Ubuntu-ads-client: Difference between revisions
Revision as of 12 January 2023, 13:42
new
Installation
Adjust the network interface
- vi /etc/network/interfaces
auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
    address 10.0.10.96/24
    gateway 10.0.10.1
Adjust hostname and hosts
- hostnamectl set-hostname ads-client
- vi /etc/hosts
127.0.0.1       localhost
127.0.1.1       ads-client.hack.lab ads-client
resolv.conf
nameserver 10.0.10.85
search hack.lab
Install samba4
- apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
Update PAM
- pam-auth-update
/etc/samba/smb.conf
[global]
   workgroup = HACK
   realm = HACK.LAB
   security = ADS
   log level = 1 winbind:5
   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   winbind use default domain = yes
   winbind nss info = template
   winbind enum users = yes
   winbind enum groups = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config HACK : backend = rid
   idmap config HACK : range = 10000-99999
   template homedir = /home/%U
   template shell = /bin/bash
   # Mapping domain Administrator to local root
   username map = /etc/samba/user.map
/etc/krb5.conf
[libdefaults]
    default_realm = HACK.LAB
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    HACK.LAB = {
        kdc = 10.0.10.85
        admin_server = 10.0.10.85
    }

[domain_realm]
    # map the lab's DNS domain (hack.lab, see resolv.conf) to the realm
    .hack.lab = HACK.LAB
    hack.lab = HACK.LAB
Obtain a Kerberos ticket
- kinit administrator
List
- klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HACK.LAB

Valid starting       Expires              Service principal
01/12/2023 14:28:49  01/13/2023 00:28:49  krbtgt/HACK.LAB@HACK.LAB
        renew until 01/13/2023 14:28:45
Create a Kerberos keytab file
- net ads keytab create -U administrator
Join the AD domain
- net ads join -U administrator
Joining the domain
root@lang:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- LINUGGS
Joined 'LANG' to dns domain 'linuggs.lan'
Modify /etc/nsswitch.conf
passwd:         files systemd winbind
group:          files systemd winbind
Restart services
- systemctl restart smbd
- systemctl restart nmbd
- systemctl restart winbind
Check whether winbind is "pingable"
root@fenetre:~# wbinfo -p
Ping to winbindd succeeded
Show the user list
root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt
Show passwd
- users from AD should now appear here
- getent passwd
benutzer03:*:11107:10513::/home/benutzer03:/bin/bash
administrator:*:10500:10513::/home/administrator:/bin/bash
benutzer04:*:11108:10513::/home/benutzer04:/bin/bash
benutzer01:*:11105:10513::/home/benutzer01:/bin/bash
krbtgt:*:10502:10513::/home/krbtgt:/bin/bash
benutzer02:*:11106:10513::/home/benutzer02:/bin/bash
guest:*:10501:10513::/home/guest:/bin/bash
thomas:*:11104:10513::/home/thomas:/bin/bash
LIBPAM
libpam-winbind
apt-get install libpam-winbind
Changes in /etc/pam.d/
These should have been applied automatically (by pam-auth-update)
common-auth
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
common-account
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so
common-session
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session required                        pam_unix.so
session optional                        pam_winbind.so
session optional                        pam_systemd.so
common-password
password        [success=2 default=ignore]      pam_unix.so obscure yescrypt
password        [success=1 default=ignore]      pam_winbind.so try_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so
sudo
auth    sufficient      pam_winbind.so
auth    sufficient      pam_unix.so use_first_pass
auth    required        pam_deny.so
@include common-account
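As an added example (not part of the wiki page), a small POSIX shell script that checks the three files this setup depends on: common-session must load pam_mkhomedir.so (otherwise the first login of a domain user fails for lack of a home directory), nsswitch.conf must consult winbind for passwd and group, and smb.conf must carry security = ADS plus a realm. The file paths are parameters; make_samples builds constructed sample files so the checks run offline, and session.old models a common-session without the pam_mkhomedir line.

```shell
# Added example, not from the wiki page: offline sanity checks for the
# AD-client configuration above. Paths are parameters, so the functions run
# against /etc/pam.d/common-session, /etc/nsswitch.conf and /etc/samba/smb.conf
# on a real client, or against the constructed samples built by make_samples.

# Returns 0 when an active (uncommented) "session" line loads pam_mkhomedir.so,
# i.e. the home directory of a domain user is created on first login.
pam_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' "$1"
}

# Returns 0 when both passwd and group lookups include the winbind source.
nss_uses_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Returns 0 when smb.conf is configured for AD membership (security = ADS
# plus a realm line), the two settings the domain join depends on.
smb_is_ads() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1" &&
    grep -Eiq '^[[:space:]]*realm[[:space:]]*=[[:space:]]*[^[:space:]]+' "$1"
}

# Builds constructed sample files in a temp dir and prints its path.
# session.new mirrors the page's common-session; session.old lacks pam_mkhomedir.
make_samples() {
    _d=$(mktemp -d)
    printf 'passwd: files systemd winbind\ngroup: files systemd winbind\n' > "$_d/nsswitch.conf"
    printf 'passwd: files systemd\ngroup: files systemd\n' > "$_d/nsswitch.old"
    printf '[global]\n   workgroup = HACK\n   realm = HACK.LAB\n   security = ADS\n' > "$_d/smb.conf"
    printf 'session required pam_permit.so\nsession required pam_mkhomedir.so umask=0022 skel=/etc/skel\nsession required pam_unix.so\n' > "$_d/session.new"
    printf 'session required pam_permit.so\n# session required pam_mkhomedir.so\nsession required pam_unix.so\n' > "$_d/session.old"
    echo "$_d"
}

# Stand-alone demonstration against the constructed samples.
dir=$(make_samples)
for f in session.new session.old; do
    if pam_has_mkhomedir "$dir/$f"; then echo "$f: pam_mkhomedir present"; else echo "$f: pam_mkhomedir MISSING"; fi
done
if nss_uses_winbind "$dir/nsswitch.conf"; then echo "nsswitch.conf: winbind active"; fi
if smb_is_ads "$dir/smb.conf"; then echo "smb.conf: AD member configuration"; fi
```

To check a real client, call the functions with the actual paths, e.g. pam_has_mkhomedir /etc/pam.d/common-session.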