Joining CentOS 6 and RHEL 6 Linux hosts to a Windows 2008 (W2K8) AD domain
Lab environment setup
The infrastructure diagram is as follows:
The AD server also runs DNS, providing connectivity plus forward and reverse name resolution.
Linux machine configuration
System and version information is as follows
Installing the Krb5 packages
The following four packages are required:
krb5-workstation
krb5-devel
krb5-libs
pam_krb5
[root@centos6-server ~]# rpm -qa | grep krb
krb5-libs-1.10.3-10.el6.i686
krb5-devel-1.10.3-10.el6.i686
[root@centos6-server ~]# yum install krb5-workstation pam_krb5 -y
[root@centos6-server ~]# rpm -qa | grep krb5
krb5-libs-1.10.3-10.el6.i686
krb5-devel-1.10.3-10.el6.i686
krb5-workstation-1.10.3-10.el6.i686
pam_krb5-2.3.11-9.el6.i686
krb5-auth-dialog-0.13-3.el6.i686
The required krb5 packages are installed.
Installing the Samba packages
The following five packages are required:
samba
samba-common
samba-client
samba-winbind
samba-winbind-clients
[root@centos6-server ~]# rpm -qa | grep samba
samba-winbind-3.6.9-151.el6.i686
samba-common-3.6.9-151.el6.i686
samba-winbind-clients-3.6.9-151.el6.i686
[root@centos6-server ~]# yum install samba-client samba -y
3. Joining the Linux machine to the domain via the graphical interface
The following error appears:
[root@centos6-server ~]# net ads join -U administrator
Enter administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket expired
Failed to join domain: failed to connect to AD: Ticket expired
Cause: the system clock is out of sync with the domain controller (keep the difference within 5 minutes).
[root@centos6-server ~]# clock
Tue 22 Jul 2014 01:16:55 PM CST -0.157382 seconds
[root@centos6-server ~]# date -s 2014-07-23
Wed Jul 23 00:00:00 CST 2014
[root@centos6-server ~]# date -s 13:18:30
Wed Jul 23 13:18:30 CST 2014
[root@centos6-server ~]# hwclock --systohc
[root@centos6-server ~]# clock
Wed 23 Jul 2014 01:18:36 PM CST -0.235184 seconds
[root@centos6-server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'CENTOS6-SERVER' to dns domain 'test.com'
DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!
Cause: DNS configuration.
The DNS server address was 127.0.0.1; change it to 192.168.4.172.
[root@centos6-server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'CENTOS6-SERVER' to dns domain 'test.com'
DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!
Refresh the Linux machine's DNS cache (install and restart nscd):
[root@centos6-server ~]# yum install nscd -y
[root@centos6-server ~]# service nscd restart
Stopping nscd: [FAILED]
Starting nscd: [ OK ]
[root@centos6-server ~]# service nscd restart
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
[root@centos6-server ~]#
[root@centos6-server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'CENTOS6-SERVER' to dns domain 'test.com'
DNS Update for centos6-server.test.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!
In the end the join through the graphical interface still did not succeed. (Switching to the configuration-file approach revealed that some configuration files were missing parameter settings.)
4. Joining the domain via configuration files (mainly three files; the parts to modify were marked with red boxes in the original screenshots)
1. vi /etc/nsswitch.conf
2. vi /etc/krb5.conf
3. vi /etc/samba/smb.conf
[root@centos6-server ~]# chkconfig --list smb
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@centos6-server ~]# chkconfig smb on
/ Enable the smb service to start automatically with the system
[root@centos6-server ~]# chkconfig --list smb
smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@centos6-server ~]# service smb start
Starting SMB services:
[root@centos6-server ~]# hostname
centos6-server
[root@centos6-server ~]# net ads info
LDAP server: 192.168.4.172
LDAP server name: dc.test.com
Realm: TEST.COM
Bind Path: dc=TEST,dc=COM
LDAP port: 389
Server time: Wed, 23 Jul 2014 15:46:25 CST
KDC server: 192.168.4.172
Server time offset: -26
/ Show domain information
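As an added check (example script, not from the original post): Kerberos rejects tickets when client and KDC clocks differ by more than its default 300-second clockskew tolerance, which is what produced the "Ticket expired" error in section 3. The script parses the "Server time offset" line of `net ads info` output, using a constructed copy of the output shown above as its sample, and reports whether the skew is inside that tolerance before a join is attempted.

```shell
#!/bin/sh
# Added example (not from the original post): read the "Server time offset"
# that `net ads info` prints and flag a skew Kerberos will reject.
# MIT Kerberos tolerates 300 seconds of clock skew by default.
MAX_SKEW=300

# Constructed sample of `net ads info` output, modelled on the post's run.
SAMPLE_INFO='LDAP server: 192.168.4.172
LDAP server name: dc.test.com
Realm: TEST.COM
Bind Path: dc=TEST,dc=COM
LDAP port: 389
Server time: Wed, 23 Jul 2014 15:46:25 CST
KDC server: 192.168.4.172
Server time offset: -26'

# skew_seconds INFO_TEXT -> prints the absolute offset in seconds
skew_seconds() {
    printf '%s\n' "$1" | awk -F': *' '
        /^Server time offset:/ {
            off = $2 + 0
            if (off < 0) off = -off
            print off
            exit
        }'
}

# skew_ok INFO_TEXT -> 0 when the skew is within MAX_SKEW, 1 otherwise
# (also 1 when the offset line is missing, so a broken lookup is not "ok")
skew_ok() {
    off=$(skew_seconds "$1")
    [ -n "$off" ] && [ "$off" -le "$MAX_SKEW" ]
}

# Live use would be: skew_ok "$(net ads info)" || echo "fix the clock first"
if skew_ok "$SAMPLE_INFO"; then
    echo "clock skew $(skew_seconds "$SAMPLE_INFO")s is within ${MAX_SKEW}s"
else
    echo "clock skew exceeds ${MAX_SKEW}s: sync time before 'net ads join'"
fi
```

On the hosts in this post the same check can be wired in front of `net ads join`, and the time fix itself should be ntpd against the domain controller rather than a one-off `date -s`.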
[root@centos6-server ~]# net ads testjoin
Join is OK
/ Verify that the join is valid
[root@centos6-server ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'CENTOS6-SERVER' to dns domain 'test.com'
/ centos6-server has joined the domain test.com successfully
The corresponding view on the W2K8 AD side (screenshot in the original):
[root@centos6-server ~]# wbinfo -u
administrator
guest
krbtgt
zhang3
test11
/ List the domain's users
The users zhang3 and test11 are also visible on the W2K8 AD side.
[root@centos6-server ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
/ List the domain's groups
5. Creating a user's home directory automatically at login
[root@centos6-server ~]# vi /etc/pam.d/system-auth
Add the following line:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
[root@centos6-server ~]# vi /etc/pam.d/sshd
Add the following line:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
SSH login test:
Both test11 and zhang3 log in successfully over SSH.
Graphical login test:
Both test11 and zhang3 log in successfully at the graphical login screen.
From the Linux machine, administrator, test11 and zhang3 are all shown as domain users.
6. Joining the RHEL6 machine to the domain:
[root@rhel6-client ~]# cat /etc/issue
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel \r on an \m
[root@rhel6-client ~]# uname -r
2.6.32-220.el6.i686
[root@rhel6-client ~]# hostname
rhel6-client
[root@rhel6-client ~]# date
Thu Jul 24 14:17:38 CST 2014
[root@rhel6-client ~]# cat /etc/resolv.conf
nameserver 192.168.4.172
[root@rhel6-client ~]# nslookup dc.test.com
Server: 192.168.4.172
Address: 192.168.4.172#53
Name: dc.test.com
Address: 192.168.4.172
[root@rhel6-client ~]# nslookup 192.168.4.172
Server: 192.168.4.172
Address: 192.168.4.172#53
172.4.168.192.in-addr.arpa name = dc.test.com.
Time synchronization and DNS resolution are confirmed working.
Install and configure following the CentOS 6 procedure:
[root@rhel6-client ~]# yum install krb5-workstation pam_krb5 -y
[root@rhel6-client ~]# yum install samba samba-client samba-common samba-winbind samba-winbind-clients -y
[root@rhel6-client ~]# vi /etc/nsswitch.conf
Modified section:
passwd: files winbind
shadow: files winbind
group: files winbind
[root@rhel6-client ~]# vi /etc/krb5.conf
Modified section:
[realms]
TEST.COM = {
kdc = 192.168.4.172:88
admin_server = 192.168.4.172:749
default_domain = test.com
kdc = 192.168.4.172
}
[domain_realm]
test.com = TEST.COM
.test.com = TEST.COM
[root@rhel6-client ~]# vi /etc/samba/smb.conf
Modified section:
workgroup = TEST
; security = user
; passdb backend = tdbsam
/ Comment out the two lines above
password server = 192.168.4.172
realm = TEST.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = /
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
[homes]
comment = Home Directories
path = /home/%D/%U
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
valid users = TEST.COM\%U
create mode = 0644
directory mode = 0755
[root@rhel6-client ~]# service smb start
Starting SMB services: [ OK ]
[root@rhel6-client ~]# chkconfig --list smb
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@rhel6-client ~]# chkconfig smb on
[root@rhel6-client ~]# chkconfig --list smb
smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@rhel6-client ~]# net ads info
[2014/07/24 15:00:42.789987, 0] param/loadparm.c:7619(lp_do_parameter)
Ignoring unknown parameter "idmap conifg *"
LDAP server: 192.168.4.172
LDAP server name: dc.test.com
Realm: TEST.COM
Bind Path: dc=TEST,dc=COM
LDAP port: 389
Server time: Thu, 24 Jul 2014 15:01:13 CST
KDC server: 192.168.4.172
Server time offset: 31
[root@rhel6-client ~]# net ads join -U administrator
[2014/07/24 14:52:20.186378, 0] param/loadparm.c:7619(lp_do_parameter)
Ignoring unknown parameter "idmap conifg *"
Enter administrator's password:
Using short domain name -- TEST
Joined 'RHEL6-CLIENT' to realm 'test.com'
[root@rhel6-client ~]# wbinfo -u
[root@rhel6-client ~]# wbinfo -g
The domain information has not been fetched yet; wait a moment.
[root@rhel6-client ~]# service winbind restart
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[root@rhel6-client ~]# wbinfo -u
administrator
guest
krbtgt
zhang3
test11
[root@rhel6-client ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
[root@rhel6_client ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
administrator:*:16777216:16777220:Administrator:/home/TEST/administrator:/bin/bash
guest:*:16777217:16777221:Guest:/home/TEST/guest:/bin/bash
krbtgt:*:16777218:16777220:krbtgt:/home/TEST/krbtgt:/bin/bash
zhang3:*:16777219:16777220:zhang3:/home/TEST/zhang3:/bin/bash
test11:*:16777220:16777220:test11:/home/TEST/test11:/bin/bash
[root@rhel6_client ~]# getent group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail,postfix
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
floppy:x:19:
vcsa:x:69:
cdrom:x:11:
tape:x:33:
dialout:x:18:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
sshd:x:74:
nscd:x:28:
ldap:x:55:
wbpriv:x:88:
domain computers:*:16777222:
domain controllers:*:16777223:
schema admins:*:16777224:administrator
enterprise admins:*:16777225:administrator
cert publishers:*:16777226:
domain admins:*:16777227:administrator
domain users:*:16777220:
domain guests:*:16777221:
group policy creator owners:*:16777228:administrator
ras and ias servers:*:16777229:
allowed rodc password replication group:*:16777230:
denied rodc password replication group:*:16777231:krbtgt
read-only domain controllers:*:16777232:
enterprise read-only domain controllers:*:16777233:
dnsadmins:*:16777234:
dnsupdateproxy:*:16777235:
rhel6-client has joined the domain successfully.
[root@rhel6-client ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
[root@rhel6-client ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_ldap.so
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent
Login test
[root@rhel6_client ~]# su - test11
su: user test11 does not exist
[root@rhel6_client ~]# su - zhang3
su: user zhang3 does not exist
[root@rhel6_client ~]# cat /var/log/secure
Error messages:
Jul 24 15:39:41 rhel6-client sshd[1734]: pam_succeed_if(sshd:auth): error retrieving information about user zhang3
Jul 24 15:39:43 rhel6-client sshd[1734]: Failed password for invalid user zhang3 from 192.168.4.240 port 62095 ssh2
Jul 24 15:39:46 rhel6-client sshd[1735]: Received disconnect from 192.168.4.240: 13: The user canceled authentication.
Jul 24 15:40:01 rhel6-client sshd[1736]: Invalid user test11 from 192.168.4.240
Jul 24 15:40:01 rhel6-client sshd[1737]: input_userauth_request: invalid user test11
Jul 24 15:40:08 rhel6-client sshd[1736]: pam_unix(sshd:auth): check pass; user unknown
Jul 24 15:40:08 rhel6-client sshd[1736]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.240
Jul 24 15:40:08 rhel6-client sshd[1736]: pam_succeed_if(sshd:auth): error retrieving information about user test11
Jul 24 15:40:10 rhel6-client sshd[1736]: Failed password for invalid user test11 from 192.168.4.240 port 62122 ssh2
Jul 24 15:40:13 rhel6-client sshd[1737]: Received disconnect from 192.168.4.240: 13: The user canceled authentication
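To make sense of /var/log/secure entries like the ones above, here is an added triage helper (example code, not from the original post). The decisive signal is pam_succeed_if reporting "error retrieving information about user": the name never resolved through NSS, so winbind or nsswitch.conf is the problem rather than the password. The sample log is constructed from the lines above plus one ordinary failed-password line for root, so the two cases appear side by side.

```shell
#!/bin/sh
# Added example (not from the original post): classify sshd failures from
# /var/log/secure. "Failed password for invalid user X" paired with
# pam_succeed_if "error retrieving information about user X" means NSS
# (winbind) never resolved X; the fix is on the lookup side, not the password.

# Constructed sample log: the post's lines plus one plain bad-password line.
SAMPLE_LOG='Jul 24 15:39:41 rhel6-client sshd[1734]: pam_succeed_if(sshd:auth): error retrieving information about user zhang3
Jul 24 15:39:43 rhel6-client sshd[1734]: Failed password for invalid user zhang3 from 192.168.4.240 port 62095 ssh2
Jul 24 15:40:01 rhel6-client sshd[1736]: Invalid user test11 from 192.168.4.240
Jul 24 15:40:08 rhel6-client sshd[1736]: pam_succeed_if(sshd:auth): error retrieving information about user test11
Jul 24 15:40:10 rhel6-client sshd[1736]: Failed password for invalid user test11 from 192.168.4.240 port 62122 ssh2
Jul 24 15:41:02 rhel6-client sshd[1740]: Failed password for root from 192.168.4.240 port 62130 ssh2'

# classify_failures LOG_TEXT -> one sorted line per user: "<user> <class>"
#   nss-lookup-failure : NSS could not resolve the name (winbind/nsswitch issue)
#   bad-password       : the account resolved, the credential was wrong
classify_failures() {
    printf '%s\n' "$1" | awk '
        /error retrieving information about user/ { unknown[$NF] = 1 }
        /Failed password for invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { failed[$(i+1)] = 1; break }
        }
        /Failed password for / && !/invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "for") { failed[$(i+1)] = 1; break }
        }
        END {
            for (u in failed) {
                cls = (u in unknown) ? "nss-lookup-failure" : "bad-password"
                print u, cls
            }
        }' | sort
}

# classify_user LOG_TEXT USER -> prints the class for a single user
classify_user() {
    classify_failures "$1" | awk -v u="$2" '$1 == u { print $2 }'
}

# Live use would be: classify_failures "$(cat /var/log/secure)"
classify_failures "$SAMPLE_LOG"
```

A run over the sample prints zhang3 and test11 as nss-lookup-failure and root as bad-password; the first class is exactly the state the post resolves next by restarting winbind and confirming `wbinfo -t`, `wbinfo -u` and `getent passwd` all return the domain users.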
[root@rhel6-client Packages]# yum install rpcbind -y
[root@rhel6-client Packages]# /etc/init.d/winbind restart
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[root@rhel6-client Packages]# wbinfo -t
checking the trust secret for domain TEST via RPC calls succeeded
[root@rhel6-client Packages]# wbinfo -u
administrator
guest
krbtgt
zhang3
test11
[root@rhel6-client Packages]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
Because the domain users' home directories were not being created automatically, the parent directory has to be created by hand; here RHEL6 differs from CentOS6, which created the login user's home directory automatically.
[root@rhel6-client Packages]# cd /home
[root@rhel6-client home]# ls -al
total 8
drwxr-xr-x. 2 root root 4096 Jul 25 10:37 .
dr-xr-xr-x. 21 root root 4096 Jul 25 10:28 ..
[root@rhel6-client ]# cd
[root@rhel6-client ]# mkdir /home/TEST
[root@rhel6-client ]# chmod -R 755 /home/TEST
[root@rhel6-client ]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@rhel6-client home]# service winbind restart
Shutting down Winbind services: [FAILED]
Starting Winbind services: [ OK ]
[root@rhel6-client]# wbinfo -t
checking the trust secret for domain TEST via RPC calls succeeded
[root@rhel6-client ]# wbinfo -u
administrator
guest
krbtgt
zhang3
test11
[root@rhel6-client ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
[root@rhel6-client ~]# su - zhang3
[zhang3@rhel6-client ~]$ exit
logout
[root@rhel6-openvpn ~]# su - test11
[test11@rhel6-openvpn ~]$
[root@rhel6-openvpn ~]# ls -al /home/
total 12
drwxr-xr-x. 3 root root 4096 Jul 25 10:37 .
dr-xr-xr-x. 21 root root 4096 Jul 25 10:28 ..
drwxr-xr-x 4 root root 4096 Jul 25 10:39 TEST
[root@rhel6-openvpn ~]# cd /home/TEST/
[root@rhel6-openvpn TEST]# ls -al
total 16
drwxr-xr-x 4 root root 4096 Jul 25 10:39 .
drwxr-xr-x. 3 root root 4096 Jul 25 10:37 ..
drwxr-xr-x 2 test11 domain users 4096 Jul 25 11:08 test11
drwxr-xr-x 2 zhang3 domain users 4096 Jul 25 10:39 zhang3
Domain users test11 and zhang3 can now log in to the rhel6 machine successfully.
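The home-directory handling from sections 5 and 6 as one added check (example script, not the post's own code): it derives the per-domain parent directory from Samba's `template homedir` value (/home/%D/%U with short domain TEST gives /home/TEST), creates it with mode 755 the way the post does by hand above, and confirms that a PAM file carries the pam_mkhomedir.so session line. It runs against a scratch directory from mktemp, so the path prefix and the PAM file are constructed for the example; on a real host the prefix would be empty and the file /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example (not from the original post): make sure the directory that
# pam_mkhomedir cannot create for itself (/home/<DOMAIN>) exists before domain
# users log in, and that pam_mkhomedir is actually configured.
# ROOT is a hypothetical prefix so the check can run in a scratch directory.

# homedir_parent TEMPLATE DOMAIN -> prints the directory that must pre-exist
# e.g. homedir_parent /home/%D/%U TEST -> /home/TEST
homedir_parent() {
    tmpl=$1; dom=$2
    # substitute %D, then drop the %U leaf and anything after it
    printf '%s\n' "$tmpl" | sed -e "s/%D/$dom/g" -e 's#/%U.*$##'
}

# ensure_parent ROOT TEMPLATE DOMAIN -> creates ROOT/<parent> with mode 0755
# and prints its permission string (drwxr-xr-x) so callers can verify it
ensure_parent() {
    dir="$1$(homedir_parent "$2" "$3")"
    mkdir -p "$dir"
    chmod 755 "$dir"
    ls -ld "$dir" | cut -c1-10
}

# pam_mkhomedir_present PAMFILE -> 0 when a session line loads pam_mkhomedir.so
pam_mkhomedir_present() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# --- constructed scratch run (stands in for / and /etc/pam.d/system-auth) ---
SCRATCH=$(mktemp -d)
PAMFILE="$SCRATCH/system-auth"
printf '%s\n' \
  'session required pam_unix.so' \
  'session required pam_mkhomedir.so umask=0022 skel=/etc/skel silent' > "$PAMFILE"

echo "parent $(homedir_parent '/home/%D/%U' TEST) mode: $(ensure_parent "$SCRATCH" '/home/%D/%U' TEST)"
if pam_mkhomedir_present "$PAMFILE"; then
    echo "pam_mkhomedir configured in $PAMFILE"
else
    echo "pam_mkhomedir missing from $PAMFILE: home directories will not be created"
fi
```

Note that the parent stays root-owned with mode 755 while the per-user directories beneath it end up owned by the user and the "domain users" group, which matches the `ls -al /home/TEST/` listing above.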
At this point the mainstream Linux systems CentOS 6 and RHEL 6 have both been joined to a Windows Server 2008 AD domain.
The main problems encountered along the way were: 1. time synchronization; 2. DNS resolution; 3. parameter details in smb.conf and krb5.conf.
This article is from the "Bruce_tan" blog; please retain this source: http://380281.blog.51cto.com/370281/1530071