Ubuntu-ads-client
new
Installation
Interface anpassen (statische IP; der Client muss den Domänencontroller 10.0.10.85 erreichen können)
- vi /etc/network/interfaces
# /etc/network/interfaces — static address for the AD client (ifupdown syntax)
# NOTE(review): Ubuntu releases that configure networking via netplan only read
# this file when the ifupdown package is installed — confirm for the target release.
auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
address 10.0.10.96/24
gateway 10.0.10.1
hosts anpassen
- hostnamectl set-hostname ads-client
- vi /etc/hosts
# /etc/hosts — local name resolution for the client itself; the name matches the
# hostname set with hostnamectl (ads-client) and the realm's DNS domain (hack.lab)
127.0.0.1 localhost
127.0.1.1 ads-client.hack.lab ads-client
resolv.conf
# /etc/resolv.conf — DNS must point at the domain controller
# (10.0.10.85 is also the KDC in krb5.conf, and dns_lookup_kdc relies on its SRV records)
# NOTE(review): on systems running systemd-resolved this file is managed and may be
# overwritten on reboot; confirm the setting persists (e.g. via netplan/resolved config).
nameserver 10.0.10.85
search hack.lab
reboot
samba4 installieren
- apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
Update der Pam
- pam-auth-update
/etc/samba/smb.conf
# /etc/samba/smb.conf — domain member configuration (security = ADS, winbind)
[global]
    workgroup = HACK
    realm = HACK.LAB
    security = ADS

    # debug: general level 1, winbind debug class at 5
    log level = 1 winbind:5
    winbind refresh tickets = Yes

    # Windows ACLs / DOS attributes stored in extended attributes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # domain users appear without the HACK\ prefix (see the getent passwd output below)
    winbind use default domain = yes
    winbind nss info = template
    # NOTE(review): enumeration lets wbinfo -u / getent list every domain account;
    # on larger domains this is typically slow and it exposes the full account list
    # to any local user. Consider disabling it once the setup is verified.
    winbind enum users = yes
    winbind enum groups = yes

    # id mapping: tdb default for BUILTIN/other domains, rid backend for HACK
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HACK : backend = rid
    idmap config HACK : range = 10000-99999

    # home directory and shell filled in by "winbind nss info = template"
    template homedir = /home/%U
    template shell = /bin/bash

    # Mapping domain Administrator to local root
    # NOTE(review): /etc/samba/user.map is not created anywhere on this page;
    # it needs a line such as "!root = HACK\Administrator" for the mapping to take effect.
    username map = /etc/samba/user.map

    # machine credentials kept in a dedicated keytab (populated by net ads keytab create, see below)
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5.keytab
/etc/krb5.conf
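# /etc/krb5.conf — Kerberos client configuration for the HACK.LAB realm
[libdefaults]
    default_realm = HACK.LAB
    # locate realm and KDCs via DNS SRV records served by the DC (see resolv.conf)
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    # the original carried a stray "(" after the realm name ("HACK.LAB( = {"), which
    # turns the section into a different realm so these entries never applied to HACK.LAB
    HACK.LAB = {
        kdc = 10.0.10.85
        admin_server = 10.0.10.85
    }

[domain_realm]
    # map the lab's DNS domain to the realm; the original still carried the template
    # placeholder "mydomain.com", so hosts in hack.lab were not mapped to HACK.LAB
    .hack.lab = HACK.LAB
    hack.lab = HACK.LAB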
Kerberos-Ticket als Domänen-Administrator holen (setzt voraus, dass DNS funktioniert und die Uhrzeit des Clients mit dem DC übereinstimmt – Kerberos toleriert nur wenige Minuten Abweichung)
- kinit administrator
List
- klist
Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator@HACK.LAB Valid starting Expires Service principal 01/12/2023 14:28:49 01/13/2023 00:28:49 krbtgt/HACK.LAB@HACK.LAB renew until 01/13/2023 14:28:45
Erstellen Sie eine Kerberos-Keytab-Datei (sinnvoll erst nach dem Domänenbeitritt, da der Befehl das Maschinenkonto des Clients verwendet; bei `kerberos method = dedicated keytab` legt bereits `net ads join` die Keytab an)
- net ads keytab create -U administrator
Treten Sie der AD-Domäne bei
- net ads join -U administrator
Domäne beitreten (die folgende Beispielausgabe stammt aus einer anderen Umgebung – Domäne LINUGGS/linuggs.lan, Host LANG; in diesem Setup erscheinen HACK bzw. hack.lab und ads-client)
root@lang:~# net ads join -U administrator Enter administrator's password: Using short domain name -- LINUGGS Joined 'LANG' to dns domain 'linuggs.lan'
/etc/nsswitch.conf ändern
# /etc/nsswitch.conf — append winbind so domain accounts resolve via getent passwd/group
passwd: files systemd winbind
group: files systemd winbind
services neustarten
- systemctl restart smbd
- systemctl restart nmbd
- systemctl restart winbind
Ist winbind "pingbar"? (Beispielausgaben aus einer anderen Umgebung, Host fenetre)
root@fenetre:~# wbinfo -p Ping to winbindd succeeded
anzeigen der userliste
root@fenetre:~# wbinfo -u Administrator Guest krbtgt
anzeigen der passwd
- hier sollten nun die Benutzer aus dem AD auftauchen (wegen `winbind use default domain = yes` ohne HACK\-Präfix)
- getent passwd
benutzer03:*:11107:10513::/home/benutzer03:/bin/bash administrator:*:10500:10513::/home/administrator:/bin/bash benutzer04:*:11108:10513::/home/benutzer04:/bin/bash benutzer01:*:11105:10513::/home/benutzer01:/bin/bash krbtgt:*:10502:10513::/home/krbtgt:/bin/bash benutzer02:*:11106:10513::/home/benutzer02:/bin/bash guest:*:10501:10513::/home/guest:/bin/bash thomas:*:11104:10513::/home/thomas:/bin/bash
LIBPAM
änderungen in /etc/pam.d/
sollten durch pam-auth-update automatisch angepasst worden sein – zur Kontrolle hier die erwarteten Inhalte:
common-auth
# /etc/pam.d/common-auth (generated by pam-auth-update)
# local accounts first; on success the next two lines are skipped
# NOTE(review): nullok lets local accounts with an empty password field log in
# without a password (Debian default) — drop it on a hardened system
auth [success=2 default=ignore] pam_unix.so nullok
# then winbind: Kerberos authentication, ticket stored in a FILE credential cache
# NOTE(review): cached_login only provides offline logon if "winbind offline logon = yes"
# is set in smb.conf; the smb.conf on this page does not set it
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
common-account
# /etc/pam.d/common-account (generated by pam-auth-update)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
# domain accounts: winbind performs the account check (presumably applying the DC's
# account state, e.g. disabled/expired — verify against the pam_winbind documentation)
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
common-session
- folgende Zeile einfügen (umask=0022 erzeugt für alle lesbare Home-Verzeichnisse; sollen andere Domänenbenutzer nicht hineinsehen, umask=0077 verwenden)
- session required pam_mkhomedir.so umask=0022 skel=/etc/skel
# /etc/pam.d/common-session (generated by pam-auth-update; pam_mkhomedir inserted by hand)
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
# create the home directory on first login
# NOTE(review): umask=0022 makes the new home world-readable; use umask=0077
# if other domain users must not be able to read it
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
common-password
# /etc/pam.d/common-password (generated by pam-auth-update)
# local accounts: yescrypt hashing, obscure = basic password-quality checks
password [success=2 default=ignore] pam_unix.so obscure yescrypt
# domain accounts: password change handled by winbind (reusing the already typed password)
password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
sudo
# /etc/pam.d/sudo — winbind first, then local accounts; use_first_pass reuses the typed password
# (the listing may be truncated here; the stock file continues after @include common-account)
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
# NOTE(review): this only governs how sudo authenticates; which domain users or groups
# may run sudo at all is still decided by /etc/sudoers, which this page does not cover
@include common-account