In this tutorial we discuss how to integrate a Linux server (CentOS/RHEL) with Windows Active Directory for authentication.
In my case I have CentOS/RHEL 6 servers.
Follow the steps below to integrate these servers with AD using Samba, Winbind and Kerberos.
Step 1: Install the samba-winbind and Kerberos packages.
# yum install samba-winbind samba-winbind-clients samba krb5-libs krb5-workstation pam_krb5
Step 2: Time synchronization.
AD is very strict about clock agreement during authentication, so the Linux server and the AD server should both be synchronized to an NTP server.
Use the following command to synchronize the Linux server's clock with the NTP server:
# ntpdate [ntp-server-ip-address/dns-name]
To make this permanent, edit the file /etc/ntp.conf and replace the server entries with one or more NTP servers from our domain, for example:
# vi /etc/ntp.conf
server [ntp-server-ip-address/dns-name]
Start the service and enable it at boot:
# /etc/init.d/ntpd start
# chkconfig ntpd on
Step 3: Edit the /etc/hosts file.
# vi /etc/hosts
[ip-address] adserver.yourdomain adserver
Step 4: Edit /etc/krb5.conf.
# vi /etc/krb5.conf
[domain_realm]
 yourdomain = YOURDOMAIN

[libdefaults]
 ticket_lifetime = 24000
 default_realm = YOURDOMAIN
 dns_lookup_realm = true
 dns_lookup_kdc = false
 cache_type = 1
 forwardable = true
 proxiable = true
 # Note: des-cbc-crc is single DES, which Windows Server 2008 R2 and later disable
 # by default and MIT Kerberos refuses while allow_weak_crypto = no; Windows also
 # does not implement des3-hmac-sha1. Current domains use
 # aes256-cts-hmac-sha1-96 / aes128-cts-hmac-sha1-96 (or rc4-hmac on old domains).
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 allow_weak_crypto = no

[realms]
 YOURDOMAIN = {
  kdc = [ip address of AD server:Port]
  admin_server = [ip address of AD server:Port]
  default_domain = yourdomain
 }

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[logging]
 default = FILE:/var/krb5/kdc.log
 kdc = FILE:/var/krb5/kdc.log
 admin_server = FILE:/var/log/kadmind.log
Step 5: Now test Kerberos authentication.
# kinit [user-name]
When it prompts for a password, enter the user's AD password. If everything is correct the shell prompt returns without an error; otherwise recheck the krb5.conf file.
Step 6: Now configure Samba and Winbind.
Edit /etc/samba/smb.conf.
# vi /etc/samba/smb.conf
[global]
 workgroup = [Workgroup-Name]
 ## replace site2 with this host's name (Samba does not support trailing comments on a value line)
 netbios name = site2
 ## set to the AD realm, the YOURDOMAIN value used in krb5.conf
 realm =
 security = ADS
 template shell = /bin/bash
 idmap backend = tdb
 idmap uid = 1-100000000
 idmap gid = 1-100000000
 winbind use default domain = Yes
 winbind nested groups = Yes
 winbind enum users = Yes
 winbind enum groups = Yes
 template homedir = /home/%D/%U
 winbind separator = /
 winbind nss info = sfu
 winbind offline logon = true
 ## 0.0.0.0/0 matches every address, so this list restricts nothing;
 ## limit it to the networks that actually need SMB access to this host
 hosts allow = 127.0.0.1 0.0.0.0/0
 obey pam restrictions = yes
 socket options = TCP_NODELAY
 passdb backend = tdbsam
 printing = cups
 load printers = yes
 cups options = raw
 printcap name = cups
 disable spoolss = Yes
 show add printer wizard = No
 interfaces = eth0 lo
 bind interfaces only = yes
 winbind refresh tickets = true
 log file = /var/log/samba/log.%m
 ## "max log size" was set twice (150, then 50) in the original; the later value is the effective one
 max log size = 50
 log level = 3
 encrypt passwords = yes
 #map untrusted to domain = yes
 #auth methods = winbind guest sam
 map untrusted to domain = Yes

[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = yes
 public = yes
 guest ok = yes
 writable = no
 printable = yes
Step 7: Configure the /etc/nsswitch.conf file to handle authentication.
# vi /etc/nsswitch.conf
passwd: compat winbind
shadow: winbind
group: compat winbind
Step 8: Now restart the Winbind and Samba services.
# /etc/init.d/smb restart
# /etc/init.d/winbind restart
Now join the domain:
# net ads join -U [User Name]
If the command above reports "Join is OK", test winbind.
Command to list all AD users:
# wbinfo -u
Step 9: Now test by logging in to the Linux server with an AD user's credentials.
# ssh [username]@[ipaddress or hostname of linux server]
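The script below is added here as an example and is not part of the tutorial. It bundles the checks worth running after step 8: clock skew against the AD server (step 2), single-DES enctypes in krb5.conf (step 4), the wide-open "hosts allow" in smb.conf (step 6), and the ticket, trust and join state. The file name adcheck.sh is hypothetical; it assumes AD's default 300-second skew limit and that `net time -S` prints a date that GNU `date -d` can parse.

```shell
#!/bin/sh
# Added example, not from the tutorial: checks for what most often breaks this
# setup: clock skew (step 2), single-DES Kerberos enctypes (step 4) and a
# wide-open "hosts allow" in smb.conf (step 6). Assumes AD's 300 s skew limit.
MAX_SKEW=300

# skew_ok LOCAL_EPOCH REMOTE_EPOCH: succeeds when the clocks differ by <= MAX_SKEW.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# weak_enctypes KRB5_CONF: prints each single-DES enctype named in krb5.conf.
# Windows Server 2008 R2+ disables single DES and MIT Kerberos refuses it while
# allow_weak_crypto = no, so kinit fails on the enctype, not on the password.
weak_enctypes() {
    grep -E '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=' "$1" |
        grep -E -o 'des-cbc-(crc|md5)' | sort -u
}

# open_hosts_allow SMB_CONF: succeeds when "hosts allow" admits every address
# (0.0.0.0/0), which makes the 127.0.0.1 entry beside it meaningless.
open_hosts_allow() {
    grep -E -i '^[[:space:]]*hosts allow[[:space:]]*=' "$1" |
        grep -q -E '(^|[[:space:]])0\.0\.0\.0/0([[:space:]]|$)'
}

# make_samples DIR: writes constructed config fragments mirroring the
# tutorial's values so the checks above can be exercised offline.
make_samples() {
    printf '[libdefaults]\n default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc\n permitted_enctypes = des3-hmac-sha1 des-cbc-crc\n allow_weak_crypto = no\n' > "$1/krb5.conf"
    printf '[global]\n hosts allow = 127.0.0.1 0.0.0.0/0\n' > "$1/smb.conf"
}

# Live mode: sh adcheck.sh adserver.yourdomain  (run as root after step 8)
if [ $# -ge 1 ]; then
    # Assumed: `net time -S` prints the AD clock in a form GNU date -d parses.
    if skew_ok "$(date +%s)" "$(date -d "$(net time -S "$1")" +%s)"; then
        echo "OK   clock within ${MAX_SKEW}s of $1"
    else
        echo "FAIL clock skew over ${MAX_SKEW}s; run ntpdate $1 (step 2)"
    fi
    weak=$(weak_enctypes /etc/krb5.conf); [ -n "$weak" ] && echo "WARN single-DES enctypes in krb5.conf: $weak"
    open_hosts_allow /etc/samba/smb.conf && echo "WARN smb.conf 'hosts allow' admits every host"
    klist -s || echo "FAIL no valid Kerberos ticket; run kinit (step 5)"
    wbinfo -t >/dev/null && echo "OK   winbind trust secret valid" || echo "FAIL wbinfo -t"
    net ads testjoin && echo "OK   domain join valid" || echo "FAIL net ads testjoin"
fi
```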
Date: 2020-09-17 00:14:00 Source: oir Author: oir