gitea-pages/engineering-guide/active-directory.md
Active Directory

Kerberos Realm and Settings

The AD domain (i.e. the Kerberos realm) is D.PSI.CH, not PSI.CH. The maximum lifetime of a ticket is about a day, and a ticket can be renewed for about a week.

Domain Controllers

In most networks d.psi.ch resolves to the correct names/IPs. One exception is the DMZ.

The domain controllers that are used internally are:

  • dc00
  • dc01
  • dc02

In the DMZ we need to use these instead:

  • rodc00
  • rodc01

It is important to note that the SSL certificates of the internal DCs are not issued for dc0n.psi.ch but for dc0n.d.psi.ch (note the extra d). In certain contexts (e.g. in sssd.conf(5)) specifying the DCs as dc0n.psi.ch therefore fails with a certificate name mismatch.

Linux Computer Objects

Computer objects for Linux systems are created in OU=linux,OU=servers,OU=psi,DC=d,DC=psi,DC=ch (servers) or OU=linux,OU=computers,OU=psi,DC=d,DC=psi,DC=ch (workstations and consoles).

We perform the join without a password by pre-creating the computer object with a script that runs on the Puppet master.

As AD only supports computer account names (aka NetBIOS names) of at most 15 characters, it truncates longer hostnames to their first 15 characters. This is unfortunate, because this name must be unique: it serves as the primary identifier of the computer object in AD, so two hosts sharing the same first 15 characters would collide. To work around this limitation we use a different, less collision-prone NetBIOS name whenever the hostname is longer than 15 characters (inspiration).

The NetBIOS name we use for these hosts is the first 7 characters of the hostname, then a hyphen, followed by the last 7 characters of the SHA256 hash of the fully qualified domain name (7 + 1 + 7 = 15 characters). To check the NetBIOS name of a given host, run

klist -t -k /etc/krb5.keytab

and look at the first entry. Here is an example for a host with a sufficiently short name:

  15 07.03.2023 09:23:02 PUPPET01$@D.PSI.CH

Here lx-sysdb-test-00.psi.ch, which gets a hashed NetBIOS hostname:

   3 05/12/23 08:39:15 lx-sysd-3563a67$@D.PSI.CH

And merlin-export-01.psi.ch, which has an automatically truncated NetBIOS name because it was joined before we started using hashed NetBIOS hostnames:

   7 29.10.2019 11:24:04 MERLIN-EXPORT-0$@D.PSI.CH
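The following Python is an added example (not the Puppet master script or any other code from this guide) that implements the naming rule described above and classifies the first computer principal found in `klist -t -k` output as short, hashed or legacy-truncated. It assumes that the FQDN is hashed in lowercase and that the hex digest is lowercase, matching the lx-sysd-3563a67 entry shown above; the page does not state this explicitly. The sample klist output is constructed from the three entries shown on this page.

```python
import hashlib
import re

REALM = "D.PSI.CH"        # the Kerberos realm / AD domain used at PSI
NETBIOS_MAX = 15          # AD limit for computer account (NetBIOS) names
PREFIX_LEN = 7            # first 7 characters of the short hostname
HASH_SUFFIX_LEN = 7       # last 7 hex characters of SHA256(FQDN)


def netbios_name(fqdn):
    """Return the computer account name the guide prescribes for an FQDN.

    Hostnames of at most 15 characters are used unchanged; longer ones become
    <first 7 chars>-<last 7 hex chars of sha256(fqdn)>.
    Assumption (not stated on the page): FQDN and digest are lowercase.
    """
    fqdn = fqdn.strip().rstrip(".").lower()
    host = fqdn.split(".")[0]
    if len(host) <= NETBIOS_MAX:
        return host
    digest = hashlib.sha256(fqdn.encode("ascii")).hexdigest()
    return f"{host[:PREFIX_LEN]}-{digest[-HASH_SUFFIX_LEN:]}"


# One `klist -t -k` line: KVNO, date, time, principal. Only computer account
# principals (ending in '$@REALM') are matched; host/ SPN entries are skipped.
KLIST_ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(?P<acct>\S+?)\$@(?P<realm>\S+)\s*$")


def first_principal(klist_output):
    """Return (account, realm) of the first computer principal in klist output."""
    for line in klist_output.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            return m.group("acct"), m.group("realm")
    raise ValueError("no computer account principal found in klist output")


def classify(fqdn, account):
    """Say how the keytab's account name relates to the expected one.

    'short'      - hostname fits in 15 characters and is used as-is
    'hashed'     - long hostname joined with the hashed scheme
    'truncated'  - long hostname joined before the hashed scheme (collision-prone)
    'mismatch'   - keytab does not belong to this host under either scheme
    """
    host = fqdn.strip().rstrip(".").lower().split(".")[0]
    acct = account.lower()                     # sAMAccountName is case-insensitive
    if acct == netbios_name(fqdn):
        return "short" if len(host) <= NETBIOS_MAX else "hashed"
    if len(host) > NETBIOS_MAX and acct == host[:NETBIOS_MAX]:
        return "truncated"
    return "mismatch"


def check_keytab(fqdn, klist_output):
    """Combine the checks a host owner would run after a join."""
    account, realm = first_principal(klist_output)
    return {
        "account": account,
        "realm_ok": realm == REALM,            # joined to D.PSI.CH, not PSI.CH
        "kind": classify(fqdn, account),
    }


# Constructed sample: the three keytab entries quoted on this page.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  15 07.03.2023 09:23:02 PUPPET01$@D.PSI.CH
   3 05/12/23 08:39:15 lx-sysd-3563a67$@D.PSI.CH
   7 29.10.2019 11:24:04 MERLIN-EXPORT-0$@D.PSI.CH
"""

if __name__ == "__main__":
    for fqdn in ("puppet01.psi.ch", "lx-sysdb-test-00.psi.ch", "merlin-export-01.psi.ch"):
        print(fqdn, "->", netbios_name(fqdn))
    print(check_keytab("puppet01.psi.ch", SAMPLE_KLIST))
```

A result of `truncated` flags a host still carrying a pre-hash-scheme name, the case where two long hostnames with the same first 15 characters would fight over one computer object; `realm_ok` being false means the keytab was issued by a realm other than D.PSI.CH.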