CentOS в домене Windows

By 2010-08-21 March 6th, 2015 AD, CentOS, Kadmin, Linux, Windows Server

Для включения машины с центосом в домен надо поправить четыре конфига

nano /etc/krb5.conf

[logging] default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults] default_realm = ДОМЕН.ЛОКАЛ
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms] ДОМЕН.ЛОКАЛ = {
kdc = дк.домен.локал
admin_server = дк.домен.локал
default_domain = домен.локал
}

[domain_realm] .домен.локал = ДОМЕН.ЛОКАЛ
домен.локал = ДОМЕН.ЛОКАЛ

nano /etc/samba/smb.conf

[global] workgroup = домен
realm = ДОМЕН.ЛОКАЛ
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind enum users = Yes
winbind enum groups = Yes

nano /etc/nsswitch.conf

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns

nano /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore]pam_winbind.so
account required pam_permit.so

# account requisite pam_succeed_if.so user ingroup токаэтагруппа

password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0027
session optional pam_krb5.so

chkconfig smb on
chkconfig winbind on

service smb start
service winbind start
net ads join -U админдомена
reboot

Для синхронизайии времени с контроллером домена
ntpdate ДК
chkconfig ntpd on
service ntpd start

Если надо заходить по сети на самбу пользователям домена то

nano /etc/samba/smb.conf

[homes] comment = Home Directories
path = /home/%U
browseable = no
writable = yes

Если использовать самбу как принтсервер то еще CUPS

nano /etc/samba/smb.conf

[global] printing = cups
printcap name = cups
cups options = raw

[printers] comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
use client driver = yes

Leave a Reply

*