Difference between revisions of "Howto Add a Samba4 Domain Controller"

From Pumping Station One

m (Robot: Cosmetic changes)

(15 intermediate revisions by 2 users not shown)

The revision comparison contrasts the older revision, reconstructed below, with the latest revision, which is reproduced in full after it. The latest revision also carries this notice at the top of the page:

{{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }}

Older revision:

== DNS Records ==

* Set an A record for auth.pumpingstationone.org
* Set an NS record for ad.pumpingstationone.org pointing to auth.pumpingstationone.org

== Install packages ==

  sudo apt-get install libpam0g-dev

== Host Setup ==

=== hostname ===

  echo "auth.pumpingstationone.org" > /etc/hostname

=== hosts file ===

In /etc/hosts:

  1.2.3.4 auth.ad.pumpingstationone.org auth

=== fstab ===

Add "acl,user_xattr" to the / filesystem in /etc/fstab (Samba 4 stores ACLs and extended attributes on the filesystem holding its data), e.g.

  /dev/xvda  /            ext3    acl,user_xattr,noatime,errors=remount-ro      0

== Samba ==

There is no stable, working version of Samba 4 shipping with Ubuntu, so for now you have to build it from source. As of writing, version 4.0.5 works.

  git clone -b v4-0-stable git://git.samba.org/samba.git samba
  ./configure
  make
  make install

=== Provisioning ===

  /usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc --use-rfc2307

Make a note of the admin password. You may need it later.

=== Kerberos ===

  apt-get install kerberos

/etc/krb5.conf:

  [libdefaults]
      default_realm = AD.ARBITRARION.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true

=== Adding Users ===

To create the user "hef" and set the user password, use the following command:

  /usr/local/samba/bin/samba-tool user add hef

To add the user "hef" to the "Domain Admins" group, use the following command:

  /usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef

== Services ==

=== Wordpress ===

# Log in as admin user.
# Install the active-directory-integration plugin.

==== ADI Settings ====

Under Settings >> Active Directory Integration set the following:

{| class="wikitable"
|Server || Domain Controllers || auth.pumpingstationone.org
|-
| || Base DN || cn=Users,dc=ad,dc=pumpingstationone,dc=org
|-
|User || Account Suffix || @ad.pumpingstationone.org
|-
| || Automatic User Creation || check
|-
| || Automatic User Update || check
|-
| || Prevent Email Change || check (maybe not, might be an easy way for users to update email address)
|-
|Authorization || Role Equivalent Groups || Domain Admins=administrator
|-
|Security || User Notification || check
|}

=== MediaWiki ===

At the bottom of MediaWiki's LocalSettings.php:

  require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
  $wgAuth = new LdapAuthenticationPlugin();
  $wgLDAPDomainNames = array( 'PS1' );
  $wgLDAPServerNames = array( 'PS1' => 'auth.pumpingstationone.org' );
  $wgLDAPSearchStrings = array( 'PS1' => '[email protected]' );
  $wgLDAPEncryptionType = array( 'PS1' => 'clear' );
  $wgLDAPUseLocal = false;
  
  # proxy agent
  # TODO this shouldn't use the Administrator account, another service account should suffice.
  $wgLDAPProxyAgent = array( 'PS1' => 'CN=Administrator,CN=Users,DC=ad,DC=pumpingstationone,DC=org' );
  $wgLDAPProxyAgentPassword = array( 'PS1' => 'password' );
  
  $wgMinimalPasswordLength = 1;
  $wgLDAPBaseDNs = array( 'PS1' => 'CN=Users,DC=AD,DC=pumpingstationone,DC=org' );
  $wgLDAPSearchAttributes = array( 'PS1' => 'sAMAccountName' );
  $wgLDAPRetrievePrefs = array( "PS1" => "true" );

Note that 'clear' sends every bind to the DC unencrypted, including the proxy agent's password; the extension also accepts 'tls' and 'ssl'.

[[Category:IT Equipment]]

Latest revision as of 14:02, 1 November 2018

Setup

  • Follow the Arch provision guide
  • Add role: dc to the salt minion config.


Create a file called /etc/salt/minion.d/dc.conf

grains:
  roles:
    - dc

Joining As a Domain Controller

   samba-tool domain join AD.PUMPINGSTATIONONE.ORG DC -U hef

Checking and Fixing DNS

DNS doesn't always register correctly.

Check it:

   host -t A dc01.ad.pumpingstationone.org.

If nothing comes back, re-add it by hand.

   samba-tool dns add bob ad.pumpingstationone.org dc01 A 10.100.0.112

At this point you need the GUID for the new server. The Samba Guide references the ldbsearch command. I couldn't get it to work, so I grabbed the objectGuid field from CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org in LDAP.

   host -t CNAME af4c9efd-56f6-4160-8335-cf8e5a5ada8f._msdcs.ad.pumpingstationone.org

If it's missing add it:

   samba-tool dns add bob _msdcs.ad.pumpingstationone.org af4c9efd-56f6-4160-8335-cf8e5a5ada8f CNAME dc01.ad.pumpingstationone.org
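Added here as an example, not code from the wiki page: a small POSIX shell helper that applies the check-and-fix procedure above to both records a new DC needs, the host A record and the GUID CNAME under _msdcs. The function names and the sample `host` output used for checking are constructed; the DNS server name bob, the GUID, the zone and the IP are the page's own.

```shell
#!/bin/sh
# Constructed example: verify the two DNS records a freshly joined Samba DC
# needs and print the samba-tool command that restores a missing one.
DNS_SERVER="bob"                                  # DNS server name used on the page
ZONE="ad.pumpingstationone.org"
DC="dc01"
DC_IP="10.100.0.112"
GUID="af4c9efd-56f6-4160-8335-cf8e5a5ada8f"       # objectGuid of the NTDS Settings object

# record_ok TYPE NAME OUTPUT
# Returns 0 when OUTPUT (the text `host -t TYPE NAME` printed) contains an
# answer for NAME, 1 when it is an NXDOMAIN / "has no record" style reply.
record_ok() {
  case "$1" in
    A)     printf '%s\n' "$3" | grep -q "^$2 has address " ;;
    CNAME) printf '%s\n' "$3" | grep -q "^$2 is an alias for " ;;
    *)     return 2 ;;
  esac
}

# fix_cmd TYPE
# The samba-tool invocation from the page that re-adds the record by hand.
fix_cmd() {
  case "$1" in
    A)     echo "samba-tool dns add $DNS_SERVER $ZONE $DC A $DC_IP" ;;
    CNAME) echo "samba-tool dns add $DNS_SERVER _msdcs.$ZONE $GUID CNAME $DC.$ZONE" ;;
  esac
}

# check_and_fix TYPE NAME
# Queries DNS with `host` and reports either "ok" or the command to run.
check_and_fix() {
  out=$(host -t "$1" "$2." 2>&1) || true
  if record_ok "$1" "$2" "$out"; then
    echo "ok: $1 $2"
  else
    echo "missing: $1 $2 -> run: $(fix_cmd "$1")"
  fi
}

# Usage on the DC (needs `host` and a resolver pointing at the domain DNS):
#   check_and_fix A "$DC.$ZONE"
#   check_and_fix CNAME "$GUID._msdcs.$ZONE"
```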

Joining As a Domain Member

   net ads join -U hef

The samba-tool domain join command does not get winbindd working correctly. The net command is required.


Adding Users

Regular users need to get their account through https://members.pumpingstationone.org.

Service and test accounts can be created with the following procedure:


To create the user "hef" and set the user password, use the following command:

  samba-tool user add hef


To add the user "hef" to the "Domain Admins" group, use the following command:

  samba-tool group addmembers "Domain Admins" hef