==================
Active Directory
==================

Kerberos Realm and Settings
---------------------------

The AD domain (i.e. the Kerberos realm) is D.PSI.CH, **not** PSI.CH. The maximum
lifetime of a ticket is about a day, and a ticket can be renewed for about a
week.

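As an added illustration (not PSI's own configuration), here is a ``krb5.conf``
fragment for a client of this realm. The realm name comes from the text above;
the lifetimes, the DNS SRV lookup and the domain-to-realm mappings are
assumptions, and the AD side caps whatever lifetime the client requests:

```ini
; krb5.conf fragment (added example, not PSI's own file).
; The realm name is taken from the documentation above; the lifetime values
; are assumed to match the "about a day" / "about a week" figures and are
; only requests, the KDC policy decides what is actually granted.
[libdefaults]
    default_realm = D.PSI.CH
    ; WRONG: PSI.CH is the DNS parent, not the Kerberos realm.
    ; default_realm = PSI.CH
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

; Map both the d.psi.ch and psi.ch host names onto the one realm (assumed
; mapping; hosts outside d.psi.ch that are not AD members would need their
; own entry).
[domain_realm]
    .d.psi.ch = D.PSI.CH
    d.psi.ch = D.PSI.CH
    .psi.ch = D.PSI.CH
    psi.ch = D.PSI.CH
```

After ``kinit user@D.PSI.CH``, ``klist`` prints the ticket's ``Expires`` and
``renew until`` times; comparing them against the values requested here is the
quickest way to confirm the lifetime and renewal window the realm actually
grants. With ``dns_lookup_kdc`` the KDCs are found via SRV records under
``d.psi.ch``, which is why the DMZ (see below) needs the read-only DCs named
explicitly instead.
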
Domain Controllers
------------------

In most networks ``d.psi.ch`` resolves to the correct names/IPs. One exception
is the DMZ.

The domain controllers that are used internally are:

- dc00
- dc01
- dc02

In the DMZ we need to use these instead:

- rodc00
- rodc01

It is important to note that the SSL certificates for the internal DCs are
**not** issued for ``dc0n.psi.ch`` but for ``dc0n.d.psi.ch`` (note the extra
``d``). In certain contexts (e.g. in :manpage:`sssd.conf(5)`) specifying the
DCs as ``dc0n.psi.ch`` therefore fails certificate name validation.

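An added example (not PSI's own ``sssd.conf``) showing the point above as
configuration: the hostnames and the realm are from this page, the remaining
keys are assumed typical settings for the ``ad`` provider, and the RODC names
are assumed to carry certificates under the same ``d.psi.ch`` suffix:

```ini
; sssd.conf fragment (added example, not PSI's own configuration).
; DC hostnames and the realm come from the documentation; everything else
; is an assumed, typical AD-provider setup.
[sssd]
    domains = d.psi.ch
    services = nss, pam

[domain/d.psi.ch]
    id_provider = ad
    access_provider = ad
    ad_domain = d.psi.ch
    krb5_realm = D.PSI.CH

    ; Internal network: name the DCs with the FQDN their certificate is
    ; issued for, i.e. under d.psi.ch, not psi.ch.
    ad_server = dc00.d.psi.ch, dc01.d.psi.ch, dc02.d.psi.ch

    ; WRONG: the DC certificates are not valid for these names, so TLS
    ; name validation fails and the domain goes offline.
    ; ad_server = dc00.psi.ch, dc01.psi.ch, dc02.psi.ch

    ; DMZ hosts: d.psi.ch does not resolve to the internal DCs there, so
    ; list the read-only DCs explicitly (same suffix assumed).
    ; ad_server = rodc00.d.psi.ch, rodc01.d.psi.ch

    ; Keep certificate checking strict; relaxing it would hide the naming
    ; error rather than fix it.
    ldap_tls_reqcert = demand
```

To confirm which names a DC's certificate actually covers before editing the
configuration (assuming LDAPS is enabled on port 636), ``openssl s_client
-connect dc00.d.psi.ch:636 -servername dc00.d.psi.ch </dev/null | openssl x509
-noout -text | grep -A1 'Subject Alternative Name'`` prints the SAN list; the
``d.psi.ch`` names should appear there and the bare ``psi.ch`` names should not.
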
Linux Computer Objects
----------------------

Computer objects for Linux systems are created in
``OU=linux,OU=computers,OU=psi,DC=d,DC=psi,DC=ch``. We do not distinguish
between servers and workstations in AD (unlike the Windows team), as the
distinction isn't clear and it wouldn't help us anyway (as we don't use AD group
policies).

We perform the join password-less, by pre-creating the computer object using a
script running on the Puppet master.