8261
Comment:
|
10027
|
Deletions are marked like this. | Additions are marked like this. |
Line 13: | Line 13: |
`v.ucc.asn.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`. `dnsmasq` on the (virtualised) Proxmox VM host `vucc0.ucc.asn.au` then delegates the `ad.v.ucc.asn.au` domain to the domain controller(s). Samson's domain is set up by: * `apt install samba chrony krb5-user sssd sssd-ad sssd-krb5 sssd-tools libpam-krb5 libpam-sss libnss-sss` * Disable the systemd units for the non-DC setup & default configuration: . {{{ |
`v.ucc.asn.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`. . {{{ zone "v.ucc.asn.au" { type forward; forward only; forwarders { 130.95.13.35; // vucc0 (proxmox VM on maltair, running dnsmasq) }; }; }}} `dnsmasq` on the (virtualised) Proxmox VM host `vucc0.ucc.asn.au` then delegates the `ad.v.ucc.asn.au` domain to the domain controller(s). The domain controller `dc0.v.ucc.asn.au` is based off a clone of `samurai`, with clean samba configuration. A fresh domain controller can probably be set up using the following instructions: (which is how `dc0` was configured). '''Note:''' These instructions are valid for Samba 4.7 and 4.8.5, older versions of Samba may be missing important configuration options and newer ones may behave slightly differently. * Configure name resolution * Edit `/etc/hosts` {{{ 127.0.0.1 localhost 192.168.9.2 dc0.v.ucc.asn.au dc0 192.168.9.3 dc1.v.ucc.asn.au dc1 }}} * Edit `/etc/resolv.conf` {{{ search ad.v.ucc.asn.au search v.ucc.asn.au search ucc.asn.au # This is configured to forward ad.* queries back to us and also deals with other DNS magic, so use it instead of ourselves as primary nameserver nameserver 192.168.9.35 }}} * Purge existing configs and packages: {{{ apt-get purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* rm -rvf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ }}} * Configure the apt repositories and preferences * Edit `/etc/apt/preferences.d/80-ucc-samba`, add the following: {{{ Package: * Pin: release a=stable Pin-Priority: 900 Package: * Pin: release a=stable-backports Pin-Priority: 800 Package: * Pin: release a=testing Pin-Priority: 99 Package: * Pin: release a=unstable Pin-Priority: 98 }}} * Edit `/etc/apt/sources.list.d/debian-unstable.list`: {{{ # Testing repository - main, contrib and non-free branches deb http://mirror.waia.asn.au/debian testing main non-free contrib deb-src http://mirror.waia.asn.au/debian testing main non-free contrib # Testing security updates repository deb http://security.debian.org/ testing/updates main contrib non-free deb-src http://security.debian.org/ testing/updates main contrib non-free # Unstable repo main, contrib and non-free branches, no security updates here deb http://mirror.waia.asn.au/debian unstable main non-free contrib deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib }}} * Install packages: {{{ apt-get update apt-get -t testing install samba sssd-ad sssd-tools sssd-krb5 libpam-sss libnss-sss libgpgme11 smbclient apt-get install net-tools vim less molly-guard chrony krb5-user libpam-krb5 rsync nfs-common finger sudo zsh git dnsutils mlocate }}} The rest of these instructions are based off the [[https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller|official Samba AD setup guide]]. * Disable the systemd units for the non-DC setup & default configuration: {{{ |
Line 25: | Line 90: |
rm /etc/samba/smb.conf }}} If upgrading from the old NT domain do: * `scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc` * `scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/` * `scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/` * Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in `/opt/smb.conf.pdc` * Comment out the ZFS-specific entries in `/opt/smb.conf.pdc`. * `samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc` Otherwise when adding additional DC's to an existing domain: * Set the following settings in /etc/krb5.conf: . {{{ [libdefaults] default_realm = ad.ucc.gu.uwa.edu.au dns_lookup_realm = false dns_lookup_kdc = true }}} * verify kerberos with: `kinit <username>` * join the domain with: `samba-tool domain join ad.ucc.gu.uwa.edu.au DC -U"UCCDOMAYNE\username" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'` * You may see an error saying something about DNS not being configured, you can probably ignore it. * replicate the SYSVOL directory to the new DC, then fix the permissions with: `samba-tool ntacl sysvolreset` * start the samba service, the service may have a different name depending on the samba version used. . {{{ service samba-ad-dc enable service samba-ad-dc start }}} For all domain controllers * copy `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` from another domain controller |
