# Active Directory

## Kerberos Realm and Settings

The AD domain (i.e. the Kerberos realm) is D.PSI.CH, **not** PSI.CH.

The maximum lifetime of a ticket is about a day, and a ticket can be renewed for about a week.

## Domain Controllers

In most networks `d.psi.ch` resolves to the correct names/IPs. One exception is the DMZ.

The domain controllers that are used internally are:

- `dc00`
- `dc01`
- `dc02`

In the DMZ we need to use these instead:

- `rodc00`
- `rodc01`

It is important to note that the SSL certificates for the internal DCs are **not** issued for `dc0n.psi.ch`, but for `dc0n.d.psi.ch` (note the extra `d`). In certain contexts (e.g. in [`sssd.conf(5)`](https://linux.die.net/man/5/sssd.conf)) specifying the DCs as `dc0n.psi.ch` fails, because the certificate does not match that name.

## Linux Computer Objects

Computer objects for Linux systems are created in `OU=linux,OU=servers,OU=psi,DC=d,DC=psi,DC=ch` (servers) or `OU=linux,OU=computers,OU=psi,DC=d,DC=psi,DC=ch` (workstations and consoles).

We perform the join password-less, by pre-creating the computer object using a script running on the Puppet master.

As AD only supports [computer account (NetBIOS) names of at most 15 characters](https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou#netbios-computer-names), it shortens longer hostnames down to their first 15 characters. This is unfortunate, as this name serves as the primary identifier in the AD and therefore has to be unique: two hosts whose names agree in the first 15 characters would collide. To work around this limitation we use a different NetBIOS name, which is less prone to collisions, whenever the hostname is longer than 15 characters ([inspiration](https://www.beyondtrust.com/docs/ad-bridge/how-to/delegate-domain-join-privileges/ad-naming-limitations.htm)). The NetBIOS name we use for these hosts is the first 7 characters of the name, then a `-`, followed by the last 7 characters of the SHA256 hash of the fully qualified domain name (15 characters in total).
To check the NetBIOS name of a given host run

```
klist -t -k /etc/krb5.keytab
```

and look at the first entry. Here for an example with a sufficiently short name:

```
15 07.03.2023 09:23:02 PUPPET01$@D.PSI.CH
```

Here `lx-sysdb-test-00.psi.ch`, which gets a hashed NetBIOS hostname:

```
3 05/12/23 08:39:15 lx-sysd-3563a67$@D.PSI.CH
```

And `merlin-export-01.psi.ch`, which has an automatically shortened NetBIOS name because it was joined before we started to use the hashed NetBIOS hostnames:

```
7 29.10.2019 11:24:04 MERLIN-EXPORT-0$@D.PSI.CH
```
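The following Python script is added here as an illustration; it is not the script that runs on the Puppet master. It computes both the plain AD truncation and the hashed NetBIOS name described above, shows why the hashed form avoids the truncation collision, and checks a `klist -t -k` line against the names a host could have. It assumes details the page does not state: the FQDN is lowercased and hashed as UTF-8, the suffix is taken from the lowercase hex digest, and `puppet01.psi.ch` is the FQDN behind the `PUPPET01$` entry. The sample keytab lines are the ones quoted above; the comparison is case-insensitive because the keytab shows the name in upper case for some hosts and in lower case for others.

```python
import hashlib
import re
from typing import Optional, Tuple

# AD computer account (NetBIOS) names are limited to 15 characters.
NETBIOS_MAX = 15

# One keytab entry as printed by `klist -t -k`: KVNO, date, time, principal.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\$@(\S+)\s*$")


def hostname_of(fqdn: str) -> str:
    """Short hostname (first label) of an FQDN, lowercased, trailing dot removed."""
    return fqdn.strip().lower().rstrip(".").split(".", 1)[0]


def truncated_name(fqdn: str) -> str:
    """What AD does on its own: cut the hostname to its first 15 characters.

    Hosts joined before the hashed scheme was introduced still carry this name.
    """
    return hostname_of(fqdn)[:NETBIOS_MAX]


def netbios_name(fqdn: str) -> str:
    """NetBIOS name used for a Linux computer object.

    Hostnames of up to 15 characters are used unchanged. Longer ones become
    <first 7 chars of hostname>-<last 7 hex digits of SHA-256(fqdn)>, which is
    exactly 15 characters long. Assumption (not stated on the page): the FQDN
    is lowercased and hashed as UTF-8, and the lowercase hex digest is used.
    """
    fqdn = fqdn.strip().lower().rstrip(".")
    hostname = hostname_of(fqdn)
    if len(hostname) <= NETBIOS_MAX:
        return hostname
    digest = hashlib.sha256(fqdn.encode("utf-8")).hexdigest()
    # 7 hex digits = 28 bits: two hosts sharing the same 7-character prefix
    # collide with probability about 2**-28, versus certainty under plain
    # truncation whenever their first 15 characters agree.
    return f"{hostname[:7]}-{digest[-7:]}"


def parse_klist_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (computer name without '$', realm) for a keytab entry, else None."""
    m = KLIST_LINE.match(line)
    if not m:
        return None
    return m.group(4), m.group(5)


def classify_keytab_entry(line: str, fqdn: str) -> Optional[str]:
    """Match the first keytab entry of a host against the names it could have.

    Returns "short" (hostname fits in 15 characters), "hashed" (current scheme),
    "truncated" (joined before hashing was introduced) or None (entry does not
    belong to this host). Comparison is case-insensitive: the keytab shows
    PUPPET01$ in upper case but lx-sysd-3563a67$ in lower case.
    """
    parsed = parse_klist_line(line)
    if parsed is None:
        return None
    name = parsed[0].lower()
    hostname = hostname_of(fqdn)
    if len(hostname) <= NETBIOS_MAX:
        return "short" if name == hostname else None
    if name == netbios_name(fqdn):
        return "hashed"
    if name == truncated_name(fqdn):
        return "truncated"
    return None


if __name__ == "__main__":
    # Constructed sample: the keytab lines quoted on this page, paired with the
    # FQDNs they belong to (puppet01.psi.ch is assumed, the page only shows PUPPET01$).
    samples = [
        ("15 07.03.2023 09:23:02 PUPPET01$@D.PSI.CH", "puppet01.psi.ch"),
        ("3 05/12/23 08:39:15 lx-sysd-3563a67$@D.PSI.CH", "lx-sysdb-test-00.psi.ch"),
        ("7 29.10.2019 11:24:04 MERLIN-EXPORT-0$@D.PSI.CH", "merlin-export-01.psi.ch"),
    ]
    for line, fqdn in samples:
        print(f"{fqdn:26} expected {netbios_name(fqdn):16} "
              f"legacy {truncated_name(fqdn):16} keytab -> {classify_keytab_entry(line, fqdn)}")
```

If `classify_keytab_entry` returns `None` for a host whose keytab looks otherwise sane, the hash input used by the script differs from the assumption above (for example a different case or a trailing dot), or the keytab belongs to a computer object created under another name; in both cases compare the keytab principal with the `sAMAccountName` of the computer object in AD before re-joining.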