Revision 49 as of 2024-01-22 21:35:45 (comment: Fixed formatting)
This page describes the current (2019) Active Directory configuration at UCC.
The Active Directory (AD) domain at UCC is ad.ucc.gu.uwa.edu.au, with the NETBIOS domain name UCCDOMAYNE. The primary Domain Controller (DC) is samson.ucc.gu.uwa.edu.au, which also serves authoritative DNS for ad.ucc.gu.uwa.edu.au.
For some background on why the Standard Operating Environment does what it does, see NewActiveDirectory. For outdated documentation and some info about the migration from the old LDAP domain, see OldActiveDirectory.
This page describes how to configure Linux systems to connect to an Active Directory domain as the database for users and groups.
Windows
These steps assume Windows 10.
- Open File Explorer, right click on My PC and select Properties. You might need to click the rename (advanced) option on the rightmost pane of the window.
- Under the Computer Name tab, select Change... and enter ad.ucc.gu.uwa.edu.au as the domain. Make sure the computer name is also correct, and change it if necessary (Windows 10 generates a random name when you install it).
- When you click OK, enter a UCC wheel username/password (i.e. an account with domain admin permissions). Restart the computer at your convenience.
- Congratulations, you have joined a computer to the domain.
Linux
Configuring SSSD
Full section and alternative client configurations: https://wiki.ucc.asn.au/NewActiveDirectory/LinuxClients
There is a very informative Red Hat article about configuring sssd manually. The following instructions are a functional adaptation. For a more detailed understanding of what these config files and options mean, please start by reading the manpages for sssd, sssd-ad, sssd-krb5, sssd-ldap, sssd.conf, krb5.conf and smb.conf and the above article.
These instructions are confirmed working on Linux Mint 19.1 (Tara), using sssd version 1.16.1 and samba-common-bin package version 4.7.6.
1. Install the necessary packages and uninstall any conflicting ones:
    apt -y install samba-common-bin samba-dsdb-modules sssd sssd-ad sssd-krb5 sssd-ldap sssd-tools krb5-user krb5-doc libpam-sss libnss-sss adcli libsasl2-modules-gssapi-mit
    apt -y purge winbind realmd libpam-krb5 libpam-ldap libpam-winbind libnss-ldap libnss-winbind
2. Remove any configuration files if they exist and stop services:
    mv /etc/samba/smb.conf /etc/samba/smb.conf.old
    mv /etc/nsswitch.conf /etc/nsswitch.conf.old
    rm /etc/krb5.conf /etc/krb5.keytab /etc/sssd/sssd.conf
    systemctl stop sssd winbind samba-ad-dc smbd nmbd
3. Install the configs semi-automatically:
    wget -O /tmp/ucc-ad-config.tar.gz https://www.ucc.asn.au/ucc-ad-config.tar.gz && tar -C / -xvzf /tmp/ucc-ad-config.tar.gz
4. Run pam-auth-update and check that SSS authentication is enabled and that winbind authentication (if present) is disabled.
5. Create the machine account in AD and produce a keytab for sssd containing the machine account credentials. If using a user other than Administrator, ensure they have sufficient privileges to join a machine to the domain.
    rm /etc/krb5.keytab
    kinit <wheel username here>
    net ads join --no-dns-updates -k
    # verify the machine account credentials are in the keytab:
    klist -k
6. Start the necessary services:
    systemctl restart sssd
7. Verify that you can see the correct user and group info using getent passwd and getent group respectively. The output format is equivalent to the /etc/passwd and /etc/group files.
Diagnostics
Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache:
- sss_cache -E if using sssd
- net cache flush if using winbind
- Or, if the above has no effect, try rejoining the domain using the Configuring SSSD instructions above.
You can edit directory objects with
    kinit; ldapvi -b dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au --host AD.UCC.GU.UWA.EDU.AU -Y GSSAPI
or more easily with
    samba-tool user edit <username>
Config file examples
These should be the same as in the config package (https://www.ucc.asn.au/ucc-ad-config.tar.gz), but they are reproduced here in case something gets broken or that archive goes missing.
/etc/sssd/sssd.conf
    [sssd]
    config_file_version = 2
    domains = ad.ucc.gu.uwa.edu.au
    services = nss, pam, pac

    # domain configuration: see manpages sssd.conf, sssd-ldap, sssd-krb5 and sssd-ad
    # see https://access.redhat.com/articles/3023951
    # needs correct configuration for: /etc/nsswitch.conf /etc/samba/smb.conf /etc/resolv.conf `pam-auth-update`
    [domain/AD.UCC.GU.UWA.EDU.AU]
    enumerate = true
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    ldap_id_mapping = false
    cache_credentials = true
    # if you want to use a custom CA certificate for AD
    #ldap_tls_cacert = /etc/sssd/ucc-ad-ca.cer
    # or just allow invalid (self-signed) certificates
    ldap_tls_reqcert = allow
    # allow local users to be included in AD groups
    ldap_rfc2307_fallback_to_local_users = true
/etc/nsswitch.conf
    # /etc/nsswitch.conf
    passwd:         compat systemd sss
    group:          compat systemd sss
    shadow:         compat sss
    gshadow:        files
    hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
    networks:       files
    protocols:      db files
    services:       db files sss
    ethers:         db files
    rpc:            db files
    netgroup:       nis sss
/etc/krb5.conf
    [libdefaults]
    default_realm = AD.UCC.GU.UWA.EDU.AU
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
/etc/samba/smb.conf
    [global]
    realm = AD.UCC.GU.UWA.EDU.AU
    workgroup = UCCDOMAYNE
    security = ads
    client signing = mandatory
    client use spnego = yes
    tls enabled = yes
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    log file = /var/log/samba/%m.log
OpenLDAP
If you need to authenticate against our AD over OpenLDAP (e.g. for OpenVPN or Octoprint), you will need two things to talk LDAP to samson: the UCC-CA certificate and a custom OpenLDAP config file.
The certificate is linked from the top of the main website, or can be copied from /etc/ssl/certs on most of the main servers.
/etc/ldap/ldap.conf
    URI ldaps://samson.ad.ucc.gu.uwa.edu.au
    BASE dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    SSL on
    TLS_REQCERT allow
    TLS_CACERT /etc/ssl/certs/UCC-CA.crt
Once you have both of these, ldapsearch and applications' own LDAP calls will contact samson properly.
Also use ldaps://ad.ucc.gu.uwa.edu.au to talk to it.
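As an added offline check (not part of this page or the UCC config package), the following Python script parses the sssd.conf and /etc/ldap/ldap.conf fragments above, copied inline as constructed input, and flags the settings that decide whether a client would notice a forged or misconfigured directory: ldap_tls_reqcert = allow and TLS_REQCERT allow load the CA file but do not make a bad certificate fatal, and keywords libldap does not know (such as SSL, which belongs to nss_ldap/pam_ldap) are silently ignored. The keyword list and the defaults (sssd: hard, libldap: demand) are taken from ldap.conf(5) and sssd-ldap(5) as I know them.

```python
import configparser

# Constructed copies of the sssd.conf and ldap.conf fragments from this page, trimmed to the keys checked.
SSSD_CONF = """
[domain/AD.UCC.GU.UWA.EDU.AU]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_tls_reqcert = allow
"""
LDAP_CONF = """
URI ldaps://samson.ad.ucc.gu.uwa.edu.au
BASE dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
SSL on
TLS_REQCERT allow
TLS_CACERT /etc/ssl/certs/UCC-CA.crt
"""
# Keywords libldap's ldap.conf(5) accepts besides the TLS_*/SASL_*/GSSAPI_* families.
LDAP_KEYWORDS = {"URI", "BASE", "BINDDN", "HOST", "PORT", "DEREF", "REFERRALS",
                 "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "NETWORK_TIMEOUT", "VERSION"}
STRICT = ("demand", "hard")  # the only reqcert values that make a bad certificate fatal


def check_sssd(text):
    """Return findings for every [domain/...] section of an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for sec in (s for s in cp.sections() if s.lower().startswith("domain/")):
        d = cp[sec]
        if d.get("ldap_tls_reqcert", "hard") not in STRICT:  # sssd's default is hard
            findings.append(f"{sec}: ldap_tls_reqcert = {d['ldap_tls_reqcert']} ignores "
                            "certificate errors; use demand and set ldap_tls_cacert")
    return findings


def check_ldap_conf(text):
    """Return findings for a libldap ldap.conf (used by ldapsearch, OpenVPN, ...)."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    findings = []
    if not opts.get("URI", "").startswith("ldaps://"):
        findings.append("URI is not ldaps://; binds and group data would travel in clear")
    if opts.get("TLS_REQCERT", "demand") not in STRICT:  # libldap's default is demand
        findings.append(f"TLS_REQCERT {opts['TLS_REQCERT']} ignores certificate errors; use demand")
    if "TLS_CACERT" not in opts:
        findings.append("TLS_CACERT not set; the UCC-CA certificate is never loaded")
    for key in opts:
        if key not in LDAP_KEYWORDS and not key.startswith(("TLS_", "SASL_", "GSSAPI_")):
            findings.append(f"{key}: not a libldap ldap.conf keyword, silently ignored")
    return findings
```

Run check_sssd and check_ldap_conf over the real files on a client; an empty list means the TLS settings are strict enough that a certificate not signed by UCC-CA would make the lookup fail instead of silently succeeding.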