Version vom 12. Januar 2023, 13:38 Uhr

new

https://docs.vmware.com/de/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-F8F0CFCF-C4D6-4784-85FF-E7C6DF575F49.html

Installation

Interface anpassen

vi /etc/network/interfaces

auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
 address 10.0.10.96/24
 gateway 10.0.10.1

hosts anpassen

hostnamectl ads-client
vi /etc/hosts

127.0.0.1       localhost
127.0.1.1       ads-client.hack.lab     ads-client

resolv.conf

nameserver 10.0.10.85
search hack.lab

samba4 installieren

apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

Update der Pam

pam-auth-update

/etc/samba/smb.conf

[global]
  workgroup = HACK
  realm = HACK.LAB
  security = ADS

  log level = 1 winbind:5

  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  winbind use default domain = yes
  winbind nss info = template

  winbind enum users = yes
  winbind enum groups = yes

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999

  idmap config HACK : backend = rid
  idmap config HACK : range = 10000-99999

  template homedir = /home/%U
  template shell = /bin/bash

  # Mapping domain Administrator to local root
  username map = /etc/samba/user.map

/etc/krb5.conf

[libdefaults]
      default_realm = HACK.LAB
      dns_lookup_realm = true
      dns_lookup_kdc = true

[realms]
      HACK.LAB( = {
            kdc = 10.0.10.85
            admin_server = 10.0.10.85
      }

[domain_realm]
      .mydomain.com = HACK.LAB
      mydomain.com = HACK.LAB

Initiieren Sie ein Kerberos-Ticket

kinit administrator

List

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HACK.LAB

Valid starting       Expires              Service principal
01/12/2023 14:28:49  01/13/2023 00:28:49  krbtgt/HACK.LAB@HACK.LAB
	renew until 01/13/2023 14:28:45

Erstellen Sie eine Kerberos-Keytab-Datei

net ads keytab create -U administrator

Treten Sie der AD-Domäne bei

net ads join -U administrator

domaine beitreten


root@lang:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- LINUGGS
Joined 'LANG' to dns domain 'linuggs.lan'

/etc/nsswitch.conf ändern

passwd:         files systemd winbind
group:          files systemd winbind

services neustarten

systemctl restart smbd
systemctl restart nmbd
systemctl restart winbind

ist winbind is "pingbar

root@fenetre:~# wbinfo -p
Ping to winbindd succeeded

anzeigen der userliste

root@fenetre:~# wbinfo -u
Administrator
Guest
krbtgt

anzeigen der passwd

getent passwd

...
LINUGGS\administrator:*:10500:10513:Administrator:/home/LINUGGS/administrator:/bin/bash
LINUGGS\franz.walter:*:11117:10513:Franz Walter:/home/LINUGGS/franz.walter:/bin/bash
...

hier solten nun benutzer aus der ad autauchen

function of nsswitch

 
getent passwd
administrator:*:70001:70005:Administrator:/home/XINUX/administrator:/bin/bash
dns-gondor:*:70002:70005:dns-gondor:/home/XINUX/dns-gondor:/bin/bash
krbtgt:*:70003:70005:krbtgt:/home/XINUX/krbtgt:/bin/bash
thomas:*:70004:70005:thomas:/home/XINUX/thomas:/bin/bash
guest:*:70005:70006:Guest:/home/XINUX/guest:/bin/bash
squid:*:70006:70005:squid:/home/XINUX/squid:/bin/bash

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

LIBPAM

libpam-winbind

apt-get install libpam-winbind

änderungen in /etc/pam.d/

sollten automatisch geändert worden sein

common-auth

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

common-account

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so

common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
#add this if you want automatic creation of home dirs
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
#end 
session required        pam_unix.so
session optional                        pam_winbind.so
session optional        pam_systemd.so

sudo

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required   pam_deny.so
@include common-account

http://trabauer.com/?p=383

@@ Zeile 112: / Zeile 112: @@
-===nsswitch.conf ändern===
+===/etc/nsswitch.conf ändern===
-  passwd:         compat winbind
+  passwd:         files systemd winbind
-  group:          compat winbind
+  group:          files systemd winbind
 ===services neustarten===

Ubuntu-ads-client: Unterschied zwischen den Versionen

Version vom 12. Januar 2023, 13:38 Uhr

Inhaltsverzeichnis

new

Installation

Interface anpassen

hosts anpassen

resolv.conf

samba4 installieren

Update der Pam

/etc/samba/smb.conf

/etc/krb5.conf

Initiieren Sie ein Kerberos-Ticket

List

Erstellen Sie eine Kerberos-Keytab-Datei

Treten Sie der AD-Domäne bei

domaine beitreten

/etc/nsswitch.conf ändern

services neustarten

ist winbind is "pingbar

anzeigen der userliste

anzeigen der passwd

function of nsswitch

LIBPAM

libpam-winbind

änderungen in /etc/pam.d/

common-auth

common-account

common-session

sudo

Navigationsmenü

Suche