PBIS可以很方便的加域然后使用域认证,比起winbind+samba方便多了。这东西原来叫LikeWise,现在换了这个名字,有开源版本,功能上也够用了。
#1:下载 https://github.com/BeyondTrust/pbis-open/releases #2:安装,默认设置即可 sh pbis-open-8.5.4.334.linux.x86_64.deb.sh #3:加域 domainjoin-cli join test.net admin #4:可能用得到的自定义设置 /opt/pbis/bin/config HomeDirTemplate '%H/%D/%U' /opt/pbis/bin/config LoginShellTemplate /bin/bash /opt/pbis/bin/config HomeDirUmask 077 /opt/pbis/bin/config UserDomainPrefix test.net /opt/pbis/bin/config AssumeDefaultDomain true #/opt/pbis/bin/config Requiremembershipof test\\LinuxUser test\\new # 允许LinuxUser用户组 及 new用户登录 #允许用户组为sudoer %test\\LinuxAdmins ALL=(ALL:ALL) ALL
如果用来使用的是winbind+samba认证
1:先退出域
net ads leave -U test.net administrator
2:把原来/etc/pam.d/ 下面的winbind相关项删除,还有/etc/nsswitch.conf 里面的winbind删除
cat /etc/pam.d/common-account account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok account [success=2 new_authtok_reqd=done default=ignore] pam_lsass.so account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so account requisite pam_deny.so account required pam_permit.so #-------------------------------------------------- cat /etc/pam.d/common-auth auth [success=2 default=ignore] pam_lsass.so auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass auth requisite pam_deny.so auth required pam_permit.so #-------------------------------------------------- cat /etc/pam.d/common-password password [success=2 default=ignore] pam_lsass.so password [success=1 default=ignore] pam_unix.so obscure try_first_pass sha512 password requisite pam_deny.so password required pam_permit.so #-------------------------------------------------- cat /etc/pam.d/common-session session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session optional pam_lsass.so session required pam_unix.so session optional pam_systemd.so #-------------------------------------------------- cat /etc/pam.d/common-session-noninteractive session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session optional pam_lsass.so session required pam_unix.so #-------------------------------------------------- cat /etc/nsswitch.conf passwd: compat lsass group: compat lsass shadow: compat gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
3:如果还要使用samba,可以删除winbind(用不到了)。
net cache flush #不执行此操作,samba还是使用原来winbind的UID #-------------------------------------------------- cat /etc/samba/smb.conf [global] server string = %h server (Samba, Ubuntu) security = ads workgroup = TEST realm = TEST.NET client ntlmv2 auth = yes encrypt passwords = yes log file = /var/log/samba/log.%m max log size = 1000 panic action = /usr/share/samba/panic-action %d machine password timeout = 0 [homes] comment = Home Directories browseable = no read only = no create mask = 0700 directory mask = 0700
/opt/pbis/bin/samba-interop-install --install #这样就可以使用pbis认证samba了
另外bash提示符是 test\username 这样的格式,然后为了美观把格式改为 username 这样
sed -i "58s#^.*\$#&\nmodify_username()\n{\n echo \$USER | awk -F\\\\\\\\ '{print \$NF}'\n}\n#;s#\\\\u#\$(modify_username)#g" /etc/skel/.bashrc
centos
#!/bin/bash for i in `ls /home` do grep TESTDOMAIN /home/$i/.bashrc || cat >> /home/$i/.bashrc << EOF modify_username() { echo \$USER | awk -F\\\\\\\\ '{print \$NF}' } if [[ \$USER =~ "TESTDOMAIN" ]]; then PS1='[\$(modify_username)@\H:\w]\\$ ' fi EOF done grep TESTDOMAIN /etc/skel/.bashrc || cat >> /etc/skel/.bashrc << EOF modify_username() { echo \$USER | awk -F\\\\\\\\ '{print \$NF}' } if [[ \$USER =~ "TESTDOMAIN" ]]; then PS1='[\$(modify_username)@\H:\w]\\$ ' fi EOF
#samba出现这样的错误
#Bad talloc magic value - access after free apt-get install libtalloc2
#加域时出现
#Error: ERROR_GEN_FAILURE [code 0x0000001f] apt-get remove avahi-daemon
转载于:https://blog.51cto.com/abian/1947099