
Difference between revisions of "UbuntuHelp:ActiveDirectoryHowto"

From Ubuntu中文

 
(12 intermediate revisions by the same user not shown)
第1行: 第1行:
 
{{From|https://help.ubuntu.com/community/ActiveDirectoryHowto}}
 
{{From|https://help.ubuntu.com/community/ActiveDirectoryHowto}}
 
{{Languages|UbuntuHelp:ActiveDirectoryHowto}}
 
{{Languages|UbuntuHelp:ActiveDirectoryHowto}}
== Active Directory ==
+
== Introduction ==
 
'''Active Directory''' from Microsoft is a directory service that uses some open protocols, like
 
'''Active Directory''' from Microsoft is a directory service that uses some open protocols, like
Kerberos, ldap and SSL.
+
Kerberos, LDAP and SSL.
 
There are several ways to use AD for authentication, you can use pam_krb5, LDAP or winbind. For Winbind see [ActiveDirectoryWinbindHowto].
 
There are several ways to use AD for authentication, you can use pam_krb5, LDAP or winbind. For Winbind see [ActiveDirectoryWinbindHowto].
=== Kerberos: pam_krb5 ===
+
The purpose of this document is to provide a guide to configuring Samba on Ubuntu to act as a file server in a Windows environment integrated into Active Directory. The goal is to create a file server that is as close to a one to one replacement for a Microsoft Windows file server as possible from the client's perspective.
==== Configuration  and Installation ====
+
=== Background ===
To install pam_krb5 you need to install '''krb5-user''' and '''libpam-krb5''' from the '''Universe Repository'''. Also you don't have to configure anything in Active Directory for pam_krb5.
+
It is important to keep in mind that the Samba developers have to play detective to try to basically reverse engineer the Microsoft implementation of the SMB protocol. The end result is that there are occasional issues that must be worked around if a bug fix does not exist. With the instructions below, expected behavior should be acceptable in most corporate environments.
<code><nowiki>$ sudo apt-get install krb5-user libpam-krb5</nowiki></code>
+
Samba allows for a great deal of flexibility in how shares behave on a per-share basis. It is outside the scope of this document to cover each configuration setting and how they behave. It would be very beneficial to first read the smb.conf documentation found at the Samba web page. There are quite a few settings in the documentation, but getting a general feel of what they are and what they do will help in understanding this document and how you can take a step beyond by changing settings for your own tastes and environment.
Then to setup pam_krb5 go to /etc/krb5.conf and open it up using your favorite text editor.
+
=== Prerequisites ===
 +
Security updates need to be enabled for not only the main repository, but for the universe repository as well (as now documented below). If this is not done, any security updates for the main (supported) packages create failed dependencies for the relevant universe packages.
 +
Here is the list of prerequisites specific to this document:
 +
* Ubuntu Server Edition default installation.
 +
* Windows 2003 Native Domain (mixed-mode not tested, but may work)
 +
* Ample hard drive space to accommodate packages and shares.
 +
* Proper IP DNS settings configured so that internal names can be resolved.
 +
== Installation ==
 +
Install the '''samba''', '''acl''', and '''attr''' packages if you wish to enable extended attributes which enable a greater level of control for file Access Control Lists.  See [[UbuntuHelp:InstallingSoftware|InstallingSoftware]] for information regarding Package Managers and installing packages.
 +
You can edit <code><nowiki>/etc/fstab</nowiki></code> similar to the following to enable extended attributes on boot:
 
<pre><nowiki>
 
<pre><nowiki>
[logging]
+
<main file system> / ext3 defaults,acl,user_xattr,errors=remount-ro 0 1
default = FILE:/var/log/krb5lib.log
+
[libdefaults]
+
ticket_lifetime = 24000
+
default_realm = EXAMPLE.COM
+
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
+
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
+
[realms]
+
EXAMPLE.COM = {
+
kdc = windc.example.com
+
admin_server = windc.example.com
+
default_domain = example.com
+
}
+
[domain_realm]
+
.example.com = EXAMPLE.COM
+
example.com = EXAMPLE.COM
+
 
</nowiki></pre>
 
</nowiki></pre>
You need to replace windc.example.com with the IP or FQDN of your Windows domain controller and EXAMPLE.COM with your
+
Then remount the filesystem:
kerberos realm, typically is this the domain name in uppercase.
+
Then try to see if you can receive a kerberos ticket:
+
 
<pre><nowiki>
 
<pre><nowiki>
# kinit user
+
mount -o remount /
Password for [email protected]: ...
+
# klist
+
Ticket cache: FILE:/tmp/krb5cc_1003
+
Default principal: [email protected]
+
Valid starting    Expires            Service principal
+
11/26/04 11:23:53  11/26/04 21:23:53  krbtgt/[email protected]
+
Kerberos 4 ticket cache: /tmp/tkt0
+
klist: You have no tickets cached
+
 
</nowiki></pre>
 
</nowiki></pre>
Then you need to set up /etc/pam.d/common-auth and then
+
== Kerberos ==
 +
The first step in joining an Active Directory domain is to install and configure Kerberos. See [[UbuntuHelp:Samba/Kerberos|Samba/Kerberos]] for details.
 +
== Pam ==
 +
After '''Kerberos''' has been installed and configured, the authentication system (PAM) needs to be configured to use Active Directory. Edit <code><nowiki>/etc/pam.d/common-auth</nowiki></code> and add:
 
<pre><nowiki>
 
<pre><nowiki>
 
auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
 
auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
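Review bot: the rewritten Introduction now states that the document's purpose is configuring Samba on Ubuntu as a one-to-one replacement for a Windows file server, but every section that follows configures pam_krb5, PAM and libnss-ldap for user login, not Samba shares; either the purpose paragraph or the page title needs to match the content. The same hunk removes the /etc/krb5.conf example together with the `kinit user` / `klist` check that followed it, so a reader no longer has a way to confirm that Kerberos works before `auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u` goes into common-auth; keep at least the kinit/klist verification step after "The first step in joining an Active Directory domain is to install and configure Kerberos".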
第48行: 第35行:
 
auth    required        pam_deny.so
 
auth    required        pam_deny.so
 
</nowiki></pre>
 
</nowiki></pre>
set up /etc/pam.d/common-session.
+
Then edit <code><nowiki>/etc/pam.d/common-session</nowiki></code>:
 
<pre><nowiki>
 
<pre><nowiki>
 
session required        pam_unix.so
 
session required        pam_unix.so
 
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
 
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
 
</nowiki></pre>
 
</nowiki></pre>
https://help.ubuntu.com/community/[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:[[UbuntuHelp:IconsPage|IconsPage]]?|IconsPage]]?|IconsPage]]?|IconsPage]]?|IconsPage]]?|IconsPage]]?|IconsPage]]?|IconsPage]]?|IconsPage]]?|IconsPage]]?|IconsPage]]??action=AttachFile&do=get&target=IconNote.png kpasswd for password changing does not work.
+
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png kpasswd for password changing works, but note that AD by default disallows users from changing passwords more than once a day.
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The user from AD have to exist in /etc/passwd on the ubuntu workstation, you can also use libnss-ldap to get the account info also from AD.  
+
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The users from AD have to exist in <code><nowiki>/etc/passwd</nowiki></code> on the Ubuntu workstation, you can also use libnss-ldap to get the account info from AD.  
=== LDAP ===
+
== LDAP ==
==== TestQuery: Windows ====
+
=== TestQuery: Windows ===
Assuming you do not maintain the Active Directory, You will want to determine the structure of AD before trying to connect to it from Linux. From a windows PC connected to AD you should perform a query using Microsoft's Active Directory Application Mode (ADAM).  ADAM is a package of tools that includes CSVDE, which we will be using to perform our queries.   
+
Assuming you '''do not''' maintain the Active Directory you will want to determine the structure of AD before trying to connect to it from Linux. From a windows PC connected to AD you should perform a query using Microsoft's Active Directory Application Mode (ADAM).  '''ADAM''' is a package of tools that includes '''CSVDE''', which we will be using to perform our queries.   
Type this into google, the download page should be the second hit.
+
Type this into Google, the download page should be the second hit.
 
<pre><nowiki>
 
<pre><nowiki>
 
adam microsoft
 
adam microsoft
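Review bot: the kpasswd note flips from "kpasswd for password changing does not work" to "works, but note that AD by default disallows users from changing passwords more than once a day" without saying what changed (krb5 package version, domain functional level); state the tested versions so readers on the older combination know which statement applies to them. In the same hunk, "The users from AD have to exist in /etc/passwd on the Ubuntu workstation, you can also use libnss-ldap ..." is two sentences joined by a comma; split after "workstation".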
第64行: 第51行:
 
Install.
 
Install.
 
Open the command prompt.
 
Open the command prompt.
Start>RUN and type 'cmd'
+
Start > RUN and type 'cmd'
 
Navigate to the installation directory, default is c:\windows\ADAM
 
Navigate to the installation directory, default is c:\windows\ADAM
 
Example Queries:
 
Example Queries:
第86行: 第73行:
 
For more on querying with ADAM's CSVDE
 
For more on querying with ADAM's CSVDE
 
[www.computerperformance.co.uk/Logon/Logon_CSVDE.htm]
 
[www.computerperformance.co.uk/Logon/Logon_CSVDE.htm]
==== Configure AD ====
+
== Configure AD ==
 
In Windows Server versions prior to WS03 R2, it is necessary to extend the LDAP schema from AD with the UNIX attributes.  Install "Windows Services for UNIX" from Microsoft (I used version 3.5).
 
In Windows Server versions prior to WS03 R2, it is necessary to extend the LDAP schema from AD with the UNIX attributes.  Install "Windows Services for UNIX" from Microsoft (I used version 3.5).
 
SFU: http://www.microsoft.com/windows/sfu/
 
SFU: http://www.microsoft.com/windows/sfu/
第92行: 第79行:
 
In order to extend the LDAP schema, it is necessary to install the "Server for NIS" component.  The installation needs to be performed using an account that has Enterprise Admin privileges in order for the schema to be extended successfully (indeed, Enterprise Admin privileges are required even if the schema has already been extended).  In Active Directory, schema extensions are non-reversible, so if the NIS Server is not required, it can be removed once the schema extension is complete.  If the SFU Server for NIS is installed however, it will extend the Active Directory Users and Computers tool with a UNIX Attributes tab which allows GUI editing of the UNIX attributes for users, groups and computers.   
 
In order to extend the LDAP schema, it is necessary to install the "Server for NIS" component.  The installation needs to be performed using an account that has Enterprise Admin privileges in order for the schema to be extended successfully (indeed, Enterprise Admin privileges are required even if the schema has already been extended).  In Active Directory, schema extensions are non-reversible, so if the NIS Server is not required, it can be removed once the schema extension is complete.  If the SFU Server for NIS is installed however, it will extend the Active Directory Users and Computers tool with a UNIX Attributes tab which allows GUI editing of the UNIX attributes for users, groups and computers.   
 
In Windows Server 2003 R2, the Active Directory schema is already extended with an RFC2307-compliant schema. This differs from the schema extensions used in SFU3.5, requiring a different libnss-ldap configuration. It is still necessary to install Server for NIS to extend the Active Directory Users and Computers tool with the UNIX Attributes tab to allow GUI editing of UNIX attributes for users, groups and computers.   
 
In Windows Server 2003 R2, the Active Directory schema is already extended with an RFC2307-compliant schema. This differs from the schema extensions used in SFU3.5, requiring a different libnss-ldap configuration. It is still necessary to install Server for NIS to extend the Active Directory Users and Computers tool with the UNIX Attributes tab to allow GUI editing of UNIX attributes for users, groups and computers.   
==== TestQuery: Linux ====
+
=== TestQuery: Linux ===
We will want to perform a testquery in linux before we attempt to configure AD.  Its much simpler to determine how to connect on the commandline, and then configure, rather than reconfigure a file repeatedly.
+
We will want to perform a testquery in Linux before we attempt to configure AD.  It is much simpler to determine how to connect on the command line and then configure rather than reconfigure a file repeatedly.
 
We will need at least these two packages to perform test queries on Active Directory.
 
We will need at least these two packages to perform test queries on Active Directory.
 
<pre><nowiki>
 
<pre><nowiki>
第105行: 第92行:
 
</nowiki></pre>
 
</nowiki></pre>
 
and the authentication type: simple or SASL
 
and the authentication type: simple or SASL
 +
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If we have an active directory account and proper libraries installed, you can also authenticate using SASL-GSSAPI, and you will not need -D or -W options
 +
<pre><nowiki>
 +
sudo apt-get install libsasl2-modules-gssapi-mit
 +
kinit ADuser
 +
ldapwhoami -h medcenterdc01 -Y EXTERNAL
 +
</nowiki></pre>
 
SASL authentication off, simple on
 
SASL authentication off, simple on
 
<pre><nowiki>
 
<pre><nowiki>
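Review bot: `ldapwhoami -h medcenterdc01 -Y EXTERNAL` does not use the ticket obtained by `kinit ADuser` on the previous line; the SASL mechanism that authenticates with Kerberos credentials is GSSAPI, which is exactly what the `libsasl2-modules-gssapi-mit` package installed above provides, while EXTERNAL expects an identity established outside SASL (a TLS client certificate or ldapi peer credentials). Suggest `ldapwhoami -h medcenterdc01 -Y GSSAPI`. The note text also switches person mid-sentence ("If we have ... you can also") and should read "Active Directory".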
第129行: 第122行:
 
CN=last name\\, firstname
 
CN=last name\\, firstname
 
</nowiki></pre>
 
</nowiki></pre>
==== libnss-ldap ====
+
== libnss-ldap ==
 
You can install '''libnss-ldap''' and '''nscd''' from the '''Universe''' Repository.
 
You can install '''libnss-ldap''' and '''nscd''' from the '''Universe''' Repository.
 
Now you need to set up /etc/nsswitch.conf for ldap.
 
Now you need to set up /etc/nsswitch.conf for ldap.
 
<pre><nowiki>
 
<pre><nowiki>
passwd:        compat
+
    passwd:        compat
group:          compat
+
    group:          compat
shadow:        compat
+
    shadow:        compat
passwd_compat:  ldap
+
    passwd_compat:  ldap
group_compat:  ldap
+
    group_compat:  ldap
shadow_compat:  ldap
+
    shadow_compat:  ldap
hosts:      files dns
+
 
networks:    files dns
+
    hosts:      files dns
services:    db files
+
    networks:    files dns
protocols:  db files
+
 
rpc:        db files
+
    services:    db files
ethers:      db files
+
    protocols:  db files
netmasks:    files
+
    rpc:        db files
netgroup:    files
+
    ethers:      db files
bootparams:  files
+
    netmasks:    files
automount:  files
+
    netgroup:    files
aliases:    files
+
    bootparams:  files
 +
 
 +
    automount:  files
 +
    aliases:    files
 
</nowiki></pre>
 
</nowiki></pre>
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If you have trouble when you attempt to ping and your network has a wins server you will want to append 'wins' to the hosts line of nsswitch.conf - you may only notice this only when you try to ping a static ip linux pc from another linux pc - I believe wins is a part of the samba package and the IP addresses for wins servers are stored in /etc/samba/dhcp.conf, the static ip machine also needs to specify its netbios name within /etc/samba/smb.conf
+
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If you have trouble when you attempt to ping and your network has a wins server you will want to append 'wins' to the hosts line of nsswitch.conf - you may only notice this only when you try to ping a static IP Linux PC from another Linux PC - I believe WINS is a part of the samba package and the IP addresses for WINS servers are stored in /etc/samba/dhcp.conf, the static IP machine also needs to specify its NetBIOS name within /etc/samba/smb.conf
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png When fiddling with /etc/nsswitch.conf, it is best to turn the Name Services Caching Daemon off - ''/etc/init.d/nscd stop'' or you will be confused by cached results. Turn it on afterwards.
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png When fiddling with /etc/nsswitch.conf, it is best to turn the Name Services Caching Daemon off - ''/etc/init.d/nscd stop'' or you will be confused by cached results. Turn it on afterwards.
 
Then you need to set up /etc/libnss-ldap.conf.  
 
Then you need to set up /etc/libnss-ldap.conf.  
 
AKA: /etc/ldap.conf
 
AKA: /etc/ldap.conf
 
<pre><nowiki>
 
<pre><nowiki>
# Replace windc.example.com with your Windows DC
+
    # Replace windc.example.com with your Windows DC
uri ldap://windc.example.com/
+
    uri ldap://windc.example.com/
base dc=example,dc=com
+
 
ldap_version 3
+
    base dc=example,dc=com
# Add a user to AD, that can read the container
+
    ldap_version 3
# with the users, that you want use.
+
 
binddn cn=ldapreader,cn=Users,dc=example,dc=com
+
    # Add a user to AD, that can read the container
bindpw cvfd123
+
    # with the users, that you want use.
scope sub
+
    binddn cn=ldapreader,cn=Users,dc=example,dc=com
timelimit 30
+
    bindpw cvfd123
pam_filter objectclass=User
+
 
pam_login_attribute sAMAccountName
+
    scope sub
pam_lookup_policy yes
+
    timelimit 30
# Modify cn=User,dc=e... to your container with your users.
+
 
nss_base_passwd cn=User,dc=example,dc=com?sub
+
 
nss_base_shadow cn=User,dc=example,dc=com?sub
+
    pam_filter objectclass=User
nss_base_group  cn=User,dc=example,dc=com?sub
+
 
# For MSSFU:
+
    pam_login_attribute sAMAccountName
nss_map_objectclass posixAccount User
+
    pam_lookup_policy yes
nss_map_objectclass shadowAccount User
+
 
nss_map_attribute uid sAMAccountName
+
    # Modify cn=User,dc=e... to your container with your users.
nss_map_attribute uniqueMember member
+
    nss_base_passwd cn=User,dc=example,dc=com?sub
nss_map_attribute uidNumber msSFU30UidNumber
+
    nss_base_shadow cn=User,dc=example,dc=com?sub
nss_map_attribute gidNumber msSFU30GidNumber
+
    nss_base_group  cn=User,dc=example,dc=com?sub
nss_map_attribute userPassword msSFU30Password
+
 
nss_map_attribute homeDirectory msSFU30HomeDirectory
+
    # For MSSFU:
nss_map_attribute loginShell msSFU30LoginShell
+
    nss_map_objectclass posixAccount User
nss_map_attribute gecos name
+
    nss_map_objectclass shadowAccount User
nss_map_attribute cn sAMAccountName
+
    nss_map_attribute uid sAMAccountName
 +
    nss_map_attribute uniqueMember member
 +
    nss_map_attribute uidNumber msSFU30UidNumber
 +
    nss_map_attribute gidNumber msSFU30GidNumber
 +
    nss_map_attribute userPassword msSFU30Password
 +
    nss_map_attribute homeDirectory msSFU30HomeDirectory
 +
    nss_map_attribute loginShell msSFU30LoginShell
 +
    nss_map_attribute gecos name
 +
    nss_map_attribute cn sAMAccountName
 
</nowiki></pre>
 
</nowiki></pre>
 
''I think it only needs rootbinddn, no binddn, with the bindpw in /etc/libnss-ldap.secret, not here.
 
''I think it only needs rootbinddn, no binddn, with the bindpw in /etc/libnss-ldap.secret, not here.
 
I have also successfully combined /etc/ldap/ldap.conf, /etc/libnss-ldap.conf, and /etc/pam_ldap.conf, symlinking them all to /etc/ldap/ldap.conf - [[UbuntuHelp:AndyRabagliati|AndyRabagliati]]''
 
I have also successfully combined /etc/ldap/ldap.conf, /etc/libnss-ldap.conf, and /etc/pam_ldap.conf, symlinking them all to /etc/ldap/ldap.conf - [[UbuntuHelp:AndyRabagliati|AndyRabagliati]]''
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=warning.png Incorrect nss_map settings will prevent one from authenticating, and reading AD in general.  These settings are dependent on the column names within your AD database.  In older systems the database (schema) needs to be extended as described in the 'Configure AD' section.  Once these *NIX attributes are part of the schema they can be modified with the MMC snap-in Active directory Users and Groups, as long as idmu.exe has been installed from the Windows Server 2003 R2 Administration Tools Pack. If *NIX group membership has been administered by modifying the list in the UNIX attributes tab of AD Users and Computers (which is REQUIRED in a NIS environment), then 'uniqueMember' should be mapped to 'msSFU30PosixMember' (or 'posixMember' for WS03R2) as 'member' only includes the membership listed in the Windows group.  
+
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=warning.png Incorrect nss_map settings will prevent one from authenticating and reading AD in general.  These settings are dependent on the column names within your AD database.  In older systems the database (schema) needs to be extended as described in the 'Configure AD' section.  Once these *NIX attributes are part of the schema they can be modified with the MMC snap-in Active Directory Users and Groups, as long as idmu.exe has been installed from the Windows Server 2003 R2 Administration Tools Pack. If *NIX group membership has been administered by modifying the list in the UNIX attributes tab of AD Users and Computers (which is REQUIRED in a NIS environment), then 'uniqueMember' should be mapped to 'msSFU30PosixMember' (or 'posixMember' for WS03R2) as 'member' only includes the membership listed in the Windows group.  
 
For Windows Server 2003 R2, the schema extensions are RFC2307 compliant - no longer prefixed 'msSFU30' and with the next letter in lower case (e.g. msSFU30UidNumber is now uidNumber).  
 
For Windows Server 2003 R2, the schema extensions are RFC2307 compliant - no longer prefixed 'msSFU30' and with the next letter in lower case (e.g. msSFU30UidNumber is now uidNumber).  
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png Further optimizations of the queries can be made for the nss_base properties:
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png Further optimizations of the queries can be made for the nss_base properties:
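Review bot: `bindpw cvfd123` is kept in /etc/libnss-ldap.conf, a file that has to remain world-readable because every process resolving users and groups reads it through libnss-ldap, so the AD reader account's password is exposed to every local user; the italic comment right below the block already names the supported fix (`rootbinddn` with the password in /etc/libnss-ldap.secret), and the example should adopt it rather than leave it as an aside. With `uri ldap://windc.example.com/` that simple bind also crosses the network in clear text, so an ldaps:// or TLS-protected URI belongs in the same example. Separately, `nss_base_passwd cn=User,dc=example,dc=com?sub` (and the shadow and group lines, plus the comment "Modify cn=User,dc=e...") use `cn=User`, while `binddn cn=ldapreader,cn=Users,dc=example,dc=com` uses `cn=Users`, which is the default AD container name; the three nss_base lines look like a typo.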
第195行: 第199行:
 
nss_base_shadow dc=mydomain,dc=com?sub?(&(objectClass=user)(uidnumber=*))
 
nss_base_shadow dc=mydomain,dc=com?sub?(&(objectClass=user)(uidnumber=*))
 
nss_base_group          dc=mydomain,dc=com?sub?(&(objectClass=group)(gidnumber=*))
 
nss_base_group          dc=mydomain,dc=com?sub?(&(objectClass=group)(gidnumber=*))
 +
 +
 
The ampersand in the queries above merely specifies AND logic
 
The ampersand in the queries above merely specifies AND logic
 +
 
AND (&(filter)(filter))
 
AND (&(filter)(filter))
 
OR  (|(filter)(filter))
 
OR  (|(filter)(filter))
NOT (!(filter)(filter))
+
NOT (!(filter))
 
</nowiki></pre>
 
</nowiki></pre>
===== Debugging =====
+
== Troubleshooting ==
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconBug.png To debug LDAP queries one should make sure nscd is off and use the getent command
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconBug.png To debug LDAP queries one should make sure nscd is off and use the getent command
 
<pre><nowiki>
 
<pre><nowiki>
 
sudo /etc/init.d/nscd stop
 
sudo /etc/init.d/nscd stop
 +
 
getent passwd
 
getent passwd
 
getent shadow
 
getent shadow
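Review bot: the correction to `NOT (!(filter))` is right, an LDAP "not" filter takes exactly one operand, but the sentence "The ampersand in the queries above merely specifies AND logic" now introduces a list that also covers OR and NOT; reword it to something like "The ampersand, pipe and exclamation mark are the LDAP filter operators:" so the list reads as a unit.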
第220行: 第228行:
 
Now you need to set up /etc/pam.d/common-auth and
 
Now you need to set up /etc/pam.d/common-auth and
 
<pre><nowiki>
 
<pre><nowiki>
#
+
    #
# /etc/pam.d/common-auth - authentication settings common to all services
+
    # /etc/pam.d/common-auth - authentication settings common to all services
#
+
    #
# This file is included from other service-specific PAM config files,
+
    # This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
+
    # and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
+
    # the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
+
    # traditional Unix authentication mechanisms.
#
+
    #
auth    sufficient      pam_ldap.so
+
    auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass
+
    auth    required        pam_unix.so nullok_secure use_first_pass
 
</nowiki></pre>
 
</nowiki></pre>
 
set up /etc/pam.d/common-account.
 
set up /etc/pam.d/common-account.
 
<pre><nowiki>
 
<pre><nowiki>
#
+
    #
# /etc/pam.d/common-account - authorization settings common to all services
+
    # /etc/pam.d/common-account - authorization settings common to all services
#
+
    #
# This file is included from other service-specific PAM config files,
+
    # This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
+
    # and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
+
    # the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
+
    # only deny service to users whose accounts are expired in /etc/shadow.
#
+
    #
account sufficient      pam_ldap.so
+
    account sufficient      pam_ldap.so
account required        pam_unix.so
+
    account required        pam_unix.so
 
</nowiki></pre>
 
</nowiki></pre>
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png We are still using Kerberos for authentication, but now we are storing the information that would normally be stored in /etc/passwd using Active Directory.
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png We are still using Kerberos for authentication, but now we are storing the information that would normally be stored in /etc/passwd using Active Directory.
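Review bot: the note "We are still using Kerberos for authentication, but now we are storing the information that would normally be stored in /etc/passwd using Active Directory" contradicts the common-auth stack in this hunk, where `auth sufficient pam_ldap.so` has replaced pam_krb5.so; pam_ldap authenticates by binding to the directory with the user's password, so with the `ldap://` URI configured earlier every login password crosses the network unencrypted. Either keep `auth sufficient pam_krb5.so` as the first auth line and use pam_ldap only in common-account, as the note implies, or correct the note and require TLS on the LDAP connection.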
第249行: 第257行:
 
* login.defs
 
* login.defs
 
* nscd.conf
 
* nscd.conf
 +
Here is an alternative configuration example:
 +
[[UbuntuHelp:Alternate_Pam_Krb5LDAP_Authentication|Patched|pam_krb5]] to include support for directory service users]
 
----
 
----
 
[[category:CategorySecurity]]
 
[[category:CategorySecurity]]
  
 
[[category:UbuntuHelp]]
 
[[category:UbuntuHelp]]
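Review bot: the new link `[[UbuntuHelp:Alternate_Pam_Krb5LDAP_Authentication|Patched|pam_krb5]] to include support for directory service users]` is malformed wiki markup: a piped link takes a single `|` label, and " to include support for directory service users]" falls outside the `[[...]]`, so it renders as literal text with a stray bracket. Suggest `[[UbuntuHelp:Alternate_Pam_Krb5LDAP_Authentication|Patched pam_krb5 to include support for directory service users]]`.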

Latest revision as of 17:15, Wednesday 19 May 2010


Introduction

Active Directory from Microsoft is a directory service that uses some open protocols, such as Kerberos, LDAP and SSL. There are several ways to use AD for authentication: pam_krb5, LDAP or winbind. For winbind see [ActiveDirectoryWinbindHowto]. The purpose of this document is to provide a guide to configuring Samba on Ubuntu to act as a file server in a Windows environment integrated into Active Directory. The goal is a file server that is as close to a one-to-one replacement for a Microsoft Windows file server as possible from the client's perspective.

Background

It is important to keep in mind that the Samba developers have had to reverse engineer Microsoft's implementation of the SMB protocol. The end result is that there are occasional issues that must be worked around when no bug fix exists. With the instructions below, behaviour should be acceptable in most corporate environments. Samba allows a great deal of flexibility in how shares behave on a per-share basis. Covering each configuration setting and how it behaves is outside the scope of this document; it is very beneficial to first read the smb.conf documentation on the Samba web page. There are quite a few settings in the documentation, but getting a general feel for what they are and what they do will help in understanding this document and in going a step beyond it by changing settings to suit your own tastes and environment.

Prerequisites

Security updates need to be enabled not only for the main repository but for the universe repository as well (as now documented below). If this is not done, security updates for the main (supported) packages create failed dependencies for the relevant universe packages. Here is the list of prerequisites specific to this document:

  • Ubuntu Server Edition default installation.
  • Windows 2003 Native Domain (mixed-mode not tested, but may work)
  • Ample hard drive space to accommodate packages and shares.
  • Proper IP DNS settings configured so that internal names can be resolved.

Installation

Install the samba, acl and attr packages if you wish to enable extended attributes, which allow finer control of file Access Control Lists. See InstallingSoftware for information on package managers and installing packages. You can edit /etc/fstab similarly to the following to enable extended attributes on boot:

<main file system> / ext3 defaults,acl,user_xattr,errors=remount-ro 0 1

Then remount the filesystem:

mount -o remount /

Kerberos

The first step in joining an Active Directory domain is to install and configure Kerberos. See Samba/Kerberos for details.

Pam

After Kerberos has been installed and configured, the authentication system (PAM) needs to be configured to use Active Directory. Edit /etc/pam.d/common-auth and add:

auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient      pam_unix.so likeauth nullok use_first_pass
auth    required        pam_deny.so
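To show why the order and control flags of the common-auth stack above matter, in particular the trailing `auth required pam_deny.so`, here is a small model of how Linux-PAM walks an auth stack. This is example code added here, not from the original page; the module outcomes are constructed inputs, and `requisite` is modelled for completeness although the page's stack does not use it.

```python
"""Model of how Linux-PAM walks the common-auth stack shown above.
Example code added here, not from the original page; module outcomes are constructed."""

# The auth stack from /etc/pam.d/common-auth on this page, in order.
COMMON_AUTH = [
    ("sufficient", "pam_krb5.so"),   # Kerberos against the AD KDC
    ("sufficient", "pam_unix.so"),   # local /etc/shadow, reusing the typed password
    ("required",   "pam_deny.so"),   # catch-all: nothing above accepted the user
]


def evaluate_stack(stack, outcomes):
    """Walk a PAM stack using the classic control flags.

    outcomes maps a module name to True (PAM_SUCCESS) or False (any failure);
    pam_deny.so always fails and needs no entry.  Returns a tuple
    (authenticated, modules_consulted) so the caller can see where the walk stopped.
    """
    consulted = []
    required_failed = False
    for control, module in stack:
        ok = False if module == "pam_deny.so" else outcomes[module]
        consulted.append(module)
        if control == "sufficient":
            # Success ends the stack immediately with PAM_SUCCESS, unless an
            # earlier 'required' module already failed.  Failure is ignored and
            # the next module gets a try, which is how pam_unix becomes the
            # fallback for local accounts when the KDC rejects or is unreachable.
            if ok and not required_failed:
                return True, consulted
        elif control == "required":
            # Failure is recorded but the walk continues, so the user cannot
            # tell from which module stopped the stack why they were rejected.
            if not ok:
                required_failed = True
        elif control == "requisite":
            # Failure stops the walk at once (not used by the page's stack).
            if not ok:
                return False, consulted
        else:
            raise ValueError("unsupported control flag: %s" % control)
    # Reached the end: either a required module failed or no sufficient module
    # succeeded.  Linux-PAM denies an all-ignored stack as well, so the trailing
    # pam_deny.so is defence in depth against a mis-edited stack, not the only
    # thing standing between a failed lookup and a login.
    return False, consulted


def demo():
    """The three situations a practitioner cares about with this stack:
    KDC accepts, KDC rejects but the local account matches, both reject."""
    kdc_ok = evaluate_stack(COMMON_AUTH, {"pam_krb5.so": True, "pam_unix.so": False})
    local_fallback = evaluate_stack(COMMON_AUTH, {"pam_krb5.so": False, "pam_unix.so": True})
    both_fail = evaluate_stack(COMMON_AUTH, {"pam_krb5.so": False, "pam_unix.so": False})
    return kdc_ok, local_fallback, both_fail


if __name__ == "__main__":
    for label, result in zip(("kdc ok", "local fallback", "both fail"), demo()):
        print("%-15s authenticated=%s consulted=%s" % (label, result[0], result[1]))
```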

Then edit /etc/pam.d/common-session:

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077

Note: kpasswd for password changing works, but note that AD by default disallows users from changing passwords more than once a day.

Note: The users from AD have to exist in /etc/passwd on the Ubuntu workstation; you can also use libnss-ldap to get the account info from AD.

LDAP

TestQuery: Windows

Assuming you do not maintain the Active Directory, you will want to determine the structure of AD before trying to connect to it from Linux. From a Windows PC connected to AD you should perform a query using Microsoft's Active Directory Application Mode (ADAM). ADAM is a package of tools that includes CSVDE, which we will be using to perform our queries. Type this into Google; the download page should be the second hit.

adam microsoft

Install it. Open the command prompt (Start > Run and type 'cmd') and navigate to the installation directory, by default c:\windows\ADAM.

Example queries:

Query a user entry

CSVDE -f export.csv -r "(&(objectClass=user)(sn=lastname))"

wildcards work as well

CSVDE -f export.csv -r "(&(objectClass=user)(sn=last*))"

Query a computer entry

CSVDE -f export.csv -r "(&(objectClass=computer)(cn=computername))"

Return everything in the following AD folder

CSVDE -d "OU=Pathology,OU=Departmental OUs,OU=Medcenter,DC=Med,DC=University,DC=edu" -f export.csv

The output of these queries is placed in export.csv inside c:\windows\ADAM, which can then be opened in a spreadsheet editor. For more on querying with ADAM's CSVDE see [www.computerperformance.co.uk/Logon/Logon_CSVDE.htm].

Configure AD

In Windows Server versions prior to WS03 R2, it is necessary to extend the LDAP schema from AD with the UNIX attributes. Install "Windows Services for UNIX" from Microsoft (I used version 3.5). SFU: http://www.microsoft.com/windows/sfu/

Note: Installing SFU 3.5 on Windows Server 2003 (non R2) does not appear to add the necessary LDAP schema extensions. In order to extend the LDAP schema, it is necessary to install the "Server for NIS" component. The installation needs to be performed using an account that has Enterprise Admin privileges in order for the schema to be extended successfully (indeed, Enterprise Admin privileges are required even if the schema has already been extended). In Active Directory, schema extensions are non-reversible, so if the NIS Server is not required, it can be removed once the schema extension is complete. If the SFU Server for NIS is installed, however, it will extend the Active Directory Users and Computers tool with a UNIX Attributes tab which allows GUI editing of the UNIX attributes for users, groups and computers.

In Windows Server 2003 R2, the Active Directory schema is already extended with an RFC2307-compliant schema. This differs from the schema extensions used in SFU 3.5, requiring a different libnss-ldap configuration. It is still necessary to install Server for NIS to extend the Active Directory Users and Computers tool with the UNIX Attributes tab to allow GUI editing of UNIX attributes for users, groups and computers.

TestQuery: Linux

We will want to perform a test query from Linux before we attempt to configure AD. It is much simpler to work out how to connect on the command line and then write the configuration than to reconfigure a file repeatedly. We need at least these two packages to perform test queries against Active Directory.

sudo apt-get install libnss-ldap ldap-utils

We perform queries with 'ldapsearch'. We must specify at least the following parameters. First, the LDAP server (domain controller):

ldapsearch -h medcenterdc01

and the authentication type: simple or SASL.

Note: If we have an Active Directory account and the proper libraries installed, we can also authenticate using SASL GSSAPI (Kerberos), in which case the -D and -W options are not needed:

sudo apt-get install libsasl2-modules-gssapi-mit
kinit ADuser
ldapwhoami -h medcenterdc01 -Y GSSAPI

SASL authentication off, simple authentication on (-x):

ldapsearch -h medcenterdc01 -x

and the folder (base DN) we want to search in:

ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu"  

and who to authenticate as (the bind DN):

ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu"  

We'll have it prompt for the password (-W) instead of specifying it on the command line:

ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -W  

and let's search for sammy's account:

ldapsearch -h medcenterdc01 -x -b "OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -D "CN=last name\\, firstname,OU=Users,OU=Pathology,OU=Departmental OUs,OU=medcenter,DC=mc,DC=university,DC=edu" -W "sAMAccountName=sammy"  

Note: One doesn't need to worry about spaces, but to specify a comma as part of the DN we need to prefix it with a backslash, written as '\\' inside the double-quoted argument so that a single backslash reaches ldapsearch:

CN=last name\\, firstname

libnss-ldap

Install libnss-ldap and nscd from the Universe repository. Then set up /etc/nsswitch.conf for LDAP:

    passwd:         compat
    group:          compat
    shadow:         compat
    passwd_compat:  ldap
    group_compat:   ldap
    shadow_compat:  ldap

    hosts:       files dns
    networks:    files dns

    services:    db files
    protocols:   db files
    rpc:         db files
    ethers:      db files
    netmasks:    files
    netgroup:    files
    bootparams:  files

    automount:   files
    aliases:     files

Note: If you have trouble when you attempt to ping and your network has a WINS server, you will want to append 'wins' to the hosts line of nsswitch.conf. You may notice this only when you try to ping a static-IP Linux PC from another Linux PC. I believe WINS support is part of the samba package; the IP addresses of the WINS servers are stored in /etc/samba/dhcp.conf, and the static-IP machine also needs to specify its NetBIOS name in /etc/samba/smb.conf.

Note: When fiddling with /etc/nsswitch.conf, it is best to turn the Name Service Caching Daemon off (/etc/init.d/nscd stop) or you will be confused by cached results. Turn it on again afterwards.

Then you need to set up /etc/libnss-ldap.conf (also known as /etc/ldap.conf):

    # Replace windc.example.com with your Windows DC
    uri ldap://windc.example.com/

    base dc=example,dc=com
    ldap_version 3

    # Add a user to AD, that can read the container
    # with the users, that you want use.
    binddn cn=ldapreader,cn=Users,dc=example,dc=com
    bindpw cvfd123

    scope sub
    timelimit 30


    pam_filter objectclass=User

    pam_login_attribute sAMAccountName
    pam_lookup_policy yes

    # Modify cn=User,dc=e... to your container with your users.
    nss_base_passwd cn=User,dc=example,dc=com?sub
    nss_base_shadow cn=User,dc=example,dc=com?sub
    nss_base_group  cn=User,dc=example,dc=com?sub

    # For MSSFU:
    nss_map_objectclass posixAccount User
    nss_map_objectclass shadowAccount User
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uniqueMember member
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_attribute loginShell msSFU30LoginShell
    nss_map_attribute gecos name
    nss_map_attribute cn sAMAccountName

I think it only needs rootbinddn, no binddn, with the bindpw in /etc/libnss-ldap.secret, not here. I have also successfully combined /etc/ldap/ldap.conf, /etc/libnss-ldap.conf, and /etc/pam_ldap.conf, symlinking them all to /etc/ldap/ldap.conf - AndyRabagliati

Warning: Incorrect nss_map settings will prevent one from authenticating and reading AD in general. These settings depend on the attribute names within your AD schema. In older systems the schema needs to be extended as described in the 'Configure AD' section. Once these *NIX attributes are part of the schema they can be modified with the MMC snap-in Active Directory Users and Groups, as long as idmu.exe has been installed from the Windows Server 2003 R2 Administration Tools Pack. If *NIX group membership has been administered by modifying the list in the UNIX Attributes tab of AD Users and Computers (which is REQUIRED in a NIS environment), then 'uniqueMember' should be mapped to 'msSFU30PosixMember' (or 'posixMember' for WS03R2), as 'member' only includes the membership listed in the Windows group. For Windows Server 2003 R2, the schema extensions are RFC2307 compliant: no longer prefixed 'msSFU30', and with the next letter in lower case (e.g. msSFU30UidNumber is now uidNumber).

Note: Further optimizations of the queries can be made for the nss_base properties:

    nss_base_passwd  dc=mydomain,dc=com?sub?(&(objectClass=user)(uidnumber=*))
    nss_base_shadow  dc=mydomain,dc=com?sub?(&(objectClass=user)(uidnumber=*))
    nss_base_group   dc=mydomain,dc=com?sub?(&(objectClass=group)(gidnumber=*))


The ampersand in the filters above specifies AND logic. The LDAP filter operators are:

AND (&(filter)(filter))
OR  (|(filter)(filter))
NOT (!(filter))
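As an added example (not from the original page), here is a small evaluator for the filter syntax above, run against constructed AD-style entries; it shows why the (uidnumber=*) clause in the optimized nss_base_passwd filter keeps accounts without UNIX attributes out of getent passwd. The entries are constructed for illustration, not taken from a real directory.

```python
# Added example (not from the page): a minimal RFC 4515 filter evaluator for
# the AND/OR/NOT/presence/equality forms shown above, run against constructed
# AD-style entries to show what the nss_base_* filters select.

def parse_filter(text):
    """Parse a filter string into a nested tuple; returns (tree, rest)."""
    assert text[0] == "(", "filter must start with '('"
    op = text[1]
    if op in "&|!":                      # compound filter: (&(..)(..)), (|..), (!..)
        children, rest = [], text[2:]
        while rest[0] == "(":
            child, rest = parse_filter(rest)
            children.append(child)
        assert rest[0] == ")", "unbalanced filter"
        return (op, children), rest[1:]
    end = text.index(")")                # simple item: (attr=value) or (attr=*)
    attr, value = text[1:end].split("=", 1)
    return ("=", attr.lower(), value), text[end + 1:]

def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict: lower-case attr -> list)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                     # presence test, e.g. (uidnumber=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # AD compares case-insensitively

def search(filter_text, entries):
    """Return the sAMAccountName of every entry matching filter_text."""
    tree, rest = parse_filter(filter_text)
    assert rest == "", "trailing characters after filter"
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]

# Constructed sample entries resembling an AD export; not real accounts.
SAMPLE_ENTRIES = [
    {"objectclass": ["top", "person", "user"], "samaccountname": ["sammy"],
     "uidnumber": ["10001"], "gidnumber": ["10000"]},
    {"objectclass": ["top", "person", "user"], "samaccountname": ["svc-backup"]},
    {"objectclass": ["top", "group"], "samaccountname": ["pathology"], "gidnumber": ["10000"]},
]
PASSWD_FILTER = "(&(objectClass=user)(uidnumber=*))"   # nss_base_passwd filter above
GROUP_FILTER = "(&(objectClass=group)(gidnumber=*))"   # nss_base_group filter above
```

search(PASSWD_FILTER, SAMPLE_ENTRIES) returns only sammy: svc-backup has no uidNumber and so never appears in getent passwd.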

Troubleshooting

To debug LDAP queries, make sure nscd is off and use the getent command:

sudo /etc/init.d/nscd stop

getent passwd
getent shadow
getent group

To follow the system calls the command makes, use strace:

strace getent passwd

If that's not enough, you can add a line to the configuration file for debug output:

debug 10

This can be a value anywhere from 1 to 10, 10 being the most verbose.

Note: With this configuration the LDAP traffic is unencrypted and can be sniffed. To make it secure, use SSL.

Now you need to set up /etc/pam.d/common-auth:

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    auth    sufficient      pam_ldap.so
    auth    required        pam_unix.so nullok_secure use_first_pass

Then set up /etc/pam.d/common-account:

    #
    # /etc/pam.d/common-account - authorization settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authorization modules that define
    # the central access policy for use on the system.  The default is to
    # only deny service to users whose accounts are expired in /etc/shadow.
    #
    account sufficient      pam_ldap.so
    account required        pam_unix.so

Note: We are still using Kerberos for authentication, but now we are storing the information that would normally be in /etc/passwd in Active Directory. Here are some other useful config files:

  • login.defs
  • nscd.conf

Here is an alternative configuration example: Patched pam_krb5 to include support for directory service users
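As an added example (not from the page), a small audit of a libnss-ldap style ldap.conf for the points raised above: the plaintext ldap:// URI warned about under Troubleshooting, bindpw kept in the main file rather than rootbinddn with /etc/libnss-ldap.secret, and a leftover debug level. The ssl, tls_checkpeer and tls_cacertfile keys are assumed from the nss_ldap ldap.conf manual, and the CA file path is a placeholder.

```python
# Added example (not from the page): audit a libnss-ldap/pam_ldap style
# ldap.conf for the exposures noted above: a plaintext ldap:// URI without
# TLS, bindpw in the world-readable main file instead of rootbinddn plus
# /etc/libnss-ldap.secret, and a lingering debug level. The 'ssl',
# 'tls_checkpeer' and 'tls_cacertfile' keys are assumed from the nss_ldap manual.

def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()   # a later duplicate key wins
    return conf

def audit_ldap_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings = []
    uri = conf.get("uri", "")
    tls = uri.startswith("ldaps://") or conf.get("ssl", "").lower() in ("on", "start_tls")
    if not tls:
        findings.append("plaintext LDAP: bind password and query results can be sniffed; "
                        "use ldaps:// or 'ssl start_tls'")
    elif conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the DC's certificate is not verified")
    if "bindpw" in conf:
        findings.append("bindpw in ldap.conf: readable by every local user; use rootbinddn "
                        "with the password in /etc/libnss-ldap.secret (mode 0600)")
    if conf.get("debug", "0") not in ("", "0"):
        findings.append("debug %s is set: verbose LDAP logging left enabled" % conf["debug"])
    return findings

# Constructed configs: the page's example as given, and a hardened variant.
WEAK_CONF = """uri ldap://windc.example.com/
base dc=example,dc=com
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw cvfd123
debug 10
"""
HARDENED_CONF = """uri ldaps://windc.example.com/
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem
rootbinddn cn=ldapreader,cn=Users,dc=example,dc=com
"""
```

audit_ldap_conf(WEAK_CONF) reports three findings for the example configuration shown earlier on this page, while audit_ldap_conf(HARDENED_CONF) reports none.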