Samba с авторизацией в AD (upd:24.09.2008) Опции

[Leo]

Было использовано на Fedora 7-9 c AD поднятом на Windows Server 2003.

Проверяем и если необходимо устанавливаем

# yum install -y samba samba-common krb5-workstation

Правим файл /etc/hosts:

# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.254.254 ads.domain.local ads

Теперь настроим Керберос для добавления linux-сервера в windows-домен

# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]java script:void(0)
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
DOMAIN.LOCAL = {
kdc = ads.domain.local:88
admin_server = ads.domain.local:749
default_domain = domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Необходимо провести синхронизацию времени с контролером домена
net time set ads
и желательно сие действо прописать в cron

# kinit administrator@DOMAIN.LOCAL
Password for administrator@DOMAIN.LOCAL:


Hастройка samba

[root@vm01 ~]# /etc/samba/smb.conf
[global]
workgroup = DOMAIN
netbios name = srvfile
server string = Samba Server
security = ads
encrypt passwords = yes
realm = DOMAIN.LOCAL
password server = ads.domain.local
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1800
winbind use default domain = yes
winbind refresh tickets = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%U
printing =
load printers = no


Входим в домен

# net ads join -U administrator
administrator's password:
Using short domain name -- DOMAIN
Joined 'srvfile' to realm 'DOMAIN.LOCAL'


Добавить описание pam_winbind.so модуля для аутентификации в системе. Модуль pam_mkhomedir.so для автоматического создания домашней директории при первом присоединении пользователя.

vim /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


Настраиваем nsswitch, для того чтобы он мог использовать данные (о пользователях и групппах) AD с помощью winbind-сервиса и стартуем сервис

vim /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind

/etc/init.d/winbind start
Starting Winbind services: [ OK ]
chkconfig winbind on