Ubuntu-ads-client: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
David (Diskussion | Beiträge) |
|||
| (31 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| + | =new= | ||
| + | *https://docs.vmware.com/de/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-F8F0CFCF-C4D6-4784-85FF-E7C6DF575F49.html | ||
| + | |||
| + | |||
=Installation= | =Installation= | ||
==Interface anpassen== | ==Interface anpassen== | ||
| − | + | *vi /etc/network/interfaces | |
<pre> | <pre> | ||
auto lo | auto lo | ||
iface lo inet loopback | iface lo inet loopback | ||
| − | auto | + | |
| − | iface | + | auto enp0s3 |
| − | address | + | iface enp0s3 inet static |
| − | + | address 10.0.10.96/24 | |
| − | + | gateway 10.0.10.1 | |
| − | + | ||
| − | |||
</pre> | </pre> | ||
==hosts anpassen== | ==hosts anpassen== | ||
| − | + | *hostnamectl ads-client | |
| + | *vi /etc/hosts | ||
127.0.0.1 localhost | 127.0.0.1 localhost | ||
| − | + | 127.0.1.1 ads-client.hack.lab ads-client | |
| + | =resolv.conf= | ||
| + | nameserver 10.0.10.85 | ||
| + | search hack.lab | ||
| − | + | '''reboot''' | |
| − | |||
| − | |||
==samba4 installieren== | ==samba4 installieren== | ||
| − | + | *apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind | |
| + | |||
| + | =Update der Pam= | ||
| + | *pam-auth-update | ||
==/etc/samba/smb.conf== | ==/etc/samba/smb.conf== | ||
<pre> | <pre> | ||
| + | [global] | ||
| + | workgroup = HACK | ||
| + | realm = HACK.LAB | ||
| + | security = ADS | ||
| − | + | log level = 1 winbind:5 | |
| − | + | ||
| − | + | winbind refresh tickets = Yes | |
| − | + | vfs objects = acl_xattr | |
| − | + | map acl inherit = Yes | |
| + | store dos attributes = Yes | ||
| + | |||
| + | winbind use default domain = yes | ||
| + | winbind nss info = template | ||
| + | |||
| + | winbind enum users = yes | ||
| + | winbind enum groups = yes | ||
| + | |||
| + | idmap config * : backend = tdb | ||
| + | idmap config * : range = 3000-7999 | ||
| + | |||
| + | idmap config HACK : backend = rid | ||
| + | idmap config HACK : range = 10000-99999 | ||
| + | |||
| + | template homedir = /home/%U | ||
| + | template shell = /bin/bash | ||
| − | + | # Mapping domain Administrator to local root | |
| − | + | username map = /etc/samba/user.map | |
| − | |||
| − | |||
| − | |||
| − | + | kerberos method = dedicated keytab | |
| − | + | dedicated keytab file = /etc/krb5.keytab | |
| − | |||
| − | |||
| − | |||
| − | |||
</pre> | </pre> | ||
| Zeile 54: | Zeile 75: | ||
<pre> | <pre> | ||
[libdefaults] | [libdefaults] | ||
| − | . | + | default_realm = HACK.LAB |
| + | dns_lookup_realm = true | ||
| + | dns_lookup_kdc = true | ||
| + | |||
[realms] | [realms] | ||
| − | + | HACK.LAB( = { | |
| − | + | kdc = 10.0.10.85 | |
| − | + | admin_server = 10.0.10.85 | |
| − | .... | + | } |
| + | |||
| + | [domain_realm] | ||
| + | .mydomain.com = HACK.LAB | ||
| + | mydomain.com = HACK.LAB | ||
| + | |||
</pre> | </pre> | ||
| + | |||
| + | ==Initiieren Sie ein Kerberos-Ticket== | ||
| + | *kinit administrator | ||
| + | =List= | ||
| + | *klist | ||
| + | Ticket cache: FILE:/tmp/krb5cc_0 | ||
| + | Default principal: administrator@HACK.LAB | ||
| + | |||
| + | Valid starting Expires Service principal | ||
| + | 01/12/2023 14:28:49 01/13/2023 00:28:49 krbtgt/HACK.LAB@HACK.LAB | ||
| + | renew until 01/13/2023 14:28:45 | ||
| + | ==Erstellen Sie eine Kerberos-Keytab-Datei== | ||
| + | *net ads keytab create -U administrator | ||
| + | ==Treten Sie der AD-Domäne bei== | ||
| + | *net ads join -U administrator | ||
==domaine beitreten== | ==domaine beitreten== | ||
