查看“ActiveDirectoryWinbindHowto”的源代码
来自Ubuntu中文
←
ActiveDirectoryWinbindHowto
跳到导航
跳到搜索
因为以下原因,您没有权限编辑该页面:
您请求的操作仅限属于该用户组的用户执行:
用户
您可以查看和复制此页面的源代码。
== 活动目录与 Winbind 指南 == 原文出处: 原文作者: 授权许可: * [http://creativecommons.org/licenses/by-sa/2.0/ 创作共用协议Attribution-ShareAlike 2.0] * [http://www.gnu.org/copyleft/fdl.html GNU自由文档许可证] 翻译人员:xiaotian0127 校正人员: 贡献人员: 适用版本: 文章状态:等待校正 ---- This Howto describes how to add a Ubuntu box in a Active Directory domain and to authenticate the users with AD. 这是一个关于怎样在一个Active Directory domain中增加一个ubuntu box并使用AD进行用户验证的介绍. === Used software === {|border="1" cellspacing="0" |<rowbgcolor="#e5e5e5">'''Name''' ||'''Version''' |- |MS Windows Server || 2003 standard sp1 |- |Linux ||Ubuntu Breezy 5.10 |- |Winbind ||3.0.14a-Ubuntu |- |Samba ||3.0.14a-Ubuntu |- |krb5-user ||1.3.6-1 |- |libpam-krb5 ||1.0-12 |} === Used terms === {|border="1" cellspacing="0" |<rowbgcolor="#e5e5e5">'''term''' ||'''definition''' |- |AD || Active Directory(活动目录) |- |DC ||Domain Controller(域控制器) |- |lab.example.com ||AD domain |- |win2k3.lab.example.com || DC FQDN |- |10.0.0.1 ||DC IP |- |LAB.EXAMPLE.COM ||Kerberos Realm |- |linuxwork ||computername of the Ubuntu workstation(Ubuntu工作站的计算机名) |- |linuxwork.lab.example.com ||FQDN of the Ubuntu workstation(Ubuntu工作站的完整域名) |- |ntp.example.com ||timeserver (NTP) |} === Confirm Connectivity === The first step to configuring an Ubuntu client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both of these is to ping the fully-qualified domain name (FQDN) of the AD DC on your network. 确认连接畅通 第一步是配置活动目录(AD)所在网络的Ubuntu客户端以确保网络的畅通和ActiveDirectory的域控制器的名字解析无误. 可以用一个简单的方法来验证这两点,那就是ping你的网络上的活动目录的域控制器的完整域名(FQDN) <pre><nowiki> root@linuxwork:~# ping win2k3.lab.example.com PING win2k3.lab.example.com (10.0.0.1) 56(84) bytes of data. 64 bytes from win2k3.lab.example.com (10.0.0.1): icmp_seq=1 ttl=128 time=0.176ms </nowiki></pre> The output of the ping response shows successful resolution of the FQDN to an IP Address, and the confirmation of connectivity between your Ubuntu workstation and the AD DC. ping的输出显示FQDN已经被成功的解析为一个IP地址了,并且您ubuntu工作站和AD DC之间的连接已经畅通. === Time settings === Time is essential for Kerberos, which is used for authentication in Active Directory networks. The easiest way to ensure correct time syncronization is to use a NTP-Server. Every Active Directory Domain Controller is also an NTP server, so for best results, use the FQDN of an AD DC in Ubuntu's default ''ntpdate'' application, which syncs time at startup or on demand. 时间设置 时间对于kerberos是必不可少的,他用于ActiveDirectory网络中的认证. 最简单的方法是使用一个NTP服务器来确保时间的正确同步 每一个活动目录域控制器同时也是一个NTP服务器,为了达到最佳效果,在Ubuntu默认的ntpdate应用中使用AD DC的完整域名,他将在开机时或者按指定的要求来同步时间。 file: <code><nowiki>/etc/default/ntpdate</nowiki></code> <pre><nowiki> # servers to check NTPSERVERS="win2k3.lab.example.com" # additional options for ntpdate NTPOPTIONS="-u" </nowiki></pre> <pre><nowiki> root@linuxwork:~# /etc/init.d/ntpdate restart * Synchronizing clock to win2k3.lab.example.com... [ ok ] </nowiki></pre> === FQDN === A valid FQDN is essential for Kerberos and Active Directory. Active Directory is heavily dependent upon DNS, and it is likely that your Active Directory Domain Controllers are also running the Microsoft DNS server package. Here, we will edit the local hosts file on your Ubuntu workstation to make sure that your FQDN is resolvable. FQDN(Fully Qualified Domain Name,正式完整域名) 对于Kerberos和活动目录来说,一个有效的FQDN是必不可少的 活动目录非常依赖于DNS,因此很可能您的ActiveDirectory域控制器也在运行着Microsoft的DNS服务器组件. 