Feature #1746
Samba: joining Active Directory domain
| Status: | CLOSED | Start date: | 03/29/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | 04/03/2013 |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-samba | | |
| Target version: | v6.4-beta2 | | |
| Resolution: | | NEEDINFO: | No |
Description
In AD mode, a domain user:
- becomes a unix user (through winbindd) and filesystem permissions can be assigned to him.
- can access ibays
- can access his IMAP mailbox (this must be implemented by nethserver-mail-server or similar), see related issues.
Related issues
Associated revisions
/etc/krb5.conf: extensible output generator. Refs #1746
/etc/krb5.conf: Set default realm to uppercase DomainName. Refs #1746
smb.conf: removed deprecated idmap parameters. Refs #1746
migration of ldap key is no longer needed. Refs #1746
libuser.conf: DB libuser key no longer used. Refs #1746
nsswitch.conf template: dropped DB nsswitch key, using template fragments only. Refs #1746
nsswitch.conf template: add ldap modules by template fragment instead of DB nsswitch key. Refs #1746
krb5.conf: implemented new template interface. Refs #1746
nsswitch.conf: add winbind as NSS module, when role is ADS. Refs #1746
/etc/pam.d/system-auth-nh template: refactored template with output formatter 90config_expand. Refs #1746
/etc/pam.d/system-auth-nh: use new template format. Refs #1746
/etc/pam.d/system-auth-nh: use new template format for ADS setup. Refs #1746
nethserver-samba-conf action: store idmap ldap backend password. Refs #1746
/etc/samba/smb.conf template (20active_directory): use kerberos system keytab /etc/krb5.keytab for service credentials. Refs #1746
NethServer\Tool\PasswordStash: added setAutoUnlink() method. Refs #1746
Configuration DB defaults: kerberos setup for dovecot and postfix. Refs #1746
nethserver-samba-{update,save} events: expand krb5.conf, nsswitch.conf and pam.d/{password,system}-auth-nh templates. Refs #1746
*.spec: Require cyrus-sasl-gssapi, krb5-workstation. Refs #1746
Workgroup/Configure UI module: restored AD panel. Refs #1746
nethserver-samba-adsjoin event: create machine account on directory controller and initialize system keytabs and cronjobs. Refs #1746
Workgroup/Configure UI module: signal nethserver-samba-adsjoin event when authentication is not required to re-expand templates and reload services. Refs #1746
Workgroup\Configure UI: removed Controller field. The value is probed by "net ads" command and pushed into /etc/hosts. Refs #1746
smbads: fixed command line parameters list. Refs #1746
smbads_changepassword monthly cronjob: change the machine password every month. Refs #1746
configuration DB: set default smb/Workgroup prop value. Refs #1746
Moved nethserver-hosts RPM from nethserver-dns-dhcp group to nethserver-core. Changing DNS is required by Samba ADS role. Refs #1746
/etc/hosts template (30hosts_remote): add short hostname alias if FQDN is in DomainName. Refs #1746
smbads (tgt_status): added a 5% tolerance to the deadline time, to avoid ticket expiration during renewal. Refs #1746
History
#1 Updated by Davide Principi over 8 years ago
- Due date set to 04/03/2013
- Status changed from NEW to ON_DEV
- Assignee set to Davide Principi
- Start date set to 03/29/2013
- % Done changed from 0 to 10
#2 Updated by Davide Principi over 8 years ago
See http://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#ID_Mapping_Changes on how to remove idmap warnings:
```
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
```
#3 Updated by Filippo Carletti over 8 years ago
- Target version changed from v6.4-beta1 to ~FUTURE
- % Done changed from 10 to 30
#4 Updated by Giacomo Sanchietti over 8 years ago
- Target version changed from ~FUTURE to v6.4-beta2
#5 Updated by Davide Principi about 8 years ago
- Status changed from ON_DEV to ON_QA
- % Done changed from 30 to 80
In testing
repo: nethserver-samba-1.3.0-1.ns6.noarch.rpm
#6 Updated by Davide Principi about 8 years ago
- Assignee deleted (Davide Principi)
Test case
- Follow instructions to join Active Directory on nethserver-samba wiki page
- Install ibays and mail-server (see also #1747 for a test case)
- Test email delivery #1747
- Test ibay access
#7 Updated by Davide Principi about 8 years ago
- Status changed from ON_QA to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 80 to 30
Back ON_DEV. A not-so-rare issue: a ticket expired while the cronjob was renewing it, probably because the validity check is exactly one hour in the future (the same as the cronjob period).
source:nethserver-samba|/root/usr/libexec/nethserver/smbads@62880c9527#L345
Consider the minute-second values in the timestamps below.
I got this message from the hourly cronjob:
```
From: root@nsrv2.ads1.tld (Cron Daemon)
To: root@nsrv2.ads1.tld
Subject: Cron <root@nsrv2> run-parts /etc/cron.hourly
Date: Wed, 12 Jun 2013 11:01:03 +0200 (CEST)

/etc/cron.hourly/smbads_tgt: kinit: Ticket expired while renewing credentials
```
In /var/log/cron:
```
Jun 12 10:01:01 nsrv2 CROND[30833]: (root) CMD (run-parts /etc/cron.hourly)
Jun 12 10:01:01 nsrv2 run-parts(/etc/cron.hourly)[30833]: starting 0anacron
Jun 12 10:01:01 nsrv2 run-parts(/etc/cron.hourly)[30842]: finished 0anacron
Jun 12 10:01:01 nsrv2 run-parts(/etc/cron.hourly)[30833]: starting smbads_tgt
Jun 12 10:01:01 nsrv2 run-parts(/etc/cron.hourly)[30849]: finished smbads_tgt
Jun 12 11:01:01 nsrv2 CROND[30853]: (root) CMD (run-parts /etc/cron.hourly)
Jun 12 11:01:01 nsrv2 run-parts(/etc/cron.hourly)[30853]: starting 0anacron
Jun 12 11:01:01 nsrv2 run-parts(/etc/cron.hourly)[30862]: finished 0anacron
Jun 12 11:01:01 nsrv2 run-parts(/etc/cron.hourly)[30853]: starting smbads_tgt
Jun 12 11:01:02 nsrv2 run-parts(/etc/cron.hourly)[30872]: finished smbads_tgt
```
The kerberos ticket cache that caused the failure:
```
Ticket cache: FILE:/tmp/krb5cc_89
Default principal: NSRV2$@ADS1.TLD
Valid starting     Expires            Service principal
06/12/13 01:01:03  06/12/13 11:01:03  krbtgt/ADS1.TLD@ADS1.TLD
        renew until 06/19/13 01:01:03
```
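To make the timing problem in this comment concrete, here is an added Python example (not the project's own smbads script) of the deadline check the hourly job has to make. It parses the krbtgt entry from a constructed klist dump with the same timestamps as the failing cache, then decides whether to do nothing, renew, or re-initialise from the keytab. The function names `parse_tgt`, `tgt_status` and `at`, the fixed one-hour period and the 5% default tolerance are this example's own assumptions; the point it shows is that with a bare one-hour look-ahead the 10:01 run skips a ticket that expires at 11:01:03, leaving the 11:01 run to race against expiry, while a padded look-ahead renews it an hour earlier.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not a real capture), laid out the way klist prints a
# renewable TGT, using the timestamps from the failing cache in this comment.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_89
Default principal: NSRV2$@ADS1.TLD
Valid starting     Expires            Service principal
06/12/13 01:01:03  06/12/13 11:01:03  krbtgt/ADS1.TLD@ADS1.TLD
        renew until 06/19/13 01:01:03
"""

TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"   # klist's default mm/dd/yy HH:MM:SS
TS_FMT = "%m/%d/%y %H:%M:%S"
PERIOD = timedelta(hours=1)                    # the cron.hourly interval (assumed)


def at(ts):
    """Parse a klist-style timestamp into a datetime (helper for callers)."""
    return datetime.strptime(ts, TS_FMT)


def parse_tgt(klist_text):
    """Return (expires, renew_until) of the krbtgt entry in a klist dump."""
    m = re.search(rf"({TS})\s+({TS})\s+krbtgt/\S+\s+renew until ({TS})", klist_text)
    if m is None:
        raise ValueError("no renewable krbtgt entry in klist output")
    return at(m.group(2)), at(m.group(3))


def tgt_status(expires, renew_until, now, tolerance=0.05):
    """Decide what the hourly job should do at time `now`.

    "reinit": the ticket, or its renewable lifetime, is already gone, so a
              `kinit -R` cannot succeed and a fresh `kinit -k` is required.
    "renew":  the ticket would not outlive the next run (plus tolerance).
    "ok":     nothing to do this hour.
    """
    if now >= expires or now >= renew_until:
        return "reinit"
    # Look one cron period ahead, padded by `tolerance`, so a ticket that
    # expires only seconds after the next run is renewed now rather than then.
    deadline = now + PERIOD * (1 + tolerance)
    return "renew" if expires <= deadline else "ok"


if __name__ == "__main__":
    expires, renew_until = parse_tgt(KLIST_OUTPUT)
    for t in ("06/12/13 10:01:01", "06/12/13 11:01:01"):
        print(t, "tolerance=0  ->", tgt_status(expires, renew_until, at(t), tolerance=0))
        print(t, "tolerance=5% ->", tgt_status(expires, renew_until, at(t)))
```

Run stand-alone, the script reports `ok` for the 10:01 run with no tolerance and `renew` for the same run with 5% tolerance; the `reinit` branch covers the case the cron mail shows, where renewal is attempted after the ticket has already lapsed.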
#8 Updated by Davide Principi about 8 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 70
Added a 5% tolerance to the renewal period in commit:01519ec8
#9 Updated by Davide Principi about 8 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 70 to 80
In nethserver-testing: nethserver-samba-1.3.3-1.ns6.noarch.rpm
#10 Updated by Giacomo Sanchietti about 8 years ago
- Assignee set to Giacomo Sanchietti
#11 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 80 to 100
Join is OK:
```
[root@test dovecot]# net -k ads testjoin
Join is OK
[root@test dovecot]# klist -c /tmp/krb5cc_89
Ticket cache: FILE:/tmp/krb5cc_89
Default principal: TEST$@ADS1.TLD
Valid starting     Expires            Service principal
07/24/13 13:32:12  07/24/13 23:32:21  krbtgt/ADS1.TLD@ADS1.TLD
        renew until 07/31/13 13:32:12
[root@test dovecot]# klist -c /tmp/krb5cc_97
Ticket cache: FILE:/tmp/krb5cc_97
Default principal: TEST$@ADS1.TLD
Valid starting     Expires            Service principal
07/24/13 13:32:11  07/24/13 23:32:20  krbtgt/ADS1.TLD@ADS1.TLD
        renew until 07/31/13 13:32:11
```
Marking VERIFIED
#12 Updated by Davide Principi about 8 years ago
- Status changed from VERIFIED to CLOSED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 90 to 100
Moved to nethserver-updates repository