Joining Linux to a Windows Domain

Test environment:

DC: Windows Server 2003 R2, IP 192.168.1.236, hostname wfserver01, domain wf01
Linux: CentOS 5.5

1. Edit the configuration files

Configure Kerberos (the network authentication protocol) so that Linux can authenticate against the Windows domain:

# vi /etc/krb5.conf

# krb5.conf only honours whole-line comments (starting with # or ;), so the notes below sit on their own lines
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# the realm is the domain name in upper case
default_realm = WF01
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
WF01 = {
# IP address of the domain controller
kdc = 192.168.1.236:88
admin_server = 192.168.1.236:749
default_domain = WF01
}

[domain_realm]
# which domain names map to the realm
.wf01 = WF01
wf01 = WF01

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

2. Connect to the AD server

1) kinit WF01

The Kerberos kinit command tests communication with the server. The WF01 after it is your Active Directory domain name and must be upper case; otherwise you will get the error:

kinit(v5): Cannot find KDC for requested realm while getting initial credentials.

If communication works you are prompted for a password. If the password is correct you are simply returned to the bash prompt; if it is wrong you get:

kinit(v5): Preauthentication failed while getting initial credentials.

This step shows that the host can already talk to the AD server, but it does not mean the Samba server has joined the domain yet.

2) Configure smb.conf

# vi /etc/samba/smb.conf

# smb.conf also only honours whole-line comments, so the notes are kept on their own lines
[global]
# must be your own (short) domain name; WF01 in this environment
workgroup = WF01
realm = WF01
# the Linux host name
netbios name = VBIRDSERVER
# uid range for Windows users on Linux
idmap uid = 10000-20000
# gid range for Windows groups on Linux
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
# domain separator
winbind separator = /
; winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
security = ads
encrypt passwords = yes
password server = 192.168.1.236

[homes]
path = /home/%U
browseable = no
writable = yes
valid users = wf01/%U
# 0777 as in the original post; 0700 keeps each home directory private to its owner
create mode = 0777
directory mode = 0777

3) Configure nsswitch.conf

# vi /etc/nsswitch.conf

Change the following entries:

# look up local Linux users first, then Windows users
passwd: files winbind
shadow: files winbind
group: files winbind

4) Start the samba and winbind services

service smb start
service winbind start

5) Join the AD domain

Run net ads join -S 192.168.1.236 -U administrator and enter the password when prompted.

On success it reports:

Using short domain name -- WF01
Joined 'VBIRDSERVER' to realm 'WF01'

To have home directories created automatically for domain users, edit /etc/pam.d/system-auth and add:

session required /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel

(umask=0022 creates home directories that every local account can read; use umask=0077 if they should be private to their owner.)

Other commands:

To leave the Windows domain from Linux:

net ads leave -S <AD server IP> -U administrator

Some test commands:

wbinfo -t   checks the machine trust account with the AD server (is winbind connected?)
wbinfo -u   lists the users in AD
wbinfo -g   lists the groups in AD
getent passwd   lists the passwd database, which should now include the domain users via winbind
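Most failed joins in a setup like this come from inconsistencies between the three files edited above: a realm that is not upper case, an smb.conf realm that differs from the krb5.conf default_realm, a workgroup that is not the short domain name, a lost %U, or a trailing comment that both parsers read as part of the value. As an added example that is not part of the original post, here is a small Python pre-flight checker for those files, run here against constructed copies of the configuration; it also flags world-writable [homes] modes.

```python
import re

def parse_ini(text):
    """Flat parser for krb5.conf / smb.conf text. Only whole-line '#' or ';'
    comments are skipped (as the real parsers do); '{ }' blocks are flattened."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def check_domain_join(krb5_text, smb_text, nsswitch_text):
    """Return findings that would break 'net ads join' or winbind lookups for
    the setup on this page, plus hardening warnings for the [homes] share."""
    krb5, smb = parse_ini(krb5_text), parse_ini(smb_text)
    g, homes, findings = smb.get("global", {}), smb.get("homes", {}), []
    for sect in list(krb5.values()) + list(smb.values()):
        for k, v in sect.items():
            if "#" in v or ";" in v:  # a trailing comment becomes part of the value
                findings.append("inline comment in value of '%s'" % k)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    if not realm or realm != realm.upper():
        findings.append("krb5 default_realm missing or not upper case")
    if realm.lower() not in krb5.get("realms", {}):
        findings.append("no [realms] entry for the default_realm")
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf needs 'security = ads' for an AD join")
    if g.get("realm", "") != realm:
        findings.append("smb.conf realm does not match krb5 default_realm")
    if g.get("workgroup", "").upper() != realm.split(".")[0]:
        findings.append("workgroup does not match the realm's short domain name")
    if "%" not in g.get("template homedir", "%U"):
        findings.append("template homedir has no %U substitution")
    for key in ("create mode", "directory mode"):
        if int(homes.get(key, "0700"), 8) & 0o002:  # world-writable home share
            findings.append("%s is world-writable; prefer 0700 for [homes]" % key)
    nss = dict(l.split(":", 1) for l in nsswitch_text.splitlines() if ":" in l)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, ""):
            findings.append("nsswitch %s line does not include winbind" % db)
    return findings
```

Feed it the real files with open("/etc/krb5.conf").read() and so on; an empty list means the three files agree with each other.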
