1750
Comment:
|
3563
|
Deletions are marked like this. | Additions are marked like this. |
Line 7: | Line 7: |
The Active Directory domain at UCC is `ad.ucc.gu.uwa.edu.au`. | The Active Directory domain at UCC will be `ad.ucc.gu.uwa.edu.au`. |
Line 9: | Line 9: |
The Active Directory test domain at UCC is `adtest.ucc.gu.uwa.edu.au`. | The Active Directory test domain at UCC is `adtest.ucc.gu.uwa.edu.au`. The primary server for the test domain is `samson.ucc.gu.uwa.edu.au`. |
Line 11: | Line 11: |
The primary DNS server for the domain is `molmol.ucc.gu.uwa.edu.au`. | `ad{,test}.ucc.gu.uwa.edu.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local` |
Line 13: | Line 13: |
The primary DNS server for the test domain is `mulmul.ucc.gu.uwa.edu.au`. | Samson's test domain is set up by: * `apt-get install samba winbind chrony` * Disable the systemd units for the non-DC setup & default configuration: {{{ systemctl stop smbd systemctl stop nmbd systemctl stop winbind systemctl disable smbd systemctl disable nmbd systemctl disable winbind rm /etc/samba/smb.conf }}} * `scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc` * `scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/` * `scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/` * Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in `/opt/smb.conf.pdc` * Comment out the ZFS-specific entries in `/opt/smb.conf.pdc`. * `samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc` |
Line 15: | Line 32: |
`ad{,test}.ucc.gu.uwa.edu.au` is delegated in the Zonemake config in Mooneye's `/etc/bind/domains/primary/ucc.machines` | === Windows systems === |
Line 17: | Line 34: |
Mulmul's test domain is set up by: * `pkg install samba44 cpu` * Copy Molmol's `/usr/local/etc/smb4.conf` to `/usr/local/etc/smb4.conf` * Copy Molmol's `/usr/local/etc/cpu-samba.conf` to `/usr/local/etc/cpu-samba.conf` * Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in `/usr/local/etc/smb4.conf` * Set up LDAP per the SOE (for NIS at least) * `mkdir -p /var/db/samba-migration` * `cp -p /var/db/samba4/private/{secrets.tdb,schannel_store.tdb} /var/db/samba4/gencache_notrans.tdb /var/db/samba4/account_policy.tdb /var/db/samba-migration/` * `samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/var/db/samba-migration --dns-backend=SAMBA_INTERNAL --verbose /usr/local/etc/smb4.conf` |
Just join them to the domain. Doesn't look like you need to create a machine account before joining? |
Line 27: | Line 36: |
=== Linux systems === Based on the instructions from [[https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member]] and [[https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM]] Adding a Linux system is as follows: ensure the system is configured according to the standard [[http://http://wiki.ucc.asn.au/SOE|SOE]] edit `/etc/krb5.conf` with: {{{ [libdefaults] default_realm = adtest.ucc.gu.uwa.edu.au dns_lookup_realm = false dns_lookup_kdc = true }}} Change `/etc/samba/smb.conf`: {{{ [global] # Configure the domain infomation security = ads realm = adtest.ucc.gu.uwa.edu.au workgroup = UCCDOMAYNE # use winbind to map users and groups winbind enum users = yes winbind enum groups = yes winbind use default domain = yes kerberos method = secrets and keytab #Config gid/sid mapping based on AD attributes winbind nss info = rfc3207 idmap config * : backend = tdb idmap config * : range = 13000-17999 #idmap config for UCCDOMAYNE idmap config UCCDOMAYNE:backend = ad idmap config UCCDOMAYNE:schema_mode = rfc2307 idmap config UCCDOMAYNE:range = 1-999999 idmap config SAMDOM:unix_primary_group = yes }}} * Join the domain with: `net ads join -U <username>`. * configure pam * configure `nssswitch.conf` * start the services: {{{ winbindd nmbd smbd }}} * test the to make sure it works with: `getent group` * run `pam-auth-update` and enable the winbind module. |
|
Line 30: | Line 97: |
dispense no longer has to back onto LDAP, so once Merlo is converted then things should just work |
|
Line 43: | Line 112: |
* Dispense |
This page is for describing the migration and current setup of the Active Directory domain at UCC.
The primary DNS server for domain is molmol.ucc.gu.uwa.edu.au.
Upgrade/Setup Process
The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au.
The Active Directory test domain at UCC is adtest.ucc.gu.uwa.edu.au. The primary server for the test domain is samson.ucc.gu.uwa.edu.au.
ad{,test}.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local
Samson's test domain is set up by:
apt-get install samba winbind chrony
Disable the systemd units for the non-DC setup & default configuration:
systemctl stop smbd systemctl stop nmbd systemctl stop winbind systemctl disable smbd systemctl disable nmbd systemctl disable winbind rm /etc/samba/smb.conf
scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc
scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/
scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/
Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc
Comment out the ZFS-specific entries in /opt/smb.conf.pdc.
samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc
Windows systems
Just join them to the domain. Doesn't look like you need to create a machine account before joining?
Linux systems
Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM Adding a Linux system is as follows:
ensure the system is configured according to the standard SOE edit /etc/krb5.conf with:
[libdefaults] default_realm = adtest.ucc.gu.uwa.edu.au dns_lookup_realm = false dns_lookup_kdc = true
Change /etc/samba/smb.conf:
[global] # Configure the domain infomation security = ads realm = adtest.ucc.gu.uwa.edu.au workgroup = UCCDOMAYNE # use winbind to map users and groups winbind enum users = yes winbind enum groups = yes winbind use default domain = yes kerberos method = secrets and keytab #Config gid/sid mapping based on AD attributes winbind nss info = rfc3207 idmap config * : backend = tdb idmap config * : range = 13000-17999 #idmap config for UCCDOMAYNE idmap config UCCDOMAYNE:backend = ad idmap config UCCDOMAYNE:schema_mode = rfc2307 idmap config UCCDOMAYNE:range = 1-999999 idmap config SAMDOM:unix_primary_group = yes
* Join the domain with: net ads join -U <username>.
* configure pam
* configure nssswitch.conf
* start the services:
winbindd nmbd smbd
* test the to make sure it works with: getent group
* run pam-auth-update and enable the winbind module.
Converted systems
Nothing yet!
dispense no longer has to back onto LDAP, so once Merlo is converted then things should just work
Unconverted systems
- Windows desktops
- Linux desktops
- Windows server (Maaxen)
- Linux servers
- Mussel
- Motsugo
- Other machines
- FreeBSD servers
- Molmol
- Musdea
- Solaris machines
- Webmail
RADIUS (VPN & wireless)
- Mac machines
- Adduser scripts
- Proxmox