<pre> | <pre> | ||
| − | net ads join -U administrator | + | |
| + | root@lang:~# net ads join -U administrator | ||
Enter administrator's password: | Enter administrator's password: | ||
| − | Using short domain name -- | + | Using short domain name -- LINUGGS |
| − | Joined ' | + | Joined 'LANG' to dns domain 'linuggs.lan' |
| + | |||
| + | |||
</pre> | </pre> | ||
| − | ===nsswitch.conf ändern=== | + | ===/etc/nsswitch.conf ändern=== |
| − | passwd: | + | passwd: files systemd winbind |
| − | group: | + | group: files systemd winbind |
| + | |||
| + | ===services neustarten=== | ||
| + | *systemctl restart smbd | ||
| + | *systemctl restart nmbd | ||
| + | *systemctl restart winbind | ||
===ist winbind is "pingbar=== | ===ist winbind is "pingbar=== | ||
| Zeile 84: | Zeile 136: | ||
Guest | Guest | ||
krbtgt | krbtgt | ||
| − | + | ==anzeigen der passwd== | |
| − | == | + | ;hier solten nun benutzer aus der ad autauchen |
| + | *getent passwd | ||
<pre> | <pre> | ||
| − | + | benutzer03:*:11107:10513::/home/benutzer03:/bin/bash | |
| − | administrator:*: | + | administrator:*:10500:10513::/home/administrator:/bin/bash |
| − | + | benutzer04:*:11108:10513::/home/benutzer04:/bin/bash | |
| − | krbtgt:*: | + | benutzer01:*:11105:10513::/home/benutzer01:/bin/bash |
| − | + | krbtgt:*:10502:10513::/home/krbtgt:/bin/bash | |
| − | guest:*: | + | benutzer02:*:11106:10513::/home/benutzer02:/bin/bash |
| − | + | guest:*:10501:10513::/home/guest:/bin/bash | |
| + | thomas:*:11104:10513::/home/thomas:/bin/bash | ||
</pre> | </pre> | ||
| Zeile 99: | Zeile 153: | ||
=LIBPAM= | =LIBPAM= | ||
| − | |||
| − | |||
==änderungen in /etc/pam.d/== | ==änderungen in /etc/pam.d/== | ||
sollten automatisch geändert worden sein | sollten automatisch geändert worden sein | ||
===common-auth=== | ===common-auth=== | ||
| − | auth | + | auth [success=2 default=ignore] pam_unix.so nullok |
| − | auth | + | auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass |
| − | auth | + | auth requisite pam_deny.so |
| − | auth | + | auth required pam_permit.so |
| − | + | ||
===common-account=== | ===common-account=== | ||
| − | account [success=2 new_authtok_reqd=done default=ignore] | + | account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so |
| − | account [success=1 new_authtok_reqd=done default=ignore] | + | account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so |
| − | account requisite | + | account requisite pam_deny.so |
| − | account required | + | account required pam_permit.so |
| + | |||
===common-session=== | ===common-session=== | ||
| − | session [default=1] | + | *einfügen |
| − | session requisite | + | ;session required pam_mkhomedir.so umask=0022 skel=/etc/skel |
| − | session required | + | session [default=1] pam_permit.so |
| − | + | session requisite pam_deny.so | |
| − | + | session required pam_permit.so | |
| − | + | '''session required pam_mkhomedir.so umask=0022 skel=/etc/skel''' | |
| − | + | session required pam_unix.so | |
| − | session required | + | session optional pam_winbind.so |
| − | session optional | + | session optional pam_systemd.so |
| − | session optional | + | |
| + | ===common-password=== | ||
| + | password [success=2 default=ignore] pam_unix.so obscure yescrypt | ||
| + | password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass | ||
| + | password requisite pam_deny.so | ||
| + | password required pam_permit.so | ||
===sudo=== | ===sudo=== | ||
Aktuelle Version vom 12. Januar 2023, 14:56 Uhr
new
Installation
Interface anpassen
- vi /etc/network/interfaces
