Source: https://help.ubuntu.com/community/ActiveDirectoryHowto
Active Directory from Microsoft is a directory service built on open protocols such as Kerberos, LDAP and SSL.
There are several ways to use AD for authentication: pam_krb5, LDAP, or winbind. For winbind, see [ActiveDirectoryWinbindHowto].
Kerberos: pam_krb5
Configure AD:
For pam_krb5 you do not need to configure anything.
pam_krb5
# apt-get install krb5-user libpam-krb5
Package info: krb5-user-1.3.4-4 MIT Kerberos5, libpam-krb5-1.0-8 MIT Kerberos5
set up /etc/krb5.conf, e.g.
 [logging]
  default = FILE:/var/log/krb5lib.log
 [libdefaults]
  ticket_lifetime = 24000
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 [realms]
  EXAMPLE.COM = {
   kdc = windc.example.com
   admin_server = windc.example.com
   default_domain = example.com
  }
 [domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
Replace windc.example.com with the IP address or FQDN of your Windows domain controller, and EXAMPLE.COM with your Kerberos realm, which is typically the domain name in upper case.
Check whether you can obtain a Kerberos ticket:
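As an added example (not part of the original wiki page), the following Python script parses a krb5.conf in the format shown above and flags the encryption types it lists: single-DES types such as des-cbc-crc are broken (56-bit key) and are disabled by default in current Windows and MIT Kerberos releases, and des3/RC4 are deprecated. The sample configuration is constructed from the page's example; the parser only handles the subset of the krb5.conf syntax the page uses.

```python
"""Added example (not from the Ubuntu wiki page): parse a krb5.conf like the one
shown above and report weak or deprecated encryption types in [libdefaults]."""
import re

# Constructed sample: the page's configuration for the EXAMPLE.COM realm.
SAMPLE_KRB5_CONF = """
[logging]
 default = FILE:/var/log/krb5lib.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 EXAMPLE.COM = {
  kdc = windc.example.com
  admin_server = windc.example.com
  default_domain = example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Single-DES types are broken; triple-DES and RC4 are deprecated and disabled
# by default in current MIT Kerberos and Windows releases.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                 "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; '{ ... }' sub-blocks become nested dicts."""
    sections = {}
    stack = []  # innermost dict for the current section or sub-block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # ignore anything before the first section header
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return sections


def weak_enctype_findings(conf):
    """List (setting, enctype) pairs in [libdefaults] that name a weak enctype."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for setting in ("default_tkt_enctypes", "default_tgs_enctypes",
                    "permitted_enctypes"):
        for enc in libdefaults.get(setting, "").split():
            if enc.lower() in WEAK_ENCTYPES:
                findings.append((setting, enc))
    return findings


def realm_kdc(conf, realm):
    """Return the KDC configured for a realm, or None if the realm is absent."""
    return conf.get("realms", {}).get(realm, {}).get("kdc")


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("default realm:", parsed["libdefaults"]["default_realm"])
    print("KDC:", realm_kdc(parsed, "EXAMPLE.COM"))
    for setting, enc in weak_enctype_findings(parsed):
        print(f"weak enctype in {setting}: {enc}")
```

Run against the page's configuration it reports both enctype settings, since each lists des-cbc-crc and des3-hmac-sha1; with a modern domain controller the fix is simply to delete both default_*_enctypes lines and let the library negotiate AES.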
 # kinit user
 Password for user@EXAMPLE.COM: ...
 # klist
 Ticket cache: FILE:/tmp/krb5cc_1003
 Default principal: user@EXAMPLE.COM
 Valid starting     Expires            Service principal
 11/26/04 11:23:53  11/26/04 21:23:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM
 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached
set up /etc/pam.d/common-auth, e.g.
 auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
 auth sufficient pam_unix.so likeauth nullok use_first_pass
 auth required pam_deny.so
set up /etc/pam.d/common-session, e.g.
 session required pam_unix.so
 session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
kpasswd for password changing does not work.
The AD users have to exist in /etc/passwd on the Ubuntu workstation; alternatively, use libnss-ldap to fetch the account information from AD as well.
LDAP: libnss-ldap
Configure AD
In Windows Server versions prior to WS03 R2, it is necessary to extend the AD LDAP schema with the UNIX attributes. Install "Windows Services for UNIX" from Microsoft (I used version 3.5). SFU: http://www.microsoft.com/windows/sfu/
note: Installing SFU 3.5 on Windows Server 2003 (non R2) does not appear to add the necessary LDAP schema extensions. Can someone confirm this? What options in the installation should be selected and which options are not necessary? added by uid000.NOSPAM[at]gmail[dot]com 2006/10/12
In order to extend the LDAP schema, it is necessary to install the "Server for NIS" component. The installation needs to be performed using an account that has Enterprise Admin privileges in order for the schema to be extended successfully (indeed, Enterprise Admin privileges are required even if the schema has already been extended). In Active Directory, schema extensions are non-reversible, so if the NIS Server is not required, it can be removed once the schema extension is complete. If the SFU Server for NIS is installed however, it will extend the Active Directory Users and Computers tool with a UNIX Attributes tab which allows GUI editing of the UNIX attributes for users, groups and computers.
In Windows Server 2003 R2, the Active Directory schema is already extended with an RFC2307-compliant schema. This differs from the schema extensions used in SFU3.5, requiring a different libnss-ldap configuration. It is still necessary to install Server for NIS to extend the Active Directory Users and Computers tool with the UNIX Attributes tab to allow GUI editing of UNIX attributes for users, groups and computers.
libnss-ldap
Install libnss-ldap and the Name Service Caching Daemon for better performance.
# apt-get install libnss-ldap nscd
Package info: libnss-ldap-211-4, nscd-2.3.2-ds1-13ubuntu2
set up /etc/nsswitch.conf for ldap, e.g.
 passwd:     compat ldap
 shadow:     compat ldap
 group:      compat ldap
 hosts:      files dns
 networks:   files dns
 services:   db files
 protocols:  db files
 rpc:        db files
 ethers:     db files
 netmasks:   files
 netgroup:   files
 bootparams: files
 automount:  files
 aliases:    files
When editing /etc/nsswitch.conf, it is best to stop the Name Service Caching Daemon first (/etc/init.d/nscd stop), or cached results will confuse you. Start it again afterwards.
set up /etc/libnss-ldap.conf, e.g.
 # Replace windc.example.com with your Windows DC
 uri ldap://windc.example.com/
 base dc=example,dc=com
 ldap_version 3
 # Add a user to AD, that can read the container
 # with the users, that you want use.
 binddn cn=ldapreader,cn=Users,dc=example,dc=com
 bindpw cvfd123
 scope sub
 timelimit 30
 pam_filter objectclass=User
 pam_login_attribute sAMAccountName
 pam_lookup_policy yes
 # Modify cn=User,dc=e... to your container with your users.
 nss_base_passwd cn=User,dc=example,dc=com?sub
 nss_base_shadow cn=User,dc=example,dc=com?sub
 nss_base_group cn=User,dc=example,dc=com?sub
 # For MSSFU:
 nss_map_objectclass posixAccount User
 nss_map_objectclass shadowAccount User
 nss_map_attribute uid sAMAccountName
 nss_map_attribute uniqueMember member
 nss_map_attribute uidNumber msSFU30UidNumber
 nss_map_attribute gidNumber msSFU30GidNumber
 nss_map_attribute userPassword msSFU30Password
 nss_map_attribute homeDirectory msSFU30HomeDirectory
 nss_map_attribute loginShell msSFU30LoginShell
 nss_map_attribute gecos name
 nss_map_attribute cn sAMAccountName
I think it only needs rootbinddn, no binddn, with the bindpw in /etc/libnss-ldap.secret, not here. I have also successfully combined /etc/ldap/ldap.conf, /etc/libnss-ldap.conf, and /etc/pam_ldap.conf, symlinking them all to /etc/ldap/ldap.conf - AndyRabagliati
There are choices to be made here, depending on how the AD environment is configured. For Windows Server 2003 R2, the schema extensions are RFC2307 compliant - no longer prefixed 'msSFU30' and with the next letter in lower case (e.g. msSFU30UidNumber is now uidNumber). If UNIX group membership has been administered by modifying the list in the UNIX attributes tab of AD Users and Computers (which is required in a NIS environment), then 'uniqueMember' should be mapped to 'msSFU30PosixMember' (or 'posixMember' for WS03R2) as 'member' only includes the membership listed in the Windows group.
With this configuration the LDAP traffic is unencrypted and can be sniffed on the network. To secure it, use SSL.
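The three points raised above (the bind password kept in the main config file rather than in /etc/libnss-ldap.secret, the SFU 3.5 versus WS03 R2 attribute names, and the cleartext ldap:// transport) can be checked mechanically. The following Python auditor is an added example and not part of the original page or of the libnss-ldap package; it parses the page's libnss-ldap.conf format, reports the findings, and produces a hardened copy of the settings. The sample file is constructed from the page's example, and the schema tables are assumptions stated in the code (one detail beyond the page's lower-casing rule: in the R2 schema the home directory attribute is unixHomeDirectory).

```python
"""Added example, not from the Ubuntu wiki page: audit a libnss-ldap.conf for
cleartext transport, an in-file bind password, and schema-mismatched mappings."""

# Constructed sample: an abbreviated copy of the page's libnss-ldap.conf.
SAMPLE_LIBNSS_LDAP_CONF = """
# Replace windc.example.com with your Windows DC
uri ldap://windc.example.com/
base dc=example,dc=com
ldap_version 3
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw cvfd123
scope sub
nss_base_passwd cn=User,dc=example,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
"""

# AD attribute names the POSIX attributes should map to, per schema flavour.
# In the R2 (RFC 2307) schema the home directory is 'unixHomeDirectory', the
# one name that does not simply drop the msSFU30 prefix.
SCHEMA_ATTRIBUTES = {
    "sfu30": {"uidNumber": "msSFU30UidNumber", "gidNumber": "msSFU30GidNumber",
              "homeDirectory": "msSFU30HomeDirectory",
              "loginShell": "msSFU30LoginShell",
              "uniqueMember": "msSFU30PosixMember"},
    "rfc2307": {"uidNumber": "uidNumber", "gidNumber": "gidNumber",
                "homeDirectory": "unixHomeDirectory",
                "loginShell": "loginShell", "uniqueMember": "posixMember"},
}


def parse_libnss_ldap_conf(text):
    """Split the 'key value' format into plain settings plus the attribute and
    objectclass maps; comments and blank lines are ignored."""
    settings, attr_map, oc_map = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nss_map_attribute" and len(parts) == 3:
            attr_map[parts[1]] = parts[2]
        elif parts[0] == "nss_map_objectclass" and len(parts) == 3:
            oc_map[parts[1]] = parts[2]
        else:
            settings[parts[0]] = " ".join(parts[1:])
    return settings, attr_map, oc_map


def audit(settings, attr_map, schema):
    """Return (severity, message) findings for the parsed configuration."""
    findings = []
    uri = settings.get("uri", "")
    if uri.startswith("ldap://") and settings.get("ssl") not in ("on", "yes", "start_tls"):
        findings.append(("high", "cleartext LDAP: use ldaps:// or 'ssl start_tls' so "
                                 "bind credentials and directory data cannot be sniffed"))
    if "bindpw" in settings:
        findings.append(("high", "bindpw sits in libnss-ldap.conf, which every process "
                                 "must be able to read; use rootbinddn with the password "
                                 "in /etc/libnss-ldap.secret (mode 0600)"))
    for posix_attr, ad_attr in SCHEMA_ATTRIBUTES[schema].items():
        actual = attr_map.get(posix_attr)
        if actual is None:
            findings.append(("medium", f"no mapping for {posix_attr}; expected {ad_attr}"))
        elif posix_attr == "uniqueMember" and actual == "member":
            # 'member' only carries Windows group membership; UNIX membership
            # edited in the UNIX Attributes tab lives in the posixMember attribute.
            findings.append(("info", f"uniqueMember maps to member; use {ad_attr} if "
                                     "UNIX group membership is administered in AD"))
        elif actual != ad_attr:
            findings.append(("medium", f"{posix_attr} maps to {actual}; expected "
                                       f"{ad_attr} for the {schema} schema"))
    return findings


def hardened(settings):
    """Return a copy of the settings with both high-severity findings fixed."""
    fixed = dict(settings)
    if fixed.get("uri", "").startswith("ldap://"):
        fixed["uri"] = "ldaps://" + fixed["uri"][len("ldap://"):]
        # The DC certificate must be verifiable; tls_cacertfile is site-specific
        # and is left for the administrator to set.
        fixed["tls_checkpeer"] = "yes"
    if "bindpw" in fixed:
        del fixed["bindpw"]
        # rootbinddn makes root-owned lookups (e.g. nscd) bind with the secret
        # read from /etc/libnss-ldap.secret instead of a password in this file.
        fixed["rootbinddn"] = fixed.pop("binddn", fixed.get("rootbinddn", ""))
    return fixed


if __name__ == "__main__":
    settings, attr_map, _ = parse_libnss_ldap_conf(SAMPLE_LIBNSS_LDAP_CONF)
    for severity, message in audit(settings, attr_map, "sfu30"):
        print(f"[{severity}] {message}")
    print("hardened:", {k: v for k, v in hardened(settings).items()
                        if k in ("uri", "rootbinddn", "tls_checkpeer")})
```

Running the audit with schema "rfc2307" against the page's SFU-style mappings shows the four msSFU30 attribute names that have to change on a WS03 R2 domain; the hardened copy keeps the attribute mappings and only changes the transport and credential handling.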
set up /etc/pam.d/common-auth
 #
 # /etc/pam.d/common-auth - authentication settings common to all services
 #
 # This file is included from other service-specific PAM config files,
 # and should contain a list of the authentication modules that define
 # the central authentication scheme for use on the system
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
 # traditional Unix authentication mechanisms.
 #
 auth sufficient pam_ldap.so
 auth required pam_unix.so nullok_secure use_first_pass
set up /etc/pam.d/common-account
 #
 # /etc/pam.d/common-account - authorization settings common to all services
 #
 # This file is included from other service-specific PAM config files,
 # and should contain a list of the authorization modules that define
 # the central access policy for use on the system. The default is to
 # only deny service to users whose accounts are expired in /etc/shadow.
 #
 account sufficient pam_ldap.so
 account required pam_unix.so
Other useful config files: login.defs, nscd.conf
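The pam_krb5 common-auth stack earlier on this page and the pam_ldap stacks just above rely on the same control-flag semantics: a "sufficient" module that succeeds ends the stack, its failure is not fatal, and a "required" module records a failure but lets the stack run on. The following Python simulation is an added example (not part of the page and not Linux-PAM code) that walks such stacks with caller-supplied module outcomes; it models only the control flags and the use_first_pass option, not real module behaviour, and the stacks are transcribed from the page's examples.

```python
"""Added example, not from the Ubuntu wiki page: a simplified model of how
Linux-PAM walks an auth/account stack, used to explore the page's stacks."""

# Constructed stacks, transcribed from the page's common-auth examples.
KRB5_COMMON_AUTH = [
    ("sufficient", "pam_krb5.so", "ccache=/tmp/krb5cc_%u"),
    ("sufficient", "pam_unix.so", "likeauth nullok use_first_pass"),
    ("required", "pam_deny.so", ""),
]
LDAP_COMMON_AUTH = [
    ("sufficient", "pam_ldap.so", ""),
    ("required", "pam_unix.so", "nullok_secure use_first_pass"),
]

# Modules that never ask the user for a password.
NON_PROMPTING = {"pam_deny.so", "pam_permit.so"}


def parse_pam_stack(text, service_type="auth"):
    """Parse 'type control module [args]' lines into (control, module, args)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] != service_type:
            continue
        stack.append((parts[1], parts[2], parts[3] if len(parts) == 4 else ""))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack. outcomes maps module name -> True (success) / False;
    unlisted modules fail. Returns (granted, password_prompts, trace)."""
    impression = None  # None = nothing decided yet, True = positive, False = negative
    prompts = 0
    trace = []
    for control, module, args in stack:
        # A module prompts for the password unless it reuses the first one.
        if module not in NON_PROMPTING and "use_first_pass" not in args.split():
            prompts += 1
        ok = outcomes.get(module, False)
        trace.append((module, ok))
        if control in ("required", "requisite"):
            if not ok:
                impression = False          # remembered, but the stack continues
                if control == "requisite":
                    break                   # requisite failure aborts immediately
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is None:
                impression = True           # success ends the stack
                break
            # a failing sufficient module is simply skipped
        # optional modules do not influence the result in this model
    # With nothing decided, PAM falls back to denial; pam_deny makes that explicit.
    return (impression is True, prompts, trace)


if __name__ == "__main__":
    for name, outcome in [("krb5 ok", {"pam_krb5.so": True}),
                          ("krb5 fails, local ok", {"pam_unix.so": True}),
                          ("both fail", {})]:
        granted, prompts, trace = run_stack(KRB5_COMMON_AUTH, outcome)
        print(f"{name}: granted={granted} prompts={prompts} modules={len(trace)}")
```

Two things the simulation makes visible: the user is prompted once regardless of which module finally succeeds, because pam_unix carries use_first_pass; and when both pam_krb5 and pam_unix fail, the stack still reaches pam_deny, so the result is an explicit denial rather than the implicit default.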
From GuyVanSanden Tue Jun 7 13:34:50 +0100 2005
From: Guy Van Sanden
Date: Tue, 07 Jun 2005 13:34:50 +0100
Subject: Sudo
Message-ID: <20050607133450+0100@https://www.ubuntulinux.org>
I'm using pam_krb5 against a MIT server. gksu(do) does not work with this module (because it queries your password with username@DOMAIN). Is there a way around this?