This page is for describing the migration and current setup of the Active Directory domain at UCC.

The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au, and the domain name is UCCDOMAYNE. The primary DNS server for domain is samson.ucc.gu.uwa.edu.au. The primary DC for domain is also samson.ucc.gu.uwa.edu.au, and a second DC is samurai.ucc.gu.uwa.edu.au.

Diagnostics

Sometimes group memberships don't seem to be updated, this can often be fixed by clearing the cache:

• sss_cache -E if using sssd

• net cache flush if using winbind

• Or if the above fails to have an effect, try rejoining to the domain using the instructions below.

Upgrade/Setup Process

Domain Controllers

ad.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local

Samson's domain is set up by:

• apt install samba chrony krb5-user sssd sssd-ad sssd-krb5 sssd-tools libpam-krb5 libpam-sss libnss-sss

• Disable the systemd units for the non-DC setup & default configuration:

• systemctl stop smbd
  systemctl stop nmbd
  systemctl stop winbind
  systemctl disable smbd
  systemctl disable nmbd
  systemctl disable winbind
  rm /etc/samba/smb.conf

If upgrading from the old NT domain do:

• scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc

• scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/

• scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/

• Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc

• Comment out the ZFS-specific entries in /opt/smb.conf.pdc.

• samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc

Otherwise when adding additional DC's to an existing domain:

• Set the following settings in /etc/krb5.conf:

•    [libdefaults]
          default_realm = ad.ucc.gu.uwa.edu.au
          dns_lookup_realm = false
          dns_lookup_kdc = true

• verify kerberos with: kinit <username>

• join the domain with: samba-tool domain join ad.ucc.gu.uwa.edu.au DC -U"UCCDOMAYNE\username" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'

  • You may see an error saying something about DNS not being configured, you can probably ignore it.

• replicate the SYSVOL directory to the new DC, then fix the permissions with: samba-tool ntacl sysvolreset

• start the samba service, the service may have a different name depending on the samba version used.

•   service samba-ad-dc enable
    service samba-ad-dc start

For all domain controllers

• copy /etc/nsswitch.conf and /etc/sssd/sssd.conf from another domain controller

• enable sssd auth in pam via pam-auth-update

• DO NOT use winbind on a Domain controller, it sucks formultiple reasons.

Windows systems

Just join them to the domain. Doesn't look like you need to create a machine account before joining?

Linux systems

Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM Before configuring the domain ensure the following:

• Install the required packages: apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind

• Ensure the system is configured according to the SOE.

• edit /etc/krb5.conf to point to the new domain:

•    [libdefaults]
          default_realm = ad.ucc.gu.uwa.edu.au
          dns_lookup_realm = false
          dns_lookup_kdc = true

• Make the following /etc/samba/smb.conf:

• [global]
  # Configure the domain infomation
          security = ads
          realm = ad.ucc.gu.uwa.edu.au
          workgroup = UCCDOMAYNE
  
  # use winbind to map users and groups
          winbind enum users = yes
          winbind enum groups = yes
          winbind use default domain = yes
          kerberos method = secrets and keytab
  
  #Config gid/sid mapping based on AD attributes
          winbind nss info = rfc2307
  
          idmap config * : backend = tdb
          idmap config * : range = 13000-17999
          
          #idmap config for UCCDOMAYNE
          idmap config UCCDOMAYNE:backend = ad
          idmap config UCCDOMAYNE:schema_mode = rfc2307
          idmap config UCCDOMAYNE:range = 1-999999
          idmap config UCCDOMAYNE:unix_nss_info = yes
          idmap config UCCDOMAYNE:unix_primary_group = yes

• Join the machine to the domain with: net ads join -U <username>.

• configure pam using pam-auth-update and enable Winbind NT/AD authentication.

• configure nsswitch.conf

• # /etc/nsswitch.conf
  #
  # Example configuration of GNU Name Service Switch functionality.
  # If you have the `glibc-doc-reference' and `info' packages installed, try:
  # `info libc "Name Service Switch"' for information about this file.
  
  passwd:         compat winbind
  group:          compat winbind
  shadow:         files
  gshadow:        files
  
  hosts:          files mdns4_minimal [NOTFOUND=return] dns
  networks:       files
  
  protocols:      db files
  services:       db files 
  ethers:         db files
  rpc:            db files
  
  netgroup:       nis 

• start the services:

• winbindd
  nmbd
  smbd

• Make sure the computer can fetch the domain users and groups with:

• wbinfo -g` and `wbinfo -u`

Things using LDAP

Anything that needs to bind to ldap to get a list of users can no longer do so anonymously. Encryption is still required. In AD, create a new bind user for the service called bind-<servicename>, put it in the Service Accounts group, and remove it from the Domain Users group. Then you can use this user to bind to the server.

Converted systems

• Windows desktops
• Linux desktops
• Linux servers
  • Motsugo
  • Merlo
  • Mooneye
• FreeBSD servers
  • Molmol
• Webmail?
• Adduser scripts
• Proxmox

• RADIUS (VPN & wireless)

• Windows server (Maaxen)
• Mail delivery (dovecot)

Unconverted systems

• Linux servers
  • Mussel
• Other machines
• FreeBSD servers
  • Musdea
• Solaris machines
• Mac machines
• Mail delivery (postfix, procmail, all that fun stuff)