auto lo iface lo inet loopback auto enp0s3 iface enp0s3 inet static address 10.0.10.96/24 gateway 10.0.10.1
hosts anpassen
- hostnamectl ads-client
- vi /etc/hosts
127.0.0.1 localhost 127.0.1.1 ads-client.hack.lab ads-client
resolv.conf
nameserver 10.0.10.85 search hack.lab
reboot
samba4 installieren
- apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
Update der Pam
- pam-auth-update
/etc/samba/smb.conf
[global] workgroup = HACK realm = HACK.LAB security = ADS log level = 1 winbind:5 winbind refresh tickets = Yes vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes winbind use default domain = yes winbind nss info = template winbind enum users = yes winbind enum groups = yes idmap config * : backend = tdb idmap config * : range = 3000-7999 idmap config HACK : backend = rid idmap config HACK : range = 10000-99999 template homedir = /home/%U template shell = /bin/bash # Mapping domain Administrator to local root username map = /etc/samba/user.map kerberos method = dedicated keytab dedicated keytab file = /etc/krb5.keytab
/etc/krb5.conf
[libdefaults]
default_realm = HACK.LAB
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
HACK.LAB( = {
kdc = 10.0.10.85
admin_server = 10.0.10.85
}
[domain_realm]
.mydomain.com = HACK.LAB
mydomain.com = HACK.LAB
Initiieren Sie ein Kerberos-Ticket
- kinit administrator
List
- klist
Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator@HACK.LAB Valid starting Expires Service principal 01/12/2023 14:28:49 01/13/2023 00:28:49 krbtgt/HACK.LAB@HACK.LAB renew until 01/13/2023 14:28:45
Erstellen Sie eine Kerberos-Keytab-Datei
- net ads keytab create -U administrator
Treten Sie der AD-Domäne bei
- net ads join -U administrator
domaine beitreten
root@lang:~# net ads join -U administrator Enter administrator's password: Using short domain name -- LINUGGS Joined 'LANG' to dns domain 'linuggs.lan'
/etc/nsswitch.conf ändern
passwd: files systemd winbind group: files systemd winbind
services neustarten
- systemctl restart smbd
- systemctl restart nmbd
- systemctl restart winbind
ist winbind is "pingbar
root@fenetre:~# wbinfo -p Ping to winbindd succeeded
anzeigen der userliste
root@fenetre:~# wbinfo -u Administrator Guest krbtgt
anzeigen der passwd
- hier solten nun benutzer aus der ad autauchen
- getent passwd
benutzer03:*:11107:10513::/home/benutzer03:/bin/bash administrator:*:10500:10513::/home/administrator:/bin/bash benutzer04:*:11108:10513::/home/benutzer04:/bin/bash benutzer01:*:11105:10513::/home/benutzer01:/bin/bash krbtgt:*:10502:10513::/home/krbtgt:/bin/bash benutzer02:*:11106:10513::/home/benutzer02:/bin/bash guest:*:10501:10513::/home/guest:/bin/bash thomas:*:11104:10513::/home/thomas:/bin/bash
LIBPAM
änderungen in /etc/pam.d/
sollten automatisch geändert worden sein
common-auth
auth [success=2 default=ignore] pam_unix.so nullok auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth requisite pam_deny.so auth required pam_permit.so
common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so account requisite pam_deny.so account required pam_permit.so
common-session
- einfügen
- session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_mkhomedir.so umask=0022 skel=/etc/skel session required pam_unix.so session optional pam_winbind.so session optional pam_systemd.so
common-password
password [success=2 default=ignore] pam_unix.so obscure yescrypt password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass password requisite pam_deny.so password required pam_permit.so
sudo
auth sufficient pam_winbind.so auth sufficient pam_unix.so use_first_pass auth required pam_deny.so @include common-account