We want redundant storage for our couple of hundred Linux PCs.
This is the environment: an open (as in: not firewalled) network. About 15,007 Windows PCs, and we expect to have as many virtual Windows workplaces in the near future. Around 50,000 accounts. Two dozen terabytes of data. Hundreds of servers for all kinds of purposes and with various OSes. Many more Linux nodes in compute clusters.
Instead of maintaining a shadow infrastructure for Linux, we want to use a common infrastructure with Windows. This article is about using AD authentication (in this case LDAP and Kerberos) on Debian and/or Ubuntu Linux. It is also about setting up redundant storage that is accessible from Linux, Windows and other platforms.
For Linux hosts, we are currently still using an NFS4 server with Kerberos, as described in my NFS4-HOWTO. That old HOWTO may still be interesting if you want to run your own Kerberos server before trying to use AD, or if the explanations here are too brief.
Table 1. Relevant Hosts
hostname | IP number | function |
---|---|---|
wspace.mydomain.com | 192.168.85.0/24 | the domain the AD servers sit in |
wspace.mydomain.com | 192.168.85.? | round-robin (?) DNS name for all AD servers |
adsvr01.wspace.mydomain.com | 192.168.85.3 | a Windows 2008R2 AD server |
adsvr02.wspace.mydomain.com | 192.168.85.1 | a Windows 2008R2 AD server |
adsvr03.wspace.mydomain.com | 192.168.85.2 | a Windows 2008R2 AD server |
adsvr04.wspace.mydomain.com | 192.168.85.4 | a Windows 2008R2 AD server |
srv25.srvlan.mydomain.com | 192.168.63.120 | a rack-mounted test server serving storage, runs Debian Squeeze |
clnt-3-53.ict.mydomain.com | 192.168.3.53 | a PC posing as a Linux client for the storage, runs Ubuntu Precise |
nfsserv-pc.ict.mydomain.com | 192.168.3.163 | a PC acting as an NFS server, runs Ubuntu Precise |
Table 2. Relevant AD Accounts
username | permission description | function |
---|---|---|
ENUMuser | read only | look up users, groups, machines |
unixJOINer | edit machines | join machines to domain |
All computer objects in the LDAP tree are created by the unixJOINer account through commands issued from Linux, in the unit OU=Extra Workstations (see below for its DN). To do that, the account needs the following permissions on the OU:

- Create Computer Objects
- Delete Computer Objects
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service principal name
If your setup doesn't permit an account with these permissions, you can also add machines to the domain from within the AD server, see this TechNet blog by Jose Barreto.
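Before the first join attempt from Linux, it is worth checking on the Windows side that the join account really holds the permissions listed above on the OU, rather than discovering a missing ACE from a cryptic join error. The following PowerShell is an added example, not part of the original article: it reads the OU's ACL through the AD: PSDrive of the ActiveDirectory module and resolves the object-type GUIDs so that the extended rights (Change Password, Reset Password) and the validated writes (DNS host name, service principal name) appear by name. The DN of the OU and the NetBIOS domain name are assumptions; substitute the values your AD admin gives you.

```powershell
# Added example (not from the original article): audit which ACEs the join
# account holds on the OU where Linux machines create their computer objects.
# Assumptions: the ActiveDirectory module (RSAT) is installed, the OU's DN is
# "OU=Extra Workstations,DC=wspace,DC=mydomain,DC=com" (guessed from the domain
# name wspace.mydomain.com) and the NetBIOS domain name is WSPACE.
Import-Module ActiveDirectory

$ouDn   = 'OU=Extra Workstations,DC=wspace,DC=mydomain,DC=com'   # assumed DN
$joiner = 'WSPACE\unixJOINer'                                    # assumed NetBIOS name

# The security descriptor of any AD object is reachable via the AD: PSDrive.
$acl = Get-Acl -Path ("AD:\" + $ouDn)

# Build a GUID -> name map from the schema (attribute/class GUIDs) and from the
# Extended-Rights container (control access rights and validated writes), so the
# ObjectType column is readable instead of a raw GUID.
$rootDse   = Get-ADRootDSE
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
             -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-TypeGuid([guid]$g) {
    # An empty GUID means the ACE applies to all object types / attributes.
    if ($g -eq [guid]::Empty) { 'all' } elseif ($guidNames.ContainsKey($g)) { $guidNames[$g] } else { $g.ToString() }
}

# Only the ACEs granted to the join account; validated writes show up as the
# "Self" right with the matching Extended-Rights entry as ObjectType.
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $joiner } |
    Select-Object AccessControlType,
                  ActiveDirectoryRights,
                  @{ n = 'ObjectType';          e = { Resolve-TypeGuid $_.ObjectType } },
                  @{ n = 'InheritedObjectType'; e = { Resolve-TypeGuid $_.InheritedObjectType } },
                  IsInherited |
    Format-Table -AutoSize
```

Run it as a user who can read the OU's security descriptor (the Domain User permissions described below for the ENUMuser account are enough for reading). Compare the rows against the list above: CreateChild/DeleteChild scoped to the computer class, GenericRead/GenericWrite (or ReadProperty/WriteProperty), ReadControl and WriteDacl, the two ExtendedRight entries for password changes, and two Self entries for the validated writes.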
The ENUMuser account has the permissions of a Domain User, i.e. on Supplemental Workstations it has list and read permissions.
Note: There is one more ingredient to these experiments, of paramount importance: a friendly AD admin, or a couple of them, who will deal out accounts, tell you DNs, Wireshark around, and generally cooperate. Without one, don't even try.