Revision 23 as of 2017-10-06 14:16:41

Clear message

This page is for describing the migration and current setup of the Active Directory domain at UCC.

The primary DNS server for domain is molmol.ucc.gu.uwa.edu.au.

Upgrade/Setup Process

The Active Directory domain at UCC will be ad.ucc.gu.uwa.edu.au.

The Active Directory test domain at UCC is adtest.ucc.gu.uwa.edu.au. The primary server for the test domain is samson.ucc.gu.uwa.edu.au.

ad{,test}.ucc.gu.uwa.edu.au is delegated using separate zones in Mooneye's /etc/bind/named.conf.local

Samson's test domain is set up by:

  • apt-get install samba winbind chrony

  • Disable the systemd units for the non-DC setup & default configuration: 

systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf

  • scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc

  • scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/

  • scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/

  • Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in /opt/smb.conf.pdc

  • Comment out the ZFS-specific entries in /opt/smb.conf.pdc.

  • samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc

Windows systems

Just join them to the domain. Doesn't look like you need to create a machine account before joining?

Linux systems

Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM Adding a Linux system is as follows:

ensure the system is configured according to the standard SOE edit /etc/krb5.conf with: 

   [libdefaults]
        default_realm = adtest.ucc.gu.uwa.edu.au
        dns_lookup_realm = false
        dns_lookup_kdc = true

Change /etc/samba/smb.conf: 

[global]
# Configure the domain infomation
        security = ads
        realm = adtest.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

#Config gid/sid mapping based on AD attributes
        winbind nss info = rfc3207

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        
        #idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config SAMDOM:unix_primary_group = yes

* Join the domain with: net ads join -U <username>.

* configure pam

* configure nssswitch.conf

* start the services: 

winbindd
nmbd
smbd

* test the to make sure it works with: getent group

* run pam-auth-update and enable the winbind module.

Converted systems

Nothing yet!

dispense no longer has to back onto LDAP, so once Merlo is converted then things should just work

Unconverted systems

  • Windows desktops
  • Linux desktops
  • Windows server (Maaxen)
  • Linux servers
    • Mussel
    • Motsugo
    • Other machines
  • FreeBSD servers
    • Molmol
    • Musdea
  • Solaris machines
  • Webmail

  • RADIUS (VPN & wireless)

  • Mac machines
  • Adduser scripts
  • Proxmox
MoinMoin Powered | Python Powered
Written to be specifications compliant.

UCC

Wiki content is publicly editable, and as such does not necessarily reflect
the views of the University Computer Club, the Guild or the University of
Western Australia.

Contact the webmasters.