CAMPUS domain users on Linux: the ins and outs of joining Linux to a Windows domain!

Note: this article explains the specifics of joining Linux to a Windows domain. The join procedure itself is not described step by step; only a sample configuration is given. For anything unfamiliar, consult the related articles.

*-====================-*

* Linux To Windows AD

*-====================-*

- Basic concepts

* PDC - Primary Domain Controller

* BDC - Backup Domain Controller

* KDC - Key Distribution Center, the Kerberos server

* PAM - Pluggable Authentication Modules

* SRV - DNS service (SRV) resource records, used to locate domain controllers and KDCs

- Domain modes

* RPC - Linux joins the domain in Windows 2000/NT4 style (security = domain)

* ADS - Active Directory, Windows 2003 / Windows XP and later (security = ads, Kerberos)

* Mixed - best compatibility

- Packages

* Samba: yum install samba.* samba-common.* samba-winbind-client.*

* Winbind: yum install samba-winbind.*

* Samba4: yum install samba4.* ;a newer version of Samba, an alternative to the samba 3 packages above

* Kerberos5: yum install pam_krb5.* krb5-workstation.* krb5-libs.*

* ldconfig

* ldconfig -v | grep winbind ;confirm that the winbind NSS library is known to the loader

* ls /usr/lib/libnss_winbind.so ;on 64-bit systems the file is /usr/lib64/libnss_winbind.so

- Configuration files

- NSS: /etc/nsswitch.conf

; tells the system where to look up the name-service databases (users, groups, ...)

; ACTION=Modify

* passwd: files winbind

* group: files winbind

; the database is named passwd, not password: a line with an unknown key is silently ignored and domain users never show up

- Samba: /etc/samba/smb.conf

; configuration for shares and, more importantly here, for the domain membership that winbind uses

; DomainMode = ActiveDirectory

*-------------------------------*

[global]

# client use spnego = no
# Leave SPNEGO at its default (yes): disabling it forces NTLM instead of Kerberos
# and is what produces the "BAD SIG" error handled in the debugging section

server signing = auto

workgroup = CAMPUS
# The SHORT (NetBIOS) name of your domain, uppercase; you need to modify this

wins server = 10.0.0.4
# The domain controller; change it to your own. Do not also set "wins support = yes":
# Samba cannot be a WINS server and a WINS client at once, and testparm reports the pair as an error

wins proxy = yes

security = ADS
# ads = Active Directory (Kerberos); domain = the NT4/RPC mode

acl compatibility = win2k

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# Size the UID/GID range for your user count. Samba 3.6 and later replace these
# two keys with "idmap config * : backend = tdb" and "idmap config * : range = ..."

password server = 10.0.0.4
# Domain controller; may be omitted so that DCs are located through DNS SRV records

map to guest = bad user
guest ok = no

realm = CAMPUS.COM
# Must be the same as default_realm in krb5.conf (uppercase)

# encrypt passwords = yes
# Default since Samba 3.0; only older releases need it spelled out

winbind use default domain = yes
# winbind separator = %

template homedir = /home/%D/%U
# /home/%D must exist; mode 0755 is enough, because pam_mkhomedir creates the
# per-user directory as root. Do not make it 777: a local user could then
# pre-create another user's home directory and own it

template shell = /bin/bash

[homes]

comment = %S
path = /home/%D/%S
writeable = yes
browsable = yes
; valid users = %S
valid users = CAMPUS\%S
# Backslash, not slash, between domain and user; with "winbind use default domain = yes" the plain %S form also works

*-------------------------------*

* Kerberos: /etc/krb5.conf

*-------------------------------*

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CAMPUS.COM
dns_lookup_realm = false
dns_lookup_kdc = false
# With dns_lookup_kdc = false every KDC must be listed under [realms]; set it to
# true to have KDCs discovered through the _kerberos._tcp SRV records instead

[realms]
CAMPUS.COM = {
kdc = ADS.CAMPUS.COM:88
admin_server = ADS.CAMPUS.COM:749
default_domain = campus.com
}

# Mapping from DNS domain to Kerberos realm; the realm name is written in uppercase
[domain_realm]
.campus.com = CAMPUS.COM
campus.com = CAMPUS.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
# Only read by a local KDC; harmless on a domain member

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

*-------------------------------*
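The three files above have to agree with each other (realm spelling, nsswitch key names, WINS settings that exclude each other) and testparm only looks at smb.conf. The following checker is an added example, not part of the original page: it parses smb.conf, krb5.conf and nsswitch.conf with one small ini-style parser and reports the mistakes this page warns about. The sample texts are constructed from the templates on this page with those mistakes left in; the file paths and the Samba/krb5 option names are the RHEL/CentOS ones.

```python
import re


def parse_conf(text):
    """Parser for both smb.conf and krb5.conf: [section] headers, 'key = value'
    lines (keys lower-cased, blanks squeezed), '#'/';' comments, and the
    'NAME = { ... }' blocks krb5.conf uses under [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section, block = m.group(1).strip().lower(), None
            conf.setdefault(section, {})
        elif section is None:
            continue
        elif line.endswith("{"):
            block = line.split("=", 1)[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            (conf[section][block] if block else conf[section])[key] = value.strip()
    return conf


def parse_nsswitch(text):
    """'database: source source ...' lines of nsswitch.conf."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs


def check_domain_config(smb_text, krb5_text, nss_text):
    """Return the list of problems; an empty list means the three files agree."""
    smb = parse_conf(smb_text).get("global", {})
    krb5 = parse_conf(krb5_text)
    nss = parse_nsswitch(nss_text)
    yes = ("yes", "true", "1")
    problems = []
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            problems.append("nsswitch: '%s:' does not list winbind" % db)
    if "password" in nss:
        problems.append("nsswitch: 'password:' is not a database; the key is 'passwd:'")
    if smb.get("security", "user").lower() != "ads":
        problems.append("smb.conf: security must be ads for an AD join")
    if smb.get("client use spnego", "yes").lower() not in yes:
        problems.append("smb.conf: 'client use spnego = no' forces NTLM (BAD SIG); remove it")
    if smb.get("wins support", "no").lower() in yes and "wins server" in smb:
        problems.append("smb.conf: 'wins support = yes' and 'wins server' cannot both be set")
    workgroup = smb.get("workgroup", "")
    if not workgroup or "." in workgroup or workgroup != workgroup.upper():
        problems.append("smb.conf: workgroup must be the uppercase short (NetBIOS) name")
    realm = smb.get("realm", "")
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "")
    if realm != realm.upper() or default_realm != default_realm.upper():
        problems.append("realm names must be uppercase")
    if realm != default_realm:
        problems.append("smb.conf realm %r != krb5.conf default_realm %r" % (realm, default_realm))
    if default_realm not in krb5.get("realms", {}):
        problems.append("krb5.conf: no [realms] entry for %s" % default_realm)
    if krb5.get("domain_realm", {}).get("." + default_realm.lower()) != default_realm:
        problems.append("krb5.conf: [domain_realm] lacks '.%s = %s'" % (default_realm.lower(), default_realm))
    return problems


# Constructed samples: the page's templates with the mistakes this page warns about left in
SMB_BAD = """[global]
client use spnego = no
workgroup = CAMPUS
wins support = yes
wins server = 10.0.0.4
security = ADS
realm = CAMPUS.COM
winbind use default domain = yes
"""
SMB_OK = SMB_BAD.replace("client use spnego = no\n", "").replace("wins support = yes\n", "")
KRB5_OK = """[libdefaults]
default_realm = CAMPUS.COM
[realms]
CAMPUS.COM = {
kdc = ADS.CAMPUS.COM:88
}
[domain_realm]
.campus.com = CAMPUS.COM
campus.com = CAMPUS.COM
"""
NSS_BAD = "password: files winbind\ngroup: files winbind\n"
NSS_OK = "passwd: files winbind\ngroup: files winbind\n"

if __name__ == "__main__":
    for p in check_domain_config(SMB_BAD, KRB5_OK, NSS_BAD):
        print("PROBLEM:", p)
    print("corrected:", check_domain_config(SMB_OK, KRB5_OK, NSS_OK) or "no problems")
```

On a real host call check_domain_config with the contents of /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf; the bracket-block handling is only needed for krb5.conf, smb.conf never uses it.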

* Restart Samba: service smb restart

; note: for authentication only, the SMB service need not be started, but smb.conf must still be configured, because winbind reads it

* Restart Winbind: service winbind restart

* Obtain a Kerberos ticket: net ads kerberos kinit -U Administrator

* Join the domain: net ads join -S ADS.CAMPUS.COM -U Administrator

; in RPC (NT4) mode: net rpc join -S ADS.CAMPUS.COM -U Administrator. Let net prompt for the password; "-U Administrator%password" puts it into the shell history and the process list

* Show information: net ads info; net ads testjoin; net rpc info

* Leave the domain: net ads leave -S ADS.CAMPUS.COM -U Administrator

* List domain users and check the machine account trust: wbinfo -u, wbinfo -t

* Look up accounts as the local system sees them: getent passwd <user>, getent group <group>

* Get the domain SID: net rpc getsid -U Administrator -I x.x.x.x

* NTLM authentication test: ntlm_auth --username=$USER

- SSH authentication via AD

* Username as follows: ADU/admin/DOMAINNAME => root/admin/CAMPUS

* With network-only authentication the bare username can also log in, e.g. ssh imwk2011@SYS (this relies on "winbind use default domain = yes")

* PAM configuration, network authentication only

*-------------------------------*

#%PAM-1.0
# AUTHENTICATION: winbind only; there is no pam_unix fallback, so local accounts
# (root included) cannot authenticate through this stack
auth          sufficient     pam_winbind.so
# ACCOUNT MANAGEMENT
account       sufficient     pam_winbind.so
# SESSION MANAGEMENT
session       required       pam_limits.so
session       required       pam_mkhomedir.so
# pam_mkhomedir creates /home/%D/%U at first login; add umask=0077 to keep
# the new home directory private (the module's default is 0022)
session       optional       pam_console.so

*-------------------------------*
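A stack like the one above has no local fallback, so it pays to predict what a stack does before it locks you out. The evaluator below is an added example, not part of the original page: it implements the required/requisite/sufficient/optional rules of Linux-PAM over simulated module results (no real PAM calls are made), parses the page's PAM file text, and evaluates the auth stack for a domain user with a good and a bad password and for local root, alongside a variant that puts pam_unix in front of winbind. The module outcomes are constructed for the illustration.

```python
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = "success", "auth_err", "user_unknown", "perm_denied"


def parse_pam_lines(text, pam_type):
    """Return [(control, module)] for lines of the given type ('auth',
    'account', 'session') in pam.d file text. Simple keywords only; the
    '[success=1 default=ignore]' bracket syntax is not handled."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.lstrip().startswith("#") and parts[0] == pam_type:
            stack.append((parts[1], parts[2]))
    return stack


def evaluate_stack(stack, module_results):
    """Walk the stack with Linux-PAM's rules and return (result, trace).
    module_results maps module -> simulated return code for this login.
      required   failure is remembered (the first one wins), later modules still run
      requisite  failure ends the stack immediately
      sufficient success ends the stack unless a required module already failed;
                 its failure is ignored
      optional   success counts if nothing else decided; failure is ignored
    If no module produced a definite result Linux-PAM returns PERM_DENIED
    (its 'this is probably a config error' case)."""
    trace, first_failure, positive = [], None, False
    for control, module in stack:
        r = module_results.get(module, USER_UNKNOWN)
        trace.append((control, module, r))
        ok = r == SUCCESS
        if control == "required":
            if ok:
                positive = True
            elif first_failure is None:
                first_failure = r
        elif control == "requisite":
            if not ok:
                return first_failure or r, trace
            positive = True
        elif control == "sufficient":
            if ok and first_failure is None:
                return SUCCESS, trace
        elif control == "optional":
            if ok:
                positive = True
    if first_failure is not None:
        return first_failure, trace
    return (SUCCESS if positive else PERM_DENIED), trace


# The page's PAM file (network authentication only)
PAGE_PAM = """\
#%PAM-1.0
auth          sufficient     pam_winbind.so
account       sufficient     pam_winbind.so
session       required       pam_limits.so
session       required       pam_mkhomedir.so
session       optional       pam_console.so
"""

# Same auth stack with a local fallback in front of winbind and an explicit deny at the end
FALLBACK_PAM = """\
auth          sufficient     pam_unix.so
auth          sufficient     pam_winbind.so
auth          required       pam_deny.so
"""

# Simulated module outcomes for three logins (constructed, not real PAM output)
DOMAIN_USER_OK = {"pam_unix.so": USER_UNKNOWN, "pam_winbind.so": SUCCESS, "pam_deny.so": AUTH_ERR}
DOMAIN_USER_BAD_PW = {"pam_unix.so": USER_UNKNOWN, "pam_winbind.so": AUTH_ERR, "pam_deny.so": AUTH_ERR}
LOCAL_ROOT_OK = {"pam_unix.so": SUCCESS, "pam_winbind.so": USER_UNKNOWN, "pam_deny.so": AUTH_ERR}


def auth_outcome(pam_text, results):
    """Result of the 'auth' stack in pam_text for the simulated login."""
    return evaluate_stack(parse_pam_lines(pam_text, "auth"), results)[0]


if __name__ == "__main__":
    for name, pam in (("page", PAGE_PAM), ("fallback", FALLBACK_PAM)):
        for who, res in (("domain ok", DOMAIN_USER_OK), ("domain bad pw", DOMAIN_USER_BAD_PW), ("local root", LOCAL_ROOT_OK)):
            print(name, who, "->", auth_outcome(pam, res))
```

The point to notice is the local-root row: with the page's stack it ends in perm_denied even though no module rejected the password, because no module said yes either. The fallback stack closes with a required pam_deny so that a wrong domain password yields a clean auth_err rather than the config-error path.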

- Summary: the #LINUX ADS# deployment procedure

* Install the packages

* Edit the configuration files in order:

/etc/nsswitch.conf

/etc/samba/smb.conf

/etc/krb5.conf

* Templates are given above; the settings that must be changed are marked

- Troubleshooting

* Check that the services are running (winbind; smb only if shares are served)

* Check the configuration files (testparm for smb.conf)

* Check the logs (/var/log/secure, /var/log/samba/log.winbindd)

* Check the DNS settings: the resolver must point at the Windows domain's DNS server

* Check the firewall and SELinux configuration

# Debugging

* "BAD SIG"

Comment out the "client use spnego = no" line in smb.conf

* "DNS UPDATE FAILED"

Check the DNS settings

Check the update permissions on the DNS zone; an AD zone set to "secure only" accepts updates only from an authenticated client (nsupdate -g with a valid Kerberos ticket)

* nsupdate

> server x.x.x.x

> update add CMS.CAMPUS.COM 10 A 10.0.0.2

> send

(a record is added with "update add NAME TTL TYPE DATA"; "add" on its own is not an nsupdate command)

* Kerberos ticket problems

kinit xxx@CAMPUS.COM ;request a ticket for user xxx in the CAMPUS realm

Clock problem: the clock difference between the DC and the client is too large (Kerberos tolerates 5 minutes by default)

Password problem: wrong user name or password

Name problem: kinit cannot find the domain controller, i.e. the KDC; check the DNS configuration

* Authentication problems in the PAM module

Use tail -f /var/log/secure to follow the authentication attempts

Make sure "winbind use default domain = yes" is set in smb.conf, so the domain name is supplied automatically

* Joining the domain does not require the SMB service to be running, but winbind needs the smb.conf file

* On older hosts (including Linux and UNIX) the domain login name is CAMPUS\cc: domain name first, then user name
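To make "tail -f /var/log/secure" actionable rather than something to stare at, the scan below joins each pam_winbind denial with sshd's "Failed password ... from IP" line written by the same sshd PID, so every denial carries the client address, and then flags sources with repeated failures in a short window (password guessing against a domain account through the Linux host, which also drives AD account lockouts). This is an added example, not from the page; the log lines are constructed in the format sshd and pam_winbind write on a RHEL/CentOS 6 host, and the path, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
WINBIND_DENY_RE = re.compile(r"pam_winbind\(sshd:auth\): user '(?P<user>[^']+)' denied access")
FAILED_PW_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_secure(lines):
    """Yield (timestamp, sshd pid, message) for sshd lines; other daemons are skipped.
    Syslog stamps carry no year, so the parsed timestamps are only good for differences."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("pid"), m.group("msg")


def winbind_failures(lines):
    """Return [(ts, user, client_ip)] for every pam_winbind denial, joined
    with the 'Failed password ... from IP' line logged by the same sshd PID."""
    pending = {}   # pid -> (ts, user) waiting for its sshd line
    events = []
    for ts, pid, msg in parse_secure(lines):
        m = WINBIND_DENY_RE.search(msg)
        if m:
            pending[pid] = (ts, m.group("user"))
            continue
        m = FAILED_PW_RE.search(msg)
        if m and pid in pending:
            dts, duser = pending.pop(pid)
            events.append((dts, duser, m.group("ip")))
    return events


def flag_bursts(events, threshold=3, window_s=300):
    """{(user, ip): peak count} for sources with >= threshold denials inside
    any window_s-second sliding window."""
    by_src = defaultdict(list)
    for ts, user, ip in events:
        by_src[(user, ip)].append(ts)
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# Constructed /var/log/secure excerpt: one good login, three guesses at 'admin', one typo by 'cc'
SAMPLE_SECURE = """\
Mar  3 10:01:00 sys sudo: cc : TTY=pts/0 ; PWD=/home/CAMPUS/cc ; USER=root ; COMMAND=/bin/ls
Mar  3 10:01:12 sys sshd[2211]: pam_winbind(sshd:auth): user 'cc' granted access
Mar  3 10:01:12 sys sshd[2211]: Accepted password for cc from 10.0.0.21 port 50100 ssh2
Mar  3 10:02:40 sys sshd[2230]: pam_winbind(sshd:auth): user 'admin' denied access (incorrect password or invalid membership)
Mar  3 10:02:40 sys sshd[2230]: Failed password for admin from 10.0.0.99 port 51000 ssh2
Mar  3 10:02:55 sys sshd[2231]: pam_winbind(sshd:auth): user 'admin' denied access (incorrect password or invalid membership)
Mar  3 10:02:55 sys sshd[2231]: Failed password for admin from 10.0.0.99 port 51001 ssh2
Mar  3 10:03:10 sys sshd[2232]: pam_winbind(sshd:auth): user 'admin' denied access (incorrect password or invalid membership)
Mar  3 10:03:10 sys sshd[2232]: Failed password for admin from 10.0.0.99 port 51002 ssh2
Mar  3 10:30:00 sys sshd[2300]: pam_winbind(sshd:auth): user 'cc' denied access (incorrect password or invalid membership)
Mar  3 10:30:00 sys sshd[2300]: Failed password for cc from 10.0.0.21 port 50200 ssh2
""".splitlines()

if __name__ == "__main__":
    for (user, ip), n in flag_bursts(winbind_failures(SAMPLE_SECURE)).items():
        print("burst: %d winbind denials for %s from %s" % (n, user, ip))
```

Against the real file replace SAMPLE_SECURE with open("/var/log/secure"); the join on PID is what separates "which domain account" (pam_winbind's line) from "which client" (sshd's line), since neither line alone has both.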

# Directory queries

* net ads search '(objectCategory=group)' sAMAccountName ;list the groups

* net ads search '(objectCategory=user)' sAMAccountName ;list the users

* net ads search '(sAMAccountName=cc)' ;show everything about user cc

* ldapsearch -x -b "dc=CAMPUS,dc=COM" -D "CAMPUS\cc" -W -h ADS.CAMPUS.COM ;list all records of the CAMPUS.COM domain, with ADS.CAMPUS.COM as the LDAP server, binding as user CAMPUS\cc. -W prompts for the password instead of putting it on the command line; a -x simple bind sends it in the clear unless -ZZ (STARTTLS) or ldaps is used, so after kinit prefer -Y GSSAPI
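The searches above put a user name straight into the LDAP filter. Whenever that name comes from somewhere untrusted (a web form, a script argument, a ticketing system), it needs RFC 4515 escaping, otherwise "*)(objectCategory=group" turns a one-user lookup into a directory dump. The Python below is added here and is not from the page: it escapes filter values, parses the LDIF that ldapsearch prints (net ads search prints the same attribute: value lines) and decodes the userAccountControl bits of the returned account, which is what a reviewer actually wants from the query. The LDIF is a constructed sample; the user cc, its group and its description are made up.

```python
import base64
import re

# RFC 4515 escaping for values placed inside an LDAP search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# userAccountControl bits worth knowing when reviewing an account (subset)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}


def ldap_filter_escape(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name):
    """Filter for 'net ads search' / ldapsearch that metacharacters in the
    user name cannot break out of."""
    return "(&(objectCategory=user)(sAMAccountName=%s))" % ldap_filter_escape(sam_account_name)


def parse_ldif(text):
    """LDIF -> list of {attribute: [values]} for entries that have a dn.
    Unfolds continuation lines, skips comments, decodes '::' base64 values;
    ldapsearch's trailing 'search:/result:' block has no dn and is dropped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        entry = {}
        for line in lines:
            if line.startswith("#"):
                continue
            attr, sep, val = line.partition(":")
            if not sep:
                continue
            if val.startswith(":"):
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            else:
                val = val.strip()
            entry.setdefault(attr, []).append(val)
        if "dn" in entry:
            entries.append(entry)
    return entries


def decode_uac(value):
    """Names of the userAccountControl bits set in value (decimal string or int)."""
    v = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if v & bit]


# Constructed sample of what 'ldapsearch ... (sAMAccountName=cc)' prints
SAMPLE_LDIF = """\
# extended LDIF
#
# base <dc=CAMPUS,dc=COM> with scope subtree
# filter: (sAMAccountName=cc)

# cc, Users, CAMPUS.COM
dn: CN=cc,CN=Users,DC=CAMPUS,DC=COM
objectClass: top
objectClass: user
cn: cc
sAMAccountName: cc
userPrincipalName: cc@campus.com
userAccountControl: 66048
memberOf: CN=linux-admins,OU=GRPS,DC=CAMPUS,DC=COM
description:: Q2FtcHVzIExpbnV4IGFkbWlu

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    print(user_filter("*)(objectCategory=group"))
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0], decode_uac(e["userAccountControl"][0]))
```

DONT_REQ_PREAUTH and PASSWD_NOTREQD are the two bits to look for first when auditing the accounts a query returns: the former makes the account AS-REP roastable, the latter lets it exist with an empty password.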

# Common directory locations

* Users: "CN=Users,DC=CAMPUS,DC=COM"

* Computers: "CN=Computers,DC=CAMPUS,DC=COM"

* Organizational unit: "OU=GRPS,DC=CAMPUS,DC=COM"

# Authentication tests

* wbinfo -a USER%PASS ;plaintext and NTLM authentication through winbind (omit %PASS to be prompted, so the password stays out of the process list)

* wbinfo -K USER%PASS ;Kerberos authentication, tests that the KDC is working

* wbinfo -m ;list the domains (workgroups) known to winbind

* ntlm_auth --username=CC ;test with user CC; success is another sign that the domain join worked
