What is the nsdc?

v7
activedirectory

(Derek Blechinger) #1

What is the exact relationship between the NethServer install and the nsdc? Is the nsdc a container? VM? Docker image? When pointing to a Domain Controller should I be asking for AD DC services from the NethServer IP or the nsdc?

I assume the DNSMasq DNS running on NethServer should essentially be ignored when using the nsdc. Correct?

Also: What DNS solution is the nsdc using? BIND9? If so: is the nsdc’s bind instance using the DLZ module?

Thanks!


(Marc) #2

nsdc is a systemd-nspawn container. There’s some more info in the developers manual.


(Rob Bosch) #3

To explain in non tech terms: The NSDC is the NethServer way to implement a Samba4 Active Directory account provider. In the past we had lengthy discussions about this.
The reason for this implementation is that Samba4 natively supports Heimdal Kerberos. CentOS/RH supports MIT Kerberos natively.
In order to keep development for Heimdal Kerberos on CentOS as limited as possible, it was decided to use a default Linux container that supports Heimdal Kerberos and is able to run Samba4 natively.
So our Samba4 implementation needed a separate container with a separate IP address on the same subnet of one of the green interfaces of your NethServer install.


(Derek Blechinger) #4

Neat. Thank you both for the info and for linking documentation. :slightly_smiling_face:

I assume the DNSMasq DNS running on NethServer should essentially be ignored when using the nsdc. Correct?

What DNS solution is the nsdc using? BIND9? If so: is the nsdc’s bind instance using the DLZ module?

Is there a way to change how the nsdc gets named? Will the name always be nsdc-nethServerHostname?


(Davide Principi) #5

Yes and no. It depends on what you want to achieve. In my small LAN for instance PCs (mostly Linux) point to dnsmasq because it runs as DHCP server and provides the reverse zone.

The built-in samba DNS service.

Nobody asked it before, but there surely exists one! Probably the easiest path is creating some e-smith custom templates.


(Rob Bosch) #6

Amazing nobody did… Biggest pitfall in naming convention is the 15 character limit for (NetBIOS) hostnames. And adding nsdc- takes 5 of them. So, the NethServer that will host nsdc can have a max of 10 character hostname.
@davidep: since NetBIOS is a very old protocol, couldn’t we do without it? Or are there still situations and/or applications that depend on NetBIOS name resolution?


(Derek Blechinger) #7

I still adhere to the NetBIOS limit in any environment I’m architecting. M$ claims they fully support 16+ characters in their newer operating systems but, as pointed out by icky3000 in their comment, there are still some issues/buggy behavior when using names longer than the NetBIOS (at least in my experience).

I’d like to be able to manually name the nsdc in order to comply with an agreed/mandated naming scheme. The main drive for my using NS is its utility in easily standing up an AD environment without the need for Microsoft licensing. NS itself isn’t really the Domain Controller though. The nsdc is! :slight_smile: That made us break a bit with the standardized naming scheme.

I can live without being able to change the name. It would be a very handsome (and useful!) feature though.

Just my two cents. Hope it’s helpful!


(Markus Neuberger) #8

I had to replace templates with custom templates; this may be a problem if the original templates get updates. Maybe it’s better to create a db prop for the nsdc hostname?

In this example the hostname of the nsdc is changed to NSADSRV.

Create the template-custom directories:

mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/hostname
mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/hosts

Create /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/hostname/10base with the following content (just one line):

nsadsrv.{lc($sssd{'Realm'})}

Create /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/hosts/10base with these 3 lines:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
{$nsdc{'IpAddress'}} nsadsrv.{lc($sssd{'Realm'})} nsadsrv

Edit /var/lib/machines/nsdc/etc/samba/smb.conf and change the netbios name:

netbios name = NSADSRV

I had to uninstall and reinstall the AD account provider. I think it’s because the wrong “nsdc-hostname” was saved in AD too.

After that a domain join from Win7 and share access worked. Don’t try on production servers…
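
Added example, not part of the thread or of NethServer: a shell check that the three places touched in post #8 (the container's etc/hostname, etc/hosts and the netbios name in smb.conf) agree, and that the name respects the 15-character NetBIOS limit from post #6. It assumes the short hostname and the netbios name are meant to be identical, as in the NSADSRV example; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify a renamed nsdc container is consistent.

# First line of etc/hostname, lowercased, whitespace stripped.
nsdc_fqdn() { head -n 1 "$1/etc/hostname" | tr 'A-Z' 'a-z' | tr -d ' \t\r'; }

# Value of "netbios name" in smb.conf, lowercased (smb.conf keys are case-insensitive).
nsdc_netbios_name() {
    tr 'A-Z' 'a-z' < "$1/etc/samba/smb.conf" |
        sed -n 's/^[[:space:]]*netbios name[[:space:]]*=[[:space:]]*//p' |
        head -n 1 | tr -d ' \t\r'
}

# Returns 0 when hostname, hosts and smb.conf agree and the name fits NetBIOS.
nsdc_check_names() {
    root=${1:-/var/lib/machines/nsdc}
    fqdn=$(nsdc_fqdn "$root"); host=${fqdn%%.*}; nb=$(nsdc_netbios_name "$root")
    [ -n "$host" ] && [ -n "$nb" ] || { echo "FAIL: name missing"; return 2; }
    rc=0
    [ "${#nb}" -le 15 ] || { echo "FAIL: '$nb' is longer than 15 characters"; rc=1; }
    [ "$host" = "$nb" ] || { echo "FAIL: hostname '$host' != netbios name '$nb'"; rc=1; }
    # A non-loopback hosts line must list both the FQDN and the short name.
    awk -v f="$fqdn" -v s="$host" '
        $1 !~ /^(#|127\.|::1$)/ {
            hf = hs = 0
            for (i = 2; i <= NF; i++) { n = tolower($i); if (n == f) hf = 1; if (n == s) hs = 1 }
            if (hf && hs) found = 1
        }
        END { exit !found }' "$root/etc/hosts" ||
        { echo "FAIL: no hosts entry for $fqdn and $host"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $nb"
    return "$rc"
}

# Run against the container root given as the first argument, if any.
if [ "$#" -gt 0 ]; then nsdc_check_names "$1"; fi
```

Run it as `sh check.sh /var/lib/machines/nsdc` after expanding the custom templates and before reinstalling the account provider; a non-zero exit status means one of the three files still carries a different name.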