This shows you the differences between two versions of the page.
| сервис_winbind [2021/02/25 16:19] val [Авторизация в режиме ADS/DOMAIN] | сервис_winbind [2024/05/29 07:16] (current) val [Авторизация в режиме ADS/DOMAIN] | ||
|---|---|---|---|
| Line 8: | Line 8: | ||
| ==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
| <code> | <code> | ||
| - | debian# cp /etc/samba/smb.conf /root/ | ||
| - | |||
| - | debian# apt purge samba samba-common | ||
| - | |||
| - | debian# apt autoremove | ||
| - | |||
| - | debian# rm -r /etc/samba/ | ||
| - | |||
| root@gate:~# apt install winbind | root@gate:~# apt install winbind | ||
| </code> | </code> | ||
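Review bot: the removed lines at the top of the Debian/Ubuntu `<code>` block take the only backup of an existing configuration (`cp /etc/samba/smb.conf /root/`) with them, while the following sections still work on `/etc/samba/smb.conf` in place. If the purge/autoremove sequence is no longer wanted, keep the `cp` line or add a sentence telling readers to save a pre-existing smb.conf before `apt install winbind`.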
| Line 22: | Line 14: | ||
| ==== Регистрация unix системы в домене в режиме ADS ==== | ==== Регистрация unix системы в домене в режиме ADS ==== | ||
| + | |||
| + | * !!! Удалить все старые принципалы сервисов, привязанные к gate | ||
| + | |||
| <code> | <code> | ||
| gate# cat /etc/samba/smb.conf | gate# cat /etc/samba/smb.conf | ||
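Review bot: the added bullet (`* !!! Удалить все старые принципалы сервисов, привязанные к gate`, i.e. remove all old service principals bound to gate) states a precondition for the join but not where or how to satisfy it. Say on which side the cleanup happens and give the command, or link to the section that has it, so the step can be verified before the machine is registered.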
| Line 30: | Line 25: | ||
| realm = CORPX.UN | realm = CORPX.UN | ||
| kerberos method = system keytab | kerberos method = system keytab | ||
| - | winbind use default domain = Yes | + | winbind use default domain = Yes |
| </code><code> | </code><code> | ||
| gate# net ads join -U Administrator | gate# net ads join -U Administrator | ||
| Line 53: | Line 48: | ||
| <code> | <code> | ||
| gate# net ads leave -U Administrator | gate# net ads leave -U Administrator | ||
| + | или | ||
| + | gate# net ads leave -k | ||
| gate# rm /etc/krb5.keytab | gate# rm /etc/krb5.keytab | ||
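Review bot: the added `или` and `gate# net ads leave -k` sit inside the `<code>` block as if both were commands, and the `-k` variant only works with a valid Kerberos ticket already in the cache. Turn `или` into a `#` comment and mention the `kinit` that the second form depends on.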
| Line 64: | Line 61: | ||
| === На Linux системе === | === На Linux системе === | ||
| <code> | <code> | ||
| - | gate# net ads keytab add HTTP -k | + | gate# klist -ek /etc/krb5.keytab |
| - | samba4.9# net ads keytab add_update_ads HTTP -k | + | |
| - | gate# net ads keytab add imap -U Administrator | + | gate# kinit Administrator |
| - | samba4.9# net ads keytab add_update_ads imap -k | + | |
| - | gate# net ads keytab add xmpp -k # С MS AD не работает, но, можно оставить через ktpass, с samba4 - OK ... | + | samba4.9+# net ads keytab add_update_ads HTTP -k |
| - | samba4.9# net ads keytab add_update_ads xmpp -k | + | |
| + | samba4.9+# net ads keytab add_update_ads imap -k | ||
| + | |||
| + | samba4.9+# net ads keytab add_update_ads smtp -k | ||
| + | |||
| + | samba4.9+# net ads keytab add_update_ads xmpp -k # С MS AD не работает, но, можно оставить через ktpass, с samba4 - OK ... | ||
| gate# klist -ek /etc/krb5.keytab | gate# klist -ek /etc/krb5.keytab | ||
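Review bot: the new sequence runs `kinit Administrator` on gate and never discards the ticket, so a domain administrator TGT stays in root's credential cache after the keytab entries are added. Add `kdestroy` after the last `net ads keytab add_update_ads ... -k` line. The prompt `samba4.9+#` also reads as a hostname; a `gate#` prompt with a `# Samba 4.9 and later` comment would be clearer.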
| Line 78: | Line 78: | ||
| </code> | </code> | ||
| - | Пример команд на будущее (сейчас пишет в keytab файл http в нижнем регистре) | + | Современный вариант |
| <code> | <code> | ||
| # net ads setspn add HTTP/gate.corp13.un | # net ads setspn add HTTP/gate.corp13.un | ||
| - | # net ads keytab create -k | + | # net ads keytab create |
| + | |||
| + | но, пока, при создании /etc/krb5.keytab пишет http в нижнем регистре , поэтому, приходится | ||
| + | # sed -i'' 's/http/HTTP/g' /etc/krb5.keytab | ||
| </code> | </code> | ||
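Review bot: the added `sed -i'' 's/http/HTTP/g' /etc/krb5.keytab` edits a binary keytab in place with a global pattern, so it rewrites every `http` byte sequence in the file, including any that fall inside key material or other principal names, and leaves no copy to fall back to. Copy the keytab aside first and follow the edit with `klist -ek /etc/krb5.keytab` to confirm the entries still parse. The explanatory sentence starting `но, пока,` should sit outside the `<code>` block or behind `#`.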
| Line 115: | Line 118: | ||
| ==== Авторизация в режиме ADS/DOMAIN ==== | ==== Авторизация в режиме ADS/DOMAIN ==== | ||
| <code> | <code> | ||
| - | gate# cat /etc/samba/smb.confsmb.conf | + | gate# wbinfo -n user1 # может не работать на этом этапе |
| + | |||
| + | gate# cat /etc/samba/smb.conf | ||
| </code><code> | </code><code> | ||
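Review bot: the added first line, `gate# wbinfo -n user1`, carries a comment saying it may not work at this stage, which leaves the reader unsure whether a failure is expected or a fault. Either move the command after the smb.conf change shown below it, or state what output to expect before and after. The `smb.confsmb.conf` path correction on the following line is fine.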
| [global] | [global] | ||
| Line 121: | Line 126: | ||
| winbind use default domain = Yes | winbind use default domain = Yes | ||
| + | winbind expand groups = 1 | ||
| winbind enum users = yes | winbind enum users = yes | ||
| winbind enum groups = yes | winbind enum groups = yes | ||
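Review bot: `winbind expand groups = 1` is added without a comment on why it is needed or what the value means. It sets the nesting depth winbindd follows when listing group members, so a one-line note on the purpose would keep the next editor from dropping it; the neighbouring `winbind enum users` / `winbind enum groups` lines could take the same kind of note.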
| Line 126: | Line 132: | ||
| idmap config * : range = 20000-40000 | idmap config * : range = 20000-40000 | ||
| template homedir = /home/%U | template homedir = /home/%U | ||
| + | #use suitable shell (what abount /usr/sbin/nologin ?) | ||
| template shell = /bin/sh | template shell = /bin/sh | ||
| </code><code> | </code><code> | ||
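Review bot: the added comment above `template shell = /bin/sh` asks the question (`what abount /usr/sbin/nologin ?`) instead of answering it, and contains a typo (`abount`). This value becomes the login shell of every domain account resolved through winbind, so state when `/bin/sh` is actually required and recommend `/usr/sbin/nologin` for hosts where domain users do not need an interactive login.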
| Line 136: | Line 143: | ||
| <code> | <code> | ||
| - | gate# wbinfo -n user1 | + | gate# wbinfo -S `wbinfo -n user1|cut -d' ' -f1` |
| - | gate# wbinfo -S ... | + | |
| gate# wbinfo -i user1 | gate# wbinfo -i user1 | ||
| </code><code> | </code><code> | ||
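Review bot: in the new `wbinfo -S` line the backtick substitution is unquoted and unchecked, so when `wbinfo -n user1` fails, `wbinfo -S` runs with no argument and the error points at the wrong step. Use a quoted `$(...)` substitution, or keep the two commands separate as before so the SID stays visible. `cut -d' ' -f1` also relies on the SID being the first space-separated field of the output, which is worth a comment.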
| Line 145: | Line 152: | ||
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | group: files winbind | + | passwd: files systemd winbind |
| - | passwd: files winbind | + | group: files systemd winbind |
| - | shadow: files winbind | + | shadow: files winbind |
| ... | ... | ||
| </code><code> | </code><code> | ||
| + | Может понадобиться, если установлен nscd | ||
| debian# service nscd restart && service nscd reload | debian# service nscd restart && service nscd reload | ||
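Review bot: `shadow: files winbind` is carried over with only a whitespace change, although winbind's NSS module serves passwd and group lookups, not shadow; `shadow: files` is enough. `systemd` is added to the passwd and group lines without explanation, and the new sentence `Может понадобиться, если установлен nscd` sits inside the `<code>` block as if it were a command, so prefix it with `#`.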
| Line 155: | Line 163: | ||
| gate# getent passwd | gate# getent passwd | ||
| - | </code> | + | |
| - | * [[https://bugzilla.samba.org/show_bug.cgi?id=12176|Bug 12176 - wbinfo doesn't shows member users of a group any more]] | + | |
| - | <code> | + | |
| gate# getent group | gate# getent group | ||
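Review bot: removing the `Bug 12176` link between `gate# getent passwd` and `gate# getent group` also removes the only hint about why `getent group` may list groups without their members. If the issue no longer applies, say so in the edit summary; otherwise keep a one-line comment at `getent group` telling the reader what to check when members are missing.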
| Line 165: | Line 171: | ||
| gate# chown -R user2:'domain users' /home/user2/ | gate# chown -R user2:'domain users' /home/user2/ | ||
| gate# chown user2 /var/mail/user2 | gate# chown user2 /var/mail/user2 | ||
| + | |||
| + | |||
| </code> | </code> | ||