Differences between revisions 1 and 14 (spanning 13 versions)
Revision 1 as of 2018-10-27 11:54:23
Size: 8261
Editor: frekk
Comment:
Revision 14 as of 2018-10-30 13:42:43
Size: 10027
Editor: frekk
Comment:
Deletions are marked like this. Additions are marked like this.
Line 13: Line 13:
`v.ucc.asn.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`. `dnsmasq` on the (virtualised) Proxmox VM host `vucc0.ucc.asn.au` then delegates the `ad.v.ucc.asn.au` domain to the domain controller(s).

Samson's domain is set up by:
 * `apt install samba chrony krb5-user sssd sssd-ad sssd-krb5 sssd-tools libpam-krb5 libpam-sss libnss-sss`
 * Disable the systemd units for the non-DC setup & default configuration:
 . {{{
`v.ucc.asn.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`.
 . {{{
zone "v.ucc.asn.au" {
        type forward;
        forward only;
        forwarders {
                130.95.13.35; // vucc0 (proxmox VM on maltair, running dnsmasq)
        };
};
}}}
`dnsmasq` on the (virtualised) Proxmox VM host `vucc0.ucc.asn.au` then delegates the `ad.v.ucc.asn.au` domain to the domain controller(s).
The domain controller `dc0.v.ucc.asn.au` is based off a clone of `samurai`, with clean samba configuration.

A fresh domain controller can probably be set up using the following instructions: (which is how `dc0` was configured).
'''Note:''' These instructions are valid for Samba 4.7 and 4.8.5, older versions of Samba may be missing important configuration options and newer ones may behave slightly differently.
 * Configure name resolution
   * Edit `/etc/hosts` {{{
127.0.0.1 localhost
192.168.9.2 dc0.v.ucc.asn.au dc0
192.168.9.3 dc1.v.ucc.asn.au dc1
}}}
   * Edit `/etc/resolv.conf` {{{
search ad.v.ucc.asn.au
search v.ucc.asn.au
search ucc.asn.au
# This is configured to forward ad.* queries back to us and also deals with other DNS magic, so use it instead of ourselves as primary nameserver
nameserver 192.168.9.35
}}}
 * Purge existing configs and packages: {{{
apt-get purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-*
rm -rvf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/
}}}
 * Configure the apt repositories and preferences
   * Edit `/etc/apt/preferences.d/80-ucc-samba`, add the following: {{{
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=stable-backports
Pin-Priority: 800

Package: *
Pin: release a=testing
Pin-Priority: 99

Package: *
Pin: release a=unstable
Pin-Priority: 98
}}}
  * Edit `/etc/apt/sources.list.d/debian-unstable.list`: {{{
# Testing repository - main, contrib and non-free branches
deb http://mirror.waia.asn.au/debian testing main non-free contrib
deb-src http://mirror.waia.asn.au/debian testing main non-free contrib

# Testing security updates repository
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free

# Unstable repo main, contrib and non-free branches, no security updates here
deb http://mirror.waia.asn.au/debian unstable main non-free contrib
deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
}}}
 * Install packages: {{{
apt-get update
apt-get -t testing install samba sssd-ad sssd-tools sssd-krb5 libpam-sss libnss-sss libgpgme11 smbclient
apt-get install net-tools vim less molly-guard chrony krb5-user libpam-krb5 rsync nfs-common finger sudo zsh git dnsutils mlocate
}}}

The rest of these instructions are based off the [[https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller|official Samba AD setup guide]].
 * Disable the systemd units for the non-DC setup & default configuration: {{{
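Review bot: the `/etc/resolv.conf` in this hunk lists three separate `search` lines, but resolv.conf(5) honours only the last `search` or `domain` directive, so only `ucc.asn.au` would actually be searched; put all three on one line, `search ad.v.ucc.asn.au v.ucc.asn.au ucc.asn.au`. The pin file also gives `testing` priority 99, and apt_preferences(5) installs a version pinned below 100 only when nothing is installed yet, so after `apt-get -t testing install samba` a plain `apt-get upgrade` will never move to a newer samba from testing; either say that the `-t testing` install has to be repeated to pick up fixes, or pin `samba*` from testing above 100.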
Line 25: Line 90:
rm /etc/samba/smb.conf
}}}

If upgrading from the old NT domain do:
 * `scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc`
 * `scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/`
 * `scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/`
 * Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in `/opt/smb.conf.pdc`
 * Comment out the ZFS-specific entries in `/opt/smb.conf.pdc`.
 * `samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc`

Otherwise when adding additional DC's to an existing domain:
 * Set the following settings in /etc/krb5.conf:
 . {{{
   [libdefaults]
 default_realm = ad.ucc.gu.uwa.edu.au
 dns_lookup_realm = false
 dns_lookup_kdc = true
}}}

 * verify kerberos with: `kinit <username>`
 * join the domain with: `samba-tool domain join ad.ucc.gu.uwa.edu.au DC -U"UCCDOMAYNE\username" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'`
  * You may see an error saying something about DNS not being configured, you can probably ignore it.
 * replicate the SYSVOL directory to the new DC, then fix the permissions with: `samba-tool ntacl sysvolreset`
 * start the samba service, the service may have a different name depending on the samba version used.
 . {{{
  service samba-ad-dc enable
  service samba-ad-dc start
}}}


For all domain controllers
 * copy `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` from another domain controller
}}}
 * Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation. {{{
rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -fv
}}}
 * Provision the new domain: {{{
samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD
}}}
 * Copy `/var/lib/samba/private/krb5.conf` to `/etc/krb5.conf`: {{{
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
}}}
   * Make sure `/etc/krb5.conf` looks something like this, add lines where necessary. {{{
[libdefaults]
        default_realm = AD.V.UCC.ASN.AU
        dns_lookup_realm = false
        dns_lookup_kdc = true
        rdns = false
        forwardable = yes
}}}
 * Export the domain's keytab {{{
samba-tool domain exportkeytab /etc/krb5.keytab
}}}
 * Edit `/etc/nsswitch.conf` {{{
# /etc/nsswitch.conf
# See http://wiki.ucc.asn.au/ActiveDirectoryNew

passwd: files sss
group: files sss
shadow: files
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

netgroup: nis sss
sudoers: files
}}}
 * and `/etc/sssd/sssd.conf` {{{
[sssd]
config_file_version = 2
domains = ad.v.ucc.asn.au
services = nss, pam

[domain/AD.V.UCC.ASN.AU]
enumerate = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_id_mapping = false
}}}
 * fix sssd.conf permissions {{{
chmod 600 /etc/sssd/sssd.conf
}}}
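Review bot: `default_realm = ad.ucc.gu.uwa.edu.au` in the krb5.conf for joining an extra DC is lower case, while the new-domain krb5.conf later in this hunk uses `AD.V.UCC.ASN.AU`; Kerberos realm names are case-sensitive and samba-tool provisions them in upper case, so the old-domain one should read `AD.UCC.GU.UWA.EDU.AU` (the `realm-name:` line of the `realm discover` output further down shows the same case). `service samba-ad-dc enable` is not an init-script action; the `systemctl enable samba-ad-dc` used in the later 'Start the samba service' step is the right form. Two secret-handling points: `samba-tool domain provision ... --adminpass=$PASSWORD` exposes the Administrator password in the process list and shell history, so drop the flag and let samba-tool prompt; and `samba-tool domain exportkeytab /etc/krb5.keytab` with no `--principal` writes every principal's keys, the krbtgt key included, so that file needs the same `chmod 600` the hunk applies to sssd.conf.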
Line 59: Line 150:
 * DO NOT use winbind on a Domain controller, it sucks for[[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC| multiple reasons]].  * Start the samba service: {{{
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
systemctl enable sssd
systemctl restart sssd
}}}
* DO NOT use winbind on a fomain controller, it sucks for [[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC|multiple reasons]].
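Review bot: the first line of this hunk runs the removed winbind sentence and the added 'Start the samba service:' heading together on one line, and the re-added sentence below spells 'domain' as 'fomain'; split the line and fix the typo.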
Line 63: Line 160:
Just join them to the domain. Doesn't look like you need to create a machine account before joining? Just join them to the domain. It Just Works (TM) - thanks Microsoft / Red Hat / IBM?!!
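Review bot: 'Doesn't look like you need to create a machine account before joining?' is right but deserves the reason: AD lets any authenticated user create computer objects up to ms-DS-MachineAccountQuota (10 by default), which is what makes a bare `realm join` or `net ads join` work; say so, and note that a dedicated join account or pre-created computer objects are preferable if that quota is lowered.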
Line 67: Line 164:
AD wasn't designed for Linux, and since most of our machines run Linux we have made things difficult for ourselves.

''' This is copied from [[ActiveDirectory]] and has not been tested yet, feel free to fix that.'''
Line 72: Line 172:
 . This should produce output similar to the following: {{{
ad.ucc.gu.uwa.edu.au
  type: kerberos
  realm-name: AD.UCC.GU.UWA.EDU.AU
  domain-name: ad.ucc.gu.uwa.edu.au
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
}}}

This page describes the plan to fix Active Directory at UCC, potentially used in place of the previous AD from 2019 onwards.

Note that this document and the system it describes are in an early development stage.

> In a virtually perfect world, our servers will be named after what they do and not after species of fish.

For testing, a temporary virtual domain at UCC will be configured as ad.v.ucc.asn.au with the NetBIOS domain name VUCC, on a separate virtual network using only virtual machines (nested inside other virtual machines). The primary DNS server for the domain is dc0.v.ucc.asn.au, which will also be the "primary" DC; a second DC will be dc1.v.ucc.asn.au. Hopefully both can be writable, although given the difficulty of making replication work reliably with Samba this may not be the case.

Setup Process

Domain Controllers

v.ucc.asn.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local.

    zone "v.ucc.asn.au" {
            type forward;
            forward only;
            forwarders {
                    130.95.13.35; // vucc0 (proxmox VM on maltair, running dnsmasq)
            };
    };

dnsmasq on the (virtualised) Proxmox VM host vucc0.ucc.asn.au then delegates the ad.v.ucc.asn.au domain to the domain controller(s). The domain controller dc0.v.ucc.asn.au is based off a clone of samurai, with clean samba configuration.

A fresh domain controller can probably be set up using the following instructions, which is how dc0 was configured. Note: These instructions are valid for Samba 4.7 and 4.8.5; older versions of Samba may be missing important configuration options, and newer ones may behave slightly differently.

  • Configure name resolution
    • Edit /etc/hosts

      127.0.0.1       localhost
      192.168.9.2     dc0.v.ucc.asn.au        dc0
      192.168.9.3     dc1.v.ucc.asn.au        dc1
    • Edit /etc/resolv.conf. The resolver only honours the last search line in the file, so all three domains have to go on one line:

      search ad.v.ucc.asn.au v.ucc.asn.au ucc.asn.au
      # 192.168.9.35 is configured to forward ad.* queries back to us and also deals with other DNS magic, so use it instead of ourselves as primary nameserver
      nameserver 192.168.9.35
  • Purge existing configs and packages (the patterns are quoted so the shell does not expand them against files in the current directory):

    apt-get purge 'samba*' libpam-sss libnss-sss libgpgme11 'krb5-*' 'sssd-*' 'libsss-*'
    rm -rvf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/
  • Configure the apt repositories and preferences
    • Edit /etc/apt/preferences.d/80-ucc-samba, add the following. Note that testing and unstable are pinned below 100, which makes apt take a package from them only when nothing is installed yet: a plain apt-get upgrade will never move samba to a newer testing version, so the -t testing install below has to be repeated to pick up fixes.

      Package: *
      Pin: release a=stable
      Pin-Priority: 900
      
      Package: *
      Pin: release a=stable-backports
      Pin-Priority: 800
      
      Package: *
      Pin: release a=testing
      Pin-Priority: 99
      
      Package: *
      Pin: release a=unstable
      Pin-Priority: 98
    • Edit /etc/apt/sources.list.d/debian-unstable.list:

      # Testing repository - main, contrib and non-free branches
      deb http://mirror.waia.asn.au/debian testing main non-free contrib
      deb-src http://mirror.waia.asn.au/debian testing main non-free contrib
      
      # Testing security updates repository
      deb http://security.debian.org/ testing/updates main contrib non-free
      deb-src http://security.debian.org/ testing/updates main contrib non-free
      
      # Unstable repo main, contrib and non-free branches, no security updates here
      deb http://mirror.waia.asn.au/debian unstable main non-free contrib
      deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
  • Install packages:

    apt-get update
    apt-get -t testing install samba sssd-ad sssd-tools sssd-krb5 libpam-sss libnss-sss libgpgme11 smbclient
    apt-get install net-tools vim less molly-guard chrony krb5-user libpam-krb5 rsync nfs-common finger sudo zsh git dnsutils mlocate

The rest of these instructions are based off the official Samba AD setup guide.

  • Disable the systemd units for the non-DC setup & default configuration:

    systemctl stop smbd
    systemctl stop nmbd
    systemctl stop winbind
    systemctl disable smbd
    systemctl disable nmbd
    systemctl disable winbind
  • Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation.

    rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
    find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ -type f \( -name '*.tdb' -o -name '*.ldb' \) -print -delete
  • Provision the new domain. Leave out --adminpass so that samba-tool prompts for the Administrator password instead of it ending up in the process list and the shell history:

    samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL
  • Copy /var/lib/samba/private/krb5.conf to /etc/krb5.conf:

    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    • Make sure /etc/krb5.conf looks something like this, add lines where necessary.

      [libdefaults]
              default_realm = AD.V.UCC.ASN.AU
              dns_lookup_realm = false
              dns_lookup_kdc = true
              rdns = false
              forwardable = yes
  • Export the domain's keytab. Without --principal this writes the keys of every principal in the domain, krbtgt included, into the file, so it must stay root-owned and mode 0600 like sssd.conf below:

    samba-tool domain exportkeytab /etc/krb5.keytab
  • Edit /etc/nsswitch.conf

    # /etc/nsswitch.conf
    # See http://wiki.ucc.asn.au/ActiveDirectoryNew
    
    passwd:         files sss
    group:          files sss
    shadow:         files
    gshadow:        files
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files sss
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis sss
    sudoers:        files
  • and /etc/sssd/sssd.conf. Keep the entry in domains = and the [domain/...] section name identical (both lower case here). ldap_id_mapping = false means users are only resolved if they have uidNumber/gidNumber set in AD, which is what the --use-rfc2307 provision above is for.

    [sssd]
    config_file_version = 2
    domains = ad.v.ucc.asn.au
    services = nss, pam
    
    [domain/ad.v.ucc.asn.au]
    enumerate = true
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    ldap_id_mapping = false
  • fix sssd.conf permissions

    chmod 600 /etc/sssd/sssd.conf
  • enable sssd auth in pam via pam-auth-update

  • Start the samba service:

    systemctl enable samba-ad-dc
    systemctl restart samba-ad-dc
    systemctl enable sssd
    systemctl restart sssd
  • DO NOT use winbind on a domain controller; it sucks for multiple reasons.
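A pre-flight check for three things that silently go wrong in the DC setup above: a resolv.conf with several search lines (only the last one is used), an sssd.conf whose domains = entry has no [domain/...] section spelled the same way, and secret files (sssd.conf, the exported keytab) readable by more than root. This is an added example, not code from the original page or from the UCC setup; the file paths are arguments, the --live switch is this script's own, and it checks file mode only, not ownership.

```shell
#!/bin/sh
# Added example: lint name resolution, SSSD config and secret-file permissions
# on a freshly provisioned Samba AD DC. All paths are arguments; nothing here is
# specific to UCC's hosts. Run "sh dc-preflight.sh --live" on the DC itself.

# Print the search list the resolver will actually use. resolv.conf(5) keeps only
# the LAST "search"/"domain" directive, so several "search" lines collapse to the
# final one without any warning.
resolv_search_domains() {
    awk '$1 == "search" || $1 == "domain" { last = $0 }
         END { if (last != "") { sub(/^[a-z]+[ \t]+/, "", last); print last } }' "$1"
}

# Print 1 if resolv.conf has more than one search/domain directive (so earlier
# ones are shadowed), else 0.
resolv_has_shadowed_search() {
    n=$(awk '$1 == "search" || $1 == "domain" { c++ } END { print c + 0 }' "$1")
    [ "$n" -gt 1 ] && echo 1 || echo 0
}

# Print every name in "domains =" that has no [domain/<name>] section spelled
# exactly the same way; prints nothing when the file is consistent.
sssd_missing_domain_sections() {
    awk -F= '
        /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); sections[sec] = 1; next }
        /^[ \t]*domains[ \t]*=/ {
            list = $2; gsub(/[ \t]/, "", list)
            n = split(list, names, ",")
            for (i = 1; i <= n; i++) wanted[names[i]] = 1
        }
        END {
            for (d in wanted) { key = "[domain/" d "]"; if (!(key in sections)) print d }
        }' "$1" | sort
}

# Print 1 if the file exists and has no group/other permission bits, else 0.
# (Ownership is deliberately not checked so this also runs unprivileged.)
secret_file_private() {
    [ -f "$1" ] || { echo 0; return; }
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400|0600|0400) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Run all checks: exit 0 when clean, 1 when something needs fixing.
dc_preflight() {
    resolv=$1; sssd=$2; keytab=$3; rc=0
    if [ "$(resolv_has_shadowed_search "$resolv")" = 1 ]; then
        echo "WARN $resolv: several search/domain lines; only '$(resolv_search_domains "$resolv")' is in effect"
        rc=1
    fi
    missing=$(sssd_missing_domain_sections "$sssd")
    if [ -n "$missing" ]; then
        echo "WARN $sssd: no matching [domain/...] section for: $missing"
        rc=1
    fi
    for f in "$sssd" "$keytab"; do
        if [ "$(secret_file_private "$f")" != 1 ]; then
            echo "WARN $f: must exist and be mode 0600 (it holds domain secrets)"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --live) dc_preflight /etc/resolv.conf /etc/sssd/sssd.conf /etc/krb5.keytab ;;
esac
```

Run it after the "Start the samba service" step; a clean run prints nothing and exits 0, and each WARN line names the file and what to change.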

Windows systems

Just join them to the domain. It Just Works (TM) - thanks Microsoft / Red Hat / IBM?!!

Linux systems

AD wasn't designed for Linux, and since most of our machines run Linux we have made things difficult for ourselves.

This is copied from ActiveDirectory and has not been tested yet, feel free to fix that.

Automatically using realmd

Thanks to realmd, joining machines to the domain is extremely simple.

  • Install packages: apt install realmd

  • Test to make sure you can connect to the domain: realm discover ad.ucc.gu.uwa.edu.au

  • Join to the domain using realm join -v -U <user> ad.ucc.gu.uwa.edu.au

    • realmd defaults to using sssd, which is fine
    • It installs any necessary packages.
    • IT JUST WORKS!!
      • Except for one thing: comment the line use_fully_qualified_names = True in /etc/sssd/sssd.conf (prefix with a #)

      • Then it works!
  • Done.

Manual Method

Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM. Before configuring the domain ensure the following:

  • Install the required packages: apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind

  • Ensure the system is configured according to the SOE.

  • edit /etc/krb5.conf to point to the new domain. Kerberos realm names are case-sensitive and Samba provisions them in upper case, so write the realm in upper case here:

       [libdefaults]
            default_realm = AD.UCC.GU.UWA.EDU.AU
            dns_lookup_realm = false
            dns_lookup_kdc = true
  • Make the following /etc/samba/smb.conf:

    [global]
    # Configure the domain information
            security = ads
            realm = ad.ucc.gu.uwa.edu.au
            workgroup = UCCDOMAYNE
    
    # use winbind to map users and groups
            winbind enum users = yes
            winbind enum groups = yes
            winbind use default domain = yes
            kerberos method = secrets and keytab
    
    # Config gid/sid mapping based on AD attributes
            winbind nss info = rfc2307
    
            # NOTE: Samba requires idmap ranges that do not overlap, but 13000-17999
            # lies inside 1-999999, and a domain range that starts below 1000 lets an
            # AD uidNumber/gidNumber collide with a local system account. Move the
            # default range outside the domain range and start the domain range at or
            # above the local UID_MIN before using this on a real machine.
            idmap config * : backend = tdb
            idmap config * : range = 13000-17999
            
            #idmap config for UCCDOMAYNE
            idmap config UCCDOMAYNE:backend = ad
            idmap config UCCDOMAYNE:schema_mode = rfc2307
            idmap config UCCDOMAYNE:range = 1-999999
            idmap config UCCDOMAYNE:unix_nss_info = yes
            idmap config UCCDOMAYNE:unix_primary_group = yes
  • Join the machine to the domain with: net ads join -U <username>.

  • configure pam using pam-auth-update and enable Winbind NT/AD authentication.

  • configure nsswitch.conf

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    
    passwd:         compat winbind
    group:          compat winbind
    shadow:         files
    gshadow:        files
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis
  • start the services winbindd, nmbd and smbd
  • Make sure the computer can fetch the domain users and groups with wbinfo -g and wbinfo -u
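The idmap block in the smb.conf above is the place where a domain member can be made to hand AD identities the UIDs of local accounts: overlapping ranges are rejected by Samba, and a domain range that starts below the local UID_MIN means an AD object with a low uidNumber maps onto a system account. This added example (not part of the original page, and not a Samba tool) parses the idmap config ... : range lines out of an smb.conf and reports both problems; the smb.conf path is an argument, and the 999 cut-off is an assumption taken from Debian's login.defs (UID_MIN 1000).

```shell
#!/bin/sh
# Added example: report idmap range problems in a Samba domain member's smb.conf.
# Usage: sh idmap-check.sh /etc/samba/smb.conf   (prints nothing when clean)
# LOCAL_UID_MAX is an assumption: Debian's login.defs sets UID_MIN/GID_MIN to
# 1000, so 0-999 belong to local system accounts and must never be handed to
# AD users or groups.
LOCAL_UID_MAX=999

# Print one line per problem found:
#   OVERLAP <dom1> <dom2>   the two ranges share at least one id
#   LOW <dom> <low>         the range starts inside the local system-account space
idmap_range_problems() {
    awk -v uidmax="$LOCAL_UID_MAX" '
        {
            line = $0
            sub(/[#;].*/, "", line)        # strip smb.conf comments
            gsub(/[ \t]/, "", line)        # "idmap config * : range = 1-2" -> "idmapconfig*:range=1-2"
            if (line !~ /^idmapconfig.*:range=[0-9]+-[0-9]+$/) next
            split(line, kv, ":range=")
            dom = substr(kv[1], length("idmapconfig") + 1)
            split(kv[2], r, "-")
            n++; name[n] = dom; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
        END {
            # pairwise overlap test: two closed intervals intersect iff each starts
            # before the other ends
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        print "OVERLAP " name[i] " " name[j]
            for (i = 1; i <= n; i++)
                if (lo[i] <= uidmax) print "LOW " name[i] " " lo[i]
        }' "$1"
}

case "$#" in
    1) idmap_range_problems "$1" ;;
esac
```

Run it against the smb.conf above and it reports the * range overlapping the UCCDOMAYNE range and the UCCDOMAYNE range starting at 1; fix the file until it prints nothing, then restart winbind.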

Diagnostics

Sometimes group memberships don't seem to be updated, this can often be fixed by clearing the cache:

  • sss_cache -E if using sssd

  • net cache flush if using winbind

  • Or if the above fails to have an effect, try rejoining the machine to the domain using the instructions above.