This page describes the current (2019) Active Directory configuration at UCC.
The Active Directory (AD) domain at UCC is ad.ucc.gu.uwa.edu.au, with the NetBIOS domain name UCCDOMAYNE. The primary Domain Controller (DC) is samson.ucc.gu.uwa.edu.au, which also serves authoritative DNS for ad.ucc.gu.uwa.edu.au.
For some background on why the Standard Operating Environment does what it does, see NewActiveDirectory. For outdated documentation and some info about the migration from the old LDAP domain, see OldActiveDirectory.
This page describes how to configure Linux systems to connect to an Active Directory domain as the database for users and groups.
Windows
These steps assume Windows 10.

1. Open File Explorer, right-click This PC and select Properties.
2. Under the Computer Name tab, select Change... and enter ad.ucc.gu.uwa.edu.au as the domain. Check that the computer name is correct and change it if necessary (Windows 10 generates a random name at install time).
3. When you click OK, enter the username and password of a UCC wheel member (i.e. someone with domain admin rights). Restart the computer at your convenience.
4. Congratulations, you have joined a computer to the domain.
Linux
System Security Services Daemon (sssd) or winbind - an introduction
Full section: https://wiki.ucc.asn.au/NewActiveDirectory/LinuxClients#sssd_or_winbind_-_an_introduction
TL;DR: sssd (https://pagure.io/SSSD/sssd) is great and winbind (https://www.samba.org/samba/docs/current/man-html/winbindd.8.html) generally sucks; I recommend configuring sssd manually because realmd (https://www.freedesktop.org/software/realmd/) is a bit unreliable.
Configuring SSSD
There is a very informative Red Hat article (https://access.redhat.com/articles/3023951) about configuring sssd manually. The following instructions are a functional adaptation of it. For a more detailed understanding of what these config files and options mean, start by reading the manpages for sssd, sssd-ad, sssd-krb5, sssd-ldap, sssd.conf, krb5.conf and smb.conf, and the article above.
These instructions are confirmed working on Linux Mint 19.1 (Tara), using sssd version 1.16.1 and samba-common-bin package version 4.7.6.
1. Install the necessary packages and uninstall the conflicting ones:

    apt -y install samba-common-bin samba-dsdb-modules sssd sssd-ad sssd-krb5 sssd-ldap sssd-tools krb5-user krb5-doc libpam-sss libnss-sss adcli libsasl2-modules-gssapi-mit
    apt -y purge winbind realmd libpam-krb5 libpam-ldap libpam-winbind libnss-ldap libnss-winbind
2. Move aside or remove any existing configuration files and stop the services (rm -f so that missing files do not abort the step):

    mv /etc/samba/smb.conf /etc/samba/smb.conf.old
    mv /etc/nsswitch.conf /etc/nsswitch.conf.old
    rm -f /etc/krb5.conf /etc/krb5.keytab /etc/sssd/sssd.conf
    systemctl stop sssd winbind samba-ad-dc smbd nmbd
3. Install the configs semi-automatically. The archive is unpacked over / as root, so list it first (tar -tzvf) and confirm it only contains the files under /etc shown in the Config file examples section before extracting:

    wget -O /tmp/ucc-ad-config.tar.gz https://www.ucc.asn.au/ucc-ad-config.tar.gz && tar -C / -xvzf /tmp/ucc-ad-config.tar.gz
4. Run pam-auth-update and check that SSS authentication is enabled and that winbind authentication (if present) is disabled.
5. Create the machine account in AD and produce a keytab for sssd containing the machine account credentials. If using a user other than Administrator, ensure they have sufficient privileges to join a machine to the domain.

    rm -f /etc/krb5.keytab
    kinit <wheel username here>
    net ads join --no-dns-updates -k
    # verify the machine account credentials are in the keytab:
    klist -k
6. Start the necessary services:

    systemctl restart sssd
7. Verify that you can see the correct user and group info using getent passwd and getent group respectively (and id <username> for a single user's group memberships). The output format is the same as the /etc/passwd and /etc/group files.
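As an added example (not code from the UCC wiki or from the ucc-ad-config package), the following POSIX sh script checks the result of the seven steps above on a freshly joined client: clock skew against the DC, the principals in /etc/krb5.keytab, and the shape of the NSS entry sssd returns. The realm default, the principals it expects (the machine account SHORT$@REALM and host/fqdn@REALM, which is what Samba's net ads join normally writes), and the sample lines in the comments are assumptions based on this page.

```shell
#!/bin/sh
# Added example: post-join checks for the sssd procedure above. Not part of
# the UCC wiki or the ucc-ad-config package. REALM and the expected principal
# names are assumptions taken from this page; override REALM if needed.
set -u

REALM="${REALM:-AD.UCC.GU.UWA.EDU.AU}"

# Principals that `net ads join` (with "kerberos method = secrets and keytab")
# normally writes to /etc/krb5.keytab and that sssd relies on: the machine
# account SHORT$@REALM and the host/ service principal for the FQDN.
expected_principals() {                         # $1 = fqdn, $2 = realm
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$2"
    printf 'host/%s@%s\n' "$1" "$2"
}

# Read a `klist -k` listing on stdin and print every required principal that
# is absent. Returns 0 only if nothing is missing. Case is ignored because the
# short host name may be stored in either case.
keytab_missing_principals() {                   # $1 = fqdn, $2 = realm
    listing=$(tr '[:upper:]' '[:lower:]')
    rc=0
    for p in $(expected_principals "$1" "$2"); do
        lp=$(printf '%s' "$p" | tr '[:upper:]' '[:lower:]')
        case "$listing" in
            *"$lp"*) ;;
            *) printf '%s\n' "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# Kerberos rejects requests when client and KDC clocks differ by more than
# 5 minutes (300 s); `net ads info` prints the difference as "Server time offset".
skew_ok() {                                     # $1 = offset in seconds, may be negative
    n=${1#-}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -le 300 ]
}

# Validate one `getent passwd <user>` line: numeric UID and GID, a home
# directory and a shell, and never UID 0 (a domain user must not map to root).
# With ldap_id_mapping = false these values come from the user's POSIX
# (RFC 2307) attributes in AD; a user without uidNumber yields no line at all.
passwd_line_ok() {                              # $1 = passwd line
    IFS=: read -r name _pw uid gid _gecos home shell <<EOF
$1
EOF
    [ -n "$name" ] && [ -n "$home" ] && [ -n "$shell" ] || return 1
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ne 0 ]
}

# Live checks against this host. Usage: sh ucc-ad-check.sh <username>
main() {
    fqdn=$(hostname -f)
    offset=$(net ads info 2>/dev/null | awk -F': *' '/Server time offset/ {print $2}')
    if skew_ok "${offset:-}"; then
        echo "clock skew ${offset}s: OK"
    else
        echo "clock skew '${offset:-unknown}' is not within 300s of the DC; fix NTP first" >&2
        return 1
    fi
    if klist -k | keytab_missing_principals "$fqdn" "$REALM"; then
        echo "keytab for $fqdn: OK"
    else
        echo "keytab is missing the principals above; re-run 'net ads join -k'" >&2
        return 1
    fi
    line=$(getent passwd "$1") || { echo "no NSS entry for $1" >&2; return 1; }
    passwd_line_ok "$line" && echo "$line" || { echo "malformed entry: $line" >&2; return 1; }
}

if [ $# -gt 0 ]; then main "$1"; fi
```

The checks are ordered the way failures usually surface: a clock more than five minutes off makes kinit and net ads join fail with a skew error, a keytab without the machine principal makes sssd unable to bind, and only then is an NSS lookup meaningful. The UID 0 check is there because a domain account whose uidNumber attribute is 0 would become root on every client that trusts the directory.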
Diagnostics

Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache:

- sss_cache -E if using sssd
- net cache flush if using winbind
- If neither has any effect, try rejoining the domain (the net ads join step above).
You can edit directory objects directly with ldapvi (you need a valid Kerberos ticket, hence the kinit):

    kinit; ldapvi -b dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au --host AD.UCC.GU.UWA.EDU.AU -Y GSSAPI
Config file examples

These should be the same as those in the config package (https://www.ucc.asn.au/ucc-ad-config.tar.gz), but they are reproduced here in case something breaks or the archive goes missing.
/etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    domains = ad.ucc.gu.uwa.edu.au
    services = nss, pam, pac

    # domain configuration: see manpages sssd.conf, sssd-ldap, sssd-krb5 and sssd-ad
    # see https://access.redhat.com/articles/3023951
    # needs correct configuration for: /etc/nsswitch.conf /etc/samba/smb.conf /etc/resolv.conf `pam-auth-update`
    [domain/AD.UCC.GU.UWA.EDU.AU]
    enumerate = true
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    ldap_id_mapping = false
    cache_credentials = true
    # if you want to use a custom CA certificate for AD
    #ldap_tls_cacert = /etc/sssd/ucc-ad-ca.cer
    # or just allow invalid (self-signed) certificates
    ldap_tls_reqcert = allow
    # allow local users to be included in AD groups
    ldap_rfc2307_fallback_to_local_users = true

Two caveats on this file. enumerate = true makes getent passwd list every domain user, which is convenient on a domain this size but expensive on large ones. ldap_tls_reqcert = allow turns off certificate verification; the AD provider authenticates its LDAP connection with the machine keytab over SASL/GSSAPI, so this setting only comes into play if StartTLS or LDAPS is used, and in that case the right fix is to set ldap_tls_cacert to the domain CA and use demand instead.
/etc/nsswitch.conf

    # /etc/nsswitch.conf
    passwd:     compat systemd sss
    group:      compat systemd sss
    shadow:     compat sss
    gshadow:    files
    hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
    networks:   files
    protocols:  db files
    services:   db files sss
    ethers:     db files
    rpc:        db files
    netgroup:   nis sss
/etc/krb5.conf

    [libdefaults]
    default_realm = AD.UCC.GU.UWA.EDU.AU
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes

rdns = false stops the Kerberos library from canonicalising server names via reverse DNS, which otherwise produces "wrong principal" errors when a host's PTR record does not match the name in its keytab.
/etc/samba/smb.conf

    [global]
    realm = AD.UCC.GU.UWA.EDU.AU
    workgroup = UCCDOMAYNE
    security = ads
    client signing = mandatory
    client use spnego = yes
    tls enabled = yes
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    log file = /var/log/samba/%m.log

kerberos method = secrets and keytab together with dedicated keytab file is what makes net ads join write the machine credentials into /etc/krb5.keytab, where sssd expects them; client signing = mandatory refuses unsigned SMB sessions to the DC.