Differences between revisions 1 and 23 (spanning 22 versions)
Revision 1 as of 2017-02-19 11:59:16
Size: 913
Editor: DavidAdam
Comment:
Revision 23 as of 2017-10-06 14:16:41
Size: 3563
Editor: chubsucker
Comment:
Line 2: Line 2:

The primary DNS server for domain is `molmol.ucc.gu.uwa.edu.au`.
Line 5: Line 7:
The Active Directory domain at UCC is {{{ad.ucc.gu.uwa.edu.au}}}
The Active Directory test domain at UCC is {{{adtest
.ucc.gu.uwa.edu.au}}}
The Active Directory domain at UCC will be `ad.ucc.gu.uwa.edu.au`.
Line 8: Line 9:
The primary DNS server for the domain is {{{molmol.ucc.gu.uwa.edu.au}}. The Active Directory test domain at UCC is `adtest.ucc.gu.uwa.edu.au`. The primary server for the test domain is `samson.ucc.gu.uwa.edu.au`.
Line 10: Line 11:
The primary DNS server for the test domain is {{{mulmul.ucc.gu.uwa.edu.au}}. `ad{,test}.ucc.gu.uwa.edu.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`
Line 12: Line 13:
{{{ad{,test}.ucc.gu.uwa.edu.au}}} is delegated in the Zonemake config in Mooneye's {{{/etc/bind/domains/primary/ucc.machines}}} Samson's test domain is set up by:
 * `apt-get install samba winbind chrony`
 * Disable the systemd units for the non-DC setup & default configuration:
{{{
systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf
}}}
 * `scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc`
 * `scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/`
 * `scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/`
 * Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in `/opt/smb.conf.pdc`
 * Comment out the ZFS-specific entries in `/opt/smb.conf.pdc`.
 * `samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc`
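Review bot: the three `scp` lines copy the PDC's `/var/db/samba4/private/*.tdb` databases, which hold the domain secrets (and, with a tdbsam backend, the password hashes), into `/opt/samba-db/`, but nothing in the hunk restricts that directory or removes it once `samba-tool domain classicupgrade` has imported it. Suggest creating it with `install -d -m 0700 /opt/samba-db` before the copies and deleting `/opt/samba-db` and `/opt/smb.conf.pdc` after the upgrade succeeds.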
Line 14: Line 32:
=== Windows systems ===

Just join them to the domain. Doesn't look like you need to create a machine account before joining?

=== Linux systems ===
Based on the instructions from [[https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member]] and [[https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM]]
Adding a Linux system is as follows:

ensure the system is configured according to the standard [[http://http://wiki.ucc.asn.au/SOE|SOE]]
edit `/etc/krb5.conf` with:
{{{
   [libdefaults]
 default_realm = adtest.ucc.gu.uwa.edu.au
 dns_lookup_realm = false
 dns_lookup_kdc = true
}}}

Change `/etc/samba/smb.conf`:
{{{
[global]
# Configure the domain infomation
        security = ads
        realm = adtest.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

#Config gid/sid mapping based on AD attributes
        winbind nss info = rfc3207

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        
        #idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config SAMDOM:unix_primary_group = yes

}}}

* Join the domain with: `net ads join -U <username>`.

* configure pam

* configure `nssswitch.conf`

* start the services:
{{{
winbindd
nmbd
smbd
}}}

* test the to make sure it works with:
`getent group`

* run `pam-auth-update` and enable the winbind module.
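Review bot: several slips in the added Linux-member config will stop it doing what the comments say. `winbind nss info = rfc3207` is not a valid value (smb.conf(5) accepts template, rfc2307, sfu and sfu20; rfc2307 matches the `schema_mode` set below it). `idmap config SAMDOM:unix_primary_group = yes` still names the Samba wiki's example domain, so it applies to nothing; it should read `idmap config UCCDOMAYNE:unix_primary_group = yes`. The `UCCDOMAYNE` range `1-999999` contains the `*` range `13000-17999` (idmap ranges must be disjoint) and also covers the local system UIDs 0-999, so an AD uidNumber could shadow a local account; start it above both. Smaller points: the SOE link has a doubled `http://`, `nssswitch.conf` should be `nsswitch.conf`, and the `*` bullets from "Join the domain" onward lack the leading space that MoinMoin needs (compare ` * ` earlier in the page) to render them as a list.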
Line 18: Line 98:
dispense no longer has to back onto LDAP, so once Merlo is converted then things should just work
Line 19: Line 101:
* Windows desktops
* Linux desktops
* Windows server (Maaxen)
* Linux servers
 * Mussel
* Motsugo
 * Other machines
* FreeBSD servers
 * Molmol
 * Musdea
* Solaris machines
* Dispense
* Webmail
* RADIUS (VPN & wireless)
* Mac machines
* Adduser scripts
* Proxmox
 * Windows desktops
 * Linux desktops
 * Windows server (Maaxen)
 * Linux servers
  * Mussel
 
* Motsugo
  * Other machines
 * FreeBSD servers
  * Molmol
  * Musdea
 
* Solaris machines
 * Webmail
 * RADIUS (VPN & wireless)
 * Mac machines
 
* Adduser scripts
 * Proxmox
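Review bot: the whitespace-only lines inserted before `* Motsugo`, `* Solaris machines` and `* Adduser scripts` split the nested list (the rendered page shows a gap before "Mac machines"); remove them and keep each nested item one indent level deeper than its parent, as the `Mussel` entry under `Linux servers` already is.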

This page is for describing the migration and current setup of the Active Directory domain at UCC.

The primary DNS server for the domain is molmol.ucc.gu.uwa.edu.au.

Upgrade/Setup Process

The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au.

The Active Directory test domain at UCC is adtest.ucc.gu.uwa.edu.au. The primary server for the test domain is samson.ucc.gu.uwa.edu.au.

ad{,test}.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local.

Samson's test domain is set up by:

  • apt-get install samba winbind chrony

  • Disable the systemd units for the non-DC setup & default configuration:

systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf
  • scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc

  • scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/

  • scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/

  • Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc

  • Comment out the ZFS-specific entries in /opt/smb.conf.pdc.

  • samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc

Windows systems

Just join them to the domain. It doesn't look like you need to create a machine account before joining.

Linux systems

These steps are based on the Samba wiki instructions at https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM. Adding a Linux system is as follows:

Ensure the system is configured according to the standard SOE, then edit /etc/krb5.conf with:

   [libdefaults]
        default_realm = adtest.ucc.gu.uwa.edu.au
        dns_lookup_realm = false
        dns_lookup_kdc = true

Change /etc/samba/smb.conf:

[global]
# Configure the domain information
        security = ads
        realm = adtest.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# Use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

# Configure uid/gid to SID mapping from the RFC 2307 attributes held in AD
        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999

        # idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config UCCDOMAYNE:unix_primary_group = yes

* Join the domain with: net ads join -U <username>.

* Configure PAM.

* Configure nsswitch.conf.

* Start the services:

winbindd
nmbd
smbd

* Test that it works with: getent group

* Run pam-auth-update and enable the winbind module.
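As an added check, not code from this page or from Samba, the script below parses the winbind and idmap settings of a member smb.conf and flags the pitfalls that bite this configuration: an invalid winbind nss info value, an idmap entry for a domain other than the workgroup, a range that starts inside the local system UIDs, and idmap ranges that overlap. The sample input is a constructed excerpt of the smb.conf as it stood in the revision diff above (with its rfc3207 and SAMDOM slips), so every check fires; the 0-999 local UID ceiling assumes a Debian-style system.

```python
import re
from itertools import combinations

# Constructed sample: the winbind/idmap lines of the member smb.conf as they
# stood in the revision diff above (not the page's file verbatim).
SAMPLE_SMB_CONF = """\
[global]
        workgroup = UCCDOMAYNE
        winbind nss info = rfc3207
        idmap config * : range = 13000-17999
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config SAMDOM:unix_primary_group = yes
"""
VALID_NSS_INFO = {"template", "rfc2307", "sfu", "sfu20"}  # values smb.conf(5) accepts
LOCAL_UID_CEILING = 999  # assumption: Debian-style system, UIDs 0-999 are local accounts

def parse_global(text):
    """Lower-cased key -> value for [global]; '* : range' and '*:range' normalise alike."""
    settings, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line[:1] == "[" and line[-1:] == "]":
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            settings[re.sub(r"\s*:\s*", ":", " ".join(key.split()).lower())] = value.strip()
    return settings

def check_idmap(settings):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems, ranges = [], {}
    workgroup = settings.get("workgroup", "").lower()
    if settings.get("winbind nss info", "template") not in VALID_NSS_INFO:
        problems.append("winbind nss info is not one of " + ", ".join(sorted(VALID_NSS_INFO)))
    for key, value in settings.items():
        m = re.fullmatch(r"idmap config ([^:]+):(\S+)", key)
        if not m:
            continue
        domain, option = m.groups()
        if domain not in ("*", workgroup):  # e.g. SAMDOM copied from the Samba wiki
            problems.append("idmap config for %s does not match the workgroup" % domain.upper())
        if option == "range":
            lo, hi = (int(x) for x in value.split("-"))
            ranges[domain] = (lo, hi)
            if lo <= LOCAL_UID_CEILING:  # AD ids would shadow root-adjacent local accounts
                problems.append("range for %s starts at %d, inside local system UIDs" % (domain, lo))
    for a, b in combinations(sorted(ranges), 2):  # idmap ranges must be disjoint
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            problems.append("idmap ranges for %s and %s overlap" % (a, b))
    return problems
```

Run it against the real /etc/samba/smb.conf after editing and before net ads join; a clean result is an empty list.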

Converted systems

Nothing yet!

Dispense no longer has to back onto LDAP, so once Merlo is converted things should just work.

Unconverted systems

  • Windows desktops
  • Linux desktops
  • Windows server (Maaxen)
  • Linux servers
    • Mussel
    • Motsugo
    • Other machines
  • FreeBSD servers
    • Molmol
    • Musdea
  • Solaris machines
  • Webmail
  • RADIUS (VPN & wireless)
  • Mac machines
  • Adduser scripts
  • Proxmox