09.04.2024 15:13, Patrick Hibbs wrote:
> The net command in samba-common-bin, specifically: `/usr/bin/net ads join`,
> allows joining the domain without having the main samba package installed.
Does `net ads join` need any python stuff?
> sssd-ad with its ad_update_samba_machine_account_password flag set to true in its config will keep the machine creds up-to-date without the main
> samba package installed.
> samba-gpupdate handles downloading and managing group policies on the domain
> member, just like the gpupdate utility under Windows.
> samba-gpupdate is just a python script. Its dependencies are in python3-samba, which samba-common-bin already depends on. That script is invoked
> either by winbind, the alternative for sssd systems (and not packaged in Debian) oddjob-gpupdate (https://github.com/altlinux/oddjob-gpupdate),
> or manually by the system admin. (The script takes arguments similar to the Windows utility.)
Okay, I don't know most of this.
But we came across another idea meanwhile.
How about we split out another package out of samba (and samba-common[-bin]),
named samba-ad?
The idea is to have minimal samba-common[-bin] to contain stuff absolutely
necessary for smbclient and all servers (without python deps), samba binary
package (also without python deps) being a minimal stand-alone file server,
samba-ad (depends on python and samba) being AD part of the story, and
samba-ad-dc is the, well, AD-DC part.
This way, samba-gpupdate will be part of samba-ad package, instead of
samba-common[-bin].
I don't yet know if it is doable, but at first look I think it is.
If you can help to better figure out what is what, it would be great.
Maybe samba-ad should not depend on samba though, to suit your needs
expressed in this bug report.
> Personally, I have samba-gpupdate invoked as an hourly cron job, which is pushed out to the client machines via Samba's crontab group policy
> extension. (So after the initial join, I have to invoke samba-gpupdate myself once, but after that,
> cron is configured automatically to call it based on the policy that was pulled.) Of course, this will break if the host gets put into an OU in the
> domain that removes the cronjob, but that can be fixed by recalling samba-gpupdate after fixing the policy on the domain side. (And can even be
> triggered via a script calling ssh.)
Yes, this can be done too, for sure. I'd use a systemd timer for this
stuff, and ship it disabled.
Thanks,
/mjt
--
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E
Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt
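For readers following the "systemd timer, shipped disabled" suggestion above, here is an added example of what such a unit pair could look like. It is not part of the thread or of Debian's samba packaging; it assumes samba-gpupdate is installed at /usr/sbin/samba-gpupdate and that invoking it with no arguments applies the machine policy, and the unit names and the hourly schedule are choices made for this example.

```ini
# /etc/systemd/system/samba-gpupdate.service  (example unit, not shipped by Debian)
# One-shot service that applies AD group policy to this domain member.
# Runs as root because samba-gpupdate writes system configuration (cron, sudoers, etc.).
[Unit]
Description=Apply Active Directory group policy with samba-gpupdate
# Policy is fetched from the DC over the network, so wait for the network to be up.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# Path assumed for this example; check `command -v samba-gpupdate` on your system.
ExecStart=/usr/sbin/samba-gpupdate
# Do not let a slow or unreachable DC hang the unit forever.
TimeoutStartSec=15min

# /etc/systemd/system/samba-gpupdate.timer  (example unit, not shipped by Debian)
# Hourly refresh, mirroring the cron-based setup described in the thread.
[Unit]
Description=Hourly Active Directory group policy refresh

[Timer]
OnCalendar=hourly
# Spread refreshes across the fleet so all members do not hit the DC at once.
RandomizedDelaySec=10min
# Catch up on a missed run after the machine was powered off.
Persistent=true

[Install]
WantedBy=timers.target
```

Shipping it disabled simply means the package installs the files without enabling the timer; the admin opts in after the domain join with `systemctl enable --now samba-gpupdate.timer`. Because the timer is managed by systemd rather than by a cron entry delivered through policy, moving the host to an OU that drops the crontab policy no longer stops the refresh cycle, which avoids the failure mode described in the thread.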