linux下加入windows ad域的

2023-01-31 05:01:12 windows linux ad

下面是3 种linux下加入 windows Acitve Directory 并用 AD 验证帐号的方法。
假设您的环境是  AD server:    server.redhat.com

                             realm:    redhat.com 

方法1:

该方法适用于有图形界面的环境。

执行命令

# system-config-authenticatio

方法2:

该方法适用于文本界面环境。

执行命令

# setup

选择

Authentication 

方法3:

该方法适用于文本界面环境。

修改 /etc/krb5.conf

[root@client1 ~]# cat /etc/krb5.conf

[logging]

 default = FILE:/var/log/krb5libs.log

 kdc = FILE:/var/log/krb5kdc.log

 admin_server = FILE:/var/log/kadmind.log

[libdefaults]

 default_realm = REDHAT.COM

 dns_lookup_realm = false

 dns_lookup_kdc = false

 ticket_lifetime = 24h

 forwardable = yes

[realms]

 REDHAT.COM = {

  kdc = server.redhat.com.com:88

  admin_server = server.redhat.com:749

  default_domain = redhat.com

 }

[domain_realm]

 redhat.com = REDHAT.COM

 .redhat.com = REDHAT.COM

[appdefaults]

 pam = {

   debug = false

   ticket_lifetime = 36000

   renew_lifetime = 36000

   forwardable = true

   krb4_convert = false

 }

[root@client1 ~]#
 

2 修改 /etc/samba/smb.conf

[global]

#--authconfig--start-line--

   workgroup = redhat.com

   passWord server = server.redhat.com

   realm = REDHAT.COM

   security = ads

   idmap uid = 16777216-33554431

   idmap gid = 16777216-33554431

   template shell = /bin/bash

   winbind use default domain = false

   winbind offline loGon = false

#--authconfig--end-line-- 

3 修改 /etc/nsswitch.conf

passwd:     files winbind

shadow:     files winbind

group:      files winbind 

4 修改 pam 认证模块

添加

[root@client1 ~]# cat /etc/pam.d/system-auth-ac

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid  >= 500 quiet

auth        sufficient    pam_winbind.so use_first_pass

auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow

account     sufficient    pam_succeed_if.so uid  < 500 quiet

account     [default=bad success=ok user_unknown=ignore] pam_winbind.so

account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass

use_authtok

password    sufficient    pam_winbind.so use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in

crond quiet use_uid

session     required      pam_unix.so

session     optional      pam_mkhomedir.so 

5 加入 Windows Active Directory 域

[root@client1 ~]# net ads join -S server.redhat.com -W REDHAT.COM -U

Administrator 

6 启动 winbind

# chkconfig --level 35 winbind on

# service winbind restart

相关文章