Linux机器Centos6和rhel6系统主机加入W2K8 AD域环境

时间:2014-07-26 03:21:58   收藏:0   阅读:8257

基础架构图如下:

 bubuko.com,布布扣

AD同时配置DNS功能,实现互通及域名正反解析功能!

系统及本版信息如下

bubuko.com,布布扣

Krb5软件安装

需要安装以下4个软件:

krb5-workstation

krb5-devel

krb5-libs

pam_krb5

[root@centos6-server ~]# rpm -qa | grep krb

krb5-libs-1.10.3-10.el6.i686

krb5-devel-1.10.3-10.el6.i686

[root@centos6-server ~]# yum install krb5-workstation pam_krb5 -y

[root@centos6-server ~]# rpm -qa | grep krb5

krb5-libs-1.10.3-10.el6.i686

krb5-devel-1.10.3-10.el6.i686

krb5-workstation-1.10.3-10.el6.i686

pam_krb5-2.3.11-9.el6.i686

krb5-auth-dialog-0.13-3.el6.i686

 

krb5软件需求安装完成!

 

Samba软件安装

需要安装以下5个软件:

samba

samba-common

samba-client

samba-winbind

samba-winbind-clients

[root@centos6-server ~]# rpm -qa | grep samba

samba-winbind-3.6.9-151.el6.i686

samba-common-3.6.9-151.el6.i686

samba-winbind-clients-3.6.9-151.el6.i686

[root@centos6-server ~]# yum install samba-client samba -y

 

三、Linux机器通过图形界面加入域

bubuko.com,布布扣

 

bubuko.com,布布扣

 

bubuko.com,布布扣

 

bubuko.com,布布扣

 

bubuko.com,布布扣

 

bubuko.com,布布扣

 

bubuko.com,布布扣

 

出现报错信息如下:

bubuko.com,布布扣

[root@centos6-server ~]# net ads join -U administrator

Enter administrator‘s password:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket expired

Failed to join domain: failed to connect to AD: Ticket expired

系统时间不同步问题(最好保持时间间隔在5分钟内!)

 

[root@centos6-server ~]# clock

Tue 22 Jul 2014 01:16:55 PM CST  -0.157382 seconds

[root@centos6-server ~]# date -s 2014-07-23

Wed Jul 23 00:00:00 CST 2014

[root@centos6-server ~]# date -s 13:18:30

Wed Jul 23 13:18:30 CST 2014

[root@centos6-server ~]# hwclock --systohc

[root@centos6-server ~]# clock

Wed 23 Jul 2014 01:18:36 PM CST  -0.235184 seconds

[root@centos6-server ~]# net ads join -U Administrator

Enter Administrator‘s password:

Using short domain name -- TEST

Joined ‘CENTOS6-SERVER‘ to dns domain ‘test.com‘

DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED

DNS update failed!

 

原因:DNS设置问题

DNS服务器IP127.0.0.1 修改为本机IP192.168.4.172

bubuko.com,布布扣

[root@centos6-server ~]# net ads join -U Administrator

Enter Administrator‘s password:

Using short domain name -- TEST

Joined ‘CENTOS6-SERVER‘ to dns domain ‘test.com‘

DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED

DNS update failed!

 

刷新Linux机器的dns

[root@centos6-server ~]# yum install nscd -y

[root@centos6-server ~]# service nscd restart

Stopping nscd: [FAILED]

Starting nscd: [  OK  ]

[root@centos6-server ~]# service nscd restart

Stopping nscd: [  OK  ]

Starting nscd: [  OK  ]

[root@centos6-server ~]#

 

[root@centos6-server ~]# net ads join -U Administrator

Enter Administrator‘s password:

Using short domain name -- TEST

Joined ‘CENTOS6-SERVER‘ to dns domain ‘test.com‘

DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED

DNS update failed!

 

最终通过图形界面还是没有成功加入到域环境中!(改用配置方式,发现有些配置文件中缺少参数设置!

