Scenario: a user's Linux machine needs to log in with AD accounts; here the winbind service is used to meet that requirement.
1. Install the packages:
yum -y install samba samba-client samba-common samba-winbind samba-winbind-clients krb5-workstation ntpdate
Note: DNS and NTP are already configured on this host, so that configuration is omitted here.
2. Enable and start the smb and winbind services:
[root@file-share-linux ~]# chkconfig smb on
Note: Forwarding request to 'systemctl enable smb.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
[root@file-share-linux ~]# chkconfig winbind on
Note: Forwarding request to 'systemctl enable winbind.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/winbind.service to /usr/lib/systemd/system/winbind.service.
[root@file-share-linux ~]# service smb start
Redirecting to /bin/systemctl start smb.service
[root@file-share-linux ~]# service winbind start
Redirecting to /bin/systemctl start winbind.service
3. Add the host entry to the hosts file
[root@file-share-linux ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.22.1.8 file-share-linux.test.cn file-share-linux
4. Authenticate with Kerberos
Destroy any existing tickets first, then obtain a new one; the realm name must be upper-case here.
[root@file-share-linux ~]# kdestroy
[root@file-share-linux ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@fileshare ~]# kinit test@TEST.CN
Password for test@TEST.CN:
[root@fileshare ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: test@TEST.CN
Valid starting Expires Service principal
10/08/2019 11:18:48 10/08/2019 21:18:48 krbtgt/TEST.CN@TEST.CN
renew until 10/15/2019 11:18:41
5. Join the AD domain; SA.test.cn is the hostname of the Windows domain controller
[root@fileshare ~]# authconfig --enablewinbind --enablewins --enablewinbindauth --smbsecurity=ads --smbworkgroup=TEST --smbrealm=TEST.CN --smbservers=SA.test.cn --enablekrb5 --krb5realm=TEST.CN --krb5kdc=SA.test.cn --krb5adminserver=SA.test.cn --enablekrb5kdcdns --enablekrb5realmdns --enablewinbindoffline --winbindtemplateshell=/bin/bash --winbindjoin=mailadmin --update --enablelocauthorize --enablemkhomedir --enablewinbindusedefaultdomain
[/usr/bin/net join -w TEST -S SA.test.cn -U admin]
Enter admin's password:
Using short domain name -- TEST
Joined 'FILESHARE' to dns domain 'test.cn'
Troubleshooting
Error:
Oct 8 16:19:12 fileshare sshd[3340]: PAM unable to dlopen(/usr/lib64/security/pam_krb5.so): /usr/lib64/security/pam_krb5.so: cannot open shared object file: No such file or directory
Oct 8 16:19:12 fileshare sshd[3340]: PAM adding faulty module: /usr/lib64/security/pam_krb5.so
Fix:
yum install -y pam_krb5
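A check for the error above, added here as an example and not part of the original note: it lists the modules a pam.d file references that are not installed on disk, so a missing pam_krb5.so or pam_winbind.so is caught before logins start failing. The module directory defaults to /usr/lib64/security (the path in the error message); the pam.d file path and the package names are assumptions for your system.

```shell
#!/bin/sh
# pam_missing_modules PAMFILE [MODULEDIR]
# Prints the path of every PAM module referenced in PAMFILE that does not
# exist; returns 0 when all modules are present, 1 otherwise.
# MODULEDIR defaults to /usr/lib64/security (assumed, matches the error above).
pam_missing_modules() {
    pamfile=$1
    moddir=${2:-/usr/lib64/security}
    missing=$(
        sed 's/#.*//' "$pamfile" | while read -r line; do
            set -- $line
            [ $# -ge 3 ] || continue
            ptype=$1; shift
            # A leading "-" tells PAM to ignore a missing module silently,
            # so such lines are not reported; "@include" points at another file.
            case $ptype in -*|@include) continue ;; esac
            control=$1; shift
            # A bracketed control field ("[default=1 success=ok]") can span
            # several words; collect tokens until the closing bracket.
            case $control in
                \[*) while [ "${control%]}" = "$control" ] && [ $# -gt 0 ]; do
                         control="$control $1"; shift
                     done ;;
            esac
            # include/substack lines name another pam.d file, not a module.
            case $control in include|substack) continue ;; esac
            [ $# -ge 1 ] || continue
            module=$1
            case $module in
                /*) path=$module ;;          # absolute path given explicitly
                *)  path=$moddir/$module ;;  # relative to the module directory
            esac
            [ -e "$path" ] || printf '%s\n' "$path"
        done
    )
    [ -n "$missing" ] || return 0
    printf '%s\n' "$missing"
    return 1
}

# Stand-alone use: check the stack sshd ends up in on this host (path assumed).
if [ -r /etc/pam.d/system-auth ]; then
    if pam_missing_modules /etc/pam.d/system-auth; then
        echo "all PAM modules referenced by system-auth are installed"
    else
        echo "install the packages providing the modules above (e.g. pam_krb5)"
    fi
fi
```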