## page was renamed from ActiveDirectoryNew

== Setup Process ==

=== Clean Installation of samba & dependencies ===

The domain controller `dc0.v.ucc.asn.au` is based off a clone of `samurai`, cleaned up and configured using the steps below. `dc1.v.ucc.asn.au` was set up as a fresh install based on [[https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/|Debian 9.5.0]] (netinst). A fresh domain controller can probably be set up using the same steps.

'''Note:''' These instructions are valid for Samba 4.7 and 4.8.5; older versions of Samba may be missing important configuration options and newer ones may behave slightly differently.

 * Configure name resolution
  * Edit `/etc/hosts`:
  {{{
127.0.0.1   localhost
192.168.9.2 dc0.v.ucc.asn.au dc0
192.168.9.3 dc1.v.ucc.asn.au dc1
}}}
  * Edit `/etc/resolv.conf`:
  {{{
# all search domains go on one line: the resolver only honours the last "search" keyword it sees
search ad.v.ucc.asn.au v.ucc.asn.au ucc.asn.au
# This is configured to forward ad.* queries back to us and also deals with other DNS magic, so use it instead of ourselves as primary nameserver
nameserver 192.168.9.35
}}}
 * Purge existing configs and packages:
 {{{
apt-get -y purge samba* libpam-sss libnss-sss libgpgme11 krb5-* sssd-* libsss-* winbind
rm -rf /etc/samba /etc/krb5.conf /etc/krb5.keytab /var/run/samba/ /var/lib/samba/ /var/cache/samba/ /var/lib/sss
}}}
 * Configure the apt repositories and preferences
  * Edit `/etc/apt/preferences.d/80-ucc-samba` and add the following:
  {{{
Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=stable-backports
Pin-Priority: 800

Package: *
Pin: release a=testing
Pin-Priority: 99

Package: *
Pin: release a=unstable
Pin-Priority: 98
}}}
  * Edit `/etc/apt/sources.list.d/debian-unstable.list`:
  {{{
# Testing repository - main, contrib and non-free branches
deb http://mirror.waia.asn.au/debian testing main non-free contrib
deb-src http://mirror.waia.asn.au/debian testing main non-free contrib

# Testing security updates repository
deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free

# Unstable repo main, contrib and non-free branches, no security updates here
deb http://mirror.waia.asn.au/debian unstable main non-free contrib
deb-src http://mirror.waia.asn.au/debian unstable main non-free contrib
}}}
 * Install packages:
 {{{
apt-get update && apt-get -y upgrade
apt-get -y -t testing install samba sssd-ad sssd-tools sssd-krb5 krb5-user libpam-krb5 libpam-sss libnss-sss libgpgme11 smbclient winbind
apt-get -y install net-tools vim less molly-guard chrony rsync csync2 nfs-common finger sudo zsh git dnsutils mlocate
}}}

The rest of these instructions are based off the [[https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller|official Samba AD setup guide]].

 * Disable the systemd units for the non-DC setup & default configuration:
 {{{
systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
}}}
 * Remove all Samba database and config files, such as `*.tdb` and `*.ldb` files, so we can start with a clean installation. (Note: when installing the packages, some of these files may have been recreated since the purge step above, so don't skip this step.)
 {{{
rm -fv /etc/samba/smb.conf /etc/krb5.conf /etc/krb5.keytab
# delete every .tdb and .ldb file under the samba state directories
find /var/run/samba/ /var/lib/samba/ /var/cache/samba/ -type f \( -name '*.tdb' -o -name '*.ldb' \) -delete
}}}

=== Provisioning a new AD Domain ===

Make sure you start with a [[#Clean_Installation_of_samba_.26_dependencies|clean installation]].
'''Note: Don't do this unless you want to set up a fresh domain, in which case you will need to change all the settings below to appropriate values.'''

 * Provision the new domain:
 {{{
samba-tool domain provision --use-rfc2307 --realm=ad.v.ucc.asn.au --domain=VUCC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=$PASSWORD
}}}
 * Copy `/var/lib/samba/private/krb5.conf` to `/etc/krb5.conf`:
 {{{
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
}}}
 * Make sure `/etc/krb5.conf` looks something like this, adding lines where necessary:
 {{{
[libdefaults]
default_realm = AD.V.UCC.ASN.AU
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
forwardable = yes
}}}
 * Export the domain's keytab:
 {{{
samba-tool domain exportkeytab /etc/krb5.keytab
}}}
 * Edit `/etc/nsswitch.conf`:
 {{{
# /etc/nsswitch.conf
# See http://wiki.ucc.asn.au/ActiveDirectoryNew

passwd:         files sss
group:          files sss
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files
}}}
 * and `/etc/sssd/sssd.conf`:
 {{{
[sssd]
config_file_version = 2
domains = ad.v.ucc.asn.au
services = nss, pam, pac

[domain/AD.V.UCC.ASN.AU]
enumerate = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_id_mapping = false
}}}
 * Fix `sssd.conf` permissions:
 {{{
chmod 600 /etc/sssd/sssd.conf
}}}
 * Enable sssd auth in PAM via `pam-auth-update`
 * Start the samba service:
 {{{
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
systemctl enable sssd
systemctl restart sssd
}}}
 * DO NOT use winbind on a domain controller, it sucks for [[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC|multiple reasons]]. Note that `winbindd` will still run for internal use by samba - it just isn't being used for nss.
 * Make it restart automatically if something crashes: {{{systemctl edit samba-ad-dc}}}
 {{{
# this will end up in /etc/systemd/system/samba-ad-dc.service.d/override.conf when it gets saved
[Service]
Restart=on-failure
}}}

=== Joining a new DC to an existing AD domain ===

Make sure you start with a [[#Clean_Installation_of_samba_.26_dependencies|clean installation]].

 * Copy `/etc/sssd/sssd.conf`, `/etc/krb5.conf` and `/etc/nsswitch.conf` from an existing domain controller.
 * Verify kerberos with: `kinit `
 * Join the domain with: `samba-tool domain join ad.v.ucc.asn.au DC -U"VUCC\Administrator" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'`
 * You may see an error saying something about DNS not being configured; you can probably ignore it.
 * Replicate the SYSVOL directory to the new DC, then fix the permissions with: `samba-tool ntacl sysvolreset`
 * Start the samba service (the service may have a different name depending on the samba version used):
 {{{
samba-tool domain exportkeytab /etc/krb5.keytab
chmod 600 /etc/sssd/sssd.conf
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc
systemctl enable sssd
systemctl restart sssd
}}}
 * Enable sssd auth in PAM via `pam-auth-update`

=== Sysvol replication ===

Samba doesn't support sysvol replication and probably never will, but they have some (old) [[https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)|suggested workarounds]]. At the most basic level, the directory `/var/lib/samba/sysvol` must be synchronised between DCs to keep things working smoothly. Unfortunately the filesystem needs to support xattr and POSIX ACLs, so using a simple NFS share isn't possible, and `rsync` is painful when it comes to two-way synchronisation. Fortunately `csync2` does exactly what we want (minus ACLs/xattr, but those can be fixed using `samba-tool ntacl sysvolreset`). Here's how you can set it up.
 * Put the following into `/etc/csync2.cfg` (and update it with the correct domain controller hostnames); see the [[https://web.archive.org/web/20160316143058/http://oss.linbit.com/csync2/paper.pdf|documentation]]:
 {{{
#### csync2 configuration
# disable nossl dc[01] dc[01];

group vucc-domain-controllers
{
    host dc0 dc1;
    key /etc/csync2.key-vucc;

    include /var/lib/samba/sysvol;

    # reload samba-ad-dc if changes to the configuration file /etc/samba/smb.conf are synced
    # (systemctl takes the verb before the unit name)
    action
    {
        pattern /etc/samba/smb.conf;
        exec "/bin/systemctl reload samba-ad-dc";
        do-local;
    }

    # fix xattrs on files when they are updated
    action
    {
        pattern /var/lib/samba/sysvol;
        exec "/usr/bin/samba-tool ntacl sysvolreset";
        do-local;
    }

    # Store backups (with logical names) somewhere reasonable
    backup-directory /var/lib/samba/sysvol-backups;
    backup-generations 3;

    # automatically resolve conflicts by overwriting older files with newer ones
    auto younger;
}
}}}
 * Edit the crontab on one node:
 {{{
dc0# crontab -e

# sync every minute
* * * * * /usr/sbin/csync2 -x
}}}
 * csync2 is run as an inetd service, so check that the following line is present in `/etc/inetd.conf` on all servers in the cluster:
 {{{
csync2 stream tcp nowait root /usr/sbin/csync2 csync2 -i -l
}}}
 * Generate a csync2 pre-shared key (PSK) and copy it and `/etc/csync2.cfg` to all the DCs in the cluster:
 {{{
csync2 -k /etc/csync2.key-vucc
# scp only takes a single destination, so loop over the other DCs (add any further DCs to the list)
for dc in dc1 dc2 dc3; do scp /etc/csync2.key-vucc /etc/csync2.cfg "$dc:/etc/"; done
}}}
 * Make sure the directory `/var/lib/samba/sysvol-backups` exists on all nodes of the cluster.
 * Done! It ''should'' work now.
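The steps above leave a few things to get right on every node before the first `csync2 -x`: the PSK must exist and be readable only by root (anyone who can read it can push arbitrary files into sysvol, i.e. group policy), the node must be on the `host` line, the backup directory must exist, and inetd must be listening. The following pre-flight script is an added example and not part of this wiki page or of csync2; it assumes GNU `stat -c` (as on Debian) and takes the config, inetd.conf and hostname as arguments so it can be run against `/etc` or, as below, against constructed fixtures with two faults planted.

```sh
#!/bin/sh
# Pre-flight check for one csync2 sysvol replication node. Added example, not
# part of the wiki page or of csync2 itself. Assumes GNU stat -c (Debian) and
# takes file paths as arguments so it runs on /etc or on the fixtures below.

# Hostnames on the group's "host" line(s) of a csync2.cfg, one per line.
csync2_hosts() {
    awk '$1 == "host" { sub(/;.*/, ""); for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Value of a single-argument directive such as key or backup-directory.
csync2_directive() {
    awk -v key="$2" '$1 == key { sub(/;.*/, ""); print $2; exit }' "$1"
}

# 0 if the PSK file exists and has no group/other permission bits. Whoever can
# read the PSK can push files into sysvol (group policy), so this matters most.
csync2_key_private() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# csync2_preflight CONFIG INETD_CONF THIS_HOST
# Prints one line per check and returns the number of failed checks.
csync2_preflight() {
    cfg=$1 inetd=$2 me=$3 fails=0
    key=$(csync2_directive "$cfg" key)
    if csync2_key_private "$key"; then
        echo "ok:   PSK $key is private to root"
    else
        echo "FAIL: PSK $key is missing or readable by group/others"; fails=$((fails + 1))
    fi
    if csync2_hosts "$cfg" | grep -qx "$me"; then
        echo "ok:   $me is on the host line"
    else
        echo "FAIL: $me is not on the host line, so peers will refuse to sync with it"; fails=$((fails + 1))
    fi
    bdir=$(csync2_directive "$cfg" backup-directory)
    if [ -n "$bdir" ] && [ -d "$bdir" ]; then
        echo "ok:   backup-directory $bdir exists"
    else
        echo "FAIL: backup-directory '$bdir' is missing, so conflict backups cannot be kept"; fails=$((fails + 1))
    fi
    if grep -q '^csync2[[:space:]]' "$inetd" 2>/dev/null; then
        echo "ok:   csync2 listener is present in $inetd"
    else
        echo "FAIL: no csync2 line in $inetd, so peers cannot connect"; fails=$((fails + 1))
    fi
    # systemctl wants the verb before the unit; "systemctl <unit> reload" just errors
    if grep -Eq 'systemctl[[:space:]]+[^[:space:]]+[[:space:]]+(reload|restart)' "$cfg"; then
        echo "FAIL: an action exec passes the unit to systemctl before the verb"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed fixtures mirroring the config above, with two faults planted:
# a world-readable PSK and a backup-directory that was never created.
csync2_demo_setup() {
    cat > "$1/csync2.cfg" <<EOF
group vucc-domain-controllers
{
    host dc0 dc1;
    key $1/csync2.key-vucc;
    include /var/lib/samba/sysvol;
    action { pattern /etc/samba/smb.conf; exec "/bin/systemctl reload samba-ad-dc"; do-local; }
    backup-directory $1/sysvol-backups;
    backup-generations 3;
    auto younger;
}
EOF
    printf 'constructed-psk-not-a-real-key\n' > "$1/csync2.key-vucc"
    chmod 644 "$1/csync2.key-vucc"
    printf 'csync2 stream tcp nowait root /usr/sbin/csync2 csync2 -i -l\n' > "$1/inetd.conf"
}

# Run the checks on the fixtures, apply the fixes from this page, and re-run.
csync2_demo() {
    d=$(mktemp -d)
    csync2_demo_setup "$d"
    csync2_preflight "$d/csync2.cfg" "$d/inetd.conf" dc0 || echo "-> $? problem(s) found"
    chmod 600 "$d/csync2.key-vucc" && mkdir -p "$d/sysvol-backups"
    csync2_preflight "$d/csync2.cfg" "$d/inetd.conf" dc0 && echo "-> node looks ready"
    rm -rf "$d"
}

csync2_demo
```

On a real DC, call `csync2_preflight /etc/csync2.cfg /etc/inetd.conf "$(hostname -s)"` on each node after copying the PSK around; the return value is the number of problems, so it can gate the cron entry or a deployment script.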
To manually replicate the sysvol directories between DCs:
 {{{
dc0# scp -rp /var/lib/samba/sysvol dc1:/var/lib/samba/
dc1# samba-tool ntacl sysvolreset
}}}

== Diagnostics ==

Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache:

 * `sss_cache -E` if using sssd
 * `net cache flush` if using winbind
 * Or, if the above fails to have an effect, try rejoining the domain using the instructions in [[#Joining_a_new_DC_to_an_existing_AD_domain|Joining a new DC to an existing AD domain]].

Sometimes, everything may break rather catastrophically. This may be due to the keytabs at `/etc/krb5.keytab` and `/var/lib/samba/private/secrets.keytab` becoming out of sync.

 * The current solution (on samson) is to symlink the keytabs as follows (`/etc/krb5.keytab` becomes the link, pointing at samba's own `secrets.keytab`, as the `ls` output shows):
 {{{
# ln -sf /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
# ls -l /etc/krb5.keytab
lrwxrwxrwx 1 root root 37 Nov 26 16:51 /etc/krb5.keytab -> /var/lib/samba/private/secrets.keytab
}}}
 * Verify that the host principal is present in the keytab:
 {{{
# klist -k | grep -i $(hostname)
   3 SAMSON$@AD.UCC.GU.UWA.EDU.AU
}}}
 * The same principal and variations including the same hostname may appear multiple times. This is normal (and maybe necessary?).
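Most of the "everything broke" cases above come down to one of the configuration steps from the provisioning section having drifted: `sssd.conf` permissions, `sss` missing from `nsswitch.conf`, the Kerberos realm not matching the sssd domain, or the two keytabs diverging. The script below is an added example, not part of this page, Samba or sssd; it takes every file path as an argument (so it can be pointed at `/etc` or at constructed fixtures), assumes GNU `stat -c`, and reads `klist -k` output on stdin for the principal check so it never needs a live KDC.

```sh
#!/bin/sh
# Health check for a Samba AD DC set up with sssd as described on this page.
# Added example, not part of the wiki page, Samba or sssd. Assumes GNU stat -c
# (Debian); all paths are passed in so the same functions run against /etc or
# against the constructed fixtures at the bottom.

# 0 if the given nsswitch database (e.g. passwd) lists the "sss" source.
nss_uses_sss() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
                     END { exit !found }' "$1"
}

# Print default_realm from a krb5.conf (first match, whitespace stripped).
krb5_default_realm() {
    awk -F= '$1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Print the [domain/NAME] section names from an sssd.conf.
sssd_domain_sections() {
    sed -n 's/^\[domain\/\(.*\)]$/\1/p' "$1"
}

# 0 if the two keytabs are the same file (symlink or hard link) or byte-identical;
# diverging copies are the failure mode described under Diagnostics.
keytabs_in_sync() {
    [ -e "$1" ] && [ -e "$2" ] || return 1
    [ "$1" -ef "$2" ] && return 0
    cmp -s "$1" "$2"
}

# Reads `klist -k` output on stdin; 0 if HOSTNAME$@<realm> is listed.
host_principal_present() {
    host=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    grep -Fqi "${host}\$@"
}

# dc_health_check KRB5_CONF SSSD_CONF NSSWITCH_CONF KRB5_KEYTAB SECRETS_KEYTAB
# Prints one line per check and returns the number of failed checks.
dc_health_check() {
    krb5=$1 sssd=$2 nss=$3 kt1=$4 kt2=$5 fails=0
    if [ "$(stat -c '%a' "$sssd" 2>/dev/null)" = "600" ]; then
        echo "ok:   $sssd is mode 600"
    else
        echo "FAIL: $sssd must be mode 600 (it can hold credentials and sssd checks its mode)"; fails=$((fails + 1))
    fi
    for db in passwd group; do
        if nss_uses_sss "$nss" "$db"; then
            echo "ok:   nsswitch $db uses sss"
        else
            echo "FAIL: nsswitch $db does not list sss, so domain accounts are invisible"; fails=$((fails + 1))
        fi
    done
    realm=$(krb5_default_realm "$krb5")
    domain=$(sssd_domain_sections "$sssd" | head -n 1 | tr '[:lower:]' '[:upper:]')
    if [ -n "$realm" ] && [ "$realm" = "$domain" ]; then
        echo "ok:   krb5 default_realm $realm matches the sssd domain"
    else
        echo "FAIL: krb5 default_realm '$realm' does not match sssd domain '$domain'"; fails=$((fails + 1))
    fi
    if keytabs_in_sync "$kt1" "$kt2"; then
        echo "ok:   $kt1 and $kt2 are in sync"
    else
        echo "FAIL: $kt1 and $kt2 differ; symlink them as described above"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed fixtures mirroring the configs on this page, with two faults
# planted: sssd.conf left world-readable and a stale copy of the keytab.
dc_demo_setup() {
    printf '[libdefaults]\ndefault_realm = AD.V.UCC.ASN.AU\ndns_lookup_kdc = true\n' > "$1/krb5.conf"
    printf '[sssd]\ndomains = ad.v.ucc.asn.au\n\n[domain/AD.V.UCC.ASN.AU]\nid_provider = ad\n' > "$1/sssd.conf"
    chmod 644 "$1/sssd.conf"
    printf 'passwd: files sss\ngroup:  files sss\nshadow: files\n' > "$1/nsswitch.conf"
    # placeholder bytes standing in for real keytab contents
    printf 'keytab-generation-2' > "$1/secrets.keytab"
    printf 'keytab-generation-1' > "$1/krb5.keytab"
}

# Run the check on the fixtures, apply the fixes from this page, run it again.
dc_demo() {
    d=$(mktemp -d)
    dc_demo_setup "$d"
    dc_health_check "$d/krb5.conf" "$d/sssd.conf" "$d/nsswitch.conf" "$d/krb5.keytab" "$d/secrets.keytab" \
        || echo "-> $? problem(s) found"
    chmod 600 "$d/sssd.conf"
    ln -sf "$d/secrets.keytab" "$d/krb5.keytab"
    dc_health_check "$d/krb5.conf" "$d/sssd.conf" "$d/nsswitch.conf" "$d/krb5.keytab" "$d/secrets.keytab" \
        && echo "-> healthy"
    rm -rf "$d"
}

dc_demo
```

On a live DC the same functions apply to the real files, e.g. `dc_health_check /etc/krb5.conf /etc/sssd/sssd.conf /etc/nsswitch.conf /etc/krb5.keytab /var/lib/samba/private/secrets.keytab` and `klist -k | host_principal_present "$(hostname -s)"`; running them before clearing caches or rejoining tells you which of the steps above actually needs redoing.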