ADAuthentication
Latest revision as of 17:16, 19 May 2010
Source: https://help.ubuntu.com/community/ADAuthentication
Goal
To configure a Linux box (in this case Ubuntu 8.04) to authenticate user logins and Samba users via a separate Active Directory server (in this case tested with Win2K3). This is the process that was used to get an Ubuntu Samba box playing nicely with "adserver".
Assumptions
Observe that there is an assumption here that the DNS hostname of your Active Directory box is adserver.example.local and that it has the IP address 192.168.1.2. Naturally, this means you should swap out what I'm calling it here for whatever you've got. Also note that the upper-case names such as EXAMPLE.LOCAL are required. I forget why, but I'm pretty sure it's explained in one of the reference docs.
Packages
sudo apt-get install krb5-user winbind samba ntp
Edit Config Files
/etc/krb5.conf
For some reason the logging does not work.
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = EXAMPLE.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
EXAMPLE.LOCAL = {
    kdc = adserver.example.local
    admin_server = adserver.example.local
    default_domain = EXAMPLE.LOCAL
}
[domain_realm]
.adserver.example.local = EXAMPLE.LOCAL
adserver.example.local = EXAMPLE.LOCAL
.kerberos.server = EXAMPLE.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
/etc/samba/smb.conf
Note that the workgroup is the leftmost label of the realm.
[global]
log file = /var/log/samba/log.%m
max log size = 1000
security = ADS
realm = EXAMPLE.LOCAL
password server = 192.168.1.2
workgroup = EXAMPLE
use kerberos keytab = true
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
winbind use default domain = yes
restrict anonymous = 2
;Communal Files
[files]
comment = Shared Files Stuff
path = /Storage/
writable = yes
;Individual Files - sym link /home/%D to /Storage/
This creates a Samba share named files backed by /Storage. The directory must be created and permissions assigned; note that a+rwx makes it readable and writable by every account on the box, not only domain users:
mkdir /Storage
chmod a+rwx /Storage
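A consistency check for the two files above, added here as an example and not part of the original page: it parses constructed excerpts of the krb5.conf and smb.conf shown (the parser and function names are this example's own) and verifies the invariants the text relies on, namely that the Samba realm equals the Kerberos default realm and is upper case, that the workgroup is the leftmost label of the realm, and that the KDC host maps back to the realm through [domain_realm].

```python
KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.LOCAL
[realms]
EXAMPLE.LOCAL = {
kdc = adserver.example.local
}
[domain_realm]
adserver.example.local = EXAMPLE.LOCAL
"""  # constructed excerpt of the krb5.conf shown above
SMB_CONF = """[global]
realm = EXAMPLE.LOCAL
workgroup = EXAMPLE
"""  # constructed excerpt of the smb.conf shown above

def parse_ini(text):
    """Parse [section] headers, key = value pairs and krb5-style NAME = { } blocks."""
    root, cur, stack = {}, {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ';#':  # smb.conf comments use ';', krb5.conf '#'
            continue
        if line[0] == '[' and line[-1] == ']':
            cur, stack = root.setdefault(line[1:-1].lower(), {}), []
        elif line.endswith('{'):  # realm block such as "EXAMPLE.LOCAL = {"
            stack.append(cur)
            cur = cur.setdefault(line[:-1].rstrip(' ='), {})
        elif line == '}':
            cur = stack.pop()
        elif '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            cur[key.lower()] = val
    return root

def realm_for_host(domain_realm, host):
    """Map host via [domain_realm]: exact entry first, then dotted parent domains."""
    labels = host.lower().split('.')
    keys = [host.lower()] + ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]
    return next((domain_realm[k] for k in keys if k in domain_realm), None)

def check_domain_config(krb5, smb):
    """Return the invariants this page relies on that do NOT hold (empty list = ok)."""
    g, problems = smb.get('global', {}), []
    realm = g.get('realm', '')
    kdc = krb5.get('realms', {}).get(realm, {}).get('kdc', '')
    if realm != krb5.get('libdefaults', {}).get('default_realm') or not realm.isupper():
        problems.append('smb.conf realm must be upper case and equal krb5.conf default_realm')
    if g.get('workgroup') != realm.split('.')[0]:
        problems.append('workgroup must be the leftmost label of the realm')
    if realm_for_host(krb5.get('domain_realm', {}), kdc) != realm:
        problems.append(f'[domain_realm] does not map kdc {kdc!r} to realm {realm!r}')
    return problems
```

Point the two constants at the real files (open(...).read()) to lint a live box before running net ads join.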
/etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files mdns4_minimal dns mdns4 wins [NOTFOUND=return]
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
/etc/ntp.conf
Set the time server to the Active Directory server: a sufficiently large clock skew (more than five minutes, with the Kerberos default) makes the KDC reject authentication, so you are best off installing ntpd.
...
server adserver
...
/etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so
/etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=50 md5
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok
/etc/pam.d/common-session
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
/etc/pam.d/sshd
You may need to add the following line in order to get user home directory auto-creation working:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
I added this towards the bottom of /etc/pam.d/sshd, right before the last line, an "@include" statement.
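To see why the order and control flags in common-auth matter, here is a small evaluator of Linux-PAM's simple control flags (required, requisite, sufficient, optional), added as an example and not code from this page or from Linux-PAM; it runs the page's common-auth lines with module outcomes supplied as booleans (a constructed simplification of PAM return codes). It shows that a domain user is accepted by pam_winbind alone, that a local account still logs in via pam_unix when winbind cannot authenticate (for instance because the domain controller is unreachable), and that an unknown user is rejected.

```python
COMMON_AUTH = """auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass
"""  # the page's /etc/pam.d/common-auth, embedded as constructed input


def parse_pam(text):
    """Return (type, control, module, args) tuples; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            typ, control, module, *args = line.split()
            rules.append((typ, control, module, args))
    return rules


def run_pam_stack(rules, module_results, typ='auth'):
    """Evaluate one management group (auth, account, ...) with the simple control
    flags. module_results maps module name -> True (PAM_SUCCESS) or False (any
    error); a module absent from the map counts as failed, like a missing .so."""
    failed = False
    for t, control, module, _args in rules:
        if t != typ:
            continue
        ok = module_results.get(module, False)
        if control == 'sufficient' and ok and not failed:
            return True   # short-circuit: the rest of the stack is not consulted
        if control == 'requisite' and not ok:
            return False  # abort at once
        if control == 'required' and not ok:
            failed = True  # keep running the stack, but the final result is failure
        # 'optional', and a failed 'sufficient', leave the outcome unchanged
    return not failed


def login_outcomes(rules):
    """Result of the stack for three constructed scenarios (True = login allowed)."""
    return {
        'ad_user': run_pam_stack(rules, {'pam_winbind.so': True, 'pam_unix.so': False}),
        'local_user': run_pam_stack(rules, {'pam_winbind.so': False, 'pam_unix.so': True}),
        'unknown_user': run_pam_stack(rules, {'pam_winbind.so': False, 'pam_unix.so': False}),
    }
```

Running the same stack with the two lines swapped (required pam_unix before sufficient pam_winbind) rejects every domain user, because the required failure is recorded before winbind gets a chance to succeed.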
Make User Home Dir
The directory name is the same as the workgroup.
mkdir /home/EXAMPLE
Work around potential DNS pitfalls
Edit /etc/hosts to contain:
192.168.1.2 adserver.example.local example.local adserver
127.0.0.1 <hostname>.example.local localhost <hostname>
<local ip> <hostname>.example.local <hostname>
Restart key services
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Testing
To test Kerberos:
kinit <your username>@EXAMPLE.LOCAL
Check that a ticket was issued:
klist
Query LDAP server:
ldapsearch
List all users to test LDAP configuration:
getent passwd
Make sure your time is correct:
net time
Join the Active Directory Domain
net ads join -U administrator@EXAMPLE.LOCAL
Note that any domain administrator account could be used instead of administrator. If it does not work, remove @EXAMPLE.LOCAL. If problems persist, add -d5 for extra debugging information.
Restart ssh and test login
/etc/init.d/ssh restart
ssh <your username>@<smb server>
Allowing sudo for some users
One approach is to add the Active Directory group name of the sudoer users to the /etc/sudoers file (you may have to create said group). Example /etc/sudoers:
%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL
References
Largely derived from: http://ubuntuforums.org/showthread.php?t=91510
More reading: Winbind Howto (UbuntuHelp:ActiveDirectoryWinbindHowto)
What's next
Once this is working, Apache2 user authentication via Active Directory can quite easily be added on. Check out the LinuxApache2ActiveDirectoryAuthentication page.