Windows Server AD settings

1. Create a new organizational unit (OU)
Creating a suitable OU for the users in advance keeps AD user management simple and clear.
2. Create a new user and user group
When creating a new user, assign the user to the correct user group at the same time and also set the user's primary group. A user may belong to more than one group; choose an appropriate and meaningful one as the primary group. The Linux system obtains the gidNumber from the primary group, so in the file system's permissions the user is shown as belonging to that primary group.
3. Editing Unix extended properties for users and groups
Select the user or group in the AD Admin Center, open the Extended Properties page, and enter a unique uidNumber and the specific gidNumber. To avoid duplicates and confusion, the administrator should plan the UID and GID values and ranges for each user and group in advance (refer to the Linux smb.conf settings below) before working in the AD Admin Center.
When an AD user logs on to Linux, the UID and GID are obtained from AD; this can be verified with the id command after logging in.
When a Windows user accesses the Oracle ZS, the user's SID is converted by the Oracle ZS IDMU to the UID and GID preset in AD. This can be verified by SSH-ing to the Oracle ZS, entering the shell and inspecting file ownership under /export/, or through the Show Mappings tool under Identity Mapping in the Oracle ZS management interface.
This ensures that Linux and Windows users can share access to files on the ZS.
Oracle ZS settings

1. Set up DNS, NTP and AD
Set DNS and NTP under Configuration->Services, then join the AD domain.
2. Set IDMU
Under Identity Mapping in Configuration->Services, select IDMU and click Apply; no additional configuration input is required.
3. Verify IDMU
Using the Identity Mapping Show Mappings tool, check the obtained UID and GID. If they are the same as the AD user's uidNumber and gidNumber, the mapping is correct; if a temporarily assigned (ephemeral) ID appears, it is incorrect.
4. Initial file system creation
In a mixed environment of Windows and Linux clients, it is recommended to create the file system with UNIX permissions selected. This is flexible and keeps the permissions of files and folders created from Linux and from Windows more consistent. If you choose to use Windows default permissions, the root directory will default to 755.
5. ACL Property settings
The file system's ACL properties are left at their defaults; they have little impact on basic access permissions.
Note: if anyone has summarized how the ACL properties affect permissions, please send me an email and I will correct this section.
Redhat Linux 6 settings

1. Configuring SELinux security parameters
SELinux is enabled by default when Redhat 6 is installed.
1.1. Verify whether it is enabled
# getenforce
Enforcing
1.2. Enable it if it is not
# setenforce 1
# getenforce
Enforcing
1.3. Edit /etc/selinux/config so that it is still enabled after a restart
SELINUX=enforcing
2. Configure Samba
2.1. Install the Samba packages
# yum install samba samba-client samba-common samba-winbind samba-winbind-clients
2.2. Verify that Samba is running
# ps -ef | grep smb
2.3. Enable Samba to run at system startup
# chkconfig smb on
# chkconfig --list smb
3. Synchronizing NTP
3.1. Edit /etc/ntp.conf
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
server (NTP server name) iburst
server (NTP server IP) iburst
3.2. Apply the NTP changes
Redhat Linux 6:
# service ntpd stop
# ntpdate (NTP server IP)
# service ntpd start
Windows Server:
Refer to "Source": How to set up a Windows Server AD server as an NTP server
C:\WINSRV1> w32tm /config /manualpeerlist:"NTP server name or IP" /syncfromflags:manual /update
C:\WINSRV1> w32tm /query /status
3.3. Enable NTP to run at system startup
# chkconfig ntpd on
# chkconfig --list ntpd
4. Configure DNS
4.1. Edit /etc/resolv.conf
domain mydomain
search mydomain
nameserver (DNS server IP)
4.2. Edit /etc/sysconfig/network
HOSTNAME=xxx.mydomain (client server name)
5. Edit the /etc/hosts file
Modify and simplify the contents of /etc/hosts to:
127.0.0.1   localhost
xxx.xxx.xxx.xxx (local static IP)   xxx.mydomain (client server name)   xxx (client server name)
6. Installing and configuring the Kerberos client
6.1. Install the Kerberos client
# yum install krb5-workstation
6.2. Verify that the Kerberos client installation was successful
# yum list installed | grep krb5
krb5-libs.x86_64          1.9-22.el6_2.1   @rhel6-server-rpms
krb5-workstation.x86_64   1.9-22.el6_2.1   @rhel6-server-rpms
pam_krb5.x86_64           2.3.11-9.el6     @anaconda-RedHatEnterpriseLinux-201111171049.x86_64/6.2
6.3. Modify the Kerberos configuration file /etc/krb5.conf; the entries to set are listed below
Back up the krb5.conf file before modifying it
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MYDOMAIN = {
  kdc = xxx.mydomain (AD Server)
  admin_server = xxx.mydomain (AD Server)
 }

[domain_realm]
 .mydomain = MYDOMAIN
 mydomain = MYDOMAIN
6.4. Verifying the Kerberos configuration
Clear any existing credentials
# kdestroy
# klist
Obtain a new Kerberos credential
# kinit (AD user name)@MYDOMAIN
Verify that the new credential was obtained
# klist
7. Installing oddjob-mkhomedir
Install the oddjob-mkhomedir package to ensure that the user's home directory is created correctly.
7.1. Installation
# yum install oddjob-mkhomedir.x86_64
7.2. Start the service and make oddjobd run at system startup
# service oddjobd start
# chkconfig oddjobd on
# chkconfig --list oddjobd
8. Automatically create the home directory
Add the following line to both of these configuration files:
/etc/pam.d/system-auth
/etc/pam.d/sshd
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Note: umask=0077 means the home directory owner has full permissions while the primary group and others have none. It can be set to umask=0022, which means the owner has full permissions while the primary group and others have read permission only.
9. Increase the UID and GID range accepted for AD users
Allow users whose uidNumber and gidNumber in the AD user extended properties are < 30000 to log on to Linux.
In the /etc/pam.d/password-auth and /etc/pam.d/system-auth files the line:
account sufficient pam_succeed_if.so uid < 500 quiet
is modified to:
account sufficient pam_succeed_if.so uid < 30000 quiet
Note: the value 30000 is the cap of the smb.conf configuration item idmap config (MYDOMAIN NetBIOS Name) : range = 10000-29999.
10. Configure Samba/winbind
10.1. Edit /etc/samba/smb.conf; the entries to set are listed below
Back up /etc/samba/smb.conf before modifying it
10.2. Configuring smb.conf in AD mapping mode
backend = ad mode obtains the uidNumber and gidNumber directly from the AD users and groups. The uidNumber and gidNumber must therefore be set in advance in the extended properties of AD user management for every user and group that is to be mapped, and the acceptable value range is decided by the configuration item idmap config (MYDOMAIN NetBIOS Name) : range = 10000-29999.
[global]
 workgroup = (MYDOMAIN NetBIOS Name)
 password server = xxx.mydomain (AD Server)
 realm = MYDOMAIN
 security = ads
 idmap uid = 30000-39999
 idmap gid = 30000-39999
 idmap config (MYDOMAIN NetBIOS Name) : backend = ad
 idmap config (MYDOMAIN NetBIOS Name) : default = yes
 idmap config (MYDOMAIN NetBIOS Name) : range = 10000-29999
 idmap config (MYDOMAIN NetBIOS Name) : schema_mode = rfc2307
 winbind nss info = rfc2307
 winbind enum users = yes
 winbind enum groups = yes
 winbind nested groups = yes
 winbind separator = +
 winbind use default domain = true
 # %D = domain name, %U = session user name
 template homedir = /home/%D/%U
 template shell = /bin/bash
 winbind offline logon = true
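The AD extended-property planning (section 3 of the AD settings), the pam_succeed_if cap and the idmap range above all have to agree, or users end up unmapped on Linux and with ephemeral IDs on the ZS. The following is an added example, not part of the original page or of any of the products it describes: it parses the idmap range from a constructed smb.conf fragment and checks constructed AD user and group entries against it, assuming a single-word NetBIOS domain name (MYDOMAIN).

```python
import re

# Constructed smb.conf fragment mirroring the page's idmap settings ("MYDOMAIN" is a placeholder).
SMB_CONF = """
[global]
 idmap config MYDOMAIN : backend = ad
 idmap config MYDOMAIN : range = 10000-29999
 idmap config MYDOMAIN : schema_mode = rfc2307
"""

# Constructed AD objects: user -> (uidNumber, primary gidNumber), group -> gidNumber.
AD_USERS = {"alice": (10001, 10500), "bob": (10002, 10500),
            "carol": (10001, 10501), "dave": (35000, 10500)}
AD_GROUPS = {"storage-users": 10500, "linux-admins": 10501}

RANGE_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for each 'idmap config <domain> : range' line."""
    return {dom: (int(lo), int(hi)) for dom, lo, hi in RANGE_RE.findall(conf)}


def check_ids(users, groups, id_range):
    """List planning problems: with backend = ad, winbind only maps uidNumber/gidNumber
    values inside the range (others stay unmapped and the ZS IDMU shows an ephemeral id),
    and a duplicate uidNumber makes two accounts own the same files."""
    lo, hi = id_range
    problems, owner_of_uid = [], {}
    for group, gid in groups.items():
        if not lo <= gid <= hi:
            problems.append(f"group {group}: gidNumber {gid} outside {lo}-{hi}")
    for user, (uid, gid) in users.items():
        if not lo <= uid <= hi:
            problems.append(f"user {user}: uidNumber {uid} outside {lo}-{hi}")
        if uid in owner_of_uid:
            problems.append(f"user {user}: uidNumber {uid} already used by {owner_of_uid[uid]}")
        owner_of_uid.setdefault(uid, user)
        if gid not in groups.values():
            problems.append(f"user {user}: primary gidNumber {gid} matches no group")
    return problems


def pam_cap_covers_range(cap, id_range):
    """The 'uid < cap' value in pam_succeed_if must lie above the top of the idmap range."""
    return cap > id_range[1]


if __name__ == "__main__":
    rng = parse_idmap_ranges(SMB_CONF)["MYDOMAIN"]
    for problem in check_ids(AD_USERS, AD_GROUPS, rng):
        print("PROBLEM:", problem)
    print("pam_succeed_if cap 30000 covers range:", pam_cap_covers_range(30000, rng))
```

On the constructed data it reports carol's duplicate uidNumber and dave's out-of-range uidNumber, the two mistakes the Show Mappings check on the ZS would otherwise reveal only after the fact.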
10.3. Verifying the configuration file
# testparm
10.4. Clear the existing Samba cache files
# rm -f /var/lib/samba/*
# service smb start
# service winbind start
Note: if the group name is not displayed correctly after logging in with your AD account, you can try this operation and then log in again.
10.5. Clear Kerberos credentials
# kdestroy
# klist
10.6. Join AD
# net ads join -S xxx.mydomain (AD Server) -U Administrator
10.7. Test the AD link
# net ads info
10.8. Restart the winbind and Samba services to activate the new configuration, then list the domain groups through winbind
# service winbind restart
# service smb restart
# wbinfo -g
11. Verify the login service
Log in over SSH with an AD account and check the result:
$ hostname
$ id
$ pwd
$ ls -ld ~
$ echo $SHELL
Note:
The configuration process can be simplified through a graphical window, but it is still advisable to cross-check the result for accuracy against the configuration and commands above. The Redhat Linux graphical configuration command is system-config-authentication; the text-window configuration command is setup.
Full text (the version with images can be found by searching Baidu Library)
Implementing Redhat Linux 6 and Windows unified authentication and shared access to Oracle ZS storage systems through Windows Server AD