Samba4 AD, DNS and DHCP on Nethserver

Tags: dc, dns, v7

(Juan Carlos Fernandez) #1

NethServer Version: 7.4.1708
Module: nethserver-dc

So I’m testing the nethserver-dc module. I created a VM with Win7, installed RSAT, joined the domain and tried opening DNS from my VM’s RSAT, but I couldn’t connect to the service. I did some digging and it turns out that one must have a certain version of RSAT in order to remotely connect to each Windows Server. I assumed this would also apply to Samba4, so I created a VM with Win10, installed RSAT, joined the domain and got a DNS error due to my Win7 and Win10 VMs using the same IP. When I rebooted my Win10 VM and remotely connected to the DC DNS, I saw in the Forward Zone the name of the Win7 VM (the first one I joined). Looks like the DC doesn’t update the A record.


(Juan Carlos Fernandez) #2

It seems this behavior was related to not having all permissions on the account I was using to remotely connect to the DC DNS (I created the account using the web interface). Using the administrator account I was able to use all the RSAT tools. I deleted the account I had created on the web interface and recreated it as a copy of administrator using RSAT.

As a suggestion, could it be possible to add the copy account feature to the web interface?

Also, does someone already have a production server using Samba4 AD, DNS and DHCP? I want to know if there are any issues I should be aware of.


(Jeroen Visser) #3

I am running a production server with Samba4 AD and of course DNS, but DHCP is not and will not be run on that server. I will likely use the firewall for that.

There is some confusion due to how the Samba container is used. Under AD rules, the AD server has to be DNS server as well. Not setting the IP of the Samba container as DNS for the clients, or using the DNS page on Nethserver to add DNS entries will yield loads of confusion.

When using Samba AD, do NOT use the DNS page on the Nethserver.
Instead, use the Microsoft Management Console and its DNS snap-in to connect to the Samba container from a domain-joined machine with an account that is a member of the Domain Admins group, and you should be able to administer it as normal.

We are a 15-person company with under 100 customers, and we have all accounts in the AD; it works as a full-fledged AD replacement if you ask me, barring roaming profiles, but I swear to HHTFSM that I will get that to work…

ACLs are POSIX, which sucks a bit, but is doable for most practical purposes, and shares should be banned anyway… get Alfresco Share Community and have them versioned and better stored, or see what any regular ownCloud installation can do for you. Shares should be a dying race, used only for specific purposes that need them for some odd reason, if you ask me.
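The checks a practitioner would run before opening the DNS snap-in against a Samba DC, written up as an added example (not code from the thread or from the NethServer project): it runs on a domain-joined Windows client with RSAT, confirms the client actually uses the Samba DC for DNS, compares the host’s own A record with its address, lists A records that share one IP (the stale-record situation from the first post), and checks Domain Admins membership (the cause found in the second post). The DC name and zone are assumed placeholders; that dnscmd enumeration works against Samba’s DNS RPC server is an assumption based on the MMC snap-in using the same RPC interface.

```powershell
# Added example: pre-flight checks for administering Samba AD DNS from a domain-joined
# Windows client with RSAT. Names below are assumptions; replace them with your own.
param(
    [string]$Dc   = 'nsdc-dc.ad.example.com',   # assumed FQDN of the Samba AD DC
    [string]$Zone = 'ad.example.com'            # assumed AD DNS zone
)

# 1. The client must use the Samba DC as its DNS server, not the NethServer host's resolver.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
$dcIp = (Resolve-DnsName -Name $Dc -Type A -ErrorAction Stop).IPAddress | Select-Object -First 1
if ($dnsServers -notcontains $dcIp) {
    Write-Warning "Client DNS servers ($($dnsServers -join ', ')) do not include the DC ($dcIp)."
}

# 2. Does this host's own A record on the DC match its current address?
$me   = "$env:COMPUTERNAME.$Zone"
$myIp = (Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
$rec  = Resolve-DnsName -Name $me -Type A -Server $dcIp -ErrorAction SilentlyContinue
if (-not $rec) {
    Write-Warning "No A record for $me on $Dc; re-registering (same as 'ipconfig /registerdns')."
    Register-DnsClient
} else {
    $match = $rec.IPAddress | Where-Object { $myIp -contains $_ }
    if (-not $match) {
        Write-Warning "Stale A record: $me -> $($rec.IPAddress -join ', '), host is $($myIp -join ', ')."
    }
}

# 3. Which names share one address? dnsmgmt.msc and dnscmd talk to the same DNS RPC
# interface, so dnscmd can enumerate the zone (assumed to work against Samba).
# Output lines look like:  win7  [Aging:3604849] 1200 A 192.168.1.50
$dups = dnscmd $Dc /EnumRecords $Zone '@' /Type A /Continue |
    ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(?:\[Aging:\d+\]\s+)?\d+\s+A\s+(\S+)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; IP = $Matches[2] }
        }
    } | Group-Object IP | Where-Object Count -gt 1
foreach ($g in $dups) {
    Write-Warning "Address $($g.Name) is claimed by: $($g.Group.Name -join ', ')"
}

# 4. The DNS snap-in needs a Domain Admins member; an account made elsewhere may lack the rights.
if (-not ((whoami /groups) -match 'Domain Admins')) {
    Write-Warning "$env:USERNAME is not in Domain Admins; the DNS snap-in will refuse the connection."
}
```

Run it in an elevated PowerShell on the client before launching dnsmgmt.msc. A stale record that names an old machine at your address is the case from the first post: AD’s secure dynamic update only lets the machine account that created a record overwrite it, so a second machine at the same IP registers its own name and the old one lingers until scavenging or a manual delete from the snap-in.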


(Juan Carlos Fernandez) #4

@planet_jeroen thanks for the reply, though I didn’t get what you mean by this:

full-fledged AD replacement -> I assume that Samba AD supplies all your company’s needs for this service

I swear to HHTFSM -> ???

Also, my company’s end users use shares a lot (I haven’t found a way to convince them not to), so maybe I will use a Win2012R2 for the time being.


(Jeroen Visser) #5

For basic sharing, NethServer could be used, as long as you do not require Windows-like ACLs. POSIX doesn’t give you much more than read, write, no access. This works, but not for scenarios where users can place files but not edit them afterwards. This is not possible in an intuitive way in POSIX.

Shares work fine, with basic rights.

HHTFSM: His Holiness the Flying Spaghetti Monster :wink:

And yes, our Samba AD meets our needs, with a few minor changes here and there, like aforementioned user-rights.