Join domain
Prerequisites for joining a Windows Active Directory domain are:
- DNS is set to domain’s DNS servers
- NTP is properly configured (Kerberos requires <5 minute time skew)
- Domain administrator credentials
DNS is important. Fusion supports NTLM pass-through, which Windows clients fall back to when the SMB share is accessed by IP address. In most environments, however, Kerberos is expected for authentication, and Kerberos requires DNS for resolving IP addresses to hostnames. In multi-homed network setups, confer with your network administrator to ensure DNS access is properly routed for both the Fusion servers and the Windows clients.
NTP is also important. On newly deployed nodes the system time may appear to match the domain controller’s time while the time zone is actually wrong. Server and client must keep their time synchronized with the domain (ideally via NTP), since Kerberos tickets are time stamped and become invalid after a short period.
Finally, Fusion must not sit on a subnet isolated from every domain controller. Although Kerberos authentication traffic itself does not pass between Fusion and a DC, Fusion relies on domain controllers for RFC2307 UID/GID queries, LDAP lookups, and so on.
Below is a demonstration using SSSD (net and winbind work too if you prefer them).
Both nodes:
Update and install the necessary packages:
$ sudo yum update -y
$ sudo yum install -y sssd krb5-workstation passwd corosynclib
$ sudo dnf --enablerepo=ha -y install pacemaker corosync pcs
Set the hostname to include the domain component:
$ sudo hostnamectl set-hostname dhcp-200.fusion.tuxera
Configure the Kerberos /etc/krb5.conf file on both nodes. Note that ‘default_realm’ must be upper-case.
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = FUSION.TUXERA
default_ccache_name = KEYRING:persistent:%{uid}
Confirm domain discovery:
[tux@dhcp-200 ~]$ adcli info fusion.tuxera
[domain]
domain-name = fusion.tuxera
domain-short = FUSION
domain-forest = fusion.tuxera
domain-controller = FusionDC.fusion.tuxera
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret ads-web
domain-controller-usable = yes
domain-controllers = FusionDC.fusion.tuxera
[computer]
computer-site = Default-First-Site-Name
Do the following on only one node: create the SSSD /etc/sssd/sssd.conf file to match the example below (replacing every ‘fusion.tuxera’ and ‘FUSION.TUXERA’ with your own domain, preserving the case of each) and chmod it to 600:
[sssd]
domains = fusion.tuxera
config_file_version = 2
services = nss
[domain/fusion.tuxera]
ad_domain = fusion.tuxera
krb5_realm = FUSION.TUXERA
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = false
access_provider = ad
Create the computer account and keytab file for the cluster:
$ sudo adcli join --domain FUSION.TUXERA --service-name=cifs --computer-name SMBCLUSTER --host-fqdn smbcluster.FUSION.TUXERA -v
The --domain and --computer-name values MUST be capitalized. Additionally, verify with hostnamectl that the system hostname includes the domain component, so that it is a fully qualified domain name. The cluster name and the system hostname do not need to match; only the domain component of their FQDNs must.
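A preflight script that checks the prerequisites and conventions above (FQDN hostname, upper-case realm, 0600 on sssd.conf, Kerberos SRV records in DNS, NTP skew under 5 minutes) before running adcli join. This is an added example, not Fusion tooling; the pure checks are functions so they can be exercised offline, and preflight() assumes dig(1) and chronyc(1) are installed and uses fusion.tuxera as a placeholder domain.

```shell
#!/bin/sh
# Pre-join preflight (added example, not part of Fusion). POSIX sh.

# True if hostname ($1) ends in the domain component ($2), i.e. is the FQDN hostnamectl should show.
hostname_is_fqdn() {
    case "$1" in
        *."$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# True if the realm ($1) is entirely upper-case; Kerberos realms are case-sensitive.
realm_is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# True if two epoch timestamps ($1, $2) differ by less than the 300 s Kerberos tolerance.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "${d#-}" -lt 300 ]
}

# Print default_realm from a krb5.conf-style file ($1); prints nothing if absent.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# True if the file ($1) is exactly mode 0600 (sssd.conf can hold cached credentials).
mode_is_600() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Live checks against the domain ($1; placeholder fusion.tuxera). Prints a FAIL line per problem.
preflight() {
    dom="${1:-fusion.tuxera}"; rc=0
    hostname_is_fqdn "$(hostname)" "$dom" || { echo "FAIL: hostname lacks .$dom"; rc=1; }
    realm_is_upper "$(krb5_default_realm /etc/krb5.conf)" || { echo "FAIL: default_realm not upper-case"; rc=1; }
    [ ! -e /etc/sssd/sssd.conf ] || mode_is_600 /etc/sssd/sssd.conf || { echo "FAIL: sssd.conf not 0600"; rc=1; }
    # The Kerberos SRV record must resolve through the domain's own DNS servers.
    [ -n "$(dig +short SRV "_kerberos._tcp.$dom")" ] || { echo "FAIL: no _kerberos._tcp.$dom SRV record"; rc=1; }
    # chrony reports the offset from the selected time source in seconds.
    off=$(chronyc tracking 2>/dev/null | sed -n 's/^System time *: *\([0-9.]*\) seconds.*/\1/p')
    [ -n "$off" ] && skew_ok "${off%.*}" 0 || { echo "FAIL: NTP offset unknown or over 300 s"; rc=1; }
    return $rc
}
```

Run `preflight fusion.tuxera` on each node before the adcli join step; a non-zero exit means at least one prerequisite is unmet.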