Today almost every company and organization uses Active Directory to provide authentication for its Windows desktops and servers. In "Linux Authentication Strategies" (Linux 身份验证策略) we discussed having Linux machines authenticate against Active Directory as well; the benefit is obvious: authentication is managed centrally.
1. For the basic concepts such as Samba, Winbind, PAM and NSS, see "Linux Authentication Strategies".
2. For how to configure Samba, see 学习Samba基础命令详解之大话西游01.
3. I will publish a separate document on LDAP authentication later.
In "Linux Authentication Strategies" we also mentioned that commercial products from several vendors can integrate Linux with Active Directory. If buying an integration product is not in the budget, the free Samba can do the job. Today I test integrating RedHat/CentOS 6 with Active Directory authentication.
Implementation plan
Setting up a Linux machine with Winbind to authenticate against Active Directory is not easy. There is a lot to configure and many places where things can go wrong; every Linux release and every Samba release differs in small ways, and the different versions of Windows Active Directory make it worse. I chose Windows 2003 R2 Active Directory and CentOS 6.2 for this test.
Integrating RHEL 6 with Active Directory for authentication basically involves these steps:
1. Preliminary considerations, technical and non-technical
2. Choosing an authentication strategy
3. Preparing for implementation: Active Directory, DNS, Samba, time synchronization, the Kerberos client, and so on.
4. Configuring Linux according to the chosen strategy, in particular PAM and NSS.
Note that Windows Active Directory Domain Services actually bundles three distinct services: LDAP, DNS and Kerberos.
Reference documents
There is a great deal of documentation on this topic. The most complete and authoritative pieces I found are Microsoft's "Authenticating Linux Clients with Active Directory" (使用 Active Directory 对 Linux 客户端进行身份验证) and Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active Directory".
Key concepts
Identity Management (IdM) in Red Hat Enterprise Linux (RHEL)
IdM is Red Hat's counterpart to Windows Active Directory DS; it is outside the scope of this article.
Red Hat Identity Management (IdM) in RHEL is a domain controller for Linux and UNIX servers that uses native Linux tools. Similar to Active Directory, Identity Management provides centralized management of identity stores, authentication and authorization policies. Identity Management defines a domain, with servers and clients who share centrally-managed services, like Kerberos and DNS. Although centralized applications to manage identity, policy and authorization are not new, Identity Management is one of the only options that supports Linux/Unix domains.
Identity Management provides a unifying interface for standards-based, common network services, including PAM, LDAP, Kerberos, DNS, NTP, and certificate services, and allows Red Hat Enterprise Linux systems to serve as domain controllers.
System Security Services Daemon (SSSD)
The System Security Services Daemon (SSSD) provides access to different identity and authentication providers. SSSD is an intermediary between local clients and any configured data store. The local clients connect to SSSD and then SSSD contacts the external providers.
This brings a number of benefits for administrators:
Offline authentication. SSSD can optionally keep a cache of user identities and credentials that it retrieves from remote authentication/identification services. This allows users to authenticate to resources successfully, even if the remote identification server is offline or the local machine is offline.
Reduced load on authentication/identification servers. Rather than having every client contact the identification server directly, all local clients can contact SSSD which can connect to the identification server or check its cache.
Single user account. Remote users frequently have multiple user accounts, such as one for their local system and one for the organizational system. Since SSSD supports caching and offline authentication, remote users can connect to network resources simply by authenticating to their local machine and then SSSD maintains their network credentials.
SSSD recognizes domains, which are associated with different identity servers. Domains are a combination of an identity provider and an authentication method. SSSD works with LDAP identity providers (OpenLDAP, Red Hat Directory Server, IdM in RHEL, Microsoft Active Directory) and native LDAP authentication or Kerberos authentication.
Winbind
For Red Hat, Winbind provides these three functions:
Authentication of user credentials (via PAM).
ID Tracking/Name Resolution via nsswitch (NSS). The nsswitch service allows user and system information to be obtained from different database services such as LDAP or NIS. ID Tracking/Name Resolution is responsible for determining "Where" user identities are found.
ID Mapping represents the mapping between Red Hat Enterprise Linux user (UID), group (GID), and Windows security (SID) IDs. ID Mappings are handled through an idmap "backend" that is responsible for tracking "What" IDs users are known by in both operating system environments.
ID mapping
One big problem with authenticating Linux users against Active Directory that I have not mentioned yet is user and group UIDs. Neither Linux nor Windows refers to users internally by name; both use unique internal identifiers. Windows uses the security identifier (SID), which uniquely identifies every user in a Windows domain and has a variable-length structure. The SID also contains a unique domain identifier so that Windows can tell users in different domains apart.
Linux's scheme is much simpler: every user on a Linux machine has a UID, which is just a 32-bit integer. But the UID is only meaningful on that machine. The user with UID 436 on one Linux machine is not necessarily the same person as the user with UID 436 on another. So a user has to log in separately to every machine he needs to access, which is clearly not ideal.
Linux network administrators usually solve this with the Network Information System (NIS) or a shared LDAP directory to provide network authentication. The network authentication system supplies the user's UID, and all Linux machines using it share the same user and group identifiers. Here I will use Active Directory to supply the unique user and group identifiers.
The ID mapping problem is solved with Winbind backends.
Winbind Backends
Winbind idmap "backends" are one of the most commonly misunderstood components in Samba. Since Winbind provides a number of different "backends" and each manages ID Mappings differently, it is useful to classify them as follows:
Allocating – "Read-Writeable" backends that store ID Mappings in a local database file on the Red Hat Enterprise Linux 6 system(s).
Algorithmic – "Read-Only" backends that calculate ID Mappings on demand and provide consistent ID Mappings across each Red Hat Enterprise Linux 6 system.
Assigned – "Read-Only" backends that use ID Mappings pre-configured within Active Directory.
Selecting a Winbind "backend" is also dependent on factors such as:
Whether or not Active Directory schema modifications are permitted
Preferred location of ID Mappings
Number of Red Hat Enterprise Linux 6 systems
Number of nodes in the Active Directory forest
Use of LDAP
The figure below shows the Winbind backends that Red Hat 6 provides:
Two of the simpler strategies are:
The first (and most obvious) strategy is to create a UID for every user and group and store it in Active Directory alongside the object. When Winbind authenticates a user it can then look up that user's UID and hand it to Linux as the user's internal identifier. Winbind calls this scheme Active Directory ID mapping, or idmap_ad. Figure 17 illustrates the Active Directory ID mapping process.
The only drawback of Active Directory ID mapping is that we must provide a mechanism to ensure every user and group has an identifier, and that those identifiers are unique across the forest.
Fortunately there is another ID mapping strategy with far less administrative overhead. Recall that a Windows SID uniquely identifies both the domain and the user within it. The part of the SID that uniquely identifies a user within the domain is called the relative identifier (RID), and it is in fact a 32-bit integer. Winbind can therefore extract the RID directly from the SID when the user logs in and use it as the unique internal UID. Winbind calls this strategy RID mapping, or idmap_rid. Figure 18 shows how RID mapping works in practice.
RID mapping has the advantage of zero administrative overhead, but you cannot use it in a multi-domain environment, because users in different domains may have the same RID value. If you have a single Active Directory domain, RID mapping works well.
To configure the Winbind ID mapping strategy, edit /etc/samba/smb.conf again and add the line "idmap backend = ad" to use Active Directory mapping;
to use RID mapping, add the line "idmap backend = rid" instead. Make sure the file contains no other line that specifies a mapping strategy.
Winbind needs a few more options in smb.conf. Although we have configured PAM to create a home directory for each user at login, we still have to tell Winbind what the home directory is called. We do this by adding the line "template homedir = /home/%U" to smb.conf (see Figure 19). This tells Winbind that the home directory of every user authenticated through Active Directory will be /home/<username>. The /home directory must already exist.
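As an added example (it is not code from the original post or from Samba), the following Python models the idmap_rid rule described above: the RID is the last sub-authority of the SID, and the Linux id is computed as rid - base_rid + low, where low-high is the configured range. The SIDs are the ones the page later prints with wmic, plus one constructed SID from a second domain to show the multi-domain collision the text warns about; the range starting at 10000000 is an assumption chosen because it reproduces the uid and gid the page's id output shows.

```python
import re

# Sample SIDs: the first two are the ones the page prints with wmic, the third is a
# constructed SID in a different domain that happens to carry the same RID (1122).
USER_SID = "S-1-5-21-4125118022-1750871687-1689327875-1122"
GROUP_SID = "S-1-5-21-4125118022-1750871687-1689327875-513"
OTHER_DOMAIN_USER = "S-1-5-21-111111111-222222222-333333333-1122"

# S-1-5-21-<sub-authority x3>-<RID>; the RID is captured as the final component.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID; the RID is a 32-bit integer."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % (sid,))
    rid = int(m.group(1))
    if rid > 0xFFFFFFFF:
        raise ValueError("RID does not fit in 32 bits: %d" % rid)
    return sid[: sid.rfind("-")], rid


def rid_to_id(sid, low, high, base_rid=0):
    """idmap_rid style mapping: id = rid - base_rid + low, which must stay in [low, high].
    low/high play the role of 'idmap config <DOMAIN> : range = low-high'."""
    _, rid = split_sid(sid)
    linux_id = rid - base_rid + low
    if not low <= linux_id <= high:
        raise ValueError("RID %d maps to %d, outside range %d-%d" % (rid, linux_id, low, high))
    return linux_id


def fits_range(sid, low, high, base_rid=0):
    """True when the SID maps inside the range without error."""
    try:
        rid_to_id(sid, low, high, base_rid)
        return True
    except ValueError:
        return False


def check_collisions(sids, low, high):
    """Map every SID through ONE shared range and report ids claimed by more than one
    domain. This is the multi-domain failure mode the text describes for idmap_rid:
    the same RID in two domains lands on the same Linux id."""
    seen = {}
    collisions = []
    for sid in sids:
        domain, _ = split_sid(sid)
        linux_id = rid_to_id(sid, low, high)
        if linux_id in seen and seen[linux_id] != domain:
            collisions.append((linux_id, seen[linux_id], domain))
        seen.setdefault(linux_id, domain)
    return collisions


if __name__ == "__main__":
    print(rid_to_id(USER_SID, 10000000, 19999999))    # 10001122, as in the page's id output
    print(rid_to_id(GROUP_SID, 10000000, 19999999))   # 10000513 (domain users)
    print(check_collisions([USER_SID, OTHER_DOMAIN_USER], 10000000, 19999999))
```

The collision check is the reason the text restricts idmap_rid to a single domain: a second domain needs its own idmap config <DOMAIN> : range so that its RIDs land in a disjoint block.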
Preliminary considerations
There are many reasons why organizations choose to integrate Red Hat Enterprise Linux 6 systems into a Windows Active Directory domain. Some of the most common include:
Simplify, consolidate the administration of user accounts
Greater reliability, stability
Cost savings
Flexibility
Customization
Source code access
Greater security
Leverage Red Hat Enterprise Linux 6 benefits
Non-technical Considerations
· Organizational Alignment
· Expertise Levels
· Scope/Complexity
· Project Deployment
· Prototype
Technical Considerations
· File Sharing
· Login Access
· Active Directory ID Attributes
· Enumeration
· LDAP Referrals
· Winbind Backends
· Services Integration
· Log Files
Authentication strategies
Comparison of authentication strategies
Refer to Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active Directory", which lists 10 different configurations:
Choosing an authentication strategy
With 10 strategies to choose from, which one should you pick? The figure below is a simple decision guide:
Note that the following steps are involved; I will not describe each one in detail.
Windows Server 2008 R2 server:
Deploy Windows Server 2008 R2
Configure Active Directory Domain Services
Red Hat Enterprise Linux 6 systems:
Deploy Red Hat Enterprise Linux 6
Configure SELinux Security Parameters
Install/Configure Samba (for recommended configurations 1, 2 only)
Synchronize Time Services
Configure DNS
Install/Configure Kerberos Client
Configure SELinux Security Parameters
For SELinux, see "Red Hat Enterprise Linux 6 Security-Enhanced Linux".
Install/Configure Samba
Synchronize Time Services
This matters because Kerberos authentication fails if the clock skew exceeds 5 minutes. We point NTP at the Windows domain controller:
vim /etc/ntp.conf
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org
server 192.168.136.8   # the IP address of the AD domain controller
/etc/init.d/ntpd restart
We can see the time is now synchronized.
Configure DNS
My DNS server points at the Windows domain controller:
[root@client /]# cat /etc/resolv.conf
# Generated by NetworkManager
search ad.example.com
nameserver 192.168.136.8
(search is the full DNS name of the domain; nameserver is the IP address of the domain controller.)
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
DOMAIN=ad.example.com
[root@client /]# cat /etc/sysconfig/network
bash: cat /etc/sysconfig/network: No such file or directory
[root@server1 /]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=client
Install/Configure Kerberos Client
Best practice is to install and configure the Kerberos client (krb5-workstation) to ensure Kerberos is able to properly authenticate to Active Directory on the Windows Server 2008 R2 server. This step is optional but highly recommended as it is useful for troubleshooting Kerberos authentication issues.
#1. Verify the Kerberos client is installed:
[root@server1 /]# yum list installed | grep krb5
krb5-libs.x86_64          1.10.3-10.el6   @anaconda-CentOS-201303020151.x86_64/6.4
krb5-workstation.x86_64   1.10.3-10.el6   @anaconda-CentOS-201303020151.x86_64/6.4
pam_krb5.x86_64           2.3.11-9.el6    @anaconda-CentOS-201303020151.x86_64/6.4
#2. Edit the file /etc/krb5.conf as follows
[root@client etc]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = ad.example.com
  admin_server = ad.example.com
  default_domain = EXAMPLE.COM
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
#3. Verify the Kerberos configuration. First, clear out any existing tickets:
[root@client etc]# kdestroy
kdestroy: No credentials cache found while destroying cache
[root@client etc]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
#4. Obtain a new Kerberos ticket:
[root@client etc]# kinit administrator@AD.EXAMPLE.COM
Password for administrator@AD.EXAMPLE.COM:
#5. Verify a new Kerberos ticket was granted:
[root@client etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
10/09/14 16:20:09  10/10/14 02:20:12  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 10/16/14 16:20:09
Install oddjob-mkhomedir
Install the oddjob-mkhomedir package to ensure that user home directories are created with the proper SELinux file and directory contexts:
[root@server1 etc]# service oddjobd status
oddjobd (pid 2018) is running...
[root@server1 etc]# chkconfig oddjobd --list
oddjobd   0:off  1:off  2:on  3:on  4:on  5:on  6:off
Integration approach 1 – Samba/Winbind (idmap_rid)
This is the simplest configuration. It integrates one or more Red Hat systems into an Active Directory domain and provides user login authentication and file sharing. Configuration outline:
Authentication and ID Components
The following picture depicts the Authentication, ID Tracking, and ID Mapping for Configuration 1:
1. Configure Authentication (configure PAM and NSS)
PAM and NSS configuration files
PAM and NSS are the glue between Linux applications (such as the desktop) and Winbind. Like many Linux services, PAM and NSS are configured through text files.
PAM offers applications four authentication-related facilities. The auth facility lets an application establish who the user is. The account facility provides account management functions, such as login-time restrictions, that are not directly related to authentication. The password facility provides mechanisms for requesting and managing passwords. The session facility performs user-specific setup and teardown for the application, for example logging, or creating files in a user-specific directory.
On Red Hat, PAM keeps its configuration in /etc/pam.d, one text file per application that authenticates through PAM. For example, /etc/pam.d/gdm holds the PAM configuration of the Gnome Desktop Manager (GDM), Red Hat's default desktop environment. Each PAM configuration file has several lines, each defining one aspect of the PAM authentication process.
Each entry in a PAM configuration file has the form <management group> <control> <module> <arguments>, where <management group> is the facility the entry belongs to: auth, account, password or session. The control keyword, described in the figure above, governs how PAM handles the entry. The third column is the name of a PAM shared library in /lib/security; a shared library contains dynamically loadable executable code, much like a DLL on Windows. Anything after the module name is an argument that PAM passes to the shared library.
Required: if the module succeeds, PAM goes on to evaluate the remaining entries of the management group and the result depends on those modules. If the module fails, PAM continues evaluating but returns failure to the calling application.
Requisite: if the module succeeds, PAM continues with the management group's entries. If it fails, PAM returns to the calling application immediately with no further processing.
Sufficient: if the module succeeds, PAM returns success to the calling application. If it fails, PAM continues evaluating and the result depends on the subsequent modules.
Optional: PAM ignores the module's result unless it is the only module specified for the management group.
Include: PAM includes the referenced PAM configuration file and also processes the entries it contains.
As you can see, each management group contains several entries. PAM processes them in order, calling the named module; the module returns success or failure and PAM continues evaluation according to the control keyword.
You may notice that GDM's PAM configuration file includes system-auth in all of its management groups. This is how PAM establishes GDM's default authentication behaviour. By modifying system-auth you change the authentication behaviour of every application whose PAM configuration includes the system-auth file. The figure below shows the default system-auth file.
The Name Service Switch (NSS) modules hide the details of system data storage from application developers, much as PAM hides the details of authentication. NSS lets the administrator specify how system databases are stored; specifically, how user name and password information is stored. Because we want applications to look up user information in Active Directory through Winbind, we have to modify the NSS configuration file to expose it.
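The control-keyword rules above decide, for example, whether a low-numbered system account ever gets sent to the domain controller, or whether an account stack still passes when pam_winbind does not know the user. As an added example (not code from the original post or from Linux-PAM), the following Python walks a pam.d stack with those rules. The keywords are expanded into the bracket actions documented in pam.d(5) (ok, bad, done, die, ignore, or a jump count); the sample configuration is the system-auth file the page later prints, and the module return codes for each scenario are constructed inputs.

```python
import re

# Keyword controls written as the bracket actions they expand to (per pam.d(5)):
#   ok     record success and continue          bad    record failure and continue
#   done   return the result recorded so far    die    return failure immediately
#   ignore leave the result unchanged           N      treat as ok and skip the next N entries
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The system-auth stack the page shows (cat system-auth), embedded as sample input.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

ENTRY_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_control(text):
    """Turn 'required' or '[success=ok default=bad]' into a {return code: action} map."""
    if text.startswith("["):
        actions = {}
        for pair in text.strip("[]").split():
            key, val = pair.split("=", 1)
            actions[key] = int(val) if val.isdigit() else val
        return actions
    return dict(KEYWORDS[text])


def parse_stack(config, group):
    """Return [(actions, module)] for one management group (auth, account, ...)."""
    entries = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m and m.group(1) == group:
            entries.append((parse_control(m.group(2)), m.group(3)))
    return entries


def evaluate(entries, results):
    """Walk the stack with the control semantics above.
    results maps module name -> 'success', 'auth_err' or 'user_unknown'; a module that
    is not listed is assumed to fail with 'auth_err'. Returns True when access is granted."""
    impression = None          # None (nothing recorded yet), "ok" or "bad"
    i = 0
    while i < len(entries):
        actions, module = entries[i]
        code = results.get(module, "auth_err")
        action = actions.get(code, actions.get("default", "bad"))
        if action == "done":
            return impression != "bad"      # an earlier required failure still wins
        if action == "die":
            return False
        if action == "bad":
            impression = "bad"
        elif action == "ok" or isinstance(action, int):
            if impression is None:
                impression = "ok"
            if isinstance(action, int):
                i += action                 # jump over the next N entries
        i += 1                              # "ignore" falls through unchanged
    return impression == "ok"


def decide(group, results, config=SYSTEM_AUTH):
    return evaluate(parse_stack(config, group), results)


if __name__ == "__main__":
    # Domain user with the right password: pam_unix fails, uid >= 500 holds, winbind grants.
    print(decide("auth", {"pam_env.so": "success", "pam_succeed_if.so": "success",
                          "pam_winbind.so": "success"}))     # True
    # Account with uid < 500: the requisite line stops the stack before winbind is asked.
    print(decide("auth", {"pam_env.so": "success", "pam_succeed_if.so": "auth_err",
                          "pam_winbind.so": "success"}))     # False
```

The requisite pam_succeed_if line is the security-relevant one: it stops the auth stack before pam_winbind is consulted, so local system accounts are never validated against the domain. In the account stack, user_unknown=ignore is what lets purely local users pass through a stack that also contains pam_winbind.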
1. Configuration steps (I ended up not using the graphical tool; see below)!!! I found the official docs full of pitfalls!
Red Hat ships a small graphical applet for configuring PAM and NSS, system-config-authentication. It handles most (but not all) of the changes you need to make to system-auth and nsswitch.conf.
After running system-config-authentication you see the following window:
Winbind Domain: Windows Active Directory domain
Security Model: The Samba client mode of operation. The drop-down list allows selection of the following options:
ads – This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm. To operate in this mode, the krb5-server package must be installed, and Kerberos must be configured properly.
domain – In this mode, Samba attempts to validate the username/password by authenticating it through a Windows Active Directory domain server, similar to how a Windows Server would.
server – In this mode, Samba attempts to validate the username/password by authenticating it through another SMB server. If the attempt fails, the user mode takes effect instead.
user – This is the default mode. With this level of security, a client must first log in with a valid username and password. Encrypted passwords can also be used in this security mode.
Winbind ADS Realm: When the ads Security Model is selected, this allows you to specify the ADS Realm the Samba server should act as a domain member of.
Winbind Domain Controllers: Use this option to specify which domain server winbind should use.
Template Shell: When filling out the user information for a Windows user, the winbindd daemon uses the value chosen here to specify the login shell for that user.
Allow offline login: By checking this option, authentication information is stored in a local cache. This information is then used when a user attempts to authenticate while offline.
We will use the following configuration:
Select "Apply". The SSSD failure should not affect the final result; ignore it for now.
Return to the Identity & Authentication tab, select Join Domain. An alert indicates the need to save the configuration changes to disk before continuing.
Select Save. A new window prompts for the Domain administrator password:
Select OK. I hit two errors along the way, "DNS update failed" and "clock skew too great":
Both are easy to fix: set DNS dynamic updates to "nonsecure and secure", and make sure the clock is synchronized with the domain controller.
My configuration:
/etc/samba/smb.conf
[global]
# NetBIOS name of the AD domain. This line is required; without it the Samba
# server cannot be found when browsing the domain network
workgroup = AD
server string = File Server
netbios name = Sambaserver
# run Samba as an ads domain member
security = ads
hosts allow = 172.16. 127. 192.
encrypt passwords = yes
# use the user alice as the guest account
guest account = alice
# the Windows domain name (DNS form)
realm = ad.example.com
# IP address of the server that performs authentication
password server = 172.16.0.1
# uid range used to map Windows user SIDs to Linux UIDs. Make sure no local or
# NIS users occupy this range, and do not add users in it once winbind is running
idmap uid = 15000-20000
# gid range used to map Windows group SIDs to Linux GIDs, with the same rules
idmap gid = 15000-20000
# whether winbind may enumerate the Windows domain groups on this system;
# normally yes, unless you have a reason to turn it off
winbind enum groups = yes
# whether winbind may enumerate the Windows domain users on this system;
# normally yes, unless you have a reason to turn it off
winbind enum users = yes
# separator between domain and user/group name; domain users then appear as
# "MYDOMAIN+username" and domain groups as "MYDOMAIN+Domain Users"
winbind separator = +
# home directory for domain users; with variable substitution winbind sets it
# to /homes/MYDOMAIN/username
template homedir = /homes/%D/%U
# login shell assigned to domain users
template shell = /bin/bash
[homes]
comment = Home Directories
browseable = no
writable = yes
path = /home/%U
valid users = %U
[share]
comment = All users' share directory
path = /usr/share
public = no
guest ok = yes
read only = yes
[program]
comment = Program Files
path = /etc/program
# only members of the domain administrators group and the user alice may access this share
valid users = @administrator alice
public = no
writable = yes
An example:
[global]
    workgroup = AD
    password server = ad.example.com
    realm = AD.EXAMPLE.COM
    security = ads
    idmap config * : range = 16777216-33554431
    winbind separator = /
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = true
    server string = Samba Server Version %v
    log file = /var/log/samba/log.%m
    max log size = 50
    load printers = yes
    cups options = raw
    encrypt passwords = yes
    winbind enum users = yes
    winbind enum groups = yes
[homes]
    comment = Home Directories
    path = /data/%D/%U
    browseable = no
    writable = yes
    valid users = %U
    valid users = AD.EXAMPLE.COM\%U
    create mode = 0777
    directory mode = 0777
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # default realm
 default_realm = AD.EXAMPLE.LOCAL
 # do not use DNS to look up the realm
 dns_lookup_realm = false
 # allow DNS lookup of the KDC
 dns_lookup_kdc = true
 # lifetime of Kerberos tickets
 ticket_lifetime = 24h
 # tickets are forwardable
 forwardable = yes

[realms]
 LYCB.LOCAL = {
  # KDC server and port; 192.168.136.8 is the AD server, i.e. ad.example.com
  kdc = 192.168.136.8:88
  # domain controller and admin port
  admin_server = 192.168.136.8:749
  # default domain
  default_domain = ad.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.LOCAL
 example.com = EXAMPLE.LOCAL
 # these two lines define the domain-to-realm search mapping and make the domain name case-insensitive

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  # allow forwarding
  forwardable = true
  krb4_convert = false
 }
nsswitch.conf controls, when a user accesses the Samba server, whether user accounts are looked up on the Windows domain controller, so that DC accounts can be used for authentication. It lives in /etc and the changes are simple; only the following lines need editing:
/etc/nsswitch.conf
passwd:     files winbind   # note
group:      files winbind   # note
shadow:     files winbind   # note
hosts:      files dns wins
networks:   files dns
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
vi /etc/pam.d/system-auth  (this is the authentication stack; if you don't know it, study it. Note the added pam_winbind.so lines, highlighted in red in the original; this file governs direct user logins.)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account sufficient pam_winbind.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
One more step: edit /etc/resolv.conf
# Generated by NetworkManager
search ad.example.com
nameserver 192.168.136.8
(search is the domain name; nameserver is the domain controller's IP.)
Then restart smb and winbind.
2. Verify/Test Active Directory
[root@samba ~]# net ads info
LDAP server: 192.168.136.8
LDAP server name: TJDNS03.ad.example.com
Realm: AD.EXAMPLE.COM
Bind Path: dc=AD,dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Wed, 03 Dec 2014 17:49:37 CST
KDC server: 192.168.136.8
Server time offset: 18
[root@samba ~]# wbinfo --domain-users
SAMBA\lilinji
administrator
guest
krbtgt
lilinji
wuxiaolei
sss
3. Modify Samba Configuration
See the configuration summary below. Modify the Samba configuration file /etc/samba/smb.conf as follows:
Test the new configuration file:
[root@samba ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[userdata]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
    workgroup = AD
    realm = AD.EXAMPLE.COM
    security = ADS
    password server = ad.example.com
    template homedir = /home/%U
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap config * : range = 100000-200000
    idmap config * : backend = tdb
[userdata]
    path = /home/%D/%U
    valid users = AD.EXAMPLE.COM/%U
    read only = No
    create mask = 0777
    directory mask = 0777
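The testparm run above flags two things worth catching before joining: the deprecated idmap uid/gid parameters and security = ads combined with password server. As an added example (not testparm and not code from the original post), the following Python reads an smb.conf with a small parser (Samba's own parser is not used; the key normalisation that makes "idmap config * : range" match is an assumption of this example) and reports exactly those findings plus a missing realm. The two embedded configurations are built from the page's own [global] settings: the first reproduces the warned-about file, the second is the corrected form.

```python
import re

# Built from the smb.conf the page shows under "My configuration": this is the shape
# that testparm warns about.
PAGE_SMB_CONF = """\
[global]
   workgroup = AD
   security = ads
   realm = ad.example.com
   password server = 172.16.0.1
   idmap uid = 15000-20000
   idmap gid = 15000-20000
   winbind separator = +
   template homedir = /homes/%D/%U
   template shell = /bin/bash
[homes]
   comment = Home Directories
   path = /home/%U
   valid users = %U
"""

# The same file with the deprecated range parameters replaced by the modern form
# testparm prints, and password server removed so Samba discovers the DC itself.
CORRECTED_SMB_CONF = """\
[global]
   workgroup = AD
   security = ads
   realm = ad.example.com
   idmap config * : range = 15000-20000
   idmap config * : backend = tdb
   winbind separator = +
   template homedir = /homes/%D/%U
   template shell = /bin/bash
[homes]
   comment = Home Directories
   path = /home/%U
   valid users = %U
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalised key: value}}.
    Lines starting with # or ; are comments (Samba has no inline comments); keys are
    lower-cased with internal whitespace collapsed, so 'idmap config * : range' and
    'idmap config *:range' compare equal."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().replace(":", " : ").split())
        sections[current][key] = value.strip()
    return sections


def lint_global(sections):
    """Return the findings testparm reports on the page, plus a realm check for ads mode."""
    g = sections.get("global", {})
    findings = []
    for key in ("idmap uid", "idmap gid"):
        if key in g:
            findings.append("'%s' is deprecated; use 'idmap config * : range'" % key)
    if g.get("security", "").lower() == "ads":
        if "password server" in g:
            findings.append("'security = ads' should not be combined with "
                            "'password server'; Samba discovers the DC automatically")
        if "realm" not in g:
            findings.append("'security = ads' requires 'realm'")
    return findings


if __name__ == "__main__":
    for name, conf in (("page", PAGE_SMB_CONF), ("corrected", CORRECTED_SMB_CONF)):
        print(name, lint_global(parse_smb_conf(conf)) or "no findings")
```

Running the check on a config before net join is cheaper than discovering at join time, as the page does, that the join fell back to RPC because the DC named in password server was not the one Samba needed.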
Backup and clear out the existing Samba cache files – requires services to be stopped.
[root@samba ~]# kdestroy
[root@samba ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
When rejoining the domain I hit two more errors:
Connection failed: NT_STATUS_CONNECTION_REFUSED
[root@samba ~]# net join -S server1 -U administrator
Enter administrator's password:
Failed to join domain: failed to lookup DC info for domain 'AD.EXAMPLE.COM' over rpc: The connection was refused
ADS join did not work, falling back to RPC...
Connection failed: NT_STATUS_CONNECTION_REFUSED
Enter administrator's password:
Could not connect to server server1
Connection failed: NT_STATUS_CONNECTION_REFUSED
[root@server1 pam.d]# net join -S server1 -U Administrator
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain 'AD.EXAMPLE.COM' over rpc: The connection was refused
ADS join did not work, falling back to RPC...
Connection failed: NT_STATUS_CONNECTION_REFUSED
Enter Administrator's password:
Could not connect to server server1
Connection failed: NT_STATUS_CONNECTION_REFUSED
So I followed this thread: http://ubuntuforums.org/showthread.php?t=1356710
[root@server1 pam.d]# net join -U Administrator
Enter Administrator's password:
That is as far as the configuration goes. There are many modes I have not tested; I hope everyone will test them together and put them into production!
Below are some errors I encountered.
4 Login Access
The first attempt failed. SSH did not work, and a non-root user could not su to a domain user, but root could su to a domain user. That means the authentication modules are right and the problem lies elsewhere. I found this post on the Red Hat forum, "active directory fatal: Access denied for user by PAM account configuration", which is almost exactly my problem, but the problem was not solved there.
First let's look at the error from SSH or from a non-root su:
[jonathan@server1 ~]$ su zhouwen -
Password:
su: incorrect password
tail -f /var/log/secure
Oct 10 11:09:00 server1 su: pam_unix(su:auth): authentication failure; logname=jonathan uid=500 euid=0 tty=pts/6 ruser=jonathan rhost= user=zhouwen
Oct 10 11:09:00 server1 su: pam_sss(su:auth): Request to sssd failed. Connection refused
Oct 10 11:09:00 server1 su: pam_winbind(su:auth): getting password (0x00000010)
Oct 10 11:09:00 server1 su: pam_winbind(su:auth): pam_get_item returned a password
Oct 10 11:09:00 server1 su: pam_winbind(su:auth): user 'zhouwen' granted access
Oct 10 11:09:00 server1 su: pam_sss(su:account): Request to sssd failed. Connection refused
Oct 10 11:09:00 server1 su: pam_winbind(su:account): user 'zhouwen' granted access
From the above, authentication must have succeeded, otherwise pam_winbind(su:account) would not have passed. Now look at the error when a wrong password is deliberately entered; it is clear that the domain controller returned a wrong-password response.
[jonathan@server1 ~]$ su zhouwen -
Password:
Wrong Password
su: incorrect password
tail -f /var/log/secure
Oct 10 11:08:49 server1 su: pam_unix(su:auth): authentication failure; logname=jonathan uid=500 euid=0 tty=pts/6 ruser=jonathan rhost= user=zhouwen
Oct 10 11:08:49 server1 su: pam_sss(su:auth): Request to sssd failed. Connection refused
Oct 10 11:08:49 server1 su: pam_winbind(su:auth): getting password (0x00000010)
Oct 10 11:08:49 server1 su: pam_winbind(su:auth): pam_get_item returned a password
Oct 10 11:08:49 server1 su: pam_winbind(su:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Oct 10 11:08:49 server1 su: pam_winbind(su:auth): user 'zhouwen' denied access (incorrect password or invalid membership)
root can su to the domain user; the uid/gid are the trailing numbers of the SID, inside the range we specified earlier, and the home directory is created: everything normal.
C:\Program Files\Windows Resource Kits\Tools>wmic useraccount where name='zhouwen' get sid
SID
S-1-5-21-4125118022-1750871687-1689327875-1122
C:\Program Files\Windows Resource Kits\Tools>wmic group where name='domain users' get sid
SID
S-1-5-21-4125118022-1750871687-1689327875-513
[root@server1 home]# su zhouwen
Creating home directory for zhouwen.
[zhouwen@server1 home]$ cd ~
[zhouwen@server1 ~]$ pwd
/home/VMWARE-TEST/zhouwen
[zhouwen@server1 home]$ id
uid=10001122(zhouwen) gid=10000513(domain users) groups=10000513(domain users),10001(BUILTIN+users),10001145(isilonsysadmin),10001149(netappsysadmin)
I went through the PAM configuration carefully and found nothing wrong.
[root@server1 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@server1 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
The only remaining suspect was SSSD, even though the SSSD service was stopped. After reading "Starting and Stopping SSSD", I removed SSSD from the authconfig configuration.
[root@server1 sysconfig]# authconfig --disablesssdauth --disablesssd --update
Starting Winbind services:   [ OK ]
Starting oddjobd:            [ OK ]
Tried again: success!
Oct 10 11:35:14 server1 sshd[17975]: pam_winbind(sshd:auth): getting password (0x00000010)
Oct 10 11:35:14 server1 sshd[17975]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 10 11:35:14 server1 sshd[17975]: pam_winbind(sshd:auth): user 'zhouwen' granted access
Oct 10 11:35:14 server1 sshd[17975]: pam_winbind(sshd:account): user 'zhouwen' granted access
Oct 10 11:35:14 server1 sshd[17975]: Accepted password for zhouwen from 192.168.0.1 port 57177 ssh2
Oct 10 11:35:14 server1 sshd[17975]: pam_unix(sshd:session): session opened for user zhouwen by (uid=0)
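The three /var/log/secure excerpts above contain everything needed to tell a genuine wrong password (NT_STATUS_WRONG_PASSWORD from the DC) from the stale pam_sss entries that were the real problem. As an added example (not code from the original post), the following Python summarises pam_winbind decisions and pam_sss failures from such a log. The sample lines are constructed from the page's excerpts; the regexes accept both straight quotes and the curly quotes the page's copy shows.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpts shown on the page.
SAMPLE_SECURE = """\
Oct 10 11:08:49 server1 su: pam_sss(su:auth): Request to sssd failed. Connection refused
Oct 10 11:08:49 server1 su: pam_winbind(su:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Oct 10 11:08:49 server1 su: pam_winbind(su:auth): user 'zhouwen' denied access (incorrect password or invalid membership)
Oct 10 11:09:00 server1 su: pam_winbind(su:auth): user 'zhouwen' granted access
Oct 10 11:09:00 server1 su: pam_sss(su:account): Request to sssd failed. Connection refused
Oct 10 11:09:00 server1 su: pam_winbind(su:account): user 'zhouwen' granted access
Oct 10 11:35:14 server1 sshd[17975]: pam_winbind(sshd:auth): user \u2018zhouwen\u2018 granted access
Oct 10 11:35:14 server1 sshd[17975]: pam_winbind(sshd:account): user 'zhouwen' granted access
Oct 10 11:35:14 server1 sshd[17975]: Accepted password for zhouwen from 192.168.0.1 port 57177 ssh2
"""

QUOTE = "['\u2018\u2019]"   # straight or curly single quotes around the user name
DECISION_RE = re.compile(
    r"pam_winbind\((?P<service>\w+):(?P<group>auth|account)\): user "
    + QUOTE + r"(?P<user>[^'\u2018\u2019]+)" + QUOTE + r" (?P<verdict>granted|denied) access")
NTSTATUS_RE = re.compile(r"pam_winbind\(\w+:auth\): .*NTSTATUS: (?P<status>NT_STATUS_\w+)")
SSS_RE = re.compile(r"pam_sss\(\w+:\w+\): Request to sssd failed")


def summarize(log_text):
    """Count pam_winbind grants/denials per (user, service, group), the NTSTATUS codes
    behind the denials, and pam_sss calls that failed because sssd is not running."""
    summary = {
        "decisions": defaultdict(lambda: {"granted": 0, "denied": 0}),
        "ntstatus": defaultdict(int),
        "sssd_failures": 0,
    }
    for line in log_text.splitlines():
        m = DECISION_RE.search(line)
        if m:
            key = (m.group("user"), m.group("service"), m.group("group"))
            summary["decisions"][key][m.group("verdict")] += 1
            continue
        m = NTSTATUS_RE.search(line)
        if m:
            summary["ntstatus"][m.group("status")] += 1
            continue
        if SSS_RE.search(line):
            summary["sssd_failures"] += 1
    return summary


def findings(summary):
    """Turn the counts into the two things an administrator acts on."""
    notes = []
    if summary["sssd_failures"]:
        notes.append("pam_sss is still in the PAM stack but sssd is not answering (%d refused "
                     "requests); either run sssd or remove it with "
                     "authconfig --disablesssdauth --disablesssd --update"
                     % summary["sssd_failures"])
    for (user, service, group), counts in sorted(summary["decisions"].items()):
        if group == "auth" and counts["denied"]:
            reasons = ", ".join(sorted(summary["ntstatus"])) or "no NTSTATUS recorded"
            notes.append("%s: %d denied winbind logon(s) via %s (%s)"
                         % (user, counts["denied"], service, reasons))
    return notes


if __name__ == "__main__":
    for note in findings(summarize(SAMPLE_SECURE)):
        print(note)
```

The page's diagnosis is visible in the counts: every pam_winbind decision for zhouwen was a grant except the one with an explicit NT_STATUS_WRONG_PASSWORD, while pam_sss failed on every call, which is what the authconfig change removed.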
5 File Share
First, let's access a Windows file share from the Linux side:
#Use the smbclient utility to determine what file shares are available
[zhouwen@server1 ~]$ id
uid=10001122(zhouwen) gid=10000513(domain users) groups=10000513(domain users),10001(BUILTIN+users),10001145(isilonsysadmin),10001149(netappsysadmin)
[zhouwen@server1 ~]$ kinit
Password for zhouwen@VMWARE-TEST.COM:
[zhouwen@server1 ~]$ smbclient -L domain-server -k
params.c:Parameter() - Ignoring badly formed line in configuration file: /`
OS=[Windows Server 2003 R2 3790 Service Pack 1] Server=[Windows Server 2003 R2 5.2]

        Sharename       Type      Comment
        ---------       ----      -------
        ShareToDesktop  Disk
        C$              Disk      Default share
        wmpub           Disk
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin
        D$              Disk      Default share
        SYSVOL          Disk      Logon server share
        NETLOGON        Disk      Logon server share
OS=[Windows Server 2003 R2 3790 Service Pack 1] Server=[Windows Server 2003 R2 5.2]
#Use the smbclient utility to view what files are available:
[zhouwen@server1 ~]$ smbclient //domain-server/ShareToDesktop -k
params.c:Parameter() - Ignoring badly formed line in configuration file: /`
OS=[Windows Server 2003 R2 3790 Service Pack 1] Server=[Windows Server 2003 R2 5.2]
smb: \> listconnect
0: server=domain-server, share=ShareToDesktop
smb: \> ls
  .                                   D        0  Sat Mar 24 15:07:32 2012
  ..                                  D        0  Sat Mar 24 15:07:32 2012
  disk838EA8C0.img                    A 268435456  Sat Mar 24 15:07:32 2012
  iStorageServer1.1.exe               A  1427321  Sat Mar 24 14:03:59 2012
  Web                                 D        0  Sat Dec 25 20:23:47 2010

                65406 blocks of size 16384. 31725 blocks available
smb: \> quit
Permission issues with multi-protocol access
This behaves like any other NAS:
· Windows clients only look at NTFS permissions and ignore the Unix mode bits.
· Linux clients need permission on both sides.
For multi-protocol access on common NAS products, see "NetApp Data ONTAP 8.2 7-Mode multi-protocol access (NFS and CIFS shares) configuration" and "Isilon OneFS multi-protocol data access control".
1. Mounting a Windows share as root
[root@server1 WinData]# mount -t cifs //domain-server/ShareToDesktop /mnt/WinData -o username=zhouwen
Password:
[root@server1 pam.d]# ls -ld /mnt/WinData/
drwxr-xr-x 1 root root 0 Mar 24  2012 /mnt/WinData/
[root@server1 pam.d]# touch /mnt/WinData/root_file
touch: cannot touch `/mnt/WinData/root_file': Permission denied
Even root has no permission, because root is not mapped to a Windows user and its permissions. For now we grant Everyone full control on the Windows side, and root can then write files.
Yet on Windows the owner of the file root just created is the domain user. Why? I have not studied it closely, but I believe it is because we specified the domain user when mounting.
The sessions listed on the Windows share also confirm that Linux connected as the domain user zhouwen:
2. Accessing the Windows share as a domain user
No matter what permissions I granted, the domain user had no write permission on the Linux side.
With Everyone given full control on Windows and everyone given full control on Linux, after mounting as root the mode automatically becomes 755, so only root can write. And even root cannot change the permissions of the mount root, strangely.
[root@server1 WinData]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),10001(BUILTIN+users),10000513(domain users)
[root@server1 zhouwen]# ll /mnt
drwxrwxrwx 2 root root 4096 Oct 10 13:37 WinData
[root@server1 zhouwen]# mount -t cifs //domain-server/ShareToDesktop /mnt/WinData -o username=zhouwen
Password:
[root@server1 zhouwen]# ll /mnt
drwxr-xr-x 1 root root 0 Oct 10 15:00 WinData
[root@server1 mnt]# chmod 777 /mnt/WinData/
chmod: changing permissions of `/mnt/WinData/': Permission denied
[zhouwen@server1 ~]$ id
uid=10001122(zhouwen) gid=10000513(domain users) groups=10000513(domain users),10001(BUILTIN+users),10001145(isilonsysadmin),10001149(netappsysadmin)
[zhouwen@server1 ~]$ ll /mnt/WinData/
total 0
-rwxr-xr-x 1 root root 0 Oct 10 14:40 root_file
-rwxr-xr-x 1 root root 0 Oct 10 15:00 root_file2
-rwxr-xr-x 1 root root 0 Oct 10 15:09 root_file3
[zhouwen@server1 ~]$ touch /mnt/WinData/zhouwen_file
touch: cannot touch `/mnt/WinData/zhouwen_file': Permission denied
If we create a directory as the domain user zhouwen on the Windows side, Linux shows its owner as root. Trying to change the owner to zhouwen gives no error but has no effect.
[root@server1 WinZhou]# ls -l
total 0
-rwxr-xr-x 1 root root 0 Oct 10 14:40 root_file
-rwxr-xr-x 1 root root 0 Oct 10 15:00 root_file2
-rwxr-xr-x 1 root root 0 Oct 10 15:09 root_file3
drwxr-xr-x 0 root root 0 Oct 10 15:18 zhouwen_windows
-rwxr-xr-x 1 root root 0 Oct 10 15:20 zhouwen_windows.txt
It looks like Samba's user mapping is the problem. Files the domain user creates locally are fine and show the correct user name and UID/GID.
After some research I found "Mounting windows share in linux and accessing those shares through SFTP configured in Linux" and "mounting windows shares on linux while keeping windows permissions",
which describe exactly my situation: when Linux mounts a file system served from Windows, there is no way to show its ownership and permissions, because the file system formats differ. The other way round, Windows accessing a share served by Samba, does work.
[root@server1 mnt]# mount -t cifs -o zhouwen,dir_mode=0777,uid=10001122 //domain-server/ShareToDesktop /mnt/WinData/
Password:
[root@server1 mnt]# ll
drwxrwxrwx 1 zhouwen root 0 Oct 10 16:11 WinData
[zhouwen@server1 WinData]$ touch zhouwen_linux_file2
[zhouwen@server1 WinData]$ ll
total 0
drwxrwxrwx 1 zhouwen root 0 Oct 10 15:40 zhouwen_linux_dir1
-rwxr-xr-x 1 zhouwen root 0 Oct 10 15:39 zhouwen_linux_file1
-rwxr-xr-x 1 zhouwen root 0 Oct 10 16:49 zhouwen_linux_file2
Commercial NAS products can do this because they provide the file system themselves; see "NetApp Data ONTAP 8.2 7-Mode multi-protocol access (NFS and CIFS shares) configuration" and "Isilon OneFS multi-protocol data access control".
Accessing a Samba share from Windows
We have already integrated Linux into the Windows domain; now we access the Samba share from Windows as a domain user.
First, the owner information is mapped correctly on the Linux side. As for permissions, changes I make on Windows are reflected immediately on Linux, but the Windows side does not show the changes, strangely.
Summary
That concludes all the tests. For the other approaches, see "Integrating Red Hat Enterprise Linux 6 with Active Directory". One regret is that the users and permissions of a Windows share cannot be viewed correctly on the Linux side. When I have time I will look into a commercial solution.
References
1. NetApp Data ONTAP 8.2 7-Mode 多协议访问(NFS和CIFS共享) 配置
2. Mounting windows share in linux and accessing those shares through SFTP configured in Linux
3. 使用 Active Directory 对 Linux 客户端进行身份验证
4. Integrating Red Hat Enterprise Linux 6 with Active Directory
5. Linux 身份验证策略
This article is from the blog "坚持就是胜利"; please contact the author before reposting!
Original URL: http://lilinji.blog.51cto.com/5441000/1586055