The goal is to use accounts that are centrally managed in Active Directory on a Linux server.

・Active Directory server OS: Windows Server 2008 R2 → FQDN is win2k8r2-ad01.kuitan.net
・Linux server OS: CentOS 6.2 (64-bit)
■Add the local host and the AD server to /etc/hosts

[root@centos62 ~]# vi /etc/hosts
[root@centos62 ~]# cat /etc/hosts
#
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1   centos62 localhost localhost.localdomain
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.xxx.125   win2k8r2-ad01.kuitan.net win2k8r2-ad01
[root@centos62 ~]#
■Configure resolv.conf

[root@centos62 ~]# vi /etc/resolv.conf
[root@centos62 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
search kuitan.net
nameserver 192.168.xxx.125
[root@centos62 ~]#
⇒ These settings are wiped whenever the network service is restarted (NetworkManager regenerates the file), so put them in ifcfg-eth0 instead.

[root@centos62 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
[root@centos62 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NM_CONTROLLED="yes"
ONBOOT=yes
HWADDR=00:0C:29:xx:xx:xx
TYPE=Ethernet
BOOTPROTO=none
IPADDR=192.168.xxx.143
PREFIX=24
GATEWAY=192.168.xxx.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
UUID=5xxx6bd0-0ba0-7ffb-4xx1-d6xxxxxf3203
DOMAIN=kuitan.net
DNS1=192.168.xxx.125
[root@centos62 ~]#
[root@centos62 ~]# /etc/init.d/network restart
インターフェース eth0 を終了中:  デバイスの状態: 3 (切断済み)          [  OK  ]
ループバックインターフェースを終了中                                   [  OK  ]
ループバックインターフェイスを呼び込み中                               [  OK  ]
インターフェース eth0 を活性化中:  アクティブ接続の状態: アクティベート済み
アクティブ接続のパス: /org/freedesktop/NetworkManager/ActiveConnection/3
                                                                       [  OK  ]
[root@centos62 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search kuitan.net
nameserver 192.168.xxx.125
[root@centos62 ~]#
■Check that the Samba packages Winbind needs are installed (samba-client and samba-common are required)

[root@centos62 ~]# rpm -qa | grep samba
samba-winbind-clients-3.5.10-114.el6.x86_64
samba-3.5.10-114.el6.x86_64
samba4-libs-4.0.0-23.alpha11.el6.x86_64
samba-common-3.5.10-114.el6.x86_64
samba-client-3.5.10-114.el6.x86_64
[root@centos62 ~]#
■If Winbind is not present, install it first (from the CentOS 6.2 installation media)

[root@centos62 ~]# rpm -ivh /media/CentOS_6.2_Final/Packages/samba-winbind-3.5.10-114.el6.x86_64.rpm
警告: /media/CentOS_6.2_Final/Packages/samba-winbind-3.5.10-114.el6.x86_64.rpm: ヘッダ V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
準備中...                ################################# [100%]
   1:samba-winbind          ################################# [100%]
[root@centos62 ~]# rpm -qa | grep winbind
samba-winbind-clients-3.5.10-114.el6.x86_64
samba-winbind-3.5.10-114.el6.x86_64
[root@centos62 ~]#

※ Installing this also makes the ntlm_auth command available.
※ The NOKEY warning means rpm could not verify the package signature because the CentOS 6 signing key (key ID c105b9de) has not been imported; import it first (rpm --import of the RPM-GPG-KEY-CentOS-6 file on the installation media) so that the signature check actually runs.
■Configure smb.conf (add the following to the [global] section)

[root@centos62 ~]# cd /etc/samba
[root@centos62 samba]# ll
合計 20
-rw-r--r--. 1 root root   20 12月  8 09:15 2011 lmhosts
-rw-r--r--. 1 root root 9778 12月  8 09:15 2011 smb.conf
-rw-r--r--. 1 root root   97 12月  8 09:15 2011 smbusers
[root@centos62 samba]# cp -p smb.conf smb.conf.20111208
[root@centos62 samba]# vi smb.conf

Starting around line 245:
# ---- Settings for Winbind ----
        security = ads
        workgroup = KUITAN
        realm = KUITAN.NET
        password server = win2k8r2-ad01.kuitan.net
        encrypt passwords = true
        idmap uid = 10000-25000
        idmap gid = 10000-20000
        winbind use default domain = yes
        winbind cache time = 90
#       winbind nested groups = yes
#       template shell = /bin/bash
#       template homedir = /home/%U

Note that with template shell and template homedir left commented out, Samba's defaults apply (template shell defaults to /bin/false), so domain users resolve through id and wbinfo but do not get an interactive login until those two lines are enabled.
■Configure nsswitch.conf

[root@rails01 ~]# cp -p /etc/nsswitch.conf /etc/nsswitch.conf.20040923
[root@rails01 ~]# vi /etc/nsswitch.conf

Edit around line 33:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
■Configure krb5.conf

[root@centos62 ~]# cp -p /etc/krb5.conf /etc/krb5.conf.20100218
[root@centos62 ~]# vi /etc/krb5.conf
[root@centos62 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = KUITAN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 KUITAN.NET = {
  kdc = win2k8r2-ad01.kuitan.net
  admin_server = win2k8r2-ad01.kuitan.net
 }

[domain_realm]
 .kuitan.net = KUITAN.NET
 kuitan.net = KUITAN.NET
[root@centos62 ~]#
⇒ Using vi's string substitution as below makes this quick. Run the three commands in this order: the third pattern also matches inside kerberos.example.com, so it must come after the second.

:%s/EXAMPLE.COM/KUITAN.NET/g
:%s/kerberos.example.com/win2k8r2-ad01.kuitan.net/g
:%s/example.com/kuitan.net/g
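Before starting the services it is worth checking that the three files above agree with each other. The script below is an added example written for this page, not part of the original article or of Samba; the function names (conf_value, idmap_range, local_ids_in_range, check_winbind_config, make_sample_dir) and the sample files it builds in a temporary directory are assumptions made for the example. It checks that no local account in passwd or group already owns an ID inside the idmap uid/gid ranges (Winbind allocates domain users' IDs from those ranges, so an overlap makes a domain account and a local account the same owner on disk) and that the realm in smb.conf matches default_realm in krb5.conf.

```shell
#!/bin/sh
# Added example for this page (not from the original article or from Samba):
# sanity-check the Winbind configuration above before running `net ads join`.
#  1. No ID that already exists in the local passwd/group files may fall inside
#     the idmap uid/gid ranges: Winbind allocates domain users' IDs from those
#     ranges, so an overlap gives a domain account and a local account the same
#     uid, i.e. the same file ownership and permissions.
#  2. The realm in smb.conf must match default_realm in krb5.conf.
# All inputs are constructed sample files written to a temp directory; on a
# real host pass /etc/samba/smb.conf, /etc/krb5.conf, /etc/passwd, /etc/group.

# Print the value of "key = value" from an ini-style file, upper-cased and
# with surrounding whitespace removed; commented-out lines are ignored.
conf_value() {  # $1 = file, $2 = key (may contain spaces, e.g. "idmap uid")
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print toupper($0); exit
        }' "$1"
}

# Print "<low> <high>" for "idmap uid" or "idmap gid".
idmap_range() {  # $1 = smb.conf, $2 = uid | gid
    conf_value "$1" "idmap $2" | tr '-' ' '
}

# Print account names whose numeric ID (field 3) lies inside [low, high].
local_ids_in_range() {  # $1 = passwd- or group-format file, $2 = low, $3 = high
    awk -F: -v lo="$2" -v hi="$3" '$3+0 >= lo+0 && $3+0 <= hi+0 { print $1 }' "$1"
}

# Run both checks; return 0 when consistent, 1 after printing each problem.
check_winbind_config() {  # $1 = smb.conf, $2 = krb5.conf, $3 = passwd, $4 = group
    smb=$1; krb=$2; pw=$3; gr=$4; rc=0
    for kind in uid gid; do
        case $kind in uid) file=$pw ;; gid) file=$gr ;; esac
        set -- $(idmap_range "$smb" "$kind")
        if [ -z "$2" ]; then
            echo "idmap $kind is not set in $smb"; rc=1; continue
        fi
        for name in $(local_ids_in_range "$file" "$1" "$2"); do
            echo "$kind collision: local '$name' is inside idmap $kind $1-$2"; rc=1
        done
    done
    s=$(conf_value "$smb" realm); k=$(conf_value "$krb" default_realm)
    if [ -z "$s" ] || [ "$s" != "$k" ]; then
        echo "realm mismatch: smb.conf realm='$s', krb5.conf default_realm='$k'"; rc=1
    fi
    return $rc
}

# Build constructed sample files in a new temp directory and print its path.
# The local service account "svcbackup" (uid/gid 10005) sits inside the range.
make_sample_dir() {
    d=$(mktemp -d)
    cat >"$d/smb.conf" <<'EOF'
[global]
        security = ads
        workgroup = KUITAN
        realm = KUITAN.NET
        idmap uid = 10000-25000
        idmap gid = 10000-20000
        winbind use default domain = yes
#       template shell = /bin/bash
EOF
    cat >"$d/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = KUITAN.NET
 dns_lookup_realm = false
EOF
    cat >"$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localadmin:x:500:500::/home/localadmin:/bin/bash
svcbackup:x:10005:10005::/var/lib/backup:/sbin/nologin
EOF
    cat >"$d/group" <<'EOF'
root:x:0:
localadmin:x:500:
svcbackup:x:10005:
EOF
    echo "$d"
}

dir=$(make_sample_dir)
if check_winbind_config "$dir/smb.conf" "$dir/krb5.conf" "$dir/passwd" "$dir/group"; then
    echo "configuration is consistent"
else
    echo "fix the problems above before 'net ads join'"   # the sample data ends up here
fi
rm -rf "$dir"
```

On the constructed sample the script reports a uid and a gid collision for svcbackup; either move the local account out of the range or shrink the idmap ranges so they start above every local ID, then re-run until it reports a consistent configuration.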
■Start smb and winbind

[root@centos62 ~]# /etc/init.d/smb start
SMB サービスを起動中:                                          [  OK  ]
[root@centos62 ~]# /etc/init.d/winbind start
Winbind サービスを起動中:                                      [  OK  ]
[root@centos62 ~]#
■Join the Windows domain

[root@centos62 ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- KUITAN
Joined 'CENTOS62' to realm 'kuitan.net'
[2012/01/29 01:52:23.073504,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password CENTOS62$@KUITAN.NET failed: Clock skew too great
No DNS domain configured for centos62. Unable to perform DNS Update.
DNS update failed!
[root@centos62 ~]#

⇒ The clock difference between the two hosts is too large, so the Kerberos step fails and the join does not complete.
⇒ Synchronize the clock with the AD server. This is a one-off correction; to keep the clock within Kerberos tolerance permanently, run ntpd against the domain controller.

[root@centos62 ~]# net time set -I win2k8r2-ad01.kuitan.net
2012年  1月 29日 日曜日 01:42:17 JST
[root@centos62 ~]#
⇒ Run the join again after synchronizing the clock

[root@centos62 ~]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- KUITAN
Joined 'CENTOS62' to realm 'kuitan.net'
No DNS domain configured for centos62. Unable to perform DNS Update.
DNS update failed!
[root@centos62 ~]#
⇒ Verify the join

[root@centos62 ~]# net ads info
LDAP server: 192.168.xxx.125
LDAP server name: win2k8r2-ad01.kuitan.net
Realm: KUITAN.NET
Bind Path: dc=KUITAN,dc=NET
LDAP port: 389
Server time: 日, 29  1月 2012 01:45:45 JST
KDC server: 192.168.xxx.125
Server time offset: 1
[root@centos62 ~]# net ads testjoin
Join is OK
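The join step above can fail for a reason that has nothing to do with credentials: Kerberos rejects a request whose timestamp is further from the KDC's clock than the libdefaults clockskew (300 seconds by default), which is exactly the "Clock skew too great" error on the first attempt. The script below is an added example for this page, not part of the article or of Samba; server_time_offset, skew_ok, classify_join_output, MAX_SKEW and the sample_* functions are names chosen here, and the net ads info / net ads join text they parse is constructed to mirror the output shown above. It reads the "Server time offset" line from net ads info to decide whether a join is safe to attempt, and classifies saved join output into a clock-skew failure, a successful join, or a successful join that only failed to register its DNS record (the warning the article's join also prints; net ads testjoin still reports OK).

```shell
#!/bin/sh
# Added example for this page (not from the original article or from Samba):
# two checks around the `net ads join` step shown above.
#  - Kerberos rejects a request whose timestamp differs from the KDC's clock by
#    more than the libdefaults "clockskew" (300 s by default); that is the
#    "Clock skew too great" failure on the first join attempt. The offset is
#    read from the "Server time offset" line of `net ads info`.
#  - Saved `net ads join` output is classified, so a script can tell a skew
#    failure from a successful join that only failed to register its DNS record.
# The sample outputs below are constructed to mirror the article's.

MAX_SKEW=300   # seconds; MIT Kerberos default clockskew

# Print the "Server time offset" value (seconds) from `net ads info` on stdin.
server_time_offset() {
    awk -F': *' '$1 == "Server time offset" { print $2; exit }'
}

# Succeed when the absolute offset is below MAX_SKEW, fail otherwise.
skew_ok() {  # $1 = offset in seconds, may be negative
    off=${1#-}                    # absolute value: drop a leading minus sign
    [ "$off" -lt "$MAX_SKEW" ]
}

# Classify `net ads join` output on stdin. Prints "clock-skew", "joined" or
# "unknown", followed by " dns-update-failed" when the dynamic DNS
# registration of the host failed (the join itself still completes).
classify_join_output() {
    awk '
        /Clock skew too great/ { skew = 1 }
        /^Joined /             { joined = 1 }
        /DNS update failed/    { dns = 1 }
        END {
            if (skew)        r = "clock-skew"
            else if (joined) r = "joined"
            else             r = "unknown"
            if (dns) r = r " dns-update-failed"
            print r
        }'
}

# Constructed sample outputs (values as in the article, English date format).
sample_ads_info() {
    cat <<'EOF'
LDAP server: 192.168.xxx.125
LDAP server name: win2k8r2-ad01.kuitan.net
Realm: KUITAN.NET
Bind Path: dc=KUITAN,dc=NET
LDAP port: 389
Server time: Sun, 29 Jan 2012 01:45:45 JST
KDC server: 192.168.xxx.125
Server time offset: 1
EOF
}
sample_join_skew() {
    cat <<'EOF'
Using short domain name -- KUITAN
Joined 'CENTOS62' to realm 'kuitan.net'
  kerberos_kinit_password CENTOS62$@KUITAN.NET failed: Clock skew too great
No DNS domain configured for centos62. Unable to perform DNS Update.
DNS update failed!
EOF
}
sample_join_ok() {
    cat <<'EOF'
Using short domain name -- KUITAN
Joined 'CENTOS62' to realm 'kuitan.net'
No DNS domain configured for centos62. Unable to perform DNS Update.
DNS update failed!
EOF
}

off=$(sample_ads_info | server_time_offset)
if skew_ok "$off"; then
    echo "offset ${off}s is within ${MAX_SKEW}s: safe to run net ads join"
else
    echo "offset ${off}s exceeds ${MAX_SKEW}s: run 'net time set -I <dc>' (or fix NTP) first"
fi
sample_join_skew | classify_join_output   # clock-skew dns-update-failed
sample_join_ok   | classify_join_output   # joined dns-update-failed
```

On a real host feed the script live output instead of the samples, for example `net ads info | server_time_offset` before the join and `net ads join -U administrator 2>&1 | tee join.log` followed by `classify_join_output < join.log`; a "clock-skew" result means fix the time and retry, while "joined dns-update-failed" means the join worked and only the host's DNS record needs to be created by other means.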
⇒ List the users and groups in AD

[root@centos62 ~]# wbinfo -u
administrator
guest
krbtgt
aduser01
aduser02
[root@centos62 ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
[root@centos62 ~]#
[root@centos62 ~]# id aduser01
uid=10000(aduser01) gid=10000(domain users) 所属グループ=10000(domain users)
[root@centos62 ~]# ntlm_auth --username=KUITAN\\aduser02
password:
NT_STATUS_OK: Success (0x0)
[root@centos62 ~]#
I hope this information is of use to someone. Your support for the sponsors would be appreciated. m(_ _)m