2010年9月7日 星期二

Join Ubuntu to a Windows 2003 Active Directory domain

#apt-get install krb5-user libpam-krb5 libnss-winbind libpam-winbind krb5-config winbind acl samba
install the Kerberos, Samba and Winbind packages (note the package is libnss-winbind, not libnss-winbin)

#vim /etc/network/interfaces
give the machine a static network address
===========================================
# loopback interface
auto lo
iface lo inet loopback

# static address on the same subnet as the domain controller (10.10.10.1),
# which is also the default gateway here
auto eth0
iface eth0 inet static
address 10.10.10.100
netmask 255.255.255.0
gateway 10.10.10.1

#vim /etc/hosts
edit the hosts file so this machine and the domain controller resolve by name
===========================================
# loopback
127.0.0.1 localhost
# this machine; the fully qualified name comes first so it is the canonical name
10.10.10.100 ubuntu.csp.com.tw ubuntu
# the domain controller: used below as KDC, DNS server and NTP server
10.10.10.1 twad1.csp.com.tw twad1

#vim /etc/resolv.conf
use the domain controller as the DNS server
# append the AD domain when resolving short names
search csp.com.tw
# the domain controller is the resolver
# NOTE(review): on some Ubuntu releases resolvconf/DHCP tooling may rewrite this file — verify it survives a reboot
nameserver 10.10.10.1

#ntpdate 10.10.10.1
synchronise the clock with the domain controller; Kerberos rejects tickets when the clocks are not closely in sync

#vim /etc/krb5.conf
modify the Kerberos configuration
add the lines below
=================================================
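[logging]
# destination of the Kerberos library log
# NOTE(review): this is a log file despite the .conf suffix; a name such as krb5.log would be less confusing
default = FILE:/var/log/krb5.conf

[libdefaults]
default_realm = CSP.COM.TW
# the KDC is listed explicitly in [realms], so DNS SRV lookups are not required
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true

# the realm stanza must sit under a [realms] header or the file does not parse
[realms]
CSP.COM.TW = {
kdc = twad1.csp.com.tw
admin_server = twad1.csp.com.tw
default_domain = csp.com.tw
}

[domain_realm]
# map hosts in the DNS domain (and the bare domain) to the realm; the realm is CSP, not CPS
.csp.com.tw = CSP.COM.TW
csp.com.tw = CSP.COM.TW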

#vim /etc/samba/smb.conf
modify the Samba configuration (the smb.conf settings follow the nsswitch.conf step below)
===========================================
#vim /etc/nsswitch.conf
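# "files" is the NSS source name ("file" is not a valid service); compat already reads /etc/passwd and /etc/group,
# winbind adds the domain users and groups
passwd: compat files winbind
group: compat files winbind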
===========================================
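# These settings belong in the existing [global] section of smb.conf.
workgroup = CSP
preferred master = no
# local uid/gid range that winbind maps domain SIDs into (Samba 3 style idmap; newer releases use "idmap config")
idmap uid = 10000-20000
idmap gid = 10000-20000
# domain and account are written DOMAIN+user, e.g. CSP+tommy
winbind separator = +
# enumerating all users/groups can be slow on large domains
winbind enum users = yes
winbind enum groups = yes
# %D = domain, %U = user, giving /home/CSP/tommy; pam_mkhomedir creates it at login
template homedir = /home/%D/%U
template primary group = "Domain users"
template shell = /bin/bash
client use spnego = yes
# NOTE(review): permits NTLM authentication in addition to Kerberos; keep only if clients need it
ntlm auth = yes
encrypt passwords = yes
# users log in as "tommy" rather than "CSP+tommy"
winbind use default domain = yes
winbind nested groups = yes
# 2 = no anonymous access
restrict anonymous = 2
# authenticate against Active Directory (Kerberos) in the realm below
security = ads
realm = CSP.COM.TW
password server = 10.10.10.1

[homes]
comment = home folders
# the parameter is "valid users"; each user may only reach their own home share
valid users = %U
read only = no
browseable = no

[Share]
comment = share for active directory auth
path = /share
browseable = yes
read only = no
# the parameter is "inherit acls"; new files take the ACL of the parent directory
inherit acls = yes
inherit permissions = yes
# new files and directories are owner-only (octal 0700)
create mask = 0700
directory mask = 0700
# groups are prefixed with @; names containing spaces are quoted, "+" is the winbind separator
valid users = @"CSP+linux team","CSP+tommy","CSP+john"
# members of this group act as root on this share — keep the group small
admin users = @"CSP+admin team"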

#/etc/init.d/smbd stop
#/etc/init.d/nmbd stop
#/etc/init.d/winbind stop
#/etc/init.d/winbind start
#/etc/init.d/nmbd start
#/etc/init.d/smbd start
restart the Samba and Winbind services so the new configuration is loaded

#net ads join -S TWAD1 -U username%password
join the domain with a domain account; if the `%password` part is omitted, `net` prompts for the password so it does not end up in the shell history

#vim /etc/pam.d/common-session
add the following line so a home directory is created when a domain user first logs in
# create the home directory (/home/CSP/<user>, matching "template homedir" in smb.conf) on first login,
# copying /etc/skel; 0022 gives the owner full access and others read-only
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

#mkdir /home/CSP
#chmod 755 /home/CSP
create the parent directory under which the home folders of CSP domain users are made (/home/%D in smb.conf)

#wbinfo -g
#wbinfo -u
use wbinfo to list the domain's groups and users; this confirms winbind can talk to the domain controller

#smbstatus
smbstatus prints the Samba version and the current connections

add the proxy user to the winbindd_priv group so it can use winbind's privileged pipe
#vim /etc/group
winbindd_priv:x:112:proxy
