Howto Add a Samba4 Domain Controller: Difference between revisions

From PS:1 Wiki Dev
Jump to navigationJump to search
← Older edit
Content deleted Content added
VisualWikitext
No edit summary
 
(17 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }}
== DNS Records ==


== Setup ==
* Set an A record for auth.pumpingstationone.org
* Set a NS record for ad.pumpingstationone.org to auth.pumpingstationone.org


* Follow the Arch provision guide
== Host Setup ==
* Add role: dc to the salt minion config.


=== hostname ===


Create a file called /etc/salt/minion.d/dc.conf
echo "auth.pumpingstationone.org" > /etc/hostname
<pre>
grains:
roles:
- dc
</pre>


== Joining As a Domain Controller ==
=== hosts file ===
in /etc/hosts
1.2.3.4 auth.ad.pumpingstationone.org auth


samba-tool domain join AD.PUMPINGSTATIONONE.ORG DC -U hef
=== fstab ===
add “acl,user_xattr” to the / drive in /etc/fstab
e.g.
/dev/xvda / ext3 acl,user_xattr,noatime,errors=remount-ro 0


=== Checking and Fixing DNS ===
== Samba ==
There is no stable, working version of Samba 4 shipping with ubuntu. You have to download it from source for now. As of writing, version 4.0.5 works


DNS doesn't always register correctly.
git clone -b v4-0-stable git://git.samba.org/samba.git samba
./configure
make
make install


check it:
=== Provisioning ===


host -t dc01.ad.pumpingstationone.org.


If nothing comes back, re add it by hand.
/usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc --use-rfc2307


samba-tool dns add bob ad.pumpingstationone.org dc01 A 10.100.0.112
Make a note of the admin password. You may need it later.


At this point you need the guid for the new server. The [https://wiki.samba.org/index.php/Join_a_domain_as_a_DC Samba Guide] References the ldbsearch commmand. I couldn't get it to work, so I grabbed the objectGuid field from CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org in ldap.
=== Kerberos ===


host -t CNAME af4c9efd-56f6-4160-8335-cf8e5a5ada8f._msdcs.ad.pumpingstationone.org
apt-get install kerberos


If it's missing add it:
/etc/krb5.conf
[libdefaults]
default_realm = AD.ARBITRARION.COM
dns_lookup_realm = false
dns_lookup_kdc = true


samba-tool dns add bob _msdcs.ad.pumpingstationone.org af4c9efd-56f6-4160-8335-cf8e5a5ada8f CNAME dc01.ad.pumpingstationone.org
=== Adding Users ===


== Joining As a Domain Member ==
To create the user "hef" and set the user password, use the following command:
/usr/local/samba/bin/samba-tool user add hef


net ads join -U hef


The samba-tool domain join command does not get winbindd working correctly. The <code>net</code> command is required.
To add the user "hef" to the "Domain Admins" group, use the following command:
/usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef


== Services ==


=== Wordpress ===
== Adding Users ==


Regular users need to get there account through https://members.pumpingstationone.org.
# Log in as admin user.
# Install the active-directory-integration plugin.


service and test accounts can be created with the following procedire


==== ADI Settings ====
Under Settings >> Active Directory Integration set the following:


To create the user "hef" and set the user password, use the following command:
{| class="wikitable"
samba-tool user add hef
|Server || Domain Controllers || auth.pumpingstationonei.org
|-
| || Base DN ||cn=Users,dc=ad,dc=pumpingstationone,dc=org
|-
|User || Account Suffix || @ad.pumpingstationone.org
|-
| || Automatic User Creation || check
|-
| || Automatic User Update || check
|-
| || Prevent Email Change || check (maybe not, might be an easy way for users to update email address)
|-
|Authorization || Role Equivalent Groups || Domain Admins=administrator
|-
|Security || User Notification || check
|}


=== MediaWiki ===


To add the user "hef" to the "Domain Admins" group, use the following command:
At the bottom of Mediawikis LocalSettings.php
samba-tool group addmembers "Domain Admins" hef

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'PS1' );
$wgLDAPServerNames = array( 'PS1' => 'auth.pumpingstationone.org' );
$wgLDAPSearchSrings = array( 'PS1' => 'USER-NAME@ad.arbitrarion.com' );
$wgLDAPEncryptionType = array( 'PS1' => 'clear' );
$wgLDAPUseLocal = false;
#proxy agent
# TODO this shouldn't use the Administrator account, another service account should suffice.
$wgLDAPProxyAgent = array( 'PS1' => 'CN=Administrator,CN=Users,DC=ad,DC=pumpingstationone,DC=org' );
$wgLDAPProxyAgentPassword = array( 'PS1' => 'password’);
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( 'PS1' => 'CN=Users,DC=AD,DC=pumpingstationone,DC=org' );
$wgLDAPSearchAttributes = array( 'PS1' => 'sAMAccountName' );
$wgLDAPRetrivePrefs = array( "PS1" => "true" );


[[Category:IT Equipment]]
[[Category:IT Equipment]]

Latest revision as of 14:02, 1 November 2018

{{ 

 {{#switch:
 {{#if: 
   | 
   | {{#if: 
     | 
       {{#ifeq:|
       | talk
       |  
       }}
     | 
       {{#ifeq:|talk
       | talk
       |  
       }}
     }}
   }}

| main | = ambox | talk = tmbox | user = ombox | project = ombox | file | image = imbox | mediawiki = ombox | template = ombox | help = ombox | category = cmbox | book = ombox | extension = ombox | other | #default = ombox

}} | type = warning | image = | imageright = | class = | style = | textstyle = | text = This information is out of date. Up-to-date IT information can be found here | small = | smallimage = | smallimageright = | smalltext = | subst = | date = | name = }}

Setup

  • Follow the Arch provision guide
  • Add role: dc to the salt minion config.


Create a file called /etc/salt/minion.d/dc.conf 

grains:
  roles:
    - dc

Joining As a Domain Controller

   samba-tool domain join AD.PUMPINGSTATIONONE.ORG DC -U hef

Checking and Fixing DNS

DNS doesn't always register correctly.

check it: 

   host -t dc01.ad.pumpingstationone.org.

If nothing comes back, re add it by hand. 

   samba-tool dns add bob ad.pumpingstationone.org dc01 A 10.100.0.112

At this point you need the guid for the new server. The Samba Guide References the ldbsearch commmand. I couldn't get it to work, so I grabbed the objectGuid field from CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org in ldap. 

   host -t CNAME af4c9efd-56f6-4160-8335-cf8e5a5ada8f._msdcs.ad.pumpingstationone.org

If it's missing add it: 

   samba-tool dns add bob _msdcs.ad.pumpingstationone.org af4c9efd-56f6-4160-8335-cf8e5a5ada8f CNAME dc01.ad.pumpingstationone.org

Joining As a Domain Member

   net ads join -U hef

The samba-tool domain join command does not get winbindd working correctly. The net command is required.


Adding Users

Regular users need to get there account through https://members.pumpingstationone.org.

service and test accounts can be created with the following procedire


To create the user "hef" and set the user password, use the following command: 

  samba-tool user add hef


To add the user "hef" to the "Domain Admins" group, use the following command: 

  samba-tool group addmembers "Domain Admins" hef
Retrieved from "https://wiki-dev.pumpingstationone.org/mediawiki/index.php?title=Howto_Add_a_Samba4_Domain_Controller&oldid=38280"