Feature #1746

Samba: joining Active Directory domain

Added by Davide Principi over 8 years ago. Updated about 8 years ago.

Status: CLOSED
Start date: 03/29/2013
Priority: Normal
Due date: 04/03/2013
Assignee: -
% Done: 100%
Category: nethserver-samba
Target version: v6.4-beta2
Resolution: 
NEEDINFO: No

Description

In AD mode a domain user
  • becomes a unix user (through winbindd) and filesystem permissions can be assigned to him.
  • can access ibays
  • can access his IMAP mailbox (this must be implemented by nethserver-mail-server or similar), see related issues.

Related issues

Related to NethServer 6 - Feature #1747: Mail-server: IMAP access for AD users CLOSED 03/25/2013 03/27/2013
Related to NethServer 6 - Feature #2000: SOGo: Active Directory integration CLOSED 06/10/2013 06/11/2013

Associated revisions

Revision b1d9271c
Added by Davide Principi over 8 years ago

/etc/krb5.conf: extensible output generator. Refs #1746

Revision c48f2132
Added by Davide Principi over 8 years ago

/etc/krb5.conf: Set default realm to uppercase DomainName. Refs #1746

Revision f52e23f3
Added by Davide Principi over 8 years ago

smb.conf: removed deprecated idmap parameters. Refs #1746

Revision ddc7b33b
Added by Davide Principi over 8 years ago

migration of ldap key is no longer needed. Refs #1746

Revision 25988eee
Added by Davide Principi over 8 years ago

libuser.conf: DB libuser key no longer used. Refs #1746

Revision d027d374
Added by Davide Principi over 8 years ago

nsswitch.conf template: dropped DB nsswitch key, using template fragments only. Refs #1746

Revision d17132ef
Added by Davide Principi over 8 years ago

nsswitch.conf template: add ldap modules by template fragment instead of DB nsswitch key. Refs #1746

Revision 40a7ede6
Added by Davide Principi over 8 years ago

krb5.conf: implemented new template interface. Refs #1746

Revision e2eb7b19
Added by Davide Principi over 8 years ago

nsswitch.conf: add winbind as NSS module, when role is ADS. Refs #1746

Revision a2779e3e
Added by Davide Principi over 8 years ago

/etc/pam.d/system-auth-nh template: refactored template with output formatter 90config_expand. Refs #1746

Revision 711ed662
Added by Davide Principi over 8 years ago

/etc/pam.d/system-auth-nh: use new template format. Refs #1746

Revision 150dc517
Added by Davide Principi over 8 years ago

/etc/pam.d/system-auth-nh: use new template format for ADS setup. Refs #1746

Revision d6a0b355
Added by Davide Principi over 8 years ago

nethserver-samba-conf action: store idmap ldap backend password. Refs #1746

Revision c0f43629
Added by Davide Principi over 8 years ago

/etc/samba/smb.conf template (20active_directory): use kerberos system keytab /etc/krb5.keytab for service credentials. Refs #1746

Revision 654c6b72
Added by Davide Principi about 8 years ago

NethServer\Tool\PasswordStash: added setAutoUnlink() method. Refs #1746

Revision 8c99d677
Added by Davide Principi about 8 years ago

Configuration DB defaults: kerberos setup for dovecot and postfix. Refs #1746

Revision 29b9a005
Added by Davide Principi about 8 years ago

nethserver-samba-{update,save} events: expand krb5.conf, nsswitch.conf and pam.d/{password,system}-auth-nh templates. Refs #1746

Revision c87fd037
Added by Davide Principi about 8 years ago

*.spec: Require cyrus-sasl-gssapi, krb5-workstation. Refs #1746

Revision b6ac0e44
Added by Davide Principi about 8 years ago

Workgroup/Configure UI module: restored AD panel. Refs #1746

Revision cf49b8bb
Added by Davide Principi about 8 years ago

nethserver-samba-adsjoin event: create machine account on directory controller and initialize system keytabs and cronjobs. Refs #1746

Revision ce71c61f
Added by Davide Principi about 8 years ago

Workgroup/Configure UI module: signal nethserver-samba-adsjoin event when authentication is not required to re-expand templates and reload services. Refs #1746

Revision d6b35bf0
Added by Davide Principi about 8 years ago

Workgroup\Configure UI: removed Controller field. The value is probed by "net ads" command and pushed into /etc/hosts. Refs #1746

Revision 5476aa3f
Added by Davide Principi about 8 years ago

smbads: fixed command line parameters list. Refs #1746

Revision b4eebb87
Added by Davide Principi about 8 years ago

smbads_changepassword monthly cronjob: change the machine password every month. Refs #1746

Revision 5521df21
Added by Davide Principi about 8 years ago

configuration DB: set default smb/Workgroup prop value. Refs #1746

Revision 0514afd7
Added by Davide Principi about 8 years ago

Moved nethserver-hosts RPM from nethserver-dns-dhcp group to nethserver-core. Changing DNS is required by Samba ADS role. Refs #1746

Revision a118900b
Added by Davide Principi about 8 years ago

/etc/hosts template (30hosts_remote): add short hostname alias if FQDN is in DomainName. Refs #1746

Revision 01519ec8
Added by Davide Principi about 8 years ago

smbads (tgt_status): added a 5% tolerance to the deadline time, to avoid ticket expiration during renewal. Refs #1746

History

#1 Updated by Davide Principi over 8 years ago

  • Due date set to 04/03/2013
  • Status changed from NEW to ON_DEV
  • Assignee set to Davide Principi
  • Start date set to 03/29/2013
  • % Done changed from 0 to 10

#2 Updated by Davide Principi over 8 years ago

See http://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#ID_Mapping_Changes on how to remove idmap warnings:

WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated

#3 Updated by Filippo Carletti over 8 years ago

  • Target version changed from v6.4-beta1 to ~FUTURE
  • % Done changed from 10 to 30

#4 Updated by Giacomo Sanchietti over 8 years ago

  • Target version changed from ~FUTURE to v6.4-beta2

#5 Updated by Davide Principi about 8 years ago

  • Status changed from ON_DEV to ON_QA
  • % Done changed from 30 to 80

In testing repo: nethserver-samba-1.3.0-1.ns6.noarch.rpm

#6 Updated by Davide Principi about 8 years ago

  • Assignee deleted (Davide Principi)

Test case

  • Follow instructions to join Active Directory on nethserver-samba wiki page
  • Install ibays and mail-server (see also #1747 for a test case)
  • Test email delivery #1747
  • Test ibay access

#7 Updated by Davide Principi about 8 years ago

  • Status changed from ON_QA to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 80 to 30

Back ON_DEV. A not-so-rare issue: a ticket expired while the cronjob was renewing it, probably because the validity check is exactly one hour in the future (the same as the cronjob period).

source:nethserver-samba|/root/usr/libexec/nethserver/smbads@62880c9527#L345

Consider the minute-second values in the timestamps below.

I got this message from the hourly cronjob:

From: root@nsrv2.ads1.tld (Cron Daemon)
To: root@nsrv2.ads1.tld
Subject: Cron <root@nsrv2> run-parts /etc/cron.hourly
Date: Wed, 12 Jun 2013 11:01:03 +0200 (CEST)

/etc/cron.hourly/smbads_tgt:

kinit: Ticket expired while renewing credentials

In /var/log/cron:

Jun 12 10:01:01 nsrv2 CROND[30833]: (root) CMD (run-parts /etc/cron.hourly)
Jun 12 10:01:01 nsrv2 run-parts(/etc/cron.hourly)[30833]: starting 0anacron
Jun 12 10:01:01 nsrv2 run-parts(/etc/cron.hourly)[30842]: finished 0anacron
Jun 12 10:01:01 nsrv2 run-parts(/etc/cron.hourly)[30833]: starting smbads_tgt
Jun 12 10:01:01 nsrv2 run-parts(/etc/cron.hourly)[30849]: finished smbads_tgt
Jun 12 11:01:01 nsrv2 CROND[30853]: (root) CMD (run-parts /etc/cron.hourly)
Jun 12 11:01:01 nsrv2 run-parts(/etc/cron.hourly)[30853]: starting 0anacron
Jun 12 11:01:01 nsrv2 run-parts(/etc/cron.hourly)[30862]: finished 0anacron
Jun 12 11:01:01 nsrv2 run-parts(/etc/cron.hourly)[30853]: starting smbads_tgt
Jun 12 11:01:02 nsrv2 run-parts(/etc/cron.hourly)[30872]: finished smbads_tgt

The kerberos ticket cache that caused the failure:

Ticket cache: FILE:/tmp/krb5cc_89
Default principal: NSRV2$@ADS1.TLD

Valid starting     Expires            Service principal
06/12/13 01:01:03  06/12/13 11:01:03  krbtgt/ADS1.TLD@ADS1.TLD
        renew until 06/19/13 01:01:03
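
The race described in this comment, as an added worked example that is not the smbads script from nethserver-samba (the real tgt_status check is linked above): a decision function for an hourly TGT cronjob, run over the ticket cache pasted above, re-embedded here as a constructed sample. The function names, the parameter names and the three result strings are assumptions of this example. Without a tolerance the 10:01 run sees a ticket still valid at 11:01:01 and leaves it, so the 11:01 run starts a renewal that the 11:01:03 expiry cuts short; with a 5% margin on the period the 10:01 run already renews it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the ticket cache pasted in the issue, as printed by klist.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_89
Default principal: NSRV2$@ADS1.TLD

Valid starting     Expires            Service principal
06/12/13 01:01:03  06/12/13 11:01:03  krbtgt/ADS1.TLD@ADS1.TLD
        renew until 06/19/13 01:01:03
"""

KLIST_TS = "%m/%d/%y %H:%M:%S"        # klist's default timestamp format on this system
TS_RE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"


def parse_tgt(klist_text):
    """Return (expires, renew_until) of the krbtgt entry; renew_until is None if absent."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"\s*({TS_RE})\s+({TS_RE})\s+krbtgt/", line)
        if not m:
            continue
        expires = datetime.strptime(m.group(2), KLIST_TS)
        renew_until = None
        # The "renew until" line, when present, follows the ticket line.
        if i + 1 < len(lines):
            r = re.search(rf"renew until ({TS_RE})", lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), KLIST_TS)
        return expires, renew_until
    raise ValueError("no krbtgt entry in klist output")


def tgt_status(expires, renew_until, now, period=timedelta(hours=1), tolerance=0.0):
    """Decide what a cronjob that runs every `period` should do with the TGT.

    'reacquire': already expired, or past its renewable life; only a fresh
                 kinit with the machine keytab helps (kinit -R would fail).
    'renew':     the ticket would expire before the next run plus the
                 tolerance margin, so renew now while it is still valid.
    'ok':        nothing to do until the next run.
    """
    if now >= expires or (renew_until is not None and now >= renew_until):
        return "reacquire"
    # Look one period ahead, widened by `tolerance` (0.05 = the 5% of the fix),
    # so a ticket expiring seconds after the next run is renewed on this run.
    deadline = now + period * (1 + tolerance)
    if expires <= deadline:
        return "renew"
    return "ok"


def tgt_status_at(klist_text, now_str, tolerance=0.0):
    """Wrapper taking klist text and a timestamp string in klist's format."""
    expires, renew_until = parse_tgt(klist_text)
    now = datetime.strptime(now_str, KLIST_TS)
    return tgt_status(expires, renew_until, now, tolerance=tolerance)


if __name__ == "__main__":
    # The two cron runs from /var/log/cron above, plus the exact expiry instant.
    for run in ("06/12/13 10:01:01", "06/12/13 11:01:01", "06/12/13 11:01:03"):
        print(run, "no tolerance:", tgt_status_at(KLIST_OUTPUT, run),
              "| 5% tolerance:", tgt_status_at(KLIST_OUTPUT, run, 0.05))
```

Note that "renew" at 11:01:01 is exactly the losing case: the check passes, but the renewal request reaches the KDC after 11:01:03. Any margin bigger than the cronjob's own jitter (here a second or two) removes it; 5% of an hour gives three minutes.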

#8 Updated by Davide Principi about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 70

Added a 5% tolerance to the renewal period in commit:01519ec8

#9 Updated by Davide Principi about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 70 to 80

In nethserver-testing:
nethserver-samba-1.3.3-1.ns6.noarch.rpm

#10 Updated by Giacomo Sanchietti about 8 years ago

  • Assignee set to Giacomo Sanchietti

#11 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 80 to 100

Join is OK:

[root@test dovecot]# net -k ads testjoin
Join is OK

[root@test dovecot]# klist -c /tmp/krb5cc_89
Ticket cache: FILE:/tmp/krb5cc_89
Default principal: TEST$@ADS1.TLD

Valid starting     Expires            Service principal
07/24/13 13:32:12  07/24/13 23:32:21  krbtgt/ADS1.TLD@ADS1.TLD
    renew until 07/31/13 13:32:12

[root@test dovecot]# klist -c /tmp/krb5cc_97
Ticket cache: FILE:/tmp/krb5cc_97
Default principal: TEST$@ADS1.TLD

Valid starting     Expires            Service principal
07/24/13 13:32:11  07/24/13 23:32:20  krbtgt/ADS1.TLD@ADS1.TLD
    renew until 07/31/13 13:32:11

Marking VERIFIED

#12 Updated by Davide Principi about 8 years ago

  • Status changed from VERIFIED to CLOSED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 90 to 100

Moved to nethserver-updates repository