在这里,我们将在您的ubuntu工作站上编辑本地hosts文件,以确保您的域名是可以解析的. file: <code><nowiki>/etc/hosts</nowiki></code> <pre><nowiki> 127.0.0.1 linuxwork.lab.example.com localhost linuxwork </nowiki></pre> You can test your configurating by PINGING your own FQDN. The output should be similar to the PING output above, from the Network Connectivity test (of course, the FQDN will be your own, and the IP address will be 127.0.0.1). 您也可以通过ping您自己的完整域名来测试您的配置 输出的结果应该类似于上面的ping输出的结果,在网络中连线测试(当然, 这个域名将是您自己,而IP地址,将将是127.0.0.1). === Set up Kerberos === The first step in setting up Kerberos is to install the appropriate client software. This process assumes that you have opened up all the Breezy main and security sources in your ''sources.list'' as well as the Universe repository. 设置Kerberos的第一步是要安装适当的客户端软件. 这个过程假设你已经在你的sources.list以及Univers repository中打开了所有breezy的main和security源. ==== Required software ==== 需要的软件To properly install the necessary Kerberos packages, you should use the following ''apt-get'' command to install the software: 恰当的安装必需的Kerberos软件包,您需要下列的apt-get命令来安装软件: <pre><nowiki> root@linuxwork:~# apt-get install krb5-user libpam-krb5 </nowiki></pre> https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png For ''krb5-user'' you will need the ''universe'' repository. 对于''krb5-user'' 您将需要''universe'' repository. https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If you do not intend to acquire a Kerberos ticket at login, you need not install the ''libpam-krb5'' package. 如果你不打算在登录时要求Kerberos ticket,你不用安装libpam-krb5软件包. This command will also fetch the additional packages ''krb5-config'', ''libkrb53'', and ''libkadm55''. 该命令还将去取得附加软件包krb5-config,libkrb53,libkadm55。 The ''krb5-config'' installation will present a prompt: 该krb5-config安装将会提示: <pre><nowiki> What are the Kerberos servers for your realm? win2k3.lab.example.com What is the administrative server for your Kerberos realm? win2k3.lab.example.com </nowiki></pre> These prompts should be answered according to the Active Directory Domain Controller in charge of your domain. The ''krb5-config'' process customize the <code><nowiki>/etc/krb5.conf</nowiki></code> file for your installation. In most cases, this config file will work successfully, but if you want a more streamlined config file (e.g., without all the Kerberos 4 cruft), you can use the following as a template: 这些提示应该根据您负责的域的ActiveDirectory的域控制器来回答. 该krb5-config程序将定制<code><nowiki>/etc/krb5.conf</nowiki></code>文件以供安装使用. 