Guide: configuring CentOS 6.0 with Kerberos, Samba and Winbind to authenticate against a Microsoft Windows Active Directory 2008 domain

#Guide: configuring CentOS 6.0 with Kerberos, Samba and Winbind to authenticate against a Microsoft Windows Active Directory 2008 domain, also tested on Windows 2008 R2

In this guide the following names are used as examples

Domain:                domain.local
Windows 2008 server:   srvwin01
CentOS 6 server:       srvlinux01
_______________________________________________________________________________________________________________________________________________________________________________________________________

Editing the hosts file /etc/hosts

Put the FQDN of the Linux host only on the line with its real address, never on the loopback lines, and do not copy the localhost aliases onto the real-address line: hostname -f must return srvlinux01.domain.local resolving to the real address, because the host principal created at join time is derived from that name, and a name that resolves to 127.0.0.1 is a classic cause of join and ticket failures.

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.X.X srvlinux01.domain.local srvlinux01

#ACTIVE DIRECTORY

192.168.X.X srvwin01.domain.local srvwin01
_______________________________________________________________________________________________________________________________________________________________________________________________________

Editing the DNS configuration /etc/resolv.conf

The nameservers must be the Active Directory DNS servers (normally the domain controllers): the join locates the domain controllers through the _ldap._tcp and _kerberos._tcp SRV records of domain.local, which only they serve.

search domain.local
nameserver 192.168.X.X
nameserver 192.168.X.X

__________________________________________________________________________________________________________________________________________________________________________________________________________
Setting SELinux to permissive mode: edit /etc/selinux/config

Permissive mode only logs denials instead of blocking them, so treat it as a troubleshooting aid, not the final state. The targeted policy on CentOS 6 supports smbd and winbindd; once the join works, go back to SELINUX=enforcing and deal with any remaining AVC denials in /var/log/audit/audit.log (audit2allow) rather than leaving the whole host unconfined.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the server (setenforce 0 applies the same change immediately without a reboot)
#reboot
__________________________________________________________________________________________________________________________________________________________________________________________________________

Configuring the firewall: open the required ports by editing /etc/sysconfig/iptables

These inbound rules only matter if the Linux host will serve files over SMB. Winbind and Kerberos open outbound connections to the domain controllers (TCP 88, 389, 445, 464, 3268 plus DNS and NTP), and the replies are already covered by the default ESTABLISHED,RELATED rule. Replace eth0 and 192.168.X.X/X with your interface and internal network, keep the source restricted to that network, and put the rules before the final REJECT rule of the INPUT chain. SMB uses TCP 445 only, so no UDP 445 rule is needed; 137/udp, 138/udp and 139/tcp are the NetBIOS ports. Reload with service iptables restart.

#SAMBA
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT

__________________________________________________________________________________________________________________________________________________________________________________________________________

Installing Samba 3 [version 3.5.9] from the SerNet repository. Remove the distribution's Samba packages first:
#yum remove samba samba-client samba-winbind

The repository file arrives over plain HTTP, so check that it sets gpgcheck=1 with a key you have verified before installing anything from it. Samba 3.5 has long been out of support; on any current installation prefer the distribution's samba-winbind packages, which still receive security updates.

# cd /etc/yum.repos.d/
# wget http://ftp.sernet.de/pub/samba/3.5/centos/6/sernet-samba.repo
# cd
# yum update
# yum install samba3 samba3-winbind
__________________________________________________________________________________________________________________________________________________________________________________________________________

Configuring /etc/krb5.conf

The realm name must be written in upper case. With dns_lookup_kdc = false the client only knows the KDCs listed under [realms], so srvwin01 becomes a single point of failure for every login: either add one kdc = line per domain controller, or set dns_lookup_kdc = true and let the _kerberos._tcp.domain.local SRV records do the work. The ticket and renew lifetimes below are requests; the domain's Kerberos policy (by default 10 hours and 7 days in AD) caps them.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.LOCAL = {
  kdc = srvwin01.domain.local
  admin_server = srvwin01.domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL
__________________________________________________________________________________________________________________________________________________________________________________________________________

Configuring Samba /etc/samba/smb.conf

A few points worth knowing before copying this file. idmap uid / idmap gid are the legacy form of idmap config * : range, which later Samba versions require. CentOS 6 allocates local users from UID 500 upward, so a range starting at 600 will eventually collide with local accounts; start it well above any local UID and never change it afterwards, because the SID-to-UID allocations stored in the local tdb persist. Those allocations are also per host: a second Linux server would give the same domain user a different UID, which matters as soon as NFS or rsync is involved (the rid backend or RFC2307 attributes in AD give stable mappings). winbind use default domain = Yes lets users log in without the DOMAIN+ prefix, but a domain account with the same name as a local one is then resolved in favour of the local one by the "files winbind" order in nsswitch.conf. log level = 3 is verbose; use 1 in production. encrypt passwords = yes is already the default.

# Samba configuration file
[global]
   workgroup = DOMAIN
   realm = DOMAIN.LOCAL
   preferred master = no
   server string = CentOS 6 Linux server
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 600-20000
   idmap gid = 600-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash
__________________________________________________________________________________________________________________________________________________________________________________________________________

Configuring PAM /etc/pam.d/system-auth

On CentOS 6 system-auth is a symlink to system-auth-ac, which authconfig regenerates: either let authconfig write the winbind lines (authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update) or copy the file to system-auth-local and point the symlink at it, otherwise the next authconfig run silently drops winbind. The account step of pam_winbind is what enforces AD-side restrictions (disabled or expired accounts, logon hours), so do not remove it; pam_mkhomedir creates the home directory (template homedir in smb.conf, /home/%D/%U by default) on first login.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
# system accounts (uid < 500) are never authenticated against the domain
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# enforces AD-side restrictions (disabled/expired account, logon hours)
account     sufficient    pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# lets domain users change their AD password with passwd
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# creates the home directory on first login, readable only by its owner
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so
__________________________________________________________________________________________________________________________________________________________________________________________________________

Configuring /etc/nsswitch.conf

Local files are consulted first, which is what decides name clashes between local and domain accounts. The shadow line is harmless but unnecessary: winbind provides no shadow map.

passwd:     files winbind
shadow:     files winbind
group:      files winbind
__________________________________________________________________________________________________________________________________________________________________________________________________________

Start the services and enable them at boot

#service smb start
#service winbind start
#chkconfig smb on
#chkconfig winbind on

smb is only needed if the host will share files; winbind is what handles logins. Restart winbind after the join below so that it picks up the new machine account.

__________________________________________________________________________________________________________________________________________________________________________________________________________
Now join the Linux host to the domain

#kinit administrator@DOMAIN.LOCAL -------> the password will be requested

kinit here is only a check that Kerberos works against the KDC (klist shows the ticket); net ads join authenticates on its own with the account given to -U. That account only needs the right to create computer objects in the target OU, so use a delegated join account rather than Administrator, and add createcomputer="Servers/Linux" (OU path from the domain root, separated by /) to create the object directly in the right OU instead of moving it afterwards.

#net ads join -U administrator@DOMAIN.LOCAL ------------> the password will be requested

Verify the join with net ads info; net ads testjoin (prints "Join is OK") and wbinfo -t (checks the machine account secret) are the two other checks worth running
#net ads info

LDAP server: 192.168.X.X
LDAP server name: srvwin01.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: Sat, 23 Jul 2011 19:46:22 CEST
KDC server: 192.168.X.X
Server time offset: -9

Now, if you look in Active Directory Users and Computers, you will see a computer named srvlinux01

Personally, I created an organizational unit for the Linux servers and also created an alias on the DNS server

With the commands

#wbinfo -u -----------> the domain users are listed

#wbinfo -g -----------> the domain groups are listed

wbinfo talks to winbindd directly; getent passwd and getent group must list the same entries, otherwise logins will still fail because NSS is not picking up winbind. A server time offset above 300 seconds in net ads info also breaks Kerberos: keep ntpd synchronised with the domain controllers.
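As an added example that is not part of the original guide, the POSIX shell script below bundles the checks a practitioner runs on the member server after the join: that the FQDN in /etc/hosts sits on a non-loopback line, that no local account in /etc/passwd falls inside the winbind idmap range from smb.conf, that the clock offset reported by net ads info stays inside the Kerberos tolerance, and (with --live) the real net ads testjoin, wbinfo -t and getent checks. The addresses 192.168.10.x, the account names and the hosts, passwd and net ads info fragments are constructed for the demo; without --live the script only runs against them, so it works offline.

```shell
#!/bin/sh
# Added example, not part of the original guide: post-join sanity checks for
# a CentOS 6 winbind member server. The sample inputs below are constructed;
# "--live" runs the same checks against the real system (needs net/wbinfo).

# check_fqdn_hosts HOSTS_CONTENT FQDN
# Succeeds only if FQDN appears on a non-loopback line and on no loopback
# line: the host principal created at join time is derived from this name.
check_fqdn_hosts() {
    printf '%s\n' "$1" | awk -v fqdn="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == fqdn) {
                    if ($1 == "127.0.0.1" || $1 == "::1") bad = 1
                    else good = 1
                }
        }
        END { exit !(good && !bad) }'
}

# check_idmap_collisions PASSWD_CONTENT LOW HIGH
# Prints local accounts whose UID lies inside the winbind idmap range; each
# of them would share its UID with whatever domain SID winbind maps there.
# Returns 1 if any collision is found, 0 otherwise.
check_idmap_collisions() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        NF >= 3 && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1; n++ }
        END { exit (n > 0) }'
}

# check_clock_skew NET_ADS_INFO_OUTPUT [MAX_SECONDS]
# Reads the "Server time offset" line of `net ads info`. The KDC rejects
# requests outside its clockskew window (300 s by default), so a growing
# offset means logins will start failing: fix NTP before that happens.
# Returns 0 if |offset| <= MAX_SECONDS, 1 if larger, 2 if the line is missing.
check_clock_skew() {
    max=${2:-300}
    off=$(printf '%s\n' "$1" | awk -F': *' '/^Server time offset/ { print $2; exit }')
    [ -n "$off" ] || return 2
    off=${off#-}                      # absolute value
    [ "$off" -le "$max" ]
}

# live_checks: run on the joined host with the real Samba 3 tools.
live_checks() {
    if ! command -v net >/dev/null 2>&1; then
        echo "net/wbinfo not installed: skipping live checks"; return 0
    fi
    net ads testjoin                                             || return 1  # machine account still valid
    wbinfo -t                                                    || return 1  # trust secret (machine password)
    check_clock_skew "$(net ads info)"                           || return 1
    check_fqdn_hosts "$(cat /etc/hosts)" "$(hostname -f)"        || return 1
    check_idmap_collisions "$(cat /etc/passwd)" 600 20000        || return 1  # range from smb.conf
    getent passwd "$(wbinfo -u | head -n 1)" >/dev/null          || return 1  # NSS sees winbind, not just wbinfo
    echo "all checks passed"
}

# ---- constructed sample inputs (not captured from a real system) ----
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain localhost4
::1         localhost localhost.localdomain localhost6
192.168.10.20 srvlinux01.domain.local srvlinux01
192.168.10.10 srvwin01.domain.local srvwin01'
BAD_HOSTS='127.0.0.1   srvlinux01.domain.local srvlinux01 localhost
192.168.10.20 srvlinux01.domain.local srvlinux01'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nagios:x:498:498::/var/spool/nagios:/sbin/nologin
backup:x:650:650:local backup user:/home/backup:/bin/bash'
SAMPLE_ADS_INFO='LDAP server: 192.168.10.10
Realm: DOMAIN.LOCAL
KDC server: 192.168.10.10
Server time offset: -9'

if [ "${1:-}" = "--live" ]; then
    live_checks
else
    check_fqdn_hosts "$BAD_HOSTS" srvlinux01.domain.local \
        && echo "hosts: ok" || echo "hosts: FQDN is on a loopback line, fix /etc/hosts"
    clash=$(check_idmap_collisions "$SAMPLE_PASSWD" 600 20000; true)
    [ -z "$clash" ] && echo "idmap: no local UID inside 600-20000" \
                    || echo "idmap: local UIDs inside 600-20000: $clash"
    check_clock_skew "$SAMPLE_ADS_INFO" \
        && echo "clock: skew within 300 s" || echo "clock: skew too large, check ntpd"
fi
```

Run it as sh checks.sh --live on srvlinux01 after the join; with the constructed samples it reports the loopback FQDN and the backup account at UID 650 as the two problems the guide's original hosts file and idmap range would produce.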
__________________________________________________________________________________________________________________________________________________________________________________________________________
