環境: centos 5.5 x64
安裝套件
# Samba 3.x on CentOS 5 is packaged as samba3x (+ samba3x-winbind for the AD bridge).
# NOTE(review): kinit, used further down, ships in krb5-workstation, which is not in
# this list, while krb5-server installs a KDC a domain member does not need —
# confirm the intended package set.
yum install krb5-server samba3x samba3x-winbind
samba的設定
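# Samba configuration (smb.conf) for a Samba 3.x member server of the SSORC.TW
# Active Directory realm. The [homes] header, which was fused onto the
# "cups options" line, is restored as its own section.
[global]
workgroup = SSORC
realm = SSORC.TW
netbios name = LOGINSERVER
server string = Samba Server Version %v
# Kerberos/AD authentication; the listed domain controllers verify logons.
security = ADS
password server = dc1.ssorc.tw dc2.ssorc.tw
passdb backend = tdbsam
# %m is the client NetBIOS name, so one log per client; max log size is in KB.
log file = /var/log/samba/log.%m
max log size = 50
ldap ssl ads = Yes
# Fixed uid/gid range for SIDs mapped by winbind; keep it clear of local ids.
idmap uid = 16777000-33550000
idmap gid = 16777000-33550000
# %U is the session user name: domain users get /home/<user> and bash.
template homedir = /home/%U
template shell = /bin/bash
# Full user/group enumeration is only needed for getent-style listings and
# can be slow on large domains.
winbind enum users = Yes
winbind enum groups = Yes
# Domain users log in without the SSORC\ prefix; under the files-then-winbind
# nsswitch order a local account of the same name wins the lookup.
winbind use default domain = Yes
inherit permissions = Yes
nt acl support = No
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No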
編輯 /etc/krb5.conf
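# /etc/krb5.conf — Kerberos client settings for the SSORC.TW AD realm.
# Section headers were fused onto the preceding value lines in the original
# listing and are restored here. The [realms] block was named WIS.LOCAL, which
# nothing else referenced; with dns_lookup_kdc = false the KDCs are found only
# through [realms], so the block must carry the default_realm name, SSORC.TW.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SSORC.TW
# DNS SRV lookups are off: realm and KDC addresses come from the sections below.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
# Forwardable TGTs can be delegated by clients; keep only if delegation is needed.
forwardable = yes

[realms]
SSORC.TW = {
  kdc = dc1.ssorc.tw:88
  kdc = dc2.ssorc.tw:88
  admin_server = dc1.ssorc.tw:749
  default_domain = ssorc.tw
}

[domain_realm]
.ssorc.tw = SSORC.TW
ssorc.tw = SSORC.TW

[appdefaults]
pam = {
  debug = false
  # presumably seconds (10 h); [libdefaults] uses the 24h form — verify units
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}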
編輯 /var/kerberos/krb5kdc/kdc.conf
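# /var/kerberos/krb5kdc/kdc.conf — settings for the local KDC from krb5-server.
# The [realms] header was fused onto the kdc_tcp_ports line and is restored here.
# NOTE(review): this host authenticates against the AD domain controllers, so a
# local KDC for SSORC.TW is not needed for the winbind setup — confirm whether
# krb5kdc is meant to run here at all.
[kdcdefaults]
# Kerberos v4 compatibility (legacy)
v4_mode = nopreauth
kdc_tcp_ports = 88

[realms]
SSORC.TW = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # The single-DES (des-*), v4 and afs3 entries are legacy cipher types kept
  # for old clients; remove them once nothing depends on them.
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}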
編輯 /etc/openldap/ldap.conf 全部只留一行,假如連線過程沒有使用TLS的話
# /etc/openldap/ldap.conf reduced to this single line.
# "never" skips verification of the LDAP server certificate: the session is
# still encrypted when TLS is used, but a spoofed server would go unnoticed.
# If TLS is in use, prefer TLS_REQCERT demand together with a TLS_CACERT that
# points at the domain CA certificate.
TLS_REQCERT never
讓系統使用winbind,執行 authconfig-tui
選擇 Use Winbind 與 Use Winbind Authentication
啟動samba與 winbind
# Start Samba and the winbind daemon that serves AD users and groups to NSS/PAM.
service smb start
service winbind start
記得設定開機啟動
# Enable both services at boot.
chkconfig smb on
chkconfig winbind on
驗證測試可否連線AD (SSORC.TW要大寫) (OK即無錯誤訊息)
# Obtain a Kerberos TGT from AD to verify realm/KDC settings. The principal on this
# page was mangled by the site's e-mail obfuscation; it has the form
# <user>@SSORC.TW (realm in upper case). Silent return means success; klist
# shows the ticket.
kinit [email protected]
加入AD群組 (OK即顯示 joined sambahost to realm SSORC.TW)
# Join the machine to the AD domain; prompts for the password of the
# "administrator" account used for the join.
net ads join -U administrator
雖然authconfig-tui 讓 /etc/nsswitch.conf 設定了 files winbind
/etc/pam.d/system-auth 檔也有相關winbind的設定
但用ssh卻無法登入
所以還要加入
vi /etc/pam.d/login
# Lines added to /etc/pam.d/login so that winbind (AD) accounts can log in.
# "sufficient": a success from pam_winbind ends that stack right away and the
# modules after it are not consulted; a failure just falls through to them.
# NOTE(review): on CentOS 5 sshd uses /etc/pam.d/sshd, which includes
# system-auth rather than login — confirm which file actually needed the change.
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so
session sufficient pam_winbind.so
到這邊登入ssh時,會有錯誤訊息是沒有家目錄產生 (雖然無礙登入操作)
所以
vi /etc/pam.d/system-auth
# Creates the home directory on first login, populated from /etc/skel.
# umask=0022 makes the new home world-readable (mode 0755); use umask=0077 if
# other domain users must not be able to read it.
session required pam_mkhomedir.so skel=/etc/skel umask=0022
這樣就可在第一次登入時自動產生家目錄了
成功加入AD後,可以測試
取得AD帳號: wbinfo -u
取得本機與AD帳號資訊: net ads info
取得帳號資訊: net ads status -U cross
以上