在大多数情况下, 这个配置文件将正常工作, 但是,如果你想要一个更精简的配置文件 (例如, without all the Kerberos 4 cruft), 您可以使用下列模板: file: <code><nowiki>/etc/krb5.conf</nowiki></code> <pre><nowiki> [logging] default = FILE:/var/log/krb5.log [libdefaults] ticket_lifetime = 24000 clock_skew = 300 default_realm = LAB.EXAMPLE.COM # dns_lookup_realm = false # dns_lookup_kdc = true [realms] LAB.EXAMPLE.COM = { kdc = win2k3.lab.example.com:88 admin_server = win2k3.lab.example.com:464 default_domain = LAB.EXAMPLE.COM } [domain_realm] .lab.example.com = LAB.EXAMPLE.COM lab.example.com = LAB.EXAMPLE.COM </nowiki></pre> Notice the two "DNS" directive are commented out. You can elect to use DNS to find Kerberos realm servers, or you can elect to use the <code><nowiki>krb5.conf</nowiki></code> file to define Kerberos realm servers. If you elect to use DNS, uncomment the two lines above and instead comment or remove the entire directive for your realm under the <code><nowiki>[realms]</nowiki></code> heading. 注意这两个"dns"指令已经被注释掉. 你可以选择使用dns寻找kerberos realm服务器 或者你可以选择使用<code><nowiki>krb5.conf</nowiki></code>文件来定义kerberos realm的服务器. 如果你选择使用DNS, 取消上面的两行注释而代之以在<code><nowiki>[realms]</nowiki></code>标题下注释或移除完整的指令. ''' Testing''' '''测试 ''' Request a Ticket-Granting Ticket (TGT) by issuing the <code><nowiki>kinit</nowiki></code> command, as shown (you can use any valid domain account; it doesn't have to be Administrator. You can also omit the domain name from the command if the "default_realm" directive is properly applied in the <code><nowiki>/etc/krb5.conf</nowiki></code> file. 通过发出<code><nowiki>kinit</nowiki></code>命令来获得Ticket-Granting Ticket (TGT),如上所示(你可以使用任何有效域帐户; 它不必是管理员. 你也可以在命令中省略域名,如果"default_realm"指令在 <code><nowiki>/etc/krb5.conf</nowiki></code> 文件中被妥善应用的话. <pre><nowiki> root@linuxwork:~# kinit Administrator@LAB.EXAMPLE.COM Password for Administrator@LAB.EXAMPLE.COM: **** </nowiki></pre> Check if ticket request was valid using the <code><nowiki>klist</nowiki></code> command. 使用 <code><nowiki>klist</nowiki></code> 命令检查一下ticket是否有效. <pre><nowiki> root@linuxwork:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator@LAB.EXAMPLE.COM Valid starting Expires Service principal 01/21/05 10:28:51 01/21/05 20:27:43 krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM renew until 01/21/05 20:28:51 </nowiki></pre> At this point, your Kerberos installation and configuration is operating correctly. You can release your test ticket by issuing the <code><nowiki>kdestroy</nowiki></code> command. 此时,你的Kerberos已经被正确的安装和配置,你可以使用 <code><nowiki>kdestroy</nowiki></code> 命令来释放你的测试ticket. === Join AD domain === 加入AD域 ==== Required software ==== 需要的软件 https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png For Windows 2003 Server SP1 Winbind version 3.0.14a is necessary. In Hoary is only version 3.0.10, but you can find 3.0.14a in Breezy. 需要的软件 Windows 2003 Server SP1 Winbind version 3.0.14a是必需的。在Hoary中仅有 3.0.10版,但是在Breezy中你能找到3.0.14a。 <pre><nowiki> root@linuxwork:~# apt-get install winbind samba [smbfs smbclient] </nowiki></pre> https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The package ''smbfs'' is optional, but includes useful client utilities, including the '''smbmount''' command. Also useful is the ''smbclient'' package, which includes an FTP-like client for SMB shares. 