Differences between revisions 4 and 40 (spanning 36 versions)
Revision 4 as of 2017-02-19 12:03:58
Size: 980
Editor: DavidAdam
Comment: formatting
Revision 40 as of 2018-09-15 23:07:20
Size: 8518
Editor: frekk
Comment:
Line 3: Line 3:
The primary DNS server for domain is `molmol.ucc.gu.uwa.edu.au`. The Active Directory domain at UCC will be `ad.ucc.gu.uwa.edu.au`, and the domain name is `UCCDOMAYNE`.
The primary DNS server for domain is `samson.ucc.gu.uwa.edu.au`.
The primary DC for domain is also `samson.ucc.gu.uwa.edu.au`, and a second DC is `samurai.ucc.gu.uwa.edu.au`.

== Diagnostics ==
Sometimes group memberships don't seem to be updated, this can often be fixed by clearing the cache:
 * `sss_cache -E` if using sssd
 * `net cache flush` if using winbind
 * Or if the above fails to have an effect, try rejoining to the domain using the instructions below.
Line 6: Line 14:

The Active Directory domain at UCC is `ad.ucc.gu.uwa.edu.au`.

The Active Directory test domain at UCC is `adtest.ucc.gu.uwa.edu.au`.

The primary DNS server for the domain is `molmol.ucc.gu.uwa.edu.au`.

The primary DNS server for the test domain is `mulmul.ucc.gu.uwa.edu.au`.

`ad{,test}.ucc.gu.uwa.edu.au` is delegated in the Zonemake config in Mooneye's `/etc/bind/domains/primary/ucc.machines`
=== Domain Controllers ===
`ad.ucc.gu.uwa.edu.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`

Samson's domain is set up by:
 * `apt install samba chrony krb5-user sssd sssd-ad sssd-krb5 sssd-tools libpam-krb5 libpam-sss libnss-sss`
 * Disable the systemd units for the non-DC setup & default configuration:
 . {{{
systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf
}}}

If upgrading from the old NT domain do:
 * `scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc`
 * `scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/`
 * `scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/`
 * Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in `/opt/smb.conf.pdc`
 * Comment out the ZFS-specific entries in `/opt/smb.conf.pdc`.
 * `samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc`

Otherwise when adding additional DC's to an existing domain:
 * Set the following settings in /etc/krb5.conf:
 . {{{
   [libdefaults]
 default_realm = ad.ucc.gu.uwa.edu.au
 dns_lookup_realm = false
 dns_lookup_kdc = true
}}}

 * verify kerberos with: `kinit <username>`
 * join the domain with: `samba-tool domain join ad.ucc.gu.uwa.edu.au DC -U"UCCDOMAYNE\username" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'`
  * You may see an error saying something about DNS not being configured, you can probably ignore it.
 * replicate the SYSVOL directory to the new DC, then fix the permissions with: `samba-tool ntacl sysvolreset`
 * start the samba service, the service may have a different name depending on the samba version used.
 . {{{
  service samba-ad-dc enable
  service samba-ad-dc start
}}}


For all domain controllers
 * copy `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` from another domain controller
 * enable sssd auth in pam via `pam-auth-update`
 * DO NOT use winbind on a Domain controller, it sucks for[[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC| multiple reasons]].

=== Windows systems ===

Just join them to the domain. Doesn't look like you need to create a machine account before joining?

=== Linux systems ===

==== Automatically using realmd ====

Thanks to [[https://freedesktop.org/software/realmd/docs|realmd]], joining machines to the domain is extremely simple.
 * Install packages: `apt install realmd`
 * Test to make sure you can connect to the domain: `realm discover ad.ucc.gu.uwa.edu.au`
 . This should produce output similar to the following: {{{
ad.ucc.gu.uwa.edu.au
  type: kerberos
  realm-name: AD.UCC.GU.UWA.EDU.AU
  domain-name: ad.ucc.gu.uwa.edu.au
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
}}}
 * Join to the domain using `realm join -v -U <user> ad.ucc.gu.uwa.edu.au`
   * realmd defaults to using sssd, which is fine
   * It installs any necessary packages.
   * IT JUST WORKS!!
    * Except for one thing: comment the line `use_fully_qualified_names = True` in `/etc/sssd/sssd.conf` (prefix with a `#`)
    * Then it works!
 * Done.

==== Manual Method ====

Based on the instructions from [[https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member]] and [[https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM]]
Before configuring the domain ensure the following:
 * Install the required packages: `apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind`

 * Ensure the system is configured according to the [[StandardOperatingEnvironment|SOE]].

 * edit `/etc/krb5.conf` to point to the new domain:
 . {{{
   [libdefaults]
 default_realm = ad.ucc.gu.uwa.edu.au
 dns_lookup_realm = false
 dns_lookup_kdc = true
}}}

 * Make the following `/etc/samba/smb.conf`:
 . {{{
[global]
# Configure the domain infomation
        security = ads
        realm = ad.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

#Config gid/sid mapping based on AD attributes
        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        
        #idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config UCCDOMAYNE:unix_nss_info = yes
        idmap config UCCDOMAYNE:unix_primary_group = yes

}}}

 * Join the machine to the domain with: `net ads join -U <username>`.

 * configure pam using `pam-auth-update` and enable `Winbind NT/AD authentication`.

 * configure `nsswitch.conf`
 . {{{
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: files
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

}}}
 * start the services:
 . {{{
winbindd
nmbd
smbd
}}}

 * Make sure the computer can fetch the domain users and groups with:
 . {{{
wbinfo -g` and `wbinfo -u`
}}}

== Things using LDAP ==
Anything that needs to bind to ldap to get a list of users can no longer do so anonymously. Encryption is still required. In AD, create a new bind user for the service called bind-<servicename>, put it in the Service Accounts group, and remove it from the Domain Users group. Then you can use this user to bind to the server.
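Review bot: the `/etc/samba/smb.conf` template's `idmap config UCCDOMAYNE:range = 1-999999` overlaps the local system account range (UID/GID 0-999 on Debian), so any AD user or group whose uidNumber/gidNumber is set below 1000 maps onto a local system account such as daemon or www-data; start the range at 1000 (or at the lowest UID migrated from the old domain) and keep it disjoint from `idmap config * : range = 13000-17999`, which it currently also covers. Two smaller points in the same hunk: `service samba-ad-dc enable` is not a `service` action (the earlier steps already use `systemctl`, so `systemctl enable samba-ad-dc` is what is meant), and "replicate the SYSVOL directory to the new DC" names no mechanism; Samba does not replicate SysVol itself, so the step needs an explicit rsync from the existing DC before `samba-tool ntacl sysvolreset`.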
Line 19: Line 188:
Nothing yet!

== Unconverted systems ==
Line 24: Line 190:
 * Linux servers
  * Motsugo
  * Merlo
  * Mooneye
 * FreeBSD servers
  * Molmol
 * Webmail?
 * Adduser scripts
 * Proxmox
 * RADIUS (VPN & wireless)
Line 25: Line 201:
 * Mail delivery (dovecot)


== Unconverted systems ==

Line 27: Line 209:
  * Motsugo
 
* Other machines
 * Other machines 
Line 30: Line 211:
  * Molmol
Line 33: Line 213:
 * Dispense
 * Webmail
 * RADIUS (VPN & wireless)
Line 37: Line 214:
 * Adduser scripts
 * Proxmox
 * Mail delivery (postfix, procmail, all that fun stuff)

This page describes the migration to, and the current setup of, the Active Directory domain at UCC.

The Active Directory domain at UCC is ad.ucc.gu.uwa.edu.au, and the short (NetBIOS) domain name is UCCDOMAYNE. The primary DNS server for the domain is samson.ucc.gu.uwa.edu.au. The primary DC for the domain is also samson.ucc.gu.uwa.edu.au, and a second DC is samurai.ucc.gu.uwa.edu.au.

Diagnostics

Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache of whichever backend the machine uses:

  • sss_cache -E if using sssd

  • net cache flush if using winbind

  • Or if the above fails to have an effect, try rejoining to the domain using the instructions below.

Upgrade/Setup Process

Domain Controllers

ad.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local

Samson's domain is set up by:

  • apt install samba chrony krb5-user sssd sssd-ad sssd-krb5 sssd-tools libpam-krb5 libpam-sss libnss-sss

  • Disable the systemd units for the non-DC setup & default configuration:

  • systemctl stop smbd
    systemctl stop nmbd
    systemctl stop winbind
    systemctl disable smbd
    systemctl disable nmbd
    systemctl disable winbind
    rm /etc/samba/smb.conf

If upgrading from the old NT domain do:

  • scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc

  • scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/

  • scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/

  • Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc

  • Comment out the ZFS-specific entries in /opt/smb.conf.pdc.

  • samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc

Otherwise when adding additional DC's to an existing domain:

  • Set the following settings in /etc/krb5.conf:

        [libdefaults]
            default_realm = ad.ucc.gu.uwa.edu.au
            dns_lookup_realm = false
            dns_lookup_kdc = true
  • verify Kerberos works with: kinit <username> (klist should then show a krbtgt/AD.UCC.GU.UWA.EDU.AU ticket)

  • join the domain with: samba-tool domain join ad.ucc.gu.uwa.edu.au DC -U"UCCDOMAYNE\username" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'

    • samba-tool may complain that DNS is not configured for the new DC; with the SAMBA_INTERNAL backend this can usually be ignored, but confirm afterwards that the new DC's A record and the _ldap._tcp.ad.ucc.gu.uwa.edu.au SRV record resolve.
  • replicate the SYSVOL directory to the new DC (Samba does not replicate SysVol itself, so rsync it from an existing DC), then fix the permissions with: samba-tool ntacl sysvolreset

  • enable and start the Samba AD DC service. The unit name may differ between samba versions, and on Debian the unit ships masked, so unmask it first:

        systemctl unmask samba-ad-dc
        systemctl enable samba-ad-dc
        systemctl start samba-ad-dc

For all domain controllers

  • copy /etc/nsswitch.conf and /etc/sssd/sssd.conf from another domain controller

  • enable sssd auth in pam via pam-auth-update

  • DO NOT use winbind for NSS/PAM on a Domain Controller; it is unsuitable for multiple reasons (see https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC).
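The additional-DC procedure above as one script, with the checks a practitioner wants before and after the join. This is an added example, not code from the UCC wiki: it assumes the existing DC is samson.ucc.gu.uwa.edu.au and reachable over ssh for the SysVol rsync, that SysVol lives at /var/lib/samba/sysvol on both DCs, and the Debian unit name samba-ad-dc. count_repl_failures parses the "N consecutive failure(s)." lines that samba-tool drs showrepl prints per replication link; the embedded showrepl output is a constructed, abridged sample so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the UCC wiki): join a new Samba DC to the realm and
# verify the result. Assumptions: EXISTING_DC, SYSVOL path and the samba-ad-dc
# unit name are the Debian/UCC defaults named in the lead-in.
set -eu

REALM="${REALM:-ad.ucc.gu.uwa.edu.au}"
WORKGROUP="${WORKGROUP:-UCCDOMAYNE}"
EXISTING_DC="${EXISTING_DC:-samson.ucc.gu.uwa.edu.au}"   # assumption: current primary DC
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"                # assumption: default SysVol path

# The SRV record a joining DC must be able to resolve for a realm.
ldap_srv_name() {
    printf '_ldap._tcp.%s\n' "$1"
}

# Count replication links that `samba-tool drs showrepl` reports with a
# non-zero "consecutive failure(s)" counter. Reads showrepl output on stdin.
count_repl_failures() {
    awk '/consecutive failure\(s\)/ && $1 != "0" { n++ } END { print n + 0 }'
}

# Hard requirements for the join: the realm's LDAP SRV record resolves and
# Kerberos works for the admin user (klist must show a krbtgt for the realm).
preflight() {
    user="$1"
    host -t SRV "$(ldap_srv_name "$REALM")" >/dev/null
    kinit "$user"
    klist | grep -q "krbtgt/$(printf '%s' "$REALM" | tr '[:lower:]' '[:upper:]')"
}

join_dc() {
    user="$1"
    samba-tool domain join "$REALM" DC -U"$WORKGROUP\\$user" \
        --dns-backend=SAMBA_INTERNAL \
        --option='idmap_ldb:use rfc2307 = yes'
    # Samba does not replicate SysVol: copy it from the existing DC, then reset ACLs.
    rsync -aAX --delete "root@$EXISTING_DC:$SYSVOL/" "$SYSVOL/"
    samba-tool ntacl sysvolreset
    # Debian ships samba-ad-dc masked until the DC role is deliberately enabled.
    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl start samba-ad-dc
}

# Post-join checks: no failing replication links, database sanity, and the
# new DC's own internal DNS answers for the realm's SRV record.
verify_dc() {
    failures=$(samba-tool drs showrepl | count_repl_failures)
    [ "$failures" -eq 0 ] || { echo "replication links failing: $failures" >&2; return 1; }
    samba-tool dbcheck
    host -t SRV "$(ldap_srv_name "$REALM")" 127.0.0.1
}

# Constructed, abridged sample of `samba-tool drs showrepl` output (one healthy
# link, one failing link) for exercising count_repl_failures offline.
SAMPLE_SHOWREPL='==== INBOUND NEIGHBORS ====

DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au
    Default-First-Site-Name\SAMSON via RPC
        Last attempt @ Sat Sep 15 22:59:01 2018 AWST was successful
        0 consecutive failure(s).
    Default-First-Site-Name\SAMURAI via RPC
        Last attempt @ Sat Sep 15 22:59:01 2018 AWST failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).'

# Usage: ./join-dc.sh <admin username>   (no arguments: define functions only)
if [ $# -gt 0 ]; then
    preflight "$1"
    join_dc "$1"
    verify_dc
fi
```

Run it as root on the new DC with the admin username as its only argument; it stops at the first failing step because of set -e, so a broken SRV record or a non-working kinit is reported before samba-tool is ever invoked.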

Windows systems

Just join them to the domain. A machine account does not need to be created before joining: by default AD (Samba included) lets any domain user join up to 10 computers via the ms-DS-MachineAccountQuota attribute. That is convenient, but it also means any domain user can add machine accounts; set the quota to 0 if joins should be limited to pre-created computer accounts.

Linux systems

Automatically using realmd

Thanks to realmd, joining machines to the domain is extremely simple.

  • Install packages: apt install realmd

  • Test to make sure you can connect to the domain: realm discover ad.ucc.gu.uwa.edu.au

  • This should produce output similar to the following:

    ad.ucc.gu.uwa.edu.au
      type: kerberos
      realm-name: AD.UCC.GU.UWA.EDU.AU
      domain-name: ad.ucc.gu.uwa.edu.au
      configured: no
      server-software: active-directory
      client-software: sssd
      required-package: sssd-tools
      required-package: sssd
      required-package: libnss-sss
      required-package: libpam-sss
      required-package: adcli
      required-package: samba-common-bin
  • Join to the domain using realm join -v -U <user> ad.ucc.gu.uwa.edu.au

    • realmd defaults to using sssd, which is fine
    • It installs any necessary packages.
    • It just works, with one exception: comment out the line use_fully_qualified_names = True in /etc/sssd/sssd.conf (prefix it with a #) and restart sssd, so that users log in as username rather than username@ad.ucc.gu.uwa.edu.au.
  • Done.

Manual Method

Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM.

Before configuring the domain ensure the following:

  • Install the required packages: apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind

  • Ensure the system is configured according to the SOE.

  • edit /etc/krb5.conf to point to the new domain:

        [libdefaults]
            default_realm = ad.ucc.gu.uwa.edu.au
            dns_lookup_realm = false
            dns_lookup_kdc = true
  • Make the following /etc/samba/smb.conf:

    [global]
    # Configure the domain information
            security = ads
            realm = ad.ucc.gu.uwa.edu.au
            workgroup = UCCDOMAYNE

    # use winbind to map users and groups
            winbind enum users = yes
            winbind enum groups = yes
            winbind use default domain = yes
            kerberos method = secrets and keytab

    # Configure uid/gid to SID mapping based on the AD rfc2307 attributes
            winbind nss info = rfc2307

            idmap config * : backend = tdb
            idmap config * : range = 13000-17999

            # idmap config for UCCDOMAYNE: uids/gids come from uidNumber/gidNumber in AD.
            # Note: this range starts below the local system accounts (UID/GID 0-999), so
            # an AD uidNumber in that range would shadow a local account, and it overlaps
            # the "*" range above.
            idmap config UCCDOMAYNE:backend = ad
            idmap config UCCDOMAYNE:schema_mode = rfc2307
            idmap config UCCDOMAYNE:range = 1-999999
            idmap config UCCDOMAYNE:unix_nss_info = yes
            idmap config UCCDOMAYNE:unix_primary_group = yes
  • Join the machine to the domain with: net ads join -U <username>.

  • configure pam using pam-auth-update and enable Winbind NT/AD authentication.

  • configure nsswitch.conf so that passwd and group lookups fall through to winbind:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         compat winbind
    group:          compat winbind
    shadow:         files
    gshadow:        files

    hosts:          files mdns4_minimal [NOTFOUND=return] dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis
  • start the services:

        systemctl enable winbind nmbd smbd
        systemctl start winbind nmbd smbd

  • Make sure the join worked and the computer can fetch the domain users and groups with:

        net ads testjoin
        wbinfo -t
        wbinfo -u
        wbinfo -g
        getent passwd <username>
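The post-join checks and cache handling for a Linux domain member, whichever backend it uses, as one script. This is an added example rather than code from the UCC wiki, and it covers three passages above: the Diagnostics cache flush, the realmd method's use_fully_qualified_names edit, and the manual method's nsswitch.conf and join verification. It assumes the standard paths /etc/nsswitch.conf and /etc/sssd/sssd.conf; the sample nsswitch and sssd.conf fragments embedded in it are constructed, and only flush_cache and verify_member touch the live system.

```shell
#!/bin/sh
# Added example (not from the UCC wiki): backend detection, idempotent config
# edits, cache flushing and join verification for an AD domain member.
set -eu

# Which AD backend nsswitch.conf uses for passwd lookups: "sss", "winbind" or
# "none". Reads nsswitch.conf text on stdin.
nss_backend() {
    awk '/^passwd:/ {
            if ($0 ~ /sss/) print "sss"; else if ($0 ~ /winbind/) print "winbind"; else print "none"
            found = 1; exit
         }
         END { if (!found) print "none" }'
}

# Manual method: append "winbind" to the passwd and group lines if it is not
# already there. Safe to run repeatedly.
ensure_winbind_in_nsswitch() {
    awk '/^(passwd|group):/ && $0 !~ /winbind/ { $0 = $0 " winbind" } { print }'
}

# realmd method: comment out use_fully_qualified_names = True so users log in
# as "user" rather than "user@ad.ucc.gu.uwa.edu.au". Safe to run repeatedly.
disable_fqn_in_sssd() {
    sed -E 's/^[[:space:]]*(use_fully_qualified_names[[:space:]]*=[[:space:]]*[Tt]rue)/# \1/'
}

# Diagnostics: clear the cache of whichever backend is configured.
flush_cache() {
    case "$(nss_backend < /etc/nsswitch.conf)" in
        sss)     sss_cache -E ;;
        winbind) net cache flush ;;
        *)       echo "no AD backend in /etc/nsswitch.conf" >&2; return 1 ;;
    esac
}

# Check the machine's join and that NSS resolves a domain user and its groups.
verify_member() {
    user="$1"
    case "$(nss_backend < /etc/nsswitch.conf)" in
        winbind) net ads testjoin; wbinfo -t ;;   # machine account and trust secret
        sss)     realm list ;;                    # configured realm and its state
    esac
    getent passwd "$user"
    id "$user"
}

# Constructed sample inputs for running the transformers offline.
SAMPLE_NSSWITCH='passwd: compat
group: compat winbind
shadow: files
hosts: files dns'

SAMPLE_SSSD='[sssd]
domains = ad.ucc.gu.uwa.edu.au

[domain/ad.ucc.gu.uwa.edu.au]
use_fully_qualified_names = True'

# Usage: ./check-member.sh <username>   (no arguments: define functions only)
if [ $# -gt 0 ]; then
    flush_cache
    verify_member "$1"
fi
```

To apply the edits, filter the real files through the transformers and swap the result in (for example ensure_winbind_in_nsswitch < /etc/nsswitch.conf > /etc/nsswitch.conf.new, then review and rename), and restart sssd after changing sssd.conf; both transformers leave an already-fixed file unchanged.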

Things using LDAP

Anything that needs to bind to LDAP to get a list of users can no longer do so anonymously, and encryption (LDAPS on port 636, or STARTTLS on port 389) is still required. In AD, create a new bind user for the service called bind-<servicename>, put it in the Service Accounts group, and remove it from the Domain Users group. AD will not let you remove a user from its primary group, so make Service Accounts the account's primary group first, then remove Domain Users. Then you can use this user to bind to the server.
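The bind-account procedure above as a script, including the primary-group change that has to happen before Domain Users can be removed, and an LDAPS bind to prove the result. This is an added example, not the UCC wiki's own tooling; it assumes it runs as root on a DC, that sam.ldb is at /var/lib/samba/private/sam.ldb (the Debian default), that the base DN is DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au, and that ldb-tools and ldap-utils are installed. rid_from_sid and primary_group_ldif are plain string helpers and can be run offline.

```shell
#!/bin/sh
# Added example (not from the UCC wiki): create a least-privilege LDAP bind
# account bind-<servicename> that is a member of "Service Accounts" only.
set -eu

REALM="${REALM:-ad.ucc.gu.uwa.edu.au}"
DC_HOST="${DC_HOST:-samson.ucc.gu.uwa.edu.au}"
BASE_DN="${BASE_DN:-DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au}"          # assumption
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"                   # assumption: Debian default

bind_account_name() { printf 'bind-%s\n' "$1"; }

# The last component of a SID is the RID; primaryGroupID holds the group's RID.
rid_from_sid() { printf '%s\n' "$1" | sed 's/.*-//'; }

# LDIF that points an account's primaryGroupID at the given RID.
primary_group_ldif() {
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nreplace: primaryGroupID\nprimaryGroupID: %s\n' \
        "$1" "$2" "$3"
}

# objectSid of a group, read from the local sam.ldb on the DC.
group_sid() {
    ldbsearch -H "$SAM_DB" "(&(objectClass=group)(sAMAccountName=$1))" objectSid \
        | awk '/^objectSid:/ { print $2 }'
}

# Create the account, add it to Service Accounts, make that its primary group
# (AD refuses to remove a user from its primary group), then drop Domain Users.
create_bind_account() {
    svc="$1"
    acct=$(bind_account_name "$svc")
    samba-tool user create "$acct" --description="LDAP bind account for $svc"
    samba-tool group addmembers "Service Accounts" "$acct"
    rid=$(rid_from_sid "$(group_sid "Service Accounts")")
    primary_group_ldif "$acct" "$BASE_DN" "$rid" | ldbmodify -H "$SAM_DB"
    samba-tool group removemembers "Domain Users" "$acct"
}

# Prove the account can bind over LDAPS and enumerate users; an ldap:// URL
# without STARTTLS would violate the encryption requirement stated above.
verify_bind() {
    acct=$(bind_account_name "$1")
    ldapsearch -H "ldaps://$DC_HOST" -D "$acct@$REALM" -W -b "$BASE_DN" \
        '(&(objectClass=user)(objectCategory=person))' sAMAccountName
}

# Usage: ./bind-account.sh <servicename>   (no arguments: define functions only)
if [ $# -gt 0 ]; then
    create_bind_account "$1"
    verify_bind "$1"
fi
```

samba-tool user create prompts for the password, and ldapsearch -W prompts for it again at verification time; if the LDAPS bind fails with a certificate error, fix the trust for the DC's certificate rather than falling back to an unencrypted bind.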

Converted systems

  • Windows desktops
  • Linux desktops
  • Linux servers
    • Motsugo
    • Merlo
    • Mooneye
  • FreeBSD servers
    • Molmol
  • Webmail?
  • Adduser scripts
  • Proxmox
  • RADIUS (VPN & wireless)

  • Windows server (Maaxen)
  • Mail delivery (dovecot)

Unconverted systems

  • Linux servers
    • Mussel
  • Other machines
  • FreeBSD servers
    • Musdea
  • Solaris machines
  • Mac machines
  • Mail delivery (postfix, procmail, all that fun stuff)