}}} * Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation. {{{ rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -fv }}} * Provision the new domain: {{{ samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD }}} * Copy `/var/lib/samba/private/krb5.conf` to `/etc/krb5.conf`: {{{ cp /var/lib/samba/private/krb5.conf /etc/krb5.conf }}} * Make sure `/etc/krb5.conf` looks something like this, add lines where necessary. {{{ [libdefaults] default_realm = AD.V.UCC.ASN.AU dns_lookup_realm = false dns_lookup_kdc = true rdns = false forwardable = yes }}} * Export the domain's keytab {{{ samba-tool domain exportkeytab /etc/krb5.keytab }}} * Edit `/etc/nsswitch.conf` {{{ # /etc/nsswitch.conf # See http://wiki.ucc.asn.au/ActiveDirectoryNew passwd: files sss group: files sss shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files sss ethers: db files rpc: db files netgroup: nis sss sudoers: files }}} * and `/etc/sssd/sssd.conf` {{{ [sssd] config_file_version = 2 domains = ad.v.ucc.asn.au services = nss, pam [domain/AD.V.UCC.ASN.AU] enumerate = true id_provider = ad auth_provider = ad chpass_provider = ad access_provider = ad ldap_id_mapping = false }}} * fix sssd.conf permissions {{{ chmod 600 /etc/sssd/sssd.conf }}} |
Line 59: | Line 150: |
* DO NOT use winbind on a Domain controller, it sucks for[[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC| multiple reasons]]. | * Start the samba service: {{{ systemctl enable samba-ad-dc systemctl restart samba-ad-dc systemctl enable sssd systemctl restart sssd }}} * DO NOT use winbind on a fomain controller, it sucks for [[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC|multiple reasons]]. |
Line 63: | Line 160: |
Just join them to the domain. Doesn't look like you need to create a machine account before joining? | Just join them to the domain. It Just Works (TM) - thanks Microsoft / Red Hat / IBM?!! |
Line 67: | Line 164: |
AD wasn't designed for Linux, and since most of our machines run Linux we have made things difficult for ourselves. ''' This is copied from [[ActiveDirectory]] and has not been tested yet, feel free to fix that.''' |
|
Line 72: | Line 172: |
. This should produce output similar to the following: {{{ ad.ucc.gu.uwa.edu.au type: kerberos realm-name: AD.UCC.GU.UWA.EDU.AU domain-name: ad.ucc.gu.uwa.edu.au configured: no server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: libnss-sss required-package: libpam-sss required-package: adcli required-package: samba-common-bin }}} |
This page describes the plan to fix Active Directory at UCC, potentially used in place of the previous AD from 2019 onwards.
Note that this document and the system it describes are in an early development stage.
> In a virtually perfect world, our servers will be named after what they do and not after species of fish.
For testing, a temporary virtual domain at UCC will be configured as ad.v.ucc.asn.au, and the domain name is VUCC, on a separate virtual network using only virtual machines (nested inside other virtual machines). The primary DNS server for domain is dc0.v.ucc.asn.au. The "primary" DC for domain will also be dc0.v.ucc.asn.au, and a second DC will be dc1.v.ucc.asn.au. Hopefully these can both be writable, although given the difficulty of making replication work reliably with Samba this may not be the case.
Setup Process
Domain Controllers
v.ucc.asn.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local.
zone "v.ucc.asn.au" { type forward; forward only; forwarders { 130.95.13.35; // vucc0 (proxmox VM on maltair, running dnsmasq) }; };
dnsmasq on the (virtualised) Proxmox VM host vucc0.ucc.asn.au then delegates the ad.v.ucc.asn.au domain to the domain controller(s). The domain controller dc0.v.ucc.asn.au is based off a clone of samurai, with clean samba configuration.
A fresh domain controller can probably be set up using the following instructions: (which is how dc0 was configured). Note: These instructions are valid for Samba 4.7 and 4.8.5, older versions of Samba may be missing important configuration options and newer ones may behave slightly differently.
- Configure name resolution
Edit /etc/hosts
127.0.0.1 localhost 192.168.9.2 dc0.v.ucc.asn.au dc0 192.168.9.3 dc1.v.ucc.asn.au dc1
Edit /etc/resolv.conf
search ad.v.ucc.asn.au search v.ucc.asn.au search ucc.asn.au # This is configured to forward ad.* queries back to us and also deals with other DNS magic, so use it instead of ourselves as primary nameserver nameserver 192.168.9.35
Purge existing configs and packages:
apt-get purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* rm -rvf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/
- Configure the apt repositories and preferences
Edit /etc/apt/preferences.d/80-ucc-samba, add the following:
Package: * Pin: release a=stable Pin-Priority: 900 Package: * Pin: release a=stable-backports Pin-Priority: 800 Package: * Pin: release a=testing Pin-Priority: 99 Package: * Pin: release a=unstable Pin-Priority: 98
Edit /etc/apt/sources.list.d/debian-unstable.list:
# Testing repository - main, contrib and non-free branches deb http://mirror.waia.asn.au/debian testing main non-free contrib deb-src http://mirror.waia.asn.au/debian testing main non-free contrib # Testing security updates repository deb http://security.debian.org/ testing/updates main contrib non-free deb-src http://security.debian.org/ testing/updates main contrib non-free # Unstable repo main, contrib and non-free branches, no security updates here deb http://mirror.waia.asn.au/debian unstable main non-free contrib deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
Install packages:
apt-get update apt-get -t testing install samba sssd-ad sssd-tools sssd-krb5 libpam-sss libnss-sss libgpgme11 smbclient apt-get install net-tools vim less molly-guard chrony krb5-user libpam-krb5 rsync nfs-common finger sudo zsh git dnsutils mlocate
The rest of these instructions are based off the official Samba AD setup guide.
