Linux AD Identity Unified Authentication (SSO)


http://www.toxingwang.com/linux-unix/linux-admin/584.html

Linux + samba-winbind + AD for unified authentication. Published April 27, 2013, under Linux management.

If you manage many Linux and Windows servers, keeping a separate local account on each one means remembering dozens or even hundreds of different user names and passwords, which is hard to do, and setting the same password everywhere gives up security altogether. When the network already has a domain controller, all users are in the Windows domain, and applications such as OA already authenticate against it, the AD domain can also verify logins to the Linux servers. The steps are as follows:

Environment:
Authentication server OS: Windows Server 2012 Core Edition
Authentication server IP: 192.168.18.210
DNS domain (search suffix): test.com

1. Modify the hostname, DNS and firewall policy:

A. Modify the hostname:

# vim /etc/sysconfig/network
## Give the host a name with the suffix test.com; hostnames must not be duplicated within the domain.

B. Modify DNS

# vim /etc/resolv.conf
## Change the contents to the following. The DC must be the resolver: Kerberos and winbind find the KDC and LDAP servers through the _kerberos and _ldap SRV records that AD publishes in its DNS zone.
search test.com
nameserver 192.168.18.210

C. Edit /etc/hosts and remove the entry that resolves the local computer name locally, so that the name is resolved through the DC.

D. Edit /etc/sysconfig/iptables and add two rules that allow all new TCP connections between this host and the DC:

-A OUTPUT -m state --state NEW -m tcp -p tcp -d 192.168.18.210 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.18.210 -j ACCEPT

These two rules cover TCP only. DNS (53), Kerberos (88), NTP (123) and LDAP (389) also use UDP, so if the chains drop traffic by default, add the same pair of rules with -p udp. Note that the INPUT rule opens every local service to the DC; narrow it to the ports you need if the DC does not have to reach this host.

Reboot the server for all changes to take effect.

2. Time synchronization

Kerberos rejects tickets when the client and KDC clocks differ by more than the allowed skew (5 minutes by default), so the clock must stay in sync with the DC.

A. Edit the scheduled tasks and add a time-synchronization job:

# vim /etc/crontab
## Add the following line to synchronize the time with the DC once per hour (XX is the minute of the hour at which to run; the name test.com resolves to the DC):
XX * * * * root /usr/sbin/ntpdate test.com; /usr/sbin/hwclock -w

B. Enable the crond service at boot and restart it now:

# chkconfig crond on
# service crond restart
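The preparation in steps 1 and 2, collected into a small shell script. This is an added example, not code from the original article: it emits the firewall rules with the UDP pair the article's rules lack, the resolv.conf content and the crontab line, and checks that the offset reported by `ntpdate -q` is inside the Kerberos clock-skew limit. The DC address and domain are the article's; the 300-second limit is Kerberos' default clockskew, and the function names are this example's own.

```shell
#!/bin/sh
# ad_prereqs.sh: helpers for steps 1 and 2. Added example, not code from the
# article; DC_IP and DOMAIN are the article's environment, the function
# names are this example's own.
DC_IP="${DC_IP:-192.168.18.210}"
DOMAIN="${DOMAIN:-test.com}"

# Stateful iptables rules for the DC. The article's pair covers TCP only;
# DNS (53), Kerberos (88), NTP (123) and LDAP (389) also use UDP, so a pair
# is emitted per protocol. Append the output to /etc/sysconfig/iptables
# before the final REJECT rules.
dc_iptables_rules() {
  dc="${1:-$DC_IP}"
  for proto in tcp udp; do
    echo "-A OUTPUT -m state --state NEW -p $proto -d $dc -j ACCEPT"
    echo "-A INPUT -m state --state NEW -p $proto -s $dc -j ACCEPT"
  done
}

# resolv.conf content. The DC has to be the resolver: Kerberos and winbind
# locate the KDC and LDAP servers via the _kerberos/_ldap SRV records that AD
# publishes in its own DNS zone.
resolv_conf() { printf 'search %s\nnameserver %s\n' "${1:-$DOMAIN}" "${2:-$DC_IP}"; }

# Hourly crontab line from step 2A, run at minute $1 (the article's XX).
ntp_cron_line() {
  printf '%s * * * * root /usr/sbin/ntpdate %s; /usr/sbin/hwclock -w\n' "${1:-0}" "${2:-$DOMAIN}"
}

# Kerberos rejects tickets when client and KDC clocks differ by more than
# the clockskew limit (300 s by default). skew_ok takes the output of
# "ntpdate -q <server>" and returns 0 when |offset| <= $2 seconds,
# 1 when it is larger, and 2 when no offset was reported (server unreachable).
skew_ok() {
  printf '%s\n' "$1" | awk -v max="${2:-300}" '
    { for (i = 1; i < NF; i++) if ($i == "offset") { off = $(i+1) + 0; seen = 1 } }
    END {
      if (!seen) exit 2
      if (off < 0) off = -off
      rc = (off <= max) ? 0 : 1
      exit rc
    }'
}

# "sh ad_prereqs.sh show" prints the generated fragments for review.
if [ "${1:-}" = "show" ]; then
  dc_iptables_rules; resolv_conf; ntp_cron_line 0
fi
```

Run `skew_ok "$(ntpdate -q 192.168.18.210)"` before the join: an offset over the limit shows up later as Kerberos "clock skew" failures in `net ads join` and `kinit`, which are much less obvious to diagnose.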

3. Install Samba and krb5:

A. Install the supporting packages:

# yum -y install pam_krb5* krb5-libs* krb5-workstation* krb5-devel* krb5-auth* samba samba-winbind* samba-client* samba-swat*

Only pam_krb5, krb5-workstation, samba-winbind and samba-client are needed for authentication. samba-swat is the web-based Samba administration tool; nothing below uses it, and it should be left out (or at least left disabled) on production servers.

B. Check that the krb5 components are all installed:

# rpm -qa | grep krb
pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-devel-1.9-33.el6_3.3.x86_64
krb5-auth-dialog-0.13-3.el6.x86_64
python-krbv-1.0.90-3.el6.x86_64
krb5-workstation-1.9-33.el6_3.3.x86_64

C. Check that the Samba components are all installed:

# rpm -qa | grep samba
samba-swat-3.5.10-125.el6.x86_64
samba-common-3.5.10-125.el6.x86_64
samba-winbind-clients-3.5.10-125.el6.x86_64
samba-3.5.10-125.el6.x86_64
samba-winbind-3.5.10-125.el6.x86_64
samba-client-3.5.10-125.el6.x86_64

D. Verify that smbd was built with LDAP, Kerberos, ADS and winbind support:

# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_ADD_RESULT_ENTRY
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SASL_WRAPPING
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS

# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_KRB5_LOCATE_PLUGIN_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_DECL_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE
HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER
...... (remaining lines omitted)

# smbd -b | grep ADS
WITH_ADS
WITH_ADS

# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND

The basic installation of Samba and krb5 is now complete; the next step is configuration.

4. Join the domain:

A. Start the related service and enable it at boot:

# service winbind start
# chkconfig winbind on

B. Run the setup configuration tool, choose "Authentication configuration", and select the following three items:

"Use Winbind"
"Use Kerberos"
"Use Winbind Authentication"

Click "Next" and fill in the Kerberos settings as follows:

Realm: test.com
KDC: dc-01.test.com
Admin Server: dc-01.test.com
## and tick the two options below them (use DNS to resolve hosts to realms, and use DNS to locate KDCs for realms).
## Kerberos realm names are case-sensitive and AD realms are uppercase (TEST.COM). Samba uppercases the realm itself, but if kinit later complains that it cannot find the realm, enter the uppercase form here.

Click "Next" again and select or fill in the Winbind settings as follows:

Security Model: ads
Domain: TEST ## note: uppercase (the short NetBIOS domain name)
Domain Controllers: dc-01.test.com
ADS Realm: test.com
Template Shell: /bin/bash

Click "Join Domain". A prompt asks whether to save the settings; choose "Yes". A dialog then asks for the domain administrator account and password; enter them as prompted. (The join itself only needs an account that is allowed to create computer objects in the target OU; a delegated join account is preferable to Administrator.)
When it finishes, exit "setup" and check that no error such as the following was printed:

"net_update_dns_internal: Failed to connect with our DC!"

If the output looks like the following, the join succeeded:

[/usr/bin/net join -w TEST -S dc-01.test.com -U Administrator]
Enter Administrator's password: <...>
Using short domain name -- TEST
Joined 'PAYSERVER02' to dns domain 'test.com'
Starting Winbind services: [ OK ]
Starting oddjobd: [ OK ]

C. Test that winbind can read information from the domain controller:

# wbinfo -t ## test the RPC trust relationship; "succeeded" means the machine account password is accepted by the DC
checking the trust secret for domain TEST via RPC calls succeeded

# wbinfo -u ## list the domain users
TEST\guest
TEST\administrator
TEST\krbtgt
TEST\barlowliu
...... (remaining lines omitted)

## If the output looks like this, reading from the domain works.

# wbinfo -g ## list the domain groups
TEST\domain computers
TEST\cert publishers
TEST\domain users
TEST\domain guests
TEST\ras and ias servers
TEST\domain admins
TEST\schema admins
TEST\enterprise admins
...... (remaining lines omitted)

If you can see the users and groups of the domain after running the two commands above, everything is fine. If the following is printed instead, winbind has not finished synchronizing with the domain controller:

Error looking up domain users ## wait a moment and test again

Test the NTLM component:

# ntlm_auth --username=administrator
Password: ## enter the user's password
NT_STATUS_OK: Success (0x0)

Verify the join from the DC's side:

# net ads testjoin
Join is OK
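The join from step 4B and the checks from step 4C as a non-interactive script. This is an added example, not code from the original article or from Samba: it runs the same `net ads join`, `wbinfo -t`, `wbinfo -u`, `wbinfo -g` and `net ads testjoin` commands the setup tool and step 4C use, and turns the "Error looking up domain users" case into a retry loop instead of a manual wait. WBINFO and NET name the tools to run and can be overridden (which is how the checks are exercised with stubs); dc-01.test.com is the article's DC.

```shell
#!/bin/sh
# verify_join.sh: the join from step 4B and the checks from step 4C as a
# script. Added example, not code from the article or from Samba. WBINFO and
# NET name the tools to run (overridable so the checks can be exercised with
# stubs); dc-01.test.com is the article's DC.
WBINFO="${WBINFO:-wbinfo}"
NET="${NET:-net}"
DC="${DC:-dc-01.test.com}"

# Non-interactive equivalent of what the setup tool runs. Any account that
# may create computer objects in the target OU will do; the password is
# prompted for, so it stays out of the shell history and the process list.
join_domain() { "$NET" ads join -S "$DC" -U "${1:-Administrator}"; }

# wbinfo -t checks the machine account password stored in secrets.tdb
# against the DC over RPC; failure means the join is broken.
trust_ok() { "$WBINFO" -t >/dev/null 2>&1; }

# Number of DOMAIN\name entries winbind enumerates for -u (users) or
# -g (groups); 0 is the "Error looking up domain users" state.
count_entries() { "$WBINFO" "$1" 2>/dev/null | grep -c '\\' || true; }

# Poll until winbind enumerates users: $1 attempts, $2 seconds apart.
wait_for_winbind() {
  tries="${1:-6}" delay="${2:-5}"
  while [ "$tries" -gt 0 ]; do
    [ "$(count_entries -u)" -gt 0 ] && return 0
    tries=$((tries - 1)); sleep "$delay"
  done
  return 1
}

# Trust secret, enumeration and the DC's own view of the join ("net ads
# testjoin" prints "Join is OK"). Returns 0 only if all three pass.
verify_join() {
  rc=0
  if trust_ok; then echo "trust secret: OK"; else echo "trust secret: FAILED"; rc=1; fi
  u=$(count_entries -u); g=$(count_entries -g)
  echo "domain users: $u, domain groups: $g"
  if [ "$u" -gt 0 ] && [ "$g" -gt 0 ]; then :; else
    echo "enumeration: FAILED (winbind not synced with the DC yet?)"; rc=1
  fi
  if "$NET" ads testjoin 2>&1 | grep -q '^Join is OK'; then
    echo "net ads testjoin: OK"
  else
    echo "net ads testjoin: FAILED"; rc=1
  fi
  return $rc
}

case "${1:-}" in
  join)   join_domain "${2:-Administrator}" ;;
  verify) wait_for_winbind 6 5 || echo "winbind still not enumerating users"
          verify_join ;;
esac
```

`sh verify_join.sh join` performs the join and `sh verify_join.sh verify` runs the checks; a non-zero exit from verify is the signal to stop before the PAM changes in step 5, since a server whose trust secret is broken will reject every domain login.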

D. Log in with a domain account
You can now log in to the Linux server with a domain user, but the login looks like this:

Could not chdir to home directory /home/test/barlowliu: No such file or directory
-bash-4.1$

## The user's home directory was not created automatically; the fix follows.

5. Fix the missing home directory for domain users after login:

A. Create the parent directory for the domain users' home directories:

# mkdir /home/test
# chmod 0755 /home/test
## pam_mkhomedir runs as root during the PAM session phase, so the parent directory does not need to be world-writable; 1777 would only let any local user create directories under it.

B. Edit /etc/samba/smb.conf and add the following line to the [global] section:

template homedir = /home/%D/%U
## The substitution letters are case-sensitive: %D is the user's domain and %U the user name (this pattern produced /home/test/barlowliu in the error above; lowercase %d is the server process ID).
## Change the following line so that no domain name has to be entered at login:
winbind use default domain = true
## With this on, a bare name such as barlowliu resolves to the domain account; keep "files" before "winbind" in /etc/nsswitch.conf so that local accounts such as root are always resolved locally first.

C. Edit /etc/pam.d/system-auth and add the following line:

session required pam_mkhomedir.so skel=/etc/skel umask=0077

D. Add the same line to /etc/pam.d/sshd:

session required pam_mkhomedir.so skel=/etc/skel umask=0077

On RHEL/CentOS 6, system-auth is a symlink to system-auth-ac, which authconfig regenerates; running "authconfig --enablemkhomedir --update" adds the same pam_mkhomedir line in a way that survives later authconfig runs.

After this you can log in with a domain account. To meet security requirements you also need to configure, on each server, which domain users or groups are allowed to log in over SSH and which may use su and sudo: as configured so far, every domain user with a valid password can log in.
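The step 5 settings together with the access restrictions the last paragraph calls for, as a script. This is an added example, not code from the original article: it writes the smb.conf lines idempotently, limits authentication to one AD group with pam_winbind's require_membership_of, restricts sshd with AllowGroups, grants that group sudo, and gates su with pam_wheel. The group name linux-admins is a hypothetical AD group, the short domain name TEST is the article's, and sudo is assumed to read /etc/sudoers.d. With ROOT set to a directory the script edits a staging copy instead of the live system.

```shell
#!/bin/sh
# ad_access.sh: step 5 settings plus the login restrictions the article
# leaves to "security requirements". Added example, not the article's code.
# Assumptions: linux-admins is a hypothetical AD group, TEST is the short
# domain name, sudo reads /etc/sudoers.d. ROOT="" edits the live system;
# ROOT=/some/dir edits a staging tree instead.
set -e
ROOT="${ROOT:-}"
WORKGROUP="${WORKGROUP:-TEST}"
ADMIN_GROUP="${ADMIN_GROUP:-linux-admins}"

# Set "key = value" under [global] in an smb.conf-style file (smb.conf and
# pam_winbind.conf share the format), dropping any earlier definition of the
# key so the function is safe to re-run. Values travel through the
# environment because awk -v would strip the backslash in TEST\linux-admins.
set_ini_option() {
  file="$1"
  mkdir -p "$(dirname "$file")"
  [ -f "$file" ] || printf '[global]\n' > "$file"
  K="$2" V="$3" awk '
    BEGIN { k = ENVIRON["K"]; v = ENVIRON["V"] }
    { line = $0; sub(/^[ \t]+/, "", line) }
    tolower(line) ~ ("^" tolower(k) "[ \t]*=") { next }
    { print }
    /^\[global\]/ && !done { print "\t" k " = " v; done = 1 }
    END { if (!done) print "[global]\n\t" k " = " v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Replace (or add) a "Keyword value" line in sshd_config; keywords there
# are case-insensitive.
set_sshd_option() {
  file="$1"
  mkdir -p "$(dirname "$file")"
  { [ -f "$file" ] && K="$2" awk 'tolower($1) != tolower(ENVIRON["K"])' "$file"
    echo "$2 $3"; } > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Step 5 of the article: per-domain home directories, bash as the shell,
# and logins without the TEST\ prefix.
configure_smb() {
  f="$ROOT/etc/samba/smb.conf"
  set_ini_option "$f" "template homedir" "/home/%D/%U"
  set_ini_option "$f" "template shell" "/bin/bash"
  set_ini_option "$f" "winbind use default domain" "yes"
}

# Authentication (pam_winbind), SSH sessions and sudo are limited to
# ADMIN_GROUP; sshd also keeps the local wheel group so a local admin can
# still get in when winbind is down.
configure_access() {
  set_ini_option "$ROOT/etc/security/pam_winbind.conf" \
    "require_membership_of" "$WORKGROUP\\$ADMIN_GROUP"
  set_sshd_option "$ROOT/etc/ssh/sshd_config" "AllowGroups" "wheel $ADMIN_GROUP"
  su="$ROOT/etc/sudoers.d/ad-admins"
  mkdir -p "$(dirname "$su")"
  # unqualified group name: relies on "winbind use default domain = yes"
  printf '%%%s ALL=(ALL) ALL\n' "$ADMIN_GROUP" > "$su"
  chmod 0440 "$su"
  [ -n "$ROOT" ] || visudo -cf "$su"   # syntax check, live system only
}

# su: a pam_wheel line right after pam_rootok so only ADMIN_GROUP members
# can switch user; any earlier active pam_wheel line is replaced.
configure_su() {
  f="$ROOT/etc/pam.d/su"
  mkdir -p "$(dirname "$f")"
  [ -f "$f" ] || printf 'auth\t\tsufficient\tpam_rootok.so\nauth\t\tinclude\t\tsystem-auth\n' > "$f"
  G="$ADMIN_GROUP" awk '
    /^[^#]*pam_wheel\.so/ { next }
    { print }
    /^[^#]*pam_rootok\.so/ { print "auth\t\trequired\tpam_wheel.so use_uid group=" ENVIRON["G"] }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

case "${1:-}" in
  apply) configure_smb; configure_access; configure_su
         service winbind restart; service sshd restart ;;
esac
```

Run `sh ad_access.sh apply` as root once the join works, then log in as a member of the group from a second terminal before closing the current session: a typo in the group name locks every domain user out of SSH. The unqualified group names work only because winbind use default domain is on; with it off, use TEST\linux-admins in pam_winbind.conf and sshd_config and write the backslash doubled (%TEST\\linux-admins) in sudoers.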

