使用samba将linux主机加入AD域

2007-10-28 23:06:59

　标签：windows samba AD samba加入域　samba加入2003的域　　　[推送到技术圈]

使用samba将linux主机加入AD域(一)

在研究中经常看到下面这些东东，还是先了解下理论依据
PDC：主域控制器，一般用来做验证
BDC：备份域控制器，一般用于和主域做同步帐号等操作
KDC：密钥分发中心，说白了，就是kerbrose服务器。这个需要对kerbrose有一定的了解，这里不多说了
PAM：可插拔认证模块，这玩意就是使用不同的验证方法来验证你所需要的服务，比如sshd，login，ftp等。这些服务都对应一个配置文件，这个配置文件位于/etc/pam.d/下。而支持这些验证的动态库位于/lib/security/下。
SRV：服务器定位资源记录，要使活动目录正常工作，DNS必须支持SRV。活动目录客户端和域控制器使用SRV记录决定域控制器的ip地址，具体请参见 http://www.cnblogs.com/LCX/archive/2007/02/05/640843.html

下面言归正传，介绍如何将samba服务器加入到AD域中
(1)配置/etc/samba/smb.conf

workgroup = LIZL # 你要加入的域
# winbind
   netbios name = leeldap        #你的linux机器名,samba服务器
   idmap uid    = 15000-20000
   idmap gid    = 15000-20000
   winbind enum groups = yes
   winbind enum users  = yes
   winbind separator   = /
  ; winbind use default domain = yes
   template homedir = /home/%D/%U
   template shell   = /bin/bash
security = domain
password server = 192.168.115.108 #这里是你的安装ad的机器的ip
encrypt passwords = yes
[homes]
   comment = Home Directories
   path = /home/%D/%U
   browseable = no
   writable = yes
   valid users = %U

(2)配置/etc/nsswitch.conf

passwd:     files winbind
shadow:     files
group:      files winbind

(3)启用samba和winbind服务

service smb start
service winbind start

(4)使用net加入AD域

[root@leeldap pam.d]# net rpc join -S lee -U administrator
Password:
Joined domain LIZL.

(5)测试是否加入成功

[root@leeldap pam.d]# net rpc testjoin
Join to 'LIZL' is OK
[root@leeldap pam.d]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@leeldap pam.d]# wbinfo -u
LIZL/Administrator
LIZL/brown
LIZL/bruce
LIZL/Guest
LIZL/jet
LIZL/krbtgt
LIZL/lee
LIZL/lili
LIZL/lizl
LIZL/samba
LIZL/SUPPORT_388945a0
LIZL/test
[root@leeldap pam.d]# wbinfo -g
BUILTIN/System Operators
BUILTIN/Replicators
BUILTIN/Guests
BUILTIN/Power Users
BUILTIN/Print Operators
BUILTIN/Administrators
BUILTIN/Account Operators
BUILTIN/Backup Operators
BUILTIN/Users
[root@leeldap pam.d]# getent passwd
root:x:0:0:root:/root:/bin/bash
。。。。。。。
LIZL/administrator:x:15000:15000::/home/LIZL/administrator:/bin/bash
LIZL/brown:x:15001:15000:Brown Lee:/home/LIZL/brown:/bin/bash
LIZL/bruce:x:15002:15000:Bruce Lee:/home/LIZL/bruce:/bin/bash
LIZL/guest:x:15003:15000::/home/LIZL/guest:/bin/bash
LIZL/jet:x:15004:15000:Jet Chen:/home/LIZL/jet:/bin/bash
LIZL/krbtgt:x:15005:15000::/home/LIZL/krbtgt:/bin/bash
LIZL/lee:x:15006:15000:Jackie Lee:/home/LIZL/lee:/bin/bash
LIZL/lili:x:15007:15000:lily:/home/LIZL/lili:/bin/bash
LIZL/lizl:x:15008:15000:lizhili:/home/LIZL/lizl:/bin/bash
LIZL/samba:x:15013:15000:samba:/home/LIZL/samba:/bin/bash
LIZL/support_388945a0:x:15009:15000:CN=Microsoft Corporation,L=Redmond,S=Washington,C=US:/home/LIZL/support_388945a0:/bin/bash
LIZL/test:x:15014:15000:test:/home/LIZL/test:/bin/bash
[root@leeldap pam.d]# getent group
root:x:0:root
。。。。。
BUILTIN/System Operators:x:15009:
BUILTIN/Replicators:x:15010:
BUILTIN/Guests:x:15011:
BUILTIN/Power Users:x:15012:
BUILTIN/Print Operators:x:15013:
BUILTIN/Administrators:x:15014:
BUILTIN/Account Operators:x:15015:
BUILTIN/Backup Operators:x:15016:
BUILTIN/Users:x:15017:

(5) 现在可以到ad机器上的活动目录中可以看到该机器了

接下来介绍加入AD域后的一个简单应用，要不就不知道这样加有啥子用了。既然samba服务器已经加入AD域中，那自然会想到，window域中的本地帐号是否能访问linux机器呢？答案是肯定的。这就是winbind的作用了，当window域中的本地帐号需要登录linux主机时，winbind服务去ad服务器去验证该帐号是否合法，而不是到linux本地的/etc/passwd中去验证，当然如果要用不同的验证方式，就可以用pam去进行复杂的设定.
(1)确保/etc/samba/smb.conf中配置了passwd server选项

(2)配置system-auth

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required     /lib/security/$ISA/pam_permit.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

好了，接下来享受下用ad帐号登录linux主机的快乐吧。。如果要结合samba控制目录访问等权限的话，继续努力研究吧。。。

使用samba将linux主机加入AD域(二)

自从上次用net rpc把linux主机加入到AD域后,着实兴奋了几天.但上次也有些遗留的问题没有搞明白,比如和net ads join加入域的区别.kerbrose认证基本没用到.于是琢磨着用net ads再加一次.趁着老大去北京出差的机会,公司的事情又不是很忙,还是好好来研究一番.

先谈下krb那些支持的包如何装,还是那句老话,图省事,就默认安装吧,虽然用的空间多点,但是知识可是无价的.呵呵.如果实在不放心,可以用rpm -qa | grep krb查看下是否安装了必要的包.

(1)接下来的工作当然是配置/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = LIZL.COM #改成自己的
dns_lookup_realm = false
dns_lookup_kdc = true    #这个地方有改动

[realms]
    LIZL.COM = {
      kdc = 192.168.51.33:88   #一个字,改
      admin_server = 192.168.51.33:749 #再改
      default_domain = LIZL.COM  #还是改
    }

[domain_realm]
.lizl.com = LIZL.COM  #改成自己的AD
lizl.com = LIZL.COM   #改成自己的AD

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
     pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

(2)文件配置好了,现在要用kerbrose自带的命令来操作了.

[root@leeldap etc]# kinit administrator@LIZL.COM
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

别慌,google,baidu一下.修改krb5.conf中的dns_lookup_kdc = true,继续

[root@leeldap etc]# kinit administrator@LIZL.COM
Cannot resolve network address for KDC in requested realm while getting initial credentials

又是错误,错误关键字resolve,马上想到/etc/resolv.conf,打开一看,原来用的公司的dns,改用自己的

1 nameser

lanfox

使用samba将linux主机加入AD域