Joining Ubuntu to a Windows AD Domain (Using SSSD and Realm)

Step 1: Initial Configurations to Join Ubuntu to Samba4 AD

1. First, set the machine's hostname, either with the hostnamectl command or by editing /etc/hostname directly.

# hostnamectl set-hostname your_machine_short_name

$ cat /etc/hostname  
mamh-PC

$ hostnamectl                           
   Static hostname: mamh-PC
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: 4165ee77f3a840b880478065c5624a98
           Boot ID: 0b179497ee0a4ffdb5d5a1a288693fa9
  Operating System: Ubuntu 16.04.6 LTS
            Kernel: Linux 4.18.0-15-generic
      Architecture: x86-64


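2. Next comes an important step: configure the IP settings, DNS in particular, since the domain name must resolve from this machine.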


3. Then restart networking, or reboot the machine, and check that the domain name answers.

systemctl restart networking.service

ping -c2 your_domain_name

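4. The last step is to install the time synchronization tool ntpdate and sync the clock against the domain. Kerberos authentication fails when the client clock differs too much from the domain controller's (5 minutes by default).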

$ sudo apt-get install ntpdate
$ sudo ntpdate -q your_domain_name
$ sudo ntpdate your_domain_name

Step 2: Install the Required Software

5. Install the Realmd and SSSD related packages:

$ sudo apt-get install adcli realmd krb5-user samba-common-bin samba-libs samba-dsdb-modules sssd sssd-tools libnss-sss libpam-sss packagekit policykit-1 

$ sudo apt-get install samba # Needed only if you want to share directories with Windows over Samba


root@bf-pc04:~# echo 'apt-get install adcli realmd krb5-user samba-common-bin samba-libs samba-dsdb-modules sssd sssd-tools libnss-sss libpam-sss packagekit policykit-1 '>install.sh
root@bf-pc04:~# chmod 755 install.sh 
root@bf-pc04:~# ls
install.sh
root@bf-pc04:~# cat install.sh 
apt-get install adcli realmd krb5-user \
samba-common-bin samba-libs samba-dsdb-modules \
sssd sssd-tools libnss-sss libpam-sss packagekit policykit-1 
# Start installing the required packages
root@bf-pc04:~# ./install.sh 

6. During the installation you are prompted for the default Kerberos realm. Enter the domain name in uppercase and press Enter to continue the installation.

    Configuring Kerberos Authentication

    When users attempt to use Kerberos and specify a principal or user name
    without specifying what administrative Kerberos realm that principal
    belongs to, the system appends the default realm.  The default realm may
    also be used as the realm of a Kerberos service running on the local
    machine.  Often, the default realm is the uppercase version of the local
    DNS domain.

    Default Kerberos version 5 realm:

    ________________________________________

7. Create the SSSD configuration file.

$ sudo vi  /etc/sssd/sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = tecmint.lan
config_file_version = 2
services = nss, pam
default_domain_suffix = TECMINT.LAN


[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

Below is our own configuration:

root@bf-pc04:~# cat  /etc/sssd/sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = company.com
config_file_version = 2
services = nss, pam
default_domain_suffix = company.COM


[domain/company.com]
ad_domain = company.com
krb5_realm = company.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True  (this was later commented out ???)
full_name_format = %1$s
fallback_homedir = /home/%u
access_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

In particular, change the following settings to your own company's domain controller address and domain name:

domains = tecmint.lan
default_domain_suffix = TECMINT.LAN
[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN

8. Next, set the permissions of the /etc/sssd/sssd.conf file to 600; otherwise SSSD reports an error at startup.

The startup error log can be found in /var/log/sssd/sssd.log.

$ sudo chmod 600 /etc/sssd/sssd.conf
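
Steps 7 and 8 go wrong in a few predictable ways: a file mode other than 600, a `domains` entry without a matching `[domain/...]` section, a realm that is not the upper-case domain name, or a key set twice in one section (both listings in step 7 set `access_provider` twice). The script below is an added example, not part of the original post; the function names and the `example.lan` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of sssd.conf (steps 7 and 8 above).
# check_sssd_conf and write_sample_conf are names made up for this example.

# Print one finding per line; return 0 if the file is clean, 1 otherwise.
check_sssd_conf() {
    conf=$1
    mode=$(stat -c '%a' "$conf") || return 2    # GNU stat, as on Ubuntu
    findings=$(
        # Step 8: SSSD reports an error at startup unless the mode is 600.
        [ "$mode" = "600" ] || echo "mode is $mode, expected 600"
        awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                # [section] header
            section = trim($0)
            section = substr(section, 2, length(section) - 2)
            sections[section] = 1
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = trim(substr($0, 1, eq - 1))
            if ((section, key) in value)
                print "duplicate key " key " in [" section "]"
            value[section, key] = trim(substr($0, eq + 1))
        }
        END {
            # Each name in "domains" needs a [domain/NAME] section whose
            # ad_domain is NAME and whose krb5_realm is NAME in upper case.
            n = split(value["sssd", "domains"], doms, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                d = doms[i]; s = "domain/" d
                if (!(s in sections)) { print "no [" s "] section"; continue }
                if ((s, "ad_domain") in value && value[s, "ad_domain"] != d)
                    print "[" s "] ad_domain is not " d
                if ((s, "krb5_realm") in value && value[s, "krb5_realm"] != toupper(d))
                    print "[" s "] krb5_realm is not " toupper(d)
            }
        }' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample modelled on the listing above (not a real domain).
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.lan
services = nss, pam

[domain/example.lan]
ad_domain = example.lan
krb5_realm = example.LAN
id_provider = ad
access_provider = ad
auth_provider = ad
access_provider = ad
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
chmod 644 "$sample"
check_sssd_conf "$sample" || true
rm -f "$sample"
```

To check the real file, call `check_sssd_conf /etc/sssd/sssd.conf` as root instead of using the sample at the bottom.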

9. Next, configure the /etc/realmd.conf file.

$ sudo vi  /etc/realmd.conf

Enter the following content:

[active-directory]
os-name = Linux Ubuntu
os-version = 17.04

[service]
automatic-install = yes

[users]
default-home = /home/%d/%u
default-shell = /bin/bash

[tecmint.lan]
user-principal = yes
fully-qualified-names = no

Here is our own configuration:

root@bf-pc04:~# cat /etc/realmd.conf 
[active-directory]
os-name = Linux Ubuntu bf-pc04
os-version = 14.04

[service]
automatic-install = no

[users]
default-home = /home/%u
default-shell = /bin/bash

[company.com]
user-principal = yes
fully-qualified-names = no

10. As the last step, edit the /etc/samba/smb.conf configuration file.

workgroup = TECMINT
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = TECMINT.LAN
security = ads

Test whether the parameters in the Samba configuration file are correct:

$ sudo testparm
root@bf-pc04:~# cat /etc/samba/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

#can access symbol link file in windows with samba
	unix extensions = no
	follow symlinks = yes
	wide links = yes

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = company
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = company.COM
   security = ads

# server string is the equivalent of the NT Description field
	server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan < for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
   comment = %h server Home Directories
   browseable = yes

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin


Use the testparm command to test whether the Samba configuration file is correct:

root@bf-pc04:/etc/samba# testparm 
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	workgroup = company
	realm = company.COM
	server string = %h server (Samba, Ubuntu)
	server role = standalone server
	security = ADS
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	kerberos method = secrets and keytab
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	client signing = if_required
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb


[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
	browseable = No


[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
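
testparm checks syntax only. Beyond the six lines from step 10, the [global] section shown above also sets guest and symlink options that deserve a second look on a domain member. The script below is an added example, not part of the original post: it reads [global] and lists those settings, and its function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: review the [global] section of smb.conf on a joined host.
# All function names and the sample file are made up for this example.

# Print one [global] parameter. Samba ignores case and spaces in parameter
# names, and a later setting of the same parameter replaces an earlier one.
smb_global() {    # usage: smb_global "parameter name" FILE
    awk -v want="$1" '
    function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { in_global = (norm($0) == "[global]"); next }
    in_global && (eq = index($0, "=")) && norm(substr($0, 1, eq - 1)) == norm(want) {
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    END { if (val != "") print val }' "$2"
}
lower()  { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
is_yes() { case $(lower "$1") in yes|true|on|1) return 0 ;; esac; return 1; }
note()   { echo "$1"; rc=1; }

# Print one finding per line; return 0 if nothing needs review, 1 otherwise.
audit_smb_conf() {
    f=$1; rc=0
    # Step 10: the host authenticates against AD.
    [ "$(lower "$(smb_global security "$f")")" = ads ] || note "security is not ads"
    role=$(lower "$(smb_global 'server role' "$f")")
    case $role in
        ''|auto|'member server') ;;
        *) note "server role = $role, expected member server on a joined host" ;;
    esac
    # unix extensions defaults to yes, and Samba then turns wide links off.
    ue=$(smb_global 'unix extensions' "$f")
    if is_yes "$(smb_global 'wide links' "$f")" && ! is_yes "${ue:-yes}"; then
        note "wide links = yes: symlinks can lead clients outside the share path"
    fi
    if [ "$(lower "$(smb_global 'map to guest' "$f")")" = "bad user" ]; then
        note "map to guest = bad user: unknown user names get a guest session"
    fi
    if is_yes "$(smb_global 'usershare allow guests' "$f")"; then
        note "usershare allow guests = yes: user-defined shares may admit guests"
    fi
    return $rc
}

# Constructed sample modelled on the [global] section shown above.
write_sample_smb() {
    cat > "$1" <<'EOF'
[global]
   unix extensions = no
   wide links = yes
   workgroup = EXAMPLE
   realm = EXAMPLE.LAN
   security = ads
   kerberos method = secrets and keytab
   server role = standalone server
   map to guest = bad user
   usershare allow guests = yes
[homes]
   read only = no
EOF
}

sample=$(mktemp)
write_sample_smb "$sample"
audit_smb_conf "$sample" || true
rm -f "$sample"
```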

11. Once all the configuration changes are in place, we can test Kerberos authentication. This requires a domain controller administrator account.

$ sudo kinit [email protected]
$ sudo klist
 
root@bf-pc04:/etc/samba# kinit [email protected]
Password for [email protected]: 

root@bf-pc04:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
2019-05-17T17:12:28  2019-05-18T03:12:28  krbtgt/[email protected]
	renew until 2019-05-18T17:12:21

Step 3: Join Ubuntu to Samba4 Realm

12. Use realm to join the domain.

$ sudo realm discover -v DOMAIN.TLD
$ sudo realm list
$ sudo realm join TECMINT.LAN -U ad_admin_user -v
$ sudo net ads join -k  # this step must be run

root@bf-pc04:/etc/samba# realm discover -v company.COM
 * Resolving: _ldap._tcp.company.com
 * Performing LDAP DSE lookup on: 10.0.13.253
 * Performing LDAP DSE lookup on: 10.0.17.228
 * Performing LDAP DSE lookup on: 10.0.13.252
 * Successfully discovered: company.com
company.com
  type: kerberos
  realm-name: company.COM
  domain-name: company.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins


root@bf-pc04:/etc/samba# realm list
company.com
  type: kerberos
  realm-name: company.COM
  domain-name: company.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: company\%U
  login-policy: allow-any-login
company.com
  type: kerberos
  realm-name: company.COM
  domain-name: company.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins


root@bf-pc04:/etc/samba# realm join company.COM -U admin- -v
 * Resolving: _ldap._tcp.company.com
 * Performing LDAP DSE lookup on: 10.0.13.253
 * Performing LDAP DSE lookup on: 10.0.13.252
 * Successfully discovered: company.com
realm: 已加入该域
root@bf-pc04:/etc/samba# 

13. After the machine has joined the domain, run the command below to ensure that all domain accounts are permitted to authenticate on the machine. The other commands deny all accounts or permit only specific groups or users.

$ sudo realm permit --all
$ sudo realm deny -a
$ realm permit --groups 'domain.tld\Linux Admins'
$ realm permit [email protected]
$ realm permit DOMAIN\\User2

This step reports an error. I have not yet figured out how to resolve it ???

root@bf-pc04:/var/log# realm deny -a
See: journalctl REALMD_OPERATION=r151224.2915
realm: Couldn't change permitted logins: The Samba provider cannot restrict permitted logins.

14. The Linux computer is now visible on the Windows domain controller.

Step 4: Configure AD Accounts Authentication

15. To authenticate on the Ubuntu machine with domain accounts, run the pam-auth-update command with root privileges and enable all PAM profiles, including the option to automatically create home directories for each domain account at first login.

$ sudo pam-auth-update

16. On systems manually edit the /etc/pam.d/common-account file and add the following line in order to automatically create home directories for authenticated domain users.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

17. If Active Directory users can't change their password from the command line in Linux, open the /etc/pam.d/common-password file and remove the use_authtok statement from the password line so that it looks like the excerpt below.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass

23. To use a domain account with root privileges on your Ubuntu machine, add the AD username to the sudo system group by issuing the command below:

$ sudo usermod -aG sudo [email protected]

24. To add root privileges for a domain group, open and edit the /etc/sudoers file using the visudo command and add the following line as illustrated.

%domain\ [email protected]       		 ALL=(ALL:ALL) ALL

25. To use domain account authentication for Ubuntu Desktop, modify the LightDM display manager by editing the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file: append the following two lines, then restart the lightdm service or reboot the machine to apply the changes.

greeter-show-manual-login=true
greeter-hide-users=true

26. To use the short name format for Samba AD accounts, edit the /etc/sssd/sssd.conf file and add the following line in the [sssd] block as illustrated below.

full_name_format = %1$s

27. If you cannot log in because the enumerate=true argument is set in sssd.conf, clear the SSSD cached database by issuing the command below:

$ rm /var/lib/sss/db/cache_tecmint.lan.ldb

Additional notes

The Pluggable Authentication Modules library, or PAM

To enable this module we need to add the following line to /etc/pam.d/common-account:

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

The common-account file is included by several other authentication files, so it will take effect for remote SSH logins, local GDM logins, and console logins too.

This is very handy but if your users are also able to access through Samba no home directory will be created, since it does not authenticate through PAM. The only way around this I found was through using the ‘root preexec’ directive in smb.conf for the home share. Like this:

root preexec = /usr/sbin/smb-mkhomedir.sh %U
root preexec = mkhomedir_helper "%u"

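#!/bin/bash
# smb-mkhomedir.sh: create a home directory for a Samba user on first connect.
# smbd runs this as root through "root preexec", with the user name as $1.

DHOME="/home"
USERS_GID="1000"
SKEL="/etc/skel"
DIR_MODE="0755"   # assumed default; /etc/adduser.conf may override it

# Reads config file (will override defaults above)
[ -r /etc/adduser.conf ] && . /etc/adduser.conf

if [ -z "$1" ]; then
        echo "Usage: $0 username" 1>&2
        exit 1
fi

# Refuse names that could escape $DHOME or be read as options (we run as root)
case "$1" in
        */*|.|..|-*) echo "Invalid username: $1" 1>&2; exit 1 ;;
esac

if [ ! -e "$DHOME/$1" ]; then
        mkdir -m "$DIR_MODE" -p "$DHOME/$1"
        # "$SKEL/." also copies dotfiles such as .bashrc, which "$SKEL/*" skips
        cp -R "$SKEL/." "$DHOME/$1"
        chown -R "$1:$USERS_GID" "$DHOME/$1"
fi

exit 0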

The pam_exec module

#!/bin/sh
[ "$PAM_TYPE" = "open_session" ] || exit 0
{
  echo "User: $PAM_USER"
  echo "Ruser: $PAM_RUSER"
  echo "Rhost: $PAM_RHOST"
  echo "Service: $PAM_SERVICE"
  echo "TTY: $PAM_TTY"
  echo "Date: `date`"
  echo "Server: `uname -a`"
}

root@fs-share:/var/log# cat pam_exec.log
# Account login
*** Tue Jun  4 13:32:39 2019
MAIL=/var/mail/bright.ma
PAM_USER=bright.ma
PAM_TYPE=open_session
PAM_RUSER=root
PAM_SERVICE=su
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
PAM_TTY=/dev/pts/0
LANG=en_US.UTF-8
PWD=/tmp

# Below is the logout
*** Tue Jun  4 13:32:50 2019
PAM_USER=bright.ma
PAM_TYPE=close_session
PAM_RUSER=root
PAM_SERVICE=su
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
PAM_TTY=/dev/pts/0
LANG=en_US.UTF-8
PWD=/tmp


Default configuration
ldap_id_mapping = true
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000
