Join domain

Prerequisites for joining a Windows Active Directory domain are:

  • DNS is set to domain’s DNS servers
  • NTP is properly configured (Kerberos requires <5 minute time skew)
  • Domain administrator credentials
Note: DNS is important. Fusion supports NTLM pass-through, which Windows clients default to when the SMB share is accessed by IP address. However, Kerberos is expected for authentication in most environments, and it requires DNS for resolving IP addresses to hostnames. In multi-homed network setups, confer with your network administrator to ensure DNS access is properly routed for Fusion servers and Windows clients.

NTP is also important. On newly deployed nodes, the system time may appear to match the domain controller’s time while the time zone is incorrect. Server and client must have their time synchronized with the domain (ideally with NTP), since Kerberos tickets are time stamped and become invalid after short periods.

Finally, Fusion should not be on a subnet that is isolated from the domain controllers. Although Kerberos authentication traffic does not include communication between Fusion and a DC, Fusion relies on domain controllers for querying RFC 2307 UIDs/GIDs, LDAP lookups, etc.

Below is a demonstration utilizing SSSD (you can certainly use net and winbind instead if you choose).

On both nodes, update and install the necessary packages:

$ sudo apt -y update && sudo apt upgrade -y
$ sudo apt -y install libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin packagekit krb5-user

Set the hostname to include the domain component:

$ sudo hostnamectl set-hostname dhcp-142.tux.local

Configure the Kerberos /etc/krb5.conf file on both nodes. Note that ‘default_realm’ must be capitalized.

[libdefaults]
default_realm = TUX.LOCAL
rdns = false

Confirm domain discovery:

tux@dhcp-142:~$ adcli info tux.local
[domain]
domain-name = tux.local
domain-short = TUX
domain-forest = tux.local
domain-controller = WIN-GGOG9V8AQ2V.tux.local
domain-controller-site = Default-First-Site-Name
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = WIN-GGOG9V8AQ2V.tux.local
[computer]
computer-site = Default-First-Site-Name

Do the following on only one node: create the SSSD /etc/sssd/sssd.conf file to match the one below (replacing the example domain ‘tux.local’ and realm ‘TUX.LOCAL’ with your own, maintaining case) and chmod it to 600:

[sssd]
domains = tux.local
config_file_version = 2
services = nss
[domain/tux.local]
ad_domain = tux.local
krb5_realm = TUX.LOCAL
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = false
access_provider = ad

Create computer account and keytab file for cluster:

$ sudo adcli join --domain TUX.LOCAL --service-name=cifs --computer-name SMBCLUSTER --host-fqdn smbcluster.TUX.LOCAL -v
Note: The --domain and --computer-name values MUST be capitalized. Additionally, verify with hostnamectl that the system hostname includes the domain component, so that it is a fully qualified domain name. The cluster name and the system hostname don’t need to match; only the domain component of their FQDNs must.
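The prerequisites at the top of this page (DNS, NTP skew under 5 minutes, an FQDN hostname) and the two notes (sssd.conf at mode 600; --domain, --computer-name and default_realm in upper case) can be checked on a node before running adcli join. The script below is an added example written for this page, not Fusion’s or adcli’s own tooling. It assumes GNU coreutils (stat -c), awk, dnsutils (dig) and ntpdate for the two live checks, and that ntpdate -q prints its classic "offset N" field; the check names and the 300-second limit are the example’s own.

```shell
#!/usr/bin/env bash
# Pre-flight checks for joining a node to the AD domain.
# Added example for this page; not Fusion's or adcli's tooling.
# Assumes GNU coreutils (stat -c), awk, dig and ntpdate are installed.
set -u

# Kerberos tolerates less than 5 minutes of clock skew (prerequisite above).
MAX_SKEW_SECONDS=300

# is_fqdn_in_domain HOST DOMAIN: HOST must be a label in front of DOMAIN, so
# "dhcp-142.tux.local" passes for tux.local while "dhcp-142" and
# "dhcp-142.other.local" fail. Case-insensitive, like DNS.
is_fqdn_in_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *".$domain") [ -n "${host%.$domain}" ] ;;
        *) return 1 ;;
    esac
}

# skew_within_limit OFFSET [LIMIT]: OFFSET is a signed number of seconds
# (as printed by "ntpdate -q"); returns 0 when |OFFSET| < LIMIT,
# non-zero for a large offset or for a value that is not a number.
skew_within_limit() {
    awk -v o="$1" -v lim="${2:-$MAX_SKEW_SECONDS}" 'BEGIN {
        if (o !~ /^[-+]?[0-9]+(\.[0-9]+)?$/) exit 2
        o += 0; if (o < 0) o = -o
        exit !(o < lim)
    }'
}

# realm_is_uppercase REALM: default_realm, --domain and --computer-name
# must be given in upper case (see the notes above).
realm_is_uppercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" ]
}

# conf_mode_is_600 FILE: sssd.conf must be chmod 600 as the page requires.
conf_mode_is_600() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# domain_srv_resolves DOMAIN: the Kerberos and LDAP SRV records must be
# answered by the domain's DNS servers (prerequisite 1). Live check.
domain_srv_resolves() {
    for svc in _kerberos._tcp _ldap._tcp; do
        [ -n "$(dig +short SRV "$svc.$1" 2>/dev/null)" ] || return 1
    done
}

# dc_offset_seconds DC: signed clock offset to DC in seconds, parsed from
# classic ntpdate output ("server ..., stratum N, offset -0.0012, delay ...").
# Assumes that output format. Live check.
dc_offset_seconds() {
    ntpdate -q "$1" 2>/dev/null | awk '/offset/ {
        for (i = 1; i <= NF; i++) if ($i == "offset") {
            sub(/,$/, "", $(i + 1)); print $(i + 1); exit
        } }'
}

# run_preflight DOMAIN REALM [DC]: run every check, print one line each,
# return non-zero if any failed. DC defaults to DOMAIN (its A records
# point at domain controllers).
run_preflight() {
    domain=$1; realm=$2; dc=${3:-$1}
    rc=0
    check() {  # check LABEL COMMAND ARGS...
        label=$1; shift
        if "$@"; then printf '%-16s ok\n' "$label"
        else printf '%-16s FAIL\n' "$label"; rc=1; fi
    }
    check hostname-fqdn is_fqdn_in_domain "$(hostname -f)" "$domain"
    check realm-upper   realm_is_uppercase "$realm"
    check dns-srv       domain_srv_resolves "$domain"
    check clock-skew    skew_within_limit "$(dc_offset_seconds "$dc")"
    check sssd-conf-600 conf_mode_is_600 /etc/sssd/sssd.conf
    return $rc
}

# Usage on a node to be joined:  ./preflight.sh tux.local TUX.LOCAL
if [ "$#" -ge 2 ]; then
    run_preflight "$1" "$2" "${3:-}"
fi
```

The clock-skew check reports the offset that Kerberos will see rather than whether an NTP daemon is running, which catches the wrong-time-zone case the note describes: the displayed wall clock looks right but the offset to the DC is hours.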