Linux

Joining Linux to Active Directory

Reference sites

Notes

  • Even for Linux, joining Active Directory requires Microsoft CAL licenses.

Prerequisites (server configuration)

Domain name                    domain.tar3.net
AD server IP address 1         192.168.7.5
AD server IP address 2         192.168.7.5
AD server host name 1          addc1.domain.tar3.net
AD server host name 2          addc2.domain.tar3.net
Shared directory local path    /mnt/share
Shared folder name             share
Client host name               client1.domain.tar3.net

DNS resolver configuration

  • Point DNS resolution at the AD servers.
    192.168.7.5;192.168.7.6

For Ubuntu

Installing samba

sudo apt-get install winbind libpam-winbind samba krb5-user

Default Kerberos version 5 realm (install prompt):
    DOMAIN.TAR3.NET

Configuring samba

[global]
    workgroup = DOMAIN
    max protocol = SMB2

    # domain member authenticating against AD via Kerberos
    realm = DOMAIN.TAR3.NET
    security = ads

    # only this domain's accounts: a single rid range cannot hold SIDs of trusted domains
    allow trusted domains = No

    # idmap_rid: unix ID = RID + 10000, deterministic, no mapping database required
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    idmap backend = rid

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind expand groups = yes
    winbind refresh tickets = yes
    winbind offline logon = yes

    server string = %h server (Samba, Ubuntu)
    dns proxy = no

    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d

    server role = standalone server

    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes

    # unknown user names are treated as guest
    map to guest = bad user
    usershare allow guests = yes

[Share]
    comment =
    path = /mnt/share
    writable = Yes

Joining the domain

  • sudo net ads join -U Administrator
    dramsuko@client1:$ sudo net ads join -U Administrator
    Enter Administrator's password:
    Using short domain name -- DOMAIN
    Joined 'CLIENT1' to dns domain 'domain.tar3.net'
    DNS Update for client1.tar3.net failed: ERROR_DNS_GSS_ERROR
    DNS update failed: NT_STATUS_UNSUCCESSFUL

Kerberos client configuration

  • sudo vi /etc/krb5.conf
    [libdefaults]
        default_realm = DOMAIN.TAR3.NET

        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        #dns_lookup_realm = false
        dns_lookup_realm = true
        #dns_lookup_kdc = false
        dns_lookup_kdc = true
        #ticket_lifetime = 24h
        ticket_lifetime = 1h
        renew_lifetime = 7d
        #forwardable = true

        v4_instance_resolve = false
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
            }
            plain = {
                something = something-else
            }
        }
        fcc-mit-ticketflags = true

    [realms]
        DOMAIN.TAR3.NET = {
            kdc = ADDC1.DOMAIN.TAR3.NET
            admin_server = ADDC1.DOMAIN.TAR3.NET
        }

    [domain_realm]
        .domain.tar3.net = DOMAIN.TAR3.NET
        domain.tar3.net = DOMAIN.TAR3.NET

    [login]
        krb4_convert = true
        krb4_get_tickets = false

Starting samba and winbind

sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart

Verification

  • wbinfo -g
  • wbinfo -u

Editing /etc/nsswitch.conf

#passwd:         compat
passwd:         compat winbind
#group:          compat
group:          compat winbind
#shadow:         compat
shadow:         compat winbind

#hosts:          files dns
hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Editing /etc/pam.d/common-session

  • sudo vi /etc/pam.d/common-session
  • Insert the following line
    session required /lib/x86_64-linux-gnu/security/pam_mkhomedir.so skel=/etc/skel umask=0077

Autostart configuration

  • Install the autostart tool
    sudo apt-get install sysv-rc-conf
  • Enable the following services at boot
    • sudo sysv-rc-conf nmbd on
    • sudo sysv-rc-conf smbd on
    • sudo sysv-rc-conf winbind on

Fixing incorrect SID to UID/GID mapping in winbind

  • sudo service winbind stop
  • sudo rm -fr /var/cache/samba/*
  • sudo service winbind start
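The idmap settings in the samba configuration above (idmap backend = rid with the 10000-99999 range) make the SID to ID mapping deterministic, which is what makes clearing the winbind cache in this section safe: the IDs are recomputed, not lost. As an added example that is not part of this page, the following shell script predicts the ID for a given SID so that the values winbind hands out can be checked; the domain SIDs in it are constructed placeholders.

```shell
# Added example, not from the original page: predicts the unix ID that the
# idmap_rid backend configured above assigns to a domain SID, so the output
# of "wbinfo --sid-to-uid <SID>" or "id <user>" can be checked against it.
# idmap_rid is deterministic: ID = RID - BASE_RID + LOW_RANGE_ID, with
# BASE_RID defaulting to 0; the range comes from "idmap uid = 10000-99999".
LOW_RANGE_ID=10000
HIGH_RANGE_ID=99999
BASE_RID=0

# Constructed sample domain SID (placeholder, not a real domain).
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"

# rid_to_id SID: print the expected ID; return 1 if the RID falls outside the
# configured range (winbind cannot map such a SID), 2 if it is no domain SID.
rid_to_id() {
    sid="$1"
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;
        *) echo "not a domain account SID: $sid" >&2; return 2 ;;
    esac
    rid="${sid##*-}"                      # last sub-authority is the RID
    unix_id=$(( rid - BASE_RID + LOW_RANGE_ID ))
    if [ "$unix_id" -lt "$LOW_RANGE_ID" ] || [ "$unix_id" -gt "$HIGH_RANGE_ID" ]; then
        echo "RID $rid -> $unix_id is outside $LOW_RANGE_ID-$HIGH_RANGE_ID" >&2
        return 1
    fi
    echo "$unix_id"
}

# check_mapping SID OBSERVED_ID: succeed only if the ID winbind actually
# returned equals the rid-derived value; a mismatch is the symptom that the
# cache reset in this section is meant to fix.
check_mapping() {
    expected=$(rid_to_id "$1") || return 1
    [ "$expected" = "$2" ]
}

# Demonstration with the constructed values:
rid_to_id "$DOMAIN_SID-1105"                                  # 11105
rid_to_id "S-1-5-21-4444444444-5555555555-6666666666-1105"     # also 11105:
# the same RID in another domain collides onto the same ID, which is why the
# configuration keeps "allow trusted domains = No" with a single range.
rid_to_id "$DOMAIN_SID-95000" || echo "unmappable RID, as expected"
check_mapping "$DOMAIN_SID-1105" 11105 && echo "mapping consistent"
```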

Last-modified: 2019-02-23 (Sat) 14:58:11