Ubuntu-ads-client: Unterschied zwischen den Versionen

Zeile 39: Zeile 39:
 
==/etc/samba/smb.conf==
 
==/etc/samba/smb.conf==
 
<pre>
 
<pre>
 +
[global]
 +
  workgroup = HACK
 +
  realm = HACK.LAB
 +
  security = ADS
 +
 +
  log level = 1 winbind:5
 +
 +
  winbind refresh tickets = Yes
 +
  vfs objects = acl_xattr
 +
  map acl inherit = Yes
 +
  store dos attributes = Yes
 +
 +
  winbind use default domain = yes
 +
  winbind nss info = template
  
[global]
+
  winbind enum users = yes
  workgroup = XINUX
+
  winbind enum groups = yes
  security = ADS
+
 
  realm = XINUX.LAN
+
  idmap config * : backend = tdb
    
+
   idmap config * : range = 3000-7999
  
  idmap config XINUX:backend = ad
+
  idmap config HACK : backend = rid
  idmap config *:backend = tdb
+
  idmap config HACK : range = 10000-99999
  idmap config * : range = 1000000-1999999
 
  idmap config XINUX:schema_mode = rfc2307
 
  idmap config XINUX:range = 10000-99999
 
  
  winbind nss info = rfc2307
+
  template homedir = /home/%U
  winbind trusted domains only = no
+
  template shell = /bin/bash
  winbind use default domain = yes
 
  winbind enum users  = yes
 
  winbind enum groups = yes
 
  winbind refresh tickets = Yes
 
  
 +
  # Mapping domain Administrator to local root
 +
  username map = /etc/samba/user.map
 
</pre>
 
</pre>
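Review bot: The new `[global]` block sets `workgroup = HACK` / `realm = HACK.LAB`, while the krb5.conf further down this page still has `default_realm = LINUGGS.LAN` and the `net ads join` output reports a join to `linuggs.lan`, so the realm in smb.conf no longer matches the Kerberos realm that `kinit` and the join actually use; both must name the same AD domain (upper-case DNS name). The added `username map = /etc/samba/user.map` makes the domain Administrator the local root user, but the map file itself is never shown — add it (typically `!root = HACK\Administrator`, adjusted to the chosen domain) and note that every holder of that domain account thereby gets root on the member. `log level = 1 winbind:5` is debug-level logging for winbind; it is fine while getting the join to work but should go back to `log level = 1` afterwards. `winbind enum users = yes` / `winbind enum groups = yes` are not required for logons and can be slow against large domains; they only make `getent passwd` and `wbinfo -u` list the whole domain.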
  

Version vom 12. Januar 2023, 13:26 Uhr

new


Installation

Interface anpassen

vi /etc/network/interfaces
auto lo
iface lo inet loopback
# Static address for the domain member.
# NOTE(review): 192.168.244.152 does not match the address given for this host
# in /etc/hosts below (192.168.241.153); one of the two is probably a typo — the
# host must use the same address in both places.
auto eth0
iface eth0 inet static
 address 192.168.244.152
 netmask 255.255.248.0
 gateway 192.168.240.100
# DNS must point at an AD domain controller (the same host is the KDC in
# krb5.conf) so the realm's DNS records resolve; the search domain is the realm.
 dns-nameservers 192.168.242.13
 dns-search linuggs.lan

hosts anpassen

vi /etc/hosts
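127.0.0.1       localhost
# FQDN first, short name as alias: `hostname -f` returns the first name on the
# matching line, and the Kerberos host principal / DNS registration at join time
# need it to be the fully qualified name, not the bare "lang".
# NOTE(review): this address (192.168.241.153) differs from the one configured
# in /etc/network/interfaces above (192.168.244.152); use one address in both.
192.168.241.153 lang.linuggs.lan lang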


Console:
# Set the system hostname. hostname(5) recommends the short name only ("lang")
# in /etc/hostname, with the FQDN coming from /etc/hosts; the FQDN works too —
# the join output below shows the NetBIOS name "LANG", i.e. the label before
# the first dot — but keep the domain part consistent with the realm being joined.
echo lang.linuggs.lan > /etc/hostname
# Reboot so the running kernel hostname matches the file before the domain join.
reboot

resolv.conf

# NOTE(review): this example points at a different lab than the rest of the page
# (10.0.10.85 / hack.lab here vs. 192.168.242.13 / linuggs.lan in
# /etc/network/interfaces and krb5.conf). The nameserver must be an AD DNS server
# of the realm being joined, otherwise the KDC/LDAP records are not found.
# If resolvconf or systemd-resolved manages this file it is regenerated on boot;
# set DNS through the interface configuration instead of editing it by hand.
nameserver 10.0.10.85
search hack.lab

samba4 installieren

  • apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

PAM-Konfiguration aktualisieren

  • pam-auth-update

/etc/samba/smb.conf

# Samba domain-member configuration (winbind with rid id-mapping).
# NOTE(review): workgroup/realm here (HACK / HACK.LAB) do not match the realm
# used by krb5.conf and the `net ads join` output on this page (LINUGGS.LAN);
# realm must be the AD DNS domain in upper case and must agree everywhere.
[global]
  workgroup = HACK
  realm = HACK.LAB
  security = ADS

  # "winbind:5" is debug-level logging for winbind only; useful while getting
  # the join to work, then drop back to "log level = 1".
  log level = 1 winbind:5

  # Renew the Kerberos tickets obtained at logon (pam_winbind krb5_auth).
  winbind refresh tickets = Yes
  # Keep Windows ACLs and DOS attributes in extended attributes so NT
  # permissions survive on the Linux filesystem.
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  # Domain users appear without the "HACK\" prefix in getent/passwd output.
  winbind use default domain = yes
  # Home directory and shell come from the template lines below, not from AD.
  winbind nss info = template

  # Enumeration is not needed for logons and can be slow on large domains; it
  # only makes `getent passwd` / `wbinfo -u` list the whole domain.
  winbind enum users = yes
  winbind enum groups = yes

  # IDs for BUILTIN and anything not covered by a domain-specific block below.
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999

  # rid backend: UID/GID = RID + range start, identical on every member that
  # uses the same range. Ranges must not overlap each other or local UIDs.
  idmap config HACK : backend = rid
  idmap config HACK : range = 10000-99999

  template homedir = /home/%U
  template shell = /bin/bash

  # Maps the domain Administrator to local root. The map file is not shown on
  # this page (typically "!root = HACK\Administrator"); note that every holder
  # of that domain account then has root on this host.
  username map = /etc/samba/user.map

/etc/krb5.conf


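# /etc/krb5.conf for the Samba AD domain member.
# The Kerberos v4 settings from the old Debian template (v4_instance_resolve,
# v4_name_convert, [login] krb4_*) are dropped: krb4 support was removed from
# MIT Kerberos long ago and modern libkrb5 ignores those relations.
# NOTE(review): default_realm here is LINUGGS.LAN while the smb.conf above uses
# realm = HACK.LAB; both must name the same AD realm.
[libdefaults]
	default_realm = LINUGGS.LAN
	# Kept from the Debian krb5-config template (FILE ccache ticket-flag format).
	fcc-mit-ticketflags = true

[realms]
	# KDC pinned to a single domain controller by IP; if that DC is down, Kerberos
	# fails. Consider dns_lookup_kdc = true so other DCs are found via DNS SRV.
	LINUGGS.LAN = {
		kdc = 192.168.242.13
		admin_server = 192.168.242.13
	}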



Kerberos testen (Ticket für einen Domänenbenutzer holen; damit wird zugleich die Erreichbarkeit von DNS und KDC geprüft)

root@lang:~# kinit administrator
Password for administrator@LINUGGS.LAN: 
root@lang:~# 


Domäne beitreten


root@lang:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- LINUGGS
Joined 'LANG' to dns domain 'linuggs.lan'



nsswitch.conf ändern

# Only the two changed lines are shown; leave the rest of nsswitch.conf as is.
# "winbind" after "compat" means local accounts are resolved first and the
# domain is consulted only for names/IDs not found locally.
passwd:         compat winbind
group:          compat winbind

services neustarten

  • systemctl restart smbd
  • systemctl restart nmbd
  • systemctl restart winbind

Ist winbind erreichbar ("pingbar")?

root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

Anzeigen der Benutzerliste (Domänenbenutzer direkt über winbind)

root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

Anzeigen der passwd-Datenbank (lokale und Domänenbenutzer über nsswitch)

getent passwd

...
LINUGGS\administrator:*:10500:10513:Administrator:/home/LINUGGS/administrator:/bin/bash
LINUGGS\franz.walter:*:11117:10513:Franz Walter:/home/LINUGGS/franz.walter:/bin/bash
...

Hier sollten nun die Benutzer aus dem AD auftauchen.

Funktionsweise von nsswitch – Beispielausgabe aus einer anderen Domäne (XINUX); mit `winbind use default domain = yes` erscheinen die Benutzernamen wie hier ohne Domänen-Präfix.

 
getent passwd
administrator:*:70001:70005:Administrator:/home/XINUX/administrator:/bin/bash
dns-gondor:*:70002:70005:dns-gondor:/home/XINUX/dns-gondor:/bin/bash
krbtgt:*:70003:70005:krbtgt:/home/XINUX/krbtgt:/bin/bash
thomas:*:70004:70005:thomas:/home/XINUX/thomas:/bin/bash
guest:*:70005:70006:Guest:/home/XINUX/guest:/bin/bash
squid:*:70006:70005:squid:/home/XINUX/squid:/bin/bash

LIBPAM

libpam-winbind (ist im apt-Aufruf der Installation bereits enthalten; dieser Schritt ist nur nötig, falls das Paket dort ausgelassen wurde)

apt-get install libpam-winbind

Änderungen in /etc/pam.d/

sollten durch pam-auth-update automatisch vorgenommen worden sein; zur Kontrolle hier die erwarteten Einträge:

common-auth

# Debian "jump" stack: pam_unix handles local users first; on failure
# pam_winbind tries the domain; if neither succeeds, pam_deny ends the stack.
# nullok_secure permits empty local passwords on ttys Debian treats as secure;
# consider dropping it on a domain member.
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
# krb5_auth obtains a TGT at logon into a FILE ccache (renewed by "winbind
# refresh tickets" in smb.conf). cached_login only takes effect when smb.conf
# also sets "winbind offline logon = yes", which the smb.conf above does not.
# try_first_pass reuses the password already collected by pam_unix.
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

common-account

# Account checks mirror the auth stack: local accounts are validated by
# pam_unix, domain accounts by pam_winbind; pam_deny is reached only if both
# report "not my user".
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so

common-session

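# Debian pam-auth-update boilerplate: the first three lines make the stack
# succeed even if no session module below reports success.
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
# Create the home directory on first logon (domain users never go through
# useradd). umask=0077 makes the new home private (0700); the 0022 commonly
# copied from examples would leave every domain user's home world-readable.
session required pam_mkhomedir.so umask=0077 skel=/etc/skel
session required        pam_unix.so
session optional                        pam_winbind.so
session optional        pam_systemd.so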

sudo

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required   pam_deny.so
@include common-account