说明:本文为LINUX加入WINDOWS域的具体情况作一些说明,关于如何加入到域,本文不再详述,仅提供一个配置样板,如果有不了解的,可以再查看相关文章。

 


  

    *-====================-* 
   
 * Linux To Windows AD 
   
 *-====================-* 
   

 - 基本概念 
   
 * PDC - 主域控制器 
   
 * BDC - 备份域控制器 
   
 * KDC - 密钥颁发中心,Kerberos服务器 
   
 * PAM - 可插拔认证模块
   
 * SRV - DNS服务资源记录 
   
 - 域模式 
   
 * RPC - LINUX以Windows2000/NT4样式(RPC方式)加入到域中
   
 * ADS - 活动目录,Windows2003,WindowsXP 
   
 * 混合 - 有最好的兼容性 
   

 - 软件包Sw 
   
 * Samba: yum install samba.* samba-common.* samba-winbind-client.* 
   
 * Winbind: yum install samba-winbind.* 
   
 * Samba4: yum install samba4.* ;A newer version of samba 
   
 * Kerberos5: yum install pam_krb5.* krb5-workstation.* krb5-libs.* 
   
 * ldconfig 
   
 * ldconfig -v | grep winbind 
   
 * ls /usr/lib/libnss_winbind.so 
   

 - 配置文件 
   
 - NSS: /etc/nsswitch.conf 
   
 ; 指示系统按什么顺序查找passwd/group等名字服务数据库(先查本地files,再查winbind)
   
 ; ACTION=Modify 
   
 * passwd: files winbind
   
 * group: files winbind 
   

 - Samba: /etc/smb.conf 
   
 ; 与共享文件夹相关的配置 
   
 ; DomainMode = ActiveDirectory 
   
 *-------------------------------* 
   
 [global] 
   
   client use spnego = no 
   
   server signing = auto 
   
   workgroup = CAMPUS 
   
 # The SHORT-DOMAIN name of your domain, you need to modify 
   
   wins support = yes 
   
   wins server = 10.0.0.4 
   
 # Controller of the domain, You need to modify it to your own 
   
   wins proxy = yes 
   
   security = ADS 
   
 # or AD,ADS,domain, DOMAIN is the RPC mode 
   
   acl compatibility = win2k 
   
   idmap uid = 16777216-33554431 
   
 # Set based on your user count (newer Samba versions express this range as "idmap config * : range" instead)
   
   idmap gid = 16777216-33554431 
   
   password server = 10.0.0.4 
   
 # Domain Controller 
   
   map to guest = bad user 
   
   guest ok = no 
   
   realm = CAMPUS.COM 
   
 # You need to keep the same with file krb5.conf defined 
   
 # encrypt passwords = yes
   
 # Encrypt PASS, not supported by some version of samba 
   
   winbind use default domain = yes 
   
 # winbind separator = % 
   
   template homedir = /home/%D/%U 
   
   # /home/%D must exist so home directories can be created under it; when pam_mkhomedir runs in a root session stack (sshd/login) a root-owned 755 directory is enough - avoid 777, which lets any local user create or rename directories there
   
   template shell = /bin/bash 
   
 [homes] 
   
   comment = %S 
   
   path =/home/%D/%S 
   
   writeable = yes 
   
   browsable = yes 
   
 ; valid users = %S 
   
   valid users = CAMPUS\%S
   
 *-------------------------------* 
   

 * Kerberos: /etc/krb5.conf 
   
 *-------------------------------* 
   
 [logging] 
   
   default = FILE:/var/log/krb5libs.log 
   
   kdc = FILE:/var/log/krb5kdc.log 
   
   admin_server = FILE:/var/log/kadmind.log 
   
 [libdefaults] 
   
   default_realm = CAMPUS.COM 
   
   dns_lookup_realm = false 
   
   dns_lookup_kdc = false 
   
 [realms] 
   
   CAMPUS.COM = { 
   
   kdc = ADS.CAMPUS.COM:88 
   
   admin_server = ADS.CAMPUS.COM:749 
   
   default_domain = campus.com 
   
 } 
   
 # This is a REALMS to DOMAIN MAPPING, REALMS Format is uppercase 
   
 [domain_realm] 
   
