Use winbind to synchronize windowsPDC and linux accounts

Use winbind to synchronize windowsPDC and linux system accounts-Linux Enterprise Application-Linux server application information. The following is a detailed description. Test environment:
Operating System: redflagDC4.1 samba version: samba-3.0.2a-9AX ip: 172.16.100.2
(Note: you must use a relatively clean DC4.1 environment and use the built-in samba to complete the operation. We tested it earlier because the operating system has been configured by others, therefore, samba cannot be changed for several versions. You have to reinstall DC4.1 to complete the configuration .)

PDC Controller: windows2000Server testing domain name tail host name pig ip: 172.16.100.1
Test DNS: Host Name pig of windows2000Server (same as PDC)

Test process:

I. preparations:
Configure windows2000Server as PDC, create a tail domain, configure DNS that can resolve the tail domain, and use window2000 or windows98 with the client to log on to the PDC domain of windows2000Server correctly.

2. Configure the user and group information in the domain caught by the winbindd service to connect to the PDC:
1. Modify the nsswitch. conf file:
Vi/etc/nsswitch. conf
Make the following changes to make winbind a source of authentication information for passwd and group.


Passwd: files winbind
Shadow: files
Group: files winbind


2. Configure the DNS Client File of DC4.1:

Vi/etc/resolv. conf
Add nameserver 172.16.100.1

Ping pig. tail to ensure connectivity

3. vi smb. conf. Make sure that the [global] segment has the following lines:

[Global]
Workgroup = TAIL
Netbios name = rfdc41
Server string = Samba Server
Security = domain
Password server = pig. tail
Preferred master = no
Domain master = no
Domain logons = no
Idmap uid = 10000-20000
Idmap gid = 10000-20000
Template shell =/bin/bash
Template homedir =/home/% D/% U
Winbind separator = %
Winbind use default domain = Yes


Idmap uid and idmap gid are the idnumber range used by winbind to set win200x domain users, Group map users, and groups. If there are many users, the difference between the two values can be increased.
Template homedir is the main directory after the user logs on. I set it to/home/Domain Name/user name.
Template shell is the shell after the user logs on. If you want to use PDC to authenticate your sshd, you can add this to give the user a login shell.
Winbind separator is the delimiter between the domain name and the user name when obtaining the account, such as tail % work
Set winbind use default domain to yes, which shields the separator between the domain name and the user name during display. Otherwise, when you log on to the linux system, enter a user name like tail % work.

5. Use the net join command of samba to add this machine to the windows200x domain (supported by samba3.0 or a later version)

Net rpc join-S pig. tail-U Administrator

Enter the domain Administrator password, that is, the Administrator password.

6. Start the samba service and winbindd service.

# Service smb start
# Service winbind start


7. Run the wbinfo command to view the information of users and groups in the domain captured by the PDC through the winbindd service.

Wbinfo-u

The following shows the PDC user information captured by winbind:

Administrator
Guest
Huaijinyang
Jack
Krbtgt
Laohuai
User1
User2
User3
User4
User5
Work

Run the following command:

Wbinfo-g

We can see information about the PDC group captured by winbind as follows:

BUILTIN % System Operators
BUILTIN % Replicators
BUILTIN % Guests
BUILTIN % Power Users
BUILTIN % Print Operators
BUILTIN % Administrators
BUILTIN % Account Operators
BUILTIN % Backup Operators
BUILTIN % Users
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Cert Publishers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
DnsUpdateProxy
Zzz


8. Check whether the PDC user (group) is converted to the local user (Group) UID and GIU:

Getent passwd

Displays the status of converting a PDC user into a UID of a system user, and displays the following information:

