Active Directory
Kerberos Realm and Settings
The AD domain (i.e. the Kerberos realm) is D.PSI.CH, not PSI.CH. The maximum lifetime of a ticket is about a day, and a ticket can be renewed for about a week.
Domain Controllers
In most networks d.psi.ch resolves to the correct
names/IPs. One exception is the DMZ.
The domain controllers that are used internally are:
- dc00
- dc01
- dc02
In the DMZ we need to use these instead:
- rodc00
- rodc01
It is important to note that the SSL certificates for the internal
DCs are not issued for dc0n.psi.ch, but for
dc0n.d.psi.ch (note the extra d). In certain contexts (e.g. in sssd.conf(5)) specifying
the DCs as dc0n.psi.ch fails because the TLS hostname check against the certificate does not match.
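As an added illustration (not a configuration taken from this page or from the PSI Puppet code), the following sssd.conf fragment shows the DC names in the form the section above requires, with the failing dc0n.psi.ch form left in as a commented-out counterexample. The id_provider = ad layout and the ticket-lifetime options are assumptions about how the client is set up.

```ini
# Example sssd.conf fragment (added here; not the page's own configuration).
# Assumed: the AD provider (id_provider = ad) with a domain section named after
# the AD domain. Only the options relevant to this page are shown.
[sssd]
config_file_version = 2
services = nss, pam
domains = d.psi.ch

[domain/d.psi.ch]
id_provider = ad
access_provider = ad
ad_domain = d.psi.ch
# The realm is the AD domain, D.PSI.CH, not PSI.CH.
krb5_realm = D.PSI.CH

# When ad_server is omitted, SSSD discovers the DCs through DNS SRV lookups
# for d.psi.ch; the page says this works in most networks, but not in the DMZ.
# Inside the internal network, pin the DCs with the d.psi.ch suffix, which is
# the name their certificates are issued for:
ad_server = dc00.d.psi.ch, dc01.d.psi.ch, dc02.d.psi.ch

# WRONG: the certificate is for dc00.d.psi.ch, so the TLS hostname check fails:
#ad_server = dc00.psi.ch, dc01.psi.ch, dc02.psi.ch

# In the DMZ use the read-only DCs instead:
#ad_server = rodc00.d.psi.ch, rodc01.d.psi.ch

# Requested ticket lifetimes, matching the values stated on this page. The KDC
# caps requests that exceed the domain policy, so asking for more is harmless.
krb5_lifetime = 1d
krb5_renewable_lifetime = 7d
```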
Linux Computer Objects
Computer objects for Linux systems are created in
OU=linux,OU=computers,OU=psi,DC=d,DC=psi,DC=ch. We do not
distinguish between servers and workstations in AD (unlike the Windows
team), as the distinction isn't clear and it wouldn't help us anyway (as
we don't use AD group policies).
We perform the join password-less, by pre-creating the computer object using a script running on the Puppet master.