Differences between revisions 1 and 24 (spanning 23 versions)
Revision 1 as of 2017-02-19 11:59:16
Size: 913
Editor: DavidAdam
Comment:
Revision 24 as of 2017-10-08 16:04:43
Size: 4415
Editor: 172
Comment: fixed some typos and finished "Linux Systems" section
Deletions are marked "Removed:"; additions are marked "Added:".

Line 2 (revision 1) / Line 2 (revision 24):
 Added: The primary DNS server for the domain is `molmol.ucc.gu.uwa.edu.au`.

Line 5 (revision 1) / Line 7 (revision 24):
 Removed: The Active Directory domain at UCC is {{{ad.ucc.gu.uwa.edu.au}}}
 Removed: The Active Directory test domain at UCC is {{{adtest.ucc.gu.uwa.edu.au}}}
 Added: The Active Directory domain at UCC will be `ad.ucc.gu.uwa.edu.au`.

Line 8 (revision 1) / Line 9 (revision 24):
 Removed: The primary DNS server for the domain is {{{molmol.ucc.gu.uwa.edu.au}}}.
 Added: The Active Directory test domain at UCC is `adtest.ucc.gu.uwa.edu.au`. The primary server for the test domain is `samson.ucc.gu.uwa.edu.au`.

Line 10 (revision 1) / Line 11 (revision 24):
 Removed: The primary DNS server for the test domain is {{{mulmul.ucc.gu.uwa.edu.au}}}.
 Added: `ad{,test}.ucc.gu.uwa.edu.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`.

Line 12 (revision 1) / Line 13 (revision 24):
 Removed: {{{ad{,test}.ucc.gu.uwa.edu.au}}} is delegated in the Zonemake config in Mooneye's {{{/etc/bind/domains/primary/ucc.machines}}}
 Added: Samson's test domain is set up by: (followed by the setup steps and the "Windows systems" and "Linux systems" sections, which are the text of the current revision reproduced in full below)
Line 16 (revision 1) / Line 119 (revision 24):
 Removed: Nothing yet!
 Added: the lists of converted systems (Windows: Catfish; Linux: Chubsucker) and the note that dispense no longer has to back onto LDAP, as on the current page below.

Line 19 (revision 1) / Line 129 (revision 24):
 Removed: the earlier list of unconverted systems, which also listed Dispense:
  * Windows desktops
  * Linux desktops
  * Windows server (Maaxen)
  * Linux servers
   * Mussel
   * Motsugo
   * Other machines
  * FreeBSD servers
   * Molmol
   * Musdea
  * Solaris machines
  * Dispense
  * Webmail
  * RADIUS (VPN & wireless)
  * Mac machines
  * Adduser scripts
  * Proxmox
 Added: the list of unconverted systems as on the current page below.
This page is for describing the migration and current setup of the Active Directory domain at UCC.

The primary DNS server for the domain is molmol.ucc.gu.uwa.edu.au.

Upgrade/Setup Process

The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au.

The Active Directory test domain at UCC is adtest.ucc.gu.uwa.edu.au. The primary server for the test domain is samson.ucc.gu.uwa.edu.au.

ad{,test}.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local.

Samson's test domain is set up by:

  • apt-get install samba winbind chrony

  • Disable the systemd units for the non-DC setup & default configuration:

systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf

  • scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc

  • scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/

  • scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/

  • Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc

  • Comment out the ZFS-specific entries in /opt/smb.conf.pdc.

  • samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc

Windows systems

Just join them to the domain. It does not look like a machine account needs to be created before joining, but this is unconfirmed.

Linux systems

Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM.

Before configuring the domain, ensure the following:

  • Install the required packages: apt-get install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind

  • Ensure the system is configured according to the SOE.

  • Edit /etc/krb5.conf to point to the new domain:

[libdefaults]
        default_realm = adtest.ucc.gu.uwa.edu.au
        dns_lookup_realm = false
        dns_lookup_kdc = true

  • Make the following /etc/samba/smb.conf:

[global]
# Configure the domain information
        security = ads
        realm = adtest.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# Use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

# Configure uid/gid to SID mapping based on AD (rfc2307) attributes
        winbind nss info = rfc2307

        # Default backend for SIDs that do not belong to the domain (e.g. BUILTIN)
        idmap config * : backend = tdb
        idmap config * : range = 13000-17999

        # idmap config for UCCDOMAYNE
        # NOTE: Samba requires the configured idmap ranges to be mutually disjoint;
        # this range overlaps the default range above and should be adjusted before use.
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        # The domain name here must be UCCDOMAYNE; "SAMDOM" is the Samba wiki's placeholder
        # and a setting for a non-existent domain is silently ignored.
        idmap config UCCDOMAYNE:unix_primary_group = yes

  • Join the machine to the domain with: net ads join -U <username>.

  • Configure PAM using pam-auth-update and enable "Winbind NT/AD authentication".

  • Configure /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files 
ethers:         db files
rpc:            db files

netgroup:       nis 

  • Start the services:

winbindd
nmbd
smbd

  • Make sure the computer can fetch the domain users and groups with:

wbinfo -g and wbinfo -u
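As an added pre-join check (not part of the UCC wiki page or the Samba wiki it follows), the script below parses the "idmap config X : range" lines of an smb.conf and reports overlapping ranges, which Samba requires to be mutually disjoint; run against the values in the smb.conf above it flags the 13000-17999 / 1-999999 overlap. The embedded smb.conf fragment is constructed, and SAMPLE_FILE and the function names are my own; point the check at /etc/samba/smb.conf on a real domain member.

```shell
#!/bin/sh
# Added check: confirm that idmap ranges in an smb.conf are disjoint before "net ads join".
# The smb.conf(5) idmap config documentation requires the default "*" range and every
# domain range to be mutually disjoint; overlapping ranges make ID mapping ambiguous.

# Constructed sample fragment (mirrors the page's values), embedded so the check runs offline.
SAMPLE_SMB_CONF='[global]
        realm = adtest.ucc.gu.uwa.edu.au
        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:range = 1-999999'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_SMB_CONF" > "$SAMPLE_FILE"

# idmap_ranges FILE: print one "domain low high" line per "idmap config X : range = low-high".
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*[^: ]\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*$/\1 \2 \3/p' "$1"
}

# idmap_overlaps FILE: print each overlapping pair; exit 1 if any overlap, 0 if all disjoint.
idmap_overlaps() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    # two closed intervals overlap when each starts no later than the other ends
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d and %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

if idmap_overlaps "$SAMPLE_FILE"; then
    echo "idmap ranges are disjoint"
else
    echo "fix the idmap ranges before joining the domain"
fi
```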

Converted systems

Windows

  • Catfish

Linux

  • Chubsucker

dispense no longer has to back onto LDAP, so once Merlo is converted things should just work.

Unconverted systems

  • Windows desktops
  • Linux desktops
  • Windows server (Maaxen)
  • Linux servers
    • Mussel
    • Motsugo
    • Other machines
  • FreeBSD servers
    • Molmol
    • Musdea
  • Solaris machines
  • Webmail
  • RADIUS (VPN & wireless)
  • Mac machines
  • Adduser scripts
  • Proxmox