Differences between revisions 41 and 42
Revision 41 as of 2019-06-24 20:22:12
Size: 8589
Editor: cobra
Comment: Funky UID funnies in new versions of realmd
Revision 42 as of 2019-07-16 19:03:23
Size: 6352
Editor: frekk
Comment:
Line 1: Line 1:
This page is for describing the migration and current setup of the Active Directory domain at UCC. '''This page describes the current (2019) Active Directory configuration at UCC.'''
Line 3: Line 3:
The Active Directory domain at UCC will be `ad.ucc.gu.uwa.edu.au`, and the domain name is `UCCDOMAYNE`.
The primary DNS server for domain is `samson.ucc.gu.uwa.edu.au`.
The primary DC for domain is also `samson.ucc.gu.uwa.edu.au`, and a second DC is `samurai.ucc.gu.uwa.edu.au`.
The Active Directory (AD) domain at UCC is `ad.ucc.gu.uwa.edu.au` with the NETBIOS domain name `UCCDOMAYNE`.
The primary Domain Controller (DC) `samson.ucc.gu.uwa.edu.au` which also serves authoritative DNS for `ad.ucc.gu.uwa.edu.au`.
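Review bot: the new second sentence has no main verb; it should read "The primary Domain Controller (DC) is `samson.ucc.gu.uwa.edu.au`, which also serves authoritative DNS for `ad.ucc.gu.uwa.edu.au`." The deleted text also named a second DC, `samurai.ucc.gu.uwa.edu.au`; if it is still a DC, keep it listed here so readers know there is more than one.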
Line 7: Line 6:
== Diagnostics == For some background on why the [[StandardOperatingEnvironment|Standard Operating Environment]] does what it does, see [[NewActiveDirectory]]. For outdated documentation and some info about the migration from the old LDAP domain, see [[OldActiveDirectory]].

This page describes how to configure Linux systems to connect to an Active Directory domain as the database for users and groups.

<<TableOfContents>>

== Windows ==

Assumed you are using Windows 10.

 1. Open File Explorer, right click on '''My PC''' and select '''Properties'''.
 2. Under the '''Computer Name''' tab, select '''Change...''' and enter `ad.ucc.gu.uwa.edu.au` as the domain. Make sure the computer name is also correct, change it if necessary (Windows 10 generates a random name when you install it).
 3. When you click OK, enter a UCC wheel username/password (aka someone who has domain admin permissions). Restart the computer at your convenience.
 4. Congratulations, you have joined a computer to the domain.

== Linux ==

=== System Security Services Daemon (sssd) or winbind - an introduction ===

Full section [[https://wiki.ucc.asn.au/NewActiveDirectory/LinuxClients#sssd_or_winbind_-_an_introduction|here]].

'''TL;DR:''' [[https://pagure.io/SSSD/sssd|sssd]] is great and [[https://www.samba.org/samba/docs/current/man-html/winbindd.8.html|winbind]] generally sucks, I recommend configuring `sssd` manually because [[https://www.freedesktop.org/software/realmd/|realmd]] is a bit unreliable.

=== Configuring SSSD ===

There is a very informative [[https://access.redhat.com/articles/3023951|Red Hat article]] about configuring `sssd` manually. The following instructions are a functional adaptation. For a more detailed understanding of what these config files and options mean, please start by reading the manpages for sssd, sssd-ad, sssd-krb5, sssd-ldap, sssd.conf, krb5.conf and smb.conf and the above article.

These instructions are confirmed working on Linux Mint 19.1 (Tara), using `sssd` version 1.16.1 and `samba-common-bin` package version 4.7.6.

 1. Install the necessary packages and uninstall the bad ones: {{{
apt-get -y install samba-common-bin samba-dsdb-modules sssd sssd-ad sssd-krb5 sssd-ldap sssd-tools krb5-user krb5-doc libpam-sss libnss-sss adcli libsasl2-modules-gssapi-mit
apt-get -y remove winbind realmd libpam-krb5 libpam-ldap libpam-winbind libnss-ldap libnss-winbind
}}}
 2. Remove any configuration files if they exist and stop services: {{{
mv /etc/samba/smb.conf /etc/samba/smb.conf.old
mv /etc/nsswitch.conf /etc/nsswitch.conf.old
rm /etc/krb5.conf /etc/krb5.keytab /etc/sssd/sssd.conf
systemctl stop sssd winbind samba-ad-dc smbd nmbd
}}}
 3. Install the configs semi-automatically: {{{
wget -O /tmp/ucc-ad-config.tar.gz https://www.ucc.asn.au/ucc-ad-config.tar.gz && tar -C / -xvzf /tmp/ucc-ad-config.tar.gz
}}}
 4. Run `pam-auth-update` and check that `SSS authentication` is enabled and that `winbind authentication` (if present) is disabled.
 5. Create the machine account in AD and produce a keytab for sssd containing the machine account credentials. If using a user other than `Administrator`, ensure they have sufficient privileges to join a machine to the domain. {{{
rm /etc/krb5.keytab
kinit <wheel username here>
net ads join --no-dns-updates -k
# verify the machine account credentials are in the keytab:
klist -k
}}}
 6. Start the necessary services: {{{
systemctl restart sssd
}}}
 7. Verify that you can see the correct user and group info using `getent passwd` and `getent group` respectively. The output format is equivalent to the `/etc/passwd` and `/etc/group` files.

=== Diagnostics ===
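Review bot: step 3 unpacks https://www.ucc.asn.au/ucc-ad-config.tar.gz straight over `/` as root with no integrity check, and whatever that archive contains becomes the machine's `/etc/sssd/sssd.conf`, `/etc/krb5.conf` and `/etc/samba/smb.conf` (step 2 has just deleted the originals). Suggest publishing a checksum next to the archive and verifying it in this step, or at least listing the contents with `tar -tzf /tmp/ucc-ad-config.tar.gz` before `tar -C / -xvzf`, and naming the files the archive installs so readers can compare them with the "Config file examples" section.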
Line 13: Line 67:
== Upgrade/Setup Process ==
=== Domain Controllers ===
`ad.ucc.gu.uwa.edu.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`
=== Config file examples ===
Line 17: Line 69:
Samson's domain is set up by:
 * `apt install samba chrony krb5-user sssd sssd-ad sssd-krb5 sssd-tools libpam-krb5 libpam-sss libnss-sss`
 * Disable the systemd units for the non-DC setup & default configuration:
 . {{{
systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf
These should be the same as in the config package ([[https://www.ucc.asn.au/ucc-ad-config.tar.gz]] but here they are in case something gets broken or that archive goes missing.

  * `/etc/sssd/sssd.conf` {{{
[sssd]
config_file_version = 2
domains = ad.ucc.gu.uwa.edu.au
services = nss, pam, pac

# domain configuration: see manpages sssd.conf, sssd-ldap, sssd-krb5 and sssd-ad
# see https://access.redhat.com/articles/3023951
# needs correct configution for: /etc/nsswitch.conf /etc/samba/smb.conf /etc/resolv.conf `pam-auth-update`
[domain/AD.UCC.GU.UWA.EDU.AU]
enumerate = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_id_mapping = false

cache_credentials = true
# if you want to use a custom CA certificate for AD
#ldap_tls_cacert = /etc/sssd/ucc-ad-ca.cer
# or just allow invalid (self-signed) certificates
ldap_tls_reqcert = allow

# allow local users to be included in AD groups
ldap_rfc2307_fallback_to_local_users = true
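Review bot: `ldap_tls_reqcert = allow` makes sssd accept a DC certificate that does not verify (or none at all), so the LDAP channel this host fetches its users and groups over is not authenticated. The file already has a slot for the CA (`#ldap_tls_cacert = /etc/sssd/ucc-ad-ca.cer`); ship that CA file in the config package, uncomment the line and set `ldap_tls_reqcert = demand`. Minor: "configution" in the comment should be "configuration".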
Line 29: Line 97:
  * `/etc/nsswitch.conf` {{{
# /etc/nsswitch.conf
Line 30: Line 100:
If upgrading from the old NT domain do:
 * `scp [email protected]:/usr/local/etc/smb4.conf /opt/smb.conf.pdc`
 * `scp [email protected]:/var/db/samba4/\*.tdb /opt/samba-db/`
 * `scp [email protected]:/var/db/samba4/private/\*.tdb /opt/samba-db/`
 * Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in `/opt/smb.conf.pdc`
 * Comment out the ZFS-specific entries in `/opt/smb.conf.pdc`.
 * `samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc`

Otherwise when adding additional DC's to an existing domain:
 * Set the following settings in /etc/krb5.conf:
 . {{{
   [libdefaults]
 default_realm = ad.ucc.gu.uwa.edu.au
 dns_lookup_realm = false
 dns_lookup_kdc = true
}}}

 * verify kerberos with: `kinit <username>`
 * join the domain with: `samba-tool domain join ad.ucc.gu.uwa.edu.au DC -U"UCCDOMAYNE\username" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'`
  * You may see an error saying something about DNS not being configured, you can probably ignore it.
 * replicate the SYSVOL directory to the new DC, then fix the permissions with: `samba-tool ntacl sysvolreset`
 * start the samba service, the service may have a different name depending on the samba version used.
 . {{{
  service samba-ad-dc enable
  service samba-ad-dc start
}}}


For all domain controllers
 * copy `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` from another domain controller
 * enable sssd auth in pam via `pam-auth-update`
 * DO NOT use winbind on a Domain controller, it sucks for[[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC| multiple reasons]].

=== Windows systems ===

Just join them to the domain. Doesn't look like you need to create a machine account before joining?

=== Linux systems ===

==== Automatically using realmd ====

Thanks to [[https://freedesktop.org/software/realmd/docs|realmd]], joining machines to the domain is extremely simple.
 * Install packages: `apt install realmd`
 * Test to make sure you can connect to the domain: `realm discover ad.ucc.gu.uwa.edu.au`
 . This should produce output similar to the following: {{{
ad.ucc.gu.uwa.edu.au
  type: kerberos
  realm-name: AD.UCC.GU.UWA.EDU.AU
  domain-name: ad.ucc.gu.uwa.edu.au
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
}}}
 * Join to the domain using `realm join -v -U <user> ad.ucc.gu.uwa.edu.au`
   * realmd defaults to using sssd, which is fine
   * It installs any necessary packages.
   * IT JUST WORKS!!
    * Except for two things:
      * comment the line `use_fully_qualified_names = True` in `/etc/sssd/sssd.conf` (prefix with a `#`)
      * Set `ldap_id_mapping = False` (fixes UID mappings)
    * Then it works!
 * Done.

==== Manual Method ====

Based on the instructions from [[https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member]] and [[https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM]]
Before configuring the domain ensure the following:
 * Install the required packages: `apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind`

 * Ensure the system is configured according to the [[StandardOperatingEnvironment|SOE]].

 * edit `/etc/krb5.conf` to point to the new domain:
 . {{{
   [libdefaults]
 default_realm = ad.ucc.gu.uwa.edu.au
 dns_lookup_realm = false
 dns_lookup_kdc = true
}}}

 * Make the following `/etc/samba/smb.conf`:
 . {{{
[global]
# Configure the domain infomation
        security = ads
        realm = ad.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

#Config gid/sid mapping based on AD attributes
        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        
        #idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config UCCDOMAYNE:unix_nss_info = yes
        idmap config UCCDOMAYNE:unix_primary_group = yes

}}}

 * Join the machine to the domain with: `net ads join -U <username>`.

 * configure pam using `pam-auth-update` and enable `Winbind NT/AD authentication`.

 * configure `nsswitch.conf`
 . {{{
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: files
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
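Review bot: this hunk deletes the only copy on this page of the DC-side procedure (`samba-tool domain classicupgrade`, `samba-tool domain join ... DC`, `samba-tool ntacl sysvolreset`) and the winbind `smb.conf` with its idmap ranges. The new intro says the migration notes now live on OldActiveDirectory, so confirm they were actually copied there before this deletion lands; otherwise the DC rebuild steps are lost.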
Line 161: Line 105:
hosts: files mdns4_minimal [NOTFOUND=return] dns hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
Line 165: Line 109:
services: db files services: db files sss
Line 169: Line 113:
netgroup: nis
netgroup: nis sss
Line 172: Line 115:
 * start the services:
 . {{{
winbindd
nmbd
smbd
  * `/etc/krb5.conf` {{{
[libdefaults]
    default_realm = AD.UCC.GU.UWA.EDU.AU
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
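Review bot: the new `/etc/krb5.conf` sets `dns_lookup_realm = true`, where the config being removed had it `false`. With it on, an unauthenticated DNS TXT answer decides which Kerberos realm a hostname belongs to; since the realm is fixed here, `dns_lookup_realm = false` plus an explicit `[domain_realm]` mapping of `.ad.ucc.gu.uwa.edu.au` to `AD.UCC.GU.UWA.EDU.AU` is the safer choice.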
Line 178: Line 125:

 * Make sure the computer can fetch the domain users and groups with:
 . {{{
wbinfo -g` and `wbinfo -u`
  * `/etc/samba/smb.conf` {{{
[global]
        realm = AD.UCC.GU.UWA.EDU.AU
        workgroup = UCCDOMAYNE
        security = ads
        client signing = mandatory
        client use spnego = yes
        tls enabled = yes
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        log file = /var/log/samba/%m.log
Line 183: Line 137:

== Things using LDAP ==
Anything that needs to bind to ldap to get a list of users can no longer do so anonymously. Encryption is still required. In AD, create a new bind user for the service called bind-<servicename>, put it in the Service Accounts group, and remove it from the Domain Users group. Then you can use this user to bind to the server.


== Converted systems ==

 * Windows desktops
 * Linux desktops
 * Linux servers
  * Motsugo
  * Merlo
  * Mooneye
 * FreeBSD servers
  * Molmol
 * Webmail?
 * Adduser scripts
 * Proxmox
 * RADIUS (VPN & wireless)
 * Windows server (Maaxen)
 * Mail delivery (dovecot)


== Unconverted systems ==


 * Linux servers
  * Mussel
 * Other machines
 * FreeBSD servers
  * Musdea
 * Solaris machines
 * Mac machines
 * Mail delivery (postfix, procmail, all that fun stuff)

This page describes the current (2019) Active Directory configuration at UCC.

The Active Directory (AD) domain at UCC is ad.ucc.gu.uwa.edu.au with the NETBIOS domain name UCCDOMAYNE. The primary Domain Controller (DC) is samson.ucc.gu.uwa.edu.au, which also serves authoritative DNS for ad.ucc.gu.uwa.edu.au.

For some background on why the Standard Operating Environment does what it does, see NewActiveDirectory. For outdated documentation and some info about the migration from the old LDAP domain, see OldActiveDirectory.

This page describes how to configure Linux systems to connect to an Active Directory domain as the database for users and groups.

Windows

Assumed you are using Windows 10.

  1. Open File Explorer, right click on My PC and select Properties.

  2. Under the Computer Name tab, select Change... and enter ad.ucc.gu.uwa.edu.au as the domain. Make sure the computer name is also correct, change it if necessary (Windows 10 generates a random name when you install it).

  3. When you click OK, enter a UCC wheel username/password (aka someone who has domain admin permissions). Restart the computer at your convenience.
  4. Congratulations, you have joined a computer to the domain.

Linux

System Security Services Daemon (sssd) or winbind - an introduction

Full section: https://wiki.ucc.asn.au/NewActiveDirectory/LinuxClients#sssd_or_winbind_-_an_introduction

TL;DR: sssd is great and winbind generally sucks, I recommend configuring sssd manually because realmd is a bit unreliable.

Configuring SSSD

There is a very informative Red Hat article (https://access.redhat.com/articles/3023951) about configuring sssd manually. The following instructions are a functional adaptation. For a more detailed understanding of what these config files and options mean, please start by reading the manpages for sssd, sssd-ad, sssd-krb5, sssd-ldap, sssd.conf, krb5.conf and smb.conf and the above article.

These instructions are confirmed working on Linux Mint 19.1 (Tara), using sssd version 1.16.1 and samba-common-bin package version 4.7.6.

  1. Install the necessary packages and uninstall the bad ones:

    apt-get -y install samba-common-bin samba-dsdb-modules sssd sssd-ad sssd-krb5 sssd-ldap sssd-tools krb5-user krb5-doc libpam-sss libnss-sss adcli libsasl2-modules-gssapi-mit
    apt-get -y remove winbind realmd libpam-krb5 libpam-ldap libpam-winbind libnss-ldap libnss-winbind
  2. Remove any configuration files if they exist and stop services:

    mv /etc/samba/smb.conf /etc/samba/smb.conf.old
    mv /etc/nsswitch.conf /etc/nsswitch.conf.old
    rm /etc/krb5.conf /etc/krb5.keytab /etc/sssd/sssd.conf
    systemctl stop sssd winbind samba-ad-dc smbd nmbd
  3. Install the configs semi-automatically:

    wget -O /tmp/ucc-ad-config.tar.gz https://www.ucc.asn.au/ucc-ad-config.tar.gz && tar -C / -xvzf /tmp/ucc-ad-config.tar.gz
  4. Run pam-auth-update and check that SSS authentication is enabled and that winbind authentication (if present) is disabled.

  5. Create the machine account in AD and produce a keytab for sssd containing the machine account credentials. If using a user other than Administrator, ensure they have sufficient privileges to join a machine to the domain.

    rm /etc/krb5.keytab
    kinit <wheel username here>
    net ads join --no-dns-updates -k
    # verify the machine account credentials are in the keytab:
    klist -k
  6. Start the necessary services:

    systemctl restart sssd
  7. Verify that you can see the correct user and group info using getent passwd and getent group respectively. The output format is equivalent to the /etc/passwd and /etc/group files.

Diagnostics

Sometimes group memberships don't seem to be updated, this can often be fixed by clearing the cache:

  • sss_cache -E if using sssd

  • net cache flush if using winbind

  • Or if the above fails to have an effect, try rejoining to the domain using the instructions below.

Config file examples

These should be the same as in the config package (https://www.ucc.asn.au/ucc-ad-config.tar.gz), but here they are in case something gets broken or that archive goes missing.

  • /etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    domains = ad.ucc.gu.uwa.edu.au
    services = nss, pam, pac
    
    # domain configuration: see manpages sssd.conf, sssd-ldap, sssd-krb5 and sssd-ad
    # see https://access.redhat.com/articles/3023951
    # needs correct configuration for: /etc/nsswitch.conf /etc/samba/smb.conf /etc/resolv.conf `pam-auth-update`
    [domain/AD.UCC.GU.UWA.EDU.AU]
    enumerate = true
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    ldap_id_mapping = false
    
    cache_credentials = true
    # if you want to use a custom CA certificate for AD
    #ldap_tls_cacert = /etc/sssd/ucc-ad-ca.cer
    # or just allow invalid (self-signed) certificates
    ldap_tls_reqcert = allow
    
    # allow local users to be included in AD groups
    ldap_rfc2307_fallback_to_local_users = true
  • /etc/nsswitch.conf

    # /etc/nsswitch.conf
    
    passwd:         compat systemd sss
    group:          compat systemd sss
    shadow:         compat sss
    gshadow:        files
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
    networks:       files
    
    protocols:      db files
    services:       db files sss
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis sss
  • /etc/krb5.conf

    [libdefaults]
        default_realm = AD.UCC.GU.UWA.EDU.AU
        dns_lookup_realm = true
        dns_lookup_kdc = true
        rdns = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = yes
  • /etc/samba/smb.conf

    [global]
            realm = AD.UCC.GU.UWA.EDU.AU
            workgroup = UCCDOMAYNE
            security = ads
            client signing = mandatory
            client use spnego = yes
            tls enabled = yes
            kerberos method = secrets and keytab
            dedicated keytab file = /etc/krb5.keytab
            log file = /var/log/samba/%m.log
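As an added example that is not the wiki's or the config package's code, the following Python checker reads an sssd.conf like the one above and flags the settings this page depends on: the domain must be listed under [sssd] and use the ad providers, ldap_id_mapping must be false so UIDs come from the rfc2307 attributes in AD, use_fully_qualified_names must be off, and ldap_tls_reqcert = allow is reported because it lets sssd talk to a DC whose certificate does not verify. Both embedded configs are constructed, one trimmed from the page's sssd.conf and one modelled on what realmd writes before the fixes this page describes.

```python
"""Added example (not UCC wiki or ucc-ad-config code): audit an sssd.conf for
the settings this page relies on. Both sample configs below are constructed."""
import configparser

# Trimmed copy of the page's /etc/sssd/sssd.conf (weak TLS setting included)
PAGE_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = ad.ucc.gu.uwa.edu.au
[domain/AD.UCC.GU.UWA.EDU.AU]
id_provider = ad
auth_provider = ad
ldap_id_mapping = false
#ldap_tls_cacert = /etc/sssd/ucc-ad-ca.cer
ldap_tls_reqcert = allow
"""

# Modelled on what a realmd join writes before the two fixes the page lists
REALMD_STYLE_CONF = """
[sssd]
domains = ad.ucc.gu.uwa.edu.au
[domain/ad.ucc.gu.uwa.edu.au]
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = True
"""


def _on(value):
    return value.strip().lower() in ("true", "yes", "1")


def audit_sssd_conf(text):
    """Return (severity, message) findings; [] means the file matches the page."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    listed = {d.strip().lower() for d in cp.get("sssd", "domains", fallback="").split(",")}
    sections = [s for s in cp.sections() if s.lower().startswith("domain/")]
    findings = [] if sections else [("error", "no [domain/...] section; sssd serves no AD users")]
    for sec in sections:
        opts = cp[sec]
        if sec.split("/", 1)[1].lower() not in listed:
            findings.append(("error", f"{sec}: not in [sssd] domains, so it is never started"))
        if opts.get("id_provider", "").strip().lower() != "ad":
            findings.append(("error", f"{sec}: id_provider must be 'ad' for an AD domain"))
        # The page sets this false so UIDs/GIDs come from AD's rfc2307 attributes,
        # not from sssd's own SID-to-ID mapping
        if _on(opts.get("ldap_id_mapping", "false")):
            findings.append(("warn", f"{sec}: ldap_id_mapping is on; UIDs will not match AD's rfc2307 values"))
        if _on(opts.get("use_fully_qualified_names", "false")):
            findings.append(("warn", f"{sec}: use_fully_qualified_names is on; short usernames will not resolve"))
        # Anything short of demand/hard lets sssd accept a DC whose certificate does
        # not verify, so an impostor could feed it user and group data
        reqcert = opts.get("ldap_tls_reqcert", "demand").strip().lower()
        if reqcert not in ("demand", "hard"):
            findings.append(("warn", f"{sec}: ldap_tls_reqcert = {reqcert} skips DC certificate "
                                     "validation; set ldap_tls_cacert and use 'demand'"))
    return findings
```

Feed it the text of /etc/sssd/sssd.conf after step 3 of the procedure above; an empty list means there is nothing to fix.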