Net ads join: differences between versions
Version of 09:44, 21 February 2019
# mcedit /etc/sysconfig/selinux
SELINUX=disabled
# setenforce 0
# systemctl stop firewalld
# systemctl disable firewalld
Input data:
- xs.local: domain name
- 10.1.3.4: IP address of the domain controller
- xs-winsrv.xs.local: fully qualified name of the domain controller
- xs-design: name of the CentOS server being joined to the domain
- admin51: domain administrator account
hostnamectl set-hostname <computer name.domain>
- yum install chrony
mcedit /etc/chrony.conf
server xs-winsrv.xs.local iburst
# yum install samba-winbind samba-winbind-clients samba pam_krb5 krb5-workstation chrony
# authconfig --enablekrb5 --krb5kdc=xs-winsrv.xs.local --krb5adminserver=xs-winsrv.xs.local --krb5realm=XS.LOCAL --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=XS.LOCAL --smbservers=xs-winsrv.xs.local --smbworkgroup=XS --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablemkhomedir --enablewinbindusedefaultdomain --update
# net ads join -U admin51
# mcedit /etc/samba/smb.conf
[global]
    workgroup = XS
    password server = xs-winsrv.xs.local
    realm = XS.LOCAL
    security = ads
    idmap config * : range = 16777216-33554431
    template homedir = /home/%U
    template shell = /bin/bash
    kerberos method = secrets only
    winbind use default domain = true
    winbind offline logon = true

    passdb backend = tdbsam

    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

    domain master = no
    local master = no
    preferred master = no
    os level = 1

    log level = 3
    log file = /var/log/samba/log.%m
# systemctl start winbind
# systemctl start smb.service
# systemctl enable winbind
# systemctl enable smb.service
Now run a few checks to make sure that everything is in order, winbind is working, and Samba will receive up-to-date information about domain users and groups.
- wbinfo -t
checking the trust secret for domain XS via RPC calls succeeded
- wbinfo -u
- wbinfo -g
Thanks to the author of the article:
https://serveradmin.ru/nastroyka-samba-s-integratsiey-v-ad/
Offline auth with winbind
In order to enable offline authentication, configure Samba to use winbind in nsswitch and for PAM (see "Authenticating Domain Users Using PAM").
Then make sure smb.conf contains:
"winbind offline logon = yes"
Then add "cached_login = yes" to /etc/security/pam_winbind.conf. That file should look like this:
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
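A quick way to confirm that both halves of the offline-logon setup described above are actually in place, written here as an added example (it is not part of the original article or of Samba). It reads the [global] section of smb.conf and pam_winbind.conf the way Samba does (key names compared without regard to case or whitespace, any of yes/true/1/on counted as "on"), also checks the "security = ads" line the join depends on, and ignores a "cached_login" that is only present as a comment. File paths default to the ones named on this page; the sample files at the bottom are constructed so the script runs on a machine that is not a domain member.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the two settings
# the section above requires for offline logon are actually in place.
# File paths default to the ones named on the page; the sample files at the
# bottom are constructed here so the script runs without a real domain member.

# Print the value of key $2 from the [global] section of ini-style file $1,
# lower-cased and trimmed. Prints nothing if the key is absent, commented out,
# or only set in another section. Samba matches keys ignoring case and
# whitespace, so "Winbind Offline Logon" and "winbindofflinelogon" are equal.
global_value() {
    key=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -v want="$key" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, eq + 1));   gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) { print v; exit }
        }' "$1"
}

# True when key $2 of file $1 carries one of the spellings Samba reads as "on"
# (yes, true, 1, on); the page uses "yes" in one place and "true" in another.
global_bool_on() {
    case "$(global_value "$1" "$2")" in
        yes|true|1|on) return 0 ;;
        *)             return 1 ;;
    esac
}

# Check smb.conf ($1) and pam_winbind.conf ($2) for the offline-logon settings
# plus the "security = ads" line the join itself depends on. Returns 0 only when
# all three are present; prints one line per setting either way.
check_offline_auth() {
    smb=${1:-/etc/samba/smb.conf}
    pam=${2:-/etc/security/pam_winbind.conf}
    rc=0
    if [ "$(global_value "$smb" security)" = ads ]; then
        echo "ok:      $smb: security = ads"
    else
        echo "missing: $smb: security = ads"; rc=1
    fi
    if global_bool_on "$smb" "winbind offline logon"; then
        echo "ok:      $smb: winbind offline logon"
    else
        echo "missing: $smb: winbind offline logon = yes (in [global])"; rc=1
    fi
    if global_bool_on "$pam" cached_login; then
        echo "ok:      $pam: cached_login"
    else
        echo "missing: $pam: cached_login = yes (in [global], not commented out)"; rc=1
    fi
    return $rc
}

# Constructed sample files: smb.conf as on this page, and a pam_winbind.conf
# where cached_login is still commented out, so the check reports it.
demo=$(mktemp -d)
cat > "$demo/smb.conf" <<'EOF'
[global]
    workgroup = XS
    realm = XS.LOCAL
    security = ads
    winbind offline logon = true
EOF
cat > "$demo/pam_winbind.conf" <<'EOF'
#
# pam_winbind configuration file
#
[global]
# cached_login = yes
EOF
check_offline_auth "$demo/smb.conf" "$demo/pam_winbind.conf" \
    || echo "offline logon is not fully configured"
rm -rf "$demo"
```

On a real host run `check_offline_auth` with no arguments as root after editing both files; a non-zero exit means at least one setting is missing, and the "missing:" lines say which. Note that the check only proves the configuration is present; whether credentials are actually cached is still decided by winbind at the first successful online logon.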