Guide to configuring CentOS 6.0 with Kerberos, Samba and Winbind to authenticate against a Microsoft Windows Active Directory 2008 domain (also tested against Windows 2008 R2)
In this guide we use the following example values:
Domain: domain.local
Windows 2008 server (domain controller): srvwin01
CentOS 6 server: srvlinux01
_______________________________________________________________________________________________________________________________________________________________________________________________________
Editing /etc/hosts
The loopback lines should carry only the localhost names: the server's own FQDN must resolve to its real address (and the short name to the same FQDN), otherwise Kerberos and the domain join see the host as 127.0.0.1 and the DNS record registered at join time is wrong.
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.X.X srvlinux01.domain.local srvlinux01
#ACTIVE DIRECTORY
192.168.X.X srvwin01.domain.local srvwin01
_______________________________________________________________________________________________________________________________________________________________________________________________________
Editing the DNS configuration /etc/resolv.conf: the nameservers must be the domain controllers, because the AD DNS zone carries the SRV records that Kerberos and the join rely on
search domain.local
nameserver 192.168.X.X
nameserver 192.168.X.X
__________________________________________________________________________________________________________________________________________________________________________________________________________
Put SELinux in permissive mode by editing /etc/selinux/config. Permissive mode only logs what would have been denied and no longer enforces the policy, so treat it as a temporary step: once everything works, review /var/log/audit/audit.log and decide whether enforcing mode can be restored.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot the server (setenforce 0 applies the same change immediately without a reboot; getenforce shows the current mode)
#reboot
__________________________________________________________________________________________________________________________________________________________________________________________________________
Configure the firewall: open the required ports in /etc/sysconfig/iptables, placing the rules before the final REJECT rule and restarting with service iptables restart. Replace eth0 with the network interface and 192.168.X.X/X with the local network. These INPUT rules matter only if the server will also serve SMB shares: the join and the authentication themselves only need outbound access to the domain controller (Kerberos, LDAP, DNS, SMB), which the default CentOS 6 ruleset already allows.
#SAMBA
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# SMB over TCP/IP uses 445/tcp only; nothing listens on 445/udp, so this rule is harmless but unnecessary
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
# NetBIOS name service, datagram service and SMB over NetBIOS (only needed for legacy clients)
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -i eth0 -s 192.168.X.X/X -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
__________________________________________________________________________________________________________________________________________________________________________________________________________
Installing samba3 [version 3.5.9] from the SerNet repository. It is advisable to first remove the distribution's Samba packages with # yum remove samba samba-client samba-winbind
# cd /etc/yum.repos.d/
# wget http://ftp.sernet.de/pub/samba/3.5/centos/6/sernet-samba.repo
# cd
# yum update
# yum install samba3 samba3-winbind
__________________________________________________________________________________________________________________________________________________________________________________________________________
Configuring /etc/krb5.conf. The realm name must be written in upper case and the KDC is the domain controller. With dns_lookup_kdc = false only the KDCs listed here are used, so add one kdc line per additional domain controller, or set dns_lookup_kdc = true to let the client find all of them through the _kerberos._tcp SRV records.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.LOCAL = {
kdc = srvwin01.domain.local
admin_server = srvwin01.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
__________________________________________________________________________________________________________________________________________________________________________________________________________
Configure Samba in /etc/samba/smb.conf. Two caveats on the values below: the idmap range 600-20000 overlaps the id space used for local accounts on CentOS 6 (UID_MIN is 500 in /etc/login.defs), so a local user or group created inside the range can end up sharing a numeric id with a domain account; choose a range above every local id (for example 10000-20000) and do not change it after winbind has started allocating, because the mappings are persisted in the idmap tdb database (later Samba releases spell the same setting idmap config * : range). winbind enum users/groups = Yes makes getent passwd / getent group walk the whole domain, which is convenient for testing but slow on a large domain.
# File configurazione Samba
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
server string = Server Linux CentOS 6
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
;template primary group = "Domain Users"
template shell = /bin/bash
__________________________________________________________________________________________________________________________________________________________________________________________________________
Configure PAM in /etc/pam.d/system-auth. On CentOS 6 the supported way is authconfig --enablewinbind --enablewinbindauth --update, which generates an equivalent stack (the file is overwritten the next time authconfig runs, as its header says). Two things a practitioner usually needs are missing from the stack below: the password section has no pam_winbind line, so passwd cannot change a domain user's password (authconfig adds password sufficient pam_winbind.so use_authtok), and domain users have no home directory on the server, so add session optional pam_mkhomedir.so skel=/etc/skel umask=0077 to the session section (or use authconfig --enablemkhomedir) if they are to log in interactively.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so likeauth nullok
# local password failed: try the domain, reusing the password already typed
auth        sufficient    pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
# "sufficient" would let a domain account that winbind rejects (disabled, expired,
# logon restrictions) fall through to pam_permit, which matters for SSH key logins
# that skip the auth stack; make a winbind denial final and ignore only non-domain users
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type=
# sha512 is the CentOS 6 default for local password hashes (md5 is weak)
password    sufficient    pam_unix.so nullok use_authtok sha512 shadow
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# skip the pam_unix session entry for cron jobs; run it once for everything else
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_winbind.so use_first_pass
__________________________________________________________________________________________________________________________________________________________________________________________________________
Configure /etc/nsswitch.conf so that users and groups are also resolved through winbind (this is what makes getent passwd and id see domain accounts)
passwd: files winbind
shadow: files winbind
group: files winbind
__________________________________________________________________________________________________________________________________________________________________________________________________________
Start the services and enable them at boot (winbind logs errors about the domain until the join below has been done; restart it afterwards)
#service smb start
#service winbind start
#chkconfig smb on
#chkconfig winbind on
__________________________________________________________________________________________________________________________________________________________________________________________________________
Now join the Linux server to the domain. net ads join does not require kinit, but a successful kinit (check with klist) proves that krb5.conf, DNS and the clock are right before touching the domain: Kerberos rejects tickets when the clock differs from the DC by more than 5 minutes, so run ntpd against the domain controller first. The join needs an account allowed to create computer objects in the target container; a Domain Admin works, but an account delegated only that right is enough and is the safer choice. Once a ticket has been obtained, net ads join -k reuses it instead of prompting for the password again, and createcomputer=Servers/Linux (a slash-separated path from the domain root) places the computer object directly in an OU. Restart winbind after the join (service winbind restart) so it picks up the new machine account.
#kinit administrator@DOMAIN.LOCAL -------> the password will be requested
#net ads join -U administrator@DOMAIN.LOCAL ------------> the password will be requested
Verify the join with net ads info
#net ads info
LDAP server: 192.168.X.X
LDAP server name: srvwin01.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: sab, 23 lug 2011 19:46:22 CEST
KDC server: 192.168.X.X
Server time offset: -9
"Server time offset" is the clock difference from the DC in seconds; keep it well under the 300 seconds Kerberos tolerates. If you now look in Active Directory Users and Computers you will see a computer object named srvlinux01.
I personally created an organizational unit for the Linux servers and also created an alias on the DNS server.
With the commands
#wbinfo -u -----------> the domain users are listed
#wbinfo -g -----------> the domain groups are listed
Also worth running: wbinfo -t (verifies the machine account secret against the DC), wbinfo -p (winbindd is alive and answering), and getent passwd <user> / id <user> to confirm that the NSS side maps a domain user to a UID inside the idmap range.
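As an added example (not code from the original guide), here are two checks that catch the most common silent failures in the procedure above: an idmap range that overlaps local accounts (the 600-20000 range from the smb.conf above, checked against a constructed /etc/passwd and /etc/group) and a clock skew that Kerberos would reject (parsed from the "Server time offset" line of net ads info, using the value printed above). The sample smb.conf, passwd, group and net ads info texts are constructed and the function names are my own; the functions take text as arguments so they can be tried offline and then pointed at the live files and commands.

```shell
#!/bin/sh
# Added example, not part of the original guide: offline sanity checks for the
# smb.conf idmap range and for the clock skew reported by "net ads info".

# idmap_range uid|gid SMB_CONF_TEXT -> prints "LOW HIGH" of the configured range.
# Understands the Samba 3.5 "idmap uid/gid = A-B" form used in the guide and the
# newer "idmap config * : range = A-B" form.
idmap_range() {
    kind=$1
    printf '%s\n' "$2" | sed -n \
        -e "s/^[[:space:]]*idmap $kind[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" \
        -e 's/^[[:space:]]*idmap config \*[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1
}

# idmap_overlap SMB_CONF_TEXT PASSWD_TEXT GROUP_TEXT
# Lists every local user/group whose numeric id falls inside the idmap range;
# returns 1 if any is found (a domain account could collide with it), else 0.
idmap_overlap() {
    rc=0
    for kind in uid gid; do
        if [ "$kind" = uid ]; then db=$2; label=user; else db=$3; label=group; fi
        range=$(idmap_range "$kind" "$1")
        if [ -z "$range" ]; then
            echo "warning: no idmap $kind range found in smb.conf" >&2
            continue
        fi
        low=${range% *}
        high=${range#* }
        # passwd and group lines both carry the numeric id in the third field
        while IFS=: read -r name pw id rest; do
            case $id in '' | *[!0-9]*) continue ;; esac
            if [ "$id" -ge "$low" ] && [ "$id" -le "$high" ]; then
                echo "local $label '$name' ($kind $id) lies inside idmap $kind range $low-$high"
                rc=1
            fi
        done <<EOF
$db
EOF
    done
    return $rc
}

# clock_skew_ok NET_ADS_INFO_TEXT
# Reads the "Server time offset:" line (seconds relative to the DC) and fails when
# the absolute skew reaches the 300 s limit at which Kerberos rejects tickets.
clock_skew_ok() {
    offset=$(printf '%s\n' "$1" | sed -n 's/^Server time offset:[[:space:]]*\(-*[0-9][0-9]*\).*/\1/p')
    if [ -z "$offset" ]; then
        echo "no 'Server time offset' line found; is the host joined?" >&2
        return 2
    fi
    abs=${offset#-}
    if [ "$abs" -ge 300 ]; then
        echo "clock skew ${offset}s exceeds the Kerberos limit of 300s: sync the clock first"
        return 1
    fi
    echo "clock skew ${offset}s is within the Kerberos limit"
    return 0
}

# --- constructed samples (stand-ins for smb.conf, /etc/passwd, /etc/group, net ads info) ---
SAMPLE_SMB_CONF='[global]
workgroup = DOMAIN
idmap uid = 600-20000
idmap gid = 600-20000'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
deploy:x:501:501::/home/deploy:/bin/bash
backup:x:650:650::/home/backup:/bin/bash'
SAMPLE_GROUP='root:x:0:
apache:x:48:
deploy:x:501:
backup:x:650:'
SAMPLE_NET_ADS_INFO='Realm: DOMAIN.LOCAL
KDC server: 192.168.X.X
Server time offset: -9'

# The guide's 600-20000 range collides with the local "backup" account (id 650).
if idmap_overlap "$SAMPLE_SMB_CONF" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"; then
    echo "idmap range is clear of local accounts"
else
    echo "move the idmap range above every local id (e.g. 10000-20000) before starting winbind"
fi
clock_skew_ok "$SAMPLE_NET_ADS_INFO"

# On the real server, after the join:
#   idmap_overlap "$(cat /etc/samba/smb.conf)" "$(cat /etc/passwd)" "$(cat /etc/group)"
#   clock_skew_ok "$(net ads info)"
```

Run the two live calls from the trailing comment before starting winbind for the first time and again after the join; an overlap must be fixed by changing the range before any domain user has been mapped, since winbind keeps the allocations it has already made.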
__________________________________________________________________________________________________________________________________________________________________________________________________________