   .campus.com = CAMPUS.COM 
   
   campus.com = CAMPUS.COM 
   
 # Build the mapping 
   
 [kdc] 
   
   profile = /var/kerberos/krb5kdc/kdc.conf 
   
 [appdefaults] 
   
   pam = { 
   
   debug = false 
   
   ticket_lifetime = 36000 
   
   renew_lifetime = 36000 
   
   forwardable = true 
   
   krb4_convert = false 
   
 } 
   
 *-------------------------------* 
   

 * 重启samba: service smb restart 
   
 * 重启Winbind: service winbind restart 
   
 * 初始化KDC: net ads kerberos kinit 
   
 * 加域: net rpc join -S ADS.CAMPUS.COM -U Administrator% (建议改用仅被授予加域权限的专用账号,而不是直接使用Administrator)
   
 * 查看信息: net rpc info; net ads testjoin; net ads 
   
 * 退域: net ads leave -S ADS.CAMPUS.COM -U Administrator% 
   
 * 查看用户信息: wbinfo -u, wbinfo -t 
   
 * 查看本机用户: getent passwd K-id, getent group K-id 
   
 * 获取SID: net rpc getsid -U Administrator% -I x.x.x.x 
   
 * NTLM-AUTH: ntlm_auth --username=$USER 
   

 - 通过AD认证SSH 
   
 * 用户名如下: ADU/admin/DOMAINNAME => root/admin/CAMPUS 
   
 * 如果只进行网络认证,仅用户名也可以登录如 ssh imwk2011@SYS 
   
 * PAM认证文件,仅网络认证 
   
 *-------------------------------* 
   
 #%PAM-1.0 
   
 #AUTHENTICATION 
   
 auth          sufficient     pam_winbind.so 
   
 #AM 
   
 account       sufficient     pam_winbind.so 
   
 #SM 
   
 session       required       pam_limits.so 
   
 session       required       pam_mkhomedir.so 
   
 session       optional       pam_console.so 
   
 *-------------------------------* 
   

 - 总结#LINUX ADS#部署过程 
   
 * 安装软件包 
   
 * 依次对配置文件进行修改 
   
   /etc/nsswitch.conf 
   
   /etc/samba/smb.conf 
   
   /etc/krb5.conf 
   
 * 模板见上,修改的重要地方已标出 
   
 - 排错 
   
 * 检查服务是否正常运行 
   
 * 检查配置文件是否正确 
   
 * 检查日志 
   
 * 检查DNS设置: 应该为Windows域主DNS 
   
 * 检查防火墙配置与SELINUX配置 
   

 # 调错 
   
 * "BAD SIG" 
   
   注释掉smb.conf中的"client use spnego = no"选项(注释后恢复默认值yes,允许SPNEGO/Kerberos协商;设为no会退回NTLM认证,ADS模式下不建议长期关闭)
   
 * “DNS UPDATE FAILED” 
   
   检查DNS设定 
   
   检查DNS上的更新权限 
   
 * nsupdate 
   
 > Server x.x.x.x 
   
 > Add CMS.CAMPUS.COM 10 A 10.0.0.2 
   
 > Send 
   
 * Kerberos 密钥初始化问题 
   
   kinit xxx@CAMPUS.COM ;申请用户xxx在域CAMPUS中的票据 
   
   时钟问题,域控与客户端时钟差距过大 
   
   密码问题,用户或者密码错误 
   
   域名问题,KINIT找不到域控制器,也即KDC,注意检查DNS配置 
   
 * PAM模块中的认证问题 
   
   使用 tail -f /var/log/secure 追踪其认证问题 
   
   确认在"smb.conf"文件中打开"winbind use default domain=yes"选项,系统会自动传入域名 
   
 * 加域并不需要SMB服务运行,WINBIND需要"smb.conf"文件 
   
 * 旧的主机(含LINUX、UNIX等)登录域的用户名为: CAMPUS\cc,前为域名,后为用户名 
   

 # 数据查询 
   
 * net ads search '(objectCategory=group)' sAMAccountName ;查询系统组 
   
 * net ads search '(objectCategory=user)' sAMAccountName ;查询用户
   
 * net ads search '(sAMAccountName=cc)' ;查询用户CC相关信息 
   
 * ldapsearch -x -b "dc=CAMPUS,dc=COM" -D "CAMPUS\cc" -w "PASSWD" -h ADS.CAMPUS.COM (建议用 -W 交互输入密码,避免密码出现在命令行参数与shell历史中)
   
