Client Linux AD » Historique » Version 2
Laurent Flori, 20/11/2019 11:26
| 1 | 1 | Laurent Flori | h1. Client Linux AD |
|---|---|---|---|
| 2 | 2 | Laurent Flori | |
| 3 | 1 | Laurent Flori | h3. Install required packages |
| 4 | 1 | Laurent Flori | |
| 5 | 1 | Laurent Flori | <pre>apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind</pre> |
| 6 | 1 | Laurent Flori | === Reconfigure krb5-config === |
| 7 | 1 | Laurent Flori | |
| 8 | 1 | Laurent Flori | <pre>dpkg-reconfigure krb5-config</pre> |
| 9 | 1 | Laurent Flori | Answer with the REALM (in case of etb1: ''DOMPEDAGO.ETB1.LAN'') |
| 10 | 1 | Laurent Flori | |
| 11 | 1 | Laurent Flori | h3. Test kerberos server |
| 12 | 1 | Laurent Flori | |
| 13 | 1 | Laurent Flori | <pre>~# kinit admin (password: eole) |
| 14 | 1 | Laurent Flori | ~# klist |
| 15 | 1 | Laurent Flori | Ticket cache: FILE:/tmp/krb5cc_0 |
| 16 | 1 | Laurent Flori | Default principal: admin@DOMPEDAGO.ETB1.LAN |
| 17 | 1 | Laurent Flori | |
| 18 | 1 | Laurent Flori | Valid starting Expires Service principal |
| 19 | 1 | Laurent Flori | 20/11/2019 09:33:22 20/11/2019 19:33:22 krbtgt/DOMPEDAGO.ETB1.LAN@DOMPEDAGO.ETB1.LAN |
| 20 | 1 | Laurent Flori | renew until 21/11/2019 09:33:20</pre> |
| 21 | 1 | Laurent Flori | |
| 22 | 1 | Laurent Flori | h3. Configure samba |
| 23 | 1 | Laurent Flori | |
| 24 | 1 | Laurent Flori | <pre> mv /etc/samba/smb.conf /etc/samba/smb.conf.initial |
| 25 | 1 | Laurent Flori | cat > /etc/samba/smb.conf << EOF |
| 26 | 1 | Laurent Flori | [global] |
| 27 | 1 | Laurent Flori | workgroup = DOMPEDAGO |
| 28 | 1 | Laurent Flori | realm = DOMPEDAGO.ETB1.LAN |
| 29 | 1 | Laurent Flori | netbios name = ubuntu |
| 30 | 1 | Laurent Flori | security = ADS |
| 31 | 1 | Laurent Flori | dns forwarder = 10.1.3.11 |
| 32 | 1 | Laurent Flori | |
| 33 | 1 | Laurent Flori | |
| 34 | 1 | Laurent Flori | idmap config *:range = 2000-2999 |
| 35 | 1 | Laurent Flori | idmap config DOMPEDAGO:backend = rid |
| 36 | 1 | Laurent Flori | idmap config DOMPEDAGO:range = 10000-999999 |
| 37 | 1 | Laurent Flori | |
| 38 | 1 | Laurent Flori | template homedir = /home/adhomes/%U |
| 39 | 1 | Laurent Flori | template shell = /bin/bash |
| 40 | 1 | Laurent Flori | winbind use default domain = true |
| 41 | 1 | Laurent Flori | winbind offline logon = false |
| 42 | 1 | Laurent Flori | winbind nss info = rfc2307 |
| 43 | 1 | Laurent Flori | winbind enum users = yes |
| 44 | 1 | Laurent Flori | winbind enum groups = yes |
| 45 | 1 | Laurent Flori | |
| 46 | 1 | Laurent Flori | vfs objects = acl_xattr |
| 47 | 1 | Laurent Flori | map acl inherit = Yes |
| 48 | 1 | Laurent Flori | store dos attributes = Yes |
| 49 | 1 | Laurent Flori | EOF</pre> |
| 50 | 1 | Laurent Flori | |
| 51 | 1 | Laurent Flori | h3. Join samba domain |
| 52 | 1 | Laurent Flori | |
| 53 | 1 | Laurent Flori | <pre>net ads join -U admin |
| 54 | 1 | Laurent Flori | systemctl restart smbd nmbd winbind</pre> |
| 55 | 1 | Laurent Flori | |
| 56 | 1 | Laurent Flori | h3. Modify nsswitch configuration |
| 57 | 1 | Laurent Flori | |
| 58 | 1 | Laurent Flori | <pre>#/etc/nsswitch.conf |
| 59 | 1 | Laurent Flori | # /etc/nsswitch.conf |
| 60 | 1 | Laurent Flori | # |
| 61 | 1 | Laurent Flori | # Example configuration of GNU Name Service Switch functionality. |
| 62 | 1 | Laurent Flori | # If you have the `glibc-doc-reference' and `info' packages installed, try: |
