    Winbind authentication against active directory

     

    Description

    This tip describes how to configure the authentication settings of CentOS so that users are authenticated against Windows servers (Active Directory) through winbind. I will describe how to do it on the command line; the command line arguments can be easily adapted to the GUI version. It is strongly recommended that you read the Samba documentation on this topic to understand how winbind works.

    WARNING: The commands given here will reconfigure authentication settings. Do not use them until you fully understand what they do. If you make any mistake you might not be able to login to your system!

     

    Prerequisites

    In order to use winbind you need to install the samba-common package.

     

    # yum install samba-common
    

    To join the CentOS machine to the Windows domain you need a valid domain admin account.

     

    Doing it

    Actually, everything is done in one long command line, which looks like this (replace the strings starting with $ to match your local settings):

     

    # authconfig \
    --update \
    --kickstart \
    --enablewinbind \
    --enablewinbindauth \
    --smbsecurity=ads \
    --smbworkgroup=$ADSWorkgroup \
    --smbrealm=$ADSDomain \
    --smbservers=$ADSServer \
    --winbindjoin=$AdminUser \
    --winbindtemplatehomedir=/home/%U \
    --winbindtemplateshell=/bin/bash \
    --enablewinbindusedefaultdomain \
    --enablelocauthorize
    

    Now that is an awful lot of parameters, let's see what they do:

    • --kickstart This tells authconfig not to run any UI (text UI or GTK).
    • --enablewinbind Turn on NSS lookups (users and groups) via winbind.
    • --enablewinbindauth Turn on authentication via winbind.
    • --smbsecurity=ads Set the samba security model to Active Directory mode.
    • --smbworkgroup= Classic (pre-Windows 2003 Server) NetBIOS name of the domain.
    • --smbrealm= Active Directory domain (e.g. yourcompany.com).
    • --smbservers= Name or list of AD servers to use. For a list of servers use quotes, e.g. "server1 server2 *". Actually winbind should find the right servers itself by asking DNS, but it may make sense to set them explicitly.
    • --winbindjoin= User name of the domain admin used to authenticate the domain join of the machine.
    • --winbindtemplatehomedir=/home/%U Path template for the home directories of users (%U is the smb.conf token for the username).
    • --winbindtemplateshell=/bin/bash Default shell to set for users.
    • --enablelocauthorize Also enable local authorization against /etc/passwd. Important!

     

    Additional parameters

    • --enablewinbindusedefaultdomain If you do not set this, your usernames will have the form "WORKGROUPNAME\username"; if you set it, they will have the more common form "username".
    • --enablemkhomedir (CentOS 5 only) Enable pam_mkhomedir, which automatically creates home directories on first login. This is only useful if you do not have central home directories on network storage. On CentOS 4 you can enable pam_mkhomedir manually by editing the PAM config for system-auth, but this file is regenerated by each execution of authconfig.

    PAM in CentOS uses stacking, so you can put other authentication methods here; for the complete list of options see

     

    # authconfig --help
    

    or the authconfig GUI.

     

    And then...

    Once you run the command it will rewrite the PAM system-auth config, run net ads join for you and ask for the password of the domain admin user given in --winbindjoin. Afterwards it disables nscd and enables winbindd. If that was successful you can check the winbind status with the wbinfo tool. To list the domain users use

     

    # wbinfo -u
    

    See wbinfo --help for details.
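    The whole procedure above, wrapped as an added example script (not part of the original page or of authconfig): it assembles the authconfig command from the $ placeholders, refuses to run if any placeholder is still empty, and then performs the post-join checks with wbinfo and getent. The site values (EXAMPLE, example.com, dc1.example.com) are constructed placeholders; the check functions only make sense on the joined CentOS host.

```bash
#!/bin/sh
# Added example, not from the original page or from authconfig.
# Dry-run wrapper around the winbind join: build the command for review,
# then verify the join. Site values below are constructed placeholders.

ADSWorkgroup="${ADSWorkgroup:-EXAMPLE}"
ADSDomain="${ADSDomain:-example.com}"
ADSServer="${ADSServer:-dc1.example.com}"
AdminUser="${AdminUser:-Administrator}"

# Print the authconfig command line without running it.
# Returns 1 if any placeholder is empty, so a half-edited configuration
# is never written into the PAM stack.
build_authconfig_cmd() {
    for v in ADSWorkgroup ADSDomain ADSServer AdminUser; do
        eval "val=\${$v}"
        if [ -z "$val" ]; then
            echo "error: $v is not set" >&2
            return 1
        fi
    done
    printf '%s' "authconfig --update --kickstart --enablewinbind --enablewinbindauth"
    printf ' %s' "--smbsecurity=ads" "--smbworkgroup=$ADSWorkgroup" \
        "--smbrealm=$ADSDomain" "--smbservers=$ADSServer" \
        "--winbindjoin=$AdminUser" "--winbindtemplatehomedir=/home/%U" \
        "--winbindtemplateshell=/bin/bash" \
        "--enablewinbindusedefaultdomain" "--enablelocauthorize"
    printf '\n'
}

# After the join (run as root on the CentOS host): confirm the machine
# trust account works and that NSS resolves a domain user, before you
# close the root shell you still have.
verify_join() {
    wbinfo -t || { echo "trust secret check failed" >&2; return 1; }
    wbinfo -u | head -n 5
    wbinfo -g | head -n 5
    # getent goes through NSS, so this proves --enablewinbind took effect
    getent passwd "$1" >/dev/null \
        || { echo "user $1 not resolvable via NSS" >&2; return 1; }
    echo "winbind join looks healthy"
}

# Usage:
#   sh join.sh --print          # review the command, then paste it as root
#   verify_join someuser        # after authconfig has run
if [ "${1:-}" = "--print" ]; then
    build_authconfig_cmd
fi
```

    Review the printed command before running it; if you pass a quoted server list to --smbservers, keep the quotes when you paste.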

     

    Additional things

     

    Kerberos Keytabs

    If you use Kerberos keytabs for services (e.g. httpd Kerberos authentication) you can manage them using the net command. To create the keytab file simply use

     

    # net ads keytab create
    

    To add a service principal (e.g. HTTP) to the keytab:

     

    # net ads keytab add HTTP
    

     

    Restricting access to given groups

    In /etc/security/pam_winbind.conf you can specify a Windows group with the parameter require_membership_of. Once this is set, only users who are members of this group can authenticate through pam_winbind. This will not work if you stack additional authentication methods (e.g. Kerberos or LDAP) that successfully authenticate the user, because the membership check lives in pam_winbind and is never consulted on those login paths.
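    An added example (not from the original page) that audits a system-auth style PAM file for exactly the failure mode just described: any auth module marked sufficient other than pam_unix (local accounts) and pam_winbind can log a domain user in without the require_membership_of check ever running. The sample file is a constructed copy of the usual authconfig layout with a pam_krb5 line added by hand.

```bash
#!/bin/sh
# Added example, not from the original page. Finds "auth sufficient"
# modules that bypass the pam_winbind group restriction.

# Constructed sample system-auth: authconfig layout plus a hand-added pam_krb5.
SAMPLE_SYSTEM_AUTH=$(mktemp)
cat >"$SAMPLE_SYSTEM_AUTH" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
EOF

# find_membership_bypass FILE
# Prints each "auth sufficient" module other than pam_unix/pam_winbind,
# one per line. Returns 1 if at least one was found, 0 if the stack is clean.
find_membership_bypass() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == "auth" && $2 == "sufficient" &&
            $3 !~ /pam_unix\.so$/ && $3 !~ /pam_winbind\.so$/ {
            print $3
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Usage: sh audit.sh --demo   (or point it at /etc/pam.d/system-auth)
if [ "${1:-}" = "--demo" ]; then
    find_membership_bypass "$SAMPLE_SYSTEM_AUTH" \
        || echo "require_membership_of can be bypassed by the module(s) above" >&2
fi
```

    Run it against /etc/pam.d/system-auth after every authconfig run, since that file is regenerated. If you genuinely need another auth module, enforce the group on a path every login passes instead, for example a pam_succeed_if "user ingroup" line in the account stack.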

     

    Deterministic userid/groupid mapping

    In the described (default) setup winbind does a dynamic Active Directory SID to Unix UID/GID mapping on each machine, so the same user can end up with different IDs on different hosts. This is not useful in scenarios where you need identical UIDs on different machines; the typical example is NFS. Winbind offers an algorithmic mapping scheme between SIDs and UIDs/GIDs: the idmap rid backend. To use it you have to manually add the following lines to the [global] section of /etc/samba/smb.conf:

       idmap domains = DOMAIN
       idmap config DOMAIN:backend      = rid
       idmap config DOMAIN:base_rid     = 0
       idmap config DOMAIN:range        = 20000 - 49999
    

    Where DOMAIN is the NetBIOS (WINS) name of your Active Directory domain. You can also map users from another trusted domain to a separate range. For details please consult the idmap_rid documentation: http://samba.org/samba/docs/man/manpages-3/idmap_rid.8.html. On CentOS 5 make sure you add those lines outside the range marked by:

    #--authconfig--start-line--
    ..
    #--authconfig--end-line--
    

    so it will not be touched by authconfig.
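    To see why the rid backend gives every host the same numbers, here is an added example (not from the page or from Samba) that applies the idmap_rid formula, ID = RID - base_rid + low_range, with the smb.conf values shown above (base_rid 0, range 20000 - 49999). The SIDs in the usage and checks are constructed; the function also reports RIDs that fall outside the range, which is the case winbind cannot map.

```bash
#!/bin/sh
# Added example, not from the original page or from Samba.
# Computes the Unix ID that idmap_rid assigns to a SID's RID using the
# settings from the smb.conf fragment above (constructed SIDs in comments).

RID_BASE=0
RANGE_LOW=20000
RANGE_HIGH=49999

# rid_to_id SID
# Prints the Unix UID/GID for the SID, or returns 1 when the RID maps
# outside the configured range (winbind would then fail to resolve the user).
rid_to_id() {
    sid=$1
    rid=${sid##*-}            # last component of S-1-5-21-...-RID
    case "$rid" in
        ''|*[!0-9]*) echo "malformed SID: $sid" >&2; return 1 ;;
    esac
    id=$((rid - RID_BASE + RANGE_LOW))
    if [ "$id" -lt "$RANGE_LOW" ] || [ "$id" -gt "$RANGE_HIGH" ]; then
        echo "RID $rid of $sid falls outside $RANGE_LOW-$RANGE_HIGH" >&2
        return 1
    fi
    echo "$id"
}

# Highest RID the configured range can hold; compare it with the largest
# RID in your domain before settling on "range".
max_mappable_rid() {
    echo $((RANGE_HIGH - RANGE_LOW + RID_BASE))
}

# Usage (constructed domain SID):
#   rid_to_id S-1-5-21-1004336348-1177238915-682003330-1105
if [ "${1:-}" != "" ]; then
    rid_to_id "$1"
fi
```

    Because the result depends only on the RID and the two smb.conf values, two NFS hosts with the same fragment agree on every UID; a domain whose RIDs exceed max_mappable_rid needs a wider range on all of them.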

    Original address: https://www.cnblogs.com/lkzf/p/3898052.html