 

四、通过配置文件设定加入域(主要为3个配置文件,修改红色框内的)

1vi /etc/nsswitch.conf

bubuko.com,布布扣

2vi /etc/krb5.conf

bubuko.com,布布扣

 

3vi /etc/samba/smb.conf

bubuko.com,布布扣

 

bubuko.com,布布扣

[root@centos6-server ~]# chkconfig --list smb

smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off

[root@centos6-server ~]# chkconfig smb on

/添加smb服务随系统自动启动

[root@centos6-server ~]# chkconfig --list smb

smb             0:off   1:off   2:on    3:on    4:on    5:on    6:off

[root@centos6-server ~]# service smb start

Starting SMB services:

[root@centos6-server ~]# hostname

centos6-server

[root@centos6-server ~]# net ads info

LDAP server: 192.168.4.172

LDAP server name: dc.test.com

Realm: TEST.COM

Bind Path: dc=TEST,dc=COM

LDAP port: 389

Server time: Wed, 23 Jul 2014 15:46:25 CST

KDC server: 192.168.4.172

Server time offset: -26

/查看域相关信息

[root@centos6-server ~]# net ads testjoin

Join is OK

/测试加域成功

[root@centos6-server ~]# net ads join -U Administrator

Enter Administrator‘s password:

Using short domain name -- TEST

Joined ‘CENTOS6-SERVER‘ to dns domain ‘test.com‘

/centos6-server机器加入域test.com成功

查看w2k8 AD截图如下:

bubuko.com,布布扣

[root@centos6-server ~]# wbinfo -u

administrator

guest

krbtgt

zhang3

test11

/查看域内的用户

对应w2k8 AD上也可看到用户zhang3test11

bubuko.com,布布扣

 [root@centos6-server ~]# wbinfo -g

domain computers

domain controllers

schema admins

enterprise admins

cert publishers

domain admins

domain users

domain guests

group policy creator owners

ras and ias servers

allowed rodc password replication group

denied rodc password replication group

read-only domain controllers

enterprise read-only domain controllers

dnsadmins

dnsupdateproxy

/查看域内的组

五、实现用户登录时自动创建用户目录

[root@centos6-server ~]# vi /etc/pam.d/system-auth

添加如下信息:

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel silent

[root@centos6-server ~]# vi /etc/pam.d/sshd

添加如下信息:

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel silent

 

用户SSH登录测试:

bubuko.com,布布扣

bubuko.com,布布扣

bubuko.com,布布扣

bubuko.com,布布扣

test11zhang3用户均ssh登录成功!

图像界面登录测试:

bubuko.com,布布扣

bubuko.com,布布扣

bubuko.com,布布扣

图像界面下test11zhang3用户均登录成功!

bubuko.com,布布扣

Linux机器上可以看到administrator,test11,zhang3几个用户均为域用户。

 

六、RHEL6机器加入域:

 

[root@rhel6-client ~]# cat /etc/issue

Red Hat Enterprise Linux Server release 6.2 (Santiago)

Kernel \r on an \m

 

[root@rhel6-client ~]# uname -r

2.6.32-220.el6.i686

[root@rhel6-client ~]# hostname

rhel6-client

[root@rhel6-client ~]# date

Thu Jul 24 14:17:38 CST 2014

[root@rhel6-client ~]# cat /etc/resolv.conf

nameserver 192.168.4.172

[root@rhel6-client ~]# nslookup dc.test.com

Server:         192.168.4.172

Address:        192.168.4.172#53

 

Name:   dc.test.com

Address: 192.168.4.172

 

[root@rhel6-client ~]# nslookup 192.168.4.172

Server:         192.168.4.172

Address:        192.168.4.172#53

 

172.4.168.192.in-addr.arpa      name = dc.test.com.

解决时间同步和DNS解析问题!