Administrator: x: 10000: 10000:/home/TAIL/Administrator:/bin/bash
Guest: x: 10001: 10000:/home/TAIL/Guest:/bin/bash
Huaijinyang: x: 10002: 10000: huai:/home/TAIL/huaijinyang:/bin/bash
Jack: x: 10003: 10000: jack:/home/TAIL/jack:/bin/bash
Krbtgt: x: 10004: 10000:/home/TAIL/krbtgt:/bin/bash
Laohuai: x: 10010: 10000: laohuai:/home/TAIL/laohuai:/bin/bash
User1: x: 10005: 10000: user1:/home/TAIL/user1:/bin/bash
User2: x: 10006: 10000: user2:/home/TAIL/user2:/bin/bash
User3: x: 10007: 10000: user3:/home/TAIL/user3:/bin/bash
User4: x: 10008: 10000: user4:/home/TAIL/user4:/bin/bash
User5: x: 10011: 10000: user5:/home/TAIL/user5:/bin/bash
Work: x: 10009: 10000: work:/home/TAIL/work:/bin/bash

The UID of the PDC user Administrator starts from 10000.


Getent group

The GID of the PDC user to the System user is displayed. The following information is displayed:

Domain Administrator: x: 10003: Administrator
Domain Users: x: 10000: Administrator, Guest, krbtgt, work, jack, user1, user2, user3, user4, huaijinyang, user5, laohuai
Domain Guests: x: 10005: Guest
Domain Computers: x: 10006: CALL-CENTER $, hjy $, localhost $, Lisboa $, HUAIJINYANG $, smb1 $, rfas41 $, lux $
Domain Controllers: x: 10007: PIG $
Cert Publishers: x: 10008:
Schema admin: x: 10002: Administrator
Enterprise Administrator: x: 10004: Administrator
Group Policy Creator Owners: x: 10001: Administrator
DnsUpdateProxy: x: 10009:
Zzz: x: 10010:
BUILTIN % System Operators: x: 10011:
BUILTIN % Replicators: x: 10012:
BUILTIN % Guests: x: 10013:
BUILTIN % Power Users: x: 10014:
BUILTIN % Print Operators: x: 10015:
BUILTIN % Administrators: x: 10016:
BUILTIN % Account Operators: x: 10017:
BUILTIN % Backup Operators: x: 10018:
BUILTIN % Users: x: 10019:

The UID of the PDC Users Group starts from 10000.
You can see this information, indicating that the configuration is complete and the winbind service is working properly.

Note that if you create a new user in the PDC domain or change the password for a user, refresh the samba service and winbind service as follows:

Service smb stop
Service winbind stop
Rm-f/etc/samba/*. tdb
Rm-f/var/cache/samba/*. tdb
Net rpc join-S pig. tail-U Administrator
Service smb start
Service winbind start

In order to re-capture the updated information of the PDC.

9. Create the user's logon home directory
The template homedir path is specified in the samba configuration file.
Mkdir/home/TAIL
Note that the PDC domain name must be in uppercase!

3. Configure pam Authentication for log on to the PDC user
1
Back up the original pam Authentication File

Mkdir/home/backup
Cp/etc/pam. d/login/home/backup
Cp/etc/pam. d/system-auth


2. Modify the login file
Vi/etc/pam. d/login
The last sentence of this file is

Session optional pam_lele.so

Add

Session required pam_mkhomedir.so skel =/etc/skel umask = 0022


3. modify the system-auth file

Vi/etc/pam. d/system-auth

A. Find the statement starting with "auth" and calling "pam_unix.so", as follows:

Auth sufficient/lib/security/$ ISA/pam_unix.so likeauth nullok

Add the string "use_first_pass" at the end of this sentence, as follows:

Auth sufficient/lib/security/$ ISA/pam_unix.so likeauth nullok use_first_pass

Then add the following statement to the sentence:

Auth sufficient/lib/security/pam_winbind.so


B. Find the statement starting with "account" and calling "pam_unix.so", as follows:

Account required/lib/security/$ ISA/pam_unix.so

Add the string "use_first_pass" at the end of this sentence, as follows:

Account required/lib/security/$ ISA/pam_unix.so use_first_pass

Then add the following statement to the sentence:

Account sufficient/lib/security/pam_winbind.so


4. Use PDC User Login Test
Log on to a terminal in linux as a PDC user. The $ prompt is displayed, indicating that the configuration is complete.