Supplementary theory
PDC: primary domain controller, generally used for authentication.
BDC: backup domain controller, generally used to synchronise accounts and similar data with the primary domain controller.
KDC: key distribution centre; put plainly, the Kerberos server. This requires some understanding of Kerberos, which is not covered here.
PAM: pluggable authentication modules. PAM applies different authentication methods to the services you need, such as sshd, login, ftp and so on. Each of these services has a corresponding configuration file under /etc/pam.d/, and the shared libraries that implement the authentication methods live under /lib/security/.
SRV: service location resource record. For Active Directory to work properly, DNS must support SRV records; Active Directory clients and domain controllers use SRV records to determine the IP addresses of domain controllers.
I. Using the graphical tool
Environment: Linux Red Hat 5.3 (64-bit), Windows Server 2003
AD domain name: edi.com; AD domain host: ediad.edi.com
AD domain members: ss1.edi.com (Linux), ss2.edi.com (Linux)
Set up the AD domain yourself, including DNS with working forward and reverse resolution.
1. Packages that must be installed on Linux
krb5-libs
krb5-workstation
samba-client
samba
samba-common
2. Modify the Linux environment
Hostname:
Add a record to /etc/hosts
192.168.1.211 ss1.edi.com ss1
Add the following to /etc/sysconfig/network
HOSTNAME=ss1.edi.com
NETWORKING=yes
DNS resolution:
/etc/resolv.conf
nameserver 192.168.1.1
Test DNS resolution:
[root@ss1 ~]# nslookup
> ss1.edi.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: ss1.edi.com
Address: 192.168.1.211
>
Before joining, first stop the two services:
/etc/init.d/smb stop
/etc/init.d/winbind stop
Joining the domain through the graphical tool
1. Run the setup command and enter the authentication configuration option.
2. Select the options marked with *, then go to the next step.
3. Enter the AD domain name and the hostname of the AD domain host, as shown in the figure:
4. Choose the ads security model; enter the domain, the domain controller and the ADS realm, as shown in the figure:
5. Then choose to join the domain and go to the next step.
6. You are prompted for the domain administrator password. Enter it and confirm to go to the next step.
7. Back at the join-domain screen, choose OK, then exit setup.
8. The join is performed at this point. Then start the winbind service, and after that the smb service.
/etc/init.d/smb restart
/etc/init.d/winbind restart
9. Check the result on the domain server, as shown in the figure.
II. Editing the configuration files
(1) Configure /etc/samba/smb.conf (Samba only treats whole lines starting with # or ; as comments, so the comments are kept on their own lines)
# the domain you are joining
workgroup = edi
# winbind
# your Linux machine name, i.e. the Samba server
netbios name = ss1.edi.com
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
; winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
security = domain
# the IP of the machine where AD is installed
password server = 192.168.1.1
encrypt passwords = yes
[homes]
comment = Home Directories
path = /home/%D/%U
browseable = no
writable = yes
valid users = %U
(2) Configure /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
(3) Start the samba and winbind services
/etc/init.d/smb start
/etc/init.d/winbind start
(4) Join the AD domain with net
[root@ss1 pam.d]# net join -w edi -S ediad.edi.com -U administrator
Password:
Joined domain edi.
(5) Test whether the join succeeded
[root@ss1 pam.d]# net rpc testjoin
Join to 'edi' is OK
[root@ss1 pam.d]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@ss1 pam.d]# wbinfo -u
EDI\administrator
EDI\guest
EDI\support_388945a0
EDI\krbtgt
[root@ss1 ~]# wbinfo -g
BUILTIN\administrators
BUILTIN\users
EDI\domain computers
EDI\domain controllers
EDI\schema admins
EDI\enterprise admins
EDI\domain admins
EDI\domain users
EDI\domain guests
EDI\group policy creator owners
EDI\dnsupdateproxy
[root@ss1 pam.d]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
redhat:x:500:500:redhat:/home/redhat:/bin/bash
ibrix:x:501:503::/home/ibrix:/bin/bash
[root@leeldap pam.d]# getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
nscd:x:28:
floppy:x:19:
vcsa:x:69:
pcap:x:77:
utmp:x:22:
utempter:x:35:
slocate:x:21:
rpc:x:32:
mailnull:x:47:
smmsp:x:51:
rpcuser:x:29:
nfsnobody:x:4294967294:
sshd:x:74:
dbus:x:81:
haldaemon:x:68:
avahi-autoipd:x:101:
avahi:x:70:
ntp:x:38:
xfs:x:43:
gdm:x:42:
sabayon:x:86:
stapdev:x:102:
stapusr:x:103:
redhat:x:500:
ibrix:x:501:
ibrix-admin:x:502:root,ibrix
ibrix-user:x:503:ibrix
(6) The machine now appears in Active Directory on the AD server.
Next, a simple application of the AD membership, since otherwise it is not obvious what joining is good for. Now that the Samba server is a member of the AD domain, the natural question is whether accounts from the Windows domain can access the Linux machine. The answer is yes, and this is what winbind is for: when a Windows domain account logs in to the Linux host, the winbind service asks the AD server to verify that the account is valid, instead of checking the local /etc/passwd on Linux. If you want to use different authentication methods, PAM lets you set that up in as much detail as you like.
(1) Make sure the password server option is configured in /etc/samba/smb.conf
(2) Configure /etc/pam.d/system-auth
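Before running net join it is worth checking the settings from (1) and (2) mechanically. The script below is an added example and not part of the original post; the function names (smb_value, idmap_clash, nss_uses_winbind) and the sample file contents are mine, built from the settings and a few lines of the getent passwd output shown above. It flags an idmap uid range that overlaps local UIDs, which would let winbind hand a domain user the UID of a local account, and a passwd or group line in nsswitch.conf that does not consult winbind, which is why getent and login would never see domain users.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for smb.conf and
# nsswitch.conf before running "net join". Assumes only POSIX sh, awk and sed.

# smb_value FILE KEY -> value of KEY from the global part of smb.conf.
# Lines starting with ';' or '#' are comments. A '#' later on a line is
# stripped here for convenience only; Samba itself does not support trailing
# comments, so keep comments on their own lines in the real file.
smb_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { section = $0; next }
        section != "" && section !~ /\[global\]/ { next }
        {
            line = $0
            sub(/#.*$/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# idmap_clash SMBCONF PASSWD -> lists local accounts whose UID falls inside the
# "idmap uid" range. Winbind allocates domain users from that range, so any
# overlap lets a domain user share a UID with a local account. Returns 1 on overlap.
idmap_clash() {
    range=$(smb_value "$1" "idmap uid")
    lo=${range%-*}
    hi=${range#*-}
    hits=$(awk -F: -v lo="$lo" -v hi="$hi" '$3 >= lo && $3 <= hi { printf "%s(%s) ", $1, $3 }' "$2")
    if [ -n "$hits" ]; then
        echo "idmap uid $range overlaps local accounts: $hits"
        return 1
    fi
    echo "idmap uid $range does not overlap local UIDs"
}

# nss_uses_winbind NSSWITCH -> 0 if both the passwd and group databases list
# winbind; without that, getent and login never see domain accounts.
nss_uses_winbind() {
    rc=0
    for db in passwd group; do
        if awk -v db="$db" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 } END { exit !ok }' "$1"; then
            echo "nsswitch.conf: $db consults winbind"
        else
            echo "nsswitch.conf: $db does NOT consult winbind"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (contents taken from the post's settings and a few
# lines of its getent passwd output), plus a deliberately bad smb.conf whose
# idmap range starts at UID 500 and so collides with the "redhat" and "ibrix" users.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/smb.conf" <<'EOF'
workgroup = edi
# winbind
netbios name = ss1.edi.com
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum users = yes
security = domain
password server = 192.168.1.1
[homes]
path = /home/%D/%U
EOF
sed 's/^idmap uid = .*/idmap uid = 500-20000/' "$tmp/smb.conf" > "$tmp/smb-bad.conf"
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
redhat:x:500:500:redhat:/home/redhat:/bin/bash
ibrix:x:501:503::/home/ibrix:/bin/bash
EOF
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
EOF

echo "password server: $(smb_value "$tmp/smb.conf" 'password server')"
idmap_clash "$tmp/smb.conf" "$tmp/passwd"
idmap_clash "$tmp/smb-bad.conf" "$tmp/passwd" || true
nss_uses_winbind "$tmp/nsswitch.conf"
```

On a real host, point the functions at /etc/samba/smb.conf, /etc/passwd and /etc/nsswitch.conf instead of the sample files; both checks return non-zero on a problem, so they can gate the join in a provisioning script.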
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
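The stack above only works as intended if a few structural properties hold, so here is a small lint for it, written as an added example that is not part of the original post. The function names pam_lines and pam_lint are mine, and the config it reads is a constructed copy of the system-auth shown above. It checks that the auth stack ends in an explicit pam_deny.so, that pam_winbind.so is present in both the auth and account stacks (auth proves the password; account is where pam_winbind applies AD's account-level restrictions such as expiry), and that the krb5/winbind entries after pam_unix.so carry use_first_pass so the user is asked for the password only once.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the system-auth stack.
# Assumes POSIX sh, awk and sed only; the config is a constructed copy of the
# post's file.

# pam_lines FILE TYPE -> "control module args" for every entry of one stack
pam_lines() {
    awk -v type="$2" '/^[ \t]*#/ { next } $1 == type { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# pam_lint FILE -> one line per finding; returns 1 if anything was found
pam_lint() {
    f="$1"; bad=0
    # auth must end in an explicit deny so a run in which every "sufficient"
    # module failed does not depend on PAM's fall-through behaviour.
    last=$(pam_lines "$f" auth | tail -n 1)
    case "$last" in
        "required pam_deny.so"*) ;;
        *) echo "auth: last entry is '$last', expected 'required pam_deny.so'"; bad=1 ;;
    esac
    # winbind must be in auth AND account: auth alone checks the password,
    # account is where pam_winbind enforces AD account restrictions.
    for t in auth account; do
        if ! pam_lines "$f" "$t" | grep -q 'pam_winbind\.so'; then
            echo "$t: pam_winbind.so missing"; bad=1
        fi
    done
    # krb5/winbind entries after pam_unix should reuse the password pam_unix
    # already collected (use_first_pass); otherwise the user is prompted again.
    if ! pam_lines "$f" auth | awk '
        /pam_unix\.so/ { seen_unix = 1 }
        seen_unix && /pam_(winbind|krb5)\.so/ && !/use_first_pass/ { print "auth: " $0 " lacks use_first_pass"; bad = 1 }
        END { exit bad + 0 }'; then
        bad=1
    fi
    return $bad
}

# Constructed copy of the post's system-auth, and a broken variant in which the
# final deny is gone and pam_winbind no longer reuses the collected password.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/system-auth" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
EOF
sed -e '/^auth required pam_deny.so/d' \
    -e 's/^auth sufficient pam_winbind.so use_first_pass/auth sufficient pam_winbind.so/' \
    "$tmp/system-auth" > "$tmp/system-auth.bad"

pam_lint "$tmp/system-auth" && echo "system-auth: OK"
pam_lint "$tmp/system-auth.bad" || echo "system-auth.bad: see findings above"
```

Run it against /etc/pam.d/system-auth on the real host instead of the sample file; a zero exit status means none of the three findings applies.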
That's it; now enjoy logging in to the Linux host with an AD account. The above joined the domain via RPC. Next, a few words about krb.
First, how to install the packages krb needs. Same old advice: to save trouble, go with the default installation. It uses a bit more space, but knowledge is priceless. If you are still unsure, run rpm -qa | grep krb to check whether the necessary packages are installed.
(1) The next job is, of course, to configure /etc/krb5.conf (comments are kept on their own lines, since the krb5 profile parser does not recognise trailing comments)
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
# change this to true
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# change this to the AD realm you belong to
default_realm = edi.com
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
# write the entry for your own AD realm following the example.com one
edi.com = {
kdc = edi.com:88
kdc = edi.com
}
EDI.COM = {
kdc = ediad.edi.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
# you can add these yourself, or modify the example.com lines above
edi.com = edi.com
.edi.com = edi.com
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
(2) With the file configured, it is time to use the commands that come with Kerberos.
[root@ss1 etc]# kinit
[email protected]
kinit(v5): Cannot find KDC for requested realm while getting initial credentials
Don't panic; Google/Baidu it. Change dns_lookup_kdc = true in krb5.conf and continue.
[root@leeldap etc]# kinit
[email protected]
Cannot resolve network address for KDC in requested realm while getting initial credentials
Another error. The key word is resolve, which immediately points to /etc/resolv.conf. Opening it, it turned out to be using the company DNS; switch to our own:
nameserver 192.168.1.1 # AD server
#nameserver 202.96.134.133
#nameserver 192.168.0.3
Continuing:
At last the password prompt appeared, to quiet delight, but then a clock-skew error popped up. Looking it up, the clocks have to be within 5 minutes of each other. I immediately checked the time on the AD server and on the Linux server; faint, they were identical, so why the error? Then I remembered that the Linux installer asks whether to synchronise with a time server. More reading, and in the end I used this command
[root@ss1 etc]# ntpdate -b 192.168.1.1 # AD server
17 Aug 18:08:23 ntpdate[1959]: step time server 192.168.1.1 offset 0.080875 sec
to synchronise the time. Ran kinit again and at last no error. Thank goodness.
(3) Modify the /etc/samba/smb.conf configuration file
It is much the same as for net rpc join; only security = ads needs to change.
(4) Then start the smb and winbind services
(5) Join the domain with net ads join (no arguments needed)
[root@leeldap var]# net ads join
Using short domain name -- edi
Joined 'ss1' to realm 'EDI.COM'
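The two kinit errors above and the realm name in the join output ('EDI.COM', upper-case) all come down to krb5.conf being consistent with the realm the KDC actually serves. The following checker is an added example and not part of the original post; the function names (krb_setting, krb_realm_kdcs, krb_domain_realm, krb_lint, clock_skew_ok) and both sample files are mine, the first built from the config as posted and the second from its corrected form. It reports a default_realm that is not upper-case, a realm with neither a kdc entry nor dns_lookup_kdc = true (the 'Cannot find KDC for requested realm' case), and a [domain_realm] section that does not map the DNS domain onto the realm; clock_skew_ok encodes the 5-minute limit that made the ntpdate step necessary.

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks on krb5.conf
# for the failure modes met above. Assumes POSIX sh and awk; the sample files
# are constructed from the post's configuration.

# krb_setting FILE KEY -> value of KEY inside [libdefaults]
krb_setting() {
    awk -v key="$2" '
        /^[ \t]*\[/ { sec = $0; next }
        sec ~ /\[libdefaults\]/ && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# krb_realm_kdcs FILE REALM -> every kdc declared for REALM in [realms]
krb_realm_kdcs() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { sec = $0; cur = ""; next }
        sec !~ /\[realms\]/ { next }
        $2 == "=" && $3 == "{" { cur = $1; next }
        $1 == "}" { cur = ""; next }
        cur == realm && $1 == "kdc" && $2 == "=" { print $3 }' "$1"
}

# krb_domain_realm FILE DOMAIN -> realm that DOMAIN maps to in [domain_realm]
krb_domain_realm() {
    awk -v dom="$2" '
        /^[ \t]*\[/ { sec = $0; next }
        sec ~ /\[domain_realm\]/ && $1 == dom && $2 == "=" { print $3; exit }' "$1"
}

# krb_lint FILE -> one line per finding, returns 1 if any
krb_lint() {
    f="$1"; bad=0
    realm=$(krb_setting "$f" default_realm)
    [ -n "$realm" ] || { echo "no default_realm in [libdefaults]"; return 1; }
    # Realm names are case-sensitive; an AD realm is the DNS domain in upper
    # case, so a lower-case default_realm names a realm the KDC does not serve.
    upper=$(printf '%s' "$realm" | tr 'a-z' 'A-Z')
    [ "$realm" = "$upper" ] || { echo "default_realm '$realm' should be '$upper'"; bad=1; }
    # Without a kdc line the library can only locate the KDC through DNS SRV
    # records, which needs dns_lookup_kdc = true; otherwise kinit reports
    # "Cannot find KDC for requested realm".
    if [ -z "$(krb_realm_kdcs "$f" "$realm")" ] && [ "$(krb_setting "$f" dns_lookup_kdc)" != "true" ]; then
        echo "realm '$realm': no kdc entry and dns_lookup_kdc is not true"; bad=1
    fi
    # The host's DNS domain (and its subdomains) must map onto the realm.
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    for d in ".$domain" "$domain"; do
        m=$(krb_domain_realm "$f" "$d")
        [ "$m" = "$realm" ] || { echo "[domain_realm] '$d' maps to '${m:-nothing}', expected '$realm'"; bad=1; }
    done
    return $bad
}

# clock_skew_ok LOCAL_EPOCH KDC_EPOCH -> 0 when the clocks are within the
# 5-minute window the KDC enforces (the reason for the ntpdate step above).
clock_skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le 300 ]
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# Constructed from the config as posted: lower-case realm, kdc given directly.
cat > "$tmp/krb5-as-posted.conf" <<'EOF'
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_realm = edi.com
[realms]
 edi.com = {
  kdc = edi.com:88
  kdc = edi.com
 }
 EDI.COM = {
  kdc = ediad.edi.com
 }
[domain_realm]
 edi.com = edi.com
 .edi.com = edi.com
EOF
# Corrected form: upper-case realm, the DC as KDC, the domain mapped onto it.
cat > "$tmp/krb5-fixed.conf" <<'EOF'
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_realm = EDI.COM
[realms]
 EDI.COM = {
  kdc = ediad.edi.com
 }
[domain_realm]
 .edi.com = EDI.COM
 edi.com = EDI.COM
EOF

krb_lint "$tmp/krb5-as-posted.conf" || echo "as posted: see findings above"
krb_lint "$tmp/krb5-fixed.conf" && echo "fixed: OK"
clock_skew_ok 1000 1200 && echo "skew 200s: within limit"
clock_skew_ok 1000 1400 || echo "skew 400s: kinit will fail until the clocks are synchronised"
```

Point krb_lint at /etc/krb5.conf on the host to check the real file; with the realm in upper case and both [domain_realm] lines mapping to it, the config matches the realm name that net ads join prints.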