root@gate:~# apt install winbind
gate# cat /etc/samba/smb.conf
[global]
    workgroup = CORPX
    security = ADS
    realm = CORPX.UN
    kerberos method = system keytab
    winbind use default domain = Yes
gate# net ads join -U Administrator
или
gate# kinit Administrator
gate# net ads join -k
gate# net ads testjoin
gate# host gate
gate# service winbind restart
gate# wbinfo -t
gate# wbinfo -u
gate# wbinfo -g
gate# net ads leave -U Administrator
или
gate# net ads leave -k
gate# rm /etc/krb5.keytab
gate# klist -ek /etc/krb5.keytab
gate# kinit Administrator
samba4.9+# net ads keytab add_update_ads HTTP -k
samba4.9+# net ads keytab add_update_ads imap -k
samba4.9+# net ads keytab add_update_ads smtp -k
samba4.9+# net ads keytab add_update_ads xmpp -k   # с MS AD не работает, но можно сделать через ktpass; с samba4 — OK
...
gate# klist -ek /etc/krb5.keytab
gate# net ads setspn list gate
Современный вариант
# net ads setspn add HTTP/gate.corp13.un
# net ads keytab create
но пока при создании /etc/krb5.keytab имя сервиса пишется как http в нижнем регистре, поэтому приходится
# sed -i'' 's/http/HTTP/g' /etc/krb5.keytab
(sed правит бинарный keytab «вслепую», заменяя все вхождения http, поэтому результат стоит проверить через klist -ek /etc/krb5.keytab)
Проверка:
C:\>setspn -L gate
[gate:~] # cat /etc/pam.d/sshd
...
auth sufficient /usr/local/lib/pam_winbind.so
auth required pam_unix.so no_warn try_first_pass
root@gate:~# more /etc/pam.d/sshd
...
auth sufficient pam_winbind.so
# Standard Un*x authentication.
...
gate# wbinfo -n user1   # на этом этапе может ещё не работать
gate# cat /etc/samba/smb.conf
[global]
    ...
    winbind use default domain = Yes
    winbind expand groups = 1
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 36
    idmap config * : range = 20000-40000
    template homedir = /home/%U
    # use a suitable shell (what about /usr/sbin/nologin ?)
    template shell = /bin/sh
gate# service winbind restart
!!! Тесты проходят с задержкой !!!
gate# wbinfo -S `wbinfo -n user1|cut -d' ' -f1`
gate# wbinfo -i user1
gate# apt install libnss-winbind
gate# cat /etc/nsswitch.conf
...
passwd: files systemd winbind
group:  files systemd winbind
shadow: files winbind
...
Может понадобиться, если установлен nscd:
debian# service nscd restart && service nscd reload
gate# id user1
gate# getent passwd
gate# getent group
gate# chown -R user1:'domain users' /home/user1/
gate# chown user1 /var/mail/user1
gate# chown -R user2:'domain users' /home/user2/
gate# chown user2 /var/mail/user2
gate# cat smb.conf
[global]
    workgroup = CORPX
    security = DOMAIN
    winbind use default domain = Yes
[gate:~] # /usr/local/etc/rc.d/samba stop
или
root@gate:~# /etc/init.d/winbind stop
gate# net rpc join -U root
Administrator's password:
Joined domain CORPX
[gate:~] # /usr/local/etc/rc.d/samba start
или
root@gate:~# /etc/init.d/winbind start
gate# wbinfo -t
gate# wbinfo -u
gate# wbinfo -g
gate# ntlm_auth --username=user1
password:
NT_STATUS_OK: Success (0x0)