ADAuthentication: difference between revisions

From Ubuntu中文

Both revisions by Wikibot (talk | contribs), no edit summary

Latest revision as of 17:16, 19 May 2010 (Wednesday)


Goal

To configure a Linux box (in this case Ubuntu 8.04) to authenticate user logins and Samba users against a separate Active Directory server (in this case tested with Windows Server 2003). This is the process that was used to get an Ubuntu Samba box working happily with "adserver".

Assumptions

This page assumes that the DNS hostname of your Active Directory server is adserver.example.local and that its IP address is 192.168.1.2, so substitute your own values wherever these appear. Also note that the upper-case names such as EXAMPLE.LOCAL are required. I forget why, but I'm pretty sure it's explained in one of the reference docs.

Packages

sudo apt-get install krb5-user winbind samba ntp

Edit Config Files

/etc/krb5.conf

For some reason the logging does not work. The [login] section only sets Kerberos 4 compatibility options, which current MIT Kerberos releases no longer support, so it is harmless but unnecessary.

[logging]
	default = FILE:/var/log/krb5.log

[libdefaults]
	default_realm = EXAMPLE.LOCAL
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

[realms]
	EXAMPLE.LOCAL = {
		kdc = adserver.example.local
		admin_server = adserver.example.local
		default_domain = EXAMPLE.LOCAL
	}

[domain_realm]
	.adserver.example.local = EXAMPLE.LOCAL
	adserver.example.local = EXAMPLE.LOCAL
	.kerberos.server = EXAMPLE.LOCAL
[login]
	krb4_convert = true
	krb4_get_tickets = false


/etc/samba/smb.conf

Note that the workgroup is the leftmost label of the realm: EXAMPLE for the realm EXAMPLE.LOCAL.

[global]
	log file = /var/log/samba/log.%m
	max log size = 1000
	security = ADS
	realm = EXAMPLE.LOCAL
	password server = 192.168.1.2
	workgroup = EXAMPLE
	use kerberos keytab = true
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /home/%D/%U
	template shell = /bin/bash
	client use spnego = yes
	client ntlmv2 auth = yes
	encrypt passwords = true
	winbind use default domain = yes
	restrict anonymous = 2

;Communal Files
[files]
	comment = Shared Files Stuff
	path = /Storage/
	writable = yes

;Individual Files - sym link /home/%D to /Storage/ 

This defines a Samba share named files backed by /Storage. The directory must be created and given permissions. Note that a+rwx makes /Storage world-writable; on a shared drop directory, adding the sticky bit (mode 1777) stops users from deleting each other's files.

mkdir /Storage
chmod a+rwx /Storage

/etc/nsswitch.conf

passwd:         compat	winbind
group:          compat	winbind
shadow:         compat

hosts:          files mdns4_minimal dns mdns4 wins [NOTFOUND=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/ntp.conf

Point the time server at the Active Directory server: Kerberos rejects tickets when the clock skew exceeds its tolerance (five minutes by default), so a drifting clock breaks authentication. Best to install ntpd.

...
   server    adserver
...

/etc/pam.d/common-account

account	sufficient	pam_winbind.so
account	required	pam_unix.so

/etc/pam.d/common-auth

auth	sufficient	pam_winbind.so
auth	required	pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password

password	required	pam_unix.so nullok obscure min=4 max=50 md5
password	optional	pam_smbpass.so nullok use_authtok use_first_pass missingok

/etc/pam.d/common-session

session	required	pam_mkhomedir.so umask=0022 skel=/etc/skel

/etc/pam.d/sshd

You may need to add the following line in order to get user home directory auto-creation working:

session    required     pam_mkhomedir.so        skel=/etc/skel/ umask=0022

I added this towards the bottom of /etc/pam.d/sshd, right before the last line, which is an "@include" statement.

Make User Home Dir

The directory name is the same as the workgroup, because template homedir = /home/%D/%U expands %D to the domain name.

mkdir /home/EXAMPLE

Work around potential DNS pitfalls

Edit /etc/hosts to contain:

192.168.1.2	adserver.example.local example.local adserver
127.0.0.1 	<hostname>.example.local localhost <hostname>
<local ip> 	<hostname>.example.local <hostname>
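As an added consistency check (not part of the original how-to), the following Python script parses constructed krb5.conf, smb.conf and /etc/hosts fragments built from this page's values and verifies the invariants the page states: an upper-case realm, a workgroup equal to the realm's leftmost label, a matching default_realm, restrict anonymous = 2, and an /etc/hosts entry for the KDC. The parse_conf and check_ad_config names are my own.

```python
# Constructed config fragments using this page's values; the nested
# 'EXAMPLE.LOCAL = { ... }' realm block is what the parser must fold.
KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.LOCAL
[realms]
    EXAMPLE.LOCAL = {
        kdc = adserver.example.local
    }
"""
SMB_CONF = """[global]
    security = ADS
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    restrict anonymous = 2
"""
HOSTS = "192.168.1.2\tadserver.example.local example.local adserver\n"

def parse_conf(text):
    """Flatten 'key = value' lines into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # smb.conf uses ';' comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val != "{":                   # '{' only opens a nested block
                section[key] = val
    return conf

def check_ad_config(krb5_text, smb_text, hosts_text):
    """Return the invariants from this page that the configs violate."""
    krb5, g = parse_conf(krb5_text), parse_conf(smb_text).get("global", {})
    realm, wg = g.get("realm", ""), g.get("workgroup", "")
    findings = []
    if realm != realm.upper():
        findings.append("realm %s is not upper case" % realm)
    if krb5.get("libdefaults", {}).get("default_realm") != realm:
        findings.append("krb5 default_realm differs from smb.conf realm")
    if wg != realm.split(".")[0]:
        findings.append("workgroup %s is not the leftmost label of %s" % (wg, realm))
    if g.get("restrict anonymous") != "2":
        findings.append("restrict anonymous is not 2 (anonymous enumeration)")
    kdc = krb5.get("realms", {}).get("kdc", "")
    hosts = {h for l in hosts_text.splitlines() for h in l.split()[1:]}
    if kdc and kdc not in hosts:
        findings.append("kdc %s has no /etc/hosts entry" % kdc)
    return findings
```

Run it against the real files by reading /etc/krb5.conf, /etc/samba/smb.conf and /etc/hosts into the three arguments; an empty list means the page's invariants hold.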

Restart key services

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start

Testing

To test Kerberos:

kinit <your username>@EXAMPLE.LOCAL

Check that a ticket was issued: klist
Query the LDAP server: ldapsearch
List all users to test the LDAP configuration: getent passwd
Make sure your time is correct: net time

Join the Active Directory Domain

net ads join -U administrator@EXAMPLE.LOCAL

Note that any domain administrator account could be used instead of administrator. If it does not work, remove @EXAMPLE.LOCAL. If problems persist, add -d5 for extra debugging information.

Restart ssh and test login

/etc/init.d/ssh restart

ssh <your username>@<smb server>

Allowing sudo for some users

One approach is to add the Active Directory group of sudo-capable users to the /etc/sudoers file (you may have to create that group first). Example /etc/sudoers entries:

%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL

References

Largely derived from this page: http://ubuntuforums.org/showthread.php?t=91510
More reading: Winbind Howto (UbuntuHelp:ActiveDirectoryWinbindHowto)

What's next

Once this is working, Apache2 user authentication via Active Directory can quite easily be added on. See the UbuntuHelp:LinuxApache2ActiveDirectoryAuthentication page.