ad.k-space.ee does not exist anymore. It was replaced by auth2.k-space.ee (passmower).
Decommission notes:
Nextcloud LDAP users were converted to local users with the OIDC social login plugin (previously in use). user_oidc could have been used, but the day has come to an end; no real point in migrating to user_oidc.
NAS - No function with domain
Windows - only a few users, transitioning to local accounts
VPN - Certidude is long dead, and VPN stack will be replaced anyway.
Computers
- windows-admin - migrate accounts to local? can keep passwd or not?
- NAS - last checkin 14.09.2023, last logon/auth 15.09.2023, likely online
- dev.k-space.ee - last 13.08.2023; machine does not check in to LDAP; login broken on the machine, probably lauri-only access and use
- ca5 - last 17.07.2021
- DESKTOP-4R02SRQ - last 04.12.2020
Users
- Nextcloud - uses auth2 to link to ldap users, last used today
- Certidude - down/deprecated, but without replacement, last use 24.08.2023
- Bitwarden - it used to be a thing, where were the passwords migrated to? last used 27.12.2020
- Proxmox Hypervisor - auth2, never used
- Vault - no idea, last used 24.12.2020
- Git - auth2, account last used 29.07.2023
- Freescout - last logon 20.07.2023
- Harbora - auth2, account last used 09.12.2021
- Wiki - auth2, account last used 28.07.2023
- Authelia - deprecated, last used 23.07.2023
We use Samba as our directory service for multiple services. Samba provides a Microsoft Active Directory (AD) compatible setup. The members site provisions user accounts automatically in Samba, filling in the desired username, e-mail and telephone number.
AD makes heavy use of the Kerberos protocol. To install the Kerberos client utilities:
sudo apt install krb5-user smbclient ldap-utils libsasl2-modules-gssapi-heimdal
Likely you're not using Kerberos for anything else, so you can simply overwrite the client configuration:
cat | sudo tee /etc/krb5.conf << EOF
[libdefaults]
default_realm = AD.K-SPACE.EE
rdns = false
[realms]
AD.K-SPACE.EE = {
kdc = 172.21.39.1
kdc = 172.21.39.2
kdc = 172.21.39.3
default_domain = ad.k-space.ee
}
EOF
To authenticate against one of the domain controllers (this obtains a ticket-granting ticket for the realm):
kinit lauri@AD.K-SPACE.EE
We started with Samba instances running under Overnode/Docker, but it is now back to running on traditional VMs in Proxmox with local storage, for several reasons: AD implements its own replication mechanism (based on LDAP object timestamps), it binds to numerous privileged ports, and it runs as root.
The very first domain controller was deployed with approximately the following commands (the value passed to --adminpass is the domain administrator password; treat it as a secret and rotate it after provisioning rather than leaving the value from this page in use):
samba-tool domain provision \
--option="dns forwarder = 8.8.8.8 1.1.1.1" \
--option="disable netbios = yes" \
--server-role=dc \
--dns-backend=SAMBA_INTERNAL \
--realm=AD.K-SPACE.EE \
--domain=AD \
--adminpass=S4l4k4l4
# Create reverse DNS zones
kinit administrator@AD.K-SPACE.EE
samba-tool dns zonecreate -k yes dc1.ad.k-space.ee \
39.21.172.in-addr.arpa
samba-tool dns zonecreate -k yes dc1.ad.k-space.ee \
9.3.0.0.1.2.0.0.2.7.1.0.1.2.0.0.8.0.0.4.8.b.b.0.1.0.0.2.ip6.arpa
# Create the CA keypair used to sign the LDAPS certificates of all domain controllers
openssl req -x509 \
-newkey rsa:4096 \
-keyout cakey.pem \
-days 1825 \
-out ca.pem \
-subj '/CN=Samba at ad.k-space.ee' -nodes
To add or replace a domain controller node in the domain, first authenticate with the domain administrator account via kinit and proceed with:
sudo apt install samba winbind
samba-tool domain join -k yes AD.K-SPACE.EE dc \
--option="dns forwarder = 8.8.8.8 1.1.1.1" \
--option="disable netbios = yes"
Since Samba does not replicate TLS secrets, you must manually use the cakey.pem on one of the existing nodes and issue the following to produce a signed keypair. Replace dc1.ad.k-space.ee with the new node's name wherever it appears:
cat > openssl.cnf << EOF
[ server ]
# X509 extensions for a server
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = @alt_names
[alt_names]
# both names clients connect to must be in the SAN; TLS clients match the SAN, not the CN
DNS.1 = ad.k-space.ee
DNS.2 = dc1.ad.k-space.ee
EOF
openssl req -nodes -new -newkey rsa:2048 \
-out req.pem \
-keyout key.pem \
-subj '/CN=dc1.ad.k-space.ee'
openssl x509 \
-req -sha256 -days 1825 \
-extfile openssl.cnf -extensions server \
-CAcreateserial \
-CA ca.pem \
-CAkey cakey.pem \
-CAserial ca.srl \
-in req.pem \
-out cert.pem
cp ca.pem /var/lib/samba/private/tls/
mv cert.pem /var/lib/samba/private/tls/
mv key.pem /var/lib/samba/private/tls/
chmod 0600 /var/lib/samba/private/tls/key.pem
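A runnable version of the signing step, added here as an example and not the k-space wiki's own commands: it issues a node certificate from the CA with both the balanced name and the node's own name in the subjectAltName, then checks exactly what an LDAPS client checks (chain to ca.pem plus SAN host match), including a negative case for a name that is not in the certificate. It assumes openssl is on PATH and generates a throwaway CA under a scratch directory so it runs stand-alone; on a real DC, point WORK at the directory holding ca.pem and cakey.pem and skip make_ca.

```shell
#!/bin/sh
# Added example, not the k-space wiki's own code. Issues an LDAPS certificate
# for one domain controller from the shared CA and then checks what a TLS
# client actually checks: chain to ca.pem plus a hostname match against the
# SAN, for both the balanced name (ad.k-space.ee) and the node's own name.
# Assumptions: openssl in PATH; a throwaway CA is generated under $WORK so
# this runs stand-alone. On a real DC set WORK to the directory holding
# ca.pem/cakey.pem and do not call make_ca.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA (production: reuse the existing ca.pem / cakey.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
        -keyout "$WORK/cakey.pem" -out "$WORK/ca.pem" \
        -subj '/CN=Samba at ad.k-space.ee' 2>/dev/null
}

# issue_dc_cert <node fqdn> <balanced fqdn>
# Produces $WORK/<node>.key.pem and $WORK/<node>.cert.pem. Both names go into
# subjectAltName; the CN alone is ignored by current TLS clients.
issue_dc_cert() {
    node="$1"; balanced="$2"
    cat > "$WORK/$node.cnf" << EOF
[ server ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $balanced
DNS.2 = $node
EOF
    openssl req -nodes -new -newkey rsa:2048 -subj "/CN=$node" \
        -keyout "$WORK/$node.key.pem" -out "$WORK/$node.req.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 \
        -extfile "$WORK/$node.cnf" -extensions server \
        -CA "$WORK/ca.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -in "$WORK/$node.req.pem" -out "$WORK/$node.cert.pem" 2>/dev/null
    chmod 0600 "$WORK/$node.key.pem"
}

# cert_accepts_host <cert> <hostname>
# 0 when the cert chains to $WORK/ca.pem AND its SAN covers <hostname>
# (the two checks ldapsearch / openssl s_client perform), 1 otherwise.
cert_accepts_host() {
    cert="$1"; host="$2"
    openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 || return 1
    # -checkhost prints "does match" / "does NOT match" and always exits 0
    openssl x509 -noout -checkhost "$host" -in "$cert" | grep -q 'does match'
}

# Demo run: issue for dc1 and show which names a client will accept.
make_ca
issue_dc_cert dc1.ad.k-space.ee ad.k-space.ee
for h in dc1.ad.k-space.ee ad.k-space.ee dc2.ad.k-space.ee; do
    if cert_accepts_host "$WORK/dc1.ad.k-space.ee.cert.pem" "$h"; then
        echo "$h: accepted"
    else
        echo "$h: rejected"
    fi
done
```

The negative case matters for this page: a certificate whose SAN carries only ad.k-space.ee is rejected when a client connects to ldaps://dc1.ad.k-space.ee, which is exactly how the LDAPS test further down is written.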
Finally, to start the AD DC service at VM boot. The stand-alone smbd, nmbd and winbind units must not run alongside samba-ad-dc, which starts those daemons itself, so they stay masked:
systemctl mask smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl stop smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
Enable unattended upgrades with automatic reboot:
cat > /etc/apt/apt.conf.d/99auto-reboot << EOF
Unattended-Upgrade::Automatic-Reboot "true";
EOF
echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
dpkg-reconfigure -f noninteractive unattended-upgrades
When a user is provisioned from the members site, the following attributes are copied:
WIP: When tier is upgraded/downgraded
When users are listed on the members page:
When the password is reset at authelia.k-space.ee:
The Lightweight Directory Access Protocol (LDAP) is used to access accounts on Samba/AD.
The DNS name to access the deployment is ad.k-space.ee, which provides redundancy as it is balanced over three replicas:
It is located in the infra VLAN (21) and is reachable from the Zoo VLAN and over VPN.
Make sure the machine uses AD for DNS, so that /etc/resolv.conf points to:
nameserver 172.21.39.1
nameserver 172.21.39.2
nameserver 172.21.39.3
In the service configure:
Note that the TLS configuration is pulled from /etc/ldap/ldap.conf, and some libraries default to reading the LDAP server URI from ldap.conf as well.
To make LDAPS usable you need to supply the CA certificate (the ca.pem created when the domain was provisioned):
cat | sudo tee /etc/ldap/ldap.conf << EOF
BASE ou=Membership,dc=ad,dc=k-space,dc=ee
URI ldap://ad.k-space.ee
TLS_CACERT /etc/ldap/ad.pem
EOF
cat | sudo tee /etc/ldap/ad.pem << EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
To test LDAPS with a simple bind (-x: username and password, no SASL; the password is sent inside the bind, so only ever do this over ldaps:// or with StartTLS via -ZZ):
ldapsearch -H ldaps://dc1.ad.k-space.ee -D lauri@AD.K-SPACE.EE -W -x -b dc=AD,dc=K-SPACE,dc=EE
Note this CA certificate expires Dec 13 07:28:51 2026, at which point it must be swapped out on all nodes; every node certificate chained to it stops validating at that moment regardless of its own expiry date.
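A health check for the client-side trust anchor, added here as an example and not the k-space wiki's own code: it reads TLS_CACERT and URI from an ldap.conf shaped like the one above, confirms the CA file parses, refuses plain ldap:// URIs, and fails when the CA expires inside a warning window, so a cron job catches the Dec 2026 expiry before logins break. It assumes openssl is on PATH; all paths are parameters, and make_sample builds a constructed scratch ldap.conf with a throwaway 10-day CA standing in for /etc/ldap/ad.pem, so the demo runs stand-alone.

```shell
#!/bin/sh
# Added example, not the k-space wiki's own code: a health check for the LDAP
# client trust anchor configured in ldap.conf. Assumptions: openssl in PATH;
# paths are parameters; make_sample creates a constructed fixture (not a real
# k-space file) for the demo run at the bottom.
set -eu

# tls_cacert_from <ldap.conf>: print the TLS_CACERT path (keyword matched
# case-insensitively, as ldap.conf allows; the last occurrence wins).
tls_cacert_from() {
    awk 'toupper($1) == "TLS_CACERT" { path = $2 } END { if (path != "") print path }' "$1"
}

# uri_requires_tls <ldap.conf>: 0 only if every URI listed is ldaps://.
# (StartTLS via ldapsearch -ZZ on ldap:// is also safe, but this is the strict
# policy: never let a simple bind default to cleartext.)
uri_requires_tls() {
    awk 'toupper($1) == "URI" { for (i = 2; i <= NF; i++) { seen = 1; if ($i !~ /^ldaps:\/\//) bad = 1 } }
         END { exit ((seen && !bad) ? 0 : 1) }' "$1"
}

# ca_check <ldap.conf> <warn_days>
# 0 when TLS_CACERT is set, readable, a parseable certificate and still valid
# <warn_days> from now; 1 otherwise, with the reason on stderr.
ca_check() {
    conf="$1"; warn_days="$2"
    [ -r "$conf" ] || { echo "$conf not readable" >&2; return 1; }
    ca="$(tls_cacert_from "$conf")"
    [ -n "$ca" ] || { echo "no TLS_CACERT in $conf" >&2; return 1; }
    [ -r "$ca" ] || { echo "$ca not readable" >&2; return 1; }
    openssl x509 -noout -in "$ca" 2>/dev/null || { echo "$ca is not a PEM certificate" >&2; return 1; }
    # -checkend N exits 0 if the certificate is still valid N seconds from now.
    if ! openssl x509 -noout -checkend "$((warn_days * 86400))" -in "$ca" >/dev/null; then
        echo "$ca expires within $warn_days days: $(openssl x509 -noout -enddate -in "$ca")" >&2
        return 1
    fi
}

# make_sample <dir> <uri>: constructed fixture: a self-signed CA valid for
# 10 days standing in for /etc/ldap/ad.pem, plus an ldap.conf like the one
# on this page but with the given URI.
make_sample() {
    dir="$1"; uri="$2"
    [ -f "$dir/ad.pem" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -keyout "$dir/ad.key" -out "$dir/ad.pem" \
        -subj '/CN=Samba at ad.k-space.ee' 2>/dev/null
    printf 'BASE ou=Membership,dc=ad,dc=k-space,dc=ee\nURI %s\nTLS_CACERT %s/ad.pem\n' \
        "$uri" "$dir" > "$dir/ldap.conf"
}

# Demo against the fixture. On a real host run:
#   ca_check /etc/ldap/ldap.conf 30 && uri_requires_tls /etc/ldap/ldap.conf
WORK="$(mktemp -d)"
make_sample "$WORK" 'ldap://ad.k-space.ee'
ca_check "$WORK/ldap.conf" 5 && echo "CA valid for at least 5 more days"
ca_check "$WORK/ldap.conf" 30 || echo "30-day warning tripped (expected: fixture CA lives 10 days)"
uri_requires_tls "$WORK/ldap.conf" || echo "URI is plain ldap://; use ldaps:// or ldapsearch -ZZ"
```

Run ca_check from cron with a window of 30 to 60 days against /etc/ldap/ldap.conf on every LDAP client, and the same way against /var/lib/samba/private/tls/ca.pem on the domain controllers, so the swap-out is scheduled rather than forced.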