 # 常用数据结构 
   
 * 用户: "CN=users,DC=CAMPUS,DC=COM" 
   
 * 计算机: "CN=Computers,DC=CAMPUS,DC=COM" 
   
 * 组织单位: "OU=GRPS,DC=CAMPUS,DC=COM" 
   



 # 认证 
   
 * wbinfo -a USER%PASS (省略%PASS可交互输入密码,避免密码留在shell历史中)
   
 * wbinfo -K USER%PASS 
   
 * wbinfo -m 
   
 * ntlm_auth --username=CC 
   










   
   
  
*-====================-*
 * Linux To Windows AD
 *-====================-*

 - 基本概念
 * PDC - 主域控制器
 * BDC - 备份域控制器
 * KDC - 密钥颁发中心,Kerberos服务器
 * PAM - 可插拔认证模块
 * SRV - DNS服务资源记录
 - 域模式
 * RPC - LINUX以Windows2000/NT4样式(RPC方式)加入到域中
 * ADS - 活动目录,Windows2003,WindowsXP
 * 混合 - 有最好的兼容性

 - 软件包Sw
 * Samba: yum install samba.* samba-common.* samba-winbind-client.*
 * Winbind: yum install samba-winbind.*
 * Samba4: yum install samba4.* ;A newer version of samba
 * Kerberos5: yum install pam_krb5.* krb5-workstation.* krb5-libs.*
 * ldconfig
 * ldconfig -v | grep winbind
 * ls /usr/lib/libnss_winbind.so

 - 配置文件
 - NSS: /etc/nsswitch.conf ;指示系统按什么顺序查找passwd/group等名字服务数据库
 ; 修改以下内容
 passwd: files winbind
 group: files winbind
- Samba: /etc/smb.conf
 ; 与共享文件夹相关的配置
 [global]
   client use spnego = no
   server signing = auto
   workgroup = CAMPUS
 # The SHORT-DOMAIN name of your domain, you need to modify
   wins support = yes
   wins server = 10.0.0.4
 # Controller of the domain, You need to modify it to your own
   wins proxy = yes
   security = ADS
 # or AD,ADS,domain, DOMAIN is the RPC mode
   acl compatibility = win2k
   idmap uid = 16777216-33554431
 # Set based on your user count (newer Samba versions express this range as "idmap config * : range" instead)
   idmap gid = 16777216-33554431
   password server = 10.0.0.4
 # Domain Controller
   map to guest = bad user
   guest ok = no
   realm = CAMPUS.COM
 # You need to keep the same with file krb5.conf defined
 # encrypt passwords = yes
 # Encrypt PASS, not supported by some version of samba
   winbind use default domain = yes
 # winbind separator = %
   template homedir = /home/%D/%U
   # /home/%D must exist so home directories can be created under it; when pam_mkhomedir runs in a root session stack (sshd/login) a root-owned 755 directory is enough - avoid 777, which lets any local user create or rename directories there
   template shell = /bin/bash
 [homes]
   comment = %S
   path =/home/%D/%S
   writeable = yes
   browsable = yes
 ; valid users = %S
   valid users = CAMPUS\%S
* Kerberos配置文件: /etc/krb5.conf
 [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
   default_realm = CAMPUS.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false
 [realms]
   CAMPUS.COM = {
   kdc = ADS.CAMPUS.COM:88
   admin_server = ADS.CAMPUS.COM:749
   default_domain = campus.com
 }
 # This is a REALMS to DOMAIN MAPPING, REALMS Format is uppercase
 [domain_realm]
   .campus.com = CAMPUS.COM
   campus.com = CAMPUS.COM
 # Build the mapping
 [kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf
 [appdefaults]
   pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
* 重启samba: service smb restart
 ; 注: 如果只作认证,SMB服务可以不启动,但smb.conf必须配置好
 * 重启Winbind: service winbind restart
 * 初始化KDC: net ads kerberos kinit
 * 加域: net rpc join -S ADS.CAMPUS.COM -U Administrator% (建议改用仅被授予加域权限的专用账号,而不是直接使用Administrator)
 * 查看信息: net rpc info; net ads testjoin; net ads
 * 退域: net ads leave -S ADS.CAMPUS.COM -U Administrator%
 * 查看用户信息: wbinfo -u, wbinfo -t
 * 查看本机用户: getent passwd K-id, getent group K-id
 * 获取SID: net rpc getsid -U Administrator% -I x.x.x.x
 * NTLM-AUTH: ntlm_auth --username=$USER


