标签:des style http os io strong for art
This tip will describe how to configure authentication settings in CentOS to use authentication against Windows Servers. I will describe how to do it in a command line. The command line arguments can be easily adapted in the gui version. It is strongly recommended that you read the samba documentations on this topic to understand how winbind works.
|
|
WARNING: The commands given here will reconfigure authentication settings. Do not use them until you fully understand what they do. If you make any mistake you might not be able to login to your system! |
|
In order to use winbind you need to install the samba-common package.
# yum install samba-common
To join the CentOS machine to the Windows domain you need a valid domain admin account.
Actually all is done in one long command line which looks like this (you have to replace the strings starting with $ to match your local settings):
# authconfig --update --kickstart --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=$ADSWorkgroup --smbrealm=$ADSDomain --smbservers=$ADSServer --winbindjoin=$AdminUser --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize
Now that is an awful lot of parameters, lets see what they do:
--enablelocauthorize Also enable local authorization against /etc/passwd. Important!
Pam in CentOS uses stacking so you can put other authentication methods here, for complete options see
# authconfig --help
or the authconfig gui.
Once you run the command it will rewrite pam system-auth config, run net join ads for you and ask for the password of the domain admin user given in --winbindjoin. Afterwards it will disable nscd and enable winbindd. If that was successful you can check winbind status with the wbinfo tool. To show list of users use
# wbinfo -u
See wbinfo --help for details.
If you use kerberos keytabs for services (e.g. httpd kerberos authentication) you can manage it using the net command. To create a keytab file simply use
# net ads keytab create
To add a service realm (e.g. HTTP)
# net ads keytab add HTTP
in /etc/security/pam_winbind.conf you can specifiy a windows group on the parameter require_membership_of. Once this is set only users being member of this group can authenticate. This will not work if you use additional authentications (e.g. kerberos or ldap) which successfully authenticates the user.
In the described/default setup winbind will do dynamic ActiveDirectory SID to unix UID/GID mapping on each machine. This is not useful in some scenarios where you need identical UIDs on different machines. The typical example for that is NFS. Winbind offers a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs. This is done with the idmap rid backend. To use it you have to manually add the following lines to the [global] section of /etc/samba/smb.conf:
idmap domains = DOMAIN
idmap config DOMAIN:backend = rid
idmap config DOMAIN:base_rid = 0
idmap config DOMAIN:range = 20000 - 49999
Where DOMAIN is the WINS name of your ActiveDirectory domain. You can also map users from another trusted domain to a separate range. For details please consult the idmap_rid documentation: http://samba.org/samba/docs/man/manpages-3/idmap_rid.8.html. On CentOS 5 make sure you add those lines outside the range marked by:
#--authconfig--start-line--
..
#--authconfig--end-line--
so it will not be touched by authconfig.
Winbind authentication against active directory,布布扣,bubuko.com
Winbind authentication against active directory
标签:des style http os io strong for art
原文地址:http://www.cnblogs.com/lkzf/p/3898052.html
