Debian-ads-client: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(7 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 22: Zeile 22:
  
 
==hosts anpassen==
 
==hosts anpassen==
*hostnamectl ads-client
+
*hostnamectl set-hostname fenetre.lab34.linuggs.de
 
*vi /etc/hosts
 
*vi /etc/hosts
 
  127.0.0.1      localhost
 
  127.0.0.1      localhost
  127.0.1.1      ads-client.hack.lab    ads-client
+
  127.0.1.1      fenetre.lab34.linuggs.de      fenetre
  
 
=resolv.conf=
 
=resolv.conf=
  nameserver 10.0.10.85
+
nameserver 2a02:24d8:71:3036::101
  search hack.lab
+
  nameserver 10.114.214.101
 +
  search lab34.linuggs.de
  
 
'''reboot'''
 
'''reboot'''
Zeile 38: Zeile 39:
 
=Update der Pam=
 
=Update der Pam=
 
*pam-auth-update
 
*pam-auth-update
 
+
[[Datei:Debian-ads1.png]]
 
==/etc/samba/smb.conf==
 
==/etc/samba/smb.conf==
 
<pre>
 
<pre>
 
[global]
 
[global]
   workgroup = HACK
+
   workgroup = lab34
   realm = HACK.LAB
+
   realm = lab34.linuggs.de
 
   security = ADS
 
   security = ADS
  
Zeile 62: Zeile 63:
 
   idmap config * : range = 3000-7999
 
   idmap config * : range = 3000-7999
  
   idmap config HACK : backend = rid
+
   idmap config lab34.linuggs.de : backend = rid
   idmap config HACK : range = 10000-99999
+
   idmap config lab34.linuggs.de : range = 10000-99999
  
 
   template homedir = /home/%U
 
   template homedir = /home/%U
Zeile 73: Zeile 74:
 
   kerberos method = dedicated keytab
 
   kerberos method = dedicated keytab
 
   dedicated keytab file = /etc/krb5.keytab
 
   dedicated keytab file = /etc/krb5.keytab
 +
  
 
</pre>
 
</pre>
Zeile 79: Zeile 81:
 
<pre>
 
<pre>
 
[libdefaults]
 
[libdefaults]
       default_realm = HACK.LAB
+
       default_realm = LAB34.LINUGGS.DE
 
       dns_lookup_realm = true
 
       dns_lookup_realm = true
 
       dns_lookup_kdc = true
 
       dns_lookup_kdc = true
  
 
[realms]
 
[realms]
       HACK.LAB( = {
+
       LAB34.LINUGGS.DE = {
             kdc = 10.0.10.85
+
             kdc = 10.114.214.101
             admin_server = 10.0.10.85
+
             admin_server = 10.114.214.101
 
       }
 
       }
  
 
[domain_realm]
 
[domain_realm]
       .mydomain.com = HACK.LAB
+
       .mydomain.com = lab34.linuggs.de
       mydomain.com = HACK.LAB
+
       mydomain.com = lab34.linuggs.de
 +
 
  
 
</pre>
 
</pre>
Zeile 97: Zeile 100:
 
==Initiieren Sie ein Kerberos-Ticket==
 
==Initiieren Sie ein Kerberos-Ticket==
 
*kinit administrator
 
*kinit administrator
 +
 
=List=
 
=List=
 
*klist  
 
*klist  
 
  Ticket cache: FILE:/tmp/krb5cc_0
 
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: administrator@HACK.LAB
+
  Default principal: administrator@LAB34.LINUGGS.DE
 
   
 
   
 
  Valid starting      Expires              Service principal
 
  Valid starting      Expires              Service principal
  01/12/2023 14:28:49 01/13/2023 00:28:49 krbtgt/HACK.LAB@HACK.LAB
+
  10/02/2024 10:49:53 10/02/2024 20:49:53 krbtgt/LAB34.LINUGGS.DE@LAB34.LINUGGS.DE
  renew until 01/13/2023 14:28:45
+
  renew until 10/03/2024 10:49:47
 +
 
