環境: centos 5.5 x64

安裝套件

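# krb5-workstation provides kinit/klist, which are what you use to verify that
# the AD KDC answers for SSORC.TW. krb5-server ships a LOCAL MIT KDC
# (krb5kdc/kadmind) -- an AD domain member does not need one, because the
# domain controllers are the KDCs. Keep it only if you really run a local
# realm, and never start krb5kdc for a realm that AD already serves.
yum install krb5-server krb5-workstation samba3x samba3x-winbind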

samba的設定

# smb.conf -- Samba 3.x acting as an AD domain member (security = ADS).
[global]
workgroup = SSORC
realm = SSORC.TW
netbios name = LOGINSERVER
server string = Samba Server Version %v
# Authenticate users with Kerberos against the domain controllers listed below.
security = ADS
# Explicit DC list (no DNS/SRV discovery); the second entry is the fail-over.
password server = dc1.ssorc.tw dc2.ssorc.tw
# Holds only local Samba accounts; it is not consulted for domain users.
passdb backend = tdbsam
log file = /var/log/samba/log.%m
max log size = 50
# Wrap the LDAP connection to AD in TLS. Whether the DC certificate is actually
# verified is decided by the OpenLDAP client config (/etc/openldap/ldap.conf,
# TLS_REQCERT) -- check that file; "never" there silently disables verification.
ldap ssl ads = Yes
# Fixed SID -> uid/gid range; keep it disjoint from local accounts. Allocations
# live in winbind's idmap tdb -- losing that file can renumber users.
idmap uid = 16777000-33550000
idmap gid = 16777000-33550000
# %U is the bare user name (no DOMAIN\ prefix, see "winbind use default domain").
template homedir = /home/%U
template shell = /bin/bash
# Needed for wbinfo -u / getent to list the whole domain. Expensive on large
# domains and exposes the full user/group list to any local user; set to No in
# production unless enumeration is really required.
winbind enum users = Yes
winbind enum groups = Yes
# Domain users appear as "user", not "SSORC\user". nsswitch is "files winbind",
# so a local account with the same name silently wins -- avoid name collisions
# between /etc/passwd and AD.
winbind use default domain = Yes
inherit permissions = Yes
# No Windows ACL editing on shares; access control is POSIX mode bits only.
nt acl support = No
cups options = raw

[homes]
comment = Home Directories
read only = No
# Hidden from share browsing; each user still reaches their own home directory.
browseable = No

編輯 /etc/krb5.conf

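[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SSORC.TW
# DNS discovery is off, so every realm in use must be spelled out in [realms]
# below, and the realm name there must match exactly (case matters).
dns_lookup_realm = false
dns_lookup_kdc = false
# Requested lifetime only; the KDC enforces its own maximum (AD's default domain
# policy is 10h, so expect shorter tickets than asked for).
ticket_lifetime = 24h
# Forwardable TGTs let a host the user logs into (e.g. ssh with credential
# delegation) act as that user against other services. Convenient for SSO, but
# it widens the blast radius of a compromised host; set to no unless
# delegation is actually needed.
forwardable = yes

[realms]
# Was "WIS.LOCAL = { ... }" -- a realm nothing else in this file references.
# With DNS lookup disabled that left SSORC.TW with no KDC entry at all. The
# block must be keyed by the realm the AD domain actually uses.
SSORC.TW = {
kdc = dc1.ssorc.tw:88
kdc = dc2.ssorc.tw:88
# AD does not run an MIT kadmind; this entry is inert for an AD realm and is
# kept only for tools that insist on one being present.
admin_server = dc1.ssorc.tw:749
default_domain = ssorc.tw
}

[domain_realm]
.ssorc.tw = SSORC.TW
ssorc.tw = SSORC.TW

[appdefaults]
# Read by pam_krb5 only. Logins in this setup go through pam_winbind, so this
# block has no effect unless pam_krb5 is also enabled.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}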

編輯 /var/kerberos/krb5kdc/kdc.conf

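# kdc.conf configures a LOCAL MIT KDC (krb5kdc). Nothing in an AD domain join
# uses it -- the domain controllers are the KDCs for SSORC.TW. Do not start
# krb5kdc/kadmin on this host; a second KDC claiming the AD realm only invites
# confusion. If the file is kept at all, keep it hardened.
[kdcdefaults]
# No Kerberos v4 compatibility. "nopreauth" (the stock template value) would
# answer v4 requests without preauthentication.
v4_mode = none
kdc_tcp_ports = 88

[realms]
SSORC.TW = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# Single-DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1) and the v4/afs3 salt
# types are dropped: 56-bit DES is brute-forceable. AES is preferred; des3 and
# arcfour are kept only for older Windows/Samba clients.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
}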

編輯 /etc/openldap/ldap.conf。注意：smb.conf 已設定 ldap ssl ads = Yes，所以 Samba 對 AD 的 LDAP 連線「確實」走 TLS，這個檔就是決定 DC 憑證是否被驗證的地方；若真的沒有用 TLS，TLS_REQCERT 根本不會生效。只留 TLS_REQCERT never 等於關閉憑證驗證（路徑上的中間人無法被偵測），應優先改為以 AD 的 CA 憑證做驗證：

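# Read by the OpenLDAP client library, which Samba uses for its LDAP connection
# to AD ("ldap ssl ads = Yes" in smb.conf wraps that connection in TLS).
# "TLS_REQCERT never" accepts ANY certificate -- an attacker on the path between
# this host and the DC could impersonate it unnoticed. Verify the DC certificate
# against the AD CA instead: export the CA chain as PEM and adjust the path.
TLS_CACERT /etc/openldap/cacerts/ad-root-ca.pem
TLS_REQCERT demand
# Fallback only if no CA certificate can be obtained. It disables server
# authentication on the LDAP leg -- document the risk if you have to use it.
# TLS_REQCERT never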

讓系統使用winbind,執行 authconfig-tui
選擇 Use Winbind 與 Use Winbind Authentication

啟動 samba 與 winbind（winbind 需要 net ads join 寫入的機器帳號才能連上 DC；若在加入網域之前就啟動它，加入成功後請重新啟動 winbind）

# Bring up the file server and winbind (winbindd resolves and authenticates
# domain accounts for Samba as well as for PAM/NSS).
for daemon in smb winbind; do
    service "$daemon" start
done

記得設定開機啟動

# Register both services for the default runlevels so they survive a reboot.
for daemon in smb winbind; do
    chkconfig "$daemon" on
done

驛證測試可否向 AD 的 KDC 取得票證（原文此處漏列指令，一般是 kinit <網域帳號>@SSORC.TW；realm SSORC.TW 一定要大寫，須與 krb5.conf 的 [realms] 區塊名稱一致）。沒有錯誤訊息即為 OK，可再用 klist 確認 TGT 已取得

加入 AD 網域（是加入網域，不是群組；成功時會顯示類似 Joined 'LOGINSERVER' to realm SSORC.TW 的訊息，主機名稱即 smb.conf 的 netbios name）

# Creates (or resets) this host's computer account in AD and stores the machine
# password in /etc/samba/secrets.tdb -- keep that file root-only.
# Least privilege: Domain Admins is not required for a join. Use an account that
# has been delegated "Create computer objects" on the target OU; Samba 3.x also
# accepts createcomputer=<OU> to place the object outside CN=Computers.
# The password prompt is interactive -- do not put it on the command line
# (-U user%pass), where it lands in shell history and the process list.
net ads join -U administrator

雖然 authconfig-tui 讓 /etc/nsswitch.conf 設定了 files winbind

/etc/pam.d/system-auth 檔也有相關 winbind 的設定

但用 ssh 卻無法登入（注意：sshd 讀的是 /etc/pam.d/sshd，CentOS 5 上它 include system-auth；/etc/pam.d/login 只管主控台登入。若下面改 login 檔後 ssh 就能登入，請先確認到底是哪一個 PAM 堆疊真正生效）

所以還要加入

vi /etc/pam.d/login

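# /etc/pam.d/login -- winbind hooks for domain users.
# NOTE(review): sshd consults /etc/pam.d/sshd (which includes system-auth on
# CentOS 5), not this file. Placement within each stack matters; compare with
# the pam_winbind lines authconfig writes into system-auth, and keep the
# trailing "required pam_deny.so" of each stack so an all-fail cannot fall
# through to success.
auth            sufficient    pam_winbind.so
account         sufficient    pam_winbind.so
# Without use_authtok pam_winbind prompts for a fresh password, bypassing the
# strength check done earlier by pam_cracklib -- add it if that check matters.
password        sufficient    pam_winbind.so
# pam_winbind does no real session work. "sufficient" here would end the
# session stack as soon as it succeeds and skip every module after it (e.g.
# pam_mkhomedir, pam_limits). "optional" is what authconfig itself writes.
session         optional      pam_winbind.so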

到這邊登入ssh時,會有錯誤訊息是沒有家目錄產生 (雖然無礙登入操作)

所以

vi /etc/pam.d/system-auth

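# Create the home directory on first login. umask=0022 would leave /home/<user>
# at mode 0755 -- readable by every other local and domain user. 0077 yields
# 0700: only the owner gets in. The line must actually be reached: no earlier
# "sufficient" session module may end the stack before it. With "required",
# login fails if the directory cannot be created (e.g. /home not writable).
session required pam_mkhomedir.so skel=/etc/skel umask=0077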

這樣就可在第一次登入時自動產生家目錄了

成功加入AD後,可以測試

列出 AD 帳號: wbinfo -u（需要 winbind enum users = Yes；建議先用 wbinfo -t 確認本機與 DC 之間的機器帳號信任正常）

查看目前連到哪台 DC（LDAP server、realm、bind path、伺服器時間與時差等；Kerberos 對時間差很敏感，時差過大會導致認證失敗）: net ads info

查看本機在 AD 中的電腦帳號物件（以網域帳號 cross 認證，印出此主機 LDAP 物件的屬性）: net ads status -U cross

以上

 
