{{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }}

== Setup ==

* Follow the Arch provision guide.
* Add the role <code>dc</code> to the salt minion config.

Create a file called /etc/salt/minion.d/dc.conf:

<pre>
grains:
  roles:
    - dc
</pre>

== Joining As a Domain Controller ==

<pre>
samba-tool domain join AD.PUMPINGSTATIONONE.ORG DC -U hef
</pre>

=== Checking and Fixing DNS ===

DNS doesn't always register correctly after the join. Check the new DC's A record (the example DC is <code>dc01</code> at 10.100.0.112):

<pre>
host -t A dc01.ad.pumpingstationone.org.
</pre>

If nothing comes back, re-add it by hand. The first argument to <code>samba-tool dns add</code> is the DNS server that receives the update, here the existing DC <code>bob</code>:

<pre>
samba-tool dns add bob ad.pumpingstationone.org dc01 A 10.100.0.112
</pre>

At this point you need the GUID for the new server. The [https://wiki.samba.org/index.php/Join_a_domain_as_a_DC Samba Guide] references the ldbsearch command. I couldn't get it to work, so I grabbed the objectGUID field from CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumpingstationone,DC=org in LDAP.

Check that the GUID resolves as a CNAME in the _msdcs zone:

<pre>
host -t CNAME af4c9efd-56f6-4160-8335-cf8e5a5ada8f._msdcs.ad.pumpingstationone.org
</pre>

If it's missing, add it:

<pre>
samba-tool dns add bob _msdcs.ad.pumpingstationone.org af4c9efd-56f6-4160-8335-cf8e5a5ada8f CNAME dc01.ad.pumpingstationone.org
</pre>

Replication partners locate this DC through that CNAME, so replication fails while it is missing.

== Joining As a Domain Member ==

<pre>
net ads join -U hef
</pre>

The samba-tool domain join command does not get winbindd working correctly; the <code>net</code> command is required.

== Adding Users ==

Regular users need to get their account through https://members.pumpingstationone.org.

Service and test accounts can be created with the following procedure.

To create the user "hef" and set the user's password, use the following command:

<pre>
samba-tool user add hef
</pre>

To add the user "hef" to the "Domain Admins" group, use the following command:

<pre>
samba-tool group addmembers "Domain Admins" hef
</pre>

Only do the second step for accounts that actually need domain-wide administrative rights; a service account for a single application should stay a plain domain user.

== Earlier revision ==

The sections below are the earlier version of this page (20 intermediate revisions by 3 users before the current one): Samba 4 built from source on Ubuntu, provisioning a new domain rather than joining an existing one, and the WordPress and MediaWiki integrations. They were dropped from the current revision but are kept here for reference.

=== DNS Records ===

* Set an A record for auth.pumpingstationone.org
* Set an NS record for ad.pumpingstationone.org pointing to auth.pumpingstationone.org

=== Host Setup ===

<pre>
echo "auth.pumpingstationone.org" > /etc/hostname
</pre>

In /etc/hosts (1.2.3.4 stands for the host's real address):

<pre>
1.2.3.4 auth.ad.pumpingstationone.org auth
</pre>

=== Samba ===

There is no stable, working version of Samba 4 shipping with Ubuntu. You have to build it from source for now. As of writing, version 4.0.5 works.

<pre>
git clone -b v4-0-stable git://git.samba.org/samba.git samba
cd samba
./configure
make
make install
</pre>

==== Provisioning ====

<pre>
/usr/local/samba/bin/samba-tool domain provision --realm=ad.pumpingstationone.org --domain=PS1 --server-role=dc
</pre>

Make a note of the admin password. You may need it later.

==== Kerberos ====

<pre>
apt-get install krb5-user
</pre>

/etc/krb5.conf (the realm is the one given to --realm above, in upper case):

<pre>
[libdefaults]
    default_realm = AD.PUMPINGSTATIONONE.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = true
</pre>

==== Adding Users ====

To create the user "hef" and set the user's password, use the following command:

<pre>
/usr/local/samba/bin/samba-tool user add hef
</pre>

To add the user "hef" to the "Domain Admins" group, use the following command:

<pre>
/usr/local/samba/bin/samba-tool group addmembers "Domain Admins" hef
</pre>

=== Services ===

==== Wordpress ====

# Log in as admin user.
# Install the active-directory-integration plugin.

===== ADI Settings =====

Under Settings >> Active Directory Integration set the following:

{| class="wikitable"
! Section !! Setting !! Value
|-
| Server || Domain Controllers || auth.pumpingstationone.org
|-
| || Base DN || cn=Users,dc=ad,dc=pumpingstationone,dc=org
|-
| User || Account Suffix || @ad.pumpingstationone.org
|-
| || Automatic User Creation || check
|-
| || Automatic User Update || check
|-
| || Prevent Email Change || check (maybe not, might be an easy way for users to update email address)
|-
| Authorization || Role Equivalent Groups || Domain Admins=administrator
|-
| Security || User Notification || check
|}

==== MediaWiki ====

At the bottom of MediaWiki's LocalSettings.php:

<pre>
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'PS1' );
$wgLDAPServerNames = array( 'PS1' => 'auth.pumpingstationone.org' );
$wgLDAPSearchStrings = array( 'PS1' => 'USER-NAME@ad.pumpingstationone.org' );
# 'clear' binds over plain LDAP, so every login sends the user's domain
# password to the DC unencrypted; the extension also accepts 'tls' and 'ssl'.
$wgLDAPEncryptionType = array( 'PS1' => 'clear' );
$wgLDAPUseLocal = false;

# proxy agent
# TODO this shouldn't use the Administrator account, another service account should suffice.
$wgLDAPProxyAgent = array( 'PS1' => 'CN=Administrator,CN=Users,DC=ad,DC=pumpingstationone,DC=org' );
$wgLDAPProxyAgentPassword = array( 'PS1' => 'password' );  # placeholder, use the real proxy agent password

$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( 'PS1' => 'CN=Users,DC=AD,DC=pumpingstationone,DC=org' );
$wgLDAPSearchAttributes = array( 'PS1' => 'sAMAccountName' );
$wgLDAPRetrievePrefs = array( "PS1" => "true" );
</pre>

The search string must use this domain's realm (ad.pumpingstationone.org), the same one provisioned above. <code>$wgMinimalPasswordLength</code> only governs passwords the wiki stores itself; with <code>$wgLDAPUseLocal = false</code> the domain's password policy on the DC is what applies to logins.

[[Category:IT Equipment]]
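The check-and-re-add steps from "Checking and Fixing DNS" above, as an added example script. It is not from the original page or from the Samba project; it keeps the page's names (the new DC <code>dc01</code> at 10.100.0.112, the existing DC <code>bob</code>, the NTDS Settings GUID) and adds a <code>--fix</code> flag and an <code>ADMIN_USER</code> variable (default <code>hef</code>) as assumptions. It needs <code>host</code> and <code>samba-tool</code> on the path and only writes to DNS when run with <code>--fix</code>.

```shell
#!/bin/sh
# Added example, not from the original page: check the two records a newly
# joined DC needs (its A record and the NTDS-GUID CNAME under _msdcs) and
# re-add whichever is missing with samba-tool, using the names from the
# text. DNS_SERVER ("bob") is the existing DC that hosts the zones.
set -u

ZONE="ad.pumpingstationone.org"
DNS_SERVER="bob"
DC_NAME="dc01"
DC_IP="10.100.0.112"
NTDS_GUID="af4c9efd-56f6-4160-8335-cf8e5a5ada8f"
ADMIN_USER="${ADMIN_USER:-hef}"   # assumed; account used for samba-tool dns add

# answer_has_record TYPE FQDN ANSWER
# Returns 0 if ANSWER (the text printed by `host -t TYPE FQDN.`) carries a
# record of that type for FQDN, 1 otherwise. "Host ... not found: 3(NXDOMAIN)"
# and "... has no CNAME record" are both treated as missing. Kept free of
# network calls so it can be exercised on canned output.
answer_has_record() {
  rtype=$1; fqdn=$2; answer=$3
  case "$rtype" in
    A)     pattern="$fqdn has address " ;;
    CNAME) pattern="$fqdn is an alias for " ;;
    *)     echo "unsupported record type: $rtype" >&2; return 2 ;;
  esac
  case "$answer" in
    *"$pattern"*) return 0 ;;
    *)            return 1 ;;
  esac
}

# ensure_record TYPE FQDN DATA ZONE
# Looks the record up; if nothing comes back, adds it through the existing
# DC exactly as the page does by hand. The relative name passed to
# samba-tool is FQDN with ".ZONE" stripped (dc01, or the GUID).
ensure_record() {
  rtype=$1; fqdn=$2; data=$3; zone=$4
  relname=${fqdn%".$zone"}
  answer=$(host -t "$rtype" "$fqdn." 2>&1) || true
  if answer_has_record "$rtype" "$fqdn" "$answer"; then
    echo "ok: $rtype $fqdn"
  else
    echo "missing: $rtype $fqdn, adding via $DNS_SERVER"
    samba-tool dns add "$DNS_SERVER" "$zone" "$relname" "$rtype" "$data" -U "$ADMIN_USER"
  fi
}

# Only touch DNS when run explicitly:  ./check_dc_dns.sh --fix
if [ "${1:-}" = "--fix" ]; then
  ensure_record A     "$DC_NAME.$ZONE"          "$DC_IP"         "$ZONE"
  ensure_record CNAME "$NTDS_GUID._msdcs.$ZONE" "$DC_NAME.$ZONE" "_msdcs.$ZONE"
fi
```

Run it once after every DC join; the two records cover what the page checks by hand, and the CNAME is the one replication partners use to find the new DC.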
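For "Joining As a Domain Member" above, an added example (not from the page or from the Samba project) of the join done with <code>net ads join</code> followed by the checks that show winbindd is really working. The smb.conf it writes is an assumed minimal member configuration, the idmap ranges are assumed values, and the <code>winbind</code> service name and the <code>--join</code> flag are assumptions; the page itself only shows the <code>net ads join</code> command.

```shell
#!/bin/sh
# Added example, not from the original page: join a member server with
# `net ads join` and confirm winbindd resolves domain users afterwards.
# The smb.conf below is an assumed minimal member configuration; the idmap
# ranges are assumed values and must not overlap, or winbind will not map IDs.
set -u

WORKGROUP="PS1"
REALM="AD.PUMPINGSTATIONONE.ORG"
JOIN_USER="${JOIN_USER:-hef}"

DEFAULT_RANGE_LO=3000;  DEFAULT_RANGE_HI=7999      # assumed: BUILTIN / unknown domains
DOMAIN_RANGE_LO=10000;  DOMAIN_RANGE_HI=999999     # assumed: PS1 users and groups

# ranges_overlap LO1 HI1 LO2 HI2 -> 0 if the two inclusive ranges overlap.
# Checked before writing smb.conf because overlapping idmap ranges are a
# common reason `getent passwd` returns nothing after a successful join.
ranges_overlap() {
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# member_smb_conf prints the member server's smb.conf to stdout.
member_smb_conf() {
  cat <<EOF
[global]
    workgroup = $WORKGROUP
    realm = $REALM
    security = ADS
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U
    # BUILTIN and any unknown domain use the allocating tdb backend
    idmap config * : backend = tdb
    idmap config * : range = $DEFAULT_RANGE_LO-$DEFAULT_RANGE_HI
    # Domain accounts get deterministic IDs derived from their RID
    idmap config $WORKGROUP : backend = rid
    idmap config $WORKGROUP : range = $DOMAIN_RANGE_LO-$DOMAIN_RANGE_HI
EOF
}

# join_and_verify writes the config, joins, restarts winbindd and checks that
# the machine account trust works and that users resolve through NSS.
join_and_verify() {
  if ranges_overlap "$DEFAULT_RANGE_LO" "$DEFAULT_RANGE_HI" "$DOMAIN_RANGE_LO" "$DOMAIN_RANGE_HI"; then
    echo "idmap ranges overlap; fix them before joining" >&2
    return 1
  fi
  member_smb_conf > /etc/samba/smb.conf
  testparm -s >/dev/null || return 1        # syntax check before joining
  net ads join -U "$JOIN_USER" || return 1
  systemctl restart winbind                  # winbindd must re-read the join secrets
  wbinfo -t || return 1                      # machine account trust against the DC
  wbinfo -u | head -n 3                      # a few domain users, via winbindd
  getent passwd "$JOIN_USER"                 # NSS resolution via libnss_winbind
}

# Only join when run explicitly:  ./join_member.sh --join
if [ "${1:-}" = "--join" ]; then
  join_and_verify
fi
```

<code>wbinfo -t</code> failing right after a join that reported success is the symptom the page describes for <code>samba-tool domain join</code>; the <code>net</code> path plus a winbindd restart is what makes it pass.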
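For "Adding Users" above, an added example (not the page's own procedure) of creating a service or test account with a generated password, a non-expiring password and membership in a dedicated group instead of Domain Admins. The account and group names passed on the command line, the <code>--create</code> flag and the sAMAccountName check are assumptions introduced here; the samba-tool subcommands are the standard ones.

```shell
#!/bin/sh
# Added example, not from the original page: create a service/test account
# with a random password, no password expiry, and membership in a dedicated
# group rather than Domain Admins. Run on the DC as a user allowed to
# administer accounts.
set -u

# valid_sam_name NAME -> 0 if NAME is usable as an AD sAMAccountName:
# 1-20 characters, none of the characters AD rejects, not ending in a dot.
valid_sam_name() {
  n=$1
  [ ${#n} -ge 1 ] && [ ${#n} -le 20 ] || return 1
  case "$n" in
    *.) return 1 ;;
  esac
  # Characters Active Directory rejects in sAMAccountName, plus @ (it would
  # be read as a UPN separator by most tools).
  if printf '%s' "$n" | grep -q '[]"/\\:;|=,+*?<>@[]'; then
    return 1
  fi
  return 0
}

# gen_password -> 48 hex characters (192 bits) from the kernel RNG.
gen_password() {
  head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# create_service_account NAME GROUP
create_service_account() {
  name=$1; group=$2
  valid_sam_name "$name" || { echo "invalid sAMAccountName: $name" >&2; return 1; }
  pw=$(gen_password)
  # Dedicated group instead of Domain Admins: grant the group rights where needed.
  samba-tool group list | grep -qx "$group" || samba-tool group add "$group" || return 1
  # The password is on argv here, so run this on the DC, not on a shared host.
  samba-tool user create "$name" "$pw" --description "service account ($group)" || return 1
  samba-tool user setexpiry "$name" --noexpiry || return 1
  samba-tool group addmembers "$group" "$name" || return 1
  samba-tool group listmembers "$group"
  printf 'password for %s: %s\n' "$name" "$pw"
}

# Only create anything when run explicitly:
#   ./add_service_account.sh --create svc-wiki wiki-service-accounts
if [ "${1:-}" = "--create" ]; then
  create_service_account "${2:?account name}" "${3:?group name}"
fi
```

Store the printed password in whatever secret store the consuming service uses and then clear the terminal scrollback; the account never needs Domain Admins to bind and search LDAP, which is all the MediaWiki and WordPress integrations on this page require.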