Environment: CentOS 5.5 x64

Install the packages

yum install krb5-server samba3x samba3x-winbind

Samba configuration

[global]
        workgroup = SSORC
        realm = SSORC.TW
        netbios name = LOGINSERVER
        server string = Samba Server Version %v
        security = ADS
        password server = dc1.ssorc.tw dc2.ssorc.tw
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        ldap ssl ads = Yes
        idmap uid = 16777000-33550000
        idmap gid = 16777000-33550000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        inherit permissions = Yes
        nt acl support = No
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        browseable = No

Edit /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SSORC.TW
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SSORC.TW = {
  kdc = dc1.ssorc.tw:88
  kdc = dc2.ssorc.tw:88
  admin_server = dc1.ssorc.tw:749
  default_domain = ssorc.tw
 }

[domain_realm]
 .ssorc.tw = SSORC.TW
 ssorc.tw = SSORC.TW

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Edit /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 SSORC.TW = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

Edit /etc/openldap/ldap.conf so that it contains only the following line (this turns off LDAP server certificate checking, which is why it only applies when the connection is not using TLS):

TLS_REQCERT never

Make the system use winbind: run authconfig-tui
and select Use Winbind and Use Winbind Authentication.

Start Samba and winbind

service smb start
service winbind start

Remember to enable them at boot

chkconfig smb on
chkconfig winbind on

Verify that you can connect to AD (SSORC.TW must be in uppercase) (OK means no error message is printed)

Join the AD domain (OK means it prints: joined sambahost to realm SSORC.TW)

net ads join -U administrator
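Before running kinit or net ads join, it is worth checking that smb.conf and krb5.conf agree on the realm and that krb5.conf actually has a [realms] stanza for it; a stanza named for some other realm leaves the join with no KDC to talk to. The script below is an added example, not part of the original post; it writes constructed sample files (with placeholder hostnames) rather than touching the real configs.

```shell
#!/bin/sh
# Added example, not from the original post: check that the realm used by
# smb.conf ("realm =") and krb5.conf ("default_realm =") agree, and that
# krb5.conf defines that realm under [realms]. A stanza for a different
# realm (e.g. WIS.LOCAL while default_realm is SSORC.TW) means kinit and
# "net ads join" have no KDC entry for the realm they are asked to use.

# Print the value of the first "key = value" line in a file ($1=file, $2=key).
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 only if $1 (krb5.conf) and $2 (smb.conf) name the same realm and
# krb5.conf has a "<REALM> = {" stanza inside its [realms] section.
check_ad_realm() {
  krb5_realm=$(conf_value "$1" default_realm)
  smb_realm=$(conf_value "$2" realm)
  if [ -z "$krb5_realm" ] || [ "$krb5_realm" != "$smb_realm" ]; then
    echo "realm mismatch: krb5.conf='$krb5_realm' smb.conf='$smb_realm'"
    return 1
  fi
  # Track which section we are in; only count a stanza found under [realms].
  if ! awk -v r="$krb5_realm" '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/) }
        in_realms && $1 == r && $2 == "=" && $3 == "{" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"; then
    echo "krb5.conf has no [realms] stanza for $krb5_realm"
    return 1
  fi
  echo "ok: both files use realm $krb5_realm and a KDC stanza exists"
  return 0
}

# Constructed sample files (placeholder hosts, not real ones) that mirror the
# post's configs: one krb5.conf with the wrong stanza name, one corrected.
write_samples() {
  d=$(mktemp -d)
  printf '[global]\n\trealm = SSORC.TW\n\tsecurity = ADS\n' > "$d/smb.conf"
  printf '[libdefaults]\n default_realm = SSORC.TW\n[realms]\n WIS.LOCAL = {\n  kdc = dc1.example.invalid:88\n }\n' > "$d/krb5-bad.conf"
  printf '[libdefaults]\n default_realm = SSORC.TW\n[realms]\n SSORC.TW = {\n  kdc = dc1.example.invalid:88\n }\n' > "$d/krb5-good.conf"
  echo "$d"
}
```

Run it as `d=$(write_samples); check_ad_realm "$d/krb5-bad.conf" "$d/smb.conf"` to see the failure, then with krb5-good.conf to see it pass; on a real host pass /etc/krb5.conf and /etc/samba/smb.conf instead.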

Although authconfig-tui set "files winbind" in /etc/nsswitch.conf, and /etc/pam.d/system-auth also contains the winbind entries, logging in over ssh still failed.

So the following also has to be added:

vi /etc/pam.d/login

auth            sufficient    pam_winbind.so
account         sufficient    pam_winbind.so
password        sufficient    pam_winbind.so
session         sufficient    pam_winbind.so

At this point, logging in over ssh gives an error that no home directory was created (although this does not prevent the login from working).

So:

vi /etc/pam.d/system-auth

session required pam_mkhomedir.so skel=/etc/skel umask=0022

With this, the home directory is created automatically on first login.

After joining AD successfully, you can test:

List AD accounts: wbinfo -u

Show local and AD account information: net ads info

Show account information: net ads status -U cross

That's all.

Last modified: 26 March 2011
