Ubuntu-ads-client: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
(Die Seite wurde neu angelegt: „=auf dem domain controller= kinit administrator samba-tool dns add localhost xinux.org dewey A 192.168.244.152 =Installation= ==Interface anpassen== vi /etc/…“)
 
 
(47 dazwischenliegende Versionen von 5 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
=auf dem domain controller=
+
=new=
kinit administrator
+
*https://docs.vmware.com/de/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-F8F0CFCF-C4D6-4784-85FF-E7C6DF575F49.html
samba-tool dns add localhost  xinux.org dewey A 192.168.244.152
+
 
  
 
=Installation=
 
=Installation=
 
==Interface anpassen==
 
==Interface anpassen==
vi /etc/network/interfaces
+
*vi /etc/network/interfaces
 
<pre>
 
<pre>
 
auto lo
 
auto lo
 
iface lo inet loopback
 
iface lo inet loopback
auto eth0
+
 
iface eth0 inet static
+
auto enp0s3
  address 192.168.244.152
+
iface enp0s3 inet static
  netmask 255.255.248.0
+
  address 10.0.10.96/24
gateway 192.168.240.100
+
  gateway 10.0.10.1
dns-nameservers 192.168.240.200
+
 
dns-search xinux.org
 
 
</pre>
 
</pre>
  
 
==hosts anpassen==
 
==hosts anpassen==
vi /etc/hosts
+
*hostnamectl ads-client
 +
*vi /etc/hosts
 
  127.0.0.1      localhost
 
  127.0.0.1      localhost
  192.168.244.152 dewey dewey.xinux.org
+
  127.0.1.1      ads-client.hack.lab    ads-client
  echo dewey.xinux.org > /etc/hostname
+
 
  reboot
+
=resolv.conf=
 +
  nameserver 10.0.10.85
 +
  search hack.lab
 +
 
 +
'''reboot'''
  
 
==samba4 installieren==
 
==samba4 installieren==
apt-get install samba smbclient winbind ntp libnss-winbind krb5-user acl
+
*apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
 +
 
 +
=Update der Pam=
 +
*pam-auth-update
  
 
==/etc/samba/smb.conf==
 
==/etc/samba/smb.conf==
 
<pre>
 
<pre>
 
[global]
 
[global]
  workgroup = XINUX
+
  workgroup = HACK
  security = ADS
+
  realm = HACK.LAB
  realm = XINUX.ORG
+
  security = ADS
  winbind separator = +
+
 
  winbind enum users = yes
+
  log level = 1 winbind:5
  winbind enum groups = yes
+
 
  winbind use default domain = yes
+
  winbind refresh tickets = Yes
  winbind refresh tickets = Yes
+
  vfs objects = acl_xattr
  template shell = /bin/bash
+
  map acl inherit = Yes
  idmap config * : range = 1000000 - 1999999
+
  store dos attributes = Yes
  idmap config EXAMPLE : backend = rid
+
 
  idmap config EXAMPLE : range = 1000000 - 1999999
+
  winbind use default domain = yes
 +
  winbind nss info = template
 +
 
 +
  winbind enum users = yes
 +
  winbind enum groups = yes
 +
 
 +
  idmap config * : backend = tdb
 +
  idmap config * : range = 3000-7999
 +
 
 +
  idmap config HACK : backend = rid
 +
  idmap config HACK : range = 10000-99999
 +
 
 +
  template homedir = /home/%U
 +
  template shell = /bin/bash
 +
 
 +
  # Mapping domain Administrator to local root
 +
  username map = /etc/samba/user.map
 +
 
 +
  kerberos method = dedicated keytab
 +
  dedicated keytab file = /etc/krb5.keytab
 +
 
 
</pre>
 
</pre>
  
Zeile 48: Zeile 75:
 
<pre>
 
<pre>
 
[libdefaults]
 
[libdefaults]
...
+
      default_realm = HACK.LAB
 +
      dns_lookup_realm = true
 +
      dns_lookup_kdc = true
 +
 
 
[realms]
 
[realms]
        XINUX.ORG = {
+
      HACK.LAB( = {
                kdc = gondor.xinux.org
+
            kdc = 10.0.10.85
                admin_server = gondor.xinux.org
+
            admin_server = 10.0.10.85
....
+
      }
 +
 
 +
[domain_realm]
 +
      .mydomain.com = HACK.LAB
 +
      mydomain.com = HACK.LAB
 +
 
