|
Size: 3563
Comment:
|
Size: 4415
Comment: fixed some typos and finished "Linux Systems" section
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 38: | Line 38: |
| Adding a Linux system is as follows: | Before configuring the domain ensure the following: * Install the required packages: `apt-get install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind` |
| Line 40: | Line 41: |
| ensure the system is configured according to the standard [[http://http://wiki.ucc.asn.au/SOE|SOE]] edit `/etc/krb5.conf` with: |
* Ensure the system is configured according to the [[http://http://wiki.ucc.asn.au/SOE|SOE]]. * edit `/etc/krb5.conf` to point to the new domain: |
| Line 49: | Line 51: |
| Change `/etc/samba/smb.conf`: | * Make the following `/etc/samba/smb.conf`: |
| Line 64: | Line 66: |
| winbind nss info = rfc3207 | winbind nss info = rfc2307 |
| Line 77: | Line 79: |
| * Join the domain with: `net ads join -U <username>`. | * Join the machine to the domain with: `net ads join -U <username>`. |
| Line 79: | Line 81: |
| * configure pam | * configure pam using `pam-auth-update` and enable `Winbind NT/AD authentication`. |
| Line 81: | Line 83: |
| * configure `nssswitch.conf` | * configure `nsswitch.conf` {{{ # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. |
| Line 83: | Line 91: |
| * start the services: | passwd: compat winbind group: compat winbind shadow: files gshadow: files hosts: files mdns4_minimal [NOTFOUND=return] dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis }}} * start the services: |
| Line 90: | Line 114: |
| * test the to make sure it works with: `getent group` |
* Make sure the computer can fetch the domain users and groups with: `wbinfo -g` and `wbinfo -u` |
| Line 93: | Line 117: |
| * run `pam-auth-update` and enable the winbind module. | |
| Line 96: | Line 119: |
| Nothing yet! | Windows * Catfish Linux * Chubsucker |
This page is for describing the migration and current setup of the Active Directory domain at UCC.
The primary DNS server for domain is molmol.ucc.gu.uwa.edu.au.
Upgrade/Setup Process
The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au.
The Active Directory test domain at UCC is adtest.ucc.gu.uwa.edu.au. The primary server for the test domain is samson.ucc.gu.uwa.edu.au.
ad{,test}.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local
Samson's test domain is set up by:
apt-get install samba winbind chrony
Disable the systemd units for the non-DC setup & default configuration:
systemctl stop smbd systemctl stop nmbd systemctl stop winbind systemctl disable smbd systemctl disable nmbd systemctl disable winbind rm /etc/samba/smb.conf
scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc
scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/
scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/
Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc
Comment out the ZFS-specific entries in /opt/smb.conf.pdc.
samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc
Windows systems
Just join them to the domain. Doesn't look like you need to create a machine account before joining?
Linux systems
Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM Before configuring the domain ensure the following:
Install the required packages: apt-get install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind
Ensure the system is configured according to the SOE.
edit /etc/krb5.conf to point to the new domain:
[libdefaults]
default_realm = adtest.ucc.gu.uwa.edu.au
dns_lookup_realm = false
dns_lookup_kdc = trueMake the following /etc/samba/smb.conf:
[global]
# Configure the domain infomation
security = ads
realm = adtest.ucc.gu.uwa.edu.au
workgroup = UCCDOMAYNE
# use winbind to map users and groups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
kerberos method = secrets and keytab
#Config gid/sid mapping based on AD attributes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 13000-17999
#idmap config for UCCDOMAYNE
idmap config UCCDOMAYNE:backend = ad
idmap config UCCDOMAYNE:schema_mode = rfc2307
idmap config UCCDOMAYNE:range = 1-999999
idmap config SAMDOM:unix_primary_group = yesJoin the machine to the domain with: net ads join -U <username>.
configure pam using pam-auth-update and enable Winbind NT/AD authentication.
configure nsswitch.conf
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: files gshadow: files hosts: files mdns4_minimal [NOTFOUND=return] dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
- start the services:
winbindd nmbd smbd
- Make sure the computer can fetch the domain users and groups with:
wbinfo -g and wbinfo -u
Converted systems
Windows
- Catfish
Linux
- Chubsucker
dispense no longer has to back onto LDAP, so once Merlo is converted then things should just work
Unconverted systems
- Windows desktops
- Linux desktops
- Windows server (Maaxen)
- Linux servers
- Mussel
- Motsugo
- Other machines
- FreeBSD servers
- Molmol
- Musdea
- Solaris machines
- Webmail
RADIUS (VPN & wireless)
- Mac machines
- Adduser scripts
- Proxmox
