Welcome to Incremental Social! Learn more about this project here!
Check out lemmyverse to find more communities to join from here!

Anybody here running AD on-prem in your homelab?

I'm curious as to why someone would need to do that short of having a bunch of users and a small office at home. Or maybe managing the family's computers is easier that way?

I was considering a domain controller (biased towards linux since most servers/VMs are linux) but right now, for the homelab, it just seems like a shiny new toy to play with rather than something that can make life easier/more secure. There's also the problem of HA and being locked out of your computer if the DC is down.

Tell me why you're running it and the setup you've got that makes having a DC worth it.

Thanks!

kylian0087 ,

I in fact run a AD domain controller *and *a rhel IDM controller. For me other then it is fun to play with, makes it a load more simple to manage the user accounts of my famalie. Also auto mounting network shares and setting a few policys for updates and security is great to from a central location. having SSO for many if my services also makes it more easy to use for the fam. The rhel IDM controller I use to manage a few user accounts. I also use it to manage the ssh keys and set sudo rules on all my servers.

huskypenguin ,

I am, and I'm using Neth Server. I use it only for an AD, TrueNAS for file storage and a few VMs, portainer for applications. It was for practice, but Neth makes it so easy, why not? And it can help with some LDAP applications (but I haven't set them up yet)

redfox ,
@redfox@infosec.pub avatar

I think I'm the most ridiculous, but for the same career reasons as the rest:

Active directory, yes, plus:
Azure cloud sync with entra active directory
Hybrid exchange on prem and office/exchange online.

For better or worse, large enterprise isn't going away from M$.

Also, I have transparent proxy sophos IPS, security Onion IDS, Trellix ePO, and other security products all being integrated for info security testing.

Not suggesting this is normal, just my test/dev playground I don't have to worry about breaking.

MigratingtoLemmy OP ,

Wow, that's real enterprise software!

How do you like Sophos? Is it the free version? I came across another commenter who uses it in my previous post.

redfox ,
@redfox@infosec.pub avatar

I have the old school utm 9, which was self managed. Now it's a cloud managed. I haven't used new cloud portal, sorry.

They still have free home use last I checked. I really like nfr, ce, home use companies.

alomsimoy ,

I'm running truenas scale with truecharts and I manage all users and groups with the LLDAP chart, which is an stripped down version of ldap. I'm considering deploying another server and running 389ds with replication to increase the features and to learn more about ldap, but overall lldap covers all my necessities regarding user and group managment in all my homelab apps

MigratingtoLemmy OP , (edited )

I am considering FreeIPA myself too! Thanks!

h3ndrik , (edited )

Uh, why use a Microsoft product that doesn't even tie into the rest of the selfhosted services very well? There are easier and way better solutions for SSO and web services. And I don't have a pool of 30 windows laptops that'd need to share a set of login credentials and software rollout, at home.

I'd rather use the time I'd put into such a project that is just work and little to no benefit for something else. For example doing backups, deleting the Windows on those laptops and replacing it with free software.

redfox ,
@redfox@infosec.pub avatar

Sometimes it's for career progression or familiarity.

Just for SSO, might be easier ways, sure.

MigratingtoLemmy OP ,

The main idea was to see if AD will bring any benefit to my homelab. The idea of running a domain controller is very intriguing, and it doesn't need to be AD specifically, although I'd like to get some hands-on time with it too.

Treczoks ,

Keep in mind that AD, Office, and Exchange is he holy trinity of getting hacked in the last years.

redfox ,
@redfox@infosec.pub avatar

Also the cornerstone of enterprise, for better or worse at the moment.

MigratingtoLemmy OP ,

I'll keep that in mind, I've been warned by quite a few people in the comments haha

aldalire ,

Im out of the loop here. What’s an AD? 🤔

slazer2au ,

Active Directory. Manages users, devices, and permissions.

Nollij ,

You're overlooking a very common reason that people setup a homelab - practice for their careers. Many colleges offer a more legitimate setup for the same purpose, and a similar design. But if you're choosing to learn AD from a free/cheap book instead of a multi-thousand dollar course, you still need a lab to absorb the information and really understand it.

Granted, AD is of limited value to learn these days, but it's still a backbone for countless other tools that are highly relevant.

MigratingtoLemmy OP ,

Learning was definitely a goal, but I'd like to actually find use for what I'm hosting than just "learning", which would affect my motivation and I'd probably delete it right away if I didn't get much use out of it

conorab ,

Run at home/lab to learn AD and also gives you a place to test out ideas before pushing to production. You may be able to run a legit AD server with licensing on AWS or similar if they have a free tier.

