[tech] Active Directory migration status

David Adam zanchey at ucc.gu.uwa.edu.au
Fri May 19 23:24:29 AWST 2017


On Mon, 27 Feb 2017, David Adam wrote:
> Using Samba 4.5.4-Debian, the migration process was a lot smoother and we 
> have a running test domain (UCCDOMAYNE / adtest.ucc.gu.uwa.edu.au). 
> Windows computers are able to join the domain and logons work; 
> interestingly, users are still pointed at Molmol home directories and 
> Windows tries to use the same password, which works!

Tonight I reset the test domain and re-migrated it. Any machines that have 
been joined to the test domain will need to be rejoined (catfish is the 
only production machine that I'm aware of). There is a new administrator 
password, which is in uccpass (UCC/adtest) for Wheel members.

> Getting the Linux machines on the domain is proving trickier. Although the 
> upgrade process cleanly migrates the users and groups, including home 
> directory and shell data, exposing that data to NSS and PAM on Linux is 
> proving a bit tricky. We have Winbind working, but it requires a lot of 
> annoying setup on local machines and doesn't appear to allow users to have 
> a GID of 0. Other options include using nss-pam-ldapd backed by Kerberos, 
> which I have not managed to get working yet.

Neither winbindd nor SSSD support groups with a group ID of 0, so if we 
end up using either of those solutions then we will need to move the Wheel 
group to a new GID. This is not all that painful, but will require 
rewriting the group of most of the files in /home, /away and some in 
/services. It also has the benefit of making Apache suexec work out of the 
box - the fact that we've been having to patch that for years should 
probably encourage a move away from wheel group having GID 0.

Using nss-pam-ldapd seems like a world of pain; the basic problem is that 
all authentication attempts need to be themselves authenticated. 
Samba-joined machines have a machine account which is used as a Kerberos 
identity; getting this out of the Samba keystore and into a keytab which 
can be owned by the nslcd process has not been trivial.

[DAA]