Active_Directory_参画
[[Linux]]
#ShadowHeader(1,Joining Linux to Active Directory);
#Contents
* Reference sites [#rce625e8]
-[[Logging in to an Ubuntu machine with Active Directory authentication...
-[[Logging in to a Linux server with an AD account (海馬のかわり...
-[[Delegating Linux authentication to ActiveDirectory with winbind (d...
-[[Joining Linux to an ActiveDirectory domain (qiita):http...
-[[【Samba TIPS】Making use of idmap_rid---when integrating with Windows, the server...
* Notes [#ib9b03f6]
- Even for a Linux machine, joining Active Directory requires a Microsoft CAL license.
* Prerequisites (server configuration) [#xdc33776]
|Domain name|domain.tar3.net|
|AD server IP address 1|192.168.7.5|
|AD server IP address 2|192.168.7.5|
|AD server hostname 1|addc1.domain.tar3.net|
|AD server hostname 2|addc2.domain.tar3.net|
|Local path of the shared directory|/mnt/share|
|Share name|share|
|Client hostname|client1.domain.tar3.net|
* DNS resolver settings [#j5279575]
- Point DNS resolution at the AD servers.
192.168.7.5;192.168.7.6
* For Ubuntu [#q72b0f1c]
** Installing samba [#j81f7fac]
sudo apt-get install winbind libpam-winbind samba krb5-u...
When the installer asks for the default Kerberos version 5 realm, enter:
DOMAIN.TAR3.NET
** Configuring samba [#l7c4cea7]
[global]
workgroup = DOMAIN
max protocol = SMB2
realm = DOMAIN.TAR3.NET
security = ads
allow trusted domains = No
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap backend = rid
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = yes
winbind refresh tickets = yes
winbind offline logon = yes
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retyp...
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[Share]
comment=
path=/mnt/share
writable=Yes
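The smb.conf above uses idmap backend = rid with the range 10000-99999, which maps every AD RID to a Unix ID deterministically (ID = RID - base_rid + low). The following added example, not code from the page or from Samba, works through that mapping in both directions and checks a constructed /etc/passwd fragment for local UIDs that fall inside the range; the domain SID is an assumed placeholder.

```python
import re

# Constructed values (not from the page): a hypothetical domain SID for
# DOMAIN.TAR3.NET; the range is the idmap uid/gid range from the smb.conf above.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed
IDMAP_LOW, IDMAP_HIGH = 10000, 99999
BASE_RID = 0  # idmap_rid default for base_rid

_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def sid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=IDMAP_LOW, high=IDMAP_HIGH, base_rid=BASE_RID):
    """idmap_rid mapping: ID = RID - base_rid + low. Returns None for a SID from
    another domain or a RID that lands outside the range (winbind cannot map it)."""
    m = _SID_RE.match(sid)
    if not m or m.group(1) != domain_sid:
        return None
    unix_id = int(m.group(2)) - base_rid + low
    return unix_id if low <= unix_id <= high else None


def unix_id_to_rid(unix_id, low=IDMAP_LOW, high=IDMAP_HIGH, base_rid=BASE_RID):
    """Reverse mapping (RID = ID - low + base_rid), or None outside the range."""
    return unix_id - low + base_rid if low <= unix_id <= high else None


def local_ids_inside_range(passwd_text, low=IDMAP_LOW, high=IDMAP_HIGH):
    """(name, uid) of local /etc/passwd entries inside the idmap range: such an
    account would share its UID with whichever AD object maps onto it."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit() and low <= int(parts[2]) <= high:
            hits.append((parts[0], int(parts[2])))
    return hits


# Constructed sample /etc/passwd fragment (not from a real host)
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
dramsuko:x:1000:1000::/home/dramsuko:/bin/bash
svcbackup:x:10500:10500::/var/backups:/usr/sbin/nologin
"""

if __name__ == "__main__":
    print(sid_to_unix_id(DOMAIN_SID + "-1105"))  # 11105
    print(sid_to_unix_id(DOMAIN_SID + "-500"))   # 10500, same UID as svcbackup
    print(local_ids_inside_range(SAMPLE_PASSWD))  # [('svcbackup', 10500)]
```

Because the mapping is arithmetic, the same range on every member server yields the same UIDs, but any local account created inside the range silently shares a UID with an AD principal (here the domain Administrator, RID 500).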
** Joining the domain [#h2b8f48b]
- sudo net ads join -U Administrator
dramsuko@client1:$ sudo net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMAIN
Joined 'CLIENT1' to dns domain 'domain.tar3.net'
DNS Update for client1.tar3.net failed: ERROR_DNS_GSS_ER...
DNS update failed: NT_STATUS_UNSUCCESSFUL
** Kerberos client configuration [#o8442769]
- sudo vi /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.TAR3.NET
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
#dns_lookup_realm = false
dns_lookup_realm = true
#dns_lookup_kdc = false
dns_lookup_kdc = true
#ticket_lifetime = 24h
ticket_lifetime = 1h
renew_lifetime = 7d
#forwardable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOMAIN.TAR3.NET = {
kdc = ADDC1.DOMAIN.TAR3.NET
admin_server = ADDC1.DOMAIN.TAR3.NET
}
[domain_realm]
.domain.tar3.net = DOMAIN.TAR3.NET
domain.tar3.net = DOMAIN.TAR3.NET
[login]
krb4_convert = true
krb4_get_tickets = false
** Starting samba and winbind [#n9c38ed0]
sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart
** Verification [#r75f8945]
- wbinfo -g
- wbinfo -u
** Editing /etc/nsswitch.conf [#ld5981fc]
#passwd: compat
passwd: compat winbind
#group: compat
group: compat winbind
#shadow: compat
shadow: compat winbind
#hosts: files dns
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
** Editing /etc/pam.d/common-session [#l248470e]
- sudo vi /etc/pam.d/common-session
- Insert the following line
session required /lib/x86_64-linux-gnu/security/pam_mkho...
** Autostart settings [#n35f73ac]
- Install the autostart management tool
sudo apt-get install sysv-rc-conf
- Enable the following services at boot
-- sudo sysv-rc-conf nmbd on
-- sudo sysv-rc-conf smbd on
-- sudo sysv-rc-conf winbind on
** Fix for incorrect SID to UID/GID mapping in winbind [#xde...
- sudo service winbind stop
- rm -fr /var/cache/samba/*
- sudo service winbind start