View source for "UbuntuHelp:ADAuthentication" - Ubuntu中文
{{From|https://help.ubuntu.com/community/ADAuthentication}}
{{Languages|UbuntuHelp:ADAuthentication}}

=== Goal ===
To configure a Linux box (in this case Ubuntu 8.04) to authenticate user logins and samba users via a separate Active Directory server (in this case tested with Win2K3). This is the process as was used to get a Ubuntu Samba box playing nice-nice with "adserver".

=== Assumptions ===
Observe that there's the assumption here that the DNS hostname of your Active Directory box is '''adserver.example.local''' and has an ip '''192.168.1.2'''. So naturally, this means you should swap out what I'm calling it here for whatever you've got.

Also note that the caps names such as '''EXAMPLE.LOCAL''' are required. I forget why, but I'm pretty sure it's explained in one of the reference docs.

=== Packages ===
<pre><nowiki>
sudo apt-get install krb5-user winbind samba ntp
</nowiki></pre>

=== Edit Config Files ===

==== /etc/krb5.conf ====
<pre><nowiki>
[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
    default_realm = EXAMPLE.LOCAL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    EXAMPLE.LOCAL = {
        kdc = adserver.example.local
        admin_server = adserver.example.local
        default_domain = EXAMPLE.LOCAL
    }

[domain_realm]
    .adserver.example.local = EXAMPLE.LOCAL
    adserver.example.local = EXAMPLE.LOCAL
</nowiki></pre>

==== smb.conf ====
<pre><nowiki>
[global]
    security = ads
    realm = EXAMPLE.LOCAL
    password server = 192.168.1.2
    workgroup = WORKGROUP
    use kerberos keytab = true
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    winbind use default domain = yes
    restrict anonymous = 2

;Communal Files
[files]
    comment = Shared Files Stuff
    path = /Storage/
    writable = yes

;Individual Files - sym link /home/%D to /Storage/
</nowiki></pre>

==== nsswitch.conf ====
<pre><nowiki>
passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
</nowiki></pre>

==== ntp.conf ====
Set the time server to the Active Directory server; sufficiently large clock skews can break Kerberos authentication.
<pre><nowiki>
...
server adserver
...
</nowiki></pre>

==== /etc/pam.d/common-account ====
<pre><nowiki>
account sufficient pam_winbind.so
account required   pam_unix.so
</nowiki></pre>

==== /etc/pam.d/common-auth ====
<pre><nowiki>
auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass
</nowiki></pre>

==== /etc/pam.d/common-password ====
<pre><nowiki>
password required pam_unix.so nullok obscure min=4 max=50 md5
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok
</nowiki></pre>

==== /etc/pam.d/common-session ====
<pre><nowiki>
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
</nowiki></pre>

=== Make User Home Dir ===
<pre><nowiki>
mkdir /home/WORKGROUP
</nowiki></pre>

=== Work around potential DNS pitfalls ===
Edit /etc/hosts to contain:
<pre><nowiki>
192.168.1.2   adserver.example.local example.local adserver
'''<local ip>'''   '''<hostname>'''.example.local '''<hostname>'''
</nowiki></pre>

=== Test Kerberos ===
<pre><nowiki>
kinit '''<your username>'''@EXAMPLE.LOCAL
</nowiki></pre>
Check that a ticket was issued:
<pre><nowiki>
klist
</nowiki></pre>

=== Join the Active Directory Domain ===
<pre><nowiki>
net ads join -U administrator@EXAMPLE.LOCAL
</nowiki></pre>
Note that any domain administrator user could be used instead of administrator.

=== Restart key services ===
<pre><nowiki>
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
</nowiki></pre>

=== Restart ssh and test login ===
<pre><nowiki>
/etc/init.d/ssh restart
ssh '''<your username>'''@'''<smb server>'''
</nowiki></pre>

=== Allowing sudo for some users ===
One approach is to add the Active Directory group name of sudoer users to the /etc/sudoers file (of course, you may have to create said group).

''Example '''/etc/sudoers''':''
<pre><nowiki>
%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins"        ALL=(ALL) ALL
</nowiki></pre>

=== References ===
Largely derived from: [http://ubuntuforums.org/showthread.php?t=91510 this page]

=== What's next ===
Once this is working, Apache2 user authentication via Active Directory can quite easily be added on. Check out the [[UbuntuHelp:LinuxApache2ActiveDirectoryAuthentication | page]] here.

----
[[category:CategoryNetworking]]
[[category:UbuntuHelp]]
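As an added check (not part of the original wiki page or of Samba's own tooling), the script below parses the [global] section of an smb.conf and reports any of the AD-member settings used above that are missing or weakened: `security = ads`, NTLMv2-only client auth, SPNEGO, the Kerberos keytab, encrypted passwords and `restrict anonymous = 2`. The list of settings to audit is my assumption of what a defender would want to verify; the sample configs are constructed from the page's example.

```python
# Settings from the page's [global] section that matter for a secure AD member.
# Assumption: this is the list a defender audits; it is not Samba's own validation.
EXPECTED = {
    "security": "ads",            # Kerberos/AD member mode, not plain "user"
    "client ntlmv2 auth": "yes",  # refuse LM/NTLMv1 responses to servers
    "client use spnego": "yes",   # negotiate Kerberos where possible
    "use kerberos keytab": "yes",
    "encrypt passwords": "yes",
    "restrict anonymous": "2",    # no anonymous IPC$ connections
}
BOOL = {"true": "yes", "1": "yes", "false": "no", "0": "no"}  # Samba boolean spellings

def parse_global(text):
    """Return the [global] settings as {key: value}, lower-cased and boolean-normalised."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop comments/blank lines
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            value = value.strip().lower()
            settings[" ".join(key.split()).lower()] = BOOL.get(value, value)
    return settings

def audit(text):
    """List every expected setting that is missing or set to a weaker value."""
    got = parse_global(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in got:
            findings.append(f"{key}: missing")
        elif got[key] != want:
            findings.append(f"{key}: is '{got[key]}', expected '{want}'")
    return findings

# Constructed sample: a trimmed copy of the page's smb.conf, then a weakened variant.
PAGE_CONF = """[global]
security = ads
realm = EXAMPLE.LOCAL
use kerberos keytab = true
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2
;Communal Files
[files]
path = /Storage/
"""
WEAK_CONF = PAGE_CONF.replace("security = ads", "security = user").replace("restrict anonymous = 2\n", "")
```

Run `audit()` over `/etc/samba/smb.conf` after editing it; an empty list means every audited setting matches the page's configuration.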