I believe most companies need unified identity authentication, but few have actually finished the job. In many of the enterprises I have seen, Windows AD manages the office PCs and laptops that run Windows, while the servers in the IDC are mostly Linux and authenticate against LDAP (OpenLDAP, for example), and the Windows AD and the LDAP directory have essentially nothing to do with each other. The one or two sysadmins I asked were clear about why: there are only so many servers, and most users never need to log in to them; only the operations staff manage servers, so authenticating those against LDAP alone is enough (some applications do log in via LDAP, such as an internal OA system, and many application systems can work with either Windows AD or LDAP). The other reason is that Windows AD does not integrate well with a separate LDAP directory; it can be done, through Samba and the like, but the method is fairly involved, so as long as the basic requirements are met, Windows AD and LDAP simply "coexist peacefully".
Because joining a Windows machine to an LDAP directory is relatively complex, the usual way to get unified authentication is the other way round: join Linux to Windows AD. Windows AD is Microsoft's long-established directory service and is quite stable; the surrounding tooling, such as Microsoft's own Active Directory management tools, is easy to use; and I have read that AD's data store is comparatively fast to read, supposedly several times faster than a database like MySQL (I am not certain of this; I only skimmed something along those lines and do not remember it well). So many companies choose Windows AD as their LDAP data source. Below I use CentOS 6.5 as the example and join it to Windows AD.
1. Preparation
/etc/init.d/iptables stop
iptables -L -n
setenforce 0
getenforce
hostname centos6
Stopping iptables and switching SELinux to permissive mode are lab shortcuts that keep the walkthrough easy to debug. On a production server leave both on: the join only needs outbound access from this host to the DC (DNS 53, Kerberos 88, LDAP 389 and SMB 445; plus 135 and the RPC dynamic range if you use net rpc join), and the targeted SELinux policy already allows winbind (sharing home directories through Samba additionally needs the samba_enable_home_dirs boolean). Note also that setenforce and hostname do not survive a reboot; set SELINUX= in /etc/selinux/config and HOSTNAME= in /etc/sysconfig/network as well. The hostname becomes the computer account name in AD (CENTOS6$).
You also need a Windows Server with AD installed. I used Windows Server 2008 R2 with a single AD domain, contoso.com, at the Windows Server 2003 domain functional level; the details are shown in the screenshots below:
[Screenshot: the domain's details.]
[Screenshot: the domain's users and groups; sadmin is a user I created.]
[Screenshot: the domain controller's network settings.]
2. Install the required packages
yum -y install krb5-libs krb5-devel pam_krb5 krb5-workstation krb5-auth-dialog
yum -y install samba-winbind samba samba-common samba-client samba-winbind-clients samba-swat
Only krb5-workstation, pam_krb5, samba-common, samba-winbind and samba-winbind-clients are actually needed for the join. samba (smbd) is only needed if this host will serve shares, and samba-swat (the SWAT web UI on port 901, which takes the root password over plain HTTP) should be left out on anything but a throwaway lab box.
[root@localhost ~]# rpm -qa|grep krb5
krb5-libs-1.10.3-57.el6.x86_64
krb5-devel-1.10.3-57.el6.x86_64
krb5-workstation-1.10.3-57.el6.x86_64
krb5-auth-dialog-0.13-5.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
[root@localhost ~]# rpm -qa|grep samba
samba-client-3.6.23-36.el6_8.x86_64
samba-swat-3.6.23-36.el6_8.x86_64
samba-common-3.6.23-36.el6_8.x86_64
samba-winbind-3.6.23-36.el6_8.x86_64
samba-3.6.23-36.el6_8.x86_64
samba-winbind-clients-3.6.23-36.el6_8.x86_64
Start the services
/etc/init.d/smb start
chkconfig smb on
service winbind start
chkconfig winbind on
3. Configure Kerberos and Samba with the setup (authconfig-tui) menus
I chose the menu-driven tool because editing the configuration files by hand is laborious and error-prone. The resulting configuration files are pasted at the end of this post, so anyone who prefers to edit the files directly has a working reference.
Before starting setup, run these two commands so the menus do not render as garbage and the Python code behind them does not crash (en is not a valid locale; C is):
export LANG=C
export LC_ALL=C
Type setup at the command line, choose Authentication configuration (these are the same screens that authconfig-tui shows) and enter the settings below.
Besides Use MD5 Passwords and Use Shadow Passwords, which are ticked by default, tick Use Winbind, Use Kerberos and Use Winbind Authentication.
On the Kerberos screen, clear the Admin Server field (AD has no kadmind) and fill in the rest with your real values. Realm is your AD domain name in upper case, CONTOSO.COM here; Kerberos realm names are case-sensitive, and the lower-case form fails with "Cannot find KDC for requested realm". KDC is the domain controller's address, 192.168.49.201 here. Leave both DNS options unticked (if the host already uses the DC as its DNS server, as set up in step 2 of the troubleshooting section, you can tick them instead and drop the hard-coded KDC address).
On the Winbind screen, Domain is the NetBIOS domain name, i.e. the part of the domain name left of the first ".", CONTOSO here; everything derived from the domain name goes in upper case. Domain Controllers is again the DC's address, ADS Realm is the realm (CONTOSO.COM), and Template Shell is the login shell AD users get on this host. Be aware that with /bin/bash here every account in the domain, Guest included, becomes a valid interactive login on this server; restrict that afterwards with require_membership_of in /etc/security/pam_winbind.conf or AllowGroups in /etc/ssh/sshd_config.
Save the configuration and answer Yes; as soon as it is saved the changes have been written to the configuration files.
You are then asked for the Windows AD administrator's password, much as when joining a Windows machine to AD; if everything is correct the tool reports Joined CONTOSO. (The join only needs an account allowed to create computer objects in the target OU; delegating that right to a dedicated join account, rather than typing the Domain Administrator's password on every server, is the usual least-privilege arrangement.)
4. Troubleshooting
The above is the problem I ran into when joining Windows AD through the setup menus. I tried many approaches, but the error messages were not informative enough, so for many of them I could not find the corresponding cause. Fortunately I found a post on Sina Blog with many tests and fixes; following it, the configuration finally succeeded. The post is at: http://blog.sina.com.cn/s/blog_596dc5a30100bzwy.html
1) Test the connection to the AD server
kinit [email protected]
Kerberos's kinit command tests communication with the KDC. The part after the @ is your Active Directory realm (TT.COM in the referenced post, CONTOSO.COM in this setup) and must be upper case, otherwise you get:
kinit(v5): Cannot find KDC for requested realm while getting initial credentials.
If communication works you are prompted for the password; if it is correct you simply get the bash prompt back (klist then shows the ticket), and if it is wrong you get:
kinit(v5): Preauthentication failed while getting initial credentials.
Success here means the host can talk to the AD server (and that its clock is within Kerberos's five-minute tolerance of the DC; otherwise kinit fails with "Clock skew too great", so keep the host synced to the DC with ntpdate or ntpd), but it does not mean the Samba server has joined the domain yet.
2) Point the CentOS DNS at the Windows AD server
[root@centos6 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
Set DNS1=192.168.49.201 (and DOMAIN=contoso.com, so that short names such as dc resolve) in this file; dhclient regenerates /etc/resolv.conf from it on every restart, so editing resolv.conf directly does not stick.
[root@centos6 ~]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: Determining if ip address 192.168.49.134 is already in use for device eth0...
[ OK ]
[root@centos6 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search localdomain
nameserver 192.168.49.201
nameserver 192.168.49.2
[root@centos6 ~]# nslookup contoso.com
Server:		192.168.49.201
Address:	192.168.49.201#53

Name:	contoso.com
Address: 192.168.49.201
An A record for contoso.com only proves that the DC's DNS answers. The records Kerberos and Samba actually use to locate a DC are the SRV records, so also check that _kerberos._tcp.contoso.com and _ldap._tcp.dc._msdcs.contoso.com (host -t SRV, or dig SRV) both return the domain controller.
3) Check /etc/nsswitch.conf
Make sure it contains the following:
passwd: files winbind
shadow: files
group: files winbind
4) Restart the samba and winbind services
service smb reload    # added because smb sometimes fails to start otherwise
service smb restart
service winbind restart
5) Temporarily turn off the Windows firewall on the AD server
(This is a diagnostic step only. The AD DS role installs inbound firewall rules for DNS, Kerberos, LDAP and SMB, so a correctly configured DC does not need its firewall off for a join; turn it back on once the join works.)
6) Join the AD domain
net rpc join -S dc.contoso.com -U administrator
net rpc join is the NT4-style RPC join. It works against AD, but with security = ads the documented path is the Kerberos join, net ads join -U administrator, with net ads testjoin as the matching check.
[root@centos6 ~]# net rpc join -S dc.contoso.com -U administrator
Enter administrator's password:
Joined domain CONTOSO.
7) Verify that the join succeeded
[root@centos6 ~]# net rpc testjoin
Join to 'CONTOSO' is OK
[root@centos6 ~]# wbinfo -t
checking the trust secret for domain CONTOSO via RPC calls succeeded
[root@centos6 ~]# wbinfo -u
administrator
guest
krbtgt
sadmin
[root@centos6 ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
[root@centos6 ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:system message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
administrator:*:16777216:16777219:Administrator:/home/administrator:/bin/bash
guest:*:16777217:16777220:Guest:/home/guest:/bin/bash
krbtgt:*:16777218:16777219:krbtgt:/home/krbtgt:/bin/bash
sadmin:*:16777219:16777219:sadmin:/home/sadmin:/bin/bash
[root@centos6 ~]# getent group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
tty:x:5:
disk:x:6:
lp:x:7:daemon
mem:x:8:
kmem:x:9:
wheel:x:10:
mail:x:12:mail,postfix
uucp:x:14:
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
dbus:x:81:
utmp:x:22:
utempter:x:35:
floppy:x:19:
vcsa:x:69:
abrt:x:173:
cdrom:x:11:
tape:x:33:
dialout:x:18:
haldaemon:x:68:haldaemon
ntp:x:38:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:
sshd:x:74:
tcpdump:x:72:
slocate:x:21:
wbpriv:x:88:
domain computers:*:16777226:
domain controllers:*:16777227:
schema admins:*:16777224:sadmin,administrator
enterprise admins:*:16777223:sadmin,administrator
cert publishers:*:16777228:
domain admins:*:16777225:sadmin,administrator
domain users:*:16777219:
domain guests:*:16777220:
group policy creator owners:*:16777229:administrator
ras and ias servers:*:16777230:
allowed rodc password replication group:*:16777231:
denied rodc password replication group:*:16777221:krbtgt
read-only domain controllers:*:16777232:
enterprise read-only domain controllers:*:16777233:
dnsadmins:*:16777222:sadmin
dnsupdateproxy:*:16777234:
[root@centos6 ~]# id sadmin
uid=16777219(sadmin) gid=16777219(domain users) groups=16777219(domain users),16777221(denied rodc password replication group),16777222(dnsadmins),16777223(enterprise admins),16777224(schema admins),16777225(domain admins),16777217(BUILTIN/users),16777216(BUILTIN/administrators)
[root@centos6 ~]# id administrator
uid=16777216(administrator) gid=16777219(domain users) groups=16777219(domain users),16777221(denied rodc password replication group),16777223(enterprise admins),16777224(schema admins),16777229(group policy creator owners),16777225(domain admins),16777217(BUILTIN/users),16777216(BUILTIN/administrators)
The UIDs and GIDs starting at 16777216 are handed out by the default tdb idmap allocator in the order names are first seen, so a second host joined the same way can give sadmin a different UID. If files are shared between hosts (NFS, backups), use the rid backend (idmap config CONTOSO : backend = rid) so that every host maps the same account to the same ID.
8) Check in Windows AD
The newly added centos6 computer now shows up in the Active Directory Users and Computers tool on the DC.
9) Test a Windows user login on centos6
[root@centos6 ~]# su - administrator
su: warning: cannot change directory to /home/administrator: No such file or directory
-bash-4.1$ pwd
/root
-bash-4.1$ ll
ls: cannot open directory .: Permission denied
-bash-4.1$
Good, the Windows user can log in, and joining CentOS 6.5 to Windows AD is complete. Two caveats on this test: su run as root never asks for a password, so it proves only that NSS (winbind) resolves the account; the password path is exercised by wbinfo -a administrator (or by an ssh login as that user). And the "cannot change directory" warning means no home directory was created at login; enabling pam_mkhomedir or oddjob-mkhomedir (authconfig --enablemkhomedir) fixes that.
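The whole of sections 3 and 4 as one non-interactive script, added here as an example; it is not the blog's own code. It assumes the lab values from the walkthrough (realm CONTOSO.COM, DC 192.168.49.201, join account administrator) and a hypothetical AD group named linux-admins that is the only group allowed to log in. It adds the checks the walkthrough lacks (SRV records, reachable ports, clock skew), uses the Kerberos join that matches security = ads, creates home directories at first login, and restricts logins to one group instead of leaving every domain account with a bash shell. Run it as root on the CentOS 6 host with --run; the authconfig, net, wbinfo, dig (bind-utils) and nc commands must be installed.

```shell
#!/bin/bash
# Added example, not part of the original post. Assumed values: realm
# CONTOSO.COM and DC 192.168.49.201 from the walkthrough, and a hypothetical
# AD group "linux-admins" (no spaces in the name) that may log in.
set -u

REALM="${REALM:-CONTOSO.COM}"                  # Kerberos realm, upper case
DC="${DC:-192.168.49.201}"                     # domain controller
JOIN_USER="${JOIN_USER:-administrator}"        # better: a delegated join account
ALLOWED_GROUP="${ALLOWED_GROUP:-linux-admins}" # hypothetical AD group

# Kerberos realm names are case-sensitive and AD realms are upper case; a
# lower-case realm is the "Cannot find KDC for requested realm" error above.
realm_is_upper() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# NetBIOS workgroup from the realm: CONTOSO.COM -> CONTOSO
workgroup_from_realm() {
    printf '%s' "${1%%.*}"
}

# Target hosts from 'dig +short SRV' output ("prio weight port target.").
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Kerberos rejects clients more than 300 s off the KDC ("Clock skew too great").
# $1 = local epoch seconds, $2 = DC epoch seconds.
clock_skew_ok() {
    local d=$(( $1 - $2 ))
    [ "${d#-}" -le 300 ]
}

preflight() {
    realm_is_upper "$REALM" || { echo "realm must be upper case: $REALM"; return 1; }
    local lc dcs p dc_now
    lc=$(printf '%s' "$REALM" | tr '[:upper:]' '[:lower:]')
    # Every DC publishes this SRV record; no answer means DNS is not the DC's.
    dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$lc" | srv_targets)
    [ -n "$dcs" ] || { echo "no _ldap._tcp.dc._msdcs.$lc SRV record"; return 1; }
    # Only these ports on the DC are needed for a Kerberos join.
    for p in 53 88 389 445; do
        nc -z -w 3 "$DC" "$p" || { echo "port $p on $DC unreachable"; return 1; }
    done
    # 'net time -S' prints the DC clock in ctime form, which GNU date parses
    # (assumption about the Samba 3.6 output format).
    dc_now=$(date -d "$(net time -S "$DC")" +%s)
    clock_skew_ok "$(date +%s)" "$dc_now" || { echo "clock skew > 300 s, run: ntpdate -u $DC"; return 1; }
}

configure_auth() {
    # Same settings as the setup/authconfig-tui screens above, plus home
    # directory creation at first login (the 'cannot change directory' warning).
    authconfig \
        --enablekrb5 --krb5realm="$REALM" --krb5kdc="$DC" \
        --enablewinbind --enablewinbindauth \
        --smbsecurity=ads --smbrealm="$REALM" \
        --smbworkgroup="$(workgroup_from_realm "$REALM")" --smbservers="$DC" \
        --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain \
        --enablemkhomedir --update
}

join_domain() {
    # security = ads: use the Kerberos join rather than 'net rpc join'.
    net ads join -U "$JOIN_USER" || return 1
    service winbind restart
    net ads testjoin && wbinfo -t
}

restrict_logins() {
    # Without this every domain account, Guest included, gets a bash login.
    # pam_winbind honours require_membership_of (a DOMAIN\group name or a SID
    # from 'wbinfo -n'); RHEL 6's pam_winbind.conf has only a [global] section,
    # so appending lands in it (assumption).
    local grp="$(workgroup_from_realm "$REALM")\\$ALLOWED_GROUP"
    grep -q '^require_membership_of' /etc/security/pam_winbind.conf ||
        printf 'require_membership_of = %s\n' "$grp" >> /etc/security/pam_winbind.conf
    # Second gate for ssh: local wheel plus the same AD group.
    grep -q '^AllowGroups' /etc/ssh/sshd_config ||
        printf 'AllowGroups wheel %s\n' "$ALLOWED_GROUP" >> /etc/ssh/sshd_config
    service sshd reload
}

# 'su' from root never asks for a password, so it only proves name lookup;
# 'wbinfo -a user' prompts for the password and sends it to the DC as PAM would.
verify_auth() {
    wbinfo -a "$1" && id "$1"
}

main() {
    preflight && configure_auth && join_domain && restrict_logins && verify_auth "$JOIN_USER"
}

# Only act when invoked with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

The preflight runs before anything is changed so that the three silent killers of a join (a lower-case realm, DNS that is not the DC's, and a clock more than five minutes off) are reported by name instead of as the vague errors mentioned above.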
10) The relevant configuration files
/etc/nsswitch.conf:
[root@centos6 ~]# egrep -v "#|^$" /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
/etc/samba/smb.conf (note that [global] sets security and password server twice; Samba uses the last value it reads, so the effective setting is security = domain, which is why the RPC join above works; the 0777 modes on [homes] also make every user's files writable by every other domain user through Samba):
[root@centos6 ~]# egrep -v ";|^$|#" /etc/samba/smb.conf
[global]
workgroup = CONTOSO
password server = 192.168.49.201
realm = CONTOSO.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
template homedir = /home/%U
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
server string = Samba Server version %v
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
security = domain
encrypt passwords = yes
password server = 192.168.49.201
load printers = yes
cups options = raw
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
valid users = CONTOSO.COM/%U
create mode = 0777
directory mode = 0777
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
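Three checks for the smb.conf pasted above, added here as an example and not part of the original post: duplicated keys in [global] (Samba keeps the last value, which is how security = ads silently became security = domain), world-writable create/directory masks on the home share, and the missing per-domain idmap backend behind the first-seen UID allocation noted in step 7. The script runs them against a copy of the pasted [global] and [homes] sections (logging and printer lines left out) and against a corrected version. The corrected [global] assumes Samba 3.6 as shipped with CentOS 6, where the idmap config DOMAIN : backend = rid syntax and the kerberos method option exist.

```shell
#!/bin/bash
# Added example, not the blog's code. Checks a smb.conf for the three
# problems visible in the one pasted above, then shows a corrected version.
# Assumes Samba 3.6 (CentOS 6) for the idmap and kerberos method syntax.

# Keys set more than once in [global]. Samba keeps the last value, so the
# pasted file's later 'security = domain' overrides 'security = ads'.
global_duplicate_keys() {
    awk -F= '
        /^[ \t]*\[/ { ing = ($0 ~ /\[global\]/); next }
        ing && NF >= 2 && $0 !~ /^[ \t]*[#;]/ {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k); n[k]++
        }
        END { for (k in n) if (n[k] > 1) print k }
    ' "$1" | sort
}

# create/directory mode or mask with the "other" write bit set: every domain
# user can then write into every other user's home share.
world_writable_masks() {
    awk -F= '
        /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec) }
        $1 ~ /(create|directory) *(mode|mask)/ {
            k = $1; v = $2; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            gsub(/[ \t]/, "", v)
            if (substr(v, length(v), 1) ~ /[2367]/) print sec, k, v
        }
    ' "$1"
}

# With only 'idmap config * : range' the default tdb allocator numbers users in
# first-seen order; a per-domain rid (or ad) backend gives UID = base + RID on
# every host that is joined the same way.
has_deterministic_idmap() {
    grep -Eq '^[ \t]*idmap config [^*:]+: *backend *= *(rid|ad)' "$1"
}

# [global] and [homes] as pasted above, minus logging and printer lines.
page_smb_conf() {
cat <<'EOF'
[global]
workgroup = CONTOSO
password server = 192.168.49.201
realm = CONTOSO.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
template homedir = /home/%U
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
passdb backend = tdbsam
security = domain
encrypt passwords = yes
password server = 192.168.49.201
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
valid users = CONTOSO.COM/%U
create mode = 0777
directory mode = 0777
EOF
}

# Corrected: one security setting, deterministic idmap, private home shares,
# no credential cache on disk, machine keytab kept for sshd GSSAPI.
fixed_smb_conf() {
cat <<'EOF'
[global]
workgroup = CONTOSO
realm = CONTOSO.COM
security = ads
password server = 192.168.49.201
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config CONTOSO : backend = rid
idmap config CONTOSO : range = 16777216-33554431
winbind use default domain = true
winbind offline logon = false
template shell = /bin/bash
template homedir = /home/%U
kerberos method = secrets and keytab
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
valid users = %S
create mask = 0600
directory mask = 0700
EOF
}
```

Usage: page_smb_conf > /tmp/old.conf; global_duplicate_keys /tmp/old.conf prints password server and security, world_writable_masks prints the two [homes] lines, and has_deterministic_idmap returns false; the same three checks on the output of fixed_smb_conf are all clean. Run testparm on the corrected file before installing it, and re-join (net ads join) after changing the idmap backend, since existing tdb mappings are not converted.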
/etc/krb5.conf (the duplicated kdc line is harmless; with dns_lookup_kdc = true and the host's DNS pointed at AD, the hard-coded kdc entries can be dropped and the DC is found through its SRV records):
[root@centos6 ~]# egrep -v "#|^$" /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
CONTOSO.COM = {
kdc = 192.168.49.201
kdc = 192.168.49.201
}
[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
This article is from the "IT小二郎" blog; please keep this attribution: http://jerry12356.blog.51cto.com/4308715/1852826