ActiveDirectoryHowto

From Ubuntu Chinese

Revision as of 20:56, 24 December 2008 (Wed) by 218.74.101.206 (talk) (→libnss-ldap)

Active Directory Authentication Howto

Original source: https://wiki.ubuntu.com/ActiveDirectoryHowto

Original author: UbuntuWiki

License:

Translator: StarBear

Proofreader: MillenniumDark

Contributors:

Applicable versions: Article status: translation complete


Active Directory from Microsoft is a directory service that uses several open protocols, such as Kerberos, LDAP and SSL.

There are several ways to use AD for authentication: you can use pam_krb5, LDAP or winbind. For winbind see UbuntuHelp:ActiveDirectoryWinbindHowto.

Kerberos: pam_krb5

Configure AD:

For pam_krb5 you do not need to configure anything.

pam_krb5

# apt-get install krb5-user libpam-krb5

Package info: krb5-user 1.3.4-4 (MIT Kerberos 5), libpam-krb5 1.0-8 (MIT Kerberos 5)

Set up /etc/krb5.conf, e.g.

[logging]
default = FILE:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = windc.example.com
admin_server = windc.example.com
default_domain = example.com
}


[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Replace windc.example.com with the IP address or FQDN of your Windows domain controller, and EXAMPLE.COM with your Kerberos realm, which is typically the domain name in uppercase.

Check whether you can obtain a Kerberos ticket:

# kinit user
Password for user@EXAMPLE.COM: ...

# klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/26/04 11:23:53  11/26/04 21:23:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
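As an added example (not from the original howto), the following POSIX shell script checks the result of the kinit/klist step against krb5.conf: it reads default_realm from [libdefaults], confirms that klist shows a krbtgt entry for that realm, and lists any single-DES enctypes (des-cbc-crc and friends), which current MIT Kerberos releases no longer support, so a krb5.conf copied from this page needs those entries removed. The krb5.conf fragment and klist output it uses are constructed copies of the EXAMPLE.COM samples on this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: sanity checks for the
# krb5.conf / kinit / klist step. Realm, KDC name and the sample klist
# output are constructed to match the EXAMPLE.COM configuration on this page.

# Print default_realm from the [libdefaults] section of a krb5.conf file.
krb5_default_realm() {
    awk -F= '
        /^[[:space:]]*\[/ { section = $0; gsub(/[[:space:]]/, "", section); next }
        section == "[libdefaults]" {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == "default_realm") { val = $2; gsub(/[[:space:]]/, "", val); print val; exit }
        }
    ' "$1"
}

# List single-DES enctypes (des-cbc-crc, des-cbc-md5, ...) configured in
# [libdefaults]. Current MIT Kerberos releases have removed single DES,
# so such entries should be dropped from the configuration.
krb5_single_des_enctypes() {
    awk -F= '
        /^[[:space:]]*\[/ { section = $0; gsub(/[[:space:]]/, "", section); next }
        section == "[libdefaults]" {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key ~ /^(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)$/) {
                n = split($2, e, /[[:space:]]+/)
                for (i = 1; i <= n; i++) if (e[i] ~ /^des-/) print e[i]
            }
        }
    ' "$1" | sort -u
}

# Return 0 if the given klist output contains a TGT (krbtgt/REALM@REALM) for REALM.
klist_has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# Return 0 when klist shows a TGT for the realm that krb5.conf declares as default.
check_kinit_result() {
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] && klist_has_tgt "$2" "$realm"
}

# Constructed krb5.conf mirroring the sample above (temp file stands in for /etc/krb5.conf).
SAMPLE_KRB5_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_KRB5_CONF"' EXIT
cat > "$SAMPLE_KRB5_CONF" <<'EOF'
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = windc.example.com
}
EOF

# Constructed klist output in the same format as the sample session above.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/26/04 11:23:53  11/26/04 21:23:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

if check_kinit_result "$SAMPLE_KRB5_CONF" "$SAMPLE_KLIST"; then
    echo "TGT present for realm $(krb5_default_realm "$SAMPLE_KRB5_CONF")"
fi
for e in $(krb5_single_des_enctypes "$SAMPLE_KRB5_CONF"); do
    echo "weak enctype configured: $e"
done
```

On a real host, point krb5_default_realm at /etc/krb5.conf and pass "$(klist)" as the second argument of check_kinit_result; a non-zero result means either the realm in the config does not match the principal kinit actually obtained, or no TGT is cached.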

Set up /etc/pam.d/common-auth, e.g.

auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient      pam_unix.so likeauth nullok use_first_pass
auth    required        pam_deny.so

Set up /etc/pam.d/common-session, e.g.

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077

Note: kpasswd for password changing does not work.

Note: the user from AD has to exist in /etc/passwd on the Ubuntu workstation; you can also use libnss-ldap to get the account information from AD as well.

LDAP: libnss-ldap

Configure AD

It is necessary to extend the LDAP schema of AD with the UNIX attributes; install "UNIX Services for Windows" from Microsoft (I used version 3.5).

SFU: http://www.microsoft.com/windows/sfu/

libnss-ldap

Install libnss-ldap and the Name Service Caching Daemon (nscd) for better performance.

# apt-get install libnss-ldap nscd

Package info: libnss-ldap 211-4, nscd 2.3.2-ds1-13ubuntu2

Set up /etc/nsswitch.conf for LDAP, e.g.

passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

Set up /etc/libnss-ldap.conf, e.g.

# Replace windc.example.com with your Windows DC
uri ldap://windc.example.com/

base dc=example,dc=com
ldap_version 3

# Add a user to AD that can read the container
# with the users that you want to use.
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw cvfd123

scope sub
timelimit 30


pam_filter objectclass=User

pam_login_attribute sAMAccountName
pam_lookup_policy yes

# Modify ou=User,dc=e... to your container with your users.
nss_base_passwd ou=User,dc=example,dc=com?sub
nss_base_shadow ou=User,dc=example,dc=com?sub
nss_base_group  ou=User,dc=example,dc=com?sub

# For MSSFU:
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName

With this configuration the LDAP traffic is unencrypted and anyone on the path can sniff it, including the bind password above. To secure it, use SSL.
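As an added example, not part of the original howto, the script below audits a libnss-ldap.conf-style file for the weaknesses this section leaves in place: a plain ldap:// URI with neither "ssl on" nor "ssl start_tls", TLS without "tls_checkpeer yes" (which makes the connection trivially interceptable), and a bindpw stored in a file that NSS requires to be world-readable. Both configs are constructed: the weak one mirrors the settings above; the hardened one uses ldaps:// with peer verification and the nss_ldap rootbinddn mechanism, whose password is read from a root-only secret file (on Debian/Ubuntu packages I believe this is /etc/libnss-ldap.secret; treat that path as an assumption). The CA certificate path and the function names are also assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit an nss_ldap-style
# config for plaintext LDAP, unverified TLS and an exposed bind password.
# Both sample configs, the CA path and the ldapreader account are constructed.

# Print one finding per line for the given config file (empty output = clean).
ldap_conf_findings() {
    conf=$1
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == "uri" { for (i = 2; i <= NF; i++) { if ($i ~ /^ldap:\/\//) plain = 1; if ($i ~ /^ldaps:\/\//) ldaps = 1 } }
        $1 == "ssl" { if ($2 == "on" || $2 == "start_tls") ssl = 1 }
        $1 == "tls_checkpeer" { if ($2 == "yes") checkpeer = 1 }
        $1 == "bindpw" { bindpw = 1 }
        END {
            if (plain && !ssl)                print "PLAINTEXT_LDAP_URI"
            if ((ldaps || ssl) && !checkpeer) print "TLS_WITHOUT_PEER_VERIFICATION"
            if (bindpw)                       print "BIND_PASSWORD_IN_CONFIG"
        }
    ' "$conf"
    # nss_ldap needs this file readable by every process that resolves names,
    # so a bindpw kept here is readable by every local user.
    if grep -q '^[[:space:]]*bindpw' "$conf" && [ -n "$(find "$conf" -perm -o+r)" ]; then
        echo "BIND_PASSWORD_WORLD_READABLE"
    fi
}

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed copy of the settings shown above (world-readable, as NSS requires).
cat > "$WEAK_CONF" <<'EOF'
uri ldap://windc.example.com/
base dc=example,dc=com
ldap_version 3
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw cvfd123
EOF
chmod 644 "$WEAK_CONF"

# Constructed hardened variant: LDAPS, peer verification against the AD CA,
# and the bind password moved out of this file via rootbinddn.
cat > "$HARD_CONF" <<'EOF'
uri ldaps://windc.example.com/
base dc=example,dc=com
ldap_version 3
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem   # assumed path to the AD CA certificate
# rootbinddn's password lives in the package's root-only secret file, not here
rootbinddn cn=ldapreader,cn=Users,dc=example,dc=com
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    findings=$(ldap_conf_findings "$f")
    echo "$f: ${findings:-clean}"
done
```

rootbinddn is only used by processes running as root, which is why the nscd installed above matters: lookups from unprivileged processes are answered by nscd. After switching, confirm with "getent passwd <aduser>" as an unprivileged user that resolution still works.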

Set up /etc/pam.d/common-auth, e.g.

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass

Set up /etc/pam.d/common-account, e.g.

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient      pam_ldap.so
account required        pam_unix.so

Other useful config files:

login.defs

nscd.conf

FIXME: translate the following section

From GuyVanSanden Tue Jun 7 13:34:50 +0100 2005
From: Guy Van Sanden
Date: Tue, 07 Jun 2005 13:34:50 +0100
Subject: Sudo
Message-ID: <20050607133450+0100@https://www.ubuntulinux.org>

I'm using pam_krb5 against a MIT server. gksu(do) does not work with this module (because it queries your password with username@DOMAIN). Is there a way around this?