Howto Add a Samba4 Domain Controller: Difference between revisions

From PS:1 Wiki Dev
Content deleted Content added
No edit summary
 
(29 intermediate revisions by 3 users not shown)
Line 1: Line 1:

Old revision (content deleted):

== DNS Records ==
* Set an A record for auth.pumpingstationone.org
* Set a NS record for ad.pumpingstationone.org to auth.pumpingstationone.org

== Host Setup ==
echo "auth.pumpingstationone.org" > /etc/hostname
add 66.228.35.181 auth.ad.arbitrarion.com auth to beginning of /etc/hosts

== Samba ==
There is no stable, working version of Samba 4 shipping with ubuntu. You have to download it from source for now. As of writing, version 4.0.5 works
git clone -b v4-0-stable git://git.samba.org/samba.git samba
./configure
make
make install

=== Provisioning ===
/usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc
Make a note of the admin password. You may need it later.

=== Kerberos ===
apt-get install kerberos
/etc/krb5.conf
[libdefaults]
default_realm = AD.ARBITRARION.COM
dns_lookup_realm = false
dns_lookup_kdc = true

=== Adding Users ===
To create the user "hef" and set the user password, use the following command:
/usr/local/samba/bin/samba-tool user add hef
To add the user "hef" to the "Domain Admins" group, use the following command:
/usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef

== Services ==
=== Wordpress ===
# Log in as admin user.
# Install the active-directory-integration plugin.
Under Settings >> Active Directory Integration set the following:
{| class="wikitable"
|Server || Domain Controllers || auth.pumpingstationonei.org
|-
| || Base DN ||cn=Users,dc=ad,dc=pumpingstationone,dc=org
|-
|User || Account Suffix || @ad.pumpingstationone.org
|-
| || Automatic User Creation || check
|-
| || Automatic User Update || check
|-
| || Prevent Email Change || check (maybe not, might be an easy way for users to update email address)
|-
|Authorization || Role Equivalent Groups || Domain Admins=administrator
|-
|Security || User Notification || check
|}

=== MediaWiki ===
At the bottom of Mediawikis LocalSettings.php
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'PS1' );
$wgLDAPServerNames = array( 'PS1' => 'auth.pumpingstationone.org' );
$wgLDAPSearchSrings = array( 'PS1' => 'USER-NAME@ad.arbitrarion.com' );
$wgLDAPEncryptionType = array( 'PS1' => 'clear' );
$wgLDAPUseLocal = false;
#proxy agent
# TODO this shouldn't use the Administrator account, another service account should suffice.
$wgLDAPProxyAgent = array( 'PS1' => 'CN=Administrator,CN=Users,DC=ad,DC=pumpingstationone,DC=org' );
$wgLDAPProxyAgentPassword = array( 'PS1' => 'password' );
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( 'PS1' => 'CN=Users,DC=AD,DC=pumpingstationone,DC=org' );
$wgLDAPSearchAttributes = array( 'PS1' => 'sAMAccountName' );
$wgLDAPRetrivePrefs = array( "PS1" => "true" );

New revision (content added):

{{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }}
== Setup ==
* Follow the Arch provision guide
* Add role: dc to the salt minion config.
Create a file called /etc/salt/minion.d/dc.conf
<pre>
grains:
roles:
- dc
</pre>

== Joining As a Domain Controller ==
samba-tool domain join AD.PUMPINGSTATIONONE.ORG DC -U hef

=== Checking and Fixing DNS ===
DNS doesn't always register correctly.
check it:
host -t dc01.ad.pumpingstationone.org.
If nothing comes back, re add it by hand.
samba-tool dns add bob ad.pumpingstationone.org dc01 A 10.100.0.112
At this point you need the guid for the new server. The [https://wiki.samba.org/index.php/Join_a_domain_as_a_DC Samba Guide] References the ldbsearch commmand. I couldn't get it to work, so I grabbed the objectGuid field from CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org in ldap.
host -t CNAME af4c9efd-56f6-4160-8335-cf8e5a5ada8f._msdcs.ad.pumpingstationone.org
If it's missing add it:
samba-tool dns add bob _msdcs.ad.pumpingstationone.org af4c9efd-56f6-4160-8335-cf8e5a5ada8f CNAME dc01.ad.pumpingstationone.org

== Joining As a Domain Member ==
net ads join -U hef
The samba-tool domain join command does not get winbindd working correctly. The <code>net</code> command is required.

== Adding Users ==
Regular users need to get there account through https://members.pumpingstationone.org.
service and test accounts can be created with the following procedire
To create the user "hef" and set the user password, use the following command:
samba-tool user add hef
To add the user "hef" to the "Domain Admins" group, use the following command:
samba-tool group addmembers "Domain Admins" hef

[[Category:IT Equipment]]

Latest revision as of 14:02, 1 November 2018

Warning: This information is out of date. Up-to-date IT information can be found here.

Setup

  • Follow the Arch provision guide
  • Add role: dc to the salt minion config.


Create a file called /etc/salt/minion.d/dc.conf

grains:
  roles:
    - dc

Joining As a Domain Controller

   samba-tool domain join AD.PUMPINGSTATIONONE.ORG DC -U hef

Checking and Fixing DNS

DNS doesn't always register correctly.

check it:

   host -t A dc01.ad.pumpingstationone.org.

If nothing comes back, re-add it by hand.

   samba-tool dns add bob ad.pumpingstationone.org dc01 A 10.100.0.112

At this point you need the GUID for the new server. The Samba Guide references the ldbsearch command. I couldn't get it to work, so I grabbed the objectGUID field from CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org in LDAP.

   host -t CNAME af4c9efd-56f6-4160-8335-cf8e5a5ada8f._msdcs.ad.pumpingstationone.org

If it's missing add it:

   samba-tool dns add bob _msdcs.ad.pumpingstationone.org af4c9efd-56f6-4160-8335-cf8e5a5ada8f CNAME dc01.ad.pumpingstationone.org
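The GUID lookup above is where this check most often goes wrong: the objectGUID attribute read from LDAP is a raw 16-byte value whose first three fields are stored little-endian, so decoding it naively produces a GUID that never matches the CNAME the DC registers. The script below is an added example, not code from the wiki page or from Samba; it decodes the objectGUID both ways to show the difference, builds the `_msdcs` CNAME owner name, and works out which of the two hand-checked records still need a `samba-tool dns add`. The zone snapshot and the raw GUID bytes are constructed here for illustration; in practice the snapshot would come from `host` or `samba-tool dns query`.

```python
"""Added example (not part of the wiki page or of Samba): derive the _msdcs
CNAME owner name a Samba AD DC needs from the DC's objectGUID and list the
records a zone snapshot is still missing.

Assumed, not taken from the page: the objectGUID is the raw 16-byte LDAP
attribute value, and the zone snapshot is a constructed dict standing in for
what `host` / `samba-tool dns query` would report.
"""
import uuid

REALM = "ad.pumpingstationone.org"
DC_NAME = "dc01"
DC_ADDR = "10.100.0.112"
DNS_SERVER = "bob"  # the server argument the page passes to `samba-tool dns add`


def object_guid_to_text(raw: bytes) -> str:
    """Decode an AD objectGUID attribute into its textual GUID.

    AD stores time_low, time_mid and time_hi little-endian, so the decoder
    must be uuid.UUID(bytes_le=...). Decoding with bytes=... swaps those
    three fields and yields a name the DC will never register.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def naive_guid_decode(raw: bytes) -> str:
    """The wrong (big-endian) decoding, kept only to show how it differs."""
    return str(uuid.UUID(bytes=raw))


def msdcs_cname_owner(raw_guid: bytes, realm: str = REALM) -> str:
    """Owner name of the DC's GUID CNAME in the _msdcs subzone."""
    return f"{object_guid_to_text(raw_guid)}._msdcs.{realm}"


def expected_records(raw_guid, realm=REALM, dc=DC_NAME, addr=DC_ADDR):
    """The two records the page checks by hand, as (zone, name, type, data)."""
    return [
        (realm, dc, "A", addr),
        (f"_msdcs.{realm}", object_guid_to_text(raw_guid), "CNAME", f"{dc}.{realm}"),
    ]


def missing_record_commands(zone_snapshot, raw_guid, server=DNS_SERVER):
    """Return the `samba-tool dns add` commands for records the snapshot lacks.

    zone_snapshot maps a fully qualified owner name to the set of
    (type, data) pairs that currently resolve for it.
    """
    commands = []
    for zone, name, rtype, data in expected_records(raw_guid):
        owner = f"{name}.{zone}"
        if (rtype, data) not in zone_snapshot.get(owner, set()):
            commands.append(f"samba-tool dns add {server} {zone} {name} {rtype} {data}")
    return commands


# Constructed sample: the GUID from the page, in the raw form LDAP returns it.
SAMPLE_GUID = uuid.UUID("af4c9efd-56f6-4160-8335-cf8e5a5ada8f").bytes_le

# Constructed snapshot: the A record registered, the GUID CNAME did not.
SAMPLE_ZONE = {
    "dc01.ad.pumpingstationone.org": {("A", "10.100.0.112")},
}

if __name__ == "__main__":
    print("objectGUID decoded:", object_guid_to_text(SAMPLE_GUID))
    print("naive decoding:    ", naive_guid_decode(SAMPLE_GUID))
    print("CNAME to check:    ", msdcs_cname_owner(SAMPLE_GUID))
    for cmd in missing_record_commands(SAMPLE_ZONE, SAMPLE_GUID):
        print("missing ->", cmd)
```

Run stand-alone it prints the correctly decoded GUID, the mismatched naive decoding, the CNAME owner to query with `host -t CNAME`, and exactly the `samba-tool dns add ... CNAME ...` command the page gives for the missing record.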

Joining As a Domain Member

   net ads join -U hef

The samba-tool domain join command does not get winbindd working correctly. The net command is required.


Adding Users

Regular users need to get their account through https://members.pumpingstationone.org.

Service and test accounts can be created with the following procedure.


To create the user "hef" and set the user password, use the following command:

  samba-tool user add hef


To add the user "hef" to the "Domain Admins" group, use the following command:

  samba-tool group addmembers "Domain Admins" hef