OpenWrt as AD controller

Hello,
since OpenWRT supports samba - i have an idea. Can an OpenWRT act as domain controller ?
Inclusive updates to dnsmasq to cover the domain controller.
Is there a GUI to manage the domain ?

regards

This looks like a bad idea.
Deploying and supporting a Samba AD DC on a home network is overkill.
And in case of a business/enterprise, it won't be reliable and secure enough.

You never want a MS master service as important as AD running as a compatoble/emulation service but as a native MS service. This service is way too important to run in emulation mode, if running for actual business needs. If its just to fool around, maybe.

However, it is very unwise to run such a service on an Internet facing computer/device, you should always hide behind the front line, in the event the front line is under attack, compromised or rendered disfunctionnal, the front line can be taken offline and the LAN is still functional, the AD being still on active duty fullfilling its job. Furthmore, Samba is a “prized” service for active attack on a front line device, far from secturity “best practice”.

I suggest you read this page on gardening you router :
Hardening your OpenWrt device
Notice at the end of page the 4 high-value targets, Samba being one of them.

Just a thought...

I replied to the topic, I meant to reply to you...

Sure - don't want it to run on an devce running as internet-router.

To be running on an retired router, but acting as simple device. No routing involved. As used devices they could be bought for cheap. A second as fallback could be obtained also.

I have no idea how much space/memory is required.

This idea comes to me as NAS (QNAP/Synology) also provides a DC/LDAP service. Why OpenWRT could not do the same ?

I actually have added "experimental" AD-DC support to my samba4 package for a while, but since its too niche and takes more test time per update, i do not build it by default or have luci-ui for the DC stuff.
So you need to build it as a custom package separately or build it directly into your custom firmware and enable the AD-DC option in the samba4 package via "make menuconfig".
The custom package can also be build via my docker based package-builder.
Its been a while since i got feedback or tested myself, so you need to follow the samba AD-DC setup guide.

Yet all components and files should be available for a manual setup and the actual proc/init script should support it too, via starting the "samba" meta-service if found, instead of just the file-server (smbd).

PS: If something is missing/broken report back and i can try add the missing parts.

1 Like

That's some "questionable" remark, since securing a windows server edition running native AD-DC is as error prone as setting up samba4 + internal or external krb5/heimdal. Each setup has pro/cons, so as example using something like CentOS and a well maintained docker/Kubernetes image, is much easier to update/maintain than a native Windows Server, while also being harder to setup initially. So everyone should use whatever fits there needs and knowledge level.

PS: Just to clarify, yes i also would advice to invest in a full server license and run native Microsoft AD-DC on it for your business, but that's mainly because i rarely seen a company admin that has the relevant Linux credential to correctly/securely setup this stuff for a mid-sizes company. I suspect that has to-do with the MS courses and certificates you usually get paid by your company to acquire the knowledge.

1 Like

Where I come from is from the 80’s trough early 2000’s, where MS or any other company for that matter would rapidly evolve their technologies and emulation/compatible software was alway in serious catchup mode with serious compatibility/issues/caveats/dealbreakers that would refrain mass adoption, therefore the Master Player, be it MS, Novell, 3COM, AT&T, etc, to name a few, was the only “ sensible” choice in the corporate world.

However, most server technology has now evolved where you choose your brand/vendor/devellopers and live with that choice, This applies to SQL, Mail, File Share and other business critical services now well documented and well served through these choices as most are now public domain technologies and well supported as “choices”.

However, unless I am mistaken, MS AD-DC technology is not yet in the public domain, as such any major change from MS in their AD-DC technology would cause serious catchup/issues with compatible/emulation solutions. Maybe I am wrong here, but this is MS stronghold technology and that why there is so much support from the Certification Industry. Making a “choice” to go emulation/compatible/open source might a fatal career choice in the event of a serious business outage.

In the Mainframe age, nobody got fired for buying IBM.
In today’s age, nobody gets fired for buying MS.

Your still recommending MS makes my point all the more...

My “questionable” comment generated other comments as yours, so I guess I’m a positive contributor and so are you...

I appreciate the chalenge though !

1 Like

Note that flash memory resource exhaustion can become an issue since the Samba AD DC database is usually quite actively modified in a production environment.
In addition, the lack of hardware resources may significantly impact performance.

1 Like

But i also gave context on why that's the case, which has nothing to-do with bad or in-stable implementation on sambas side. I just have anecdotal evidence that samba4 ad-dc works reasonably well and is fully production ready for at least 8+ years.
The main reason is that for a mid sizes company there are not many incentive's to switch or use none MS, most have not even cached-up to the cloud let alone container or native-cloud-services platforms. So the license cost + maintenance is seen as "doing business" and only hardcore linux admins will push for a MS alternative.

Back to the OP, there is nothing wrong to tinker with samba's-4 AD-DC, but you are kinda on your own, since i ever got like 3 persons requesting this feature and one seems to successfully use it for a while.

1 Like

I don’t want to keep arguing until one of us gives up...

No sane person should bet their career on Samba AD-DC, period.

You’re making the point yourself :

I would’n bet my career on “anectotal evidence”, but that’s me...

As I said earlier :

Sounds very much like “tinker” to me...

Enough said, I think you made your point quite clear that my comment was not “questionable” but quite reasonable in the context, as you back it up with numerous affirmations of your own...

1 Like

The intended use is for a small association with some tenths of members - not for business. So i expect not much traffic go to the DC. But i may be wrong.

To what i've read here the quintessence is not to continue this idea due to memory exhaustion and the duration of the flash memory.

So instead i could go for a small box in the Intel NUC class. Getting a nice management WEB-GUI would be a bonus. Mostly on Users/Groups management.
I found a lot of guides for managing samba via command line, but GUIs seems to be very rare.

Paying several hundred euros for a MS Server license is not an option for us.

Thanks for contributing and giving some insights.

1 Like

It should be feasible on a suitable container/VM/hardware platform.
I've been using Samba AD DC for several years on my previous work.
My experience is mostly positive, but it requires quite some skill to manage properly.

You can perform most management tasks from a Windows client using the Remote Server Administration Tools.

1 Like