Differences between revisions 21 and 23 (spanning 2 versions)
Revision 21 as of 2017-10-04 14:55:17
Size: 3033
Editor: ZackWong
Comment:
Revision 23 as of 2017-10-06 14:16:41
Size: 3563
Editor: chubsucker
Comment:
Line 51: Line 51:
# Global parameters
Line 53: Line 52:
        netbios name = SAMSON
        realm = ADTEST.UCC.GU.UWA.EDU.AU
# Configure the domain infomation
        security = ads
        realm = adtest.ucc.gu.uwa.edu.au
Line 56: Line 56:
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
Line 59: Line 57:
[netlogon]
        path = /var/lib/samba/sysvol/adtest.ucc.gu.uwa.edu.au/scripts
        read only = No
# use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab
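Review bot: `winbind enum users = yes` and `winbind enum groups = yes` make winbindd enumerate the whole domain every time something calls `getent passwd` or `getent group` with no name, which smb.conf(5) warns is slow on large domains; they are not needed for logins or for `getent group <name>`, so consider returning them to the default `no` once the `getent group` test has been done. The `kerberos method = secrets and keytab` line is right for a domain member but deserves a comment saying that with it `net ads join` writes the machine keytab to /etc/krb5.keytab, since that is what later Kerberos-based services on the host rely on.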
Line 63: Line 63:
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
#Config gid/sid mapping based on AD attributes
        winbind nss info = rfc3207

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        
        #idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config SAMDOM:unix_primary_group = yes
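Review bot: `winbind nss info = rfc3207` is a typo for `rfc2307` (RFC 3207 is SMTP STARTTLS); it is not one of the values smb.conf(5) documents (template, sfu, sfu20, rfc2307), so winbind will not read unixHomeDirectory/loginShell from AD as the comment above it intends. In the same hunk, `idmap config SAMDOM:unix_primary_group = yes` keeps the Samba wiki's example domain name, so it never applies to UCCDOMAYNE; change it to `idmap config UCCDOMAYNE:unix_primary_group = yes`. Finally the `*` range 13000-17999 lies inside the UCCDOMAYNE range 1-999999, and the Samba idmap documentation requires the ranges of different idmap configurations not to overlap (the tdb allocator could hand out an ID equal to a real uidNumber); 1-999 also collides with root and the local system accounts, so move the `*` range outside the AD range and raise the AD range's lower bound if no AD uidNumber is below 1000.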
Line 70: Line 78:
  - This needs to be done by a Domain Admin.
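Review bot: deleting "This needs to be done by a Domain Admin." leaves `net ads join -U <username>` with no statement of what the account must be able to do; keep a line saying the account must be allowed to create the computer object in the domain (a Domain Admin can; by default ordinary domain users can too, up to the ms-DS-MachineAccountQuota limit), rather than dropping the hint altogether.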
Line 72: Line 79:
* configure pam
Line 73: Line 81:
* configure `nssswitch.conf`

* start the services:
{{{
winbindd
nmbd
smbd
}}}

* test the to make sure it works with:
`getent group`

* run `pam-auth-update` and enable the winbind module.

This page describes the migration to, and the current setup of, the Active Directory domain at UCC.

The primary DNS server for the domain is molmol.ucc.gu.uwa.edu.au.

Upgrade/Setup Process

The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au.

The Active Directory test domain at UCC is adtest.ucc.gu.uwa.edu.au. The primary server for the test domain is samson.ucc.gu.uwa.edu.au.

ad{,test}.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local

Samson's test domain is set up by:

  • apt-get install samba winbind chrony

  • Stop and disable the systemd units of the stock (non-DC) setup and remove the default configuration:

systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf
  • scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc

  • scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/

  • scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/

  • Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc

  • Comment out the ZFS-specific entries in /opt/smb.conf.pdc.

  • samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc

Windows systems

Just join them to the domain. A machine account does not need to be created beforehand: the join creates the computer object itself, using the credentials of the account doing the join.

Linux systems

Based on the instructions at https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM, adding a Linux system is as follows:

* ensure the system is configured according to the standard SOE

* edit /etc/krb5.conf with the following. Kerberos realm names are case-sensitive and an AD realm is the uppercase form of its DNS name, so default_realm must be uppercase; with a lowercase realm the KDC's reply (which carries the canonical uppercase realm) is rejected by the Kerberos library.

   [libdefaults]
        default_realm = ADTEST.UCC.GU.UWA.EDU.AU
        dns_lookup_realm = false
        dns_lookup_kdc = true

* Change /etc/samba/smb.conf:

[global]
# Configure the domain information
        security = ads
        # Kerberos realm, uppercase, the same as default_realm in /etc/krb5.conf
        realm = ADTEST.UCC.GU.UWA.EDU.AU
        workgroup = UCCDOMAYNE

# use winbind to map users and groups
        # enum users/groups lets a bare getent list the domain; costly on big domains
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        # keep the machine account in secrets.tdb and a keytab so the host can use Kerberos
        kerberos method = secrets and keytab

# Config uid/gid mapping based on the RFC 2307 attributes stored in AD
# (uidNumber, gidNumber, unixHomeDirectory, loginShell)
        winbind nss info = rfc2307

        # fallback mapping for BUILTIN and any other domain; its range must not
        # overlap the UCCDOMAYNE range below (Samba requires idmap ranges to be disjoint)
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999

        #idmap config for UCCDOMAYNE: take uidNumber/gidNumber from AD. Only IDs
        # inside the range are accepted; 1-999 collides with root and the local
        # system accounts, so raise the lower bound if no AD uidNumber is below 1000.
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config UCCDOMAYNE:unix_primary_group = yes

* Join the domain with: net ads join -U <username> (an account allowed to create the computer object in the domain). With kerberos method = secrets and keytab, the join also writes the machine keytab to /etc/krb5.keytab.

* configure PAM: run pam-auth-update and enable the winbind module.

* configure /etc/nsswitch.conf so that user and group lookups go through winbind (add winbind to the passwd: and group: lines).

* start the services (the systemd units are winbind, nmbd and smbd):

winbindd
nmbd
smbd

* test that it works with: getent group, which should now list domain groups alongside the local ones (getent passwd does the same for users).
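A small linter for the two files edited in the steps above, written for this page as an added example (it is not UCC's or Samba's code). It parses the [global] section of smb.conf and the [libdefaults] section of krb5.conf and reports the mistakes that are easy to make when copying this configuration: a winbind nss info value that is not one smb.conf(5) documents (such as the typo rfc3207 for rfc2307), an idmap config entry for a domain name that is neither * nor the workgroup (a SAMDOM left over from the Samba wiki, which winbind silently ignores), an idmap backend with no range, idmap ranges that overlap each other or the local system account range 0-999, and a lowercase default_realm. The embedded sample configurations are constructed, with those mistakes deliberately present; the finding codes and function names are this example's own.

```python
"""Lint a Samba domain-member smb.conf and krb5.conf for common mistakes.

Finding codes (this example's own): NSS_INFO (unknown 'winbind nss info'),
IDMAP_DOMAIN (idmap config for a domain that is neither '*' nor the workgroup),
IDMAP_RANGE (idmap backend without a range), IDMAP_OVERLAP (ranges overlapping
each other or local system accounts), REALM_CASE (default_realm not uppercase).
"""
import re
import sys

# Constructed sample inputs with every mistake listed above deliberately present.
SAMPLE_SMB_CONF = """\
[global]
        security = ads
        realm = adtest.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE
        winbind nss info = rfc3207
        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config SAMDOM:unix_primary_group = yes
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = adtest.ucc.gu.uwa.edu.au
        dns_lookup_kdc = true
"""
# Values smb.conf(5) documents for "winbind nss info".
VALID_NSS_INFO = {"template", "sfu", "sfu20", "rfc2307"}


def parse_ini(text):
    """Parse '[section]' / 'key = value' text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # '#' and ';' start comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names; normalise both.
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def parse_range(value):
    """'13000-17999' or '13000 - 17999' -> (13000, 17999)."""
    return tuple(int(x) for x in re.split(r"\s*-\s*", value.strip(), maxsplit=1))


def lint_smb_conf(text, local_id_max=999):
    """Return findings for the [global] section; an empty list means clean."""
    findings = []
    g = parse_ini(text).get("global", {})
    workgroup = g.get("workgroup", "").lower()
    for token in g.get("winbind nss info", "template").split():
        if token.lower() not in VALID_NSS_INFO:
            findings.append(f"NSS_INFO: {token!r} is not one of {sorted(VALID_NSS_INFO)}")
    # Group 'idmap config DOMAIN:OPTION' keys as {domain: {option: value}}.
    idmap = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config\s*(\S+?)\s*:\s*(\S+)", key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value
    # IDs 0..local_id_max belong to root and local system accounts; no AD ID may land there.
    ranges = {"local accounts": (0, local_id_max)}
    for domain, opts in idmap.items():
        if domain not in ("*", workgroup):
            findings.append(f"IDMAP_DOMAIN: {domain!r} is neither '*' nor workgroup {workgroup!r}; never applied")
        if "range" in opts:
            ranges[domain] = parse_range(opts["range"])
        elif "backend" in opts:
            findings.append(f"IDMAP_RANGE: backend for {domain!r} has no range")
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
                findings.append(f"IDMAP_OVERLAP: {a!r} {a_lo}-{a_hi} overlaps {b!r} {b_lo}-{b_hi}")
    return findings


def lint_krb5_conf(text):
    """Kerberos realm names are case-sensitive; an AD realm is the uppercase DNS name."""
    realm = parse_ini(text).get("libdefaults", {}).get("default_realm", "")
    if realm and realm != realm.upper():
        return [f"REALM_CASE: default_realm {realm!r} should be {realm.upper()!r}"]
    return []


if __name__ == "__main__":
    # Lint the smb.conf and krb5.conf given as paths, or the samples above when run bare.
    smb, krb = map(lambda p: open(p).read(), sys.argv[1:3]) if len(sys.argv) == 3 else (SAMPLE_SMB_CONF, SAMPLE_KRB5_CONF)
    print("\n".join(lint_smb_conf(smb) + lint_krb5_conf(krb)) or "clean")
```

Saved as, say, lint_smb.py, run it as python3 lint_smb.py /etc/samba/smb.conf /etc/krb5.conf after editing the files and before net ads join; it prints one line per finding, or "clean". The overlap check treats the ranges as closed intervals, so adjacent ranges (1000-999999 and 1000000-1999999) pass while any shared ID is reported.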

Converted systems

Nothing yet!

dispense no longer has to back onto LDAP, so once Merlo is converted things should just work.

Unconverted systems

  • Windows desktops
  • Linux desktops
  • Windows server (Maaxen)
  • Linux servers
    • Mussel
    • Motsugo
    • Other machines
  • FreeBSD servers
    • Molmol
    • Musdea
  • Solaris machines
  • Webmail
  • RADIUS (VPN & wireless)
  • Mac machines
  • Adduser scripts
  • Proxmox