CentOS 5.4 postfix winbind AD auth

vim /etc/krb5.conf #修改krb5的設定檔,為了讓centos加入windows的網域

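# /etc/krb5.conf — read by the MIT Kerberos library so this host can join the
# Windows domain. The profile parser only recognises comments that stand on
# their own line (leading # or ;); any "#..." text after a value becomes part
# of the value (e.g. default_realm would be "SAMPLE.COM.TW #..."), so every
# note below is on its own line.

[logging]
# defaults kept as-is
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# realm appended when a principal is given without @REALM
# (the kinit test later relies on this)
default_realm = SAMPLE.COM.TW
# whether DNS is used to find the realm of a host.
# NOTE(review): realm-from-DNS relies on unauthenticated TXT records; the
# [domain_realm] section below already maps the domain explicitly, so this
# could be false — confirm before relying on it.
dns_lookup_realm = true
# whether DNS is used to find the domain controllers (KDCs); this affects
# which AD server is chosen when joining the domain, and the join command can
# override it with -S (netbios name) or -I (ip address)
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
SAMPLE.COM.TW = {
# domain controller; an IP address or a host name is accepted
kdc = 192.168.0.252
# admin server of the domain controller
admin_server = 192.168.0.252
# default DNS domain for this realm, hence lower case
default_domain = sample.com.tw
}

# maps DNS domains to the realm they belong to
[domain_realm]
.sample.com.tw = SAMPLE.COM.TW
sample.com.tw = SAMPLE.COM.TW

[appdefaults]
# defaults kept as-is
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}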

完成上述設定後,先來測試看是否能連上AD Server做認證
#因為沒有打上@SAMPLE.COM.TW所以它帶上了預設的realm

kinit adserver_account 
password for adserver_account@SAMPLE.COM.TW: 

打上密碼後如果沒有錯誤,就代表可向AD做認證。

設定 samba 設定檔 /etc/samba/smb.conf

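# /etc/samba/smb.conf [global] — read by smbd and winbindd. Samba treats only
# whole lines starting with # or ; as comments; text after a value is part of
# the value (workgroup would become "SAMPLE #..."), so every note is kept on
# its own line.
[global]
# NetBIOS name of the domain to join
workgroup = SAMPLE
# the AD server
password server = 192.168.0.252
# Kerberos realm; must match default_realm in krb5.conf
realm = SAMPLE.COM.TW
# authentication security level: NT4-style domain membership.
# NOTE(review): a realm is set and the guide joins with "net ads join";
# security = ads would let the domain trust use Kerberos instead of NTLM —
# confirm which mode is intended.
security = domain
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = /
template homedir = /home/%U
template shell = /bin/sh
winbind use default domain = true
winbind offline logon = false

# ----------------------- Network Related Options -------------------------
server string = Samba Server Version %v
# NOTE(review): the later "net ads join -n samba-server" passes a different
# NetBIOS name than this one — the two should agree.
netbios name = SAMBASERVER
# NOTE(review): disabling SPNEGO stops Samba's own client connections from
# negotiating Kerberos (the default is yes) — confirm this is required.
client use spnego = no
server signing = auto

# defaults kept as-is
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 50

# domain member settings
# ----------------------- Domain Members Options ------------------------
# encrypted password exchange (also the Samba default)
encrypt passwords = yes
local master = no
os level = 20
username map = /etc/samba/smbusers
preferred master = no
# enumerate all domain users/groups through winbind (needed for getent to
# list them; can be slow on large domains)
winbind enum users = yes
winbind enum groups = yes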

編輯 /etc/nsswitch.conf 加入模組 winbind 來做帳號的驗證

vi /etc/nsswitch.conf

修改如下面的設定

# /etc/nsswitch.conf — users and groups are resolved from the local files
# first, then from winbind; shadow stays local-only (AD password checks go
# through pam_winbind in the PAM stack, not through NSS)
passwd: files winbind
shadow: files
group: files winbind

現在開始將這台Server加入windows的網域
# -U administrator 使用管理者的帳號來加入
# -S adserver.sample.com.tw 指定連線哪台AD作加入的動作
# -n samba-server 設定 netbios name ,加入網域所用的名字

net ads join -U administrator -S adserver.sample.com.tw -n samba-server
Enter administrator's password:

重新啟動 winbind
service winbind restart

測試是否可以向AD取得上面的帳號

wbinfo -u
wbinfo -g
wbinfo -t

Check Winbind nsswitch module with getent

getent passwd
getent group

設定smtp登入驗證的方式:
vim /etc/pam.d/login 與 /etc/pam.d/smtp

# pam_winbind entries for /etc/pam.d/login and /etc/pam.d/smtp.
# "sufficient": a winbind success ends the stack for that type unless an
# earlier "required" module already failed, so these lines belong before the
# existing pam_unix / system-auth entries; local accounts that winbind does
# not know still fall through to them.
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
# use_authtok: reuse the password already collected by an earlier password
# module instead of prompting again
password sufficient pam_winbind.so use_authtok

配置postfix
vi /etc/postfix/main.cf

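# /etc/postfix/main.cf — read by Postfix (2.2.x, per the sample_directory path
# below). Comments are whole lines starting with #; a line that begins with
# whitespace continues the previous setting.
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
# NOTE(review): this host/domain differs from the AD realm SAMPLE.COM.TW used
# by Kerberos and Samba above — confirm the mail domain is intended.
myhostname = sun.mkchen.com
mydomain = mkchen.com
myorigin = $mydomain
# listen on every interface, so the SMTP AUTH below is reachable from the network
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost,$mydomain
unknown_local_recipient_reject_code = 550
# mynetworks_style is ignored when mynetworks is set explicitly, as it is here
mynetworks_style = subnet
# NOTE(review): 192.168.101.0/24 is not the 192.168.0.x network the AD server
# sits on — confirm the trusted client range.
mynetworks = 192.168.101.0/24,127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mail_spool_directory = /var/mail
debug_peer_level = 2
# multi-line value: the continuation lines must start with whitespace,
# otherwise Postfix reads "PATH=..." as a separate, malformed parameter line
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.10/samples
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
# --- SMTP AUTH (server side) ---
# The SASL backend itself (e.g. saslauthd -> PAM -> pam_winbind) is configured
# outside main.cf and is not shown in this guide.
smtpd_sasl_auth_enable = yes
# Only the ANONYMOUS mechanism is refused. PAM-backed SASL uses plaintext
# mechanisms (PLAIN/LOGIN), so AD passwords cross the wire unencrypted unless
# the session is TLS-protected; no TLS settings appear in this file —
# consider configuring TLS and smtpd_tls_auth_only = yes so AUTH is only
# offered after STARTTLS.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
# Relaying for authenticated users additionally needs permit_sasl_authenticated
# in smtpd_recipient_restrictions, which is not set here (built-in default applies).
# NOTE(review): client-side SASL for outbound relays; smtp_sasl_password_maps
# is not set, so there are no credentials for it — confirm it is needed.
smtp_sasl_auth_enable = yes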

重新啟動 postfix !

service postfix restart

現在用AD上的帳號登入看看吧!!
