’t like to install additional software for VPN, so I was happy that NethServer can handle this. This was one of several reasons why I use NethServer. So please don’t discontinue the L2TP support. Whether it is a system user or separate L2TP users doesn’t matter to me.

@Hunv, you automatically qualify as tester for the new L2TP implementation. :slight_smile:

Sure, when it’s ready to test, I can do it.

1 Like

Is there a formal target release date for a Beta version of NS7? I’m stuck right now with 6.7 and based on its features, I can’t deploy it. Compared to what I have, 6.7 is worthless. With over 800 users, I need full AD integration (importing, email, etc.). 7 sounds like the answer.

Hi Chris,
I think that you are expecting NS 7 to be something like the old NT-style Backup DC?
Integration with AD, as stated by M$, is: a member of the domain can use any resource in the AD tree… Not replicate the AD tree…

Also, importing the LDAP will mean that you will need to have them in sync. Meaning that more than one DC is active in your organisation (I’m guessing correct here?)

Integration is possible. Domain takeover not yet, unless you completely remove the AD server and let NS control the domain.
I suggest to plan and think about what exactly you want to achieve before making any modifications to your setup.

I think that maybe it is better to write here what exactly you intend to do so we can all chip in with suggestions.

BR
Bogdan

Thanks for the quick reply. I have three AD Windows servers. I don’t want NS to do anything with AD except be a member machine.

I just want to use NS for email and owncloud. That’s it. Nothing else. Pretty easy implementation but it is proving very difficult to get it working. I will manage all my users in Windows AD.

If you will use AD, the right tools to manage users will be the M$ consoles. There is not yet a substitute for that in NS.
NS being a domain member can be used with success as a mail server for the AD users (it will not keep the AD replicated but it will query the main server for each user).

While this sounds good here in the forums, I am not seeing any success with NS as an email server. Thought NS7 would help solve that.

I think that Samba 4 will meet the expectations and NS will have full integration to AD domain :slight_smile:

1 Like