linux加入域的配置


代码:

cat /etc/resolv.conf
nameserver 192.168.5.10
代码:

cat /etc/krb5.conf
# /etc/krb5.conf as dumped on the joined host: realm 51CTO.COM, KDC/kadmin on ad.51cto.com.
# Only lines that START with '#' or ';' are comments in krb5.conf; keep notes on their own line.
[logging]
# Log destinations for the Kerberos libraries, the KDC and kadmind.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Realm assumed when a principal is given without one; realm names are upper case.
default_realm = 51CTO.COM
# Realm and KDC come from the static [realms]/[domain_realm] entries below, not from DNS.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
# Forwardable tickets let a service act on the user's behalf; keep off unless it is needed.
forwardable = yes
[realms]
51CTO.COM = {
# Domain controller: KDC on port 88, kadmin on port 749.
kdc = ad.51cto.com:88
admin_server = ad.51cto.com:749
default_domain = 51cto.com
}

[domain_realm]
# Map the DNS domain and every host under it to the realm.
.51cto.com = 51CTO.COM
51cto.com = 51CTO.COM
[kdc]
# Stock entry from the distribution template; only relevant if this host also runs a KDC.
profile=/var/kerberos/krb5kdc/kdc.conf
[appdefaults]
# Settings read by pam_krb5; the lifetimes here are presumably seconds (36000 = 10h) -- confirm.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
代码:

cat /etc/samba/smb.conf |grep -v ";"|grep -v "#" |grep -v "^$"
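# smb.conf dump (comment and blank lines were filtered out by the grep pipeline above).
# Samba treats only lines that START with ';' or '#' as comments, so notes stay on their
# own line; when a parameter is repeated inside a section the last value wins.
[global]
workgroup = 51CTO
netbios name = linux
# Defined once; the original dump set this twice and the later "Version %v" line won.
server string = Samba Server Version %v
printcap name = /etc/printcap
password server = ad.51cto.com
realm = 51CTO.COM
# Kerberos/AD member mode; the host is joined with `net ads join`.
security = ads
# UID/GID range winbind allocates to domain accounts. It starts at 500, where local
# accounts on this distribution presumably start too -- check it does not overlap them.
idmap uid = 500-33554431
idmap gid = 500-33554431
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = true
template homedir = /home/%U
winbind separator = /
# Enumeration is what lets `getent passwd`/`getent group` list domain accounts;
# it is costly on large domains.
winbind enum users = yes
winbind enum groups = yes
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
# NOTE(review): 0777 makes every new file and directory in a home share world-writable;
# 0700 (the mode the chmod step later in this guide uses) is the usual choice for homes.
create mode = 0777
directory mode = 0777
path = /home/%U
# %S is the share name, which for [homes] equals the user name. The dump also carried a
# second, overriding line `valid users = MYDOMAIN\%S` left over from the stock template;
# MYDOMAIN is a placeholder that matches nothing, so that line is dropped here.
valid users = %S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes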


以上是图解。。


下面说说

vi /etc/krb5.conf

例如我的linux 名是linux,域控名是2003-r2-4.ccna.local

根据配置修改以下内容:
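[libdefaults]
# Realm name in upper case.
default_realm = CCNA.LOCAL
# Let DNS (the SRV/TXT records the domain controller publishes) locate realm and KDC.
dns_lookup_realm = true
dns_lookup_kdc = true
# The author flags this setting as important. Keep notes on their own line: krb5.conf
# only treats lines that START with '#' or ';' as comments, so the original's trailing
# "#..." note would have become part of the value.
ticket_lifetime = 24h
# Spelled "forwrdable" in the original; a misspelled key is ignored, so the option had no effect.
forwardable = yes
[realms]

CCNA.LOCAL = {
kdc = 2003-r2-4.ccna.local
admin_server = 2003-r2-4.ccna.local
default_domain = ccna.local
}

[domain_realm]
# Map the real DNS domain to the realm. The original kept the template's
# ".kerberos.server" placeholder, which matches no host in this setup.
.ccna.local = CCNA.LOCAL
ccna.local = CCNA.LOCAL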

保存,测试通信

kinit <domain-user>@CCNA.LOCAL


如果正常通信会返回到命令行,否则会显示出错
配置/etc/samba/smb.conf
修改以下几点
 workgroup = CCNA
 realm = CCNA.LOCAL
 server string = Samba Server
 security = ADS
 password server = 192.168.10.234 #这是域控IP
 log file = /var/log/samba/%m.log
 max log size = 50
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = /etc/printcap
 preferred master = No
 dns proxy = No
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 template shell = /bin/bash #这样AD用户就可以登录linux本机了,如果不想让其登录,就不分配shell 如 template shell = /bin/null
 winbind separator = /  #域名跟用户之间的分隔符,例:CCNA/test
 winbind use default domain = Yes #设yes,则用户可以不用输域名前辍就可以验证,设no,则需输域名前辍
 cups options = raw
winbind cache time = 3600
保存后用testparm检查配置有没有错,重启samba服务
加域: net ads join -S ccna.local -U domainadminusername

另一种方法加域

 net rpc join -S snoopy.echo -U Administrator


最后一步,配置WINBIND,将/etc/nsswitch.conf前面三行改为
passwd:  files winbind
shadow:  files winbind
group:  files winbind

保存后重启winbind 服务
现在验证winbind是否工作
wbinfo -u
如果返回域用户信息,则配置成功



建立AD用户家目录,默认情况下,AD用户的家目录会在/home/domain/下,不过要自己创建,如果想改变AD用户家目录路径,
可以在smb.conf的全局设置里添加 template homedir = /home/%U ,这是把目录 设在/home/下
更改权限:
先设默认目录跟文件的权限
umask 077 (这样新建的目录权限变为 drwx------ 了)
更改AD用户家目录的拥有者
更改时,要用ad组的id才成功,如 chown domainuser:domaingroupid filename #可以用getent group查看
更改其它用户权限:
chmod 700 filename
如果想用acl管理其它用户对文件的权限,需要在/etc/fstab 中挂载的分区的第四列加上acl
eg:/dev/sda4 /mnt/sda4 ext3 defaults,acl 0 0
做到这里有一个小问题,就是刚起动winbind服务时,读取不到域用户信息,日志显示
make_server_info_info3: pdb_init_sam failed!
要用 wbinfo -u 才行




再一种方法详解:



一、实验环境:

AD server:windows server 2003

AD samba:centos 5.2

AD server的hostname和IP地址:

rocdk890  192.168.1.142/24

AD samba的hostname和IP地址:

lamp    192.168.1.144/24

Domain name:rocdk890.tt.com

DNS:192.168.1.142

安装NTP时间验证套件:

# mount /dev/cdrom /media

# rpm -ivh /cdrom/CentOS/RPMS/ntp-4.2.2p1-7.el5.i386.rpm

当然也可以用yum来安装

#yum -y install ntp (注意ntp要小写)

再来与AD server校准时间

# ntpdate 192.168.1.142

# hwclock -w

安装Samba服务器软件需求:

krb5-workstation-1.2.7-19

pam_krb5-1.70-1

krb5-devel-1.2.7-19

krb5-libs-1.2.7-19

samba-3.0.5-2

当然我在这里偷了下懒,我直接用yum进行的安装,毕竟只是了解下这个实验的思路,所以就不用管安全性了。

#yum -y install samba

安装完后,如果你要确认samba安装成功没有可以用下述命令来检查samba包的基础库支持,一般用yum安装或RPM安装是不会有问题的。

# smbd -b | grep LDAP

HAVE_LDAP_H

HAVE_LDAP

HAVE_LDAP_DOMAIN2HOSTLIST

...

# smbd -b | grep KRB

HAVE_KRB5_H

HAVE_ADDRTYPE_IN_KRB5_ADDRESS

HAVE_KRB5

...

# smbd -b | grep ADS

WITH_ADS

WITH_ADS

# smbd -b | grep WINBIND

WITH_WINBIND

WITH_WINBIND

二、编辑设定档

1、krb5配置

#vi /etc/krb5.conf

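[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm name, upper case. Notes must be full lines: krb5.conf only treats lines that
# START with '#' or ';' as comments, so the original's trailing "# ..." notes would
# have become part of the values (e.g. default_realm = "TT.COM # ...").
default_realm = TT.COM
# Use the static [realms]/[domain_realm] entries below instead of DNS lookups.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
# Realm name in upper case.
TT.COM = {
# Domain controller IP: KDC on port 88, kadmin on port 749.
kdc = 192.168.1.142:88
admin_server = 192.168.1.142:749
# The DNS domain is lower case here.
default_domain = tt.com
}

[domain_realm]
# Domain-to-realm mapping: the DNS domain and every host under it.
.tt.com = TT.COM
tt.com = TT.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}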

连接AD server

kinit <domain-user>@TT.COM

Kerberos 的 kinit 命令将测试服务器间的通信,后面的域名TT.COM 是你的活动目录的域名,必须大写,否则会收到错误信息:

kinit(v5): Cannot find KDC for requested realm while getting initial credentials.

如果通信正常,你会提示输入口令,口令正确的话,就返回 bash 提示符,如果错误则报告:

kinit(v5): Preauthentication failed while getting initial credentials.

这一步代表了已经可以和AD server做沟通了,但并不代表Samba Server已经加入域了。

2、smb.conf配置

#vi /etc/samba/smb.conf

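#===================== Global Settings =========================
# Samba only treats lines that START with ';' or '#' as comments. The original put
# "# ..." notes after several values (workgroup, netbios name, encrypt passwords,
# valid users), which makes the note part of the value; they are full lines here.

[global]
   # Must be the domain's own name.
   workgroup = TT
   # This Linux host's name.
   netbios name = lamp
   idmap uid  = 15000-20000
   idmap gid  = 15000-20000
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator  = /
;    winbind use default domain = yes
   template homedir = /home/%D/%U
   template shell  = /bin/bash
;    interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
   hosts allow =192.168.1. 127. 192.168.12. 192.168.13.

# ----------------------- Domain Members Options ------------------------
   # NT4-style domain member (joined with `net rpc join`), not Kerberos/ADS.
   security = domain
;    passdb backend = tdbsam
   # The author prefers to keep realm commented out with security = domain.
;   realm = TT.COM
   # The author notes this must be set, or the later verification step fails.
   encrypt passwords = yes
   password server = 192.168.1.142

[homes]
 path = /home/%D/%U
 browseable = no
 writable = yes
 # Keep the domain prefix here; without it a correct AD user and password still cannot
 # open the home share. NOTE(review): winbind lists this domain as "TT" (wbinfo output),
 # so confirm that "tt.com/%U" resolves; "TT/%U" may be what is needed.
 valid users = tt.com/%U
 # NOTE(review): 0777 makes new files and directories in home shares world-writable;
 # 0700 is the usual setting for home directories.
 create mode = 0777
 directory mode = 0777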

3、配置nsswitch.conf

#vi /etc/nsswitch.conf

修改以下位置

passwd:   files winbind

shadow:   files

group:   files winbind

4、启用samba和winbind服务

service smb reload  #加这一句是用来解决有时候samba启动不了的问题

service smb start

service winbind start

5、加入AD域

[root@lamp ~]# net rpc join -S rocdk890.tt.com -U administrator

Password:

Joined domain TT.

6、验证加入是否成功

[root@lamp ~]# net rpc testjoin

Join to 'TT' is OK

[root@lamp ~]# wbinfo -t

checking the trust secret via RPC calls succeeded

[root@lamp ~]# wbinfo -u

TT/administrator

TT/guest

TT/support_388945a0

TT/krbtgt

[root@lamp ~]# wbinfo -g

TT/domain computers

TT/domain controllers

TT/schema admins

TT/enterprise admins

TT/domain admins

TT/domain users

TT/domain guests

TT/group policy creator owners

TT/dnsupdateproxy

[root@lamp ~]# getent passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

news:x:9:13:news:/etc/news:

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

rpm:x:37:37::/var/lib/rpm:/sbin/nologin

dbus:x:81:81:System message bus:/:/sbin/nologin

mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

nscd:x:28:28:NSCD Daemon:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin

rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

pcap:x:77:77::/var/arpwatch:/sbin/nologin

haldaemon:x:68:68:HAL daemon:/:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

TT/administrator:*:15000:15000:Administrator:/home/TT/administrator:/bin/bash

TT/guest:*:15001:15001:Guest:/home/TT/guest:/bin/bash

TT/support_388945a0:*:15002:15000:SUPPORT_388945a0:/home/TT/support_388945a0:/bin/bash

TT/krbtgt:*:15003:15000:krbtgt:/home/TT/krbtgt:/bin/bash

[root@lamp ~]# getent group

root:x:0:root

bin:x:1:root,bin,daemon

daemon:x:2:root,bin,daemon

sys:x:3:root,bin,adm

adm:x:4:root,adm,daemon

tty:x:5:

disk:x:6:root

lp:x:7:daemon,lp

mem:x:8:

kmem:x:9:

wheel:x:10:root

mail:x:12:mail

news:x:13:news

uucp:x:14:uucp

man:x:15:

games:x:20:

gopher:x:30:

dip:x:40:

ftp:x:50:

lock:x:54:

nobody:x:99:

users:x:100:

rpm:x:37:

dbus:x:81:

utmp:x:22:

mailnull:x:47:

smmsp:x:51:

nscd:x:28:

floppy:x:19:

vcsa:x:69:

rpc:x:32:

rpcuser:x:29:

nfsnobody:x:65534:

sshd:x:74:

pcap:x:77:

utempter:x:35:

slocate:x:21:

haldaemon:x:68:

ntp:x:38:

TT/domain computers:*:15002:

TT/domain controllers:*:15003:

TT/schema admins:*:15004:TT/administrator

TT/enterprise admins:*:15005:TT/administrator

TT/domain admins:*:15006:TT/administrator

TT/domain users:*:15000:

TT/domain guests:*:15001:

TT/group policy creator owners:*:15007:TT/administrator

TT/dnsupdateproxy:*:15008:

7、做完这些,就可以到AD server上的活动目录中看到该机器了,剩下的就不用我说了吧。



