前提条件

目的

为了在Windows Active Directory上管理的用户也能在Linux服务器上使用。

注意：本文不包含AD服务器的搭建过程。

环境

• AD服务器环境： Windows Server 2008 R2
  • 全域名（FQDN）为：wins.example.com
• Linux服务器： Oracle Linux 6.4（64bit）
  • 全域名(FQDN)为：demo.example.com

配置Linux服务器网络

首先请禁用 SELinux和iptables防火墙。

在HOST文件中加入AD服务器

vi /etc/hosts
127.0.0.1   demo localhost localhost.localdomain
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.13  demo.example.com
192.168.56.5   wins.example.com

修改resolv.conf文件

这里要配置DNS服务器得地址，你可以使用Winodws Server来配置一个简单的DNS服务器。

也可以参考这篇文档来用linux搭建一个DNS服务器。

vi /etc/resolv.conf
search example.com
nameserver 192.168.56.254

重启网络服务

service network restart

安装相关软件包

确认Winbind和Samba的包

[root@demo ~]# rpm -qa | grep samba
samba4-libs-4.0.0-55.el6.rc4.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64

如果与以上列出的软件不同，请使用下面的命令进行安装：

yum install samba-winbind ...

对于Winbind来说，需要安装下面的包：

[root@demo ~]# rpm -qa | grep winbind
samba-winbind-clients-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64

在安装好上面的软件包之后， ntlm_auth命令就可以使用了。

配置服务

配置smb.conf

cp -p /etc/samba/smb.conf /etc/samba/smb.conf.orig 
vim /etc/samba/smb.conf
# ---- Settings for Winbind ----
  security = ads
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  password server = wins.example.com
  encrypt passwords = true
  idmap uid = 10000-25000
  idmap gid = 10000-20000
  winbind use default domain = yes
  winbind cache time = 90
#  winbind nested groups = yes
  template shell = /bin/bash
#  template homedir = /home/%U

修改 nsswitch.conf

cp -p /etc/nsswitch.conf /etc/nsswitch.conf.orig
vi /etc/nsswitch.conf
#----- 
passwd:     files winbind
shadow:     files winbind
group:      files winbind

修改 krb5.conf

    cp -p /etc/krb5.conf /etc/krb5.conf.orig
    vi /etc/krb5.conf
    #----- 
        [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log
        [libdefaults]
         default_realm = EXAMPLE.COM
         dns_lookup_realm = false
         dns_lookup_kdc = false
         ticket_lifetime = 24h
         renew_lifetime = 7d
         forwardable = true
        [realms]
         EXAMPLE.COM = {
          kdc = wins.example.com
          admin_server = wins.example.com
         }
        [domain_realm]
         .example.com = EXAMPLE.COM
         example.com = EXAMPLE.COM
```language

启动服务

先启动samba服务：

service smb start

再启动winbind服务：

service winbind start

加入到Windows Domain

[root@demo ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'DEMO' to dns domain 'example.com'
No DNS domain configured for demo. Unable to perform DNS Update.
DNS update failed!

如果出现错误的话，先尝试与AD服务器同步一下时间：

net time set -I wins.example.com
net ads join -U administrator

测试服务

AD服务器连接确认

[root@demo etc]# net ads info
LDAP server: 192.168.56.5
LDAP server name: wins.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 28 Oct 2014 13:57:05 CST
KDC server: 192.168.56.5
Server time offset: 0
[root@demo etc]# net ads testjoin
Join is OK

列出AD服务器上的用户和组信息

[root@demo etc]# wbinfo -u
EXAMPLE\administrator
EXAMPLE\guest
EXAMPLE\krbtgt
EXAMPLE\test
EXAMPLE\aduser1
EXAMPLE\aduser2

[root@demo etc]# wbinfo -g
EXAMPLE\domain computers
EXAMPLE\domain controllers
EXAMPLE\schema admins
EXAMPLE\enterprise admins
EXAMPLE\cert publishers
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\domain guests
EXAMPLE\group policy creator owners
EXAMPLE\ras and ias servers
EXAMPLE\allowed rodc password replication group
EXAMPLE\denied rodc password replication group
EXAMPLE\read-only domain controllers
EXAMPLE\enterprise read-only domain controllers
EXAMPLE\dnsadmins
EXAMPLE\dnsupdateproxy
EXAMPLE\ts web access computers

测试用户认证

[root@demo ~]# id EXAMPLE\\aduser1
uid=16777216(EXAMPLE\aduser1) gid=16777222(EXAMPLE\domain users) groups=16777222(EXAMPLE\domain users),16777217(BUILTIN\users)

[root@demo ~]# ntlm_auth --username=EXAMPLE\\aduser1
password: 
NT_STATUS_OK: Success (0x0)