Prerequisites
Purpose
Allow users managed in Windows Active Directory to also log in to Linux servers, by joining the Linux host to the domain with Samba Winbind.
Note: this article does not cover building the AD server itself.
Environment
- AD server: Windows Server 2008 R2
  - FQDN: wins.example.com
- Linux server: Oracle Linux 6.4 (64-bit)
  - FQDN: demo.example.com
Configure the Linux server's network
First disable SELinux and the iptables firewall. That is acceptable for this lab setup; on a production host keep SELinux enforcing and, instead of disabling iptables, allow outbound traffic from the Linux server to the domain controller on the ports the join and Winbind use: 53 (DNS), 88 (Kerberos), 123 (NTP), 389 (LDAP) and 445 (SMB).
Add the AD server to the hosts file
vi /etc/hosts
127.0.0.1 demo localhost localhost.localdomain
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.13 demo.example.com
192.168.56.5 wins.example.com
Edit resolv.conf
Set the DNS server address here. Domain members normally locate domain controllers through the domain's SRV records (_ldap._tcp.dc._msdcs.example.com), so the nameserver should be the AD-integrated DNS on the domain controller itself, or a server that forwards example.com to it. You can configure a simple DNS server on Windows Server, or refer to this document to set one up on Linux.
vi /etc/resolv.conf
search example.com
nameserver 192.168.56.254
Restart the network service
service network restart
Install the required packages
Check the Winbind and Samba packages
[root@demo ~]# rpm -qa | grep samba
samba4-libs-4.0.0-55.el6.rc4.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
If the installed packages differ from those listed above, install them with:
yum install samba-winbind ...
Winbind itself needs the following packages:
[root@demo ~]# rpm -qa | grep winbind
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
Once these packages are installed, the ntlm_auth command (from samba-winbind-clients) is available.
Configure the services
Configure smb.conf
Note that the idmap uid and idmap gid parameters used below are deprecated in Samba 3.6 in favour of a single idmap config * : range, and the default tdb backend keeps one range for both UIDs and GIDs, so the two should be identical (they differ below: 10000-25000 versus 10000-20000). Run testparm after editing to see how Samba actually interprets the file, and pick a range that no local account in /etc/passwd falls into, otherwise a mapped AD user would share a UID with a local user.
cp -p /etc/samba/smb.conf /etc/samba/smb.conf.orig
vim /etc/samba/smb.conf
# ---- Settings for Winbind ----
security = ads
workgroup = EXAMPLE
realm = EXAMPLE.COM
password server = wins.example.com
encrypt passwords = true
idmap uid = 10000-25000
idmap gid = 10000-20000
winbind use default domain = yes
winbind cache time = 90
# winbind nested groups = yes
template shell = /bin/bash
# template homedir = /home/%U
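As an added example (not part of the original article), a small shell lint that checks the idmap range in smb.conf before winbind is started: it reads the deprecated idmap uid / idmap gid parameters (falling back to idmap config * : range), requires the two ranges to match, rejects ranges that start inside the local account space, and reports any account in the given passwd file whose UID or GID would collide with a mapped AD account. The function names are this example's own; the passwd file is passed as an argument so the check can be run against a copy.

```shell
#!/bin/sh
# Lint the Winbind idmap range in smb.conf before starting winbind.
# Added example, not from the original article. Written for the deprecated
# "idmap uid"/"idmap gid" form used above (Samba 3.6), where both parameters
# feed the single "idmap config * : range" of the default tdb backend.

# smb_param FILE KEY: print the value of KEY (case-insensitive, blanks around
# "=" ignored, "#"/";" comment lines skipped, first match wins).
smb_param() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# range_ok LO-HI: succeed if the string is a single ascending numeric range.
range_ok() {
    r=$(printf '%s' "$1" | tr -d ' \t')
    case "$r" in
        ""|-*|*-|*[!0-9-]*) return 1 ;;
        *-*) ;;
        *) return 1 ;;
    esac
    case "${r#*-}" in *-*) return 1 ;; esac
    [ "${r%%-*}" -lt "${r##*-}" ]
}

# check_idmap SMBCONF PASSWD: succeed if the idmap ranges are usable.
# PASSWD is an /etc/passwd-format file; pass /etc/passwd on the real host.
check_idmap() {
    conf=$1; passwd=$2; rc=0
    uid_range=$(smb_param "$conf" "idmap uid" | tr -d ' \t')
    gid_range=$(smb_param "$conf" "idmap gid" | tr -d ' \t')
    if [ -z "$uid_range" ] && [ -z "$gid_range" ]; then
        # Non-deprecated syntax: one range shared by uids and gids.
        uid_range=$(smb_param "$conf" "idmap config * : range" | tr -d ' \t')
        gid_range=$uid_range
    fi
    if ! range_ok "$uid_range" || ! range_ok "$gid_range"; then
        echo "idmap: missing or malformed range (uid='$uid_range' gid='$gid_range')"
        return 1
    fi
    if [ "$uid_range" != "$gid_range" ]; then
        echo "idmap: uid range $uid_range and gid range $gid_range differ;" \
             "the tdb backend has one range for both, so make them equal"
        rc=1
    fi
    lo=${uid_range%%-*}; hi=${uid_range##*-}
    if [ "$lo" -lt 1000 ]; then
        echo "idmap: range starts at $lo, inside the local/system account space"
        rc=1
    fi
    # A local account whose UID or GID falls inside the range would share its
    # identity (and file ownership) with whichever AD account gets that id.
    clash=$(awk -F: -v lo="$lo" -v hi="$hi" \
        '($3+0 >= lo && $3+0 <= hi) || ($4+0 >= lo && $4+0 <= hi) { printf "%s(%s:%s) ", $1, $3, $4 }' "$passwd")
    if [ -n "$clash" ]; then
        echo "idmap: local accounts inside the range: $clash"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "idmap: range $lo-$hi OK; equivalent non-deprecated form:"
        printf '    idmap config * : backend = tdb\n    idmap config * : range = %s-%s\n' "$lo" "$hi"
    fi
    return "$rc"
}

# On the server: sh check_idmap.sh /etc/samba/smb.conf /etc/passwd
if [ "$#" -ge 1 ]; then
    check_idmap "$1" "${2:-/etc/passwd}"
fi
```

Run against the smb.conf shown above, the check fails on the mismatched ranges; once both are set to the same range and no local account sits inside it, it prints the idmap config * lines that replace the deprecated parameters.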
Edit nsswitch.conf
cp -p /etc/nsswitch.conf /etc/nsswitch.conf.orig
vi /etc/nsswitch.conf
#-----
passwd: files winbind
shadow: files winbind
group: files winbind
Edit krb5.conf
cp -p /etc/krb5.conf /etc/krb5.conf.orig
vi /etc/krb5.conf
#-----
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = wins.example.com
admin_server = wins.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Start the services
Start the samba service first:
service smb start
Then start the winbind service:
service winbind start
Only winbind is needed for domain lookups; smbd is required only if this host will also serve shares. Enable winbind with chkconfig as well so it starts at boot.
Join the Windows domain
[root@demo ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'DEMO' to dns domain 'example.com'
No DNS domain configured for demo. Unable to perform DNS Update.
DNS update failed!
The two DNS update lines in the output above are a warning, not a join failure: the host's canonical name has no domain part, because the 127.0.0.1 line in /etc/hosts maps the bare name demo before the 192.168.56.13 line maps demo.example.com, so the join cannot register the host's A record. Listing the FQDN first on the 192.168.56.13 line (192.168.56.13 demo.example.com demo) and keeping demo off the loopback line avoids it. If the join itself fails, first synchronise the clock with the AD server and retry (Kerberos rejects requests whose clock skew exceeds 300 seconds by default):
net time set -I wins.example.com
net ads join -U administrator
A one-off net time set is enough to join; afterwards keep the server synchronised with ntpd against the domain controller, otherwise Kerberos authentication starts failing once the clocks drift apart.
Test the services
Confirm connectivity to the AD server
[root@demo etc]# net ads info
LDAP server: 192.168.56.5
LDAP server name: wins.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 28 Oct 2014 13:57:05 CST
KDC server: 192.168.56.5
Server time offset: 0
[root@demo etc]# net ads testjoin
Join is OK
List the users and groups on the AD server
[root@demo etc]# wbinfo -u
EXAMPLE\administrator
EXAMPLE\guest
EXAMPLE\krbtgt
EXAMPLE\test
EXAMPLE\aduser1
EXAMPLE\aduser2
[root@demo etc]# wbinfo -g
EXAMPLE\domain computers
EXAMPLE\domain controllers
EXAMPLE\schema admins
EXAMPLE\enterprise admins
EXAMPLE\cert publishers
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\domain guests
EXAMPLE\group policy creator owners
EXAMPLE\ras and ias servers
EXAMPLE\allowed rodc password replication group
EXAMPLE\denied rodc password replication group
EXAMPLE\read-only domain controllers
EXAMPLE\enterprise read-only domain controllers
EXAMPLE\dnsadmins
EXAMPLE\dnsupdateproxy
EXAMPLE\ts web access computers
Test user authentication
[root@demo ~]# id EXAMPLE\\aduser1
uid=16777216(EXAMPLE\aduser1) gid=16777222(EXAMPLE\domain users) groups=16777222(EXAMPLE\domain users),16777217(BUILTIN\users)
[root@demo ~]# ntlm_auth --username=EXAMPLE\\aduser1
password:
NT_STATUS_OK: Success (0x0)
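Note that the UIDs in the id output above (16777216) fall outside the 10000-25000 range configured in smb.conf; when that happens, check with testparm -s which idmap settings winbind actually loaded. The following script is an added example (not from the original article) that turns the checks in this section into one repeatable test: it parses the Server time offset line of net ads info and the uid field of id, and verify_join runs net ads testjoin, wbinfo -t, net ads info and id against the live domain, failing if the clock skew approaches the 300-second Kerberos limit or the mapped UID is outside the configured range. The function names and the 10000-25000 default range are this example's assumptions.

```shell
#!/bin/sh
# Verify the domain join from the Linux side. Added example, not from the
# original article. The parsing functions work on the output formats shown
# above ("net ads info", "id"); verify_join runs the live commands and is only
# invoked when a user name is passed, so the file can also be sourced.

# ads_offset TEXT: the N from "Server time offset: N" in net ads info output.
ads_offset() {
    printf '%s\n' "$1" | awk -F': *' '/^Server time offset:/ { print $2; exit }'
}

# skew_ok OFFSET: MIT Kerberos rejects tickets once the clock skew exceeds
# 300 s (default clockskew); treat anything beyond that as a failure.
skew_ok() {
    off=$1
    case "$off" in ""|*[!0-9-]*) return 1 ;; esac
    [ "$off" -lt 0 ] && off=$(( -off ))
    [ "$off" -le 300 ]
}

# id_uid ID_OUTPUT: numeric uid from "uid=16777216(EXAMPLE\aduser1) gid=...".
id_uid() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# uid_in_range UID LO HI: succeed if LO <= UID <= HI.
uid_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# verify_join USER LO HI: live checks against the DC; stops at the first failure.
verify_join() {
    user=$1; lo=$2; hi=$3
    net ads testjoin      || { echo "FAIL: machine account or secret (net ads testjoin)"; return 1; }
    wbinfo -t             || { echo "FAIL: winbind cannot use the trust secret (wbinfo -t)"; return 1; }
    info=$(net ads info)  || { echo "FAIL: net ads info"; return 1; }
    off=$(ads_offset "$info")
    skew_ok "$off"        || { echo "FAIL: clock skew ${off}s against the DC; sync time"; return 1; }
    line=$(id "$user")    || { echo "FAIL: $user not resolvable through NSS/winbind"; return 1; }
    uid=$(id_uid "$line")
    uid_in_range "$uid" "$lo" "$hi" || {
        echo "FAIL: uid $uid outside idmap range $lo-$hi; check 'testparm -s | grep idmap'"
        return 1
    }
    echo "OK: $user -> uid $uid, clock skew ${off}s"
}

# On the joined host: sh verify_join.sh 'EXAMPLE\aduser1' 10000 25000
if [ "$#" -ge 1 ]; then
    verify_join "$1" "${2:-10000}" "${3:-25000}"
fi
```

ntlm_auth, as used above, exercises the NTLM path through winbind; to confirm the krb5.conf settings, run kinit aduser1@EXAMPLE.COM followed by klist. The nsswitch changes make AD accounts visible to id and to file ownership but do not by themselves permit logins; for ssh or console logins add pam_winbind to the PAM stack (on EL6: authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update).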