#author("2018-04-06T20:54:34+09:00","default:dramsukohome","dramsukohome")
[[Linux]]
#ShadowHeader(1,LinuxのActive Directory 参画);
#Contents
* 参考サイト [#rce625e8]
-[[Ubuntu マシンに Active Directory 認証でログイン出来るようにする(シナジーマーケティング株式会社 R&D):http://lab.synergy-marketing.co.jp/blog/tech/active-directory-auth-on-ubuntu]]
-[[ADのアカウントでLinuxサーバにログインする(海馬のかわり):http://extrea.hatenablog.com/entry/2012/01/13/234810]]
-[[winbind で Linux の認証を ActiveDirectory にまかせる(daily dayflower):http://d.hatena.ne.jp/dayflower/20070705/1183620884]]
-[[LinuxをActiveDirectoryドメインに参加させる(qiita):http://qiita.com/gitya107/items/fcf32350ac9e25ab65d1]]
-[[【Samba TIPS】idmap_ridの活用---Windows連携時にサーバー間のユーザーID不一致を防ぐ(ITPro):http://itpro.nikkeibp.co.jp/article/COLUMN/20070125/259692/]]
* 注意点 [#ib9b03f6]
- Linux であっても Active Directory に参画するには
Microsoft の CAL (クライアント アクセス ライセンス) が必要です。
* 前提条件(サーバの構成情報) [#xdc33776]
|ドメイン名|domain.tar3.net|
|ADサーバのIPアドレス1|192.168.7.5|
|ADサーバのIPアドレス2|192.168.7.5|
|ADサーバのホスト名1|addc1.domain.tar3.net|
|ADサーバのホスト名2|addc2.domain.tar3.net|
|共有ディレクトリローカルPATH|/mnt/share|
|共有フォルダ名|share|
|Client Host名|client1.domain.tar3.net|
* DNS レゾルバの設定 [#j5279575]
- DNS の参照先をADに設定します。
192.168.7.5;192.168.7.6
* ubuntu の場合 [#q72b0f1c]
** samba のインストール [#j81f7fac]
# Samba itself, winbind (AD membership / identity mapping), the PAM module for
# winbind logins, and the MIT Kerberos client tools (kinit, klist, krb5-config).
# The NSS module used by nsswitch.conf (libnss-winbind) is a separate package on
# Ubuntu; it is normally pulled in as a Recommends of winbind — verify it is
# installed if `getent passwd` does not list domain users later.
sudo apt-get install \
    winbind libpam-winbind samba krb5-user
インストール中に「デフォルトのケルベロスバージョン 5 レルム」を尋ねられたら、次の値を入力します。
DOMAIN.TAR3.NET
** samba の設定 [#l7c4cea7]
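# /etc/samba/smb.conf for an Ubuntu host that is a member of the DOMAIN.TAR3.NET
# AD domain. Read by smbd, nmbd and winbindd; run `testparm` after editing.
[global]
workgroup = DOMAIN
realm = DOMAIN.TAR3.NET
# Authenticate against AD with Kerberos; needs the realm above and the machine
# account that `net ads join` creates.
security = ads
# `security = ads` corresponds to `server role = member server`. The previous
# value "standalone server" contradicted it, and an explicit server role appears
# to take precedence over `security`, so the two are kept consistent here.
server role = member server
# Highest dialect offered. This does not refuse SMB1 from old clients; set
# `min protocol` as well if SMB1 (no signing/encryption) must be rejected.
max protocol = SMB2
# Only authenticate accounts of the joined domain, not of trusted domains.
allow trusted domains = No

# ID mapping: algorithmic RID -> uid/gid (idmap_rid), so the same domain user
# gets the same uid on every host using this range. These three keys are the
# legacy spelling; on current Samba releases the equivalent is
#   idmap config * : backend = tdb
#   idmap config * : range = <separate-range-for-builtin-sids>
#   idmap config DOMAIN : backend = rid
#   idmap config DOMAIN : range = 10000-99999
# Ranges of different idmap domains must not overlap.
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap backend = rid

# Accept "user" instead of "DOMAIN\user". A domain account whose name equals a
# local account in /etc/passwd becomes ambiguous; the nsswitch order (files
# before winbind) then decides which one is used.
winbind use default domain = yes
# Enumeration makes `getent passwd/group` and `wbinfo -u/-g` list the whole
# domain; costly on large domains and not required for logins.
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = yes
# Keep the user's Kerberos ticket renewed while logged in, and allow logins with
# cached credentials when no DC is reachable.
winbind refresh tickets = yes
winbind offline logon = yes

server string = %h server (Samba, Ubuntu)
dns proxy = no
# One log file per connecting machine (%m). `syslog = 0` is the older spelling;
# newer releases replace it with `logging = ...`.
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

# Local account database and Unix password sync. These apply to accounts in the
# local passdb; they are not what changes an AD user's domain password.
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

# Unknown user names are mapped to the guest account instead of being rejected,
# and users may publish their own guest-accessible shares. Both widen exposure
# and guest sessions leave no per-user audit trail; keep them only if guest
# access is actually wanted.
map to guest = bad user
usershare allow guests = yes

# Share exported from /mnt/share, writable by every authenticated domain user.
# Guest access is off (the default, made explicit). Add `valid users` if only
# certain domain groups should reach it.
[Share]
comment =
path = /mnt/share
writable = Yes
guest ok = no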
** ドメインへ参画 [#h2b8f48b]
-sudo net ads join -U Administrator
dramsuko@client1:$ sudo net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMAIN
Joined 'CLIENT1' to dns domain 'domain.tar3.net'
DNS Update for client1.tar3.net failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL
** Kerberosクライアント設定 [#o8442769]
-sudo vi /etc/krb5.conf
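# /etc/krb5.conf — MIT Kerberos client settings for the DOMAIN.TAR3.NET realm.
# Full-line comments start with '#'; keys inside { } belong to the enclosing key.
[libdefaults]
default_realm = DOMAIN.TAR3.NET
# krb4_* / v4_* keys are Kerberos 4 leftovers from an old Debian template;
# current MIT krb5 has no Kerberos 4 support and ignores them. Kept as found.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
# Compensate for clock skew against the KDC; AD rejects requests whose
# timestamp is more than a few minutes off, so keep NTP working anyway.
kdc_timesync = 1
ccache_type = 4
# Tickets are requested forwardable/proxiable (credential delegation). Both
# also widen what a stolen ticket can be used for.
forwardable = true
proxiable = true
#dns_lookup_realm = false
dns_lookup_realm = true
#dns_lookup_kdc = false
# DNS SRV lookup of KDCs only applies to realms that list no `kdc =` entries;
# the [realms] block below lists KDCs explicitly, so those are used instead.
dns_lookup_kdc = true
#ticket_lifetime = 24h
# Upper bound requested by the client; the domain's Kerberos policy may cap it
# lower. `winbind refresh tickets` in smb.conf renews tickets of logged-in
# sessions up to renew_lifetime.
ticket_lifetime = 1h
renew_lifetime = 7d
#forwardable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
# Both domain controllers from the server table on this page. With only one
# kdc line, logins fail whenever that single DC is unreachable.
DOMAIN.TAR3.NET = {
kdc = ADDC1.DOMAIN.TAR3.NET
kdc = ADDC2.DOMAIN.TAR3.NET
admin_server = ADDC1.DOMAIN.TAR3.NET
}
[domain_realm]
# Map the DNS domain and every host beneath it onto the Kerberos realm.
.domain.tar3.net = DOMAIN.TAR3.NET
domain.tar3.net = DOMAIN.TAR3.NET
[login]
# Kerberos 4 compatibility switches; obsolete, kept as found.
krb4_convert = true
krb4_get_tickets = false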
** samba と winbind の起動 [#n9c38ed0]
# Restart the Samba daemons so the edited smb.conf is picked up; winbind last,
# since it is the one that performs the domain lookups.
for svc in smbd nmbd winbind; do
    sudo service "$svc" restart
done
** 確認 [#r75f8945]
- wbinfo -g
- wbinfo -u
** /etc/nsswitch.conf の編集 [#ld5981fc]
# /etc/nsswitch.conf — lookup order per database. 'compat' (local files) comes
# first, so a local account with the same name as a domain account shadows it.
#passwd: compat
passwd: compat winbind
#group: compat
group: compat winbind
#shadow: compat
# AD passwords are verified by pam_winbind, not via the shadow map; 'winbind'
# on this line is not what performs authentication (harmless, but not needed
# for that).
shadow: compat winbind
#hosts: files dns
# 'wins' resolves unqualified host names over NetBIOS (libnss_wins). NetBIOS
# name queries are unauthenticated and any host on the LAN can answer them;
# prefer files+dns only unless NetBIOS resolution is really required.
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
** /etc/pam.d/common-session の編集 [#l248470e]
- sudo vi /etc/pam.d/common-session
- 以下の行を挿入
# Create the home directory on a domain user's first login, populated from
# /etc/skel; umask=0077 makes it accessible to the owner only. The absolute
# module path is architecture-specific (x86_64); the bare name pam_mkhomedir.so
# is looked up in PAM's default module directory and is portable.
session required /lib/x86_64-linux-gnu/security/pam_mkhomedir.so skel=/etc/skel umask=0077
** 自動実行設定 [#n35f73ac]
- 自動実行ソフトのインストール
sudo apt-get install sysv-rc-conf
- 以下のサービスを自動実行
-- sudo sysv-rc-conf nmbd on
-- sudo sysv-rc-conf smbd on
-- sudo sysv-rc-conf winbind on
** winbindにてSID / UID,GID間の紐付けがおかしい対処 [#xde67347]
-sudo service winbind stop
-sudo rm -fr /var/cache/samba/*
-sudo service winbind start