Для начала установим необходимые для работы пакеты
# yum install -y krb5-workstation samba-common
Подправим файл /etc/hosts, чтобы он имел примерно такой вид:
# vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.10.2.91 vm01.organization.local vm01
10.10.2.1 windows.organization.local windows
Теперь настроим Керберос для добавления linux-сервера в windows-домен
# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ORGANIZATION.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
ORGANIZATION.LOCAL = {
kdc = windows.organization.local:88
admin_server = windows.organization.local:749
default_domain = organization.local
}
[domain_realm]
.organization.local = ORGANIZATION.LOCAL
organization.local = ORGANIZATION.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
# kinit administrator@ORGANIZATION.LOCAL
Password for administrator@ORGANIZATION.LOCAL:
Минимальная настройка samba
[root@vm01 ~]# vi /etc/samba/smb.conf
[global]
workgroup = ORGANIZATION
netbios name = VM01
server string = VM01 Samba Server
security = ads
encrypt passwords = yes
realm = ORGANIZATION.LOCAL
password server = windows.organization.local
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1800
winbind use default domain = yes
winbind refresh tickets = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%U
printing =
load printers = no
Входим в домен
# net ads join -U administrator
administrator's password:
Using short domain name -- ORGANIZATION
Joined 'VM01' to realm 'ORGANIZATION.LOCAL'
Добавляем модуль pam_winbind.so для аутентификации доменных пользователей в системе и модуль pam_mkhomedir.so для автоматического создания домашней директории при первом входе пользователя.
vim /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Настраиваем nsswitch, чтобы система получала данные о пользователях и группах из AD через сервис winbind, и запускаем этот сервис
vim /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
/etc/init.d/winbind start
Starting Winbind services: [ OK ]
chkconfig winbind on
Ограничиваем доступ к ssh-сервису: запрещаем вход root и разрешаем подключение только членам группы admins (пользователи, не входящие в эту группу, в том числе локальные, доступ по ssh потеряют)
vim /etc/ssh/sshd_config
PermitRootLogin no
AllowGroups admins
/etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]