 - 总结#LINUX ADS#部署过程
 * 安装软件包
 * 依次对配置文件进行修改
   /etc/nsswitch.conf
   /etc/samba/smb.conf
   /etc/krb5.conf
 * 模板见上,修改的重要地方已标出
 - 排错
 * 检查服务是否正常运行
 * 检查配置文件是否正确
 * 检查日志
 * 检查DNS设置: 应该为Windows域主DNS
 * 检查防火墙配置与SELINUX配置

 # 调错
 * "BAD SIG"
   注释掉smb.conf中的"client use spnego = no"选项(注释后恢复默认值yes,允许SPNEGO/Kerberos协商;设为no会退回NTLM认证,ADS模式下不建议长期关闭)
 * “DNS UPDATE FAILED”
   检查DNS设定
   检查DNS上的更新权限
 * nsupdate
 > Server x.x.x.x
 > Add CMS.CAMPUS.COM 10 A 10.0.0.2
 > Send
 * Kerberos 密钥初始化问题
   kinit xxx@CAMPUS.COM ;申请用户xxx在域CAMPUS中的票据
   时钟问题,域控与客户端时钟差距过大
   密码问题,用户或者密码错误
   域名问题,KINIT找不到域控制器,也即KDC,注意检查DNS配置
 * PAM模块中的认证问题
   使用 tail -f /var/log/secure 追踪其认证问题
   确认在"smb.conf"文件中打开"winbind use default domain=yes"选项,系统会自动传入域名
 * 加域并不需要SMB服务运行,WINBIND需要"smb.conf"文件
 * 旧的主机(含LINUX、UNIX等)登录域的用户名为: CAMPUS\cc,前为域名,后为用户名

 # 数据查询
 * net ads search '(objectCategory=group)' sAMAccountName ;查询系统组
 * net ads search '(objectCategory=user)' sAMAccountName ;查询用户
 * net ads search '(sAMAccountName=cc)' ;查询用户CC相关信息
 * ldapsearch -x -b "dc=CAMPUS,dc=COM" -D "CAMPUS\cc" -w "PASSWD" -h ADS.CAMPUS.COM ;列出CAMPUS.COM域的所有记录,其中LDAP服务器为ADS.CAMPUS.COM,查询所使用的用户为CAMPUS\cc(建议用 -W 交互输入密码,避免密码出现在命令行参数与shell历史中)
 # 常用数据结构
 * 用户: "CN=users,DC=CAMPUS,DC=COM"
 * 计算机: "CN=Computers,DC=CAMPUS,DC=COM"
 * 组织单位: "OU=GRPS,DC=CAMPUS,DC=COM"


 # 认证测试
 * wbinfo -a USER%PASS (省略%PASS可交互输入密码,避免密码留在shell历史中)
 * wbinfo -K USER%PASS ;采用Kerberos方式测试KDC是否正常
 * wbinfo -m ;查看配置的域(工作组)
 * ntlm_auth --username=CC ;使用CC测试,如果认证成功,可从另一个方面说明系统加域已经成功 
   

 https://blog.51cto.com/cc2011/641471