
Linux joining a Windows domain

Note: this article describes the specifics of joining a Linux host to a Windows domain. It does not go into the join procedure in depth; it only supplies a configuration template. If anything is unfamiliar, consult the related articles.

*-====================-*
* Linux To Windows AD
*-====================-*

- Basic concepts

* PDC - primary domain controller

* BDC - backup domain controller

* KDC - key distribution center, the Kerberos server (in Active Directory every domain controller is also a KDC)

* PAM - pluggable authentication modules

* SRV - DNS service resource records (clients locate the domain controllers and KDCs through the _ldap._tcp and _kerberos._tcp records, so the host must use the domain's DNS)

- Domain modes

* RPC - Linux joins the domain Windows 2000/NT4 style (security = domain)

* ADS - Active Directory, Windows 2003, Windows XP (security = ADS, authentication uses Kerberos)

* Mixed - best compatibility

- Packages

* Samba: yum install samba.* samba-common.* samba-winbind-client.*

* Winbind: yum install samba-winbind.*

* Samba4: yum install samba4.* ; a newer version of Samba

* Kerberos 5: yum install pam_krb5.* krb5-workstation.* krb5-libs.*

* ldconfig

* ldconfig -v | grep winbind ; the winbind NSS library must be known to the dynamic loader, otherwise getent and PAM never see domain users

* ls /usr/lib/libnss_winbind.so ; on 64-bit systems the library lives in /usr/lib64 instead

- Configuration files

- NSS: /etc/nsswitch.conf ; tells the system where to look up the user and group databases ; change the following two lines (the key is "passwd", not "password"; a misspelt key is silently ignored and domain users then resolve in wbinfo but not in getent)

passwd: files winbind

group: files winbind

- Samba: /etc/samba/smb.conf ; share configuration, and the domain settings that winbind reads (some older builds keep the file at /etc/smb.conf)

[global]

# client use spnego = no
# Leave SPNEGO enabled unless you hit "BAD SIG" (see troubleshooting); setting it to "no" switches off Kerberos negotiation for SMB sessions

server signing = auto

workgroup = CAMPUS
# The SHORT (NetBIOS) name of your domain, you need to modify it

wins server = 10.0.0.4
# The domain controller acting as WINS server, change it to your own.
# Do not also set "wins support = yes": Samba cannot be a WINS server and a WINS client at the same time, and testparm reports the combination as an error

wins proxy = yes

security = ADS
# or AD, ADS, domain; DOMAIN is the RPC mode

acl compatibility = win2k

idmap uid = 16777216-33554431
# Set the range based on your user count; it must not overlap local UIDs/GIDs
idmap gid = 16777216-33554431
# Samba 3.6 and later spell this "idmap config * : backend = tdb" and "idmap config * : range = 16777216-33554431"

password server = 10.0.0.4
# Domain controller. With security = ADS it is better left unset so that any DC found through the DNS SRV records is used instead of a single hard-coded one

map to guest = bad user

guest ok = no

realm = CAMPUS.COM
# Must be the same as default_realm in krb5.conf, in upper case

# encrypt passwords = yes
# Encrypt passwords; this is already the default, and some Samba versions do not accept the option

winbind use default domain = yes

# winbind separator =

template homedir = /home/%D/%U
# The article sets mode 777 on /home/%D (i.e. /home/CAMPUS); if you do that, use 1777 (sticky bit) so users cannot remove each other's directories, or let pam_mkhomedir create home directories on first login

template shell = /bin/bash

[homes]

comment = %S

path = /home/%D/%S

writeable = yes

browsable = yes

; valid users = %S

valid users = CAMPUS\%S

* Kerberos configuration file: /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CAMPUS.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 # With dns_lookup_kdc = true the client finds the KDCs through the _kerberos._tcp SRV records instead of the static list under [realms]

[realms]
 CAMPUS.COM = {
  kdc = ADS.CAMPUS.COM:88
  admin_server = ADS.CAMPUS.COM:749
  default_domain = campus.com
 }
 # This maps the realm to its KDC; realm names are written in upper case

[domain_realm]
 .campus.com = CAMPUS.COM
 campus.com = CAMPUS.COM
 # Builds the mapping from DNS domain names to the realm

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

* Restart Samba: service smb restart
; Note: if the host is only used for authentication, the SMB service need not run, but smb.conf must still be configured correctly because winbind reads it

* Restart winbind: service winbind restart

* Obtain a Kerberos ticket from the KDC: net ads kerberos kinit (uses the machine account, so it only works after the join; before joining, use kinit Administrator@CAMPUS.COM)

* Join the domain: net ads join -U Administrator ; this is the join that matches security = ADS and creates the machine account in AD. net rpc join -S ADS.CAMPUS.COM -U Administrator is the NT4/RPC style join that goes with security = domain

* Check the join: net ads testjoin ; net ads info ; net rpc info

* Leave the domain: net ads leave -S ADS.CAMPUS.COM -U Administrator

* List domain users / check the machine account trust secret: wbinfo -u, wbinfo -t

* Look up users and groups the way the local system sees them (through NSS): getent passwd <user>, getent group <group>

* Get the domain SID: net rpc getsid -U Administrator -I x.x.x.x

* NTLM authentication test: ntlm_auth --username=$USER

- Summary: #LINUX ADS# deployment procedure

* Install the packages

* Edit the configuration files in turn

/etc/nsswitch.conf

/etc/samba/smb.conf

/etc/krb5.conf

* The templates are above; the places that must be changed are marked
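Before restarting winbind and attempting the join it pays to lint the three files against each other, because the usual first-attempt mistakes (realm spelt differently in smb.conf and krb5.conf, "wins support" set next to "wins server", "password:" instead of "passwd:" in nsswitch.conf) fail late and with unhelpful messages. The script below is an added example written for this article, not Samba's tooling or the author's own; it reads only local files, so it runs offline. The sample files it writes are constructed from the template above (CAMPUS, CAMPUS.COM, 10.0.0.4) with those mistakes deliberately left in, so the demo run reports five findings.

```bash
#!/bin/bash
# ad_conf_lint.sh - sanity-check smb.conf, krb5.conf and nsswitch.conf before joining.
# Added example for this article, not Samba's or the article's own tooling.
# Runs offline: it only reads local files. The files written by write_samples are
# constructed from the article's template, not taken from a real domain.

# lower WORD: print WORD in lower case (smb.conf values are case-insensitive).
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_global FILE KEY: print KEY's value from the [global] section of FILE.
# Keys compare case- and whitespace-insensitively, as Samba does; empty if unset.
smb_global() {
    awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/   { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# krb5_default_realm FILE: print default_realm from [libdefaults]; empty if unset.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /\[libdefaults\]/); next }
        insec && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# nss_has_winbind FILE DB: succeed if the "DB:" line (passwd or group) lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# lint_ad_config SMB KRB5 NSS: print one line per finding, return the number of findings.
lint_ad_config() {
    local smb=$1 krb=$2 nss=$3 n=0 realm krb_realm db
    realm=$(smb_global "$smb" realm)
    krb_realm=$(krb5_default_realm "$krb")

    # security = ADS needs a realm, and it must equal the Kerberos default realm, upper case.
    if [ "$(lower "$(smb_global "$smb" security)")" = ads ] && [ -z "$realm" ]; then
        echo "smb.conf: security = ADS but no realm is set"; n=$((n + 1))
    fi
    if [ "$realm" != "$krb_realm" ]; then
        echo "realm mismatch: smb.conf realm '$realm' vs krb5.conf default_realm '$krb_realm'"; n=$((n + 1))
    fi
    case "$realm" in *[a-z]*) echo "smb.conf: realm '$realm' must be upper case"; n=$((n + 1)) ;; esac

    # Samba will not act as a WINS server and use another WINS server at the same time.
    if [ "$(lower "$(smb_global "$smb" 'wins support')")" = yes ] && [ -n "$(smb_global "$smb" 'wins server')" ]; then
        echo "smb.conf: 'wins support = yes' and 'wins server' are mutually exclusive (testparm rejects this)"; n=$((n + 1))
    fi

    # SPNEGO off means no Kerberos for SMB sessions; keep it only as a BAD SIG workaround.
    if [ "$(lower "$(smb_global "$smb" 'client use spnego')")" = no ]; then
        echo "smb.conf: 'client use spnego = no' disables Kerberos negotiation"; n=$((n + 1))
    fi

    # Without winbind in both databases, wbinfo works but getent and PAM never see domain users.
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" ||
            { echo "nsswitch.conf: '$db:' does not list winbind (the key is passwd, not password)"; n=$((n + 1)); }
    done
    echo "$n finding(s)"
    return "$n"
}

# write_samples DIR: constructed sample files modelled on the article's template, with the
# typical first-attempt mistakes left in so the lint has something to report.
write_samples() {
    cat >"$1/smb.conf" <<'EOF'
[global]
   client use spnego = no
   workgroup = CAMPUS
   wins support = yes
   wins server = 10.0.0.4
   security = ADS
   realm = campus.com
   winbind use default domain = yes
[homes]
   path = /home/%D/%S
EOF
    cat >"$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = CAMPUS.COM
[realms]
 CAMPUS.COM = {
  kdc = ADS.CAMPUS.COM:88
 }
EOF
    cat >"$1/nsswitch.conf" <<'EOF'
password: files winbind
group:    files winbind
EOF
}

case "${1:-}" in
    lint) lint_ad_config "$2" "$3" "$4" ;;
    demo) d=$(mktemp -d); write_samples "$d"; lint_ad_config "$d/smb.conf" "$d/krb5.conf" "$d/nsswitch.conf" ;;
esac
```

Run "bash ad_conf_lint.sh demo" to see the five findings for the constructed sample, or "bash ad_conf_lint.sh lint /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf" on a real host; the exit status is the number of findings, so zero means the three files agree. It complements testparm rather than replacing it: testparm knows Samba's full grammar, this script knows the cross-file rules.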

- Troubleshooting

* Check that the services are running

* Check that the configuration files are correct (testparm validates smb.conf)

* Check the logs

* Check the DNS settings: the resolver must point at the Windows domain's DNS server, because that is where the SRV records for the domain controllers live

* Check the firewall and SELinux configuration

# Fixing errors

* "BAD SIG"

Comment out the "client use spnego = no" option in smb.conf

* "DNS UPDATE FAILED"

Check the DNS settings

Check the update permissions on the DNS server, then register the host record by hand with nsupdate. An AD zone that only allows secure dynamic updates needs a Kerberos ticket first (kinit, or net ads kerberos kinit after the join) and nsupdate -g so that the update is signed with GSS-TSIG:

nsupdate -g
> server x.x.x.x
> update add cms.campus.com 10 A 10.0.0.2
> send

* Kerberos ticket problems

kinit xxx@CAMPUS.COM ; request a ticket for user xxx in the CAMPUS realm

Clock problem: the clock difference between the domain controller and the client is too large (Kerberos tolerates 5 minutes by default; sync the client to the DC with NTP)

Password problem: wrong user name or password

Name problem: kinit cannot find the domain controller, i.e. the KDC; check the DNS configuration

* Authentication problems in the PAM modules

Use tail -f /var/log/secure to follow the authentication attempts

Make sure "winbind use default domain = yes" is set in smb.conf, so that the domain name is supplied automatically

* Joining the domain does not require the SMB service to run, but winbind needs the smb.conf file

* On older hosts (Linux, UNIX and so on) the user name for logging on to the domain is CAMPUS\user: domain name first, then the user name

# 數(shù)據(jù)查詢

* net ads search '(objectCategory=group)' sAMAccountName ;查詢系統(tǒng)組

* net ads search '(objectCategory=user) sAMAccountName ;查詢用戶

* net ads search '(sAMAccountName=cc)' ;查詢用戶CC 相關(guān)信息

* ldapsearch -x -b "dc=CAMPUS,dc=COM" -D "CAMPUS?" -w "PASSWD" -h ADS.CAMPUS.COM ;列出CAMPUS.COM 域的所有記錄,其中LDAP 服務(wù)器為ADS.CAMPUS.COM ,查詢所使用的用戶為

# Common containers

* Users: "CN=Users,DC=CAMPUS,DC=COM"

* Computers: "CN=Computers,DC=CAMPUS,DC=COM"

* Organisational unit: "OU=GRPS,DC=CAMPUS,DC=COM"

# 認(rèn)證測(cè)試 * wbinfo -a USERPASS

* wbinfo -K USERPASS ;采用Kerberos 方式測(cè)試KDC 是否正常

,

* wbinfo -m ;查看配置的域(工作組)

* ntlm_auth --username=CC ;使用CC 測(cè)試,如果認(rèn)證成功,可從另一個(gè)方面說(shuō)明系統(tǒng)加域已經(jīng)成功
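The tests above are best run as one ordered sequence, because each layer depends on the previous one: if the machine account trust secret is broken nothing else will work, and a clock far off the DC breaks Kerberos while NTLM still succeeds. The script below is an added example written for this article, not part of Samba or the original text; it assumes the Samba tools (wbinfo, net, getent) are installed and the host has been joined, takes the user name "cc" from the article's examples, and reads the clock difference from the "Server time offset" line that net ads info prints.

```bash
#!/bin/bash
# ad_join_check.sh - run the article's post-join checks in dependency order and
# report each one. Added example for this article, not part of Samba or the original
# text. Assumes wbinfo, net and getent are installed and the host is joined; the user
# name "cc" is the one used in the article. MAX_SKEW is the clock difference Kerberos
# tolerates by default (300 s).
MAX_SKEW=${MAX_SKEW:-300}

# check LABEL CMD...: run CMD quietly, print PASS/FAIL with LABEL, return CMD's status.
check() {
    local label=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "PASS  $label"
    else
        echo "FAIL  $label  (ran: $*)"
        return 1
    fi
}

# server_time_offset: the "Server time offset" value from `net ads info` (seconds,
# may be negative); prints nothing when the DC cannot be contacted.
server_time_offset() {
    net ads info 2>/dev/null | awk -F': *' '/^Server time offset/ { print $2; exit }'
}

# skew_ok OFFSET: succeed when |OFFSET| <= MAX_SKEW. An empty or non-numeric value
# fails, because an unknown offset is exactly the situation in which kinit starts failing.
skew_ok() {
    case "$1" in ''|*[!0-9-]*) return 1 ;; esac
    [ "${1#-}" -le "$MAX_SKEW" ]
}

# verify_join [USER]: the article's checks, ordered so the first FAIL points at the
# layer that broke (trust secret -> join -> clock -> winbind -> NSS -> Kerberos).
# Returns the number of failed checks.
verify_join() {
    local user=${1:-cc} fails=0
    check "machine account trust secret (wbinfo -t)"          wbinfo -t                       || fails=$((fails + 1))
    check "join still valid (net ads testjoin)"                net ads testjoin                || fails=$((fails + 1))
    check "clock within ${MAX_SKEW}s of the DC (net ads info)" skew_ok "$(server_time_offset)" || fails=$((fails + 1))
    check "winbind lists domain users (wbinfo -u)"             wbinfo -u                       || fails=$((fails + 1))
    check "NSS resolves domain user $user (getent passwd)"     getent passwd "$user"           || fails=$((fails + 1))
    check "Kerberos ticket for the machine account"            net ads kerberos kinit          || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}

case "${1:-}" in
    run) verify_join "${2:-cc}" ;;
esac
```

Run it as "bash ad_join_check.sh run cc"; the exit status is the number of failed checks. The interactive tests (wbinfo -a, wbinfo -K, ntlm_auth) are deliberately left out so that no password ends up on a command line; run them by hand afterwards and let the tools prompt.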

標(biāo)簽: