Line 1: |
Line 1: |
− | == DNS Records ==
| |
| | | |
− | * Set an A record for auth.pumpingstationone.org
| + | == Setup == |
− | * Set a NS record for ad.pumpingstationone.org to auth.pumpingstationone.org
| |
| | | |
− | == Install packages ==
| + | * Follow the Arch provision guide |
| + | * Add role: dc to the salt minion config. |
| | | |
− | sudo apt-get install libpam0g-dev
| + | == Joining == |
| | | |
− | == Host Setup ==
| + | samba-tool domain join AD.PUMPINGSTATIONONE.ORG -U hef |
| | | |
− | === hostname ===
| + | == Adding Users == |
− | | |
− | echo "auth.pumpingstationone.org" > /etc/hostname
| |
− | | |
− | === hosts file ===
| |
− | in /etc/hosts
| |
− | 1.2.3.4 auth.ad.pumpingstationone.org auth
| |
− | | |
− | === fstab ===
| |
− | add “acl,user_xattr” to the / drive in /etc/fstab
| |
− | e.g.
| |
− | /dev/xvda / ext3 acl,user_xattr,noatime,errors=remount-ro 0
| |
− | | |
− | == Samba ==
| |
− | There is no stable, working version of Samba 4 shipping with ubuntu. You have to download it from source for now. As of writing, version 4.0.5 works
| |
− | | |
− | git clone -b v4-0-stable git://git.samba.org/samba.git samba
| |
− | ./configure
| |
− | make
| |
− | make install
| |
− | | |
− | === Provisioning ===
| |
− | | |
− | | |
− | /usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc --use-rfc2307
| |
− | | |
− | Make a note of the admin password. You may need it later.
| |
− | | |
− | === Kerberos ===
| |
− | | |
− | apt-get install kerberos
| |
− | | |
− | /etc/krb5.conf
| |
− | [libdefaults]
| |
− | default_realm = AD.ARBITRARION.COM
| |
− | dns_lookup_realm = false
| |
− | dns_lookup_kdc = true
| |
− | | |
− | === Adding Users ===
| |
| | | |
| To create the user "hef" and set the user password, use the following command: | | To create the user "hef" and set the user password, use the following command: |
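Review bot: The join command on the new side, `samba-tool domain join AD.PUMPINGSTATIONONE.ORG -U hef`, passes no role argument; samba-tool's join takes an optional role after the domain name and, as far as I recall its behaviour, defaults to a member join when the role is omitted. Since the Setup section above says to add `role: dc` to the salt minion config, this host is presumably meant to become an additional domain controller, in which case the line should read `samba-tool domain join AD.PUMPINGSTATIONONE.ORG DC -U hef` — worth confirming against the samba-tool version in use. It would also help to say that the account given to `-U` must already have the rights to join a DC, which the "Domain Admins" step further down implies but never states, and to link the "Arch provision guide" that the Setup section now depends on.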
Line 56: |
Line 17: |
| To add the user "hef" to the "Domain Admins" group, use the following command: | | To add the user "hef" to the "Domain Admins" group, use the following command: |
| /usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef | | /usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef |
− |
| |
− | == Services ==
| |
− |
| |
− | === Wordpress ===
| |
− |
| |
− | # Log in as admin user.
| |
− | # Install the active-directory-integration plugin.
| |
− |
| |
− |
| |
− | ==== ADI Settings ====
| |
− | Under Settings >> Active Directory Integration set the following:
| |
− |
| |
− | {| class="wikitable"
| |
− | |Server || Domain Controllers || auth.pumpingstationonei.org
| |
− | |-
| |
− | | || Base DN ||cn=Users,dc=ad,dc=pumpingstationone,dc=org
| |
− | |-
| |
− | |User || Account Suffix || @ad.pumpingstationone.org
| |
− | |-
| |
− | | || Automatic User Creation || check
| |
− | |-
| |
− | | || Automatic User Update || check
| |
− | |-
| |
− | | || Prevent Email Change || check (maybe not, might be an easy way for users to update email address)
| |
− | |-
| |
− | |Authorization || Role Equivalent Groups || Domain Admins=administrator
| |
− | |-
| |
− | |Security || User Notification || check
| |
− | |}
| |
− |
| |
− | === MediaWiki ===
| |
− |
| |
− | At the bottom of Mediawikis LocalSettings.php
| |
− |
| |
− | require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
| |
− | $wgAuth = new LdapAuthenticationPlugin();
| |
− | $wgLDAPDomainNames = array( 'PS1' );
| |
− | $wgLDAPServerNames = array( 'PS1' => 'auth.pumpingstationone.org' );
| |
− | | |
− | $wgLDAPEncryptionType = array( 'PS1' => 'clear' );
| |
− | $wgLDAPUseLocal = false;
| |
− |
| |
− | #proxy agent
| |
− | # TODO this shouldn't use the Administrator account, another service account should suffice.
| |
− | $wgLDAPProxyAgent = array( 'PS1' => 'CN=Administrator,CN=Users,DC=ad,DC=pumpingstationone,DC=org' );
| |
− | $wgLDAPProxyAgentPassword = array( 'PS1' => 'password’);
| |
− |
| |
− | $wgMinimalPasswordLength = 1;
| |
− | $wgLDAPBaseDNs = array( 'PS1' => 'CN=Users,DC=AD,DC=pumpingstationone,DC=org' );
| |
− | $wgLDAPSearchAttributes = array( 'PS1' => 'sAMAccountName' );
| |
− | $wgLDAPRetrivePrefs = array( "PS1" => "true" );
| |
| | | |
| [[Category:IT Equipment]] | | [[Category:IT Equipment]] |