linux下加入windows ad域的
下面是3 种linux下加入 windows Acitve Directory 并用 AD 验证帐号的方法。
假设您的环境是 AD server: server.redhat.com
realm: redhat.com
方法1:
该方法适用于有图形界面的环境。
执行命令
# system-config-authentication
方法2:
该方法适用于文本界面环境。
执行命令
# setup
选择
Authentication
方法3:
该方法适用于文本界面环境。
修改 /etc/krb5.conf
[root@client1 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REDHAT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
REDHAT.COM = {
kdc = server.redhat.com.com:88
admin_server = server.redhat.com:749
default_domain = redhat.com
}
[domain_realm]
redhat.com = REDHAT.COM
.redhat.com = REDHAT.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root@client1 ~]#
2 修改 /etc/samba/smb.conf
[global]
#--authconfig--start-line--
workgroup = redhat.com
passWord server = server.redhat.com
realm = REDHAT.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline loGon = false
#--authconfig--end-line--
3 修改 /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
4 修改 pam 认证模块
添加
[root@client1 ~]# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_mkhomedir.so
5 加入 Windows Active Directory 域
[root@client1 ~]# net ads join -S server.redhat.com -W REDHAT.COM -U
Administrator
6 启动 winbind
# chkconfig --level 35 winbind on
# service winbind restart
相关文章