
Joining Linux to a Windows Domain

Test environment:

DC: Server 2003 R2, IP: 192.168.1.236, Name: wfserver01, Domain: wf01

Linux: CentOS 5.5

I. Edit the configuration file

Configure Kerberos, the network authentication protocol, so that Linux can authenticate against the Windows domain:

# vi /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

# The realm is the domain name in upper case
default_realm = WF01

dns_lookup_realm = false

dns_lookup_kdc = false

ticket_lifetime = 24h

forwardable = yes

[realms]

WF01= {

# kdc and admin_server: IP address of the domain controller
kdc = 192.168.1.236:88

admin_server = 192.168.1.236:749

default_domain = WF01

}

[domain_realm]

# Scope of domain authentication
.wf01=WF01

wf01=WF01

[kdc]

profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]

pam = {

debug = false

ticket_lifetime = 36000

renew_lifetime = 36000

forwardable = true

krb4_convert = false

}

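II. Connect to the AD server

1. kinit administrator@WF01

The Kerberos kinit command tests communication with the server. The trailing WF01 is the name of your Active Directory domain and must be in upper case; otherwise you get the error:

kinit(v5): Cannot find KDC for requested realm while getting initial credentials.

If communication works, you are prompted for a password. With the correct password you are returned to the bash prompt; with a wrong one kinit reports:

kinit(v5): Preauthentication failed while getting initial credentials.

Passing this step means the host can talk to the AD server; it does not mean the Samba server has joined the domain.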

2. Configure smb.conf

# vi /etc/samba/smb.conf

[global]

# Must be your own domain name
workgroup = WF01

realm = WF01

# Your Linux host name
netbios name = VBIRDSERVER

# UID range on Linux for Windows users
idmap uid = 10000-20000

# GID range on Linux for Windows groups
idmap gid = 10000-20000

winbind enum groups = yes

winbind enum users = yes

# Domain separator
winbind separator = /

; winbind use default domain = yes

template homedir = /home/%U

template shell = /bin/bash

security = ads

encrypt passwords = yes

password server = 192.168.1.236

[homes]

path = /home/%U

browseable = no

writable = yes

valid users = wf01/%U

create mode = 0777

directory mode = 0777

3. Configure nsswitch.conf

# vi /etc/nsswitch.conf

Change the following entries:

passwd: files winbind # look up local Linux users first, then Windows users

shadow: files winbind

group: files winbind

4. Start the samba and winbind services

service smb start

service winbind start

5. Join the AD domain

Run: net ads join -S 192.168.1.236 -U administrator, then enter the password when prompted.

On success the output is:

Using short domain name -- WF01

Joined 'VBIRDSERVER' to realm 'WF01'

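Creating home directories for users automatically:

vi /etc/pam.d/system-auth and add the following line:

session required /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel

Other commands:

Command for removing the Linux host from the Windows domain:

net ads leave -S <AD server IP> -U administrator

Some test commands:

wbinfo -t   test the connection to the AD server

wbinfo -u   list the users in AD

wbinfo -g   list the groups in AD

getent passwd   query the passwd (account) database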
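A pre-join consistency check for the two files edited above, as an added example that is not part of the original page. The function names parse_conf and audit are hypothetical and the sample text is constructed; it flags a missing or mismatched realm, trailing comments that both file formats read as part of the value, and world-writable create/directory modes.

```python
import re

MODE_KEYS = {"create mode", "create mask", "directory mode", "directory mask"}

def parse_conf(text):
    """Parse smb.conf / krb5.conf text into {section: {key: value}}.
    As in both formats, only a line that STARTS with '#' or ';' is a comment."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;" or line == "}":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(smb_text, krb_text):
    """Return findings for a Samba 'security = ads' member configuration."""
    smb, krb = parse_conf(smb_text), parse_conf(krb_text)
    glob, libdef = smb.get("global", {}), krb.get("libdefaults", {})
    realm, default_realm = glob.get("realm"), libdef.get("default_realm")
    findings = []
    if glob.get("security", "").lower() != "ads":
        findings.append("[global] security is not ads")
    if realm is None:
        findings.append("[global] has no realm key (misspelled?)")
    elif realm != default_realm or realm != realm.upper():
        findings.append(f"realm {realm!r} != upper-case default_realm {default_realm!r}")
    for conf in (smb, krb):
        for name, keys in conf.items():
            for key, value in keys.items():
                if re.search(r"\s[#;]", value):
                    findings.append(f"[{name}] {key}: trailing comment is read as part of the value")
                if key in MODE_KEYS and re.fullmatch(r"[0-7]{3,4}", value) and int(value, 8) & 0o002:
                    findings.append(f"[{name}] {key} = {value} permits world-writable entries")
    return findings

# Constructed sample input with mistakes this setup is prone to.
SAMPLE_SMB = """[global]
workgroup = WF01
Reale = WF01
security = ads
[homes]
create mode = 0777
"""
SAMPLE_KRB = "[libdefaults]\ndefault_realm = WF01 # upper case\n"
```

Calling audit(SAMPLE_SMB, SAMPLE_KRB) returns three findings; an empty list means the checked settings are consistent.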
