This page is for describing the migration and current setup of the Active Directory domain at UCC. The Active Directory domain at UCC will be `ad.ucc.gu.uwa.edu.au`, and the domain name is `UCCDOMAYNE`. The primary DNS server for the domain is `samson.ucc.gu.uwa.edu.au`. The primary DC for the domain is also `samson.ucc.gu.uwa.edu.au`, and a second DC is `samurai.ucc.gu.uwa.edu.au`.

== Diagnostics ==

Sometimes group memberships don't seem to be updated; this can often be fixed by clearing the cache:

 * `sss_cache -E` if using sssd
 * `net cache flush` if using winbind
 * Or if the above fails to have an effect, try rejoining the domain using the instructions below.

== Upgrade/Setup Process ==

=== Domain Controllers ===

`ad.ucc.gu.uwa.edu.au` is delegated using separate zones in Mooneye's `/etc/bind/named.conf.local`

Samson's domain is set up by:

 * `apt install samba chrony krb5-user sssd sssd-ad sssd-krb5 sssd-tools libpam-krb5 libpam-sss libnss-sss`
 * Disable the systemd units for the non-DC setup & default configuration:
 . {{{
systemctl stop smbd
systemctl stop nmbd
systemctl stop winbind
systemctl disable smbd
systemctl disable nmbd
systemctl disable winbind
rm /etc/samba/smb.conf
}}}

If upgrading from the old NT domain do:

 * `scp root@molmol:/usr/local/etc/smb4.conf /opt/smb.conf.pdc`
 * `scp root@molmol:/var/db/samba4/\*.tdb /opt/samba-db/`
 * `scp root@molmol:/var/db/samba4/private/\*.tdb /opt/samba-db/`
 * Change "UCCDOMAIN" to "UCCDOMAYNE" and Mussel's hostname to an IP address in `/opt/smb.conf.pdc`
 * Comment out the ZFS-specific entries in `/opt/smb.conf.pdc`.
 * `samba-tool domain classicupgrade --use-xattrs=yes --realm adtest.ucc.gu.uwa.edu.au --dbdir=/opt/samba-db --dns-backend=SAMBA_INTERNAL --verbose /opt/smb.conf.pdc`

Otherwise, when adding additional DCs to an existing domain:

 * Set the following settings in `/etc/krb5.conf`:
 .
{{{
[libdefaults]
default_realm = ad.ucc.gu.uwa.edu.au
dns_lookup_realm = false
dns_lookup_kdc = true
}}}
 * verify kerberos with: `kinit `
 * join the domain with: `samba-tool domain join ad.ucc.gu.uwa.edu.au DC -U"UCCDOMAYNE\username" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'`
 * You may see an error saying something about DNS not being configured; you can probably ignore it.
 * replicate the SYSVOL directory to the new DC, then fix the permissions with: `samba-tool ntacl sysvolreset`
 * enable and start the samba service; the unit may have a different name depending on the samba version used.
 . {{{
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
}}}

For all domain controllers:

 * copy `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` from another domain controller
 * enable sssd auth in pam via `pam-auth-update`
 * DO NOT use winbind on a Domain controller, it sucks for [[https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC|multiple reasons]].

=== Windows systems ===

Just join them to the domain. Doesn't look like you need to create a machine account before joining?

=== Linux systems ===

==== Automatically using realmd ====

Thanks to [[https://freedesktop.org/software/realmd/docs|realmd]], joining machines to the domain is extremely simple.

 * Install packages: `apt install realmd`
 * Test to make sure you can connect to the domain: `realm discover ad.ucc.gu.uwa.edu.au`
 . This should produce output similar to the following:
 {{{
ad.ucc.gu.uwa.edu.au
  type: kerberos
  realm-name: AD.UCC.GU.UWA.EDU.AU
  domain-name: ad.ucc.gu.uwa.edu.au
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
}}}
 * Join to the domain using `realm join -v -U ad.ucc.gu.uwa.edu.au`
 * realmd defaults to using sssd, which is fine
 * It installs any necessary packages.
 * IT JUST WORKS!!
 * Except for two things:
  * comment out the line `use_fully_qualified_names = True` in `/etc/sssd/sssd.conf` (prefix it with a `#`)
  * Set `ldap_id_mapping = False` (fixes UID mappings)
 * Then it works!
 * Done.

==== Manual Method ====

Based on the instructions from [[https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member]] and [[https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM]]

Before configuring the domain ensure the following:

 * Install the required packages: `apt install samba winbind krb5-user libpam-krb5 libpam-winbind libnss-winbind`
 * Ensure the system is configured according to the [[StandardOperatingEnvironment|SOE]].
 * edit `/etc/krb5.conf` to point to the new domain:
 . {{{
[libdefaults]
default_realm = ad.ucc.gu.uwa.edu.au
dns_lookup_realm = false
dns_lookup_kdc = true
}}}
 * Make the following `/etc/samba/smb.conf`:
 . {{{
[global]
# Configure the domain information
security = ads
realm = ad.ucc.gu.uwa.edu.au
workgroup = UCCDOMAYNE

# use winbind to map users and groups
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
kerberos method = secrets and keytab

# Configure gid/sid mapping based on AD attributes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 13000-17999

# idmap config for UCCDOMAYNE
idmap config UCCDOMAYNE:backend = ad
idmap config UCCDOMAYNE:schema_mode = rfc2307
idmap config UCCDOMAYNE:range = 1-999999
idmap config UCCDOMAYNE:unix_nss_info = yes
idmap config UCCDOMAYNE:unix_primary_group = yes
}}}
 * Join the machine to the domain with: `net ads join -U `.
 * configure pam using `pam-auth-update` and enable `Winbind NT/AD authentication`.
 * configure `nsswitch.conf`:
 . {{{
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
}}}
 * start the services:
 . {{{
winbindd
nmbd
smbd
}}}
 * Make sure the computer can fetch the domain users and groups with:
 . {{{
wbinfo -g
wbinfo -u
}}}

== Things using LDAP ==

Anything that needs to bind to LDAP to get a list of users can no longer do so anonymously. Encryption is still required. In AD, create a new bind user for the service called bind-, put it in the Service Accounts group, and remove it from the Domain Users group. Then you can use this user to bind to the server.

== Converted systems ==

 * Windows desktops
 * Linux desktops
 * Linux servers
  * Motsugo
  * Merlo
  * Mooneye
 * FreeBSD servers
  * Molmol
 * Webmail?
 * Adduser scripts
 * Proxmox
 * RADIUS (VPN & wireless)
 * Windows server (Maaxen)
 * Mail delivery (dovecot)

== Unconverted systems ==

 * Linux servers
  * Mussel
  * Other machines
 * FreeBSD servers
  * Musdea
 * Solaris machines
 * Mac machines
 * Mail delivery (postfix, procmail, all that fun stuff)
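The two post-join edits from the realmd section above (comment out `use_fully_qualified_names = True`, set `ldap_id_mapping = False`) are easy to forget or to apply twice by hand. The script below is an added example, not part of this wiki page, realmd or sssd: it applies both edits to a copy of sssd.conf, inserts `ldap_id_mapping = False` into the `[domain/...]` section when realmd left the line out, writes the result back without changing the file's mode (sssd refuses to start on a world-readable config), and then checks the outcome. The sample sssd.conf it writes for demonstration is constructed to resemble realmd's output and is not copied from any UCC host.

```shell
#!/bin/sh
# Added example: post-realm-join fix-up for /etc/sssd/sssd.conf.
# Not from the UCC wiki, realmd or sssd. Usage: sh fix-sssd.sh [path]
set -eu

# fix_sssd_conf [FILE]: apply both edits idempotently (default: live config).
fix_sssd_conf() {
    conf="${1:-/etc/sssd/sssd.conf}"
    tmp="$conf.tmp.$$"
    # 1. comment out use_fully_qualified_names = True (already-commented lines
    #    start with '#' and never match, so a second run changes nothing)
    # 2. rewrite any existing ldap_id_mapping line to False
    sed -e 's/^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*True/# &/' \
        -e 's/^[[:space:]]*ldap_id_mapping[[:space:]]*=.*/ldap_id_mapping = False/' \
        "$conf" > "$tmp"
    # 3. if there was no ldap_id_mapping line at all, add one directly under
    #    the [domain/...] header so UIDs come from the rfc2307 attributes in AD
    if ! grep -q '^ldap_id_mapping = False' "$tmp"; then
        awk '{ print } /^\[domain\//{ print "ldap_id_mapping = False" }' "$tmp" > "$tmp.2" \
            && mv "$tmp.2" "$tmp"
    fi
    # overwrite in place (cat, not mv) so owner and 0600 mode are preserved
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# check_sssd_conf [FILE]: return 0 only when both edits are present.
check_sssd_conf() {
    conf="${1:-/etc/sssd/sssd.conf}"
    ok=0
    if grep -Eq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*True' "$conf"; then
        echo "$conf: use_fully_qualified_names is still enabled" >&2; ok=1
    fi
    if ! grep -Eq '^[[:space:]]*ldap_id_mapping[[:space:]]*=[[:space:]]*False' "$conf"; then
        echo "$conf: ldap_id_mapping is not False" >&2; ok=1
    fi
    return $ok
}

# write_sample_sssd_conf FILE: constructed sample resembling what realmd writes
# after joining ad.ucc.gu.uwa.edu.au; not taken from any real host.
write_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = ad.ucc.gu.uwa.edu.au
config_file_version = 2
services = nss, pam

[domain/ad.ucc.gu.uwa.edu.au]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AD.UCC.GU.UWA.EDU.AU
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = ad.ucc.gu.uwa.edu.au
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
EOF
}

# When given a path on the command line, fix that file and report the result.
if [ $# -gt 0 ]; then
    fix_sssd_conf "$1"
    check_sssd_conf "$1" && echo "$1: ok"
fi
```

Run it once against a throwaway copy first (`write_sample_sssd_conf /tmp/sssd.conf; sh fix-sssd.sh /tmp/sssd.conf`), then against the live file, and restart sssd afterwards; `check_sssd_conf` on its own is also a useful line for a config audit script.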
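For the manual (winbind) method above, the following is an added pre-join check, not from the UCC wiki or from Samba: it parses a smb.conf and a nsswitch.conf and confirms the settings the page calls for (`security = ads`, the realm and workgroup, the `ad` idmap backend, `winbind` on the `passwd` and `group` lines). It also checks that the default `*` idmap range and the UCCDOMAYNE range are disjoint, which Samba requires; as written in the smb.conf above, 13000-17999 lies inside 1-999999, so the check rejects that combination and you should move the default range outside the domain range before joining. The sample files it writes are constructed from the page's config and are parameterised only in the default range.

```shell
#!/bin/sh
# Added example: offline sanity checks for a winbind domain-member config.
# Not from the UCC wiki or Samba. Usage: sh check-member.sh [smb.conf] [nsswitch.conf]
set -eu

# smb_get FILE KEY: value of KEY in FILE, first match. Spaces around ':' and
# '=' are normalised so "idmap config * : range = 1-2" has key "idmap config *:range".
smb_get() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*:[[:space:]]*/:/' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" \
        | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# range_overlaps "A-B" "C-D": true when the two integer ranges share any id.
range_overlaps() {
    a_lo=${1%-*}; a_hi=${1#*-}
    b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# check_smb_conf [FILE]: return 0 only if every page-mandated setting is present
# and the idmap ranges do not overlap.
check_smb_conf() {
    f="${1:-/etc/samba/smb.conf}"; rc=0
    [ "$(smb_get "$f" security)" = "ads" ] || { echo "$f: security must be ads" >&2; rc=1; }
    [ "$(smb_get "$f" realm)" = "ad.ucc.gu.uwa.edu.au" ] || { echo "$f: wrong realm" >&2; rc=1; }
    [ "$(smb_get "$f" workgroup)" = "UCCDOMAYNE" ] || { echo "$f: wrong workgroup" >&2; rc=1; }
    [ "$(smb_get "$f" 'idmap config UCCDOMAYNE:backend')" = "ad" ] \
        || { echo "$f: UCCDOMAYNE idmap backend must be ad" >&2; rc=1; }
    dflt=$(smb_get "$f" 'idmap config *:range')
    dom=$(smb_get "$f" 'idmap config UCCDOMAYNE:range')
    if [ -z "$dflt" ] || [ -z "$dom" ]; then
        echo "$f: both idmap ranges must be set" >&2; rc=1
    elif range_overlaps "$dflt" "$dom"; then
        echo "$f: idmap ranges $dflt (*) and $dom (UCCDOMAYNE) overlap; Samba needs disjoint ranges" >&2; rc=1
    fi
    return $rc
}

# check_nsswitch [FILE]: passwd and group must consult winbind.
check_nsswitch() {
    f="${1:-/etc/nsswitch.conf}"; rc=0
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$f" \
            || { echo "$f: '$db' line does not include winbind" >&2; rc=1; }
    done
    return $rc
}

# write_sample_smb_conf FILE DEFAULT_RANGE: constructed sample mirroring the
# page's smb.conf; only the '*' range is parameterised.
write_sample_smb_conf() {
    cat > "$1" <<EOF
[global]
security = ads
realm = ad.ucc.gu.uwa.edu.au
workgroup = UCCDOMAYNE
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
kerberos method = secrets and keytab
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = $2
idmap config UCCDOMAYNE:backend = ad
idmap config UCCDOMAYNE:schema_mode = rfc2307
idmap config UCCDOMAYNE:range = 1-999999
idmap config UCCDOMAYNE:unix_nss_info = yes
idmap config UCCDOMAYNE:unix_primary_group = yes
EOF
}

# write_sample_nsswitch FILE: constructed sample with the page's passwd/group lines.
write_sample_nsswitch() {
    printf 'passwd:         compat winbind\ngroup:          compat winbind\nshadow:         files\n' > "$1"
}

if [ $# -gt 0 ]; then
    check_smb_conf "$1" && check_nsswitch "${2:-/etc/nsswitch.conf}" && echo "config looks sane"
fi
```

`testparm` remains the authoritative syntax check for smb.conf; this script only catches the handful of settings this page depends on, and runs fine on a draft file before anything is installed.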
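The "Things using LDAP" section sets two rules for services that list users from AD: no anonymous binds, and encryption on the connection. The wrapper below is an added example, not from the UCC wiki or any UCC service: it encodes those rules as a policy function that refuses an empty bind user and refuses plain `ldap://` unless StartTLS is made mandatory with `-ZZ`, then runs `ldapsearch` (from ldap-utils) with the password read from a file rather than the command line. It assumes the DC `samson.ucc.gu.uwa.edu.au` answers LDAPS, that the base DN is the domain name spelled out as DCs, and that the bind account is `bind-example@ad.ucc.gu.uwa.edu.au`, a placeholder for whatever `bind-` account you create for the service.

```shell
#!/bin/sh
# Added example: bind to AD as a service account over TLS and list people.
# Not from the UCC wiki. Usage: sh ad-users.sh BINDUSER PASSFILE [URI]
set -eu

# Assumptions (not stated on the page): base DN derived from the domain name,
# LDAPS served by the primary DC.
AD_BASE='dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au'
AD_URI="${AD_URI:-ldaps://samson.ucc.gu.uwa.edu.au}"

# ldap_bind_policy URI BINDUSER [STARTTLS=yes|no]: 0 when the page's rules hold.
# ldaps:// is TLS from the first byte; ldap:// is only allowed if the caller
# will force StartTLS (-ZZ); an empty bind user would be an anonymous bind.
ldap_bind_policy() {
    uri="$1"; binduser="$2"; starttls="${3:-no}"
    case "$uri" in
        ldaps://*) ;;
        ldap://*) [ "$starttls" = "yes" ] \
            || { echo "plain ldap:// is only acceptable with mandatory StartTLS (-ZZ)" >&2; return 1; } ;;
        *) echo "unsupported LDAP URI: $uri" >&2; return 1 ;;
    esac
    [ -n "$binduser" ] || { echo "anonymous binds are no longer allowed; use the service's bind- account" >&2; return 1; }
    return 0
}

# ldap_user_filter: AD filter matching people only (not computers or groups).
ldap_user_filter() {
    printf '%s' '(&(objectClass=user)(objectCategory=person))'
}

# list_ad_users BINDUSER PASSFILE [URI]: print one sAMAccountName per line.
list_ad_users() {
    binduser="$1"; passfile="$2"; uri="${3:-$AD_URI}"
    starttls=no; tlsopt=""
    case "$uri" in ldap://*) starttls=yes; tlsopt="-ZZ" ;; esac
    ldap_bind_policy "$uri" "$binduser" "$starttls" || return 1
    # -y reads the password from a 0600 file so it never shows up in `ps`;
    # -LLL strips LDIF comments; ldif-wrap=no keeps each attribute on one line.
    ldapsearch -LLL -o ldif-wrap=no $tlsopt -H "$uri" -D "$binduser" -y "$passfile" \
        -b "$AD_BASE" "$(ldap_user_filter)" sAMAccountName \
        | sed -n 's/^sAMAccountName: //p'
}

if [ $# -ge 2 ]; then
    list_ad_users "$@"
fi
```

Example invocation, with the placeholder account: `sh ad-users.sh bind-example@ad.ucc.gu.uwa.edu.au /etc/ad-bind.pass`. The policy check fails closed, so a misconfigured service that drops back to `ldap://` without StartTLS gets an error rather than a silent plaintext bind.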