 
==Erstellen Sie eine Kerberos-Keytab-Datei==
 
==Erstellen Sie eine Kerberos-Keytab-Datei==
 
*net ads keytab create -U administrator
 
*net ads keytab create -U administrator

Aktuelle Version vom 4. Oktober 2024, 06:50 Uhr

new


Installation

Interface anpassen

  • vi /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp0s3
iface enp0s3 inet static
 address 10.114.14.2/24
 gateway 10.114.14.1
iface enp0s3 inet6 static
 address 2a02:24d8:71:3037::2/64
 gateway 2a02:24d8:71:3037::1

hosts anpassen

  • hostnamectl set-hostname fenetre.lab34.linuggs.de
  • vi /etc/hosts
127.0.0.1       localhost
127.0.1.1       fenetre.lab34.linuggs.de      fenetre

resolv.conf

nameserver 2a02:24d8:71:3036::101 
nameserver 10.114.214.101
search lab34.linuggs.de

reboot

samba4 installieren

  • apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

Update der Pam

  • pam-auth-update

Debian-ads1.png

/etc/samba/smb.conf

[global]
  workgroup = lab34
  realm = lab34.linuggs.de
  security = ADS

  log level = 1 winbind:5

  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  winbind use default domain = yes
  winbind nss info = template

  winbind enum users = yes
  winbind enum groups = yes

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999

  idmap config lab34.linuggs.de : backend = rid
  idmap config lab34.linuggs.de : range = 10000-99999

  template homedir = /home/%U
  template shell = /bin/bash

  # Mapping domain Administrator to local root
  username map = /etc/samba/user.map

  kerberos method = dedicated keytab
  dedicated keytab file = /etc/krb5.keytab

/etc/krb5.conf

[libdefaults]
      default_realm = LAB34.LINUGGS.DE
      dns_lookup_realm = true
      dns_lookup_kdc = true

[realms]
      LAB34.LINUGGS.DE = {
            kdc = 10.114.214.101
            admin_server = 10.114.214.101
      }

[domain_realm]
      .mydomain.com = lab34.linuggs.de
      mydomain.com = lab34.linuggs.de

Initiieren Sie ein Kerberos-Ticket

  • kinit administrator

List

  • klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAB34.LINUGGS.DE 

Valid starting       Expires              Service principal
10/02/2024 10:49:53  10/02/2024 20:49:53  krbtgt/LAB34.LINUGGS.DE@LAB34.LINUGGS.DE
	renew until 10/03/2024 10:49:47

Erstellen Sie eine Kerberos-Keytab-Datei

  • net ads keytab create -U administrator

Treten Sie der AD-Domäne bei

  • net ads join -U administrator

domaine beitreten


root@lang:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- LINUGGS
Joined 'LANG' to dns domain 'linuggs.lan'


/etc/nsswitch.conf ändern

passwd:         files systemd winbind
group:          files systemd winbind

services neustarten

  • systemctl restart smbd
  • systemctl restart nmbd
  • systemctl restart winbind

ist winbind is "pingbar

root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

anzeigen der userliste

root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

anzeigen der passwd

hier solten nun benutzer aus der ad autauchen
  • getent passwd
 
benutzer03:*:11107:10513::/home/benutzer03:/bin/bash
administrator:*:10500:10513::/home/administrator:/bin/bash
benutzer04:*:11108:10513::/home/benutzer04:/bin/bash
benutzer01:*:11105:10513::/home/benutzer01:/bin/bash
krbtgt:*:10502:10513::/home/krbtgt:/bin/bash
benutzer02:*:11106:10513::/home/benutzer02:/bin/bash
guest:*:10501:10513::/home/guest:/bin/bash
thomas:*:11104:10513::/home/thomas:/bin/bash

LIBPAM

Abgerufen von „http://wiki.ixheim.de/index.php?title=Debian-ads-client&oldid=56802