软件包"smbfs"是可选的,但是他包含了许多有用的客户端工具,包括"smbmount"命令. "smbclient"软件包也是有用的,其中包括为SMB共享建立一个类ftp客户端. ==== Join ==== 加入下列参数 file: <code><nowiki> /etc/samba/smb.conf </nowiki></code> <pre><nowiki> [global] security = ads realm = LAB.EXAMPLE.COM password server = 10.0.0.1 workgroup = LAB # winbind separator = + idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%U template shell = /bin/bash client use spnego = yes client use ntlmv2 = yes encrypt passwords = yes winbind use default domain = yes restrict anonymous = 2 </nowiki></pre> https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The "winbind use default domain" parameter is useful in single-domain enterprises and makes winbind assume that all user authentications should be performed in the domain to which winbind is joined. Omit this parameter if your environment includes multiple domains or if your account domain differs from the resource domain. The "winbind separator" directive is optional, and the default value is the usual backslash "\" Domain and User separator. You can use "+" if you know of a specific reason "\" will not work in your environment. "winbind use default domain"参数在单域环境中是非常有用的,使winbind采取所有用户应当在域中进行认证来决定哪一个winbind加入. 如果您的环境包含多个域或假如你的帐户域与资源域不同,请省略这个参数. "winbind separator"选项是可选的,默认值是通常的反斜线"\"域和用户分隔符. 你可以使用"+"号,如果在您的环境因为某个特定原因"\"不能用的话 Be sure to restart the Samba and Winbind services after changing the <code><nowiki>/etc/samba/smb.conf</nowiki></code> file: 一定要重启samba和winbind服务在修改 <code><nowiki>/etc/samba/smb.conf</nowiki></code> 文件后: <pre><nowiki> root@linuxwork:~# /etc/init.d/winbind stop root@linuxwork:~# /etc/init.d/samba restart root@linuxwork:~# /etc/init.d/winbind start </nowiki></pre> Request a valid Kerberos TGT for an account, which is allowed to join a workstation into the AD domain. 一个帐号要求,要增加一个工作站到AD域需要一个帐号,该帐号要求有效的Kerberos TGT. <pre><nowiki> root@linuxwork:~# net ads join Using short domain name – LAB Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM' </nowiki></pre> https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If the Kerberos auth was valid, you should not get asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command <code><nowiki>sudo net ads join -U username</nowiki></code> and supply your password when prompted. Otherwise, you will be asked to authenticate as root@LAB.EXAMPLE.COM instead of a valid account name. 如果Kerberos认证是有效的, 你不应当为密码设置问题。但是, 如果你不能以root用户工作,那么你将使用sudo命令来完成必要的任务,使用命令 <code><nowiki>sudo net ads join -U username</nowiki></code> ,当提示要求时输入您的密码 否则, 你会被要求作为root@lab.example.com进行认证 ,以代替一个有效的帐号名. ==== Testing ==== 测试 <pre><nowiki> # wbinfo -u </nowiki></pre> You should get a list of the users of the domain. 你会得到一个域用户列表。 And a list of the groups. <pre><nowiki> # wbinfo -g </nowiki></pre> === Setup Authentication === ==== nsswitch ==== file: <code><nowiki>/etc/nsswitch.conf</nowiki></code> <pre><nowiki> passwd: compat winbind group: compat winbind shadow: compat </nowiki></pre> ==== Testing ==== Check Winbind nsswitch module with '''getent'''. <pre><nowiki> root@linuxwork:~# getent passwd root:x:0:0:root:/root:/bin/bash ... LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash ... </nowiki></pre> <pre><nowiki> root@linuxwork:~# getent group root:x:0: daemon:x:1: bin:x:2: ... LAB+organisations-admins:x:10005:administrator LAB+domänen-admins:x:10006:manuel,administrator LAB+domänen-benutzer:x:10000: LAB+domänen-gäste:x:10001: LAB+linux-admins:x:10004:manuel ... </nowiki></pre> ==== PAM ==== With this config you can access the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of ''pam_winbind.so'' and ''pam_unix.so'' should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication to the Windows/Samba DC for each login and sudo use. This can litter the DC's event log. Likewise, if local accounts are checked first, the /var/log/auth.log will be littered with failed logon attempts each time a domain account is accessed. 