samba 将 linux主机 加入AD域
在研究中经常看到下面这些东东,还是先了解下理论依据
PDC:主域控制器,一般用来做验证
BDC:备份域控制器,一般用于和主域做同步帐号等操作
KDC:密钥分发中心,说白了,就是kerbrose服务器。这个需要对kerbrose有一定的了解,这里不多说了
PAM:可插拔认证模块,这玩意就是使用不同的验证方法来验证你所需要的服务,比如sshd,login,ftp等。这些服务都对应一个配置文件,这个配置文件位于/etc/pam.d/下。而支持这些验证的动态库位于/lib/security/下。
SRV:服务器定位资源记录,要使活动目录正常工作,DNS必须支持SRV。活动目录客户端和域控制器使用SRV记录决定域控制器的ip地址,具体请参见
下面言归正传,介绍如何将samba服务器加入到AD域中
(1)配置/etc/samba/smb.conf
# winbind
netbios name = leeldap #你的linux机器名,samba服务器
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
; winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
security = domain
password server = 192.168.115.108 #这里是你的安装ad的机器的ip
encrypt passwords = yes
[homes]
comment = Home Directories
path = /home/%D/%U
browseable = no
writable = yes
valid users = %U
(2)配置/etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
(3)启用samba和winbind服务
service smb start
service winbind start
(4)使用net加入AD域
[root@leeldap pam.d]# net rpc join -S lee -U administrator
Password:
Joined domain LIZL.
(5)测试是否加入成功
[root@leeldap pam.d]# net rpc testjoin
Join to 'LIZL' is OK
[root@leeldap pam.d]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@leeldap pam.d]# wbinfo -u
LIZL/Administrator
LIZL/brown
LIZL/bruce
LIZL/Guest
LIZL/jet
LIZL/krbtgt
LIZL/lee
LIZL/lili
LIZL/lizl
LIZL/samba
LIZL/SUPPORT_388945a0
LIZL/test
[root@leeldap pam.d]# wbinfo -g
BUILTIN/System Operators
BUILTIN/Replicators
BUILTIN/Guests
BUILTIN/Power Users
BUILTIN/Print Operators
BUILTIN/Administrators
BUILTIN/Account Operators
BUILTIN/Backup Operators
BUILTIN/Users
[root@leeldap pam.d]# getent passwd
root:x:0:0:root:/root:/bin/bash
。。。。。。。
LIZL/administrator:x:15000:15000::/home/LIZL/administrator:/bin/bash
LIZL/brown:x:15001:15000:Brown Lee:/home/LIZL/brown:/bin/bash
LIZL/bruce:x:15002:15000:Bruce Lee:/home/LIZL/bruce:/bin/bash
LIZL/guest:x:15003:15000::/home/LIZL/guest:/bin/bash
LIZL/jet:x:15004:15000:Jet Chen:/home/LIZL/jet:/bin/bash
LIZL/krbtgt:x:15005:15000::/home/LIZL/krbtgt:/bin/bash
LIZL/lee:x:15006:15000:Jackie Lee:/home/LIZL/lee:/bin/bash
LIZL/lili:x:15007:15000:lily:/home/LIZL/lili:/bin/bash
LIZL/lizl:x:15008:15000:lizhili:/home/LIZL/lizl:/bin/bash
LIZL/samba:x:15013:15000:samba:/home/LIZL/samba:/bin/bash
LIZL/support_388945a0:x:15009:15000:CN=Microsoft Corporation,L=Redmond,S=Washington,C=US:/home/LIZL/support_388945a0:/bin/bash
LIZL/test:x:15014:15000:test:/home/LIZL/test:/bin/bash
[root@leeldap pam.d]# getent group
root:x:0:root
。。。。。
BUILTIN/System Operators:x:15009:
BUILTIN/Replicators:x:15010:
BUILTIN/Guests:x:15011:
BUILTIN/Power Users:x:15012:
BUILTIN/Print Operators:x:15013:
BUILTIN/Administrators:x:15014:
BUILTIN/Account Operators:x:15015:
BUILTIN/Backup Operators:x:15016:
BUILTIN/Users:x:15017:
(5) 现在可以到ad机器上的活动目录中可以看到该机器了
接 下来介绍加入AD域后的一个简单应用,要不就不知道这样加有啥子用了。既然samba服务器已经加入AD域中,那自然会想到,window域中的本地帐号 是否能访问linux机器呢?答案是肯定的。这就是winbind的作用了,当window域中的本地帐号需要登录linux时,winbind服务 去ad服务器去验证该帐号是否合法,而不是到linux本地的/etc/passwd中去验证,当然如果要用不同的验证方式,就可以用pam去进行复杂的 设定.
(1)确保/etc/samba/smb.conf中配置了passwd server选项,这个折磨过我2天,一定要切记
(2)配置system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password required /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
好了,接下来享受下用ad帐号登录linux主机的快乐吧。。如果要结合samba控制目录访问等权限的话,继续努力研究吧。。。
- 最新评论