Differences between revisions 22 and 32 (spanning 10 versions)
Revision 22 as of 2018-10-30 18:09:35
Size: 11592
Editor: frekk
Comment:
Revision 32 as of 2022-11-10 10:00:22
Size: 10822
Editor: 192
Comment: set samba-ad-dc restart on-failure
Line 1: Line 1:
This page describes the plan to fix Active Directory at UCC, potentially used in place of the previous AD from 2019 onwards.

'''Note that this document and the system it describes are in an early development stage.'''
## page was renamed from ActiveDirectoryNew
Line 7: Line 5:
> In a virtually perfect world, our servers will be named after what they do and not after species of fish.

For testing, a temporary virtual domain at UCC will be configured as `ad.v.ucc.asn.au`, and the domain name is `VUCC`, on a separate virtual network using only virtual machines (nested inside other virtual machines).
The primary DNS server for domain is `dc0.v.ucc.asn.au`.
The "primary" DC for domain will also be `dc0.v.ucc.asn.au`, and a second DC will be `dc1.v.ucc.asn.au`. Hopefully these can both be writable, although given the difficulty of making replication work reliably with Samba this may not be the case.

`v.ucc.asn.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`.
 . {{{
zone "v.ucc.asn.au" {
        type forward;
        forward only;
        forwarders {
                130.95.13.35; // vucc0 (proxmox VM on maltair, running dnsmasq)
        };
};
}}}
`dnsmasq` on the (virtualised) Proxmox VM host `vucc0.ucc.asn.au` then delegates the `ad.v.ucc.asn.au` domain to the domain controller(s).
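Review bot: the `v.ucc.asn.au` forward zone lists a single forwarder (`130.95.13.35`, vucc0), so when that VM is down every lookup under `v.ucc.asn.au` from Mooneye fails, including the `ad.v.ucc.asn.au` zone the DCs serve; list a second forwarder in the `forwarders { ... };` block, or at least document that vucc0's dnsmasq is a single point of failure for the whole test domain.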

Line 27: Line 6:
=== Domain Controllers ===
==== C
lean Installation of samba & dependencies ====
The domain controller `dc0.v.ucc.asn.au` is based off a clone of `samurai`, cleaned up and configured using the steps below.
=== Clean Installation of samba & dependencies ===
The domain controller `dc0.v.ucc.asn.au` is based off a clone of `samurai`, cleaned up and configured using the steps below. `dc1.v.ucc.asn.au` was set up as a fresh install based on [[https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/|Debian 9.5.0]] (netinst).
Line 47: Line 25:
apt-get purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* winbind
rm -rvf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ /var/lib/sss
apt-get -y purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* winbind
rm -rf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ /var/lib/sss
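Review bot: the globs in `apt-get -y purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* winbind` are unquoted, so if the working directory contains files matching `samba*` or `krb5-*` the shell expands them to filenames before apt-get sees them; quote each pattern (`'samba*'`, `'krb5-*'`, `'sssd-*'`, `'libsss-*'`) so apt-get does the matching. Dropping `-v` from the `rm -rf` line also drops the only record of what was removed under `/var/lib/samba/`, which includes `private/` and its keytabs; acceptable for a clean install, but worth a sentence in the bullet.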
Line 83: Line 61:
apt-get -t testing install samba sssd-ad sssd-tools sssd-krb5 krb5-user libpam-krb5 libpam-sss libnss-sss libgpgme11 smbclient winbind
apt-get install net-tools vim less molly-guard chrony rsync csync2 nfs-common finger sudo zsh git dnsutils mlocate
apt-get -y -t testing install samba sssd-ad sssd-tools sssd-krb5 krb5-user libpam-krb5 libpam-sss libnss-sss libgpgme11 smbclient winbind
apt-get -y install net-tools vim less molly-guard chrony rsync csync2 nfs-common finger sudo zsh git dnsutils mlocate
Line 96: Line 74:
 * Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation. {{{  * Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation. (note: when installing the packages, some of these files may have been recreated since the purge step above, so don't skip this step. {{{
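Review bot: the parenthetical added to this bullet, `(note: when installing the packages, some of these files may have been recreated since the purge step above, so don't skip this step.`, is never closed; add the `)` after `don't skip this step`.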
Line 98: Line 76:
find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -fv
}}}

==== Provisioning a new AD Domain ====
find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -f
}}}

=== Provisioning a new AD Domain ===
Make sure you start with a [[#Clean_Installation_of_samba_.26_dependencies|clean installation]].
'''Note: Don't do this unless you want to set up a fresh domain, in which case you will need to change all the settings below to appropriate values.'''
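Review bot: `find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -f` matches the substrings `tdb` and `ldb` anywhere in a path rather than the `*.tdb`/`*.ldb` files the bullet describes, and `xargs` splits on whitespace, so any path containing a space is mangled; `find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ -type f \( -name '*.tdb' -o -name '*.ldb' \) -delete` does exactly what the text says without the intermediate list.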
Line 164: Line 144:
 * DO NOT use winbind on a domain controller, it sucks for [[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC|multiple reasons]].

==== Joining a new DC to an existing AD domain ====
 * DO NOT use winbind on a domain controller, it sucks for [[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC|multiple reasons]]. Note that `winbindd` will still run for internal use by samba - it just isn't being used for nss.

 * Make it restart automatically if something crashes: {{{systemctl edit samba-ad-dc}}} {{{
# this will end up in /etc/systemd/system/samba-ad-dc.service.d/override.conf when it gets saved
[Service]
Restart=on-failure
}}}

=== Joining a new DC to an existing AD domain ===
Make sure you start with a [[#Clean_Installation_of_samba_.26_dependencies|clean installation]].
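Review bot: the `systemctl edit samba-ad-dc` override sets `Restart=on-failure` without a `RestartSec`, so a crash-looping samba is restarted every 100 ms until systemd's start rate limit leaves the unit failed for good; add `RestartSec=5` under `[Service]` so the DC gets a chance to come up and the journal stays readable.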
Line 185: Line 172:

==== Sysvol replication ====
Samba doesn't support sysvol replication and probably never will, so someday I need to fix it, probably using one of the [[https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)|suggested workarounds]].
=== Sysvol replication ===
Samba doesn't support sysvol replication and probably never will, but they have some (old) [[https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)|suggested workarounds]]. At the most basic level, the directory `/var/lib/samba/sysvol` must be synchronised between DCs to keep things working smoothly. Unfortunately the filesystem needs to support xattr and POSIX ACLs so using a simple NFS share isn't possible, and `rsync` is painful when it comes to two-way synchronisation.

Fortunately `csync2` does exactly what we want (minus ACLs/xattr, but those can be fixed using `samba-tool ntacl sysvolreset`). Here's how you can set it up.
 * put the following into `/etc/csync2.cfg` (and update with the correct domain controller hostnames): see the [[https://web.archive.org/web/20160316143058/http://oss.linbit.com/csync2/paper.pdf|documentation]] {{{
#### csync2 configuration
# disable
nossl dc[01] dc[01];
group vucc-domain-controllers
{
        host dc0 dc1;
        key /etc/csync2.key-vucc;
        include /var/lib/samba/sysvol;

        # restart samba-ad-dc if changes to the configuration file /etc/samba/smb.conf are synced
        action
        {
                pattern /etc/samba/smb.conf;
                exec "/bin/systemctl samba-ad-dc reload";
                do-local;
        }

        # fix xattrs on files when they are updated
        action
        {
                pattern /var/lib/samba/sysvol;
                exec "/usr/bin/samba-tool ntacl sysvolreset";
                do-local;
        }

        # Store backups (with logical names) somewhere reasonable
        backup-directory /var/lib/samba/sysvol-backups;
        backup-generations 3;

        # automatically resolve conflicts by overwriting older files with newer ones
        auto younger;
}
}}}
 * edit the crontab on one node: {{{
dc0# crontab -e
# sync every minute
* * * * * /usr/sbin/csync2 -x
}}}
 * csync2 is run as an inetd service, so you can check that the following line is present in `/etc/inetd.conf` on all servers in the cluster {{{
csync2 stream tcp nowait root /usr/sbin/csync2 csync2 -i -l
}}}
 * generate a csync2 pre-shared key (PSK) and copy it and `/etc/csync2.cfg` to all the DCs in the cluster: {{{
csync2 -k /etc/csync2.key-vucc
scp /etc/csync2.key-vucc /etc/csync2.cfg dc1:/etc dc2:/etc dc3:/etc ...
}}}
 * make sure the directory `/var/lib/samba/sysvol-backups` exists on all nodes of the cluster
 * Done! It ''should'' work now.
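Review bot: `exec "/bin/systemctl samba-ad-dc reload";` has the arguments reversed (systemctl takes the verb first: `systemctl reload samba-ad-dc`), so the action fails every time it fires; and it can only fire if `/etc/samba/smb.conf` is synced, yet the group's only `include` is `/var/lib/samba/sysvol`, so either add `include /etc/samba/smb.conf;` or drop the action (the comment says "restart" while the command reloads; pick one). `scp /etc/csync2.key-vucc /etc/csync2.cfg dc1:/etc dc2:/etc dc3:/etc ...` does not fan out to several hosts: scp treats everything but the last argument as a source, so it would try to copy `dc1:/etc` and `dc2:/etc` onto dc3; loop over the hosts instead. `nossl dc[01] dc[01];`, whose comment is cut off at `# disable`, turns off TLS between the DCs, so sysvol (group policy) crosses the network in the clear authenticated only by the PSK; say so in the comment or leave SSL on.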
Line 192: Line 228:
}}}

=== Windows systems ===

Just join them to the domain. It Just Works (TM) - thanks Microsoft / Red Hat / IBM?!!

=== Linux systems ===

AD wasn't designed for Linux, and since most of our machines run Linux we have made things difficult for ourselves.

''' This is copied from [[ActiveDirectory]] and has not been tested yet, feel free to fix that.'''
==== Automatically using realmd ====

Thanks to [[https://freedesktop.org/software/realmd/docs|realmd]], joining machines to the domain is extremely simple.
 * Install packages: `apt install realmd`
 * Test to make sure you can connect to the domain: `realm discover ad.ucc.gu.uwa.edu.au`
 * Join to the domain using `realm join -v -U <user> ad.ucc.gu.uwa.edu.au`
   * realmd defaults to using sssd, which is fine
   * It installs any necessary packages.
   * IT JUST WORKS!!
    * Except for one thing: comment the line `use_fully_qualified_names = True` in `/etc/sssd/sssd.conf` (prefix with a `#`)
    * Then it works!
 * Done.

==== Manual Method ====

Based on the instructions from [[https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member]] and [[https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM]]
Before configuring the domain ensure the following:
 * Install the required packages: `apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind`

 * Ensure the system is configured according to the [[StandardOperatingEnvironment|SOE]].

 * edit `/etc/krb5.conf` to point to the new domain:
 . {{{
   [libdefaults]
 default_realm = ad.ucc.gu.uwa.edu.au
 dns_lookup_realm = false
 dns_lookup_kdc = true
}}}

 * Make the following `/etc/samba/smb.conf`:
 . {{{
[global]
# Configure the domain infomation
        security = ads
        realm = ad.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

#Config gid/sid mapping based on AD attributes
        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        
        #idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config UCCDOMAYNE:unix_nss_info = yes
        idmap config UCCDOMAYNE:unix_primary_group = yes

}}}

 * Join the machine to the domain with: `net ads join -U <username>`.

 * configure pam using `pam-auth-update` and enable `Winbind NT/AD authentication`.

 * configure `nsswitch.conf`
 . {{{
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: files
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

}}}
 * start the services:
 . {{{
winbindd
nmbd
smbd
}}}

 * Make sure the computer can fetch the domain users and groups with:
 . {{{
wbinfo -g` and `wbinfo -u`
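Review bot: in the member-server `smb.conf`, `idmap config * : range = 13000-17999` overlaps `idmap config UCCDOMAYNE:range = 1-999999`; Samba requires idmap ranges not to overlap and the `*` default range must also stay clear of local `/etc/passwd` UIDs, so the domain range needs to start above the default one (or the default must move out of 1-999999). `default_realm = ad.ucc.gu.uwa.edu.au` is lower-case while Kerberos realms are case-sensitive and upper-case by convention (the DC's own krb5.conf on this page uses `AD.V.UCC.ASN.AU`). Both that realm and `workgroup = UCCDOMAYNE` belong to the old domain rather than the `ad.v.ucc.asn.au`/`VUCC` test domain the rest of the page describes, which the "copied from ActiveDirectory and has not been tested" note admits but the bullets do not. The last block is mis-fenced: `wbinfo -g` and `wbinfo -u` sit inside a `{{{` that never closes, with stray backticks, and the `[libdefaults]` block above it has inconsistent indentation.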
Line 306: Line 235:

Sometimes, everything may break rather catastrophically. This may be due to the keytabs at `/etc/krb5.keytab` and `/var/lib/samba/private/secrets.keytab` becoming out of sync.
 * The current solution (on samson) is to symlink the keytabs as follows: {{{
# ln -s /etc/krb5.keytab /var/lib/samba/private/secrets.keytab
# ls -l /etc/krb5.keytab
lrwxrwxrwx 1 root root 37 Nov 26 16:51 /etc/krb5.keytab -> /var/lib/samba/private/secrets.keytab
}}}
 * Verify that the host principal is present in the keytab: {{{
# klist -k | grep -i $(hostname)
   3 [email protected]
}}}
 * The same principal and variations including the same hostname may appear multiple times. This is normal (and maybe necessary?).
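Review bot: `ln -s /etc/krb5.keytab /var/lib/samba/private/secrets.keytab` makes `secrets.keytab` a link to `/etc/krb5.keytab`, but the `ls -l` output on the next line shows the opposite direction (`/etc/krb5.keytab -> /var/lib/samba/private/secrets.keytab`, and the 37-byte link size matches that target); one of the two is wrong, and since Samba maintains `secrets.keytab` the command should read `ln -sf /var/lib/samba/private/secrets.keytab /etc/krb5.keytab`, after setting aside the file `exportkeytab` wrote. The `klist -k` sample output has been mangled into `[email protected]` by e-mail obfuscation, so it no longer shows which principal to look for; write it out in the form `host/<fqdn>@<REALM>`.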

Setup Process

Clean Installation of samba & dependencies

The domain controller dc0.v.ucc.asn.au is based off a clone of samurai, cleaned up and configured using the steps below. dc1.v.ucc.asn.au was set up as a fresh install based on Debian 9.5.0 (netinst).

A fresh domain controller can probably be set up using the same steps. Note: these instructions are valid for Samba 4.7 and 4.8.5; older versions of Samba may be missing important configuration options and newer ones may behave slightly differently.

  • Configure name resolution
    • Edit /etc/hosts

      127.0.0.1       localhost
      192.168.9.2     dc0.v.ucc.asn.au        dc0
      192.168.9.3     dc1.v.ucc.asn.au        dc1
    • Edit /etc/resolv.conf

      search ad.v.ucc.asn.au
      search v.ucc.asn.au
      search ucc.asn.au
      # This is configured to forward ad.* queries back to us and also deals with other DNS magic, so use it instead of ourselves as primary nameserver
      nameserver 192.168.9.35
  • Purge existing configs and packages:

    apt-get -y purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* winbind
    rm -rf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ /var/lib/sss
  • Configure the apt repositories and preferences
    • Edit /etc/apt/preferences.d/80-ucc-samba, add the following:

      Package: *
      Pin: release a=stable
      Pin-Priority: 900
      
      Package: *
      Pin: release a=stable-backports
      Pin-Priority: 800
      
      Package: *
      Pin: release a=testing
      Pin-Priority: 99
      
      Package: *
      Pin: release a=unstable
      Pin-Priority: 98
    • Edit /etc/apt/sources.list.d/debian-unstable.list:

      # Testing repository - main, contrib and non-free branches
      deb http://mirror.waia.asn.au/debian testing main non-free contrib
      deb-src http://mirror.waia.asn.au/debian testing main non-free contrib
      
      # Testing security updates repository
      deb http://security.debian.org/ testing/updates main contrib non-free
      deb-src http://security.debian.org/ testing/updates main contrib non-free
      
      # Unstable repo main, contrib and non-free branches, no security updates here
      deb http://mirror.waia.asn.au/debian unstable main non-free contrib
      deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
  • Install packages:

    apt-get update && apt-get -y upgrade
    apt-get -y -t testing install samba sssd-ad sssd-tools sssd-krb5 krb5-user libpam-krb5 libpam-sss libnss-sss libgpgme11 smbclient winbind
    apt-get -y install net-tools vim less molly-guard chrony rsync csync2 nfs-common finger sudo zsh git dnsutils mlocate

The rest of these instructions are based off the official Samba AD setup guide.

  • Disable the systemd units for the non-DC setup & default configuration:

    systemctl stop smbd
    systemctl stop nmbd
    systemctl stop winbind
    systemctl disable smbd
    systemctl disable nmbd
    systemctl disable winbind
  • Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation (note: when installing the packages, some of these files may have been recreated since the purge step above, so don't skip this step).

    rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
    find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ | grep -e tdb -e ldb | xargs rm -f

Provisioning a new AD Domain

Make sure you start with a clean installation. Note: Don't do this unless you want to set up a fresh domain, in which case you will need to change all the settings below to appropriate values.

  • Provision the new domain:

    samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD
  • Copy /var/lib/samba/private/krb5.conf to /etc/krb5.conf:

    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
    • Make sure /etc/krb5.conf looks something like this; add lines where necessary.

      [libdefaults]
              default_realm = AD.V.UCC.ASN.AU
              dns_lookup_realm = false
              dns_lookup_kdc = true
              rdns = false
              forwardable = yes
  • Export the domain's keytab

    samba-tool domain exportkeytab /etc/krb5.keytab
  • Edit /etc/nsswitch.conf

    # /etc/nsswitch.conf
    # See http://wiki.ucc.asn.au/ActiveDirectoryNew
    
    passwd:         files sss
    group:          files sss
    shadow:         files
    gshadow:        files
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files sss
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis sss
    sudoers:        files
  • and /etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    domains = ad.v.ucc.asn.au
    services = nss, pam, pac
    
    [domain/AD.V.UCC.ASN.AU]
    enumerate = true
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    ldap_id_mapping = false
  • fix sssd.conf permissions

    chmod 600 /etc/sssd/sssd.conf
  • enable sssd auth in pam via pam-auth-update

  • Start the samba service:

    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl restart samba-ad-dc
    systemctl enable sssd
    systemctl restart sssd
  • DO NOT use winbind on a domain controller; it sucks for multiple reasons. Note that winbindd will still run for internal use by samba - it just isn't being used for nss.

  • Make it restart automatically if something crashes: systemctl edit samba-ad-dc

    # this will end up in /etc/systemd/system/samba-ad-dc.service.d/override.conf when it gets saved
    [Service]
    Restart=on-failure

Joining a new DC to an existing AD domain

Make sure you start with a clean installation.

  • Copy /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf from an existing domain controller.

  • verify kerberos with: kinit <username>

  • join the domain with: samba-tool domain join ad.v.ucc.asn.au DC -U"VUCC\Administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'

    • You may see an error saying something about DNS not being configured; you can probably ignore it.
  • replicate the SYSVOL directory to the new DC, then fix the permissions with: samba-tool ntacl sysvolreset

  • export the keytab, fix the sssd.conf permissions and start the samba service (the unit may have a different name depending on the samba version used):

    samba-tool domain exportkeytab /etc/krb5.keytab
    chmod 600 /etc/sssd/sssd.conf
    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl restart samba-ad-dc
    systemctl enable sssd
    systemctl restart sssd
  • enable sssd auth in pam via pam-auth-update

Sysvol replication

Samba doesn't support sysvol replication and probably never will, but they have some (old) suggested workarounds. At the most basic level, the directory /var/lib/samba/sysvol must be synchronised between DCs to keep things working smoothly. Unfortunately the filesystem needs to support xattr and POSIX ACLs so using a simple NFS share isn't possible, and rsync is painful when it comes to two-way synchronisation.

Fortunately csync2 does exactly what we want (minus ACLs/xattr, but those can be fixed using samba-tool ntacl sysvolreset). Here's how you can set it up.

  • put the following into /etc/csync2.cfg (and update with the correct domain controller hostnames): see the documentation

    #### csync2 configuration
    # disable SSL between dc0 and dc1: the pre-shared key below still authenticates
    # the peers, but sysvol (i.e. group policy) then crosses the network unencrypted
    nossl dc[01] dc[01];
    group vucc-domain-controllers
    {
            host dc0 dc1;
            key /etc/csync2.key-vucc;
            include /var/lib/samba/sysvol;

            # reload samba-ad-dc if changes to the configuration file /etc/samba/smb.conf are synced
            # (this action only fires if /etc/samba/smb.conf is also listed in an include above)
            action
            {
                    pattern /etc/samba/smb.conf;
                    exec "/bin/systemctl reload samba-ad-dc";
                    do-local;
            }

            # fix xattrs on files when they are updated
            action
            {
                    pattern /var/lib/samba/sysvol;
                    exec "/usr/bin/samba-tool ntacl sysvolreset";
                    do-local;
            }

            # Store backups (with logical names) somewhere reasonable
            backup-directory /var/lib/samba/sysvol-backups;
            backup-generations 3;

            # automatically resolve conflicts by overwriting older files with newer ones
            auto younger;
    }
  • edit the crontab on one node:

    dc0# crontab -e
    # sync every minute
    * * * * * /usr/sbin/csync2 -x
  • csync2 is run as an inetd service, so you can check that the following line is present in /etc/inetd.conf on all servers in the cluster

    csync2          stream  tcp     nowait  root    /usr/sbin/csync2        csync2 -i -l
  • generate a csync2 pre-shared key (PSK) and copy it and /etc/csync2.cfg to every other DC in the cluster (scp only accepts one destination, so loop over the hosts):

    csync2 -k /etc/csync2.key-vucc
    # the key is all that authenticates peers once SSL is off, so keep it root-only (0600) on every DC
    for h in dc1 dc2 dc3; do scp /etc/csync2.key-vucc /etc/csync2.cfg "$h:/etc/"; done
  • make sure the directory /var/lib/samba/sysvol-backups exists on all nodes of the cluster

  • Done! It should work now.

To manually replicate the sysvol directories between DCs (scp does not carry the NT ACLs/xattrs, hence the sysvolreset on the receiving side; copy into the parent directory so the tree lands at /var/lib/samba/sysvol rather than nested inside an existing one):

    dc0# scp -pr /var/lib/samba/sysvol dc1:/var/lib/samba/
    dc1# samba-tool ntacl sysvolreset
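Whether sysvol came across via csync2 or the manual copy above, the thing to verify before trusting group policy on the second DC is that both trees actually contain the same files. The functions below are an added example (not from this wiki page, Samba or csync2): they build a manifest of every regular file under a sysvol tree (relative path, sha256, mode) and compare two manifests, so drift shows up as a short list of paths instead of a mystery on the Windows side. NT ACLs and xattrs are deliberately left out, since the page resets those with samba-tool ntacl sysvolreset anyway. Assumes GNU coreutils (sha256sum, stat -c, comm) and a POSIX sh.

```shell
#!/bin/sh
# Added sysvol drift check (example code, not from the UCC wiki page, Samba or csync2).
# Builds a manifest of every regular file under a sysvol tree and compares two of
# them, so you can see whether the DCs really hold the same group policy files after
# `csync2 -x` or a manual copy. Assumes GNU coreutils (sha256sum, stat -c, comm).

# Print "./relative/path sha256 mode" for every regular file under $1, sorted by line.
sysvol_manifest() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do
          printf '%s %s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%a' "$f")"
      done | LC_ALL=C sort )
}

# Compare two trees. Prints one line per difference ("< " only in, or differs on, the
# first tree; "> " the second) and returns 1; prints nothing and returns 0 if they match.
sysvol_diff() {
    ta=$(mktemp) && tb=$(mktemp) || return 2
    sysvol_manifest "$1" > "$ta"
    sysvol_manifest "$2" > "$tb"
    tab=$(printf '\t')
    # comm -3 keeps only lines unique to one side; the second side's lines arrive tab-indented
    out=$(LC_ALL=C comm -3 "$ta" "$tb" | sed -e "s/^$tab/> /" -e t -e "s/^/< /")
    rm -f "$ta" "$tb"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Across two DCs the trees are not on one host, so ship a manifest instead of the tree:
#   dc1# sysvol_manifest /var/lib/samba/sysvol > /tmp/sysvol.dc1      (then scp it to dc0)
#   dc0# sysvol_manifest /var/lib/samba/sysvol | LC_ALL=C comm -3 - /tmp/sysvol.dc1
```

An empty result from the comm on dc0 means the two sysvol trees hold byte-identical policy files; anything listed is either a file csync2 has not synced yet or a conflict that `auto younger` resolved differently from what you expected.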

Diagnostics

Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache:

  • sss_cache -E if using sssd

  • net cache flush if using winbind

  • Or if the above fails to have an effect, try rejoining the domain using the instructions below.

Sometimes, everything may break rather catastrophically. This may be due to the keytabs at /etc/krb5.keytab and /var/lib/samba/private/secrets.keytab becoming out of sync.

  • The current solution (on samson) is to make /etc/krb5.keytab a symlink to the keytab Samba maintains, so the two can never diverge (note the direction: the link lives in /etc and points at secrets.keytab, as the ls -l output shows; -f replaces the file exportkeytab wrote):

    # ln -sf /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
    # ls -l /etc/krb5.keytab
    lrwxrwxrwx 1 root root 37 Nov 26 16:51 /etc/krb5.keytab -> /var/lib/samba/private/secrets.keytab
  • Verify that the host principal is present in the keytab:

    # klist -k | grep -i $(hostname)
       3 [email protected]
  • The same principal and variations including the same hostname may appear multiple times. This is normal (and maybe necessary?).
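Before resorting to the symlink, it helps to see exactly how the two keytabs disagree: which principals only one of them holds, and where the key version numbers (KVNO) have drifted apart after a machine password change. The functions below are an added example (not from this wiki page or from MIT Kerberos) that works on saved klist -k output, so it runs offline and can be fed listings copied from another host; it assumes the MIT klist listing format (a "KVNO Principal" header and one line per principal and encryption type, which is why the same principal repeats) and POSIX sh/awk. The sample principals in the test are constructed from this page's hostnames and realm.

```shell
#!/bin/sh
# Added keytab consistency check (example code, not from the UCC wiki page or MIT
# Kerberos). Works on *saved* `klist -k` output so it can run offline:
#   dc0# klist -k /etc/krb5.keytab > /tmp/etc.keytab.txt
#   dc0# klist -k /var/lib/samba/private/secrets.keytab > /tmp/secrets.keytab.txt
# Assumes the MIT klist format ("KVNO Principal" header, one line per principal
# and encryption type) and POSIX sh/awk.

# Reduce a listing to unique "kvno principal" pairs. MIT klist prints the same
# principal once per encryption type, so repeats are expected, not a fault.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $1, $2 }' "$1" | LC_ALL=C sort -u
}

# Return 0 if the host principal host/$2@$3 is present in listing $1.
keytab_has_host() {
    keytab_entries "$1" | awk -v p="host/$2@$3" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Compare two listings: report principals missing from either keytab and principals
# whose KVNO differs, which is the "out of sync" state described above. Prints
# nothing and returns 0 when both keytabs agree.
keytab_compare() {
    ea=$(mktemp) && eb=$(mktemp) || return 2
    keytab_entries "$1" > "$ea"
    keytab_entries "$2" > "$eb"
    if [ ! -s "$ea" ] || [ ! -s "$eb" ]; then
        echo "no keytab entries found in $1 or $2" >&2
        rm -f "$ea" "$eb"; return 1
    fi
    out=$(awk -v A="$1" -v B="$2" '
        NR == FNR { a[$2] = $1; next }
        { b[$2] = $1 }
        END {
            for (p in a) if (!(p in b)) printf "missing in %s: %s\n", B, p
            for (p in b) if (!(p in a)) printf "missing in %s: %s\n", A, p
            for (p in a) if ((p in b) && a[p] != b[p])
                printf "kvno mismatch for %s: %s has %s, %s has %s\n", p, A, a[p], B, b[p]
        }' "$ea" "$eb" | LC_ALL=C sort)
    rm -f "$ea" "$eb"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

A KVNO mismatch on the machine account (`DC0$@...`) or the `host/` principal is the typical symptom after a machine password rotation that only Samba saw; a principal missing from /etc/krb5.keytab but present in secrets.keytab is what the symlink above avoids for good.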