Howto Add a Samba4 Domain Controller: Difference between revisions
From PS:1 Wiki Dev
m Hef moved page Central Authentication Server to Howto Add a Samba4 Domain Controller: initializing a DC is no longer useful
the new version
| Line 1: | Line 1: | ||
== DNS Records == |
* Set an A record for auth.pumpingstationone.org |
* Set a NS record for ad.pumpingstationone.org to auth.pumpingstationone.org |
* Follow the Arch provision guide |
== Install packages == |
* Add role: dc to the salt minion config. |
sudo apt-get install libpam0g-dev |
samba-tool domain join AD.PUMPINGSTATIONONE.ORG -U hef |
== Adding Users == |
echo "auth.pumpingstationone.org" > /etc/hostname |
=== hosts file === |
in /etc/hosts |
1.2.3.4 auth.ad.pumpingstationone.org auth |
=== fstab === |
add “acl,user_xattr” to the / drive in /etc/fstab |
e.g. |
/dev/xvda / ext3 acl,user_xattr,noatime,errors=remount-ro 0 |
There is no stable, working version of Samba 4 shipping with ubuntu. You have to download it from source for now. As of writing, version 4.0.5 works |
git clone -b v4-0-stable git://git.samba.org/samba.git samba |
./configure |
make |
make install |
=== Provisioning === |
/usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc --use-rfc2307 |
Make a note of the admin password. You may need it later. |
=== Kerberos === |
apt-get install kerberos |
/etc/krb5.conf |
[libdefaults] |
default_realm = AD.ARBITRARION.COM |
dns_lookup_realm = false |
dns_lookup_kdc = true |
=== Adding Users === |
To create the user "hef" and set the user password, use the following command: |
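Review bot: the join line `samba-tool domain join AD.PUMPINGSTATIONONE.ORG -U hef` names no role, so samba-tool performs a member join, not the domain-controller join the page title promises; a DC join is `samba-tool domain join AD.PUMPINGSTATIONONE.ORG DC -U hef`. The new revision also drops the steps the removed lines still depend on: the A and NS records for auth/ad.pumpingstationone.org, the /etc/hostname and /etc/hosts entries, and the `acl,user_xattr` mount options on / (a joined DC needs ACL and xattr support for sysvol, and clients need the DNS delegation to find it), so either keep those steps or state that the Arch provision guide covers them. In the removed krb5.conf, `default_realm = AD.ARBITRARION.COM` does not match the realm provisioned on this page, ad.pumpingstationone.org.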
| Line 56: | Line 17: | ||
To add the user "hef" to the "Domain Admins" group, use the following command: |
/usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef |
== Services == |
=== Wordpress === |
# Log in as admin user. |
# Install the active-directory-integration plugin. |
==== ADI Settings ==== |
Under Settings >> Active Directory Integration set the following: |
{| class="wikitable" |
|Server || Domain Controllers || auth.pumpingstationonei.org |
|- |
| || Base DN ||cn=Users,dc=ad,dc=pumpingstationone,dc=org |
|- |
|User || Account Suffix || @ad.pumpingstationone.org |
|- |
| || Automatic User Creation || check |
|- |
| || Automatic User Update || check |
|- |
| || Prevent Email Change || check (maybe not, might be an easy way for users to update email address) |
|- |
|Authorization || Role Equivalent Groups || Domain Admins=administrator |
|- |
|Security || User Notification || check |
|} |
=== MediaWiki === |
At the bottom of Mediawikis LocalSettings.php |
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" ); |
$wgAuth = new LdapAuthenticationPlugin(); |
$wgLDAPDomainNames = array( 'PS1' ); |
$wgLDAPServerNames = array( 'PS1' => 'auth.pumpingstationone.org' ); |
$wgLDAPSearchSrings = array( 'PS1' => 'USER-NAME@ad.arbitrarion.com' ); |
$wgLDAPEncryptionType = array( 'PS1' => 'clear' ); |
$wgLDAPUseLocal = false; |
#proxy agent |
# TODO this shouldn't use the Administrator account, another service account should suffice. |
$wgLDAPProxyAgent = array( 'PS1' => 'CN=Administrator,CN=Users,DC=ad,DC=pumpingstationone,DC=org' ); |
$wgLDAPProxyAgentPassword = array( 'PS1' => 'password’); |
$wgMinimalPasswordLength = 1; |
$wgLDAPBaseDNs = array( 'PS1' => 'CN=Users,DC=AD,DC=pumpingstationone,DC=org' ); |
$wgLDAPSearchAttributes = array( 'PS1' => 'sAMAccountName' ); |
$wgLDAPRetrivePrefs = array( "PS1" => "true" ); |
[[Category:IT Equipment]] |
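Review bot: the removed MediaWiki LocalSettings.php block binds the LDAP proxy agent as `CN=Administrator,CN=Users,DC=ad,DC=pumpingstationone,DC=org` with its password inline and `$wgLDAPEncryptionType = array( 'PS1' => 'clear' )`, which the block's own TODO already flags; deleting it from the wiki changes nothing on the server, so the follow-up (a least-privilege service account instead of Administrator, TLS instead of `clear`, and `$wgMinimalPasswordLength` raised from 1) belongs on whatever page now documents the MediaWiki side. Two of the removed keys are misspelled, `$wgLDAPSearchSrings` and `$wgLDAPRetrivePrefs` (the extension's settings are `$wgLDAPSearchStrings` and `$wgLDAPRetrievePrefs`), and `$wgLDAPProxyAgentPassword` closes its string with a typographic ’, so the block as shown would not have parsed. The WordPress table likewise gives the domain controller as `auth.pumpingstationonei.org`.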
Revision as of 15:49, 22 May 2014
== Setup ==
* Follow the Arch provision guide
* Add role: dc to the salt minion config.
== Joining ==
 samba-tool domain join AD.PUMPINGSTATIONONE.ORG -U hef
== Adding Users ==
To create the user "hef" and set the user password, use the following command:
 /usr/local/samba/bin/samba-tool user add hef
To add the user "hef" to the "Domain Admins" group, use the following command:
 /usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef
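The earlier revision of this page required `acl,user_xattr` on the / mount before the Samba4 DC could be set up, and the current one no longer checks it. The POSIX shell check below is an added example, not from the wiki: it reads an fstab-style file and reports whether the root entry carries both options, and the sample fstab line it constructs mirrors the one from the earlier revision.

```shell
#!/bin/sh
# Added example (not from the wiki): verify that the root filesystem entry in an
# fstab-style file carries the acl and user_xattr mount options that the earlier
# revision of this page requires before a Samba4 DC can serve sysvol.
# Returns 0 when both options are present, 1 otherwise (reason on stderr).
check_root_mount_opts() {
    fstab="$1"
    # Mount options are the fourth field of the line whose mount point is "/";
    # comment lines are skipped.
    opts=$(awk '$1 !~ /^#/ && $2 == "/" { print $4; exit }' "$fstab")
    if [ -z "$opts" ]; then
        echo "no entry for / in $fstab" >&2
        return 1
    fi
    missing=""
    for want in acl user_xattr; do
        # Wrap in commas so "acl" does not match inside "noacl".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "root mount options '$opts' are missing:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample that mirrors the fstab line from the earlier revision
# (with the pass field that line omitted), to show the check stand-alone.
sample=$(mktemp)
printf '%s\n' '# constructed sample, not a real fstab' \
    '/dev/xvda / ext3 acl,user_xattr,noatime,errors=remount-ro 0 1' > "$sample"
if check_root_mount_opts "$sample"; then
    echo "ok: / has acl and user_xattr"
fi
rm -f "$sample"
```

Run it against the real file with `check_root_mount_opts /etc/fstab` before the join; a non-zero exit names the missing option.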