 

参照Centos6环境来安装和配置:

[root@rhel6-client ~]# yum install krb5-workstation  pam_krb5 –y

[root@rhel6-client ~]# yum install samba samba-client samba-common samba-winbind samba-winbind-client –y

[root@rhel6-client ~]# vi /etc/nsswitch.conf

修改部分:

passwd:     files winbind

shadow:     files winbind

group:       files winbind

[root@rhel6-client ~]# vi /etc/krb5.conf

修改部分:

[realms]

 TEST.COM = {

  kdc = 192.168.4.172:88

  admin_server = 192.168.4.172:749

  default_domain = test.com

  kdc = 192.168.4.172

 }

 

[domain_realm]

 test.com = TEST.COM

 .test.com = TEST.COM

[root@rhel6-client ~]# vi /etc/samba/smb.conf

修改部分:

workgroup = TEST

;       security = user

;       passdb backend = tdbsam

/注释点以上2

        password server = 192.168.4.172

        realm = TEST.COM

        security = ads

        idmap uid = 16777216-33554431

        idmap gid = 16777216-33554431

        winbind separator = /

        template homedir = /home/%D/%U

        template shell = /bin/bash

        winbind use default domain = true

        winbind offline logon = true

        winbind enum users = yes

        winbind enum groups = yes

[homes]

        comment = Home Directories

        path = /home/D%%U

        browseable = no

        writable = yes

;       valid users = %S

;       valid users = MYDOMAIN\%S

        valid users = TEST.COM\%U

        create mode = 0644

        directory mode = 0755

[root@rhel6-client ~]# service smb start

Starting SMB services: [  OK  ]

[root@rhel6-client ~]# chkconfig --list smb

smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off

[root@rhel6-client ~]# chkconfig smb on

[root@rhel6-client ~]# chkconfig --list smb

smb             0:off   1:off   2:on    3:on    4:on    5:on    6:off

[root@rhel6-client ~]# net ads info

[2014/07/24 15:00:42.789987,  0] param/loadparm.c:7619(lp_do_parameter)

  Ignoring unknown parameter "idmap conifg *"

LDAP server: 192.168.4.172

LDAP server name: dc.test.com

Realm: TEST.COM

Bind Path: dc=TEST,dc=COM

LDAP port: 389

Server time: Thu, 24 Jul 2014 15:01:13 CST

KDC server: 192.168.4.172

Server time offset: 31

[root@rhel6-client ~]# net ads join -U administrator

[2014/07/24 14:52:20.186378,  0] param/loadparm.c:7619(lp_do_parameter)

  Ignoring unknown parameter "idmap conifg *"

Enter administrator‘s password:

Using short domain name -- TEST

Joined ‘RHEL6-CLIENT‘ to realm ‘test.com‘

[root@rhel6-client ~]# wbinfo -u

[root@rhel6-client ~]# wbinfo –g

还未获取到域内的信息,稍等片刻!

[root@rhel6-client ~]# service winbind restart

Shutting down Winbind services: [  OK  ]

Starting Winbind services: [  OK  ]

[root@rhel6-client ~]# wbinfo -u

administrator

guest

krbtgt

zhang3

test11

[root@rhel6-client ~]# wbinfo -g

domain computers

domain controllers

schema admins

enterprise admins

cert publishers

domain admins

domain users

domain guests

group policy creator owners

ras and ias servers

allowed rodc password replication group

denied rodc password replication group

read-only domain controllers

enterprise read-only domain controllers

dnsadmins

dnsupdateproxy

[root@rhel6_client ~]# getent passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

nscd:x:28:28:NSCD Daemon:/:/sbin/nologin

nslcd:x:65:55:LDAP Client User:/:/sbin/nologin

administrator:*:16777216:16777220:Administrator:/home/TEST/administrator:/bin/bash

guest:*:16777217:16777221:Guest:/home/TEST/guest:/bin/bash

krbtgt:*:16777218:16777220:krbtgt:/home/TEST/krbtgt:/bin/bash

zhang3:*:16777219:16777220:zhang3:/home/TEST/zhang3:/bin/bash

test11:*:16777220:16777220:test11:/home/TEST/test11:/bin/bash

[root@rhel6_client ~]# getent group

root:x:0:root

bin:x:1:root,bin,daemon

daemon:x:2:root,bin,daemon

sys:x:3:root,bin,adm

adm:x:4:root,adm,daemon

tty:x:5:

