
[RT-AC66U] [380.62] Samba as PDC Possible?

Digital Noise

Occasional Visitor
Greetings,

I tried searching existing threads in this forum to see if someone has already answered this question, but I didn't find anything specific - so I do apologize if this is a repeat.

Is it possible to run Samba as a Primary Domain Controller on an RT-AC66U running the Asuswrt-Merlin firmware? I'm running the just-released 380.62.

I've already got a USB disk installed + Entware NG, with the swap mounted on the USB. I've got one custom script that's running - and works beautifully - so far.

All I want to accomplish with a Samba-based PDC is user/password consistency on all domain-joined machines and to ease the headache of fileshare access between the domain-joined machines. No GPO's (such as they are with Samba), etc.

Does the included Samba with Merlin support what I'm looking to do, or would I need to install the samba36-server package from the EntwareNG repo?
 
All I want to accomplish with a Samba-based PDC is user/password consistency on all domain-joined machines and to ease the headache of fileshare access between the domain-joined machines. No GPO's (such as they are with Samba), etc.

Are you trying to replace or just join a domain controller?
 
Are you trying to replace or just join a domain controller?

I don't have one currently, and I want to put one in place - the number of devices we have keeps growing; I want to enable user consistency among all of them without using Microsoft Accounts.

Since the router is on 24/7, it seems like the logical place - if at all possible - to put the PDC; all of the other machines are set to sleep after inactivity due to heating and electric costs.
 
Fair amount of how-to's here
From the first line.....
Since version 4.0, Samba can, additionally to a NT4 PDC, act as a Domain Controller that is compatible with Microsoft Active Directory.

Router is version 3.6
 
Remember that a DC pretty much is Win*** pro/enterprise versions...

Workgroups are much easier to deal with - and easier to implement inside a small footprint Samba server...

For example - this is relatively secure from a Samba perspective...

Code:
[global]
# uncomment the line below for better performance on some platforms
# on gigabit ethernet, with an untuned kernel we're seeing about 115MB/Sec on large files
# socket options = TCP_NODELAY
workgroup = WORKGROUP
netbios name = TESTBOX
security = user
hosts allow = 192.168.1.0/24
restrict anonymous = 2

[share]
comment = Home File Server
path = /var/share
force user = fileserver901
force group = fileserver901
read only = no
browsable = yes
create mask = 0755

[media]
comment = Home Media Server
path = /var/media
force user = fileserver901
force group = fileserver901
read only = no
browsable = yes
create mask = 0755

And then just create SMBUsers...

Code:
sudo useradd alice
sudo smbpasswd -a alice
sudo useradd bob
sudo smbpasswd -a bob

Don't really need a PDC on a home network... and this solution is more secure than what most big-honking routers offer, and easier to maintain...
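
An added example, not part of the original post: a small Python check that parses an smb.conf and flags departures from the settings the configuration above relies on (`security = user`, a `hosts allow` restriction, `restrict anonymous = 2`), plus any share with `guest ok` enabled. The `[scratch]` share and the function names are hypothetical, constructed for illustration.

```python
import re

# Constructed sample: trimmed [global] and [share] sections from the post above,
# plus a hypothetical [scratch] share with guest access to produce a finding.
SAMPLE = """\
[global]
# socket options = TCP_NODELAY
workgroup = WORKGROUP
security = user
hosts allow = 192.168.1.0/24
restrict anonymous = 2

[share]
path = /var/share
force user = fileserver901

[scratch]
guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, inner spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comments start with # or ;
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Flag settings that are not explicitly set the way the post's config sets them."""
    findings, g = [], conf.get("global", {})
    if g.get("security", "").lower() != "user":
        findings.append("global: security is not explicitly 'user'")
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow' restriction")
    if g.get("restrict anonymous") != "2":
        findings.append("global: restrict anonymous is not 2")
    for name, params in conf.items():
        if params.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"{name}: guest access enabled")
    return findings
```

Running `audit(parse_smb_conf(SAMPLE))` reports only the constructed `[scratch]` share; the sections taken from the post pass.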
 
I wrote this up a while back - here's the article in full context...

Enjoy...
 

Attachments

  • samba_server.pdf
    24.9 KB · Views: 456
Remember that the router is predominantly a single-user device. As such it is missing commands such as sudo, useradd and passwd. That makes user administration a bit cumbersome.
 
Remember that a DC pretty much is Win*** pro/enterprise versions...

Yes, all of my machines run at least Pro.

Workgroups are much easier to deal with - and easier to implement inside a small footprint Samba server...

Indeed, but that doesn't achieve the primary goal - consistent users across all machines, etc. All that achieves is sharing files from the Samba host, which is not the issue I'm running into.
 
Remember that the router is predominantly a single-user device. As such it is missing commands such as sudo, useradd and passwd. That makes user administration a bit cumbersome.

Remember, routers are routers, and shouldn't be servers... but with a bit of effort they can...

But $35 spent on a RPi3 is a good investment...
 
Indeed, but that doesn't achieve the primary goal - consistent users across all machines, etc. All that achieves is sharing files from the Samba host, which is not the issue I'm running into.

Well then, a PDC is not what you need then - you need a RADIUS perhaps - and then that makes things even more interesting... and complicated.

Sure you want to go down this particular rat-hole? Is this a "need" or a "want" - needs are easy to address, but wants are not all that important...
 
Well then, a PDC is not what you need then - you need a RADIUS perhaps - and then that makes things even more interesting... and complicated.

Sure you want to go down this particular rat-hole? Is this a "need" or a "want" - needs are easy to address, but wants are not all that important...
You can run a Radius server from a Synology if you have one.
 
Well then, a PDC is not what you need then - you need a RADIUS perhaps - and then that makes things even more interesting... and complicated.

Sure you want to go down this particular rat-hole? Is this a "need" or a "want" - needs are easy to address, but wants are not all that important...

No, RADIUS isn't what I need. I need a solution that unifies users across all Microsoft systems on a network - that would be Active Directory, unless I use Microsoft Accounts, which I strongly refuse to use for a great number of reasons.

As a side effect of having a Domain, it is much easier to unify windows share permissions across all machines.

As noted, Samba 4 has the capability of serving as the Primary Domain Controller, which would serve to authenticate all users on all domain-joined machines. However, Samba 4 isn't able to run on the RT-AC66U, and that's fine - the whole point of my question was to determine if it was possible or not.

I have no need for, nor do I want, any remote access to my home network.
 
Keep in mind that Windows Home edition cannot join domains, at least not without a little bit of extra "effort"...
 
Again - it's pretty straightforward to set up Samba as a PDC, at least on a full featured Linux distro - the key thing is the config files, along with Kerberos for the authentication side - and that is where you might run into trouble unless there is something in the entware package tree...

http://www.thegeekstuff.com/2014/03/samba-as-pdc
 