| 63 | 1 | Laurent Flori | # `info libc "Name Service Switch"' for information about this file. |
| 64 | 1 | Laurent Flori | |
| 65 | 1 | Laurent Flori | passwd: compat winbind systemd ldap |
| 66 | 1 | Laurent Flori | group: compat winbind systemd ldap |
| 67 | 1 | Laurent Flori | shadow: compat ldap |
| 68 | 1 | Laurent Flori | gshadow: files |
| 69 | 1 | Laurent Flori | |
| 70 | 1 | Laurent Flori | hosts: files mdns4_minimal [NOTFOUND=return] dns |
| 71 | 1 | Laurent Flori | networks: files |
| 72 | 1 | Laurent Flori | |
| 73 | 1 | Laurent Flori | protocols: db files |
| 74 | 1 | Laurent Flori | services: db files |
| 75 | 1 | Laurent Flori | ethers: db files |
| 76 | 1 | Laurent Flori | rpc: db files |
| 77 | 1 | Laurent Flori | |
| 78 | 1 | Laurent Flori | netgroup: nis</pre> |
| 79 | 1 | Laurent Flori | |
| 80 | 1 | Laurent Flori | h3. Give it a try: |
| 81 | 1 | Laurent Flori | |
| 82 | 1 | Laurent Flori | <code>wbinfo -u</code> should return all local users along domain users <code>wbinfo -g</code> should return all local groups along domain groups |
| 83 | 1 | Laurent Flori | |
| 84 | 1 | Laurent Flori | h3. Modify pam configuration |
| 85 | 1 | Laurent Flori | |
| 86 | 1 | Laurent Flori | Activate winbind login with: |
| 87 | 1 | Laurent Flori | |
| 88 | 1 | Laurent Flori | <pre>pam-auth-update</pre> |
| 89 | 1 | Laurent Flori | Edit /etc/pam.d/common-password to replace winbind line with this one: |
| 90 | 1 | Laurent Flori | |
| 91 | 1 | Laurent Flori | <pre>... |
| 92 | 1 | Laurent Flori | password [success=1 default=ignore] pam_winbind.so try_first_pass |
| 93 | 1 | Laurent Flori | ...</pre> |
| 94 | 1 | Laurent Flori | If you want to activate homedir creation upon login add the following line at the end of /etc/pam.d/common-account: |
| 95 | 1 | Laurent Flori | |
| 96 | 1 | Laurent Flori | <pre>session required pam_mkhomedir.so skel=/etc/skel/ umask=0022</pre> |
| 97 | 1 | Laurent Flori | === Reboot and test === |
| 98 | 1 | Laurent Flori | |
| 99 | 1 | Laurent Flori | You should be able to log in with domains users (admin,prof.6a….) |
| 100 | 1 | Laurent Flori | |
| 101 | 1 | Laurent Flori | h3. Install libpam-mount |
| 102 | 1 | Laurent Flori | |
| 103 | 1 | Laurent Flori | **This part is not fully fonctionnal for now** |
| 104 | 1 | Laurent Flori | |
| 105 | 1 | Laurent Flori | <pre>apt-get install libpam-mount |
| 106 | 1 | Laurent Flori | cat > /etc/security/pam_mount.conf.xml << EOF |
| 107 | 1 | Laurent Flori | <?xml version="1.0" encoding="utf-8" ?> |
| 108 | 1 | Laurent Flori | <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> |
| 109 | 1 | Laurent Flori | <pam_mount> |
| 110 | 1 | Laurent Flori | <debug enable="0" /> |
| 111 | 1 | Laurent Flori | <volume user="*" fstype="cifs" server="10.1.3.11" path="%(DOMAIN_USER)" mountpoint="/home/adhomes/%(DOMAIN_USER)" options="sec=ntlmssp,nodev,nosuid,mfsymlinks,nobrl,vers=1.0" /> |
| 112 | 1 | Laurent Flori | <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" /> |
| 113 | 1 | Laurent Flori | <mntoptions require="nosuid,nodev" /> |
| 114 | 1 | Laurent Flori | <logout wait="0" hup="no" term="no" kill="no" /> |
| 115 | 1 | Laurent Flori | <mkmountpoint enable="1" remove="true" /> |
| 116 | 1 | Laurent Flori | </pam_mount> |
| 117 | 1 | Laurent Flori | EOF |
| 118 | 1 | Laurent Flori | |
| 119 | 1 | Laurent Flori | pam-auth-update |
| 120 | 1 | Laurent Flori | </pre> |