Disable the systemd units for the non-DC setup & default configuration:
systemctl stop smbd systemctl stop nmbd systemctl stop winbind systemctl disable smbd systemctl disable nmbd systemctl disable winbind
Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation.
rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -fv
Provision the new domain:
samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD
Copy /var/lib/samba/private/krb5.conf to /etc/krb5.conf:
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Make sure /etc/krb5.conf looks something like this, add lines where necessary.
[libdefaults] default_realm = AD.V.UCC.ASN.AU dns_lookup_realm = false dns_lookup_kdc = true rdns = false forwardable = yes
Export the domain's keytab
samba-tool domain exportkeytab /etc/krb5.keytab
Edit /etc/nsswitch.conf
# /etc/nsswitch.conf # See http://wiki.ucc.asn.au/ActiveDirectoryNew passwd: files sss group: files sss shadow: files gshadow: files hosts: files dns networks: files protocols: db files services: db files sss ethers: db files rpc: db files netgroup: nis sss sudoers: files
and /etc/sssd/sssd.conf
[sssd] config_file_version = 2 domains = ad.v.ucc.asn.au services = nss, pam [domain/AD.V.UCC.ASN.AU] enumerate = true id_provider = ad auth_provider = ad chpass_provider = ad access_provider = ad ldap_id_mapping = false
fix sssd.conf permissions
chmod 600 /etc/sssd/sssd.conf
enable sssd auth in pam via pam-auth-update
Start the samba service:
systemctl enable samba-ad-dc systemctl restart samba-ad-dc systemctl enable sssd systemctl restart sssd
DO NOT use winbind on a fomain controller, it sucks for multiple reasons.
Windows systems
Just join them to the domain. It Just Works (TM) - thanks Microsoft / Red Hat / IBM?!!
Linux systems
AD wasn't designed for Linux, and since most of our machines run Linux we have made things difficult for ourselves.
This is copied from ActiveDirectory and has not been tested yet, feel free to fix that.
Automatically using realmd
Thanks to realmd, joining machines to the domain is extremely simple.
Install packages: apt install realmd
Test to make sure you can connect to the domain: realm discover ad.ucc.gu.uwa.edu.au
Join to the domain using realm join -v -U <user> ad.ucc.gu.uwa.edu.au
- realmd defaults to using sssd, which is fine
- It installs any necessary packages.
- IT JUST WORKS!!
Except for one thing: comment the line use_fully_qualified_names = True in /etc/sssd/sssd.conf (prefix with a #)
- Then it works!
- Done.
Manual Method
Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM Before configuring the domain ensure the following:
Install the required packages: apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind
Ensure the system is configured according to the SOE.
edit /etc/krb5.conf to point to the new domain:
[libdefaults] default_realm = ad.ucc.gu.uwa.edu.au dns_lookup_realm = false dns_lookup_kdc = true
Make the following /etc/samba/smb.conf:
[global] # Configure the domain infomation security = ads realm = ad.ucc.gu.uwa.edu.au workgroup = UCCDOMAYNE # use winbind to map users and groups winbind enum users = yes winbind enum groups = yes winbind use default domain = yes kerberos method = secrets and keytab #Config gid/sid mapping based on AD attributes winbind nss info = rfc2307 idmap config * : backend = tdb idmap config * : range = 13000-17999 #idmap config for UCCDOMAYNE idmap config UCCDOMAYNE:backend = ad idmap config UCCDOMAYNE:schema_mode = rfc2307 idmap config UCCDOMAYNE:range = 1-999999 idmap config UCCDOMAYNE:unix_nss_info = yes idmap config UCCDOMAYNE:unix_primary_group = yes
Join the machine to the domain with: net ads join -U <username>.
configure pam using pam-auth-update and enable Winbind NT/AD authentication.
configure nsswitch.conf
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: files gshadow: files hosts: files mdns4_minimal [NOTFOUND=return] dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
- start the services:
winbindd nmbd smbd
- Make sure the computer can fetch the domain users and groups with:
wbinfo -g` and `wbinfo -u`
Diagnostics
Sometimes group memberships don't seem to be updated, this can often be fixed by clearing the cache:
sss_cache -E if using sssd
net cache flush if using winbind
- Or if the above fails to have an effect, try rejoining to the domain using the instructions below.