Configuring Linux to Connect to a Windows AD Server

Prerequisites

Purpose

So that users managed in Windows Active Directory can also be used on Linux servers.

Note: this article does not cover setting up the AD server itself.

Environment

  • AD server: Windows Server 2008 R2

    • Fully qualified domain name (FQDN): wins.example.com
  • Linux server: Oracle Linux 6.4 (64-bit)

    • Fully qualified domain name (FQDN): demo.example.com

Configuring the Linux Server's Network

First, disable SELinux and the iptables firewall.

Add the AD server to the hosts file

vi /etc/hosts
127.0.0.1   demo localhost localhost.localdomain
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.56.13  demo.example.com
192.168.56.5   wins.example.com

Edit resolv.conf

This is where the DNS server address is configured. You can use Windows Server to set up a simple DNS server, or refer to this document to build a DNS server on Linux.

vi /etc/resolv.conf
search example.com
nameserver 192.168.56.254

Restart the network service

service network restart

Installing the Required Packages

Confirm the Winbind and Samba packages

[root@demo ~]# rpm -qa | grep samba
samba4-libs-4.0.0-55.el6.rc4.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64

If the installed packages differ from those listed above, install them with the following command:

yum install samba-winbind ...

For Winbind, the following packages must be installed:

[root@demo ~]# rpm -qa | grep winbind
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64

Once the packages above are installed, the ntlm_auth command is available.

Configuring the Services

Configure smb.conf

cp -p /etc/samba/smb.conf /etc/samba/smb.conf.orig 
vim /etc/samba/smb.conf
# ---- Settings for Winbind ----
  security = ads
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  password server = wins.example.com
  encrypt passwords = true
  idmap uid = 10000-25000
  idmap gid = 10000-20000
  winbind use default domain = yes
  winbind cache time = 90
#  winbind nested groups = yes
  template shell = /bin/bash
#  template homedir = /home/%U

Edit nsswitch.conf

cp -p /etc/nsswitch.conf /etc/nsswitch.conf.orig
vi /etc/nsswitch.conf
#----- 
passwd:     files winbind
shadow:     files winbind
group:      files winbind

Edit krb5.conf

cp -p /etc/krb5.conf /etc/krb5.conf.orig
vi /etc/krb5.conf
#----- 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = wins.example.com
  admin_server = wins.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
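The three files above have to agree with each other (same realm in smb.conf and krb5.conf, the same host as password server and KDC, winbind listed for every NSS database) or the join and the later lookups fail in confusing ways. The script below is an added example, not part of the original article: it cross-checks those settings. Its functions take file paths, so on a member server they can be pointed at /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf; the sample copies it writes are constructed from the article's values so the script also runs offline.

```shell
#!/bin/sh
# Added example (not part of the original article): cross-check the three
# files edited above before attempting "net ads join".  The check functions
# take file paths, so on a member server they can be pointed at
# /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf; the copies
# written below are constructed from the article's own values so that the
# script also runs offline.

# First "key = value" in an smb.conf-style file; commented lines never match.
conf_get() {            # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# First "key = value" inside one [section] of krb5.conf.  Section awareness
# matters: [logging] also has a "kdc =" line that must not be picked up.
ini_get() {             # ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { gsub(/[[:space:]]/, ""); insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Prints every inconsistency found; returns 0 only when the files agree.
check_member_config() { # check_member_config SMB_CONF KRB5_CONF NSSWITCH_CONF
    rc=0
    security=$(conf_get "$1" security)
    realm=$(conf_get "$1" realm)
    pwsrv=$(conf_get "$1" "password server")
    default_realm=$(ini_get "$2" libdefaults default_realm)
    kdc=$(ini_get "$2" realms kdc)

    [ "$security" = ads ] || { echo "smb.conf: security must be 'ads', found '$security'"; rc=1; }
    # Kerberos realm names are case-sensitive and AD realms are upper-case.
    case $realm in *[[:lower:]]*) echo "smb.conf: realm '$realm' is not upper-case"; rc=1;; esac
    [ "$realm" = "$default_realm" ] ||
        { echo "realm '$realm' (smb.conf) != default_realm '$default_realm' (krb5.conf)"; rc=1; }
    [ "$pwsrv" = "$kdc" ] ||
        { echo "password server '$pwsrv' (smb.conf) != kdc '$kdc' (krb5.conf)"; rc=1; }
    for db in passwd shadow group; do
        grep -Eq "^$db:.*[[:space:]]winbind"'([[:space:]]|$)' "$3" ||
            { echo "nsswitch.conf: '$db' does not consult winbind"; rc=1; }
    done
    return $rc
}

# Sample files built from the article's settings (abridged to the keys checked).
write_sample_configs() { # write_sample_configs DIR
    cat > "$1/smb.conf" <<'EOF'
  security = ads
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  password server = wins.example.com
  idmap uid = 10000-25000
  idmap gid = 10000-20000
  winbind use default domain = yes
  template shell = /bin/bash
#  template homedir = /home/%U
EOF
    cat > "$1/krb5.conf" <<'EOF'
[logging]
 kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = wins.example.com
  admin_server = wins.example.com
 }
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
EOF
}

GOOD=$(mktemp -d); write_sample_configs "$GOOD"
# A deliberately broken copy: lower-case realm and no winbind for "group".
BAD=$(mktemp -d); cp "$GOOD/krb5.conf" "$BAD/"
sed 's/^  realm = .*/  realm = example.com/' "$GOOD/smb.conf" > "$BAD/smb.conf"
sed 's/^group:.*/group:      files/' "$GOOD/nsswitch.conf" > "$BAD/nsswitch.conf"

check_member_config "$GOOD/smb.conf" "$GOOD/krb5.conf" "$GOOD/nsswitch.conf" && echo "article config: consistent"
check_member_config "$BAD/smb.conf" "$BAD/krb5.conf" "$BAD/nsswitch.conf" || echo "broken copy: rejected"
```

The realm check is deliberately strict: Kerberos compares realm names case-sensitively, so a lower-case realm in smb.conf never matches the upper-case realm that an AD KDC issues tickets for, even when everything else is correct.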

Starting the Services

Start the samba service first:

service smb start

Then start the winbind service:

service winbind start

Joining the Windows Domain

[root@demo ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'DEMO' to dns domain 'example.com'
No DNS domain configured for demo. Unable to perform DNS Update.
DNS update failed!

If an error occurs, first try synchronizing the time with the AD server:

net time set -I wins.example.com
net ads join -U administrator

Testing the Services

Confirm the connection to the AD server

[root@demo etc]# net ads info
LDAP server: 192.168.56.5
LDAP server name: wins.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 28 Oct 2014 13:57:05 CST
KDC server: 192.168.56.5
Server time offset: 0
[root@demo etc]# net ads testjoin
Join is OK

List the users and groups on the AD server

[root@demo etc]# wbinfo -u
EXAMPLE\administrator
EXAMPLE\guest
EXAMPLE\krbtgt
EXAMPLE\test
EXAMPLE\aduser1
EXAMPLE\aduser2

[root@demo etc]# wbinfo -g
EXAMPLE\domain computers
EXAMPLE\domain controllers
EXAMPLE\schema admins
EXAMPLE\enterprise admins
EXAMPLE\cert publishers
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\domain guests
EXAMPLE\group policy creator owners
EXAMPLE\ras and ias servers
EXAMPLE\allowed rodc password replication group
EXAMPLE\denied rodc password replication group
EXAMPLE\read-only domain controllers
EXAMPLE\enterprise read-only domain controllers
EXAMPLE\dnsadmins
EXAMPLE\dnsupdateproxy
EXAMPLE\ts web access computers

Test user authentication

[root@demo ~]# id EXAMPLE\\aduser1
uid=16777216(EXAMPLE\aduser1) gid=16777222(EXAMPLE\domain users) groups=16777222(EXAMPLE\domain users),16777217(BUILTIN\users)

[root@demo ~]# ntlm_auth --username=EXAMPLE\\aduser1
password: 
NT_STATUS_OK: Success (0x0)
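Two things in the output above are worth checking rather than just reading. The "Server time offset" line from net ads info is the reason the time synchronisation step above cures some join failures: Kerberos rejects requests whose timestamp is further from the KDC's clock than the permitted skew (300 seconds by default, the clockskew setting in krb5.conf). And the uid that id reports for a domain user can be compared with the idmap uid range set in smb.conf. The script below is an added example, not part of the original article; the sample outputs it uses are constructed copies of the article's own net ads info and id output, and the 10000-25000 range is the one from the smb.conf above.

```shell
#!/bin/sh
# Added example (not part of the original article): two checks on the
# output shown above.  check_clock_skew reads the "Server time offset" line
# of "net ads info" and compares it with the Kerberos clock-skew limit.
# check_idmap_range compares the uid that "id" reports for a domain user
# with the "idmap uid" range configured in smb.conf.  The sample outputs
# are constructed copies of the article's own; on a live member server use:
#   net ads info | check_clock_skew
#   id 'EXAMPLE\aduser1' | check_idmap_range 10000-25000

MAX_SKEW=300   # seconds; the Kerberos default clock skew

# Reads "net ads info" output on stdin.  Returns 0 when within MAX_SKEW,
# 1 when the clocks differ too much, 2 when no offset line was present.
check_clock_skew() {
    offset=$(sed -n 's/^Server time offset:[[:space:]]*//p' | head -n 1)
    [ -n "$offset" ] || { echo "no 'Server time offset' line: DC unreachable?"; return 2; }
    abs=${offset#-}
    if [ "$abs" -gt "$MAX_SKEW" ]; then
        echo "clock is ${offset}s off the DC (limit ${MAX_SKEW}s): sync time before joining"
        return 1
    fi
    echo "clock offset ${offset}s: within Kerberos skew"
}

# Reads one line of "id" output on stdin.  Returns 0 when the uid lies in
# LO-HI, 1 when it does not, 2 when no uid could be parsed.
check_idmap_range() {   # check_idmap_range LO-HI
    lo=${1%%-*}; hi=${1##*-}
    uid=$(sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p' | head -n 1)
    [ -n "$uid" ] || { echo "no uid in input: is the user resolvable through winbind?"; return 2; }
    if [ "$uid" -lt "$lo" ] || [ "$uid" -gt "$hi" ]; then
        echo "uid $uid is outside idmap uid = $1: the smb.conf idmap range did not produce this mapping"
        return 1
    fi
    echo "uid $uid is inside idmap uid = $1"
}

# Constructed copies of the article's own command output.
NET_ADS_INFO='LDAP server: 192.168.56.5
LDAP server name: wins.example.com
Realm: EXAMPLE.COM
KDC server: 192.168.56.5
Server time offset: 0'
ID_OUTPUT='uid=16777216(EXAMPLE\aduser1) gid=16777222(EXAMPLE\domain users) groups=16777222(EXAMPLE\domain users),16777217(BUILTIN\users)'

printf '%s\n' "$NET_ADS_INFO" | check_clock_skew
printf 'Server time offset: -412\n' | check_clock_skew || :
printf '%s\n' "$ID_OUTPUT" | check_idmap_range 10000-25000 || :
```

Run against the article's own id output, the second check reports uid 16777216 as outside 10000-25000. Samba 3.6 documents idmap uid and idmap gid as deprecated in favour of idmap config * : range, so it is worth confirming with testparm which range is actually in effect before relying on stable, non-colliding ids for domain users. One further point on the join step: the account used with net ads join -U only needs the right to create the computer object in the target OU; it does not have to be the domain Administrator.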