Change history
Edit by kostik87, (current version):
Well, besides specifying the DNS servers you also need to configure /etc/krb5.conf, nsswitch and pam.d.
Editing the Samba config alone is not enough.
Here is an example from Debian:
apt install samba winbind krb5-user libpam-krb5 libnss-winbind libpam-winbind
In /etc/krb5.conf you describe your DNS suffix and specify the name of the domain controller
[libdefaults]
default_realm = GZHIRO.LOCAL
[realms]
# the block name must be the realm named in default_realm (and in smb.conf "realm")
GZHIRO.LOCAL = {
kdc = dc-01.gzhiro.local
admin_server = dc-01.gzhiro.local
default_domain = GZHIRO.LOCAL
}
[domain_realm]
.gzhiro.local = GZHIRO.LOCAL
In /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind files systemd
group: compat winbind files systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
You specify that groups (group) and users (passwd) can also be looked up through winbind.
In /etc/samba/smb.conf do roughly this:
/etc/samba/smb.conf
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
# workgroup = WORKGROUP
workgroup = GZHIRO
realm = GZHIRO.LOCAL
security = ADS
netbios name = WS-01
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
allocation roundup size = 4096
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = No
#restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
admin users = @"GZHIRO.LOCAL\Администраторы домена"
passdb backend = tdbsam
# "idmap uid" / "idmap gid" are obsolete; ranges are set per domain with "idmap config"
# idmap uid = 10000-400000
# idmap gid = 10000-400000
template shell = /bin/bash
# the domain name here must match "workgroup" above, otherwise the domain's SIDs
# fall through to the "*" backend; the two ranges must not overlap
idmap config GZHIRO : backend = rid
idmap config GZHIRO : range = 10000-89999
idmap config * : backend = autorid
idmap config * : range = 100000-400000
You must set the netbios name parameter; without it the machine cannot be joined to the domain.
Configure pam.d:
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_winbind.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
This adds winbind support. Note mkhomedir, so that home directories get created for domain users.
/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=3 default=ignore] pam_unix.so nullok try_first_pass
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
Restart only
systemctl restart nmbd
systemctl restart smbd
Do the join:
net ads join -U admin@GZHIRO
See how the join went; if it succeeded, run:
systemctl restart winbind
If the join did not succeed, figure out why.
After restarting winbind, check that the system sees domain users and groups:
getent passwd
getent group
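The post's configs illustrate how easily the three files drift apart: the krb5.conf realm block, the smb.conf realm/workgroup and the idmap domain all have to name the same domain, and the idmap ranges must not overlap or two different SIDs can land on the same uid. The script below is an added example, not kostik87's code or part of Samba; it cross-checks constructed copies of the three files (modelled on the post, with its slips left in) and reports every mismatch before you run `net ads join`. The sample file contents, the parsers and the finding texts are this example's own.

```python
"""Added example (not from the post): cross-check that smb.conf, krb5.conf and
nsswitch.conf agree before `net ads join`. Minimal parsers; constructed samples."""
import configparser
import re

# Constructed sample modelled on the post's configs, with its slips kept in:
# the realm block is OMEGA.LOCAL while default_realm is GZHIRO.LOCAL, the idmap
# domain is LAN while the workgroup is GZHIRO, and idmap uid/gid are obsolete.
KRB5_CONF = """
[libdefaults]
    default_realm = GZHIRO.LOCAL
[realms]
    OMEGA.LOCAL = {
        kdc = dc-01.gzhiro.local
    }
"""
SMB_CONF = """
[global]
workgroup = GZHIRO
realm = GZHIRO.LOCAL
security = ADS
netbios name = WS-01
idmap uid = 10000-400000
idmap gid = 10000-400000
idmap config LAN : backend = rid
idmap config LAN : range = 10000-89999
idmap config * : backend = autorid
idmap config * : range = 100000-400000
"""
NSSWITCH_CONF = "passwd: compat winbind files systemd\ngroup: compat winbind files systemd\n"


def parse_krb5_conf(text):
    """[section] of key = value lines plus one level of name = { ... } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[(\S+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif section is None:
            continue
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            block = section.setdefault(m.group(1), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (section if block is None else block)[key.strip()] = value.strip()
    return conf


def parse_smb_conf(text):
    """[global] as a dict; keys keep case, only '=' splits (so 'idmap config X : range' is one key)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    items = cp["global"].items() if cp.has_section("global") else []
    return {re.sub(r"\s+", " ", k).strip(): v.strip() for k, v in items}


def parse_nsswitch(text):
    """database -> ordered list of sources."""
    return {db.strip(): src.split() for db, sep, src in
            (l.split("#", 1)[0].partition(":") for l in text.splitlines()) if sep}


def check_ad_member_config(krb5_text, smb_text, nss_text):
    """Return a list of findings; an empty list means the three files agree."""
    krb5, smb, nss = parse_krb5_conf(krb5_text), parse_smb_conf(smb_text), parse_nsswitch(nss_text)
    out = []
    realm, workgroup = smb.get("realm", "").upper(), smb.get("workgroup", "").upper()
    if not smb.get("netbios name"):
        out.append("smb.conf: netbios name is missing, the join will fail")
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()
    if default_realm != realm:
        out.append(f"krb5.conf: default_realm {default_realm!r} != smb.conf realm {realm!r}")
    realms = krb5.get("realms", {})
    if realm not in realms:
        out.append(f"krb5.conf: no [realms] block for {realm!r} (found {sorted(realms)})")
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            out.append(f"nsswitch.conf: {db} does not list winbind")
    for old in ("idmap uid", "idmap gid"):
        if old in smb:
            out.append(f"smb.conf: '{old}' is obsolete, use 'idmap config * : range'")
    # idmap: both '*' and the workgroup need a range, and ranges must not
    # overlap (an overlap lets two different SIDs map to the same uid).
    ranges = {}
    for key, value in smb.items():
        if m := re.fullmatch(r"idmap config (\S+) : range", key):
            ranges[m.group(1).upper()] = tuple(int(x) for x in value.split("-"))
    for dom in ("*", workgroup):
        if dom not in ranges:
            out.append(f"smb.conf: no idmap range for {dom!r} (configured: {sorted(ranges)})")
    by_start = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (_, hi1)), (d2, (lo2, _)) in zip(by_start, by_start[1:]):
        if lo2 <= hi1:
            out.append(f"smb.conf: idmap ranges of {d1} and {d2} overlap")
    return out
```

Run `check_ad_member_config` on the real files (read them from /etc) before the join; on the sample above it reports the missing GZHIRO.LOCAL realm block, the two obsolete idmap lines and the missing idmap range for GZHIRO, and returns an empty list once those are corrected.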
Edit by kostik87, :
Well, besides specifying the DNS servers you also need to configure /etc/krb5.conf, nsswitch and pam.d.
Editing the Samba config alone is not enough.
Original version by kostik87, :
Well, besides specifying the DNS servers you also need to configure /etc/krb5.conf, nsswitch and pam.d.
Editing the Samba config alone is not enough.