Differences between revisions 1 and 2
Revision 1 as of 2018-11-13 18:18:45
Size: 5172
Editor: frekk
Revision 2 as of 2018-11-21 13:02:22
Size: 1938
Editor: frekk
Line 26: Line 26:
See [[NewActiveDirectory/DomainControllers]] '''See [[NewActiveDirectory/DomainControllers]]'''
Line 29: Line 29:
Line 35: Line 34:
 * TODO: roaming profiles
Line 37: Line 38:
AD wasn't designed for Linux, and since most of our machines run Linux we have made things difficult for ourselves. '''See [[NewActiveDirectory/LinuxClients]]'''
Line 39: Line 40:
''' This is copied from [[ActiveDirectory]] and has not been tested yet, feel free to fix that.'''
==== Automatically using realmd ====
=== Mac OS ===
Line 42: Line 42:
'''Make sure you can install samba version 4.6 or above, otherwise certain useful features (such as configuring id mapping) may not work.'''

Thanks to [[https://freedesktop.org/software/realmd/docs|realmd]], joining machines to the domain is extremely simple.
 * Install packages: `apt install realmd krb5-user`
 * Test to make sure you can connect to the domain: `realm discover ad.v.ucc.asn.au`
 * Join to the domain using `realm join -v -U <user> ad.v.ucc.asn.au`
   * realmd defaults to using sssd, which is fine
   * It installs any necessary packages.
    * Except for one thing: comment the line `use_fully_qualified_names = True` in `/etc/sssd/sssd.conf` (prefix with a `#`)
    * Then it works!
 * Done.

==== Manual Method ====

Based on the instructions from [[https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member]] and [[https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM]]
Before configuring the domain ensure the following:
 * Install the required packages: `apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind`

 * Ensure the system is configured according to the [[StandardOperatingEnvironment|SOE]].

 * edit `/etc/krb5.conf` to point to the new domain:
 . {{{
 default_realm = ad.ucc.gu.uwa.edu.au
 dns_lookup_realm = false
 dns_lookup_kdc = true

 * Make the following `/etc/samba/smb.conf`:
 . {{{
# Configure the domain infomation
        security = ads
        realm = ad.ucc.gu.uwa.edu.au
        workgroup = UCCDOMAYNE

# use winbind to map users and groups
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab

#Config gid/sid mapping based on AD attributes
        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 13000-17999
        #idmap config for UCCDOMAYNE
        idmap config UCCDOMAYNE:backend = ad
        idmap config UCCDOMAYNE:schema_mode = rfc2307
        idmap config UCCDOMAYNE:range = 1-999999
        idmap config UCCDOMAYNE:unix_nss_info = yes
        idmap config UCCDOMAYNE:unix_primary_group = yes


 * Join the machine to the domain with: `net ads join -U <username>`.

 * configure pam using `pam-auth-update` and enable `Winbind NT/AD authentication`.

 * configure `nsswitch.conf`
 . {{{
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: files
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

 * start the services:
 . {{{

 * Make sure the computer can fetch the domain users and groups with:
 . {{{
wbinfo -g` and `wbinfo -u`
'''TODO'''; joining to the domain for authentication is pretty simple but the process has not been rigorously tested yet. Google is your friend for now.
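Review bot: the idmap ranges in the smb.conf being removed in this hunk overlap, and the domain range also covers the local system UID/GID space: `idmap config * : range = 13000-17999` lies entirely inside `idmap config UCCDOMAYNE:range = 1-999999`, and a domain range starting at 1 means AD uidNumber/gidNumber values can collide with local accounts in the 1-999 system range. Samba requires idmap ranges to be non-overlapping (winbindd logs an error and refuses the configuration), so if this block is carried over to NewActiveDirectory/LinuxClients, start the domain range above the local UID space (for example 10000 upwards) and keep the `*` backend range disjoint from it. Two smaller points in the same block: the manual method still names the old realm `ad.ucc.gu.uwa.edu.au` / workgroup `UCCDOMAYNE` while the realmd steps use `ad.v.ucc.asn.au`, and the "start the services" step has an empty code block, so the services to start (winbind and smbd) are never named.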

This page describes the plan to fix Active Directory at UCC; the new domain may be used in place of the previous AD from 2019 onwards.

Note that this document and the system it describes are in an early development stage.

> In a virtually perfect world, our servers will be named after what they do and not after species of fish.

For testing, a subdomain for the "Virtual" AD will be configured as ad.v.ucc.asn.au with the NetBIOS domain name VUCC, on a separate virtual network inside a virtualised Proxmox VE instance (yes, running VMs inside of VMs). The primary DNS server for the domain is vucc0.v.ucc.asn.au, which is also the (virtual) Proxmox VE host. The "primary" DC for the domain will be dc0.v.ucc.asn.au, and a second DC will be dc1.v.ucc.asn.au. Note that whilst RODCs can be configured using Samba, full multi-master replication makes things just so much cooler (and more prone to inexplicable breakage), so we might be stuck with that for the time being.

v.ucc.asn.au is handed off from Mooneye using a separate forward zone in its /etc/bind/named.conf.local, so every query for that zone is sent to vucc0:

{{{
zone "v.ucc.asn.au" {
        type forward;
        forward only;
        forwarders {
                ; // vucc0 (proxmox VM on maltair, running dnsmasq)
        };
};
}}}

dnsmasq on the (virtualised) Proxmox VE host vucc0.ucc.asn.au then hands queries for the ad.v.ucc.asn.au domain on to the domain controller(s), which are authoritative for that zone (a Samba AD DC serves the domain's DNS records, including the SRV records clients use to locate a DC).
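The chain above (Mooneye's forward zone, dnsmasq on vucc0, the DCs' own DNS) has three places where a client's DC lookup can silently go nowhere, and `net ads join` / `realm join` only report a vague failure when it does. The script below is an added example, not part of this wiki page or of UCC's tooling: it queries the standard AD locator SRV records for a domain, either through the system resolver or directly against a resolver you name (for instance vucc0, so each hop can be tested on its own), and checks that every SRV target also has an A record. It assumes `dig` from the dnsutils package is installed; the domain name, resolver address and the `check` subcommand are the script's own conventions.

```shell
#!/bin/sh
# Added example (not from the UCC wiki): verify the DNS records a domain
# member needs to find a DC, through whichever resolver you name.
# Usage (the 10.0.0.1 address is a hypothetical stand-in for vucc0):
#   ./check-ad-dns.sh check ad.v.ucc.asn.au            # via the system resolver
#   ./check-ad-dns.sh check ad.v.ucc.asn.au 10.0.0.1   # via vucc0 directly
# Requires `dig` (package dnsutils on Debian).

# SRV names every AD client queries to locate a DC. These are the standard
# AD DNS locator records; Samba DCs register them in the zone themselves.
ad_srv_names() {
    d="$1"
    printf '%s\n' \
        "_ldap._tcp.$d" \
        "_kerberos._tcp.$d" \
        "_kerberos._udp.$d" \
        "_kpasswd._tcp.$d" \
        "_ldap._tcp.dc._msdcs.$d" \
        "_ldap._tcp.pdc._msdcs.$d" \
        "_gc._tcp.$d"
}

# Turn `dig +short SRV` output ("priority weight port target.") into
# "target port" lines, dropping the trailing dot and any non-record lines.
srv_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4, $3 }'
}

# dig wrapper: $1 = record type, $2 = name; RESOLVER may be empty.
dig_short() {
    if [ -n "$RESOLVER" ]; then
        dig +short +time=3 +tries=1 @"$RESOLVER" "$1" "$2"
    else
        dig +short +time=3 +tries=1 "$1" "$2"
    fi
}

# Query every locator record for $1 via resolver $2 (optional).
# Prints one ok/FAIL line per record and returns 1 if anything failed.
run_checks() {
    domain="$1"; RESOLVER="${2:-}"; rc=0
    for name in $(ad_srv_names "$domain"); do
        targets=$(dig_short SRV "$name" | srv_targets)
        if [ -z "$targets" ]; then
            echo "FAIL  $name: no SRV answer (forwarding chain broken, or DC has not registered its records)"
            rc=1
            continue
        fi
        old_ifs=$IFS; IFS='
'
        for line in $targets; do
            host=${line% *}; port=${line#* }
            if [ -n "$(dig_short A "$host")" ]; then
                echo "ok    $name -> $host:$port"
            else
                echo "FAIL  $name -> $host:$port (target has no A record)"
                rc=1
            fi
        done
        IFS=$old_ifs
    done
    return $rc
}

# Only run network checks when explicitly asked, so the functions can be
# sourced and tested without touching the network.
case "${1:-}" in
    check) run_checks "$2" "${3:-}" ;;
esac
```

Run it once against the system resolver and once with vucc0's address as the second argument: if the direct query succeeds but the system-resolver query does not, the break is in Mooneye's forward zone rather than in dnsmasq or on the DCs. On the dnsmasq side, the "delegation" the page describes is normally a forwarding rule of the form `server=/ad.v.ucc.asn.au/<dc0 address>` in dnsmasq.conf (an assumption about vucc0's configuration, which this page does not show).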

Domain Controller Configuration

See NewActiveDirectory/DomainControllers

Client configuration

Windows systems

Just join them to the domain. It Just Works (TM) - thanks Microsoft / Red Hat / IBM?!!

  • TODO: roaming profiles

Linux systems

See NewActiveDirectory/LinuxClients

Mac OS

TODO: joining to the domain for authentication is fairly simple, but the process has not been rigorously tested yet. Google is your friend for now.