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

If you do go for samba ad dc

assembly ,

I run AD at home but it’s because my job is in enterprise software engineering and so running these programs in my home lab requires AD integrations. It’s also needed for HyperV and SCVMM along with things like SQL server auth and GMSA which I can’t get out of testing. Ironically most of my work is in open source/Linux but Windows servers are all over the Enterprise so I don’t have a choice but to run this stuff. No real users on it and just used for the lab.

Kid_Thunder ,

Personally I use FreeIPA for my LDAP. I like that I can create sudoers rules from one centralized place and manage ssh keys across all clients. Granted I could just use Ansible I suppose, which is how I update multiple distributions in my network and online but I like that I can just change SSH keys and sudoers from one place easily instead of changing tasks/roles. I also usually run cockpit even on my non-Red Hat distros with SSH keys just so I don't have to log into everything though it is somewhat limited outside of the Red Hat sphere.

If you don't want to use ProxMox or some other specialized HyperVisor ecosystem, you can also use Cockpit to manager your VMs along with your Pods. I wish there'd be more attention to it for features because it feels like it could do a lot more.

I also don't really worry about locking myself out for two reasons:

  1. I use SSH keys.
  2. I also have a break-glass local account on every system...with SSH keys. If its on your local network, you can use VNC/VM console/Remote Desktop with a local account while only allowing SSH with keys if you'd like. Just make sure if you're going to allow remote access outside of your network that you never forward the VNC/RDP ports. For SSH when I do this I always pick some random port -- never default and never common ones like 2222 to at least keep my logs less noisy from the botnet auto attacks.

For my online VPS' I use a firewall with geoIP from Maxmind and drop all ports but 443 from the world, except for whatever country I'm in. I drop all packets from certain countries that seem to auto-attack more often than others. I try to drop packets from all known (to me) Shodan scanners. If I'm not traveling I just restrict all other ports to my public IP's subnet though my IP hasn't changed for years. For status checking services like StatusCake, I use the "push" method instead using a simple cron job with curl instead of relying on servers around the world checking my ports. In this case, the services just check that my server has successfully hit them within X minutes to be "up".

MigratingtoLemmy OP ,

Thank you for your experience using FreeIPA, your comment really got me re-thinking about AD, about trust setups and if I really needed a Windows domain controller other than for learning. Being able to manage Sudoers centrally is fantastic!

I plan to use XCP-ng as my hypervisor.

Unfortunately, I didn't quite catch how using SSH keys will keep you from getting locked out if your domain controller goes down. That sounds exactly like what I want, and great idea having a spare account on each machine!

Thanks for your comment, very informative!

Kid_Thunder ,

The SSH keys don't help me if I get locked out of a Domain Controller unless you're using OpenSSH (which is now a native feature you can turn on). In that case you can actually still log into the DC via command line because it authenticates based on authorized_keys and not the LDAP of the DC. I actually do this on the enterprise, not because I may get locked out but because it is just convenient. Granted you'll have to execute powershell on the command line once in to use the AD cmdlets.

On the other hand when you create a DC now-a-days (Server 2019...I don't remember if this is asked in the wizard when in Server 2016) you can create a "Directory Services Restore Mode" password which is basically a local admin account on the DC that you can log into only when the DC is booted into safe mode. You'll be asked to create it when you promote your DC.

MigratingtoLemmy OP ,

Thanks, great to know about Restore Mode.

MigratingtoLemmy OP ,

Hey, I'd like to ask you one more thing: is it possible to set up short-term credentials which can be provisioned and invalidated automatically with policies? I'm looking towards an idea of a self-hosted AWS STS without installing a secrets manager like Conjur and I think it should technically be possible with FreeIPA. Please let me know what you think.

Decronym Bot , (edited )

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
Git Popular version control system, primarily for code
IP Internet Protocol
Plex Brand of media server package
SSH Secure Shell for remote terminal access
SSO Single Sign-On
VNC Virtual Network Computing for remote desktop access
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

[Thread for this sub, first seen 13th Feb 2024, 02:55]
[FAQ] [Full list] [Contact] [Source code]

technohacker ,
@technohacker@programming.dev avatar

I find it funny it didn't point out Active Directory

taladar ,

Possibly because ad also exists as a word?

ako946659663 ,
@ako946659663@lemm.ee avatar

Thank you!
I was curious why someone would use Azure DevOps for their homelab. Lol.

azl ,

I do. 4 or 5 users and several computers plus virtual server members. I still use Linux for DNS which works surprisingly well after the initial setup.

