模板
教程
环境
性能
功能
管理
SUSE FAQ 系列 -- 用 Windows Active Directory 认证
原文以 Redhat 为例,其实对于 SuSE 来说,同样的方法也可以应用。
用 Windows Active Directory 作 SUSE Linux Enterprise Server 9 认证
一篇好文章,转自 http://www.timkennedy.net/docs/Linux+Active_Directory.html
原文以 Redhat 为例,其实对于 SuSE 来说,同样的方法也可以应用。
用 Windows Active Directory 作 SUSE Linux Enterprise Server 9 认证
Linux integration with Active Directory Authentication
with Winbind and PAM (Pluggable Authentication Modules)
Q. What separates this effort from the all the other Samba + Active Directory
+ User Authentication documents that are already available?
A. We don't use shares, we use ADS only as the authoritative repository
for authentication data, and we needed a way to restrict to specific
users or groups, or combinations thereof, the ability to login to hosts.
This document assumes you have a basic familiarity with PAM and Fedora Core
Linux, and the ability to install RPM based packages using YUM. Other than
the installation of the packages, and possibly the location of some files, most
of the information contained herein should be portable to other flavors of
Linux.
The large portion of the data presented here is taken directly from Chapter
21 of the Samba Documentation "Winbind: Use of Domain Aclearcase/" target="_blank" >ccounts", under Part 3
Advanced Configuration.
The Winbindd Daemon is a part of the Samba Installation. The winbindd daemon
listens on a UNIX domain socket for AAA requests generated by NSS or PAM.
Winbindd allows a *nix system to use PAM requests, translated into MSRPC calls,
to directly query a Windows PDC for user and group information. Winbind then
maps the NT accounts and groups onto UNIX uids/gids.
INSTALLATION
To install Winbind on SLES9, if you have YaST working:
as root: 'yast -i samba-winbind'
CONFIGURATION
change in /etc/nsswitch.conf:
-------------------------------------------------------------
passwd: files
shadow: files
group: files
-------------------------------------------------------------
to:
-------------------------------------------------------------
passwd: files winbind
shadow: files winbind
group: files winbind
-------------------------------------------------------------
create the file /etc/samba/smb.conf:
replace: DOMAIN with your domain
CONTROLLER1 with the ip address of your 1st DC
CONTROLLER2 with the ip address of your 2nd DC
DOMAIN.TLD with your realm DOMAIN and TLD
-------------------------------------------------------------
[global]
winbind separator = +
winbind cache time = 10
workgroup = DOMAIN
password server = CONTROLLER1 CONTROLLER1
winbind use default domain = yes
realm = DOMAIN.COM
security = ads
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U
-------------------------------------------------------------
join the linux server to the domain:
-------------------------------------------------------------
root# net ads join -U
the username you use must have administrative privileges on
the domain. if successful you will see a message like:
Joined 'LINUXSERVER1' to realm 'DOMAIN.TLD'
-------------------------------------------------------------
start winbindd:
-------------------------------------------------------------
root# /etc/init.d/winbind start
winbind by default runs as two processes. One answers client
queries, and the other updates the winbind cache with the
most current answer for the query the first process just
answered for.
-------------------------------------------------------------
make sure you have a backup of /etc/pam.d directory:
-------------------------------------------------------------
root# cp -a /etc/pam.d /etc/pam.d.bak
-------------------------------------------------------------
These are the relevant lines for the various pam controlled
methods: account, auth, password, and session.
Just place these lines into the pam.d file of any service
for which you'd like to control authorization by ADS.
-------------------------------------------------------------
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok
-------------------------------------------------------------
And this goes into /etc/pam.d/system-auth:
-------------------------------------------------------------
session required pam_mkhomedir.so skel=/etc/skel umask=0022
-------------------------------------------------------------
Now. All of that sets up your linux box to allow Active Directory
Domain users to log in, with a bash shell, into a homedir in
/home/DOMAIN/user. It will even create the home directories for
any user that doesn't already have one, provided the session
portion of the file contains the call to system-auth.
Now. let's say you want to be able to limit access to the
server to only users from certain groups. well, it actually
turned out to be kind of simple to do.
Well, it's actually quite simple. As we know, all users and
groups from active directory are mapped to unix uids and gids.
Well, we can make that work for us.
first, let's see what groups I'm in (tkennedy):
-------------------------------------------------------------
root# getent group | grep tkennedy
Domain Users:x:10000:tkennedy,mmouse,ckent,gbush,bclinton,cpowell
Domain Admins:x:10001:tkennedy,cpowell,ckent
Enterprise Admins:x:10002:tkennedy,ckent
Unix Admins:x:10003:tknenedy,bschmidt,eroberts
-------------------------------------------------------------
by replacing the account entries in /etc/pam.d/sshd with:
account sufficient pam_succeed_if.so gid = 10003
you can limit ssh access to the server to only members of the
Unix Admins group.
-------------------------------------------------------------
By using lines like that in other per-service pam.d files, you
set up quite complex authentication rules to control logins on
a per service/per group basis.
Any questions? You can reach me at tim@timkennedy.net
