Prerequisites
Purpose
To let users managed in Windows Active Directory also log in to a Linux server.
Note: this article does not cover setting up the AD server itself.
Environment
- AD server: Windows Server 2008 R2
  - Fully qualified domain name (FQDN): wins.example.com
- Linux server: Oracle Linux 6.4 (64-bit)
  - Fully qualified domain name (FQDN): demo.example.com
Configure the Linux server's network
First disable SELinux and the iptables firewall.
Add the AD server to the hosts file
vi /etc/hosts
127.0.0.1       demo localhost localhost.localdomain
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.13   demo.example.com
192.168.56.5    wins.example.com
Edit resolv.conf
This is where the DNS server's address is configured. You can use Windows Server to set up a simple DNS server, or follow this document to build a DNS server on Linux.
vi /etc/resolv.conf
search example.com
nameserver 192.168.56.254
Restart the network service
service network restart
Install the required packages
Check the Winbind and Samba packages
[root@demo ~]# rpm -qa | grep samba
samba4-libs-4.0.0-55.el6.rc4.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
If the installed packages differ from the list above, install them with:
yum install samba-winbind ...
Winbind needs the following packages:
[root@demo ~]# rpm -qa | grep winbind
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
Once these packages are installed, the ntlm_auth command becomes available.
Configure the services
Configure smb.conf
Back up the original file, then add the following settings (they belong in the [global] section):
cp -p /etc/samba/smb.conf /etc/samba/smb.conf.orig
vim /etc/samba/smb.conf
# ---- Settings for Winbind ----
security = ads
workgroup = EXAMPLE
realm = EXAMPLE.COM
password server = wins.example.com
encrypt passwords = true
idmap uid = 10000-25000
idmap gid = 10000-20000
winbind use default domain = yes
winbind cache time = 90
# winbind nested groups = yes
template shell = /bin/bash
# template homedir = /home/%U
Edit nsswitch.conf
cp -p /etc/nsswitch.conf /etc/nsswitch.conf.orig
vi /etc/nsswitch.conf
#-----
passwd:     files winbind
shadow:     files winbind
group:      files winbind
Edit krb5.conf
cp -p /etc/krb5.conf /etc/krb5.conf.orig
vi /etc/krb5.conf
#-----
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = wins.example.com
  admin_server = wins.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
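The three files above have to agree with each other, and the idmap range must not overlap the uids of existing local accounts, otherwise a domain user and a local user end up owning each other's files. The script below is an added example (not code from the original article) that checks those points without touching the live system: it reads the realm from smb.conf and krb5.conf, confirms nsswitch.conf consults winbind for passwd and group, lists local accounts whose uid falls inside the configured idmap uid range, and tests whether a uid reported by id for a domain user lies inside that range. The sample configuration files and the local account svcbackup are constructed for the demonstration; on a real host pass /etc/samba/smb.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/passwd instead.

```shell
#!/bin/sh
# Added example, not from the original article: sanity checks for the
# Winbind/Kerberos configuration before (and after) "net ads join".
# File paths are parameters so the checks can run against test copies.

# Print the value of a "key = value" setting from an ini-style file.
cfg_get() {              # usage: cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print "LOW HIGH" of the "idmap uid" range configured in smb.conf.
idmap_uid_range() {      # usage: idmap_uid_range SMB_CONF
    range=$(cfg_get "$1" "idmap uid")
    [ -n "$range" ] || return 1
    echo "${range%-*} ${range#*-}"
}

# Succeed when smb.conf's realm equals krb5.conf's default_realm (case-insensitive).
check_realm_match() {    # usage: check_realm_match SMB_CONF KRB5_CONF
    smb_realm=$(cfg_get "$1" realm | tr '[:lower:]' '[:upper:]')
    krb_realm=$(cfg_get "$2" default_realm | tr '[:lower:]' '[:upper:]')
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]
}

# Succeed when nsswitch.conf consults winbind for both passwd and group.
check_nsswitch() {       # usage: check_nsswitch NSSWITCH_CONF
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$1" || return 1
    done
}

# Print local accounts whose uid falls inside the idmap uid range.
# Such accounts would share ids (and file ownership) with domain users.
idmap_collisions() {     # usage: idmap_collisions SMB_CONF PASSWD_FILE
    range=$(idmap_uid_range "$1") || return 1
    lo=${range% *}; hi=${range#* }
    awk -F: -v lo="$lo" -v hi="$hi" '$3 >= lo && $3 <= hi { print $1 }' "$2"
}

# Succeed when a uid observed with "id <domainuser>" lies inside the configured
# range; a uid outside it means winbind is not using the idmap settings you expect.
uid_in_range() {         # usage: uid_in_range SMB_CONF UID
    range=$(idmap_uid_range "$1") || return 1
    lo=${range% *}; hi=${range#* }
    [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]
}

# Constructed test copies of the three config files plus a local passwd file.
write_sample_configs() { # usage: write_sample_configs DIR
    cat > "$1/smb.conf" <<'EOF'
[global]
   security = ads
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   idmap uid = 10000-25000
   idmap gid = 10000-20000
   winbind use default domain = yes
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
EOF
    # constructed local accounts; "svcbackup" deliberately sits inside the idmap uid range
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
oracle:x:500:500::/home/oracle:/bin/bash
svcbackup:x:12000:12000::/var/lib/backup:/sbin/nologin
EOF
}

main() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    check_realm_match "$dir/smb.conf" "$dir/krb5.conf" && echo "realm: OK" || echo "realm: smb.conf and krb5.conf disagree"
    check_nsswitch "$dir/nsswitch.conf" && echo "nsswitch: OK" || echo "nsswitch: winbind missing for passwd/group"
    hits=$(idmap_collisions "$dir/smb.conf" "$dir/passwd")
    [ -z "$hits" ] && echo "idmap: OK" || echo "idmap: local accounts inside idmap uid range: $hits"
    uid_in_range "$dir/smb.conf" 16777216 && echo "uid 16777216: inside range" || echo "uid 16777216: outside configured idmap range"
    rm -rf "$dir"
}
main
```

After the join, run uid_in_range against the uid that id reports for a domain user; if it falls outside the range in smb.conf, winbind is allocating ids from somewhere other than the settings you wrote, and file ownership will not be what you planned.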
Start the services
Start the samba service first:
service smb start
Then start the winbind service:
service winbind start
Join the Windows domain
[root@demo ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'DEMO' to dns domain 'example.com'
No DNS domain configured for demo. Unable to perform DNS Update.
DNS update failed!
The "DNS update failed!" message only means the host could not register its own DNS record; the join itself succeeded, as the "Joined" line shows.
If the join fails with an error, first synchronize the clock with the AD server and then join again:
net time set -I wins.example.com
net ads join -U administrator
Test the services
Confirm the connection to the AD server
[root@demo etc]# net ads info
LDAP server: 192.168.56.5
LDAP server name: wins.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 28 Oct 2014 13:57:05 CST
KDC server: 192.168.56.5
Server time offset: 0
[root@demo etc]# net ads testjoin
Join is OK
List the users and groups on the AD server
[root@demo etc]# wbinfo -u
EXAMPLE\administrator
EXAMPLE\guest
EXAMPLE\krbtgt
EXAMPLE\test
EXAMPLE\aduser1
EXAMPLE\aduser2
[root@demo etc]# wbinfo -g
EXAMPLE\domain computers
EXAMPLE\domain controllers
EXAMPLE\schema admins
EXAMPLE\enterprise admins
EXAMPLE\cert publishers
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\domain guests
EXAMPLE\group policy creator owners
EXAMPLE\ras and ias servers
EXAMPLE\allowed rodc password replication group
EXAMPLE\denied rodc password replication group
EXAMPLE\read-only domain controllers
EXAMPLE\enterprise read-only domain controllers
EXAMPLE\dnsadmins
EXAMPLE\dnsupdateproxy
EXAMPLE\ts web access computers
Test user authentication
[root@demo ~]# id EXAMPLE\\aduser1
uid=16777216(EXAMPLE\aduser1) gid=16777222(EXAMPLE\domain users) groups=16777222(EXAMPLE\domain users),16777217(BUILTIN\users)
[root@demo ~]# ntlm_auth --username=EXAMPLE\\aduser1
password:
NT_STATUS_OK: Success (0x0)
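The "Server time offset" line above is the one to watch: Kerberos rejects authentication when the two clocks differ by more than 300 seconds (the MIT Kerberos default clockskew), which is why the join section suggests net time set. The script below is an added example, not code from the original article, that turns the output of net ads info and net ads testjoin into a pass/fail check: it flags an offset beyond the tolerance, confirms the realm the server reports is the one you intended to join, and confirms testjoin says "Join is OK". The sample outputs are constructed for the demonstration (the healthy one mirrors the values shown above; the skewed one is the same output with an invented 420-second offset); on a real host capture the two commands into files and pass those instead.

```shell
#!/bin/sh
# Added example, not from the original article: turn the output of
# "net ads info" and "net ads testjoin" into a pass/fail check.
# On a joined host:
#   net ads info > /tmp/ads.info; net ads testjoin > /tmp/ads.join
#   check_ads /tmp/ads.info /tmp/ads.join EXAMPLE.COM

MAX_SKEW=300             # seconds; the MIT Kerberos default clockskew

# Print the value of a "Label: value" line from net ads info output on stdin.
ads_field() {            # usage: ads_field LABEL < info_output
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Succeed when the absolute offset is within MAX_SKEW seconds.
skew_ok() {              # usage: skew_ok OFFSET_SECONDS
    off=${1#-}           # drop a leading minus sign
    [ -n "$off" ] && [ "$off" -le "$MAX_SKEW" ]
}

# Succeed when net ads testjoin output reports a working join.
join_ok() {              # usage: join_ok < testjoin_output
    grep -q '^Join is OK'
}

# Run all checks; prints one verdict per item, returns non-zero on any failure.
check_ads() {            # usage: check_ads INFO_FILE TESTJOIN_FILE EXPECTED_REALM
    status=0
    offset=$(ads_field "Server time offset" < "$1")
    realm=$(ads_field "Realm" < "$1")
    if skew_ok "$offset"; then
        echo "clock: offset ${offset}s, OK"
    else
        echo "clock: offset ${offset}s exceeds ${MAX_SKEW}s; sync time (net time set -I <dc>) before joining"
        status=1
    fi
    if [ "$realm" = "$3" ]; then
        echo "realm: $realm, OK"
    else
        echo "realm: got '$realm', expected '$3'"
        status=1
    fi
    if join_ok < "$2"; then echo "join: OK"; else echo "join: not OK"; status=1; fi
    return $status
}

# Constructed sample outputs (the healthy one mirrors the article's net ads info).
write_sample_outputs() { # usage: write_sample_outputs DIR
    cat > "$1/info_good" <<'EOF'
LDAP server: 192.168.56.5
LDAP server name: wins.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 28 Oct 2014 13:57:05 CST
KDC server: 192.168.56.5
Server time offset: 0
EOF
    # same host, but the two clocks differ by 7 minutes (constructed value)
    sed 's/^Server time offset: .*/Server time offset: -420/' "$1/info_good" > "$1/info_skewed"
    echo "Join is OK" > "$1/testjoin_ok"
}

main() {
    dir=$(mktemp -d)
    write_sample_outputs "$dir"
    echo "== healthy host =="; check_ads "$dir/info_good" "$dir/testjoin_ok" EXAMPLE.COM
    echo "== skewed clock =="; check_ads "$dir/info_skewed" "$dir/testjoin_ok" EXAMPLE.COM
    rm -rf "$dir"
}
main
```

The realm comparison is cheap insurance against a typo in smb.conf or krb5.conf that quietly points the host at a different realm than the one you meant to join.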