This page describes the plan to fix Active Directory at UCC, potentially to be used in place of the previous AD from 2019 onwards.
Note that this document and the system it describes are in an early development stage.
> In a virtually perfect world, our servers will be named after what they do and not after species of fish.
For testing, a temporary virtual domain at UCC will be configured as ad.v.ucc.asn.au, with the NetBIOS domain name VUCC, on a separate virtual network using only virtual machines (nested inside other virtual machines). The primary DNS server for the domain is dc0.v.ucc.asn.au. The "primary" DC for the domain will also be dc0.v.ucc.asn.au, and a second DC will be dc1.v.ucc.asn.au. Hopefully both can be writable, although given the difficulty of making replication work reliably with Samba this may not be the case.
Setup Process
Domain Controllers
v.ucc.asn.au is delegated using a separate forward zone in Mooneye's /etc/bind/named.conf.local:

    zone "v.ucc.asn.au" {
        type forward;
        forward only;
        forwarders {
            130.95.13.35;   // vucc0 (proxmox VM on maltair, running dnsmasq)
        };
    };
dnsmasq on the (virtualised) Proxmox VM host vucc0.ucc.asn.au then delegates the ad.v.ucc.asn.au domain to the domain controller(s). The domain controller dc0.v.ucc.asn.au is based off a clone of samurai, with clean samba configuration.
A fresh domain controller can probably be set up using the following instructions, which is how dc0 was configured. Note: These instructions are valid for Samba 4.7 and 4.8.5; older versions of Samba may be missing important configuration options and newer ones may behave slightly differently.
Configure the apt repositories and preferences.

Edit /etc/apt/preferences.d/80-ucc-samba, add the following:

    Package: *
    Pin: release a=stable
    Pin-Priority: 900

    Package: *
    Pin: release a=stable-backports
    Pin-Priority: 800

    Package: *
    Pin: release a=testing
    Pin-Priority: 99

    Package: *
    Pin: release a=unstable
    Pin-Priority: 98
Edit /etc/apt/sources.list.d/debian-unstable.list:

    # Testing repository - main, contrib and non-free branches
    deb http://mirror.waia.asn.au/debian testing main non-free contrib
    deb-src http://mirror.waia.asn.au/debian testing main non-free contrib

    # Testing security updates repository
    deb http://security.debian.org/ testing/updates main contrib non-free
    deb-src http://security.debian.org/ testing/updates main contrib non-free

    # Unstable repo main, contrib and non-free branches, no security updates here
    deb http://mirror.waia.asn.au/debian unstable main non-free contrib
    deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
Install packages:

    apt-get update
    apt-get -t testing install samba sssd-ad sssd-tools sssd-krb5 libpam-sss libnss-sss libgpgme11
    apt-get install net-tools vim less molly-guard chrony krb5-user libpam-krb5 rsync nfs-common finger sudo zsh git dnsutils mlocate
The rest of these instructions are based off the official Samba AD setup guide.
Disable the systemd units for the non-DC setup & default configuration:

    systemctl stop smbd
    systemctl stop nmbd
    systemctl stop winbind
    systemctl disable smbd
    systemctl disable nmbd
    systemctl disable winbind
Remove all Samba database and config files, such as *.tdb and *.ldb files, so we can start with a clean installation. This is destructive: only do it on a host that has never been a DC, as it wipes any existing domain database. The find command matches only files named *.tdb or *.ldb (rather than any path containing "tdb" or "ldb") and passes them NUL-separated so odd file names cannot break the pipeline.

    rm -vf /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
    find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ -type f \( -name '*.tdb' -o -name '*.ldb' \) -print0 | xargs -0 rm -v
Provision the new domain. --domain is the NetBIOS domain name, and --use-rfc2307 adds the NIS extensions to the schema so uidNumber/gidNumber can be stored in AD (the sssd configuration below relies on this). Note that --adminpass puts the Administrator password into shell history and into the process list while the command runs; leave the flag out to be prompted for it instead. The password must meet Samba's default complexity requirements or provisioning fails.

    samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC \
        --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD
Copy /var/lib/samba/private/krb5.conf to /etc/krb5.conf:

    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Make sure /etc/krb5.conf looks something like this; add lines where necessary:

    [libdefaults]
        default_realm = AD.V.UCC.ASN.AU
        dns_lookup_realm = false
        dns_lookup_kdc = true
        rdns = false
        forwardable = yes
Edit /etc/resolv.conf to use the AD DNS server. Put all the search domains on a single line: the resolver honours only the last `search` line in the file, so one `search` line per domain would leave only the final domain in effect. If resolvconf or a DHCP client manages this file, make the change there instead or it will be overwritten.

    search ad.v.ucc.asn.au v.ucc.asn.au ucc.asn.au
    nameserver 192.168.9.35
Edit /etc/nsswitch.conf:

    # /etc/nsswitch.conf
    # See http://wiki.ucc.asn.au/ActiveDirectoryNew

    passwd:         files sss
    group:          files sss
    shadow:         files
    gshadow:        files

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files sss
    ethers:         db files
    rpc:            db files

    netgroup:       nis sss
    sudoers:        files
and /etc/sssd/sssd.conf. The file must be owned by root with mode 0600; sssd refuses to start if it is group- or world-readable. With ldap_id_mapping = false, sssd takes UIDs and GIDs from the RFC 2307 attributes (uidNumber/gidNumber) in AD rather than generating them from the SID, so every user and group that should be usable on Linux needs those attributes set; accounts without them are not resolved. enumerate = true lets getent list the whole domain, at the cost of periodic full enumeration, which is slow on large domains.

    [sssd]
    config_file_version = 2
    domains = ad.v.ucc.asn.au
    services = nss, pam

    [domain/AD.V.UCC.ASN.AU]
    enumerate = true
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    ldap_id_mapping = false

Enable SSS authentication in PAM via pam-auth-update.
Enable and start the samba-ad-dc service. Debian ships this unit masked (the default install is a member server), so unmask it first; `service` has no enable subcommand, so use systemctl. The unit may have a different name depending on the Samba version used.

    systemctl unmask samba-ad-dc
    systemctl enable samba-ad-dc
    systemctl start samba-ad-dc
DO NOT use winbind on a domain controller, it sucks for multiple reasons.
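The three client-side files edited above (/etc/resolv.conf, /etc/krb5.conf and /etc/sssd/sssd.conf) are easy to get wrong in ways that only surface later as failed logins. The following is an added example for this page, not code from Samba, sssd or the original wiki: a small lint for those files that catches a search list split over several `search` lines (only the last one takes effect), a default_realm that is lower-case or differs from the provisioned realm, and an sssd.conf whose owner or mode would make sssd refuse to start. REALM is assumed to be AD.V.UCC.ASN.AU, matching the provision command; the sample file bodies are constructed from this page's snippets.

```python
"""Lint the resolv.conf, krb5.conf and sssd.conf written during DC setup.

Added example for this page; not Samba, sssd or the original wiki's code.
REALM is assumed to equal the --realm given to `samba-tool domain provision`;
the sample strings at the bottom are constructed from this page's snippets.
"""
import configparser
import re
import stat

REALM = "AD.V.UCC.ASN.AU"   # assumption: matches --realm=ad.v.ucc.asn.au
DNS_DOMAIN = REALM.lower()


def check_resolv(text):
    """glibc honours only the LAST `search`/`domain` line, so one `search`
    line per domain silently drops every domain but the final one."""
    problems, lines = [], text.splitlines()
    search = [l.split() for l in lines if re.match(r"\s*(search|domain)\s", l)]
    if len(search) > 1:
        problems.append(f"{len(search)} search/domain lines; only the last takes effect")
    if search and DNS_DOMAIN not in search[-1][1:]:
        problems.append(f"effective search list lacks {DNS_DOMAIN}")
    if not any(re.match(r"\s*nameserver\s", l) for l in lines):
        problems.append("no nameserver line")
    return problems


def check_krb5(text):
    """Realm names are case-sensitive and AD realms are upper-case; a lower-case
    default_realm never matches the realm the DC issues tickets for."""
    problems = []
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    if m is None:
        problems.append("no default_realm")
    elif m.group(1) != m.group(1).upper():
        problems.append(f"default_realm {m.group(1)} is not upper-case")
    elif m.group(1) != REALM:
        problems.append(f"default_realm {m.group(1)} does not match {REALM}")
    if not re.search(r"^\s*dns_lookup_kdc\s*=\s*true\b", text, re.M | re.I):
        problems.append("dns_lookup_kdc should be true; KDCs are found via SRV records")
    return problems


def check_sssd(text, st_mode, st_uid):
    """sssd refuses to start unless sssd.conf is root-owned and not group- or
    world-readable (chmod 600); st_mode/st_uid come from os.stat()."""
    problems = []
    if st_uid != 0:
        problems.append("sssd.conf must be owned by root")
    if stat.S_IMODE(st_mode) & 0o077:
        problems.append(f"sssd.conf mode {stat.S_IMODE(st_mode):04o} is too open; chmod 600")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if cfg.get("sssd", "config_file_version", fallback=None) != "2":
        problems.append("[sssd] config_file_version must be 2")
    sections = {s.lower(): s for s in cfg.sections()}   # matched case-insensitively (lint assumption)
    for dom in cfg.get("sssd", "domains", fallback="").replace(",", " ").split():
        sect = sections.get(f"domain/{dom.lower()}")
        if sect is None:
            problems.append(f"domain {dom} has no [domain/{dom}] section")
        elif not cfg.has_option(sect, "id_provider"):
            problems.append(f"[{sect}] has no id_provider")
    return problems


# Constructed samples: resolv.conf with one domain per `search` line, the
# corrected single-line form, and the krb5.conf / sssd.conf bodies of this page.
RESOLV_SPLIT = "search ad.v.ucc.asn.au\nsearch v.ucc.asn.au\nsearch ucc.asn.au\nnameserver 192.168.9.35\n"
RESOLV_FIXED = "search ad.v.ucc.asn.au v.ucc.asn.au ucc.asn.au\nnameserver 192.168.9.35\n"
KRB5_SAMPLE = "[libdefaults]\n default_realm = AD.V.UCC.ASN.AU\n dns_lookup_realm = false\n dns_lookup_kdc = true\n"
SSSD_SAMPLE = """[sssd]
config_file_version = 2
domains = ad.v.ucc.asn.au
services = nss, pam

[domain/AD.V.UCC.ASN.AU]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = false
"""

if __name__ == "__main__":
    for label, result in [("resolv.conf, split", check_resolv(RESOLV_SPLIT)),
                          ("resolv.conf, fixed", check_resolv(RESOLV_FIXED)),
                          ("krb5.conf", check_krb5(KRB5_SAMPLE)),
                          ("sssd.conf @0644", check_sssd(SSSD_SAMPLE, 0o100644, 0)),
                          ("sssd.conf @0600", check_sssd(SSSD_SAMPLE, 0o100600, 0))]:
        print(f"{label}: {result or 'OK'}")
```

To check the live files on a DC, read each file's text and pass `os.stat("/etc/sssd/sssd.conf").st_mode` and `.st_uid` to check_sssd; an empty list from each function means that file passed.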
Windows systems
Just join them to the domain. A machine account does not need to be created first: by default AD lets any authenticated domain user join up to ten computers (the ms-DS-MachineAccountQuota attribute on the domain, default 10); beyond that an administrator must pre-create the computer object or delegate the right to join.
Linux systems
Automatically using realmd

This is copied from ActiveDirectory and has not been tested yet; feel free to fix that. The commands below use the old domain ad.ucc.gu.uwa.edu.au; substitute ad.v.ucc.asn.au for the test domain. Thanks to realmd, joining machines to the domain is very simple.

Install packages:

    apt install realmd

Test to make sure you can connect to the domain:

    realm discover ad.ucc.gu.uwa.edu.au

This should produce output similar to the following:

    ad.ucc.gu.uwa.edu.au
      type: kerberos
      realm-name: AD.UCC.GU.UWA.EDU.AU
      domain-name: ad.ucc.gu.uwa.edu.au
      configured: no
      server-software: active-directory
      client-software: sssd
      required-package: sssd-tools
      required-package: sssd
      required-package: libnss-sss
      required-package: libpam-sss
      required-package: adcli
      required-package: samba-common-bin

Join the domain using:

    realm join -v -U <user> ad.ucc.gu.uwa.edu.au

Except for one thing: comment out the line use_fully_qualified_names = True in /etc/sssd/sssd.conf (prefix it with a #), otherwise users must log in as user@ad.ucc.gu.uwa.edu.au rather than with a bare username.
Manual Method

Based on the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM. Before configuring the domain, ensure the system is configured according to the SOE, then:

Install the required packages:

    apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind

Edit /etc/krb5.conf to point to the new domain (the realm name is case-sensitive and upper-case):

    [libdefaults]
        default_realm = AD.UCC.GU.UWA.EDU.AU
        dns_lookup_realm = false
        dns_lookup_kdc = true

Make the following /etc/samba/smb.conf. Each idmap backend needs a UID/GID range of its own: the default (*) range must not overlap the domain's range (testparm flags overlapping ranges as an error), and a domain range that starts below 1000 lets an AD uidNumber/gidNumber collide with a local system account. The ranges below were adjusted for that: the * range was originally 13000-17999, inside the UCCDOMAYNE range, and the UCCDOMAYNE range originally started at 1.

    [global]
        # Configure the domain information
        security = ads
        realm = AD.UCC.GU.UWA.EDU.AU
        workgroup = UCCDOMAYNE

        # use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

        # Configure uid/gid mapping based on AD attributes
        winbind nss info = rfc2307

        # Default domain (BUILTIN, trusted domains): range kept clear of UCCDOMAYNE
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999

        # idmap config for UCCDOMAYNE: uidNumber/gidNumber come from AD (rfc2307)
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1000-999999
        idmap config UCCDOMAYNE:unix_nss_info = yes
        idmap config UCCDOMAYNE:unix_primary_group = yes

Join the machine to the domain with:

    net ads join -U <username>

Configure PAM using pam-auth-update and enable "Winbind NT/AD authentication".

Configure /etc/nsswitch.conf:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         compat winbind
    group:          compat winbind
    shadow:         files
    gshadow:        files

    hosts:          files mdns4_minimal [NOTFOUND=return] dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis

Start (and enable) winbindd, nmbd and smbd; on Debian the units are winbind, nmbd and smbd:

    systemctl enable --now winbind nmbd smbd

Check that domain users and groups resolve with `wbinfo -u` and `wbinfo -g`, and that they are visible through NSS with `getent passwd <username>`.

Diagnostics

Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache:

    sss_cache -E       # if using sssd
    net cache flush    # if using winbind
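The smb.conf in the manual method above is where winbind deployments most often go wrong: every idmap backend needs its own UID/GID range, the `*` default range must not overlap the domain's, and a domain range reaching below the first regular user ID lets an AD uidNumber/gidNumber shadow a local system account. The following is an added example for this page, not Samba code: it parses the `idmap config ... : range` lines of an smb.conf and reports missing default ranges, inverted ranges, overlaps and system-ID collisions. The two samples are constructed, one with the ranges as first drafted for this page and one with a corrected pair; SYSTEM_ID_FLOOR assumes Debian's default UID_MIN/GID_MIN of 1000.

```python
"""Check winbind idmap ranges in smb.conf for overlaps and system-ID collisions.

Added example for this page, not Samba code.  Every idmap backend owns a
UID/GID range; the mandatory `*` (default) domain covers BUILTIN and trusted
domains and its range must not overlap the AD domain's (testparm flags this).
A domain range reaching below the first regular user ID lets an AD
uidNumber/gidNumber collide with a local system account.  SYSTEM_ID_FLOOR
assumes Debian's default UID_MIN/GID_MIN of 1000.
"""
import re
import sys

SYSTEM_ID_FLOOR = 1000

# Accepts both `idmap config DOM : range = a-b` and `idmap config DOM:range = a-b`.
IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(smb_conf):
    """Map domain name (upper-cased; '*' is the default domain) -> (low, high)."""
    ranges = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RANGE.match(line)
        if m:
            ranges[m["dom"].upper()] = (int(m["lo"]), int(m["hi"]))
    return ranges


def check_idmap(smb_conf):
    """Return human-readable problems; an empty list means the ranges are sane."""
    ranges = parse_idmap_ranges(smb_conf)
    problems = []
    if "*" not in ranges:
        problems.append("missing 'idmap config * : range'; the default domain is mandatory")
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{dom}: range {lo}-{hi} is inverted")
        if lo < SYSTEM_ID_FLOOR:
            problems.append(f"{dom}: range {lo}-{hi} reaches into local system IDs (< {SYSTEM_ID_FLOOR})")
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:          # closed intervals intersect
                problems.append(f"{a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi})")
    return problems


# Constructed sample: the idmap lines as first drafted for this page.
ORIGINAL_SMB_CONF = """\
[global]
   security = ads
   workgroup = UCCDOMAYNE
   idmap config * : backend = tdb
   idmap config * : range = 13000-17999
   idmap config UCCDOMAYNE:backend = ad
   idmap config UCCDOMAYNE:schema_mode = rfc2307
   idmap config UCCDOMAYNE:range = 1-999999
"""

# Constructed sample: the same file with non-overlapping ranges clear of system IDs.
FIXED_SMB_CONF = """\
[global]
   security = ads
   workgroup = UCCDOMAYNE
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config UCCDOMAYNE:backend = ad
   idmap config UCCDOMAYNE:schema_mode = rfc2307
   idmap config UCCDOMAYNE:range = 1000-999999
"""

if __name__ == "__main__":
    # With a path argument, check a real smb.conf; otherwise show both samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(check_idmap(fh.read()) or "OK")
    else:
        print("original:", check_idmap(ORIGINAL_SMB_CONF))
        print("fixed:   ", check_idmap(FIXED_SMB_CONF) or "OK")
```

Run it as `python3 idmap_check.py /etc/samba/smb.conf` on a member server before `net ads join`; it complements rather than replaces `testparm`, which also validates the rest of the file.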