linux加入windows域
一、实验环境:
AD server:windows server 2003
AD samba:centos 5.2
AD server的hostname和IP地址:
rocdk890 192.168.1.142/24
AD samba的hostname和IP地址:
lamp 192.168.1.144/24
Domain name:rocdk890.tt.com
DNS:192.168.1.142
安装NTP时间验证套件:
# mount /dev/cdrom /media
# rpm -ivh /cdrom/CentOS/RPMS/ntp-4.2.2p1-7.el5.i386.rpm
当然也可以用yum来安装
#yum -y install ntp (注意ntp要小写)
再来与AD server校准时间
# ntpdate 192.168.1.142
# hwclock -w
安装Samba服务器软件需求:
krb5-workstation-1.2.7-19
pam_krb5-1.70-1
krb5-devel-1.2.7-19
krb5-libs-1.2.7-19
samba-3.0.5-2
当然我在这里偷了下懒,我直接用yum进行的安装,毕竟只是了解下这个实验的思路,所以就不用管安全性了。
#yum -y install samba
安装完后,如果你要确认samba安装成功没有可以用下述命令来检查samba包的基础库支持,一般用yum安装或RPM安装是不会有问题的。
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
…
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
…
# smbd -b | grep ADS
WITH_ADS
WITH_ADS
# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND
二、编辑设定档
1、krb5配置
#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TT.COM # 大写域名称
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
TT.COM = { # 大写域名称
kdc = 192.168.1.142:88 # 域伺服器IP
admin_server = 192.168.1.142:749 # 域伺服器IP
default_domain = tt.com # 预设域名称,这里就不用大写了
}
[domain_realm]
.tt.com = TT.COM # 域验证范围
tt.com = TT.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
连接AD server
kinit administrator@TT.COM
Kerberos 的 kinit 命令将测试服务器间的通信,后面的域名TT.COM 是你的活动目录的域名,必须大写,否则会收到错误信息:
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.
如果通信正常,你会提示输入口令,口令正确的话,就返回 bash 提示符,如果错误则报告:
kinit(v5): Preauthentication failed while getting initial credentials.
這一步代表了已经可以和AD server做沟通了,但并不代表Samba Server已经加入域了。
2、smb.conf配置
#vi /etc/samba/smb.conf
#===================== Global Settings =========================
[global]
workgroup = TT # 一定要填自己的domain名称
netbios name = lamp #你的linux主机名
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
; winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
hosts allow =192.168.1. 127. 192.168.12. 192.168.13.
# ———————– Domain Members Options ————————
security = domain
; passdb backend = tdbsam
; realm = TT.COM #这里我觉得还是注释起好点
encrypt passwords = yes #这句是必须添加的,不然后面验证会提示不成功
password server = 192.168.1.142
[homes]
path = /home/%D/%U
browseable = no
writable = yes
valid users = tt.com/%U#这里记得把域名带上,否则你用ad帐号访问samba服务器时输入正确的ad帐号和密码仍然不能访问共享目录
create mode = 0777
directory mode = 0777
3、配置nsswitch.conf
#vi /etc/nsswitch.conf
修改以下位置
passwd: files winbind
shadow: files
group: files winbind
4、启用samba和winbind服务
service smb reload #加这一句是用来解决有时候samba启动不了的问题
service smb start
service winbind start
5、加入AD域
[root@lamp ~]# net rpc join -S rocdk890.tt.com -U administrator
Password:
Joined domain TT.
6、验证加入是否成功
[root@lamp ~]# net rpc testjoin
Join to 'TT' is OK
[root@lamp ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@lamp ~]# wbinfo -u
TT/administrator
TT/guest
TT/support_388945a0
TT/krbtgt
[root@lamp ~]# wbinfo -g
TT/domain computers
TT/domain controllers
TT/schema admins
TT/enterprise admins
TT/domain admins
TT/domain users
TT/domain guests
TT/group policy creator owners
TT/dnsupdateproxy
[root@lamp ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
TT/administrator:*:15000:15000:Administrator:/home/TT/administrator:/bin/bash
TT/guest:*:15001:15001:Guest:/home/TT/guest:/bin/bash
TT/support_388945a0:*:15002:15000:SUPPORT_388945a0:/home/TT/support_388945a0:/bin/bash
TT/krbtgt:*:15003:15000:krbtgt:/home/TT/krbtgt:/bin/bash
[root@lamp ~]# getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
rpm:x:37:
dbus:x:81:
utmp:x:22:
mailnull:x:47:
smmsp:x:51:
nscd:x:28:
floppy:x:19:
vcsa:x:69:
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
sshd:x:74:
pcap:x:77:
utempter:x:35:
slocate:x:21:
haldaemon:x:68:
ntp:x:38:
TT/domain computers:*:15002:
TT/domain controllers:*:15003:
TT/schema admins:*:15004:TT/administrator
TT/enterprise admins:*:15005:TT/administrator
TT/domain admins:*:15006:TT/administrator
TT/domain users:*:15000:
TT/domain guests:*:15001:
TT/group policy creator owners:*:15007:TT/administrator
TT/dnsupdateproxy:*:15008:
7、做完这些,就可以到AD server上的活动目录中看到该机器了。
接下来介绍加入AD域后的一个简单应用,要不就不知道这样加有啥子用了。既然samba服务器已经加入AD域中,那自然会想到,window域中的本地帐号是否能访问linux机器呢?答案是肯定的。这就是winbind的作用了,当window域中的本地帐号需要登录linux主机时,winbind服务去ad服务器去验证该帐号是否合法,而不是到linux本地的/etc/passwd中去验证,当然如果要用不同的验证方式,就可以用pam去进行复杂的设定.
8、配置/etc/pam.d/system_auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password required /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
配置/etc/pam.d/sshd,使用ad帐号登录时,自动创建/home/LIZL/ad帐号目录
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session required /lib/security/pam_mkhomedir.so
session optional /lib/security/pam_console.so
顺便配置下samba这个pam
#auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
#session required pam_stack.so service=system-auth
#session required pam_mkhomedir.so skel=/etc/skel umask=0022
#password required pam_stack.so service=system-auth
好了,接下来享受下用ad帐号登录linux主机的快乐吧。