Linux 輕鬆上手 架設 CentOS 6.4 DNS+FTP –(八)、補充VSFTP AD整合
CentOS-6.4 加入Windows 2008 R2 網域
1.利用下列指令安裝所需要的套件,利用yum 也會將相關套件一併安裝上去
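# Install everything in one yum transaction so dependencies are resolved together.
#   samba / samba-winbind : AD join (`net`), winbindd, NSS + PAM modules
#   krb5-workstation      : kinit/klist, used below to verify the realm config
#   krb5-server           : KDC daemons (krb5kdc, kadmind) and kdc.conf. It is NOT
#                           needed to join an AD domain (the DC is the KDC); it is kept
#                           only because a later step edits kdc.conf. Never start
#                           krb5kdc/kadmin on this host.
yum install samba krb5-server krb5-workstation samba-winbind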
網域相關資訊
DC :
ip : 192.168.100.240
hostname : dc-srv3
網域 : ABC.com.tw
CentOS 6.4
ip : (CentOS 主機自己的 IP,須與 DC 的 192.168.100.240 不同)
hostname : Centos
步驟 :
修改 /etc/sysconfig/network 檔案中的 HOSTNAME 為Centos
修改 /etc/samba/smb.conf (直接在global部分新增即可)
workgroup = ABC (大寫)
server string = (描述)
realm = ABC.COM.TW (完整網域名稱)
netbios name =centos (Linux 主機名稱)
security = ads ( 設定為ads 表示帳號認證交給DC)
password server = dc-srv3.ABC.com.tw (密碼伺服器指的就是DC主機;名稱需與 /etc/hosts 及 krb5.conf 中的 DC 名稱一致。若 DNS 已能正確解析網域與 DC,此行可省略,security = ads 模式下 Samba 會自行尋找 DC)
encrypt passwords = yes (以 NTLM 雜湊而非明文傳遞密碼;Samba 3 以後預設已是 yes,在 security = ads 模式下不需特別設定)
idmap uid = 16777000-33550000
idmap gid = 16777000-33550000 (AD 帳號的 UID/GID 會在此範圍內由 winbind 配發;未指定 idmap backend 時預設為本機 tdb,同一 AD 帳號在不同 Linux 主機可能拿到不同 UID。後面 login.defs 與 mkADhome.awk 的範圍都必須與此一致)
winbind enum users = yes
winbind enum groups = yes (參數名稱是複數 groups。enum users/groups 在大型網域會增加查詢負擔,但後面以 getent passwd 產生家目錄的步驟需要它)
winbind separator = +
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%D/%U
修改 /etc/hosts 檔案,讓 DC 的主機名稱能被解析(下面 krb5.conf 把 dns_lookup_kdc 設為 false,KDC 名稱必須能由 /etc/hosts 或 DNS 解析,否則 kinit 與加入網域都會失敗)
192.168.100.240 dc-srv3.ABC.com.tw dc-srv3 ABC.com.tw
修改 Kerberos 設定檔 /etc/krb5.conf (修改黑色粗體字部分)
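# /etc/krb5.conf — Kerberos client settings for the ABC.COM.TW AD realm.
# Realm names are case-sensitive; AD realms are always written upper-case.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ABC.COM.TW
 # DNS SRV lookups are disabled, so the KDC must be listed statically under
 # [realms] and its name must resolve via DNS or /etc/hosts.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 # Forwardable TGTs allow delegation (a service acting on the user's behalf);
 # set to false if this host never needs delegation.
 forwardable = true

[realms]
 ABC.COM.TW = {
  # The domain controller is the KDC. 88 is the Kerberos default; 749 is the
  # MIT kadmin port, which AD does not normally expose — harmless but unused.
  kdc = DC-SRV3.ABC.COM.TW:88
  admin_server = DC-SRV3.ABC.COM.TW:749
  default_domain = ABC.COM.TW
 }

[domain_realm]
 # Map the DNS domain to the realm. The original mapped example.com, which
 # left abc.com.tw hosts unmapped and forced fallback to default_realm.
 .abc.com.tw = ABC.COM.TW
 abc.com.tw = ABC.COM.TW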
修改 /var/kerberos/krb5kdc/kdc.conf (黑色粗體字改成網域名稱)。注意:此檔案只有本機執行 krb5kdc 服務時才會被讀取;加入 AD 網域時 KDC 是 Windows DC,並不需要此檔,可略過這一步。若保留,請勿在本機啟動 krb5kdc/kadmin 服務。
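# /var/kerberos/krb5kdc/kdc.conf — settings for a LOCAL MIT KDC (krb5kdc).
# Only read if this host runs its own KDC. In this setup the Windows DC is the
# KDC, so the file is not needed for the AD join and is shown only because the
# walkthrough edits it. If you keep it, do not advertise single-DES: it is
# broken and MIT krb5 rejects it by default (allow_weak_crypto = false).
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 ABC.COM.TW = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # AES first. des3 and arcfour are retained only for older clients (arcfour
  # is what legacy Windows uses); the des-* single-DES entries were removed.
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
 }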
將samba 服務啟動,並設定開機自動啟動該服務
# Register smb for start at boot, then bring it up now (the two are independent).
chkconfig smb on
service smb start
校正時間
# Kerberos rejects tickets when clocks differ by more than the KDC's allowed
# skew (5 minutes by default on AD), so sync against the DC before kinit/join.
# ntpdate is a one-off correction; configure ntpd against the DC for ongoing sync.
ntpdate 192.168.100.240
測試連線指令如下
# Sanity-check the realm configuration by obtaining a TGT. The realm part must be
# upper-case. Any domain user can kinit — a Domain Admin is not needed for this test.
kinit administrator@ABC.COM.TW
(administrator 是網域帳號,網域名稱 ABC.COM.TW 一定要大寫。實務上加入網域不必用 Administrator,建議使用一個只被委派「將電腦加入網域」權限的專用帳號,因為該密碼會在這台 Linux 主機上輸入)
下完此指令後會要輸入密碼,正確就直接回到命令提示字元
[root@Centos ~]# kinit administrator@ABC.COM.TW
Password for administrator@ABC.COM.TW:
[root@Centos ~]#
將linux 主機加入網域 指令如下
# Join via RPC/NTLM. Since smb.conf uses `security = ads`, the Kerberos-based
# `net ads join -U <user>` is the matching command (and can also write a keytab);
# either join works for winbind authentication. Prefer an account delegated only
# the "join computers to the domain" right over the built-in Administrator.
net rpc join -U administrator
===========================================
[root@Centos ~]# net rpc join -U administrator
Enter administrator’s password:
Joined domain ABC.
設定本機 UID 與 GID 發放範圍,避免 AD 帳號與 Linux 本機帳號衝突
# vi /etc/login.defs
UID_MIN 500
UID_MAX 9999 <- 改為9999
GID_MIN 500
GID_MAX 9999 <- 改為9999
上述即將centos 加入網域
加入網域時出現下列訊息,通常表示找不到 DC:先確認 /etc/hosts 或 DNS 能解析 DC 名稱、且前面的 kinit 已成功;若確認是防火牆造成,應只開放與 DC 溝通所需的連接埠,而不是長期關閉 iptables
暫時停止 iptables 可用來驗證是否為防火牆問題,測試完畢後務必重新啟用並加入正確規則
===========================================
[root@Centos ~]# net rpc join -U administrator
Unable to find a suitable server for domain ABC
Unable to find a suitable server for domain ABC
===========================================
利用winbind 服務取得ad帳號
執行authconfig-tui 並將 Use Winbind 與 Use Winbind Authentication 勾選
修改 vim /etc/nsswitch.conf
============================
# Resolve users and groups from local files first, then from AD via winbind.
passwd: files winbind
group: files winbind
# NOTE(review): nss_winbind does not appear to serve shadow entries, so this
# line is harmless but effectively only "files" applies; AD password checks go
# through pam_winbind, not NSS.
shadow: files winbind
============================
將winbind 服務啟動,並設定開機自動啟動該服務
# Register winbind for start at boot, then bring it up now (the two are independent).
chkconfig winbind on
service winbind start
取得 AD 帳號的指令
# List domain users through winbindd (requires the join to have succeeded and
# winbind to be running). With `winbind use default domain = yes` the names are
# returned without the ABC+ prefix, as in the output below.
wbinfo -u
[root@Centos ~]# wbinfo -u
administrator
guest
krbtgt
rli01
rlee01
sm_5ab0c1229c5a471ba
sm_aebbc4e2362a49bab
sm_c6e11dbebfb647b38
sm_eac96c4f1ed84b1a8
7fa
test
[root@Centos ~]#
建立主機(Linux Samba)使用者家目錄scripts:
當使用AD帳號登入時,可以找到自己所擁有的家目錄。
vi mkADhome.awk
=========================================================
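#!/bin/awk -f
# mkADhome.awk — create a home directory for every AD (winbind) account.
#
# Input : /etc/passwd-format lines, normally from `getent passwd` (FS=":").
#         $3 = uid, $4 = gid, $6 = home directory (from `template homedir`).
# Effect: mkdir -p + chown for every uid inside the winbind idmap range; local
#         accounts (outside the range) are skipped. Must run as root.
BEGIN {
    FS = ":"
    uidmin = 16777000          # must match `idmap uid` in smb.conf
    uidmax = 33550000
}

# Quote a string for the shell: wrap in single quotes, escape embedded ones.
# The home path is derived from AD account names, i.e. data this host does not
# control, so it is never spliced into a command line unquoted (the original
# passed $6 bare to system(), which lets a crafted name inject commands).
function shq(s) {
    gsub(/'/, "'\\''", s)
    return "'" s "'"
}

{
    # Skip entries with no home dir and anything outside the AD uid range.
    if ($6 == "" || ($3 + 0) < uidmin || ($3 + 0) > uidmax)
        next
    dir = shq($6)
    print " make directory " $6 " chown " $3 ":" $4 " " $6
    # -p: tolerate an existing dir; -m 0700 keeps the (final) home private to its
    # owner instead of the umask default. uid:gid — the "uid.gid" form is obsolete.
    rc = system("mkdir -p -m 0700 " dir " && chown " $3 ":" $4 " " dir)
    if (rc != 0)
        print "mkADhome: failed for " $6 " (exit " rc ")" > "/dev/stderr"
}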
=========================================================
產生AD使用者的家目錄
# Feed every passwd entry (local + winbind) to the script; it filters on the AD
# uid range itself. Run as root so mkdir/chown under /home succeed.
awk -f mkADhome.awk < <(getent passwd)
設定Linux本身系統登入使用AD驗證。
vi /etc/pam.d/system-auth (影響整台系統的登入) 或 vi /etc/pam.d/vsftpd (只讓 vsftpd 使用 AD 驗證)。若前面已用 authconfig-tui 勾選 Use Winbind Authentication,system-auth-ac 通常已自動加入等效設定,請先檢查避免重複加入。
=========================================================
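# Add these four lines. Ordering matters: place each winbind line AFTER the
# corresponding pam_unix.so line so local accounts (root included) are still
# checked locally first; if placed after pam_unix, the auth line can take
# use_first_pass to avoid a second password prompt. authconfig-tui with
# "Use Winbind Authentication" generates equivalent entries in system-auth-ac.
# Use the bare module name: PAM searches its own module directory, whereas
# /lib64/security/ hard-codes the 64-bit path and breaks on 32-bit installs.
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so
session sufficient pam_winbind.so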
=========================================================
測試AD帳號登入CentOS 主機
登入後,執行id 指令即可看到是網域身份