Shulou(Shulou.com)06/01 Report--
This article walks through the complete procedure for joining a Linux system to a Windows domain.
Join Linux to a Windows domain
1. Samba
First, make sure the samba package is installed on your Linux system, then use the following commands to check that it was built with the required library support. A standard RPM installation generally has no problems here.
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...
# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...
# smbd -b | grep ADS
WITH_ADS
WITH_ADS
# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND
2. Krb5 configuration
Edit the following three sections in /etc/krb5.conf. Suppose your domain name is SZ.AAA.COM and the domain controller is dc01.sz.aaa.com / 192.168.1.200.
[libdefaults]
default_realm = SZ.AAA.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
SZ.AAA.COM = {
kdc = 192.168.1.200:88
admin_server = 192.168.1.200:749
default_domain = SZ.AAA.COM
}
[domain_realm]
.sz.aaa.com = SZ.AAA.COM
sz.aaa.com = SZ.AAA.COM
Realm names are case-sensitive, so keep the case in this file exactly as shown. Otherwise you may encounter the error "Cannot find KDC for requested realm while getting initial credentials" when testing the connection with kinit.
# kinit Administrator@SZ.AAA.COM
Password for Administrator@SZ.AAA.COM
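A check for the case mismatch described above, as an added example that is not part of the original article: it parses krb5.conf text and lists every realm reference (default_realm, [domain_realm] targets, and the realm in the kinit principal) that matches a [realms] entry only when case is ignored. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample: [realms] spells the realm in lower case while the other
# sections use upper case, the kind of mismatch the article warns about.
SAMPLE_BAD = """\
[libdefaults]
 default_realm = SZ.AAA.COM
[realms]
 sz.aaa.com = {
  kdc = 192.168.1.200:88
 }
[domain_realm]
 .sz.aaa.com = SZ.AAA.COM
"""

def parse_krb5(text):
    """Return (default_realm, names under [realms], [domain_realm] targets)."""
    section, depth = None, 0
    default_realm, realms, targets = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1].strip(), 0
        elif line == "}":
            depth -= 1
        elif not m or line[0] in "#;":      # blank, comment or unparsable line
            continue
        elif m.group(2).startswith("{"):    # opens a subsection such as a realm
            if section == "realms" and depth == 0:
                realms.append(m.group(1))
            depth += 1
        elif depth == 0 and section == "libdefaults" and m.group(1) == "default_realm":
            default_realm = m.group(2)
        elif depth == 0 and section == "domain_realm":
            targets.append(m.group(2))
    return default_realm, realms, targets

def realm_case_problems(text, principal):
    """Realm references that match a [realms] entry only when case is ignored."""
    default_realm, realms, targets = parse_krb5(text)
    used = {"default_realm": default_realm,
            "principal": principal.partition("@")[2] or default_realm}
    used.update({f"domain_realm[{i}]": t for i, t in enumerate(targets)})
    by_lower = {r.lower(): r for r in realms}
    return [f"{where}: {name} vs [realms] {by_lower[name.lower()]}"
            for where, name in used.items()
            if name and name not in realms and name.lower() in by_lower]
```

Calling realm_case_problems(open("/etc/krb5.conf").read(), "Administrator@SZ.AAA.COM") before running kinit returns an empty list when every reference agrees in case with [realms].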
3. Samba configuration
Edit /etc/samba/smb.conf as follows:
[global]
workgroup = SZ
realm = SZ.AAA.COM
security = ADS
password server = 192.168.1.200
encrypt passwords = yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
[homes]
comment = Home Directories
valid users = %S
read only = no
browseable = no
Save the file and use testparm to check the configuration for possible syntax errors.
If there are no errors, restart the samba service.
Then join the domain with net ads join -S 192.168.1.200 -U Administrator; you will be prompted for the domain administrator password.
4. Winbind configuration
Edit /etc/nsswitch.conf and change passwd and group to the following (whether the first entry is files depends on whether your Linux system is configured with NIS; if NIS is configured, it is compat):
passwd: files winbind
group: files winbind
After saving, (re)start the samba service and (re)start winbind.
Use wbinfo -u to retrieve the users and wbinfo -g to retrieve the user groups to test whether winbind is working normally.
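With passwd and group resolved from files and then winbind, a local account or group whose numeric ID already lies inside the idmap range from section 3 can end up sharing that ID with a domain user or group that winbind maps there. The following added check (not part of the original article) reads the ranges from smb.conf text and lists local entries that fall inside them; the passwd and group contents are constructed samples.

```python
import re

# Constructed samples: the idmap ranges from the smb.conf above, plus a made-up
# /etc/passwd and /etc/group with one local entry inside each range.
SMB_CONF = """\
[global]
idmap uid = 10000-20000
idmap gid = 10000-20000
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
backup:x:10050:100:constructed local account:/home/backup:/bin/bash
"""
GROUP = """\
root:x:0:
staff:x:15000:backup
"""

def idmap_range(smb_conf, key):
    """Return (low, high) for 'idmap uid' or 'idmap gid' in smb.conf text."""
    for line in smb_conf.splitlines():
        # smb.conf parameter names are case-insensitive
        m = re.match(rf"\s*{key}\s*=\s*(\d+)\s*-\s*(\d+)\s*$", line, re.IGNORECASE)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError(f"{key} is not set")

def local_ids_in_range(db_text, low, high):
    """(name, id) pairs from passwd- or group-format text with low <= id <= high."""
    hits = []
    for line in db_text.splitlines():
        fields = line.split(":")   # third field is the UID (passwd) or GID (group)
        if len(fields) >= 3 and fields[2].isdigit() and low <= int(fields[2]) <= high:
            hits.append((fields[0], int(fields[2])))
    return hits

def idmap_collisions(smb_conf, passwd, group):
    """Local users and groups whose IDs fall inside winbind's idmap ranges."""
    return {
        "uid": local_ids_in_range(passwd, *idmap_range(smb_conf, "idmap uid")),
        "gid": local_ids_in_range(group, *idmap_range(smb_conf, "idmap gid")),
    }
```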
5. NTLM user verification module for Apache
The source code of the module can be obtained from the link below.
http://samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/
Building the source requires apxs, which is installed with a source build of Apache. Either add the apxs path to the PATH variable, or change it in the Makefile and run make install. Otherwise, enter the module directory and perform the following installation:
autoconf
./configure
apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
The mod_auth_ntlm_winbind.so module should then be generated under /usr/local/apache2/modules.
6. Apache configuration
Add the following to httpd.conf:
LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
And configure the following in the Directory section that requires NTLM verification:
AuthName "SZ.AAA.COM"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
Require valid-user
Domain user / user group permissions can be set for the corresponding directory.
Summary of experience:
1. According to the winbind developers, the samba+winbind shipped with CentOS causes a lot of unexpected problems, so Version 3.0.26a-SerNet-RedHat is used (you can get the required client, common and winbind packages from http://enterprisesamba.com/index.php?id=64).
CentOS 4.2 (2.6.9-22) ships with samba 3.0.10-1.4E.2.
2. With Version 3.0.26a-SerNet-RedHat, the file permission of /var/lib/samba/winbindd_privileged (/var/cache/samba/winbindd_privileged in the samba version bundled with CentOS) must be 777, otherwise Apache may report 500 Internal Server Error.
3. Delete the file mentioned in 2 manually before restarting the winbind service; otherwise the restart will fail because of the changed file permission.
4. The user for kinit and for net ads join -S does not have to be Administrator, and the same user can be used for both. Of course, the user must have permission to add machines to the Windows NT domain.
5. By changing the relevant verification configuration files under /etc/pam.d/, you can easily configure domain user integration for su, ssh, login, ftp, etc.