сервис_winbind [2019/07/05 10:28] val [Использование WINBIND в библиотеке NSSWITCH] |
сервис_winbind [2023/03/19 16:16] val [Управление ключами KERBEROS в режиме ADS] |
Line 5: | Line 5: | ||
===== Установка службы winbindd ===== | ===== Установка службы winbindd ===== | ||
- | ==== FreeBSD ==== | ||
- | <code> | ||
- | [gate:~] # pkg install samba41 | ||
- | [gate:~] # cat /etc/rc.conf | ||
- | </code><code> | ||
- | samba_server_enable="YES" | ||
- | nmbd_enable="NO" | ||
- | smbd_enable="NO" | ||
- | winbindd_enable="YES" | ||
- | </code><code> | ||
- | [gate:~] # cd /usr/local/etc/ | ||
- | </code> | ||
==== Debian/Ubuntu ==== | ==== Debian/Ubuntu ==== | ||
<code> | <code> | ||
- | debian# cp /etc/samba/smb.conf /root/ | ||
- | |||
- | debian# apt purge samba samba-common | ||
- | |||
- | debian# apt autoremove | ||
- | |||
- | debian# rm -r /etc/samba/ | ||
- | |||
root@gate:~# apt install winbind | root@gate:~# apt install winbind | ||
- | |||
- | root@gate:~# cd /etc/samba | ||
</code> | </code> | ||
Line 36: | Line 14: | ||
==== Регистрация unix системы в домене в режиме ADS ==== | ==== Регистрация unix системы в домене в режиме ADS ==== | ||
- | <code> | ||
- | freebsd# cat smb4.conf | ||
- | linux# cat smb.conf | + | * !!! Удалить все старые принципалы сервисов, привязанные к gate |
+ | |||
+ | <code> | ||
+ | gate# cat /etc/samba/smb.conf | ||
</code><code> | </code><code> | ||
[global] | [global] | ||
Line 46: | Line 25: | ||
realm = CORPX.UN | realm = CORPX.UN | ||
kerberos method = system keytab | kerberos method = system keytab | ||
- | winbind use default domain = Yes | + | winbind use default domain = Yes |
</code><code> | </code><code> | ||
gate# net ads join -U Administrator | gate# net ads join -U Administrator | ||
+ | |||
+ | или | ||
+ | |||
+ | gate# kinit Administrator | ||
+ | gate# net ads join -k | ||
+ | |||
+ | gate# net ads testjoin | ||
gate# host gate | gate# host gate | ||
- | freebsd# service samba_server start | + | gate# service winbind restart |
- | или | + | |
- | linux# service winbind restart | + | |
gate# wbinfo -t | gate# wbinfo -t | ||
Line 64: | Line 48: | ||
<code> | <code> | ||
gate# net ads leave -U Administrator | gate# net ads leave -U Administrator | ||
+ | или | ||
+ | gate# net ads leave -k | ||
gate# rm /etc/krb5.keytab | gate# rm /etc/krb5.keytab | ||
Line 70: | Line 56: | ||
==== Управление ключами KERBEROS в режиме ADS ==== | ==== Управление ключами KERBEROS в режиме ADS ==== | ||
- | !!! Перезагрузить клиентов и сервисы | + | * !!! Перезагрузить клиентов и сервисы |
+ | * [[https://www.opennet.ru/opennews/art.shtml?num=49267|Выпуск Samba 4.9.0]] | ||
- | === На UNIX системе === | + | === На Linux системе === |
<code> | <code> | ||
- | gate# net ads keytab create -U Administrator # Возможно, это не обязательно | + | gate# klist -ek /etc/krb5.keytab |
- | gate# net ads keytab add HTTP -U Administrator | + | gate# kinit Administrator |
- | gate# net ads keytab add imap -U Administrator | + | samba4.9+# net ads keytab add_update_ads HTTP -k |
- | gate# net ads keytab add cifs -U Administrator # Почему то не нужно, откуда берется, не понятно | + | samba4.9+# net ads keytab add_update_ads imap -k |
- | gate# net ads keytab add xmpp -U Administrator # С MS AD не работает, но, можно оставить через ktpass, с samba4 - OK ... | + | samba4.9+# net ads keytab add_update_ads smtp -k |
+ | |||
+ | samba4.9+# net ads keytab add_update_ads xmpp -k # С MS AD не работает, но, можно оставить через ktpass, с samba4 - OK ... | ||
- | freebsd# ktutil list | + | gate# klist -ek /etc/krb5.keytab |
- | или | + | |
- | linux# klist -ek /etc/krb5.keytab | + | gate# net ads setspn list gate |
+ | </code> | ||
+ | |||
+ | Пример команд на будущее (сейчас пишет в keytab файл http в нижнем регистре) | ||
+ | |||
+ | <code> | ||
+ | # net ads setspn add HTTP/gate.corp13.un | ||
+ | |||
+ | # net ads keytab create -k | ||
</code> | </code> | ||
Line 118: | Line 115: | ||
==== Авторизация в режиме ADS/DOMAIN ==== | ==== Авторизация в режиме ADS/DOMAIN ==== | ||
<code> | <code> | ||
- | gate# cat smb.conf | + | gate# wbinfo -n user1 |
+ | |||
+ | gate# cat /etc/samba/smb.conf | ||
</code><code> | </code><code> | ||
[global] | [global] | ||
... | ... | ||
winbind use default domain = Yes | winbind use default domain = Yes | ||
- | + | ||
+ | winbind expand groups = 1 | ||
winbind enum users = yes | winbind enum users = yes | ||
winbind enum groups = yes | winbind enum groups = yes | ||
Line 129: | Line 129: | ||
idmap config * : range = 20000-40000 | idmap config * : range = 20000-40000 | ||
template homedir = /home/%U | template homedir = /home/%U | ||
+ | #use suitable shell (what abount /usr/sbin/nologin ?) | ||
template shell = /bin/sh | template shell = /bin/sh | ||
</code><code> | </code><code> | ||
- | freebsd# service samba_server restart | + | gate# service winbind restart |
- | или | + | |
- | linux# service winbind restart | + | |
</code> | </code> | ||
Line 141: | Line 140: | ||
<code> | <code> | ||
- | gate# wbinfo -n user1 | + | gate# wbinfo -S `wbinfo -n user1|cut -d' ' -f1` |
- | gate# wbinfo -S ... | + | |
gate# wbinfo -i user1 | gate# wbinfo -i user1 | ||
</code><code> | </code><code> | ||
Line 150: | Line 149: | ||
</code><code> | </code><code> | ||
... | ... | ||
- | group: files winbind | + | passwd: files systemd winbind |
- | passwd: files winbind | + | group: files systemd winbind |
- | shadow: files winbind | + | shadow: files winbind |
... | ... | ||
</code><code> | </code><code> | ||
+ | Может понадобиться, если установлен nscd | ||
debian# service nscd restart && service nscd reload | debian# service nscd restart && service nscd reload | ||
Line 160: | Line 160: | ||
gate# getent passwd | gate# getent passwd | ||
- | </code> | + | |
- | * [[https://bugzilla.samba.org/show_bug.cgi?id=12176|Bug 12176 - wbinfo doesn't shows member users of a group any more]] | + | |
- | <code> | + | |
gate# getent group | gate# getent group | ||
Line 170: | Line 168: | ||
gate# chown -R user2:'domain users' /home/user2/ | gate# chown -R user2:'domain users' /home/user2/ | ||
gate# chown user2 /var/mail/user2 | gate# chown user2 /var/mail/user2 | ||
+ | |||
+ | |||
</code> | </code> | ||
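Review bot: In the "Авторизация в режиме ADS/DOMAIN" hunk (Line 129) the retained `template shell = /bin/sh` gives every domain account resolved through winbind an interactive login shell on the gateway, and the newly added comment only asks whether `/usr/sbin/nologin` would be better; unless shell access for all domain users is intended, `template shell = /usr/sbin/nologin` is the least-privilege default, and the comment has a typo — `#use suitable shell (what about /usr/sbin/nologin ?)`. The same hunk keeps `winbind enum users = yes` / `winbind enum groups = yes` as context, which lets any local account enumerate the whole domain via `getent`; this is presumably deliberate for the `getent passwd` / `getent group` checks further down the page, but it is worth a comment saying so. In the "Управление ключами KERBEROS" hunk, after `net ads keytab add_update_ads … -k` rewrites `/etc/krb5.keytab`, the page could add a check that the file stays root-only, e.g. `ls -l /etc/krb5.keytab` (expected mode 0600), since it holds the host's service keys; the later "Пример команд на будущее" block with `net ads keytab create -k` should also say that it regenerates the keytab, as the section's own "!!! Перезагрузить клиентов и сервисы" warning implies.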