This page is for describing the migration and current setup of the Active Directory domain at UCC.
The primary DNS server for the domain is molmol.ucc.gu.uwa.edu.au.
Upgrade/Setup Process
The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au.
The Active Directory test domain at UCC is adtest.ucc.gu.uwa.edu.au. The primary server for the test domain is samson.ucc.gu.uwa.edu.au.
ad{,test}.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local.
Samson's test domain is set up by:
apt-get install samba winbind chrony
Disable the systemd units for the non-DC setup & default configuration:
systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf
scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc
scp root@molmol:/var/db/samba4/*.tdb /opt/samba-db/
scp root@molmol:/var/db/samba4/private/*.tdb /opt/samba-db/
Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc
Comment out the ZFS-specific entries in /opt/smb.conf.pdc.
samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc
Windows systems
Just join them to the domain. Doesn't look like you need to create a machine account before joining?
Linux systems
Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM, adding a Linux system is as follows:
Ensure the system is configured according to the standard SOE.
Edit /etc/krb5.conf with:
[libdefaults]
    default_realm = adtest.ucc.gu.uwa.edu.au
    dns_lookup_realm = false
    dns_lookup_kdc = true
Change /etc/samba/smb.conf:
# Global parameters
[global]
    netbios name = SAMSON
    realm = ADTEST.UCC.GU.UWA.EDU.AU
    workgroup = UCCDOMAYNE
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/adtest.ucc.gu.uwa.edu.au/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
- Join the domain with: net ads join -U <username>.
  - This needs to be done by a Domain Admin.
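A scripted version of the Linux member join above, with the pre-checks (clock sync, DNS discovery of the KDC) and post-join checks a practitioner would want. This is an added example, not the club's own script: the realm, workgroup and DC name are taken from the page, while the domain-member smb.conf it renders follows the linked Samba domain-member guide (server role = member server, idmap "ad" backend with rfc2307) rather than the DC snippet shown above; the idmap backend and range are assumptions.

```shell
#!/bin/sh
# Constructed example for joining a Linux host to the UCC test domain as a member.
# Values from the page: realm, workgroup, DC. Everything else is an assumption.
REALM="adtest.ucc.gu.uwa.edu.au"
WORKGROUP="UCCDOMAYNE"
DC="samson.ucc.gu.uwa.edu.au"

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Same settings as the page's /etc/krb5.conf; the realm is upper-cased because
# Kerberos realm names are case-sensitive and AD realms are upper-case.
render_krb5() {
  printf '[libdefaults]\n\tdefault_realm = %s\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' \
    "$(upper "$REALM")"
}

# Domain-member smb.conf for host $1 (assumed layout, per the Samba wiki, not the DC config).
# The "ad" idmap backend reads the rfc2307 uidNumber/gidNumber attributes that the DC's
# "idmap_ldb:use rfc2307 = yes" preserves, so existing UNIX IDs survive the migration.
render_smb_member() {
  cat <<EOF
[global]
	netbios name = $(upper "$1")
	workgroup = $WORKGROUP
	realm = $(upper "$REALM")
	security = ADS
	server role = member server
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	idmap config $WORKGROUP : backend = ad
	idmap config $WORKGROUP : schema_mode = rfc2307
	idmap config $WORKGROUP : range = 10000-999999
	winbind use default domain = yes
EOF
}

# Kerberos rejects tickets with more than ~5 minutes of skew, and dns_lookup_kdc = true
# only works if the SRV records for the realm resolve, so check both before touching configs.
preflight() {
  chronyc tracking | grep -q '^Leap status *: Normal' || { echo "clock not synced" >&2; return 1; }
  host -t SRV "_kerberos._tcp.$REALM" >/dev/null || { echo "no Kerberos SRV record" >&2; return 1; }
}

join_domain() {  # $1 = Domain Admin account, as the page requires for net ads join
  preflight
  render_krb5 > /etc/krb5.conf
  render_smb_member "$(hostname -s)" > /etc/samba/smb.conf
  net ads join -U "$1" -S "$DC"
  net ads testjoin && wbinfo -t   # machine account works and the trust secret is valid
}

if [ "${1:-}" = "join" ]; then join_domain "$2"; fi
```

Run as root with `sh join.sh join <domain-admin>`; with no arguments it only defines the functions, so the rendered configs can be inspected first (`render_krb5`, `render_smb_member mussel`).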
Converted systems
Nothing yet!
dispense no longer has to back onto LDAP, so once Merlo is converted things should just work.
Unconverted systems
- Windows desktops
- Linux desktops
- Windows server (Maaxen)
- Linux servers
  - Mussel
  - Motsugo
  - Other machines
- FreeBSD servers
  - Molmol
  - Musdea
- Solaris machines
- Webmail
- RADIUS (VPN & wireless)
- Mac machines
- Adduser scripts
- Proxmox