 
</pre>
 
</pre>
 +
 +
==Initiieren Sie ein Kerberos-Ticket==
 +
*kinit administrator
 +
=List=
 +
*klist
 +
Ticket cache: FILE:/tmp/krb5cc_0
 +
Default principal: administrator@HACK.LAB
 +
 +
Valid starting      Expires              Service principal
 +
01/12/2023 14:28:49  01/13/2023 00:28:49  krbtgt/HACK.LAB@HACK.LAB
 +
renew until 01/13/2023 14:28:45
 +
==Erstellen Sie eine Kerberos-Keytab-Datei==
 +
*net ads keytab create -U administrator
 +
==Treten Sie der AD-Domäne bei==
 +
*net ads join -U administrator
  
 
==domaine beitreten==
 
==domaine beitreten==
 
<pre>
 
<pre>
net ads join -U administrator
+
 
 +
root@lang:~# net ads join -U administrator
 
Enter administrator's password:
 
Enter administrator's password:
Using short domain name -- XINUX
+
Using short domain name -- LINUGGS
Joined 'DEWEY' to dns domain 'xinux.org'
+
Joined 'LANG' to dns domain 'linuggs.lan'
 +
 
 +
 
 
</pre>
 
</pre>
  
  
===nsswitch.conf ändern===
+
===/etc/nsswitch.conf ändern===
  passwd:        compat winbind
+
  passwd:        files systemd winbind
  group:          compat winbind
+
  group:          files systemd winbind
 +
 
 +
===services neustarten===
 +
*systemctl restart smbd
 +
*systemctl restart nmbd
 +
*systemctl restart winbind
  
 
===ist winbind is "pingbar===  
 
===ist winbind is "pingbar===  
Zeile 78: Zeile 136:
 
  Guest
 
  Guest
 
  krbtgt
 
  krbtgt
 
+
==anzeigen der passwd==
===funtioniert nsswitch===
+
;hier solten nun benutzer aus der ad autauchen
 +
*getent passwd
 
<pre>  
 
<pre>  
getent passwd | grep 700
+
benutzer03:*:11107:10513::/home/benutzer03:/bin/bash
administrator:*:70001:70005:Administrator:/home/XINUX/administrator:/bin/false
+
administrator:*:10500:10513::/home/administrator:/bin/bash
dns-gondor:*:70002:70005:dns-gondor:/home/XINUX/dns-gondor:/bin/false
+
benutzer04:*:11108:10513::/home/benutzer04:/bin/bash
krbtgt:*:70003:70005:krbtgt:/home/XINUX/krbtgt:/bin/false
+
benutzer01:*:11105:10513::/home/benutzer01:/bin/bash
thomas:*:70004:70005:thomas:/home/XINUX/thomas:/bin/false
+
krbtgt:*:10502:10513::/home/krbtgt:/bin/bash
guest:*:70005:70006:Guest:/home/XINUX/guest:/bin/false
+
benutzer02:*:11106:10513::/home/benutzer02:/bin/bash
squid:*:70006:70005:squid:/home/XINUX/squid:/bin/false
+
guest:*:10501:10513::/home/guest:/bin/bash
 +
thomas:*:11104:10513::/home/thomas:/bin/bash
 
</pre>
 
</pre>
  
 
*https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
 
*https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
 +
 +
=LIBPAM=
 +
==änderungen in /etc/pam.d/==
 +
sollten automatisch geändert worden sein
 +
===common-auth===
 +
auth [success=2 default=ignore] pam_unix.so nullok
 +
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
 +
auth requisite pam_deny.so
 +
auth required pam_permit.so
 +
 +
===common-account===
 +
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
 +
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
 +
account requisite pam_deny.so
 +
account required pam_permit.so
 +
 +
===common-session===
 +
*einfügen
 +
;session required pam_mkhomedir.so umask=0022 skel=/etc/skel
 +
session [default=1] pam_permit.so
 +
session requisite pam_deny.so
 +
session required pam_permit.so
 +
'''session required pam_mkhomedir.so umask=0022 skel=/etc/skel'''
 +
session required pam_unix.so
 +
session optional pam_winbind.so
 +
session optional pam_systemd.so
 +
 +
===common-password===
 +
password [success=2 default=ignore] pam_unix.so obscure yescrypt
 +
password [success=1 default=ignore] pam_winbind.so try_authtok try_first_pass
 +
password requisite pam_deny.so
 +
password required pam_permit.so
 +
 +
===sudo===
 +
auth sufficient pam_winbind.so
 +
auth sufficient pam_unix.so use_first_pass
 +
auth required  pam_deny.so
 +
@include common-account
 +
 +
*http://trabauer.com/?p=383