disk:x:6:root

lp:x:7:daemon,lp

mem:x:8:

kmem:x:9:

wheel:x:10:root

mail:x:12:mail,postfix

uucp:x:14:uucp

man:x:15:

games:x:20:

gopher:x:30:

video:x:39:

dip:x:40:

ftp:x:50:

lock:x:54:

audio:x:63:

nobody:x:99:

users:x:100:

utmp:x:22:

utempter:x:35:

floppy:x:19:

vcsa:x:69:

cdrom:x:11:

tape:x:33:

dialout:x:18:

saslauth:x:76:

postdrop:x:90:

postfix:x:89:

sshd:x:74:

nscd:x:28:

ldap:x:55:

wbpriv:x:88:

domain computers:*:16777222:

domain controllers:*:16777223:

schema admins:*:16777224:administrator

enterprise admins:*:16777225:administrator

cert publishers:*:16777226:

domain admins:*:16777227:administrator

domain users:*:16777220:

domain guests:*:16777221:

group policy creator owners:*:16777228:administrator

ras and ias servers:*:16777229:

allowed rodc password replication group:*:16777230:

denied rodc password replication group:*:16777231:krbtgt

read-only domain controllers:*:16777232:

enterprise read-only domain controllers:*:16777233:

dnsadmins:*:16777234:

dnsupdateproxy:*:16777235:

bubuko.com,布布扣

rhel6-client加域成功!

[root@rhel6-client ~]# cat /etc/pam.d/sshd

#%PAM-1.0

auth       required     pam_sepermit.so

auth       include      password-auth

account    required     pam_nologin.so

account    include      password-auth

password   include      password-auth

# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close

session    required     pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session    required     pam_selinux.so open env_params

session    optional     pam_keyinit.so force revoke

session    include      password-auth

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel silent

 

[root@rhel6-client ~]# cat /etc/pam.d/system-auth

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        sufficient    pam_ldap.so

auth        required      pam_deny.so

 

account     required      pam_unix.so

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

account     required      pam_permit.so

 

password    requisite     pam_cracklib.so try_first_pass retry=3 type=

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password    sufficient    pam_ldap.so use_authtok

password    required      pam_deny.so

 

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     optional      pam_ldap.so

session     required      pam_unix.so

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel silent

 

登录测试

[root@rhel6_client ~]# su - test11

su: user test11 does not exist

[root@rhel6_client ~]# su - zhang3

su: user zhang3 does not exist

 

[root@rhel6_client ~]#cat /var/log/secure

报错信息:

Jul 24 15:39:41 rhel6-client sshd[1734]: pam_succeed_if(sshd:auth): error retrieving information about user zhang3

Jul 24 15:39:43 rhel6-client sshd[1734]: Failed password for invalid user zhang3 from 192.168.4.240 port 62095 ssh2

Jul 24 15:39:46 rhel6-client sshd[1735]: Received disconnect from 192.168.4.240: 13: The user canceled authentication.

Jul 24 15:40:01 rhel6-client sshd[1736]: Invalid user test11 from 192.168.4.240

Jul 24 15:40:01 rhel6-client sshd[1737]: input_userauth_request: invalid user test11

Jul 24 15:40:08 rhel6-client sshd[1736]: pam_unix(sshd:auth): check pass; user unknown

Jul 24 15:40:08 rhel6-client sshd[1736]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.240

Jul 24 15:40:08 rhel6-client sshd[1736]: pam_succeed_if(sshd:auth): error retrieving information about user test11

Jul 24 15:40:10 rhel6-client sshd[1736]: Failed password for invalid user test11 from 192.168.4.240 port 62122 ssh2

