This page describes the current (2019) Active Directory configuration at UCC.

The Active Directory (AD) domain at UCC is ad.ucc.gu.uwa.edu.au with the NETBIOS domain name UCCDOMAYNE. The primary Domain Controller (DC) is samson.ucc.gu.uwa.edu.au, which also serves authoritative DNS for ad.ucc.gu.uwa.edu.au.

For some background on why the Standard Operating Environment does what it does, see NewActiveDirectory. For outdated documentation and some info about the migration from the old LDAP domain, see OldActiveDirectory.

This page describes how to configure Linux systems to connect to an Active Directory domain as the database for users and groups.

Windows

These instructions assume you are using Windows 10.

  1. Open File Explorer, right click on My PC and select Properties. You might need to click the rename (advanced) option on the rightmost pane of the window.

  2. Under the Computer Name tab, select Change... and enter ad.ucc.gu.uwa.edu.au as the domain. Make sure the computer name is also correct, change it if necessary (Windows 10 generates a random name when you install it).

  3. When you click OK, enter a UCC wheel username/password (aka someone who has domain admin permissions). Restart the computer at your convenience.
  4. Congratulations, you have joined a computer to the domain.

Linux

Configuring SSSD

Full section and alternative client configurations: https://wiki.ucc.asn.au/NewActiveDirectory/LinuxClients

There is a very informative Red Hat article about configuring sssd manually. The following instructions are a functional adaptation. For a more detailed understanding of what these config files and options mean, please start by reading the manpages for sssd, sssd-ad, sssd-krb5, sssd-ldap, sssd.conf, krb5.conf and smb.conf and the above article.

These instructions are confirmed working on Linux Mint 19.1 (Tara), using sssd version 1.16.1 and samba-common-bin package version 4.7.6.

  1. Install the necessary packages and uninstall any conflicting ones:

    apt -y install samba-common-bin samba-dsdb-modules sssd sssd-ad sssd-krb5 sssd-ldap sssd-tools krb5-user krb5-doc libpam-sss libnss-sss adcli libsasl2-modules-gssapi-mit
    apt -y purge winbind realmd libpam-krb5 libpam-ldap libpam-winbind libnss-ldap libnss-winbind
  2. Remove any configuration files if they exist and stop services:

    mv /etc/samba/smb.conf /etc/samba/smb.conf.old
    mv /etc/nsswitch.conf /etc/nsswitch.conf.old
    rm -f /etc/krb5.conf /etc/krb5.keytab /etc/sssd/sssd.conf
    systemctl stop sssd winbind samba-ad-dc smbd nmbd
  3. Install the configs semi-automatically:

    wget -O /tmp/ucc-ad-config.tar.gz https://www.ucc.asn.au/ucc-ad-config.tar.gz && tar -C / -xvzf /tmp/ucc-ad-config.tar.gz
  4. Run pam-auth-update and check that SSS authentication is enabled and that winbind authentication (if present) is disabled.

  5. Create the machine account in AD and produce a keytab for sssd containing the machine account credentials. If using a user other than Administrator, ensure they have sufficient privileges to join a machine to the domain.

    rm /etc/krb5.keytab
    kinit <wheel username here>
    net ads join --no-dns-updates -k
    # verify the machine account credentials are in the keytab:
    klist -k
  6. Start the necessary services:

    systemctl restart sssd
  7. Verify that you can see the correct user and group info using getent passwd and getent group respectively. The output format is equivalent to the /etc/passwd and /etc/group files.
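The checks from steps 5 and 7 as a script, added here as an example (it is not part of the UCC wiki or the ucc-ad-config package). The parsing functions take command output as a string, and run_live_checks feeds them the real output of the host; the realm is the one from this page's krb5.conf.

```sh
#!/bin/sh
# Added example, not part of the UCC config package: post-join checks for the
# SSSD setup above. Usage: sh sssd-check.sh --live [ad-username]
REALM="AD.UCC.GU.UWA.EDU.AU"

# nsswitch_has_sss <contents of /etc/nsswitch.conf>
# succeeds only if passwd, group and shadow all consult the sss source
nsswitch_has_sss() {
    for db in passwd group shadow; do
        printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${db}:.*[[:space:]]sss([[:space:]]|\$)" || return 1
    done
    return 0
}

# keytab_has_machine_account <output of klist -k> <REALM>
# "net ads join -k" writes the computer account (HOST$@REALM) and host/ service
# principals into the keytab; succeed if either is present for the expected realm
keytab_has_machine_account() {
    printf '%s\n' "$1" | grep -Eq "(^|[[:space:]])([A-Za-z0-9-]+\\\$|host/[^@[:space:]]+)@$2([[:space:]]|\$)"
}

# getent_shows_user <output of getent passwd NAME> <NAME>
# succeeds if NAME resolved to a well-formed passwd line (7 colon-separated fields)
getent_shows_user() {
    printf '%s\n' "$1" | grep -Eq "^$2:([^:]*:){5}[^:]*\$"
}

# run_live_checks [username]: run the checks on this machine (klist -k needs root)
run_live_checks() {
    nsswitch_has_sss "$(cat /etc/nsswitch.conf 2>/dev/null)" \
        && echo "nsswitch: sss enabled" || echo "nsswitch: sss MISSING from passwd/group/shadow"
    keytab_has_machine_account "$(klist -k 2>/dev/null)" "$REALM" \
        && echo "keytab: machine account for $REALM present" || echo "keytab: machine account MISSING (rerun net ads join)"
    systemctl is-active --quiet sssd 2>/dev/null \
        && echo "sssd: active" || echo "sssd: not running"
    if [ -n "$1" ]; then
        getent_shows_user "$(getent passwd "$1" 2>/dev/null)" "$1" \
            && echo "nss: $1 resolves" || echo "nss: $1 does not resolve (try sss_cache -E)"
    fi
}

if [ "${1-}" = "--live" ]; then run_live_checks "${2-}"; fi
```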

Diagnostics

Sometimes group memberships don't seem to be updated. This can often be fixed by clearing the cache:

  • sss_cache -E if using sssd

  • net cache flush if using winbind

  • Or, if the above has no effect, try rejoining the domain using the join steps in Configuring SSSD above.

You can edit things with

  • kinit; ldapvi -b dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au --host AD.UCC.GU.UWA.EDU.AU -Y GSSAPI

or more easily with

  • samba-tool user edit <username>

Config file examples

These should be the same as in the config package (https://www.ucc.asn.au/ucc-ad-config.tar.gz), but here they are in case something gets broken or that archive goes missing.

  • /etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    domains = ad.ucc.gu.uwa.edu.au
    services = nss, pam, pac
    
    # domain configuration: see manpages sssd.conf, sssd-ldap, sssd-krb5 and sssd-ad
    # see https://access.redhat.com/articles/3023951
    # needs correct configuration for: /etc/nsswitch.conf /etc/samba/smb.conf /etc/resolv.conf `pam-auth-update`
    [domain/AD.UCC.GU.UWA.EDU.AU]
    enumerate = true
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    ldap_id_mapping = false
    
    cache_credentials = true
    # if you want to use a custom CA certificate for AD
    #ldap_tls_cacert = /etc/sssd/ucc-ad-ca.cer
    # or just allow invalid (self-signed) certificates
    # (allow = keep the connection even if the server certificate cannot be verified; ldap_tls_cacert above is the stricter option)
    ldap_tls_reqcert = allow
    
    # allow local users to be included in AD groups
    ldap_rfc2307_fallback_to_local_users = true
  • /etc/nsswitch.conf

    # /etc/nsswitch.conf
    
    passwd:         compat systemd sss
    group:          compat systemd sss
    shadow:         compat sss
    gshadow:        files
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
    networks:       files
    
    protocols:      db files
    services:       db files sss
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis sss
  • /etc/krb5.conf

    [libdefaults]
        default_realm = AD.UCC.GU.UWA.EDU.AU
        dns_lookup_realm = true
        dns_lookup_kdc = true
        rdns = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = yes
  • /etc/samba/smb.conf

    [global]
            realm = AD.UCC.GU.UWA.EDU.AU
            workgroup = UCCDOMAYNE
            security = ads
            client signing = mandatory
            client use spnego = yes
            tls enabled = yes
            kerberos method = secrets and keytab
            dedicated keytab file = /etc/krb5.keytab
            log file = /var/log/samba/%m.log

OpenLDAP

If for some reason you need to authenticate using our AD over OpenLDAP (e.g. OpenVPN or Octoprint), you will need two things to actually talk LDAP to samson: the UCC-CA certificate, and a custom OpenLDAP config file.

The cert is available from the main website at the top, or from /etc/ssl/certs on most of the main servers.

  • /etc/ldap/ldap.conf

            URI ldaps://samson.ad.ucc.gu.uwa.edu.au
            BASE dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    
            SSL on
            # allow: continue even if the server certificate does not verify against TLS_CACERT (demand would enforce it)
            TLS_REQCERT allow
            TLS_CACERT /etc/ssl/certs/UCC-CA.crt

Once you have both of these, ldapsearch and other LDAP clients will contact samson properly.

Also use ldaps://ad.ucc.gu.uwa.edu.au to talk to it.
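Querying the AD over LDAPS the way a service such as OpenVPN or Octoprint would, added here as an example (not part of the UCC wiki or config package). It uses the URI and BASE from the ldap.conf above and escapes the username before building the search filter; the sAMAccountName filter and the openssl check are assumptions about how you would verify the setup, not UCC's own procedure.

```sh
#!/bin/sh
# Added example, not part of the UCC wiki: look up an AD user over LDAPS.
# Usage: kinit <user>; sh ad-lookup.sh <sAMAccountName>
URI="ldaps://samson.ad.ucc.gu.uwa.edu.au"
BASE="dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au"
CA="/etc/ssl/certs/UCC-CA.crt"

# ldap_filter_escape <string>: escape the characters that are special in an LDAP
# search filter (RFC 4515). Backslash goes first so the escapes are not re-escaped.
# Without this, a login name such as "*)(objectClass=*" would change the query.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# user_filter <sAMAccountName>: filter matching exactly that user account
user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_filter_escape "$1")"
}

# lookup_user <username>: Kerberos-authenticated search (run kinit first).
# LDAPTLS_REQCERT=demand overrides the "TLS_REQCERT allow" from ldap.conf, so the
# connection is refused unless samson's certificate chains to UCC-CA.
lookup_user() {
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$CA" \
        ldapsearch -LLL -Y GSSAPI -H "$URI" -b "$BASE" \
        "$(user_filter "$1")" sAMAccountName displayName memberOf
}

# check_dc_cert: succeeds only if samson's certificate verifies against UCC-CA
check_dc_cert() {
    openssl s_client -connect samson.ad.ucc.gu.uwa.edu.au:636 -CAfile "$CA" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

if [ -n "${1-}" ]; then
    check_dc_cert && echo "certificate chain verified against $CA" || echo "certificate did NOT verify against $CA"
    lookup_user "$1"
fi
```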