先配置Linux与AD服务时间同步(偏差5分钟以内):Kerberos默认拒绝时钟偏差超过5分钟的票据,建议用ntpd/ntpdate直接与域控制器同步,否则后面的加域和登录都会失败。
安装相关软件:
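# Install the winbind package and enable winbindd at boot.
# rpm -i does no dependency resolution and, with a bare local .rpm, no repo-level
# signature policy applies; run "rpm -K <file>" (or use yum from a trusted repo)
# before installing.
rpm -ihv samba-winbind-3.5.10-114.el6.x86_64.rpm
chkconfig winbind on
# The init script is named "winbind" (the original "winbuild" was a typo).
# NOTE(review): winbindd only becomes useful after the domain join (step 1 /
# "Join Domain" below); restart it once the join has succeeded.
/etc/init.d/winbind start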
pam_winbind.so模块一般用于混合/集中式认证环境中的用户认证。使用Samba(winbind)验证AD用户,允许AD用户登录到Linux,步骤如下:
1、先把Samba加入到AD域中
2、在smb.conf中添加一行,让登录进来的用户使用bash
template shell = /bin/bash
3、运行authconfig,在验证中选择 使用smb验证
如果命令行的语言设置不兼容的话,这个命令的输出可能是乱码。为了避免这样的问题出现,你可以在命令之前加上一段字符串 LANG=C
----------通过工具进行配置
#LANG=C authconfig-tui
Use Winbind
Use Kerberos
Use Winbind Authentication
配置Kerberos
Realm: TESTAD.COM
KDC: devad.testad.com:88
Admin Server: devad.testad.com:749
配置winbind
Security Model: ads
Domain: TESTAD
Domain Controllers: devad.testad.com
ADS Realm: TESTAD.COM
Template Shell: /bin/bash
选择加入域:Join Domain
(需要输入一个有权将计算机加入域的AD帐号及其密码;按最小权限原则,使用被委派"加入计算机"权限的帐号即可,不必用Domain Admins。该密码只在加域时使用,本机保存的是机器帐号的密钥)
----------直接修改配置方式
vi /etc/nsswitch.conf
# Name resolution order: local files first, then winbind. A local entry with
# the same name as an AD user wins, so keep local account names disjoint
# from domain account names.
passwd: files winbind
shadow: files winbind
group: files winbind
#vi /etc/krb5.conf
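# /etc/krb5.conf - Kerberos client configuration for the TESTAD.COM AD realm.
# Read by libkrb5 (pam_krb5, net ads join). Comments are full lines only.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TESTAD.COM
# Realm and KDC are pinned in [realms] below instead of being discovered via
# DNS SRV records, so a spoofed DNS answer cannot redirect authentication.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
# NOTE(review): forwardable tickets allow credential delegation to any service
# the user authenticates to. Keep true only if delegation (e.g. SSH GSSAPI
# credential forwarding) is actually required; otherwise set false.
forwardable = true

[realms]
# Only the AD realm is defined; the stock EXAMPLE.COM placeholder block that
# authconfig leaves behind has been removed so it cannot be matched by mistake.
TESTAD.COM = {
kdc = devad.testad.com:88
# kadmin listens on 749, matching the "Admin Server" value entered in
# authconfig-tui; the port previously written here (794) was a typo.
admin_server = devad.testad.com:749
}

[domain_realm]
testad.com = TESTAD.COM
.testad.com = TESTAD.COM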
vim /etc/samba/smb.conf
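# /etc/samba/smb.conf - AD domain member / winbind configuration (Samba 3.5.x).
# smb.conf only recognises '#' and ';' at the start of a line; anything after a
# value on the same line becomes part of the value, so every note is on its own line.
[global]
# NetBIOS (short) domain name
workgroup = TESTAD
# Kerberos realm of the AD domain
realm = TESTAD.COM
# Domain controller. Use the DC's FQDN: with security = ads the Kerberos
# service ticket is requested for this name, and a bare IP is unreliable.
password server = devad.testad.com
# must be ads for Kerberos-based domain membership
security = ads
# never send cleartext passwords on the wire
encrypt passwords = yes
# socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# UID/GID range winbind allocates to domain users and groups; keep it disjoint
# from the IDs in local /etc/passwd and /etc/group.
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
# Home directory reported through NSS. With "winbind use default domain" below,
# %U is the bare AD user name. NOTE(review): the author could not confirm
# /homes vs /home; it must match the directory the autofs map mounts.
template homedir = /homes/%U
# Drop the DOMAIN<separator> prefix so users log in as "user" rather than
# "TESTAD/user". CAUTION: a local account with the same name as an AD user
# takes precedence (nsswitch lists files before winbind).
winbind use default domain = true
# Allow logon with cached credentials when the DC is unreachable (paired with
# pam_winbind's cached_login). Cached credential hashes are then stored on
# local disk; leave this off on machines that are not physically secured.
winbind offline logon = true
winbind separator = /
# Enumeration lets any local shell list every domain user/group via getent and
# is slow on large domains; set to no unless tooling really needs it.
winbind enum users = yes
winbind enum groups = yes
# %v advertises the exact Samba version to every client; consider a static string.
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
load printers = yes
cups options = raw
passdb backend = tdbsam

# NOTE(review): a share section without "path" exports /tmp by default. If a
# per-user home share is intended, the special section is [homes] (plural),
# restricted with e.g. valid users = %D/%U.
[home]

[printers]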
Samba访问用户
valid users = %U或 %D/%U或TESTAD.COM/%U
4、编辑system-auth文件,更改成如下(做完步骤3,会自动修改)
vi /etc/pam.d/system-auth
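#%PAM-1.0
# /etc/pam.d/system-auth as written by authconfig after "Use Winbind" and
# "Use Kerberos" are selected (step 3). Hand edits are lost on the next run.
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
# nullok lets a local account with an empty password field log in; remove it
# unless passwordless local accounts are deliberately allowed.
auth sufficient pam_unix.so nullok try_first_pass
# System accounts (uid < 500) stop here: they must authenticate via pam_unix
# above and never fall through to the network backends.
auth requisite pam_succeed_if.so uid >= 500 quiet
# AD users: Kerberos first, then pam_winbind (via winbindd) as fallback.
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_krb5.so
account sufficient pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
# cached_login: use locally cached credentials when the DC is unreachable;
# requires "winbind offline logon = yes" in smb.conf.
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# Automatic home-directory creation is intentionally left off because home
# directories come from NFS via autofs. If it is ever enabled, the option is
# spelled "skel=", not "skell=".
#session optional pam_oddjob_mkhomedir.so skel=/etc/skel
#session sufficient pam_mkhomedir.so skel=/etc/skel
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so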
AD用户登录自动挂载NFS共享家目录(关闭自动创建目录功能pam_mkhomedir.so):
配置NFS共享:
# /etc/exports on the NFS server. Only the last line is active; the two
# commented variants are kept for reference.
#/home 10.100.1.201(rw,all_squash,insecure,sync)
# NEVER enable the next line: all_squash with anonuid=0/anongid=0 maps every
# client access, including unprivileged users, to root on the server.
#/home 10.100.1.201(rw,anonuid=0,anongid=0,insecure,sync)
# no_all_squash keeps the client's UIDs (presumably both sides use the same
# winbind idmap range - confirm); root_squash still applies by default.
# "insecure" accepts requests from source ports above 1023; keep it only if a
# client actually needs it. NOTE(review): 10.100.1.201 is listed here as the
# client but appears as the NFS server in the autofs map, and the export is
# /home while the map mounts /rhome - confirm which host and path are correct.
/home 10.100.1.201(rw,no_all_squash,insecure,sync)
配置autofs
vi /etc/auto.master
# Indirect map: each AD user's home is mounted on demand under /home/TESTAD/<user>.
# NOTE(review): smb.conf sets "template homedir = /homes/%U" with
# "winbind use default domain = true", so winbind reports /homes/<user>, not
# /home/TESTAD/<user>; align one side with the other or logins will land in a
# directory that is never mounted.
/home/TESTAD /etc/auto.ldap
vi /etc/auto.ldap
# Wildcard key: mounts <server>:/rhome/<user> as /home/TESTAD/<user>.
# soft returns I/O errors instead of blocking when the server is unreachable,
# which can silently lose writes to home directories; hard is safer for data.
# No sec= option, so this is AUTH_SYS: the server simply trusts the UIDs the
# client presents.
* -fstype=nfs,rw,soft,intr 10.100.1.201:/rhome/&
# No space between the ':' and /rhome.