linux加入域的配置


代碼:

cat /etc/resolv.conf
# Resolver for the domain member. It must resolve the domain controller's
# name used in the Kerberos/Samba configs below (ad.51cto.com) — presumably
# this address is the DC itself or a DNS server hosting the AD zone; confirm.
nameserver 192.168.5.10
代碼:

cat /etc/krb5.conf
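# /etc/krb5.conf — Kerberos client settings for the 51CTO.COM realm.
# Only whole lines starting with # or ; are comments; text placed after a
# value is read as part of the value.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# realm names are case-sensitive; for AD it is the DNS domain in upper case
default_realm = 51CTO.COM
# DNS discovery is off, so the KDC must be listed explicitly under [realms]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
# forwardable TGTs let a service obtain tickets on the user's behalf
# (delegation); keep only if that is wanted. Written as "true" to match the
# [appdefaults] entry below — krb5 treats yes/true alike.
forwardable = true

[realms]
51CTO.COM = {
kdc = ad.51cto.com:88
admin_server = ad.51cto.com:749
default_domain = 51cto.com
}

[domain_realm]
# hosts in the 51cto.com DNS domain belong to the 51CTO.COM realm
.51cto.com = 51CTO.COM
51cto.com = 51CTO.COM

[kdc]
# only consulted by a local KDC; harmless on a client (spacing normalised)
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
# presumably seconds (10 hours) — confirm against the pam_krb5 documentation
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}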
代碼:

cat /etc/samba/smb.conf |grep -v ";"|grep -v "#" |grep -v "^$"
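# /etc/samba/smb.conf — AD domain member (security = ads) for the 51CTO realm.
# Samba treats a line as a comment only when it STARTS with ; or #.
[global]
workgroup = 51CTO
netbios name = linux
# shown in browse lists; %v expands to the Samba version. The earlier
# duplicate "server string = Samba Server" was dropped: Samba keeps the last
# value of a repeated key, so this one was the effective setting anyway.
server string = Samba Server Version %v
printcap name = /etc/printcap
password server = ad.51cto.com
realm = 51CTO.COM
security = ads
# UID/GID range handed to domain accounts.
# NOTE(review): starting at 500 overlaps the range local users normally get
# on this platform — confirm no local account falls inside it, or start
# higher (the later example on this page uses 15000-20000). Changing the
# range after deployment remaps every existing domain user.
idmap uid = 500-33554431
idmap gid = 500-33554431
# every domain account receives a login shell on this host; restrict who may
# actually log in (pam_winbind require_membership_of, sshd AllowGroups) if
# that is not intended
template shell = /bin/bash
template homedir = /home/%U
# usernames are accepted/presented without the domain prefix
winbind use default domain = yes
# caches credentials so domain users can still log in while the DC is unreachable
winbind offline logon = true
winbind separator = /
# enumerating all domain users/groups is expensive on large domains
winbind enum users = yes
winbind enum groups = yes
passdb backend = tdbsam
load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes
# NOTE(review): 0777 permits world-readable/writable files and directories in
# a per-user share; 0600/0700 would match the umask 077 / chmod 700 advice
# given for home directories later on this page
create mode = 0777
directory mode = 0777
path = /home/%U
# %S is the share name, i.e. the connecting user. The duplicate
# "valid users = MYDOMAIN\%S" line that followed was a stock placeholder and,
# being last, silently overrode this entry — removed.
valid users = %S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes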


以上是圖解。


下面說說ios

vi /etc/krb5.conf

例如個人linux 名是linux,域控名是2003-r2-4.ccna.local

根據配置修改如下內容:
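# /etc/krb5.conf — client settings for the CCNA.LOCAL realm
# (domain controller 2003-r2-4.ccna.local).
# Comments must be whole lines starting with # or ;; anything after a value
# is read as part of the value.
[libdefaults]
default_realm = CCNA.LOCAL
# realm/KDC discovery through DNS; the explicit [realms] entry below still
# applies when DNS does not answer
dns_lookup_realm = true
dns_lookup_kdc = true
# important: lifetime of the initial ticket. The note was originally written
# after the value, which would have corrupted the duration.
ticket_lifetime = 24h
# spelling fixed — "forwrdable" is not a known option and appears to be
# silently ignored by the profile parser
forwardable = yes

[realms]
CCNA.LOCAL = {
kdc = 2003-r2-4.ccna.local
admin_server = 2003-r2-4.ccna.local
default_domain = ccna.local
}

[domain_realm]
# map hosts in the AD DNS domain to the realm. The original
# ".kerberos.server" entry looks like a leftover sample value and did not
# cover ccna.local at all.
.ccna.local = CCNA.LOCAL
ccna.local = CCNA.LOCAL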

保存,測試通訊

kinit domainusername@CCNA.LOCAL


若是正常通訊會返回到命令行,不然會顯示出錯
配置/etc/samba/smb.conf
修改如下幾點
 workgroup = CCNA
 realm = CCNA.LOCAL
 server string = Samba Server
 security = ADS
 password server = 192.168.10.234 #這是域控IP
 log file = /var/log/samba/%m.log
 max log size = 50
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = /etc/printcap
 preferred master = No
 dns proxy = No
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 template shell = /bin/bash #這樣AD用戶就能夠登陸linux本機了,若是不想讓其登陸,就不分配shell 如 template shell = /bin/null
 winbind separator = /  #域名跟用戶之間的分隔符,例:CCNA/test
 winbind use default domain = Yes #設yes,則用戶能夠不用輸域名前輟就能夠驗證,設no,則需輸域名前輟
 cups options = raw
winbind cache time = 3600
保存後用testparm檢查配置有沒有錯,重啓samba服務
加域: net ads join -S ccna.local -U domainadminusername

另外一種方法加域:

 net rpc join -S snoopy.echo -U Administrator


最後一步,配置WINBIND,將/etc/nsswitch.conf前面三行改成
# /etc/nsswitch.conf — resolve users and groups from local files first,
# then from winbind (domain accounts).
passwd:  files winbind
# NOTE(review): the other nsswitch example on this page lists only "files"
# for shadow; winbind is believed not to serve shadow entries, so this is
# likely harmless but unnecessary — confirm for the installed Samba version.
shadow:  files winbind
group:  files winbind

保存後重啓winbind 服務
如今驗證winbind是否工做
wbinfo -u
若是返回域用戶信息,則配置成功



創建AD用戶家目錄,默認狀況下,AD用戶的家目錄會在/home/domain/下,不過要本身建立,若是想改變AD用戶家目錄路徑,
能夠在smb.conf的全局設置裏添加 template homedir = /home/%U ,這是把目錄 設在/home/下
更改權限:
先設默認目錄跟文件的權限
umask 077 (這樣新建的目錄權限變爲 drwx------ 了)
更改AD用戶家目錄的擁有者
更改時,要用ad組的id才成功,如 chown domainuser:domaingroupid filename #能夠用getent group查看
更改其它用戶權限:
chmod 700 filename
若是想用acl管理其它用戶對文件的權限,須要在/etc/fstab 中掛載的分區的第四列加上acl
eg:/dev/sda4 /mnt/sda4 ext3 defaults,acl 0 0
作到這裏有一個小問題,就是剛起動winbind服務時,讀取不到域用戶信息,日誌顯示
make_server_info_info3: pdb_init_sam failed!
要用 wbinfo -u 才行




再一種方法詳解:



1、實驗環境:

AD server:Windows Server 2003

AD samba:CentOS 5.2

AD server的hostname和IP地址:

rocdk890  192.168.1.142/24

AD samba的hostname和IP地址:

lamp    192.168.1.144/24

Domain name:rocdk890.tt.com

DNS:192.168.1.142

安裝NTP時間驗證套件:

# mount /dev/cdrom /media

# rpm -ivh /media/CentOS/RPMS/ntp-4.2.2p1-7.el5.i386.rpm

固然也能夠用yum來安裝

#yum -y install ntp (注意ntp要小寫)

再來與AD server校準時間(Kerberos 驗證要求雙方時鐘誤差不能過大,時間不同步時 kinit 和加域會因時鐘偏差而失敗)

# ntpdate 192.168.1.142

# hwclock -w

安裝Samba服務器軟件需求:

krb5-workstation-1.2.7-19

pam_krb5-1.70-1

krb5-devel-1.2.7-19

krb5-libs-1.2.7-19

samba-3.0.5-2

固然我在這裏偷了下懶,我直接用yum進行的安裝,畢竟只是瞭解下這個實驗的思路,因此就不用管安全性了。

#yum -y install samba

安裝完後,若是你要確認samba安裝成功沒有能夠用下述命令來檢查samba包的基礎庫支持,通常用yum安裝或RPM安裝是不會有問題的。

# smbd -b | grep LDAP

HAVE_LDAP_H

HAVE_LDAP

HAVE_LDAP_DOMAIN2HOSTLIST

...

# smbd -b | grep KRB

HAVE_KRB5_H

HAVE_ADDRTYPE_IN_KRB5_ADDRESS

HAVE_KRB5

...

# smbd -b | grep ADS

WITH_ADS

WITH_ADS

# smbd -b | grep WINBIND

WITH_WINBIND

WITH_WINBIND

2、編輯設定檔

一、krb5配置

#vi /etc/krb5.conf

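# /etc/krb5.conf for the TT.COM realm (DC rocdk890, 192.168.1.142).
# Only whole lines starting with # or ; are comments. The original placed its
# notes after the values, which would be read as part of the value (for
# example the realm name), so they are moved above the keys here.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# the AD domain name in upper case
default_realm = TT.COM
# DNS discovery is off: the KDC listed under [realms] is used
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
# realm name in upper case
TT.COM = {
# domain controller IP, Kerberos port
kdc = 192.168.1.142:88
# domain controller IP, kadmin port
admin_server = 192.168.1.142:749
# the DNS domain — lower case here
default_domain = tt.com
}

[domain_realm]
# hosts in the tt.com DNS domain belong to the TT.COM realm
.tt.com = TT.COM
tt.com = TT.COM

[kdc]
# only consulted by a local KDC; harmless on a client
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
# presumably seconds (10 hours) — confirm against the pam_krb5 documentation
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}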

鏈接AD server

kinit administrator@TT.COM

Kerberos 的 kinit 命令將測試服務器間的通訊,後面的域名TT.COM 是你的活動目錄的域名,必須大寫,不然會收到錯誤信息:

kinit(v5): Cannot find KDC for requested realm while getting initial credentials.

若是通訊正常,你會提示輸入口令,口令正確的話,就返回 bash 提示符,若是錯誤則報告:

kinit(v5): Preauthentication failed while getting initial credentials.

這一步表明了已經能夠和AD server作溝通了,但並不表明Samba Server已經加入域了。

二、smb.conf配置

#vi /etc/samba/smb.conf

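#===================== Global Settings =========================
# Samba domain member for the TT domain. The host is joined with
# "net rpc join" (security = domain), so the Kerberos realm setting is left
# commented out as the author preferred.
# "#" and ";" are comments only at the start of a line — the notes that
# followed values in the original have been moved above the keys.
[global]
# must be your own domain (NetBIOS) name
workgroup = TT
# this Linux host's name
netbios name = lamp
# UID/GID range allocated to domain accounts, above the local user range
idmap uid  = 15000-20000
idmap gid  = 15000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator  = /
;    winbind use default domain = yes
template homedir = /home/%D/%U
# every domain account (the getent output later on this page shows guest and
# krbtgt too) receives this shell; restrict interactive login separately if
# that is not intended
template shell  = /bin/bash
;    interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
# networks allowed to connect; the 192.168.12./13. entries mirror the
# commented interfaces example and can be dropped if those networks do not exist
hosts allow = 192.168.1. 127. 192.168.12. 192.168.13.

# ----------------------- Domain Members Options ------------------------
security = domain
;    passdb backend = tdbsam
# the author considers it better to leave realm commented out here
;   realm = TT.COM
# the author reports that authentication fails later without this line
encrypt passwords = yes
password server = 192.168.1.142

[homes]
path = /home/%D/%U
browseable = no
writable = yes
# include the domain name, otherwise an AD account cannot open its share even
# with the correct password. The trailing "#..." note in the original was
# glued to the value, which would have made every name mismatch.
# NOTE(review): %U is the session username; the stock sample uses %S (the
# share name) — confirm which form winbind matches in this setup.
valid users = tt.com/%U
# NOTE(review): 0777 permits world-readable/writable files and directories in
# a private home share; 0600/0700 would match the umask 077 / chmod 700 advice
# given elsewhere on this page
create mode = 0777
directory mode = 0777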

三、配置nsswitch.conf

#vi /etc/nsswitch.conf

修改如下位置

# /etc/nsswitch.conf — users and groups come from local files first, then winbind
passwd:   files winbind

# shadow stays local only (the earlier nsswitch example on this page adds winbind here)
shadow:   files

group:   files winbind

四、啓用samba和winbind服務

service smb reload  #加這一句是用來解決有時候samba啓動不了的問題

service smb start

service winbind start

五、加入AD域

[root@lamp ~]# net rpc join -S rocdk890.tt.com -U administrator

Password:

Joined domain TT.

六、驗證加入是否成功

[root@lamp ~]# net rpc testjoin

Join to 'TT' is OK

[root@lamp ~]# wbinfo -t

checking the trust secret via RPC calls succeeded

[root@lamp ~]# wbinfo -u

TT/administrator

TT/guest

TT/support_388945a0

TT/krbtgt

[root@lamp ~]# wbinfo -g

TT/domain computers

TT/domain controllers

TT/schema admins

TT/enterprise admins

TT/domain admins

TT/domain users

TT/domain guests

TT/group policy creator owners

TT/dnsupdateproxy

[root@lamp ~]# getent passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

news:x:9:13:news:/etc/news:

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

rpm:x:37:37::/var/lib/rpm:/sbin/nologin

dbus:x:81:81:System message bus:/:/sbin/nologin

mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

nscd:x:28:28:NSCD Daemon:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin

rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

pcap:x:77:77::/var/arpwatch:/sbin/nologin

haldaemon:x:68:68:HAL daemon:/:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

TT/administrator:*:15000:15000:Administrator:/home/TT/administrator:/bin/bash

TT/guest:*:15001:15001:Guest:/home/TT/guest:/bin/bash

TT/support_388945a0:*:15002:15000:SUPPORT_388945a0:/home/TT/support_388945a0:/bin/bash

TT/krbtgt:*:15003:15000:krbtgt:/home/TT/krbtgt:/bin/bash

[root@lamp ~]# getent group

root:x:0:root

bin:x:1:root,bin,daemon

daemon:x:2:root,bin,daemon

sys:x:3:root,bin,adm

adm:x:4:root,adm,daemon

tty:x:5:

disk:x:6:root

lp:x:7:daemon,lp

mem:x:8:

kmem:x:9:

wheel:x:10:root

mail:x:12:mail

news:x:13:news

uucp:x:14:uucp

man:x:15:

games:x:20:

gopher:x:30:

dip:x:40:

ftp:x:50:

lock:x:54:

nobody:x:99:

users:x:100:

rpm:x:37:

dbus:x:81:

utmp:x:22:

mailnull:x:47:

smmsp:x:51:

nscd:x:28:

floppy:x:19:

vcsa:x:69:

rpc:x:32:

rpcuser:x:29:

nfsnobody:x:65534:

sshd:x:74:

pcap:x:77:

utempter:x:35:

slocate:x:21:

haldaemon:x:68:

ntp:x:38:

TT/domain computers:*:15002:

TT/domain controllers:*:15003:

TT/schema admins:*:15004:TT/administrator

TT/enterprise admins:*:15005:TT/administrator

TT/domain admins:*:15006:TT/administrator

TT/domain users:*:15000:

TT/domain guests:*:15001:

TT/group policy creator owners:*:15007:TT/administrator

TT/dnsupdateproxy:*:15008:

七、作完這些,就能夠到AD server上的活動目錄中看到該機器了,剩下的就不用我說了吧。
