I'm trying to integrate Ubuntu 12.04 servers into a Windows 2012 Active Directory with NFS and single sign-on.
Setup:
- srv02: Windows server
- srv03: Ubuntu file server
- srv04: Ubuntu application server
- domain: lettrich.local
- realm: LETTRICH.LOCAL
What works:
- Windows 2012 AD set up with DNS, NTP and DHCP
- The Ubuntu servers are registered in AD with msktutil and obtain Kerberos tickets for users (e.g. kinit Administrator@LETTRICH.LOCAL works) and for machines (kinit -k srv03$@LETTRICH.LOCAL works)
- uids and gids are resolved via UNIX identity management on AD and sssd over GSSAPI
What doesn't work:
- Mounting an NFS share hosted on srv03 on srv04
- Getting a Kerberos ticket for a service principal
For example:

```text
sudo kdestroy
sudo kinit -k
kinit: Client 'host/srv03.lettrich.local@LETTRICH.LOCAL' not found in Kerberos database while getting initial credentials
```

krb5.keytab on srv03 (srv04's is analogous):

```text
sudo klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 srv03$@LETTRICH.LOCAL (arcfour-hmac)
  10 srv03$@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 srv03$@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
```
NFS exports:

```text
cat /etc/exports
/export         gss/krb5(rw,fsid=0,no_subtree_check,sync,insecure,crossmnt,anonuid=65534,anongid=65534)
/export/users   gss/krb5(rw,nohide,anongid=65534)
/export/groups  gss/krb5(rw,anongid=65534)
/export/share   gss/krb5(rw,anongid=65534)
/export/backup  gss/krb5(rw,anongid=65534)
```
Mounting on srv04:

```text
sudo mount -t nfs4 -o sec=krb5 srv03:/export /mnt
```

gives me the error

```text
srv04 rpc.gssd[754]: ERROR: No credentials found for connection to server srv03
```
Active Directory lists both srv03 and srv04 as domain computers with the correct service principal names (names changed accordingly):

```text
service principal name = nfs/srv03.lettrich.local; host/srv03.lettrich.local
```
Where is my mistake? (Yes, the clocks are synchronized ;-))
I will provide more information if needed.
Thanks in advance to everyone who helps.
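Added example, not part of the question or the answer: a small checker that parses the `klist -ke` listing from the question (copied below as `SAMPLE_KLIST`) and reports which of the principals an NFS client's `rpc.gssd` is assumed to look for are present, which match only up to letter case, and which entries still carry the deprecated RC4 (`arcfour-hmac`) enctype. The candidate list in `gssd_candidates()` is an assumption about rpc.gssd: that it tries the machine account as `HOSTNAME$` (upper case), then `root/`, `nfs/` and `host/` service principals, matching keytab entries exactly. Confirm it against the nfs-utils version you actually run.

```python
"""Check a 'klist -ke' keytab listing for the principals a Kerberized NFS client needs.

Added example; the sample listing is copied from the question above.  The
candidate principals and their order are an ASSUMPTION about rpc.gssd and
must be verified against the installed nfs-utils.
"""
import re

# Copied verbatim from the question's 'sudo klist -ke' output on srv03.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 srv03$@LETTRICH.LOCAL (arcfour-hmac)
  10 srv03$@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 srv03$@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96)
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

# RC4 and DES enctypes are deprecated (RFC 8429); leaving them in the keytab
# lets a peer negotiate down to them.  Disable them in AD once AES is confirmed.
DEPRECATED_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc",
                       "des-cbc-md5", "des3-cbc-sha1"}


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from 'klist -ke' output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def gssd_candidates(short_host, fqdn, realm):
    """Principals rpc.gssd is ASSUMED to try for its machine credential, in order."""
    return [
        f"{short_host.upper()}$@{realm}",  # AD computer account, upper-cased (assumption)
        f"root/{fqdn}@{realm}",
        f"nfs/{fqdn}@{realm}",
        f"host/{fqdn}@{realm}",
    ]


def check_keytab(text, short_host, fqdn, realm):
    """Classify each candidate as exact match, case-only match, or missing."""
    entries = parse_klist(text)
    present = {p for _, p, _ in entries}
    present_ci = {p.lower(): p for p in present}  # for case-insensitive near-matches
    report = {
        "exact": [], "case_only": [], "missing": [],
        "deprecated": sorted({p for _, p, e in entries if e in DEPRECATED_ENCTYPES}),
        "kvnos": sorted({k for k, _, _ in entries}),  # >1 kvno means a stale rejoin
    }
    for cand in gssd_candidates(short_host, fqdn, realm):
        if cand in present:
            report["exact"].append(cand)
        elif cand.lower() in present_ci:
            report["case_only"].append((cand, present_ci[cand.lower()]))
        else:
            report["missing"].append(cand)
    return report


if __name__ == "__main__":
    for k, v in check_keytab(SAMPLE_KLIST, "srv03", "srv03.lettrich.local", "LETTRICH.LOCAL").items():
        print(f"{k}: {v}")
```

On the question's keytab this reports `nfs/` and `host/` as exact matches, `root/` as missing (harmless, it is optional), and the machine account present only as `srv03$`, which differs in case from the `SRV03$` form the script assumes gssd asks for. That entry is worth attention because the question itself shows the AD KDC issuing a TGT to `srv03$` while refusing `host/srv03.lettrich.local` as a client principal. All three principals also carry `arcfour-hmac` keys alongside AES.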
Solution
Second, point the DNS resolver on the Linux servers at the Windows servers and fix /etc/hosts on Linux so that the entries are correct.
Third, you have to install the Kerberos 5 and winbind applications/modules/libraries.
Fourth, configure /etc/krb5.conf:

```text
[libdefaults]
    default_realm = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS

[realms]
    YOUR.FULL.DOMAIN.WITH.UPPER.CHARS = {
        # one "kdc =" line per Windows domain controller
        kdc = list of IPs windows domain servers
        admin_server = one ip for master domain server
    }

[domain_realm]
    your.full.domain.with.lower.chars = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS

[logging]
    # example logging
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
```
Fifth, configure /etc/samba/smb.conf:

```text
[global]
    workgroup = YOUR.SHORT.DOMAIN.WITH.UPPER.CASE
    netbios name = YOUR.SERVER.NAME.WITH.UPPER.CASE.WITHOUT.DOMAIN
    realm = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
    security = ads
    password server = windows.ip.server.what.allows.password.change
    wins server = as.above.supports.wins.messages
    wins proxy = no
    kerberos method = system keytab
    dedicated keytab file = /etc/krb5.keytab
    server string = write what you want using %h as host name
    dns proxy = no
    idmap config * : backend = rid
    idmap config * : range = 10000-20000
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes
    winbind separator = +
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    preferred master = no
    inherit acls = Yes
    map acl inherit = Yes
    acl group control
```
Sixth, verify that you are able to connect, temporarily, with any user:

```text
wbinfo -t          # test only
net getdomainsid   # should print the local and the domain identifier
wbinfo -u          # domain user list, may take a long time for many users
wbinfo -g          # domain group list
```
Seventh, create a technical user account whose password never expires and cannot be changed. Everything else stays at the defaults. Collect such users in a separate AD container :)
Eighth, generate the keytab:

```text
net ads keytab create -U your.technical.user@YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
```

Then check that /etc/krb5.keytab exists.
Now you can configure other services, in particular with the ntlm helper. You can test the connection with:

```text
ntlm_auth --username UPPER.CASE.SHORTNAME.DOMAIN+your.technical.username
```

Type the password and you should see the status:

```text
NT_STATUS_OK: Success (0x0)
```
Now you can configure PAM to authenticate many services, but I did not do that. I successfully used the apache2.2 ntlm authentication configuration. I have seen PAM configurations for ssh and Xsession.
The main idea is that only winbind authenticates against Active Directory. All other services authenticate locally against winbind in one way or another. Winbind is part of samba. If you don't need samba, install only winbind, which pulls in some samba libraries.
Sometimes, right after the connection has been configured, wbinfo cannot connect. Then you have to wait a moment for the information to propagate, 5 minutes or more.
Of course, the time on all machines should be synchronized; configure NTP for that. I'm using Debian, but Ubuntu makes everything similar to Debian :) Good luck.
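Added example, not part of the answer above: a checker for the krb5.conf and smb.conf settings from the fourth and fifth steps. It parses both files and verifies the case and consistency rules the answer's placeholders encode (realm names upper-case, `[domain_realm]` keys lower-case, `workgroup` the short name, `security = ads`, `kerberos method = system keytab`, keytab path /etc/krb5.keytab). The samples are constructed for the question's lettrich.local domain with documentation-range KDC addresses; `SAMPLE_SMB_CONF_WRONG` is a constructed counter-example carrying the typical mistakes.

```python
"""Consistency check for krb5.conf and smb.conf as configured in the answer.

Added example; the sample files are constructed (lettrich.local, 192.0.2.x
KDCs) and are not the answer's own configuration.
"""
import configparser

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = LETTRICH.LOCAL

[realms]
    LETTRICH.LOCAL = {
        kdc = 192.0.2.10
        admin_server = 192.0.2.10
    }

[domain_realm]
    .lettrich.local = LETTRICH.LOCAL
    lettrich.local = LETTRICH.LOCAL
"""

SAMPLE_SMB_CONF = """\
[global]
    workgroup = LETTRICH
    realm = LETTRICH.LOCAL
    security = ads
    kerberos method = system keytab
    dedicated keytab file = /etc/krb5.keytab
    template homedir = /home/%D/%U
"""

# Constructed counter-example: full DNS name as workgroup, lower-case realm,
# and Samba told to keep its Kerberos keys only in secrets.tdb.
SAMPLE_SMB_CONF_WRONG = """\
[global]
    workgroup = LETTRICH.LOCAL
    realm = lettrich.local
    security = ads
    kerberos method = secrets only
    dedicated keytab file = /etc/krb5.keytab
"""


def parse_krb5_conf(text):
    """Parse MIT krb5.conf into {section: {key: value}}; a 'key = { ... }' block
    becomes {subkey: [values]} so repeated 'kdc =' lines are all kept."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                conf[section][key] = {}
                block = key
            elif block is not None:
                conf[section][block].setdefault(key, []).append(value)
            else:
                conf[section][key] = value
    return conf


def check_config(krb5_text, smb_text):
    """Return a list of problems; an empty list means the two files agree."""
    krb5 = parse_krb5_conf(krb5_text)
    smb = configparser.ConfigParser(interpolation=None)  # keep %D/%U literal
    smb.read_string(smb_text)
    g = smb["global"]
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    realms = krb5.get("realms", {})
    domain_realm = krb5.get("domain_realm", {})
    problems = []
    if not realm or realm != realm.upper():
        problems.append(f"krb5.conf: default_realm must be upper-case, got {realm!r}")
    if realm not in realms:
        problems.append(f"krb5.conf: no [realms] block for {realm!r}")
    elif not realms[realm].get("kdc"):
        problems.append(f"krb5.conf: realm {realm} lists no kdc")
    for domain, target in domain_realm.items():
        if domain != domain.lower():
            problems.append(f"krb5.conf: [domain_realm] key {domain!r} must be lower-case")
        if target not in realms:
            problems.append(f"krb5.conf: [domain_realm] {domain} maps to unknown realm {target!r}")
    if realm and realm.lower() not in domain_realm:
        problems.append(f"krb5.conf: [domain_realm] does not map {realm.lower()} to {realm}")
    if g.get("realm", "") != realm:
        problems.append(f"smb.conf: realm {g.get('realm')!r} differs from default_realm {realm!r}")
    workgroup = g.get("workgroup", "")
    if "." in workgroup or workgroup != workgroup.upper():
        problems.append(f"smb.conf: workgroup must be the short upper-case domain name, got {workgroup!r}")
    if g.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be 'ads' for a domain member")
    if g.get("kerberos method", "").lower() != "system keytab":
        problems.append("smb.conf: the answer requires 'kerberos method = system keytab'")
    if g.get("dedicated keytab file", "") != "/etc/krb5.keytab":
        problems.append("smb.conf: dedicated keytab file should be /etc/krb5.keytab, the path checked after 'net ads keytab create'")
    return problems


if __name__ == "__main__":
    print("good:", check_config(SAMPLE_KRB5_CONF, SAMPLE_SMB_CONF))
    print("bad: ", check_config(SAMPLE_KRB5_CONF, SAMPLE_SMB_CONF_WRONG))
```

Run it against the real files with `check_config(open("/etc/krb5.conf").read(), open("/etc/samba/smb.conf").read())` before `net ads keytab create`; a mismatch between `realm` and `default_realm`, or a lower-case realm, is the kind of error that otherwise only shows up as an opaque "not found in Kerberos database" later.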