[tech] Active Directory migration status

Mon Feb 27 12:29:32 AWST 2017

TLDR: more work to be done.

Thanks to [*OX], [JVB], [TPG] and [BOB], we got a test environment for the 
migration from LDAP + NT Domain to Active Directory up and running.

This took a while. Some notes as follows:

I abused the current LDAP setup somewhat; there is now another entry for a 
classic domain called UCCDOMAYNE, which happens to have the same SID as 
the production domain UCCDOMAIN. This allows for a test setup using live 
data initially.

We initially started with a FreeBSD VM, in order to closely mimic the 
current setup with the domain controller on Molmol. This caused a lot of 
problems; the binary packages for Samba 4.4 on FreeBSD crash with a 
segmentation fault when trying to provision a new domain. We spent a 
couple of hours working out whether there was some problem with our data 
affecting the upgrade process, but then I discovered that even a 
clean-slate provision operation segfaults! I've reported this upstream 
[1].

We decided to move to a Debian VM (samson.ucc) running testing for two 
reasons: the segfault above, and also the guidance from Samba[2] 
suggesting that running a fileserver on the DC is unwise.

Using Samba 4.5.4-Debian, the migration process was a lot smoother and we 
have a running test domain (UCCDOMAYNE / adtest.ucc.gu.uwa.edu.au). 
Windows computers are able to join the domain and logons work; 
interestingly, users are still pointed at Molmol home directories and 
Windows tries to use the same password, which works!

Getting the Linux machines on the domain is proving trickier. Although the 
upgrade process cleanly migrates the users and groups, including home 
directory and shell data, exposing that data to NSS and PAM on Linux is 
proving a bit tricky. We have Winbind working, but it requires a lot of 
annoying setup on local machines and doesn't appear to allow users to have 
a GID of 0. Other options include using nss-pam-ldapd backed by Kerberos, 
which I have not managed to get working yet.

[TPG] managed to separate the handling of MIFARE cards from LDAP, instead 
storing them in the dispense database. This led to problems, although I 
don't know what they were; perhaps he can comment.

There is no adduser capabiility yet. I was hoping we could just use the 
standard Active Directory tools, but that doesn't seem to allocate a Unix 
user ID or shell, so we probably have to stick to a custom script for now.

Some bright spark - I hope it wasn't me - has previously set the winadmin 
group to have the same Windows security ID as the Domain Controllers 
group (using net groupmap in our current live system). We need to change 
this.

Password changing has not been tested.

RADIUS has not been tested (required for VPN and wireless).

Webmail has not been tested.

Proxmox has been tested, and [BOB] tells me that it works.

David Adam
zanchey at ucc.gu.uwa.edu.au

[1]: https://lists.freebsd.org/pipermail/freebsd-questions/2017-February/276273.html
[2]: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server