Active Directory infrastructure

General notes

  • Two domain controllers -- turing-1.math.ucsb.edu (128.111.88.14) and turing-2.math.ucsb.edu (128.111.88.15)
  • Hosts seeking to authenticate must use these two as their DNS servers
  • SysVol replication is one-way, so group policy changes must be made on turing-1
    • Replication happens every five minutes
  • We are using the idmap ad backend, so all users and groups that need to be visible from UNIX need to have uidNumber or gidNumber set.

Useful web references

  • Installation guide for Windows administration tools (group policy, etc)
  • Ubuntu Active Directory Domain Controller installation guide -- nicely complete and detailed
  • Samba wiki information
  • Roaming user profiles
  • Folder redirection
  • Backup and restore
    • The easiest way to recover from a dead domain controller is probably to do a fresh install, then join the remaining DC and allow replication to happen.
      • SysVol will have to be dealt with manually -- it has one-way replication with rsync.
    • If both controllers are dead, the Bacula backup for turing-1 will have online domain backups in /var/lib/samba/backup/. These are self-contained bundles (including SysVol) that can be used to initialize a new DC. They're also useful in the event the Active Directory becomes corrupt, since you can "go back in time" to a previous one.

Domain joining and authentication

Prerequisites

  • DNS servers must be set to 128.111.88.14 and 128.111.88.15.
  • (Recommended) NTP sync should be set up with 128.111.88.14 and 128.111.88.15. Otherwise clock drift may cause authentication failures.

Joining the domain

macOS

  • Managed workstations can be automatically joined by adding them to the "Active Directory clients" device group in Profile Manager.
  • To manually join, open Users & Groups, unlock, click "Login Options", then click "Join".

Linux

Authentication

Kerberos

If only authentication is needed (not authorization), the Active Directory domain can be treated as an ordinary Kerberos realm. This is useful when you want a Linux server to share the domain's passwords but want to control who may log in with the local /etc/passwd file, so that only accounts listed there can log in. It is not necessary to install Samba or join the domain for this to function.

The Kerberos configuration in /etc/krb5.conf is very simple:

    [libdefaults]
       default_realm = MATH.UCSB.EDU
       dns_lookup_realm = false
       dns_lookup_kdc = true

TODO: pam configuration example.

Winbind

Winbind is useful if you want all domain users to be authorized. A server authenticating via winbind needs to be a full domain member.

TODO: Winbind configuration example.

User management

Adding a user

  1. Log in to a domain member computer using an account with Domain Admin privileges, and open Active Directory Users and Computers.
  2. Create a new user object in the Users container.
  3. After setting the user's basic info, right-click the user and choose Properties. Set the following:
    1. Group membership ("Member Of"): For a typical lab user this should be Domain Users and Roaming Profile Users.
    2. Profile: Select "Connect", drive H:, to "\\zeta.math.ucsb.edu\UserHome\" followed by the username.
    3. Attribute Editor: Set "uidNumber" to the next available UNIX user ID. This unfortunately has to be tracked by hand. Run "getent passwd" on zeta (or any other Linux domain member) to list the existing accounts, find the highest uidNumber, and add one. Double-check your new value with "getent passwd" followed by the new number, just to make sure it isn't already taken. Domain member UIDs start at 100000.
  4. Windows will create the home directory for you, but unfortunately it will create it with the wrong ownership. Browse to \\zeta.math.ucsb.edu\UserHome\username, click Security, Advanced, then across from "Owner" click "Change." Set the new user as the folder's owner.

That's it. The user should be able to log in and have their various folders (Desktop, Documents, Downloads, etc.) redirected to their home directory.
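The uidNumber bookkeeping in step 3 of the procedure above is the error-prone part, so here is a small helper that does it the same way the text describes. This is an added example, not part of the original page or of the department's tooling: it parses passwd-format output such as "getent passwd" produces (a constructed sample is embedded so it runs offline; account names in the sample follow the "MATH\user" form used elsewhere on this page), takes the highest domain uid at or above 100000 and adds one, and then confirms the candidate is not already in use before you type it into Attribute Editor.

```python
"""Find the next free uidNumber for a new domain user (added example)."""
import subprocess

DOMAIN_UID_FLOOR = 100000  # per the procedure above: domain member UIDs start at 100000

# Constructed sample of `getent passwd` output: a few local accounts plus
# domain accounts as winbind presents them (NetBIOS domain name prefix).
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice (local):/home/alice:/bin/bash
MATH\\brodbeck:*:100001:100000:Brodbeck:/home/MATH/brodbeck:/bin/bash
MATH\\gauss:*:100007:100000:Gauss:/home/MATH/gauss:/bin/bash
MATH\\noether:*:100003:100000:Noether:/home/MATH/noether:/bin/bash
"""


def parse_uids(getent_output):
    """Return a dict of uid -> account name from passwd-format lines."""
    uids = {}
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        try:
            uids[int(fields[2])] = fields[0]
        except ValueError:
            continue  # third field was not a number
    return uids


def next_free_uid(uids, floor=DOMAIN_UID_FLOOR):
    """Highest domain uid in use plus one, or the floor if none exists yet."""
    domain_uids = [u for u in uids if u >= floor]
    return max(domain_uids) + 1 if domain_uids else floor


def uid_is_taken(uids, candidate):
    """Same check as `getent passwd <uid>`: does some account already own it?"""
    return candidate in uids


def live_uids():
    """Read the real table from the running system (needs a domain member)."""
    out = subprocess.run(["getent", "passwd"], capture_output=True,
                         text=True, check=True).stdout
    return parse_uids(out)


if __name__ == "__main__":
    table = parse_uids(SAMPLE_GETENT)   # swap for live_uids() on zeta
    candidate = next_free_uid(table)
    print("next free uidNumber:", candidate)
    print("already taken?", uid_is_taken(table, candidate))
```

Taking the highest uid plus one, rather than the lowest gap, is the right choice even though it leaves holes: a uid freed by a deleted account may still own files on the export, and assigning it to a new user would silently hand that data to them.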

Quota management

Users are automatically assigned the default quota (currently 20 GiB). Samba is quota-aware and will reflect this when showing the disk space available.

Making exceptions

You can set exceptions for individual users by logging into zeta and using the xfs_quota tool (see "man xfs_quota" for details).

Example: set brodbeck's hard quota limit to 100 GiB:

    sudo xfs_quota -x -c "limit bhard=100G -u MATH\\brodbeck" /export

Changing the default

Same as above, but put "-d" in place of the username.

Quota status

    sudo xfs_quota -x -c "report" /export

Note that the limits shown on the "root" line are actually the default limits: they are enforced on any account whose own limit is "0", but are not enforced on root itself.
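The report's "root" row is easy to misread, so here is an added example (not part of the original page) that applies the rule just stated: it parses the text of the "report" command above, treats the limits on the "root" row as the defaults, gives every account with a limit of 0 that default, never enforces it on root itself, and lists the accounts that are over the limit that would actually apply to them. The sample report is constructed; it assumes xfs_quota's default layout of 1 KiB blocks in the Used/Soft/Hard columns and the "MATH\user" account names used elsewhere on this page.

```python
"""Compute effective XFS hard limits from an xfs_quota report (added example)."""
import re

GIB_IN_KIB = 1024 * 1024  # report values are 1 KiB blocks by default

# Constructed sample of `xfs_quota -x -c report /export`. The root row carries
# the 20 GiB default; brodbeck has a 100 GiB exception; gauss is over the default.
SAMPLE_REPORT = """\
User quota on /export (/dev/sdb1)
                               Blocks
User ID          Used       Soft       Hard    Warn/Grace
---------- --------------------------------------------------
root                0          0   20971520     00 [--------]
MATH\\brodbeck  73400320          0  104857600     00 [--------]
MATH\\gauss     22020096          0          0     00 [--------]
MATH\\noether    1048576          0          0     00 [--------]
"""

# account, used, soft, hard, warn count, then the "[grace]" column
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+\s+\[")


def parse_report(text):
    """Return {account: (used, soft, hard)} in KiB blocks; headers are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1)] = tuple(int(m.group(i)) for i in (2, 3, 4))
    return rows


def effective_hard_limit(rows, account):
    """Hard limit XFS will enforce for `account`; 0 means unlimited."""
    default_hard = rows.get("root", (0, 0, 0))[2]
    if account == "root":
        return 0  # the defaults are displayed on root but not enforced on it
    own_hard = rows[account][2]
    return own_hard if own_hard != 0 else default_hard


def over_quota(rows):
    """Accounts whose usage exceeds the limit that actually applies to them."""
    result = []
    for account, (used, _soft, _hard) in rows.items():
        limit = effective_hard_limit(rows, account)
        if limit and used > limit:
            result.append(account)
    return sorted(result)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)  # swap for the live report output
    for account, (used, _soft, _hard) in rows.items():
        limit = effective_hard_limit(rows, account)
        shown = "none" if not limit else "%.0f GiB" % (limit / GIB_IN_KIB)
        print("%-16s used %6.1f GiB  effective hard limit %s"
              % (account, used / GIB_IN_KIB, shown))
    print("over quota:", over_quota(rows))
```

Run it against real output (for example by piping the report into the script and calling parse_report on stdin) when a user reports "disk full" despite the report showing a 0 limit for them; the 0 means the default applies, not that they are unlimited.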