Aktuelle Version vom 12. Januar 2023, 14:56 Uhr

new


Installation

Interface anpassen

  • vi /etc/network/interfaces
auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
 address 10.0.10.96/24
 gateway 10.0.10.1

hosts anpassen

  • hostnamectl ads-client
  • vi /etc/hosts
127.0.0.1       localhost
127.0.1.1       ads-client.hack.lab     ads-client

resolv.conf

nameserver 10.0.10.85
search hack.lab

reboot

samba4 installieren

  • apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

Update der Pam

  • pam-auth-update

/etc/samba/smb.conf

[global]
  workgroup = HACK
  realm = HACK.LAB
  security = ADS

  log level = 1 winbind:5

  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  winbind use default domain = yes
  winbind nss info = template

  winbind enum users = yes
  winbind enum groups = yes

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999

  idmap config HACK : backend = rid
  idmap config HACK : range = 10000-99999

  template homedir = /home/%U
  template shell = /bin/bash

  # Mapping domain Administrator to local root
  username map = /etc/samba/user.map

  kerberos method = dedicated keytab
  dedicated keytab file = /etc/krb5.keytab

/etc/krb5.conf

[libdefaults]
      default_realm = HACK.LAB
      dns_lookup_realm = true
      dns_lookup_kdc = true

[realms]
      HACK.LAB( = {
            kdc = 10.0.10.85
            admin_server = 10.0.10.85
      }

[domain_realm]
      .mydomain.com = HACK.LAB
      mydomain.com = HACK.LAB

Initiieren Sie ein Kerberos-Ticket

  • kinit administrator

List

  • klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HACK.LAB

Valid starting       Expires              Service principal
01/12/2023 14:28:49  01/13/2023 00:28:49  krbtgt/HACK.LAB@HACK.LAB
	renew until 01/13/2023 14:28:45

Erstellen Sie eine Kerberos-Keytab-Datei

  • net ads keytab create -U administrator

Treten Sie der AD-Domäne bei

  • net ads join -U administrator

domaine beitreten


root@lang:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- LINUGGS
Joined 'LANG' to dns domain 'linuggs.lan'


/etc/nsswitch.conf ändern

passwd:         files systemd winbind
group:          files systemd winbind

services neustarten

  • systemctl restart smbd
  • systemctl restart nmbd
  • systemctl restart winbind

ist winbind is "pingbar

root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

anzeigen der userliste

root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

anzeigen der passwd

hier solten nun benutzer aus der ad autauchen
  • getent passwd
 
benutzer03:*:11107:10513::/home/benutzer03:/bin/bash
administrator:*:10500:10513::/home/administrator:/bin/bash
benutzer04:*:11108:10513::/home/benutzer04:/bin/bash
benutzer01:*:11105:10513::/home/benutzer01:/bin/bash
krbtgt:*:10502:10513::/home/krbtgt:/bin/bash
benutzer02:*:11106:10513::/home/benutzer02:/bin/bash
guest:*:10501:10513::/home/guest:/bin/bash
thomas:*:11104:10513::/home/thomas:/bin/bash

LIBPAM

änderungen in /etc/pam.d/

sollten automatisch geändert worden sein

common-auth

auth	[success=2 default=ignore]	pam_unix.so nullok
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so

common-account

account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so 
account	[success=1 new_authtok_reqd=done default=ignore]	pam_winbind.so 
account	requisite			pam_deny.so
account	required			pam_permit.so

common-session

  • einfügen
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session	[default=1]			pam_permit.so
session	requisite			pam_deny.so
session	required			pam_permit.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session	required	pam_unix.so 
session	optional			pam_winbind.so 
session	optional	pam_systemd.so

common-password

password	[success=2 default=ignore]	pam_unix.so obscure yescrypt
password	[success=1 default=ignore]	pam_winbind.so try_authtok try_first_pass
password	requisite			pam_deny.so
password	required			pam_permit.so

sudo

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required   pam_deny.so
@include common-account
Abgerufen von „http://wiki.ixheim.de/index.php?title=Ubuntu-ads-client&oldid=39632