DNS infrastructure must work correctly in order for winbind to function properly, so check it first: the Kerberos SRV records for the domain should resolve.
# host -t srv _kerberos._tcp.yourdomain.com
_kerberos._tcp.yourdomain.com has SRV record 0 100 88 adsrv1.yourdomain.com.
_kerberos._tcp.yourdomain.com has SRV record 0 100 88 adsrv2.yourdomain.com.
The necessary packages should be installed and the winbind service enabled at boot.
# chkconfig winbind on
Create the container directory for AD users' home directories. (The per-user directories are created by pam_mkhomedir, which runs as root, so a world-writable container is not required; a more restrictive mode such as 0755 is safer than 0777.)
# mkdir /home/YOURDOMAIN
# chmod 0777 /home/YOURDOMAIN
The host's FQDN should be in the AD domain, i.e. its DNS suffix must match the AD domain name.
# hostname -f
srv2.yourdomain.com
Winbind and Kerberos authentication should be enabled and configured with authconfig.
# authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=YOURDOMAIN --smbrealm=YOURDOMAIN.COM --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/YOURDOMAIN/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=YOURDOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
# service winbind restart
AD identities (SIDs) must be mapped to local UIDs/GIDs; this is configured in smb.conf. Choose an idmap range that does not overlap the UIDs/GIDs of local accounts, otherwise a local user and an AD user can end up with the same numeric ID.
# vi /etc/samba/smb.conf
/** Original **/
workgroup = YOURDOMAIN
realm = YOURDOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/YOURDOMAIN/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
/** Replace with these **/
workgroup = YOURDOMAIN
realm = YOURDOMAIN.COM
security = ads
idmap domains = YOURDOMAIN
idmap config YOURDOMAIN:backend = rid
idmap config YOURDOMAIN:base_rid = 500
idmap config YOURDOMAIN:range = 500-1000000
#idmap uid = 16777216-33554431
#idmap gid = 16777216-33554431
template homedir = /home/YOURDOMAIN/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
To allow only members of a specific AD group to log in via ssh, PAM should be configured. Note that system-auth is included by most PAM-aware services, so this group restriction applies to console login and other services as well, not just ssh.
# vi /etc/pam.d/system-auth
/** Original **/
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
/** Replace with these **/
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so user ingroup "linuxusers" debug
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
# service winbind restart
After these steps, srv2 can be joined to the domain.
# net ads join -U aduser
aduser's password:
Using short domain name -- YOURDOMAIN
Joined 'srv2' to realm 'YOURDOMAIN.COM'
# service winbind restart
After joining the AD domain, group information can be listed to verify that winbind is working.
# wbinfo -g
Now you can log in over ssh with an AD account that is a member of the linuxusers group.