This page describes the plan to fix Active Directory at UCC, potentially used in place of the previous AD from 2019 onwards.
Note that this document and the system it describes are in an early development stage.
> In a virtually perfect world, our servers will be named after what they do and not after species of fish.
For testing, a subdomain for the "Virtual" AD will be configured as ad.v.ucc.asn.au with NETBIOS domain name VUCC, on a separate virtual network using a virtualised Proxmox VE instance (yes, running VMs inside of VMs). The primary DNS server for domain is vucc0.v.ucc.asn.au, which is also the (virtual) Proxmox VE host. The "primary" DC for domain will also be dc0.v.ucc.asn.au, and a second DC will be dc1.v.ucc.asn.au. Note that whilst RODCs can be configured using Samba, replication makes things just so much cooler (and more prone to inexplicable breakage) so we might be stuck with that for the time being.
v.ucc.asn.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local.
zone "v.ucc.asn.au" {
    type forward;
    forward only;
    forwarders {
        130.95.13.35; // vucc0 (proxmox VM on maltair, running dnsmasq)
    };
};
dnsmasq on the (virtualised) Proxmox VM host vucc0.ucc.asn.au then delegates the ad.v.ucc.asn.au domain to the domain controller(s).
Setup Process
Domain Controllers
Clean Installation of samba & dependencies
The domain controller dc0.v.ucc.asn.au is based off a clone of samurai, cleaned up and configured using the steps below.
A fresh domain controller can probably be set up using the same steps. Note: these instructions are valid for Samba 4.7 and 4.8.5; older versions of Samba may be missing important configuration options and newer ones may behave slightly differently.
- Configure name resolution
Edit /etc/hosts
127.0.0.1       localhost
192.168.9.2     dc0.v.ucc.asn.au dc0
192.168.9.3     dc1.v.ucc.asn.au dc1
Edit /etc/resolv.conf
# resolv.conf only honours the last 'search' directive, so all domains go on one line
search ad.v.ucc.asn.au v.ucc.asn.au ucc.asn.au
# This is configured to forward ad.* queries back to us and also deals with other DNS magic,
# so use it instead of ourselves as primary nameserver
nameserver 192.168.9.35
Purge existing configs and packages:
# the patterns are quoted so the shell does not expand them against files in the current directory
apt-get purge 'samba*' libpam-sss libnss-sss libgpgme11 'krb5-*' 'sssd-*' 'libsss-*' winbind
rm -rvf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ /var/lib/sss
- Configure the apt repositories and preferences
Edit /etc/apt/preferences.d/80-ucc-samba, add the following:
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=stable-backports
Pin-Priority: 800

Package: *
Pin: release a=testing
Pin-Priority: 99

Package: *
Pin: release a=unstable
Pin-Priority: 98
Edit /etc/apt/sources.list.d/debian-unstable.list:
# Testing repository - main, contrib and non-free branches
deb http://mirror.waia.asn.au/debian testing main non-free contrib
deb-src http://mirror.waia.asn.au/debian testing main non-free contrib

# Testing security updates repository
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free

# Unstable repo main, contrib and non-free branches, no security updates here
deb http://mirror.waia.asn.au/debian unstable main non-free contrib
deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
Install packages:
apt-get update && apt-get -y upgrade
apt-get -t testing install samba sssd-ad sssd-tools sssd-krb5 krb5-user libpam-krb5 libpam-sss libnss-sss libgpgme11 smbclient winbind
apt-get install net-tools vim less molly-guard chrony rsync csync2 nfs-common finger sudo zsh git dnsutils mlocate
The rest of these instructions are based off the official Samba AD setup guide.
Disable the systemd units for the non-DC setup & default configuration:
systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation.
rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -fv
Provisioning a new AD Domain
Note: Don't do this unless you want to set up a fresh domain, in which case you will need to change all the settings below to appropriate values.
Provision the new domain:
samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD
Copy /var/lib/samba/private/krb5.conf to /etc/krb5.conf:
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
Make sure /etc/krb5.conf looks something like this, adding lines where necessary.
[libdefaults]
    default_realm = AD.V.UCC.ASN.AU
    dns_lookup_realm = false
    dns_lookup_kdc = true
    rdns = false
    forwardable = yes
Export the domain's keytab
samba-tool domain exportkeytab /etc/krb5.keytab
Edit /etc/nsswitch.conf
# /etc/nsswitch.conf
# See http://wiki.ucc.asn.au/ActiveDirectoryNew

passwd:         files sss
group:          files sss
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files
and /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = ad.v.ucc.asn.au
services = nss, pam, pac

[domain/AD.V.UCC.ASN.AU]
enumerate = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_id_mapping = false
Fix the sssd.conf permissions:
chmod 600 /etc/sssd/sssd.conf
Enable sssd authentication in PAM via pam-auth-update.
Start the samba service:
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
systemctl enable sssd
systemctl restart sssd
DO NOT use winbind on a domain controller, it sucks for multiple reasons.
Joining a new DC to an existing AD domain
Copy /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf from an existing domain controller.
Verify Kerberos with:
kinit <username>
Join the domain with:
samba-tool domain join ad.v.ucc.asn.au DC -U"VUCC\Administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
- You may see an error saying something about DNS not being configured, you can probably ignore it.
Replicate the SYSVOL directory to the new DC, then fix the permissions with:
samba-tool ntacl sysvolreset
- Start the samba service (the service may have a different name depending on the Samba version used):
samba-tool domain exportkeytab /etc/krb5.keytab
chmod 600 /etc/sssd/sssd.conf
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
systemctl enable sssd
systemctl restart sssd
Enable sssd authentication in PAM via pam-auth-update.
Sysvol replication
Samba doesn't support sysvol replication and probably never will, but they have some (old) suggested workarounds. At the most basic level, the directory /var/lib/samba/sysvol must be synchronised between DCs to keep things working smoothly. Unfortunately the filesystem needs to support xattr and POSIX ACLs so using a simple NFS share isn't possible, and rsync is painful when it comes to two-way synchronisation.
Fortunately csync2 does exactly what we want (minus ACLs/xattr, but those can be fixed using samba-tool ntacl sysvolreset). Here's how you can set it up.
Put the following into /etc/csync2.cfg (updating the domain controller hostnames as appropriate); see the csync2 documentation.
#### csync2 configuration
# disable SSL between the DCs (csync2 otherwise expects a certificate on every node);
# with this line active the PSK and the sysvol content cross the wire unencrypted
nossl dc[01] dc[01];

group vucc-domain-controllers {
    host dc0 dc1;
    key /etc/csync2.key-vucc;

    include /var/lib/samba/sysvol;

    # restart samba-ad-dc if changes to the configuration file /etc/samba/smb.conf are synced
    # (this only fires if /etc/samba/smb.conf is also listed in an include line above)
    action {
        pattern /etc/samba/smb.conf;
        exec "/bin/systemctl reload samba-ad-dc";
        do-local;
    }

    # fix xattrs on files when they are updated
    action {
        pattern /var/lib/samba/sysvol;
        exec "/usr/bin/samba-tool ntacl sysvolreset";
        do-local;
    }

    # Store backups (with logical names) somewhere reasonable
    backup-directory /var/lib/samba/sysvol-backups;
    backup-generations 3;

    # automatically resolve conflicts by overwriting older files with newer ones
    auto younger;
}
Edit the crontab on one node:
dc0# crontab -e
# sync every minute
* * * * * /usr/sbin/csync2 -x
csync2 runs as an inetd service, so check that the following line is present in /etc/inetd.conf on all servers in the cluster:
csync2 stream tcp nowait root /usr/sbin/csync2 csync2 -i -l
Generate a csync2 pre-shared key (PSK) and copy it and /etc/csync2.cfg to all the DCs in the cluster:
csync2 -k /etc/csync2.key-vucc
# scp takes a single destination, so copy to each DC in turn (extend the list with the remaining DCs)
for dc in dc1 dc2 dc3; do
    scp /etc/csync2.key-vucc /etc/csync2.cfg "$dc:/etc/"
done
Make sure the directory /var/lib/samba/sysvol-backups exists on all nodes of the cluster.
Done! It should work now.
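A pre-flight check for the csync2 setup above, as an added example (not code from the wiki page or from csync2/Samba); its argument defaults are the paths used on this page and can be overridden, and it runs on any DC before the first csync2 -x:

```shell
#!/bin/sh
# Pre-flight check for the csync2 sysvol setup. Added example, not from the
# wiki page or the csync2/Samba projects; argument defaults are the paths used above.

# usage: csync2_preflight [CFG] [KEY] [BACKUPDIR] [INETDCONF]
# Returns 0 when the setup looks complete, 1 otherwise; problems go to stderr.
csync2_preflight() {
    cfg=${1:-/etc/csync2.cfg}
    key=${2:-/etc/csync2.key-vucc}
    backups=${3:-/var/lib/samba/sysvol-backups}
    inetd=${4:-/etc/inetd.conf}
    rc=0
    # The PSK is what authenticates a peer DC; it must be readable by root only.
    if [ ! -f "$key" ]; then
        echo "missing key file $key" >&2; rc=1
    else
        mode=$(stat -c %a "$key")
        if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
            echo "$key is mode $mode, expected 600 or 400" >&2; rc=1
        fi
    fi

    # The config must use that key and include the sysvol tree.
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg" >&2; rc=1
    else
        if ! grep -q "^[[:space:]]*key[[:space:]]*$key;" "$cfg"; then
            echo "$cfg does not reference key $key" >&2; rc=1
        fi
        if ! grep -q "^[[:space:]]*include[[:space:]]*/var/lib/samba/sysvol;" "$cfg"; then
            echo "$cfg does not include /var/lib/samba/sysvol" >&2; rc=1
        fi
        # an active nossl line means sysvol (GPO) content and the PSK cross the wire in clear
        if grep -q "^[[:space:]]*nossl" "$cfg"; then
            echo "warning: nossl is active in $cfg" >&2
        fi
    fi

    # 'auto younger' keeps the overwritten copies here; the page says to create it on every node.
    if [ ! -d "$backups" ]; then
        echo "backup directory $backups missing" >&2; rc=1
    fi

    # inetd starts csync2 on demand; without this entry peers cannot connect.
    if ! grep -q "^csync2[[:space:]].*/usr/sbin/csync2" "$inetd" 2>/dev/null; then
        echo "no csync2 entry in $inetd" >&2; rc=1
    fi
    return $rc
}
```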
To manually replicate the sysvol directories between DCs:
# scp has no -a option; -p keeps timestamps, and the destination is the parent directory
# so an existing sysvol on dc1 does not end up with a nested sysvol/sysvol copy
dc0# scp -pr /var/lib/samba/sysvol dc1:/var/lib/samba/
dc1# samba-tool ntacl sysvolreset
Windows systems
Just join them to the domain. It Just Works (TM) - thanks Microsoft / Red Hat / IBM?!!
Linux systems
AD wasn't designed for Linux, and since most of our machines run Linux we have made things difficult for ourselves.
This is copied from ActiveDirectory and has not been tested yet, feel free to fix that.
Automatically using realmd
Thanks to realmd, joining machines to the domain is extremely simple.
Install packages: apt install realmd
Test to make sure you can connect to the domain: realm discover ad.ucc.gu.uwa.edu.au
Join to the domain using realm join -v -U <user> ad.ucc.gu.uwa.edu.au
- realmd defaults to using sssd, which is fine
- It installs any necessary packages.
- IT JUST WORKS!!
Except for one thing: comment out the line use_fully_qualified_names = True in /etc/sssd/sssd.conf (prefix it with a #).
- Then it works!
- Done.
Manual Method
Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM.
Before configuring the domain, ensure the following:
Install the required packages: apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind
Ensure the system is configured according to the SOE.
Edit /etc/krb5.conf to point to the new domain:
[libdefaults]
    # realm names are case-sensitive; an AD realm is the upper-case form of the DNS domain
    default_realm = AD.UCC.GU.UWA.EDU.AU
    dns_lookup_realm = false
    dns_lookup_kdc = true
Make the following /etc/samba/smb.conf:
[global]
# Configure the domain information
security = ads
realm = ad.ucc.gu.uwa.edu.au
workgroup = UCCDOMAYNE

# use winbind to map users and groups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
kerberos method = secrets and keytab

# Config gid/sid mapping based on AD attributes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 13000-17999

# idmap config for UCCDOMAYNE
idmap config UCCDOMAYNE:backend = ad
idmap config UCCDOMAYNE:schema_mode = rfc2307
# note: this range overlaps the * range above and the local system UID range (0-999),
# so AD uidNumber values must be kept clear of local accounts
idmap config UCCDOMAYNE:range = 1-999999
idmap config UCCDOMAYNE:unix_nss_info = yes
idmap config UCCDOMAYNE:unix_primary_group = yes
Join the machine to the domain with: net ads join -U <username>.
Configure PAM using pam-auth-update and enable Winbind NT/AD authentication.
Configure /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
- Start the services: winbindd, nmbd and smbd.
- Make sure the computer can fetch the domain users and groups with:
wbinfo -g and wbinfo -u
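An added check (not from the wiki page or from Samba) that parses the idmap ranges out of an smb.conf like the one above and reports ranges that overlap each other or that contain a local account's UID; it assumes the smb.conf and passwd file paths are passed as arguments:

```shell
#!/bin/sh
# Sanity check for the idmap ranges in an smb.conf. Added example, not from
# the wiki page or from Samba; file paths are passed in as arguments.

# Print "DOMAIN LOW HIGH" for each 'idmap config DOMAIN:range = LOW-HIGH' line.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]:]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1"
}

# usage: idmap_check SMBCONF PASSWD
# Returns 1 (listing the offenders) if any local account's UID lies inside an
# idmap range, or if two ranges overlap each other; 0 when both checks pass.
idmap_check() {
    smbconf=$1; passwd=$2; rc=0

    # A local UID inside a domain range is an identity collision waiting to
    # happen: a domain user with that uidNumber owns the local user's files.
    while read -r dom lo hi; do
        [ -n "$hi" ] || continue
        if awk -F: -v d="$dom" -v lo="$lo" -v hi="$hi" '
            $3 >= lo && $3 <= hi {
                print "local " $1 " (uid " $3 ") inside " d " range " lo "-" hi; found = 1
            }
            END { exit !found }' "$passwd"; then
            rc=1
        fi
    done <<EOF
$(idmap_ranges "$smbconf")
EOF

    # Ranges must not overlap: winbind needs each ID to belong to exactly one backend.
    if ! idmap_ranges "$smbconf" | awk '
        { d[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    print "ranges " d[i] " and " d[j] " overlap"; bad = 1
                }
            exit bad
        }'; then
        rc=1
    fi
    return $rc
}
```

Run against the smb.conf above with the system's /etc/passwd, it flags that the 1-999999 range swallows both the 13000-17999 default range and the local system accounts.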
Diagnostics
Sometimes group memberships don't seem to be updated, this can often be fixed by clearing the cache:
sss_cache -E if using sssd
net cache flush if using winbind
- Or, if the above has no effect, try rejoining the domain using the instructions below.