本文介绍如何让在 Windows Active Directory 上管理的用户也能在 Linux 服务器上使用（被系统识别并完成认证）。
注意:本文不包含AD服务器的搭建过程。
首先请禁用 SELinux 和 iptables 防火墙（以下步骤均以此为前提）。
vi /etc/hosts
127.0.0.1 demo localhost localhost.localdomain
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.13 demo.example.com
192.168.56.5 wins.example.com
这里要配置 DNS 服务器的地址，该 DNS 服务器需要能解析 example.com 域（包括 AD 服务器 wins.example.com）；你可以使用 Windows Server 来配置一个简单的 DNS 服务器。
也可以参考这篇文档来用linux搭建一个DNS服务器。
vi /etc/resolv.conf
search example.com
nameserver 192.168.56.254
service network restart
[root@demo ~]# rpm -qa | grep samba
samba4-libs-4.0.0-55.el6.rc4.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
如果与以上列出的软件不同,请使用下面的命令进行安装:
yum install samba-winbind ...
对于Winbind来说,需要安装下面的包:
[root@demo ~]# rpm -qa | grep winbind
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
在安装好上面的软件包之后, ntlm_auth命令就可以使用了。
cp -p /etc/samba/smb.conf /etc/samba/smb.conf.orig
vim /etc/samba/smb.conf
# ---- Settings for Winbind ----
security = ads
workgroup = EXAMPLE
realm = EXAMPLE.COM
password server = wins.example.com
encrypt passwords = true
idmap uid = 10000-25000
idmap gid = 10000-20000
winbind use default domain = yes
winbind cache time = 90
# winbind nested groups = yes
template shell = /bin/bash
# template homedir = /home/%U
cp -p /etc/nsswitch.conf /etc/nsswitch.conf.orig
vi /etc/nsswitch.conf
#-----
passwd: files winbind
shadow: files winbind
group: files winbind
cp -p /etc/krb5.conf /etc/krb5.conf.orig
vi /etc/krb5.conf
#-----
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = wins.example.com
admin_server = wins.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
```language
先启动samba服务:
service smb start
再启动winbind服务:
service winbind start
[root@demo ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'DEMO' to dns domain 'example.com'
No DNS domain configured for demo. Unable to perform DNS Update.
DNS update failed!
如果出现错误的话，先尝试与 AD 服务器同步一下时间（Kerberos 认证要求客户端与 AD 服务器的时钟偏差在允许范围内），然后重新加入域：
net time set -I wins.example.com
net ads join -U administrator
[root@demo etc]# net ads info
LDAP server: 192.168.56.5
LDAP server name: wins.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 28 Oct 2014 13:57:05 CST
KDC server: 192.168.56.5
Server time offset: 0
[root@demo etc]# net ads testjoin
Join is OK
[root@demo etc]# wbinfo -u
EXAMPLE\administrator
EXAMPLE\guest
EXAMPLE\krbtgt
EXAMPLE\test
EXAMPLE\aduser1
EXAMPLE\aduser2
[root@demo etc]# wbinfo -g
EXAMPLE\domain computers
EXAMPLE\domain controllers
EXAMPLE\schema admins
EXAMPLE\enterprise admins
EXAMPLE\cert publishers
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\domain guests
EXAMPLE\group policy creator owners
EXAMPLE\ras and ias servers
EXAMPLE\allowed rodc password replication group
EXAMPLE\denied rodc password replication group
EXAMPLE\read-only domain controllers
EXAMPLE\enterprise read-only domain controllers
EXAMPLE\dnsadmins
EXAMPLE\dnsupdateproxy
EXAMPLE\ts web access computers
[root@demo ~]# id EXAMPLE\\aduser1
uid=16777216(EXAMPLE\aduser1) gid=16777222(EXAMPLE\domain users) groups=16777222(EXAMPLE\domain users),16777217(BUILTIN\users)
[root@demo ~]# ntlm_auth --username=EXAMPLE\\aduser1
password:
NT_STATUS_OK: Success (0x0)