Linux module verification (3)

Source: Internet
Author: User
Tags ldap ssl certificate
Next, the Windows PDC must be set up to support the Kerberos PAM module. Using the Active Directory Users and Computers application, create a user account (not a computer account) named after the client: enter the DNS host name of the Linux server in the First name, Full name and User logon name fields. You may want to restrict this account, but test any such restriction thoroughly before relying on it.
  
In this example the client and its domain account are both named linux. Create a separate container or group in the domain for these machine-user accounts, so it stays clear which accounts belong to real domain users and which are Kerberos host accounts.
  
The ktpass utility comes with the Windows 2000 Support Tools, which are in the directory named Support on the server CD and install under \Program Files\Support Tools. ktpass generates the key file (keytab) that the Linux host will use against the Windows 2000 KDC. Run the following at the PDC's command prompt:
  
ktpass -princ host/linux@DOMAIN.NET -mapuser linux -pass <password> -out linux.keytab
  
Here linux is the machine-user account name, DOMAIN.NET is the Kerberos realm (the Windows domain name in upper case), and the password given to -pass must be the one set when the linux account was created. The output should look like this:
  
Successfully mapped host/linux to linux.
Key created.
Output keytab to linux.keytab:
Keytab version: 0x502
Keysize 48 host/linux@DOMAIN.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1
Keylength 8 (0xa27a8af1fe67ec07)
Account has been set for DES-only encryption.
  
Copy the file securely to the Linux host and save it as /etc/krb5.keytab. The keytab holds the mapping between the Kerberos principal (host/linux@DOMAIN.NET) and the Active Directory account. If /etc/krb5.keytab already exists, do not overwrite it, or the other Kerberos keys it holds will be lost; merge the new entry in with ktutil instead.
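The ktpass transcript above tells you two things worth checking before the keytab goes into production: which principal was actually mapped, and which encryption type the key uses. The script below is an added example (not code from the original article): it parses a constructed copy of the transcript, reports the principal, translates the etype number into its RFC 3961 name, and warns when the key is single DES, which the last line of the transcript confirms and which RFC 6649 deprecates. The enctype numbers and the warning text are the only assumptions beyond the article's own output.

```shell
#!/bin/sh
# Added example (not from the original article): parse ktpass output to confirm
# the mapped principal and to flag DES-only keys.
# SAMPLE_KTPASS_OUTPUT is constructed to match the article's transcript.
SAMPLE_KTPASS_OUTPUT='Successfully mapped host/linux to linux.
Key created.
Output keytab to linux.keytab:
Keytab version: 0x502
Keysize 48 host/linux@DOMAIN.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1
Keylength 8 (0xa27a8af1fe67ec07)
Account has been set for DES-only encryption.'

# Print the principal name recorded on the "Keysize" entry line.
keytab_principal() {
    printf '%s\n' "$1" | awk '/^Keysize/ { print $3 }'
}

# Print the enctype number (e.g. 0x1) that follows the word "etype".
keytab_etype() {
    printf '%s\n' "$1" | awk '/^Keysize/ { for (i = 1; i <= NF; i++) if ($i == "etype") print $(i+1) }'
}

# Map the numeric enctype to its RFC 3961 name; unknown values are echoed back.
etype_name() {
    case "$1" in
        0x1)  echo des-cbc-crc ;;
        0x2)  echo des-cbc-md4 ;;
        0x3)  echo des-cbc-md5 ;;
        0x11) echo aes128-cts-hmac-sha1-96 ;;
        0x12) echo aes256-cts-hmac-sha1-96 ;;
        0x17) echo rc4-hmac ;;
        *)    echo "unknown($1)" ;;
    esac
}

# Return 0 when the enctype is single DES (56-bit key), 1 otherwise.
is_des_key() {
    case "$1" in
        0x1|0x2|0x3) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise the transcript; return 1 when the account is DES-only.
check_ktpass_output() {
    princ=$(keytab_principal "$1")
    et=$(keytab_etype "$1")
    echo "principal: $princ"
    echo "enctype:   $et ($(etype_name "$et"))"
    if is_des_key "$et"; then
        echo "WARNING: single-DES key; DES is deprecated for Kerberos (RFC 6649). Plan to re-key with AES."
        return 1
    fi
    return 0
}

check_ktpass_output "$SAMPLE_KTPASS_OUTPUT" || echo "review the key type before deploying this keytab"
```

To merge the new entry into an existing /etc/krb5.keytab without overwriting it, MIT ktutil reads both files with rkt, then writes the combined table with wkt; run klist -k on the result to confirm that every expected principal is still present.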
  
Make sure the system clock is synchronized with the KDC's clock (within 2 minutes); otherwise Kerberos authentication fails because of clock skew. A Network Time Protocol (NTP) server can keep the clocks in step.
  
With the hard part done, the next step is to configure the POP and IMAP servers to authenticate through Kerberos. First make sure the POP and IMAP services are installed, then change their PAM configuration as shown in the figure "Modified pop pam configuration".
   
Modified pop pam configuration
  
This change covers both plain POP and POP over SSL. For IMAP, make the same change to /etc/pam.d/imap. The SSL variants do not require you to create a certificate and key pair, because Red Hat 7.2 ships with them; those certificates are self-signed, however, so client programs will warn users that the certificate signer is not trusted.
  
For information on using certificates signed by a recognized CA, see the Red Hat 7.2 documentation.
  
To run the POP and IMAP services, edit /etc/xinetd.d/ipop3, /etc/xinetd.d/pop3s, /etc/xinetd.d/imap and /etc/xinetd.d/imaps, which control POP, POP over SSL, IMAP and IMAP over SSL respectively, and make sure each file contains the line disable = no.
  
Then restart xinetd and activate the email server:
  
/etc/init.d/xinetd restart
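Before restarting xinetd it is worth confirming, in one pass, that each of the four service files is enabled and that the PAM file each service uses loads pam_krb5. The script below is an added example, not code from the original article: it builds a constructed sample tree (one service deliberately left disabled), then checks it. The PAM stack it writes is an assumed Red Hat 7.2 style configuration with pam_krb5 marked sufficient ahead of the system-auth stack, not the article's missing figure; the mapping of ipop3/pop3s to the pop PAM service and imap/imaps to the imap PAM service is also an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the POP/IMAP
# xinetd services are enabled and that their PAM files route auth through
# pam_krb5. Directories are parameters so the checks run against a sample
# tree here and against /etc/xinetd.d and /etc/pam.d on a real host.

# Return 0 when the xinetd service file contains "disable = no" (any spacing).
xinetd_enabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# Return 0 when the PAM file has an "auth" line that loads pam_krb5.
pam_uses_krb5() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_krb5\.so' "$1"
}

# Check the four services; print one status line each.
# $1 = xinetd.d directory, $2 = pam.d directory. Returns the number of problems.
check_mail_services() {
    xinetd_dir=$1; pam_dir=$2; problems=0
    for pair in ipop3:pop pop3s:pop imap:imap imaps:imap; do
        svc=${pair%%:*}; pamsvc=${pair##*:}
        status="ok"
        if [ ! -f "$xinetd_dir/$svc" ] || ! xinetd_enabled "$xinetd_dir/$svc"; then
            status="xinetd service disabled or missing"; problems=$((problems + 1))
        elif [ ! -f "$pam_dir/$pamsvc" ] || ! pam_uses_krb5 "$pam_dir/$pamsvc"; then
            status="PAM file $pamsvc does not load pam_krb5"; problems=$((problems + 1))
        fi
        echo "$svc: $status"
    done
    return $problems
}

# Build a constructed sample tree in a temp dir; prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/xinetd.d" "$root/pam.d"
    for svc in ipop3 pop3s imap; do
        printf 'service %s\n{\n\tdisable = no\n}\n' "$svc" > "$root/xinetd.d/$svc"
    done
    # imaps is deliberately left disabled to show the failure path
    printf 'service imaps\n{\n\tdisable = yes\n}\n' > "$root/xinetd.d/imaps"
    # Assumed PAM stack: try Kerberos first, then fall back to the local system-auth stack
    cat > "$root/pam.d/pop" <<'EOF'
auth       sufficient   /lib/security/pam_krb5.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
EOF
    cp "$root/pam.d/pop" "$root/pam.d/imap"
    echo "$root"
}

SAMPLE=$(make_sample_tree)
check_mail_services "$SAMPLE/xinetd.d" "$SAMPLE/pam.d" || echo "$? service(s) need attention"
rm -rf "$SAMPLE"
```

On a live server call check_mail_services /etc/xinetd.d /etc/pam.d; a non-zero return means at least one service would either not be started by xinetd or would not consult Kerberos, so fix those files before the restart.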
  
Authenticating POP service logins through Kerberos
  
Finally, configure the mail client to connect to the Linux server over POP or IMAP, either plain or SSL-based. The user accounts created on the Linux server must match those in the Windows Active Directory domain. The client sends the user ID and password, which the Linux server checks against Windows, so users read Linux-hosted mail with their Active Directory credentials.
  
Appendix: Windows domain authentication in PAM
  
To authenticate Linux services against a Microsoft Windows domain, you need a PAM module that is not on the Red Hat 7.2 installation CD. Download pam_smb from ftp://ftp.samba.org/pub/samba/pam_smb; at the time of writing the latest version is 1.1.6. Unpack and build it on the Linux system with the following commands:
  
tar zxvf pam_smb-1.1.6.tar.gz
cd pam_smb
./configure
make
cp pam_smb_auth.so /lib/security/
  
Then edit /etc/pam_smb.conf so that it looks like this:
  
DOMAIN
PDC
BDC1
BDC2
  
DOMAIN is the Windows domain name and PDC is the NetBIOS name of the primary domain controller. The BDC lines, giving the NetBIOS names of backup domain controllers, are optional; in fact any Windows NT or 2000 server in the same domain can be listed. Listing both the PDC and BDCs gives pam_smb a fallback when one server is down or not responding. Finally, edit /etc/hosts and add lines such as:
  
192.168.1.1 pdc.domain.net pdc
192.168.1.2 bdc1.domain.net bdc1
192.168.1.3 bdc2.domain.net bdc2
  
The IP addresses are those of the PDC and BDCs, the fully qualified domain name (FQDN, for example pdc.domain.net) is each machine's real DNS name, and the last name on each line is its NetBIOS name. This last step may be unnecessary if each domain controller's NetBIOS name matches its DNS host name and the Linux server can resolve that short name through DNS without a fully qualified name. In other words, if the PDC's NetBIOS name is PDC and running ping pdc on the Linux server gets a reply, /etc/hosts does not need editing; otherwise add entries in the format above. As long as ping pdc works, pam_smb will work too. For details of how the Windows password challenge/response exchange works, see us1.samba.org/samba/ftp/docs/textdocs/encryption.txt.
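The two files above have to agree: every controller named in /etc/pam_smb.conf must be a name the Linux server can resolve, or pam_smb will silently lose its fallback. The script below is an added example, not code from the original article: it reads a constructed pam_smb.conf and hosts file (BDC2 deliberately missing from hosts), looks each controller up by NetBIOS name, and returns the number of controllers that cannot be resolved. It covers only /etc/hosts, not DNS; the ping test from the paragraph above remains the check for the DNS path.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check /etc/pam_smb.conf
# against /etc/hosts so every controller pam_smb may contact has a resolvable
# name. Both files are constructed in a temp dir; pass real paths on a live host.

# Write constructed sample files; prints the directory holding them.
make_sample_files() {
    dir=$(mktemp -d)
    printf 'DOMAIN\nPDC\nBDC1\nBDC2\n' > "$dir/pam_smb.conf"
    # hosts file in the article's format: address, FQDN, then NetBIOS short name.
    # bdc2 is deliberately left out to exercise the failure path.
    cat > "$dir/hosts" <<'EOF'
127.0.0.1     localhost
192.168.1.1   pdc.domain.net  pdc
192.168.1.2   bdc1.domain.net bdc1
EOF
    echo "$dir"
}

# Print the domain name (line 1 of pam_smb.conf).
pam_smb_domain() {
    sed -n '1p' "$1"
}

# Print the controller NetBIOS names (line 2 onwards), one per line, blanks skipped.
pam_smb_controllers() {
    sed -n '2,$p' "$1" | grep -v '^[[:space:]]*$'
}

# Return 0 and print the address when NAME appears as a hostname or alias in
# HOSTS (case-insensitive, comments ignored); return 1 otherwise.
hosts_lookup() {
    name=$1; hosts=$2
    awk -v want="$(echo "$name" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }' "$hosts"
}

# Report each controller; return the number that cannot be resolved from HOSTS.
check_pam_smb() {
    conf=$1; hosts=$2; missing=0
    echo "domain: $(pam_smb_domain "$conf")"
    for dc in $(pam_smb_controllers "$conf"); do
        if addr=$(hosts_lookup "$dc" "$hosts"); then
            echo "$dc -> $addr"
        else
            echo "$dc -> not in $hosts (add an entry or make DNS resolve it)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

D=$(make_sample_files)
check_pam_smb "$D/pam_smb.conf" "$D/hosts" || echo "$? controller(s) unresolved"
rm -rf "$D"
```

On a real server run check_pam_smb /etc/pam_smb.conf /etc/hosts after editing either file; a name that is missing here but answers ping is being resolved through DNS, which is fine, while a name that fails both is the one to fix.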
  
Appendix: Windows Services for Unix
  
This article concentrates on authentication and has not looked closely at keeping account management synchronized between Linux and Windows, which is a hard problem. Active Directory does offer one feature that helps: an LDAP interface.
  
In theory Linux can obtain account information through that LDAP interface; in practice it is of limited use. The pam_ldap module can consult an LDAP directory through PAM, but it needs attributes that the Active Directory LDAP interface does not expose by default. The default Active Directory schema is useless to Unix hosts because it carries no Unix groups, user IDs, group IDs, or Unix password hashes.
  
To make it usable, Microsoft's Services for Unix (SFU) for Windows 2000 must be installed on the PDC; this is an add-on product, normally purchased separately.
  
Be aware of what this does to the PDC: installing SFU on the PDC extends the Active Directory schema for the whole domain. Once installation completes, the directory schema has been changed to be more Unix-friendly (in theory the schema could be changed by hand instead).
  
Beyond the schema change, SFU also provides the standard Unix mechanism for managing accounts in bulk: the Network Information Service (NIS).
  
Besides the schema extension and NIS server, SFU provides an NFS client, server and gateway, user name mapping, an NFS authentication server, password synchronization, ActiveState ActivePerl, and a set of Unix utilities.
  