Post #1
Subject: [wiki]ActiveDirectoryHowto
Posted: 2005-08-02 11:00
Forum administrator

Active Directory from Microsoft is a directory service that uses some open protocols, like Kerberos, LDAP and SSL.

There are several ways to use AD for authentication: you can use pam_krb5, LDAP or winbind. For Winbind see [ActiveDirectoryWinbindHowto].
Kerberos: pam_krb5
Configure AD:

For pam_krb5 you do not need to configure anything.
pam_krb5

# apt-get install krb5-user libpam-krb5

Package info: krb5-user-1.3.4-4 MIT Kerberos5, libpam-krb5-1.0-8 MIT Kerberos5

set up /etc/krb5.conf, e.g.

[logging]
default = FILE:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = windc.example.com
admin_server = windc.example.com
default_domain = example.com
}


[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Replace windc.example.com with the IP or FQDN of your Windows domain controller and EXAMPLE.COM with your Kerberos realm, which is typically the domain name in uppercase.

Check whether you can obtain a Kerberos ticket:

# kinit user
Password for user@EXAMPLE.COM: ...

# klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: user@EXAMPLE.COM

Valid starting Expires Service principal
11/26/04 11:23:53 11/26/04 21:23:53 krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

set up /etc/pam.d/common-auth, e.g.

auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

set up /etc/pam.d/common-session, e.g.

session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Note: kpasswd for password changing does not work.

Note: The user from AD has to exist in /etc/passwd on the Ubuntu workstation; you can also use libnss-ldap to get the account info from AD.
LDAP: libnss-ldap
Configure AD

It is necessary to extend the AD LDAP schema with the UNIX attributes: install "UNIX Services for Windows" from Microsoft (I used version 3.5). SFU: http://www.microsoft.com/windows/sfu/
libnss-ldap

Install libnss-ldap and the Name Service Caching Daemon for better performance.

# apt-get install libnss-ldap nscd

Package info: libnss-ldap-211-4, nscd-2.3.2-ds1-13ubuntu2

set up /etc/nsswitch.conf for ldap, e.g.

passwd: compat ldap
shadow: compat ldap
group: compat ldap

hosts: files dns
networks: files dns

services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files

automount: files
aliases: files

set up /etc/libnss-ldap.conf, e.g.

# Replace windc.example.com with your Windows DC
uri ldap://windc.example.com/

base dc=example,dc=com
ldap_version 3

# Add a user to AD, that can read the container
# with the users, that you want use.
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw cvfd123

scope sub
timelimit 30


pam_filter objectclass=User

pam_login_attribute sAMAccountName
pam_lookup_policy yes

# Modify ou=User,dc=e... to your container with your users.
nss_base_passwd ou=User,dc=example,dc=com?sub
nss_base_shadow ou=User,dc=example,dc=com?sub
nss_base_group ou=User,dc=example,dc=com?sub

# For MSSFU:
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName

Note: With this config the LDAP traffic is unencrypted and someone can sniff it. To make it secure, use SSL.

set up /etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

set up /etc/pam.d/common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient pam_ldap.so
account required pam_unix.so

Other useful config files:

* login.defs
* nscd.conf


https://wiki.ubuntu.com/ActiveDirectoryHowto


_________________
Purify the mind until it is like empty space, far from delusion and all grasping, so that wherever the mind turns there is no obstruction.
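The common-auth stacks in the post above rely on PAM control flags: `sufficient` short-circuits on success, `required` records a failure but keeps walking the stack, and the trailing `pam_deny.so` makes the fail-closed result explicit. The following Python model is an added example written for this page (not part of the wiki or of Linux-PAM); it walks a stack with `required`/`requisite`/`sufficient`/`optional` semantics and reports which modules were actually consulted. Module outcomes come from a constructed dictionary rather than real authentication, and the bracketed `[success=1 default=ignore]` syntax is deliberately not modelled.

```python
"""Model of Linux-PAM control-flag semantics, applied to the howto's
common-auth stacks. Added example; a simplified model, not Linux-PAM code."""

# Constructed input: the two common-auth stacks shown in the howto.
KRB5_COMMON_AUTH = """\
auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
"""

LDAP_COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""

# Modules whose result does not depend on the user: pam_deny always fails,
# pam_permit always succeeds.
ALWAYS_FAIL = {"pam_deny.so"}
ALWAYS_PASS = {"pam_permit.so"}


def parse_stack(text):
    """Return (type, control, module, args) for each non-comment line.
    The bracketed '[success=1 default=ignore]' control syntax is not modelled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append((parts[0], parts[1], parts[2], tuple(parts[3:])))
    return entries


def evaluate(stack_text, outcomes):
    """Walk the stack with `outcomes` (module -> True for PAM_SUCCESS, False
    for any failure; modules not listed fail). Returns (granted, consulted):
    `consulted` is the list of modules actually invoked, in order."""
    impression = None  # None: no required/sufficient module has counted yet
    consulted = []
    for _type, control, module, _args in parse_stack(stack_text):
        consulted.append(module)
        if module in ALWAYS_FAIL:
            ok = False
        elif module in ALWAYS_PASS:
            ok = True
        else:
            ok = outcomes.get(module, False)

        if control in ("required", "requisite"):
            if ok:
                impression = impression or "positive"
            else:
                impression = "negative"
                if control == "requisite":  # requisite: stop on failure
                    return False, consulted
                # required: keep walking so the caller cannot tell which
                # module failed (no information leak about the account)
        elif control == "sufficient":
            # sufficient: success ends the stack unless an earlier required
            # module already failed; failure is simply ignored
            if ok and impression != "negative":
                return True, consulted
        elif control == "optional":
            pass  # only counts when it is the sole module; ignored here
        else:
            raise ValueError(f"unsupported control flag: {control}")
    # Falling off the end with no positive result is a failure (Linux-PAM's
    # final sanity check), so an all-sufficient stack that never succeeds
    # still denies; the explicit pam_deny line just makes that visible.
    return impression == "positive", consulted


if __name__ == "__main__":
    for name, stack in (("krb5", KRB5_COMMON_AUTH), ("ldap", LDAP_COMMON_AUTH)):
        for outcomes in ({"pam_krb5.so": True, "pam_ldap.so": True},
                         {"pam_unix.so": True}, {}):
            print(name, outcomes, "->", evaluate(stack, outcomes))
```

Running the script shows why `use_first_pass` matters on the second line: `pam_unix.so` is only consulted after `pam_krb5.so` (or `pam_ldap.so`) has failed, and the password already collected is reused rather than prompted for again.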


 
Post #2
Posted: 2005-08-25 13:31

I'll claim this one... heh

===============================================

Active Directory, as a directory service from Microsoft, uses some open protocols such as Kerberos, LDAP and SSL.

There are several ways to authenticate using AD: you can use pam_krb5, LDAP or winbind. For using Winbind, see [Active Directory WinbindHowto].



Kerberos: pam_krb5
Configure AD:

pam_krb5 needs no configuration.
pam_krb5

Code:
#apt-get install krb5-user libpam-krb5


Package info: krb5-user-1.3.4-4 MIT Kerberos5, libpam-krb5-1.0-8 MIT Kerberos5

Adjust the configuration in /etc/krb5.conf as follows

Code:
[logging]
default = FILE:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = windc.example.com
admin_server = windc.example.com
default_domain = example.com
}


[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM


Replace windc.example.com in the configuration file with the IP or fully qualified domain name of your Windows domain controller, and replace EXAMPLE.COM with your Kerberos realm; the domain name here must be in uppercase.

If you can obtain a Kerberos ticket like this, we can carry on:

Code:
# kinit user
Password for user@EXAMPLE.COM: ...

# klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: user@EXAMPLE.COM

Valid starting Expires Service principal
11/26/04 11:23:53 11/26/04 21:23:53 krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Set up /etc/pam.d/common-auth, e.g.

Code:
auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so


Set up /etc/pam.d/common-session, e.g.

Code:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077


Note: kpasswd does not work because the password has changed.

Note: the user from AD must exist on the Ubuntu workstation; you can use libnss-ldap to obtain the account information from AD.
LDAP: libnss-ldap
Configure AD

First, the AD LDAP schema must be extended with the UNIX attributes: install Microsoft's "UNIX Services for Windows" (I used version 3.5). SFU: http://www.microsoft.com/windows/sfu/
libnss-ldap

Install libnss-ldap and the name service caching daemon

Code:
# apt-get install libnss-ldap nscd


Package info: libnss-ldap-211-4, nscd-2.3.2-ds1-13ubuntu2

Set up /etc/nsswitch.conf for ldap, e.g.

Code:
passwd: compat ldap
shadow: compat ldap
group: compat ldap

hosts: files dns
networks: files dns

services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files

automount: files
aliases: files


Set up /etc/libnss-ldap.conf, e.g.

Code:
# Replace windc.example.com with your Windows DC
uri ldap://windc.example.com/

base dc=example,dc=com
ldap_version 3

# Add a user to AD, that can read the container
# with the users, that you want use.
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw cvfd123

scope sub
timelimit 30


pam_filter objectclass=User

pam_login_attribute sAMAccountName
pam_lookup_policy yes

# Modify ou=User,dc=e... to your container with your users.
nss_base_passwd ou=User,dc=example,dc=com?sub
nss_base_shadow ou=User,dc=example,dc=com?sub
nss_base_group ou=User,dc=example,dc=com?sub

# For MSSFU:
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName

Note: With this config the LDAP traffic is unencrypted and someone can sniff it. To make it secure, use SSL.

set up /etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass


Set up /etc/pam.d/common-account

Code:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient pam_ldap.so
account required pam_unix.so


Other useful config files:

* login.defs
* nscd.conf


https://wiki.ubuntu.com/ActiveDirectoryHowto

===============================================


_________________
Standing alone on this stage, hearing the applause rise....
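The howto above configures DES and triple-DES enctypes in krb5.conf and, in its own note, warns that the LDAP traffic is unencrypted while the bind password sits in /etc/libnss-ldap.conf. As an added example (written for this page, not taken from the wiki or from the nss_ldap project), the Python below parses both file formats and reports those weaknesses so a workstation build can be checked before it is rolled out. The sample configs are constructed copies of the howto's settings; the hardened variants, the AES enctype names, `ldaps://` and the `ssl`/`tls_checkpeer` option names are assumptions about the reader's domain controller and nss_ldap build, and the DES/3DES deprecation refers to RFC 6649 and RFC 8429.

```python
"""Audit the howto's krb5.conf and libnss-ldap.conf for deprecated enctypes
and cleartext/credential exposure. Added example, not part of the wiki page."""
import stat

# Constructed inputs: the howto's sample settings, and hardened variants
# written for this example (AES enctypes, ldaps:// and tls_checkpeer are
# assumptions about what the reader's DC and nss_ldap build support).
PAGE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = windc.example.com
admin_server = windc.example.com
}
"""
HARDENED_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
PAGE_LIBNSS_LDAP_CONF = """\
uri ldap://windc.example.com/
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw cvfd123
"""
HARDENED_LIBNSS_LDAP_CONF = """\
uri ldaps://windc.example.com/
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD
tls_checkpeer yes
"""

# Enctype families deprecated for Kerberos: single DES (RFC 6649), triple DES
# and RC4 (RFC 8429).
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse krb5.conf's '[section]', 'key = value' and 'key = { ... }' lines
    into nested dicts (enough for the howto's file, not the full grammar)."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif not stack:
            continue  # a key/value before any section header: ignore it
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root


def parse_kv_conf(text):
    """Parse 'keyword value...' lines; keywords may repeat (nss_map_attribute),
    so each keyword maps to the list of its values in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key, []).append(value.strip())
    return conf


def audit_krb5_conf(text):
    """Return one finding per deprecated enctype listed in [libdefaults]."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    return [f"KRB5_WEAK_ENCTYPE {key}={enc}"
            for key in ENCTYPE_KEYS
            for enc in libdefaults.get(key, "").split()
            if enc.lower().startswith(WEAK_ENCTYPE_PREFIXES)]


def audit_libnss_ldap(text, mode=None):
    """Return findings for cleartext LDAP, unverified TLS peers and a bind
    password readable by other users. `mode` is the file's st_mode, if known."""
    conf = parse_kv_conf(text)
    findings = []
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()  # nss_ldap 'ssl on|start_tls' (assumed)
    uris = [u for line in conf.get("uri", []) for u in line.split()]
    encrypted = [u.lower().startswith("ldaps://") or ssl_mode in ("on", "start_tls")
                 for u in uris]
    findings += [f"LDAP_CLEARTEXT uri={u}" for u, enc in zip(uris, encrypted) if not enc]
    if any(encrypted) and conf.get("tls_checkpeer", ["no"])[-1].lower() != "yes":
        findings.append("LDAP_NO_PEER_VERIFY")  # TLS without server verification
    if "bindpw" in conf and mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("LDAP_BINDPW_READABLE")  # group/world-readable secret
    return findings


if __name__ == "__main__":
    print(audit_krb5_conf(PAGE_KRB5_CONF))       # four KRB5_WEAK_ENCTYPE findings
    print(audit_krb5_conf(HARDENED_KRB5_CONF))   # []
    print(audit_libnss_ldap(PAGE_LIBNSS_LDAP_CONF, mode=0o644))
    print(audit_libnss_ldap(HARDENED_LIBNSS_LDAP_CONF, mode=0o600))  # []
```

Because nsswitch consults libnss-ldap.conf for every user's lookups, the file normally has to stay world-readable, which is why the `bindpw` finding is about the file mode rather than the option itself; keeping a read-only bind account with minimal rights, as the howto's `ldapreader` comment suggests, limits what the exposed password is worth.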


 
Post #3
Posted: 2005-08-26 23:37
Forum administrator

http://www.ubuntu.org.cn/support/docume ... howto_view


_________________
Purify the mind until it is like empty space, far from delusion and all grasping, so that wherever the mind turns there is no obstruction.


 
Post #4
Posted: 2006-07-30 20:44

Fixed a few places and added one translated passage (really just one sentence).
The newly added English parts are still waiting to be translated.
http://wiki.ubuntu.org.cn/ActiveDirectoryHowto


_________________
https://weakish.github.io