I did it half for practice and half for fun, but having the authentication backend makes it good enough to keep around.

MigratingtoLemmy OP ,

Could you tell me how you use your own DNS server with AD? I was under the impression that AD wanted to control DNS in the network.

azl ,

There are some SRV and other records which you add for the AD-provided services (kerberos, gc, ldap). This allows your Windows clients to find the domain controllers for authentication via your non-Windows DNS. I think I might have followed a Microsoft or other article when doing the initial setup, but once getting those items in place I haven't had many issues.

cm0002 ,

I do, for a multitude of reasons

  • Easier management of family computers
  • an authoritative source for Authentik SSO
  • Learning experience, I'm also heavy Linux, but I try to maintain an OS agnostic philosophy with my skill set so I can have options in my career
  • I was bored
  • Again, since I like to maintain an OS agnostic philosophy I have a healthy mix of Windows, Linux and MacOS devices, and you CAN in fact join Linux (w/ SSSD) and MacOS to a domain too

In addition to what others have said with roaming profiles and such:

DO NOT SET YOUR AD DOMAIN AS THE SAME DOMAIN OF A WEB ADDRESS YOU USE

I..er...someone... Found themselves in this situation and have been in a mess since lmao

BigMikeInAustin ,

Some of the best and worst decisions people have made started with, "I was bored." Ha!

cooljacob204 ,

Is there costs associated with this?

cm0002 ,

To deploy AD, that depends.

If you like to sail the high seas AND aren't trying to use it for a business, then no.

If you don't want to sail the high seas or need to use it for a business, then yes, you'll need to buy a Windows Server license

infeeeee ,

You can have ad dc on samba, without windows. Nice all in one solution is UCS univention, works really well and free: https://www.univention.com/products/ucs/

Even in docker, last time i tried this, it was buggy: https://github.com/Fmstrat/samba-domain

Dashi ,

Windows server license and CALs... don't forget that extra little cost just because from MS

huskypenguin ,

Samba v4 has been able to be a domain server forever and it's free. You can also use Synology if you want it off the shelf.

MigratingtoLemmy OP , (edited )

Thank you for the wonderful comment.

Indeed, I was hoping to have a good SSO setup alongside learning about AD and domain services (also looking at the *nix alternatives like FreeIPA).

Could you tell me more about the DNS setup with regards to AD? I'd like to use my own DNS and not have AD be the DNS provider in my network. The idea to put it in its own subdomain is excellent and I'll remember that.

People here also mention an increase in attack surface and security vulnerabilities in running AD/domain services on a network. Now, I agree that letting free access to the domain server and having rogue accounts causing havoc on the network is not great, but I'd like to know more. What has been your experience?

huskypenguin ,

Not the original commenter, but I don't understand how that would increase your attack surface. The AD is inside the network, and if an attacker is already in, you're compromised. There might be way to refrence a DNS server with a windows server, but then you're running windows and your life is now much more difficult.

As per DNS, the AD server must be the DNS provider. If you run something like nethserver in a VM you can use it as a dns & ad server.

The domain thing, the AD server is the authorative for its domain. So if you set it as top level, like myhouse.c()m, it will refrence all dns requests to itself, and any subdomains will not appear. The reccomended way to get around this is to use a subdomain, like ad.myhouse.c()m. Or, maybe you have a domain name to burn and you just want to use that?

MigratingtoLemmy OP ,

Thanks, you're the second person who spoke about Neth server to me. I'll take a look.

I was planning to create a subdomain for it anyway, it's just that I was misled that if I didn't give it control over DNS for the network it wouldn't function properly. That doesn't seem to be case (which I'm glad for).

I do not quite understand how the attack surface is increased other than running Windows on my network. I will have to look deeper into it myself.

Thanks

huskypenguin ,

It may have been me both times. I went down a deep AD hole recently, and was trying to find an easy open source way to do it.

My advice is to put whatever you choose into a vm and snapshot it right before you configure the AD. I think I reconfigured mine 8 times before I was happy.

MigratingtoLemmy OP ,

Will do

  • All
  • Subscribed
  • Moderated
  • Favorites
  • selfhosted@lemmy.world
  • random
  • incremental_games
  • meta
  • All magazines
    •