Joining a Windows AD domain from Linux

Published: 2019-09-07 08:11:19  Editor: auto  Views: 1468

    Below are three ways to join a Linux host to a Windows Active Directory domain and authenticate accounts against AD.
    The examples assume the following environment:

        AD server:  server.redhat.com
        realm:      redhat.com

    Method 1:

    For environments with a graphical interface.

    Run:

    # system-config-authentication

    Method 2:

    For text-mode environments.

    Run:

    # setup

    and choose

    Authentication

    Method 3:

    For text-mode environments.

    1 Edit /etc/krb5.conf

    [root@client1 ~]# cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    # Realm names are case-sensitive; an AD realm is the DNS domain written in upper case.
    [libdefaults]
     default_realm = REDHAT.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     REDHAT.COM = {
      kdc = server.redhat.com:88
      admin_server = server.redhat.com:749
      default_domain = redhat.com
     }

    [domain_realm]
     redhat.com = REDHAT.COM
     .redhat.com = REDHAT.COM

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    [root@client1 ~]#

    2 Edit /etc/samba/smb.conf

    [global]
    #--authconfig--start-line--
       # workgroup is the domain's short (NetBIOS) name; net ads join warns if it
       # differs from the name the domain controller reports
       workgroup = redhat.com
       password server = server.redhat.com
       realm = REDHAT.COM
       security = ads
       idmap uid = 16777216-33554431
       idmap gid = 16777216-33554431
       template shell = /bin/bash
       winbind use default domain = false
       winbind offline logon = false
    #--authconfig--end-line--

    3 Edit /etc/nsswitch.conf

    passwd:     files winbind
    shadow:     files winbind
    group:      files winbind

    4 Edit the PAM configuration

    Add the pam_winbind entries. The resulting file:

    [root@client1 ~]# cat /etc/pam.d/system-auth-ac
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_winbind.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_mkhomedir.so

    5 Join the Windows Active Directory domain

    [root@client1 ~]# net ads join -S server.redhat.com -W REDHAT.COM -U Administrator

    6 Start winbind

    # chkconfig --level 35 winbind on
    # service winbind restart
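Before running the join in step 5, the files edited in steps 1 to 4 can be sanity-checked offline. The script below is an added example, not part of the original post: the helper names `ini_get` and `check_ad_configs` and the sample files under `SAMPLE_DIR` are my own, and the samples are constructed copies of the post's method 3 files, one of them carrying a doubled ".com" in the kdc host as a typical typo. It flags a non-upper-case realm, a KDC outside the realm's domain, a realm mismatch between krb5.conf and smb.conf, `security` not set to `ads`, and missing winbind entries in nsswitch.conf and PAM.

```shell
#!/bin/bash
# Offline sanity check of the method-3 files before running `net ads join`.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION] (krb5.conf / smb.conf style).
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/\[|\]|[[:space:]]/, "", s); insec = (s == sec); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit }
        }' "$1"
}

# check_ad_configs KRB5 SMB NSS PAM: print each problem found; return the problem count.
check_ad_configs() {
    local n=0 realm kdc domain smbrealm
    realm=$(ini_get "$1" libdefaults default_realm)
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    # Kerberos realm names are case-sensitive; an AD realm is the upper-cased DNS domain.
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || { echo "krb5: default_realm '$realm' is not upper-case"; n=$((n+1)); }
    # The KDC host must sit inside the realm's DNS domain (this catches a doubled ".com").
    kdc=$(ini_get "$1" realms kdc); kdc=${kdc%%:*}
    case "$kdc" in *".$domain") ;; *) echo "krb5: kdc '$kdc' is not under $domain"; n=$((n+1)) ;; esac
    smbrealm=$(ini_get "$2" global realm)
    [ "$smbrealm" = "$realm" ] || { echo "smb.conf: realm '$smbrealm' differs from krb5 default_realm"; n=$((n+1)); }
    [ "$(ini_get "$2" global security)" = "ads" ] || { echo "smb.conf: security must be 'ads' for an AD join"; n=$((n+1)); }
    grep -Eq '^passwd:.*[[:space:]]winbind' "$3" || { echo "nsswitch: passwd does not consult winbind"; n=$((n+1)); }
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$4" || { echo "pam: no auth line for pam_winbind"; n=$((n+1)); }
    return "$n"
}

# Constructed sample files (hypothetical); krb5.conf deliberately carries a doubled ".com" in the kdc host.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = REDHAT.COM
[realms]
 REDHAT.COM = {
  kdc = server.redhat.com.com:88
 }
EOF
sed 's/server\.redhat\.com\.com/server.redhat.com/' "$SAMPLE_DIR/krb5.conf" >"$SAMPLE_DIR/krb5-fixed.conf"
printf '[global]\n   workgroup = redhat.com\n   realm = REDHAT.COM\n   security = ads\n' >"$SAMPLE_DIR/smb.conf"
printf 'passwd:     files winbind\ngroup:      files winbind\n' >"$SAMPLE_DIR/nsswitch.conf"
printf 'auth        sufficient    pam_winbind.so use_first_pass\n' >"$SAMPLE_DIR/system-auth"
check_ad_configs "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/system-auth" \
    || echo "problems found: $?"
```

Run it against the real /etc paths once the files are in place; a zero exit status means none of the listed mistakes were found.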
