Stupid question - how do I keep my user accounts sync’d between Windows and Linux?
My home “lab” environment consists of myself, my wife, and my tiny humans.
My server runs Proxmox 7.4-3.
I have multiple Windows and Linux (mostly Ubuntu) VMs and/or LXC containers.
I think that Samba handles the user mapping between my Windows systems and Proxmox.
But for my Linux systems, how do I keep the user ID and group ID synchronised between my Ubuntu VMs/LXC containers such that I am not just copying the last few lines of /etc/passwd over and over again?
Do I have to run LDAP and/or OpenLDAP for this or is there a simpler way (that doesn’t require *LDAP), but that’s also a little bit more “intelligent” than just copying said last few lines of /etc/passwd over and over again?
Your help is greatly appreciated.
Thank you.
(Previously, I didn’t really have to think about this before, but now I want to manage pictures from my wife’s phone separate from everything else.)
The usual, have them both dance to the same master.
Your question isn’t about a mix of Linux and Windows, it’s about a mix of systems: it would be the same if it was many Windows or Linux machines.
So you want a directory or identity management server that will serve Windows and Linux and for that there are plenty of options, but it’s a bit of an effort when you just want to sync two machines…
But that’s how it always starts, like marriage. It only seems to get relatively easier, once you’ve learned that skill and are able to manage a newcomer in a big family without much hassle.
I’ve used Univention for years now, with the least amount of depth and features possible. It’s become a jack of all trades, but its root was really a Linux based domain controller that would play nice with Windows, too. I only use it for that, because then it remains a manageable effort. But I’ve been sorely tempted by their Nextcloud integration…
Since you’re running Proxmox, adding two Univention VMs as primary and secondary domain controllers for Linux and Windows is as easy as it gets. A container might be lighter, but I don’t think it’s supported or offered officially.
Of course you can then have Proxmox use Univention for its permission management, …but that’s for when your kids start doing your admin stuff (if only!).
Actually I’d love those two companies to collaborate a bit, as they aren’t too far apart in terms of language and ideology.
SAMBA4 as a domain controller and bind everything to Active Directory. It is what I do. Then management of folders, logins, security, all is handled as one. Plus password resets are easy. Proxmox can be bound to AD in the GUI even, so it is about a 10 second setup.
Some rogue Linux distros are a little challenging to bind, but most of them have a utility and it is all pretty easy. SAMBA4 as an AD DC is a bit of effort, but there are tons of guides on the World Wide Wibble for it.
Single point control as a service is obviously the correct answer when having to manage a large number of data points (depending on number of people and number of devices).
On the other hand there is a non-zero cost of infrastructure know-how acquisition, setup, and maintenance.
In my household I have decided that the fixed cost of a shared AD or similar infrastructure is higher than the cost of keeping the data for myself, my wife, and my tiny humans (<<10) in sync across devices.
I make sure that uid/gid for my family accounts are identical across Linux devices. I accept that Samba passwords are maintained separately from Linux passwords. So are local Windows passwords, but thanks to Windows Hello nobody knows nor remembers that password anyway.
All the passwords are stored centrally in Bitwarden and my family is comfortable with that.
Remember that you want your login server to come up before everything that needs it to be present to log in. As soon as you make it a Proxmox VM, and then require it to be present in order for Proxmox to boot, you will find yourself in trouble the next time you boot.
This may be something where the backup sits on a different physical host, though the primary can reside on your proxmox.
Can Samba in the Debian install that Proxmox is based off of take on this role/responsibility?
What issues can I potentially face by deploying the AD DC ex post facto?
Would I need to “rebuild” my Proxmox systems and/or VMs/CTs “from scratch” so that they will know to interact with the AD rather than using Linux PAM for user login authentication?
I would think/assume that I would want to run the SAMBA4 AD DC in a 3-node HA cluster or something like that, so that if one of the systems goes down, people are still able to log in and do what they need to do, correct?
If so – would that be the same as just deploying a Proxmox cluster or is there a way to use a Windows client as a part of the 3-node SAMBA4 AD DC HA cluster?
Yeah – so this is kind of the issue that I am starting to run into where I started the deployment primarily for myself.
And then, whilst trying to back up photos from wife’s iPhone, I started running into issues with permissions and such on the data store/dataset (because I started the initial backup under my username, but then decided that I wanted to manage wife’s stuff under her own account, so that I can separate out the data from a management perspective).
And that’s when my uid/gids started to become misaligned and mismatched, and my “dumb” way of fixing that would be to push /etc/passwd to a central location that everything can get access to, then download/cascade that passwd file to all systems, and then run passwd <<user>> to make sure that the passwords for each account are correctly hashed.
The problem is that now I am running something like 20-25 containers and 12 VMs, so I would have to do this about 40 times, which I would REALLY like to avoid, so I am trying to learn from the experts and from other people’s experiences in terms of how other people deal with this problem (as I can’t possibly be the only person with this issue).
Yeah, we don’t use Windows Hello (thankfully).
And we also have a mixed OS environment where wife is on a Mac, tiny human #1 uses Windows, and I use a mix of Windows, Linux, and macOS.
It is my assumption and untested theory that if I deploy this as an LXC container (or deploy e.g. Ubuntu as an LXC container and then set this up in there), and assign it a low enough container ID, then I should be able to set the container to auto-start on boot, so that not long after the Proxmox server is up, the container would immediately spin up, so that, as you mentioned, everything downstream of it that requires the AD would already be up and running, and that should take care of that, no?
Or…alternatively, if I set up the AD DC in a 3-node HA cluster, then so long as at least ONE of the three nodes is running, that should be able to take care of that, correct?
The other question that I have for the community members here is why not use something like LDAP or OpenLDAP?
Just trying to learn the difference between AD vs. LDAP – and why one would be better or recommend over the other.
The other thing that I also noticed as well is that under Proxmox, I have the option to download and deploy the Turnkey Linux Domain Controller which is supposed to be based on the SAMBA4 AD DC.
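The uid/gid drift described a few posts up (photos copied under one account, containers creating the same user with the next free id) is easy to audit before you decide whether a directory is worth it. The script below is an added example, not code from anyone in this thread: it parses /etc/passwd-style lines collected from each host, compares them with one canonical host, and prints the commands that would bring each host into line. The host names (“nas”, “ct101”, “ct102”) and the account lines are constructed for the example, and the remediation assumes the Debian/Ubuntu default of a private group with the same name as the user. The check a practitioner most wants here is the last one: a *different* account on some host holding a uid that the canonical host gives to someone else, because on a shared dataset that silently makes one person the owner of another person’s files.

```python
"""Audit uid/gid alignment of family accounts across several Linux hosts.

Added example (not from the thread). Parses passwd(5) lines per host, diffs
them against a canonical host and flags drift, missing accounts and uid
collisions. All host names and account data below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the relevant /etc/passwd lines from each host.
PASSWD_BY_HOST: Dict[str, List[str]] = {
    "nas": [  # canonical host
        "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
        "bob:x:1001:1001:Bob:/home/bob:/bin/bash",
    ],
    "ct101": [
        "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
        "bob:x:1002:1002:Bob:/home/bob:/bin/bash",  # bob got the next free id
    ],
    "ct102": [
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash",  # alice holds nas's uid for bob
    ],
}


@dataclass(frozen=True)
class Finding:
    host: str
    account: str
    field: str  # "uid", "gid", "missing" or "collision"
    expected: Optional[int]
    actual: Optional[int]


def parse_passwd(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Return {name: (uid, gid)} from passwd(5) lines; rejects malformed rows."""
    users: Dict[str, Tuple[int, int]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, _home, _shell = fields
        users[name] = (int(uid), int(gid))
    return users


def audit(canonical: str, passwd_by_host: Dict[str, List[str]],
          accounts: List[str]) -> List[Finding]:
    """Compare every other host against the canonical host for the given accounts."""
    ref = parse_passwd(passwd_by_host[canonical])
    findings: List[Finding] = []
    for host in sorted(passwd_by_host):
        if host == canonical:
            continue
        users = parse_passwd(passwd_by_host[host])
        for acct in accounts:
            want_uid, want_gid = ref[acct]
            if acct not in users:
                findings.append(Finding(host, acct, "missing", want_uid, None))
                continue
            uid, gid = users[acct]
            if uid != want_uid:
                findings.append(Finding(host, acct, "uid", want_uid, uid))
            if gid != want_gid:
                findings.append(Finding(host, acct, "gid", want_gid, gid))
        # Collision check: who on this host actually owns each canonical uid?
        owner_of = {uid: name for name, (uid, _gid) in users.items()}
        for acct in accounts:
            want_uid = ref[acct][0]
            owner = owner_of.get(want_uid)
            if owner is not None and owner != acct:
                findings.append(Finding(host, owner, "collision", want_uid, want_uid))
    return findings


def remediation(findings: List[Finding], ref: Dict[str, Tuple[int, int]]) -> List[str]:
    """Per-host commands to review before running (assumes user-private groups).
    usermod -u refuses a uid already in use on the host, which is what you want."""
    cmds: List[str] = []
    for f in findings:
        if f.field == "missing":
            uid, gid = ref[f.account]
            cmds.append(f"{f.host}: groupadd -g {gid} {f.account} && "
                        f"useradd -u {uid} -g {gid} -m {f.account}")
        elif f.field == "uid":
            # usermod re-owns the home directory; files elsewhere need the find.
            cmds.append(f"{f.host}: usermod -u {f.expected} {f.account} && "
                        f"find / -xdev -uid {f.actual} -exec chown -h {f.expected} {{}} +")
        elif f.field == "gid":
            cmds.append(f"{f.host}: groupmod -g {f.expected} {f.account} && "
                        f"usermod -g {f.expected} {f.account} && "
                        f"find / -xdev -gid {f.actual} -exec chgrp -h {f.expected} {{}} +")
        elif f.field == "collision":
            cmds.append(f"{f.host}: MANUAL: '{f.account}' holds uid {f.expected}, which the "
                        f"canonical host assigns to another account; resolve before reuse")
    return cmds


if __name__ == "__main__":
    found = audit("nas", PASSWD_BY_HOST, ["alice", "bob"])
    for line in remediation(found, parse_passwd(PASSWD_BY_HOST["nas"])):
        print(line)
```

Run it against `getent passwd alice bob` output gathered over ssh from each container and you get one list of fixes instead of 40 hand edits; the collision line is the one to act on first, and the `find` commands only walk the root filesystem (`-xdev`), so mounted shared datasets must be re-owned separately and only once.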
I can not think of any really. Even if you deploy and build out an entire environment based on AD, you could still retake ownership of everything if something catastrophic happened.
Nope.
That would be overkill, but it would work. All I do is run 1 server and keep a reasonably current Proxmox clone of it in my backups.
I have a reasonable mix of different OS as well. Even OSX can bind to the domain.
LDAP in any form is typically just a connector. You CAN manually manage users in LDAP and just use it as an AUTH device, but it is barely more than just manually matching UIDs.
One note: the SAMBA4 AD DC can be managed entirely from console, but it is actually GUI friendly if you set up a Windows PC with Windows Remote Server Admin Tools (RSAT).
The reason why I ask about setting up a 3-node HA cluster for the AD DC is that, if I only had the AD DC installed on one system and that system needs to reboot due to updates or some other silly reason like that, I wouldn’t want to prevent people from being able to log in and do their thing on account of that.
And then the other stupid question that I have is that if I have different VLANs, how do I get the AD DC to work for all of the different VLANs?
Would the system (whether that’s a bare metal deployment/system or VM or CT) that is running the AD DC only need to have multiple NICs, such that each NIC interface is on the respective VLAN, for the AD DC to serve everything, or would I need separate AD DCs with the same database/information (i.e. a second AD DC that joins the domain)?
How would that work?
Again, my apologies for my dumb questions.
I’ve never really thought about a multi-user environment before, but as things grow and change, I am now kinda forced to.
Your help is greatly appreciated.
Yeah, I was reading about that.
(Or more specifically, in reading about the turnkey domain controller which it says is based on the SAMBA4 AD DC, it recommended that a Windows client install RSAT so that a lot of the administrative work can be performed via that GUI. And I am sure that it can be handled with the console, but probably vastly easier to do it with RSAT.)
It is not the AD DC that would be the issue there, as cached profiles would allow for logins for a while. But DNS would probably be offline depending on your config.
This is all handled via gateway and router addresses. DHCP is easiest to have handled by the core router or something anyway, as it will be handling the VLAN routing. DNS is a core function of an AD DC though. It does take a bit of thinking, but it is easy enough when you get the idea.
No, not necessarily; this is a cat with multiple ways to be skinned. Do keep in mind that even if you virtualize the AD DC, it will need a real NIC passed through, but you probably only need one real NIC even if you have VLANs.
I love Turnkey. I have been doing this since before the SAMBA4 DC was available there though. Wouldn’t hurt to investigate their way.
Given the objective that I am trying to accomplish (with just synchronising the logins), do I have to run the DNS?
Right now, almost all of my systems, on the different VLANs, have static IP addresses (primarily to facilitate remote administration, even with my Windows clients).
The only thing that’s really using DHCP are mobile devices (phones, tablets, etc.).
I maintain a tracking list for the IPv4 addresses for each of the VLANs so that I can keep them all straight. (As I mentioned, with running something like 40 CT/VMs now in total, I need a spreadsheet to help keep track of all of this stuff.)
Stupid question – why is that?
Or asking the same stupid question in another way – Proxmox (and most Linux distros) creates a network bridge automatically. Can you explain a little bit further in terms of why passing through a physical NIC would be required?
I’m not sure that I understand this piece of it yet.
Yeah, I’m JUST starting to learn more about them via Proxmox.
They make doing stuff that would normally be complicated and/or time consuming to deploy RIDICULOUSLY easy, such that non-sysadmins like myself can deploy services/applications.
There are a LOT that I haven’t tried yet, but I have also found that one of the best ways for me to learn about Turnkey is because of a need or a problem that I am trying to solve. Actually doing it, helps with my learning.
There are not separate pieces, they are stacked pieces. For AD DC to function it must reside on DNS. This is OS independent.
OMG WtH… (DEEP BREATH) You should try reservations in a DHCP environment. It is less work and accomplishes the same thing (and fits with DNS).
Yeah, and trust me here, I have a fair amount of experience with Linux bridges. But the Kerberos key that passes through when attempting to join a device to a domain will not transition a Linux bridge. I am sure there is a way to fix it, as NUTANIX is also a KVM Linux hypervisor and it is possible to get this functioning there. But I have never wanted to put in the effort to make it work on Proxmox when I always have more available NICs anyway.
Yes, yes it does.
I thought I linked this, maybe it was elsewhere…
This is not exactly how I would handle the VLANs to DHCP, but it is good reading on the functionality at least.
I am not 100% sure that I understand why the synchronisation of logins will need a domain name server, but okies.
More stupid questions from my end – how do you effectively do this if, when you are creating containers and/or VMs, the MAC address for the virtual NICs would be randomly created?
So…
How would systems on different VLANs be able to communicate with the AD DC if one of the NICs on the server is physically passed through to the VM/CT?
(I’m asking my dumb questions in my effort to learn more about it, as part of my pre-deployment education, so that when I DO deploy it, I will be slightly less clueless when that happens vs. trying to deploy it when I am more clueless in regards to this topic.)
Would this be a reason/purpose why people buy the four-port fanless firewall systems (like the Topton unit that Patrick and his team from ServeTheHome reviews)?
Or would this whole idea of deploying an AD DC be something that either pfSense and/or OPNSense would be better suited for?
(i.e. I’m not specifically tied to the Proxmox ecosystem for deploying this, but the Turnkey Domain Controller, would, presumably, make it a LOT easier.)
And on that topic, if I were to deploy this as a container, how would I passthrough a physical NIC to the CT?
(I am only aware of passing through devices to a VM. I am not aware of this capability for passing through devices to a CT.)
Thank you for those links. I’ll have to read through them.
It’s because domain joined machines rely heavily on service autodiscovery via service DNS records. It’s actually a beautiful system once you see it in action.
Here is an example DNS query from a domain PC; this was probably a login request or file permission activation (still a login request really):
_ldap._tcp.default-first-site-name._sites.dc._msdcs.XXXXXXXXXX.local
So if your DNS is not handled by the DC, these requests never authenticate. (Yes, the line of XX is where my actual name portion was.)
The absolute laziest way is to just boot the device and let it get a random MAC and IP address, and then go into the DHCP server (on router or wherever you do DHCP) and select the ‘reservation’ check. Personally, I too like to use certain IP addresses for things, so in the reservations I manually config the IP I want it to have.
The gateway address is assigned as a DHCP router address. Then in your network you can use an IP helper to hand DHCP across anything you need to, and the device will grab an IP address out of the pool that the VLAN is assigned, based on the gateway address.
Some people do like to physically identify those things, yes. You can do that but it is not required.
TrueNAS actually has the ability to either join a domain or be a DC; it actually works fine. I have not dabbled with it on top of a router distro. I know some of them actually have some support for it, but that just is not how I have ever designed a network.
That is also something I have not done. The DC barely uses any resources though, so a real VM deployment should have minimal impact on any host.
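The `_ldap._tcp.default-first-site-name._sites.dc._msdcs.<domain>` query quoted above is one of a fixed family of SRV names a domain member resolves to find a DC, a KDC and a global catalog, and the answers carry priority and weight fields that decide which DC a client tries first. The code below is an added example, not code from anyone in this thread: it lists those names for a domain, parses answers in the shape `dig +short SRV` prints, and orders the DCs the way RFC 2782 prescribes (lowest priority first, weighted random within a priority). The domain `home.lan`, the site name and the three records are constructed; the only thing the example assumes about your setup is that the resolver the client uses forwards the `_msdcs` zone to the DC, which is exactly the check to run when a join or login fails.

```python
"""Domain-controller discovery via DNS SRV records (RFC 2782 ordering).

Added example (not from the thread). Builds the SRV names a domain-joined
client asks for, parses `dig +short SRV` style answers and orders the
returned DCs by priority and weight. Domain, site and records are constructed.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample answer, in the format `dig +short SRV <name>` prints.
DIG_OUTPUT = [
    "0 100 389 dc1.home.lan.",   # preferred: same priority as dc2, double the weight
    "0 50 389 dc2.home.lan.",
    "10 0 389 dc3.home.lan.",    # backup: only used when priority-0 DCs are gone
]


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names a member resolves to locate a DC, KDC, password service and GC."""
    names = [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_gc._tcp.{domain}",
    ]
    if site:
        # Site-scoped name, the shape of the query quoted in the thread.
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names


def parse_dig_short(lines: List[str]) -> List[Srv]:
    """Parse 'priority weight port target.' lines; raise on anything else."""
    records: List[Srv] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"not an SRV answer: {line!r}")
        prio, weight, port, target = parts
        records.append(Srv(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def make_rng(seed: int) -> random.Random:
    """Seeded generator so selection is reproducible in tests."""
    return random.Random(seed)


def select_target(records: List[Srv], rng: random.Random) -> Optional[Srv]:
    """Pick one record: lowest priority, then weighted random by weight.
    Weight-0 records are only chosen when every candidate has weight 0
    (a simplification of the RFC's 'small chance' wording)."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randrange(total)
    for r in candidates:
        if pick < r.weight:
            return r
        pick -= r.weight
    return candidates[-1]  # not reachable; keeps the return type honest


def failover_order(records: List[Srv], rng: random.Random) -> List[Srv]:
    """Full contact order: select, remove, repeat until the answer is exhausted."""
    remaining = list(records)
    order: List[Srv] = []
    while remaining:
        chosen = select_target(remaining, rng)
        order.append(chosen)
        remaining.remove(chosen)
    return order


if __name__ == "__main__":
    for name in dc_locator_names("home.lan", site="Default-First-Site-Name"):
        print("lookup:", name)
    for srv in failover_order(parse_dig_short(DIG_OUTPUT), make_rng(7)):
        print(f"try {srv.target}:{srv.port} (prio {srv.priority}, weight {srv.weight})")
```

If `dig +short SRV _ldap._tcp.dc._msdcs.<domain>` returns nothing from the resolver your clients actually use, the join will fail regardless of how the DC itself is configured; that is the situation the post above describes, and it is fixed in the resolver (forwarding the domain to the DC), not on the DC.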
This would imply that it’s a two step process unless you’re “handcoding” the MAC addresses yourself.
I think that I am going to likely need an idiots guide to this if you have it because right now – I am reading the words, but I think that without me actually following along in said idiot’s guide (I’m the idiot) – I am not sure that I am going to understand how this works.
(My DHCP right now is handled by the router that’s attached to each of the VLANs.)
So, my Proxmox server has four onboard NICs.
I should be able to use that, so that each physical NIC has a connection to each of the VLANs and then it would be at the Proxmox server where they would be able to “come together” for that DHCP handoff/assignment, correct?
I only ask because I have found LXC containers to use the host/physical resources more efficiently than an actual VM.
More, new, dumb questions from my end:
I am running a Steam cache (with instructions from lancache.net) and I think that it says that it needs or prefers to be the primary DNS.
So how does that interact with the AD DC, or would mixing the two be a terrible idea as they’re both wanting to fight to be the primary DNS?
I am watching a Techno Tim YouTube video right now about netboot.xyz where I can PXE boot installers, but of course, it needs its own DHCP server so that it can serve up the PXE boot images.
On the surface of all of this – it would appear that there is strong competition amongst the three services as they all want to be primary DNS (and/or DHCP servers, for their respective purposes).
So…should it be:
AD DC
lancache
netboot.xyz
or should it be something different?
Your help is greatly appreciated.
edit
Another stupid question from me:
If I were to run the Turnkey domain controller in Proxmox and then I point the Proxmox login to said Turnkey domain controller – would that create like a cyclical redundancy problem (where the underlying Debian that Proxmox sits on top of won’t be able to log in because the VM/CT hasn’t started up yet)?
It could be, but then how many steps is logging this in spreadsheets?
Read the DHCP Windows Server article I posted. Even though you are not using a Windows server, the base level functions are the same.
Sure, like I said, that is the simplest ‘I am not a network engineer’ method of accomplishing this goal.
That is correct, but in this world of vast resources, I just do not end up using a lot of container installs.
Not a problem. You can either daisy chain them via DNS next hop configuration (you will have to configure a next hop anyway) or DNS redirect your domain address via something like Pi-hole if you want to do ad blocking and some of that stuff while you are building things out.
You just need your DHCP to be PXE server aware. This is configurable via DHCP options: option number 67 maybe, or 64, or was it 62? Anyway, DHCP options are standard, so you just need to know how to configure them on your DHCP server and then Bob’s your uncle. If netboot.xyz requires you use their DHCP server, then either use it for everything, or find a different PXE manager. FOG Project used to be amazing.
No, Proxmox will always have a local root user that you can get into and do the bump start if something happened. I have actually caused myself weird issues like that several times over the years and there is always a window back in. Those are stories to have over beer (or coffee?) though.
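Since the answer above leaves the option number open: in RFC 2132 the PXE-relevant options are 66 (TFTP server name) and 67 (bootfile name), the DNS servers clients should use are option 6, and the domain is option 15. The block below is an added example, not code from anyone in this thread: it encodes and decodes the DHCP options field in its standard TLV form, so you can see what “DHCP options are standard” means on the wire and what a single DHCP server would hand out to satisfy both the AD DC (point option 6 at the DC so the `_msdcs` lookups work) and netboot.xyz. The addresses, the domain `home.lan` and the bootfile name `netboot.xyz.efi` are constructed for the example.

```python
"""Encode/decode the DHCP options field (RFC 2132 TLV) for an AD + PXE network.

Added example (not from the thread). Shows the real option numbers: 6 = DNS
servers (must be the AD DC), 15 = domain, 66 = TFTP server name, 67 = bootfile
name. All addresses, the domain and the bootfile name are constructed.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2132: leads every options field
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 0, 3, 6, 15
OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 66, 67, 255


def ip_list(addrs: List[str]) -> bytes:
    """Pack IPv4 addresses as 4-byte network-order values (options 3 and 6)."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (code, data) pairs as cookie + TLVs + END."""
    out = bytearray(MAGIC_COOKIE)
    for code, data in options:
        if not 1 <= code <= 254:
            raise ValueError(f"option code out of range: {code}")
        if len(data) > 255:
            raise ValueError(f"option {code} too long for one TLV")
        out += struct.pack("!BB", code, len(data)) + data
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse an options field, tolerating PAD bytes and rejecting truncation."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + data  # RFC 3396: repeats concatenate
        i += 2 + length
    raise ValueError("options field not terminated with END")


def dns_servers(opts: Dict[int, bytes]) -> List[str]:
    """Decode option 6 back into dotted-quad strings."""
    raw = opts.get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def ad_pxe_options(router: str, dc_dns: List[str], domain: str,
                   tftp_server: str, bootfile: str) -> bytes:
    """Options one DHCP server hands out so clients find the DC and PXE boot."""
    return encode_options([
        (OPT_ROUTER, ip_list([router])),
        (OPT_DNS, ip_list(dc_dns)),          # the DC, so _msdcs SRV lookups resolve
        (OPT_DOMAIN, domain.encode()),
        (OPT_TFTP_SERVER, tftp_server.encode()),
        (OPT_BOOTFILE, bootfile.encode()),
    ])


if __name__ == "__main__":
    blob = ad_pxe_options("10.0.10.1", ["10.0.10.5"], "home.lan",
                          "10.0.10.20", "netboot.xyz.efi")
    print(blob.hex())
    for code, data in decode_options(blob).items():
        print(code, data)
```

Whatever serves DHCP (the router, Pi-hole, the DC itself) is ultimately filling in these same numbered fields; once option 6 points at the DC and 66/67 at the PXE host, neither lancache nor netboot.xyz needs to own DHCP, and the “who is primary DNS” question reduces to which server the DC forwards everything else to.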
That was my thinking originally, too, but it’s actually not that bad.
Proxmox itself will always boot and so will any virtual machines you configure to boot with it. And then, just like the management engine in RHV/oVirt isn’t required to handle server faults or HA VM restarts, your IDM isn’t required to handle log-ins, only account management.
Both Windows and Linux clients have long started being laptops and those travel or aren’t always connected to the network.
So they have all learned to cache credentials (and profiles) for quite a significant amount of time, so you can use your “laptop” (in fact any dependent system) typically even when the AD/LDAP/Kerberos server is down.
I tried Univention because it had such a nice GUI and promised perfect Windows integration on a Linux base. I set it up knowing practically nothing about AD nor about LDAP with a bit of background in old-style Windows domain controllers and a bit of Sun yellow pages and NFS.
I never really had to learn more in the last four years to make it work across countless upgrades, several network reorganizations and recently moving between oVirt/RHV major releases or from there to Proxmox.
In fact Univention doesn’t have a seamless high-availability setup; backup domain controllers aren’t really doing much of anything but synchronize with the primary, no clustering or load-sharing that I could see. But again, because of locally stored credentials, nothing much is needed after the first login for any user.
And promoting a backup DC to primary is somewhat nerve-wracking the first time around (much less with a checkpointed VM…), but essentially an easy operation.
Migrating VMs between hypervisors from different vendors is rarely ever bi-directional or easy, so I’ve used that mechanism to migrate Univention domain controllers very easily, while VM migrations always required much more manual work.
I tend not to mix AD/LDAP, DNS and DHCP on Univention, mostly because pfSense does just such a good job with DNS and DHCP. A full integration there might raise the bar a bit and I don’t see myself using Univention for the Proxmox management either.
In the home-lab there really is only me anyway and if you need to manage dozens of very differentiated privilege levels on Proxmox, you need to go professional …and probably beyond that base.
P.S. I used the “external” management engine approach for Xcp-ng. It’s been a while but I believe those appliances replicate the farm state automatically and each management appliance can manage the whole farm. So having a secondary there independently, say as a VM on VirtualBox or VMware Workstation, was simply the better backup.
Most hypervisor orchestration engines really started as bare metal machines (and without fault tolerance) and it was only after Nutanix proved a VM could do it from the inside, that everybody tried to steal that magic… which wasn’t all that new either, because batch schedulers had used that separation between planning and execution engines for decades on mainframes.