Difference between revisions of "Howto Add a Samba4 Domain Controller"
Jump to navigation
Jump to search
(noting pam dependency) |
m (Robot: Cosmetic changes) |
||
| Line 24: | Line 24: | ||
== Samba == | == Samba == | ||
| − | There is no stable, working version of Samba 4 shipping with ubuntu. | + | There is no stable, working version of Samba 4 shipping with ubuntu. You have to download it from source for now. As of writing, version 4.0.5 works |
git clone -b v4-0-stable git://git.samba.org/samba.git samba | git clone -b v4-0-stable git://git.samba.org/samba.git samba | ||
| Line 36: | Line 36: | ||
/usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc --use-rfc2307 | /usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc --use-rfc2307 | ||
| − | Make a note of the admin password. | + | Make a note of the admin password. You may need it later. |
=== Kerberos === | === Kerberos === | ||
Revision as of 00:09, 18 March 2014
DNS Records
- Set an A record for auth.pumpingstationone.org
- Set a NS record for ad.pumpingstationone.org to auth.pumpingstationone.org
Install packages
sudo apt-get install libpam0g-dev
Host Setup
hostname
echo "auth.pumpingstationone.org" > /etc/hostname
hosts file
in /etc/hosts
1.2.3.4 auth.ad.pumpingstationone.org auth
fstab
add “acl,user_xattr” to the / drive in /etc/fstab e.g.
/dev/xvda / ext3 acl,user_xattr,noatime,errors=remount-ro 0
Samba
There is no stable, working version of Samba 4 shipping with ubuntu. You have to download it from source for now. As of writing, version 4.0.5 works
git clone -b v4-0-stable git://git.samba.org/samba.git samba ./configure make make install
Provisioning
/usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc --use-rfc2307
Make a note of the admin password. You may need it later.
Kerberos
apt-get install kerberos
/etc/krb5.conf
[libdefaults]
default_realm = AD.ARBITRARION.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Adding Users
To create the user "hef" and set the user password, use the following command:
/usr/local/samba/bin/samba-tool user add hef
To add the user "hef" to the "Domain Admins" group, use the following command:
/usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef
Services
Wordpress
- Log in as admin user.
- Install the active-directory-integration plugin.
ADI Settings
Under Settings >> Active Directory Integration set the following:
| Server | Domain Controllers | auth.pumpingstationonei.org |
| Base DN | cn=Users,dc=ad,dc=pumpingstationone,dc=org | |
| User | Account Suffix | @ad.pumpingstationone.org |
| Automatic User Creation | check | |
| Automatic User Update | check | |
| Prevent Email Change | check (maybe not, might be an easy way for users to update email address) | |
| Authorization | Role Equivalent Groups | Domain Admins=administrator |
| Security | User Notification | check |
MediaWiki
At the bottom of Mediawikis LocalSettings.php
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" ); $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPDomainNames = array( 'PS1' ); $wgLDAPServerNames = array( 'PS1' => 'auth.pumpingstationone.org' ); $wgLDAPSearchSrings = array( 'PS1' => '[email protected]' ); $wgLDAPEncryptionType = array( 'PS1' => 'clear' ); $wgLDAPUseLocal = false; #proxy agent # TODO this shouldn't use the Administrator account, another service account should suffice. $wgLDAPProxyAgent = array( 'PS1' => 'CN=Administrator,CN=Users,DC=ad,DC=pumpingstationone,DC=org' ); $wgLDAPProxyAgentPassword = array( 'PS1' => 'password’); $wgMinimalPasswordLength = 1; $wgLDAPBaseDNs = array( 'PS1' => 'CN=Users,DC=AD,DC=pumpingstationone,DC=org' ); $wgLDAPSearchAttributes = array( 'PS1' => 'sAMAccountName' ); $wgLDAPRetrivePrefs = array( "PS1" => "true" );