版本:
[root@station19 ~]# uname -a
Linux station19.example.com 2.6.18-308.el5xen #1 SMP Fri Jan 27 17:59:00 EST 2012 i686 i686 i386 GNU/Linux
[root@station19 ~]# lsb_release -a
LSB Version: :core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Release: 5.8
Codename: Tikanga
[root@station19 ~]#
ldap.conf配置(原文用红色粗体标出ldap.conf默认没有、需要自行添加并特别注意的配置项;此处排版已丢失颜色,请对照下面的完整输出逐项核对):
* Windows 2008上需要把Linux-NSS用户加到Administrators组,这样Linux-NSS才有加入AD域的权限。
* 注意:Linux-NSS是Administrators组成员,而它的密码以明文写在/etc/ldap.conf的bindpw里,且下面配置了 ssl no(绑定凭据在网络上也是明文传输)。因此要严格限制/etc/ldap.conf的读取权限,不要把该文件原样复制到其他机器或贴到公开的地方。
[root@station19 ~]# egrep -v "^#|^$" /etc/ldap.conf
host w2k8.ad.example.com
base dc=ad,dc=example,dc=com
binddn cn=Linux-NSS,cn=Users,dc=ad,dc=example,dc=com
bindpw p3ngu!n
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
nss_base_passwd cn=Users,dc=ad,dc=example,dc=com
ssl no
[root@station19 ~]#
[root@station19 ~]# authconfig-tui
[/usr/bin/net join -w AD -S w2k8.ad.example.com -U Linux-NSS]Linux-NSS's password:<...> Using short domain name -- ADDNS update failed!Joined 'STATION19' to realm 'AD.EXAMPLE.COM'Shutting down Winbind services: [ OK ]Starting Winbind services: [ OK ][root@station19 ~]# getent passwdroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinnews:x:9:13:news:/etc/news:uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologingopher:x:13:30:gopher:/var/gopher:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologindbus:x:81:81:System message bus:/:/sbin/nologinnscd:x:28:28:NSCD Daemon:/:/sbin/nologinvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologinpcap:x:77:77::/var/arpwatch:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologinavahi:x:70:70:Avahi daemon:/:/sbin/nologinrpc:x:32:32:Portmapper RPC user:/:/sbin/nologinmailnull:x:47:47::/var/spool/mqueue:/sbin/nologinsmmsp:x:51:51::/var/spool/mqueue:/sbin/nologinsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinoprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologinhaldaemon:x:68:68:HAL daemon:/:/sbin/nologinavahi-autoipd:x:100:156:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologinrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologinnfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologinxfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologingdm:x:42:42::/var/gdm:/sbin/nologinstudent:x:500:500::/home/student:/bin/bashvisitor:x:501:501::/home/visitor:/bin/bash[root@station19 ~]# wbinfo -uAD\administratorAD\guestAD\krbtgtAD\linux-nssAD\gatesAD\user2008[root@station19 ~]# net 
ads testjoin
Join is OK
[root@station19 ~]# net ads info
LDAP server: 192.168.0.250
LDAP server name: w2k8.ad.example.com
Realm: AD.EXAMPLE.COM
Bind Path: dc=AD,dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 30 Jul 2013 00:08:49 CST
KDC server: 192.168.0.250
Server time offset: 0
[root@station19 ~]#
smb.conf配置(原文用红色标出authconfig-tui生成之后还需要手工修改或增加的内容;此处颜色已丢失,具体见下面几点说明):
* winbind use default domain = true 表示去掉windows AD里面的域名前缀,即把AD\gates变成gates
* 只有加了 winbind enum users = yes 和 winbind enum groups = yes 之后,才能通过getent passwd列出windows AD中的用户
* 注意:winbind enum users/groups 只影响整域枚举(不带参数的 getent passwd/group);按用户名查询和登录并不需要它。大域中枚举会很慢,并且会把完整的域帐号列表暴露给本机任意用户,不需要列表功能时可以不开。
[root@station19 ~]# egrep -v "^#|^$|^;|[[:space:]]+#" /etc/samba/smb.conf
[global]
 workgroup = AD
 password server = w2k8.ad.example.com
 realm = AD.EXAMPLE.COM
 security = ads
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 template shell = /bin/bash
 winbind use default domain = true
 winbind enum users = yes
 winbind enum groups = yes
 winbind offline logon = false
 server string = Samba Server Version %v
 passdb backend = tdbsam
 load printers = yes
 cups options = raw
[homes]
 comment = Home Directories
 browseable = no
 writable = yes
[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes
[root@station19 ~]#
修改完smb.conf后重启winbind服务,getent passwd即可列出windows AD中的用户了
[root@station19 ~]# /etc/init.d/winbind restartShutting down Winbind services: [ OK ]Starting Winbind services: [ OK ][root@station19 ~]# wbinfo -uadministratorguestkrbtgtlinux-nssgatesuser2008[root@station19 ~]# getent passwdroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinnews:x:9:13:news:/etc/news:uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologinoperator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologingopher:x:13:30:gopher:/var/gopher:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologinnobody:x:99:99:Nobody:/:/sbin/nologindbus:x:81:81:System message bus:/:/sbin/nologinnscd:x:28:28:NSCD Daemon:/:/sbin/nologinvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologinpcap:x:77:77::/var/arpwatch:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologinavahi:x:70:70:Avahi daemon:/:/sbin/nologinrpc:x:32:32:Portmapper RPC user:/:/sbin/nologinmailnull:x:47:47::/var/spool/mqueue:/sbin/nologinsmmsp:x:51:51::/var/spool/mqueue:/sbin/nologinsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinoprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologinhaldaemon:x:68:68:HAL daemon:/:/sbin/nologinavahi-autoipd:x:100:156:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologinrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologinnfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologinxfs:x:43:43:X Font 
Server:/etc/X11/fs:/sbin/nologingdm:x:42:42::/var/gdm:/sbin/nologinstudent:x:500:500::/home/student:/bin/bashvisitor:x:501:501::/home/visitor:/bin/bashadministrator:*:16777217:16777216:Administrator:/home/AD/administrator:/bin/bashguest:*:16777218:16777217:Guest:/home/AD/guest:/bin/bashkrbtgt:*:16777219:16777216:krbtgt:/home/AD/krbtgt:/bin/bashlinux-nss:*:16777220:16777216:Linux-NSS:/home/AD/linux-nss:/bin/bashgates:*:16777216:16777216:Bill Gates:/home/AD/gates:/bin/bashuser2008:*:16777221:16777216:User2008:/home/AD/user2008:/bin/bash[root@station19 ~]# 补充,上文中在加入AD域时碰到“DNS update failed!”的错误,这是因为默认Linux客户端没有和Windows AD服务器在同一个域里面。可通过在Linux客户端的/etc/hosts里面加条和Windows AD服务器在同一个域(ad.example.com)的主机名解决:[root@station19 ~]# cat /etc/hosts# Do not remove the following line, or various programs# that require network functionality will fail.127.0.0.1 localhost.localdomain localhost::1 localhost6.localdomain6 localhost6192.168.0.19 station19.ad.example.com station19.example.com station19[root@station19 ~]# authconfig-tui [/usr/bin/net join -w AD -S w2k8.ad.example.com -U Linux-NSS]Linux-NSS's password:<...> Using short domain name -- ADJoined 'STATION19' to realm 'AD.EXAMPLE.COM'Shutting down Winbind services: [ OK ]Starting Winbind services: [ OK ][root@station19 ~]# REF:1. Windows AD和ldap结合出问题http://phorum.study-area.org/index.php?topic=65043.0转载地址:http://vstai.baihongyu.com/