Using Active Directory for CentOS

火星人 @ 2014-03-05, replies: 0

I am using a default server installation of CentOS with X, KDE and Gnome added. I also enabled the VIM text editor option in the package selection section of the installer.

This guide is specific to Samba 3.

Where block capitals are used in the config files below, use block capitals in your own values as well.

Contents
1 Step 1: Edit /etc/krb5.conf
2 Step 2: Edit /etc/samba/smb.conf
3 Step 4: Make the home directories
4 Step 5: Edit /etc/nsswitch.conf
5 Step 6: Edit /etc/pam.d/system-auth
6 Step 7: Stop and start Samba and winbind
7 Step 8: Initialise Kerberos
8 Step 9: Join the Active Directory

Step 1: Edit /etc/krb5.conf
Edit /etc/krb5.conf to look like the following, substituting SWEETNAM.EU and sweetnam.eu with your Active Directory domain name. Wherever block capitals are used, make sure your own domain name is in block capitals also. The line kdc = 172.20.1.1 in the [realms] section should be replaced with the hostname or the IP address of your Active Directory controller.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SWEETNAM.EU
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 SWEETNAM.EU = {
  kdc = 172.20.1.1:88
  admin_server = 172.20.1.1:749
  default_domain = sweetnam.eu
  kdc = 172.20.1.1
 }

[domain_realm]
 .sweetnam.eu = SWEETNAM.EU
 sweetnam.eu = SWEETNAM.EU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Step 2: Edit /etc/samba/smb.conf
Put the following in the [global] section of /etc/samba/smb.conf, substituting your own realm, workgroup and domain controller name.

[global]
 security = ads
 netbios name = CENTOS
 realm = SWEETNAM.EU
 password server = adpdc.sweetnam.eu
 workgroup = SWEETNAM
 idmap uid = 500-10000000
 idmap gid = 500-10000000
 winbind separator = +
 winbind enum users = no
 winbind enum groups = no
 winbind use default domain = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 domain master = no

Step 4: Make the home directories
The parent directory must match the %D part of template homedir above, i.e. your workgroup name in block capitals.

mkdir /home/SWEETNAM

Step 5: Edit /etc/nsswitch.conf
passwd:     compat winbind files
shadow:     compat winbind files
group:      compat winbind files
hosts:      files dns
bootparams: nisplus files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

Step 6: Edit /etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_krb5.so
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

Step 7: Stop and start Samba and winbind
/etc/init.d/smb stop
/etc/init.d/winbind stop
/etc/init.d/smb start
/etc/init.d/winbind start

Step 8: Initialise Kerberos
kinit administrator@SWEETNAM.EU

Step 9: Join the Active Directory
net ads join -U administrator@SWEETNAM.EU

You should now be able to log in to your CentOS machine using a Windows Active Directory user account. Also note that the time on the Samba server has to be within 5 minutes of the time on the Active Directory controller for Kerberos authentication to work.
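As an added post-join check (example script, not part of the original wiki page), the following POSIX shell functions verify the conditions the steps above depend on: clock skew within the 5-minute Kerberos limit, a valid machine account, the winbind trust secret, NSS resolution of an AD user, and the home directory parent from Step 4. The DC name, the test user and the parsing of `net time -S` output with GNU `date -d` are assumptions.

```shell
#!/bin/sh
# Post-join verification for the Samba 3 / winbind setup described above.
# Constructed example: DC host, test user and 'net time' parsing via GNU
# 'date -d' are assumptions, not values taken from the wiki page.

MAX_SKEW=300          # Kerberos tolerates at most 5 minutes of clock skew
WORKGROUP=SWEETNAM    # must match 'workgroup =' in smb.conf (the %D in template homedir)

# skew_ok LOCAL_EPOCH DC_EPOCH: succeed if the clocks differ by <= MAX_SKEW seconds
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# testjoin_ok OUTPUT: succeed if 'net ads testjoin' reported a valid machine account
testjoin_ok() {
    case "$1" in
        *"Join is OK"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# homedir_for DOMAIN USER: the path 'template homedir = /home/%D/%U' resolves to
homedir_for() {
    printf '/home/%s/%s\n' "$1" "$2"
}

# verify_ad_join DC_HOST AD_USER: run the live checks on a joined host
verify_ad_join() {
    dc=$1; user=$2
    # 1. clock skew against the DC ('net time -S' prints the DC's clock)
    dc_epoch=$(date -d "$(net time -S "$dc")" +%s) || return 1
    skew_ok "$(date +%s)" "$dc_epoch" || { echo "clock skew exceeds ${MAX_SKEW}s"; return 1; }
    # 2. machine account (Step 9) and the trust secret winbind uses
    testjoin_ok "$(net ads testjoin 2>&1)" || { echo "net ads testjoin failed"; return 1; }
    wbinfo -t >/dev/null 2>&1 || { echo "wbinfo -t: trust secret check failed"; return 1; }
    # 3. NSS resolves the AD user through winbind (Step 5); with
    #    'winbind use default domain = yes' the bare user name must resolve
    getent passwd "$user" >/dev/null || { echo "getent cannot resolve $user"; return 1; }
    # 4. the parent of the user's home directory (Step 4) exists
    parent=$(dirname "$(homedir_for "$WORKGROUP" "$user")")
    [ -d "$parent" ] || { echo "$parent is missing"; return 1; }
    echo "AD join verified for $user"
}

# Usage on the joined host:  verify_ad_join adpdc.sweetnam.eu someuser
```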

Retrieved from "http://sweetnam.eu/mediawiki/index.php/Using_Active_Directory_for_CentOS"
《Solution》

You are always so helpful.
《Solution》

Sharing resources! Everyone benefits!


http://www.coctec.com/docs/service/show-post-42764.html