User domains
Access the leader node.
Uninstall the current NS8 version (all data will be lost):
```bash
bash /var/lib/nethserver/node/uninstall.sh
```
🛠️ Now install a testing release (RC2):
```bash
curl https://raw.githubusercontent.com/NethServer/ns8-core/main/core/install.sh > install.sh
TESTING=1 bash install.sh ghcr.io/nethserver/core:2.2.0-rc.1
```
Then, initialize the leader node (quick and dirty, from the command line):
```bash
create-cluster dn1.leader.cluster0.gs.nethserver.net:55820 10.5.4.0/24 Nethesis,1234
```
Access the web interface and log in with the default credentials:
- user: admin
- password: Nethesis,1234
Access the Software Center and click Core Apps to verify that the testing release of the core modules is installed.

Click on Software repositories and make sure testing is enabled on the main repository:

🛠️ The main repository is hosted on a CDN; it is automatically updated from this repository.
Samba 4 Active Directory module can be installed only once per node.
To install it, access the Domains and users page, then click on Create domain:

Select Internal and click Next

Next select Samba:

You can now provision the domain:

Remember to follow the naming conventions!
💁♂️ NS8 can have as many network interfaces as you want!
You can manage the users from the UI, but let's see how to do it by using command line.
🛠️ List the configured users using samba-tool:
```bash
runagent -m samba1 /bin/bash
podman exec -ti samba-dc samba-tool user list
```
Example output:
```
krbtgt
ldapservice
Guest
Administrator
```
During the provision, enable the file server:

Go to the user domain page, click on File server:

Access the Share folders page and click on Create shared folder. Configuration of a folder:

You can edit the ACLs from a Windows client.
🛠️ List the configured folders using smbclient:
```bash
runagent -m samba1 /bin/bash
podman exec -ti samba-dc smbclient -L \\localhost
```
You can install another Samba instance on a different node. Samba instances will be configured as master-master replica.

Replicas talk to each other through the WireGuard VPN, which uses a star topology: keep this in mind when configuring instances on worker nodes!
The OpenLDAP module can be installed multiple times per node.
Install it from the Domains and users page, then provision it:

🛠️ Enable OpenLDAP debug logging:
```bash
runagent -m openldap1 /bin/bash
podman exec -i openldap ldapmodify <<EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: config stats sync
EOF
```
Example output:
```
SASL/EXTERNAL authentication started
SASL username: gidNumber=101+uidNumber=100,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
```
See the LDAP content:
```bash
runagent -m openldap1 /bin/bash
podman exec -i openldap ldapsearch
```
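The two commands above exchange LDIF with the OpenLDAP container: `ldapmodify` reads an LDIF change record and `ldapsearch` prints entries in the same format. The following Python script is an added example, not code from the NS8 wiki or the NethServer project. It parses `ldapsearch` output for the `cn=config` entry (handling folded continuation lines and base64 `::` values), reports the current `olcLogLevel` keywords, and only emits the modify request when the level actually differs from the wanted one, so the change can be verified before and after it is applied. The sample LDIF embedded in the script is constructed, not captured from a real node; when run as a script it reads real `ldapsearch` output from stdin (assumption: you pipe `ldapsearch -b cn=config` into it) and falls back to the sample otherwise.

```python
"""Added example: minimal LDIF reader to check and prepare an olcLogLevel
change. Not NS8 project code; the sample LDIF below is constructed."""
import base64
import sys


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous
    logical line) and drop comment lines, including folded comments."""
    lines = []
    in_comment = False
    for raw in text.splitlines():
        if raw.startswith("#"):
            in_comment = True
            continue
        if raw.startswith(" "):
            if in_comment:
                continue
            if lines:
                lines[-1] += raw[1:]
            continue
        in_comment = False
        lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {'dn': str, 'attrs': {name: [values]}}.
    Supports multi-valued attributes and base64 values ('attr:: ...')."""
    entries = []
    current = None
    for line in unfold(text):
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def log_level_flags(entries):
    """Return the set of olcLogLevel keywords on the cn=config entry."""
    for entry in entries:
        if entry["dn"].lower() == "cn=config":
            flags = set()
            for value in entry["attrs"].get("olcLogLevel", []):
                flags.update(value.split())
            return flags
    return set()


def build_loglevel_modify(levels):
    """Produce the same LDIF modify request the page feeds to ldapmodify."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: olcLogLevel\n"
        "olcLogLevel: " + " ".join(levels) + "\n"
    )


def needs_change(entries, wanted):
    """True when the current olcLogLevel keywords differ from the wanted set."""
    return log_level_flags(entries) != set(wanted)


# Constructed sample of an `ldapsearch -b cn=config` result: olcServerID is
# base64-encoded ("1") and olcLogLevel is folded over two lines on purpose.
SAMPLE_CONFIG = """\
# extended LDIF (constructed sample)
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID:: MQ==
olcLogLevel: con
 fig stats

"""

WANTED = ("config", "stats", "sync")

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    entries = parse_ldif(text)
    current = log_level_flags(entries)
    print("current olcLogLevel:", " ".join(sorted(current)) or "(unset)")
    if needs_change(entries, WANTED):
        print("LDIF to apply:\n" + build_loglevel_modify(WANTED), end="")
    else:
        print("already at the wanted level")
```

On a node, the same check is `podman exec -i openldap ldapsearch -b cn=config olcLogLevel | python3 ldif_check.py` (file name assumed); the `stats` keyword is the one that makes every bind and search visible in the container log, which is what you want while debugging and want turned back off afterwards.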
All OpenLDAP instances for the same domain are configured as replicas in master-master mode.
💁♂️ Install instances on different nodes to have a real high availability for the user domain provider!
You can change password strength and expiration policies from the provider page:

The user portal can be used by users to change their own password.
It is available at `https://<fqdn>/users-admin/<domain>`. Example: https://dn1.leader.cluster0.gs.nethserver.net/users-admin/ad.leader.cluster0.gs.nethserver.net/#/login
Access it with the Administrator user and try it:


You can connect also external LDAP servers:

- How many Active Directory instances can be installed on a cluster? Why?
- How many OpenLDAP instances can be installed on a cluster?
- On which IPs is the Active Directory instance reachable?
- On which IPs is the OpenLDAP instance reachable?
❓ ❓ ❓ Questions? ❓ ❓ ❓