Can Ubuntu join a Windows AD domain? (Ubuntu series)
How do you join an Ubuntu system to a domain environment?
Q: First, what is a Windows domain?
A: A Windows domain is a form of computer network in which all user accounts, computers, printers and other security principals are registered in a central database that lives on one or more central clusters of computers called domain controllers. Authentication takes place on the domain controllers. Everyone who uses a computer in the domain receives a unique user account, which can then be granted access rights to resources inside that domain.
So can the Linux hosts we routinely run business workloads on be joined to a Windows domain-controlled environment?
The experiment below answers that question.
Environment:
The experiment was carried out on virtual machines on a VMware virtualisation platform:
1 Windows Server 2008 R2 machine acting as the domain controller
1 Ubuntu virtual machine
OS versions: Ubuntu 18, Windows Server 2008 R2
Preparation
- Install both virtual machines
- Set up Windows Server 2008 R2 as the AD domain controller and DNS server (not covered in detail here; this article is about joining an Ubuntu system to a Windows AD domain controller)
- Point the DNS of both VMs at the AD domain controller's address
- Once the preparation is done, take a snapshot of both machines so they can be restored quickly if anything goes wrong (skip this on physical hardware)
Note: IP addressing differs from network to network, but DNS must resolve both internal and external names. Internal means resolving the domain controller's domain name; external means resolving public Internet names, because part of the procedure fetches packages from the Internet, and without offline packages that is how the software gets installed.
Windows Server 2008 R2 configuration:
Domain environment: Windows Server 2000 native mode
IP address: 10.1.1.101
Mask: 24
Gateway: 10.1.1.1
DNS: 10.1.1.101 (or 127.0.0.1)
(Note: 127.0.0.1 here is the machine itself, because it is the DNS server)
Kylin V10 configuration:
IP address: 10.1.1.102
Mask: 24
Gateway: 10.1.1.1
DNS: 10.1.1.102
Secondary DNS: 114.114.114.114 (we need Internet access during the procedure, so keep one public resolver for external names)
With the preparation complete, let's begin!
Procedure
1. Install the time synchronisation service
(Note: domain operations require the clocks on both ends, the domain controller and the member host, to agree. If ntpdate cannot be installed, synchronise the time by hand; a difference of no more than 30 s is acceptable. The domain name seen in Figures 1-2 and 1-3 below is that of the domain controller in this environment and will differ elsewhere.)
$ sudo apt-get install ntpdate
Figure 1-1
$ sudo ntpdate -q dc.zhaolf.com
Figure 1-2
$ sudo ntpdate -q dc.zhaolf.com
Figure 1-3
2. Install the software needed to join the domain
$ sudo apt-get install -y samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
Below are some partial screenshots; installation is already in progress
Figure 2-1
While the Kerberos packages are being installed you are prompted for the default realm: enter the domain name in UPPERCASE and press Enter to continue.
Figure 2-2
Select <Yes> here
Figure 2-3
3. Test obtaining a Kerberos ticket from the domain controller
$ kinit administrator
(Note: you will be asked for the password. The user name after kinit is a user on the domain controller; besides administrator it can be any other user created there)
Figure 3-1
$ klist
(Note: this shows the ticket; you can see the domain user just tested and the AD realm)
Figure 3-2
4. Configure Samba
This is a very important step: it joins our host to the Active Directory domain using Samba 4's ADS mode. (Many online tutorials say to move the default Samba configuration aside and create a new smb.conf under /etc/samba/, but that did not work for me; instead I backed up the default smb.conf and then edited smb.conf directly, which is fine because a backup exists.)
$ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.backup
(Note: back up the default Samba configuration as smb.conf.backup)
Figure 4-1
$ sudo vim /etc/samba/smb.conf
(Note: edit the Samba configuration so that the samba service runs in ADS mode)
I recommend copying the following into /etc/samba/smb.conf:
[global]
workgroup = ZHAOLF
realm = zhaolf.com
netbios name = ubuntu
security = ADS
dns forwarder = 192.168.6.101
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Figure 4-2
Replace the following parameters to match your own environment:
workgroup: the workgroup (NetBIOS domain name)
realm: the domain name
netbios name: the NetBIOS name of this host
dns forwarder: the DNS server address
Because winbind use default domain makes winbind treat every account that logs in as an AD account, do not set this parameter if a local account shares its name with a domain account.
5. Join the Windows AD domain
$ sudo net ads join -U administrator
(Note: joins this host to the Windows AD domain; the user after -U is a user in the domain, enter that user's password when prompted)
Figure 5-1
6. Configure the services
$ sudo systemctl restart smbd nmbd winbind
(Note: restart the services only after the host has joined the Windows domain controller; this order must not be changed)
Figure 6-1
$ sudo systemctl stop samba-ad-dc
(Note: stop the service we do not need)
Figure 6-2
$ sudo systemctl enable smbd nmbd winbind
(Note: enable the three services we need at boot, so they start automatically on every reboot)
Figure 6-3
7. Enable local authentication of domain accounts
$ sudo vim /etc/nsswitch.conf
(Note: to authenticate AD accounts locally we need to modify some configuration files on the local machine; the result is shown in Figure 7-1)
Figure 7-1
8. Test whether the machine has joined the domain
$ wbinfo -u
(Note: lists the users in the domain)
Figure 8-1
$ wbinfo -g
(Note: lists the user groups in the domain)
Figure 8-2
9. Test whether the winbind module works
$ sudo getent passwd
(Note: if the users on the domain controller are returned, winbind is working. Winbind rarely fails; if there is a problem it is most likely on the domain controller)
Figure 9-1
$ sudo getent group
(Note: if the groups on the domain controller are returned, winbind is working. Winbind rarely fails; if there is a problem it is most likely on the domain controller)
Figure 9-2
10. Create home directories automatically
$ pam-auth-update
(Note: in the package configuration screen tick the fifth item, so that a home directory is created automatically when a domain user logs in)
Figure 10-1
11. (I don't know what this step is for either)
$ sudo vim /etc/pam.d/common-account
Figure 11-1
12. Testing
$ wbinfo -u
(Note: to check whether this Ubuntu host has joined the domain, use wbinfo -u to list the domain's accounts)
Figure 12-1
$ wbinfo -g
(Note: to check whether this Ubuntu host has joined the domain, use wbinfo -g to list the domain's groups)
Figure 12-2
$ sudo getent passwd
(Note: use getent to view the domain users and test the winbind NSS module; domain users usually appear in the last few lines of the output)
$ sudo getent group
(Note: use getent to view the domain groups and test the winbind NSS module; domain groups usually appear in the last few lines of the output)
13. Login test
On the console, log in to the Ubuntu host with an AD domain account
$ su - harry
(Note: harry is a user created on the domain controller; this tests whether a domain account can log in locally)
Figure 13-1
14. Modify the LightDM display manager
(Note: the Ubuntu login screen does not offer a manual user name/password entry by default, so the LightDM display manager must be modified)
Action: on Kylin OS, add the following to /usr/share/lightdm/lightdm.conf.d/60-kylin.conf
File contents:
[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
greeter-show-manual-login=true
allow-guest=false
15. Grant domain users sudo rights
$ sudo visudo
%domain^users ALL=(ALL:ALL) NOPASSWD:ALL
(Note: visudo checks the syntax of /etc/sudoers before saving, so a typo cannot lock you out of sudo.) Here users is the user group created on the domain controller. Bear in mind that this line gives every member of that group passwordless root on the host, so it is better applied to a dedicated administrative group than to all domain users.
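A post-join health check covering steps 1, 7, 9 and 12 above, added here as an example; it is not part of the original article or the author's script. It assumes the lab's domain name ZHAOLF and the "template homedir = /home/%D/%U" setting from step 4, and each check reads a file so it can be run offline on captured output (the sample inputs below are constructed, not real lab output).

```bash
#!/bin/bash
# Added post-join health check; not part of the original tutorial or its script.
# Every check reads a file, so it can be run offline on captured output:
#   ntpdate -q dc.zhaolf.com > skew.txt ; getent passwd > passwd.txt

# Step 1: |offset| from "ntpdate -q <dc>" must stay under the 30 s the tutorial
# allows for Kerberos. Returns 0 if within limit, 1 if not, 2 if no offset seen.
check_time_skew() {            # $1 = file with ntpdate -q output, $2 = limit in seconds
    awk -v limit="$2" '
        /^server / { for (i = 1; i < NF; i++) if ($i == "offset") { off = $(i+1) + 0; found = 1 } }
        END { if (!found) exit 2
              if (off < 0) off = -off
              printf "clock offset to DC: %.3f s\n", off
              exit ((off <= limit) ? 0 : 1) }' "$1"
}

# Step 7: passwd, group and shadow in nsswitch.conf must all list winbind,
# otherwise getent and login never consult the domain.
check_nsswitch() {             # $1 = path to an nsswitch.conf
    awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            for (i = 2; i <= NF; i++) if ($i == "winbind") seen[$1] = 1 }
        END { exit ((seen["passwd:"] && seen["group:"] && seen["shadow:"]) ? 0 : 1) }' "$1"
}

# Steps 9/12: with "template homedir = /home/%D/%U" every domain account that
# winbind resolves gets a home under /home/<DOMAIN>/, so counting those entries
# in getent passwd output shows whether the winbind NSS module is working.
count_domain_users() {         # $1 = file with getent passwd output, $2 = domain name
    awk -F: -v dom="$2" 'index(tolower($6), "/home/" tolower(dom) "/") == 1 { n++ }
                         END { print n + 0 }' "$1"
}

# Constructed sample inputs (not real output from the lab) so the script runs offline.
d=$(mktemp -d)
printf 'server 10.1.1.101, stratum 3, offset -0.412, delay 0.02580\n' > "$d/skew.txt"
printf 'passwd: files winbind\ngroup: files winbind\nshadow: files winbind\n' > "$d/nsswitch.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nharry:*:50001:50000::/home/ZHAOLF/harry:/bin/bash\n' > "$d/passwd.txt"

check_time_skew "$d/skew.txt" 30      || echo "FAIL: clock skew too large, redo step 1 first"
check_nsswitch  "$d/nsswitch.conf"    || echo "FAIL: winbind missing from nsswitch.conf (step 7)"
echo "domain users visible via NSS: $(count_domain_users "$d/passwd.txt" ZHAOLF)"
rm -rf "$d"
```

Replace the constructed files with live output from the member host to check a real join.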
16. Lessons learned
Learning Linux is a rather tedious process, and the articles on the Internet about joining Linux to a Windows domain are all over the place, so I simply retraced the path walked by those before me. I have also written a separate shell script for joining the domain (really just a bundle of commands). It was written for an environment where the internal and external networks are separate; for testing, just change the key parameters and run it:
#!/bin/bash
# Automated domain-join script for Ubuntu; run as root.
# Optional: refresh the package index and upgrade first
#apt update
#apt list --upgradable
#apt upgrade
#apt-get update
#apt-get upgrade
[ "$(id -u)" -eq 0 ] || { echo "This script must be run as root"; exit 1; }
echo "--------------------------------------Welcome to the automated domain-join script--------------------------------------"
echo "Note: this script is only for a **specific external+internal network setup and for Ubuntu hosts not yet joined to an AD domain. Check the requirements carefully before use:
1. Make sure the host has both internal and external network connectivity
2. Make sure both networks are reachable
3. Make sure the package sources update correctly
4. Be aware that the procedure is not reversible:
"
# Wait for a single keypress without echoing it
get_char()
{
SAVEDSTTY=$(stty -g)
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty $SAVEDSTTY
}
echo "First, make sure the host can reach the Internet! Press any key to continue!"
char=$(get_char)
apt-get install -y ntpdate
apt-get install -y samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
echo "--------------------------------------Component installation complete--------------------------------------"
echo "Operator: switch to the internal network now!! Switch to the internal network now!! Press any key to continue!! Press any key to continue!!"
char=$(get_char)
ntpdate -q zhaolf.com   # edit point 1: the domain name of our domain server
ntpdate zhaolf.com      # edit point 2: the domain name of our domain server
echo "Time synchronisation complete!"
echo "Enter the password of the domain account 'administrator' as the join credential:"
kinit administrator     # 'administrator' is our domain user
klist
echo "Confirm the domain test succeeded! Press any key to continue!! Press any key to continue!!"
char=$(get_char)
echo "Installation and testing of the domain-join components complete!"
cp /etc/samba/smb.conf /etc/samba/smb.conf.back
# Write the Samba configuration with a quoted heredoc so that $, \ and the
# embedded double quotes in the config are copied verbatim
cat > /etc/samba/smb.conf <<'EOF'
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = zhaolf
realm = zhaolf.com
netbios name = kylin
security = ADS
dns forwarder = 192.168.6.101
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# server string is the equivalent of the NT Description field
# server string = %h server (Samba, Ubuntu)
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
; comment = Home Directories
; browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
; read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
; create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
; valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
EOF
echo "--------------------------------------Samba configuration complete--------------------------------------"
# Fail early if the new smb.conf has a syntax error
testparm -s /etc/samba/smb.conf > /dev/null || { echo "smb.conf has errors; fix it and rerun"; exit 1; }
echo "Enter the password of the domain account 'administrator' as the test credential:"
net ads join -U administrator || { echo "Domain join failed"; exit 1; }
wbinfo -u
echo "Confirm the domain join succeeded! Press any key to continue!! Press any key to continue!!"
char=$(get_char)
systemctl restart smbd nmbd winbind
systemctl stop samba-ad-dc
systemctl enable smbd nmbd winbind
# Route passwd/group/shadow lookups through winbind as well as the local files
cat > /etc/nsswitch.conf <<'EOF'
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
passwd: files winbind
group: files winbind
shadow: files winbind
#gshadow: files
hosts: files dns wins
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
EOF
wbinfo -u
echo "Confirm you can now list the other users in the domain! Press any key to continue!"
char=$(get_char)
getent passwd
echo "Confirm the domain users' password entries are listed correctly! Press any key to continue!"
char=$(get_char)
pam-auth-update
# Create the home directory on a domain user's first login
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-account
# Let LightDM offer a manual user name/password login for domain accounts
cat > /usr/share/lightdm/lightdm.conf.d/60-kylin.conf <<'EOF'
[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
greeter-show-manual-login=true
allow-guest=false
EOF
echo "Testing complete, welcome to zhaolf.com!"