Differences between revisions 1 and 28 (spanning 27 versions)
Revision 1 as of 2017-02-19 11:59:16 (size 913, editor DavidAdam, no comment)
Revision 28 as of 2018-03-11 21:39:43 (size 4758, editor BobAdamson, no comment)
This page describes the migration to, and the current setup of, the Active Directory domain at UCC.

The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au. The primary DNS server for the domain is samson.ucc.gu.uwa.edu.au, which is also the primary domain controller (DC).

Upgrade/Setup Process

ad.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local

Samson's test domain is set up by:

  • apt install samba winbind chrony sssd

  • Stop and disable the systemd units for the stand-alone (non-DC) Samba services and remove the default configuration; on Debian the AD DC is run by the separate samba-ad-dc unit instead:

systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf
  • scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc

  • scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/

  • scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/

    The copied databases are sensitive: secrets.tdb holds the domain SID and the LDAP admin password, and any passdb.tdb holds NT password hashes. Keep /opt/samba-db readable by root only (mode 0700) and delete it once the upgrade has succeeded.

  • Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc

  • Comment out the ZFS-specific entries in /opt/smb.conf.pdc.

  • samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc

    --use-xattrs=yes stores the DC's ACLs in extended attributes, so the filesystem holding the Samba state must be mounted with user xattr and ACL support; --dns-backend=SAMBA_INTERNAL makes Samson answer DNS for the new domain's zone itself.
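
As an added example (not part of this page or of UCC's own tooling), the following Python helper does the two preparation steps above in a checkable way: it rewrites a copy of Molmol's smb4.conf for the classicupgrade (workgroup renamed, Mussel's hostname replaced by an address, ZFS-only options commented out) and flags copied database files that anyone but root can read. The sample smb4.conf, the list of ZFS-specific options (vfs objects = zfsacl and nfs4:* settings) and the placeholder address 192.0.2.10 for Mussel are assumptions for illustration only.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed stand-in for Molmol's /usr/local/etc/smb4.conf; the ZFS-specific
# lines and the ldapsam URL are assumptions for illustration only.
SAMPLE_SMB4_CONF = """\
[global]
    workgroup = UCCDOMAIN
    netbios name = MOLMOL
    passdb backend = ldapsam:ldap://mussel.ucc.gu.uwa.edu.au
    domain logons = yes

[homes]
    path = /home/%U
    vfs objects = zfsacl
    nfs4:mode = special
    nfs4:acedup = merge
"""

# Options that only make sense on the FreeBSD/ZFS file server (assumed list);
# they are commented out rather than dropped so the original stays visible.
ZFS_SPECIFIC = re.compile(r"^\s*(vfs objects\s*=.*zfsacl|nfs4:)", re.IGNORECASE)


def prepare_pdc_conf(text: str, old_wg: str, new_wg: str,
                     host_to_ip: Dict[str, str]) -> str:
    """Return the smb.conf.pdc text: workgroup renamed, hostnames replaced
    by addresses, ZFS-only lines commented out."""
    out = []
    for line in text.splitlines():
        if ZFS_SPECIFIC.match(line):
            out.append("# " + line.strip())
            continue
        line = re.sub(r"(?i)(workgroup\s*=\s*)" + re.escape(old_wg),
                      r"\g<1>" + new_wg, line)
        for host, ip in host_to_ip.items():
            line = line.replace(host, ip)
        out.append(line)
    return "\n".join(out) + "\n"


def insecure_db_files(dbdir: str, require_root: bool = True) -> List[Tuple[str, str]]:
    """List copied database files whose permissions expose them.

    secrets.tdb holds the domain SID and the LDAP admin password, and a
    passdb.tdb would hold NT hashes, so nothing but root should read them.
    """
    problems = []
    for name in sorted(os.listdir(dbdir)):
        path = os.path.join(dbdir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append((name, f"mode {mode:o} is readable or writable by group/other"))
        elif require_root and st.st_uid != 0:
            problems.append((name, f"owned by uid {st.st_uid}, not root"))
    return problems


def demo() -> Tuple[str, List[Tuple[str, str]]]:
    """Run both helpers on constructed input (192.0.2.10 is a placeholder address)."""
    conf = prepare_pdc_conf(SAMPLE_SMB4_CONF, "UCCDOMAIN", "UCCDOMAYNE",
                            {"mussel.ucc.gu.uwa.edu.au": "192.0.2.10"})
    with tempfile.TemporaryDirectory() as d:
        # Simulate a careless scp: one file left world-readable, one correct.
        for name, mode in (("secrets.tdb", 0o644), ("passdb.tdb", 0o600)):
            p = os.path.join(d, name)
            open(p, "wb").close()
            os.chmod(p, mode)
        problems = insecure_db_files(d, require_root=False)
    return conf, problems


if __name__ == "__main__":
    conf, problems = demo()
    print(conf)
    for name, why in problems:
        print(f"WARNING: {name}: {why}")
```

Run it against the real copies with insecure_db_files("/opt/samba-db") before the classicupgrade; with the default require_root=True it also complains about files not owned by root.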

Windows systems

Just join them to the domain; a machine account does not have to be created first. By default any authenticated domain user may join up to 10 computers (the ms-DS-MachineAccountQuota attribute on the domain, which the Samba AD DC also honours) and the computer object is created at join time. The flip side is that any domain user can create computer objects; if only admins should be able to join machines, set that quota to 0 and pre-create the machine accounts.

Linux systems

Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM. Before configuring the domain, ensure the following:

  • Install the required packages: apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind

  • Ensure the system is configured according to the SOE.

  • edit /etc/krb5.conf to point to the new domain. Kerberos realm names are case sensitive and the AD realm is the upper-case form of the DNS domain (net ads join and the keytab it writes use AD.UCC.GU.UWA.EDU.AU), so write it in upper case here even though Samba's own realm option accepts either:

   [libdefaults]
        default_realm = AD.UCC.GU.UWA.EDU.AU
        dns_lookup_realm = false
        dns_lookup_kdc = true
  • Make the following /etc/samba/smb.conf:

[global]
# Configure the domain information
        security = ads
        realm = ad.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

# Config uid/gid to SID mapping based on the AD RFC 2307 attributes (uidNumber/gidNumber)
        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        
        #idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config UCCDOMAYNE:unix_primary_group = yes

    Two things to check before copying this. The UCCDOMAYNE range (1-999999) contains the default * range (13000-17999); Samba requires idmap ranges to be disjoint, so move the default range above the domain range. The domain range also starts below 1000, the block Debian reserves for local system accounts, so a uidNumber set in AD can collide with a local system account on every member (uid 33 is www-data, for example); start the range at 1000 unless the directory really holds lower uidNumbers. winbind enum users/groups = yes is only needed if something must list the whole domain through getent; otherwise leave it off, since it lets any local process enumerate every account and makes each listing walk the directory.
  • Join the machine to the domain with: net ads join -U <username>.

  • configure pam using pam-auth-update and enable Winbind NT/AD authentication.

  • configure nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files 
ethers:         db files
rpc:            db files

netgroup:       nis 
  • start the services (on Debian, enable the matching units so they also start at boot: systemctl enable --now winbind smbd nmbd):

winbindd
nmbd
smbd
  • Make sure the machine trust account works and the computer can fetch the domain users and groups with:

wbinfo -t, then wbinfo -g and wbinfo -u (and getent passwd <username> to confirm that the nsswitch side resolves a domain user)
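
Added example, not from the page: a small Python audit of the member smb.conf from this section (its [global] settings embedded verbatim) that parses it, finds the overlapping idmap ranges and the range reaching into the local system IDs, and flags the two winbind enumeration settings plus the client ldap sasl wrapping default. Samba's default of sign for client ldap sasl wrapping and Debian's 0-999 system ID range are the only assumptions beyond the page's own config.

```python
import configparser
from typing import Dict, List, Tuple

# The [global] section of the member smb.conf from this page, embedded so
# the audit runs offline.
MEMBER_SMB_CONF = """\
[global]
        security = ads
        realm = ad.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab
        winbind nss info = rfc2307
        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config UCCDOMAYNE:unix_primary_group = yes
"""

LOCAL_SYSTEM_MAX_ID = 999   # Debian reserves uid/gid 0-999 for system accounts


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Parse [global]; only '=' may split key and value because idmap keys contain ':'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp["global"].items()}


def parse_range(spec: str) -> Tuple[int, int]:
    lo, hi = spec.split("-")
    return int(lo), int(hi)


def idmap_ranges(opts: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Map idmap domain name ('*' is the default domain) to its (low, high) range."""
    ranges = {}
    for key, val in opts.items():
        if key.startswith("idmap config") and key.endswith("range"):
            dom = key[len("idmap config"):].rsplit(":", 1)[0].strip()
            ranges[dom] = parse_range(val)
    return ranges


def audit(opts: Dict[str, str]) -> List[str]:
    findings = []
    ranges = idmap_ranges(opts)
    names = sorted(ranges)
    for i, a in enumerate(names):
        lo_a, hi_a = ranges[a]
        if lo_a <= LOCAL_SYSTEM_MAX_ID:
            findings.append(f"idmap range for {a} ({lo_a}-{hi_a}) reaches into local system IDs "
                            f"0-{LOCAL_SYSTEM_MAX_ID}: a uidNumber set in AD can collide with a local system account")
        for b in names[i + 1:]:
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"idmap ranges for {a} ({lo_a}-{hi_a}) and {b} ({lo_b}-{hi_b}) "
                                "overlap; Samba requires disjoint ranges")
    # Samba's default (assumed here) is 'sign': winbind's LDAP traffic to the DC
    # is integrity protected but readable on the wire unless 'seal' is set.
    if opts.get("client ldap sasl wrapping", "sign").lower() != "seal":
        findings.append("client ldap sasl wrapping is not 'seal': winbind's LDAP queries to the DC "
                        "are signed but not encrypted")
    for key in ("winbind enum users", "winbind enum groups"):
        if opts.get(key, "no").lower() == "yes":
            findings.append(f"{key} = yes lets any local process enumerate the whole domain; "
                            "set it to no unless something needs getent to list every account")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(MEMBER_SMB_CONF)):
        print("-", finding)
```

Point it at a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); it complements testparm, which validates syntax but not these choices.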

Things using LDAP

Anything that needs to bind to LDAP to get a list of users can no longer do so anonymously, and the connection still has to be encrypted (LDAPS on port 636 or StartTLS on 389; the Samba AD DC's ldap server require strong auth option, which defaults to yes, rejects a simple bind that is not protected by TLS). In AD, create a new bind user for the service called bind-<servicename>, put it in the Service Accounts group, make that its primary group, and then remove it from Domain Users (AD will not remove a user from its current primary group, so the order matters). Use one such account per service, give it no rights beyond reading the directory, and treat its password like any other service credential. Then you can use this user to bind to the server.
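
Added example, not part of the page: why the encryption requirement matters, shown at the wire level in Python with only the standard library. simple_bind builds an LDAP simple BindRequest exactly as a client sends it, parse_bind recovers the DN and password from those bytes the way anyone on the path to port 389 could, and starttls_request builds the StartTLS extended request a client must send first (before the bind) so that the bind travels inside TLS. The bind DN and password are constructed for the example.

```python
from typing import Optional, Tuple

# Constructed bind identity for the example (not a real account).
EXAMPLE_DN = "CN=bind-webmail,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au"
EXAMPLE_PASSWORD = "correct horse battery staple"
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ldap_message(msg_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }"""
    return tlv(0x30, ber_int(msg_id) + op)


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0]: version 3, name, AuthenticationChoice simple [0].
    The password is a plain OCTET STRING; nothing in the protocol hides it."""
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] with requestName [0] = StartTLS OID.
    A client sends this first so that the following bind is inside TLS."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind(packet: bytes) -> Optional[Tuple[str, str]]:
    """What a passive observer of an unencrypted port-389 session gets from a
    simple bind: the DN and the password. Returns None for anything else."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _, p = read_tlv(msg, 0)            # messageID
    tag, bind, _ = read_tlv(msg, p)
    if tag != 0x60:                       # not a BindRequest
        return None
    _, _, p = read_tlv(bind, 0)           # version
    _, dn, p = read_tlv(bind, p)
    tag, cred, _ = read_tlv(bind, p)
    if tag != 0x80:                       # SASL (e.g. GSSAPI) credentials, not a password
        return None
    return dn.decode(), cred.decode()


if __name__ == "__main__":
    captured = simple_bind(1, EXAMPLE_DN, EXAMPLE_PASSWORD)
    print("cleartext bind on the wire:", parse_bind(captured))
    print("StartTLS request:", starttls_request(1).hex())
```

The same bytes are what ldapsearch -x -D <dn> -W emits without -ZZ; with -ZZ (or an ldaps:// URL) the BindRequest is only ever seen inside the TLS record layer, which is the property the bind-<servicename> accounts depend on.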

Converted systems

  • Windows desktops
  • Linux desktops
  • Linux servers
    • Motsugo
    • Merlo
    • Mooneye
  • FreeBSD servers
    • Molmol
  • Webmail?
  • Adduser scripts
  • Proxmox
  • RADIUS (VPN & wireless)

dispense no longer has to back onto LDAP, so once Merlo is converted things should just work.

Unconverted systems

  • Windows server (Maaxen)
  • Linux servers
    • Mussel
    • Other machines
  • FreeBSD servers
    • Musdea
  • Solaris machines
  • Mac machines
  • Mail delivery (postfix, procmail, dovecot, all that fun stuff)