On 4/8/24 09:15, Michael Tokarev wrote:
How would you join a computer without the main samba component to a domain, and how
would you process group policy in this case?

/mjt

The net command in samba-common-bin, specifically: `/usr/bin/net ads join`, allows joining the domain without having the main samba package installed.


sssd-ad with its ad_update_samba_machine_account_password flag set to true in its config will keep the machine creds up-to-date without the main samba package installed.


samba-gpupdate handles downloading and managing group policies on the domain member, just like the gpupdate utility under Windows.

samba-gpupdate is just a python script. Its dependencies are in python3-samba, which samba-common-bin already depends on. That script is invoked either by winbind, by the alternative for sssd systems (not packaged in Debian), oddjob-gpupdate (https://github.com/altlinux/oddjob-gpupdate), or manually by the system admin. (The script takes arguments similar to the Windows utility.)


Personally, I have samba-gpupdate invoked as an hourly cron job, which is pushed out to the client machines via Samba's crontab group policy extension. (So after the initial join, I have to invoke samba-gpupdate myself once, but after that, cron is configured automatically to call it based on the policy that was pulled.) Of course, this will break if the host gets put into an OU in the domain that removes the cronjob, but that can be fixed by calling samba-gpupdate again after fixing the policy on the domain side. (And can even be triggered via a script calling ssh.)
