Ubuntu-ads-client
Installation
Interface anpassen
vi /etc/network/interfaces
# /etc/network/interfaces: loopback plus one statically addressed NIC.
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.244.152
    netmask 255.255.248.0
    gateway 192.168.240.100
    # The resolver points at 192.168.242.13, the same address that
    # /etc/krb5.conf on this page uses as KDC (presumably the AD domain
    # controller, which also serves the domain's DNS records).
    dns-nameservers 192.168.242.13
    dns-search linuggs.lan
# NOTE(review): /etc/hosts on this page maps this host to 192.168.241.153,
# not to the address configured above. Confirm which one is intended; the
# host's FQDN should resolve to its real LAN address before the domain join.
hosts anpassen
vi /etc/hosts
127.0.0.1 localhost
192.168.241.153 lang lang.linuggs.lan
Console:
echo lang.linuggs.lan > /etc/hostname
reboot
samba4 installieren
apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl
/etc/samba/smb.conf
# smb.conf for a winbind-based Active Directory member.
# NOTE(review): workgroup/realm below are XINUX / XINUX.LAN, while
# /etc/krb5.conf, kinit and "net ads join" on this page all use
# LINUGGS / LINUGGS.LAN. These must name the domain that is actually joined;
# confirm and align them (including the XINUX prefix on the idmap lines).
[global]
    workgroup = XINUX
    # Member of an AD domain; authentication goes through the realm below.
    security = ADS
    realm = XINUX.LAN
    encrypt passwords = yes

    # ID mapping. The named domain uses the "ad" backend with the rfc2307
    # schema, i.e. UIDs/GIDs are read from the directory rather than invented
    # locally. Everything else ("*") gets locally allocated IDs from a tdb.
    # The two ranges (10000-99999 and 1000000-1999999) do not overlap.
    # Presumably directory accounts whose IDs are missing or outside
    # 10000-99999 are not mapped; verify against the accounts in the AD.
    idmap config XINUX:backend = ad
    idmap config *:backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config XINUX:schema_mode = rfc2307
    idmap config XINUX:range = 10000-99999
    # Home directory and login shell also come from the rfc2307 attributes.
    winbind nss info = rfc2307

    winbind trusted domains only = no
    # Domain accounts are presented without a DOMAIN\ prefix. nsswitch.conf on
    # this page lists "compat" before "winbind", so a local account with the
    # same name as a domain account takes precedence.
    winbind use default domain = yes
    # Enumeration makes "getent passwd" / "getent group" list every domain
    # account. That is what the tests on this page rely on, but it is costly
    # in large domains; consider switching it off once the join is verified.
    winbind enum users = yes
    winbind enum groups = yes
    # Lets winbind renew Kerberos tickets obtained via pam_winbind.
    winbind refresh tickets = Yes
/etc/krb5.conf
# Kerberos client configuration for the realm LINUGGS.LAN.
# NOTE(review): the settings up to [realms] normally live under a
# [libdefaults] section header, which is not shown here. Confirm it was only
# lost in this listing and is present in the real file.
# Kerberos rejects requests when the local clock differs too much from the
# KDC. The ntp package is installed earlier on this page, but its
# configuration is not shown; make sure it syncs with the domain's time source.
default_realm = LINUGGS.LAN
# The v4_* and krb4_* entries are Kerberos 4 compatibility settings,
# presumably carried over from the distribution's default file.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
# KDC and admin server are given by IP address (the same host that
# /etc/network/interfaces on this page uses as DNS server).
LINUGGS.LAN = {
    kdc = 192.168.242.13
    admin_server = 192.168.242.13
}

