Setup

Account setup

ADMan requires a privileged domain account (because it does privileged things in the domain). This account can be named anything, but here we use domain-janitor.

Samba

On a Samba 4 Active Directory domain:

Create the domain-janitor user and set its password to not expire:

samba-tool user create domain-janitor --random-password
samba-tool user setexpiry --noexpiry domain-janitor

Add the user to Domain Admins:

samba-tool group addmembers 'Domain Admins' domain-janitor

Export the user’s Kerberos keytab:

samba-tool domain exportkeytab --principal='domain-janitor' domain-janitor.keytab

Configuration

First, we’ll create a minimal config file to get up and going.

  • Create adman/config.yml in the appropriate path:

    domain: ad.example.com
    
    ldap_auth:
      mode: gssapi
      krb_username: domain-janitor
      krb_keytab: domain-janitor.keytab
      krb_cache: /tmp/domain-janitor.cc
    
  • Copy the exported keytab to the path specified by krb_keytab in config.yml (the example above specifies domain-janitor.keytab, i.e. a file in the same directory as config.yml).

    Warning

    domain-janitor.keytab is password-equivalent; ensure it is carefully protected!
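Because the keytab is password-equivalent, it is worth verifying its protection before the first run. The script below is an added example, not part of ADMan: it reads the krb_keytab value out of config.yml, resolves a relative path against the directory containing config.yml (an assumption for this example; ADMan's own resolution rule is not stated on this page), and checks that the file exists, is owned by the invoking user and has no group or world permission bits. The config and keytab it creates are constructed demo files in a temporary directory.

```shell
#!/bin/sh
# Added example, not ADMan's own code: sanity-check the keytab named in
# config.yml. The keytab is password-equivalent, so it should be a regular
# file owned by the user that runs adman, mode 600 (or 400).
# Assumption: a relative krb_keytab is taken relative to config.yml's directory.

# Print the keytab path named by krb_keytab in a config file, made absolute
# relative to the config file's own directory. Returns 1 if the key is absent.
keytab_path_from_config() {
  cfg="$1"
  rel=$(sed -n 's/^[[:space:]]*krb_keytab:[[:space:]]*//p' "$cfg" | head -n 1)
  [ -n "$rel" ] || return 1
  case "$rel" in
    /*) printf '%s\n' "$rel" ;;
    *)  printf '%s/%s\n' "$(dirname "$cfg")" "$rel" ;;
  esac
}

# Return 0 if the keytab exists, is owned by the current user and has no
# group/other permission bits; otherwise report the problem and return 1.
check_keytab() {
  kt="$1"
  if [ ! -f "$kt" ]; then
    echo "keytab missing: $kt" >&2
    return 1
  fi
  # Columns 2-10 of 'ls -l' are the nine permission bits; field 3 is the owner.
  line=$(ls -l "$kt")
  perms=$(printf '%s\n' "$line" | cut -c2-10)
  owner=$(printf '%s\n' "$line" | awk '{print $3}')
  if [ "$owner" != "$(id -un)" ]; then
    echo "keytab $kt is owned by $owner, not $(id -un)" >&2
    return 1
  fi
  case "$perms" in
    rw-------|r--------) return 0 ;;
    *)
      echo "keytab $kt has mode $perms; run: chmod 600 $kt" >&2
      return 1 ;;
  esac
}

# Demo on constructed files: the config mirrors the one on this page; the
# keytab content is a placeholder string, not a real Kerberos keytab.
demo() {
  d=$(mktemp -d)
  mkdir "$d/adman"
  cat > "$d/adman/config.yml" <<'EOF'
domain: ad.example.com

ldap_auth:
  mode: gssapi
  krb_username: domain-janitor
  krb_keytab: domain-janitor.keytab
  krb_cache: /tmp/domain-janitor.cc
EOF
  kt=$(keytab_path_from_config "$d/adman/config.yml")
  printf 'placeholder-not-a-real-keytab' > "$kt"
  chmod 644 "$kt"
  if check_keytab "$kt"; then echo "unexpected: world-readable keytab passed"; fi
  chmod 600 "$kt"
  if check_keytab "$kt"; then echo "keytab OK: $kt"; fi
  rm -rf "$d"
}
demo
```

Run it as the same account that cron will use for adman, since the ownership check compares against the invoking user; a keytab readable by other local accounts would let them authenticate as domain-janitor, a Domain Admins member.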

First run

To test LDAP connectivity and authentication, run the user list command:

adman user list

Before uidNumber/gidNumber values can be assigned, the next-id state (stored in LDAP) must be initialized using the state init command:

adman state init

Run automatically

To perform all automated maintenance (assign IDs, UPNs) every minute, run crontab -e and add this line (changing the path to adman if necessary) to run the allmaint command:

*/1 * * * *         /usr/local/bin/adman allmaint

Note

adman will likely be installed in a path not normally searched by cron, so we use the full path (revealed by which adman).

Note

The allmaint command does not include findstale, as that will usually be done on a much longer interval. Add another cronjob (e.g. weekly) for findstale.