Setting up the lab environment
The basic architecture diagram is as follows:
The AD server also runs the DNS service, so the hosts can reach each other and both forward and reverse name resolution work.
Linux machine configuration
OS and version information as follows:
Installing the Krb5 packages
The following four packages are needed:
krb5-workstation
krb5-devel
krb5-libs
pam_krb5
[root@centos6-server ~]# rpm -qa | grep krb
krb5-libs-1.10.3-10.el6.i686
krb5-devel-1.10.3-10.el6.i686
[root@centos6-server ~]# yum install krb5-workstation pam_krb5 -y
[root@centos6-server ~]# rpm -qa | grep krb5
krb5-libs-1.10.3-10.el6.i686
krb5-devel-1.10.3-10.el6.i686
krb5-workstation-1.10.3-10.el6.i686
pam_krb5-2.3.11-9.el6.i686
krb5-auth-dialog-0.13-3.el6.i686
The required krb5 packages are installed.
Installing the Samba packages
The following five packages are needed:
samba
samba-common
samba-client
samba-winbind
samba-winbind-clients
[root@centos6-server ~]# rpm -qa | grep samba
samba-winbind-3.6.9-151.el6.i686
samba-common-3.6.9-151.el6.i686
samba-winbind-clients-3.6.9-151.el6.i686
[root@centos6-server ~]# yum install samba-client samba -y
3. Joining the Linux machine to the domain through the GUI
The following error appears:
[root@centos6-server ~]# net ads join -U administrator
Enter administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket expired
Failed to join domain: failed to connect to AD: Ticket expired
Cause: the system clock is not synchronized with the domain controller (keep the difference within 5 minutes).
[root@centos6-server ~]# clock
Tue 22 Jul 2014 01:16:55 PM CST -0.157382 seconds
[root@centos6-server ~]# date -s 2014-07-23
Wed Jul 23 00:00:00 CST 2014
[root@centos6-server ~]# date -s 13:18:30
Wed Jul 23 13:18:30 CST 2014
[root@centos6-server ~]# hwclock --systohc
[root@centos6-server ~]# clock
Wed 23 Jul 2014 01:18:36 PM CST -0.235184 seconds
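The "Ticket expired" failure above comes from Kerberos rejecting a clock that is too far from the KDC. The following script is an added example, not part of the original post: it parses the "Server time offset" line that `net ads info` prints (the same output the post shows later) and refuses to go ahead with the join when the absolute offset is over the 300-second default clock-skew limit. The sample output embedded in the script is constructed from the post's own `net ads info` run; `MAX_SKEW`, `ads_time_offset`, `skew_ok` and `check_skew` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-join check for the Kerberos
# clock-skew limit. It parses the "Server time offset" line printed by
# `net ads info` and refuses to proceed when the offset exceeds MAX_SKEW.

MAX_SKEW=300   # seconds; the Kerberos default clockskew is 5 minutes

# Print the offset (in seconds, possibly negative) from `net ads info` output on stdin.
ads_time_offset() {
    sed -n 's/^Server time offset:[[:space:]]*\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' | head -n 1
}

# Return 0 when the absolute offset is within MAX_SKEW, 1 otherwise.
skew_ok() {
    offset="${1#-}"          # strip a leading minus sign
    [ "$offset" -le "$MAX_SKEW" ]
}

# Evaluate one `net ads info` output; exit status 0 = safe to join, 1 = fix the
# clock first, 2 = the offset line was not found.
check_skew() {
    off=$(printf '%s\n' "$1" | ads_time_offset)
    if [ -z "$off" ]; then
        echo "no 'Server time offset' line found in net ads info output" >&2
        return 2
    fi
    if skew_ok "$off"; then
        echo "clock offset ${off}s is within ${MAX_SKEW}s: safe to run net ads join"
    else
        echo "clock offset ${off}s exceeds ${MAX_SKEW}s: set the time and run hwclock --systohc before joining" >&2
        return 1
    fi
}

# Constructed sample, copied from the `net ads info` output shown later in the post.
SAMPLE_INFO='LDAP server: 192.168.4.172
LDAP server name: dc.test.com
Realm: TEST.COM
Bind Path: dc=TEST,dc=COM
LDAP port: 389
Server time: Wed, 23 Jul 2014 15:46:25 CST
KDC server: 192.168.4.172
Server time offset: -26'

# On a host that can reach the domain controller run: check_skew "$(net ads info)"
check_skew "$SAMPLE_INFO"
```

The check only needs the Samba client tools and can be run before every `net ads join`; an offset of -26 seconds, as in the post, passes, while a drift of several hundred seconds is reported before Kerberos produces the less obvious "Ticket expired" message.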
[root@centos6-server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'CENTOS6-SERVER' to dns domain 'test.com'
DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!
Cause: DNS configuration problem
The DNS server address was set to 127.0.0.1; change it to 192.168.4.172.
[root@centos6-server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'CENTOS6-SERVER' to dns domain 'test.com'
DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!
Refresh the DNS cache on the Linux machine:
[root@centos6-server ~]# yum install nscd -y
[root@centos6-server ~]# service nscd restart
Stopping nscd: [FAILED]
Starting nscd: [ OK ]
[root@centos6-server ~]# service nscd restart
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
[root@centos6-server ~]#
[root@centos6-server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'CENTOS6-SERVER' to dns domain 'test.com'
DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!
In the end the GUI still could not join the domain. (Switching to editing the configuration files showed that some of them were missing required parameters.)
4. Joining the domain by editing configuration files (mainly three files; the parts in the red boxes are what changes)
1. vi /etc/nsswitch.conf
2. vi /etc/krb5.conf
3. vi /etc/samba/smb.conf
[root@centos6-server ~]# chkconfig --list smb
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@centos6-server ~]# chkconfig smb on
/ enable the smb service to start automatically at boot
[root@centos6-server ~]# chkconfig --list smb
smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@centos6-server ~]# service smb start
Starting SMB services:
[root@centos6-server ~]# hostname
centos6-server
[root@centos6-server ~]# net ads info
LDAP server: 192.168.4.172
LDAP server name: dc.test.com
Realm: TEST.COM
Bind Path: dc=TEST,dc=COM
LDAP port: 389
Server time: Wed, 23 Jul 2014 15:46:25 CST
KDC server: 192.168.4.172
Server time offset: -26
/ show domain information
[root@centos6-server ~]# net ads testjoin
Join is OK
/ test: the domain join is OK
[root@centos6-server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'CENTOS6-SERVER' to dns domain 'test.com'
/ centos6-server joined the domain test.com successfully
The screenshot from the W2K8 AD console is as follows:
[root@centos6-server ~]# wbinfo -u
administrator
guest
krbtgt
zhang3
test11
/ list the users in the domain
The users zhang3 and test11 are also visible on the W2K8 AD server.
[root@centos6-server ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
/ list the groups in the domain
5. Creating the user's home directory automatically at login
[root@centos6-server ~]# vi /etc/pam.d/system-auth
Add the following line:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
[root@centos6-server ~]# vi /etc/pam.d/sshd
Add the following line:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
SSH login test:
Both test11 and zhang3 log in successfully over SSH.
GUI login test:
Both test11 and zhang3 log in successfully through the GUI.
From the Linux machine, administrator, test11 and zhang3 are all seen as domain users.
6. Joining the RHEL6 machine to the domain:
[root@rhel6-client ~]# cat /etc/issue
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel \r on an \m
[root@rhel6-client ~]# uname -r
2.6.32-220.el6.i686
[root@rhel6-client ~]# hostname
rhel6-client
[root@rhel6-client ~]# date
Thu Jul 24 14:17:38 CST 2014
[root@rhel6-client ~]# cat /etc/resolv.conf
nameserver 192.168.4.172
[root@rhel6-client ~]# nslookup dc.test.com
Server: 192.168.4.172
Address: 192.168.4.172#53
Name: dc.test.com
Address: 192.168.4.172
[root@rhel6-client ~]# nslookup 192.168.4.172
Server: 192.168.4.172
Address: 192.168.4.172#53
172.4.168.192.in-addr.arpa name = dc.test.com.
Time synchronization and DNS resolution are already in order.
Install and configure following the CentOS6 setup:
[root@rhel6-client ~]# yum install krb5-workstation pam_krb5 -y
[root@rhel6-client ~]# yum install samba samba-client samba-common samba-winbind samba-winbind-clients -y
[root@rhel6-client ~]# vi /etc/nsswitch.conf
Modified section:
passwd: files winbind
shadow: files winbind
group: files winbind
[root@rhel6-client ~]# vi /etc/krb5.conf
Modified section:
[realms]
TEST.COM = {
kdc = 192.168.4.172:88
admin_server = 192.168.4.172:749
default_domain = test.com
kdc = 192.168.4.172
}
[domain_realm]
test.com = TEST.COM
.test.com = TEST.COM
[root@rhel6-client ~]# vi /etc/samba/smb.conf
Modified section:
workgroup = TEST
; security = user
; passdb backend = tdbsam
/ comment out the two lines above
password server = 192.168.4.172
realm = TEST.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = /
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
[homes]
comment = Home Directories
path = /home/%D/%U
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
valid users = TEST.COM\%U
create mode = 0644
directory mode = 0755
[root@rhel6-client ~]# service smb start
Starting SMB services: [ OK ]
[root@rhel6-client ~]# chkconfig --list smb
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@rhel6-client ~]# chkconfig smb on
[root@rhel6-client ~]# chkconfig --list smb
smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@rhel6-client ~]# net ads info
[2014/07/24 15:00:42.789987, 0] param/loadparm.c:7619(lp_do_parameter)
Ignoring unknown parameter "idmap conifg *"
LDAP server: 192.168.4.172
LDAP server name: dc.test.com
Realm: TEST.COM
Bind Path: dc=TEST,dc=COM
LDAP port: 389
Server time: Thu, 24 Jul 2014 15:01:13 CST
KDC server: 192.168.4.172
Server time offset: 31
[root@rhel6-client ~]# net ads join -U administrator
[2014/07/24 14:52:20.186378, 0] param/loadparm.c:7619(lp_do_parameter)
Ignoring unknown parameter "idmap conifg *"
Enter administrator's password:
Using short domain name -- TEST
Joined 'RHEL6-CLIENT' to realm 'test.com'
[root@rhel6-client ~]# wbinfo -u
[root@rhel6-client ~]# wbinfo -g
No domain information has been retrieved yet; wait a moment.
[root@rhel6-client ~]# service winbind restart
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[root@rhel6-client ~]# wbinfo -u
administrator
guest
krbtgt
zhang3
test11
[root@rhel6-client ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
[root@rhel6_client ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
administrator:*:16777216:16777220:Administrator:/home/TEST/administrator:/bin/bash
guest:*:16777217:16777221:Guest:/home/TEST/guest:/bin/bash
krbtgt:*:16777218:16777220:krbtgt:/home/TEST/krbtgt:/bin/bash
zhang3:*:16777219:16777220:zhang3:/home/TEST/zhang3:/bin/bash
test11:*:16777220:16777220:test11:/home/TEST/test11:/bin/bash
[root@rhel6_client ~]# getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail,postfix
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
floppy:x:19:
vcsa:x:69:
cdrom:x:11:
tape:x:33:
dialout:x:18:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
sshd:x:74:
nscd:x:28:
ldap:x:55:
wbpriv:x:88:
domain computers:*:16777222:
domain controllers:*:16777223:
schema admins:*:16777224:administrator
enterprise admins:*:16777225:administrator
cert publishers:*:16777226:
domain admins:*:16777227:administrator
domain users:*:16777220:
domain guests:*:16777221:
group policy creator owners:*:16777228:administrator
ras and ias servers:*:16777229:
allowed rodc password replication group:*:16777230:
denied rodc password replication group:*:16777231:krbtgt
read-only domain controllers:*:16777232:
enterprise read-only domain controllers:*:16777233:
dnsadmins:*:16777234:
dnsupdateproxy:*:16777235:
rhel6-client joined the domain successfully.
[root@rhel6-client ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
[root@rhel6-client ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_ldap.so
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
Login test
[root@rhel6_client ~]# su - test11
su: user test11 does not exist
[root@rhel6_client ~]# su - zhang3
su: user zhang3 does not exist
[root@rhel6_client ~]#cat /var/log/secure
Error messages:
Jul 24 15:39:41 rhel6-client sshd[1734]: pam_succeed_if(sshd:auth): error retrieving information about user zhang3
Jul 24 15:39:43 rhel6-client sshd[1734]: Failed password for invalid user zhang3 from 192.168.4.240 port 62095 ssh2
Jul 24 15:39:46 rhel6-client sshd[1735]: Received disconnect from 192.168.4.240: 13: The user canceled authentication.
Jul 24 15:40:01 rhel6-client sshd[1736]: Invalid user test11 from 192.168.4.240
Jul 24 15:40:01 rhel6-client sshd[1737]: input_userauth_request: invalid user test11
Jul 24 15:40:08 rhel6-client sshd[1736]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 15:40:08 rhel6-client sshd[1736]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.240
Jul 24 15:40:08 rhel6-client sshd[1736]: pam_succeed_if(sshd:auth): error retrieving information about user test11
Jul 24 15:40:10 rhel6-client sshd[1736]: Failed password for invalid user test11 from 192.168.4.240 port 62122 ssh2
Jul 24 15:40:13 rhel6-client sshd[1737]: Received disconnect from 192.168.4.240: 13: The user canceled authentication
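The log lines above show a specific pattern: sshd reports "invalid user" and pam_succeed_if reports "error retrieving information about user", which means NSS could not resolve the domain account at all, not that the password was wrong. The script below is an added example, not part of the original post; it triages sshd entries from /var/log/secure into accounts NSS did not know (the winbind/nsswitch symptom) and known accounts with a bad password. The sample log is constructed from the lines the post shows plus one ordinary bad-password line for a local account, and `unknown_users`, `bad_password_users`, `count_entries` and `triage` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: triage sshd lines from /var/log/secure
# to separate users NSS could not resolve at all (the winbind/nsswitch symptom
# shown above: "invalid user" plus pam_succeed_if's "error retrieving information")
# from ordinary wrong-password attempts by known accounts.

# Users rejected before PAM ran because NSS did not know them.
unknown_users() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Failed password for invalid user \([^ ]*\) from .*/\1/p' \
        | sort -u
}

# Users that NSS resolved but whose password was wrong. The token after "for"
# must be directly followed by " from", so "invalid user X" lines never match.
bad_password_users() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Failed password for \([^ ]*\) from .*/\1/p' \
        | sort -u
}

# Count non-empty newline-separated entries.
count_entries() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Print a short verdict; the last line is "<n> unknown, <m> bad-password".
triage() {
    unk=$(unknown_users "$1")
    bad=$(bad_password_users "$1")
    if [ -n "$unk" ]; then
        echo "NSS could not resolve: $(printf '%s' "$unk" | tr '\n' ' ')"
        echo "-> check wbinfo -t and wbinfo -u, the winbind entries in /etc/nsswitch.conf, and whether winbind is running"
    fi
    if [ -n "$bad" ]; then
        echo "wrong password for known users: $(printf '%s' "$bad" | tr '\n' ' ')"
    fi
    echo "$(count_entries "$unk") unknown, $(count_entries "$bad") bad-password"
}

# Constructed sample, based on the lines the post shows plus one ordinary
# bad-password line for a local account.
SAMPLE_LOG='Jul 24 15:39:41 rhel6-client sshd[1734]: pam_succeed_if(sshd:auth): error retrieving information about user zhang3
Jul 24 15:39:43 rhel6-client sshd[1734]: Failed password for invalid user zhang3 from 192.168.4.240 port 62095 ssh2
Jul 24 15:40:01 rhel6-client sshd[1736]: Invalid user test11 from 192.168.4.240
Jul 24 15:40:10 rhel6-client sshd[1736]: Failed password for invalid user test11 from 192.168.4.240 port 62122 ssh2
Jul 24 15:41:02 rhel6-client sshd[1740]: Failed password for root from 192.168.4.240 port 62130 ssh2'

# On a real host: triage "$(grep sshd /var/log/secure)"
triage "$SAMPLE_LOG"
```

When the "unknown" list contains domain accounts that `wbinfo -u` does list, the gap is between winbind and NSS (the `winbind` entries in /etc/nsswitch.conf or a stopped winbind daemon), which is exactly what restarting winbind fixed in the post; when `wbinfo -u` is empty as well, the trust with the domain (`wbinfo -t`) is the place to look.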
[root@rhel6-client Packages]# yum install rpcbind -y
[root@rhel6-client Packages]# /etc/init.d/winbind restart
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[root@rhel6-client Packages]# wbinfo -t
checking the trust secret for domain TEST via RPC calls succeeded
[root@rhel6-client Packages]# wbinfo -u
administrator
guest
krbtgt
zhang3
test11
[root@rhel6-client Packages]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
Because the domain user's directory could not be created automatically, it has to be created by hand; here RHEL6 differs from CentOS6, which creates the login user's directory automatically.
[root@rhel6-client Packages]#cd /home
[root@rhel6-client home]# ls -al
total 8
drwxr-xr-x. 2 root root 4096 Jul 25 10:37 .
dr-xr-xr-x. 21 root root 4096 Jul 25 10:28 ..
[root@rhel6-client ]#cd
[root@rhel6-client ]# mkdir /home/TEST
[root@rhel6-client ]# chmod -R 755 /home/TEST
[root@rhel6-client ]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@rhel6-client home]# service winbind restart
Shutting down Winbind services: [FAILED]
Starting Winbind services: [ OK ]
[root@rhel6-client]# wbinfo -t
checking the trust secret for domain TEST via RPC calls succeeded
[root@rhel6-client ]# wbinfo -u
administrator
guest
krbtgt
zhang3
test11
[root@rhel6-client ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
[root@rhel6-client ~]# su - zhang3
[zhang3@rhel6-client ~]$ exit
logout
[root@rhel6-open*** ~]# su - test11
[test11@rhel6-open*** ~]$
[root@rhel6-open*** ~]# ls -al /home/
total 12
drwxr-xr-x. 3 root root 4096 Jul 25 10:37 .
dr-xr-xr-x. 21 root root 4096 Jul 25 10:28 ..
drwxr-xr-x 4 root root 4096 Jul 25 10:39 TEST
[root@rhel6-open*** ~]# cd /home/TEST/
[root@rhel6-open*** TEST]# ls -al
total 16
drwxr-xr-x 4 root root 4096 Jul 25 10:39 .
drwxr-xr-x. 3 root root 4096 Jul 25 10:37 ..
drwxr-xr-x 2 test11 domain users 4096 Jul 25 11:08 test11
drwxr-xr-x 2 zhang3 domain users 4096 Jul 25 10:39 zhang3
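On the RHEL6 host the domain logins only worked once /home/TEST existed, and both `template homedir` and the `[homes]` path in smb.conf contain `%D`, so the per-domain parent directory has to be present before the per-user directories can appear under it. The script below is an added example, not part of the original post: it reads `workgroup` and `template homedir` from an smb.conf, derives the parent directory and creates it with the mode the post uses (0755). The smb.conf fragment is constructed from the post's settings and written to a temporary sandbox; `smb_value`, `domain_home_parent` and `ensure_domain_home` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: derive the per-domain parent
# directory implied by "template homedir = /home/%D/%U" in smb.conf and create it
# with the mode the post uses (0755), so the user directories underneath can be
# created at login. The first argument is a root prefix used here as a sandbox;
# on a real host pass "" so the directory lands under /home.

# Print the value of one smb.conf key (first occurrence, trailing spaces removed).
smb_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Expand %D in the template with the short domain name and print the parent dir.
domain_home_parent() {
    expanded=$(printf '%s\n' "$1" | sed "s|%D|$2|g")
    dirname "$expanded"
}

# Create <root>/home/<DOMAIN> (mode 0755) if it is missing and print its path.
ensure_domain_home() {
    root="$1"; conf="$2"
    domain=$(smb_value workgroup "$conf")
    tmpl=$(smb_value 'template homedir' "$conf")
    parent="${root}$(domain_home_parent "$tmpl" "$domain")"
    if [ ! -d "$parent" ]; then
        mkdir -p "$parent"
        chmod 0755 "$parent"
    fi
    printf '%s\n' "$parent"
}

# Constructed sample smb.conf fragment with the settings the post uses.
SANDBOX=$(mktemp -d)
cat > "$SANDBOX/smb.conf" <<'EOF'
[global]
   workgroup = TEST
   realm = TEST.COM
   security = ads
   winbind use default domain = true
   template homedir = /home/%D/%U
   template shell = /bin/bash
EOF

# On a real host: ensure_domain_home "" /etc/samba/smb.conf
ensure_domain_home "$SANDBOX" "$SANDBOX/smb.conf"
```

The parent stays root-owned and world-readable, matching the `ls -al /home` listing above, while the per-user directories created by pam_mkhomedir keep the ownership and umask configured in the PAM line.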
The domain users test11 and zhang3 can now log in to the rhel6 machine successfully.
At this point the mainstream Linux systems CentOS6 and RHEL6 have both been joined to the Windows Server 2008 AD domain.
The main problems encountered along the way were: 1. time synchronization, 2. DNS resolution, 3. configuration parameter details in smb.conf and krb5.conf.