[login]
krb4_convert = true
krb4_get_tickets = false
kerberos testen
root@lang:~# kinit administrator
Password for administrator@LINUGGS.LAN:
root@lang:~#
Domäne beitreten
root@lang:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- LINUGGS
Joined 'LANG' to dns domain 'linuggs.lan'
nsswitch.conf ändern
# Only the passwd and group lines of /etc/nsswitch.conf are shown.
# Lookup order: local accounts first (compat), then winbind for domain
# accounts, so a local name always wins over an identical domain name.
passwd: compat winbind
group: compat winbind
Ist winbind "pingbar"?
root@fenetre:~# wbinfo -p
Ping to winbindd succeeded
anzeigen der userliste
root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt
anzeigen der passwd
getent passwd
...
LINUGGS\administrator:*:10500:10513:Administrator:/home/LINUGGS/administrator:/bin/bash
LINUGGS\franz.walter:*:11117:10513:Franz Walter:/home/LINUGGS/franz.walter:/bin/bash
...
Hier sollten nun Benutzer aus dem AD auftauchen.
function of nsswitch
getent passwd | grep 700
administrator:*:70001:70005:Administrator:/home/XINUX/administrator:/bin/bash
dns-gondor:*:70002:70005:dns-gondor:/home/XINUX/dns-gondor:/bin/bash
krbtgt:*:70003:70005:krbtgt:/home/XINUX/krbtgt:/bin/bash
thomas:*:70004:70005:thomas:/home/XINUX/thomas:/bin/bash
guest:*:70005:70006:Guest:/home/XINUX/guest:/bin/bash
squid:*:70006:70005:squid:/home/XINUX/squid:/bin/bash
LIBPAM
libpam-winbind
apt-get install libpam-winbind
änderungen in /etc/pam.d/
sollten automatisch geändert worden sein
common-auth
# /etc/pam.d/common-auth: local password first, then the AD domain.
# "[success=N default=ignore]" means: on success skip the next N modules,
# otherwise ignore this module's result and carry on with the next line.

# Local accounts: success jumps over pam_winbind and pam_deny to pam_permit.
# nullok_secure lets local accounts with an EMPTY password log in on
# terminals listed in /etc/securetty. Drop the option if no such account is
# intended to exist.
auth [success=2 default=ignore] pam_unix.so nullok_secure
# Domain accounts: authenticate via Kerberos (krb5_auth) and keep the ticket
# in a file-based credential cache; try_first_pass reuses the password that
# was already entered for pam_unix.
# NOTE(review): cached_login only takes effect when "winbind offline logon"
# is enabled in smb.conf, and the smb.conf on this page does not set it.
# Decide whether logins with cached credentials are wanted at all.
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# Reached only when neither module above succeeded: fail immediately.
auth requisite pam_deny.so
# Landing point of the success=N jumps; gives the stack a positive result.
auth required pam_permit.so
auth optional pam_cap.so
common-account
# /etc/pam.d/common-account: account validity checks, local first, then AD.
# On success (or when a password change is required, new_authtok_reqd=done)
# the jump skips ahead to pam_permit; any other result is ignored and the
# next module is tried.
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# Reached only when neither pam_unix nor pam_winbind accepted the account.
account requisite pam_deny.so
account required pam_permit.so
common-session
# /etc/pam.d/common-session: session setup for local and domain users.
# The first line always jumps over pam_deny (default=1 skips one module).
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
# Optional: create the home directory from /etc/skel at first login.
# umask=0022 leaves new home directories readable and traversable by every
# other user on the host (mode 0755); use umask=0077 to keep them private.
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
# End of the optional home-directory block.
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
sudo
# PAM stack for sudo (presumably /etc/pam.d/sudo): accept either the domain
# password or the local password.
# This only decides how a user proves their identity to sudo. Which users or
# AD groups may run sudo at all is controlled by sudoers, not by this file.
auth sufficient pam_winbind.so
# use_first_pass: reuse the password already entered for pam_winbind instead
# of prompting a second time.
auth sufficient pam_unix.so use_first_pass
# Neither module accepted the password: deny.
auth required pam_deny.so
# NOTE(review): the auth lines here are written out instead of including
# common-auth, and no session include is shown. Confirm that this listing is
# an excerpt and that the rest of the stock file is kept.
@include common-account