这个配置下,你可以利用本地用户或域用户访问工作站 域用户第一次登录时会创建一个home目录. 这个PAM配置假定这个系统将主要用于域帐户. 如果相反(即,该系统将主要用于本地用户), 当使用本地用户时,pam_winbind.so和pam_unix.so顺序应当翻转. 这儿显示的配置将导致登录时和使用sudo时Windows/samba DC认证失败. 这样可能丢失DC的事件日志 同样的,如果先检查本地帐户, 每次当一个域帐户被访问,/var/log/auth.log将满布失败的登录尝试. This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use ''kinit'' after logging in, and consider using ''kdestroy'' in a logout script. 登录时这个PAM配置不需要Kerberos TGT. 需要ticket,登录后使用kinit,并考虑在登出脚本内使用"kdestroy". file: <code><nowiki>/etc/pam.d/common-account</nowiki></code> <pre><nowiki> account sufficient pam_winbind.so account required pam_unix.so </nowiki></pre> file: <code><nowiki>/etc/pam.d/common-auth</nowiki></code> <pre><nowiki> auth sufficient pam_winbind.so auth sufficient pam_unix.so nullok_secure use_first_pass auth required pam_deny.so </nowiki></pre> file: <code><nowiki>/etc/pam.d/common-session</nowiki></code> <pre><nowiki> session required pam_unix.so session required pam_mkhomedir.so umask=0022 skel=/etc/skel </nowiki></pre> file: <code><nowiki>/etc/pam.d/sudo</nowiki></code> <pre><nowiki> auth sufficient pam_winbind.so auth sufficient pam_unix.so use_first_pass auth required pam_deny.so @include common-account </nowiki></pre> === Final configuration === Each domain needs a directory in /home/. 最终配置 每个域在/home/中需要一个目录 <pre><nowiki> root@linuxwork:~# mkdir /home/LAB </nowiki></pre> === Usage === 用法 Logon with DOMAIN+USERNAME, unless you included "winbind use default domain" in your ''smb.conf'', in which case you may log in using only USERNAME. 除了在你的smb.conf中包括了"winbind use default domain"时你可以用"域+用户名"登录外,在其他任何情况下,你可登录使用只有用户名. <pre><nowiki> login: LAB+manuel Password: ***** ... LAB+manuel@linuxwork:~$ </nowiki></pre> === Troubleshooting === 疑难解答 If the Winbind PAM module in <code><nowiki>/var/log/auth.log</nowiki></code> says, that the AD-user is not existing, restart winbind. Probably it's best to restart the whole workstation. 如果 <code><nowiki>/var/log/auth.log</nowiki></code> 文件中的Winbind PAM模块显示, 即该AD-user是不存在的,重启winbind. 可能最好也要重新启动整个工作站. <pre><nowiki> root@linuxwork:~# /etc/init.d/winbind start </nowiki></pre> ==== External Docs ==== Also see [http://wiki.randompage.org/index.php/Using_Samba_on_Debian_Linux_to_authenticate_against_Active_Directory Using Samba on Debian Linux to authenticate against Active Directory] on randompage.org. It largely mirrors this page but has a little more detail. 另见 [http://wiki.randompage.org/index.php/Using_Samba_on_Debian_Linux_to_authenticate_against_Active_Directory Using Samba on Debian Linux to authenticate against Active Directory] 在 randompage.org上. 除了一点细节外,它在很大程度上与这页相似.
返回
ActiveDirectoryWinbindHowto
。
导航菜单
页面操作
页面
讨论
阅读
查看源代码
历史
页面操作
页面
讨论
更多
工具
个人工具
登录
导航
首页
最近更改
随机页面
页面分类
帮助
搜索
编辑
编辑指南
沙盒
新闻动态
字词处理
工具
链入页面
相关更改
特殊页面
页面信息