I believe many companies need unified identity authentication, yet few have completed it end to end. Many of the enterprises I have seen use Windows AD to manage office PCs, laptops and other machines running Windows, while the servers in the IDC are mostly Linux and authenticate against LDAP (OpenLDAP, for example), and that Windows AD and that LDAP have essentially nothing to do with each other. Having asked one or two enterprise sysadmins, the reasons are fairly clear: there are only so many servers, and most users never need to log in to them, so only the operations staff need server access and LDAP alone is enough for that (some applications do log in through LDAP, such as an internal OA system, and many application systems can of course work with either Windows AD or LDAP). Secondly, Windows AD does not integrate well with other LDAP authentication; it can be done with Samba and the like, but the method is fairly involved, so as long as the basic requirements are met, Windows AD and LDAP end up "coexisting peacefully".
Because adding Windows machines to an LDAP directory is relatively complicated, the usual way to achieve unified authentication is to join the Linux machines to Windows AD instead. Windows AD is one of the earlier directory services Microsoft shipped and is fairly stable; the surrounding tooling, such as Microsoft's own Active Directory management tools, is easy to use; and I have read online that Windows AD reads and writes its data relatively fast, several times faster than databases such as MySQL (I am not sure about this; I only skimmed something along those lines and do not remember it well). For these reasons many companies choose Windows AD as the data source for LDAP. Below I use CentOS 6.5 as an example and join it to Windows AD.
1. Preparation
/etc/init.d/iptables stop
iptables -L -n
setenforce 0
getenforce
hostname centos6
You also need a Windows Server with Windows AD installed. Here I use Windows Server 2008 R2 to set up an AD with the domain name contoso.com at the Windows 2003 domain functional level; the details are shown in the figures below:
This is the domain information.
This is the group information; sadmin is a user I created.
This is the domain controller's network information.
2. Install the required packages
yum -y install krb5-libs krb5-devel pam_krb5 krb5-workstation krb5-auth-dialog
yum -y install samba-winbind samba samba-common samba-client samba-winbind-clients samba-swat
[root@localhost ~]# rpm -qa|grep krb5
krb5-libs-1.10.3-57.el6.x86_64
krb5-devel-1.10.3-57.el6.x86_64
krb5-workstation-1.10.3-57.el6.x86_64
krb5-auth-dialog-0.13-5.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
[root@localhost ~]# rpm -qa|grep samba
samba-client-3.6.23-36.el6_8.x86_64
samba-swat-3.6.23-36.el6_8.x86_64
samba-common-3.6.23-36.el6_8.x86_64
samba-winbind-3.6.23-36.el6_8.x86_64
samba-3.6.23-36.el6_8.x86_64
samba-winbind-clients-3.6.23-36.el6_8.x86_64
Start the services:
/etc/init.d/smb start
chkconfig smb on
service winbind start
chkconfig winbind on
3. Configure Kerberos and Samba with the graphical tool
Editing the configuration files by hand is laborious and error-prone, so I use the graphical interface instead. I paste the resulting configuration files at the end, so there is a known-good reference if you prefer to edit the files directly.
Before entering the setup interface, run the following two commands so the interface does not show garbled characters and its Python code does not error out:
LANG=en
export LC_ALL=C
Type setup at the command line to enter the graphical configuration interface.
Besides Use MD5 Passwords and Use Shadow Passwords, which are selected by default, tick Use Winbind, Use Kerberos and Use Winbind Authentication.
When configuring Kerberos, clear the Admin Server field and fill in the rest according to your environment. Realm is your domain name; my Windows AD domain is contoso.com, so the realm is CONTOSO.COM. Note: the domain name must be in upper case! KDC is the domain controller's IP address, 192.168.49.201 here. Leave both DNS options below unchecked.
For the Winbind configuration, Domain is the part of the domain name to the left of the first ".", CONTOSO here; note that every part of the domain name must be upper case. Domain Controllers is again the domain controller's IP address, ADS Realm is the domain name, and Template Shell is the shell assigned to AD users.
Save the configuration here by choosing Yes; once saved, the changes have already been written to the configuration files.
Here you enter the Windows AD administrator password, much like joining a Windows machine to AD. If everything is configured correctly it shows Joined CONTOSO.
4. Troubleshooting
The above is the procedure I followed with the setup interface, and I ran into problems joining Windows AD with it. I tried many approaches, but because the error messages were not informative I could not find the cause for most of them. Fortunately I found an article on Sina Blog with many test and fix methods, and by following it the configuration finally succeeded. The article is at: http://blog.sina.com.cn/s/blog_596dc5a30100bzwy.html
1) Test the connection to the AD server
kinit administrator@CONTOSO.COM
The Kerberos kinit command tests communication between the servers. The realm after the @ (TT.COM in the referenced article, CONTOSO.COM here) is your Active Directory domain name and must be upper case, otherwise you get the error:
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.
If communication works you are prompted for a password; if the password is correct you are returned to the bash prompt, and if it is wrong the error is:
kinit(v5): Preauthentication failed while getting initial credentials.
This step shows that you can talk to the AD server, but it does not mean the Samba server has joined the domain.
2) Point the CentOS DNS at the Windows AD IP address
[root@centos6 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
[root@centos6 ~]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: Determining if ip address 192.168.49.134 is already in use for device eth0...
[ OK ]
[root@centos6 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search localdomain
nameserver 192.168.49.201
nameserver 192.168.49.2
[root@centos6 ~]# nslookup contoso.com
Server:192.168.49.201
Address:192.168.49.201#53
Name:contoso.com
Address: 192.168.49.201
3) Check /etc/nsswitch.conf
Confirm that it contains the following:
passwd: files winbind
shadow: files
group: files winbind
4) Restart the samba and winbind services
service smb reload   # added because samba sometimes fails to start otherwise
service smb restart
service winbind restart
5) Temporarily turn off the firewall on the Windows AD server
6) Join the AD domain
net rpc join -S dc.contoso.com -U administrator
[root@centos6 ~]# net rpc join -S dc.contoso.com -U administrator
Enter administrator's password:
Joined domain CONTOSO.
7) Verify the join
[root@centos6 ~]# net rpc testjoin
Join to 'CONTOSO' is OK
[root@centos6 ~]# wbinfo -t
checking the trust secret for domain CONTOSO via RPC calls succeeded
[root@centos6 ~]# wbinfo -u
administrator
guest
krbtgt
sadmin
[root@centos6 ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
[root@centos6 ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
administrator:*:16777216:16777219:Administrator:/home/administrator:/bin/bash
guest:*:16777217:16777220:Guest:/home/guest:/bin/bash
krbtgt:*:16777218:16777219:krbtgt:/home/krbtgt:/bin/bash
sadmin:*:16777219:16777219:sadmin:/home/sadmin:/bin/bash
[root@centos6 ~]# getent group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
tty:x:5:
disk:x:6:
lp:x:7:daemon
mem:x:8:
kmem:x:9:
wheel:x:10:
mail:x:12:mail,postfix
uucp:x:14:
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
dbus:x:81:
utmp:x:22:
utempter:x:35:
floppy:x:19:
vcsa:x:69:
abrt:x:173:
cdrom:x:11:
tape:x:33:
dialout:x:18:
haldaemon:x:68:haldaemon
ntp:x:38:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:
sshd:x:74:
tcpdump:x:72:
slocate:x:21:
wbpriv:x:88:
domain computers:*:16777226:
domain controllers:*:16777227:
schema admins:*:16777224:sadmin,administrator
enterprise admins:*:16777223:sadmin,administrator
cert publishers:*:16777228:
domain admins:*:16777225:sadmin,administrator
domain users:*:16777219:
domain guests:*:16777220:
group policy creator owners:*:16777229:administrator
ras and ias servers:*:16777230:
allowed rodc password replication group:*:16777231:
denied rodc password replication group:*:16777221:krbtgt
read-only domain controllers:*:16777232:
enterprise read-only domain controllers:*:16777233:
dnsadmins:*:16777222:sadmin
dnsupdateproxy:*:16777234:
[root@centos6 ~]# id sadmin
uid=16777219(sadmin) gid=16777219(domain users) groups=16777219(domain users),16777221(denied rodc password replication group),16777222(dnsadmins),16777223(enterprise admins),16777224(schema admins),16777225(domain admins),16777217(BUILTIN/users),16777216(BUILTIN/administrators)
[root@centos6 ~]# id administrator
uid=16777216(administrator) gid=16777219(domain users) groups=16777219(domain users),16777221(denied rodc password replication group),16777223(enterprise admins),16777224(schema admins),16777229(group policy creator owners),16777225(domain admins),16777217(BUILTIN/users),16777216(BUILTIN/administrators)
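After the join, getent merges the local accounts from /etc/passwd with the domain accounts winbind maps into the idmap range. The check below, an added example written for this post rather than code from the post or from Samba, audits that merged view: a local account whose UID falls inside the idmap range, or a UID shared by a local and a domain account, means NSS (files first) will resolve the domain user's UID to the local name. The idmap range is the one from the post's smb.conf; the sample lines are constructed from the post's output plus one deliberately colliding local entry (svcbackup) so the check has something to report. It also lists which domain users winbind reports as members of the AD built-in admin groups, which is worth reviewing on every joined host.

```python
# Added example, not part of the original post: audit the account view winbind
# merges into NSS after the join. Inputs are the text of /etc/passwd, of
# `getent passwd` and of `getent group`.
from typing import Dict, List, Tuple

# idmap range from the post's smb.conf: "idmap config * : range = 16777216-33554431"
IDMAP_RANGE = (16777216, 33554431)

# AD built-in groups a defender usually wants to review on every joined host.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}

# Constructed sample of /etc/passwd: two normal local accounts and one local
# service account whose UID was (wrongly) chosen inside the idmap range.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
svcbackup:x:16777219:100:constructed local account:/home/svcbackup:/bin/bash
"""

# Constructed sample of `getent passwd`: the local entries followed by the
# winbind entries shown in the post.
MERGED_PASSWD = LOCAL_PASSWD + """\
administrator:*:16777216:16777219:Administrator:/home/administrator:/bin/bash
guest:*:16777217:16777220:Guest:/home/guest:/bin/bash
krbtgt:*:16777218:16777219:krbtgt:/home/krbtgt:/bin/bash
sadmin:*:16777219:16777219:sadmin:/home/sadmin:/bin/bash
"""

# Constructed sample of `getent group`, trimmed to the lines that matter here.
MERGED_GROUP = """\
wheel:x:10:
domain admins:*:16777225:sadmin,administrator
domain users:*:16777219:
enterprise admins:*:16777223:sadmin,administrator
dnsadmins:*:16777222:sadmin
"""


def parse_passwd(text: str) -> Dict[str, Tuple[str, int]]:
    """Map user name -> (password field, uid) for passwd-format lines."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, *_ = line.split(":")
        out[name] = (pw, int(uid))
    return out


def audit_accounts(local_text: str, merged_text: str,
                   idmap_range=IDMAP_RANGE) -> List[str]:
    """Return human-readable findings; an empty list means the UID layout is clean."""
    lo, hi = idmap_range
    local = parse_passwd(local_text)
    merged = parse_passwd(merged_text)
    # Anything getent shows that /etc/passwd does not is supplied by winbind.
    domain = {n: v for n, v in merged.items() if n not in local}
    findings = []
    local_uids = {}
    for name, (_, uid) in local.items():
        local_uids.setdefault(uid, []).append(name)
        if lo <= uid <= hi:
            findings.append(f"local account {name} has uid {uid} inside the idmap range")
    for name, (_, uid) in domain.items():
        if not lo <= uid <= hi:
            findings.append(f"domain account {name} has uid {uid} outside the idmap range")
        if uid in local_uids:
            # NSS resolves uid -> name through 'files' first, so the local name wins.
            findings.append(f"uid {uid} is shared by domain account {name} and local "
                            f"account(s) {','.join(local_uids[uid])}")
    return findings


def privileged_members(group_text: str, groups=PRIVILEGED_GROUPS) -> Dict[str, List[str]]:
    """Map each privileged domain group to the members winbind reports for it."""
    result = {}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _, _, members = line.split(":", 3)
        if name in groups:
            result[name] = [m for m in members.split(",") if m]
    return result


if __name__ == "__main__":
    for finding in audit_accounts(LOCAL_PASSWD, MERGED_PASSWD):
        print("FINDING:", finding)
    for group, members in sorted(privileged_members(MERGED_GROUP).items()):
        print(f"{group}: {', '.join(members)}")
```

On a real host, feed it the contents of /etc/passwd and the output of getent passwd and getent group; with the post's own data (and no constructed svcbackup entry) the audit returns no findings.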
8) Check in Windows AD
The newly added centos6 now shows up in the Active Directory Users and Computers tool.
9) Test logging in to centos6 with a Windows user
[root@centos6 ~]# su - administrator
su: warning: cannot change directory to /home/administrator: No such file or directory
-bash-4.1$ pwd
/root
-bash-4.1$ ll
ls: cannot open directory .: Permission denied
-bash-4.1$
Good, the Windows user logs in successfully; with that, joining CentOS 6.5 to Windows AD is complete.
10) The relevant configuration files
/etc/nsswitch.conf:
[root@centos6 ~]# egrep -v "#|^$" /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
/etc/samba/smb.conf:
[root@centos6 ~]# egrep -v ";|^$|#" /etc/samba/smb.conf
[global]
workgroup = CONTOSO
password server = 192.168.49.201
realm = CONTOSO.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
template homedir = /home/%U
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
security = domain
encrypt passwords = yes
password server = 192.168.49.201
load printers = yes
cups options = raw
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
valid users = CONTOSO.COM/%U
create mode = 0777
directory mode = 0777
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
/etc/krb5.conf:
[root@centos6 ~]# egrep -v "#|^$" /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
CONTOSO.COM = {
kdc = 192.168.49.201
kdc = 192.168.49.201
}
[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
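The settings section 3 insists on (upper-case realm, KDC address, Domain equal to the first label of the realm, winbind in nsswitch.conf) can be checked mechanically against the three files above. The script below is an added example written for this post, not code from the post or from Samba; its sample texts are copies of the files pasted above, with the smb.conf [global] section trimmed to the keys that matter, so it runs offline. One thing it reports on the post's own smb.conf: security appears twice (ads, then domain), and Samba takes the last occurrence of a repeated parameter, so the effective mode is domain.

```python
# Added example, not from the original post: cross-check the krb5.conf, smb.conf
# and nsswitch.conf settings that the domain join depends on.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Copies of the post's files (smb.conf trimmed to the relevant [global] keys).
KRB5_CONF = """\
[libdefaults]
 default_realm = CONTOSO.COM
[realms]
 CONTOSO.COM = {
  kdc = 192.168.49.201
  kdc = 192.168.49.201
 }
[domain_realm]
 contoso.com = CONTOSO.COM
 .contoso.com = CONTOSO.COM
"""

SMB_CONF = """\
[global]
workgroup = CONTOSO
password server = 192.168.49.201
realm = CONTOSO.COM
security = ads
idmap config * : range = 16777216-33554431
winbind use default domain = true
security = domain
password server = 192.168.49.201
"""

NSSWITCH_CONF = """\
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
"""


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """INI-style parse that keeps every (key, value) pair in order, so repeated keys
    stay visible. krb5.conf 'REALM = { ... }' blocks are flattened to 'REALM/key'."""
    sections = defaultdict(list)
    section, prefix = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, prefix = line[1:-1].strip(), ""
        elif line.endswith("{"):
            prefix = line[:-1].split("=")[0].strip() + "/"
        elif line == "}":
            prefix = ""
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[section].append((prefix + key, value))
    return sections


def check_join_config(krb5: str, smb: str, nss: str) -> List[str]:
    """Return findings; an empty list means the three files agree with each other."""
    findings = []
    k, s = parse_sections(krb5), parse_sections(smb)
    realm = dict(k["libdefaults"]).get("default_realm", "")
    if realm != realm.upper():
        findings.append(f"krb5 default_realm {realm!r} is not upper-case")
    if not [v for key, v in k["realms"] if key == f"{realm}/kdc"]:
        findings.append(f"krb5 [realms] has no kdc entry for {realm}")
    if dict(k["domain_realm"]).get(realm.lower()) != realm:
        findings.append(f"krb5 [domain_realm] does not map {realm.lower()} to {realm}")
    # smb.conf: when a parameter is repeated, Samba uses the last occurrence, so a
    # duplicate with a different value silently changes how the join behaves.
    seen = defaultdict(list)
    for key, value in s["global"]:
        seen[key].append(value)
    for key, values in seen.items():
        if len(set(values)) > 1:
            findings.append(f"smb.conf [global] sets {key!r} more than once; "
                            f"effective value is {values[-1]!r}")
    g = {key: values[-1] for key, values in seen.items()}
    if g.get("realm") != realm:
        findings.append("smb.conf realm differs from krb5 default_realm")
    if g.get("workgroup") != realm.split(".")[0]:
        findings.append("smb.conf workgroup is not the first label of the realm")
    if g.get("security") not in ("ads", "domain"):
        findings.append(f"smb.conf security = {g.get('security')!r} cannot join a domain")
    m = re.fullmatch(r"(\d+)-(\d+)", g.get("idmap config * : range", ""))
    if not m or int(m.group(1)) >= int(m.group(2)) or int(m.group(1)) < 1000:
        findings.append("idmap range missing, inverted, or overlapping local UIDs")
    nss_map = {}
    for line in nss.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            db, sources = line.split(":", 1)
            nss_map[db.strip()] = sources.split()
    for db in ("passwd", "group"):
        if "winbind" not in nss_map.get(db, []):
            findings.append(f"nsswitch.conf {db} does not include winbind")
    return findings


if __name__ == "__main__":
    for finding in check_join_config(KRB5_CONF, SMB_CONF, NSSWITCH_CONF):
        print("FINDING:", finding)
```

Run it against the real files by reading /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf into the three arguments; an empty result means the realm, workgroup, KDC, idmap range and NSS sources are consistent with what the setup tool wrote.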