Active_Directory_参画

Linux

LinuxのActive Directory 参画

参考サイト †

• Ubuntu マシンに Active Directory 認証でログイン出来るようにする(シナジーマーケティング株式会社 R&D)
• ADのアカウントでLinuxサーバにログインする(海馬のかわり)
• winbind で Linux の認証を ActiveDirectory にまかせる(daily dayflower)
• LinuxをActiveDirectoryドメインに参加させる(qiita)
• 【Samba TIPS】idmap_ridの活用---Windows連携時にサーバー間のユーザーID不一致を防ぐ(ITPro)

注意点 †

• Linux であっても Active Directory に参画するには Microsoft の Cal ライセンスが必要です。

前提条件(サーバの構成情報) †

DNS レゾルバの設定 †

• DNS の参照先をADに設定します。

  192.168.7.5;192.168.7.6

ubuntu の場合 †

samba のインストール †

sudo apt-get install winbind libpam-winbind samba krb5-user

デフォルトのケルベロスバージョン 5 レルム
    DOMAIN.TAR3.NET

samba の設定 †

[global]
    workgroup = DOMAIN
    max protocol =SMB2
    
    realm = DOMAIN.TAR3.NET
    security = ads
    
    allow trusted domains = No
    
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    idmap backend = rid
    
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind expand groups = yes
    winbind refresh tickets = yes
    winbind offline logon = yes


    server string = %h server (Samba, Ubuntu)

    dns proxy = no

    log file = /var/log/samba/log.%m

    max log size = 1000

    syslog = 0

    panic action = /usr/share/samba/panic-action %d

    server role = standalone server

    passdb backend = tdbsam
    obey pam restrictions = yes

    unix password sync = yes

    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

    pam password change = yes
    
    map to guest = bad user
    
    usershare allow guests = yes
    
[Share]
    comment=
    path=/mnt/share
    writable=Yes

ドメインへ参画 †

• sudo net ads join -U Administrator

  dramsuko@client1:$ sudo net ads join -U Administrator
  Enter Administrator's password:
  Using short domain name -- DOMAIN
  Joined 'CLIENT1' to dns domain 'domain.tar3.net'
  DNS Update for client1.tar3.net failed: ERROR_DNS_GSS_ERROR
  DNS update failed: NT_STATUS_UNSUCCESSFUL

Kerberosクライアント設定 †

• sudo vi /etc/krb5.conf

  [libdefaults]
      default_realm = DOMAIN.TAR3.NET
      
      krb4_config = /etc/krb.conf
      krb4_realms = /etc/krb.realms
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true
      
      #dns_lookup_realm = false
      dns_lookup_realm = true
      #dns_lookup_kdc = false
      dns_lookup_kdc = true
      #ticket_lifetime = 24h
      ticket_lifetime = 1h
      renew_lifetime = 7d
      #forwardable = true
      
      v4_instance_resolve = false
      v4_name_convert = {
             host = {
                     rcmd = host
                     ftp = ftp
             }
             plain = {
                     something = something-else
             }
      }
      fcc-mit-ticketflags = true
  
  [realms]
         DOMAIN.TAR3.NET = {
                 kdc = ADDC1.DOMAIN.TAR3.NET
                 admin_server = ADDC1.DOMAIN.TAR3.NET
         }
  
  [domain_realm]
         .domain.tar3.net = DOMAIN.TAR3.NET
         domain.tar3.net = DOMAIN.TAR3.NET
  
  [login]
         krb4_convert = true
         krb4_get_tickets = false

samba と winbind の起動 †

sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart

確認 †

• wbinfo -g
• wbinfo -u

/etc/nsswitch.conf の編集 †

#passwd:         compat
passwd:         compat winbind
#group:          compat
group:          compat winbind
#shadow:         compat
shadow:         compat winbind

#hosts:          files dns
hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

/etc/pam.d/common-session の編集 †

• sudo vi /etc/pam.d/common-session
• 以下の行を挿入

  session required /lib/x86_64-linux-gnu/security/pam_mkhomedir.so skel=/etc/skel umask=0077

自動実行設定 †

• 自動実行ソフトのインストール

  sudo apt-get install sysv-rc-conf

• 以下のサービスを自動実行
  • sudo sysv-rc-conf nmbd on
  • sudo sysv-rc-conf smbd on
  • sudo sysv-rc-conf winbind on

winbindにてSID / UID,GID間の紐付けがおかしい対処 †

• sudo service winbind stop
• rm -fr /var/cache/samba/*
• sudo service winbind start