
Aug 25

Integrating Debian Lenny into Active Directory

Since integrating Linux into Active Directory can run into a number of problems, I decided to write a short how-to.

Network

The most important thing that has to work is DNS resolution. Both the name of the domain controller and the host's own hostname must resolve (if need be, create the host's own name in DNS by hand).

Here is a working example configuration with a static IP address.

debian:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.32
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
broadcast 192.168.1.255
debian:~# cat /etc/resolv.conf
search example.org
nameserver 192.168.1.2

Activate the new configuration with

debian:~# ifdown eth0
debian:~# ifup eth0

Installing the packages

debian:~# aptitude install libkrb53 krb5-{admin-server,kdc} samba winbind ntpdate ntp ssh

Configuring the services

First, stop the services that were just installed.

debian:~# /etc/init.d/samba stop && /etc/init.d/winbind stop && /etc/init.d/ntp stop

Kerberos

debian:~# nano /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.ORG
#The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
EXAMPLE.ORG = {
kdc = dc.example.org
admin_server = dc.example.org
}
[domain_realm]
.example.org = EXAMPLE.ORG
example.org = EXAMPLE.ORG
[login]
krb4_convert = true
krb4_get_tickets = false

ntp

debian:~# nano /etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
driftfile /var/lib/ntp/ntp.drift
 
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
 
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
 
# You do need to talk to an NTP server or two (or three).
server 10.247.57.2
 
# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#server 0.debian.pool.ntp.org iburst dynamic
#server 1.debian.pool.ntp.org iburst dynamic
#server 2.debian.pool.ntp.org iburst dynamic
#server 3.debian.pool.ntp.org iburst dynamic
 
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
 
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
 
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
 
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
 
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
 
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
 
Then synchronise the clock once by hand, start the service and check it:

debian:~# ntpdate dc.example.org
debian:~# /etc/init.d/ntp start
debian:~# ntpq -p

WINBIND

wbr-svkdvtws3:~# cat /etc/samba/smb.conf
[global]
workgroup = EXAMPLE
realm = EXAMPLE.ORG
netbios name = debian
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = yes

NSSWITCH

debian:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
 
passwd: compat winbind
group: compat winbind
shadow: compat
 
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
 
rpc: db files
netgroup: nis

PAM

debian:~# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

Joining the AD

It is important that samba and winbind are not running, so:

debian:~# /etc/init.d/samba stop && /etc/init.d/winbind stop

Now the computer account can be created and the machine rebooted.

debian:~# net ads join -U domadmin (domadmin = a domain administrator account)
debian:~# reboot

Tests & Fixes

Tests

If something does not work, there are several things to try.
- Does DNS resolution work?

debian:~# nslookup dc.example.org
debian:~# host <IP of the DC> (reverse lookup test)
debian:~# nslookup debian.example.org
debian:~# host <IP of the host> (reverse lookup test)

- Are all services on the domain controller reachable?

debian:~# telnet dc.example.org 445

- Is time synchronisation working?

debian:~# ntpq -p

- Check the logs

/var/log/samba/log.winbindd
/var/log/messages
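The checks listed above (DNS forward and reverse resolution, DC port reachability, NTP offset), bundled into one script as an added example that is not part of the original post. It assumes the post's names dc.example.org and debian.example.org (overridable via the DC and SELF variables) and that nc or bash is available for the port test; the 300 s limit is the Kerberos default clock-skew tolerance.

```shell
#!/bin/sh
# ad_precheck.sh: pre-join checks for the Debian/AD setup described above.
# Added example, not from the original post. Assumes the post's names
# (dc.example.org, debian.example.org) and nc or bash for the port test.
DC="${DC:-dc.example.org}"
SELF="${SELF:-$(hostname -f 2>/dev/null || hostname)}"
MAX_SKEW_MS=300000   # Kerberos default clockskew is 300 s; larger skew => no tickets

# resolves NAME_OR_IP: forward or reverse lookup through nsswitch (files, then dns),
# the same path winbind and Kerberos use. Returns 0 when an answer exists.
resolves() { getent hosts "$1" >/dev/null 2>&1; }

# port_open HOST PORT: TCP connect test with a 3 s timeout.
port_open() {
    if command -v nc >/dev/null 2>&1; then nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1; fi
}

# sys_peer_offset_ms: read `ntpq -p` output on stdin, print the absolute offset (ms)
# of the selected peer (the line tagged '*'); returns 1 if no peer is selected yet.
sys_peer_offset_ms() {
    awk '$1 ~ /^\*/ { o = $9; if (o < 0) o = -o; print o; found = 1 }
         END { if (!found) exit 1 }'
}

# skew_ok OFFSET_MS: returns 0 when the offset is inside the Kerberos tolerance.
skew_ok() { awk -v o="$1" -v m="$MAX_SKEW_MS" 'BEGIN { if (o + 0 <= m + 0) exit 0; exit 1 }'; }

run_checks() {
    rc=0
    for n in "$DC" "$SELF"; do
        resolves "$n" && echo "ok   resolve $n" || { echo "FAIL resolve $n"; rc=1; }
    done
    # 88 = Kerberos, 389 = LDAP, 445 = SMB: the ports `net ads join` needs on the DC
    for p in 88 389 445; do
        port_open "$DC" "$p" && echo "ok   $DC:$p" || { echo "FAIL $DC:$p"; rc=1; }
    done
    off=$(ntpq -p 2>/dev/null | sys_peer_offset_ms) && skew_ok "$off" \
        && echo "ok   ntp offset $off ms" \
        || { echo "FAIL ntp: no selected peer or offset above ${MAX_SKEW_MS} ms"; rc=1; }
    return $rc
}

# Run the checks only when executed directly (not when sourced).
case "${0##*/}" in ad_precheck.sh) run_checks ;; esac
```

Run it as root before `net ads join`; any FAIL line points at the layer (DNS, firewall/port, time) to fix first.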

Fixes

A few routine operations can be prepared in advance as aliases.

- rs (stands for "restart") and does: stop the winbind daemon, restart the samba daemon, start the winbind daemon

debian:~# nano /root/.bashrc
alias rs="/etc/init.d/winbind stop && /etc/init.d/samba restart && /etc/init.d/winbind start"

- cleanup does: stop winbind and samba, delete the temporary winbind database, create the computer account in the AD, restart samba and winbind, check AD user name resolution

debian:~# nano /root/.bashrc
alias cleanup="/etc/init.d/winbind stop && /etc/init.d/samba stop && rm -rf /var/lib/samba/* && net ads join -U Administrator && rs && wbinfo -u"

Useful links

http://oreilly.com/catalog/kerberos/chapter/ch05.pdf

http://technet.microsoft.com/en-us/library/bb463167.aspx

http://www.administrator.de/index.php?content=85403#toc3
