When joining Linux machines to a domain, the first thought is usually LDAP, since it is easy to manage, but configuring LDAP on Linux is not that simple. In a corporate office environment a Windows AD domain usually dominates because it is convenient to configure; Linux clusters in production will choose LDAP, but office environments sometimes contain Linux machines as well, and for uniform management those Linux machines also need to be added to AD.
Here are two convenient ways to join Linux to Windows AD, covering CentOS and Ubuntu separately. Since both are called convenient, they must be the lazy person's preferred methods.
1 Likewise-open
Used on Debian/Ubuntu; it can be installed with apt and is easy to configure. However, because Likewise's company was acquired, the Likewise products are no longer open source, and the source packages can no longer be found on the Internet. Fortunately, Ubuntu can still install it through apt.
2 Winbind+samba
On CentOS I first downloaded the likewise source package from Ubuntu and compiled it, but found some small problems with some of the underlying libraries, so on CentOS the winbind + samba approach is used instead.
Using likewise on Ubuntu really is very convenient: after installing it with apt, two commands add the machine to the Windows AD domain, as follows:
domainjoin-cli join your-domain-name Administrator
lwconfig AssumeDefaultDomain true
Therefore the main experiment in this article is adding CentOS to a Windows AD domain.
Experimental environment: CentOS 6.4
Install the dependent packages:
yum install krb5-libs krb5-devel pam_krb5 krb5-workstation krb5-auth-dialog
yum install samba-winbind samba samba-common samba-client samba-winbind-clients
After installing the relevant software you can use the authconfig-tui command for a text-mode interface configuration; in fact, that interface only modifies a few files:
1 nsswitch.conf
# /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group:  files winbind
The above configuration means that lookups are resolved against the local files first and then via winbind.
2 smb.conf
# /etc/samba/smb.conf (the domain name must be in capital letters)
[global]
workgroup = YOUR-DOMAIN
password server = 172.16.14.20
realm = YOUR-DOMAIN
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
template homedir = /home/%u
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
Remember that your domain name must be in capital letters.
3 krb5.conf
# /etc/krb5.conf (the domain name must be in capital letters; keys are case-sensitive)
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = YOUR-DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 YOUR-DOMAIN = {
  # address of the AD domain controller
  kdc = 172.16.14.20
 }
[domain_realm]
 your-domain = YOUR-DOMAIN
 .your-domain = YOUR-DOMAIN
Restart the related services:
/etc/init.d/smb restart
/etc/init.d/winbind restart
Now add the machine to the AD domain:
net ads join -U Administrator
Enter the password of the AD domain administrator; after that the machine is in the domain, which can be verified with the wbinfo command.
When a domain account logs in, the destination machine has no corresponding local account, so the domain account has no home directory; the home directory needs to be created automatically when the domain account logs in.
Add the following line to both of the files below: session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
/etc/pam.d/system-auth
/etc/pam.d/sshd
This makes the system create the home directory of a domain account automatically when it logs in via SSH.
The PAM modules live in the /lib64/security directory.
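As an added example (not part of the original post), here is a small POSIX shell script that sanity-checks staged copies of smb.conf, krb5.conf and nsswitch.conf against the requirements above (upper-case realm, security = ads, a default_realm that matches smb.conf, winbind listed in nsswitch.conf) before running net ads join. File paths are parameters, and the function names are my own.

```shell
#!/bin/sh
# Added example: pre-join sanity check for the files configured above.
# Only POSIX sh, awk and grep are used; paths are passed in, so staging copies work.

# conf_get FILE KEY: print the value of the first "KEY = value" line
# (key match is case-insensitive; trailing "# ..." comments are dropped).
conf_get() {
    awk -v key="$2" -F'=' '
        { sub(/#.*/, "") }
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}
# is_upper STRING: true if STRING is non-empty and contains no lowercase letters.
is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" ]
}
# nss_has_winbind NSSWITCH DB: true if the "DB:" line lists winbind.
nss_has_winbind() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}
# check_ad_config SMB_CONF KRB5_CONF NSSWITCH_CONF
# Prints one line per problem found; returns 0 only when everything is consistent.
check_ad_config() {
    smb=$1 krb=$2 nss=$3 bad=0
    realm=$(conf_get "$smb" realm)
    is_upper "$realm" || { echo "smb.conf: realm must be set and upper-case (got '$realm')"; bad=1; }
    sec=$(conf_get "$smb" security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "smb.conf: security must be 'ads' (got '$sec')"; bad=1; }
    def=$(conf_get "$krb" default_realm)
    is_upper "$def" || { echo "krb5.conf: default_realm must be upper-case (got '$def')"; bad=1; }
    [ "$def" = "$realm" ] || { echo "krb5.conf: default_realm '$def' differs from smb.conf realm '$realm'"; bad=1; }
    for db in passwd shadow group; do
        nss_has_winbind "$nss" "$db" || { echo "nsswitch.conf: '$db' does not list winbind"; bad=1; }
    done
    return "$bad"
}
# Usage: ./check_ad_config.sh /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf
if [ "$#" -eq 3 ]; then
    check_ad_config "$1" "$2" "$3"
fi
```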