Jul 24 15:40:13 rhel6-client sshd[1737]: Received disconnect from 192.168.4.240: 13: The user canceled authentication

 

[root@rhel6-client Packages]# yum rpcbind –y

[root@rhel6-client Packages]# /etc/init.d/winbind restart

 

Shutting down Winbind services: [  OK  ]

Starting Winbind services: [  OK  ]

[root@rhel6-client Packages]# wbinfo -t

checking the trust secret for domain TEST via RPC calls succeeded

[root@rhel6-client Packages]# wbinfo -u

administrator

guest

krbtgt

zhang3

test11

[root@rhel6-client Packages]# wbinfo -g

domain computers

domain controllers

schema admins

enterprise admins

cert publishers

domain admins

domain users

domain guests

group policy creator owners

ras and ias servers

allowed rodc password replication group

denied rodc password replication group

read-only domain controllers

enterprise read-only domain controllers

dnsadmins

dnsupdateproxy

由于无法自动创建域用户目录,需要手动建立域用户目录,rhel6这点不同于centos6系统可以自动建立登录用户目录!

[root@rhel6-client Packages]#cd /home

[root@rhel6-client home]# ls -al

total 8

drwxr-xr-x.  2 root root 4096 Jul 25 10:37 .

dr-xr-xr-x. 21 root root 4096 Jul 25 10:28 ..

[root@rhel6-client ]#cd

[root@rhel6-client ]# mkdir /home/TEST

[root@rhel6-client ]# chmod -R 755 /home/TEST

[root@rhel6-client ]# service smb restart

Shutting down SMB services: [  OK  ]

Starting SMB services: [  OK  ]

[root@rhel6-client home]# service winbind restart

 

Shutting down Winbind services: [FAILED]

Starting Winbind services: [  OK  ]

[root@rhel6-client]# wbinfo -t

checking the trust secret for domain TEST via RPC calls succeeded

[root@rhel6-client ]# wbinfo -u

administrator

guest

krbtgt

zhang3

test11

[root@rhel6-client ~]# wbinfo -g

domain computers

domain controllers

schema admins

enterprise admins

cert publishers

domain admins

domain users

domain guests

group policy creator owners

ras and ias servers

allowed rodc password replication group

denied rodc password replication group

read-only domain controllers

enterprise read-only domain controllers

dnsadmins

dnsupdateproxy

[root@rhel6-client ~]# su - zhang3

[zhang3@rhel6-client ~]$ exit

logout

[root@rhel6-openvpn ~]# su - test11

[test11@rhel6-openvpn ~]$

[root@rhel6-openvpn ~]# ls -al /home/

total 12

drwxr-xr-x.  3 root root 4096 Jul 25 10:37 .

dr-xr-xr-x. 21 root root 4096 Jul 25 10:28 ..

drwxr-xr-x   4 root root 4096 Jul 25 10:39 TEST

[root@rhel6-openvpn ~]# cd /home/TEST/

[root@rhel6-openvpn TEST]# ls -al

total 16

drwxr-xr-x  4 root   root         4096 Jul 25 10:39 .

drwxr-xr-x. 3 root   root         4096 Jul 25 10:37 ..

drwxr-xr-x  2 test11 domain users 4096 Jul 25 11:08 test11

drwxr-xr-x  2 zhang3 domain users 4096 Jul 25 10:39 zhang3

 

域用户test11zhang3用户成功可成功登录到rhel6机器。

 

至此,市面上主流Linux系统centos6,rhel6机器已成功加入windows 2008 server AD域中;

期间遇到的主要问题为1、时间同步问题,2DNS解析问题,3smb.confkrb5.conf配置参数细节问题。

本文出自 “Bruce_tan” 博客,请务必保留此出处http://380281.blog.51cto.com/370281/1530071

Linux机器Centos6和rhel6系统主机加入W2K8 AD域环境,布布扣,bubuko.com

评论(0
© 2014 mamicode.com 版权所有 京ICP备13008772号-2  联系我们:gaon5@hotmail.com
迷上了代码!